RE: Hsrp and port-security

From: Popgeorgiev Nikolay (nikolay.popgeorgiev@siemens.com)
Date: Wed Jun 28 2006 - 08:26:00 ART


And what will be the problem if I use two virtual MAC addresses instead of one and add them statically on the switch?
Won't it be closer to what the task asks:
 
secure in a way that only the devices needed are allowed and all else is denied?
 
Nick

  _____

From: Popgeorgiev Nikolay
Sent: Wednesday, June 28, 2006 2:24 PM
To: Mienbaikebi Patani; Popgeorgiev Nikolay
Cc: ccielab@groupstudy.com
Subject: RE: Hsrp and port-security

Hello man, thanks for answering, BUT
 
in the meantime any other device can use the port, don't you think?
 
 
Nick

Nikolay Popgeorgiev

Senior System Engineer

Mobile: +359 887 400210

E-mail: Nikolay.Popgeorgiev@siemens.com

SIEMENS EOOD

Bulgaria, Sofia 1309, 2 "Kukush"str.

  _____

From: Mienbaikebi Patani [mailto:patmien@gmail.com]
Sent: Wednesday, June 28, 2006 1:59 PM
To: Popgeorgiev Nikolay
Cc: ccielab@groupstudy.com
Subject: Re: Hsrp and port-security

You should not use the Sticky option of the port-security command, because when you do that, a switch port learns the MAC addresses and, when you save the config, the learnt MAC addresses will always be associated with the specific switch port on which they were learnt.
 
Look at the following sequence of events, which clearly prohibits the use of the command "switchport port-security mac-address sticky" for this case.
 
At time T1, let's say Router A is the HSRP ACTIVE router and Router B is the HSRP STANDBY router, and at this time T1 the HSRP MAC address will be learnt on the switch port connecting Router A. At the same time T1, if the Sticky option of the port-security command is used and you then save the config, the HSRP MAC address is associated with the switch port connecting Router A. Consider time T2, when Router A fails and Router B takes over to become the HSRP ACTIVE router. At this time T2, when Router B generates information with the HSRP MAC address and the switch receives it on the port connected to Router B, the switch will reject the frame because the frame is coming from a different port than the port connected to Router A, which already has an association with the HSRP MAC address, and the switch will report an error condition. This will prevent successful communications.
 
Your best bet is to specify only the MAC addresses of the two HSRP routers statically on the appropriate switch ports and set the maximum MAC addresses to two, which will cause the switch to learn the HSRP MAC address dynamically. Do not associate the HSRP MAC address statically with any port on the switch. Then you can reduce the port-security MAC address time-out period to the minimum, and also reduce the time-out of the switch's global MAC address table to an equivalent value for the VLAN connecting the HSRP routers. This is all you need to do.
 
Hope that this has been informative to you. I am at your disposal.

 
On 6/28/06, Popgeorgiev Nikolay <nikolay.popgeorgiev@siemens.com> wrote:

Hello group,

I know that this topic has been discussed a lot. I have already read all the posts about this topic and there is still no clear answer to the simple question:

How to use port-security together with HSRP without using USE-BIA?

There were some answers to the question which advised allowing two MAC addresses on the switch instead of one and writing both the interface and the virtual MAC address of the routers,
but the switch says that the same MAC address is already being used. And this is absolutely normal. So this is not an option.

What about using this kind of solution ?

R1
interface FastEthernet0/0
ip address 1.1.1.10 255.255.255.0
standby 1 ip 1.1.1.1
standby 1 priority 120
standby 1 preempt
standby 1 mac-address 4000.1000.1061

R2
interface FastEthernet0/0
ip address 1.1.1.20 255.255.255.0
duplex auto
speed auto
standby 1 ip 1.1.1.1
standby 1 preempt
standby 1 mac-address 4000.1000.1060

SW
interface FastEthernet0/2
switchport access vlan 101
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0016.c876.44e8
switchport port-security mac-address sticky 4000.1000.1060
!
interface FastEthernet0/5
switchport access vlan 101
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0016.c876.6200
switchport port-security mac-address sticky 4000.1000.1061

Please guys, tell me what you think.

Best,
Nick
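The T1/T2 failure sequence Patani describes and the fix he recommends, as an added Python model that is not part of the thread: a toy port-security table in which a sticky-learnt HSRP virtual MAC stays pinned to the active router's port, while a dynamically learnt one can follow the failover only once the stale entry has aged out. The MACs are taken from the configs above; the single shared virtual MAC, the inactivity aging and the timings are assumptions of the model, not IOS's exact implementation.

```python
# Added toy model (not the thread's own config): a port-security table under HSRP failover.
from dataclasses import dataclass, field
HSRP_VMAC = "4000.1000.1061"  # virtual MAC from R1's config in the thread
R1_MAC, R2_MAC = "0016.c876.6200", "0016.c876.44e8"  # router interface MACs (SW config)

@dataclass
class Port:
    name: str
    maximum: int
    sticky: bool = False
    static: set = field(default_factory=set)     # configured or sticky-saved MACs
    dynamic: dict = field(default_factory=dict)  # mac -> last time seen (seconds)

class Switch:
    def __init__(self, aging_secs, ports):
        self.aging, self.violations = aging_secs, []
        self.ports = {p.name: p for p in ports}

    def owner_of(self, mac):
        return next((p for p in self.ports.values()
                     if mac in p.static or mac in p.dynamic), None)

    def receive(self, port_name, src_mac, now):
        """True if the frame is accepted, False on a port-security violation."""
        for p in self.ports.values():  # inactivity aging applies to dynamic entries only
            p.dynamic = {m: t for m, t in p.dynamic.items() if now - t < self.aging}
        port, owner = self.ports[port_name], self.owner_of(src_mac)
        if owner is not None and owner is not port:  # secure MAC seen on another port
            self.violations.append((port_name, src_mac, owner.name))
            return False
        if src_mac in port.dynamic:
            port.dynamic[src_mac] = now
        elif src_mac not in port.static:
            if len(port.static) + len(port.dynamic) >= port.maximum:
                self.violations.append((port_name, src_mac, "maximum reached"))
                return False
            if port.sticky:
                port.static.add(src_mac)  # sticky pins the learnt MAC to this port
            else:
                port.dynamic[src_mac] = now
        return True

def failover(sticky, aging_secs=60):
    # T1: R1 on Fa0/5 is active; T2: R2 on Fa0/2 takes over the virtual MAC.
    sw = Switch(aging_secs, [Port("Fa0/5", 2, sticky, {R1_MAC}),
                             Port("Fa0/2", 2, sticky, {R2_MAC})])
    t1 = sw.receive("Fa0/5", HSRP_VMAC, now=0)
    t2_early = sw.receive("Fa0/2", HSRP_VMAC, now=30)  # inside the aging window
    t2_late = sw.receive("Fa0/2", HSRP_VMAC, now=600)  # after the old entry aged out
    return t1, t2_early, t2_late
```

With the default aging the second router is still rejected until the stale entry on Fa0/5 ages out; shortening the aging, as the reply suggests, is what lets the virtual MAC move in time.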

This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:33 ART