From: Roberto Fernandez (rofernandez@us.telefonica.com)
Date: Wed Jun 28 2006 - 12:07:26 ART
Friends,
I've tried this on a switch, and what seems to be best is:
- configuring a virtual MAC address (standby mac-address) 1234.5678.abc1
and 1234.5678.abc2 on each router, then adding those to the switchport
port-security list.
It actually works.
The sticky option is not good because when the virtual MAC of the HSRP
passes from one switchport to the next, the switch will complain of a
security violation. For the same reason it is important to have two
different stand-by mac-addresses. It is easy to try, lab it.
Best Regards,
Roberto
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Popgeorgiev Nikolay
Sent: Wednesday, June 28, 2006 7:26 AM
To: Popgeorgiev Nikolay; 'Mienbaikebi Patani'; 'Popgeorgiev Nikolay'
Cc: 'ccielab@groupstudy.com'
Subject: RE: Hsrp and port-security
And what will be the problem if I use two virtual MAC addresses instead
of one and add them statically on the switch?
Won't it be closer to what the task asks:
secure in a way that only the devices needed are allowed and all else is
denied?
Nick
_____
From: Popgeorgiev Nikolay
Sent: Wednesday, June 28, 2006 2:24 PM
To: Mienbaikebi Patani; Popgeorgiev Nikolay
Cc: ccielab@groupstudy.com
Subject: RE: Hsrp and port-security
Hello man, thanks for answering, BUT
in the meantime any other device can use the port, don't you think?
Nick
Nikolay Popgeorgiev
Senior System Engineer
Mobile: +359 887 400210
E-mail: Nikolay.Popgeorgiev@siemens.com
SIEMENS EOOD
Bulgaria, Sofia 1309, 2 "Kukush"str.
_____
From: Mienbaikebi Patani [mailto:patmien@gmail.com]
Sent: Wednesday, June 28, 2006 1:59 PM
To: Popgeorgiev Nikolay
Cc: ccielab@groupstudy.com
Subject: Re: Hsrp and port-security
You should not use the Sticky option of the port-security command,
because when you do that, a switch port learns the MAC addresses and,
when you save the config, the learnt MAC addresses will always be
associated with the specific switch port on which they were learnt.
Look at the following sequence of events, which clearly prohibits the use
of the command "switchport port-security mac-address sticky" for this
case.
At time T1, let's say Router A was the HSRP ACTIVE router and Router B is
the HSRP STANDBY router, and at this time T1 the HSRP MAC address will be
learnt on the switch port connecting Router A. At the same time T1, if
the Sticky option of the port-security command is used and then you
saved the config, then the HSRP MAC address is associated with the
switch port connecting Router A. Consider time T2, when Router A fails
and Router B takes over to become the HSRP ACTIVE router. At this time T2,
when Router B generates information with the HSRP MAC address and the
switch receives it on the port connected to Router B, the switch will
reject the frame because the frame is coming from a different port other
than the port connected to Router A, which already has an
association with the HSRP MAC address, and the switch will report an
error condition. This will prevent successful communications.
Your best bet is to specify only the MAC addresses of the two HSRP routers
statically on the appropriate switch port and specify the maximum
MAC addresses to be two, which will cause the switch to learn the HSRP
MAC address dynamically. Do not associate the HSRP MAC address
statically to any port on the switch. Then you can reduce the port
security MAC address time-out period to the minimum, and also reduce the
time-out of the switch global MAC address table to an equivalent value
for the VLAN connecting the HSRP routers. This is all you need to do.
Hope that this has been informative to you. I am at your disposal.
On 6/28/06, Popgeorgiev Nikolay <nikolay.popgeorgiev@siemens.com> wrote:
Hello group,
I know that this topic has been discussed a lot. I have already read all
posts about this topic and still there is no clear answer to the simple
question:
How to use port-security together with HSRP without using USE-BIA.
There were some answers to the question which advised allowing two MAC
addresses on the switch port instead of one and writing both the interface
MAC and the virtual MAC address of the routers,
but the switch says that the same MAC address is already being used. And
this is absolutely normal. So this is not an option.
What about using this kind of solution?
R1
interface FastEthernet0/0
 ip address 1.1.1.10 255.255.255.0
 standby 1 ip 1.1.1.1
 standby 1 priority 120
 standby 1 preempt
 standby 1 mac-address 4000.1000.1061
R2
interface FastEthernet0/0
 ip address 1.1.1.20 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 1.1.1.1
 standby 1 preempt
 standby 1 mac-address 4000.1000.1060
SW
interface FastEthernet0/2
 switchport access vlan 101
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0016.c876.44e8
 switchport port-security mac-address sticky 4000.1000.1060
!
interface FastEthernet0/5
 switchport access vlan 101
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0016.c876.6200
 switchport port-security mac-address sticky 4000.1000.1061
Please, guys, tell me what you think.
Best,
Nick
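The switch-side behaviour the whole thread turns on (a secure MAC is bound to one port, so the HSRP virtual MAC showing up on the other router's port is a violation; a static secure MAC cannot be configured twice in the same VLAN; "maximum 2" caps what a port will accept) is modelled below in a small Python simulation. This is an added example, not Cisco code and not from anyone in the thread. The router burned-in addresses 0000.0c00.aaaa / 0000.0c00.bbbb and the rogue host address are constructed; 1234.5678.abc1 / abc2 are the two virtual MACs Roberto suggests; 0000.0c07.ac01 is the default HSRPv1 group 1 virtual MAC. It assumes, as Roberto reports, that after failover each router sources frames with its own configured virtual MAC. Violation mode "restrict" is modelled as drop-and-count; "shutdown" as err-disabling the port.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with port-security enabled (toy model)."""
    name: str
    vlan: int
    maximum: int = 1
    sticky: bool = False            # learned MACs would be saved with the config
    violation: str = "restrict"     # shutdown | restrict | protect
    secure_macs: set = field(default_factory=set)
    violations: int = 0
    err_disabled: bool = False


class Switch:
    def __init__(self):
        self.ports = {}

    def add_port(self, port):
        self.ports[port.name] = port

    def _owner(self, vlan, mac):
        """Port that already holds `mac` as a secure MAC in `vlan`, or None."""
        for p in self.ports.values():
            if p.vlan == vlan and mac in p.secure_macs:
                return p
        return None

    def add_static_mac(self, port_name, mac):
        """'switchport port-security mac-address <mac>' on one port."""
        port = self.ports[port_name]
        owner = self._owner(port.vlan, mac)
        if owner is not None and owner is not port:
            # The "already been used" error Nick saw when the same virtual
            # MAC was configured on both router-facing ports.
            raise ValueError(f"{mac} already secured on {owner.name} in VLAN {port.vlan}")
        if mac not in port.secure_macs and len(port.secure_macs) >= port.maximum:
            raise ValueError(f"{port_name}: maximum of {port.maximum} secure MACs reached")
        port.secure_macs.add(mac)

    def _violate(self, port):
        port.violations += 1
        if port.violation == "shutdown":
            port.err_disabled = True
        return False

    def receive(self, port_name, src_mac):
        """A frame from `src_mac` arrives on `port_name`; True if forwarded."""
        port = self.ports[port_name]
        if port.err_disabled:
            return False
        if src_mac in port.secure_macs:
            return True
        if self._owner(port.vlan, src_mac) is not None:
            # Secure MAC moved from another secure port in the same VLAN.
            return self._violate(port)
        if len(port.secure_macs) >= port.maximum:
            return self._violate(port)
        port.secure_macs.add(src_mac)   # dynamic/sticky learning
        return True


# Constructed addresses for the scenarios (not from the thread's configs).
RA_BIA, RB_BIA = "0000.0c00.aaaa", "0000.0c00.bbbb"
VMAC_A, VMAC_B = "1234.5678.abc1", "1234.5678.abc2"   # Roberto's two virtual MACs
HSRP_DEFAULT_VMAC = "0000.0c07.ac01"                 # HSRPv1 group 1


def two_ports(sticky):
    sw = Switch()
    sw.add_port(SecurePort("Fa0/2", 101, maximum=2, sticky=sticky))
    sw.add_port(SecurePort("Fa0/5", 101, maximum=2, sticky=sticky))
    return sw


def scenario_sticky_single_vmac():
    """Patani's T1/T2 sequence: one virtual MAC, sticky; failover trips the second port."""
    sw = two_ports(sticky=True)
    sw.receive("Fa0/2", RA_BIA)
    sw.receive("Fa0/2", HSRP_DEFAULT_VMAC)        # T1: Router A active, VMAC learnt on Fa0/2
    sw.receive("Fa0/5", RB_BIA)
    forwarded = sw.receive("Fa0/5", HSRP_DEFAULT_VMAC)   # T2: Router B active
    return forwarded, sw.ports["Fa0/5"].violations


def scenario_two_static_vmacs():
    """Roberto's approach: distinct virtual MAC per router, both BIA and VMAC static."""
    sw = two_ports(sticky=False)
    for port, bia, vmac in (("Fa0/2", RA_BIA, VMAC_A), ("Fa0/5", RB_BIA, VMAC_B)):
        sw.add_static_mac(port, bia)
        sw.add_static_mac(port, vmac)
    ok = all(sw.receive(p, m) for p, m in
             (("Fa0/2", RA_BIA), ("Fa0/2", VMAC_A), ("Fa0/5", RB_BIA), ("Fa0/5", VMAC_B)))
    rogue_forwarded = sw.receive("Fa0/5", "0000.0c00.dead")   # unknown host, port full
    return ok, rogue_forwarded, sw.ports["Fa0/5"].violations


def scenario_same_vmac_static_twice():
    """Nick's first attempt: same virtual MAC statically on both ports is refused."""
    sw = two_ports(sticky=False)
    sw.add_static_mac("Fa0/2", HSRP_DEFAULT_VMAC)
    try:
        sw.add_static_mac("Fa0/5", HSRP_DEFAULT_VMAC)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("sticky, single VMAC  :", scenario_sticky_single_vmac())
    print("two static VMACs     :", scenario_two_static_vmacs())
    print("same VMAC twice      :", scenario_same_vmac_static_twice())
```

The first scenario reproduces the violation Patani and Roberto describe; the second shows why two different standby MAC addresses sidestep it while still dropping an unknown host; the third reproduces the duplicate-MAC refusal Nick hit. The model ignores aging timers, so Patani's variant (static BIAs, maximum 2, let the single virtual MAC be learnt dynamically and age out quickly) is not covered.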
This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:33 ART