From: Mienbaikebi Patani (patmien@gmail.com)
Date: Wed Jun 28 2006 - 13:15:04 ART
Yes, that is what I meant by saying you need to set the Port Security
mac-address aging time, which has a minimum of 60 seconds. In addition to that
you can also set the global mac-address table aging time for the vlan
connected to the two routers in the HSRP group to the same value. You must set
that of Port Security, but that of the global mac-address table for the vlan is
optional.
On 6/28/06, Petr Lapukhov <petr@internetworkexpert.com> wrote:
>
> One may also use secure mac-address aging in this case,
> though it's minimum 60 seconds...
>
> 2006/6/28, Mienbaikebi Patani <patmien@gmail.com>:
> >
> You should not use the Sticky option of the Port-security command because
> when you do that, a switch port learns the mac-addresses and when you save
> the config, the learnt mac-addresses will always be associated to the
> specific Switch Port on which they were learnt.
>
> Look at the following sequence of events which clearly prohibits the use of
> the command "switchport port-security mac-address sticky" for this case.
>
> At time T1, let's say Router A was the HSRP ACTIVE router and Router B is the
> HSRP STANDBY router, and at this time T1 the HSRP Mac-address will be learnt
> on the Switch Port connecting Router A. At the same time T1, if the Sticky
> Option of the Port Security command is used, and then you saved the config,
> then the HSRP Mac-address is associated with the Switch Port connecting
> Router A. Consider time T2, when Router A failed and Router B takes over to
> become the HSRP ACTIVE router. At this time T2 when Router B generates
> information with the HSRP Mac-address and the switch receives it on the port
> connected to Router B, the switch will reject the frame because the frame is
> coming from a different Port other than the Port connected to Router A, which
> already has an association with the HSRP Mac-address, and the switch will
> report an error condition. This will prevent successful communications.
>
> Your best bet is to specify only the Mac-addresses of the two HSRP routers
> statically on the appropriate switch port and specify the maximum
> mac-addresses to be two, which will cause the switch to learn the HSRP
> Mac-address dynamically. Do not associate the HSRP Mac-address statically to
> any port on the switch. Then you can reduce the Port Security Mac-address
> time-out period to the minimum, and also reduce the time-out of the switch
> global mac-address table to an equivalent value for the vlan connecting the
> HSRP Routers. This is all you need to do.
>
>
> Hope that this has been informative to you. I am at your disposal.
>
>
> On 6/28/06, Popgeorgiev Nikolay <nikolay.popgeorgiev@siemens.com> wrote:
> >
> > Hello group,
> >
> >
> > I know that this topic has been discussed a lot. I have already read all
> > the posts about this topic and there is still no clear answer to the simple
> > question:
> >
> >
> > How to use port-security together with HSRP without using USE-BIA.
> >
> > There were some answers to the question which advised allowing two mac
> > addresses on the switch instead of one and writing both the interface and
> > the virtual mac address of the routers,
> > but the switch says that the same MAC address has already been used. And
> > this is absolutely normal. So this is not an option.
> >
> > What about using this kind of solution?
> >
> >
> >
> > R1
> > interface FastEthernet0/0
> > ip address 1.1.1.10 255.255.255.0
> > standby 1 ip 1.1.1.1
> > standby 1 priority 120
> > standby 1 preempt
> > standby 1 mac-address 4000.1000.1061
> >
> >
> > R2
> > interface FastEthernet0/0
> > ip address 1.1.1.20 255.255.255.0
> > duplex auto
> > speed auto
> > standby 1 ip 1.1.1.1
> > standby 1 preempt
> > standby 1 mac-address 4000.1000.1060
> >
> > SW
> > interface FastEthernet0/2
> > switchport access vlan 101
> > switchport mode access
> > switchport port-security maximum 2
> > switchport port-security
> > switchport port-security violation restrict
> > switchport port-security mac-address sticky
> > switchport port-security mac-address sticky 0016.c876.44e8
> > switchport port-security mac-address sticky 4000.1000.1060
> > !
> > interface FastEthernet0/5
> > switchport access vlan 101
> > switchport mode access
> > switchport port-security maximum 2
> > switchport port-security
> > switchport port-security violation restrict
> > switchport port-security mac-address sticky
> > switchport port-security mac-address sticky 0016.c876.6200
> > switchport port-security mac-address sticky 4000.1000.1061
> >
> >
> > Please, guys, tell me: what do you think?
> >
> >
> > Best,
> > Nick
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> --
> Petr Lapukhov, CCIE #16379
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
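As an added configuration example (written here, not posted by anyone in the thread), this is the approach described above applied to Nick's VLAN 101 ports: each router's physical interface MAC is configured statically, the maximum is two so the HSRP virtual MAC is learnt dynamically on whichever port the active router sits behind, the port-security aging time is set to its 1-minute (60 s) minimum, and the VLAN's global MAC aging time is aligned with it. The interface MACs and VLAN number are taken from Nick's post; the mapping of Fa0/2 to R1 and Fa0/5 to R2 is assumed.

```cisco
! Added example, not from the thread. Switch ports facing R1 (Fa0/2) and R2
! (Fa0/5) on VLAN 101. The HSRP virtual MAC (4000.1000.10xx in Nick's config)
! is deliberately NOT configured on either port, so it can follow the active
! router after a failover once the old dynamic entry ages out.
interface FastEthernet0/2
 switchport access vlan 101
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address 0016.c876.44e8
 ! second secure address is left free for the dynamically learnt HSRP MAC
 switchport port-security aging time 1
!
interface FastEthernet0/5
 switchport access vlan 101
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address 0016.c876.6200
 switchport port-security aging time 1
!
! Optional per the thread: match the VLAN's global MAC aging to the 60 s
! port-security minimum (older IOS spells this "mac-address-table aging-time").
mac address-table aging-time 60 vlan 101
```

After a failover, "show port-security address" shows the virtual MAC disappearing from the old port and reappearing on the new one once the minute-long aging timer expires.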
This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:33 ART