Re: Hsrp and port-security

From: Mienbaikebi Patani (patmien@gmail.com)
Date: Wed Jun 28 2006 - 13:27:56 ART


For the first question you asked, regarding some other device using the port:
you must understand that you have one switch port connected directly to each of
the two routers. So if you talk of another device using the port, you are
saying that you will remove the routers and plug another device into the
switch ports connecting to the routers.

And then your second comment, regarding using two virtual MAC addresses
instead of one and adding them statically on the switch: well, if that option
works you may try using it, but you must remember how the virtual MAC address
is formed so you don't cause conflicts in real-life practice, and for the
exam you should consider whether there are any restrictions by clarifying with
the proctor.

On 6/28/06, Popgeorgiev Nikolay <nikolay.popgeorgiev@siemens.com> wrote:
>
> And what will be the problem if I use two virtual MAC addresses instead
> of one and add them statically on the switch?
> Won't it be closer to what the task asks:
>
> secure in a way that only the devices needed are allowed, all else is denied?
>
> Nick
>
> ------------------------------
> *From:* Popgeorgiev Nikolay
> *Sent:* Wednesday, June 28, 2006 2:24 PM
> *To:* Mienbaikebi Patani; Popgeorgiev Nikolay
> *Cc:* ccielab@groupstudy.com
> *Subject:* RE: Hsrp and port-security
>
> Hello man, thanks for answering, BUT
>
> in the meantime any other device can use the port, don't you think?
>
> Nick
>
> Nikolay Popgeorgiev
> Senior System Engineer
> Mobile: +359 887 400210
> E-mail: Nikolay.Popgeorgiev@siemens.com
> *SIEMENS EOOD*
> Bulgaria, Sofia 1309, 2 Kukush str.
>
> ------------------------------
> *From:* Mienbaikebi Patani [mailto:patmien@gmail.com]
> *Sent:* Wednesday, June 28, 2006 1:59 PM
> *To:* Popgeorgiev Nikolay
> *Cc:* ccielab@groupstudy.com
> *Subject:* Re: Hsrp and port-security
>
>
> You should not use the Sticky option of the port-security command because
> when you do that, a switch port learns the MAC addresses and when you save
> the config, the learnt MAC addresses will always be associated with the
> specific switch port on which they were learnt.
>
> Look at the following sequence of events, which clearly prohibits the use
> of the command "switchport port-security mac-address sticky" for this case.
>
> At time T1, let's say Router A was the HSRP ACTIVE router and Router B is the
> HSRP STANDBY router, and at this time T1 the HSRP MAC address will be learnt
> on the switch port connecting Router A. At the same time T1, if the Sticky
> option of the port-security command is used, and then you save the config,
> then the HSRP MAC address is associated with the switch port connecting
> Router A. Consider time T2, when Router A fails and Router B takes over to
> become the HSRP ACTIVE router. At this time T2, when Router B generates
> information with the HSRP MAC address and the switch receives it on the port
> connected to Router B, the switch will reject the frame because the frame is
> coming from a different port than the port connected to Router A, which
> already has an association with the HSRP MAC address, and the switch
> will report an error condition. This will prevent successful communications.
>
>
> Your best bet is to specify only the MAC addresses of the two HSRP routers
> statically on the appropriate switch ports and specify the maximum MAC
> addresses to be two, which will cause the switch to learn the HSRP MAC address
> dynamically. Do not associate the HSRP MAC address statically with any port on
> the switch. Then you can reduce the port-security MAC address time-out
> period to the minimum, and also reduce the time-out of the switch global MAC
> address table to an equivalent value for the VLAN connecting the HSRP routers.
> This is all you need to do.
>
> Hope that this has been informative to you. I am at your disposal.
>
>
> On 6/28/06, Popgeorgiev Nikolay <nikolay.popgeorgiev@siemens.com> wrote:
> >
> > Hello group,
> >
> >
> > I know that this topic has been discussed a lot. I have already read all
> > the posts about this topic and there is still no clear answer to the simple
> > question:
> >
> >
> > How to use port-security together with HSRP without using USE-BIA.
> >
> > There were some answers to the question which advised allowing on the
> > switch two MAC addresses instead of one and writing both the interface and
> > the virtual MAC address of the routers,
> > but the switch says that the same MAC address has already been used. And
> > this is absolutely normal. So this is not an option.
> >
> > What about using this kind of solution ?
> >
> >
> >
> > R1
> > interface FastEthernet0/0
> > ip address 1.1.1.10 255.255.255.0
> > standby 1 ip 1.1.1.1
> > standby 1 priority 120
> > standby 1 preempt
> > standby 1 mac-address 4000.1000.1061
> >
> >
> > R2
> > interface FastEthernet0/0
> > ip address 1.1.1.20 255.255.255.0
> > duplex auto
> > speed auto
> > standby 1 ip 1.1.1.1
> > standby 1 preempt
> > standby 1 mac-address 4000.1000.1060
> >
> > SW
> > interface FastEthernet0/2
> > switchport access vlan 101
> > switchport mode access
> > switchport port-security maximum 2
> > switchport port-security
> > switchport port-security violation restrict
> > switchport port-security mac-address sticky
> > switchport port-security mac-address sticky 0016.c876.44e8
> > switchport port-security mac-address sticky 4000.1000.1060
> > !
> > interface FastEthernet0/5
> > switchport access vlan 101
> > switchport mode access
> > switchport port-security maximum 2
> > switchport port-security
> > switchport port-security violation restrict
> > switchport port-security mac-address sticky
> > switchport port-security mac-address sticky 0016.c876.6200
> > switchport port-security mac-address sticky 4000.1000.1061
> >
> >
> > Please guys tell me what do you think ?
> >
> >
> > Best,
> > Nick
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
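The switch-side configuration below is an added example, not a config posted by anyone in the thread. It applies Patani's recommendation (pin only the routers' physical interface MACs, allow a maximum of two addresses per port, let the HSRP virtual MAC be learnt dynamically, and shorten both the port-security and the CAM aging) to Nick's two ports and VLAN. The interface MACs are the ones from Nick's posted config; the `description` lines, the choice of 10 seconds for CAM aging, and the assumption that both routers share one virtual MAC for group 1 (the HSRPv1 default 0000.0c07.ac01, or the same `standby 1 mac-address` on both) are mine. Command syntax varies by platform and IOS release; the minimum `mac address-table aging-time` is 10 seconds on Catalyst 3550/3560 and older images spell the command `mac-address-table`.

```cisco
! Added example (not from the thread): Patani's approach on Nick's switch.
! Both routers must use ONE shared virtual MAC for group 1. Only each
! router's burned-in interface MAC is pinned; the virtual MAC is learnt as a
! dynamic secure address and is therefore free to move between the ports.
!
! Short CAM aging for the HSRP VLAN (assumption: 10 s, the floor on 3550/3560).
mac address-table aging-time 10 vlan 101
!
interface FastEthernet0/2
 description HSRP router port (interface MAC 0016.c876.44e8 from Nick's config)
 switchport access vlan 101
 switchport mode access
 switchport port-security
 ! one slot for the static interface MAC, one for the dynamic virtual MAC
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! static: the attached router's physical interface MAC only
 switchport port-security mac-address 0016.c876.44e8
 ! age the dynamically learnt virtual MAC out after 1 minute of silence so a
 ! failover does not leave it pinned to the port of the dead router
 switchport port-security aging time 1
 switchport port-security aging type inactivity
!
interface FastEthernet0/5
 description HSRP router port (interface MAC 0016.c876.6200 from Nick's config)
 switchport access vlan 101
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address 0016.c876.6200
 switchport port-security aging time 1
 switchport port-security aging type inactivity
!
! Verification from exec mode:
!  show port-security interface FastEthernet0/2   (MaxSecureAddr 2, one static)
!  show port-security address                     (virtual MAC listed as dynamic)
!  show mac address-table vlan 101                (virtual MAC follows the active router)
!  show standby brief                             (confirm which router is Active)
```

Note what this does and does not buy you. Any third device plugged into either port is still limited to the single free slot and its frames are dropped under `violation restrict` once that slot is taken; the sticky binding that caused the failure sequence described above is gone, because nothing ties the virtual MAC to a port across a write memory. The cost is convergence: if the failed router's link stays up, the stale dynamic secure entry on its port is only removed after the one-minute inactivity timer expires, and until then the new active router's frames carrying the virtual MAC are counted as violations on the other port. If the link actually goes down, the non-sticky dynamic secure addresses on that port are cleared immediately and failover is not delayed.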



This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:33 ART