Re: HSRP + PORT SECURITY

From: Leo Leung (leoleung_yh@yahoo.com)
Date: Tue Aug 01 2006 - 15:22:32 ART


Group,

I have a silly question regarding HSRP and switchport
port-security mac-address. I shut down 2 ports on SW1
before configuring. The first one went OK with the
virtual IP MAC address:

interface FastEthernet0/4
 switchport port-security mac-address 0000.0c07.ac00

but SW1 refused to take the same command for the
second port, interface FastEthernet0/24, with this message:

Found duplicate mac-address 0000.0c07.ac00.

Here's a copy. What am I missing, or is my 3550 switch
not working? I tried on both of my switches with
version c3550-ipservicesk9-mz.122-25.SEC.bin, and
also tried mac-address 4000.0000.0001 with the same result.
Thanks,

Rack1SW1#sh run int f0/4
Building configuration...

Current configuration : 262 bytes
!
interface FastEthernet0/4
 switchport access vlan 43
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address 0000.0c07.ac00
 switchport port-security mac-address 0006.28aa.60a0
 shutdown
end

Rack1SW1#sh run int f0/24
Building configuration...

Current configuration : 210 bytes
!
interface FastEthernet0/24
 switchport access vlan 43
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address 00b0.640a.43e0
 shutdown
end

Rack1SW1#conf t
Enter configuration commands, one per line. End with
CNTL/Z.
Rack1SW1(config)#int f0/24
Rack1SW1(config-if)#swi port-security mac-address
0000.0c07.ac00
Found duplicate mac-address 0000.0c07.ac00.

Rack1SW1(config-if)#

--- Anderson Mota Alves <mota_anderson@hotmail.com> wrote:

> Hi Chris,
>
> I understood your configuration below, but now I'm the one with a
> question :-) Imagine that I've been told that I need to configure
> switchport security in an environment where HSRP is in use, and this
> configuration needs to be on the router in case I need to reload it.
> I think the only way to accomplish this task is configuring switchport
> security with sticky, no? Or if I configure as you said below, would it
> also work?
>
> Any comments are really appreciated !!
>
> Andy
>
>
>
> --------------------------------------------------------------------
>
> From: "Chris Lewis" <chrlewiscsco@gmail.com>
> Reply-To: "Chris Lewis" <chrlewiscsco@gmail.com>
> To: "Leigh Harrison" <ccileigh@gmail.com>
> CC: KC <kanwal.chawla@gmail.com>, "Group Study (E-mail)" <ccielab@groupstudy.com>
> Subject: Re: HSRP + PORT SECURITY
> Date: Wed, 5 Apr 2006 09:35:45 -0500
> >KC,
> >
> >I think your problem is with configuring sticky on both switch ports.
> >This will give rise to an error message like this on the switch
> >
> >04:01:12: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac00 on port FastEthernet0/2.
> >
> >Having one of the ports go err-disable could make it look like both
> >routers are in Active, as the one that was standby may go active after
> >the port was shut down by the switch.
> >
> >Try this (remembering to keep the switch ports shut down while you
> >configure).
> >
> >interface FastEthernet0/3
> > switchport access vlan 10
> > switchport mode access
> > switchport port-security
> > switchport port-security maximum 2
> > switchport port-security mac-address 4000.0000.0001
> >!
> >interface FastEthernet0/4
> > switchport access vlan 10
> > switchport mode access
> > switchport port-security
> > switchport port-security maximum 2
> > switchport port-security mac-address 4000.0000.0001
> >
> >Connected routers
> >interface FastEthernet0/0
> > ip address 12.12.12.3 255.255.255.0
> > duplex auto
> > speed auto
> > standby ip 12.12.12.200
> > standby mac-address 4000.0000.0001
> >
> >interface FastEthernet0/0
> > ip address 12.12.12.4 255.255.255.0
> > duplex auto
> > speed auto
> > standby ip 12.12.12.200
> > standby mac-address 4000.0000.0001
> >
> >R5 is used to test
> >
> >R5(config-if)#do ping 12.12.12.200
> >
> >Type escape sequence to abort.
> >Sending 5, 100-byte ICMP Echos to 12.12.12.200, timeout is 2 seconds:
> >!!!!!
> >Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
> >R5(config-if)#do ping 12.12.12.3
> >
> >Type escape sequence to abort.
> >Sending 5, 100-byte ICMP Echos to 12.12.12.3, timeout is 2 seconds:
> >.!!!!
> >Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
> >R5(config-if)#do ping 12.12.12.4
> >
> >Type escape sequence to abort.
> >Sending 5, 100-byte ICMP Echos to 12.12.12.4, timeout is 2 seconds:
> >.!!!!
> >Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
> >R5(config-if)#
> >If you test HSRP operation with this configuration by shutting down the
> >ethernet interface on the active router, while doing an extended ping
> >from R5, you will see the swap over as follows:
> >
> >!!!!!!!!!!!!!!!!!!!!!!!.....!!!!!!!!!!!
> >
> >Chris
> >
> >On 4/5/06, Leigh Harrison <ccileigh@gmail.com> wrote:
> > >
> > > Hey there KC,
> > >
> > > I've done this a few times. Rather than use sticky mac, I found it was
> > > much better to type in the mac addresses for the ports and the virtual
> > > one.
> > >
> > > LH
> > >
> > > KC wrote:
> > > > Very strange to me, I requested 3 times for people to give me the
> > > > config of HSRP routers and switch, but no one responded to me with the
> > > > right solution. What happened to you guys? I am stuck, help me, this is
> > > > I guess the last question I am asking before the lab.
> > > >
> > > > On 4/4/06, KC <kanwal.chawla@gmail.com> wrote:
> > > >
> > > >> Hey Guys
> > > >>
> > > >> Whenever I configure this thing on one of the switchports, both of my
> > > >> routers' HSRP came up in the Active state; neither is going standby.
> > > >> switchport access vlan 10
> > > >> switchport mode access
> > > >> switchport port-security
> > > >> switchport port-security maximum 2
> > > >> switchport port-security mac-address sticky
> > > >> switchport port-security mac-address sticky 0000.0c07.ac01
> > > >> mac-address
> > > >> switchport port-security mac-address sticky 0008.a3fc.a661
> > > >>
> > > >>
> > > >> On 4/4/06, Chris Lewis <chrlewiscsco@gmail.com> wrote:
> > > >>
> > > >>> KC, I believe the answer to your question will only be found in the
> > > >>> exact wording of the question, which can take many, many forms.
> > > >>>
> > > >>> If you use BIA there will only be one MAC address associated with each
> > > >>> port, the downside of this is that traffic will be dropped as the switch
> > > >>> moves that MAC address from one port to another.
=== message truncated ===
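An added example, not from the thread or from Cisco: a small Python check that parses IOS-style `show run` interface blocks and reports a static secure MAC configured on more than one port in the same VLAN, the condition Leo's switch rejects with "Found duplicate mac-address", plus any port whose static entries exceed `port-security maximum`. The sample config is constructed, modelled on the two 3550 ports above, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the thread: two ports in VLAN 43 both listing the HSRP virtual MAC.
SAMPLE_RUN = """\
interface FastEthernet0/4
 switchport access vlan 43
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address 0000.0c07.ac00
 switchport port-security mac-address 0006.28aa.60a0
interface FastEthernet0/24
 switchport access vlan 43
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address 0000.0c07.ac00
 switchport port-security mac-address 00b0.640a.43e0
"""
SECURE_MAC = re.compile(
    r"^switchport port-security mac-address (?:sticky )?([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$")

def parse_interfaces(config):
    """Map interface name -> {"vlan", "max", "macs"} from IOS-style config text."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if (m := re.match(r"^interface (\S+)", line)):
            cur = ifaces.setdefault(m.group(1), {"vlan": "1", "max": 1, "macs": []})
            continue
        if cur is None:  # lines before the first interface block are ignored
            continue
        s = line.strip().lower()
        if s.startswith("switchport access vlan "):
            cur["vlan"] = s.split()[-1]
        elif s.startswith("switchport port-security maximum "):
            cur["max"] = int(s.split()[-1])
        elif (m := SECURE_MAC.match(s)):  # bare "mac-address sticky" has no MAC and is skipped
            cur["macs"].append(m.group(1))
    return ifaces

def find_duplicate_secure_macs(config):
    """Secure MACs configured on more than one port in the same VLAN: {(vlan, mac): [ports]}."""
    seen = defaultdict(list)
    for name, data in parse_interfaces(config).items():
        for mac in data["macs"]:
            seen[(data["vlan"], mac)].append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}

def ports_over_maximum(config):
    """Ports whose static secure MAC count exceeds their 'port-security maximum'."""
    return [n for n, d in parse_interfaces(config).items() if len(d["macs"]) > d["max"]]
```

Running the check against the sample flags 0000.0c07.ac00 on both Fa0/4 and Fa0/24 in VLAN 43 before the config is pushed, rather than discovering it one interface at a time at the CLI.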



This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:56 ART