From: Chris Lewis (chrlewiscsco@gmail.com)
Date: Wed Aug 02 2006 - 11:22:16 ART

Leo,
Did you try this with shutting down the ports before configuring the MAC
addresses?
The following is the screen output when I configure this using 12.1 (20)
software on the switch, starting with default port configuration.
Switch(config)#int f0/7
Switch(config-if)#shut
Switch(config-if)#int f0/8
Switch(config-if)#
23:30:27: %LINK-5-CHANGED: Interface FastEthernet0/7, changed state to
administratively down
23:30:28: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7,
changed state to downshut
Switch(config-if)#
23:30:34: %LINK-5-CHANGED: Interface FastEthernet0/8, changed state to
administratively down
23:30:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8,
changed state to down
Switch(config-if)#interface FastEthernet0/7
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security mac-address 4000.0000.0001
Switch(config-if)#!
Switch(config-if)#interface FastEthernet0/8
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security mac-address 4000.0000.0001
Switch(config-if)#no shut
Switch(config-if)#int f0/7
Switch(config-if)#
23:30:56: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to up
23:30:57: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8,
changed state to upno shut
Switch(config-if)#
23:31:03: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up
23:31:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7,
changed state to up
Switch(config-if)#do sh ver
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(20)EA2, RELEASE
SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 19-May-04 05:06 by antonino
Image text-base: 0x00003000, data-base: 0x0082D44C
ROM: Bootstrap program is C3550 boot loader
Switch uptime is 23 hours, 31 minutes
System returned to ROM by power-on
System image file is "flash:/c3550-i5q3l2-mz.121-20.EA2.bin"
cisco WS-C3550-24 (PowerPC) processor (revision J0) with 65526K/8192K bytes
of memory.
Processor board ID CAT0745R1MC
Last reset from warm-reset
Bridging software.
Running Layer2/3 Switching Image
Ethernet-controller 1 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 2 has 12 Fast Ethernet/IEEE 802.3 interfaces
Switch(config-if)#do sho ip int brie
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES unset  administratively down down
FastEthernet0/1        unassigned      YES unset  down                  down
FastEthernet0/2        unassigned      YES unset  down                  down
FastEthernet0/3        unassigned      YES unset  down                  down
FastEthernet0/4        unassigned      YES unset  down                  down
FastEthernet0/5        unassigned      YES unset  down                  down
FastEthernet0/6        unassigned      YES unset  down                  down
FastEthernet0/7        unassigned      YES unset  up                    up
FastEthernet0/8        unassigned      YES unset  up                    up
FastEthernet0/9        unassigned      YES unset  down                  down
FastEthernet0/10       unassigned      YES unset  down                  down
Switch(config-if)#do sh run | b 0/7
interface FastEthernet0/7
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address 4000.0000.0001
!
interface FastEthernet0/8
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address 4000.0000.0001
!
On 8/1/06, Leo Leung <leoleung_yh@yahoo.com> wrote:
>
> Group,
>
> I have a silly question regarding hsrp and switchport
> port-security mac-address. I shut down 2 ports on SW1
> before configuring. The first one went ok with
> virtual ip mac-address
>
> interface FastEthernet0/4
> switchport port-security mac-address 0000.0c07.ac00
>
> but SW1 refused to take the same command for the
> second port
> interface FastEthernet0/24 with this message
>
> Found duplicate mac-address 0000.0c07.ac00.
>
> here's a copy, what I am missing or is my 3550 switch
> not working. I tried on both of my switches with
> version c3550-ipservicesk9-mz.122-25.SEC.bin
> also tried mac-address 4000.0000.0001 with same result
> thanks,
>
> Rack1SW1#sh run int f0/4
> Building configuration...
>
> Current configuration : 262 bytes
> !
> interface FastEthernet0/4
> switchport access vlan 43
> switchport mode access
> switchport port-security maximum 2
> switchport port-security
> switchport port-security mac-address 0000.0c07.ac00
> switchport port-security mac-address 0006.28aa.60a0
> shutdown
> end
>
> Rack1SW1#sh run int f0/24
> Building configuration...
>
> Current configuration : 210 bytes
> !
> interface FastEthernet0/24
> switchport access vlan 43
> switchport mode access
> switchport port-security maximum 2
> switchport port-security
> switchport port-security mac-address 00b0.640a.43e0
> shutdown
> end
>
> Rack1SW1#conf t
> Enter configuration commands, one per line. End with
> CNTL/Z.
> Rack1SW1(config)#int f0/24
> Rack1SW1(config-if)#swi port-security mac-address
> 0000.0c07.ac00
> Found duplicate mac-address 0000.0c07.ac00.
>
> Rack1SW1(config-if)#
>
> --- Anderson Mota Alves <mota_anderson@hotmail.com>
> wrote:
>
> > Hi Chris,
> >
> > I understood your configuration below but now I'm
> > the one with a question
> > :-) Imagine that I've been told that I need to
> > configure switchport
> > security in an environment that HSRP is in use and
> > this configuration
> > needs to be on the router in case I need to reload
> > it, I think the only
> > way to accomplish this task is configuring
> > switchport security with
> > sticky no? Or if I configure as you said below would
> > also work?
> >
> > Any comments are really appreciated !!
> >
> > Andy
> >
> >
> >
> --------------------------------------------------------------------
> >
> > From: "Chris Lewis" <chrlewiscsco@gmail.com>
> > Reply-To: "Chris Lewis" <chrlewiscsco@gmail.com>
> > To: "Leigh Harrison" <ccileigh@gmail.com>
> > CC: KC <kanwal.chawla@gmail.com>, "Group Study
> > (E-mail)"
> > <ccielab@groupstudy.com>
> > Subject: Re: HSRP + PORT SECURITY
> > Date: Wed, 5 Apr 2006 09:35:45 -0500
> > >KC,
> > >
> > >I think your problem is with configuring sticky
> > on both switch
> > ports. This
> > >will give rise to an error message like this on
> > the switch
> > >
> > >04:01:12: %PORT_SECURITY-2-PSECURE_VIOLATION:
> > Security violation
> > occurred,
> > >caused by MAC address 0000.0c07.ac00 on port
> > FastEthernet0/2.
> > >
> > >Having one of the ports go err-disable could make
> > it look like both
> > routers
> > >are in Active, as the one that was standby may go
> > active after the
> > port shut
> > >down by the switch.
> > >
> > >Try this (remembering to keep the switch ports
> > shut down while you
> > >configure).
> > >
> > >interface FastEthernet0/3
> > > switchport access vlan 10
> > > switchport mode access
> > > switchport port-security
> > > switchport port-security maximum 2
> > > switchport port-security mac-address
> > 4000.0000.0001
> > >!
> > >interface FastEthernet0/4
> > > switchport access vlan 10
> > > switchport mode access
> > > switchport port-security
> > > switchport port-security maximum 2
> > > switchport port-security mac-address
> > 4000.0000.0001
> > >
> > >Connected routers
> > >interface FastEthernet0/0
> > > ip address 12.12.12.3 255.255.255.0
> > > duplex auto
> > > speed auto
> > > standby ip 12.12.12.200
> > > standby mac-address 4000.0000.0001
> > >
> > >interface FastEthernet0/0
> > > ip address 12.12.12.4 255.255.255.0
> > > duplex auto
> > > speed auto
> > > standby ip 12.12.12.200
> > > standby mac-address 4000.0000.0001
> > >
> > >R5 is used to test
> > >
> > >R5(config-if)#do ping 12.12.12.200
> > >
> > >Type escape sequence to abort.
> > >Sending 5, 100-byte ICMP Echos to 12.12.12.200,
> > timeout is 2
> > seconds:
> > >!!!!!
> > >Success rate is 100 percent (5/5), round-trip
> > min/avg/max = 1/2/4 ms
> > >R5(config-if)#do ping 12.12.12.3
> > >
> > >Type escape sequence to abort.
> > >Sending 5, 100-byte ICMP Echos to 12.12.12.3,
> > timeout is 2 seconds:
> > >.!!!!
> > >Success rate is 80 percent (4/5), round-trip
> > min/avg/max = 1/1/4 ms
> > >R5(config-if)#do ping 12.12.12.4
> > >
> > >Type escape sequence to abort.
> > >Sending 5, 100-byte ICMP Echos to 12.12.12.4,
> > timeout is 2 seconds:
> > >.!!!!
> > >Success rate is 80 percent (4/5), round-trip
> > min/avg/max = 1/1/4 ms
> > >R5(config-if)#
> > >If you test HSRP operation with this
> > configuration by shutting down
> > the
> > >ethernet interface on the active router, while
> > doing an extended
> > ping from
> > >R5, you will see the swap over as follows:
> > >
> > >!!!!!!!!!!!!!!!!!!!!!!!.....!!!!!!!!!!!
> > >
> > >Chris
> > >
> > >
> > >Chris
> > >
> > >On 4/5/06, Leigh Harrison <ccileigh@gmail.com>
> > wrote:
> > > >
> > > > Hey there KC,
> > > >
> > > > I've done this a few times. Rather than use
> > sticky mac, I found
> > it was
> > > > much better to type in the mac addresses for
> > the ports and the
> > virtual
> > > > one.
> > > >
> > > > LH
> > > >
> > > > KC wrote:
> > > > > Very strange to me, I requested 3 times to people to give me the config. of
> > > > > HSRP Routers and Switch, but no one responded me with right solution.
> > > > > What happened to you guys, I am stuck, help me, this is the I guess last
> > > > > question I am asking before lab
> > > > >
> > > > > On 4/4/06, KC <kanwal.chawla@gmail.com>
> > wrote:
> > > > >
> > > > >> Hey Guys
> > > > >>
> > > > >> Whenever I configure this thing on one of Switchport, my both routers HSRP
> > > > >> came up in Active states, no one is going standby
> > > > >> switchport access vlan 10
> > > > >> switchport mode access
> > > > >> switchport port-security
> > > > >> switchport port-security maximum 2
> > > > >> switchport port-security mac-address
> > sticky
> > > > >> switchport port-security mac-address
> > sticky 0000.0c07.ac01
> > > > >> mac-address
> > > > >> switchport port-security mac-address
> > sticky 0008.a3fc.a661
> > > > >>
> > > > >>
> > > > >> On 4/4/06, Chris Lewis
> > <chrlewiscsco@gmail.com> wrote:
> > > > >>
> > > > >>> KC, I believe the answer to your question
> > will only be found
> > in the
> > > > >>> exact wording of the question, which can
> > take many, many
> > forms.
> > > > >>>
> > > > >>> If you use BIA there will only be one MAC
> > address associated
> > with each
> > > > >>> port, the downside of this is that traffic
> > will be dropped as
> > the
> > > > switch
> > > > >>> moves that MAC address from one port to
> > another.
> === message truncated ===
>
>
This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:56 ART
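
Added example (not part of the original thread, and not Cisco tooling): a small pre-deployment check for the two conditions discussed above, namely the same static secure MAC on two ports, which the 12.2(25)SEC image rejected with "Found duplicate mac-address", and a sticky entry for an HSRP virtual MAC, which Chris ties to the PSECURE_VIOLATION message. The sample config is constructed from the snippets in the thread; treating a duplicate as "same MAC in the same access VLAN" is an assumption, and parse() and audit() are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the configurations quoted in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/4
 switchport access vlan 43
 switchport port-security
 switchport port-security mac-address 0000.0c07.ac00
 switchport port-security mac-address 0006.28aa.60a0
!
interface FastEthernet0/24
 switchport access vlan 43
 switchport port-security
 switchport port-security mac-address 0000.0c07.ac00
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport port-security mac-address sticky 0000.0c07.ac01
"""

# HSRP version 1 virtual MACs have the form 0000.0c07.acXX (XX = group number).
HSRP_V1_VMAC = re.compile(r"^0000\.0c07\.ac[0-9a-f]{2}$")
MAC_LINE = re.compile(
    r"^switchport port-security mac-address (sticky )?((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})$")

def parse(config):
    """Map interface name -> access VLAN and list of (is_sticky, mac)."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if line.startswith("interface "):
            cur = ports.setdefault(raw.split()[1], {"vlan": 1, "macs": []})
        elif cur is not None and line.startswith("switchport access vlan "):
            cur["vlan"] = int(line.split()[-1])
        elif cur is not None and (m := MAC_LINE.match(line)):
            cur["macs"].append((bool(m.group(1)), m.group(2)))
    return ports

def audit(config):
    """Return (duplicate secure MACs per VLAN, sticky HSRP virtual MACs)."""
    by_key, sticky_vmacs = defaultdict(list), []
    for name, port in parse(config).items():
        for sticky, mac in port["macs"]:
            by_key[(port["vlan"], mac)].append(name)   # assumption: scope is the VLAN
            if sticky and HSRP_V1_VMAC.match(mac):
                sticky_vmacs.append((name, mac))
    return {k: v for k, v in by_key.items() if len(v) > 1}, sticky_vmacs

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```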