RE: HSRP + PORT SECURITY

From: Curt Girardin (curt.girardin@chicos.com)
Date: Fri Aug 04 2006 - 10:23:36 ART


Could you consider using the "standby use-bia" command (not sure if
that's the exact syntax)? That should force the routers to use a
non-shared mac-address and it should alleviate your duplicate
mac-address port-security issue.

Of course I'm not sure I would do that in a production environment!

HTH,

Curt

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Leo Leung
Sent: Tuesday, August 01, 2006 2:23 PM
To: Anderson Mota Alves; chrlewiscsco@gmail.com
Cc: ccielab@groupstudy.com
Subject: Re: HSRP + PORT SECURITY

Group,

I have a silly question regarding hsrp and switchport port-security
mac-address. I shut down 2 ports on SW1 before configuring. The first
one went ok with virtual ip mac-address

interface FastEthernet0/4
 switchport port-security mac-address 0000.0c07.ac00

but SW1 refused to take the same command for the second port interface
FastEthernet0/24 with this message

Found duplicate mac-address 0000.0c07.ac00.

Here's a copy. What am I missing, or is my 3550 switch not working? I
tried on both of my switches with version
c3550-ipservicesk9-mz.122-25.SEC.bin
and also tried mac-address 4000.0000.0001 with the same result. Thanks,

Rack1SW1#sh run int f0/4
Building configuration...

Current configuration : 262 bytes
!
interface FastEthernet0/4
 switchport access vlan 43
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address 0000.0c07.ac00
 switchport port-security mac-address 0006.28aa.60a0
 shutdown
end

Rack1SW1#sh run int f0/24
Building configuration...

Current configuration : 210 bytes
!
interface FastEthernet0/24
 switchport access vlan 43
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address 00b0.640a.43e0
 shutdown
end

Rack1SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1SW1(config)#int f0/24
Rack1SW1(config-if)#swi port-security mac-address 0000.0c07.ac00
Found duplicate mac-address 0000.0c07.ac00.

Rack1SW1(config-if)#

--- Anderson Mota Alves <mota_anderson@hotmail.com>
wrote:

> Hi Chris,
>
> I understood your configuration below but now I'm the one with a
> question :-) Imagine that I've been told that I need to configure switchport
> security in an environment where HSRP is in use and this configuration
> needs to be on the router in case I need to reload it. I think the
> only way to accomplish this task is configuring switchport security
> with sticky, no? Or if I configure as you said below, would that also work?
>
> Any comments are really appreciated !!
>
> Andy
>
>
> --------------------------------------------------------------------
>
> From: "Chris Lewis" <chrlewiscsco@gmail.com>
> Reply-To: "Chris Lewis" <chrlewiscsco@gmail.com>
> To: "Leigh Harrison" <ccileigh@gmail.com>
> CC: KC <kanwal.chawla@gmail.com>, "Group Study (E-mail)"
> <ccielab@groupstudy.com>
> Subject: Re: HSRP + PORT SECURITY
> Date: Wed, 5 Apr 2006 09:35:45 -0500
> >KC,
> >
> >I think your problem is with configuring sticky on both switch ports. This
> >will give rise to an error message like this on the switch
> >
> >04:01:12: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
> >caused by MAC address 0000.0c07.ac00 on port FastEthernet0/2.
> >
> >Having one of the ports go err-disable could make it look like both routers
> >are in Active, as the one that was standby may go active after the port shut
> >down by the switch.
> >
> >Try this (remembering to keep the switch ports shut down while you
> >configure).
> >
> >interface FastEthernet0/3
> > switchport access vlan 10
> > switchport mode access
> > switchport port-security
> > switchport port-security maximum 2
> > switchport port-security mac-address 4000.0000.0001
> >!
> >interface FastEthernet0/4
> > switchport access vlan 10
> > switchport mode access
> > switchport port-security
> > switchport port-security maximum 2
> > switchport port-security mac-address 4000.0000.0001
> >
> >Connected routers
> >interface FastEthernet0/0
> > ip address 12.12.12.3 255.255.255.0
> > duplex auto
> > speed auto
> > standby ip 12.12.12.200
> > standby mac-address 4000.0000.0001
> >
> >interface FastEthernet0/0
> > ip address 12.12.12.4 255.255.255.0
> > duplex auto
> > speed auto
> > standby ip 12.12.12.200
> > standby mac-address 4000.0000.0001
> >
> >R5 is used to test
> >
> >R5(config-if)#do ping 12.12.12.200
> >
> >Type escape sequence to abort.
> >Sending 5, 100-byte ICMP Echos to 12.12.12.200, timeout is 2 seconds:
> >!!!!!
> >Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
> >R5(config-if)#do ping 12.12.12.3
> >
> >Type escape sequence to abort.
> >Sending 5, 100-byte ICMP Echos to 12.12.12.3, timeout is 2 seconds:
> >.!!!!
> >Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
> >R5(config-if)#do ping 12.12.12.4
> >
> >Type escape sequence to abort.
> >Sending 5, 100-byte ICMP Echos to 12.12.12.4, timeout is 2 seconds:
> >.!!!!
> >Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
> >R5(config-if)#
> >If you test HSRP operation with this configuration by shutting down the
> >ethernet interface on the active router, while doing an extended ping from
> >R5, you will see the swap over as follows:
> >
> >!!!!!!!!!!!!!!!!!!!!!!!.....!!!!!!!!!!!
> >
> >Chris
> >
> >
> >Chris
> >
> >On 4/5/06, Leigh Harrison <ccileigh@gmail.com>
> wrote:
> > >
> > > Hey there KC,
> > >
> > > I've done this a few times. Rather than use sticky mac, I found it was
> > > much better to type in the mac addresses for the ports and the virtual
> > > one.
> > >
> > > LH
> > >
> > > KC wrote:
> > > > Very strange to me, I requested 3 times for people to give me the config
> > > > of HSRP Routers and Switch, but no one responded to me with the right
> > > > solution. What happened to you guys? I am stuck, help me, this is I
> > > > guess the last question I am asking before the lab
> > > >
> > > > On 4/4/06, KC <kanwal.chawla@gmail.com>
> wrote:
> > > >
> > > >> Hey Guys
> > > >>
> > > >> Whenever I configure this thing on one of the switchports, both my
> > > >> routers' HSRP came up in Active state, no one is going standby
> > > >> switchport access vlan 10
> > > >> switchport mode access
> > > >> switchport port-security
> > > >> switchport port-security maximum 2
> > > >> switchport port-security mac-address sticky
> > > >> switchport port-security mac-address sticky 0000.0c07.ac01
> > > >> mac-address
> > > >> switchport port-security mac-address sticky 0008.a3fc.a661
> > > >>
> > > >>
> > > >> On 4/4/06, Chris Lewis
> <chrlewiscsco@gmail.com> wrote:
> > > >>
> > > >>> KC, I believe the answer to your question will only be found in the
> > > >>> exact wording of the question, which can take many, many forms.
> > > >>>
> > > >>> If you use BIA there will only be one MAC address associated with each
> > > >>> port, the downside of this is that traffic will be dropped as the switch
> > > >>> moves that MAC address from one port to another.
=== message truncated ===
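An added pre-change check, example code written for this thread and not from any of its posters: it parses a constructed switch config modelled on the configs above and reports the two failure modes the thread describes (a router port that does not allow the HSRP virtual MAC, so failover trips a port-security violation, and the same static secure MAC on two ports in one VLAN, which Leo's 3550 rejects). The `ROUTERS` map, the `vmac=None` convention for the `standby use-bia` design, and the config text are assumptions.

```python
import re
from collections import defaultdict

# Constructed switch config mirroring the thread: both router ports in VLAN 43,
# each allowing the router's own MAC plus the HSRP group-0 virtual MAC.
SWITCH_CFG = """
interface FastEthernet0/4
 switchport access vlan 43
 switchport port-security maximum 2
 switchport port-security mac-address 0006.28aa.60a0
 switchport port-security mac-address 0000.0c07.ac00
!
interface FastEthernet0/24
 switchport access vlan 43
 switchport port-security maximum 2
 switchport port-security mac-address 00b0.640a.43e0
 switchport port-security mac-address 0000.0c07.ac00
"""
# Router BIA behind each port (constructed from the MACs quoted in the thread).
ROUTERS = {"FastEthernet0/4": "0006.28aa.60a0", "FastEthernet0/24": "00b0.640a.43e0"}

def parse_ports(cfg):
    """Map each interface to its VLAN, port-security maximum and static secure MACs."""
    ports, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ports.setdefault(m.group(1), {"vlan": None, "max": 1, "macs": set()})
        elif cur and (m := re.match(r"\s*switchport access vlan (\d+)", line)):
            cur["vlan"] = int(m.group(1))
        elif cur and (m := re.match(r"\s*switchport port-security maximum (\d+)", line)):
            cur["max"] = int(m.group(1))
        elif cur and (m := re.match(r"\s*switchport port-security mac-address (?!sticky)(\S+)", line)):
            cur["macs"].add(m.group(1))  # sticky entries are learned, not static: skipped
    return ports

def check(ports, routers, vmac):
    """vmac: the HSRP virtual MAC, or None when 'standby use-bia' makes each BIA the virtual MAC."""
    findings, seen = [], defaultdict(list)
    for port, p in ports.items():
        need = {routers[port]} | ({vmac} if vmac else set())
        if missing := need - p["macs"]:
            findings.append(f"{port}: {sorted(missing)} not a secure MAC; HSRP failover would trip a violation")
        if len(p["macs"]) > p["max"]:
            findings.append(f"{port}: {len(p['macs'])} static MACs exceed maximum {p['max']}")
        for mac in p["macs"]:
            seen[(p["vlan"], mac)].append(port)
    for (vlan, mac), plist in seen.items():
        if len(plist) > 1:  # the 3550 in the thread refuses this: 'Found duplicate mac-address'
            findings.append(f"vlan {vlan}: {mac} is a static secure MAC on {sorted(plist)}")
    return findings
```

Running `check(parse_ports(SWITCH_CFG), ROUTERS, "0000.0c07.ac00")` flags only the shared virtual MAC; dropping those two lines and calling it with `vmac=None` models the use-bia design and returns no findings.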


