Re: HSRP and port-security...

From: Tony Paterra (apaterra@gmail.com)
Date: Thu Sep 21 2006 - 15:09:13 ART


I understand that you can do it manually by clearing the port-security
entries and bouncing the interface, but this defeats the purpose of
HSRP for fault-tolerant routing and gateway services... Any way to do
this seamlessly?

On 9/21/06, Radoslav Vasilev <deckland@gmail.com> wrote:
> Hi Tony,
>
> Rack1SW1(config-if)#switchport port-security mac-address 0015.c678.6a98
> Found duplicate mac-address 0015.c678.6a98.
>
> Rack1SW1(config-if)#do clear mac-addr dynamic
> Rack1SW1(config-if)#switchport port-security mac-address 0015.c678.6a98
>
> interface GigabitEthernet1/0/6
> switchport access vlan 5
> switchport mode access
> switchport port-security
> switchport port-security mac-address 0015.c678.6a98
> shutdown
>
> Rack1SW1(config)#int gi 1/0/6
> Rack1SW1(config-if)#no shu
> Rack1SW1(config-if)#no shutdown
>
>
> On 9/21/06, Tony Paterra <apaterra@gmail.com> wrote:
> > I was playing with a lab and came across one of those dependent
> > "gotchas" with HSRP and port-security. I'm trying to minimize the
> > number of port-security mac-addresses on the switch and still enable
> > HSRP to function properly.
> >
> > 2 questions...
> >
> > 1.) I am unable to allow the virtual mac-address on both switchports
> > as it gives me an error... How can I account for the Active router
> > going down and the Standby picking it up?
> >
> > SW1#
> > interface GigabitEthernet0/1
> > switchport access vlan 99
> > switchport mode access
> > switchport port-security maximum 2
> > switchport port-security
> > switchport port-security mac-address <virtual mac-address>
> >
> > interface GigabitEthernet0/2
> > switchport access vlan 99
> > switchport mode access
> > switchport port-security maximum 2
> > switchport port-security
> > switchport port-security mac-address <virtual mac-address>
> >
> > ERROR: Found duplicate mac-address 0000.0c07.ac01.
> >
> >
> > 2.) Outside of use-bia, is there something I'm missing here? The
> > best way I see to do this is to put static allows in for the BIA on
> > the interfaces and one sticky for the virtual. Should I be playing
> > with the timers for port-security or mac-address-table aging?
> >
> >
> > Thanks in advance,
> > --
> > Tony Paterra
> > apaterra@gmail.com
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>

-- 
Tony Paterra
apaterra@gmail.com

