From: Ming Ki Au (aurmkstr@gmail.com)
Date: Tue Nov 14 2006 - 07:42:45 ART
Dear all,
Can anyone answer my question below?
On 11/13/06, Ming Ki Au <aurmkstr@gmail.com> wrote:
>
> Hi Thomas,
>
> So in that case, why do we still have to create a unique MAC address for each
> router in the group - standby [group-number] mac-address mac-address if we
> need to allow 2 connections via the port security? Why can't we use the
> default mac-address for the standby group?
>
> Thanks!
>
>
> On 11/11/06, Thomas.W.Johnson@chase.com <Thomas.W.Johnson@chase.com >
> wrote:
> >
> > Ming -
> >
> > Yes, you would need to allow 2 connections via port security. You could
> > configure it either statically or sticky depending on your
> > requirements. And yes, you would want to allow your physical mac address
> > of the interface.
> >
> > Hope that helps you out. Have a good one.
> >
> > - Thomas
> >
> > -----Original Message-----
> > From: Ming Ki Au [mailto:aurmkstr@gmail.com]
> > Sent: Fri 11/10/2006 11:43 PM
> > To: Johnson, Thomas W (Card Services)
> > Cc:
> > Subject: Re: Port Security Questions
> >
> >
> > Hi Thomas,
> >
> > Thank you for your info. For option 2, so we still need to add
> > port-security max 2 commands right? Since apart from the unique standby
> > address, there is also a mac-address from the physical interface. Am I
> > right?
> >
> >
> > On 11/10/06, Thomas.W.Johnson@chase.com <
> > Thomas.W.Johnson@chase.com > wrote:
> >
> > Here, hope this helps, the second bullet point.
> >
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swtrafc.htm#wp1038501
> >
> > Security Violations
> >
> > It is a security violation when one of these situations
> > occurs:
> >
> > The maximum number of secure MAC addresses have been
> > added to the address table, and a station whose MAC address is not in the
> > address table attempts to access the interface.
> >
> > An address learned or configured on one secure interface
> > is seen on another secure interface in the same VLAN.
> >
> > With HSRP you have two options
> >
> > 1. Use the Burned In address - standby use-bia [scope
> > interface]
> >
> > 2. Create a unique MAC address for each router in the
> > group - standby [group-number] mac-address mac-address
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com on behalf of Ming Ki Au
> > Sent: Fri 11/10/2006 1:51 AM
> > To: Victor Cappuccio
> > Cc: Ricky MK Au; ccielab@groupstudy.com
> > Subject: Re: Port Security Questions
> >
> >
> >
> > Dear all,
> >
> >                 If I use a static mac address at the HSRP configuration, it does not work. Can
> >                 you tell me the exact command? Do I have to type in the mac-address of the
> >                 physical interface as well and add port-security max 2 commands?
> >
> >
> >                 On 10/22/06, Victor Cappuccio <cvictor@protokolgroup.com> wrote:
> > >
> >                 > If you cannot use the bia parameter of HSRP, then use a static MAC
> >                 > address at the HSRP Configuration..
> >                 > This had been discussed several times on this board
> >                 > Check the Archives :D
> >                 > Victor.-
> > >
> > >
> >                 > -----Original Message-----
> >                 > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of
> >                 > Ricky MK Au
> >                 > Sent: Saturday, October 21, 2006 03:03 p.m.
> >                 > To: ccielab@groupstudy.com
> >                 > Subject: Port Security Questions
> > >
> > > Dear all,
> > >
> >                 > I have the following problem in configuring port-security on a VLAN 13
> >                 > with (R1-e0/0 on switch port fa0/3) and (R2-fa0/0 on switch port fa0/4) and
> >                 > HSRP interfaces for R1-e0/0 and R2-fa0/0. While R1-e0/0 is the primary
> >                 > interface unless it lost its connection to the WAN interface.
> >                 >
> >                 > I have configured port-security with the MAC address of R1-e0/0 and
> >                 > R2-fa0/0 in their corresponding switch ports. However, it
> >                 > displays a message with duplicate mac address detected.
> >                 >
> >                 > Can anyone tell me what is the corresponding step in setting port
> >                 > security to allow only the two allowed routers to plug in the switch ports
> >                 > with HSRP enabled for that VLAN?
> > >
> > > Ricky M.K. Au,
> > >
> > >
> >                 > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> >
> >
> >
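
Added example (not part of the original thread, and not Cisco code): a simplified Python model of the two security-violation rules quoted above, run through an HSRP failover for the default standby MAC, for "standby use-bia", and for a unique "standby [group-number] mac-address" per router. The MAC addresses, the group number 1 and the class and function names are constructed assumptions; the model also assumes the active router sources frames from both its physical MAC and its standby MAC.

```python
# Simplified model (an assumption, not switch firmware) of the two
# port-security violation rules quoted above, applied to an HSRP failover.
# All MAC addresses and the HSRP group number (1) are constructed.

class SecureVlan:
    def __init__(self, max_per_port):
        self.max = max_per_port
        self.table = {}  # port -> set of secure MACs (kept sticky-style)

    def frame(self, port, mac):
        """Return None if the source MAC is accepted, else the rule it breaks."""
        secure = self.table.setdefault(port, set())
        if mac in secure:
            return None
        for other, macs in self.table.items():
            if other != port and mac in macs:
                return "rule 2: address already secure on another port"
        if len(secure) >= self.max:
            return "rule 1: maximum secure addresses reached"
        secure.add(mac)
        return None

DEFAULT_VMAC = "0000.0c07.ac01"  # HSRPv1 default virtual MAC for group 1
R1 = {"port": "fa0/3", "bia": "0011.1111.0001", "own": "0000.0c13.0001"}
R2 = {"port": "fa0/4", "bia": "0022.2222.0002", "own": "0000.0c13.0002"}

def hsrp_mac(router, mode):
    """MAC the router uses for the standby address once it is active."""
    return {"default": DEFAULT_VMAC,   # no extra standby command
            "use-bia": router["bia"],  # standby use-bia
            "unique": router["own"],   # standby 1 mac-address <own>
            }[mode]

def failover(mode, max_per_port):
    """R1 is active, then fails and R2 takes over; return the violations."""
    sw = SecureVlan(max_per_port)
    events = [(R1["port"], R1["bia"]), (R2["port"], R2["bia"]),
              (R1["port"], hsrp_mac(R1, mode)),   # R1 active
              (R2["port"], hsrp_mac(R2, mode))]   # R2 active after failover
    violations = []
    for port, mac in events:
        rule = sw.frame(port, mac)
        if rule:
            violations.append((port, mac, rule))
    return violations

if __name__ == "__main__":
    for mode, limit in [("default", 2), ("unique", 2), ("unique", 1), ("use-bia", 1)]:
        print(mode, limit, failover(mode, limit))
```

In this model the shared default MAC trips the second rule when R2 takes over, a unique MAC per router needs a maximum of 2 on each port, and use-bia passes with a maximum of 1.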
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:46 ART