From: Antonio Soares (amsoares@netcabo.pt)
Date: Thu Mar 01 2007 - 22:21:37 ART
Hello GS,
I'm having problems understanding why HSRP does not seem to work with Port
Security. R4 and R6 are running HSRP and are connected to SW2 F1/0/4 and
F1/0/6 respectively. Here are the configs:
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Rack1SW2#sh runn int f1/0/4
Building configuration...
Current configuration : 173 bytes
!
interface FastEthernet1/0/4
description Rack1R4
switchport access vlan 146
switchport mode access
switchport port-security maximum 2
switchport port-security
spanning-tree portfast
end
Rack1SW2#sh runn int f1/0/6
Building configuration...
Current configuration : 173 bytes
!
interface FastEthernet1/0/6
description Rack1R6
switchport access vlan 146
switchport mode access
switchport port-security maximum 2
switchport port-security
spanning-tree portfast
end
Rack1SW2#
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Rack1R4#sh runn int e1/0
Building configuration...
Current configuration : 149 bytes
!
interface Ethernet1/0
ip address 155.1.146.4 255.255.255.0
half-duplex
standby 1 ip 155.1.146.254
standby 1 priority 0
standby 1 preempt
end
Rack1R4#
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Rack1R6#sh running-config int f0/0
Building configuration...
Current configuration : 143 bytes
!
interface FastEthernet0/0
ip address 155.1.146.6 255.255.255.0
duplex auto
speed auto
standby 1 ip 155.1.146.254
standby 1 preempt
end
Rack1R6#
++++++++++++++++++++++++++++++++++++++++++++++++++++++
As soon as I change the active router from R6 to R4, I get a Port
Security violation:
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Rack1R4(config-if)#standby 1 priority 255
Rack1R4(config-if)#
*Mar 4 00:05:31.780: %HSRP-5-STATECHANGE: Ethernet1/0 Grp 1 state Standby
-> Active
*Mar 4 00:05:35.783: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Ethernet1/0, changed state to down
*Mar 4 00:05:35.783: %HSRP-5-STATECHANGE: Ethernet1/0 Grp 1 state Active ->
Init
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Rack1SW2#
00:26:55: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/4,
putting Fa1/0/4 in err-disable state
00:26:55: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
caused by MAC address 0000.0c07.ac01 on port FastEthernet1/0/4.
00:26:56: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4,
changed state to down
00:26:57: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to down
++++++++++++++++++++++++++++++++++++++++++++++++++++++
I know that use-bia is a workaround to this problem. But suppose you are
not allowed to use it, which options do we have?
Thanks,
Antonio
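
The violating address in the switch log, 0000.0c07.ac01, is in the HSRP version 1 virtual MAC range (0000.0c07.acXX, where XX is the group number in hex). The following is an added example, not part of the original post: a small triage script that rejoins the hard-wrapped syslog lines quoted above and tags port-security violations whose source MAC is an HSRP virtual MAC. The function names are hypothetical, and the sample input is the post's own switch output.

```python
import re

# Switch log lines as quoted in the post, including the mail client's hard wraps.
SAMPLE_LOG = """\
00:26:55: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/4,
putting Fa1/0/4 in err-disable state
00:26:55: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
caused by MAC address 0000.0c07.ac01 on port FastEthernet1/0/4.
00:26:56: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4,
changed state to down
"""

TIMESTAMP_RE = re.compile(r"^\*?(\w{3} +\d+ +)?\d{2}:\d{2}:\d{2}(\.\d+)?: ")
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION:.*MAC address "
    r"((?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) on port (\S+?)\.?$", re.I)

def unwrap(text):
    """Rejoin messages that were hard-wrapped: a line without a leading
    timestamp is a continuation of the previous message."""
    messages = []
    for line in text.splitlines():
        if TIMESTAMP_RE.match(line) or not messages:
            messages.append(line.strip())
        else:
            messages[-1] += " " + line.strip()
    return messages

def hsrp_group(mac):
    """Return (version, group) for an HSRP virtual MAC, else None."""
    digits = mac.replace(".", "").lower()
    if digits.startswith("00000c07ac"):   # HSRPv1: 0000.0c07.acXX
        return 1, int(digits[10:], 16)
    if digits.startswith("00000c9ff"):    # HSRPv2: 0000.0c9f.fXXX
        return 2, int(digits[9:], 16)
    return None

def triage(text):
    """List port-security violations and tag those caused by an HSRP vMAC."""
    findings = []
    for msg in unwrap(text):
        m = VIOLATION_RE.search(msg)
        if m:
            mac = m.group(1).lower()
            findings.append({"port": m.group(2), "mac": mac, "hsrp": hsrp_group(mac)})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        kind = "HSRPv%d group %d virtual MAC" % f["hsrp"] if f["hsrp"] else "non-HSRP MAC"
        print(f"{f['port']}: {f['mac']} ({kind})")
```
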