From: Ben (ccieben@cox.net)
Date: Fri Mar 02 2007 - 00:04:50 ART
Hi Antonio,
I labbed up the same thing, but am not experiencing the same problem -
perhaps try: debug port-security, and see what the extra mac-address
being added is... or "show mac-address-table interface" before applying
the port-security configs...
************************************
CAT2(config-if)#do debug port-security
All Port Security debugging is on
CAT2(config-if)#no shut
CAT2(config-if)#
12w1d: PSECURE: psecure_linkchange: Fa0/5 hwidb=0x1A1BDE0
12w1d: PSECURE: Link is coming up
12w1d: PSECURE: psecure_linkup_init: Fa0/5 hwidb = 0x1A1BDE0
12w1d: PSECURE: psecure_vp_linkup port Fa0/5, vlan 45, mode access
12w1d: PSECURE: psecure_vp_linkup Populating addresses for vlan 45
12w1d: PSECURE: Activating port-security feature
12w1d: PSECURE: port_activate: status is 1
12w1d: PSECURE: Deleting all dynamic addresses from h/w tables.
12w1d: PSECURE: psecure_platform_delete_all_addrs: deleti
CAT2(config-if)#ng all addresses on vlan 45
12w1d: PSECURE: psecure_vp_list_fwdchange invoked
12w1d: PSECURE: Read:23, Write:24
12w1d: PSECURE: swidb = FastEthernet0/5 mac_addr = 0005.dca4.2c08 vlanid
= 45 <-- BIA of the router on that port
12w1d: PSECURE: Adding 0005.dca4.2c08 as dynamic on port Fa0/5 for vlan 45
12w1d: PSECURE: Adding address vlan 45 0005.dca4.2c08 to port-security
12w1d: PSECURE: Adding addresses to port-security sub block
CAT2(config-if)#
12w1d: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up
12w1d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5,
changed state to up
CAT2(config-if)#
12w1d: PSECURE: Read:24, Write:25
12w1d: PSECURE: swidb = FastEthernet0/5 mac_addr = 0000.0c07.ac01 vlanid
= 45 <--- HSRP MAC for group 1
12w1d: PSECURE: Adding 0000.0c07.ac01 as dynamic on port Fa0/5 for vlan 45
12w1d: PSECURE: Adding address vlan 45 0000.0c07.ac01 to port-security
12w1d: PSECURE: Adding addresses to port-security sub block
************************************
CAT2#show run int fa0/5
Building configuration...
Current configuration : 221 bytes
!
interface FastEthernet0/5
description to 7206B fa0/0
switchport access vlan 45
switchport mode access
switchport port-security maximum 2
switchport port-security
speed 10
duplex full
spanning-tree portfast
end
************************************
7206B#show run int fa0/0
Building configuration...
Current configuration : 165 bytes
!
interface FastEthernet0/0
ip address 172.16.45.5 255.255.255.0
duplex full
speed 10
standby 1 ip 172.16.45.254
standby 1 priority 105
standby 1 preempt
end
************************************
Antonio Soares wrote:
> Hello GS,
>
> I'm having problems understanding why HSRP does not seem to work with Port
> Security. R4 and R6 are running HSRP and are connected to SW2 F1/0/4 and
> F1/0/6 respectively. Here are the configs:
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Rack1SW2#sh runn int f1/0/4
> Building configuration...
>
> Current configuration : 173 bytes
> !
> interface FastEthernet1/0/4
> description Rack1R4
> switchport access vlan 146
> switchport mode access
> switchport port-security maximum 2
> switchport port-security
> spanning-tree portfast
> end
>
> Rack1SW2#sh runn int f1/0/6
> Building configuration...
>
> Current configuration : 173 bytes
> !
> interface FastEthernet1/0/6
> description Rack1R6
> switchport access vlan 146
> switchport mode access
> switchport port-security maximum 2
> switchport port-security
> spanning-tree portfast
> end
>
> Rack1SW2#
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Rack1R4#sh runn int e1/0
> Building configuration...
>
> Current configuration : 149 bytes
> !
> interface Ethernet1/0
> ip address 155.1.146.4 255.255.255.0
> half-duplex
> standby 1 ip 155.1.146.254
> standby 1 priority 0
> standby 1 preempt
> end
>
> Rack1R4#
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Rack1R6#sh running-config int f0/0
> Building configuration...
>
> Current configuration : 143 bytes
> !
> interface FastEthernet0/0
> ip address 155.1.146.6 255.255.255.0
> duplex auto
> speed auto
> standby 1 ip 155.1.146.254
> standby 1 preempt
> end
>
> Rack1R6#
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> As soon as I change the active router from R6 to R4, I get Port
> Security Violation:
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Rack1R4(config-if)#standby 1 priority 255
> Rack1R4(config-if)#
> *Mar 4 00:05:31.780: %HSRP-5-STATECHANGE: Ethernet1/0 Grp 1 state Standby
> -> Active
> *Mar 4 00:05:35.783: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> Ethernet1/0, changed state to down
> *Mar 4 00:05:35.783: %HSRP-5-STATECHANGE: Ethernet1/0 Grp 1 state Active ->
> Init
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Rack1SW2#
> 00:26:55: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/4,
> putting Fa1/0/4 in err-disable state
> 00:26:55: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
> caused by MAC address 0000.0c07.ac01 on port FastEthernet1/0/4.
> 00:26:56: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4,
> changed state to down
> 00:26:57: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to down
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>
> I know that use-bia is a workaround to this problem. But suppose you are
> not allowed to use it, which options do we have?
>
>
> Thanks,
> Antonio
>
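The violation above is caused by 0000.0c07.ac01, which is the HSRPv1 virtual MAC for group 1, so the port saw the router's BIA plus the virtual MAC moving onto it when R4 became active. The script below is an added example, not part of the thread or of any Cisco tool: it parses the PSECURE debug and PSECURE_VIOLATION syslog formats shown in this thread, counts the secure addresses learned per port against the configured maximum, and tags a violating MAC as an HSRP virtual MAC (v1 0000.0c07.acXX, v2 0000.0c9f.fXXX, group number in the low bits) or as a physical address. The sample lines are constructed to match the thread's output; the function names and the log-line layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the debug and syslog output in the thread
# (these are not the original captures).
SAMPLE_DEBUG = [
    "12w1d: PSECURE: Adding 0005.dca4.2c08 as dynamic on port Fa0/5 for vlan 45",
    "12w1d: PSECURE: Adding 0000.0c07.ac01 as dynamic on port Fa0/5 for vlan 45",
]
SAMPLE_SYSLOG = [
    "00:26:55: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/4, "
    "putting Fa1/0/4 in err-disable state",
    "00:26:55: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 0000.0c07.ac01 on port FastEthernet1/0/4.",
]

MAC = r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
LEARN_RE = re.compile(r"PSECURE: Adding " + MAC + r" as dynamic on port (\S+) for vlan (\d+)")
VIOLATION_RE = re.compile(
    r"PSECURE_VIOLATION: Security violation occurred, caused by MAC address "
    + MAC + r" on port (\S+)\."
)


def hsrp_v1_vmac(group: int) -> str:
    """HSRPv1 virtual MAC: 0000.0c07.acXX, XX = group number (0-255) in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def hsrp_v2_vmac(group: int) -> str:
    """HSRPv2 virtual MAC: 0000.0c9f.fXXX, XXX = group number (0-4095) in hex."""
    if not 0 <= group <= 4095:
        raise ValueError("HSRPv2 group must be 0-4095")
    return f"0000.0c9f.f{group:03x}"


def classify_mac(mac: str):
    """Return ("hsrp-v1", group), ("hsrp-v2", group) or ("physical", None)."""
    mac = mac.lower()
    if mac.startswith("0000.0c07.ac"):
        return ("hsrp-v1", int(mac[-2:], 16))
    if mac.startswith("0000.0c9f.f"):
        return ("hsrp-v2", int(mac[-3:], 16))
    return ("physical", None)


def secure_addresses(debug_lines):
    """Map port -> set of MACs that 'debug port-security' shows being learned as secure."""
    learned = defaultdict(set)
    for line in debug_lines:
        m = LEARN_RE.search(line)
        if m:
            mac, port, _vlan = m.groups()
            learned[port].add(mac.lower())
    return dict(learned)


def over_limit(debug_lines, maximum: int):
    """Ports whose learned secure-address count exceeds 'switchport port-security maximum'."""
    return {p: macs for p, macs in secure_addresses(debug_lines).items() if len(macs) > maximum}


def violations(syslog_lines):
    """Parse PSECURE_VIOLATION messages and tag the offending MAC as virtual or physical."""
    out = []
    for line in syslog_lines:
        m = VIOLATION_RE.search(line)
        if m:
            mac, port = m.groups()
            kind, group = classify_mac(mac)
            out.append({"port": port, "mac": mac.lower(), "kind": kind, "group": group})
    return out


if __name__ == "__main__":
    print("secure addresses per port:", secure_addresses(SAMPLE_DEBUG))
    print("ports over a maximum of 2:", over_limit(SAMPLE_DEBUG, 2))
    for v in violations(SAMPLE_SYSLOG):
        label = v["kind"] if v["group"] is None else f'{v["kind"]} group {v["group"]}'
        print(f'{v["port"]}: violation by {v["mac"]} ({label})')
```

Run against the thread's own lines, the violation on Fa1/0/4 is tagged as HSRPv1 group 1, which tells the operator the port tripped on an expected virtual MAC rather than a rogue host; that is the information needed to decide whether the maximum should account for every virtual MAC that can appear on the port before clearing the err-disable state.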
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:49 ART