From: Cacca Mucca (caccamucca@gmail.com)
Date: Fri Mar 02 2007 - 08:55:33 ART
It does seem odd.
Can you try without using 'spanning-tree portfast' on the switch interfaces?
You shouldn't use them on ports connecting to the routers.
I'd then retry.
Do a 'sh mac-address int FastEthernet1/0/4' to see how many mac addresses
are listed.
On 3/2/07, Antonio Soares <amsoares@netcabo.pt> wrote:
>
> Hello GS,
>
> I'm having problems understanding why HSRP does not seem to work with Port
> Security. R4 and R6 are running HSRP and are connected to SW2 F1/0/4 and
> F1/0/6 respectively. Here are the configs:
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Rack1SW2#sh runn int f1/0/4
> Building configuration...
>
> Current configuration : 173 bytes
> !
> interface FastEthernet1/0/4
> description Rack1R4
> switchport access vlan 146
> switchport mode access
> switchport port-security maximum 2
> switchport port-security
> spanning-tree portfast
> end
>
> Rack1SW2#sh runn int f1/0/6
> Building configuration...
>
> Current configuration : 173 bytes
> !
> interface FastEthernet1/0/6
> description Rack1R6
> switchport access vlan 146
> switchport mode access
> switchport port-security maximum 2
> switchport port-security
> spanning-tree portfast
> end
>
> Rack1SW2#
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Rack1R4#sh runn int e1/0
> Building configuration...
>
> Current configuration : 149 bytes
> !
> interface Ethernet1/0
> ip address 155.1.146.4 255.255.255.0
> half-duplex
> standby 1 ip 155.1.146.254
> standby 1 priority 0
> standby 1 preempt
> end
>
> Rack1R4#
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Rack1R6#sh running-config int f0/0
> Building configuration...
>
> Current configuration : 143 bytes
> !
> interface FastEthernet0/0
> ip address 155.1.146.6 255.255.255.0
> duplex auto
> speed auto
> standby 1 ip 155.1.146.254
> standby 1 preempt
> end
>
> Rack1R6#
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> As soon as I change the active router from R6 to R4, I get a Port
> Security Violation:
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Rack1R4(config-if)#standby 1 priority 255
> Rack1R4(config-if)#
> *Mar 4 00:05:31.780: %HSRP-5-STATECHANGE: Ethernet1/0 Grp 1 state Standby -> Active
> *Mar 4 00:05:35.783: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to down
> *Mar 4 00:05:35.783: %HSRP-5-STATECHANGE: Ethernet1/0 Grp 1 state Active -> Init
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Rack1SW2#
> 00:26:55: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/4, putting Fa1/0/4 in err-disable state
> 00:26:55: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac01 on port FastEthernet1/0/4.
> 00:26:56: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to down
> 00:26:57: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to down
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>
> I know that use-bia is a workaround to this problem. But suppose you are
> not allowed to use it, which options do we have?
>
>
> Thanks,
> Antonio
>
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:49 ART
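
An added triage example, not part of the original thread: it parses the switch's port-security violation messages and flags when the offending address is an HSRP version 1 virtual MAC (format `0000.0c07.acXX`, where `XX` is the group number in hex), as with `0000.0c07.ac01` and `standby 1` above. The function names are hypothetical, and the sample input is constructed from the switch log quoted in the post, with the wrapped lines rejoined.

```python
import re

# Constructed input: the switch log lines quoted in the post, unwrapped.
SAMPLE_LOG = """\
00:26:55: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/4, putting Fa1/0/4 in err-disable state
00:26:55: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac01 on port FastEthernet1/0/4.
00:26:56: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to down
"""

VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION:.*?MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$",
    re.IGNORECASE,
)
# HSRP version 1 virtual MACs are 0000.0c07.acXX, XX = group number in hex.
HSRP_V1 = re.compile(r"^0000\.0c07\.ac(?P<group>[0-9a-f]{2})$", re.IGNORECASE)


def hsrp_group(mac):
    """Return the HSRPv1 group number for a virtual MAC, else None."""
    m = HSRP_V1.match(mac)
    return int(m.group("group"), 16) if m else None


def triage(log_text):
    """Return one dict per port-security violation found in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = VIOLATION.search(line)
        if not m:
            continue  # not a PSECURE_VIOLATION message
        group = hsrp_group(m.group("mac"))
        findings.append({
            "port": m.group("port"),
            "mac": m.group("mac").lower(),
            "hsrp_group": group,
            "kind": "hsrp-virtual-mac" if group is not None else "other-mac",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding of kind `hsrp-virtual-mac` points at a first-hop redundancy failover rather than an unknown host on the port, which changes how the err-disable event should be handled.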