RE: HSRP and Port Security

From: Antonio Soares (amsoares@netcabo.pt)
Date: Fri Mar 02 2007 - 10:44:01 ART


Yes, the standby MAC addresses don't need to be the same. Great solution!!!

Thanks.
Antonio

-----Original Message-----
From: Ivan [mailto:ivan@iip.net]
Sent: Friday, 2 March 2007 12:32
To: ccielab@groupstudy.com; Antonio Soares
Cc: Thomas.W.Johnson@chase.com; osuphd2b@yahoo.com
Subject: Re: HSRP and Port Security

As Thomas wrote, you must use

R1:
standby 1 mac-address 1.1.1
R2:
standby 1 mac-address 2.2.2

On Friday 02 March 2007 14:31, Antonio Soares wrote:
> Hello Thomas,
>
> Yes, I'm using the defaults. The problem occurs when the active router
> changes. When this occurs, the standby MAC is seen on two different
> ports on the switch and the switch reports a Port Security violation.
> This makes sense, but if you are not allowed to use "standby use-bia",
> which options do we have? I tried using another HSRP MAC but the problem
> is the same:
>
> +++++++++++++++++++
> Rack1SW2(config-if)#
> 10:40:43: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/4, putting Fa1/0/4 in err-disable state
> 10:40:43: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.2222 on port FastEthernet1/0/4.
> 10:40:44: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to down
> 10:40:45: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to down
> +++++++++++++++++++
>
> Thanks.
> Antonio
>
> -----Original Message-----
> From: Thomas.W.Johnson@chase.com [mailto:Thomas.W.Johnson@chase.com]
> Sent: Friday, 2 March 2007 3:10
> To: osuphd2b@yahoo.com; amsoares@netcabo.pt; ccielab@groupstudy.com
> Subject: RE: HSRP and Port Security
>
> Are you using the default HSRP MAC address? And port-security keeps
> err-disabling the ports?
>
> It is a security violation when one of these situations occurs:
>
> *The maximum number of secure MAC addresses have been added to the
> address table, and a station whose MAC address is not in the address
> table attempts to access the interface.
>
> *An address learned or configured on one secure interface is seen on
> another secure interface in the same VLAN.
>
> So, you have two options. Use the standby use-bia command or use the
> standby mac-address command.
>
> Hope that helps.
>
>
> Thomas Johnson
> JP Morgan Chase
> Global Network Implementation
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of James Russell
> Sent: Thursday, March 01, 2007 8:04 PM
> To: Antonio Soares; ccielab@groupstudy.com
> Subject: Re: HSRP and Port Security
>
> I have set up a similar lab, and I am not having this problem. Since
> this is my first post, I will refrain from sticking my configs in here.
>
>
> Antonio Soares <amsoares@netcabo.pt> wrote:
> Hello GS,
>
> I'm having problems understanding why HSRP does not seem to work with
> Port Security. R4 and R6 are running HSRP and are connected to SW2
> F1/0/4 and F1/0/6 respectively. Here are the configs:
> <original message truncated>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

--
Ivan
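
Added example, not part of the original thread: a toy Python model of the two violation conditions Thomas quotes, showing why a shared HSRP MAC err-disables a port on failover and distinct per-router "standby mac-address" values do not. The class, the burned-in addresses, the per-port maximum of 2 and the failover order are assumptions made for illustration; this is not Cisco's implementation.

```python
# Toy model of the two port-security violation conditions quoted in the thread.
# Constructed for illustration: one VLAN, dynamic learning, no aging, and the
# default "shutdown" violation mode. BIAs and the max of 2 are assumptions.

class SecureSwitch:
    def __init__(self, max_per_port):
        self.max_per_port = max_per_port
        self.secure = {}           # port -> set of secure MACs learned there
        self.err_disabled = set()  # ports shut down after a violation

    def frame(self, port, src_mac):
        """Handle one source MAC on a secure port: 'ok', 'violation' or 'dropped'."""
        if port in self.err_disabled:
            return "dropped"
        learned = self.secure.setdefault(port, set())
        if src_mac in learned:
            return "ok"
        # Address already secured on another secure interface in the VLAN.
        moved = any(src_mac in macs for p, macs in self.secure.items() if p != port)
        # Table full and an unknown address tries to use the interface.
        full = len(learned) >= self.max_per_port
        if moved or full:
            self.err_disabled.add(port)
            return "violation"
        learned.add(src_mac)
        return "ok"


def failover(hsrp_mac_r4, hsrp_mac_r6):
    """R6 is active first, then R4 takes over. Returns err-disabled ports."""
    sw = SecureSwitch(max_per_port=2)        # router BIA + HSRP MAC per port
    sw.frame("Fa1/0/4", "aaaa.bbbb.0004")    # R4 burned-in address (made up)
    sw.frame("Fa1/0/6", "aaaa.bbbb.0006")    # R6 burned-in address (made up)
    sw.frame("Fa1/0/6", hsrp_mac_r6)         # R6 active: HSRP MAC learned here
    sw.frame("Fa1/0/4", hsrp_mac_r4)         # R4 becomes active
    return sorted(sw.err_disabled)


if __name__ == "__main__":
    # Same HSRP MAC on both routers: the address moves between secure ports.
    print(failover("0000.1111.2222", "0000.1111.2222"))
    # Distinct per-router HSRP MACs (constructed values): nothing moves.
    print(failover("0001.0001.0001", "0002.0002.0002"))
```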


This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:49 ART