Port-Security and HSRP (Again !!!)

From: Antonio Soares (amsoares@netcabo.pt)
Date: Sun Jun 24 2007 - 17:54:05 ART


Hello group,

I still have doubts on this one. Why do I get Port-Security Violations as
soon as I change the Active Router? I know that "standby use-bia" or
"standby mac-address" is a workaround to this problem but I saw this
configuration in one of the major vendors CoD and it was working. If I
remember well, the instructor had to change the maximum mac-addresses value
from 2 to 3. Does it make any sense? See below my configs and outputs.
Both R2 and R5 are connected to SW2 which is a 3750 running 12.2.25SEE.

Thanks,
Antonio

++++++++++++++++++++++++++++++++++++++++++
R5#sh runn int e1/1
Building configuration...

Current configuration : 166 bytes
!
interface Ethernet1/1
 ip address 12.12.14.5 255.255.255.0
 half-duplex
 standby ip 12.12.14.1
 standby priority 105
 standby preempt
 standby track Serial0/0
end

R5#
++++++++++++++++++++++++++++++++++++++++++
R5#sh standby
Ethernet1/1 - Group 0
  State is Active
    17 state changes, last state change 00:04:32
  Virtual IP address is 12.12.14.1
  Active virtual MAC address is 0000.0c07.ac00
    Local virtual MAC address is 0000.0c07.ac00 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.752 secs
  Preemption enabled
  Active router is local
  Standby router is 12.12.14.2, priority 100 (expires in 8.758 sec)
  Priority 105 (configured 105)
    Track interface Serial0/0 state Up decrement 10
  IP redundancy name is "hsrp-Et1/1-0" (default)
R5#
++++++++++++++++++++++++++++++++++++++++++
R2#sh runn int e1/1
Building configuration...

Current configuration : 144 bytes
!
interface Ethernet1/1
 ip address 12.12.14.2 255.255.255.0
 half-duplex
 standby ip 12.12.14.1
 standby preempt
 standby track Serial0/0
end

R2#
++++++++++++++++++++++++++++++++++++++++++
R2#sh standby
Ethernet1/1 - Group 0
  State is Standby
    31 state changes, last state change 00:03:52
  Virtual IP address is 12.12.14.1
  Active virtual MAC address is 0000.0c07.ac00
    Local virtual MAC address is 0000.0c07.ac00 (default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.741 secs
  Preemption enabled
  Active router is 12.12.14.5, priority 105 (expires in 7.732 sec)
  Standby router is local
  Priority 100 (default 100)
    Track interface Serial0/0 state Up decrement 10
  IP redundancy name is "hsrp-Et1/1-0" (default)
R2#
++++++++++++++++++++++++++++++++++++++++++
SW2#sh runn int f1/0/2
Building configuration...

Current configuration : 217 bytes
!
interface FastEthernet1/0/2
 switchport access vlan 12
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
end
++++++++++++++++++++++++++++++++++++++++++
SW2#sh runn int f1/0/5
Building configuration...

Current configuration : 217 bytes
!
interface FastEthernet1/0/5
 switchport access vlan 12
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
end

SW2#
++++++++++++++++++++++++++++++++++++++++++
SW2#
SW2#sh port-security int f1/0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0030.9436.01f1:12
Security Violation Count : 0
++++++++++++++++++++++++++++++++++++++++++
SW2#sh port-security int f1/0/5
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0011.93e6.91d1:12
Security Violation Count : 0

SW2#
++++++++++++++++++++++++++++++++++++++++++
R5(config)#int e1/1
R5(config-if)#standby priority 99
R5(config-if)#
Jun 24 21:40:52.138: %HSRP-5-STATECHANGE: Ethernet1/1 Grp 0 state Active -> Speak
R5(config-if)#
Jun 24 21:41:02.138: %HSRP-5-STATECHANGE: Ethernet1/1 Grp 0 state Speak -> Standby
R5(config-if)#
Jun 24 21:41:12.139: %HSRP-5-STATECHANGE: Ethernet1/1 Grp 0 state Standby -> Active
R5(config-if)#
++++++++++++++++++++++++++++++++++++++++++
R2#
Jun 24 21:40:58.292: %HSRP-5-STATECHANGE: Ethernet1/1 Grp 0 state Standby -> Active
R2#
++++++++++++++++++++++++++++++++++++++++++
SW2#
1d20h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac00 on port FastEthernet1/0/2.
SW2#
1d20h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac00 on port FastEthernet1/0/2.
SW2#
++++++++++++++++++++++++++++++++++++++++++
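
Added example, not part of the original post: a Python triage helper for the PSECURE_VIOLATION messages above, which reports whether the offending address is an HSRP virtual MAC and whether it is already secured on another port. The names `hsrp_group` and `classify` are hypothetical, the secure-address table is an assumption (the post shows only counts, not the addresses), and the model assumes port security rejects an address that is already secure on another port in the same VLAN.

```python
import re

# HSRP virtual MACs: v1 is 0000.0c07.acXX (XX = group), v2 is 0000.0c9f.fXXX.
HSRP_VMAC = re.compile(r"^0000\.0c(?:07\.ac([0-9a-f]{2})|9f\.f([0-9a-f]{3}))$")
VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,\s+"
    r"caused by MAC address ([0-9a-f.]{14}) on port (\S+?)\.?\s*$", re.I)

def hsrp_group(mac):
    """Return the HSRP group number encoded in a virtual MAC, or None."""
    m = HSRP_VMAC.match(mac.lower())
    return int(m.group(1) or m.group(2), 16) if m else None

def classify(log_text, secure_table, max_per_port):
    """Explain each violation using a secure-address table (port -> set of MACs)."""
    # Archived syslog lines are often wrapped after "occurred,"; rejoin them.
    joined = re.sub(r",\s*\n\s*caused", ", caused", log_text)
    findings = []
    for line in joined.splitlines():
        m = VIOLATION.search(line)
        if not m:
            continue
        mac, port = m.group(1).lower(), m.group(2)
        # Simplified model: a MAC secured on one port may not appear on another.
        owner = next((p for p, macs in secure_table.items()
                      if mac in macs and p != port), None)
        if owner:
            reason = "secured-on-other-port"
        elif len(secure_table.get(port, ())) >= max_per_port:
            reason = "maximum-exceeded"
        else:
            reason = "unknown"
        findings.append({"port": port, "mac": mac, "reason": reason,
                         "owner": owner, "hsrp_group": hsrp_group(mac)})
    return findings

# Constructed input: the log text is copied from the post; the table contents
# are assumed, consistent with the Total MAC Addresses counts shown (1 and 2).
SAMPLE_LOG = """1d20h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
caused by MAC address 0000.0c07.ac00 on port FastEthernet1/0/2.
"""
SAMPLE_TABLE = {
    "FastEthernet1/0/2": {"0030.9436.01f1"},
    "FastEthernet1/0/5": {"0011.93e6.91d1", "0000.0c07.ac00"},
}

if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG, SAMPLE_TABLE, max_per_port=2):
        print(finding)
```
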


