RE: Port-Security and HSRP (Again !!!)

From: M S (michaelgstout@hotmail.com)
Date: Mon Jun 25 2007 - 01:02:17 ART


I will try it.

  --------------------------------------------------------------------

  From: "Antonio Soares" <amsoares@netcabo.pt>
  To: "'M S'" <michaelgstout@hotmail.com>,<ccielab@groupstudy.com>
  Subject: RE: Port-Security and HSRP (Again !!!)
  Date: Mon, 25 Jun 2007 01:41:19 +0100

Ok, you have a config with two switches. I had one with just one switch.
In your case you won't see Port Security messages but you still have a
problem: Try to ping the standby-ip from both routers and see what
happens. It won't work from the standby router. Then change the active
router and repeat the previous test. This is because both switches have
the standby MAC statically associated with the ports where the routers
are. Then reconfigure this scenario with just one switch. It will be
easier to see the problem this conjunction of features has.

------------------------------------------------------------------------

From: M S [mailto:michaelgstout@hotmail.com]
Sent: segunda-feira, 25 de Junho de 2007 1:12
To: amsoares@netcabo.pt; ccielab@groupstudy.com
Subject: RE: Port-Security and HSRP (Again !!!)

Here is the rest

CAT2#wr
Building configuration...
[OK]
CAT2#sho run int fas 0/3
Building configuration...

Current configuration : 268 bytes
!
interface FastEthernet0/3
 description R3
 switchport access vlan 36
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address 0000.0c07.ac01
 switchport port-security mac-address 0016.4699.19d9
end

CAT2#sho port inter fa 0/3
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 2
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0016.4699.19d9:36
Security Violation Count : 0

CAT2#sh ip int br fas 0/3
Interface IP-Address OK? Method Status Protocol
FastEthernet0/3 unassigned YES unset up up
CAT2#

  --------------------------------------------------------------------

  From: "Antonio Soares" <amsoares@netcabo.pt>
  To: "'M S'" <michaelgstout@hotmail.com>,<ccielab@groupstudy.com>
  Subject: RE: Port-Security and HSRP (Again !!!)
  Date: Mon, 25 Jun 2007 00:26:02 +0100

  I only see one port configured and I see you statically configured
  the Standby MAC-Address. I see a problem with this type of config:
  you cannot assign the same MAC to two different ports. Please try
  with two routers and then play with the HSRP priorities to see what
  happens. I just want to be sure that without "standby use-bia" or
  "standby mac-address" configured on the routers, this will never
  work.

  --------------------------------------------------------------------

  From: M S [mailto:michaelgstout@hotmail.com]
  Sent: segunda-feira, 25 de Junho de 2007 0:16
  To: amsoares@netcabo.pt; ccielab@groupstudy.com
  Subject: RE: Port-Security and HSRP (Again !!!)

  Here is a config where I got it to work with two mac addresses.

  CAT1#sho port int fas 0/9
  Port Security : Enabled
  Port Status : Secure-up
  Violation Mode : Shutdown
  Aging Time : 0 mins
  Aging Type : Absolute
  SecureStatic Address Aging : Disabled
  Maximum MAC Addresses : 2
  Total MAC Addresses : 2
  Configured MAC Addresses : 2
  Sticky MAC Addresses : 0
  Last Source Address:Vlan : 0030.1917.1421:36
  Security Violation Count : 0

  CAT1#sho int fas 0/9 | in protocol
  FastEthernet0/9 is up, line protocol is up (connected)
  CAT1#sho run int fas 0/09
  Building configuration...

  Current configuration : 269 bytes
  !
  interface FastEthernet0/9
   description FRS
   switchport access vlan 36
   switchport mode access
   switchport port-security maximum 2
   switchport port-security
   switchport port-security mac-address 0000.0c07.ac01
   switchport port-security mac-address 0030.1917.1421
  end

  CAT1#

    ----------------------------------------------------------------

    From: "Antonio Soares" <amsoares@netcabo.pt>
    Reply-To: "Antonio Soares" <amsoares@netcabo.pt>
    To: "'Cisco certification'" <ccielab@groupstudy.com>
    Subject: Port-Security and HSRP (Again !!!)
    Date: Sun, 24 Jun 2007 21:54:05 +0100

    Hello group,

    I still have doubts on this one. Why do I get Port-Security Violations as
    soon as I change the Active Router? I know that "standby use-bia" or
    "standby mac-address" is a workaround to this problem but I saw this
    configuration in one of the major vendors' CoD and it was working. If I
    remember well, the instructor had to change the maximum mac-addresses
    value from 2 to 3. Does it make any sense? See below my configs and
    outputs. Both R2 and R5 are connected to SW2 which is a 3750 running
    12.2.25SEE.

    Thanks,
    Antonio

    ++++++++++++++++++++++++++++++++++++++++++
    R5#sh runn int e1/1
    Building configuration...

    Current configuration : 166 bytes
    !
    interface Ethernet1/1
      ip address 12.12.14.5 255.255.255.0
      half-duplex
      standby ip 12.12.14.1
      standby priority 105
      standby preempt
      standby track Serial0/0
    end

    R5#
    ++++++++++++++++++++++++++++++++++++++++++
    R5#sh standby
    Ethernet1/1 - Group 0
    State is Active
    17 state changes, last state change 00:04:32
    Virtual IP address is 12.12.14.1
    Active virtual MAC address is 0000.0c07.ac00
    Local virtual MAC address is 0000.0c07.ac00 (v1 default)
    Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.752 secs
    Preemption enabled
    Active router is local
    Standby router is 12.12.14.2, priority 100 (expires in 8.758 sec)
    Priority 105 (configured 105)
    Track interface Serial0/0 state Up decrement 10
    IP redundancy name is "hsrp-Et1/1-0" (default)
    R5#
    ++++++++++++++++++++++++++++++++++++++++++
    R2#sh runn int e1/1
    Building configuration...

    Current configuration : 144 bytes
    !
    interface Ethernet1/1
      ip address 12.12.14.2 255.255.255.0
      half-duplex
      standby ip 12.12.14.1
      standby preempt
      standby track Serial0/0
    end

    R2#
    ++++++++++++++++++++++++++++++++++++++++++
    R2#sh standby
    Ethernet1/1 - Group 0
    State is Standby
    31 state changes, last state change 00:03:52
    Virtual IP address is 12.12.14.1
    Active virtual MAC address is 0000.0c07.ac00
    Local virtual MAC address is 0000.0c07.ac00 (default)
    Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.741 secs
    Preemption enabled
    Active router is 12.12.14.5, priority 105 (expires in 7.732 sec)
    Standby router is local
    Priority 100 (default 100)
    Track interface Serial0/0 state Up decrement 10
    IP redundancy name is "hsrp-Et1/1-0" (default)
    R2#
    ++++++++++++++++++++++++++++++++++++++++++
    SW2#sh runn int f1/0/2
    Building configuration...

    Current configuration : 217 bytes
    !
    interface FastEthernet1/0/2
      switchport access vlan 12
      switchport mode access
      switchport nonegotiate
      switchport port-security maximum 2
      switchport port-security
      switchport port-security violation restrict
    end
    ++++++++++++++++++++++++++++++++++++++++++
    SW2#sh runn int f1/0/5
    Building configuration...

    Current configuration : 217 bytes
    !
    interface FastEthernet1/0/5
      switchport access vlan 12
      switchport mode access
      switchport nonegotiate
      switchport port-security maximum 2
      switchport port-security
      switchport port-security violation restrict
    end

    SW2#
    ++++++++++++++++++++++++++++++++++++++++++
    SW2#
    SW2#sh port-security int f1/0/2
    Port Security : Enabled
    Port Status : Secure-up
    Violation Mode : Restrict
    Aging Time : 0 mins
    Aging Type : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses : 2
    Total MAC Addresses : 1
    Configured MAC Addresses : 0
    Sticky MAC Addresses : 0
    Last Source Address:Vlan : 0030.9436.01f1:12
    Security Violation Count : 0
    ++++++++++++++++++++++++++++++++++++++++++
    SW2#sh port-security int f1/0/5
    Port Security : Enabled
    Port Status : Secure-up
    Violation Mode : Restrict
    Aging Time : 0 mins
    Aging Type : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses : 2
    Total MAC Addresses : 2
    Configured MAC Addresses : 0
    Sticky MAC Addresses : 0
    Last Source Address:Vlan : 0011.93e6.91d1:12
    Security Violation Count : 0

    SW2#
    ++++++++++++++++++++++++++++++++++++++++++
    R5(config)#int e1/1
    R5(config-if)#standby priority 99
    R5(config-if)#
    Jun 24 21:40:52.138: %HSRP-5-STATECHANGE: Ethernet1/1 Grp 0 state Active -> Speak
    R5(config-if)#
    Jun 24 21:41:02.138: %HSRP-5-STATECHANGE: Ethernet1/1 Grp 0 state Speak -> Standby
    R5(config-if)#
    Jun 24 21:41:12.139: %HSRP-5-STATECHANGE: Ethernet1/1 Grp 0 state Standby -> Active
    R5(config-if)#
    ++++++++++++++++++++++++++++++++++++++++++
    R2#
    Jun 24 21:40:58.292: %HSRP-5-STATECHANGE: Ethernet1/1 Grp 0 state Standby -> Active
    R2#
    ++++++++++++++++++++++++++++++++++++++++++
    SW2#
    1d20h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac00 on port FastEthernet1/0/2.
    SW2#
    1d20h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac00 on port FastEthernet1/0/2.
    SW2#
    ++++++++++++++++++++++++++++++++++++++++++




This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:51 ART
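
Added example, not part of the thread or of any poster's configuration: a Python sketch that reads PSECURE_VIOLATION messages in the format SW2 printed above and separates violations caused by an HSRP v1 virtual MAC (0000.0c07.acXX, as seen after the active router changed) from violations caused by any other address. The function names and the sample log are constructed for illustration; the second port and its MAC address are made up.

```python
import re
from collections import Counter, defaultdict

# HSRP version 1 virtual MAC: 0000.0c07.acXX, XX = group number in hex
# (group 0 in the thread is 0000.0c07.ac00).
HSRP_V1_VMAC = re.compile(r"0000\.0c07\.ac([0-9a-f]{2})", re.IGNORECASE)

# Message format as printed by SW2 in the thread.
VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address ((?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) "
    r"on port ([A-Za-z]+[0-9/]+)",
    re.IGNORECASE,
)

def hsrp_group(mac):
    """Return the HSRP v1 group number if mac is a virtual MAC, else None."""
    m = HSRP_V1_VMAC.fullmatch(mac)
    return int(m.group(1), 16) if m else None

def classify_violations(log_text):
    """Map port -> {'hsrp': Counter(group), 'other': Counter(mac)}."""
    # Mail archives wrap long syslog lines, so collapse whitespace first.
    flat = re.sub(r"\s+", " ", log_text)
    ports = defaultdict(lambda: {"hsrp": Counter(), "other": Counter()})
    for mac, port in VIOLATION.findall(flat):
        group = hsrp_group(mac)
        if group is None:
            ports[port]["other"][mac.lower()] += 1
        else:
            ports[port]["hsrp"][group] += 1
    return dict(ports)

def failover_ports(log_text):
    """Ports whose violations were caused only by an HSRP virtual MAC."""
    return sorted(p for p, c in classify_violations(log_text).items()
                  if c["hsrp"] and not c["other"])

# Constructed sample: one wrapped and one unwrapped copy of the thread's
# message, plus a made-up violation from a non-HSRP MAC on another port.
SAMPLE = """\
1d20h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation
occurred,
caused by MAC address 0000.0c07.ac00 on port FastEthernet1/0/2.
1d20h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac00 on port FastEthernet1/0/2.
1d21h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00de.adbe.ef01 on port FastEthernet1/0/7.
"""

if __name__ == "__main__":
    for port, counts in classify_violations(SAMPLE).items():
        print(port, dict(counts["hsrp"]), dict(counts["other"]))
```

A port that appears in `failover_ports()` shortly after an `%HSRP-5-STATECHANGE` message is the pattern discussed in this thread; a port with entries under `other` is an unrelated violation worth a separate look.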