Re: Port-Security and HSRP (Again !!!)

From: Shafagh Zandi (szmetal@gmail.com)
Date: Mon Jun 25 2007 - 05:20:53 ART


It's not a good solution Petr, manual HSRP :)

By default, a port security violation causes the switch interface to become
error-disabled and to shutdown immediately, which blocks the HSRP status
messages between the routers.

*Workaround*

   - Issue the *standby use-bia* command
     (<http://www.cisco.com/en/US/products/ps6350/products_command_reference_chapter09186a00804462c4.html#wp1165870>)
     on the routers. This forces the routers to use a burned-in address for
     HSRP instead of the virtual MAC address.
   - Disable port security on the switch ports that connect to the HSRP
     enabled routers.

Maybe we can also change the err-disable setting for a shorter recovery time,
but it is not a good idea.

Sincerely,
Shafagh Zandi

On 6/25/07, Petr Lapukhov <petr@internetworkexpert.com> wrote:
>
> Antonio,
>
> Looks like the violation is caused by a "duplicate" MAC address sourced on
> the new "active" port. When you transition by lowering HSRP priority, a new
> active router claims the virtual MAC. Since the old port still has it
> learned, it may temporarily cause violation messages. To "avoid" this, try
> shutting down the active router's interface, effectively forcing the switch
> to wipe out the MAC address table associated with that port.
>
> --
> Petr Lapukhov, CCIE #16379 (R&S/Security/SP)
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
>
> 2007/6/25, Antonio Soares <amsoares@netcabo.pt>:
> >
> > Hello group,
> >
> > I still have doubts on this one. Why do I get Port-Security Violations as
> > soon as I change the Active Router? I know that "standby use-bia" or
> > "standby mac-address" is a workaround to this problem, but I saw this
> > configuration in one of the major vendors' CoD and it was working. If I
> > remember well, the instructor had to change the maximum mac-addresses
> > value from 2 to 3. Does it make any sense? See below my configs and outputs.
> > Both R2 and R5 are connected to SW2, which is a 3750 running 12.2.25SEE.
> >
> > Thanks,
> > Antonio
> >
> > ++++++++++++++++++++++++++++++++++++++++++
> > R5#sh runn int e1/1
> > Building configuration...
> >
> > Current configuration : 166 bytes
> > !
> > interface Ethernet1/1
> > ip address 12.12.14.5 255.255.255.0
> > half-duplex
> > standby ip 12.12.14.1
> > standby priority 105
> > standby preempt
> > standby track Serial0/0
> > end
> >
> > R5#
> > ++++++++++++++++++++++++++++++++++++++++++
> > R5#sh standby
> > Ethernet1/1 - Group 0
> > State is Active
> > 17 state changes, last state change 00:04:32
> > Virtual IP address is 12.12.14.1
> > Active virtual MAC address is 0000.0c07.ac00
> > Local virtual MAC address is 0000.0c07.ac00 (v1 default)
> > Hello time 3 sec, hold time 10 sec
> > Next hello sent in 0.752 secs
> > Preemption enabled
> > Active router is local
> > Standby router is 12.12.14.2, priority 100 (expires in 8.758 sec)
> > Priority 105 (configured 105)
> > Track interface Serial0/0 state Up decrement 10
> > IP redundancy name is "hsrp-Et1/1-0" (default)
> > R5#
> > ++++++++++++++++++++++++++++++++++++++++++
> > R2#sh runn int e1/1
> > Building configuration...
> >
> > Current configuration : 144 bytes
> > !
> > interface Ethernet1/1
> > ip address 12.12.14.2 255.255.255.0
> > half-duplex
> > standby ip 12.12.14.1
> > standby preempt
> > standby track Serial0/0
> > end
> >
> > R2#
> > ++++++++++++++++++++++++++++++++++++++++++
> > R2#sh standby
> > Ethernet1/1 - Group 0
> > State is Standby
> > 31 state changes, last state change 00:03:52
> > Virtual IP address is 12.12.14.1
> > Active virtual MAC address is 0000.0c07.ac00
> > Local virtual MAC address is 0000.0c07.ac00 (default)
> > Hello time 3 sec, hold time 10 sec
> > Next hello sent in 1.741 secs
> > Preemption enabled
> > Active router is 12.12.14.5, priority 105 (expires in 7.732 sec)
> > Standby router is local
> > Priority 100 (default 100)
> > Track interface Serial0/0 state Up decrement 10
> > IP redundancy name is "hsrp-Et1/1-0" (default)
> > R2#
> > ++++++++++++++++++++++++++++++++++++++++++
> > SW2#sh runn int f1/0/2
> > Building configuration...
> >
> > Current configuration : 217 bytes
> > !
> > interface FastEthernet1/0/2
> > switchport access vlan 12
> > switchport mode access
> > switchport nonegotiate
> > switchport port-security maximum 2
> > switchport port-security
> > switchport port-security violation restrict
> > end
> > ++++++++++++++++++++++++++++++++++++++++++
> > SW2#sh runn int f1/0/5
> > Building configuration...
> >
> > Current configuration : 217 bytes
> > !
> > interface FastEthernet1/0/5
> > switchport access vlan 12
> > switchport mode access
> > switchport nonegotiate
> > switchport port-security maximum 2
> > switchport port-security
> > switchport port-security violation restrict
> > end
> >
> > SW2#
> > ++++++++++++++++++++++++++++++++++++++++++
> > SW2#
> > SW2#sh port-security int f1/0/2
> > Port Security : Enabled
> > Port Status : Secure-up
> > Violation Mode : Restrict
> > Aging Time : 0 mins
> > Aging Type : Absolute
> > SecureStatic Address Aging : Disabled
> > Maximum MAC Addresses : 2
> > Total MAC Addresses : 1
> > Configured MAC Addresses : 0
> > Sticky MAC Addresses : 0
> > Last Source Address:Vlan : 0030.9436.01f1:12
> > Security Violation Count : 0
> > ++++++++++++++++++++++++++++++++++++++++++
> > SW2#sh port-security int f1/0/5
> > Port Security : Enabled
> > Port Status : Secure-up
> > Violation Mode : Restrict
> > Aging Time : 0 mins
> > Aging Type : Absolute
> > SecureStatic Address Aging : Disabled
> > Maximum MAC Addresses : 2
> > Total MAC Addresses : 2
> > Configured MAC Addresses : 0
> > Sticky MAC Addresses : 0
> > Last Source Address:Vlan : 0011.93e6.91d1:12
> > Security Violation Count : 0
> >
> > SW2#
> > ++++++++++++++++++++++++++++++++++++++++++
> > R5(config)#int e1/1
> > R5(config-if)#standby priority 99
> > R5(config-if)#
> > Jun 24 21:40:52.138: %HSRP-5-STATECHANGE: Ethernet1/1 Grp 0 state Active -> Speak
> > R5(config-if)#
> > Jun 24 21:41:02.138: %HSRP-5-STATECHANGE: Ethernet1/1 Grp 0 state Speak -> Standby
> > R5(config-if)#
> > Jun 24 21:41:12.139: %HSRP-5-STATECHANGE: Ethernet1/1 Grp 0 state Standby -> Active
> > R5(config-if)#
> > ++++++++++++++++++++++++++++++++++++++++++
> > R2#
> > Jun 24 21:40:58.292: %HSRP-5-STATECHANGE: Ethernet1/1 Grp 0 state Standby -> Active
> > R2#
> > ++++++++++++++++++++++++++++++++++++++++++
> > SW2#
> > 1d20h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
> > caused by MAC address 0000.0c07.ac00 on port FastEthernet1/0/2.
> > SW2#
> > 1d20h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
> > caused by MAC address 0000.0c07.ac00 on port FastEthernet1/0/2.
> > SW2#
> > ++++++++++++++++++++++++++++++++++++++++++
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>

-- 
Shafagh Zandi,
www.shafagh.com
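A small added example, not from any post in this thread, that models the secure-address rule behind the violations Antonio saw and triages the SW2 syslog line so an operator can tell HSRP failover noise from an unknown host. The rule it encodes (a MAC already secured on another secure port in the same VLAN is a violation on arrival, whatever the receiving port's own maximum) is my reading of Catalyst port-security behaviour; Switch, replay_failover and triage are names I made up, and the port names and MACs are taken from the outputs in the thread, assuming R2 sits on Fa1/0/2 and R5 on Fa1/0/5.

```python
import re

# HSRPv1 virtual MACs are 0000.0c07.acXX (XX = group number; group 0 -> ac00).
HSRP_V1_VMAC = re.compile(r"^0000\.0c07\.ac[0-9a-f]{2}$")
VIOLATION_RE = re.compile(r"PSECURE_VIOLATION: Security violation occurred, "
                          r"caused by MAC address ([0-9a-f.]+) on port (\S+)\.")

class Switch:
    """Model of secure-address learning (assumption based on Catalyst behaviour):
    a MAC already secured on another port in the same VLAN is a violation when it
    arrives, independent of the receiving port's own maximum / free slots."""
    def __init__(self, ports):
        # name -> {"vlan": int, "max": int, "macs": set of dynamically secured MACs}
        self.ports = {n: {"vlan": v, "max": m, "macs": set()} for n, (v, m) in ports.items()}

    def frame(self, name, mac):
        port = self.ports[name]
        if mac in port["macs"]:
            return "ok"
        if any(o is not port and o["vlan"] == port["vlan"] and mac in o["macs"]
               for o in self.ports.values()):
            return "violation-duplicate"      # the SW2 message in the thread
        if len(port["macs"]) >= port["max"]:
            return "violation-maximum"
        port["macs"].add(mac)
        return "learned"

    def link_down(self, name):
        self.ports[name]["macs"].clear()       # dynamic secure MACs drop on link down

def replay_failover(flush_old_active):
    """Replay the thread's setup: VLAN 12, maximum 2 on both ports, R5 active."""
    sw = Switch({"Fa1/0/2": (12, 2), "Fa1/0/5": (12, 2)})
    sw.frame("Fa1/0/2", "0030.9436.01f1")      # R2 BIA (from the thread's outputs)
    sw.frame("Fa1/0/5", "0011.93e6.91d1")      # R5 BIA
    sw.frame("Fa1/0/5", "0000.0c07.ac00")      # R5 active, so it sources the virtual MAC
    if flush_old_active:
        sw.link_down("Fa1/0/5")                # Petr's workaround: shut the old active
    return sw.frame("Fa1/0/2", "0000.0c07.ac00")   # R2 takes over and sources the vMAC

def triage(line):
    """Classify a PSECURE_VIOLATION syslog line as HSRP failover noise or an unknown host."""
    m = VIOLATION_RE.search(line)
    if not m:
        return None
    mac, port = m.groups()
    return port, mac, ("hsrp-virtual-mac" if HSRP_V1_VMAC.match(mac) else "unknown-host")

LOG = "1d20h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac00 on port FastEthernet1/0/2."  # constructed copy of the SW2 line
```

With flush_old_active=False the model reproduces the violation on Fa1/0/2 even though that port has a free slot; with it set to True the virtual MAC is simply learned, which is why "standby use-bia" (no shared MAC moving between ports) also avoids the problem.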


This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:51 ART