RE: Port-Security and HSRP (Again !!!)

From: Antonio Soares (amsoares@netcabo.pt)
Date: Mon Jun 25 2007 - 12:06:55 ART


Ok, so this confirms my thoughts: without "standby use-bia" or "standby
mac-address" configured on the routers, HSRP will not work in conjunction
with Port Security. The CoD where I saw this configuration without the
workarounds didn't mention this.

  _____

From: Shafagh Zandi [mailto:szmetal@gmail.com]
Sent: segunda-feira, 25 de Junho de 2007 9:21
To: Petr Lapukhov
Cc: Antonio Soares; Cisco certification
Subject: Re: Port-Security and HSRP (Again !!!)

It's not a good solution Petr, manual HSRP :)

By default, a port security violation causes the switch interface to become
error-disabled and to shutdown immediately, which blocks the HSRP status
messages between the routers.

Workaround

* Issue the standby use-bia command on the routers
  <http://www.cisco.com/en/US/products/ps6350/products_command_reference_chapter09186a00804462c4.html#wp1165870>.
  This forces the routers to use a burned-in address for HSRP instead of the
  virtual MAC address.

* Disable port security on the switch ports that connect to the HSRP enabled
  routers.

Maybe we can also change the err-disable setting for a shorter recovery time,
but it is not a good idea.

Sincerely,
Shafagh Zandi

 
On 6/25/07, Petr Lapukhov <petr@internetworkexpert.com> wrote:

Antonio,

Looks like the violation is caused by a "duplicate" MAC address sourced on
the new "active" port. When you transition by lowering HSRP priority, a new
active router claims the virtual MAC. Since the old port still has it
learned, it may temporarily cause violation messages. To "avoid" this, try
shutting down the active router's interface, effectively forcing the switch
to wipe out the MAC address table associated with that port.

--
Petr Lapukhov, CCIE #16379 (R&S/Security/SP)
petr@internetworkexpert.com

Internetwork Expert, Inc. http://www.InternetworkExpert.com

2007/6/25, Antonio Soares <amsoares@netcabo.pt>:
>
> Hello group,
>
> I still have doubts on this one. Why do I get Port-Security Violations as
> soon as I change the Active Router? I know that "standby use-bia" or
> "standby mac-address" is a workaround to this problem but I saw this
> configuration in one of the major vendors CoD and it was working. If I
> remember well, the instructor had to change the maximum mac-addresses value
> from 2 to 3. Does it make any sense? See below my configs and outputs.
> Both R2 and R5 are connected to SW2 which is a 3750 running 12.2.25SEE.
>
> Thanks,
> Antonio
>
> ++++++++++++++++++++++++++++++++++++++++++
> R5#sh runn int e1/1
> Building configuration...
>
> Current configuration : 166 bytes
> !
> interface Ethernet1/1
>  ip address 12.12.14.5 255.255.255.0
>  half-duplex
>  standby ip 12.12.14.1
>  standby priority 105
>  standby preempt
>  standby track Serial0/0
> end
>
> R5#
> ++++++++++++++++++++++++++++++++++++++++++
> R5#sh standby
> Ethernet1/1 - Group 0
> State is Active
> 17 state changes, last state change 00:04:32
> Virtual IP address is 12.12.14.1
> Active virtual MAC address is 0000.0c07.ac00
> Local virtual MAC address is 0000.0c07.ac00 (v1 default)
> Hello time 3 sec, hold time 10 sec
> Next hello sent in 0.752 secs
> Preemption enabled
> Active router is local
> Standby router is 12.12.14.2, priority 100 (expires in 8.758 sec)
> Priority 105 (configured 105)
> Track interface Serial0/0 state Up decrement 10
> IP redundancy name is "hsrp-Et1/1-0" (default)
> R5#
> ++++++++++++++++++++++++++++++++++++++++++
> R2#sh runn int e1/1
> Building configuration...
>
> Current configuration : 144 bytes
> !
> interface Ethernet1/1
>  ip address 12.12.14.2 255.255.255.0
>  half-duplex
>  standby ip 12.12.14.1
>  standby preempt
>  standby track Serial0/0
> end
>
> R2#
> ++++++++++++++++++++++++++++++++++++++++++
> R2#sh standby
> Ethernet1/1 - Group 0
> State is Standby
> 31 state changes, last state change 00:03:52
> Virtual IP address is 12.12.14.1
> Active virtual MAC address is 0000.0c07.ac00
> Local virtual MAC address is 0000.0c07.ac00 (default)
> Hello time 3 sec, hold time 10 sec
> Next hello sent in 1.741 secs
> Preemption enabled
> Active router is 12.12.14.5, priority 105 (expires in 7.732 sec)
> Standby router is local
> Priority 100 (default 100)
> Track interface Serial0/0 state Up decrement 10
> IP redundancy name is "hsrp-Et1/1-0" (default)
> R2#
> ++++++++++++++++++++++++++++++++++++++++++
> SW2#sh runn int f1/0/2
> Building configuration...
>
> Current configuration : 217 bytes
> !
> interface FastEthernet1/0/2
>  switchport access vlan 12
>  switchport mode access
>  switchport nonegotiate
>  switchport port-security maximum 2
>  switchport port-security
>  switchport port-security violation restrict
> end
> ++++++++++++++++++++++++++++++++++++++++++
> SW2#sh runn int f1/0/5
> Building configuration...
>
> Current configuration : 217 bytes
> !
> interface FastEthernet1/0/5
>  switchport access vlan 12
>  switchport mode access
>  switchport nonegotiate
>  switchport port-security maximum 2
>  switchport port-security
>  switchport port-security violation restrict
> end
>
> SW2#
> ++++++++++++++++++++++++++++++++++++++++++
> SW2#
> SW2#sh port-security int f1/0/2
> Port Security : Enabled
> Port Status : Secure-up
> Violation Mode : Restrict
> Aging Time : 0 mins
> Aging Type : Absolute
> SecureStatic Address Aging : Disabled
> Maximum MAC Addresses : 2
> Total MAC Addresses : 1
> Configured MAC Addresses : 0
> Sticky MAC Addresses : 0
> Last Source Address:Vlan : 0030.9436.01f1:12
> Security Violation Count : 0
> ++++++++++++++++++++++++++++++++++++++++++
> SW2#sh port-security int f1/0/5
> Port Security : Enabled
> Port Status : Secure-up
> Violation Mode : Restrict
> Aging Time : 0 mins
> Aging Type : Absolute
> SecureStatic Address Aging : Disabled
> Maximum MAC Addresses : 2
> Total MAC Addresses : 2
> Configured MAC Addresses : 0
> Sticky MAC Addresses : 0
> Last Source Address:Vlan : 0011.93e6.91d1:12
> Security Violation Count : 0
>
> SW2#
> ++++++++++++++++++++++++++++++++++++++++++
> R5(config)#int e1/1
> R5(config-if)#standby priority 99
> R5(config-if)#
> Jun 24 21:40:52.138: %HSRP-5-STATECHANGE: Ethernet1/1 Grp 0 state Active -> Speak
> R5(config-if)#
> Jun 24 21:41:02.138: %HSRP-5-STATECHANGE: Ethernet1/1 Grp 0 state Speak -> Standby
> R5(config-if)#
> Jun 24 21:41:12.139: %HSRP-5-STATECHANGE: Ethernet1/1 Grp 0 state Standby -> Active
> R5(config-if)#
> ++++++++++++++++++++++++++++++++++++++++++
> R2#
> Jun 24 21:40:58.292: %HSRP-5-STATECHANGE: Ethernet1/1 Grp 0 state Standby -> Active
> R2#
> ++++++++++++++++++++++++++++++++++++++++++
> SW2#
> 1d20h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
> caused by MAC address 0000.0c07.ac00 on port FastEthernet1/0/2.
> SW2#
> 1d20h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
> caused by MAC address 0000.0c07.ac00 on port FastEthernet1/0/2.
> SW2#
> ++++++++++++++++++++++++++++++++++++++++++
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
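An added example, not part of the thread, that replays Petr's explanation against the port-security settings in Antonio's configs (maximum 2, violation restrict, no aging) using a toy Python model of a switch's secure-MAC table. It assumes R5 sits on Fa1/0/5 and R2 on Fa1/0/2 (the thread does not say, but the MAC counts shown fit that) and models only the behaviour discussed here: a MAC secured on one port showing up on another port of the VLAN is a violation, and a link-down flushes that port's dynamically learned secure MACs, while "standby use-bia" means no shared virtual MAC ever moves.

```python
# Added example (not from the thread): toy model of a switch's port-security
# secure-MAC table, replaying the HSRP failover from the quoted outputs.
# Assumption: R5 is on Fa1/0/5 and R2 on Fa1/0/2 (the thread does not say).

VMAC = "0000.0c07.ac00"    # HSRP v1 group 0 virtual MAC (from the outputs)
R5_BIA = "0011.93e6.91d1"  # last source address seen on f1/0/5
R2_BIA = "0030.9436.01f1"  # last source address seen on f1/0/2


class SecureSwitch:
    """Port security with 'violation restrict': the offending frame is dropped
    and counted, the port stays up (no err-disable)."""

    def __init__(self, ports, maximum=2):
        self.max = maximum
        self.secure = {p: set() for p in ports}   # port -> dynamic secure MACs
        self.violations = {p: 0 for p in ports}

    def owner(self, mac):
        return next((p for p, macs in self.secure.items() if mac in macs), None)

    def frame(self, port, src):
        """Return 'ok' or 'violation' for a frame with source MAC src on port."""
        other = self.owner(src)
        if other is not None and other != port:
            # already secured on another port in the VLAN: that is a violation
            self.violations[port] += 1
            return "violation"
        if src in self.secure[port]:
            return "ok"
        if len(self.secure[port]) >= self.max:
            self.violations[port] += 1
            return "violation"
        self.secure[port].add(src)
        return "ok"

    def shutdown(self, port):
        """Link down flushes the dynamically learned secure MACs of that port."""
        self.secure[port].clear()


def failover(flush_old_port=False, use_bia=False):
    sw = SecureSwitch(["Fa1/0/2", "Fa1/0/5"])
    sw.frame("Fa1/0/5", R5_BIA); sw.frame("Fa1/0/5", VMAC)  # R5 active: BIA + vMAC
    sw.frame("Fa1/0/2", R2_BIA)                             # R2 standby: BIA only
    if flush_old_port:
        sw.shutdown("Fa1/0/5")               # Petr's suggestion: shut old active
    src = R2_BIA if use_bia else VMAC        # standby use-bia: no shared MAC
    return sw.frame("Fa1/0/2", src)          # R2 takes over: switch's verdict
```

Without flushing the old port the new active router's first frame from 0000.0c07.ac00 is logged as a violation on Fa1/0/2, exactly as in the SW2 log; shutting the old port first, or using use-bia, avoids it.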



This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:51 ART