Port-Security and HSRP with Virtual MAC Addresses

From: Andrew Harris (andharri) (andharri@cisco.com)
Date: Thu Dec 13 2007 - 04:32:12 ART

• Next message: Andrew Harris (andharri): "RE: VLAN Access Maps for IP Traffic Filtering"
• Previous message: Alan Ewer: "Re: OSPF Neighbour config wont stick in config ?"
• Next in thread: Cielieska Nathan: "Re: Port-Security and HSRP with Virtual MAC Addresses"
• Maybe reply: Cielieska Nathan: "Re: Port-Security and HSRP with Virtual MAC Addresses"
• Maybe reply: Edison Ortiz: "RE: Port-Security and HSRP with Virtual MAC Addresses"
• Maybe reply: Thomas.W.Johnson@chase.com: "RE: Port-Security and HSRP with Virtual MAC Addresses"
• Maybe reply: Darren Johnson: "RE: Port-Security and HSRP with Virtual MAC Addresses"
• Maybe reply: Darren Johnson: "RE: Port-Security and HSRP with Virtual MAC Addresses"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,

I am following the Internetwork Expert Workbook on Switching.

I have a situation where three routers are connected into two switches.
As shown by the following topology:

R1 ------ SW1 ========== SW2 -------- R4
                                     -------- R6

R4 and R6 are configured for HSRP. The aim of the exercise is to
configure the switchports connecting to R4 fa0/4 and R6 fa0/6 to only
accept the BIA and HSRP Virtual MAC.

I have the following config to do this:

SW2#sh run int fa0/4
Building configuration...

Current configuration : 147 bytes
!
interface FastEthernet0/4
 switchport access vlan 146
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
end

SW2#sh run int fa0/6
Building configuration...

Current configuration : 147 bytes
!
interface FastEthernet0/6
 switchport access vlan 146
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
end

SW2#

However for some reason fa0/4 is being shut down due to a port
violation;

00:15:50: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0
/4, putting Fa0/4 in err-disable state
00:15:50: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occ
urred, caused by MAC address 0000.0c07.ac01 on port FastEthernet0/4.

What puzzles me is the output below:

SW2#show port-security int fa0/4
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0c07.ac01:146
Security Violation Count : 1

SW2#show port-security int fa0/4 add
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
                                                              (mins)
---- ----------- ---- ----- -------------
------------------------------------------------------------------------
Total Addresses: 0

SW2#

The maximum mac addresses = 2, yet the total is only 0? How can the port
go into errdisable/

Fa0/6 works fine

Thanks in advance

Andy

• Next message: Andrew Harris (andharri): "RE: VLAN Access Maps for IP Traffic Filtering"
• Previous message: Alan Ewer: "Re: OSPF Neighbour config wont stick in config ?"
• Next in thread: Cielieska Nathan: "Re: Port-Security and HSRP with Virtual MAC Addresses"
• Maybe reply: Cielieska Nathan: "Re: Port-Security and HSRP with Virtual MAC Addresses"
• Maybe reply: Edison Ortiz: "RE: Port-Security and HSRP with Virtual MAC Addresses"
• Maybe reply: Thomas.W.Johnson@chase.com: "RE: Port-Security and HSRP with Virtual MAC Addresses"
• Maybe reply: Darren Johnson: "RE: Port-Security and HSRP with Virtual MAC Addresses"
• Maybe reply: Darren Johnson: "RE: Port-Security and HSRP with Virtual MAC Addresses"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:30 ARST