Re: Port-Security and HSRP with Virtual MAC Addresses

From: Cielieska Nathan (ncielieska@gmail.com)
Date: Thu Dec 13 2007 - 13:14:03 ART


Andy,

The output is because the port has been shutdown per the security
policy. After the port is shutdown obviously no MAC addresses are
learned on that interface.

It looks like the interface was seeing "some" MAC addresses if it
flagged the port for err-disable in the first place; once the
interface shut down, the CAM table was cleared for that port.

Regards,
Nate

On Dec 13, 2007, at 2:32 AM, Andrew Harris (andharri) wrote:

> Hi,
>
> I am following the Internetwork Expert Workbook on Switching.
>
> I have a situation where three routers are connected into two
> switches.
> As shown by the following topology:
>
>
> R1 ------ SW1 ========== SW2 -------- R4
>                              -------- R6
>
> R4 and R6 are configured for HSRP. The aim of the exercise is to
> configure the switchports connecting to R4 fa0/4 and R6 fa0/6 to only
> accept the BIA and HSRP Virtual MAC.
>
> I have the following config to do this:
>
> SW2#sh run int fa0/4
> Building configuration...
>
> Current configuration : 147 bytes
> !
> interface FastEthernet0/4
> switchport access vlan 146
> switchport mode access
> switchport port-security maximum 2
> switchport port-security
> end
>
> SW2#sh run int fa0/6
> Building configuration...
>
> Current configuration : 147 bytes
> !
> interface FastEthernet0/6
> switchport access vlan 146
> switchport mode access
> switchport port-security maximum 2
> switchport port-security
> end
>
> SW2#
>
> However for some reason fa0/4 is being shut down due to a port
> violation;
>
> 00:15:50: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/4, putting Fa0/4 in err-disable state
> 00:15:50: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac01 on port FastEthernet0/4.
>
> What puzzles me is the output below:
>
> SW2#show port-security int fa0/4
> Port Security : Enabled
> Port Status : Secure-shutdown
> Violation Mode : Shutdown
> Aging Time : 0 mins
> Aging Type : Absolute
> SecureStatic Address Aging : Disabled
> Maximum MAC Addresses : 2
> Total MAC Addresses : 0
> Configured MAC Addresses : 0
> Sticky MAC Addresses : 0
> Last Source Address:Vlan : 0000.0c07.ac01:146
> Security Violation Count : 1
>
> SW2#show port-security int fa0/4 add
>           Secure Mac Address Table
> ------------------------------------------------------------------------
> Vlan    Mac Address       Type                Ports   Remaining Age
>                                                          (mins)
> ----    -----------       ----                -----   -------------
> ------------------------------------------------------------------------
> Total Addresses: 0
>
> SW2#
>
> The maximum MAC addresses = 2, yet the total is only 0? How can the port go into errdisable?
>
> Fa0/6 works fine
>
> Thanks in advance
>
> Andy
>
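The violation message quoted above names the offending MAC but not why it matters. As an added triage example (not from this thread or from Cisco), the script below parses `%PORT_SECURITY-2-PSECURE_VIOLATION` syslog lines and flags violations caused by an HSRP virtual MAC (0000.0c07.acXX for HSRPv1, 0000.0c9f.fXXX for HSRPv2), which points at the port-security configuration rather than at a rogue host; the second log line is constructed for contrast.

```python
import re

# Well-known Cisco HSRP virtual MAC ranges (not taken from the thread):
#   HSRPv1: 0000.0c07.acXX  (XX  = group number, 0-255)
#   HSRPv2: 0000.0c9f.fXXX  (XXX = group number, 0-4095)
HSRP_PREFIXES = {1: "0000.0c07.ac", 2: "0000.0c9f.f"}

# Matches the %PORT_SECURITY-2-PSECURE_VIOLATION line format shown in the thread.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) "
    r"on port (?P<port>\S+)\."
)


def hsrp_group(mac):
    """Return (hsrp_version, group_number) if mac is an HSRP virtual MAC, else None."""
    mac = mac.lower()
    for version, prefix in HSRP_PREFIXES.items():
        if mac.startswith(prefix):
            return version, int(mac[len(prefix):].replace(".", ""), 16)
    return None


def triage_violations(log_lines):
    """Parse port-security violation messages and classify the offending MAC."""
    findings = []
    for line in log_lines:
        m = VIOLATION_RE.search(line)
        if not m:
            continue  # other syslog lines (e.g. %PM-4-ERR_DISABLE) are ignored
        mac, port = m.group("mac").lower(), m.group("port")
        hsrp = hsrp_group(mac)
        if hsrp:
            note = (f"HSRPv{hsrp[0]} group {hsrp[1]} virtual MAC; the active router sources "
                    "frames from both its BIA and this MAC, so the port must allow both")
        else:
            note = "not an HSRP virtual MAC; investigate the host behind the port"
        findings.append({"port": port, "mac": mac, "hsrp": hsrp, "note": note})
    return findings


# Constructed sample log: the two lines from the thread plus one non-HSRP violation.
SAMPLE_LOG = [
    "00:15:50: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/4, putting Fa0/4 in err-disable state",
    "00:15:50: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac01 on port FastEthernet0/4.",
    "00:16:02: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/7.",
]

if __name__ == "__main__":
    for f in triage_violations(SAMPLE_LOG):
        print(f"{f['port']}: {f['mac']} -> {f['note']}")
```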



This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:30 ARST