RE: Port-Security and HSRP with Virtual MAC Addresses

From: Thomas.W.Johnson@chase.com
Date: Thu Dec 13 2007 - 14:13:12 ART


If you are using HSRP with Port Security you need to either use the
burned-in address or create a unique mac address for each HSRP router
using the standby mac-address command. You cannot allow HSRP to use the
standard mac address HSRP automatically generates.

It is a security violation when one of these situations occurs:

* The maximum number of secure MAC addresses has been added to the
address table, and a station whose MAC address is not in the address
table attempts to access the interface.

* An address learned or configured on one secure interface is seen on
another secure interface in the same VLAN.

Thomas Johnson
CCIE# 19064
JP Morgan Chase
Global Network Implementation
Office: 847-488-3326
Cell: 630-835-8866
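A worked configuration for the two options Thomas describes, added here as an example rather than taken from the thread. The VLAN, interface and HSRP group numbers follow Andy's post; the IP addressing, the burned-in addresses and the per-router virtual MACs are constructed placeholders.

```cisco
! --- What Andy's log shows -------------------------------------------
! R4 and R6 share HSRP group 1 on VLAN 146. The default HSRP virtual MAC
! is 0000.0c07.acXX with XX = group number, so whichever router is active
! sources frames from 0000.0c07.ac01. Once that address has been learned
! on one secure port (fa0/6) and then appears on the other secure port in
! the same VLAN (fa0/4), the second violation condition above is met and
! the port is put into secure-shutdown.

! --- Option A: each router sources only its burned-in address -----------
! R4 (addressing constructed for this example)
interface FastEthernet0/0
 ip address 146.1.146.4 255.255.255.0
 standby use-bia
 standby 1 ip 146.1.146.254
 standby 1 priority 110
 standby 1 preempt
!
! R6
interface FastEthernet0/0
 ip address 146.1.146.6 255.255.255.0
 standby use-bia
 standby 1 ip 146.1.146.254
 standby 1 preempt

! --- Option B: a distinct virtual MAC per router --------------------------
! Values are constructed; the point is that neither router uses the
! default 0000.0c07.ac01, so no address is ever seen on both secure ports.
! R4
interface FastEthernet0/0
 standby 1 mac-address 0000.0c12.3404
!
! R6
interface FastEthernet0/0
 standby 1 mac-address 0000.0c12.3406

! --- SW2: pin the two allowed addresses instead of learning them ---------
! Placeholder BIAs; read the real ones from "show interfaces" on R4/R6.
interface FastEthernet0/4
 switchport access vlan 146
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0014.a9aa.bb04
 switchport port-security mac-address 0000.0c12.3404
!
interface FastEthernet0/6
 switchport access vlan 146
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0014.a9aa.bb06
 switchport port-security mac-address 0000.0c12.3406

! --- Recover the err-disabled port and verify ----------------------------
errdisable recovery cause psecure-violation
errdisable recovery interval 60
! or manually: interface fa0/4 / shutdown / no shutdown
show port-security interface fa0/4
show port-security address
show standby brief
```

With option A the ports only ever see each router's BIA, so "maximum 1" would also do; with option B the second static entry is the router's own configured virtual MAC. Either option gives up the one property the default virtual MAC provides, a gateway MAC that stays constant across failover, so hosts depend on the gratuitous ARP HSRP sends when the active router changes.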

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Cielieska Nathan
Sent: Thursday, December 13, 2007 10:14 AM
To: Andrew Harris (andharri)
Cc: ccielab@groupstudy.com
Subject: Re: Port-Security and HSRP with Virtual MAC Addresses

Andy,

The output is because the port has been shutdown per the security
policy. After the port is shutdown obviously no MAC addresses are
learned on that interface.

It looks like the interface was seeing "some" MAC addresses if it
flagged the port for err-disable in the first place; once the
interface shut down, the CAM table was cleared for that port.

Regards,
Nate

On Dec 13, 2007, at 2:32 AM, Andrew Harris (andharri) wrote:

> Hi,
>
> I am following the Internetwork Expert Workbook on Switching.
>
> I have a situation where three routers are connected into two
> switches.
> As shown by the following topology:
>
>
> R1 ------ SW1 ========== SW2 -------- R4
>                              -------- R6
>
> R4 and R6 are configured for HSRP. The aim of the exercise is to
> configure the switchports connecting to R4 fa0/4 and R6 fa0/6 to only
> accept the BIA and HSRP Virtual MAC.
>
> I have the following config to do this:
>
> SW2#sh run int fa0/4
> Building configuration...
>
> Current configuration : 147 bytes
> !
> interface FastEthernet0/4
> switchport access vlan 146
> switchport mode access
> switchport port-security maximum 2
> switchport port-security
> end
>
> SW2#sh run int fa0/6
> Building configuration...
>
> Current configuration : 147 bytes
> !
> interface FastEthernet0/6
> switchport access vlan 146
> switchport mode access
> switchport port-security maximum 2
> switchport port-security
> end
>
> SW2#
>
> However for some reason fa0/4 is being shut down due to a port
> violation;
>
> 00:15:50: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/4, putting Fa0/4 in err-disable state
> 00:15:50: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac01 on port FastEthernet0/4.
>
> What puzzles me is the output below:
>
> SW2#show port-security int fa0/4
> Port Security : Enabled
> Port Status : Secure-shutdown
> Violation Mode : Shutdown
> Aging Time : 0 mins
> Aging Type : Absolute
> SecureStatic Address Aging : Disabled
> Maximum MAC Addresses : 2
> Total MAC Addresses : 0
> Configured MAC Addresses : 0
> Sticky MAC Addresses : 0
> Last Source Address:Vlan : 0000.0c07.ac01:146
> Security Violation Count : 1
>
> SW2#show port-security int fa0/4 add
> Secure Mac Address Table
> ------------------------------------------------------------------------
> Vlan    Mac Address       Type    Ports    Remaining Age (mins)
> ----    -----------       ----    -----    --------------------
> ------------------------------------------------------------------------
> Total Addresses: 0
>
> SW2#
>
> The maximum MAC addresses = 2, yet the total is only 0? How can the
> port go into errdisable?
>
> Fa0/6 works fine
>
> Thanks in advance
>
> Andy
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:30 ARST