From: Darren Johnson (dazza_johnson@yahoo.co.uk)
Date: Sat Dec 15 2007 - 14:09:44 ART
Hey there Andy. Not sure if you got the answer on this or not (I don't have
the IE workbook), but here is how I played this out:
Configuration:
interface FastEthernet0/4
switchport access vlan 146
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 15
switchport port-security aging type inactivity
switchport port-security violation protect
end
My thinking here is that the port will not go into shutdown now it is
configured in 'protect' mode. Additionally, if an interface doesn't receive
any frames from the HSRP address in 15 seconds, it ages out and the HSRP
router can be re-learned on the other interface. I tried this and it seems
to work. When I disconnect a router, the HSRP MAC address is aged out and
re-learned on the new interface. Works a charm, but not sure what others
think?
Anyone have any comments?
Dazzler
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Andrew Harris (andharri)
Sent: 13 December 2007 07:32
To: ccielab@groupstudy.com
Subject: Port-Security and HSRP with Virtual MAC Addresses
Hi,
I am following the Internetwork Expert Workbook on Switching.
I have a situation where three routers are connected into two switches.
As shown by the following topology:
R1 ------ SW1 ========== SW2 -------- R4
                             -------- R6
R4 and R6 are configured for HSRP. The aim of the exercise is to
configure the switchports connecting to R4 fa0/4 and R6 fa0/6 to only
accept the BIA and HSRP Virtual MAC.
I have the following config to do this:
SW2#sh run int fa0/4
Building configuration...
Current configuration : 147 bytes
!
interface FastEthernet0/4
switchport access vlan 146
switchport mode access
switchport port-security maximum 2
switchport port-security
end
SW2#sh run int fa0/6
Building configuration...
Current configuration : 147 bytes
!
interface FastEthernet0/6
switchport access vlan 146
switchport mode access
switchport port-security maximum 2
switchport port-security
end
SW2#
However for some reason fa0/4 is being shut down due to a port
violation;
00:15:50: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/4, putting Fa0/4 in err-disable state
00:15:50: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac01 on port FastEthernet0/4.
What puzzles me is the output below:
SW2#show port-security int fa0/4
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0c07.ac01:146
Security Violation Count : 1
SW2#show port-security int fa0/4 add
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type        Ports   Remaining Age
                                                 (mins)
----    -----------       ----        -----   -------------
------------------------------------------------------------------------
Total Addresses: 0
SW2#
The maximum MAC addresses = 2, yet the total is only 0? How can the port
go into errdisable?
Fa0/6 works fine
Thanks in advance
Andy
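An added example, not part of either post, that parses %PORT_SECURITY-2-PSECURE_VIOLATION syslog lines like the ones quoted above and tags violations caused by an HSRP version 1 virtual MAC (0000.0c07.acXX, XX being the group), and that audits an interface stanza for the two settings Darren changed (violation mode and inactivity aging). The sample log lines and configs are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample syslog lines, modelled on the two quoted in the post above.
SAMPLE_LOG = """\
00:15:50: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/4, putting Fa0/4 in err-disable state
00:15:50: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac01 on port FastEthernet0/4.
00:16:12: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.2c3d.4e5f on port FastEthernet0/9.
"""

# HSRP version 1 virtual MACs are 0000.0c07.acXX, XX being the group number in hex.
HSRP_V1_VMAC = re.compile(r"^0000\.0c07\.ac([0-9a-f]{2})$", re.I)
VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?MAC address ([0-9a-f.]+) on port (\S+?)\.?$", re.I)


@dataclass
class Violation:
    mac: str
    port: str
    hsrp_group: Optional[int]  # None when the offending MAC is not an HSRP vMAC


def parse_violations(log: str) -> List[Violation]:
    """Extract every PSECURE_VIOLATION event and tag those caused by an HSRP vMAC.

    The vMAC follows the active router, so after a failover it appears on the
    standby router's port; IOS port security counts a secure MAC seen on another
    secure port in the same VLAN as a violation even below the maximum.
    """
    found = []
    for line in log.splitlines():
        m = VIOLATION.search(line)
        if not m:
            continue
        mac, port = m.group(1).lower(), m.group(2)
        g = HSRP_V1_VMAC.match(mac)
        found.append(Violation(mac, port, int(g.group(1), 16) if g else None))
    return found


def audit_port_security(config: str) -> List[str]:
    """Flag settings that turn an HSRP failover into an errdisabled port."""
    lines = {l.strip() for l in config.splitlines()}
    findings = []
    if "switchport port-security" not in lines:
        return ["port-security not enabled on this interface"]
    # IOS defaults the violation mode to shutdown, which errdisables the port.
    if not any(l.startswith("switchport port-security violation ") for l in lines):
        findings.append("violation mode left at default (shutdown -> errdisable)")
    # Without inactivity aging the vMAC learned on one port is never released.
    if "switchport port-security aging type inactivity" not in lines:
        findings.append("no inactivity aging; vMAC learned here is never aged out")
    return findings
```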
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:30 ARST