From: ccie2be (ccie2be@nyc.rr.com)
Date: Tue Jul 05 2005 - 19:05:53 GMT-3
Jerry,
I don't know the answer to your question but I can tell you it's not dumb at
all.
It's an interesting question.
In fact, let's simplify the scenario a bit.
Suppose, we have just R1 and R2, 1 standby group both rtr's belong to, and
R1 is the active router.
However, to reach some destinations, packets must go to R2.
How does this work for hosts on the same vlan as hsrp?
I assume based on your post that we have to override ip redirect. But, what
happens when that's done?
Does R1 redirect packets to R2's physical ip address and thus "bypass" hsrp?
Or, is there something else going on?
TIA, Tim
_____
From: hulbertj@comcast.net [mailto:hulbertj@comcast.net]
Sent: Tuesday, July 05, 2005 5:47 PM
To: ccie2be; 'Spyros Kranis'
Cc: ccielab@groupstudy.com
Subject: RE: 3550 port-security and HSRP.
I have a quick (probably dumb) question on this topic.
Suppose you have the following:
Router A and B participating in an HSRP Group.
Router A is the Active Router.
Router B has an external link to Network X.X.X.X.
Host #1 has a data flow destined for Network X.X.X.X
When Router A receives this frame, he'll see the destination address and
make a check of its route table. The next hop for this destination is
Router B via the same interface that he is receiving it on.
Normally, Router A would send an ICMP redirect to Host #1, but since by
default, Router A will not send a Redirect to a Router that is not the
Active HSRP (standby) router.
So if you override this by adding
standby redirects
standby 2 ip Y.Y.Y.Y - where this ip is a valid IP in the same subnet as
standby 1.
make Router B the active router.
How would you still implement port-security with the below configs, and
still allow for efficient switching/routing in your LAN, with minimal
allowed MAC addresses?
TIA
Jerry
-------------- Original message --------------
> Thanks, Spyros. I figured that if the command, use-bia, is configured, only
> 1 mac address is needed for port security.
>
> I assume that the switch side of the config is the same regardless of
> whether the 2 routers are connected to the same switch or to 2 different
> switches, right?
>
> R1 sw1 --- sw2 R2
>
> Do you know, by any chance, what happens during a failover from a host point
> of view? IOW, when the standby router takes over, the virtual mac address
> used will also change since now it will become the bia of the former standby
> router which is now the active router.
>
> Wouldn't this cause the hosts to have a wrong entry in their arp table once
> the standby router takes over? And, wouldn't that cause any active sessions
> to fail while waiting for the old arp table entries to age out on the hosts?
>
> I vaguely recall that during a failover, the newly active router might issue
> a gratuitous arp which speeds up the process of the hosts updating their arp
> table, but I'm not sure if I remember this correctly.
>
> Any thoughts?
>
> Tim
>
> -----Original Message-----
> From: Spyros Kranis [mailto:skranis@algosystems.gr]
> Sent: Tuesday, July 05, 2005 1:06 PM
> To: 'ccie2be'
> Cc: ccielab@groupstudy.com
> Subject: RE: 3550 port-security and HSRP.
>
>
> Tim,
> I labbed it up and the only thing that you need is the standby use-bia
> command at both routers and the following config to the switch
>
> Int fa0/1
> switchport mode access
> switchport port-security maximum 1 <-- it is default - the switch does
> not display it
>
> switchport port-security violation restrict
> switchport port-security mac-address 0050.3efa.f540 <-- this is the real
> mac address of the router interface.
>
> Int fa0/2
> switchport mode access
> switchport port-security maximum 1 <-- it is default - the switch does not
> display it
>
> switchport port-security violation restrict
> switchport port-security mac-address 0050.1adf.ccbc <-- this is the real
> mac address of the router interface.
>
>
>
>
> HTH
>
> skra
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ccie2be
> Sent: Tuesday, July 05, 2005 7:25 PM
> To: 'Rajib Khan'; alsontra@hotmail.com; 'Lai, Ben'
> Cc: ccielab@groupstudy.com
> Subject: RE: 3550 port-security and HSRP.
>
> Thanks Raj.
>
> By any chance, do you know if you have to allow a max of 2 addresses for
> HSRP to work with port security?
>
> I assume you do but if the command use-bia is configured, then why
> wouldn't just a max of one mac address work?
>
> Thanks again, Tim
>
> _____
>
> From: Rajib Khan [mailto:rajib56666@yahoo.com]
> Sent: Tuesday, July 05, 2005 12:13 PM
> To: ccie2be; alsontra@hotmail.com; 'Lai, Ben'
> Cc: ccielab@groupstudy.com
> Subject: RE: 3550 port-security and HSRP.
>
> HI Tim,
>
> You don't need to configure "switchport port-security mac-address sticky
> 0050.3eef.6260" in order for this to work
>
> with sticky and maximum 2 it will learn 2 mac addresses dynamically
>
> But I don't know the answer to your question though. Use an Ethereal
> analyzer if you can
>
> Thanks
>
> Raj
>
> ccie2be wrote:
> Hi Guys,
>
> Can anybody explain why the below works and what happens when the active
> router fails and the standby router takes over as far as the mac addresses
> are concerned?
>
> With the config below, is a failover transparent to users on the attached
> vlan?
>
> TIA, Tim
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> alsontra@hotmail.com
> Sent: Sunday, January 09, 2005 11:29 AM
> To: 'Lai, Ben'
> Cc: ccielab@groupstudy.com
> Subject: RE: 3550 port-security and HSRP.
>
> All,
>
> Below is a 3550 configuration using bia-addresses. Anyone find a fault in
> the logic?
>
> R1
> !
> interface Ethernet0/0
> ip address 120.1.1.1 255.255.255.0
> half-duplex
> standby use-bia
> standby preempt
> standby 1 ip 120.1.1.254
> standby 1 priority 150
> standby 1 preempt
> end
>
> R1#sh stan
> Ethernet0/0 - Group 1
> State is Active
> 13 state changes, last state change 01:11:22
> Virtual IP address is 120.1.1.254
> Active virtual MAC address is 0050.3eef.6260
> Local virtual MAC address is 0050.3eef.6260 (bia)
> Hello time 3 sec, hold time 10 sec
> Next hello sent in 0.484 secs
> Preemption enabled
> Active router is local
> Standby router is 120.1.1.2, priority 100 (expires in 7.688 sec)
> Priority 150 (configured 150)
> IP redundancy name is "hsrp-Et0/0-1" (default)
>
> R2
>
> !
> interface Ethernet0/0
> ip address 120.1.1.2 255.255.255.0
> ip pim sparse-dense-mode
> half-duplex
> ipv6 address 2001::/64 eui-64
> standby use-bia
> standby 1 ip 120.1.1.254
> standby 1 preempt
> end
>
> R2#sh stan
> Ethernet0/0 - Group 1
> State is Standby
> 19 state changes, last state change 01:11:41
> Virtual IP address is 120.1.1.254
> Active virtual MAC address is 0050.3eef.6260
> Local virtual MAC address is 0050.3efa.f540 (bia)
> Hello time 3 sec, hold time 10 sec
> Next hello sent in 1.678 secs
> Preemption enabled
> Active router is 120.1.1.1, priority 150 (expires in 8.470 sec)
> Standby router is local
> Priority 100 (default 100)
> IP redundancy name is "hsrp-Et0/0-1" (default)
>
> 3550
> !
> interface FastEthernet0/1
> switchport mode access
> switchport port-security maximum 2
> switchport port-security aging time 1
> switchport port-security violation restrict
> switchport port-security mac-address sticky
> switchport port-security mac-address sticky 0050.3eef.6260
> no ip address
> !
> interface FastEthernet0/2
> switchport mode access
> switchport port-security maximum 2
> switchport port-security aging time 1
> switchport port-security violation restrict
> switchport port-security mac-address sticky
> switchport port-security mac-address sticky 0050.3efa.f540
> no ip address
>
> -----Original Message-----
> From: Lai, Ben [mailto:benlai_cn@hotmail.com]
> Sent: Sunday, January 09, 2005 10:03 PM
> To: 'Alsontra'
> Cc: ccielab@groupstudy.com
> Subject: RE: 3550 port-security and HSRP.
>
> Firstly, can we use HSRP without a virtual MAC address for the virtual
> router?
> Secondly, I use sticky address because it is easy to copy the mac address of
> the attached device to the configuration.
>
> Rgds.
>
> -----Original Message-----
> From: Alsontra [mailto:alsontra@gmail.com]
> Sent: 2005e941f9f% 22:44
> To: 'Lai, Ben'
> Subject: RE: 3550 port-security and HSRP.
> Why are you using virtual MACs and also why are you using sticky address?
> Are these requirements?
>
> Al
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Lai, Ben
> Sent: Sunday, January 09, 2005 7:51 PM
> To: ccielab@groupstudy.com
> Subject: 3550 port-security and HSRP.
>
> Hi all:
>
> Is there anybody who has configured PORT-SECURITY and HSRP?
>
> The scenario is: there are two routers connected with a CAT 3550 switch,
> running HSRP.
>
> When I configure HSRP on the two routers and PORT-SECURITY on the 3550
> switch, the problem occurs:
>
> The configuration of the 3550 switch is as follows:
>
> For example:
>
> interface FastEthernet0/1
> switchport access vlan 2
> switchport mode access
> switchport port-security
> switchport port-security maximum 2
> switchport port-security aging time 1
> switchport port-security violation restrict
> switchport port-security mac-address sticky 1111.1111.1111
> switchport port-security mac-address sticky AAAA.AAAA.AAAA (as the virtual
> mac of HSRP)
>
> interface FastEthernet0/3
> switchport access vlan 2
> switchport mode access
> switchport port-security
> switchport port-security maximum 2
> switchport port-security aging time 1
> switchport port-security violation restrict
> switchport port-security mac-address sticky 2222.2222.2222
>
> the switch prompts error message with the virtual MAC address of HSRP.
>
> How to deal with this?
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.725 / Virus Database: 480 - Release Date: 7/19/2004
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.725 / Virus Database: 480 - Release Date: 7/19/2004
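The port-security question running through the thread above (why `standby use-bia` lets `maximum 1` work, why the default virtual MAC needs `maximum 2`, and which MACs move between ports at failover) can be worked through with a small model. The script below is an added example and is not part of any post, nor the routers' or the switch's own code. It assumes the HSRPv1 well-known virtual MAC 0000.0c07.acXX (group number in the last byte), reuses the two BIAs from the quoted `sh stan` output, and uses a deliberately simplified model of how the 3550 counts secure addresses (configured or sticky entries count toward the maximum, unknown sources are learned until it is full, then flagged). It does not model the ICMP redirect question.

```python
"""Which source MACs each 3550 port sees from an HSRP router, and whether
a port-security setting would flag a violation, before and after failover.

Added illustration for this thread, not the routers' or the switch's own
code. BIAs are taken from the quoted 'sh stan' output; the way
port-security counts addresses is a simplified model (assumption)."""

HSRP_V1_VMAC_PREFIX = "0000.0c07.ac"  # HSRPv1 well-known virtual MAC, last byte = group


def hsrp_virtual_mac(group):
    """Default HSRPv1 virtual MAC for a group, in Cisco dotted form."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0..255")
    return "%s%02x" % (HSRP_V1_VMAC_PREFIX, group)


def virtual_mac_in_use(active_bia, use_bia, group):
    """MAC the active router answers the virtual IP with.
    With 'standby use-bia' it is the active router's own BIA, so it
    changes whenever the active role moves (the ARP question in the thread)."""
    return active_bia.lower() if use_bia else hsrp_virtual_mac(group)


def macs_seen_on_port(bia, active, use_bia, group):
    """Source MACs a switch port learns from one router.
    Assumption: the router's own traffic and hellos use its BIA; the active
    router additionally sources frames from the group's virtual MAC."""
    seen = {bia.lower()}
    if active:
        seen.add(virtual_mac_in_use(bia, use_bia, group))
    return seen


def port_security_violations(seen, secure_macs, maximum):
    """MACs that would trip port-security on one port.
    Assumption (simplified 3550 model): configured/sticky MACs count toward
    the maximum, unknown MACs are learned until it is full, then flagged."""
    table = {m.lower() for m in secure_macs}
    violating = []
    for mac in sorted(seen):
        if mac in table:
            continue
        if len(table) < maximum:
            table.add(mac)  # learned dynamically (sticky or not)
        else:
            violating.append(mac)
    return violating


def simulate(use_bia, maximum, secure_fa01, secure_fa02, group=1):
    """Run the two-router topology from the thread through a failover
    (R1 active, then R2 active). Returns the violating MACs per port and
    whether hosts' ARP entry for the virtual IP goes stale at failover."""
    r1_bia = "0050.3eef.6260"  # R1 Ethernet0/0 bia, from the thread
    r2_bia = "0050.3efa.f540"  # R2 Ethernet0/0 bia, from the thread
    ports = (("fa0/1", r1_bia, secure_fa01), ("fa0/2", r2_bia, secure_fa02))
    result = {}
    for port, bia, secure in ports:
        r1_active = port == "fa0/1"
        result[port] = {
            "before": port_security_violations(
                macs_seen_on_port(bia, r1_active, use_bia, group), secure, maximum),
            "after": port_security_violations(
                macs_seen_on_port(bia, not r1_active, use_bia, group), secure, maximum),
        }
    result["virtual_mac_changes_on_failover"] = (
        virtual_mac_in_use(r1_bia, use_bia, group)
        != virtual_mac_in_use(r2_bia, use_bia, group))
    return result


if __name__ == "__main__":
    secure = (["0050.3eef.6260"], ["0050.3efa.f540"])
    for use_bia, maximum in ((False, 1), (False, 2), (True, 1)):
        print("use-bia=%s maximum=%d ->" % (use_bia, maximum),
              simulate(use_bia, maximum, *secure))
```

Running it shows the trade-off the thread circles around: without `use-bia`, `maximum 1` flags the virtual MAC on whichever port is currently active, so `maximum 2` is needed; with `use-bia`, each port only ever sees its router's own BIA, but the MAC behind the virtual IP changes at failover, which is exactly why hosts' ARP entries become stale until they are refreshed.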
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:29 GMT-3