From: Mushtaq A. Khan (mak.ccie2b@gmail.com)
Date: Sun Mar 26 2006 - 09:34:01 GMT-3
I am aware of this, but as I mentioned earlier, what if you are bound to use
only one MAC? Then it is kind of a limitation of VRRP, as there is no option
to use-bia, or maybe I'm unable to find any other option.
Mushtaq
On 3/26/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:
>
>  This shouldn't be an issue as I detailed at the beginning of this
> thread.  Set the max addresses to 2, then hard-code them, right?
>
> Dave Schulz
>
> -----Original Message-----
> From: Mushtaq A. Khan <mak.ccie2b@gmail.com>
> To: xprtofnet <xprtofnet@yahoo.com>
> CC: Schulz, Dave <DSchulz@dpsciences.com>; ccielab@groupstudy.com <
> ccielab@groupstudy.com>
> Sent: Sun Mar 26 00:00:50 2006
> Subject: Re: Port-security with HSRP
>
> The problem here is that you are bound to use only one mac so no matter
> what mac address you use, the port security violation will occur as the
> switch detects the second mac (virtual mac add) generated by VRRP.
>
> Mushtaq
>
>
> On 3/25/06, xprtofnet <xprtofnet@yahoo.com> wrote:
>
>         did you try different mac-addresses on the two routers
>         ? it should work...!
>
>         --- "Mushtaq A. Khan" < mak.ccie2b@gmail.com> wrote:
>
>         > All,
>         > I was thinking of another scenario where we are bound to use
>         > VRRP and allow only one mac-address on the switch. What do we
>         > do in that case, as I couldn't find an option to use-bia in
>         > VRRP? I tried to make it work by hard coding the virtual-mac
>         > generated by VRRP to the router but it didn't work.
>         > Is there any other option?
>         >
>         > Mushtaq
>         >
>         > On 3/25/06, xprtofnet <xprtofnet@yahoo.com> wrote:
>         > >
>         > > keep in mind that port security will complain about
>         > > duplicate mac if hsrp uses same virtual-mac. so better
>         > > to hard-code the virtual-mac for hsrp or use bia so
>         > > that it is not same.
>         > >
>         > > m2c.
>         > >
>         > > --- "Schulz, Dave" <DSchulz@dpsciences.com> wrote:
>         > >
>         > > > I was working through some different solutions with
>         > > > port-security with HSRP.  If there is a requirement to
>         > > > lockdown a specific port connected to a router that is
>         > > > running HSRP, I see two different solutions.
>         > > >
>         > > > First one being, to put the command "standby use-bia" and
>         > > > force the router to use the bia (or configured mac for the
>         > > > virtual ip).  Or, we can also use the following (adding a
>         > > > second mac to the switchport config).  As below....
>         > > >
>         > > > Current configuration : 304 bytes
>         > > > !
>         > > > interface FastEthernet0/1
>         > > >  switchport access vlan 10
>         > > >  switchport mode access
>         > > >  switchport port-security
>         > > >  switchport port-security maximum 2
>         > > >  switchport port-security mac-address sticky
>         > > >  switchport port-security mac-address 0000.0c07.ac01   <- router mac-address
>         > > >  switchport port-security mac-address sticky 0008.a3fc.a661   <- virtual mac-address assigned by HSRP
>         > > > end
>         > > >
>         > > > Any reason why each of these would not be valid?
>         > > >
>         > > > Also, it appears that we can statically configure
>         > > > the mac, or, use the sticky (and save the config)....
>         > > > depending on the requirements.
>         > > >
>         > > >
>         > > > Dave Schulz
>         > > >
>         > > > Email: dschulz@dpsciences.com
> _______________________________________________________________________
>         > > > Subscription information may be found at:
>         > > > http://www.groupstudy.com/list/CCIELab.html
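
The two-MAC behaviour discussed in this thread can be checked offline. The Python sketch below is an added example, not code from any poster; its function names are hypothetical. It assumes the well-known HSRP (0000.0c07.acXX, 0000.0c9f.fXXX) and VRRP (0000.5e00.01XX) virtual MAC ranges, and that an active/master router sources frames from both its interface MAC and the group's virtual MAC unless HSRP runs with use-bia.

```python
import re

# Well-known FHRP virtual MAC prefixes (hex digits, separators removed).
HSRP_V1 = "00000c07ac"   # 0000.0c07.acXX, XX = group number
HSRP_V2 = "00000c9ff"    # 0000.0c9f.fXXX, XXX = group number
VRRP = "00005e0001"      # 0000.5e00.01XX, XX = VRID

def norm(mac):
    """Normalise any common notation: '0000.0c07.ac01' -> '00000c07ac01'."""
    h = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(h) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return h

def classify(mac):
    """Return (kind, group) where kind is hsrp-v1, hsrp-v2, vrrp or other."""
    h = norm(mac)
    for kind, prefix in (("hsrp-v1", HSRP_V1), ("hsrp-v2", HSRP_V2), ("vrrp", VRRP)):
        if h.startswith(prefix):
            return (kind, int(h[len(prefix):], 16))
    return ("other", None)

def source_macs(bia, protocol=None, group=0, use_bia=False):
    """MACs an active/master router is assumed to source frames from."""
    macs = [norm(bia)]
    if protocol == "hsrp" and not use_bia:
        macs.append(HSRP_V1 + f"{group:02x}")   # HSRP version 1 assumed
    elif protocol == "vrrp":
        macs.append(VRRP + f"{group:02x}")      # VRRP has no use-bia option
    return macs

def check_port(maximum, secure_macs, seen):
    """Replay source MACs against a port-security table; return violators."""
    table = [norm(m) for m in secure_macs]      # statically configured entries
    violations = []
    for m in map(norm, seen):
        if m in table:
            continue
        if len(table) < maximum:
            table.append(m)                     # learned dynamically
        else:
            violations.append(m)                # table full: violation
    return violations

if __name__ == "__main__":
    # The two addresses from the quoted switchport config.
    for mac in ("0000.0c07.ac01", "0008.a3fc.a661"):
        print(mac, classify(mac))
    vrrp = source_macs("0008.a3fc.a661", "vrrp", 1)
    print("maximum 1:", check_port(1, [], vrrp))
    print("maximum 2:", check_port(2, [], vrrp))
```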
This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:40 GMT-3