From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Sun Mar 26 2006 - 10:58:09 GMT-3
I understand what you are saying.  However, this would only be the case if you are applying port security to both ports of the VRRP grouping, right?  This shouldn't be an issue for a single port, correct?
Dave Schulz
*** Sent from my Blackberry ***
-----Original Message-----
From: xprtofnet <xprtofnet@yahoo.com>
To: Schulz, Dave <DSchulz@dpsciences.com>; mak.ccie2b@gmail.com <mak.ccie2b@gmail.com>
CC: xprtofnet@yahoo.com <xprtofnet@yahoo.com>; ccielab@groupstudy.com <ccielab@groupstudy.com>
Sent: Sun Mar 26 08:38:33 2006
Subject: Re: Port-security with HSRP
Mushtaq's concern is using the same MAC address with port
security, and the doc states clearly that port security
will complain about duplicate MAC addresses on different
ports. So in my opinion, using the same MAC for VRRP/HSRP
would not work with port-security (after the switch
reboots with the same config).
m2c.
--- "Schulz, Dave" <DSchulz@dpsciences.com> wrote:
> Wouldn't indicating both the virtual and the
> physical MAC address do it for us?  It appears to
> work for HSRP in the same way.
> 
> Dave Schulz
> *** Sent from my Blackberry ***
> 
> -----Original Message-----
> From: Mushtaq A. Khan <mak.ccie2b@gmail.com>
> To: Schulz, Dave <DSchulz@dpsciences.com>
> CC: xprtofnet@yahoo.com <xprtofnet@yahoo.com>;
> ccielab@groupstudy.com <ccielab@groupstudy.com>
> Sent: Sun Mar 26 07:34:01 2006
> Subject: Re: Port-security with HSRP
> 
>  
> I am aware of this, but as I mentioned earlier, what
> if you are bound to use only one MAC? Then it is a kind
> of limitation of VRRP, as there is no use-bia option,
> or maybe I'm unable to find any other option.
>  
> Mushtaq
> 
>  
> On 3/26/06, Schulz, Dave <DSchulz@dpsciences.com>
> wrote: 
> 
> 	This shouldn't be an issue as I detailed at the
> beginning of this thread.  Set the max addresses to
> 2, then hard-code them, right?
> 	
> 	Dave Schulz
> 	*** Sent from my Blackberry ***
> 
> 	
> 	
> 	-----Original Message-----
> 	From: Mushtaq A. Khan < mak.ccie2b@gmail.com
> <mailto:mak.ccie2b@gmail.com> >
> 	To: xprtofnet <xprtofnet@yahoo.com>
> 	CC: Schulz, Dave < DSchulz@dpsciences.com
> <mailto:DSchulz@dpsciences.com> >;
> ccielab@groupstudy.com < ccielab@groupstudy.com
> <mailto:ccielab@groupstudy.com> >
> 	Sent: Sun Mar 26 00:00:50 2006
> 	Subject: Re: Port-security with HSRP
> 	
> 	The problem here is that you are bound to use only
> one MAC, so no matter what MAC address you use, the
> port security violation will occur as the switch
> detects the second MAC (the virtual MAC address
> generated by VRRP).
> 	
> 	Mushtaq
> 	
> 	
> 	On 3/25/06, xprtofnet <xprtofnet@yahoo.com> wrote:
> 	
> 	        did you try different mac-addresses on the
> two routers? it should work...!
> 	       
> 	        --- "Mushtaq A. Khan" <
> mak.ccie2b@gmail.com <mailto:mak.ccie2b@gmail.com> >
> wrote:
> 	       
> 	        > All,
> 	        > I was thinking of another scenario where we are bound
> 	        > to use VRRP and allow only one MAC address on the
> 	        > switch. What do we do in that case, as I couldn't
> 	        > find a use-bia option in VRRP? I tried to make it
> 	        > work by hard-coding the virtual MAC generated by VRRP
> 	        > on the router, but it didn't work.
> 	        > Is there any other option?
> 	        >
> 	        > Mushtaq
> 	        >
> 	        > On 3/25/06, xprtofnet <
> xprtofnet@yahoo.com <mailto:xprtofnet@yahoo.com> >
> wrote:
> 	        > >
> 	        > > keep in mind that port security will complain about
> 	        > > duplicate MACs if HSRP uses the same virtual MAC. so
> 	        > > better to hard-code the virtual MAC for HSRP or use
> 	        > > the BIA so that it is not the same.
> 	        > >
> 	        > > m2c.
> 	        > >
> 	        > > --- "Schulz, Dave" <
> DSchulz@dpsciences.com> wrote:
> 	        > >
> 	        > > > I was working through some different solutions with
> 	        > > > port-security with HSRP.  If there is a requirement to
> 	        > > > lock down a specific port connected to a router that is
> 	        > > > running HSRP, I see two different solutions.
> 	        > > >
> 	        > > > The first is to put in the command "standby use-bia" and
> 	        > > > force the router to use the BIA (or a configured MAC for
> 	        > > > the virtual IP).  Or, we can also use the following
> 	        > > > (adding a second MAC to the switchport config).  As
> 	        > > > below....
> 	        > > >
> 	        > > > Current configuration : 304 bytes
> 	        > > > !
> 	        > > > interface FastEthernet0/1
> 	        > > >  switchport access vlan 10
> 	        > > >  switchport mode access
> 	        > > >  switchport port-security
> 	        > > >  switchport port-security maximum 2
> 	        > > >  switchport port-security mac-address sticky
> 	        > > >  switchport port-security mac-address 0000.0c07.ac01
> 	        > > >    <- virtual MAC address assigned by HSRP (group 1)
> 	        > > >  switchport port-security mac-address sticky 0008.a3fc.a661
> 	        > > >    <- router's own (burned-in) MAC address
> 	        > > > end
> 	        > > >
> 	        > > > Any reason why each of these would not be valid?
> 	        > > >
> 	        > > > Also, it appears that we can statically configure the
> 	        > > > MAC, or use sticky (and save the config)....depending
> 	        > > > on the requirements.
> 	        > > >
> 	        > > >
> 	        > > > Dave Schulz
> 	        > > >
> 	        > > > Email: dschulz@dpsciences.com
> 
> 	
> 	        > > >
> 	        > > >
> 	        > >
> 	        >
> 	       
>
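Added example (not posted by anyone in this thread): a small Python model of the port-security behaviour being argued about. It derives the well-known HSRPv1 virtual MAC (0000.0c07.acXX, XX = group) and VRRP virtual MAC (0000.5e00.01XX, XX = VRID) from the group number, then replays the thread's scenarios against a toy switch: maximum 1 with a VRRP router (Mushtaq's case), maximum 2 with both the BIA and the HSRP virtual MAC hard-coded (Dave's config), standby use-bia with maximum 1, and the same virtual MAC statically secured on two ports in one VLAN (the duplicate-MAC refusal xprtofnet cites from the docs). The SecurePort/Switch classes, the violation logic and the per-VLAN duplicate check are a simplified model written for this example, not IOS code or behaviour verified on a switch; the BIA 0008.a3fc.a661 is taken from the config quoted in the thread.

```python
# Added example: toy model of port-security vs. HSRP/VRRP source MACs.
# Not Cisco code; SecurePort/Switch are a simplified model of IOS behaviour.
from dataclasses import dataclass, field


def hsrp_virtual_mac(group: int) -> str:
    """Well-known HSRPv1 virtual MAC 0000.0c07.acXX, XX = group number."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def vrrp_virtual_mac(vrid: int) -> str:
    """Well-known VRRP virtual MAC 0000.5e00.01XX, XX = VRID."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"0000.5e00.01{vrid:02x}"


@dataclass
class SecurePort:
    """One access port with 'switchport port-security' enabled (model)."""
    name: str
    vlan: int
    maximum: int = 1                                  # port-security maximum N
    secure_macs: set = field(default_factory=set)     # static + learned entries
    violations: list = field(default_factory=list)

    def receive(self, src_mac: str) -> str:
        """Classify an ingress frame by source MAC as port-security would."""
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)             # dynamic / sticky learning
            return "learned"
        self.violations.append(src_mac)               # over the maximum
        return "violation"


class Switch:
    """Holds the ports so a duplicate secure MAC in a VLAN can be refused."""

    def __init__(self) -> None:
        self.ports: dict = {}

    def add_port(self, port: SecurePort) -> None:
        self.ports[port.name] = port

    def secure_mac(self, port_name: str, mac: str) -> None:
        """Model of 'switchport port-security mac-address <mac>'."""
        port = self.ports[port_name]
        for other in self.ports.values():
            # assumption: a secure MAC may be configured on only one port per VLAN
            if other is not port and other.vlan == port.vlan and mac in other.secure_macs:
                raise ValueError(f"{mac} already secured on {other.name} in VLAN {port.vlan}")
        if len(port.secure_macs) >= port.maximum:
            raise ValueError(f"{port_name}: maximum {port.maximum} secure MACs reached")
        port.secure_macs.add(mac)


ROUTER_BIA = "0008.a3fc.a661"   # burned-in address from the config in the thread


def one_port_switch(maximum: int, *macs: str) -> SecurePort:
    """Single-port switch, VLAN 10, with the given MACs statically secured."""
    sw = Switch()
    sw.add_port(SecurePort("Fa0/1", vlan=10, maximum=maximum))
    for mac in macs:
        sw.secure_mac("Fa0/1", mac)
    return sw.ports["Fa0/1"]


def single_mac_vrrp() -> list:
    """Maximum 1, VRRP router: the virtual MAC is a second source -> violation."""
    port = one_port_switch(1, ROUTER_BIA)
    return [port.receive(ROUTER_BIA), port.receive(vrrp_virtual_mac(1))]


def two_macs_hsrp() -> list:
    """Maximum 2 with BIA and HSRP group 1 virtual MAC hard-coded: both forward."""
    port = one_port_switch(2, ROUTER_BIA, hsrp_virtual_mac(1))
    return [port.receive(ROUTER_BIA), port.receive(hsrp_virtual_mac(1))]


def use_bia_hsrp() -> list:
    """'standby use-bia': the router only sources its BIA, so maximum 1 suffices."""
    port = one_port_switch(1, ROUTER_BIA)
    return [port.receive(ROUTER_BIA), port.receive(ROUTER_BIA)]


def duplicate_virtual_mac_two_ports() -> str:
    """Securing the same HSRP virtual MAC on two ports in one VLAN is refused."""
    sw = Switch()
    sw.add_port(SecurePort("Fa0/1", vlan=10, maximum=2))
    sw.add_port(SecurePort("Fa0/2", vlan=10, maximum=2))
    sw.secure_mac("Fa0/1", hsrp_virtual_mac(1))
    try:
        sw.secure_mac("Fa0/2", hsrp_virtual_mac(1))
    except ValueError as err:
        return str(err)
    return "accepted"
```

The model deliberately ignores the violation mode (shutdown/restrict/protect), aging and the fact that only the active router sources the virtual MAC; on a real switch, confirm the outcome with "show port-security interface" and "show port-security address" rather than trusting the model.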
This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:40 GMT-3