Re: HSRP and Port Security

From: Ivan (ivan@iip.net)
Date: Fri Mar 02 2007 - 09:32:05 ART


As Thomas wrote, you must use

R1:
standby 1 mac-address 1.1.1
R2:
standby 1 mac-address 2.2.2

On Friday 02 March 2007 14:31, Antonio Soares wrote:
> Hello Thomas,
>
> Yes, I'm using the defaults. The problem occurs when the active router
> changes. When this occurs, the stand-by mac is seen in two different ports
> on the switch and the switch reports Port Security violation. This makes
> sense, but if you are not allowed to use "standby use-bia", which options do
> we have? I tried using another HSRP mac but the problem is the same:
>
> +++++++++++++++++++
> Rack1SW2(config-if)#
> 10:40:43: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/4, putting Fa1/0/4 in err-disable state
> 10:40:43: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.2222 on port FastEthernet1/0/4.
> 10:40:44: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to down
> 10:40:45: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to down
> +++++++++++++++++++
>
> Thanks.
> Antonio
>
> -----Original Message-----
> From: Thomas.W.Johnson@chase.com [mailto:Thomas.W.Johnson@chase.com]
> Sent: Friday, 2 March 2007 3:10
> To: osuphd2b@yahoo.com; amsoares@netcabo.pt; ccielab@groupstudy.com
> Subject: RE: HSRP and Port Security
>
> Are you using the default HSRP MAC address? And port-security keeps
> err-disabling the ports?
>
> It is a security violation when one of these situations occurs:
>
> * The maximum number of secure MAC addresses has been added to the address
> table, and a station whose MAC address is not in the address table attempts
> to access the interface.
>
> * An address learned or configured on one secure interface is seen on
> another secure interface in the same VLAN.
>
> So, you have two options. Use the standby use-bia command or use the
> standby mac-address command.
>
> Hope that helps.
>
>
> Thomas Johnson
> JP Morgan Chase
> Global Network Implementation
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> James Russell
> Sent: Thursday, March 01, 2007 8:04 PM
> To: Antonio Soares; ccielab@groupstudy.com
> Subject: Re: HSRP and Port Security
>
> I have set up a similar lab, and I am not having this problem. Since this
> is my first post, I will refrain from sticking my configs in here.
>
>
> Antonio Soares <amsoares@netcabo.pt> wrote:
> Hello GS,
>
> I'm having problems understanding why HSRP does not seem to work with Port
> Security. R4 and R6 are running HSRP and are connected to SW2 F1/0/4 and
> F1/0/6 respectively. Here are the configs: <original message truncated>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>

-- 
Ivan
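
Added example, not part of the original thread and not Cisco's implementation: a toy Python model of the two port-security rules quoted above, showing why a virtual MAC shared by both routers trips a violation on failover while one HSRP MAC per router does not. The BIAs, VLAN 1 and the per-port maximum of 2 are assumptions; 0000.0c07.ac01 is the default HSRPv1 MAC for group 1.

```python
# Toy model of switch port security (illustrative only).

def norm(mac):
    """Expand IOS H.H.H notation: '1.1.1' -> '0001.0001.0001'."""
    return ".".join(part.lower().zfill(4) for part in mac.split("."))


class SecureSwitch:
    def __init__(self, maximum=2):   # assumed maximum: router BIA + HSRP MAC
        self.maximum = maximum
        self.table = {}              # (vlan, mac) -> secure port that learned it
        self.err_disabled = set()

    def frame(self, port, vlan, src):
        """Process a source MAC seen on a secure port and return the outcome."""
        src = norm(src)
        if port in self.err_disabled:
            return "dropped"
        owner = self.table.get((vlan, src))
        if owner == port:
            return "ok"
        used = sum(1 for p in self.table.values() if p == port)
        # Rule 2: address already secured on another port in the same VLAN.
        # Rule 1: port is at its maximum and the address is unknown.
        if owner is not None or used >= self.maximum:
            self.err_disabled.add(port)   # default violation mode is shutdown
            return "violation"
        self.table[(vlan, src)] = port
        return "learned"


def failover(vmac_r4, vmac_r6):
    """R6 is active first, then R4 takes over. Returns the outcome on Fa1/0/4."""
    sw = SecureSwitch()
    sw.frame("Fa1/0/4", 1, "0004.0004.0004")   # constructed BIA for R4
    sw.frame("Fa1/0/6", 1, "0006.0006.0006")   # constructed BIA for R6
    sw.frame("Fa1/0/6", 1, vmac_r6)            # active R6 sources the HSRP MAC
    return sw.frame("Fa1/0/4", 1, vmac_r4)     # R4 becomes active


if __name__ == "__main__":
    print("default MAC :", failover("0000.0c07.ac01", "0000.0c07.ac01"))
    print("same custom :", failover("0000.1111.2222", "0000.1111.2222"))
    print("per-router  :", failover("1.1.1", "2.2.2"))
```

With a different `standby 1 mac-address` on each router, no secured address ever moves between ports, so the only remaining requirement is that each port's maximum covers both the BIA and that router's HSRP MAC.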


This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:49 ART