Since I'm reviewing the chapter, I stopped a little bit longer over those 2 tasks because I tried to alter the scenario.

I noticed that with a QinQ tunnel established between Router1 and Switch1, port-security needs to account for another MAC address to let the port work properly without a violation. For example, if on SW1 I don't add switchport port-security max 2, the port remains in shutdown state until I modify the statement. I always thought that QinQ encapsulates the VLANs into a metro tag without adding/modifying the MAC address, so I don't know why this is happening; I just know how to correct it.

Things get complicated when we add HSRP and play with the bia / non-bia options, for example on Switch2 connected to R6. To let the switch work I need to allow a maximum of 3 MAC addresses on the trunk and 1 per VLAN. It seems that with QinQ you always need to account for one more MAC address...

Anyway, after some tests, I saw that the topology became unstable, because sometimes the bia / non-bia workaround worked fine and other times it didn't work at all. Has anybody experienced something like this before? Could we run into these kinds of problems during the lab? I will repeat the test anyway and post the results here.


  • After a quick re-lab I confirm my previous results.

    We need to take into account 2 MACs when we have a QinQ tunnel between the router and the switch. If it wasn't for that port that was continuously flapping, I admit I wouldn't have noticed it, or probably I would have noticed it only after more time.

    What I thought about in this particular case is the trunk configuration. Since we need 2 MACs per port and on R6 we have 2 subinterfaces, if we don't allow 2 MACs per VLAN, R6 won't be able to ping anybody on vlan146. But here comes the connection with ticket 11.22 about HSRP. Since we have 2 MACs allowed per VLAN, we will configure a maximum aggregated threshold of 4 or 3 MACs on trunk f0/6 of SW2 to allow vlan67 and vlan146 to transmit at the same time. So what happens in this case is that whether R6 uses standby use-bia or not, it won't make much difference, because if the threshold per VLAN goes over the 2 MAC addresses, we still have the aggregated MAC threshold of 4 over the trunk interface. So R6 will be able to transmit.

    What I found confusing in this case is when you issue show port-security on SW2. You will see a total count of 2 MACs and a max count of 4 for the trunk. Once the virtual HSRP address appears you will have 3 total MACs and again a max count of 4 for the trunk, but the switch doesn't seem to "see" the other MAC address unless you set the threshold per port to 1. In that case, for example on R4, after setting port-security max 1 I saw total MACs: 1 and max MACs: 1, but the security violations were increasing so much that I imagined it was caused by another MAC address (probably coming from the QinQ tunnel) that was messing around. Once I issued port-security max 2 the violations stopped, but the total count of MACs was still 1... So it would be appreciated to know if someone out there has experienced a similar issue and also understood why the switch seems to account for a secondary MAC address on each access or trunk port when transmitting through QinQ.
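Added example, not from the thread: the configuration that lays out the thresholds the follow-up post settles on (SW1 tunnel port with maximum 2, SW2 trunk f0/6 with 2 per VLAN and an aggregate of 4, R6 running HSRP on two subinterfaces with standby use-bia), plus the show commands used to read the counters. Only f0/6, vlan67, vlan146, R6 and the thresholds come from the post; the SW1 and R6 interface names, the metro VLAN number, the IP addresses and the HSRP group numbers are assumed for illustration.

```cisco
! --- SW1: dot1q-tunnel (QinQ) port facing R1 ---
! Interface name and metro VLAN 100 are assumed.
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode dot1q-tunnel
 switchport port-security
 ! The post reports that maximum 1 leaves this port err-disabled;
 ! maximum 2 is the value that stops the violations.
 switchport port-security maximum 2
 switchport port-security violation shutdown

! --- SW2: trunk f0/6 facing R6 (vlan67 and vlan146) ---
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 67,146
 switchport mode trunk
 switchport port-security
 ! Aggregate ceiling for the whole trunk (post: 4, or 3 as the minimum).
 switchport port-security maximum 4
 ! Per-VLAN ceiling: 2 MACs each, as the post describes.
 switchport port-security maximum 2 vlan 67
 switchport port-security maximum 2 vlan 146
 switchport port-security violation restrict

! --- R6: two dot1Q subinterfaces, HSRP on each ---
! Interface name, addresses and group numbers are assumed.
interface FastEthernet0/0
 no ip address
 ! With use-bia the HSRP virtual MAC is the interface's burned-in
 ! address, so the group does not add a second source MAC on f0/6.
 ! Without it the group uses 0000.0c07.acXX, which counts as an
 ! additional MAC toward both the per-VLAN and aggregate maximums.
 standby use-bia
!
interface FastEthernet0/0.67
 encapsulation dot1Q 67
 ip address 10.0.67.6 255.255.255.0
 standby 1 ip 10.0.67.254
!
interface FastEthernet0/0.146
 encapsulation dot1Q 146
 ip address 10.0.146.6 255.255.255.0
 standby 2 ip 10.0.146.254

! --- Checks on SW2 ---
! Total/max MAC counts, violation count and port status for the trunk:
! show port-security interface FastEthernet0/6
! Which secure MACs were learned, on which VLAN:
! show port-security address
! Recover a port that went err-disabled after a violation:
! interface FastEthernet0/6
!  shutdown
!  no shutdown
```

To reproduce the comparison the post makes, remove standby use-bia from R6, clear the counters with clear port-security all on SW2, and watch show port-security interface FastEthernet0/6 as the HSRP virtual MAC appears; lowering the per-VLAN maximum to 1 is the setting under which the post reports the violation counter climbing.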


