Since im reviewing the chapter i stopped little bit more over those 2 tasks because i've tried to alterate the scenario.
I noticed that with a qinq tunnel established between the router1 and switch1 port-security need to account for another mac-address to let the port properly work without violation. For example if in SW1 i dont add switchport port-security max 2 the port remain in shutdown state until i dont modify the statement. I always thought that qinq encapsulate into a metro tag the vlans without add/modify mac address so i dont know why it is happening that, i just know how correct it.
The things get complicated when we add HSRP and play with bia non-bia options. for example in Switch2 connected to R6. To let switch work i need insert 3 mac address maximum for trunk and 1 per vlan. Seems with qinq need account always for one mac address more...
anyway, after some tests, i saw that topology became not stable because sometimes the bia-nonbia workaround worked fine. Other times didnt worked at all. Does anybody experimented something like this before? We could find those kind of problems during the lab? i will repeat the test anyway and post results here.