HSRP and port security

I'm working on the labs, and one of them is about HSRP and port security.
I need to have HSRP between sw2 and sw3 while switch 1 is doing port security between those two switches.

simple configs:
int range gi0/19,gi0/23
switchport mode access
switchport access vlan 10
switchport port-security
switchport port-security max 2

So in theory it should work, but every time HSRP packets traverse those two ports, one of the ports goes into err-disable.

So I think the issue here is with port security, as on an access port it will not allow the same MAC from two different ports?
Is my logic correct?
And the only way to solve this is to use standby use-bia to force HSRP to use physical MAC addresses?
But it seems this command is not supported on 15.x?

Has anyone run into the same issues?

Error message:
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac00 on port GigabitEthernet0/23.
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet0/23, changed state to down


  • Hi... your logic is OK... the problem is that you are restricting the switches to learn only 2 MAC addresses per port, so when the port sees more than 2 MAC addresses passing through it, the port goes down to the err-disable state. I think we can't put security on a port which is using HSRP because there will be hundreds or even thousands of MAC addresses going through the port...

    This is possible. The standby config option - "standby use-bia" - will use only one mac-address. Without it, there will still only be two mac-addresses coming from the router, the physical and virtual.

    The error is clear in the messages. It is erroring when receiving the virtual mac-address. 0000.0c07.ac00

    Let's discover why you are getting the error.
    Be sure that your switch interfaces are actively allowing two mac-addresses already. If not, try bouncing the interface for the new security config to allow your port-security setting for max 2.

    This command will show the mac-addresses permitted on your switch interface:
    show port-security address

  • @gargolek
    Could this have been due to the fact that HSRP had previously learnt this MAC already?
    If I'm not mistaken, port-security will also err-disable if a secure MAC is moved.
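
Added example (not from any poster in this thread): a small Python triage script that parses PSECURE_VIOLATION syslog lines like the ones quoted above and reports whether the offending MAC is a first-hop redundancy virtual MAC, and for which group. The sample log is the thread's own error output; the HSRPv2 and VRRP prefixes go beyond the single HSRPv1 MAC seen here, and the function names are illustrative.

```python
import re

# Sample input: the three syslog lines quoted in the thread.
SAMPLE_LOG = """\
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac00 on port GigabitEthernet0/23.
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet0/23, changed state to down
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION:.*?MAC address "
    r"(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) on port (?P<port>\S+?)\.?$"
)

# Well-known virtual MAC prefixes (hex digits only); the remainder is the group.
FHRP_PREFIXES = [
    ("00000c07ac", "HSRPv1"),  # 0000.0c07.acXX
    ("00000c9ff", "HSRPv2"),   # 0000.0c9f.fXXX
    ("00005e0001", "VRRP"),    # 0000.5e00.01XX
]

def classify_mac(mac):
    """Return (protocol, group) for an FHRP virtual MAC, else None."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        return None
    for prefix, proto in FHRP_PREFIXES:
        if digits.startswith(prefix):
            return proto, int(digits[len(prefix):], 16)
    return None

def triage(log_text):
    """Return one finding per port-security violation in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line.strip())
        if not m:
            continue  # link/line-protocol messages are ignored
        fhrp = classify_mac(m.group("mac"))
        findings.append({
            "port": m.group("port"),
            "mac": m.group("mac").lower(),
            "protocol": fhrp[0] if fhrp else None,
            "group": fhrp[1] if fhrp else None,
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

A finding with a protocol set means the violation was raised by a gateway virtual MAC rather than an unknown host, which is the case to compare against the output of show port-security address.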

