R&S - WorkBook Vol 1 - Bridging & Switching v4.1 - Port Security and HSRP

Hello,

I was trying to make this scenario work. Page number 148 on Bridging & Switching module - version 4.1.

The output in the workbook shows both switchports on SW2 (F0/4 and F0/6) as enabled and secure-up. (SHOW PORT-S INT F0/4 & F0/6 output)

However, I kept on getting a port violation on one of the ports on the switch, depending on which router was HSRP active.

I could never establish both of the switchports as enabled and secure-up. (SHOW PORT-S INT F0/4 & F0/6 output)

Has anyone run into this problem? If yes, is there a way to make this scenario work? Please explain. Thanks in advance.

Comments

  • Hi ketsha,

    This is exactly the point of the lab. :)

    The HSRP master generates a 2nd mac-address because of HSRP being used. Port-security triggers when it sees more than one mac-address behind the port by default. As soon as port-security is triggered it shuts down the port, then the other router becomes active and generates the 2nd mac, guess what happens on that switchport..

    Configure the 'switchport port-security maximum 2' on both switchports and HSRP comes up. The solution with one mac-address is the next lab in that workbook. ;)

    Hope that helps.

  • I have this same issue, even with switchport port-security max 2 on. It looks like the IOS version on my 3550 shuts down a port not only when it sees more MACs than the configured maximum, but also when it sees a mac address it has already locked down on another port. This theory is confirmed by the fact that it doesn't shut down when I configure 2 different HSRP groups on the two routers.

  • OK, I did a little more experimenting:

    I found out that I did not remove the VLAN filter from the previous exercise. This caused the two routers not to see each other's HSRP messages, which caused them both to become HSRP active; which causes the 3550 to see the same MAC on two ports, which it finds reason enough to kill one... after removing the VLAN filter, all goes well.

  • Well, I had this same issue, port-security kept shutting down the port when the virtual mac was heard on the other interface.

    Found a technote confirming the behavior.

    ----------------------------------------------------------------------------------------

    Case Study #10: HSRP Causes MAC Violation on a Secure Port

    A security violation occurs on a secure port in one of these situations:

    • The maximum number of secure MAC addresses is added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.

    • An address that is learned or configured on one secure interface is seen on another secure interface in the same VLAN.

    Workaround

    Issue the standby use-bia command on the routers.

    ----------------------------------------------------------------------------------------

    And of course the very next lab uses the burned-in address. So it makes me wonder if the first lab was supposed to fail or I am still missing something?
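As an added example (not from the thread or the workbook), the following Python model replays the two violation rules quoted in the technote over constructed HSRP traffic, to show why 'maximum 2' alone still err-disables a port once the virtual MAC moves between the two routers, and why 'standby use-bia' (or, as observed in the second comment, two different HSRP groups) avoids it. The switchport names, burned-in addresses and VLAN number are assumptions; the HSRP version 1 virtual MAC format 0000.0c07.acXX is the well-known one.

```python
from dataclasses import dataclass, field

def hsrp_vmac(group):
    """HSRP version 1 virtual MAC: well-known 0000.0c07.acXX, XX = group number in hex."""
    return f"0000.0c07.ac{group:02x}"

# Constructed topology (assumption): R1 on Fa0/4, R2 on Fa0/6, both in VLAN 1.
R1 = ("Fa0/4", "0011.1111.1111")   # (switchport, router burned-in address)
R2 = ("Fa0/6", "0022.2222.2222")

@dataclass
class PortSecurity:
    maximum: int                                  # switchport port-security maximum N
    secured: dict = field(default_factory=dict)   # (vlan, mac) -> port that secured it
    errdisabled: set = field(default_factory=set)

    def frame(self, port, vlan, src):
        """Apply the technote's two violation rules; return True if the frame is accepted."""
        if port in self.errdisabled:
            return False
        owner = self.secured.get((vlan, src))
        if owner == port:
            return True
        if owner is not None:            # rule 2: address secured on another port, same VLAN
            self.errdisabled.add(port)
            return False
        if sum(p == port for p in self.secured.values()) >= self.maximum:
            self.errdisabled.add(port)   # rule 1: table full and an unknown address arrives
            return False
        self.secured[(vlan, src)] = port
        return True

def run_lab(maximum, use_bia=False, groups=(1, 1)):
    """R1 is active first, then R2 becomes active (failover, or both active as in the
    VLAN-filter mishap above). Returns the set of err-disabled switchports."""
    sw = PortSecurity(maximum)
    for (port, bia), group in zip((R1, R2), groups):
        sw.frame(port, 1, bia)                                   # router's own traffic
        sw.frame(port, 1, bia if use_bia else hsrp_vmac(group))  # hellos while active
    return sw.errdisabled

if __name__ == "__main__":
    print("maximum 1:", run_lab(1))                    # both ports err-disabled in turn
    print("maximum 2:", run_lab(2))                    # virtual MAC moves -> Fa0/6 dies
    print("maximum 2 + use-bia:", run_lab(2, use_bia=True))
    print("maximum 2, groups 1 and 2:", run_lab(2, groups=(1, 2)))
```

The model deliberately ignores aging and sticky learning; it only shows which of the two rules fires in each configuration.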
