R&S - WorkBook Vol 1 - Bridging & Switching v4.1 - Port Security and HSRP


I was trying to make this scenario work. Page number 148 on Bridging & Switching module - version 4.1.

The output in the workbook shows both switchports on SW2 (F0/4 and F0/6) as enabled and secure-up. (SHOW PORT-S INT F0/4 & F0/6 output)

However, I kept on getting a port violation on one of the ports on the switch, depending on which router was HSRP active.

I could never get both of the switchports to show as enabled and secure-up. (SHOW PORT-S INT F0/4 & F0/6 output)

Has anyone run into this problem? If yes, is there a way to make this scenario work? Please explain. Thanks in advance.


  • Hi ketsha,

    This is exactly the point of the lab. :)

    The HSRP master generates a 2nd mac-address because of HSRP being used. Port-security triggers when it sees more than one mac-address behind the port by default. As soon as port-security is triggered it shuts down the port, then the other router becomes active and generates the 2nd mac, guess what happens on that switchport..

    Configure the 'switchport port-security maximum 2' on both switchports and HSRP comes up. The solution with one mac-address is the next lab in that workbook. ;)

    Hope that helps.

  • I have this same issue, even with switchport port-security max 2 on. It looks like the IOS version on my 3550 shuts down a port not only when it sees more MACs than the configured maximum, but also when it sees a mac address it has already locked down on another port. This theory is confirmed by the fact that it doesn't shut down when I configure 2 different HSRP groups on the two routers.

  • ok, I did a little more experimenting:

    I found out that I did not remove the VLAN filter from the previous exercise. This caused the two routers not to see each other's HSRP messages, which caused them both to become HSRP active; that caused the 3550 to see the same MAC on two ports, which it found reason enough to kill one... after removing the VLAN filter, all goes well.

  • Well, I had this same issue; port-security kept shutting down the port when the virtual mac was heard on the other interface.

    Found a technote confirming the behavior.


    Case Study #10: HSRP Causes MAC Violation on a Secure Port

    A security violation occurs on a secure port in one of these situations:

    • The maximum number of secure MAC addresses is added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.

    • An address that is learned or configured on one secure interface is seen on another secure interface in the same


    Issue the

    command on the routers.


    And of course the very next lab uses the burned-in address. So it makes me wonder if the first lab was supposed to fail or I am still missing something?
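Putting the thread together as one worked configuration: the `maximum 2` fix from the first reply, plus the checks that separate the two violation causes quoted from the technote (too many MACs on one port vs. the same MAC seen on two secure ports). This is an added example, not the workbook's configuration or any poster's; interface names F0/4 and F0/6 on SW2 come from the thread, while the VLAN number, IP addressing, HSRP group number and router interface names are assumed.

```cisco
! SW2: the two secure access ports toward R1 and R2.
! F0/4 and F0/6 are from the thread; VLAN 146 is an assumed value.
interface range FastEthernet0/4 , FastEthernet0/6
 switchport mode access
 switchport access vlan 146
 switchport port-security
 ! Two MACs per port: the router's burned-in address plus the HSRP
 ! virtual MAC (0000.0c07.acXX, XX = group number) on the active router.
 switchport port-security maximum 2
 switchport port-security violation shutdown
!
! Let an err-disabled port recover on its own instead of needing shut/no shut
! each time you test a failover.
errdisable recovery cause psecure-violation
errdisable recovery interval 60
!
! R1 (assumed addressing): preferred active router for group 1.
interface FastEthernet0/0
 ip address 10.1.146.1 255.255.255.0
 standby 1 ip 10.1.146.254
 standby 1 priority 110
 standby 1 preempt
!
! R2 (assumed addressing): standby for group 1.
interface FastEthernet0/0
 ip address 10.1.146.2 255.255.255.0
 standby 1 ip 10.1.146.254
!
! Checks. Exactly one router must show Active. If both do (for example a
! leftover VLAN filter blocking the HSRP hellos, as in the third post), the
! virtual MAC shows up on both secure ports and the second violation cause
! from the technote fires no matter how high the maximum is set.
! R1# show standby brief
! R2# show standby brief
! SW2# show port-security interface FastEthernet0/4
! SW2# show port-security interface FastEthernet0/6
! SW2# show port-security address
! SW2# show mac-address-table address 0000.0c07.ac01
```

`show port-security address` lists which secure MAC was learned on which port, so after a failover you can see the virtual MAC move from F0/4 to F0/6 rather than appearing on both. The burned-in-address approach the last post mentions for the following lab (`standby use-bia` on IOS) is the alternative: the active router then answers for the virtual IP with its own MAC, each port only ever carries one address, and the default maximum of 1 is sufficient.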
