Port Security questions

marcus.glover
Level 1

I have a question regarding the interoperation of HSRP and port security. Currently we have port security on switchports connecting to the two HSRP routers. The port security settings are to allow 2 MAC addresses on each of these ports (for the physical router mac and the virtual HSRP mac).

Now my question is this: when the HSRP failover occurs, the virtual MAC will be advertised by the backup HSRP router. At this time the virtual MAC will be seen on 2 ports by the switch. How does port security treat this? If I have MAC-A which is secured on a port, can MAC-A appear in the CAM table on another port?

2 Replies

amit-singh
Level 8

Mark,

The switch will not allow you to have the same MAC on 2 different ports. So in this case, if your primary router goes down and the secondary router starts responding to the ARP request using the standby MAC address, port security will shut down the port, depending on the kind of violation set. We can overcome this in 2 ways:

1. Disable port-security on the respective interfaces.

2. Use the "standby use-bia" command on the router interfaces, and HSRP will use the burned-in MAC address of the Ethernet interface for the ARP requests to the standby IP.

The second option should be enabled with the following disadvantages in mind:

Using the standby use-bia command has these disadvantages:

* When a router becomes active the virtual IP address is moved to a different MAC address. The newly active router sends a gratuitous ARP response, but not all host implementations handle the gratuitous ARP correctly.

* Proxy ARP breaks when use-bia is configured. A standby router cannot cover for the lost proxy ARP database of the failed router.

HTH,

-amit singh
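The two configurations discussed in the reply, as an added example that is not part of the original thread: the switch-side port-security settings the original poster describes (maximum 2 addresses per router-facing port), a plain HSRP router interface, and the same router interface with "standby use-bia" as suggested above. Interface names, VLAN, IP addresses, the HSRP group number and the violation mode are assumptions chosen for illustration.

```text
! Added example, not configuration from the original thread.
! Interface names, VLAN 10, the 10.10.10.0/24 addresses and HSRP group 1 are assumed.

! Switch side: access port facing HSRP router A
! (the port facing router B is configured the same way)
interface GigabitEthernet1/0/1
 description Uplink to HSRP router A
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
! Router A, standard HSRP: the group's virtual MAC follows the active router,
! so after a failover the switch sees it move to router B's port
interface GigabitEthernet0/0
 ip address 10.10.10.2 255.255.255.0
 standby 1 ip 10.10.10.1
 standby 1 priority 110
 standby 1 preempt
!
! Router A, alternative from the reply: answer ARP for the virtual IP with the
! burned-in address, so no MAC is ever learned on two secured ports
interface GigabitEthernet0/0
 ip address 10.10.10.2 255.255.255.0
 standby use-bia
 standby 1 ip 10.10.10.1
 standby 1 priority 110
 standby 1 preempt
!
! Checks on the switch after a test failover
show port-security interface GigabitEthernet1/0/1
show port-security address
show mac address-table vlan 10
```

The violation mode is the detail to decide deliberately: the default "shutdown" err-disables the port on the first violation, while "restrict" drops the offending frames, increments the violation counter and logs the event without taking the port down. Either way, "show port-security interface" and "show port-security address" show whether the virtual MAC was counted against the port's maximum and whether a violation was recorded, which is the quickest way to confirm how a given platform handles the failover before relying on it in production.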

Thanks Amit, much appreciated
