10-06-2005 03:07 AM - edited 03-03-2019 12:16 AM
I have a question regarding the interoperation of HSRP and port security. Currently we have port security on the switchports connecting to the two HSRP routers. The port security settings are to allow 2 MAC addresses on each of these ports (for the physical router MAC and the virtual HSRP MAC).
Now my question is this: when the HSRP failover occurs, the virtual MAC will be advertised by the backup HSRP router. At this time the virtual MAC will be seen on 2 ports by the switch. How does port security treat this? If I have MAC-A which is secured on a port, can MAC-A appear in the CAM table on another port?
10-06-2005 03:41 AM
Mark,
The switch will not allow you to have the same MAC on 2 different ports. So in this case, if your primary router goes down and the secondary router starts responding to the ARP requests using the standby MAC address, port security will shut down the port, depending on the kind of violation set. We can overcome this in 2 ways:
1. Disable port-security on the respective interfaces.
2. Use the "standby use-bia" command on the router interfaces, and HSRP will use the burned-in MAC address of the Ethernet interface for the ARP requests to the standby IP.
The second option should be enabled keeping the following disadvantages in mind. Using the standby use-bia command has these disadvantages:
* When a router becomes active the virtual IP address is moved to a different MAC address. The newly active router sends a gratuitous ARP response, but not all host implementations handle the gratuitous ARP correctly.
* Proxy ARP breaks when use-bia is configured. A standby router cannot cover for the lost proxy ARP database of the failed router.
HTH,
-amit singh
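A worked configuration for the situation in the question and for option 2 in the answer, added here as an example and not part of the original thread. The interface names, VLAN 10, the 10.10.10.0/24 addresses, the HSRP group number 10 and the priorities are assumptions chosen for illustration; the port-security and HSRP commands themselves are standard Cisco IOS.

```cisco
! Added example, not from the original thread. Interface names, VLAN,
! addresses, HSRP group and priorities are constructed for illustration.
!
! --- Switch: the two access ports facing the HSRP routers ---
! Each port is allowed 2 secure MACs: the router's burned-in address and
! the HSRP virtual MAC (0000.0c07.ac0a for HSRP version 1, group 10).
! The virtual MAC is learned on the port behind the ACTIVE router. After a
! failover it is sourced from the other port; a MAC already secured on one
! secure port appearing on a second secure port in the same VLAN is a
! port-security violation, and with "violation shutdown" that second port
! goes err-disabled. This is the behaviour the answer describes.
interface GigabitEthernet0/1
 description to R1 (HSRP primary)
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
!
interface GigabitEthernet0/2
 description to R2 (HSRP secondary)
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
!
! --- Routers, option 2 from the answer: standby use-bia ---
! With use-bia each router answers ARP for the standby address 10.10.10.1
! with its own burned-in MAC, so no MAC address ever moves between the two
! switch ports and port security never sees a MAC-move violation. The
! trade-off (hosts must honour the gratuitous ARP sent by the new active
! router; proxy ARP coverage is lost) is the one listed in the answer.
!
! R1:
interface FastEthernet0/0
 description R1 LAN toward the switch
 ip address 10.10.10.2 255.255.255.0
 standby use-bia
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt
!
! R2:
interface FastEthernet0/0
 description R2 LAN toward the switch
 ip address 10.10.10.3 255.255.255.0
 standby use-bia
 standby 10 ip 10.10.10.1
 standby 10 priority 100
 standby 10 preempt
```

With use-bia in place each switch port only ever sees its router's burned-in address, so the switch-side maximum can be lowered to 1 if you want the tightest setting. To check the state on the switch, use `show port-security interface GigabitEthernet0/2` and `show port-security address`; on the routers, `show standby brief` shows which router is active and which MAC HSRP is using. If a port has already been err-disabled by a violation during a failover test, `errdisable recovery cause psecure-violation` on the switch lets it recover automatically after the recovery interval rather than requiring a manual shutdown/no shutdown.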
10-06-2005 03:54 AM
Thanks Amit, much appreciated