[c-nsp] MAC Address 'static' and HSRP failover
Peter Rathlev
peter at rathlev.dk
Tue Mar 9 12:39:27 EST 2010
On Tue, 2010-03-09 at 23:05 +1030, mark walters wrote:
[...]
> The config is pretty vanilla but the one thing that is really strange
> is the fact that both switches are learning the virtual MAC and
> neither is purged during failover. In previous configs port-security
> has caused the MAC addresses to be learnt “dynamically” and obviously
> the virtual MAC is only seen from the active router. In this set up
> both switches are learning the virtual Mac from both upstream routers
> and then ‘statically’ assigning them rather than dynamic which I
> believe is causing issues.
[...]
> SW01#sh run int fa0/1
>
> interface FastEthernet0/1
> description "Provider Primary RTR"
> switchport access vlan 200
> switchport mode access
> switchport nonegotiate
> switchport port-security maximum 2
> switchport port-security
> speed 100
> duplex full
> no cdp enable
> spanning-tree portfast
> spanning-tree bpdufilter enable
> spanning-tree bpduguard enable
> spanning-tree guard root
> end
[...]
As far as I remember, enabling port-security on a port always forces
learned MAC addresses to be "sticky", i.e. recorded as STATIC. It should
clear if the port goes down, but not otherwise.
Any special reason for using port-security here? It doesn't really give
you more security.
--
Peter
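Peter's point is that port-security records the learned addresses as STATIC, so the HSRP virtual MAC stays pinned to the port where it was first seen instead of being relearned after a failover. The script below is an added example and not part of this thread: it parses a constructed `show mac address-table` listing, identifies HSRP virtual MACs by their well-known prefixes (0000.0c07.acXX for HSRPv1, 0000.0c9f.fXXX for HSRPv2, group number in hex) and reports any that the switch holds as STATIC. The sample table, VLAN and port names are invented for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of a Catalyst "show mac address-table";
# every address, VLAN and port below is invented for this example.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 200    0000.0c07.ac01    STATIC      Fa0/1
 200    0011.2233.4455    STATIC      Fa0/1
 200    0011.2233.6677    DYNAMIC     Fa0/2
 200    0000.0c9f.f002    DYNAMIC     Fa0/3
 200    00aa.bbcc.ddee    DYNAMIC     Fa0/5
Total Mac Addresses for this criterion: 5
"""

# One table row: VLAN, dotted-hex MAC, type (STATIC/DYNAMIC/...), port.
MAC_LINE = re.compile(
    r"^\s*(?P<vlan>\d+|All)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\S+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)

# HSRPv1 virtual MAC: 0000.0c07.acXX (XX = group 0-255 in hex).
HSRP_V1 = re.compile(r"^0000\.0c07\.ac(?P<group>[0-9a-f]{2})$", re.IGNORECASE)
# HSRPv2 virtual MAC: 0000.0c9f.fXXX (XXX = group 0-4095 in hex).
HSRP_V2 = re.compile(r"^0000\.0c9f\.f(?P<group>[0-9a-f]{3})$", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    vlan: str
    mac: str
    mac_type: str
    port: str


def parse_mac_table(text):
    """Return the data rows of a 'show mac address-table' listing as Entry objects."""
    entries = []
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            entries.append(Entry(m["vlan"], m["mac"].lower(),
                                 m["type"].upper(), m["port"]))
    return entries


def hsrp_group(mac):
    """Return (hsrp_version, group) for an HSRP virtual MAC, or None otherwise."""
    m = HSRP_V1.match(mac)
    if m:
        return (1, int(m["group"], 16))
    m = HSRP_V2.match(mac)
    if m:
        return (2, int(m["group"], 16))
    return None


def find_static_hsrp_entries(entries):
    """Return [(entry, (version, group))] for virtual MACs recorded as STATIC.

    A STATIC virtual MAC (here: one secured by port-security) will not be
    relearned on another port after an HSRP failover, which is the symptom
    described in the thread.
    """
    return [(e, hsrp_group(e.mac)) for e in entries
            if hsrp_group(e.mac) is not None and e.mac_type == "STATIC"]


def report(text):
    """Human-readable lines for each STATIC virtual MAC found in the listing."""
    lines = []
    for e, (version, group) in find_static_hsrp_entries(parse_mac_table(text)):
        lines.append(f"VLAN {e.vlan}: HSRPv{version} group {group} virtual MAC "
                     f"{e.mac} is STATIC on {e.port}; it will not follow a failover")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_MAC_TABLE):
        print(line)
```

Run it against a real `show mac address-table` capture instead of the constructed sample; any virtual MAC reported as STATIC is one that port-security has pinned, and the port it names is where traffic for that group will keep going after a failover.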