Jason, Congrats man.
Regards,
Samir.

On Thu, May 26, 2011 at 11:10 AM, <[email protected]> wrote:

> Send CCIE_RS mailing list submissions to
>        [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        http://onlinestudylist.com/mailman/listinfo/ccie_rs
> or, via email, send a message with subject or body 'help' to
>        [email protected]
>
> You can reach the person managing the list at
>        [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of CCIE_RS digest..."
>
>
> Today's Topics:
>
>   1. Re: cisco switch drops the first packet when port security is
>      enabled. (Di Bias, Steve)
>   2. Re: cisco switch drops the first packet when port security is
>      enabled. (AKHILESH THAKUR)
>   3. Passed (Jason Maynard)
>   4. Re: cisco switch drops the first packet when port security is
>      enabled. (Di Bias, Steve)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 26 May 2011 01:45:14 -0400
> From: "Di Bias, Steve" <[email protected]>
> To: AKHILESH THAKUR <[email protected]>,
>        "[email protected]" <[email protected]>
> Subject: Re: [OSL | CCIE_RS] cisco switch drops the first packet when
>        port security is enabled.
> Message-ID:
>        <2fe030039b8ad14eb4373ca25779c63e91e6324...@corp-exvs01.corp.uhsinc.biz>
> Content-Type: text/plain; charset="us-ascii"
>
> I think you just answered your own question here and this would happen
> regardless of port-security. If there is no ARP entry with the MAC address
> in question then an ARP entry will be sent and the first packet dropped.
> Once the ARP entry exists the rest of your pings succeed.
>
> From: AKHILESH THAKUR [mailto:[email protected]]
> Sent: Wednesday, May 25, 2011 10:30 PM
> To: Di Bias, Steve; [email protected]
> Subject: RE: [OSL | CCIE_RS] cisco switch drops the first packet when port
> security is enabled.
>
> Dear Steve,
> On switch port configure the following:
>
> interface FastEthernet0/21
>  description "Connected to AP-2"
>  switchport mode trunk
>  switchport port-security maximum 1000
>  switchport port-security
>  switchport port-security aging time 1
>  switchport port-security violation restrict
>  switchport port-security aging type inactivity
>
> The drop happens if switch has not learned the mac address of device. So
> when the first ICMP we can see the packet hits the interface and learns the
> mac address. But the icmp packet is dropped.
> This behaviour can be seen after every aging time of the interface.
>
> Don't use sticky, this keeps the mac address in the cam table permanently.
>
> Regards
> Akhilesh
>
> > From: [email protected]
> > To: [email protected]; [email protected]
> > Date: Wed, 25 May 2011 14:55:39 -0400
> > Subject: RE: [OSL | CCIE_RS] cisco switch drops the first packet when
> > port security is enabled.
> >
> > Interestingly I have heard of this before, however I have been unable to
> > see it in action myself. What are you seeing? Is it dropping the first
> > packet when you send ICMP echos? Here is what I did:
> >
> > R1--VLAN12--CAT1--VLAN12--R2
> >
> > R1 Config
> >
> > interface FastEthernet0/0
> >  ip address 150.100.12.1 255.255.255.0
> >
> > Cat1 Config (interface connecting to R1)
> >
> > interface GigabitEthernet0/1
> >  switchport access vlan 12
> >  switchport mode access
> >  switchport nonegotiate
> >  switchport port-security maximum 2
> >  switchport port-security
> >  switchport port-security mac-address sticky
> >  switchport port-security mac-address sticky 0014.1c2b.4550
> >  spanning-tree portfast
> >  spanning-tree bpduguard enable
> >
> > R2 Config
> >
> > interface FastEthernet0/0
> >  ip address 150.100.12.2 255.255.255.0
> >
> > Now if I initiate ICMP echoes from R2 to R1 you are saying I should drop
> > the first packet? Let's test this
> >
> > R2(config)#do deb ip pack
> > IP packet debugging is on
> > R2(config)#
> > R2(config)#do ping 150.100.12.1
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 150.100.12.1, timeout is 2 seconds:
> > !!!!!
> > Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
> > R2(config)#
> > *Aug 21 12:05:53.917: IP: tableid=0, s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), routed via FIB
> > *Aug 21 12:05:53.917: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
> > *Aug 21 12:05:53.921: IP: tableid=0, s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), routed via RIB
> > *Aug 21 12:05:53.921: IP: s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), len 100, rcvd 3
> > *Aug 21 12:05:53.921: IP: tableid=0, s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), routed via FIB
> > *Aug 21 12:05:53.925: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
> > *Aug 21 12:05:53.925: IP: tableid=0, s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), routed via RIB
> > *Aug 21 12:05:53.925: IP: s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), len 100, rcvd 3
> > *Aug 21 12:05:53.929: IP: tableid=0, s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), routed via F
> > R2(config)#IB
> > *Aug 21 12:05:53.929: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
> > *Aug 21 12:05:53.933: IP: tableid=0, s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), routed via RIB
> > *Aug 21 12:05:53.933: IP: s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), len 100, rcvd 3
> > *Aug 21 12:05:53.933: IP: tableid=0, s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), routed via FIB
> > *Aug 21 12:05:53.933: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
> > *Aug 21 12:05:53.937: IP: tableid=0, s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), routed via RIB
> > *Aug 21 12:05:53.937: IP: s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), len 100, rcvd 3
> > *Aug 21 12:05:53.941: IP: tableid=0, s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), routed via FIB
> > *Aug 21 12:05:53.941: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
> > *Aug 21 12:05:53.941: IP: tableid=0, s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), routed via RIB
> > *Aug 21 12:05:53.945: IP: s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), len 100, rcvd 3
> >
> > As you can see I didn't drop any packets. Can you elaborate on what you
> > are seeing and how you are testing this?
> >
> > Thank you,
> >
> > Steve Di Bias
> > Network Engineer - Information Systems
> > Valley Health System - Las Vegas
> > Office - 702- 369-7594
> > Cell - 702-241-1801
> > [email protected]
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of AKHILESH THAKUR
> > Sent: Wednesday, May 25, 2011 2:14 AM
> > To: [email protected]
> > Subject: [OSL | CCIE_RS] cisco switch drops the first packet when port
> > security is enabled.
> >
> > Dear GS,
> >
> > Does anyone know why cisco switch drops the first packet when port
> > security is enabled.
> >
> > Regards
> > Akhilesh
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training, please
> > visit www.ipexpert.com
> >
> > Are you a CCNP or CCIE and looking for a job? Check out
> > www.PlatinumPlacement.com
> >
> > UHS Confidentiality Notice: This e-mail message, including any
> > attachments, is for the sole use of the intended recipient (s) and may
> > contain confidential and privileged information. Any unauthorized review,
> > use, disclosure or distribution of this information is prohibited. If this
> > was sent to you in error, please notify the sender by reply e-mail and
> > destroy all copies of the original message.
>
> ------------------------------
>
> Message: 2
> Date: Thu, 26 May 2011 05:49:29 +0000
> From: AKHILESH THAKUR <[email protected]>
> To: <[email protected]>, <[email protected]>
> Subject: Re: [OSL | CCIE_RS] cisco switch drops the first packet when
>        port security is enabled.
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Dear Steve,
> There is arp entry on the routers. If you remove port-security then there
> is no drops.
>
> ------------------------------
>
> Message: 3
> Date: Thu, 26 May 2011 01:57:21 -0400
> From: "Jason Maynard" <[email protected]>
> To: <[email protected]>, "'Don Lundquist'"
>        <[email protected]>
> Subject: [OSL | CCIE_RS] Passed
> Message-ID: <001501cc1b69$c7df2db0$579d8910$@com>
> Content-Type: text/plain; charset="us-ascii"
>
> Just thought I'd update everyone as I got my number today
>
> 29033
>
> I will pass on my experience at a later date
>
> /@
> \ \
> ___> \
> (__O) \
> (____@) \
> (____@) \
> (__o)_ \
> \ \
>
> Jason Maynard
> CCIE 29033, CC(I/D)P, GSEC, GCFW, CEH
> IT Consultant
> Email: [email protected]
> Blog: http://packetsanalyzed.blogspot.com/
>
> ------------------------------
>
> Message: 4
> Date: Thu, 26 May 2011 02:10:18 -0400
> From: "Di Bias, Steve" <[email protected]>
> To: AKHILESH THAKUR <[email protected]>,
>        "[email protected]" <[email protected]>
> Subject: Re: [OSL | CCIE_RS] cisco switch drops the first packet when
>        port security is enabled.
> Message-ID:
>        <2fe030039b8ad14eb4373ca25779c63e91e6324...@corp-exvs01.corp.uhsinc.biz>
> Content-Type: text/plain; charset="us-ascii"
>
> On the switch I killed the config and cleared the CAM table. On R2 I
> cleared the ARP table and then I put the configuration you suggested back on
> Cat1 Gig0/1
>
> R2#clear ip arp 150.100.12.1
> R2#sh ip arp
> Protocol  Address          Age (min)  Hardware Addr   Type   Interface
> Internet  150.100.12.2            -   0011.92a1.db20  ARPA   FastEthernet0/0
>
> Notice there is no ARP entry there, now I will ping R1 and the first ping
> will fail because there is no ARP entry (notice encapsulation failed on the
> first packet)
>
> R2#ping 150.100.12.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 150.100.12.1, timeout is 2 seconds:
>
> *Aug 21 23:17:48.566: IP: tableid=0, s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), routed via RIB
> *Aug 21 23:17:48.566: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
> *Aug 21 23:17:48.570: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, encapsulation failed.!!!!
> Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/8 ms
> R2#
> *Aug 21 23:17:50.566: IP: tableid=0, s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), routed via FIB
> *Aug 21 23:17:50.566: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
> *Aug 21 23:17:50.566: IP: tableid=0, s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), routed via RIB
> *Aug 21 23:17:50.570: IP: s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), len 100, rcvd 3
> *Aug 21 23:17:50.570: IP: tableid=0, s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), routed via FIB
> *Aug 21 23:17:50.570: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
> *Aug 21 23:17:50.574: IP: tableid=0, s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), routed via RIB
> *Aug 21 23:17:50.574: IP: s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), len 100, rcvd 3
> *Aug 21 23:17:50.574: IP: tableid=0, s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), routed via F
> R2#IB
> *Aug 21 23:17:50.578: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
> *Aug 21 23:17:50.578: IP: tableid=0, s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), routed via RIB
> *Aug 21 23:17:50.578: IP: s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), len 100, rcvd 3
> *Aug 21 23:17:50.582: IP: tableid=0, s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), routed via FIB
> *Aug 21 23:17:50.582: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
> *Aug 21 23:17:50.586: IP: tableid=0, s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), routed via RIB
> *Aug 21 23:17:50.586: IP: s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), len 100, rcvd 3
>
> From this point on, so long as that ARP entry exists I never drop the first
> packet again
>
> R2#sh ip arp
> Protocol  Address          Age (min)  Hardware Addr   Type   Interface
> Internet  150.100.12.2            -   0011.92a1.db20  ARPA   FastEthernet0/0
> Internet  150.100.12.1            2   0014.1c2b.4550  ARPA   FastEthernet0/0
>
> R2#ping 150.100.12.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 150.100.12.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
> R2#
> *Aug 21 23:20:24.170: IP: tableid=0, s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), routed via FIB
> *Aug 21 23:20:24.174: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
> *Aug 21 23:20:24.174: IP: tableid=0, s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), routed via RIB
> *Aug 21 23:20:24.178: IP: s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), len 100, rcvd 3
> *Aug 21 23:20:24.178: IP: tableid=0, s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), routed via FIB
> *Aug 21 23:20:24.178: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
> *Aug 21 23:20:24.182: IP: tableid=0, s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), routed via RIB
> *Aug 21 23:20:24.182: IP: s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), len 100, rcvd 3
> *Aug 21 23:20:24.182: IP: tableid=0, s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), routed via FIB
> *Aug 21 23:20:24.186: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
> *Aug 21 23:20:24.186: IP: tableid=0, s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), routed via RIB
> *Aug 21 23:20:24.186: IP: s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), len 100, rcvd 3
> *Aug 21 23:20:24.190: IP: tableid=0, s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), routed via FIB
> *Aug 21 23:20:24.190: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
> *Aug 21 23:20:24.194: IP: tableid=0, s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), routed via RIB
> *Aug 21 23:20:24.194: IP: s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), len 100, rcvd 3
> *Aug 21 23:20:24.194: IP: tableid=0, s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), routed via FIB
> *Aug 21 23:20:24.194: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
> *Aug 21 23:20:24.198: IP: tableid=0, s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), routed via RIB
> *Aug 21 23:20:24.198: IP: s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), len 100, rcvd 3
>
> Is this not the behavior you're seeing?
>
> End of CCIE_RS Digest, Vol 64, Issue 62
> ***************************************

--
Samir Idris
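
An added example, not part of the original thread: the question running through the quoted digest is whether a lost first echo died on the sending router (ARP miss, logged as "encapsulation failed") or after it left the router, and the Python below classifies each echo in `debug ip packet` output accordingly. The log text is constructed on the pattern of the output quoted above, the function names are hypothetical, and it assumes IOS ping has only one echo outstanding at a time.

```python
import re

# One IOS "debug ip packet" event line. The "tableid=..., routed via" lines
# carry no send/receive result and deliberately do not match.
EVENT = re.compile(
    r"IP: s=(?P<src>\S+) \(\S+\), d=(?P<dst>\S+) \(\S+\), "
    r"len \d+, (?P<what>sending|rcvd|encapsulation failed)"
)


def classify(debug_text, local_ip):
    """Return one outcome per packet local_ip tried to send:
    'replied', 'arp_miss' (never left the router) or 'no_reply'."""
    outcomes = []
    last = {}  # destination -> index of the most recent send to it
    for line in debug_text.splitlines():
        m = EVENT.search(line)
        if m is None:
            continue
        src, dst, what = m.group("src", "dst", "what")
        if src == local_ip and what == "sending":
            outcomes.append("no_reply")          # until proven otherwise
            last[dst] = len(outcomes) - 1
        elif src == local_ip and what == "encapsulation failed" and dst in last:
            outcomes[last[dst]] = "arp_miss"     # no L2 address to build the frame
        elif dst == local_ip and what == "rcvd" and src in last:
            # Assumption: ping is sequential, so a reply belongs to the last send.
            if outcomes[last[src]] == "no_reply":
                outcomes[last[src]] = "replied"
    return outcomes


def first_packet_cause(outcomes):
    """Say where to look next, based on the first packet only."""
    if not outcomes:
        return "no packets seen"
    return {
        "replied": "first packet answered",
        "arp_miss": "dropped on the sender: no ARP entry yet",
        "no_reply": "left the sender unanswered: check the path, "
                    "e.g. 'show port-security interface' on the switch",
    }[outcomes[0]]


# Constructed log: ARP table cleared on the sender before the ping.
ARP_MISS_LOG = """\
*Aug 21 23:17:48.566: IP: tableid=0, s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), routed via RIB
*Aug 21 23:17:48.566: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
*Aug 21 23:17:48.570: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, encapsulation failed
*Aug 21 23:17:50.566: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
*Aug 21 23:17:50.570: IP: s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), len 100, rcvd 3
*Aug 21 23:17:50.570: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
*Aug 21 23:17:50.574: IP: s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), len 100, rcvd 3
"""

# Constructed, hypothetical log: ARP entry present, first echo sent but never
# answered (the pattern a drop beyond the router would leave behind).
SILENT_LOSS_LOG = """\
*Aug 21 23:30:00.100: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
*Aug 21 23:30:02.100: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
*Aug 21 23:30:02.104: IP: s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), len 100, rcvd 3
*Aug 21 23:30:02.104: IP: s=150.100.12.2 (local), d=150.100.12.1 (FastEthernet0/0), len 100, sending
*Aug 21 23:30:02.108: IP: s=150.100.12.1 (FastEthernet0/0), d=150.100.12.2 (FastEthernet0/0), len 100, rcvd 3
"""

if __name__ == "__main__":
    for name, log in (("arp miss", ARP_MISS_LOG), ("silent loss", SILENT_LOSS_LOG)):
        result = classify(log, "150.100.12.2")
        print(name, result, "->", first_packet_cause(result))
```

Both logs show one lost echo out of three, but only the first contains "encapsulation failed", so only that loss can be attributed to ARP resolution on the sender.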
