On Tue, 2010-03-09 at 23:05 +1030, mark walters wrote:

[...]

> The config is pretty vanilla but the one thing that is really strange
> is the fact that both switches are learning the virtual MAC and
> neither is purged during failover. In previous configs port-security
> has caused the MAC addresses to be learnt "dynamically" and obviously
> the virtual MAC is only seen from the active router. In this set up
> both switches are learning the virtual MAC from both upstream routers
> and then 'statically' assigning them rather than dynamic which I
> believe is causing issues.

[...]

> SW01#sh run int fa0/1
>
> interface FastEthernet0/1
>  description "Provider Primary RTR"
>  switchport access vlan 200
>  switchport mode access
>  switchport nonegotiate
>  switchport port-security maximum 2
>  switchport port-security
>  speed 100
>  duplex full
>  no cdp enable
>  spanning-tree portfast
>  spanning-tree bpdufilter enable
>  spanning-tree bpduguard enable
>  spanning-tree guard root
> end

[...]
As far as I remember, enabling port-security on a port always forces
learned MAC addresses to be "sticky", i.e. recorded as STATIC. It should
clear if the port goes down, but not otherwise.

Any special reason for using port-security here? It doesn't really give
you more security.

-- 
Peter

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
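An added example, not from this thread or from either poster: a small Python checker that parses "show mac address-table" style output and flags first-hop redundancy (HSRP/VRRP/GLBP) virtual MACs that are pinned as STATIC or learned on more than one port, which is the symptom Mark describes. The MAC table below is constructed for the example and is not SW01's real table; the virtual MAC prefixes are the public HSRP v1/v2, VRRP and GLBP ranges.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Catalyst "show mac address-table" output.
# It is invented for this example, not captured from SW01. The HSRP v1 virtual
# MAC 0000.0c07.ac01 appears as STATIC on both uplink ports, which is the
# situation described in the thread.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 200    0000.0c07.ac01    STATIC      Fa0/1
 200    0000.0c07.ac01    STATIC      Fa0/2
 200    0011.2233.4455    STATIC      Fa0/1
 200    0011.2233.4466    STATIC      Fa0/2
 200    00aa.bbcc.dd01    DYNAMIC     Fa0/10
 300    0000.5e00.0105    DYNAMIC     Gi0/1
"""

# Well-known FHRP virtual MAC prefixes in Cisco dotted-hex notation
# (lower-case). Not specific to the thread.
FHRP_PREFIXES = {
    "0000.0c07.ac": "HSRPv1",
    "0000.0c9f.f": "HSRPv2",
    "0000.5e00.01": "VRRP",
    "0007.b400.": "GLBP",
}

# One table row: vlan, mac, type, port. Header and separator rows do not match.
ENTRY_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return a list of (vlan, mac, type, port) tuples from MAC table text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m["vlan"]), m["mac"].lower(),
                            m["type"].upper(), m["port"]))
    return entries


def fhrp_kind(mac):
    """Name the FHRP a MAC belongs to, or None for an ordinary unicast MAC."""
    for prefix, name in FHRP_PREFIXES.items():
        if mac.lower().startswith(prefix):
            return name
    return None


def find_stale_virtual_macs(entries):
    """Flag virtual MACs that are STATIC or that appear on more than one port.

    A healthy table holds an FHRP virtual MAC as one DYNAMIC entry on the port
    facing the active router, so it can move on failover. A STATIC (secure)
    entry cannot relearn, and a MAC on several ports means both routers have
    been learned; either way traffic is misdirected after a failover.
    Returns a list of findings keyed by VLAN and MAC.
    """
    by_key = defaultdict(list)
    for vlan, mac, typ, port in entries:
        if fhrp_kind(mac):
            by_key[(vlan, mac)].append((typ, port))

    findings = []
    for (vlan, mac), seen in sorted(by_key.items()):
        ports = sorted({p for _, p in seen})
        reasons = []
        if any(t == "STATIC" for t, _ in seen):
            reasons.append("static/secure entry will not age out on failover")
        if len(ports) > 1:
            reasons.append("learned on multiple ports: " + ", ".join(ports))
        if reasons:
            findings.append({"vlan": vlan, "mac": mac,
                             "protocol": fhrp_kind(mac),
                             "ports": ports, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_stale_virtual_macs(parse_mac_table(SAMPLE_MAC_TABLE)):
        print("VLAN %d %s (%s) on %s: %s" % (
            f["vlan"], f["mac"], f["protocol"],
            "/".join(f["ports"]), "; ".join(f["reasons"])))
```

Run it against a real "show mac address-table" capture after a failover test: any virtual MAC still reported as STATIC, or reported on both router-facing ports, is the stale entry that port-security kept from being relearned.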