2 NIC teaming and port security issue

shibindong
Level 1

We have a server with 2 NICs connected to different switches (CAT6), and the server is using HP built-in software to run network teaming. We also configured port security on the switch port and only allow 1 MAC address.

I also checked the server teaming configuration. The 2 NICs' original MAC addresses are AAAAAAAAAAAA and BBBBBBBBBB; after binding to the team, the virtual MAC address is BBBBBBBBBBBBB.

It was working properly at first, until I unplugged one connection, which happened to be the active connection. The server got disconnected from the network, and the switch returned the error message:

%PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address AAAAAAAAAAAA on port GigabitEthernet3/20.

When I checked the MAC address table using the command "show mac-address-table interface gX/XX", where gX/XX is the port connected to the NIC with MAC AAAAAAAAAAAA, I got 2 records; one is static and the other is dynamic:

* 90 AAAAAAAAAAAA static Yes - Gi3/20

* 90 BBBBBBBBBBBB dynamic Yes 45 Gi3/20

I did not configure any "static" MAC on the switch, so how come there is a static MAC address in the record? If I can remove that static record, we can solve the issue. I have checked the Cisco web site and forum topics; some posts also raised the same issue but there is no solution yet.

I am also posting my port configuration for your information:

interface GigabitEthernet3/20

switchport

switchport access vlan 900

switchport mode access

switchport port-security

switchport port-security violation restrict

no ip address

spanning-tree portfast

end

5 Replies

I think your config is not right for this situation.

Default port-security allows only 1 MAC and, as you see, after an error on one NIC the MAC changes.

Or your problem is "restrict", because you need to remove a sufficient number of secure MAC addresses to drop below the maximum value.

So I recommend you add this:

"switchport port-security maximum 2"

For more information see:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/port_sec.html

Sebastian

PS: I prefer to disable CDP on server ports.

Thanks for your reply. I think you are still not clear about my problem:

Of course I can solve the problem by setting the maximum number of MAC addresses to 2, but I don't think it is a good way. I saw there are 2 MAC address entries in the switch: 1 is static and 1 is dynamic. If I can remove the static MAC entry, the problem can be solved.

But I don't know why there is a static entry or how to remove it.

I hope this guide will help; it covers some excellent points and recommendations on how to configure switch ports in virtual environments and with NIC teaming.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/vmware/vmware.html

Ryan Carretta
Cisco Employee

Hello,

Port-security installs its entries into the CAM table as static entries. The AAAAAAAAAAAA entry you see as static is likely the secure address.

Try using the 'show port-security' commands to check out the secure address(es) on the interface.

-Ryan
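Added example (not part of any post in this thread, and not Cisco code): a small Python script that lines up PSECURE_VIOLATION syslog messages with `show mac-address-table` rows in the layout quoted above, so you can see which address a port has secured and whether the offending MAC is that address. The sample input, MAC values and function names are constructed for illustration, and the script assumes a static row on a port-security port is the secure address, which `show port-security` should confirm.

```python
import re

# Constructed sample input in the layout quoted in the thread (not real device output).
SYSLOG = ("%PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, "
          "caused by MAC address 0011.2233.44bb on port GigabitEthernet3/20.\n")
MAC_TABLE = """\
* 900 0011.2233.44aa static Yes - Gi3/20
* 900 0011.2233.44cc dynamic Yes 45 Gi3/21
"""

VIOLATION_RE = re.compile(
    r"PSECURE_VIOLATION: Security violation occurred, caused by MAC address "
    r"(?P<mac>[0-9A-Fa-f.:-]+) on port (?P<port>[A-Za-z]+[\d/]+)")
# Columns as shown in the thread: [*] vlan mac type learn age port
ROW_RE = re.compile(
    r"^\*?\s*\d+\s+(?P<mac>[0-9A-Fa-f.:-]+)\s+(?P<type>static|dynamic)\s+"
    r"\S+\s+\S+\s+(?P<port>\S+)$")

def norm_mac(mac):
    """Lowercase and strip separators so aaaa.bbbb.cccc == AAAABBBBCCCC."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def short_port(name):
    """GigabitEthernet3/20 -> Gi3/20 (simplified two-letter abbreviation)."""
    m = re.match(r"([A-Za-z]+)([\d/]+)", name)
    return m.group(1)[:2].capitalize() + m.group(2)

def parse_mac_table(text):
    """Return {port: {"static": {macs}, "dynamic": {macs}}}."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            entry = table.setdefault(short_port(m["port"]),
                                     {"static": set(), "dynamic": set()})
            entry[m["type"]].add(norm_mac(m["mac"]))
    return table

def explain_violations(syslog, mac_table):
    """For each violation, report the port's static (assumed secure) MACs."""
    table = parse_mac_table(mac_table)
    findings = []
    for m in VIOLATION_RE.finditer(syslog):
        port, mac = short_port(m["port"]), norm_mac(m["mac"])
        secure = table.get(port, {"static": set()})["static"]
        findings.append({"port": port, "offender": mac, "secure": sorted(secure),
                         "offender_is_secure": mac in secure})
    return findings

if __name__ == "__main__":
    for finding in explain_violations(SYSLOG, MAC_TABLE):
        print(finding)
```

A finding with `offender_is_secure` false and a non-empty `secure` list means the port had already secured a different address when the second source MAC appeared.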

Thanks for your reply, that's what I wanted. So does that mean there is no way to implement port security maximum 1 and NIC teaming together?
