VMware + Port-Security. Off? Really? What do you do in your shop?

Unanswered Question
Jan 12th, 2009

"Port-security is not recommended due to the need for the VM MAC addresses to move from one switchport to a different switchport on the same or a different switch and on the same VLAN without the port physically going down."

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/vmware/VMwaredg.pdf

It appears that some consulting firm is putting this in our MCP's ears. Some haven't liked port-security, and this is the ammunition some may want to get it shut down.

Frankly, I am surprised that Cisco even says this without offering an alternative, or a discussion of the alternatives and acceptance of risks.

I thought one of the main reasons for "port-security" was to control the CAM table from overflow and the DoS effects (more likely caused by malicious software than an accidental MCP).

I am surprised there is no mention of alternatives. So if an MCP says a physical machine can handle 15 VMs tops, a network admin can quadruple it in case of VMotion Madness. So, that would be 60. And in the case of exceeding the MAX, configure the port not to shut down, plus, age your port-security table.

What I am speaking of would look something like this.

int gig4/4
 switchport
 switchport mode access
 switchport port-security
 ! restrict: drop frames from MACs over the limit, do not err-disable the port
 switchport port-security violation restrict
 ! aging time in minutes (1 is the lowest value)
 switchport port-security aging time 1
 ! 15 VMs per host, quadrupled for VMotion headroom
 switchport port-security maximum 60

All VM switchports would have the aging set to 1 (lowest value) and the violation to restrict.

At least the CAM table would be protected, which is one of the main reasons for port-security, right? If I am missing something, please let me know.

Can I get a response from Cisco?

What do you do in your shop?
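As an added example (not code from this thread, from Cisco, or from VMware), here is the sizing rule and the restrict-mode stanza from the post turned into a small Python audit: it derives the port-security maximum from VMs-per-host and a headroom factor, renders the stanza, and checks a constructed `show port-security interface` listing against that policy. Assumptions, beyond what the post states: the two-MAC allowance for host-owned interfaces (service console and VMkernel), the 20% headroom threshold, and that the command output follows the usual `Field : value` layout reproduced in the constructed samples.

```python
"""Sizing and auditing port-security on VMware host-facing switchports.

Added example, not code from the original thread: it turns the post's
sizing rule (VMs per host times a headroom factor for VMotion) into the
IOS stanza the post proposes, then audits constructed
'show port-security interface' output against that policy.
"""

# Assumption: MACs the host itself owns beyond guest VMs (service console,
# VMkernel/VMotion interface). Counted explicitly instead of relying on headroom.
HOST_MGMT_MACS = 2


def port_security_maximum(vms_per_host, headroom_factor=4, mgmt_macs=HOST_MGMT_MACS):
    """Guest capacity times headroom, plus the host-owned MACs."""
    if vms_per_host < 1 or headroom_factor < 1 or mgmt_macs < 0:
        raise ValueError("vms_per_host and headroom_factor must be >= 1, mgmt_macs >= 0")
    return vms_per_host * headroom_factor + mgmt_macs


def ios_stanza(interface, maximum, aging_minutes=1):
    """Render the post's stanza: restrict (not shutdown) so an over-limit burst
    drops the extra MACs instead of err-disabling the whole host's uplink."""
    return "\n".join([
        f"interface {interface}",
        " switchport",
        " switchport mode access",
        " switchport port-security",
        " switchport port-security violation restrict",
        f" switchport port-security aging time {aging_minutes}",
        f" switchport port-security maximum {maximum}",
    ])


def parse_port_security(show_output):
    """Parse 'show port-security interface <if>' lines of the form
    'Field Name   : value' into a dict. Lines without ' : ' are ignored."""
    fields = {}
    for line in show_output.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _int_field(fields, name):
    """First integer token of a field such as '1 mins'; 0 if missing or non-numeric."""
    token = (fields.get(name, "0").split() or ["0"])[0]
    return int(token) if token.isdigit() else 0


def audit_vm_port(fields, expected_max, aging_minutes=1, headroom=0.2):
    """Return a list of policy deviations; an empty list means the port matches."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port-security is not enabled")
    mode = fields.get("Violation Mode")
    if mode != "Restrict":
        findings.append(f"violation mode {mode!r}, expected Restrict")
    configured = _int_field(fields, "Maximum MAC Addresses")
    if configured < expected_max:
        findings.append(f"maximum {configured} is below the policy value {expected_max}")
    learned = _int_field(fields, "Total MAC Addresses")
    if configured and learned > configured * (1 - headroom):
        findings.append(f"{learned}/{configured} MACs in use, less than "
                        f"{int(headroom * 100)}% headroom left for VMotion")
    if _int_field(fields, "Security Violation Count") > 0:
        findings.append("security violations have been counted on this port")
    if _int_field(fields, "Aging Time") != aging_minutes:
        findings.append(f"aging time {fields.get('Aging Time')!r}, expected {aging_minutes} min")
    return findings


# Constructed sample output modelled on the 'show port-security interface'
# layout; every value below is made up for this example.
SAMPLE_OK = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 1 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 60
Total MAC Addresses        : 12
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0c00.0001:10
Security Violation Count   : 0
"""

SAMPLE_BAD = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 1 mins
Aging Type                 : Absolute
Maximum MAC Addresses      : 45
Total MAC Addresses        : 40
Security Violation Count   : 3
"""

if __name__ == "__main__":
    limit = port_security_maximum(15, headroom_factor=4, mgmt_macs=0)  # the post's 60
    print(ios_stanza("GigabitEthernet4/4", limit))
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_vm_port(parse_port_security(sample), limit) or ["no findings"])
```

Feed `audit_vm_port` the real `show port-security interface` output for each VM-facing port; an empty findings list means the port matches the policy. The audit insists on restrict rather than shutdown because a shutdown violation err-disables the port and takes every VM on that host offline with it, which is exactly the failure mode the post's configuration is trying to avoid while still capping how many entries one port can push into the CAM table.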

John Blakley Tue, 01/13/2009 - 07:08

Well, the statement itself is true. You generally wouldn't want port-security because of VMotion, but I would agree with your calculations. If you have 3 VMs and each handles a max of 15, then you could configure max mac-addresses on that port to be 45 (plus the service console and physical connection NICs). You could either statically create them, or create them as sticky.

Personally, I haven't done this since we don't have a need for port security on our VM servers, so I can't vouch that this would work, but it should work like any other learned mac address on any other port.

HTH,

John
