"Port-security is not recommended due to the need for the VM MAC addresses to move from one switchport to a different switchport on the same or a different switch and on the same VLAN without the port physically going down."
It appears that some consulting firm is putting this in our MCP's ears. Some haven't liked port-security, and this is the ammunition some may want to get it shut down.
Frankly, I am surprised that Cisco even says this without offering an alternative, or a discussion of the alternatives and acceptance of risks.
I thought one of the main reasons for "port-security" was to control the CAM table from overflow and the DoS effects (more likely caused by malicious software than an accidental MCP).
I am surprised there is no mention of alternatives. So if an MCP says a physical machine can handle 15 VMs tops, a network admin can quadruple it in case of VMotion Madness. So, that would be 60. And in the case of exceeding the MAX, configure the port not to shut down, plus, age your port-security table.
What I am speaking of would look something like this.
switchport mode access
! port-security must be enabled on the interface before the settings below take effect
switchport port-security
switchport port-security violation restrict
switchport port-security aging time 1
switchport port-security maximum 60
All VM switchports would have the aging set to 1 (lowest value) and the violation to restrict.
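A fuller version of that stanza, as an added example that is not from the original post: it includes the enable command the snippet above omits, uses inactivity aging so an entry is dropped only once the MAC has gone quiet, and lists the show commands used to check the secure-address table. The interface name, description and VLAN number are placeholders.

```cisco
! Added example (not from the original post). Interface, description
! and VLAN are placeholders; adjust to the hypervisor uplink in question.
interface GigabitEthernet1/0/1
 description ESX-HOST-01 (placeholder)
 switchport mode access
 switchport access vlan 100
 ! enable port-security; the lines below do nothing without this
 switchport port-security
 ! 15 VMs per host, quadrupled for VMotion headroom = 60
 switchport port-security maximum 60
 ! restrict: drop offending frames, count them, send a trap; the port stays up
 switchport port-security violation restrict
 ! 1 minute is the lowest configurable aging time
 switchport port-security aging time 1
 ! inactivity: a secure MAC is removed only after it stops sending,
 ! i.e. after a VM has moved away (default type is absolute)
 switchport port-security aging type inactivity
 spanning-tree portfast
!
! Verification from exec mode:
!   show port-security interface GigabitEthernet1/0/1
!   show port-security address
!   show port-security interface GigabitEthernet1/0/1 | include Violation
```

Note that a secure MAC learned on one port and then seen on another secure port in the same VLAN is itself a violation on the second port, so after a VMotion the moved VM's frames are dropped there until the old entry ages out; with aging time 1 that window is at most about a minute. The SecurityViolation counter in `show port-security interface` climbing on the destination port right after a VMotion is the sign that this is what happened, not an attack.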
At least the CAM table would be protected, which is one of the main reasons for port-security, right? If I am missing something, please let me know.
Can I get a response from Cisco?
What do you do in your shop?