HP NIC Teaming and Switchport Port Security on 3750G Stack

Unanswered Question
Jun 2nd, 2010

I have 2 3750G switches in a stack. I have an HP server using NIC Teaming. The cable from NIC1 with MAC aaaa.aaaa.aaaa goes to Gi1/0/2. The cable from NIC2 with MAC bbbb.bbbb.bbbb goes to Gi2/0/2. I have the following port security commands on the interfaces.

interface Gi1/0/2 (Gi2/0/2)

switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky aaaa.aaaa.aaaa (bbbb.bbbb.bbbb)
spanning-tree portfast
spanning-tree bpduguard enable
end

The NIC Team is set for Switch Assisted Load Balancing with Fault Tolerance.

Transmit Load Balancing is set to Destination IP address.

The MAC address of the Team can be aaaa.aaaa.aaaa or bbbb.bbbb.bbbb, depending on which one it chooses.

Everything works fine when the cables are both connected. The problem is when we remove one of the cables and the MAC address of the team changes. If the switch sees a new MAC on the port, even though I am allowing 2 sticky MACs, the switch sees that MAC on a different port now and it doesn't take over. If the MAC of the team happens to stay on the correct port, everything works fine, but that doesn't happen all of the time.

My question is: How do I set up HP NIC teaming using port security with sticky MACs on a 3750G stack? Etherchannels do not support port security, so that is not an option. I have already tried that.

HELP!!!

Giuseppe Larosa Wed, 06/02/2010 - 07:40

Hello Stephen,

I would remove the port security configuration if the environment is secure (a server farm with controlled access).

From your show command we see they have changed MAC addresses between them after restore, and this can be a server choice.

If you want to keep using port security you need to check if you can add both MAC addresses to both ports (I doubt it).

I would remove port security; teaming already causes several troubles with all its variants.

Hope to help

Giuseppe

burleyman Wed, 06/02/2010 - 08:06

What if you just statically configured them to the ports? Or could you increase the maximum to 3 from 2?

Mike

stephenscott Wed, 06/02/2010 - 11:03

Burley,

In a port security setup, the MAC address cannot be assigned to 2 different ports, either statically or dynamically. If that happens, port security violations occur. The same is true for increasing the number from 2 to 3. As long as the MAC address is seen on 2 different ports, no matter how many are allowed, port security violations occur. I cannot find a workaround for this. I wonder if a VMAC would allow this to happen?

burleyman Wed, 06/02/2010 - 11:09

Oh...That's right. DUH!!! My brain is doing too much today.....Sorry about that.

Mike

CSCO11150194 Tue, 11/23/2010 - 06:30

Hi,

I have the same problem with teaming and port security (not using HP servers, but it's the same case).

Do you know any solution or workaround? In my case both MAC based port security and teaming are requested by the customer.

Thanks!

MB

stephenscott Wed, 06/02/2010 - 07:28

After removing the cable in NIC1, the connection stayed up. I reconnected the cable no problem. I removed the cable in NIC2 and the connection dropped and I captured the port security data from before and after the change.

Before and After removing cable in NIC1

Gi1/0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0026.xxxx.xxxx:1
Security Violation Count   : 0


Gi2/0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 18a9.xxxx.xxxx:1
Security Violation Count   : 0

027787: Jun  2 10:17:58.130 EDT: %LINEPROTO-5-UPDOWN: Line protocol on  Interface GigabitEthernet1/0/2, changed state to down
027788: Jun  2 10:17:59.137 EDT: %LINK-3-UPDOWN: Interface  GigabitEthernet1/0/2, changed state to down
027789: Jun  2 10:18:22.725 EDT: %LINK-3-UPDOWN: Interface  GigabitEthernet1/0/2, changed state to up
027790: Jun  2 10:18:23.732 EDT: %LINEPROTO-5-UPDOWN: Line protocol on  Interface GigabitEthernet1/0/2, changed state to up

After Removing Cable in NIC2

Gi1/0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 18a9.xxxx.xxxx:1
Security Violation Count   : 0


Gi2/0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0026.xxxx.xxxx:1
Security Violation Count   : 0


027791: Jun  2 10:18:41.382 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 18a9.xxxx.xxxx on port GigabitEthernet1/0/2.
027792: Jun  2 10:18:42.774 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/2, changed state to down
027793: Jun  2 10:18:43.772 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to down
027794: Jun  2 10:18:47.019 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 18a9.xxxx.xxxx on port GigabitEthernet1/0/2.

Notice how the MAC addresses have switched ports causing port security violations.
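
The violations in the capture above coincide with the link going down on the other team member's port. The following is an added example, not code from any poster in this thread: it parses the syslog lines quoted above and, for each port-security violation, reports a different port that lost link within a few seconds, which separates teaming failover from an unexplained MAC appearing on a secure port. The 10-second window and the year 2010 (IOS timestamps carry no year) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Syslog lines copied from the thread (MAC octets are masked on the page).
THREAD_LOG = """\
027788: Jun  2 10:17:59.137 EDT: %LINK-3-UPDOWN: Interface  GigabitEthernet1/0/2, changed state to down
027789: Jun  2 10:18:22.725 EDT: %LINK-3-UPDOWN: Interface  GigabitEthernet1/0/2, changed state to up
027791: Jun  2 10:18:41.382 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 18a9.xxxx.xxxx on port GigabitEthernet1/0/2.
027792: Jun  2 10:18:42.774 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/2, changed state to down
027793: Jun  2 10:18:43.772 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to down
027794: Jun  2 10:18:47.019 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 18a9.xxxx.xxxx on port GigabitEthernet1/0/2.
"""

LINE = re.compile(r"(\w{3}\s+\d+\s+[\d:.]+)\s+\w+: %([\w-]+): (.*)")
VIOLATION = re.compile(r"MAC address (\S+) on port ([\w/]+)")
LINK = re.compile(r"Interface\s+([\w/]+), changed state to (\w+)")


def parse(text, year=2010):
    """Return (violations, link_downs) as lists of timestamped tuples.
    The year is an assumption: it is not present in the log lines."""
    violations, downs = [], []
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
        mnemonic, msg = m.group(2), m.group(3)
        if mnemonic.endswith("PSECURE_VIOLATION") and (v := VIOLATION.search(msg)):
            violations.append((ts, v.group(1), v.group(2)))
        elif mnemonic.endswith("UPDOWN") and (lk := LINK.search(msg)):
            if lk.group(2) == "down":
                downs.append((ts, lk.group(1)))
    return violations, downs


def correlate(text, window_s=10):
    """For each violation, name a *different* port that went down within
    +/- window_s seconds (teaming failover suspect), or None if there is none."""
    violations, downs = parse(text)
    window = timedelta(seconds=window_s)
    out = []
    for ts, mac, port in violations:
        peer = next((p for dts, p in downs
                     if p != port and abs(dts - ts) <= window), None)
        out.append((mac, port, peer))
    return out


if __name__ == "__main__":
    for mac, port, peer in correlate(THREAD_LOG):
        print(f"{mac} violated {port}; link lost on {peer or 'no other port'}")
```

A violation that comes back with no peer port is the case port security exists to flag and deserves a closer look than one that lines up with a cable pull.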
