06-02-2010 06:35 AM - edited 03-06-2019 11:23 AM
I have 2 3750G switches in a stack. I have an HP server using NIC Teaming. The cable from NIC1 with MAC aaaa.aaaa.aaaa goes to Gi1/0/2. The cable from NIC2 with MAC bbbb.bbbb.bbbb goes to Gi2/0/2. I have the following port security commands on the interfaces.
interface Gi1/0/2 (Gi2/0/2)
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky aaaa.aaaa.aaaa (bbbb.bbbb.bbbb)
spanning-tree portfast
spanning-tree bpduguard enable
end
The NIC Team is set for Switch Assisted Load Balancing with Fault Tolerance.
Transmit Load Balancing is set to Destination IP address.
The MAC address of the Team can be aaaa.aaaa.aaaa or bbbb.bbbb.bbbb, depending on which one it chooses.
Everything works fine when the cables are both connected. The problem is when we remove one of the cables and the MAC address of the team changes. If the switch sees a new MAC on the port, even though I am allowing 2 sticky MACs, the switch sees that MAC on a different port now and it doesn't take over. If the MAC of the team happens to stay on the correct port, everything works fine, but that doesn't happen all of the time.
My question is: How do I set up HP NIC teaming using port security with sticky MACs on a 3750G stack? Etherchannels do not support port security, so that is not an option. I have already tried that.
HELP!!!
06-02-2010 07:28 AM
After removing the cable in NIC1, the connection stayed up. I reconnected the cable no problem. I removed the cable in NIC2 and the connection dropped and I captured the port security data from before and after the change.
Before and After removing cable in NIC1
Gi1/0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0026.xxxx.xxxx:1
Security Violation Count : 0
Gi2/0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 18a9.xxxx.xxxx:1
Security Violation Count : 0
027787: Jun 2 10:17:58.130 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to down
027788: Jun 2 10:17:59.137 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to down
027789: Jun 2 10:18:22.725 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up
027790: Jun 2 10:18:23.732 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up
After Removing Cable in NIC2
Gi1/0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 18a9.xxxx.xxxx:1
Security Violation Count : 0
Gi2/0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0026.xxxx.xxxx:1
Security Violation Count : 0
027791: Jun 2 10:18:41.382 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 18a9.xxxx.xxxx on port GigabitEthernet1/0/2.
027792: Jun 2 10:18:42.774 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/2, changed state to down
027793: Jun 2 10:18:43.772 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to down
027794: Jun 2 10:18:47.019 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 18a9.xxxx.xxxx on port GigabitEthernet1/0/2.
Notice how the MAC addresses have switched ports causing port security violations.
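The syslog lines above carry the whole failover signature: a PSECURE_VIOLATION on one stack member's port within a few seconds of a LINK/LINEPROTO down on the other member's port. The following is an added example, not part of the thread and not Cisco code, that parses those lines and flags violations that coincide with a link change on a different port (the NIC-team failover pattern) so they can be told apart from a MAC that simply appeared where it should not. The sample log is copied from the thread with its masked octets left as posted; the 10-second correlation window is an assumed tuning value.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Sample lines copied from the thread above (masked "xxxx" octets kept as posted).
SAMPLE_LOG = """\
027789: Jun 2 10:18:22.725 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up
027790: Jun 2 10:18:23.732 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to up
027791: Jun 2 10:18:41.382 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 18a9.xxxx.xxxx on port GigabitEthernet1/0/2.
027792: Jun 2 10:18:42.774 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/2, changed state to down
027793: Jun 2 10:18:43.772 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to down
027794: Jun 2 10:18:47.019 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 18a9.xxxx.xxxx on port GigabitEthernet1/0/2.
"""

# IOS syslog layout as it appears in the thread: "<seq>: <timestamp> <tz>: %FAC-SEV-MNEMONIC: text"
SYSLOG_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) \w+: "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)
VIOLATION_RE = re.compile(r"caused by MAC address (?P<mac>\S+) on port (?P<port>\S+)\.$")
LINK_RE = re.compile(r"Interface (?P<port>\S+), changed state to (?P<state>up|down)$")


@dataclass
class Event:
    seq: int
    when: datetime       # year is not in the log, so strptime's default year is used for deltas
    facility: str
    severity: int
    mnemonic: str
    msg: str


def parse_syslog(text: str) -> List[Event]:
    """Parse IOS syslog lines; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
        events.append(Event(int(m["seq"]), when, m["facility"], int(m["sev"]), m["mnemonic"], m["msg"]))
    return sorted(events, key=lambda e: e.seq)


def violation_counts(events: List[Event]) -> Counter:
    """Count PSECURE_VIOLATION events per (mac, port)."""
    counts: Counter = Counter()
    for e in events:
        if e.mnemonic == "PSECURE_VIOLATION":
            v = VIOLATION_RE.search(e.msg)
            if v:
                counts[(v["mac"], v["port"])] += 1
    return counts


def classify_violations(events: List[Event], window_s: float = 10.0) -> List[Dict]:
    """For each violation, list the *other* ports whose link state changed within window_s.
    A non-empty list is the failover pattern from the thread: the MAC moved because
    the NIC team's other uplink went down, not because an unknown host appeared."""
    link_changes: List[Tuple[datetime, str, str]] = []
    for e in events:
        if e.mnemonic == "UPDOWN":
            lm = LINK_RE.search(e.msg)
            if lm:
                link_changes.append((e.when, lm["port"], lm["state"]))
    out = []
    for e in events:
        if e.mnemonic != "PSECURE_VIOLATION":
            continue
        v = VIOLATION_RE.search(e.msg)
        if not v:
            continue
        related = sorted({p for (t, p, _s) in link_changes
                          if p != v["port"] and abs((t - e.when).total_seconds()) <= window_s})
        out.append({"seq": e.seq, "mac": v["mac"], "port": v["port"],
                    "likely_failover": bool(related), "related_ports": related})
    return out


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOG)
    print(violation_counts(evs))
    for row in classify_violations(evs):
        print(row)
```

Both violations in the sample fall within a few seconds of GigabitEthernet2/0/2 going down, so they are tagged as failover-related; a violation with an empty related-port list would be the one worth treating as an unexpected host on the port.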
06-02-2010 07:40 AM
Hello Stephen,
I would remove the port security configuration if the environment is secure (a server farm with controlled access).
From your show command we see they have swapped MAC addresses between them after the restore, and this can be a server choice.
If you want to keep using port security you need to check if you can add both MAC addresses to both ports (I doubt it).
I would remove port security; teaming already causes several troubles with all its variants.
Hope to help
Giuseppe
06-02-2010 08:06 AM
What if you just statically configured them to the ports? Or could you increase the maximum to 3 from 2?
Mike
06-02-2010 11:03 AM
Burley,
In a port security setup, the MAC address cannot be assigned to 2 different ports, either statically or dynamically. If that happens, port security violations occur. The same is true for increasing the number from 2 to 3. As long as the MAC address is seen on 2 different ports, no matter how many are allowed, port security violations occur. I cannot find a workaround for this. I wonder if a VMAC would allow this to happen?
06-02-2010 11:09 AM
Oh... That's right. DUH!!! My brain is doing too much today..... Sorry about that.
Mike
06-02-2010 12:53 PM
Mike,
No worries. I feel your pain!
Stephen
11-23-2010 06:30 AM
Hi,
I have the same problem with teaming and port security, (not using HP servers but it's the same case).
Do you know any solution or workaround? In my case both MAC-based port security and teaming are requested by the customer.
Thanks!
MB
05-11-2020 01:43 AM
It has been almost 10 years since this thread started, so I'm afraid to even post this:
But this is also the case with Intel NIC AFT or SFT (Adapter Fault Tolerance / Switch Fault Tolerance).
The short version: Sticky MAC learning bypasses MAC address aging behavior in the entire VLAN and on the Port (even if you explicitly define a Port Security Aging Time of 1).
So even if your NIC teaming technology (Intel, HP, Veritas, BSD, GNU/Linux*) performs a gARP/Gratuitous ARP during an Active/Standby NIC transition, the Catalyst with the original Active NIC port will continue to announce/learn/know the locally configured static MAC and will not learn the MAC from a neighboring switch over a Dot1Q trunk.
The only condition that prevents a static secure MAC from being announced? Physical down status on the Interface.
Solution? Dynamic secure MAC learning for NIC team hosts (in OT, "DAN", Dual Attached Node). Port security Sticky MAC is still valid for S.A.N. (Single attached Node)
Ce n'est pas bien! No beuño! Not good!
Maybe there is a work around on the Nexus platform which is more Datacenter-centric?
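The behaviour this post describes, and Stephen's earlier point that raising the maximum does not help, both come down to one rule: a secure MAC is bound to exactly one port, and a sticky entry survives the port going down, whereas a dynamically learned secure entry is cleared with the link. The following toy model is an added example, written for this thread and not Cisco's implementation; it assumes restrict-mode semantics (offending frame dropped and counted, port stays up) and ignores per-VLAN maximums, stacking details and aging timers. It replays the failover from the first post with sticky learning, with sticky learning and maximum 3, and with dynamic learning.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

MacKey = Tuple[int, str]  # (vlan, mac) - a secure MAC is bound to one port per VLAN


@dataclass
class Port:
    name: str
    maximum: int = 1
    sticky: bool = False
    link_up: bool = True
    violations: int = 0


class PortSecuritySwitch:
    """Toy model (assumption, not IOS code) of the port-security rules discussed in the thread."""

    def __init__(self) -> None:
        self.ports: Dict[str, Port] = {}
        self.secure: Dict[MacKey, str] = {}  # (vlan, mac) -> owning port

    def add_port(self, name: str, maximum: int, sticky: bool) -> None:
        self.ports[name] = Port(name, maximum, sticky)

    def link_down(self, name: str) -> None:
        port = self.ports[name]
        port.link_up = False
        if not port.sticky:
            # Dynamic secure entries are removed with the link; sticky ones are kept
            # as configuration and remain bound to this port.
            self.secure = {k: v for k, v in self.secure.items() if v != name}

    def link_up(self, name: str) -> None:
        self.ports[name].link_up = True

    def receive(self, port_name: str, vlan: int, mac: str) -> str:
        """Process one frame's source MAC; returns 'forwarded' or 'violation'."""
        port = self.ports[port_name]
        if not port.link_up:
            raise RuntimeError(f"{port_name} is down")
        owner = self.secure.get((vlan, mac))
        if owner == port_name:
            return "forwarded"
        if owner is not None:
            # Same MAC already secured on another port: violation regardless of 'maximum'.
            port.violations += 1
            return "violation"
        learned_here = sum(1 for p in self.secure.values() if p == port_name)
        if learned_here >= port.maximum:
            port.violations += 1
            return "violation"
        self.secure[(vlan, mac)] = port_name  # learn (sticky or dynamic)
        return "forwarded"


def failover_scenario(sticky: bool, maximum: int = 2) -> dict:
    """NIC1 (MAC A) on Gi1/0/2, NIC2 (MAC B) on Gi2/0/2; pull NIC2's cable and the
    team sources MAC B out of NIC1, exactly as in the first post's capture."""
    sw = PortSecuritySwitch()
    sw.add_port("Gi1/0/2", maximum=maximum, sticky=sticky)
    sw.add_port("Gi2/0/2", maximum=maximum, sticky=sticky)
    mac_a, mac_b = "aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb"  # placeholder MACs from the thread
    sw.receive("Gi1/0/2", 1, mac_a)
    sw.receive("Gi2/0/2", 1, mac_b)
    sw.link_down("Gi2/0/2")
    result = sw.receive("Gi1/0/2", 1, mac_b)
    return {"result": result,
            "violations": sw.ports["Gi1/0/2"].violations,
            "table": dict(sw.secure)}


if __name__ == "__main__":
    print("sticky, max 2 :", failover_scenario(sticky=True))
    print("sticky, max 3 :", failover_scenario(sticky=True, maximum=3))
    print("dynamic, max 2:", failover_scenario(sticky=False))
```

With sticky learning the entry for MAC B stays pinned to Gi2/0/2 after the link drops, so the first frame from B on Gi1/0/2 is a violation whatever the maximum is; with dynamic learning the link-down clears B, Gi1/0/2 learns it as its second address, and traffic is forwarded.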
05-11-2020 02:46 AM
Hello
@stephenscott wrote:
The problem is when we remove one of the cables and the mac address of the team changes. I
You could try a FlexLink on those two ports.
interface Gi1/0/2
 switchport backup interface Gi2/0/2