HP NIC Teaming and Switchport Port Security on 3750G Stack

stephenscott
Level 1
Level 1

I have 2 3750G switches in a stack. I have an HP server using NIC Teaming. The cable from NIC1 with MAC aaaa.aaaa.aaaa goes to Gi1/0/2. The cable from NIC2 with MAC bbbb.bbbb.bbbb goes to Gi2/0/2. I have the following port security commands on the interfaces.

interface Gi1/0/2 (Gi2/0/2)

switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky aaaa.aaaa.aaaa (bbbb.bbbb.bbbb)
spanning-tree portfast
spanning-tree bpduguard enable
end

The NIC Team is set for Switch Assisted Load Balancing with Fault Tolerance.

Transmit Load Balancing is set to Destination IP address.

The MAC address of the Team can be aaaa.aaaa.aaaa or bbbb.bbbb.bbbb, depending on which one it chooses.

Everything works fine when the cables are both connected. The problem is when we remove one of the cables and the MAC address of the team changes. If the switch sees a new MAC on the port, even though I am allowing 2 sticky MACs, the switch sees that MAC on a different port now and it doesn't take over. If the MAC of the team happens to stay on the correct port, everything works fine, but that doesn't happen all of the time.

My question is: How do I set up HP NIC teaming using port security with sticky MACs on a 3750G stack? Etherchannels do not support port security, so that is not an option. I have already tried that.

HELP!!!

9 Replies

stephenscott
Level 1
Level 1

After removing the cable in NIC1, the connection stayed up. I reconnected the cable no problem. I removed the cable in NIC2 and the connection dropped and I captured the port security data from before and after the change.

Before and After removing cable in NIC1

Gi1/0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0026.xxxx.xxxx:1
Security Violation Count   : 0


Gi2/0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 18a9.xxxx.xxxx:1
Security Violation Count   : 0

027787: Jun  2 10:17:58.130 EDT: %LINEPROTO-5-UPDOWN: Line protocol on  Interface GigabitEthernet1/0/2, changed state to down
027788: Jun  2 10:17:59.137 EDT: %LINK-3-UPDOWN: Interface  GigabitEthernet1/0/2, changed state to down
027789: Jun  2 10:18:22.725 EDT: %LINK-3-UPDOWN: Interface  GigabitEthernet1/0/2, changed state to up
027790: Jun  2 10:18:23.732 EDT: %LINEPROTO-5-UPDOWN: Line protocol on  Interface GigabitEthernet1/0/2, changed state to up

After Removing Cable in NIC2

Gi1/0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 18a9.xxxx.xxxx:1
Security Violation Count   : 0


Gi2/0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0026.xxxx.xxxx:1
Security Violation Count   : 0


027791: Jun  2 10:18:41.382 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 18a9.xxxx.xxxx on port GigabitEthernet1/0/2.
027792: Jun  2 10:18:42.774 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/2, changed state to down
027793: Jun  2 10:18:43.772 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to down
027794: Jun  2 10:18:47.019 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 18a9.xxxx.xxxx on port GigabitEthernet1/0/2.

Notice how the MAC addresses have switched ports causing port security violations.
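As an added illustration (not part of the thread or the poster's own tooling), the following Python script parses the two "show port-security interface" snapshots and the syslog lines above and reports which secure MAC moved between the stack ports and which violations were raised by a MAC that another port had already learned. The sample data is constructed from the posted output, with the masked octets kept as posted.

```python
import re

# Constructed sample data, trimmed from the show output and syslog posted in this thread.
SHOW_BEFORE = """\
Gi1/0/2
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0026.xxxx.xxxx:1
Security Violation Count   : 0

Gi2/0/2
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 18a9.xxxx.xxxx:1
Security Violation Count   : 0
"""
# Second snapshot: the two MACs have swapped ports, as in the "After Removing Cable in NIC2" output.
SHOW_AFTER = SHOW_BEFORE.replace("0026.xxxx.xxxx", "TMP").replace(
    "18a9.xxxx.xxxx", "0026.xxxx.xxxx").replace("TMP", "18a9.xxxx.xxxx")
SYSLOG = """\
027791: Jun  2 10:18:41.382 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 18a9.xxxx.xxxx on port GigabitEthernet1/0/2.
027794: Jun  2 10:18:47.019 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 18a9.xxxx.xxxx on port GigabitEthernet1/0/2.
"""

PORT_RE = re.compile(r"^(Gi\d+/\d+/\d+)[ \t]*$", re.M)
LAST_RE = re.compile(r"Last Source Address:Vlan\s*:\s*([0-9a-fx]{4}\.[0-9a-fx]{4}\.[0-9a-fx]{4}):\d+")
VIOL_RE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address (\S+) on port (\S+)\.")

def parse_show(text):
    """Map each interface in 'show port-security interface' output to its last learned MAC."""
    blocks = PORT_RE.split(text)            # ['', 'Gi1/0/2', body, 'Gi2/0/2', body, ...]
    learned = {}
    for name, body in zip(blocks[1::2], blocks[2::2]):
        m = LAST_RE.search(body)
        if m:
            learned[name] = m.group(1)
    return learned

def find_mac_moves(before, after):
    """(mac, old_port, new_port) for each MAC that sits on a different port in the second snapshot."""
    port_before = {mac: port for port, mac in before.items()}
    moves = [(mac, port_before[mac], port) for port, mac in after.items()
             if mac in port_before and port_before[mac] != port]
    return sorted(moves)

def violations_on_foreign_port(syslog, learned):
    """Violations whose offending MAC is the secure MAC of another port in the stack."""
    owner_of = {mac: port for port, mac in learned.items()}
    hits = []
    for mac, port in VIOL_RE.findall(syslog):
        port = re.sub(r"^GigabitEthernet", "Gi", port)   # syslog uses the long interface name
        if mac in owner_of and owner_of[mac] != port:
            hits.append((mac, owner_of[mac], port))
    return hits
```

Feeding a fresh snapshot and the last few syslog lines into these functions after a failover test tells you immediately whether the team moved its MAC to the other stack member, which is exactly the case sticky learning cannot follow.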

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Stephen,

I would remove port security configuration if the environment is secure (a server farm with controlled access)

From your show command we see they have changed MAC addresses between them after restore and this can be a server choice.

If you want to keep using port security you need to check if you can add both MAC addresses to both ports (I doubt)

I would remove port security, teaming causes already several troubles with all its variants.

Hope to help

Giuseppe

What if you just statically configured them to the ports? Or could you increase the maximum to 3 from 2?

Mike

Burley,

In a port security setup, the MAC address can not be assigned to 2 different ports, either statically or dynamically. If that happens, port security violations occur. The same is true for increasing the number from 2 to 3. As long as the MAC address is seen on 2 different ports, no matter how many are allowed, port security violations occur. I can not find a work around for this. I wonder if a VMAC would allow this to happen?

Oh... That's right. DUH!!! My brain is doing too much today..... Sorry about that.

Mike

Mike,

No worries. I feel your pain!

Stephen

Hi,

I have the same problem with teaming and port security, (not using HP servers but it's the same case).

Do you know any solution or workaround? In my case both MAC based port security and teaming are requested by the customer.

Thanks!

MB

It has been almost 10 years since this thread started, so I'm afraid to even post this:

 

But the case is also true with Intel NIC AFT or SFT (Adapter Fault Tolerance / Switch Fault Tolerance)

 

The short version: Sticky MAC learning bypasses MAC address aging behavior in the entire VLAN and on the Port (even if you explicitly define a Port Security Aging Time of 1).   

 

So even if your NIC teaming technology (Intel, HP, Veritas, BSD, GNU/Linux*) performs a gARP/Gratuitous ARP during an Active/Standby NIC Transition, the Catalyst with the original Active NIC port will continue to announce/learn/know the locally configured static MAC locally and will not learn the MAC from a neighboring switch over a Dot1Q Trunk.

 

The only condition that prevents a static secure MAC from being announced? Physical down status on the Interface.

 

Solution? Dynamic secure MAC learning for NIC team hosts (in OT, "DAN", Dual Attached Node).  Port security Sticky MAC is still valid for S.A.N. (Single attached Node)

 

Ce n'est pas bien! No bueno! Not good!

 

Maybe there is a work around on the Nexus platform which is more Datacenter-centric?   

Hello


@stephenscott wrote:

The problem is when we remove one of the cables and the mac address of the team changes. I


You could try a flexlink on those two ports.

int gi1/0/2
switchport backup interface gi2/0/2


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul