Port security and mac move violations

Unanswered Question
Aug 7th, 2012

How can I set up, or should I be setting up, our core network to allow for failover between redundant NICs on individual servers when using port security? When simulating a failover scenario, we discover some of our ports in the err-disabled state. I know it's a MAC move violation and port security is working as intended, but is there a way our servers should be configured to remedy this violation, or do we just do away with using port security on the failover ports? Also, a best practice would be appreciated too.

stevenkrose Mon, 08/13/2012 - 13:17

Do you only have one switch as your core? If you do, then I suggest configuring EtherChanneling.

If you have physical security for your servers and core, then I wouldn't use port security on access ports to the servers.

Hope this helps

mattaldridge Tue, 08/21/2012 - 05:30

Hi Ernest

If your server is indeed connecting to two different physical switches which are not on any kind of stack, then I suggest you set sticky mode with a maximum of 2 or more MACs as required on both ports. As part of your provisioning/testing you can test the failover, which will allow the switches to learn the related MACs. Then save the config to flash and you are sorted. You could also specify the MACs manually in the config if they are known.

Alternatively, look at 802.1X, perhaps on a MAC level or AD membership level, to get around this issue.

On a single switch or stack/VSS scenario I agree with Steve that a port channel would be best, probably LACP if the server supports it, but that will constrain your port security options, so it does not really solve your problem.

Hope this helps,
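As an added illustration of the sticky-MAC approach described in the answer above (this is example configuration written for this page, not configuration from the original poster or either responder), here is a Cisco IOS fragment for the server-facing port, to be applied on each of the two switches the server's NICs plug into. The interface name, VLAN 10, the description text and the 300-second recovery timer are assumptions; adjust them to your platform and verify the exact syntax against its documentation.

```cisco
! Added example (assumed names/values). Apply on BOTH switches, on the port
! the respective server NIC connects to. GigabitEthernet1/0/10 and VLAN 10
! are assumptions, not values from the original discussion.
interface GigabitEthernet1/0/10
 description Server-01 NIC (teamed, active/standby)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Per the answer above: allow 2 addresses (e.g. the team's shared MAC
 ! plus the physical NIC's own MAC); raise if the server presents more
 switchport port-security maximum 2
 ! Learn addresses dynamically and keep them as sticky entries in the config
 switchport port-security mac-address sticky
 ! Keep the default shutdown action so a genuine unexpected move is still
 ! visible as an err-disabled port and a log message
 switchport port-security violation shutdown
 spanning-tree portfast
!
! Optional: let err-disabled ports recover automatically so a failover test
! does not need an operator to clear them; 300 s is an assumed interval
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! After failing over once in each direction, check what was learned,
! look for any err-disabled ports, and save the sticky entries to flash:
! show port-security interface GigabitEthernet1/0/10
! show port-security address
! show interfaces status err-disabled
! copy running-config startup-config
```

Run the failover test in both directions before saving, so that each switch's port learns the address(es) that actually appear on it; sticky entries only survive a reload once they are written to startup-config. Note that this only avoids the violation when the two NICs terminate on different switches (or different stack members that do not share a MAC table): on a single switch, the same secure MAC appearing on two secured ports is still treated as a move, which is why the answer points to a port channel for that case.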


