Cisco Support Community
VMware + Port-Security. Off? Really? What do you do in your shop?

"Port-security is not recommended due to the need for the VM MAC addresses to move from one switchport to a different switchport on the same or a different switch and on the same VLAN without the port physically going down."

It appears that some consulting firm is putting this in our MCP's ears. Some haven't liked port-security, and this is the ammunition some may want to get it shut down.

Frankly, I am surprised that Cisco even says this without offering an alternative, or a discussion of the alternatives and acceptance of risks.

I thought one of the main reasons for "port-security" was to control the CAM table from overflow and the DoS effects (more likely caused by malicious software than an accidental MCP).

I am surprised there is no mention of alternatives. So if an MCP says a physical machine can handle 15 VMs tops, a network admin can quadruple it in case of VMotion Madness. So, that would be 60. And in the case of exceeding the MAX, configure the port not to shut down, plus, age your port-security table.

What I am speaking of would look something like this.

 interface GigabitEthernet4/4
  switchport mode access
  switchport port-security
  ! restrict: drop frames from MACs over the limit and log/trap, but keep the port up
  switchport port-security violation restrict
  ! aging time is in minutes; 1 is the lowest value (aging type defaults to absolute)
  switchport port-security aging time 1
  ! 15 VMs per host, quadrupled for VMotion headroom
  switchport port-security maximum 60

All VM switchports would have the aging set to 1 (lowest value) and the violation to restrict.

At least the CAM table would be protected, which is one of the main reasons for port-security, right? If I am missing something, please let me know.

Can I get a response from Cisco?

What do you do in your shop?


Re: VMware + Port-Security. Off? Really? What do you do in your shop?

Well, the statement itself is true. You generally wouldn't want port-security because of vmotion, but I would agree with your calculations. If you have 3 VMs and each handle max of 15, then you could configure max mac-addresses on that port to be 45 (plus the service console and physical connection nics). You could either statically create them, or create them as sticky.

Personally, I haven't done this since we don't have a need for port security on our VM servers, so I can't vouch that this would work, but it should work like any other learned mac address on any other port.



HTH, John *** Please rate all useful posts ***
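Putting the two posts together, here is an added example config (not from either poster) that keeps the original post's dynamic-with-aging approach on the VM-traffic uplink and uses John's sticky idea on the service console uplink, where the MACs never move. It assumes a Catalyst running IOS, an ESX host with two NICs on Gi4/4 and Gi4/5, VLANs 100 and 10, and 15 guests per host; the interface names, VLANs and descriptions are placeholders.

```cisco
! Added example, not the original posters' config. Assumes Catalyst IOS,
! ESX host "ESX01" with vmnic1 on Gi4/4 (VM port group, VLAN 100) and
! vmnic0 on Gi4/5 (service console / VMkernel, VLAN 10). 15 guests per
! host, headroom x4 as in the first post.
!
! VM-traffic uplink: many MACs, all learned dynamically so they can leave
! with VMotion and appear on another host's uplink.
interface GigabitEthernet4/4
 description ESX01 vmnic1 - VM port group
 switchport
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 60
 switchport port-security violation restrict
 ! Age out learned entries so a MAC that has moved to another uplink is not
 ! still held as "secure" here. Default aging type is absolute (entry removed
 ! after the timer no matter what); inactivity removes it only once the MAC
 ! has gone quiet, which is the case right after a VM migrates away.
 switchport port-security aging type inactivity
 switchport port-security aging time 1
 spanning-tree portfast
!
! Service console / VMkernel uplink: one or two MACs that never move, so
! learn them once and keep them (sticky). No aging on this port.
interface GigabitEthernet4/5
 description ESX01 vmnic0 - service console / VMkernel
 switchport
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
!
! restrict drops silently unless you ask to be told about it.
snmp-server enable traps port-security
```

Two things to check before calling this done. First, `show port-security interface gigabitEthernet 4/4` and `show port-security address` will show the current count against the maximum and the aging settings, so you can confirm the 60 is actually headroom and not already being hit. Second, the caveat that is really behind the Cisco statement: a MAC that is a secure entry on one port and then shows up on another secure port in the same VLAN is itself a violation on the second port, independent of the maximum. With `restrict`, that means a freshly migrated VM's frames are dropped on the new uplink until the stale entry on the old uplink ages out, so the 1-minute aging above bounds the outage at about a minute per VMotion; with `shutdown` the new port would err-disable instead. If your ESX uplinks are 802.1Q trunks rather than access ports, port-security on trunks and per-VLAN maximums depend on the platform, so verify that on your switch model before rolling this out.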