VMware + Port-Security. Off? Really? What do you do in your shop?
"Port-security is not recommended due to the need for the VM MAC addresses to move from one switchport to a different switchport on the same or a different switch and on the same VLAN without the port physically going down."
It appears that some consulting firm is putting this in our MCP's ears. Some haven't liked port-security, and this is the ammunition some may want to get it shut down.
Frankly, I am surprised that Cisco even says this without offering an alternative, or a discussion of the alternatives and acceptance of risks.
I thought one of the main reasons for "port-security" was to control the CAM table from overflow and the DOS effects (more likely caused by malicious software than accidental MCP).
I am surprised there is no mention of alternatives. So if an MCP says a phy machine can handle 15 VMs tops, a network admin can quadruple it in case of VMotion Madness. So, that would be 60. And in the case of exceeding the MAX, configure the port not to shut down, plus, age your port-security table.
What I am speaking of would look something like this.
switchport mode access
switchport port-security violation restrict
switchport port-security aging time 1
switchport port-security maximum 60
All VM switchports would have the aging set to 1 (lowest value) and the violation to restrict.
At least the CAM table would be protected, which is one of the main reasons for port-security, right? If I am missing something, please let me know.
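With "violation restrict" the port never goes down, so the only visible sign that a migrated VM is being dropped is the SecurityViolation counter or a port sitting at its maximum. As an added example that is not part of this thread, the script below parses constructed output in the shape of IOS "show port-security" and flags the conditions a VM host port configured as above should be watched for; the sample rows, the headroom threshold and the finding labels are my own assumptions.

```python
import re

# Constructed sample in the shape of IOS "show port-security" output
# (not captured from a real switch; interface names and counts are made up).
SAMPLE_SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/0/1             60           48                  0          Restrict
      Gi1/0/2             60           60                 12          Restrict
      Gi1/0/3             15           15                  3          Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 123
Max Addresses limit in System (excluding one mac per port) : 4096
"""

# interface, max, current, violations, action (header/rule/summary lines do not match)
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_port_security(text):
    """Return one dict per interface row of the summary table."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "interface": m.group(1),
                "max": int(m.group(2)),
                "current": int(m.group(3)),
                "violations": int(m.group(4)),
                "action": m.group(5).lower(),
            })
    return rows


def check_vm_ports(rows, headroom=0.9):
    """Flag VM host ports that need attention.

    violations > 0: restrict mode is silently dropping frames from new MACs
    near-max: the port has little room left for a VMotion burst
    action-not-restrict: shutdown would err-disable the port and all its VMs
    """
    findings = []
    for r in rows:
        if r["violations"] > 0:
            findings.append((r["interface"], "violations", r["violations"]))
        if r["current"] >= headroom * r["max"]:
            findings.append((r["interface"], "near-max", r["current"]))
        if r["action"] != "restrict":
            findings.append((r["interface"], "action-not-restrict", r["action"]))
    return findings
```

Feeding real "show port-security" output to parse_port_security() on a schedule gives an early warning before a host port fills up, which the shutdown-free configuration above otherwise hides.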
Re: VMware + Port-Security. Off? Really? What do you do in your shop?
Well, the statement itself is true. You generally wouldn't want port-security because of vmotion, but I would agree with your calculations. If you have 3 VMs and each handles a max of 15, then you could configure max mac-addresses on that port to be 45 (plus the service console and physical connection nics). You could either statically create them, or create them as sticky.
Personally, I haven't done this since we don't have a need for port security on our VM servers, so I can't vouch that this would work, but it should work like any other learned mac address on any other port.