New Member

Port security and mac move violations

How can I set up or should I be setting up our core network to allow for failover between redundant NICs on individual servers when using port security? When simulating a failover scenario, we will discover some of our ports in the err-disabled state. I know it's a MAC move violation and port security is working as intended, but is there a way our servers should be configured to remedy this violation or do we just do away with using port security on the failover ports? Also, a best practice would be appreciated too.

2 REPLIES
New Member

Hi,

Do you only have one switch as your core?  If you do then I suggest configuring etherchanneling. 

If you have physical security to your servers and core then I wouldn't use port security on access ports to the servers.

Hope this helps

New Member

Hi Ernest

If your server is indeed connecting to two different physical switches which are not on any kind of stack then I suggest you set sticky mode with a maximum of 2 or more MACs as required on both ports.  As part of your provisioning/testing you can test the failover which will allow the switches to learn the related MACs.  Then save the config to flash and you are sorted.  You could also specify the MACs manually in the config if they are known.

Alternatively look at 802.1X perhaps on a MAC level or AD membership level to get around this issue.

On a single switch or stack/VSS scenario I agree with Steve that a port channel would be best, probably LACP if the server supports it, but that will constrain your port security options so does not really solve your problem.

Hope this helps,

Matt
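
The sticky setup suggested in the reply above (server NICs on two separate, non-stacked switches), written out as an added configuration example that is not part of the original thread. The interface names and the recovery interval are assumptions, and the errdisable recovery lines are an optional addition for the err-disabled ports described in the question.

```cisco
! --- Switch A: port facing the server's primary NIC (interface name is a placeholder)
interface GigabitEthernet1/0/10
 switchport mode access
 switchport port-security
 ! allow both server MACs so a failover does not exceed the limit
 switchport port-security maximum 2
 ! learn the MACs dynamically and write them into the running config
 switchport port-security mac-address sticky
 ! default action; this is what places the port in err-disabled
 switchport port-security violation shutdown
!
! --- Switch B: port facing the server's standby NIC (interface name is a placeholder)
interface GigabitEthernet1/0/10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! --- Optional, on both switches: bring a port back automatically after a violation
! (interval in seconds is an assumed value)
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- After forcing a failover during testing, on each switch (exec mode):
! confirm the learned addresses and violation count
!   show port-security interface GigabitEthernet1/0/10
!   show port-security address
! then persist the sticky entries so they survive a reload
!   copy running-config startup-config
```

If the MACs are known in advance, `switchport port-security mac-address <mac>` entries can replace sticky learning, as the reply notes.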
