How can I set up, or should I be setting up, our core network to allow for failover between redundant NICs on individual servers when using port security? When simulating a failover scenario, we discover some of our ports in the err-disabled state. I know it's a MAC move violation and port security is working as intended, but is there a way our servers should be configured to remedy this violation, or do we just do away with using port security on the failover ports? Also, a best practice would be appreciated too.
If your server is indeed connecting to two different physical switches which are not on any kind of stack then I suggest you set sticky mode with a maximum of 2 or more MACs as required on both ports. As part of your provisioning/testing you can test the failover which will allow the switches to learn the related MACs. Then save the config to flash and you are sorted. You could also specify the MACs manually in the config if they are known.
Alternatively look at 802.1X perhaps on a MAC level or AD membership level to get around this issue.
On a single switch or stack/VSS scenario I agree with Steve that a port channel would be best, probably LACP if the server supports it, but that will constrain your port security options so does not really solve your problem.
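The sticky-with-maximum-2 approach from the answer above, written out as a Cisco IOS port configuration with the tripping default beside the corrected form. This is an added example, not configuration from the thread; the interface names, VLAN and MAC addresses are constructed placeholders.

```cisco
! Added example (not from the thread): port security for a dual-homed server
! whose two NICs land on two separate, non-stacked switches, as the answer describes.
! Interface names, VLAN and MAC addresses are constructed placeholders.

! --- Before: the setting that trips on NIC failover --------------------------
! Default port security secures one MAC per port and shuts the port on violation,
! so a second address presented by the team, or a secured address moving to
! another port of the same switch, err-disables the port.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! implicit defaults: maximum 1, violation shutdown

! --- After: same port on SWITCH-A, sticky learning with room for both MACs ---
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 ! Alternative when the server MACs are known: pin them instead of learning.
 ! switchport port-security mac-address 0011.2233.4455
 ! switchport port-security mac-address 0011.2233.4466

! Apply the identical configuration to the partner port on SWITCH-B. Each switch
! keeps its own secure-address table, so the same MAC appearing on SWITCH-B is
! not a cross-port violation there. On one switch or a stack/VSS this does not
! hold, which is why the answer points to a port channel for that case.

! Provisioning/test step: trigger the failover, let both ports learn, then
! persist the sticky addresses so they survive a reload.
copy running-config startup-config

! Verify what was secured and that no port is sitting in secure-shutdown.
show port-security interface GigabitEthernet1/0/10
show port-security address
show interfaces status err-disabled
```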