How can I set up (or should I be setting up) our core network to allow for failover between redundant NICs on individual servers when using port security? When simulating a failover scenario, we discover some of our ports in the err-disabled state. I know it's a MAC move violation and port security is working as intended, but is there a way our servers should be configured to remedy this violation, or do we just do away with using port security on the failover ports? Also, a best practice would be appreciated too.
If your server is indeed connecting to two different physical switches which are not on any kind of stack, then I suggest you set sticky mode with a maximum of 2 or more MACs, as required, on both ports. As part of your provisioning/testing you can test the failover, which will allow the switches to learn the related MACs. Then save the config to flash and you are sorted. You could also specify the MACs manually in the config if they are known.
Alternatively, look at 802.1X, perhaps at a MAC level or AD membership level, to get around this issue.
In a single switch or stack/VSS scenario, I agree with Steve that a port channel would be best, probably LACP if the server supports it, but that will constrain your port-security options, so it does not really solve your problem.
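As an added illustration of the answer above (not configuration from the original thread), here is the port-security setting that typically trips on failover next to the sticky/maximum-2 form it recommends, in Cisco IOS syntax; the interface name, VLAN and MAC addresses are placeholders.

```cisco
! --- Before: port security with the defaults commonly found on an access port.
! With "maximum 1" and the default "violation shutdown", a MAC the port has not
! learned, or one already secured on another port of the same switch, puts the
! port into err-disabled on the first failover test.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown

! --- After: sticky learning with room for both NIC MACs. Apply the same block
! on the server-facing port of BOTH physical switches.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 ! If the NIC MACs are already known, pin them instead of relying on learning
 ! (placeholder addresses shown):
 ! switchport port-security mac-address sticky 0000.1111.aaaa
 ! switchport port-security mac-address sticky 0000.1111.bbbb

! Optional: let a port that still trips a violation recover on its own instead
! of staying err-disabled until someone does "shutdown" / "no shutdown".
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! Procedure, per the answer: force a failover on the server so each port learns
! the second MAC, verify, then save. Sticky addresses exist only in the running
! config until written to startup-config, so a reload would otherwise lose them.
! show port-security interface GigabitEthernet1/0/1
! show port-security address
! show interfaces status err-disabled
! copy running-config startup-config
```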