NIC teaming and port security

 
 
njwhitworth@gmail.com
 
      11-27-2007
Hi,

We have been given a brief by our client to provide hosted servers
with fault tolerant network connections. We will achieve this by using
adapter teaming and connecting each of the server's dual NICs to a
different switch.

We also HAVE to provide MAC based port security. The question I have
is that if the virtual MAC address has been granted access on one
switch and then the virtual MAC address fails over to the other NIC
and switch, will this cause problems with port security and loss of
connectivity because the MAC has already been learned on the
other/failed switch? If so, what solutions can get around the issue of NIC
teaming and port security?

Any ideas/comments are much appreciated.

Regards,
Nick
 
fugettaboutit
 
      11-27-2007
The easiest thing I can think of would be to configure an Etherchannel
between the two switches and enable GLBP. You get the best of both
worlds - dynamic gateway assignments/load-balancing, and L2 support for
the NIC teaming, and you don't have to fool with HSRP group configs. The
gotcha is that you can't do port security on an Etherchannel. You should
then be able to simply assign the VMAC to each of the NIC switchports.

A downside to this approach is that this creates a possible L2 core
scenario, with an L3 core being best-practice.


(E-Mail Removed) wrote:
> Hi,
>
> We have been given a brief by our client to provide hosted servers
> with fault tolerant network connections. We will achieve this by using
> adapter teaming and connecting each of the server's dual NICs to a
> different switch.
>
> We also HAVE to provide MAC based port security. The question I have
> is that if the virtual MAC address has been granted access on one
> switch and then the virtual MAC address fails over to the other NIC
> and switch, will this cause problems with port security and loss of
> connectivity because the MAC has already been learned on the
> other/failed switch? If so, what solutions can get around the issue of NIC
> teaming and port security?
>
> Any ideas/comments are much appreciated.
>
> Regards,
> Nick

 
Trendkill
 
      11-27-2007
On Nov 27, 1:25 pm, (E-Mail Removed) wrote:
> Hi,
>
> We have been given a brief by our client to provide hosted servers
> with fault tolerant network connections. We will achieve this by using
> adapter teaming and connecting each of the server's dual NICs to a
> different switch.
>
> We also HAVE to provide MAC based port security. The question I have
> is that if the virtual MAC address has been granted access on one
> switch and then the virtual MAC address fails over to the other NIC
> and switch, will this cause problems with port security and loss of
> connectivity because the MAC has already been learned on the
> other/failed switch? If so, what solutions can get around the issue of NIC
> teaming and port security?
>
> Any ideas/comments are much appreciated.
>
> Regards,
> Nick


The NICs should have their own macs, as the solution you are
describing is not true 'teaming' or etherchannel. IBM and other
vendors refer to this as teaming, but true teaming requires two
connections to the same switch and the virtual MAC/IP. What you
describe above is 'net-if' in the AIX world, and is simply for
failover and fault tolerance. While I cannot speak for sure that all
of these configs still don't have virtual MACs, I would plug one in and
look at the mac table, and will bet you see multiple macs or no
virtual at all since this is not etherchannel. I'm pretty sure even
in the case of etherchannel, the NICs still must have their own unique
MAC, just not sure if it shows up in the mac table or not.

Lastly, I don't think port security has anything to do with layer 2
switching. It simply matches and allows certain macs on certain
ports, so presuming you set the virtual or physical macs on both
ports, it will failover without issue. I don't see how this would
impact or be impacted by a layer 2 failover.

Let me know if I'm off base.
 
Thrill5
 
      11-28-2007
No. Port security only means that each port on the switch (other than
uplinks, but on those port security is disabled for obvious reasons) is
only allowed to talk to a single MAC address. Each port is allowed to
"learn" the first MAC address it sees. The fact that the MAC is first
learned on an uplink port doesn't matter since port security is not enabled
on that port. The MAC will just failover to the new port on the switch.

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> We have been given a brief by our client to provide hosted servers
> with fault tolerant network connections. We will achieve this by using
> adapter teaming and connecting each of the server's dual NICs to a
> different switch.
>
> We also HAVE to provide MAC based port security. The question I have
> is that if the virtual MAC address has been granted access on one
> switch and then the virtual MAC address fails over to the other NIC
> and switch, will this cause problems with port security and loss of
> connectivity because the MAC has already been learned on the
> other/failed switch? If so, what solutions can get around the issue of NIC
> teaming and port security?
>
> Any ideas/comments are much appreciated.
>
> Regards,
> Nick
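
As an added illustration (not posted by anyone in this thread), the arrangement Trendkill and Thrill5 describe, with the team MAC permitted on the server-facing port of each switch and port security left off the inter-switch link, could look like this on Cisco IOS access switches. The interface names and the MAC address are constructed placeholders; the MAC stands in for the team's virtual MAC.

```cisco
! Constructed example: 0000.5e00.5301 is a placeholder for the team
! (virtual) MAC; Gi0/1 and Gi0/24 are placeholder interface names.
!
! --- Switch A: port facing the server's first NIC ---
interface GigabitEthernet0/1
 description server1 NIC1 (team member)
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.5e00.5301
 ! restrict drops frames from any other source MAC and counts the
 ! violation; the default mode (shutdown) err-disables the port.
 switchport port-security violation restrict
!
! --- Switch B: port facing the server's second NIC ---
interface GigabitEthernet0/1
 description server1 NIC2 (team member)
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.5e00.5301
 switchport port-security violation restrict
!
! --- Both switches: inter-switch link ---
! Port security is not enabled here, so after a failover the team MAC
! can be learned on this link by the switch whose server port went down.
interface GigabitEthernet0/24
 description uplink to peer switch
 no switchport port-security
!
! --- Verification, before and after pulling one NIC's cable ---
! show port-security interface GigabitEthernet0/1
! show port-security address
! show mac address-table address 0000.5e00.5301
```

If the MAC table shows each NIC's own burned-in address as well as the team MAC, which is the check Trendkill suggests, the allowed-address list on each port has to account for it.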



 