NIC teaming and port security

Discussion in 'Cisco' started by njwhitworth@gmail.com, Nov 27, 2007.

  1. Guest

    Hi,

    We have been given a brief by our client to provide hosted servers
    with fault tolerant network connections. We will achieve this by using
    adapter teaming and connecting each of the server's dual NICs to a
    different switch.

    We also HAVE to provide MAC based port security. The question I have
    is that if the virtual MAC address has been granted access on one
    switch and then the virtual MAC address fails over to the other NIC
    and switch, will this cause problems with port security and loss of
    connectivity because the MAC has already been learned on the other/
    failed switch? If so, what solutions can get around the issue of NIC
    teaming and port security?

    Any ideas/comments are much appreciated.

    Regards,
    Nick
    , Nov 27, 2007
    #1

  2. The easiest thing I can think of would be to configure an Etherchannel
    between the two switches and enable GLBP. You get the best of both
    worlds - dynamic gateway assignments/load-balancing, and L2 support for
    the NIC teaming, and you don't have to fool with HSRP group configs. The
    gotcha is that you can't do port security on an Etherchannel. You should
    then be able to simply assign the VMAC to each of the NIC switchports.

    A downside to this approach is that this creates a possible L2 core
    scenario, with an L3 core being best-practice.


    fugettaboutit, Nov 27, 2007
    #2

  3. Trendkill Guest

    The NICs should have their own macs, as the solution you are
    describing is not true 'teaming' or etherchannel. IBM and other
    vendors refer to this as teaming, but true teaming requires two
    connections to the same switch and the virtual MAC/IP. What you
    describe above is 'net-if' in the AIX world, and is simply for
    failover and fault tolerance. While I cannot speak for sure that all
    of these configs still don't have virtual MACs, I would plug one in and
    look at the mac table, and will bet you see multiple macs or no
    virtual at all since this is not etherchannel. I'm pretty sure even
    in the case of etherchannel, the NICs still must have their own unique
    MAC, just not sure if it shows up in the mac table or not.

    Lastly, I don't think port security has anything to do with layer 2
    switching. It simply matches and allows certain macs on certain
    ports, so presuming you set the virtual or physical macs on both
    ports, it will failover without issue. I don't see how this would
    impact or be impacted by a layer 2 failover.

    Let me know if I'm off base.
    Trendkill, Nov 27, 2007
    #3
  4. Thrill5 Guest

    No. Port security only means that each port on the switch (other than
    uplinks, but on those port security is disabled for obvious reasons) is
    only allowed to talk to a single MAC address. Each port is allowed to
    "learn" the first MAC address it sees. The fact that the MAC is first
    learned on an uplink port doesn't matter since port security is not enabled
    on that port. The MAC will just failover to the new port on the switch.

    Thrill5, Nov 28, 2007
    #4
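
Added example, not part of any post in this thread: a Cisco IOS sketch of the setup replies #3 and #4 describe, with the same allowed MACs configured statically on the server-facing port of each switch and no port security on the inter-switch link. Interface names, descriptions and MAC addresses are constructed placeholders, and allowing two addresses per port (team MAC plus the NIC's own MAC) is an assumption about how the teaming driver presents itself.

```cisco
! ---- Switch A: port facing server NIC 1 (interface name is hypothetical) ----
interface GigabitEthernet0/1
 description server1 team member NIC1
 switchport mode access
 switchport port-security
 ! Assumption: the team MAC and the NIC's own MAC may both appear on this port
 switchport port-security maximum 2
 ! Constructed team (virtual) MAC, identical on both switches
 switchport port-security mac-address 0200.5e00.0001
 ! Constructed physical MAC of NIC1
 switchport port-security mac-address 0200.5e00.00a1
 ! restrict drops and logs offending frames but leaves the port up;
 ! the default action (shutdown) err-disables the port
 switchport port-security violation restrict
!
! ---- Switch B: port facing server NIC 2 (interface name is hypothetical) ----
interface GigabitEthernet0/1
 description server1 team member NIC2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 ! Same constructed team MAC as on switch A
 switchport port-security mac-address 0200.5e00.0001
 ! Constructed physical MAC of NIC2
 switchport port-security mac-address 0200.5e00.00a2
 switchport port-security violation restrict
!
! ---- Both switches: inter-switch link, no port security configured ----
interface GigabitEthernet0/24
 description uplink to peer switch
 switchport mode trunk
!
! Checks to run on each switch before and after a test failover:
!   show port-security interface GigabitEthernet0/1
!   show port-security address
!   show mac address-table address 0200.5e00.0001
```

Pulling the active NIC's cable during a maintenance window and comparing the violation counter in `show port-security interface` on both switches shows whether the failover tripped port security.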