NIC teaming and port security

Hi,

We have been given a brief by our client to provide hosted servers with fault tolerant network connections. We will achieve this by using adapter teaming and connecting each of the server's dual NICs to a different switch.

We also HAVE to provide MAC based port security. The question I have is that if the virtual MAC address has been granted access on one switch and then the virtual MAC address fails over to the other NIC and switch, will this cause problems with port security and loss of connectivity because the MAC has already been learned on the other/failed switch? If so, what solutions can get around the issue of NIC teaming and port security?

Any ideas/comments are much appreciated.

Regards, Nick

Reply to
njwhitworth

The easiest thing I can think of would be to configure an Etherchannel between the two switches and enable GLBP. You get the best of both worlds - dynamic gateway assignments/load-balancing, and L2 support for the NIC teaming, and you don't have to fool with HSRP group configs. The gotcha is that you can't do port security on an Etherchannel. You should then be able to simply assign the VMAC to each of the NIC switchports.

A downside to this approach is that this creates a possible L2 core scenario, with an L3 core being best-practice.

Reply to
fugettaboutit

The NICs should have their own MACs, as the solution you are describing is not true 'teaming' or etherchannel. IBM and other vendors refer to this as teaming, but true teaming requires two connections to the same switch and the virtual MAC/IP. What you describe above is 'net-if' in the AIX world, and is simply for failover and fault tolerance. While I cannot speak for sure that all of these configs still don't have virtual MACs, I would plug one in and look at the MAC table, and will bet you see multiple MACs or no virtual at all since this is not etherchannel. I'm pretty sure even in the case of etherchannel, the NICs still must have their own unique MAC, just not sure if it shows up in the MAC table or not.

Lastly, I don't think port security has anything to do with layer 2 switching. It simply matches and allows certain macs on certain ports, so presuming you set the virtual or physical macs on both ports, it will failover without issue. I don't see how this would impact or be impacted by a layer 2 failover.

Let me know if I'm off base.

Reply to
Trendkill

No. Port security only means that each port on the switch (other than uplinks, but on those port security is disabled for obvious reasons) is only allowed to talk to a single MAC address. Each port is allowed to "learn" the first MAC address it sees. The fact that the MAC is first learned on an uplink port doesn't matter since port security is not enabled on that port. The MAC will just failover to the new port on the switch.

Reply to
Thrill5
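To put the two suggestions above (statically allow the team's VMAC on both NIC switchports; leave port security off the inter-switch link) into concrete form, here is an added Cisco IOS example that is not from the thread or from any of the posters. It assumes IOS switches, VLAN 10, and a constructed placeholder VMAC of 0200.0000.0001 (locally administered, not a real address).

```cisco
! ---- Switch A: access port facing NIC 1 of the teamed server ----
interface GigabitEthernet0/1
 description server-01 NIC1 (team member)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 1
 ! Statically allow the team's virtual MAC (placeholder value) so the port
 ! never has to "learn" it; the same line goes on Switch B's NIC2 port.
 switchport port-security mac-address 0200.0000.0001
 ! restrict = drop offending frames and log/SNMP-trap, without err-disabling
 ! the port (shutdown is the default and would take the NIC down on a violation)
 switchport port-security violation restrict
!
! ---- Switch A: inter-switch link toward Switch B ----
! No port-security here: the VMAC is learned on this port while NIC2 is active
! and moves to Gi0/1 on failover, which is ordinary L2 relearning, not a violation.
interface GigabitEthernet0/24
 description uplink to switch B
 switchport mode trunk
 switchport trunk allowed vlan 10
!
! ---- Switch B: identical access-port config facing NIC 2 ----
interface GigabitEthernet0/1
 description server-01 NIC2 (team member)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0200.0000.0001
 switchport port-security violation restrict
!
! ---- Verification after forcing a failover ----
! show port-security interface GigabitEthernet0/1   (SecureUp, 0 violations)
! show mac address-table address 0200.0000.0001     (VMAC now on Gi0/1, not Gi0/24)
```

If the team also sources frames from the NICs' burned-in addresses (as the second reply suggests some implementations do), `maximum 1` will count those as violations; raise the maximum and add the physical MAC of that NIC as a second static entry on its port.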
