---

@Colby LeMaire wrote:

NIC teaming is something that is usually used with servers only and not for access devices.  Servers are usually located in a physically secure datacenter environment so 802.1x is not used on datacenter switches.  Depending on what software/hypervisor is used on this host, there may be configuration options within that host to ensure that virtual machines are dedicated to one physical link with another as a backup in case of failure.  But there are a lot of things that could be happening here.  Usually, the only time we see VMware or similar in a workstation situation is with developers and they have multiple VM's running on their workstation.  But they have only one physical link.  With bridged mode, you would have to use either multi-auth or multi-host mode on the switchport.  With NAT mode, you can authenticate the host OS and then the VM's are NAT'd to the same IP of the host.

Can you expand on what the host is running and what it is used for?

---

Hi Colby,  not configuring dot1x on switch ports facing the host is my last resort but I am hoping I don't have to do that.  We have over a 100 branch offices and a lot of them do not have the same type of security you would expect in a data center.  Most branch offices have a single host running Microsoft Hyper-V and several guests. 

This would make sense however on the server side NIC teaming configuration is "switch independent".  This means server never really negotiates an etherchannel (LACP or otherwise) with the switch.  All 4 server NICs that are part of the team connect on individual access ports on the switch.  Server internally decides which ports to use as primary etc.  Only thing I can think of is that the switch might see MAC addresses bouncing between ports.  However I have MAC MOVE permitted.

Are the guest OS's authenticating with 802.1x?  Or MAB?  Without the pre-auth ACL and auth open, then the switch will never block anything even if authentication is failing.  Once you apply a pre-auth ACL to limit connectivity, then traffic is blocked until a successful authentication and the dACL gets applied.  So, are the guests authenticating properly?  What do you see when you do a "show auth session int gx/y detail"?

On the server side, is there a way with your NIC Teaming configuration to control which physical interface is used for each guest OS?  I know with VMware, you can have it use one as a primary and not switch to another physical link unless the first one goes down.  That would minimize the amount of movement of the MAC addresses.  Because you have to realize that even if the OS's are authenticating correctly, every time the MAC moves to another port, the switch is blocking traffic for that IP until authentication is successful and the port ACL is updated with the dACL.  So there would be timeouts with pings if the MACs are moving around a lot.

You could try "authentication host-mode multi-host" where the host OS is authenticated first and then everything else is allowed after it.  Not sure how that would work since I am sure the host OS is using one physical NIC at a time.  But you can try it.