01-31-2005 05:09 AM - edited 03-02-2019 09:23 PM
Hi there,
We're implementing port-security on our 3750 access switches. Some of our users need to have vmware running. Vmware, for an ungodly reason, seems to create a virtual mac address that, of course, triggers the port security.
My question is twofold:
1) Can I allow, on all ports, all 000c.29* mac addresses so that vmware's are allowed through?
2) Does anyone know how to prevent vmware from spoofing a mac address?
Thanks.
01-31-2005 05:47 AM
I would look if there is a way in VMWARE to manually specify the mac address for each hosted system.
Let me know whether or not you find this link helpful:
01-31-2005 08:49 AM
This certainly helps, and works, however it implies that users go manually into configuration files and modify them. It also implies that we have to keep a table of some sort of what mac address we assign to which user and thus, which port.
We will also have problems with changing PC's or laptops. It seems that when you add 1 static mac address on a port, all other mac addresses on this port become static.
#show run int fa 3/0/44
Building configuration...
Current configuration : 404 bytes
!
interface FastEthernet3/0/44
 switchport access vlan 210
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security aging time 2
 switchport port-security violation protect
 switchport port-security aging type inactivity
 switchport port-security mac-address 000c.2911.aa11
 no mdix auto
 spanning-tree portfast
 spanning-tree bpduguard enable
end
#show mac- int fa 3/0/44
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 210    0006.5b95.d931    STATIC      Fa3/0/44
 210    000c.2911.aa11    STATIC      Fa3/0/44
The first one is my PC's MAC, which would otherwise be dynamically discovered, but when I added the second one in the config (switchport port-security mac-address 000c.2911.aa11), it seems to have switched the port's MAC learning mode from dynamic to sticky. Could this be or am I doing something wrong?
This could be a step in the right direction but there's something missing still, I think.
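An added example, not part of the original post: a small audit of MAC address table output that builds the per-port inventory mentioned above, separating VMware MACs from physical ones and flagging ports that would exceed the port-security maximum. The extra VMware OUIs beyond 000c.29, the function names and most sample rows are assumptions made for this example.

```python
import re
from collections import defaultdict

# 000c.29 is the prefix named in the thread; the other VMware OUIs are
# included as an assumption so statically assigned VM MACs are also caught.
VMWARE_OUIS = {"000c29", "005056", "000569", "001c14"}

# One table row: vlan, dotted MAC, entry type, port.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_mac_table(text):
    """Return {port: [(vlan, mac, type), ...]}, skipping headers and rules."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            ports[port].append((int(vlan), mac.lower(), kind.upper()))
    return dict(ports)

def is_vmware(mac):
    """True when the first three bytes of a dotted MAC are a VMware OUI."""
    return mac.replace(".", "")[:6] in VMWARE_OUIS

def audit(ports, maximum=2):
    """Per port: VMware MACs, other MACs, and whether the count exceeds maximum."""
    report = {}
    for port, entries in ports.items():
        macs = [mac for _, mac, _ in entries]
        report[port] = {
            "vmware": sorted(m for m in macs if is_vmware(m)),
            "other": sorted(m for m in macs if not is_vmware(m)),
            "over_limit": len(macs) > maximum,
        }
    return report

# Constructed sample: the Fa3/0/44 rows come from the thread, the rest are made up.
SAMPLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 210    0006.5b95.d931    STATIC      Fa3/0/44
 210    000c.2911.aa11    STATIC      Fa3/0/44
 210    0011.2233.4455    DYNAMIC     Fa3/0/45
 210    000c.29ab.cdef    DYNAMIC     Fa3/0/45
 210    000c.2912.3456    DYNAMIC     Fa3/0/45
"""

if __name__ == "__main__":
    for port, info in sorted(audit(parse_mac_table(SAMPLE)).items()):
        print(port, info)
```

Run against a capture taken before port-security is enabled, the over_limit flag shows which ports would need a higher maximum once the feature is turned on.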
01-31-2005 07:25 AM
Depending on the actual needs of your users who have VMWare, there is a network mode for it that will do NAT instead of bridged mode. All traffic from these systems will be seen as coming from the host workstation. This may not be ideal, depending on exactly what is performed by the virtual machines, but it's a possibility.
01-31-2005 08:58 AM
Unfortunately, no. The VM's the users usually work on are dev servers that multiple users collaborate on. Also, I don't like the default 192.168.x.x stuff getting on our 10.x.x.x network.
I just don't get why VMWare FORCES users to do this. I understand that DHCP servers wouldn't dish out multiple IP's to the same MAC, but I'd still like to have a choice. Anyways, that rant doesn't belong here.
Thanks.