How do i apply multiple mac address on multiple ports for port security

a.moch
Level 1

I want to allow the same set of MAC addresses on different ports and tried the following:

switchport port-security

switchport port-security maximum 2

switchport port-security mac-address sticky

switchport port-security mac-address 1111.1111.1111

switchport port-security mac-address 2222.2222.2222

When I enter these commands on one port it accepts them, but the moment I enter the same commands on another port on the same switch it says duplicate MAC address.

Is there any way to allow what I want to do?

9 Replies

Hi ANDREAS,

Why is that required?

Hi,

It is a requirement because of the failover of server NICs. Each physical NIC uses a unique MAC address, but if the primary NIC fails, the secondary NIC takes over the MAC address of the primary.

Port security disables that port in that case because of the duplicate MAC address.

Hi,

Try to use the same configuration above, but without:

switchport port-security mac-address 1111.1111.1111

switchport port-security mac-address 2222.2222.2222

as these two MAC addresses will be dynamically learnt and saved to the running config once the server is connected to the two switch ports.

Please provide us with feedback.

Cheers,

Same result. The switch complains about a duplicate MAC when the failover occurs.

As long as both NICs are working normally there is no problem, but when the primary NIC fails the secondary switch port is disabled because of the duplicate MAC.

Not sure whether this will work in your situation, but it is an option you could possibly try.

Have you tried using port-security mac-address aging when port-security is using dynamic instead of sticky?

You can configure MAC-address aging to commence during periods of inactivity, but the question is how quickly the switch learns the MAC address when the standby assumes the primary MAC.

In theory you can age out the MAC address on the switchport after anything between 1 and 1440 minutes.

So after 1 minute of inactivity the MAC address will have aged out. Therefore the primary MAC address could be learned on the other switchport interface? I guess the MAC address will have already been learned before the 1 minute expiry though?

'switchport port-security aging type inactivity'

'switchport port-security aging time 1'

HTH

Allan.

Thanks for the idea, but it will not work. The failover to the secondary NIC happens in seconds or perhaps milliseconds. One minute of downtime is not what we want.

Enable portfast on the port that you're connected to. That will at least help with the cutover time.

--John

HTH, John *** Please rate all useful posts ***

Portfast is enabled, but this will not help because the port-security aging time is still at minimum 1 minute.

dgaunt
Level 1

The following site has information on switchport port security. What you're seeing is called a MAC move violation. When port security is set up on a port, and the same address is set up on a different port in the same VLAN, it puts the port into violation mode (which by default shuts it down). You might be able to set each port onto a different VLAN to fix your particular problem. Considering that you're talking about a "trunk" line, you might consider taking port security off these ports as another option.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swtrafc.html#wp1042499
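As an added check, not part of the thread or of any Cisco tool: a small Python script that parses an IOS-style running-config and reports every MAC address that is statically or sticky-secured on more than one port in the same access VLAN. That is exactly the condition the switch rejected above as a duplicate MAC address, and the script also shows why dgaunt's suggestion of separate VLANs clears it (the same MAC on a port in another VLAN is not flagged). The sample configuration, interface names and MAC addresses are constructed for illustration.

```python
"""Find port-security MAC addresses secured on more than one port in the same VLAN.

Added example, not from the thread. It parses an IOS-style running-config
and flags the state that port security refuses to configure as a duplicate.
"""
import re
from collections import defaultdict

# Constructed sample running-config for illustration; not from a real switch.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address 1111.1111.1111
 switchport port-security mac-address 2222.2222.2222
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address 1111.1111.1111
 switchport port-security mac-address 2222.2222.2222
!
interface GigabitEthernet1/0/3
 switchport access vlan 20
 switchport port-security
 switchport port-security mac-address 1111.1111.1111
!
interface GigabitEthernet1/0/4
 switchport port-security
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 switchport port-security mac-address sticky 3333.3333.3333
!
"""

IFACE_RE = re.compile(r"^interface (\S+)")
VLAN_RE = re.compile(r"^\s+switchport access vlan (\d+)")
# Matches static entries and the sticky entries IOS writes into the running
# config ("mac-address sticky H.H.H"). A bare "mac-address sticky" line only
# enables sticky learning, carries no address, and is skipped.
MAC_RE = re.compile(
    r"^\s+switchport port-security mac-address (?:sticky )?"
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
)


def parse_secured_macs(config):
    """Return {(vlan, mac): [ports]} for every secured MAC address.

    Ports with no explicit 'switchport access vlan' are placed in VLAN 1,
    the IOS default access VLAN.
    """
    secured = defaultdict(list)
    iface, vlan, macs = None, "1", []

    def flush():
        for mac in macs:
            secured[(vlan, mac.lower())].append(iface)

    for line in config.splitlines():
        if line.startswith("!"):            # end of the current stanza
            if iface is not None:
                flush()
            iface, macs = None, []
            continue
        m = IFACE_RE.match(line)
        if m:
            if iface is not None:
                flush()
            iface, vlan, macs = m.group(1), "1", []
            continue
        if iface is None:
            continue                        # global config, not an interface
        m = VLAN_RE.match(line)
        if m:
            vlan = m.group(1)
            continue
        m = MAC_RE.match(line)
        if m:
            macs.append(m.group(1))
    if iface is not None:
        flush()
    return {key: sorted(ports) for key, ports in secured.items()}


def find_mac_move_conflicts(config):
    """Return only the (vlan, mac) entries secured on two or more ports.

    This is the configuration IOS rejects as a duplicate MAC address and,
    when the address moves between ports at run time, treats as a violation.
    """
    return {key: ports for key, ports in parse_secured_macs(config).items()
            if len(ports) > 1}


if __name__ == "__main__":
    for (vlan, mac), ports in sorted(find_mac_move_conflicts(SAMPLE_CONFIG).items()):
        print(f"VLAN {vlan}: {mac} secured on {', '.join(ports)}")
```

Run against a saved `show running-config`, the script reports the two addresses secured on both Gi1/0/1 and Gi1/0/2 in VLAN 10, and nothing for the same address on Gi1/0/3 in VLAN 20. It only inspects configured entries; addresses that are learned dynamically at run time and then move, the failover case in this thread, are not visible in the config and need the aging or VLAN changes discussed above.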
