10-23-2008 11:37 PM - edited 03-06-2019 02:07 AM
I want to allow the same set of MAC addresses on different ports and tried the following
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security mac-address 1111.1111.1111
switchport port-security mac-address 2222.2222.2222
When I enter these commands on one port it accepts them, but the moment I enter the same commands on another port on the same switch it says duplicate MAC address.
Is there any way to allow what I want to do?
10-24-2008 01:01 AM
Hi ANDREAS,
Why is that required?
10-24-2008 04:48 AM
Hi,
it is a requirement because of the failover of server NICs. Each physical NIC uses a unique MAC address, but if the primary NIC fails the secondary NIC takes over the MAC address of the primary.
Port security disables that port in that case because of the duplicate MAC address.
10-24-2008 05:59 AM
Hi,
Try to use the same configuration above, but without:
switchport port-security mac-address 1111.1111.1111
switchport port-security mac-address 2222.2222.2222
as these two mac addresses will be dynamically learnt and saved to the running config once the server gets connected to the 2 switch ports.
Please provide us with feedback.
Cheers,
10-25-2008 01:24 AM
Same result. The switch complains about a duplicate MAC when the failover occurs.
As long as both NICs are working normally there is no problem, but when the primary NIC fails the secondary switch port is disabled because of the duplicate MAC.
10-25-2008 04:23 AM
Not sure whether this will work in your situation, but it is an option you could possibly try.
Have you tried using port-security mac-address aging when port-security is using dynamic instead of sticky?
You can configure mac-address aging to commence during periods of inactivity, but the question is how quickly the switch learns the mac-address when the standby assumes the primary MAC.
In theory you can age out the mac-address on the switchport from anywhere between 1 and 1440 minutes.
So after 1 minute of inactivity the mac-address will have aged out. Therefore the primary mac-address could be learned on the other switchport interface? I guess the mac-address will have already been learned before the 1 minute expiry though?
'switchport port-security aging type inactivity'
'switchport port-security aging time 1'
HTH
Allan.
10-27-2008 01:55 AM
Thanks for the idea, but it will not work. The failover to the secondary NIC takes seconds or perhaps milliseconds. One minute of downtime is not what we want.
10-27-2008 07:29 AM
Enable portfast on the port that you're connected to. That will at least help with the cutover time.
--John
10-27-2008 08:30 AM
Portfast is enabled but this will not help, because the port security aging time is still a minimum of 1 minute.
12-16-2008 08:35 AM
The following site has information on Switchport Port-Security. What you're seeing is called a MAC move violation. When port security is set up on a port, and the same address is set up on a different port in the same VLAN, it puts the port into violation mode (which by default shuts it down). You might be able to put each port into a different VLAN to fix your particular problem. Considering that you're talking about a "trunk" line, you might consider taking port security off these ports as another option.
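The MAC move violation described in this post comes from the same secure MAC being pinned to two ports in the same VLAN. The switch rejects that at the CLI, but a configuration produced by a template or automation tool can still contain the clash. The Python script below is an added example, not something posted in the thread and not a Cisco tool: it reads the interface blocks of an IOS-style running-config, collects the `switchport port-security mac-address` entries (static and sticky-learned), keys them by access VLAN, and reports any MAC secured on more than one port in the same VLAN. The sample config, interface names and MAC addresses are constructed for the example; ports without an explicit `switchport access vlan` are assumed to be in VLAN 1.

```python
"""Lint an IOS running-config for port-security MACs that are pinned to more
than one port in the same VLAN, the condition behind the MAC move violation
discussed in the thread. Added example; not Cisco code."""
import re
from collections import defaultdict

# Constructed sample config: interface names, VLANs and MACs are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address 1111.1111.1111
 switchport port-security mac-address 2222.2222.2222
!
interface GigabitEthernet0/2
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 1111.1111.1111
 switchport port-security mac-address 2222.2222.2222
!
interface GigabitEthernet0/3
 switchport access vlan 20
 switchport port-security
 switchport port-security mac-address 3333.3333.3333
!
interface GigabitEthernet0/4
 switchport access vlan 30
 switchport port-security
 switchport port-security mac-address 3333.3333.3333
!
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)")
ACCESS_VLAN_RE = re.compile(r"^\s*switchport access vlan\s+(\d+)")
# Matches both statically configured and sticky-learned secure MACs;
# the bare 'mac-address sticky' line (no MAC) deliberately does not match.
SECURE_MAC_RE = re.compile(
    r"^\s*switchport port-security mac-address\s+(?:sticky\s+)?"
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\b"
)


def parse_secure_macs(config):
    """Return {interface: (access_vlan, [macs])}.

    Ports with no 'switchport access vlan' line are treated as VLAN 1
    (assumed default for this example).
    """
    result = {}
    current = None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = [1, []]
            continue
        if current is None:
            continue
        m = ACCESS_VLAN_RE.match(line)
        if m:
            result[current][0] = int(m.group(1))
            continue
        m = SECURE_MAC_RE.match(line)
        if m:
            result[current][1].append(m.group(1).lower())
    return {intf: (vlan, macs) for intf, (vlan, macs) in result.items()}


def find_duplicate_macs(secure_macs):
    """Map (vlan, mac) -> sorted interfaces for every MAC secured on more
    than one port in the same VLAN. The same MAC in two different VLANs is
    not reported, matching the per-VLAN scope described in the thread."""
    ports = defaultdict(set)
    for intf, (vlan, macs) in secure_macs.items():
        for mac in macs:
            ports[(vlan, mac)].add(intf)
    return {key: sorted(intfs) for key, intfs in ports.items() if len(intfs) > 1}


def lint(config):
    """Return human-readable findings; an empty list means no clash."""
    dups = find_duplicate_macs(parse_secure_macs(config))
    return [f"VLAN {vlan}: {mac} is secured on {' and '.join(intfs)}"
            for (vlan, mac), intfs in sorted(dups.items())]


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no duplicate secure MACs found"]:
        print(finding)
```

Run it against a saved `show running-config` before pushing a change; the two VLAN 10 ports in the sample are flagged, while the MAC that appears in VLAN 20 and VLAN 30 is not, which mirrors the per-VLAN scope of the violation.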