Re: Port-Security with the same mac-address on multiple ports

From: paul cosgrove (paul.cosgrove@gmail.com)
Date: Tue Jan 20 2009 - 12:25:23 ARST


Hi Pavel,

Regarding your first point there, the switching standard you describe sounds
unusual, and I'm unclear how it helps when there are duplicate MACs
connected to two layer 2 switch ports. Perhaps you have a reference with a
more detailed description of its operation?

Normally if a switch dynamically learns a MAC address on multiple ports then
the most recently learned port is used in the MAC address table entry. This
behaviour allows frames to be sent around network failures without
unnecessary flooding. Sometimes with server NIC teaming the same source
MAC is used on different physical NICs of a server, so you need an
etherchannel to logically group the switch ports to create just a single MAC
table entry.

My understanding is that when virtual MAC addresses are used for clusters in
the same VLAN, those addresses are not used to source traffic from multiple
servers simultaneously. To do so would cause switch CAM table entries to
flap, resulting in each server having patchy connectivity. If the two ports
are on a single switch, at any particular time one server would receive all
traffic to the virtual MAC whilst the other server would receive nothing.

When the virtual MAC is not used as a source address by any server (just as
a valid local address for receiving frames), switches will never associate
it with any ports and continue to flood frames destined to that address so
that all the servers receive it. The servers themselves send using unique
MAC addresses, but by sending ARP responses which specify the shared MAC
address (within the ARP) they can cause other devices to send frames which
the switches flood to all the clusters.

Paul.

On Tue, Jan 20, 2009 at 10:03 AM, Pavel Bykov <slidersv@gmail.com> wrote:

> :) No.
> Switching rule #2:
> Every mac address in the network has to be unique.
>
>
> When duplicate mac addresses are introduced into a switching network, Cisco
> switches usually assign a made-up address to both of the ports, effectively
> flooding traffic destined to that mac address, because of the unknown unicast
> behavior rule.
> Microsoft engineers thought it would be smart to use that rule to set up
> their clusters - they assign all members the same mac address - this way they
> have a guarantee that traffic will be delivered to them since it's going to be
> unknown unicast, because all switches that conform to standards will try to
> correct that "error" by not using that duplicate mac... kind of reminds me
> of 640K being enough for everybody...
>
> Anyways, you could probably create a filter that would allow only the mentioned
> mac address, but the MAC address table will not accept a duplicate mac (all that
> in the same VLAN of course), which brings me to a possible solution:
> Can you assign those two ports to different VLANs and have the VLANs behave the
> same? I.e. lead to an SVI somewhere. This would be a possible solution:
>
> Rack1SW2(config)#int ra fa 0/8 - 9
> Rack1SW2(config-if-range)#switchport access vlan 4
> Rack1SW2(config-if-range)#switchport port-security
> Command rejected: FastEthernet0/8 is a dynamic port.
> % Range command terminated because it failed on FastEthernet0/8
>
> Rack1SW2(config-if-range)#switchport mode acc
> Rack1SW2(config-if-range)#switchport port-security
> Rack1SW2(config-if-range)#switchport port-security mac-address
> 000c.257e.f7aa
> Found duplicate mac-address 000c.257e.f7aa.
>
> % Interface range command failed for FastEthernet0/9
> Rack1SW2(config-if-range)#
> Rack1SW2#sh run int fa
> 1d01h: %SYS-5-CONFIG_I: Configured from console by console
> Rack1SW2#sh run int fa 0/9
> Building configuration...
>
> Current configuration : 109 bytes
> !
> interface FastEthernet0/9
> switchport access vlan 4
> switchport mode access
> switchport port-security
> end
>
> Rack1SW2#sh run int fa 0/8
> Building configuration...
>
> Current configuration : 162 bytes
> !
> interface FastEthernet0/8
> switchport access vlan 4
> switchport mode access
> switchport port-security
> switchport port-security mac-address 000c.257e.f7aa
> end
>
> Rack1SW2#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> Rack1SW2(config)#int fa 0/9
> Rack1SW2(config-if)#switch acc vlan 5
> Rack1SW2(config-if)#
> Rack1SW2(config-if)#switchport port-security mac-address 000c.257e.f7aa
> Rack1SW2(config-if)#
> Rack1SW2#
> Rack1SW2#
> Rack1SW2#sh run int
> 1d01h: %SYS-5-CONFIG_I: Configured from console by console
> Rack1SW2#sh run int fa 0/8
> Building configuration...
>
> Current configuration : 162 bytes
> !
> interface FastEthernet0/8
> switchport access vlan 4
> switchport mode access
> switchport port-security
> switchport port-security mac-address 000c.257e.f7aa
> end
>
> Rack1SW2#sh run int fa 0/9
> Building configuration...
>
> Current configuration : 162 bytes
> !
> interface FastEthernet0/9
> switchport access vlan 5
> switchport mode access
> switchport port-security
> switchport port-security mac-address 000c.257e.f7aa
> end
>
>
>
> See?
>
>
> On Tue, Jan 20, 2009 at 10:12 AM, Mark Stephanus Chandra <
> mark.chandra@gmail.com> wrote:
>
> > Guys,
> >
> > I want to configure my mac-address to be allowed on multiple ports on a
> > switch with port-security.
> >
> > But when I insert the configuration, I get a duplicated mac-address error.
> >
> > switchport port-security mac-address 000c.257e.f7aa
> >
> > Found duplicate mac-address 000c.257e.f7aa.
> >
> > Anyway, I am just curious, can this be done? Configuring the port-security
> > mac-address command with the same mac-address on multiple ports?
> >
> > Thanks in advance
> >
> > Regards
> >
> > Mark Stephanus Chandra
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> Pavel Bykov
> ----------------
> Don't forget to help stopping the braindumps, use of which reduces value of
> your certifications. Sign the petition at http://www.stopbraindumps.com/
>
>
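The behaviour Paul describes (most recently learned port wins, CAM entries flapping when two servers source frames from one MAC, flooding when the shared MAC is only ever a destination, and an etherchannel collapsing teamed NICs into one logical port) can be reproduced with a small learning-switch model. The following is an added example written for this archive page; it is not code from Paul, Pavel or Mark and not real switch software. The only identifier taken from the thread is the cluster MAC 000c.257e.f7aa; the client and per-server NIC MACs, the port names Fa0/1, Fa0/8, Fa0/9 and the port-channel name Po1 are constructed assumptions. ARP payloads are not modelled: the client simply addresses frames to the shared MAC, which is what an ARP reply carrying that MAC would cause it to do.

```python
# Toy learning-switch model (added example, constructed for this thread; not
# from any of the posters and not real switch code). It reproduces three cases:
# a MAC sourced from two ports flaps the CAM table, a MAC that is only ever a
# destination stays unknown and is flooded, and an etherchannel maps two
# physical ports to one logical port so teamed NICs sharing a MAC do not flap.
from dataclasses import dataclass, field
from typing import Dict, List, Set

BCAST = "ffff.ffff.ffff"
SHARED = "000c.257e.f7aa"   # the cluster MAC from the thread
CLIENT = "0000.0c11.1111"   # constructed client MAC (assumption)
SRV_A = "000c.29aa.0001"    # constructed per-server NIC MACs (assumption)
SRV_B = "000c.29aa.0002"
PORTS = {"Fa0/1", "Fa0/8", "Fa0/9"}  # client on Fa0/1, servers on Fa0/8, Fa0/9


@dataclass
class Frame:
    src: str
    dst: str
    in_port: str


@dataclass
class Switch:
    ports: Set[str]
    lag: Dict[str, str] = field(default_factory=dict)   # physical -> port-channel
    cam: Dict[str, str] = field(default_factory=dict)   # MAC -> logical port
    flaps: List[str] = field(default_factory=list)      # CAM entries that moved

    def _logical(self, port: str) -> str:
        return self.lag.get(port, port)

    def forward(self, f: Frame) -> List[str]:
        """Learn f.src on the ingress port, then return the list of egress ports."""
        in_port = self._logical(f.in_port)
        prev = self.cam.get(f.src)
        # Dynamic learning: the most recently seen port overwrites the old entry.
        self.cam[f.src] = in_port
        if prev is not None and prev != in_port:
            self.flaps.append(f"{f.src} {prev}->{in_port}")
        out = self.cam.get(f.dst)
        if out is None:
            # Unknown unicast (and broadcast): flood out every port except ingress.
            egress = {self._logical(p) for p in self.ports}
            return sorted(egress - {in_port})
        return [] if out == in_port else [out]


def shared_source_mac():
    """Both servers source frames from SHARED: the CAM entry flaps and only the
    most recently learned port receives the client's traffic."""
    sw = Switch(set(PORTS))
    sw.forward(Frame(CLIENT, BCAST, "Fa0/1"))        # ARP request; learns CLIENT
    deliveries = []
    for in_port in ("Fa0/8", "Fa0/9", "Fa0/8", "Fa0/9"):
        sw.forward(Frame(SHARED, CLIENT, in_port))   # reply sourced from SHARED
        deliveries.append(sw.forward(Frame(CLIENT, SHARED, "Fa0/1")))
    return deliveries, sw.flaps


def unique_source_mac():
    """Servers send from their own NIC MACs; SHARED is never a source, so it is
    never learned and frames to it are flooded to every port (both servers)."""
    sw = Switch(set(PORTS))
    sw.forward(Frame(CLIENT, BCAST, "Fa0/1"))
    sw.forward(Frame(SRV_A, CLIENT, "Fa0/8"))        # reply from server A's NIC
    sw.forward(Frame(SRV_B, CLIENT, "Fa0/9"))        # reply from server B's NIC
    return sw.forward(Frame(CLIENT, SHARED, "Fa0/1")), SHARED in sw.cam


def teamed_nics_etherchannel():
    """One server with teamed NICs on Fa0/8 and Fa0/9 bundled into Po1: the
    shared source MAC is learned on the single logical port, so no flapping."""
    sw = Switch(set(PORTS), lag={"Fa0/8": "Po1", "Fa0/9": "Po1"})
    sw.forward(Frame(CLIENT, BCAST, "Fa0/1"))
    for in_port in ("Fa0/8", "Fa0/9", "Fa0/8"):
        sw.forward(Frame(SHARED, CLIENT, in_port))
    return sw.forward(Frame(CLIENT, SHARED, "Fa0/1")), sw.flaps


if __name__ == "__main__":
    print("shared source MAC:", shared_source_mac())
    print("unique source MACs:", unique_source_mac())
    print("etherchannel:", teamed_nics_etherchannel())
```

In the first scenario each client frame reaches only the port that last sourced the shared MAC, alternating between Fa0/8 and Fa0/9 with a flap recorded on every change; in the second the shared MAC never enters the CAM table and every client frame to it is flooded to both server ports; in the third the two physical ports are one logical port, so the entry never moves.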




This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:39 ARST