From: abdul muhammed (abdulmuri@gmail.com)
Date: Tue Jan 20 2009 - 15:12:36 ARST
Hi,
I think you should just shut down the port while you configure
port-security and, after that, enable the port.
On Tue, Jan 20, 2009 at 4:20 PM, Jason Morris <mcnever@gmail.com> wrote:
> I agree; I don't know that I've seen any server clustering that uses a
> single unicast MAC address for the cluster. Typically what I've seen
> with Microsoft load balancing is using a multicast MAC which, to the
> best of my knowledge, can't be dynamically added to the CAM table, so
> it broadcasts.
>
> Anyway, unicast MAC to multiple ports. Looks like it works; I haven't
> tested it, but it lets me config it. Anybody know why/if this wouldn't
> work?
>
>
>
> Test-SW(config)#mac-address-table static 001F.3CA6.07AA vlan 1
> interface fastEthernet 0/47 fastEthernet 0/48
> Test-SW(config)#do sho mac-
> Test-SW(config)#do sho mac- stat
> Mac Address Table
> -------------------------------------------
>
> Vlan Mac Address Type Ports
> ---- ----------- -------- -----
> All 0100.0ccc.cccc STATIC CPU
> ....
> All ffff.ffff.ffff STATIC CPU
> 1 001f.3ca6.07aa STATIC Fa0/47 Fa0/48
> Total Mac Addresses for this criterion: 21
> Test-SW(config)#
>
>
> thanks
> Jason
>
>
> On Tue, Jan 20, 2009 at 9:25 AM, paul cosgrove <paul.cosgrove@gmail.com> wrote:
>> Hi Pavel,
>>
>> Regarding your first point there, the switching standard you describe sounds
>> unusual, and I'm unclear how it helps when there are duplicate MACs
>> connected to two layer 2 switch ports. Perhaps you have a reference with a
>> more detailed description of its operation?
>>
>> Normally if a switch dynamically learns a MAC address on multiple ports then
>> the most recently learned port is used in the MAC address table entry. This
>> behaviour allows frames to be sent around network failures without
>> unnecessary flooding. Sometimes with server NIC teaming the same source
>> MAC is used on different physical NICs of a server, so you need an
>> etherchannel to logically group the switch ports to create just a single MAC
>> table entry.
>>
>> My understanding is that when virtual MAC addresses are used for clusters in
>> the same VLAN, those addresses are not used to source traffic from multiple
>> servers simultaneously. To do so would cause switch CAM table entries to
>> flap, resulting in each server having patchy connectivity. If the two ports
>> are on a single switch, at any particular time one server would receive all
>> traffic to the virtual MAC whilst the other server would receive nothing.
>>
>> When the virtual MAC is not used as a source address by any server (just as
>> a valid local address for receiving frames), switches will never associate
>> it with any ports and continue to flood frames destined to that address so
>> that all the servers receive it. The servers themselves send using unique
>> MAC addresses, but by sending ARP responses which specify the shared MAC
>> address (within the ARP) they can cause other devices to send frames which
>> the switches flood to all the clusters.
>>
>> Paul.
>>
>> On Tue, Jan 20, 2009 at 10:03 AM, Pavel Bykov <slidersv@gmail.com> wrote:
>>
>>> :) No.
>>> Switching rule #2:
>>> Every mac address in the network has to be unique.
>>>
>>>
>>> When duplicate MAC addresses are introduced into a switching network, Cisco
>>> switches usually assign a made-up address to both of the ports, effectively
>>> flooding traffic destined to that MAC address, because of the unknown unicast
>>> behavior rule.
>>> Microsoft engineers thought it would be smart to use that rule to set up
>>> their clusters - they assign all members the same MAC address - this way they
>>> have a guarantee that traffic will be delivered to them since it's going to be
>>> unknown unicast, because all switches that conform to standards will try to
>>> correct that "error" by not using that duplicate MAC... kind of reminds me
>>> of 640K being enough for everybody...
>>>
>>> Anyways, you could probably create a filter that would allow only the mentioned
>>> MAC address, but the MAC address table will not accept a duplicate MAC (all that
>>> in the same VLAN of course), which brings me to a possible solution:
>>> Can you assign those two ports to different VLANs, and have the VLANs behave the
>>> same? I.e. lead to an SVI somewhere. This would be a possible solution:
>>>
>>> Rack1SW2(config)#int ra fa 0/8 - 9
>>> Rack1SW2(config-if-range)#switchport access vlan 4
>>> Rack1SW2(config-if-range)#switchport port-security
>>> Command rejected: FastEthernet0/8 is a dynamic port.
>>> % Range command terminated because it failed on FastEthernet0/8
>>>
>>> Rack1SW2(config-if-range)#switchport mode acc
>>> Rack1SW2(config-if-range)#switchport port-security
>>> Rack1SW2(config-if-range)#switchport port-security mac-address 000c.257e.f7aa
>>> Found duplicate mac-address 000c.257e.f7aa.
>>>
>>> % Interface range command failed for FastEthernet0/9
>>> Rack1SW2(config-if-range)#
>>> Rack1SW2#sh run int fa
>>> 1d01h: %SYS-5-CONFIG_I: Configured from console by console
>>> Rack1SW2#sh run int fa 0/9
>>> Building configuration...
>>>
>>> Current configuration : 109 bytes
>>> !
>>> interface FastEthernet0/9
>>> switchport access vlan 4
>>> switchport mode access
>>> switchport port-security
>>> end
>>>
>>> Rack1SW2#sh run int fa 0/8
>>> Building configuration...
>>>
>>> Current configuration : 162 bytes
>>> !
>>> interface FastEthernet0/8
>>> switchport access vlan 4
>>> switchport mode access
>>> switchport port-security
>>> switchport port-security mac-address 000c.257e.f7aa
>>> end
>>>
>>> Rack1SW2#conf t
>>> Enter configuration commands, one per line. End with CNTL/Z.
>>> Rack1SW2(config)#int fa 0/9
>>> Rack1SW2(config-if)#switch acc vlan 5
>>> Rack1SW2(config-if)#
>>> Rack1SW2(config-if)#switchport port-security mac-address 000c.257e.f7aa
>>> Rack1SW2(config-if)#
>>> Rack1SW2#
>>> Rack1SW2#
>>> Rack1SW2#sh run int
>>> 1d01h: %SYS-5-CONFIG_I: Configured from console by console
>>> Rack1SW2#sh run int fa 0/8
>>> Building configuration...
>>>
>>> Current configuration : 162 bytes
>>> !
>>> interface FastEthernet0/8
>>> switchport access vlan 4
>>> switchport mode access
>>> switchport port-security
>>> switchport port-security mac-address 000c.257e.f7aa
>>> end
>>>
>>> Rack1SW2#sh run int fa 0/9
>>> Building configuration...
>>>
>>> Current configuration : 162 bytes
>>> !
>>> interface FastEthernet0/9
>>> switchport access vlan 5
>>> switchport mode access
>>> switchport port-security
>>> switchport port-security mac-address 000c.257e.f7aa
>>> end
>>>
>>>
>>>
>>> See?
>>>
>>>
>>> On Tue, Jan 20, 2009 at 10:12 AM, Mark Stephanus Chandra <mark.chandra@gmail.com> wrote:
>>>
>>> > Guys,
>>> >
>>> > I want to configure my mac-address to be allowed on multiple ports with
>>> > switch port-security.
>>> >
>>> > But when I insert the configuration, I get a duplicate mac-address error.
>>> >
>>> > switchport port-security mac-address 000c.257e.f7aa
>>> >
>>> > Found duplicate mac-address 000c.257e.f7aa.
>>> >
>>> > Anyway, I'm just curious, can this be done? Configuring the port-security
>>> > mac-address command with the same mac-address on multiple ports?
>>> >
>>> > Thanks in advance
>>> >
>>> > Regards
>>> >
>>> > Mark Stephanus Chandra
>>> >
>>> > Blogs and organic groups at http://www.ccie.net
>>> >
>>> > _______________________________________________________________________
>>> > Subscription information may be found at:
>>> > http://www.groupstudy.com/list/CCIELab.html
>>>
>>> --
>>> Pavel Bykov
>>> ----------------
>>> Don't forget to help stopping the braindumps, use of which reduces value of
>>> your certifications. Sign the petition at http://www.stopbraindumps.com/
>>>
--
There are no limitations to the mind except those we acknowledge; both poverty and riches are the offspring of thought. "Napoleon Hill"
Abdul Muhammed Murtala
American University of Nigeria
Lamido Zubairu way, Yola Adamawa
+2348052001153, +2348056201237
Network Manager
MCSE,MCDBA,MCSA,OCPDBA,CCNA,CCIE Written.
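The CAM-table behaviour Paul describes in the quoted reply, modelled as an added example that is not part of the thread or anyone's posted code: a shared MAC used as a source address flaps between ports, while a shared MAC that is only ever a destination is never learned and gets flooded. The `LearningSwitch` class, the port layout and all MAC values are constructed for illustration.

```python
class LearningSwitch:
    """Minimal transparent-bridge model: one VLAN, most recently learned port wins."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}    # MAC -> port it was last learned on
        self.moves = 0   # how often a MAC moved between ports (a flap)

    def receive(self, in_port, src, dst):
        """Learn src on in_port and return the egress ports chosen for dst."""
        if self.cam.get(src, in_port) != in_port:
            self.moves += 1
        self.cam[src] = in_port
        if dst in self.cam:
            return [] if self.cam[dst] == in_port else [self.cam[dst]]
        return [p for p in self.ports if p != in_port]  # unknown unicast: flood

# Constructed values: a client on Fa0/1, two cluster members on Fa0/8 and Fa0/9.
PORTS = ["Fa0/1", "Fa0/8", "Fa0/9"]
CLIENT, SRV_A, SRV_B = "0000.0000.00c1", "0000.0000.00a1", "0000.0000.00b1"
VMAC = "0000.0000.00ff"  # shared cluster MAC (constructed)

def shared_mac_as_source():
    """Both servers transmit with the shared MAC: the CAM entry flaps."""
    sw, seen = LearningSwitch(PORTS), []
    for server_port in ["Fa0/8", "Fa0/9", "Fa0/8", "Fa0/9"]:
        sw.receive(server_port, VMAC, CLIENT)
        seen.append(sw.receive("Fa0/1", CLIENT, VMAC))
    return sw.moves, seen

def shared_mac_receive_only():
    """Servers transmit with unique MACs: the shared MAC is never learned."""
    sw, seen = LearningSwitch(PORTS), []
    for server_port, mac in [("Fa0/8", SRV_A), ("Fa0/9", SRV_B)]:
        sw.receive(server_port, mac, CLIENT)
        seen.append(sw.receive("Fa0/1", CLIENT, VMAC))
    return sw.moves, VMAC in sw.cam, seen

if __name__ == "__main__":
    print(shared_mac_as_source())
    print(shared_mac_receive_only())
```

In the first case each client frame reaches only whichever server transmitted last; in the second every client frame reaches both servers.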
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:39 ARST
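A pre-deployment check for the situation in this thread, as an added example that is not code from any poster: it reads a candidate configuration and reports where one secure MAC is pinned on more than one port. It assumes the behaviour shown in Pavel's output (same MAC rejected within a VLAN, accepted across VLANs); `parse`, `audit` and the FastEthernet0/10 stanza are hypothetical.

```python
import re
from collections import defaultdict

# Constructed candidate config with trimmed stanzas. The MAC and the VLAN 4/5
# split come from the thread; FastEthernet0/10 is a constructed third port.
CANDIDATE = """\
interface FastEthernet0/8
 switchport access vlan 4
 switchport port-security
 switchport port-security mac-address 000c.257e.f7aa
!
interface FastEthernet0/9
 switchport access vlan 5
 switchport port-security
 switchport port-security mac-address 000C.257E.F7AA
!
interface FastEthernet0/10
 switchport access vlan 4
 switchport port-security
 switchport port-security mac-address sticky 000c.257e.f7aa
"""

MAC_RE = re.compile(
    r"switchport port-security mac-address (?:sticky )?([0-9a-f.]{14})\b", re.I)

def parse(config):
    """Return {interface: {"vlan": access VLAN (default 1), "macs": [secure MACs]}}."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = ports.setdefault(line.split(None, 1)[1], {"vlan": 1, "macs": []})
        elif cur is not None and line.startswith("switchport access vlan "):
            cur["vlan"] = int(line.split()[-1])
        elif cur is not None and (m := MAC_RE.match(line)):
            cur["macs"].append(m.group(1).lower())
    return ports

def audit(config):
    """Return (same-VLAN duplicates, MACs pinned in more than one VLAN)."""
    by_mac = defaultdict(lambda: defaultdict(list))  # mac -> vlan -> ports
    for port, info in parse(config).items():
        for mac in info["macs"]:
            by_mac[mac][info["vlan"]].append(port)
    same_vlan = {(mac, vlan): ports for mac, vlans in by_mac.items()
                 for vlan, ports in vlans.items() if len(ports) > 1}
    cross_vlan = {mac: sorted(vlans) for mac, vlans in by_mac.items() if len(vlans) > 1}
    return same_vlan, cross_vlan
```

Same-VLAN hits are the entries the switch in the thread refused; cross-VLAN hits are accepted by it, so they are worth reviewing as places where one trusted MAC is allowed on several ports.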