[c-nsp] Port-Security x Teaming on Catalyst 4500
Steve Francis
sfrancis at fastclick.com
Thu Sep 30 15:25:16 EDT 2004
Rubens Kuhl Jr. wrote:
>I'm facing a problem with port-security on a high-availability configuration. The scenario has two Catalyst 4500 switches (SUP III), with machines connected to both switches using teaming (active-standby; the same MAC address is used by the adapters on both switches).
>
>Port-security is in learning mode (up to 1 address); the primary switch receives a packet from the port, learns the MAC and locks to it. The secondary switch is active to other network elements, forwarding the packets to that machine through a trunk between the switches.
>
>When a fail-over happens, the secondary switch receives a packet from the secondary NIC, learns the MAC and locks to it. So far, so good.
>
>The problem arises with fail-back: the primary NIC resumes sending packets, the secondary NIC goes into deaf mode and discards packets sent to it. The secondary switch insists on delivering packets locally instead of sending them through the trunk.
>
>The most curious thing about this is that the same scenario with Catalyst 6500 (Sup 720) works fine.
>
>Any ideas?
>
>
That your second switch has not seen any traffic from the newly revived
primary NIC, so it has not updated its MAC forwarding table.
The only way around this I know of is to make sure that the switch the
primary NIC is attached to is also primary for everything else, at layer
2 and layer 3 (OSPF, HSRP, spanning tree), so that traffic should not
reach the secondary switch from any path unless the primary switch is dead.
>
>Rubens
>
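The workaround Steve describes, written out as an IOS configuration sketch. This is an added illustration, not configuration posted by either participant: the VLAN number, addresses, interface names and HSRP group are assumed. Switch A (where the primary NICs live) is made the spanning-tree root and the HSRP active router for the server VLAN, so that under normal operation frames for the server only ever arrive via switch A and switch B never sees the stale, port-security-locked entry being used. The access-port lines reproduce the "up to 1 address" port-security setting from the question.

```text
! ---- Switch A (primary): STP root and HSRP active for the server VLAN ----
spanning-tree vlan 10 priority 4096
!
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
 standby 1 ip 10.0.10.1
 standby 1 priority 110
 standby 1 preempt
!
interface GigabitEthernet1/1
 description server-01 primary (active) NIC
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
!
! ---- Switch B (secondary): less-preferred root, HSRP standby ----
spanning-tree vlan 10 priority 8192
!
interface Vlan10
 ip address 10.0.10.3 255.255.255.0
 standby 1 ip 10.0.10.1
 standby 1 priority 90
 standby 1 preempt
!
interface GigabitEthernet1/1
 description server-01 standby NIC
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
```

Two caveats a practitioner will want. First, this only hides the problem: after a fail-back, switch B still holds the server's MAC as a secured address on its own access port, so any frame that does reach switch B for that MAC (a host attached directly to B, or an HSRP/STP transition that does not complete in the expected order) will be delivered to the deaf standby NIC and dropped. Check for the stale entry on switch B with `show mac address-table address <server-mac>` and `show port-security interface GigabitEthernet1/1` once the primary NIC is back. Second, with `violation restrict` the standby NIC's occasional keepalive frames are counted rather than shutting the port, which is what you want on a teamed port; `violation shutdown` would err-disable the standby link the first time a second address showed up during a transition.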