[c-nsp] Port-security and high-availability issue on Cat 4K

Cameron.Dry at didata.com.au
Wed Feb 16 04:07:51 EST 2005


Have you tried "set cam agingtime"?

Regards

Cameron

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rubens Kuhl Jr.
Sent: Tuesday, 15 February 2005 12:22 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Port-security and high-availability issue on Cat 4K



I'm having issues with port-security on Cat 4K in a high-availability
scenario. 
All servers have two NICs, configured for fail-over teaming,
active-standby; a virtual MAC is created by the NIC driver. All servers
are connected to two Catalyst 4506 switches; the switch where standby
NICs are connected is identically configured to the one where active
NICs are connected. There is a port-channel of multiple ports linking
both switches.

Port-security is configured in learning mode, with 1 maximum
MAC-address.

In a normal situation, a server's MAC-address appears on the #1 switch as
a static entry directed to the connected port. On switch #2, it appears
as a dynamic entry pointed to the port-channel. So far, so good.

If NIC #1 fails, the static entry on switch #1 is quickly removed, but
the dynamic entry on switch #2 remains, preventing another entry with
that MAC from being created on switch #2. After some time (5 minutes, in most
tests), switch #2 shows a static entry to the connected port, switch #1
shows a dynamic entry pointed to the trunk, and traffic resumes flowing.


If NIC #1 becomes operational again, fail-back on switch #1 goes ok: a
static entry is recreated to the connected port. On switch #2, the
static entry remains, but the port no longer responds. All traffic that
comes through this switch to the server is dropped.

A similar scenario with Cat 6K switches runs fine, failing-over and
failing-back just fine.
Anything that can be tuned on Cat 4K to perform better in such a
scenario?


 
Rubens





