[c-nsp] Alternatives for port-security in a L2 host redundancy environment

Christopher Pilkington cjp at 0x1.net
Thu Apr 28 12:59:57 EDT 2011


We have a situation where auditors are requiring us to use
port-security on L2 switchports.  However, we have firewalls that
cluster and move their MAC address from one switchport to the other.

On a single switch, this would result in the port being disabled.

In redundant switches, the port doesn't disable, but the MAC is being
nailed in the static table on both switches, which seems to cause the
firewalls some trouble, as they are in an active/passive
configuration.

Has anyone else run into this and found an alternate solution to
port-security?  Basically we want to defend against two things:

1. someone unplugging the firewall and utilizing its switchport for
   other purposes (which is game over anyway, since that implies
   physical access to the cage)
2. someone hijacking the MAC of the firewall from a different network
   interface.

Thanks!

-cjp
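The post above frames the problem as a MAC that is allowed to move between exactly two known switchports but must not appear anywhere else. Whatever replaces port-security, that rule can at least be monitored from the switches' own syslog: Cisco IOS reports MAC moves as %SW_MATM-4-MACFLAP_NOTIF and port-security rejections as %PORT_SECURITY-2-PSECURE_VIOLATION. The script below is an added example by the editor, not something from the original post or the cisco-nsp thread; the switch names (sw1, sw2), port names, VLAN, the cluster MAC 0011.2233.4455 and the log lines are all constructed for illustration. It classifies each event as an expected failover, a failover that port-security is blocking (the poster's single-switch symptom), or the cluster MAC showing up on an unrelated port (the hijack in threat 2).

```python
"""Classify Cisco IOS MAC-move syslog events for a MAC that may legitimately
fail over between specific ports.  Added example with constructed log lines
and hypothetical hostnames, ports and MAC addresses."""
import re
from typing import Dict, List, Optional, Set

# Hypothetical topology.  Seen from one switch, a failover to the firewall
# on the other switch looks like the MAC moving from the local firewall port
# to the trunk towards the peer, so the trunk is an allowed location too.
FIREWALL_MAC = "0011.2233.4455"          # hypothetical cluster MAC
ALLOWED_PORTS: Dict[str, Set[str]] = {   # hostname -> ports the MAC may use
    "sw1": {"Gi1/0/1", "Te1/0/1"},       # Gi1/0/1 = firewall A, Te1/0/1 = trunk to sw2
    "sw2": {"Gi1/0/1", "Te1/0/1"},       # Gi1/0/1 = firewall B, Te1/0/1 = trunk to sw1
}

# "<mon> <day> <time> <host> <seq>: <ios timestamp>: %FAC-SEV-MNEMONIC: text"
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+.*?"
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+):\s*(?P<msg>.*)$"
)
MACFLAP_RE = re.compile(
    r"Host (?P<mac>[0-9A-Fa-f.]+) in vlan (?P<vlan>\d+) is flapping "
    r"between port (?P<p1>\S+) and port (?P<p2>\S+)"
)
PSECURE_RE = re.compile(
    r"caused by MAC address (?P<mac>[0-9A-Fa-f.]+) on port (?P<port>\S+?)\.?$"
)

# IOS uses long names in PSECURE messages and short names in MACFLAP ones.
_PORT_PREFIXES = [
    ("TenGigabitEthernet", "Te"),
    ("GigabitEthernet", "Gi"),
    ("FastEthernet", "Fa"),
]


def normalize_port(name: str) -> str:
    """Reduce an interface name to its short form, e.g. GigabitEthernet1/0/5. -> Gi1/0/5."""
    name = name.rstrip(".")
    for long, short in _PORT_PREFIXES:
        if name.startswith(long):
            return short + name[len(long):]
    return name


def classify(line: str) -> Optional[dict]:
    """Return an event dict for lines about FIREWALL_MAC, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    host, mnemonic, msg = m.group("host"), m.group("mnemonic"), m.group("msg")
    allowed = ALLOWED_PORTS.get(host, set())

    if mnemonic == "SW_MATM-4-MACFLAP_NOTIF":
        f = MACFLAP_RE.search(msg)
        if not f or f.group("mac").lower() != FIREWALL_MAC:
            return None                       # other hosts are out of scope here
        ports = {normalize_port(f.group("p1")), normalize_port(f.group("p2"))}
        verdict = "expected-failover" if ports <= allowed else "mac-hijack"
        return {"host": host, "ports": sorted(ports), "verdict": verdict}

    if mnemonic == "PORT_SECURITY-2-PSECURE_VIOLATION":
        v = PSECURE_RE.search(msg)
        if not v or v.group("mac").lower() != FIREWALL_MAC:
            return None
        port = normalize_port(v.group("port"))
        # On an allowed port this is port-security fighting the cluster;
        # anywhere else it is the MAC turning up where it never should.
        verdict = "failover-blocked-by-port-security" if port in allowed else "mac-hijack"
        return {"host": host, "ports": [port], "verdict": verdict}

    return None


def scan(lines: List[str]) -> List[dict]:
    """Classify every line and drop the ones that are not about the cluster MAC."""
    return [e for e in (classify(l) for l in lines) if e is not None]


# Constructed sample syslog lines in IOS format (not from the original post).
SAMPLE_LOGS = [
    # Legitimate failover as seen on sw1: local firewall port -> trunk to sw2.
    "Apr 28 12:59:57 sw1 000123: Apr 28 12:59:56.120 EDT: %SW_MATM-4-MACFLAP_NOTIF: "
    "Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/1 and port Te1/0/1",
    # Port-security rejecting the cluster MAC on the port it is supposed to fail over to.
    "Apr 28 13:00:01 sw1 000124: Apr 28 13:00:00.301 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: "
    "Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/1.",
    # The cluster MAC appearing on an unrelated access port of sw2.
    "Apr 28 13:02:10 sw2 000977: Apr 28 13:02:09.870 EDT: %SW_MATM-4-MACFLAP_NOTIF: "
    "Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/17",
    # Some other host flapping; ignored.
    "Apr 28 13:03:00 sw2 000978: Apr 28 13:03:00.000 EDT: %SW_MATM-4-MACFLAP_NOTIF: "
    "Host aaaa.bbbb.cccc in vlan 20 is flapping between port Gi1/0/3 and port Gi1/0/4",
]

if __name__ == "__main__":
    for event in scan(SAMPLE_LOGS):
        print(event)
```

Because the trunk counts as an allowed location, a hijack from a port on the peer switch looks like a normal trunk move from the other switch's point of view; the rule only catches it because the peer switch's own log shows the MAC on a non-allowed access port, so both switches' logs have to be fed in. The switch will only emit these messages when it notices a move, so this is a detective control layered on whatever the ports themselves enforce, not a replacement for restricting which MACs a port accepts.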

