HP Virtual Connect for the Cisco Network Administrator

HP Virtual Connect for Cisco Network Administrators (version 4.x)
Document Number: C01386629 Date: January 2014
Figure 21: Using multiple vNets to force server-to-server traffic through external Cisco switch
Port Security
Many network administrators use a Cisco switch feature called “Port Security” to provide additional
security on the network. This feature allows the administrator to control how many MAC addresses are
learned on a particular switch port, or allows the administrator to limit connectivity to specific
MAC addresses. Typically, the feature is enabled on the Cisco switch ports where desktops and
laptops are connected in order to prevent additional hubs or switches from being connected to the
network. By enabling this feature, the administrator can configure the port to automatically shut off
(err-disable) if more than a certain number of MAC addresses are learned on the switch port. When
an unauthorized switch or hub is connected to the port, it is possible that more MAC addresses are
learned than are permitted by the administrator and the switch port is shut down. This isolates the
unauthorized switch or hub until the administrator re-enables the port.
Port security can also be used in the data center for Cisco switch ports connected to server NICs.
Since a server NIC port typically only uses a single MAC address, the feature does not cause the port
to be shut down. However, if Port Security is enabled on the Cisco switch ports connected to VC
uplinks and the administrator limits the number of MAC addresses to less than the number of
MAC addresses being used by the servers in the BladeSystem enclosure, then the port security
feature can cause the Cisco switch ports to shut down. This causes the BladeSystem enclosure
to be isolated from the external network.
If port security must be used on the Cisco switch ports connected to Virtual Connect, make sure the
number of MAC addresses allowed is greater than or equal to the number of MAC addresses used
within the enclosure. Be sure to take into account servers that may be added to the enclosure at a
later date and take into account the virtual MAC addresses used by virtual servers (e.g. ESX VMs).
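As an added illustration, not taken from the HP document, the Cisco IOS fragments below place the port-security setting that produces the err-disable described above beside one sized for the enclosure. The interface name, the maximum of 512, the aging values and the recovery interval are constructed placeholders; the maximum on a real uplink must be chosen as the text says, from the count of server NIC MAC addresses plus the virtual MAC addresses of VMs, with headroom for servers added later.

```ios
! Added example (not from the HP document): Cisco IOS port-security on the
! switch port that faces a Virtual Connect uplink. Interface name, MAC
! maximum and timers are constructed placeholders.

! --- Weak setting: the VC uplink is treated like a desktop access port ---
! Every server NIC and VM MAC behind Virtual Connect is learned on this one
! port, so "maximum 1" err-disables it and isolates the whole enclosure.
interface GigabitEthernet1/0/1
 description VC-uplink (misconfigured)
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! --- Corrected setting ---
! Maximum sized to the enclosure: current server MACs + VM virtual MACs +
! headroom for future blades (512 is a constructed value). "restrict" drops
! and logs excess MACs instead of err-disabling, so one unexpected address
! cannot take the enclosure off the network; inactivity aging lets MACs of
! migrated VMs or removed blades age out of the secure table.
interface GigabitEthernet1/0/1
 description VC-uplink (port-security sized for the enclosure)
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 512
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! If the "shutdown" violation mode is kept, allow automatic recovery so a
! transient violation does not leave the enclosure isolated until someone
! re-enables the port by hand.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Checks to run before the limit is reached: compare the learned-address
! count with the configured maximum, and review which MACs are secured.
!   show port-security interface GigabitEthernet1/0/1
!   show port-security address
```

The two interface stanzas are alternatives, not both applied; the first reproduces the failure mode the text warns about and the second the sizing it recommends. Keeping `violation restrict` with a correctly sized maximum preserves the detection value of port security (excess MACs are still counted and logged) without the isolation risk of `shutdown`.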
If port security is configured to only allow specific MAC addresses to communicate on the Cisco
switch port connected to the VC Uplink, an Administrator may find that using HP Managed
MAC