Failover Cluster Hyper-V and Port Security

    Question

  • I have two nodes in my cluster.  The Hyper-V MAC address pool is set up for an alternate set of addresses for each node.  However, when I live or quick migrate my VMs from one node to the other, the MAC address does not change to an address in the pool of the node on which it is running.  This causes a problem with port security as the same MAC address cannot be assigned to two physical network switch ports (I am limited to one network switch/subnet for this configuration).  I am also trying to avoid disabling port security.  Any way to configure this to change the MAC address during a migrate to the other node?  Thanks in advance for any advice offered.
    • Edited by TGMVA Monday, March 05, 2012 4:17 PM
    Monday, March 05, 2012 4:16 PM

Answers

  • If a VM is Live Migrated its MAC moves with it.  This is by design and the default behavior. 

    This is similar to setting the MAC of the VM to static.

    If the VM is moved without Live Migration and the MAC is set to dynamic, then the MAC will change.


    Brian Ehlert (hopefully you have found this useful) http://ITProctology.blogspot.com
    Learn. Apply. Repeat.
    Disclaimer: Attempting change is of your own free will.

    Monday, March 05, 2012 4:37 PM

All replies

  • Thanks for the quick response.

    I did a move and the MAC address still stayed the same.  However I shut down and started it on the node with the different MAC addr pool and it picked up the first addr in the pool.  I am not certain what the default behavior would be during a failover situation.  It probably depends on the failure.

    Is there any way to keep the VMs mapped to specific MACs that are different on each node?  For example (last four digits), 01-00 on cluster host 1 and 02-00 on cluster host 2.  The pools are set up similarly.  I could then set the port security to accept the first 8 addresses 0x-00, 0x-01, 0x-02 (x being 1 or 2)  and so on for each port.

    Thanks.

    Monday, March 05, 2012 5:10 PM
  • The behavior is that if the VM is running during the migration the MAC will move.

    If it is an HA event (a host dies and the VM is booted) the MAC will be re-assigned from the Hyper-V pool.

    The other option is to make your MAC range contiguous between the members of your cluster.  Node one is the first 255 addresses, node two is the next 255 addresses, node 3 is the next 255 addresses and so on.  Then apply your filter to a known larger possible range.

    So, aa-bb-cc-dd-ee-ff could be your filter and a known gg- and hh is always a 255 range unless you need it higher.

    Or you move it up to the ff level.

    But aa-bb-cc is always Hyper-V if you take the default values.

    I don't know that I described my idea very well....


    Brian Ehlert (hopefully you have found this useful) http://ITProctology.blogspot.com
    Learn. Apply. Repeat.
    Disclaimer: Attempting change is of your own free will.

    Monday, March 05, 2012 5:50 PM
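
The contiguous-pool idea from the reply above, as an added PowerShell example (not code from the thread or from Microsoft): it carves adjacent per-node pools out of one base address and checks whether a VM MAC falls inside the single range the switch filter would have to cover. The node names, the 00-15-5D-01-00-00 base, the sample MACs and the block size of 256 addresses per node are assumptions made for illustration.

```powershell
# Added example. Assumed: node names, the 00-15-5D-01 base, 256 addresses per node.
function ConvertFrom-MacString([string]$Mac) {
    # Strip separators and parse the 12 hex digits as a 48-bit integer
    [Convert]::ToUInt64(($Mac -replace '[-:.]', ''), 16)
}

function ConvertTo-MacString([uint64]$Value) {
    # 12 hex digits without separators, the form Set-VMHost takes
    '{0:X12}' -f $Value
}

function New-MacPoolPlan {
    param([string[]]$Nodes, [string]$BaseMac = '00-15-5D-01-00-00', [int]$PoolSize = 256)
    $base = ConvertFrom-MacString $BaseMac
    for ($i = 0; $i -lt $Nodes.Count; $i++) {
        # Each node's pool starts where the previous node's pool ended
        $min = $base + [uint64]($i * $PoolSize)
        [pscustomobject]@{
            Node    = $Nodes[$i]
            Minimum = ConvertTo-MacString $min
            Maximum = ConvertTo-MacString ($min + [uint64]($PoolSize - 1))
        }
    }
}

function Test-MacInPlan {
    param([string]$Mac, [object[]]$Plan)
    # True when the MAC lies inside the single range spanning every node's pool
    $value = ConvertFrom-MacString $Mac
    $low   = ConvertFrom-MacString $Plan[0].Minimum
    $high  = ConvertFrom-MacString $Plan[-1].Maximum
    ($value -ge $low) -and ($value -le $high)
}

$plan = @(New-MacPoolPlan -Nodes 'HV-NODE1', 'HV-NODE2')
$plan | Format-Table -AutoSize
'Switch filter must cover {0} through {1}' -f $plan[0].Minimum, $plan[-1].Maximum

# Constructed sample MACs: one per node pool, plus a static address outside the plan
'00-15-5D-01-00-03', '00-15-5D-01-01-00', '00-15-5D-0A-00-01' | ForEach-Object {
    '{0} inside planned range: {1}' -f $_, (Test-MacInPlan -Mac $_ -Plan $plan)
}

# Applying a pool on a node (Hyper-V module, Windows Server 2012 or later), e.g.:
# Set-VMHost -ComputerName HV-NODE1 -MacAddressMinimum 00155D010000 -MacAddressMaximum 00155D0100FF
```
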
  • Thanks.  I will check to see if this option is acceptable.  Not sure how clear your explanation was but I understood it after a bit of thought.  Actually, I am fairly confident that this was what the configuration defaulted to.  I can understand why supporting what I need would be unnecessarily complicated to implement based on most organizations' requirements.
    Monday, March 05, 2012 6:14 PM