Cisco Nexus 6000 Series NX-OS Security Configuration Guide, Release 6.x
Configuring Port Security
Downloads: This chapterpdf (PDF - 1.26MB) The complete bookPDF (PDF - 4.19MB) | The complete bookePub (ePub - 672.0KB) | Feedback

Configuring Port Security

Contents

Configuring Port Security

This chapter includes the following sections:

Information About Port Security

Port security allows you to configure Layer 2 physical interfaces, Layer 2 port-channel interfaces, and virtual port channels (vPCs) to allow inbound traffic from only a restricted set of MAC addresses. The MAC addresses in the restricted set are called secure MAC addresses. In addition, the device does not allow traffic from these MAC addresses on another interface within the same VLAN. The number of MAC addresses that the device can secure is configurable per interface.


Note


Unless otherwise specified, the term interface refers to physical interfaces, port-channel interfaces, and vPCs; likewise, the term Layer 2 interface refers to both Layer 2 physical interfaces and Layer 2 port-channel interfaces.


Secure MAC Address Learning

The process of securing a MAC address is called learning. A MAC address can be a secure MAC address on one interface only. For each interface that you enable port security on, the device can learn a limited number of MAC addresses by the static, dynamic, or sticky methods. The way that the device stores secure MAC addresses varies depending upon how the device learned the secure MAC address.


Note


All learned MAC addresses are synchronized between vPC peers.


Static Method

The static learning method allows you to manually add or remove secure MAC addresses to the running configuration of an interface. If you copy the running configuration to the startup configuration, static secure MAC addresses are unaffected if the device restarts.

A static secure MAC address entry remains in the configuration of an interface until one of the following events occurs:

  • You explicitly remove the address from the configuration.
  • You configure the interface to act as a Layer 3 interface.

Adding secure addresses by the static method is not affected by whether dynamic or sticky address learning is enabled.

Dynamic Method

By default, when you enable port security on an interface, you enable the dynamic learning method. With this method, the device secures MAC addresses as ingress traffic passes through the interface. If the address is not yet secured and the device has not reached any applicable maximum, it secures the address and allows the traffic.

The device stores dynamic secure MAC addresses in memory. A dynamic secure MAC address entry remains in the configuration of an interface until one of the following events occurs:

  • The device restarts.
  • The interface restarts.
  • The address reaches the age limit that you configured for the interface.
  • You explicitly remove the address.
  • You configure the interface to act as a Layer 3 interface.

Sticky Method

If you enable the sticky method, the device secures MAC addresses in the same manner as dynamic address learning, but the device stores addresses learned by this method in nonvolatile RAM (NVRAM). As a result, addresses learned by the sticky method persist through a device restart. Sticky secure MAC addresses do not appear in the running configuration of an interface.

Dynamic and sticky address learning are mutually exclusive. When you enable sticky learning on an interface, the device stops dynamic learning and performs sticky learning instead. If you disable sticky learning, the device resumes dynamic learning.

A sticky secure MAC address entry remains in the configuration of an interface until one of the following events occurs:

  • You explicitly remove the address.
  • You configure the interface to act as a Layer 3 interface.

Dynamic Address Aging

The device ages MAC addresses learned by the dynamic method and drops them after the age limit is reached. You can configure the age limit on each interface. The range is from 0 to 1440 minutes, where 0 disables aging.

In vPC domains, dynamic MAC addresses are dropped only after the age limit is reached on both vPC peers.

The method that the device uses to determine that the MAC address age is also configurable. The two methods of determining address age are as follows:

Inactivity

The length of time after the device last received a packet from the address on the applicable interface.

Absolute

The length of time after the device learned the address. This is the default aging method; however, the default aging time is 0 minutes, which disables aging.

Secure MAC Address Maximums

By default, an interface can have only one secure MAC address. You can configure the maximum number of MAC addresses permitted per interface or per VLAN on an interface. Maximums apply to secure MAC addresses learned by any method: dynamic, sticky, or static.


Note


In vPC domains, the configuration on the primary vPC takes effect.



Tip


To ensure that an attached device has the full bandwidth of the port, set the maximum number of addresses to one and configure the MAC address of the attached device.

The following three limits can determine how many secure MAC addresses are permitted on an interface:

Device maximum

The device has a nonconfigurable limit of 8192 secure MAC addresses. If learning a new address would violate the device maximum, the device does not permit the new address to be learned, even if the interface or VLAN maximum has not been reached.

Interface maximum

You can configure a maximum number of 1025 secure MAC addresses for each interface protected by port security. The default interface maximum is one address. Interface maximums cannot exceed the device maximum.

In vPC domains, you set the maximum number of secure MAC addresses on the primary vPC switch. The primary vPC switch does the count validation, even if a maximum number of secure MAC addresses is set on the secondary switch.

VLAN maximum

You can configure the maximum number of secure MAC addresses per VLAN for each interface protected by port security. A VLAN maximum cannot exceed the configured interface maximum. VLAN maximums are useful only for trunk ports. There are no default VLAN maximums.

You can configure VLAN and interface maximums per interface, as needed; however, when the new limit is less than the applicable number of secure addresses, you must reduce the number of secure MAC addresses first.

Security Violations and Actions

Port security triggers security violations when either of the two following events occur:

MAX Count Violation

Ingress traffic arrives at an interface from a nonsecure MAC address and learning the address would exceed the applicable maximum number of secure MAC addresses. The blocked entry is added to the Forwarding Module (FWM) of the Cisco Nexus switch.

When an interface has both a VLAN maximum and an interface maximum configured, a violation occurs when either maximum is exceeded. For example, consider the following on a single interface configured with port security:
  • VLAN 1 has a maximum of 5 addresses
  • The interface has a maximum of 10 addresses
The device detects a violation when any of the following occurs:
  • The device has learned five addresses for VLAN 1 and inbound traffic from a sixth address arrives at the interface in VLAN 1.
  • The device has learned 10 addresses on the interface and inbound traffic from an 11th address arrives at the interface.
MAC Move Violation

Ingress traffic from a secure MAC address arrives at a different interface in the same VLAN as the interface on which the address is secured. The blocked entry is added as a drop entry in the Port Security table.

When a security violation occurs, the device increments the security violation counter for the interface and takes the action specified by the port security configuration of the interface. If a violation occurs because ingress traffic from a secure MAC address arrives at a different interface than the interface on which the address is secure, the device applies the action on the interface that received the traffic.

The possible actions that the device can take are as follows:

Shutdown

Shuts down the interface that received the packet triggering the violation. The interface is error disabled. This action is the default. After you reenable the interface, it retains its port security configuration, including its secure MAC addresses.

You can use the errdisable global configuration command to configure the device to reenable the interface automatically if a shutdown occurs, or you can manually reenable the interface by entering the shutdown and no shut down interface configuration commands.

The MAC address does not move to the unsecure port, and the frame on the unsecure port is dropped.

Restrict

Drops ingress traffic from any nonsecure MAC addresses and adds the MAC address as a blocked MAC entry in the port security table..


Note


In vPC domains, blocked MAC addresses added to the port security table due to violations occuring in the Restrict mode are not synchronized across vPC peers.


The device keeps a count of the number of dropped packets, which is called the security violation count. Address learning continues until the maximum security violations have occurred on the interface. Traffic from addresses learned after the first security violation is dropped.

After the maximum number of MAX count violations (10) is reached, a violation is triggered and the device stops learning new MAC addresses.

Protect

Prevents further violations from occurring. The address that triggered the security violation is learned but any traffic from the address is dropped. Further address learning stops.


Note


In vPCs, the violation action configured on the primary vPC switch takes affect. So, whenever a security violation is triggered, the security action defined on the primary vPC switch occurs.


After the maximum number of MAX move violations (10) is reached, the interface is shut down and placed in the errdisabled state.

Port Type Changes

When you have configured port security on a Layer 2 interface and you change the port type of the interface, the device behaves as follows:

Access port to trunk port

When you change a Layer 2 interface from an access port to a trunk port, the device drops all secure addresses learned by the dynamic method. The device moves the addresses learned by the static or sticky method to the native trunk VLAN.

Trunk port to access port

When you change a Layer 2 interface from an access port to a trunk port, the device drops all secure addresses learned by the dynamic method. The device moves the addresses learned by the static method to the native trunk VLAN. The sticky MAC addresses remain in same VLAN if the VLAN exists. Otherwise, the MAC addresses move to the native VLAN of the trunk port.

Switched port to routed port

When you change an interface from a Layer 2 interface to a Layer 3 interface, the device disables port security on the interface and discards all port security configuration for the interface. The device also discards all secure MAC addresses for the interface, regardless of the method used to learn the address.

Routed port to switched port

When you change an interface from a Layer 3 interface to a Layer 2 interface, the device has no port security configuration for the interface.

Licensing Requirements for Port Security

The following table shows the licensing requirements for this feature:

Product

License Requirement

Cisco NX-OS

Port security requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS device images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the License and Copyright Information for Cisco NX-OS Software available at the following URL: http:/​/​www.cisco.com/​en/​US/​docs/​switches/​datacenter/​sw/​4_0/​nx-os/​license_agreement/​nx-ossw_​lisns.html.

Prerequisites for Port Security

Port security has the following prerequisites:

  • You must globally enable port security for the device that you want to protect with port security.
  • In a vPC domain, you must enable port security globally on both vPC peers and on both vPC interfaces on the vPC peers. We recommend that you use the config sync command to ensure that the configuration is consistent on both vPC peers.

Guidelines and Limitations for Port Security

When configuring port security, follow these guidelines:

  • Port security is supported on PVLAN ports.
  • Port security does not support switched port analyzer (SPAN) destination ports.
  • Port security does not depend upon other features.
  • Port security is not supported on vPC peer links.
  • Port security is not supported on Network Interface (NIF) port, Flex Link ports, or vEthernet interfaces.

Guidelines and Limitations for Port Security on vPCs

In addition to the guidelines and limitations for port security, there are additional guidelines and limitations for port security on vPCs. When configuring port security on vPCs, follow these guidelines:

  • You must enabled port security globally on both vPC peers in a vPC domain.
  • You must enable port security on the vPC interfaces of both vPC peers.
  • You must configure a static secure MAC address on the primary vPC peer. This MAC address is synchronized with the secondary vPC peer. Do not configure a static secure MAC address on the secondary peer. This MAC address appears in the secondary vPC configuration, but does not take affect.
  • All learned MAC addresses are synchronized between vPC peers.
  • Both vPC peers can be configured with either the dynamic or sticky MAC address learning method. However, we recommend that both vPC peers be configured for the same method.
  • Dynamic MAC addresses are dropped only after the age limit is reached on both vPC peers.
  • You set the maximum number of secure MAC addresses on the primary vPC switch. The primary vPC switch does the count validation, even if a maximum number of secure MAC addresses is set on the secondary switch.
  • You configure the violation action on the primary vPC. So, whenever a security violation is triggered, the security action defined on the primary vPC switch occurs.
  • Port security is enabled on a vPC interface when the port security feature is enabled on both vPC peers and port security is enabled on both vPC interfaces of the vPC peers. You can use the config sync command to verify that the configuration is correct.
  • While a switch undergoes an in-service software upgrade (ISSU), port security operations are stopped on its peer switch. The peer switch does not learn any new MAC addresses, and MAC moves occurring during this operation are ignored. When the ISSU is complete, the peer switch is notified and normal port security functionality resumes.
  • ISSU to higher versions is supported; however ISSU to lower versions is not supported.

Configuring Port Security

Enabling or Disabling Port Security Globally

You can enable or disable port security globally on a device. By default, port security is disabled globally.

When you disable port security, all port security configuration on the interface is ineffective. When you disable port security globally, all port security configuration is lost.


Note


To enable or disable port security in a vPC domain, you must enable or disable port security globally on both vPC peers.


Procedure
      Command or Action Purpose
    Step 1 configure terminal


    Example:
    switch# configure terminal
    switch(config)#
     

    Enters global configuration mode.

     
    Step 2 [no] feature port-security


    Example:
    switch(config)# feature port-security
     

    Enables port security globally. The no option disables port security globally.

     
    Step 3 show port-security


    Example:
    switch(config)# show port-security
     

    Displays the status of port security.

     
    Step 4 copy running-config startup-config


    Example:
    switch(config)# copy running-config startup-config
     
    (Optional)

    Copies the running configuration to the startup configuration.

     
    Step 5 If you are configuring port security for a vPC domain, repeat steps 1 through 4 on the vPC peer to enable port security globally.

    Example:  

     

    Enabling or Disabling Port Security on a Layer 2 Interface

    You can enable or disable port security on a Layer 2 interface. By default, port security is disabled on all interfaces.

    When you disable port security on an interface, all switchport port security configuration for the interface is lost.

    Before You Begin

    You must have enabled port security globally.

    If you are setting up port security in a vPC domain, you must have enabled port security globally on both vPC peers.

    If a Layer 2 Ethernet interface is a member of a port-channel interface, you cannot enable or disable port security on the Layer 2 Ethernet interface.

    If any member port of a secure Layer 2 port-channel interface has port security enabled, you cannot disable port security for the port-channel interface unless you first remove all secure member ports from the port-channel interface.

    Procedure
        Command or Action Purpose
      Step 1 configure terminal


      Example:
      switch# configure terminal
      switch(config)#
      
       

      Enters global configuration mode.

       
      Step 2 Enter one of the following commands:
      • interface ethernet slot/port
      • interface port-channel channel-number


      Example:
      switch(config)# interface ethernet 2/1
      switch(config-if)#
      
       

      Enters interface configuration mode for the Ethernet or port-channel interface that you want to configure with port security.

      Note   

      If this is a 10G breakout port, the slot/port syntax is slot/QSFP-module/port.

       
      Step 3 switchport


      Example:
      switch(config-if)# switchport
      
       

      Configures the interface as a Layer 2 interface.

       
      Step 4 [no] switchport port-security


      Example:
      switch(config-if)# switchport port-security
      
       

      Enables port security on the interface. The no option disables port security on the interface.

       
      Step 5 show running-config port-security


      Example:
      switch(config-if)# show running-config port-security
      
       

      Displays the port security configuration.

       
      Step 6 copy running-config startup-config


      Example:
      switch(config-if)# copy running-config startup-config
      
       
      (Optional)

      Copies the running configuration to the startup configuration.

       
      Step 7 If you are configuring port security for a vPC domain, repeat steps 1 through 6 to on the vPC peer to enable port security on its vPC interface. 

       

      Enabling or Disabling Sticky MAC Address Learning

      You can disable or enable sticky MAC address learning on an interface. If you disable sticky learning, the device returns to dynamic MAC address learning on the interface, which is the default learning method.

      By default, sticky MAC address learning is disabled.

      Before You Begin

      You must have enabled port security globally.

      Procedure
          Command or Action Purpose
        Step 1 configure terminal


        Example:
        switch# configure terminal
        switch(config)#
         

        Enters global configuration mode.

         
        Step 2 Enter one of the following commands:
        • interface ethernet slot/port
        • interface port-channel channel-number


        Example:
        switch(config)# interface ethernet 2/1
        switch(config-if)#
        
         

        Enters interface configuration mode for the interface that you want to configure with sticky MAC address learning.

        Note   

        If this is a 10G breakout port, the slot/port syntax is slot/QSFP-module/port.

         
        Step 3 switchport


        Example:
        switch(config-if)# switchport
         

        Configures the interface as a Layer 2 interface.

         
        Step 4 [no] switchport port-security mac-address sticky


        Example:
        switch(config-if)# switchport port-security mac-address sticky
         

        Enables sticky MAC address learning on the interface. The no option disables sticky MAC address learning.

         
        Step 5 show running-config port-security


        Example:
        switch(config-if)# show running-config port-security
         

        Displays the port security configuration.

         
        Step 6 copy running-config startup-config


        Example:
        switch(config-if)# copy running-config startup-config
         
        (Optional)

        Copies the running configuration to the startup configuration.

         

        Adding a Static Secure MAC Address on an Interface

        You can add a static secure MAC address on a Layer 2 interface.


        Note


        If the MAC address is a secure MAC address on any interface, you cannot add it as a static secure MAC address to another interface until you remove it from the interface on which it is already a secure MAC address.


        By default, no static secure MAC addresses are configured on an interface.

        Before You Begin

        You must have enabled port security globally.

        Verify that the interface maximum has not been reached for secure MAC addresses. If needed, you can remove a secure MAC address or you can change the maximum number of addresses on the interface.

        Procedure
            Command or Action Purpose
          Step 1 configure terminal


          Example:
          switch# configure terminal
          switch(config)#
           

          Enters global configuration mode.

           
          Step 2 Enter one of the following commands:
          • interface ethernet slot/port
          • interface port-channel channel-number


          Example:
          switch(config)# interface ethernet 2/1
          switch(config-if)#
          
           

          Enters interface configuration mode for the interface that you specify.

          Note   

          If this is a 10G breakout port, the slot/port syntax is slot/QSFP-module/port.

           
          Step 3 [no] switchport port-security mac-address address [vlan vlan-ID]


          Example:
          switch(config-if)# switchport port-security mac-address 0019.D2D0.00AE
           

          Configures a static MAC address for port security on the current interface. Use the vlan keyword if you want to specify the VLAN that traffic from the address is allowed on.

           
          Step 4 show running-config port-security


          Example:
          switch(config-if)# show running-config port-security
           

          Displays the port security configuration.

           
          Step 5 copy running-config startup-config


          Example:
          switch(config-if)# copy running-config startup-config
           
          (Optional)

          Copies the running configuration to the startup configuration.

           

          Removing a Static Secure MAC Address on an Interface

          You can remove a static secure MAC address on a Layer 2 interface.

          Procedure
              Command or Action Purpose
            Step 1 configure terminal


            Example:
            switch# configure terminal
            switch(config)#
             

            Enters global configuration mode.

             
            Step 2 Enter one of the following commands:
            • interface ethernet slot/port
            • interface port-channel channel-number


            Example:
            switch(config)# interface ethernet 2/1
            switch(config-if)#
            
             

            Enters interface configuration mode for the interface from which you want to remove a static secure MAC address.

            Note   

            If this is a 10G breakout port, the slot/port syntax is slot/QSFP-module/port.

             
            Step 3 no switchport port-security mac-address address


            Example:
            switch(config-if)# no switchport port-security mac-address 0019.D2D0.00AE
             

            Removes the static secure MAC address from port security on the current interface.

             
            Step 4 show running-config port-security


            Example:
            switch(config-if)# show running-config port-security
             

            Displays the port security configuration.

             
            Step 5 copy running-config startup-config


            Example:
            switch(config-if)# copy running-config startup-config
             
            (Optional)

            Copies the running configuration to the startup configuration.

             

            Removing a Dynamic Secure MAC Address

            You can remove dynamically learned, secure MAC addresses.

            Before You Begin

            You must have enabled port security globally.

            Procedure
                Command or Action Purpose
              Step 1 configure terminal


              Example:
              switch# configure terminal
              switch(config)#
               

              Enters global configuration mode.

               
              Step 2 clear port-security dynamic {interface ethernet slot/port | address address} [vlan vlan-ID]


              Example:
              switch(config)# clear port-security dynamic interface ethernet 2/1
               

              Removes dynamically learned, secure MAC addresses, as specified.

              If you use the interface keyword, you remove all dynamically learned addresses on the interface that you specify.

              If you use the address keyword, you remove the single, dynamically learned address that you specify.

              Use the vlan keyword if you want to further limit the command to removing an address or addresses on a particular VLAN.

              Note   

              If this is a 10G breakout port, the slot/port syntax is slot/QSFP-module/port.

               
              Step 3 show port-security address


              Example:
              switch(config)# show port-security address
               

              Displays secure MAC addresses.

               
              Step 4 copy running-config startup-config


              Example:
              switch(config-if)# copy running-config startup-config
               
              (Optional)

              Copies the running configuration to the startup configuration.

               

              Configuring a Maximum Number of MAC Addresses

              You can configure the maximum number of MAC addresses that can be learned or statically configured on a Layer 2 interface. You can also configure a maximum number of MAC addresses per VLAN on a Layer 2 interface. The largest maximum number of addresses that you can configure on an interface is 1025 addresses. The system maximum number of address is 8192.

              By default, an interface has a maximum of one secure MAC address. VLANs have no default maximum number of secure MAC addresses.


              Note


              When you specify a maximum number of addresses that is less than the number of addresses already learned or statically configured on the interface, the device rejects the command. To remove all addresses learned by the dynamic method, use the shutdown and no shutdown commands to restart the interface.


              Before You Begin

              You must have enabled port security globally.

              Procedure
                  Command or Action Purpose
                Step 1 configure terminal


                Example:
                switch# configure terminal
                switch(config)#
                 

                Enters global configuration mode.

                 
                Step 2 Enter one of the following commands:
                • interface ethernet slot/port
                • interface port-channel channel-number


                Example:
                switch(config)# interface ethernet 2/1
                switch(config-if)#
                
                 

                Enters interface configuration mode, where slot is the interface that you want to configure with the maximum number of MAC addresses.

                Note   

                If this is a 10G breakout port, the slot/port syntax is slot/QSFP-module/port.

                 
                Step 3 [no] switchport port-security maximum number [vlan vlan-ID]


                Example:
                switch(config-if)# switchport port-security maximum 425
                 

                Configures the maximum number of MAC addresses that can be learned or statically configured for the current interface. The highest valid number is 1025. The no option resets the maximum number of MAC addresses to the default, which is 1.

                If you want to specify the VLAN that the maximum applies to, use the vlan keyword.

                 
                Step 4 show running-config port-security


                Example:
                switch(config-if)# show running-config port-security
                 

                Displays the port security configuration.

                 
                Step 5 copy running-config startup-config


                Example:
                switch(config-if)# copy running-config startup-config
                 
                (Optional)

                Copies the running configuration to the startup configuration.

                 

                Configuring an Address Aging Type and Time

                You can configure the MAC address aging type and the length of time that the device uses to determine when MAC addresses learned by the dynamic method have reached their age limit.

                Absolute aging is the default aging type.

                By default, the aging time is 0 minutes, which disables aging.

                Before You Begin

                You must have enabled port security globally.

                Procedure
                    Command or Action Purpose
                  Step 1 configure terminal


                  Example:
                  switch# configure terminal
                  switch(config)#
                   

                  Enters global configuration mode.

                   
                  Step 2 Enter one of the following commands:
                  • interface ethernet slot/port
                  • interface port-channel channel-number


                  Example:
                  switch(config)# interface ethernet 2/1
                  switch(config-if)#
                  
                   

                  Enters interface configuration mode for the interface that you want to configure with the MAC aging type and time.

                  Note   

                  If this is a 10G breakout port, the slot/port syntax is slot/QSFP-module/port.

                   
                  Step 3 [no] switchport port-security aging type {absolute | inactivity}


                  Example:
                  switch(config-if)# switchport port-security aging type inactivity
                   

                  Configures the type of aging that the device applies to dynamically learned MAC addresses. The no option resets the aging type to the default, which is absolute aging.

                   
                  Step 4 [no] switchport port-security aging time minutes


                  Example:
                  switch(config-if)# switchport port-security aging time 120
                   

                  Configures the number of minutes that a dynamically learned MAC address must age before the device drops the address. The maximum valid minutes is 1440. The no option resets the aging time to the default, which is 0 minutes (no aging).

                   
                  Step 5 show running-config port-security


                  Example:
                  switch(config-if)# show running-config port-security
                   

                  Displays the port security configuration.

                   
                  Step 6 copy running-config startup-config


                  Example:
                  switch(config-if)# copy running-config startup-config
                   
                  (Optional)

                  Copies the running configuration to the startup configuration.

                   

                  Configuring a Security Violation Action

                  You can configure the action that the device takes if a security violation occurs. The violation action is configurable on each interface that you enable with port security.

                  The default security action is to shut down the port on which the security violation occurs.

                  Before You Begin

                  You must have enabled port security globally.

                  Procedure
                      Command or Action Purpose
                    Step 1 configure terminal


                    Example:
                    switch# configure terminal
                    switch(config)#
                     

                    Enters global configuration mode.

                     
                    Step 2 Enter one of the following commands:
                    • interface ethernet slot/port
                    • interface port-channel channel-number


                    Example:
                    switch(config)# interface ethernet 2/1
                    switch(config-if)#
                    
                     

                    Enters interface configuration mode for the interface that you want to configure with a security violation action.

                    Note   

                    If this is a 10G breakout port, the slot/port syntax is slot/QSFP-module/port.

                     
                    Step 3 [no] switchport port-security violation {protect | restrict | shutdown}


                    Example:
                    switch(config-if)# switchport port-security violation restrict
                     

                    Configures the security violation action for port security on the current interface. The no option resets the violation action to the default, which is to shut down the interface.

                     
                    Step 4 show running-config port-security


                    Example:
                    switch(config-if)# show running-config port-security
                     

                    Displays the port security configuration.

                     
                    Step 5 copy running-config startup-config


                    Example:
                    switch(config-if)# copy running-config startup-config
                     
                    (Optional)

                    Copies the running configuration to the startup configuration.

                     

                    Verifying the Port Security Configuration

                    To display the port security configuration information, perform one of the following tasks. For detailed information about the fields in the output from this command, see the Security command reference for your platform.

                    Command

                    Purpose

                    show running-config port-security

                    Displays the port security configuration.

                    show port-security

                    Displays the port security status of the device.

                    show port-security interface

                    Displays the port security status of a specific interface.

                    show port-security address

                    Displays secure MAC addresses.

                    show running-config interface

                    Displays the interfaces that are in the running-configuration.

                    show mac address-table

                    Displays the contents of the MAC address table.

                    show system internal port-security info global

                    Displays the port security settings of the device.

                    Displaying Secure MAC Addresses

                    Use the show port-security address command to display secure MAC addresses. For detailed information about the fields in the output from this command, see the Security command reference for your platform.

                    Configuration Example for Port Security

                    The following example shows a port security configuration for the Ethernet 2/1 interface with VLAN and interface maximums for secure addresses. In this example, the interface is a trunk port. Additionally, the violation action is set to Restrict.

                    feature port-security 
                    interface Ethernet 2/1
                      switchport
                      switchport port-security
                      switchport port-security maximum 10
                      switchport port-security maximum 7 vlan 10
                      switchport port-security maximum 3 vlan 20
                      switchport port-security violation restrict

                    Configuration Example of Port Security in a vPC Domain

                    The following example shows how to enable and configure port security on vPC peers in a vPC domain. The first switch is the primary vPC peer and the second switch is the secondary vPC peer. It is assumed that domain 103 has already been created.

                    primary_switch(config)# feature port-security
                    primary_switch(config-if)# int e1/1
                    primary_switch(config-if)# switchport port-security
                    primary_switch(config-if)# switchport port-security max 1025
                    primary_switch(config-if)# switchport port-security violation restrict
                    primary_switch(config-if)# switchport port-security aging time 4
                    primary_switch(config-if)# switchport port-security aging type absolute
                    primary_switch(config-if)# switchport port-security mac sticky
                    primary_switch(config-if)# switchport port-security mac-address 0.0.1 vlan 101
                    primary_switch(config-if)# switchport port-security mac-address 0.0.2 vlan 101
                    primary_switch(config-if)# copy running-config startup-config
                    
                    secondary_switch(config)# int e103/1/1
                    secondary_switch(config-if)# switchport port-security
                    secondary_switch(config-if)# copy running-config startup-config
                    

                    Default Settings for Port Security

                    This table lists the default settings for port security parameters.



                    Table 1 Default Port Security Parameters

                    Parameters

                    Default

                    Port security enablement globally

                    Disabled

                    Port security enablement per interface

                    Disabled

                    MAC address learning method

                    Dynamic

                    Interface maximum number of secure MAC addresses

                    1

                    Security violation action

                    Shutdown

                    Additional References for Port Security

                    Related Documents

                    Related Topic

                    Document Title

                    Layer 2 switching

                    Cisco Nexus 6000 Series NX-OS Layer 2 Switching Configuration Guide

                    Port security commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples

                    Cisco Nexus 6000 Series NX-OS Security Command Reference

                    Standards

                    Standards

                    Title

                    No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

                    MIBs

                    Cisco NX-OS provides read-only SNMP support for port security.

                    MIBs

                    MIBs Link

                    • CISCO-PORT-SECURITY-MIB
                    Note   

                    Traps are supported for notification of secure MAC address violations.

                    To locate and download MIBs, go to the following URL:

                    http:/​/​www.cisco.com/​public/​sw-center/​netmgmt/​cmtk/​mibs.shtml