Interfaces Configuration Guide, Cisco DCNM for LAN, Release 6.x
Configuring Port Profiles

Configuring Port Profiles


This chapter describes how to configure port profiles using Cisco Data Center Network Manager (DCNM).

This chapter includes the following sections:

Information About Port Profiles

Licensing Requirements for Port Profiles

Platform Support

Configuring Port Profiles

Field Descriptions for Port Profiles

Additional References

Feature History for Port Profiles

Information About Port Profiles

A port profile is a mechanism for simplifying the configuration of interfaces. You can configure a port profile and then assign it to multiple interfaces to give them all the same configuration. Changes to the port profile are propagated to the configuration of any interface that is assigned to it.

You can configure Ethernet or vEthernet port profiles to which you can assign Ethernet or vEthernet interfaces, respectively.


Note We do not recommend that you override port profile configurations by making changes to the assigned interface configurations. Only make configuration changes to interfaces to quickly test a change or to disable a port.



Note System-message logging levels for the Port Profiles feature must meet or exceed Cisco DCNM requirements. During device discovery, Cisco DCNM detects inadequate logging levels and raises them to the minimum requirements. Cisco Nexus 7000 Series Switches that run Cisco NX-OS Release 4.0 are an exception. For Cisco NX-OS Release 4.0, prior to device discovery, use the command-line interface to configure logging levels to meet or exceed Cisco DCNM requirements. For more information, see the Fundamentals Configuration Guide, Cisco DCNM for LAN, Release 5.x.


This section includes the following topics:

Port Profile States

Port Profile Inheritance

Port Profile Visibility

System Port Profiles

Port Profiles and Port Groups

Port Profile Characteristics

Port Profiles and vPC Host Mode

Port Profiles and MAC Pinning

Port Profiles and Layer 3 Control

Port Profiles and iSCSI Multipath

Port Profile States

A port profile can be in one of two states: enabled or disabled.

When disabled, a port profile is not applied to assigned ports. In addition, if the port profile is exporting policies to a VMware port group, the port group is not created on the vCenter Server.

When enabled, a port profile is applied to assigned ports. If the port profile is configured to inherit policies from a VMware port group, the port group is created on the vCenter Server.

Port Profile Inheritance

You can assign port profiles to other port profiles. The configuration attributes of the parent port profile are copied over to and stored in the child port profile. You can override inherited attributes by configuring those attributes explicitly in the child port profile.

You can change settings directly on the new port profile to override the inherited settings.

You can also explicitly remove port profile inheritance, so that a port profile returns to the default settings, except where there has been a direct configuration.

Four levels of inheritance are supported. The same port profile can be inherited by any number of port profiles.
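
The inheritance rules described in this section, modeled as an added Python example (not Cisco DCNM or NX-OS code) that resolves a profile's effective settings and lists where a child overrides its parent. The attribute names and sample profiles are constructed, and treating a level as one parent link is an assumption.

```python
# Added illustration: a model of port profile inheritance for audit purposes.
# It does not talk to DCNM or a switch; attribute names are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_INHERITANCE_LEVELS = 4  # "Four levels of inheritance are supported."


@dataclass
class PortProfile:
    name: str
    parent: Optional[str] = None                              # inherited profile
    direct: Dict[str, object] = field(default_factory=dict)   # explicit settings


def inheritance_chain(profiles: Dict[str, PortProfile], name: str) -> List[str]:
    """Return [name, parent, grandparent, ...]; reject loops and over-deep chains."""
    chain: List[str] = []
    current: Optional[str] = name
    while current is not None:
        if current in chain:
            raise ValueError(f"inheritance loop at {current!r}")
        if current not in profiles:
            raise KeyError(f"unknown port profile {current!r}")
        chain.append(current)
        current = profiles[current].parent
    # Assumption: one "level" is one parent link, so at most four links per chain.
    if len(chain) - 1 > MAX_INHERITANCE_LEVELS:
        raise ValueError(f"{name!r} exceeds {MAX_INHERITANCE_LEVELS} inheritance levels")
    return chain


def effective_config(profiles: Dict[str, PortProfile],
                     name: str) -> Dict[str, Tuple[object, str]]:
    """Map each attribute to (value, name of the profile that supplied it)."""
    resolved: Dict[str, Tuple[object, str]] = {}
    # Walk from the most distant ancestor down so nearer profiles override.
    for owner in reversed(inheritance_chain(profiles, name)):
        for attr, value in profiles[owner].direct.items():
            resolved[attr] = (value, owner)
    return resolved


def overrides(profiles: Dict[str, PortProfile], name: str) -> List[str]:
    """Attributes set directly on the profile that differ from the inherited value."""
    prof = profiles[name]
    if prof.parent is None:
        return []
    inherited = effective_config(profiles, prof.parent)
    return sorted(a for a, v in prof.direct.items()
                  if a in inherited and inherited[a][0] != v)


def without_inheritance(profiles: Dict[str, PortProfile], name: str) -> Dict[str, object]:
    """Settings left after the parent is removed: only direct configuration
    survives; every other attribute returns to its default."""
    return dict(profiles[name].direct)


# Constructed sample: a hardened base profile and two descendants.
SAMPLE = {
    "base-access": PortProfile("base-access", None, {
        "mode": "access", "port_security": True, "max_mac": 1, "dhcp_snooping": True}),
    "web-tier": PortProfile("web-tier", "base-access", {"access_vlan": 110}),
    "web-test": PortProfile("web-test", "web-tier", {
        "port_security": False, "max_mac": 1}),
}

if __name__ == "__main__":
    for attr, (value, owner) in sorted(effective_config(SAMPLE, "web-test").items()):
        print(f"{attr:15} = {value!r:8} (from {owner})")
    print("overrides of inherited values:", overrides(SAMPLE, "web-test"))
```

Running the override report across all profiles shows where a child has switched off a security feature that its parent enables, which the flattened view in a single profile does not make obvious.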

Port Profile Visibility

The port profile visibility feature enables you to view a port group without searching the entire list of available port groups. This feature limits access to port groups by introducing roles, user profiles, and groups. The network administrator can give access to port groups by assigning roles, and in turn each role can have multiple users and groups associated with it.

System Port Profiles

A system port profile is a port profile that establishes and protects the vCenter Server connectivity. A system port-profile has system VLANs (that is, control and packet VLANs) configured.

Port Profiles and Port Groups

A port group is a representation of a port profile on the vCenter server. Every port group on the vCenter server is associated with a port profile on the Cisco NX-OS. Network administrators configure port profiles, and then server administrators can use the corresponding port groups on the vCenter server to assign ports to port profiles.

Port Profile Characteristics

You can configure a port profile to have the following characteristics:

Description

VMware settings

Port channels

Static pinning

Switchport mode

VLANs

DHCP snooping

IP source guard

ARP inspection

Port security

MAC or IP ACLs

For more information, see the documentation for your platform.

Port Profiles and vPC Host Mode

You can configure port profiles with the virtual port channel host mode (vPC-HM) feature. vPC-HM allows member ports in a port channel to connect to multiple upstream switches. With vPC-HM, ports are grouped into subgroups (0-31) for traffic separation.

As shown in Figure 10-1, for traffic separation using vPC-HM, member ports 1 and 2 are assigned to subgroup ID 0 and member ports 3 and 4 are assigned to subgroup ID 1.

Figure 10-1 Using vPC-HM to Connect a Port Channel to Multiple Upstream Switches

If the upstream switches do not support port channels, you can use MAC pinning, which allows you to assign each Ethernet port member to a particular port channel subgroup. For more information, see the "Port Profiles and MAC Pinning" section.


Note Do not configure vPC-HM on the Cisco NX-OS if the upstream switches have vPC enabled. If vPC-HM is configured on the Cisco NX-OS and vPC is configured on the upstream switches, the connection can be interrupted or disabled.


To configure a port profile for vPC-HM, see the "Configuring a Port Channel" section.

For information about how subgroups are created and interfaces assigned, see the following sections:

Subgroup Creation Using CDP or Manual Method

Interface Assignment Using Static Pinning

Subgroup Creation Using CDP or Manual Method

If Cisco Discovery Protocol (CDP) is enabled on the upstream switches, then the subgroups are automatically created using CDP information. If CDP is not enabled on the upstream switches, then you must manually create the subgroup on the interface.

You configure this setting as part of the port profile configuration. For more information, see the "Configuring a Port Channel" section.

Interface Assignment Using Static Pinning

Static pinning is a feature that allows you to assign (or pin) a vEthernet interface, control VLAN, or packet VLAN to a specific port channel subgroup. With static pinning, traffic from a vEthernet interface, control VLAN, or packet VLAN is forwarded only through the member ports in the specified subgroup.

To pin a vEthernet interface, control VLAN, or packet VLAN to a specific port channel subgroup, see the "Configuring Static Pinning on a Control or Packet VLAN" section.

You can also pin vEthernet interfaces to subgroups in interface configuration mode. For more information, see the "Configuring Static Pinning on a vEthernet Interface" section.

Port Profiles and MAC Pinning

MAC pinning is a feature that allows you to assign Ethernet port members to specific port channel subgroups. You can use MAC pinning if one or more upstream switches do not support port channels. Figure 10-2 shows each member port that is assigned to a specific port channel subgroup using MAC pinning.

Figure 10-2 Using MAC Pinning to Connect a Port Channel to Multiple Upstream Switches

Port Profiles and Layer 3 Control

Layer 3 control, or IP connectivity, is supported between the Virtual Supervisor Module (VSM) and Virtual Ethernet Module (VEM) for control and packet traffic and is required for the Cisco Nexus 1000V domain. With Layer 3 control, a VSM can be Layer 3 accessible and control hosts that reside in a separate Layer 2 network. All hosts controlled by a VSM, however, must still reside in the same Layer 2 network. Because a VSM cannot control a host that is outside of the Layer 2 network it controls, the host on which it resides must be controlled by another VSM.

To implement Layer 3 control, you must make the following configurations:

Configure the VSM domain transport mode as Layer 3.

For more information, see the documentation and release notes for your platform and software release.

Configure a port profile using the "Configuring a Port Profile for Layer 3 Control" section.

Create a VMware kernel NIC interface on each host and apply the Layer 3 control port profile to it.

For more information, see your VMware documentation.

Figure 10-3 shows an example of Layer 3 control where VSM0 controls VEM_0_1; VEM_0_1, in turn, hosts VSM1 and VSM2; and VSM1 and VSM2 control VEMs in other Layer 2 networks.

Figure 10-3 Example of Layer 3 Control IP Connectivity

Port Profiles and iSCSI Multipath

The iSCSI multipath feature sets up multiple routes between a server and its storage devices for maintaining a constant connection and balancing the traffic load. The multipathing software handles all input and output requests and passes them through on the best possible path. Traffic from host servers is transported to shared storage using the iSCSI protocol that packages SCSI commands into iSCSI packets and transmits them on the Ethernet network.

If a path or any component along the path fails, the server selects another of the available paths.

Licensing Requirements for Port Profiles

The following table shows the licensing requirements for this feature:

Product: Cisco DCNM
License Requirement: Port Profiles requires no license. Any feature not included in a license package is bundled with the Cisco DCNM and is provided at no charge to you. For information about obtaining and installing a Cisco DCNM LAN Enterprise license, see the Fundamentals Configuration Guide, Cisco DCNM for LAN, Release 5.x.

Product: Cisco NX-OS
License Requirement: Port Profiles require no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme for your platform, see the licensing guide for your platform.


Platform Support

The following platform supports this feature. For platform-specific information, including guidelines and limitations, system defaults, and configuration limits, see the corresponding documentation.

Platform: Cisco Nexus 1000V Series Switches
Documentation: Cisco Nexus 1000V Series Switch Documentation

Platform: Cisco Nexus 5000 Series Switches
Documentation: Cisco Nexus 5000 Series Switch Documentation

Platform: Cisco Nexus 7000 Series Switches
Documentation: Cisco Nexus 7000 Series Switch Documentation


Configuring Port Profiles

You can configure port profiles in Cisco DCNM.

This section includes the following topics:

Creating a Port Profile

Deleting a Port Profile

Enabling and Disabling Port Profiles

Port Profile Visibility

Configuring Port Profile Inheritance

Configuring a System Port Profile

Configuring a Port Profile with a Virtual Service Domain

Configuring a Port Profile for Layer 3 Control

Configuring a Port Profile for iSCSI Multipath

Configuring a Port Profile as a VMware Port Group

Configuring a Port Channel

Configuring Static Pinning on a vEthernet Interface

Configuring Static Pinning on a Control or Packet VLAN

Configuring Port Management

Configuring a Port Profile as a Private VLAN

Configuring DHCP Snooping

Configuring IP Source Guard

Configuring ARP Inspection

Enabling or Disabling Port Security on a Layer 2 Interface

Enabling or Disabling Sticky MAC Address Learning

Configuring a Maximum Number of MAC Addresses

Configuring an Address Aging Type and Time

Configuring a Security Violation Action

Configuring an IPv4 ACL

Configuring a MAC ACL

Verifying the CLI

Copying Port Profiles to Multiple Devices

Creating a Port Profile

You can create an Ethernet or vEthernet port profile.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the device for which you want to create a port profile.

Step 3 From the menu bar, choose Actions > New > L2 Ethernet Profile or VEthernet Profile.

The new profile appears in the Summary pane.

Step 4 From the Summary pane, enter a name in the Name field.

Step 5 From the Settings tab, enter a description in the Description field.

Step 6 From the menu bar, choose File > Deploy to apply your changes to the device.


Deleting a Port Profile

You can delete port profiles that you no longer use.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, expand the device that has the port profiles that you want to delete.

Step 3 Choose one or more port profiles to delete.

Step 4 From the menu bar, choose Actions > Delete Port Profile and click Yes to confirm.

Step 5 From the menu bar, choose File > Deploy to apply your changes to the device.


Enabling and Disabling Port Profiles

You can enable or disable port profiles.

BEFORE YOU BEGIN

Create a port profile or determine which existing port profile you want to use.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, expand the device that has the port profiles that you want to enable or disable.

Step 3 Choose one or more port profiles to enable or disable.

Step 4 From the menu bar, choose Actions > Enable Port Profiles or Disable Port Profiles.

Step 5 From the menu bar, choose File > Deploy to apply your changes to the device.


Managing Port Profile Roles

You can manage the port profile roles.

BEFORE YOU BEGIN

Create a port profile or determine which existing port profile you want to use. Enable the port profile visibility feature by selecting the device, right-clicking, and selecting the Enable Port Profile Visibility option.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile > Visibility.

Devices that support this feature appear in the Device View pane.

Step 2 Click on Add to create a new port profile role for the device.

Step 3 Select a port profile name and click Delete to delete the port profile role.

Step 4 Select a port profile role and configure the port profile role settings. Enter the Name, Description, and select the Users.

Step 5 Click Add Group to add a new group to the port profile role. You can add a user to the group and delete a user from the group by clicking the Add User and Delete buttons, respectively.

Step 6 You can assign a port profile by selecting a port profile from the drop-down list and assigning it to the port profile roles. Also, select the Type of port profile from the drop-down list.

Step 7 Click on the Visibility View pane to view the details of accessible port-profiles with roles for the users and groups.

Step 8 Click on the Add button to Assign Port-Profile Role to a port-profile.

Step 9 You can also grant access to a port profile for a user group depending upon the user credentials. You can also perform this operation from the Association panel.

Step 10 Click on Delete to delete the selected port profile role.


Configuring Port Profile Inheritance

You can configure a port profile to inherit the settings of another port profile.

BEFORE YOU BEGIN

Create a port profile or determine which existing port profile you want to use.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the port profile to which you want to assign another port profile.

Step 3 From the Details pane, click the Settings tab.

Step 4 Expand the Basic Settings section.

Step 5 From the Parent Profile drop-down list, choose the port profile that you want to inherit.


Note To remove a parent port profile, delete the name from the Parent Profile field.


Step 6 From the menu bar, choose File > Deploy to apply your changes to the device.


Configuring a System Port Profile

You can configure a port profile as a system port profile.

BEFORE YOU BEGIN

Create a port profile or determine which existing port profile you want to use.

Configure the port admin status to active (up).

Configure the port mode as access or trunk.

Create VLANs to be used as system VLANs.

Configure access or trunk-allowed VLANs.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the port profile that you want to configure as a system port profile.

Step 3 In the Details pane, click the Advanced Settings tab.

Step 4 Expand the System, VM Settings section.

Step 5 In the System VLAN drop-down list, choose a VLAN to be used as the system VLAN.

Step 6 From the menu bar, choose File > Deploy to apply your changes to the device.


Configuring a Port Profile with a Virtual Service Domain

You can configure a Virtual Service Domain (VSD) to classify and separate traffic for network services in the specified port profile.

BEFORE YOU BEGIN

Create a port profile or determine which existing port profile you want to use.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the port profile that you want to configure with a virtual service domain.

Step 3 In the Details pane, click the Advanced Settings tab.

Step 4 Expand the System, VM Settings section.

Step 5 In the Virtual Service Domain field, enter a name for the virtual service domain.

Step 6 From the menu bar, choose File > Deploy to apply your changes to the device.


Configuring a Port Profile for Layer 3 Control

You can configure a port profile for Layer 3 control to allow the Virtual Supervisor Module (VSM) and Virtual Ethernet Module (VEM) to communicate over IP for control and packet traffic.

BEFORE YOU BEGIN

Make sure that the transport mode for the VSM domain has already been configured as Layer 3. For more information, see the documentation and release notes for your platform and software release.

Make sure that all VEMs belong to the same Layer 2 domain.

Make sure that the VEM VM kernel NIC connects to this Layer 3 control port profile when adding the host to the Cisco NX-OS Distributed Virtual Switch (DVS).

Be aware that only one VM kernel NIC can be assigned to this Layer 3 control port profile per host.

If more than one VMware kernel NIC is assigned to a host, the last one assigned takes effect.

If more than one VMware kernel NIC is assigned to a host, and you remove the second one assigned, then the VEM does not use the first one assigned. Instead, you must remove both VMware kernel NICs and then add one back.

Make sure you know the VLAN ID for the VLAN you are adding to this Layer 3 control port profile.

The VLAN must already be created on the Cisco NX-OS.

The VLAN assigned to this Layer 3 control port profile must be a system VLAN.

One of the uplink ports must already have this VLAN in its system VLAN range.

Make sure that the port profile is an access port profile. It cannot be a trunk port profile. This procedure includes steps to configure the port profile as an access port profile.

Be aware that more than one port profile can be configured with Layer 3 control.

Be aware that different hosts can use different VLANs for Layer 3 control.

Create a vEthernet port profile or determine which existing vEthernet port profile you want to use.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the vEthernet port profile that you want to configure for Layer 3 control.

Step 3 In the Details pane, click the Advanced Settings tab.

Step 4 Expand the System, VM Settings section.

Step 5 In the System VLAN drop-down list, choose the system VLAN for this port profile. Configuring the system VLAN ensures that when the host is added for the first time or rebooted later, the VEM is able to reach the VSM.


Note One of the uplink ports must have this VLAN in its system VLAN range.


Step 6 In the Capability drop-down list, choose Layer 3 Control to allow the port profile to be used for IP connectivity.


Note In the vCenter Server, the Layer 3 control port profile must be selected and assigned to the VM kernel NIC physical port.


Step 7 Check VM Port Group to assign a VMware port group to the port profile.

Step 8 In the Port Group Name field, enter the name of the VMware port group that you want to map to the port profile.

Step 9 In the Details pane, click the Features tab.

Step 10 Expand Interfaces and choose Ethernet.

Step 11 In the Admin Status drop-down list, choose Up to administratively enable all ports in the profile.

Step 12 In the Mode drop-down list, choose Access to designate that the interfaces are switch access ports (the default).

Step 13 Expand Switching and choose VLAN.

Step 14 In the Access VLAN drop-down list, choose the system VLAN ID.

Step 15 In the Details pane, click the Settings tab.

Step 16 Expand the Basic Settings section.

Step 17 In the State drop-down list, choose Enabled.

Step 18 From the menu bar, choose File > Deploy to apply your changes to the device.

The configuration for this port profile is applied to the assigned ports, and the port group is created in the VMware vSwitch on the vCenter Server.
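
The prerequisites and settings for a Layer 3 control port profile, expressed as an added pre-deployment check in Python (not Cisco DCNM or NX-OS code). The data model, field names, finding codes, and sample inventory are constructed for illustration.

```python
# Added illustration: checks the Layer 3 control requirements listed in this
# section against a constructed inventory. It does not query DCNM or a switch.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str]  # (short code, human-readable detail)


@dataclass
class L3Profile:
    name: str
    profile_type: str        # "vethernet" or "ethernet"
    mode: str                # "access" or "trunk"
    access_vlan: int
    system_vlans: Set[int]
    capability: str          # value chosen in the Capability drop-down list
    state_enabled: bool


@dataclass
class Uplink:
    name: str
    system_vlans: Set[int]


def check_l3_control(profile: L3Profile, uplinks: List[Uplink],
                     device_vlans: Set[int],
                     vmknics_by_host: Dict[str, List[str]]) -> List[Finding]:
    """Return one finding per unmet requirement; an empty list means ready.

    vmknics_by_host maps each host to the VM kernel NICs attached to this
    profile, in the order they were assigned.
    """
    findings: List[Finding] = []
    vlan = profile.access_vlan

    if profile.profile_type != "vethernet":
        findings.append(("not-vethernet", "Layer 3 control uses a vEthernet port profile"))
    if profile.capability != "Layer 3 Control":
        findings.append(("capability-missing", "Capability is not set to Layer 3 Control"))
    if profile.mode != "access":
        findings.append(("not-access", "profile must be an access port profile, not trunk"))
    if vlan not in device_vlans:
        findings.append(("vlan-not-created", f"VLAN {vlan} does not exist on the device"))
    if vlan not in profile.system_vlans:
        findings.append(("not-system-vlan", f"VLAN {vlan} is not a system VLAN of the profile"))
    if not any(vlan in u.system_vlans for u in uplinks):
        findings.append(("no-uplink-system-vlan",
                         f"no uplink has VLAN {vlan} in its system VLAN range"))
    if not profile.state_enabled:
        findings.append(("disabled", "a disabled profile is not applied to assigned ports"))

    # Only one VM kernel NIC per host may use the profile; with more than one,
    # the last one assigned takes effect.
    for host, nics in sorted(vmknics_by_host.items()):
        if len(nics) > 1:
            findings.append(("multiple-vmknics",
                             f"{host} has {nics}; only {nics[-1]} (assigned last) is used"))
    return findings


def codes(findings: List[Finding]) -> List[str]:
    return [code for code, _ in findings]


# Constructed sample inventory.
DEVICE_VLANS = {1, 260, 261}
UPLINKS = [Uplink("system-uplink", {260}), Uplink("vm-uplink", set())]

GOOD = L3Profile("l3-control", "vethernet", "access", 260, {260},
                 "Layer 3 Control", True)
GOOD_NICS = {"esx-01": ["vmk1"], "esx-02": ["vmk1"]}

BAD = L3Profile("l3-control-bad", "vethernet", "trunk", 261, set(),
                "Layer 3 Control", True)
BAD_NICS = {"esx-01": ["vmk1", "vmk2"]}

if __name__ == "__main__":
    for prof, nics in ((GOOD, GOOD_NICS), (BAD, BAD_NICS)):
        result = check_l3_control(prof, UPLINKS, DEVICE_VLANS, nics)
        print(prof.name, "->", "ready" if not result else "")
        for code, detail in result:
            print(f"  [{code}] {detail}")
```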


Configuring a Port Profile for iSCSI Multipath

You can configure communication multipathing between hosts and targets using the iSCSI protocol by creating an iSCSI multipath port profile and then assigning an interface to it.

BEFORE YOU BEGIN

Make sure that you have already configured the host with a port channel that includes two or more physical NICs.

Make sure that you have already created VMware kernel NICs to access the SAN external storage.

Create a system VLAN on the Cisco NX-OS that you will use for this iSCSI multipath port profile, or determine which system VLAN you will use. Make sure that one of the uplink ports already has this VLAN in its system VLAN range.

Create a vEthernet port profile or determine which existing vEthernet port profile you will use.

Make sure that the port profile is an access port profile. It cannot be a trunk port profile.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the vEthernet port profile that you want to configure for iSCSI Multipath.

Step 3 In the Details pane, click the Advanced Settings tab.

Step 4 Expand the System, VM Settings section.

Step 5 In the System VLAN drop-down list, choose the system VLAN for this port profile. Configuring the system VLAN ensures that when the host is added for the first time or rebooted later, the VEM is able to reach the VSM.


Note One of the uplink ports must have this VLAN in its system VLAN range.


Step 6 In the Capability drop-down list, choose ISCSI-MULTIPATH to allow the port profile to be used for iSCSI multipathing.


Note In the vCenter Server, the iSCSI multipath port profile must be selected and assigned to the VM kernel NIC port.


Step 7 Check VM Port Group to assign a VMware port group to the port profile.

Step 8 In the Port Group Name field, enter the name of the VMware port group that you want to map to the port profile.

Step 9 In the Details pane, click the Features tab.

Step 10 Expand Interfaces and choose Ethernet.

Step 11 In the Admin Status drop-down list, choose Up to administratively enable all ports in the profile.

Step 12 In the Mode drop-down list, choose Access to designate that the interfaces are switch access ports (the default).

Step 13 Expand Switching and choose VLAN.

Step 14 In the Access VLAN drop-down list, choose the system VLAN ID.

Step 15 In the Details pane, click the Settings tab.

Step 16 Expand the Basic Settings section.

Step 17 In the State drop-down list, choose Enabled.

Step 18 From the menu bar, choose File > Deploy to apply your changes to the device.

The configuration for this port profile is applied to the assigned ports, and the port group is created in the VMware vSwitch on the vCenter Server.


Configuring a Port Profile as a VMware Port Group

You can configure a port profile as a VMware port group. When a vCenter Server connection is established, the port group created in Cisco NX-OS is then distributed to the virtual switch on the vCenter Server.

BEFORE YOU BEGIN

Create a port profile or determine which existing port profile you want to use.

Create a VMware port group on the VMware server. For information, see your VMware documentation.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the desired port profile.

Step 3 In the Details pane, click the Advanced Settings tab.

Step 4 Check VM Port Group to assign a VMware port group to the port profile.

Step 5 In the Port Group Name field, enter the name of the VMware port group that you want to map to the port profile.

Step 6 (Optional) If you want to restrict the number of ports that can be assigned to the port profile, in the Max Ports field, enter the number of ports. The range is from 1 to 1024.


Note You can only make this restriction on nonuplink type port profiles.


Step 7 From the menu bar, choose File > Deploy to apply your changes to the device.


Configuring a Port Channel

You can configure a port channel for vPC-HM in a port profile.

BEFORE YOU BEGIN

Create a port profile or determine which existing port profile you want to use.

You need to know whether Cisco Discovery Protocol (CDP) is configured in the upstream switches. If you are using CDP with the default CDP timer (60 seconds), links that advertise that they are in service and then out of service in quick succession can take up to 60 seconds to be returned to service.

You need to configure vPC-HM when port channels connect to multiple upstream switches. If vPC-HM is not configured, the VMs behind the Cisco NX-OS receive duplicate packets from the network for unknown unicasts, multicast floods, and broadcasts.

Do not configure vPC-HM on the Cisco NX-OS if the upstream switches have vPC enabled. If vPC-HM is configured on the Cisco NX-OS and vPC is configured on the upstream switches, connectivity issues can occur.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the desired port profile.

Step 3 In the Details pane, click the Advanced Settings tab.

Step 4 Expand the Port Channel, Pinning Settings section.

Step 5 Check Channel Group Auto and in the Protocol Mode drop-down list, choose Active, Passive, or On.

On is the default channel mode, and all port channels that are not running the Link Aggregation Control Protocol (LACP) need to be in this mode.

Active specifies that when you enable LACP, the interface is in an active negotiating state in which the port initiates negotiations with other ports by sending LACP packets.

Passive specifies that when you enable LACP, the interface is in a passive negotiation state, in which the port responds to LACP packets that it receives but does not initiate LACP negotiation.

Step 6 (Optional) Do one of the following:

If CDP is configured on the upstream switches, in the SubGroup drop-down list, choose CDP.

If CDP is not configured on the upstream switches, in the SubGroup drop-down list, choose Manual.

If the upstream switch does not support port channels, check MAC Pinning and in the Subgroup ID field, enter the ID number (0-31) of the subgroup to manage traffic for the upstream switch(es).

Step 7 From the menu bar, choose File > Deploy to apply your changes to the device.


Configuring Static Pinning on a vEthernet Interface

You can configure static pinning on vEthernet interfaces in a vEthernet port profile.


Note You can also configure static pinning on a specific vEthernet interface. For information, see the "Configuring Static Pinning on a vEthernet Interface" section.


BEFORE YOU BEGIN

Create a port profile or determine which existing port profile you want to use.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the desired vEthernet port profile.

Step 3 In the Details pane, click the Advanced Settings tab.

Step 4 Expand the Port Channel, Pinning Settings section.

Step 5 In the Subgroup ID field, enter an ID number from 1 to 31.

Step 6 From the menu bar, choose File > Deploy to apply your changes to the device.


Configuring Static Pinning on a Control or Packet VLAN

You can configure static pinning on a control or packet VLAN.

BEFORE YOU BEGIN

Create an Ethernet type system port profile. For information, see the "Configuring a System Port Profile" section.

To configure static pinning on a control VLAN, make sure that the control VLAN is specified as one of the system VLANs for the port profile.

To configure static pinning on a packet VLAN, make sure that the packet VLAN is specified as one of the packet VLANs for the port profile.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the desired port profile.

Step 3 In the Details pane, click the Advanced Settings tab.

Step 4 Expand the Port Channel, Pinning Settings section.

Step 5 Do one of the following:

To configure static pinning on a control VLAN, in the Control VLAN Subgroup ID field, enter an ID number from 1 to 31.

To configure static pinning on a packet VLAN, in the Packet VLAN Subgroup ID field, enter an ID number from 1 to 31.

Step 6 From the menu bar, choose File > Deploy to apply your changes to the device.


Configuring Port Management

You can configure port management, including access and trunk modes, and the administrative state for each port in the profile.

BEFORE YOU BEGIN

Create a port profile or determine which existing port profile you want to use.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the desired port profile.

Step 3 In the Details pane, click the Features tab.

Step 4 Expand Interfaces and choose Ethernet.

Step 5 In the Mode drop-down list, choose one of the following:

Access—Transmits packets on only one, untagged VLAN. You specify the VLAN whose traffic the interface carries, which becomes the access VLAN. If you do not specify a VLAN for an access port, that interface carries traffic only on the default VLAN. The default VLAN is VLAN1.

Trunk—Transmits untagged packets for the native VLAN and transmits encapsulated, tagged packets for all other VLANs.

Step 6 In the Admin Status drop-down list, choose Up.

Step 7 From the menu bar, choose File > Deploy to apply your changes to the device.


Configuring a Port Profile as a Private VLAN

You can configure a port profile to be used as a private VLAN (PVLAN).

For more information about private VLANs, see the documentation for your platform and software release.

BEFORE YOU BEGIN

Create a port profile or determine which existing port profile you want to use.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the desired port profile.

Step 3 In the Details pane, click the Features tab.

Step 4 Expand Interfaces and choose Ethernet.

Step 5 In the Mode drop-down list, choose one of the following:

PVLAN Promiscuous—Specifies promiscuous ports that belong to the primary VLAN and communicate with the Layer 3 gateway. Promiscuous ports can communicate with any interface in the PVLAN domain, including those associated with secondary VLANs.

PVLAN Host—Specifies host ports that belong to the secondary VLANs in the PVLAN pairs as either community or isolated PVLAN host ports.

Step 6 Expand the Switching section and choose VLAN.

Step 7 In the PVLAN Host field, enter the ID number of the primary VLAN and one or more ID numbers for the secondary VLANs.

Step 8 From the menu bar, choose File > Deploy to apply your changes to the device.


Configuring DHCP Snooping

You can configure whether a virtual interface that belongs to a port profile is a trusted or untrusted source of DHCP messages, and you can set the rate limit for DHCP packets received on each port.

BEFORE YOU BEGIN

Ensure that the Virtual Supervisor Module (VSM) and all Virtual Ethernet Modules (VEMs) are running a software release that supports this feature, and that the VEM feature level has been updated (see the documentation for your platform and software).

Be aware that vEthernet interfaces are untrusted by default. The only exception is the special vEthernet ports used by other features such as Virtual Service Domain (VSD), which are trusted.

Ensure that the vEthernet interface is configured as a Layer 2 interface.

Be aware that, for seamless DHCP snooping, Dynamic ARP Inspection (DAI), and IP Source Guard, the VSD service Virtual Machine (VM) ports are trusted ports by default. If you configure these ports as untrusted, this setting is ignored.

Be aware that a failure to conform to the set rate causes the port to be put into an errdisable state.

Create a port profile or determine which existing port profile you want to use.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the desired port profile.

Step 3 In the Details pane, click the Features tab.

Step 4 Expand the Switching section and choose DHCP Snooping.

Step 5 In the Trust State drop-down list, choose Trusted to configure the interfaces as trusted for DHCP snooping or choose Untrusted to configure the interfaces as untrusted for DHCP snooping.

Step 6 In the Rate Limit field, enter a number from 1 to 2048.

Step 7 From the menu bar, choose File > Deploy to apply your changes to the device.


Configuring IP Source Guard

You can enable or disable IP Source Guard for interfaces that belong to a port profile.

BEFORE YOU BEGIN

Ensure that the Virtual Supervisor Module (VSM) and all Virtual Ethernet Modules (VEMs) are running a software release that supports this feature, and that the VEM feature level has been updated (see the documentation for your platform and software).

Be aware that IP Source Guard is disabled on all interfaces by default.

Ensure that DHCP snooping is enabled. For more information, see the "Configuring DHCP Snooping" section.

Create a port profile or determine which existing port profile you want to use.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the desired port profile.

Step 3 In the Details pane, click the Features tab.

Step 4 Expand the Switching section and choose IP Source Guard.

Step 5 Check IP Source Guard to enable the feature or uncheck it to disable the feature.

Step 6 From the menu bar, choose File > Deploy to apply your changes to the device.


Configuring ARP Inspection

You can configure vEthernet interfaces that belong to a port profile as trusted for Address Resolution Protocol (ARP) inspection.

BEFORE YOU BEGIN

Be aware that vEthernet interfaces are untrusted by default, unless they are part of a Virtual Switch Domain (VSD).

Be aware that, if an interface is untrusted, all ARP requests and responses are verified for a valid IP-MAC address binding before the local cache is updated and the packet is forwarded. If a packet has an invalid IP-MAC address binding, it is dropped.

Be aware that ARP packets received on a trusted interface are forwarded but not checked.

Create a vEthernet port profile or determine which existing vEthernet port profile you want to use.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the desired port profile.

Step 3 In the Details pane, click the Features tab.

Step 4 Expand the Switching section and choose ARP Inspection.

Step 5 In the Trust State drop-down list, choose Trusted to configure the interfaces as trusted for ARP inspection or choose Untrusted to configure the interfaces as untrusted for ARP inspection.

Step 6 In the Rate Limit field, enter a number from 1 to 2048.

Step 7 From the menu bar, choose File > Deploy to apply your changes to the device.
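The trust and binding rules above, modelled as an added example (not Cisco's code and not part of the original guide). The Port class, inspect_arp function, binding table and all addresses are constructed for illustration, and the model assumes that an ARP rate-limit violation puts the port into errdisable, as the guide states for the DHCP snooping rate.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def norm_mac(mac: str) -> Optional[str]:
    """Reduce aa:bb:cc:dd:ee:ff, aa-bb-... or aabb.ccdd.eeff to 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


@dataclass
class Port:
    name: str
    trusted: bool = False            # guide: vEthernet interfaces are untrusted by default
    rate_limit: Optional[int] = 15   # packets/s; None = unlimited (trusted default)
    errdisabled: bool = False
    _second: int = -1                # one-second window currently being counted
    _seen: int = 0                   # ARP packets seen in that window

    def __post_init__(self):
        if self.rate_limit is not None and not 1 <= self.rate_limit <= 2048:
            raise ValueError("Rate Limit must be a number from 1 to 2048")


# Constructed binding table: (vlan, ip) -> normalized MAC.
BINDINGS: Dict[Tuple[int, str], Optional[str]] = {
    (100, "10.0.100.1"): norm_mac("0050.56aa.0001"),      # gateway
    (100, "10.0.100.11"): norm_mac("00:50:56:aa:00:11"),  # VM
}


def inspect_arp(port, vlan, sender_ip, sender_mac, bindings, now):
    """Return 'forward', 'drop' or 'errdisable' for one ARP packet."""
    if port.errdisabled:
        return "drop"
    # Rate limit: count packets per whole second (assumed enforcement model).
    second = int(now)
    if second != port._second:
        port._second, port._seen = second, 0
    port._seen += 1
    if port.rate_limit is not None and port._seen > port.rate_limit:
        port.errdisabled = True
        return "errdisable"
    # Trusted interface: forwarded but not checked.
    if port.trusted:
        return "forward"
    # Untrusted interface: sender IP/MAC must match a known binding.
    mac = norm_mac(sender_mac)
    bound = bindings.get((vlan, sender_ip))
    if mac is not None and bound is not None and bound == mac:
        return "forward"
    return "drop"


def demo():
    """Same mismatched packet on an untrusted and on a trusted port."""
    veth = Port("veth1")
    uplink = Port("uplink", trusted=True, rate_limit=None)
    # Constructed packet: VM MAC claiming the gateway's IP address.
    claim = (100, "10.0.100.1", "00:50:56:aa:00:11")
    return [
        inspect_arp(veth, 100, "10.0.100.11", "0050.56AA.0011", BINDINGS, 1.0),
        inspect_arp(veth, *claim, BINDINGS, 1.1),
        inspect_arp(uplink, *claim, BINDINGS, 1.2),
    ]


if __name__ == "__main__":
    print(demo())
```

The third verdict shows why the Trusted state should be reserved for ports whose ARP traffic is already validated elsewhere: the same mismatched packet that an untrusted port drops is forwarded unchecked.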


Enabling or Disabling Port Security on a Layer 2 Interface

You can enable or disable port security on interfaces that belong to a port profile.


Note: You cannot enable port security on a routed interface.


BEFORE YOU BEGIN

Be aware that port security is disabled on all interfaces by default.

Enabling port security on an interface also enables dynamic MAC address learning. If you want to enable sticky MAC address learning, you must also complete the steps in the "Enabling or Disabling Sticky MAC Address Learning" section.

Create a vEthernet port profile or determine which existing vEthernet port profile you want to use.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the desired port profile.

Step 3 In the Details pane, click the Features tab.

Step 4 Expand the Switching section and choose Port Security.

Step 5 In the Port Security drop-down list, choose Enabled to enable the feature or Disabled to disable the feature.

Step 6 From the menu bar, choose File > Deploy to apply your changes to the device.


Enabling or Disabling Sticky MAC Address Learning

You can enable or disable sticky MAC address learning on interfaces that belong to a port profile.

BEFORE YOU BEGIN

Be aware that dynamic MAC address learning is the default on an interface.

Be aware that sticky MAC address learning is disabled by default.

Create a vEthernet port profile or determine which existing vEthernet port profile you want to use.

Make sure that port security is enabled on the port profile that you are configuring.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the desired port profile.

Step 3 In the Details pane, click the Features tab.

Step 4 Expand the Switching section and choose Port Security.

Step 5 Check Stickiness to enable sticky MAC address learning on this port profile or uncheck it to disable the feature.

Step 6 From the menu bar, choose File > Deploy to apply your changes to the device.


Configuring a Maximum Number of MAC Addresses

You can configure the maximum number of MAC addresses that can be learned or statically configured on interfaces that belong to a port profile.


Note: When you specify a maximum number of addresses that is less than the number of addresses already learned or statically configured on the interface, the command is rejected.


BEFORE YOU BEGIN

The Secure MACs share the L2 Forwarding Table (L2FT). The forwarding table for each VLAN can hold up to 1024 entries.

VLANs have no default maximum number of secure MAC addresses.

Create a vEthernet port profile or determine which existing vEthernet port profile you want to use.

Make sure that port security is enabled on the port profile that you are configuring.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the desired port profile.

Step 3 In the Details pane, click the Features tab.

Step 4 Expand the Switching section and choose Port Security.

Step 5 In the Maximum Secure MAC to add field, enter a number from 1 to 1024 to indicate the maximum number of MAC addresses that can be learned or statically configured for the current port profile.

Step 6 From the menu bar, choose File > Deploy to apply your changes to the device.


Configuring an Address Aging Type and Time

You can configure the MAC address aging type and the length of time used to determine when MAC addresses learned by the dynamic method have reached their age limit.

BEFORE YOU BEGIN

Create a vEthernet port profile or determine which existing vEthernet port profile you want to use.

Make sure that port security is enabled on the interface that you are configuring.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the desired port profile.

Step 3 In the Details pane, click the Features tab.

Step 4 Expand the Switching section and choose Port Security.

Step 5 In the Aging Type field, enter the type of aging (Absolute or InActivity) that the device applies to dynamically learned MAC addresses. The default is Absolute.

Step 6 In the Age field, enter the number of minutes that a dynamically learned MAC address must age before the address is dropped. The maximum valid value is 1440 minutes. The default is 0 minutes (no aging).

Step 7 From the menu bar, choose File > Deploy to apply your changes to the device.


Configuring a Security Violation Action

You can configure how interfaces belonging to a port profile respond to a security violation.

BEFORE YOU BEGIN

Create a vEthernet port profile or determine which existing vEthernet port profile you want to use.

Make sure that port security is enabled on the interface that you are configuring.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the desired port profile.

Step 3 In the Details pane, click the Features tab.

Step 4 Expand the Switching section and choose Port Security.

Step 5 In the Violation Action drop-down list, choose the security violation action (Protect, Restrict, or Shutdown) for interfaces assigned to this port profile. The default is to shut down the interface.

Step 6 From the menu bar, choose File > Deploy to apply your changes to the device.
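The port security settings from the preceding sections, modelled as an added example (not Cisco's code and not part of the original guide), showing how the aging type and violation action change the outcome for the same traffic. The SecurePort class and the frame data are constructed; the model assumes that Absolute ages an address from when it was learned, InActivity from when it was last seen, sticky addresses do not age, Protect drops silently, Restrict drops and counts the violation, and Shutdown error-disables the port.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1               # guide default: one secure MAC address
    sticky: bool = False           # guide default: dynamic learning
    aging_type: str = "absolute"   # guide default; the other value is "inactivity"
    age: int = 0                   # minutes; 0 = no aging (default), maximum 1440
    violation: str = "shutdown"    # guide default; also "protect" or "restrict"
    table: dict = field(default_factory=dict)  # mac -> [learned_at, last_seen, sticky]
    violations: int = 0
    errdisabled: bool = False

    def __post_init__(self):
        if not 1 <= self.maximum <= 1024:
            raise ValueError("maximum secure MACs must be 1 to 1024")
        if not 0 <= self.age <= 1440:
            raise ValueError("age must be 0 to 1440 minutes")
        if self.aging_type not in ("absolute", "inactivity"):
            raise ValueError("aging type must be absolute or inactivity")
        if self.violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("unknown violation action")

    def set_maximum(self, new_max):
        """Reject a maximum below the number of addresses already secured."""
        if not 1 <= new_max <= 1024 or new_max < len(self.table):
            raise ValueError("rejected: fewer than addresses already learned")
        self.maximum = new_max

    def _expire(self, now):
        """Drop dynamically learned addresses that reached the age limit."""
        if self.age == 0:
            return
        idx = 0 if self.aging_type == "absolute" else 1
        for mac, entry in list(self.table.items()):
            if not entry[2] and now - entry[idx] >= self.age:
                del self.table[mac]

    def frame(self, mac, now):
        """Process one frame from source `mac` at minute `now`."""
        if self.errdisabled:
            return "errdisabled"
        self._expire(now)
        mac = mac.lower()
        if mac in self.table:
            self.table[mac][1] = now
            return "forward"
        if len(self.table) < self.maximum:
            self.table[mac] = [now, now, self.sticky]
            return "forward"
        # Violation: the table is full and the source address is not secured.
        if self.violation == "shutdown":
            self.violations += 1
            self.errdisabled = True
            return "shutdown"
        if self.violation == "restrict":
            self.violations += 1
        return "drop"


def replay(port, frames):
    """Feed (minute, source MAC) pairs to the port and collect the verdicts."""
    return [port.frame(mac, t) for t, mac in frames]


# Constructed traffic: VM address A, then a second address B on the same port.
A, B = "00:50:56:aa:00:11", "00:50:56:aa:00:22"
FRAMES = [(0, A), (6, A), (12, B), (13, A)]

if __name__ == "__main__":
    print(replay(SecurePort(age=10, violation="restrict"), FRAMES))
    print(replay(SecurePort(age=10, aging_type="inactivity",
                            violation="restrict"), FRAMES))
    print(replay(SecurePort(), FRAMES))
```

With Absolute aging, address A expires at minute 12 despite being active, so B takes the only slot and A is then dropped; with InActivity aging, A stays secured and B is the violation.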


Configuring an IPv4 ACL

You can configure an IPv4 access control list (ACL) for interfaces that belong to a port profile.

For information about ACLs, see the documentation for your platform and software release.

BEFORE YOU BEGIN

Create a port profile or determine which existing port profile you want to use.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the desired port profile.

Step 3 In the Details pane, click the Features tab.

Step 4 Expand Security and choose IPv4 ACL.

Step 5 In the Incoming IPv4 Traffic drop-down list, choose the ACL to use for incoming traffic.

Step 6 In the Outgoing IPv4 Traffic drop-down list, choose the ACL to use for outgoing traffic.

Step 7 From the menu bar, choose File > Deploy to apply your changes to the device.


Configuring a MAC ACL

You can configure a MAC access control list (ACL) for interfaces that belong to a port profile.

For information about ACLs, see the documentation for your platform.

BEFORE YOU BEGIN

Create a port profile or determine which existing port profile you want to use.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the desired port profile.

Step 3 In the Details pane, click the Features tab.

Step 4 Expand Security and choose MAC ACL.

Step 5 In the Incoming Traffic drop-down list, choose the ACL to use for incoming traffic.

Step 6 In the Outgoing Traffic drop-down list, choose the ACL to use for outgoing traffic.

Step 7 From the menu bar, choose File > Deploy to apply your changes to the device.


Verifying the CLI

You can verify the configuration that you have created for a port profile and add, change, or delete any commands, if necessary.

BEFORE YOU BEGIN

Create a port profile or determine which existing port profile you want to use.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the desired port profile.

Step 3 In the Details pane, click the CLI tab.

The configuration for the selected port profile appears.

Step 4 (Optional) Add, change, or delete any commands, as desired.

Step 5 From the menu bar, choose File > Deploy to apply your changes to the device.


Copying Port Profiles to Multiple Devices

You can use the Configuration Change Management feature to copy a port profile configuration and deploy it to multiple devices. Using the Configuration Change Management feature, you can also make modifications to the configuration using CLI commands. For more information, see the System Management Configuration Guide, Cisco DCNM for LAN, Release 5.x.

BEFORE YOU BEGIN

Create a port profile or determine which existing port profile you want to use.

DETAILED STEPS


Step 1 From the Feature Selector pane, choose Interfaces > Port Profile.

Devices that support this feature appear in the Summary pane.

Step 2 From the Summary pane, choose the desired port profile.

Step 3 From the menu bar, choose Actions > Copy to Multiple Devices.

The Configuration Delivery Jobs contents pane appears.

Step 4 Customize and deploy your configuration delivery job. For more information, see the System Management Configuration Guide, Cisco DCNM for LAN, Release 5.x.


Field Descriptions for Port Profiles

This section includes the following field descriptions for the Port Profiles feature:

Port Profile: Settings: Basic Settings Section

Port Profile: Settings: Inherited Interfaces Section

Port Profile: Settings: Port Profile Visibility

Port Profile: Advanced Settings: System, VM Settings Section

Port Profile: Advanced Settings: Port Channel, Pinning Section

Port Profile: Features: Interfaces: Ethernet

Port Profile: Features: Switching: VLAN

Port Profile: Features: Switching: DHCP Snooping

Port Profile: Features: Switching: IP Source Guard

Port Profile: Features: Switching: ARP Inspection

Port Profile: Features: Switching: Port Security

Port Profile: Features: Security: IPv4 ACL

Port Profile: Features: Security: MAC ACL

Port Profile: Settings: Basic Settings Section

Table 10-1 Port Profile: Settings: Basic Settings Section

| Field | Description |
|---|---|
| Name | Display only. Name of the port profile. |
| Description | Word or phrase that identifies the port profile. |
| Type | Type of port profile, either Ethernet or vEthernet. |
| Interface Count | Number of interfaces that inherit the selected port profile. |
| State | State of the port profile, either Enabled or Disabled. |
| Parent Profile | Name of the port profile whose characteristics are inherited by the selected port profile. This field is disabled if the selected port profile is at the last level (the fourth level) in the hierarchy. |


Port Profile: Settings: Inherited Interfaces Section

Table 10-2 Port Profile: Settings: Inherited Interfaces Section

| Field | Description |
|---|---|
| Name | Display only. Name of the interface. |
| Description | Display only. Word or phrase that identifies the interface. |
| Host Name | Display only. Name of the host where the interface resides. |
| VM Name | Display only. Name of the virtual machine where the interface resides. |
| VM Adapter | Display only. Number of the virtual machine adapter where the interface resides. |


Port Profile: Settings: Port Profile Visibility

Table 10-3 Port Profile: Settings: Port Profile Visibility

| Field | Description |
|---|---|
| Name | Name of the port profile role. |
| Description | Description of the port profile role. |
| Users | List of users and groups that belong to the selected port profile role. |
| Type | Type of the assigned port profile. |
| User name | User or the group name associated with the port profile role. |
| Device Name | The device name associated with the port profile role. |
| Port Profile Name | The port profile name. |
| Role name | The role name associated with the port profile. |


Port Profile: Advanced Settings: System, VM Settings Section

Table 10-4 Port Profile: Advanced Settings: System, VM Settings Section

| Field | Description |
|---|---|
| System | |
| Virtual Service Domain | Name of the Virtual Service Domain (VSD) where the VM ports reside. |
| System VLAN | System VLANs defined for the port profile. Valid options are 1 to 3967 and 4048 to 4093, None, or one or more specific VLANs. |
| Capability | Capability (either iSCSI multipath or Layer 3) of the vEthernet port profile. This option is disabled for Ethernet port profiles. |
| Profile Role | The port profile role name associated with the device. |
| VM Setting | |
| VM Port Group | Setting that specifies whether the port profile is a VMware port group. |
| Port Group Name | Display only if VM Port Group is not selected. Name of the VMware port group. |
| Max Ports | Maximum number of ports that can be assigned to the port profile. |


Port Profile: Advanced Settings: Port Channel, Pinning Section

Table 10-5 Port Profile: Advanced Settings: Port Channel, Pinning Section 

| Field | Description |
|---|---|
| Channel Setting | |
| Channel Group Auto | Setting that specifies to create and define a channel group for all interfaces that belong to the port profile. |
| Protocol Mode | Protocol mode of the associated port channel. On is the default channel mode, and all port channels that are not running Link Aggregation Control Protocol (LACP) need to be in this mode. Active specifies that when you enable the LACP, the interface is in an active negotiating state in which the port initiates negotiations with other ports by sending LACP packets. Passive specifies that when you enable LACP, the interface is in a passive negotiation state, in which the port responds to LACP packets that it receives but does not initiate LACP negotiation. |
| MAC Pinning | Setting that specifies to attach VEMs to an upstream switch that does not support port channels. There are a maximum of 32 subgroups per port channel, so a maximum of 32 port members can be assigned. |
| SubGroup Mode | Method used for subgroup assignment. Choose CDP if CDP is enabled on the upstream switch or choose Manual to configure subgroups manually. |
| Pinning | |
| Subgroup ID | ID number (0 to 31) of the port channel subgroup used to forward traffic from the vEthernet interfaces that inherit the port profile. |
| Control VLAN Subgroup ID | ID number (0 to 31) of the port channel subgroup used to forward traffic from the control VLAN that inherits the port profile. |
| Packet VLAN Subgroup ID | ID number (0 to 31) of the port channel subgroup used to forward traffic from the packet VLAN that inherits the port profile. |


Port Profile: Features: Interfaces: Ethernet

Table 10-6 Port Profile: Features: Interfaces: Ethernet

| Field | Description |
|---|---|
| Admin Status | Status of the Ethernet interfaces that inherit the port profile. |
| Mode | Port management mode. Valid choices are as follows: Access—Transmits packets on only one, untagged VLAN. You specify the VLAN whose traffic the interface carries, which becomes the access VLAN. If you do not specify a VLAN for an access port, that interface carries traffic only on the default VLAN. The default VLAN is VLAN1. Trunk—Transmits untagged packets for the native VLAN and transmits encapsulated, tagged packets for all other VLANs. PVLAN Promiscuous—Specifies promiscuous ports that belong to the primary VLAN and that communicate with the Layer 3 gateway. Promiscuous ports can communicate with any interface in the PVLAN domain, including those associated with secondary VLANs. PVLAN Host—Specifies host ports that belong to the secondary VLANs in the PVLAN pairs as either community or isolated PVLAN host ports. |


Port Profile: Features: Switching: VLAN

Table 10-7 Port Profile: Features: Switching: VLAN

| Field | Description |
|---|---|
| PVLAN Host | |
| Primary VLAN | ID number of the primary VLAN. |
| Secondary VLAN | ID numbers of the secondary VLANs. |
| PVLAN Promiscuous | |
| Primary VLAN | ID number of the primary VLAN. |
| Secondary VLAN | ID numbers of the secondary VLANs. |
| Trunk | |
| Encapsulation | Display only. IEEE 802.1Q virtual LAN. |
| Allowed VLAN | ID number of the VLANs allowed to transmit data on interfaces that belong to this port profile. The range is 1 to 4094, and the default is 1. VLANs 3968 to 4047 and 4094 are allocated for internal device use and do not carry data traffic. |
| Native VLAN | ID number of the native VLAN to be used for trunk ports. The default is VLAN 1. |
| Access | |
| Access VLAN | ID number of the VLAN to be used for access ports. The default is VLAN 1. |


Port Profile: Features: Switching: DHCP Snooping

Table 10-8 Port Profile: Features: Switching: DHCP Snooping

| Field | Description |
|---|---|
| Trust State | Setting that indicates whether the interfaces in the port profile are trusted or untrusted for DHCP snooping. Valid choices are Trusted and Untrusted. The default is Untrusted. |
| Rate Limit | Number of DHCP packets per second. |


Port Profile: Features: Switching: IP Source Guard

Table 10-9 Port Profile: Features: Switching: IP Source Guard

| Field | Description |
|---|---|
| IP Source Guard | Enables IP Source Guard on all interfaces in the port profile. By default, IP Source Guard is disabled on all interfaces. |


Port Profile: Features: Switching: ARP Inspection

Table 10-10 Port Profile: Features: Switching: ARP Inspection

| Field | Description |
|---|---|
| Trust State | Setting that indicates whether the interfaces in the port profile are trusted or untrusted for ARP Inspection. Valid choices are Trusted and Untrusted. The default is Untrusted. |
| Rate Limit | Number of ARP inspection packets per second. The untrusted interface default is 15 packets per second. Trusted interface default is unlimited packets per second. |


Port Profile: Features: Switching: Port Security

Table 10-11 Port Profile: Features: Switching: Port Security

| Field | Description |
|---|---|
| Secure Interface Config | |
| Port Security | Setting that indicates whether port security is enabled or disabled. Valid choices are Enabled or Disabled. By default, port security is disabled on all interfaces. |
| Violation Action | Action to occur when a port security violation is detected. Valid choices are Protect and Shutdown. The default security action is to shut down the port on which the security violation occurs. |
| Maximum Secure MACs to add | Maximum number of MAC addresses that can be learned or statically configured on a Layer 2 interface. By default, an interface has a maximum of one secure MAC address. |
| Stickiness | Setting that enables or disables sticky MAC address learning on the interface. Dynamic MAC address learning is the default on an interface. |
| Dynamic Config | |
| Aging Type | Type of aging method (Absolute or InActivity) that the device applies to dynamically learned MAC addresses. Absolute aging is the default aging type. |
| Age | Number of minutes that a dynamically learned MAC address must age before the address is dropped. The default is 0 minutes (no aging). |


Port Profile: Features: Security: IPv4 ACL

Table 10-12 Port Profile: Features: Security: IPv4 ACL

| Field | Description |
|---|---|
| Incoming IPv4 Traffic | ACL applied to inbound IP traffic. The default is no ACL. |
| Outgoing IPv4 Traffic | ACL applied to outbound IP traffic. The default is no ACL. |


Port Profile: Features: Security: MAC ACL

Table 10-13 Port Profile: Features: Security: MAC ACL

| Field | Description |
|---|---|
| Incoming Traffic | ACL applied to inbound non-IP traffic. The default is no ACL. |
| Outgoing Traffic | ACL applied to outbound non-IP traffic. The default is no ACL. |


Additional References

For additional information related to implementing port profiles, see the following sections:

Related Documents

Standards

Related Documents

| Related Topic | Document Title |
|---|---|
| Port Profile configuration | Cisco Nexus 1000V Port Profile Configuration Guide, Release 4.0(4)SV1(2) |
| Interface configuration | Cisco Nexus 1000V Interface Configuration Guide, Release 4.0(4)SV1(2) |
| Complete command syntax, command modes, command history, defaults, usage guidelines, and examples for all Cisco NX-OS commands. | Cisco Nexus 1000V Command Reference, Release 4.0(4)SV1(2) |


Standards

| Standards | Title |
|---|---|
| No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | |


Feature History for Port Profiles

This section provides the release history of the port profile feature.

| Feature Name | Releases | Feature Information |
|---|---|---|
| Port Profiles | 5.0 | This feature was introduced. |