-
Cisco Nexus 1000V Security Configuration Guide, 4.2(1)SV2(1.1)
-
Preface
-
New and Changed Information
-
Security Overview
-
Managing User Accounts
-
Configuring AAA
-
Configuring RADIUS
-
Configuring TACACS+
-
Configuring SSH
-
Configuring Telnet
-
Configuring IP ACL
-
Configuring a MAC ACL
-
Configuring Port Security
-
Configuring DHCP Snooping
-
Configuring Dynamic ARP Inspection
-
Configuring IP Source Guard
-
Disabling HTTP Server
-
Blocking Unknown Unicast Flooding
-
Configuring Cisco TrustSec
-
Index
-
Feedback
Contents
- Configuring Port Security
- Information About Port Security
- Secure MAC Address Learning
- Static Method
- Dynamic Method
- Sticky Method
- Dynamic Address Aging
- Secure MAC Address Maximums
- Interface Secure MAC Addresses
- Security Violations and Actions
- Port Security and Port Types
- Result of Changing an Access Port to a Trunk Port
- Result of Changing a Trunk Port to an Access Port
- Guidelines and Limitations for Port Security
- Default Settings for Port Security
- Configuring Port Security
- Enabling or Disabling Port Security on a Layer 2 Interface
- Enabling or Disabling Sticky MAC Address Learning
- Adding a Static Secure MAC Address on an Interface
- Removing a Static or a Sticky Secure MAC Address from an Interface
- Removing a Dynamic Secure MAC Address
- Configuring a Maximum Number of MAC Addresses
- Configuring an Address Aging Type and Time
- Configuring a Security Violation Action
- Recovering Ports Disabled for Port Security Violations
- Verifying the Port Security Configuration
- Displaying Secure MAC Addresses
- Configuration Example for Port Security
- Feature History for Port Security
Configuring Port Security
This chapter contains the following sections:
- Information About Port Security
- Guidelines and Limitations for Port Security
- Default Settings for Port Security
- Configuring Port Security
- Verifying the Port Security Configuration
- Displaying Secure MAC Addresses
- Configuration Example for Port Security
- Feature History for Port Security
Information About Port Security
Port security allows you to configure Layer 2 interfaces that permit inbound traffic from a restricted, secured set of MAC addresses. Traffic from secured MAC addresses is not allowed on another interface within the same VLAN. The number of MAC addresses that can be secured is configured per interface.
- Secure MAC Address Learning
- Dynamic Address Aging
- Secure MAC Address Maximums
- Security Violations and Actions
- Port Security and Port Types
Secure MAC Address Learning
Static Method
- The static learning method allows you to manually add or remove secure MAC addresses in the configuration of an interface.
- A static secure MAC address entry remains in the configuration of an interface until you explicitly remove it.
- Adding secure addresses by the static method is not affected by whether dynamic or sticky address learning is enabled
Dynamic Method
- By default, when you enable port security on an interface, you enable the dynamic learning method. With this method, the device secures MAC addresses as ingress traffic passes through the interface. If the address is not yet secured and the device has not reached any applicable maximum, it secures the address and allows the traffic.
- Dynamic addresses are aged and dropped once the age limit is reached.
- Dynamic addresses do not persist through restarts.
Sticky Method
- If you enable the sticky method, the device secures MAC addresses in the same manner as dynamic address learning. These addresses can be made persistent through a reboot by using the copy run start command to copy the running configuration to the startup-configuration.
- Dynamic and sticky address learning are mutually exclusive. When you enable sticky learning on an interface, dynamic learning is stopped and sticky learning is used instead. If you disable sticky learning, dynamic learning is resumed.
- Sticky secure MAC addresses are not aged.
Dynamic Address Aging
MAC addresses learned by the dynamic method are aged and dropped when reaching the age limit. You can configure the age limit on each interface. The range is from 0 to 1440 minutes, where 0 disables aging.
There are two methods of determining the address age:
Secure MAC Address Maximums
The secure MAC addresses on a secure port are inserted in the same MAC address table as other regular MACs. If a MAC table has reached its limit, it will not learn any new secure MACs for that VLAN.
The secure MAC addresses on a secure port are inserted in the same MAC address table as other regular MACs. If a MAC table has reached its limit, then it will not learn any new secure MACs for that VLAN.
The following figure shows that each VLAN in a VEM has a forwarding table that can store a maximum number of secure MAC addresses.
Interface Secure MAC Addresses
By default, an interface can have only one secure MAC address. You can configure the maximum number of MAC addresses permitted per interface or per VLAN on an interface. Maximums apply to secure MAC addresses learned by any method: dynamic, sticky, or static.
TipTo make use of the full bandwidth of the port, set the maximum number of addresses to one and configure the MAC address of the attached device.
The following limits can determine how many secure MAC address are permitted on an interface:
- Device maximum—The device has a nonconfigurable limit of 8192 secure MAC addresses. If learning a new address would violate the device maximum, the device does not permit the new address to be learned, even if the interface or VLAN maximum has not been reached.
- Interface maximum—You can configure a maximum number of secure MAC addresses for each interface protected by port security. The default interface maximum is one address. Interface maximums cannot exceed the device maximum.
- VLAN maximum—You can configure the maximum number of secure MAC addresses per VLAN for each interface protected by port security. A VLAN maximum cannot exceed the interface maximum. VLAN maximums are useful only for trunk ports. There are no default VLAN maximums.
You can configure a VLAN and interface maximums per interface, as needed; however, when the new limit is less than the applicable number of secure addresses, you must reduce the number of secure MAC addresses first.
Security Violations and Actions
Port security triggers a security violation when either of the following occurs:
- Ingress traffic arrives at an interface from a nonsecure MAC address and learning the address would exceed the applicable maximum number of secure MAC addresses. When an interface has both a VLAN maximum and an interface maximum configured, a violation occurs when either maximum is exceeded. For example, consider the following on a single interface configured with port security: A violation is detected when either of the following occurs:
NoteAfter a secure MAC address is configured or learned on one secure port, the sequence of events that occurs when port security detects that secure MAC address on a different port in the same VLAN is known as a MAC move violation.
When a security violation occurs on an interface, the action specified in its port security configuration is applied. The possible actions that the device can take are as follows:
- Shutdown—Shuts down the interface that received the packet triggering the violation. The interface is error disabled. This action is the default. After you reenable the interface, it retains its port security configuration, including its secure MAC addresses.
You can use the errdisable global configuration command to configure the device to reenable the interface automatically if a shutdown occurs, or you can manually reenable the interface by entering the shutdown and no shut down interface configuration commands.switch(config)# errdisable recovery cause psecure-violation switch(config)# copy running-config startup-config (Optional)- Protect—Prevents violations from occurring. Address learning continues until the maximum number of MAC addresses on the interface is reached, after which the device disables learning on the interface and drops all ingress traffic from nonsecure MAC addresses.
If a violation occurs because ingress traffic from a secure MAC address arrives at a different interface than the interface on which the address is secure, the action is applied on the interface that received the traffic. A MAC Move Violation is triggered on the port that sees the MAC address that is already secured on another interface.
Port Security and Port Types
You can configure port security only on Layer 2 interfaces. Details about port security and different types of interfaces or ports are as follows:
- Access ports—You can configure port security on interfaces that you have configured as Layer 2 access ports. On an access port, port security applies only to the access VLAN.
- Trunk ports—You can configure port security on interfaces that you have configured as Layer 2 trunk ports. VLAN maximums are not useful for access ports. The device allows VLAN maximums only for VLANs associated with the trunk port.
- SPAN ports—You can configure port security on SPAN source ports but not on SPAN destination ports.
- Ethernet Ports—Port security is not supported on Ethernet ports.
- Ethernet Port Channels—Port security is not supported on Ethernet port channels.
Result of Changing an Access Port to a Trunk Port
When you change an access port to a trunk port on a Layer 2 interface configured with port security, all secure addresses learned by the dynamic method are dropped. The device to the native trunk VLAN moves the addresses learned by the static or sticky method.
Result of Changing a Trunk Port to an Access Port
When you change a trunk port to an access port on a Layer 2 interface configured with port security, all secure addresses learned by the dynamic method are dropped. All configured and sticky MAC addresses are dropped if they are not on the native trunk VLAN and do not match the access VLAN configured for the access port that they are moving to.
Guidelines and Limitations for Port Security
- Port security is not supported on the following:
- Port security does not depend upon other features.
- Port security does not support 802.1X.
- Port security cannot be configured on interfaces with existing static MAC addresses.
- Port security cannot be enabled on interfaces whose VLANs have an existing static MAC address even if it is programmed on a different interface.
Configuring Port Security
Enabling or Disabling Port Security on a Layer 2 Interface
Use this procedure to enable or disable port security on a Layer 2 interface.Procedure
NoteYou cannot enable port security on a routed interface.
Enabling or Disabling Sticky MAC Address Learning
ProcedureAdding a Static Secure MAC Address on an Interface
ProcedureRemoving a Static or a Sticky Secure MAC Address from an Interface
ProcedureRemoving a Dynamic Secure MAC Address
ProcedureUse this procedure to remove a specific address learned by the dynamic method or to remove all addresses learned by the dynamic method on a specific interface.
NoteTo remove all addresses learned by the dynamic method, use the shutdown and no shutdown commands to restart the interface.
Configuring a Maximum Number of MAC Addresses
Use this procedure to configure the maximum number of MAC addresses that can be learned or statically configured on a Layer 2 interface. You can also configure a maximum number of MAC addresses per VLAN on a Layer 2 interface. The largest maximum number of addresses that you can configure is 4096 addresses.
The secure MAC addresses share the Layer 2 Forwarding Table (L2FT). The forwarding table for each VLAN can hold up to 1024 entries.
NoteWhen you specify a maximum number of addresses that is less than the number of addresses already learned or statically configured on the interface, the command is rejected.
Before You BeginProcedureBefore beginning this procedure, be sure you have done the following:
- Logged in to the CLI in EXEC mode
- Enabled port security on the interface that you are configuring.
- By default, an interface has a maximum of one secure MAC address.
- VLANs have no default maximum number of secure MAC addresses.
- To remove all addresses learned by the dynamic method, use the shutdown and no shutdown commands to restart the interface.
Configuring an Address Aging Type and Time
ProcedureUse this procedure to configure the MAC address aging type and the length of time used to determine when MAC addresses learned by the dynamic method have reached their age limit.
Configuring a Security Violation Action
ProcedureUse this procedure to configure how an interface responds to a security violation. You can configure the following interface responses to security violations:
- protect: Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
- restrict: Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.
- shutdown: (the default) Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.
Recovering Ports Disabled for Port Security Violations
ProcedureUse this procedure to automatically recover an interface disabled for port security violations. To recover an interface manually from the error-disabled state, you must enter the shutdown command and then the no shutdown command .
Configuration Example for Port Security
The following example shows a port security configuration for vEthernet 36 interface with VLAN and interface maximums for secure addresses. In this example, the interface is a trunk port. Additionally, the violation action is set to Protect.
switch# config terminal switch(config)# interface vethernet 36 switch(config-if)# switchport port-security switch(config-if)# switchport port-security maximum 10 switch(config-if)# switchport port-security maximum 7 vlan 10 switch(config-if)# switchport port-security maximum 3 vlan 20 switch(config-if)# switchport port-security violation protect
