Information About Port Security
Port security allows you to configure Layer 2 physical interfaces, Layer 2 port-channel interfaces, and virtual port channels (vPCs) to allow inbound traffic from only a restricted set of MAC addresses. The MAC addresses in the restricted set are called secure MAC addresses. In addition, the device does not allow traffic from these MAC addresses on another interface within the same VLAN. The number of MAC addresses that the device can secure is configurable per interface.
Note: Unless otherwise specified, the term interface refers to physical interfaces, port-channel interfaces, and vPCs; likewise, the term Layer 2 interface refers to both Layer 2 physical interfaces and Layer 2 port-channel interfaces.
Secure MAC Address Learning
The process of securing a MAC address is called learning. A MAC address on a VLAN can be a secure MAC address on one interface only. For each interface that you enable port security on, the device can learn a limited number of MAC addresses by the static, dynamic, or sticky methods. The way that the device stores secure MAC addresses varies depending upon how the device learned the secure MAC address.
Note: All learned MAC addresses are synchronized between vPC peers.
Static Method
The static learning method allows you to manually add or remove secure MAC addresses to the running configuration of an interface. If you copy the running configuration to the startup configuration, static secure MAC addresses are unaffected if the device restarts.
A static secure MAC address entry remains in the configuration of an interface until one of the following events occurs:
- You explicitly remove the address from the configuration.
- You configure the interface to act as a Layer 3 interface.
Adding secure addresses by the static method is not affected by whether dynamic or sticky address learning is enabled.
Dynamic Method
By default, when you enable port security on an interface, you enable the dynamic learning method. With this method, the device secures MAC addresses as ingress traffic passes through the interface. If the address is not yet secured and the device has not reached any applicable maximum, it secures the address and allows the traffic.
The device stores dynamic secure MAC addresses in memory. A dynamic secure MAC address entry remains secured on an interface until one of the following events occurs:
- The device restarts.
- The interface restarts.
- The address reaches the age limit that you configured for the interface.
- You explicitly remove the address. For more information, see Removing a Dynamic Secure MAC Address.
- You disable the port security feature on the interface, which removes all dynamic secure MAC addresses on it.
- You configure the interface to act as a Layer 3 interface.
Sticky Method
If you enable the sticky method, the device secures MAC addresses in the same manner as dynamic address learning, but the device stores addresses learned by this method in nonvolatile RAM (NVRAM). As a result, addresses learned by the sticky method persist through a device restart. Sticky secure MAC addresses do not appear in the running configuration of an interface.
Dynamic and sticky address learning are mutually exclusive. When you enable sticky learning on an interface, the device stops dynamic learning and performs sticky learning instead. If you disable sticky learning, the device resumes dynamic learning.
A sticky secure MAC address entry remains secured on an interface until one of the following events occurs:
- You explicitly remove the sticky MAC address configuration from the interface. For more information, see Removing a Sticky Secure MAC Address.
- From Cisco NX-OS Release 7.1(4)N1(1), you disable the port security feature on the interface, which removes all sticky secure MAC addresses on it.
- You configure the interface to act as a Layer 3 interface.
Note: From Cisco NX-OS Release 7.1(4)N1(1), if the port security feature is disabled on one of the vPC peers of a vPC port, the sticky or dynamic secure MAC addresses are deleted on both vPC peers configured for the vPC port.
Dynamic Address Aging
The device ages MAC addresses learned by the dynamic method and drops them after the age limit is reached. You can configure the age limit on each interface. The range is from 1 to 1440 minutes. The default aging time is 0, which disables aging.
In vPC domains, dynamic MAC addresses are dropped only after the age limit is reached on both vPC peers.
The method that the device uses to determine the age of a MAC address is also configurable. The two methods of determining address age are as follows:
- Inactivity: The length of time since the device last received a packet from the address on the applicable interface.
- Absolute: The length of time since the device learned the address. This is the default aging method; however, the default aging time is 0 minutes, which disables aging.
Note: If the absolute method is used to age out a MAC address, then depending on the traffic rate, a few packets may be dropped each time a MAC address is aged out and relearned. To avoid this, use the inactivity aging method.
Note: In the case of vPC ports, a dynamic secure MAC address has to age out on both vPC peers before it is removed from the secure MAC table.
Secure MAC Address Maximums
By default, an interface can have only one secure MAC address. You can configure the maximum number of MAC addresses permitted per interface or per VLAN on an interface. Maximums apply to secure MAC addresses learned by any method: dynamic, sticky, or static.
Note: In vPC domains, the configuration on the primary vPC takes effect.
Tip: To ensure that an attached device has the full bandwidth of the port, set the maximum number of addresses to one and configure the MAC address of the attached device.
The following three limits can determine how many secure MAC addresses are permitted on an interface:
- System maximum: The device has a nonconfigurable limit of 8192 secure MAC addresses. If learning a new address would violate the device maximum, the device does not permit the new address to be learned, even if the interface or VLAN maximum has not been reached.
  When calculating the system maximum count, the single default secure MAC address per port is not counted. For example, if an interface has five secure MAC addresses, only four of them count toward the device maximum.
- Interface maximum: You can configure a maximum of 1025 secure MAC addresses for each interface protected by port security. The default interface maximum is one address. The sum of all interface maximums on a switch cannot exceed the system maximum.
  In vPC domains, you set the maximum number of secure MAC addresses on the primary vPC switch. The primary vPC switch performs the count validation, even if a maximum number of secure MAC addresses is set on the secondary switch.
- VLAN maximum: You can configure the maximum number of secure MAC addresses per VLAN for each interface protected by port security. The sum of all VLAN maximums under an interface cannot exceed the configured interface maximum. VLAN maximums are useful only for trunk ports. There are no default VLAN maximums.
You can configure VLAN and interface maximums per interface, as needed; however, when the new limit is less than the current number of secure addresses, you must reduce the number of secure MAC addresses first. Otherwise, the configuration of the new limit is rejected.
Security Violations and Actions
Port security triggers a security violation when either of the following two events occurs:
- MAX Count Violation: Ingress traffic arrives at an interface from a nonsecure MAC address and learning the address would exceed the applicable maximum number of secure MAC addresses. The blocked entry is added to the Forwarding Module (FWM) of the Cisco Nexus switch.
  When an interface has both a VLAN maximum and an interface maximum configured, a violation occurs when either maximum is exceeded. For example, consider the following on a single interface configured with port security:
  - VLAN 1 has a maximum of 5 addresses
  - The interface has a maximum of 20 addresses
  The device detects a violation when either of the following occurs:
  - The device has learned five addresses for VLAN 1 and inbound traffic from a sixth address arrives at the interface in VLAN 1.
  - The device has learned 20 addresses on the interface and inbound traffic from the 21st address arrives at the interface.
- MAC Move Violation: Ingress traffic from a secure MAC address arrives at a different secured interface in the same VLAN as the interface on which the address is secured. The blocked entry is added as a drop entry in the Port Security table.
When a security violation occurs, the device increments the security violation counter for the interface and takes the action specified by the port security configuration of the interface. If a violation occurs because ingress traffic from a secure MAC address arrives at a different interface than the interface on which the address is secured, the device applies the action on the interface that received the traffic.
The violation modes and the possible actions that a device can take are as follows:
- Shutdown violation mode: Error-disables the interface that received the packet that triggered the violation, and the port shuts down. The security violation count is set to 1. This action is the default. After you reenable the interface, it retains its port security configuration, including its static and sticky secure MAC addresses. However, dynamic secure MAC addresses are not retained and have to be relearned.
  You can use the errdisable recovery cause psecure-violation global configuration command to configure the device to reenable the interface automatically if a shutdown occurs, or you can manually reenable the interface by entering the shutdown and no shutdown interface configuration commands. For detailed information about the commands, see the Security Command Reference for your platform.
  The MAC address does not move to the unsecure port, and the frame on the unsecure port is dropped.
- Restrict violation mode: Drops ingress traffic from any nonsecure MAC address and adds the MAC address as a blocked MAC entry in the port security table.
  Note: In vPC domains, blocked MAC addresses added to the port security table due to violations occurring in Restrict mode are not synchronized across vPC peers.
  The device keeps a count of the number of unique source MAC addresses of dropped packets, which is called the security violation count.
  A violation is triggered for each unique nonsecure source MAC address, and the security violation count increments until it reaches 10, the maximum value. The maximum value of 10 is fixed and not configurable.
  Address learning continues until the maximum number of security violations (10) has occurred on the interface. Addresses learned after the first security violation are added as BLOCKED entries in the MAC table and their traffic is dropped. These BLOCKED MAC addresses age out after 5 minutes. The BLOCKED MAC address age-out time of 5 minutes is fixed and not configurable.
  In the case of a vPC topology, the BLOCKED MAC addresses are not synced across vPC peers.
  After the maximum number of MAX count violations (10) is reached, a violation is triggered and the device stops learning new MAC addresses.
  Depending on the violation type, the Restrict mode action varies as follows:
  - In the case of a MAX count violation, after the maximum number of MAX count violations (10) is reached, the device stops learning new MAC addresses. The interface remains up.
  - In the case of a MAC move violation, when the maximum number of security violations has occurred on the interface, the interface is error-disabled.
- Protect violation mode: Prevents further violations from occurring. The address that triggered the security violation is learned, but any traffic from the address is dropped. The security violation counter is set to 1, which is the maximum value. Further address learning stops. The interface remains up.
  Note that the security violation count is reset to 0 after the interface recovers from the violation through one of the following events:
  - Dynamic secure MAC addresses age out
  - Interface flap, link down, or link up events
  - Port security disable and re-enable on the interface
  - Changing the violation mode of the interface
Note: If an interface is errDisabled, you can bring it up only by flapping the interface.
Note: In vPCs, the violation action configured on the primary vPC switch takes effect. So, whenever a security violation is triggered, the security action defined on the primary vPC switch occurs.
After the maximum number of MAC move violations (10) is reached, the interface is shut down and placed in the errdisabled state.
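The maximum and violation rules from Secure MAC Address Maximums and Security Violations and Actions above, as an added Python model that is not Cisco code: it applies the interface, VLAN and system maximums, distinguishes MAX count from MAC move violations, and takes the shutdown, restrict and protect actions. Port names and MAC addresses used by callers are constructed, a blocked address is simply dropped, and aging, the 5-minute BLOCKED age-out and vPC synchronization are deliberately not modelled.

```python
from dataclasses import dataclass, field
SYSTEM_MAX = 8192        # nonconfigurable device-wide limit stated above
RESTRICT_CEILING = 10    # fixed ceiling of the restrict-mode violation count

@dataclass
class Port:
    name: str
    mode: str = "shutdown"                        # shutdown | restrict | protect
    max_addrs: int = 1                            # interface maximum, default one
    vlan_max: dict = field(default_factory=dict)  # vlan -> per-VLAN maximum
    secure: set = field(default_factory=set)      # secured (mac, vlan) pairs
    blocked: set = field(default_factory=set)     # dropped (mac, vlan) pairs
    violations: int = 0
    errdisabled: bool = False

class Switch:
    def __init__(self):
        self.ports, self.owner = {}, {}   # owner: (mac, vlan) -> securing port

    def system_count(self):
        # the single default address per port does not count toward the system max
        return sum(max(len(p.secure) - 1, 0) for p in self.ports.values())

    def _violate(self, port, key, kind):
        port.blocked.add(key)                     # frames from a blocked MAC are dropped
        if port.mode in ("shutdown", "protect"):  # count set to 1; only shutdown errdisables
            port.violations, port.errdisabled = 1, port.mode == "shutdown"
        else:                                     # restrict: count climbs to the ceiling
            port.violations = min(port.violations + 1, RESTRICT_CEILING)
            if port.violations == RESTRICT_CEILING and kind == "move":
                port.errdisabled = True           # MAC move at the ceiling errdisables
        return "drop"

    def ingress(self, port_name, mac, vlan):
        # returns 'forward' or 'drop' for a frame from mac arriving on port_name
        port, key = self.ports[port_name], (mac, vlan)
        if port.errdisabled or key in port.blocked:
            return "drop"
        if key in port.secure:
            return "forward"
        if key in self.owner:                     # secured on another interface: MAC move
            return self._violate(port, key, "move")
        in_vlan = sum(1 for _, v in port.secure if v == vlan)
        over = (len(port.secure) >= port.max_addrs                      # interface max
                or in_vlan >= port.vlan_max.get(vlan, float("inf"))    # VLAN max
                or self.system_count() + min(len(port.secure), 1) > SYSTEM_MAX)
        if over:                                  # would exceed a maximum: MAX count
            return self._violate(port, key, "max")
        port.secure.add(key)
        self.owner[key] = port_name
        return "forward"
```

Feeding the worked example from the text (VLAN 1 maximum of 5, interface maximum of 20) through `Switch.ingress` reproduces the sixth-address and 21st-address violations, and a secured address arriving on a second port reproduces the MAC move action on the receiving port.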
Port Type Changes
When you have configured port security on a Layer 2 interface and you change the port type of the interface, the device behaves as follows:
- Access port to trunk port: When you change a Layer 2 interface from an access port to a trunk port, the device deletes all secure addresses learned by the dynamic method. The device moves the addresses learned by the static method to the native trunk VLAN. The sticky MAC addresses remain in the same VLAN if the VLAN exists. Otherwise, the MAC addresses move to the native VLAN of the trunk port.
- Trunk port to access port: When you change a Layer 2 interface from a trunk port to an access port, the device deletes all secure addresses learned by the dynamic method. All static addresses configured per VLAN are removed; static addresses configured without the VLAN subcommand (defaulted to the native VLAN) are retained on the access VLAN. All sticky MAC addresses of trunk-allowed VLANs are moved to the access VLAN.
- Switched port to routed port: When you change an interface from a Layer 2 interface to a Layer 3 interface, the device disables port security on the interface and discards all port security configuration for the interface. The device also discards all secure MAC addresses for the interface, regardless of the method used to learn the address.
- Routed port to switched port: When you change an interface from a Layer 3 interface to a Layer 2 interface, the device has no port security configuration for the interface.
The static secure addresses that are configured per access or trunk VLAN on an interface are not retained during the following events:
- Changing the global VLAN mode of the active VLANs on an interface between classical Ethernet and FabricPath interfaces
- Changing the switchport mode from access or trunk to private VLAN, or vice versa