- New and Changed Information
- Index
- Preface
- Overview
- Configuring AAA
- Configuring RADIUS
- Configuring TACACS+
- Configuring SSH and Telnet
- Configuring PKI
- Configuring User Accounts and RBAC
- Configuring 802.1X
- Configuring NAC
- Configuring Cisco TrustSec
- Configuring IP ACLs
- Configuring MAC ACLs
- Configuring VLAN ACLs
- Configuring Port Security
- Configuring DHCP Snooping
- Configuring Dynamic ARP Inspection
- Configuring Source Guard
- Configuring Keychain Management
- Configuring Traffic Storm Control
- Configuring Unicast RPF
- Configuring Control Plane Policing
- Configuring Rate Limits
- Information About Port Security
- Licensing Requirements for Port Security
- Prerequisites for Port Security
- Guidelines and Limitations
- Configuring Port Security
- Enabling or Disabling Port Security Globally
- Enabling or Disabling Port Security on a Layer 2 Interface
- Enabling or Disabling Sticky MAC Address Learning
- Adding a Static Secure MAC Address on an Interface
- Removing a Static or a Sticky Secure MAC Address on an Interface
- Removing a Dynamic Secure MAC Address
- Configuring a Maximum Number of MAC Addresses
- Configuring an Address Aging Type and Time
- Configuring a Security Violation Action
- Verifying the Port Security Configuration
- Displaying Secure MAC Addresses
- Example Configuration for Port Security
- Default Settings
- Additional References
- Feature History for Port Security
Configuring Port Security
This chapter describes how to configure port security on NX-OS devices.
This chapter includes the following sections:
•Information About Port Security
•Licensing Requirements for Port Security
•Prerequisites for Port Security
•Verifying the Port Security Configuration
•Displaying Secure MAC Addresses
•Example Configuration for Port Security
•Feature History for Port Security
Information About Port Security
Port security allows you to configure Layer 2 interfaces that allow inbound traffic from only a restricted set of MAC addresses. The MAC addresses in the restricted set are called secure MAC addresses. In addition, the device does not allow traffic from these MAC addresses on another interface within the same VLAN. The number of MAC addresses that the device can secure is configurable per interface.
This section includes the following topics:
•Security Violations and Actions
Secure MAC Address Learning
The process of securing a MAC address is called learning. The number of addresses that can be learned is restricted, as described in the "Secure MAC Address Maximums" section. For each interface that you enable port security on, the device can learn addresses by the static, dynamic, or sticky methods.
Static Method
The static learning method allows you to manually add or remove secure MAC addresses to the configuration of an interface.
A static secure MAC address entry remains in the configuration of an interface until one of the following events occurs:
•You explicitly remove the address from the configuration. For more information, see the "Removing a Static or a Sticky Secure MAC Address on an Interface" section.
•You configure the interface to act as a Layer 3 interface. For more information, see the "Port Type Changes" section.
Adding secure addresses by the static method is not affected by whether dynamic or sticky address learning is enabled.
Dynamic Method
By default, when you enable port security on an interface, you enable the dynamic learning method. With this method, the device secures MAC addresses as ingress traffic passes through the interface. If the address is not yet secured and the device has not reached any applicable maximum, it secures the address and allows the traffic.
The device ages dynamic addresses and drops them once the age limit is reached, as described in the "Dynamic Address Aging" section.
Dynamic addresses do not persist through a device restart or through restarting the interface.
To remove a specific address learned by the dynamic method or to remove all addresses learned by the dynamic method on a specific interface, see the "Removing a Dynamic Secure MAC Address" section.
Sticky Method
If you enable the sticky method, the device secures MAC addresses in the same manner as dynamic address learning, but the device stores addresses learned by this method in non-volatile RAM (NVRAM). As a result, addresses learned by the sticky method persist through a device restart. Sticky secure MAC addresses do not appear in the running configuration of an interface.
Dynamic and sticky address learning are mutually exclusive. When you enable sticky learning on an interface, the device stops dynamic learning and performs sticky learning instead. If you disable sticky learning, the device resumes dynamic learning.
The device does not age sticky secure MAC addresses.
To remove a specific address learned by the sticky method, see the "Removing a Static or a Sticky Secure MAC Address on an Interface" section.
Dynamic Address Aging
The device ages MAC addresses learned by the dynamic method and drops them after the age limit is reached. You can configure the age limit on each interface. The range is from 0 to 1440 minutes, where 0 disables aging.
The method that the device uses to determine that the MAC address age is also configurable. The two methods of determining address age are as follows:
•Inactivity—The length of time after the device last received a packet from the address on the applicable interface.
•Absolute—The length of time after the device learned the address. This is the default aging method; however, the default aging time is 0 minutes, which disables aging.
Secure MAC Address Maximums
By default, an interface can have only one secure MAC address. You can configure the maximum number of MAC addresses permitted per interface or per VLAN on an interface. Maximums apply to secure MAC addresses learned by any method: dynamic, sticky, or static.
Tip To ensure that an attached device has the full bandwidth of the port, set the maximum number of addresses to one and configure the MAC address of the attached device.
The following three limits can determine how many secure MAC address are permitted on an interface:
•Device maximum—The device has a nonconfigurable limit of 8192 secure MAC addresses. If learning a new address would violate the device maximum, the device does not permit the new address to be learned, even if the interface or VLAN maximum has not been reached.
•Interface maximum—You can configure a maximum number of secure MAC addresses for each interface protected by port security. The default interface maximum is one address. Interface maximums cannot exceed the device maximum.
•VLAN maximum—You can configure the maximum number of secure MAC addresses per VLAN for each interface protected by port security. A VLAN maximum cannot exceed the interface maximum. VLAN maximums are useful only for trunk ports. There are no default VLAN maximums.
For an example of how VLAN and interface maximums interact, see the "Security Violations and Actions" section.
You can configure VLAN and interface maximums per interface, as needed; however, when the new limit is less than the applicable number of secure addresses, you must reduce the number of secure MAC addresses first. To remove dynamically learned addresses, see the "Removing a Dynamic Secure MAC Address" section. To remove addresses learned by the sticky or static methods, see the "Removing a Static or a Sticky Secure MAC Address on an Interface" section.
Security Violations and Actions
Port security triggers security violations when either of the two following events occur:
•Ingress traffic arrives at an interface from a nonsecure MAC address and learning the address would exceed the applicable maximum number of secure MAC addresses.
When an interface has both a VLAN maximum and an interface maximum configured, a violation occurs when either maximum is exceeded. For example, consider the following on a single interface configured with port security:
–VLAN 1 has a maximum of 5 addresses
–The interface has a maximum of 10 addresses
The device detects a violation when any of the following occurs:
–The device has learned five addresses for VLAN 1 and inbound traffic from a sixth address arrives at the interface in VLAN 1.
–The device has learned 10 addresses on the interface and inbound traffic from an 11th address arrives at the interface.
•Ingress traffic from a secure MAC address arrives at a different interface in the same VLAN as the interface on which the address is secured.
Note After a secure MAC address is configured or learned on one secure port, the sequence of events that occurs when port security detects that secure MAC address on a different port in the same VLAN is known as a MAC move violation.
When a security violation occurs, the device takes the action specified by the port security configuration of the applicable interface. The possible actions that the device can take are as follows:
•Shutdown—Shuts down the interface that received the packet triggering the violation. The interface is error disabled. This action is the default. After you reenable the interface, it retains its port security configuration, including its secure MAC addresses.
You can use the errdisable global configuration command to configure the device to reenable the interface automatically if a shutdown occurs, or you can manually reenable the interface by entering the shutdown and no shut down interface configuration commands.
•Restrict—Drops ingress traffic from any nonsecure MAC addresses. The device keeps a count of the number of dropped packets.
•Protect—Prevents violations from occurring. Address learning continues until the maximum number of MAC addresses on the interface is reached, after which the device disables learning on the interface and drops all ingress traffic from nonsecure MAC addresses.
If a violation occurs because ingress traffic from a secure MAC address arrives at a different interface than the interface on which the address is secure, the device applies the action on the interface that received the traffic.
Port Security and Port Types
You can configure port security only on Layer 2 interfaces. Details about port security and different types of interfaces or ports are as follows:
•Access ports—You can configure port security on interfaces that you have configured as Layer 2 access ports. On an access port, port security applies only to the access VLAN.
•Trunk ports—You can configure port security on interfaces that you have configured as Layer 2 trunk ports. VLAN maximums are not useful for access ports. The device allows VLAN maximums only for VLANs associated with the trunk port.
•SPAN ports—You can configure port security on SPAN source ports but not on SPAN destination ports.
•Ethernet Port Channels—Port security is not supported on Ethernet port channels.
Port Type Changes
When you have configured port security on a Layer 2 interface and you change the port type of the interface, the device behaves as follows:
•Access port to trunk port—When you change a Layer 2 interface from an access port to a trunk port, the device drops all secure addresses learned by the dynamic method. The device moves the addresses learned by the static or sticky method to the native trunk VLAN.
•Trunk port to access port—When you change a Layer 2 interface from a trunk port to an access port, the device drops all secure addresses learned by the dynamic method. It also moves all addresses learned by the sticky method on the native trunk VLAN to the access VLAN. The device drops secure addresses learned by the sticky method if they are not on the native trunk VLAN.
•Switched port to routed port—When you change an interface from a Layer 2 interface to a Layer 3 interface, the device disables port security on the interface and discards all port security configuration for the interface. The device also discards all secure MAC addresses for the interface, regardless of the method used to learn the address.
•Routed port to switched port—When you change an interface from a Layer 3 interface to a Layer 2 interface, the device has no port security configuration for the interface.
802.1X and Port Security
You can configure port security and 802.1X on the same interfaces. Port security secures the MAC addresses that 802.1X authenticates. 802.1X processes packets before port security processes them, so when you enable both on an interface, 802.1X is already preventing inbound traffic on the interface from unknown MAC addresses.
When you enable 802.1X and port security on the same interface, port security continues to learn MAC addresses by the sticky or dynamic method, as configured. Additionally, depending on whether you enable 802.1X in single-host mode or multiple-host mode, one of the following occurs:
•Single host mode—Port security learns the MAC address of the authenticated host.
•Multiple host mode—Port security drops any MAC addresses learned for this interface by the dynamic method and learns the MAC address of the first host authenticated by 802.1X.
If a MAC address that 802.1X passes to port security would violate the applicable maximum number of secure MAC addresses, the device sends an authentication failure message to the host.
The device treats MAC addresses authenticated by 802.1X as though they were learned by the dynamic method, even if port security previously learned the address by the sticky or static methods. If you attempt to delete a secure MAC address that has been authenticated by 802.1X, the address remains secure.
If the MAC address of an authenticated host is secured by the sticky or static method, the device treats the address as if it were learned by the dynamic method, and you cannot delete the MAC address manually.
Port security integrates with 802.1X to reauthenticate hosts when the authenticated and secure MAC address of the host reaches its port security age limit. The device behaves differently depending upon the type of aging, as follows:
•Absolute—Port security notifies 802.1X and the device attempts to reauthenticate the host. The result of reauthentication determines whether the address remains secure. If reauthentication succeeds, the device restarts the aging timer on the secure address; otherwise, the device drops the address from the list of secure addressees for the interface.
•Inactivity—Port security drops the secure address from the list of secure addresses for the interface and notifies 802.1X. The device attempts to reauthenticate the host. If reauthentication succeeds, port security secures the address again.
Virtualization Support
Port security supports VDCs as follows:
•Port security is local to each VDC. You enable and configure port security on a per-VDC basis.
•Each VDC maintains secure MAC addresses separately.
•The device cannot issue a security violation when a secured MAC address in one VDC is seen on a protected interface in another VDC.
Licensing Requirements for Port Security
The following table shows the licensing requirements for this feature:
Prerequisites for Port Security
Port security has the following prerequisites:
•You must globally enable port security for the device that you want to protect with port security.
Guidelines and Limitations
When configuring port security, follow these guidelines:
•Port security does not support Ethernet port-channel interfaces or switched port analyzer (SPAN) destination ports.
•Port security does not depend upon other features.
•Port security can work with 802.1X, as described in the "802.1X and Port Security" section.
Configuring Port Security
This section includes the following topics:
•Enabling or Disabling Port Security Globally
•Enabling or Disabling Port Security on a Layer 2 Interface
•Enabling or Disabling Sticky MAC Address Learning
•Adding a Static Secure MAC Address on an Interface
•Removing a Static or a Sticky Secure MAC Address on an Interface
•Removing a Dynamic Secure MAC Address
•Configuring a Maximum Number of MAC Addresses
•Configuring an Address Aging Type and Time
•Configuring a Security Violation Action
Enabling or Disabling Port Security Globally
You can enable or disable port security globally on a device.
When you disable port security globally, all port security configuration is lost, including any statically configured secure MAC addresses and all dynamic or sticky secured MAC addresses.
BEFORE YOU BEGIN
By default, port security is disabled.
Ensure that you are in the correct VDC (or use the switchto vdc command).
SUMMARY STEPS
1. config t
2. [no] feature port-security
3. show port-security
4. copy running-config startup-config
DETAILED STEPS
Enabling or Disabling Port Security on a Layer 2 Interface
You can enable or disable port security on a Layer 2 interface. For more information about dynamic learning of MAC addresses, see the "Secure MAC Address Learning" section.
Note You cannot enable port security on a routed interface.
BEFORE YOU BEGIN
By default, port security is disabled on all interfaces.
Enabling port security on an interface also enables dynamic MAC address learning. If you want to enable sticky MAC address learning, you must also complete the steps in the "Enabling or Disabling Sticky MAC Address Learning" section.
Ensure that you are in the correct VDC (or use the switchto vdc command).
Ensure that port security is enabled. To verify the configuration, see the "Verifying the Port Security Configuration" section. To enable port security, see the "Enabling or Disabling Port Security Globally" section.
SUMMARY STEPS
1. config t
2. interface type slot/port
3. switchport
4. [no] switchport port-security
5. show running-config port-security
6. copy running-config startup-config
DETAILED STEPS
Enabling or Disabling Sticky MAC Address Learning
You can disable or enable sticky MAC address learning on an interface. If you disable sticky learning, the device returns to dynamic MAC address learning on the interface, which is the default learning method.
BEFORE YOU BEGIN
By default, sticky MAC address learning is disabled.
Ensure that you are in the correct VDC (or use the switchto vdc command).
Ensure that port security is enabled globally and on the interface that you are configuring. To verify the configuration, see the "Verifying the Port Security Configuration" section. To enable port security globally, see the "Enabling or Disabling Port Security Globally" section. To enable port security on the interface, see the "Enabling or Disabling Port Security on a Layer 2 Interface" section.
SUMMARY STEPS
1. config t
2. interface type slot/port
3. switchport
4. [no] switchport port-security mac-address sticky
5. show running-config port-security
6. copy running-config startup-config
DETAILED STEPS
Adding a Static Secure MAC Address on an Interface
You can add a static secure MAC address on a Layer 2 interface.
BEFORE YOU BEGIN
By default, no static secure MAC addresses are configured on an interface.
Determine if the interface maximum has been reached for secure MAC addresses (use the show port-security command). If needed, you can remove a secure MAC address (see the "Removing a Static or a Sticky Secure MAC Address on an Interface" section or the "Removing a Dynamic Secure MAC Address" section) or you can change the maximum number of addresses on the interface (see the "Configuring a Maximum Number of MAC Addresses" section).
Ensure that you are in the correct VDC (or use the switchto vdc command).
Ensure that port security is enabled both globally and on the interface. To verify the configuration, see the "Verifying the Port Security Configuration" section. To enable port security globally, see the "Enabling or Disabling Port Security Globally" section. To enable port security on the interface, see the "Enabling or Disabling Port Security on a Layer 2 Interface" section.
SUMMARY STEPS
1. config t
2. interface type slot/port
3. [no] switchport port-security mac-address address [vlan vlan-ID]
4. show running-config port-security
5. copy running-config startup-config
DETAILED STEPS
Removing a Static or a Sticky Secure MAC Address on an Interface
You can remove a static or a sticky secure MAC address on a Layer 2 interface.
BEFORE YOU BEGIN
Ensure that you are in the correct VDC (or use the switchto vdc command).
Ensure that port security is enabled. To verify the configuration, see the "Verifying the Port Security Configuration" section. To enable port security globally, see the "Enabling or Disabling Port Security Globally" section. To enable port security on the interface, see the "Enabling or Disabling Port Security on a Layer 2 Interface" section.
SUMMARY STEPS
1. config t
2. interface type slot/port
3. no switchport port-security mac-address address [vlan vlan-ID]
4. show running-config port-security
5. copy running-config startup-config
DETAILED STEPS
Removing a Dynamic Secure MAC Address
You can remove dynamically learned, secure MAC addresses.
BEFORE YOU BEGIN
Ensure that you are in the correct VDC (or use the switchto vdc command).
SUMMARY STEPS
1. config t
2. clear port-security dynamic {interface ethernet slot/port | address address} [vlan vlan-ID]
3. show port-security address
DETAILED STEPS
Configuring a Maximum Number of MAC Addresses
You can configure the maximum number of MAC addresses that can be learned or statically configured on a Layer 2 interface. You can also configure a maximum number of MAC addresses per VLAN on a Layer 2 interface. The largest maximum number of addresses that you can configure is 4096 addresses.
Note When you specify a maximum number of addresses that is less than the number of addresses already learned or statically configured on the interface, the device rejects the command. To reduce the number of addresses learned by the sticky or static methods, see the "Removing a Static or a Sticky Secure MAC Address on an Interface" section. To remove all addresses learned by the dynamic method, use the shutdown and no shutdown commands to restart the interface.
BEFORE YOU BEGIN
By default, an interface has a maximum of one secure MAC address. VLANs have no default maximum number of secure MAC addresses.
Ensure that you are in the correct VDC (or use the switchto vdc command).
Ensure that port security is enabled. To verify the configuration, see the "Verifying the Port Security Configuration" section. To enable port security, see the "Enabling or Disabling Port Security Globally" section.
SUMMARY STEPS
1. config t
2. interface type slot
3. [no] switchport port-security maximum number [vlan vlan-ID]
4. show running-config port-security
5. copy running-config startup-config
DETAILED STEPS
Configuring an Address Aging Type and Time
You can configure the MAC address aging type and the length of time that the device uses to determine when MAC addresses learned by the dynamic method have reached their age limit.
BEFORE YOU BEGIN
By default, the aging time is 0 minutes, which disables aging.
Absolute aging is the default aging type.
Ensure that you are in the correct VDC (or use the switchto vdc command).
Ensure that port security is enabled. To verify the configuration, see the "Verifying the Port Security Configuration" section. To enable port security, see the "Enabling or Disabling Port Security Globally" section.
SUMMARY STEPS
1. config t
2. interface type slot
3. [no] switchport port-security aging type {absolute | inactivity}
4. [no] switchport port-security aging time minutes
5. show running-config port-security
6. copy running-config startup-config
DETAILED STEPS
Configuring a Security Violation Action
You can configure the action that the device takes if a security violation occurs. The violation action is configurable on each interface that you enable with port security.
BEFORE YOU BEGIN
The default security action is to shut down the port on which the security violation occurs.
Ensure that you are in the correct VDC (or use the switchto vdc command).
Ensure that port security is enabled. To verify the configuration, see the "Verifying the Port Security Configuration" section. To enable port security, see the "Enabling or Disabling Port Security Globally" section.
SUMMARY STEPS
1. config t
2. interface type slot/port
3. [no] switchport port-security violation {protect | restrict | shutdown}
4. show running-config port-security
5. copy running-config startup-config
DETAILED STEPS
Verifying the Port Security Configuration
To display the port security configuration information, use the following commands:
|
|
---|---|
show running-config port-security |
Displays the port security configuration |
show port-security |
Displays the port security status. |
For detailed information about the fields in the output from this command, see the Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.1.
Displaying Secure MAC Addresses
Use the show port-security address command to display secure MAC addresses. For detailed information about the fields in the output from this command, see the Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.1.
Example Configuration for Port Security
The following example shows a port security configuration for the Ethernet 2/1 interface with VLAN and interface maximums for secure addresses. In this example, the interface is a trunk port. Additionally, the violation action is set to Restrict.
feature port-security
interface Ethernet 2/1
switchport
switchport port-security
switchport port-security maximum 10
switchport port-security maximum 7 vlan 10
switchport port-security maximum 3 vlan 20
switchport port-security violation restrict
Default Settings
Table 14-1 lists the default settings for port security parameters.
Additional References
For additional information related to implementing port security, see the following sections:
•MIBs
Related Documents
Standards
|
|
---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
— |
MIBs
NX-OS provides read-only SNMP support for port security.
|
|
---|---|
•CISCO-PORT-SECURITY-MIB |
To locate and download MIBs, go to the following URL: http://www.cisco.com/nx-os/mibs |
Feature History for Port Security
Table 14-2 lists the release history for this feature.
|
|
|
---|---|---|
Port security |
4.1(2) |
No change from Release 4.0. |