All switches in the Cisco MDS 9000 Family provide port security features that reject intrusion attempts and report these intrusions to the administrator.
Typically, any Fibre Channel device in a SAN can attach to any SAN switch port and access SAN services based on zone membership. Port security features prevent unauthorized access to a switch port in the Cisco MDS 9000 Family in the following ways:
Login requests from unauthorized Fibre Channel devices (Nx ports) and switches (xE ports) are rejected.
All intrusion attempts are reported to the SAN administrator through system messages.
Configuration distribution uses the CFS infrastructure, and is limited to those switches that are CFS capable. Distribution is disabled by default.
Configuring the port security policy requires the ENTERPRISE_PKG license (see the Cisco MDS 9000 Family NX-OS Licensing Guide).
To enforce port security, configure the devices and switch port interfaces through which each device or switch is connected, and activate the configuration.
Use the port world wide name (pWWN) or the node world wide name (nWWN) to specify the Nx port connection for each device.
Use the switch world wide name (sWWN) to specify the xE port connection for each switch.
Each Nx and xE port can be configured to restrict a single port or a range of ports.
Enforcement of port security policies are done on every activation and when the port tries to come up.
The port security feature uses two databases to accept and implement configuration changes.
Configuration database—All configuration changes are stored in the configuration database.
Active database—The database currently enforced by the fabric. The port security feature requires all devices connecting to a switch to be part of the port security active database. The software uses this active database to enforce authorization.
You can instruct the switch to automatically learn (auto-learn) the port security configurations over a specified period. This feature allows any switch in the Cisco MDS 9000 Family to automatically learn about devices and switches that connect to it. Use this feature when you activate the port security feature for the first time as it saves tedious manual configuration for each port. You must configure auto-learning on a per-VSAN basis. If enabled, devices and switches that are allowed to connect to the switch are automatically learned, even if you have not configured any port access.
When auto-learning is enabled, learning happens only for the devices or interfaces that were not already logged into the switch. Learned entries on a port are cleaned up after you shut down that port if auto-learning is still enabled.
Learning does not override the existing configured port security policies. So, for example, if an interface is configured to allow a specific pWWN, then auto-learning will not add a new entry to allow any other pWWN on that interface. All other pWWNs will be blocked even in auto-learning mode.
No entries are learned for a port in the shutdown state.
When you activate the port security feature, auto-learning is also automatically enabled.
Note If you enable auto-learning before activating port security, you cannot activate until auto-learning is disabled.
Port Security Activation
By default, the port security feature is not activated in any switch in the Cisco MDS 9000 Family.
By activating the port security feature, the following apply:
Auto-learning is also automatically enabled, which means:
– From this point, auto-learning happens only for the devices or interfaces that were not logged into the switch.
– You cannot activate the database until you disable auto-learning.
All the devices that are already logged in are learned and are added to the active database.
All entries in the configured database are copied to the active database.
After the database is activated, subsequent device login is subject to the activated port bound WWN pairs, excluding the auto-learned entries. You must disable auto-learning before the auto-learned entries become activated.
When you activate the port security feature, auto-learning is also automatically enabled. You can choose to activate the port security feature and disable auto-learning.
Tip If a port is shut down because of a denied login attempt, and you subsequently configure the database to allow that login, the port does not come up automatically. You must explicitly issue a no shutdown CLI command to bring that port back online.
Database Activation Rejection
Database activation is rejected in the following cases:
Missing or conflicting entries exist in the configuration database but not in the active database.
The auto-learning feature was enabled before the activation. To reactivate a database in this state, disable auto-learning.
The exact security is not configured for each PortChannel member.
The configured database is empty but the active database is not.
If the database activation is rejected due to one or more conflicts listed in the previous section, you may decide to proceed by forcing the port security activation.
About Enabling Auto-learning
The state of the auto-learning configuration depends on the state of the port security feature:
If the port security feature is not activated, auto-learning is disabled by default.
If the port security feature is activated, auto-learning is enabled by default (unless you explicitly disabled this option).
Tip If auto-learning is enabled on a VSAN, you can only activate the database for that VSAN by using the force option.
Auto-learning Device Authorization
Table 36-1 summarizes the authorized connection conditions for device requests.
Assume that the port security feature is activated and the following conditions are specified in the active database:
A pWWN (P1) is allowed access through interface fc1/1 (F1).
A pWWN (P2) is allowed access through interface fc1/1 (F1).
A nWWN (N1) is allowed access through interface fc1/2 (F2).
Any WWN is allowed access through interface fc1/3 (F3).
A nWWN (N3) is allowed access through any interface.
A pWWN (P3) is allowed access through interface fc1/4 (F4).
A sWWN (S1) is allowed access through interface fc1/10-13 (F10 to F13).
A pWWN (P10) is allowed access through interface fc1/11 (F11).
Table 36-2 summarizes the port security authorization results for this active database. The conditions listed refer to the conditions from
Table 36-2 Authorization Results for Scenario
Device Connection Request
P1, N2, F1
P2, N2, F1
P3, N2, F1
F1 is bound to P1/P2.
P1, N3, F1
Wildcard match for N3.
P1, N1, F3
Wildcard match for F3.
P1, N4, F5
P1 is bound to F1.
P5, N1, F5
N1 is only allowed on F2.
P3, N3, F4
P10 is bound to F11.
P4, N4, F5 (auto-learning on)
P4, N4, F5(auto-learning off)
S3, F5 (auto-learning on)
S3, F5 (auto-learning off)
P1, N1, F6 (auto-learning on)
P1 is bound to F1.
P5, N5, F1 (auto-learning on)
Only P1 and P2 bound to F1.
S3, F4 (auto-learning on)
P3 paired with F4.
S1, F3 (auto-learning on)
P5, N3, F3
Wildcard ( * ) match for F3 and N3.
P7, N3, F9
Wildcard ( * ) match for N3.
About WWN Identification
If you decide to manually configure port security, be sure to adhere to the following guidelines:
Identify switch ports by the interface or by the fWWN.
Identify devices by the pWWN or by the nWWN.
If an Nx port is allowed to log in to SAN switch port Fx, then that Nx port can only log in through the specified Fx port.
If an Nx port’s nWWN is bound to an Fx port WWN, then all pWWNs in the Nx port are implicitly paired with the Fx port.
TE port checking is done on each VSAN in the allowed VSAN list of the trunk port.
All PortChannel xE ports must be configured with the same set of WWNs in the same PortChannel.
E port security is implemented in the port VSAN of the E port. In this case the sWWN is used to secure authorization checks.
Once activated, the config database can be modified without any effect on the active database.
By saving the running configuration, you save the configuration database and activated entries in the active database. Learned entries in the active database are not saved.
Activation and Auto-learning Configuration Distribution
Activation and auto-learning configurations in distributed mode are remembered as actions to be performed when you commit the changes in the pending database.
Learned entries are temporary and do not have any role in determining if a login is authorized or not. As such, learned entries do not participate in distribution. When you disable learning and commit the changes in the pending database, the learned entries become static entries in the active database and are distributed to all switches in the fabric. After the commit, the active database on all switches are identical and learning can be disabled.
If the pending database contains more than one activation and auto-learning configuration when you commit the changes, then the activation and auto-learning changes are consolidated and the behavior may change (see
Table 36-3 Scenarios for Activation and Auto- learning Configurations in Distributed Mode
Distribution = OFF
Distribution = ON
A and B exist in the configuration database, activation is not done and devices C,D are logged in.
1. You activate the port security database and enable auto-learning.