-
Cisco MDS 9000 Family Configuration Guide, Release 2.x
-
New and Changed Information
-
Index
-
Preface
- Part 1 - Getting Started
- Part 2 - Cisco MDS SAN-OS Installation and Switch Management
- Part 3 - Switch Configuration
-
Part 4 - Fabric Configuration
-
Configuring and Managing VSANs
-
Creating Dynamic VSANs
-
Configuring Inter-VSAN Routing
-
Configuring Zones
-
Distributing Device Alias Services
-
Configuring Fibre Channel Routing Services and Protocols
-
Managing FLOGI, Name Server, FDMI, and RSCN Databases
-
Discovering SCSI Targets
-
Configuring FICON
-
Advanced Features and Concepts
-
- Part 5 - Security
- Part 6 - IP Services
- Part 7 - Intelligent Storage Services
- Part 8 - Network and Switch Monitoring
- Part 9 - Traffic Management
- Part 10 - Troubleshooting
-
Feedback
Table Of Contents
Port Security Manual Configuration
Forcing Port Security Activation
Auto-Learning Device Authorization
Port Security Configuration Distribution
Activation and Autolearning Configuration Distribution
Port Security Database Deletion
Port Security Database Cleanup
Displaying Port Security Configurations
Configuring Port Security
All switches in the Cisco MDS 9000 Family provide port security features that reject intrusion attempts and report these intrusions to the administrator.
Note
Port security is only supported for Fibre Channel ports.
This chapter includes the following sections:
•
•
•
•
•
Port Security Features
Typically, any Fibre Channel device in a SAN can attach to any SAN switch port and access SAN services based on zone membership. Port security features prevent unauthorized access to a switch port in the Cisco MDS 9000 Family:
•
•
•
•
Port Security Enforcement
To enforce port security, configure the devices and switch port interfaces through which each device or switch is connected, and activate the configuration.
•
•
Each Nx and xE port can be configured to restrict a single port or a range of ports.
Enforcement of port security policies are done on every activation and when the port tries to come up.
The port security feature uses two databases to accept and implement configurations.
•
•
Port Security Initiation
By default, the port security feature is disabled in all switches in the Cisco MDS 9000 Family.
To enable port security, follow these steps:
Port Security Manual Configuration
To configure port security on any switch in the Cisco MDS 9000 Family, follow these steps:
Step 1
Step 2
Step 3
Step 4
WWN Identification
If you decide to manually configure port security, be sure to adhere to the following guidelines:
•
•
•
–
–
•
•
•
•
•
Authorized Port Pair Addition
After identifying the WWN pairs that need to be bound, add those pairs to the port security database.
Tip
To configure port security, follow these steps:
Port Security Activation
By default, the port security feature is not activated in any switch in the Cisco MDS 9000 Family.
When you activate the port security feature, the following apply:
•
–
–
•
•
After the database is activated, subsequent device login is subject to the activated port bound WWN pairs.
When you activate the port security feature, the auto-learning is also automatically enabled. You can choose to activate the port security feature and disable autolearing.
To activate the port security feature, follow these steps:
Note
Database Activation Rejection
Database activation is rejected in the following cases:
•
•
•
•
If the database activation is rejected due to one or more conflicts listed in the previous section, you may decide to proceed by forcing the port security activation.
Forcing Port Security Activation
If the port security activation request is rejected, you can force the activation
Note
You can view missing or conflicting entries using the port-security database diff active vsan command in EXEC mode.
To forcefully activate the port security database, follow these steps:
Database Reactivation
Tip
To reactivate the database, follow these steps:
Step 1
Step 2
Tip
Step 3
Step 4
To reactivate the port security database, follow these steps:
About Auto-Learning
You can instruct the switch to automatically learn (auto-learn) the port security configurations over a specified period. This feature allows any switch in the Cisco MDS 9000 Family to automatically learn about devices and switches that connect to it. Use this feature to activate the port security feature for the first time as it saves tedious manual configuration for each port. You must configure auto-learning on a per-VSAN basis. If enabled, devices and switches that are allowed to connect to the switch are automatically learned, even if you have not configured any port access. Learned entries on a port are cleaned up after you shut down that port. Learning does not override the enforced port security policies.
When you activate the port security feature autolearning is also automatically enabled. When auto-learning is enabled, the following apply:
•
•
Enabling Auto-Learning
The state of the auto-learning configuration depends on the state of the port security feature:
•
•
Tip
To enable auto-learning, follow these steps:
Disabling Autolearning
To disable autolearning, follow these steps:
Auto-Learning Device Authorization
Table 32-1 summarizes the authorized connection for device requests.
Authorization Scenario
Assume that the port security feature is activated and the following conditions are specified in the active database:
•
•
•
•
•
•
•
•
Table 32-2 summarizes the port security authorization results for this active database.
Port Security Configuration Distribution
The port security feature uses the Cisco Fabric Services (CFS) infrastructure to enable efficient database management, provide a single point of configuration for the entire fabric in the VSAN, and enforce the port security policies on throughout the fabric (see Chapter 5, "Using the CFS Infrastructure").
Enabling Distribution
All the configurations performed in distributed mode are stored in a pending (temporary) database. If you modify the configuration, you need to commit or discard the pending database changes to the configurations. The fabric remains locked during this period. Changes to the pending database are not reflected in the configurations until you commit the changes.
To enable the port security distribution, follow these steps:
Locking The Fabric
The first action that modifies the existing configuration creates the pending database and locks the feature in the VSAN. Once you lock the fabric, the following situations apply:
•
•
Committing the Changes
If you commit the changes made to the configurations, the configurations in the pending database are distributed to other switches. On a successful commit, the configuration change is applied throughout the fabric and the lock is released.
To commit the port security configuration changes for the specified VSAN, follow these steps:
Step 1
switch# config t
switch(config)#
Enters configuration mode.
Step 2
switch(config)# port-security commit vsan 3
Commits the port security changes in the specified VSAN.
Discarding the Changes
If you discard (abort) the changes made to the pending database, the configurations remains unaffected and the lock is released.
To discard the port security configuration changes for the specified VSAN, follow these steps:
Activation and Autolearning Configuration Distribution
Activation and autolearning configurations in distributed mode are remembered merely as actions to be performed when you commit the changes in the pending database.
Learned entries are temporary and do not have any role in determining if a login is authorized or not. As such, learned entries do not participate in distribution. When you disable learning and commit the changes in the pending database, the learned entries become static entries in the active database and are distributed to all switches in the fabric. After the commit, the active database on all switches are identical and learning can be disabled.
If the pending database contains more than one activation and autolearning configuration when you commit the changes, then the activation and autolearning changes are consolidated and the behavior may change (see Table 32-3).
If you activate port security, follow up by disabling auto-learning , and finally commit the changes in the pending database, then the net result of your actions is the same as issuing a port-security activate vsan vsan-id no-auto-learn command.
Table 32-3 Scenarios for Activation and Autolearning Configurations in Distributed Mode
A and B exist in the configuration database, activation is not done and devices C,D are logged in.
1.
configuration database = {A,B}
active database = {A,B, C1 , D*}
configuration database = {A,B}
active database = {null}
pending database = {A,B + activation to be enabled}
2.
configuration database = {A,B, E}
active database = {A,B, C*, D*}
configuration database = {A,B}
active database = {null}
pending database = {A,B, E + activation to be enabled}
3.
Not applicable
configuration database = {A,B, E}
active database = {A,B, E, C*, D*}
pending database = empty
A and B exist in the configuration database, activation is not done and devices C,D are logged in.
1.
configuration database = {A,B}
active database = {A,B, C*, D*}
configuration database = {A,B}
active database = {null}
pending database = {A,B + activation to be enabled}
2.
configuration database = {A,B}
active database = {A,B, C, D}
configuration database = {A,B}
active database = {null}
pending database = {A,B + activation to be enabled +
learning to be disabled}3.
Not applicable
configuration database = {A,B}
active database = {A,B} and devices C and D are logged out. This is equal to an activation with autolearning disabled.
pending database = empty
1 The * (asterisk) indicates learned entries.
Tip
Database Merge Guidelines
A database merge refers to a union of the configuration database and static (unlearned) entries in the active database. See the "CFS Merge Support" section on page 5-7 for detailed concepts.
When merging the database between two fabric, follow these guidelines:
•
•
Caution
Database Interaction
Table 32-4 lists the differences and interaction between the active and configuration databases.
Note
Database Scenarios
Figure 32-1 depicts various scenarios to depict the active database and the configuration database status based on port security configurations.
Figure 32-1 Port Security Database Scenarios
Port Security Database Copy
Tip
Use the port-security database copy vsan command to copy from the active to the configured database. If the active database is empty, this command is not accepted.
switch# port-security database copy vsan 1switch#Use the port-security database diff active vsan command to view the differences between the active database and the configuration database. This command can be used when resolving conflicts.
switch# port-security database diff active vsan 1Use the port-security database diff config vsan command to obtain information on the differences between the configuration database and the active database.
switch# port-security database diff config vsan 1Port Security Database Deletion
Tip
Use the no port-security database vsan command in configuration mode to delete the configured database for a specified VSAN
switch(config)# no port-security database vsan 1Port Security Database Cleanup
Use the clear port-security statistics vsan command to clear all existing statistics from the port security database for a specified VSAN.
switch# clear port-security statistics vsan 1Use the clear port-security database auto-learn interface command to clear any learned entries in the active database for a specified interface within a VSAN.
switch# clear port-security database auto-learn interface fc1/1 vsan 1Use the clear port-security database auto-learn vsan command to clear any learned entries in the active database up to for the entire VSAN.
switch# clear port-security database auto-learn vsan 1
Note
Use the port-security clear vsan command to clear the pending session in the VSAN from any switch in the VSAN.
switch# clear port-security session vsan 5Displaying Port Security Configurations
The show port-security database commands display the configured port security information (see Examples 32-1 to 32-11).
Example 32-1 Displays the Contents of the Port Security Configuration Database
switch# show port-security database---------------------------------------------------------------------------------------VSAN Logging-in Entity Logging-in Point (Interface)----------------------------------------------------------------------------------------1 21:00:00:e0:8b:06:d9:1d(pwwn) 20:0d:00:05:30:00:95:de(fc1/13)1 50:06:04:82:bc:01:c3:84(pwwn) 20:0c:00:05:30:00:95:de(fc1/12)2 20:00:00:05:30:00:95:df(swwn) 20:0c:00:05:30:00:95:de(port-channel 128)3 20:00:00:05:30:00:95:de(swwn) 20:01:00:05:30:00:95:de(fc1/1)[Total 4 entries]You can optionally specify a fWWN and a VSAN, or an interface and a VSAN in the show port-security command to view the output of the activated port security (see Example 32-2).
Example 32-2 Displays the Port Security Configuration Database in VSAN 1
switch# show port-security database vsan 1--------------------------------------------------------------------------------Vsan Logging-in Entity Logging-in Point (Interface)--------------------------------------------------------------------------------1 * 20:85:00:44:22:00:4a:9e (fc3/5)1 20:11:00:33:11:00:2a:4a(pwwn) 20:81:00:44:22:00:4a:9e (fc3/1)[Total 2 entries]Example 32-3 Displays the Activated Database
switch# show port-security database active----------------------------------------------------------------------------------------VSAN Logging-in Entity Logging-in Point (Interface) Learnt----------------------------------------------------------------------------------------1 21:00:00:e0:8b:06:d9:1d(pwwn) 20:0d:00:05:30:00:95:de(fc1/13) Yes1 50:06:04:82:bc:01:c3:84(pwwn) 20:0c:00:05:30:00:95:de(fc1/12) Yes2 20:00:00:05:30:00:95:df(swwn) 20:0c:00:05:30:00:95:de(port-channel 128) Yes3 20:00:00:05:30:00:95:de(swwn) 20:01:00:05:30:00:95:de(fc1/1)[Total 4 entries]Example 32-4 Displays the Contents of the Temporary Configuration Database
switch# show port-security pending vsan 1Session Context for VSAN 1---------------------------Activation Status: ActiveAuto Learn Status: OnForce activate: NoConfig db modified: YesActivation done: YesSession owner: admin(2)Session database:--------------------------------------------------------------------------------VSAN Logging-in Entity Logging-in Point (Interface)--------------------------------------------------------------------------------1 20:11:00:33:22:00:2a:4a(pwwn) 20:41:00:05:30:00:4a:1e(fc2/1)[Total 1 entries]Example 32-5 Displays the Difference between the Temporary Configuration Database and the Configuration Database
switch# show port-security pending-diff vsan 1Session Diff for VSAN: 1-------------------------Database will be activatedLearning will be turned ONDatabase Diff:+pwwn 20:11:00:33:22:00:2a:4a fwwn 20:41:00:05:30:00:4a:1eThe access information for each port can be individually displayed. If you specify the fwwn or interface options, all devices that are paired in the active database (at that point) with the given fWWN or the interface are displayed (see Examples 32-6 to 32-8).
Example 32-6 Displays the Wildcard fWWN Port Security in VSAN 1
switch# show port-security database fwwn 20:85:00:44:22:00:4a:9e vsan 1Any port can login thru' this fwwnExample 32-7 Displays the Configured fWWN Port Security in VSAN 1
switch# show port-security database fwwn 20:01:00:05:30:00:95:de vsan 120:00:00:0c:88:00:4a:e2(swwn)Example 32-8 Displays the Interface Port Information in VSAN 2
switch# show port-security database interface fc 1/1 vsan 220:00:00:0c:88:00:4a:e2(swwn)The port security statistics are constantly updated and available at any time (see Example 32-9).
Example 32-9 Displays the Port Security Statistics
switch# show port-security statisticsStatistics For VSAN: 1------------------------Number of pWWN permit: 2Number of nWWN permit: 2Number of sWWN permit: 2Number of pWWN deny : 0Number of nWWN deny : 0Number of sWWN deny : 0Total Logins permitted : 4Total Logins denied : 0Statistics For VSAN: 2------------------------Number of pWWN permit: 0Number of nWWN permit: 0Number of sWWN permit: 2Number of pWWN deny : 0Number of nWWN deny : 0Number of sWWN deny : 0...To verify the status of the active database and the auto-learn configuration, use the show port-security status command (see Example 32-10).
Example 32-10 Displays the Port Security Status
switch# show port-security statusFabric Distribution EnabledVSAN 1 :No Active database, learning is disabled, Session Lock TakenVSAN 2 :No Active database, learning is disabled, Session Lock Taken...The show port-security command displays the previous 100 violations by default (see Example 32-11).
Example 32-11 Displays the Violations in the Port Security Database
switch# show port-security violations------------------------------------------------------------------------------------------VSAN Interface Logging-in Entity Last-Time [Repeat count]------------------------------------------------------------------------------------------1 fc1/13 21:00:00:e0:8b:06:d9:1d(pwwn) Jul 9 08:32:20 2003 [20]20:00:00:e0:8b:06:d9:1d(nwwn)1 fc1/12 50:06:04:82:bc:01:c3:84(pwwn) Jul 9 08:32:20 2003 [1]50:06:04:82:bc:01:c3:84(nwwn)2 port-channel 1 20:00:00:05:30:00:95:de(swwn) Jul 9 08:32:40 2003 [1][Total 2 entries]The show port-security command issued with the last number option displays only the specified number of entries that appear first.
Default Settings
Table 32-5 lists the default settings for all port security features in any switch.
