Port security lets you configure Layer 2 interfaces to permit inbound traffic only from a restricted, secured set of MAC addresses. Traffic from a secured MAC address is not allowed on any other interface within the same VLAN. The port security feature also lets you configure a maximum number of hosts (MAC addresses) that are allowed to connect to the interface. One added flexibility introduced on the Nexus switches is that the port-security maximum can be configured per VLAN.
Secure MAC Address Learning
The process of securing a MAC address is called learning. The number of addresses that can be learned is restricted. Address learning can be accomplished with the following methods on any interface where port security is enabled:
Static Method - The static learning method lets you manually add or remove secure MAC addresses in the configuration of an interface.
Dynamic Method (the default method) - With this method, the device secures MAC addresses as ingress traffic passes through the interface. If the address is not yet secured and the device has not reached any applicable maximum, it secures the address and allows the traffic.
Sticky Method - If you enable the sticky method, the device secures MAC addresses in the same manner as dynamic address learning. These addresses can be made persistent across a reboot by copying the running configuration to the startup configuration (copy run start).
You can configure port security only on Layer 2 interfaces. The following details how port security applies to the different types of interfaces or ports:
Access ports: You can configure port security on interfaces that you have configured as Layer 2 access ports. On an access port, port security applies only to the access VLAN.
Trunk ports: You can configure port security on interfaces that you have configured as Layer 2 trunk veth ports. VLAN maximums are not useful for access ports; the device allows VLAN maximums only for VLANs associated with the trunk port.
SPAN ports: You can configure port security on SPAN source ports but not on SPAN destination ports.
Ethernet ports: Port security is not supported on Ethernet ports.
Ethernet port channels: Port security is not supported on Ethernet port channels.
Rule Violation and Actions
A rule violation occurs when either of the following happens:
Ingress traffic arrives at an interface from a nonsecure MAC address and learning the address would exceed the applicable maximum number of secure MAC addresses.
Ingress traffic from a secure MAC address arrives at a different interface in the same VLAN as the interface on which the address is secured.
The following actions can be taken when a rule violation occurs:
Shutdown: The interface goes into the errdisable state and is completely shut down at that point. After it is re-enabled it keeps its port-security configuration unchanged. This is the default mode.
Restrict: Traffic from secure MAC addresses is allowed on the interface, but traffic from any unsecured MAC addresses is dropped and a count is kept for the dropped packets.
Protect: Traffic from secure MAC addresses is still allowed, but the interface is protected by disabling MAC address learning as soon as the first unsecured MAC address is seen. This means that no new MAC addresses are learned; traffic from previously learned (secured) MAC addresses can still pass through the interface.
Example port-profile configurations:

port-profile type vethernet ESXi
  switchport port-security
  switchport port-security maximum 10
  switchport port-security violation shutdown

port-profile type vethernet Linux
  switchport port-security aging type inactivity
  switchport port-security aging time 6

port-profile type vethernet VLAN505
  switchport port-security
  switchport port-security maximum 5
  switchport port-security violation restrict
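To make the learning and violation rules above concrete, here is an added Python model of them (example code written for this page, not Cisco's implementation): per-port secured MACs, a per-port maximum, the two violation conditions, and the shutdown/restrict/protect actions. Port names and MAC values are constructed for the scenario.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """One port-security-enabled veth port (model of the rules above)."""
    name: str
    maximum: int = 1                  # switchport port-security maximum N
    violation: str = "shutdown"       # shutdown (default) | restrict | protect
    secured: set = field(default_factory=set)
    errdisabled: bool = False         # set by the shutdown action
    learning: bool = True             # cleared by the protect action
    dropped: int = 0                  # counter kept by the restrict action

def _violate(port):
    """Apply the configured violation action; the offending frame is dropped."""
    if port.violation == "shutdown":
        port.errdisabled = True       # whole interface goes errdisable
    elif port.violation == "restrict":
        port.dropped += 1             # drop and count the packet
    elif port.violation == "protect":
        port.learning = False         # stop learning, keep forwarding secured MACs
    return "drop"

def ingress(port, vlan_owner, mac):
    """Return 'forward' or 'drop' for a frame from `mac` arriving on `port`.

    vlan_owner maps each secured MAC in the VLAN to the port that secured it,
    so the same MAC arriving on another port in that VLAN is a violation.
    """
    if port.errdisabled:
        return "drop"
    owner = vlan_owner.get(mac)
    if owner is not None and owner is not port:
        return _violate(port)         # rule 2: secured MAC seen on another port
    if mac in port.secured:
        return "forward"
    if not port.learning or len(port.secured) >= port.maximum:
        return _violate(port)         # rule 1: learning would exceed the maximum
    port.secured.add(mac)             # dynamic/sticky learning of a new address
    vlan_owner[mac] = port
    return "forward"

def demo():
    """Constructed scenario: two ports in one VLAN, maximum 2, different actions."""
    vlan505 = {}
    p1 = SecurePort("Veth1", maximum=2, violation="restrict")
    p2 = SecurePort("Veth2", maximum=2)             # default action: shutdown
    out = [ingress(p1, vlan505, m) for m in ("aa", "bb", "cc", "aa")]
    roam = ingress(p2, vlan505, "aa")                # aa is already secured on Veth1
    return out, p1.dropped, roam, p2.errdisabled
```

Running demo() shows the third MAC on Veth1 being dropped and counted under restrict, and Veth2 going errdisable as soon as a MAC secured on Veth1 appears on it.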