
Port-Security NX-OS

KPKing
Level 1

I'm having issues configuring port security on a Nexus 9504. I'm familiar with port security on IOS but NX-OS is new to me. I'm stuck at turning on the feature; it simply isn't available as a feature, and according to the documentation it should be. Additional licensing isn't required. What am I missing?

Ver: nxos.7.0.3.I4.6

Cisco Docs: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_010101.htm...

 

Any help is appreciated!

 

 

 

12 Replies

Reza Sharifi
Hall of Fame

So, the "feature port-security" command is not available?

What is the output of "feature port?"

HTH 

That’s correct. See output below…

9504(config)# feature port
                             ^
% Invalid command at '^' marker.

Or…

9504(config)# feature p?
  password      Credential(s) for the user(s)/device(s)
  pbr           Enable/Disable Policy Based Routing(PBR)
  pim           Enable/Disable Protocol Independent Multicast (PIM)
  private-vlan  Enable/Disable private-vlan
  privilege     Enable/Disable IOS type privilege level support
  ptp           Enable/Disable PTP

Maybe this platform does not support port security.

HTH

It does according to the configuration guide.

 

 

Can you run show port-security and post the output of that?

 

Command not available. It acts like it requires additional licensing but according to the documentation it shouldn't. See output below...

 

9504# sho port-?
port-channel Show port-channel information

Andrea Testino
Cisco Employee

Hi there,

 

The reason this CLI isn't parsing out is because port-security was introduced in NX-OS 7.0(3)I5(1) and later. I see that your current version is I4(6). 

 

This is documented both in the Release Notes for 7.0(3)I5(1) under the "Security Feature" section:

 

Security Features 

Port security – Configures Layer 2 physical interfaces and Layer 2 port-channel interfaces to allow inbound traffic from only a restricted set of MAC addresses. Port security is not supported on vPCs, and we do not recommend enabling port security in vPC deployments.

 

It is also listed in the "New and Changed information" for the 7.x Security Configuration Guide

 

Port security | Introduced this feature. | 7.0(3)I5(1) | Configuring Port Security

 

You'd have to upgrade the chassis to a version in which this feature is supported.

 

Hope that helps!

 

- Andrea

- Andrea, CCIE #56739 R&S
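
A pre-check for the version gap identified in this reply, as an added example that is not part of the original posts and not Cisco tooling: it parses both version notations seen in the thread (the image form `nxos.7.0.3.I4.6` and the release form `7.0(3)I5(1)`) and compares the running release against the one that introduced port security. The function names, the ordering rule (base release first, then train numbers within the same train letter) and the `9.3(5)` sample string are assumptions made for this example.

```python
import re

# Release in which, per the thread, port security was introduced on Nexus 9000.
PORT_SECURITY_MIN = "7.0(3)I5(1)"

# Accepts both notations seen in the thread:
#   release form: 7.0(3)I5(1)     image form: nxos.7.0.3.I4.6
# The train part (letter + two numbers) is optional, e.g. 9.3(5).
_VERSION_RE = re.compile(
    r"(?:nxos\.)?(\d+)\.(\d+)[.(](\d+)\)?"
    r"(?:\.?([A-Z])(\d+)[.(](\d+)\)?)?"
)


def parse_nxos_version(text):
    """Return (major, minor, maint, train, train_major, train_minor)."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"unrecognised NX-OS version: {text!r}")
    major, minor, maint, train, t_major, t_minor = m.groups()
    base = (int(major), int(minor), int(maint))
    if train is None:
        return base + (None, None, None)
    return base + (train, int(t_major), int(t_minor))


def supports_port_security(running, minimum=PORT_SECURITY_MIN):
    """True if `running` is at or above `minimum` (assumed ordering rule)."""
    run, req = parse_nxos_version(running), parse_nxos_version(minimum)
    if run[:3] != req[:3]:
        # Different base release: compare major.minor(maint) only.
        return run[:3] > req[:3]
    if run[3] != req[3]:
        # Same base but another train letter: refuse to guess.
        raise ValueError(f"cannot compare train {run[3]} with {req[3]}")
    return run[4:] >= req[4:]


if __name__ == "__main__":
    # First two versions appear in the thread; 9.3(5) is a constructed sample.
    for ver in ("nxos.7.0.3.I4.6", "7.0(3)I7(1)", "9.3(5)"):
        verdict = "ok" if supports_port_security(ver) else "upgrade first"
        print(f"{ver:18} {verdict}")
```
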

Andrea,

 

Thank you very much for your input. I do have a couple of follow-up questions. You refer to nxos.7.0.3.I4.6 as the issue and recommend a chassis upgrade. Shouldn't I be able to upgrade the NXOS to 7.0(3)I5(1)?

Hi there,

 

That is correct. You would have to upgrade to 7.0(3)I5(1) or later to support this feature. Personally, I'd go to 7.0(3)I7(1), which was recently released and contains vast integrated fixes versus the I5(x) short-lived release.

 

Thank you!

 

- Andrea

- Andrea, CCIE #56739 R&S

Great, but...do I also need to upgrade the chassis?

Hi,

 

I realize where the confusion is coming from - When I said "upgrade the chassis", I was referring to the NX-OS version of it (not the HW by any means). Sorry about that. TAC habit.

 

Thanks!

 

- Andrea

- Andrea, CCIE #56739 R&S

Gotcha. Thank you for the clarification. I really didn't want to update my chassis, especially since it's less than six months old.

 

I'll try this during our next maintenance window.

 

Thanks again!