Showing results for 
Search instead for 
Did you mean: 

Configuring Nexus 1000v Port Security



Port security lets you configure Layer 2 interfaces permitting inbound traffic from a restricted, secured set of MAC addresses. Traffic from secured MAC addresses is not allowed on another interface within the same VLAN. The Port security feature allows you to configure a maximum number of hosts or MAC addresses that are allowed to connect to the interface. One flexibility in the feature that has been introduced in the Nexus switches is that it’s possible to configure the port-security maximum amounts per VLAN.


Secure MAC Address Learning

The process of securing a MAC address is called learning. The number of addresses that can be learned is restricted. Address learning can be accomplished using the following methods on any interface where port security is enabled:

Static Method - The static learning method lets you manually add or remove secure MAC addresses in the configuration of an interface.

Dynamic Method (the default method) - With this method, the device secures MAC addresses as ingress traffic passes through the interface. If the address is not yet secured and the device has not reached any applicable maximum, it secures the address and allows the traffic.

Sticky Method - If you enable the sticky method, the device secures MAC addresses in the same manner as dynamic address learning. These addresses can be made persistent through a reboot by copying the running-configuration to the startup-configuration, copy run start.



Port Types


You can configure port security only on Layer 2 interfaces. Following is detail about port security and different types of interfaces or ports:

Access ports: You can configure port security on interfaces that you have configured as Layer 2 access ports. On an access port, port security applies only to the access VLAN.
Trunk ports: You can configure port security on interfaces that you have configured as Layer 2 trunk veth ports. VLAN maximums are not useful for access ports. The device allows VLAN maximums only for VLANs associated with the trunk port.
SPAN ports: You can configure port security on SPAN source ports but not on SPAN destination ports.
Ethernet Ports: Port security is not supported on Ethernet ports.
Ethernet Port Channels: Port security is not supported on Ethernet port channels.


Rule Violation and Actions

Rule violation occurs when any of the following happens:

  • Ingress traffic arrives at an interface from a nonsecure MAC address and learning the address would exceed the applicable maximum number of secure MAC addresses.
  • Ingress traffic from a secure MAC address arrives at a different interface in the same VLAN as the interface on which the address is secured.

Following actions can be taken depending on the rule violation:
Shutdown : Means that the interface will go into errdisable state and the interface is completely shutdown at that point. After it is re-enabled it keeps its port-security configuration without changing anything. This is the default mode.

Restrict: Traffic from secure MAC addresses is allowed on the interface, but traffic from any unsecured MAC addresses is dropped and a count is kept for the dropped packets.

Protect: Traffic from secure MAC addresses is still allowed, but the interface is protected as MAC address learning is disabled right after the first unsecured MAC address is seen. This means that new MAC addresses are no longer learnt. Traffic from previously learned safe MAC addresses can still pass through the interface.


Sample Configuration

 port-profile type vethernet ESXi
     switchport port-security
     switchpor port-security maximum 10
     switchport-security violation shutdown

 port-profile type vethernet Linux
     switchport port-sec aging type inactivity
     switchport port-sec aging time 6

 port-profile type vethernet VLAN505
     switchport port-security
     switchport port-security maximum 5
     switchport port-security violation restrict


Related Information

Nexus 1000V Port Profiles
Nexus 1000V Recovery from Failed VEM