The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to configure port security on Cisco NX-OS devices.
This chapter includes the following sections:
Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "New and Changed Information"chapter or the Feature History table in this chapter.
Port security allows you to configure Layer 2 physical interfaces and Layer 2 port-channel interfaces to allow inbound traffic from only a restricted set of MAC addresses. The MAC addresses in the restricted set are called secure MAC addresses. In addition, the device does not allow traffic from these MAC addresses on another interface within the same VLAN. The number of MAC addresses that the device can secure is configurable per interface.
 Note |
Unless otherwise specified, the term interface refers to both physical interfaces and port-channel interfacesphysical interfaces, port-channel interfaces, and vPCs; likewise, the term Layer 2 interface refers to both Layer 2 physical interfaces and Layer 2 port-channel interfaces. |
The process of securing a MAC address is called learning. A MAC address can be a secure MAC address on one interface only. For each interface that you enable port security on, the device can learn a limited number of MAC addresses by the static, dynamic, or sticky methods. The way that the device stores secure MAC addresses varies depending upon how the device learned the secure MAC address.
The static learning method allows you to manually add or remove secure MAC addresses to the running configuration of an interface. If you copy the running configuration to the startup configuration, static secure MAC addresses are unaffected if the device restarts.
A static secure MAC address entry remains in the configuration of an interface until one of the following events occurs:
You explicitly remove the address from the configuration.
You configure the interface to act as a Layer 3 interface.
Adding secure addresses by the static method is not affected by whether dynamic or sticky address learning is enabled.
By default, when you enable port security on an interface, you enable the dynamic learning method. With this method, the device secures MAC addresses as ingress traffic passes through the interface. If the address is not yet secured and the device has not reached any applicable maximum, it secures the address and allows the traffic.
The device stores dynamic secure MAC addresses in memory. A dynamic secure MAC address entry remains in the configuration of an interface until one of the following events occurs:
The device restarts.
The interface restarts.
The address reaches the age limit that you configured for the interface.
You explicitly remove the address.
You configure the interface to act as a Layer 3 interface.
If you enable the sticky method, the device secures MAC addresses in the same manner as dynamic address learning, but the device stores addresses learned by this method in nonvolatile RAM (NVRAM). As a result, addresses learned by the sticky method persist through a device restart. Sticky secure MAC addresses do not appear in the running configuration of an interface.
Dynamic and sticky address learning are mutually exclusive. When you enable sticky learning on an interface, the device stops dynamic learning and performs sticky learning instead. If you disable sticky learning, the device resumes dynamic learning.
A sticky secure MAC address entry remains in the configuration of an interface until one of the following events occurs:
You explicitly remove the address.
You configure the interface to act as a Layer 3 interface.
The device ages MAC addresses learned by the dynamic method and drops them after the age limit is reached. You can configure the age limit on each interface. The range is from 1 to 1440 minutes. The default aging time is 0, which disables aging.
The method that the device uses to determine that the MAC address age is also configurable. The two methods of determining address age are as follows:
The length of time after the device last received a packet from the address on the applicable interface.
The length of time after the device learned the address. This is the default aging method; however, the default aging time is 0 minutes, which disables aging.
Note |
If the absolute method is used to age out a MAC address, then depending on the traffic rate, few packets may drop each time a MAC address is aged out and relearned. To avoid this use inactivity timeout. |
By default, an interface can have only one secure MAC address. You can configure the maximum number of MAC addresses permitted per interface or per VLAN on an interface. Maximums apply to secure MAC addresses learned by any method: dynamic, sticky, or static.
Note |
In vPC domains, the configuration on the primary vPC takes effect. |
 Tip |
To ensure that an attached device has the full bandwidth of the port, set the maximum number of addresses to one and configure the MAC address of the attached device. |
The following three limits can determine how many secure MAC addresses are permitted on an interface:
The device has a nonconfigurable limit of 8192 secure MAC addresses. If learning a new address would violate the device maximum, the device does not permit the new address to be learned, even if the interface or VLAN maximum has not been reached.
You can configure a maximum number of 1025 secure MAC addresses for each interface protected by port security. The default interface maximum is one address. Sum of all interface maximums on a switch cannot exceed the system maximum.
You can configure the maximum number of secure MAC addresses per VLAN for each interface protected by port security. The sum of all VLAN maximums under an interface cannot exceed the configured interface maximum. VLAN maximums are useful only for trunk ports. There are no default VLAN maximums.
You can configure VLAN and interface maximums per interface, as needed; however, when the new limit is less than the applicable number of secure addresses, you must reduce the number of secure MAC addresses first. Otherwise, the configuration of new limit is rejected.
Port security triggers security violations when either of the two following events occur:
Ingress traffic arrives at an interface from a nonsecure MAC address and learning the address would exceed the applicable maximum number of secure MAC addresses.
VLAN 1 has a maximum of 5 addresses
The interface has a maximum of 10 addresses
The interface has a maximum of 20 addresses
The device has learned five addresses for VLAN 1 and inbound traffic from a sixth address arrives at the interface in VLAN 1.
The device has learned 10 addresses on the interface and inbound traffic from an 11th address arrives at the interface.
Ingress traffic from a secure MAC address arrives at a different secured interface in the same VLAN as the interface on which the address is secured.
When a security violation occurs, the device increments the security violation counter for the interface and takes the action specified by the port security configuration of the interface. If a violation occurs because ingress traffic from a secure MAC address arrives at a different interface than the interface on which the address is secure, the device applies the action on the interface that received the traffic.
The violation modes and the possible actions that a device can take are as follows:
Error disables the interface that received the packet triggering the violation and the port shuts down. The security violation count is set to 1. This action is the default. After you reenable the interface, it retains its port security configuration, including its static and sticky secure MAC addresses. However, the dynamic MAC addresses are not retained and have to relearned.
You can use the errdisable recovery cause pscecure-violation global configuration command to configure the device to reenable the interface automatically if a shutdown occurs, or you can manually reenable the interface by entering the shutdown and no shut down interface configuration commands. For detailed information about the commands, see the Security Command Reference for your platform.
Drops ingress traffic from any nonsecure MAC addresses.
The device keeps a count of the number of unique source MAC addresses of dropped packets, which is called the security violation count.
Violation is triggered for each unique nonsecure source MAC address and security violation count increments till 10, which is the maximum value. The maximum value of 10 is fixed and not configurable.
Address learning continues until the maximum security violations (10 counts) have occurred on the interface. Traffic from addresses learned after the first security violation are added as BLOCKED entries in the MAC table and dropped. These BLOCKED MAC address age out after 5 minutes. The BLOCKED MAC address age out time of 5 minutes is fixed and not configurable.
In case of MAX count violation, after the maximum number of MAX count violations (10) is reached, the device stops learning new MAC addresses. Interface remains up.
In case of MAC move violation, when the maximum security violations have occurred on the interface, the interface is error Disabled.
Prevents further violations from occurring. The address that triggered the security violation is learned but any traffic from the address is dropped. Security violation counter is set to 1, which is the maximum value. Further address learning stops. Interface remains up.
Note that the security violation is reset to 0 after the interface is recovered from violation through one of the following events:
Dynamic secure MAC addresses age out
Interface flap, link down, or link up events
Port-security disable and re-enable on the interface
Changing violation mode of the interface
Note |
If an interface is errDisabled, you can bring it up only by flapping the interface. |
You can configure port security only on Layer 2 interfaces. Details about port security and different types of interfaces or ports are as follows:
You can configure port security on interfaces that you have configured as Layer 2 access ports. On an access port, port security applies only to the access VLAN. VLAN maximums are not useful for access ports.
You can configure port security on interfaces that you have configured as Layer 2 trunk ports. The device allows VLAN maximums only for VLANs associated with the trunk port.
You can configure port security on SPAN source ports but not on SPAN destination ports.
You can configure port security on Layer 2 Ethernet port channels in either access mode or trunk mode.
Port security is supported on GEM and FEX ports.
Port Security is supported on ports that are enabled as Private VLAN ports.
You can configure Private VLANs (PVLANs) to provide traffic separation and security at the Layer 2 level. A PVLAN is one or more pairs of a primary VLAN and a secondary VLAN, all with the same primary VLAN.
You can configure a Layer 2 VLAN network interface, or switched virtual interface (SVI), on the PVLAN promiscuous port, which provides routing functionality to the primary PVLAN. This is supported on physical interfaces only.
You can configure PVLAN trunk secondary/promiscuous in the of switchport mode. This is supported for both physical interface and portchannel.
Port security is supported on Layer 2 port-channel interfaces. Port security operates on port-channel interfaces in the same manner as on physical interfaces, except as described in this section.
Port security on a port-channel interface operates in either access mode or trunk mode. In trunk mode, the MAC address restrictions enforced by port security apply to all member ports on a per-VLAN basis.
Enabling port security on a port-channel interface does not affect port-channel load balancing.
Port security does not apply to port-channel control traffic passing through the port-channel interface. Port security allows port-channel control packets to pass without causing security violations. Port-channel control traffic includes the following protocols:
Port Aggregation Protocol (PAgP)
Link Aggregation Control Protocol (LACP)
Inter-Switch Link (ISL)
IEEE 802.1Q
The port security configuration of a port-channel interface has no effect on the port security configuration of member ports.
If you add a secure interface as a member port of a port-channel interface, the device discards all dynamic secure addresses learned on the member port but retains all other port-security configuration of the member port in the running configuration. Sticky and static secure MAC addresses learned on the secure member port are also stored in the running configuration rather than NVRAM.
If port security is enabled on the member port and not enabled on the port-channel interface, the device warns you when you attempt to add the member port to the port-channel interface. You can use the force keyword with the channel-group command to forcibly add a secure member port to a nonsecure port-channel interface.
While a port is a member of a port-channel interface, you cannot configure port security on the member port. To do so, you must first remove the member port from the port-channel interface.
If you remove a member port from a port-channel interface, the device restores the port security configuration of the member port. Static and sticky secure MAC addresses that were learned on the port before you added it to the port-channel interface are restored to NVRAM and removed from the running configuration.
Note |
To ensure that all ports are secure as needed after you remove a port-channel interface, we recommend that you closely inspect the port-security configuration of all member ports. |
If you remove a secure port-channel interface, the following occurs:
The device discards all secure MAC addresses learned for the port-channel interface, including static and sticky secure MAC addresses learned on the port-channel interface.
The device restores the port-security configuration of each member port. The static and sticky secure MAC addresses that were learned on member ports before you added them to the port-channel interface are restored to NVRAM and removed from the running configuration. If a member port did not have port security enabled prior to joining the port-channel interface, port security is not enabled on the member port after the port-channel interface is removed.
Note |
To ensure that all ports are secure as needed after you remove a port-channel interface, we recommend that you closely inspect the port-security configuration of all member ports. |
If port security is enabled on any member port, the device does not allow you to disable port security on the port-channel interface. To do so, remove all secure member ports from the port-channel interface first. After disabling port security on a member port, you can add it to the port-channel interface again, as needed.
When you have configured port security on a Layer 2 interface and you change the port type of the interface, the device behaves as follows:
When you change a Layer 2 interface from an access port to a trunk port, the device deletes all secure addresses learned by the dynamic method. The device moves the addresses learned by the static method to the native trunk VLAN. The sticky MAC addresses remain in same VLAN if the VLAN exists. Otherwise, the MAC addresses move to the native VLAN of the trunk port.
When you change a Layer 2 interface from a trunk port to an access port, the device drops all secure addresses learned by the dynamic method. It also moves all addresses learned by the sticky method on the native trunk VLAN to the access VLAN. The device drops secure addresses learned by the sticky method if they are not on the native trunk VLAN.
When you change an interface from a Layer 2 interface to a Layer 3 interface, the device disables port security on the interface and discards all port security configuration for the interface. The device also discards all secure MAC addresses for the interface, regardless of the method used to learn the address.
When you change an interface from a Layer 3 interface to a Layer 2 interface, the device has no port security configuration for the interface.
The static secure addresses that are configured per access or trunk VLAN on an interface are not retained during the following events:
Changing global VLAN mode of the active VLANs on an interface between classical Ethernet and fabric path interfaces
Changing switchport mode access or trunk to private VLAN or vice versa
You can configure port security and 802.1X on the same interfaces. Port security secures the MAC addresses that 802.1X authenticates. 802.1X processes packets before port security processes them, so when you enable both on an interface, 802.1X is already preventing inbound traffic on the interface from unknown MAC addresses.
When you enable 802.1X and port security on the same interface, port security continues to learn MAC addresses by the sticky or dynamic method, as configured. Additionally, depending on whether you enable 802.1X in single-host mode or multiple-host mode, one of the following occurs:
Port security learns the MAC address of the authenticated host.
Port security drops any MAC addresses learned for this interface by the dynamic method and learns the MAC address of the first host authenticated by 802.1X.
If a MAC address that 802.1X passes to port security would violate the applicable maximum number of secure MAC addresses, the device sends an authentication failure message to the host.
The device treats MAC addresses authenticated by 802.1X as though they were learned by the dynamic method, even if port security previously learned the address by the sticky or static methods. If you attempt to delete a secure MAC address that has been authenticated by 802.1X, the address remains secure.
If the MAC address of an authenticated host is secured by the sticky or static method, the device treats the address as if it were learned by the dynamic method, and you cannot delete the MAC address manually.
Port security integrates with 802.1X to reauthenticate hosts when the authenticated and secure MAC address of the host reaches its port security age limit. The device behaves differently depending upon the type of aging, as follows:
Port security notifies 802.1X and the device attempts to reauthenticate the host. The result of reauthentication determines whether the address remains secure. If reauthentication succeeds, the device restarts the aging timer on the secure address; otherwise, the device drops the address from the list of secure addressees for the interface.
Port security drops the secure address from the list of secure addresses for the interface and notifies 802.1X. The device attempts to reauthenticate the host. If reauthentication succeeds, port security secures the address again.
Port security supports VDCs as follows:
Port security is local to each VDC. You enable and configure port security on a per-VDC basis.
Each VDC maintains secure MAC addresses separately.
The device cannot issue a security violation when a secured MAC address in one VDC is seen on a protected interface in another VDC.
Port security has the following prerequisites:
You must globally enable port security for the device that you want to protect with port security.
This table lists the default settings for port security parameters.
|
Parameters |
Default |
|---|---|
|
Port security enablement globally |
Disabled |
|
Port security enablement per interface |
Disabled |
|
MAC address learning method |
Dynamic |
|
Interface maximum number of secure MAC addresses |
1 |
|
Security violation action |
Shutdown |
|
Aging type |
Absolute |
|
Aging time |
0 |
When configuring port security, follow these guidelines:
Port security is supported on PVLAN ports.
Port security does not support switched port analyzer (SPAN) destination ports.
Port security does not depend upon other features.
If any member link in a port-channel is in the pre-provisioned state, that is, the module is offline, then the port security feature cannot be disabled on the port-channel.
Port security is not supported on vPC ports.
Port security operates with 802.1X on Layer 2 Ethernet interfaces.
You can enable or disable port security globally on a device. By default, port security is disabled globally.
When you disable port security, all port security configuration on the interface is ineffective. When you disable port security globally, all port security configuration is lost.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
[no] feature port-security Example: |
Enables port security globally. The no option disables port security globally. |
|
Step 3 |
show port-security Example: |
Displays the status of port security. |
|
Step 4 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can enable or disable port security on a Layer 2 interface. By default, port security is disabled on all interfaces.
When you disable port security on an interface, all switchport port security configuration for the interface is lost.
You can enable port-security on a port-channel in the following ways:
Bundle member links into a port-channel by using the channel-group command and then enable port-security on the port-channel.
Create port-channel and configure port security. Configure port security on member links and then bundle member links by using the channel-group command. In case of pre-provisioned member links, you can bundle them to the port-channel after the module is online.
You must have enabled port security globally.
If a Layer 2 Ethernet interface is a member of a port-channel interface, you cannot enable or disable port security on the Layer 2 Ethernet interface.
If any member port of a secure Layer 2 port-channel interface has port security enabled, you cannot disable port security for the port-channel interface unless you first remove all secure member ports from the port-channel interface.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
Enter one of the following commands:
Example: |
Enters interface configuration mode for the Ethernet or port-channel interface that you want to configure with port security. |
|
Step 3 |
switchport Example: |
Configures the interface as a Layer 2 interface. |
|
Step 4 |
[no] switchport port-security Example: |
Enables port security on the interface. The no option disables port security on the interface. |
|
Step 5 |
show running-config port-security Example: |
Displays the port security configuration. |
|
Step 6 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can disable or enable sticky MAC address learning on an interface. If you disable sticky learning, the device returns to dynamic MAC address learning on the interface, which is the default learning method.
By default, sticky MAC address learning is disabled.
You must have enabled port security globally.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
Enter one of the following commands:
Example: |
Enters interface configuration mode for the interface that you want to configure with sticky MAC address learning. |
|
Step 3 |
switchport Example: |
Configures the interface as a Layer 2 interface. |
|
Step 4 |
[no] switchport port-security mac-address sticky Example: |
Enables sticky MAC address learning on the interface. The no option disables sticky MAC address learning. |
|
Step 5 |
show running-config port-security Example: |
Displays the port security configuration. |
|
Step 6 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can add a static secure MAC address on a Layer 2 interface.
Note |
If the MAC address is a secure MAC address on any interface, you cannot add it as a static secure MAC address to another interface until you remove it from the interface on which it is already a secure MAC address. |
By default, no static secure MAC addresses are configured on an interface.
You must have enabled port security globally.
Verify that the interface maximum has not been reached for secure MAC addresses. If needed, you can remove a secure MAC address or you can change the maximum number of addresses on the interface.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
Enter one of the following commands:
Example: |
Enters interface configuration mode for the interface that you specify. |
|
Step 3 |
[no] switchport port-security mac-address address [vlan vlan-ID] Example: |
Configures a static MAC address for port security on the current interface. Use the vlan keyword if you want to specify the VLAN that traffic from the address is allowed on. |
|
Step 4 |
show running-config port-security Example: |
Displays the port security configuration. |
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can remove a static secure MAC address on a Layer 2 interface.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
Enter one of the following commands:
Example: |
Enters interface configuration mode for the interface from which you want to remove a static secure MAC address. |
|
Step 3 |
no switchport port-security mac-address address Example: |
Removes the static secure MAC address from port security on the current interface. |
|
Step 4 |
show running-config port-security Example: |
Displays the port security configuration. |
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can remove a sticky secure MAC addresses, which requires that you temporarily disable sticky address learning on the interface that has the address that you want to remove.
You must have enabled port security globally.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
Enter one of the following commands:
Example: |
Enters interface configuration mode for the interface from which you want to remove a sticky secure MAC address. |
|
Step 3 |
no switchport port-security mac-address sticky Example: |
Disables sticky MAC address learning on the interface, which converts any sticky secure MAC addresses on the interface to dynamic secure MAC addresses. |
|
Step 4 |
clear port-security dynamic address address Example: |
Removes the dynamic secure MAC address that you specify. |
|
Step 5 |
(Optional) show port-security address interface {ethernet slot/ port | port-channel channel-number} Example: |
(Optional)
Displays secure MAC addresses. The address that you removed should not appear. |
|
Step 6 |
(Optional) switchport port-security mac-address sticky Example: |
(Optional)
Enables sticky MAC address learning again on the interface. |
You can remove dynamically learned, secure MAC addresses.
You must have enabled port security globally.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
clear port-security dynamic {interface ethernet slot/port | address address} [vlan vlan-ID] Example: |
Removes dynamically learned, secure MAC addresses, as specified. If you use the interface keyword, you remove all dynamically learned addresses on the interface that you specify. If you use the address keyword, you remove the single, dynamically learned address that you specify. Use the vlan keyword if you want to further limit the command to removing an address or addresses on a particular VLAN. |
|
Step 3 |
show port-security address Example: |
Displays secure MAC addresses. |
|
Step 4 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can configure the maximum number of MAC addresses that can be learned or statically configured on a Layer 2 interface. You can also configure a maximum number of MAC addresses per VLAN on a Layer 2 interface. The largest maximum number of addresses that you can configure on an interface is 1025 addresses. The system maximum number of address is 8192.
By default, an interface has a maximum of one secure MAC address. VLANs have no default maximum number of secure MAC addresses.
Note |
When you specify a maximum number of addresses that is less than the number of addresses already learned or statically configured on the interface, the device rejects the command. To remove all addresses learned by the dynamic method, use the shutdown and no shutdown commands to restart the interface. |
You must have enabled port security globally.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
Enter one of the following commands:
Example: |
Enters interface configuration mode, where slot is the interface that you want to configure with the maximum number of MAC addresses. |
|
Step 3 |
[no] switchport port-security maximum number [vlan vlan-ID] Example: |
Configures the maximum number of MAC addresses that can be learned or statically configured for the current interface. The highest valid number is 1025. The no option resets the maximum number of MAC addresses to the default, which is 1. If you want to specify the VLAN that the maximum applies to, use the vlan keyword. |
|
Step 4 |
show running-config port-security Example: |
Displays the port security configuration. |
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can configure the MAC address aging type and the length of time that the device uses to determine when MAC addresses learned by the dynamic method have reached their age limit.
Absolute aging is the default aging type.
By default, the aging time is 0 minutes, which disables aging.
You must have enabled port security globally.
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
||
|
Step 2 |
Enter one of the following commands:
Example: |
Enters interface configuration mode for the interface that you want to configure with the MAC aging type and time. |
||
|
Step 3 |
[no] switchport port-security aging type {absolute | inactivity} Example: |
Configures the type of aging that the device applies to dynamically learned MAC addresses. The no option resets the aging type to the default, which is absolute aging.
|
||
|
Step 4 |
[no] switchport port-security aging time minutes Example: |
Configures the number of minutes that a dynamically learned MAC address must age before the device drops the address. The maximum valid minutes is 1440. The no option resets the aging time to the default, which is 0 minutes (no aging). |
||
|
Step 5 |
show running-config port-security Example: |
Displays the port security configuration. |
||
|
Step 6 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can configure the action that the device takes if a security violation occurs. The violation action is configurable on each interface that you enable with port security.
The default security action is to shut down the port on which the security violation occurs.
You must have enabled port security globally.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
Enter one of the following commands:
Example: |
Enters interface configuration mode for the interface that you want to configure with a security violation action. |
|
Step 3 |
[no] switchport port-security violation {protect | restrict | shutdown} Example: |
Configures the security violation action for port security on the current interface. The no option resets the violation action to the default, which is to shut down the interface. |
|
Step 4 |
show running-config port-security Example: |
Displays the port security configuration. |
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
To display the port security configuration information, perform one of the following tasks. For detailed information about the fields in the output from this command, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.
|
Command |
Purpose |
|---|---|
|
show running-config port-security |
Displays the port security configuration. |
|
show port-security |
Displays the port security status of the device. |
|
show port-security interface |
Displays the port security status of a specific interface. |
|
show port-security address |
Displays secure MAC addresses. |
Use the show port-security address command to display secure MAC addresses. For detailed information about the fields in the output from this command, see the Cisco Nexus 7000 Series NX-OS Security Command Reference
The following example shows a port security configuration for the Ethernet 2/1 interface with VLAN and interface maximums for secure addresses. In this example, the interface is a trunk port. Additionally, the violation action is set to Restrict.
feature port-security
interface Ethernet 2/1
switchport
switchport port-security
switchport port-security maximum 10
switchport port-security maximum 7 vlan 10
switchport port-security maximum 3 vlan 20
switchport port-security violation restrictThis table lists the release history for this feature.
|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
Port security |
6.0(1) |
No change from Release 5.2. |
|
Port security |
4.2(1) |
Support for Layer 2 port-channel interfaces was added. |
Feedback