The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter contains the following sections:
The port security feature protects the ACI fabric from being flooded with unknown MAC addresses by limiting the number of MAC addresses learned per port. The port security feature support is available for physical ports, port channels, and virtual port channels.
The guidelines and restrictions are as follows:
Port security is available per port.
Port security is supported for physical ports, port channels, and virtual port channels (vPCs).
Static and dynamic MAC addresses are supported.
MAC address moves are supported from secured to unsecured ports and from unsecured ports to secured ports.
The MAC address limit is enforced only on the MAC address and is not enforced on a MAC and IP address.
Port security is not supported with the Fabric Extender (FEX).
In the APIC, the user can configure the port security on switch ports. Once the MAC limit has exceeded the maximum configured value on a port, all traffic from the exceeded MAC addresses is forwarded. The following attributes are supported:
Port Security Timeout—The current supported range for the timeout value is from 60 to 3600 seconds.
Violation Action—The violation action is available in protect mode. In the protect mode, MAC learning is disabled and MAC addresses are not added to the CAM table. Mac learning is re-enabled after the configured timeout value.
Maximum Endpoints—The current supported range for the maximum endpoints configured value is from 0 to 12000. If the maximum endpoints value is 0, the port security policy is disabled on that port.
|
Step 1 |
In the menu bar, click , and in the Navigation pane, expand . |
||
|
Step 2 |
Right-click Port Security and click Create Port Security Policy. |
||
|
Step 3 |
In the Create Port Security Policy dialog box, perform the following actions: |
||
|
Step 4 |
In the Navigation pane, click , and navigate to the desired leaf switch. Choose the appropriate port to configure the interface, and from the port security policy drop-down list, choose the desired port security policy to associate.
|
|
Configure the port security. Example: |
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure Example: |
Enters configuration mode. |
|
Step 2 |
leaf node-id Example: |
Specifies the leaf to be configured. |
|
Step 3 |
interface type-or-range Example: |
Specifies an interface or a range of interfaces to be configured. |
|
Step 4 |
[no] switchport port-security maximum number-of-addresses Example: |
Sets the maximum number of secure MAC addresses for the interface. The range is 0 to 12000 addresses. The default is 1 address. |
|
Step 5 |
[no] switchport port-security violation protect Example: |
Sets the action to be taken when a security violation is detected. The protect action drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value. |
|
Step 6 |
[no] switchport port-security timeout Example: |
Sets the timeout value for the interface. The range is from 60 to 3600. The default is 60 seconds. |
This example shows how to configure port security on an Ethernet interface.
apic1# configure
apic1(config)# leaf 101
apic1(config-leaf)# interface eth 1/2
apic1(config-leaf-if)# switchport port-security maximum 10
apic1(config-leaf-if)# switchport port-security violation protect
apic1(config-leaf-if)# switchport port-security timeout 300
This example shows how to configure port security on a port channel.
apic1# configure
apic1(config)# leaf 101
apic1(config-leaf)# interface port-channel po2
apic1(config-leaf-if)# switchport port-security maximum 10
apic1(config-leaf-if)# switchport port-security violation protect
apic1(config-leaf-if)# switchport port-security timeout 300
This example shows how to configure port security on a virtual port channel (VPC).
apic1# configure
apic1(config)# vpc domain explicit 1 leaf 101 102
apic1(config-vpc)# exit
apic1(config)# template port-channel po4
apic1(config-if)# exit
apic1(config)# leaf 101-102
apic1(config-leaf)# interface eth 1/11-12
apic1(config-leaf-if)# channel-group po4 vpc
apic1(config-leaf-if)# exit
apic1(config-leaf)# exit
apic1(config)# vpc context leaf 101 102
apic1(config-vpc)# interface vpc po4
apic1(config-vpc-if)# switchport port-security maximum 10
apic1(config-vpc-if)# switchport port-security violation protect
apic1(config-leaf-if)# switchport port-security timeout 300
For non-vPC ports or port channels, whenever a learn event comes for a new endpoint, a verification is made to see if a new learn is allowed. If the corresponding interface has a port security policy not configured or disabled, the endpoint learning behavior is unchanged with what is supported. If the policy is enabled and the limit is reached, the current supported action is as follows:
Learn the endpoint and install it in the hardware with a drop action.
Silently discard the learn.
If the limit is not reached, the endpoint is learned and a verification is made to see if the limit is reached because of this new endpoint. If the limit is reached, and the learn disable action is configured, learning will be disabled in the hardware on that interface (on the physical interface or on a port channel or vPC). If the limit is reached and the learn disable action is not configured, the endpoint will be installed in hardware with a drop action. Such endpoints are aged normally like any other endpoints.
When the limit is reached for the first time, the operational state of the port security policy object is updated to reflect it. A static rule is defined to raise a fault so that the user is alerted. A syslog is also raised when the limit is reached.
In case of vPC, when the MAC limit is reached, the peer leaf switch is also notified so learning can be disabled on the peer. As the vPC peer can be rebooted any time or vPC legs can become unoperational or restart, this state will be reconciled with the peer so vPC peers do not go out of sync with this state. If they get out of sync, there can be a situation where learning is enabled on one leg and disabled on the other leg.
By default, once the limit is reached and learning is disabled, it will be automatically re-enabled after the default timeout value of 60 seconds.
The protect mode prevents further port security violations from occurring. Once the MAC limit exceeds the maximum configured value on a port, all traffic from excess MAC addresses will be dropped and further learning is disabled.
|
Step 1 |
On the Cisco APIC, run a query for the l2PortSecurityPol class in Visore to verify the port security policy installation. |
|
Step 2 |
On the leaf switch, run a query for l2PortSecurityPolDef in Visore to confirm that the concrete object exists on the interface. |
|
Step 1 |
View the port security status on the switch interface as follows: Example: |
|
Step 2 |
View the port security status on the module interface as follows: Example: |
|
Step 3 |
View the port security status on the leaf switch as follows: Example: |
|
Step 4 |
Confirm the MAC limit on the module interface as follows: Example:Example: |
|
Step 5 |
View the port security status in the module and confirm the MAC limit as follows: Example:Example: |
Feedback