
NX-OS Port Security

posted Apr 24, 2014, 8:21 PM by Rick McGee   [ updated Apr 24, 2014, 8:22 PM ]
MAC to Port Mapping 
    Don't allow any MAC addresses other than those mapped to the port to pass traffic 
        Static= Static MAC-to-Port Mapping 
        
        Dynamic= Learn the MAC and map it to the port, then don't allow any other MAC addresses;
        one or more MACs are learned depending on the configured maximum. Dynamic mappings can age out 

        Sticky= Same as dynamic, but stores the mapping in NVRAM (think: it survives a reboot)

Violations
    Shutdown= Shuts down the port

    Restrict= Drops traffic from any other MAC addresses 

    Protect= Same as Restrict, but will learn the MAC address of the first violator and will log the 
                   violator, but will not learn any other MACs. It will still drop the traffic.
                   This SHOULD be the setting used in ISE deployments

Configure port security only on L2 interfaces 
    Access Port: You can configure port security on interfaces that you have configured as L2 access
                        ports

    Trunk Ports: You can configure port security on interfaces that you have configured as L2 trunk
                        ports and will allow VLAN maximums only for VLAN associated with the trunk port

    SPAN Ports: You can configure port security on SPAN SRC ports, but not on SPAN DEST ports

    Ethernet Port-Channels: You can configure port security on L2 ethernet port-channel in either
                                        access mode or trunk mode

    Virtual Port-Channels: Port security is supported on orphan ports, switch virtual port-channels
                                        (vPCs), straight-through vPCs, active-active vPCs, and enhanced 
                                        L2 vPCs 
    
    Fabric Extenders (FEX) Ports: Port security is supported on GEM (generic expansion modules) and 
                                                 FEX ports 

    Private VLAN Enabled Ports: Port security is supported on ports that are enabled as private
                                                VLAN ports.
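To tie the notes above together, here is an added audit script (my own example, not from the original post or from Cisco) that parses a running-config in NX-OS syntax, skips routed ports, and reports each L2 port's learning mode (static, dynamic or sticky) and violation action, flagging anything other than protect since that is the setting the post recommends for ISE ports. The config text and interface names are a constructed sample; the defaults assumed when nothing is configured are dynamic learning and violation shutdown.

```python
# Constructed sample running-config (made up, not from a real device): an access port
# set up as the post recommends, a trunk left on defaults, a bare L2 port, a routed port.
SAMPLE_CONFIG = """\
feature port-security
interface Ethernet1/1
  switchport mode access
  switchport port-security
  switchport port-security maximum 2
  switchport port-security violation protect
  switchport port-security mac-address sticky
interface Ethernet1/2
  switchport mode trunk
  switchport port-security
  switchport port-security maximum 10 vlan 100
interface Ethernet1/3
  switchport mode access
interface Ethernet1/4
  no switchport
  ip address 10.0.0.1/30
"""

def parse_interfaces(config):
    """Split the config into {interface name: [lines of its stanza]}."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            ifaces[current] = []
        elif current and line.startswith("  "):
            ifaces[current].append(line.strip())
        else:
            current = None  # left the stanza (e.g. a global command)
    return ifaces

def audit(config):
    """Per L2 port: learning mode, violation action and anything worth reviewing."""
    ps = "switchport port-security"
    report = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("switchport") for l in lines):
            continue  # no 'switchport' command: routed port, port security does not apply
        if ps not in lines:
            report[name] = {"enabled": False, "issues": ["port security not enabled"]}
            continue
        learning = "dynamic"  # assumed default; violation likewise defaults to shutdown below
        if any(l.startswith(ps + " mac-address ") for l in lines):
            learning = "sticky" if ps + " mac-address sticky" in lines else "static"
        violation = next((l.split()[-1] for l in lines if l.startswith(ps + " violation ")), "shutdown")
        issues = [] if violation == "protect" else [f"violation '{violation}'; post recommends protect for ISE ports"]
        report[name] = {"enabled": True, "learning": learning, "violation": violation, "issues": issues}
    return report
```

Run audit(SAMPLE_CONFIG) and the trunk Ethernet1/2 is reported as dynamic learning with the default shutdown action, Ethernet1/3 as an L2 port with no port security, and the routed Ethernet1/4 is left out.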


