Fibre Channel port security prevents unauthorized Fibre Channel devices and switches from logging into the fabric. This protects the fabric from accidents, malicious intent or attacks such as WWN identity spoofing. It’s configured on a per-VSAN basis.
Everything covered here can be found in this configuration guide:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/6_2/configuration/guides/security/nx-os/sec_cli_6-x/psec.html
You have a few options to choose from when configuring Port Security:
1. Configure with auto-learning and CFS distribution
2. Configure with auto-learning without CFS distribution
3. Configure with manual database
The first method is definitely the most practical: you configure once, let the switches learn the current environment, and use Cisco Fabric Services (CFS) to distribute the result throughout the fabric. I’ll be following this method in this blog post; feel free to follow along. I’ve also added a quick template at the bottom.
The Cisco config guide details the steps (the order of operations is important!):
1. Enable port security
2. Enable CFS distribution
3. Activate port security on each VSAN (this turns on auto-learning by default unless you specify otherwise)
4. Issue a CFS commit to copy the configuration to all switches in the fabric.
Note: At this point, all switches are activated and auto-learning
5. Wait until all switches and all hosts are automatically learned
6. Disable auto-learn on each VSAN
7. Issue a CFS commit to copy the configuration to all switches in the fabric.
Note: At this point, the auto-learned entries from every switch are combined into a static active database that is distributed to all switches
8. Copy the active database to the configure database on each VSAN
9. Issue a CFS commit to copy the configuration to all switches in the fabric.
Note: This ensures that the configure database is the same on all switches in the fabric
10. Copy run start
Here’s our topology, let’s begin.
1. Enable port security
MDS1(config)# feature port-security
MDS2(config)# feature port-security
2. Enable CFS distribution (Optional, but preferred)
MDS1(config)# port-security distribute
MDS2(config)# port-security distribute
3. Activate port security on VSAN 101
This turns on auto-learning by default, unless you specify otherwise. First, notice that VSAN 101 has no active database, learning is disabled and no session is active:
MDS1(config)# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 101 :No Active database, learning is disabled, No Session
To activate:
MDS1(config)# port-security activate vsan 101
MDS1(config)# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 101 :No Active database, learning is disabled, Session Lock Taken
Note: If you choose to do manual port security configuration, this is where you disable auto-learning:
port-security activate vsan 101 no-auto-learn
4. Issue a CFS commit to copy the configuration to all switches in the fabric.
Once we commit, all switches in the distributed fabric should be activated and auto-learning:
MDS1(config)# port-security commit vsan 101
MDS1(config)# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 101 :Activated database, learning is enabled, No Session
Remember, nothing was configured on MDS2; this was distributed via CFS:
MDS2(config)# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 101 :Activated database, learning is enabled, No Session
5. Wait until all switches and all hosts are automatically learned
FC port security keeps two databases:
Configuration database – This is the local database on the switch where configuration changes are stored.
Active database – The active database is what is currently enforced by the fabric once auto-learning is disabled. All devices connecting to a switch must be in the port security active database to participate in the fabric.
When first activating port security in auto-learning mode, we build our active database of WWNs and the ports they are learned from. You can see that we have already learned some locally connected devices, plus the neighbouring switch (the sWWN entry) on fc1/1:
MDS1(config)# show port-security database active
--------------------------------------------------------------------------------
VSAN Logging-in Entity Logging-in Point (Interface) Learnt
--------------------------------------------------------------------------------
101 20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)* Yes
101 20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)* Yes
101 21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)* Yes
101 21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)* Yes
101 21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)* Yes
101 21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)* Yes
101 21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)* Yes
101 21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)* Yes
101 21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)* Yes
101 21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)* Yes
101 20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)* Yes
[Total 11 entries]
MDS2(config)# show port-security database active
--------------------------------------------------------------------------------
VSAN Logging-in Entity Logging-in Point (Interface) Learnt
--------------------------------------------------------------------------------
101 22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)* Yes
101 22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)* Yes
101 22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)* Yes
101 22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)* Yes
101 22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)* Yes
101 22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)* Yes
101 22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)* Yes
101 22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)* Yes
101 20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40(fc1/1)* Yes
Notice that our configuration databases are still empty:
MDS1(config)# show port-security database
--------------------------------------------------------------------------------
VSAN Logging-in Entity Logging-in Point (Interface)
--------------------------------------------------------------------------------
MDS2(config)# show port-security database
--------------------------------------------------------------------------------
VSAN Logging-in Entity Logging-in Point (Interface)
--------------------------------------------------------------------------------
6. Disable auto-learn on each VSAN
Remember, the active database is not yet enforced since we’re still in auto-learning mode.
MDS1(config)# no port-security auto-learn vsan 101
7. Issue a CFS commit to copy the configuration to all switches in the fabric.
Once we commit the change, the auto-learned entries from every switch are combined into a static active database that is distributed to all switches:
MDS1(config)# port-security commit vsan 101
Notice learning is now disabled:
MDS1(config)# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 101 :Activated database, learning is disabled, No Session
Check this out, now both MDS1 and MDS2 have a full active (and enforced) port-security database:
MDS1(config)# show port-security database active
--------------------------------------------------------------------------------
VSAN Logging-in Entity Logging-in Point (Interface) Learnt
--------------------------------------------------------------------------------
101 20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*
101 20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*
101 21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)*
101 22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40*
[Total 20 entries]
MDS2(config)# show port-security database active
--------------------------------------------------------------------------------
VSAN Logging-in Entity Logging-in Point (Interface) Learnt
--------------------------------------------------------------------------------
101 22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*
101 22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*
101 22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*
101 22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*
101 22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*
101 22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*
101 22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*
101 22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*
101 20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40(fc1/1)*
101 20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80*
101 20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80*
101 21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80*
101 21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80*
101 21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80*
101 21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80*
101 21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80*
101 21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80*
101 21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80*
101 21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80*
101 20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80*
[Total 20 entries]
However, our local configuration database is still empty. If we reboot this guy, we have no database, which is not good:
MDS1(config)# show port-security database
--------------------------------------------------------------------------------
VSAN Logging-in Entity Logging-in Point (Interface)
--------------------------------------------------------------------------------
MDS2(config)# show port-security database
--------------------------------------------------------------------------------
VSAN Logging-in Entity Logging-in Point (Interface)
--------------------------------------------------------------------------------
8. Copy the active database to the configure database on each VSAN
This had me beard-scratching for a second, because the commands to do this are hidden (at least in the version of code I’m running). The syntax is:
port-security database copy vsan 101
But notice there is no “copy” in the help output:
MDS1(config)# port-security database ?
vsan VSAN id for port-security
MDS1(config)# port-security database
Additionally, there is no “diff”, which is used to view the differences between the active database and the configuration database. Interestingly enough, if I type diff and then “?” I’ll see the next available commands:
MDS1(config)# port-security database ?
vsan VSAN id for port-security
MDS1(config)# port-security database diff ?
*** No matching command found in current mode, matching in (exec) mode ***
active Active database wrt Configured database
config Configured database wrt Active database
Notice below that, seen from the active database, every entry is new, and seen from the config database, every entry is missing:
MDS1(config)# port-security database diff active vsan 101
Legend: "+" New Entry, "-" Missing Entry, "*" Possible Conflict Entry
---------------------------------------------------------------------
+ 101 20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*
+ 101 20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*
+ 101 21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
+ 101 21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
+ 101 21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
+ 101 21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
+ 101 21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
+ 101 21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
+ 101 21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
+ 101 21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
+ 101 20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)*
+ 101 22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
+ 101 22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40*
+ 101 22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40*
+ 101 22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40*
+ 101 22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40*
+ 101 22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
+ 101 22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40*
+ 101 22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40*
+ 101 20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40*
MDS1(config)# port-security database diff config vsan 101
Legend: "+" New Entry, "-" Missing Entry, "*" Possible Conflict Entry
---------------------------------------------------------------------
- 101 20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*
- 101 20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*
- 101 21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
- 101 21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
- 101 21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
- 101 21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
- 101 21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
- 101 21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
- 101 21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
- 101 21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
- 101 20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)*
- 101 22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
- 101 22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40*
- 101 22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40*
- 101 22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40*
- 101 22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40*
- 101 22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
- 101 22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40*
- 101 22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40*
- 101 20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40*
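To make those diff semantics concrete, here is an added Python example (not part of the original post and not Cisco's code) that parses the show port-security database output shapes seen above and reproduces the diff active / diff config view. Treating the same entity bound to a different login point as a “*” conflict is my assumption about what “Possible Conflict Entry” means; the sample inputs are constructed from WWNs on this page, with one sWWN binding altered to show a conflict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"

# One entry line of "show port-security database [active]" in the three shapes
# seen in the output above:
#   101 20:1f:..:00(pwwn) 20:05:..:80(fc1/5)* Yes   locally learnt, interface known
#   101 22:00:..:18(pwwn) 20:0e:..:40*              received via CFS, no interface
#   101 22:00:..:18(pwwn) 20:0e:..:40*(fc1/14)      interface printed after the '*'
ENTRY_RE = re.compile(
    rf"^\s*(?P<vsan>\d+)\s+(?P<wwn>{WWN})\((?P<kind>pwwn|nwwn|swwn)\)\s+"
    rf"(?P<fwwn>{WWN})(?:\((?P<intf_a>[^)]+)\))?\*?(?:\((?P<intf_b>[^)]+)\))?"
    r"(?:\s+(?P<learnt>Yes|No))?\s*$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Entry:
    vsan: int
    wwn: str                  # logging-in entity (pWWN, nWWN or sWWN)
    kind: str                 # pwwn | nwwn | swwn
    fwwn: str                 # logging-in point: the switch port's fWWN
    interface: Optional[str]  # None for entries received from another switch
    learnt: bool              # "Yes" only while auto-learning is on

Key = Tuple[int, str, str]

def parse_db(text: str) -> Dict[Key, Entry]:
    """Parse show output into a map keyed by (vsan, entity WWN, kind).
    Header, separator and '[Total N entries]' lines are skipped."""
    entries: Dict[Key, Entry] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        e = Entry(int(m["vsan"]), m["wwn"].lower(), m["kind"].lower(),
                  m["fwwn"].lower(), m["intf_a"] or m["intf_b"],
                  (m["learnt"] or "").lower() == "yes")
        entries[(e.vsan, e.wwn, e.kind)] = e
    return entries

def diff(db_a: Dict[Key, Entry], db_b: Dict[Key, Entry]) -> List[Tuple[str, Entry]]:
    """db_a with respect to db_b, in the spirit of 'port-security database diff':
    '+' entity only in db_a, '-' entity only in db_b, '*' entity present in both
    but bound to a different login point (assumed meaning of 'Possible Conflict')."""
    rows = []
    for key in sorted(set(db_a) | set(db_b)):
        a, b = db_a.get(key), db_b.get(key)
        if a is not None and b is None:
            rows.append(("+", a))
        elif b is not None and a is None:
            rows.append(("-", b))
        elif a.fwwn != b.fwwn:
            rows.append(("*", a))
    return rows

def render(rows: List[Tuple[str, Entry]]) -> List[str]:
    """Format rows the way the switch prints them."""
    return [f"{sym} {e.vsan} {e.wwn}({e.kind}) {e.fwwn}"
            + (f"({e.interface})" if e.interface else "") + "*"
            for sym, e in rows]

# Constructed samples in the page's output format (WWNs taken from the page;
# the sWWN binding in CONFIG_SAMPLE was altered on purpose to show a conflict).
ACTIVE_SAMPLE = """\
--------------------------------------------------------------------------------
VSAN Logging-in Entity Logging-in Point (Interface) Learnt
--------------------------------------------------------------------------------
101 20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)* Yes
101 20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)* Yes
101 22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
[Total 3 entries]
"""
CONFIG_SAMPLE = """\
--------------------------------------------------------------------------------
VSAN Logging-in Entity Logging-in Point (Interface)
--------------------------------------------------------------------------------
101 20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*
101 20:00:00:0d:ec:27:4f:40(swwn) 20:02:00:0d:ec:54:63:80(fc1/2)*
101 20:20:00:2a:6a:46:89:00(pwwn) 20:06:00:0d:ec:54:63:80(fc1/6)*
"""

if __name__ == "__main__":
    active, config = parse_db(ACTIVE_SAMPLE), parse_db(CONFIG_SAMPLE)
    print("Active wrt config:")
    print("\n".join(render(diff(active, config))))
    print("Config wrt active:")
    print("\n".join(render(diff(config, active))))
```

Running the same two parses against a switch's real active and configuration output before step 8 shows exactly what the copy will write, which is a useful pre-commit check.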
Let’s issue the copy to populate the configuration database:
MDS1(config)# port-security database copy vsan 101
9. Issue a CFS commit to copy the configuration to all switches in the fabric.
This ensures that the configuration database is the same on all switches in the fabric:
MDS1(config)# port-security commit vsan 101
We now have the full active and configuration databases on both switches:
MDS1(config)# show port-security database vsan 101
--------------------------------------------------------------------------------
VSAN Logging-in Entity Logging-in Point (Interface)
--------------------------------------------------------------------------------
101 20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*
101 20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*
101 21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)*
101 22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40*
[Total 20 entries]
MDS1(config)# show port-security database active
--------------------------------------------------------------------------------
VSAN Logging-in Entity Logging-in Point (Interface) Learnt
--------------------------------------------------------------------------------
101 20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*
101 20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*
101 21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)*
101 22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40*
[Total 20 entries]
10. Copy run start
Save your configuration!
Port Security Violation
Now, let’s see what happens if we bring up another interface in the fabric on VSAN 101 and a device tries to FLOGI with a WWN that is not in our database.
MDS1(config)# vsan database
MDS1(config-vsan-db)# vsan 101 interface fc1/6
MDS1(config-vsan-db)# exit
MDS1(config)# interface fc1/6
MDS1(config-if)# no shut
MDS1(config-if)# 2014 Aug 17 11:22:49 MDS1 %PORT-SECURITY-3-BINDING_VIOLATION: %$VSAN 101%$
2014 Aug 17 11:22:49 MDS1 %PORT-5-IF_DOWN_DENIED_DUE_TO_PORT_BINDING: %$VSAN 101%$ Interface fc1/6 is down(Suspended due to port binding)
Bam! Denied! We can see this in the port-security violations:
MDS1(config-if)# show port-security violations
-------------------------------------------------------------------------------
VSAN Interface Logging-in Entity Last-Time [Repeat count]
-------------------------------------------------------------------------------
101 fc1/6 20:20:00:2a:6a:46:89:00(pwwn) Aug 17 11:22:49 2014 [1]
20:65:00:2a:6a:46:89:01(nwwn)
[Total 1 entries]
As well as our port-security statistics:
MDS1(config-if)# show port-security statistics
Statistics For VSAN: 1
------------------------
Number of pWWN permit: 0
Number of nWWN permit: 0
Number of sWWN permit: 0
Number of pWWN deny : 0
Number of nWWN deny : 0
Number of sWWN deny : 0
Total Logins permitted : 0
Total Logins denied : 0
Statistics For VSAN: 101
------------------------
Number of pWWN permit: 0
Number of nWWN permit: 0
Number of sWWN permit: 0
Number of pWWN deny : 1
Number of nWWN deny : 1
Number of sWWN deny : 0
Total Logins permitted : 0
Total Logins denied : 1
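As an added example from the detection side (not part of the original post): a Python snippet that picks the IF_DOWN_DENIED_DUE_TO_PORT_BINDING events out of syslog lines in the console format shown above and joins them with the show port-security violations table, so an alert names the refused pWWN/nWWN rather than just the port. The syslog line layout, the tolerated console-prompt prefix and the sample lines are assumptions built from this page's output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"

# NX-OS line as printed above: "<ts> <host> %FACILITY-SEV-MNEMONIC: body".
# An optional "MDS1(config-if)# " prefix is tolerated for lines pasted from a console.
SYSLOG_RE = re.compile(
    r"^(?:\S+#\s+)?(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%(?P<facility>[A-Z_-]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<body>.*)$"
)
VSAN_RE = re.compile(r"%\$VSAN (?P<vsan>\d+)%\$")
INTF_RE = re.compile(r"Interface (?P<intf>\S+) is down")

# "show port-security violations": a pWWN line, optionally followed by a
# continuation line carrying the nWWN of the same device.
VIOL_RE = re.compile(
    rf"^\s*(?P<vsan>\d+)\s+(?P<intf>\S+)\s+(?P<pwwn>{WWN})\(pwwn\)\s+"
    r"(?P<last>\w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+\[(?P<count>\d+)\]"
)
NWWN_RE = re.compile(rf"^\s*(?P<nwwn>{WWN})\(nwwn\)\s*$")

@dataclass
class Violation:
    vsan: int
    interface: str
    pwwn: str
    nwwn: Optional[str]
    last_time: str
    repeat: int

def parse_violations(text: str) -> List[Violation]:
    records: List[Violation] = []
    for line in text.splitlines():
        m = VIOL_RE.match(line)
        if m:
            records.append(Violation(int(m["vsan"]), m["intf"], m["pwwn"].lower(),
                                     None, m["last"], int(m["count"])))
            continue
        n = NWWN_RE.match(line)
        if n and records:              # the nWWN belongs to the record just parsed
            records[-1].nwwn = n["nwwn"].lower()
    return records

def denied_interfaces(log_lines: List[str]) -> Set[Tuple[str, int, str]]:
    """(host, vsan, interface) for every port the switch suspended for port binding.
    BINDING_VIOLATION names only the VSAN; the IF_DOWN message carries the port."""
    denied = set()
    for line in log_lines:
        m = SYSLOG_RE.match(line)
        if not m or m["mnemonic"] != "IF_DOWN_DENIED_DUE_TO_PORT_BINDING":
            continue
        v, i = VSAN_RE.search(m["body"]), INTF_RE.search(m["body"])
        if v and i:
            denied.add((m["host"], int(v["vsan"]), i["intf"]))
    return denied

def build_alerts(host: str, log_lines: List[str], violations_text: str) -> List[Dict]:
    """Join syslog events with the switch's violation table so each alert names
    the device (pWWN/nWWN) that was refused on the suspended port."""
    table = {(v.vsan, v.interface): v for v in parse_violations(violations_text)}
    alerts = []
    for h, vsan, intf in sorted(denied_interfaces(log_lines)):
        if h != host:
            continue
        v = table.get((vsan, intf))
        alerts.append({"switch": h, "vsan": vsan, "interface": intf,
                       "pwwn": v.pwwn if v else None, "nwwn": v.nwwn if v else None,
                       "repeat": v.repeat if v else 0})
    return alerts

# Constructed samples, copied from the console output and violation table above.
LOG_SAMPLE = [
    "2014 Aug 17 11:22:49 MDS1 %PORT-SECURITY-3-BINDING_VIOLATION: %$VSAN 101%$",
    "2014 Aug 17 11:22:49 MDS1 %PORT-5-IF_DOWN_DENIED_DUE_TO_PORT_BINDING: %$VSAN 101%$ "
    "Interface fc1/6 is down(Suspended due to port binding)",
    "2014 Aug 17 11:49:31 MDS1 %PORT-5-IF_UP: %$VSAN 101%$ Interface fc1/6 is up in mode F",
]
VIOLATIONS_SAMPLE = """\
-------------------------------------------------------------------------------
VSAN Interface Logging-in Entity Last-Time [Repeat count]
-------------------------------------------------------------------------------
101 fc1/6 20:20:00:2a:6a:46:89:00(pwwn) Aug 17 11:22:49 2014 [1]
20:65:00:2a:6a:46:89:01(nwwn)
[Total 1 entries]
"""

if __name__ == "__main__":
    for alert in build_alerts("MDS1", LOG_SAMPLE, VIOLATIONS_SAMPLE):
        print(alert)
```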
What if we wanted to add this device to our database? Well, we could enable auto-learning again, build the new database and activate it. We could also add it to our database manually.
Configure manual entry in port-security database
Notice our database in the running configuration:
MDS1(config)# sh run | b "port-security database"
port-security database vsan 101
pwwn 20:1f:00:2a:6a:46:89:00 interface fc1/5
pwwn 20:aa:00:25:b5:01:00:0f interface fc1/5
pwwn 21:00:00:1d:38:1c:79:0a interface fc1/13
pwwn 21:00:00:1d:38:1c:6f:24 interface fc1/13
pwwn 21:00:00:1d:38:1c:78:fa interface fc1/13
...
We can add additional entries manually, and can get rather creative with this too. Some examples from the Cisco config guide are:
Let’s manually allow the WWN we saw rejected on fc1/6 into our database. Since I happen to know the other WWN behind this interface, I’ll add that to the database as well:
MDS1(config)# port-security database vsan 101
MDS1(config-port-security)# pwwn 20:20:00:2a:6a:46:89:00 interface fc1/6
MDS1(config-port-security)# pwwn 20:aa:00:25:b5:01:00:0f interface fc1/6
Notice that, since a change just occurred, the session lock was taken:
MDS1(config)# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 101 :Activated database, learning is disabled, Session Lock Taken
We have not committed anything, so this does not show up in our configuration or active databases. There are no entries for fc1/6:
MDS1(config)# show port-security database
--------------------------------------------------------------------------------
VSAN Logging-in Entity Logging-in Point (Interface)
--------------------------------------------------------------------------------
101 20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*
101 20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*
101 21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)*
101 22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40*
[Total 20 entries]
To see the pending changes, run this command:
MDS1(config)# show port-security pending-diff vsan 101
Session Diff for VSAN: 101
-------------------------
Database Diff:
+pwwn 20:20:00:2a:6a:46:89:00 interface fc1/6
+pwwn 20:aa:00:25:b5:01:00:0f interface fc1/6
MDS1(config)# port-security commit vsan 101
Check the active database:
MDS1(config)# show port-security database active | i fc1/6
Nothing…
Check the configuration database:
MDS1(config)# show port-security database vsan 101 | i fc1/6
101 20:20:00:2a:6a:46:89:00(pwwn) 20:06:00:0d:ec:54:63:80(fc1/6)*
101 20:aa:00:25:b5:01:00:0f(pwwn) 20:06:00:0d:ec:54:63:80(fc1/6)*
MDS1 has the change. MDS2 does as well:
MDS2(config)# show port-security database
--------------------------------------------------------------------------------
VSAN Logging-in Entity Logging-in Point (Interface)
--------------------------------------------------------------------------------
101 20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80*
101 20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80*
101 21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80*
101 21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80*
101 21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80*
101 21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80*
101 21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80*
101 21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80*
101 21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80*
101 21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80*
101 20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80*
101 20:20:00:2a:6a:46:89:00(pwwn) 20:06:00:0d:ec:54:63:80*
101 20:aa:00:25:b5:01:00:0f(pwwn) 20:06:00:0d:ec:54:63:80*
101 22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*(fc1/14)
101 22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40*(fc1/14)
101 22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40*(fc1/14)
101 22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40*(fc1/14)
101 22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40*(fc1/14)
101 22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40*(fc1/14)
101 22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40*(fc1/14)
101 22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40*(fc1/14)
101 20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40*(fc1/1)
[Total 22 entries]
Ok, so it’s in our configuration database on both switches, but not in our active database. What gives? We actually need to commit this again for it to take effect. I know, strange…
MDS1(config)# port-security commit vsan 101
MDS1(config)# 2014 Aug 17 11:49:31 MDS1 %PORT-5-IF_UP: %$VSAN 101%$ Interface fc1/6 is up in mode F
MDS1(config)# show port-security database active
--------------------------------------------------------------------------------
VSAN Logging-in Entity Logging-in Point (Interface) Learnt
--------------------------------------------------------------------------------
101 20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*
101 20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*
101 21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*
101 20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)*
101 22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40*
101 20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40*
101 20:20:00:2a:6a:46:89:00(pwwn) 20:06:00:0d:ec:54:63:80(fc1/6)*
101 20:aa:00:25:b5:01:00:0f(pwwn) 20:06:00:0d:ec:54:63:80(fc1/6)*
[Total 22 entries]
Quick Template
feature port-security -Enables the feature
port-security distribute -Enables CFS for port-security
port-security activate vsan 101 -Enables auto-learning
port-security commit vsan 101 -Commits active database to all switches in CFS
no port-security auto-learn vsan 101 -Disables auto-learning
port-security commit vsan 101 -Consolidate active database of all switches in CFS
port-security database copy vsan 101 -Copy active database to local config database
port-security commit vsan 101 -Commits the copy action to all switches in CFS
copy run start
Add manual entry:
port-security database vsan 101
pwwn 11:11:11:11:11:11:11:11 interface fc1/1
port-security commit vsan 101
port-security commit vsan 101
Helpful show commands
show port-security status
show port-security database
show port-security database active
show port-security database vsan 101
port-security database diff config vsan 101
port-security database diff active vsan 101
show port-security violations
show port-security statistics
And there you have it!
The following commands are hidden from the configuration mode but usable. You can also access these commands from exec mode.
port-security database copy vsan 100
port-security database diff active vsan 100
port-security database diff config vsan 100