FC Security for CCIE DC – FC Port Security

Fibre Channel port security prevents unauthorized Fibre Channel devices and switches from logging into the fabric. Each permitted pWWN, nWWN or sWWN is bound to the switch port (or fWWN) it may log in through, so a login from an unknown WWN, or from a known WWN on a port it is not bound to, is rejected and the port is suspended. This protects the fabric from accidents (miscabling), malicious intent and attacks such as WWN identity spoofing, with one caveat worth keeping in mind: a device plugged into the bound port that presents the expected WWN is still accepted, so port security complements zoning and fabric authentication (FC-SP/DHCHAP) rather than replacing them. It's configured on a per-VSAN basis.

Everything covered here can be found in this configuration guide:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/6_2/configuration/guides/security/nx-os/sec_cli_6-x/psec.html

You have a few options to choose from when configuring Port Security:

1. Configure with auto-learning and CFS distribution
2. Configure with auto-learning without CFS distribution
3. Configure with manual database

The first method is the most practical: configure once, let the switches learn the current environment, and use Cisco Fabric Services (CFS) to distribute the result throughout the fabric. I'll follow this method in this post, so feel free to follow along. There is also a quick template at the bottom.

The Cisco config guide details the steps (the order of operations is important!):

1. Enable port security

2. Enable CFS distribution

3. Activate port security on each VSAN (This turns on auto-learning by default unless specified not to)

4. Issue a CFS commit to copy the configuration to all switches in the fabric.
Note: At this point, all switches are activated and auto-learning

5. Wait until all switches and all hosts are automatically learned

6. Disable auto-learn on each VSAN

7. Issue a CFS commit to copy the configuration to all switches in the fabric.
Note: At this point, the auto-learned entries from every switch are combined into a static active database that is distributed to all switches

8. Copy the active database to the configure database on each VSAN

9. Issue a CFS commit to copy the configuration to all switches in the fabric.
Note: This ensures that the configure database is the same on all switches in the fabric

10. Copy run start

Here’s our topology, let’s begin.

[Topology diagram: fc-port-security (MDS1 and MDS2 connected by an ISL on fc1/1, hosts on VSAN 101)]

1. Enable port security

MDS1(config)# feature port-security 

MDS2(config)# feature port-security 

2. Enable CFS distribution (Optional, but preferred)

MDS1(config)# port-security distribute

MDS2(config)# port-security distribute

3. Activate port security on VSAN 101

Activation turns on auto-learning by default unless you specify otherwise. First, notice that VSAN 101 has no active database, learning is disabled and no CFS session is open:

MDS1(config)# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 101 :No Active database, learning is disabled, No Session

To activate:

MDS1(config)# port-security activate vsan 101

MDS1(config)# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 101 :No Active database, learning is disabled, Session Lock Taken

Note: If choosing to do manual port security configuration, this is where you disable auto-learning

port-security activate vsan 101 no-auto-learn

4. Issue a CFS commit to copy the configuration to all switches in the fabric.

Once we commit, all switches in the distributed fabric should be activated and auto-learning

MDS1(config)# port-security commit vsan 101

MDS1(config)# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 101 :Activated database, learning is enabled, No Session

Remember, nothing was configured on MDS2; the activation was distributed via CFS:

MDS2(config)# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 101 :Activated database, learning is enabled, No Session

5. Wait until all switches and all hosts are automatically learned

You have 2 databases in FC Port Security.

Configuration database – The local database where configured entries are stored. It lives in the running configuration, so it is what copy run start saves.

Active database – The database the switch actually enforces. While auto-learning is on, entries are added to it automatically as devices log in; once auto-learning is disabled it is static, and any device that logs in must match an entry in it to participate in the fabric. It is built by activation and is not saved with the configuration.

When port security is first activated in auto-learning mode, the active database is built from the WWNs that log in and the ports they are learned on. You can see that MDS1 has already learned its locally connected devices on fc1/5 and fc1/13, and the neighbouring switch (an sWWN entry) on the ISL fc1/1:

MDS1(config)# show port-security database active
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)     Learnt
--------------------------------------------------------------------------------
101  20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*          Yes
101  20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*          Yes
101  21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         Yes
101  21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         Yes
101  21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         Yes
101  21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         Yes
101  21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         Yes
101  21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         Yes
101  21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         Yes
101  21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         Yes
101  20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)*          Yes
[Total 11 entries]

MDS2(config)# show port-security database active
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)     Learnt
--------------------------------------------------------------------------------
101  22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*         Yes
101  22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*         Yes
101  22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*         Yes
101  22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*         Yes
101  22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*         Yes
101  22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*         Yes
101  22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*         Yes
101  22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*         Yes
101  20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40(fc1/1)*          Yes

Notice our Configuration databases are empty

MDS1(config)# show port-security database
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)
--------------------------------------------------------------------------------

MDS2(config)# show port-security database
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)
--------------------------------------------------------------------------------

6. Disable auto-learn on each VSAN

Remember, the active database is not yet enforced while we're in auto-learning mode: a login that is not in the database is learned and permitted rather than denied, so nothing is actually being blocked yet.

MDS1(config)# no port-security auto-learn vsan 101

7. Issue a CFS commit to copy the configuration to all switches in the fabric.

Once we commit the change, the auto-learned entries from every switch are combined into a static active database that is distributed to all switches

MDS1(config)# port-security commit vsan 101

Notice learning is now disabled:

MDS1(config)# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 101 :Activated database, learning is disabled, No Session

Check this out, now both MDS1 and MDS2 have a full active (and enforced) port-security database:

MDS1(config)# show port-security database active
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)     Learnt
--------------------------------------------------------------------------------
101  20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*          
101  20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*          
101  21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)*          
101  22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40*
[Total 20 entries]

MDS2(config)# show port-security database active
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)     Learnt
--------------------------------------------------------------------------------
101  22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*         
101  22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*         
101  22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*         
101  22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*         
101  22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*         
101  22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*         
101  22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*         
101  22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40(fc1/14)*         
101  20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40(fc1/1)*          
101  20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80*
101  20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80*
101  21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80*
101  21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80*
101  21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80*
101  21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80*
101  21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80*
101  21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80*
101  21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80*
101  21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80*
101  20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80*
[Total 20 entries]

However, our local configuration database is still empty. The active database is not saved across a reboot, so if this switch restarts we would have no database at all, which is not good.

MDS1(config)# show port-security database 
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)
--------------------------------------------------------------------------------

MDS2(config)# show port-security database 
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)
--------------------------------------------------------------------------------

8. Copy the active database to the configure database on each VSAN

This had me beard-scratching for a second, because the commands to do this are hidden from the context-sensitive help (at least in the version of code I'm running). The syntax is:

port-security database copy vsan 101

But notice there is no “copy”:

MDS1(config)# port-security database ?
  vsan  VSAN id for port-security
MDS1(config)# port-security database 

Additionally, there is no "diff" shown, which is used to view the differences between the active database and the configuration database. Interestingly enough, if I type diff and then "?" I see the next available commands:

MDS1(config)# port-security database ?
  vsan  VSAN id for port-security
MDS1(config)# port-security database diff ?
*** No matching command found in current mode, matching in (exec) mode ***
  active  Active database wrt Configured database
  config  Configured database wrt Active database

Below, diff active shows every active entry as new ("+") relative to the configuration database, and diff config shows every one of those entries as missing ("-") from the configuration database:

MDS1(config)# port-security database diff active vsan 101
Legend: "+" New Entry, "-" Missing Entry, "*" Possible Conflict Entry
---------------------------------------------------------------------
+  101  20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*          
+  101  20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*          
+  101  21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
+  101  21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
+  101  21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
+  101  21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
+  101  21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
+  101  21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
+  101  21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
+  101  21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
+  101  20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)*          
+  101  22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
+  101  22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40*
+  101  22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40*
+  101  22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40*
+  101  22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40*
+  101  22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
+  101  22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40*
+  101  22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40*
+  101  20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40*

MDS1(config)# port-security database diff config vsan 101
Legend: "+" New Entry, "-" Missing Entry, "*" Possible Conflict Entry
---------------------------------------------------------------------
-  101  20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*          
-  101  20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*          
-  101  21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
-  101  21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
-  101  21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
-  101  21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
-  101  21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
-  101  21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
-  101  21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
-  101  21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
-  101  20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)*          
-  101  22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
-  101  22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40*
-  101  22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40*
-  101  22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40*
-  101  22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40*
-  101  22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
-  101  22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40*
-  101  22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40*
-  101  20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40*
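As an added example (not code from the post or from Cisco), here is a small Python script that parses the two show outputs and reproduces the diff offline. It is handy when all you have is collected show output from a fabric and you want to spot entries that exist in one database but not the other, for instance configuration entries that were committed but never made it into the active database. The sample rows are copied from the post's output; the function and constant names are the example's own.

```python
"""Parse 'show port-security database [active]' from a Cisco MDS and diff the
active (enforced) database against the configuration database.
Added example for this post, not Cisco code; sample rows copied from the post."""
import re
from typing import Dict, List, NamedTuple, Tuple

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"

# One row looks like:  VSAN  entity(kind)  fwwn[(interface)]*[(interface)]  [Learnt]
# '(fcX/Y)' only appears for the switch's own ports and the '*' moves around,
# so everything after the fWWN is captured loosely as `tail`.
ENTRY_RE = re.compile(
    rf"^\s*(?P<vsan>\d+)\s+(?P<wwn>{WWN})\((?P<kind>[psn]wwn)\)\s+"
    rf"(?P<fwwn>{WWN})(?P<tail>\S*)\s*(?P<learnt>Yes|No)?\s*$"
)


class Entry(NamedTuple):
    vsan: int
    kind: str       # pwwn / nwwn / swwn of the logging-in entity
    wwn: str        # logging-in entity
    fwwn: str       # logging-in point (fabric WWN of the port)
    interface: str  # '' when the dump does not show it (the other switch's ports)
    learnt: bool    # True while auto-learning still marks the entry 'Yes'


def entry_key(e: Entry) -> Tuple[int, str, str, str]:
    """Identity of a binding. The interface name is left out on purpose: the same
    binding prints with and without '(fcX/Y)' depending on which switch produced
    the dump, while the fWWN is stable across switches."""
    return (e.vsan, e.kind, e.wwn, e.fwwn)


def parse_database(text: str) -> Dict[Tuple[int, str, str, str], Entry]:
    """Bindings in a database dump, keyed for comparison. Header, separator and
    '[Total N entries]' lines do not match the row pattern and are skipped."""
    entries: Dict[Tuple[int, str, str, str], Entry] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        iface = re.search(r"\(([^)]+)\)", m["tail"])
        e = Entry(int(m["vsan"]), m["kind"], m["wwn"], m["fwwn"],
                  iface.group(1) if iface else "", m["learnt"] == "Yes")
        entries[entry_key(e)] = e
    return entries


def diff_databases(reference: str, other: str) -> Tuple[List[Entry], List[Entry]]:
    """Mirror 'port-security database diff': bindings in `reference` but not in
    `other` are new ('+'); bindings in `other` but not in `reference` are
    missing ('-'). 'diff active' is reference=active, other=config; 'diff
    config' is the reverse."""
    ref, oth = parse_database(reference), parse_database(other)
    new = [ref[k] for k in ref if k not in oth]
    missing = [oth[k] for k in oth if k not in ref]
    return new, missing


def render_diff(reference: str, other: str) -> List[str]:
    """Format the diff with the same +/- legend the switch uses."""
    def fmt(sign: str, e: Entry) -> str:
        point = f"{e.fwwn}({e.interface})" if e.interface else e.fwwn
        return f"{sign}  {e.vsan}  {e.wwn}({e.kind}) {point}"
    new, missing = diff_databases(reference, other)
    return [fmt("+", e) for e in new] + [fmt("-", e) for e in missing]


# Constructed sample: three rows of MDS1's active database after auto-learn was
# turned off (local ports show the interface, MDS2's fc1/14 does not) ...
ACTIVE_DB = """\
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)     Learnt
--------------------------------------------------------------------------------
101  20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*
101  20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)*
101  22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
[Total 3 entries]
"""
# ... and the configuration database after two fc1/6 entries were committed but
# not yet activated. The fc1/14 row is written the way MDS2 prints it.
CONFIG_DB = """\
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)
--------------------------------------------------------------------------------
101  20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*
101  20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)*
101  22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*(fc1/14)
101  20:20:00:2a:6a:46:89:00(pwwn) 20:06:00:0d:ec:54:63:80(fc1/6)*
101  20:aa:00:25:b5:01:00:0f(pwwn) 20:06:00:0d:ec:54:63:80(fc1/6)*
[Total 5 entries]
"""

if __name__ == "__main__":
    print("diff config (config wrt active):")
    print("\n".join(render_diff(CONFIG_DB, ACTIVE_DB)))
```

Keying on the fWWN rather than the interface name is what makes a dump from MDS1 comparable with a dump from MDS2: both switches list the same bindings, but each only knows the port names of its own fWWNs.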

Let’s issue the copy to populate the configuration database:

MDS1(config)# port-security database copy vsan 101

9. Issue a CFS commit to copy the configuration to all switches in the fabric.

This ensures that the configure database is the same on all switches in the fabric

MDS1(config)# port-security commit vsan 101

We now have the full active and configuration databases on both switches

MDS1(config)# show port-security database vsan 101
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)
--------------------------------------------------------------------------------
101  20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*          
101  20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*          
101  21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)*          
101  22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40*
[Total 20 entries]

MDS1(config)# show port-security database active 
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)     Learnt
--------------------------------------------------------------------------------
101  20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*          
101  20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*          
101  21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)*          
101  22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40*
[Total 20 entries]

10. Copy run start

Save your configuration!

Port Security Violation

Now, let’s see what happens if we bring up another interface in the fabric on VSAN 101, and a device tries to FLOGI a WWN that is not in our database.

[Topology diagram: fc-port-security2 (a new device attached to MDS1 fc1/6 on VSAN 101)]

MDS1(config)# vsan database
MDS1(config-vsan-db)# vsan 101 interface fc1/6
MDS1(config-vsan-db)# exit
MDS1(config)# interface fc1/6
MDS1(config-if)# no shut
MDS1(config-if)# 2014 Aug 17 11:22:49 MDS1 %PORT-SECURITY-3-BINDING_VIOLATION: %$VSAN 101%$  
2014 Aug 17 11:22:49 MDS1 %PORT-5-IF_DOWN_DENIED_DUE_TO_PORT_BINDING: %$VSAN 101%$ Interface fc1/6 is down(Suspended due to port binding) 

Bam! Denied! We can see this in the port-security violations:

MDS1(config-if)# show port-security violations 
-------------------------------------------------------------------------------
VSAN Interface        Logging-in Entity             Last-Time    [Repeat count]
-------------------------------------------------------------------------------
101  fc1/6            20:20:00:2a:6a:46:89:00(pwwn) Aug 17 11:22:49 2014 [1]
                      20:65:00:2a:6a:46:89:01(nwwn)
[Total 1 entries]

As well as our port-security statistics:

MDS1(config-if)# show port-security statistics 
Statistics For VSAN: 1 
------------------------
Number of pWWN permit: 0
Number of nWWN permit: 0
Number of sWWN permit: 0
Number of pWWN deny  : 0
Number of nWWN deny  : 0
Number of sWWN deny  : 0

Total Logins permitted  : 0
Total Logins denied     : 0
Statistics For VSAN: 101 
------------------------
Number of pWWN permit: 0
Number of nWWN permit: 0
Number of sWWN permit: 0
Number of pWWN deny  : 1
Number of nWWN deny  : 1
Number of sWWN deny  : 0

Total Logins permitted  : 0
Total Logins denied     : 1

What if we wanted to add this device to our database? We could re-enable auto-learning, let it learn the new device, and then disable learning again, but remember that anything that logs in while learning is on, including a spoofed WWN, gets learned as well. The safer option is to add the entry to the database manually.
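Added example, not code from the post or from Cisco: a Python script that turns the syslog lines and the violations table above into records, extracts the suspended ports (a one-rule detection for a log collector), and drafts the allow-list change for an entry an operator has decided to permit, warning when that pWWN is already bound to a different port. The sample log lines and table are copied from the post; the KNOWN_BINDINGS map and the function names are the example's own assumptions.

```python
"""Triage Cisco MDS port-security violations and draft the allow-list change.
Added example for this post, not Cisco code. Log lines and the violations
table are copied from the post; KNOWN_BINDINGS is a constructed input."""
import re
from typing import Dict, List, NamedTuple, Tuple

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"

# 'show port-security violations' prints one row per denied login; the nWWN of
# the same device follows on an indented continuation line.
ROW_RE = re.compile(
    rf"^\s*(?P<vsan>\d+)\s+(?P<iface>fc\S+)\s+(?P<wwn>{WWN})\((?P<kind>[pn]wwn)\)\s+"
    r"(?P<when>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+\[(?P<count>\d+)\]"
)
CONT_RE = re.compile(rf"^\s+(?P<wwn>{WWN})\((?P<kind>[pn]wwn)\)\s*$")

# The two messages NX-OS logs when a login is denied and the port is suspended.
# Searched (not anchored) so a line captured with the CLI prompt still matches.
SYSLOG_RE = re.compile(
    r"(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%(?P<mnemonic>PORT-SECURITY-3-BINDING_VIOLATION|PORT-5-IF_DOWN_DENIED_DUE_TO_PORT_BINDING):"
    r" %\$VSAN (?P<vsan>\d+)%\$ ?(?P<msg>.*)$"
)


class Violation(NamedTuple):
    vsan: int
    interface: str
    pwwn: str
    nwwn: str          # '' if the table had no continuation line
    last_time: str
    repeat_count: int


def parse_violations(text: str) -> List[Violation]:
    """Turn the two-line rows of 'show port-security violations' into records."""
    rows: List[Violation] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            wwns = {m["kind"]: m["wwn"]}
            rows.append(Violation(int(m["vsan"]), m["iface"], wwns.get("pwwn", ""),
                                  wwns.get("nwwn", ""), m["when"], int(m["count"])))
            continue
        c = CONT_RE.match(line)
        if c and rows:  # attach the nWWN (or pWWN) to the row above it
            rows[-1] = rows[-1]._replace(**{c["kind"]: c["wwn"]})
    return rows


def suspended_ports(syslog: str) -> List[Tuple[str, int, str]]:
    """(host, vsan, interface) for every port suspended by a binding violation."""
    hits = []
    for line in syslog.splitlines():
        m = SYSLOG_RE.search(line.rstrip())
        if not m or m["mnemonic"] != "PORT-5-IF_DOWN_DENIED_DUE_TO_PORT_BINDING":
            continue
        iface = re.search(r"Interface (\S+) is down", m["msg"])
        if iface:
            hits.append((m["host"], int(m["vsan"]), iface.group(1)))
    return hits


def permit_commands(v: Violation, known_bindings: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Draft the NX-OS lines that allow this pWWN on this port (the activation or
    second commit described in the post is still needed afterwards). Warn when the
    pWWN is already bound to another port: that may be a re-cabled host or a
    multipath HBA, or it may be a spoofed WWN, so a human decides."""
    warnings = []
    bound = known_bindings.get(v.pwwn)
    if bound and bound != v.interface:
        warnings.append(f"{v.pwwn} is already bound to {bound}; verify before allowing it on {v.interface}")
    cmds = [f"port-security database vsan {v.vsan}",
            f"  pwwn {v.pwwn} interface {v.interface}",
            f"port-security commit vsan {v.vsan}"]
    return cmds, warnings


# Copied from the post (first line as it appeared on the console, prompt and all).
SYSLOG = """\
MDS1(config-if)# 2014 Aug 17 11:22:49 MDS1 %PORT-SECURITY-3-BINDING_VIOLATION: %$VSAN 101%$
2014 Aug 17 11:22:49 MDS1 %PORT-5-IF_DOWN_DENIED_DUE_TO_PORT_BINDING: %$VSAN 101%$ Interface fc1/6 is down(Suspended due to port binding)
"""
VIOLATIONS = """\
-------------------------------------------------------------------------------
VSAN Interface        Logging-in Entity             Last-Time    [Repeat count]
-------------------------------------------------------------------------------
101  fc1/6            20:20:00:2a:6a:46:89:00(pwwn) Aug 17 11:22:49 2014 [1]
                      20:65:00:2a:6a:46:89:01(nwwn)
[Total 1 entries]
"""
# Constructed pWWN -> interface map as it would be read from the configuration
# database (the post binds both of these to fc1/5).
KNOWN_BINDINGS = {"20:1f:00:2a:6a:46:89:00": "fc1/5", "20:aa:00:25:b5:01:00:0f": "fc1/5"}

if __name__ == "__main__":
    print("suspended:", suspended_ports(SYSLOG))
    for v in parse_violations(VIOLATIONS):
        cmds, warns = permit_commands(v, KNOWN_BINDINGS)
        print("\n".join(warns + cmds))
```

The warning path is the security-relevant part: a known pWWN suddenly logging in on a port it was never bound to looks exactly like the spoofing case port security exists to catch, so the script refuses to silently whitelist it and leaves that call to the operator.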

Configure manual entry in port-security database

Notice our database in the running configuration:

MDS1(config)# sh run | b "port-security database"
port-security database vsan 101
  pwwn 20:1f:00:2a:6a:46:89:00 interface fc1/5
  pwwn 20:aa:00:25:b5:01:00:0f interface fc1/5
  pwwn 21:00:00:1d:38:1c:79:0a interface fc1/13
  pwwn 21:00:00:1d:38:1c:6f:24 interface fc1/13
  pwwn 21:00:00:1d:38:1c:78:fa interface fc1/13
  ...

We can add entries manually, and the entry types are quite flexible (bindings by pWWN, nWWN or sWWN, and by interface or fWWN). The Cisco config guide linked above lists the supported combinations:

[Image: table of port-security database entry examples from the Cisco MDS 9000 NX-OS Security Configuration Guide]

Let’s manually allow the WWN we saw rejected into our database from fc1/6. Since I happen to know the other WWN behind this, I’ll add that to the database as well

MDS1(config)# port-security database vsan 101
MDS1(config-port-security)# pwwn 20:20:00:2a:6a:46:89:00 interface fc1/6
MDS1(config-port-security)# pwwn 20:aa:00:25:b5:01:00:0f interface fc1/6

Notice that, because a change was just made inside a CFS session, the session lock is now held:

MDS1(config)# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 101 :Activated database, learning is disabled, Session Lock Taken

We have not committed anything yet, so the new entries appear in neither the configuration nor the active database. No entries for fc1/6:

MDS1(config)# show port-security database 
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)
--------------------------------------------------------------------------------
101  20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*          
101  20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*          
101  21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)*          
101  22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40*
[Total 20 entries]

To see the pending changes, run this command:

MDS1(config)# show port-security pending-diff vsan 101
Session Diff for VSAN: 101
-------------------------
Database Diff:
    +pwwn 20:20:00:2a:6a:46:89:00 interface fc1/6
    +pwwn 20:aa:00:25:b5:01:00:0f interface fc1/6

MDS1(config)# port-security commit vsan 101

Check the active database:

MDS1(config)# show port-security database active | i fc1/6

Nothing…

Check the configuration database:

MDS1(config)# show port-security database vsan 101 | i fc1/6
101  20:20:00:2a:6a:46:89:00(pwwn) 20:06:00:0d:ec:54:63:80(fc1/6)*          
101  20:aa:00:25:b5:01:00:0f(pwwn) 20:06:00:0d:ec:54:63:80(fc1/6)*  

MDS1 has the change. MDS2 does as well:

MDS2(config)# show port-security database 
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)
--------------------------------------------------------------------------------
101  20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80*
101  20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80*
101  21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80*
101  21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80*
101  21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80*
101  21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80*
101  21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80*
101  21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80*
101  21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80*
101  21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80*
101  20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80*
101  20:20:00:2a:6a:46:89:00(pwwn) 20:06:00:0d:ec:54:63:80*
101  20:aa:00:25:b5:01:00:0f(pwwn) 20:06:00:0d:ec:54:63:80*
101  22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*(fc1/14)          
101  22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40*(fc1/14)          
101  22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40*(fc1/14)          
101  22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40*(fc1/14)          
101  22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40*(fc1/14)          
101  22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40*(fc1/14)          
101  22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40*(fc1/14)          
101  22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40*(fc1/14)          
101  20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40*(fc1/1)           
[Total 22 entries]    

Ok, so it's in our configuration database on both switches, but not in our active database. What gives? Changes to the configuration database do not take effect until they are pushed into the active database. The config guide's way of doing that is to re-activate the VSAN (port-security activate vsan 101 no-auto-learn, so that the re-activation does not silently turn learning back on; if the activation reports conflicts, the force keyword overrides them) and commit. In my case, simply committing a second time did the trick. I know, strange…

MDS1(config)# port-security commit vsan 101
MDS1(config)# 2014 Aug 17 11:49:31 MDS1 %PORT-5-IF_UP: %$VSAN 101%$ Interface fc1/6 is up in mode F 

MDS1(config)# show port-security database active
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)     Learnt
--------------------------------------------------------------------------------
101  20:1f:00:2a:6a:46:89:00(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*          
101  20:aa:00:25:b5:01:00:0f(pwwn) 20:05:00:0d:ec:54:63:80(fc1/5)*          
101  21:00:00:1d:38:1c:79:0a(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:6f:24(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:78:fa(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:78:d9(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:0e:d9:5e(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:76:af(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:77:04(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  21:00:00:1d:38:1c:76:db(pwwn) 20:0d:00:0d:ec:54:63:80(fc1/13)*         
101  20:00:00:0d:ec:27:4f:40(swwn) 20:01:00:0d:ec:54:63:80(fc1/1)*          
101  22:00:00:1d:38:1c:77:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:77:05(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:6e:b2(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:78:e7(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:6e:ba(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:78:18(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:76:d9(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  22:00:00:1d:38:1c:3f:fc(pwwn) 20:0e:00:0d:ec:27:4f:40*
101  20:00:00:0d:ec:54:63:80(swwn) 20:01:00:0d:ec:27:4f:40*
101  20:20:00:2a:6a:46:89:00(pwwn) 20:06:00:0d:ec:54:63:80(fc1/6)*          
101  20:aa:00:25:b5:01:00:0f(pwwn) 20:06:00:0d:ec:54:63:80(fc1/6)*          
[Total 22 entries]

Quick Template

feature port-security                  -Enables the feature
port-security distribute               -Enables CFS distribution for port security
port-security activate vsan 101        -Activates port security on the VSAN; auto-learning is on by default
port-security commit vsan 101          -Distributes the activation to all switches in the CFS fabric
no port-security auto-learn vsan 101   -Disables auto-learning
port-security commit vsan 101          -Consolidates every switch's learned entries into one active database
port-security database copy vsan 101   -Copies the active database to the local config database
port-security commit vsan 101          -Distributes the copied config database to all switches
copy run start

Add manual entry:

port-security database vsan 101
 pwwn 11:11:11:11:11:11:11:11 interface fc1/1
port-security commit vsan 101
port-security commit vsan 101

Helpful show commands

show port-security status
show port-security database
show port-security database active
show port-security database vsan 101
port-security database diff config vsan 101
port-security database diff active vsan 101
show port-security violations
show port-security statistics

And there you have it!

2 comments

  1. The following commands are hidden from the configuration mode but usable. You can also access these commands from exec mode.

    port-security database copy vsan 100
    port-security database diff active vsan 100
    port-security database diff config vsan 100
