Port Security Enforcement
To enforce port security, configure the devices and switch port interfaces through which each device or switch
is connected, and activate the configuration.
• Use the port world wide name (pWWN) or the node world wide name (nWWN) to specify the N port connection for each device.
• Use the switch world wide name (sWWN) to specify the xE port connection for each switch.
Each N and xE port can be configured to restrict a single port or a range of ports.
Enforcement of port security policies is done on every activation and when the port tries to come up.
The port security feature uses two databases to accept and implement configuration changes.
• Configuration database — All configuration changes are stored in the configuration database.
• Active database — The database currently enforced by the fabric. The port security feature requires all devices connecting to a switch to be part of the port security active database. The software uses this active database to enforce authorization.
Auto-Learning
You can instruct the switch to automatically learn (auto-learn) the port security configurations over a specified
period. This feature allows the switch to automatically learn about devices and switches that connect to it.
Use this feature when you activate the port security feature for the first time because it saves tedious manual configuration for each port. You must configure auto-learning on a per-VSAN basis. If enabled, devices and switches that are allowed to connect to the switch are automatically learned, even if you have not configured any port access.
When auto-learning is enabled, learning occurs only for the devices or interfaces that were not already logged
into the switch. Learned entries on a port are cleaned up after you shut down that port if auto-learning is still
enabled.
Learning does not override the existing configured port security policies. For example, if an interface is
configured to allow a specific pWWN, auto-learning does not add a new entry to allow any other pWWN on
that interface. All other pWWNs are blocked even in auto-learning mode.
No entries are learned for a port in the shutdown state.
When you activate the port security feature, auto-learning is also automatically enabled.
Note
If you enable auto-learning before activating port security, you cannot activate port security until auto-learning is disabled.
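The two-database model, the auto-learning rules and the activation behaviour described above, as an added Python model of the semantics. This is illustration code written for this page, not Cisco software or NX-OS CLI; the class and method names are assumptions, and the interface names and WWNs are constructed sample values. It models only what the guide states: the configuration database changes immediately, the active database changes only on activation, auto-learning never overrides a configured entry, shut ports learn nothing and lose their learned entries, and enabling auto-learning before the first activation blocks activation.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class PortSecurityVsan:
    """Port security state for one VSAN (auto-learning is configured per VSAN).
    Hypothetical model written for this page, not Cisco code."""

    # configuration database: interface -> WWNs allowed to log in on it
    config_db: dict[str, set[str]] = field(default_factory=dict)
    # active database: the bindings the fabric currently enforces
    active_db: dict[str, set[str]] = field(default_factory=dict)
    # subset of active_db entries that auto-learning added, per interface
    learned: dict[str, set[str]] = field(default_factory=dict)
    activated: bool = False
    auto_learn: bool = False
    shut_ports: set[str] = field(default_factory=set)

    def configure(self, interface: str, wwn: str) -> None:
        """Record a binding in the configuration database only; the active
        database does not change until the next activation."""
        self.config_db.setdefault(interface, set()).add(wwn)

    def enable_auto_learn(self) -> None:
        self.auto_learn = True

    def disable_auto_learn(self) -> None:
        self.auto_learn = False

    def activate(self) -> None:
        """Make the configuration database the active database and switch
        auto-learning on. Enabling auto-learning before the first activation
        blocks activation until it is disabled again."""
        if self.auto_learn and not self.activated:
            raise RuntimeError("disable auto-learning before activating port security")
        self.active_db = {intf: set(wwns) for intf, wwns in self.config_db.items()}
        self.learned = {}
        self.activated = True
        self.auto_learn = True

    def login(self, interface: str, wwn: str) -> bool:
        """Authorize a device trying to come up on interface, learning it when
        the rules allow. Returns True when the login is accepted."""
        if not self.activated:
            return True                 # nothing is enforced before activation
        if interface in self.shut_ports:
            return False                # shut port: no login and no learned entry
        if wwn in self.active_db.get(interface, set()):
            return True                 # authorized by the active database
        # Learning never overrides configured policy: an interface with a
        # configured entry blocks every other WWN even in auto-learn mode.
        if self.auto_learn and interface not in self.config_db:
            self.active_db.setdefault(interface, set()).add(wwn)
            self.learned.setdefault(interface, set()).add(wwn)
            return True
        return False

    def shutdown(self, interface: str) -> None:
        """Shut a port; its learned entries are cleaned up while auto-learning is on."""
        self.shut_ports.add(interface)
        if self.auto_learn:
            for wwn in self.learned.pop(interface, set()):
                self.active_db[interface].discard(wwn)

    def no_shutdown(self, interface: str) -> None:
        self.shut_ports.discard(interface)


def demo() -> dict[str, object]:
    """Walk the rules with constructed sample interfaces and WWNs."""
    vsan = PortSecurityVsan()
    vsan.configure("fc1/1", "21:00:00:00:c9:12:34:56")   # only this pWWN on fc1/1
    vsan.activate()                                       # auto-learning is now on
    vsan.shut_ports.add("fc1/3")
    r: dict[str, object] = {}
    r["configured_allowed"] = vsan.login("fc1/1", "21:00:00:00:c9:12:34:56")
    r["other_pwwn_blocked"] = vsan.login("fc1/1", "21:00:00:00:c9:aa:bb:cc")
    r["learned_on_free_port"] = vsan.login("fc1/2", "21:00:00:00:c9:de:ad:00")
    r["shut_port_blocked"] = vsan.login("fc1/3", "21:00:00:00:c9:00:00:03")
    vsan.shutdown("fc1/2")
    r["learned_entry_cleaned"] = vsan.active_db["fc1/2"] == set()
    vsan.disable_auto_learn()
    vsan.no_shutdown("fc1/2")
    r["no_learning_when_off"] = vsan.login("fc1/2", "21:00:00:00:c9:de:ad:00")
    fresh = PortSecurityVsan()
    fresh.enable_auto_learn()
    try:
        fresh.activate()
        r["learn_before_activate"] = "activated"
    except RuntimeError:
        r["learn_before_activate"] = "refused"
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to take from the walk-through is the one a reviewer of a port security rollout should check: a pWWN explicitly bound to an interface makes that interface closed to all other WWNs, so auto-learning only relaxes ports that have no configured entry, and a learned entry is only as durable as the port that learned it.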
Port Security Activation
By default, the port security feature is not activated.
When you activate the port security feature, the following operations occur:
• Auto-learning is also automatically enabled, which means the following:
Cisco Nexus 5500 Series NX-OS SAN Switching Configuration Guide, Release 7.x
246
OL-30895-01
Configuring Port Security
Information About Port Security