Configuring Port Security
• On a secondary vPC port, there is no limit check for static MACs configured. Cisco recommends that you configure the same number of static MACs on a secondary vPC port as defined in the maximum MAC count.
• All learned MAC addresses are synchronized between vPC peers.
• Both vPC peers can be configured using the dynamic or static MAC address learning method. Cisco recommends that you configure both vPC peers using the same method. This helps prevent port shut down (errDisabled state) in certain cases, such as a vPC role change.
• Dynamic MAC addresses are dropped only after the age limit is reached on both vPC peers.
• You set the maximum number of secure MAC addresses on the primary vPC switch. The primary vPC switch does the count validation and disregards any maximum number settings on the secondary switch.
• You must configure the violation action on the primary vPC. When a security violation is triggered, the security action defined on the primary vPC switch occurs.
• You can use the show vpc consistency-parameters id command to verify that the configuration is correct on both vPC peers.
• While a switch undergoes an in-service software upgrade (ISSU), port security operations are stopped on its peer switch. The peer switch does not learn any new MAC addresses, and MAC moves occurring during this operation are ignored. When the ISSU is complete, the peer switch is notified and normal port security functionality resumes.
• ISSU to higher versions is supported; however, ISSU to lower versions is not supported.
Configuring Port Security
Enabling or Disabling Port Security Globally
You can enable or disable port security globally on a device. By default, port security is disabled globally.
When you disable port security, all port security configuration on the interface is ineffective. When you disable port security globally, all port security configuration is lost.
SUMMARY STEPS
1. configure terminal
2. [no] feature port-security
3. (Optional) show port-security
4. (Optional) copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
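The vPC guidelines listed at the top of this page can be checked offline against saved configurations. The following is an added example, not taken from the Cisco guide: a small auditor that compares the port-security settings of one vPC port on the primary and secondary peer. It assumes the standard NX-OS interface commands (`switchport port-security maximum`, `violation`, `mac-address`), which are not shown on this page, an interface default of one secure MAC address, and constructed sample configurations.

```python
import re
# Constructed sample configs for one vPC port-channel per peer (all values made up).
PRIMARY = """\
interface port-channel10
  vpc 10
  switchport port-security
  switchport port-security maximum 2
  switchport port-security violation restrict
  switchport port-security mac-address 0050.56aa.0001
  switchport port-security mac-address 0050.56aa.0002
"""
SECONDARY = """\
interface port-channel10
  vpc 10
  switchport port-security
  switchport port-security maximum 5
  switchport port-security mac-address 0050.56aa.0001
  switchport port-security mac-address 0050.56aa.0002
  switchport port-security mac-address 0050.56aa.0003
"""
MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"

def parse(cfg):
    """Pull the port-security settings out of one interface stanza."""
    mx = re.search(r"port-security maximum (\d+)", cfg)
    vi = re.search(r"port-security violation (\w+)", cfg)
    static = re.findall(rf"port-security mac-address ({MAC})", cfg)
    return {"maximum": int(mx.group(1)) if mx else None,  # None = not set
            "violation": vi.group(1) if vi else None,
            "static": static, "method": "static" if static else "dynamic"}

def audit(primary_cfg, secondary_cfg):
    """Return findings for the vPC port-security guidelines in this section."""
    p, s = parse(primary_cfg), parse(secondary_cfg)
    # Assumption: an interface with no explicit maximum allows 1 secure MAC.
    limit = p["maximum"] if p["maximum"] is not None else 1
    out = []
    if p["method"] != s["method"]:
        out.append(f"learning method differs: primary={p['method']}, secondary={s['method']}")
    if s["static"] and len(s["static"]) != limit:
        out.append(f"secondary has {len(s['static'])} static MACs, primary maximum is {limit}")
    if s["maximum"] not in (None, limit):
        out.append(f"secondary maximum {s['maximum']} is disregarded, primary value {limit} applies")
    if p["violation"] is None:
        out.append("no violation action configured on the primary")
    return out

if __name__ == "__main__":
    print("\n".join(audit(PRIMARY, SECONDARY)) or "no findings")
```

With the sample data, the secondary peer is flagged twice: it carries three static MACs against a primary maximum of two, and its own maximum of five has no effect.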