3 February 2015 | Written by Nicolas Michel | Published in Data Center
I have been learning about Cisco MDS port-security recently and I have been struggling with this feature because it was different from what I expected. What I was expecting was something very similar (and easy) to the good old Ethernet port-security feature.
This is clearly not the case, and I will show you how to configure basic port-security using auto-learning. You can still configure entries manually on the MDS, but I wanted to check how the feature interacts with CFS and how it is implemented.
We will use the same topology as the one we used previously:
As with every feature in NX-OS, the feature has to be enabled on both MDS switches:

MDS-01(config)# feature port-security

MDS-02(config)# feature port-security
Since we want to play with auto-learning and CFS distribution, we need to enable distribution, which is not enabled by default.

MDS-01(config)# show port-security status
Fabric Distribution Disabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 10 :No Active database, learning is disabled, No Session

MDS-02(config)# show port-security status
Fabric Distribution Disabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 10 :No Active database, learning is disabled, No Session

MDS-01(config)# port-security distribute
MDS-01(config)# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 10 :No Active database, learning is disabled, No Session

MDS-02(config)# show port-security status
Fabric Distribution Disabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 10 :No Active database, learning is disabled, No Session
As we can see above, enabling distribution of the port-security feature on one switch does not replicate that setting to the other switches in the fabric. The behavior is different from what we experience when activating enhanced zoning within a storage fabric.
We have to enable it on the other switches as well:

MDS-02(config)# port-security distribute
MDS-02(config)# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 10 :No Active database, learning is disabled, No Session
Once that is done, we need to learn some WWNs into the fabric. As soon as you activate port-security for a particular VSAN, auto-learning is automagically (typo made on purpose and copyrighted by Vik Malhi 🙂 ) started as well.

MDS-01(config)# port-security activate vsan 10
MDS-01(config)# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 10 :No Active database, learning is disabled, Session Lock Taken
The output above shows us that the fabric has been locked for this particular VSAN and application.
In order to release the lock and spread the configuration through the fabric, we need to commit the changes we made here:

MDS-01(config)# show cfs lock
Application: port-security
Scope : Logical
-----------------------------------------------------------------------
VSAN  Domain  IP Address     User Name  User Type
-----------------------------------------------------------------------
10    34      172.16.40.41   admin      CLI/SNMP v3 MDS-01
Total number of entries = 1

MDS-02(config)# show cfs lock
Application: port-security
Scope : Logical
-----------------------------------------------------------------------
VSAN  Domain  IP Address     User Name  User Type
-----------------------------------------------------------------------
10    34      172.16.40.41   admin      CLI/SNMP v3
Total number of entries = 1

MDS-01(config)# port-security commit vsan 10
MDS-01(config)# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 10 :Activated database, learning is enabled, No Session

MDS-02(config)# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 10 :Activated database, learning is enabled, No Session
So learning is enabled and a database has been activated as well. The analogy with zoning holds here: there is a config database and an active database. The active database has been replicated to the other switch but the config database has not. Sounds like basic zoning, right? The problem is that the config database has not even been populated on MDS-01, the switch where we typed the configuration. So we need to copy the active database into the config database on both MDS switches.
Let's check what is in the databases first:

MDS-01(config)# show port-security database active vsan 10
--------------------------------------------------------------------------------
VSAN  Logging-in Entity              Logging-in Point        (Interface)  Learnt
--------------------------------------------------------------------------------
10    21:00:00:18:62:8d:e8:b7(pwwn)  20:05:00:0d:ec:71:f1:40(fc1/5)*     Yes
10    20:00:00:0d:ec:94:3c:c0(swwn)  20:01:00:0d:ec:71:f1:40(fc1/1)*     Yes
10    20:00:00:0d:ec:94:3c:c0(swwn)  20:02:00:0d:ec:71:f1:40(fc1/2)*     Yes

MDS-01(config)# show port-security database vsan 10
--------------------------------------------------------------------------------
VSAN  Logging-in Entity              Logging-in Point        (Interface)
--------------------------------------------------------------------------------
On MDS-01, we can see three entries: the pWWN of the device logged in on fc1/5, and the switch WWN (swwn) of MDS-02 logged in through fc1/1 and fc1/2.
The logging-in point is the port WWN of the local switch, which is derived from the switch WWN (swwn) of the switch where we type the commands. We can verify it:

MDS-01# show wwn switch
Switch WWN is 20:00:00:0d:ec:71:f1:40
We will have the same kind of output on MDS-02:

MDS-02# show port-security database active vsan 10
--------------------------------------------------------------------------------
VSAN  Logging-in Entity              Logging-in Point        (Interface)  Learnt
--------------------------------------------------------------------------------
10    20:00:00:0d:ec:71:f1:40(swwn)  20:01:00:0d:ec:94:3c:c0(fc1/1)*     Yes
10    20:00:00:0d:ec:71:f1:40(swwn)  20:02:00:0d:ec:94:3c:c0(fc1/2)*     Yes
The tricky part here is that you cannot copy the active database to the config database while auto-learn is running on the VSAN:

MDS-01(config)# port-security database copy vsan 10
Error for VSAN 10: Copy of active to config db not allowed when distribution and auto-learn are on
So we need to disable auto-learning first, commit, and only then copy the active database to the config database and commit again:

MDS-01(config)# no port-security auto-learn vsan 10
MDS-01(config)# port-security commit vsan 10

MDS-01# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 10 :Activated database, learning is disabled, No Session

MDS-02# show port-security status
Fabric Distribution Enabled
VSAN 1 :No Active database, learning is disabled, No Session
VSAN 10 :Activated database, learning is disabled, No Session

MDS-01(config)# port-security database copy vsan 10
MDS-01(config)# port-security commit vsan 10

MDS-01(config)# show port-security database vsan 10
--------------------------------------------------------------------------------
VSAN  Logging-in Entity              Logging-in Point        (Interface)
--------------------------------------------------------------------------------
10    21:00:00:18:62:8d:e8:b7(pwwn)  20:05:00:0d:ec:71:f1:40(fc1/5)*
10    20:00:00:0d:ec:94:3c:c0(swwn)  20:01:00:0d:ec:71:f1:40(fc1/1)*
10    20:00:00:0d:ec:94:3c:c0(swwn)  20:02:00:0d:ec:71:f1:40(fc1/2)*
10    20:00:00:0d:ec:71:f1:40(swwn)  20:01:00:0d:ec:94:3c:c0*
10    20:00:00:0d:ec:71:f1:40(swwn)  20:02:00:0d:ec:94:3c:c0*
[Total 5 entries]

MDS-01(config)# show port-security database active vsan 10
--------------------------------------------------------------------------------
VSAN  Logging-in Entity              Logging-in Point        (Interface)  Learnt
--------------------------------------------------------------------------------
10    21:00:00:18:62:8d:e8:b7(pwwn)  20:05:00:0d:ec:71:f1:40(fc1/5)*
10    20:00:00:0d:ec:94:3c:c0(swwn)  20:01:00:0d:ec:71:f1:40(fc1/1)*
10    20:00:00:0d:ec:94:3c:c0(swwn)  20:02:00:0d:ec:71:f1:40(fc1/2)*
10    20:00:00:0d:ec:71:f1:40(swwn)  20:01:00:0d:ec:94:3c:c0*
10    20:00:00:0d:ec:71:f1:40(swwn)  20:02:00:0d:ec:94:3c:c0*

MDS-02# show port-security database vsan 10
--------------------------------------------------------------------------------
VSAN  Logging-in Entity              Logging-in Point        (Interface)
--------------------------------------------------------------------------------
10    21:00:00:18:62:8d:e8:b7(pwwn)  20:05:00:0d:ec:71:f1:40*
10    20:00:00:0d:ec:94:3c:c0(swwn)  20:01:00:0d:ec:71:f1:40*
10    20:00:00:0d:ec:94:3c:c0(swwn)  20:02:00:0d:ec:71:f1:40*
10    20:00:00:0d:ec:71:f1:40(swwn)  20:01:00:0d:ec:94:3c:c0*(fc1/1)
10    20:00:00:0d:ec:71:f1:40(swwn)  20:02:00:0d:ec:94:3c:c0*(fc1/2)
[Total 5 entries]

MDS-02# show port-security database active vsan 10
--------------------------------------------------------------------------------
VSAN  Logging-in Entity              Logging-in Point        (Interface)  Learnt
--------------------------------------------------------------------------------
10    20:00:00:0d:ec:71:f1:40(swwn)  20:01:00:0d:ec:94:3c:c0(fc1/1)*
10    20:00:00:0d:ec:71:f1:40(swwn)  20:02:00:0d:ec:94:3c:c0(fc1/2)*
10    21:00:00:18:62:8d:e8:b7(pwwn)  20:05:00:0d:ec:71:f1:40*
10    20:00:00:0d:ec:94:3c:c0(swwn)  20:01:00:0d:ec:71:f1:40*
10    20:00:00:0d:ec:94:3c:c0(swwn)  20:02:00:0d:ec:71:f1:40*
[Total 5 entries]
After a copy run start we should be good to go!
But bear in mind that since auto-learning is now DISABLED, any device whose WWN is not already in the database will be blocked when it tries to log in to the fabric 🙂
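The copy step above exists because entries that auto-learn put in the active database are not in the config database until you copy them. The following is an added example (not from the original post) that parses the two "show port-security database" outputs and lists the bindings present only in the active database, so you can check for that gap before disabling auto-learn; the sample output is constructed in the same form as the MDS-01 output shown above.

```python
import re
from typing import List, NamedTuple

# Constructed sample, in the form of the MDS-01 output shown above: the active
# database filled by auto-learn, and the still-empty config database.
ACTIVE_MDS01 = """\
MDS-01(config)# show port-security database active vsan 10
--------------------------------------------------------------------------------
VSAN   Logging-in Entity              Logging-in Point        (Interface)   Learnt
--------------------------------------------------------------------------------
10     21:00:00:18:62:8d:e8:b7(pwwn)  20:05:00:0d:ec:71:f1:40(fc1/5)*      Yes
10     20:00:00:0d:ec:94:3c:c0(swwn)  20:01:00:0d:ec:71:f1:40(fc1/1)*      Yes
10     20:00:00:0d:ec:94:3c:c0(swwn)  20:02:00:0d:ec:71:f1:40(fc1/2)*      Yes
"""
CONFIG_MDS01 = """\
MDS-01(config)# show port-security database vsan 10
--------------------------------------------------------------------------------
VSAN   Logging-in Entity              Logging-in Point        (Interface)
--------------------------------------------------------------------------------
"""

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"
# One database row; the interface annotation is optional, and the remote switch
# prints it after the '*' ("...:c0*(fc1/1)"), so both placements are accepted.
ENTRY_RE = re.compile(
    rf"^\s*(?P<vsan>\d+)\s+(?P<entity>{WWN})\((?P<etype>pwwn|nwwn|swwn)\)"
    rf"\s+(?P<point>{WWN})(?:\([^)]*\))?\*?(?:\([^)]*\))?"
    r"(?:\s+(?P<learnt>Yes|No))?\s*$",
    re.IGNORECASE,
)

class Entry(NamedTuple):
    vsan: int
    entity: str  # logging-in entity WWN (pwwn/nwwn/swwn)
    etype: str
    point: str   # logging-in point: the fabric port WWN it logged in through

def parse_db(text: str) -> List[Entry]:
    """Rows of 'show port-security database [active] vsan N'; prompt and headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            rows.append(Entry(int(m["vsan"]), m["entity"].lower(),
                              m["etype"].lower(), m["point"].lower()))
    return rows

def drift(active_text: str, config_text: str) -> List[Entry]:
    """Bindings in the active DB but not in the config DB: they exist only in the
    active database and are not part of the saved config until 'database copy' is run."""
    return sorted(set(parse_db(active_text)) - set(parse_db(config_text)))
```

Run drift() on the two outputs collected from each switch; an empty result after the copy and commit means the config database matches what auto-learn collected.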
Feel free to comment or correct me by posting a comment below 🙂
Nicolas
EDIT:
If you now try to connect an array to the fabric, here is what you get 🙂 The pWWN 21:00:00:18:62:8d:e8:b8 is not in the active database for fc1/5 (only 21:00:00:18:62:8d:e8:b7 was learnt there), so the login is denied and the interface is suspended:

2015 Feb 3 21:00:50 MDS-01 %PORT-SECURITY-3-BINDING_VIOLATION: %$VSAN 10%$ <Port Binding:: Interface: fc1/5 -- pWWN: 21:00:00:18:62:8d:e8:b8, nWWN: 20:00:00:18:62:8d:e8:b7>
2015 Feb 3 21:00:50 MDS-01 %PORT-5-IF_DOWN_DENIED_DUE_TO_PORT_BINDING: %$VSAN 10%$ Interface fc1/5 is down(Suspended due to port binding)

MDS-01(config-if)# show port-security violations
-------------------------------------------------------------------------------
VSAN  Interface  Logging-in Entity              Last-Time [Repeat count]
-------------------------------------------------------------------------------
10    fc1/5      21:00:00:18:62:8d:e8:b8(pwwn)  Feb 3 21:00:50 2015 [1]
                 20:00:00:18:62:8d:e8:b8(nwwn)
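Those two syslog messages are what a monitoring system should alert on. The following is an added example (not from the original post) that parses BINDING_VIOLATION and IF_DOWN_DENIED_DUE_TO_PORT_BINDING messages, pairs them per switch, VSAN and interface, and annotates each violation with the pWWN that was actually learnt on that interface; the sample log lines and the LEARNT table are constructed from the output shown in this post.

```python
import re
from typing import Dict, List

# Constructed sample syslog in the form of the MDS-01 messages shown above,
# plus one unrelated IF_UP line to show that it is ignored.
SYSLOG = """\
2015 Feb 3 21:00:50 MDS-01 %PORT-SECURITY-3-BINDING_VIOLATION: %$VSAN 10%$ <Port Binding:: Interface: fc1/5 -- pWWN: 21:00:00:18:62:8d:e8:b8, nWWN: 20:00:00:18:62:8d:e8:b7>
2015 Feb 3 21:00:50 MDS-01 %PORT-5-IF_DOWN_DENIED_DUE_TO_PORT_BINDING: %$VSAN 10%$ Interface fc1/5 is down(Suspended due to port binding)
2015 Feb 3 21:02:11 MDS-01 %PORT-5-IF_UP: %$VSAN 10%$ Interface fc1/6 is up
"""
# Constructed from the active database shown earlier: (vsan, interface) -> learnt pWWN.
LEARNT = {("10", "fc1/5"): "21:00:00:18:62:8d:e8:b7"}

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"
HEAD = r"^(?P<ts>\d{4} \w{3} +\d+ \d\d:\d\d:\d\d) (?P<switch>\S+) "
VIOLATION_RE = re.compile(
    HEAD + r"%PORT-SECURITY-3-BINDING_VIOLATION: %\$VSAN (?P<vsan>\d+)%\$ "
    rf"<Port Binding:: Interface: (?P<iface>\S+) -- pWWN: (?P<pwwn>{WWN}), nWWN: (?P<nwwn>{WWN})>",
    re.IGNORECASE,
)
SUSPEND_RE = re.compile(
    HEAD + r"%PORT-5-IF_DOWN_DENIED_DUE_TO_PORT_BINDING: %\$VSAN (?P<vsan>\d+)%\$ "
    r"Interface (?P<iface>\S+) is down"
)

def correlate(text: str) -> List[Dict[str, str]]:
    """One record per BINDING_VIOLATION; 'suspended' becomes 'yes' when the matching
    IF_DOWN_DENIED message (same switch, VSAN and interface) is seen as well."""
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = VIOLATION_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["suspended"] = "no"
            # Which pWWN port-security expects on that port, if we know it.
            ev["learnt_pwwn"] = LEARNT.get((ev["vsan"], ev["iface"]), "unknown")
            events.append(ev)
            continue
        m = SUSPEND_RE.match(line)
        if m:
            key = (m["switch"], m["vsan"], m["iface"])
            for ev in events:
                if (ev["switch"], ev["vsan"], ev["iface"]) == key:
                    ev["suspended"] = "yes"
    return events
```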