I have been learning about Cisco MDS port-security recently and I have been struggling with this feature because it was different from what I expected. What I was expecting was something very similar (and easy) like the good old Ethernet Port-Security feature.

This is clearly not the case and I will show you how to configure a basic port-security using auto learning. You still can manually configure entries on the MDS but I wanted to check how to feature was interacting with CFS and how it was implemented.

We will use the same topology as the one we used previously:

 

VSAN 10 is the only VSAN created in the topology for clarity’s sake.

As every feature in NX-OS, there is a need to activate the feature on both MDS:

Since we want to play with the feature auto learning and CFS distribution , we need to enable it since it is not enabled by default.

As we can see above, if you enable the distribution of the port-security feature, this will not replicate to other switches in the fabric. Here the behavior is different than what we can experience when activating enhanced zoning within a storage fabric.

We do have to activate it on the other switches as well.

As soon as it is done we now need to learn some WWN into the fabric. As soon as you activate port-security for a particular VSAN, auto-learning is automagically (type made on purpose and copyrighted by Vik Malhi 🙂 ) started as well.

The output above shows us that the fabric has been locked for this particular VSAN and application.

In order to remove the lock and spread the configuration into the fabric, we need to commit the changes we’ve done here:

So, learning is enabled and a database has been activated as well. Same analogy as zoning here, there is a config database and active database. The active database has been replicated to the other switches but not the config database … Sounds like basic zoning right ? but the problem here is that the config database has NOT been replicated on MDS01 where we typed the configuration. So we need to replicate that active database to the config database on both MDS.

Let’s check what’s in the database first and :

On MDS01, we can see 3 WWN :

• 21:00:00:18:62:8d:e8:b7(pwwn) is the pwwn owned by my JBOD and attached to the logging point 20:05:00:0d:ec:71:f1:40 on int fc1/5
• 20:00:00:0d:ec:94:3c:c0(swwn) is the swwn owned by MDS02 and attached to the logging point 20:01:00:0d:ec:71:f1:40 on int fc1/1
• 20:00:00:0d:ec:94:3c:c0(swwn) is the swwn owned by MDS02 and attached to the logging point 20:01:00:0d:ec:71:f1:40 on int fc1/2

The logging point here is just the switch wwn (swwn) where we type the commands, we can verify it

We will have the same kind of output on MDS02 :

The tricky part here is that you cannot copy the active database to the config database if auto-learn is running on the VSAN:

So we need to de-activate that feature:

After a copy run start we should be good to go !

But we have to bear in mind that since auto learning is now DISABLED, if any array tries to login within the fabric,it will be blocked 🙂

Feel free to comment or correct me by posting a comment below 🙂

Nicolas

EDIT:

If you now try to connect an Array to the fabric here is what you will have 🙂