[c-nsp] Port security on vPC on n5k => need help

Nicolas V nicovpp59 at gmail.com
Fri Dec 19 03:42:04 EST 2014


Hi,

I am thinking about enabling the port security feature on 2* 5548 for a vPC
interface (need to specify a static mac address).

I have :
- vPC1 => peer link
- vPC2 => need to specify static mac address

I have read the following cisco doc, but this is not clear to me :

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/security/513_n1_1/b_Cisco_n5k_security_config_gd_513_n1_1/b_Cisco_n5k_security_config_gd_513_n1_1_chapter_01001.html#concept_22FB5A78C7A94A028979AFF30B34FDF8

This guideline says :
"You must configure a static secure MAC address on the primary vPC peer.
This MAC address is synchronized with the secondary vPC peer. Do not
configure a static secure MAC address on the secondary peer. This MAC
address appears in the secondary vPC configuration, but does not take
affect. "

I am not using the "config sync" feature, and would like to know how to
set up port security on a vPC safely (I do not want vPC1 to be shut
in case the mac address is learned on vPC1 instead of vPC2).

Config should be :
on both nexus :

conf
feature port-security

then on nexus1 :
int po2
switchport port-security
switchport port-security mac-address 0011.2233.4455
vpc 2

Do you know :
- How I should configure po2/vpc2 on nexus 2
- if po2 is down on nexus 1, it will see mac address 0011.2233.4455. Could
it block po1/vpc1 ?

Thanks !

