Sunday, May 10, 2026

Cisco Nexus SVI and Port Security Configuration Guide | NX-OS Step-by-Step Lab

This is Part 4 and Part 5 of the Cisco Nexus NX-OS configuration series.

In this guide we will configure:

  • SVI Interfaces
  • Interface VLAN IP addressing
  • Inter-switch VLAN communication
  • Port Security
  • Static secure MAC addresses
  • Sticky MAC learning
  • Errdisable recovery
  • Dynamic MAC learning
  • Security verification and troubleshooting

    1. Understanding SVIs

    SVI stands for:

    Switched Virtual Interface

    An SVI is a logical Layer 3 interface associated with a VLAN.

    Why SVIs are Important

    • Provides Layer 3 gateway functionality
    • Allows inter-VLAN communication
    • Enables switch management
    • Supports routing features
    • Acts as default gateway for hosts

    Traditional Layer 2 VLAN

    VLAN = Broadcast Domain Only
    No IP Interface
    

    SVI-Based VLAN

    VLAN + IP Interface = Routed VLAN
    

    2. Enable Interface VLAN Feature

    NX-OS uses modular features. Before configuring SVIs, the feature must be enabled.

    NX-01

    
    configure terminal
    
    feature interface-vlan
    
    end
    

    NX-02

    
    configure terminal
    
    feature interface-vlan
    
    end
    

    NX-03

    
    configure terminal
    
    feature interface-vlan
    
    end
    

    3. Configure SVI Interfaces

    Now we configure:

    • VLAN 10 interfaces
    • VLAN 20 interfaces
    • IP addressing

    Addressing Table

    Switch VLAN IP Address
    NX-01 10 10.10.10.1/24
    NX-01 20 10.20.20.1/24
    NX-02 10 10.10.10.2/24
    NX-02 20 10.20.20.2/24
    NX-03 10 10.10.10.3/24
    NX-03 20 10.20.20.3/24

    NX-01 Configuration

    
    configure terminal
    
    interface vlan10
     ip address 10.10.10.1/24
     no shutdown
    
    interface vlan20
     ip address 10.20.20.1/24
     no shutdown
    
    end
    

    NX-02 Configuration

    
    configure terminal
    
    interface vlan10
     ip address 10.10.10.2/24
     no shutdown
    
    interface vlan20
     ip address 10.20.20.2/24
     no shutdown
    
    end
    

    NX-03 Configuration

    
    configure terminal
    
    interface vlan10
     ip address 10.10.10.3/24
     no shutdown
    
    interface vlan20
     ip address 10.20.20.3/24
     no shutdown
    
    end
    

    CLI Verification Example

    NX-01# show ip interface brief
    
    Interface      IP Address      Status
    Vlan10         10.10.10.1      protocol-up/link-up
    Vlan20         10.20.20.1      protocol-up/link-up
    

    4. Verify VLAN Connectivity

    Devices inside the same VLAN should now communicate successfully.

    Example Pings

    
    ping 10.10.10.2
    
    ping 10.10.10.3
    
    ping 10.20.20.2
    
    ping 10.20.20.3
    

    Expected Output

    NX-01# ping 10.10.10.2
    
    64 bytes from 10.10.10.2: icmp_seq=0 ttl=255 time=2 ms
    64 bytes from 10.10.10.2: icmp_seq=1 ttl=255 time=1 ms
    
    Success rate is 100 percent
    

    5. Understanding Port Security

    Port Security restricts which MAC addresses can connect to switch ports.

    Why Port Security Matters

    • Prevents unauthorized access
    • Stops rogue devices
    • Protects Layer 2 infrastructure
    • Reduces attack surface
    • Improves endpoint control

    Common Attacks Prevented

    • MAC flooding
    • Unauthorized laptop connections
    • Rogue switches
    • Layer 2 spoofing

    6. Enable Port Security Feature

    NX-01

    
    configure terminal
    
    feature port-security
    
    end
    

    NX-02

    
    configure terminal
    
    feature port-security
    
    end
    

    NX-03

    
    configure terminal
    
    feature port-security
    
    end
    

    7. Configure Static Secure MACs

    NX-01 Port E1/5

    Only the MAC address 0010.1111.2222 should be allowed.

    
    configure terminal
    
    interface ethernet1/5
     switchport port-security
     switchport port-security mac-address 0010.1111.2222
    
    end
    

    NX-02 Port E1/5

    Only the MAC address 0010.2222.4444 should be allowed.

    
    configure terminal
    
    interface ethernet1/5
     switchport port-security
     switchport port-security mac-address 0010.2222.4444
    
    end
    

    Security Logic

    If:

    \[ MAC_{incoming} \neq MAC_{allowed} \]

    Then:

    \[ Port = Shutdown \]


    8. Configure Sticky MAC Learning

    Sticky MAC dynamically learns MAC addresses and stores them into the running configuration.

    NX-03 Configuration

    
    configure terminal
    
    interface ethernet1/5-6
     switchport port-security
     switchport port-security mac-address sticky
    
    end
    

    What Sticky MAC Does

    • Learns MAC dynamically
    • Adds MAC into running-config
    • Maintains persistent security
    • Combines dynamic and static benefits

    9. Configure Maximum Secure MAC Addresses

    NX-01 interface E1/6 should:

    • Allow maximum 5 MAC addresses
    • Statically configure 2 MAC addresses
    • Learn remaining MAC addresses dynamically

    
    configure terminal
    
    interface ethernet1/6
     switchport port-security
     switchport port-security maximum 5
     switchport port-security mac-address 0001.1010.AB12
     switchport port-security mac-address 0001.1010.AB13
     switchport port-security mac-address sticky
    
    end
    

    MAC Capacity Formula

    If:

    \[ Maximum = 5 \]

    And:

    \[ Static = 2 \]

    Then:

    \[ Dynamic = Maximum - Static \]

    \[ Dynamic = 5 - 2 \]

    \[ Dynamic = 3 \]

    Three additional MAC addresses can be learned dynamically.
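Added example, not code from the original guide: a Python audit that applies the Dynamic = Maximum - Static formula to interface configuration like the block above. It parses a constructed NX-OS-style snippet, assumes a default maximum of 1 where no maximum line is present, and reports the free dynamic slots per port, or None where port-security is not enabled.

```python
import re

# Constructed sample modelled on this guide's NX-01 interface configuration,
# plus one access port (ethernet1/7) deliberately left without port-security.
SAMPLE_CONFIG = """\
interface ethernet1/5
 switchport port-security
 switchport port-security mac-address 0010.1111.2222
interface ethernet1/6
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address 0001.1010.AB12
 switchport port-security mac-address 0001.1010.AB13
 switchport port-security mac-address sticky
interface ethernet1/7
 switchport mode access
"""
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")

def parse_port_security(config):
    """Return {interface: {enabled, maximum, static, sticky}} from interface config.
    'maximum' falls back to 1 (assumed NX-OS default) when no maximum line is present."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = {"enabled": False, "maximum": 1, "static": [], "sticky": False}
        elif current is None or not line.startswith("switchport port-security"):
            continue
        elif line == "switchport port-security":
            ports[current]["enabled"] = True
        elif line.startswith("switchport port-security maximum "):
            ports[current]["maximum"] = int(line.rsplit(None, 1)[1])
        elif line.startswith("switchport port-security mac"):
            value = line.rsplit(None, 1)[1].lower()  # 'mac-address X' or abbreviated 'mac X'
            if value == "sticky":
                ports[current]["sticky"] = True
            elif MAC_RE.match(value):
                ports[current]["static"].append(value)
    return ports

def free_dynamic_slots(config):
    """Map each interface to Maximum - Static (the guide's capacity formula), or None
    when port-security is not enabled. A negative value means the static MACs alone
    already exceed the configured maximum."""
    return {name: (e["maximum"] - len(e["static"])) if e["enabled"] else None
            for name, e in parse_port_security(config).items()}
```

Ethernet1/5 shows the trap of leaving the default maximum in place: one static MAC uses the single slot, so sticky learning on that port would have no room.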


    10. Configure Errdisable Recovery

    When a port-security violation occurs, interfaces may become:

    Error Disabled

    Automatic recovery improves operational efficiency.

    NX-01 Configuration

    
    configure terminal
    
    errdisable recovery cause psecure-violation
    errdisable recovery interval 240
    
    end
    

    What This Means

    After:

    \[ 240\ seconds \]

    the switch automatically attempts to re-enable the error-disabled port, where:

    \[ 240\ seconds = 4\ minutes \]


    11. Security and VLAN Mathematics

    Subnet Calculation

    Given:

    \[ 10.10.10.0/24 \]

    Subnet mask:

    \[ 255.255.255.0 \]

    Available hosts:

    \[ 2^{8} - 2 \]

    \[ 256 - 2 = 254 \]

    A /24 network supports 254 usable hosts.

    Port Security Capacity

    Suppose:

    \[ Ports = 48 \]

    \[ Maximum\ secure\ MACs\ per\ port = 5 \]

    Total secure MAC capacity:

    \[ 48 \times 5 \]

    \[ 240 \]

    The switch can securely learn up to 240 MAC addresses.


    12. Modern Security Best Practices

    Modern Nexus deployments typically include:

    • 802.1X authentication
    • Dynamic segmentation
    • MACsec encryption
    • NAC integration
    • TrustSec
    • VXLAN security policies

    Modern Best Practice Example

    
    configure terminal
    
    feature port-security
    
    interface ethernet1/5
     description SECURE_USER_PORT
     switchport
     switchport mode access
     switchport access vlan 10
     switchport port-security
     switchport port-security maximum 2
     switchport port-security mac-address sticky
     spanning-tree port type edge
     no shutdown
    
    end
    

    13. Troubleshooting

    Verification Commands

    
    show ip interface brief
    
    show interface vlan 10
    
    show port-security interface ethernet1/5
    
    show port-security address
    
    show errdisable recovery
    

    Check Sticky MAC Addresses

    NX-03# show port-security address
    
    Secure Mac Address Table
    -------------------------------------------
    
    Vlan Mac Address       Type       Ports
    ---- -----------       ----       -----
    10   0011.2233.4455    Sticky     Eth1/5
    
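Added example, not part of the original guide: a Python check that parses `show port-security address` output in the format shown above and compares the learned sticky MACs per port with an expected inventory, so a swapped device shows up as one unexpected MAC plus one missing MAC. The sample output and the EXPECTED inventory are constructed for this example; the Eth1/6 row is added to demonstrate a mismatch.

```python
import re

# Constructed sample modelled on the guide's `show port-security address` output;
# the Eth1/6 row is an extra sticky entry added here to demonstrate a mismatch.
SAMPLE_OUTPUT = """\
NX-03# show port-security address

Secure Mac Address Table
-------------------------------------------

Vlan Mac Address       Type       Ports
---- -----------       ----       -----
10   0011.2233.4455    Sticky     Eth1/5
10   00aa.bbcc.ddee    Sticky     Eth1/6
"""

# Inventory of MACs expected on NX-03's sticky ports (constructed for this example).
EXPECTED = {"Eth1/5": {"0011.2233.4455"}, "Eth1/6": {"0011.2233.4466"}}

ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$", re.IGNORECASE)

def parse_secure_table(output):
    """Return [(vlan, mac, type, port), ...] from show port-security address output."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m["vlan"]), m["mac"].lower(), m["type"], m["port"]))
    return rows

def check_inventory(output, expected):
    """Compare secure MACs per port against an expected {port: {mac, ...}} inventory.
    Returns {port: {"unexpected": set, "missing": set}} for ports that differ; a
    sticky MAC absent from the inventory usually means a different device was plugged
    into that port after the configuration was saved."""
    seen = {}
    for _vlan, mac, _type, port in parse_secure_table(output):
        seen.setdefault(port, set()).add(mac)
    report = {}
    for port in set(seen) | set(expected):
        unexpected = seen.get(port, set()) - expected.get(port, set())
        missing = expected.get(port, set()) - seen.get(port, set())
        if unexpected or missing:
            report[port] = {"unexpected": unexpected, "missing": missing}
    return report
```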

    Check Errdisable Recovery

    NX-01# show errdisable recovery
    
    ErrDisable Reason Timer Status
    ------------------------------
    psecure-violation Enabled
    
    Timer interval: 240 seconds
    

    Complete Final Configuration

    
    configure terminal
    
    feature interface-vlan
    feature port-security
    
    interface vlan10
     ip address 10.10.10.1/24
     no shutdown
    
    interface vlan20
     ip address 10.20.20.1/24
     no shutdown
    
    interface ethernet1/5
     switchport port-security
     switchport port-security mac-address 0010.1111.2222
    
    interface ethernet1/6
     switchport port-security
     switchport port-security maximum 5
     switchport port-security mac-address 0001.1010.AB12
     switchport port-security mac-address 0001.1010.AB13
     switchport port-security mac-address sticky
    
    errdisable recovery cause psecure-violation
    errdisable recovery interval 240
    
    end
    
    copy running-config startup-config
    

    Key Takeaways

    ✔ SVIs provide Layer 3 interfaces for VLANs.

    ✔ Interface VLAN feature must be enabled in NX-OS.

    ✔ Port Security restricts unauthorized MAC addresses.

    ✔ Sticky MAC dynamically learns and stores MAC addresses.

    ✔ Errdisable recovery automatically restores violated ports.

    ✔ Modern networks combine Port Security with NAC and 802.1X.


    Conclusion

    In this Cisco Nexus NX-OS guide, we configured SVIs and Port Security across NX-01, NX-02, and NX-03.

    We implemented:

    • Interface VLANs
    • IP addressing
    • VLAN communication
    • Static secure MAC addresses
    • Sticky MAC learning
    • Maximum MAC limits
    • Automatic errdisable recovery

    These features form an essential foundation for securing modern enterprise and data center switching environments.
