Cisco ACI Port Security – MAC Limit, Protect Mode & APIC Configuration Guide
Cisco ACI Port Security is a critical feature for securing access layer ports in your ACI fabric. It controls the number of MAC addresses that can be learned on an interface, protecting against MAC flooding attacks and unauthorized device access.
In this guide, we cover everything you need to know — how it works, its restrictions, configuration steps in APIC, and how to monitor violations.
🔐 What is Cisco ACI Port Security?
Port Security in Cisco ACI limits the number of MAC addresses allowed to be learned on a given interface. When the limit is exceeded, ACI takes a Protect action — dropping traffic from unknown MAC addresses and temporarily halting MAC learning on that port.
This is especially useful in environments where you want to prevent rogue devices from flooding the ACI fabric's endpoint table (COOP database).
⚙️ Key Features of ACI Port Security
- MAC Limit: Set a maximum of 0 to 12,000 MAC addresses per interface.
- Protect Mode: The only supported violation action. Excess MACs are dropped silently.
- Learning Timeout: MAC learning is disabled temporarily (default: 60 seconds) when the limit is breached, then resumes automatically.
- Supported Interfaces: Physical ports, Port Channels, and vPCs.
- Monitoring: ACI generates faults and syslogs when the MAC limit is exceeded.
🚫 Restrictions & Limitations
- Port Security is not supported on FEX (Fabric Extender) ports.
- Only MAC address limits are enforced — MAC+IP sticky binding is not supported in ACI.
- You cannot configure "Shutdown" or "Restrict" violation modes (unlike classic NX-OS port security).
🛠️ Configuration Steps in APIC GUI
Follow these steps to configure Port Security in Cisco ACI via the APIC GUI:
- Navigate to Fabric → Access Policies → Interface Policies → Port Security
- Click + to create a new Port Security Policy
- Set the Maximum Endpoints (MAC limit) — e.g., 5 for an access port
- Set the Violation Action to Protect
- Set the Timeout value (default 60 seconds)
- Attach this policy to an Interface Policy Group (Leaf Access Port or vPC Policy Group)
- Bind the Policy Group to your Interface Profile under the correct Switch Profile
📊 How Protect Mode Works — Step by Step
- ACI learns MAC addresses on the port normally until the configured limit is hit.
- Once the limit is reached, any new (unknown) source MAC is dropped at the leaf.
- MAC learning is paused on that interface for the timeout duration.
- After the timeout expires, learning resumes — if original MACs age out, new ones can be learned.
- A fault is raised in APIC and a syslog is generated for visibility.
🔍 Monitoring Port Security Violations
You can monitor Port Security violations from:
- APIC GUI → Fabric → Inventory → Leaf → Faults
- Operations → Faults (filter by "port-security")
- Syslog forwarding to your external syslog server
💡 Interview Questions — Cisco ACI Port Security
If you are preparing for CCNP DC or CCIE Data Center interviews, here are common questions on this topic:
- What violation modes are supported in ACI Port Security?
- Can you configure Port Security on FEX ports?
- What happens when a MAC limit is exceeded in Protect mode?
- How long does the learning timeout last by default?
- Where do you attach the Port Security policy in ACI?
- What is the maximum MAC address limit you can set per interface in ACI?
- How does ACI Port Security differ from NX-OS Port Security?
📚 Related Posts You May Also Like
- 👉 Cisco ACI – Fabric Secure Mode Overview
- 👉 Concept of vPC in ACI
- 👉 Complete Steps to Create vPC in Cisco ACI (via APIC)
- 👉 vPC EPG Deployment Rule
- 👉 ACI Contracts Components – Contracts vs Filters
- 👉 What is a Contract Preferred Group in ACI?
- 👉 Comparison Between CDP and LLDP in Cisco ACI
- 👉 ACI BFD Support Overview
- 👉 COOP: Council of Oracle Protocol – Cisco ACI
- 👉 ACI Leaf as Ethernet Hub – Spanning Tree Handling
Found this helpful? Leave a comment below or share it with your network. For Cisco ACI / Nexus consulting or freelancing, reach out at rockingoa@gmail.com