Port security and DHCP

Similar Questions

• Errors of run Switchport Port-Security

  So I'm a bit new to switchport security.  I work on most of the ports in one location.  Its ports where I either switchport voice and switchport access VLAN or just switchport voice VLAN.  For some reason, these types of ports going into err - disable.  Here are a few examples.  Indications as to why it would stop even when I have the right MAC address would be very useful. Interface Fa0/3 has a phone attached to it and a connected computer the phone is off.

  interface FastEthernet0/2
  Description Table phone
  switchport mode access
  switchport voice vlan 2
  switchport port-security
  security violation restrict port switchport
  switchport port-security-address mac 34a8.4ea6.0f95
  spanning tree portfast

  interface FastEthernet0/3
  SAM PHONE x 1623 description
  switchport access vlan 3
  switchport mode access
  switchport voice vlan 2
  switchport port-security maximum 2
  switchport port-security-address mac 442b.031a.2975 - phone MAC
  switchport port-security-address mac e840.f223.8842 - MAC computer
  spanning tree portfast

  2 442b.031a.2975 DYNAMICS Fa0/3

  2 34a8.4ea6.0f95 DYNAMICS Fa0/2

  The newspaper says this whenever I turn on port security.  Any other port where there is only 1 VLAN or 1 device, it works fine no problem.

  27 June 2015 23:59:56: % PORT_SECURITY-2-PSECURE_VIOLATION: security breach took place, caused by MAC address 34a8.4ea6.0f95 on port FastEthernet0/2.
  June 28, 2015 00:00:01: PM-4-ERR_DISABLE %: psecure-violation error found on Fa0/3, putting the Fa0/3 in State of err - disable
  June 28, 2015 00:00:02: % LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state down
  June 28, 2015 00:00:03: % LINK-3-UPDOWN: Interface FastEthernet0/3, changed State to down
  June 28, 2015 00:00:04: PORT_SECURITY-2-PSECURE_VIOLATION %: security breach took place, caused by MAC address 34a8.4ea6.0f95 on port FastEthernet0/2.

  I know I'm missing something because I am new to using switchport security.  I am wanting to lock the ports to prevent devices not allowed to plug in on my network.  I have disabled all DHCP, but I want to take a little further and prevent them to enter the network even and probe the network.

  EDIT - You forgot to mention that it is a 2960 version 15.0 (2) SE5

  Thank you

  David

  David, Kevin,

  Let me join you.

  The way I see the Fa0/2 work with its original configuration is:

  • The maximum number of secure MAC addresses is 1.
  • Access to the VIRTUAL LAN is 1, the voice VLAN is 2.
  • The static safe MAC address 34a8.4ea6.0f95 is added to the access VLAN, not to the voice VLAN
  • When the phone starts to make known by the voice VLAN, MAC address cannot be dynamically added to the list because the maximum allowed number of MAC secure is 1 and the list is already full. The fact that its MAC address is configured statically is irrelevant, because it is not associated with the voice VLAN.

  Try to delete the line

  switchport port-security-address mac 34a8.4ea6.0f95

  and replace with

  voice of vlan switchport port-security-address mac 34a8.4ea6.0f95

  and see if it solves the problem.

  Best regards
  Peter

• Several VLANS and DHCP relay on two stacked switch SGE2000-G5

  We were put to the task of securing a small desktop system managed that is currently set up with a standard switch for each of the offices (with different companies) to see each other and in some cases, access to each of the other documents on the network.

  Obviously, this is far from adequate set up and our goal is to isolate each office using VIRTUAL networks, but share a common internet connection provided by managed offices.  We have two switches for layer 3 Cisco SGE2000-G5, but we are new on Cisco equipment and VLAN, so we are not quite sure on how to implement this.  DHCP must be provided by a router, there is no server.  We are open to suggestions on the router as we still buy a.

  I hope that someone may be useful.

  Thank you very much

  Jim

  Hi Jim,.

  SGE2000 switches you are using must be able to handle this without issue. What type of router you are using? As long as you have a router that will take in charge VLAN / several subnets, it should be a simple configuration.

  Here's a quick run down of the measures to be implemented. (using vlan1 and vlan2)

  On the router, create a vlan / subnet 2 and set the port to connect to your shared resources with the two VLAN 1 and 2 switch. (it will be untagged, two will be marked)

  On the switch, create vlan2 and do the same for the port connected to the router. (vlan1 marked and tagged vlan2)

  Now for each switch port that you want to assign the port access and vlan1 and vlan2. (this vlan will be without a label)

  If your router allows, disable routing inter - vlan. If this isn't the case, you must create rules to block traffic from one network to the other.

  All this happens under the assumption that your router can support VLAN and can also make DHCP for this VLAN.

  Hope this information helps

• opening ports 2077 and 2078 to use web disk

  Hello, I can't see my web files with webdisk and I would like to know how to manually open ports 2077 and 2078. I already read an article on the Microsoft Web site, but form a certain point the indication does not match what I see on my screen. Thank you

  Which firewall do you use?  If the built-in Windows Firewall, open the Security Center in Control Panel and select the Windows Firewall applet.  Select the Exceptions tab, and then click Add Port.  Specify your port.  Use the button change the scope to restrict the port to the correct network or IP addresses is not wide open to the Internet (unless that's what you need). Brian Tillman [MVP-Outlook]
  ------------------------------
  If a response may help, please vote it as useful. If a response to the problem, please mark it as an answer.

• What should be the port/security settings for Windows Mail with Vista - I think they changed?

  I had to reinstall Vista when my hard drive crashed, and Windows Mail does not work completely correctly. I think remember me an email from Microsoft told me to change the ports/security settings. Could someone tell me what they should be?

  A "error message indicating", what exactly? No error code or the relevant text?
   
  Make sure these settings match exactly.
   
  Set up Windows Mail for E-mail XFINITY/Comcast
  http://customer.Comcast.com/help-and-support/Internet/configuring-Windows-Mail-Xfinity-email
   
  
  Leave messages on the server and it clutter?
   
   

• WRT320N - loss of internet connection after redirect port 80 and 443

  Hello

  I have a problem with my new WRT320N. When I activate the port forwarding on my local server (ports 80 and 443), after a while I completely lose internet connection on all my computers connected to the router (wifi and lan computers). The router itself can ping and trace any Internet site through diagnostics to Web administration. When I turn off and click on save changes button, my internet connection works immediately again. I have the latest firmware installed and I tried to reset the router several times and set it manually since the beginning.

  My previously detained WRP400 has been configured to redirect these exactly the same ports and everything worked perfectly. Could someone advise me where could be a mistake? Thank you.

  I solved it. There was a problem with the combination of the service 'DHCP Reservation"of the router and client DHCP of Ubuntu. I disabled "Booking DHCP" and set the IP settings manually in the Ubuntu computer and now it works perfectly

• N2048 port security does not

  Hi Experts,

  Only, we have deployed a new site that uses the Dell N2048 switches in a stack.

  Now we would add port security to the switch, Port-MAC locking to lockdown one port if another computer.

  According to the manual, to put in place we only need of to the port to locked under the MISTLETOE under switching, network security, port security.

  This does not activate it.

  We tried to add via the command line, in the ports of test, it now shows:

  switchport security of dynamic ports 1

  Still, port security is not enabled. There is another thing that must be enabled in the world to do this job or other commands?

  Thank you

  The output of port security-# show is as follows:

  Port Security Administration Mode: enabled

  It is possible that the tests were not done fast enough. I spent the time-out and ask them to test again.

  Thank you

• PowerConnect 35XX port security

  Hello. I am trying to locate a CLI command that will allow me quickly clear course MAC addresses for a port secure with port security.

  My configuration of the interface is fairly simple.

  dot1x multiple-host
  dry port max 2
  dry port stop throw

  If I connect to a different host, the original at the port this as it should and travel to port security. Now, everything is fine, if I plan on the reconnection of the original host. Issue the global command "set interface active ethernet eth #" and the port is back online. The problem comes when I want to change the host. I have to completely remove the dot1x and the security configuration of the port [minus the max], 'set active interface' and then add security dot1x port for the interface configuration.

  Is there a way to quickly clean the secure the port addresses so that the new addresses can be learned?

  Thanks in advance.

  -Andrew

  Try this command and see if it works. Console # dot1x to re-authenticate ethernet 1/eXX

• Need help to reset/compensation port security on a PowerConnect 35XX

  I implement port security on our network, and I've never worked with these before switches. I'm used to the Cisco CLI, who was the command exec "int sticky clear dry port", but it doesn't seem to be anything of the sort on the CLI of Dell.

  Here is the config, I have in place on the switchport in question.

  dot1x multiple-host

  safe standing of port security mode

  port security throw

  For the moment, that the port has done what is supposed to to, but remove the configuration of the interface completely that I am unable to find how the CLI reference or online at how 'quickly' to reset the port.

  Any help would be appreciated.

  Do not take into account. I found buried in the CLI reference command.

  There are actually two commands necessary to reactivate the interface

  "dot1x to re-authenticate ethernet [port]".

  'set interface active ethernet [port] ".

  Thank you

• switchport port-security problem

  Hi all

  I wanted to test using the switchport port-security with mac address fixed for voip and sticky for the vlan access.
  to do this, I created the following configuration:

  switchport port-security maximum 2
  switchport port-security
  aging of the switchport port security 5
  switchport port-security-address mac sticky
  voice of vlan switchport port-security-address mac e8ba.7006.59a4

  the problem is the mac address that switch learns to access vlan, never goes away even if the device is no longer connected.

  switchport port-security maximum 2
  switchport port-security
  aging of the switchport port security 5
  switchport port-security-address mac sticky
  switchport port-security-address mac c434.6b24.5db9 sticky vlan access
  voice of vlan switchport port-security-address mac e8ba.7006.59a4

  Can you help me?

  This should make them disappear without having to use any statement when the switchport learns a new mac again if his manual, you have to bounce the port as well

  Disable them sticky interface port-security

• Laboratory of port security exercise - do not behave as expected.

  Hello

  I'm working on a CCENT training lab to demonstrate the configuration of port security.

  I have a Catalyst 3550 switch software Cisco's IOS, software of C3550 (C3550-IPSERVICESK9-M), SE Version 12.2 (52), VERSION of the SOFTWARE (fc3). I have two computers connected on ports fa0/1 and fa0/2 with IP addresses of 10.0.0.20/24 and 10.0.0.12/24 respectively. Without active port security, each computer can ping successfully the other.

  As soon as I change the configuration to add port security on fa0/1 I am not able to ping between the two computers, nor can I ping 10.0.0.20 from the console of the switch, but I don't know why! If I delete it again the pings succeed again.

  I expect that the switch must learn the computer connected to fa0/1 MAC and stop if there is subsequently any traffic from another Mac.

  Interestingly, the 'show mac address-table' command shows that the MAC connected to fa0/1 when port security is not enabled. I don't know if this is relevant.

  Can someone help me diagnose what is happening?

  Thank you.

  Configuration before change:

  interface FastEthernet0/1

  switchport mode access

  Speed 100

  full duplex

  spanning tree portfast

  !

  interface FastEthernet0/2

  switchport mode access

  Speed 100

  full duplex

  spanning tree portfast

  !

  Configuration after modification:

  interface FastEthernet0/1

  switchport mode access

  switchport port-security

  Speed 100

  full duplex

  spanning tree portfast

  !

  interface FastEthernet0/2

  switchport mode access

  Speed 100

  full duplex

  spanning tree portfast

  !

  Other diagnoses (after change):

  S1 # show ip interface brief

  Interface IP-Address OK? Method State Protocol

  Vlan1 10.0.0.5 YES NVRAM up up

  FastEthernet0/1 no YES unset upward, upward

  FastEthernet0/2 not assigned YES unset upward, upward

  #show S1 port-security

  Secure the security Port MaxSecureAddr CurrentAddr SecurityViolation Action

  (County)       (County)          (County)

  ---------------------------------------------------------------------------

  FA0/1 1 0 0 stop

  ---------------------------------------------------------------------------

  Total addresses in the system (with the exception of a mac per port): 0

  Limit Max addresses in the system (with the exception of a mac per port): 5120

  S1 #show - interface fa0/1 port security

  Port security: enabled

  Port State: Secure-up

  Mode of violation: stop

  Aging time: 0 mins

  Type of aging: absolute

  Aging of SecureStatic address: disabled

  Maximum MAC addresses: 1

  MAC addresses total: 0

  Configured MAC addresses: 0

  Sticky MAC addresses: 0

  Last Source address: Vlan: 0000.0000.0000:0

  Security Violation count: 0

  S1 #show interfaces fa0/1

  FastEthernet0/1 is up, line protocol is up (connected)

  Material is Fast Ethernet, the address is 000f.f796.d781 (bia 000f.f796.d781)

  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

  reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  KeepAlive set (10 sec)

  Full-duplex, 100 MB/s, media type is 10/100BaseTX

  input stream control is turned off, output flow control is not supported

  Type of the ARP: ARPA, ARP Timeout 04:00

  Last entry exit ever, 00:00:01, blocking exit ever

  Final cleaning of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/dumps); Total output drops: 0

  Strategy of queues: fifo

  Output queue: 0/0 (size/max)

  5 minute input rate 0 bps, 0 packets/s

  5 minute output rate 0 bps, 0 packets/s

  3494 packets input, 587250 bytes, 0 no buffer

  Received 1593 broadcasts (0 multicasts)

  0 Runts, 0 giants, 0 shifters

  entry 0, 0 CRC errors, frame 0, saturation 0, 0 ignored

  0 watchdog, 1254 multicast, break 0 comments

  entry packets 0 with condition of dribble detected

  39631 packets output, 3311977 bytes, 0 underruns

  0 output errors, 0 collisions, 1 interface resets

  0 babbles, collision end 0, 0 deferred

  carrier, 0 no carrier, lost 0 0 output BREAK

  output buffer, the output buffers 0 permuted 0 failures

  #show mac address table S1 | include DYN

  1 b827.ebed.e2d9 DYNAMICS Fa0/2

  S1 #show ip arp

  Protocol of age (min) address Addr Type Interface equipment

  Internet 10.0.0.12 5 b827.ebed.e2d9 ARPA Vlan1

  Internet 10.0.0.5 - 000f.f796.d780 ARPA Vlan1

  Internet 10.0.0.20 32 10dd.b1f1.0c64 ARPA Vlan1

  Do you have any other platform to configure your lab? because it should work ideally and the configuration is fine. However, to complete your lab, you already have workaround...

  I suspect that this question is something related to the hardware you use or due to a BUG.

  Please note the useful comment

• L3 - SG300 - 28 p and DHCP

  Hi all

  I'm having a bit of difficulty up a SG300 - 28 p to L3 and DHCP. I will attach a basic network diagram and a very short list of my needs.

  I'm building a temporary network for a company event 1 day that I can't make it work in our office "Lab".

  L3 - SG300 - 28 p connects to our provider using a connection of the SFP.

  I have to be able to address IP DHCP 300 + using the SG300 - 28 p

  My problem is that I can ping my 2 machines test (manually configured IP) about 172.16.0.3 and 172.16.0.4, but cannot ping after the (internet) referral. Also DHCP distributes no intellectual property for the range 172.16.0.10 - 172.16.1.200

  VLAN 1 is set to 10.2.2.20 access port (to the provider through a connection on port 28 FPS)

  VLAN 100 is 172.16.0.2 access port (ports 1-26)

  I have the WLC and WAP tri...

  Is the set of even possible? I know that the EQ network is a bit budget for users, but for a one day business event I just do not have a budget for the purchase of switches better.

  Please excuse the gross chart.

  Thank you in advance.

  -RJ

  Thanks for the reply.

  With the information that you have provided, it seems the only part missing is the way return the unit for service providers. Unfortunately there is no way around that, and no, you will not be able to put anything between the two, because the device doing the NATting is unity of suppliers.

  I think that what is happening is that traffic is actually the side provider, but there is no way to do so as soon as the provider is not a route for the subnet in 172.16.x.x.

  Out of curiosity, why do you use a VLAN for the devices connected to the SG300? Could you use the 10 subnet Ip addresses? If you do this, you will not need to have a route back from the supplier, as all devices will be on the same subnet.

• function of guard of source IP and dhcp DHCP scope of exhaustion (customer parodies other customers)

  Hello world.

  A dhcp server assigns ip address based on the mac address by equipment of the customer field in the dhcp packets.

  A potential attack is when a crowd of thugs mimics different mac addresses and causes the dhcp server to assign ip addresses until no ip address is left for legitimate host.

  For example, a host with mac1 h1 is designated by the ip address of the dhcp server as:

  199.199.199.1 mac1

  DHCP server has this entry in its database.

  Using hacking tools such as Yersinia or Gobbler can create a DHCP discover messages every time that create another mac for material scope of the client to the dhcp server, thereby causing a dhcp server to assign ip addresses because they are of legitimate dhcp to dhcp server discover messages with matching each another Mac in hardware of client addresses.

  You could use dhcp snooping and it will avoid that (exhaustion of dhcp scope) and configure the switch to check if the CBC mac fits the hardware address of the client in the dhcp message. But when even we can creat spoofed discover messages where mac src in the ethernet header will match the client hardware address in dhcp discovery message. It did not always overcome the problem.

  You might say use IP source guard characteristic but it really will prevent this problem from happening?

  Let me illustrate:

  H1 - f1/1SW - DHCP server

  Let's say that we have configured dhcp snooping on sw1 and f1/1 is untrusted port.  Switch a suite dhcp binding

  199.199.199.1 mac1 vlan1 f1/1

  Then, we configure source ip guard in order to validate the mac src and src ip against the dhcp bindings. When you configure keep source ip first, it will allow dhcp only if a host can request ip address and dhcp binding can be built. After that IP keep source will validate ip or mac src src or both against the binding.depending dhcp on how configure us source ip guard.

  In our case, we have configured source ip guard in order to validate the mac src and src ip against the dhcp binding.

  A dhcp connection is already created as:

  199.199.199.1 mac1 vlan 1 f1/1

  Now, using hacking tools Yersinia or Gobbler on h1, we create our first spoofed dhcp discovery message where mac src = mac2 ethernet header and client harware address = mac2 in dhcp discovery message. As the switch is configured with the function of guard of source ip and therefore allows dhcp discover message to pass through. DHCP server after you receive the message dhcp assigns another IP from the pool. The dhcp server has now after the entries:

  199.199.199.1 mac1

  199.199.199.2 mac2.

  We continue to spoofed dhcp to craft discover messages as described above and are dhcp server keep ip address assignment until exhausts the entire pool.

  So my question is how ip source guard in conjunction with dhcp snooping doesn't stop this attack does not happen? (IE DHCP scope exhaustion)

  I really appreciate your comments.

  Thank you and have a week.

  Hi Sara,.

  Ask was quite interesting. As far as I know that whatever it is port snooping untrusted won't let your fake dhcp server.

  You can take this query in the Sub forum of experts mentioned that is specific for dhcp snooping and source of guard.

  https://supportforums.Cisco.com/message/3689811#3689811

  Please assess whether the information provided is useful.

  By

  Knockaert

• NAS hard drive not accessible more: the device is not configured to accept connections on port 'files and printers sharing (SMB).

  Dear,

  I am desperately looking for a solution for my specific problem how access my NAS.

  I have a hard drive from Western Digital NAS (Book Live) which worked fine until now. Yet, I just changed my internet provider and I now have a new Fritzbox 6360. Now, I can not access the hard disk of the commune of programs in Windows. I contacted two suppliers already, but without success. I think I have some incorrect settings in my Windows 7, 64 bit. This is the situation:

  -NAS is still working with my old Fritzbox, for testing that I went back-> ok

  -I can access the NAS via the dashboard or a TwonkyServer-> ok

  -When I access it via Windows Explorer, I wonder is to give my credentials (which don't work) or I get the error message: the device is not configured to accept connections on port 'files and printers sharing (SMB).

  -J' changed my IP address (dynamic even static) and connections, password-> without success.

  -J' tried SFC with the result that found no violation of integrity. -> ok.

  Any idea?

  Can you please turn off the NAS, unplug the cable and Ethernet cable? Wait about 2 minutes then plug all the cables back in. Any security program or firewall to this computer? Try disabling it for now.

  You have another PC or laptop which has Windows 7/8 and try to access the NAS?

  You have a smartphone or a Tablet and download an application for the WD NAS and then try to access files.

• Cisco SG300 - 28 p - Port security issue.

  Hi, I would like to activate the port security on a Cisco SG300 PoE 28 p Switch. I would like to know how this can be done in cases where port is more connected to desktop switches 8 ports and in cases where computers are connected directly to the switch.

  Thanking you in advance,

  Parth.

  This is described in detail in the section 'Configuration of Port Security' on page 326 to 329 of the document Cisco Small Business 300 Series Managed Switch Administration Guide.

  The difference between a port serving a desktop switch and the other directly serving endpoint is just the number of MAC addresses that you want to leave.

  You have any specific questions?