Port security and DHCP
Hi all.
I have configured port security on some ports, and I don't think it handles frames as it should. The settings are:
- max: set to the correct number of MACs
- secure permanent mode
- discard
I connect the legitimate devices so that the port learns the maximum number of MACs, and then I connect a device with an unsecured MAC. I can get an IP address from the DHCP server, but no traffic is forwarded. I think that a non-legitimate unit should not be able to get an IP address at all, since port security ignores all frames with an unknown source MAC.
Hi Stelios,
Your configuration seems to be fine. Mine was configured only with port security and the max addresses set to 1. I see only 1 MAC address sending BOOTP; all the other devices connected through the switch on this port send no BOOTP.
You could also capture packets using the switch's port mirroring capability and Wireshark. Perhaps the devices are using old, known IP addresses...
Kind regards
Aleksandra
Similar Questions
-
Switchport port-security err-disable errors
So I'm a bit new to switchport security. I'm working on most of the ports in one location. They are ports where I have either switchport voice and switchport access VLAN, or just switchport voice VLAN. For some reason, these types of ports go into err-disable. Here are a few examples. Indications as to why it would shut down even when I have the right MAC address would be very useful. Interface Fa0/3 has a phone attached to it and a connected computer; the phone is off.
interface FastEthernet0/2
description Table phone
switchport mode access
switchport voice vlan 2
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 34a8.4ea6.0f95
spanning-tree portfast
interface FastEthernet0/3
description SAM PHONE x1623
switchport access vlan 3
switchport mode access
switchport voice vlan 2
switchport port-security maximum 2
switchport port-security mac-address 442b.031a.2975 (phone MAC)
switchport port-security mac-address e840.f223.8842 (computer MAC)
spanning-tree portfast
2 442b.031a.2975 DYNAMIC Fa0/3
2 34a8.4ea6.0f95 DYNAMIC Fa0/2
The log says this whenever I turn on port security. On any other port where there is only 1 VLAN or 1 device, it works fine, no problem.
27 June 2015 23:59:56: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 34a8.4ea6.0f95 on port FastEthernet0/2.
28 June 2015 00:00:01: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/3, putting Fa0/3 in err-disable state
28 June 2015 00:00:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
28 June 2015 00:00:03: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
28 June 2015 00:00:04: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 34a8.4ea6.0f95 on port FastEthernet0/2.
I know I'm missing something because I am new to using switchport security. I want to lock the ports to prevent unauthorized devices from plugging in to my network. I have disabled all DHCP, but I want to take it a little further and prevent them from even entering and probing the network.
EDIT - I forgot to mention that it is a 2960, version 15.0(2)SE5
Thank you
David
David, Kevin,
Let me join you.
The way I see it, Fa0/2 with its original configuration works like this:
- The maximum number of secure MAC addresses is 1.
- The access VLAN is 1, the voice VLAN is 2.
- The static secure MAC address 34a8.4ea6.0f95 is added to the access VLAN, not to the voice VLAN.
- When the phone starts to announce itself on the voice VLAN, its MAC address cannot be dynamically added to the list because the maximum allowed number of secure MACs is 1 and the list is already full. The fact that its MAC address is configured statically is irrelevant, because that entry is not associated with the voice VLAN.
Try deleting the line
switchport port-security mac-address 34a8.4ea6.0f95
and replacing it with
switchport port-security mac-address 34a8.4ea6.0f95 vlan voice
and see if it solves the problem.
Best regards
Peter -
Several VLANs and DHCP relay on two stacked SGE2000-G5 switches
We have been tasked with securing a small managed office network that is currently set up with a standard switch, so each of the offices (belonging to different companies) can see the others and in some cases access each other's documents on the network.
Obviously, this is far from an adequate setup, and our goal is to isolate each office using VLANs while sharing a common internet connection provided by the managed offices. We have two Cisco SGE2000-G5 layer 3 switches, but we are new to Cisco equipment and VLANs, so we are not quite sure how to implement this. DHCP must be provided by a router; there is no server. We are open to suggestions on the router, as we still have to buy one.
I hope that someone may be able to help.
Thank you very much
Jim
Hi Jim,
The SGE2000 switches you are using should be able to handle this without issue. What type of router are you using? As long as you have a router that supports VLANs / several subnets, it should be a simple configuration.
Here's a quick rundown of the steps to implement (using vlan1 and vlan2):
On the router, create vlan 2 / a second subnet and set the port connecting to your shared-resources switch with both VLAN 1 and 2 (1 will be untagged, 2 will be tagged).
On the switch, create vlan2 and do the same for the port connected to the router (vlan1 untagged and vlan2 tagged).
Now, for each switch port, assign it as an access port to either vlan1 or vlan2 (that vlan will be untagged).
If your router allows it, disable inter-vlan routing. If not, you must create rules to block traffic from one network to the other.
All this assumes that your router supports VLANs and can also do DHCP for each VLAN.
Hope this information helps
-
Opening ports 2077 and 2078 to use Web Disk
Hello, I can't see my web files with Web Disk and I would like to know how to manually open ports 2077 and 2078. I already read an article on the Microsoft website, but from a certain point the instructions don't match what I see on my screen. Thank you
Which firewall do you use? If the built-in Windows Firewall, open the Security Center in Control Panel and select the Windows Firewall applet. Select the Exceptions tab, and then click Add Port. Specify your port. Use the Change Scope button to restrict the port to the correct network or IP addresses so that it is not wide open to the Internet (unless that's what you need). Brian Tillman [MVP-Outlook]
-
I had to reinstall Vista when my hard drive crashed, and Windows Mail does not work completely correctly. I think I remember an email from Microsoft telling me to change the ports/security settings. Could someone tell me what they should be?
An "error message", saying what exactly? No error code or the relevant text? Make sure these settings match exactly. Set up Windows Mail for XFINITY/Comcast e-mail:
http://customer.Comcast.com/help-and-support/Internet/configuring-Windows-Mail-Xfinity-email
Leave messages on the server, and does it clutter? -
WRT320N - loss of internet connection after forwarding ports 80 and 443
Hello
I have a problem with my new WRT320N. When I activate port forwarding to my local server (ports 80 and 443), after a while I completely lose the internet connection on all my computers connected to the router (wifi and LAN computers). The router itself can ping and trace any Internet site through the diagnostics in the web administration. When I turn it off and click the Save Changes button, my internet connection immediately works again. I have the latest firmware installed, and I tried to reset the router several times and set it up manually from scratch.
My previously owned WRP400 was configured to forward exactly the same ports and everything worked perfectly. Could someone advise me where the mistake could be? Thank you.
I solved it. There was a problem with the combination of the router's "DHCP Reservation" service and Ubuntu's DHCP client. I disabled "DHCP Reservation" and set the IP settings manually on the Ubuntu computer, and now it works perfectly.
-
Hi Experts,
We have just deployed a new site that uses Dell N2048 switches in a stack.
Now we would like to add port security to the switch, port MAC locking, to lock down a port if another computer is connected.
According to the manual, to set this up we only need to set the port to locked in the GUI under Switching, Network Security, Port Security.
This does not activate it.
We tried to add it via the command line; on the test ports, it now shows:
switchport port-security dynamic 1
Still, port security is not enabled. Is there another thing that must be enabled globally to make this work, or other commands?
Thank you
The output of show port-security is as follows:
Port Security Administration Mode: enabled
It is possible that the tests were not done fast enough. I extended the timeout and asked them to test again.
Thank you
-
PowerConnect 35XX port security
Hello. I am trying to find a CLI command that will allow me to quickly clear the learned MAC addresses for a port secured with port security.
My interface configuration is fairly simple:
dot1x multiple-hosts
port security max 2
port security discard-shutdown
If I connect a different host, the port locks out the original as it should and trips port security. Now, everything is fine if I plan on reconnecting the original host. Issue the global command "set interface active ethernet eth #" and the port is back online. The problem comes when I want to change the host. I have to completely remove the dot1x and port security configuration [minus the max], 'set interface active', and then re-add dot1x and port security to the interface configuration.
Is there a way to quickly clear the secure port addresses so that new addresses can be learned?
Thanks in advance.
-Andrew
Try this command and see if it works: Console# dot1x re-authenticate ethernet 1/eXX
-
Need help resetting/clearing port security on a PowerConnect 35XX
I'm implementing port security on our network, and I've never worked with these switches before. I'm used to the Cisco CLI, where the exec command was "clear port-security sticky int", but there doesn't seem to be anything of the sort on the Dell CLI.
Here is the config I have in place on the switchport in question:
dot1x multiple-hosts
port security mode lock
port security discard
For the moment, the port does what it is supposed to do, but short of removing the interface configuration completely, I am unable to find, in the CLI reference or online, how to "quickly" reset the port.
Any help would be appreciated.
Disregard. I found the command buried in the CLI reference.
There are actually two commands necessary to reactivate the interface:
"dot1x re-authenticate ethernet [port]"
"set interface active ethernet [port]"
Thank you
-
switchport port-security problem
Hi all
I wanted to test using switchport port-security with a fixed MAC address for VoIP and sticky for the access VLAN.
To do this, I created the following configuration:
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 5
switchport port-security mac-address sticky
switchport port-security mac-address e8ba.7006.59a4 vlan voice
The problem is that the MAC address the switch learns on the access VLAN never goes away, even if the device is no longer connected.
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 5
switchport port-security mac-address sticky
switchport port-security mac-address sticky c434.6b24.5db9 vlan access
switchport port-security mac-address e8ba.7006.59a4 vlan voice
Can you help me?
This should make them disappear without having to use any command when the switchport learns a new MAC again; if it's manual, you have to bounce the port as well.
Disable sticky in the interface port-security configuration.
-
Port security lab exercise - does not behave as expected.
Hello
I'm working on a CCENT training lab to demonstrate the configuration of port security.
I have a Catalyst 3550 switch running Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3). I have two computers connected on ports fa0/1 and fa0/2 with IP addresses 10.0.0.20/24 and 10.0.0.12/24 respectively. Without port security active, each computer can successfully ping the other.
As soon as I change the configuration to add port security on fa0/1, I am not able to ping between the two computers, nor can I ping 10.0.0.20 from the switch console, but I don't know why! If I remove it again, the pings succeed again.
I expected that the switch would learn the MAC of the computer connected to fa0/1 and block any subsequent traffic from another MAC.
Interestingly, the "show mac address-table" command shows the MAC connected to fa0/1 when port security is not enabled. I don't know if this is relevant.
Can someone help me diagnose what is happening?
Thank you.
Configuration before the change:
interface FastEthernet0/1
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/2
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
Configuration after the change:
interface FastEthernet0/1
switchport mode access
switchport port-security
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/2
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
Other diagnostics (after the change):
S1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  10.0.0.5        YES NVRAM  up                    up
FastEthernet0/1        unassigned      YES unset  up                    up
FastEthernet0/2        unassigned      YES unset  up                    up
S1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 5120
S1#show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
S1#show interfaces fa0/1
FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 000f.f796.d781 (bia 000f.f796.d781)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     3494 packets input, 587250 bytes, 0 no buffer
     Received 1593 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 1254 multicast, 0 pause input
     0 input packets with dribble condition detected
     39631 packets output, 3311977 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
S1#show mac address-table | include DYN
   1    b827.ebed.e2d9    DYNAMIC     Fa0/2
S1#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.12               5   b827.ebed.e2d9  ARPA   Vlan1
Internet  10.0.0.5                -   000f.f796.d780  ARPA   Vlan1
Internet  10.0.0.20              32   10dd.b1f1.0c64  ARPA   Vlan1
Do you have any other platform on which to build your lab? Because it should work, and the configuration is fine. However, to complete your lab, you already have a workaround...
I suspect that this issue is related to the hardware you use or is due to a bug.
Please rate useful comments.
-
Hi all
I'm having a bit of difficulty setting up an SG300-28P for L3 and DHCP. I will attach a basic network diagram and a very short list of my needs.
I'm building a temporary network for a one-day company event, and I can't make it work in our office "lab".
L3 - the SG300-28P connects to our provider using an SFP connection.
I have to be able to hand out 300+ IP addresses via DHCP using the SG300-28P.
My problem is that I can ping my 2 test machines (manually configured IPs) at 172.16.0.3 and 172.16.0.4, but I cannot ping past the (internet) gateway. Also, DHCP hands out no IPs for the range 172.16.0.10 - 172.16.1.200.
VLAN 1 is set to 10.2.2.20, access port (to the provider through an SFP connection on port 28)
VLAN 100 is 172.16.0.2, access ports (ports 1-26)
I have the WLC and WAP tri...
Is this setup even possible? I know the network equipment is a bit budget for this many users, but for a one-day business event I just don't have a budget for buying better switches.
Please excuse the rough chart.
Thank you in advance.
-RJ
Thanks for the reply.
With the information that you have provided, it seems the only part missing is the return route on the service provider's device. Unfortunately there is no way around that, and no, you will not be able to put anything in between, because the device doing the NATting is the provider's unit.
I think what is happening is that traffic actually reaches the provider side, but there is no way back as long as the provider does not have a route for the 172.16.x.x subnet.
Out of curiosity, why do you use a VLAN for the devices connected to the SG300? Could you use IP addresses from the 10 subnet? If you do this, you will not need a route back from the provider, as all devices will be on the same subnet.
-
Hello world.
A DHCP server assigns an IP address based on the MAC address in the client hardware address field of the DHCP packet.
A potential attack is when a rogue host mimics different MAC addresses and causes the DHCP server to assign IP addresses until no IP address is left for legitimate hosts.
For example, host h1 with mac1 is assigned an IP address by the DHCP server as:
199.199.199.1 mac1
The DHCP server has this entry in its database.
Using hacking tools such as Yersinia or Gobbler, one can create DHCP discover messages each time with a different MAC in the client hardware address field, thereby causing the DHCP server to assign IP addresses, because to the DHCP server they are legitimate DHCP discover messages, each with a different client hardware address.
You could use DHCP snooping, and it will prevent that (DHCP scope exhaustion) if you configure the switch to check whether the source MAC matches the client hardware address in the DHCP message. But even so, we can create spoofed discover messages where the source MAC in the Ethernet header matches the client hardware address in the DHCP discover message. So it does not always overcome the problem.
You might say use the IP source guard feature, but will it really prevent this problem from happening?
Let me illustrate:
H1 - f1/1 SW - DHCP server
Let's say that we have configured DHCP snooping on sw1 and f1/1 is an untrusted port. The switch has the following DHCP binding:
199.199.199.1 mac1 vlan1 f1/1
Then, we configure IP source guard in order to validate the source MAC and source IP against the DHCP bindings. When you first configure IP source guard, it will allow only DHCP, so that a host can request an IP address and a DHCP binding can be built. After that, IP source guard will validate the source IP or source MAC or both against the DHCP binding, depending on how we configure IP source guard.
In our case, we have configured IP source guard to validate the source MAC and source IP against the DHCP binding.
A DHCP binding is already created as:
199.199.199.1 mac1 vlan 1 f1/1
Now, using the hacking tools Yersinia or Gobbler on h1, we create our first spoofed DHCP discover message where source MAC = mac2 in the Ethernet header and client hardware address = mac2 in the DHCP discover message. The switch is configured with the IP source guard feature and therefore allows the DHCP discover message to pass through. The DHCP server, after receiving the DHCP message, assigns another IP from the pool. The DHCP server now has the following entries:
199.199.199.1 mac1
199.199.199.2 mac2
We continue to craft spoofed DHCP discover messages as described above, and the DHCP server keeps assigning IP addresses until it exhausts the entire pool.
So my question is: how come IP source guard in conjunction with DHCP snooping doesn't stop this attack (i.e. DHCP scope exhaustion) from happening?
I really appreciate your comments.
Thank you and have a good week.
Hi Sara,
The question was quite interesting. As far as I know, whatever it is, DHCP snooping with an untrusted port won't let your fake DHCP server through.
You can take this query to the Ask the Experts sub-forum mentioned, which is specific to DHCP snooping and IP source guard.
https://supportforums.Cisco.com/message/3689811#3689811
Please rate if the information provided is useful.
By
Knockaert
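As an added illustration of Sara's scenario (not from the thread, and not Cisco code): a small Python model of one untrusted port running DHCP snooping with MAC verification, port security with a maximum, and IP source guard, fed constructed DISCOVER frames. It shows why snooping's MAC check and IP source guard both pass a forged DISCOVER whose chaddr equals its source MAC, so the pool still drains, while a port-security maximum on the same port caps how many source MACs, and therefore leases, that port can produce. The host names, the 5-address pool and the simplified feature behaviour are assumptions of this model.

```python
"""Toy model of one untrusted access port with DHCP snooping (MAC verify),
port security (maximum secure MACs) and IP source guard, to show which of
them actually bounds DHCP scope exhaustion from that port.  Constructed
example; not IOS code and not the switch's real implementation."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Frame:
    src_mac: str
    src_ip: Optional[str] = None       # None for a DHCP DISCOVER (no IP yet)
    dhcp_chaddr: Optional[str] = None  # client hardware address, DHCP only

@dataclass
class Port:
    name: str
    max_secure: int                    # switchport port-security maximum
    secure_macs: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)  # snooping: ip -> mac
    violations: int = 0

# constructed 5-address scope, standing in for the thread's 199.199.199.x pool
POOL = [f"199.199.199.{i}" for i in range(1, 6)]

class Switch:
    def __init__(self, verify_mac=True, source_guard=True):
        self.verify_mac = verify_mac      # ip dhcp snooping verify mac-address
        self.source_guard = source_guard  # ip verify source (ip + mac)
        self.leases = {}                  # what the DHCP server handed out

    def ingress(self, port: Port, f: Frame) -> str:
        # Port security sees every frame first: unknown source MACs are
        # learned up to the maximum, after that counted as a violation.
        if f.src_mac not in port.secure_macs:
            if len(port.secure_macs) >= port.max_secure:
                port.violations += 1
                return "drop:port-security"
            port.secure_macs.add(f.src_mac)
        if f.dhcp_chaddr is not None:
            # DHCP snooping only compares chaddr with the Ethernet source;
            # a forged frame where both are mac2 passes this check.
            if self.verify_mac and f.dhcp_chaddr != f.src_mac:
                return "drop:snooping-verify-mac"
            return self._lease(port, f.dhcp_chaddr)
        # IP source guard governs non-DHCP traffic: src ip/mac must match a
        # snooping binding on this port.  It never filters the DISCOVERs.
        if self.source_guard and port.bindings.get(f.src_ip) != f.src_mac:
            return "drop:ip-source-guard"
        return "forward"

    def _lease(self, port: Port, mac: str) -> str:
        free = [ip for ip in POOL if ip not in self.leases]
        if not free:
            return "dhcp:scope-exhausted"
        self.leases[free[0]] = mac
        port.bindings[free[0]] = mac   # snooping records the new binding
        return f"dhcp:offer {free[0]}"

def discover_flood(max_secure: int, count: int = 6):
    """h1 (mac1) followed by forged mac2..macN, each with chaddr == source."""
    sw, f1 = Switch(), Port("f1/1", max_secure)
    results = [sw.ingress(f1, Frame(f"mac{i}", dhcp_chaddr=f"mac{i}"))
               for i in range(1, count + 1)]
    return sw, f1, results

if __name__ == "__main__":
    for maximum in (1024, 1):
        sw, f1, res = discover_flood(maximum)
        print(f"maximum {maximum}: {res}")
        # after the flood, only traffic matching a binding is forwarded
        print(" h1 real IP :", sw.ingress(f1, Frame("mac1", "199.199.199.1")))
        print(" h1 spoof IP:", sw.ingress(f1, Frame("mac1", "199.199.199.2")))
```

On IOS the equivalent bound comes from switchport port-security maximum on the untrusted port, with ip dhcp snooping limit rate slowing the flood further.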
-
Dear all,
I am desperately looking for a solution to my specific problem of how to access my NAS.
I have a Western Digital NAS hard drive (Book Live) which worked fine until now. But I just changed my internet provider and I now have a new Fritzbox 6360. Now I cannot access the hard disk from the usual programs in Windows. I contacted both suppliers already, but without success. I think I have some incorrect settings in my Windows 7 64-bit. This is the situation:
- The NAS still works with my old Fritzbox; for testing I went back -> ok
- I can access the NAS via the dashboard or TwonkyServer -> ok
- When I access it via Windows Explorer, I am asked to give my credentials (which don't work) or I get the error message: the device is not configured to accept connections on port "File and Printer Sharing (SMB)".
- I changed my IP address (dynamic and static) and connections, password -> without success.
- I tried SFC, with the result that it found no integrity violations -> ok.
Any idea?
Can you please turn off the NAS and unplug the power cable and Ethernet cable? Wait about 2 minutes, then plug all the cables back in. Any security program or firewall on this computer? Try disabling it for now.
Do you have another PC or laptop with Windows 7/8 to try to access the NAS from?
Do you have a smartphone or a tablet? Download an application for the WD NAS and then try to access the files.
-
Cisco SG300-28P - Port security issue.
Hi, I would like to activate port security on a Cisco SG300 28P PoE switch. I would like to know how this can be done in cases where a port is connected to 8-port desktop switches and in cases where computers are connected directly to the switch.
Thanking you in advance,
Parth.
This is described in detail in the section "Configuring Port Security" on pages 326 to 329 of the Cisco Small Business 300 Series Managed Switch Administration Guide.
The difference between a port serving a desktop switch and one directly serving an endpoint is just the number of MAC addresses that you want to allow.
Do you have any specific questions?