Security switches

Hello, does anyone know if there is a place or site on Cisco.com that has scripts or guides of the minimum changes or configurations that you need to implement on a Catalyst 6500 to improve its security?

http://www.Cisco.com/Web/about/security/security_services/CIAG/workforce_development/securing_cisco_lan_switches.html

some of it seems basic, but you can try it.

Similar Questions

  • HP ZBook 15 G3: BSOD when connecting to the HP Elite Thunderbolt 3 docking station

    I recently (yesterday, 16/08/16) began to experience the dreaded Blue Screen of Death, whenever my laptop is connected to my HP Elite Thunderbolt 3 Dock.

    The machine is an HP ZBook 15 G3. It was connected to the docking station for more than a month without this problem. I don't know why it started now, because I don't remember any updates or new software before it began happening.

    The dock is connected to 2 x monitors via HDMI cables and an ethernet cable. I connect a mouse and wireless keyboard to a USB3 port on the laptop.

    If the dock is connected to the laptop at startup, it reaches the login screen before the BSOD. If I start without it connected, it will BSOD a few seconds after connecting the dock. It never gets to the point where the monitors display anything. It can be started with the dock connected in Safe Mode, as it seems to disable job.

    I've updated all the drivers and BIOS (including download the Softpaq Download Manager), but there has been no change. I have also updated the NVIDIA drivers to the latest version without change.

    What should I do next to solve the problem?

    Did you analyze the dump files, and what did they say?

    I would also like to update these:

    Intel's Thunderbolt sure Connect utility (15.3.40.275)
    Thunderbolt from Intel for the Dock Thunderbolt from HP (16.1.7.0.8) Firmware update
    ASMedia eXtensible Host Controller Driver (1.16.35.1)
    ASMedia ASM1042A Firmware Update for HP Thunderbolt 3 Dock (131025.10.11.23)

    Also the BIOS, if you're not on 1.09 or 1.10; some people say that they have problems with 1.10, so maybe try downgrading to 1.09.

    You can also try experimenting with the 'Thunderbolt security level' setting in the bios security switching No. If it is authorized by the user, or vice versa.

  • HP Pavilion g6-1371sa cannot connect wireless Internet

    Hello

    Just bought a new laptop for my son, but cannot make it work wirelessly (it connects very well with an ethernet cable). I have been through all the troubleshooting wizards, but with no joy.

    Relevant information;

    1. Network adapter updated - Ralink RT5390 - to the latest version (3.2.12.0) but made no difference
    2. The getmac command does not show that any physical addresses are connected (unless the ethernet cable is plugged in). The ipconfig command also suggests that the wireless network adapter is not connected. Device Manager seems however...
    3. Have any other windows 7 (dell) laptop computers, access to the Linksys wireless router (using 802.11 g) without any problem.

    Help appreciated...

    Apologies for wasting people's time - my fault! The problem is with the security of the router: I have a MAC address filter list that allows only specified devices to connect. When I first connected to the Internet, I entered the MAC address that then appeared as connected, but it was actually the address of the Ethernet adapter. When I added the other address (as displayed when you enter the getmac command), the Internet came to life. What slightly confused me was that this address showed as disconnected before that point, and only changed after the connection had been established.

    Lesson to learn - switch off router security until this first connection is created?

  • Why I see 2 other computers on my network?

    I noticed in my network that there are 2 other computers and mine, in a "working group", but I'm an end user and I'm not part of a working group. This is a very recent appearance. I couldn't find a way to determine why I see other computers in this working group, and I can't find information on the activation or deactivation of "working group" on my system. I connect via the wireless router for my Internet service provider, and it's a bit confusing to me.

    I had problems with slow browsers and I noticed in the performance monitoring that is spiking my CPU (dual core AMD 2 gig), and my use of memory (2 GB) is 50% or more almost constantly, but I can't see anything using resources in 'programs' or 'services '. I tried to eliminate all junk startup and uninstall all the frivolous programs. Of course, I'm still under a bunch of stuff, but I suspect that something is not right.

    All the comments about the browser of fortification and slow CPU and if so or not, this could have something to do with the working group that I see?

    Hello

    If your wireless connection is not secure, it could be neighbors connecting to your Internet connection.

    -------------------
    From the weakest to the strongest, wireless security capacity is:

    No security
    Switch Off SSID (same as No Security. SSID can be sniffed easily even if it is turned off)
    MAC Filtering___ (Band Aid if nothing else is available, MAC number can be easily Spoofed).
    WEP64___ (Easy to "Break" by knowledgeable people).
    WEP128___ (a little more difficult to activate, but "hackable" too).
    -------------------
    The three above are not considered safe.
    Safe starts here at WPA.
    -------------------

    WPA-PSK__(Very Hard to Break).
    WPA-AES__(Not functionally Breakable)
    WPA2___ (not functionally breakable).

    Note 1: WPA-AES is the current entry-level rendition of WPA2.

    The documentation of your devices (wireless router and computer wireless card) must indicate the type of security that is available with your wireless hardware.

    All devices MUST be set to the same level of security using the same password.
    Therefore, security must be set according to what is the best possible one of the wireless devices.

    I.e. even if most of your system can be configured to the maximum of WPA2, but one device can only be configured to a maximum of WEP, the whole system must be configured to WEP.

    If you need more security and one device (such as a wireless card that can only do WEP) is preventing better security for the entire network, replace it with a better device.

    Wireless Security - http://www.ezlan.net/Wireless_Security.html

  • How can I block others access to my wireless router?

    I have slow performance and even lose connections.  I have Comcast, and they have suggested that it is 'noisy' from what they see on their end.  The technician said that he receives many complaints from wireless router users.

    Hello

    Quote: "How can I block others access to my wireless router?"

    By setting up the wireless router security encryption.

    From the weakest to the strongest, wireless security capacity is:

    No security
    Switch Off SSID (same as No Security. SSID can be sniffed easily even if it is turned off)
    MAC Filtering___ (Band Aid if nothing else is available, MAC number can be easily Spoofed).
    WEP64___ (Easy to "Break" by knowledgeable people).
    WEP128___ (a little more difficult to activate, but "hackable" too).

    -------------------
    The three above are not considered safe.
    Safe starts here at WPA.
    -------------------

    WPA-PSK__(Very Hard to Break).
    WPA-AES__(Not functionally Breakable)
    WPA2___ (not functionally breakable).

    Note 1: WPA-AES is the current entry-level rendition of WPA2.

    Note 2: If you use WinXP below SP3 and have not updated it, you need to download Microsoft's WPA2 fix.

    The documentation of your devices (wireless router and computer wireless card) must indicate the type of security that is available with your wireless hardware.

    All devices MUST be set to the same level of security using the same password.
    Therefore, security must be set according to what is the best possible one of the wireless devices.

    I.e. even if most of your system can be configured to the maximum of WPA2, but one device can only be configured to a maximum of WEP, the whole system must be configured to WEP.

    If you need more security and one device (such as a wireless card that can only do WEP) is preventing better security for the entire network, replace it with a better device.

  • Cannot find my wireless router

    I'm so confused. I'm having problems with my wireless router. When I connected my Nintendo Wii, it worked fine, so I decided to make a secure connection by giving it a password. On the PC I found the router and made a password for the wireless connection, and then my Wii wouldn't connect. When I returned to the PC to change it back, I couldn't find the router anywhere; all that I can see is my ethernet, there's no wireless adapter. On my laptop I can see my wireless connection, but I can't connect to the internet on it. I'm desperate, I don't know much about computers, so please use small words haha. By the way, after this happened I installed Windows 7 on the PC to see if it would fix itself, but no luck.

    Hello

    The type of encryption and password must be exactly the same and fully compatible with all wireless devices that use the wireless router.

    So first connect to the router using a wired connection and disable security.

    Then read this and restore security.

    From the weakest to the strongest, wireless security capacity is:

    No security
    Switch Off SSID (same as No Security. SSID can be sniffed easily even if it is turned off)
    MAC Filtering___ (Band Aid if nothing else is available, MAC number can be easily Spoofed).
    WEP64___ (Easy to "Break" by knowledgeable people).
    WEP128___ (a little more difficult to activate, but "hackable" too).
    -------------------
    The solutions above are not considered safe.
    Safe starts here at WPA.
    -------------------

    WPA-PSK__(Very Hard to Break).
    WPA-AES__(Not functionally Breakable)
    WPA2___ (not functionally breakable).

    Note 1: WPA-AES is the current entry-level rendition of WPA2.

    Note 2: If you use WinXP below SP3 and have not updated it, you need to download the WPA2 fix from Microsoft. http://support.Microsoft.com/kb/893357

    The documentation of your devices (wireless router and computer wireless card) must indicate the type of security that is available with your wireless hardware.

    All devices MUST be set to the same level of security using the same password.

    Therefore, security must be set according to what is the best possible one of the wireless devices.

    I.e. even if most of your system can be configured to the maximum of WPA2, but one device can only be configured to a maximum of WEP, the whole system must be configured to WEP.

    If you need more security and one device (such as a wireless card that can only do WEP) is preventing better security for the entire network, replace it with a better device.

    Definition of wireless security - http://www.ezlan.net/Wireless_Security.html

    Jack MVP-networking. EZLAN.NET

  • ISE Server - query of multiple networks

    Hi guys

    We intend to deploy a Cisco ISE server to handle NAC for 300 users (Windows, WYSE, phones Avaya and HP printers). DHCP is running on the domain controller and the ISE interface Layer 2 visibility of all of the network segment management.

    We received an additional amount for a dedicated/completely separate switch VLAN which provides unlimited Internet access. It would be connected to a third-party router connected to the Internet, allowing connections directly on the internet. Indeed, it is a completely separate network of a single VLAN and Internet access.

    Is it not possible to manage the security of the ports for that VLAN from the ISE server? If so, would the ISE server need an additional NIC configured in the Internet VLAN subnet?

    Basically, I wonder if a single ISE server can be used to manage 2 totally independent networks. The Internet would not use AD authentication and access would have to grant manually on a case by case basis.

    Thank you very much

    M

    Just to clarify, ISE has NO need to be Layer 2-adjacent to clients to work. This is only ever useful if you use specific profiling probes. It is of no use when you perform MAC address validation or 802.1X.

    As for your question, yes, ISE can manage MAC address validation for, say, clients requiring access to your 'Internet' VLAN and your internal VLANs at the same time. However, this is not done with the switch 'port security' feature, but rather by entering the MAC addresses that need access into your ISE server and using the "group" you put them in within ISE as a condition when authorizing access in ISE.

  • TrustSec on WS-C3850-24T

    Hello

    I want to configure switch-to-switch link security (manual mode) on a Cisco 3850 with IP Base.

    But under "sap... mode-list" the only entry is: no-encap

    I need gcm-encrypt, but this option is not displayed.

    SW version: 03.06.00E

    SW Image: cat3k_caa-universalk9

    License level: Ipbase

    Model: WS-C3850-24T

    What could be the problem?

    Best regards

    3850 material is able to effect, but it is not yet implemented in the software:

    It's the 3850 Q & A:

    Q. what service modules for the Cisco Catalyst 3850?
    A. There is no service for the Cisco Catalyst 3850 module. Features supported by the service module of 3750-X (including Flexible NetFlow and effect *) are natively supported by the Cisco Catalyst 3850.
    * Software support effect could be added later as part of a software update.

  • Slow internet problems with Asus G73JH wireless (Atheros AR9825) card/adapter

    Hi, I'm the owner of a new computer laptop asus stealth bomber with windows 7 installed. I feel very slow download speed (50 KB/s - 100 kb/s). My wireless adapter is an Atheros AR9825 came with the laptop. I also tested my ping is the path up to 375. On the other hand, my laptop computer sony Vaio downloads usually at a speed of 1 Mbps. I checked and I'm on the same network it. I use a wireless connection and mistaken by my router and the modem. I have comcast with increase in power and a cisco/linksys wireless N Router and a modem. Any help is appreciated. I also tried the troubleshooter from the wireless network and unplugged then replugged but nothing seems to help. Also, I have the trial of trend Antivirus installed and also took down windows firewall.  I also have the latest drivers installed.

    Hello

    Look at Windows Advanced Power Management and make sure that the wireless adapter is configured for maximum performance.

    http://www.ezlan.NET/Win7/adv_power-sav.jpg

    Try to connect to the wireless router and change the operating radio channel.  Ch. 1 or 11 are good choices. But you can try them all one at a time and choose the best.

    If you don't use WEP security, switch to WPA or WPA2. A lot of N cards work well with WEP.

    Jack - Microsoft MVP, Windows networking. WWW.EZLAN.NET

  • Insert statement with & in the string

    Hello

    When I use an insert into a varchar2 column with the value below, it errors out.
    But if I remove the & symbol, it inserts.
    Any suggestions for inserting such a string?

    "Networking - Cisco SMARTnet-6600 | Security & Switch Service Cont-6620 | Not used-0000"

    Thank you

    use

    SET DEFINE OFF

    before the insert statement.

    Regards
    Arun

  • SG300 security problem for the Switch

    I think it's a security risk to have a port configured as anything other than access if it's only to be connected to "dumb" hosts (printers, workstations, etc.).  So, I usually only assign the management VLAN as the PVID of a trunk port that goes to a server or another switch / virtual machine host, and of one port configured in access mode with the management VLAN as its PVID (untagged), so that a PC can be connected directly to access the web management interface.

    My concern is that no matter what VLAN I assign a port to, whether trunk or access, I can connect a PC, navigate to any VLAN IP (*.254) and reach the web interface of the switch.  What a security risk?  How can I configure the switch so that the only way to access the management interface is via a host that is directly connected to a port that has the management VLAN as its PVID?

    That sounds about right. But something can be done about it.

    Let's say that the management VLAN is 10. Also, there are 5 production VLANs - 20, 30, 40, 50, 60. There is a router in place that allows traffic to pass from one VLAN to another.

    Someone on VLAN 50 will be able to access VLAN 10 (the management VLAN).

    By implementing a firewall on the router we can restrict access to VLAN 10 to certain hosts or networks. For example, VLAN 20 is the admin VLAN (your computer is connected to this VLAN), so we configure the firewall to reject all traffic to VLAN 10 unless it comes from VLAN 20.

    At this point, nobody other than you will have access to the web page of the switch.

  • The security design: DMZ ports on internal switch - bad idea?

    Hi all

    I'm looking for a compelling reason - or to be told it is not serious - why a customer should not create DMZ VLANs on an internal Cat 6509.

    Basic topology is a 6509 in a controller area and 2 x ASA 5510 in active/standby. They finally agreed to start using DMZs for different services, but because they have no other switch on the domain controller, they are happy to have these DMZs on separate VLANs on the 6509.

    Is this a security risk? (They do NOT use the 6509 as an 'outside' switch so it's something that I guess)

    How the risk can be mitigated?

    How their environments could be compromised?

    Any suggestion is appreciated. Thanks in advance,

    Mike

    I don't see a problem with this setup as long as:

    (1) External / DMZ is LAYER 2 ONLY! Use a security device to manage all Layer 3 (firewall, FWSM, etc.)

    (2) You turn off proxy ARP on ALL Layer 3 interfaces on the switch.

    (3) You don't give anyone access to the switch unless they know what they are doing (understand the implications of having mixed traffic on the switch).

    (4) You configure a fake VLAN, make sure that everyone knows what it is (put a name on it and document it) and make it the default VLAN for your switchports.

    (5) You turn off trunk negotiation (all ports must be configured "switchport mode trunk" or "switchport mode access", and also "switchport nonegotiate"). If you use 802.1q (or ISL - ugh), explicitly set the VLANs that are allowed to pass: "switchport trunk allowed vlan x,y".

    (6) Use VTP transparent and do not trunk external VLANs to other switches, unless you know what you're doing.

    The most important is probably #3. One misplaced Layer 3 interface or IVR and it's game over: you have just connected the Internet to your internal network. I can't emphasize enough that, while this is possible and safe if done correctly, it is VERY dangerous if you don't know what you're doing. Some consider it too high a risk to take and believe in physical separation to eliminate the risk. I agree; however, I understand that not all of us can afford to purchase several 6500s.

    Another thing to consider, did you think to use VRF-Lite?

  • Security impact of disabling the content switch SSL close alert?

    HI: I have a few problems troubleshooting of applications at the level of the SSL layer. Based on a few known bugs of IE with Cisco solutions for the content switch with SSL accelerator, we intend to disable the

    where to pass the content of the feature sends not SSL closure alert.

    Wondering if anyone out there have ideas if this (disable SSL closure alert to the server) will have an impact or if there are security holes?

    Thank you

    Ravi

    For the CSM, "close-Protocol No" tells the SSL module not to send the SSL close notify alert at all when closing the connection.

    One of the ramifications of this could be that the IE browser client might not negotiate SSL session resumption for a later SSL connection...

    This does not impair functionality, but could result in degraded performance, since the SSL module would have to establish more new sessions instead of resumed sessions.

  • How to change the security policy of a distributed port group in a distributed virtual switch?

    Hello

    I am trying to write a Perl script that can modify the security policy of a distributed port group in a distributed virtual switch. I can access the values of the security policy by using the following:

    $port_group_view->config->defaultPortConfig->securityPolicy->allowPromiscuous->value
    $port_group_view->config->defaultPortConfig->securityPolicy->forgedTransmits->value
    $port_group_view->config->defaultPortConfig->securityPolicy->macChanges->value

    I try to use the method ReconfigureDVPortgroup_Task() of the managed object DistributedVirtualPortGroup. While creating a new instance of DVPortgroupConfigSpec, within the data spec config defaultPortConfig property object there is property of security policy and I couldn't find any other property pointing me to that I can update the security policy. I discovered that it is accessible via defaultPortConfig, stretching from VMwareDVSPortSetting where securityPolicy is a property of VMwareDVSPortSetting.

    What is the way to update it? I am a bit confused about the terminology "Extends" and "Extended by" and how they relate to each other.

    Regards

    Akmal

    It is in DVPortgroupConfigSpec, but you will need to use the extended VMwareDVSPortSetting object.

    # Build the spec; defaultPortConfig must be the VMware-specific subclass
    my $dvpg_spec = new DVPortgroupConfigSpec();
    $dvpg_spec->{defaultPortConfig} = new VMwareDVSPortSetting();
    $dvpg_spec->{defaultPortConfig}{securityPolicy} = new DVSSecurityPolicy();
    # value => 1 allows the behaviour, inherited => 0 overrides the switch default
    $dvpg_spec->{defaultPortConfig}{securityPolicy}{allowPromiscuous} = new BoolPolicy(value => 1, inherited => 0);
    $dvpg_spec->{defaultPortConfig}{securityPolicy}{forgedTransmits} = new BoolPolicy(value => 1, inherited => 0);
    $dvpg_spec->{defaultPortConfig}{securityPolicy}{macChanges} = new BoolPolicy(value => 1, inherited => 0);

    You could probably simplify this by getting the config spec VGA and change it before using it in the ReconfigureDVPortgroup_Task() method.

  • Script for Distributed Virtual Switch security settings

    Hello

    Is there a script I can use to list the security settings of the distributed virtual switches (dvS)?

    The output should look like:

    Enable Promiscuous: false
    Allow MAC address change: true
    Allow forged transmits: true

    The following PowerCLI script lists the security settings of the distributed virtual switches (dvS):

    Get-View -ViewType VmwareDistributedVirtualSwitch -Property Name,Config.DefaultPortConfig | `
    Select-Object -Property Name,
      @{N="Allow Promiscuous";E={$_.Config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value}},
      @{N="Allow MAC Address Change";E={$_.Config.DefaultPortConfig.SecurityPolicy.MacChanges.Value}},
      @{N="Allow Forged Transmits";E={$_.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value}}
    

    Best regards, Robert
