About port security

In the dorm I have 80 SRW224G4 switches.
Only a MAC and IP that are correct in the database can surf the internet,
but some students steal other MAC addresses.
I want to bind MAC and port:
at the beginning learn the port and MAC address, and only allow 1 MAC to pass this port.
I found the function similar to port security,
but I set up max 1 and lock
and it can't lock.
How do I set it up so it will work?

I don't understand. What is the problem with the Port Security function?
First you have to enable Multiple Hosts on all those ports.
Then you have three options:
1. You can lock the ports immediately to the MAC addresses currently learned.
2. You can lock the ports to a certain number of MAC addresses being learned. However, relearning and aging is active at that moment which means MAC addresses can still get "stolen" if the MAC address was removed due to aging.
3. You manually assign MAC addresses to ports.
For no. 1: you select the port on the Port Security page. Choose Learning Mode "Classic Lock" and select the "Lock Interface" check box. Press the Update button to get the change into the table. Then click on Save Settings at the bottom to save the changes into the configuration. The switch will store the currently learned MAC addresses on that port. The MAC addresses learned and locked on the interface can be seen on the Admin - Static Addresses page. The addresses will appear with status "Secure" on that interface. No other MAC addresses are accepted on that port anymore. Violations will be handled according to the action defined on the Port Security page for that interface. (Choose "Discard Disable" if you want to force your students to contact you in case of violation and to regain network access). You can manually add/remove secured mac addresses on the Admin - Static Addresses page.
For no. 2: for learning mode choose "Limited Dynamic Lock". Enter the number of MAC addresses you want to accept on any given port. Default is "1". Press the Update button to update the table. Save settings at the bottom of the page. Now select the interface again and choose "Lock Interface", press Update and save settings again. Now the port is in learning mode and locked. Again: aging and relearning is enabled. The default aging interval is 300 seconds/5 minutes. If a MAC address is not used for 5 minutes it is removed and the port is open to learn a new MAC address. But at any given time, only the max entries number of mac addresses is active on a port.
For no. 3: permanently fix the MAC addresses to ports on the Admin - Static Addresses page. Of course, you have to do that all manually which is a lot of work. I guess, you will probably prefer no. 1 to this option as it is pretty similar...
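To make the trade-off between the three options concrete, here is a small model of a port-security port written for this thread. It is an added example, not the SRW224G4 firmware or any vendor code; the class, mode constants and the `spoof_scenario` helper are my own assumptions, while the default maximum (1) and aging interval (300 s) are the values quoted above. The scenario is constructed: student A on port 1, student B on port 2, and B later sends frames carrying A's MAC. It shows why option 2 can still be "stolen" after an idle period, and why options 1 and 3 cannot.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Learning modes named in the answer; the constants and class are assumptions of this model.
CLASSIC_LOCK = "classic-lock"                  # option 1: freeze the MACs learned so far
LIMITED_DYNAMIC_LOCK = "limited-dynamic-lock"  # option 2: learn up to N MACs, entries age out
STATIC = "static"                              # option 3: only manually assigned MACs

DEFAULT_MAX = 1       # "Default is 1" (thread)
DEFAULT_AGING = 300   # "default aging interval is 300 seconds" (thread)


@dataclass
class SecurePort:
    mode: str
    action: str = "discard"           # violation action: "discard" or "discard-disable"
    max_addresses: int = DEFAULT_MAX
    aging_seconds: int = DEFAULT_AGING
    locked: bool = False
    disabled: bool = False
    # MAC -> last-seen time for dynamic entries; None marks a secured/static entry
    secure: Dict[str, Optional[int]] = field(default_factory=dict)
    violations: List[Tuple[int, str]] = field(default_factory=list)

    def lock(self) -> None:
        """'Lock Interface': in classic lock the learned MACs become static entries."""
        self.locked = True
        if self.mode == CLASSIC_LOCK:
            self.secure = {mac: None for mac in self.secure}

    def add_static(self, mac: str) -> None:
        """Admin - Static Addresses page: a manual entry that never ages."""
        self.secure[mac] = None

    def frame(self, mac: str, now: int) -> bool:
        """Handle one ingress frame at time `now`; return True if it is forwarded."""
        if self.disabled:
            return False
        self._age_out(now)
        if mac in self.secure:
            if self.secure[mac] is not None:
                self.secure[mac] = now        # refresh a dynamic entry
            return True
        if self.mode == CLASSIC_LOCK and not self.locked:
            self.secure[mac] = now            # still in the learning phase
            return True
        if self.mode == LIMITED_DYNAMIC_LOCK and len(self.secure) < self.max_addresses:
            self.secure[mac] = now            # learn it; aging applies
            return True
        return self._violation(mac, now)

    def _age_out(self, now: int) -> None:
        """Aging only runs in limited dynamic lock mode."""
        if self.mode != LIMITED_DYNAMIC_LOCK:
            return
        for mac, last in list(self.secure.items()):
            if last is not None and now - last >= self.aging_seconds:
                del self.secure[mac]

    def _violation(self, mac: str, now: int) -> bool:
        self.violations.append((now, mac))
        if self.action == "discard-disable":
            self.disabled = True              # stays down until an admin re-enables it
        return False


def spoof_scenario(mode: str, idle_seconds: int = 600) -> Dict[str, bool]:
    """Constructed scenario: student A on port 1, student B on port 2. After B's port has
    been idle for `idle_seconds`, B sends frames carrying A's MAC from port 2."""
    mac_a, mac_b = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb"   # constructed sample MACs
    p1 = SecurePort(mode=mode, action="discard-disable")
    p2 = SecurePort(mode=mode, action="discard-disable")
    if mode == STATIC:
        p1.add_static(mac_a)
        p2.add_static(mac_b)
    p1.frame(mac_a, 0)            # normal traffic during the learning phase
    p2.frame(mac_b, 0)
    p1.lock()
    p2.lock()
    spoof_forwarded = p2.frame(mac_a, idle_seconds)
    return {
        "spoof_forwarded": spoof_forwarded,
        "port2_disabled": p2.disabled,
        "legit_still_ok": p1.frame(mac_a, idle_seconds),
    }


if __name__ == "__main__":
    for mode in (CLASSIC_LOCK, LIMITED_DYNAMIC_LOCK, STATIC):
        print(mode, spoof_scenario(mode))
```

With the 600 s idle gap, only the limited dynamic lock port forwards the spoofed frames, because B's own entry aged out and the freed slot was relearned; with an idle gap shorter than the aging interval (try `idle_seconds=100`) the same port discards them and goes into the disabled state. That is the "stolen after aging" case the answer warns about, and the reason options 1 and 3 are the safer choice for a dorm.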

Similar Messages

  • SCOM 2012 SP1 Cisco Port Security Violations

    Hello,
    I'm fairly new to System Center but have been learning quite a bit over the last year. I am looking for some information on how to generate an alert off of a port-security violation. There's not much information about this so I'm wondering if anyone
    out there has experience doing this.
    Also, we run a fairly large Cisco environment (20000+ switchports), so my next question is, do I have to be monitoring every switchport to see a port-sec event happen? I've run some debug snmp packets on my Cisco devices, and I do see the SNMP trap
    sent for the port-security violation.
    The universal device poller that I set up for this is: OID 1.3.6.1.4.1.9.9.315.1.2.1.1.2 or the MIB CISCO-PORT-SECURITY-MIB:cpsIfPortSecurityStatus, so I'm pretty confident that I've got the right data. I'm just looking for a way to see these events happen
    without having to monitor every single switchport on my network, and whether the alert will tell me which switch and which port had the violation.
    Any help is always appreciated.

    Hi,
    I have to say that I don't have experience doing this, but in my opinion, if there are log files with that information, we can use SCOM to monitor the log file and fire alerts according to your requirements.
    Based on my research, the output of the port-security debug may have information about which switch and which port had the violation. (I am not familiar with Cisco devices; if there is any misunderstanding, please feel free to let me know.)
    Regards,
    Yan Li

  • Implementing port security

    I have about a dozen 2960s on which I wish to implement port security. Some users tend to bring their own router and cause mayhem on the network. I've tried DHCP snooping, which doesn't seem to work, and port security testing on a few ports works well.
    What are the recommended steps? All are connected with users and all ports are already in use.
    - Some ports already have a few MAC addresses in the tables, thus I can't do an across-the-board implementation with, say, "switchport port-security maximum 3".
    - It's tedious to go switch by switch, port by port.
    - Is there any mechanism that can convert sticky to static: "switchport port-security mac-address sticky" first, then convert them to static since the network is OK now?

    The poster above raised some excellent points about an "IT Acceptable Use Policy". I wouldn't want people allowed to bring in random network equipment, just plugging it in all willy-nilly.
    With DHCP Snooping, you need to understand that all ports will be untrusted by default. So you need to make sure the only ports that are trusted are trunk ports that lead to a DHCP server, and the port connected to the DHCP server. Also, you may or may not have to deal with Option 82, for which you have two options. You can either turn it off from being checked at the router, or instruct the switch to not insert the option to begin with in DHCP Discover packets.
    When you enable DHCP Snooping, this will create the DHCP Snooping database, which will keep track of the DHCP-assigned IP address and the MAC address assigned to each port.
    If you have users who bring in their own switches, find out who they are, and just watch the MAC addresses associated with the port, and then you can adjust port security appropriately.
    It sounds like you may have a hard time, since they don't seem to really care about security at this place.
    Personally, if it were me, all ports would have BPDU Guard, at a minimum. You can always set up 'errdisable recovery' to deal with the recovering of ports that have been disabled automatically.

  • PXE Imaging tripping port security

    We are using Cisco switches in our environment and our network administrator
    has enabled port security so that only 1 MAC address works on the port.
    On many PCs, when they PXE boot, they send a different MAC address (always
    starting with 00005A) than the MAC address of the NIC card, and it trips port security.
    We are using the following configuration:
    Switch: Cisco Catalyst 4506 Switch
    Server: Novell NetWare 6.5 SP5 + ZENworks for Desktops 4.01 IR 7
    Client OS: Windows 2000 SP4
    It only occurs at a location with IR 7 for ZfD 4.01 installed.

    Toine,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
    - Check all of the other support tools and options available at
    http://support.novell.com.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://support.novell.com/forums)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://support.novell.com/forums/faq_general.html
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • About port 4567

    Firstly, I know there have been many other posts concerning port 4567 on the BT Home Hub; I know many other people are concerned, as I am, about what appears to be a glaring hole in the Hub's security. However, I think people need to remember that BT's hub isn't the only one to have this issue; a quick search on Google will show quite a few other branded routers have the same 'hole' in their security. And they often cite the same 'excuses' for why it is there: firmware updates, and general network monitoring. So maybe we should stop giving BT the boot about this?
    I used to be really concerned about port 4567, after both grc.com and t1shopper.com kept showing it was "open" while virtually every other port was "stealthed". But today I ran a simple, free program called TCPView. It shows you, in real time, the state of TCP/UDP ports on your computer; the processes using them; the connection state, and so on. When I ran it for the first time, it only showed 4 ports with an "established" connection, and all of those I was familiar with. I looked down the list and not once did I see "port 4567" as "established", "listening", or "time_wait". There was no evidence it was being used by anything; it wasn't listed at all, even though grc.com, at the same time, still showed the port was "open". So this got me thinking: could these be false positives? Is it possible we're making something out of nothing? Is it really a security risk? Would BT really jeopardise their customers' security like this? I highly doubt it.
    BTW: I used to be able to use port forwarding on my Hub to stealth port 4567. But now port forwarding no longer seems to work. Either I am doing it wrong, or somehow a firmware update has rendered it useless. Also, don't bother telling me to use a software firewall; I have tried practically all of them and not one of them stealthed port 4567. In my experience the router renders software firewalls virtually redundant. Either that, or I'm configuring them wrong.

    'open' just means that someone trying to connect from the outside can see it. If there is a service to process it (with appropriate port forwarding if on a device other than the router itself) it may connect; but in the more likely event there isn't such a service they will get some kind of 'not connected' message. That is different from 'stealth', where they just don't see any response at all. The response from the open port shows that there is something at the IP address, and that it might therefore be worth trying to attack.
    TCPView tells you what is actually connected at the moment. You are pretty unlikely to see anyone who did attack unless you happened to look exactly as the attack was happening. Also, TCPView is looking from the computer at connections to the computer, not at the router. You wouldn't see anything connected to the router, or to any other device on your network, only to things connected (via the router) to the computer.

  • Port-security and Nexus 1000v

    Is there really any true need for port-security on Nexus 1000v for vethernet ports? Can a VM be assigned a previously used vethernet port that would trigger a port-security action?

    If you want to prevent admins or malicious users from being able change the mac address of a VM then port-security is a useful feature. Especially in VDI environments where users might have full admin control of the VM and can change the mac of the vnic.
    Now about veth ports. A veth gets assigned to a VM and stays with that VM. A veth is only released when either the NIC on the VM is deleted or the NIC is assigned to another port-profile on the N1KV or a port-group on a vSwitch or VMware DVS. When the veth is released it does not retain any of the prior information. It's freed up and added to a pool of available veths. When a veth is needed for a VM in either the same port-profile or a different port-profile, the free veth will be grabbed and initialized. It does not retain any of the previous settings.
    So assigning a VM to a previously used veth port should not trigger a violation. The MAC should get learned and traffic should be able to flow.

  • Switchport port-security maximum

    I have a 4510R switch ((cat4500e-UNIVERSALK9-M), Version 03.05.02.E RELEASE SOFTWARE (fc1)).
    I'm configuring the port-security maximum using the following commands:
    switchport port-security maximum 1 vlan access
    switchport port-security maximum 1 vlan voice
    I don't know why sometimes this works and sometimes it does not.
    To solve the issue I had to use the three commands:
    switchport port-security maximum 2
    switchport port-security maximum 1 vlan access
    switchport port-security maximum 1 vlan voice
    The documentation does not say anything about whether I have to use the three commands together.

    Hi,
    This is an excerpt from the Configuration Guide for your box and IOS-XE release:
    Each VLAN can be configured with a maximum count that is greater than the value configured on the port. Also, the sum of the maximum configured values for all the VLANs can exceed the maximum configured for the port. In either of these situations, the number of MAC addresses secured on each VLAN is limited to the lesser of the VLAN configuration maximum and the port configuration maximum. Also, the number of addresses secured on the port across all VLANs cannot exceed a maximum that is configured on the port.
    The default "switchport port-security maximum" value for the port is "1". So unless you change this value to "2", your port can sense max. 1 MAC address in either vlan "access" or "voice" ONLY without triggering a violation. This means that the total maximum number of MAC addresses allowed per all configured vlans per port equals ONE at the default.
    I hope my English makes sense.
    Best regards,
    Antonin

  • 2800 etherswitch module port security

    I am trying to set up port-security on an EtherSwitch module port.
    When I put in switchport ?
    I don't get the option port-security, so I then can't use mac-address.
    So I thought about doing it via a MAC-based ACL, but again when I try to set up the interface for the MAC-based access list I don't get the option:
    (config-if)#mac ?
    H.H.H MAC address
    Anyone any ideas?
    Cheers for info

    Hi Friend,
    Try this and see if it helps you
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t11/ft1636nm.htm#wp1433808
    HTH, if yes please rate the post.
    Ankur

  • Port security detecting two MACs on 1 machine.

    I am using port security on several 2950 switches to prevent unauthorized moves on the network. Currently, there are several hundred computers that do not have a problem. Here is my current config for each port:
    Version 12.1(19)EA1
    switchport mode access
    switchport port-security
    switchport port-security maximum 1
    switchport port-security violation shutdown
    switchport port-security mac-address sticky
    I am working with two users who each have old laptops (the only thing I can see in common). Their ports keep getting shut down due to MAC address violations. The users swear up and down that their computers have NOT moved or been unplugged. I reset the secure MAC on one port and the user was able to work about 30 minutes before being locked out again. Indeed, it does show a different MAC address as "last source address". I even have eyewitnesses (managers sitting by the desk) saying they saw nobody at his desk.
    Now, is there a chance something on the computer would cause the MAC address to change? He does have a modem, but I don't see this causing problems. I am very confused why only these two computers would be having problems. Honestly, I don't think the users are trying to pull a fast one.
    Since I have changed the max count to 2, I have not seen another MAC address show up on that port. I'm sure if I put it down to 1 again, it will lock out eventually.
    Anybody run into this before?
    Thanks.
    Brett

    After a month or so of testing, port security issues still exist in 12.1(12c)EA1 (although false triggers have slowed). It seems to be about 1 out of 100 computers or so. I set the violation to "restrict" to monitor the situation and alleviate the users' frustration at being shut off every 30 minutes or so during the workday. Here are some interesting results I see in the log history. This log is over the course of 24 hours since I changed it to restrict.
    interface FastEthernet0/1
    switchport mode access
    switchport port-security
    switchport port-security violation restrict
    switchport port-security mac-address sticky
    switchport port-security mac-address sticky 00e0.988a.7ee6
    no ip address
    Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
    (Count) (Count) (Count)
    Fa0/1 1 1 3 Restrict
    2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
    MAC address 5463.0007.eb9e on port Fa0/1.
    2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
    MAC address 0000.0007.eb9e on port Fa0/1.Invalid address secure address
    2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
    MAC address 3a20.0007.eb9e on port Fa0/1.Invalid address secure address
    Notice how all 3 violating MACs have similarities. Nobody can tell me that this is 3 different machines. Since replacing all the NICs is not an option, setting the violation to "restrict" seems to be the workaround, although it will shut down the interface temporarily throughout the day. Port security is absolutely needed.
    Thanks for the response Thomas.

  • Port Security & Trunk Port

    Hello,
    One of the recommendations in MES is to configure Port Security in the ME Services, such as ERS.
    I know that the Cat4500 is not part of the MES, and I found some Cisco documentation saying that configuring Port Security on an 802.1Q port is not supported on the Cat4500.
    Does anybody know if this is supported using the Sup V?
    Thanks!

    As far as my knowledge goes, this is not supported on Sup V either

  • When I tried to log into my iTunes account, I was asked to update my credit card information. When I confirmed my credit card info, I got a response about my security code not being accurate, which is not the case; it is 100% accurate. How do I fix this?

    I keep getting a message about my security code not being accurate. I tried 3 different cards and have the same issue. Is this a systems issue? I need to get my apps installed on my new iPhone 4. I am unable to download without confirming my credit card info. My security codes are 100% accurate. Anyone else having this issue? What is the fix for this?

    Ohemod,
    There are 120+ countries that have iTunes Stores, but that leaves many that do not.  You can consult this document:  iTunes Store: Which types of items can I buy in my country?
    Opening in a new country requires a tremendous amount of legal, commercial and financial investment, but I am sure Apple would be interested in knowing where there is unmet demand.  If you wish to make suggestions to Apple, you can use the iTunes Feedback page.

  • I am getting messages that I can't download and read .pdf files since I have the wrong Adobe reader. I know about their security disasters of course, but I downloaded the latest version of Adobe Reader from the Adobe web site and I have other ,pdf file re

    I am getting messages that I can't download and read .pdf files since I have the wrong Adobe reader. I know about their security disasters of course, but I downloaded the latest version of Adobe Reader from the Adobe web site and I have other .pdf file readers as well, and for some reason they won't work either. I have 5 computers running top end processors and RAM. By this I mean I have one, this one which I am using, that has an AMD Phenom Black 3.2 Quad-core with 8 GBs of Corsair top DDR2 RAM; my other two AMDs have either an Athlon II triple core with 4 GBs of DDR2 Corsair RAM, or the Phenom X4 965 3.4 GHz Quad-core with 8 GBs of their best DDR2 RAM; and two Intels with the i7 920 processors using the triple channel 1366 socket, one with 8 GBs of low latency DDR3 RAM and the other with 4 GBs of the same RAM. I am getting the message on this one, which has a fresh install of the XP Pro x64 operating system, as do the other 4 as well. I have run Avast Business Pro Anti-virus on this one, which I am getting the message on, with a single result which I deleted, and also both Spybot Search and Destroy, which came back clean, as well as Malwarebytes Antimalware, which got a lot of tracking cookies now removed, and SuperAntiSpyware which also found a few cookies, also now deleted. Can you tell me what I need to do to get these files to show as .pdf files rather than as a clean blank page? One other issue is that I wish to know how to turn off my downloads so they are saved and Mozilla will give me the option of returning to them instead of me losing them altogether as it does now. Thanks for your assistance. If there is another Adobe reader I should download and install, could you provide me with the link to it? I appreciate your assistance here.
    == When I download and try to read a .pdf file and when I am asked to turn off all Firefox files and if I do, I lose them since I need to know how to save them without rebooting my computer.

    Brilliant! Problem solved! Thanks so much.

  • Help about Warning Security IE 8.0

    Hello Guys,
    I need help about a security warning in IE 8.0.
    When I try to install software from my web server it displays the following message:
    I can't check the publisher. Are you sure you want to install the software?
    This file does not have a valid digital signature that verifies its publisher.
    You should only install software from publishers you trust.
    Well, I already enabled:
    Download signed ActiveX controls
    Download unsigned ActiveX controls
    Allow active content from CDs to run on user machines Enabled
    Allow software to run or install even if the signature is invalid Enabled
    Check for server certificate revocation Disabled
    Check for signatures on downloaded programs Disabled
    Is there somewhere I can disable all warning settings in IE, or one specific GPO I need to disable so this warning doesn't display for me?
    In the same installation a lot of .cab files are installed; only one specific one I don't have success with.
    I tried some troubleshooting too:
    https://social.technet.microsoft.com/Forums/windows/en-US/8f8293c4-0920-462f-9c69-0a8e3f92aa02/unknown-publishers-warning
    https://www.youtube.com/watch?v=UknQn6tZZis
    http://windows-3322.blogspot.com.br/2011/02/how-to-repair-activex-error.html
    Thanks a lot to whoever answers me or has any idea about my issue.

    This file does not have a valid digital signature that verifies its publisher.
    Did you see your result?
    https://social.technet.microsoft.com/Forums/windows/en-US/8f8293c4-0920-462f-9c69-0a8e3f92aa02/unknown-publishers-warning
    <quote>
    Changing the time zone actually worked.
    </quote>
    Robert Aldwinckle

  • Problem with hp laser jet 9050 mfp and port security

    Hello,
    I activated the port-security configuration on all the printers that we have. I've noticed that all the printers send an Ethernet packet that includes the same MAC address 1a3c.30a9.5a8f in all cases, and this makes the port go to shutdown. I have changed the configuration to restrict mode to avoid the shutdown on the printers.
    But it keeps sending the message. So I want to know if it's the switch that doesn't know how to interpret it, or if it's a problem with the printer?
    The switch I have is a Catalyst 4500-RE and here is a log of the issue.
    Nov 11 12:40:22 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet4/24.
    Nov 11 12:01:45 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet3/25.
    Nov 11 12:03:58.757 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port FastEthernet7/16.
    Thanks for the help.

    Hi,
    This address has got the U/L bit set, and even flipping the bit doesn't get any result in the IEEE OUI database.
    Can you post the sh port-security address output?
    Regards.
    Alain
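The SCOM thread above asks how to turn port-security violations into alerts that name the switch and port, and the two Cisco threads (Brett's 2950 log and the Catalyst 4500 printer log) show what the syslog line looks like. The following Python is an added example, not code from any of the posters or from Cisco: it parses those exact lines (Brett's wrapped lines rejoined), rolls them up per port, and applies the two checks the replies suggest, the U/L bit test Alain mentions and the shared-suffix similarity Brett noticed. The `host` value is a constructed placeholder because the quoted lines carry no switch name (a syslog collector would take it from the sending host), and the function names are my own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Sample log lines copied from the Cisco threads above (constructed input for this example;
# Brett's two-line messages are rejoined onto one line each).
SAMPLE_LOG = """\
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 5463.0007.eb9e on port Fa0/1.
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0007.eb9e on port Fa0/1.Invalid address secure address
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 3a20.0007.eb9e on port Fa0/1.Invalid address secure address
Nov 11 12:40:22 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet4/24.
Nov 11 12:01:45 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet3/25.
Nov 11 12:03:58.757 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port FastEthernet7/16.
"""

# Matches the message body; the note after the trailing dot (e.g. "Invalid address secure address") is optional.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by "
    r"MAC address (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"on port (?P<port>[A-Za-z]+\d+(?:/\d+)*)\.(?P<note>.*)$"
)


def normalize_mac(mac: str) -> str:
    """Cisco dotted form (5463.0007.eb9e) -> 12 lowercase hex digits."""
    return mac.replace(".", "").replace(":", "").replace("-", "").lower()


def mac_flags(mac: str) -> Dict[str, object]:
    """Decode the first octet: bit 0 = I/G (multicast), bit 1 = U/L (locally administered)."""
    digits = normalize_mac(mac)
    first = int(digits[:2], 16)
    return {
        "oui": digits[:6],
        "locally_administered": bool(first & 0x02),
        "multicast": bool(first & 0x01),
    }


def parse_violation(line: str, host: str = "unknown-switch") -> Optional[Dict[str, object]]:
    """Return a structured event, or None if the line is not a PSECURE_VIOLATION message."""
    m = VIOLATION_RE.search(line)
    if not m:
        return None
    event: Dict[str, object] = {
        "host": host,                          # placeholder: the quoted lines carry no hostname
        "prefix": line[: m.start()].strip(),   # timestamp text such as "2w4d:" or "Nov 11 12:40:22 CENTRAL:"
        "port": m.group("port"),
        "mac": normalize_mac(m.group("mac")),
        "note": m.group("note").strip(),
    }
    event.update(mac_flags(str(event["mac"])))
    return event


def common_suffix(macs: List[str]) -> str:
    """Trailing hex digits shared by every MAC in the list (Brett's 'similarities' check)."""
    if not macs:
        return ""
    digits = [normalize_mac(m) for m in macs]
    suffix = ""
    for i in range(1, 13):
        tail = digits[0][-i:]
        if all(d[-i:] == tail for d in digits):
            suffix = tail
        else:
            break
    return suffix


def summarize(log_text: str, host: str = "unknown-switch") -> Dict[str, Dict[str, object]]:
    """Per-port roll-up: violation count, distinct offending MACs, and why they look odd."""
    per_port: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_violation(line, host)
        if event:
            per_port[str(event["port"])].append(event)
    report: Dict[str, Dict[str, object]] = {}
    for port, events in per_port.items():
        macs = sorted({str(e["mac"]) for e in events})
        report[port] = {
            "host": host,
            "violations": len(events),
            "macs": macs,
            "locally_administered": sorted({str(e["mac"]) for e in events if e["locally_administered"]}),
            "shared_suffix": common_suffix(macs) if len(macs) > 1 else "",
        }
    return report


if __name__ == "__main__":
    for port, info in summarize(SAMPLE_LOG, host="dorm-sw1").items():
        print(port, info)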

  • Please help me about security questions because in my Apple ID there is no option to reset or change my answer

    Please help me with the security questions for my Apple ID, because I forgot my answers and in my Apple ID there is no option to change the answers. Please tell me about this, because I love my iPhone.
    <Email Edited by Host>

    You need to ask Apple to reset your security questions; this can be done by clicking here and picking a method, or if your country isn't listed, filling out and submitting this form.
    They wouldn't be security questions if they could be bypassed without Apple verifying your identity.
