CSS management port security
Hi,
Is it possible someone can let me know if the management port on the CSS is out of band? I am assuming it is but haven't managed to find this in the docs.
Thanks
Modem support through a console port provides the option of out-of-band command-line interface (CLI) management through a modem, providing flexibility for remote administration.
http://www.cisco.com/en/US/products/hw/contnetw/ps792/prod_bulletin09186a008017dc5d.html
Similar Messages
-
Unable to set CSS management port to 100Mbits-FD.
This is the first time I've encountered this problem. Thanks in advance!
CSS 11501 running code 7.30.1.06.
Below is the error I receive:
ARLTRKBAXPS1001(config-if[Ethernet-Mgmt])# phy 100Mbits-FD
^
%% Command is not available on Cirrus Logic Ethernet-Mgmt port.
This is normal.
As indicated by the message, the CSS11501 does not support this setting on the ethernet management port.
Only possible to use 10Mb, either full or half duplex.
Regards,
Gilles. -
I have a simple question. Can someone tell me how to access the management port on the css 11150?
I configured the IP and mask on the management port and configured my laptop for an IP on the same network. But I am unable to connect.
What do you mean by connect?
Are you trying telnet or HTTP ?
Are you able to ping ?
Is the interface showing up ?
Try 10Mb Half duplex set manually and see if it works.
Also, did you reboot the CSS after configuring the ip address/mask for the management interface ?
Gilles. -
CSS 11500 Serial Management Port Parameters
How to change / check the baud rate, parity, and stop bits of the serial management port.
My PC is currently set to 9600,8,1,N and I am receiving garbage. Telnet is ok
Thanks,
Steve
Be careful: the cable for console access is different from any other Cisco device. So, if your cable works for a Cisco router or a Cisco switch, then this is the wrong cable for the CSS.
If you search www.cisco.com for 'css console pinouts' you should find the right settings.
Gilles. -
CSS: Mgt port for management vs normal port for Management
What are the pros and cons of using the ethernet management port for managing a CSS and using a normal ethernet port for managing a CSS?
Does any functionality of the CSS depend on the Management ethernet port? Is connecting via local LAN still an issue/requirement?
You can use whatever port.
People usually want to use a management port that is *separated* from the rest of the device so that if a regular port gets hacked and somebody gains access to the device, you can't access the management network.
To obtain this separation between the regular ports and the management port, a lot of restrictions have been created on the management port.
You can't configure a default route on the management port, you can't have routes overlapping between management port and regular ports, ...
Therefore, personally, I prefer not to use the management port. The chance that somebody gains access to the CSS via a regular port is almost null, so it does not justify the pain of using the management port.
Regards,
Gilles. -
ILO & XSCF Management Port does it have port security.
Did Oracle implement LDAP/AD security on their management ports, which include ILO and XSCF?
Hi.
For XSCF - it already does.
http://download.oracle.com/docs/cd/E19855-01/821-2797-10/21ch2p.html#50450504_11757
About ILO - please clarify which server.
Regards. -
How to manage port open/close on MacMini server
Dear all,
In order to secure my server, I discovered that some ports are open.
Is there a way to close all ports and open only 445 and 548?
I would like to make sure that nobody can access the server from outside of the society except if they have a VPN client configured.
The collaborators should be able to connect to the server via afp, but from outside they need to use VPN.
Then I am looking for a way to manage ports on the macmini server.
Many thanks for your help
Cheers
Hi,
I finally heard that ports cannot be closed on the router because I am using 1:1 NAT.
How can I close all ports on my Macmini and open only the SSH port? I will not use VPN.
If I turn on the firewall with the option to close all protocols, is there a command to open a selected port?
If there is only port 22 (SSH), how can I mount a remote folder with afp or with something else? I also have one PC over the 7 iMacs.
Many thanks for your help
Cheers -
Hi,
I have got ASA 5520. How to use the management port as a normal port on ASA. What are the basic requirements for that.
Regards,
- Mero
Hello,
The management port under regular circumstances will look like this:
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
As you can see, the only difference between a regular traffic port and the management port is the management-only keyword.
So in order to use it as a regular port all you need to do is :
ciscoasa(config)# interface management 0/0
ciscoasa(config-if)# no management-only
And it will look now just like all the other ports,
interface Management0/0
shutdown
no nameif
no security-level
no ip address
Hope this helps, any other question let me know!!
Do rate helpful posts.
Julio, -
C2960s ethernet management port
Hi,
Can the ethernet management port on a 2960s be used to source syslog, snmp traps, ntp updates... ?
This is not mentioned in the software configuration guide (http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swint.html#wp2220949) and what worries me is the instability warning at the bottom.
thanks,
bart
Hi Bart,
The Ethernet management port supports these features: <<< from the documentation...
•Express Setup (only in switch stacks)
•Network Assistant
•Telnet with passwords
•TFTP
•Secure Shell (SSH)
•DHCP-based autoconfiguration
•SNMP (only the ENTITY-MIB and the IF-MIB)
•IP ping
•Interface features
–Speed—10 Mb/s, 100 Mb/s, and autonegotiation
–Duplex mode—Full, half, and autonegotiation
–Loopback detection
•Cisco Discovery Protocol (CDP)
•DHCP relay agent
•IPv4 and IPv6 access control lists (ACLs) -
Port-security MAC address restrictions and flexconnect
Hi - has anyone else seen this issue?
We use port-security on flexconnect ports limiting the maximum mac addresses to 100. The ports are configured so that the native vlan is the AP management vlan and we tag the wireless client vlan.
Recently we had an issue where we were seeing MAC address restriction violations on the ports connected to AP's. Although we could not see the violations happen in realtime they were in the switch logs. In Cisco Prime we checked the client counts on the AP's and they were less than 10 at that time the error occurred.
We then increased the max mac addresses to 200 and still saw the same issue. Removing port-security seemed to fix the problem.
This was the model and version of the switches.
WS-C2960X-24PS-L 15.0(2)EX4 C2960X-UNIVERSALK9-M
Has anyone else had this?
Any help much appreciated. -
I've managed to set up port security and I need to lock the ports down by one MAC. Well, after going through each port step by step, all the MACs are in the table but it shows them as dynamic addresses. I thought they were supposed to be static secure? I also thought that setting up port security would make it so that if someone changed ports on the switch it would cause a security violation. I haven't been able to create a security violation yet.
Hi,
How have you configured this on your switch ports, all you need to do to restrict the port to a single MAC address is:
switchport port-security
switchport port-security violation restrict
When you look at the CAM table for a specific port, the MAC address learned on that port should be listed as static and not dynamic.
my_switch#sh mac-address-table int fa 2/0/7
Mac Address Table
Vlan Mac Address Type Ports
134 0003.47a4.db43 STATIC Fa2/0/7
Total Mac Addresses for this criterion: 1
EDIT: You can also issue the following command:
my_switch#sh port-security int fa 2/0/7
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0003.47a4.db43:134
Security Violation Count : 0
This shows the max allowed MACs on the port, the MAC that has been allowed and the port status as Secure_up
I believe that's all you need to do.
HTH
Paddy -
CSS11503 Management port connection loss
Hi, we run 2 x CSS11503 with box-box redundancy. I have configured both management ports with IPs and default gateways. The management ports work fine when the box is in "master mode" but as soon as it goes into "backup mode" I lose connection to the management port. It seems to me that when the box is in backup it shuts down its TCP/IP stack??? Is there any way to override this on the Management port?
Cheers
The management port should not be down when the CSS is in passive state.
Are you sure the response from the CSS was going out via the management port?
Were you in the same VLAN as the management port?
If not, did you configure a management route to reach your pc ?
Regards,
Gilles. -
Port security detecting two MACs on 1 machine.
I am using port security on several 2950 switches to prevent unauthorized moves on the network. Currently, there are several hundred computers that do not have a problem. Here is my current config for each port:
Version 12.1(19)EA1
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation shutdown
switchport port-security mac-address sticky
I am working with two users who each have old laptops (the only thing I can see in common). Their ports keep getting shut down due to MAC address violations. The users swear up and down that their computers have NOT moved or been unplugged. I reset the secure MAC on one port and the user was able to work about 30 minutes before being locked out again. Indeed, it does show a different MAC address as "last source address". I even have eyewitnesses (managers sitting by the desk) saying they saw nobody at his desk.
Now, is there a chance something on the computer would cause the MAC address to change? He does have a modem, but I don't see this causing problems. I am very confused why only these two computers would be having problems. Honestly, I don't think the users are trying to pull a fast one.
Since I have changed the max count to 2, I have not seen another MAC address show up on that port. I'm sure if I put it down to 1 again, it will lock out eventually.
Anybody ran into this before?
Thanks.
Brett
After a month or so of testing, port security issues still exist in 12.1(12c)EA1 (although false triggers have slowed). Seems to be about 1 out of 100 computers or so. I set the violation to "restrict" to monitor the situation and alleviate the users' frustrations of being shut off every 30 min or so during the workday. Here are some interesting results I see in the log history. This log is over the course of 24 hours since I changed it to restrict.
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 00e0.988a.7ee6
no ip address
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
      Fa0/1         1             1               3            Restrict
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
MAC address 5463.0007.eb9e on port Fa0/1.
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
MAC address 0000.0007.eb9e on port Fa0/1.Invalid address secure address
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
MAC address 3a20.0007.eb9e on port Fa0/1.Invalid address secure address
Notice how all 3 violating MACs have similarities. Nobody can tell me that this is 3 different machines. Since replacing all the NICs is not an option, setting the violation to "restrict" seems to be the workaround although it will shut down int temp throughout the day. Port security is absolutely needed.
Thanks for the response Thomas. -
Problem with hp laser jet 9050 mfp and port security
Hello,
I activated the port-security configuration on all the printers that we have. I've noticed that all the printers send an ethernet package that includes the same MAC address 1a3c.30a9.5a8f in all the cases and this makes the port go to shutdown. I have changed the configuration to restrict mode to avoid the shutdown on the printers.
But it keeps sending the message. So I want to know if it's that the switch doesn't know how to interpret it or if it's a problem with the printer?
The switch i have is a Catalyst 4500-RE and here it's a log from the issue.
Nov 11 12:40:22 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet4/24.
Nov 11 12:01:45 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet3/25.
Nov 11 12:03:58.757 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port FastEthernet7/16.
Thanks for the help.
Hi,
this address has got the U/L bit set and even flipping the bit doesn't get any result in the IEEE OUI database.
Can you post sh port-security address output.
Regards.
Alain -
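Added example (not part of any post above, and not Cisco code): a Python triage script for the %PORT_SECURITY-2-PSECURE_VIOLATION messages quoted in the 2950 and Catalyst 4500 threads. It decodes the U/L bit Alain mentions and groups violations by port and address tail. The sample log is constructed from the lines quoted on this page; the function names and the grouping heuristics are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the violation messages quoted in the two threads, one per line.
_MSG = "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address "
SAMPLE_LOG = "\n".join([
    "2w4d: " + _MSG + "5463.0007.eb9e on port Fa0/1.",
    "2w4d: " + _MSG + "0000.0007.eb9e on port Fa0/1.",
    "2w4d: " + _MSG + "3a20.0007.eb9e on port Fa0/1.",
    "Nov 11 12:40:22 CENTRAL: " + _MSG + "1a3c.30a9.5a8f on port GigabitEthernet4/24.",
    "Nov 11 12:01:45 CENTRAL: " + _MSG + "1a3c.30a9.5a8f on port GigabitEthernet3/25.",
    "Nov 11 12:03:58.757 CENTRAL: " + _MSG + "1a3c.30a9.5a8f on port FastEthernet7/16.",
])

# \s+ tolerates messages that a terminal or mail client wrapped across lines.
VIOLATION_RE = re.compile(
    r"PSECURE_VIOLATION:.*?MAC\s+address\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})"
    r"\s+on\s+port\s+([A-Za-z]+[\d/]+)", re.I | re.S)


def parse_violations(text):
    """Return (mac, port) for every port-security violation message in text."""
    return [(m.group(1).lower(), m.group(2)) for m in VIOLATION_RE.finditer(text)]


def mac_flags(mac):
    """Decode the two flag bits carried in the first octet of a MAC address."""
    first_octet = int(mac.replace(".", "")[:2], 16)
    return {"locally_administered": bool(first_octet & 0x02),  # U/L bit
            "group": bool(first_octet & 0x01)}                 # I/G (multicast) bit


def triage(text):
    """Group violations and flag patterns worth a closer look (heuristics are assumptions)."""
    ports_by_mac, macs_by_tail = defaultdict(set), defaultdict(set)
    for mac, port in parse_violations(text):
        ports_by_mac[mac].add(port)
        macs_by_tail[(port, mac[5:])].add(mac)  # key on the last four bytes
    findings = []
    for mac, ports in ports_by_mac.items():
        if mac_flags(mac)["locally_administered"]:
            # Not a burned-in vendor address, so an OUI lookup will not identify it.
            findings.append(("locally-administered", mac, sorted(ports)))
        if len(ports) > 1:
            # One source address on several access ports: not a single moved host.
            findings.append(("same-mac-multiple-ports", mac, sorted(ports)))
    for (port, tail), macs in macs_by_tail.items():
        if len(macs) > 1:
            # Same trailing bytes, different leading bytes on one port: likely
            # mangled source addresses from one NIC rather than several hosts.
            findings.append(("shared-tail-on-port", port + " *." + tail, sorted(macs)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
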
Need a hint for home office / 871 does not support port-security - FPM ?
Hi,
I want to realize the following setup:
- Central Site 871 with Internet Connection and static IP
- Home office 871 with Internet Connection and static IP. On that home office router, there should be 2 Vlans: 1 for the office work and one for the user's private PC. All Traffic from the "office" Vlan is being put into a VPN to the central site. All Traffic on the other interface is being natted and goes straight to the internet.
To minimize security issues, I tried to configure port-security, so that the user cannot connect with his private PC to the office LAN ports and vice versa. Unfortunately, port-security seems not to be supported on the 871 (advanced ip services image).
Now I looked for an alternative... and came over to FPM (flexible packet matching).
If I understood right, you can classify packets for example by their source MAC address and if this field matches a specific value (the MAC of the work PC), packets can be dropped by a policy.
Of course I cannot avoid that the user connects the work PC together with his private PC (this is then related to the OS security to keep out viruses, worms, trojans, etc). But I could/want to restrict the internet access with the work PC through "normal" Internet access - the users should not be able to do that (must use the company's proxy).
I did the following config:
class-map type access-control match-any c2
match start l2-start offset 48 size 6 regex "0xabcd1234fedc"
match field ETHER source-mac regex "abcd1234fedc"
policy-map type access-control p2
class c2
drop
interface Vlan1
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
service-policy type access-control input p2
service-policy type access-control output p2
As this feature is quite new, I'm not familiar with its syntax.
I also tried to use "string" instead of regexp, but I'm still able to connect the office PC to the private LAN and I am able to access the "Internet" (currently it's only set up in a lab).
As I understood so far, the offset is the value in bits, and size is in bytes. Is that correct?
Has anyone yet some experience with FPM or maybe any hint for me how to realize the requested setup with the 871 routers?
Best regards,
Andy
For the FPM feature to work you will need PHDF files for the protocols you want to scan for to be loaded on your routers. The files can be downloaded from Cisco's website. In your case you will have to download the ether.phdf file.