Enable port security between Two switches

Hi Everyone,
I connected two switches together via the config below.
Switch A
int gi0/1
switchport mode access
switchport access vlan 10
Switch B
int gi0/1
switchport mode access
switchport access vlan 10
They work fine with the above config.
I did the test below.
However, when I changed the config of Switch B as below,
int gi0/1
switchport mode access
switchport access vlan 10
switchport port-security
Switch B is unable to ping its default gateway.
Also Switch B is not reachable via SSH.
The port is up/up and in STP forwarding state.
Switch B can see Switch A as a neighbour.
I know that we use switchport port-security only when connecting to a PC.
So does this mean that in the above scenario layer 1 and layer 2 are up, but layer 3 and above are not reachable, like ping, SSH etc.?
Regards
Mahesh

I was just trying to see how the switches behave with this config. Nothing much, just exploring the options in the network world.
Ideally, if you want to connect two switches together at Layer 2, Dot1Q trunking is the way to go. You do not want to put port security on it because it is useless.
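To make the original question concrete, here is an added Python model (not code from the thread, and not Cisco's implementation) of how a port-security address limit treats the several source MACs that a switch-facing port sees; the SecurePort class, the scenario function and the MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Hypothetical model of one access port running switchport port-security."""
    name: str
    maximum: int = 1             # IOS default: switchport port-security maximum 1
    violation: str = "shutdown"  # IOS default mode; alternatives: protect | restrict
    secure: list = field(default_factory=list)   # learned (sticky) secure MACs
    violations: int = 0          # the SecurityViolation (Count) column
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> bool:
        """Handle one frame by its source MAC; True if the frame is forwarded."""
        if self.err_disabled:
            return False                      # err-disabled port passes nothing
        if src_mac in self.secure:
            return True                       # already a secure address
        if len(self.secure) < self.maximum:
            self.secure.append(src_mac)       # room left: learn it (sticky)
            return True
        # Table full and the source is unknown: a security violation.
        if self.violation == "protect":
            return False                      # dropped silently, no notification
        self.violations += 1
        if self.violation == "restrict":
            self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                            f"occurred, caused by MAC address {src_mac} on port {self.name}.")
            return False
        self.err_disabled = True              # shutdown: port goes err-disabled
        self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}")
        return False


def switch_to_switch_link(violation: str, maximum: int = 1) -> dict:
    """Replay the thread's setup: Switch B's gi0/1 faces Switch A, so frames from
    several sources (Switch A, the gateway, hosts behind A) arrive on one port."""
    port = SecurePort("Gi0/1", maximum=maximum, violation=violation)
    frames = [  # constructed MACs, not taken from the page
        "0011.2233.4401",  # Switch A itself
        "0011.2233.ffff",  # the default gateway
        "0011.2233.aa01",  # a host behind Switch A
        "0011.2233.ffff",  # the gateway replying to Switch B's ping
    ]
    forwarded = [port.ingress(mac) for mac in frames]
    return {"forwarded": forwarded, "secure": port.secure, "violations": port.violations,
            "err_disabled": port.err_disabled, "log": port.log}


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, switch_to_switch_link(mode))
```

Whatever the violation mode, only the first learned source keeps passing; raising the maximum (or, as the reply says, using a trunk without port security) is what lets the gateway's replies through.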

Similar Messages

  • After enabling port-security host is not reachable

Hi, after we enable port security on the switch the host will not be reachable. Please note that we have some ports on the same switch configured for 802.1x authentication. Below is the configuration for the port:
    interface fa 0/20
    switchport mode access
    switchport access vlan 20
    switchport port-security
    switchport port-security maximum 2
    switchport port-security maximum 1 vlan access
    switchport port-security maximum 1 vlan voice
    switchport port-security mac-address sticky

    hello
Possibly too restrictive for that... can you post
    sh port-security int fa0/20
    res
    Paul

  • What can be the max difference in cable lengths that we can have between the ISLs in a port-channel between MDS switches?

    Hello All
    What can be the max difference in cable lengths that we can have between the ISLs in a port-channel between MDS switches? Do we have any documentation?
    Thanks
    Chetan

     competitive solution instead recommends a distance variance of 30 meters or less among ISLs within a trunk. If the distance variance is greater than 30 meters, undesired and degraded performance will occur. For example, if a trunk has a distance of 100 kilometers, the competitive trunking solution allows a cable length variance of only 0.03 percent!
    ref;
    http://www.cisco.com/c/en/us/products/collateral/storage-networking/mds-9500-series-multilayer-directors/white_paper_c11-534878.html
    hth
    regards
    inayath
**********PLZ don't forget to rate if this info is helpful.

  • Is there any way to enable eventlog replication between two nodes in windows 2008 failover cluster.

    Is there any way to enable eventlog replication between two nodes in windows 2008 failover cluster.
Thanks, Azam. When you see answers please Mark as Answer if helpful, and vote as helpful.

    Hi,
As far as I know there is no log replication function between failover cluster nodes. If you want unified log management you can refer to the following related
    KB:
    Configure Computers to Forward and Collect Events
    http://technet.microsoft.com/en-us/library/cc748890.aspx
    Hope this helps.

  • Can I create a port channel to two switches that are not stacked?

    Two switches, not stacked, but connected together via 802.1q trunk.
    Server with four NICs, capable of trunking and LACP.
    Can the switches be setup to have an etherchannel between the two switches and the server?

    Hi,
In short, NO.
You would need to connect your server to only ONE switch if you want all 4 NICs in the same TEAM.
You could use 2 TEAMS and put 2 NICs in each, forming a 2-port etherchannel to each switch.
    Regards,
    Alex.
    Please rate useful posts.

• Port isolation between two SRW switches connected through fiber?

    Hi guys,
I have one SRW2024P connected through fiber to an SRW2048. I would like to create an isolated link between these two switches consisting of at least one isolated port at each switch. Can these SRWs do this?
Alternatively I need a few PoE ports on the SRW2048 side, so do you know any 16+ port PoE switch that can do this?
    THX for answer.

    Do you mean you want a port on each switch to be able to communicate with each other but not with any other ports on the switches ?
i.e. a PC host at 192.168.1.3 on port 2 on switch 1, to be able to ping an IP host at 192.18.1.2 on switch 2 port 3?
If this sort of functionality is required you want to create a new VLAN on the switch. If that is not the case, please explain in more detail what you want and ignore the following.
    regards Dave
On my SRW2008P I would do the following; I guess your interface is almost identical to my switch's GUI interface.
Step 1: create a VLAN, maybe VLAN 2.
[Make sure you scroll down to the bottom of the page at each step and save changes.]
Step 2: alter port x to be an untagged member of VLAN 2.
Step 3: modify the VLAN interface setting on both switches to make the fiber uplink port a trunk in VLAN 2.

  • Port security detecting two MACs on 1 machine.

    I am using port security on several 2950 switches to prevent unauthorized moves on the network. Currently, there are several hundred computers that do not have a problem. Here is my current config for each port:
    Version 12.1(19)EA1
    switchport mode access
    switchport port-security
    switchport port-security maximum 1
    switchport port-security violation shutdown
    switchport port-security mac-address sticky
I am working with two users who each have old laptops (the only thing I can see in common). Their ports keep getting shut down due to MAC address violations. The users swear up and down that their computers have NOT moved or been unplugged. I reset the secure MAC on one port and the user was able to work about 30 minutes before being locked out again. Indeed, it does show a different MAC address as "last source address". I even have eyewitnesses (managers sitting by the desk) saying they saw nobody at his desk.
Now, is there a chance something on the computer would cause the MAC address to change? He does have a modem, but I don't see this causing problems. I am very confused why only these two computers would be having problems. Honestly, I don't think the users are trying to pull a fast one.
Since I have changed the max count to 2, I have not seen another MAC address show up on that port. I'm sure if I put it down to 1 again, it will lock out eventually.
    Anybody ran into this before?
    Thanks.
    Brett

After a month or so of testing, port security issues still exist in 12.1(12c)EA1 (although false triggers have slowed). It seems to be about 1 out of 100 computers or so. I set the violation to "restrict" to monitor the situation and alleviate the users' frustration at being shut off every 30 min or so during the workday. Here are some interesting results I see in the log history. This log is over the course of 24 hours since I changed it to restrict.
    interface FastEthernet0/1
    switchport mode access
    switchport port-security
    switchport port-security violation restrict
    switchport port-security mac-address sticky
    switchport port-security mac-address sticky 00e0.988a.7ee6
    no ip address
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                 (Count)        (Count)      (Count)
    Fa0/1        1              1            3                  Restrict
    2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 5463.0007.eb9e on port Fa0/1.
    2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0007.eb9e on port Fa0/1.Invalid address secure address
    2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 3a20.0007.eb9e on port Fa0/1.Invalid address secure address
Notice how all 3 violating MACs have similarities. Nobody can tell me that this is 3 different machines. Since replacing all the NICs is not an option, setting the violation to "restrict" seems to be the workaround, although it will shut down the interface temporarily throughout the day. Port security is absolutely needed.
    Thanks for the response Thomas.
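The pattern this post spots by eye (violating MACs that differ only in their first group) is something a defender can detect automatically. The parser below is an added example, not the poster's or Cisco's code; it embeds a constructed sample modelled on the log lines above and also re-joins records that were wrapped across lines the way the forum shows them.

```python
import re
from collections import defaultdict

# Constructed syslog sample modelled on the thread's output (not captured from a
# live device). The first record is wrapped onto a second line as in the post.
SAMPLE_LOG = """\
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
MAC address 5463.0007.eb9e on port Fa0/1.
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0007.eb9e on port Fa0/1.Invalid address secure address
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 3a20.0007.eb9e on port Fa0/1.Invalid address secure address
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.56aa.1234 on port Fa0/7.
2w4d: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
"""

RECORD_START = re.compile(r"%[A-Z_]+-\d-[A-Z_]+:")     # any IOS facility-severity-mnemonic
VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION:.*?MAC address "
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) on port ([A-Za-z]+\d+(?:/\d+)*)")


def join_wrapped(text):
    """Re-join syslog records whose text was wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.search(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_violations(text):
    """Return (port, mac) pairs for every PSECURE_VIOLATION record."""
    out = []
    for rec in join_wrapped(text):
        m = VIOLATION.search(rec)
        if m:
            out.append((m.group(2), m.group(1).lower()))
    return out


def violations_per_port(text):
    """Count violations per port, matching the SecurityViolation (Count) column."""
    counts = defaultdict(int)
    for port, _ in parse_violations(text):
        counts[port] += 1
    return dict(counts)


def suspicious_ports(text):
    """Ports where two or more violating MACs share the low 32 bits (xxxx.0007.eb9e):
    the signature of one NIC corrupting its own address, not of several devices."""
    by_port = defaultdict(lambda: defaultdict(set))
    for port, mac in parse_violations(text):
        by_port[port][mac[5:]].add(mac)          # mac[5:] drops the first group
    flagged = {}
    for port, groups in by_port.items():
        macs = sorted(set().union(*(g for g in groups.values() if len(g) >= 2)))
        if macs:
            flagged[port] = macs
    return flagged


if __name__ == "__main__":
    print(violations_per_port(SAMPLE_LOG))
    print(suspicious_ports(SAMPLE_LOG))
```

A port flagged this way is a candidate for a hardware check rather than a security incident, while a port with unrelated violating MACs still deserves the usual investigation.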

  • Fiber connection between two switches

    Hi All,
Here is the situation: I have two switches, an SF200 and an SG300, and I am trying to link them up using SFP modules (fiber).
They are both in trunk mode and the connection is up, but nothing, no IP traffic, goes through it.
I have ensured the allowed VLANs are correct and the native VLANs match, but still nothing.
Then I did a port monitor on it (replicated it to another port), but all I could see was a bunch of STP, ARP, mDNS and LLC traffic, nothing to do with the dot1q extension.
I used Wireshark; would I be able to monitor trunk traffic at all? Would the protocol be dot1q?
However, the fiber link works if I plug the connection that goes to the SG300 into a fiber converter and then connect an RJ45 cable from the converter to the SG300 RJ45 port. That is the only way it works. This suggests to me a possible issue with the fiber module on the SG300; however, I have tried a few different modules and still nothing. I even tried the one that is on the SF200 (working) and still nothing.
What boggles me is the fact that the link is seen as up and all good by both switches, but nothing goes through them.
    Any one know what the cause could be ?
    Thanks

    Wrong forum, post in "Small Business switches". You can move your posting with the Actions panel on the right.

  • Secure Tunneling Between Two Switches

    Hi,
    We have 3 buildings in a campus.  We occupy building 1 and 3.  Building 2 belongs to someone else.  However, building 2 switch connects both building 1 and 3.  How do I create a point-to-point secure tunnel between the two 3560v2 layer 2 switches in building 1 and 3 thru the transit switch in building 2 in a layer 2 environment?
    QinQ does not meet the requirement because we want to prevent man-in-the-middle access from the transit switch in Building 2.
    Thanks!
    Kevin

    Encryption of the uplink is the way to go but your 3560v2 switch does NOT support MACSec.
    MACSec support starts with 3560X/3750X, 3650/3850.

  • Security between two jvm using JNDI

    Hi ,
I want to access the UME service of the SAP J2EE Container using a standalone client application.
    So the client would be running on remote JVM.
    Here we use the JNDI service to communicate between the client and server.
    import java.util.Properties;
    import javax.naming.Context;
    import javax.naming.InitialContext;

    // Properties for the SAP JNDI initial context; providerURL, securityPrinciple,
    // securityCredentials and ejbName are supplied by the client.
    Properties p = new Properties();
    p.put(Context.INITIAL_CONTEXT_FACTORY, "com.sap.engine.services.jndi.InitialContextFactoryImpl");
    p.put(Context.PROVIDER_URL, providerURL.trim());
    p.put(Context.SECURITY_PRINCIPAL, securityPrinciple.trim());
    p.put(Context.SECURITY_CREDENTIALS, securityCredentials.trim());
    Context ctx = new InitialContext(p);
    Object objRef = ctx.lookup(ejbName.trim());
    I want to know whether the communication between the client and server is secured in this scenario.
    Best Regards
    Manoj

    Hi,
    Java Remote Method Invocation by default does not support authenticated and encrypted transport.
    That is, objects sent over the network are not encrypted.
    A firewall can be used to secure a Java RMI application. Here, the firewall must allow access to specifically known ports. That is, these ports cannot be denied access by the firewall. SOCKS provides a partial solution to the use of RMI through firewalls in that it protects outgoing RMI calls, but incoming RMI calls as well as RMI call-backs are not protected.
This may be overcome by using a bi-directional RMI implementation through the firewalls. However, it requires the use of specific settings that can relax the security, or application-level proxy servers, thus increasing the administrative overhead. Also, changing the security policy to allow bi-directional RMI traffic should only be done with extreme care. A better solution towards securing RMI is by means of supporting authenticated and encrypted transport, so that a network attacker cannot alter data in communication. This can be achieved by running RMI over SSL.
    regards
    Vivek Nidhi

  • Physical port security on Cisco switching

We have a security problem I would like to resolve. Like most sites, our wired network has live ports that non-corporate PCs and laptops periodically connect to without our knowledge. In our network we do not filter for valid MAC addresses, although I've learned this is a poor approach to security, as a MAC can be changed in about 10 seconds.
    I would like a solution that would validate corporate systems and let them through the Cisco layer 3 switching and block out all other devices which attempt connection. We do not currently have IDS or IPS and are not likely to in short term.
    Is there a hardware or software or combination solution out there that works well for this ?
    Thank you

    Steve
    2 solutions spring to mind
    1) 802.1x authentication. Microsoft XP/Vista has built in 802.1x supplicant and Cisco switches support Network EAP used to pass the 802.1x messages. What you also need is an authentication server such as Cisco Secure ACS server although Microsoft IAS server also supports 802.1x.
    Basically before a client is allowed access to the network they have to authenticate to the network with valid credentials otherwise the port is shutdown.
2) NAC - Network Admission Control. This goes one step further than 1), whereby the client is also checked to see if it conforms to company policy, e.g. does it have the right virus checker on it etc., and if it doesn't the client can be quarantined.
    A search on Cisco's website for both NAC and 802.1x will provide a lot of useful links.
    Jon

  • 8Gig Port Channel between two 6509s

    Hey all,
I have two 6509s that I'm trying to configure with an 8 Gig trunk/port channel. I have an 8 port fiber module in slot 3 on both switches. When I use the following command: "set port channel 3/1-8 on", it seems to take the command, but if I do "show port channel" it shows two groups:
    3/1-4
    3/5-8
    Is there a limit as to how many gigs a port channel can be? If not, why does it split it like this?
    I should also note I'm using dot1q for the trunks using Auto mode on one switch and Desirable on the other.
    Thanks,
    Scott

    I did a show port cap on the interfaces and I didn't see any sort of restriction. I decided to run the command again 'set port channel 3/1-8 on' and for some reason it seemed to work this time. Not sure what changed, but it's working now.
    Thanks for your help!

  • Port forwarding between two servers from Same subnet

Hi,
We have a Cisco ASA 5520, Version 8.4(3). There is a site-to-site VPN tunnel between us and a client, and the client sends us data to our local host/server 10.x.x.20 on port 52944. So 10.x.x.20 gets data on port 52944. We want to forward this data to a test server 10.x.x.21 (same subnet IP) on port 52945. So basically I want to forward traffic from 10.x.x.20:52944 to 10.x.x.21:52945.
Is this possible? I am a newbie to networking and still learning. Excuse me if this sounds silly.
I know we can add one more ACL in the VPN tunnel and add this test server IP in the ACL, but then I have to ask the client to change their ACL too. I don't want to do this, so I want to work around it. Any help or suggestions are much appreciated.
    Thanks in advance :)
    This is my first ticket in the support community.
    cs

    VMs have nothing to do with it, as long as there's network communication between the servers.
    As I said, there must be a service or application listening on that port for it to respond. For example, try this:
    C:\> telnet
    When the telnet prompt opens, type in:
    open mail.messaging.microsoft.com 25
    If it works, you should see this:
    220 CH1EHSMHS035.bigfish.com Microsoft ESMTP MAIL Service ready at Thu, 7 Feb 2013 00:57:33 +0000
That means that Microsoft's mail servers are LISTENING on port 25 and it responded. And note, telnetting to port 25 is a non-default telnet port, because port 23 is the default telnet port. When you type in a space and then a port number, you're telling the telnet client to use that port.
That is the SAME THING if some sort of application or service is listening on port 8444 on that other server you're trying to telnet to. If there is no app or service listening, it will just time out.
And no, installing the TELNET service on that server will NOT answer on any port other than 23. The telnet service by default uses TCP 23, unless you specify otherwise.
    So once again, what service or app on that server is supposed to be listening on 8444?
    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
    This post is provided AS-IS with no warranties or guarantees and confers no rights.

  • Port Security MIB on SF, SG series switches

I need to set up some parameters related to port security features on my SG and SF series switches via SNMP. I've found that it is possible with the port security MIB (1.3.6.1.4.1.9.9.315). I found out my devices have support for this MIB by downloading the archive with MIBs from the Cisco site. But when I try to read some parameters from this MIB via SNMP, for example cpsIfPortSecurityStatus (1.3.6.1.4.1.9.9.315.1.2.1.1.2), the device answers with: "No Such Object available on this agent at this OID". But it is possible to do this in the web interface in the Security->Port Security section.
    How is it possible to read/write such type of parameters ?

    The OID you mentioned cpsIfPortSecurityStatus has Read-Only permissions and hence you cannot set anything.
You can only poll this object to know the operational status of the port security feature on an interface, which will return one of three statuses:
    1 : secureup
    2 : securedown
    3 : shutdown
    For more details check OID Translation.
You can only set values which have Read-Write permissions, like cpsIfPortSecurityEnable, using which you can enable port security on an interface.
    Tell us what you want to achieve using SNMP Set operation?
    Also, I am not sure if these MIB features are completely implemented on 29xx/35xx/37xx devices.
    But are present in 45xx and 65xx series switches.

• Link two switches together?

    Hi
I have two switches (cat3750) and both of them connect back to a cat6500.
One of our clients accidentally linked one access port on one machine to another access port on another machine.
The access port configuration is:
    interface FastEthernet1/0/2
     description standard Ports
     switchport access vlan 006
     switchport mode access
     switchport voice vlan 906
     switchport port-security maximum 2
     switchport port-security
     switchport port-security aging time 2
     switchport port-security violation restrict
     switchport port-security aging type inactivity
     srr-queue bandwidth share 1 30 35 5
     priority-queue out
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     macro description cisco-phone
     spanning-tree portfast
     spanning-tree bpduguard enable
     service-policy input AUTOQOS-STANDARD-POLICY
And this link caused a big multicast storm and made EIGRP routing unstable until the link was removed. I find it hard to believe that linking a cable between two switches on access ports would cause such a big issue; the only thing I know is that at the same time a multicast application was also running in this area, and after I broke the link the application was still running without any problem.
Could I get advice on whether it is possible to make the configuration on access ports more secure in this case? Could I get advice, principally, on what the possible reason for this case is?
    Any comments will be appreciated
    Thanks in advance
    Julxu

Both are the same. It is the standard configuration, no difference.
