Implementing port security

I have about a dozen 2960s on which I wish to implement port security. Some users tend to bring their own router and cause mayhem on the network. I've tried DHCP snooping, which doesn't seem to work, and port security testing on a few ports works well.
What are the recommended steps? All are connected to users and all ports are already in use.
- Some ports already have a few MAC addresses in the tables, so I can't do an across-the-board implementation of, say, "switchport port-security maximum 3".
- It's tedious to go switch by switch, port by port.
- Is there any mechanism that can convert sticky to static: use "switchport port-security mac-address sticky" first, then convert them to static, since the network is OK now?

The poster above raised some excellent points about an "IT Acceptable Policy". I wouldn't want people allowed to bring in random network equipment, just plugging it in all willy-nilly.
With DHCP Snooping, you need to understand that all ports will be untrusted by default. So you need to make sure the only ports that are trusted are trunk ports that lead to a DHCP server, and the port connected to the DHCP server. Also, you may or may not have to deal with Option 82, for which you have two options. You can either turn it off from being checked at the router, or instruct the switch to not install the option to begin with in DHCP Discover packets.
When you enable DHCP Snooping, this will create the DHCP Snooping database, which will keep track of the DHCP-assigned IP address and the MAC address assigned to each port.
If you have users who bring in their own switches, find out who they are, and just watch the MAC addresses associated with the port, and then you can adjust port security appropriately.
It sounds like you may have a hard time, since they don't seem to really care about security at this place.
Personally, if it were me, all ports would have BPDU Guard at a minimum. You can always set up 'errdisable recovery' to deal with the recovery of ports that have been disabled automatically.
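The original question asks for a way to turn sticky-learned addresses into static entries, with a per-port maximum that fits each port, across a dozen switches without walking them port by port. The script below is an added example, not from this thread or from Cisco: it parses the layout of "show port-security address" (the sample is constructed here and the column layout is an assumption to check against your own switch), generates per-interface config with the maximum set to the number of learned addresses, and holds back any port with more addresses than a threshold so a hub or daisy-chained switch gets reviewed instead of locked down.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed layout of "show port-security address" on a 2960.
SAMPLE = """\
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0011.2233.4455    SecureSticky                  Fa0/1        -
  10    0011.2233.4466    SecureSticky                  Fa0/2        -
  10    0011.2233.4477    SecureSticky                  Fa0/2        -
  10    0011.2233.4499    SecureSticky                  Fa0/24       -
  10    0011.2233.44aa    SecureSticky                  Fa0/24       -
  10    0011.2233.44bb    SecureSticky                  Fa0/24       -
  10    0011.2233.44cc    SecureSticky                  Fa0/24       -
-----------------------------------------------------------------------------
"""

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(Secure\w+)\s+(\S+)", re.I)


def parse_secure_table(text):
    """Return {port: [(vlan, mac, type), ...]} for every secure-address row."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            ports[port].append((int(vlan), mac.lower(), kind))
    return dict(ports)


def build_static_config(ports, max_per_port=3):
    """Emit per-interface config that pins the learned addresses as static entries.
    Ports holding more than max_per_port addresses are returned separately so a
    hub, daisy-chained switch or uplink gets a human look instead of a lockdown."""
    config, review = [], {}
    for port in sorted(ports):
        entries = ports[port]
        if len(entries) > max_per_port:
            review[port] = [mac for _, mac, _ in entries]
            continue
        config.append(f"interface {port}")
        # maximum first: IOS refuses a maximum lower than the addresses configured
        config.append(f" switchport port-security maximum {len(entries)}")
        # dropping sticky keeps the addresses secure but out of the running config;
        # the explicit entries below then pin them as configured (static) addresses
        config.append(" no switchport port-security mac-address sticky")
        for _, mac, _ in entries:
            config.append(f" switchport port-security mac-address {mac}")
    return config, review


if __name__ == "__main__":
    cfg, review = build_static_config(parse_secure_table(SAMPLE))
    print("\n".join(cfg))
    for port, macs in review.items():
        print(f"! REVIEW {port}: {len(macs)} addresses learned: {', '.join(macs)}")
```

Feed it the saved output of one switch at a time and apply the generated block to a single test port before rolling it out, since the column layout varies between IOS releases.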

Similar Messages

  • Port Security - CMS

    I am using CMS on a 3550 to implement Port Security. I want to know how to clear the Violation Rejection count? I have tried changing the Violation, turned off Sticky Behavior and disabled Port Security. Nothing clears the Violation count. When I re-enable Port Security the Violation Rejection count is the same. Help!!!

    Duplicate post. 
    Go HERE.

  • Looking for Tool - Port Security/err-disable

    I have implemented port security on our new 3750Xs. Does anyone know of, or use, a tool that can report, poll or alert when an interface goes into err-disable and what caused the violation?

    Thanks Marvin.  I was hoping there was another utility, as well.  We have a syslog server, which does get the syslog messages.  I was hoping for a more proactive response versus a query for the information.  Building trends and such is not a big deal with the syslog data.
    Our environment is fairly large, with 70 buildings at one location and 15 at another. Being a university, we have students who try different things on the network, as well as other "IT" arms doing their own thing. We have a monitoring tool, Intermapper, but I was hoping there was something else that could be used, or someone else using something better, to give us a real-time view, and something that could collect all the data at once and provide a report.
    I was not sure if Cisco Prime Infrastructure provided that functionality or not, or if there was another product recommended.

  • Switchport port-security on Routers ?

    Hi All,
    Wanting to restrict LAN ports on an 857 router to particular MAC addresses.
    But the router doesn't support the switchport command at all.
    So I tried on the 1800 series, and though it does support "switchport", it doesn't support "switchport port-security".
    Is there a particular router model that does, or any other way around implementing a solution where, if a rogue device plugs into the router, the port shuts down?
    Thanks,
    Ivan

    Hi,
    Switchport port-security, as the name implies, is to be configured on a switchport. A VLAN interface on the switch is a routed interface and hence you can't apply any switchport configuration on it, and that includes port security.
    HTH
    Sundar

  • Port security in Prime

    We will be deploying approx. 5-10 switches campus-wide. We will need to be able to administer port-security MAC filtering on these devices. This will be approx. 100-200 ports that will need to be configured. We will need to be able to add and delete MAC addresses on all of these devices at once as new devices are brought online and old ones are decommissioned.
    I am assuming that this can be accomplished using device or port groups. I am unable to find where to actually implement the security part of the solution.
    Can you please outline a solution that would accomplish my goals in the most efficient manner?

    Hi andrewgrech,
    Wow, 4 years old, huh.
    Taking a quick stab in the dark, but maybe there are no rules defined as to the MAC addresses. I have not played with this often, but I imagine you need to either define the MAC address that will be on the port or enable MAC sticky to dynamically learn the addresses.
    From there, either have them coded or set some aging rules.
    But let me know if this helps at all :)

  • Port Security MIB on SF, SG series switches

    I need to set up some parameters related to port security features on my SG, SF series switches via SNMP. I've found that it is possible with the port security MIB (1.3.6.1.4.1.9.9.315). I found out my devices have support for this MIB by downloading the archive with MIBs from the Cisco site. But when I try to read some parameters from this MIB via SNMP, for example "cps if port security status" (1.3.6.1.4.1.9.9.315.1.2.1.1.2), the device answers with: "No Such Object available on this agent at this OID". But it is possible to do this with the web interface in the Security->Port Security section.
    How is it possible to read/write this type of parameter?

    The OID you mentioned, cpsIfPortSecurityStatus, has Read-Only permissions and hence you cannot set anything.
    You can only poll this object to know the operational status of the port security feature on an interface, which will be one of three statuses:
    1 : secureup
    2 : securedown
    3 : shutdown
    For more details check OID Translation.
    You can only set values which have Read-Write permissions, like cpsIfPortSecurityEnable, using which you can enable port security on an interface.
    Tell us what you want to achieve using the SNMP Set operation.
    Also, I am not sure if these MIB features are completely implemented on 29xx/35xx/37xx devices, but they are present in 45xx and 65xx series switches.

  • Problem with hp laser jet 9050 mfp and port security

    Hello,
    I activated the port-security configuration on all the printers that we have. I've noticed that all the printers send an Ethernet packet that includes the same MAC address 1a3c.30a9.5a8f in all cases, and this makes the port go to shutdown. I have changed the configuration to restrict mode to avoid the shutdown on the printers.
    But it keeps sending the message. So I want to know if it's that the switch doesn't know how to interpret it, or if it's a problem with the printer?
    The switch I have is a Catalyst 4500-RE, and here is a log from the issue.
    Nov 11 12:40:22 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet4/24.
    Nov 11 12:01:45 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet3/25.
    Nov 11 12:03:58.757 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port FastEthernet7/16.
    Thanks for the help.

    Hi,
    This address has the U/L bit set, and even flipping the bit doesn't get any result in the IEEE OUI database.
    Can you post the sh port-security address output?
    Regards.
    Alain
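The tool question earlier on this page asks for something that reports what caused a port-security violation rather than waiting for someone to query the syslog, and the reply just above points at the U/L bit of the printer's address. The script below is an added example, not from either thread: it parses PSECURE_VIOLATION syslog lines (the three quoted above plus one constructed line with a vendor-assigned address for contrast), reports any address that tripped more than one port, and decodes the first octet so a locally administered address is flagged and the OUI with the U/L bit flipped is produced for an IEEE registry lookup.

```python
import re
from collections import defaultdict

# The three lines quoted in the printer thread above, plus one constructed line
# with an ordinary vendor-assigned address for contrast.
LOGS = """\
Nov 11 12:40:22 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet4/24.
Nov 11 12:01:45 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet3/25.
Nov 11 12:03:58.757 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port FastEthernet7/16.
Nov 11 12:05:10 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet2/3.
"""

VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (\S+?)\.?$", re.I)


def mac_flags(mac):
    """Decode the first octet of a dotted-hex MAC: bit 0 is the group bit,
    bit 1 is the U/L bit (set = locally administered, no vendor OUI applies)."""
    first = int(mac[:2], 16)
    hexdigits = mac.replace(".", "").lower()
    return {
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
        "oui": hexdigits[:6],
        # same OUI with the U/L bit cleared: the value to try against the IEEE
        # registry, as the reply in the thread suggests doing
        "oui_flipped": f"{first ^ 0x02:02x}" + hexdigits[2:6],
    }


def analyze(log_text):
    """Group violations by MAC and flag the two patterns worth a human look:
    one address tripping several ports, and locally administered addresses."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = VIOLATION.search(line)
        if m:
            seen[m.group(1).lower()].add(m.group(2))
    findings = []
    for mac, ports in seen.items():
        flags = mac_flags(mac)
        findings.append({
            "mac": mac,
            "ports": sorted(ports),
            "roaming": len(ports) > 1,
            "locally_administered": flags["locally_administered"],
            "oui_lookup": flags["oui_flipped"] if flags["locally_administered"] else flags["oui"],
        })
    return findings


if __name__ == "__main__":
    for f in analyze(LOGS):
        tag = "ROAMING " if f["roaming"] else ""
        tag += "LOCAL-ADMIN" if f["locally_administered"] else ""
        print(f"{f['mac']} on {', '.join(f['ports'])} {tag} (OUI to look up: {f['oui_lookup']})")
```

Pointed at a syslog collector's output instead of the embedded sample, the same grouping makes a usable alert: one MAC on many ports in a short window is either a roaming device or a spoofed address, and a locally administered one will never resolve to a printer vendor.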

  • What are the different options for implementing web security?

    Hi,
    Right now I am working on an internet website. We are using JSP for presentation and running Weblogic Application Server. I want to know the different options for implementing website security. One of the options that I am aware of is to use LDAP. But we do not want to go and buy an LDAP Directory Server now. So I would really appreciate it if somebody could let me know my choices here.
    Thanks in advance.

    Hi,
    If you are working on a Windows 2000 platform, the most obvious choice would be Active Directory Server, as this is shipped free with Server 2000. It is LDAP compliant, although it does have a few differences that set it apart from the other X.500 standard based solutions which I will mention in a moment. Details on these differences can be found at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/msdn_activedirvsnds.asp
    Other options are openldap, an open-source implementation of an LDAP server, or iPlanet's Directory Server. If you are initially doing an evaluation, a trial version of the iPlanet software is available and can be downloaded from their site. I found this particularly easy to get to grips with, and there is excellent documentation available. There is also an offering from Novell, but I have no experience of this.
    Hope this helps.
    Jon

  • Implementing Function Security in Oracle apps.

    I wanted to restrict certain menus in Payables Manager for a particular user. How should I implement it? Is there any live example of implementing function security in Oracle Apps? Please help.

    Hi,
    One approach is to create a custom menu, attach to it all the menus and functions you want, and then add this menu to a new responsibility. But this is not the best way to solve the issue, because you have to define different menus + responsibilities for each different user. Another way is to create roles which can be assigned to users.
    Thanks,
    Bahchevanov.

  • Need a hint for home office / 871 does not support port-security - FPM ?

    Hi,
    I want to realize the following setup:
    - Central site 871 with Internet connection and static IP
    - Home office 871 with Internet connection and static IP. On that home office router, there should be 2 VLANs: 1 for the office work and one for the user's private PC. All traffic from the "office" VLAN is being put into a VPN to the central site. All traffic on the other interface is being NATed and goes straight to the Internet.
    To minimize security issues, I tried to configure port-security, so that the user cannot connect with his private PC to the office LAN ports and vice versa. Unfortunately, port-security seems not to be supported on the 871 (advanced IP services image).
    Now I looked for an alternative... and came across FPM (flexible packet matching).
    If I understood right, you can classify packets for example by their source MAC address, and if this field matches a specific value (the MAC of the work PC), packets can be dropped by a policy.
    Of course I cannot avoid the user connecting the work PC together with his private PC (this is then related to the OS security to keep out viruses, worms, trojans, etc.). But I could/want to restrict the Internet access with the work PC through "normal" Internet access - the users should not be able to do that (must use the company's proxy).
    I did the following config:
    class-map type access-control match-any c2
    match start l2-start offset 48 size 6 regex "0xabcd1234fedc"
    match field ETHER source-mac regex "abcd1234fedc"
    policy-map type access-control p2
    class c2
    drop
    interface Vlan1
    ip address 192.168.20.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    service-policy type access-control input p2
    service-policy type access-control output p2
    As this feature is quite new, I'm not familiar with its syntax.
    I also tried to use "string" instead of regex, but I'm still able to connect the office PC to the private LAN and I am able to access the "Internet" (currently it's only set up in a lab).
    As I understood so far, the offset is the value in bits and size is in bytes. Is that correct?
    Has anyone yet some experience with FPM, or maybe any hint for me how to realize the requested setup with the 871 routers?
    Best regards,
    Andy

    For the FPM feature to work you will need PHDF files for the protocols you want to scan for to be loaded on your routers. The files can be downloaded from Cisco's website. In your case you will have to download the ether.phdf file.

  • Port Security Sticky Addresses

    Does anyone know if there is a way to automatically clear the MAC address on a switchport that has port security sticky addressing enabled? I have the following configured on the port(s):
    switchport mode access
    switchport port-security
    switchport port-security aging time 1
    switchport port-security aging type inactivity
    switchport port-security mac-address sticky
    spanning-tree portfast
    I can't get it to release the sticky MAC address after the minute of inactivity. As soon as I try to connect another device to the port after the required inactivity, the port goes into an err-disabled state because it still sees the MAC of the old device. Any help is appreciated. This is on a Catalyst 2950G switch.
    Josh

    It is not possible to age out sticky entries. With sticky entries, they are added to the running config. So the only way to remove them is through editing the running config... If you enter the "no switchport port-security mac-address sticky" interface command, then the MAC addresses will be learned dynamically and will be aged out after 1 minute of inactivity, per your config.

  • CAM aging time VS Port-security aging time

    Hi All
    Please advise on the following:
    - Without port-security configured, MACs per interface are learnt as "Dynamic" entries and the global CAM aging timer applies (300 seconds) unless tweaked manually.
    - With switchport port-security enabled (without port-security mac-address sticky, which holds onto MACs indefinitely) I see MACs being learnt as "Secure-Dynamic" in a show port-security interface gix/x output and as "Static" in the output of show mac address-table interface gix.x .
    What I want to know is, if JUST port-security is applied (without mac-address sticky), does the default CAM aging timer of 300 seconds get applied to these MACs too? As I see there is also an option to configure port-security mac-address aging time / type, does this overrule / take precedence over the default CAM aging timer?
    Please assist, it's not documented anywhere and it's driving me a bit nuts!
    Thanks folks

    What I want to know is, if JUST port-security is applied (without mac-address sticky), does the default CAM aging timer of 300 seconds get applied to these MACs too?
    Any aging time you configure with port security will take precedence over the default aging time.
    See this thread for details -
    https://supportforums.cisco.com/discussion/11054341/switchport-port-security-commands-help
    Jon

  • Issue with implementing Object Security in RPD (OBIEE 11g)

    Hello All,
    I am following these steps to implement Object Security, but it doesn't work. Please let me know what am I doing wrong here:
    1. I want to block a few presentation tables for the user 'weblogic'.
    2. I open the RPD in online mode and in the Identity Manager, for the application role 'BIAdministrator', I setup permissions 'no access' to these presentation tables. It asks me to 'Check Out' which I do.
    3. I check in the changes, save the RPD and deploy it back in EM.
    4. I log into OBIEE Answers using the 'weblogic' user, but alas, these presentation tables are still available for me to use.
    I have tried looking for a solution on the internet before posting the solution here. Please don't ask me to read through the security setup guide because I have done that. Any specific answers are most welcome.
    Thanks in advance.

    Try this:
    Double click on the presentation table.
    Go to permissions and then revoke the access to BI Administrators.

  • Recommended port-security settings for ASA HA failover

    I have a pair of ASA 5510s configured in active/standby mode. I have already configured the failover settings on the firewalls. Both firewalls are connected to a 2960G. I made a change to the interfaces on the 2960 to allow 2 mac addresses on each port. Here is the switch port config:
    interface GigabitEthernet0/8
    description ASA-Primary-Out
    switchport access vlan 200
    switchport mode access
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    ip arp inspection limit rate 500
    no cdp enable
    spanning-tree portfast
    spanning-tree bpduguard enable
    Upon testing failover via the failover active command, I get port-security errors on the outside interface for each device:
    %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet0/8. After a few minutes, the error goes away and I can then connect to each firewall. It seems that it still waits for the aging time to expire before allowing the other MAC address. Shouldn't the "maximum 2" setting allow for both mac addresses?
    I'd rather not have to hardcode the firewalls' MAC addresses on each switchport, because I could see this causing problems for us down the road. Is there anything else that can be done?

    Hello,
    This is expected because of the way ASA failover works. When a failover event occurs, the 2 units will swap their IP and MAC addresses (i.e. the Active unit is always using the same IP and MAC, but this role changes between the 2 physical units).
    Per the port-security config guide:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_fx/configuration/guide/swtrafc.html#wp1090391
    "...if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged."
    Since the MAC address moves to the other switchport when the failover happens, a violation is being logged.
    -Mike

  • Port Security based on Device Type

    Hi all:
    We need to know whether there is any feature or software that allows blocking switch ports by type of device.
    For instance, we have some switches for IP phones and we do not want to have PCs connected to those ports.
    We know that it can be done using MACs, but, as phones can be moved easily, it implies constant changes on port security.
    Thanks
    Regards

    Apologies if I have not understood the original question; however, can you use port security (max MAC / sticky MAC) to ensure only devices that are currently connected are successful? Other violations will result in the port being shut down.
    You may want to investigate some 802.1x device authentication
    http://www.cisco.com/en/US/products/ps6662/products_ios_protocol_option_home.html
    HTH
    Steve
