LPCONFIG Logical Port security setting WS security where to give login ID?

Similar Messages

• SG-500-28P How to configure switchport port-security violation setting

  Is there a way to do switchport port-security violation {protect | restrict | shutdown} in SG-500-28P in case of a BPDU Guard violation?
  Seems like the default option is shutdown and I don't know how to change it.
  Thank you!

  Hi,
  you can recover this Violation.By using below command:
  To enable automatic re-activation of an interface after an Err-Disable shutdown, 
  use the errdisable recovery cause Global Configuration mode command. To 
  disable automatic re-activation, use the no form of this command.
  Syntax
  errdisable recovery cause {all | port-security | dot1x-src-address | acl-deny | 
  stp-bpdu-guard | loopback-detection | udld }
  no errdisable recovery cause {all | port-security | dot1x-src-address | acl-deny | 
  stp-bpdu-guard | loopback-detection | udld }
  For more information:
  Refer this URL:page no :406
  http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/Sx500/cli_guide/CLI_500.pdf
  regards
  Moorthy

• SG-300-28P Port Security

  Hi,
  We currently have a few of these acting as access switches around our network.
  These switches run our POE telephones and our Workstations. (Switch --> Phone --> Workstation).
  Recently a user had brought a switch to the network and removed the telephone, he then plugged he's computer directly into the switch and a laptop he brought from home to download a few large files.
  I am aware that there is an option under port security to set the max number of addresses allowed. The current Max is 1.
  When I click a port in the web interface and go to edit there is two options [Interface Status] with a checkbox for "Lock" and [Learning Mode].
  Learning Mode offers "Classic Lock and Dynamic Lock".
  When clicking the "Lock" checkbox two options become available, "Dynamic Lock" where I can edit the number of Mac addresses however when using "Classic Lock" you cannot modify the amount of Mac addresses.
  What does "Classic Lock" actually do since you cant edit the max number of mac addresses, the only options that become available when selecting the "Lock" checkbox and clicking "Classic Lock" is "Discard", "Forward" and "Shutdown"?
  When clicking Limited Dynamic Lock you can select the number of mac addresses and again you have "Discard", "Forward" and "Shutdown"
  Can someone explain what each option would do with the Limited Dynamic Lock?
  Lastly, if I enable the Limited Dynamic Lock and put 1 as the max addresses would the telephones still work?
  If not and I put this as 2, then couldnt the user just unplug he's telephone, put a switch and connect two machines again?
  Thanks for your advice!

  I configured the Interface like this:
  Then I connect Notebook 1 to the Port and it is connected to the network. If I connect notebook 2 to this Port it can also connect to the network. I set the Max No. of Address Allowed to 1 because I have only 2 Notebook for doing this test. Later I would set it to 2 or 3.
  In the dynamic addresses list is always the current connected device listed:
  Why does the second device not blocked?
  Regards,
  Dominique

• Port security in Prime

  We will be deploying approx. 5-10 switches campus wide.  We will need to be able to administer port-security MAC filtering on these devices.  This will be approx. 100 - 200 ports that will need to be configured. We will need to be able to add and delete MAC address on all of these devices at once as new devices are brought online and old ones are decommissioned.
  I am assuming that this can be accomplished using device or port groups.  I am unable to find where to actually implement the security part of the solution.
  Can you please outline a solution that would accomplish my goals in the most efficient manner.

  Hi andrewgrech
  wow 4 years old huh
  taking a quick stab in the dark but may be there are no rules defined as to the mac addresses, i have not played with this often but imagine you need to either define the mac address that will be on the port or enable mac sticky to dynamically learn the addresses.
  from there either have the coded or set some aging rules
  but let me know if this helps at all :)

• Problem with hp laser jet 9050 mfp and port security

  Hello,
  I activaded the port-security configuration in all the printers that we have. I've noticed that all the printers send an ethernet package that includes the same mac address 1a3c.30a9.5a8f  in all the cases and this makes the port go to shutdown. I have changed the configuration to a restrict mode to avoid the shutdown in the printers.
  But it keeps sending the message. So I want to know if its the switch doesn't know how to interpretate it or if its a problem with the printer?
  The switch i have is a Catalyst 4500-RE and here it's a log from the issue.
  Nov 11 12:40:22 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet4/24.
  Nov 11 12:01:45 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet3/25.
  Nov 11 12:03:58.757 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port FastEthernet7/16.
  Thanks for the help.

  Hi,
  this address has got the U/L bit set and even flipping the bit doesn't get any result in the IEE OUI database.
  Can you post sh port-security address output.
  Regards.
  Alain

• Recommended port-security settings for ASA HA failover

  I have a pair of ASA 5510s configured in active/standby mode. I have already configured the failover settings on the firewalls. Both firewalls are connected to a 2960G. I made a change to the interfaces on the 2960 to allow 2 mac addresses on each port. Here is the switch port config:
  interface GigabitEthernet0/8
  description ASA-Primary-Out
  switchport access vlan 200
  switchport mode access
  switchport port-security maximum 2
  switchport port-security
  switchport port-security aging time 2
  switchport port-security violation restrict
  switchport port-security aging type inactivity
  ip arp inspection limit rate 500
  no cdp enable
  spanning-tree portfast
  spanning-tree bpduguard enable
  Upon testing failover via the failover active command, I get port-security errors on the outside interface for each device:
  %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet0/8. After a few minutes, the error goes away and I can then connect to each firewall. It seems that it still waits for the aging time to expire before allowing the other MAC address. Shouldn't the "maximum 2" setting allow for both mac addresses?
  I'd rather not have to hardcode the firewall's MAC addresses on each switchport because I could see this causing problems for us down the road. Is there anything else that can be done?

  Hello,
  This is expected because of the way ASA failover works. When a failover event occurs, the 2 units will swap their IP and MAC addresses (i.e. the Active unit is always using the same IP and MAC, but this role changes between the 2 physical units).
  Per the port-security config guide:
  http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_fx/configuration/guide/swtrafc.html#wp1090391
  "...if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged."
  Since the MAC address moves to the other switchport when the failover happens, a violation is being logged.
  -Mike

• Switchport port-security on Routers ?

  Hi All,
  Wanting to restrict LAN ports on a 857 router to particular MAC addresses.
  But the router doesn’t support the switchport command at all.
  So tried on 1800 series and though it does support "switchport”, it doesn’t support "switchport port-security"
  Is there a particular router model that does or any other way around implementing a solution where if a rogue device plugs into the router the port shuts down?
  thanks,
  Ivan

  Hi,
  Switchport port-security as the name implies is to be configured on switchport. VLAN interface on the switch is a routed interface and hence, you can't apply any switchport configuration on it and that includes, port security.
  HTH
  Sundar

• Scope of port security

  Hi,
  I experienced a scenario recently where port security was enabled on a switch allowing 3 mac addresses on a port with sticky, The physical setup was Switch>>media converter>>IP phone>>Laptop.
  Port one had this equipment already in situe and we wanted to add another laptop to the domain,
  We connected a 2nd laptop to port one and successfully joined the domain.
  We did not setup port security on port 2. Uppon conencting a new IP phone to port 2, and then moving the 2nd laptop to port 2 also, the phone worked but laptop 2 did not.
  We found that for the laptop to work on port 2 we had to flush port 1.
  My question is.. Is this default behaviour? may a mac address only exist on one port as far as port security in concerned? or might the use of the media converter stopped the port from recognising the disconnection of the laptop perhaps?
  Cheers
  Dave

  Hi David Imrie
  You have to check the configuration of your switch interface, probably  a switch's  port dynamically learned a MAC address with the “switchport port-security mac-address sticky” command and does not allow another port learn the MAC address, I recommend you to use the  “mac-address-table static 0000.1111.2222 vlan x interface fastethernet 0 / x”  command to be assigned statically.
  You should also check that the “switchport port-security” command is configured on each interface of the switch, because without that no “port-security command” will work.
  IP phones sometimes have multiple MAC addresses assigned, and sometimes this causes problems with networks like yours >> Switch >> IP phone media converter >> Laptop. To solve this problem, change the maximum allowed MAC addresses, adding one to the maximum allowed
  For example if the maximum is 2,  change to 3
  Switchx (config-if) # switchport port-security maximum 2.
  Switchx (config-if) # no switchport port-security maximum 2.
  Switchx (config-if) # switchport port-security maximum 3.
  If these solutions do not fix your problem, send me your switch configuration or
  If this answer was satisfactory for you, please mark the question as Answered.
  Thank you
  Greetings, Johnnatan Rodriguez Miranda.

• Port-security and Nexus 1000v

  Is there really any true need for port-security on Nexus 1000v for vethernet ports? Can a VM be assigned a previously used vethernet port that would trigger a port-security action?

  If you want to prevent admins or malicious users from being able change the mac address of a VM then port-security is a useful feature. Especially in VDI environments where users might have full admin control of the VM and can change the mac of the vnic.
  Now about veths ports. A veth gets assigned to a VM and stays with that VM. A veth is only released when either the nic on the VM is deleted or the nic is assigned to another port-profile on the N1KV or a port-group on a vSwitch or VMware DVS. Now when the veth is released it does not retain any of the piror information. It's freed up and added to a pool of available veths. When a veth is needed for a VM in either the same port-profile or a different port-profile the free veth will be grabbed and initialized. It does not retain any of the previous settings.
  So assigning a VM to a previsously used veth port should not trigger a violation. The MAC should get learned and traffic should be able to flow.

• About port security

  in the dorm
  I have 80 srw224g4 switch
  only mac and ip correct on the database can surf internet
  but some students steal other mac address
  i want to bind mac and port
  in the begining learn port and mac address only allow 1 mac pass this port
  i find the fuction similar port security
  but i set up max 1 and lock
  it can't lock
  how i set up it will work? 

  I don't understand. What is the problem with the Port Security function?
  First you have to enable Multiple Hosts on all those ports.
  Then you have three options:
  1. You can lock the ports immediately to the MAC addresses currently learned.
  2. You can lock the ports to a certain number of MAC addresses being learned. However, relearning and aging is active at that moment which means MAC addresses can still get "stolen" if the MAC address was removed due to aging.
  3. You manually assign MAC addresses to ports.
  For no. 1: you select the port on the Port Security page. Choose Learning Mode "Classic Lock" and select the "Lock Interface" check box. Press the Update button to get the change into the table. Then click on Save Settings at the bottom to save the changes into the configuration. The switch will store the currently learned MAC addresses on that port. The MAC addresses learned and locked on the interface can be seen on the Admin - Static Addresses page. The addresses will appear with status "Secure" on that interface. No other MAC addresses are accepted on that port anymore. Violations will be handled according to the action defined on the Port Security page for that interface. (Choose "Discard Disable" if you want to force your students to contact you in case of violation and to regain network access). You can manually add/remove secured mac addresses on the Admin - Static Addresses page.
  For no. 2: for learning mode choose "Limited Dynamic Lock". Enter the number of MAC addresses you want to accept on any given port. Default is "1". Press the Update button to update the table. Save settings at the bottom of the page. Now select the interface again and choose "Lock Interface", press Update and save settings again. Now the port is in learning mode and locked. Again: aging and relearning is enabled. The default aging interval is 300 seconds/5 minutes. If a MAC address is not used for 5 minutes it is removed and the port is open to learn a new MAC address. But at any given time, only the max entries number of mac addresses is active on a port.
  For no. 3: permanently fix the MAC addresses to ports on the Admin - Static Addresses page. Of course, you have to do that all manually which is a lot of work. I guess, you will probably prefer no. 1 to this option as it is pretty similar...

• Port-security MAC address restrictions and flexconnect

  Hi - has anyone else seen this issue?
  We use port-security on flexconnect ports limiting the maximum mac addresses to 100. The ports are configured so that the native vlan is the AP management vlan and we tag the wireless client vlan.
  Recently we had an issue where we were seeing MAC address restriction violations on the ports connected to AP's. Although we could not see the violations happen in realtime they were in the switch logs. In Cisco Prime we checked the client counts on the AP's and they were less than 10 at that time the error occurred.
  We then increased the max mac addresses to 200 and still saw the same issue. Removing port-security seemed to fix the problem.
  This was the model and version of the switches.
  WS-C2960X-24PS-L   15.0(2)EX4            C2960X-UNIVERSALK9-M
  Has anyone else had this? 
  Any help much appreciated.

  Hi - has anyone else seen this issue?
  We use port-security on flexconnect ports limiting the maximum mac addresses to 100. The ports are configured so that the native vlan is the AP management vlan and we tag the wireless client vlan.
  Recently we had an issue where we were seeing MAC address restriction violations on the ports connected to AP's. Although we could not see the violations happen in realtime they were in the switch logs. In Cisco Prime we checked the client counts on the AP's and they were less than 10 at that time the error occurred.
  We then increased the max mac addresses to 200 and still saw the same issue. Removing port-security seemed to fix the problem.
  This was the model and version of the switches.
  WS-C2960X-24PS-L   15.0(2)EX4            C2960X-UNIVERSALK9-M
  Has anyone else had this? 
  Any help much appreciated.

• 3550 port-security

  i've managed to set up port security and i need to lock the ports down by one mac well after going through each port step by step all the mac's are in the table but it shows them as dynamic address's i thought they were supposed to be static secure? i also thought that setting up port security would make so if someone changed ports on the switch that it would cause a security violation i havent been able to create a security violation yet.

  Hi,
  How have you configured this on your switch ports, all you need to do to restrict the port to a single MAC address is:
  switchport port-security
  switchport port-security violation restrict
  When you look at the CAM table for a specific port, the MAC address learned on that port should be listed as static and not dynamic.
  my_switch#sh mac-address-table int fa 2/0/7
  Mac Address Table
  Vlan Mac Address Type Ports
  134 0003.47a4.db43 STATIC Fa2/0/7
  Total Mac Addresses for this criterion: 1
  EDIT: You can also issue the following command:
  my_switch#sh port-security int fa 2/0/7
  Port Security : Enabled
  Port Status : Secure-up
  Violation Mode : Restrict
  Aging Time : 0 mins
  Aging Type : Absolute
  SecureStatic Address Aging : Disabled
  Maximum MAC Addresses : 1
  Total MAC Addresses : 1
  Configured MAC Addresses : 0
  Sticky MAC Addresses : 0
  Last Source Address:Vlan : 0003.47a4.db43:134
  Security Violation Count : 0
  This shows the max allowed MACs on the port, the MAC that has been allowed and the port status as Secure_up
  I believe that's all you need to do.
  HTH
  Paddy

• Port-Security violation

  Hi all,
  I'm sending syslog messages from some access switches to CiscoWorks's syslog server. CiscoWorks is installed on a Windows 2003 machine.
  I can see %PORT_SECURITY-2-PSECURE_VIOLATION messages in the syslog.log file (located in C:\Program Files\CSCOpx\log\),
  but the messages do no appear in the RME \ Syslog Analyzer Severity Level Summary Report.
  Are there some variables/options that I must set/check in order to get the port-security violation (severity=2) messages included in the report?
  Thanks for any hints!

  Hello
  I do also happened the same with a network point and place the mac as drop and so far has not been blocked port:
  WS-C2960X-48FPD-L  15.0(2)EX5            C2960X-UNIVERSALK9-M
  mac address-table static 7e77.3777.5776 vlan xx drop
  mac address-table static 7e77.377a.57d6 vlan xx drop

• Port Security MIB on SF, SG series switches

  I need to setup some parameters related to port security features on my SG, SF series switches via SNMP. I've found that it is possible with port security MIB (1.3.6.1.4.1.9.9.315). I found out my devices has support of this MIB downloading archive with MIBs from cisco site. But when I try to read some parameters from this MIB via SNMP, for example "cps if port security status" (1.3.6.1.4.1.9.9.315.1.2.1.1.2) device answers with: "No Such Object available on this agent at this OID". But it is possible to do with web-interface in Security->Port Security section
  How is it possible to read/write such type of parameters ?

  The OID you mentioned cpsIfPortSecurityStatus has Read-Only permissions and hence you cannot set anything.
  You can only poll this object to know the operational status of the port security feature on an interface, which will result from one of the three status :
  1 : secureup
  2 : securedown
  3 : shutdown
  For more details check OID Translation.
  You can only set values which has Read-Write permissions, like cpsIfPortSecurityEnable, using which you can enable port security on an interface.
  Tell us what you want to achieve using SNMP Set operation?
  Also, I am not sure if these MIB features are completely implemented on 29xx/35xx/37xx devices.
  But are present in 45xx and 65xx series switches.

• 2800 etherswitch module port security

  Am trying to set up port-security on an etherswitch module port
  when i put in switchport ?
  i dont get the option port-security so i then cant use mac-address
  so i thought about doing it via a mac based acl but again when i try to set up the interface for the mac based access list i dont get the option
  (config-if)#mac ?
  H.H.H MAC address
  any one any ideas
  Cheers for info

  Hi Friend,
  Try this and see if it helps you
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t11/ft1636nm.htm#wp1433808
  HTH, if yes please rate the post.
  Ankur