Port Security MIB on SF, SG series switches

Similar Messages

• 802.1x port security auth MXP and C series with Cerficiates

  Is there a way to load a digital certificate for 802.1x authentication on MXP and C series codecs? I looked in the settings and command line input options, but I don't see a way to do client certificate authentication.
  thanks!

  I believe , you need to configure re-authentication on this switch port:
  ! Enable re-authentication
  authentication periodic
  ! Enable re-authentication via RADIUS Session-Timeout
  authentication timer reauthenticate server

• Psecure violation in 2900 series switch

  Hi,
  could any one plz tell me the reason for pseure violation.
  m using 2924 model switch with ver 12.0(s)wc17, how can i configure errdisable recovery commands in this switch?
  In this switch Errdisable recovery option is available only for  "udld" but not for  "psecure violation". How can i rectify this psecure violation problem
  in cisco 2900 series switch?
  regards,
  rammi

  hi
  By default the port security any violation happed it automaticaly the port goes shutdown state
  here some examples for configuring port security
  Switch(config)# interface FastEthernet1/0/1
  Switch(config-if)# switchport access vlan 21
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport voice vlan 22
  Switch(config-if)# switchport port-security
  Switch(config-if)# switchport port-security maximum 20
  Switch(config-if)# switchport port-security violation restrict
  Switch(config-if)# switchport port-security mac-address sticky
  Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
  Switch(config-if)# switchport port-security mac-address 0000.0000.0003
  Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
  Switch(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice
  Switch(config-if)# switchport port-security maximum 10 vlan access
  Switch(config-if)# switchport port-security maximum 10 vlan voice
  regards
  krishna kumar

• Allowing a device blocked by port-security

  Lets say I have port security configured on a switch's ports like this:
      Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                      (Count)       (Count)          (Count)
            Et0/2              1            1                  0         Shutdown
  And also that I use sticky to allow all connected devices.
  Now lets say an admin unplugs the computer that was plugged into a port and plugs in another one. The switch port shutdowns as expected. Now the admin calls and asked that the currently connected computer be allowed access. What is the proper way to allow access to that computer?
  I ran sticky again on that specific interface and did a no shut, but it is still shutdown. Do I need to completely disable and re-enable port-security on that interface to allow the new device?

  Hi,
  In the line command, write:
  switch(conf-if)#shutdown
  and
  switch#clear port-security dynamic interface XX/XX
  and
  switch#clear mac address-table dynamic interface XX/XX
  and
  switch(conf-if)#no shutdown
  In the 2 interfaces - old and new interfaces.
  Thanks.

• Enable port security between Two switches

  Hi Everyone,
  I connected two switches together  via below config
  Switch A
  int gi0/1
  switch mode access
  switchport access vlan 10
  Switch B
  int gi0/1
  switch mode access
  switchport access vlan 10
  They work fine with above config.
  I did the Test below
  However when i changed Config of Switch B  as below
  int gi0/1
  switch mode access
  switchport access vlan 10
  switchport port-security  
  Switch B is unable to ping its default gateway.
  Also Switch B is not reachable via SSH.
  Port is up up and in STP forwarding state.
  Switch B can see Switch A as a neighbour.
  Also Switch B is not reachable via SSH.
  I know that switchport port-security we use only when connecting to PC.
  S does this mean that  on above scenario layer 1 and layer 2 are up but layers beyond 3 and above are not reachable like ping,ssh etc??
  Regards
  MAhesh

  I was just trying to see how the switches behave with this config.Nothing much just  exploring the options in the network world
  Ideally if you want to connect two switches together in Layer 2, Dot1Q trunking is the way to go.  You do not want to put port security because it is useless. 

• HP 3800 switch port-security one mac in two VLAN for Cisco IP Phone

  Hellow all!
  I'm want use port-security for ports on my HP 3800. But PC connected
  to network via PC port on Cisco ip phone. For phone used 10 voice VLAN,
  for data - 1 VLAN (native). Cisco phone add self mac-address in these
  two VLAN. On Cisco Switch 2960 i resolve this for 4 command:
  switchport port-security maximum 3
  switchport port-security mac-address pc_mac
  switchport port-security mac-address ip_phone_mac
  switchport port-security mac-address ip_phone_mac vlan voice
  How i can add one mac in two VLAN's on HP 3800 Switch?
  Sorry for my English, please ^_^
  This topic first appeared in the Spiceworks Community

  Hi Kuarzo, please reference the following;
  https://supportforums.cisco.com/document/116426/how-configure-dynamic-mac-port-security-sx300
  https://supportforums.cisco.com/document/116256/how-configure-static-mac-port-security-sx300

• SCOM 2012 SP1 Cisco Port Security Violations

  Hello,
  I'm fairly new to System Center but have learning quite a bit over the last year. I am looking for some information on how to generate an alert  off of a port-security violation.  There's not much information about this so i'm wondering if anyone
  out there has experience doing this.
  Also, we run a fairly large Cisco environment (20000+ switchports), so my next question is, do I have to be monitoring every switchport to see a port-sec event happen.  I've run some debug snmp packets on my Cisco devices, and I do see the SNMP trap
  sent for the port-security violation.
  The universal device poller that I setup for this is: OID 1.3.6.1.4.1.9.9.315.1.2.1.1.2 or the MIB CISCO-PORT_SECURITY-MIB:cpsIfPortSecurityStatus, so i'm pretty confident that i've got the right data.  I'm just looking for a way to see these events happen
  without having to monitor every single switchport on my network and if the alert will tell me which switch, which port had the violation.
  Any help is always appreciated.

  Hi,
  I have to say that I don't have experience doing this, but in my opinion, if you there is log files about that information, we can use SCOM to monitor the log file and fire alerts according to your requirements.
  Based on my research, the output of the port-security debug may have information about which switch, which port had the violation. (I am not familiar with cisco device, if there is any misunderstanding, please feel free let know)
  Regards,
  Yan Li
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Switchport port-security on Routers ?

  Hi All,
  Wanting to restrict LAN ports on a 857 router to particular MAC addresses.
  But the router doesn’t support the switchport command at all.
  So tried on 1800 series and though it does support "switchport”, it doesn’t support "switchport port-security"
  Is there a particular router model that does or any other way around implementing a solution where if a rogue device plugs into the router the port shuts down?
  thanks,
  Ivan

  Hi,
  Switchport port-security as the name implies is to be configured on switchport. VLAN interface on the switch is a routed interface and hence, you can't apply any switchport configuration on it and that includes, port security.
  HTH
  Sundar

• Snmpset on SG, SF series switches

  I need to set up some parameters on SG, SF series switches with snmset command from NET-Snmp tools. It is possible for me to set up some simple parameters like ifAdminStatus of the port. The command to do this looks like:
  snmpset -m ALL -v 3 -u secName -l authPriv -a sha -A secret -x des -X secret switchIP ifAdminStatus.49 i 1
  But I'd like to get static addresses table. I can snmwalk it with command:
  snmpwalk -v 3 -u secName -l authPriv -a sha -A secret -x des -X secret switchIP iso.3.6.1.2.1.17.7.1.3.1.1.4
  and it returns me the key->value list:
  iso.3.6.1.2.1.17.7.1.3.1.1.4.101.60.151.14.68.239.217.64 = INTEGER: 3
  iso.3.6.1.2.1.17.7.1.3.1.1.4.101.120.132.60.0.230.199.52 = INTEGER: 3 etc...
  where iso.3.6.1.2.1.17.7.1.3.1.1.4 - dot1qStaticUnicastStatus, 101 - VLAN id, 60.151.14.68.239.217 - mac in decimal form, 64 - port number and 3 - status (permanent). These are the only occurence of this information in MIB list.
  Is it possible to set up static addresses table with snmset?

   Are you facing issue with  ONLY this OID  iso.3.6.1.2.1.17.7.1.3.1.1.4   from this MIB Q-BRIDGE ?
  Thanks-
  Afroz

• Problem with hp laser jet 9050 mfp and port security

  Hello,
  I activaded the port-security configuration in all the printers that we have. I've noticed that all the printers send an ethernet package that includes the same mac address 1a3c.30a9.5a8f  in all the cases and this makes the port go to shutdown. I have changed the configuration to a restrict mode to avoid the shutdown in the printers.
  But it keeps sending the message. So I want to know if its the switch doesn't know how to interpretate it or if its a problem with the printer?
  The switch i have is a Catalyst 4500-RE and here it's a log from the issue.
  Nov 11 12:40:22 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet4/24.
  Nov 11 12:01:45 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet3/25.
  Nov 11 12:03:58.757 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port FastEthernet7/16.
  Thanks for the help.

  Hi,
  this address has got the U/L bit set and even flipping the bit doesn't get any result in the IEE OUI database.
  Can you post sh port-security address output.
  Regards.
  Alain

• Port Security Sticky Addresses

  Does anyone know if there is a way to automatically clear the mac address on a switchport that has port security sticky addressing enabled. I have the following configured on the port(s):
  switchport mode access
  switchport port-security
  switchport port-security aging time 1
  switchport port-security aging type inactivity
  switchport port-security mac-address sticky
  spanning-tree portfast
  I can't get it to release the sticky mac-address after the minute of inactivity. As soon as I try to connect another device to the port after the required inactivity, the port goes into an err-disabled state because it still sees the mac of the old device. Any help is appreciated. This is on a Catalyst 2950G switch.
  Josh

  It is not possible to age out sticky entries.  With sticky entries, they are added to the running config.  So the only way to remove it is through editing the running config....  If you enter the "no switchport port-security mac-address sticky" interface command, then the mac addresses will be learned dynamically, and will be aged out after 1 minute of inactivity, per your config ...

• Recommended port-security settings for ASA HA failover

  I have a pair of ASA 5510s configured in active/standby mode. I have already configured the failover settings on the firewalls. Both firewalls are connected to a 2960G. I made a change to the interfaces on the 2960 to allow 2 mac addresses on each port. Here is the switch port config:
  interface GigabitEthernet0/8
  description ASA-Primary-Out
  switchport access vlan 200
  switchport mode access
  switchport port-security maximum 2
  switchport port-security
  switchport port-security aging time 2
  switchport port-security violation restrict
  switchport port-security aging type inactivity
  ip arp inspection limit rate 500
  no cdp enable
  spanning-tree portfast
  spanning-tree bpduguard enable
  Upon testing failover via the failover active command, I get port-security errors on the outside interface for each device:
  %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet0/8. After a few minutes, the error goes away and I can then connect to each firewall. It seems that it still waits for the aging time to expire before allowing the other MAC address. Shouldn't the "maximum 2" setting allow for both mac addresses?
  I'd rather not have to hardcode the firewall's MAC addresses on each switchport because I could see this causing problems for us down the road. Is there anything else that can be done?

  Hello,
  This is expected because of the way ASA failover works. When a failover event occurs, the 2 units will swap their IP and MAC addresses (i.e. the Active unit is always using the same IP and MAC, but this role changes between the 2 physical units).
  Per the port-security config guide:
  http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_fx/configuration/guide/swtrafc.html#wp1090391
  "...if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged."
  Since the MAC address moves to the other switchport when the failover happens, a violation is being logged.
  -Mike

• Port Security based on Device Type

  Hi all:
  We need to know whether there is any feature or software that allows to block switch ports for type of devices.
  For instance, we have some switches for IP phones and we do not want to have PCs connected to those ports.
  We know that it can be done using MACs, but, as phones can be moved easily, it implies constant changes on port security.
  Thanks
  Regards

  Apologies if I have not understood the original question, however, can you use port security (max MAC / sticky MAC) to ensure only devices that are currently connected are successful, other violations will result in the port being shutdown.
  You may want to investigate some 802.1x device authentication
  http://www.cisco.com/en/US/products/ps6662/products_ios_protocol_option_home.html
  HTH
  Steve

• Port security and 802.1x (ISE)

  Hi everyone,
  I'm implemmenting ISE in a network with Port Security enabled.
  According the book Cisco ISE for BYOD and Secure Unified Access Port-security is not compatible with 802.1x.
  I want to know what is the affectation of to have Port-security and 802.1x enabled on the same SW Port.
  Someone?
  Thanks!

  Hi Neno,
  Thanks for the reply.. As we checked the port is going in error-disable with by phone mac address wherein phone is connected 24/7 and machine connects from phone.
  Please find below logs from switch - 
  Oct  1 09:21:11: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E906E5392F07 ======Phone MAC
  Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E907E53931BF ======Laptop MAC
  Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
  Oct  1 09:21:12: %DOT1X-5-SUCCESS: Authentication successful for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
  Oct  1 09:21:12: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
  Oct  1 09:21:12: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT APPLY
  Oct  1 09:21:12: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPE DOT1X| EVENT IP-WAIT
  Oct  1 09:21:13: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet5/30, new MAC address (e804.62eb.b435) is seen.AuditSessionID  Unassigned
  Oct  1 09:21:13: %PM-4-ERR_DISABLE: security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state
  Oct  1 09:21:13: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E909E53935F3
  Oct  1 09:21:13: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT REMOVE
  Oct  1 09:21:13: %PM-4-ERR_DISABLE: STANDBY:security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state
  Can you guide us how to fix this one
  Regards
  Pranav

• Ask the Expert: Different Flavors and Design with vPC on Cisco Nexus 5000 Series Switches

  Welcome to the Cisco® Support Community Ask the Expert conversation.  This is an opportunity to learn and ask questions about Cisco® NX-OS.
  The biggest limitation to a classic port channel communication is that the port channel operates only between two devices. To overcome this limitation, Cisco NX-OS has a technology called virtual port channel (vPC). A pair of switches acting as a vPC peer endpoint looks like a single logical entity to port channel attached devices. The two devices that act as the logical port channel endpoint are actually two separate devices. This setup has the benefits of hardware redundancy combined with the benefits offered by a port channel, for example, loop management.
  vPC technology is the main factor for success of Cisco Nexus® data center switches such as the Cisco Nexus 5000 Series, Nexus 7000 Series, and Nexus 2000 Series Switches.
  This event is focused on discussing all possible types of vPC along-with best practices, failure scenarios, Cisco Technical Assistance Center (TAC) recommendations and troubleshooting
  Vishal Mehta is a customer support engineer for the Cisco Data Center Server Virtualization Technical Assistance Center (TAC) team based in San Jose, California. He has been working in TAC for the past 3 years with a primary focus on data center technologies, such as the Cisco Nexus 5000 Series Switches, Cisco Unified Computing System™ (Cisco UCS®), Cisco Nexus 1000V Switch, and virtualization. He presented at Cisco Live in Orlando 2013 and will present at Cisco Live Milan 2014 (BRKCOM-3003, BRKDCT-3444, and LABDCT-2333). He holds a master’s degree from Rutgers University in electrical and computer engineering and has CCIE® certification (number 37139) in routing and switching, and service provider.
  Nimit Pathak is a customer support engineer for the Cisco Data Center Server Virtualization TAC team based in San Jose, California, with primary focus on data center technologies, such as Cisco UCS, the Cisco Nexus 1000v Switch, and virtualization. Nimit holds a master's degree in electrical engineering from Bridgeport University, has CCNA® and CCNP® Nimit is also working on a Cisco data center CCIE® certification While also pursuing an MBA degree from Santa Clara University.
  Remember to use the rating system to let Vishal and Nimit know if you have received an adequate response. 
  Because of the volume expected during this event, Vishal and Nimit might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure Community, under the subcommunity LAN, Switching & Routing, shortly after the event. This event lasts through August 29, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hello Gustavo
  Please see my responses to your questions:
  Yes almost all routing protocols use Multicast to establish adjacencies. We are dealing with two different type of traffic –Control Plane and Data Plane.
  Control Plane: To establish Routing adjacency, the first packet (hello) is punted to CPU. So in the case of triangle routed VPC topology as specified on the Operations Guide Link, multicast for routing adjacencies will work. The hellos packets will be exchanged across all 3 routers and adjacency will be formed over VPC links
  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/operations/n5k_L3_w_vpc_5500platform.html#wp999181
  Now for Data Plane we have two types of traffic – Unicast and Multicast.
  The Unicast traffic will not have any forwarding issues, but because the Layer 3 ECMP and port channel run independent hash calculations there is a possibility that when the Layer 3 ECMP chooses N5k-1 as the Layer 3 next hop for a destination address while the port channel hashing chooses the physical link toward N5k-2. In this scenario,N5k-2 receives packets from R with the N5k-1 MAC as the destination MAC.
  Sending traffic over the peer-link to the correct gateway is acceptable for data forwarding, but it is suboptimal because it makes traffic cross the peer link when the traffic could be routed directly.
  For that topology, Multicast Traffic might have complete traffic loss due to the fact that when a PIM router is connected to Cisco Nexus 5500 Platform switches in a vPC topology, the PIM join messages are received only by one switch. The multicast data might be received by the other switch.
  The Loop avoidance works little different across Nexus 5000 and Nexus 7000.
  Similarity: For both products, loop avoidance is possible due to VSL bit
  The VSL bit is set in the DBUS header internal to the Nexus.
  It is not something that is set in the ethernet packet that can be identified. The VSL bit is set on the port asic for the port used for the vPC peer link, so if you have Nexus A and Nexus B configured for vPC and a packet leaves Nexus A towards Nexus B, Nexus B will set the VSL bit on the ingress port ASIC. This is not something that would traverse the peer link.
  This mechanism is used for loop prevention within the chassis.
  The idea being that if the port came in the peer link from the vPC peer, the system makes the assumption that the vPC peer would have forwarded this packet out the vPC-enabled port-channels towards the end device, so the egress vpc interface's port-asic will filter the packet on egress.
  Differences:  In Nexus 5000 when it has to do L3-to-L2 lookup for forwarding traffic, the VSL bit is cleared and so the traffic is not dropped as compared to Nexus 7000 and Nexus 3000.
  It still does loop prevention but the L3-to-L2 lookup is different in Nexus 5000 and Nexus 7000.
  For more details please see below presentation:
  https://supportforums.cisco.com/sites/default/files/session_14-_nexus.pdf
  DCI Scenario:  If 2 pairs are of Nexus 5000 then separation of L3/L2 links is not needed.
  But in most scenarios I have seen pair of Nexus 5000 with pair of Nexus 7000 over DCI or 2 pairs of Nexus 7000 over DCI. If Nexus 7000 are used then L3 and L2 links are required for sure as mentioned on above presentation link.
  Let us know if you have further questions.
  Thanks,
  Vishal