PXE Imaging tripping port security

We are using Cisco switches in our environment and our network administrator has enabled port security so that only 1 MAC address works on the port.
On many PCs, when they PXE boot, they send a different MAC address (always starting with 00005A) than the MAC address of the NIC, and it trips port security.
We are using the following configuration:
Switch: Cisco Catalyst 4506 Switch
Server: Novell NetWare 6.5 SP5 + ZENworks for Desktops 4.01 IR 7
Client OS: Windows 2000 SP4
It only occurs at a location with IR 7 for ZfD 4.01 installed.

Toine,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
- Check all of the other support tools and options available at
http://support.novell.com.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://support.novell.com/forums)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://support.novell.com/forums/faq_general.html
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/

Similar Messages

  • Need a hint for home office / 871 does not support port-security - FPM ?

    Hi,
    I want to realize the following setup:
    - Central site 871 with Internet connection and static IP
    - Home office 871 with Internet connection and static IP. On that home office router, there should be 2 VLANs: 1 for the office work and one for the user's private PC. All traffic from the "office" VLAN is being put into a VPN to the central site. All traffic on the other interface is being NATted and goes straight to the Internet.
    To minimize security issues, I tried to configure port-security, so that the user cannot connect with his private PC to the office LAN ports and vice versa. Unfortunately, port-security seems not to be supported on the 871 (advanced IP services image).
    Now I looked for an alternative... and came across FPM (flexible packet matching).
    If I understood right, you can classify packets for example by their source MAC address, and if this field matches a specific value (the MAC of the work PC), packets can be dropped by a policy.
    Of course I cannot avoid the user connecting the work PC together with his private PC (this is then related to the OS security to keep out viruses, worms, trojans, etc.). But I could/want to restrict the Internet access with the work PC through "normal" Internet access - the users should not be able to do that (they must use the company's proxy).
    I did the following config:
    class-map type access-control match-any c2
    match start l2-start offset 48 size 6 regex "0xabcd1234fedc"
    match field ETHER source-mac regex "abcd1234fedc"
    policy-map type access-control p2
    class c2
    drop
    interface Vlan1
    ip address 192.168.20.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    service-policy type access-control input p2
    service-policy type access-control output p2
    As this feature is quite new, I'm not familiar with its syntax.
    I also tried to use "string" instead of regex, but I'm still able to connect the office PC to the private LAN and I am able to access the "Internet" (currently it's only set up in a lab).
    As I understood so far, the offset is the value in bits, and size is in bytes. Is that correct?
    Has anyone yet some experience with FPM or maybe any hint for me on how to realize the requested setup with the 871 routers?
    Best regards,
    Andy

    For the FPM feature to work you will need PHDF files for the protocols you want to scan for to be loaded on your routers. The files can be downloaded from Cisco's website. In your case you will have to download the ether.phdf file.

  • Problem with hp laser jet 9050 mfp and port security

    Hello,
    I activated the port-security configuration on all the printers that we have. I've noticed that all the printers send an Ethernet packet that includes the same MAC address 1a3c.30a9.5a8f in all the cases, and this makes the port go to shutdown. I have changed the configuration to restrict mode to avoid the shutdown on the printers.
    But it keeps sending the message. So I want to know if it's that the switch doesn't know how to interpret it, or if it's a problem with the printer?
    The switch I have is a Catalyst 4500-RE and here is a log from the issue.
    Nov 11 12:40:22 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet4/24.
    Nov 11 12:01:45 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet3/25.
    Nov 11 12:03:58.757 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1a3c.30a9.5a8f on port FastEthernet7/16.
    Thanks for the help.

    Hi,
    this address has got the U/L bit set, and even flipping the bit doesn't get any result in the IEEE OUI database.
    Can you post the sh port-security address output?
    Regards.
    Alain
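The original question (PXE frames with a MAC starting 00005A) and the printer post above come down to the same triage step: pull the MAC and port out of the violation message and look at the address bits before searching the OUI database, since a locally administered address (U/L bit set, as Alain notes) will never be found there. The following Python is an added example, not code from either thread or from Cisco; its log lines are constructed after the ones quoted above, the 00005A prefix check only reflects what the original poster reports, and it also accepts the %AUTHMGR-5-SECURITY_VIOLATION format that appears in a later post on this page.

```python
"""Parse Cisco port-security violation syslog lines and profile the offending
MAC addresses (added example; the sample log lines are constructed)."""
import re
from collections import defaultdict

DOTTED_MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
IFNAME = r"[A-Za-z]+\d+(?:/\d+)*"

# Classic port-security violation (as in the printer post).
PSECURE_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    rf"caused by MAC address (?P<mac>{DOTTED_MAC}) on port (?P<port>{IFNAME})")
# Authentication-manager variant seen on 802.1X ports.
AUTHMGR_RE = re.compile(
    r"%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface "
    rf"(?P<port>{IFNAME}), new MAC address \((?P<mac>{DOTTED_MAC})\)")

# Prefix the original poster reports for the MAC that PXE-booting PCs send.
PXE_PREFIX = "00005a"


def mac_to_bytes(mac):
    """Accept 'aabb.ccdd.eeff', 'aa:bb:cc:dd:ee:ff' or 'aabbccddeeff'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def profile_mac(mac):
    """Bits worth checking before hunting for the address in the IEEE OUI list."""
    raw = mac_to_bytes(mac)
    return {
        "oui": raw[:3].hex(),
        # U/L bit: set means locally administered, so an OUI lookup is pointless.
        "locally_administered": bool(raw[0] & 0x02),
        # I/G bit: a multicast source address is never legitimate.
        "multicast": bool(raw[0] & 0x01),
        "pxe_prefix": raw.hex().startswith(PXE_PREFIX),
    }


def parse_violation(line):
    """Return (port, mac) for a violation line, None for anything else."""
    for rx in (PSECURE_RE, AUTHMGR_RE):
        m = rx.search(line)
        if m:
            return m.group("port"), m.group("mac")
    return None


def summarize(lines):
    """Group violations by MAC: hit count, ports involved and address profile."""
    by_mac = defaultdict(lambda: {"count": 0, "ports": []})
    for line in lines:
        hit = parse_violation(line)
        if hit is None:
            continue
        port, mac = hit
        entry = by_mac[mac_to_bytes(mac).hex()]
        entry["count"] += 1
        if port not in entry["ports"]:
            entry["ports"].append(port)
    for mac, entry in by_mac.items():
        entry.update(profile_mac(mac))
    return dict(by_mac)


# Constructed sample: the printer MAC on two ports, a PXE-style MAC, an
# AUTHMGR line and one unrelated message.
SAMPLE_LOG = [
    "Nov 11 12:40:22 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet4/24.",
    "Nov 11 12:01:45 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address 1a3c.30a9.5a8f on port GigabitEthernet3/25.",
    "Nov 11 12:05:10 CENTRAL: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address 0000.5a12.3456 on port FastEthernet7/16.",
    "Oct  1 09:21:13: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the "
    "interface GigabitEthernet5/30, new MAC address (e804.62eb.b435) is seen.",
    "Nov 11 12:06:00 CENTRAL: %LINK-3-UPDOWN: Interface FastEthernet7/16, changed state to down",
]

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE_LOG).items():
        print(mac, info)
```

Run against a real syslog export, the "ports" list is the quickest way to see one address wandering between ports (a printer behaviour as above, or a MAC that genuinely moved), while "locally_administered" tells you up front whether an OUI search can succeed.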

  • Port Security - CMS

    I am using CMS on a 3550 to implement Port Security. I want to know how to clear the Violation Rejection count? I have tried changing the Violation, turned off Sticky Behavior and disabled Port Security. Nothing clears the Violation count. When I re-enable Port Security the Violation Rejection count is the same. Help!!!

    Duplicate post. 
    Go HERE.

  • Port Security Sticky Addresses

    Does anyone know if there is a way to automatically clear the mac address on a switchport that has port security sticky addressing enabled. I have the following configured on the port(s):
    switchport mode access
    switchport port-security
    switchport port-security aging time 1
    switchport port-security aging type inactivity
    switchport port-security mac-address sticky
    spanning-tree portfast
    I can't get it to release the sticky mac-address after the minute of inactivity. As soon as I try to connect another device to the port after the required inactivity, the port goes into an err-disabled state because it still sees the mac of the old device. Any help is appreciated. This is on a Catalyst 2950G switch.
    Josh

    It is not possible to age out sticky entries. With sticky entries, they are added to the running config. So the only way to remove them is through editing the running config. If you enter the "no switchport port-security mac-address sticky" interface command, then the MAC addresses will be learned dynamically and will be aged out after 1 minute of inactivity, per your config.

  • CAM aging time VS Port-security aging time

    Hi All
    Please advise on the following:
    - Without port-security configured, MACs per interface are learnt as "Dynamic" entries and the global CAM aging timer applies (300 seconds) unless tweaked manually.
    - With switchport port-security enabled (without port-security mac-address sticky, which holds onto MACs indefinitely) I see MACs being learnt as "Secure-Dynamic" in a show port-security interface gix/x output and as "Static" in the output of show mac address-table interface gix/x.
    What I want to know is: if JUST port-security is applied (without mac-address sticky), does the default CAM aging timer of 300 seconds get applied to these MACs too? As I see there is also an option to configure port-security mac-address aging time / type, does this overrule / take precedence over the default CAM aging timer?
    Please assist, it's not documented anywhere and it's driving me a bit nuts!
    Thanks folks

    "What I want to know is: if JUST port-security is applied (without mac-address sticky), does the default CAM aging timer of 300 seconds get applied to these MACs too?"
    Any aging time you configure with port security will take precedence over the default aging time.
    See this thread for details -
    https://supportforums.cisco.com/discussion/11054341/switchport-port-security-commands-help
    Jon
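The sticky-address thread and the aging question above are both about which timer, if any, actually applies to a secure entry. The following Python is an added example (not Cisco's code and not any poster's) that reads a pasted interface stanza and reports the combinations the replies above call out: sticky entries under an aging timer that will not age them, an aging time without an inactivity type, and a feature that never became active because the bare "switchport port-security" line is missing or misspelled. The stanzas embedded in it are constructed after the ones quoted on this page.

```python
"""Lint Cisco IOS port-security interface stanzas for settings that do not do
what their author probably expects (added example; the stanzas are constructed
after the ones quoted in the thread)."""

PS = "switchport port-security"


def parse_stanza(text):
    """Collect the port-security settings found in one interface stanza."""
    cfg = {"enabled": False, "max": None, "aging_time": None, "aging_type": None,
           "sticky": False, "violation": "shutdown", "suspect": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line == PS:
            cfg["enabled"] = True            # the line that turns the feature on
        elif line.startswith(PS + " "):
            args = line[len(PS) + 1:].split()
            if args[0] == "maximum" and len(args) == 2:
                cfg["max"] = int(args[1])     # per-VLAN maxima are left alone
            elif args[:2] == ["aging", "time"]:
                cfg["aging_time"] = int(args[2])
            elif args[:2] == ["aging", "type"]:
                cfg["aging_type"] = args[2]
            elif args[:2] == ["mac-address", "sticky"]:
                cfg["sticky"] = True
            elif args[0] == "violation":
                cfg["violation"] = args[1]
        elif "port-security" in line:
            cfg["suspect"].append(line)       # e.g. a misspelled "switchport"
    return cfg


def lint(text):
    """Return (settings, findings) for one stanza; an empty list means no concerns."""
    cfg = parse_stanza(text)
    findings = []
    for line in cfg["suspect"]:
        findings.append(f"unrecognised port-security line, possible typo: {line!r}")
    has_params = (cfg["max"] is not None or cfg["aging_time"] is not None
                  or cfg["aging_type"] is not None or cfg["sticky"]
                  or cfg["violation"] != "shutdown")
    if has_params and not cfg["enabled"]:
        findings.append("parameters are set but the bare 'switchport port-security' "
                        "line is missing, so the feature is not active")
    if cfg["sticky"] and cfg["aging_time"]:
        findings.append("sticky entries are written to the running config and are not "
                        "aged out; the aging timer only affects dynamic secure entries")
    if cfg["aging_time"] and cfg["aging_type"] is None:
        findings.append("aging time set without 'aging type inactivity': the default "
                        "type is absolute, so entries expire even while the host is active")
    if not cfg["aging_time"] and not cfg["sticky"]:
        findings.append("no port-security aging configured (default 0): dynamic "
                        "secure entries are not aged by port-security")
    return cfg, findings


# Constructed stanzas modelled on the thread.
STICKY_WITH_AGING = """\
switchport mode access
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
switchport port-security mac-address sticky
spanning-tree portfast
"""

FAILOVER_PAIR = """\
switchport access vlan 200
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
"""

TYPO = """\
switchport mode access
switchport access vlan 20
swicthport port-security
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security mac-address sticky
"""

if __name__ == "__main__":
    for name, stanza in [("sticky", STICKY_WITH_AGING),
                         ("failover", FAILOVER_PAIR), ("typo", TYPO)]:
        _, findings = lint(stanza)
        print(name, findings or ["ok"])
```

The linter only reasons about one stanza at a time; a secure MAC that legitimately moves between two ports (the ASA failover case further down this page) cannot be judged from the configuration alone and shows up only in the violation log.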

  • Recommended port-security settings for ASA HA failover

    I have a pair of ASA 5510s configured in active/standby mode. I have already configured the failover settings on the firewalls. Both firewalls are connected to a 2960G. I made a change to the interfaces on the 2960 to allow 2 mac addresses on each port. Here is the switch port config:
    interface GigabitEthernet0/8
    description ASA-Primary-Out
    switchport access vlan 200
    switchport mode access
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    ip arp inspection limit rate 500
    no cdp enable
    spanning-tree portfast
    spanning-tree bpduguard enable
    Upon testing failover via the failover active command, I get port-security errors on the outside interface for each device:
    %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet0/8.
    After a few minutes, the error goes away and I can then connect to each firewall. It seems that it still waits for the aging time to expire before allowing the other MAC address. Shouldn't the "maximum 2" setting allow for both MAC addresses?
    I'd rather not have to hardcode the firewall's MAC addresses on each switchport because I could see this causing problems for us down the road. Is there anything else that can be done?

    Hello,
    This is expected because of the way ASA failover works. When a failover event occurs, the 2 units will swap their IP and MAC addresses (i.e. the Active unit is always using the same IP and MAC, but this role changes between the 2 physical units).
    Per the port-security config guide:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_fx/configuration/guide/swtrafc.html#wp1090391
    "...if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged."
    Since the MAC address moves to the other switchport when the failover happens, a violation is being logged.
    -Mike

  • Port Security based on Device Type

    Hi all:
    We need to know whether there is any feature or software that allows blocking switch ports by type of device.
    For instance, we have some switches for IP phones and we do not want to have PCs connected to those ports.
    We know that it can be done using MACs, but, as phones can be moved easily, it implies constant changes to port security.
    Thanks
    Regards

    Apologies if I have not understood the original question; however, can you use port security (max MAC / sticky MAC) to ensure only devices that are currently connected are successful? Other violations will result in the port being shut down.
    You may want to investigate some 802.1x device authentication
    http://www.cisco.com/en/US/products/ps6662/products_ios_protocol_option_home.html
    HTH
    Steve

  • Port security and 802.1x (ISE)

    Hi everyone,
    I'm implementing ISE in a network with Port Security enabled.
    According to the book Cisco ISE for BYOD and Secure Unified Access, port-security is not compatible with 802.1x.
    I want to know what the effect is of having port-security and 802.1x enabled on the same switch port.
    Someone?
    Thanks!

    Hi Neno,
    Thanks for the reply. As we checked, the port is going into err-disable because of the phone MAC address, wherein the phone is connected 24/7 and the machine connects through the phone.
    Please find below the logs from the switch:
    Oct  1 09:21:11: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E906E5392F07 ======Phone MAC
    Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E907E53931BF ======Laptop MAC
    Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
    Oct  1 09:21:12: %DOT1X-5-SUCCESS: Authentication successful for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
    Oct  1 09:21:12: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
    Oct  1 09:21:12: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT APPLY
    Oct  1 09:21:12: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPE DOT1X| EVENT IP-WAIT
    Oct  1 09:21:13: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet5/30, new MAC address (e804.62eb.b435) is seen.AuditSessionID  Unassigned
    Oct  1 09:21:13: %PM-4-ERR_DISABLE: security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state
    Oct  1 09:21:13: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E909E53935F3
    Oct  1 09:21:13: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT REMOVE
    Oct  1 09:21:13: %PM-4-ERR_DISABLE: STANDBY:security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state
    Can you guide us on how to fix this one?
    Regards
    Pranav

  • Packet drops on 2960 with port-security enabled

    Hello,
    We are using the following port-security configuration on user access ports on Cisco 2960 switches, in order to protect the infrastructure from MAC flooding attacks:
    switchport port-security maximum 10
    switchport port-security
    switchport port-security aging time 1
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    There is a problem with the more "quiet" hosts, especially in technology - every time the MAC address ages out, the first packets (an ARP request usually) sent by the host are dropped by the switch. There is no violation logged, the switch should be OK to forward the packets but doesn't:
    Port Security              : Enabled
    Port Status                : Secure-up
    Violation Mode             : Restrict
    Aging Time                 : 1 mins
    Aging Type                 : Inactivity
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 10
    Total MAC Addresses        : 0
    Configured MAC Addresses   : 0
    Sticky MAC Addresses       : 0
    Last Source Address:Vlan   : 0011.aabb.ccdd:11
    Security Violation Count   : 0
    When port-security is turned off, all packets are forwarded without trouble. This is happening on both WS-C2960-24TT-L and WS-C2960-8TC-L, with IOS 12.2(35)SE1 and 12.2(50)SE5, respectively. I didn't check other models yet.
    I have found similar reports and bugs for the 2950 and 3750:
    https://supportforums.cisco.com/thread/163910
    https://supportforums.cisco.com/message/89560
    https://tools.cisco.com/bugsearch/bug/CSCeg63177
    https://tools.cisco.com/bugsearch/bug/CSCec21652
    Is there anything we can do to fix this?
    Is there an access switch that would not suffer from this problem? (Like 2960-S maybe?)
    Thank you.

    Hi Alioune,
    This is expected behaviour on the Nexus 1000v Ethernet interfaces when the uplinks are configured with MAC pinning.
    When using MAC pinning there's no special configuration of the ports on the upstream physical switches and so any broadcast packets are sent by the upstream switches on all uplinks towards the Nexus 1000v switch.
    On each VEM of the Nexus there's one uplink interface that is chosen as the Designated Receiver for broadcast traffic, and the function of the DR is to forward received broadcast traffic to VMs within the VLAN. Any other uplinks of the VEM, i.e. those that are not acting as DR, drop the received broadcast traffic on ingress to the VEM.
    The drops you're seeing on the uplink interfaces are almost certainly the broadcast traffic being received on one or more non DR uplinks.
    Regards

  • SG-300-28P Port Security

    Hi,
    We currently have a few of these acting as access switches around our network.
    These switches run our POE telephones and our Workstations. (Switch --> Phone --> Workstation).
    Recently a user brought a switch onto the network and removed the telephone; he then plugged his computer directly into the switch, along with a laptop he brought from home, to download a few large files.
    I am aware that there is an option under port security to set the max number of addresses allowed. The current max is 1.
    When I click a port in the web interface and go to edit, there are two options: [Interface Status] with a checkbox for "Lock", and [Learning Mode].
    Learning Mode offers "Classic Lock" and "Dynamic Lock".
    When clicking the "Lock" checkbox two options become available: "Dynamic Lock", where I can edit the number of MAC addresses; however, when using "Classic Lock" you cannot modify the number of MAC addresses.
    What does "Classic Lock" actually do, since you can't edit the max number of MAC addresses? The only options that become available when selecting the "Lock" checkbox and clicking "Classic Lock" are "Discard", "Forward" and "Shutdown".
    When clicking Limited Dynamic Lock you can select the number of MAC addresses, and again you have "Discard", "Forward" and "Shutdown".
    Can someone explain what each option would do with the Limited Dynamic Lock?
    Lastly, if I enable the Limited Dynamic Lock and put 1 as the max addresses, would the telephones still work?
    If not, and I put this as 2, then couldn't the user just unplug his telephone, put in a switch and connect two machines again?
    Thanks for your advice!

    I configured the Interface like this:
    Then I connect notebook 1 to the port and it is connected to the network. If I connect notebook 2 to this port it can also connect to the network. I set the Max No. of Addresses Allowed to 1 because I have only 2 notebooks for doing this test. Later I would set it to 2 or 3.
    In the dynamic addresses list the currently connected device is always listed:
    Why is the second device not blocked?
    Regards,
    Dominique

  • "Images Removed for Security Reasons"

    Heya:
    I'm new to Safari, just upgrading from an older OS9 Mac to a new one.
    Can someone tell me why oh why I get e-mails from eBay or go to certain sites (including Apple) where images are removed with a big rectangle saying "images removed for security reasons"?
    In preferences I have show images checked....and I don't have anything weird in "security"....
    or is this an e-mail problem?
    any help would be appreciated....
    Thanks!
    iMac 5,1   Mac OS X (10.4.7)  

    Who is your email provider? Some will screen images and not load them unless you tell them.

  • SCOM 2012 SP1 Cisco Port Security Violations

    Hello,
    I'm fairly new to System Center but have learned quite a bit over the last year. I am looking for some information on how to generate an alert off of a port-security violation. There's not much information about this, so I'm wondering if anyone out there has experience doing this.
    Also, we run a fairly large Cisco environment (20000+ switchports), so my next question is, do I have to be monitoring every switchport to see a port-sec event happen? I've run some debug snmp packets on my Cisco devices, and I do see the SNMP trap sent for the port-security violation.
    The universal device poller that I set up for this is: OID 1.3.6.1.4.1.9.9.315.1.2.1.1.2 or the MIB CISCO-PORT-SECURITY-MIB:cpsIfPortSecurityStatus, so I'm pretty confident that I've got the right data. I'm just looking for a way to see these events happen without having to monitor every single switchport on my network, and whether the alert will tell me which switch and which port had the violation.
    Any help is always appreciated.

    Hi,
    I have to say that I don't have experience doing this, but in my opinion, if there are log files with that information, we can use SCOM to monitor the log file and fire alerts according to your requirements.
    Based on my research, the output of the port-security debug may have information about which switch and which port had the violation. (I am not familiar with Cisco devices; if there is any misunderstanding, please feel free to let me know.)
    Regards,
    Yan Li
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Help desk users reset port security

    I'm looking for a way through CiscoWorks for helpdesk users to be able to reset port-security.

    You can create a user-defined task in RME that basically does a shutdown and no shutdown on the interface under one job.
    Or use CiscoView --> select the device --> right-click the network interface that is disabled. Choose configure --> a popup will appear; select the interface and in the field labeled "Admin Status" choose "down", then click apply. Do the steps again and in the admin status field choose "up" and click apply. This should reset the port security.

  • After enabling port-security host is not reachable

    Hi, after we enable port security on the switch the host will not be reachable. Please note that we have some ports on the same switch configured for 802.1x authentication. Below is the configuration for the port:
    interface fa 0/20
    switchport mode access
    switchport access vlan 20
    switchport port-security
    switchport port-security maximum 2
    switchport port-security maximum 1 vlan access
    switchport port-security maximum 1 vlan voice
    switchport port-security mac-address sticky

    hello
    Possibly too restrictive for that. Can you post
    sh port-security int fa0/20
    res
    Paul
