Security Maximum 1

Hello gents.
Anyone know how to block/shutdown laptop WiFi shared hotspots?
For some reason our 3750 does not recognize the multiple MACs behind a laptop hotspot.
Our current security:
switchport access vlan xxx
switchport mode access
switchport voice vlan yyy
switchport port-security
switchport port-security aging time 1
ip arp inspection limit rate 100
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
The second we take a phone or a router and plug it into a port with maximum 1, the port shuts down. However, when a laptop shares a WiFi hotspot, nothing happens.
Any suggestions?

Duplicate post. 
Go here: https://supportforums.cisco.com/discussion/12233036/port-security-maximum-1

Similar Messages

  • Switchport port-security maximum

    I have a 4510R switch (cat4500e-UNIVERSALK9-M, Version 03.05.02.E RELEASE SOFTWARE (fc1)).
    I'm configuring the port-security maximum using the following commands:
    switchport port-security maximum 1 vlan access
    switchport port-security maximum 1 vlan voice
    I don't know why sometimes this works and sometimes it does not.
    To solve the issue I had to use the three commands:
    switchport port-security maximum 2
    switchport port-security maximum 1 vlan access
    switchport port-security maximum 1 vlan voice
    The documentation does not say anything about whether I have to use the three commands together.

    Hi,
    This is an excerpt from the Configuration Guide for your box and IOS-XE release:
    Each VLAN can be configured with a maximum count that is greater than the value configured on the port. Also, the sum of the maximum configured values for all the VLANs can exceed the maximum configured for the port. In either of these situations, the number of MAC addresses secured on each VLAN is limited to the lesser of the VLAN configuration maximum and the port configuration maximum. Also, the number of addresses secured on the port across all VLANs cannot exceed a maximum that is configured on the port.
    The default "switchport port-security maximum" value for the port is "1". So unless you change this value to "2", your port can learn at most 1 MAC address in either the "access" or the "voice" VLAN without triggering a violation. This means that the total maximum number of MAC addresses allowed across all configured VLANs on the port equals ONE at the default.
    I hope my English makes sense.
    Best regards,
    Antonin

  • Recommended port-security settings for ASA HA failover

    I have a pair of ASA 5510s configured in active/standby mode. I have already configured the failover settings on the firewalls. Both firewalls are connected to a 2960G. I made a change to the interfaces on the 2960 to allow 2 mac addresses on each port. Here is the switch port config:
    interface GigabitEthernet0/8
    description ASA-Primary-Out
    switchport access vlan 200
    switchport mode access
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    ip arp inspection limit rate 500
    no cdp enable
    spanning-tree portfast
    spanning-tree bpduguard enable
    Upon testing failover via the failover active command, I get port-security errors on the outside interface for each device:
    %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet0/8.
    After a few minutes, the error goes away and I can then connect to each firewall. It seems that it still waits for the aging time to expire before allowing the other MAC address. Shouldn't the "maximum 2" setting allow for both mac addresses?
    I'd rather not have to hardcode the firewall's MAC addresses on each switchport because I could see this causing problems for us down the road. Is there anything else that can be done?

    Hello,
    This is expected because of the way ASA failover works. When a failover event occurs, the 2 units will swap their IP and MAC addresses (i.e. the Active unit is always using the same IP and MAC, but this role changes between the 2 physical units).
    Per the port-security config guide:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_fx/configuration/guide/swtrafc.html#wp1090391
    "...if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged."
    Since the MAC address moves to the other switchport when the failover happens, a violation is being logged.
    -Mike
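The two counting rules quoted in the replies above (Antonin's excerpt: each VLAN is capped at the lesser of its own maximum and the port maximum, and the port total caps everything; Mike's excerpt: a MAC already secured on one secure port violates when it shows up on another) are easy to get wrong in the head. The following simulation is an added example written for this page, not Cisco code: it models a secure-MAC table across a few ports under exactly those two rules and nothing else (no aging timers, no sticky persistence). The port name Gi0/9 for the standby ASA and the voice/access MAC values are assumptions; the shared ASA MAC aaaa.bbbb.cccc is the one from the post.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    port_max: int = 1                               # IOS default for 'switchport port-security maximum'
    vlan_max: dict = field(default_factory=dict)    # per-VLAN maxima, e.g. {"access": 1, "voice": 1}
    secured: dict = field(default_factory=dict)     # vlan -> set of secured MACs
    violations: list = field(default_factory=list)  # (mac, vlan, reason)

    def effective_vlan_limit(self, vlan: str) -> int:
        # Config-guide rule: a VLAN secures at most the lesser of its own
        # maximum and the port maximum (a VLAN with no explicit maximum
        # simply falls back to the port value).
        return min(self.vlan_max.get(vlan, self.port_max), self.port_max)

    def total_secured(self) -> int:
        return sum(len(macs) for macs in self.secured.values())


class Switch:
    """Minimal secure-MAC table spanning several ports (assumed model, not IOS)."""

    def __init__(self):
        self.ports = {}

    def add_port(self, name, port_max=1, vlan_max=None):
        self.ports[name] = SecurePort(name, port_max, vlan_max or {})
        return self.ports[name]

    def owner_of(self, mac):
        # The secure port, if any, that already holds this MAC.
        for port in self.ports.values():
            if any(mac in macs for macs in port.secured.values()):
                return port.name
        return None

    def learn(self, port_name, mac, vlan="access"):
        """Try to secure mac on port_name; return True, or record a violation."""
        port = self.ports[port_name]
        macs = port.secured.setdefault(vlan, set())
        if mac in macs:
            return True                                 # already secured here
        other = self.owner_of(mac)
        if other is not None:                           # rule quoted by Mike
            port.violations.append((mac, vlan, f"secured on {other}"))
            return False
        if len(macs) >= port.effective_vlan_limit(vlan):
            port.violations.append((mac, vlan, "vlan maximum"))
            return False
        if port.total_secured() >= port.port_max:       # port total caps everything
            port.violations.append((mac, vlan, "port maximum"))
            return False
        macs.add(mac)
        return True

    def flush(self, port_name):
        # Equivalent of clearing the port's secure addresses (or letting them age out).
        self.ports[port_name].secured.clear()


def phone_plus_pc(port_max):
    """Phone in the voice VLAN plus a PC in the access VLAN, with the poster's
    'maximum 1 vlan access' / 'maximum 1 vlan voice' lines in place."""
    sw = Switch()
    sw.add_port("Fa0/1", port_max=port_max, vlan_max={"access": 1, "voice": 1})
    sw.learn("Fa0/1", "0015.655c.b912", "voice")    # assumed phone MAC
    sw.learn("Fa0/1", "0021.9b62.b79b", "access")   # assumed PC MAC
    port = sw.ports["Fa0/1"]
    return port.total_secured(), [reason for _, _, reason in port.violations]


def asa_failover():
    """The active ASA's MAC moves from Gi0/8 to Gi0/9; 'maximum 2' does not help,
    but forgetting the address on the old port does."""
    sw = Switch()
    sw.add_port("Gi0/8", port_max=2)
    sw.add_port("Gi0/9", port_max=2)                    # assumed standby port
    sw.learn("Gi0/8", "aaaa.bbbb.cccc")                 # shared MAC from the post
    moved = sw.learn("Gi0/9", "aaaa.bbbb.cccc")         # violation: still held by Gi0/8
    sw.flush("Gi0/8")                                   # aging or clear on the old port
    after_flush = sw.learn("Gi0/9", "aaaa.bbbb.cccc")
    return moved, after_flush, [r for _, _, r in sw.ports["Gi0/9"].violations]


if __name__ == "__main__":
    print(phone_plus_pc(1))   # default maximum 1: the second MAC violates
    print(phone_plus_pc(2))   # maximum 2: both addresses secured
    print(asa_failover())
```

Running `phone_plus_pc(1)` reproduces the 4510R poster's experience: with the port maximum left at its default of 1, the phone is secured and the PC behind it trips "port maximum" even though both per-VLAN lines are present; raising the port maximum to 2 secures both. `asa_failover()` reproduces the ASA case: the moved MAC is refused until the old port forgets it, which is why the poster only regains connectivity once the aging time has expired.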

  • Packet drops on 2960 with port-security enabled

    Hello,
    We are using the following port-security configuration on user access ports on Cisco 2960 switches, in order to protect the infrastructure against MAC flooding attacks:
    switchport port-security maximum 10
    switchport port-security
    switchport port-security aging time 1
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    There is a problem with the more "quiet" hosts, especially in technology: every time the MAC address ages out, the first packets (usually an ARP request) sent by the host are dropped by the switch. There is no violation logged; the switch should be OK to forward the packets but doesn't:
    Port Security              : Enabled
    Port Status                : Secure-up
    Violation Mode             : Restrict
    Aging Time                 : 1 mins
    Aging Type                 : Inactivity
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 10
    Total MAC Addresses        : 0
    Configured MAC Addresses   : 0
    Sticky MAC Addresses       : 0
    Last Source Address:Vlan   : 0011.aabb.ccdd:11
    Security Violation Count   : 0
    When port-security is turned off, all packets are forwarded without trouble. This is happening on both WS-C2960-24TT-L and WS-C2960-8TC-L, with IOS 12.2(35)SE1 and 12.2(50)SE5, respectively. I didn't check other models yet.
    I have found similar reports and bugs for the 2950 and 3750:
    https://supportforums.cisco.com/thread/163910
    https://supportforums.cisco.com/message/89560
    https://tools.cisco.com/bugsearch/bug/CSCeg63177
    https://tools.cisco.com/bugsearch/bug/CSCec21652
    Is there anything we can do to fix this?
    Is there an access switch that would not suffer from this problem? (Like 2960-S maybe?)
    Thank you.

    Hi Alioune,
    This is expected behaviour on the Nexus 1000v Ethernet interfaces when the uplinks are configured with MAC pinning.
    When using MAC pinning there's no special configuration of the ports on the upstream physical switches and so any broadcast packets are sent by the upstream switches on all uplinks towards the Nexus 1000v switch.
    On each VEM of the Nexus there's one uplink interface that is chosen as the Designated Receiver for broadcast traffic, and the function of the DR is to forward received broadcast traffic to VMs within the VLAN. Broadcast traffic received on any other uplinks of the VEM, i.e. those that are not acting as DR, is dropped on ingress to the VEM.
    The drops you're seeing on the uplink interfaces are almost certainly the broadcast traffic being received on one or more non DR uplinks.
    Regards

  • After enabling port-security host is not reachable

    Hi, after we enable port security on the switch the host will not be reachable. Please note that we have some ports on the same switch configured for 802.1x authentication. Below is the configuration for the port:
    interface fa 0/20
    switchport mode access
    switchport access vlan 20
    switchport port-security
    switchport port-security maximum 2
    switchport port-security maximum 1 vlan access
    switchport port-security maximum 1 vlan voice
    switchport port-security mac-address sticky
    1

    hello
    Possibly too restrictive for that... can you post
    sh port-security int fa0/20
    res
    Paul

  • Implementing port security

    I have about a dozen 2960s on which I wish to implement port security. Some users tend to bring their own router and cause mayhem on the network. I've tried DHCP snooping, which doesn't seem to work, and port security testing on a few ports works well.
    What are the recommended steps? All are connected to users and all ports are already in use.
    - Some ports already have a few MAC addresses in the tables, so I can't do an across-the-board implementation like "switchport port-security maximum 3".
    - It's tedious to go switch by switch, port by port.
    - Is there any mechanism that can convert sticky to static: use "switchport port-security mac-address sticky" first, then convert them to static since the network is OK now?

    The poster above raised some excellent points about an "IT Acceptable Use Policy". I wouldn't want people allowed to bring in random network equipment and just plug it in all willy-nilly.
    With DHCP Snooping, you need to understand that all ports will be untrusted by default. So you need to make sure the only ports that are trusted are trunk ports that lead to a DHCP server, and the port connected to the DHCP server. Also, you may or may not have to deal with Option 82, for which you have two options. You can either turn it off from being checked at the router, or instruct the switch not to insert the option into DHCP Discover packets to begin with.
    When you enable DHCP Snooping, this will create the DHCP Snooping database, which will keep track of the DHCP-assigned IP address and the MAC address assigned to each port.
    If you have users who bring in their own switches, find out who they are, just watch the MAC addresses associated with the port, and then you can adjust port security appropriately.
    It sounds like you may have a hard time, since they don't seem to really care about security at this place.
    Personally, if it were me, all ports would have BPDU Guard, at a minimum. You can always set up 'errdisable recovery' to deal with the recovery of ports that have been disabled automatically.

  • Scope of port security

    Hi,
    I experienced a scenario recently where port security was enabled on a switch allowing 3 MAC addresses on a port with sticky. The physical setup was Switch >> media converter >> IP phone >> Laptop.
    Port one had this equipment already in situ and we wanted to add another laptop to the domain.
    We connected a 2nd laptop to port one and successfully joined the domain.
    We did not set up port security on port 2. Upon connecting a new IP phone to port 2, and then moving the 2nd laptop to port 2 also, the phone worked but laptop 2 did not.
    We found that for the laptop to work on port 2 we had to flush port 1.
    My question is: is this default behaviour? May a MAC address only exist on one port as far as port security is concerned? Or might the use of the media converter have stopped the port from recognising the disconnection of the laptop?
    Cheers
    Dave

    Hi David Imrie
    You have to check the configuration of your switch interface. Probably a switch port dynamically learned a MAC address with the "switchport port-security mac-address sticky" command and does not allow another port to learn the MAC address. I recommend you use the "mac-address-table static 0000.1111.2222 vlan x interface fastethernet 0/x" command to assign it statically.
    You should also check that the "switchport port-security" command is configured on each interface of the switch, because without that no "port-security" command will work.
    IP phones sometimes have multiple MAC addresses assigned, and sometimes this causes problems with networks like yours: Switch >> IP phone >> media converter >> Laptop. To solve this problem, change the maximum allowed MAC addresses, adding one to the maximum allowed.
    For example, if the maximum is 2, change it to 3:
    Switchx(config-if)# switchport port-security maximum 2
    Switchx(config-if)# no switchport port-security maximum 2
    Switchx(config-if)# switchport port-security maximum 3
    If these solutions do not fix your problem, send me your switch configuration or
    If this answer was satisfactory for you, please mark the question as Answered.
    Thank you
    Greetings, Johnnatan Rodriguez Miranda.

  • HP 3800 switch port-security one mac in two VLAN for Cisco IP Phone

    Hello all!
    I want to use port-security for ports on my HP 3800. But the PC is connected
    to the network via the PC port on a Cisco IP phone. The phone uses voice VLAN 10,
    and data uses VLAN 1 (native). The Cisco phone adds its own MAC address in these
    two VLANs. On a Cisco 2960 switch I resolved this with 4 commands:
    switchport port-security maximum 3
    switchport port-security mac-address pc_mac
    switchport port-security mac-address ip_phone_mac
    switchport port-security mac-address ip_phone_mac vlan voice
    How can I add one MAC in two VLANs on the HP 3800 switch?
    Sorry for my English, please ^_^
    This topic first appeared in the Spiceworks Community

    Hi Kuarzo, please reference the following;
    https://supportforums.cisco.com/document/116426/how-configure-dynamic-mac-port-security-sx300
    https://supportforums.cisco.com/document/116256/how-configure-static-mac-port-security-sx300

  • Port Security

    I had configured this, but when I plug in another machine with a different MAC, how come it is still able to access the network?
    interface FastEthernet0/22
    switchport mode access
    switchport protected
    switchport port-security
    switchport port-security maximum 22
    switchport port-security violation restrict
    switchport port-security mac-address 0060.97ed.6092
    Switch_242#show port interface fastEthernet 0/22 address
    Secure Mac Address Table
    Vlan  Mac Address     Type              Ports   Remaining Age (mins)
    1     0060.97ed.6092  SecureConfigured  Fa0/22  -
    Total Addresses: 1

    Hello,
    you are allowing a maximum of 22 MAC addresses on the port:
    switchport port-security maximum 22
    But you have only configured one secure MAC address:
    switchport port-security mac-address 0060.97ed.6092
    If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned. In order to actually allow only one MAC address on the port, remove the statement 'switchport port-security maximum 22'.
    HTH,
    GP

  • Port security detecting two MACs on 1 machine.

    I am using port security on several 2950 switches to prevent unauthorized moves on the network. Currently, there are several hundred computers that do not have a problem. Here is my current config for each port:
    Version 12.1(19)EA1
    switchport mode access
    switchport port-security
    switchport port-security maximum 1
    switchport port-security violation shutdown
    switchport port-security mac-address sticky
    I am working with two users who each have old laptops (the only thing I can see in common). Their ports keep getting shut down due to MAC address violations. The users swear up and down that their computers have NOT moved or been unplugged. I reset the secure MAC on one port and the user was able to work about 30 minutes before being locked out again. Indeed, it does show a different MAC address as "last source address". I even have eyewitnesses (managers sitting by the desk) saying they saw nobody at his desk.
    Now, is there a chance something on the computer would cause the MAC address to change? He does have a modem, but I don't see this causing problems. I am very confused why only these two computers would be having problems. Honestly, I don't think the users are trying to pull a fast one.
    Since I have changed the max count to 2, I have not seen another MAC address show up on that port. I'm sure if I put it down to 1 again, it will lock out eventually.
    Anybody ran into this before?
    Thanks.
    Brett

    After a month or so of testing, port security issues still exist in 12.1(12c)EA1 (although false triggers have slowed). Seems to be about 1 out of 100 computers or so. I set the violation to "restrict" to monitor the situation and alleviate the users frustrations of being shutoff every 30 min or so during the workday. Here is some interesting results I see in the log history. This log is over the course of 24 hours since I changed it to restrict.
    interface FastEthernet0/1
    switchport mode access
    switchport port-security
    switchport port-security violation restrict
    switchport port-security mac-address sticky
    switchport port-security mac-address sticky 00e0.988a.7ee6
    no ip address
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)        (Count)          (Count)
    Fa0/1               1              1                3       Restrict
    2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 5463.0007.eb9e on port Fa0/1.
    2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0007.eb9e on port Fa0/1. Invalid address secure address
    2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 3a20.0007.eb9e on port Fa0/1. Invalid address secure address
    Notice how all 3 violating MACs have similarities. Nobody can tell me that this is 3 different machines. Since replacing all the NICs is not an option, setting the violation to "restrict" seems to be the workaround, although it will shut down the interface temporarily throughout the day. Port security is absolutely needed.
    Thanks for the response Thomas.
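Brett's log shows the pattern a defender wants to pick out automatically: several violations on one port whose offending MACs differ only in the leading octets. The script below is an added example written for this page (not Cisco tooling): it parses `%PORT_SECURITY-2-PSECURE_VIOLATION` syslog lines, tallies violations per port, and flags ports whose distinct violating MACs share the same low-order 24 bits, which points at one misbehaving NIC rather than several machines. The sample log is constructed: the Fa0/1 lines carry the MACs from Brett's post, while the Fa0/7 lines and their MACs are invented to show a port where the addresses genuinely differ.

```python
import re
from collections import defaultdict

# Constructed sample syslog text modelled on the lines in the post above.
SAMPLE_LOG = """\
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 5463.0007.eb9e on port Fa0/1.
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0007.eb9e on port Fa0/1.Invalid address secure address
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 3a20.0007.eb9e on port Fa0/1.Invalid address secure address
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.9b62.b79b on port Fa0/7.
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address b888.e3eb.ebac on port Fa0/7.
"""

# Matches the message body; the port name is read up to the terminating '.'
# so the 'Fa0/1.Invalid address...' variant in the post still parses.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?caused by MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.",
    re.IGNORECASE,
)


def parse_violations(text):
    """Return a list of (port, mac) tuples, one per PSECURE_VIOLATION line."""
    found = []
    for line in text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            found.append((m.group("port"), m.group("mac").lower()))
    return found


def nic_suffix(mac):
    """Low-order 24 bits (the NIC-specific half) of a dotted-quad Cisco MAC."""
    return mac.replace(".", "")[6:]


def summarize(text, threshold=2):
    """Per port: violation count, distinct MACs, and whether those MACs share a
    NIC suffix (Brett's 'all 3 violating MACs have similarities' case)."""
    by_port = defaultdict(list)
    for port, mac in parse_violations(text):
        by_port[port].append(mac)
    report = {}
    for port, macs in by_port.items():
        distinct = sorted(set(macs))
        suffixes = {nic_suffix(m) for m in distinct}
        report[port] = {
            "violations": len(macs),
            "macs": distinct,
            # More than one distinct MAC but a single suffix: likely one NIC
            # presenting a corrupted OUI, not several hosts.
            "shared_nic_suffix": len(distinct) > 1 and len(suffixes) == 1,
            "needs_review": len(macs) >= threshold,
        }
    return report


if __name__ == "__main__":
    for port, info in sorted(summarize(SAMPLE_LOG).items()):
        print(port, info)
```

Fed a real syslog export instead of `SAMPLE_LOG`, the `shared_nic_suffix` flag separates ports that deserve a NIC replacement (or a relaxed `violation restrict`, as Brett chose) from ports where distinct addresses really did appear and a port-move or rogue device should be investigated.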

  • 802.1x takes a long time to authenticate

    I'm currently testing 802.1x in our environment and one of the things I want to do is MAC address authentication (basically a machine trying to connect to a port has to be checked against our ACS server with these addresses). I can get it to work, but for some reason it takes close to 5 minutes for it to authenticate. This seems to be the case whether it's a reboot of the same MAC address or a new MAC address. I'm thinking this might be something on the switch-to-ACS side, because the ACS server doesn't receive an authentication request until a few minutes after the machine is plugged in. Anyone ever seen something like this?
    Here is a sanitized copy of the switch config:
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log datetime
    service password-encryption
    service sequence-numbers
    hostname switchA
    enable secret 5 blah
    enable password 7 blah
    username blah password blah
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication dot1x default group radius
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ none
    aaa authorization network default group tacacs+ local
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    aaa session-id common
    clock timezone UTC -5
    clock summer-time UTC recurring
    ip subnet-zero
    ip dhcp snooping vlan 1
    ip dhcp snooping
    cluster commander-address mem
    dot1x system-auth-control
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface FastEthernet0/1
    switchport mode access
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 1
    switchport port-security violation protect
    switchport port-security aging type inactiv
    dot1x mac-auth-bypass
    dot1x pae authenticator
    dot1x port-control auto
    dot1x host-mode multi-host
    dot1x reauthentication
    dot1x guest-vlan 23
    spanning-tree portfast
    ip dhcp snooping limit rate 100
    interface GigabitEthernet0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    ip dhcp snooping trust
    interface GigabitEthernet0/2
    switchport mode dynamic desirable
    interface GigabitEthernet0/3
    interface GigabitEthernet0/4
    interface Vlan1
    ip address 10.10.10.1 255.255.252.0
    no ip route-cache
    ip classless
    ip http server
    ip http access-class 1
    ip http secure-server
    snmp-server community
    snmp-server community
    tacacs-server host 10.10.10.6
    tacacs-server directed-request
    tacacs-server key 7 blah
    radius-server host 10.10.10.6 auth-port 1645 acct-port 1646 key 7 blah
    radius-server source-ports 1645-1646
    radius-server vsa send accounting
    radius-server vsa send authentication
    control-plane
    alias exec macsh sh mac-address | include
    alias exec arpsh sh arp | include
    line con 0
    line vty 0 4
    access-class 1 in
    password 7 blah
    line vty 5 15
    password 7 blah
    ntp clock-period 36029099
    ntp server 10.10.10.9
    end

    A couple of things here.
    * Not sure about a debug and a DHCP with a debug from your reference. Suffice it to say, though, that if you're running 1X on a port, don't even expect DHCP to work (or anything else for that matter) until 802.1X has authorized the port (and gotten out of the way of the data plane). And DHCP is completely controlled from the client anyway; that should have predictable timing, expected operation, etc.
    The tx-period is a timer written into the 1X spec. An authenticator (switch) has the responsibility of re-transmitting frames it expects an answer to. In this case, it's the very first frame (EAPOL-Id-Request) when the switch is looking for a supplicant. The tx-period (30-sec default) is the period for how often the switch will re-transmit the frames. 30 sec is the recommended timer from the 1X spec (since packet loss should be a null concern). But in your case, bear it in mind if you're wanting a non-1X port to "enable". The Guest-VLAN and MAC-Auth-Bypass can only execute after 802.1X has timed out. So, you may want to consider tweaking the timer down in the interest of giving this non-1X device some "more immediate" access. There's security built into trying 1X first, however, so there's no silver-bullet recommendation here.
    The other value I mentioned before was max-reauth-req. This is how many times 1X will REtransmit the initial EAPOL-Id-Req frame before giving up on the fact that a supplicant is not there.
    So effectively, the formula for timing out on 1X for these supplemental techniques is:
    tx-period * (1 + max-reauth-req)
    Hope this helps,

  • How to provide access to multiple users connected to a Dumb switch? (multi-auth/multi-domain)

    Good morning everybody,
    I am writing on behalf of not being able to implement a desired outcome in our company network. In fact the situation is as follows:
    What I want to do is to be able to authenticate users (802.1x authentication) against our company RADIUS server and authorize their access by having a dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization have been working completely smoothly (there are no problems with that itself). The concept involves the configuration of both DATA and VOICE VLANs, as there is also phone authentication implemented. In order to simulate this environment I introduce a dumb switch connected to my Cisco 2960 Catalyst.
    What I have successfully managed to get to work so far is this:
    1) On one switch port I have tried the "authentication host-mode multi-domain" and it worked perfectly for a PC behind a telephone, or with one PC connected to the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation as there is a separation into two domains, DATA and VOICE. Below is an output from show authentication sessions for this scenario.
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
    show authentication sessions:
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac   dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    However, I cannot succeed authentication of many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain modes.
    What I want to get is an output like this:
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    I want the switch to authenticate the users any time they connect to it and for them to have instant access to the network. (I say this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked, but two users never had access to the "Internet" simultaneously!!!)
    The configuration of the interface connected to the Dumb switch is as follows.
    interface FastEthernet0/x
     description Connection to DUMBswitch
     switchport mode access
     switchport voice vlan XXX
     switchport port-security maximum 10
     switchport port-security
     switchport port-security violation protect
     authentication host-mode multi-auth
     authentication priority dot1x
     authentication port-control auto
     authentication timer reauthenticate 4000
     authentication violation replace
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    The way I see it is explained in the following steps:
    - PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
    - When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
    Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
    Has anybody ever succeeded in such a configuration example? If yes, I would love to get some help in doing so.
    Thank you
    Stoimen Hristov

    Hi Stoimen,
    I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
    From what I can see, you have 2 options available to you:
    1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
    2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
    Hopefully someone else will chime in with another option.
    Xavier

  • Recording Cisco phones registered on CUCM 8.6 with Verint Impact 360 not working.

    Hello,
    We're trying to record audio from Cisco IP phones registered to a CUCM 8.6 using SPAN and Verint Impact 360 with no success.
    Verint provided us with some information to do the integration but we understand we don't need to do much on Cisco side besides configuring SPAN session to monitor the traffic we want.
    We configured the following SPAN session:
    monitor session 2 source interface Gi1/0/1 - 48
    monitor session 2 source interface Gi2/0/1 - 47
    monitor session 2 destination interface Gi2/0/48
    Verint Impact 360 NIC is connected on port Gi2/0/48 but no RTP traffic is being detected.
    Phones are connected to ports 1/0/5 and 1/0/6; this is a stack of two 3750E switches. The configuration on the ports is:
    interface GigabitEthernet1/0/5
     switchport access vlan 186
     switchport mode access
     switchport voice vlan 176
     switchport port-security maximum 2
     switchport port-security
     speed 100
     duplex full
     spanning-tree portfast
    interface GigabitEthernet1/0/6
     switchport access vlan 186
     switchport mode access
     switchport voice vlan 176
     switchport port-security maximum 2
     switchport port-security
     speed 100
     duplex full
     spanning-tree portfast
    Vlan 176 is the voice vlan we're using. Wireshark will see SCCP traffic but nothing else.
    Does anybody have any tips or recommendations we could try?
    Regards,
    Daniel G.

    is there any difference when you SPAN based on vlan?
    monitor session 1 source vlan 176
    monitor session 1 destination interface Gi2/0/48

  • Printer aging-time "best practice"

    Hi,
    Our new printers are losing their IP addresses after some time with no use...
    I guess that they are not sending any frames onto the port, and the aging-time on the VLAN is kicking in.
    When reading this forum a few suggestions come up:
    Changing the aging-time on the VLAN for printers (are there any known caveats to changing this?)
    Static MAC address settings on the port (we have ~500 printers, so that feels somewhat funky)
    How do you guys handle this?
    This is a normal port config for our printer ports on a 2960 tc-l  12.2(58)SE1.
    interface FastEthernet0/21
     description printerVlan
     switchport access vlan 3
     switchport mode access
     switchport nonegotiate
     switchport block multicast
     switchport block unicast
     switchport voice vlan 2
     switchport port-security maximum 3
     switchport port-security
     switchport port-security aging time 2
     switchport port-security violation restrict
     switchport port-security aging type inactivity
     switchport port-security aging static
     srr-queue bandwidth share 10 10 60 20
     priority-queue out 
     mls qos trust cos
     storm-control broadcast level 10.00
     auto qos voip trust 
     no cdp enable
     spanning-tree portfast
     spanning-tree bpdufilter enable
    All ideas are welcome.
    Regards Falk

    If you create a new ASO (remember, this does not work in BSO) database, right click in the outline (okay, the completely blank outline).
    You should see a pop up menu with "Create date-time dimension..."
    I should also note that you have to click on the word "Outline: dbname" to do this.
    I wonder if you are trying to do this in a BSO app as that will make the menu item show up unselected.
    Regards,
    Cameron Lackpour

  • Best practice for unmanaged switch to cisco switch

    In our environment, I have to allow some users to have an unmanaged switch which is connected to an access port.
    I put this configuration on each port which is connected to an unmanaged switch (Netgear 8 port):
    interface GigabitEthernet1/0/47
    switchport port-security maximum 3
    spanning-tree guard root
    end
    port-security maximum 3: only allow 3 MACs
    spanning-tree guard root: just in case, to protect the root bridge if someone puts in a managed switch with a lower bridge ID.
    I connected one cable from the unmanaged switch to another port to make a loop for a test.
    It showed that the switch got "Loop-back detected" and put the port in err-disable automatically. So I don't need to worry about this.
    Apr  7 18:33:01.370: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on GigabitEthernet1/0/47.
    Apr  7 18:33:01.370: %PM-4-ERR_DISABLE: loopback error detected on Gi1/0/47, putting Gi1/0/47 in err-disable state
    Apr  7 18:33:02.373: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/47, changed state to down
    Apr  7 18:33:03.379: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/47, changed state to down
    LAB_HQ_Fiber(config-if)#
    What options do you usually use to protect against an unmanaged switch?
    I am not able to use "spanning-tree bpduguard" because it will block the port.
    I can use "spanning-tree bpdufilter" to protect the STP area, but I don't think this is a big matter.

    Hello
    If you need to attach these kinds of switches/hubs, make sure you shut down all unused ports on the managed switch so as to limit any further unauthorized attachments looping back into the network from the unmanageable device. This way you can manage these unmanageable devices to a certain extent.
    As for the STP root, you should manually set your STP priority on the managed switch to a low value anyway so as not to allow any other new device to negotiate itself into becoming the root, and for the ports you are aware will have these devices attached, I would disable portfast and also advise against using bpdufilter as this negates the STP process.
    Int range fa0/x -xxx
    description unmanaged devices
    no cdp enable
    On all managed switches, and on all ports you DON'T expect to have unmanaged hubs/switches, I would suggest applying:
    spanning-tree loopguard default
    udld enable
    udld aggressive
    int range fa0/x -xxx
    description access ports
    switchport port-security
    switchport port-security aging type inactivity
    switchport port-security violation restrict/shutdown
    switchport port-security maximum 2
    spanning-tree portfast
    spanning-tree bpduguard enable
    spanning-tree guard root
    no cdp enable
    One last thing: I also wouldn't enable error recovery either, as you would want to know the reason why your ports are erroring and not go chasing your tail over why you're having intermittent network issues.
    res
    Paul
