SG-500-28P How to configure switchport port-security violation setting
Is there a way to do switchport port-security violation {protect | restrict | shutdown} in SG-500-28P in case of a BPDU Guard violation?
Seems like the default option is shutdown and I don't know how to change it.
Thank you!
Hi,
You can recover from this violation by using the command below:
To enable automatic re-activation of an interface after an Err-Disable shutdown,
use the errdisable recovery cause Global Configuration mode command. To
disable automatic re-activation, use the no form of this command.
Syntax
errdisable recovery cause {all | port-security | dot1x-src-address | acl-deny |
stp-bpdu-guard | loopback-detection | udld }
no errdisable recovery cause {all | port-security | dot1x-src-address | acl-deny |
stp-bpdu-guard | loopback-detection | udld }
For more information:
Refer to this URL, page 406:
http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/Sx500/cli_guide/CLI_500.pdf
regards
Moorthy
Similar Messages
How to Configure SMTP Port in ODI
Hi,
Does someone know how to configure the SMTP port in the ODI tool? I tried changing the port number in the odiparams but I still encountered an error: "Could not connect to SMTP host." when executing the odisendmail package object, though I can access the SMTP server through tracetcp.
TIA,
Cathy950484 wrote:
Hi Bhabani,
Thanks for the quick response :) . I saw your post and it's a nice approach to sending mail instead of using an ODI package object odisendmail. However, the requirement is not to use the gmail credentials but to use the credentials provided to us. But I noticed that the port used for the SMTP server is not the default port number, which is 25. So I am guessing that the reason why I cannot connect to the SMTP host is because of the port number. Do you know how to solve this?
If you want to change the SMTP port then do the following:
edit smtplib.py located at <ODI_HOME>/oracledi/lib/scripting/LIB
change SMTP_PORT to what ever port you want .
restart ODI
execute your mail sending program
Switchport port-security on Routers ?
Hi All,
Wanting to restrict LAN ports on a 857 router to particular MAC addresses.
But the router doesn’t support the switchport command at all.
So I tried on the 1800 series and, though it does support "switchport", it doesn't support "switchport port-security".
Is there a particular router model that does or any other way around implementing a solution where if a rogue device plugs into the router the port shuts down?
thanks,
Ivan
Hi,
Switchport port-security as the name implies is to be configured on switchport. VLAN interface on the switch is a routed interface and hence, you can't apply any switchport configuration on it and that includes, port security.
HTH
Sundar
Switchport port-security maximum
I have a 4510R switch, ((cat4500e-UNIVERSALK9-M), Version 03.05.02.E RELEASE SOFTWARE (fc1)).
I'm configuring the port-security maximum using the following commands:
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
I don't know why sometimes this works and sometimes it does not.
To solve the issue I had to use the three commands:
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
The documentation does not say anything about whether I have to use the three commands together.
Hi,
This is an excerpt from the Configuration Guide for your box and IOS-XE release:
Each VLAN can be configured with a maximum count that is greater than the value configured on the port. Also, the sum of the maximum configured values for all the VLANs can exceed the maximum configured for the port. In either of these situations, the number of MAC addresses secured on each VLAN is limited to the lesser of the VLAN configuration maximum and the port configuration maximum. Also, the number of addresses secured on the port across all VLANs cannot exceed a maximum that is configured on the port.
The default "switchport port-security maximum" value for the port is "1". So unless you change this value to "2" your port can sense max. 1 MAC address in either vlan "access" or "voice" ONLY without triggering violation. This means that the total maximum number of MAC addresses allowed per all configured vlans per port equals ONE at the default only.
I hope my English makes sense.
Best regards,
Antonin
[switchport port-security mac ] on [interface VLAN n?]
Hello,
Did anyone try to use the command [switchport port-security mac-address n?] on [interface VLAN n?]? (for example on a 2950).
I don't have the material to make that test, and I am not sure if it works or not.
Many thanks!
Hi,
Switchport port-security as the name implies is to be configured on switchport. VLAN interface on the switch is a routed interface and hence, you can't apply any switchport configuration on it and that includes, port security.
HTH
Sundar
SCOM 2012 SP1 Cisco Port Security Violations
Hello,
I'm fairly new to System Center but have learned quite a bit over the last year. I am looking for some information on how to generate an alert off of a port-security violation. There's not much information about this, so I'm wondering if anyone out there has experience doing this.
Also, we run a fairly large Cisco environment (20000+ switchports), so my next question is, do I have to be monitoring every switchport to see a port-sec event happen? I've run some debug snmp packets on my Cisco devices, and I do see the SNMP trap sent for the port-security violation.
The universal device poller that I setup for this is: OID 1.3.6.1.4.1.9.9.315.1.2.1.1.2 or the MIB CISCO-PORT_SECURITY-MIB:cpsIfPortSecurityStatus, so I'm pretty confident that I've got the right data. I'm just looking for a way to see these events happen without having to monitor every single switchport on my network, and whether the alert will tell me which switch and which port had the violation.
Any help is always appreciated.
Hi,
I have to say that I don't have experience doing this, but in my opinion, if there are log files with that information, we can use SCOM to monitor the log file and fire alerts according to your requirements.
Based on my research, the output of the port-security debug may have information about which switch and which port had the violation. (I am not familiar with Cisco devices; if there is any misunderstanding, please feel free to let me know.)
Regards,
Yan Li
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
Hi all,
I'm sending syslog messages from some access switches to CiscoWorks's syslog server. CiscoWorks is installed on a Windows 2003 machine.
I can see %PORT_SECURITY-2-PSECURE_VIOLATION messages in the syslog.log file (located in C:\Program Files\CSCOpx\log\),
but the messages do not appear in the RME \ Syslog Analyzer Severity Level Summary Report.
Are there some variables/options that I must set/check in order to get the port-security violation (severity=2) messages included in the report?
Thanks for any hints!
Hello
The same also happened to me with a network point; I placed the MAC as drop and so far the port has not been blocked:
WS-C2960X-48FPD-L 15.0(2)EX5 C2960X-UNIVERSALK9-M
mac address-table static 7e77.3777.5776 vlan xx drop
mac address-table static 7e77.377a.57d6 vlan xx drop
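Both the SCOM question and the CiscoWorks syslog question above come down to the same thing: picking the port-security violation and err-disable messages out of a syslog stream and naming the switch and port they refer to. The following is an added example, not code from either thread: a small Python parser run over constructed IOS syslog lines (the %PM-4-ERR_DISABLE line copies the shape of the message quoted in the 802.1X thread further down this page, the %PORT_SECURITY-2-PSECURE_VIOLATION line follows the standard IOS wording; hostnames, sequence numbers, MAC addresses and all function names are my own assumptions).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines, not taken from either thread. The %PM-4-ERR_DISABLE line
# mirrors the shape of the one quoted in the 802.1X thread on this page; the
# %PORT_SECURITY-2-PSECURE_VIOLATION line follows the standard IOS wording.
SAMPLE_SYSLOG = """\
<188>Feb  4 19:16:16.645 sw-access-01 1201: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
<186>Feb  4 19:20:01.100 sw-access-02 5678: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/12.
<189>Feb  4 19:20:02.000 sw-access-02 5679: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/12, changed state to down
"""

# IOS syslog header: optional <PRI>, timestamp, optional hostname (absent on
# console/debug output), optional sequence number, then %FACILITY-SEVERITY-MNEMONIC.
HEADER_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?):?\s+"
    r"(?:(?P<host>[A-Za-z][\w.-]*)\s+)?(?:\d+:\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
PSECURE_RE = re.compile(
    r"caused by MAC address (?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) on port (?P<port>[\w/.-]+?)\.?$"
)
ERR_DISABLE_RE = re.compile(r"^(?P<cause>[\w-]+) error detected on (?P<port>[\w/.-]+),")

@dataclass(frozen=True)
class PortSecurityEvent:
    switch: str              # syslog hostname, or "unknown" for console output
    port: str
    mnemonic: str            # PSECURE_VIOLATION or ERR_DISABLE
    cause: str               # "port-security" or the err-disable cause word
    mac: Optional[str] = None

def parse_port_security_events(log_text: str) -> list[PortSecurityEvent]:
    """One event per violation / err-disable line; every other line is skipped."""
    events = []
    for line in log_text.splitlines():
        head = HEADER_RE.match(line.strip())
        if not head:
            continue
        switch = head.group("host") or "unknown"
        mnemonic, text = head.group("mnemonic"), head.group("text")
        if mnemonic == "PSECURE_VIOLATION" and (m := PSECURE_RE.search(text)):
            events.append(PortSecurityEvent(switch, m.group("port"), mnemonic,
                                            "port-security", m.group("mac").lower()))
        elif mnemonic == "ERR_DISABLE" and (m := ERR_DISABLE_RE.match(text)):
            events.append(PortSecurityEvent(switch, m.group("port"), mnemonic, m.group("cause")))
    return events

def events_by_switch_port(events: list[PortSecurityEvent]) -> dict[tuple[str, str], int]:
    """Count events per (switch, port) so an alert can name both, as the questions ask."""
    counts: dict[tuple[str, str], int] = {}
    for ev in events:
        counts[(ev.switch, ev.port)] = counts.get((ev.switch, ev.port), 0) + 1
    return counts

if __name__ == "__main__":
    for ev in parse_port_security_events(SAMPLE_SYSLOG):
        print(ev)
```

The err-disable cause word is kept rather than filtered, so the same pass also separates a port-security shutdown from a BPDU-guard or loopback one, which is the distinction the first thread on this page turns on.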
How to configure a port channel with VLAN trunking (and make it work..)
We're trying to configure a port channel group with trunked ports to connect a NetApp HA pair. We want to create two data LIFs and connect them to the switch stack. We are trying to create 2 data lifs, one for cifs and one for nfs that are on different vlans.
We want the same ports to be able to allow multiple vlans to communicate. (trunked)
These data lifs should be able to fail over to different nodes in the HA pair and still be able to communicate on the network.
What this means is that we have to connect 4 ports for each node in the NetApp HA pair to the switches and create a port channel of some type that allows for trunked VLANs. When we configure the ports, the configuration is as follows (below):
We are only able to configure an IP on one of the vlans.
When we configure an IP from another vlan for the data lif, it does not respond to a ping.
Does anyone have any idea what I'm doing wrong on the Cisco switch?
interface GigabitEthernet4/0/12
description Netapp2-e0a
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
channel-protocol lacp
channel-group 20 mode active
end
interface GigabitEthernet4/0/13
description Netapp2-e0c
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
channel-protocol lacp
channel-group 20 mode active
end
interface GigabitEthernet6/0/12
description Netapp2-e0b
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
channel-protocol lacp
channel-group 20 mode active
end
interface GigabitEthernet6/0/13
description Netapp2-e0d
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
channel-protocol lacp
channel-group 20 mode active
end
interface Port-channel20
description Netapp2-NFS
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
spanning-tree portfast
spanning-tree bpduguard enable
end
Our problem was fixed by the storage people. They changed the server end to trunk, and the encapsulation / etherchannel.
I like all the suggestions, and they probably helped out with the configuration getting this to work.
Thanks!
interface Port-channel20
description Netapp2-NFS
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
interface GigabitEthernet4/0/12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
channel-protocol lacp
channel-group 20 mode active
interface GigabitEthernet4/0/13
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
channel-protocol lacp
channel-group 20 mode active
interface GigabitEthernet6/0/12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
channel-protocol lacp
channel-group 20 mode active
interface GigabitEthernet6/0/13
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
channel-protocol lacp
channel-group 20 mode active
NAC and switchport port-security
Dear Friends,
I have NAC working as an Out-Of-Band Virtual Gateway.
When I enable Port Security on the CAM, it doesn't work very well.
I need to allow two MAC addresses per interface, one workstation and one phone.
The first user is authenticated and placed in the correct VLAN according to the group. Total MAC Addresses increases for the workstation and the phone correctly.
Switch#sh port-security interface gigabitEthernet 1/24
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : fcfb.fbca.2c65:89
Security Violation Count : 0
After that, if I:
- change of user
- bounce the interface
- plug another workstation on interface
Nothing happens, and the port remains on the Access VLAN.
Does somebody know how I can fix this problem?
Regards
Could you please elaborate on your question? I don't understand what exactly the problem is.
How to configure Symantec Mail Security for SMTP & Messaging Server 6.3
Hi!
I want to install Symantec Mail Security for SMTP 5.0.1 (host1) with Messaging Server 6.3 (in production, host2), but when I try to access the POP protocol to send a message from the Internet, the system displays a message about a relay problem.
- Could you help me with this issue?
- Do you know some documentation that speaks of this? I can't find any documentation that explains how to configure and integrate SMS and Messaging Server. Thanks in advance.
Regards, CRctemp1 wrote:
I want to install Symantec Mail Security for SMTP 5.0.1 (host1) with Messaging Server 6.3 (in production, host2), but when I try to access the POP protocol to send a message from the Internet, the system displays a message about a relay problem.
I take it that you have configured the Symantec software like this?
internet -> symantec mail security system -> sun messaging server -> recipient
A better approach is the following:
internet -> sun messaging server -> recipient
|
V
symantec mail security system (refer here: http://blogs.sun.com/factotum/entry/messaging_server_correctly_deploying_the)
- Do you know some documentation that speaks of this? I can't find any documentation that explains how to configure and integrate SMS and Messaging Server. Thanks in advance.
There is no documentation specifically for Symantec software, but we do document how to send emails via the Symantec mail security server using the aliasdetourhost channel keyword:
http://docs.sun.com/app/docs/doc/819-4428/6n6j42615?a=view#bgaqy
Regards,
Shane.
802.1X Port Based Authentication - IP Phone- MDA - Port Security Violation
I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Microsoft NPS RADIUS authentication on a test LAN. I have tested the authentication with a Windows XP laptop, a Windows 7 laptop with 802.1X EAP-TLS authentication, and a Mitel 5330 IP Phone using EAP-MD5 authentication. All the above devices work with the MS NPS server. However, in MDA mode, when the 802.1X-compliant Windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and goes into err-disable mode.
Feb 4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb 4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb 4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
Feb 4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Feb 4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
If the port config is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
The ports Gi1/0/1 & Gi1/0/2 are configured thus:
interface GigabitEthernet1/0/1
switchport mode access
switchport voice vlan 20
authentication event fail action authorize vlan 4
authentication event no-response action authorize vlan 4
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
mls qos trust cos
dot1x pae authenticator
spanning-tree portfast
sh ver
Switch Ports Model SW Version SW Image
* 1 52 WS-C2960S-48FPS-L 15.2(1)E1 C2960S-UNIVERSALK9-M
Full config attached. Assistance will be greatly appreciated.
Donfrico
I am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS, but the IAS log shows an invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
However, I am successfully using IAS to authenticate WPA users on AP1210s, so RADIUS appears to be working OK.
Are there special attributes that need to be configured on the switch or IAS?
Difference between protect/restrict port security violation action?
Hi all,
I've read the documentation, but found the explanations a bit vague. Could someone please explain the difference between these two?
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/comref/s1.htm#wp1184020
Thanks.
The only difference is that the security violation counter is incremented in restrict, while it is not incremented in protect.
So each time a violation occurs, you can do a show port-security on that port:
Switch# show port-security interface fastethernet0/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses :50
Total MAC Addresses: 11
Configured MAC Addresses: 0
Sticky MAC Addresses :11
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0
The "Security Violation count" line above will be incremented when restrict is configured, and will not increment if protect is configured.
Either way, the packets from the insecure hosts will be dropped if a violation occurs.
HTH
Sankar.
How do i recover a security trust setting password?
I don't know what happened, but the password for my computer's security trust setting is not working now. How can I change the password?
Mac OSX version? Mac model?
How i configure various ports in the same service in a CSS.
Hi,
I have the following scenario:
2 web servers, each one running ports 80,81,82,83,84
and I have a content rule defined on port 80.
In the end I want all the requests that come to the VIP on port 80 to be balanced across the 2 web servers on the different ports (80,81,82,83,84).
Note: I have configured a range of ports in the same service, but this doesn't work:
service PS
ip address 10.0.0.5
protocol tcp
port 80 range 5
keepalive type http
keepalive method get
active
What can i do?
gfiguereo.
Hi,
The only thing that comes to mind is to have a service defined for each tcp port. So since you have 2 physical servers and 5 different ports for each, you would have 10 services.
service PS1
ip address 10.0.0.5
port 80
service PS2
ip address 10.0.0.5
port 81
then another 3 that look like this one, only using ports 82,83,84
then another 5 like the above 5, only the ip address would be different.
Then you would have 10 services added to your port 80 content rule.
Regards
Pete..