Cisco Security :: 3750 / Dynamic ARP Inspection - Windows 7?
Mar 2, 2011
I have a network of 3750's configured for DAI with DHCP Snooping implanted and working with windows XP for around a year. Now we've changed a couple machines for windows 7. I have a floor with around 200 workstations on XP and about 4 on Seven.Two of these WIN7 are triggering the err-disable for arp inspection (configured by default to block interfaces sending over 15 arp pps) I noticed that when I go on windows -> network and I do a refresh, sometimes (most of the time after boot up or idle time) it will trigger the massive arp response on the network. I noticed that all hosts on the network updated their arp entry for that computer(win7) at the same time, for some reason I don't know. The windows 7 tries to reply over fifty arp requests for its IP which caused the port to be put on err-disable.There were no applications running on the windows7 computer at the time of the tests, only wireshark and its default services.This computer has configured:DHCP with WINS Its on a windows domain has netbios over TCP.
View 1 Replies
ADVERTISEMENT
Jun 14, 2010
We have ip arp inspection and dhcp snooping enable in couple of 3750 and 3560 switches. Everything works fine, excepted few case that DAI packet rate trigger and errdisable the port. Later on we found out that most of computer that trigger DAI is Windows 7 and especially when they are in sleep mode. Not sure if anyone experiencing it with Windows 7. Also we have it rate limit at 64.
View 2 Replies
View Related
Mar 6, 2013
How config dynamic alp inspection for 300 or 500 series ? I find in admin guide it's no simple to do.
View 8 Replies
View Related
Jun 5, 2012
I need to allow traffic between webserver in dmz and mssql (Microsoft SQL Server 2008).MSSQL use dynamic port (now it is 63796) and this cannot be changed.
Basically, I can allow such traffic using next configuration:access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 1433access-list dmz extended permit udp host 1.2.3.4 host 5.6.7.8 eq 1434 access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 63796
But, I would like to add mssql inspection and I did the next:
class-map class_sqlnetmatch port tcp eq 1433policy-map global_policyclass inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp class class_sqlnet inspect sqlnet service-policy global_policy global
[Code] ..........
View 1 Replies
View Related
Apr 22, 2013
I have enabled IP DHCP snooping on a 24 port 3560 switch (v small office) and let the database fill up, now I have added dynamic arp inspection on the single vlan and I amd getting these errors.
Apr 23 16:15:34: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/5, vlan 1.([5835.d9b0.b9d1/172.30.5.2/0000.0000.0000/172.30.5.3/16:15:33 BST Tue Apr 23 2013])
Apr 23 16:15:39: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/8, vlan 1.([0004.f2be.55e4/172.30.5.5/0000.0000.0000/172.30.5.8/16:15:39 BST Tue Apr 23 2013])
Apr 23 16:15:40: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/8, vlan 1.([0004.f2be.55e4/172.30.5.5/0000.0000.0000/172.30.5.8/16:15:40 BST Tue Apr 23 2013])
[Code] .....
View 2 Replies
View Related
Aug 22, 2012
I have an Internet link, connected to my Cisco Router. The package I subscribed for comes with a dynamic IP Address. I was told, if I need to remote access into the Cisco Router, I need to enable the DDNS feature. Can this be done on a Cisco Router?
View 1 Replies
View Related
Apr 17, 2011
I'm having some issues configuring NAT statements on my ASA5505 which has recently been upgraded to 8.41.
I have a single dynamic IP on the outside interface of the ASA and would like all internal hosts to NAT/PAT to it. In addition, I would like to have several ports 'forwarded' to internal hosts, one of which is TCP/4343. With the current configuration all hosts are NATing to the external interface properly but the service running on TCP/4343 is not accessible from the outside. See command output below:
"sh run object" output:
object network DrJones host 10.81.220.90object network LAN-10.81.220.0 subnet 10.81.220.0 255.255.255.0
"sh run nat" output:
object network DrJones nat (inside,outside) static interface service tcp 4343 4343object network LAN-10.81.220.0 nat (inside,outside) dynamic interface
"sh run access-list" output:
access-list inside_access_in extended permit ip 10.81.220.0 255.255.255.0 anyaccess-list outside_access_in extended permit icmp any any echo-replyaccess-list outside_access_in extended permit tcp any interface outside eq 4343
View 6 Replies
View Related
Oct 2, 2012
I have connected a 10BaseT device to a CISCO Catalyst 3560xPOE switch with dynamic port security. All seems to work fine when the distance between the two devices is closer then 200ft. When I connect to 10BaseT devices farther out near 300ft the response from the attached device is lost. It works ok on unmanaged switches at the longer distance. Is there a minimum response time from attached devices for dynamic port security to work properly? Is there any other explanation why it would work on cheaper switches, but not on the Port Secured Switch?
View 2 Replies
View Related
Jan 9, 2013
I have a home server that I'm using to host a site with a domain purchased from Go Daddy. I understand how to set up a static IP address on Win Server 2008, but my provider will not allow for me to purchase a static IP because I'm a home customer, not a business.My question is this: should I just ipconfig my ip address every seven days and then change my server's address? Is there a software alternative? Is it necessary for me to change it at all?
View 1 Replies
View Related
Aug 30, 2011
Does any know of a Windows utility than can send an alert via e-mail to me when my dynamic IP address changes?
View 5 Replies
View Related
Oct 23, 2012
How to change my dynamic ip address in windows 7
View 2 Replies
View Related
May 22, 2012
I was wondering if there is a workaround to have a mac access-list bond to a port security violation action our need is the following: we have a range of 10 mac addresses that can use any port on the 3750, we only want to allow those ones yet we also need to tak action if a denied mac appears on any port of the switch.the only work around I found is to basically go into a port-rage mode and list all the allowed mac addresses under all the ports of the switch. I would also add to that a port violation action. did not test it but should work. problem is, it would be a huge config.I did read that we can create a mac access list and then bind that mac to physical ports wich will actually simplify our solution yet I did not find a way to bind the mac list with a port violation action.
View 1 Replies
View Related
Dec 29, 2011
I have an ASA 5510 that I want to connect to 2 isp (one of my private network uses the isp1, and all others the isp2). Excluding the 5510 does not accept PBR(policy based routing), i saw that you could put a router, like cisco 2811 in front of the ISP. my questions are : can i put a switch 3750 in place of the 2811 router? , I have vpn connections in isp1, this architecture is compatible?
View 2 Replies
View Related
Sep 2, 2012
Is it possible to use Port Security mechanism between two switch (3750 or 3560) ports while trunk has been configured? If it's not possible, is there any other way to ensure that no other Switch can be connected other then the one switch which has been configured/placed by a network engineer?
View 4 Replies
View Related
May 24, 2011
I'm currently investigating an issue for one of our customers where one of their 3750 Core Switch Stacks crash / becomes unresponsive during a NESSUS Scan.
They've diabled DoS testing and have ensured that safe scanning is enabled. For the test they are port scanning all of their VLANs (around 600 internal addresses).
The network consists of 2x 3750 Switch Stacks connected via fiber, edge switches connect into these cores. Both cores are running HSRP, for VLAN gateway redundancy.
Issue Being faced is as follows:
During the scan, Core 1 becomes unreachable from Core 2. We can telnet to Core 2 and administer as necessary. However we cannot telnet to Core1, a console connection also fails - the switch stack is unresponsive, but does respond to pings.
On Core 2 I've performed a show proc cpu sorted and can see the IP Input process is running at around 60% and the CPU is highly utilised.
Once Core 1 becomes unreachable the network gradually grinds to a halt, almost mimicking some sort of broadcast storm or Spanning Tree loop.
Interestingly Core 1 HSRP is still active, so the hello packets are still being sent.
The only resolution to the issue is to perform a hard reset of the Core to restore service.
Logs from core 1 show the CPU becomes fully utilised. There is also an error logged indiciating:
%FIB-2-FIBDOWN: CEF has been disabled due to a low memory condition. It can be re-enabled by configuring "ip cef [distributed]"
Both cores are running IOS 12.2.(52) SE IPBASE. I've attempted to reproduce the issue in the office here and although a NESSUS scan does increase switch CPU utilisation I couldn't reproduce the failure scenario.
What may be causing the 1st core to become unresponsive? I've found some articles with regard to a 6500 switch rebooting during a NESSUS scan, and also some HP switches exhibiting similar behaviour but nothing that matches the exact scenario I'm investigating.
View 4 Replies
View Related
May 21, 2012
I have a 3750 switch with IP routing enabled and have lots of VLANs configured on this switch.What is the best way to prevent VLANs from talking to each other?At the same time, hosts inside their respective VLANs should not be blocked from reaching any private networks as they could be doing some L2L with another site.Blocking the VLANs from accessing/telnetting the switch was very simple as I was able to do this in the VTY line section. However blocking VLANs from accessing the other VLANs on the switch seem to be hard and I think there has to be a recommended way of doing this. For example, if hosts in one of my VLANs, in this case VLAN-204 (10.10.10.0/24) want to hack or scan hosts on one of my other VLANs, in this case VLAN-330 (10.20.20.0/24), how can I accomplish this without blocking VLAN-204 hosts from accessing another network they have a site to site tunnel with with the same destination address of 10.20.20.0????
View 2 Replies
View Related
Jun 5, 2012
We have several 3750 stacks across our campus that we are unable to completely clear port security on. We have mac address stick set up on all access ports. When we clear the sticky address on the port, the mac address is removed from the running config like normal, but we keep getting port-security voilations. If port security is taken off the port completely, i.e. no switchport port-security, traffic still doesn't pass the port. Even clear port security across the stack doesn't work. If we try to reload the stack, only the master reboots, and the other switches in the stack lose switch capabilities.
View 1 Replies
View Related
Feb 28, 2008
We are looking for a solution to avoid VPNs to encrypt data between HQ and Bldgs (point-to-multipoint) Gigabit fiber(untrusted media).Is there any cisco's product providing layer2 encryption over Giga fiber?The HQ has a 6509s and remote bldgs have mixed of 3750s,4500s in trunks.
View 2 Replies
View Related
Feb 12, 2004
i want to know if the new Catalyst 3750 Support Private Vlan ?
or any other small Switches
View 3 Replies
View Related
Feb 29, 2012
Does Catalyst Cisco 3750 supports NAC Fail Open Feature? Symantec Network Access control has been deployed in our network to protect the end user systems and access control.we initiate to enhance failover/fail open solutions on the switches to minimize the minimum downtime for disaster recovery in case of major disasters in the Data centres.Kindly request to let us know if NAC fail Open works on Cisco Catalyst 3750 Switches or not?
View 0 Replies
View Related
May 27, 2010
I have a 3750 switch stack running version 12.2(53)SE2 IPBASEK9-M. I have dot1x configured on the switch and have a Windows 7 PC connected with 802.1x configured on the interface. I see the EAPoL start message from the PC, but I don't see any RADIUS packets from the switch to the RADIUS server. I have a simple dot1x config just to try to get it working prior to adding additional features such as guest-vlan...
Config and debug file attached.
I don't know if the ip dhcp snooping and arp inspection configuration is causing an issue with this or not. I see the EAPoL packet received on the switch as seen in the debug attachment, but I still never see the RADIUS packet. I did set both to trust on the interface but still the same outcome. I can't disable it since it is a production switch with a test interface.
View 5 Replies
View Related
Dec 21, 2009
i tried to create a customized web-authentication page that will re-direct any user to the web-page once they are connected to the network.
The problem is, i just cant attach/upload the image of the logo into the customized web-page (welcome/login page).Been researching about it, found and tried some clue bout it on cisco documentation, but still can't solve the problem.
Cisco document :Catalyst 3750 Switch Software Configuration GuideCisco IOS Release 12.2(52)SESeptember 2009
switch version :WS-C3750-48TS
show flash :2 -rwx 12305677 Mar 1 1993 01:27:03 +00:00 c3750-ipservicesk9-mz.122-52.SE.bin3 -rwx 131 Mar 1 1993 00:17:25 +00:00 log.text5 -rwx 3254 Mar 1 1993 00:01:01 +00:00 config.old8 -rwx 113 Mar 1 1993 03:24:33 +00:00 pass.htm9 -rwx 1088 Mar 1 1993 03:39:18 +00:00 login.htm10 -rwx 113 Mar 1 1993 03:21:30 +00:00 fail.htm11 -rwx 104 Mar 1 1993 03:25:32 +00:00 expire.htm12 -rwx 856 Mar 1 1993 00:05:19 +00:00 vlan.dat14 -rwx 2479 Mar 1 1993 01:25:05 +00:00 web_auth_logo.jpg16 -rwx 1048 Mar 1 1993 00:01:01 +00:00 multiple-fs27 -rwx 1053 Mar 1 1993 02:18:34 +00:00 webauthpage.html38 -rwx 6551 Mar 1 1993 01:19:33 +00:00 logotest.html
following is my running configuration :Building configuration...
Current configuration : 4205 bytes!version 12.2no service padservice timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname Switch!boot-start-markerboot-end-marker!!!!aaa new-model!!aaa authentication login default group radiusaaa authentication login line-console noneaaa authentication dot1x default group radiusaaa authorization auth-proxy default group radius!!!aaa session-id commonswitch 1 provision ws-c3750-48tssystem mtu routing 1500authentication mac-move permitip subnet-zeroip
[code]....
View 1 Replies
View Related
Mar 5, 2013
our C3750 like the one described here [URL]
We have the port on the switch set like this:
switchport port-security maximum 25
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
In case a device connected to the port is inactive for more than 2 minues ( aging time ) the first frame/packet the device generates arrives to the port on the switch, but the switch does not forward it to the appropriate port ( discards it or whatever ).
So far I tested on
1 30 WS-C3750E-24PD 15.0(2)SE2 C3750E-IPBASEK9-M
2 30 WS-C3750E-24PD 15.0(2)SE2 C3750E-IPBASEK9-M
3 52 WS-C3750G-48PS 15.0(2)SE2 C3750-IPBASEK9-M
[Code].....
When we remove port security from the port, it works perfectly fine, as expected.
It seems this is not HW or IOS version related. It seems it is not a stack synchronization issue, it does not matter if a device is connected to the first or other stack member. I tested on C3560 too, here there are no problems, so seems it is 3750 related.
View 1 Replies
View Related
Oct 20, 2010
My group has recently started configuring traps on our switches to alert us of issues as they arise vs. waiting for the Helpdesk to receive user complaints and then responding.We have successfully configured the 2950 and 2960 switches to alert us when a port-security violation happens. However, the 3750 switches refuse to fire the port-security violation traps. The 3750's will fire an errdisable trap when the port goes down though.
Here is one of the port configurations:
interface FastEthernet1/0/45
switchport access vlan 5
switchport mode access
switchport port-security
switchport port-security mac-address sticky
[code].....
And here is the output of the port-security debug:
2522070: Oct 21 16:37:04: %LINK-3-UPDOWN: Interface FastEthernet1/0/45, changed state to down
2522089: Oct 21 16:37:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/45, putting Fa1/0/45 in err-disable state
2522100: Oct 21 16:37:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0012.3f07.95d3 on port FastEthernet1/0/45.
All of the 3750's are running C3750-IPBASEK9-M, Version 12.2(53) SE2. Wireshark also shows the errdisable traps, but no other traps so I've ruled out the traps being missed. All of the switches have been reloaded and power cycled.
View 3 Replies
View Related
Apr 30, 2013
ISE 1.1.3
Cisco 3750 switches
Windows XP / 7 / 2008 clients
I'm having some weird issues were if a client connects to a switchport and happens to be using a static IP address then the client warns of a duplicate address problem. Also the client will then only show the default gateway within ipconfig even though the IP address / mask is still in the GUI network properties of the adaptor. This is happening with Windows 7 and Windows 2008 devices.
Windows XP clients don't get the issue.
Some clients will use 802.1x native supplicant and some will be authenticated based on MAB. Not noticed the problem with 802.1x clients but it always occurs on MAB.
I came across a similar issue here: URL
Going of that blog I tried using the "ip device tracking delay probe delay" command but the switches don't recognise the "delay" keyword.
The switches are 3750 switches running version 12.2(58)SE2.
All I have is "count, interval, use-svi" as extra options.
Catalyst 4500 switch guide has "delay" option but no "count, interval or use-svi".
The only way I have managed to avoid the problem is using the second solution which is a registry hack on each client. This is fine for the odd server but not realistic when there will be hundreds of other clients.
View 5 Replies
View Related
Jan 31, 2012
More and more recently I'm seeing that inspect ICMP and ICMP error do not allow trace route to work through the firewall from inside to outside.I used to go in, enable the inspections and subsequent trace route's worked. Now when this is enabled, the firewall still blocks return trace route.
View 4 Replies
View Related
Jul 8, 2011
We have ASA 5580 with multiple context in our company. On the one of the context (where the DNS servers are located) i can see a lot of DNS drops.
View 1 Replies
View Related
Sep 22, 2011
I am aware there is a feature request but don't see any updates. Taking the chance here that its fallen through the cracks and someone has figured out another way to monitor inspection load on ASA-SSM-20 IPS. We are currently running 7.0(5a)E4. I want to be able to use Solarwinds Orion to monitor Inspection Load on our IPS devices.
View 1 Replies
View Related
Aug 17, 2011
I'm aware ACL's are handled in hardware on the ASR platform but wondered if there was any way to inspect how many hits we get on each line of an ACL on the ASR, I can't seem to find a command to do this.
Using LOG is not possible due to the large number of hits.
View 2 Replies
View Related
May 25, 2011
I have multiple customers and servers behind my ASA5510s. After moving a new customer with an FTP server behind the firewalls, they immediatly had issues with customers connecting to their FTP server. I had the default inspection rules running regarding FTP. After removing the "inspect ftp" from the global policy their issues went away. Since this is a larger customer I can't force them to change their server, I need to accomodate and fix this on the firewall. I left the "inspect ftp" command out and there have been sporatic issues from other customers, unable to connect to outside FTP servers from the terminal servers and timeouts and disconnects to our own FTP servers.
This is what I "think" is the solution.. I added a second inspection policy after the default one and only added "inspect ftp" to it. Then I used the "exclude" option to exclude the new customer. That new customer is fine and things are better, but still not working right. Does the following config accomplish what I want?? Does the exclude ACL get what I need or do I need an "include" or permit statement in that ACL?
object-group network DM_INLINE_NETWORK_10 network-object 172.24.X.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp port-object eq ftp port-object eq ftp-data
access-list global_mpc extended deny tcp any object-group DM_INLINE_TCP_1 object-group DM_INLINE_NETWORK_10(code)
View 3 Replies
View Related
Jan 20, 2013
I have Dell Vostro 3750 with Windows 8. Bluetooth stopped working. I had problems with it from the start.I installed the driver: [URL]tried different drivers before.In Device Manager this driver has a yellow exclamation. ^Tasks and Settings Bluetooth^Bluetooth option is grayed in charm bar.
View 3 Replies
View Related
Feb 27, 2011
Whether ACS Se and Remote Agent 4.2.1.15.4 supports Windows 2008 R2.
View 6 Replies
View Related
Mar 13, 2011
I have installed CSA on windows 7 with rule to block rpc port 135.But when i am scannig this host, this port is still opened.I changed OS to Win Vista,Win7 x86, but there is no changes.Is it possible to block port 135 using CSA on windows 7?
View 2 Replies
View Related
