Cisco WAN :: Port Security Action On 3750?
May 22, 2012
I was wondering if there is a workaround to have a MAC access-list bound to a port security violation action. Our need is the following: we have a range of 10 MAC addresses that can use any port on the 3750; we only want to allow those ones, yet we also need to take action if a denied MAC appears on any port of the switch. The only workaround I found is to basically go into a port-range mode and list all the allowed MAC addresses under all the ports of the switch. I would also add to that a port violation action. I did not test it, but it should work. The problem is, it would be a huge config. I did read that we can create a MAC access list and then bind that MAC list to physical ports, which would actually simplify our solution, yet I did not find a way to bind the MAC list with a port violation action.
Sep 2, 2012
Is it possible to use the Port Security mechanism between two switch (3750 or 3560) ports while a trunk has been configured? If it's not possible, is there any other way to ensure that no other switch can be connected other than the one switch which has been configured/placed by a network engineer?
Jun 5, 2012
We have several 3750 stacks across our campus that we are unable to completely clear port security on. We have MAC address sticky set up on all access ports. When we clear the sticky address on the port, the MAC address is removed from the running config like normal, but we keep getting port-security violations. If port security is taken off the port completely, i.e. no switchport port-security, traffic still doesn't pass the port. Even clearing port security across the stack doesn't work. If we try to reload the stack, only the master reboots, and the other switches in the stack lose switch capabilities.
Mar 5, 2013
Our C3750 is like the one described here: [URL]
We have the port on the switch set like this:
switchport port-security maximum 25
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
In case a device connected to the port is inactive for more than 2 minutes (aging time), the first frame/packet the device generates arrives at the port on the switch, but the switch does not forward it to the appropriate port (discards it or whatever).
So far I tested on
1 30 WS-C3750E-24PD 15.0(2)SE2 C3750E-IPBASEK9-M
2 30 WS-C3750E-24PD 15.0(2)SE2 C3750E-IPBASEK9-M
3 52 WS-C3750G-48PS 15.0(2)SE2 C3750-IPBASEK9-M
[Code].....
When we remove port security from the port, it works perfectly fine, as expected.
It seems this is not HW or IOS version related. It seems it is not a stack synchronization issue; it does not matter if a device is connected to the first or another stack member. I tested on a C3560 too, and there are no problems there, so it seems to be 3750 related.
Oct 20, 2010
My group has recently started configuring traps on our switches to alert us of issues as they arise vs. waiting for the Helpdesk to receive user complaints and then responding. We have successfully configured the 2950 and 2960 switches to alert us when a port-security violation happens. However, the 3750 switches refuse to fire the port-security violation traps. The 3750's will fire an errdisable trap when the port goes down though.
Here is one of the port configurations:
interface FastEthernet1/0/45
switchport access vlan 5
switchport mode access
switchport port-security
switchport port-security mac-address sticky
[code].....
And here is the output of the port-security debug:
2522070: Oct 21 16:37:04: %LINK-3-UPDOWN: Interface FastEthernet1/0/45, changed state to down
2522089: Oct 21 16:37:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/45, putting Fa1/0/45 in err-disable state
2522100: Oct 21 16:37:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0012.3f07.95d3 on port FastEthernet1/0/45.
All of the 3750's are running C3750-IPBASEK9-M, Version 12.2(53) SE2. Wireshark also shows the errdisable traps, but no other traps so I've ruled out the traps being missed. All of the switches have been reloaded and power cycled.
May 21, 2012
We have a stack of switches that is at the max number of members allowed in the stack. The problem is we are running out of port density and need to add more ports. So instead of adding a whole new stack I would rather replace 2 of the 24-port switches with 48-port switches.
If the two 24-port switches we are removing are stack members and neither of them is the stack master, should I be able to replace the 24-port switches with the 48-port switches without bringing the master offline? If the new 48-port switches are running the same IOS version as the current 24-port switches, should they add themselves to the stack? Would I have to tell the new 48-port switches what switch numbers they are replacing in order for them to be added to the stack, since we are at the max number of members? Also, since the 48-port switches are replacing 24-port switches, will the master give the 48-port switches the configuration for only the 24 ports?
Aug 13, 2012
I'm trying to enable port security on several 4507R's. When I try to configure a range of ports the switch will randomly put 1 or 2 in err-disable. It's different every time I apply the config to the same group of ports. However if I do them one at a time it seems to work. But I really don't want to configure 6 fully populated switches one port at a time. We also have a lot of 3750's and they gave me no problem using a port range. [code]
Jul 2, 2012
I have a Cisco Catalyst 6500 with IOS Version 12.2(17r)SX5. I need real-time monitoring of a failed interface, to shut it administratively down and after 5 minutes "no shutdown" it. I think it is a good idea to use Cisco EEM for this task. My algorithm is below:
1. EEM script is looking for event about failed interface.
2. EEM script is shutting interface down.
3. EEM script is waiting 5 minutes.
4. EEM script is enabling interface.
I know how to configure EEM for steps 1, 2 and 4, but not step 3.
Jul 4, 2011
Migrating from LMS 3.0.1 to 4.0.1 was relatively simple, but we had a simple configuration which doesn't run on our new CiscoWorks version:
1) Routers send syslogs to the CiscoWorks server.
2) Our ..CSCOpxlogsyslog.log file updates correctly and saves syslog data coming from various devices.
3) The same automated action we had on LMS 3.0.1 (it was a trivial ALL FACILITIES *-*-*-*-* send email to) does not work on LMS 4.0.1.
Jul 18, 2011
My Cisco AnyConnect VPN clients are able to access all of my internal networks except another site which has an IPsec site-to-site VPN. The Cisco ASA forwards the packets destined to this remote site to a Cisco router which NATs the source addresses (pool 10.17.252.0/24) to a 192.168.46.0 range. The remote network is 155.x.x.x, which I have included in my internal subnets object-group, and I added a route on the ASA to route it inside.
I have configured NAT so that it does not NAT anything from the AnyConnect client range to the internal subnets. I am using version 8.3(2) and the NAT rule is:
nat (outside,inside) source static SSLPOOL SSLPOOL destination static INSIDE_NETS INSIDE_NETS
I still cannot connect to the remote side via the VPN; when I run this through packet-tracer, I get a failure on phase 6:
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Result:Drop reason: (acl-drop) Flow is denied by configured rule
I can't seem to work out what it is that is blocking it. The NAT rule above is rule 1 in case some other NAT rule is causing the issue.
Jun 2, 2011
If we use an ACE4710 to load balance two real servers, obviously it will use health checks to determine if a server is down. When it detects a server is down, it will not send it any more traffic. But can we also have it take any other action? For example, maybe email an admin, or send an SNMP trap? Or better yet, can we use a custom TCL script to do other things, like launch some custom activities?
Mar 23, 2011
I have two questions about ZBF on ASR1000 with Firewall and Flexible Packet Inspection license:
1. Is IPv6 supported?
2. Can I use a police action in an inspect rule? I want to limit some protocols to low bandwidth. There is no police command in the ZBF policy map.
May 1, 2012
We have a Cisco 2911 router. We installed an EHWIC-4ESG module and configured the router based on the configuration below.
ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
System image file is "flash0:c2900-universalk9-mz.SPA.151-4.M1.bin"
Cisco CISCO2911/K9 (revision 1.0) with 483328K/40960K bytes of memory.
7 Gigabit Ethernet interfaces
1 terminal line
[code]....
Apr 9, 2013
The Cisco 4500-X does not support egress queuing on VLAN interfaces (SVI), which means it cannot do traffic shaping. Is there a workaround via policing? I can police the traffic and then on the trunk interfaces do "per-port-per-VLAN" QoS, but again only policing, not shaping, so I was wondering what the effect of the "exceed-action transmit" command is:
policy-map SHAPE
class class-default
shape-average 8000000
Versus...
policy-map POLICE
class class-default
police 8000000 4000 conform-action transmit exceed-action transmit
Apr 20, 2013
I have an RV042 V01 and V03 and an RV082 V03. I'm wondering if there's a difference between the default actions taken by the "Logs" interfaces?
In the case of the V01 systems, it appears that I get a Security Notification every hour. In the case of the V03 system, it appears that I rarely get a Security Notification.
Dec 25, 2011
A while ago, I got a virus that tried to mimic the Windows Action Center. Since then, I have used Malwarebytes Anti-Malware, CCleaner and Microsoft Security Essentials to scan and remove the virus. Usually what happens is that I will be using Firefox, and all of a sudden most of my programs will exit, and one of those fake virus scanners comes up (Microsoft Security Essentials also turns off, if that is important). I open the task manager and identify the program. I open Explorer (as I can't open MBAM or MSE) and delete the file. While it is in the recycle bin, I can open MBAM (for some reason, it asks what program to open MBAM with; I just pick MBAM from the list) and I scan and remove the threats. Then I empty the recycle bin, and use CCleaner to fix the registry. Lastly, I use MSE to scan the computer. Everything works for a while until it comes back again... and again... and again. I've tried the same steps in safe mode and again in regular mode. It's still happening.
Mar 2, 2011
I have a network of 3750's configured for DAI with DHCP Snooping implemented and working with Windows XP for around a year. Now we've changed a couple of machines to Windows 7. I have a floor with around 200 workstations on XP and about 4 on Seven. Two of these Win7 machines are triggering the err-disable for ARP inspection (configured by default to block interfaces sending over 15 ARP pps). I noticed that when I go on Windows -> Network and I do a refresh, sometimes (most of the time after boot up or idle time) it will trigger the massive ARP response on the network. I noticed that all hosts on the network updated their ARP entry for that computer (Win7) at the same time, for some reason I don't know. The Windows 7 machine tries to reply to over fifty ARP requests for its IP, which caused the port to be put in err-disable. There were no applications running on the Windows 7 computer at the time of the tests, only Wireshark and its default services. This computer is configured with: DHCP with WINS; it's on a Windows domain; it has NetBIOS over TCP.
Feb 7, 2013
My company has an 881-W ISR that provides wireless and wired network functions for our small office (about 20 users). I was attempting to create a new VLAN (another story), and was able to create the VLAN (4) and assign it a new IP. However, when I came in today and attempted to connect to the ISR, the serial console started spewing this over and over:
*Feb 8 13:31:32.479: %SYS-2-MALLOCFAIL: Memory allocation of 8 bytes failed from 0x81528DF0, alignment 0
Pool: Processor Free: 131305952 Cause: Interrupt level allocation
Alternate Pool: I/O Free: 17850656 Invalid memory action (malloc) at interrupt level -Traceback= 0x820168A0z 0x82E4
-Process= "<interrupt level>", ipl= 4 -Traceback= 0x81FF6FC8z 0x820168D0z 0x82E49944z 0x81528DF4z 0x800C3AF8z 0x800C4760z 0x810A1208z 0x810A6F8Cz 0x810BA9E0z 0x810BACBCz 0x80241A24z 0x8025ADE8z 0x8025E2F8z 0x8030ACD4z 0x804E1518z 0x80310368z
[code]....
Now, I did leave the console session up overnight, as that's the only thing that I can think of. As expected, our service contract had expired. I did reboot the ISR, and I am looking to see if this can be fixed, or whether it is symptomatic of a larger issue and time to replace? At this point I can't even get it to stop, and thus cannot log in.
Jul 15, 2012
When the supplicant is missing, VLAN 500 is open for the port and everything is OK, but when the supplicant has a wrong configuration something happens and the port is always authenticating (every 30s; VLAN 500 is not assigned to this port with the badly configured supplicant) and the logs show something like this:
Jul 10 10:20:12.362: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A3545161E4
Jul 10 10:20:44.365: %AUTHMGR-5-START: Starting 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %MAB-5-FAIL: Authentication failed for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
version - Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 15.0(1)SE2
port config:
interface GigabitEthernet0/1
switchport access vlan 104
switchport mode access
switchport voice vlan 200
authentication event fail action authorize vlan 500
[code]....
Dec 29, 2011
I have an ASA 5510 that I want to connect to 2 ISPs (one of my private networks uses ISP1, and all the others ISP2). Since the 5510 does not accept PBR (policy based routing), I saw that you could put a router, like a Cisco 2811, in front of the ISP. My questions are: can I put a 3750 switch in place of the 2811 router? I have VPN connections on ISP1; is this architecture compatible with them?
May 24, 2011
I'm currently investigating an issue for one of our customers where one of their 3750 Core Switch Stacks crash / becomes unresponsive during a NESSUS Scan.
They've disabled DoS testing and have ensured that safe scanning is enabled. For the test they are port scanning all of their VLANs (around 600 internal addresses).
The network consists of 2x 3750 Switch Stacks connected via fiber, edge switches connect into these cores. Both cores are running HSRP, for VLAN gateway redundancy.
The issue being faced is as follows:
During the scan, Core 1 becomes unreachable from Core 2. We can telnet to Core 2 and administer it as necessary. However, we cannot telnet to Core 1, and a console connection also fails; the switch stack is unresponsive, but does respond to pings.
On Core 2 I've performed a show proc cpu sorted and can see the IP Input process is running at around 60% and the CPU is highly utilised.
Once Core 1 becomes unreachable the network gradually grinds to a halt, almost mimicking some sort of broadcast storm or Spanning Tree loop.
Interestingly Core 1 HSRP is still active, so the hello packets are still being sent.
The only resolution to the issue is to perform a hard reset of the Core to restore service.
Logs from Core 1 show the CPU becomes fully utilised. There is also an error logged indicating:
%FIB-2-FIBDOWN: CEF has been disabled due to a low memory condition. It can be re-enabled by configuring "ip cef [distributed]"
Both cores are running IOS 12.2.(52) SE IPBASE. I've attempted to reproduce the issue in the office here and although a NESSUS scan does increase switch CPU utilisation I couldn't reproduce the failure scenario.
What may be causing the 1st core to become unresponsive? I've found some articles with regard to a 6500 switch rebooting during a NESSUS scan, and also some HP switches exhibiting similar behaviour but nothing that matches the exact scenario I'm investigating.
May 21, 2012
I have a 3750 switch with IP routing enabled and have lots of VLANs configured on this switch. What is the best way to prevent VLANs from talking to each other? At the same time, hosts inside their respective VLANs should not be blocked from reaching any private networks, as they could be doing some L2L with another site. Blocking the VLANs from accessing/telnetting the switch was very simple, as I was able to do this in the VTY line section. However, blocking VLANs from accessing the other VLANs on the switch seems to be hard, and I think there has to be a recommended way of doing this. For example, if hosts in one of my VLANs, in this case VLAN-204 (10.10.10.0/24), want to hack or scan hosts on one of my other VLANs, in this case VLAN-330 (10.20.20.0/24), how can I accomplish this without blocking VLAN-204 hosts from accessing another network they have a site-to-site tunnel with, with the same destination address of 10.20.20.0?
Feb 28, 2008
We are looking for a solution to avoid VPNs to encrypt data between HQ and buildings (point-to-multipoint) over Gigabit fiber (untrusted media). Is there any Cisco product providing layer 2 encryption over Gigabit fiber? The HQ has 6509s and the remote buildings have a mix of 3750s and 4500s in trunks.
Feb 12, 2004
I want to know if the new Catalyst 3750 supports Private VLANs, or any other small switches?
Feb 29, 2012
Does the Cisco Catalyst 3750 support the NAC Fail Open feature? Symantec Network Access Control has been deployed in our network to protect the end user systems and for access control. We are looking to enhance failover/fail open solutions on the switches to minimize the downtime for disaster recovery in case of major disasters in the data centres. Kindly let us know if NAC Fail Open works on Cisco Catalyst 3750 switches or not.
May 27, 2010
I have a 3750 switch stack running version 12.2(53)SE2 IPBASEK9-M. I have dot1x configured on the switch and have a Windows 7 PC connected with 802.1x configured on the interface. I see the EAPoL start message from the PC, but I don't see any RADIUS packets from the switch to the RADIUS server. I have a simple dot1x config just to try to get it working prior to adding additional features such as guest-vlan...
Config and debug file attached.
I don't know if the ip dhcp snooping and arp inspection configuration is causing an issue with this or not. I see the EAPoL packet received on the switch as seen in the debug attachment, but I still never see the RADIUS packet. I did set both to trust on the interface but still the same outcome. I can't disable it since it is a production switch with a test interface.
Dec 21, 2009
I tried to create a customized web-authentication page that will redirect any user to the web page once they are connected to the network.
The problem is, I just can't attach/upload the image of the logo into the customized web page (welcome/login page). I've been researching it, and found and tried some clues about it in the Cisco documentation, but still can't solve the problem.
Cisco document: Catalyst 3750 Switch Software Configuration Guide, Cisco IOS Release 12.2(52)SE, September 2009
Switch version: WS-C3750-48TS
show flash:
2 -rwx 12305677 Mar 1 1993 01:27:03 +00:00 c3750-ipservicesk9-mz.122-52.SE.bin
3 -rwx 131 Mar 1 1993 00:17:25 +00:00 log.text
5 -rwx 3254 Mar 1 1993 00:01:01 +00:00 config.old
8 -rwx 113 Mar 1 1993 03:24:33 +00:00 pass.htm
9 -rwx 1088 Mar 1 1993 03:39:18 +00:00 login.htm
10 -rwx 113 Mar 1 1993 03:21:30 +00:00 fail.htm
11 -rwx 104 Mar 1 1993 03:25:32 +00:00 expire.htm
12 -rwx 856 Mar 1 1993 00:05:19 +00:00 vlan.dat
14 -rwx 2479 Mar 1 1993 01:25:05 +00:00 web_auth_logo.jpg
16 -rwx 1048 Mar 1 1993 00:01:01 +00:00 multiple-fs
27 -rwx 1053 Mar 1 1993 02:18:34 +00:00 webauthpage.html
38 -rwx 6551 Mar 1 1993 01:19:33 +00:00 logotest.html
Following is my running configuration:
Building configuration...
Current configuration : 4205 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
!
!
aaa new-model
!
!
aaa authentication login default group radius
aaa authentication login line-console none
aaa authentication dot1x default group radius
aaa authorization auth-proxy default group radius
!
!
!
aaa session-id common
switch 1 provision ws-c3750-48ts
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
ip
[code]....
Jul 14, 2011
Can the Cisco 3750 IP SLA monitor, let's say, the 3750 G1/0/1 port status, and once it is down, have the 3750 also make G1/0/2 go down? If yes, what is the command to do it?
Jul 27, 2011
We are using 3750 switches as WAN routers facing the WAN cloud. To configure QoS for the WAN port, should I use "auto qos voip trust" or treat it like a router port and configure class-maps and policy-maps, and attach a service-policy input or output?
Because switches have different queuing and dropping methods than routers, auto qos can generate QoS configs that are considered most appropriate for 3750 switches. However, the switch functions as a WAN router. Maybe it should be configured using the router type of QoS with policy-maps and service-policy?
Nov 7, 2012
I have 2 3750X switches connected via a pair of StackWise cables, but I keep seeing error messages about the stack/switch ports going up and down. Performance-wise, it seems to work, but I'd like to eliminate this message... Sometimes it will go hours without bouncing, sometimes it does it a few times a minute...
*Mar 4 12:56:57.903: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
*Mar 4 13:16:48.070: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state UP
*Mar 4 13:16:49.093: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state DOWN
*Mar 4 13:38:55.802: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state UP
*Mar 4 13:38:56.809: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
[code]...
May 4, 2012
Scenario: I have a VM server with four virtual servers, all configured in different subnets. What's the best way to configure a 3750-X switch to route traffic from the virtual servers to their VLANs?
Jul 17, 2011
What is the load balance method of a 3750 port channel (by source IP, or by source MAC) to divert traffic to paths? I have tried to use 10.242.104.101 and 10.242.104.102 as source IPs; they travel over the same link (G0/1) within one port channel (G0/1+G0/2). However, if I later use 10.242.104.109, then this time the traffic goes to the G0/2 link. What's the concept behind this?
Jun 3, 2012
We use Orion for monitoring. We recently started monitoring a workstation switch and find many occurrences of port speed changes indicated. Our workstation ports are configured with auto speed and duplex. Is it normal that we are detecting speed changes on the ports? Do workstations running XP automatically adjust their speed for traffic management or power save? Perhaps something like speeds changing when the PC goes to sleep mode but has Wake on LAN enabled? Is it possible that the MIB is misreporting?
I realize that there are many different NIC vendors/drivers that might act differently. Just wondering (from others' experience) if it is somewhat normal or if there is anything on the network I should be looking into as to why speeds are changing? We plan to not monitor workstation ports (only uplinks) on the switch, but before we do, I thought I would see if what we are detecting needs to be addressed.
Here is an example from Orion of a speed changing. It seems to always be off hours:
6/1/2012 6:17:52 AM event WORKSTATION-3750-CLUSTER - GigabitEthernet1/0/14 · 2nd Floor Patch#11 Interface Speed changed from 10000000 to 1000000000 bps
6/1/2012 2:47:52 AM event WORKSTATION-3750-CLUSTER - GigabitEthernet1/0/14 · 2nd Floor Patch#11 Interface Speed changed from 1000000000 to 10000000 bps