Cisco Port Security and Sticky MAC Addresses

I recently reevaluated how we do port security as a result of a recent customer’s information security audit. We normally turn on port security and set the maximum MAC addresses to 1 (the default) or 2 (if there is an IP phone connected). The default behavior is to disable the port when the MAC changes or if the number of concurrent MACs exceeds the maximum.

However, during testing I discovered this didn’t work exactly like I expected. Port security was enforced only as long as a device stayed connected to the port. If the port was disconnected, the switch would remove the pre-existing MACs and ANY new device could connect, as long as the maximum was not exceeded. While this prevents unauthorized hubs and switches, it doesn’t prevent someone from unplugging a device and plugging in a different, unauthorized device.

The solution to this is to use the sticky option on the port security interface command:

  • switchport port-security – enables port security; the optional “maximum <n>” sets the maximum number of addresses above 1
  • switchport port-security mac-address sticky – turns on the sticky MAC feature

After enabling, you will notice the currently connected MAC address(es) will appear in the running config:

  • switchport port-security
  • switchport port-security mac-address sticky
  • switchport port-security mac-address sticky 0080.6433.xxxx

This will stay in the config until the switch is rebooted, so it’s important to write the config.
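The two checks the post implies, as an added example that is not from the original post: which access ports still have plain (non-sticky) port security, so a swapped device would be accepted after a link flap, and which learned sticky MACs exist only in the running config and would be lost on reboot because the config was never written. The config excerpt, interface names and MAC addresses below are constructed, and the parser assumes the interface-block layout that `show running-config` uses (lines under `interface …` indented by one space, blocks ended by `!`).

```python
import re

# Constructed sample `show running-config` excerpt (not from the post); the
# interface names and MAC addresses are made up.
SAMPLE_RUNNING = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0080.6433.0001
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0080.6433.0002
 switchport port-security mac-address sticky 0080.6433.0003
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/0/5
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

# Constructed startup-config, written before Gi1/0/3 learned its second address.
SAMPLE_STARTUP = SAMPLE_RUNNING.replace(
    " switchport port-security mac-address sticky 0080.6433.0003\n", "")

IFACE_RE = re.compile(r"^interface (\S+)")
MAX_RE = re.compile(r"^ switchport port-security maximum (\d+)$")
STICKY_MAC_RE = re.compile(
    r"^ switchport port-security mac-address sticky ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$")


def parse_interfaces(config_text):
    """Return {interface_name: [indented config lines]} for each interface block."""
    interfaces = {}
    current = None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line)
        else:
            current = None  # "!" or any top-level line ends the block
    return interfaces


def audit_port_security(config_text):
    """Classify every access port by the weakness described in the post."""
    findings = {}
    for name, lines in parse_interfaces(config_text).items():
        if " switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope here
        enabled = " switchport port-security" in lines
        sticky = " switchport port-security mac-address sticky" in lines
        maximum, learned = 1, []
        for ln in lines:
            if MAX_RE.match(ln):
                maximum = int(MAX_RE.match(ln).group(1))
            elif STICKY_MAC_RE.match(ln):
                learned.append(STICKY_MAC_RE.match(ln).group(1))
        if not enabled:
            status = "NO_PORT_SECURITY"
        elif not sticky:
            status = "NOT_STICKY"        # addresses forgotten on link down
        elif not learned:
            status = "STICKY_UNLEARNED"  # binds to whatever connects first
        else:
            status = "STICKY_BOUND"
        findings[name] = {"status": status, "maximum": maximum, "sticky_macs": learned}
    return findings


def unsaved_sticky_macs(running_text, startup_text):
    """Sticky MACs in the running config that are missing from startup-config
    (these are lost on reboot unless the config is written)."""
    startup = audit_port_security(startup_text)
    unsaved = {}
    for name, info in audit_port_security(running_text).items():
        saved = set(startup.get(name, {}).get("sticky_macs", []))
        missing = [m for m in info["sticky_macs"] if m not in saved]
        if missing:
            unsaved[name] = missing
    return unsaved


if __name__ == "__main__":
    for name, info in audit_port_security(SAMPLE_RUNNING).items():
        print(f"{name:24} {info['status']:18} max={info['maximum']} {info['sticky_macs']}")
    print("unsaved sticky MACs:", unsaved_sticky_macs(SAMPLE_RUNNING, SAMPLE_STARTUP))
```

Run it against the output of `show running-config` and `show startup-config` saved to files; a `NOT_STICKY` result is exactly the configuration the post found inadequate, and a non-empty `unsaved_sticky_macs` result means a `write memory` is overdue.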

Active Directory Health Check

Weekly or bi-weekly Active Directory Health Checks are an important part of a Microsoft SysAdmin’s responsibility. Busy or inexperienced SysAdmins often overlook some of the important Health Check steps or don’t do them at all. Taking the time to routinely review and assess your Microsoft Active Directory is the difference between a proactive SysAdmin and a reactive SysAdmin.

First of all, monitoring the Windows Event Viewer is a must. Take the time to check through all of the Event Log queues, including the Application, Security and System logs. On Domain Controllers the DFS Replication, Directory Service and DNS Server logs should also be reviewed. Use the sort and error-level filter fields to hide the information you don’t need to see.

Next, run command line diagnostics and redirect the results to a text file for in-depth review. This allows you to analyze the results in detail and compare them with a second run after you’ve fixed any issues you identify. It’s also much easier to read the logs in a Notepad++ window and search for events than to dig through command line output.

The following reports can be run from the Windows command prompt:

DC Diag

This report will identify issues with domain controllers and any services associated with them:

C:\>dcdiag.exe /v >> c:\pre_dcdiag.txt
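The post recommends saving the verbose output to a file and comparing it with a later run once issues are fixed. As an added example (not from the post), this Python script does that comparison: it pulls each `passed test` / `failed test` verdict out of dcdiag output, keeps the diagnostic lines printed before a failure, and reports which tests were fixed, regressed, or are still failing between a `pre_` and a `post_` capture. The two captures below are constructed text in the shape dcdiag prints, not output from any real domain; the server and domain names are made up.

```python
import re

# Constructed excerpt of `dcdiag.exe /v` output (not real output from any domain).
PRE_DCDIAG = """\
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC01

Doing initial required tests

   Testing server: Default-First-Site-Name\\DC01
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         ......................... DC01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\\DC01
      Starting test: Advertising
         ......................... DC01 passed test Advertising
      Starting test: Replications
         [Replications Check,DC01] A recent replication attempt failed:
            From DC02 to DC01
            Naming Context: DC=corp,DC=example
         ......................... DC01 failed test Replications
      Starting test: SystemLog
         An error event occurred (constructed sample line).
         ......................... DC01 failed test SystemLog

   Running enterprise tests on : corp.example
      Starting test: LocatorCheck
         ......................... corp.example passed test LocatorCheck
"""

# Constructed "after the fix" capture: replication repaired, System log still noisy.
POST_DCDIAG = PRE_DCDIAG.replace("DC01 failed test Replications",
                                 "DC01 passed test Replications")

RESULT_RE = re.compile(r"^\s*\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)\s*$")
START_RE = re.compile(r"^\s*Starting test:\s+(\S+)\s*$")


def parse_dcdiag(text):
    """Return [{target, test, result, details}] for every verdict line.
    `details` holds the lines printed between "Starting test:" and the verdict."""
    results, details = [], []
    for raw in text.splitlines():
        if START_RE.match(raw):
            details = []
            continue
        m = RESULT_RE.match(raw)
        if m:
            target, verdict, test = m.groups()
            results.append({"target": target, "test": test, "result": verdict,
                            "details": [d.strip() for d in details]})
            details = []
        elif raw.strip():
            details.append(raw)
    return results


def failures(results):
    """Map (target, test) -> diagnostic lines for every failed test."""
    return {(r["target"], r["test"]): r["details"]
            for r in results if r["result"] == "failed"}


def compare_runs(pre_text, post_text):
    """Diff two captures: tests fixed, regressed, or still failing."""
    pre = {(r["target"], r["test"]): r["result"] for r in parse_dcdiag(pre_text)}
    post = {(r["target"], r["test"]): r["result"] for r in parse_dcdiag(post_text)}
    return {
        "fixed": sorted(k for k in pre if pre[k] == "failed" and post.get(k) == "passed"),
        "regressed": sorted(k for k in post if post[k] == "failed" and pre.get(k) == "passed"),
        "still_failing": sorted(k for k in post if post[k] == "failed" and pre.get(k) == "failed"),
    }


if __name__ == "__main__":
    for key, lines in failures(parse_dcdiag(PRE_DCDIAG)).items():
        print("FAILED", key, "->", lines[0] if lines else "")
    print(compare_runs(PRE_DCDIAG, POST_DCDIAG))
```

In practice, read `c:\pre_dcdiag.txt` and the later `c:\post_dcdiag.txt` into `compare_runs`; anything in `regressed` deserves attention before the `fixed` list is celebrated.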

Cisco IOS Diagnostic Tools

There are a number of diagnostic tools that can be used to troubleshoot and monitor the different elements of a network. This article takes a look at a number of the built-in tools and commands that exist within Cisco IOS. Any experienced IOS engineer knows that many issues can be diagnosed using only the tools that exist within the IOS itself; the target audience of this article includes engineers with less experience looking to become more familiar with the available tools and those preparing for the CCNP TSHOOT exam.

Show Processes CPU

One of the most basic commands to run on a Cisco device is show processes cpu. In its full view the command will show all of the active processes on a device and how much of the processor time the process is taking both currently and historically. Figure 1 below shows a shortened version of the command:

[Figure 1: Cisco IOS show processes cpu output]

This command would typically be used when troubleshooting a problem with a device that is having trouble performing basic functions; for example if a router is having trouble forwarding and routing pa
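As an added example (not code from the article), the following Python parser turns captured `show processes cpu` output into data you can alert on: it reads the utilization header, where the five-second figure is printed as `total%/interrupt%` so the difference is the share spent at process level, parses each process line, and lists the processes whose five-minute average exceeds a threshold. The sample output is constructed to match the column layout of the command, not the figure from the article; the PIDs, counters and percentages are made up.

```python
import re

# Constructed sample of `show processes cpu` output (not the article's figure).
SAMPLE_OUTPUT = """\
CPU utilization for five seconds: 41%/12%; one minute: 38%; five minutes: 35%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   1         112      2837     39  0.00%  0.00%  0.00%   0 Chunk Manager
   2        4880    209873     23  0.00%  0.01%  0.00%   0 Load Meter
  87      981234    120934   8113 18.23% 17.90% 16.50%   0 IP Input
 112       33321      8721   3821  7.10%  6.80%  6.90%   0 ARP Input
 145          12      1201     10  0.00%  0.00%  0.00%   2 Virtual Exec
"""

HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%")
PROC_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"      # PID Runtime(ms) Invoked uSecs
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+"      # 5Sec 1Min 5Min
    r"(\d+)\s+(.+)$")                            # TTY Process


def parse_utilization(text):
    """Split the header into total, interrupt-level and process-level CPU."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no CPU utilization header found")
    total5, interrupt5, one_min, five_min = (int(x) for x in m.groups())
    return {"five_sec_total": total5,
            "five_sec_interrupt": interrupt5,
            "five_sec_process": total5 - interrupt5,
            "one_min": one_min,
            "five_min": five_min}


def parse_processes(text):
    """One dict per process line; header and utilization lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if not m:
            continue
        pid, runtime, invoked, usecs, s5, m1, m5, tty, name = m.groups()
        procs.append({"pid": int(pid), "runtime_ms": int(runtime),
                      "invoked": int(invoked), "usecs": int(usecs),
                      "5sec": float(s5), "1min": float(m1), "5min": float(m5),
                      "tty": int(tty), "process": name.strip()})
    return procs


def top_consumers(text, threshold=5.0):
    """Names of processes whose 5-minute average exceeds `threshold` percent, busiest first."""
    procs = [p for p in parse_processes(text) if p["5min"] > threshold]
    return [p["process"] for p in sorted(procs, key=lambda p: p["5min"], reverse=True)]


if __name__ == "__main__":
    print(parse_utilization(SAMPLE_OUTPUT))
    print("over 5% for five minutes:", top_consumers(SAMPLE_OUTPUT))
```

A high interrupt-level share with little process-level load points at packet switching in the fast path, while a large process-level share with a named process at the top of `top_consumers` (here `IP Input`, which means packets are being process-switched) is where to start digging.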

Cisco Linksys Secret CLI

Cisco’s consumer branded “Linksys” SRW, SFE and SGE switches have a “hidden” light-weight command line interface (LCLI) which is very similar to Cisco’s IOS command line environment. Here’s how to access it:

1. SSH, Telnet or Console into your switch as you normally would. Note: Do not use the web interface.

2. Login to the menu system using your existing admin account.

3. Once logged in type:

# execute

4. You should receive a response that says “Operation Complete”.

5. At the Switch “Main Menu” press:

CTRL+Z

6. A caret (>) command prompt will appear. Type:

# lcli

Then press enter.

7. Login again using your admin account and you will be in the Light-weight Command Line Interface (LCLI).

8. Type: ? for possible commands.

Note: There is no need to “write mem”; all changes are committed immediately. “show startup” will dump the switch configuration, “no logging console” disables console logging, “show bridge addr” will dump the CAM table, and “show inter status” shows the switch port status.

Using a Dell Wireless 5620 EV-DO-HSPA in Thailand

The Dell Wireless 5620 Multi-Mode Gobi Mobile Broadband Mini-Card is a great way to add mobile broadband (HSDPA, EVDO, EDGE, 3G) to your Dell Latitude E series laptop without having to use an external modem or Internet tethering.

The modem is generally shipped with an AT&T configuration profile so I’ve drafted up some instructions on how to make the card work with other providers, specifically those in Thailand.

First of all, install the Dell Mobile Broadband Utility (DMBU), shipped as R275082.exe, from http://support.dell.com. This utility is also referred to as the Novatel Wireless HSUPA manager.

Once you have installed the Dell Mobile Broadband Utility (DMBU), reboot your machine, then insert your True, AIS or DTAC SIM card into the rear of your laptop. On the Dell Latitude E6400 and E6410 the SIM card slot is located underneath the battery. Reboot your machine again.

Open the DMBU and select the wireless icon in the top left corner. Select “Settings” then “Network Selection” then select:

Provider: Generic
Technology: UMTS
Region: EU
Version: 0A090012

Then click “Load”.