1
00:00:00,800 --> 00:00:07,340
In this video, we're going to discuss port security, which is used to provide a level of authentication

2
00:00:07,610 --> 00:00:14,030
in an Ethernet environment. In a wired Ethernet environment, as an example, there's nothing stopping

3
00:00:14,030 --> 00:00:19,030
you simply plugging your PC into any open port in the network.

4
00:00:19,550 --> 00:00:27,320
So as an example, there's nothing stopping a user connecting their PC to a port in a director's office,

5
00:00:27,590 --> 00:00:31,470
which then results in them having access to the director's VLAN.

6
00:00:32,090 --> 00:00:38,990
There's also nothing stopping a user connecting a wireless access point to the network and allowing

7
00:00:38,990 --> 00:00:43,970
multiple users to access the wired network through that wireless access point.

8
00:00:44,480 --> 00:00:46,150
That's a major security risk.

9
00:00:46,670 --> 00:00:53,210
What port security does is it looks at the source MAC address of frames received on a port, and you can

10
00:00:53,210 --> 00:01:01,070
restrict the frames allowed on a specific port to either a single MAC address that you configure or

11
00:01:01,070 --> 00:01:07,070
to a limited number of MAC addresses that are dynamically learnt. There are various options, which we'll

12
00:01:07,070 --> 00:01:07,580
discuss.

13
00:01:07,800 --> 00:01:14,750
But as an example, you could say on the port that connects to the director's office, only the MAC

14
00:01:14,750 --> 00:01:21,530
address associated with their laptop or their PC is allowed to send frames to the switch and therefore

15
00:01:21,530 --> 00:01:24,230
belong to the director's VLAN,

16
00:01:24,740 --> 00:01:27,890
or you could limit the number of MAC addresses allowed on a port.

17
00:01:28,730 --> 00:01:34,940
As an example, you could limit the number of MAC addresses to one, which would only allow a single PC

18
00:01:34,940 --> 00:01:37,280
to access the network through that port.
19
00:01:37,910 --> 00:01:44,450
Or if you have a PC connected to an IP phone, you may limit the MAC addresses to three: two for the

20
00:01:44,450 --> 00:01:48,350
IP phone and one for the PC attached to the IP phone.

21
00:01:48,830 --> 00:01:56,240
That would stop a user connecting an access point or a hub to the network and allowing multiple unauthorized

22
00:01:56,240 --> 00:01:58,980
devices access to the Ethernet network.

23
00:01:59,540 --> 00:02:02,480
Please note, this is not user authentication.

24
00:02:02,840 --> 00:02:06,480
User authentication can be implemented using 802.1X.

25
00:02:07,070 --> 00:02:13,880
This is a more basic authentication based on MAC addresses, so only frames from specific MAC addresses

26
00:02:13,880 --> 00:02:21,080
are allowed, or a limited number of MAC addresses are permitted on a port on a switch. That solves the

27
00:02:21,080 --> 00:02:27,350
issue of a user connecting to a port that they're not authorized to connect to, or stops a user

28
00:02:27,350 --> 00:02:33,410
connecting a hub or wireless access point to the network and therefore allowing unauthorized access

29
00:02:33,410 --> 00:02:34,250
to the network.

30
00:02:35,150 --> 00:02:42,170
You can decide what happens when there's a violation of port security. You could simply drop the frames,

31
00:02:42,170 --> 00:02:49,220
or you could shut the port down using what's called an error-disabled state. In the most secure implementation,

32
00:02:49,220 --> 00:02:54,590
where you err-disable the port, you as an administrator have to manually re-enable the port.
33
00:02:54,890 --> 00:03:00,290
So the user would have to contact the helpdesk, as an example, and explain that they no longer have access

34
00:03:00,290 --> 00:03:01,100
to the network,

35
00:03:01,310 --> 00:03:06,620
and then you could investigate what happened, and you'd be able to see if an unauthorized MAC address

36
00:03:06,620 --> 00:03:11,240
or group of MAC addresses has tried to access the network through that port.

37
00:03:14,830 --> 00:03:21,610
Port security is one of multiple security mechanisms that you can implement in a network. Security

38
00:03:21,610 --> 00:03:24,980
is kind of like a castle of old, as shown here.

39
00:03:25,390 --> 00:03:31,810
The idea is that you have multiple security mechanisms that, in themselves, don't provide

40
00:03:31,810 --> 00:03:39,700
total security, but each layer of security or each mechanism adds another level of security.

41
00:03:40,210 --> 00:03:46,840
So in this example, you'd have to get across the sea to get to the castle, then you'd have to scale

42
00:03:46,840 --> 00:03:51,130
the outer wall, and you're still not at the core of the castle.

43
00:03:51,430 --> 00:03:58,780
You'd have to climb up this hill and then scale the inner wall to be able to get to the king in the

44
00:03:58,780 --> 00:04:00,070
castle, as an example.

45
00:04:00,580 --> 00:04:06,940
So in security, you implement multiple walls or mechanisms to make it harder for a hacker to attack

46
00:04:06,940 --> 00:04:07,630
your network.

47
00:04:08,050 --> 00:04:14,830
This also applies to users who inadvertently, or without being malicious, do something that they shouldn't

48
00:04:14,830 --> 00:04:15,730
on your network.

49
00:04:16,120 --> 00:04:23,020
So port security isn't a catch-all security mechanism; it's just one of many and provides a basic or

50
00:04:23,020 --> 00:04:26,410
entry-level security mechanism for your network.

51
00:04:26,950 --> 00:04:30,190
Ethernet once again has no security built into it.
52
00:04:30,670 --> 00:04:35,950
A user could simply plug a laptop into your network and gain full access to the network.

53
00:04:37,480 --> 00:04:40,700
Now, there are several ways that MAC addresses can be learnt.

54
00:04:41,170 --> 00:04:47,710
The first is static, where you statically configure specific MAC addresses that are allowed or permitted

55
00:04:47,710 --> 00:04:48,340
on a port.

56
00:04:48,910 --> 00:04:52,610
Any MAC addresses that you don't specify are not allowed on the port.

57
00:04:53,380 --> 00:04:57,730
The advantage of this method is that you have a lot of control, but the disadvantage is that you

58
00:04:57,730 --> 00:05:04,660
have to manually work out what the MAC addresses are of all your devices and then manually configure

59
00:05:04,660 --> 00:05:04,940
them.

60
00:05:05,530 --> 00:05:11,530
You could also use dynamic learning, where you specify how many MAC addresses are permitted on a port

61
00:05:11,860 --> 00:05:13,620
and they are dynamically learnt.

62
00:05:14,080 --> 00:05:19,150
So as an example, you could say that only two MAC addresses are permitted on a port, and the first two

63
00:05:19,150 --> 00:05:21,040
MAC addresses that are learnt are permitted.

64
00:05:21,220 --> 00:05:23,730
Any subsequent MAC addresses are not permitted.

65
00:05:24,310 --> 00:05:30,430
You would use this, as an example, to limit the number of MAC addresses permitted, but not which MAC addresses

66
00:05:30,430 --> 00:05:31,130
are permitted.

67
00:05:31,570 --> 00:05:38,410
So you're limiting the number of MAC addresses and not limiting based on specific MAC addresses.

68
00:05:38,860 --> 00:05:44,890
The thing to remember about dynamic learning is that when the switch is rebooted or the port goes down,

69
00:05:45,250 --> 00:05:51,430
the MAC addresses learnt are removed, and new MAC addresses would then be permitted when the port comes

70
00:05:51,430 --> 00:05:51,920
up again.
71
00:05:52,300 --> 00:06:00,010
You could also specify an aging interval to allow MAC addresses to be forgotten after a period of time.

72
00:06:00,490 --> 00:06:07,030
So if you had a situation where you had a hot desk or a boardroom, you may only allow a certain number

73
00:06:07,030 --> 00:06:08,260
of MAC addresses on a port,

74
00:06:08,650 --> 00:06:11,070
but those MAC addresses can change over time.

75
00:06:11,710 --> 00:06:16,780
You could also do a combination of static and dynamic learning, where you explicitly permit certain MAC

76
00:06:16,780 --> 00:06:17,350
addresses.

77
00:06:17,800 --> 00:06:23,950
So as an example, you could limit the number of MAC addresses on a port to four, but only statically

78
00:06:23,950 --> 00:06:25,450
configure two MAC addresses.

79
00:06:26,110 --> 00:06:29,110
The remaining two MAC addresses can be dynamically learnt.

80
00:06:29,560 --> 00:06:35,290
The static MAC addresses do not age out, but you could allow the dynamically learnt MAC addresses to

81
00:06:35,290 --> 00:06:44,050
age out. Sticky learning allows you to automatically add a MAC address to the running configuration of

82
00:06:44,050 --> 00:06:44,590
the switch.

83
00:06:45,070 --> 00:06:50,140
So rather than statically configuring MAC addresses, you could allow the switch to learn MAC addresses

84
00:06:50,380 --> 00:06:52,480
and then add them to the configuration.

85
00:06:52,900 --> 00:06:58,900
When you save your running configuration to the startup configuration, those MAC addresses will be kept

86
00:06:58,900 --> 00:07:02,700
in NVRAM and therefore won't be lost if the switch reboots.

87
00:07:03,250 --> 00:07:04,600
So there are various options.

88
00:07:05,140 --> 00:07:09,120
Remember, port security is an initial way to implement security.

89
00:07:09,520 --> 00:07:16,150
It allows you to limit the number of MAC addresses permitted on a port, and it allows you to specify

90
00:07:16,300 --> 00:07:19,170
which MAC addresses are permitted on a port.
91
00:07:19,720 --> 00:07:24,070
You have the option of just limiting the number of MAC addresses on a port, but not worrying what those MAC

92
00:07:24,070 --> 00:07:24,820
addresses are.

93
00:07:25,270 --> 00:07:32,140
That would stop a user bringing an access point or home router to work and plugging it into the network

94
00:07:32,350 --> 00:07:34,990
and allowing their friends to access the network.

95
00:07:35,350 --> 00:07:42,790
Or you could be stricter and only allow specific MAC addresses on a port so a user can't connect to

96
00:07:42,790 --> 00:07:47,320
a director's port and therefore have access to the director's VLAN.
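The following Python model is an added illustration of the behaviour the video describes and is not part of the video or of any vendor's software. It simulates one secured switch port with static, dynamic and sticky learning, a per-port maximum, aging of dynamically learnt entries, and the two violation actions the video names (drop the frame, or err-disable the port). It also includes a "restrict" action (drop and count), which is a real option on Cisco IOS switches but is not mentioned in the video. The class and method names, the MAC addresses, and the IOS-style configuration lines it produces are all constructed for this example.

```python
"""Toy model of switch port security (constructed example, not vendor code)."""
from dataclasses import dataclass, field
from enum import Enum


class Violation(Enum):
    PROTECT = "protect"    # drop offending frames silently
    RESTRICT = "restrict"  # drop offending frames and count them (assumed; not in the video)
    SHUTDOWN = "shutdown"  # put the port into the err-disabled state


@dataclass
class SecurePort:
    maximum: int = 1                     # secure addresses allowed (static + sticky + dynamic)
    violation: Violation = Violation.SHUTDOWN
    aging_minutes: int = 0               # 0 means dynamic entries never age out
    sticky: bool = False                 # learnt addresses are written to the running config
    static: set = field(default_factory=set)        # configured by the administrator, never aged
    sticky_macs: set = field(default_factory=set)   # learnt, written to config, never aged
    dynamic: dict = field(default_factory=dict)     # mac -> time last seen; lost on link down
    err_disabled: bool = False
    violations: int = 0

    def _expire(self, now: float) -> None:
        """Forget dynamic entries idle longer than the aging interval."""
        if self.aging_minutes <= 0:
            return
        limit = self.aging_minutes * 60
        for mac in [m for m, seen in self.dynamic.items() if now - seen >= limit]:
            del self.dynamic[mac]

    def _secure_count(self) -> int:
        return len(self.static) + len(self.sticky_macs) + len(self.dynamic)

    def receive(self, src_mac: str, now: float = 0.0) -> str:
        """Process one ingress frame; returns 'forward', 'drop' or 'err-disabled'."""
        src_mac = src_mac.lower()
        if self.err_disabled:            # nothing passes until an administrator re-enables the port
            return "err-disabled"
        self._expire(now)
        if src_mac in self.static or src_mac in self.sticky_macs:
            return "forward"
        if src_mac in self.dynamic:
            self.dynamic[src_mac] = now  # refresh the inactivity timer
            return "forward"
        if self._secure_count() < self.maximum:   # room left: learn the address
            if self.sticky:
                self.sticky_macs.add(src_mac)
            else:
                self.dynamic[src_mac] = now
            return "forward"
        self.violations += 1             # maximum reached and address unknown: violation
        if self.violation is Violation.SHUTDOWN:
            self.err_disabled = True
            return "err-disabled"
        return "drop"

    def link_down(self) -> None:
        """Port flap or switch reboot: dynamic entries are lost, static and sticky survive."""
        self.dynamic.clear()

    def admin_reenable(self) -> None:
        """Manual recovery from err-disabled, as the video describes."""
        self.err_disabled = False

    def running_config(self) -> list:
        """Constructed IOS-style lines showing what sticky learning writes to the config."""
        lines = [f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation.value}"]
        if self.aging_minutes:
            lines.append(f"switchport port-security aging time {self.aging_minutes}")
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        lines += [f"switchport port-security mac-address {m}" for m in sorted(self.static)]
        lines += [f"switchport port-security mac-address sticky {m}" for m in sorted(self.sticky_macs)]
        return lines


def scenario_director() -> list:
    """Director's port: one static MAC, shutdown on violation."""
    port = SecurePort(maximum=1, static={"aa:bb:cc:00:00:01"})
    out = [port.receive("aa:bb:cc:00:00:01"),   # director's PC
           port.receive("de:ad:be:ef:00:01"),   # someone else's PC: port err-disables
           port.receive("aa:bb:cc:00:00:01")]   # even the director is cut off now
    port.admin_reenable()                      # helpdesk investigates, then re-enables
    out.append(port.receive("aa:bb:cc:00:00:01"))
    return out


def scenario_phone_and_pc() -> tuple:
    """IP phone plus PC: three dynamic MACs, a fourth is dropped; link down flushes them."""
    port = SecurePort(maximum=3, violation=Violation.PROTECT)
    macs = ["00:11:22:00:00:%02x" % i for i in range(1, 5)]
    out = [port.receive(m) for m in macs]
    port.link_down()
    out.append(port.receive(macs[3]))          # after the flap the fourth MAC is learnt instead
    return out, port.violations


def scenario_hot_desk() -> list:
    """Hot desk: one MAC at a time, but the entry ages out after 5 minutes of inactivity."""
    port = SecurePort(maximum=1, violation=Violation.RESTRICT, aging_minutes=5)
    return [port.receive("02:00:00:00:00:aa", now=0),
            port.receive("02:00:00:00:00:bb", now=60),    # first MAC still fresh: drop
            port.receive("02:00:00:00:00:bb", now=400)]   # 400 s > 300 s: aa aged out, bb learnt


def scenario_sticky() -> tuple:
    """Sticky learning: learnt MACs land in the config and survive a link flap."""
    port = SecurePort(maximum=2, sticky=True)
    port.receive("02:00:00:00:00:01")
    port.receive("02:00:00:00:00:02")
    port.link_down()
    return port.receive("02:00:00:00:00:01"), port.running_config()


if __name__ == "__main__":
    for name in ("scenario_director", "scenario_phone_and_pc", "scenario_hot_desk", "scenario_sticky"):
        print(name, globals()[name]())
```

The four scenarios follow the video's own examples: the director's port with a single static address, the IP phone with a PC behind it, a hot desk whose allowed address changes over time, and sticky learning that survives a link flap because the addresses were written to the configuration rather than held only in the dynamic table.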