1
00:00:00,720 --> 00:00:08,010
So let's configure and test port security in this example, I've got GNS3 running IOSvL2,

2
00:00:08,020 --> 00:00:13,550
that is our switch in the topology, and then I've got a Cisco IOS router.

3
00:00:13,860 --> 00:00:19,560
It's a 3725 router image, which I'm using as the PCs in the topology.

4
00:00:19,910 --> 00:00:27,510
So router 1 will act as PC 1 and router 2 will act as PC 2, we'll configure MAC addresses

5
00:00:27,510 --> 00:00:31,740
on the routers and then change them to prove that port security works.

6
00:00:33,030 --> 00:00:38,940
MAC addresses with the vendor code 00:23:33 belong to Cisco Systems.

7
00:00:40,420 --> 00:00:47,710
So we'll use this MAC address range so that we can see the output in Wireshark and create easy-to-read

8
00:00:47,710 --> 00:00:53,860
MAC addresses in the lab, the routers and switch have booted up with no configuration.

9
00:00:57,130 --> 00:01:00,100
So I've made no configuration changes on these devices.

10
00:01:01,320 --> 00:01:02,280
Let's start off

11
00:01:03,580 --> 00:01:10,930
by naming this device Switch1, router 1 is already configured and so is router 2 based on the default

12
00:01:11,500 --> 00:01:13,060
configuration in GNS3.

13
00:01:13,990 --> 00:01:19,570
But the switch has no configuration, so at the moment, if we type show port-security,

14
00:01:20,760 --> 00:01:26,190
you'll notice that there's no output here because port security is not currently enabled.

15
00:01:27,080 --> 00:01:29,000
Show mac address-table

16
00:01:31,160 --> 00:01:39,770
shows that no MAC addresses have been learnt, so on router 1, let's configure FastEthernet 0/0

17
00:01:40,460 --> 00:01:43,910
with MAC address 0023.

18
00:01:45,410 --> 00:01:51,860
3300.0001 and I'll no shut that port.

19
00:01:53,610 --> 00:01:56,070
We'll do something similar on router 2.

20
00:01:58,540 --> 00:02:03,160
We'll just make this 2 rather than 1 and no shut the port.
21
00:02:05,250 --> 00:02:12,000
Show mac address-table shows us that the switch has learnt both these MAC addresses, so router 1 is

22
00:02:12,000 --> 00:02:17,610
available on Gigabit 0/0, router 2 is available on Gigabit 0/1.

23
00:02:18,060 --> 00:02:20,250
Both addresses were learnt dynamically.

24
00:02:20,730 --> 00:02:23,580
In other words, we didn't statically configure these MAC addresses.

25
00:02:23,970 --> 00:02:27,030
They have been dynamically learnt by the switch.

26
00:02:28,710 --> 00:02:33,090
Show port-security still shows us that port security hasn't been enabled.

27
00:02:33,120 --> 00:02:34,190
We have no output.

28
00:02:35,370 --> 00:02:41,210
So going on to Gigabit 0/0, let's try and enable port security.

29
00:02:41,700 --> 00:02:43,340
Notice the command is rejected

30
00:02:43,350 --> 00:02:48,440
and that's because we're running Dynamic Trunking Protocol, or DTP, on this port.

31
00:02:48,930 --> 00:02:54,240
We haven't statically configured this port as an access port or as a trunk port.

32
00:02:55,550 --> 00:03:05,240
So let's type switchport mode access and we'll enable port security again, the command is now accepted.

33
00:03:06,810 --> 00:03:17,580
So show port-security shows us that the secure port is Gigabit 0/0, the maximum secure addresses allowed

34
00:03:17,580 --> 00:03:26,110
on the port is one; by default, only a maximum of one MAC address is allowed on a port security port.

35
00:03:26,880 --> 00:03:30,240
How many MAC addresses have currently been learnt? Answer is one.

36
00:03:31,390 --> 00:03:40,600
How many security violations have occurred? Zero, and what security action will be taken if there's

37
00:03:40,600 --> 00:03:43,280
a violation? The port will be shut down.

38
00:03:43,870 --> 00:03:45,570
In other words, it will be error disabled.

39
00:03:45,580 --> 00:03:50,350
We'll look at some of the other options in a moment, but let's see what happens.
40
00:03:52,550 --> 00:03:56,030
Show port-security, let's look at some options: address.

41
00:03:59,060 --> 00:04:05,540
So here's the secure MAC address table on VLAN 1, this MAC address has been learnt.

42
00:04:06,530 --> 00:04:15,950
The type is SecureDynamic, we dynamically learnt about the address, the port is Gigabit 0/0, the

43
00:04:15,950 --> 00:04:18,290
remaining age is a hyphen.

44
00:04:18,860 --> 00:04:25,740
You can determine how long a MAC address that is learnt is remembered before it's aged out on a port.

45
00:04:26,330 --> 00:04:32,270
Now, notice, this example is not restricting this port to specific MAC addresses.

46
00:04:32,270 --> 00:04:35,420
It's limiting the port to one MAC address.

47
00:04:35,900 --> 00:04:43,070
We didn't statically configure the port, so show run interface Gigabit 0/0 shows us that we enabled

48
00:04:43,220 --> 00:04:45,590
port security and that's all we did.

49
00:04:45,620 --> 00:04:51,230
We didn't statically configure a MAC address, but if we change the MAC address on this port to, let's

50
00:04:51,230 --> 00:04:54,380
say, 3, let's see what happens.

51
00:04:56,480 --> 00:04:58,910
As soon as the port came up, we get an error

52
00:04:58,910 --> 00:05:04,760
disabled message: port-security violation error detected on Gigabit 0/0.

53
00:05:05,240 --> 00:05:07,280
The port is now being put into error

54
00:05:07,280 --> 00:05:15,320
disabled state, a security violation occurred caused by this MAC address, notice ending in 3, on

55
00:05:15,380 --> 00:05:17,240
port Gigabit 0/0.

56
00:05:18,220 --> 00:05:24,670
The line protocol has gone down, so show interface Gigabit 0/0.

57
00:05:28,510 --> 00:05:34,900
The command shows us that the port is down, down, and the reason for that is err-disabled, the

58
00:05:34,900 --> 00:05:37,600
port was error disabled, the port has gone down.

59
00:05:40,570 --> 00:05:48,790
This router, and let's give it an IP address, will not be able to send traffic to this device.
60
00:05:51,320 --> 00:05:53,240
So router 2 acting as PC 2,

61
00:05:54,090 --> 00:05:54,870
because

62
00:05:56,890 --> 00:06:01,990
the port is down. Show port-security.

63
00:06:05,250 --> 00:06:07,860
Please note, this is not the status of the port.

64
00:06:08,220 --> 00:06:15,570
This is the action that's taken when there's a violation. Show port-security interface Gigabit 0/0 shows

65
00:06:15,570 --> 00:06:18,210
us that port security is enabled on the port.

66
00:06:18,930 --> 00:06:23,970
The status is secure-shutdown, the violation mode is shutdown.

67
00:06:24,550 --> 00:06:26,970
This is the last MAC address that was seen on the port.

68
00:06:27,480 --> 00:06:29,190
Only one MAC address is allowed.

69
00:06:29,940 --> 00:06:32,280
The violation count is 1

70
00:06:33,680 --> 00:06:39,740
and that's because the MAC address that's allowed on that port, which is not shown here because the

71
00:06:39,740 --> 00:06:42,590
port has gone down, I'll just scroll up to show you the output,

72
00:06:44,380 --> 00:06:52,330
was this MAC address and we've changed the MAC address, so the one ending in 0001 is the MAC address that's

73
00:06:52,340 --> 00:06:54,130
permitted, but

74
00:06:55,690 --> 00:06:59,830
this is the last MAC address that was seen that caused a violation.

75
00:07:01,090 --> 00:07:11,230
So let's change the MAC address back to 1 and on this side, we'll go into the port and shut it down

76
00:07:13,090 --> 00:07:14,470
and then wait for that

77
00:07:15,730 --> 00:07:17,590
to go down and then no shut it.

78
00:07:19,800 --> 00:07:20,670
Show port...

79
00:07:22,310 --> 00:07:28,790
you can see that, show port-security, before I press enter, notice the port has come up, so the port has come up.

80
00:07:30,430 --> 00:07:35,920
Secure MAC address is 1 at the moment, it hasn't learnt a MAC address, let's do a ping

81
00:07:37,220 --> 00:07:38,150
to router 2.

82
00:07:42,730 --> 00:07:45,850
As you can see now, it's now learnt a MAC address.
83
00:07:49,670 --> 00:07:50,960
So now the ping succeeds.

84
00:07:52,340 --> 00:07:58,160
Show port-security shows us that the max MAC addresses allowed is one, current address is one, so one has

85
00:07:58,160 --> 00:07:58,680
been learnt.

86
00:07:59,270 --> 00:08:00,680
Let's look at the interface again.

87
00:08:00,680 --> 00:08:01,910
So Gigabit 0/0,

88
00:08:02,510 --> 00:08:04,670
at the moment, there is no violation.

89
00:08:05,180 --> 00:08:07,790
The port status is secure-up.

90
00:08:10,620 --> 00:08:16,830
The violation mode is to shut the port down, but currently the port is up, scrolling back up.

91
00:08:20,860 --> 00:08:27,690
Previously, notice, it was secure-shutdown based on the violation mode of shutdown, but now it's

92
00:08:27,700 --> 00:08:32,520
gone up because the correct MAC address has been learnt, which is this MAC address.

93
00:08:32,890 --> 00:08:38,740
So notice, the first MAC address that was received was added to the list of permitted MAC addresses.

94
00:08:39,100 --> 00:08:40,780
It was dynamically learnt.

95
00:08:41,350 --> 00:08:46,720
So you would have to ensure that the right MAC address is received on the port. If you reboot the switch,

96
00:08:46,750 --> 00:08:47,910
that information is lost.

97
00:08:48,340 --> 00:08:52,210
So the first host that's connected to that port will be permitted,

98
00:08:52,480 --> 00:08:54,190
and that may not be what you want.

99
00:08:54,560 --> 00:09:00,660
You may want to explicitly permit only certain MAC addresses associated with certain machines.

100
00:09:01,060 --> 00:09:02,200
So let's have a look at that.
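As an added example, not taken from the video or its GNS3 lab files, here is the configuration sequence the transcript walks through, written out as Cisco IOS CLI. The interface names and the 0023.3300.000x MAC addresses follow the transcript; the hostnames Router1/Router2 are assumed, and the final static mac-address line is the explicit-permit option the speaker only points to at the end, not something configured in the video.

```cisco
! Router 1 (acting as PC 1): give FastEthernet 0/0 an easy-to-read Cisco-OUI MAC and bring it up
Router1(config)# interface FastEthernet 0/0
Router1(config-if)# mac-address 0023.3300.0001
Router1(config-if)# no shutdown

! Router 2 (acting as PC 2): same, ending in 0002
Router2(config)# interface FastEthernet 0/0
Router2(config-if)# mac-address 0023.3300.0002
Router2(config-if)# no shutdown

! Switch 1: "switchport port-security" is rejected while DTP is negotiating the port mode,
! so pin the port to access mode first, then enable port security
Switch(config)# hostname Switch1
Switch1(config)# interface GigabitEthernet 0/0
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport port-security
! Defaults now in effect: maximum 1 MAC address, violation mode shutdown (err-disable),
! address learnt dynamically from the first frame seen (lost on switch reboot)
Switch1# show port-security
Switch1# show port-security address
Switch1# show port-security interface GigabitEthernet 0/0

! Reproduce the violation from the video: PC 1 changes its MAC to ...0003,
! Gi0/0 goes err-disabled, status Secure-shutdown, violation count 1
Router1(config-if)# mac-address 0023.3300.0003
Switch1# show interface GigabitEthernet 0/0

! Recovery as done in the video: restore the MAC, then bounce the switch port
Router1(config-if)# mac-address 0023.3300.0001
Switch1(config-if)# shutdown
Switch1(config-if)# no shutdown

! Explicit alternative the speaker points to at the end: permit a specific MAC
! instead of whichever host talks first, so a reboot does not change who is allowed
Switch1(config-if)# switchport port-security mac-address 0023.3300.0001
```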