1
00:00:00,760 --> 00:00:08,650
In the previous video, we configured port security on Gigabit 0/0 by making the port an access port

2
00:00:08,650 --> 00:00:13,540
and then enabling port security. MAC addresses were dynamically learnt.

3
00:00:14,870 --> 00:00:20,690
So this MAC address was dynamically learnt on port Gigabit 0/0 and hence

4
00:00:22,100 --> 00:00:23,420
show port-security

5
00:00:24,480 --> 00:00:31,560
shows us that the address permitted on that port is this MAC address. It was dynamically learnt and

6
00:00:31,560 --> 00:00:35,070
has been added to the database of permitted MAC addresses on the port.

7
00:00:35,550 --> 00:00:37,800
Only one MAC address is allowed

8
00:00:40,840 --> 00:00:49,480
on Gigabit 0/0, so maximum secure MAC addresses is one. If a violation does take place, the security

9
00:00:49,480 --> 00:00:51,310
action is to shut the port down.

10
00:00:52,530 --> 00:00:59,190
Now, let's configure MAC addresses statically. So let's configure port security on Gigabit 0/1

11
00:00:59,550 --> 00:01:02,570
but do it manually.

12
00:01:03,030 --> 00:01:13,020
So I'm going to use the command switchport port-security maximum to specify the maximum; the default is 1.

13
00:01:13,890 --> 00:01:15,080
So I'll say 1 here

14
00:01:15,570 --> 00:01:23,250
and what you'll notice is the output is not shown because that is a default command on this interface.

15
00:01:23,940 --> 00:01:26,160
But what we'll do now is type switchport

16
00:01:27,470 --> 00:01:37,100
port-security mac-address, and what I'll do is explicitly specify the MAC address that's allowed, and

17
00:01:37,820 --> 00:01:42,080
just to prove the point, I'll specify a different MAC address of, let's say, 3.

18
00:01:43,210 --> 00:01:44,260
Now at the moment

19
00:01:46,110 --> 00:01:48,990
the MAC address on

20
00:01:50,850 --> 00:01:59,430
this router acting as our PC is this. So it's a different MAC address. The PC can still ping Router

21
00:01:59,430 --> 00:02:03,600
1 because we haven't explicitly enabled port security yet.

22
00:02:05,980 --> 00:02:12,450
So we've configured what the MAC address is, we've configured the maximum MAC addresses allowed. I'll

23
00:02:12,460 --> 00:02:13,270
specify

24
00:02:14,340 --> 00:02:16,830
the action to take if there's a violation.

25
00:02:19,240 --> 00:02:26,140
Notice we have protect, restrict and shutdown. The default, as we've seen, is shutdown. Now, protect

26
00:02:26,140 --> 00:02:32,620
drops packets with unknown source MAC addresses until you remove a sufficient number of secure MAC addresses

27
00:02:32,620 --> 00:02:34,480
to drop below the maximum value.

28
00:02:34,990 --> 00:02:40,720
In other words, we are dropping packets from unknown source MAC addresses, but there's no logging. At

29
00:02:40,720 --> 00:02:41,110
the moment

30
00:02:41,110 --> 00:02:43,340
we're only allowing one MAC address,

31
00:02:43,480 --> 00:02:49,210
but as an example, if you had specified a maximum MAC address of three and a fourth device tried

32
00:02:49,210 --> 00:02:55,630
to send traffic to devices, traffic would be dropped. Restrict drops packets with unknown source

33
00:02:55,630 --> 00:03:01,720
MAC addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum

34
00:03:01,720 --> 00:03:02,270
value.

35
00:03:02,860 --> 00:03:05,230
So that's very much the same as protect,

36
00:03:05,410 --> 00:03:09,940
but in addition, it causes the security violation counter to increment.

37
00:03:10,750 --> 00:03:17,500
In other words, there's going to be the generation of log messages and counters will increment. Shutdown

38
00:03:17,500 --> 00:03:24,010
is the default, which we've already seen, and that puts the port into error-disabled mode and sends an

39
00:03:24,010 --> 00:03:28,000
SNMP trap notification if SNMP is configured.

40
00:03:28,930 --> 00:03:36,130
So I'll continue to use shutdown so that we can see the output. Our configuration looks as follows.

41
00:03:37,060 --> 00:03:41,480
Remember, the MAC address of this device is a different MAC address.

42
00:03:41,500 --> 00:03:45,310
It's this, but we are only permitting this MAC address.

43
00:03:46,240 --> 00:03:52,060
But because we haven't globally enabled port security, port security is not active.

44
00:03:52,570 --> 00:03:55,600
So we can use the command do show port-security.

45
00:03:56,770 --> 00:04:02,200
At the moment, port security is enabled on Gigabit 0/0, but not on Gigabit 0/1.

46
00:04:03,260 --> 00:04:12,200
We can also use the command do show interface status. At the moment, both Gigabit 0/0 and 0/1 are connected.

47
00:04:12,620 --> 00:04:15,560
So the port hasn't been shut down because of port security.

48
00:04:16,930 --> 00:04:23,560
But now when we type switchport port-security, we're actually enabling port security, and once again,

49
00:04:23,560 --> 00:04:29,140
we need to have this configured as an access port; we can't use DTP.

50
00:04:30,640 --> 00:04:34,410
So do show run interface gigabit 0/1,

51
00:04:35,560 --> 00:04:41,200
and while I was doing that, notice we received a port security violation message.

52
00:04:41,950 --> 00:04:45,340
We were told that there was an issue

53
00:04:46,390 --> 00:04:53,650
with this MAC address ending in 2 on Gigabit 0/1. We have only permitted the MAC address ending

54
00:04:53,650 --> 00:05:01,090
in 3. Maximum MAC addresses that would be permitted are one; only one MAC address is permitted in this

55
00:05:01,090 --> 00:05:03,070
case. When we look at the command

56
00:05:04,180 --> 00:05:10,390
do show interface status, we can see that the port was error-disabled. So show interface status is

57
00:05:10,390 --> 00:05:12,430
a command that shows us the status of the ports.

58
00:05:12,440 --> 00:05:16,210
We can see this is connected, but this port is error-disabled.

59
00:05:17,480 --> 00:05:26,180
So show port-security once again shows us that Gigabit 0/0 and 0/1 have a security action of

60
00:05:26,180 --> 00:05:33,910
shutdown, but the only port that's currently shut down is port 0/1.

61
00:05:34,430 --> 00:05:39,770
So show interface status shows us that this port is still connected, this port is error-disabled,

62
00:05:40,340 --> 00:05:45,950
and now this host can't ping Router 1 because the port is error-disabled.

63
00:05:48,740 --> 00:05:51,920
show port-security interface gigabit 0/1.

64
00:05:54,160 --> 00:05:56,620
We can see that port security is enabled on this port.

65
00:05:57,760 --> 00:06:01,960
It's currently shut down because of the mode being shutdown.

66
00:06:02,530 --> 00:06:08,470
This is the last MAC address that violated the security policy on that interface.

67
00:06:09,690 --> 00:06:14,780
So on Router 2, if we change the MAC address to

68
00:06:17,480 --> 00:06:18,410
the MAC address

69
00:06:19,530 --> 00:06:22,170
expected by the switch,

70
00:06:23,910 --> 00:06:28,410
it still won't be able to ping because of the violation that took place.

71
00:06:29,490 --> 00:06:30,900
So we need to go into the

72
00:06:32,130 --> 00:06:36,810
port and shut it down and then no shut it,

73
00:06:38,560 --> 00:06:44,410
and once that's done and the switch learns the correct MAC address,

74
00:06:48,390 --> 00:06:54,450
the device should be able to ping. So at the moment, the MAC address hasn't been learnt.

75
00:06:57,230 --> 00:06:58,840
Just waiting for the interface to come up.

76
00:07:01,300 --> 00:07:06,550
So show interface status, let's see what's going on. Interfaces connected,

77
00:07:09,480 --> 00:07:11,410
and now the ping succeeds.

78
00:07:11,910 --> 00:07:17,550
I was just too impatient and I needed to wait for spanning tree and other protocols to sort themselves

79
00:07:17,550 --> 00:07:25,680
out. But show port-security interface gigabit 0/1, we can see port security is enabled.

80
00:07:26,520 --> 00:07:27,930
Violation mode is shutdown.

81
00:07:28,820 --> 00:07:34,520
At the moment, the port status is secure and the interface is up. The last MAC address that was seen was

82
00:07:34,520 --> 00:07:38,240
this on that port. No security violations occurred.

83
00:07:38,690 --> 00:07:44,300
Maximum MAC addresses allowed is once again one, total MAC addresses seen is one, one MAC address has

84
00:07:44,300 --> 00:07:50,920
been configured because we manually configured the MAC address on the switch.

85
00:07:51,290 --> 00:07:59,450
So if I save this configuration and the switch reboots, this MAC address is stored in the saved configuration.

86
00:08:00,310 --> 00:08:09,070
So that's different to what we have on Gigabit 0/0 here. When the switch reboots, it would simply learn

87
00:08:09,430 --> 00:08:11,800
the source MAC address from a frame received.

88
00:08:12,100 --> 00:08:18,580
So the first device that connects will have its MAC address added to the database. So show port-security

89
00:08:21,320 --> 00:08:26,700
address, as an example, shows us the two addresses. This one was statically configured.

90
00:08:27,410 --> 00:08:29,900
This one was dynamically learnt.

91
00:08:30,080 --> 00:08:32,750
So the MAC address on this interface was configured.

92
00:08:33,230 --> 00:08:34,429
This was dynamically learnt.

93
00:08:34,940 --> 00:08:41,659
Now, the example on the right is where you are explicitly allowing a specific MAC address onto the network.

94
00:08:42,289 --> 00:08:48,050
The example on the left is where you are restricting the number of MAC addresses permitted on a port.

95
00:08:48,740 --> 00:08:55,610
So on the left, you would stop a user connecting a hub, as an example, to the network and connecting

96
00:08:55,610 --> 00:08:57,320
multiple devices to the port,

97
00:08:57,560 --> 00:09:04,220
whereas the example on the right is where we are limiting traffic to a specific MAC address.

98
00:09:05,030 --> 00:09:12,740
The problem with this method is we are having to work out what the MAC addresses of the devices are

99
00:09:13,100 --> 00:09:16,340
and then manually configuring those MAC addresses.

100
00:09:16,760 --> 00:09:18,400
So let's look at another way of doing it.