1
00:00:01,000 --> 00:00:07,270
Previously we configured this port with a static MAC address. The disadvantage with that method

2
00:00:07,270 --> 00:00:13,270
is that you have to manually configure every MAC address that you want to add to your system.

3
00:00:13,450 --> 00:00:20,380
So if you had a 48 port switch and you wanted to permit two MAC addresses per port, that's already 96 MAC addresses

4
00:00:20,380 --> 00:00:21,480
that you need to configure.

5
00:00:21,820 --> 00:00:27,050
So that's a lot of work. On this port, Gigabit 0/0,

6
00:00:27,550 --> 00:00:29,790
we simply enabled port security.

7
00:00:30,100 --> 00:00:34,930
But the problem with that method is when the switch reboots, well, the port goes down and then comes

8
00:00:34,930 --> 00:00:37,880
up again and a new MAC address can simply be learnt.

9
00:00:38,500 --> 00:00:46,360
So if we want to limit that port to specific MAC addresses and add those MAC addresses to the configuration

10
00:00:46,360 --> 00:00:51,970
automatically, we could use the command switchport port-security mac-address

11
00:00:53,990 --> 00:01:01,910
and now, rather than manually configuring the MAC address, we can use the option sticky to configure

12
00:01:02,060 --> 00:01:08,630
a dynamic secure MAC address, a sticky one. Now, to put that in plain English, that essentially adds the

13
00:01:08,630 --> 00:01:12,180
MAC address to the running configuration of the switch.

14
00:01:12,710 --> 00:01:19,820
So when the MAC address is discovered... we typed this command, but notice this command was automatically

15
00:01:19,820 --> 00:01:21,860
added to the configuration.

16
00:01:23,440 --> 00:01:26,080
That MAC address wasn't there previously.

17
00:01:27,900 --> 00:01:34,680
We only typed these two commands, but now when we added this command, the MAC address was automatically

18
00:01:34,680 --> 00:01:36,120
added to the configuration.
19
00:01:36,690 --> 00:01:40,950
The advantage with that is that when we save the configuration...

20
00:01:44,360 --> 00:01:51,110
So notice when we go to the startup config at the moment, no MAC address has been added to the startup

21
00:01:51,110 --> 00:01:56,960
config, but as soon as we save the configuration and then look at the startup config,

22
00:01:58,440 --> 00:02:02,340
that MAC address has been added. So, show startup-config:

23
00:02:06,300 --> 00:02:12,120
the MAC address has been added. So the advantage of that is, once again, if you have a 48 port switch

24
00:02:12,330 --> 00:02:18,060
and you want to add a MAC address per port, you don't have to configure 48 MAC addresses statically, or

25
00:02:18,530 --> 00:02:24,030
if you want to allow two MAC addresses per port, you don't have to configure 96 MAC addresses.

26
00:02:24,360 --> 00:02:30,480
You can simply use the sticky option and allow the switch to learn the MAC addresses, and then you save

27
00:02:30,480 --> 00:02:31,160
your config.

28
00:02:31,680 --> 00:02:37,470
Just remember, you need to make sure that the MAC addresses learnt initially are the correct MAC addresses.

29
00:02:38,150 --> 00:02:44,460
The idea is that you initially control which devices access the network and hence which MAC addresses

30
00:02:44,460 --> 00:02:44,880
are learnt.

31
00:02:45,750 --> 00:02:51,540
So the advantage of sticky, once again, is that you don't have to manually type all the MAC addresses

32
00:02:51,540 --> 00:02:51,720
in.

33
00:02:53,630 --> 00:03:00,440
When a violation occurs, at the moment we've configured the ports to shut down. Show port-security

34
00:03:02,030 --> 00:03:07,870
shows us that the security action, when there's a violation, is to shut the port down.

35
00:03:08,420 --> 00:03:13,820
So as an example, if we change the MAC address of the first router
36
00:03:16,350 --> 00:03:18,390
to some other value, let's say 4,

37
00:03:20,980 --> 00:03:24,010
an errdisable message is displayed

38
00:03:25,290 --> 00:03:31,710
and the port is put into error disabled state, and that was caused by this MAC address being learnt on

39
00:03:31,710 --> 00:03:32,170
the port.

40
00:03:33,420 --> 00:03:37,470
So now show interface status shows us

41
00:03:41,540 --> 00:03:48,710
that the port is error disabled. The problem here is that you would have to manually re-enable that

42
00:03:48,710 --> 00:03:51,820
port, which causes a large administrative overhead.

43
00:03:52,850 --> 00:03:57,790
So rather than doing that, you can go into global configuration mode on the switch and use the errdisable

44
00:03:57,800 --> 00:04:05,230
recovery command to specify a cause and a recovery value.

45
00:04:05,900 --> 00:04:12,380
So there are multiple causes here, but the one that we're looking for is this one, port security violation,

46
00:04:13,690 --> 00:04:22,570
and then we could say errdisable recovery interval and specify an interval for recovery. So I'll

47
00:04:22,600 --> 00:04:26,530
go on to Gigabit 0/0, shut the port down

48
00:04:28,030 --> 00:04:30,970
and then no shut it, send some traffic

49
00:04:33,360 --> 00:04:37,360
from this router on port 1 to the other router,

50
00:04:38,400 --> 00:04:45,360
and what we should see is that an error disabled message takes place when a security violation occurs.

51
00:04:47,880 --> 00:04:49,770
So let's confirm our config.

52
00:04:54,160 --> 00:04:54,810
At the moment

53
00:04:56,690 --> 00:05:02,310
traffic is failing, and now we get an errdisable violation taking place,

54
00:05:02,750 --> 00:05:03,920
so the port has gone down.
55
00:05:05,380 --> 00:05:13,750
But what I'll do now is configure the MAC address to what it should be and then I'll do a continuous

56
00:05:13,750 --> 00:05:14,140
ping

57
00:05:15,900 --> 00:05:17,460
and hopefully after a while

58
00:05:20,780 --> 00:05:28,070
that should start succeeding. So notice the port does not come up again after 30 seconds, pings are

59
00:05:28,070 --> 00:05:28,760
still failing.

60
00:05:30,770 --> 00:05:36,230
We have to wait for spanning tree and other protocols to converge, and again, I'm impatient here,

61
00:05:37,160 --> 00:05:41,360
I'll speed up the video so that you don't have to wait for the entire process to take place.

62
00:05:45,050 --> 00:05:48,230
But there you go, notice the ping started succeeding.

63
00:05:50,240 --> 00:05:53,210
So scrolling up, we had an error disabled message

64
00:05:54,280 --> 00:06:00,730
because there was a port security violation caused by this MAC address. The port went down, but then there

65
00:06:00,730 --> 00:06:07,090
was an error recovery where the switch attempted to recover from the port security violation error

66
00:06:07,090 --> 00:06:10,840
disable on Gigabit 0/0 and the port came up.

67
00:06:11,500 --> 00:06:13,060
So it succeeded,

68
00:06:14,090 --> 00:06:20,860
but if I change the MAC address again,

69
00:06:25,460 --> 00:06:27,770
an error occurs: port violation.

70
00:06:31,750 --> 00:06:37,840
Set it back to what it should be. While we're waiting for it to recover, show port-security: at the

71
00:06:37,840 --> 00:06:42,240
moment a security violation has occurred on Gigabit 0/0.

72
00:06:45,370 --> 00:06:50,210
We can see the last MAC address learnt, because of the security violation.

73
00:06:51,070 --> 00:06:59,890
The port is shut down at the moment, but now... the port was shut down when I showed the output, but

74
00:06:59,890 --> 00:07:01,590
now it's recovering.
75
00:07:02,200 --> 00:07:08,410
So if I do the command again, we can see, as an example, that the port is going up. So do the command again:

76
00:07:08,710 --> 00:07:10,330
we can see the port has come up again.

77
00:07:11,490 --> 00:07:13,680
There's no security violation on this port.

78
00:07:17,230 --> 00:07:21,640
So that's a nice way to recover from a shutdown through port security.

79
00:07:23,180 --> 00:07:32,930
We used sticky in this example to configure MAC addresses, and we can do an automatic recovery by using

80
00:07:32,930 --> 00:07:39,830
the errdisable global configuration command, saying recovery cause, port security violation, and

81
00:07:39,830 --> 00:07:42,450
it's going to take 30 seconds before it tries to recover.

82
00:07:43,040 --> 00:07:46,250
You could obviously set that to a larger number.

83
00:07:46,940 --> 00:07:52,250
But as an example, if a user by mistake connected the wrong device to the port, the traffic would

84
00:07:52,250 --> 00:07:55,870
be blocked and a log message would be generated.

85
00:07:56,330 --> 00:08:01,370
But if they then connected the right device to the port, you wouldn't have to telnet to the switch,

86
00:08:01,370 --> 00:08:03,890
as an example, and re-enable the port;

87
00:08:04,280 --> 00:08:06,050
it would automatically be enabled.