1 00:00:14,520 --> 00:00:19,200 So let's enable port security on this network, on the switch.
2 00:00:20,880 --> 00:00:27,570 We don't have any port security currently enabled, so no port security has been configured on gigabit
3 00:00:27,570 --> 00:00:28,740 1/0/1.
4 00:00:31,510 --> 00:00:36,340 We've been told to enable port security under that port with a single command.
5 00:00:37,470 --> 00:00:42,620 So conf t, interface gigabit 1/0/1, switchport.
6 00:00:43,380 --> 00:00:45,100 Look at the options available to us.
7 00:00:45,510 --> 00:00:46,770 We've got this option.
8 00:00:46,770 --> 00:00:50,890 Port-security. switchport port-security, enter.
9 00:00:51,420 --> 00:00:52,620 Notice what we're told:
10 00:00:52,620 --> 00:00:54,030 this is a dynamic port.
11 00:00:54,720 --> 00:01:00,360 So we've got to firstly type switchport mode access to make the port an access port,
12 00:01:01,680 --> 00:01:05,580 and then we can enter our single port security command.
13 00:01:07,390 --> 00:01:10,330 What we'll do, actually, is just name the switch Switch 1
14 00:01:11,740 --> 00:01:13,870 per the diagram.
15 00:01:14,960 --> 00:01:23,990 So now show port-security, enter. We can see that port security has been enabled on this port, gigabit
16 00:01:24,020 --> 00:01:25,280 1/0/1.
17 00:01:25,910 --> 00:01:30,230 We can also see that the maximum MAC address count is 1.
18 00:01:30,830 --> 00:01:34,230 In other words, only one MAC address is permitted.
19 00:01:34,640 --> 00:01:41,750 What is the action? The action is to shut the port down, so when a second host sends traffic onto the
20 00:01:41,750 --> 00:01:42,320 network,
21 00:01:43,560 --> 00:01:49,500 the port should be shut down. If we look at the interface, so gigabit 1/0/1,
22 00:01:51,510 --> 00:02:00,180 at the moment we can see that this command shows us that port security is enabled, the status is
23 00:02:00,180 --> 00:02:03,510 Secure-up, violation mode is Shutdown.
24 00:02:04,110 --> 00:02:06,780 Maximum number of MAC addresses is 1.
25 00:02:09,240 --> 00:02:10,470 Look at addresses.
26 00:02:12,460 --> 00:02:14,770 No addresses have been learnt at the moment.
27 00:02:15,760 --> 00:02:23,350 So what I'll do is send traffic from PC 1. I'll do an ipconfig /renew.
28 00:02:24,570 --> 00:02:27,150 The PC has received an IP address again.
29 00:02:28,370 --> 00:02:37,100 On the switch, show port-security address. Notice we've now learned about this address; it was dynamically
30 00:02:37,100 --> 00:02:42,890 configured on this port, gigabit 1/0/1, and that wasn't shown previously.
31 00:02:44,360 --> 00:02:49,230 Look at this interface, gigabit 1/0/1: port security is enabled.
32 00:02:49,760 --> 00:02:53,450 We've now learnt this MAC address. Maximum
33 00:02:53,450 --> 00:02:57,380 number of MAC addresses allowed is 1, total MAC addresses is 1.
34 00:02:59,120 --> 00:03:06,560 Previously, we hadn't learnt about that MAC address, so the last source MAC address was blank.
35 00:03:07,710 --> 00:03:13,260 0 total MAC addresses were learnt, so that looks good.
36 00:03:15,060 --> 00:03:22,590 Show port-security again: maximum MAC addresses allowed on this port is 1, current MAC addresses is
37 00:03:22,590 --> 00:03:22,950 1.
38 00:03:23,700 --> 00:03:30,210 So let's see what happens when we use ipconfig /renew on PC 2.
39 00:03:31,310 --> 00:03:33,320 On the switch, we see some output.
40 00:03:34,940 --> 00:03:41,510 We can see that the interface was changed to down. Notice the DHCP request failed.
41 00:03:42,780 --> 00:03:46,170 In Packet Tracer, we can see that the interfaces have gone red,
42 00:03:47,470 --> 00:03:54,280 and we're told that once again the interface has gone down. So show port-security: we can see that
43 00:03:54,280 --> 00:03:59,860 a violation took place, the action is to shut the port down, and that's what happened.
44 00:04:01,500 --> 00:04:05,730 If you look at the interface, this is the last MAC address that we saw.
45 00:04:06,700 --> 00:04:13,030 A violation took place because we went over the maximum number of MAC addresses permitted.
46 00:04:14,130 --> 00:04:19,380 Notice the port status is Secure-shutdown. Show ip interface brief.
47 00:04:20,399 --> 00:04:22,470 This port is being shut down
48 00:04:24,200 --> 00:04:24,920 because
49 00:04:25,840 --> 00:04:30,460 of the violation that took place and the fact
50 00:04:32,530 --> 00:04:40,300 that the action is shutdown. So again, maximum MAC addresses allowed on this port is one. A violation
51 00:04:40,300 --> 00:04:40,900 took place,
52 00:04:41,020 --> 00:04:42,780 the action is to shut the port down.
53 00:04:43,120 --> 00:04:47,950 So the port is being securely shut down because the violation mode is shutdown.
54 00:04:48,950 --> 00:04:52,550 Again, that's because PC 2 sent traffic into the network.
55 00:04:53,480 --> 00:04:55,940 So by default, how many MAC addresses are permitted?
56 00:04:56,270 --> 00:05:00,810 1 is the answer. Verify that only the first host is allowed.
57 00:05:00,860 --> 00:05:01,970 That's what we verified.
58 00:05:02,000 --> 00:05:05,810 Now, what happens when the second host sends traffic?
59 00:05:05,870 --> 00:05:11,550 The port is shut down. Is the first host's MAC address written to the running configuration?
60 00:05:12,050 --> 00:05:14,930 The answer is no. show run
61 00:05:16,150 --> 00:05:25,060 shows us that port security is enabled on this port, but we don't see the MAC address of PC 1. show
62 00:05:25,060 --> 00:05:32,290 mac address-table will show us MAC addresses that the switch learns when interfaces are up,
63 00:05:32,680 --> 00:05:36,700 but the MAC address is not written to the running configuration.
64 00:05:38,460 --> 00:05:42,720 So if I go back onto that interface and no shut the port,
65 00:05:46,330 --> 00:05:47,950 that port should go up
66 00:05:49,300 --> 00:05:51,880 unless there's a security violation that took place.
67 00:05:54,630 --> 00:05:59,700 No shut the port. So I'll shut it down first, actually, and then no shut it.
68 00:06:01,220 --> 00:06:02,540 Notice it's now come up.
69 00:06:03,750 --> 00:06:05,940 So I had to shut it and then no shut it.
70 00:06:06,780 --> 00:06:10,470 Don't forget to shut and then no shut the port to re-enable it.
71 00:06:11,730 --> 00:06:21,330 So show mac address-table. What we should see is the switch learn the MAC address
72 00:06:21,330 --> 00:06:22,410 of PC 1.
73 00:06:26,010 --> 00:06:29,760 Notice it's learned the MAC address of PC 1 on gigabit 1/0/1.
74 00:06:31,590 --> 00:06:34,500 The port is up. show port-security:
75 00:06:35,830 --> 00:06:37,180 current MAC addresses is 1.
76 00:06:38,240 --> 00:06:44,720 Maximum MAC addresses allowed is 1. show run again shows us that the MAC address is not written to
77 00:06:44,720 --> 00:06:45,920 the running configuration.
78 00:06:46,360 --> 00:06:50,750 So if I save the configuration and then reload the switch,
79 00:06:53,400 --> 00:07:01,290 what can happen is that a different MAC address could be learnt. So I'll set both PC 1 and PC 2
80 00:07:01,680 --> 00:07:05,430 to use static IP addresses rather than dynamic IP addresses,
81 00:07:05,940 --> 00:07:08,940 and what you'll see happen is that
82 00:07:11,090 --> 00:07:18,590 the MAC address can change under that port because it's not written to the running configuration. So
83 00:07:18,590 --> 00:07:23,330 current addresses 0, maximum allowed is 1.
84 00:07:24,370 --> 00:07:28,340 If we look at that interface, no MAC address has been learnt.
85 00:07:28,900 --> 00:07:35,200 So now if I set PC 2 to DHCP, what happens is this MAC address is learnt.
86 00:07:35,710 --> 00:07:40,590 So in other words, a different PC was able to send traffic into the network.
87 00:07:41,080 --> 00:07:46,960 The limit is still only one PC, but a different PC's MAC address was learnt.
88 00:07:47,380 --> 00:07:54,550 So show mac address-table shows us that PC 2's MAC address was learnt on this interface.
89 00:07:55,660 --> 00:07:59,360 It's not written to the running configuration, but
90 00:07:59,410 --> 00:08:05,020 the problem with that is that we're not specifying which MAC addresses are allowed to send traffic.
91 00:08:05,380 --> 00:08:09,390 We're only limiting the number of MAC addresses on the interface.
92 00:08:10,060 --> 00:08:18,970 So if PC 1 now started using DHCP and sent a message into the network, notice the port goes down.
93 00:08:20,050 --> 00:08:21,490 MAC addresses are not shown.
94 00:08:23,130 --> 00:08:30,790 Show port-security shows us that a violation took place because, on this interface, this MAC address is
95 00:08:30,790 --> 00:08:33,970 now seen as a violating MAC address.
96 00:08:34,659 --> 00:08:39,970 Only one MAC address is allowed, but we're not specifying what that MAC address is.
97 00:08:40,510 --> 00:08:46,540 So in other words, what happens when the switch is power cycled is that a different MAC address could be learnt.
98 00:08:47,140 --> 00:08:50,180 We are not restricting MAC addresses on the port.
99 00:08:50,590 --> 00:08:55,450 We are only restricting the number of MAC addresses allowed on that port.
100 00:08:55,870 --> 00:09:03,400 But anyone could plug a PC into that port as long as they're the first PC that the switch learns.
101 00:09:04,090 --> 00:09:10,870 If the switch reboots, a different MAC address could be learnt on that port, and the original MAC
102 00:09:10,870 --> 00:09:14,320 address could be seen as a violating MAC address.