[00:00:15] So on Gigabit 1/0/3, we want to automatically add the MAC address to the running configuration so that we limit specific MAC addresses on that port. So to do that, on interface Gigabit 1/0/3, we're going to type "switchport mode access" (it has to be an access port), then "switchport port-security mac-address sticky". That allows the switch to automatically learn the MAC address of a PC and write it to the running configuration. Then "switchport port-security".

[00:01:00] "show port-security": notice on this port the maximum MAC addresses allowed is 1, nothing's been learnt at the moment, and there have been no violations. "show run": on this port we've got our configuration, but we don't see any MAC addresses in the running configuration. "show port-security gigabit 1/0/3", or rather "show port-security interface gigabit 1/0/3": we've enabled port security, status is Secure-up, violation mode is shutdown, maximum number of MAC addresses allowed is one, and at the moment we haven't learnt any MAC addresses.

[00:01:45] So on PC3, what I'll do is use "ipconfig /renew" to force the PC to request an IP address. It's been given one. So "show port-security interface gigabit 1/0/3": notice we've now learned a MAC address on that interface. Total number of MAC addresses is one, sticky MAC addresses is one.
[00:02:09] So notice the difference. "show run" shows us the MAC address in the running configuration of the switch. We didn't type that command; it was automatically added to the running configuration. So again, "show port-security" shows us that one MAC address has been learnt. Maximum is one on this port. On that interface, we've learnt this MAC address, which means it's written to the running configuration. Total MAC addresses is one, maximum MAC addresses is one, and a violation results in the port being shut down. If you look at the addresses, we've learnt this MAC address in VLAN 1 on this port. It's a secure sticky MAC address, which means, again, that it's written to the running configuration.

[00:03:08] So what happens when the second host sends traffic? So on PC4, "ipconfig /renew". On the switch, notice we get a violation and the port is shut down. So, port-security address: this address is allowed on this port, but we learnt about a different address on that port. So "show port-security interface gigabit 1/0/3" shows us the last MAC address learnt; violation mode is shutdown. So the port has now been shut down. Previously, the violation mode was shutdown, but the port was up.
[00:03:56] But because the violation took place, the port is now shut down, and in Packet Tracer we can see that the port is shut down. So what happens if we reboot the switch? If I save the config at this point, this will be written to the saved configuration of the switch. But if I save the config before that point, that configuration is not written to the saved configuration of the switch, which means that a different MAC address could be learnt. I'll no shut the port again and save the configuration. So at the moment... and I need to shut and then no shut, actually. So "interface gigabit 1/0/3", shut and then no shut the port to bring it up, and save the configuration.

[00:04:53] So again, assume at this point that the switch hasn't learnt a MAC address. That's the running configuration. "show port-security": at the moment the switch has not learnt a MAC address on this port. Send traffic from PC3. The switch has now learnt about a MAC address on that port; it's learnt about this MAC address. So in other words, in the running configuration and in the MAC address table, the switch knows about this MAC address. There's the MAC address in the MAC address table.
[00:05:35] There's the MAC address in the running configuration, but in the startup configuration we don't have that MAC address. So if the switch is now power cycled, what you'll notice is that the switch can learn a different MAC address on that port. So again, "show mac address-table": no MAC addresses are learnt at the moment. "show run": that sticky MAC address has been lost. So if this PC was the first PC to send out a DHCP request, that's the MAC address that would be learnt on Gigabit 1/0/3 of the switch. And notice, that's what's happened here: this MAC address was written to the running config, whereas previously we had the MAC address of PC3. Notice that port has gone down now. "show port-security": we've had a violation take place on that port, and the device that violated was PC3.

[00:06:53] So what's the point of using sticky MAC addresses? What does it do and what doesn't it do? Well, sticky MAC addresses save you the trouble of finding the MAC addresses of devices and writing them to the running configuration. On the last port we're going to have to manually configure the MAC addresses, so that means that you need to find out what the MAC addresses of your devices are. Sticky saves you the trouble because it automatically learns the MAC address and then writes it to the running configuration.
[00:07:27] But that means that the first device that sends traffic into the network needs to be the device that you trust. In other words, it needs to be the device that you want connected to that port. If another device sends traffic, that device's MAC address will be written to the running configuration, and not the MAC address of the device that you actually want on that port. Secondly, sticky configuration is written to the running config of the switch. You have to save the switch configuration if you want to make that permanent.

[00:08:01] So again, on this port, interface Gigabit 1/0/3, let's remove this command, and I'll shut the port down and then no shut it. So at the moment, no MAC address has been learnt on that port. I'll send a DHCP request from PC3. Hopefully what should happen now is PC3's MAC address should be written to the running config of the switch. We have to wait for spanning tree to converge. So let's try that again. There you go, PC3's MAC address has been written to the running config. I'm going to save the config at this point. So now we've been able to learn the MAC address of PC3 and save it to the running config of the switch, and I've been able to save it to the startup config of the switch. So it's both in the startup configuration.
[00:09:13] As you can see there, as well as the running configuration. But notice the problem: this port is now being shut down because PC4 sent traffic. So notice the difference between what the startup and running config show. The startup config shows us that configuration with the port enabled, and the running config shows us that configuration with the port shut down. So if I reloaded or rebooted the switch, or it lost power and came back again, it will revert back to the state that we wanted it to be in, which essentially means that it only allows traffic on Gigabit 1/0/3 from that MAC address. That's different to Gigabit 1/0/1, where any MAC address could send traffic as long as it was the first MAC address to send traffic. So sticky MAC addresses make your life a lot easier. Let's configure port security on Gigabit 1/0/4 by manually configuring the MAC address.