[00:00:14] So on Gigabit 1/0/4, show run: at the moment we don't have any configuration on that port. Interface Gigabit 1/0/4. Once again, you have to make the port an access port before you enable port security. So switchport mode access. switchport port-security. switchport port-security mac-address. And we need to specify the MAC address manually here. So I'm going to specify it as this MAC address. I know that because that is the MAC address configured on this PC. We can see that again by using ipconfig /all. That is the MAC address of PC5.

[00:01:16] So what have we done? We've configured this port with port security and we've manually configured this MAC address, per these instructions. But notice, what we've been told to do is drop other traffic and send a log message when a violation occurs. By default, that port will be shut down when a violation occurs. So I need to change that to say "violation". We have three options: protect, restrict and shutdown. The one that we want to use is restrict. On Cisco's website, we're told the differences: protect drops packets with unknown source MAC addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value. Restrict does something very similar, but also causes the security violation counter to increment, so you can get a log of what's taken place. Shutdown changes the port to error-disabled state and sends an SNMP trap notification. Notice this is different to a simple shutdown of the port. The port is error-disabled, so it will be shut down, but it's not simply an administratively shut down port.

[00:02:41] So show run Gigabit 1/0/4. We've configured it for port-security violation restrict; the MAC address is this. So show port-security: we can see restrict here. We can see that one MAC address has been learnt on this port. Maximum is one, security violation is restrict. show port-security interface Gigabit 1/0/4: no violations have occurred. So let's cause that to happen. PC6, ipconfig /all. Let's do a renew, rather; that should cause a violation. On the switch now we can see that this command shows us that a violation took place: security violation count is two, maximum MAC addresses is one, total MAC addresses is one, configured MAC addresses is one. The port is still enabled and it's still secure, but the violation counters are going up. So notice the difference: the interface is green, not red. Even though we see the violations (three violations have occurred on this port), the port hasn't been shut down, though, because we are using restrict mode.

[00:04:09] This address is allowed on this port; it was manually configured. This address was learnt dynamically but added to the running configuration because of the sticky command. So notice the difference with this method: you don't have to manually configure MAC addresses. This way, you'd have to find out the MAC addresses of your devices and manually add them. Default mode is to shut the port down. Restrict doesn't shut the port down, but you do get logging information. Protect simply drops violating packets but doesn't log that information. Here we're dropping violating frames but logging that information. So here are three examples of how to set up port security.

[00:04:59] Next thing we need to do is increase the number of devices allowed on Gigabit 1/0/1 to two. So show run: this port by default only allows one MAC address, so let's say switchport port-security maximum 2, so the maximum MAC addresses allowed is two. Then I'll shut the port down and no shut it to re-enable it. So show port-security: two MAC addresses are now allowed on this port; currently none have been learnt on that port. We haven't learnt any MAC addresses, so let's generate some traffic: ipconfig /renew on PC1, and on PC2, ipconfig /renew. On the switch, show port-security interface Gigabit 1/0/1: we've now learnt about two MAC addresses. The last one that we learnt was this one; there have been no violations. So back on PC1, if I send a renew again, the last MAC address learnt is now PC1, but again there have been no violations. So show port-security: two MAC addresses have been learnt on this port out of a maximum of two. show port-security interface Gigabit 1/0/1 again shows us that the port is up, and if we look at addresses, we've learnt about two addresses on Gigabit 1/0/1. That, however, is not written to the running config, so those MAC addresses are not written here. If the switch rebooted, new devices could send traffic. But at this point, while the switch knows about those MAC addresses, if we change the MAC address of this PC to something like this and then send a DHCP request, what we should see is that the port goes down. And there you go, it went down.

[00:07:26] show port-security address: we don't see those MAC addresses because the port has been shut down. Interface Gigabit 1/0/1: the last MAC address learned was this. It's a security violation; the port has been shut down. The problem with shutting a port down is that you have to manually go and shut and then no shut the port to re-enable it. Whereas if you use restrict mode, the port is not shut down, but violating traffic is dropped. You could use shutdown to force the users to, for instance, contact you to re-enable the port, and then you can ask them what happened and why they're plugging devices into the network that they shouldn't. Whereas with restrict you're simply blocking them; you're not having to manually go and re-enable ports.

[00:08:16] Okay, so how did you do? Were you able to configure port security in the lab? Do you understand all the different options in port security? You need to understand port security for the CCNA exam.