WEBVTT 0:00:03.000000 --> 0:00:06.680000 Hello and welcome to this video on port security. 0:00:06.680000 --> 0:00:11.040000 In this video I'm going to cover what the problem was that was solved 0:00:11.040000 --> 0:00:14.500000 by port security, why you might want to use this feature. 0:00:14.500000 --> 0:00:16.600000 I'm going to give you an overview of its operation. 0:00:16.600000 --> 0:00:19.640000 I'm going to show you the various configuration options for it. 0:00:19.640000 --> 0:00:23.980000 We're going to talk about the port security violation modes, the default 0:00:23.980000 --> 0:00:28.020000 violation mode and some other optional violation modes you can switch 0:00:28.020000 --> 0:00:34.140000 to. And we'll also talk about something called sticky max. 0:00:34.140000 --> 0:00:38.040000 All right, so why might we want to use port security? 0:00:38.040000 --> 0:00:40.060000 Well, the main reason is this. 0:00:40.060000 --> 0:00:44.060000 We know that switch ports by default are ready to go. 0:00:44.060000 --> 0:00:47.600000 And although there's the moment you connect anything to them like this 0:00:47.600000 --> 0:00:52.000000 laptop or PC here when you connect a cable to it, that port has now just 0:00:52.000000 --> 0:00:53.860000 connected you to the network. 0:00:53.860000 --> 0:00:57.900000 There's no checking of who you are, there's no verification of your device, 0:00:57.900000 --> 0:01:00.880000 you are now connected to the corporate network. 0:01:00.880000 --> 0:01:04.620000 So if you happen to be someone who's not supposed to be there, like someone 0:01:04.620000 --> 0:01:08.780000 who tailgated in behind someone with a badge, you now have the ability 0:01:08.780000 --> 0:01:12.020000 to get on that network and mess it up. 
0:01:12.020000 --> 0:01:16.980000 So port security at a real high level saying, hey, let's put some restrictions 0:01:16.980000 --> 0:01:21.720000 on the port, let's secure the port to give us a little bit more control 0:01:21.720000 --> 0:01:29.440000 over who and what many devices can connect to that port. 0:01:29.440000 --> 0:01:33.020000 So as this mentions right here, just as a recap, by default routers and 0:01:33.020000 --> 0:01:36.600000 switches don't perform any security checks against a device that connects 0:01:36.600000 --> 0:01:41.960000 to them. Now routers of course, by default their interfaces are administratively 0:01:41.960000 --> 0:01:46.560000 shut down. So if you connect your laptop or PC to a router's interface, 0:01:46.560000 --> 0:01:49.540000 well, first of all, you probably won't have connection to it, so being 0:01:49.540000 --> 0:01:50.900000 a locked closet somewhere. 0:01:50.900000 --> 0:01:54.800000 But let's say theoretically, you actually could connect a cable, boop, 0:01:54.800000 --> 0:01:57.800000 right into that router's interface, it's not going to do you any good, 0:01:57.800000 --> 0:02:01.160000 because that router's interface will be shut down and I'm assuming you 0:02:01.160000 --> 0:02:04.600000 don't have the password to get onto the command line of the router and 0:02:04.600000 --> 0:02:06.400000 bring that interface up. 0:02:06.400000 --> 0:02:08.280000 However, switches like we said are a little bit different. 0:02:08.280000 --> 0:02:12.960000 If you can plug into a switch port, it's up by default, it lets you in. 0:02:12.960000 --> 0:02:16.740000 So as it mentions right here, if you're able to connect to an active interface 0:02:16.740000 --> 0:02:20.800000 on a router switch, it'll automatically start forwarding your information 0:02:20.800000 --> 0:02:23.720000 based on two simple requirements. 
0:02:23.720000 --> 0:02:27.820000 Number one, the appropriate protocol has to be enabled on the ingress 0:02:27.820000 --> 0:02:32.380000 interface. Now for switches, there really isn't any protocol, it will 0:02:32.380000 --> 0:02:34.440000 allow any Ethernet frame in. 0:02:34.440000 --> 0:02:37.000000 If we're talking about a router, what we're talking about here in this 0:02:37.000000 --> 0:02:41.680000 bullet point is, if I send an IP packet to that router's interface, well, 0:02:41.680000 --> 0:02:45.000000 the router's interface might be up, but if it has not been configured 0:02:45.000000 --> 0:02:49.520000 with IP, if it hasn't been given an IP address, it's just going to drop 0:02:49.520000 --> 0:02:53.000000 my packet, because it'll say, I don't recognize that, I don't know how 0:02:53.000000 --> 0:02:54.400000 to process that. 0:02:54.400000 --> 0:02:57.320000 But switches, hey, as soon as you send an Ethernet frame, switches by 0:02:57.320000 --> 0:03:02.160000 default, know what Ethernet is, they know how to parse an Ethernet frame, 0:03:02.160000 --> 0:03:05.440000 so without you doing anything, it'll automatically know how to handle 0:03:05.440000 --> 0:03:11.320000 that. And secondly, the appropriate forwarding tables or trees must exist. 0:03:11.320000 --> 0:03:15.380000 So once again, with switches, yes and no, you see with switches, they 0:03:15.380000 --> 0:03:20.140000 have things called Mac address tables, which is useful if a frame comes 0:03:20.140000 --> 0:03:24.080000 in and you want that frame to go out only one port. 0:03:24.080000 --> 0:03:29.680000 However, if I'm an unauthorized user and I connect to a switch port, even 0:03:29.680000 --> 0:03:34.040000 on the very off chance that the Mac address table is empty and has nothing 0:03:34.040000 --> 0:03:37.520000 in it, that switch will still know how to process my frame. 
0:03:37.520000 --> 0:03:40.780000 In that case, it'll just flood my frame and whatever frame I send into 0:03:40.780000 --> 0:03:45.540000 it, it'll be flooded out all the other ports in that exact same VLAN. 0:03:45.540000 --> 0:03:49.700000 Now, of course, once again, with routers, if I send an IPv4 or an IPv6 0:03:49.700000 --> 0:03:54.440000 packet into that router's interface, number one, it has to have an IPv4 0:03:54.440000 --> 0:03:58.220000 or an IPv6 address in order to process that. 0:03:58.220000 --> 0:04:01.120000 And then number two, like this last bullet point says, it has to have 0:04:01.120000 --> 0:04:02.000000 a routing table. 0:04:02.000000 --> 0:04:05.700000 If it doesn't have a routing table, game over, packet gets dropped. 0:04:05.700000 --> 0:04:09.280000 But we're focusing primarily on switches in this presentation. 0:04:09.280000 --> 0:04:12.220000 So, how do I limit switch access? 0:04:12.220000 --> 0:04:16.360000 In other words, how do I prevent just anybody from connecting to my switch 0:04:16.360000 --> 0:04:19.500000 port and now getting access to my network? 0:04:19.500000 --> 0:04:23.820000 Or maybe, you know, John is sitting in his cube, John is an authorized 0:04:23.820000 --> 0:04:29.200000 employee, but how do I prevent John from creating a little mini lab in 0:04:29.200000 --> 0:04:32.520000 his cube? What if John comes in with his own routers and switches and 0:04:32.520000 --> 0:04:34.680000 firewalls that he purchased from eBay or something? 0:04:34.680000 --> 0:04:40.520000 And on his cube, he creates a little, you know, six foot tall rack himself. 0:04:40.520000 --> 0:04:41.900000 Well, that's not authorized. 0:04:41.900000 --> 0:04:44.380000 We're not supposed to have rogue labs in our building. 
0:04:44.380000 --> 0:04:48.660000 How do I prevent him from doing that and connecting his unauthorized lab 0:04:48.660000 --> 0:04:54.300000 into our corporate production network simply by connecting some port on 0:04:54.300000 --> 0:04:58.320000 his lab into the switch port in his cube or in his office wall? 0:04:58.320000 --> 0:04:59.760000 How do I stop that? 0:04:59.760000 --> 0:05:04.780000 Well, that is exactly what port security was designed to fix. 0:05:04.780000 --> 0:05:08.240000 Now, port security, when you configure it, like it says here, it's not 0:05:08.240000 --> 0:05:10.500000 available on dynamic ports. 0:05:10.500000 --> 0:05:11.540000 What's that mean? 0:05:11.540000 --> 0:05:16.140000 Well, most Cisco switches, right out of the box, their switch port mode 0:05:16.140000 --> 0:05:22.340000 is dynamic. Most switches on Cisco are switch port mode dynamic auto by 0:05:22.340000 --> 0:05:26.860000 default. A very few of them are switch port mode dynamic desirable by 0:05:26.860000 --> 0:05:29.680000 default. But either way, they're dynamic ports. 0:05:29.680000 --> 0:05:33.520000 So if you try configuring port security on a dynamic port, it won't let 0:05:33.520000 --> 0:05:36.620000 you. You'll actually get an error message that looks something like this 0:05:36.620000 --> 0:05:45.040000 right here. So if I get on a switch and I go on to an interface, I'm just 0:05:45.040000 --> 0:05:46.580000 going to, I'm just picking one at random here. 0:05:46.580000 --> 0:05:53.200000 I'm hoping it's a dynamic port and I say switch port port dash security. 0:05:53.200000 --> 0:05:55.000000 There we go. See that? 0:05:55.000000 --> 0:05:55.920000 Command rejected. 0:05:55.920000 --> 0:05:58.300000 Fast Ethenet 02 is a dynamic port. 0:05:58.300000 --> 0:06:03.060000 So the only way port security will work is if I first say switch port 0:06:03.060000 --> 0:06:08.820000 mode access. This is really meant to be done on access ports. 
0:06:08.820000 --> 0:06:12.260000 Then I can configure port security without any errors. 0:06:12.260000 --> 0:06:14.760000 Now, that's just the basic command to turn it on. 0:06:14.760000 --> 0:06:18.020000 We'll talk about what that command does, but there are other optional 0:06:18.020000 --> 0:06:20.940000 things I could do above and beyond that. 0:06:20.940000 --> 0:06:26.400000 All right, so what can port security actually do for you? 0:06:26.400000 --> 0:06:27.980000 How is it securing a port? 0:06:27.980000 --> 0:06:30.560000 Well, port security has two things it can do. 0:06:30.560000 --> 0:06:35.380000 You can do them each separately or you can combine them and do them together. 0:06:35.380000 --> 0:06:40.020000 So number one, you could limit the maximum amount of MAC addresses that 0:06:40.020000 --> 0:06:42.400000 can potentially be learned on an interface. 0:06:42.400000 --> 0:06:46.900000 Recall that on a switch, a switch has no limit as far as how many MAC 0:06:46.900000 --> 0:06:48.660000 addresses can be learned on a port. 0:06:48.660000 --> 0:06:51.860000 Now, if a switch is at the edge of the network, if it's an access layer 0:06:51.860000 --> 0:06:56.580000 switch, then presumably each port will probably be connected to an individual 0:06:56.580000 --> 0:07:01.820000 device like a laptop or PC or a server, in which case that port would 0:07:01.820000 --> 0:07:06.240000 be learning one, maybe two MAC addresses if it's connected to an IP phone 0:07:06.240000 --> 0:07:09.400000 and then hanging off of that IP phone is a laptop. 0:07:09.400000 --> 0:07:11.180000 That would be two MAC addresses. 
0:07:11.180000 --> 0:07:15.380000 But certainly, if that switch is connected, for example, to a server that 0:07:15.380000 --> 0:07:19.940000 has a bunch of virtual machines in it, a server with VMware's ESXi, for 0:07:19.940000 --> 0:07:24.080000 example, could have dozens or even hundreds of VMs, depending on how powerful 0:07:24.080000 --> 0:07:28.380000 that server is, each one of those VMs could potentially be using its own 0:07:28.380000 --> 0:07:32.180000 unique MAC address, which could translate to lots of MAC addresses learned 0:07:32.180000 --> 0:07:34.060000 on that one switch port. 0:07:34.060000 --> 0:07:38.020000 Or, if the switch is at the distribution or core layer of the network, 0:07:38.020000 --> 0:07:42.300000 it's a couple layers up, now certainly its interfaces are connecting to 0:07:42.300000 --> 0:07:45.960000 other switches, it could certainly learn dozens or even hundreds or even 0:07:45.960000 --> 0:07:49.460000 potentially thousands of MAC addresses on its ports. 0:07:49.460000 --> 0:07:54.580000 Well, what if I say, hey, this port on my switch is going to John's Cube? 0:07:54.580000 --> 0:07:58.100000 And there should really only be two MAC addresses learned and that's it. 0:07:58.100000 --> 0:08:01.860000 The MAC address of his IP phone and the MAC address of his laptop that's 0:08:01.860000 --> 0:08:03.480000 connected to that IP phone. 0:08:03.480000 --> 0:08:05.800000 Well, with port security, we can do that. 0:08:05.800000 --> 0:08:09.860000 We can say, hey, on that port, only two MAC addresses are authorized. 0:08:09.860000 --> 0:08:14.460000 If there's any more than that that are seen, that will cause a violation. 0:08:14.460000 --> 0:08:19.240000 Alternatively, we could use port security to have static authorized MAC 0:08:19.240000 --> 0:08:20.760000 addresses are pre-configured. 
0:08:20.760000 --> 0:08:26.080000 For example, if I know in advance what the MAC address is of John's IP 0:08:26.080000 --> 0:08:30.860000 phone and of John's laptop, I can go onto that port on the switch and 0:08:30.860000 --> 0:08:35.400000 say, hey, these two MAC addresses here are the only authorized MAC addresses. 0:08:35.400000 --> 0:08:37.040000 I'm going to pre-configure them. 0:08:37.040000 --> 0:08:40.660000 If you see any MAC addresses other than these two right here, that will 0:08:40.660000 --> 0:08:42.800000 cause a port security violation. 0:08:42.800000 --> 0:08:44.900000 Or you can do a combination of both. 0:08:44.900000 --> 0:08:48.280000 For example, let's say you had a training room and there was an instructor 0:08:48.280000 --> 0:08:49.780000 who was always in that room. 0:08:49.780000 --> 0:08:54.040000 So you know in advance what MAC address that instructor has on his or 0:08:54.040000 --> 0:08:58.920000 her laptop. And you know that the fire marshal has said no more than 10 0:08:58.920000 --> 0:09:01.520000 people should be in that room at any given time. 0:09:01.520000 --> 0:09:05.300000 Otherwise, it's a violation of the fire marshal code. 0:09:05.300000 --> 0:09:08.940000 Well, you could go if you've got a port on your switch that leads into 0:09:08.940000 --> 0:09:12.140000 that room and then let's say you've got a hub in that room. 0:09:12.140000 --> 0:09:15.000000 So when everybody comes in, including the instructor, they connect their 0:09:15.000000 --> 0:09:18.940000 ethernet cables into the central hub and then the hub has a cable leading 0:09:18.940000 --> 0:09:21.240000 to the switch port that's on the wall. 
0:09:21.240000 --> 0:09:25.300000 We could use port security to say number one, a maximum of 10 MAC addresses 0:09:25.300000 --> 0:09:30.720000 is allowed, and number two, we can figure the instructor's MAC address 0:09:30.720000 --> 0:09:35.920000 as a known authorized MAC address in advance, which would leave us nine 0:09:35.920000 --> 0:09:39.900000 MAC addresses that could be learned dynamically after that. 0:09:39.900000 --> 0:09:43.640000 So let's take a look at the real basic initial configuration of port security 0:09:43.640000 --> 0:09:45.840000 and then we'll build on top of that. 0:09:45.840000 --> 0:09:49.160000 So as you saw when I just did in the lab here, technically, you can enable 0:09:49.160000 --> 0:09:52.040000 port security with just one command on the interface. 0:09:52.040000 --> 0:09:55.620000 There it is. Switch port, port dash security. 0:09:55.620000 --> 0:09:59.580000 Now, if that's all you type in, what's going to happen? 0:09:59.580000 --> 0:10:00.700000 What are the defaults? 0:10:00.700000 --> 0:10:04.800000 Well, number one, the default is that port will only be allowed to learn 0:10:04.800000 --> 0:10:06.420000 one MAC address. 0:10:06.420000 --> 0:10:10.460000 So it'll automatically put a maximum of one MAC address on there. 0:10:10.460000 --> 0:10:14.080000 And whatever the first MAC address is that's learned, the first MAC address 0:10:14.080000 --> 0:10:18.560000 that's seen on the port, that will be assumed to be the authorized MAC 0:10:18.560000 --> 0:10:23.440000 address. Any subsequent MAC addresses are learned after that will cause 0:10:23.440000 --> 0:10:25.560000 a port security violation. 0:10:25.560000 --> 0:10:26.640000 So that is the default. 0:10:26.640000 --> 0:10:29.780000 If you just type in that one command, if that's all you need, there you 0:10:29.780000 --> 0:10:32.320000 go. Type that in, walk away, and you're done. 
0:10:32.320000 --> 0:10:35.520000 And of course, you could do this across a range of interfaces. 0:10:35.520000 --> 0:10:39.600000 Now, there are some optional things that you can configure above and beyond 0:10:39.600000 --> 0:10:43.560000 this, but to enable port security at a minimum, you have to type this 0:10:43.560000 --> 0:10:47.300000 one command. So the next commands I'm going to show you are in addition 0:10:47.300000 --> 0:10:49.180000 to what you see here. 0:10:49.180000 --> 0:10:52.120000 All right, so what are some of those additional things we can do that 0:10:52.120000 --> 0:10:53.280000 I just talked about? 0:10:53.280000 --> 0:10:58.840000 What if I want to, like I said, allow a predefined quantity of MAC addresses? 0:10:58.840000 --> 0:11:01.900000 Well, on the interface, you can use the command switch port, port dash 0:11:01.900000 --> 0:11:03.620000 security, maximum. 0:11:03.620000 --> 0:11:07.260000 Remember, the default is one, so if we want to make it higher than that, 0:11:07.260000 --> 0:11:12.140000 like two or five or fifteen, we would want to use this command right here. 0:11:12.140000 --> 0:11:17.480000 What if I want to configure in advance a MAC address that I already know, 0:11:17.480000 --> 0:11:21.720000 and I want to assign that to that port as being the authorized MAC address? 0:11:21.720000 --> 0:11:25.580000 Well, then you can use the switch port, port dash security, MAC command, 0:11:25.580000 --> 0:11:28.140000 and then type in the MAC address right here. 0:11:28.140000 --> 0:11:29.740000 And you can use these two commands together. 0:11:29.740000 --> 0:11:32.680000 You can use them separately, or you can use them together. 0:11:32.680000 --> 0:11:34.160000 It's your choice. 0:11:34.160000 --> 0:11:38.300000 Now, let's take a look at something here for a second. 
0:11:38.300000 --> 0:11:47.320000 Let's say that here I have a PC or a laptop, whatever it is, which is 0:11:47.320000 --> 0:11:53.920000 connected to switch X, maybe port number zero slash two, switch X in turn 0:11:53.920000 --> 0:12:02.040000 is connected upstream to switch Y on port zero slash four. 0:12:02.040000 --> 0:12:07.060000 Okay, and let's say that I decide, for whatever reason, that I want to 0:12:07.060000 --> 0:12:10.180000 put port security on this interface right here. 0:12:10.180000 --> 0:12:15.840000 Now, normally port security would be placed on the axis layer switch, 0:12:15.840000 --> 0:12:22.140000 which is switch X, but hey, if port zero slash four is not a dynamic port, 0:12:22.140000 --> 0:12:24.240000 you could put port security on it. 0:12:24.240000 --> 0:12:26.480000 Now, here's the point I want to bring up. 0:12:26.480000 --> 0:12:34.440000 Okay, so let's say I do this and this PC connects, and let's say I even 0:12:34.440000 --> 0:12:38.440000 type in, let's say this guy's MAC address is a a a a a a you know, let's 0:12:38.440000 --> 0:12:39.520000 make it something simple. 0:12:39.520000 --> 0:12:40.680000 So I do that right here. 0:12:40.680000 --> 0:12:45.920000 I use this command on this port and I statically authorized the MAC address 0:12:45.920000 --> 0:12:48.580000 of a a. All right, I put that in there. 0:12:48.580000 --> 0:12:52.920000 All right, so the PC connects, we know that one of the very first things 0:12:52.920000 --> 0:12:57.300000 that PC is going to do is most likely send like a DHCP request or something. 0:12:57.300000 --> 0:13:02.420000 Whatever it is, his frame will have a source MAC address of that a a that 0:13:02.420000 --> 0:13:09.920000 we looked at. So port Y here will say, oh, okay, that's authorized. 0:13:09.920000 --> 0:13:12.240000 I'm already pre-configured to authorize that. 0:13:12.240000 --> 0:13:14.440000 So that'll become the authorized port. 
0:13:14.440000 --> 0:13:16.280000 Now here's the thing. 0:13:16.280000 --> 0:13:22.140000 What if this PC disconnects from switch X? 0:13:22.140000 --> 0:13:27.280000 Well, switch X knows that because zero slash two that interface just went 0:13:27.280000 --> 0:13:32.140000 down as it's no longer electrically active but to switch Y know that. 0:13:32.140000 --> 0:13:34.020000 No, he doesn't. Right? 0:13:34.020000 --> 0:13:44.200000 This connection right here between switch Y and switch X is still left. 0:13:44.200000 --> 0:13:49.240000 As a matter of fact, let's take it even one step further. 0:13:49.240000 --> 0:13:53.460000 Let's say that we did not pre-configure the authorized MAC address. 0:13:53.460000 --> 0:13:56.940000 All right, so let's just figure assume that we did not do that command. 0:13:56.940000 --> 0:14:02.600000 So let's assume that the only command we did on that interface with the 0:14:02.600000 --> 0:14:07.600000 port security command and that's it. 0:14:07.600000 --> 0:14:13.860000 Which we know allows one MAC and is dynamic learning. 0:14:13.860000 --> 0:14:18.420000 In other words, whatever the first MAC is that scene, that's the MAC that's 0:14:18.420000 --> 0:14:22.580000 authorized. Okay, let's say that this is the first MAC address that's 0:14:22.580000 --> 0:14:30.100000 seen. So on port zero slash four, now a a a a a a a a a will be the secured 0:14:30.100000 --> 0:14:34.440000 MAC because that was the first one that was seen. 0:14:34.440000 --> 0:14:39.840000 Well, like I said, if this PC goes away, this isn't going to go away. 0:14:39.840000 --> 0:14:41.720000 See, here's a big difference. 0:14:41.720000 --> 0:14:46.300000 When a MAC address is dynamically learned on a port that does not have 0:14:46.300000 --> 0:14:50.520000 port security, it gets put into the MAC address table as what's called 0:14:50.520000 --> 0:14:54.980000 a dynamic entry, which means there's a timer associated with it. 
0:14:54.980000 --> 0:14:58.620000 If that MAC address, if we never hear from that MAC address again, like 0:14:58.620000 --> 0:15:02.960000 in this case, if that PC disconnects, but somehow the switch doesn't know 0:15:02.960000 --> 0:15:07.500000 that he disconnected like in switch wise case, that MAC address will eventually 0:15:07.500000 --> 0:15:10.660000 age out. It's got a five minute aging timer. 0:15:10.660000 --> 0:15:12.260000 Where will age out? 0:15:12.260000 --> 0:15:16.620000 That's not the case on MAC addresses that are learned on port security 0:15:16.620000 --> 0:15:21.620000 ports. Those addresses by default don't age out. 0:15:21.620000 --> 0:15:25.300000 Now, if the port goes down, if the port physically goes down like if that 0:15:25.300000 --> 0:15:29.440000 PC had been physically connected to Y, well, then yes, the moment the 0:15:29.440000 --> 0:15:33.620000 PC disconnected from the switch, the switch port would go down, and that 0:15:33.620000 --> 0:15:37.800000 case port security would be smart enough to say, oh, okay, clearly I don't 0:15:37.800000 --> 0:15:40.380000 need to watch this MAC address anymore because he's gone. 0:15:40.380000 --> 0:15:44.480000 So it would strip it out of the MAC address table, and now that port would 0:15:44.480000 --> 0:15:48.220000 be free to learn whatever the next MAC address was that connected to that 0:15:48.220000 --> 0:15:52.520000 port. But that's not the case here with Y because on switch Y, that port 0:15:52.520000 --> 0:15:56.680000 0 slash 4 is not going to go down, even though the PC has taken off and 0:15:56.680000 --> 0:16:02.020000 moved away. So in this case, we might want to apply some sort of an aging 0:16:02.020000 --> 0:16:06.620000 timer to those MAC addresses that are learned via port security. 0:16:06.620000 --> 0:16:10.860000 Just in case they actually do walk off, we don't want them in there forever. 
0:16:10.860000 --> 0:16:14.400000 As a matter of fact, if we didn't put an aging timer and let's say that 0:16:14.400000 --> 0:16:20.540000 PC connected right here, that would cause a problem because switch Y would 0:16:20.540000 --> 0:16:24.320000 say, wait a second, I already learned your MAC address as a static secure 0:16:24.320000 --> 0:16:31.060000 MAC on 0 slash 4, you can't have moved over to 0 slash 8, that's not allowed. 0:16:31.060000 --> 0:16:34.160000 So in this case, we might want to apply an aging timer to these types 0:16:34.160000 --> 0:16:38.140000 of MAC addresses, and that is what the next couple of commands are for. 0:16:38.140000 --> 0:16:42.420000 We can do that. So here's where you apply the aging timer, and you get 0:16:42.420000 --> 0:16:46.300000 to choose and notice that this is in minutes, not in seconds. 0:16:46.300000 --> 0:16:47.920000 So this command is in minutes. 0:16:47.920000 --> 0:16:52.500000 And then you get to choose, okay, what type of secure MAC addresses do 0:16:52.500000 --> 0:16:54.560000 you want this timer to apply to? 0:16:54.560000 --> 0:16:57.500000 And notice this is on the interface level, this is not a global command 0:16:57.500000 --> 0:17:00.400000 here, this is an interface by interface command. 0:17:00.400000 --> 0:17:06.160000 We can choose to apply this to as an absolute timer or an inactivity timer. 0:17:06.160000 --> 0:17:11.160000 So an absolute timer would mean, hey, even if that MAC address has been 0:17:11.160000 --> 0:17:16.600000 active, let's say we put port security aging time to 10 minutes, okay? 0:17:16.600000 --> 0:17:19.800000 And let's say over the course of the next 10 minutes, that MAC address 0:17:19.800000 --> 0:17:23.620000 has been seen. He has been active, he's been actively on the network. 
0:17:23.620000 --> 0:17:27.860000 Well, if we put this as an absolute timer, after 10 minutes, port security 0:17:27.860000 --> 0:17:32.260000 will release that MAC address, and now if that MAC address happens to 0:17:32.260000 --> 0:17:36.720000 be the very next MAC address we see on that port, we will relearn it as 0:17:36.720000 --> 0:17:38.340000 a secure MAC address. 0:17:38.340000 --> 0:17:42.880000 Or alternatively, we could set the aging type to inactivity, and that 0:17:42.880000 --> 0:17:47.200000 now turns that secure MAC address into sort of like a dynamic MAC address, 0:17:47.200000 --> 0:17:52.280000 where, hey, only if he's inactive for 10 minutes as an example, then port 0:17:52.280000 --> 0:17:55.140000 security can release that MAC address. 0:17:55.140000 --> 0:18:00.340000 All right, so let's talk about port security violations. 0:18:00.340000 --> 0:18:03.360000 So what is the default violation, you know, regardless of whether we've 0:18:03.360000 --> 0:18:09.500000 configured a maximum quantity of MAC addresses or a MAC address in advance, 0:18:09.500000 --> 0:18:12.460000 what happens if a violation occurs? 0:18:12.460000 --> 0:18:16.940000 Well, by default, the port will go into the air-disabled state. 0:18:16.940000 --> 0:18:22.340000 Now, the actual violation mode is called shutdown, but just be aware here, 0:18:22.340000 --> 0:18:25.980000 it's not going to administratively disable the port. 0:18:25.980000 --> 0:18:29.200000 Okay, so if a violation happens, it's not like you're going in there typing 0:18:29.200000 --> 0:18:31.120000 the shutdown command on the interface. 0:18:31.120000 --> 0:18:32.240000 It doesn't do that. 
0:18:32.240000 --> 0:18:35.600000 But it will put the port into what's called the air-disabled state, which 0:18:35.600000 --> 0:18:39.560000 for all intents and purposes is like shutting down the port, because once 0:18:39.560000 --> 0:18:43.780000 the switch port goes into that state, nothing is allowed in or out of 0:18:43.780000 --> 0:18:48.500000 that port. Normally, by default, you'd have to fix the root cause of the 0:18:48.500000 --> 0:18:52.600000 problem, why it went into air-disabled, and then you'd have to go onto 0:18:52.600000 --> 0:18:56.700000 the interface and simply do a shutdown and no shutdown command to bring 0:18:56.700000 --> 0:19:00.900000 it back up. And by the way, if you're not familiar with that term of air 0:19:00.900000 --> 0:19:06.380000 -disabled, there's about 15 or 20 different features, which if they detect 0:19:06.380000 --> 0:19:10.040000 a problem or they detect an error, can end up putting a port into the 0:19:10.040000 --> 0:19:11.220000 air-disabled state. 0:19:11.220000 --> 0:19:14.860000 Port security is just one of those features. 0:19:14.860000 --> 0:19:17.880000 Now, alternatively, you might say, well, that's a little too aggressive. 0:19:17.880000 --> 0:19:22.660000 For example, let me paint that picture once again of a training room. 0:19:22.660000 --> 0:19:26.380000 Okay, you're the instructor in training room A. 0:19:26.380000 --> 0:19:31.060000 That training room has a maximum of 10 people that are allowed, so you 0:19:31.060000 --> 0:19:32.580000 and nine other students. 0:19:32.580000 --> 0:19:35.880000 So we set up an advance, and let's say once again, okay, let's just draw 0:19:35.880000 --> 0:19:39.700000 this here. So here's the training room right here. 0:19:39.700000 --> 0:19:43.280000 Okay, here's you instructing, oh, you're so excited. 
0:19:43.280000 --> 0:19:49.020000 And there's a hub right here, which is connected onto the wall jack, and 0:19:49.020000 --> 0:19:50.920000 this connects back to our switch. 0:19:50.920000 --> 0:19:53.000000 Okay, there we go. 0:19:53.000000 --> 0:19:56.320000 And you can have one, two, three, four, five, six, seven, eight, nine. 0:19:56.320000 --> 0:19:59.060000 You can have up to nine people connected to that hub. 0:19:59.060000 --> 0:20:01.240000 Those are your students, in addition to you. 0:20:01.240000 --> 0:20:04.660000 So we configure port security on the center face right here. 0:20:04.660000 --> 0:20:08.240000 Maybe your MAC address is AAAA. 0:20:08.240000 --> 0:20:13.460000 So we configure that as a secure MAC address, and they also put in a maximum 0:20:13.460000 --> 0:20:17.760000 of 10. All right, so you and nine other people. 0:20:17.760000 --> 0:20:22.460000 Great. But then come Monday morning before class begins, you're going 0:20:22.460000 --> 0:20:23.840000 to call from your boss. 0:20:23.840000 --> 0:20:28.560000 And your boss says, hey, the CEO's son is in town, and he's sort of been 0:20:28.560000 --> 0:20:32.280000 thinking about maybe pursuing his Cisco certification. 0:20:32.280000 --> 0:20:34.500000 He wants to sit in your class today. 0:20:34.500000 --> 0:20:37.860000 Okay, well, you're probably not going to tell the CEO, hey, that's against 0:20:37.860000 --> 0:20:38.640000 the fire marshal. 0:20:38.640000 --> 0:20:40.080000 You probably shouldn't do that. 0:20:40.080000 --> 0:20:41.580000 No, this is a CEO's son. 0:20:41.580000 --> 0:20:44.160000 If you value your job and you don't want to work at the burger shop down 0:20:44.160000 --> 0:20:46.880000 the road, you're probably going to let that guy in. 0:20:46.880000 --> 0:20:50.220000 So here comes the son, you know, wearing his million dollar suit, and 0:20:50.220000 --> 0:20:52.320000 he sits down right here. 0:20:52.320000 --> 0:20:55.100000 All right, and he connects to the hub. 
0:20:55.100000 --> 0:20:59.440000 Well, this would cause a port security violation because now his MAC address 0:20:59.440000 --> 0:21:01.980000 will be the 11th MAC address. 0:21:01.980000 --> 0:21:05.240000 And by default, that port will go air disabled. 0:21:05.240000 --> 0:21:08.640000 So guess what? You and everybody else in that room are going to pay the 0:21:08.640000 --> 0:21:12.720000 price because that guy caused a violation. 0:21:12.720000 --> 0:21:15.200000 Maybe you don't want that to happen. 0:21:15.200000 --> 0:21:18.100000 So what else can we do as a violation mode? 0:21:18.100000 --> 0:21:21.680000 Well, we have two other modes we can configure in this situation. 0:21:21.680000 --> 0:21:25.240000 Which are protect and restrict. 0:21:25.240000 --> 0:21:27.380000 Now, what do these things do? 0:21:27.380000 --> 0:21:32.020000 They're both similar in that if an Ethernet frame comes into the port 0:21:32.020000 --> 0:21:36.880000 security port. And the port says, oh, this is a violating frame. 0:21:36.880000 --> 0:21:39.740000 Both of them will just discard the frame. 0:21:39.740000 --> 0:21:41.000000 It won't shut down the port. 0:21:41.000000 --> 0:21:44.920000 It won't penalize all the other people on that port who are authorized 0:21:44.920000 --> 0:21:47.820000 and okay. It'll discard that frame. 0:21:47.820000 --> 0:21:52.040000 So in this particular case, the CEO's son will say, oh, hello, I can't 0:21:52.040000 --> 0:21:53.000000 get on the network here. 0:21:53.000000 --> 0:21:54.940000 What's the problem? 0:21:54.940000 --> 0:21:57.640000 And so in this case, you'll say, oh, okay, well, just listen to me for 0:21:57.640000 --> 0:22:00.940000 the next hour. And then during our next break, we'll research this. 0:22:00.940000 --> 0:22:04.920000 And then you can go into the switch and increase the maximum amount. 0:22:04.920000 --> 0:22:08.800000 So protect and restrict, just drop the offending frame. 
0:22:08.800000 --> 0:22:10.580000 So what's different between them? 0:22:10.580000 --> 0:22:13.980000 Well, what's different between them, and to explain what's different, 0:22:13.980000 --> 0:22:15.480000 I need to go forward. 0:22:15.480000 --> 0:22:19.020000 Well, I'm not going to go forward in this video presentation, but there's 0:22:19.020000 --> 0:22:21.220000 a command you can type. 0:22:21.220000 --> 0:22:23.500000 I'll show it on here. 0:22:23.500000 --> 0:22:28.580000 show port-security. 0:22:28.580000 --> 0:22:30.960000 Type in your interface number. 0:22:30.960000 --> 0:22:36.280000 So this is one of several commands you can use to monitor port security. 0:22:36.280000 --> 0:22:40.940000 And what I specifically want to draw your attention to is the violation 0:22:40.940000 --> 0:22:50.600000 count. Now, if we were using the default violation of shutdown right there, 0:22:50.600000 --> 0:22:54.760000 then that means every time a violation happens and the port goes shut 0:22:54.760000 --> 0:22:59.700000 down or err-disabled, this counter at the bottom would increase. 0:22:59.700000 --> 0:23:01.660000 We would have a record of that. 0:23:01.660000 --> 0:23:05.360000 Not only that, but every time it happened, a syslog message would print 0:23:05.360000 --> 0:23:06.220000 up on your screen. 0:23:06.220000 --> 0:23:10.040000 So if you were capturing your syslogs, you would see that on Monday at 0:23:10.040000 --> 0:23:13.580000 10:10 a.m., there was a violation on this port. 0:23:13.580000 --> 0:23:16.160000 And here is the MAC address that caused the violation. 0:23:16.160000 --> 0:23:18.000000 So that's the default behavior. 0:23:18.000000 --> 0:23:23.740000 Now, if we do protect, you lose that visibility. 0:23:23.740000 --> 0:23:29.000000 So protect will discard the offending frame, but that violation counter 0:23:29.000000 --> 0:23:30.800000 will not increment. 0:23:30.800000 --> 0:23:33.260000 And you won't get any syslog messages.
0:23:33.260000 --> 0:23:36.860000 So if you don't really care about keeping track of violations, if you 0:23:36.860000 --> 0:23:40.080000 just say, hey, I don't care how often or when they happen, all I care 0:23:40.080000 --> 0:23:43.740000 about is that the violating frame is thrown away and that's it, then protect 0:23:43.740000 --> 0:23:45.340000 will work great for you. 0:23:45.340000 --> 0:23:49.220000 If you want that visibility, if you want to see the syslog message, and 0:23:49.220000 --> 0:23:53.480000 if you want the violation counter to keep track of those violations, then 0:23:53.480000 --> 0:23:55.880000 you'll want to move to restrict. 0:23:55.880000 --> 0:24:00.040000 So once again, protect and restrict both have the same action. 0:24:00.040000 --> 0:24:03.820000 They just drop the violating frame, but they keep the port up for everybody 0:24:03.820000 --> 0:24:08.060000 else. The only difference is protect is completely silent about it. 0:24:08.060000 --> 0:24:10.360000 You have no visibility into what's happening. 0:24:10.360000 --> 0:24:14.740000 Whereas restrict still gives you your syslog messages, still keeps track 0:24:14.740000 --> 0:24:18.740000 of those violations in the counter. 0:24:18.740000 --> 0:24:22.420000 Now, there's one last feature here of port security I want to talk about 0:24:22.420000 --> 0:24:26.380000 in this video, which is called sticky MAC. 0:24:26.380000 --> 0:24:29.840000 Now, keep in mind that I said that the default behavior of port security 0:24:29.840000 --> 0:24:37.320000 is that, well, for example, let's say here's my switch right here. 0:24:37.320000 --> 0:24:43.140000 And these several interfaces are going up to people's cubes and offices. 0:24:43.140000 --> 0:24:46.720000 And I know that every single one of those interfaces is supposed to be 0:24:46.720000 --> 0:24:48.520000 connected to two devices.
0:24:48.520000 --> 0:24:55.080000 They're physically connected to an IP phone, and then hanging off the IP phone, 0:24:55.080000 --> 0:25:02.160000 when the person comes in, they connect their laptop. 0:25:02.160000 --> 0:25:07.960000 So what that means is that, let's say I configure on each one of 0:25:07.960000 --> 0:25:13.460000 these, switchport port-security maximum 2. 0:25:13.460000 --> 0:25:15.980000 I do that on all of these interfaces right here. 0:25:15.980000 --> 0:25:20.500000 switchport port-security, switchport port-security maximum 2. 0:25:20.500000 --> 0:25:25.280000 Okay, well, the moment the port comes up, the phone should be learned 0:25:25.280000 --> 0:25:28.540000 because the phone is going to power on, the phone is going to send something. 0:25:28.540000 --> 0:25:32.840000 And so whatever the phone's MAC address is, let's say it's AA, that'll 0:25:32.840000 --> 0:25:37.180000 be learned. And then once John or Sally or Sue comes sauntering into the 0:25:37.180000 --> 0:25:40.980000 office in the morning and plugs in their laptop, their MAC address will 0:25:40.980000 --> 0:25:42.260000 also be learned. 0:25:42.260000 --> 0:25:49.260000 Great, but what's to prevent somebody with evil intent? 0:25:49.260000 --> 0:25:53.900000 Let's say that John here is gone for the day, so he's out on vacation, 0:25:53.900000 --> 0:25:58.420000 and we've got Aaron the evil person. 0:25:58.420000 --> 0:26:01.780000 Alright, Aaron the evil malicious actor comes in. 0:26:01.780000 --> 0:26:03.060000 What does Aaron do? 0:26:03.060000 --> 0:26:06.520000 Aaron disconnects this cable right here from the phone. 0:26:06.520000 --> 0:26:10.540000 Well, that means that this interface on the switch is going to go down. 0:26:10.540000 --> 0:26:14.460000 What's the default behavior of port security when an interface goes down?
0:26:14.460000 --> 0:26:18.240000 Whatever MAC addresses were learned on it are released, they're 0:26:18.240000 --> 0:26:24.560000 wiped out. And now when Aaron plugs in his device, guess what? 0:26:24.560000 --> 0:26:28.220000 We now have two MAC addresses that are available, so Aaron's MAC address 0:26:28.220000 --> 0:26:31.020000 will be learned as an authorized MAC address. 0:26:31.020000 --> 0:26:37.220000 No problem. So we say, hmm, we don't want that. 0:26:37.220000 --> 0:26:42.600000 So is there something we could do to where when the interface first comes 0:26:42.600000 --> 0:26:47.760000 up and the phone starts speaking, it learns the phone's MAC address, but 0:26:47.760000 --> 0:26:51.960000 even better than that, what if it put that MAC address as part of the 0:26:51.960000 --> 0:26:56.440000 running config? What if it actually added this command right here? 0:26:56.440000 --> 0:26:57.520000 You see, we didn't type this in. 0:26:57.520000 --> 0:27:01.060000 We didn't know what the MAC addresses were of all the phones and all the 0:27:01.060000 --> 0:27:02.100000 laptops in advance. 0:27:02.100000 --> 0:27:03.060000 We didn't know that. 0:27:03.060000 --> 0:27:07.400000 If we had, we could have gone on to each port and manually typed in 0:27:07.400000 --> 0:27:11.060000 switchport port-security mac-address AA.AA, 0:27:11.060000 --> 0:27:13.920000 switchport port-security mac-address BB.BB. 0:27:13.920000 --> 0:27:15.920000 We could have done that, but we don't know that. 0:27:15.920000 --> 0:27:18.820000 We don't know the MAC addresses in advance.
0:27:18.820000 --> 0:27:22.160000 Wouldn't it be nice if there was a feature where as soon as the port comes 0:27:22.160000 --> 0:27:25.980000 up, it dynamically learns the MAC address just like port security normally 0:27:25.980000 --> 0:27:30.000000 does, but it then takes that MAC address and applies it to the running 0:27:30.000000 --> 0:27:35.160000 config as if we had statically configured that MAC address as a known 0:27:35.160000 --> 0:27:38.240000 authorized MAC address. 0:27:38.240000 --> 0:27:41.700000 Then, what we could do is, once those MAC addresses are in the running 0:27:41.700000 --> 0:27:45.640000 config, we can just save that running config to the startup config, and 0:27:45.640000 --> 0:27:50.660000 now, even if the port goes down, the next time it comes up, those two 0:27:50.660000 --> 0:27:54.480000 MAC addresses are the only authorized MAC addresses that will ever be 0:27:54.480000 --> 0:27:56.820000 allowed on that port. 0:27:56.820000 --> 0:27:59.800000 And that's what sticky MAC addresses are. 0:27:59.800000 --> 0:28:03.320000 It allows us to dynamically learn MAC addresses just like port security 0:28:03.320000 --> 0:28:05.460000 would normally do, but here's the difference. 0:28:05.460000 --> 0:28:11.180000 It puts those MAC addresses as part of the running configuration. 0:28:11.180000 --> 0:28:15.500000 And now, if we save our memory, they're always in there. 0:28:15.500000 --> 0:28:19.040000 So, a use case for this would be, I say, okay, I'm going to come in at 0:28:19.040000 --> 0:28:21.180000 five o'clock in the morning today. 0:28:21.180000 --> 0:28:24.780000 I'm going to apply port security across all my interfaces that are connecting 0:28:24.780000 --> 0:28:28.860000 to people's rooms, cubes, training rooms. 0:28:28.860000 --> 0:28:29.960000 I'm going to do that. 0:28:29.960000 --> 0:28:34.400000 I'm going to put in my maximum of two MAC addresses or whatever it is. 
0:28:34.400000 --> 0:28:37.520000 And then, I'm going to do this command right here on every single port. 0:28:37.520000 --> 0:28:44.160000 I'm going to type in switchport port-security mac-address sticky. 0:28:44.160000 --> 0:28:46.260000 Now, I'm going to bring up all my ports. 0:28:46.260000 --> 0:28:47.580000 I'm going to wait. 0:28:47.580000 --> 0:28:50.640000 Now, the moment I do a no shut on those ports, even though it's five o 0:28:50.640000 --> 0:28:53.400000 'clock in the morning, those IP phones are still there. 0:28:53.400000 --> 0:28:56.920000 So, those IP phones will register with the switch, and as a part of doing 0:28:56.920000 --> 0:29:00.700000 that, port security will learn their MAC addresses and apply their 0:29:00.700000 --> 0:29:03.820000 MAC addresses as part of the running config. 0:29:03.820000 --> 0:29:07.440000 So, if I just issue the show run command, now on every single port, right 0:29:07.440000 --> 0:29:08.800000 there, I'll see 0:29:08.800000 --> 0:29:11.900000 switchport port-security mac-address AA.AA. 0:29:11.900000 --> 0:29:13.960000 Oh, there's the IP phone of John's cube. 0:29:13.960000 --> 0:29:16.500000 Let's take a look at FastEthernet0/7. 0:29:16.500000 --> 0:29:19.340000 Oh, there's the MAC address of Sally's IP phone. 0:29:19.340000 --> 0:29:22.720000 And now, as John and Sally and my other employees start coming in in the 0:29:22.720000 --> 0:29:27.680000 morning, and the switch learns their individual MAC addresses, their MAC 0:29:27.680000 --> 0:29:31.300000 addresses will also be applied to the running configuration. 0:29:31.300000 --> 0:29:33.880000 So, at about nine thirty or ten o'clock in the morning, I can look at 0:29:33.880000 --> 0:29:36.460000 my configuration on every single port. 0:29:36.460000 --> 0:29:41.760000 I can see two MAC addresses as part of my config, the MAC address of the 0:29:41.760000 --> 0:29:43.780000 phone, the MAC address of the laptop.
0:29:43.780000 --> 0:29:49.080000 Now, I just simply do a write memory or a copy run start, and so now even 0:29:49.080000 --> 0:29:54.440000 if that switch reloads, those MAC addresses are now the only, those pairings 0:29:54.440000 --> 0:29:58.820000 of MAC addresses per port are the only MAC addresses that are now authorized 0:29:58.820000 --> 0:30:01.120000 on that interface. 0:30:01.120000 --> 0:30:07.660000 So, that concludes this theory section of port security and how it works. 0:30:07.660000 --> 0:30:08.380000 Thank you for watching.