1
00:00:00,830 --> 00:00:08,060
So let's configure and test port security in this example I've got to Jinnah's three running Iowas relate

2
00:00:08,060 --> 00:00:13,840
to that SAO switch in the topology and then I'll go to Cisco Iowas router.

3
00:00:14,000 --> 00:00:22,070
It's a 37 25 router image which I'm using as the PCs in the topology so Router one will actis PC one

4
00:00:22,430 --> 00:00:29,960
and router two will act as PC two will configure MAC addresses on the routers and then change them to

5
00:00:29,960 --> 00:00:32,970
prove that port security works.

6
00:00:33,160 --> 00:00:40,310
MAC addresses with vendor code 0 0 to 3:33 belong to Cisco Systems.

7
00:00:40,540 --> 00:00:47,760
So we'll use this MAC address range so that we can see the output and why shock and Krait easy to read

8
00:00:47,770 --> 00:00:50,350
MAC addresses in the lab.

9
00:00:50,920 --> 00:00:53,890
The Rawdon's switch have booted up with no configuration

10
00:00:57,300 --> 00:01:00,330
selfmade no configuration changes on these devices.

11
00:01:01,440 --> 00:01:09,250
Let's start off by naming this device which one rod of one has already configured and says router to

12
00:01:09,580 --> 00:01:16,360
based on the default configuration in G and has three but the switch has no configuration.

13
00:01:16,360 --> 00:01:23,230
So at the moment if we top show port security you'll notice that there's no output.

14
00:01:23,310 --> 00:01:29,560
Because port security is not currently enabled shows a MAC Address table.

15
00:01:31,280 --> 00:01:34,210
Shows that no MAC addresses have been learnt.

16
00:01:34,730 --> 00:01:50,640
Rather one let's configure first Ethan it is 0 0 with MAC address 0 0 T-3 3 3 0 0 TRIPLE 0 0 1 and 0

17
00:01:50,640 --> 00:02:02,180
no shut that port will do something similar on route to which just make this two rather than 1 and No

18
00:02:02,180 --> 00:02:10,610
shut to the port show MAC Address table shows us that the switch has learnt both these MAC addresses.

19
00:02:10,770 --> 00:02:17,010
So Rotto one is available on gigabit 00 router 2 is available on gigabit.

20
00:02:17,010 --> 00:02:20,880
0 1 both addresses were linked dynamically.

21
00:02:20,880 --> 00:02:23,970
In other words we didn't statically configured these MAC addresses.

22
00:02:24,090 --> 00:02:27,260
They have been dynamically learnt by the switch.

23
00:02:28,820 --> 00:02:33,180
So port security still shows us that port security hasn't been enabled.

24
00:02:33,180 --> 00:02:38,230
We have no output so going on to Gigabit is 00.

25
00:02:38,280 --> 00:02:41,810
Let's try and enable port security.

26
00:02:41,850 --> 00:02:43,430
Notice the command is rejected.

27
00:02:43,500 --> 00:02:49,050
And that's because we're running dynamic trunking protocol or DTP on this port.

28
00:02:49,080 --> 00:02:55,550
We haven't statically configured this port as an access port or as a trunk port.

29
00:02:55,690 --> 00:03:03,710
So let's top switch port mode access and will enable port security again.

30
00:03:04,120 --> 00:03:15,730
The command is now accepted so show port security shows us that the port is gigabit to 0 0 the maximum

31
00:03:15,730 --> 00:03:24,280
secure addresses allowed on the port is one by default only a maximum of one MAC addresses allowed on

32
00:03:24,280 --> 00:03:26,960
a port security port.

33
00:03:27,010 --> 00:03:31,420
How many MAC addresses have currently been learnt on his one.

34
00:03:31,490 --> 00:03:35,020
How many security violations have occurred.

35
00:03:35,090 --> 00:03:36,130
Zero.

36
00:03:36,770 --> 00:03:41,830
And what security action will be taken if there's a violation.

37
00:03:42,080 --> 00:03:43,970
The port will be shut down.

38
00:03:44,030 --> 00:03:45,680
In other words it will be disabled.

39
00:03:45,680 --> 00:03:50,800
We'll look at some of the other options in a moment but let's see what happens.

40
00:03:52,660 --> 00:03:54,520
Show port security.

41
00:03:54,520 --> 00:03:55,600
Let's look at some options.

42
00:03:55,600 --> 00:03:56,140
Address

43
00:03:59,110 --> 00:04:06,470
so he has the secure MAC Address table on villaine one this MAC address has been lent.

44
00:04:06,650 --> 00:04:08,910
The type is secure dynamic.

45
00:04:09,080 --> 00:04:12,570
We dynamically learnt about the address.

46
00:04:12,780 --> 00:04:22,230
The port is is 0 0 the remaining age is a hyphen you can determine how long a MAC address that is learnt

47
00:04:22,670 --> 00:04:26,420
is remembered before it's aged out on a port.

48
00:04:26,490 --> 00:04:32,370
Now notice this example is not restricting this port to specific MAC addresses.

49
00:04:32,400 --> 00:04:35,880
It's limiting the port to one MAC address.

50
00:04:36,030 --> 00:04:38,230
We didn't statically configure the port.

51
00:04:38,510 --> 00:04:45,680
So show run interface gigabit 00 shows us that we enabled port security and that's all we did.

52
00:04:45,750 --> 00:04:51,660
We didn't statically configure a MAC address but if we change the MAC address on the port to let's say

53
00:04:51,900 --> 00:04:58,170
three let's see what happens soon as the port came up.

54
00:04:58,230 --> 00:05:05,290
We get an error disable message port security violation error detected on gigabit is 0 0 0.

55
00:05:05,340 --> 00:05:12,630
The port is now being put into a disabled state the security violation occurred caused by this MAC address

56
00:05:13,350 --> 00:05:21,400
notice ending in three on port gigabit 0 00 the line protocol has gone down.

57
00:05:21,440 --> 00:05:23,070
So show interface.

58
00:05:23,210 --> 00:05:24,710
Gigabit 0 0

59
00:05:28,560 --> 00:05:32,370
there's the chemo and shows us that the port is down down.

60
00:05:32,520 --> 00:05:37,650
And the reason for that is irreducible disable the port was a disabled port has gone down

61
00:05:40,670 --> 00:05:49,280
this router and let's give it an IP address will not be able to send traffic to this device.

62
00:05:51,420 --> 00:05:58,540
Sarada to acting as PTT because the port is down.

63
00:05:59,970 --> 00:06:02,370
Show port security.

64
00:06:05,370 --> 00:06:08,280
Please note this is not the status of the port.

65
00:06:08,340 --> 00:06:11,740
This is the action that's taken when there's a violation.

66
00:06:11,780 --> 00:06:18,660
So port security interface gigabit to 0 0 shows us that port security is enabled in the port.

67
00:06:18,710 --> 00:06:20,910
The status is secure.

68
00:06:20,910 --> 00:06:24,630
Shut down the violation mode is shut down.

69
00:06:24,660 --> 00:06:27,410
This is the last MAC address that was seen on the port.

70
00:06:27,630 --> 00:06:33,750
Only one MAC addresses allowed the violation count is one.

71
00:06:33,860 --> 00:06:40,040
And that's because the MAC address that's allowed in that port which is not shown here because the port

72
00:06:40,040 --> 00:06:40,760
has gone down.

73
00:06:40,760 --> 00:06:48,030
I'll just scroll up to show you the output was the MAC address and we've changed the MAC address so

74
00:06:48,960 --> 00:06:53,410
ending in triple 0 1 is the MAC address that's permitted.

75
00:06:53,800 --> 00:07:01,170
But this is the last MAC address that was seen that caused a violation.

76
00:07:01,210 --> 00:07:05,460
So let's change the MAC address back to one.

77
00:07:05,640 --> 00:07:11,750
And on the side you go on to the port and shut it down.

78
00:07:13,240 --> 00:07:22,400
And then wait for that to go down and then no shut it show port.

79
00:07:22,470 --> 00:07:30,840
You can see that show port security before Precentor notice the porters come up supporters come up schematic

80
00:07:30,920 --> 00:07:35,020
MAC addresses one at the moment it hasn't to to MAC address.

81
00:07:35,070 --> 00:07:38,060
Let's do a ping to Rhonda

82
00:07:42,890 --> 00:07:49,780
as you can see now it's now learnt a MAC address.

83
00:07:49,820 --> 00:07:51,310
So now the pings succeed.

84
00:07:52,370 --> 00:07:52,560
Sure.

85
00:07:52,620 --> 00:07:57,640
Port security shows us that the max MAC address a lot is one current addresses one.

86
00:07:57,740 --> 00:07:59,090
So one has been learnt.

87
00:07:59,420 --> 00:08:05,190
Let's look at the interface again again of its 0 0 at the moment there is no violation.

88
00:08:05,300 --> 00:08:07,880
The port status is secure up

89
00:08:10,740 --> 00:08:13,500
the violation mode is to shut the port down.

90
00:08:13,620 --> 00:08:16,920
But currently the port is up scrolling back up

91
00:08:20,970 --> 00:08:26,950
previously noticed it was secure shut down based on the violation mode of shutdown.

92
00:08:27,060 --> 00:08:33,010
But now it's secure up because the correct MAC address is being learnt which is the MAC address.

93
00:08:33,030 --> 00:08:39,220
So notice here the first MAC address that was received was added to the list of permitted MAC addresses.

94
00:08:39,270 --> 00:08:41,100
It was dynamically learnt.

95
00:08:41,490 --> 00:08:45,130
So you would have to ensure that the right MAC address is received on the port.

96
00:08:45,510 --> 00:08:48,220
If you reboot the switch that information is lost.

97
00:08:48,450 --> 00:08:52,500
So the first host that's connected to that port will be permitted.

98
00:08:52,650 --> 00:08:54,670
And that may not be what you want.

99
00:08:54,690 --> 00:09:01,080
You may want to explicitly permit only certain MAC addresses associated with certain machines.

100
00:09:01,200 --> 00:09:02,440
So let's have a look at that.