1 00:00:00,930 --> 00:00:08,920 In the previous video we configure port security on gigabit 00 by making the port an access port and 2 00:00:08,920 --> 00:00:11,370 then enabling port security. 3 00:00:11,680 --> 00:00:14,890 MAC address is dynamically learnt. 4 00:00:14,990 --> 00:00:25,000 So this MAC address was dynamically learnt on port to Gigabit 00 and hence Shope port security shows 5 00:00:25,000 --> 00:00:28,000 us that the address permitted on that port. 6 00:00:28,150 --> 00:00:29,860 Is this MAC address. 7 00:00:29,860 --> 00:00:35,110 It was done I meekly learnt and has been added to the database of permitted MAC addresses on the port 8 00:00:35,680 --> 00:00:37,860 only one MAC address is allowed 9 00:00:41,000 --> 00:00:43,650 on gigabit 00. 10 00:00:43,750 --> 00:00:50,930 So Max schem accuracy's is one if a violation does take place the security action is to shut the port 11 00:00:50,930 --> 00:00:51,550 down. 12 00:00:52,680 --> 00:00:58,440 Now let's configure MAC addresses statically So let's configure port security on gigabit. 13 00:00:58,480 --> 00:01:02,920 0 1 but do it manually. 14 00:01:03,150 --> 00:01:08,460 So I'm going to use the commotions switch Port. 15 00:01:08,460 --> 00:01:11,560 Port security specify a maximum. 16 00:01:11,760 --> 00:01:13,840 The default is 1. 17 00:01:13,970 --> 00:01:15,390 So I'll say one here. 18 00:01:15,750 --> 00:01:23,960 And what you'll notice is the output is not shown because that is a default command on the interface. 19 00:01:24,030 --> 00:01:34,640 But what we'll do now is type switch port Port Security MAC address and what I'll do is explicitly specify 20 00:01:34,640 --> 00:01:36,460 the MAC address that's allowed. 21 00:01:36,620 --> 00:01:43,230 And just to prove the point or specify a different MAC address of let's say three. 22 00:01:43,390 --> 00:01:55,090 Now at the moment the MAC address on this router acting as our PC is thus. 23 00:01:55,170 --> 00:02:02,550 So it's a different MAC address the PC can still ping rather one because we haven't explicitly enabled 24 00:02:02,550 --> 00:02:08,440 port security yet so we've configured what the MAC address is. 25 00:02:08,700 --> 00:02:11,970 We've configured the maximum MAC addresses allowed. 26 00:02:12,410 --> 00:02:16,890 I'll specify the action to take if there's a violation 27 00:02:19,390 --> 00:02:26,620 notice we have protect restrict and shut down the default as we've seen is shut down now protect drops 28 00:02:26,650 --> 00:02:32,680 packets with unknown source MAC addresses until you remove a sufficient number of secure MAC addresses 29 00:02:32,680 --> 00:02:35,130 to drop below the maximum value. 30 00:02:35,140 --> 00:02:38,930 In other words we are dropping packets from unknown source MAC addresses. 31 00:02:39,160 --> 00:02:43,630 But there's no logging at the moment only allowing one MAC address. 32 00:02:43,630 --> 00:02:49,840 But as an example if you had specified a maximum MAC address of three and a fourth a device try to send 33 00:02:49,840 --> 00:02:56,530 traffic that to devices traffic would be dropped restrict drops packets with unknown source MAC addresses 34 00:02:56,830 --> 00:03:02,960 until you remove a sufficient number of secure MAC addresses to drop below the maximum value. 35 00:03:02,980 --> 00:03:05,410 So that's very much the same as protect. 36 00:03:05,410 --> 00:03:10,610 But in addition it causes the security violation counted to increment. 37 00:03:10,900 --> 00:03:17,470 In other words there's going to be the generation of log messages and counter's will increment shutdown 38 00:03:17,520 --> 00:03:20,260 is the default which we've already seen. 39 00:03:20,260 --> 00:03:28,600 And that puts the port into a disable mode and Saens and SMP trap notification if SMP is configured. 40 00:03:29,050 --> 00:03:37,110 So I'll continue to use shutdown so that we can see the output configuration looks as follows. 41 00:03:37,180 --> 00:03:41,630 Remember the MAC address of this device is a different MAC address. 42 00:03:41,650 --> 00:03:42,730 It's thus. 43 00:03:42,940 --> 00:03:50,650 But we are only permitting this MAC address but because we haven't globally enabled port security port 44 00:03:50,650 --> 00:03:52,430 security is not active. 45 00:03:52,690 --> 00:03:57,580 So we can use the commode to show port security at the moment. 46 00:03:57,580 --> 00:04:03,380 Port security is enabled on gigabit 00 but not on gigabit 0 1. 47 00:04:03,390 --> 00:04:11,510 We can also use the command do show interface status at the moment both gigabit 0 0 and 0 1. 48 00:04:11,520 --> 00:04:16,080 Our connected support hasn't been shut down because of port security. 49 00:04:17,050 --> 00:04:22,740 But now when we type which port Port Security we are actually enabling port security. 50 00:04:23,050 --> 00:04:33,300 And once again we need to have this configured as an access port Conti's TTP to do show run interface 51 00:04:33,310 --> 00:04:35,050 gigabit 0 1. 52 00:04:35,740 --> 00:04:41,990 And while I was doing that notice we received a port security violation message. 53 00:04:42,100 --> 00:04:50,190 We were told that there was an issue with this mac address ending in two on gigabit. 54 00:04:50,210 --> 00:04:57,050 0 1 we have only permitted the MAC address ending in three maximum MAC addresses that would be permitted. 55 00:04:57,080 --> 00:05:01,720 One only one MAC addresses permitted in this case. 56 00:05:01,730 --> 00:05:08,720 When we look at the Comeau and do show interface status we can see that the port was disabled. 57 00:05:08,980 --> 00:05:13,870 So show interface status is a command that shows us the status of the ports we can see this is connected 58 00:05:14,710 --> 00:05:22,210 but this port has a disabled so show port security once again shows us once again that gigabit is 0 59 00:05:22,210 --> 00:05:27,110 0 and 0 1 have a security action of shutdown. 60 00:05:27,420 --> 00:05:34,380 But the only port that's currently shut down is port 0 1. 61 00:05:34,560 --> 00:05:38,600 So show interface status shows us that this port is still connected. 62 00:05:38,650 --> 00:05:45,990 The supporters area disabled and now this host can ping right of one because the port porters are disabled 63 00:05:48,790 --> 00:05:54,080 show port security interface gigabit to 0 1. 64 00:05:54,310 --> 00:05:57,890 We can see that port security is enabled on this port. 65 00:05:57,910 --> 00:06:02,620 It's currently shut down because of the mode being shut down. 66 00:06:02,650 --> 00:06:08,770 This is the last MAC address that violated the security policy on that interface. 67 00:06:09,790 --> 00:06:24,560 So on brought it to if we change the MAC address to the the MAC address expected by the switch it still 68 00:06:24,560 --> 00:06:28,660 won't be able to ping because of the violation that took place. 69 00:06:29,620 --> 00:06:38,590 So we need to go into the port and shut it down and then no shut it. 70 00:06:38,750 --> 00:06:44,480 And once that's done and the switch learns the correct MAC address 71 00:06:48,510 --> 00:06:52,530 the device should be able to ping. 72 00:06:52,560 --> 00:06:54,540 So at the moment the MAC address hasn't been learnt 73 00:06:57,380 --> 00:06:59,360 just waiting for the interface to come up. 74 00:07:01,370 --> 00:07:03,240 So show interface status. 75 00:07:03,250 --> 00:07:09,420 Let's see what's going on interfaces connected. 76 00:07:09,640 --> 00:07:11,890 And now the ping succeeds. 77 00:07:12,040 --> 00:07:17,620 I was just too impatient and I needed to wait for spending tree and other protocols to sort themselves 78 00:07:17,620 --> 00:07:23,820 out but show port security interface gigabit 0 1. 79 00:07:24,040 --> 00:07:31,070 We can see port security is enabled violation mode shut down at the moment the port status is secure 80 00:07:31,070 --> 00:07:36,200 and the interfaces up last MAC address that was seen was this on that port. 81 00:07:36,200 --> 00:07:38,550 No security violations occurred. 82 00:07:38,810 --> 00:07:43,540 Maximum MAC address is once again allowed as one total MAC address is seen as one. 83 00:07:43,550 --> 00:07:51,410 One MAC address is being configured because we manually configured the MAC address on the switch. 84 00:07:51,420 --> 00:07:59,680 So if I save this configuration and the switch reboot the MAC address is stored in the saved configuration. 85 00:08:00,460 --> 00:08:06,600 So that's different to what we have on gigabit 00 here. 86 00:08:06,610 --> 00:08:12,190 When the switch reboots it would simply learn the source MAC address from a frame received. 87 00:08:12,220 --> 00:08:18,630 So the first device that connects will have its MAC address added to the database to show port security 88 00:08:21,400 --> 00:08:24,730 address as an example shows us the two addresses. 89 00:08:24,750 --> 00:08:27,430 This one was statically configured. 90 00:08:27,600 --> 00:08:30,240 This one was dynamically learnt. 91 00:08:30,240 --> 00:08:33,240 So the MAC address on the interface was configured. 92 00:08:33,330 --> 00:08:35,070 This was done chemically learnt. 93 00:08:35,070 --> 00:08:42,390 Now the example on the right is where you explicitly allowing a specific MAC address onto the network. 94 00:08:42,390 --> 00:08:48,120 The example on the left is where you are restricting the number of MAC addresses permitted on a port 95 00:08:48,990 --> 00:08:49,650 on the left. 96 00:08:49,650 --> 00:08:56,730 You would stop a user connecting a hub as an example to the network and connecting multiple devices 97 00:08:56,730 --> 00:09:05,140 to the port whereas the example on the right is where we are limiting traffic to a specific MAC address. 98 00:09:05,160 --> 00:09:12,780 The problem with this method is we are having to work out what the MAC addresses of the devices are 99 00:09:13,260 --> 00:09:16,860 and then manually configuring those MAC addresses. 100 00:09:16,890 --> 00:09:18,660 So let's look at another way of doing it.