1
00:00:01,120 --> 00:00:07,420
Previously we configured the port with a static MAC address. The disadvantage with that method is

2
00:00:07,420 --> 00:00:13,480
that you have to manually configure every MAC address that you want to add to your system.

3
00:00:13,600 --> 00:00:19,780
So if you had a 48 port switch and you wanted to permit two MAC addresses per port that's already 96

4
00:00:19,780 --> 00:00:21,910
MAC addresses that you need to configure.

5
00:00:21,970 --> 00:00:23,250
So that's a lot of work.

6
00:00:24,470 --> 00:00:30,200
On this port, gigabit 0/0, we simply enabled port security.

7
00:00:30,200 --> 00:00:35,120
But the problem with that method is when the switch reboots when the port goes down and then comes up

8
00:00:35,120 --> 00:00:38,600
again a new MAC address can simply be learnt.

9
00:00:38,630 --> 00:00:46,400
So if we want to limit that port to specific MAC addresses and add those MAC addresses to the configuration

10
00:00:46,430 --> 00:00:51,320
automatically we can use the command switchport port-security

11
00:00:51,320 --> 00:01:01,330
mac-address and now rather than manually configuring the MAC address we can use the option sticky to

12
00:01:01,330 --> 00:01:05,320
configure a dynamic secure MAC address as sticky.

13
00:01:05,320 --> 00:01:11,080
Now to put that in plain English that essentially adds the MAC address to the running configuration

14
00:01:11,530 --> 00:01:12,790
of the switch.

15
00:01:12,850 --> 00:01:17,380
So when the MAC address is discovered we typed this command.

16
00:01:17,530 --> 00:01:27,940
But notice the command was automatically added to the configuration; that MAC address wasn't there previously.

17
00:01:28,060 --> 00:01:30,110
We only typed those two commands.

18
00:01:30,490 --> 00:01:36,780
But now when we added this command the MAC address was automatically added to the configuration.

19
00:01:36,790 --> 00:01:41,020
The advantage with that is that when we save the configuration

20
00:01:44,420 --> 00:01:51,250
so notice when we go to the startup config at the moment no MAC address has been added to the startup

21
00:01:51,250 --> 00:01:52,370
config.

22
00:01:53,020 --> 00:01:59,700
But as soon as we save the configuration and then look at the startup config that MAC address is added

23
00:02:00,930 --> 00:02:02,400
so show startup config

24
00:02:06,430 --> 00:02:08,170
MAC address has been added.

25
00:02:08,200 --> 00:02:14,200
So the advantage of that is once again if you have a 48 port switch and you want to add a MAC address

26
00:02:14,200 --> 00:02:18,500
per port you don't have to configure 48 MAC addresses statically.

27
00:02:18,700 --> 00:02:24,400
If you want to allow two MAC addresses per port you don't have to configure 96 MAC addresses.

28
00:02:24,520 --> 00:02:30,550
You can simply use the sticky option and allow the switch to learn the MAC addresses and then you save

29
00:02:30,550 --> 00:02:31,810
your config.

30
00:02:31,810 --> 00:02:38,200
Just remember you need to make sure that the MAC addresses learnt initially are the correct MAC addresses.

31
00:02:38,230 --> 00:02:44,500
The idea is that you initially control which devices access the network and hence which MAC addresses

32
00:02:44,500 --> 00:02:45,430
are linked.

33
00:02:45,880 --> 00:02:51,580
So the advantage of sticky once again is that you don't have to manually type all the MAC addresses

34
00:02:51,580 --> 00:02:58,780
in. When a violation occurs, at the moment we've configured the ports to shut down.

35
00:02:58,840 --> 00:03:07,590
So show port-security shows us that the security action when there's a violation is to shut the port

36
00:03:07,590 --> 00:03:08,190
down.

37
00:03:08,550 --> 00:03:18,470
So as an example if we change the MAC address of the first router to some other value, let's say,

38
00:03:21,160 --> 00:03:28,690
an error disable message is displayed and the port is put into a disabled state and that was caused

39
00:03:28,690 --> 00:03:33,550
by the MAC address being learnt on the port.

40
00:03:33,570 --> 00:03:37,560
So now show interface status shows us

41
00:03:41,680 --> 00:03:44,410
that the port is error disabled.

42
00:03:44,410 --> 00:03:51,370
The problem here is that you would have to manually re-enable that port which causes a large administrative

43
00:03:51,370 --> 00:03:52,850
overhead.

44
00:03:52,960 --> 00:03:57,830
So rather than doing that you can go into global configuration mode on the switch and use the errdisable

45
00:03:57,850 --> 00:04:05,640
disable recovery command to specify a cause and a recovery value.

46
00:04:06,010 --> 00:04:12,620
So there are multiple causes here but the one that we're looking for is this one port security violation.

47
00:04:13,850 --> 00:04:22,430
And then we could say errdisable recovery interval and specify an interval for recovery.

48
00:04:22,430 --> 00:04:34,660
So I'll go into gigabit 0/0, shut the port down and then no shut it. I'll send some traffic from this router

49
00:04:35,720 --> 00:04:42,830
on port one to the other router and what we should see is that an error disable message takes place.

50
00:04:43,350 --> 00:04:45,390
When a security violation occurs

51
00:04:48,120 --> 00:04:49,900
let's confirm our config at

52
00:04:54,270 --> 00:04:55,220
the moment.

53
00:04:56,840 --> 00:05:02,870
Traffic is failing and now we get a disable violation taking place.

54
00:05:02,870 --> 00:05:04,120
So the port has gone down.

55
00:05:05,470 --> 00:05:13,810
But what I'll do now is configure the MAC address to what it should be and then I'll do a continuous

56
00:05:13,810 --> 00:05:17,580
ping and hopefully after a while

57
00:05:20,890 --> 00:05:23,220
that should start succeeding.

58
00:05:23,290 --> 00:05:27,790
So notice the port has not come up again after 30 seconds.

59
00:05:27,790 --> 00:05:29,110
Pings are still failing.

60
00:05:30,900 --> 00:05:34,540
We have to wait for spanning tree and all protocols to converge.

61
00:05:34,540 --> 00:05:40,750
And again I'm impatient so I'll speed up the video so that you don't have to wait for the entire process

62
00:05:40,750 --> 00:05:44,950
to take place.

63
00:05:45,180 --> 00:05:46,530
But there you go.

64
00:05:46,530 --> 00:05:51,510
Notice the pings started succeeding so scrolling up.

65
00:05:51,590 --> 00:05:58,510
We had an error disable message because there was a port security violation caused by this MAC address.

66
00:05:58,700 --> 00:06:00,120
Port went down.

67
00:06:00,290 --> 00:06:06,350
But then there was an error recovery where the switch attempted to recover from the port security violation

68
00:06:06,950 --> 00:06:11,630
error disable on gigabit 0/0 and the port came up.

69
00:06:11,630 --> 00:06:13,600
So it succeeded.

70
00:06:14,210 --> 00:06:20,950
But if I change the MAC address again

71
00:06:25,710 --> 00:06:27,830
error port violation

72
00:06:31,870 --> 00:06:33,130
set it back to what it should be.

73
00:06:33,130 --> 00:06:40,660
While we're waiting for it to recover show port security at the moment a security violation has occurred

74
00:06:40,810 --> 00:06:42,270
on gigabit 0/0

75
00:06:45,490 --> 00:06:51,110
we can see the last MAC address learnt because of the security violation.

76
00:06:51,190 --> 00:06:57,580
The port is shut down at the moment but now the port was shut down.

77
00:06:57,670 --> 00:07:02,290
When I showed the output but now it's recovering.

78
00:07:02,320 --> 00:07:07,270
So if I do the command again we can see, as an example, that the port has gone up.

79
00:07:07,270 --> 00:07:10,580
So do the command again we can see the port has come up again.

80
00:07:11,620 --> 00:07:17,320
There's no security violation on this port.

81
00:07:17,360 --> 00:07:22,080
So that's a nice way to recover from a shutdown through port security.

82
00:07:23,300 --> 00:07:33,080
We used sticky in this example to configure MAC addresses and we can do an automatic recovery by using the

83
00:07:33,290 --> 00:07:40,190
errdisable global configuration command saying recovery cause port security violation and it's going to

84
00:07:40,190 --> 00:07:43,190
take 30 seconds before it tries to recover.

85
00:07:43,190 --> 00:07:49,880
You could obviously set that to a larger number but as an example if a user by mistake connected the

86
00:07:49,880 --> 00:07:56,430
wrong device to the port the traffic would be blocked and a log message would be generated.

87
00:07:56,460 --> 00:08:01,500
But if they then connected the right device to the port you wouldn't have to telnet to the switch as

88
00:08:01,550 --> 00:08:06,110
an example and re-enable the port; it would automatically be enabled.
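
The configuration walked through in the video, written out as an added example rather than the video's own console output. The interface name GigabitEthernet0/0, the two-address maximum and the 30-second timer follow the transcript; the two learnt MAC values are constructed placeholders standing in for what the switch writes into running-config by itself.

```cisco
! Added example, not the video's console output.
! Interface name follows the transcript; MAC values are constructed placeholders.

! --- Global: let the switch recover an err-disabled port on its own ---
errdisable recovery cause psecure-violation
! Recovery timer in seconds; the video uses 30 (the IOS default is 300)
errdisable recovery interval 30

! --- Access port with sticky port security ---
interface GigabitEthernet0/0
 ! Port security needs a static access (or trunk) port, not a DTP-negotiated one
 switchport mode access
 switchport port-security
 ! Two secure addresses per port, as in the 48-port / 96-address example
 switchport port-security maximum 2
 ! Violation action shown in the video: err-disable the port
 switchport port-security violation shutdown
 ! Learn addresses dynamically but record them in the running-config
 switchport port-security mac-address sticky
 ! The switch itself appends lines like the two below once it sees a frame;
 ! these values are constructed for illustration only
 switchport port-security mac-address sticky 0000.0c11.1111
 switchport port-security mac-address sticky 0000.0c22.2222
!
! Sticky entries exist only in running-config until saved:
! copy running-config startup-config
!
! Verification commands used in the video:
! show port-security
! show port-security interface GigabitEthernet0/0
! show interfaces status err-disabled
! show errdisable recovery
```

If the wrong device stays connected, the 30-second timer simply re-err-disables the port every cycle, so the recovery interval helps the accidental mis-plug the video describes rather than a persistent offender.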
