1
00:00:03,198 --> 00:00:06,759
This is a free, complete course for the CCNA.
2
00:00:06,759 --> 00:00:10,580
If you like these videos, please subscribe
3
00:00:10,580 --> 00:00:15,339
Also, please like and leave a comment, and
4
00:00:18,379 --> 00:30:21,606
In this video we will talk about port security.
5
00:00:21,730 --> 00:00:26,519
Port security is a security feature on Cisco
6
00:00:26,519 --> 00:00:31,250
MAC addresses are allowed on a switch port,
7
00:00:32,909 --> 00:00:38,589
It’s covered in exam topic 5.7, which says
8
00:00:38,590 --> 00:00:44,630
features, including DHCP snooping, ARP inspection,
9
00:00:44,630 --> 00:00:50,400
Those other two, DHCP snooping and ARP inspection,
10
00:00:50,399 --> 00:00:53,759
But for this video, we’ll focus on port security.
11
00:00:53,759 --> 00:00:56,570
Here’s what we’ll cover in this video.
12
00:00:56,570 --> 00:01:00,549
First, I’ll introduce what port security is.
13
00:01:00,549 --> 00:01:02,729
But knowing what it is isn’t enough.
14
00:01:02,729 --> 00:01:08,420
I’ll also explain why we use port security,
15
00:01:08,420 --> 00:01:12,579
And I’ll show you various port security
16
00:01:12,579 --> 00:01:17,259
As always, watch until the end of the video
17
00:01:17,260 --> 00:01:24,020
ExSim for CCNA, my recommended practice exams for the CCNA.
18
00:01:24,019 --> 00:01:25,890
First up, what is port security?
19
00:01:25,890 --> 00:01:30,260
Well, it’s a security feature of Cisco switches.
20
00:01:30,260 --> 00:01:34,799
It allows you to control which source MAC
21
00:01:35,799 --> 00:01:40,049
So, it’s configured on a per-interface basis.
22
00:01:40,049 --> 00:01:45,490
By the way, throughout this video I’ll probably
23
00:01:47,090 --> 00:01:52,350
So, if a frame with an unauthorized source
24
00:01:54,069 --> 00:01:58,250
There are a few possible actions that you
25
00:01:58,250 --> 00:02:00,989
place the interface in an err-disabled state.
26
00:02:00,989 --> 00:02:04,989
In effect, this is like shutting down the interface.
27
00:02:04,989 --> 00:02:09,039
Traffic will no longer be sent or received by that interface.
28
00:02:10,179 --> 00:02:14,500
PC1 is connected to SW1’s G0/1 interface.
29
00:02:18,079 --> 00:02:22,421
As you know, MAC addresses are actually 12
30
00:02:22,420 --> 00:02:25,408
them here to make it easier to read.
31
00:02:25,408 --> 00:02:31,700
The user of PC1 brought in his personal laptop
32
00:02:32,919 --> 00:02:39,719
The network admin has configured port security
33
00:02:39,719 --> 00:02:46,549
allow frames with a source MAC address of
34
00:02:46,549 --> 00:02:53,209
When PC1 sends a frame, SW1 will check the
35
00:02:53,209 --> 00:02:56,780
so it will forward it to the destination as normal.
36
00:02:56,780 --> 00:03:02,669
But the user unplugs the cable from PC1 and
37
00:03:02,669 --> 00:03:05,229
What will happen when PC2 sends a frame?
38
00:03:05,229 --> 00:03:12,509
Well, SW1 will check the source MAC address
39
00:03:13,750 --> 00:03:18,259
So, SW1 will place G0/1 in an err-disabled state.
40
00:03:18,259 --> 00:03:22,308
It won’t send or receive data until you
41
00:03:22,308 --> 00:03:27,169
Now, as I said there are a few possible actions
42
00:03:27,169 --> 00:03:31,819
later, but for now let’s assume the default action of shutdown.
43
00:03:31,818 --> 00:03:37,078
So, noticing that his laptop isn’t able
44
00:03:37,079 --> 00:03:42,090
unplugs the cable from his laptop and connects it back to PC1.
45
00:03:42,090 --> 00:03:44,360
What happens when PC1 sends a frame?
46
00:03:44,360 --> 00:03:50,129
Well, the interface is still err-disabled,
47
00:03:51,870 --> 00:03:56,159
There are two ways to enable an interface
48
00:03:58,139 --> 00:04:02,730
Okay let’s cover a few more points about port security.
49
00:04:02,729 --> 00:04:07,778
When you enable port security on an interface
50
00:04:09,218 --> 00:04:12,628
You can configure the allowed MAC address manually if you want.
51
00:04:12,628 --> 00:04:16,920
But if you don’t configure it manually,
52
00:04:16,920 --> 00:04:19,590
address that enters the interface.
53
00:04:19,589 --> 00:04:24,250
That MAC address will be allowed on the interface,
54
00:04:24,250 --> 00:04:28,579
However, you can change the maximum number
55
00:04:28,579 --> 00:04:33,060
Here’s one situation in which you should
56
00:04:34,269 --> 00:04:40,379
Phone1 is directly connected to SW1, and PC1
57
00:04:40,379 --> 00:04:44,899
The default port security setting, which allows
58
00:04:44,899 --> 00:04:50,259
this situation, because both PC1 and phone1
59
00:04:50,259 --> 00:04:54,110
MAC address as the source, so that’s two MAC addresses.
60
00:04:54,110 --> 00:05:00,939
So, in this case let’s say we configured
61
00:05:00,939 --> 00:05:05,569
But we didn’t configure them manually, we
62
00:05:07,160 --> 00:05:13,400
So, if phone1 sends a frame SW1 will add it
63
00:05:15,680 --> 00:05:22,410
Then if PC1 sends a frame, SW1 will also add
64
00:05:22,410 --> 00:05:27,740
But now SW1’s G0/1 interface has reached
65
00:05:30,250 --> 00:05:34,939
If the interface is connected to another device
66
00:05:34,939 --> 00:05:38,850
interface because the source MAC address isn’t authorized.
67
00:05:38,850 --> 00:05:42,170
Okay, this introduced two main points.
68
00:05:42,170 --> 00:05:47,341
First, the default number of allowed MAC addresses
69
00:05:47,341 --> 00:05:49,710
you can configure it to allow more.
70
00:05:49,709 --> 00:05:55,409
Second, the allowed MAC addresses can be manually
71
00:05:55,410 --> 00:06:00,530
In this example, both were dynamically learned,
72
00:06:00,529 --> 00:06:08,299
SW1 to allow C.C.C on G0/1, and then allow
73
00:06:09,370 --> 00:06:14,410
So, if more than one MAC address is allowed,
74
00:06:14,410 --> 00:06:20,050
or all have to be dynamically learned, a combination
75
00:06:20,050 --> 00:06:24,780
You can probably imagine how port security
76
00:06:24,779 --> 00:06:29,949
It’s useful because it allows network admins
77
00:06:31,509 --> 00:06:35,560
Someone can’t just plug an unauthorized
78
00:06:36,740 --> 00:06:40,000
However, MAC address spoofing is a simple task.
79
00:06:40,000 --> 00:06:44,560
It’s easy to configure a device to send
80
00:06:44,560 --> 00:06:48,899
So, be aware that port security isn’t a
81
00:06:48,899 --> 00:06:54,399
But, rather than manually specifying the MAC
82
00:06:54,399 --> 00:07:00,209
ability to limit the number of MAC addresses
83
00:07:00,209 --> 00:07:07,239
For example, think back to the DHCP starvation
84
00:07:07,240 --> 00:07:12,780
The attacker spoofed thousands of fake MAC
85
00:07:12,779 --> 00:07:18,000
addresses to those fake MAC addresses, exhausting the DHCP pool.
86
00:07:18,000 --> 00:07:22,850
But not just that, switches can’t learn
87
00:07:22,850 --> 00:07:27,730
switch’s MAC address table can also become
88
00:07:27,730 --> 00:07:31,830
Then the switch can no longer learn new MAC
89
00:07:33,870 --> 00:07:38,050
Using port security to limit the number of
90
00:07:40,939 --> 00:07:45,709
Both aspects of port security are useful:
91
00:07:45,709 --> 00:07:49,841
and controlling how many MAC addresses are
92
00:07:53,060 --> 00:07:58,490
Now, before going deeper into other areas
93
00:08:00,259 --> 00:08:05,149
Port security is enabled directly on the interface,
94
00:08:05,149 --> 00:08:09,138
G0/1 and try the command SWITCHPORT PORT-SECURITY.
95
00:08:09,139 --> 00:08:15,710
However, it’s rejected with a message saying
96
00:08:17,129 --> 00:08:22,709
To check I used SHOW INTERFACES G0/1 SWITCHPORT.
97
00:08:22,709 --> 00:08:28,638
By default, switchports have an administrative
98
00:08:28,639 --> 00:08:33,788
SWITCHPORT MODE DYNAMIC AUTO, I covered that
99
00:08:33,788 --> 00:08:38,759
Port security can be enabled on access ports
100
00:08:38,759 --> 00:08:41,249
configured as access or trunk.
101
00:08:41,249 --> 00:08:44,229
Dynamic auto and dynamic desirable are not allowed.
102
00:08:44,229 --> 00:08:50,610
So, I used SWITCHPORT MODE ACCESS to configure
103
00:08:50,610 --> 00:08:56,430
Then I used SHOW INTERFACES G0/1 SWITCHPORT
104
00:08:56,429 --> 00:09:01,919
is now static access, so the SWITCHPORT PORT-SECURITY
105
00:09:01,919 --> 00:09:07,399
And indeed it does, so port security is now enabled on G0/1.
106
00:09:07,399 --> 00:09:11,620
When you use just this command, port security
107
00:09:11,620 --> 00:09:15,438
Let’s check out those default settings.
108
00:09:15,438 --> 00:09:20,679
The command SHOW PORT-SECURITY INTERFACE,
109
00:09:22,730 --> 00:09:28,450
First, port security is enabled, and the port
110
00:09:28,450 --> 00:09:33,370
Secure-up just means port security is enabled,
111
00:09:33,370 --> 00:09:36,970
The default violation mode is shutdown, as I said before.
112
00:09:36,970 --> 00:09:41,829
If an unauthorized frame enters the interface,
113
00:09:41,828 --> 00:09:44,620
Here are some default settings regarding the timers.
114
00:09:44,620 --> 00:09:49,179
The aging time of 0 minutes means that the
115
00:09:52,808 --> 00:09:55,909
Here we can see information about the MAC addresses.
116
00:09:55,909 --> 00:10:01,778
The maximum is 1, currently it knows 0, 0
117
00:10:01,778 --> 00:10:06,220
0 sticky MAC addresses, that’s also something
118
00:10:06,220 --> 00:10:11,610
SW1 hasn’t received any traffic on this
119
00:10:11,610 --> 00:10:14,829
is all 0s, with VLAN number 0.
120
00:10:14,828 --> 00:10:19,888
Finally, there have been no violations so
121
00:10:19,889 --> 00:10:25,490
Now I sent a ping from PC1 to R1, let’s
122
00:10:25,490 --> 00:10:29,318
I’ve highlighted the two places that have changed.
123
00:10:29,318 --> 00:10:35,360
Total MAC addresses has changed from 0 to
124
00:10:35,360 --> 00:10:40,839
Note that the maximum is also 1, so SW1 won’t
125
00:10:42,058 --> 00:10:48,360
Also, the last source address has changed
126
00:10:50,360 --> 00:10:55,019
Now let’s bring back PC2, and connect the cable to it instead.
127
00:10:55,019 --> 00:10:58,308
What will happen when PC2 tries to ping R1?
128
00:11:00,528 --> 00:11:07,049
From the top of the output, the port status
129
00:11:07,049 --> 00:11:12,278
By the way, if you check SHOW INTERFACES STATUS,
130
00:11:14,220 --> 00:11:18,129
But in the SHOW PORT-SECURITY INTERFACE command,
131
00:11:18,129 --> 00:11:22,829
Also, the total MAC addresses count has reset to 0.
132
00:11:22,828 --> 00:11:28,188
So, it dynamically learned PC1’s MAC address
133
00:11:30,999 --> 00:11:35,430
The last source address is PC2’s MAC address, B.B.B.
134
00:11:35,429 --> 00:11:38,258
And the security violation count is now 1.
135
00:11:38,259 --> 00:11:44,129
Okay, so let’s see how to re-enable an interface
136
00:11:44,129 --> 00:11:49,220
Okay, here’s how to manually re-enable the interface.
137
00:11:49,220 --> 00:11:54,899
But before entering any commands, you should
138
00:11:54,899 --> 00:11:58,749
After disconnecting the unauthorized device,
139
00:11:59,999 --> 00:12:05,769
SHUTDOWN, which puts it in administratively
140
00:12:07,409 --> 00:12:10,860
Let’s check out SHOW PORT-SECURITY INTERFACE.
141
00:12:10,860 --> 00:12:13,699
The port status is back to secure-up.
142
00:12:13,698 --> 00:12:19,099
The last source address, which was PC2’s
143
00:12:19,100 --> 00:12:23,409
And at the bottom, the security violation
144
00:12:24,799 --> 00:12:30,088
So, with the default violation mode, shutdown,
145
00:12:31,539 --> 00:12:37,539
Now, there’s another way to re-enable an
146
00:12:39,070 --> 00:12:45,490
It causes err-disabled interfaces to be automatically
147
00:12:45,490 --> 00:12:49,889
There are actually various reasons an interface
148
00:12:49,889 --> 00:12:54,948
I used the command SHOW ERRDISABLE RECOVERY,
149
00:12:54,948 --> 00:13:00,938
There are so many that I had to omit a lot
150
00:13:00,938 --> 00:13:06,058
On the left is each err-disable reason, and
151
00:13:08,559 --> 00:13:14,649
By default, it is disabled for all reasons,
152
00:13:15,828 --> 00:13:22,208
The one we’re looking for is psecure-violation,
153
00:13:22,208 --> 00:13:24,799
Notice the default timer is 300 seconds.
154
00:13:24,799 --> 00:13:31,939
So, every 5 minutes by default, all err-disabled
155
00:13:31,940 --> 00:13:36,200
recovery has been enabled for the cause of
156
00:13:36,200 --> 00:13:40,470
So, let’s enable it for port security violations.
157
00:13:42,958 --> 00:13:48,879
The command is ERRDISABLE RECOVERY CAUSE,
158
00:13:50,659 --> 00:13:56,110
And just to demonstrate the command, I shortened
159
00:13:56,110 --> 00:13:58,870
and then specified 180 seconds.
160
00:13:58,870 --> 00:14:02,528
Here’s SHOW ERRDISABLE RECOVERY again.
161
00:14:02,528 --> 00:14:07,489
Notice that the psecure-violation recovery
162
00:14:07,489 --> 00:14:11,110
is 180 seconds, as configured.
163
00:14:11,110 --> 00:14:16,620
And just to demonstrate I caused G0/1 to become
164
00:14:16,620 --> 00:14:21,639
will be enabled at the next timeout, and there
165
00:14:21,639 --> 00:14:26,889
So, this is a useful feature, but it’s useless
166
00:14:26,889 --> 00:14:29,499
the interface to enter the err-disabled state.
167
00:14:29,499 --> 00:14:32,928
So, that will always be step 1.
168
00:14:32,928 --> 00:14:37,389
Disconnect the unauthorized device, and then
169
00:14:37,389 --> 00:14:41,600
let errdisable recovery do it for you automatically.
170
00:14:41,600 --> 00:14:45,019
What will happen if you don’t disconnect
171
00:14:45,019 --> 00:14:50,009
Well, if you manually configured the secure
172
00:14:50,009 --> 00:14:55,189
disabled again when it receives another frame
173
00:14:55,190 --> 00:14:59,489
But if you let the switch dynamically learn
174
00:14:59,489 --> 00:15:02,009
when the interface is disabled.
175
00:15:02,009 --> 00:15:06,720
When the interface is re-enabled, the unauthorized
176
00:15:06,720 --> 00:15:11,709
secure MAC address on the interface, which
177
00:15:11,708 --> 00:15:15,928
So, remember to disconnect the unauthorized device.
178
00:15:15,928 --> 00:15:19,730
Okay, now let’s talk about those violation modes.
179
00:15:19,730 --> 00:15:24,820
I just showed you the default mode, shutdown,
180
00:15:27,019 --> 00:15:30,889
But there are three different violation modes
181
00:15:30,889 --> 00:15:35,769
an unauthorized frame enters an interface
182
00:15:35,769 --> 00:15:38,269
The first is the default, shutdown.
183
00:15:38,269 --> 00:15:43,568
It effectively shuts down the port by placing
184
00:15:46,028 --> 00:15:51,298
It will also generate a Syslog and/or SNMP
185
00:15:53,339 --> 00:15:59,810
However, after the interface is down it won’t
186
00:15:59,809 --> 00:16:03,188
device continues trying to send traffic.
187
00:16:03,188 --> 00:16:07,759
Only one message is generated to say that the port was disabled.
188
00:16:07,759 --> 00:16:12,240
The violation counter is set to 1 when the
189
00:16:12,240 --> 00:16:16,639
reset to 0 when the interface is re-enabled, as you saw before.
190
00:16:16,639 --> 00:16:20,308
Okay, the next violation mode is restrict.
191
00:16:20,308 --> 00:16:23,899
The switch will discard traffic from unauthorized MAC addresses.
192
00:16:23,899 --> 00:16:27,429
However, the interface is not disabled.
193
00:16:27,429 --> 00:16:32,128
Devices with authorized MAC addresses will
194
00:16:32,129 --> 00:16:37,558
The switch generates a syslog and/or SNMP
195
00:16:39,278 --> 00:16:43,419
And the violation counter is incremented by
196
00:16:43,419 --> 00:16:47,208
Okay, that’s restrict mode, now the last one.
197
00:16:48,629 --> 00:16:53,739
Like restrict mode, the switch discards traffic
198
00:16:55,249 --> 00:17:01,170
However, it does not generate syslog or SNMP
199
00:17:01,169 --> 00:17:04,119
And it doesn’t increment the violation counter either.
200
00:17:04,119 --> 00:17:07,029
It just silently discards unauthorized traffic.
201
00:17:07,029 --> 00:17:12,609
Okay, so we already saw the shutdown mode,
202
00:17:12,609 --> 00:17:15,869
Here’s the restrict violation mode.
203
00:17:15,869 --> 00:17:22,159
I’m starting from a fresh port-security
204
00:17:22,160 --> 00:17:28,210
This time, I manually authorized PC1’s MAC
205
00:17:28,210 --> 00:17:30,180
followed by PC1’s MAC address.
206
00:17:30,180 --> 00:17:33,880
And here’s how to enable restrict mode.
207
00:17:33,880 --> 00:17:37,480
SWITCHPORT PORT-SECURITY VIOLATION RESTRICT.
208
00:17:37,480 --> 00:17:43,120
Then I tried to ping R1 from PC2, and I got
209
00:17:43,119 --> 00:17:49,139
tells us that a security violation occurred,
210
00:17:50,140 --> 00:17:53,770
Let’s check SHOW PORT-SECURITY INTERFACE.
211
00:17:53,769 --> 00:17:57,710
First, notice the violation mode of restrict.
212
00:17:57,710 --> 00:18:01,740
And you can see that the violation count has
213
00:18:02,740 --> 00:18:07,500
However, the port status is secure-up, not secure-shutdown.
214
00:18:07,500 --> 00:18:13,069
So, if I were to connect the cable back to
215
00:18:13,069 --> 00:18:18,509
no problem, because the interface is still
216
00:18:18,509 --> 00:18:21,470
Okay, that’s the restrict violation mode.
217
00:18:21,470 --> 00:18:24,710
And here’s the last one, protect.
218
00:18:24,710 --> 00:18:29,890
We’re starting with a fresh configuration
219
00:18:30,890 --> 00:18:34,820
I once again manually authorized PC1’s MAC address.
220
00:18:34,819 --> 00:18:39,509
And then I configured SWITCHPORT PORT-SECURITY
221
00:18:39,509 --> 00:18:41,930
And then sent some traffic from PC2.
222
00:18:41,930 --> 00:18:47,150
PC2’s pings failed, but there were no syslog messages on SW1.
223
00:18:47,150 --> 00:18:49,730
Let’s check this command again.
224
00:18:49,730 --> 00:18:54,860
The port status is secure-up, the violation
225
00:18:56,049 --> 00:19:02,450
So, SW1 discarded the traffic from PC2, but
226
00:19:03,990 --> 00:19:06,779
That’s the protect violation mode.
227
00:19:06,779 --> 00:19:11,859
OK, here’s that summary of the violation modes again.
228
00:19:11,859 --> 00:19:17,309
These are how you control what the switch
229
00:19:17,309 --> 00:19:21,279
You should definitely learn the actions taken
230
00:19:24,259 --> 00:19:29,829
Okay, moving down to the next part of the
231
00:19:29,829 --> 00:19:32,849
check out secure MAC address aging.
232
00:19:32,849 --> 00:19:37,329
By the way, MAC addresses dynamically learned
233
00:19:37,329 --> 00:19:41,579
enabled port are called secure MAC addresses.
234
00:19:41,579 --> 00:19:44,919
By default, secure MAC addresses will not age out.
235
00:19:44,920 --> 00:19:49,600
There is no timer, they are permanent unless
236
00:19:49,599 --> 00:19:52,309
or the port is disabled and then re-enabled.
237
00:19:52,309 --> 00:19:56,179
That’s what the aging time of 0 minutes means.
238
00:19:56,180 --> 00:20:01,150
However, you can configure this timer with
239
00:20:01,150 --> 00:20:04,200
TIME, and then the time in minutes.
240
00:20:04,200 --> 00:20:09,309
If you do configure an aging time, the default
241
00:20:09,309 --> 00:20:11,259
Let me explain what that means.
242
00:20:11,259 --> 00:20:16,950
Absolute aging means that, after the secure
243
00:20:16,950 --> 00:20:21,930
and the MAC address is removed after the timer
244
00:20:21,930 --> 00:20:26,180
frames from that source MAC address while it is counting down.
245
00:20:26,180 --> 00:20:31,759
However, after the MAC address ages out it
246
00:20:31,759 --> 00:20:35,450
frame with that source MAC is received.
247
00:20:35,450 --> 00:20:38,120
The other aging type is inactivity.
248
00:20:38,119 --> 00:20:41,179
This is like regular MAC address aging.
249
00:20:41,180 --> 00:20:45,670
After the MAC address is learned the aging
250
00:20:45,670 --> 00:20:48,860
frame from that source MAC address is received.
251
00:20:48,859 --> 00:20:55,469
So, if the switch keeps receiving frames from
252
00:20:55,470 --> 00:21:00,900
You can configure the aging type with SWITCHPORT
253
00:21:02,630 --> 00:21:08,670
Now, by default only dynamically-learned secure
254
00:21:08,670 --> 00:21:14,050
If you configure a MAC with SWITCHPORT PORT-SECURITY
255
00:21:15,259 --> 00:21:19,371
The command will remain in the running-config
256
00:21:21,079 --> 00:21:26,109
But with the command SWITCHPORT PORT-SECURITY
257
00:21:26,109 --> 00:21:29,139
out static secure MAC addresses, too.
258
00:21:29,140 --> 00:21:33,240
The command will be removed from the running
259
00:21:33,240 --> 00:21:37,140
the MAC address table if it ages out.
260
00:21:37,140 --> 00:21:38,850
Let me show you those commands in the CLI.
261
00:21:38,849 --> 00:21:45,419
I configured an aging time of 30 minutes,
262
00:21:45,420 --> 00:21:48,580
of static secure MAC addresses.
263
00:21:48,579 --> 00:21:53,619
Then I checked SHOW PORT-SECURITY INTERFACE
264
00:21:55,519 --> 00:22:01,470
Aging time 30 minutes, aging type inactivity,
265
00:22:01,470 --> 00:22:05,740
Okay, that’s all you really need to know about the timers.
266
00:22:05,740 --> 00:22:10,269
But before moving on to the next topic, let
267
00:22:12,609 --> 00:22:17,829
It displays which interfaces have port security
268
00:22:17,829 --> 00:22:24,009
addresses on those interfaces, their security
269
00:22:24,009 --> 00:22:28,690
In this case, I only have port security enabled
270
00:22:28,690 --> 00:22:34,320
many this is a useful command to get an overview
271
00:22:34,319 --> 00:22:41,659
Next, here’s the last major topic of the
272
00:22:41,660 --> 00:22:45,570
Sticky secure MAC address learning can be
273
00:22:45,569 --> 00:22:49,500
SWITCHPORT PORT-SECURITY MAC-ADDRESS STICKY.
274
00:22:49,500 --> 00:22:54,009
When enabled, dynamically-learned secure MAC
275
00:22:55,079 --> 00:23:00,710
So, if you look in the running config you’ll
276
00:23:00,710 --> 00:23:06,069
SWITCHPORT PORT-SECURITY MAC-ADDRESS STICKY,
277
00:23:06,069 --> 00:23:10,470
These sticky secure MAC addresses will never
278
00:23:12,130 --> 00:23:17,370
However, because they are added to the running-config,
279
00:23:17,369 --> 00:23:22,119
the running-config to the startup-config to
280
00:23:24,730 --> 00:23:29,319
If you don’t do that, they will be lost
281
00:23:31,279 --> 00:23:36,619
When you issue the SWITCHPORT PORT-SECURITY
282
00:23:36,619 --> 00:23:40,849
secure MAC addresses will be converted to
283
00:23:40,849 --> 00:23:44,469
So, they will be added to the running config.
284
00:23:46,289 --> 00:23:50,559
If you remove sticky learning, sticky secure
285
00:23:52,500 --> 00:23:56,309
Okay, let’s check it out in the CLI.
286
00:23:56,309 --> 00:24:00,599
So, as always I enabled port-security first.
287
00:24:00,599 --> 00:24:07,939
Then I issued SWITCHPORT PORT-SECURITY MAC-ADDRESS
288
00:24:07,940 --> 00:24:15,090
I then checked the G0/1 interface in the running-config,
289
00:24:15,089 --> 00:24:19,379
SWITCHPORT PORT-SECURITY MAC-ADDRESS STICKY,
290
00:24:19,380 --> 00:24:24,630
I didn’t configure that command, it was
291
00:24:25,970 --> 00:24:32,100
So, sticky MAC addresses are basically a way
292
00:24:32,099 --> 00:24:34,149
without actually having to manually configure them.
293
00:24:34,150 --> 00:24:41,710
Okay, before moving on to review and the quiz,
294
00:24:41,710 --> 00:24:46,950
Secure MAC addresses will be added to the
295
00:24:46,950 --> 00:24:52,360
Sticky and static secure MAC addresses will
296
00:24:52,359 --> 00:24:57,369
secure MAC addresses that aren’t sticky
297
00:24:57,369 --> 00:25:03,250
And you can view all secure MAC addresses
298
00:25:03,250 --> 00:25:07,950
I used the command, and here is PC1’s MAC
299
00:25:09,490 --> 00:25:13,490
Notice the type of static, even though I didn’t
300
00:25:16,029 --> 00:25:19,460
Here’s a summary of the commands we covered in this video.
301
00:25:21,180 --> 00:25:25,730
You’ll definitely want to experiment with
302
00:25:25,730 --> 00:25:29,730
Follow my packet tracer lab, and also try making your own.
303
00:25:29,730 --> 00:25:34,940
If you don’t remember any of these commands,
304
00:25:34,940 --> 00:25:38,799
Before moving on to the quiz, let’s review what we learned.
305
00:25:38,799 --> 00:25:42,690
First I gave an intro to port security, and
306
00:25:42,690 --> 00:25:48,039
Basically, it allows you to control what source
307
00:25:48,039 --> 00:25:50,379
are allowed to enter a switch interface.
308
00:25:50,380 --> 00:25:55,000
I also briefly explained why we should use port security.
309
00:25:55,000 --> 00:25:59,690
First of all, it allows us to prevent unauthorized
310
00:25:59,690 --> 00:26:04,410
And secondly, it helps defend against attacks
311
00:26:04,410 --> 00:26:09,880
in a previous video, in which thousands of
312
00:26:11,460 --> 00:26:16,700
Then, while explaining various aspects of
313
00:26:18,240 --> 00:26:22,470
Make sure to watch until the end of the quiz
314
00:26:22,470 --> 00:26:26,079
ExSim, my recommended practice exams for the CCNA.
315
00:26:26,079 --> 00:26:31,279
Okay, let’s go to quiz question 1.
316
00:26:31,279 --> 00:26:33,730
Examine the show command output below.
317
00:26:33,730 --> 00:26:37,059
How many secure MAC addresses were dynamically
318
00:26:37,059 --> 00:26:43,490
Pause the video now to examine the output
319
00:26:48,230 --> 00:26:53,200
So, according to the output 4 total MAC addresses
320
00:26:53,200 --> 00:26:56,830
1 was configured, that’s not dynamic.
321
00:26:56,829 --> 00:27:00,609
There are 3 sticky MAC addresses, what about them?
322
00:27:00,609 --> 00:27:04,799
Although sticky MAC addresses are inserted
323
00:27:04,799 --> 00:27:10,089
address, and their type in the MAC address
324
00:27:11,089 --> 00:27:16,359
So those 3 sticky MAC addresses were dynamically
325
00:27:20,299 --> 00:27:24,789
Which of the following occur when a port-security
326
00:27:24,789 --> 00:27:32,619
(select the two best answers) Okay, pause
327
00:27:32,619 --> 00:27:40,799
Okay, the best answers are B, unauthorized
328
00:27:42,500 --> 00:27:46,619
In addition, a syslog message and SNMP trap will be sent.
329
00:27:46,619 --> 00:27:51,929
However, an SNMP Get message, as in D, will not be sent.
330
00:27:51,930 --> 00:27:56,990
GET messages are sent from the SNMP manager
331
00:28:03,799 --> 00:28:08,960
What will SW1 do when an unauthorized frame arrives on G0/1?
332
00:28:08,960 --> 00:28:14,940
Pause the video now to examine the output
333
00:28:14,940 --> 00:28:21,900
Okay, the best answer is A, unauthorized traffic
334
00:28:21,900 --> 00:28:26,650
The violation mode is protect, which means
335
00:28:26,650 --> 00:28:30,580
However, the interface won’t be err-disabled.
336
00:28:30,579 --> 00:28:32,799
Authorized frames will still be forwarded.
337
00:28:32,799 --> 00:28:37,579
No syslog or SNMP messages will be sent, and
338
00:28:42,960 --> 00:28:47,500
Which of the following will re-enable an interface
339
00:28:49,900 --> 00:28:57,870
Okay, pause the video now to select the two best answers.
340
00:28:57,869 --> 00:29:04,529
The best answers are A, SHUTDOWN and NO SHUTDOWN
341
00:29:04,529 --> 00:29:08,329
CAUSE PSECURE-VIOLATION in global config mode.
342
00:29:08,329 --> 00:29:11,949
Either of these will work to re-enable the interface.
343
00:29:11,950 --> 00:29:17,750
C, unplugging the unauthorized device, is
344
00:29:19,390 --> 00:29:25,000
Note that you should unplug the unauthorized
345
00:29:25,000 --> 00:29:27,759
the device itself won’t re-enable the interface.
346
00:29:35,400 --> 00:29:40,650
What will happen when the switchport port-security
347
00:29:40,650 --> 00:29:46,280
Pause the video now to examine the output
348
00:29:46,279 --> 00:29:52,069
Okay, the answer is A, the command will be accepted.
349
00:29:52,069 --> 00:29:57,809
The administrative mode of G0/1 is static
350
00:29:57,809 --> 00:30:03,000
However, if it was the default administrative
351
00:30:04,670 --> 00:30:09,590
Port security can be configured on access
352
00:30:09,589 --> 00:30:13,539
configured with SWITCHPORT MODE ACCESS or SWITCHPORT MODE TRUNK.
353
00:30:13,539 --> 00:30:16,359
Okay, that’s all for the quiz.
354
00:30:16,359 --> 00:30:21,605
Now let’s take a look at a bonus question
355
00:33:00,640 --> 00:33:04,060
There are supplementary materials for this video.
356
00:33:04,059 --> 00:33:08,099
There is a flashcard deck to use with the software ‘Anki’.
357
00:33:08,099 --> 00:33:12,719
There will also be a packet tracer practice
358
00:33:12,720 --> 00:33:16,308
That will be in the next video.
359
00:33:16,308 --> 00:33:20,829
Before finishing today’s video I want to
360
00:33:20,829 --> 00:33:25,279
To join, please click the ‘Join’ button under the video.
361
00:33:25,279 --> 00:33:31,680
Thank you to Samil, C Mohd, Scott, Martin,
362
00:33:31,680 --> 00:33:38,360
Serge, Njoku, Viktor, Roger, Suki, Kenneth,
363
00:33:38,359 --> 00:33:44,479
Prakaash, Nasir, Erlison, Marko, Daming, Ed,
364
00:33:44,480 --> 00:33:47,069
Software, Devin, Yonatan, and Vance.
365
00:33:47,069 --> 00:33:52,439
Sorry if I pronounced your name incorrectly,
366
00:33:52,440 --> 00:33:58,620
This is the list of JCNP-level members at
367
00:33:59,619 --> 00:34:04,199
If you signed up recently and your name isn’t
368
00:34:08,289 --> 00:34:12,199
Please subscribe to the channel, like the
369
00:34:12,199 --> 00:34:15,529
with anyone else studying for the CCNA.
370
00:34:15,530 --> 00:34:18,380
If you want to leave a tip, check the links in the description.
371
00:34:18,380 --> 00:34:24,289
I'm also a Brave verified publisher and accept