All language subtitles for Free-CCNA-Port-Security-Day-49-CCNA-200-301-Complete-Course_en

1 00:00:03,198 --> 00:00:06,759 This is a free, complete course for the CCNA.
2 00:00:06,759 --> 00:00:10,580 If you like these videos, please subscribe
3 00:00:10,580 --> 00:00:15,339 Also, please like and leave a comment, and
4 00:00:18,379 --> 00:30:21,606 In this video we will talk about port security.
5 00:00:21,730 --> 00:00:26,519 Port security is a security feature on Cisco
6 00:00:26,519 --> 00:00:31,250 MAC addresses are allowed on a switch port,
7 00:00:32,909 --> 00:00:38,589 It’s covered in exam topic 5.7, which says
8 00:00:38,590 --> 00:00:44,630 features, including DHCP snooping, ARP inspection,
9 00:00:44,630 --> 00:00:50,400 Those other two, DHCP snooping and ARP inspection,
10 00:00:50,399 --> 00:00:53,759 But for this video, we’ll focus on port security.
11 00:00:53,759 --> 00:00:56,570 Here’s what we’ll cover in this video.
12 00:00:56,570 --> 00:01:00,549 First, I’ll introduce what port security is.
13 00:01:00,549 --> 00:01:02,729 But knowing what it is isn’t enough.
14 00:01:02,729 --> 00:01:08,420 I’ll also explain why we use port security,
15 00:01:08,420 --> 00:01:12,579 And I’ll show you various port security
16 00:01:12,579 --> 00:01:17,259 As always, watch until the end of the video
17 00:01:17,260 --> 00:01:24,020 ExSim for CCNA, my recommended practice exams for the CCNA.
18 00:01:24,019 --> 00:01:25,890 First up, what is port security?
19 00:01:25,890 --> 00:01:30,260 Well, it’s a security feature of Cisco switches.
20 00:01:30,260 --> 00:01:34,799 It allows you to control which source MAC
21 00:01:35,799 --> 00:01:40,049 So, it’s configured on a per-interface basis.
22 00:01:40,049 --> 00:01:45,490 By the way, throughout this video I’ll probably
23 00:01:47,090 --> 00:01:52,350 So, if a frame with an unauthorized source
24 00:01:54,069 --> 00:01:58,250 There are a few possible actions that you
25 00:01:58,250 --> 00:02:00,989 place the interface in an err-disabled state.
26 00:02:00,989 --> 00:02:04,989 In effect, this is like shutting down the interface.
27 00:02:04,989 --> 00:02:09,039 Traffic will no longer be sent or received by that interface.
28 00:02:10,179 --> 00:02:14,500 PC1 is connected to SW1’s G0/1 interface.
29 00:02:18,079 --> 00:02:22,421 As you know, MAC addresses are actually 12
30 00:02:22,420 --> 00:02:25,408 them here to make it easier to read.
31 00:02:25,408 --> 00:02:31,700 The user of PC1 brought in his personal laptop
32 00:02:32,919 --> 00:02:39,719 The network admin has configured port security
33 00:02:39,719 --> 00:02:46,549 allow frames with a source MAC address of
34 00:02:46,549 --> 00:02:53,209 When PC1 sends a frame, SW1 will check the
35 00:02:53,209 --> 00:02:56,780 so it will forward it to the destination as normal.
36 00:02:56,780 --> 00:03:02,669 But the user unplugs the cable from PC1 and
37 00:03:02,669 --> 00:03:05,229 What will happen when PC2 sends a frame?
38 00:03:05,229 --> 00:03:12,509 Well, SW1 will check the source MAC address
39 00:03:13,750 --> 00:03:18,259 So, SW1 will place G0/1 in an err-disabled state.
40 00:03:18,259 --> 00:03:22,308 It won’t send or receive data until you
41 00:03:22,308 --> 00:03:27,169 Now, as I said there are a few possible actions
42 00:03:27,169 --> 00:03:31,819 later, but for now let’s assume the default action of shutdown.
43 00:03:31,818 --> 00:03:37,078 So, noticing that his laptop isn’t able
44 00:03:37,079 --> 00:03:42,090 unplugs the cable from his laptop and connects it back to PC1.
45 00:03:42,090 --> 00:03:44,360 What happens when PC1 sends a frame?
46 00:03:44,360 --> 00:03:50,129 Well, the interface is still err-disabled,
47 00:03:51,870 --> 00:03:56,159 There are two ways to enable an interface
48 00:03:58,139 --> 00:04:02,730 Okay let’s cover a few more points about port security.
49 00:04:02,729 --> 00:04:07,778 When you enable port security on an interface
50 00:04:09,218 --> 00:04:12,628 You can configure the allowed MAC address manually if you want.
51 00:04:12,628 --> 00:04:16,920 But if you don’t configure it manually,
52 00:04:16,920 --> 00:04:19,590 address that enters the interface.
53 00:04:19,589 --> 00:04:24,250 That MAC address will be allowed on the interface,
54 00:04:24,250 --> 00:04:28,579 However, you can change the maximum number
55 00:04:28,579 --> 00:04:33,060 Here’s one situation in which you should
56 00:04:34,269 --> 00:04:40,379 Phone1 is directly connected to SW1, and PC1
57 00:04:40,379 --> 00:04:44,899 The default port security setting, which allows
58 00:04:44,899 --> 00:04:50,259 this situation, because both PC1 and phone1
59 00:04:50,259 --> 00:04:54,110 MAC address as the source, so that’s two MAC addresses.
60 00:04:54,110 --> 00:05:00,939 So, in this case let’s say we configured
61 00:05:00,939 --> 00:05:05,569 But we didn’t configure them manually, we
62 00:05:07,160 --> 00:05:13,400 So, if phone1 sends a frame SW1 will add it
63 00:05:15,680 --> 00:05:22,410 Then if PC1 sends a frame, SW1 will also add
64 00:05:22,410 --> 00:05:27,740 But now SW1’s G0/1 interface has reached
65 00:05:30,250 --> 00:05:34,939 If the interface is connected to another device
66 00:05:34,939 --> 00:05:38,850 interface because the source MAC address isn’t authorized.
67 00:05:38,850 --> 00:05:42,170 Okay, in this introduced two main points.
68 00:05:42,170 --> 00:05:47,341 First, the default number of allowed MAC addresses
69 00:05:47,341 --> 00:05:49,710 you can configure it to allow more.
70 00:05:49,709 --> 00:05:55,409 Second, the allowed MAC addresses can be manually
71 00:05:55,410 --> 00:06:00,530 In this example, both were dynamically learned,
72 00:06:00,529 --> 00:06:08,299 SW1 to allow C.C.C on G0/1, and then allow
73 00:06:09,370 --> 00:06:14,410 So, if more than one MAC address is allowed,
74 00:06:14,410 --> 00:06:20,050 or all have to be dynamically learned, a combination
75 00:06:20,050 --> 00:06:24,780 You can probably imagine how port security
76 00:06:24,779 --> 00:06:29,949 It’s useful because it allows network admins
77 00:06:31,509 --> 00:06:35,560 Someone can’t just plug an unauthorized
78 00:06:36,740 --> 00:06:40,000 However, MAC address spoofing is a simple task.
79 00:06:40,000 --> 00:06:44,560 It’s easy to configure a device to send
80 00:06:44,560 --> 00:06:48,899 So, be aware that port security isn’t a
81 00:06:48,899 --> 00:06:54,399 But, rather than manually specifying the MAC
82 00:06:54,399 --> 00:07:00,209 ability to limit the number of MAC addresses
83 00:07:00,209 --> 00:07:07,239 For example, think back to the DHCP starvation
84 00:07:07,240 --> 00:07:12,780 The attacker spoofed thousands of fake MAC
85 00:07:12,779 --> 00:07:18,000 addresses to those fake MAC addresses, exhausting the DHCP pool.
86 00:07:18,000 --> 00:07:22,850 But not just that, switches can’t learn
87 00:07:22,850 --> 00:07:27,730 switch’s MAC address table can also become
88 00:07:27,730 --> 00:07:31,830 Then the switch can no longer learn new MAC
89 00:07:33,870 --> 00:07:38,050 Using port security to limit the number of
90 00:07:40,939 --> 00:07:45,709 Both aspects of port security are useful:
91 00:07:45,709 --> 00:07:49,841 and controlling how many MAC addresses are
92 00:07:53,060 --> 00:07:58,490 Now, before going deeper into other areas
93 00:08:00,259 --> 00:08:05,149 Port security is enabled directly on the interface,
94 00:08:05,149 --> 00:08:09,138 G0/1 and try the command SWITCHPORT PORT-SECURITY.
95 00:08:09,139 --> 00:08:15,710 However, it’s rejected with a message saying
96 00:08:17,129 --> 00:08:22,709 To check I used SHOW INTERFACES G0/1 SWITCHPORT.
97 00:08:22,709 --> 00:08:28,638 By default, switchports have an administrative
98 00:08:28,639 --> 00:08:33,788 SWITCHPORT MODE DYNAMIC AUTO, I covered that
99 00:08:33,788 --> 00:08:38,759 Port security can be enabled on access ports
100 00:08:38,759 --> 00:08:41,249 configured as access or trunk.
101 00:08:41,249 --> 00:08:44,229 Dynamic auto and dynamic desirable are not allowed.
102 00:08:44,229 --> 00:08:50,610 So, I used SWITCHPORT MODE ACCESS to configure
103 00:08:50,610 --> 00:08:56,430 Then I used SHOW INTERFACES G0/1 SWITCHPORT
104 00:08:56,429 --> 00:09:01,919 is now static access, so the SWITCHPORT PORT-SECURITY
105 00:09:01,919 --> 00:09:07,399 And indeed it does, so port security is now enabled on G0/1.
106 00:09:07,399 --> 00:09:11,620 When you use just this command, port security
107 00:09:11,620 --> 00:09:15,438 Let’s check out those default settings.
108 00:09:15,438 --> 00:09:20,679 The command SHOW PORT-SECURITY INTERFACE,
109 00:09:22,730 --> 00:09:28,450 First, port security is enabled, and the port
110 00:09:28,450 --> 00:09:33,370 Secure-up just means port security is enabled,
111 00:09:33,370 --> 00:09:36,970 The default violation mode is shutdown, as I said before.
112 00:09:36,970 --> 00:09:41,829 If an unauthorized frame enters the interface,
113 00:09:41,828 --> 00:09:44,620 Here are some default settings regarding the timers.
114 00:09:44,620 --> 00:09:49,179 The aging time of 0 minutes means that the
115 00:09:52,808 --> 00:09:55,909 Here we can see information about the MAC addresses.
116 00:09:55,909 --> 00:10:01,778 The maximum is 1, currently it knows 0, 0
117 00:10:01,778 --> 00:10:06,220 0 sticky MAC addresses, that’s also something
118 00:10:06,220 --> 00:10:11,610 SW1 hasn’t received any traffic on this
119 00:10:11,610 --> 00:10:14,829 is all 0s, with VLAN number 0.
120 00:10:14,828 --> 00:10:19,888 Finally, there have been no violations so
121 00:10:19,889 --> 00:10:25,490 Now I sent a ping from PC1 to R1, let’s
122 00:10:25,490 --> 00:10:29,318 I’ve highlighted the two places that have changed.
123 00:10:29,318 --> 00:10:35,360 Total MAC addresses has changed from 0 to
124 00:10:35,360 --> 00:10:40,839 Note that the maximum is also 1, so SW1 won’t
125 00:10:42,058 --> 00:10:48,360 Also, the last source address has changed
126 00:10:50,360 --> 00:10:55,019 Now let’s bring back PC2, and connect the cable to it instead.
127 00:10:55,019 --> 00:10:58,308 What will happen when PC2 tries to ping R1?
128 00:11:00,528 --> 00:11:07,049 From the top of the output, the port status
129 00:11:07,049 --> 00:11:12,278 By the way, if you check SHOW INTERFACES STATUS,
130 00:11:14,220 --> 00:11:18,129 But in the SHOW PORT-SECURITY INTERFACE command,
131 00:11:18,129 --> 00:11:22,829 Also, the total MAC addresses count has reset to 0.
132 00:11:22,828 --> 00:11:28,188 So, it dynamically learned PC1’s MAC address
133 00:11:30,999 --> 00:11:35,430 The last source address is PC2’s MAC address, B.B.B.
134 00:11:35,429 --> 00:11:38,258 And the security violation count is now 1.
135 00:11:38,259 --> 00:11:44,129 Okay, so let’s see how to re-enable an interface
136 00:11:44,129 --> 00:11:49,220 Okay, here’s how to manually re-enable the interface.
137 00:11:49,220 --> 00:11:54,899 But before entering any commands, you should
138 00:11:54,899 --> 00:11:58,749 After disconnecting the unauthorized device,
139 00:11:59,999 --> 00:12:05,769 SHUTDOWN, which puts it in administratively
140 00:12:07,409 --> 00:12:10,860 Let’s check out SHOW PORT-SECURITY INTERFACE.
141 00:12:10,860 --> 00:12:13,699 The port status is back to secure-up.
142 00:12:13,698 --> 00:12:19,099 The last source address, which was PC2’s
143 00:12:19,100 --> 00:12:23,409 And at the bottom, the security violation
144 00:12:24,799 --> 00:12:30,088 So, with the default violation mode, shutdown,
145 00:12:31,539 --> 00:12:37,539 Now, there’s another way to re-enable an
146 00:12:39,070 --> 00:12:45,490 It causes err-disabled interfaces to be automatically
147 00:12:45,490 --> 00:12:49,889 There are actually various reasons an interface
148 00:12:49,889 --> 00:12:54,948 I used the command SHOW ERRDISABLE RECOVERY,
149 00:12:54,948 --> 00:13:00,938 There are so many that I had to omit a lot
150 00:13:00,938 --> 00:13:06,058 On the left is each err-disable reason, and
151 00:13:08,559 --> 00:13:14,649 By default, it is disabled for all reasons,
152 00:13:15,828 --> 00:13:22,208 The one we’re looking for is psecure-violation,
153 00:13:22,208 --> 00:13:24,799 Notice the default timer is 300 seconds.
154 00:13:24,799 --> 00:13:31,939 So, every 5 minutes by default, all err-disabled
155 00:13:31,940 --> 00:13:36,200 recovery has been enabled for the cause of
156 00:13:36,200 --> 00:13:40,470 So, let’s enable it for port security violations.
157 00:13:42,958 --> 00:13:48,879 The command is ERRDISABLE RECOVERY CAUSE,
158 00:13:50,659 --> 00:13:56,110 And just to demonstrate the command, I shortened
159 00:13:56,110 --> 00:13:58,870 and then specified 180 seconds.
160 00:13:58,870 --> 00:14:02,528 Here’s SHOW ERRDISABLE RECOVERY again.
161 00:14:02,528 --> 00:14:07,489 Notice that the psecure-violation recovery
162 00:14:07,489 --> 00:14:11,110 is 180 seconds, as configured.
163 00:14:11,110 --> 00:14:16,620 And just to demonstrate I caused G0/1 to become
164 00:14:16,620 --> 00:14:21,639 will be enabled at the next timeout, and there
165 00:14:21,639 --> 00:14:26,889 So, this is a useful feature, but it’s useless
166 00:14:26,889 --> 00:14:29,499 the interface to enter the err-disabled state.
167 00:14:29,499 --> 00:14:32,928 So, that will always be step 1.
168 00:14:32,928 --> 00:14:37,389 Disconnect the unauthorized device, and then
169 00:14:37,389 --> 00:14:41,600 let errdisable recovery do it for you automatically.
170 00:14:41,600 --> 00:14:45,019 What will happen if you don’t disconnect
171 00:14:45,019 --> 00:14:50,009 Well, if you manually configured the secure
172 00:14:50,009 --> 00:14:55,189 disabled again when it receives another frame
173 00:14:55,190 --> 00:14:59,489 But if you let the switch dynamically learn
174 00:14:59,489 --> 00:15:02,009 when the interface is disabled.
175 00:15:02,009 --> 00:15:06,720 When the interface is re-enabled, the unauthorized
176 00:15:06,720 --> 00:15:11,709 secure MAC address on the interface, which
177 00:15:11,708 --> 00:15:15,928 So, remember to disconnect the unauthorized device.
178 00:15:15,928 --> 00:15:19,730 Okay, now let’s talk about those violation modes.
179 00:15:19,730 --> 00:15:24,820 I just showed you the default mode, shutdown,
180 00:15:27,019 --> 00:15:30,889 But there are three different violation modes
181 00:15:30,889 --> 00:15:35,769 an unauthorized frame enters an interface
182 00:15:35,769 --> 00:15:38,269 The first is the default, shutdown.
183 00:15:38,269 --> 00:15:43,568 It effectively shuts down the port by placing
184 00:15:46,028 --> 00:15:51,298 It will also generate a Syslog and/or SNMP
185 00:15:53,339 --> 00:15:59,810 However, after the interface is down it won’t
186 00:15:59,809 --> 00:16:03,188 device continues trying to send traffic.
187 00:16:03,188 --> 00:16:07,759 Only one message is generated to say that the port was disabled.
188 00:16:07,759 --> 00:16:12,240 The violation counter is set to 1 when the
189 00:16:12,240 --> 00:16:16,639 reset to 0 when the interface is re-enabled, as you saw before.
190 00:16:16,639 --> 00:16:20,308 Okay, the next violation mode is restrict.
191 00:16:20,308 --> 00:16:23,899 The switch will discard traffic from unauthorized MAC addresses.
192 00:16:23,899 --> 00:16:27,429 However, the interface is not disabled.
193 00:16:27,429 --> 00:16:32,128 Devices with authorized MAC addresses will
194 00:16:32,129 --> 00:16:37,558 The switch generates a syslog and/or SNMP
195 00:16:39,278 --> 00:16:43,419 And the violation counter is incremented by
196 00:16:43,419 --> 00:16:47,208 Okay, that’s restrict mode, now the last one.
197 00:16:48,629 --> 00:16:53,739 Like restrict mode, the switch discards traffic
198 00:16:55,249 --> 00:17:01,170 However, it does not generate syslog or SNMP
199 00:17:01,169 --> 00:17:04,119 And it doesn’t increment the violation counter either.
200 00:17:04,119 --> 00:17:07,029 It just silently discards unauthorized traffic.
201 00:17:07,029 --> 00:17:12,609 Okay, so we already saw the shutdown mode,
202 00:17:12,609 --> 00:17:15,869 Here’s the restrict violation mode.
203 00:17:15,869 --> 00:17:22,159 I’m starting from a fresh port-security
204 00:17:22,160 --> 00:17:28,210 This time, I manually authorized PC1’s MAC
205 00:17:28,210 --> 00:17:30,180 followed by PC1’s MAC address.
206 00:17:30,180 --> 00:17:33,880 And here’s how to enable restrict mode.
207 00:17:33,880 --> 00:17:37,480 SWITCHPORT PORT-SECURITY VIOLATION RESTRICT.
208 00:17:37,480 --> 00:17:43,120 Then I tried to ping R1 from PC2, and I got
209 00:17:43,119 --> 00:17:49,139 tells us that a security violation occurred,
210 00:17:50,140 --> 00:17:53,770 Let’s check SHOW PORT-SECURITY INTERFACE.
211 00:17:53,769 --> 00:17:57,710 First, notice the violation mode of restrict.
212 00:17:57,710 --> 00:18:01,740 And you can see that the violation count has
213 00:18:02,740 --> 00:18:07,500 However, the port status is secure-up, not secure-shutdown.
214 00:18:07,500 --> 00:18:13,069 So, if I were to connect the cable back to
215 00:18:13,069 --> 00:18:18,509 no problem, because the interface is still
216 00:18:18,509 --> 00:18:21,470 Okay, that’s the restrict violation mode.
217 00:18:21,470 --> 00:18:24,710 And here’s the last one, protect.
218 00:18:24,710 --> 00:18:29,890 We’re starting with a fresh configuration
219 00:18:30,890 --> 00:18:34,820 I once again manually authorized PC1’s MAC address.
220 00:18:34,819 --> 00:18:39,509 And then I configured SWITCHPORT PORT-SECURITY
221 00:18:39,509 --> 00:18:41,930 And then sent some traffic from PC2.
222 00:18:41,930 --> 00:18:47,150 PC2’s pings failed, but there were no syslog messages on SW1.
223 00:18:47,150 --> 00:18:49,730 Let’s check this command again.
224 00:18:49,730 --> 00:18:54,860 The port status is secure-up, the violation
225 00:18:56,049 --> 00:19:02,450 So, SW1 discarded the traffic from PC2, but
226 00:19:03,990 --> 00:19:06,779 That’s the protect violation mode.
227 00:19:06,779 --> 00:19:11,859 OK, here’s that summary of the violation modes again.
228 00:19:11,859 --> 00:19:17,309 These are how you control what the switch
229 00:19:17,309 --> 00:19:21,279 You should definitely learn the actions taken
230 00:19:24,259 --> 00:19:29,829 Okay, moving down to the next part of the
231 00:19:29,829 --> 00:19:32,849 check out secure MAC address aging.
232 00:19:32,849 --> 00:19:37,329 By the way, MAC addresses dynamically learned
233 00:19:37,329 --> 00:19:41,579 enabled port are called secure MAC addresses.
234 00:19:41,579 --> 00:19:44,919 By default, secure MAC addresses will not age out.
235 00:19:44,920 --> 00:19:49,600 There is no timer, they are permanent unless
236 00:19:49,599 --> 00:19:52,309 or the port is disabled and then re-enabled.
237 00:19:52,309 --> 00:19:56,179 That’s what the aging time of 0 minutes means.
238 00:19:56,180 --> 00:20:01,150 However, you can configure this timer with
239 00:20:01,150 --> 00:20:04,200 TIME, and then the time in minutes.
240 00:20:04,200 --> 00:20:09,309 If you do configure an aging time, the default
241 00:20:09,309 --> 00:20:11,259 Let me explain what that means.
242 00:20:11,259 --> 00:20:16,950 Absolute aging means that, after the secure
243 00:20:16,950 --> 00:20:21,930 and the MAC address is removed after the timer
244 00:20:21,930 --> 00:20:26,180 frames from that source MAC address while it is counting down.
245 00:20:26,180 --> 00:20:31,759 However, after the MAC address ages out it
246 00:20:31,759 --> 00:20:35,450 frame with that source MAC is received.
247 00:20:35,450 --> 00:20:38,120 The other aging type is inactivity.
248 00:20:38,119 --> 00:20:41,179 This is like regular MAC address aging.
249 00:20:41,180 --> 00:20:45,670 After the MAC address is learned the aging
250 00:20:45,670 --> 00:20:48,860 frame from that source MAC address is received.
251 00:20:48,859 --> 00:20:55,469 So, if the switch keeps receiving frames from
252 00:20:55,470 --> 00:21:00,900 You can configure the aging type with SWITCHPORT
253 00:21:02,630 --> 00:21:08,670 Now, by default only dynamically-learned secure
254 00:21:08,670 --> 00:21:14,050 If you configure a MAC with SWITCHPORT PORT-SECURITY
255 00:21:15,259 --> 00:21:19,371 The command will remain in the running-config
256 00:21:21,079 --> 00:21:26,109 But with the command SWITCHPORT PORT-SECURITY
257 00:21:26,109 --> 00:21:29,139 out static secure MAC addresses, too.
258 00:21:29,140 --> 00:21:33,240 The command will be removed from the running
259 00:21:33,240 --> 00:21:37,140 the MAC address table if it ages out.
260 00:21:37,140 --> 00:21:38,850 Let me show you those commands in the CLI.
261 00:21:38,849 --> 00:21:45,419 I configured an aging time of 30 minutes,
262 00:21:45,420 --> 00:21:48,580 of static secure MAC addresses.
263 00:21:48,579 --> 00:21:53,619 Then I checked SHOW PORT-SECURITY INTERFACE
264 00:21:55,519 --> 00:22:01,470 Aging time 30 minutes, aging type inactivity,
265 00:22:01,470 --> 00:22:05,740 Okay, that’s all you really need to know about the timers.
266 00:22:05,740 --> 00:22:10,269 But before moving on to the next topic, let
267 00:22:12,609 --> 00:22:17,829 It displays which interfaces have port security
268 00:22:17,829 --> 00:22:24,009 addresses on those interfaces, their security
269 00:22:24,009 --> 00:22:28,690 In this case, I only have port security enabled
270 00:22:28,690 --> 00:22:34,320 many this is a useful command to get an overview
271 00:22:34,319 --> 00:22:41,659 Next, here’s the last major topic of the
272 00:22:41,660 --> 00:22:45,570 Sticky secure MAC address learning can be
273 00:22:45,569 --> 00:22:49,500 SWITCHPORT PORT-SECURITY MAC-ADDRESS STICKY.
274 00:22:49,500 --> 00:22:54,009 When enabled, dynamically-learned secure MAC
275 00:22:55,079 --> 00:23:00,710 So, if you look in the running config you’ll
276 00:23:00,710 --> 00:23:06,069 SWITCHPORT PORT-SECURITY MAC-ADDRESS STICKY,
277 00:23:06,069 --> 00:23:10,470 These sticky secure MAC addresses will never
278 00:23:12,130 --> 00:23:17,370 However, because they are added to the running-config,
279 00:23:17,369 --> 00:23:22,119 the running-config to the startup-config to
280 00:23:24,730 --> 00:23:29,319 If you don’t do that, they will be lost
281 00:23:31,279 --> 00:23:36,619 When you issue the SWITCHPORT PORT-SECURITY
282 00:23:36,619 --> 00:23:40,849 secure MAC addresses will be converted to
283 00:23:40,849 --> 00:23:44,469 So, they will be added to the running config.
284 00:23:46,289 --> 00:23:50,559 If you remove sticky learning, sticky secure
285 00:23:52,500 --> 00:23:56,309 Okay, let’s check it out in the CLI.
286 00:23:56,309 --> 00:24:00,599 So, as always I enabled port-security first.
287 00:24:00,599 --> 00:24:07,939 Then I issued SWITCHPORT PORT-SECURITY MAC-ADDRESS
288 00:24:07,940 --> 00:24:15,090 I then checked the G0/1 interface in the running-config,
289 00:24:15,089 --> 00:24:19,379 SWITCHPORT PORT-SECURITY MAC-ADDRESS STICKY,
290 00:24:19,380 --> 00:24:24,630 I didn’t configure that command, it was
291 00:24:25,970 --> 00:24:32,100 So, sticky MAC addresses are basically a way
292 00:24:32,099 --> 00:24:34,149 without actually having to manually configure them
293 00:24:34,150 --> 00:24:41,710 Okay, before moving on to review and the quiz,
294 00:24:41,710 --> 00:24:46,950 Secure MAC addresses will be added to the
295 00:24:46,950 --> 00:24:52,360 Sticky and static secure MAC addresses will
296 00:24:52,359 --> 00:24:57,369 secure MAC addresses that aren’t sticky
297 00:24:57,369 --> 00:25:03,250 And you can view all secure MAC addresses
298 00:25:03,250 --> 00:25:07,950 I used the command, and here is PC1’s MAC
299 00:25:09,490 --> 00:25:13,490 Notice the type of static, even though I didn’t
300 00:25:16,029 --> 00:25:19,460 Here’s a summary of the commands we covered in this video.
301 00:25:21,180 --> 00:25:25,730 You’ll definitely want to experiment with
302 00:25:25,730 --> 00:25:29,730 Follow my packet tracer lab, and also try making your own.
303 00:25:29,730 --> 00:25:34,940 If you don’t remember any of these commands,
304 00:25:34,940 --> 00:25:38,799 Before moving on to the quiz, let’s review what we learned.
305 00:25:38,799 --> 00:25:42,690 First I gave an intro to port security, and
306 00:25:42,690 --> 00:25:48,039 Basically, it allows you to control what source
307 00:25:48,039 --> 00:25:50,379 are allowed to enter a switch interface.
308 00:25:50,380 --> 00:25:55,000 I also briefly explained why we should use port security.
309 00:25:55,000 --> 00:25:59,690 First of all, it allows us to prevent unauthorized
310 00:25:59,690 --> 00:26:04,410 And secondly, it helps defend against attacks
311 00:26:04,410 --> 00:26:09,880 in a previous video, in which thousands of
312 00:26:11,460 --> 00:26:16,700 Then, while explaining various aspects of
313 00:26:18,240 --> 00:26:22,470 Make sure to watch until the end of the quiz
314 00:26:22,470 --> 00:26:26,079 ExSim, my recommended practice exams for the CCNA.
315 00:26:26,079 --> 00:26:31,279 Okay, let’s go to quiz question 1.
316 00:26:31,279 --> 00:26:33,730 Examine the show command output below.
317 00:26:33,730 --> 00:26:37,059 How many secure MAC addresses were dynamically
318 00:26:37,059 --> 00:26:43,490 Pause the video now to examine the output
319 00:26:48,230 --> 00:26:53,200 So, according to the output 4 total MAC addresses
320 00:26:53,200 --> 00:26:56,830 1 was configured, that’s not dynamic.
321 00:26:56,829 --> 00:27:00,609 There are 3 sticky MAC addresses, what about them?
322 00:27:00,609 --> 00:27:04,799 Although sticky MAC addresses are inserted
323 00:27:04,799 --> 00:27:10,089 address, and their type in the MAC address
324 00:27:11,089 --> 00:27:16,359 So those 3 sticky MAC addresses were dynamically
325 00:27:20,299 --> 00:27:24,789 Which of the following occur when a port-security
326 00:27:24,789 --> 00:27:32,619 (select the two best answers) Okay, pause
327 00:27:32,619 --> 00:27:40,799 Okay, the best answers are B, unauthorized
328 00:27:42,500 --> 00:27:46,619 In addition, a syslog message and SNMP trap will be sent.
329 00:27:46,619 --> 00:27:51,929 However, an SNMP Get message, as in D, will not be sent.
330 00:27:51,930 --> 00:27:56,990 GET messages are sent from the SNMP manager
331 00:28:03,799 --> 00:28:08,960 What will SW1 do when an unauthorized frame arrives on G0/1?
332 00:28:08,960 --> 00:28:14,940 Pause the video now to examine the output
333 00:28:14,940 --> 00:28:21,900 Okay, the best answer is A, unauthorized traffic
334 00:28:21,900 --> 00:28:26,650 The violation mode is protect, which means
335 00:28:26,650 --> 00:28:30,580 However, the interface won’t be err-disabled.
336 00:28:30,579 --> 00:28:32,799 Authorized frames will still be forwarded.
337 00:28:32,799 --> 00:28:37,579 No syslog or SNMP messages will be sent, and
338 00:28:42,960 --> 00:28:47,500 Which of the following will re-enable an interface
339 00:28:49,900 --> 00:28:57,870 Okay, pause the video now to select the two best answers.
340 00:28:57,869 --> 00:29:04,529 The best answers are A, SHUTDOWN and NO SHUTDOWN
341 00:29:04,529 --> 00:29:08,329 CAUSE PSECURE-VIOLATION in global config mode.
342 00:29:08,329 --> 00:29:11,949 Either of these will work to re-enable the interface.
343 00:29:11,950 --> 00:29:17,750 C, unplugging the unauthorized device, is
344 00:29:19,390 --> 00:29:25,000 Note that you should unplug the unauthorized
345 00:29:25,000 --> 00:29:27,759 the device itself won’t re-enable the interface.
346 00:29:35,400 --> 00:29:40,650 What will happen when the switchport port-security
347 00:29:40,650 --> 00:29:46,280 Pause the video now to examine the output
348 00:29:46,279 --> 00:29:52,069 Okay, the answer is A, the command will be accepted.
349 00:29:52,069 --> 00:29:57,809 The administrative mode of G0/1 is static
350 00:29:57,809 --> 00:30:03,000 However, if it was the default administrative
351 00:30:04,670 --> 00:30:09,590 Port security can be configured on access
352 00:30:09,589 --> 00:30:13,539 configured with SWITCHPORT MODE ACCESS or SWITCHPORT MODE TRUNK.
353 00:30:13,539 --> 00:30:16,359 Okay, that’s all for the quiz.
354 00:30:16,359 --> 00:30:21,605 Now let’s take a look at a bonus question
355 00:33:00,640 --> 00:33:04,060 There are supplementary materials for this video.
356 00:33:04,059 --> 00:33:08,099 There is a flashcard deck to use with the software ‘Anki’.
357 00:33:08,099 --> 00:33:12,719 There will also be a packet tracer practice
358 00:33:12,720 --> 00:33:16,308 That will be in the next video.
359 00:33:16,308 --> 00:33:20,829 Before finishing today’s video I want to
360 00:33:20,829 --> 00:33:25,279 To join, please click the ‘Join’ button under the video.
361 00:33:25,279 --> 00:33:31,680 Thank you to Samil, C Mohd, Scott, Martin,
362 00:33:31,680 --> 00:33:38,360 Serge, Njoku, Viktor, Roger, Suki, Kenneth,
363 00:33:38,359 --> 00:33:44,479 Prakaash, Nasir, Erlison, Marko, Daming, Ed,
364 00:33:44,480 --> 00:33:47,069 Software, Devin, Yonatan, and Vance.
365 00:33:47,069 --> 00:33:52,439 Sorry if I pronounced your name incorrectly,
366 00:33:52,440 --> 00:33:58,620 This is the list of JCNP-level members at
367 00:33:59,619 --> 00:34:04,199 If you signed up recently and your name isn’t
368 00:34:08,289 --> 00:34:12,199 Please subscribe to the channel, like the
369 00:34:12,199 --> 00:34:15,529 with anyone else studying for the CCNA.
370 00:34:15,530 --> 00:34:18,380 If you want to leave a tip, check the links in the description.
371 00:34:18,380 --> 00:34:24,289 I'm also a Brave verified publisher and accept
