1
00:00:00,826 --> 00:00:05,366
>> Imagine with me for a moment that you're
making a recipe, and you're, you know, getting--
2
00:00:05,366 --> 00:00:08,496
assembling all the ingredients together for
this brand new recipe that you're creating,
3
00:00:08,496 --> 00:00:10,936
and you know, five cups
of sugar, two [laughs]--
4
00:00:10,936 --> 00:00:14,746
actually that's a lot of sugar,
two cups of flour, you know.
5
00:00:14,746 --> 00:00:19,646
And then at the very bottom of the
recipe it says contents of the black bag,
6
00:00:20,576 --> 00:00:22,216
and you go "Well, that's interesting."
7
00:00:22,216 --> 00:00:24,886
And then in parentheses that's
where it says, "Ask your grocer."
8
00:00:25,216 --> 00:00:28,316
So, you go to the grocery store and you're
like, "Hey, I've got this recipe asking
9
00:00:28,316 --> 00:00:31,246
for the black bag, and they
go, "Oh, we know what that is."
10
00:00:31,246 --> 00:00:36,016
And, they go to the back and they pull out this
black bag, no labels or anything like that,
11
00:00:36,206 --> 00:00:39,416
all there is, is a $2.53 price tag.
12
00:00:39,416 --> 00:00:42,466
And you go, "Okay, what's in here?"
13
00:00:42,466 --> 00:00:43,746
And the grocer's like "I don't know.
14
00:00:43,746 --> 00:00:47,386
Honestly a lot of people ask for this, it's
some recipe out there that needs a black bag."
15
00:00:47,386 --> 00:00:53,036
So, you get home and you open up the black
bag and inside is this orange greenish powder
16
00:00:53,706 --> 00:00:57,666
and you're like, "Aah" okay,
so let me ask you right there,
17
00:00:58,076 --> 00:01:01,746
would you feel comfortable pouring
the contents of that black bag
18
00:01:01,746 --> 00:01:05,926
into your recipe not only comfortable with
the five cups of sugar but also that black--
19
00:01:05,926 --> 00:01:08,616
you know, the orange-greenish
powder and kind of mixing up
20
00:01:08,616 --> 00:01:12,116
and making whatever it is that this recipe is?
21
00:01:12,576 --> 00:01:14,886
No, you wouldn't feel comfortable with that.
22
00:01:15,066 --> 00:01:18,966
You're going to be like, "I want
to know what's in that black bag.
23
00:01:18,966 --> 00:01:24,816
I mean for all you know it could be pesticide,
it could be strychnine poison immediate--
24
00:01:24,816 --> 00:01:26,616
I mean it could be something really good.
25
00:01:26,616 --> 00:01:31,886
I mean, the point is you don't know, and
that's the whole point of Port Security.
26
00:01:32,826 --> 00:01:39,766
One of the keys to a solid network is knowing
what kind of stuff is attaching to it.
27
00:01:40,146 --> 00:01:45,256
There's this whole new [inaudible] nowadays
and actually if you Google it, B-Y-O-D,
28
00:01:45,626 --> 00:01:50,046
Bring Your Own Device networks, which
is this big debate right now going
29
00:01:50,046 --> 00:01:54,676
on in the network community of like, now that
we have all of these kinds of devices, iPads,
30
00:01:54,716 --> 00:01:57,176
smartphones, everybody's got their own laptop.
31
00:01:57,176 --> 00:02:00,676
I want to use a Macintosh but my
corporation only supports Windows.
32
00:02:00,676 --> 00:02:02,626
I want to bring my own device.
33
00:02:02,626 --> 00:02:08,106
And, we're in this world now towards like
a B-Y-O-D device world where people expect
34
00:02:08,106 --> 00:02:10,366
that I can just bring whatever I
want and I plug it in my network.
35
00:02:10,366 --> 00:02:13,196
From your perspective it's black bags.
36
00:02:13,656 --> 00:02:18,316
It's people that are bringing-- I mean, inside
this is orange-green powder, is that bad?
37
00:02:18,606 --> 00:02:19,566
I hope not.
38
00:02:19,566 --> 00:02:23,656
But what if somebody brings their own
little black bag that is Strychnine.
39
00:02:23,656 --> 00:02:28,436
It's got a virus, it's got a Trojan, it's--
I mean, I would say at least it's infected
40
00:02:28,436 --> 00:02:33,566
with something that's running peer-to peer file
sharing and it's gobbling up all your bandwidth.
41
00:02:33,566 --> 00:02:37,436
In my opinion, Bring Your
Own Device is a bad idea.
42
00:02:37,436 --> 00:02:41,046
But, corporations are now
expecting it, you know,
43
00:02:41,046 --> 00:02:44,996
management is now approving it not
realizing exactly what they're approving.
44
00:02:44,996 --> 00:02:48,146
So, you're starting to see a lot
of security methods out that there
45
00:02:48,146 --> 00:02:55,246
that help you manage this B-Y-O-D, this kind of
management of the unmanaged world that exists,
46
00:02:55,246 --> 00:02:59,226
so that's what this nugget is
all about, is port security.
47
00:02:59,226 --> 00:03:04,076
How do you manage-- at least to
some level, what kind of devices
48
00:03:04,076 --> 00:03:06,566
or what devices are attaching to your network?
49
00:03:06,776 --> 00:03:08,456
That's what Port Security is all about.
50
00:03:08,946 --> 00:03:13,666
So, we've already stepped a little bit
into this slide by answering the question,
51
00:03:13,666 --> 00:03:15,956
why we care what plugs into our network?
52
00:03:16,546 --> 00:03:20,366
We care because there's just
messed up stuff out there.
53
00:03:20,506 --> 00:03:25,726
I mean, there's-- it's common for
laptops to come in and be infected.
54
00:03:25,726 --> 00:03:27,986
And a matter of fact, one of the businesses
55
00:03:27,986 --> 00:03:33,476
that I operate is a business called
school desk [phonetic] and its goal is
56
00:03:33,476 --> 00:03:36,716
to do a complete IT management
system for schools.
57
00:03:37,096 --> 00:03:43,816
Well, one of the schools that we manage had
a B-Y-O-D Day, essentially for the students.
58
00:03:43,816 --> 00:03:48,226
They said, "Okay, well, this week is"-- I think
it was like midterms or finals or something.
59
00:03:48,226 --> 00:03:51,956
So, we want all of our students-- they
didn't tell me this but they said,
60
00:03:51,956 --> 00:03:55,086
"We want all of our students to
bring in their laptops, their iPads
61
00:03:55,086 --> 00:03:59,426
or whatever device they feel comfortable
working on from home so that they can work
62
00:03:59,426 --> 00:04:03,506
from the classroom or from the
school on their own device.
63
00:04:03,616 --> 00:04:09,426
Well, come Monday morning "bam"
internet connection is just solid pegged,
64
00:04:09,626 --> 00:04:15,166
the school is calling me, going, "Hey, our
internet connection is down, what's the deal?"
65
00:04:15,306 --> 00:04:16,856
And I said, "I don't know, let me look."
66
00:04:16,856 --> 00:04:17,916
And, I'm starting-- I'm like.
67
00:04:18,086 --> 00:04:22,386
"Hey, there's-- I'm seeing all kinds of devices
that are going up and just trying to gobble
68
00:04:22,386 --> 00:04:25,376
up every single bit of bandwidth
that's available, what's going--
69
00:04:25,376 --> 00:04:28,526
and they go, "Oh, this is a
Bring Your Device to School Day."
70
00:04:28,736 --> 00:04:30,046
And I'm like, "What?"
71
00:04:30,046 --> 00:04:31,606
You know, I'm like, "What?
72
00:04:31,606 --> 00:04:33,976
Who authorized this?"
73
00:04:33,976 --> 00:04:39,636
And so, they-- well, can you find out who
is using all the bandwidth and block them?
74
00:04:39,636 --> 00:04:41,376
And I go, "I can try."
75
00:04:41,376 --> 00:04:45,466
So, sure enough you can-- in Cisco Firewalls,
you can actually identify top users.
76
00:04:45,836 --> 00:04:50,746
And, here's the funny thing, think of it
this way, I had a school that I managed
77
00:04:50,746 --> 00:04:56,396
to use their internet connection which is only
3 megabits per second, they got bonded T1 lines
78
00:04:56,396 --> 00:05:01,346
which feeds this whole school and
they've got all of these new laptops.
79
00:05:01,346 --> 00:05:05,016
So, literally here is me sitting on the--
no, not literally sitting on the Firewall,
80
00:05:05,016 --> 00:05:09,186
but logged into the Firewall and I see--
okay, this guy is eating all the bandwidth
81
00:05:09,186 --> 00:05:10,586
so I'm like, "Okay, block that guy."
82
00:05:10,896 --> 00:05:14,466
As soon as I blocked him, another
guy starts eating all the bandwidth.
83
00:05:14,466 --> 00:05:15,506
I'm like, "Oh, block him."
84
00:05:15,666 --> 00:05:19,166
And finally I called him, I said,
"I can't" I said every single--
85
00:05:19,166 --> 00:05:24,426
it's like, you know, one of those like
crazy sci-fi movies where, you know,
86
00:05:24,426 --> 00:05:28,106
you've got a guy with a sword sitting
there, and all these little lemmings are
87
00:05:28,106 --> 00:05:30,006
like [inaudible] they're running
like trying to beat them all--
88
00:05:30,006 --> 00:05:32,446
this is kind of a weird scenario,
but that's what I felt like.
89
00:05:32,446 --> 00:05:33,766
I'm like, "I can't get them all."
90
00:05:33,766 --> 00:05:35,176
I'm like they're all just running at me.
91
00:05:35,426 --> 00:05:39,436
I'm swinging like mad and I
can't knock them all down.
92
00:05:39,436 --> 00:05:40,776
And, the reason why?
93
00:05:41,096 --> 00:05:44,816
We brought in a whole-- we brought
in hundreds of student laptops.
94
00:05:44,816 --> 00:05:47,006
What do students do in their spare time?
95
00:05:47,306 --> 00:05:48,326
Steal stuff.
96
00:05:48,556 --> 00:05:50,156
[laughs] I'm being serious.
97
00:05:50,256 --> 00:05:55,576
They're on peer-to-peer networks
downloading illegal software, music, games,
98
00:05:55,576 --> 00:05:59,346
and when they do that they infect--
unknowingly they infect their device
99
00:05:59,346 --> 00:06:01,086
with all kinds of stuff.
100
00:06:01,086 --> 00:06:04,456
I mean, the kind of-- anyway, you get my point.
101
00:06:04,576 --> 00:06:06,576
Why do we care what plugs into my network?
102
00:06:06,856 --> 00:06:08,216
I think I've made the case.
103
00:06:08,216 --> 00:06:14,876
Because people bring in things that disrupt the
normal operation of every single day business
104
00:06:14,876 --> 00:06:17,886
at your organization, so that's--
again, that's why I go back
105
00:06:17,886 --> 00:06:22,156
to that Bring Your Own Device
model, is just-- it's crazy.
106
00:06:22,206 --> 00:06:25,316
There's ways that you can
manage it but it just gets ugly.
107
00:06:25,316 --> 00:06:31,276
So, Port Security, the topic-- I feel like
I'm soapboxing [phonetic], I'm getting done.
108
00:06:32,056 --> 00:06:37,726
Port Security allows you to restrict
connection to the LAN in two ways.
109
00:06:38,156 --> 00:06:42,476
One, by limiting the number
of MAC addresses per port.
110
00:06:43,216 --> 00:06:47,436
Two, by choosing what MAC
address is allowed on a port.
111
00:06:47,816 --> 00:06:51,926
So, for example, one of the things
that we don't want is somebody
112
00:06:51,926 --> 00:06:57,286
in their cubicle office whatever plugging
in for example a wireless access point
113
00:06:57,286 --> 00:07:00,716
that we don't know about, that is now
broadcasting our network out into the world
114
00:07:00,716 --> 00:07:05,906
and all these strange devices start connecting
and getting into our internal network and,
115
00:07:05,906 --> 00:07:07,996
you know, that's not good for security at all.
116
00:07:07,996 --> 00:07:14,396
So, what I can do is I can say, "Well, I'm only
going to allow one MAC address on that port.
117
00:07:14,396 --> 00:07:18,486
If there's any more than one MAC address that
shows up there, like somebody plugged in this
118
00:07:18,486 --> 00:07:22,636
and all these devices are starting to come in,
disable the port, you know, block the port,
119
00:07:22,636 --> 00:07:26,426
don't allow it to happen, or you know, somebody
tries to build their own little network,
120
00:07:26,426 --> 00:07:30,996
they plug in a little hub or switch
from home that, you know, people--
121
00:07:30,996 --> 00:07:34,046
well, they mean to be harmless
can sometimes do a lot of damage.
122
00:07:34,186 --> 00:07:36,656
I mean, what is that device
that they just plugged in?
123
00:07:36,656 --> 00:07:42,216
They think it's a hub or a switch but
maybe it's one of those, you know,
124
00:07:42,216 --> 00:07:46,576
D-Link all in one router switch
devices that are out there.
125
00:07:46,576 --> 00:07:50,506
And, the problem with that is they
just brought in a rogue DHCP server,
126
00:07:50,676 --> 00:07:54,976
not even knowing that that's what they brought
in so it's handing bad IP addresses to the rest
127
00:07:54,976 --> 00:07:58,526
of my network, and all my clients are starting
to get those IP addresses and fall off
128
00:07:58,526 --> 00:08:00,536
because it's on a different subnet
[phonetic] it's on a different--
129
00:08:00,536 --> 00:08:03,596
it's totally different network than
my own, that would be another example.
130
00:08:03,596 --> 00:08:07,766
So, doing-- setting a-- this
is-- I would say a no-brainer.
131
00:08:08,926 --> 00:08:13,446
Almost every company should limit how
many devices are allowed per port.
132
00:08:13,906 --> 00:08:17,666
This one is a little more high maintenance.
133
00:08:17,666 --> 00:08:22,406
For instance I talked to somebody that worked
at the Phoenix Police Department here in Arizona
134
00:08:22,876 --> 00:08:28,526
and they used this to where-- literally they
say, "This PC is plugged into that port,
135
00:08:28,526 --> 00:08:34,366
its MAC address is 0011.bb, you
know, 11.111, something like that,
136
00:08:34,546 --> 00:08:39,726
to where if somebody disconnects that
computer and plugs in any other kind of device
137
00:08:40,396 --> 00:08:44,236
that has a different MAC address, and they all
will, it will immediately shut down that port.
138
00:08:44,556 --> 00:08:47,896
A little higher maintenance because, you
know, for instance moving people around,
139
00:08:47,986 --> 00:08:50,326
connecting devices on a whim goes away.
140
00:08:50,616 --> 00:08:53,686
But, for high level security
that's something that you can do.
141
00:08:54,966 --> 00:09:00,456
Our ports can react and shut
down, protect or restrict modes.
142
00:09:00,806 --> 00:09:04,046
Shutdown does exactly what it says it does.
143
00:09:04,046 --> 00:09:08,636
As soon as you violate the policy, be it
the number of MAC addresses on the port,
144
00:09:08,636 --> 00:09:12,326
maybe you have two that come in
here, it will shut down the port.
145
00:09:12,326 --> 00:09:16,856
And actually it doesn't-- you know, we've talked
about shutdown, right, administratively down.
146
00:09:16,926 --> 00:09:24,706
It doesn't do that, it puts it into a state
known as error-disable, which is deceiving
147
00:09:25,166 --> 00:09:29,276
because you'll be doing show commands
and it will look like the port is up
148
00:09:29,806 --> 00:09:33,216
or just down like a cable is
unplugged, but really it's disabled.
149
00:09:33,216 --> 00:09:36,806
So you have to do some special show
commands to see ports that are error-disabled.
150
00:09:37,446 --> 00:09:41,586
Now, protect and restrict are
kind of the kinder, gentler ways.
151
00:09:41,756 --> 00:09:43,516
By the way the default is shutdown.
152
00:09:43,896 --> 00:09:47,766
The good thing about shutdown
is you know about it.
153
00:09:47,766 --> 00:09:52,086
I mean, as soon as somebody disables the
port they now have to call in to tech support
154
00:09:52,086 --> 00:09:56,966
and say "Hey, I-- yeah, sorry, I
plugged in what I didn't know."
155
00:09:56,966 --> 00:10:00,246
You know, now-- okay, well,
thanks for letting me know,
156
00:10:00,536 --> 00:10:02,836
I'll power that port back
on, so you know about it.
157
00:10:03,056 --> 00:10:07,226
But, it also-- I mean, shutdown can be
somebody-- taking down your network when,
158
00:10:07,256 --> 00:10:10,256
you know, somebody comes in
into the office and they plugged
159
00:10:10,256 --> 00:10:12,276
in a laptop that's not supposed to be there.
160
00:10:12,566 --> 00:10:15,996
What it looks like from their perspective is
they'll see the network call active [phonetic]
161
00:10:16,256 --> 00:10:18,046
and then disable itself.
162
00:10:18,046 --> 00:10:23,476
You know, in Windows-- Windows is where
you see-- let me drag you down here.
163
00:10:24,796 --> 00:10:30,796
This guy to where you can actually see I'm
connected to, you know, such and such network
164
00:10:30,796 --> 00:10:34,236
and if you're not connected, if
you've seen that before it goes red
165
00:10:34,236 --> 00:10:36,736
and it disables itself, that's what they see.
166
00:10:36,736 --> 00:10:38,276
They see it go active like this.
167
00:10:38,276 --> 00:10:40,246
It's like, "Hey, I'm online", and then
all of a sudden it goes back to red.
168
00:10:40,536 --> 00:10:45,416
So, not knowing exactly what they're
doing-- oh no, how do I get my screen back?
169
00:10:46,306 --> 00:10:47,846
[laughs] Oh, there you go, hang on.
170
00:10:47,976 --> 00:10:48,596
There we go.
171
00:10:48,666 --> 00:10:52,596
Not knowing what they're doing,
they can start roaming around.
172
00:10:52,596 --> 00:10:53,816
They're like, "Oh, let's try this one.
173
00:10:53,816 --> 00:10:54,896
No? That one doesn't work either.
174
00:10:54,896 --> 00:10:56,096
Oh, let's try this one."
175
00:10:56,156 --> 00:10:56,716
What are they doing?
176
00:10:56,716 --> 00:10:59,206
They're shutting down your network, one
port at a time, you know, it's like,
177
00:10:59,206 --> 00:11:00,836
"Go tackle them, stop them from doing that."
178
00:11:00,836 --> 00:11:03,816
So, protect and restrict are kinder or gentler
179
00:11:03,816 --> 00:11:07,566
because what they do is just
ignore the violating MAC Address.
180
00:11:07,566 --> 00:11:12,216
So, for instance if they plugged in a wireless
access point, all these devices will join,
181
00:11:12,306 --> 00:11:14,236
you know, and the ports--
the port is still working
182
00:11:14,236 --> 00:11:19,706
but it only allows whatever one MAC
address has been learned on that port
183
00:11:19,706 --> 00:11:21,626
which is probably the MAC
address of the access point.
184
00:11:21,816 --> 00:11:27,876
It only allows that one to work, like this
just don't work, or, you know, if I plug--
185
00:11:27,876 --> 00:11:32,346
if I restrict it and say only that MAC address
is allowed and I plugged in another device,
186
00:11:32,346 --> 00:11:35,996
it won't shut the port down, it just won't work.
187
00:11:36,186 --> 00:11:39,096
Now, difference-- you might say,
why do they have different modes?
188
00:11:39,366 --> 00:11:45,866
The difference between protect and restrict,
protect will ignore the offending devices,
189
00:11:45,866 --> 00:11:50,906
it just won't work, and you'll
never know about it, actually good.
190
00:11:50,906 --> 00:11:52,996
So, it's doing its job but
it's not going to tell you.
191
00:11:53,326 --> 00:11:57,286
Restrict will actually generate a
syslog message and say, "Hey, hey,
192
00:11:57,506 --> 00:11:59,776
there's a violation on that port, FYI.
193
00:11:59,776 --> 00:12:04,516
And they'll actually put this little ticker that
shows violating counts, they will say one, two--
194
00:12:04,516 --> 00:12:07,536
so you'll actually know, you know,
when somebody calls and like "Hey,
195
00:12:07,716 --> 00:12:09,606
my whatever device doesn't work."
196
00:12:09,846 --> 00:12:11,226
you can go in and be like, "Oh, well, that's"--
197
00:12:11,356 --> 00:12:14,096
'cause you're plugging it into a port
that you're not supposed to plug it into,
198
00:12:14,096 --> 00:12:17,526
you'll actually see the log messages ticking up.
199
00:12:18,786 --> 00:12:23,166
Okay, let me clear off all the chicken scratch
and now let's get going with the configuration.
200
00:12:23,406 --> 00:12:26,986
So, I'm going to bring up
the connection to our switch,
201
00:12:26,986 --> 00:12:29,086
we got CBT switch, we'll
get into privilege mode.
202
00:12:29,726 --> 00:12:34,156
And, I'm going to get into global
config-- actually before I do that,
203
00:12:34,156 --> 00:12:38,746
let's do a Show IP Interface Brief
so we're able to see what we've got.
204
00:12:38,936 --> 00:12:42,106
Okay, I've got one port, this
is my computer that I've plugged
205
00:12:42,106 --> 00:12:47,476
in FastEthernet0/14 which
is currently status of up.
206
00:12:47,476 --> 00:12:50,676
Now, these other ones, you can see we've got
down, down, that means nothing is plugged
207
00:12:50,676 --> 00:12:52,586
in there and then administratively down,
208
00:12:52,586 --> 00:12:55,946
which means that it is shutdown,
we did that in the last nugget.
209
00:12:55,946 --> 00:13:02,126
So, when you go into global config mode and
let's get into interface FastEthernet0/14,
210
00:13:04,096 --> 00:13:07,946
and now we're going to-- well, first
off let me hit the number 1 thing,
211
00:13:07,946 --> 00:13:10,076
and this is going to take a little explanation.
212
00:13:10,616 --> 00:13:16,666
Before we can do anything we have to convert
this port into what's called an access port.
213
00:13:17,006 --> 00:13:20,496
Now, this is a special kind of
port and it's difficult to describe
214
00:13:20,496 --> 00:13:22,716
because we haven't truly talked about VLANs yet.
215
00:13:22,716 --> 00:13:26,516
We've covered kind of the concept of them
but not really talked about them because--
216
00:13:26,676 --> 00:13:29,556
and we'll find out when we get
there that between two switches,
217
00:13:29,816 --> 00:13:33,446
Cisco has a special kind of
port that they call a Trunk.
218
00:13:33,896 --> 00:13:40,096
And a Trunk says, "I am going between switches,
I send all the VLANs between these switches--
219
00:13:40,096 --> 00:13:42,246
and again, when we'll get to
VLANs, we'll talk about that.
220
00:13:42,466 --> 00:13:45,446
Well, Trunks are not valid for port security.
221
00:13:45,446 --> 00:13:48,436
It won't let you because you're not
supposed to do security between switches
222
00:13:48,436 --> 00:13:51,596
like how many MAC address-- I mean,
those are considered trusted links,
223
00:13:51,596 --> 00:13:53,856
port security just doesn't work on a Trunk.
224
00:13:54,186 --> 00:13:56,926
What we want is we want an access port.
225
00:13:57,316 --> 00:14:00,876
Now, access ports are-- think
of those as your normal ports.
226
00:14:01,216 --> 00:14:06,416
Those are the ones that are connected to
printers and servers and routers and computers
227
00:14:06,416 --> 00:14:08,416
and all of the normal stuff we expect to find.
228
00:14:08,686 --> 00:14:14,566
Access, meaning it accesses one VLAN,
that's the big key and it's expected
229
00:14:14,566 --> 00:14:16,876
that one device will be attached.
230
00:14:16,876 --> 00:14:20,316
Now, that's not a rule, that's
just kind of gut expectation.
231
00:14:20,566 --> 00:14:25,226
Now, the default mode on Cisco
switches is horrific, I can say that.
232
00:14:25,226 --> 00:14:27,106
It is absolutely horrific.
233
00:14:27,106 --> 00:14:32,196
I'm going to explain more when we get
to VLANs, but it is considered dynamic.
234
00:14:33,436 --> 00:14:38,256
And, what that means is this port-- every port,
out of the box-- in fact let me show it to you.
235
00:14:38,796 --> 00:14:41,516
We'll go back here, let's do a show run.
236
00:14:42,356 --> 00:14:46,066
And you can see that as I scroll
into the-- hey look there's our--
237
00:14:46,066 --> 00:14:50,946
these are our encryption keys that we
generated for SSH in the last nugget.
238
00:14:50,946 --> 00:14:55,026
So, I look at all my ports and all of them,
this is out of the box, have the modes,
239
00:14:55,026 --> 00:14:57,726
switchport mode, dynamic, desirable.
240
00:14:58,046 --> 00:15:04,536
What that means is dynamic, I will change
between an access port or a trunk port depending
241
00:15:04,536 --> 00:15:10,126
on what plugs in, I'll detect and I'll try
and figure it out, but I really desire
242
00:15:10,126 --> 00:15:12,166
to be a Trunk, that's what the desire is.
243
00:15:12,166 --> 00:15:14,826
So, I'm going to try and be a Trunk
but if the other side is like "No,
244
00:15:14,826 --> 00:15:17,846
I'm not a trunk" they'll say, "Okay,
fine we'll be an access port."
245
00:15:18,016 --> 00:15:20,776
That's terrific because of
security, that means somebody--
246
00:15:20,776 --> 00:15:25,286
if you leave your ports on dynamic somebody
can bring in another switch and really mess
247
00:15:25,286 --> 00:15:33,476
up your VLANs and we don't want that, again more
on that in the VLAN Nuggets but for now in order
248
00:15:33,476 --> 00:15:37,996
to enable port security we need to make
sure that we are set up as access ports.
249
00:15:37,996 --> 00:15:46,086
Well, I'll even prove it to you, I'll go
into-- let's say I'm in the port right now
250
00:15:46,086 --> 00:15:50,256
and I'll show you the command, this is how you
turn on Port Security I'll type in switchport,
251
00:15:50,596 --> 00:15:54,836
then the command is port security,
I hit enter it's like, rejected.
252
00:15:54,836 --> 00:15:58,146
This interface is a dynamic port, you
know, it's saying it could be a Trunk
253
00:15:58,146 --> 00:16:01,776
and you can't do Port Security on Trunk
so I'm not going to let you do this.
254
00:16:01,806 --> 00:16:07,736
So, the very first command we
type in is switchport mode access,
255
00:16:08,896 --> 00:16:13,416
which says I am an access port, I am only going
to access end devices, I'm not really designed
256
00:16:13,416 --> 00:16:17,556
to be plugged in to another switch or
anything like that, so I am an access port.
257
00:16:17,586 --> 00:16:22,296
Now, we can get into the command I was
showing you switchport port-security.
258
00:16:22,296 --> 00:16:24,056
Now, what the-- the command I just typed
259
00:16:24,056 --> 00:16:26,886
in where I type switchport
port-security turns it on.
260
00:16:27,726 --> 00:16:30,536
Think of that as your activation
button and it's--
261
00:16:30,606 --> 00:16:34,196
I would say probably the number one
forgotten command when they're--
262
00:16:34,196 --> 00:16:36,546
people are configuring this 'cause
you can configure it all day,
263
00:16:36,546 --> 00:16:41,056
you can say okay maximum is this, this is
what happens if somebody violates the policy.
264
00:16:41,206 --> 00:16:44,596
I mean, there's all kinds of things you
can do with it but it won't actually work
265
00:16:44,596 --> 00:16:46,796
until you just type in switchport port-security
266
00:16:46,796 --> 00:16:49,526
and hit the enter key but
we want to do that last.
267
00:16:49,696 --> 00:16:52,666
We want to get-- and this goes for
most things, we want to get all
268
00:16:52,666 --> 00:16:57,016
of our settings the way that we want them then
turn on the feature, we don't want to, you know,
269
00:16:57,016 --> 00:17:01,186
be changing things with it on 'cause
it gives you unpredictable results.
270
00:17:01,546 --> 00:17:04,556
So, it's not-- let me provide that.
271
00:17:04,556 --> 00:17:07,736
I'm not saying we're going to blow
something up like switch is dead or--
272
00:17:07,736 --> 00:17:10,036
I mean, it is nothing like that but it's just--
273
00:17:10,036 --> 00:17:13,616
you'll be doing configurations and you'll be
like, "Oh sorry that's invalid you can't."
274
00:17:13,616 --> 00:17:14,726
And you're like, "Why can't I do that?"
275
00:17:14,726 --> 00:17:19,796
It might just because-- because it's active
and online, you know, something may have come
276
00:17:19,796 --> 00:17:21,556
in there that kind of goofs up your config.
277
00:17:21,556 --> 00:17:24,976
So, it's best to do the subcommands
before we turn this on.
278
00:17:24,976 --> 00:17:29,226
So, first off, let me show you that the
one that I would suggest every network do
279
00:17:29,226 --> 00:17:35,906
and that is switchport port-security maximum and
whatever the maximum number of address is this,
280
00:17:35,906 --> 00:17:40,846
hopefully you're not going that high,
5,120, maximum number of addresses.
281
00:17:40,846 --> 00:17:42,946
So, between 1 and 5,120.
282
00:17:42,946 --> 00:17:50,086
So, this says, I will allow this many
MAC addresses at a time on the port.
283
00:17:50,336 --> 00:17:54,286
So, if I were to come in here and type
in maximum 1 and hit the enter key what
284
00:17:54,286 --> 00:17:58,216
that says is one device at a time can plug in.
285
00:17:58,786 --> 00:18:02,836
Now, it's not-- it's not saying only
this device, that's the second form
286
00:18:02,836 --> 00:18:04,886
where it's saying what MAC address is on the port?
287
00:18:04,886 --> 00:18:06,076
It was just saying only one device.
288
00:18:06,076 --> 00:18:08,116
So, I can switch devices all day long.
289
00:18:08,116 --> 00:18:10,496
As long as there's only one I'm okay.
290
00:18:10,756 --> 00:18:14,206
And, for most people 1 is a good thing to do.
291
00:18:14,206 --> 00:18:19,606
Now, there are some environments, especially
with voice over IP where you'll have IP phones
292
00:18:19,606 --> 00:18:23,136
that is, phones that plug into the
network that are connected to the switch
293
00:18:23,136 --> 00:18:27,916
and then we can daisy chain a computer from
that, saves a ton on cabling cost to do
294
00:18:27,916 --> 00:18:32,876
that because in the back of the phone is an
incoming switchport and an outgoing switchport,
295
00:18:32,876 --> 00:18:35,726
so I can take the cable plugged in there, and
then plug it right there in the computer.
296
00:18:35,916 --> 00:18:42,526
Now, for those kinds of devices or environments
we will have two MAC addresses on a port
297
00:18:42,526 --> 00:18:45,896
so we could do a maximum of two and do that.
298
00:18:45,896 --> 00:18:48,386
So-- and the commands overwrite each other.
299
00:18:48,386 --> 00:18:51,706
So, when I type in 2 it automatically
overwrites the 1 and vice versa.
300
00:18:51,706 --> 00:18:54,856
I'm going to keep it at 1 because
I want to show you what happens
301
00:18:54,856 --> 00:18:57,496
if I blow this up, if I violate the policy.
302
00:18:57,916 --> 00:18:59,166
So, that's the first piece.
303
00:18:59,166 --> 00:19:04,486
Now, I'm going to do switchport
port-security, next piece is the violation.
304
00:19:05,236 --> 00:19:09,386
Violation is what will it do
if you violate the policy.
305
00:19:09,386 --> 00:19:13,856
What will it do if you exceed
the maximum of one MAC address?
306
00:19:14,136 --> 00:19:18,156
And we have shutdown which is the
default, which means it will error disable,
307
00:19:18,156 --> 00:19:23,986
the port will no longer work until we as an
administrator get involved and re-enable it.
308
00:19:24,276 --> 00:19:29,376
We've got protect and we've got
restrict and I described those.
309
00:19:29,376 --> 00:19:30,896
So, we can type in whatever we want.
310
00:19:30,896 --> 00:19:35,086
I'm going to keep it-- now it's the default
but I'll just type it in [inaudible].
311
00:19:35,086 --> 00:19:38,746
Switchport port-security violation
shutdown, so that's now in there as well.
312
00:19:40,286 --> 00:19:43,966
From there we typed in-- if we
want this is if we want to go
313
00:19:43,966 --> 00:19:48,966
to the next level switchport
port-security and we have the MAC address.
314
00:19:49,386 --> 00:19:54,346
If I want to go to this kind of level, or I
say, what MAC address is allowed on a port?
315
00:19:54,346 --> 00:19:59,976
I can type in MAC address and literally
type in the MAC address that I want to use.
316
00:20:00,046 --> 00:20:06,496
So, a couple ways to get that, one, I can
go to a command prompt and do an ipconfig.
317
00:20:06,496 --> 00:20:10,326
Now, you can see ipconfig gives you a
kind of the overview, it's the summary.
318
00:20:10,326 --> 00:20:13,126
Here's my first network card,
here's my next network card.
319
00:20:13,446 --> 00:20:17,446
But it doesn't give me too much so
I'm going to do an ipconfig/all.
320
00:20:18,536 --> 00:20:23,366
And I can look up here at
the top and I'm connected
321
00:20:23,366 --> 00:20:25,936
to the switch using my Apple USB adaptor.
322
00:20:26,206 --> 00:20:29,166
And, right below it is the physical address.
323
00:20:29,166 --> 00:20:32,896
You see B8-8D-12-52, that's my MAC address.
324
00:20:32,896 --> 00:20:35,756
Now, Microsoft writes it
differently than Cisco does.
325
00:20:35,756 --> 00:20:38,696
Cisco does three sets of four digits each.
326
00:20:38,696 --> 00:20:41,616
So, you know, if I were to translate
that I would say, okay B88--
327
00:20:41,616 --> 00:20:51,186
wait, let me just move this up there, b88d.125--
I would have to kind of translate this flavor
328
00:20:51,186 --> 00:20:54,846
into the flavor that Cisco
likes and that's fine.
329
00:20:54,846 --> 00:20:56,316
So we can type in that.
330
00:20:56,316 --> 00:20:58,106
And here's another way that we can do it.
331
00:20:58,106 --> 00:21:02,026
I could do a show mac address-table.
332
00:21:02,026 --> 00:21:06,676
Just let me put my pen down
in the table, there you go,
333
00:21:06,676 --> 00:21:09,706
which will show me all the MAC
addresses that this switch knows about.
334
00:21:09,706 --> 00:21:13,816
Now, you can see it from there that the
switch has a bunch of MAC addresses.
335
00:21:13,816 --> 00:21:16,116
Initially it's like "Wow, what are all those?"
336
00:21:16,376 --> 00:21:18,846
Well, these belong to the switch itself.
337
00:21:18,846 --> 00:21:23,766
My switch, my Cisco 3550, when it communicates
will use one of these MAC addresses.
338
00:21:23,766 --> 00:21:25,126
It has a lot that it's able to use.
339
00:21:25,126 --> 00:21:30,166
I know this because it says it's a static
MAC address, like I can't change it,
340
00:21:30,166 --> 00:21:36,146
it's statically in there, and it's used by the
CPU port whereas you can see at the very bottom,
341
00:21:36,466 --> 00:21:41,246
at the bottom I see this MAC address
which happens if you look up here, B8-8D.
342
00:21:41,246 --> 00:21:43,006
See that? See that right here between the two?
343
00:21:43,176 --> 00:21:44,196
It's the same MAC address.
344
00:21:44,196 --> 00:21:46,906
It's learned that dynamically on this port.
345
00:21:47,096 --> 00:21:49,896
It's just, that's how the--
that's what this switch does,
346
00:21:49,896 --> 00:21:52,196
it's to learn about those kinds of things.
347
00:21:52,196 --> 00:21:53,566
So, I can take it from there.
348
00:21:53,566 --> 00:21:54,526
That makes it a lot easier.
349
00:21:54,666 --> 00:21:58,636
I can just copy and paste it, you know,
so that way I save the mistype [phonetic].
350
00:21:58,636 --> 00:22:03,906
So I can do that, you know, switchport,
port-security, MAC address and then bam,
351
00:22:03,906 --> 00:22:05,406
paste it in there and I'm good to go.
352
00:22:05,406 --> 00:22:06,656
That would be another way of doing it.
353
00:22:07,136 --> 00:22:12,216
Let me show you yet one more and you're gonna
love this one, switchport, port-security,
354
00:22:12,476 --> 00:22:17,506
MAC address, sticky, sticky, sticky, sticky.
355
00:22:17,586 --> 00:22:22,986
Sticky allows you to take
what is currently there
356
00:22:22,986 --> 00:22:26,206
and make it the permanent MAC
address that's on that port.
357
00:22:26,976 --> 00:22:27,756
Let me show you what I mean.
358
00:22:28,106 --> 00:22:31,876
As soon as I type in sticky,
the switch says "Okay,
359
00:22:32,516 --> 00:22:36,246
I will now make whatever MAC
address is currently on the port,
360
00:22:36,406 --> 00:22:40,566
the only one that is allowed
to use that port" or in this--
361
00:22:40,566 --> 00:22:43,576
this really integrates with
this command right here.
362
00:22:43,766 --> 00:22:46,086
Let's say I do a maximum of five, right?
363
00:22:46,326 --> 00:22:48,126
And then I say mac-address sticky.
364
00:22:48,336 --> 00:22:53,106
What it's going to do is learn the first
five MAC addresses that come in that port
365
00:22:53,386 --> 00:22:55,906
and then those will be the
only five MAC addresses
366
00:22:55,906 --> 00:22:58,476
that are allowed to use that port forevermore.
367
00:22:59,656 --> 00:23:00,376
Pretty cool, huh?
368
00:23:00,376 --> 00:23:03,186
So, it's-- you can think of
it like a calculated risk.
369
00:23:03,536 --> 00:23:06,646
You're saying, "Okay, whatever
is there right now is good."
370
00:23:07,066 --> 00:23:11,946
So as long as the devices that you think
are there are really there you're good.
371
00:23:12,156 --> 00:23:16,206
But if somebody maybe has a-- you know, somebody
brought in their laptop from home and plugged it
372
00:23:16,206 --> 00:23:18,016
in for today then sticky is going to make
373
00:23:18,016 --> 00:23:20,516
that laptop the only MAC
address allowed on that port.
374
00:23:20,516 --> 00:23:24,526
But I would say, compare that
to manually typing MAC addresses
375
00:23:24,526 --> 00:23:29,916
and you probably have a much better chance of--
much less of a chance for error by using sticky
376
00:23:30,196 --> 00:23:32,256
than you do manually typing
it in 'cause a mistype
377
00:23:32,256 --> 00:23:34,526
of a MAC address causes the
port to shut down too, right?
378
00:23:35,146 --> 00:23:35,916
So, let's go back.
379
00:23:35,916 --> 00:23:39,786
I want to show you-- let's do a
show, run and I'm going to zoom
380
00:23:39,786 --> 00:23:43,336
in on the interface FastEthernet0/14.
381
00:23:43,336 --> 00:23:49,646
So, so far, you can see right here, switchport,
port-security, mac-address sticky is there.
382
00:23:50,606 --> 00:23:52,066
No, wait a second.
383
00:23:52,666 --> 00:23:53,366
Wait a second.
384
00:23:53,366 --> 00:23:58,126
Didn't I type in a maximum, maximum one?
385
00:23:58,566 --> 00:24:00,346
Yeah, it's right there, it's right there.
386
00:24:00,346 --> 00:24:01,416
I typed it, didn't I?
387
00:24:01,896 --> 00:24:06,316
Now, wait, whoa, whoa, wait a
second, didn't I type in switchport,
388
00:24:06,316 --> 00:24:08,306
port-security violation shutdown?
389
00:24:08,306 --> 00:24:10,036
Yeah, it's right there.
390
00:24:10,356 --> 00:24:13,256
Now, how come those aren't
showing up in the running config?
391
00:24:13,956 --> 00:24:17,276
The reason why is those are default commands.
392
00:24:17,426 --> 00:24:25,526
Meaning, if I turned on port-security by default
it's only going to allow one MAC address.
393
00:24:25,786 --> 00:24:28,906
By default, the violation mode is shutdown.
394
00:24:29,166 --> 00:24:32,996
So, default commands don't
show up in the running config.
395
00:24:32,996 --> 00:24:35,856
A matter of fact, do you
see shutdown under there?
396
00:24:37,046 --> 00:24:40,696
No. Or-- I should say do
you see no shutdown under there?
397
00:24:40,876 --> 00:24:47,036
No. And now I could type in shutdown
and go back and see, you know,
398
00:24:47,036 --> 00:24:50,936
this interface is now shutdown and I
just cut off my computer's connection
399
00:24:50,936 --> 00:24:55,336
so it's now turned off so I see that
in there, but when I do a no shutdown,
400
00:24:56,156 --> 00:24:59,816
I don't see the shutdown command
anymore because no shutdown,
401
00:24:59,816 --> 00:25:03,086
meaning the port being active
is considered a default.
402
00:25:03,086 --> 00:25:05,276
So you're going to see that a lot
of times, don't worry about it.
403
00:25:05,476 --> 00:25:08,566
If you type a command and you're like,
"Hey, it's not in the running config."
404
00:25:08,816 --> 00:25:12,476
Of course make sure you type the
command, but at the same time a lot
405
00:25:12,476 --> 00:25:15,386
of the default commands just don't show up.
406
00:25:15,656 --> 00:25:18,986
So, the last thing I have to--
you know, you might say, "Well,
407
00:25:19,206 --> 00:25:21,516
I expected it to learn your MAC
address or something", right?
408
00:25:21,516 --> 00:25:22,426
Isn't that what it does?
409
00:25:22,556 --> 00:25:24,876
But we haven't turned port-security on yet.
410
00:25:25,116 --> 00:25:27,706
Let's do that, I'm going to
do switchport, port-security
411
00:25:27,706 --> 00:25:30,776
and hit the enter key, and now we're enabled.
412
00:25:30,836 --> 00:25:33,006
Now, we'll start learning MAC addresses.
413
00:25:33,006 --> 00:25:35,586
So, I'm going to-- I'm just
going to generate some traffic
414
00:25:35,826 --> 00:25:38,536
to make sure that it does get my MAC address.
415
00:25:38,536 --> 00:25:39,926
So let's do a quick ping.
416
00:25:41,116 --> 00:25:42,936
There we go.
417
00:25:43,016 --> 00:25:44,756
Okay, so we've got some traffic going through.
418
00:25:44,756 --> 00:25:49,636
Now I'm going to go back and do a show run
fast-- Oh, look at fast [inaudible] 014,
419
00:25:49,636 --> 00:25:53,436
look at what's done, we've got port security
which is now on, it's not the default
420
00:25:53,436 --> 00:25:55,786
so it shows up, mac-address sticky is enabled
421
00:25:55,786 --> 00:25:59,166
and all of a sudden we've got this sticky
address that has shown up in the list.
422
00:25:59,376 --> 00:26:04,486
That will be the only address, because I have
a maximum of one that is in there, because--
423
00:26:04,486 --> 00:26:08,156
and that's going to be now the
only address that is allowed.
424
00:26:08,466 --> 00:26:12,056
Now, the thing that I have to make
sure of is when I use sticky addresses
425
00:26:12,096 --> 00:26:16,396
like this it's actually making
them sticky in the running config.
426
00:26:16,866 --> 00:26:21,786
So, in order for this to say okay, now that
will be permanently the only one for all time,
427
00:26:21,786 --> 00:26:24,106
all eternity until you erase
this switch and start over.
428
00:26:24,416 --> 00:26:27,816
The only MAC address that's allowed in
there, you want to save your config.
429
00:26:28,006 --> 00:26:30,606
Remember how to do that?
430
00:26:30,606 --> 00:26:33,786
Official Cisco method, copy run start.
431
00:26:34,356 --> 00:26:38,156
I hit enter, and now we've saved our config.
432
00:26:38,156 --> 00:26:41,016
Now, that sticky MAC address
is committed, that's going
433
00:26:41,016 --> 00:26:43,136
to be the only one allowed on that port.
434
00:26:43,596 --> 00:26:46,766
Okay, let's do a little verification now.
435
00:26:47,186 --> 00:26:51,636
I'm going to sit on the switch
and do a show port security
436
00:26:51,636 --> 00:26:53,836
and you can see here I don't
really have too many options,
437
00:26:53,836 --> 00:26:57,896
I have interact you just press the enter key,
and it gives me kind of a big picture summary.
438
00:26:57,946 --> 00:27:03,356
It's saying, "Okay, the only secure port
that we have is that one, maximum address",
439
00:27:03,356 --> 00:27:08,206
remember I said it was the default is
one, current address is one and there--
440
00:27:08,206 --> 00:27:12,326
up till today there have been no
security violations, you know.
441
00:27:12,326 --> 00:27:17,246
So at this time no-- nothing is violated,
but if somebody does violate it we will shut
442
00:27:17,246 --> 00:27:19,976
down that port, so we can get a
little more detailed information,
443
00:27:19,976 --> 00:27:24,556
I can type in show port-security address and
this will actually show me the MAC address
444
00:27:24,556 --> 00:27:28,376
that is allowed in the port, and say okay,
I've got this address on the security port,
445
00:27:28,606 --> 00:27:31,186
it is a type of secure sticky, okay?
446
00:27:31,186 --> 00:27:34,316
I can go once that-- for this
probably the most detailed you'll get.
447
00:27:34,496 --> 00:27:40,636
I'll say interface FastEthernet0/14 and
I'll say, okay, port security is enabled,
448
00:27:40,946 --> 00:27:44,446
the status is it is secure and
it's up, it's up and running.
449
00:27:44,806 --> 00:27:46,596
Violation mode it will shut me down.
450
00:27:46,706 --> 00:27:49,286
Aging time meaning it will never remove sticky.
451
00:27:49,286 --> 00:27:55,476
You can actually turn on aging that says, "Okay,
after we've been idle for, you know, nine hours
452
00:27:55,476 --> 00:27:59,476
or two days or whatever, go ahead and
remove the sticky addresses out of this."
453
00:27:59,476 --> 00:28:03,886
That's kind of handy when for instance you are
doing an office move and you say, "Okay, well,
454
00:28:04,196 --> 00:28:06,856
you know, I want to kind of age
out all these sticky addresses
455
00:28:06,856 --> 00:28:08,966
over the weekend-- excuse me over the weekend.
456
00:28:09,186 --> 00:28:11,966
Now, I have to go in and do a no
sticky address, no sticky address."
457
00:28:11,966 --> 00:28:13,596
So you-- you can do that.
458
00:28:13,596 --> 00:28:15,536
So, right now I'm not aging them out.
459
00:28:15,536 --> 00:28:20,086
We've got the maximum MAC address is one, total
MAC address once configured, I haven't typed in,
460
00:28:20,086 --> 00:28:21,896
but I do have sticky MAC addresses.
461
00:28:21,896 --> 00:28:24,796
So, this is if you manually
type it, this is a bit sticky.
462
00:28:25,116 --> 00:28:28,956
And then it says the last MAC address
to access this port is this one,
463
00:28:29,336 --> 00:28:31,436
but no security has been violated.
464
00:28:31,436 --> 00:28:35,856
So, you can kind of read that through in a plain
English as you're looking at each one of those.
465
00:28:36,076 --> 00:28:38,436
But I know you're sitting there like
come on Jeremy [phonetic],
466
00:28:38,666 --> 00:28:41,386
cause a violation, show me what it does.
467
00:28:41,506 --> 00:28:45,696
Okay. So, what we're going to
do is I'm going to unplug--
468
00:28:45,696 --> 00:28:49,106
I actually have two network
cards on my computer.
469
00:28:49,106 --> 00:28:56,266
I'm going to unplug my Apple USB adapter and I'm
going to plug in, well, this may cause problems.
470
00:28:56,446 --> 00:28:59,466
I just disconnected my-- I guess you
opt [phonetic] my production link,
471
00:28:59,796 --> 00:29:01,776
the one that allows me to
connect to the internet.
472
00:29:01,776 --> 00:29:04,676
So, I've unplugged one and plugged in another.
473
00:29:04,676 --> 00:29:08,426
So, let's see if we can cause
some kind of violation.
474
00:29:09,046 --> 00:29:12,296
So, I'm going to go here, let's do an ipconfig.
475
00:29:13,726 --> 00:29:15,686
Oh, hey [inaudible] didn't take it long.
476
00:29:15,686 --> 00:29:19,946
It didn't really have to do too much
but-- so you can see LAN2 is unplugged.
477
00:29:20,206 --> 00:29:21,246
I plugged LAN1 in.
478
00:29:21,246 --> 00:29:25,296
And, as soon as LAN1 came up it
essentially went back to media disconnected.
479
00:29:25,296 --> 00:29:26,966
Let's look at the messages it says.
480
00:29:27,296 --> 00:29:32,386
It says, error disabled, port secure violation
error detected on this, this is now being put
481
00:29:32,386 --> 00:29:36,376
in error disable state, we are
terminated, security violation occurred.
482
00:29:36,376 --> 00:29:39,556
Don't you feel like, you know, you're in
some kind of like government environment?
483
00:29:39,776 --> 00:29:42,006
Violation occurred caused by
MAC address such and such.
484
00:29:42,006 --> 00:29:44,906
It's saying this MAC address
is not allowed on that port,
485
00:29:44,906 --> 00:29:48,386
on port FastEthernet0/14,
state is changed to down.
486
00:29:48,386 --> 00:29:53,216
So now if I were to do the same command
we can see that the status has changed
487
00:29:53,216 --> 00:29:55,606
to secure-shutdown, like we have violated.
488
00:29:55,816 --> 00:29:58,976
And the cool thing is it actually captured
the last MAC address to cause this.
489
00:29:59,106 --> 00:30:03,346
So if I'm in a production environment I'm
like, "All right, who's that MAC address?"
490
00:30:03,426 --> 00:30:06,436
That's where your work really begins,
right, 'cause you got to find out where
491
00:30:06,436 --> 00:30:10,716
in the environment is that MAC address,
but the port security has happened.
492
00:30:10,716 --> 00:30:12,146
Now, here's the tough thing.
493
00:30:13,346 --> 00:30:17,636
If I'm looking at show ip interface
brief or show interface or anything
494
00:30:17,636 --> 00:30:20,006
like that it looks like it's just down.
495
00:30:20,006 --> 00:30:22,026
It doesn't actually go administratively down.
496
00:30:22,026 --> 00:30:25,806
So it can be deceitful because I'm
looking, I'm like, okay, it's down,
497
00:30:25,806 --> 00:30:27,266
it looks like nothing is plugged in.
498
00:30:27,496 --> 00:30:30,256
It doesn't actually show me like
violation or anything like that.
499
00:30:30,256 --> 00:30:35,296
You have to be under here or I can
do a show interface FastEthernet0/14,
500
00:30:35,516 --> 00:30:37,876
which really gives me the nitty-gritty of it.
501
00:30:37,876 --> 00:30:41,276
And we can see it's actually down,
line protocol down, but look at this.
502
00:30:41,276 --> 00:30:42,216
This is the giveaway.
503
00:30:42,756 --> 00:30:46,846
When you see that in parentheses afterward
you're like, ah, okay, so it's something else,
504
00:30:46,846 --> 00:30:48,976
it's been error disabled, like
something else is shutting down.
505
00:30:48,976 --> 00:30:51,526
Now, the only-- I'm going
to switch my cables back.
506
00:30:52,446 --> 00:30:58,866
So, I'm moving back to my little
Apple USB network adapter.
507
00:30:58,866 --> 00:31:02,896
So, the right one, the one that's allowed
there, blood rushing into my head,
508
00:31:02,896 --> 00:31:04,646
I'm upside down, all right, there we go.
509
00:31:04,646 --> 00:31:07,926
Plug the originals back in
the way they should go.
510
00:31:07,926 --> 00:31:09,356
But it's not going to come back up.
511
00:31:09,806 --> 00:31:14,206
It is going to stay down until I,
because I use shutdown mode until I
512
00:31:14,206 --> 00:31:16,436
as an administrator come in and revise it.
513
00:31:16,436 --> 00:31:24,696
Now, the way to get a port out of error
disable is to go under that port, shut it down.
514
00:31:25,486 --> 00:31:26,776
Oh, we have to spell it right.
515
00:31:27,316 --> 00:31:29,356
Shut it down and then turn it back on again.
516
00:31:29,726 --> 00:31:32,436
So, shutdown clears the error disable.
517
00:31:32,896 --> 00:31:39,116
No shutdown brings the port back online, okay?
518
00:31:39,356 --> 00:31:43,336
So now that I have the right MAC
address in the place I can do a show,
519
00:31:43,676 --> 00:31:48,526
port security interface FastEthernet 0/14,
and now we can see okay, we're good again.
520
00:31:48,526 --> 00:31:54,626
We've got the-- we're back up, we're back in
action, and, you know, we're chugging along.
521
00:31:56,126 --> 00:31:58,776
And one thing I do-- I want to show you,
I paused it [phonetic] and I was like oh,
522
00:31:58,776 --> 00:31:59,796
yeah, wait I want to show you this.
523
00:31:59,996 --> 00:32:05,396
You might be going, well, wait a sec, why is
that zero, security violation count is zero?
524
00:32:05,396 --> 00:32:07,056
Didn't we violate the policy?
525
00:32:07,246 --> 00:32:12,086
Well, anytime you shut the interface down
and then back up, that will zero itself out.
526
00:32:12,086 --> 00:32:13,956
It's very much-- since the
interface has been shut
527
00:32:13,956 --> 00:32:16,476
down we've had this many security violations.
528
00:32:16,476 --> 00:32:23,496
Now you notice, right back [inaudible]
scroll back up a little bit, right back here.
529
00:32:24,036 --> 00:32:24,586
Can I do that?
530
00:32:24,586 --> 00:32:25,866
Oh, right there, right?
531
00:32:25,866 --> 00:32:29,066
Yeah, right here when we first
caused the violation when I did
532
00:32:29,066 --> 00:32:32,036
that command it showed the
security violation as one.
533
00:32:32,256 --> 00:32:35,776
Now, if you're using the shutdown mode you
probably will never see it go beyond one,
534
00:32:36,096 --> 00:32:40,166
because shutdown shuts the port down and
you go in and reset it and come back in.
535
00:32:40,166 --> 00:32:45,556
However, if you're using the other methods
of violation modes, the protect or restrict,
536
00:32:45,796 --> 00:32:49,376
that one just ignores it when it happens, but
that's where you'll see this thing ticker count
537
00:32:49,376 --> 00:32:51,486
up to where it's like, "Oh,
we had another violation,
538
00:32:51,486 --> 00:32:52,886
another MAC address, another [inaudible]."
539
00:32:52,886 --> 00:32:58,226
So that one will tick up over time with the other
two, but stay at one with the shutdown mode
540
00:32:58,226 --> 00:33:02,636
because it clears every single time you
turn the interface off and back on, okay.
541
00:33:02,936 --> 00:33:06,856
So what we have seen here-- isn't
that-- I think that's pretty unique.
542
00:33:06,906 --> 00:33:12,296
What we have seen here is how to at least
initially secure our switch environment
543
00:33:12,836 --> 00:33:15,346
to make sure that the people
that are there belong there,
544
00:33:15,346 --> 00:33:17,166
without getting on my whole soap box again
545
00:33:17,166 --> 00:33:20,526
on controlling the devices
that plugged into our network.
546
00:33:20,526 --> 00:33:24,646
This makes sure that we have the
ability to have that control.
547
00:33:24,956 --> 00:33:29,316
To where we have the ability to, you
know, say what MAC addresses are allowed,
548
00:33:29,316 --> 00:33:31,126
to say how many MAC addresses are allowed.
549
00:33:31,126 --> 00:33:32,096
Now, is it foolproof?
550
00:33:32,686 --> 00:33:36,736
No, security is like an onion, you
have layers that you work through.
551
00:33:37,106 --> 00:33:39,206
But people can change their MAC addresses.
552
00:33:39,396 --> 00:33:42,216
You can go into the network properties
in Windows and say, "You know,
553
00:33:42,216 --> 00:33:45,956
if you know this is going on and you know
what MAC address is allowed on the port?"
554
00:33:45,956 --> 00:33:48,676
Now obviously you're probably
malicious if you're doing that,
555
00:33:48,916 --> 00:33:51,036
and/or you really know what's going on.
556
00:33:51,036 --> 00:33:53,966
You kind of know the inner
workings of the network.
557
00:33:53,966 --> 00:33:58,186
You can go in and hard-code your
MAC address on a rogue device
558
00:33:58,216 --> 00:33:59,966
to match the one that's allowed on the port.
559
00:34:00,496 --> 00:34:03,306
But to do that I mean you really--
I mean that's a malicious person,
560
00:34:03,306 --> 00:34:07,766
that's why we design our network in
terms of layers of security instead
561
00:34:07,766 --> 00:34:09,766
of just one method to rule them all.
562
00:34:10,006 --> 00:34:13,126
So, for now in this nugget
we have seen port security.
563
00:34:13,126 --> 00:34:14,446
What it is and what it's all about.
564
00:34:14,446 --> 00:34:19,316
We've gone through the configuration to
limit the devices allowed on a port as well
565
00:34:19,316 --> 00:34:24,396
as limit the ports to specific where you
can type them in, and sticky MAC addresses.
566
00:34:24,656 --> 00:34:27,496
I hope this has been informative for you
and I'd like to thank you for viewing.