All language subtitles for 14 - Switching - Managing Port Security-eng

Imagine with me for a moment that you're making a recipe, and you're, you know, getting-- assembling all the ingredients together for this brand new recipe that you're creating, and you know, five cups of sugar, two [laughs]-- actually that's a lot of sugar, two cups of flour, you know. And then at the very bottom of the recipe it says contents of the black bag, and you go, "Well, that's interesting." And then in parentheses that's where it says, "Ask your grocer." So, you go to the grocery store and you're like, "Hey, I've got this recipe asking for the black bag," and they go, "Oh, we know what that is." And they go to the back and they pull out this black bag, no labels or anything like that, all there is, is a $2.53 price tag. And you go, "Okay, what's in here?" And the grocer's like, "I don't know. Honestly a lot of people ask for this, it's some recipe out there that needs a black bag."
So, you get home and you open up the black bag and inside is this orange-greenish powder and you're like, "Aah," okay, so let me ask you right there, would you feel comfortable pouring the contents of that black bag into your recipe, not only comfortable with the five cups of sugar but also that black-- you know, the orange-greenish powder, and kind of mixing it up and making whatever it is that this recipe is? No, you wouldn't feel comfortable with that. You're going to be like, "I want to know what's in that black bag." I mean, for all you know it could be pesticide, it could be strychnine poison, immediate-- I mean, it could be something really good. I mean, the point is you don't know, and that's the whole point of port security.

One of the keys to a solid network is knowing what kind of stuff is attaching to it. There's this whole new [inaudible] nowadays and actually if you Google it, B-Y-O-D, Bring Your Own Device networks, which is a big debate right now going on in the network community of like, now that we have all of these kinds of devices, iPads, smartphones, everybody's got their own laptop. I want to use a Macintosh but my corporation only supports Windows. I want to bring my own device.
And we're in this world now towards like a B-Y-O-D device world where people expect that I can just bring whatever I want and I plug it into my network. From your perspective it's black bags. It's people that are bringing-- I mean, inside this is orange-green powder, is that bad? I hope not. But what if somebody brings their own little black bag that is strychnine? It's got a virus, it's got a Trojan, it's-- I mean, I would say at least it's infected with something that's running peer-to-peer file sharing and it's gobbling up all your bandwidth. In my opinion, Bring Your Own Device is a bad idea. But corporations are now expecting it, you know, management is now approving it not realizing exactly what they're approving. So, you're starting to see a lot of security methods out there that help you manage this B-Y-O-D, this kind of management of the unmanaged world that exists, so that's what this nugget is all about, is port security. How do you manage-- at least to some level, what kind of devices or what devices are attaching to your network? That's what port security is all about.

So, we've already stepped a little bit into this slide by answering the question, why do we care what plugs into our network? We care because there's just messed up stuff out there.
I mean, there's-- it's common for laptops to come in and be infected. As a matter of fact, one of the businesses that I operate is a business called school desk [phonetic] and its goal is to do a complete IT management system for schools. Well, one of the schools that we manage had a B-Y-O-D Day, essentially, for the students. They said, "Okay, well, this week is"-- I think it was like midterms or finals or something. So, we want all of our students-- they didn't tell me this but they said, "We want all of our students to bring in their laptops, their iPads or whatever device they feel comfortable working on from home so that they can work from the classroom or from the school on their own device." Well, come Monday morning, "bam," the internet connection is just solid pegged, the school is calling me, going, "Hey, our internet connection is down, what's the deal?" And I said, "I don't know, let me look." And I'm starting-- I'm like, "Hey, there's-- I'm seeing all kinds of devices that are going up and just trying to gobble up every single bit of bandwidth that's available, what's going--" and they go, "Oh, this is a Bring Your Device to School Day." And I'm like, "What?" You know, I'm like, "What? Who authorized this?"
And so, they-- "Well, can you find out who is using all the bandwidth and block them?" And I go, "I can try." So, sure enough you can-- in Cisco firewalls, you can actually identify top users. And here's the funny thing, think of it this way, I had a school that I managed to use their internet connection which is only 3 megabits per second, they got bonded T1 lines which feed this whole school and they've got all of these new laptops. So, literally here is me sitting on the-- no, not literally sitting on the firewall, but logged into the firewall and I see-- okay, this guy is eating all the bandwidth so I'm like, "Okay, block that guy." As soon as I blocked him, another guy starts eating all the bandwidth. I'm like, "Oh, block him." And finally I called them, I said, "I can't," I said every single-- it's like, you know, one of those like crazy sci-fi movies where, you know, you've got a guy with a sword sitting there, and all these little lemmings are like [inaudible] they're running like trying to beat them all-- this is kind of a weird scenario, but that's what I felt like. I'm like, "I can't get them all." I'm like they're all just running at me. I'm swinging like mad and I can't knock them all down. And the reason why?
We brought in a whole-- we brought in hundreds of student laptops. What do students do in their spare time? Steal stuff. [laughs] I'm being serious. They're on peer-to-peer networks downloading illegal software, music, games, and when they do that they infect-- unknowingly they infect their device with all kinds of stuff. I mean, the kind of-- anyway, you get my point. Why do we care what plugs into my network? I think I've made the case. Because people bring in things that disrupt the normal operation of every single day business at your organization, so that's-- again, that's why I go back to that Bring Your Own Device model, is just-- it's crazy. There's ways that you can manage it but it just gets ugly.

So, port security, the topic-- I feel like I'm [on a] soapbox, I'm getting done. Port security allows you to restrict connection to the LAN in two ways. One, by limiting the number of MAC addresses per port. Two, by choosing what MAC address is allowed on a port.
So, for example, one of the things that we don't want is somebody in their cubicle, office, whatever, plugging in for example a wireless access point that we don't know about, that is now broadcasting our network out into the world and all these strange devices start connecting and getting into our internal network and, you know, that's not good for security at all. So, what I can do is I can say, "Well, I'm only going to allow one MAC address on that port. If there's any more than one MAC address that shows up there, like somebody plugged in this and all these devices are starting to come in, disable the port, you know, block the port, don't allow it to happen." Or, you know, somebody tries to build their own little network, they plug in a little hub or switch from home that, you know, people-- well, they mean to be harmless but can sometimes do a lot of damage. I mean, what is that device that they just plugged in? They think it's a hub or a switch but maybe it's one of those, you know, D-Link all-in-one router/switch devices that are out there.
And the problem with that is they just brought in a rogue DHCP server, not even knowing that that's what they brought in, so it's handing bad IP addresses to the rest of my network, and all my clients are starting to get those IP addresses and fall off because it's on a different subnet, it's on a different-- it's a totally different network than my own, that would be another example. So, doing-- setting a-- this is-- I would say a no-brainer. Almost every company should limit how many devices are allowed per port.

This one is a little more high maintenance. For instance, I talked to somebody that worked at the Phoenix Police Department here in Arizona and they used this to where-- literally they say, "This PC is plugged into that port, its MAC address is 0011.bb, you know, 11.111, something like that," to where if somebody disconnects that computer and plugs in any other kind of device that has a different MAC address, and they all will, it will immediately shut down that port. A little higher maintenance because, you know, for instance moving people around, connecting devices on a whim goes away. But for high-level security that's something that you can do.

Our ports can react in shutdown, protect or restrict modes. Shutdown does exactly what it says it does.
As soon as you violate the policy, be it the number of MAC addresses on the port, maybe you have two that come in here, it will shut down the port. And actually it doesn't-- you know, we've talked about shutdown, right, administratively down. It doesn't do that, it puts it into a state known as error-disable, which is deceiving because you'll be doing show commands and it will look like the port is up or just down like a cable is unplugged, but really it's disabled. So you have to do some special show commands to see ports that are error-disabled. Now, protect and restrict are kind of the kinder, gentler ways. By the way, the default is shutdown. The good thing about shutdown is you know about it. I mean, as soon as somebody disables the port they now have to call in to tech support and say, "Hey, I-- yeah, sorry, I plugged in what I didn't know." You know, now-- "Okay, well, thanks for letting me know, I'll power that port back on," so you know about it. But it also-- I mean, shutdown can be somebody-- taking down your network when, you know, somebody comes into the office and they plug in a laptop that's not supposed to be there. What it looks like from their perspective is they'll see the network go active [phonetic] and then disable itself.
You know, in Windows-- Windows is where you see-- let me drag you down here. This guy to where you can actually see I'm connected to, you know, such and such network, and if you're not connected, if you've seen that before, it goes red and it disables itself, that's what they see. They see it go active like this. It's like, "Hey, I'm online," and then all of a sudden it goes back to red. So, not knowing exactly what they're doing-- oh no, how do I get my screen back? [laughs] Oh, there you go, hang on. There we go. Not knowing what they're doing, they can start roaming around. They're like, "Oh, let's try this one. No? That one doesn't work either. Oh, let's try this one." What are they doing? They're shutting down your network, one port at a time, you know, it's like, "Go tackle them, stop them from doing that."

So, protect and restrict are kinder or gentler because what they do is just ignore the violating MAC address. So, for instance, if they plugged in a wireless access point, all these devices will join, you know, and the ports-- the port is still working but it only allows whatever one MAC address has been learned on that port, which is probably the MAC address of the access point.
It only allows that one to work, like this just don't work, or, you know, if I plug-- if I restrict it and say only that MAC address is allowed and I plugged in another device, it won't shut the port down, it just won't work. Now, the difference-- you might say, why do they have different modes? The difference between protect and restrict: protect will ignore the offending devices, it just won't work, and you'll never know about it, actually good. So, it's doing its job but it's not going to tell you. Restrict will actually generate a syslog message and say, "Hey, hey, there's a violation on that port, FYI." And they'll actually put this little ticker that shows violation counts, they will say one, two-- so you'll actually know, you know, when somebody calls and is like, "Hey, my whatever device doesn't work," you can go in and be like, "Oh, well, that's"-- 'cause you're plugging it into a port that you're not supposed to plug it into, you'll actually see the log messages ticking up.

Okay, let me clear off all the chicken scratch and now let's get going with the configuration. So, I'm going to bring up the connection to our switch, we got CBT switch, we'll get into privileged mode.
And I'm going to get into global config-- actually, before I do that, let's do a show ip interface brief so we're able to see what we've got. Okay, I've got one port, this is my computer that I've plugged in, FastEthernet0/14, which is currently a status of up. Now, these other ones, you can see we've got down, down, that means nothing is plugged in there, and then administratively down, which means that it is shutdown, we did that in the last nugget. So, when you go into global config mode and let's get into interface FastEthernet0/14, and now we're going to-- well, first off let me hit the number 1 thing, and this is going to take a little explanation. Before we can do anything we have to convert this port into what's called an access port. Now, this is a special kind of port and it's difficult to describe because we haven't truly talked about VLANs yet. We've covered kind of the concept of them but not really talked about them because-- and we'll find out when we get there that between two switches, Cisco has a special kind of port that they call a trunk. And a trunk says, "I am going between switches, I send all the VLANs between these switches"-- and again, when we get to VLANs, we'll talk about that. Well, trunks are not valid for port security.
It won't let you because you're not supposed to do security between switches like how many MAC addresses-- I mean, those are considered trusted links, so port security just doesn't work on a trunk. What we want is we want an access port. Now, access ports are-- think of those as your normal ports. Those are the ones that are connected to printers and servers and routers and computers and all of the normal stuff we expect to find. Access, meaning it accesses one VLAN, that's the big key, and it's expected that one device will be attached. Now, that's not a rule, that's just kind of a gut expectation.

Now, the default mode on Cisco switches is horrific, I can say that. It is absolutely horrific. I'm going to explain more when we get to VLANs, but it is considered dynamic. And what that means is this port-- every port, out of the box-- in fact, let me show it to you. We'll go back here, let's do a show run. And you can see that as I scroll into the-- hey, look, there's our-- this is our encryption keys that we generated for SSH in the last nugget. So, I look at all my ports and all of them, this is out of the box, have the mode switchport mode dynamic desirable.
What that means is dynamic: I will change between an access port or a trunk port depending on what plugs in, I'll detect and I'll try and figure it out, but I really desire to be a trunk, that's what the desire is. So, I'm going to try and be a trunk but if the other side is like, "No, I'm not a trunk," they'll say, "Okay, fine, we'll be an access port." That's terrific because of security, that means somebody-- if you leave your ports on dynamic somebody can bring in another switch and really mess up your VLANs and we don't want that, again more on that in the VLAN nuggets, but for now, in order to enable port security we need to make sure that we are set up as access ports. Well, I'll even prove it to you, I'll go into-- let's say I'm in the port right now and I'll show you the command, this is how you turn on port security, I'll type in switchport, then the command is port-security, I hit enter, it's like, rejected. This interface is a dynamic port, you know, it's saying it could be a trunk and you can't do port security on a trunk so I'm not going to let you do this. So, the very first command we type in is switchport mode access, which says I am an access port, I am only going to access end devices, I'm not really designed to be plugged into another switch or anything like that, so I am an access port.
Now, we can get into the command I was showing you, switchport port-security. Now, what the-- the command I just typed in where I type switchport port-security turns it on. Think of that as your activation button and it's-- I would say probably the number one forgotten command when they're-- people are configuring this, 'cause you can configure it all day, you can say okay, maximum is this, this is what happens if somebody violates the policy. I mean, there's all kinds of things you can do with it but it won't actually work until you just type in switchport port-security and hit the enter key, but we want to do that last. We want to get-- and this goes for most things, we want to get all of our settings the way that we want them, then turn on the feature, we don't want to, you know, be changing things with it on 'cause it gives you unpredictable results. So, it's not-- let me qualify that. I'm not saying we're going to blow something up like the switch is dead or-- I mean, it is nothing like that but it's just-- you'll be doing configurations and you'll be like, "Oh, sorry, that's invalid, you can't." And you're like, "Why can't I do that?" It might just be because-- because it's active and online, you know, something may have come in there that kind of gooses up your config.
So, it's best to do the subcommands before we turn this on. So, first off, let me show you the one that I would suggest every network do, and that is switchport port-security maximum and whatever the maximum number of addresses is, hopefully you're not going that high, 5,120 maximum number of addresses. So, between 1 and 5,120. So, this says, I will allow this many MAC addresses at a time on the port. So, if I were to come in here and type in maximum 1 and hit the enter key, what that says is one device at a time can plug in. Now, it's not-- it's not saying only this device, that's the second form where it's saying what MAC address is on the port. It was just saying only one device. So, I can switch devices all day long. As long as there's only one I'm okay. And for most people 1 is a good thing to do.

Now, there are some environments, especially with voice over IP, where you'll have IP phones, that is, phones that plug into the network that are connected to the switch, and then we can daisy-chain a computer from that, saves a ton on cabling cost to do that because in the back of the phone is an incoming switchport and an outgoing switchport, so I can take the cable plugged in there, and then plug it right there in the computer.
Now, for those kinds of devices or environments we will have two MAC addresses on a port so we could do a maximum of two and do that. So-- and the commands overwrite each other. So, when I type in 2 it automatically overwrites the 1 and vice versa. I'm going to keep it at 1 because I want to show you what happens if I blow this up, if I violate the policy. So, that's the first piece.

Now, I'm going to do switchport port-security, next piece is the violation. Violation is what will it do if you violate the policy. What will it do if you exceed the maximum of one MAC address? And we have shutdown, which is the default, which means it will error-disable, the port will no longer work until we as an administrator get involved and re-enable it. We've got protect and we've got restrict and I described those. So, we can type in whatever we want. I'm going to keep it-- now it's the default but I'll just type it in [inaudible]. switchport port-security violation shutdown, so that's now in there as well.

From there we typed in-- if we want, this is if we want to go to the next level, switchport port-security and we have the mac-address. If I want to go to this kind of level, where I say what MAC address is allowed on a port, I can type in mac-address and literally type in the MAC address that I want to use.
316 00:20:00,046 --> 00:20:06,496 So, a couple of ways to get that. One, I can go to a command prompt and do an ipconfig.
317 00:20:06,496 --> 00:20:10,326 Now, you can see ipconfig gives you kind of the overview, it's the summary.
318 00:20:10,326 --> 00:20:13,126 Here's my first network card, here's my next network card.
319 00:20:13,446 --> 00:20:17,446 But it doesn't give me too much, so I'm going to do an ipconfig /all.
320 00:20:18,536 --> 00:20:23,366 And I can look up here at the top and I'm connected
321 00:20:23,366 --> 00:20:25,936 to the switch using my Apple USB adapter.
322 00:20:26,206 --> 00:20:29,166 And, right below it is the physical address.
323 00:20:29,166 --> 00:20:32,896 You see B8-8D-12-52, that's my MAC address.
324 00:20:32,896 --> 00:20:35,756 Now, Microsoft writes it differently than Cisco does.
325 00:20:35,756 --> 00:20:38,696 Cisco does three sets of four digits each.
326 00:20:38,696 --> 00:20:41,616 So, you know, if I were to translate that I would say, okay, B88--
327 00:20:41,616 --> 00:20:51,186 wait, let me just move this up there, b88d.125-- I would have to kind of translate this flavor
328 00:20:51,186 --> 00:20:54,846 into the flavor that Cisco likes, and that's fine.
329 00:20:54,846 --> 00:20:56,316 So we can type in that.
330 00:20:56,316 --> 00:20:58,106 And here's another way that we can do it.
331 00:20:58,106 --> 00:21:02,026 I could do a show mac address-table.
332 00:21:02,026 --> 00:21:06,676 Just let me put my pen down in the table, there you go,
333 00:21:06,676 --> 00:21:09,706 which will show me all the MAC addresses that this switch knows about.
334 00:21:09,706 --> 00:21:13,816 Now, you can see from there that the switch has a bunch of MAC addresses.
335 00:21:13,816 --> 00:21:16,116 Initially it's like "Wow, what are all those?"
336 00:21:16,376 --> 00:21:18,846 Well, these belong to the switch itself.
337 00:21:18,846 --> 00:21:23,766 My switch, my Cisco 3550, when it communicates will use one of these MAC addresses.
338 00:21:23,766 --> 00:21:25,126 It has a lot that it's able to use.
339 00:21:25,126 --> 00:21:30,166 I know this because it says it's a static MAC address, like I can't change it,
340 00:21:30,166 --> 00:21:36,146 it's statically in there, and it's used by the CPU port, whereas you can see at the very bottom,
341 00:21:36,466 --> 00:21:41,246 at the bottom I see this MAC address which happens to be, if you look up here, B8-8D.
342 00:21:41,246 --> 00:21:43,006 See that? See that right here between the two?
343 00:21:43,176 --> 00:21:44,196 It's the same MAC address.
344 00:21:44,196 --> 00:21:46,906 It's learned that dynamically on this port.
345 00:21:47,096 --> 00:21:49,896 It's just, that's how the-- that's what this switch does,
346 00:21:49,896 --> 00:21:52,196 it's to learn about those kinds of things.
347 00:21:52,196 --> 00:21:53,566 So, I can take it from there.
348 00:21:53,566 --> 00:21:54,526 That makes it a lot easier.
349 00:21:54,666 --> 00:21:58,636 I can just copy and paste it, you know, so that way I save the mistype [phonetic].
350 00:21:58,636 --> 00:22:03,906 So I can do that, you know, switchport port-security mac-address and then bam,
351 00:22:03,906 --> 00:22:05,406 paste it in there and I'm good to go.
352 00:22:05,406 --> 00:22:06,656 That would be another way of doing it.
353 00:22:07,136 --> 00:22:12,216 Let me show you yet one more and you're going to love this one, switchport port-security
354 00:22:12,476 --> 00:22:17,506 mac-address sticky, sticky, sticky, sticky.
355 00:22:17,586 --> 00:22:22,986 Sticky allows you to take what is currently there
356 00:22:22,986 --> 00:22:26,206 and make it the permanent MAC address that's on that port.
357 00:22:26,976 --> 00:22:27,756 Let me show you what I mean.
358 00:22:28,106 --> 00:22:31,876 As soon as I type in sticky, the switch says "Okay,
359 00:22:32,516 --> 00:22:36,246 I will now make whatever MAC address is currently on the port
360 00:22:36,406 --> 00:22:40,566 the only one that is allowed to use that port" or in this--
361 00:22:40,566 --> 00:22:43,576 this really integrates with this command right here.
362 00:22:43,766 --> 00:22:46,086 Let's say I do a maximum of five, right?
363 00:22:46,326 --> 00:22:48,126 And then I say mac-address sticky.
364 00:22:48,336 --> 00:22:53,106 What it's going to do is learn the first five MAC addresses that come in that port
365 00:22:53,386 --> 00:22:55,906 and then those will be the only five MAC addresses
366 00:22:55,906 --> 00:22:58,476 that are allowed to use that port forevermore.
367 00:22:59,656 --> 00:23:00,376 Pretty cool, huh?
368 00:23:00,376 --> 00:23:03,186 So, it's-- you can think of it like a calculated risk.
369 00:23:03,536 --> 00:23:06,646 You're saying, "Okay, whatever is there right now is good."
370 00:23:07,066 --> 00:23:11,946 So as long as the devices that you think are there are really there, you're good.
371 00:23:12,156 --> 00:23:16,206 But if somebody maybe has a-- you know, somebody brought in their laptop from home and plugged it
372 00:23:16,206 --> 00:23:18,016 in for today, then sticky is going to make
373 00:23:18,016 --> 00:23:20,516 that laptop the only MAC address allowed on that port.
374 00:23:20,516 --> 00:23:24,526 But I would say, compare that to manually typing MAC addresses
375 00:23:24,526 --> 00:23:29,916 and you probably have a much better chance of-- much less of a chance for error by using sticky
376 00:23:30,196 --> 00:23:32,256 than you do manually typing it in, 'cause a mistype
377 00:23:32,256 --> 00:23:34,526 of a MAC address causes the port to shut down too, right?
378 00:23:35,146 --> 00:23:35,916 So, let's go back.
379 00:23:35,916 --> 00:23:39,786 I want to show you-- let's do a show run and I'm going to zoom
380 00:23:39,786 --> 00:23:43,336 in on the interface FastEthernet0/14.
381 00:23:43,336 --> 00:23:49,646 So, so far, you can see right here, switchport port-security mac-address sticky is there.
382 00:23:50,606 --> 00:23:52,066 No, wait a second.
383 00:23:52,666 --> 00:23:53,366 Wait a second.
384 00:23:53,366 --> 00:23:58,126 Didn't I type in a maximum, maximum one?
385 00:23:58,566 --> 00:24:00,346 Yeah, it's right there, it's right there.
386 00:24:00,346 --> 00:24:01,416 I typed it, didn't I?
387 00:24:01,896 --> 00:24:06,316 Now, wait, whoa, whoa, wait a second, didn't I type in switchport
388 00:24:06,316 --> 00:24:08,306 port-security violation shutdown?
389 00:24:08,306 --> 00:24:10,036 Yeah, it's right there.
390 00:24:10,356 --> 00:24:13,256 Now, how come those aren't showing up in the running config?
391 00:24:13,956 --> 00:24:17,276 The reason why is those are default commands.
392 00:24:17,426 --> 00:24:25,526 Meaning, if I turn on port-security, by default it's only going to allow one MAC address.
393 00:24:25,786 --> 00:24:28,906 By default, the violation mode is shutdown.
394 00:24:29,166 --> 00:24:32,996 So, default commands don't show up in the running config.
395 00:24:32,996 --> 00:24:35,856 As a matter of fact, do you see shutdown under there?
396 00:24:37,046 --> 00:24:40,696 No. Or-- I should say, do you see no shutdown under there?
397 00:24:40,876 --> 00:24:47,036 No. And now I could type in shutdown and go back and see, you know,
398 00:24:47,036 --> 00:24:50,936 this interface is now shut down and I just cut off my computer's connection,
399 00:24:50,936 --> 00:24:55,336 so it's now turned off, so I see that in there, but when I do a no shutdown,
400 00:24:56,156 --> 00:24:59,816 I don't see the shutdown command anymore because no shutdown,
401 00:24:59,816 --> 00:25:03,086 meaning the port being active, is considered a default.
402 00:25:03,086 --> 00:25:05,276 So you're going to see that a lot of times, don't worry about it.
403 00:25:05,476 --> 00:25:08,566 If you type a command and you're like, "Hey, it's not in the running config."
404 00:25:08,816 --> 00:25:12,476 Of course make sure you typed the command, but at the same time a lot
405 00:25:12,476 --> 00:25:15,386 of the default commands just don't show up.
406 00:25:15,656 --> 00:25:18,986 So, the last thing I have to-- you know, you might say, "Well,
407 00:25:19,206 --> 00:25:21,516 I expected it to learn your MAC address or something", right?
408 00:25:21,516 --> 00:25:22,426 Isn't that what it does?
409 00:25:22,556 --> 00:25:24,876 But we haven't turned port-security on yet.
410 00:25:25,116 --> 00:25:27,706 Let's do that, I'm going to do switchport port-security
411 00:25:27,706 --> 00:25:30,776 and hit the enter key, and now we're enabled.
412 00:25:30,836 --> 00:25:33,006 Now, we'll start learning MAC addresses.
413 00:25:33,006 --> 00:25:35,586 So, I'm going to-- I'm just going to generate some traffic
414 00:25:35,826 --> 00:25:38,536 to make sure that it does get my MAC address.
415 00:25:38,536 --> 00:25:39,926 So let's do a quick ping.
416 00:25:41,116 --> 00:25:42,936 There we go.
417 00:25:43,016 --> 00:25:44,756 Okay, so we've got some traffic going through.
418 00:25:44,756 --> 00:25:49,636 Now I'm going to go back and do a show run fast-- Oh, look at fast [inaudible] 0/14,
419 00:25:49,636 --> 00:25:53,436 look at what's done, we've got port security which is now on, it's not the default
420 00:25:53,436 --> 00:25:55,786 so it shows up, mac-address sticky is enabled
421 00:25:55,786 --> 00:25:59,166 and all of a sudden we've got this sticky address that has shown up in the list.
422 00:25:59,376 --> 00:26:04,486 That will be the only address, because I have a maximum of one that is in there, because--
423 00:26:04,486 --> 00:26:08,156 and that's going to be now the only address that is allowed.
424 00:26:08,466 --> 00:26:12,056 Now, the thing that I have to make sure of is when I use sticky addresses
425 00:26:12,096 --> 00:26:16,396 like this it's actually making them sticky in the running config.
426 00:26:16,866 --> 00:26:21,786 So, in order for this to say okay, now that will be permanently the only one for all time,
427 00:26:21,786 --> 00:26:24,106 all eternity until you erase this switch and start over,
428 00:26:24,416 --> 00:26:27,816 the only MAC address that's allowed in there, you want to save your config.
429 00:26:28,006 --> 00:26:30,606 Remember how to do that?
430 00:26:30,606 --> 00:26:33,786 Official Cisco method, copy run start.
431 00:26:34,356 --> 00:26:38,156 I hit enter, and now we've saved our config.
432 00:26:38,156 --> 00:26:41,016 Now, that sticky MAC address is committed, that that's going
433 00:26:41,016 --> 00:26:43,136 to be the only one that's allowed on that port.
434 00:26:43,596 --> 00:26:46,766 Okay, let's do a little verification now.
435 00:26:47,186 --> 00:26:51,636 I'm going to sit on the switch and do a show port-security
436 00:26:51,636 --> 00:26:53,836 and you can see here I don't really have too many options,
437 00:26:53,836 --> 00:26:57,896 I have interface [phonetic], or you just press the enter key, and it gives me kind of a big picture summary.
438 00:26:57,946 --> 00:27:03,356 It's saying, "Okay, the only secure port that we have is that one, maximum addresses",
439 00:27:03,356 --> 00:27:08,206 remember I said the default is one, current addresses is one and there--
440 00:27:08,206 --> 00:27:12,326 up till today there have been no security violations, you know.
441 00:27:12,326 --> 00:27:17,246 So at this time no-- nothing is violated, but if somebody does violate it we will shut
442 00:27:17,246 --> 00:27:19,976 down that port, so we can get a little more detailed information,
443 00:27:19,976 --> 00:27:24,556 I can type in show port-security address and this will actually show me the MAC address
444 00:27:24,556 --> 00:27:28,376 that is allowed on the port, and say okay, I've got this address on the secure port,
445 00:27:28,606 --> 00:27:31,186 it is a type of secure sticky, okay?
446 00:27:31,186 --> 00:27:34,316 I can go once that-- for this, probably the most detailed you'll get.
447 00:27:34,496 --> 00:27:40,636 I'll say interface FastEthernet0/14 and I'll say, okay, port security is enabled,
448 00:27:40,946 --> 00:27:44,446 the status is it is secure and it's up, it's up and running.
449 00:27:44,806 --> 00:27:46,596 Violation mode, it will shut me down.
450 00:27:46,706 --> 00:27:49,286 Aging time, meaning it will never remove sticky.
451 00:27:49,286 --> 00:27:55,476 You can actually turn on aging that says, "Okay, after we've been idle for, you know, nine hours
452 00:27:55,476 --> 00:27:59,476 or two days or whatever, go ahead and remove the sticky addresses out of this."
453 00:27:59,476 --> 00:28:03,886 That's kind of handy when for instance you are doing an office move and you say, "Okay, well,
454 00:28:04,196 --> 00:28:06,856 you know, I want to kind of age out all these sticky addresses
455 00:28:06,856 --> 00:28:08,966 over the weekend-- excuse me, over the weekend.
456 00:28:09,186 --> 00:28:11,966 Now, I have to go in and do a no sticky address, no sticky address."
457 00:28:11,966 --> 00:28:13,596 So you-- you can do that.
458 00:28:13,596 --> 00:28:15,536 So, right now I'm not aging them out.
459 00:28:15,536 --> 00:28:20,086 We've got the maximum MAC addresses is one, total MAC addresses one, configured, I haven't typed
460 00:28:20,086 --> 00:28:21,896 any in, but I do have sticky MAC addresses.
461 00:28:21,896 --> 00:28:24,796 So, this is if you manually type it, this is if it's sticky.
462 00:28:25,116 --> 00:28:28,956 And then it says the last MAC address to access this port is this one,
463 00:28:29,336 --> 00:28:31,436 but no security has been violated.
464 00:28:31,436 --> 00:28:35,856 So, you can kind of read that through in plain English as you're looking at each one of those.
465 00:28:36,076 --> 00:28:38,436 But I know you're sitting there like, come on Jeremy [phonetic],
466 00:28:38,666 --> 00:28:41,386 cause a violation, show me what it does.
467 00:28:41,506 --> 00:28:45,696 Okay. So, what we're going to do is I'm going to unplug--
468 00:28:45,696 --> 00:28:49,106 I actually have two network cards on my computer.
469 00:28:49,106 --> 00:28:56,266 I'm going to unplug my Apple USB adapter and I'm going to plug in, well, this may cause problems.
470 00:28:56,446 --> 00:28:59,466 I just disconnected my-- I guess you opt [phonetic] my production link,
471 00:28:59,796 --> 00:29:01,776 the one that allows me to connect to the internet.
472 00:29:01,776 --> 00:29:04,676 So, I've unplugged one and plugged in another.
473 00:29:04,676 --> 00:29:08,426 So, let's see if we can cause some kind of violation.
474 00:29:09,046 --> 00:29:12,296 So, I'm going to go here, let's do an ipconfig.
475 00:29:13,726 --> 00:29:15,686 Oh, hey [inaudible], didn't take it long.
476 00:29:15,686 --> 00:29:19,946 It didn't really have to do too much but-- so you can see LAN2 is unplugged.
477 00:29:20,206 --> 00:29:21,246 I plugged LAN1 in.
478 00:29:21,246 --> 00:29:25,296 And, as soon as LAN1 came up, it essentially went back to media disconnected.
479 00:29:25,296 --> 00:29:26,966 Let's look at the messages it says.
480 00:29:27,296 --> 00:29:32,386 It says, error disabled, port security violation error detected on this, this is now being put
481 00:29:32,386 --> 00:29:36,376 in error-disabled state, we are terminated, security violation occurred.
482 00:29:36,376 --> 00:29:39,556 Don't you feel like, you know, you're in some kind of like government environment?
483 00:29:39,776 --> 00:29:42,006 Violation occurred caused by MAC address such and such.
484 00:29:42,006 --> 00:29:44,906 It's saying this MAC address is not allowed on that port,
485 00:29:44,906 --> 00:29:48,386 on port FastEthernet0/14, state is changed to down.
486 00:29:48,386 --> 00:29:53,216 So now if I were to do the same command we can see that the status has changed
487 00:29:53,216 --> 00:29:55,606 to secure-shutdown, like we have violated.
488 00:29:55,816 --> 00:29:58,976 And the cool thing is it actually captured the last MAC address to cause this.
489 00:29:59,106 --> 00:30:03,346 So if I'm in a production environment I'm like, "All right, who's that MAC address?"
490 00:30:03,426 --> 00:30:06,436 That's where your work really begins, right, 'cause you've got to find out where
491 00:30:06,436 --> 00:30:10,716 in the environment is that MAC address, but the port security has happened.
492 00:30:10,716 --> 00:30:12,146 Now, here's the tough thing.
493 00:30:13,346 --> 00:30:17,636 If I'm looking at a show ip interface brief or show interface or anything
494 00:30:17,636 --> 00:30:20,006 like that it looks like it's just down.
495 00:30:20,006 --> 00:30:22,026 It doesn't actually go administratively down.
496 00:30:22,026 --> 00:30:25,806 So it can be deceitful because I'm looking, I'm like, okay, it's down,
497 00:30:25,806 --> 00:30:27,266 it looks like nothing is plugged in.
498 00:30:27,496 --> 00:30:30,256 It doesn't actually show me like violation or anything like that.
499 00:30:30,256 --> 00:30:35,296 You have to be under here or I can do a show interface FastEthernet0/14,
500 00:30:35,516 --> 00:30:37,876 which really gives me the nitty gritty of it.
501 00:30:37,876 --> 00:30:41,276 And we can see it's actually down, line protocol down, but look at this.
502 00:30:41,276 --> 00:30:42,216 This is the giveaway.
503 00:30:42,756 --> 00:30:46,846 When you see that in parentheses afterward you're like, ah, okay, so it's something else,
504 00:30:46,846 --> 00:30:48,976 it's been error-disabled, like something else is shutting it down.
505 00:30:48,976 --> 00:30:51,526 Now, the only-- I'm going to switch my cables back.
506 00:30:52,446 --> 00:30:58,866 So, I'm moving back to my little Apple USB network adapter.
507 00:30:58,866 --> 00:31:02,896 So, the right one, the one that's allowed there, blood rushing into my head,
508 00:31:02,896 --> 00:31:04,646 I'm upside down, all right, there we go.
509 00:31:04,646 --> 00:31:07,926 Plug the originals back in the way they should go.
510 00:31:07,926 --> 00:31:09,356 But it's not going to come back up.
511 00:31:09,806 --> 00:31:14,206 It is going to stay down until I, because I use shutdown mode, until I
512 00:31:14,206 --> 00:31:16,436 as an administrator come in and revive it.
513 00:31:16,436 --> 00:31:24,696 Now, the way to get a port out of error-disable is to go under that port, shut it down.
514 00:31:25,486 --> 00:31:26,776 Oh, we have to spell it right.
515 00:31:27,316 --> 00:31:29,356 Shut it down and then turn it back on again.
516 00:31:29,726 --> 00:31:32,436 So, shutdown clears the error-disable.
517 00:31:32,896 --> 00:31:39,116 No shutdown brings the port back online, okay?
518 00:31:39,356 --> 00:31:43,336 So now that I have the right MAC address in place I can do a show
519 00:31:43,676 --> 00:31:48,526 port-security interface FastEthernet0/14, and now we can see okay, we're good again.
520 00:31:48,526 --> 00:31:54,626 We've got the-- we're back up, we're back in action, and, you know, we're chugging along.
521 00:31:56,126 --> 00:31:58,776 And one thing I do-- I want to show you, I paused it [phonetic] and I was like oh,
522 00:31:58,776 --> 00:31:59,796 yeah, wait, I want to show you this.
523 00:31:59,996 --> 00:32:05,396 You might be going, well, wait a sec, why is that zero, security violation count is zero?
524 00:32:05,396 --> 00:32:07,056 Didn't we violate the policy?
525 00:32:07,246 --> 00:32:12,086 Well, anytime you shut the interface down and then back up, that will zero itself out.
526 00:32:12,086 --> 00:32:13,956 It's very much-- since the interface has been shut
527 00:32:13,956 --> 00:32:16,476 down we've had this many security violations.
528 00:32:16,476 --> 00:32:23,496 Now you notice, right back [inaudible] scroll back up a little bit, right back here.
529 00:32:24,036 --> 00:32:24,586 Can I do that?
530 00:32:24,586 --> 00:32:25,866 Oh, right there, right?
531 00:32:25,866 --> 00:32:29,066 Yeah, right here when we first caused the violation, when I did
532 00:32:29,066 --> 00:32:32,036 that command it showed the security violation as one.
533 00:32:32,256 --> 00:32:35,776 Now, if you're using the shutdown mode you probably will never see it go beyond one,
534 00:32:36,096 --> 00:32:40,166 because shutdown shuts the port down and you go in and reset it and come back in.
535 00:32:40,166 --> 00:32:45,556 However, if you're using the other methods of violation modes, the protect or restrict,
536 00:32:45,796 --> 00:32:49,376 that one just ignores it when it happens, but that's where you'll see this thing ticker count
537 00:32:49,376 --> 00:32:51,486 up to where it's like, "Oh, we had another violation,
538 00:32:51,486 --> 00:32:52,886 another MAC address, another [inaudible]."
539 00:32:52,886 --> 00:32:58,226 So that one will tick up over time with the other two, but stay at one with the shutdown mode
540 00:32:58,226 --> 00:33:02,636 because it clears every single time you turn the interface off and back on, okay.
541 00:33:02,936 --> 00:33:06,856 So what we have seen here-- isn't that-- I think that's pretty unique.
542 00:33:06,906 --> 00:33:12,296 What we have seen here is how to at least initially secure our switch environment
543 00:33:12,836 --> 00:33:15,346 to make sure that the people that are there belong there,
544 00:33:15,346 --> 00:33:17,166 without getting on my whole soapbox again
545 00:33:17,166 --> 00:33:20,526 on controlling the devices that plug into our network.
546 00:33:20,526 --> 00:33:24,646 This makes sure that we have the ability to have that control.
547 00:33:24,956 --> 00:33:29,316 To where we have the ability to, you know, say what MAC addresses are allowed,
548 00:33:29,316 --> 00:33:31,126 to say how many MAC addresses are allowed.
549 00:33:31,126 --> 00:33:32,096 Now, is it foolproof?
550 00:33:32,686 --> 00:33:36,736 No, security is like an onion, you have layers that you work through.
551 00:33:37,106 --> 00:33:39,206 But people can change their MAC addresses.
552 00:33:39,396 --> 00:33:42,216 You can go into the network properties in Windows and say, "You know,
553 00:33:42,216 --> 00:33:45,956 if you know this is going on and you know what MAC address is allowed on the port?"
554 00:33:45,956 --> 00:33:48,676 Now obviously you're probably malicious if you're doing that,
555 00:33:48,916 --> 00:33:51,036 or/and you really know what's going on.
556 00:33:51,036 --> 00:33:53,966 You kind of know the inner workings of the network.
557 00:33:53,966 --> 00:33:58,186 You can go in and hard-code your MAC address on a rogue device
558 00:33:58,216 --> 00:33:59,966 to match the one that's allowed on the port.
559 00:34:00,496 --> 00:34:03,306 But to do that I mean you really-- I mean that's a malicious person,
560 00:34:03,306 --> 00:34:07,766 that's why we design our network in terms of layers of security instead
561 00:34:07,766 --> 00:34:09,766 of just one method to rule them all.
562 00:34:10,006 --> 00:34:13,126 So, for now in this nugget we have seen port security.
563 00:34:13,126 --> 00:34:14,446 What it is and what it's all about.
564 00:34:14,446 --> 00:34:19,316 We've gone through the configuration to limit the devices allowed on a port as well
565 00:34:19,316 --> 00:34:24,396 as limit the ports to specific ones, where you can type them in, and sticky MAC addresses.
566 00:34:24,656 --> 00:34:27,496 I hope this has been informative for you and I'd like to thank you for viewing.