WEBVTT

0:00:03.020000 --> 0:00:08.140000
Hello and welcome to this video titled, Port Security Demonstration.

0:00:08.140000 --> 0:00:10.200000
That's exactly what I'm going to do in this video.

0:00:10.200000 --> 0:00:13.360000
So I'm going to demonstrate the concepts that I've talked about in my

0:00:13.360000 --> 0:00:18.160000
other videos about the theory and configuration of port security in a

0:00:18.160000 --> 0:00:19.560000
live lab environment.

0:00:19.560000 --> 0:00:22.140000
So let's just get right to it.

0:00:22.140000 --> 0:00:24.000000
So here's my environment.

0:00:24.000000 --> 0:00:28.200000
In this environment, I don't have any actual hosts, so my routers are

0:00:28.200000 --> 0:00:33.940000
going to basically pretend to be hosts which are connecting to my devices.

0:00:33.940000 --> 0:00:40.600000
So first of all, let's just go ahead and see what we're dealing with here.

0:00:40.600000 --> 0:00:48.080000
So we're going to use, let's just use here router1 as my host.

0:00:48.080000 --> 0:00:54.000000
And I'm going to configure port security right here on 0/1

0:00:54.000000 --> 0:01:00.000000
of switch1. So first of all, let's confirm what the MAC address is of

0:01:00.000000 --> 0:01:05.400000
router1. And we'll write that down somewhere.

0:01:05.400000 --> 0:01:10.560000
So to start with, I need to configure router1 with some kind of an IP

0:01:10.560000 --> 0:01:12.940000
address just so we can talk.

0:01:12.940000 --> 0:01:22.160000
Guess it would help if I could spell, hostname r1.

0:01:22.160000 --> 0:01:24.980000
Now let's go on to his interface, fast ethernet 0/0.

0:01:24.980000 --> 0:01:32.920000
Let's just give him a basic IP address.

0:01:32.920000 --> 0:01:37.040000
Okay, so Cisco routers, the moment you bring up their interfaces, do something

0:01:37.040000 --> 0:01:39.060000
called a gratuitous ARP.

0:01:39.060000 --> 0:01:42.080000
So he's already sending out an ARP message saying, Hey everybody, I just

0:01:42.080000 --> 0:01:46.200000
came alive. My address is 1111 and here's my MAC address.

0:01:46.200000 --> 0:01:50.480000
So the switch that he's connected to should already have learned of his

0:01:50.480000 --> 0:01:52.920000
MAC address. Let's take a look.

0:01:52.920000 --> 0:01:59.600000
So show MAC address-table interface fast ethernet 0/1.

0:01:59.600000 --> 0:02:03.160000
So where the router is connected, and sure enough, there is our MAC address.

0:02:03.160000 --> 0:02:12.640000
So let's just write down the last, let's move this up here.

0:02:12.640000 --> 0:02:20.020000
We know it ends with EAB0.

0:02:20.020000 --> 0:02:24.160000
And let's see here, is there a way I can increase the font size of that?

0:02:24.160000 --> 0:02:36.700000
Yes. All right, so let's move this over here.

0:02:36.700000 --> 0:02:42.740000
Okay, so we know that that is the MAC address of the router.

0:02:42.740000 --> 0:02:48.340000
All right. So step number one, let's go ahead and shut down that port.

0:02:48.340000 --> 0:02:51.380000
Whenever you add a new port security configuration to an interface, you

0:02:51.380000 --> 0:02:53.300000
should do it when the port is disabled.

0:02:53.300000 --> 0:02:55.240000
You shouldn't do it while the port is running.

0:02:55.240000 --> 0:03:00.060000
And we'll just say switchport port-security.

0:03:00.060000 --> 0:03:03.380000
Oh, command rejected, dynamic port.

0:03:03.380000 --> 0:03:10.040000
So we have to configure this as switchport mode access.

0:03:10.040000 --> 0:03:13.340000
And this is not a port security thing, but we don't want spanning tree

0:03:13.340000 --> 0:03:14.080000
to get in our way.

0:03:14.080000 --> 0:03:16.680000
Spanning tree is going to make us wait a little bit of time for this port

0:03:16.680000 --> 0:03:21.620000
to come up.
So let's just say spanning-tree portfast, because after

0:03:21.620000 --> 0:03:23.900000
all, this is a host we're connecting to right here.

0:03:23.900000 --> 0:03:27.040000
So this will allow the port to just go directly into the forwarding state.

0:03:27.040000 --> 0:03:29.180000
Now let's reapply our port security.

0:03:29.180000 --> 0:03:31.240000
This time it should not give us an error.

0:03:31.240000 --> 0:03:35.900000
There we go. No shut.

0:03:35.900000 --> 0:03:39.340000
Okay, as soon as the port comes up, once again the router should send

0:03:39.340000 --> 0:03:41.800000
a gratuitous ARP.

0:03:41.800000 --> 0:03:45.240000
Let's see if we once again learn the router's MAC address.

0:03:45.240000 --> 0:03:49.240000
Yes, we have. Now notice the difference here.

0:03:49.240000 --> 0:03:53.340000
When we learned it the first time, it is learned as a dynamic MAC address,

0:03:53.340000 --> 0:03:55.440000
which is typical for a normal port.

0:03:55.440000 --> 0:04:00.280000
But notice down here, it's now learned as a static MAC address.

0:04:00.280000 --> 0:04:03.320000
Because port security has learned that, so now there's no aging timer

0:04:03.320000 --> 0:04:08.380000
set to that. So if we actually take a look at show port-security

0:04:08.380000 --> 0:04:15.860000
address, there we see the MAC address, EAB0.

0:04:15.860000 --> 0:04:19.380000
Port security has learned it as a secure dynamic MAC address, and notice,

0:04:19.380000 --> 0:04:21.520000
remaining age, nothing.

0:04:21.520000 --> 0:04:23.840000
It's not going to age out.

0:04:23.840000 --> 0:04:29.260000
We can also do show port-security interface and take a look at that

0:04:29.260000 --> 0:04:31.280000
specific interface on the switch.

0:04:31.280000 --> 0:04:34.100000
And we can see port security is enabled.

0:04:34.100000 --> 0:04:36.120000
Right now it's secure up.

0:04:36.120000 --> 0:04:38.480000
The violation mode is shutdown.

0:04:38.480000 --> 0:04:42.940000
And here's the MAC address that has been learned.

0:04:42.940000 --> 0:04:46.820000
Total MAC addresses allowed are one.

0:04:46.820000 --> 0:04:50.500000
Okay, so now let's see what's going to happen if we go onto that router

0:04:50.500000 --> 0:04:52.320000
and we change his MAC address.

0:04:52.320000 --> 0:04:56.700000
If he starts sending any kind of a frame like CDP or maybe another gratuitous

0:04:56.700000 --> 0:05:01.520000
ARP with a different source MAC address, let's see how port security will

0:05:01.520000 --> 0:05:03.600000
respond to that.

0:05:03.600000 --> 0:05:13.700000
So first of all, we will logging buffer, logging buffer, pretty much all

0:05:13.700000 --> 0:05:18.540000
messages. Okay, clear log.

0:05:18.540000 --> 0:05:21.360000
So I'm going to leave the switch here for a moment.

0:05:21.360000 --> 0:05:23.960000
Go back to the router.

0:05:23.960000 --> 0:05:26.080000
Go into his interface.

0:05:26.080000 --> 0:05:28.340000
And I'm just going to use the MAC command.

0:05:28.340000 --> 0:05:29.820000
This allows me to change his MAC address.

0:05:29.820000 --> 0:05:35.460000
Let's just give him a fake MAC address of about 0.002.

0:05:35.460000 --> 0:05:41.360000
Actually, let's have 0.211.

0:05:41.360000 --> 0:05:43.700000
A-a-a-a-a-a-a-a-a-a-b-b-b.

0:05:43.700000 --> 0:05:50.600000
Alright, let's go back to our switch.

0:05:50.600000 --> 0:05:55.000000
Okay, so it looks like the moment I change the MAC address, the router

0:05:55.000000 --> 0:05:59.820000
basically bounced his interface, brought it down, brought it back up again.

0:05:59.820000 --> 0:06:04.340000
So by doing that, remember that whenever a switch's port goes down with

0:06:04.340000 --> 0:06:09.860000
port security, whatever MAC address was previously on that port is released,

0:06:09.860000 --> 0:06:13.620000
and now when the port comes back up again, that port is free to learn

0:06:13.620000 --> 0:06:15.260000
whatever the next MAC address is.

0:06:15.260000 --> 0:06:17.880000
And we should be able to view that here.

0:06:17.880000 --> 0:06:23.600000
Yep, see? So it's still enabled, it's still secure up, and now it just

0:06:23.600000 --> 0:06:26.440000
accepted the next MAC address.

0:06:26.440000 --> 0:06:31.320000
Okay, so let's see, what can we do here to cause a violation?

0:06:31.320000 --> 0:06:33.300000
Well, what if we did this?

0:06:33.300000 --> 0:06:40.140000
What if we configured on that interface switchport port-security

0:06:40.140000 --> 0:06:45.740000
MAC, and then let's type in this MAC right here.

0:06:45.740000 --> 0:06:49.080000
Let's just say that is the only authorized MAC that's allowed on that

0:06:49.080000 --> 0:06:53.500000
port. That's the fake MAC address, found duplicate MAC address, where

0:06:53.500000 --> 0:06:56.780000
it says, hey, I've already learned that, so we need to shut that port

0:06:56.780000 --> 0:07:04.680000
down. Alright, now it will let me put in the command, because he doesn't

0:07:04.680000 --> 0:07:05.960000
have that MAC address.

0:07:05.960000 --> 0:07:08.700000
Let's bring it back up.

0:07:08.700000 --> 0:07:20.680000
Okay, now if we take a look at port security, we can see that we have

0:07:20.680000 --> 0:07:27.620000
one configured MAC address, which is this, the port security is enabled

0:07:27.620000 --> 0:07:29.680000
currently, it is secure up.

0:07:29.680000 --> 0:07:35.720000
Now, if I go back to router one, and I remove that fake MAC address I

0:07:35.720000 --> 0:07:38.540000
put on there, and have him go back to his default burned-in MAC address

0:07:38.540000 --> 0:07:42.720000
of EAB0, that will cause a security violation.

0:07:42.720000 --> 0:07:47.000000
Because right now only one MAC address is authorized, and the one MAC

0:07:47.000000 --> 0:07:50.500000
address is this one I pre-configured, we can see it right here on the

0:07:50.500000 --> 0:07:55.300000
interface. Port security, and I've said, this is the only MAC address

0:07:55.300000 --> 0:07:58.240000
that's authorized in that access VLAN.

0:07:58.240000 --> 0:08:09.580000
So let's go back to the router, interface fast ethernet 0/0, do show run

0:08:09.580000 --> 0:08:14.740000
interface fast ethernet 0/0, and let's get rid of that command, which will

0:08:14.740000 --> 0:08:17.500000
cause him to go back to his default MAC address.

0:08:17.500000 --> 0:08:25.940000
Okay, it bounces the port, but now even though the port is bounced, it

0:08:25.940000 --> 0:08:29.260000
doesn't matter. Because when it comes back up, he'll say, hey, the only

0:08:29.260000 --> 0:08:33.240000
MAC address I'm allowing is that AAABBB, and all of a sudden look at that,

0:08:33.240000 --> 0:08:36.000000
bam, port security violation.

0:08:36.000000 --> 0:08:39.740000
I just saw a MAC address that's not the configured MAC address.

0:08:39.740000 --> 0:08:43.220000
As a matter of fact, this line right here says violation occurred, and

0:08:43.220000 --> 0:08:48.320000
now we have our record of the malicious MAC address.

0:08:48.320000 --> 0:08:52.320000
And we can see, line protocol changed state to down.

0:08:52.320000 --> 0:08:58.460000
So now if we do show port-security interface, we can see the status is

0:08:58.460000 --> 0:09:01.100000
secure-shutdown.

0:09:01.100000 --> 0:09:05.580000
It has been err-disabled, and we have our record, and it says, hey, this

0:09:05.580000 --> 0:09:10.460000
is the last MAC address that we saw, that's the one that caused the error.

0:09:10.460000 --> 0:09:16.740000
If we do show interface fast ethernet 0/1, we can see right there, line

0:09:16.740000 --> 0:09:21.180000
protocol's down, err-disabled.

0:09:21.180000 --> 0:09:23.900000
Now normally when a port is err-disabled, what do you do?

0:09:23.900000 --> 0:09:31.240000
You go into that port, shut it down, wait a couple of seconds, bring it

0:09:31.240000 --> 0:09:36.120000
back up again, but if the root cause has not been fixed that caused it

0:09:36.120000 --> 0:09:39.220000
to go shut down, guess what, same thing's going to happen again.

0:09:39.220000 --> 0:09:42.740000
There we go, port security violation happened.

0:09:42.740000 --> 0:09:45.100000
All right, so what can we do to fix that?

0:09:45.100000 --> 0:09:46.180000
Well, let's do this.

0:09:46.180000 --> 0:09:53.720000
Let's go into that interface, shut it down, and now while it's down, let's

0:09:53.720000 --> 0:09:58.800000
just increase the maximum quantity of MAC addresses that can be learned.

0:09:58.800000 --> 0:10:04.720000
Switchport port-security maximum, how about two?

0:10:04.720000 --> 0:10:14.620000
No shut. Now we've got the pre-configured MAC address, so show run interface

0:10:14.620000 --> 0:10:20.360000
0/1. So now it says, okay, I'm allowed to have a maximum of two

0:10:20.360000 --> 0:10:22.060000
MAC addresses on this port.

0:10:22.060000 --> 0:10:26.900000
Here's one, and whatever the next one is that I learn, that'll be authorized.

0:10:26.900000 --> 0:10:35.200000
So now if we do show port-security address, we can see under fast

0:10:35.200000 --> 0:10:40.140000
ethernet 0/1, we've got the secure configured one that I manually

0:10:40.140000 --> 0:10:44.960000
typed in, and here's the second MAC address that was just learned.

0:10:44.960000 --> 0:10:55.000000
And show port-security shows us that it has been enabled on fast

0:10:55.000000 --> 0:10:59.460000
ethernet 0/1. We have a maximum of two MAC addresses possible, and right

0:10:59.460000 --> 0:11:02.760000
now we do have two MAC addresses.

0:11:02.760000 --> 0:11:05.700000
Security violation 0.

0:11:05.700000 --> 0:11:11.520000
Now notice, this is since the interface last came up, because we actually

0:11:11.520000 --> 0:11:15.360000
saw we did have a security violation, after all, it did go err-disabled,

0:11:15.360000 --> 0:11:19.200000
and yet this is 0, so it's showing us it's not ever since the switch was

0:11:19.200000 --> 0:11:23.980000
actually alive and running, it's ever since the interface was last up.

0:11:23.980000 --> 0:11:37.520000
Now let's go back into the interface, shut it down, let's remove that

0:11:37.520000 --> 0:11:45.060000
maximum command to bring it back down to just a maximum of 1.

0:11:45.060000 --> 0:11:48.960000
Now before we bring it up, let's configure an IP address on the switch

0:11:48.960000 --> 0:11:50.900000
that the router can ping.

0:11:50.900000 --> 0:12:02.200000
So interface VLAN 1, IP address 1111, no shut.

0:12:02.200000 --> 0:12:05.340000
All right, let's go back to the router, before we bring up the switch

0:12:05.340000 --> 0:12:09.800000
port, and give the router this MAC address again, this fake MAC address,

0:12:09.800000 --> 0:12:13.140000
so MAC, put that in there.

0:12:13.140000 --> 0:12:19.140000
All right, let's go back to the switch, no shut.

0:12:19.140000 --> 0:12:25.380000
Okay, so once again we're back to where we're allowing one MAC address,

0:12:25.380000 --> 0:12:28.380000
because that's the default with this command, and the one MAC address

0:12:28.380000 --> 0:12:32.420000
that's authorized is that, that is the MAC address that the router

0:12:32.420000 --> 0:12:48.280000
is currently using, and as soon as that port comes up, show port-security

0:12:48.280000 --> 0:12:52.980000
interface fast ethernet 0/1, okay, so we're good.

0:12:52.980000 --> 0:12:57.840000
It's enabled, the port is currently up, it's allowed to learn one MAC

0:12:57.840000 --> 0:13:02.080000
address, it has learned one MAC address, which is the configured MAC address,

0:13:02.080000 --> 0:13:06.720000
everything is good, so right now that router should be able to ping the

0:13:06.720000 --> 0:13:13.080000
IP address that I just put on the switch, because they're both in the

0:13:13.080000 --> 0:13:18.180000
same subnet. There we go, ping is successful.

0:13:18.180000 --> 0:13:23.660000
Now, let's go back to the switch, and lastly, let's change the violation

0:13:23.660000 --> 0:13:27.760000
mode, instead of doing shutdown, well first of all, let's shut it down,

0:13:27.760000 --> 0:13:29.980000
because remember, whenever you modify port security, you should do it

0:13:29.980000 --> 0:13:32.640000
while the interface is in a down state.

0:13:32.640000 --> 0:13:39.720000
Now let's say switchport port-security violation, and let's make it

0:13:39.720000 --> 0:13:45.120000
protect. Remember, protect is the violation mode where violating frames

0:13:45.120000 --> 0:13:48.220000
will be discarded, but no record will be kept.

0:13:48.220000 --> 0:13:52.180000
We won't see any syslog messages, the counter won't increase, they just

0:13:52.180000 --> 0:13:57.260000
won't be allowed through, so no shut.

0:13:57.260000 --> 0:14:06.300000
Let's go back to the router, change his MAC address, in other words, not

0:14:06.300000 --> 0:14:09.140000
fast ethernet 0/1, we want 0/0.

0:14:09.140000 --> 0:14:15.640000
All right, so let's get rid of this one.

0:14:15.640000 --> 0:14:18.940000
Okay, so now he's going to go back, he's going to bounce his port, he's

0:14:18.940000 --> 0:14:23.900000
going to go back to using his burned-in MAC address, which is not the

0:14:23.900000 --> 0:14:26.320000
authorized MAC address on the switch.

0:14:26.320000 --> 0:14:34.540000
So if we go to the switch right now, show port-security interface fast

0:14:34.540000 --> 0:14:44.540000
ethernet 0/1. Notice it says enabled, secure up, it's now in protect mode,

0:14:44.540000 --> 0:14:52.940000
show interface fast ethernet 0/1 is up and connected.

0:14:52.940000 --> 0:15:05.000000
All right, but if we go to the router and we try doing that ping, now

0:15:05.000000 --> 0:15:09.160000
the ping fails. Once again, why does the ping fail?

0:15:09.160000 --> 0:15:12.180000
Because the router is now sending his pings with the source MAC address

0:15:12.180000 --> 0:15:16.480000
of his real MAC address, EAB0.

0:15:16.480000 --> 0:15:20.360000
And EAB0 is not the authorized MAC address.

0:15:20.360000 --> 0:15:26.980000
This is the authorized MAC address, but because we were in protect mode,

0:15:26.980000 --> 0:15:31.800000
the switch was just silently discarding those pings, those violating frames.

0:15:31.800000 --> 0:15:36.080000
Notice the violating MAC address, we don't even see what it was, we have

0:15:36.080000 --> 0:15:40.700000
no idea, there's no record of the violation count, and there's no syslog

0:15:40.700000 --> 0:15:42.240000
messages to keep track of it.

0:15:42.240000 --> 0:15:49.960000
Show log. So no indication that that happened.

0:15:49.960000 --> 0:15:53.140000
These are all older messages right here.

0:15:53.140000 --> 0:16:05.220000
Now lastly, let's go on to that interface again, shut it down, and now

0:16:05.220000 --> 0:16:10.000000
let's change the violation mode, switchport port-security violation

0:16:10.000000 --> 0:16:12.660000
mode to restrict.

0:16:12.660000 --> 0:16:18.360000
Just like protect, this will discard the offending frame instead of bringing

0:16:18.360000 --> 0:16:20.580000
the whole interface down, but here's the difference.

0:16:20.580000 --> 0:16:25.600000
Now the offending frames will generate syslog messages, and we will have

0:16:25.600000 --> 0:16:28.900000
a record of them in the violation counter.

0:16:28.900000 --> 0:16:33.340000
As soon as that interface comes up, look at that, see?

0:16:33.340000 --> 0:16:37.060000
The router, as soon as he detected the interface came up, that router automatically

0:16:37.060000 --> 0:16:41.500000
sent out a gratuitous ARP, which caused the violation.

0:16:41.500000 --> 0:16:51.200000
Now we see it in the syslog message, and we see it right here, we see

0:16:51.200000 --> 0:16:55.500000
his address, and the violation count is six, but notice the port status

0:16:55.500000 --> 0:16:56.940000
did not go down.

0:16:56.940000 --> 0:17:00.960000
The port status is still up.

0:17:00.960000 --> 0:17:05.000000
And the last thing I want to show you, show run interface fast ethernet

0:17:05.000000 --> 0:17:07.880000
0/1.

0:17:07.880000 --> 0:17:16.240000
Okay, let's go ahead and shut this down.

0:17:16.240000 --> 0:17:22.380000
All right, now while it's down, let's go ahead and get rid of the command

0:17:22.380000 --> 0:17:25.320000
where we statically typed in the MAC address.

0:17:25.320000 --> 0:17:30.860000
So that's gone, do show run interface fast ethernet 0/1.

0:17:30.860000 --> 0:17:36.700000
So now we're just back to one MAC address, whatever the first MAC address

0:17:36.700000 --> 0:17:40.680000
is that we see, that's okay, and the violation is restrict.

0:17:40.680000 --> 0:17:44.620000
And now I'm going to add in here, switchport port-security MAC

0:17:44.620000 --> 0:17:47.300000
address sticky.

0:17:47.300000 --> 0:17:52.780000
So before I bring the interface up, let's review what we've got here.

0:17:52.780000 --> 0:17:54.360000
So this is what we see, right?

0:17:54.360000 --> 0:17:58.480000
No mention of any MAC addresses in my running config.

0:17:58.480000 --> 0:18:05.440000
Now, no shut. In the background, the interface is coming up.

0:18:05.440000 --> 0:18:10.800000
The router is now using his burned-in MAC address to send out packets

0:18:10.800000 --> 0:18:13.920000
like gratuitous ARPs.

0:18:13.920000 --> 0:18:18.080000
And that very first MAC address is the known authorized MAC address, and

0:18:18.080000 --> 0:18:21.180000
now that will be added to the running config, and there we go.

0:18:21.180000 --> 0:18:24.340000
Now we see his MAC address as part of the configuration.

0:18:24.340000 --> 0:18:30.960000
So we could save our configuration, and now even if that port goes down

0:18:30.960000 --> 0:18:35.640000
and comes back up again, this will be the only authorized MAC address

0:18:35.640000 --> 0:18:39.020000
learned on that port that's allowed on that port.

0:18:39.020000 --> 0:18:45.900000
So that concludes this demonstration of port security.

0:18:45.900000 --> 0:18:47.620000
Thank you very much for watching.