WEBVTT

00:00:02.740 --> 00:00:17.620
Hello and welcome to this video, where I'm going to do a review and refresher of securing switch ports with port security. So we're going to talk about an overview and configuration of it, security violations, and what sticky MACs are.

00:00:17.620 --> 00:00:56.180
So recall that the whole idea behind port security is that in the normal default behavior, the moment you plug anything into a switch port, whether it be an IP phone, a laptop, a server, a PC, whatever it is, that thing is immediately granted access to the network, because switch ports by default are up. They are administratively up, and so they're just waiting for something to connect. So port security allows you to add a little bit of security restriction as far as how many things are plugged into a port and what MAC addresses are allowed to be plugged into a port. So it's used to limit access to what can be connected to your switch ports.

00:00:56.180 --> 00:01:17.100
Now, this feature is not available on dynamic ports. What do I mean by dynamic port? Most switch ports by default, their mode is dynamic auto. Some are dynamic desirable, but most are dynamic auto. So most switch ports are not access mode. You have to configure that with switchport mode access.
00:01:17.100 --> 00:01:36.280
So if you're on a switch port that's in the default mode of switchport mode dynamic auto or dynamic desirable and you try to apply a port security command, you will get an error message. So you have to first convert a port over to switchport mode access; then you can follow that up with port security.

00:01:36.280 --> 00:02:18.640
So what can be secured, or another way of saying this is, what can you do with port security? Well, you have a combination of things you can do. You can limit the quantity of MAC addresses that are learned on a port. For example, if you know that a port on a switch is leading to somebody's cube, and in that cube there should only be two devices: there should be an IP phone connected to the RJ45 jack in that cube, and then behind the IP phone there should be a laptop or a PC. So really, there should only be two MAC addresses learned on that switch port. Well, there's no default limit, so there's nothing preventing more than that being learned on that port. But with switchport port-security, you can limit it to two MAC addresses.

00:02:18.640 --> 00:02:30.160
If you know what the authorized MAC addresses are, if you know, hey, on this port, this particular MAC address is the only MAC address I should ever see, anything other than that is a violation.
00:02:30.160 --> 00:02:41.280
You can configure port security to look for that specific MAC address and cause a violation if it sees anything else. Or you can do a combination of these two things. You can have them work together.

00:02:41.280 --> 00:03:18.800
So here's our basic configuration command. You can enable it with just that one command. Now, here are the questions. What are the defaults? If I just go onto an access port and all I configure is switchport port-security, you should be aware of what that will do. Well, the default behavior is this. Number one, it will allow only one MAC address to be learned. And whatever the first MAC address is that it sees when that port first comes up, that will be considered to be the one and only authorized MAC address. Any other MAC address it learns after that point will cause a security violation.

00:03:18.800 --> 00:03:32.300
Now, what can we do above and beyond this one command right here? Well, there are some additional things we can do. For example, we could use the switchport port-security maximum command to give us more than one address.
00:03:32.300 --> 00:03:46.820
So if we know this port, like in my previous description, if I know this port is ultimately going to learn two MAC addresses, an IP phone and a laptop, we might want to use this command right here to increase the maximum to two instead of just the default of one.

00:03:46.820 --> 00:04:10.500
If we know that this port is connected to a device with a static IP address, like a server or a router or something that never changes and never moves, and we know what the MAC address is of that authorized device, well, we can use the switchport port-security mac-address command and then pre-type in the MAC address of that known device.

00:04:10.500 --> 00:05:03.580
We can apply an aging timer to authorized MAC addresses. You see, once you plug in your... for example, let's do this. Here's an example. Let's say I had this. Let's say here I had switch one and switch two, and I decided that both ends of this link are going to be configured as access ports: switchport mode access. Now, port security is normally meant to be done on your edge ports, your ports actually connecting to hosts, but there could be a scenario where you want to actually configure port security right here on this port. After all, it is an access port, so it is a candidate for port security.
00:05:03.580 --> 00:05:46.940
Now, if you did it right there, and then let's say this PC here with the MAC address of AA connected to switch one, and he sends a DHCP frame or whatever it is. So now we learn AA on this port; port security has learned it. Now, let's say that this guy goes away. He disconnects from switch one. Well, switch one is aware of that because the port he was connected to just went down; he pulled out of it. Switch two is not aware of it. Switch two's port that has port security on it is still up and functional, and it will continue to have AA learned in its MAC address table.

00:05:46.940 --> 00:06:03.960
You see, MAC addresses learned by port security are not subject to the normal aging time of regular dynamic MAC addresses, which is five minutes, 300 seconds. When a MAC address is learned by port security, it's static. It stays in the MAC address table as long as that interface is up.

00:06:03.960 --> 00:06:22.040
So this might be a good situation where you say, hey, you know, on switch two, if a MAC address is learned via port security, I do want to apply an aging timer to it. I don't want it to stay in there forever. So if that's what you want to do, you can see right here, the command is switchport port-security aging time.
00:06:22.040 --> 00:07:15.340
And you can apply an aging time to those types of statically learned MAC addresses. We can also have an aging type of absolute or inactivity. So we could say, all right, let's say I do an aging time of 10 minutes with the first command. Then I could say, okay, what I want that 10 minutes to apply to. I could say absolute, which means, hey, after 10 minutes is over, even if that guy has been talking the whole time, I've seen frames from that MAC address, it doesn't matter. I'm going to age it out, and I'm going to relearn it the next time I see that MAC address again. That would be absolute. Or we could say inactivity, which means, hey, from the moment I stop seeing frames from that MAC address, I will wait 10 minutes or whatever it is I configured, and then I will age it out. Those are the differences there.

00:07:15.340 --> 00:07:46.000
What about violations? Well, the default violation is, it says, shutdown, because in the command when you're configuring the port security mode, the violation mode, one of the violation modes has the word shutdown. In reality, if this violation occurs, it's not really going to shut down the port; instead, it's going to put the port into the err-disabled state. Now, what's the difference?
00:07:46.000 --> 00:08:38.460
If you're like me, when I hear the term, oh, a port is shut down, I think administratively disabled. I think that someone has issued the shutdown command and that port is electrically inactive. It's dead. It might as well not even be there. That's what I think when I think shut down. When a port goes into the err-disabled state, it's not like a shutdown. It's not like it's administratively disabled and all the way down at layer one. Now, if a port does go into the err-disabled state, for all intents and purposes, it's going to be shut down, because nothing can go in or out of that port at that point. Just know that the actual thing it will do if it's triggered to go into the shutdown state is it will err-disable the port, which means you would have to go onto that interface in the command line and type shutdown, no shutdown to bring it back out of that state.

00:08:38.460 --> 00:09:14.920
Now, there are some other states you can do. For example, let's say that what you want to have happen... for example, let's say that we said switchport port-security maximum 5. So I do that on my interface, config-if. So my objective is, it's okay if this interface learns up to five MAC addresses. Nothing beyond that, though.
00:09:14.920 --> 00:09:39.840
Okay, it learns five MAC addresses. It's fine, and all of a sudden a sixth MAC address comes in. In the default violation mode, everybody is going to suffer, because in the default violation mode that sixth MAC address will cause that interface to go into the err-disabled state. So not only does that person pay the price; my first five MAC addresses, which were legitimately using that port, they also pay the price, because the port went err-disabled.

00:09:39.840 --> 00:10:06.380
So you might want to say, hey, you know what, I don't want that to happen. Here's what I want. Whatever the offending frame is that causes the violation, I want that offending frame dropped, but I don't want to penalize my other MAC addresses, which are legitimate, which were learned, which are okay. So I don't want to have a violation mode of shutdown in that case. In that case, I want to switch my violation mode to either protect or restrict. What's the difference between those two?

00:10:06.380 --> 00:10:24.120
Well, both of them, their action is the same. If I have a violation mode of protect or restrict, when an offending frame comes in, a frame that would trigger a violation, we're just going to drop it. We're going to discard that frame. Here's the difference. With protect, there's no record of that drop.
00:10:24.120 --> 00:11:00.760
There are no syslog messages that indicate that anything caused a violation. There are no counters that are increased to show you how many violations have occurred over time. All that happens with protect is that the violating frame gets discarded. That's it. Which might be fine for what you need to do. If you want a little bit more visibility, though, you probably want to set it to restrict. Restrict will show you a syslog message when a violation occurs, and it will increase the violation counters in some of the commands we're going to see in just a moment, your show commands, show port-security.

00:11:00.760 --> 00:11:10.740
We also see on the bottom of the slide here the switchport port-security mac-address command, which allows us to statically configure a well-known MAC address in advance.

00:11:10.740 --> 00:11:41.540
Now, let's paint a different scenario. We're going to talk about sticky MACs. Let's say that I'm designing a network, I'm putting a new switch into place, and on this new switch, let's say 25 of the interfaces, I'm going to cable the system up to devices with static IP addresses. Some of those interfaces are going to go to a couple of routers. Some of those interfaces are going to go to servers. And so what I want to do is I want to have the default of one MAC address.
00:11:41.540 --> 00:12:24.620
It's perfectly fine for me to do interface range, how about gig 0/1 through 40. And I'm going to say switchport mode access. Turn them all into access ports. And switchport port-security. Okay, so remember, the default now is that only one MAC address is going to be allowed, which is okay, because all 40 of these ports are only connected to one host, a bunch of servers or maybe a couple of routers. And the default is, if there's a violation, we're going to err-disable the port. I might want to change that.

00:12:24.620 --> 00:12:43.960
Maybe I want to say switchport port-security violation, how about restrict, so I can see a record of when a violation occurs.

00:12:43.960 --> 00:13:19.180
Now here's the next thing I say: you know what? I don't really know what the MAC address is of these, you know, 38 servers and these two routers. If I did know what that MAC address was, I would love to add that to my configuration. Therefore, no other MAC address would ever be authorized. But I don't want somebody... because here's the default behavior. The default behavior is, maybe one of those ports is connected to a legitimate server. Somebody can just come around, disconnect that server, disconnect the Ethernet cable from that server. Port goes down.
00:13:19.180 --> 00:13:44.260
So whatever the MAC address was of the server gets deleted from the switch. And now they can take that Ethernet cable, stick it into their own server or stick it into their own laptop. And guess what's going to happen? Now the port's going to come up, and that rogue, unauthorized device, whatever his MAC address is, that's the first MAC address that's learned; that's considered authorized. I don't want that. Whether this port goes down or up, down or up, I only want the known authorized MAC address to be the one that's allowed.

00:13:44.260 --> 00:14:12.220
Well, how do I do that if I don't know what those 40 MAC addresses are? I can use this command right here that we see. I can say... well, that's actually not the command. I can do the command right here: switchport port-security mac-address sticky. Let's just go ahead and read some of that. Switchport port-security mac-address sticky.

00:14:12.220 --> 00:14:28.560
And so what that does is, the moment the interface comes up... So let's just assume that right now everything's good. All 40 of these interfaces are connected to my well-known authorized devices. So after doing interface range, I do a shut, no shut.
00:14:28.560 --> 00:15:00.880
Now what happens is, as those interfaces come up, those devices are going to start sending stuff. You know, ARPs, DHCP, the routers might send CDP frames, whatever it is they send. They're going to start sending stuff, and their MAC addresses are going to be learned on the switch. But even better than that, once those MAC addresses are learned, they're actually going to show up in the running config of my switch, as if I had configured the MAC addresses myself manually.

00:15:00.880 --> 00:15:26.740
And now... so this one is probably just easier to demonstrate than to talk about. So for example, if we look at our topology diagram. We've got to go here for a second. Go back to our topology diagram, which is this.

00:15:26.740 --> 00:15:55.780
Okay, so let's take a look at switch three. And his gig 0/1 is connected to gig 0/1 on router three. Now, it's also connected to this guy right here, but for all intents and purposes, let's forget about him for a moment. So here's what I'm going to do. I'm going to configure port security on gig 0/1. Let's just go ahead and do that.

00:15:55.780 --> 00:16:18.400
I'll go to switch three. Interface gig 0/1. Let's shut it down first. Switchport mode access. Switchport access...
00:16:18.400 --> 00:16:39.980
Nope, not switchport access: switchport port-security. The default will be one. That's fine. Let's go ahead and raise that, because there actually are two things on there, the Ubuntu host and that router. So switchport port-security maximum, let's just raise that to 2.

00:16:39.980 --> 00:17:01.500
Okay, do show run interface gig 0/1. Okay, so we can see right now the interface is shut down. It's configured for port security. I've raised it to a maximum of two addresses. That's the only port security thing I have on there. Now I do a no shut.

00:17:01.500 --> 00:17:25.900
All right, so let's go to router three here. And just to make sure he's sending something, let's do cdp timer 5. Okay, let's go back onto switch three.

00:17:25.900 --> 00:17:46.460
Show mac address-table interface gig 0/1. Okay, so we have learned a MAC address. I'm not sure if that's the Ubuntu device or if that's the router, but we've learned something on that interface. And notice it says STATIC. I didn't type that in. I didn't type that in myself. It's just there.
00:17:46.460 --> 00:18:10.520
Now, show run interface gig 0/1 shows no mention of that MAC address, right? It's not there. So if I shut down that port and then re-enabled it, whatever the next MAC address is, the very first one to be learned, that would take its place. I don't want that. I say this is my authorized MAC address. Now let's say I didn't know that in advance. Here's what I could do.

00:18:10.520 --> 00:18:38.000
Interface gig 0/1. Shut it down. Then we could say switchport port-security mac-address, and instead of typing in the MAC address statically, I could say sticky. I could say that. No shut. Show run interface gig 0/1.

00:18:38.000 --> 00:19:18.600
And see that? That command was just dynamically placed in there. It took the MAC address it learned, put it right into the config. And now I can save my config. And now no matter how often this interface bounces up and down, no matter how often this switch crashes and reloads, this will always be part of my config. So right now, this is a sort of pre-reserved, well-known authorized MAC address. Now, because I did a maximum of two, it has the ability to learn one more and also put that as part of the config. So that is what sticky MAC addresses are all about.
00:19:18.600 --> 00:19:27.300
And that concludes this video refresher of the port security feature and how you configure it.
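The configuration walked through in the video, collected into one Cisco IOS example that covers each scenario it describes: the forty sticky-learned server and router ports with restrict logging, the cube port with a phone and a PC, a pre-seeded known MAC, and inactivity aging on the switch-to-switch access link. This is an added example written for this page, not a capture from the video. The interface numbers, the placeholder MAC address 0011.2233.4455 and the errdisable recovery lines at the end are assumptions and additions not shown in the video.

```cisco
! Added example for this page; not captured from the video.
! Interface numbers and the MAC 0011.2233.4455 are placeholders.
!
! 1. Forty server/router ports: one MAC each, sticky-learned, violations
!    dropped and logged. Port security is rejected on dynamic ports, so
!    force access mode before enabling it.
interface range GigabitEthernet0/1 - 40
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 shutdown
 no shutdown
!
! 2. Cube port: IP phone with a PC behind it, so allow two addresses.
interface GigabitEthernet0/41
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
! 3. Known device: pre-seed its MAC so the first address seen after a
!    link flap is never treated as the authorized one.
interface GigabitEthernet0/42
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
!
! 4. Switch-to-switch access link: age a secure address out after
!    10 minutes of silence instead of keeping it for the life of the link.
interface GigabitEthernet0/48
 switchport mode access
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! 5. The default violation mode (shutdown) err-disables the port.
!    Recover automatically after 300 seconds instead of requiring a
!    manual shut / no shut. (Assumed addition, not shown in the video.)
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
end
!
! Verification from privileged exec:
show port-security
show port-security interface GigabitEthernet0/1
show port-security address
show mac address-table interface GigabitEthernet0/1
show running-config interface GigabitEthernet0/1
! Sticky addresses only survive a reload once the running config is saved:
copy running-config startup-config
```

Two caveats when adapting this: sticky addresses are exempt from the aging timer, so scenario 4 deliberately learns its address dynamically rather than sticky, and the restrict counter in `show port-security interface` is the only visible record of a violation, since protect produces neither a syslog message nor a counter increment.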