Time
3 hours 35 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Transcription

00:00
Welcome to the Cisco CCNP Switch 300-115 exam prep series. I'm Philip Inshanally, and in this episode we're going to focus on port security. We can apply security at the port level by restricting which MAC addresses are allowed to access the port. Ideally, you would enable port security on your access layer switches, which connect to end devices.
00:19
You could choose to statically configure the MAC addresses that are allowed on the port, or you could configure the port to dynamically learn a secure MAC address. Only the MAC address or MAC addresses which are configured, either statically or dynamically, will be allowed to use the port to gain network access.
00:38
To configure port security from the interface sub-configuration mode, you would issue the command switchport port-security. This would enable port security with its default settings. The maximum number of MAC addresses allowed is going to be one,
00:50
and the default violation mode is going to be shutdown.
00:53
Say, for instance, you plug a device into a port that port security is enabled on, and you quickly unplug it and plug another device into that same port. The port would go into the err-disabled state and it would be shut down. Then you would have to re-enable the port either manually, or you could use the errdisable recovery feature, which we covered
01:10
in a previous episode.
01:14
Optionally, you could set the maximum number of secure MAC addresses with the command switchport port-security maximum, and then you enter the maximum number of secure MAC addresses
01:23
allowed for the port. Optionally, you could statically set the MAC address with the command switchport port-security mac-address, and then you enter the MAC address.
01:32
You can enter multiple static entries.
01:34
The MAC address limit is going to be based on the maximum number of secure MAC addresses on the port. By default, when you turn on port security, it is going to be one. So if you want multiple MAC addresses on the port, then you would have to use the command switchport port-security maximum.
01:51
Optionally, you could set the port to learn MAC addresses dynamically with the command switchport port-security mac-address sticky.
01:57
For example, if you have a number of MAC addresses which you want to restrict from this particular port, you could use the command switchport port-security mac-address forbidden, and then you would enter the MAC addresses which you want to deny access on this port. Optionally, you could change the violation mode from the default, being shutdown, to either protect or restrict.
02:16
Note, if you choose the protect option, it is going to silently drop packets, and it would not generate
02:22
any notification, nor would it shut down the port,
02:25
as opposed to restrict, which is going to generate an alert in addition to dropping the packets. But with restrict and protect, the port would remain up.
02:35
Only the shutdown violation option would shut the port down.
02:38
Note also that the shutdown violation mode, which is the default, also generates a log message whenever a violation occurs and the port goes into the err-disabled state. So just keep that in mind when you're changing the violation mode for the ports on your switches. To verify, you would use the command show port-security. I'm going to bring up a lab now so we can see how we would set up port security.
02:59
In this lab, we will enable port security on the FastEthernet 0/12 interface
03:04
on the switch, which has an end device
03:06
connected to it.
03:08
We'll leave it with the default violation mode of shutdown
03:12
so we can see the message that is going to be generated
03:15
once a violation occurs.
03:16
So over here on the switch,
03:20
currently the interface is in its default mode, so we'll configure the port as an access port.
03:24
Now we will enable port security with the command switchport port-security.
03:30
So instead of manually entering the secure MAC address which we want to allow on this port, we can dynamically learn the MAC address with the sticky option. So I'll use the command switchport port-security
03:44
mac-address
03:45
and the keyword sticky. Now, by default, only one MAC address is going to be allowed. We can quickly verify this by using the command show port-security.
03:54
Here we can see the number of ports that have port security enabled. But if we want to see more information, we can tack on the keyword interface and specify the interface. There we go. We can see the maximum number of MAC addresses allowed is currently one, port security is currently enabled,
04:12
the port status is secure-up, and the default violation mode
04:16
is currently shutdown. Now, what the sticky option did
04:19
is it learned the MAC address dynamically for us and it hard-coded it on the interface. Now we want to see a violation occur, so we're going to shut down the interface. Then we need to clear the MAC address which was learned by sticky.
04:35
So I'm going to use the command
04:38
clear
04:39
port-security, and I'm going to specify the sticky option.
04:44
Now we'll specify the interface. There we go.
04:46
As you can see, the MAC address is no longer listed on the port. Now we'll go into the port and I will configure a fictitious MAC address, which is different from that of the device connected to the FastEthernet 0/12 interface. So I'll use the command switchport
05:02
port-security, and we'll define a fictitious MAC address
05:06
which is allowed to connect to this port.
05:11
Now we're going to re-enable the port with the no shutdown command.
05:15
It's going to take a few seconds, but we should get the violation occurring here. So we can see the device is being powered up. There we go.
05:21
After the device has sort of booted up, we get a notification message telling us
05:28
err-disable:
05:30
psecure-violation error detected on the FastEthernet 0/12 interface,
05:36
and the interface is being placed in the err-disabled state.
05:45
Port security:
05:46
security violation occurred,
05:49
and it was caused by this particular MAC address, which is the actual device's MAC address. But because we hard-coded
05:57
a MAC address which is allowed to access this port
06:00
that is different from the actual device's MAC address,
06:03
the port was placed in the err-disabled state.
06:08
Similarly, if you run show port-security
06:12
and specify the interface,
06:15
now we can see it says the port status
06:17
is secure-shutdown.
06:23
You can also run the show interfaces status command
06:28
and pipe it to include err.
06:30
There we go. We can see the interface listed, and it says err-disabled.
06:33
To bring up the interface, we would have to manually shut and no shut the interface, or we can use the errdisable recovery feature, which we covered in a previous episode. In this case, we'll use the manual method.
06:53
Then the interface is going to come up. But we'll also need to take off the static entry which we entered, because otherwise the port is going to go back into the err-disabled state.
07:05
So we will negate the command with the no keyword in front of the command.
07:16
We can see the interface port status is back to secure-up.
07:24
So that's how we would set up port security. All right, let's go back to the slides. We have a post-assessment question: which command dynamically creates a MAC entry under the interface? A, switchport port-security sticky mac; B,
07:38
switchport port-security mac-address sticky;
07:41
or C, switchport port-security hardware sticky.
07:45
The answer is B, switchport port-security mac-address sticky.
07:49
And that is the lecture. We worked with port security. First, we looked at how we would enable port security with its default settings.
07:56
Next, we saw how to learn MAC addresses dynamically with the sticky option. Finally, we saw how to bring an interface out of the err-disabled state. In the next video, we will look at private VLANs. This is Philip Inshanally, and thank you for watching Cybrary.
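The two syslog messages the instructor reads out after the violation (the err-disable notice and the port-security violation with the offending MAC) and the show port-security table are what a network or SOC team actually works from once port security is deployed. As an added example that is not part of the video or the Cybrary course, here is a small Python script that turns those two sources into findings: it extracts the interface and offending MAC from the violation messages, marks whether the port went err-disabled, and flags the blind spot the transcript warns about (protect mode drops silently and logs nothing). It is written in Python rather than IOS CLI because the configuration commands themselves already appear in the transcript. The sample log lines and command output are constructed to match the IOS message formats, not captured from the lab, and the function names are my own.

```python
"""Correlate Cisco IOS port-security syslog with 'show port-security'.

Added example for this page, not code from the course. The sample
syslog and command output below are constructed, not captured.
"""
import re
from dataclasses import dataclass

# Constructed sample: a shutdown-mode violation on Fa0/12 as IOS logs it.
SAMPLE_SYSLOG = """\
Mar  1 00:05:12.501: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/12, putting Fa0/12 in err-disable state
Mar  1 00:05:12.503: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/12.
Mar  1 00:05:14.120: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to down
"""

# Constructed sample of 'show port-security' on the same switch. Fa0/13 is
# left in protect mode and Fa0/14 in restrict mode to show the difference.
SAMPLE_SHOW = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/12              1            1                  1         Shutdown
      Fa0/13              1            1                  0          Protect
      Fa0/14              3            1                  2         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 1024
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}) "
    r"on port (?P<port>\S+?)\.?$"
)
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+), "
    r"putting \S+ in err-disable state"
)
SHOW_ROW_RE = re.compile(
    r"^\s*(?P<port>\S+)\s+(?P<max>\d+)\s+(?P<cur>\d+)\s+(?P<viol>\d+)\s+(?P<action>\S+)\s*$"
)


@dataclass
class Violation:
    port: str          # short interface name, e.g. Fa0/12
    mac: str           # offending MAC in IOS dotted form
    err_disabled: bool # True if a matching ERR_DISABLE message was seen


def normalize_port(name: str) -> str:
    """Map long IOS names to the short form used in show output
    (FastEthernet0/12 -> Fa0/12, GigabitEthernet1/0/1 -> Gi1/0/1)."""
    m = re.match(r"([A-Za-z-]+)(\d.*)$", name)
    if not m:
        return name
    return m.group(1)[:2].capitalize() + m.group(2)


def parse_syslog(text: str) -> list:
    """Return one Violation per PSECURE_VIOLATION message, in log order."""
    disabled = set()
    hits = []  # (port, mac) pairs
    for line in text.splitlines():
        m = ERRDISABLE_RE.search(line)
        if m and m.group("cause") == "psecure-violation":
            disabled.add(normalize_port(m.group("port")))
        m = VIOLATION_RE.search(line)
        if m:
            hits.append((normalize_port(m.group("port")), m.group("mac").lower()))
    return [Violation(p, mac, p in disabled) for p, mac in hits]


def parse_show_port_security(text: str) -> dict:
    """Parse the per-port rows of 'show port-security' into a dict."""
    rows = {}
    for line in text.splitlines():
        m = SHOW_ROW_RE.match(line)
        if m:
            rows[m.group("port")] = {
                "max": int(m.group("max")),
                "current": int(m.group("cur")),
                "violations": int(m.group("viol")),
                "action": m.group("action"),
            }
    return rows


def audit(syslog_text: str, show_text: str) -> dict:
    """One finding per secured port, joining log events with the table."""
    rows = parse_show_port_security(show_text)
    logged = {v.port: v for v in parse_syslog(syslog_text)}  # latest per port
    report = {}
    for port, row in rows.items():
        entry = {"action": row["action"], "violations": row["violations"],
                 "offending_mac": None, "err_disabled": False, "note": ""}
        if port in logged:
            entry["offending_mac"] = logged[port].mac
            entry["err_disabled"] = logged[port].err_disabled
        if row["action"] == "Protect":
            # protect mode drops silently: no syslog, so the table is the only evidence
            entry["note"] = "protect mode drops silently: no syslog, poll the counter"
        elif row["violations"] > 0 and port not in logged:
            entry["note"] = "counter shows violations but no syslog seen: check log retention"
        report[port] = entry
    return report


if __name__ == "__main__":
    for port, finding in audit(SAMPLE_SYSLOG, SAMPLE_SHOW).items():
        print(port, finding)
```

Run against a real switch by feeding it the output of show logging and show port-security; the protect-mode note is the check worth keeping, because a port in that mode can be under attack for weeks without ever producing a log line.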


CCNP Switch - 300-115

This course is engineered to prepare you for the Cisco Certified Network Professional (CCNP) Switch 300-115 exam. In this course, we will cover all the main domains present in the current version of the CCNP exam, which are centered around infrastructure security and services and Layer 2 technologies.

Instructed By

Philip Inshanally
Network Administrator
Instructor