In this Packet Tracer lab, you need to configure port security. So what is port security and why is it important?

Port security is one of the most basic ways to enable a level of security on wired switched networks. Wired Ethernet networks don't have any security by default: a user could simply plug their PC into any port on a switch and start sending and receiving traffic. So port security is a basic way to start implementing security on wired Ethernet infrastructures. We can limit the number of MAC addresses on a port, and we can specify exactly which MAC addresses are permitted on specific ports.

In this example, users have plugged hubs into ports on a switch, which allows them to connect multiple devices to the network. You need to stop that by enabling port security in this network.

In this lab we have a single switch, Switch 1, and it has multiple hubs connected to it: Hub 1, Hub 2 and Hub 3. Each hub has two PCs connected to it. We also have a DHCP server that's allocating IP addresses to hosts in the topology.

In this lab you need to configure port security as follows.

On Gigabit 1/0/1, configure port security with a single command and then answer these questions. By default, how many MAC addresses are permitted if you only use a single port security command on that interface? How many MAC addresses are permitted by default? This kind of gives you the answer: verify that only the first host is allowed. So don't just configure port security; verify that it works as you think it works. What happens when the second host sends traffic into the network? In other words, once you've got port security enabled, what happens when the first host sends messages? What happens when the second host sends messages? Is the first host's MAC address written to the running configuration? So in other words, when you type show run on the switch, do you see the host's MAC address in the running config? And what happens when you power cycle the switch? Save the config first and then reboot the switch. Is the original MAC address remembered, or can a different host send traffic into the network when the switch is rebooted? So think about those questions with regard to a default configuration using port security.

Then on port Gigabit 1/0/3, enable port security and automatically add the MAC address of the first host that sends traffic to the running configuration. So don't just enable port security and have the MAC address in the MAC address table and the port security database, but also have it added to the running configuration. What happens when the second host sends traffic? What happens when the switch is power cycled and you haven't saved the configuration? So in the second example, ensure that the MAC address is shown in the running configuration, then reboot the switch, but don't save the running configuration. Will that MAC address be lost, and can a different MAC address be written to the running configuration when the switch is rebooted?

Then enable port security on Gigabit 1/0/3 by manually specifying PC 5's MAC address. So on PC 5, the device is configured with this MAC address. You can also verify that by using the ipconfig command, and here you can see the MAC address of the PC. Enable port security on this port by manually specifying the MAC address of PC 5, but on this port, drop other traffic and send log messages when a violation occurs. Don't use the default behavior. Drop traffic from the offending host and log messages; don't simply shut the port down.

Then increase the number of devices allowed on Gigabit 1/0/1 to two devices and verify that both PCs can now send traffic and receive IP addresses from the DHCP server.

At the moment, the switch doesn't have port security enabled on it, so show run shows us that the switch has a basic configuration. No configuration exists on these interfaces, so the switch has a very basic default config. That means that a PC such as PC 1 will receive an IP address from the DHCP server, and so will other devices such as PC 2. Notice it's got IP address 10.111. But once you've got port security enabled on your switch, users won't be able to plug in hubs and simply add additional devices to the network.

So can you complete the lab and answer these questions? Do you know how to configure port security? Download the Packet Tracer file and see if you can complete the lab yourself. Otherwise, watch the next video where I complete the lab.