- [Instructor] How many MAC addresses should legitimately show up inbound on an access port? Port security controls how many MAC addresses can be learned on a single switch port. This feature is implemented on a port-by-port basis. A typical user uses just a single MAC address. Exceptions to this may be a virtual machine or two that might use different MAC addresses than their host, or an IP phone with a built-in switch, which may also account for additional MAC addresses.

In any case, to avoid a user connecting dozens of devices to a rogue switch that is then connected to their access port, you can use port security to limit the number of devices, or MAC addresses, on each port. This also protects against malicious applications that may be sending thousands of frames into the network with a different bogus MAC address for each frame, as the user tries to exhaust the limits of the dynamic MAC address table on the switch, which might cause the switch to forward all frames to all ports within a VLAN so that the attacker can begin to sniff all packets. This is referred to as a CAM table overflow attack. Content Addressable Memory, CAM, is a fancy way to refer to the MAC address table on the switch.

Port security also prevents the client from depleting DHCP server resources, which could have been done by sending thousands of DHCP requests, each using a different source MAC address. DHCP spoofing attacks take place when devices purposely attempt to generate enough DHCP requests to exhaust the number of IP addresses allocated to a DHCP pool.

With the port security feature, the default violation action is to shut down the port. Alternatively, we can configure the violation response to be protect, which will not shut down the port but will deny any frames from new MAC addresses over the set limit. The restrict action does the same as protect but generates a syslog message as well. You can see an example of port security configuration here.

In this demo, we will be enabling port security on a specific interface. We'll start out by entering the interface configuration. From there, we'll enable the switchport port-security configuration using the command switchport port-security. Moving on, we'll set the maximum number of MAC addresses that are allowed to connect to this interface. The default is one, so if we administratively set the maximum to one, the command won't show in the running configuration because the configuration matches the default value. Next we'll set the violation action. The switchport port-security violation protect command will simply not allow frames from MAC addresses above the maximum. Next we'll set the mac-address sticky command; this will cause the dynamic MAC addresses to be placed into the running config. To verify all of our commands, we can run the show port-security command.
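The configuration the instructor walks through above, written out as an added Cisco IOS example (this is not the instructor's own demo output). The interface name GigabitEthernet0/1, the maximum of two addresses for a phone-plus-PC port, and the choice of restrict rather than protect are assumptions made here; the err-disable recovery commands at the end are the standard IOS way to bring back a port that the default shutdown action has disabled.

```cisco
! Added example, not from the video: port security on one access port (Cisco IOS).
! Interface name and the maximum of 2 (IP phone + PC behind it) are assumptions.
configure terminal
interface GigabitEthernet0/1
 ! Port security is rejected on a dynamic (DTP-negotiated) port, so fix the mode first.
 switchport mode access
 switchport port-security
 ! The default maximum is 1 and would not appear in the running config;
 ! 2 leaves room for a phone with a built-in switch plus the PC behind it.
 switchport port-security maximum 2
 ! protect silently drops frames from addresses over the limit; restrict does
 ! the same but also logs a syslog message, so it is the one to use when you
 ! want violations to be visible. Omitting this line leaves the default: shutdown.
 switchport port-security violation restrict
 ! Dynamically learned addresses are written into the running config as sticky entries.
 switchport port-security mac-address sticky
 end
! Save, or the sticky addresses are lost on reload.
copy running-config startup-config

! Verification
show port-security
show port-security interface GigabitEthernet0/1
show port-security address

! If a port using the default shutdown action goes err-disabled, recover it with
! shutdown / no shutdown on the interface, or let the switch recover it automatically:
configure terminal
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
```

The `show port-security interface` output reports the configured maximum, the current address count, the violation mode and the violation count, which is the quickest way to confirm that a maximum of 1 is in effect even though it is not shown in the running config.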