
Cisco CCNP SWITCH 642-813

Campus Security: Basic Port Security and 802.1x


Videos in this course:

  • Welcome to Cisco Switch: Watch Me First!
  • The Switches Domain: Core Concepts and Design
  • VLANs: Configuration and Verification
  • VLANs: In-Depth Trunking
  • VLANs: VLAN Trunking Protocol
  • STP: Foundation Per-VLAN Spanning Tree Concepts, Part 1
  • STP: Foundation Per-VLAN Spanning Tree Concepts, Part 2
  • STP: Rapid Spanning Tree Concepts and Configuration
  • EtherChannel: Aggregating Redundant Links
  • L3 Switching: InterVLAN Routing Extraordinaire
  • L3 Switching: Understanding CEF Optimization
  • Redundancy in the Campus: HSRP, VRRP, and GLBP Part 1
  • Redundancy in the Campus: HSRP, VRRP, and GLBP Part 2
  • Campus Security: Basic Port Security and 802.1x

Campus Security: Basic Port Security and 802.1x

00:00:00 - All right. It's time to make a major shift from all the technology
00:00:04 - we have talked about: wireless, voice over IP, switching architecture,
00:00:09 - spanning tree and so on and shift over to campus security which
00:00:13 - is the final section of the BCMSN series. Now campus security
00:00:18 - is focused on making sure that people don't intrude into your
00:00:22 - layer two architecture. And for a long time people have asked
00:00:26 - that question that I have right up front, our first topic to
00:00:28 - talk about. Why layer two? Is it really important to secure the
00:00:32 - switch architecture? I mean the only way somebody is getting
00:00:36 - there is if they plug into a port which means they are in your
00:00:39 - building. Isn't that physical security anyway? So, we will answer
00:00:43 - that question. Then I will talk about some of the common and
00:00:46 - very simple layer two attacks that somebody can execute and that
00:00:50 - kind of answer the why layer two. Then we will get into configuring
00:00:54 - Catalyst port security which is a big part of what I think a
00:00:58 - lot of organizations miss or forget about and should be doing.
00:01:02 - And then we will talk about a final topic 802.1X and talk about
00:01:06 - where that fits into the grand scheme of things and how we can
00:01:10 - set our switches up to support it. So why should you worry about
00:01:13 - layer 2? I mean if those switches are locked up in a wiring closet
00:01:17 - then people shouldn't be able to get to them anyway, right? Uh,
00:01:21 - not right, because people can get to them through the wire. And
00:01:25 - there are common attacks out there that can take out that data
00:01:28 - link layer and I would say it's one of the most forgotten about
00:01:33 - layers because everybody is worried about access lists or firewalls
00:01:36 - protecting the internet from reaching inside of your company
00:01:39 - when really the intruders have gone inside of the companies.
00:01:43 - They are your employees that are poisoning your MAC address table.
00:01:47 - And I will show you one more thing. This right here, poof, has
00:01:51 - changed the face of what we thought layer two security should
00:01:55 - look like. And it's kind of amusing that until wireless access
00:02:00 - came about nobody even worried about layer two security really.
00:02:04 - I mean not much anyway. Because people just figured you have
00:02:08 - to get inside the building to do layer two and we trust our employees.
00:02:14 - Now a lot of that mind set is going away. Not only do you not
00:02:18 - have to be in the building because people can tune into that
00:02:20 - wireless signal, but also employees aren't as trustworthy or
00:02:25 - proving to be as trustworthy as they once were. Let
00:02:29 - me give you an example of a common layer two attack that can
00:02:33 - be pulled off from somebody sitting in their cubicle.
00:02:37 - Uh, side note: if you ever walk by somebody's cubicle and it
00:02:40 - has got a soft red glow and the person is kind of shadowed out
00:02:44 - by the soft red glow behind them and it looks like they are working
00:02:47 - on pie charts or something on the screen, don't trust them. Not
00:02:53 - a trustworthy person. Because that person can use a utility,
00:02:57 - there is actually many of them out there. But a real common one
00:03:00 - is called, whoops, dsniff,
00:03:04 - d-s-n-i-f-f. It was originally a Unix-only utility and was ported
00:03:09 - over to Windows so both platforms can run it and its really a
00:03:13 - suite of utilities that are
00:03:17 - pitched as network auditing utilities, but of course can be used
00:03:20 - by the opposite side to attack a network. And one of the tools
00:03:25 - inside of that suite is called macof, m-a-c-o-f,
00:03:31 - just one F. What that does is source many, many, many different
00:03:37 - packets, thousands of them on this port from different MAC addresses.
00:03:41 - So that port starts loading up MAC addresses. It's like, "Wow,
00:03:45 - this is a busy port, and this must be like a major uplink to
00:03:48 - another area of the network. I just keep learning and learning
00:03:50 - MAC addresses". And macof is doing its thing. It just keeps
00:03:53 - generating more thousands and thousands of MAC addresses until
00:03:56 - finally the CAM table of your switch fills up. Meaning it can't
00:04:01 - learn any more MAC addresses, it was never designed to learn the
00:04:04 - entire MAC address database that's out there. So what will end
00:04:08 - up happening is not the switch crashing. A lot of people think
00:04:11 - it does, but it doesn't, it is that the switch turns into a hub.
00:04:15 - It says, "Well, since I can't learn any more MAC addresses I am
00:04:19 - just going to send everything everywhere to make sure that everybody
00:04:22 - gets the data they are looking for". And at that point this person
00:04:25 - over here opens a packet sniffer and has easy access to any data
00:04:30 - that is going across the network. Meaning you could be capturing
00:04:33 - voice over IP conversations. You could be capturing you know
00:04:36 - SQL transactions that are happening. There is a lot of stuff
00:04:39 - that could be captured once that happens and that's just one
00:04:42 - of many different attacks that can be pulled off. Most of these
00:04:46 - attacks focus around poisoning the MAC address table in some
00:04:51 - way. So port security is how we can stop it. After seeing that
00:04:58 - it should be a relief to you to know that Cisco switches out
00:05:01 - of the box can protect against those kinds of attacks, it's just
00:05:06 - that most people forget to turn on that kind of security. There
00:05:09 - are two ways to stop those common layer two attacks and one is
00:05:12 - using secure MAC addresses and I will talk about the three different
00:05:15 - kinds of MAC addresses. The other is to limit the number of MAC
00:05:20 - addresses per port. Now in doing this you not only gain the benefit
00:05:24 - of stopping MAC address flooding attacks, but you also stop those
00:05:28 - people from building little mini networks in their cubicles.
00:05:31 - People that bring in their own little hubs and switches at home
00:05:33 - and can potentially introduce spanning tree loops and rogue devices
00:05:37 - into the network. So let's start with that one. Limiting the
00:05:40 - number of MAC addresses per port. All you need to do on your
00:05:44 - Cisco switch is to go under the port that you would like to limit
00:05:49 - this on and I will go ahead and use interface fastethernet0/21.
00:05:54 - I actually have that connected in this little mini network here
00:05:58 - to a hub that has just a single device attached. So on this port
00:06:03 - I am going to type in a couple of things; first off, switchport
00:06:06 - mode access. Now we will talk about the default which is dynamic
00:06:12 - desirable when we get into the next video. It's a horrible default,
00:06:16 - but the access is the mode that it must be on in order to do
00:06:22 - port security. Access says that this is an access port and the
00:06:27 - port will only connect to an end network. Meaning it won't be
00:06:31 - a trunk port connecting to another switch. It will connect to
00:06:34 - a PC or a hub, but everybody is on the same VLAN. Now the first
00:06:38 - thing we need to do is type in switchport port-security. It's
00:06:42 - a commonly forgotten one which turns on port security for that
00:06:46 - switchport. Then we get to type in our switchport port-security
00:06:50 - commands. And I will type in; first off, maximum and I will just
00:06:54 - say 1. To limit this port to a maximum of 1 MAC address. Now
00:07:00 - I can verify that configuration just by jumping out here and
00:07:03 - typing in show port-security and we will type in interface fastethernet0/21.
00:07:11 - You can see that right here maximum MAC addresses, oops
00:07:15 - is 1, and the total MAC addresses is 1. The last one that has
00:07:19 - been on there is that MAC address. And that is in VLAN 100, that's
00:07:23 - the one that's configured. That's the one device I have plugged
00:07:26 - in. Now you also see right here the violation mode. The default
00:07:31 - violation mode when you turn on port security is shut down. Let
00:07:35 - me jump back under that interface fastethernet0/21
00:07:39 - and do switchport port-security violation so you can see the
00:07:43 - three modes. Shutdown is pretty obvious. If you violate the
00:07:48 - policy it is going to shut down the port. In my opinion it is
00:07:51 - one of the best because you absolutely know when somebody shuts
00:07:56 - down a switchport. It's not that you are, you know, very good
00:08:02 - at reviewing all of your logs and seeing that, it's that you are
00:08:05 - going to get a phone call if somebody goofs up and plugs in multiple
00:08:08 - devices into a switchport you are going to hear a call because
00:08:11 - they can't get their work done anymore. Their port has been shut
00:08:14 - down. And you get to chastise them and have your own little power
00:08:18 - thrill for a moment and be like, "What are you doing"? And you
00:08:21 - feel, it's horrible, but every administrator lives for the moment
00:08:24 - they get to chew out a user. But you know you get to know exactly
00:08:29 - when it happens because you are going to get a phone call. The
00:08:32 - other two you may not know. First off I would completely
00:08:37 - recommend that you do not use protect.
00:08:42 - Protect is a mode where it will, when another MAC address adds
00:08:48 - on above the one that is already on there, above the maximum
00:08:52 - MAC addresses that you have added. It just ignores the other
00:08:56 - MAC addresses. Meaning your port security is still in effect,
00:08:59 - but you don't know when somebody violates the policy. And you
00:09:03 - will never be told either. Restrict is the one that I would recommend.
00:09:07 - If you are not so drastic that you want to shut down the port
00:09:10 - use restrict which does exactly the same thing as protect, but
00:09:16 - whenever somebody does violate your policy this little counter
00:09:23 - will tick up by one. It will say, "Oh, policy violated, security
00:09:26 - violation one". And you will also see a log message if you had
00:09:30 - the logging turned on. You know second one you will see two in
00:09:33 - that list. So even though you are not shutting down the port
00:09:36 - you will at least realize and have a counter to verify when somebody
00:09:40 - is violating the policy. Now keep in mind. If you do have protect
00:09:45 - or restrict turned on, if somebody plugs 2 MAC addresses into
00:09:49 - the port and realizes that one of them is not working they can
00:09:54 - unplug that one and then plug in the other one and allow that
00:09:58 - one to work. That may or may not be a good thing in your network.
00:10:01 - So you know, when they realize that say this MAC address is the
00:10:05 - only one that works, if they disconnect that MAC address they
00:10:07 - will go to a total of 0 and then the next MAC address that they
00:10:11 - plug in will take it back up to 1. So those are the different
00:10:14 - ways that you can do that. Now I will go ahead and leave it on
00:10:17 - a default state of shut down for the switchport port-security
00:10:21 - because I have my Macintosh which is a good hacking machine.
00:10:25 - And I am going to take this and plug this; this will be the second
00:10:28 - device that I add to that switchport. Let me just go ahead and
00:10:33 - plug that one in. Oh,
00:10:36 - good grief. Just as I plug that in, one of the devices I was
00:10:39 - using was, oh good, good it has, sorry I just turned around and
00:10:42 - looked at my screen to see all this. Look at this, as soon as
00:10:45 - I plugged in my MAC address it says, "Port security violation
00:10:48 - occurred on fastethernet0/21".
00:10:51 - I am putting it in the error disable state. So immediately you
00:10:55 - can see that the line protocol has been changed to down and fastethernet0/21
00:11:00 - is now down. So if I hit the up arrow and do that show port-security
00:11:04 - you can see that the port status is secure and it has been shut
00:11:08 - down. So don't look at enabled and think, "Oh well my port is
00:11:12 - enabled". That means that it is actually down. And if I do a
00:11:15 - show ip interface brief and look right here at fastethernet0/21
00:11:21 - it just shows up as down. So by looking at that port in this
00:11:25 - state you are just going to think, "Oh well it's just down, there
00:11:28 - must not be anything plugged in". But if you type in show interface
00:11:31 - fastethernet, oops, did I, 0/21.
00:11:39 - You will see that the port is error disabled. That means either
00:11:43 - you have some kind of duplex mismatch that has caused that
00:11:46 - or you have a security violation that has shut the port down.
00:11:50 - I also know that many of you are like me and love commands like
00:11:54 - show ip interface brief where you can see what's going on with
00:11:58 - your switchports all in one quick glance. Well there is another
00:12:01 - command I want to show you that is similar to it. It is show
00:12:04 - interfaces status. And you don't need to specify an interface.
00:12:10 - Now you get to see my home, but you can see that all of these
00:12:13 - different interfaces are plugged in. I have brief descriptions
00:12:16 - so this is a good way to know what those switchports are, but
00:12:20 - look at this status column right here. There, as we go down we
00:12:24 - can see what's connected and what's not connected and which ones
00:12:28 - are error disabled. So you have gone, you have chastised your
00:12:32 - users and flogged them appropriately. How do you get that port
00:12:35 - back up? Well there is no quick way to do it. The main way that
00:12:40 - you can go in is go under that port. We will say interface fastethernet0/21,
00:12:45 - do a shutdown and then do a no shutdown. Just typing in no shutdown
00:12:51 - will not re-enable that port. Oh, I still have my Macintosh
00:12:56 - plugged in. So I will plug that, unplug that quickly so that
00:12:59 - it doesn't shut itself down again. But now when I go back and
00:13:03 - do that show interface status you can see that it is restored
00:13:06 - and connected again. So that's how you can restore the down port.
00:13:12 - Now it's not part of the official Cisco
00:13:16 - test prep curriculum so if you are studying for the exam don't
00:13:19 - worry about this stuff I am about to show you, but there is
00:13:24 - another method that not many people know about on Cisco switches.
00:13:28 - Now I am going to type show errdisable recovery. There
00:13:34 - is this feature that Cisco switches have called errdisable
00:13:38 - recovery that after, you can see all these different states that
00:13:42 - will cause an error disable. Uh, we just saw security violation
00:13:46 - as one of the reasons. But we have, channel misconfigurations
00:13:49 - that's like an EtherChannel where we have flapping links where
00:13:53 - we, I mean there's all kinds of things that can cause the error
00:13:55 - disable state. We can configure our switch to re-enable the port
00:14:01 - after a certain amount of time. Now you can see that default
00:14:05 - amount of time is 300. But error disable recovery is turned off
00:14:10 - by default. So you can see they are all disabled so even though
00:14:13 - it says that recovery will be in 300 seconds, its not going to
00:14:17 - be in 300 seconds unless you turn it on. So you can go into global
00:14:21 - configuration mode and type in errdisable recovery, type
00:14:25 - in a specific cause that you want to look for and you can see
00:14:29 - all of these timers to recover from some violation. We will say
00:14:33 - security violation right there, so sec, Tab, and you can say, "I
00:14:38 - want to enable recovery for that". You can then type in the errdisable
00:14:43 - recovery interval and specify how many seconds you want
00:14:49 - to force the port to be shut down before it recovers itself.
00:14:53 - So now when I jump back here I will type in show errdisable
00:14:56 - recovery. You can see now that we are enabled for security violations.
00:15:00 - So if I were to plug in my Macintosh into this port and connect
00:15:05 - that thing up it is going to cause the violation, but now a little
00:15:09 - counter has begun in the background that is going to recover
00:15:13 - the port within 300 seconds for that violation.
00:15:19 - That may save you a couple of phone calls. Um, but overall it
00:15:23 - is primarily useful for some of the other ones, usually security
00:15:26 - violation. You want it to stay down. Um, so, uh, the last thing
00:15:30 - I want to show you on this note. I am going to type in show port-security
00:15:33 - security fastethernet,
00:15:36 - oops, interface fastethernet0/21.
00:15:41 - And you can see right here we do have a security violation counter
00:15:46 - that is ticking. Now I shut down and un-shut down the port and
00:15:50 - powered up the port so it reset that counter. But this counter
00:15:53 - will continue to tick however many security violations you have
00:15:57 - on a given interval. So that's one you can always refer to, to
00:16:01 - see what's going on. Now that's the limiting of MAC addresses
00:16:04 - per port. The last thing I want to talk about is secure MAC addresses.
00:16:09 - By default all your switches will learn dynamic MAC addresses.
00:16:13 - That is just what they do. And that's the default MAC address
00:16:17 - type. Now we can transform them from dynamic addresses over to
00:16:21 - static or sticky MAC addresses. Now static MAC addresses are
00:16:26 - pretty straight forward. I am going to go back up under the interface
00:16:29 - fastethernet0/21 and let's, let's do, let me first off do switchport
00:16:35 - port-security; I will do a maximum of 10. Just to allow me to
00:16:40 - plug multiple devices in there. But the first way I can configure
00:16:44 - static MAC addresses is by typing in switchport port-security
00:16:47 - MAC address and just type in whatever MAC address I want. I have
00:16:51 - seen a lot of government agencies use this to where they can
00:16:54 - type in the specific MAC address allowed on that port and no
00:16:59 - other MAC address will be able to access that. If you are going
00:17:04 - to use the static MAC address method and say, "My MAC address
00:17:08 - was this".
00:17:11 - Be sure to couple it with the maximum MAC address command. Now
00:17:16 - I just showed you, I just cranked it up right up on the screen
00:17:19 - above us, to 10 MAC addresses. If I statically type in MAC addresses
00:17:24 - and say, "You know 1, 1, 1, 1, 1, 1, 1" and that's the only MAC
00:17:27 - address I want on that port then make sure you change the maximum
00:17:30 - to 1; because if I leave it at 10 it will allow only that 1,
00:17:35 - 1, 1, 1, 1, 1, 1, 1 and 9 dynamic entries. It's kind of a combination
00:17:40 - of static and dynamic. So it will allow whatever static ones
00:17:44 - I have typed in plus whatever the maximum buffer is to the maximum
00:17:49 - number of MAC addresses I am allowing on that port. So, type
00:17:53 - in however many MAC addresses you want and then set the maximum.
00:17:58 - The second way that we can do this is by taking a calculated
00:18:04 - risk. Now you can see right below here I have sticky. Sticky
00:18:10 - MAC addresses are your way of allowing the switch to do the work
00:18:14 - for you. You can imagine how difficult it would be in a network
00:18:19 - of 100 or 1,000 PC's to sit there and type in all the MAC addresses
00:18:24 - of those PC's into the ports. I am not saying it can't be done
00:18:27 - and I am not saying it is very beneficial if you are paid by
00:18:30 - the hour. However, if you are salary you don't want to sit there
00:18:35 - all night typing those things in. So you can take a calculated
00:18:38 - risk. And that is using the sticky key-word. What will happen
00:18:42 - when you use sticky is the switch will automatically hard code
00:18:49 - any MAC address you have plugged into that point, port, into
00:18:53 - the running configuration. And as soon as you save that to the
00:18:57 - startup configuration
00:18:59 - that is set permanently. Let me give you an example. I am going
00:19:03 - to first off do, before I type this command in here, let me just
00:19:07 - hit enter. I am going to type in do, show, run, interface, fastethernet0/21
00:19:13 - and we can see that as of right now we have the port security
00:19:17 - turned on and the maximum is set to 10. Now I am also going to
00:19:22 - type in do show mac address-table and I will focus in on interface
00:19:27 - fastethernet0/21 and you can see as of right now, oh do I have
00:19:31 - both of those plugged in? Oh, no I just have, have not cleared
00:19:35 - out since I plugged both MAC addresses in. Let me just plug and
00:19:39 - unplug that port real quick and, uh, give it a sec to cycle.
00:19:46 - There we go, okay. I just unplugged the port and plugged it back
00:19:49 - in and so it's now just has that one MAC address. All right.
00:19:53 - So here is what I am going to do. I am going to type in switchport.
00:19:57 - Oh, let me clear all this junk off.
00:20:00 - I will type in switchport
00:20:03 - port-security maximum and then I will type in sticky.
00:20:10 - And when I said sticky I meant, oh, I am just losing it here.
00:20:15 - I am sorry. It is port-security MAC address. Sticky? I am saying
00:20:19 - that in a running-config, its blending together in my mind. Now
00:20:22 - watch what happened when I did that. I am going to do a show,
00:20:26 - run, interface, fastethernet0/21.
00:20:30 - Let me squeeze the do command in front of that. And you can see
00:20:33 - that it's got the command I typed in there, but look at that.
00:20:36 - It automatically hard coded the first MAC address that it saw
00:20:41 - on that port. I look at the up arrow and its right there. Now
00:20:44 - if I do a show start interface fastethernet0/21,
00:20:49 - oh it doesn't let me use the interface command. It's not saved
00:20:53 - in the startup-config is the point I am trying to prove. So,
00:20:56 - in order to save that MAC address we have to do a save-config,
00:21:00 - copy, run, start or write memory and that will allow you to save
00:21:04 - that MAC address to your startup-config. Now watch this. I am
00:21:07 - going to reach over and plug my Macintosh in here, click; I just
00:21:12 - plugged my Macintosh in. I am going to hit the up arrow and do
00:21:14 - a show, run and
00:21:17 - do it again and one more time. Oh where is my Macintosh? Let
00:21:24 - me do a show MAC address
00:21:29 - table interface fastethernet0/21.
00:21:33 - My Macintosh has died. Oh, are you kidding me? It just went into
00:21:37 - sleep mode. Sorry, let me; let me move the mouse around. There
00:21:41 - we go. I moved the mouse around. Let me hit the up arrow. Oh,
00:21:44 - there we go. It is now back in the list. I am going to go into
00:21:48 - do the show run again. This is the point I am trying to prove.
00:21:50 - I have got this sticky MAC address that has now learned a second
00:21:53 - MAC address and I can save my config. How many MAC addresses
00:21:57 - will this feature learn? As many as I have set for the maximum
00:22:01 - here. So if I know there is only going to be two MAC addresses
00:22:05 - on this port I will change this over and say switchport port-security
00:22:10 - maximum 2. And at that point I have already, I have set the maximum
00:22:15 - to 2 and I have used the sticky command so the only two MAC addresses
00:22:19 - that are allowed on that port are these two. You can see it's
00:22:22 - a calculated risk because if there is an intruder plugged into
00:22:25 - the network or a rogue device it will learn its MAC address just
00:22:30 - like everything else. So of course the more secure way is to
00:22:33 - manually type in every MAC address. However the more reasonable
00:22:37 - way to approach this is to use the sticky feature. Sometimes,
00:22:41 - you know, going on a port, by port, by port so you know what's
00:22:44 - plugged in, or you can be brave and use the interface range command
00:22:47 - and just learn everything that's on that switch at this given
00:22:51 - point. So that's your way of doing maximum number of MAC addresses
00:22:56 - per port and combining it with the secure MAC addresses. The
00:23:01 - last thing we will talk about is identity based network services,
00:23:05 - or what people nowadays call 802.1X.
00:23:09 - IBNS was Cisco's name for it before 802.1X was released. But
00:23:14 - now 802.1X is out there and that's what everybody uses. So 802.1X
00:23:20 - kind of shook the world up quite a bit because it was the first
00:23:24 - authentication method that allowed the switch to participate
00:23:29 - in authentication without ever seeing the user name and password
00:23:33 - or authentication method that's used. Now the reason that is
00:23:36 - so huge is because all of the previous methods like if you think
00:23:40 - of MD5 hashing or you know certificate based authentication.
00:23:44 - All those kind of methods required that the supplicant provide
00:23:48 - its credentials to the switch. And the switch gets them, looks
00:23:51 - at them and says, "Okay that's good". Or you know even passes
00:23:54 - them to the authentication server and the authentication server
00:23:57 - checks them and sends them back and says "Hey that's okay". But
00:24:00 - the authenticator has to be intimately involved in the process.
00:24:05 - Meaning if you are using MD5 authentication then the authenticator
00:24:09 - or the switch in the middle has to support MD5. If you are using
00:24:12 - certificates the authenticator has to understand
00:24:16 - certificates. With 802.1X
00:24:19 - the beauty is this dotted line right here. Only the supplicant
00:24:24 - and the authentication server see the actual authentication attempt.
00:24:30 - The authenticator which is your Cisco switch sitting in the middle
00:24:33 - just says yea or nay. Meaning the supplicant plugs in or this
00:24:37 - is the client and says, "Hey I want to use the network". The
00:24:40 - authenticator says, "Oh well you are required to authenticate".
00:24:43 - And the supplicant says, "Well here's my authentication". It
00:24:47 - goes through the switch to the authentication server and the
00:24:50 - authentication server looks at it and says, "Oh, well they either
00:24:53 - pass or they don't". And communicates back to the authenticator
00:24:57 - with RADIUS or TACACS+ and says, "You can either leave that port
00:25:01 - on or power that port down right now because they did not pass
00:25:04 - authentication". Using these methods we can swap out the authentication
00:25:10 - strategies as new methods are released. Meaning if MD5 is considered
00:25:15 - weak in a few years we can swap out MD5 for something else. If
00:25:19 - we want to use certificates we can swap those out. If some new
00:25:22 - fingerprinting technology where you have to do a fingerprint
00:25:26 - or retinal scan, or whatever your futuristic authentication you
00:25:29 - want to use is we can do that and the switch doesn't have to
00:25:34 - be upgraded. All we have to do is choose a different kind of
00:25:37 - EAP on the supplicant and the authentication server. That's what
00:25:41 - EAP stands for: extensible authentication protocol. And you never
00:25:46 - deploy just EAP by itself because EAP is just an empty shell.
00:25:51 - It's kind of like, let me say this. We have got this big you
00:25:55 - know shell here that is the EAP standard and that's what the
00:25:59 - authenticator understands and understands that it is an EAP packet.
00:26:04 - But it does not look inside, which could contain the TLS method,
00:26:08 - it could contain PEAP, it could contain LEAP. You know they all
00:26:12 - kind of rhyme, it's funny. And each one of those supports a different
00:26:15 - kind of authentication. Some of them might be certificate based.
00:26:18 - Some of them might be clear text. It doesn't matter. The authenticator
00:26:21 - doesn't care because it just takes the EAP shell and passes it
00:26:25 - through via RADIUS or TACACS+ through the authentication server.
00:26:29 - Now we do not focus on and Cisco does not expect you to know
00:26:34 - how to set up the supplicant or the authentication server for
00:26:39 - 802.1X because there are so many platforms it could be. It could
00:26:43 - be a Linux client and a Windows server. Or a Windows server and
00:26:47 - a Windows client and you know each one has a slightly different
00:26:51 - way and slightly different software to make it happen. I don't
00:26:54 - want to leave you hanging on that though because we do talk about
00:26:57 - the authenticator configuring the switch to support 802.1X, but
00:27:01 - there is a great web link I ran across and this is, I am sure,
00:27:04 - one of many that are out there. It is at a university CS.UMD.EDU.
00:27:09 - Somebody just wrote a how to article on how to set up a supplicant
00:27:14 - Windows XP work station and an authentication server. A Windows
00:27:19 - 2000 server they use which works for 2003
00:27:23 - or 2008 or whatever version of Windows server you are using.
00:27:27 - To set those up and it's a step by step walk through. What we
00:27:31 - are going to focus on here is setting up the Cisco switch to
00:27:35 - support it. So let's jump into the switch right now. I am on
00:27:40 - the Catalyst 3550.
00:27:43 - What I need to do is go into global config mode and type in,
00:27:45 - first off if you haven't done it before, triple-A new model.
00:27:49 - Now that enables Cisco's triple-A, that's authentication, authorization
00:27:54 - and accounting.
00:27:56 - There are triple-A authentication mechanisms across the board.
00:27:59 - Now that can apply to anything. You can now use triple-A to authenticate
00:28:02 - people telneting into your router or people trying to access
00:28:07 - the web interface. There are all kinds of different things triple-A
00:28:09 - can be used for, but this just turns it on. We are then going
00:28:12 - to follow that up with triple-A authentication and it's going
00:28:15 - to ask what are you going to do authentication for? Is this for
00:28:19 - people to log into the router, for PPP sessions? We are going
00:28:23 - to choose dot1x, which you may need to upgrade your IOS on a switch
00:28:28 - because it is a more recent method. Oh, the last few years. So
00:28:32 - we choose 802.1X
00:28:34 - as what we are authenticating. Then we need to type in how it's
00:28:38 - going to be authenticated. Now this is where I will kind of let
00:28:42 - the CCSP course pick up, but the CCSP courses show you how to
00:28:46 - set up RADIUS servers or TACACS+ that have user databases that
00:28:50 - can be authenticated with. And we configure our Cisco routers
00:28:54 - or Cisco switches to point to those RADIUS servers by using the
00:28:58 - global command RADIUS-server or TACACS+-server.
00:29:03 - But we will just imagine that we created one of those. And I
00:29:06 - will say use the default authentication list for the server group
00:29:11 - RADIUS. Use the RADIUS servers to authenticate 802.1X clients.
00:29:15 - So what this command means in English is when somebody plugs
00:29:19 - in it is going to go to the predefined list of RADIUS servers
00:29:23 - that we are assuming was created, um to authenticate people that
00:29:28 - are using 802.1X.
00:29:30 - Now we type in dot1x system-auth-control, which is the way to globally
00:29:39 - turn on 802.1X on the switch. It is like the power switch on
00:29:43 - 802.1X. Now all we have to do is go under each individual interface
00:29:48 - and type in or use an interface range command; type in dot1x port-control
00:29:53 - and what method we want. Most of the time you will be
00:29:57 - using port-control auto. I know which goes against my auto not
00:30:02 - use it recommendation, but auto says when somebody plugs in and
00:30:06 - if they successfully authenticate then they will be allowed.
00:30:10 - If they do not successfully authenticate they will be denied.
00:30:13 - So that turns on 802.1X on the port. Now right below that you
00:30:18 - can see force-authorized and force-unauthorized.
00:30:22 - What those do is either lock the port into an authorized state
00:30:26 - meaning the client doesn't have to authenticate because they
00:30:30 - are already authorized or it can lock the port into an unauthorized
00:30:34 - state. Meaning it doesn't matter if they try or they don't try.
00:30:36 - They won't pass 802.1X authentication.
00:30:40 - That can be useful, at least the authorized one when you have
00:30:43 - things like servers or routers. Or wireless access points or
00:30:48 - some devices that don't support 802.1X, but you need to have
00:30:53 - them plugged into the network. We can go under their ports and
00:30:56 - type in force-authorized and that locks the port in an authorized
00:31:00 - state, so they don't, they are not required to authenticate
00:31:05 - using 802.1X. But most of them will use auto and that will, as
00:31:12 - soon as it transitions to a down state. I should mention that
00:31:15 - this isn't going to disrupt your current network, it's just if
00:31:18 - they, if the interface goes down and then tries to come back
00:31:21 - online the switch will not allow it to come back online until
00:31:24 - successful authentication has happened. That should give you
00:31:28 - a good foundation of layer two security. So hitting the high
00:31:33 - points: we talked about why layer two. Well, why not layer two?
00:31:37 - It is such a big piece of our networks nowadays and if the foundation
00:31:41 - isn't secure, the rest of our network fails. Below that we talked
00:31:45 - about some of the common and simple layer two attacks using utilities
00:31:48 - like dsniff or macof to poison the CAM table of your switches
00:31:54 - and cause them to be fancy hubs. Then we looked at how we can
00:31:57 - prevent some of those attacks and we will continue as we go through
00:32:00 - the campus security section looking at others, but using port-security.
00:32:04 - Limiting the number of MAC addresses that can be used per port.
00:32:09 - Saying what MAC addresses can be used on a port. Setting sticky
00:32:12 - MAC addresses so it can be a little easier on your configuration.
00:32:16 - And then finally the ultimate security that doesn't require you
00:32:19 - to type in MAC addresses: 802.1X.
00:32:22 - Requiring the user to either authenticate or have some sort of
00:32:25 - certificate installed on the device before they can access your layer
00:32:29 - two fabric. I hope this has been informative for you and I would
00:32:32 - like to thank you for viewing.
00:00:00 - All right. It's time to make a major shift from all the technology
00:00:04 - we have talked about; wireless, voice over IP, switching architecture,
00:00:09 - spanning tree and so on and shift over to campus security which
00:00:13 - is the final section of the BCMSN series. Now campus security
00:00:18 - is focused on making sure that people don't intrude into your
00:00:22 - layer two architecture. And for a long time people have asked
00:00:26 - that question that I have right up front, our first topic to
00:00:28 - talk about. Why layer two? Is it really important to secure the
00:00:32 - switch architecture? I mean the only way somebody is getting
00:00:36 - there is if they plug into a port which means they are in your
00:00:39 - building. Isn't that physical security anyway? So, we will answer
00:00:43 - that question. Then I will talk about some of the common and
00:00:46 - very simple layer two attacks that somebody can execute and that
00:00:50 - kind of answer the why layer two. Then we will get into configuring
00:00:54 - Catalyst port security which is a big part of what I think a
00:00:58 - lot of organizations miss or forget about and should be doing.
00:01:02 - And then we will talk about a final topic 802.1X and talk about
00:01:06 - where that fits into the grand scheme of things and how we can
00:01:10 - set our switches up to support it. So why should you worry about
00:01:13 - layer 2? I mean if those switches are locked up in a wiring closet
00:01:17 - then people shouldn't be able to get to them anyway right? Uh,
00:01:21 - not right, because people can get to them through the wire. And
00:01:25 - there are common attacks out there that can take out that data
00:01:28 - link layer and I would say it's one of the most forgotten about
00:01:33 - layers because everybody is worried about access lists or firewalls
00:01:36 - protecting the internet from reaching inside of your company
00:01:39 - when really the intruders have gone inside of the companies.
00:01:43 - They are your employees that are poisoning your MAC address table.
00:01:47 - And I will show you one more thing. This right here, poof, has
00:01:51 - changed the face of what we thought layer two security should
00:01:55 - look like. And it's kind of amusing that until wireless access
00:02:00 - came about nobody even worried about layer two security really.
00:02:04 - I mean not much anyway. Because people just figured you have
00:02:08 - to get inside the building to do layer two and we trust our employees.
00:02:14 - Now a lot of that mind set is going away. Not only do you not
00:02:18 - have to be in the building because people can tune into that
00:02:20 - wireless signal, but also employees aren't as trustworthy or
00:02:25 - proving to be as trustworthy as they once were. Let
00:02:29 - me give you an example of a common layer two attack that can
00:02:33 - be pulled off from somebody sitting in their cubicle.
00:02:37 - Uh, side note: if you ever walk by somebody's cubicle and it
00:02:40 - has got a soft red glow and the person is kind of shadowed out
00:02:44 - by the soft red glow behind them and it looks like they are working
00:02:47 - on pie charts or something on the screen, don't trust them. Not
00:02:53 - a trustworthy person. Because that person can use a utility,
00:02:57 - there is actually many of them out there. But a real common one
00:03:00 - is called, woops, dsniff,
00:03:04 - d.s.n.i.f.f. It was originally a Unix only utility and was ported
00:03:09 - over to Windows so both platforms can run it and it's really a
00:03:13 - suite of utilities that are
00:03:17 - pitched as network auditing utilities, but of course can be used
00:03:20 - by the opposite side to attack a network. And one of the tools
00:03:25 - inside of that suite is called MACOF, M.A.C.O.F.,
00:03:31 - just one F. What that does is source many, many, many different
00:03:37 - packets, thousands of them on this port from different MAC addresses.
00:03:41 - So that port starts loading up MAC addresses. It's like, "Wow
00:03:45 - this is a busy port, and this must be like a major uplink to
00:03:48 - another area of the network. I just keep learning and learning
00:03:50 - MAC addresses". And macof is doing its thing. It just keeps
00:03:53 - generating more thousands and thousands of MAC addresses until
00:03:56 - finally the CAM table of your switch fills up. Meaning it can't
00:04:01 - learn any more MAC addresses, it was never designed to learn the
00:04:04 - entire MAC address database that's out there. So what will end
00:04:08 - up happening is not the switch crashing. A lot of people think
00:04:11 - it does, but it doesn't, it is that the switch turns into a hub.
00:04:15 - It says, "Well, since I can't learn any more MAC addresses I am
00:04:19 - just going to send everything everywhere to make sure that everybody
00:04:22 - gets the data they are looking for". And at that point this person
00:04:25 - over here opens a packet sniffer and has easy access to any data
00:04:30 - that is going across the network. Meaning you could be capturing
00:04:33 - voice over IP conversations. You could be capturing you know
00:04:36 - SQL transactions that are happening. There is a lot of stuff
00:04:39 - that could be captured once that happens and that's just one
00:04:42 - of many different attacks that can be pulled off. Most of these
00:04:46 - attacks focus around poisoning the MAC address table in some
00:04:51 - way. So port security is how we can stop it. After seeing that
00:04:58 - it should be a relief to you to know that Cisco switches out
00:05:01 - of the box can protect against those kinds of attacks, it's just
00:05:06 - that most people forget to turn on that kind of security. There
00:05:09 - are two ways to stop those common layer two attacks and one is
00:05:12 - using secure MAC addresses and I will talk about the three different
00:05:15 - kinds of MAC addresses. The other is to limit the number of MAC
00:05:20 - addresses per port. Now in doing this you not only gain the benefit
00:05:24 - of stopping MAC address flooding attacks, but you also stop those
00:05:28 - people from building little mini networks in their cubicles.
00:05:31 - People that bring in their own little hubs and switches at home
00:05:33 - and can potentially introduce spanning tree loops and rogue devices
00:05:37 - into the network. So let's start with that one. Limiting the
00:05:40 - number of MAC addresses per port. All you need to do on your
00:05:44 - Cisco switch is to go under the port that you would like to limit
00:05:49 - this on and I will go ahead and use interface fastethernet0/21.
00:05:54 - I actually have that connected in this little mini network here
00:05:58 - to a hub that has just a single device attached. So on this port
00:06:03 - I am going to type in a couple of things; first off switch port,
00:06:06 - mode access. Now we will talk about the default which is dynamic
00:06:12 - desirable when we get into the next video. It's a horrible default,
00:06:16 - but the access is the mode that it must be on in order to do
00:06:22 - port security. Access says that this is an access port and the
00:06:27 - port will only connect to an end network. Meaning it won't be
00:06:31 - a trunk port connecting to another switch. It will connect to
00:06:34 - a PC or a hub, but everybody is on the same VLAN. Now the first
00:06:38 - thing we need to do is type in switchport port-security. It's
00:06:42 - a commonly forgotten one which turns on port security for that
00:06:46 - switchport. Then we get to type in our switch port, port security
00:06:50 - commands. And I will type in; first off, maximum and I will just
00:06:54 - say 1. To limit this port to a maximum of 1 MAC address. Now
00:07:00 - I can verify that configuration just by jumping out here and
00:07:03 - typing in show port security and we will type in interface fastethernet0/21.
00:07:11 - You can see that right here maximum MAC addresses, oops
00:07:15 - is 1, and the total MAC addresses is 1. The last one that has
00:07:19 - been on there is that MAC address. And that is in VLAN 100, that's
00:07:23 - the one that's configured. That's the one device I have plugged
00:07:26 - in. Now you also see right here the violation mode. The default
00:07:31 - violation mode when you turn on port security is shut down. Let
00:07:35 - me jump back under that interface fastethernet0/21
00:07:39 - and do switchport port-security violation so you can see the
00:07:43 - three modes. Shut down is pretty obvious. If you violate the
00:07:48 - policy it is going to shut down the port. In my opinion it is
00:07:51 - one of the best because you absolutely know when somebody shuts
00:07:56 - down a switchport. It's not that you are, you know, very good
00:08:02 - at reviewing all of your logs and seeing that, it's that you are
00:08:05 - going to get a phone call if somebody goofs up and plugs in multiple
00:08:08 - devices into a switchport you are going to hear a call because
00:08:11 - they can't get their work done anymore. Their port has been shut
00:08:14 - down. And you get to chastise them and have your own little power
00:08:18 - thrill for a moment and be like, "What are you doing?" And you
00:08:21 - feel, it's horrible, but every administrator lives for the moment
00:08:24 - they get to chew out a user. But you know you get to know exactly
00:08:29 - when it happens because you are going to get a phone call. The
00:08:32 - other two you may not know. First off I would completely
00:08:37 - recommend that you do not use protect.
00:08:42 - Protect is a mode where it will, when another MAC address adds
00:08:48 - on above the one that is already on there, above the maximum
00:08:52 - MAC addresses that you have added. It just ignores the other
00:08:56 - MAC addresses. Meaning your port security is still in effect,
00:08:59 - but you don't know when somebody violates the policy. And you
00:09:03 - will never be told either. Restrict is the one that I would recommend.
00:09:07 - If you are not so drastic that you want to shut down the port
00:09:10 - use restrict which does exactly the same thing as protect, but
00:09:16 - whenever somebody does violate your policy this little counter
00:09:23 - will tick up by one. It will say, "Oh, policy violated, security
00:09:26 - violation one". And you will also see a log message if you had
00:09:30 - the logging turned on. You know second one you will see two in
00:09:33 - that list. So even though you are not shutting down the port
00:09:36 - you will at least realize and have a counter to verify when somebody
00:09:40 - is violating the policy. Now keep in mind. If you do have protect
00:09:45 - or restrict turned on, if somebody plugs 2 MAC addresses into
00:09:49 - the port and realizes that one of them is not working they can
00:09:54 - unplug that one and then plug in the other one and allow that
00:09:58 - one to work. That may or may not be a good thing in your network.
00:10:01 - So you know, when they realize that say this MAC address is the
00:10:05 - only one that works, if they disconnect that MAC address they
00:10:07 - will go to a total of 0 and then the next MAC address that they
00:10:11 - plug in will take it back up to 1. So those are the different
00:10:14 - ways that you can do that. Now I will go ahead and leave it on
00:10:17 - a default state of shut down for the switchport port-security
00:10:21 - because I have my Macintosh which is a good hacking machine.
00:10:25 - And I am going to take this and plug this; this will be the second
00:10:28 - device that I add to that switchport. Let me just go ahead and
00:10:33 - plug that one in. Oh,
00:10:36 - good grief. Just as I plug that in, one of the devices I was
00:10:39 - using was, oh good, good it has, sorry I just turned around and
00:10:42 - looked at my screen to see all this. Look at this, as soon as
00:10:45 - I plugged in my MAC address it says, "Port security violation
00:10:48 - occurred on fastethernet0/21".
00:10:51 - I am putting it in the error disable state. So immediately you
00:10:55 - can see that the line protocol has been changed to down and fastethernet0/21
00:11:00 - is now down. So if I hit the up arrow and do that show port security
00:11:04 - you can see that the port status is secure and it has been shut
00:11:08 - down. So don't look at enabled and think, "Oh well my port is
00:11:12 - enabled". That means that it is actually down. And if I do a
00:11:15 - show IP interface brief and look right here at fastethernet0/21
00:11:21 - it just shows up as down. So by looking at that port in this
00:11:25 - state you are just going to think, "Oh well it's just down, there
00:11:28 - must not be anything plugged in". But if you type in show interface
00:11:31 - fastethernet, oops, did I, 0/21.
00:11:39 - You will see that the port is error disabled. That means either
00:11:43 - you have some kind of duplex mismatch that has caused that
00:11:46 - or you have a security violation that has shut the port down.
00:11:50 - I also know that many of you are like me and love commands like
00:11:54 - show IP interface brief where you can see what's going on with
00:11:58 - your switchports all in one quick glance. Well there is another
00:12:01 - command I want to show you that is similar to it. It is show
00:12:04 - interfaces and do status. And you don't need to specify an interface.
00:12:10 - Now you get to see my home, but you can see that all of these
00:12:13 - different interfaces are plugged in. I have brief descriptions
00:12:16 - so this is a good way to know what those switchports are, but
00:12:20 - look at this status column right here. There, as we go down we
00:12:24 - can see what's connected and what's not connected and which ones
00:12:28 - are error disabled. So you have gone, you have chastised your
00:12:32 - users and flogged them appropriately. How do you get that port
00:12:35 - back up? Well there is no quick way to do it. The main way that
00:12:40 - you can go in is go under that port. We will say interface fastethernet0/21,
00:12:45 - do a shutdown and then do a no shutdown. Just typing in no shutdown
00:12:51 - will not re-enable that port. Oh, I still have my Macintosh
00:12:56 - plugged in. So I will plug that, unplug that quickly so that
00:12:59 - it doesn't shut itself down again. But now when I go back and
00:13:03 - do that show interface status you can see that it is restored
00:13:06 - and connected again. So that's how you can restore the down port.
00:13:12 - Now it's not part of the official Cisco
00:13:16 - test prep curriculum so if you are studying for the exam don't
00:13:19 - worry about this stuff I am about to show you, but there is
00:13:24 - another method that not many people know about on Cisco switches.
00:13:28 - Now I am going to show error disable, followed by recovery. There
00:13:34 - is this feature that Cisco switches have called error disabled
00:13:38 - recovery that after, you can see all these different states that
00:13:42 - will cause an error disable. Uh, we just saw security violation
00:13:46 - as one of the reasons. But we have, channel misconfigurations
00:13:49 - that's like an EtherChannel where we have flapping links where
00:13:53 - we, I mean there's all kinds of things that can cause the error
00:13:55 - disable state. We can configure our switch to re-enable the port
00:14:01 - after a certain amount of time. Now you can see that default
00:14:05 - amount of time is 300. But error disable recovery is turned off
00:14:10 - by default. So you can see they are all disabled so even though
00:14:13 - it says that recovery will be in 300 seconds, it's not going to
00:14:17 - be in 300 seconds unless you turn it on. So you can go into global
00:14:21 - configuration mode and type in error disabled recovery, type
00:14:25 - in a specific cause that you want to look for and you can see
00:14:29 - all of these timers to recover from some violation. We will say
00:14:33 - security violation right there, so s-e-c, tab, and you can say, "I
00:14:38 - want to enable recovery for that". You can then type in the error
00:14:43 - disable recovery interval and specify how many seconds you want
00:14:49 - to force the port to be shut down before it recovers itself.
00:14:53 - So now when I jump back here I will type in show, error, disable,
00:14:56 - recovery. You can see now that we are enabled for security violations.
00:15:00 - So if I were to plug my Macintosh into this port and connect
00:15:05 - that thing up it is going to cause the violation, but now a little
00:15:09 - counter has begun in the background that is going to recover
00:15:13 - the port within 300 seconds for that violation.
00:15:19 - That may save you a couple of phone calls. Um, but overall it
00:15:23 - is primarily useful for some of the other ones, usually security
00:15:26 - violation. You want it to stay down. Um, so, uh, the last thing
00:15:30 - I want to show you on this note. I am going to type in show port
00:15:33 - security fastethernet,
00:15:36 - oops, interface fastethernet0/21.
00:15:41 - And you can see right here we do have a security violation counter
00:15:46 - that is ticking. Now I shut down and un-shut down the port and
00:15:50 - powered up the port so it reset that counter. But this counter
00:15:53 - will continue to tick however many security violations you have
00:15:57 - on a given interval. So that's one you can always refer to, to
00:16:01 - see what's going on. Now that's the limiting of MAC addresses
00:16:04 - per port. The last thing I want to talk about is secure MAC addresses.
00:16:09 - By default all your switches will learn dynamic MAC addresses.
00:16:13 - That is just what they do. And that's the default MAC address
00:16:17 - type. Now we can transform them from dynamic addresses over to
00:16:21 - static or sticky MAC addresses. Now static MAC addresses are
00:16:26 - pretty straight forward. I am going to go back up under the interface
00:16:29 - fastethernet0/21 and let's, let's do, let me first off do switchport
00:16:35 - port-security; I will do a maximum of 10. Just to allow me to
00:16:40 - plug multiple devices in there. But the first way I can configure
00:16:44 - static MAC addresses is by typing in switchport port-security
00:16:47 - MAC address and just type in whatever MAC address I want. I have
00:16:51 - seen a lot of government agencies use this to where they can
00:16:54 - type in the specific MAC address allowed on that port and no
00:16:59 - other MAC address will be able to access that. If you are going
00:17:04 - to use the static MAC address method and say, "My MAC address
00:17:08 - was this".
00:17:11 - Be sure to couple it with the maximum MAC address command. Now
00:17:16 - I just showed you, I just cranked it up right up on the screen
00:17:19 - above us, to 10 MAC addresses. If I statically type in MAC addresses
00:17:24 - and say, "You know 1, 1, 1, 1, 1, 1, 1" and that's the only MAC
00:17:27 - address I want on that port then make sure you change the maximum
00:17:30 - to 1; because if I leave it at 10 it will allow only that 1,
00:17:35 - 1, 1, 1, 1, 1, 1, 1 and 9 dynamic entries. It's kind of a combination
00:17:40 - of static and dynamic. So it will allow whatever static ones
00:17:44 - I have typed in plus whatever the maximum buffer is to the maximum
00:17:49 - number of MAC addresses I am allowing on that port. So, type
00:17:53 - in however many MAC addresses you want and then set the maximum.
00:17:58 - The second way that we can do this is by taking a calculated
00:18:04 - risk. Now you can see right below here I have sticky. Sticky
00:18:10 - MAC addresses are your way of allowing the switch to do the work
00:18:14 - for you. You can imagine how difficult it would be in a network
00:18:19 - of 100 or 1,000 PCs to sit there and type in all the MAC addresses
00:18:24 - of those PCs into the ports. I am not saying it can't be done
00:18:27 - and I am not saying it is very beneficial if you are paid by
00:18:30 - the hour. However, if you are salary you don't want to sit there
00:18:35 - all night typing those things in. So you can take a calculated
00:18:38 - risk. And that is using the sticky keyword. What will happen
00:18:42 - when you use sticky is the switch will automatically hard code
00:18:49 - any MAC address you have plugged into that point, port, into
00:18:53 - the running configuration. And as soon as you save that to the
00:18:57 - startup configuration
00:18:59 - that is set permanently. Let me give you an example. I am going
00:19:03 - to first off do, before I type this command in here, let me just
00:19:07 - hit enter. I am going to type in do, show, run, interface, fastethernet0/21
00:19:13 - and we can see that as of right now we have the port security
00:19:17 - turned on and the maximum is set to 10. Now I am also going to
00:19:22 - type in do show MAC address table and I will focus in on interface
00:19:27 - fastethernet0/21 and you can see as of right now, oh do I have
00:19:31 - both of those plugged in? Oh, no I just have, have not cleared
00:19:35 - out since I plugged both MAC addresses in. Let me just plug and
00:19:39 - unplug that port real quick and, uh, give it a sec to cycle.
00:19:46 - There we go, okay. I just unplugged the port and plugged it back
00:19:49 - in and so it now just has that one MAC address. All right.
00:19:53 - So here is what I am going to do. I am going to type in switchport.
00:19:57 - Oh, let me clear all this junk off.
00:20:00 - I will type in switchport
00:20:03 - port-security maximum and then I will type in sticky.
00:20:10 - And when I said sticky I meant, oh, I am just losing it here.
00:20:15 - I am sorry. It is port-security MAC address. Sticky? I am saying
00:20:19 - that in a running-config, it's blending together in my mind. Now
00:20:22 - watch what happened when I did that. I am going to do a show,
00:20:26 - run, interface, fastethernet0/21.
00:20:30 - Let me squeeze the do command in front of that. And you can see
00:20:33 - that it's got the command I typed in there, but look at that.
00:20:36 - It automatically hard coded the first MAC address that it saw
00:20:41 - on that port. I look at the up arrow and it's right there. Now
00:20:44 - if I do a show start interface fastethernet0/21,
00:20:49 - oh it doesn't let me use the interface command. It's not saved
00:20:53 - in the startup-config is the point I am trying to prove. So,
00:20:56 - in order to save that MAC address we have to do a save-config,
00:21:00 - copy, run, start or write memory and that will allow you to save
00:21:04 - that MAC address to your startup-config. Now watch this. I am
00:21:07 - going to reach over and plug my Macintosh in here, click; I just
00:21:12 - plugged my Macintosh in. I am going to hit the up arrow and do
00:21:14 - a show, run and
00:21:17 - do it again and one more time. Oh where is my Macintosh? Let
00:21:24 - me do a show MAC address
00:21:29 - table interface fastethernet0/21.
00:21:33 - My Macintosh has died. Oh, are you kidding me. It just went into
00:21:37 - sleep mode. Sorry, let me; let me move the mouse around. There
00:21:41 - we go. I moved the mouse around. Let me hit the up arrow. Oh,
00:21:44 - there we go. It is now back in the list. I am going to go into
00:21:48 - do the show run again. This is the point I am trying to prove.
00:21:50 - I have got this sticky MAC address that has now learned a second
00:21:53 - MAC address and I can save my config. How many MAC addresses
00:21:57 - will this feature learn? As many as I have set for the maximum
00:22:01 - here. So if I know there is only going to be two MAC addresses
00:22:05 - on this port I will change this over and say switchport port-security
00:22:10 - maximum 2. And at that point I have already, I have set the maximum
00:22:15 - to 2 and I have used the sticky command so the only two MAC addresses
00:22:19 - that are allowed on that port are these two. You can see it's
00:22:22 - a calculated risk because if there is an intruder plugged into
00:22:25 - the network or a rogue device it will learn its MAC address just
00:22:30 - like everything else. So of course the more secure way is to
00:22:33 - manually type in every MAC address. However the more reasonable
00:22:37 - way to approach this is to use the sticky feature. Sometimes,
00:22:41 - you know, going on a port, by port, by port so you know what's
00:22:44 - plugged in, or you can be brave and use the interface range command
00:22:47 - and just learn everything that's on that switch at this given
00:22:51 - point. So that's your way of doing maximum number of MAC addresses
00:22:56 - per port and combining it with the secure MAC addresses. The
00:23:01 - last thing we will talk about is identity based network services,
00:23:05 - or what people nowadays call 802.1X.
00:23:09 - IBNS was Cisco's name for it before 802.1X was released. But
00:23:14 - now 802.1X is out there and that's what everybody uses. So 802.1X
00:23:20 - kind of shook the world up quite a bit because it was the first
00:23:24 - authentication method that allowed the switch to participate
00:23:29 - in authentication without ever seeing the user name and password
00:23:33 - or authentication method that's used. Now the reason that is
00:23:36 - so huge is because all of the previous methods like if you think
00:23:40 - of MD5 hashing or you know certificate based authentication.
00:23:44 - All those kind of methods required that the supplicant provide
00:23:48 - its credentials to the switch. And the switch gets them, looks
00:23:51 - at them and says, "Okay that's good". Or you know even passes
00:23:54 - them to the authentication server and the authentication server
00:23:57 - checks them and sends them back and says "Hey that's okay". But
00:24:00 - the authenticator has to be intimately involved in the process.
00:24:05 - Meaning if you are using MD5 authentication then the authenticator
00:24:09 - or the switch in the middle has to support MD5. If you are using
00:24:12 - certificates the authenticator has to understand
00:24:16 - certificates. With 802.1X
00:24:19 - the beauty is this dotted line right here. Only the supplicant
00:24:24 - and the authentication server see the actual authentication attempt.
00:24:30 - The authenticator which is your Cisco switch sitting in the middle
00:24:33 - just says yea or nay. Meaning the supplicant plugs in or this
00:24:37 - is the client and says, "Hey I want to use the network". The
00:24:40 - authenticator says, "Oh well you are required to authenticate".
00:24:43 - And the supplicant says, "Well here's my authentication". It
00:24:47 - goes through the switch to the authentication server and the
00:24:50 - authentication server looks at it and says, "Oh, well they either
00:24:53 - pass or they don't". And communicates back to the authenticator
00:24:57 - with RADIUS or TACACS+ and says, "You can either leave that port
00:25:01 - on or power that port down right now because they did not pass
00:25:04 - authentication". Using these methods we can swap out the authentication
00:25:10 - strategies as new methods are released. Meaning if MD5 is considered
00:25:15 - weak in a few years we can swap out MD5 for something else. If
00:25:19 - we want to use certificates we can swap those out. If some new
00:25:22 - fingerprinting technology where you have to do a fingerprint
00:25:26 - or retinal scan, or whatever your futuristic authentication you
00:25:29 - want to use is we can do that and the switch doesn't have to
00:25:34 - be upgraded. All we have to do is choose a different kind of
00:25:37 - EAP on the supplicant and the authentication server. That's what
00:25:41 - EAP stands for extensible authentication protocol. And you never
00:25:46 - deploy just EAP by itself because EAP is just an empty shell.
00:25:51 - It's kind of like, let me say this. We have got this big you
00:25:55 - know shell here that is the EAP standard and that's what the
00:25:59 - authenticator understands and understands that it is an EAP packet.
00:26:04 - But it does not look inside, which could contain the TLS method,
00:26:08 - it could contain PEAP, it could contain LEAP. You know they all
00:26:12 - kind of rhyme, it's funny. And each one of those supports a different
00:26:15 - kind of authentication. Some of them might be certificate based.
00:26:18 - Some of them might be clear text. It doesn't matter. The authenticator
00:26:21 - doesn't care because it just takes the EAP shell and passes it
00:26:25 - through via RADIUS or TACACS+ through the authentication server.
00:26:29 - Now we do not focus on and Cisco does not expect you to know
00:26:34 - how to set up the supplicant or the authentication server for
00:26:39 - 802.1X because there are so many platforms it could be. It could
00:26:43 - be a Linux client and a Windows server. Or a Windows server and
00:26:47 - a Windows client and you know each one has a slightly different
00:26:51 - way and slightly different software to make it happen. I don't
00:26:54 - want to leave you hanging on that though because we do talk about
00:26:57 - the authenticator configuring the switch to support 802.1X, but
00:27:01 - there is a great web link I ran across and this is, I am sure,
00:27:04 - one of many that are out there. It is at a university CS.UMD.EDU.
00:27:09 - Somebody just wrote a how to article on how to set up a supplicant
00:27:14 - Windows XP workstation and an authentication server. A Windows
00:27:19 - 2000 server they use which works for 2003
00:27:23 - or 2008 or whatever version of Windows server you are using.
00:27:27 - To set those up and it's a step by step walk through. What we
00:27:31 - are going to focus on here is setting up the Cisco switch to
00:27:35 - support it. So let's jump into the switch right now. I am on
00:27:40 - the Catalyst 3550.
00:27:43 - What I need to do is go into global config mode and type in,
00:27:45 - first off if you haven't done it before, triple-A new model.
00:27:49 - Now that enables Cisco's triple-A, that's authentication, authorization
00:27:54 - and accounting.
00:27:56 - There are triple-A authentication mechanisms across the board.
00:27:59 - Now that can apply to anything. You can now use triple-A to authenticate
00:28:02 - people telneting into your router or people trying to access
00:28:07 - the web interface. There are all kinds of different things triple-A
00:28:09 - can be used for, but this just turns it on. We are then going
00:28:12 - to follow that up with triple-A authentication and it's going
00:28:15 - to ask what are you going to do authentication for? Is this for
00:28:19 - people to log into the router, for PPP sessions? We are going
00:28:23 - to choose dot1x, which you may need to upgrade your IOS on a switch
00:28:28 - because it is a more recent method. Oh, the last few years. So
00:28:32 - we choose 802.1X
00:28:34 - as what we are authenticating. Then we need to type in how it's
00:28:38 - going to be authenticated. Now this is where I will kind of let
00:28:42 - the CCSP course pick up, but the CCSP courses show you how to
00:28:46 - set up RADIUS servers or TACACS+ that have user databases that
00:28:50 - can be authenticated with. And we configure our Cisco routers
00:28:54 - or Cisco switches to point to those RADIUS servers by using the
00:28:58 - global command radius-server or tacacs-server.
00:29:03 - But we will just imagine that we created one of those. And I
00:29:06 - will say use the default authentication list for the server group
00:29:11 - RADIUS. Use the RADIUS servers to authenticate 802.1X clients.
00:29:15 - So what this command means in English is when somebody plugs
00:29:19 - in it is going to go to the predefined list of RADIUS servers
00:29:23 - that we are assuming was created, um to authenticate people that
00:29:28 - are using 802.1X.
00:29:30 - Now we type in dot1x system-auth-control, which is the way to globally
00:29:39 - turn on 802.1X on the switch. It is like the power switch on
00:29:43 - 802.1X. Now all we have to do is go under each individual interface
00:29:48 - and type in or use the interface range command; type in dot1x port-control
00:29:53 - and what method we want. Most of the time you will be
00:29:57 - using port-control auto. I know which goes against my auto not
00:30:02 - use it recommendation, but auto says when somebody plugs in and
00:30:06 - if they successfully authenticate then they will be allowed.
00:30:10 - If they do not successfully authenticate they will be denied.
00:30:13 - So that turns on 802.1X on the port. Now right below that you
00:30:18 - can see force-authorized and force-unauthorized.
00:30:22 - What those do is either lock the port into an authorized state
00:30:26 - meaning the client doesn't have to authenticate because they
00:30:30 - are already authorized or it can lock the port into an unauthorized
00:30:34 - state. Meaning it doesn't matter if they try or they don't try.
00:30:36 - They won't pass 802.1X authentication.
00:30:40 - That can be useful, at least the authorized one when you have
00:30:43 - things like servers or routers. Or wireless access points or
00:30:48 - some devices that don't support 802.1X, but you need to have
00:30:53 - them plugged into the network. We can go under their ports and
00:30:56 - type in force-authorized and that locks the port in an authorized
00:31:00 - state, so they don't, they are not required to authenticate
00:31:05 - using 802.1X. But most of them will use auto and that will, as
00:31:12 - soon as it transitions to a down state. I should mention that
00:31:15 - this isn't going to disrupt your current network, it's just if
00:31:18 - they, if the interface goes down and then tries to come back
00:31:21 - online the switch will not allow it to come back online until
00:31:24 - successful authentication has happened. That should give you
00:31:28 - a good foundation of layer two security. So hitting the high
00:31:33 - points: we talked about why layer two. Well, why not layer two?
00:31:37 - It is such a big piece of our networks nowadays and if the foundation
00:31:41 - isn't secure, the rest of our network fails. Below that we talked
00:31:45 - about some of the common and simple layer two attacks using utilities
00:31:48 - like dsniff or macof to poison the CAM table of your switches
00:31:54 - and cause them to be fancy hubs. Then we looked at how we can
00:31:57 - prevent some of those attacks and we will continue as we go through
00:32:00 - the campus security section looking at others, but using port-security.
00:32:04 - Limiting the number of MAC addresses that can be used per port.
00:32:09 - Saying what MAC addresses can be used on a port. Setting sticky
00:32:12 - MAC addresses so it can be a little easier on your configuration.
00:32:16 - And then finally the ultimate security that doesn't require you
00:32:19 - to type in MAC addresses 802.1X.
00:32:22 - Requiring the user to either authenticate or have some sort of
00:32:25 - certificate installed on the device before they can access your layer
00:32:29 - two fabric. I hope this has been informative for you and I would
00:32:32 - like to thank you for viewing.
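The configuration the lesson walks through, collected in one place as an added example (this is not the course's own config). Interface numbers other than fa0/21, the MAC address, the RADIUS server address and key are constructed placeholders, and the syntax is classic Cisco IOS of the Catalyst 3550 generation.

```cisco
! Added example, not the course's own configuration. fa0/22, fa0/23, the
! MAC 0011.2233.4455, the RADIUS host 192.0.2.10 and its key are constructed.

! --- Port security with a static MAC: exactly one device allowed ---------
interface FastEthernet0/21
 switchport mode access
 switchport port-security
 ! Weak form from the lesson: leaving the maximum at 10 next to one static
 ! entry still admits 9 dynamically learned addresses on the port.
 ! switchport port-security maximum 10
 ! Corrected: the maximum matches the number of static entries.
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 ! shutdown (err-disable) is the default violation action; stated for clarity
 switchport port-security violation shutdown
!
! --- Port security with sticky learning: two known devices ---------------
! Calculated risk from the lesson: whatever is plugged in when sticky is
! enabled gets learned, rogue device included, so enable it on a known-clean port.
interface FastEthernet0/22
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Sticky entries are written only to the running-config; they survive a
! reload only after:
!   copy running-config startup-config     (or: write memory)
!
! --- 802.1X: global enable and RADIUS as the authentication server -------
aaa new-model
radius-server host 192.0.2.10 key RADIUS_KEY_PLACEHOLDER
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! Per port: auto = must authenticate when the link comes up;
! force-authorized = no supplicant required (servers, APs, printers);
! force-unauthorized = nothing passes regardless of credentials.
interface range FastEthernet0/1 - 20
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/23
 switchport mode access
 dot1x port-control force-authorized
!
! --- Verification commands used in the lesson ----------------------------
! show port-security interface FastEthernet0/21     (violation counter)
! show mac address-table interface FastEthernet0/22  (what the port learned)
! show running-config interface FastEthernet0/22     (sticky entries present?)
! show dot1x interface FastEthernet0/1               (port-control state)
```

Note that with sticky the maximum is the cap on how many addresses will ever be learned, so set it to the real device count before enabling learning rather than afterwards.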


Jeremy Cioara

CBT Nuggets Trainer

Certifications:
Cisco CCNA, CCDA, CCNA Security, CCNA Voice, CCNP, CCSP, CCVP, CCDP, CCIE R&S; Amazon Web Services CSA; Microsoft MCP, MCSE, Novell CNA, CNE; CompTIA A+, Network+, iNet+

Area Of Expertise:
Cisco network administration and development. Author or coauthor of numerous books, including: CCNA Voice 640-461 Official Cert Guide; CCNA Voice Official Exam Certification Guide (640-460 IIUC); CCENT Exam Prep (Exam 640-822); CCNA Exam Cram (Exam 640-802) 3rd Edition; and CCNA Voice 640-461 Official Cert Guide.

Campus Security: Basic Port Security and 802.1x