
Employers know that CCNP-certified job applicants have a real-world knowledge of networking. They also know that Cisco awards big discounts to companies that hire Cisco-certified staff.

After watching Jeremy Cioara's new CCNP 642-813 SWITCH training, you'll be a master-level consultant on Cisco switched networks. You'll also have brighter career prospects and be an important step closer to CCNP certification.

Jeremy covers everything you ever wanted to know about switching in this update to his existing BCMSN course. In no time, you'll be designing your network for maximum uptime and preparing it for advanced services like WiFi, VoIP and Video over IP.

Jeremy's training maps to Cisco CCNP certification exam 642-813.
1. Welcome to Cisco Switch: Watch Me First! (17 min)
2. The Switches Domain: Core Concepts and Design (42 min)
3. VLANs: Configuration and Verification (13 min)
4. VLANs: In-Depth Trunking (35 min)
5. VLANs: VLAN Trunking Protocol (33 min)
6. STP: Foundation Per-VLAN Spanning Tree Concepts, Part 1 (23 min)
7. STP: Foundation Per-VLAN Spanning Tree Concepts, Part 2 (34 min)
8. STP: Rapid Spanning Tree Concepts and Configuration (24 min)
9. EtherChannel: Aggregating Redundant Links (24 min)
10. L3 Switching: InterVLAN Routing Extraordinaire (28 min)
11. L3 Switching: Understanding CEF Optimization (16 min)
12. Redundancy in the Campus: HSRP, VRRP, and GLBP Part 1 (43 min)
13. Redundancy in the Campus: HSRP, VRRP, and GLBP Part 2 (23 min)
14. Campus Security: Basic Port Security and 802.1x (32 min)
15. Campus Security: VLAN and Spoofing Attacks (31 min)
16. Campus Security: STP Attacks and Other Security Considerations (15 min)
17. Campus VoIP: Overview, Considerations, and AutoQoS (44 min)
18. Wireless LAN: Foundation Concepts and Design Part 1 (26 min)
19. Wireless LAN: Foundation Concepts and Design Part 2 (22 min)
20. Wireless LAN: Frequencies and 802.11 Standards (34 min)
21. Wireless LAN: Understanding the Hardware (30 min)
22. The Switches Domain: Additional Life-Saving Technology (22 min)
23. Monitoring: Your Pulse on the Network (45 min)
24. Campus Security: VACLs (14 min)

Campus Security: Basic Port Security and 802.1x

00:00:00

All right. It's time to make a major shift from all the technology we have talked about: wireless, voice over IP, switching architecture, spanning tree and so on, and shift over to campus security, which is the final section of the BCMSN series. Now campus security

00:00:18

is focused on making sure that people don't intrude into your layer two architecture. And for a long time people have asked that question that I have right up front as our first topic to talk about. Why layer two? Is it really important to secure the switch architecture? I mean, the only way somebody is getting there is if they plug into a port, which means they are in your building. Isn't that physical security anyway? So, we will answer

00:00:43

that question. Then I will talk about some of the common and very simple layer two attacks that somebody can execute, and that kind of answers the "why layer two". Then we will get into configuring Catalyst port security, which is a big part of what I think a lot of organizations miss or forget about and should be doing.

00:01:02

And then we will talk about a final topic, 802.1X, and talk about where that fits into the grand scheme of things and how we can set our switches up to support it. So why should you worry about layer 2? I mean, if those switches are locked up in a wiring closet then people shouldn't be able to get to them anyway, right? Uh, not right, because people can get to them through the wire. And

00:01:25

there are common attacks out there that can take out that data link layer, and I would say it's one of the most forgotten about layers, because everybody is worried about access lists or firewalls protecting the internet from reaching inside of your company, when really the intruders have gone inside of the companies.

00:01:43

They are your employees that are poisoning your MAC address table. And I will show you one more thing. This right here, poof, has changed the face of what we thought layer two security should look like. And it's kind of amusing that until wireless access

00:02:00

came about nobody even worried about layer two security, really. I mean, not much anyway. Because people just figured you have to get inside the building to do layer two and we trust our employees. Now a lot of that mindset is going away. Not only do you not

00:02:18

have to be in the building, because people can tune into that wireless signal, but also employees aren't as trustworthy, or proving to be as trustworthy, as they once were. Let me give you an example of a common layer two attack that can be pulled off from somebody sitting in their cubicle.

00:02:37

Uh, side note: if you ever walk by somebody's cubicle and it has got a soft red glow, and the person is kind of shadowed out by the soft red glow behind them, and it looks like they are working on pie charts or something on the screen, don't trust them. Not

00:02:53

a trustworthy person. Because that person can use a utility; there are actually many of them out there. But a real common one is called, whoops, dsniff, d.s.n.i.f.f. It was originally a Unix-only utility and was ported over to Windows, so both platforms can run it, and it's really a suite of utilities that are pitched as network auditing utilities, but of course can be used by the opposite side to attack a network. And one of the tools

00:03:25

inside of that suite is called macof, M.A.C.O.F., just one F. What that does is source many, many, many different packets, thousands of them, on this port from different MAC addresses. So that port starts loading up MAC addresses. It's like, "Wow, this is a busy port, and this must be like a major uplink to another area of the network. I just keep learning and learning

00:03:50

MAC addresses". And macof is doing its thing. It just keeps generating more thousands and thousands of MAC addresses until finally the CAM table of your switch fills up. Meaning it can't learn any more MAC addresses; it was never designed to learn the entire MAC address database that's out there. So what will end

00:04:08

up happening is not the switch crashing. A lot of people think it does, but it doesn't; it is that the switch turns into a hub. It says, "Well, since I can't learn any more MAC addresses I am just going to send everything everywhere to make sure that everybody gets the data they are looking for". And at that point this person

00:04:25

over here opens a packet sniffer and has easy access to any data that is going across the network. Meaning you could be capturing voice over IP conversations. You could be capturing, you know, SQL transactions that are happening. There is a lot of stuff

00:04:39

that could be captured once that happens, and that's just one of many different attacks that can be pulled off. Most of these attacks focus around poisoning the MAC address table in some way. So port security is how we can stop it. After seeing that, it should be a relief to you to know that Cisco switches out of the box can protect against those kinds of attacks; it's just that most people forget to turn on that kind of security. There

00:05:09

are two ways to stop those common layer two attacks, and one is using secure MAC addresses, and I will talk about the three different kinds of MAC addresses. The other is to limit the number of MAC addresses per port. Now in doing this you not only gain the benefit

00:05:24

of stopping MAC address flooding attacks, but you also stop those people from building little mini networks in their cubicles. People that bring in their own little hubs and switches from home and can potentially introduce spanning tree loops and rogue devices into the network. So let's start with that one. Limiting the

00:05:40

number of MAC addresses per port. All you need to do on your Cisco switch is to go under the port that you would like to limit this on, and I will go ahead and use interface fastethernet0/21. I actually have that connected in this little mini network here to a hub that has just a single device attached. So on this port

00:06:03

I am going to type in a couple of things; first off, switchport mode access. Now we will talk about the default, which is dynamic desirable, when we get into the next video. It's a horrible default, but access is the mode that it must be on in order to do port security. Access says that this is an access port and the

00:06:27

port will only connect to an end network. Meaning it won't be a trunk port connecting to another switch. It will connect to a PC or a hub, but everybody is on the same VLAN. Now the first thing we need to do is type in switchport port-security. It's a commonly forgotten one which turns on port security for that switchport. Then we get to type in our switchport port-security

00:06:50

commands. And I will type in, first off, maximum, and I will just say 1, to limit this port to a maximum of 1 MAC address. Now I can verify that configuration just by jumping out here and typing in show port-security, and we will type in interface fastethernet0/21. You can see that right here maximum MAC addresses, oops, is 1, and the total MAC addresses is 1. The last one that has been on there is that MAC address. And that is in VLAN 100; that's the one that's configured. That's the one device I have plugged

00:07:26

in. Now you also see right here the violation mode. The default violation mode when you turn on port security is shutdown. Let me jump back under that interface fastethernet0/21 and do switchport port-security violation so you can see the three modes. Shutdown is pretty obvious. If you violate the

00:07:48

policy it is going to shut down the port. In my opinion it is one of the best, because you absolutely know when somebody shuts down a switchport. It's not that you are, you know, very good at reviewing all of your logs and seeing that; it's that you are going to get a phone call. If somebody goofs up and plugs multiple devices into a switchport, you are going to get a call, because they can't get their work done anymore. Their port has been shut

00:08:14

down. And you get to chastise them and have your own little power thrill for a moment and be like, "What are you doing?" And you feel, it's horrible, but every administrator lives for the moment they get to chew out a user. But, you know, you get to know exactly

00:08:29

when it happens because you are going to get a phone call. The other two you may not know. First off, I would completely recommend that you do not use protect. Protect is a mode where, when another MAC address adds on above the one that is already on there, above the maximum MAC addresses that you have added, it just ignores the other

00:08:56

MAC addresses. Meaning your port security is still in effect, but you don't know when somebody violates the policy. And you will never be told, either. Restrict is the one that I would recommend. If you are not so drastic that you want to shut down the port, use restrict, which does exactly the same thing as protect, but whenever somebody does violate your policy this little counter will tick up by one. It will say, "Oh, policy violated, security

00:09:26

violation one". And you will also see a log message if you had the logging turned on. You know, second one, you will see two in that list. So even though you are not shutting down the port you will at least realize and have a counter to verify when somebody is violating the policy. Now keep in mind, if you do have protect

00:09:45

or restrict turned on, if somebody plugs 2 MAC addresses into the port and realizes that one of them is not working, they can unplug that one and then plug in the other one and allow that one to work. That may or may not be a good thing in your network. So, you know, when they realize that, say, this MAC address is the only one that works, if they disconnect that MAC address they will go to a total of 0, and then the next MAC address that they plug in will take it back up to 1. So those are the different ways that you can do that. Now I will go ahead and leave it on

00:10:17

the default state of shutdown for the switchport port-security, because I have my Macintosh, which is a good hacking machine. And I am going to take this and plug this in; this will be the second device that I add to that switchport. Let me just go ahead and plug that one in. Oh,

00:10:36

good grief. Just as I plug that in, one of the devices I was using was, oh good, good, it has, sorry, I just turned around and looked at my screen to see all this. Look at this: as soon as I plugged in my MAC address it says, "Port security violation occurred on fastethernet0/21". I am putting it in the error-disabled state. So immediately you

00:10:55

can see that the line protocol has been changed to down and fastethernet0/21 is now down. So if I hit the up arrow and do that show port-security, you can see that the port status is secure and it has been shut down. So don't look at enabled and think, "Oh well, my port is

00:11:12

enabled". That means that it is actually down. And if I do a show ip interface brief and look right here at fastethernet0/21, it just shows up as down. So by looking at that port in this state you are just going to think, "Oh well, it's just down, there must not be anything plugged in". But if you type in show interface

00:11:31

fastethernet, oops, did I, 0/21, you will see that the port is error disabled. That means either you have some kind of duplex mismatch that has caused that or you have a security violation that has shut the port down. I also know that many of you are like me and love commands like show ip interface brief, where you can see what's going on with your switchports all in one quick glance. Well, there is another

00:12:01

command I want to show you that is similar to it. It is show interfaces status. And you don't need to specify an interface. Now you get to see my home, but you can see that all of these different interfaces are plugged in. I have brief descriptions

00:12:16

so this is a good way to know what those switchports are, but look at this status column right here. There, as we go down, we can see what's connected and what's not connected and which ones are error disabled. So you have gone, you have chastised your

00:12:32

users and flogged them appropriately. How do you get that port back up? Well, there is no quick way to do it. The main way that you can go in is to go under that port. We will say interface fastethernet0/21, do a shutdown and then do a no shutdown. Just typing in no shutdown

00:12:51

will not re-enable that port. Oh, I still have my Macintosh plugged in. So I will plug that, unplug that quickly so that it doesn't shut itself down again. But now when I go back and do that show interface status you can see that it is restored and connected again. So that's how you can restore the down port.

00:13:12

Now it's not part of the official Cisco test prep curriculum, so if you are studying for the exam don't worry about this stuff I am about to show you, but there is another method that not many people know about on Cisco switches. Now I am going to type show errdisable, followed by recovery. There

00:13:34

is this feature that Cisco switches have called error disable recovery that, after, you can see all these different states that will cause an error disable. Uh, we just saw security violation as one of the reasons. But we have channel misconfigurations,

00:13:49

that's like an EtherChannel where we have flapping links where we, I mean, there's all kinds of things that can cause the error disable state. We can configure our switch to re-enable the port after a certain amount of time. Now you can see that the default

00:14:05

amount of time is 300. But error disable recovery is turned off by default. So you can see they are all disabled, so even though it says that recovery will be in 300 seconds, it's not going to be in 300 seconds unless you turn it on. So you can go into global configuration mode and type in errdisable recovery, type in a specific cause that you want to look for, and you can see all of these timers to recover from some violation. We will say

00:14:33

security violation right there, so sec, tab, and you can say, "I want to enable recovery for that". You can then type in the errdisable recovery interval and specify how many seconds you want to force the port to be shut down before it recovers itself.

00:14:53

So now when I jump back here I will type in show errdisable recovery. You can see now that we are enabled for security violations. So if I were to plug my Macintosh into this port and connect that thing up, it is going to cause the violation, but now a little counter has begun in the background that is going to recover the port within 300 seconds for that violation. That may save you a couple of phone calls. Um, but overall it

00:15:23

is primarily useful for some of the other ones; usually for security violation you want it to stay down. Um, so, uh, the last thing I want to show you on this note. I am going to type in show port-security fastethernet, oops, interface fastethernet0/21. And you can see right here we do have a security violation counter that is ticking. Now I shut down and un-shut down the port and

00:15:50

powered up the port, so it reset that counter. But this counter will continue to tick however many security violations you have on a given interface. So that's one you can always refer to, to see what's going on. Now that's the limiting of MAC addresses per port. The last thing I want to talk about is secure MAC addresses.

00:16:09

By default all your switches will learn dynamic MAC addresses. That is just what they do. And that's the default MAC address type. Now we can transform them from dynamic addresses over to static or sticky MAC addresses. Now static MAC addresses are pretty straightforward. I am going to go back up under the interface

00:16:29

fastethernet0/21 and let's, let's do, let me first off do switchport port-security; I will do a maximum of 10, just to allow me to plug multiple devices in there. But the first way I can configure static MAC addresses is by typing in switchport port-security mac-address and just typing in whatever MAC address I want. I have

00:16:51

seen a lot of government agencies use this, where they can type in the specific MAC address allowed on that port and no other MAC address will be able to access that. If you are going to use the static MAC address method and say, "My MAC address was this",

00:17:11

be sure to couple it with the maximum MAC address command. Now I just showed you, I just cranked it up, right up on the screen above us, to 10 MAC addresses. If I statically type in MAC addresses and say, "You know, 1, 1, 1, 1, 1, 1, 1" and that's the only MAC address I want on that port, then make sure you change the maximum to 1; because if I leave it at 10 it will allow only that 1, 1, 1, 1, 1, 1, 1, 1 and 9 dynamic entries. It's kind of a combination of static and dynamic. So it will allow whatever static ones

00:17:44

I have typed in plus whatever the buffer is up to the maximum number of MAC addresses I am allowing on that port. So, type in however many MAC addresses you want and then set the maximum. The second way that we can do this is by taking a calculated risk. Now you can see right below here I have sticky. Sticky

00:18:10

MAC addresses are your way of allowing the switch to do the work for you. You can imagine how difficult it would be in a network of 100 or 1,000 PCs to sit there and type in all the MAC addresses of those PCs into the ports. I am not saying it can't be done

00:18:27

and I am not saying it is very beneficial if you are paid by the hour. However, if you are salaried you don't want to sit there all night typing those things in. So you can take a calculated risk. And that is using the sticky keyword. What will happen when you use sticky is the switch will automatically hard code any MAC address you have plugged into that point, port, into the running configuration. And as soon as you save that to the

00:18:57

startup configuration that is set permanently. Let me give you an example. I am going to first off do, before I type this command in here, let me just hit enter. I am going to type in do show run interface fastethernet0/21, and we can see that as of right now we have the port security turned on and the maximum is set to 10. Now I am also going to type in do show mac address-table and I will focus in on interface fastethernet0/21, and you can see as of right now, oh, do I have both of those plugged in? Oh no, I just have, have not cleared out since I plugged both MAC addresses in. Let me just plug and

00:19:39

unplug that port real quick and, uh, give it a sec to cycle. There we go, okay. I just unplugged the port and plugged it back in, and so it now just has that one MAC address. All right. So here is what I am going to do. I am going to type in switchport.

00:19:57

Oh, let me clear all this junk off. I will type in switchport port-security maximum and then I will type in sticky. And when I said sticky I meant, oh, I am just losing it here. I am sorry. It is port-security mac-address sticky. I am saying that in a running-config; it's blending together in my mind. Now

00:20:22

watch what happened when I did that. I am going to do a show run interface fastethernet0/21. Let me squeeze the do command in front of that. And you can see that it's got the command I typed in there, but look at that. It automatically hard coded the first MAC address that it saw on that port. I look at the up arrow and it's right there. Now

00:20:44

if I do a show start interface fastethernet0/21, oh, it doesn't let me use the interface command. It's not saved in the startup-config is the point I am trying to prove. So, in order to save that MAC address we have to do a save-config: copy run start or write memory, and that will allow you to save that MAC address to your startup-config. Now watch this. I am

00:21:07

going to reach over and plug my Macintosh in here, click; I just plugged my Macintosh in. I am going to hit the up arrow and do a show run and do it again and one more time. Oh, where is my Macintosh? Let me do a show mac address-table interface fastethernet0/21. My Macintosh has died. Oh, are you kidding me? It just went into

00:21:37

sleep mode. Sorry, let me; let me move the mouse around. There we go. I moved the mouse around. Let me hit the up arrow. Oh, there we go. It is now back in the list. I am going to go in and do the show run again. This is the point I am trying to prove. I have got this sticky MAC address that has now learned a second MAC address and I can save my config. How many MAC addresses

00:21:57

will this feature learn? As many as I have set for the maximum here. So if I know there is only going to be two MAC addresses on this port I will change this over and say switchport port-security maximum 2. And at that point I have already, I have set the maximum to 2 and I have used the sticky command, so the only two MAC addresses that are allowed on that port are these two. You can see it's

00:22:22

a calculated risk, because if there is an intruder plugged into the network or a rogue device, it will learn its MAC address just like everything else. So of course the more secure way is to manually type in every MAC address. However, the more reasonable way to approach this is to use the sticky feature. Sometimes,

00:22:41

you know, going on a port, by port, by port, so you know what's plugged in, or you can be brave and use the interface range command and just learn everything that's on that switch at this given point. So that's your way of doing maximum number of MAC addresses

00:22:56

per port and combining it with the secure MAC addresses. The last thing we will talk about is identity based network services, or what people nowadays call 802.1X. IBNS was Cisco's name for it before 802.1X was released. But now 802.1X is out there and that's what everybody uses. So 802.1X kind of shook the world up quite a bit, because it was the first authentication method that allowed the switch to participate in authentication without ever seeing the username and password or authentication method that's used. Now the reason that is

00:23:36

so huge is because all of the previous methods, like if you think of MD5 hashing or, you know, certificate based authentication, all those kinds of methods required that the supplicant provide its credentials to the switch. And the switch gets them, looks at them and says, "Okay, that's good". Or, you know, even passes

00:23:54

them to the authentication server, and the authentication server checks them and sends them back and says, "Hey, that's okay". But the authenticator has to be intimately involved in the process. Meaning if you are using MD5 authentication then the authenticator, or the switch in the middle, has to support MD5. If you are using certificates, the authenticator has to understand certificates. With 802.1X the beauty is this dotted line right here. Only the supplicant

00:24:24

and the authentication server see the actual authentication attempt. The authenticator, which is your Cisco switch sitting in the middle, just says yea or nay. Meaning the supplicant plugs in, or this is the client, and says, "Hey, I want to use the network". The

00:24:40

authenticator says, "Oh well, you are required to authenticate". And the supplicant says, "Well, here's my authentication". It goes through the switch to the authentication server, and the authentication server looks at it and says, "Oh, well they either pass or they don't". And communicates back to the authenticator

00:24:57

with RADIUS or TACACS+ and says, "You can either leave that port on or power that port down right now because they did not pass authentication". Using these methods we can swap out the authentication strategies as new methods are released. Meaning if MD5 is considered weak in a few years we can swap out MD5 for something else. If we want to use certificates we can swap those out. If some new

00:25:22

fingerprinting technology where you have to do a fingerprint or retinal scan, or whatever your futuristic authentication you want to use is, we can do that and the switch doesn't have to be upgraded. All we have to do is choose a different kind of EAP on the supplicant and the authentication server. That's what

00:25:41

EAP stands for: Extensible Authentication Protocol. And you never deploy just EAP by itself, because EAP is just an empty shell. It's kind of like, let me say this. We have got this big, you know, shell here that is the EAP standard, and that's what the authenticator understands; it understands that it is an EAP packet.

00:26:04

But it does not look inside, which could contain the TLS method, it could contain PEAP, it could contain LEAP. You know, they all kind of rhyme; it's funny. And each one of those supports a different kind of authentication. Some of them might be certificate based.

00:26:18

Some of them might be clear text. It doesn't matter. The authenticator doesn't care, because it just takes the EAP shell and passes it through via RADIUS or TACACS+ to the authentication server. Now we do not focus on, and Cisco does not expect you to know, how to set up the supplicant or the authentication server for 802.1X, because there are so many platforms it could be. It could be a Linux client and a Windows server. Or a Windows server and

00:26:47

a Windows client, and, you know, each one has a slightly different way and slightly different software to make it happen. I don't want to leave you hanging on that though, because we do talk about the authenticator, configuring the switch to support 802.1X, but there is a great web link I ran across and this is, I am sure, one of many that are out there. It is at a university, cs.umd.edu.

00:27:09

Somebody just wrote a how-to article on how to set up a supplicant, a Windows XP workstation, and an authentication server. A Windows 2000 server they use, which works for 2003 or 2008 or whatever version of Windows server you are using. To set those up, and it's a step-by-step walkthrough. What we

00:27:31

are going to focus on here is setting up the Cisco switch to support it. So let's jump into the switch right now. I am on the Catalyst 3550. What I need to do is go into global config mode and type in, first off if you haven't done it before, aaa new-model.

00:27:49

Now that enables Cisco's triple-A; that's authentication, authorization and accounting. There are triple-A authentication mechanisms across the board. Now that can apply to anything. You can now use triple-A to authenticate people telnetting into your router or people trying to access the web interface. There are all kinds of different things triple-A

00:28:09

can be used for, but this just turns it on. We are then going to follow that up with aaa authentication, and it's going to ask what are you going to do authentication for? Is this for people to log into the router, for PPP sessions? We are going to choose dot1x, which you may need to upgrade your IOS on a switch for, because it is a more recent method. Oh, the last few years. So

00:28:32

we choose 802.1X as what we are authenticating. Then we need to type in how it's going to be authenticated. Now this is where I will kind of let the CCSP course pick up, but the CCSP courses show you how to set up RADIUS servers or TACACS+ that have user databases that can be authenticated with. And we configure our Cisco routers

00:28:54

or Cisco switches to point to those RADIUS servers by using the global command radius-server or tacacs-server. But we will just imagine that we created one of those. And I will say use the default authentication list for the server group RADIUS. Use the RADIUS servers to authenticate 802.1X clients. So what this command means in English is when somebody plugs in it is going to go to the predefined list of RADIUS servers, that we are assuming was created, um, to authenticate people that are using 802.1X. Now we type in dot1x system-auth-control, which is the way to globally turn on 802.1X on the switch. It is like the power switch on 802.1X. Now all we have to do is go under each individual interface and type in, or use an interface range command, type in dot1x port-control and what method we want. Most of the time you will be

00:29:57

using port-control auto. I know, which goes against my "don't use auto" recommendation, but auto says when somebody plugs in, if they successfully authenticate then they will be allowed. If they do not successfully authenticate, they will be denied. So that turns on 802.1X on the port. Now right below that you can see force-authorized and force-unauthorized.

00:30:22

What those do is either lock the port into an authorized state, meaning the client doesn't have to authenticate because they are already authorized, or lock the port into an unauthorized state, meaning it doesn't matter if they try or they don't try.

00:30:36

They won't pass 802.1X authentication. That can be useful, at least the authorized one, when you have things like servers or routers, or wireless access points, or some devices that don't support 802.1X but you need to have them plugged into the network. We can go under their ports and

00:30:56

type in force-authorized, and that locks the port in an authorized state, so they don't, they are not required to authenticate using 802.1X. But most of them will use auto, and that will, as soon as it transitions to a down state. I should mention that this isn't going to disrupt your current network; it's just if they, if the interface goes down and then tries to come back online, the switch will not allow it to come back online until successful authentication has happened. That should give you

00:31:28

a good foundation of layer two security. So, hitting the high points: we talked about why layer two. Well, why not layer two? It is such a big piece of our networks nowadays, and if the foundation isn't secure, the rest of our network fails. Below that we talked

00:31:45

about some of the common and simple layer two attacks using utilities like dsniff or macof to poison the CAM table of your switches and cause them to be fancy hubs. Then we looked at how we can prevent some of those attacks, and we will continue as we go through the campus security section looking at others, but using port-security:

00:32:04

Limiting the number of MAC addresses that can be used per port. Saying what MAC addresses can be used on a port. Setting sticky MAC addresses so it can be a little easier on your configuration. And then finally the ultimate security that doesn't require you to type in MAC addresses: 802.1X. Requiring the user to either authenticate or have some sort of certificate installed on the device before they can access your layer two fabric. I hope this has been informative for you and I would

00:32:32

like to thank you for viewing. All right. It's time to make a major shift from all the technology we have talked about: wireless, voice over IP, switching architecture, spanning tree and so on, and shift over to campus security, which is the final section of the BCMSN series. Now campus security

00:00:18

is focused on making sure that people don't intrude into your layer two architecture. And for a long time people have asked that question that I have right up front, our first topic to talk about: why layer two? Is it really important to secure the switch architecture? I mean, the only way somebody is getting there is if they plug into a port, which means they are in your building. Isn't that physical security anyway? So, we will answer

00:00:43

that question. Then I will talk about some of the common and very simple layer two attacks that somebody can execute, and that kind of answers the "why layer two". Then we will get into configuring Catalyst port security, which is a big part of what I think a lot of organizations miss or forget about and should be doing.

00:01:02

And then we will talk about a final topic, 802.1X, and talk about where that fits into the grand scheme of things and how we can set our switches up to support it. So why should you worry about layer 2? I mean, if those switches are locked up in a wiring closet then people shouldn't be able to get to them anyway, right? Uh, not right, because people can get to them through the wire. And

00:01:25

there are common attacks out there that can take out that data link layer, and I would say it's one of the most forgotten about layers, because everybody is worried about access lists or firewalls protecting the internet from reaching inside of your company, when really the intruders have gone inside of the companies.

00:01:43

They are your employees that are poisoning your MAC address table. And I will show you one more thing. This right here, poof, has changed the face of what we thought layer two security should look like. And it's kind of amusing that until wireless access

00:02:00

came about, nobody even worried about layer two security, really. I mean, not much anyway. Because people just figured you have to get inside the building to do layer two, and we trust our employees. Now a lot of that mindset is going away. Not only do you not

00:02:18

have to be in the building, because people can tune into that wireless signal, but also employees aren't as trustworthy, or proving to be as trustworthy, as they once were. Let me give you an example of a common layer two attack that can be pulled off from somebody sitting in their cubicle.

00:02:37

Uh, side note: if you ever walk by somebody's cubicle and it has got a soft red glow, and the person is kind of shadowed out by the soft red glow behind them, and it looks like they are working on pie charts or something on the screen, don't trust them. Not

00:02:53

a trustworthy person. Because that person can use a utility; there are actually many of them out there. But a real common one is called, whoops, dsniff, d-s-n-i-f-f. It was originally a Unix-only utility and was ported over to Windows, so both platforms can run it, and it's really a suite of utilities that are pitched as network auditing utilities, but of course can be used by the opposite side to attack a network. And one of the tools

00:03:25

inside of that suite is called macof, m-a-c-o-f, just one F. What that does is source many, many, many different packets, thousands of them, on this port from different MAC addresses. So that port starts loading up MAC addresses. It's like, "Wow, this is a busy port, and this must be like a major uplink to another area of the network. I just keep learning and learning

00:03:50

MAC addresses". And macof is doing its thing. It just keeps generating more thousands and thousands of MAC addresses until finally the CAM table of your switch fills up. Meaning it can't learn any more MAC addresses; it was never designed to learn the entire MAC address database that's out there. So what will end

00:04:08

up happening is not the switch crashing. A lot of people think it does, but it doesn't; it is that the switch turns into a hub. It says, "Well, since I can't learn any more MAC addresses I am just going to send everything everywhere to make sure that everybody gets the data they are looking for". And at that point this person

00:04:25

over here opens a packet sniffer and has easy access to any data that is going across the network. Meaning you could be capturing voice over IP conversations. You could be capturing, you know, SQL transactions that are happening. There is a lot of stuff

00:04:39

that could be captured once that happens, and that's just one of many different attacks that can be pulled off. Most of these attacks focus around poisoning the MAC address table in some way. So port security is how we can stop it. After seeing that, it should be a relief to you to know that Cisco switches out of the box can protect against those kinds of attacks; it's just that most people forget to turn on that kind of security. There

00:05:09

are two ways to stop those common layer two attacks, and one is using secure MAC addresses, and I will talk about the three different kinds of MAC addresses. The other is to limit the number of MAC addresses per port. Now in doing this you not only gain the benefit

00:05:24

of stopping MAC address flooding attacks, but you also stop those people from building little mini networks in their cubicles. People that bring in their own little hubs and switches from home and can potentially introduce spanning tree loops and rogue devices into the network. So let's start with that one. Limiting the

00:05:40

number of MAC addresses per port. All you need to do on your Cisco switch is to go under the port that you would like to limit this on, and I will go ahead and use interface fastethernet0/21. I actually have that connected in this little mini network here to a hub that has just a single device attached. So on this port

00:06:03

I am going to type in a couple of things; first off, switchport mode access. Now we will talk about the default, which is dynamic desirable, when we get into the next video. It's a horrible default, but access is the mode that it must be in in order to do port security. Access says that this is an access port, and the

00:06:27

port will only connect to an end network. Meaning it won't be a trunk port connecting to another switch. It will connect to a PC or a hub, but everybody is on the same VLAN. Now the first thing we need to do is type in switchport port-security. It's a commonly forgotten one, which turns on port security for that switchport. Then we get to type in our switchport port-security

00:06:50

commands. And I will type in, first off, maximum, and I will just say 1, to limit this port to a maximum of 1 MAC address. Now I can verify that configuration just by jumping out here and typing in show port-security, and we will type in interface fastethernet0/21. You can see that right here maximum MAC addresses, oops, is 1, and the total MAC addresses is 1. The last one that has been on there is that MAC address. And that is in VLAN 100; that's the one that's configured. That's the one device I have plugged

00:07:26

in. Now you also see right here the violation mode. The default violation mode when you turn on port security is shutdown. Let me jump back under that interface fastethernet0/21 and do switchport port-security violation so you can see the three modes. Shutdown is pretty obvious. If you violate the

00:07:48

policy it is going to shut down the port. In my opinion it is one of the best, because you absolutely know when somebody shuts down a switchport. It's not that you are, you know, very good at reviewing all of your logs and seeing that; it's that you are going to get a phone call. If somebody goofs up and plugs multiple devices into a switchport, you are going to hear a call because they can't get their work done anymore. Their port has been shut

00:08:14

down. And you get to chastise them and have your own little power thrill for a moment and be like, "What are you doing?" And you feel, it's horrible, but every administrator lives for the moment they get to chew out a user. But, you know, you get to know exactly

00:08:29

when it happens, because you are going to get a phone call. The other two you may not know. First off, I would completely recommend that you do not use protect. Protect is a mode where, when another MAC address adds on above the one that is already on there, above the maximum MAC addresses that you have added, it just ignores the other

00:08:56

MAC addresses. Meaning your port security is still in effect, but you don't know when somebody violates the policy. And you will never be told either. Restrict is the one that I would recommend. If you are not so drastic that you want to shut down the port, use restrict, which does exactly the same thing as protect, but whenever somebody does violate your policy this little counter will tick up by one. It will say, "Oh, policy violated, security

00:09:26

violation one". And you will also see a log message if you have the logging turned on. You know, second one, you will see two in that list. So even though you are not shutting down the port, you will at least realize, and have a counter to verify, when somebody is violating the policy. Now keep in mind, if you do have protect

00:09:45

or restrict turned on, if somebody plugs 2 MAC addresses into the port and realizes that one of them is not working, they can unplug that one and then plug in the other one and allow that one to work. That may or may not be a good thing in your network. So, you know, when they realize that, say, this MAC address is the only one that works, if they disconnect that MAC address they will go to a total of 0, and then the next MAC address that they plug in will take it back up to 1. So those are the different ways that you can do that. Now I will go ahead and leave it on

00:10:17

the default state of shutdown for the switchport port-security, because I have my Macintosh, which is a good hacking machine. And I am going to take this and plug this in; this will be the second device that I add to that switchport. Let me just go ahead and plug that one in. Oh,

00:10:36

good grief. Just as I plug that in, one of the devices I was using was, oh good, good, it has, sorry, I just turned around and looked at my screen to see all this. Look at this: as soon as I plugged in my MAC address it says, "Port security violation occurred on fastethernet0/21. I am putting it in the error-disable state". So immediately you

00:10:55

can see that the line protocol has been changed to down and fastethernet0/21 is now down. So if I hit the up arrow and do that show port-security, you can see that the port status is secure and it has been shut down. So don't look at enabled and think, "Oh well, my port is

00:11:12

enabled". That means that it is actually down. And if I do a show ip interface brief and look right here at fastethernet0/21, it just shows up as down. So by looking at that port in this state you are just going to think, "Oh well, it's just down, there must not be anything plugged in". But if you type in show interface

00:11:31

fastethernet, oops, did I, 0/21, you will see that the port is error-disabled. That means either you have some kind of duplex mismatch that has caused that, or you have a security violation that has shut the port down. I also know that many of you are like me and love commands like show ip interface brief, where you can see what's going on with your switchports all in one quick glance. Well, there is another

00:12:01

command I want to show you that is similar to it. It is show interfaces, and do status. And you don't need to specify an interface. Now you get to see my home, but you can see that all of these different interfaces are plugged in. I have brief descriptions,

00:12:16

so this is a good way to know what those switchports are, but look at this status column right here. As we go down we can see what's connected and what's not connected, and which ones are error-disabled. So you have gone, you have chastised your

00:12:32

users and flogged them appropriately. How do you get that port back up? Well, there is no quick way to do it. The main way that you can go in is go under that port. We will say interface fastethernet0/21, do a shutdown and then do a no shutdown. Just typing in no shutdown

00:12:51

will not re-enable that port. Oh, I still have my Macintosh plugged in. So I will plug that, unplug that quickly so that it doesn't shut itself down again. But now when I go back and do that show interface status, you can see that it is restored and connected again. So that's how you can restore the down port.

00:13:12

Now it's not part of the official Cisco test prep curriculum, so if you are studying for the exam don't worry about this stuff I am about to show you, but there is another method that not many people know about on Cisco switches. Now I am going to show errdisable, followed by recovery. There

00:13:34

is this feature that Cisco switches have called errdisable recovery that, after, you can see all these different states that will cause an error disable. Uh, we just saw security violation as one of the reasons. But we have channel misconfigurations,

00:13:49

that's like an EtherChannel, where we have flapping links, where we, I mean, there's all kinds of things that can cause the error disable state. We can configure our switch to re-enable the port after a certain amount of time. Now you can see that the default

00:14:05

amount of time is 300. But errdisable recovery is turned off by default. So you can see they are all disabled, so even though it says that recovery will be in 300 seconds, it's not going to be in 300 seconds unless you turn it on. So you can go into global configuration mode and type in errdisable recovery, type in a specific cause that you want to look for, and you can see all of these timers to recover from some violation. We will say

00:14:33

security violation right there, so "sec", tab, and you can say, "I want to enable recovery for that". You can then type in the errdisable recovery interval and specify how many seconds you want to force the port to be shut down before it recovers itself.

00:14:53

So now when I jump back here I will type in show errdisable recovery. You can see now that we are enabled for security violations. So if I were to plug my Macintosh into this port and connect that thing up, it is going to cause the violation, but now a little counter has begun in the background that is going to recover the port within 300 seconds for that violation. That may save you a couple of phone calls. Um, but overall it

00:15:23

is primarily useful for some of the other ones; usually, for security violation, you want it to stay down. Um, so, uh, the last thing I want to show you on this note. I am going to type in show port-security fastethernet, oops, interface fastethernet0/21. And you can see right here we do have a security violation counter that is ticking. Now I shut down and un-shut down the port and

00:15:50

powered up the port, so it reset that counter. But this counter will continue to tick however many security violations you have on a given interval. So that's one you can always refer to, to see what's going on. Now that's the limiting of MAC addresses per port. The last thing I want to talk about is secure MAC addresses.

00:16:09

By default, all your switches will learn dynamic MAC addresses. That is just what they do. And that's the default MAC address type. Now we can transform them from dynamic addresses over to static or sticky MAC addresses. Now static MAC addresses are pretty straightforward. I am going to go back up under the interface

00:16:29

fastethernet0/21 and let's, let's do, let me first off do switchport port-security; I will do a maximum of 10, just to allow me to plug multiple devices in there. But the first way I can configure static MAC addresses is by typing in switchport port-security mac-address and just typing in whatever MAC address I want. I have

00:16:51

seen a lot of government agencies use this, where they can type in the specific MAC address allowed on that port and no other MAC address will be able to access that. If you are going to use the static MAC address method and say, "My MAC address was this",

00:17:11

be sure to couple it with the maximum MAC address command. Now I just showed you, I just cranked it right up on the screen above us, to 10 MAC addresses. If I statically type in MAC addresses and say, "You know, 1, 1, 1, 1, 1, 1, 1" and that's the only MAC address I want on that port, then make sure you change the maximum to 1, because if I leave it at 10 it will allow that 1, 1, 1, 1, 1, 1, 1, 1 plus 9 dynamic entries. It's kind of a combination of static and dynamic. So it will allow whatever static ones

00:17:44

I have typed in, plus whatever the buffer is up to the maximum number of MAC addresses I am allowing on that port. So, type in however many MAC addresses you want and then set the maximum. The second way that we can do this is by taking a calculated risk. Now you can see right below here I have sticky. Sticky

00:18:10

MAC addresses are your way of allowing the switch to do the work for you. You can imagine how difficult it would be in a network of 100 or 1,000 PCs to sit there and type in all the MAC addresses of those PCs into the ports. I am not saying it can't be done,

00:18:27

and I am not saying it is very beneficial if you are paid by the hour. However, if you are salaried you don't want to sit there all night typing those things in. So you can take a calculated risk. And that is using the sticky keyword. What will happen when you use sticky is the switch will automatically hard code any MAC address you have plugged into that point, port, into the running configuration. And as soon as you save that to the

00:18:57

startup configuration, that is set permanently. Let me give you an example. I am going to first off do, before I type this command in here, let me just hit enter. I am going to type in do show run interface fastethernet0/21, and we can see that as of right now we have the port security turned on and the maximum is set to 10. Now I am also going to type in do show mac address-table, and I will focus in on interface fastethernet0/21, and you can see as of right now, oh, do I have both of those plugged in? Oh no, I just have, have not cleared out since I plugged both MAC addresses in. Let me just plug and

00:19:39

unplug that port real quick and, uh, give it a sec to cycle. There we go, okay. I just unplugged the port and plugged it back in, and so it now just has that one MAC address. All right. So here is what I am going to do. I am going to type in switchport.

00:19:57

Oh, let me clear all this junk off. I will type in switchport port-security maximum and then I will type in sticky. And when I said sticky I meant, oh, I am just losing it here. I am sorry. It is port-security mac-address. Sticky? I am saying that in a running-config; it's blending together in my mind. Now

00:20:22

watch what happened when I did that. I am going to do a show run interface fastethernet0/21. Let me squeeze the do command in front of that. And you can see that it's got the command I typed in there, but look at that. It automatically hard coded the first MAC address that it saw on that port. I look at the up arrow and it's right there. Now

00:20:44

if I do a show start interface fastethernet0/21, oh, it doesn't let me use the interface command. It's not saved in the startup-config is the point I am trying to prove. So, in order to save that MAC address we have to do a save-config, copy run start, or write memory, and that will allow you to save that MAC address to your startup-config. Now watch this. I am

00:21:07

going to reach over and plug my Macintosh in here, click; I just plugged my Macintosh in. I am going to hit the up arrow and do a show run, and do it again, and one more time. Oh, where is my Macintosh? Let me do a show mac address-table interface fastethernet0/21. My Macintosh has died. Oh, are you kidding me? It just went into

00:21:37

sleep mode. Sorry, let me, let me move the mouse around. There we go. I moved the mouse around. Let me hit the up arrow. Oh, there we go. It is now back in the list. I am going to go and do the show run again. This is the point I am trying to prove. I have got this sticky MAC address that has now learned a second MAC address, and I can save my config. How many MAC addresses

00:21:57

will this feature learn? As many as I have set for the maximum here. So if I know there is only going to be two MAC addresses on this port, I will change this over and say switchport port-security maximum 2. And at that point I have already, I have set the maximum to 2 and I have used the sticky command, so the only two MAC addresses that are allowed on that port are these two. You can see it's

00:22:22

a calculated risk, because if there is an intruder plugged into the network, or a rogue device, it will learn its MAC address just like everything else. So of course the more secure way is to manually type in every MAC address. However, the more reasonable way to approach this is to use the sticky feature. Sometimes,

00:22:41

you know, going on a port by port by port basis so you know what's plugged in, or you can be brave and use the interface range command and just learn everything that's on that switch at this given point. So that's your way of doing maximum number of MAC addresses

00:22:56

per port and combining it with the secure MAC addresses. The last thing we will talk about is identity based network services, or what people call nowadays 802.1X. IBNS was Cisco's name for it before 802.1X was released. But now 802.1X is out there and that's what everybody uses. So 802.1X kind of shook the world up quite a bit, because it was the first authentication method that allowed the switch to participate in authentication without ever seeing the user name and password or authentication method that's used. Now the reason that is

00:23:36

so huge is because all of the previous methods, like if you think of MD5 hashing or, you know, certificate based authentication, all those kinds of methods required that the supplicant provide its credentials to the switch. And the switch gets them, looks at them and says, "Okay, that's good". Or, you know, even passes

00:23:54

them to the authentication server, and the authentication server checks them and sends them back and says, "Hey, that's okay". But the authenticator has to be intimately involved in the process. Meaning if you are using MD5 authentication, then the authenticator, or the switch in the middle, has to support MD5. If you are using certificates, the authenticator has to understand certificates. With 802.1X the beauty is this dotted line right here. Only the supplicant

00:24:24

and the authentication server see the actual authentication attempt. The authenticator, which is your Cisco switch sitting in the middle, just says yea or nay. Meaning the supplicant plugs in, or this is the client, and says, "Hey, I want to use the network". The

00:24:40

authenticator says, "Oh well, you are required to authenticate". And the supplicant says, "Well, here's my authentication". It goes through the switch to the authentication server, and the authentication server looks at it and says, "Oh well, they either pass or they don't". And communicates back to the authenticator

00:24:57

with RADIUS or TACACS+ and says, "You can either leave that port on or power that port down right now, because they did not pass authentication". Using these methods we can swap out the authentication strategies as new methods are released. Meaning if MD5 is considered weak in a few years, we can swap out MD5 for something else. If we want to use certificates, we can swap those out. If some new

00:25:22

fingerprinting technology, where you have to do a fingerprint or retinal scan, or whatever your futuristic authentication you want to use is, we can do that and the switch doesn't have to be upgraded. All we have to do is choose a different kind of EAP on the supplicant and the authentication server. That's what

00:25:41

EAP stands for: extensible authentication protocol. And you never deploy just EAP by itself, because EAP is just an empty shell. It's kind of like, let me say this. We have got this big, you know, shell here that is the EAP standard, and that's what the authenticator understands; it understands that it is an EAP packet.

00:26:04

But it does not look inside, which could contain the TLS method, it could contain PEAP, it could contain LEAP. You know, they all kind of rhyme; it's funny. And each one of those supports a different kind of authentication. Some of them might be certificate based.

00:26:18

Some of them might be clear text. It doesn't matter. The authenticator doesn't care, because it just takes the EAP shell and passes it through via RADIUS or TACACS+ to the authentication server. Now we do not focus on, and Cisco does not expect you to know, how to set up the supplicant or the authentication server for 802.1X, because there are so many platforms it could be. It could be a Linux client and a Windows server. Or a Windows server and

00:26:47

a Windows client, and, you know, each one has a slightly different way and slightly different software to make it happen. I don't want to leave you hanging on that though, because we do talk about the authenticator, configuring the switch to support 802.1X, but there is a great web link I ran across, and this is, I am sure, one of many that are out there. It is at a university, cs.umd.edu.

00:27:09

Somebody just wrote a how-to article on how to set up a supplicant, a Windows XP workstation, and an authentication server. A Windows 2000 server they use, which works for 2003 or 2008 or whatever version of Windows server you are using. To set those up, and it's a step by step walkthrough. What we

00:27:31

are going to focus on here is setting up the Cisco switch to support it. So let's jump into the switch right now. I am on the Catalyst 3550. What I need to do is go into global config mode and type in, first off if you haven't done it before, triple-A new model.

00:27:49

Now that enables Cisco's triple-A, that's authentication, authorization and accounting. There are triple-A authentication mechanisms across the board. Now that can apply to anything. You can now use triple-A to authenticate people telneting into your router or people trying to access the web interface. There are all kinds of different things triple-A

00:28:09

can be used for, but this just turns it on. We are then going to follow that up with triple-A authentication and it's going to ask what are you going to do authentication for? Is this for people to log into the router, for PPP sessions? We are going to chose.1X which you may need to upgrade your IOS on a switch because it is a more recent method. Oh, the last few years. So

00:28:32

we choose 802.1X as what we are authenticating. Then we need to type in how it's going to be authenticated. Now this is where I will kind of let the CCSP course pick up, but the CCSP courses show you how to set up RADIUS servers or TACACS+ that have user databases that can be authenticated with. And we configure our Cisco routers

00:28:54

or Cisco switches to point to those RADIUS servers by using the global command RADIUS-server or TACACS+-server. But we will just imagine that we created one of those. And I will say use the default authentication list for the server group RADIUS. Use the RADIUS servers to authenticate 802.1X clients. So what this command means in English is when somebody plugs in it is going to go to the predefined list of RADIUS servers that we are assuming was created, um to authenticate people that are using 802.1X. Now we type in .1X system off control, which is the way to globally turn on 802.1X on the switch. It is like the power switch on 802.1X. Now all we have to do is go under each individual interface and type in or use an interface range commands; type in .1X port control and what method we want. Most of the time you will be

00:29:57

using port control auto. I know which goes against my auto not use it recommendation, but auto says when somebody plugs in and if they successfully authenticate than they will be allowed. If they do not successfully authenticate they will be denied. So that turns on 802.1X on the port. Now right below that you can see forced authorized and forced unauthorized.

00:30:22

What those do is either lock the port into an authorized state meaning the client doesn't have to authenticate because they are already authorized or it can lock the port into an unauthorized state. Meaning it doesn't matter if they try or they don't try.

00:30:36

They won't pass 802.1X authentication. That can be useful, at least the authorized one when you have things like servers or routers. Or wireless access points or some devices that don't support 802.1X, but you need to have them plugged into the network. We can go under their ports and

00:30:56

type in forced authorized and that locks the port in an authorized state, so they don't, they are not required to authenticate using 802.1X. But most of them will use auto and that will, as soon as it transitions to a down state. I should mention that this isn't going to disrupt your current network, its just if they, if the interface goes down and then tries to come back online the switch will not allow it to come back online until successful authentication has happened. That should give you

00:31:28

a good foundation of layer two security. So hitting the high points: we talked about why layer two. Well, why not layer two? It is such a big piece of our networks nowadays and if the foundation isn't secure, the rest of our network fails. Below that we talked

00:31:45

about some of the common and simple layer two attacks, using utilities like dsniff or macof to poison the CAM table of your switches and cause them to be fancy hubs. Then we looked at how we can prevent some of those attacks, and we will continue as we go through the campus security section looking at others, but using port-security:

00:32:04

limiting the number of MAC addresses that can be used per port, saying what MAC addresses can be used on a port, and setting sticky MAC addresses so it can be a little easier on your configuration. And then finally the ultimate security that doesn't require you to type in MAC addresses: 802.1X, requiring the user to either authenticate or have some sort of certificate installed on the device before they can access your layer two fabric. I hope this has been informative for you and I would

Jeremy Cioara
Nugget trainer since 2003