Port Security | CCNA 200-301
ฝัง
- เผยแพร่เมื่อ 21 ส.ค. 2024
- Free TH-cam Playlists from Keith:
Master Playlist for Cisco CCNA 200-301 ogit.online/sloth
Cisco CCNA 200-301 Security ogit.online/20...
Cisco CCNA 200-301 IPv4 Subnetting ogit.online/su...
And…
Keith’s Content at CBT Nuggets ogit.online/Ke...
Damn Keith really be doing the most for CCNA Training. Best IT related content I've ever seen
Thank you Shanebagel!
When I get my CCNA this year through hell or high water, I will thank three people. You are one of those three. So future twitter message there. Jeremy C. My co-worker and Process Control automation manager whom I helped put on the track to get his CCNA 4 years ago and now has both a renewed CCNA as well CCNA Industrial 🏭. Jeremy brings his over the top raw enthusiasm which I enjoy. But you Keith brings for me the inspiration and learning Nuts and Bolts to make what seems complex at first understandable. All three people propelling me to move ever closer towards the CCNA Cert. And though the Cert is just one goal, what’s important is that your really teaching me fundamentally how what seems at first complex, actually works. It still takes a lot of effort everyday to study. It’s just getting easier day by day though. One day somewhere you should be recognized by the impact you’ve had on so many people being able to obtain their CCNA+.
Thank you so much for that feedback, and kind words. Love what I do here and at CBT Nuggets, and alway happy to hear about making a difference in a persons life. That is what keeps me going. Thanks again!
The funniest thing you said was, 'Happy 2020 ! It is going to be so BEAUTIFUL too " lol I wish your wish came true :P hahaha
Thank you, and "who knew"???
2021 will be better, fingers crossed.
@@KeithBarker We will strive to make it better :)
Thanks a lot for taking your time to share your knowledge.
So not only configure verify and troubleshoot but also ask why we need said protocols. Great content
Watching your video is a lot of fun.
hey Keith,
Thanks so much for this video. your explanations are super easy to understand. I love how you explain it in a casual simple way. For me it's very hard to watch and understand lecturers who make it all serious and formal. Thanks again.😀
Thank you Ranjana Dissanayaka!
who could possibly dislike this wonderful presentation *sigh*
Thank you Abdul. Sometimes my mom watches, and doesn't always understand. :) She is in her late 80s. Perhaps she expresses that with a thumbs down.
@@KeithBarker being modest here now :)
I like your way of teaching, you really enjoy teaching networking....love it, and good staff to prepare for CCNA
It's my pleasure
This is the first video about port security that I can follow! Thank you.
Glad it helped!
So I already have studied port security and had general knowledge of how it works and how to configure but its like a lightbulb goes off when you explain it in such practical ways. I really feel like after you study a topic and then see your interpretation of it, it makes it alot easier to stick. Thanks!
Thank you DJ Foster!
You're simply the best
This content is more understandable than the one in CBT. Thanks mwalimu Keith.
I commented on one of your videos a couple of months ago I just want you to know I just landed my first network engineer job today.
Thank you! All the doubts are gone now, greetings from El Salvador
Awesome! Thank you for being part of this channel!
Great video as usual from the Master!. As much as I enjoy these videos, I would really like to see Videos on Advanced CCIE topic from Keith and Jeremy, "The Two Big Guns" of Networking.
Thank you Farmedi! I enjoy collaborating, and Jeremy is awesome. We are both working on the CCNP level content at CBT Nuggets currently. Perhaps we will have a chance some day to work on the CCIE stuff together. Thank you for the comments and ideas. I appreciate it. Cheers!
@16:40 thats terrible, thats fantastic! I love your excited way of explaining things :,D Thanks for your content!
Thanks for watching!
Again!!! Thanks, Keith you make learning so relatable and fun. Don't understand why that has to be so rare?
Thank you Mark
thank you keith you are the best
Happy to do it, thanks for the feedback or itzhak.
The way you present things kieth, is amazing. You should have also demonstrated statically assigning mac address and sticky in port-security. Love from India.🥰
Noted, thank you Rishabh.
Already loving these videos 😍
Happy to make them, thanks for the comment!
Give thanks Keith for these good lessons, very well explained, waw💥🙏
Happy to do it, thanks for the feedback Zakaria Bendada.
Thanks buddy.. just loved the way you do it
Thanks a ton
amazing video Keith, i like the way to talk to the devices and you shows the fun way of learning networking, i learn a lot from your videos and you made very easy to remember all this.
Glad you enjoyed it
Love the way how beautifully you illustrate all the things.. And thanks a lot for all the videos.. 😊
My pleasure 😊
Great explanation, Keith.Good on you..
Thank you Asela Perera!
These videos are dope. Thanks man for teaching us in such an easy and understandable way!!!
My pleasure!
Love the port security technology ❤️
Thank you Va Virak! Me too!
Excellent keith sir....loved alot ji ... great stuff
Thank you Nikhila!
My bf brags about your skills all the time. I’ve started to listen in on Sunday’s when’s he’s streaming. Ok 1) Keep the facial hair 😍 always. 2) Can you post a playlist of your intro and outro tracks pretty please?
Thank you Torri for comments! Regarding the intro and outro tracks, I subscribe to www.epidemicsound.com, and I just grab a random song each time. :|
Glad to have you join us in the stream. You both could get the CCNA! Having more in common can help make good relationships even stronger! Cheers to the both of you.
Thank you so much for the playlist.
man.... that switchport host is awesome.... no other ccna material that I went through had this command. i used Ostinato to generate traffic.
Thank you Zoltron30, glad it is useful.
Love them videos. Really appreciate it.
Thanks for watching!
Thank you so much
I love your videos
Thank you Daniel
Thanks, Keith!
Happy to do it, thanks for the feedback Collab Crush.
Thanks for this amazing tutorial !
You're very welcome!
Hi Keith!
Thank you so much for the video!
I have been practicing myself with packet tracer and managed to get it working by putting multiple clients on a rogue switch connected to an access port with port security enabled!
I did have an issue with the “errdisable recovery” though. It seems as though no matter what model of switch I select on multiple versions of packet tracer it the feature doesn’t seem available...
Is this something that doesn’t work in packet tracer? Very odd!
Thank you for all your help and time uploading these videos, I can tell my networking knowledge is increasing daily! :D
Awesome 👏
Thank you! Cheers!
Thanks Keith !!
Happy to do it, thanks for the feedback Akshay.
Thanks man!
You bet!
quality content 😍
Thank you Waqar Ahmed
Thanks fro the playlist thing
Any time!
❤
great as always, but ... You use a switchport host command to overcome an inability of enabling a port-security on a trunk port.
Would you just do it that way and convert it to an access port? Probably not, as it would be against the design. So the question is: do you ever use a switchport port-security on a trunk/etherchannel port or you just don't? Although you are saying it can be applied to any port type, what is the benefit of using it on a trunk/etherchannel ports?
Regards and thank you for a great materials to prepare for CCNA!
Thank you for the question Marcin. It is fairly rare to implement port security on a trunk port.
@@KeithBarker thank you for answering my question :) Regards from Poland!
Thank you
Happy to do it, thanks for the feedback Andrew.
good
Good stuff as always Keith, did you ever upload a follow up video with a more detailed look into spanning tree protocol?
Feron thanks for your input! That is definitely in my queue. Stay tuned, and thanks for the suggestion.
Where can I find this beautiful soundtrack? Thanks for explaining about Port Security.
Magnificent demostration Mr Keith. Do you used GNS3 for that enviroment? Thank You.
Thank you for the question. I have used GNS3 for a long time, but more and more I have started using Eve-NG, and CML Personal Edition.
@@KeithBarker CML Requires a cisco license?
???? VPN question. I try and block most the router ports and only have 2 to 5 ports unblocked and just NAT'ed with the router firewall. I try to block any ports that are traditionally used for signing in remotely, administration, server related; such as I block the Telenet port on the router. I prefer to only unblock ports that are pretty much ignored for any services on my pc or devices, or I just have to hopes for the web browsing. If a port with protocol would traditionally/naturaly have more security, I would prefer that port.
With this in mind I would like to know what ports are best, most secure and least at risk for malicious attacks? Also would it be more secure to use TCP or UDP for the respective port, as it can change by port?
What would be the best ports and protocols for that port that would be ignored and protected by the router/device/pc to unblock on the router at port 1024 or higher for the Local Port?
What would be the best port and protocol that would be ignored and protected on the router/device/pc to unblock on the router for the Remote Port?
Of course I will be leaving the router firewall on and not responding to pings. I just want the best ports to unblock. If there is an additional step I might be able to add only to connect to communicate with the VPN network on those ports, I might set up another router for that just to insure there is still firewall protection on my closest router.
Keith I LOVE YOURS VIDEOS!!! You re awsome!! Thanks!! I have a question, what about configuring Port-Security in a Trunk port that have an Ap on it, lets say, Port-Security Sticky.
Thank you Miguel for the kind words, and the question! The sticky option adds the MAC address to the running config. On a static trunk (not dynamically negotiated) you can customize the port security setting per-VLAN as well. Here is more information: www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25sg/configuration/guide/conf/port_sec.html
Thanks again for the question.
Thanks for putting out these videos Keith love your channel!
Quick question, I currently don't have my CCNA. If I were to pass all 3 exams of the current CCNP, would I still be grandfathered in to the new CCNP given there is no longer a requirement to get a CCNA first anymore?
Thank you for the question, and yes! Based on the migration tool, if you pass those 3 exams before 2/24/2020 you will get the new CCNP (even if you never took the original CCNA).
www.cisco.com/c/en/us/training-events/training-certifications/certifications/professional/ccnp-routing-switching-migration-tool.html
@@KeithBarker Hey Keith Thank you for the reply! I just asked Jeremy on his TH-cam and he said that I wont! I called Cisco today and spoke with one person who said I would, and then a second time to confirm and the second person said i wont and need to take the CCNA. I'm so Confused!
@@fooschnicken2112 Based on the tool, (link above), a person who has taken those 3 exams, will receive the new CCNP Enterprise certification and these Specialist certifications:
Cisco Certified Specialist - Enterprise Core
Cisco Certified Specialist - Enterprise Advanced Infrastructure Implementation
Perhaps overthinking this, isn't the best option.
If you don't get all three by 2/24, there are still partial credit options. Use the link above, and check out the possibilities.
Cheers, best wishes, and a great 2020 to you!
Great explanation @Keith You are awesome as always, Just to be sure when you used "switchport host" which made it access port, Do we use "switchport nonegotiation" on Trunk port so it disables DTP To configure port security on trunk port ? also in what scenario do we need to configure port-security on a trunk port ? just being curious ;-)
Thank you for the question Darshan.
I will be creating a live stream on that. Thank you for the idea/suggestion!
Keith Barker wow!! Excited for the stream already, it's great feeling your reply made my day ,thank you so much ❤️
Protect mode: enable 😶
Thank you for this wonderful video Keith. Reading on Cisco's documentation about this, there is a note that says "If the port shuts down, all dynamically learned addresses are removed", I've been practicing for my CCNA exam on PT and testing this and i am trying to replicate a situation where an user disconnects its PC and connects a "Rogue laptop" that we simply do not trust, at that point the port goes down and up again so we lost the learned MAC address and that laptop gets access to the network, it does not matter if a put the sticky command, so ¿Is there a configuration to avoid that, or just simply put the specific trusted MAC address on the config?
Thank you for the question.
May be a PT issue.
I just labbed this up to check on live IOS, and here is what I found.
No sticky: MAC learned on interface is removed after a bounce (down/up interface) and is not there when port comes up.
With sticky: MAC shows up again on interface after a bounce (even without the device on that port sending any new frames).
On a side note, issuing the command copy run start will make sure that MAC is there on the port after a reboot as well, (and you likely already knew that part. :)
Thanks again for the question, and now we both know.
Cheers!
@@KeithBarker It is definitely a PT issue, plus it does not show a log entry when a security violation occurs, I've reported that bug so hopefully they can fix it, people can get confused on that.
Thank you to take your time on testing that.
Cheers.
With the reality of Covid-19 and businesses are allowing their employees to work from home which seems like the new normal, how does this affect people with CCNA certs and what does the future looks like for us cert holders?
I will the job market be forever changed?
What do we do to increase our employment marketability?
Additionally, it seems that allowing people to work from home is ongoing and it may not be reversed for many businesses, specifically because of building cost & rental fees. I'd like to know your opinion on this, please?
Thank you for the question Hassan Sikes. The need for IT people has, and will continue to rise. Especially now. Yes, job markets change, but for IT people who are willing to keep learning and growing, the options are fantastic.
Hi Keith could you explain please how to enable security on trunk port
Thank you for the question ilaysys.
Configure the port as a static trunk, then enable port security as you would normally do on any port.
Dear Keith sir
I have a doubt in "Mac over flood attack"- for that port security is there okay.
But I want to know this how the attacker will influence or change ports and respect mac addresses.
I mean this the switch is intelligent device right it will maintain CAM table.
In CAM table which mac address is connecting to which port right?
So which will learn from each port receiving source mac address .Then how attacker can change all the ports mac addresses.
Only one port he can change at a time right?
Or is he using Kali Linux type tools???
Thank you for the question Sreejith. Imagine a switch that only has enough memory to store 5,000 dynamically learned MAC addresses, and then it is out of memory for any new addresses. If 10,000 new MAC addresses are pumped in every few seconds, the switch will (or may) forget about where most of the real MAC addresses live, and consume all its storage on the new 10,000 bogus addresses that just showed up. As a result, the switch may then not know where a MAC address lives (for a valid host) and in that case would flood it to all the other ports (allowing the attacker to eavesdrop and see that frame that he normally would not see. Hope that helps a little, and thanks for being here!
@@KeithBarker Now it's clear.
Hi Keith, when configure unused ports it should be added to "black hole" VLAN before shutdown or to nondefault native Vlan ?
Thank you for the question Kolezka Kolezki. Best practice is to create a new VLAN, and to assign unused ports to that VLAN, and to administratively shutdown those ports, and configure them as access-ports.
Which switch I should buy for home lab?
Hey Keith, I've got a question for u. What if the attacker comes from the other switch. Should we enable port security between the two switches ? If yes, what would be the value of port-security ? Give me an example. reply reply reply :3 :3 :3
Thank you Alex James. Feel free to join my Discord sever. Lots of people there helping each other out. Each Saturday at 10am Pacific I hold my "Office Hour" where learners can ask questions about the topics they are studying. Mostly focusing on Cisco CCNA 200-301 topics. Feel free to join us there live if you are available. Here is the link ogit.online/Join_OGIT_on_Discord
Thanks again Alex James!
Hey Keith could you help me figure out why i can't change aging type to Inactivity ?
show port-security int fa0/6
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Protect
Aging Time : 60 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
S1(config-if)#switchport port-security aging type inactivity
^
% Invalid input detected at '^' marker.
S1(config-if)#switchport port-security aging ?
time Port-security aging time
there is only time for aging, do i need to enable/disable any configs for aging type to activate or is the switch doesn't support it ?
im working on packet tracer , switch 2960 !
thanks in advance
hi Keith I am trying to build a network environment of my own my I have hit a small problem that my switches cannot learn the Mac-address of the end devices I tried everything but it doesn't work...is there any way if I can send you the .pkt file if you can guide
hey, I got a problem. In the above viedio to enable the port-security.we use the command "switch-port host"-what the host refers to?, is it(Linux laptop)...i just take two PCs and a switch .i want to place port - security to one PC. I'm not able to enable the port-security. what u suggest?
Thank you for the question. On a live switch port, "switchport host" sets the switch port (on the switch) as an access port, and enables portfast.
With port-security, you enable that on a specific port as well. The port can't be a dynamically negotiated port though. If you use the command switchport morde access, then the port is no longer a dynamic port, and the switchport port-security command can then be used. Hope that help, and enjoy your studies.
hi keith, im new on networking i just have some question about spanning tree. is it ok to have multiple blocking port over the network if the switches detected the loop? what are the possible network problem if keeping this multiple block port?
Thank you for the question JM. Here is the play by play:
Root Bridge elected, based on lowest bridge ID.
A Designated Port is a port role that is forwarding away from the root bridge. Only one designated port per segment.
All of the Root Bridges ports are designated.
For all the non-root switches, they will select exactly 1 root port, a port that is forwarding towards the root. Lower cost wins.
For all the ports that are NOT root ports, or NOT designated ports, they will be placed in a blocking state. If there are multiple ports being blocked, that is ok, as they are preventing a loop.
I will be doing a follow-up video about spanning tree, so stay tuned.
Thanks for the question, and happy studies.
Each week I am adding the new videos to this CCNA playlist here: ogit.online/sloth
Keith I have a question. If we connect a router to switch instead of pc and all laptops use wifi then how port security will work?
Thank you Umar Afzal. Feel free to join my Discord sever. Lots of people there helping each other out. Each Saturday at 10am Pacific I hold my "Office Hour" where learners can ask questions about the topics they are studying. Mostly focusing on Cisco CCNA 200-301 topics. Feel free to join us there live if you are available. Here is the link ogit.online/Join_OGIT_on_Discord
Thanks again Umar Afzal!
if attacker get use of mac spoofing he can bypass port security than how to prevent from that attack?
Thank you Shan Ali. Feel free to join my Discord sever. Lots of people there helping each other out. Each Saturday at 10am Pacific I hold my "Office Hour" where learners can ask questions about the topics they are studying. Mostly focusing on Cisco CCNA 200-301 topics. Feel free to join us there live if you are available. Here is the link ogit.online/Join_OGIT_on_Discord
Thanks again Shan Ali!
Is there a MIB counter in protect mode violations?
Thank you for the question Bernd Eckenfels. I am not sure about that.
Hi @Keith, thanks for the videos, this video stops playing after 13:10 for some reason. Can you help pls? Thanks
Thank you for the question V R. I just tried it and it seemed to be fine. Perhaps there was a problem but it has been corrected. Give it another try and let me know.
Happy studies.
What happens if the device connected is an AP which allows guests to join the network. How would we be able to stop users from spoofing / ddos attacks.
That is a good question, with not a simple answer.
@@KeithBarker separate the guest network with a different vlan.and packet filtering
Hello Keith, I’ve tried several times to watch this particular video and it will not play. Please advise and thanks!
Thank you for the question Liz A. I just checked, and it seems like it will play now. Try it again when you get a chance, and thank you for watching!
Keith Barker thanks! I cannot miss any of the videos, I watch them religiously. Lol
Hi keith .. please how do i get the free trial on cbt nuggets before i subscribe or is it after the subscription i am going to get it.
Thank you for the question. Use this link. learn.gg/ogit-cbtn , and then choose your subscription. Your first week is free, and you have the option to cancel. I think you will love it!
Don't you just hate it when you accidentally macof all over your table? WHAT A MESS!
😁
Hi Keith, this video stops working at 13:13. Thanks
Thanks for the heads up. Looks like it may have been corrected now. Thanks, and enjoy the video.
Keith Barker no worries, thank you for your reply. I have my CCNA exam on the 4th feb.
I had the same issue where the video stopped at least three times over its duration. At first I restarted but then it put me right back to where I was originally and as I git back to the where it stopped, it did it again. Luckily I had pre stopped it before it completely quit and went blank. I don’t know what caused it. But for the next two times I simply fast forward 1-2 minutes and it was ok until I hit some other time index in which it completely did it again. I just fast forward through that time index and wasn’t an issue.
The danger of access-list 1 deny is ?
hi Keith I am stuck on a project of my own where I tried to build a networking environment the problem I am encountering is my switches cannot learn the Mac address of the end devices is there any chance you can have a look into it ?.if yes please provide me with your email id and send you the .pkt file