
Learn how to enable and manage device log messages on Cisco devices, using console, buffer, and short logging to monitor interface events, audits, and troubleshooting, including debugging considerations and verification.
Enable and configure logging to an external destination, send and filter log messages, and monitor events across interfaces using console and license-based tools.
Network Time Protocol ensures all devices share a common time for accurate logging and event correlation. Configure time sources, servers, and clients to synchronize to a trusted clock.
Explore how network time protocol synchronizes device clocks using external time sources and NTP servers, configuring stratum values to ensure accurate timing across networks.
Learn to configure NTP for time synchronization between client and server, including unicast delivery, ACL considerations, and implementing authentication with keys to prevent spoofing.
Identify possible threats on the control plane, such as spoofing and false routing, and discuss mitigations like protocol authentication and control plane policing.
Explore routing protocol authentication and how to prevent spoofed updates and unauthorized changes. Compare password-based authentication with hash-based methods, using key IDs and hash values to secure password exchanges.
Explore class maps and policy maps in a hierarchical framework for traffic policing and quality of service. Learn to match traffic and apply actions on interfaces or the control plane.
Explore control plane policing (CoPP) configuration with class maps and policy maps to limit control plane traffic, using rates like 200 packets per second and 50 pps, emphasizing testing.
Explore common internal threats in the LAN. See how security features like firewalls and ACLs mitigate them to protect end devices and guest users.
Discuss disabling unused ports on switches to prevent unauthorized access, ensuring a device plugged into an idle port cannot obtain an IP address or connect to lab resources.
Explore how Dynamic Trunking Protocol negotiates trunk links between switches using auto, desirable, and manual modes to decide trunk versus access ports, with DTP messages sent every 30 seconds.
Identify Dynamic Trunking Protocol vulnerabilities and mitigate them by configuring switch ports as access ports and disabling DTP negotiation to prevent attackers from manipulating trunking.
Explore how native VLAN handling on trunks works with 802.1Q tagging, the default behavior, and how to prevent misconfigurations by using a dedicated unused VLAN and matching it on both sides.
Disable DTP negotiation and configure all ports as access ports to mitigate VLAN hopping; assign unused ports to VLAN 99 and set a non-existent native VLAN to harden trunking.
Discover how the Cisco Discovery Protocol (CDP) helps troubleshoot by revealing neighbor devices and topology, using show cdp neighbors and show cdp neighbors detail on directly connected Cisco devices.
Explore the LLDP overview, a protocol that provides neighbor device information such as identity and capabilities, and learn how to enable and verify it on interfaces, contrasting with CDP.
Explore CDP and LLDP vulnerabilities that expose neighbor information and how attackers can use captured data, then implement mitigation by disabling CDP and LLDP globally or per interface.
Explore how a MAC flooding attack floods a switch's MAC table with invalid addresses. Learn how port security limits learned MACs per port and uses shutdown, protect, or restrict modes.
Explore MAC spoofing and its man-in-the-middle implications, and explain port security by binding MAC addresses to ports, using static, dynamic, or sticky bindings to drop unauthorized traffic.
Configure port security on switches with sticky MAC learning, set a max of two MACs, and enforce violation actions such as shutdown, protect, or restrict.
Learn how BPDU guard and BPDU filter secure portfast access ports by preventing loops, with global or interface filtering and automatic recovery options.
Demonstrate practical verification of BPDU guard and PortFast on an access port, showing how to enable PortFast and BPDU guard, and observe BPDU messages and port recovery.
Use root guard to prevent downstream switches with superior bridge IDs from becoming the root in spanning-tree. Apply it to customer-facing interfaces to block superior BPDU messages and preserve topology.
Learn how UDLD detects unidirectional link faults by exchanging periodic heartbeat messages between devices and automatically disables a faulty port, with global or per-interface configuration for fiber and non-fiber links.
Learn how to recover a switch port from err-disable state using err-disable recovery, configuring auto timeout after security events, and verifying with show interface and show errdisable recovery commands.
Explore how DHCP spoofing allows attackers to assign wrong IP addresses and how Cisco DHCP snooping uses untrusted and trusted ports to block rogue DHCP responses, preventing man-in-the-middle attacks.
Learn how DHCP starvation attacks exhaust DHCP resources and how to mitigate them by enforcing port security and limiting the number of MAC addresses per interface.
Learn how Dynamic ARP Inspection prevents ARP spoofing attacks by building IP-to-MAC bindings through DHCP snooping or manual entries, then validating replies and dropping mismatches.
Learn how VLAN ACLs filter traffic between VLANs using access maps to match networks or MAC addresses and drop or permit packets on selected interfaces.
Demonstrate configuring VLAN access control lists to restrict inter-VLAN traffic, using access lists, access maps, and filters to drop specific packets while validating connectivity in a practical lab.
Configure protected ports and private VLAN edge to isolate devices on the same VLAN, preventing inter-host communication while preserving access to shared services.
Explore private VLANs overview and how isolated and community VLANs separate traffic among devices in the same subnet. Promiscuous ports enable access to the server while keeping other devices isolated.
Explore a private VLAN configuration lab: designate primary and secondary VLANs (isolated and community), assign ports, map hosts to private VLANs, and verify isolation and promiscuous access.
This course is designed to prepare CCNA Security candidates for the exam topics covered by the 210-260 IINS exam.
This is the third of 6 parts of the Complete CCNA Security 210-260 Exam course.
This course allows learners to understand common security concepts, and deploy basic security techniques utilizing a variety of popular security appliances within a "real-life" network infrastructure. It focuses on security principles and technologies, using Cisco security products to provide hands-on examples.
This Cisco self-paced course is designed to be as effective as classroom training.
Course content is presented in easily consumable segments via both instructor video and text, which makes the learning experience hands-on and increases course effectiveness.
The revised CCNA Security (IINS v3.0) curriculum is designed to bring data, device, and administration security together for better network security, which is more relevant and valuable than ever. It is designed to meet current business demand, so that network security professionals can acquire the new knowledge, training, and vital skills needed to succeed in evolving job roles.
1. Security Concepts – This section includes security principles, threats, cryptography, and network topologies. It constitutes 12% of the questions asked in the exam.
2. Secure Access – This section deals with secure management, AAA concepts, 802.1X authentication, and BYOD. It makes 14% of the exam.
3. VPN (Virtual Private Networks) – This focuses on VPN concepts, remote access VPNs, and site-to-site VPNs. It is 17% of the exam.
4. Secure Routing & Switching – This section concentrates on VLAN security, mitigation techniques, layer 2 attacks, routing protocols, and overall security of Cisco routers. That is 18% of the exam.
5. Cisco Firewall Technologies – This section is 18% of the exam and focuses on stateful and stateless firewalls, proxy firewalls, application, and personal firewalls. Additionally, it concentrates on Network Address Translation (NAT) and other features of Cisco ASA 9.x.
6. IPS – It is 9% of the exam and this portion focuses on network-based and host-based IPS, deployment, and IPS technologies.
7. Content and Endpoint Security – Constituting 12% of the exam, this section checks your understanding of endpoint, web-based, and email-based threats, and then covers the appropriate and effective mitigation technologies and techniques to counter those threats.