Edited Layer 2 Security Quiz Recording | Cisco CCNA 200-301

Captions
[Music] And welcome everybody, this quiz is all about Layer 2 security. If you have not already done so, please subscribe, make it easy to find me, I've got a whole playlist of quiz questions. If you're watching this recorded version, please enjoy, but also feel free to join us every Sunday 11 a.m. Pacific for another online live CCNA-level quiz. All right, having said that, here's our quiz for today, buckle up, here we go. Glad you are here, and here's the first question: which would provide the best prevention against DNS and default gateway misinformation? How do we protect our clients that are getting IP addresses against this?

All right, DHCP snooping, and here is the reason, and this happens accidentally all the time, all the time, in fact I'm guilty of doing it accidentally more than just once in my career. If we have a network, and let's say this represents the network, it's a switch, lots of ports hanging off, and somebody brings in a home router, just like a Linksys or whatever flavor he has, or she has, they bring it in, they plug it in in their cube, in their office, or they connect the switch and they connect it, well that guy is just, he's broadcast advertising DHCP services like crazy. So if there's a client, let's say this is Yar's, so Yar's computer is right here, it boots up, it's a DHCP client, and then a quick review, and I mean quick: this client says hey, shouts out, is there a DHCP server available? That's referred to as a discover message, and any DHCP servers that hear that are going to go ahead and make an offer, including the home router. So you can have clients that are getting IP addresses from the wrong range and everything else from, you know, these rogue DHCP servers, and then if Yar's computer loves it, it'll say I'll request that IP address, I'll take it, and then after that the DHCP server sends an acknowledgement, and that's the DORA process, the Dora the Explorer, the four major packets in the DHCP exchange.

And whether it's a home router somebody brought in or whether it's an attacker, which is more likely to cause real harm, the attacker, if they first of all, they totally wipe out your existing DHCP server by making hundreds of requests for addresses, using basically DHCP exhaustion, which is a real thing, where it doesn't just mean that your DHCP server is tired, it means your DHCP server has no more IP addresses to hand out. And so once the attacker exhausts the DHCP server, the real one, it then goes ahead and puts up its own DHCP server on the network that it's directly connected to, and that would extend to any VLANs where, you know, that VLAN exists, and then the attacker is now listening, and when Yar does the discover, the attacker answers, and the attacker supplies things like hey, it's my IP address for the default gateway, so it can be a man in the middle, hey, it's my IP address for the DNS server, so it can go ahead and lie about URL information, about the IP addresses behind it, and basically own the whole network.

And to prevent that, DHCP snooping. If we enable it, by default the switch has one big word, and let me change my font to my pen for this, here it is, the word, if we enable DHCP snooping, is no: I'm not allowing DHCP server messages coming in from anybody. You might think well that's harsh, you mean, let's say this is VLAN 1, no DHCP offers or acknowledgments or, or messages at all? And the switch says that's correct, because I'm doing DHCP snooping. What if we have the real DHCP server sitting right here, how, what do we do? Well, we make this port a DHCP trusted port, and that simply says yeah, we will allow incoming traffic from a DHCP server on that port. Even though DHCP is enabled on the VLAN, we're going to trust DHCP server messages that are coming in on this exact port.

I do want to give you a heads up for another question coming up, or two, also, that will help: if you have a situation like this where you have a couple switches, there's Switch 1, there's Switch 2, and there's our DHCP server right here, DHCP, and between them we have a trunk between the two switches. Well, if both switches, let's assume just one VLAN here, if both switches are doing DHCP snooping and we have Yar's, the client, again right here, and Yar does the discover, that discover gets sent as a broadcast, it goes over the trunk, if it's the native VLAN it won't be tagged, but either way it goes over the trunk. This switch receives it, forwards that broadcast, this DHCP server hears it, and when it makes the offer, that offer is now going in here on this trusted port, so it's allowed in the switch, too, and then it gets sent over the trunk, and this incoming trunk port right here, if that's also not trusted, it's going to say whoa whoa whoa, DHCP snooping is enabled and I see a DHCP server message, I'm going to kill it. So DHCP snooping is really applicable, and what we want to do is have it applied to access ports, but we probably want to make our trunk ports, all of them, trusted, and that way if we move a DHCP server somewhere else in the topology, that DHCP server traffic can go across the trunks. What we're really trying to do is prevent somebody from bringing in or attaching on an access port pretending to be a DHCP server. All right, all right, all right, let me clear that off, that was fun. That'll give you some heads up on several questions to
come, and let's see who's in first place. Kind Dolphin, way to go Kind Dolphin, love it, followed by Mountain Dragon, Dazzled Quail, Witty Fox and Melodic Goose. If you have the courage to do so, I would also have you in the chats right now type in your game name that you're currently using for this game, and that way that adds a little bit of additional excitement and pressure, but if you're up for it, just right now go ahead and type in I am Kind Dolphin, or I am Mountain Dragon, and so forth. We're off to a great start.

Here is question number two, it is multiple select and it's double points, no pressure, but I'm looking for two specific answers regarding this port, which is GigabitEthernet 2/0/3: which two things are true, which of the following are true regarding this port? And: this port is not trusted; ARP packets without IP-MAC bindings are denied. And wow, we got, look at that, we have a whole bunch of people on blue, why is that, the max MAC addresses learned will be two, why is that? I also gave double points in this quiz to every question that is based on some type of a CLI output, because that helps us to integrate what we're learning conceptually with how it actually works. So here's what I know from this output which I created: in the running config it's doing ARP inspection for VLAN 600 through 800, that's enabled. I also see from this output that this interface Gig 2/0/3, which is the port in question, that it's associated as an access port, and right, access port in VLAN 777, that means ARP inspection is enabled on it. So that means this yellow answer down here: ARP packets that are sent in from a device on this port, if they're not congruent, meaning the switch thinks that, like, layer 3 address A goes with layer 2 address A, you know, it has those matched, let's say B has those matched up, and if there's an ARP message, because ARP inspection is on, there's an ARP message where this guy claims oh, my layer 2 address is C, and it's not mapped up with what the switch believes, it's gonna drop it. That's because ARP inspection, that's what it does, it just makes sure that nobody's lying on any ports that are not trusted for ARP inspection, and makes sure that no ports are going to be lying about messages they're sending related to ARP. So that's why this yellow is true. And the port is not trusted, and with this it's not trusted for anything, frankly, it's not trusted for DHCP snooping, it's not trusted for ARP inspection, all that's true, it would be here in the config, and that's why green is true. So why did so many people jump on blue? The answer here, switchport port-security maximum 2, that looks like the maximum number of MAC addresses, however the feature is not enabled on this port. That's the only problem here. You can set the violation mode all you want, you can specify a maximum number of MAC addresses, you can specify the voice VLAN, you can just have a party talking about all the options that you want to set for port security, but if we don't enable it, which is not enabled, it doesn't matter, it's not being used. So switchport port-security, enter, is what turns on the feature, and that is the most common misconfiguration when people are enabling port security: they set the maximum, they set the violation action, but they fail to enable the feature. So is that a little bit of a trick question? I would say I wrote this question to have you think about it, and it's very common, and so now we've seen it, now we know. Let me go ahead and clear off the screen and let's continue on. That also will help with a few questions coming up.

All right, next, here we go, kind of, oh, Mountain Dragon, followed by Rockstar Otter, Space Zebra, Jolly Frog and Majestic Dingo, oh look at this, up 59 places, Golden El is the highest climber, oh it's anybody's game, there's a lot of double points coming up too, glad you're here. This is multiple select, I'm looking for three answers out of four, just look for the one that's not true: which baseline config can protect unused layer 2 switch ports? And when I mean baseline, I'm talking about you get a brand new switch, you're about to roll it out, what can we do to all the ports by default before we start configuring them to have the best possible security posture? All right, and those three answers that are marked correctly: shut down the ports; put them in a non-production VLAN, for example if you're not using VLAN 999 maybe create one as a parking lot for ports that aren't being used, so by default if there's a port that's plugged into that's not supposed to be available, like somebody is going in the lobby and plugging something in, they're going to end up with a port that's shut down, a port that, if it wasn't shut down, it goes to a nowhere VLAN; and then configuring them as a static access port is really important, because if that port is willing to use DTP, Dynamic Trunking Protocol, and it's willing to negotiate a trunk, if you just see somebody on the other side who's willing, in desirable state, like a hacker machine with, like, Yersinia or a number of tools, we'll do it from Kali Linux, then the hacker now has a trunk into the switch, and once they have a trunk they can then tag their frames and they can join any VLAN they want just by tagging it and having an appropriate IP address. All right, so those are the three correct answers, and that's why, great to have everybody here.

As we continue on, Mountain Dragon first place, Jolly Frog, Rockstar Otter, Space Zebra and Dazzled Quail top five, Mountain Dragon, man, 7 1337 points, amazing. All right, here's question four of nine, in layer 2 security, we're like almost halfway there: which of the following are defaults for port security? 60 seconds on the clock, the faster you answer the more points you get if they are correct answers. I'm looking for three, just look for the one that's not related to port security, and you're golden, choose all the others. The three that are on the screen are the defaults: maximum number of MAC addresses is one, it's disabled by default, and the violation action by default is shutdown. And port security, the feature port security, isn't related to ARP inspection, it's not related to DHCP snooping, that's why red is off the table there. All right, great job.

Here we go, continuing on, question five of nine, it's multiple select, it's also double points, so the heat is on: a non-DHCP client on this port, that's about to show up here, it can't access the network, what are two solutions that could solve this? I really enjoy these quizzes, by the way, they're so much fun, and they keep getting better too, we have more people show up, I tweak them and make them more effective, I think, every single week, so it's great to have you. [Music] Also the feature they added that allows the actual image in the question and the answers to show up on your mobile device is great. All right, a non-DHCP client on this port cannot, hey, thanks Solid Shadow, appreciate that, a non-DHCP client on this port cannot access the network, which two solutions could solve this? And we've got, you know, a slight majority on the two correct answers. Let's talk about why for a moment. Let me bring up a pen, and what do we know, that's what I think when I look at an output, I think, what do we know from this output? This says that ARP inspection, that means no lying about what your layer 2 address is in ARP-related messages, is enabled for VLAN 600, 601, 602, all the way through 800. All right, skip to the end, and if we're looking at the output of Gig 2/0/9, which is the question that we're involved in here, so I imagine we have a switch, there's port 2/0/9, there's the user connected on that, let's say it's Ari, so Ari is connected to that port and he can't access the network. Now why is that? So it's in 675, so ARP inspection's on, okay, here we go. He's a non-DHCP client, I was just trying to put the pieces together. So if this guy's a non-DHCP client, that means that he has a static IP address that's configured on it, let's say it's 10.1.0.99 or whatever it is. Because he didn't do DHCP, that means that DHCP snooping, which, not only, this is important, it's not only just protecting against rogue DHCP servers showing up, but it's also building a binding table by default, so it's paying attention to DHCP messages. So when, like, let's say Lois here, Lois gets an IP address via DHCP, let's say she got .98, when she gets that IP address, DHCP snooping, if it's also enabled, adds that to the binding table. It's going to say okay, .98 is mapped with port 2/0/8, we'll say that's the port Lois is on, and the MAC address is 001234567890 or something, whatever the MAC address is, and that's the binding table. And that's what ARP inspection uses to make sure that the traffic, the ARP traffic, coming in on this port, really going into this port, is not being lied about, it matches up with that binding table. So if we have a client like Ari who's connected and it's not a DHCP client, there's no binding entry. So the solutions could be: have Ari be a DHCP client, and that way it would show up in the binding table for port 2/0/9, and that way ARP inspection wouldn't be stopping his ARP messages from being sent out; and the second option is we can create an ARP ACL, and what the ARP ACL is, effectively it's just a set of mappings that map layer 3 addresses, IP addresses, to layer 2 addresses, and then we tell ARP inspection to also, we can say just use this list, or we can say use the DHCP snooping binding table and the ARP ACL. But I think that's the two solutions, the only two options here that I saw based on this scenario. Let me clear that off and let's take a look, let's go back and look at the question now that we talked about all that: yeah, make the client a DHCP client, and configure an ARP ACL and then also apply that ARP ACL to the configuration for ARP inspection. All right, if you didn't know that, now you do, appreciate you being here, we're learning and growing together, I learn new stuff all the time.

We had office hours yesterday, and let me bring up this real quick, so we had office hour yesterday and I demonstrated port security and DHCP snooping and also a CAM table overflow attack that we stopped with port security, and I had some results that I wasn't expecting and I still don't know what caused them exactly, but it was all about
troubleshooting out, is it the client or is it the switch, or who's causing this challenge? And that's the benefit of labbing stuff up, it gives you the opportunity to, if I, here's, here's the deal. I've been, I've been doing networking for a long time and I still like it, but I still learn a ton. In fact, whenever I go in and lab something, I usually remember something or better understand something than I did previously. So it's never too late to start learning, and it's never too, um, you never want to stop labbing, and that's the big secret. So lab it up, lab it up, lab it up. If you have a question about something, here's what I do, I'll be quick: if somebody asked me a question that was something I think I'm not good, I'm not, you know, I don't recall how that works off the top of my head, I will Google it, you know, and then I'll usually lab it up, if it's something, you know, that takes a few minutes, just lab it up, say yep, that's the expected behavior, that's how that works, now I know. And when we do that, when we both research it and lab it up, oh my gosh, it's a winning combination, just incredible. So I encourage everybody to do it, and these techniques and topics that we're learning, they'll serve you for a long, long time. It's not just something you memorize for an exam, it's something that you can use, and then when you get to troubleshooting it's like okay, I understand all these pieces, and this isn't working, how can I apply what I know to solving the problem? So great again to have everybody here. Mountain Dragon is still in first place.

Clicking on next, here we go, question six of nine, double points: DHCP is failing for our device in VLAN 55. We're looking here at Switch 1, that's important to be aware of, look at the hostname, we're looking at the output of Switch 1, but the DHCP server is over on Switch 2 in VLAN 55, the client's also in VLAN 55, so what is needed to help this device actually get an IP address via DHCP? Look at that: make the trunk a trusted port. There's so many people on the right answer, I'm so pleased, that means a couple things, one is you were listening earlier, which I do appreciate, and that's fantastic, excellent work everybody, I'm glad you're here. And Mountain Dragon, fifteen thousand two eighty four, I need to know who, well, Mountain Dragon, you can maintain your anonymity unless you already posted it earlier, I'll take a look on the next question. So great job for everybody who's here.

And here's question seven of nine, here we go, it's multiple select, it's double points, that means there's going to be some kind of an output here that we're going to interpret: which of the following are true? And you get to choose all that apply, that could be one, two, three or all answers correct, I'll let you be the judge of that. And the only one that wasn't the correct answer here is the maximum default for voice VLAN is being used. So learned MAC addresses will go to the running config, let's take a look at the output, let me just mark it up right here, it'll work. So this is from the sticky, s-t-i-c-k-y, sticky learning, says that when a MAC address shows up, assuming it's not above the threshold for port security, sticky says please put that in the running config, and that way if we had, like, say we had 400 ports to deal with, we could turn on sticky learning, turn on all 400 machines, and then save the config to the startup config, and that'd be a quick way of getting a whole bunch of computers and their MAC addresses into the configuration without manually inputting them, if you want to do that. But that's what sticky does: running config, and then a save to startup config would actually permanently save those. 802.1Q is in use on this port, and that's because there's a voice VLAN. So with voice VLANs, here's the switch, and there's the port, and it's got a voice VLAN and it's got a data VLAN, and then we are connected to a phone, I'm going to draw my phone there, that's because I'm over 50, that's what my phones look like, and there's a rotary dial just because we can. All right, so there's a phone, actually it's an IP phone, and then there's a little switch built in there, and then off, they hang off that phone, then we have the PC. This PC would be, let's say it's going to be Amos, so Amos's, or almost, depending on how that is correctly pronounced, so Amos's PC is here, and when he sends traffic, or when this computer sends traffic into the network, the switch sees it and lets it go through untagged, and then the phone, when it's communicating with the network, if the voice VLAN is, I forget what the voice VLAN was, let's say it's 9 as an example, it would tag its own frames with a VLAN of 9 with 802.1Q, and that would show up at the switch, and that's how the switch knows that okay, untagged data, untagged frames belong to, like, VLAN 4 or whatever the data VLAN is, and the tagged frames with VLAN 9 are the voice VLAN coming from the phone. Now that I did those, let me clear that off and let me take a look at the media. Okay, the voice VLAN is VLAN 11 and the data VLAN is VLAN 10, and then there's some maximum set up for both of those, and then they're sticky, and let's see, maximum, yeah, maximum default for access VLAN is not being used, the default maximum, which is one, is not being used, 802.1Q is in use, and the learned MAC addresses will go into the running config, and that's because it's sticky. All right, we're learning and growing.

Here we go, continuing on, stop the truck, Dazzled Quail is in first place, congratulations, wow, the competition is getting stiff here: Dazzled Quail, Jolly Frog, Witty Fox, Smiling Yak and Mountain Dragon. It's on, it's on, there's only two more questions, oh my gosh, here we go, double points: which of the following is true regarding this port? Good luck everybody, the pressure's on. Okay, well we got 48 on the right answer, let's talk about why the other ones weren't true. We got quite a bit with red, maximum number of MAC addresses learned is two, and why isn't that true? Let's take a peek, and I think the reason that's not true is because of the number one failure in configuring port security: it's not enabled. So if it's not enabled, none of those maximums or violation actions matter, because they're not in use on that port. So what else was here? ARP traffic won't be inspected, that's because this is a trusted port from the perspective of ARP inspection. If we wanted to make it a trusted port for DHCP snooping, that would be a separate command, but we could do that as well. That is it. [Laughter] All right, I'm having a lot of fun, I appreciate you being here.

All right, moving on, let's look at the top, Dazzled Quail, I think we've got one, oh my goodness, we've got one more question, that's it. So Dazzled Quail, Jolly Frog, Smiling Yak, Mountain Dragon and Majestic Dingo, and also anybody else who's really in the top 20 right now, here's your opportunity, it's your opportunity to lose it all or win it big right now. And the reality is, all of you here, everybody who's here right now studying and learning and practicing, you're all winners, because you're putting in the time. I can, just from my experience working with IT over the last three decades, I can tell you that a lot of people are surprised and shocked, like how did you get XYZ certification, or how did you get this knowledge, or how did you get that job, and the answer is one day at a time, that's it. Like how did you learn XYZ, like whatever it is, I just took it one day at a time and I just gradually and consistently chipped away and chipped away and chipped away. This is not a sprint, the world of IT is a marathon, and you have to have the right shoes and you have to have the right gear and you have to have the right training, and CCNA is that, it's the right gear and training and fundamentals for you to succeed as you continue past CCNA, this is just a stepping stone that I would love to help you accomplish. So a lot of people say what do you need to get a CCNA? Number one, need to carve out the time; two, you need some kind of a study resource that covers all the blueprint items, so my YouTube channel does not do that. My YouTube channel is great, I've got like 30, 40 quiz, you know, sessions, I've got like 150 videos regarding CCNA, but it's not going to cover every single bullet point, but it covers what I think are the most important ones, and so if you ever associ... let's get back on track. Time, you need to have a study material of some type that covers everything, and then use this channel as a resource to refresh, reinforce, dive in, join me for office hour, all the rest, and the third thing that you need to do is lab it up in Packet Tracer, it's free, Packet Tracer is free, I've got videos on that as well. So that's it, yeah, study material, schedule time, Packet Tracer, and do it, and don't let anybody stop you, and don't make a big deal out of it either, because what happens for me, and I'll get, last question's coming up, what I do sometimes is I'll talk to people, I'm going to do this, and then, I don't know, something about the urgency of that, once I've said I'm going to do this, sometimes fades. So if you're going to do something, set out a plan and do it, if you want to also talk about it that's fine, or you have your loved ones committed to helping you get that done, but just fairly quietly, with your head just a little bit down, just focus on it, and just don't listen to everybody who says you can't. The people who say you can, like me and NetworkChuck and David Bombal and Jeremy's IT Lab and, I guess, Neil off of Udemy, they all make great content, we all believe you can do it, and it's gonna make a difference, and so anybody else you see that says you can't do it, just, just, just ignore that and just move on.

All right, here we go, last question, and this is for all the marbles, here it is: what is the most, oh my gosh, the faster you answer the more points you get, what's the most frequent mistake when configuring port security? Go go go go. All right, 90 people on the right answer: forgetting to enable the feature on the port is indeed the number one most frequent mistake, because you can configure the maximums for MAC addresses, you can configure the violation action, but if you don't enable the feature, it's not going to happen. All right, and Kelvin just confirmed with me that right after this livestream, on Discord, we are gonna, our Kelvin is gonna do an intro to Python, thank you, I now recall, which is fantastic, so if you're interested in Python it's gonna be in the Above CCNA voice chat room on Discord, there's a link in this video for that, you can join us there, we'd love to have you, and I appreciate all the people who are supporting each other.

All right, here's the winner's table, and number one is [Music] Dazzled Quail with almost 20,000 points. My congratulations to everybody. Let me grab some feedback from you as well, so these are the toughest four questions, they are most valuable for me, if we are to see these again, because the tutorials we wove into this, I think you'd do a lot better next time they come around, so that's fantastic. And oh, and then I also have a question for you about office hour coming up in just a moment. All right, let me go ahead and grab that feedback if I could, I'll bring this camera full screen, so let me say goodbye to everybody else and then we'll continue just for a few minutes with some Q&A right here on this livestream. And that concludes our quiz, thanks for joining us. If you want to join us for the live events, you're welcome to do so, there every Sunday 11 a.m. Pacific time right here on the Keith Barker channel. So until the next live event, be kind to everybody, keep studying and have fun. Bye for now. [Music]
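Pulling the quiz's answers together into one Cisco IOS configuration: this is an added example written for this page, not configuration from the video or its quiz screens. It assumes interface numbers (Gi1/0/1 as the trunk to Switch2, Gi2/0/3 and Gi2/0/9 as the access ports from the questions, Gi2/0/10-48 as unused), the VLAN numbers the quiz used (55, 600-800, 675, 777, 10/11, 999), and a constructed MAC address for the static host.

```cisco
! ---- DHCP snooping: drop server messages on untrusted (access) ports ----
! Enabling it globally and per VLAN; the trunk toward Switch2 (where the
! DHCP server lives) must be trusted or the OFFER/ACK dies on ingress
! (question six). Snooping also builds the binding table that DAI uses.
ip dhcp snooping
ip dhcp snooping vlan 55,600-800
!
! ---- Dynamic ARP Inspection for the VLANs in the quiz output ----
ip arp inspection vlan 600-800
!
! Static host that never does DHCP (question five): an ARP ACL supplies the
! IP-to-MAC mapping the binding table lacks. MAC below is a constructed
! placeholder, not a real device.
arp access-list STATIC-HOSTS
 permit ip host 10.1.0.99 mac host 0000.0000.0099
!
! Without the "static" keyword, ARP packets that do not match the ACL are
! still checked against the DHCP snooping binding table (ACL + bindings).
ip arp inspection filter STATIC-HOSTS vlan 675
!
! ---- Trunk to Switch2: trusted for both snooping and DAI ----
interface GigabitEthernet1/0/1
 description Trunk to Switch2 (assumed)
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! ---- Question two's port, with the missing line added ----
interface GigabitEthernet2/0/3
 switchport mode access
 switchport access vlan 777
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security          ! the line most people forget
!
! ---- Question seven style phone+PC port: per-VLAN maximums, sticky ----
interface GigabitEthernet2/0/9
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 11
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security mac-address sticky
 switchport port-security
!
! ---- Baseline for unused ports (question three): static access,
!      parking-lot VLAN, no DTP, shut down ----
vlan 999
 name PARKING-LOT
interface range GigabitEthernet2/0/10 - 48
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! ---- Verification ----
! show ip dhcp snooping                    -> trusted ports, enabled VLANs
! show ip dhcp snooping binding            -> .98 style entries per port
! show ip arp inspection interfaces        -> trust state per interface
! show port-security interface Gi2/0/3     -> "Port Security : Enabled"
```

Run the show commands after a lab client boots: if Gi2/0/3 still reports port security as disabled, the enable line is the first thing to check, exactly as the last quiz question says.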
Info
Channel: Keith Barker
Views: 2,525
Keywords: ccna, cisco, 200-301, Cisco CCNA, Cisco Certification, ogit, Keith Barker
Id: jLcUI9EkNdY
Length: 30min 35sec (1835 seconds)
Published: Sun Apr 18 2021