Network Security Concepts You Must Master (CCNA / CCNP)
Home › Security › Network Security CCNA/CCNP
Table of Contents
- Security Fundamentals — CIA Triad & Threat Landscape
- Access Control Lists (ACLs) — Standard, Extended & Named
- AAA — Authentication, Authorization & Accounting
- 802.1X — Port-Based Network Access Control
- Layer 2 Security — DAI, IP Source Guard & Storm Control
- VPN & IPsec — Site-to-Site & Remote Access
- Zone-Based Firewall (ZBF)
- IPS & IDS — Intrusion Prevention & Detection
- Control Plane Policing (CoPP)
- Cryptography & PKI Fundamentals
- Exam Tips & Quick-Reference Table
Network security is no longer a specialization — it is a core competency for every network engineer. The days of security being an afterthought bolted onto an otherwise finished network design are long gone. Modern networks are built with security woven into every layer — from the access port authenticating a device with 802.1X, to the control plane protected by CoPP, to encrypted site-to-site tunnels connecting every branch. Both the CCNA (200-301) and CCNP ENCOR (350-401) exams test network security heavily, and it is the topic most likely to separate candidates who truly understand networking from those who have only memorized commands.
This guide covers every security concept tested across both exams — with architecture explanations, real-world context, and production-ready Cisco IOS commands for each topic.
1. Security Fundamentals — CIA Triad & Threat Landscape
Every security control, every protocol, every configuration on this page is designed to protect one or more properties of the CIA Triad — the three foundational pillars of information security.
CONFIDENTIALITY
Only authorized users can access data. Enforced by encryption, ACLs, VPNs, and strong authentication.
✅
INTEGRITY
Data is not altered in transit or at rest. Protected by hashing (SHA-256), HMAC, digital signatures, and IPS.
⚡
AVAILABILITY
Systems remain accessible to authorized users. Protected by HA, redundancy, CoPP, rate-limiting, and anti-DDoS.
Common Threat Types
| Threat / Attack | Layer | Mitigation |
|---|---|---|
| MAC Flooding | Layer 2 | Port Security, dynamic MAC limits |
| VLAN Hopping | Layer 2 | Disable DTP, set native VLAN ≠ 1, prune allowed VLANs |
| Rogue DHCP Server | Layer 2/3 | DHCP Snooping — trusted/untrusted ports |
| ARP Spoofing / Poisoning | Layer 2 | Dynamic ARP Inspection (DAI) |
| IP Spoofing | Layer 3 | IP Source Guard, uRPF, ACLs |
| DoS / DDoS | Layer 3/4 | CoPP, rate-limiting, blackhole routing |
| Man-in-the-Middle (MITM) | Layer 2–7 | DAI, 802.1X, TLS/HTTPS, IPsec |
| STP Attack (Root Takeover) | Layer 2 | BPDU Guard, Root Guard, PortFast |
2. Access Control Lists (ACLs) — Standard, Extended & Named
ACLs are ordered lists of permit/deny statements that filter traffic based on packet header fields. They are the most fundamental and widely used security mechanism on Cisco routers and switches — used for traffic filtering, route map matching, QoS classification, NAT translation matching, and VPN interesting traffic definition. The router tests each packet against the ACL from top to bottom and stops at the first match. An implicit deny all exists at the end of every ACL.
Standard ACL
Filters on source IP only. Numbered 1–99 and 1300–1999. Apply closest to the destination to avoid blocking traffic unnecessarily.
access-list 10 permit 192.168.1.0 0.0.0.255
Extended ACL
Filters on source IP, destination IP, protocol, and port. Numbered 100–199 and 2000–2699. Apply closest to the source to prevent wasted bandwidth.
access-list 110 permit tcp 10.0.0.0 0.0.0.255 any eq 443
Named ACL
Same filtering as standard/extended but referenced by name, not number. Supports entry-level editing with sequence numbers — add or delete individual lines without recreating the entire ACL.
ip access-list extended BLOCK-TELNET
ACL Placement Rules
Standard ACL Placement
Place as close to the destination as possible. Standard ACLs only match source IP — placing them near the source could accidentally block traffic destined for other networks.
Extended ACL Placement
Place as close to the source as possible. Extended ACLs can match both source and destination — blocking at the source prevents unwanted traffic from consuming bandwidth across the network.
! Named Extended ACL — permit HTTPS, deny Telnet, log SSH attempts
Router(config)# ip access-list extended PERIMETER-IN
Router(config-ext-nacl)# 10 permit tcp 10.0.0.0 0.0.0.255 any eq 443
Router(config-ext-nacl)# 20 permit tcp 10.0.0.0 0.0.0.255 any eq 80
Router(config-ext-nacl)# 30 deny tcp any any eq 23 log
Router(config-ext-nacl)# 40 permit ip any any
! Apply ACL to interface (inbound filters traffic entering the router)
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group PERIMETER-IN in
! Apply ACL to VTY lines (restrict remote management access)
Router(config)# line vty 0 4
Router(config-line)# access-class 10 in
Router(config)# access-list 10 permit 192.168.10.0 0.0.0.255
Router(config)# access-list 10 deny any log
! Edit named ACL — add sequence 25, delete sequence 20
Router(config)# ip access-list extended PERIMETER-IN
Router(config-ext-nacl)# 25 permit tcp 10.0.0.0 0.0.0.255 any eq 8443
Router(config-ext-nacl)# no 20
! Verify
Router# show access-lists
Router# show ip interface GigabitEthernet0/0 | include access list
3. AAA — Authentication, Authorization & Accounting
AAA is the security framework that controls who can log in (Authentication), what they can do (Authorization), and what they did (Accounting). In enterprise environments, AAA is implemented using a centralized security server — either RADIUS or TACACS+ — rather than local credentials stored on each device.
RADIUS vs TACACS+
| Feature | RADIUS | TACACS+ |
|---|---|---|
| Transport | UDP 1812/1813 | TCP 49 (reliable delivery) |
| Encryption | Password only encrypted | Entire packet body encrypted |
| AAA Separation | Auth + Authz combined | Auth, Authz, Acct fully separated |
| Best Use Case | Network access (Wi-Fi, VPN, 802.1X) | Device administration (router/switch CLI) |
| Vendor | Open standard (RFC 2865) | Cisco proprietary (enhanced) |
! Enable AAA new-model (required first)
Router(config)# aaa new-model
! Define RADIUS server
Router(config)# radius server ISE-PRIMARY
Router(config-radius-server)# address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
Router(config-radius-server)# key Str0ngSecretKey!
! Define TACACS+ server
Router(config)# tacacs server TACACS-PRIMARY
Router(config-server-tacacs)# address ipv4 10.0.0.11
Router(config-server-tacacs)# key Str0ngTACKey!
! Create server group
Router(config)# aaa group server tacacs+ ADMIN-SERVERS
Router(config-sg-tacacs)# server name TACACS-PRIMARY
! Authentication — try TACACS+, fallback to local on failure
Router(config)# aaa authentication login default group ADMIN-SERVERS local
! Authorization — what commands are allowed
Router(config)# aaa authorization exec default group ADMIN-SERVERS local
Router(config)# aaa authorization commands 15 default group ADMIN-SERVERS local
! Accounting — log all exec commands
Router(config)# aaa accounting exec default start-stop group ADMIN-SERVERS
Router(config)# aaa accounting commands 15 default start-stop group ADMIN-SERVERS
! Verify
Router# show aaa servers
Router# debug aaa authentication
4. 802.1X — Port-Based Network Access Control
IEEE 802.1X is a port-based authentication framework that prevents unauthorized devices from connecting to the network at the switch port level. Before a device is allowed to send any traffic beyond authentication, it must prove its identity to an authentication server (typically Cisco ISE or FreeRADIUS). 802.1X is the cornerstone of Zero Trust network access for wired and wireless infrastructure.
! Enable 802.1X globally
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
! Configure RADIUS server for 802.1X
Switch(config)# radius server ISE
Switch(config-radius-server)# address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
Switch(config-radius-server)# key RadiusSecret123
! Enable 802.1X on access port
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# authentication port-control auto
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# spanning-tree portfast
! Open authentication (allow traffic before auth — for phased rollout)
Switch(config-if)# authentication open
! Guest VLAN (for devices without 802.1X supplicant)
Switch(config-if)# authentication event no-response action authorize vlan 99
Switch(config-if)# dot1x guest-vlan 99
! Auth-fail VLAN (for failed credentials)
Switch(config-if)# authentication event fail authorize vlan 50
Switch# show dot1x all
Switch# show authentication sessions interface Gi0/1
5. Layer 2 Security — DAI, IP Source Guard & Storm Control
Dynamic ARP Inspection (DAI)
DAI prevents ARP spoofing attacks by validating ARP packets against the DHCP Snooping binding table. Untrusted ports have every ARP request and reply checked — if the IP-to-MAC mapping in the ARP packet does not match a binding in the snooping table, the packet is dropped. DAI requires DHCP Snooping to be enabled first to build the binding database.
! Step 1: Enable DHCP Snooping (DAI depends on its binding table)
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 100,110
! Trust uplink toward DHCP server
Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# ip dhcp snooping trust
! Step 2: Enable DAI on VLANs
Switch(config)# ip arp inspection vlan 100,110
! Trust uplink ports for ARP too
Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# ip arp inspection trust
! Optional: Rate-limit ARP on untrusted ports (prevent ARP floods)
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip arp inspection limit rate 100
! Static ARP ACL for devices using static IPs (no DHCP binding)
Switch(config)# arp access-list STATIC-SERVERS
Switch(config-arp-nacl)# permit ip host 192.168.100.10 mac host aabb.ccdd.eeff
Switch(config)# ip arp inspection filter STATIC-SERVERS vlan 100
Switch# show ip arp inspection
Switch# show ip arp inspection statistics vlan 100
IP Source Guard
IP Source Guard prevents IP spoofing by filtering packets based on both the source IP and MAC address, validating each against the DHCP Snooping binding table. Only packets matching a known IP-MAC-port binding are allowed. For devices with static IPs, manual bindings must be added.
! Enable IP Source Guard on access ports (after enabling DHCP snooping)
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip verify source port-security
! "port-security" adds MAC address verification in addition to IP
! Add static binding for device with static IP
Switch(config)# ip source binding aabb.ccdd.0011 vlan 100 192.168.100.50 interface Gi0/2
Switch# show ip verify source
Switch# show ip source binding
Storm Control
Storm Control protects against broadcast, multicast, and unknown unicast traffic storms by monitoring the traffic level on each port and taking action (shutdown or drop) when the level exceeds a defined threshold. A traffic storm can cripple an entire network segment within seconds.
! Enable storm control on access port
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# storm-control broadcast level 20.00 10.00
! Rise threshold 20% | Fall threshold 10%
Switch(config-if)# storm-control multicast level pps 1000
Switch(config-if)# storm-control action shutdown
! "shutdown" = err-disable | "trap" = SNMP alert only
Switch# show storm-control GigabitEthernet0/1 broadcast
6. VPN & IPsec — Site-to-Site & Remote Access
IPsec is a suite of protocols that provides confidentiality, integrity, and authentication for IP packets. It operates at Layer 3, making it transparent to applications. IPsec uses two main protocols and two modes:
AH — Authentication Header
Provides integrity and authentication only — no encryption. Authenticates the entire IP packet including headers. Incompatible with NAT (NAT changes IP headers, breaking the hash).
ESP — Encapsulating Security Payload
Provides encryption, integrity, and authentication. Only authenticates the ESP header and payload (not original IP header). Works with NAT-T (NAT Traversal — wraps ESP in UDP 4500).
Transport Mode
Encrypts payload only. Original IP header is preserved and visible. Used for end-to-end host-to-host encryption (e.g., GRE over IPsec).
Tunnel Mode
Encrypts the entire original packet and adds a new IP header. Standard for site-to-site VPNs. The original source/destination IPs are hidden inside the encrypted tunnel.
IKE (Internet Key Exchange) — Phase 1 & Phase 2
! ── SITE-TO-SITE IKEv2 IPsec VPN ──
! Phase 1 — IKEv2 Proposal
Router(config)# crypto ikev2 proposal IKEV2-PROP
Router(config-ikev2-proposal)# encryption aes-cbc-256
Router(config-ikev2-proposal)# integrity sha256
Router(config-ikev2-proposal)# group 14
! IKEv2 Policy (matches peer proposals)
Router(config)# crypto ikev2 policy IKEV2-POL
Router(config-ikev2-policy)# proposal IKEV2-PROP
! IKEv2 Keyring (pre-shared key)
Router(config)# crypto ikev2 keyring KEYRING
Router(config-ikev2-keyring)# peer BRANCH
Router(config-ikev2-keyring-peer)# address 203.0.113.2
Router(config-ikev2-keyring-peer)# pre-shared-key Sup3rSecretVPN!
! IKEv2 Profile
Router(config)# crypto ikev2 profile IKEV2-PROF
Router(config-ikev2-profile)# match identity remote address 203.0.113.2 255.255.255.255
Router(config-ikev2-profile)# authentication remote pre-share
Router(config-ikev2-profile)# authentication local pre-share
Router(config-ikev2-profile)# keyring local KEYRING
! Phase 2 — IPsec Transform Set
Router(config)# crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
Router(cfg-crypto-trans)# mode tunnel
! IPsec Profile
Router(config)# crypto ipsec profile IPSEC-PROF
Router(ipsec-profile)# set transform-set TS
Router(ipsec-profile)# set ikev2-profile IKEV2-PROF
! Tunnel Interface (Virtual Tunnel Interface — VTI)
Router(config)# interface Tunnel0
Router(config-if)# ip address 172.16.0.1 255.255.255.252
Router(config-if)# tunnel source GigabitEthernet0/0
Router(config-if)# tunnel destination 203.0.113.2
Router(config-if)# tunnel mode ipsec ipv4
Router(config-if)# tunnel protection ipsec profile IPSEC-PROF
! Verify
Router# show crypto ikev2 sa
Router# show crypto ipsec sa
Router# show interfaces Tunnel0
7. Zone-Based Firewall (ZBF)
Zone-Based Firewall (ZBF) replaces the legacy ip inspect (CBAC) model with a more flexible, zone-oriented policy framework. Interfaces are assigned to security zones, and policies control traffic flowing between zones. Traffic within the same zone is permitted by default; traffic between different zones is denied by default unless an explicit policy permits it. The self zone represents the router itself — traffic destined for the router.
INSIDE
Gi0/0 — LAN
→ Zone-Pair →
Inspect HTTP/HTTPS/DNS
← Drop ←
DMZ
Gi0/1 — Web Server
→ Zone-Pair →
Permit HTTP only
← Drop ←
OUTSIDE
Gi0/2 — Internet
! Step 1: Define Security Zones
Router(config)# zone security INSIDE
Router(config)# zone security DMZ
Router(config)# zone security OUTSIDE
! Step 2: Define Class Maps (match interesting traffic)
Router(config)# class-map type inspect match-any INSIDE-TO-OUTSIDE
Router(config-cmap)# match protocol http
Router(config-cmap)# match protocol https
Router(config-cmap)# match protocol dns
Router(config-cmap)# match protocol icmp
! Step 3: Define Policy Maps (action per class)
Router(config)# policy-map type inspect PM-INSIDE-TO-OUTSIDE
Router(config-pmap)# class type inspect INSIDE-TO-OUTSIDE
Router(config-pmap-c)# inspect
! "inspect" = stateful inspection — return traffic auto-permitted
! Step 4: Define Zone-Pairs and apply policy
Router(config)# zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)# service-policy type inspect PM-INSIDE-TO-OUTSIDE
Router(config)# zone-pair security OUTSIDE-TO-DMZ source OUTSIDE destination DMZ
Router(config-sec-zone-pair)# service-policy type inspect PM-HTTP-ONLY
! Step 5: Assign interfaces to zones
Router(config)# interface GigabitEthernet0/0
Router(config-if)# zone-member security INSIDE
Router(config)# interface GigabitEthernet0/1
Router(config-if)# zone-member security DMZ
Router(config)# interface GigabitEthernet0/2
Router(config-if)# zone-member security OUTSIDE
Router# show zone-pair security
Router# show policy-map type inspect zone-pair
8. IPS & IDS — Intrusion Prevention & Detection
Firewalls and ACLs control which traffic is allowed — but they cannot determine whether allowed traffic contains a threat. An attacker sending an exploit payload over permitted port 443 will bypass a firewall. IDS and IPS inspect the content of allowed traffic against a database of attack signatures to detect and/or block malicious activity.
IDS — Intrusion Detection System
Passive mode — a copy of traffic (via SPAN port) is analyzed out-of-band. The IDS detects and alerts on malicious traffic but cannot block it — the original traffic flows uninterrupted.
- Zero impact on live traffic performance
- Cannot stop an attack in real time
- Useful for forensics, baselining, and compliance alerting
IPS — Intrusion Prevention System
Inline mode — traffic flows through the IPS device. Malicious packets are dropped in real time before reaching the target. Can reset connections, block source IPs, and generate alerts simultaneously.
- Adds latency to forwarded traffic (must be sized correctly)
- False positives can accidentally block legitimate traffic
- Requires regular signature updates (FortiGuard, Snort, etc.)
IPS Detection Methods
Signature-Based
Matches traffic against known attack patterns. Low false positives but blind to zero-day attacks not yet in signature database.
Anomaly-Based
Establishes a baseline of "normal" behavior and alerts on deviations. Can detect zero-days but generates more false positives.
Policy-Based
Alerts when traffic violates an explicitly defined security policy (e.g., P2P traffic on corporate network, even if no known attack signature).
9. Control Plane Policing (CoPP)
The control plane is the most critical — and most vulnerable — part of a router or switch. It handles routing protocol updates (OSPF, BGP), management traffic (SSH, SNMP), and any packet destined for the device itself. A DoS attack flooding the CPU with malformed packets or excessive routing updates can crash the device and take down the entire network segment. CoPP uses QoS mechanisms to rate-limit traffic destined for the control plane, protecting the router's CPU from being overwhelmed.
⚠ Critical Point: CoPP does not filter data-plane traffic (packets being forwarded through the router). It only protects the router's CPU (process switching, punt path) from traffic directed at the router — such as routing protocol hellos, SSH sessions, SNMP queries, ARP requests, and TTL-exceeded ICMP messages.
! Step 1: ACLs to classify control-plane traffic types
Router(config)# ip access-list extended ROUTING-PROTOCOLS
Router(config-ext-nacl)# permit ospf any any
Router(config-ext-nacl)# permit eigrp any any
Router(config)# ip access-list extended MGMT-TRAFFIC
Router(config-ext-nacl)# permit tcp 10.0.0.0 0.0.0.255 any eq 22
Router(config-ext-nacl)# permit udp 10.0.0.0 0.0.0.255 any eq 161
Router(config)# ip access-list extended ALL-REMAINING
Router(config-ext-nacl)# permit ip any any
! Step 2: Class Maps per traffic type
Router(config)# class-map match-all ROUTING-CLASS
Router(config-cmap)# match access-group name ROUTING-PROTOCOLS
Router(config)# class-map match-all MGMT-CLASS
Router(config-cmap)# match access-group name MGMT-TRAFFIC
! Step 3: Policy Map with policing actions
Router(config)# policy-map COPP-POLICY
Router(config-pmap)# class ROUTING-CLASS
Router(config-pmap-c)# police rate 256000 bps conform-action transmit exceed-action drop
Router(config-pmap)# class MGMT-CLASS
Router(config-pmap-c)# police rate 64000 bps conform-action transmit exceed-action drop
Router(config-pmap)# class class-default
Router(config-pmap-c)# police rate 32000 bps conform-action transmit exceed-action drop
! Step 4: Apply to Control Plane
Router(config)# control-plane
Router(config-cp)# service-policy input COPP-POLICY
Router# show policy-map control-plane
10. Cryptography & PKI Fundamentals
Understanding cryptography is essential for understanding why security protocols work — not just how to configure them. Every VPN, 802.1X certificate, HTTPS session, and SSH connection relies on these foundations.
Symmetric Encryption
Same key encrypts and decrypts. Fast — used for bulk data encryption. Key exchange is the challenge. AES-128/256 is the current standard (replaced DES/3DES).
Asymmetric Encryption (PKI)
Public/Private key pair. Encrypted with public key; decrypted with private key. Slow — used only for key exchange and digital signatures. RSA, ECDSA are common algorithms.
Hashing & HMAC
One-way transformation — produces fixed-length digest. Used to verify data integrity. SHA-256/SHA-384 replace MD5 (broken). HMAC adds a secret key to prevent tampering.
Diffie-Hellman (DH)
Key agreement protocol — allows two parties to securely agree on a shared symmetric key over an untrusted channel without transmitting the key itself. Used in IKE Phase 1. DH Group 14 (2048-bit) minimum for production; Group 19/20 (ECDH) preferred.
SSH Hardening (Secure Device Management)
! Harden device management — disable Telnet, enforce SSH v2
Router(config)# hostname R1
Router(config)# ip domain-name thenetworkdna.com
Router(config)# crypto key generate rsa modulus 2048
Router(config)# ip ssh version 2
Router(config)# ip ssh time-out 60
Router(config)# ip ssh authentication-retries 3
! Enforce SSH-only on VTY lines
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# login local
Router(config-line)# exec-timeout 10 0
! Create local user with privilege level
Router(config)# username admin privilege 15 algorithm-type scrypt secret Admin$ecure2025
! Disable unused services
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
Router(config)# no ip http server
Router(config)# no cdp run
Router(config)# no ip source-route
Router# show ip ssh
11. Exam Tips & Quick-Reference Table
| Topic | Key Fact | Common Exam Trap |
|---|---|---|
| ACL Implicit Deny | Every ACL ends with an implicit deny any |
An ACL with only a permit statement still blocks everything else — add explicit deny + log to capture blocked traffic |
| ACL Wildcard Mask | Wildcard = inverse of subnet mask. /24 → 0.0.0.255 | 0 = "must match," 1 = "don't care" — opposite of subnet mask logic |
| RADIUS vs TACACS+ | RADIUS = UDP, password-only encryption. TACACS+ = TCP, full encryption | TACACS+ preferred for device administration; RADIUS for network access (802.1X, VPN) |
| 802.1X Guest VLAN | Activated when no EAP response from supplicant (no client software) | Auth-fail VLAN = wrong credentials. Guest VLAN = no 802.1X client at all |
| DAI Dependency | DAI requires DHCP Snooping to be enabled first | Static IP devices need ARP ACL entries or they'll be blocked by DAI |
| IPsec AH vs ESP | AH = integrity only, no encryption. ESP = encryption + integrity | AH is incompatible with NAT — always use ESP in NAT environments (NAT-T) |
| ZBF Default Policy | Traffic between different zones is denied by default | Traffic within the same zone is permitted by default — no policy needed for intra-zone |
| CoPP Traffic | Only protects traffic destined for the router (control plane) | CoPP does NOT affect transit traffic being forwarded through the router (data plane) |
| DH Group Strength | Group 1/2/5 are deprecated — minimum Group 14 (2048-bit) | DH group determines Perfect Forward Secrecy strength in IKE Phase 1 |
| VLAN Hopping | Switch spoofing or double tagging to reach other VLANs | Mitigation: switchport nonegotiate + change native VLAN from 1 + explicit trunk allowed list |
Master Checklist — Before Your CCNA/CCNP Exam
☑ Explain CIA Triad with one example each
☑ Configure named extended ACL with sequence editing
☑ Explain where to place standard vs extended ACLs
☑ Configure AAA with TACACS+ and local fallback
☑ Explain difference between RADIUS and TACACS+
☑ Configure 802.1X with Guest VLAN and Auth-Fail VLAN
☑ Enable DAI with static ARP entry for static IP device
☑ Configure IKEv2 site-to-site VTI IPsec tunnel
☑ Explain IKE Phase 1 vs Phase 2 negotiations
☑ Configure Zone-Based Firewall with 3 zones
☑ Explain IDS passive vs IPS inline and detection methods
☑ Configure CoPP to protect OSPF and SSH traffic
Tags
