WEBVTT 1 00:00:00.080 --> 00:00:03.919 Okay, let's unpack this. In a world that feels well 2 00:00:04.000 --> 00:00:07.559 increasingly connected, have you ever stoked to think about the 3 00:00:07.599 --> 00:00:10.960 invisible architecture that actually makes it all possible? 4 00:00:11.119 --> 00:00:12.400 It's everywhere, isn't it? 5 00:00:12.640 --> 00:00:16.839 Right, From the simplest text message to complex cloud services, 6 00:00:17.039 --> 00:00:20.440 there's this intricate dance happening just beneath the surface, a 7 00:00:20.600 --> 00:00:23.320 huge digital highway moving data. 8 00:00:23.239 --> 00:00:25.519 Everywhere, absolutely a constant flow. 9 00:00:25.760 --> 00:00:28.199 Today we're taking a deep dive into the very backbone 10 00:00:28.320 --> 00:00:32.119 of our digital lives network technologies. We're going to try 11 00:00:32.119 --> 00:00:36.439 and demystify some foundational concepts, explore crucial protocols. 12 00:00:35.880 --> 00:00:39.079 And even peek into the future a bit with automation exactly. 13 00:00:39.520 --> 00:00:41.920 And our guides for this journey, well, we're drawing from 14 00:00:41.960 --> 00:00:46.280 an incredibly comprehensive set of sources, basically expert level stuff 15 00:00:46.759 --> 00:00:49.079 distilled into digestible insights. 16 00:00:49.200 --> 00:00:51.119 Yeah, breaking down the complex bits. 17 00:00:51.200 --> 00:00:53.560 Our mission really is to give you a shortcut to 18 00:00:53.600 --> 00:00:57.520 being truly well informed about how networks function, hopefully revealing 19 00:00:57.520 --> 00:00:59.560 some surprising facts, practical. 20 00:00:59.159 --> 00:01:02.000 Insights, things that might change how you see your connected world. 21 00:01:02.119 --> 00:01:05.599 Yeah, charity for some serious aha moments. Hopefully, let's do it. 22 00:01:06.000 --> 00:01:09.519 So to kick things off on our digital highway. We 23 00:01:09.599 --> 00:01:12.640 need to understand its basic structure. Think of it like 24 00:01:13.040 --> 00:01:16.959 building a complex building, maybe layer by layer, each floor 25 00:01:17.000 --> 00:01:17.840 with its own job. 26 00:01:18.120 --> 00:01:23.159 That's a good analogy. The OSI model is that blueprint. Essentially, 27 00:01:23.680 --> 00:01:27.120 it helps us grasp how information travels across a network, 28 00:01:27.400 --> 00:01:28.000 piece by. 29 00:01:27.920 --> 00:01:30.079 Piece, layer by invisible layer. Right. 30 00:01:30.359 --> 00:01:35.640 And it's remarkable how this layered approach breaks down immense complexity. 31 00:01:35.719 --> 00:01:38.200 If we start near the bottom at layer two, the 32 00:01:38.280 --> 00:01:41.159 data link layer, okay, you're in the immediate vicinity, like 33 00:01:41.200 --> 00:01:44.319 the local street in our digital neighborhood. This is where 34 00:01:44.400 --> 00:01:45.640 MBACK addresses are key. 35 00:01:45.840 --> 00:01:49.480 Ah. The MSSE addresses, those unique hardware identify. 36 00:01:49.239 --> 00:01:53.439 Exactly, those unique physical identifiers for devices. They're absolutely essential 37 00:01:53.560 --> 00:01:56.079 for communication within the same local network. 38 00:01:56.239 --> 00:01:58.400 So my laptop is talking to my printer right here, 39 00:01:58.640 --> 00:02:01.519 or my phone's hitting the Wi Fi. That's m ASSE 40 00:02:01.680 --> 00:02:04.239 addresses doing the work locally precisely. 41 00:02:04.400 --> 00:02:07.239 And the key devices here are switches. They're directing that 42 00:02:07.280 --> 00:02:11.000 local traffic based on those mass addresses. A switch basically 43 00:02:11.039 --> 00:02:15.479 keeps an address book a table for each separate segment, 44 00:02:15.560 --> 00:02:17.919 like different vlands if you have them, okay, and if 45 00:02:17.960 --> 00:02:21.000 it doesn't know where a specific m call address lives, Well, 46 00:02:21.560 --> 00:02:24.520 it'll temporarily send the data out to all connections in 47 00:02:24.560 --> 00:02:25.560 that segment. 48 00:02:25.360 --> 00:02:27.319 Sort of like shouting down the street anyone seeing this. 49 00:02:27.319 --> 00:02:30.479 Device kind of yeah, yeah, until it learns the correct path. 50 00:02:30.560 --> 00:02:34.400 And here's something that often surprises people. The Spanning Tree 51 00:02:34.439 --> 00:02:38.879 Protocol STP, or its faster cousin RSTP, operates right here 52 00:02:38.919 --> 00:02:40.639 at this very local layer two. 53 00:02:40.840 --> 00:02:43.319 Really at layer two. But isn't that the thing that 54 00:02:43.319 --> 00:02:46.120 stops networks from collapsing in on themselves with loops. 55 00:02:46.280 --> 00:02:50.240 It is. It's the unsung hero preventing those crippling network loops. 56 00:02:50.280 --> 00:02:51.479 You'd think it'd be higher up. 57 00:02:51.520 --> 00:02:54.919 Maybe. Yeah, that is surprising. It seems so fundamental. Okay, 58 00:02:54.960 --> 00:02:58.319 so if layer two is the local street, layer three, 59 00:02:58.439 --> 00:03:01.520 the network layer must be the GPS for the whole 60 00:03:01.639 --> 00:03:02.360 highway system. 61 00:03:02.479 --> 00:03:03.840 That's a great way to put it. This is where 62 00:03:03.840 --> 00:03:07.680 IP addresses come in. They enable communication between different networks. 63 00:03:07.280 --> 00:03:11.199 So from my home network to a website server halfway across. 64 00:03:10.919 --> 00:03:14.560 The world exactly. And writers are navigators here. They make 65 00:03:14.560 --> 00:03:17.360 the forwarding decisions to get data from network A to 66 00:03:17.439 --> 00:03:17.919 network B. 67 00:03:18.280 --> 00:03:18.639 Gotcha. 68 00:03:18.840 --> 00:03:22.639 And routers are truly crucial for segmenting networks. This helps 69 00:03:22.680 --> 00:03:25.879 control that broadcast traffic we mentioned, stops the shouting from 70 00:03:25.960 --> 00:03:28.840 echoing across the whole city, you know, right, keeps it local, 71 00:03:28.919 --> 00:03:32.120 keeps it local. And they also allow for really sophisticated 72 00:03:32.159 --> 00:03:35.680 filtering using access control lists ACLS. 73 00:03:35.800 --> 00:03:37.759 Okay, ACLS like a bouncer's. 74 00:03:37.360 --> 00:03:40.680 List sort of. Yeah, detailed rules saying exactly what traffic 75 00:03:40.719 --> 00:03:44.599 gets through, super important for security and just managing traffic 76 00:03:44.599 --> 00:03:45.360 flu efficiently. 77 00:03:45.719 --> 00:03:47.599 Okay, So we have these layers. Now let's move from 78 00:03:47.599 --> 00:03:51.840 that structure to how data actually gets well delivered. You 79 00:03:51.879 --> 00:03:55.520 mentioned TCP and UDP before the odd couple. 80 00:03:55.719 --> 00:03:58.240 Huh, yeah, the odd couple of data delivery. It really 81 00:03:58.280 --> 00:04:01.360 is a fundamental choice you have to make when sending information. 82 00:04:02.439 --> 00:04:05.919 Do you need absolute reliability or is speed the name 83 00:04:05.919 --> 00:04:06.319 of the game? 84 00:04:06.439 --> 00:04:07.759 Reliability versus speed? 85 00:04:07.800 --> 00:04:11.840 Okay, So TCP transmiss Control Protocol, that's your reliable messenger. 86 00:04:11.879 --> 00:04:15.879 It's connection oriented, meaning it sets up a formal conversation first. 87 00:04:16.120 --> 00:04:20.639 It uses something called a three way handshake Hello, Hello, okay, 88 00:04:20.759 --> 00:04:21.240 let's talk. 89 00:04:21.399 --> 00:04:23.560 Right, establishes the connection properly. 90 00:04:23.240 --> 00:04:28.800 Exactly, and this ensures data reliability. It guarantees delivery, provides 91 00:04:28.920 --> 00:04:32.000 flow control, so you don't overwhelm the receiver, and even 92 00:04:32.079 --> 00:04:35.240 includes error recovery. If packets get lost along the way, 93 00:04:35.519 --> 00:04:36.600 it'll ask for them again. 94 00:04:36.839 --> 00:04:40.160 So that sounds perfect For things like downloading a big 95 00:04:40.199 --> 00:04:43.240 file or browsing a website, where every single piece of 96 00:04:43.319 --> 00:04:45.160 data really matters. You can't have missing. 97 00:04:44.879 --> 00:04:48.639 Bits precisely, a corrupted file, a half loaded web page. Yeah, 98 00:04:48.759 --> 00:04:51.839 that's no good. Missing packets there would be well disastrous. 99 00:04:51.879 --> 00:04:53.839 Okay, makes sense. So what about the other one, UDP, 100 00:04:54.040 --> 00:04:54.839 the fast post. 101 00:04:54.720 --> 00:04:58.639 Card right, UDP User Datagram Protocol. It's the opposite in 102 00:04:58.680 --> 00:05:02.199 many ways. It's connectionless, so no handshake, no handshake, much 103 00:05:02.240 --> 00:05:05.399 lower overhead. It just sends the data, no guarantees it'll 104 00:05:05.399 --> 00:05:08.839 get there or in what order. That sounds risky it 105 00:05:08.879 --> 00:05:11.360 can be, But the application using it can build in 106 00:05:11.439 --> 00:05:13.600 its own checks like check sums if it needs to 107 00:05:13.680 --> 00:05:16.040 verify integrity. But the key is speed. 108 00:05:16.399 --> 00:05:20.439 Uh so where would that be useful? Where speed beats 109 00:05:20.680 --> 00:05:21.959 perfect reliability? 110 00:05:22.120 --> 00:05:26.560 Think about real time stuff like voiceover IP VoIP calls 111 00:05:26.680 --> 00:05:27.879 or video conferencing. 112 00:05:28.120 --> 00:05:31.079 Okay, yeah, like this call right now? Maybe exactly. 113 00:05:31.639 --> 00:05:33.800 If a few tiny bits of data get lost in 114 00:05:33.839 --> 00:05:36.279 a voice call, you might get a tiny glitch like 115 00:05:36.319 --> 00:05:38.199 a split second dropout. 116 00:05:38.000 --> 00:05:39.839 But the conversation keeps going, right. 117 00:05:40.040 --> 00:05:42.639 The alternative with TCP would be waiting for that lost 118 00:05:42.680 --> 00:05:45.879 packet to be resent, and that would cause noticeable delays 119 00:05:46.079 --> 00:05:51.519 and shoppiness, breaking the real time feel. UDP prioritizes keeping 120 00:05:51.519 --> 00:05:52.240 the flow going. 121 00:05:52.399 --> 00:05:55.279 That makes perfect sense. You accept tiny imperfections for the 122 00:05:55.319 --> 00:05:56.240 sake of immediacy. 123 00:05:56.319 --> 00:05:58.920 Okay, cool, It's all about the application's needs, right. 124 00:05:59.120 --> 00:06:02.279 So, speaking of IP addresses, which you mentioned for layer three, 125 00:06:02.839 --> 00:06:05.079 let's dive a bit deeper there. They're like our network 126 00:06:05.120 --> 00:06:07.560 identity but you said they're public and private ones. 127 00:06:07.839 --> 00:06:11.199 Correct. Think of private IP four addresses as the internal 128 00:06:11.240 --> 00:06:14.480 phone extensions within a large office building, or maybe addresses 129 00:06:14.480 --> 00:06:18.319 inside your internal clubhouse, your home network, a company's internal network. 130 00:06:18.399 --> 00:06:21.199 Okay, not visible from the outside world exactly. 131 00:06:21.560 --> 00:06:25.480 They're crucial for internal communication and importantly, they don't need 132 00:06:25.519 --> 00:06:28.839 to be globally unique. This was a really clever strategy 133 00:06:28.879 --> 00:06:32.160 early on. Why is that because it conserves the limited 134 00:06:32.199 --> 00:06:36.199 pool of public IPv four addresses. Plus devices on these 135 00:06:36.240 --> 00:06:39.040 private networks can chat amongst themselves without even needing an 136 00:06:39.040 --> 00:06:39.720 Internet connection. 137 00:06:39.879 --> 00:06:42.279 Ah, so my laptop talking to my smart speaker at 138 00:06:42.279 --> 00:06:44.480 home using those one undred and ninety two point one 139 00:06:44.560 --> 00:06:45.959 six eight addresses for example. 140 00:06:46.040 --> 00:06:50.240 Precisely those are from specific ranges defined in RFC nineteen eighteen, 141 00:06:50.399 --> 00:06:53.079 like ten taught something one seventy two point one six 142 00:06:53.120 --> 00:06:55.360 through one seventy two point three to one and one 143 00:06:55.439 --> 00:06:58.279 ninety two point one six eight taught something. They're non 144 00:06:58.360 --> 00:06:59.879 ratable on the public Internet. 145 00:07:00.040 --> 00:07:02.360 Clever way to save address space. But we are running 146 00:07:02.360 --> 00:07:04.879 out of IPv four addresses, right, That's where IPv six 147 00:07:04.920 --> 00:07:05.240 comes in. 148 00:07:05.600 --> 00:07:07.920 That's the big driver for IPv six. It's the next 149 00:07:07.959 --> 00:07:11.040 generation designed to solve that address exhaustion problem with a 150 00:07:11.160 --> 00:07:14.480 vastly larger address space, like unimaginably larger. 151 00:07:14.519 --> 00:07:16.319 Wow. And does I have different types of addresses too? 152 00:07:16.399 --> 00:07:18.600 It? Does you have global unicast addresses? Those are your 153 00:07:18.639 --> 00:07:22.800 publicly routable ones like public IPv four and unique local addresses. 154 00:07:22.360 --> 00:07:23.560 Like the private IPv. 155 00:07:23.279 --> 00:07:27.000 Four ones sort of yeah, similar idea for internal use, 156 00:07:27.120 --> 00:07:30.839 not globally routable. They start with FC zero zero point 157 00:07:30.879 --> 00:07:34.240 seven and then link local addresses starting with FE eighty 158 00:07:34.279 --> 00:07:37.319 point ten link local. Yeah. Those are only for communication 159 00:07:37.399 --> 00:07:40.800 on the immediate local network segment, like directly connected neighbors 160 00:07:40.839 --> 00:07:43.839 talking to each other automatically without needing any configuration. 161 00:07:44.000 --> 00:07:48.279 Huh. Interesting, And you mentioned something about tunneling IPv six 162 00:07:48.560 --> 00:07:49.639 over IPv four. 163 00:07:49.759 --> 00:07:52.720 Ah, yeah, six to four tunneling. It's a transition mechanism, 164 00:07:52.920 --> 00:07:55.600 a really smart way to bridge the gap, basically letting 165 00:07:55.639 --> 00:07:59.800 you route IPv six traffic over an existing itv four. 166 00:07:59.759 --> 00:08:02.639 In structure, so you don't have to upgrade everything everywhere, 167 00:08:02.680 --> 00:08:03.240 all at once. 168 00:08:03.439 --> 00:08:06.240 Exactly. It's like building an express lane for the new 169 00:08:06.319 --> 00:08:09.360 IPv six cars on the old ITV four highway smooths. 170 00:08:09.360 --> 00:08:11.959 The transition makes sense. And one more thing about IPv 171 00:08:12.040 --> 00:08:15.000 six when you enable it on an interface, the device 172 00:08:15.079 --> 00:08:18.480 automatically joins certain multicast groups like the All Nodes group 173 00:08:18.560 --> 00:08:20.720 and the All Routers group. Helps it discover things on 174 00:08:20.759 --> 00:08:21.199 the network. 175 00:08:21.240 --> 00:08:23.240 Okay, so it's designed to be a bit more plug 176 00:08:23.240 --> 00:08:24.120 and play in some ways. 177 00:08:24.399 --> 00:08:27.120 In some ways, yes, So we have all these addresses 178 00:08:27.240 --> 00:08:31.319 later two layer three, How do the routers the navigators 179 00:08:31.360 --> 00:08:34.720 actually make sense of this huge digital map and decide 180 00:08:34.720 --> 00:08:35.600 where to send stuff? 181 00:08:35.799 --> 00:08:39.080 Right? That's the network's core. How routers make decisions. They're 182 00:08:39.159 --> 00:08:42.000 constantly looking at their map, which we call a routing. 183 00:08:41.720 --> 00:08:43.120 Table, and what's in that table? 184 00:08:43.240 --> 00:08:46.879 It's got all sorts of vital info the destination network prefix, 185 00:08:47.000 --> 00:08:49.600 the mask, how to get there, the next hop router 186 00:08:50.000 --> 00:08:53.000 usually and some metrics about the path, maybe even a 187 00:08:53.039 --> 00:08:55.200 default route the gateway of last resort. 188 00:08:55.440 --> 00:08:58.480 Okay, but what happens if a router has, say two 189 00:08:58.559 --> 00:09:01.360 or three different ways to get to this same destination network. 190 00:09:01.440 --> 00:09:02.240 How does it choose? 191 00:09:02.440 --> 00:09:06.240 Ah? Good question. There's a very specific decision making hierarchy. 192 00:09:06.559 --> 00:09:07.519 It's not random. 193 00:09:07.600 --> 00:09:08.480 Okay, what's the order? 194 00:09:08.600 --> 00:09:11.720 First? The router prioritizes the longest prefix match. 195 00:09:11.840 --> 00:09:15.519 Longest match meaning the most specific. 196 00:09:15.120 --> 00:09:18.120 Route, exactly like choosing a route based on a full 197 00:09:18.120 --> 00:09:21.840 street address versus just the city name. More specific is better? 198 00:09:21.919 --> 00:09:23.960 Got it makes sense. What if there's a tie two 199 00:09:24.080 --> 00:09:26.039 routes with the same prefix length, then. 200 00:09:25.960 --> 00:09:28.559 It looks at something called administrative distance or AD. 201 00:09:29.080 --> 00:09:31.759 Administrative distance sounds official? 202 00:09:32.039 --> 00:09:34.759 It kind it is. It's basically a trust score that 203 00:09:34.799 --> 00:09:38.600 network admins assigned to routes learn from different riding protocols. 204 00:09:38.679 --> 00:09:41.960 AH. So it's about trusting one source of information over another. 205 00:09:42.080 --> 00:09:45.840 Precisely, a lower AD is preferred, it's considered more trustworthy. 206 00:09:45.919 --> 00:09:49.519 For example, a route learned via EIGRP usually has an 207 00:09:49.559 --> 00:09:53.240 ed of ninety while OSPF is UNDERD ten. So the 208 00:09:53.320 --> 00:09:57.080 router would generally prefer the EIGRP route if both protocols 209 00:09:57.120 --> 00:09:58.480 offered a path to the same place. 210 00:09:58.759 --> 00:10:01.519 Interesting, so longest my UCH first, then lowest AD. What 211 00:10:01.559 --> 00:10:03.960 if it's still a tie, same prefix, same AD. 212 00:10:04.240 --> 00:10:07.320 Then finally it looks at the routing protocol's own metric. 213 00:10:07.600 --> 00:10:09.879 That's the protocols calculation of the cost the path may 214 00:10:09.919 --> 00:10:12.879 be based on bandwidth delay things like that lower metric. 215 00:10:12.639 --> 00:10:17.000 Wins longest match AD than metric. Okay, that's a clear hierarchy. 216 00:10:17.120 --> 00:10:20.320 Yeah. It ensures predictable and optimal routing. And speaking of 217 00:10:20.360 --> 00:10:23.759 reliable routing, this all connects to making sure there's no 218 00:10:23.879 --> 00:10:27.240 single point of failure, right, especially for devices trying to 219 00:10:27.320 --> 00:10:28.480 leave their local network. 220 00:10:28.759 --> 00:10:33.000 Absolutely, you need redundancy for that default gateway. That's where 221 00:10:33.120 --> 00:10:37.720 first top redundancy protocols or fhrps come in. Things like HSRP, 222 00:10:38.080 --> 00:10:39.919 VRP GLBP. 223 00:10:39.799 --> 00:10:43.480 HSRP hot standby router protocol. That's a Cisco one, isn't it. 224 00:10:43.480 --> 00:10:47.320 It is, Yeah, Cisco proprietary. It uses an active standby model. 225 00:10:47.799 --> 00:10:51.720 Multiple routers share a virtual IP and a virtual MC address, 226 00:10:52.039 --> 00:10:54.399 but only one is actively forwarding traffic at. 227 00:10:54.360 --> 00:10:56.159 Any time, and the others just wait. 228 00:10:56.279 --> 00:10:58.440 They will wait, ready to take over instantly if the 229 00:10:58.440 --> 00:11:02.759 active one fails. There's often setting called preempt too. Preempt Yeah, 230 00:11:02.960 --> 00:11:05.440 it ensures that if the router with the highest priority 231 00:11:05.440 --> 00:11:08.679 comes back online after failing, it takes back the active 232 00:11:08.759 --> 00:11:11.440 role from a lower priority router that might have taken 233 00:11:11.440 --> 00:11:12.279 over temporarily. 234 00:11:12.399 --> 00:11:15.320 Ah. So it forces the best router to always be 235 00:11:15.399 --> 00:11:17.320 in charge when available exactly. 236 00:11:17.600 --> 00:11:20.679 This isn't just about basic availability. It's about ensuring high 237 00:11:20.720 --> 00:11:24.000 availability and eliminating that single point of failure that could 238 00:11:24.000 --> 00:11:26.759 stop everyone from reaching the Internet. For example, it makes 239 00:11:26.759 --> 00:11:27.799 fail over seamless. 240 00:11:28.039 --> 00:11:31.840 That is a huge benefit, makes a network much more resilient. Okay, 241 00:11:31.840 --> 00:11:34.919 so we've got the core routing down. Let's shift gears 242 00:11:34.919 --> 00:11:38.600 to building resilient and secure networks, starting with something we 243 00:11:38.639 --> 00:11:42.440 all use constantly wireless the Wi fi world. 244 00:11:42.559 --> 00:11:45.639 Ah. Yes, the airwaves, and one of the biggest headaches, 245 00:11:45.759 --> 00:11:48.559 especially in the older two point four gearhart span, is 246 00:11:48.960 --> 00:11:51.639 avoiding digital noise right interference. 247 00:11:51.799 --> 00:11:53.840 Yeah, like when your WiFi slows to a crawl because 248 00:11:53.840 --> 00:11:55.240 everyone nearby is using the same. 249 00:11:55.159 --> 00:11:59.600 Channel exactly, co channel congestion. The best practice, especially for 250 00:11:59.600 --> 00:12:03.240 two points for gigahertz is absolutely to use different non 251 00:12:03.279 --> 00:12:07.360 overlapping channels for nearby access points. Think channels one, six, 252 00:12:07.399 --> 00:12:07.919 and eleven. 253 00:12:08.080 --> 00:12:10.320 Right, those specific three don't interfere with each other. 254 00:12:10.399 --> 00:12:13.840 Correct. Spacing them out physically and using those channels drastically 255 00:12:13.840 --> 00:12:16.559 reduces interference and improves performance for everyone. 256 00:12:16.799 --> 00:12:20.480 Okay, simple but crucial. But what about larger places like 257 00:12:20.519 --> 00:12:23.480 an office building or a campus with tons of access points? Yeah, 258 00:12:23.559 --> 00:12:25.600 managing them individually sounds awful. 259 00:12:25.720 --> 00:12:28.000 It would be a nightmare. That's why we have wireless 260 00:12:28.039 --> 00:12:31.399 land controllers or wlc's. They act as a central brain 261 00:12:31.480 --> 00:12:32.559 for the wireless. 262 00:12:32.120 --> 00:12:33.879 Network, centralized command and control. 263 00:12:34.080 --> 00:12:39.159 Precisely, the WLC manages potentially hundreds or thousands of access points, 264 00:12:39.200 --> 00:12:45.399 pushing out configurations, handling, roaming, security, everything. It massively simplifies management. 265 00:12:45.440 --> 00:12:46.480 And they have smart features too. 266 00:12:46.639 --> 00:12:50.159 Oh yeah, things like band select or common. The WLC 267 00:12:50.240 --> 00:12:53.759 can actively encourage devices that support five gigaherts to connect 268 00:12:53.759 --> 00:12:55.919 to that band instead of the more crowded two point 269 00:12:55.960 --> 00:12:56.679 four gigaherds. 270 00:12:56.759 --> 00:13:00.120 Pushing clients to the faster, less congested lanes. 271 00:13:00.120 --> 00:13:03.440 Got it better performance. And there's also a cool feature 272 00:13:03.440 --> 00:13:05.159 called flex connect ap mode. 273 00:13:05.320 --> 00:13:06.440 Flex connection Yeah. 274 00:13:06.240 --> 00:13:09.120 Imagine an access point in a remote branch office connected 275 00:13:09.159 --> 00:13:12.320 back to a central WLC. If that connection to the 276 00:13:12.399 --> 00:13:16.080 WLC drops, a flex connect AP can actually keep serving 277 00:13:16.120 --> 00:13:20.039 its locally connected wireless clients, switching their traffic right onto 278 00:13:20.080 --> 00:13:21.240 the local wired network. 279 00:13:21.360 --> 00:13:23.679 Oh wow, so the local Wi Fi keeps working even 280 00:13:23.720 --> 00:13:27.120 if the main controller link is down. It's huge for resilience. 281 00:13:27.200 --> 00:13:31.240 It really is insure seamless connectivity locally. Now, speaking of wireless, 282 00:13:31.559 --> 00:13:35.240 security is obviously paramount. We've moved beyond wp thankfully hopefully. 283 00:13:35.320 --> 00:13:39.120 Yeah. So WPA two using PSK, the pre shared key, 284 00:13:40.320 --> 00:13:41.720 the strongest encryption there. 285 00:13:41.960 --> 00:13:44.799 For WPA two PSK you definitely want to be using 286 00:13:44.840 --> 00:13:48.960 as encryption. That's the standard. But the real enhancement now 287 00:13:49.080 --> 00:13:50.639 is WPA three. 288 00:13:50.679 --> 00:13:52.279 WPA three, what's the big deal there? 289 00:13:52.399 --> 00:13:56.200 It significantly steps up security. It uses something called SAE 290 00:13:56.559 --> 00:13:58.759 Simultaneous authentication. 291 00:13:58.159 --> 00:14:00.279 Of equals EA ease. 292 00:14:00.360 --> 00:14:04.399 Yeah, it provides much stronger protection against offline dictionary attacks 293 00:14:04.440 --> 00:14:07.200 people trying to guess your Wi Fi password, and it 294 00:14:07.279 --> 00:14:11.480 also provides individualized data encryption even on open networks. 295 00:14:11.600 --> 00:14:14.120 So safer connections, especially on public Wi Fi. 296 00:14:14.279 --> 00:14:17.360 Much safer. It's a big leap forward and wireless security 297 00:14:17.440 --> 00:14:19.720 is just one piece of the puzzle. Right, we need 298 00:14:19.720 --> 00:14:22.720 to think about guarding the gates across the entire network. 299 00:14:22.799 --> 00:14:26.440 Absolutely, network security essentials. Where do we start? Maybe with 300 00:14:26.600 --> 00:14:28.320 who's allowed on the network in the first place. 301 00:14:28.399 --> 00:14:32.600 That's the perfect starting point. Triple A, Authentication, authorization. 302 00:14:32.240 --> 00:14:34.120 And accounting the three pillars. 303 00:14:34.200 --> 00:14:37.879 The three pillars. Indeed, authentication is about verifying who you are, 304 00:14:38.519 --> 00:14:40.759 use your name, password, maybe. 305 00:14:40.679 --> 00:14:42.320 MFA okay, proving identity. 306 00:14:42.480 --> 00:14:45.559 Authorization is about what you're allowed to do once you're authenticated, 307 00:14:45.679 --> 00:14:48.320 Which resources can you access, what commands can you run? 308 00:14:48.559 --> 00:14:52.919 Defining permissions and accounting is about tracking what you did logging, 309 00:14:52.960 --> 00:14:57.559 access commands, run resources used crucial for auditing and troubleshooting. 310 00:14:57.679 --> 00:15:00.559 Got it often off ze AP, and. 311 00:15:00.559 --> 00:15:04.000 There are protocols for this, like Radius and TACAX plus ACT. 312 00:15:04.399 --> 00:15:06.879 A key difference people should know is that tac ass 313 00:15:06.879 --> 00:15:10.799 plus ACT, which is often used for device administration, separates 314 00:15:10.840 --> 00:15:13.559 the authentication and authorization. 315 00:15:13.080 --> 00:15:15.320 Steps, unlike Radius right. 316 00:15:15.399 --> 00:15:19.240 Radius tends to combine them. That separation in TACAX plus 317 00:15:19.320 --> 00:15:23.039 allows for much more granular control over exactly what authenticated 318 00:15:23.120 --> 00:15:24.480 users are authorized to do. 319 00:15:24.759 --> 00:15:28.240 Interesting distinction, okay, beyond user access what's the main network 320 00:15:28.279 --> 00:15:29.799 gatekeeper the firewall? 321 00:15:30.120 --> 00:15:33.279 The firewall absolutely think of it as the network's bouncer, 322 00:15:33.360 --> 00:15:34.360 standing at the main. 323 00:15:34.279 --> 00:15:36.039 Door, controlling what gets in. 324 00:15:36.039 --> 00:15:39.679 And out exactly. Its primary role is controlling which packets 325 00:15:39.679 --> 00:15:43.480 can cross between different security zones, typically between an untrusted 326 00:15:43.480 --> 00:15:46.399 network like the Internet and your trusted internal network. 327 00:15:46.480 --> 00:15:48.759 And modern firewalls are pretty smart about it, right. They 328 00:15:48.759 --> 00:15:50.679 don't just look at addresses. 329 00:15:50.120 --> 00:15:53.559 Not at all. They perform stateful inspection. They keep track 330 00:15:53.600 --> 00:15:55.639 of active connection stateful. 331 00:15:55.399 --> 00:15:58.360 Meaning they understand the context of the traffic. If you 332 00:15:58.440 --> 00:16:02.080 initiated a connection outward words to a website, the firewall 333 00:16:02.200 --> 00:16:05.559 knows to expect the return traffic for that specific conversation 334 00:16:05.879 --> 00:16:08.600 and allows it back in. It's not just looking at 335 00:16:08.600 --> 00:16:10.120 individual packets in isolation. 336 00:16:10.399 --> 00:16:12.879 Ah, like the bouncer remembering who went out for a 337 00:16:12.919 --> 00:16:14.159 smoke break and letting them. 338 00:16:14.080 --> 00:16:16.519 Back in exactly like that. It makes decisions based on 339 00:16:16.559 --> 00:16:19.360 the state of the conversation. Much more secure than older 340 00:16:19.559 --> 00:16:20.639 stateless firewalls. 341 00:16:20.720 --> 00:16:25.159 Okay, firewalls are critical, but what about security inside the 342 00:16:25.159 --> 00:16:29.600 local network on the switches themselves. Layer two security. 343 00:16:29.320 --> 00:16:33.240 Very important area often overlooked. There are several key features 344 00:16:33.360 --> 00:16:36.399 switches can implement. One is DHCP. 345 00:16:35.879 --> 00:16:38.759 Snooping DHCP snooping with that snooping on. 346 00:16:39.039 --> 00:16:42.720 It's watching the DHCP conversation the processed devices used to 347 00:16:42.720 --> 00:16:46.120 get an IP address automatically. It filters out malicious or 348 00:16:46.159 --> 00:16:49.600 abnormal DHCP messages like someone trying to set up a 349 00:16:49.679 --> 00:16:53.039 robe DHCP server to hijack traffic. It builds a table 350 00:16:53.080 --> 00:16:55.879 of legitimate IP to MBAG address. 351 00:16:55.480 --> 00:16:58.080 Bindings okay, prevents DHCP shenanigans. 352 00:16:58.080 --> 00:17:01.720 What else Dynamic ARP inspection or DAI. This uses the 353 00:17:01.720 --> 00:17:04.720 information gathered by DHCP snooping ARP. 354 00:17:05.079 --> 00:17:09.920 The address resolution protocol maps IPS to max. DAI checks 355 00:17:10.200 --> 00:17:15.319 ARP packets against that trusted DHCP snooping binding table. If 356 00:17:15.359 --> 00:17:18.000 an ARP packet comes in claiming an IP belongs to 357 00:17:18.039 --> 00:17:21.839 a MAC address that doesn't match the table, DAI drops it. 358 00:17:22.119 --> 00:17:24.599 Ah. So it stops attackers from pretending to be the 359 00:17:24.640 --> 00:17:28.160 gateway or another device man in the middle attacks exactly. 360 00:17:28.319 --> 00:17:32.680 It significantly reduces the risk of those specific layer two attacks. 361 00:17:32.720 --> 00:17:34.000 And then there's port security. 362 00:17:34.079 --> 00:17:37.640 Port security sounds straightforward, securing the switch port pretty much. 363 00:17:37.680 --> 00:17:40.759 It lets you limit the number of ASSE addresses allowed 364 00:17:40.759 --> 00:17:43.519 to connect to a specific switchport. You could say only 365 00:17:43.559 --> 00:17:46.039 a lie one device on this port or maybe allowed to, 366 00:17:46.240 --> 00:17:49.640 or even specify the exact APCI addresses allowed and. 367 00:17:49.720 --> 00:17:52.400 What happens if someone violates that plugs in an extra device. 368 00:17:52.559 --> 00:17:55.759 You can configure different violation modes. Shut Down just disables 369 00:17:55.759 --> 00:17:58.559 a port, restrict drops the violating traffic, but keeps the 370 00:17:58.559 --> 00:18:01.039 port up and sends an alert maybe a SNMP trap 371 00:18:01.119 --> 00:18:03.039 notification and increment's accounter. 372 00:18:03.240 --> 00:18:05.519 So you have options on how strictly to enforce it. 373 00:18:05.680 --> 00:18:08.799 Right and a basic but crucial step for unused ports 374 00:18:09.200 --> 00:18:11.599 to shut them down administratively and maybe assign them to 375 00:18:11.640 --> 00:18:13.960 an unused villain. Don't leave open doors. 376 00:18:14.039 --> 00:18:19.119 Good practice, yeah, simple but effective. Now circling back to 377 00:18:19.200 --> 00:18:22.759 users for a moment. Passwords alone aren't enough anymore, are they. 378 00:18:22.960 --> 00:18:26.400 Multi factor authentication MFA absolutely critical. 379 00:18:26.559 --> 00:18:28.920 MFA is huge. It requires more than one type of 380 00:18:28.960 --> 00:18:31.920 credential light something you know, password is something you have 381 00:18:32.240 --> 00:18:35.119 like a phone app notification, a hardwor token, or something 382 00:18:35.160 --> 00:18:38.920 you are biometrics like fingerprint. Using at least two of 383 00:18:38.960 --> 00:18:42.000 those drastically increases security, because. 384 00:18:41.720 --> 00:18:44.000 Even if someone steals your password. 385 00:18:43.559 --> 00:18:46.160 They still can't log in without that second factor, like 386 00:18:46.200 --> 00:18:49.720 the code from your phone. It massively reduces the risk 387 00:18:49.759 --> 00:18:52.920 of account compromise. It's becoming standard practice for a reason. 388 00:18:53.039 --> 00:18:56.039 Definitely seems worth a slight extra effort and one more 389 00:18:56.079 --> 00:19:00.720 security piece. VPNs for secure connections. 390 00:19:00.880 --> 00:19:05.279 Yes, virtual private networks essential for secure remote access or 391 00:19:05.319 --> 00:19:08.640 connecting different office sites securely over an untrusted network like 392 00:19:08.680 --> 00:19:09.200 the Internet. 393 00:19:09.319 --> 00:19:11.480 How do they work? Basically, they create. 394 00:19:11.200 --> 00:19:15.039 A secure encrypted tunnel. All the data traveling between your 395 00:19:15.160 --> 00:19:18.160 device or office and the VPN endpoint on the other 396 00:19:18.200 --> 00:19:18.599 side is. 397 00:19:18.640 --> 00:19:23.799 Encrypted, so even if someone intercepts the traffic on the public. 398 00:19:23.480 --> 00:19:27.480 Internet, they just see scrambled data. VPNs protect both the privacy, 399 00:19:27.759 --> 00:19:31.480 confidentiality and the integrity. Making sure data isn't tampered with 400 00:19:31.880 --> 00:19:33.960 of your connection super important. 401 00:19:34.079 --> 00:19:37.000