Access control lists.

In this lesson, we're going to discuss how we can best secure our network using access control lists, firewall rule sets, and how to configure role-based access. Now, an access control list, or ACL, is a list of permissions associated with a given system or network resource. An ACL can be applied to any packet filtering device such as a router, a Layer 3 switch, or a firewall. In an ACL, you're going to have a list of rules that are being applied based on an IP address, a port, or an application, depending on the type of device you're applying this ACL onto.

Now, as the access control list is being processed by the device, it's going to start at the top of the list and work through each line until it reaches the end of that list. So we're going to work from top to bottom. Therefore, you always want to make sure your most specific rules are at the top and your most generic rules are at the bottom. For example, let's pretend I had an access control list as I'm working as a bouncer at a nightclub.
Now at the top of the list, I might have something very specific, like somebody's name, John Smith. He came in last week and he caused all sorts of trouble, so John Smith cannot come in the club. Now as I move down the list, I may get to something more generic. So I might get to something that says anybody whose driver's license says they live in Montana, because I'm running a club in Florida. If that was the case, I might want to block that because maybe we had a lot of people coming with fake IDs from Montana, so we're not going to accept those anymore. Now as we get to the end of that list, we might see something very generic, something like, no men allowed. Maybe this is a women-only club. Now, this is a pretty generic rule, right? 'Cause half of the people on the planet are men. So this is a very generic way of saying things. So as we go from the top to the bottom, we go from very specific to more general to the most general. Now, the same thing happens in our networks.
If I'm going to create a rule to block SSH for a single computer based on its IP address, that's going to be towards the top of my list. If I want to block any IP address that's using port 110, that's going to be a bit more generic, so it'll be somewhere in the middle. Finally, if I want to block any IP going to any port, that is going to be something that is really generic and it should be at the end of my list.

So, let's talk about some things that we may want to block using our ACLs in order to help secure our networks better. Now first, we want to make sure we're blocking incoming requests from internal or private loopback addresses or multicast IP ranges or experimental ranges if we have something that's coming from outside of the network going into our network. So, if you have something that says it's coming from 192.168 dot something dot something, and it's coming from the internet interface, well, that's a non-routable IP and it shouldn't be coming from there. So you should be blocking that.
That should never be allowed to come into your network from the internet because usually it's an attacker trying to spoof their IP. Similarly, if you start seeing source IP addresses coming from areas that are reserved for things like loopback or experimental IP ranges, those things should also be blocked immediately.

Second, you want to block incoming requests from protocols that should only be used locally. For example, if you have ICMP, DHCP, OSPF, SMB, and other things like that, you want to block those at the firewall as things try to enter your network. Now if you have something like Windows file sharing for instance, which operates over SMB, that should not be happening over the internet. That is something that should happen inside the local network only. So again, you should be blocking that at the firewall at the border of your network. If somebody has a VPN and they're working from home, they'll be able to tunnel through your firewall, access the local network, and then use SMB that way. But they shouldn't be using it straight from their home over the internet to your network.
They should only do it through a VPN.

Now, the third thing you want to consider is how you want to configure IPv6. Now, I recommend you either configure IPv6 to block all IPv6 traffic, or you allow it only to authorized hosts and ports if you're using IPv6 in your network. The reason for this is because a lot of hosts will run dual-stack TCP/IP implementations with IPv6 enabled by default. And if you're not aware of that, you're going to be having a lot of these things open and you're letting people have unfettered access to your network. A lot of organizations are still running IPv4 only, and if they're doing that, they definitely need to turn off IPv6 on those hosts, and they need to configure their firewall to block it. If you don't do this, you could have a misconfiguration that could allow adversaries unfiltered access into your networks by using that IPv6 IP address area, because a lot of administrators simply haven't locked down IPv6 well enough yet. So, keep this in mind as you're doing your configurations on your firewalls and your access control lists.
Alright, now that we have some basic rules out of the way, let's take a look at an access control list and walk through it together. Now this one is an example from a Cisco firewall. But that really doesn't matter for this exam, because when we're talking about CompTIA exams, they're device agnostic. This could have come from a router, it could have come from a firewall, it could have come from Cisco or Juniper or Brocade, it really doesn't matter. The point is, I want you to be able to read a basic firewall like this and understand it because that will make sure you're doing well on the exam.

So, let's start out with the first line, ip access-list extended From-DMZ. This just says that this is an access list, and in this case I'm using it for my DMZ. The second line is a comment or remark line. This is going to tell you what this section is about. Basically it's saying that we're going to have responses to HTTP requests and that we're going to get a bunch of permit statements here.
Now, as we go through these permit statements, we're going to look at them one at a time, and it's going to tell us which things are being permitted or denied. Now, when we see the word permit, that means we're going to allow something. In this case, we're going to allow TCP traffic. So we have permit tcp, and then we have the IP address that's going to be associated with it. In this case, we're going to permit TCP traffic coming from the IP address, 10.0.2.0. The next thing we have is going to be our wildcard mask, which acts like a subnet mask. Now, this looks a little funny because it's a wildcard mask and it's technically a reverse wildcard, and it's written as 0.0.0.255. So, if you want to read this as a subnet mask, you actually have to convert it and essentially you're going to make it 255.255.255.0. This is a Cisco thing. When you see the zero in the reverse wildcard, treat that as a 255. If you see a 255, treat it as a zero. Don't let this get you confused.
Essentially, what we're saying here is that we're permitting TCP traffic from any IP that is 10.0.2.something because this is the 10.0.2.0 network, and it has 256 possible IPs that we're going to use here. Anything in this IP range will be permitted under this rule. The next part you see is eq, which stands for equal. So, the IP address has whatever is beyond this equal sign, and that's going to be allowed. In this case, we're equaling www. Now what does that mean? It means port 80. www is Cisco's way of saying this is web traffic. Somebody can make a request over port 80 and we're going to allow it. Next, we have the part that says any, and this says that we're going to be going to any IP address as our destination. So we can go to any web server of the world over port 80 and we're going to allow it. This will allow us to make an established connection there and then start traffic. So anytime we want to make an established connection from 10.0.2.something to some website over port 80, we're going to allow that using TCP. Essentially, that's what we're saying.
People can go out and access a website from our DMZ out to the internet. And this is all we're saying with this particular line.

Now, as you go through and you read all these different lines in the ACL, you can start figuring out what is permitted and what is denied. In this case, everything shown here is permitted because we're doing explicit allow permissions. What we're saying is, yes, all these things are allowed, permit them from this IP and this port going to that IP and that port. But as we go through to the bottom of this list, you'll see one statement that looks a little different. It says deny ip any any. Now this is what's known as an implicit deny. This says that anything that is not already allowed above in my ACL rule set is something we're just going to deny by default. So if we get down this list and you see things like www, 443, echo-reply, domain, these are all things that we're allowing. And then, when I talk about domain here, I'm not really talking about domain in general, but we're talking about DNS as a service, because this is the way Cisco talks about DNS services.
When they say domain, we are really talking about equaling port 53. So, in this case everything you see listed here is all these different permit statements that are going to allow traffic from our DMZ to the internet. The DMZ can go out and get web traffic over port 80 or port 443. It can reply to echo requests, which is ICMP. It can use port 53, which is domain over UDP and TCP. These are all things that we're going to be allowed to do from this DMZ. But when I get down to that last statement, if any of those things didn't happen, we're going to deny it. So for example, if somebody tries to go to port 21 and access FTP, we're going to reach that deny ip any any statement, and it's going to be blocked. This is because that statement will deny any IP going from any IP to any IP. It's only going to allow things that are being permitted explicitly listed in this list, and everything else is going to be blocked. This is a good way of doing your security.

Now, we just mentioned the concept of explicit allow, but we can also have firewall rules that will use explicit deny or implicit deny.
Now when you have an explicit deny statement, you're creating a rule to block some kind of matching traffic. In this example I showed you, we didn't have any explicit deny statements, but they would look exactly the same as our permit statements, except we would change the word permit to deny. Now, this allows us to go from an explicit allow to an explicit deny. So, let's say I wanted to block traffic going to the IP address of 8.8.8.8. I could create a rule that says deny ip 8.8.8.8 0.0.0.0 any any, and it's going to block all ports and all protocols going to the IP address of 8.8.8.8. Now, notice my reverse wildcard mask there was 0.0.0.0, which tells me I only want to match this IP, not a whole network, just the IP of 8.8.8.8. On the other hand, I could also use an implicit deny, which blocks traffic to anything not explicitly specified. In the example ACL I showed you, that last statement had that implicit deny.
Basically, anything not already explicitly allowed by an allow statement is going to get blocked because we had that deny ip any any statement as the last statement at the end of our ACL.

Finally, we need to talk about role-based access. Role-based access allows you to define the privileges and responsibilities of administrative users who control your firewalls and their ACLs. With role-based access, we put different accounts into groups based on their roles or job functions. Then, based on those roles, we're going to assign permissions to which devices they can configure and modify. So for example, if I'm responsible for updating and configuring the border gateway or firewall for the network, I would get access to add things to the ACL that would open or restrict communication between the internet and the internal network. On the other hand, if I'm just a switch technician who's responsible for adding and removing users when they're assigned to a new office, my role would not allow me to modify a Layer 3 switch's ACLs, but instead would only allow me to shut down or re-enable switch ports and configure port security.