Fundamental Router Security Concepts

Access Control Lists

  • How do you configure a time-based ACL?
    • time-range TIMER
         periodic weekdays 8:00 to 16:30
      access-list 100 permit tcp any host  eq 80 time-range TIMER
      interface Fa0/0
         ip access-group 100 in
    • You can set “periodic” or “absolute” time.
  • What problem might occur when configuring an IPv6 ACL with, e.g., OSPF?
    • The traffic filter needs to permit the link-local addresses, or else the OSPFv3 neighborship will fail.

Management Plane Security

  • How do you configure SSH?
    • hostname name
      ip domain-name name
      username name privilege 15 secret password
      crypto key generate rsa modulus size-of-modulus
      line vty number
       transport input ssh
       login local
  • What is the “enable secret password“? How is it encrypted?
    • It is used to give the engineer full access on a router. The password appears in a router’s running config as a SHA-256 hash value.
    • In the running config “enable secret 4 … ” means SHA-256 and “enable secret 5 …” means MD5 hash (which is not as secure). Later IOS releases also offer type 8 (PBKDF2-SHA-256) and type 9 (scrypt) secrets, which should be preferred where available.
  • In case both “enable password pass” and “enable secret pass” are configured, which one will be used? Why?
    • You will be prompted for the enable secret password. The “enable password” command only still exists for backward compatibility.
  • What is the difference between the following 2 commands?
      username paul privilege 15 secret cisco
      username david secret cisco

    • When paul logs in to the router he will be in privileged mode. David needs to use the “enable” command to reach privileged mode.
  • What needs to be known about line passwords? How do you configure them?
    • They are stored in clear text by default. When “service password-encryption” is enabled they are obfuscated using Type 7 encryption, which can be easily decrypted.
    • line console 0
         password cisco
  • What are the login states under lines?
    • no login = does not ask for a password, simply lets you in
    • login = uses the password configured on the line
    • login local = asks for configured username/password
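As an added example (not from the original notes and not IOS code), a small Python audit that scans a constructed running-config excerpt for the weak management-plane settings covered above: a legacy enable password, an MD5 (type 5) enable secret, reversible Type 7 passwords, clear-text line passwords, “no login”, and Telnet left on VTY lines. The config text and secret values are made up for the example.

```python
import re

# Constructed running-config excerpt (not from a real device); every
# hash and password below is a throwaway sample value.
SAMPLE_CONFIG = """\
hostname R1
enable secret 5 $1$abcd$EXAMPLEMD5HASH
enable password cisco
username paul privilege 15 secret 4 EXAMPLESHA256HASH
username david password 7 0822455D0A16
line con 0
 password 7 094F471A1A0A
 login
line vty 0 4
 password cisco
 no login
 transport input telnet ssh
"""

# pattern -> finding text; patterns are matched per config line
FINDINGS = {
    r"^enable password ": "legacy 'enable password' present; remove it and rely on 'enable secret'",
    r"^enable secret 5 ": "enable secret type 5 is MD5; use a stronger secret type",
    r"password 7 ": "type 7 password is reversible; use 'secret' for users and 'login local' on lines",
    r"^\s+password (?!7 )\S+": "clear-text line password",
    r"^\s+no login": "line allows access without any password",
    r"^\s+login$": "line relies on the line password; prefer 'login local' with per-user accounts",
    r"transport input .*telnet": "Telnet enabled on VTY lines; restrict to 'transport input ssh'",
}

def audit_config(config_text):
    """Return a list of (line_number, config_line, finding) for weak settings."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for pattern, message in FINDINGS.items():
            if re.search(pattern, line):
                findings.append((lineno, line.strip(), message))
    return findings

if __name__ == "__main__":
    for lineno, line, message in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {line!r}: {message}")
```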
  • What is uRPF?
    • Unicast Reverse Path Forwarding can help block packets carrying a spoofed source IP address. uRPF checks the source IP of a packet arriving on an interface and determines whether that address is reachable based on the FIB. (It checks incoming packets only.)
  • What modes does uRPF have?
    • Strict (rx): Source IP address must be reachable (based on the FIB) and the reply must leave on the interface where the original packet arrived.
    • Loose (any): Source IP address must be reachable (based on the FIB) via any interface.
    • VRF: Like Loose mode, but overlapping IP addresses can be used because the check is done per VRF.
  • What are the dangers of Strict uRPF?
    • In case of asymmetric routing, legitimate packets will be dropped because the return path does not use the arrival interface.
  • What if there is no exact match for the source IP in the FIB?
    • By default uRPF will drop the packet.
    • If “allow-default” is enabled, a source matched only by the default route is accepted and the packet is forwarded.
    • An ACL can be added to the uRPF command, so when the FIB-based uRPF check fails the router checks whether the source IP is permitted by the ACL.
  • How do you configure uRPF?
    • interface Fa1/0
         ip address
         ip verify unicast source reachable-via rx
      interface Serial2/0
         ip address
         ip verify unicast source reachable-via any allow-default
    • rx = Strict mode – source is reachable via interface on which packet was received
      any = Loose mode – source is reachable via any interface
      allow-default  = default route can match an IP
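The following Python model is added here as an illustration; it is not part of the original notes or of IOS. It walks the uRPF decisions described above (rx, any, allow-default and the fallback ACL) over a constructed FIB, so the asymmetric-routing drop of Strict mode can be seen directly. The FIB entries, interface names and addresses are made up for the example.

```python
import ipaddress

# Constructed FIB: (prefix, outgoing interface). The 0.0.0.0/0 entry is
# the default route; interface names mirror the configuration above.
FIB = [
    (ipaddress.ip_network("10.1.0.0/16"), "Fa1/0"),
    (ipaddress.ip_network("10.2.0.0/16"), "Serial2/0"),
    (ipaddress.ip_network("0.0.0.0/0"), "Serial2/0"),
]

def fib_lookup(src_ip, fib):
    """Longest-prefix match; returns (prefix, interface) or None."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in fib:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best

def urpf_check(src_ip, in_iface, mode, fib=FIB, allow_default=False, acl=None):
    """Model 'ip verify unicast source reachable-via <mode> [allow-default] [acl]'.
    mode is 'rx' (Strict) or 'any' (Loose); acl is an optional set of source
    addresses permitted when the FIB check fails. Returns True if the packet passes."""
    match = fib_lookup(src_ip, fib)
    passed = False
    if match is not None:
        prefix, out_iface = match
        if prefix.prefixlen == 0 and not allow_default:
            passed = False                 # only the default route matched: fail
        elif mode == "any":
            passed = True                  # Loose: reachable via any interface is enough
        else:
            passed = (out_iface == in_iface)  # Strict: reply must leave via arrival interface
    if not passed and acl is not None:
        passed = src_ip in acl             # fallback ACL consulted only after the FIB check fails
    return passed
```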
  • How do you verify whether uRPF is enabled on an interface?
    • show cef interface interface-id
  • What is the meaning of AAA?
    • Authentication: This service checks the user’s credentials. Login
    • Authorization: This service determines what the user is allowed to do.
    • Accounting: This service collects and stores information about a user: logins, commands used, etc.
  • How do you configure AAA for authenticating remote logins?
    • aaa new-model    ! enables AAA
      aaa authentication login ADMIN group tacacs+ local
      username kevin secret cisco
      tacacs server CISCO-ACS
        address ipv4
        key cisco
      line vty 0 4
        login authentication ADMIN
    • The second line defines the method list named ADMIN, which attempts to perform authentication through a TACACS+ server. If the TACACS+ server is unreachable, the local keyword allows the device to perform authentication using the local user database (kevin).
  • How do you configure AAA fallback?
    • You can use the “local” parameter on the AAA command. If the TACACS server is not reachable the router will use local authentication.
  • What are the main differences between TACACS+ and RADIUS?
    • TACACS+
      • TCP port 49
      • supports 15 privilege levels
      • encrypts the entire body of the packet
      • basic accounting features
      • Cisco proprietary
      • heavy-weight protocol consuming more resources
      • mainly used for device administration
      • separates authentication and authorization
    • RADIUS
      • UDP port 1812
      • robust accounting features
      • encrypts only the password
      • combines the authentication and authorization functions
  • How do you configure IOS local AAA?


  • What is an SNMP Manager?
    • The manager runs a network management application. It is sometimes referred to as the NMS.
  • What is an SNMP Agent?
    • A piece of software which runs on the managed device.
  • What is the MIB?
    • Management Information Base: Information about the device’s resources and activity is defined by a series of objects.
  • What type of SNMP messages do you know?
    • GET: Retrieves information from a managed device.
    • SET: Sets a variable in a managed device or triggers an action on it.
    • Trap: The managed device sends a message to an NMS which can notify the SNMP manager about an event.
  • What kind of security exists on SNMPv1 and SNMPv2?
    • They use a community string to gain read-only or read-write access. This is considered weak.
  • How do you configure SNMPv2?
    • snmp-server community DRIZZT ro 10
      snmp-server community GERALT rw 10
      access-list 10 permit host
  • What is the difference between SNMP traps and informs?
    • TRAP: send a notification to the manager that something happened
    • INFORM: sends a trap and waits for an acknowledgement from the manager. It keeps resending until an acknowledgement is received.
  • How do you configure SNMPv3?
    • ip access-list standard SNMPV3-ACL
      snmp-server view OPS sysUpTime included
      snmp-server view OPS ifOperStatus included
      snmp-server group MY-GROUP v3 priv read OPS write OPS access SNMPV3-ACL
      snmp-server user ADMIN MY-GROUP v3 auth sha SNMP-Secret1 priv aes 256 SNMP-Secret2
      snmp-server enable traps
      snmp-server host traps version 3 priv ADMIN cpu
      snmp-server ifindex persist
  • What type of security models exist (SNMP)?
    • noAuthNoPriv: (no authentication, no privacy) This level uses a username for authentication but no encryption
    • authNoPriv: Authentication using Hash Message Authentication Code (HMAC) with MD5 or SHA-1. No encryption.
    • authPriv: HMAC authentication with encryption
  • What if there is no read view defined? What if there is no write view defined?
    • When no read view: everything is readable
    • When no write view: nothing can be modified
  • What is the function of the snmp-server manager command?
    • To enable the device to send and receive SNMP requests and responses.


  • What is a stratum value?
    • It is used by NTP and indicates the believability of a time source.
    • Stratum values range from 0 to 15. The lower the better. It works like a hop count from the reference clock.
  • What are the 4 modes that NTP can propagate time?
    • Server (or NTP master): Can be configured using ntp master stratum global command.
    • Client: Synchronizes its time with the NTP server.  ntp server IP
    • Peers: This is called symmetric mode. Peers exchange time synchronization information. This is often used between two or more servers operating as a mutually redundant group. ntp peer IP
    • Broadcast/multicast: The NTP server provides one-way time announcements to receptive clients. Client config: (interface) ntp broadcast client
  • How do you configure NTP broadcast?
    • !Server
      interface Fa0/0
        ip addr
        ntp broadcast
      ntp server
      !Client
      interface Fa0/0
        ip addr
        ntp broadcast client
  • How do you configure NTP multicast?
    • !Server
      ip multicast-routing
      interface Fa0/0
        ip addr
        ip pim dense-mode
        ntp multicast
      !Client
      ip multicast-routing
      interface Fa0/0
        ip addr
        ip pim dense-mode
        ntp multicast client
  • What are the differences between NTPv3 and NTPv4?
    • NTPv4 supports IPv6
    • NTPv4 uses multicast instead of broadcast
    • improved security
  • What does the following command mean?
      ntp access-group serve 10
    • The NTP server only serves the devices which are defined in ACL 10.
  • How do you configure authenticated NTP?
    • !Server
        ntp authentication-key key-id md5 key
        ntp authenticate
        ntp trusted-key key-id
        ntp master stratum-number
      !Client
        ntp authentication-key key-id md5 key
        ntp authenticate
        ntp trusted-key key-id
        ntp server ip-address-of-ntp-server key key-id
    • The key and key-id must match on the Client and Server.
  • How do you verify NTP?
    • show ntp associations detail
    • show ntp status
  • What is SNTP?
    • SNTP cannot provide time service (master) to other systems.
    • Also it does not provide the complex filtering and statistical mechanisms of NTP.
    • SNTP and NTP cannot coexist on a device as they use the same port.
  • How do you configure SNTP?
    • The same way as NTP only instead of “ntp..” you use the command “sntp..”


  • How can you enhance logging?
    • By increasing the logging history (logging buffer) and using time stamps.
  • How do you configure timestamps to logging?
    • (global) service timestamps log datetime
  • What is a core dump?
    • It is a file containing a process’s address space (memory) at the moment the process terminates unexpectedly, used to identify the cause of the crash. It is useful for crash collection when a device crashes without warning.
    • It is not recommended to do a core dump when the router is in operation.
  • How does debug condition work?
    • It only shows debug messages which relate to the condition parameter, e.g.:
        debug condition interface Fa0/0
        debug ip rip
      Only those RIP messages will appear which are related to Fa0/0.
  • How do you apply an ACL to a debug command?
    • e.g.: debug ip packet acl-number
  • How do you turn on local logging?
    • logging buffered severity-number
  • What kind of message logging types exist?
    • message logging
  • What level does “logging console warning” command use?
    • level 4,3,2,1,0  =  warning, error, critical, alert, emergencies
