Access Control Lists
- How do you configure a time-based ACL?
time-range TIMER
 periodic weekdays 8:00 to 16:30
!
access-list 100 permit tcp any host 192.168.0.1 eq 80 time-range TIMER
!
interface Fa0/0
 ip access-group 100 in
- You can set “periodic” or “absolute” time.
- What problem might occur when configuring an IPv6 ACL with, e.g., OSPF?
- The traffic filter needs to permit the link-local addresses or else the OSPF neighborship will fail.
Management Plane Security
- How do you configure SSH?
hostname name
ip domain-name name
username name privilege 15 secret password
crypto key generate rsa modulus size-of-modulus
!
line vty number
 transport input ssh
 login local
- What is “enable secret password”? How is it encrypted?
- It is used to give the engineer full access on a router. The password appears in a router’s running config as a SHA-256 hash value.
- In the running config “enable secret 4 … ” means SHA-256 and “enable secret 5 …” means MD5 hash (which is not as secure).
- In case both “enable password pass” and “enable secret pass” are configured, which one will be used? Why?
- You will be prompted for the enable secret password. The “enable password” command still exists only for backward compatibility.
- What is the difference between the following 2 commands?
username paul privilege 15 secret cisco
username david secret cisco
- When paul logs in to the router he will be in privileged mode. David needs to use the “enable” command to reach privileged mode.
- What needs to be known about line passwords? How do you configure them?
- They are stored in clear text by default. When “service password-encryption” is enabled they will be encrypted using Type 7 encryption, which can be easily decrypted.
line console 0
 password cisco
 login
- What are the login states under lines?
- no login = does not ask for a password, simply lets you in
- login = uses the password configured on the line
- login local = asks for configured username/password
- What is uRPF?
- Unicast Reverse Path Forwarding can help block packets having a spoofed source IP address. uRPF checks the source IP of a packet arriving on an interface and determines whether that IP address is reachable based on the FIB. (Checks incoming packets only.)
- What modes does uRPF have?
- Strict (rx): Source IP address must be reachable (based on FIB) and reply must leave on the interface where the original packet arrived.
- Loose (any): Source IP address must be reachable (based on FIB).
- VRF: Like Loose mode but overlapping IP addresses can be used because of VRFs.
- What are the dangers of Strict uRPF?
- In case of asymmetric routing, packets will be dropped.
- What if there is no exact match for the source IP in the FIB?
- by default uRPF will drop the packet
- if “allow-default” is enabled it will forward the packet
- an ACL can be added to the uRPF command, so when the FIB check fails the packet is still permitted if the ACL allows its source IP
- How do you configure uRPF?
interface Fa1/0
 ip address 192.168.1.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
interface Serial2/0
 ip address 172.16.0.1 255.255.255.252
 ip verify unicast source reachable-via any allow-default
- rx = Strict mode – source is reachable via the interface on which the packet was received
- any = Loose mode – source is reachable via any interface
- allow-default = a default route can match the source IP
- How do you verify whether uRPF is enabled on an interface?
- show cef interface interface-id
- What is the meaning of AAA?
- Authentication: This service checks the user’s credentials (e.g. at login).
- Authorization: This service determines what the user is allowed to do.
- Accounting: This service collects and stores information about a user: logins, used commands etc.
- How do you configure AAA for authenticating remote logins?
! enables AAA
aaa new-model
aaa authentication login ADMIN group tacacs+ local
!
username kevin secret cisco
!
tacacs server CISCO-ACS
 address ipv4 192.168.0.40
 key cisco
!
line vty 0 4
 login authentication ADMIN
- The second line defines the method list named ADMIN, which attempts to perform authentication through a TACACS+ server. If the TACACS+ server is unreachable, the local keyword allows the device to perform authentication using the local user database (kevin).
- How do you configure AAA fallback?
- You can use the “local” parameter on the AAA command. If the TACACS server is not reachable the router will use local authentication.
- What are the main differences between TACACS+ and RADIUS?
- TACACS+:
- TCP port 49
- supports 15 privilege levels
- encrypts the entire body of the packet
- basic accounting features
- Cisco proprietary
- heavy-weight protocol consuming more resources
- mainly used for device administration
- separates authentication and authorization
- RADIUS:
- UDP port 1812
- robust accounting features
- encrypts only the password
- combines authentication and authorization functions
- How do you configure IOS local AAA?
- What is an SNMP Manager?
- The manager runs a network management application. Sometimes referred to as the NMS.
- What is an SNMP Agent?
- A piece of software which runs on the managed device.
- What is the MIB?
- Management Information Base: Information about the device’s resources and activity is defined by a series of objects.
- What type of SNMP messages do you know?
- GET: Retrieves information from a managed device.
- SET: Sets a variable in a managed device or triggers an action on it.
- Trap: The managed device sends a message to an NMS which can notify the SNMP manager about an event.
- What kind of security exist on SNMPv1 and SNMPv2?
- They use a community string to gain read-only or read-write access. This is considered weak.
- How do you configure SNMPv2?
snmp-server community DRIZZT ro 10
snmp-server community GERALT rw 10
!
access-list 10 permit host 10.0.0.1
- What is the difference between SNMP traps and informs?
- TRAP: send a notification to the manager that something happened
- INFORM: sends a trap and waits for an acknowledgement from the manager. It keeps resending until an acknowledgement is received.
- How do you configure SNMPv3?
ip access-list standard SNMPV3-ACL
 permit 10.1.1.0 0.0.0.255
!
snmp-server view OPS sysUpTime included
snmp-server view OPS ifOperStatus included
snmp-server group MY-GROUP v3 priv read OPS write OPS access SNMPV3-ACL
snmp-server user ADMIN MY-GROUP v3 auth sha SNMP-Secret1 priv aes 256 SNMP-Secret2
!
snmp-server enable traps
!
snmp-server host 10.1.1.254 traps version 3 priv ADMIN cpu
snmp-server ifindex persist
- What type of security models exist (SNMP)?
- noAuthNoPriv: (no authentication, no privacy) This level uses a username for authentication but no encryption
- authNoPriv: Authentication using Hash Message Authentication Code (HMAC) with MD5 or SHA-1. No encryption.
- authPriv: HMAC authentication with encryption
- What if there is no read view defined? What if there is no write view defined?
- When no read view: everything is readable
- When no write view: nothing can be modified
- What is the function of the snmp-server manager command?
- To enable the device to send and receive SNMP requests and responses.
- What is a stratum value?
- It is used by NTP and indicates the believability of a time source.
- Stratum ranges from 0 to 15. The lower the better. It works like a hop count.
- What are the 4 modes that NTP can propagate time?
- Server (or NTP master): Can be configured using the ntp master stratum global command.
- Client: Synchronizes its time with the NTP server. ntp server IP
- Peers: This is called symmetric mode. Peers exchange time synchronization information. This is often used between two or more servers operating as a mutually redundant group. ntp peer IP
- Broadcast/multicast: The NTP server provides one-way time announcements to receptive clients. Client config: (interface) ntp broadcast client
- How do you configure NTP broadcast?
! Server
interface Fa0/0
 ip address 10.0.0.1 255.255.255.0
 ntp broadcast
!
ntp server 192.168.88.1
!
! Client
interface Fa0/0
 ip address 10.0.0.2 255.255.255.0
 ntp broadcast client
- How do you configure NTP multicast?
! Server
! the group must be a class D (224.0.0.0/4) address and must match on server and client;
! 224.0.1.1 is the IANA-registered NTP multicast group
ip multicast-routing
!
interface Fa0/0
 ip address 10.0.0.1 255.255.255.0
 ip pim dense-mode
 ntp multicast 224.0.1.1
!
! Client
ip multicast-routing
!
interface Fa0/0
 ip address 10.0.0.2 255.255.255.0
 ip pim dense-mode
 ntp multicast client 224.0.1.1
- What are the differences between NTPv3 and NTPv4?
- NTPv4 supports IPv6
- NTPv4 uses multicast instead of broadcast
- improved security
- What does the following command mean?
ntp access-group serve 10
- The NTP server only serves the devices which are defined in ACL 10.
- How do you configure authenticated NTP?
! Server
ntp authentication-key key-id md5 key
ntp authenticate
ntp trusted-key key-id
ntp master stratum-number
!
! Client
ntp authentication-key key-id md5 key
ntp authenticate
ntp trusted-key key-id
ntp server ip-address-of-ntp-server key key-id
- The key and key-id must match on the Client and Server.
- How do you verify NTP?
- show ntp associations detail
- show ntp status
- What is SNTP?
- SNTP cannot provide time service (master) to other systems.
- Also, it does not provide the complex filtering and statistical mechanisms that NTP does.
- SNTP and NTP cannot coexist on a device as they use the same port.
- How do you configure SNTP?
- The same way as NTP, only instead of “ntp …” you use the command “sntp …”.
- How can you enhance logging?
- By increasing the logging history (logging buffer) and using time stamps.
- How do you configure timestamps to logging?
- (global) service timestamps log datetime
- What is a core dump?
- It is a file containing a process’s address space (memory) at the moment the process terminates unexpectedly, used to identify the cause of the crash. It is useful for crash collection when a device crashes without warning.
- It is not recommended to do a core dump when the router is in operation.
- How does debug condition work?
- It only shows debug messages which relate to the condition parameter, e.g.:
debug condition interface Fa0/0
debug ip rip
- Only those RIP messages will appear which are related to Fa0/0.
- How do you apply an ACL to a debug command?
- e.g.: debug ip packet acl-number
- How do you turn on local logging?
- logging buffered severity-number
- What kind of message logging types exists?
- What level does “logging console warning” command use?
- Levels 4 and below: 4 = warning, 3 = error, 2 = critical, 1 = alert, 0 = emergencies