NET4009-Module 7- Infra Security - Management Tool ver 2

Description and Tags

Infrastructure Security

27 Terms

1

For IPv6 ACLs, what is implicit?

There is an implicit permit icmp nd: if the packet is an NA or NS message, permit it.

2

What does IPv6 rely on to determine the MAC address associated with an IPv6 address?

Neighbor Discovery Protocol (NDP) NA (neighbor advertisement) and NS (neighbor solicitation) messages

3

What will break an IPv6 ACL?

The "deny ipv6 any any log" command

4

What command can be used for IPv6 packet filtering?

ipv6 traffic-filter acl-name {in | out}

5

How to configure a route map?

route-map route-map-name [permit | deny]

6

What rules apply to route-map statements?

  • If a processing action is not provided, permit is the default

  • If a sequence number is not provided, it automatically increments by 10

  • If a matching statement is not included, an implied match of all prefixes is associated with the statement

7

What 4 steps are required for configuring CoPP?

  1. Create ACLs to identify the traffic

  2. Create class maps to define a traffic class

  3. Create policy maps to define a service policy

  4. Apply the service policy to the control plane

8

Why are ACLs used with CoPP?

ACLs are used with CoPP for identifying traffic. When the traffic is matched, it becomes the object of the policy action

9

What are the 5 things to focus on when troubleshooting CoPP?

  1. Grouping

  2. Action

  3. Protocol

  4. Source and destination

  5. Operators and ports

10

Class maps are used to define a traffic class. Which three elements is a traffic class composed of?

  • There is a name.

  • One or more match commands are used to identify the packets that are part of the class.

  • There are instructions on how the match commands will be evaluated.

11

What are the 5 things to focus on when troubleshooting Class Maps?

  1. Access group

  2. Instruction

  3. Protocol

  4. IP PREC/IP DSCP

  5. Case

12

What are policy maps used for within CoPP?

Policy maps are used with CoPP to associate the traffic class (as defined by the class map) with one or more policies, resulting in a service policy

13

What are the 5 things to focus on when troubleshooting Policy Maps?

  1. Order of operations

  2. Class map

  3. Policy

  4. Default class

  5. Case

14

When troubleshooting the application of the service policy, what should be focused on?

  • The correct interface ~ verify using show policy-map control-plane [input|output]

  • Direction

  • Case

15

What 4 steps should be taken when troubleshooting CoPP?

  1. verify the service policy ~ show policy-map control-plane

  2. verify the policy map ~ show policy-map control-plane

  3. verify the class map ~ show class-map

  4. verify the ACL ~ show access-list

16

What is AAA?

Authentication, Authorisation and Accounting

17

How to enable AAA on a Cisco device?

aaa new-model command

18

What command is used to create an AAA method list called VTY_ACCESS for login authentication?

aaa authentication login VTY_ACCESS group RADIUSMETHOD local

19

What 8 things should be considered when troubleshooting AAA?

  1. AAA needs to be enabled using the aaa new-model command

  2. AAA relies on local username and password database (or AAA server such as RADIUS or TACACS+)

  3. A method list defines the authentication methods

  4. Method list service is incorrect

  5. AAA method lists are not applied to the lines

  6. The router needs to be able to reach the AAA server

  7. The correct authentication and accounting ports need to be configured ~ 1812 or 1645 and 1813 or 1646

  8. The AAA server group needs to have the correct AAA server IP address

20

What does the keyword default specify when used with the aaa authentication login command?

• The named method list is the default one (default).
• There are two authentication methods (group radius and loca

21

How to debug AAA authentication?

debug aaa authentication

22

What is uRPF (unicast reverse path forwarding)?

uRPF is a security feature that helps limit or even eliminate spoofed IP packets on a network

23

What must be enabled for uRPF to work?

CEF (Cisco Express Forwarding) must be enabled on the IOS device

24

What are the 3 modes that uRPF can use?

  1. Strict

  2. Loose

  3. VRF

25

What are the uRPF strict mode conditions?

  1. Accept the packet if the source IP of the packet is in the routing table

  2. Accept the packet if the source IP is reachable via the interface on which the packet is received

26

What is the uRPF loose mode condition?

Accept the packet if the source IP address of the packet is present in the routing table

27

What are 4 tools for IPv6 First Hop Security?

  1. Router Advertisement (RA) Guard - filters out unwanted RAs from unauthorized devices

  2. DHCPv6 Guard - protects the DHCP server

  3. IPv6 Neighbor Discovery Inspection - an ND message is valid where its IPv6-to-MAC mapping can be verified

  4. Source Guard - Layer 2 snooping interface feature for validating the source address