24 - Implementing Infrastructure Security

Question 1

What are the features of standard ACLs?

Answer 1

• check the source IP address
• permit or denies an entire protocol suit
• Named or numbered
• Place as close to destination as possible

Question 2

What are the features of extended ACLs?

Answer 2

• Checks the source and destination IP addresses
• Generally, permits or denies specific protocols and applications
• Named or numbered
• Place as close to source as possible

Question 3

What are the number ranges for numbered standard ACLs?

Answer 3

1-99, 1300-1999

Question 4

What are the number ranges for numbered extended ACLs?

Answer 4

100-199, 2000-2699

Question 5

How do you configure a standard ACL?

Answer 5

RouterX(config)# access-list 1 permit 172.16.0.0 0.0.255.255

Question 6

How do you configure a extended ACL?

Answer 6

RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
RouterX(config)# access-list 101 permit ip any any

Question 7

How do you configure a standard named ACL?

Answer 7

Branch(config)# ip access-list standard Subnet_ONLY

Branch(config-std-nacl)# permit 10.1.1.0 0.0.0.255

Question 8

How do you configure a extended named ACL?

Answer 8

Branch(config)# ip access-list extended WWW-ACCESS
Branch(config-ext-nacl)# 30 permit tcp 10.1.1.0 0.0.0.255 any eq 80
Branch(config-ext-nacl)# 40 permit tcp 10.1.1.0 0.0.0.255 any eq 443

Question 9

A reload will change the sequence numbers in an ACL. The sequence numbers will be 10 and 20 instead of 5 and 10 after the reload. Use the ___ command to renumber the ACL entries without having to reload.

Answer 9

access-list resequence

Question 10

Packets may be divided in to four distinct logical groups:

Answer 10

Data plane packets
Control plane packets
Management plane packets
Services plane packets

Question 11

__ plane packets – end-station, user generated packets that are always forwarded by network devices to other end-station devices

Answer 11

Data

Question 12

__ plane packets – network device generated or received packets that are used for the creation and operation of the network itself. From the perspective of the network device, __ plane packets always have a receive destination IP address and are handled by the CPU in the network device route processor. Examples include protocols such as ARP, NGP, OSPF and other protocols that glue the network together

Answer 12

Control

Question 13

__ plane packets – network device generated or received packets, or management station generated or received packets that are used to manage the network. From the perspective of the network device, __ plane packets always have a receive destination IP address and are handled by the CPU in the network device route processor. Examples include protocols suchj as Telnet, SSH, TFTP, SNMP, FTP, NTP and other protocols used to manage the devices and/or network

Answer 13

Management

Question 14

__ plane packets – A special case of data plane packets, __ plane packets are also user-generated packets that are forwarded by the network devices to the other end-station devices, but that require high-touch handling by the network device (above and beyond normal, destination IP address-based forwarding) to forward the packet. Examples of high-touch handling include such functions as GRE encapsulation, QoS, MPLS VPNs, and SSL/IPsec encryption/decryption etc. From the perspective of the network device, __ plane packets may have a transit destination IP address, or may have a receive destination IP address (for example, in the case of a VPN tunnel endpoint).

Answer 14

Services

Question 15

From the perspective of the network device, three general types of packets exist:

Answer 15

Transit packets
Receive packets
Exception IP and non-IP packets

Question 16

__ packets – data plane and some services plane packets that are subjected to standard, destination IP-based forwarding functions. __ packets are typically forwarded by CEF mechanisms.

Answer 16

Transit

Question 17

___ packets – control plane and management plane packets that are destined to the network device itself. __ packets must be handled by the CPU within the route processor, as they are ultimately destined to and handled by applications running at the process level with IOS.

Answer 17

Receive

Question 18

___ packets – __ packets include, for example, IPv4 packets containing IP header options, IP packet TTL expires, and IP packets with unreachable destinations. L2 keepalives, IS-IS packets, CDP packets and PPP LCP packets are example of __packets. All these packets must be handled by the route processor.

Answer 18

Exception IP and non-IP, Exception, non-IP

Question 19

The interface ACL is the traditional and most generally available approach for managing all packets enter or exiting a network device. ACLs are well understood are generally applicable to data, servers, control, and management plane packets. However, ACLs are applied at the interface level to each __ ingressing (or egressing) the interface – not just control plane packets. In addition, ACLs must be applied to every individual interface to which the policy is applied – on large routers, this can be an onerous task.

Answer 19

packet

Question 20

__ is specifically designed to protect the route processor.

Answer 20

Control Plane Policing (CoPP)

Question 21

CoPP is a cisco IOS feature which is designed to allow administrators to specify controls over traffic that is directed to a devices ___. The goal is to prevent low-priority or unnecessary traffic from overwhelming system resources, which could leave to issues in system performance.

Answer 21

control plane

Question 22

CoPP treats the control plane as a separate entity with its own __ and __ ports. CoPP not only allows you to specify what traffic is allowed and what traffic is denied on the control plane interface, it also provides for rate limiting of allowed traffic for the control plane. Therefore, expected traffic that us of lower priority can be allowed, but attacks where floods of lower priority traffic are sent to the control plane will be mitigated.

Answer 22

ingress, egress

Question 23

How is CoPP configured?

Answer 23

Step 1 – Define ACL and create class map
R1(config)# access-list 100 permit udp any any eq snmp
R1(config)# access-list 100 permit tcp any any eq www
R1(config)# access-list 100 permit tcp any any eq 443
R1(config)# access-list 100 permit tcp any any eq 22
R1(config)# class-map COPP_class
R1(config-cmap)# match access-group 100

Step 2 – Define service policy and policing rates for each class map
R1(config)# policy-map COPP_policy
R1(config-pmap)# class COPP_class
R1(config-pmap-c)# police 300000 conform-action transmit exceed-action drop
R1(config-pmap-c)# class class-default
R1(config-pmap-c)# police rate 50 pps conform-action transmit exceed-action drop

Step 3 – Apply service policy to the control plane
R1(config)# control-plane
R1(config-cp)# service-policy input COPP_policy

Question 24

What command displays configured ACLS and any hit counters?

Answer 24

Show access-lists

Question 25

What command verifies the configured class maps?

Answer 25

Show class-map

Question 26

What command verifies configured policy maps

Answer 26

Show policy-map

Question 27

What command displays dynamic information about the actual policy including rate information and number of bytes that conformed to or exceeded the configured polices?

Answer 27

Show policy-map control-plane