26. Network Device Access Control and Infrastructure Security Flashcards
How does an access list process?
It starts at the top and proceeds down until a matching pattern is identified. When a match is found, the process stops.
What is at the end of all ACLs?
An implicit deny
What can ACLs be used for?
- QoS
- NAT
- Identifying networks
What are the 5 types of ACL?
- Standard numbered
- Extended numbered
- Named
- Port (PACL)
- VLAN (VACL)
What is the number of ACLs allowed per interface?
1 inbound and 1 outbound
What is the range for standard ACLs?
1-99 / 1300-1999
With what command is the ACL defined?
access-list number permit/deny
What does the command permit any do?
Permits all networks
What does the command permit 172.16.0.0 0.0.255.255 do?
Permits all networks in the 172.16 range
What does the command permit host 192.168.1.1 do?
Permits only the 192.168.1.1/32 network
What is the range of extended ACL?
100-199 / 2000-2699
What is the command for an extended numbered ACL?
access-list number permit/deny protocol
source source wildcard
destination destination wildcard
What is the protocol option neq?
Match only packets not on a given port number
What is the command to create a named ACL?
ip access-list standard/extended NAME
What is the command to apply an ACL?
ip access-group in/out
What is a PACL?
Port access list that can be applied on L2 ports. Can support L3 standard/extended/named ACLs and L2 named MAC ACLs
What are the restrictions for PACL?
- Only supports filtering incoming traffic
- Cannot filter L2 control packets
- Only supported in hardware
- Does not support filtering IPv6, ARP or MPLS
What is the command to create a PACL?
ip access-list
What is a VACL?
Can filter traffic bridged within a VLAN or routed into or out of a VLAN
How to create a VACL?
- Create an ACL (permit)
- Create vlan access-map
- Configure the match statement
- Configure the action statement
- Apply with VLAN filter
What is important to remember with creating the ACL for VACL?
It always needs a PERMIT statement!
What are the action statements for VACL?
- Forward
- Drop
- Log (can only be used with drop)
What is the order for bridged traffic?
- Inbound PACL
- Inbound VACL
- Outbound VACL
What is the order for routed traffic?
- Inbound PACL
- Inbound VACL
- Inbound ACL
- Outbound ACL
- Outbound VACL
What are the 3 basic methods to gain access to the CLI?
- Console (cty)
- Aux
- Virtual (vty)
What are the 3 ways to password protect the CLI access?
- Password direct on the line
- Username based authentication
- AAA server
What are the 5 types of passwords in IOS?
- 0: most insecure
- 5: MD5
- 7: weak
- 8: SHA-256
- 9: SCRYPT
What command can be used to encrypt all type 0 passwords?
service password-encryption
What is the disadvantage of the command service password-encryption?
It only encrypts passwords created after applying this command, and it uses type 7 encryption, which is not safe
What are the 3 ways to configure a username in IOS?
- username ... password (type 0)
- username ... secret (type 5)
- username ... algorithm-type (type 5, 8, 9)
How to configure a line local password?
- password ….. (line con and vty)
- login
How to configure a line local username and password?
- username ... password in global configuration
- login local
What are the default types of privilege levels?
0, 1 & 15
What are the commands that can be used on privilege level 0?
- enable
- disable
- exit
- help
- logout
Where do you place standard ACLs?
Closest to the destination
Where do you place extended ACLs?
As close to the source as possible
What is the command to set a time-range?
- time-range
- periodic ….
How do you control access to vty with ACLs?
Under line vty 0 4 set access-class in
How to control access to vty with protocols?
transport input ….
How to configure SSH access?
- hostname
- domain name
- crypto key generate rsa
- ip ssh version 2
What is AAA commonly used for?
- Network device access control (TACACS+)
- Secure network access control (RADIUS)
What port number does TACACS+ use?
TCP 49
What is the difference between TACACS+ & RADIUS?
- TACACS+ supports separate AAA and full payload encryption
- RADIUS supports EAP
What port number does RADIUS use?
UDP 1645 - Authentication/authorization
UDP 1646 - Accounting
What are the steps for configuring TACACS+?
- aaa new-model
- add server
- create group
- enable login authentication
- enable authorization exec
- enable authorization console
- enable authorization command
- enable authorization global command
- enable login accounting
- enable login accounting command
How can you prevent commands from being processed if the user is denied?
By adding the if-authenticated command
How to enable TACACS+?
aaa new-model
How to create a group?
aaa group server tacacs+
server name
How to enable login authentication?
aaa authentication login
How to enable authorization exec?
aaa authorization exec
How to enable authorization console?
aaa authorization console
How to enable authorization command?
aaa authorization command
How to enable authorization global command?
aaa authorization config-commands
How to enable login accounting?
aaa accounting exec
How to enable login accounting command?
aaa accounting commands
How to add a server?
tacacs server
address ipv4
key
What is Cisco ZBFW?
Integrated stateful firewall technology included in IOS
How does ZBFW work?
It groups interfaces in zones. Interfaces within a zone can communicate freely by default.
What are the 2 types of zones?
- Self zone
- Default zone
What is the self zone?
Includes the router's own IPs. By default, traffic is permitted to support management and control plane functions
What is the default zone?
Any interface that is not a member of a zone is placed in here automatically