26. Network Device Access Control and Infrastructure Security Flashcards

1
Q

How does an access list process?

A

It is processed top-down: the packet is compared against each entry in order until one matches. The first matching entry decides (permit or deny) and processing stops; later entries are never consulted, so the order of entries matters.

2
Q

What is at the end of all ACLs?

A

An implicit deny any: a packet that matches no entry is dropped. It is not logged; add an explicit deny ip any any log as the last entry if you want to see what is being dropped.

3
Q

What can ACLs be used for?

A
  • QoS classification (class-map match access-group)
  • NAT (identifying which addresses to translate)
  • Identifying networks or traffic for other features (route filtering, VPN interesting traffic, vty access with access-class), besides plain packet filtering on interfaces
4
Q

What are the 5 types of ACL?

A
  • Standard numbered
  • Extended numbered
  • Named
  • Port (PACL)
  • VLAN (VACL)
5
Q

What is the number of ACLs allowed per interface?

A

One per interface, per direction, per protocol: one inbound and one outbound IPv4 ACL

6
Q

What is the range for standard ACLs?

A

1-99, plus the expanded range 1300-1999

7
Q

With what command is a standard numbered ACL defined?

A

access-list NUMBER permit/deny SOURCE [WILDCARD] (a standard ACL matches only the source address)

8
Q

What does the entry permit any do?

A

Matches every source address (equivalent to 0.0.0.0 255.255.255.255), so any packet that reaches this entry is permitted

9
Q

What does the entry permit 172.16.0.0 0.0.255.255 do?

A

Permits every address in 172.16.0.0/16: the wildcard 0.0.255.255 means the first two octets must match and the last two are ignored (a wildcard bit of 1 is "don't care", the inverse of a subnet mask)

10
Q

What does the entry permit host 192.168.1.1 do?

A

Permits only the single host 192.168.1.1; host is shorthand for the wildcard 0.0.0.0, i.e. a /32 match

11
Q

What is the range of extended ACL?

A

100-199, plus the expanded range 2000-2699

12
Q

What is the command for an extended numbered ACL?

A

access-list NUMBER permit/deny PROTOCOL
SOURCE SOURCE-WILDCARD [OPERATOR PORT]
DESTINATION DESTINATION-WILDCARD [OPERATOR PORT]
(the port operator is only valid for tcp/udp; PROTOCOL can be ip, tcp, udp, icmp, ...)

13
Q

What is the port operator neq?

A

Not equal: matches only packets whose port is anything other than the given port number (the other operators are eq, gt, lt and range)

14
Q

What is the command to create a named ACL?

A

ip access-list standard/extended NAME, then the permit/deny entries in the ACL sub-mode (optionally with sequence numbers, which allow inserting and deleting single entries)

15
Q

What is the command to apply an ACL?

A

Under the interface: ip access-group NUMBER/NAME in/out

16
Q

What is a PACL?

A

A port ACL: an ACL applied to a Layer 2 switchport. It can be an IPv4 standard, extended or named ACL, or a Layer 2 named MAC ACL

17
Q

What are the restrictions for PACL?

A
  • Only filter inbound traffic (there is no outbound PACL)
  • Cannot filter Layer 2 control packets (CDP, STP, DTP, VTP and the like)
  • Supported only in hardware
  • Cannot filter IPv6, ARP or MPLS traffic
18
Q

What is the command to create a PACL?

A

The same commands as any other ACL (ip access-list standard/extended NAME, or mac access-list extended NAME for a MAC ACL). What makes it a PACL is applying it to the switchport with ip access-group NAME in (or mac access-group NAME in)

19
Q

What is a VACL?

A

A VLAN ACL (VLAN access map): it filters traffic bridged within a VLAN as well as traffic routed into or out of the VLAN. It is applied to the VLAN itself, not to an interface, and has no direction

20
Q

How do you create a VACL?

A
  • Create an ACL whose permit entries identify the traffic (ip access-list extended NAME)
  • Create the access map (vlan access-map MAP-NAME SEQUENCE)
  • Configure the match statement (match ip address NAME, or match mac address NAME)
  • Configure the action statement (action forward or action drop [log])
  • Apply it to the VLANs (vlan filter MAP-NAME vlan-list LIST)
21
Q

What is important to remember with creating the ACL for VACL?

A

It always needs a PERMIT statement! The ACL's permit entries only select the traffic; the forward/drop decision comes from the access-map action, so an ACL with only deny entries matches nothing and the map entry never fires. The map itself ends in an implicit deny, so add a final sequence with action forward for everything else you do not want dropped

22
Q

What are the action statements for VACL?

A
  • Forward
  • Drop
  • Log (can only be combined with drop)
23
Q

What is the order for bridged traffic?

A
  • Inbound PACL
  • Inbound VACL
  • Outbound VACL
24
Q

What is the order for routed traffic?

A
  • Inbound PACL
  • Inbound VACL
  • Inbound router ACL (RACL)
  • Outbound router ACL (RACL)
  • Outbound VACL
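A worked model of the ACL behaviour from the cards above (first match and implicit deny from cards 1-2, wildcard masks and port operators from cards 8-13) together with the bridged/routed order of operations from cards 23-24. This is an added example in Python, not Cisco code and not part of the original deck: the stage names pacl_in, vacl_in, racl_in, racl_out and vacl_out, the sample ACLs and the sample packets are constructed for illustration, and the ACE syntax is a simplified subset of IOS rather than a real IOS parser.

```python
"""Toy evaluator for Cisco-style IPv4 ACLs and the switch order of operations.

Added example, not Cisco code. Models top-down first match, the implicit
deny, wildcard masks with the host/any shorthands, the port operators
eq/neq/gt/lt/range, and the order in which a switch consults PACL, VACL and
router ACL (RACL) for bridged versus routed traffic.
"""
import ipaddress

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_OPS = {
    "eq": lambda p, a, b: p == a,
    "neq": lambda p, a, b: p != a,      # "not equal": any port except a
    "gt": lambda p, a, b: p > a,
    "lt": lambda p, a, b: p < a,
    "range": lambda p, a, b: a <= p <= b,
}
# Stage names are assumptions of this toy; the order is the documented one.
BRIDGED_ORDER = ("pacl_in", "vacl_in", "vacl_out")
ROUTED_ORDER = ("pacl_in", "vacl_in", "racl_in", "racl_out", "vacl_out")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'. Returns
    (address, care_mask). A wildcard bit of 1 means "don't care", so the
    bits the ACE actually compares are the complement of the wildcard."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return _ip(tokens.pop(0)), 0xFFFFFFFF
    wildcard = _ip(tokens.pop(0))
    return _ip(tok), (~wildcard) & 0xFFFFFFFF


def _port_pred(tokens):
    """Consume an optional port operator; no operator means any port."""
    if tokens and tokens[0] in PORT_OPS:
        op = tokens.pop(0)
        a = int(tokens.pop(0))
        b = int(tokens.pop(0)) if op == "range" else a
        return lambda p: PORT_OPS[op](p, a, b)
    return lambda p: True


def parse_ace(line):
    """Standard ACE: 'permit|deny SRC'.
    Extended ACE: 'permit|deny PROTO SRC [op port] DST [op port]'."""
    tokens = line.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad ACE: {line}")
    proto = tokens.pop(0) if tokens[0] in PROTOCOLS else None  # None = standard
    src, sport = _addr(tokens), _port_pred(tokens)
    dst, dport = (_addr(tokens), _port_pred(tokens)) if proto else ((0, 0), lambda p: True)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def _addr_match(spec, address):
    net, care = spec
    return (_ip(address) & care) == (net & care)


def ace_matches(ace, pkt):
    """pkt: dict with src, dst, proto and optional sport/dport."""
    if ace["proto"] not in (None, "ip", pkt["proto"]):
        return False
    return (_addr_match(ace["src"], pkt["src"])
            and _addr_match(ace["dst"], pkt["dst"])
            and ace["sport"](pkt.get("sport", 0))
            and ace["dport"](pkt.get("dport", 0)))


def evaluate(acl, pkt):
    """Top-down, first match wins. Returns (action, matching line number);
    falling off the end is the implicit deny, reported with line None."""
    for number, line in enumerate(acl, 1):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], number
    return "deny", None


def filter_chain(stages, pkt, routed):
    """Consult the stages in the switch's documented order; the first stage
    that denies drops the packet and later stages are never reached. A stage
    with no ACL configured passes the packet. Each stage is modelled as a
    plain ACL whose deny is that stage's drop decision (for a real VACL the
    decision comes from the access-map action, which this toy folds in)."""
    for stage in ROUTED_ORDER if routed else BRIDGED_ORDER:
        if stage in stages and evaluate(stages[stage], pkt)[0] == "deny":
            return "drop", stage
    return "forward", None


if __name__ == "__main__":
    # Constructed ACLs and packets for the demonstration.
    standard = ["deny host 172.16.5.9", "permit 172.16.0.0 0.0.255.255"]
    extended = ["permit tcp any host 10.0.0.10 eq 443",
                "deny tcp any any neq 22",
                "permit ip any any"]
    web = {"src": "172.16.7.1", "dst": "10.0.0.10", "proto": "tcp", "dport": 443}
    print(evaluate(standard, {"src": "10.1.1.1", "dst": "10.0.0.10", "proto": "tcp"}))
    print(evaluate(extended, web))
    # The inbound RACL permits the HTTPS session, but the outbound VACL on the
    # server VLAN is consulted afterwards and still drops it.
    stages = {"racl_in": extended, "vacl_out": ["deny tcp any any eq 443", "permit ip any any"]}
    print(filter_chain(stages, web, routed=True))
```

The chain shows why the order in cards 23-24 matters: a router ACL cannot override a VLAN map on the egress VLAN, and for bridged traffic the router ACLs are never consulted at all.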
25
Q

What are the 3 basic methods to gain access to the CLI?

A
  • Console (line con 0, the cty line)
  • Auxiliary (line aux 0)
  • Virtual terminal (line vty, used by Telnet and SSH)
26
Q

What are the 3 ways to password protect the CLI access?

A
  • A password set directly on the line (password + login)
  • Username-based authentication against the local database (login local)
  • An AAA server (TACACS+ or RADIUS)
27
Q

What are the 5 types of passwords in IOS?

A
  • Type 0: plaintext, the most insecure
  • Type 5: MD5 hash (salted, but fast to brute-force)
  • Type 7: reversible Vigenère-style obfuscation, trivially decoded; weak
  • Type 8: PBKDF2 with SHA-256
  • Type 9: scrypt
28
Q

What command can be used to encrypt all type 0 passwords?

A

service password-encryption

29
Q

What is the disadvantage of the command service password-encryption?

A

It is obfuscation, not encryption: type 7 uses a fixed key that is the same on every device, so anyone who can read the configuration can reverse it instantly. It only protects against someone glancing at a show run. It also does nothing for enable secret or username secret (those are already hashed), so the real fix is to use secrets with algorithm-type sha256 or scrypt instead of line and username passwords
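An added example (Python, not Cisco code and not from the original deck) for cards 27-29: it decodes type 7 strings with the fixed, publicly known IOS key to show that service password-encryption only obfuscates, and then audits a constructed running-config fragment for how each credential is stored. SAMPLE_CONFIG and the hashes in it are constructed for illustration; decode_type7, encode_type7 and audit are names chosen here.

```python
"""Audit how an IOS config stores credentials (added example, not Cisco code).

Type 7 is what `service password-encryption` produces: a Vigenere-style XOR
against a fixed key that ships in every IOS image, so anyone who can read
the config can reverse it. Types 5/8/9 are one-way hashes (MD5, PBKDF2-SHA256,
scrypt); type 0 is plaintext.
"""
import re

# Fixed XOR key used by IOS type 7 (public knowledge, identical on every device).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(blob: str) -> str:
    """First two decimal digits = key offset, rest = hex of plaintext XOR key."""
    if len(blob) < 4 or len(blob) % 2 or not blob.isalnum():
        raise ValueError("not a type 7 string")
    offset = int(blob[:2])
    cipher = bytes.fromhex(blob[2:])
    plain = bytes(c ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, c in enumerate(cipher))
    return plain.decode("ascii")


def encode_type7(plain: str, offset: int = 8) -> str:
    """Inverse of decode_type7: same key, same XOR; no secret is involved."""
    cipher = bytes(ord(c) ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                   for i, c in enumerate(plain))
    return f"{offset:02d}{cipher.hex().upper()}"


# 'password 7 XXXX', 'enable secret 5 $1$..', 'username x secret 9 $9$..';
# a bare 'password cisco' (no type digit) is type 0 as well.
CRED_RE = re.compile(r"\b(password|secret)\s+(?:([05789])\s+)?(\S+)")


def audit(config_text: str):
    """Return (line_no, type, verdict, detail) for every stored credential."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = CRED_RE.search(line)
        if not m:
            continue
        keyword, ptype, blob = m.groups()
        ptype = int(ptype) if ptype else 0
        if ptype == 0:
            findings.append((n, 0, "plaintext", blob))
        elif ptype == 7:
            findings.append((n, 7, "reversible", decode_type7(blob)))
        elif ptype == 5:
            findings.append((n, 5, "hashed-md5", f"{keyword}: migrate to algorithm-type scrypt"))
        else:
            findings.append((n, ptype, "hashed", "ok"))
    return findings


# Constructed running-config fragment; the hashes are illustrative, not real accounts.
SAMPLE_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username ops password 0 cisco
username ops2 secret 9 $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucEZ6mwc.OQ7aQF5j0WY
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password 7 03055F060F01
 login local
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running it against the fragment prints the console and vty passwords in clear (cisco and admin), which is exactly what an attacker with a copy of the config, a TFTP backup or a show run over the shoulder gets.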

30
Q

What are the 3 ways to configure a username in IOS?

A

username NAME password PASSWORD (type 0; becomes type 7 with service password-encryption)
username NAME secret PASSWORD (type 5, MD5)
username NAME algorithm-type md5/sha256/scrypt secret PASSWORD (type 5, 8 or 9)

31
Q

How do you configure a password directly on a line?

A
Under the line (line con 0, line vty 0 4):
  • password PASSWORD
  • login

32
Q

How do you configure local username and password authentication on a line?

A
  • username NAME secret PASSWORD in global configuration
  • login local under the line

33
Q

What are the default types of privilege levels?

A

0, 1 and 15 (1 is user EXEC, 15 is privileged EXEC; levels 2-14 exist but have no commands unless you assign them)

34
Q

What are the command that can be used on privilege level 0?

A
  • enable
  • disable
  • exit
  • help
  • logout
35
Q

Where do you place standard ACLs?

A

As close to the destination as possible: a standard ACL matches only on source address, so placed near the source it would cut that source off from every destination

36
Q

Where do you place extended ACLs?

A

As close to the source as possible, so unwanted traffic is dropped before it crosses the network

37
Q

What is the command to set a time-range?

A

time-range NAME
periodic DAYS START to END (or absolute start ... end ...)
then reference it in the ACE with the time-range NAME keyword

38
Q

How do you control access to the vty lines with an ACL?

A

Under line vty 0 4: access-class ACL in (filters the source addresses of incoming management sessions; an interface ip access-group is not used for this)

39
Q

How do you control which protocols may connect to the vty lines?

A

transport input ssh (only SSH; transport input none disables remote login on the line entirely)

40
Q

How do you configure SSH access?

A
  • hostname NAME
  • ip domain-name DOMAIN
  • crypto key generate rsa (modulus 2048 or larger)
  • ip ssh version 2
  • a username with a secret, then under line vty 0 4: transport input ssh and login local
41
Q

What is AAA commonly used for?

A
  • Network device access control (device administration): TACACS+
  • Secure network access control (users and endpoints, 802.1X): RADIUS

42
Q

What port number does TACACS+ use?

A

TCP 49

43
Q

What is the difference between TACACS+ & RADIUS?

A
  • TACACS+ separates authentication, authorization and accounting (which makes per-command authorization possible) and encrypts the entire packet body
  • RADIUS combines authentication and authorization, encrypts only the password field, and supports EAP (802.1X)

44
Q

What port number does RADIUS use?

A

UDP 1645 - authentication/authorization, UDP 1646 - accounting (the legacy ports)

UDP 1812 - authentication/authorization, UDP 1813 - accounting (the IANA-assigned ports)

45
Q

What are the steps for configuring TACACS+?

A
  • aaa new-model
  • add server
  • create group
  • enable login authentication
  • enable authorization exec
  • enable authorization console
  • enable authorization command
  • enable authorization global command
  • enable login accounting
  • enable login accounting command
46
Q

How can you keep an authenticated user from being locked out when the server cannot answer an authorization request?

A

By adding the if-authenticated method to the aaa authorization method list: it grants authorization to any user who has already authenticated. It is tried only when the methods before it return an error (for example the TACACS+ server is unreachable), not when they explicitly deny

47
Q

How do you enable AAA (required before TACACS+ can be used)?

A

aaa new-model

48
Q

How do you create a server group?

A

aaa group server tacacs+ GROUP-NAME
server name SERVER-NAME

49
Q

How do you enable login authentication?

A

aaa authentication login default group GROUP-NAME local (local is the fallback when the servers are unreachable)

50
Q

How do you enable EXEC authorization?

A

aaa authorization exec default group GROUP-NAME local

51
Q

How do you enable authorization on the console?

A

aaa authorization console (without it the console line is exempt from AAA authorization)

52
Q

How do you enable command authorization?

A

aaa authorization commands 15 default group GROUP-NAME local (one list per privilege level)

53
Q

How do you enable authorization of global configuration commands?

A

aaa authorization config-commands (so that commands entered in configuration mode are authorized as well, not only EXEC commands)

54
Q

How do you enable login (EXEC) accounting?

A

aaa accounting exec default start-stop group GROUP-NAME

55
Q

How do you enable command accounting?

A

aaa accounting commands 15 default start-stop group GROUP-NAME

56
Q

How do you add a server?

A

tacacs server SERVER-NAME
address ipv4 A.B.C.D
key SHARED-SECRET

57
Q

What is Cisco ZBFW?

A

The integrated stateful firewall included in IOS (Zone-Based Policy Firewall)

58
Q

How does ZBFW work?

A

It groups interfaces into zones; an interface belongs to at most one zone. Interfaces within the same zone can communicate freely by default, while traffic between zones is dropped unless a zone-pair with a policy explicitly permits or inspects it.

59
Q

What are the 2 special zones?

A
  • Self zone

- Default zone

60
Q

What is the self zone?

A

The zone of the router itself: traffic to and from the router's own IP addresses (management sessions, routing protocols). By default such traffic is permitted, to keep management and control plane functions working, until a policy is applied to a zone-pair that involves the self zone

61
Q

What is the default zone?

A

Once it is enabled with zone security default, any interface that is not a member of a zone is placed in it automatically. Without it, traffic between a zone member and a non-zone interface is dropped