Ch 26: Network Device Access Control and Infrastructure Security Flashcards

1
Q

Which command is used to apply an ACL to an interface?

  1. ip access-group {access-list-number | name} {in|out}
  2. ip access-class {access-list-number | name} {in|out}
  3. ip access-list {access-list-number | name} {in|out}
A

1.

ACLs are applied to interfaces with the command:

  • ip access-group {access-list-number | name} {in|out}.

For reference:

  • access-class is used to apply an ACL to a VTY line
  • access-list is used to configure an ACL
2
Q

Which of the following password types is the weakest?

  1. Type 5
  2. Type 7
  3. Type 8
  4. Type 9
A

2.

Type 7 passwords use a Cisco proprietary Vigenère cipher encryption algorithm that is very weak and can be easily decrypted using multiple online password decryption utilities.

3
Q

What type of encryption does the command service password-encryption provide?

a. Type 0 encryption
b. Type 5 encryption
c. Type 7 encryption

A

C.

The command service password-encryption encrypts plaintext passwords in the configuration and Telnet sessions with type 7 password encryption.

4
Q

What is the difference between the line configuration command login and the line configuration command login local? (Choose two.)

  1. The login command is used to enable line password authentication.
  2. The login command is used to enable username-based authentication.
  3. The login local command is used to enable line and username-based authentication.
  4. The login local command is used to enable username-based authentication.
A

1 and 4.

The login command is used to enable line password authentication, and the login local command is used to enable username-based authentication.

5
Q

Which of these commands are available to a user logged in with privilege level 0?

(Choose all that apply.)

  1. disable
  2. enable
  3. show
  4. configure terminal
  5. exit
  6. logout
A

1, 2, 5, and 6.

Privilege level 0 makes available the disable, enable, exit, help, and logout commands.

6
Q

Which of the following options can be used to only allow inbound SSH access to the vty lines of a router? (Choose two.)

  a. line vty 0 4 transport output ssh
  b. line vty 0 4 transport input all
  c. line vty 0 4 transport input ssh
  d. ip access-list extended SSH
    • permit tcp any any eq 22
    • line vty 0 4
    • access-class SSH in
A

C and D.

Using the command transport input ssh and applying an ACL to the line that only allows port 22 are valid options to allow only SSH traffic into the line. The other two options are not valid because the command transport output ssh does not affect inbound connections, and the command transport input all allows all inbound SSH and Telnet sessions.

7
Q

T/F: The command aaa authorization exec default group ISE-TACACS+ if-authenticated enables authorization for all terminal lines on the router, including the console line.

A

False.

This is false because AAA authorization for the console is disabled by default to prevent inexperienced users from locking themselves out. Authorization for the console is enabled with the command:

  • aaa authorization console
8
Q

Which of the following AAA functions can help log the commands executed by a user on a network device?

  a. AAA next-generation logging
  b. Authorization
  c. Accounting
  d. Auditing
A

C.

Accounting provides the ability to track and log user access, including user identities, start and stop times, executed commands (that is, CLI commands), and so on. In other words, it maintains a security log of events.

9
Q

What is the protocol of choice for network device access control?

a. RADIUS
b. SSHv2
c. Telnet
d. TACACS+

A

D.

TACACS+ is preferred for device access control because it can individually authorize every command that a user tries to execute after logging in to a device. In contrast, RADIUS requires those commands to be sent in the initial authentication response, and because there could be thousands of CLI command combinations, a large authorization result list could trigger memory exhaustion on the network device.

10
Q

Which of the following options describe ZBFW? (Choose two.)

  a. Provides high security with stateless inspection functionality
  b. Provides stateful firewall functionality
  c. Is a network interface module
  d. Is an integrated IOS solution
  e. Is a security appliance similar to an ASA 5500-X
A

B and D.

ZBFW is an integrated IOS solution that provides router stateful firewall functionality.

11
Q

What are the two system-built zones for ZBFW? (Choose two.)

  a. Inside zone
  b. Twilight zone
  c. System zone
  d. Outside zone
  e. Self zone
  f. Default zone
A

E and F.

Within the ZBFW architecture, there are two system-built zones: self and default.

12
Q

Which of the following features was developed specifically to protect the CPU of a router?

a. ZBFW
b. AAA
c. CoPP
d. ACLs

A

C.

Control plane policing (CoPP) was created with the sole purpose of protecting the CPU or control plane of a router.

13
Q

T/F: CoPP supports input and output policies to control inbound and outbound traffic.

A

True.

CoPP supports inbound and outbound policies; however, outbound policies are not commonly used.

14
Q

Which of the following should be disabled to improve the security posture of a router? (Choose two.)

a. CoPP
b. CDP
c. ZBFW
d. LLDP
e. LDP

A

B and D.

Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) can provide unnecessary information to routers outside of the organization and should be disabled where applicable.

15
Q

What is RBAC?

A

role-based access control (RBAC)

16
Q

What is a ZBFW?

A

Zone-Based Firewall (ZBFW)

17
Q

What is CoPP?

A

Control Plane Policing (CoPP): This is used to protect the route processor (RP) or CPU of a router.

18
Q

What are the ranges of numbered standard ACLs?

A

Numbered standard ACLs: These ACLs define packets based solely on the source network, and they use the numbered entries 1–99 and 1300–1999.

For reference:

Numbered extended ACL ranges: 100–199 and 2000–2699

19
Q

What are the ranges of numbered extended ACLs?

A

Numbered extended ACLs: These ACLs define packets based on source, destination, protocol, port, or a combination of other packet attributes, and they use the numbered entries 100–199 and 2000–2699.

20
Q

Which type of ACL is generally preferred and why?

  1. Standard ACLs
  2. Extended ACLs
  3. Named ACLs
  4. Port ACLs
  5. VLAN ACLs
A

Named ACLs: These ACLs allow standard and extended ACLs to be given names instead of numbers and are generally preferred because they can provide more relevance to the functionality of the ACL.

21
Q

What is a PACL?

A

Port ACLs (PACLs): These ACLs can use standard, extended, named, and named extended MAC ACLs to filter traffic on Layer 2 switchports.

22
Q

What is a VACL?

A

VLAN ACLs (VACLs): These ACLs can use standard, extended, named, and named extended MAC ACLs to filter traffic on VLANs.

23
Q

ACLs use __________ masks instead of subnet masks to classify packets that are being evaluated.

A

ACLs use wildcard masks instead of subnet masks to classify packets that are being evaluated.

All that is required to convert a subnet mask into a wildcard mask is to subtract the subnet mask from 255.255.255.255. The following shows a subnet mask 255.255.128.0 being converted into a wildcard mask by subtracting it from 255.255.255.255. The end result is a 0.0.127.255 wildcard mask.

    255.255.255.255
  − 255.255.128.0      Subnet mask
  -----------------
    0.0.127.255        Wildcard mask

Basically, a one’s complement of the subnet mask.

24
Q

What is the numerical equivalent ACL to:

  • access-list 1 permit any
A

access-list 1 permit 0.0.0.0 255.255.255.255 is equivalent to access-list 1 permit any.

25
Q

What do these three ACLs permit?

  1. permit any
  2. permit 172.16.0.0 0.0.255.255
  3. permit host 192.168.1.1
A
  1. Permits all networks
  2. Permits all networks in the 172.16.0.0/16 range
  3. Permits only the 192.168.1.1/32 network
26
Q

Write a numbered standard ACL and apply it to an interface to deny traffic from the 172.16.0.0/24 subnet and from host 192.168.1.1/32 while allowing all other traffic coming into interface Gi0/1.

A

Example 26-1 demonstrates how a numbered standard ACL is created and applied to an interface to deny traffic from the 172.16.0.0/24 subnet and from host 192.168.1.1/32 while allowing all other traffic coming into interface Gi0/1.

Notice that the last ACE in the ACL explicitly permits all traffic (permit any). If this ACE is not included, all traffic will be dropped because of the implicit deny (deny any) at the end of every ACL.

  • R1(config)# access-list 1 deny 172.16.0.0 0.0.0.255
  • R1(config)# access-list 1 deny host 192.168.1.1
  • R1(config)# access-list 1 permit any
  • R1(config)# interface GigabitEthernet0/1
  • R1(config-if)# ip access-group 1 in
27
Q

What are the TCP/UDP protocol-options in an ACL?

A

The protocol-options keyword differs based on the protocol specified in the ACE.

For example, when TCP or UDP protocols are defined, eq, lt, and gt (equal to, less than, and greater than) keywords become available to specify ports to be matched as well as more granular options, such as SYN and ACK.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

Write and apply to G0/1 a numbered extended ACL to block all Telnet and ICMP traffic as well as deny all IP traffic from host 10.1.2.2 to host 10.1.2.1. Permit all other traffic.

A

Example 26-2 demonstrates how a numbered extended ACL is created and applied to an interface to block all Telnet and ICMP traffic as well as deny all IP traffic from host 10.1.2.2 to host 10.1.2.1.

Notice how Telnet’s TCP port 23 is being matched with the eq keyword.

  • R1(config)# access-list 100 deny tcp any any eq 23
  • R1(config)# access-list 100 deny icmp any any
  • R1(config)# access-list 100 deny ip host 10.1.2.2 host 10.1.2.1
  • R1(config)# access-list 100 permit ip any any
  • R1(config)# interface GigabitEthernet0/1
  • R1(config-if)# ip access-group 100 in
29
Q

Which ACL type(s) begins with ip instead of just access-list?

A

Configuration of named ACLs starts with ip instead of just access-list, and the standard or extended keyword must be explicitly specified.

30
Q

Write a standard named ACL to:

  1. deny traffic from the 172.16.0.0/24 subnet
  2. deny traffic from host 192.168.1.1/32
  3. allow all other traffic coming into interface Gi0/1
A
  • R1(config)# ip access-list standard STANDARD_ACL
  • R1(config-std-nacl)# deny 172.16.0.0 0.0.0.255
  • R1(config-std-nacl)# deny host 192.168.1.1
  • R1(config-std-nacl)# permit any
  • R1(config-std-nacl)# exit
  • R1(config)# interface GigabitEthernet0/1
  • R1(config-if)# ip access-group STANDARD_ACL in
31
Q

Write an extended named ACL to do the following on G0/1:

  1. block all Telnet and ICMP traffic
  2. deny all IP traffic from host 10.1.2.2 to host 10.1.2.1.
  3. permit all other traffic
A
  • R1(config)# ip access-list extended EXTENDED_ACL
  • R1(config-ext-nacl)# deny tcp any any eq 23
  • R1(config-ext-nacl)# deny icmp any any
  • R1(config-ext-nacl)# deny ip host 10.1.2.2 host 10.1.2.1
  • R1(config-ext-nacl)# permit ip any any
  • R1(config-ext-nacl)# exit
  • R1(config)# interface GigabitEthernet0/1
  • R1(config-if)# ip access-group EXTENDED_ACL in
32
Q

T/F: The CLI syntax for configuring PACLs that are used to filter Layer 3 traffic is the same as the syntax for RACLs on any IOS router.

A

True. They are almost exactly the same… the only difference is that PACLs also support Layer 2 MAC address-based filtering, which uses different CLI syntax.

PACLs can be standard, extended, or named IPv4 ACLs for Layer 3, and they can be named MAC address ACLs for Layer 2.

PACLs have a few restrictions that vary from platform to platform. The following are some of the most common restrictions:

  • PACLs only support filtering incoming traffic on an interface (no outbound filtering support).
  • PACLs cannot filter Layer 2 control packets, such as CDP, VTP, DTP, PAgP, UDLD, and STP.
  • PACLs are supported only in hardware.
  • PACLs do not support ACLs to filter IPv6, ARP, or Multiprotocol Label Switching (MPLS) traffic.
33
Q

How is a PACL applied?

A

An IPv4 PACL is applied to an interface with the ip access-group access-list-name in command.

Example 26-4 shows a PACL applied to a Layer 2 interface Gi0/1 to block RDP, Telnet traffic, and host 10.1.2.2 access to host 10.1.2.1.

34
Q

What traffic is a VACL capable of filtering?

A

VACLs can filter traffic that is bridged within a VLAN or that is routed into or out of a VLAN.

35
Q

Write a VACL and apply it to VLAN 20 to drop ICMP and Telnet traffic and allow other traffic.

A

Example 26-5 shows a VLAN access map applied to VLAN 20 to drop ICMP and Telnet traffic and allow other traffic.

Notice that the named ACLs, ICMP and TELNET, only include ACEs with a permit statement. This is because the ACLs are only used as matching criteria by the VLAN access maps, while the VLAN access maps are configured with the action to drop the matched traffic.

36
Q

When a PACL, a VACL, and a RACL are all configured in the same VLAN, the ACLs are applied in a specific order, depending on whether the incoming traffic needs to be bridged or routed.

What is the order for:

  1. Bridged traffic (within the same VLAN)
  2. Routed traffic (across VLANs)
A

When a PACL, a VACL, and a RACL are all configured in the same VLAN, the ACLs are applied in a specific order, depending on whether the incoming traffic needs to be bridged or routed:

Bridged traffic processing order (within the same VLAN):

  • Inbound PACL on the switchport (for example, VLAN 10)
  • Inbound VACL on the VLAN (for example, VLAN 10)
  • Outbound VACL on the VLAN (for example, VLAN 10)

Routed traffic processing order (across VLANs):

  • Inbound PACL on the switchport (for example, VLAN 10)
  • Inbound VACL on the VLAN (for example, VLAN 10)
  • Inbound ACL on the SVI (for example, SVI 10)
  • Outbound ACL on the SVI (for example, SVI 20)
  • Outbound VACL on the VLAN (for example, VLAN 20)
37
Q

What is a dACL?

A

Downloadable ACLs (dACLs) are another form of PACL that can be assigned dynamically by a RADIUS authentication server, such as Cisco ISE. After successful network access authentication, if a PACL is configured on a switchport and a dACL is assigned by Cisco ISE on the same switchport, the dACL overwrites the PACL.

38
Q

What are the three most common ways to gain CLI access to a Cisco device?

A

There are three basic methods to gain access to the CLI of an IOS device:

  1. Console port (cty) line: On any IOS device, this appears in configuration as line con 0 and in the output of the command show line as cty. The console port is mainly used for local system access using a console terminal.
  2. Auxiliary port (aux) line: This appears in the configuration as line aux 0. The aux port is mainly used for remote access into the device through a modem.
  3. Virtual terminal (vty) lines: These lines are displayed by default in the configuration as line vty 0 4. They are used solely for remote Telnet and SSH connections. They are virtual because they are logical lines with no physical interface associated to them.
39
Q

Which of these three methods of protecting access to a VTY line is preferred?

  1. Using a password configured directly on the line
  2. Using username-based authentication
  3. Using an AAA server
A

Each of these types of terminal lines should be password protected. There are three ways to add password protection to the lines:

  1. Using a password configured directly on the line: Not recommended
  2. Using username-based authentication: Recommended as a fallback
  3. Using an AAA server: Highly recommended and covered later in this chapter, in the section “Authentication, Authorization, and Accounting (AAA)”
40
Q

What are these types of Cisco IOS passwords?

  1. Type 0
  2. Type 5
  3. Type 7
  4. Type 8
  5. Type 9
A

There are five available password types in Cisco IOS:

Type 0 passwords: These passwords are the most insecure because they are not encrypted and are visible in the device configuration in plaintext. The command enable password is an example of a command that uses a type 0 password. Type 0 passwords should be avoided whenever possible.

Type 5 passwords: These passwords use an improved Cisco proprietary encryption algorithm that makes use of the MD5 hashing algorithm. This makes them much stronger because they are considered not reversible (uncrackable). The only way to crack type 5 passwords is by performing brute-force attacks. It is strongly recommended that you use type 5 encryption instead of type 0 or type 7 whenever possible. Type 5 encryption is applied by using the command enable secret to specify an additional layer of security over the command enable password. The command enable password should be used only on platforms with legacy IOS that do not support the command enable secret. If the command enable secret and the command enable password are configured concurrently, the command enable secret is preferred. The username secret command also uses type 5 encryption.

Type 7 passwords: These passwords use a Cisco proprietary Vigenère cipher encryption algorithm and are known to be weak. There are multiple online password utilities available that can decipher type 7 encrypted passwords in less than a second. Type 7 encryption is enabled by the command service password-encryption for commands that use type 0 passwords, such as the enable password, username password, and line password commands.

Type 8 passwords: Type 8 passwords specify a Password-Based Key Derivation Function 2 (PBKDF2) with a SHA-256 hashed secret and are considered to be uncrackable.

Type 9 passwords: These use the SCRYPT hashing algorithm. Just like type 8 passwords, they are considered to be uncrackable.

41
Q

What are the three different ways to configure a username on IOS? (Think password encryption types.)

A

There are three different ways to configure a username on IOS:

  1. Using the command:
    • username {username} password {password} configures a plaintext password (type 0).
  2. Using the command:
    • username {username} secret {password} provides type 5 encryption.
  3. Using the command:
    • username {username} algorithm-type {md5 | sha256 | scrypt} secret {password}
    • This provides type 5, type 8, or type 9 encryption, respectively.

Of the three username commands, the command username {username} algorithm-type {md5 | sha256 | scrypt} secret {password} is the recommended one because it allows for the highest level of password encryption (type 8 and type 9).

42
Q

How is a local password configured on a line?

A

To enable password authentication on a line, the following two commands are required under line configuration mode:

  1. password {password}: configures the password
  2. login: enables password checking at login
43
Q

How do you configure line local username and password?

A

To enable username and password authentication, the following two commands are required:

  1. The username {username} command in global configuration mode to create the local user account
  2. The command login local under line configuration mode to enable username-based authentication at login
44
Q

What are the rights granted to these privilege levels?

  • 0
  • 1
  • 5
  • 15
A

The Cisco IOS CLI by default includes three privilege levels, each of which defines what commands are available to a user:

Privilege level 0: Includes the disable, enable, exit, help, and logout commands.

Privilege level 1: Also known as User EXEC mode. The command prompt in this mode includes a greater-than sign (R1>). From this mode it is not possible to make configuration changes; in other words, the command configure terminal is not available.

Privilege level 5: A user would be allowed to go into any interface on the router and shut it down, unshut it, and configure an IP address on it, which are the only commands allowed under privilege level 5 in interface configuration mode.

Privilege level 15: Also known as Privileged EXEC mode. This is the highest privilege level, where all CLI commands are available. The command prompt in this mode includes a hash sign (R1#).

45
Q

What is the command to show your current priv level?

A

R1# show privilege
Current privilege level is 5

46
Q

How is an access list applied to a vty line?

A

To apply a standard or an extended access list to a vty line, use the command:

  • access-class {access-list-number | access-list-name} {in|out}

under line configuration mode. The in keyword applies an inbound ACL, and the out keyword applies an outbound ACL.

47
Q

What is the command to restrict access to the vty lines to just ssh?

A

transport input ssh

Another way to further control what type of protocols are allowed to access the vty lines is to use the command:

  • transport input {all | none | telnet | ssh}

under line configuration mode. Table 26-3 includes a description for each of the transport input command keywords.

48
Q

What is the command to show the vty lines in use?

A

show line

49
Q

What are the required steps for configuring ssh access?

A

The steps needed to configure SSH on an IOS device are as follows:

  1. Configure a hostname other than Router by using the command:
    • hostname {name}
  2. Configure a domain name by using the command:
    • ip domain-name {domain-name}
  3. Generate crypto keys by using the command:
    • crypto key generate rsa
    • When entering this command, you are prompted to enter a modulus length. The longer the modulus, the stronger the security. However, a longer modulus takes longer to generate. The modulus length needs to be at least 768 bits for SSHv2.
50
Q

What is the minimum modulus length for SSHv2?

A

The modulus length needs to be at least 768 bits for SSHv2.

51
Q

What is the command to limit SSH access to SSHv2?

A

To force the IOS SSH server to disable SSHv1 and accept only SSHv2 connections, under global configuration mode enter the command:

  • ip ssh version 2
52
Q

How can an auxiliary port be disabled?

A

Some devices have an auxiliary (aux) port available for remote administration through a dialup modem connection. In most cases, the aux port should be disabled by using these commands:

  • line aux 0
  • no exec
53
Q

What command will timeout and disconnect a vty or console session after four minutes and twenty seconds of inactivity?

What is the default timeout of a session if you were to issue the command without specifying a time?

A

exec-timeout 4 20

By default, an idle EXEC session is not terminated, which poses an enormous security risk. The command:

  • exec-timeout {minutes} {seconds}

under line configuration mode can be used to disconnect idle user sessions. The default setting is 10 minutes.

Example 26-17 shows a configuration in which the exec-timeout for the console line is configured to time out after 5 minutes of inactivity and 2 minutes and 30 seconds for the vty lines.

54
Q

What is the result of these two commands?

  1. exec-timeout 0 0
  2. no exec-timeout
A

The commands exec-timeout 0 0 and no exec-timeout disable the EXEC timeout. While using them is useful for lab environments, it is not recommended for production environments.

55
Q

What command will disconnect a session after a specified time, regardless of activity?

What command will display a “line termination” warning to users about an impending forced timeout?

A

The command:

  • absolute-timeout {minutes}

under line configuration mode terminates an EXEC session after the specified timeout period has expired, even if the connection is being used at the time of termination.

It is recommended to use it in combination with the command:

  • logout-warning {seconds}

under line configuration mode to display a “line termination” warning to users about an impending forced timeout.

Example 26-18 shows the commands absolute-timeout and logout-warning configured on the vty lines.

56
Q

What are the three As in AAA?

A

AAA is an architectural framework for enabling a set of three independent security functions:

Authentication: Enables a user to be identified and verified prior to being granted access to a network device and/or network services.

Authorization: Defines the access privileges and restrictions to be enforced for an authenticated user.

Accounting: Provides the ability to track and log user access, including user identities, start and stop times, executed commands (that is, CLI commands), and so on. In other words, it maintains a security log of events.

AAA requires a protocol designed to carry authentication requests and responses, including authorization results and accounting logs. There are many AAA protocols available, but the two most popular ones are Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+).

57
Q

T/F: One of the key differentiators of TACACS+ is its capability to separate authentication, authorization, and accounting into independent functions.

A

True.

Another major difference between TACACS+ and RADIUS is that RADIUS needs to return all authorization parameters in a single reply, while TACACS+ can request authorization parameters separately and multiple times throughout a session.

For example, a network device, such as a Cisco switch or router, can request a TACACS+ server to individually authorize every command that a user tries to execute after logging in to the device. In contrast, RADIUS would require those commands to be sent in the initial authentication response, and since there could be thousands of CLI command combinations, a large authorization result list could trigger memory exhaustion on the network device. This is the main reason TACACS+ is preferred for network device access control. However, if all that is required is AAA authentication without authorization, then either RADIUS or TACACS+ can be used.

58
Q

What are the commands to configure TACACS?

A

See attached diagram.

59
Q

Within the ZBFW architecture, there are two system-built zones: _____ and __________.

A

Within the ZBFW architecture, there are two system-built zones: self and default.

The self zone is a system-level zone and includes all of the router's IP addresses.

  • By default, traffic to and from this zone is permitted to support management (for example, SSH protocol, SNMP) and control plane (for example, EIGRP, BGP) functions. After a policy is applied to the self zone and another security zone, interzone communication must be explicitly defined.

The default zone is a system-level zone, and any interface that is not a member of another security zone is placed in this zone automatically.

  • When an interface that is not in a security zone sends traffic to an interface that is in a security zone, the traffic is dropped. Most network engineers assume that a policy cannot be configured to permit these traffic flows, but it can, if you enable the default zone. Upon initialization of this zone, any interface not associated to a security zone is placed in this zone. When the unassigned interfaces are in the default zone, a policy map can be created between the two security zones.
60
Q

What is the command to configure a security zone?

A

Configure the security zones by first using the command:

  • zone security zone-name

A zone needs to be created for the outside zone (the Internet). The self zone is defined automatically.

Then you must:

  1. Define the inspection class map. The class map for inspection defines a method for classification of traffic.
  2. Define the inspection policy map, which applies firewall policy actions to the class maps defined in the policy map.
  3. Apply a policy map to a traffic flow source to a destination.
  4. Apply the security zones to the appropriate interfaces.
61
Q

What is the command to configure a class-map?

A

The class map is configured using the command:

  • class-map type inspect [match-all | match-any] class-name

The match-all keyword requires that network traffic match all the conditions listed in the class map to qualify (Boolean AND), whereas match-any requires that network traffic match only one of the conditions in the class map to qualify (Boolean OR). If neither keyword is specified, the match-all function is selected. Example 26-22 shows a sample configuration of inspection class maps and their associated ACLs.

62
Q

What is the command to define a policy map?

A

The inspection policy map is defined with the command:

  • policy-map type inspect policy-name.

After the policy map is defined, the various class maps are defined with the command class type inspect class-name. Under the class map, the firewall action is defined with these commands:

63
Q

What is the command to view the inspection policy map?

A

The inspection policy map can be verified with the command:

  • show policy-map type inspect [policy-name]

as shown in Example 26-25.
64
Q

What is the command to apply a policy map to a traffic flow source to a destination?

A

Apply a policy map to a traffic flow source to a destination by using the command:

  • zone-pair security zone-pair-name source source-zone-name destination destination-zone-name.

The inspection policy map is then applied to the zone pair with the command service-policy type inspect policy-name. Traffic is statefully inspected between the source and destination, and return traffic is allowed. Example 26-26 defines the zone pairs and associates the policy map to the zone pair.

65
Q

What command is used to apply the security zones to the appropriate interfaces? What context, or configuration sub-mode, is the command issued from?

A

An interface is assigned to the appropriate zone by entering the interface configuration submode with the command:

  • interface interface-id

and associating the interface to the correct zone with the command:

  • zone-member security zone-name.
66
Q

What is the command to view the traffic statistics of an “outside-to-self policy”?

A

Traffic statistics can be viewed with the command:

  • show policy-map type inspect zone-pair [zone-pair-name]

Example 26-28 demonstrates the verification of the configured ZBFW policy.

67
Q

What is CoPP?

A

A control plane policing (CoPP) policy is a QoS policy that is applied to traffic to or sourced by the router’s control plane CPU. CoPP policies are used to limit known traffic to a given rate while protecting the CPU from unexpected extreme rates of traffic that could impact the stability of the router.

68
Q

T/F: Typical CoPP implementations use only an input policy that allows traffic to the data plane to be policed to a desired rate.

A

False.

Typical CoPP implementations use only an input policy that allows traffic to the control plane to be policed to a desired rate.

In a properly planned CoPP policy, network traffic is placed into various classes, based on the type of traffic (management, routing protocols, or known IP addresses). The CoPP policy is then implemented to limit traffic to the control plane CPU to a specific rate for each class.

When defining a rate for a CoPP policy, the rate for a class may not be known without further investigation. The QoS police command uses conform, exceed, and violate actions, which can be configured to transmit or drop traffic. By choosing to transmit traffic that exceeds the policed rate, and monitoring CoPP, the policy can be adjusted over time to meet day-to-day requirements.