Ch 26: Network Device Access Control and Infrastructure Security

Question 1

Which command is used to apply an ACL to an interface?

1. ip access-group {access-list-number | name} {in|out}
2. ip access-class {access-list-number | name} {in|out}
3. ip access-list {access-list-number | name} {in|out}

Answer 1

1.

ACLs are applied to interfaces with the command:

• ip access-group {access-list-number | name} {in|out}.

For reference:

• access-class is used to apply an ACL to a VTY line
• access-list is used to configure an ACL

Question 2

Which of the following password types is the weakest?

1. Type 5
2. Type 7
3. Type 8
4. Type 9

Answer 2

2.

Type 7 passwords use a Cisco proprietary Vigenere cypher encryption algorithm that is very weak and can be easily decrypted using multiple online password decryption utilities.

Question 3

What type of encryption does the command service password encryption provide?

a. Type 0 encryption
b. Type 5 encryption
c. Type 7 encryption

Answer 3

C.

The command service password encryption encrypts plaintext passwords in the configuration and Telnet sessions with type 7 password encryption.

Question 4

What is the difference between the line configuration command login and the line configuration command login local? (Choose two.)

1. The login command is used to enable line password authentication.
2. The login command is used to enable username-based authentication.
3. The login local command is used to enable line and username-based authentication.
4. The login local command is used to enable username-based authentication.

Answer 4

1 and 4.

The login command is used to enable line password authentication, and the login local command is used to enable username-based authentication.

Question 5

Which of these commands are available to a user logged in with privilege level 0?

(Choose all that apply.)

1. disable
2. enable
3. show
4. configure terminal
5. exit
6. logout

Answer 5

1, 2, 5, and 6..

Privilege level 0 makes available the disable, enable, exit, help, and logout commands.

Question 6

Which of the following options can be used to only allow inbound SSH access to the vty lines of a router? (Choose two.)

1. line vty 0 4 transport output ssh
2. line vty 0 4 transport input all
3. line vty 0 4 transport input ssh
4. ip access-list extended SSH permit tcp any any eq 22
   
   • line vty 0 4
   • access-class SSH in

Answer 6

C and D.

Using the command transport input ssh and applying an ACL to the line that only allows port 22 are valid options to allow only SSH traffic into the line. The other two options are not valid because the command transport output ssh does not affect inbound connections, and the command transport input all allows all inbound SSH and Telnet sessions.

Question 7

T/F: The command aaa authorization exec default group ISE-TACACS+ if-authenticated enables authorization for all terminal lines on the router, including the console line.

Answer 7

False.

This is false because AAA authorization for the console is disabled by default to prevent unexperienced users from locking themselves out. Authorization for the console is enabled with the command:

• aaa authorization console

Question 8

Which of the following AAA functions can help log the commands executed by a user on a network device?

1. AAA next-generation logging
2. Authorization
3. Accounting
4. Auditing

Answer 8

C.

Accounting provides the ability to track and log user access, including user identities, start and stop times, executed commands (that is, CLI commands), and so on. In other words, it maintains a security log of events.

Question 9

What is the protocol of choice for network device access control?

a. RADIUS
b. SSHv2
c. Telnet
d. TACACS+

Answer 9

D.

TACACS+ is preferred for device access control because it can individually authorize every command that a user tries to execute after logging in to a device. In contrast, RADIUS requires those commands to be sent in the initial authentication response, and because there could be thousands of CLI command combinations, a large authorization result list could trigger memory exhaustion on the network device.

Question 10

Which of the following options describe ZBFW? (Choose two.)

1. Provides high security with stateless inspection functionality
2. Provides stateful firewall functionality
3. Is a network interface module
4. Is an integrated IOS solution
5. Is a security appliance similar to an ASA 5500-X

Answer 10

B and D.

ZBFW is an integrated IOS solution that provides router stateful firewall functionality.

Question 11

What are the two system-built zones for ZBFW? (Choose two.)

1. Inside zone
2. Twilight zone
3. System zone
4. Outside zone
5. Self zone
6. Default zone

Answer 11

E and F.

Within the ZBFW architecture, there are two system-built zones: self and default.

Question 12

Which of the following features was developed specifically to protect the CPU of a router?

a. ZBFW
b. AAA
c. CoPP
d. ACLs

Answer 12

C.

Control plane policing (CoPP) was created with the sole purpose of protecting the CPU or control plane of a router.

Question 13

T/F: CoPP supports input and output policies to control inbound and outbound traffic.

Answer 13

True.

CoPP supports inbound and outbound policies; however, outbound policies are not commonly used.

Question 14

Which of the following should be disabled to improve the security posture of a router? (choose two)

a. CoPP
b. CDP
c. ZBFW
d. LLDP
e. LDP

Answer 14

B and D.

Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) can provide unnecessary information to routers outside of the organization and should be disabled where applicable.

Question 15

What is RBAC?

Answer 15

role-based access control (RBAC)

Question 16

What is a ZBFW?

Answer 16

Zone-Based Firewall (ZBFW

Question 17

What is CoPP?

Answer 17

Control Plane Policing (CoPP): This is used to protect the route processor (RP) or CPU of a router.

Question 18

What are the ranges of numbered standard ACLs?

Answer 18

Numbered standard ACLs: These ACLs define packets based solely on the source network, and they use the numbered entries 1–99 and 1300–1999.

For reference:

Numbered extended ACL ranges: 100–199 and 2000–2699

Question 19

What are the ranges of Numbered extended ACLs?

Answer 19

Numbered extended ACLs: These ACLs define packets based on source, destination, protocol, port, or a combination of other packet attributes, and they use the numbered entries 100–199 and 2000–2699.

26

Question 20

Which type of ACL is generally preferred and why?

1. Standard ACLs
2. Extended ACLs
3. Named ACLs
4. Port ACLs
5. VLAN ACLs

Answer 20

Named ACLs: These ACLs allow standard and extended ACLs to be given names instead of numbers and are generally preferred because they can provide more relevance to the functionality of the ACL.

Question 21

What is a PACL?

Answer 21

Port ACLs (PACLs): These ACLs can use standard, extended, named, and named extended MAC ACLs to filter traffic on Layer 2 switchports.

Question 22

What is a VACL?

Answer 22

VLAN ACLs (VACLs): These ACLs can use standard, extended, named, and named extended MAC ACLs to filter traffic on VLANs.

Question 23

ACLs use __________ masks instead of subnet masks to classify packets that are being evaluated.

Answer 23

ACLs use wildcard masks instead of subnet masks to classify packets that are being evaluated.

All that is required to convert a subnet mask into a wildcard mask is to subtract the subnet mask from 255.255.255.255. The following shows a subnet mask 255.255.128.0 being converted into a wildcard mask by subtracting it from 255.255.255.255. The end result is a 0.0.127.255 wildcard mask.

255 255 255 255
− 255 255 128 0 Subnet Mask

0 0 127 255 Wildcard Mask

Basically, a one’s complement of the subnet mask.

Question 24

What is the numerical equivalent ACL to:

• access-list 1 permit any

Answer 24

access-list 1 permit 0.0.0.0 255.255.255.255 is equivalent to access-list 1 permit any.

Question 25

What do these three ACLs permit?

1. permit any
2. permit 172.16.0.0 0.0.255.255
3. permit host 192.168.1.1

Answer 25

1. Permits all networks
2. Permits all networks in the 172.16.0.0/16 range
3. Permits only the 192.168.1.1/32 network

Question 26

Write a numbered standard ACL and apply it to an interface to deny traffic from the 172.16.0.0/24 subnet and from host 192.168.1.1/32 while allowing all other traffic coming into interface Gi0/1.

Answer 26

Example 26-1 demonstrates how a numbered standard ACL is created and applied to an interface to deny traffic from the 172.16.0.0/24 subnet and from host 192.168.1.1/32 while allowing all other traffic coming into interface Gi0/1.

Notice that the last ACE in the ACL explicitly permits all traffic (permit any). If this ACE is not included, all traffic will be dropped because of the implicit deny (deny any) at the end of every ACL.

• R1(config)# access-list 1 deny 172.16.0.0 0.0.255.255
• R1(config)# access-list 1 deny host 192.168.1.1
• R1(config)# access-list 1 permit any
• R1(config)# interface GigabitEthernet0/1
• R1(config-if)# ip access-group 1 in

Question 27

What are the TCP/UDP protocol-options in an ACL?

Answer 27

The protocol-options keyword differs based on the protocol specified in the ACE.

For example, when TCP or UDP protocols are defined, eq, lt, and gt (equal to, less than, and greater than) keywords become available to specify ports to be matched as well as more granular options, such as SYN and ACK.

Question 28

Write and apply to G0/1 a numbered extended ACL to block all Telnet and ICMP traffic as well as deny all IP traffic from host 10.1.2.2 to host 10.1.2.1. Permit all other traffic.

Answer 28

Example 26-2 demonstrates how a numbered extended ACL is created and applied to an interface to block all Telnet and ICMP traffic as well as deny all IP traffic from host 10.1.2.2 to host 10.1.2.1.

Notice how Telnet’s TCP port 23 is being matched with the eq keyword.

• R1(config)# access-list 100 deny tcp any any eq 23
• R1(config)# access-list 100 deny icmp any any
• R1(config)# access-list 100 deny ip host 10.1.2.2 host 10.1.2.1
• R1(config)# access-list 100 permit ip any any
• R1(config)# interface GigabitEthernet0/1
• R1(config-if)# ip access-group 100 in

Question 29

Which ACL type(s) begins with ip instead of just access-list?

Answer 29

Configuration of named ACLs starts with ip instead of just access-list and that the standard and extended ACL keywords need to be explicitly defined.

Question 30

Write a standard named ACL to:

1. deny traffic from the 172.16.0.0/24 subnet
2. deny traffic from host 192.168.1.1/32
3. allow all other traffic coming into interface Gi0/1

Answer 30

• R1(config) ip access-list standard STANDARD_ACL
• R1(config-std-nacl)# deny 172.16.0.0 0.0.0.255
• R1(config-std-nacl)# deny host 192.168.1.1
• R1(config-ext-nacl)# permit any
• R1(config-ext-nacl)# exit
• R1(config)# interface GigabitEthernet0/1
• R1(config-if)# ip access-group STANDARD_ACL in

Question 31

Write an extended named ACL to do the following on G0/1:

1. block all Telnet and ICMP traffic
2. deny all IP traffic from host 10.1.2.2 to host 10.1.2.1.
3. permit all other traffic

Answer 31

• R1(config)# ip access-list extended EXTENDED_ACL
• R1(config-ext-nacl)# deny tcp any any eq 23
• R1(config-ext-nacl)# deny icmp any any
• R1(config-ext-nacl)# deny ip host 10.1.2.2 host 10.1.2.1
• R1(config-ext-nacl)# permit ip any any
• R1(config-ext-nacl)# exit
• R1(config)# interface GigabitEthernet0/1
• R1(config-if)# ip access-group EXTENDED_ACL in

Question 32

T/F: The CLI syntax for configuring PACLs that are used to filter Layer 3 traffic is the same as the syntax for RACLs on any IOS router.

Answer 32

True. They are almost exactly the same… the only difference is that PACLs also support Layer 2 MAC address-based filtering, which uses different CLI syntax.

PACLs can be standard, extended, or named IPv4 ACLs for Layer 3, and they can be named MAC address ACLs for Layer 2.

PACLs have a few restrictions that vary from platform to platform. The following are some of the most common restrictions:

• PACLs only support filtering incoming traffic on an interface (no outbound filtering support).
• PACLs cannot filter Layer 2 control packets, such as CDP, VTP, DTP, PAgP, UDLD, and STP.
• PACLs are supported only in hardware.
• PACLs do not support ACLs to filter IPv6, ARP, or Multiprotocol Label Switching (MPLS) traffic.

Question 33

How is a PACL applied?

Answer 33

An IPv4 PACL is applied to an interface with the ip access-group access-list-name in command.

Example 26-4 shows a PACL applied to a Layer 2 interface Gi0/1 to block RDP, Telnet traffic, and host 10.1.2.2 access to host 10.1.2.1.

Question 34

What traffic is a VACL capable of filtering?

Answer 34

VACLs can filter traffic that is bridged within a VLAN or that is routed into or out of a VLAN.

Question 35

Write a VACL and apply it to VLAN 20 to drop ICMP and Telnet traffic and allow other traffic.

Answer 35

Example 26-5 shows a VLAN access map applied to VLAN 20 to drop ICMP and Telnet traffic and allow other traffic.

Notice that the named ACLs, ICMP and TELNET, only include ACEs with a permit statement. This is because the ACLs are only used as matching criteria by the VLAN access maps, while the VLAN access maps are configured with the action to drop the matched traffic.

Question 36

When a PACL, a VACL, and a RACL are all configured in the same VLAN, the ACLs are applied in a specific order, depending on whether the incoming traffic needs to be bridged or routed.

What is the order for:

1. Bridged traffic (within the same VLAN)
2. Routed traffic processing order (across VLANs):

Answer 36

When a PACL, a VACL, and a RACL are all configured in the same VLAN, the ACLs are applied in a specific order, depending on whether the incoming traffic needs to be bridged or routed:

Bridged traffic processing order (within the same VLAN):

• Inbound PACL on the switchport (for example, VLAN 10)
• Inbound VACL on the VLAN (for example, VLAN 10)
• Outbound VACL on the VLAN (for example, VLAN 10)

Routed traffic processing order (across VLANs):

• Inbound PACL on the switchport (for example, VLAN 10)
• Inbound VACL on the VLAN (for example, VLAN 10)
• Inbound ACL on the SVI (for example, SVI 10)
• Outbound ACL on the SVI (for example, SVI 20)
• Outbound VACL on the VLAN (for example, VLAN 20)

Question 37

What is a dACL?

Answer 37

Downloadable ACLs (dACLs) are another form of PACL that can be assigned dynamically by a RADIUS authentication server, such as Cisco ISE. After successful network access authentication, if a PACL is configured on a switchport and a dACL is assigned by Cisco ISE on the same switchport, the dACL overwrites the PACL.

Question 38

What are the three most common ways to gain CLI access to a Cisco device?

Answer 38

There are three basic methods to gain access to the CLI of an IOS device:

1. Console port (cty) line: On any IOS device, this appears in configuration as line con 0 and in the output of the command show line as cty. The console port is mainly used for local system access using a console terminal.
2. Auxiliary port (aux) line: This appears in the configuration as line aux 0. The aux port is mainly used for remote access into the device through a modem.
3. Virtual terminal (vty) lines: These lines are displayed by default in the configuration as line vty 0 4. They are used solely for remote Telnet and SSH connections. They are virtual because they are logical lines with no physical interface associated to them.

Question 39

Which of these three methods of protecting access to a VTY line is preferred?

1. Using a password configured directly on the line
2. Using username-based authentication
3. Using an AAA server

Answer 39

Each of these types of terminal lines should be password protected. There are three ways to add password protection to the lines:

1. Using a password configured directly on the line: Not recommended
2. Using username-based authentication: Recommended as a fallback
3. Using an AAA server: Highly recommended and covered later in this chapter, in the section “Authentication, Authorization, and Accounting (AAA)”

Question 40

What are these types of Cisco IOS passwords?

1. Type 0
2. Type 5
3. Type 7
4. Type 8
5. Type 9

Answer 40

There are five available password types in Cisco IOS:

Type 0 passwords: These passwords are the most insecure because they are not encrypted and are visible in the device configuration in plaintext. The command enable password is an example of a command that uses a type 0 password. Type 0 passwords should be avoided whenever possible.

Type 5 passwords: These passwords use an improved Cisco proprietary encryption algorithm that makes use of the MD5 hashing algorithm. This makes them much stronger because they are considered not reversible (uncrackable). The only way to crack type 5 passwords is by performing brute-force attacks. It is strongly recommended that you use type 5 encryption instead of type 0 or type 7 whenever possible. Type 5 encryption is applied by using the command enable secret to specify an additional layer of security over the command enable password. The command enable password should be used only on platforms with legacy IOS that do not support the command enable secret. If the command enable secret and the command enable password are configured concurrently, the command enable secret is preferred. The username secret command also uses type 5 encryption.

Type 7 passwords: These passwords use a Cisco proprietary Vigenere cypher encryption algorithm and are known to be weak. There are multiple online password utilities available that can decipher type 7 encrypted passwords in less than a second. Type 7 encryption is enabled by the command service password-encryption for commands that use type 0 passwords, such as the enable password, username password, and line password commands.

Type 8 passwords: Type 8 passwords specify a Password-Based Key Derivation Function 2 (PBKDF2) with a SHA-256 hashed secret and are considered to be uncrackable.

Type 9 passwords: These use the SCRYPT hashing algorithm. Just like type 8 passwords, they are considered to be uncrackable.

Question 41

What are the three different ways to configure a username on IOS? (Think password encryption types.)

Answer 41

There are three different ways to configure a username on IOS:

1. Using the command:
   
   • username {username} password {password} configures a plaintext password (type 0).
2. Using the command:
   
   • username {username} secret {password} provides type 5 encryption.
3. Using the command:
   
   • username {username} algorithm-type {md5 | sha256 | scrypt} secret {password}
   • This provides type 5, type 8, or type 9 encryption, respectively.

Of the three username commands, the command username {username} algorithm-type {md5 | sha256 | scrypt} secret {password}} is the recommended one because it allows for the highest level of password encryption (type 8 and type 9).

Question 42

How is a local password configured on a line?

Answer 42

To enable password authentication on a line, the following two commands are required under line configuration mode:

1. password password -to configure the password
2. login -to enable password checking at login

Question 43

How do you configure line local username and password?

Answer 43

To enable username and password authentication, the following two commands are required:

1. The command username username in global configuration mode
2. The command login local under line configuration mode to enable username-based authentication at login

Question 44

What are the rights granted to these privilege levels?

• 0
• 1
• 5
• 15

Answer 44

The Cisco IOS CLI by default includes three privilege levels, each of which defines what commands are available to a user:

Privilege level 0: Includes the disable, enable, exit, help, and logout commands.

Privilege level 1: Also known as User EXEC mode. The command prompt in this mode includes a greater-than sign (R1>). From this mode it is not possible to make configuration changes; in other words, the command configure terminal is not available.

Privilege level 5: A user would be allowed to go into any interface on the router and shut it down, unshut it, and configure an IP address on it, which are the only commands allowed under privilege level 5 in interface configuration mode.

Privilege level 15: Also known as Privileged EXEC mode. This is the highest privilege level, where all CLI commands are available. The command prompt in this mode includes a hash sign (R1#).

Question 45

What is the command to show your current priv level?

Answer 45

R1# show privilege
Current privilege level is 5

Question 46

How is an access list applied to a vty line?

Answer 46

To apply a standard or an extended access list to a vty line, use the command:

• access-class {access-list-number | access-list-name} {in|out}

under line configuration mode. The in keyword applies an inbound ACL, and the out keyword applies an outbound ACL.

Question 47

What is the command to restrict access to the vty lines to just ssh?

Answer 47

transport input ssh

Another way to further control what type of protocols are allowed to access the vty lines is to use the command:

• transport input {all | none | telnet | ssh}

under line configuration mode. Table 26-3 includes a description for each of the transport input command keywords.

Question 48

What is the command to show the vty lines in use?

Answer 48

show line

Question 49

What are the required steps for configuring ssh access?

Answer 49

The steps needed to configure SSH on an IOS device are as follows:

1. Configure a hostname other than Router by using the command:
   
   • hostname {name}.
2. Configure a domain name by using the command:
   
   • ip domain-name {domain-name}.
3. Generate crypto keys by using the command:
   
   • crypto key generate rsa.
   • When entering this command, you are prompted to enter a modulus length. The longer the modulus, the stronger the security. However, a longer modulus takes longer to generate. The modulus length needs to be at least 768 bits for SSHv2.

Question 50

What is the minimum modulus length for SSHv2?

Answer 50

The modulus length needs to be at least 768 bits for SSHv2.

Question 51

What is the command to limit SSH access to SSHv2?

Answer 51

To force the IOS SSH server to disable SSHv1 and accept only SSHv2 connections, under global configuration mode enter the command:

• ip ssh version 2

Question 52

How can an auxiliary port be disabled?

Answer 52

Some devices have an auxiliary (aux) port available for remote administration through a dialup modem connection. In most cases, the aux port should be disabled by using these commands

• line aux 0:
• no exec

Question 53

What command will timeout and disconnect a vty or console session after four minutes and twenty seconds of inactivity?

What is the default timeout of a session if you were to issue the command without specifying a time?

Answer 53

exec-timeout 4 20

By default, an idle EXEC session is not terminated, which poses an enormous security risk. The command:

• exec-timeout {minutes}{seconds}

under line configuration mode can be used to disconnect idle user sessions. The default setting is 10 minutes.

Example 26-17 shows a configuration in which the exec-timeout for the console line is configured to time out after 5 minutes of inactivity and 2 minutes and 30 seconds for the vty lines.

Question 54

What is the result of these two commands?

1. exec-timeout 0 0
2. no exec-timeout

Answer 54

The commands exec-timeout 0 0 and no exec-timeout disable the EXEC timeout. While using them is useful for lab environments, it is not recommended for production environments.

Question 55

What command will disconnect a session after a specified time, regardless of activity?

What command will display a “line termination” warning to users about an impending forced timeout?

Answer 55

The command:

• absolute-timeout {minutes}

under line configuration mode terminates an EXEC session after the specified timeout period has expired, even if the connection is being used at the time of termination.

It is recommended to use it in combination with the command:

• logout-warning {seconds}

under line configuration mode to display a “line termination” warning to users about an impending forced timeout.

Example 26-18 shows the commands absolute-timeout and logout-warning configured on the vty lines.

Question 56

What are the three As in AAA?

Answer 56

AAA is an architectural framework for enabling a set of three independent security functions:

Authentication: Enables a user to be identified and verified prior to being granted access to a network device and/or network services.

Authorization: Defines the access privileges and restrictions to be enforced for an authenticated user.

Accounting: Provides the ability to track and log user access, including user identities, start and stop times, executed commands (that is, CLI commands), and so on. In other words, it maintains a security log of events.

AAA requires a protocol designed to carry authentication requests and responses, including authorization results and accounting logs. There are many AAA protocols available, but the two most popular ones are Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+).

Question 57

T/F: One of the key differentiators of TACACS+ is its capability to separate authentication, authorization, and accounting into independent functions.

Answer 57

True.

Another major difference between TACACS+ and RADIUS is that RADIUS needs to return all authorization parameters in a single reply, while TACACS+ can request authorization parameters separately and multiple times throughout a session.

For example, a network device, such as a Cisco switch or router, can request a TACACS+ server to individually authorize every command that a user tries to execute after logging in to the device. In contrast, RADIUS would require those commands to be sent in the initial authenti- cation response, and since there could be thousands of CLI command combinations, a large authorization result list could trigger memory exhaustion on the network device. This is the main reason TACACS+ is preferred for network device access control. However, if all that is required is AAA authentication without authorization, then either RADIUS or TACACS+ can be used.

Question 58

What are the commands to configure TACACS?

Answer 58

See attached diagram.

Question 59

Within the ZBFW architecture, there are two system-built zones: _____ and __________.

Answer 59

Within the ZBFW architecture, there are two system-built zones: self and default.

The self zone is a system-level zone and includes all the routers’ IP addresses.

• By default, traffic to and from this zone is permitted to support management (for example, SSH protocol, SNMP) and control plane (for example, EIGRP, BGP) functions. After a policy is applied to the self zone and another security zone, interzone communication must be explicitly defined.

The default zone is a system-level zone, and any interface that is not a member of another security zone is placed in this zone automatically.

• When an interface that is not in a security zone sends traffic to an interface that is in a security zone, the traffic is dropped. Most network engineers assume that a policy cannot be configured to permit these traffic flows, but it can, if you enable the default zone. Upon initialization of this zone, any interface not associated to a security zone is placed in this zone. When the unassigned interfaces are in the default zone, a policy map can be created between the two security zones.

Question 60

What is the command to configure a security zone?

Answer 60

Configure the security zones by first using the command:

• zone security zone-name

A zone needs to be created for the outside zone (the Internet). The self zone is defined automatically.

Then you must:

1. Define the inspection class map. The class map for inspection defines a method for classification of traffic.
2. Define the inspection policy map, which applies firewall policy actions to the class maps defined in the policy map.
3. Apply a policy map to a traffic flow source to a destination.
4. Apply the security zones to the appropriate interfaces.

Question 61

What is the command to configure a class-map?

Answer 61

The class map is configured using the command:

• class-map type inspect [match-all | match-any] class-name

The match-all keyword requires that network traffic match all the conditions listed in the class map to qualify (Boolean AND), whereas match-any requires that network traffic match only one of the conditions in the class map to qualify (Boolean OR). If neither keyword is specified, the match-all function is selected. Example 26-22 shows a sample configuration of inspection class maps and their associated ACLs.

Question 62

What is the command to define a policy map?

Answer 62

The inspection policy map is defined with the command:

• policy-map type inspect policy-name.

After the policy map is defined, the various class maps are defined with the command class type inspect class-name. Under the class map, the firewall action is defined with these commands:

Question 63

What is the command to view the inspection policy map?

Answer 63

The inspection policy map can be verified with the command:

• show policy-map type inspect [policy-name]
• ​*as shown in Example 26-25.

Question 64

What is the command to apply a policy map to a traffic flow source to a destination?

Answer 64

Apply a policy map to a traffic flow source to a destination by using the command:

• zone-pair security zone-pair-name source source-zone-name destination destination-zone-name.

The inspection policy map is then applied to the zone pair with the command service-policy type inspect policy-name. Traffic is statefully inspected between the source and destination, and return traffic is allowed. Example 26-26 defines the zone pairs and associates the policy map to the zone pair.

Question 65

What command is used to apply the security zones to the appropriate interfaces? What context, or configuration sub-mode, is the command issued from?

Answer 65

An interface is assigned to the appropriate zone by entering the interface configuration submode with the command:

• interface interface-id

and associating the interface to the correct zone with the command:

• zone-member security zone-name.

Question 66

What is the command to view the traffic statistics of an “outside-to-self policy”?

Answer 66

Traffic statistics can be viewed with the command:

• show policy-map type inspect zone-pair [zone-pair-name]

Example 26-28 demonstrates the verification of the configured ZBFW policy.

Question 67

What is CoPP?

Answer 67

A control plane policing (CoPP) policy is a QoS policy that is applied to traffic to or sourced by the router’s control plane CPU. CoPP policies are used to limit known traffic to a given rate while protecting the CPU from unexpected extreme rates of traffic that could impact the stability of the router.

Question 68

T/F: Typical CoPP implementations use only an input policy that allows traffic to the data plane to be policed to a desired rate.

Answer 68

False.

Typical CoPP implementations use only an input policy that allows traffic to the control plane to be policed to a desired rate.

In a properly planned CoPP policy, network traffic is placed into various classes, based on the type of traffic (management, routing protocols, or known IP addresses). The CoPP policy is then implemented to limit traffic to the control plane CPU to a specific rate for each class.

When defining a rate for a CoPP policy, the rate for a class may not be known without further investigation. The QoS police command uses conform, exceed, and violate actions, which can be configured to transmit or drop traffic. By choosing to transmit traffic that exceeds the policed rate, and monitoring CoPP, the policy can be adjusted over time to meet day-to-day requirements.