Chapter 0 - General 650-554 Questions Flashcards
When looking at this console message, what does the 5 in “SYS-5-CONFIG” stand for?
Feb 1 10:1208 PST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.2.6)
The 5 means this is a level 5 notification message.
0 Emergency
1 Alert
2 Critical
3 Error
4 Warning
5 Notification
6 Informational
7 Debugging
What is referred to as a “bootset”?
The combination of the IOS image and configuration file (startup config) is a bootset.
What does DSCP mean?
Differentiated Services Code Point (DSCP) is a field in the IP header that enables different levels of service to be assigned to network traffic. This is achieved by marking each packet on the network with a DSCP code and assigning to it the corresponding level of service.
What does “EF” stand for in DSCP EF?
The Expedited Forwarding (EF) model is used to provide resources to latency-sensitive (delay-sensitive), real-time, interactive traffic.
The EF model uses one marking: DSCP 46.
What is a class-map used for?
The class-map command defines a named object representing a class of traffic, specifying the packet matching criteria that identifies packets that belong to this class.
hostname(config)# access-list tcp_traffic permit tcp any any
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match access-list tcp_traffic
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
What are the “traditional” pieces of a QoS strategy?
- Defining traffic classes (class-map command).
- Associating policies and actions with each class of traffic (policy-map command).
- Attaching policies to logical or physical interfaces (service-policy command).
What is a policy-map used for?
The policy-map command defines a named object that represents a set of policies to be applied to a set of traffic classes. An example of such a policy is policing the traffic class to some maximum rate. For example:
hostname(config)# policy-map qos_policy
hostname(config-pmap)# class voip_traffic
hostname(config-pmap-c)# priority
This policy-map would place all traffic identified by the voip_traffic class into the low-latency queue (LLQ), which has priority over all other traffic.
What does a service-policy do?
The service-policy command attaches a policy-map and its associated policies to a target (a named interface).
hostname(config)# service-policy policy-map-name interface outside
IMPORTANT: if you are differentiating between priority traffic and best-effort traffic, you must define a low-latency queue (priority-queue command) on each named physical interface that transmits prioritized traffic.
hostname(config)# priority-queue interface
Only one interface policy-map can be applied to an interface at any one time.
How would you use a class-map to identify traffic on multiple ports?
The following commands show how to use an access list to identify multiple TCP ports and then match that access list in a class-map:
hostname(config)# access-list interesting_traffic permit tcp any any eq 23
hostname(config)# access-list interesting_traffic permit tcp any any eq 80
hostname(config)# class-map telnet_web_traffic
hostname(config-cmap)# match access-list interesting_traffic
How are Cisco Configuration Professional and Cisco Security Manager different?
CCP - Free; used only for routers and switches.
CSM - Enterprise-level configuration tool (paid software) used to manage most Cisco products.
What are the 4 main features about TACACS+ you need to know?
Uses TCP port 49
Encrypts entire packet payload
Separates AAA functions
Cisco proprietary
What are some key things to know about RADIUS?
RADIUS:
Combines authentication and authorization functions
Has no option to authorize router commands
Uses UDP ports 1645 or 1812
Is an open standard (not proprietary)
Encrypts only the password in the Access-Request packet
How can stored passwords hashed by MD5 be saved more securely?
By using a technique known as salting.
We can randomize the hashes by appending or prepending a random string, called a salt, to the password before hashing. This makes the same password hash into a completely different string every time. To check if a password is correct, we need the salt, so it is usually stored in the user account database along with the hash, or as part of the hash string itself.
The salt does not need to be secret. Just by randomizing the hashes, lookup tables, reverse lookup tables, and rainbow tables become ineffective. An attacker won’t know in advance what the salt will be, so they can’t pre-compute a lookup table or rainbow table.
How do you enable IOS image resilience on a Cisco router?
- enable
- configure terminal
- secure boot-image
- secure boot-config
to view: show secure bootset
The Cisco IOS Resilient Configuration feature enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).
What is Perfect Forward Secrecy?
Perfect Forward Secrecy (PFS) is a key-exchange property that ensures session keys remain protected in the event that a long-term key is compromised. PFS accomplishes this by enforcing the derivation of a new, independent key for each and every session.