Chapter 6 - Securing the Management Plane

Question 1

What command do you use to check what privilege level you’re currently at?

Answer 1

show privilege

Question 2

How do you get out of privilege exec (Level 15)?

Answer 2

disable

Question 3

What are the requirements for enabling SSH on a router?

Answer 3

• Hostname (other than “router)
• domain name
• public / private key pair
• require “login” on VTY lines
• Have a user account configured either locally or on an ACS server.

Question 4

What command creates a public / private key pair on a router?

Answer 4

(config)# crypto key generate rsa

Question 5

How do you enable timestamps on log entries?

Answer 5

(config)# service timestamps log datetime

Question 6

Which two commands are needed to create a secure bootset on a router?

Answer 6

(config) # secure boot-image
(config) # secure boot-config

verify using show secure bootset

Router(config)# secure boot-image

Router(config)# %IOS_RESILIENCE-5-IMAGE_RESIL_ACTIVE: Successfully secured running image

Router(config)# secure boot-config

Router(config)# %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [flash:.runcfg-20101017-020040.ar]

Question 7

What happens to a router when you issue the no service password-recovery command?

Answer 7

You will lose access to ROMMON. (know this for the exam)

More info:

Without ROMMON you can not change the configuration register to bypass the startup configuration.

Question 8

When configuring role-based CLI on a router what do you have to do first?

Answer 8

Enable the root view on the router.

More info:

Basically execute the enable command and enter the secret password (or enable password)

You have to be the root view, not just a user that has level 15 privilege access.