Infrastructure Security Flashcards

1
Q

ACL

(What is it?)
(Sample uses?)
(How it works?)

2023.12.28 - added clarification and revised answer

A

1) Ordered list of permit and deny statements that identify traffic by header values in IP packets (addresses, protocol, ports)

2) Uses include packet filtering on interfaces, controlling route advertisements (distribute lists), specifying interesting traffic for VPN crypto maps, and controlling which addresses NAT translates

3) Evaluated top-down; the first matching entry decides and evaluation stops, so specific entries must come before general ones
4) Implicit deny at the end, so an ACL with only deny entries drops everything
5) Only one ACL per interface, per direction, per L3 protocol allowed

2
Q

ACL Wildcard Masking

0 vs 1 bits

2023.12.28 - revised answer

A
  • 0 bit: the corresponding address bit must match exactly; a mask of all 0’s (0.0.0.0) matches one single address
  • 1 bit: the corresponding address bit is ignored; a mask of all 1’s (255.255.255.255) matches every address
  • e.g. 10.1.2.0 0.0.0.255 matches 10.1.2.0–10.1.2.255; the 1 bits need not be contiguous, so 10.1.2.0 0.0.1.255 matches both 10.1.2.0/24 and 10.1.3.0/24
  • for a contiguous mask, the wildcard is the bitwise inverse of the subnet mask (/24 → 0.0.0.255)
3
Q

ACL Abbreviations

A

1) ‘host A.B.C.D’ means exact match - shorthand for A.B.C.D 0.0.0.0
2) ‘any’ means match any address - shorthand for 0.0.0.0 255.255.255.255

4
Q

ACL Types

A

1) Standard ACL
2) Extended ACL

5
Q

Standard ACLs
(what it does?)
(number ranges?)
(best practice?)

2023.12.28 - revised clarification and answer

A

1) checks only the source IP (no protocol, destination or port), so a match permits or denies the whole packet regardless of port
2) Number range 1-99, 1300-1999
3) Place close to the destination: since it cannot distinguish destinations, placing it near the source would block the source from reaching everything

6
Q

Extended ACLs
(what it does?)
(number ranges?)
(best practice?)

A

1) checks the protocol, source & destination IP, and optionally source/destination ports (TCP/UDP) or ICMP type, so it can permit/deny specific services
2) Number range 100-199, 2000-2699
3) Place closest to the source, so unwanted traffic is dropped before it crosses the network

7
Q

Command to create Standard Numbered ACL

2023.12.28 - new card

A

RouterA(config)# access-list 4 permit 12.34.56.0 0.0.0.255
- global config mode
- default wildcard mask is 0.0.0.0, so “access-list 4 permit 12.34.56.7” matches only that host
- numbered 1-99, or 1300-1999
- verify with “show access-lists” (shows per-entry hit counts)
- to edit on classic IOS, “no access-list 4” removes the entire ACL, so remove it and re-add the whole list with the revision; newer IOS can edit a numbered ACL by sequence number by entering “ip access-list standard 4”

8
Q

Command to create Extended Numbered ACL

2023.12.28 - new card

A

RouterA(config)# access-list 100 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
- global config mode; this entry denies FTP control (TCP 21) from 172.16.4.0/24 to 172.16.3.0/24
- numbered 100-199, or 2000-2699
- because of the implicit deny, an ACL made only of deny entries drops all traffic; follow the denies with an explicit permit-any entry (permit ip any any)
- to delete, must remove entire ACL and re-add it with the revision

9
Q

Extended ACL Abbreviations For Specifying TCP/UDP Ports

2023.12.28 - new card

A

1) lt = less than
2) gt = greater than
3) eq = equals
4) neq = not equal to
5) range = inclusive range

10
Q

Inbound vs Outbound ACLs

2023.12.28 - new card

A

Outbound - Packets are routed to the outbound interface first and then checked against the ACL; if permitted they are forwarded out the interface. Outbound ACLs do not filter traffic the router itself generates.
Inbound - Packets are checked against the ACL before the routing decision; if permitted they are processed for routing next, so denied packets never consume a route lookup.

11
Q

Command to Apply ACL to Interface

2023.12.28 - new card

A

RouterA(config-if)# ip access-group 1 in
- the argument is the ACL number or name; in for inbound, out for outbound
- interface config mode
- only one ACL per protocol, per direction, per interface is allowed; applying a second one replaces the first

12
Q

Command to create Named Standard ACL

2023.12.28 - new card

A

RouterA(config)# ip access-list standard BLAHBLAH
RouterA(config-std-nacl)# permit 10.1.1.0 0.0.0.255

  • identified by an alphanumeric name instead of a number
  • sequence numbers start at 10 and increment by 10 if left blank; give an explicit number to insert an entry between existing ones
  • can delete specific entries by sequence number (“no 20”) without rebuilding the list
13
Q

Command to create Named Extended ACL

A

RouterA(config)# ip access-list extended BLAHBLAH
RouterA(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 any eq 443

  • identified by an alphanumeric name instead of a number; note the prompt changes to config-ext-nacl
  • sequence numbers start at 10 and increment by 10 if left blank; give an explicit number to insert an entry between existing ones
  • can delete specific entries by sequence number (“no 20”) without rebuilding the list
14
Q

How to resequence ACL

2023.12.28 - new card

A

1) ip access-list resequence <name> <start> <increment>, or
2) reload the router: sequence numbers are not saved to NVRAM, so after a reload the entries are renumbered from 10 in steps of 10
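
Added example, not a card from the deck: one named extended ACL that ties cards 2, 3, 6, 8, 9, 10, 11, 13 and 14 together, from building the list through applying, verifying, editing and resequencing it. RouterA, the name INSIDE_IN, the interface, the addresses and the role of 192.0.2.53/54 as internal resolvers are all assumed for illustration.

```cisco
! Added example (not from the deck). Names and addresses are made up.
RouterA(config)# ip access-list extended INSIDE_IN
RouterA(config-ext-nacl)# remark --- FTP: one host excepted, rest of 10.1.2.0/23 denied ---
! first match wins, so the specific exception must come before the broader deny
RouterA(config-ext-nacl)# 10 permit tcp host 10.1.2.7 172.16.3.0 0.0.0.255 range 20 21
! wildcard 0.0.1.255: bit 1 = "don't care", so one entry covers 10.1.2.0/24 AND 10.1.3.0/24
! 'range 20 21' is inclusive (FTP data and control)
RouterA(config-ext-nacl)# 20 deny tcp 10.1.2.0 0.0.1.255 172.16.3.0 0.0.0.255 range 20 21 log
RouterA(config-ext-nacl)# remark --- DNS only to the internal resolver ---
! 'host 192.0.2.53' = 192.0.2.53 0.0.0.0 (every bit must match)
RouterA(config-ext-nacl)# 30 permit udp 10.1.2.0 0.0.1.255 host 192.0.2.53 eq 53
! 'any' = 0.0.0.0 255.255.255.255 (every bit ignored)
RouterA(config-ext-nacl)# 40 deny udp any any eq 53 log
! without this entry the implicit deny at the end would drop all other traffic
RouterA(config-ext-nacl)# 50 permit ip any any
RouterA(config-ext-nacl)# exit
! apply inbound: packets are checked before the routing decision;
! one ACL per protocol, per direction, per interface
RouterA(config)# interface GigabitEthernet0/0
RouterA(config-if)# ip access-group INSIDE_IN in
RouterA(config-if)# end
! per-entry hit counters show which line matched
RouterA# show access-lists INSIDE_IN
! named ACLs are edited in place: remove the expired FTP exception by its
! sequence number, insert a second resolver between 30 and 40, then renumber
RouterA# configure terminal
RouterA(config)# ip access-list extended INSIDE_IN
RouterA(config-ext-nacl)# no 10
RouterA(config-ext-nacl)# 35 permit udp 10.1.2.0 0.0.1.255 host 192.0.2.54 eq 53
RouterA(config-ext-nacl)# exit
! entries become 100, 200, 300, ... leaving room for later inserts
RouterA(config)# ip access-list resequence INSIDE_IN 100 100
```

The deny entries carry “log” so that blocked FTP and rogue DNS show up in syslog; logging is done by the route processor, so on a busy interface keep it on the few entries you actually want to watch.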

15
Q

Logical Packet Groups

A

1) Data Plane Packets
2) Control Plane Packets
3) Management Plane Packets
4) Services Plane Packets

16
Q

Data Plane Packets

A
  • end user traffic traversing the network device
17
Q

Control Plane Packets

- 2 traits + examples

A
  • self-generated or self-destined packets that are used for the creation and operation of the network itself
  • control plane packets always have a receive destination IP (an address the router itself owns) and are handled by the CPU in the route processor
  • examples include ARP, BGP, OSPF, and other protocols that glue the network together
18
Q

Management Plane Packets

A
  • self-generated or self-destined packets, or management station generated/received packets that are used to manage the network
  • mgmt plane packets always have a receive destination IP and are handled by the CPU in the route processor
  • examples include Telnet, SSH, TFTP, SNMP, FTP, NTP, and other protocols used to manage the device or network
19
Q

Services Plane Packets

A
  • a special case of data plane packets that require high-touch handling by the network device
  • examples include GRE, QoS, MPLS VPNs, and SSL/IPSec encryption/decryption
20
Q

Exception IP and Non-IP Packets

2023.12.28 - new card

A
  • exception IP packets include IPv4 packets carrying header options, packets whose TTL has expired, and packets to unreachable destinations (each needs special handling or an ICMP reply)
  • non-IP packets include L2 keepalives, IS-IS, CDP, and PPP Link Control Protocol (LCP) packets
  • all of these are punted to and handled by the route processor
21
Q

Control Plane Policing (CoPP) Steps

A

1) Define ACLs that classify control-plane traffic and reference them from class maps
2) Define a service policy (policy map) with a policing rate and conform/exceed actions for each class map
3) Apply the service policy inbound to the control plane

22
Q

Useful CoPP Commands

A
  • show access-lists
  • show class-map
  • show policy-map
  • show policy-map control-plane (per-class conform/exceed counters)
23
Q

class-default

- 4 points

A
  • automatically placed at the end of a policy map
  • match criteria cannot be configured for class-default because it is the implied catch-all
  • some packets will always fall into the default class, so never set the conform and exceed actions both to drop
  • best practice is to never rate-limit the class-default class
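
Added example, not from the deck: the three CoPP steps of card 21 put together, with class-default handled as card 23 describes and the verification commands of card 22. It is written as it would appear in the running configuration, so it can be pasted into global configuration mode. The class names, the 10.99.0.0/24 management subnet and the police rates are assumed for illustration; the rates in particular must be tuned per platform and from observed traffic.

```cisco
! Added example (not from the deck). Names, addresses and rates are made up.
! Step 1: ACLs classify traffic destined to the router; class maps reference them
ip access-list extended COPP_ROUTING
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
ip access-list extended COPP_MGMT
 permit tcp 10.99.0.0 0.0.0.255 any eq 22
 permit udp 10.99.0.0 0.0.0.255 any eq snmp
 permit udp any eq ntp any eq ntp
ip access-list extended COPP_UNDESIRABLE
 permit tcp any any eq telnet
 permit udp any any eq 1434
class-map match-all COPP_ROUTING
 match access-group name COPP_ROUTING
class-map match-all COPP_MGMT
 match access-group name COPP_MGMT
class-map match-all COPP_UNDESIRABLE
 match access-group name COPP_UNDESIRABLE
! Step 2: one policer per class
policy-map COPP_POLICY
 class COPP_ROUTING
  police 512000 conform-action transmit exceed-action transmit
 class COPP_MGMT
  police 256000 conform-action transmit exceed-action drop
 class COPP_UNDESIRABLE
  police 8000 conform-action drop exceed-action drop
 class class-default
! implied catch-all: no match statement is possible, and it is left without a
! policer so control traffic not classified above is never dropped outright
! Step 3: attach the policy inbound to the control plane
control-plane
 service-policy input COPP_POLICY
! verify with: show policy-map control-plane
```

Routing protocols get transmit for both conform and exceed so the policer only counts them; the unwanted class (Telnet and the SQL Slammer port 1434, chosen as examples) is dropped outright. Watch the exceed counters in “show policy-map control-plane” for some days before lowering any rate.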