Security

Question 1

What are the commands to set a password on a router’s console port (two commands)?

Answer 1

Router(config)# line console 0
Router(config-line)# password {the-password}

Question 2

What are the commands to set a password on a router’s auxiliary port (two commands)?

Answer 2

Router(config)# line aux 0
Router(config-line)# password {the-password}

Question 3

What are the commands to set a password on a router’s ssh/telnet ports (two commands)?

Answer 3

Router(config)# line vty 0 4
Router(config-line)# password {the-password}

Question 4

What is the command to create a local username and password on a router?

Answer 4

Router(config)# username {user} [privilege {0-15}] password {the-password}

Question 5

What is the command to specific use of the local username and password for logging into a telnet or ssh session?

Answer 5

Router(config-line)# login local

Question 6

What is the command to set a session timeout on a telnet/ssh port?

Answer 6

Router(config)# line vty 0 4
Router(config-line)# exec-timeout {number in minutes}

Question 7

What are the commands to setup SSH on a router including local login? (7 commands)

Answer 7

Router(config)# username {user} password {password}
Router(config)# ip domain-name {domain.com}
Router(config)# crypto key generate rsa modulus {bits}
Router(config)# ip ssh version 2
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# login local

Question 8

What does AAA mean?

Answer 8

Authentication, Authorization and Accounting:

Authentication - login
Authorization - privilege
Accounting - logging the activity

Question 9

What is TACACS+?

Answer 9

Terminal Access Controller Access Control System: A security protocol developed by Cisc for Authentication and Authorization to a device. TACACS can give a very granular level of authorization specific to what commands a user can enter on a device.

Question 10

What is Radius?

Answer 10

An industry standard security protocol for centralized device access authentication.

Question 11

What is the biggest difference between TACACS and RADIUS?

Answer 11

TACACS provides granular and separate services for authentication, authorization, and accounting. Where RADIUS is basically only used for secure device access.

Question 12

What is the Windows Server role that allows a domain controller to be used as a RADIUS server?

Answer 12

Network Policy and Access Services

Question 13

When configuring privilege levels for a user account, what do the built-in privilege levels 0, 1, and 15 mean?

Answer 13

0 - only allows five commands: logout, enable, disable, help and exit.
1 - read only and “ping”
15 - full access to all commands

Question 14

When configuring privilege levels for a user account, what do levels 2 through 14 do?

Answer 14

Privilege 2 through 14 are custom configurable levels. In theory the higher levels would have more access but this depends on what was configured.

Question 15

What command enables AAA services on a Cisco device?

Answer 15

Router1(config)# aaa new-model

Question 16

What are the commands to set a TACACS server on a Cisco device?
(3 commands)

Answer 16

Router1(config)# tacacs server NAME
Router1(config-server-tacacs)# address ipv4 {ip-address}
Router1(config-server-tacacs)# key {key-string}

Question 17

What are the commands to create a TACACS server group?
(2 commands)

Answer 17

Router1(config)# aaa group server tacacs+ GROUP-NAME
Router1(config-sg-tacacs+)# server name SERVER-NAME

Question 18

What is the command to set AAA authentication to look at the TACACS group for all interface types (con, aux, vty)?

Answer 18

Router1(config)# aaa authentication login default group GROUP-NAME [local]

Question 19

What is the command to set AAA authorization for exec mode to look at the TACACS group for all interface types (con, aux, vty)?

Answer 19

Router1(config)# aaa authorization exec default group TACACS-GRP1 [if-authenticated]

Question 20

What is the command to set AAA authorization for privileged exec mode to look at the TACACS group for all interface types (con, aux, vty)?

Answer 20

Router1(config)# aaa authorization enable default group TACACS-GRP1 [local] [enable]

Question 21

What is CoPP?

Answer 21

Control Plane Policing - the concept of controlling what and how much traffic is handled by a routing device’s CPU so it does not get overloaded. (and DDoS prevention)

Question 22

What is MQC?

Answer 22

Modular Quality of Service Command Line Interface - the basic structure of QoS configuration from the command line. This model fits well for CoPP.

Question 23

What are the 3 main pieces of MQC?

Answer 23

• Class-Map: identify traffic
• Policy-Map: take action/police traffic
• Service-Policy: where to apply the policy (for CoPP its the control plane)

Question 24

What are the commands to create a class-map and match on an ACL that was created named ICMP_ACL? (2 commands)

Answer 24

Router(config)# class-map match-any CLASS_NAME
Router(config-cmap)# match access-group name ACL_NAME

Question 25

What is the command to create a policy map?

Answer 25

R1(config)# policy-map POLICY_NAME

Question 26

What is are the commands to add treatment to a class-map inside a policy map?

Answer 26

R1(config-pmap)# class CLASS_NAME
R1(config-pmap-c)# police {target-bps} conform-action {action} exceed-action {action} violate-action {action}

Example:

R1(config-pmap)# class ICMP_CLASS
R1(config-pmap-c)# police 8000 conform-action transmit exceed-action drop violate-action drop

Question 27

What are the commands to apply the policy map to the control plane on a Cisco device? (2 commands)

Answer 27

R1(config)# control-plane
R1(config-cp)# service-policy input POLICY_NAME

Question 28

What command can you use to verify the service policy applied to a control plane?

Answer 28

R1# show policy-map control-plane input

Question 29

What is 802.1X?

Answer 29

An IEEE Standard for authenticating devices that are trying to connect to a network. AAA, Radius, WLCs, and/or Cisco are core components in an 802.1X deployment.

Question 30

In 802.1X, what is MAB?

Answer 30

MAC Address Bypass - when 802.1X authentication is unavailable, check to see if the MAC address is on the preconfigured whitelist to bypass the 802.1X authentication.

Question 31

What is the Cisco solution for endpoint protection?

Answer 31

AMP Advanced Malware Protection - Not only endpoint protection but also integrates with web proxy servers, firewalls, email proxy servers, and other security devices to block and contain malware across the network.

Question 32

What are the key features of a Next Generation Firewall (NGFW) besides legacy features such as stateful inspection and access control?

Answer 32

• Web/URL filtering
• Application layer packet inspection

Question 33

What is TrustSec?

Answer 33

Policy based treatment of a device based on a device’s MAC address, the group the MAC address belongs to, and the policies applied to the group. This is one of the key components to Cisco ISE.

Question 34

In TrustSec, what is SGA?

Answer 34

Security Group Access - applying security tags to traffic (SGT Security Group Tags) so that it can be handled with policies and encryption.

Question 35

What is MACsec?

Answer 35

Encrypting Layer 2 traffic from one node to the next. This is typically used in conjunction with TrustSec and SGA.

Question 36

What are the two types of MACsec?

Answer 36

Downlink MACsec - encryption from a host device to a switch.

Uplink MACsec - encryption between two switches.