Cisco IOS Security Configuration, Exams of Advanced Data Analysis

This document covers a wide range of Cisco IOS security features and configurations, including AAA authentication, ACLs, uRPF, VLAN maps, MAC ACLs, port security, DHCP snooping, ARP inspection, IP Source Guard, and more. It provides detailed explanations and step-by-step instructions on how to set up and configure these security mechanisms on Cisco routers and switches. It is likely intended for network administrators, security professionals, or advanced Cisco IOS users who need to secure their network infrastructure and protect against various threats and attacks. It covers a comprehensive set of Cisco IOS security topics and could be useful as study notes, lecture materials, or reference documentation for those working with Cisco networking equipment.

Typology: Exams

2024/2025

Available from 09/18/2024

bestscore1
CCIE - Security Exam with complete solution 2024/2025
What command must be enabled for AAA to work? - ANSWER-aaa new-model
What is the command to configure AAA for authentication of logins? - ANSWER-aaa authentication login
When configuring aaa authentication login, what does the default keyword mean? - ANSWER-This is applied to all interfaces
What does specifying a list-name in aaa authentication allow you to do? - ANSWER-Apply the AAA authentication rule to a specific interface
If you were applying RADIUS, TACACS and then a local database login, how would you apply this on the router? - ANSWER-aaa authentication login default group radius group tacacs local
How do you specify the TACACS or RADIUS server to use? - ANSWER-With the command tacacs server
What are the two ICMP commands that enable ping across an ACL? - ANSWER-echo and echo reply
What kind of probe does traceroute use? - ANSWER-A UDP probe sent three times to each hop, using port > 33434
How does MTU discovery work? - ANSWER-A packet is sent with the DF bit set, and the packet size is dropped until the router gets a response from the destination.

What is the purpose of the established keyword in an ACL? - ANSWER-Checks the state of the ACK bit to ensure this is an established connection
Does a router's own traffic get applied to an outbound ACL? - ANSWER-No - only transit traffic
Is port 20 used in passive mode in FTP? - ANSWER-No
In FTP active mode, what is the port number that the server connects to the client on to transfer data? - ANSWER-Port 20
With traceroute, what is the destination IP of the probe packet? - ANSWER-The final destination
What message is sent back to the source for each hop in the traceroute? - ANSWER-Time-exceeded messages to say that the TTL has expired
What message is delivered back to the source from the final destination in the traceroute? - ANSWER-Port unreachable
In PMTU Discovery, what is the ICMP message received for a hop that doesn't have a high enough MTU (i.e. fragmentation required but DF bit set)? - ANSWER-Packet Too Big
For time-ranges, how can you specify dates and times for an ACL, using absolute or periodic ranges? - ANSWER-Absolute
What does uRPF do? - ANSWER-It mitigates spoofed or malformed packets by discarding packets with an unverifiable source IP address
How does uRPF work? - ANSWER-It checks the packet to ensure that the source address is in the routing table and matches the interface it's being received on
Is uRPF an input or an output function? - ANSWER-Input - it's configured on the input interface at the upstream end of a connection
If no ACL is specified in uRPF, what does the router do with the packet by default? - ANSWER-Drops it with no log

What command do you use to set up a MAC ACL? - ANSWER-mac access-list extended XXX
MAC ACLs and Port ACLs are the same thing - T/F? - ANSWER-True
What are the 5 key steps / commands to use a VLAN map? - ANSWER-
  1. Create the IP / MAC ACL
  2. Use the vlan access-map global command
  3. Specify action (forward / drop)
  4. Match against the ACL
  5. Apply to VLAN with "vlan filter"
Which bit in the most significant byte needs to be set in order to show this is a multicast MAC address? - ANSWER-The least significant bit
What is the ethertype for ARP in hex? - ANSWER-0x
What is the MAC used for VTP/CDP/UDLD/DTP/PAgP? - ANSWER-01:00:0c:cc:cc:cc
What is the MAC used for PVST? - ANSWER-01:00:0c:cc:cc:cd
In an Ethernet packet a field is an ethertype in DIX / Ethernet II, but what is it in 802.3? - ANSWER-Length (packets between length and FCS)
What does a VLAN map do? - ANSWER-It controls traffic INSIDE a VLAN
IP ACLs can be applied to L2 interfaces, T/F? - ANSWER-True, but only inbound.
T/F: MAC ACLs applied to an L2 port check IP and non-IP based traffic? - ANSWER-False - they do not check IP based traffic.
Is it helpful to use MAC addresses in MAC ACLs? - ANSWER-No, as only non-IP based traffic is checked.
What is the OUI in SNAP for Cisco? - ANSWER-00:00:0C
What are the other 2 bytes of the SNAP header if the first 3 are for the OUI? - ANSWER-The protocol ID (can be used as the ethertype in MAC filtering).

Name the LSAP value for SNAP values (like VTP / CDP / DTP / UDLD)? - ANSWER-0xAAAA
Name the LSAP value for IP in an 802.3 frame - ANSWER-0x
Name an LSAP value for STP in an 802.3 frame - ANSWER-0x
With port security, what is an important step to take in order for this to work? - ANSWER-Turn it on at the interface with the command switchport port-security
What are the three modes of port security? - ANSWER-restrict, protect and shutdown
What state does the port go into with a shutdown? - ANSWER-err-disable
What is the command used for HSRP? - ANSWER-standby
What is the HSRP group MAC address? - ANSWER-000.0c07.ACxy (where xy is the group number in HEX!)
When using HSRP and port-security, what do you need to consider? - ANSWER-Increase max MACs on the port to 2, or use the command standby use-bia (which doesn't use the default FHRP MAC address)
When is the information option inserted into packets? - ANSWER-When DHCP snooping is enabled on any switch, or when there is an IOS relay device
On the DHCP IOS server, what do you have to configure to ensure that the giaddr 0.0.0.0 is ignored / accepted? - ANSWER-ip dhcp relay information option trust (either globally or on the interface)
When using ip arp inspection, if you're not using DHCP snooping, what must you configure instead? - ANSWER-ARP access-lists that specify the IP address and the MAC address
What needs to be configured on the trusted ports with Dynamic ARP Inspection? - ANSWER-ip arp inspection trusted
What happens to a port when the rate of ARP packets exceeds the configured threshold? - ANSWER-The port goes into an err-disabled state

In order to enable IPSG AND MAC port-security, what command must you have on the interface for MAC port-security? - ANSWER-switchport port-security - this MUST always be on if you will use the command ip verify source port-security (port-security keyword is optional)
For IPSG, do you have to enable DHCP Snooping? - ANSWER-Yes
Can you apply L2 ACLs outbound? - ANSWER-No, unless the interface is an SVI
When applying MAC address filtering, what do you need to be careful of? - ANSWER-That you don't filter out BPDU and STP items.
If you wanted to block a login attempt after x number of attempts, what is the command you would use? - ANSWER-login block-for
If you wanted to enable a host / protocol during the login block-for quiet-period, what command would you use? - ANSWER-Specify an ACL and then use login quiet-mode
What feature protects routers / switches from a brute force attack? - ANSWER-login enhancements
What needs to be enabled before you can configure views? - ANSWER-aaa new-model
What are the three view names? - ANSWER-superview, root view and lawful intercept view
What does lawful intercept view use as its basis for commands? - ANSWER-TAP-MIB, which is a set of special SNMP commands
What command enables you to set up a view? - ANSWER-parser view
What is the keyword that sets the view up to be a superview? - ANSWER-[superview]
How do you apply the view to a user? - ANSWER-username view

For the VTY line, how is the view from the user applied to it? - ANSWER-Via the aaa authorization exec default command - you have to set up the authorization exec default local command as well
If you're in one view and you want to switch to another, what command do you use? - ANSWER-enable view
What does control-plane policing actually control? - ANSWER-Traffic destined to / from the router process
What are the only policing commands that can be applied to a control plane policy? - ANSWER-police or drop
How is a control-plane policy applied? - ANSWER-With the command control-plane and then under that "service-policy"
What does a similar job as ebgp-multihop? - ANSWER-ttl-security hops
Can ebgp-multihop and ttl-sec work together on different peers with each other? - ANSWER-Yes they can; ebgp-multihop though has to account for the fact that it LEAVES the peer with the configured value.
Should you have TTLSEC configured on BOTH peers? - ANSWER-Yes - bad practice to have one ttl-sec and the other ebgp-multihop
What do you specify in NBAR in order to block https:// downloads of specific files? - ANSWER-ip nbar protocol http url
Who is the authorization process applied to? - ANSWER-Any authenticated users
With local users, if you had a user under a specific low privilege, how would you enable that user to execute exec commands? - ANSWER-Set: privilege X level Y "command" in exec mode
What's a good way to restrict a local database user from being able to use specific commands? - ANSWER-Use a priv X level command where X is the level they are on
What does the command aaa authorization exec command allow? - ANSWER-Exec level access to the router based on the local database, none, if-

If we define a time range that specifies a time of 2:00 - 3:00, what are the real times used? - ANSWER-2:00 - 3:00:59 - it uses up to the last second in the range
T/F: packets filtered via policy routing as applied to a local interface will always apply this if the destination is on the local router - ANSWER-False. The ICMP lab for packet size would only apply the route-map to packets transiting the router
What command enables unicast reverse path forwarding? - ANSWER-ip verify unicast on the interface
What needs to be on for uRPF to work? - ANSWER-CEF
What direction is uRPF configured on, ingress interface or egress? - ANSWER-Ingress
With uRPF, what's the difference between keywords rx and any? - ANSWER-With rx, the prefix MUST be in the routing table and the interface the prefix was received on MUST match the RIB. For any, the route just has to be in the routing table, that's all.
What does uRPF prevent? - ANSWER-IP address spoofed packets and malformed packets arriving at the router on an interface it's not expecting them on.
Can you apply ACLs against a uRPF statement? - ANSWER-Yes, to run this against certain IP addresses only.
With uRPF, if an ACL is applied to the rule, in order to deny or permit in the ACL, what must first happen regarding the traffic that arrives, and what does the ACL determine? - ANSWER-The ACL only comes into effect if the source fails the uRPF check; then the deny causes the packet to be dropped, or permit enables it to transit (be permitted)
In uRPF, what 2 things does the ACL do? - ANSWER-Determines if the packet should be dropped or permitted if the source fails the RPF check, and also enables us to log the packets that get dropped.
If using NBAR, what command do you use in the class-map that enables you to specify the website that the rule is applied to? - ANSWER-match protocol http host
T/F: every logged packet is process switched - ANSWER-True

If you set the threshold for the packets per interval to be process switched (applied to logging on an ACL), what happens to the exceeding packets? - ANSWER-They are processed as per normal
When creating VLAN ACLs, what are the three things to configure? - ANSWER-The vlan access-list (ext|std), the vlan access-map and the vlan filter
Can a VLAN ACL use a MAC ext ACL as well as an IP ACL? - ANSWER-Yes
What is a port-security feature / command that prevents MAC flooding on a port? - ANSWER-switchport port-security aging time
"switchport port-security aging type" does what? - ANSWER-Sets the aging to be based on inactivity or an absolute timeframe
What does IOS by default do to a DHCP request that has a GIADDR address of 0.0.0.0? - ANSWER-It drops the packet
When is a GIADDR changed to 0.0.0.0? - ANSWER-When DHCP snooping is enabled
Why have DHCP snooping enabled? - ANSWER-Prevent rogue DHCP servers, to enable IP Source Guard, to enable DARP.
How can you stop a DHCP Snooping switch from inserting the option 82 details, which includes the giaddr setting to zero? - ANSWER-Use the command on the snooping switch: "no ip dhcp snooping information option"
Under what 3 scenarios would you configure a port to be DHCP snooping trusted? - ANSWER-If this has a DHCP server attached to it, if it has a client attached to it and you just want DHCP to work, or if this has a relay agent / device attached to it. (Usually you only set this if this is a server port.)
If the DHCP server is an IOS router, how can you configure the router to ensure that, despite the fact that the giaddr is 0.0.0.0, a DHCP lease is still handed out? - ANSWER-Use the command "ip dhcp relay information trusted"
Does a switch configured for DHCP snooping trust a DHCP request with a non-zero address in the giaddr if it's received on a non-trusted port? - ANSWER-No

What does GTSM stand for? - ANSWER-Generic TTL Security Mechanism (applies to BGP)
What does SNMP v3 essentially replace? - ANSWER-The requirements for the community security model
If you wanted to increase the buffer size of the table that syslog uses, how would you do this? - ANSWER-Use command logging history size
When syslog creates an snmp-trap event, where does this go to first before it gets sent to the NMS (SNMP server)? - ANSWER-It goes into the history buffer on the router as a replicated event.
What mode does the FTP client run in by default, and how do you change this to the other mode? - ANSWER-Passive - you change this with no ip ftp passive
With TFTP, how do you specify the TFTP details of a router (i.e. with the router as a TFTP server)? - ANSWER-Just simply using the command tftp: - you can then specify an alias and access list
What command configures RCP? - ANSWER-ip rcmd
What is the key to getting rcp to work? - ANSWER-The usernames. Ensure the following is configured on the server:
  1. ip rcmd rcp-enable
  2. ip rcmd remote-host <SERVER_LOCAL_USER> <CLIENT_IP> <CLIENT_ROUTER_NAME> enable
and on the client:
  3. ip rcmd remote-username <SERVER_LOCAL_USER>
Does RCP need a password? - ANSWER-No, username only
To run commands on a router using rsh, what needs to be enabled on the server end? - ANSWER-ip rcmd rsh-enable and then:
  4. Set up the user with priv 15
  5. Specify: ip rcmd remote-host <USER_IN_1_ABOVE> <CLIENT_IP> <CLIENT_ROUTER_NAME> enable
For NTP authentication, what command must be configured for the keys to work? - ANSWER-ntp trusted-key

What's the difference between the NTP keywords peer and serve-only? - ANSWER-peer will allow an NTP client to have its date updated and permit control messages from those in the ACL, and serve-only is configured on the server when it will allow it to update the client specified in the ACL only.