26. Network Device Access Control and Infrastructure Security

Question 1

How does an access list process?

Answer 1

It starts at the top and proceeds down untill a matching pattern is identified. When a match is found the process stops.

Question 2

What is at the end of all ACLs?

Answer 2

An implicit deny

Question 3

What can ACLs be used for?

Answer 3

• Qos
• NAT
• Identifying network

Question 4

What are the 5 types of ACL?

Answer 4

• Standard numbered
• Extended numbered
• Named
• Port (PACL)
• VLAN (VACL)

Question 5

What is the number of ACLs allowed per interface?

Answer 5

1 inbound and 1 outbound

Question 6

What is the range for standard ACLs?

Answer 6

1-99 / 1300-1999

Question 7

With what command is the ACL defined?

Answer 7

access-list number permit/deny

Question 8

What does the command permit any does?

Answer 8

Permits all networks

Question 9

What does the command permit 172.16.0.0 0.0.255.255 does?

Answer 9

Permits all networks in the 172.16 range

Question 10

What does the command permit host 192.168.1.1 does?

Answer 10

Permits only the 192.168.1.1/32 network

Question 11

What is the range of extended ACL?

Answer 11

100-199 / 2000-2699

Question 12

What is the command for a extended numbered ACL?

Answer 12

access-list number permit/deny protocol
source source wildcard
destination destination wildcard

Question 13

What is the protcol option neq?

Answer 13

match only packets not on a given port number

Question 14

What is the command to create a named ACL?

Answer 14

ip access-list standard/extended NAME

Question 15

What is the command to apply an ACL?

Answer 15

ip access-group in/out

Question 16

What is a PACL?

Answer 16

Port access list that can be applied on L2 ports. Can support L3 standard/extended/name and L2 named MAC

Question 17

What are the restrictions for PACL?

Answer 17

• Only support filtering incoming traffic
• Cannot filter L2 control packets
• Only supported in hardware
• Does not support filter IPv6, ARP, MPLS

Question 18

What is the command to create a PACL?

Answer 18

ip access-list

Question 19

What is a VACL?

Answer 19

Can filter traffic bridged within a VLAN or that is router in/out a VLAN

Question 20

How to create a VACL?

Answer 20

• Create an ACL (permit)
• Create vlan access-map
• Configure the match statement
• Configure the action statement
• Apply with VLAN filter

Question 21

What is important to remember with creating the ACL for VACL?

Answer 21

It always needs a PERMIT statement!

Question 22

What are the action statements for VACL?

Answer 22

• Forward
• Drop
• Log (can only be used with drop)

Question 23

What is the order for bridged traffic?

Answer 23

• Inbound PACL
• Inbound VACL
• Outbound VACL

Question 24

What is the order for routed traffic?

Answer 24

• Inbound PACL
• Inbound VACL
• Inbound ACL
• Outbound ACL
• Outbound VACL

Question 25

What are te 3 basic methods to gain access to the CLI?

Answer 25

- Console (cty) - Aux - Virtual (vty)

Question 26

What are the 3 ways to password protect the CLI access?

Answer 26

- Password direct on the line - Username based authentication - AAA server

Question 27

What are the 5 types of passwords in IOS?

Answer 27

``` 0 most insecure 5 MD5 7 weak 8 SHA 265 9 SCRYPT ```

Question 28

What command can be used to encrypt all type 0 passwords?

Answer 28

service password-encryption

Question 29

What is the disadvantage of the command service password-encryption?

Answer 29

It only encrypts passwords created after applying this command and it uses type 7 encryption which is not safe

Question 30

What are the 3 ways to configure a username in IOS?

Answer 30

USERNAME-password (type 0) USERNAME-secret (type 5) USERNAME-algo (type 5,8,9)

Question 31

How to configure a line local password?

Answer 31

- password ..... (line con and vty) | - login

Question 32

How to configure a line local username and password?

Answer 32

- username password in global | - login local

Question 33

What are the default types of privilege levels?

Answer 33

0, 1 & 15

Question 34

What are the command that can be used on privilege level 0?

Answer 34

``` Enable Disable Exit Help Logout ```

Question 35

Where do you place standard ACLs?

Answer 35

Closest to the destination

Question 36

Where do you place extended ACLs?

Answer 36

Closest to the source as possible

Question 37

What is the command to set a time-range?

Answer 37

time-range | periodic ....

Question 38

How to you control access to vty with ACLs?

Answer 38

Under line vty 0 4 set access-class in

Question 39

How to control access to vty with protocols?

Answer 39

transport input ....

Question 40

How to config SSH access?

Answer 40

- hostname - domain name - crypto key generate rsa - ip ssh version 2

Question 41

Where is AAA commonly used for?

Answer 41

- Network device access control (TACACS+) | - Secure network access control (RADIUS)

Question 42

What port number does TACACS+ use?

Answer 42

tcp 49

Question 43

What is the difference between TACACS+ & RADIUS?

Answer 43

- TACACS+ supports separate AAA and full payload encryption | - RADIUS supports EAP

Question 44

What port number does RADIUS use?

Answer 44

UDP 1645 - Authentication/authorization | UDP 1646 - Accounting

Question 45

What are the steps for configuring TACACS+?

Answer 45

- aaa new-model - add server - create group - enable login authentication - enable authorization exec - enable authorization console - enable authorization command - enable authorization global command - enable login accounting - enable login accounting command

Question 46

How can you prevent from commands being processed if the user is denied?

Answer 46

By adding the if-authenticated command

Question 47

How to enable TACACS+?

Answer 47

aaa new-model

Question 48

How to create group?

Answer 48

aaa group server tacacs+ | server name

Question 49

How to enable login authentication?

Answer 49

aaa authentication login

Question 50

How to enable authorization exec?

Answer 50

aaa authorization exec

Question 51

How to enable authorization console?

Answer 51

aaa authorization console

Question 52

How to enable authorization command?

Answer 52

aaa authorization command

Question 53

How to enable authorization global command?

Answer 53

aaa authorization config-commands

Question 54

How to enable login accounting?

Answer 54

aaa accounting exec

Question 55

How to enable login accounting command?

Answer 55

aaa accounting commands

Question 56

How to add server?

Answer 56

tacacs server address ipv4 key

Question 57

What is Cisco ZBFW?

Answer 57

Integrated statefull firewall technology included in IOS

Question 58

How does ZBWF work?

Answer 58

It groups interfaces in zones. Interfaces within a zone can communicate freely by default.

Question 59

What are the 2 type of zones?

Answer 59

- Self zone | - Default zone

Question 60

What is the self zone?

Answer 60

Includes router IPs. By default traffic is permitted to support management and control plane functions

Question 61

What is the default zone?

Answer 61

Any interface that is not a member of a zone is placed in here automatically