Device Security

Question 1

What are the ranges for standard ACLs?

Answer 1

1-99

1300-1999

Question 2

Syntax for an extended numbered ACL

Answer 2

access-list access-list-number {deny | permit} protocol source IP wildcard mask destination IP wildcard mask [log]

Question 3

3 primary differences that named ACLs have vs numbered

Answer 3

1. Names instead of numbers
2. Uses ACL subcommands vs global commands to define the ACL
3. ACL editing allows users to edit delete and add individual lines

Question 4

Command to delete a line from a numbered ACL with sequence numbers.

Answer 4

conf t
ip access-list {standard | extended} number
no seq number

Question 5

Syntax to assign an ACL to a vty

Answer 5

access-class number {in | out}

Question 6

TCP version of an extended ACL

Answer 6

access-list access-list-number {deny | permit}tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log]

Question 7

If an ACL omits the wildcard mask, what is the implied mask?

Answer 7

0.0.0.0

Question 8

What are the ranges for extended ACLs?

Answer 8

100 - 199

2000 - 2699

Question 9

Syntax for a standard numbered ACL

Answer 9

access-list {1-99 | 1300-1999} {permit | deny} [subnet wildcard mask | any ]

Question 10

Operational command to see: -IPv4 ACLs -All ACLs

Answer 10

show ip access-lists

show access-list

Question 11

Command to see access list application status on an interface

Answer 11

show ip interface interface

Question 12

Keyword to add to an ACL to help keep track of it’s activity

Answer 12

log

Question 13

What are the 3 types of ACLs?

Answer 13

Standard
Extended
Named

Question 14

Are named ACLs standard or extended?

Answer 14

Either, depends on how they are configured

Question 15

What is the difference between standard and extended ACLs?

Answer 15

Standard ACLs filter on source address
Extended ACLs filter on:    
  Source and Dest IP    
  Source and Dest Port    
  Other criteria

Question 16

What do extended ACLs filter on?

Answer 16

Source & Dest. IP

Source & Dest. Port

Question 17

Command to implement an ACL on an interface

Answer 17

ip access-group number|name {in | out}

Question 18

ACL keyword that means “0.0.0.0” wildcard

Answer 18

host

Question 19

ACL keyword that means 0.0.0.0 255.255.255.255

Answer 19

any

Question 20

ACL keywords for
greater than
less than
equal to

Answer 20

gt
lt
eq

Question 21

Command to instantiate a named ACL

Answer 21

ip access-list {standard | extended} name

Question 22

If a numbered ACL doesn’t use sequence numbers, how would a user remove one of it’s lines?

Answer 22

They can’t. The ACL must be deleted and re-added entirely.

Question 23

What effect does the log keyword have on an ACL?

Answer 23

It sends messages to the log file about the activity pertinent to that line in the ACL

Question 24

What advantage does SNMPv3 have over older versions?

Answer 24

Security

Question 25

What 3 features in SNMPv3 support higher levels of security?

Answer 25

1. Message integrity (tamper detection) 2. Authentication 3. Encryption

Question 26

What are the 3 security modes for SNMPv3?

Answer 26

noAuthNoPriv authNoPriv authPriv

Question 27

Configuration keyword for the noAuthNoPriv level of SNMPv3 security

Answer 27

noauth

Question 28

Configuration keyword for the authNoPriv level of SNMPv3 security

Answer 28

auth

Question 29

Configuration keyword for the authPriv level of SNMPv3 security

Answer 29

priv

Question 30

Command to see the status of the SSH service on the device

Answer 30

show ip ssh

Question 31

5 steps to enabling SSH

Answer 31

1. Configure VTY lines to use either local or AAA security 2. If local, add usernames 3. Configure the ip domain-name 4. Create the encryption key 5. Enable version 1 or version 2

Question 32

Command to enable port security on an interface

Answer 32

switchport port-security

Question 33

2 mandatory and 4 optional steps to enabling port security

Answer 33

1. Set a port to either trunk or access mode 2. enable port security Optional 3. Change the default number of MAC addresses allowed 4. Change the default port security violation behavior 5. Define any permitted MAC addresses 6. Tell the switch to sticky-learn any dynamically learned mac addresses

Question 34

Command to see the security state of switch ports

Answer 34

show port-security [interface *interface*]

Question 35

What are the 3 port security violation options, and which is default?

Answer 35

1. Shutdown (default) 2. Protect 3. Restrict

Question 36

3 steps to create a key for use in routing authentication

Answer 36

1. Create the key chain 2. Create the key 3. Set the key string

Question 37

Syntax to create a key chain

Answer 37

conf t | key chain *name*

Question 38

Syntax to create a key under a key chain

Answer 38

key *#*

Question 39

Syntax to set a text string for a key

Answer 39

key-string *text-string*

Question 40

Command to create the encryption key for SSH

Answer 40

crypto key generate rsa

Question 41

Command to set the device to use SSH2

Answer 41

ip ssh version 2