CCIE - Security

With TFTP, how do you specify the TFTP details of a router (i.e. with the router as a TFTP server)?

With the global command tftp-server <file-url> [alias <name>] [<acl>]; the optional alias is the name clients request and the optional access list restricts which clients may fetch the file

What are the three modes of port security

restrict, protect and shutdown

What is the purpose of the established keyword in an ACL?

It matches TCP segments with the ACK or RST bit set, i.e. replies belonging to a connection already opened from the other side. It is not stateful and does not track connections

Name the LSAP value for STP in an 802.3 frame

0x4242 (DSAP 0x42, SSAP 0x42), written in a MAC ACL as lsap 0x4242 0x0000

Name the LSAP value for SNAP-encapsulated protocols (such as VTP, CDP, DTP and UDLD)

0xAAAA (DSAP 0xAA, SSAP 0xAA); the actual protocol is then identified by the SNAP OUI and protocol ID

What are the only actions that can be applied to a class in a control-plane policy?

police or drop

Which takes precedence when a port ACL, a router ACL and a VLAN ACL all apply?

The port ACL: when a port ACL is applied to a Layer 2 port, it takes precedence over VLAN maps and router ACLs for that port's traffic

What is the difference between ip verify source and ip verify source port-security?

With the port-security keyword IP Source Guard checks the source MAC address as well as the source IP address against the binding; without it only the source IP is checked

What message is delivered back to the source from the final destination in a traceroute?

ICMP port unreachable

Why enable DHCP snooping?

To block rogue DHCP servers on untrusted ports, and to build the DHCP snooping binding database that IP Source Guard and Dynamic ARP Inspection (DAI) rely on

To log the ARP packets that DAI matches against static (ARP ACL) entries, what must you do?

Add the log keyword to the ARP ACL entry

What does a similar job to ebgp-multihop?

neighbor <address> ttl-security hops <n> (GTSM)

With port security, what is an important step to take in order for it to work?

Enable it on the interface with switchport port-security; the maximum, violation and aging settings do nothing until it is enabled

How do you limit the number of login attempts for users authenticating with a username and password (e.g. over Telnet or SSH)?

With the global configuration command login block-for <seconds> attempts <n> within <seconds>; this is not configured under line vty

If the DHCP server is an IOS router, how do you make it accept DHCP packets that carry option 82 but have a giaddr of 0.0.0.0 (as inserted by a snooping switch)?

Use ip dhcp relay information trusted on the receiving interface, or ip dhcp relay information trust-all globally

What can we do to prevent a router's interface from answering traceroute probes?

Use no ip unreachables on the interface; this suppresses ICMP unreachables (including the port unreachable a destination returns). It does not suppress the time-exceeded messages a transit hop sends, so intermediate hops still show up

How can you stop a DHCP snooping switch from inserting option 82 (which it inserts while leaving giaddr at 0.0.0.0)?

Use the command on the snooping switch: "no ip dhcp snooping information option"

how do you apply the view to a user?

username <NAME> view <VIEWNAME>

What does uRPF prevent?

Packets with spoofed or otherwise unverifiable source IP addresses arriving on an interface the router would not use to reach that source

What is the HSRP group MAC address?

0000.0c07.acxy for HSRPv1, where xy is the group number in hex (HSRPv2 uses 0000.0c9f.fxxx, where xxx is the group number in hex)

What is the OUI in SNAP for CISCO?

00:00:0C

what is the MAC used for VTP/CDP/UDLD/DTP/PAgP?

01:00:0c:cc:cc:cc

what is the MAC used for PVST

01:00:0c:cc:cc:cd

Name the LSAP value for IP in an 802.3 frame

0x0606

What is the ethertype for ARP in hex?

0x0806

What are the 3 default privilege levels?

0, 1 and 15 (level 1 is user EXEC, level 15 is privileged EXEC, level 0 holds only disable, enable, exit, help and logout)

What are the 5 key steps / commands to use a VLAN map?

1. Create the IP and/or MAC ACL 2. Create the map with the global command vlan access-map <NAME> <seq> 3. Specify the action (forward / drop) 4. Match against the ACL (match ip address / match mac address) 5. Apply it to the VLAN with "vlan filter <NAME> vlan-list <vlans>"

On what source port does a FTP server connect to a client in active mode?

20

If we define a time range that specifies a time of 2:00 - 3:00, what are the real times used?

2:00:00 - 3:00:59; the end time is inclusive up to the last second of that minute

What is the port number that traceroute starts at?

33434

Which of the two uses port 20 in FTP, active or passive?

Active

What gets inspected first, an ARP ACL or the DHCP snooping DB?

The ARP ACL; only if no ACL entry matches (and the filter is not static) is the DHCP snooping binding database consulted

For time-ranges, which keyword lets you specify calendar dates as well as times for an ACL: absolute or periodic?

Absolute (periodic takes days of the week and times only)

To whom is the authorization process applied?

Any authenticated user (authorization can only follow a successful authentication)

What direction is uRPF configured on, ingress interface or egress?

Ingress

What needs to be on for uRPF to work?

CEF

What common Cisco processing service must be turned on for uRPF to work?

CEF; the check is done against the FIB

What technology prevents ARP poisoning attacks?

Dynamic ARP Inspection (DAI)

With DAI, why would you have an arp access-list?

DAI validates ARP packets against the DHCP snooping binding database. Hosts with static addresses have no binding there, so you map their IPs to MAC addresses in an ARP ACL to permit them

Is uRPF an input or an output function?

Input: it is configured on the ingress interface, at the upstream end of the link (the side receiving traffic from the source)

When is the DHCP information option (option 82) inserted into packets?

When DHCP snooping is enabled on a switch (insertion is on by default), or when an IOS relay agent has ip dhcp relay information option configured

In uRPF, what 2 things does the ACL do?

It decides whether a packet that fails the RPF check is dropped (deny) or permitted anyway (permit), and via the log keyword it lets you log the packets that get dropped

If no ACL is specified in uRPF what does the router do with the packet by default?

Drops it with no log

T/F: MAC ACLs applied to a Layer 2 port check both IP and non-IP traffic?

False: they check only non-IP traffic; IP traffic must be filtered with an IP ACL

T/F: policy routing applied to an interface is also applied to packets whose destination is the local router

False. Interface PBR (for example the route-map in the ICMP packet-size lab) applies only to packets transiting the router

What feature protects the router from dictionary / brute-force login attacks?

IOS Login Enhancements (login block-for)

What do you specify in NBAR in order to block HTTP downloads of specific files?

match protocol http url <pattern> in a class-map (e.g. url "*.exe"), then drop that class in a policy-map. NBAR cannot see the URL inside HTTPS, since TLS encrypts it

If loose-mode uRPF accepts a packet even when there are multiple routes out different interfaces, what is the point?

It still checks that a route to the source exists at all; if there is no route in the FIB the packet is dropped

How does uRPF work?

It checks that the packet's source address is reachable according to the FIB and, in strict mode, that the best path back to that source points out the interface the packet was received on

What does a VLAN map do?

It controls traffic INSIDE a VLAN (bridged traffic), as well as traffic routed into or out of the VLAN

How does loose-mode uRPF work?

It checks only that the FIB contains a route to the source address; it does not require that the best path back to the source is on the interface the packet was received on

What does IOS do by default with a DHCP packet that carries option 82 but has a giaddr of 0.0.0.0?

A relay agent or DHCP server running IOS drops it (unless the receiving interface is configured as trusted)

What does the command privilege <mode> level <X> <command> actually do?

It reassigns the command (in that parser mode) to privilege level X, so users at level X or above can run it

What do VLAN maps filter on?

MAC address, L3 information and / or ethertype

Do VLAN maps have a direction (in/out)

No

Does a switch configured for DHCP snooping trust a DHCP packet with a non-zero giaddr (or option 82) if it is received on an untrusted port?

No, it is dropped

Is outbound traffic generated by the router itself subject to an outbound ACL check?

No

Is port 20 used in passive mode in FTP?

No

Does the fragments keyword in an ACL apply to the initial fragment of a packet?

No: the initial fragment carries the Layer 4 header (ports), so it is evaluated by the normal entries; fragments matches only non-initial fragments

Does a routers own traffic get applied to a outbound ACL?

No - only transit traffic

Is it useful to filter a host's IP traffic by its MAC address in a MAC ACL?

No: MAC ACLs on Catalyst switches check only non-IP traffic, so the host's IP frames pass untouched

Can you configure IP Source Guard on a routed port?

No, only on Layer 2 switchports

can port acls be applied to port-channel interfaces?

No, only physical interfaces

Can you apply Layer 2 (MAC) ACLs outbound?

No, they are inbound only on Layer 2 ports (an ACL on an SVI, which is a router ACL, can be applied outbound)

Does RCP need a password?

No, username only

To also filter the Layer 2 MAC addresses against the secure IP addresses with IPSG, what command do you use?

At interface level: ip verify source port-security. This combines IPSG with port security (switchport port-security must also be enabled on the port)

In PMTU discovery, what ICMP message is received from a hop whose MTU is too small, i.e. fragmentation required but the DF bit is set?

ICMPv4 type 3 code 4, "fragmentation needed and DF set" (the ICMPv6 equivalent is type 2, "Packet Too Big")

In FTP active mode, what is the port number the server connects from to the client to transfer data?

Port 20

What are the three different kinds of ACLs used on a switch?

Port ACL, Router ACL, or VLAN ACL (VLAN map)

What can ARP inspection break, and how do you resolve this?

Proxy ARP (a router answering for other hosts): fix it by configuring the port facing the router with ip arp inspection trust, so ARP messages received on it are not inspected

What does IP Source Guard protect against?

A host spoofing a neighbour's IP address; it tracks the IP (and optionally MAC) bound to each port and drops traffic from any other source

If you want to allow a host / protocol during the login block-for quiet period, what command do you use?

Specify an ACL and reference it with login quiet-mode access-class <ACL>

What does the lawful intercept view use as its basis for commands?

The TAP MIBs (CISCO-TAP2-MIB and related), a set of special SNMPv3-accessible objects

When applying MAC address filtering, what do you need to be careful of?

That you do not filter out BPDUs (STP) and other control protocols such as CDP, VTP, DTP and UDLD

With uRPF, if an ACL is attached to the statement, what must first happen before the ACL's permit or deny applies, and what does the ACL determine?

The ACL only comes into effect if the source fails the uRPF check; then a deny causes the packet to be dropped and a permit lets it transit anyway

Which bit in the first (most significant) byte must be set to show this is a multicast MAC address?

The least significant bit (the I/G bit), so multicast MACs have an odd first byte, e.g. 01:00:0c:cc:cc:cc

What are the other 2 bytes of the SNAP header, if the first 3 are the OUI?

The protocol ID (for OUI 00:00:00 this is the ethertype, and it can be matched as such in MAC filtering; with the Cisco OUI 00:00:0C it identifies e.g. CDP 0x2000, VTP 0x2003 and DTP 0x2004)

When private VLANs are configured, which VLAN can router ACLs be applied to?

The primary VLAN only; the secondary VLANs inherit it

What does SNMPv3 essentially replace?

The community-string security model, with user-based authentication and encryption

How does strict-mode uRPF work?

The router checks in the FIB that the best path to the source is out the same interface the packet was received on; if it is not (e.g. asymmetric routing) the packet is dropped

What is the key to getting rcp to work?

The usernames. On the server configure: 1. ip rcmd rcp-enable 2. ip rcmd remote-host <SERVER_LOCAL_USER> <CLIENT_IP> <REMOTE_USERNAME> enable, where the remote username must match what the client sends (by default its hostname, or the value set with ip rcmd remote-username). On the client: ip rcmd remote-username <SERVER_LOCAL_USER>

If the packet-per-interval logging threshold for a logged ACL entry is exceeded, what happens to the exceeding packets?

They are switched normally (in the fast path) and simply are not logged

When configuring aaa authentication login, what does the default keyword mean?

The method list is applied to all lines (console, aux, vty) unless a named list is applied to a line

What is the point of an ip arp inspection trust port?

ARP packets received on it are not validated against the DAI bindings (DHCP snooping database or ARP ACL)

What message is sent back to the source for each hop in the traceroute?

Time-exceeded messages to say that the TTL has expired

MAC ACLs and port ACLs are the same thing - T/F?

Not exactly: a port ACL is any ACL applied to a Layer 2 port, and it can be an IP ACL or a MAC ACL. A MAC ACL applied to a port is therefore a port ACL, but not every port ACL is a MAC ACL

T/F the traceroute utility increments the port number for each hop starting at 33434

True

t/f every logged packet is process switched

True

IP ACLs can be applied to L2 interfaces, T/F?

True, but only inbound.

What is a good way to restrict a local database user from being able to use specific commands?

Give the user a privilege level X (username <NAME> privilege X) and reassign only the commands they may run to that level with privilege <mode> level X <command>; everything else stays at level 15

If you wanted to increase the size of the history table that syslog keeps for SNMP traps, how would you do this?

Use the command logging history size <n>

How do you turn off path MTU discovery on a router?

Using the command no ip tcp path-mtu-discovery (this affects only TCP sessions originated by the router itself)

When is option 82 inserted while the giaddr stays 0.0.0.0?

When DHCP snooping is enabled on a switch: it inserts option 82 but, not being a relay agent, it never sets the giaddr

Can a VLAN ACL use a MAC ext ACL as well as a IP ACL?

Yes

For IPSG do you have to enable DHCP Snooping?

Yes

Should you have ttl-security configured on BOTH peers?

Yes; it is bad practice to have ttl-security on one side and ebgp-multihop on the other

Can you have IPSG and MAC port-security enabled on the device at the same time?

Yes and this is recommended

Can ebgp-multihop on one peer work with ttl-security on the other?

Yes, but the ebgp-multihop side sends packets with the configured value as the TTL, so it must be large enough (e.g. ebgp-multihop 255) to still satisfy the ttl-security side, which requires a received TTL >= 255 - hops
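
Added example (not from the card set) showing both GTSM peerings described above and the mixed case: router names, AS numbers and addresses are assumptions.

```cisco
! R1: directly connected eBGP peer, GTSM on both sides (mirror this on R2)
router bgp 65001
 neighbor 198.51.100.2 remote-as 65002
 neighbor 198.51.100.2 ttl-security hops 1
!
! R3: loopback peering with R4 two hops away. GTSM sends TTL 255 and only
! accepts packets whose TTL is still >= 255 - hops (here 253).
router bgp 65003
 neighbor 192.0.2.4 remote-as 65004
 neighbor 192.0.2.4 update-source Loopback0
 neighbor 192.0.2.4 ttl-security hops 2
!
! R4 uses ebgp-multihop instead. A plain "ebgp-multihop 2" would leave R4 with
! TTL 2 and arrive at R3 with TTL 1, which R3's check rejects, so send 255.
router bgp 65004
 neighbor 192.0.2.3 remote-as 65003
 neighbor 192.0.2.3 update-source Loopback0
 neighbor 192.0.2.3 ebgp-multihop 255
```

ttl-security and ebgp-multihop are mutually exclusive on the same neighbor statement; configure one or the other per peer, and check the result with show ip bgp neighbors <address>.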

Can you assign views to specific users?

Yes with the command username <NAME> view <VIEWNAME>

Is IP Source Guard treated differently for static hosts on a Layer 2 access port?

Yes, slightly. Standard IPSG (DHCP bindings or ip source binding entries) works on any Layer 2 port type, including trunks. IPSG for static hosts works only on Layer 2 access ports and needs ip verify source tracking on the interface plus ip device tracking globally

Can you apply an ACL to a uRPF statement?

Yes, to exempt or log certain source addresses that fail the check

What is the keyword that sets a view up to be a superview?

superview, at the end of the command: parser view <NAME> superview

In a traceroute, if the device receiving the probe is the destination, what does it send back?

An ICMP port unreachable message (because nothing listens on the high UDP port, 33434 and up)

What kind of probe does traceroute use?

A UDP probe sent three times per TTL value, to destination ports starting at 33434

How does path MTU discovery work?

Packets are sent with the DF bit set; when a hop cannot forward one without fragmenting it returns an ICMP fragmentation-needed message, and the sender reduces the packet size until the destination answers

In a traceroute, what does the receiving device send back to the sender when the TTL expires?

An ICMP time-exceeded message

what is the command to configure aaa for authentication of logins?

aaa authentication login

If you were applying RADIUS, then TACACS+ and then the local database for login, how would you configure this on the router?

aaa authentication login default group radius group tacacs+ local

what command must be enabled for aaa to work?

aaa new-model

what needs to be enabled before you can configure views?

aaa new-model

Define the difference between periodic and absolute time-ranges

absolute defines a one-off window with start and end dates, say 10 Jan - 11 Jan 2015. periodic ranges repeat (days of the week and times)
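
Added example, not from the card set, of both time-range types attached to an ACL; the dates, subnets and names are assumptions.

```cisco
! absolute: a one-off window. The end time 23:59 is inclusive through 23:59:59.
time-range MAINT-WINDOW
 absolute start 00:00 10 January 2015 end 23:59 11 January 2015
!
! periodic: recurs every matching day; 17:00 covers through 17:00:59.
time-range BUSINESS-HOURS
 periodic weekdays 08:00 to 17:00
!
ip access-list extended INSIDE-IN
 permit tcp 10.0.10.0 0.0.0.255 any eq 443 time-range BUSINESS-HOURS
 permit tcp host 10.0.10.5 any eq 22 time-range MAINT-WINDOW
 permit udp 10.0.10.0 0.0.0.255 any eq domain
 deny   ip any any log
!
interface GigabitEthernet0/1
 ip access-group INSIDE-IN in
```

show time-range and show access-lists report each range as active or inactive. The entries are only as trustworthy as the router clock, so pair this with authenticated NTP.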

What are the key steps to ARP inspection logging?

Add the log keyword to the ARP ACL entry, then turn on ACL-match logging for the VLAN with "ip arp inspection vlan X logging acl-match matchlog"

What does specifying a list-name in aaa authentication login allow you to do?

Apply that authentication method list to specific lines (console, aux, vty) instead of the default list

When using ip arp inspection without DHCP snooping, what must you configure instead?

arp access-lists that map IP addresses to MAC addresses, applied with ip arp inspection filter

What do untrusted DHCP snooping ports face?

Clients (hosts)

What are the two ICMP message types that must be permitted in an ACL for ping to work?

echo and echo-reply

If you are in one view and want to switch to another, what command do you use?

enable view <NAME>

What state does the port go into with the port-security shutdown violation mode?

err-disabled

What does the command aaa authorization exec allow?

EXEC shell access authorized by a method list (local database, none, if-authenticated, group tacacs+ ...). It is applied to the vty / console lines with the line command authorization exec <list>; the default list applies to all lines automatically

What does GTSM stand for?

Generalized TTL Security Mechanism (RFC 5082); in IOS it is applied to BGP with ttl-security hops

Under what 3 scenarios would you configure a port to be DHCP snooping trusted?

If a DHCP server is attached to it, if a relay agent or another switch (uplink) is attached to it, or if a client is attached and you simply want its DHCP to work without inspection. Usually only server and uplink ports are trusted

What direction can MAC ACLs be applied in?

inbound

what direction can port acls be applied in, only?

inbound

When using HSRP with port security on the switch port facing the router, what do you need to consider?

The port sees two source MACs (the interface BIA and the HSRP virtual MAC): raise the maximum to 2, or use standby use-bia on the router so the default FHRP virtual MAC is not used
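
Added example (not from the card set) of both fixes for the HSRP / port-security interaction above; addresses, the HSRP group and interface names are assumptions.

```cisco
! Router side: HSRP group 1, virtual MAC 0000.0c07.ac01
interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
!
! Switch side, port facing that router: frames arrive from both the interface
! BIA and the virtual MAC, so the default maximum of 1 triggers a violation.
interface GigabitEthernet0/10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
! Alternative on the router: use the burned-in address as the virtual MAC so
! the switch port only ever sees one source MAC.
interface GigabitEthernet0/0
 standby use-bia
```

With use-bia the virtual MAC changes on failover, so hosts depend on gratuitous ARP to update their caches; raising the maximum on the switch port is the less disruptive choice.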

What does uRPF do?

it mitigates spoofed or malformed packets by discarding packets with an unverifiable source IP address

What needs to be configured on the trusted ports with Dynamic ARP Inspection?

ip arp inspection trust

On an IOS DHCP server or relay, what do you have to configure so that option-82 packets with giaddr 0.0.0.0 are accepted rather than dropped?

ip dhcp relay information trusted on the interface, or ip dhcp relay information trust-all globally
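
Added example, not from the card set, of the three ways to resolve the option-82 / giaddr 0.0.0.0 drop between a snooping access switch and an IOS relay; the SVI, helper address and VLAN are assumptions.

```cisco
! Layer 3 relay (or IOS DHCP server) receiving packets from an access switch
! that does DHCP snooping: option 82 is present but giaddr is still 0.0.0.0
! because the switch is not a relay agent. By default IOS drops these.
!
! Option A: trust every interface on the relay
ip dhcp relay information trust-all
!
! Option B: trust only the interface facing the snooping switch
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip helper-address 10.0.0.20
 ip dhcp relay information trusted
!
! Option C, on the access switch instead: do not insert option 82 at all
! (this forgoes the circuit/remote-ID information the server could use)
! no ip dhcp snooping information option
```

Pick A or B when the DHCP server uses option 82 (e.g. per-port address assignment); pick C when it does not, since then there is nothing to gain from inserting it.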

What command configured RCP?

ip rcmd

To run commands on a router using rsh, what needs to be enabled on the server end?

ip rcmd rsh-enable, and then: 1. Set up the user with privilege 15 2. Specify: ip rcmd remote-host <USER_FROM_1> <CLIENT_IP> <REMOTE_USERNAME> enable
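
Added example (not from the card set) of a working rcp/rsh pair; hostnames, addresses and the user name are assumptions.

```cisco
! --- Server (R1, 10.0.0.1) ---
hostname R1
username rcpadmin privilege 15 secret RcpAdminPass1
ip rcmd rcp-enable
ip rcmd rsh-enable
! local user <- requests from 10.0.0.2 that claim the remote username "rcpadmin";
! "enable" lets rsh run privileged commands such as show running-config
ip rcmd remote-host rcpadmin 10.0.0.2 rcpadmin enable
!
! --- Client (R2, 10.0.0.2) ---
hostname R2
! Without this the client sends its hostname (R2) as the remote username, and
! the server's remote-host entry would have to name R2 instead of rcpadmin.
ip rcmd remote-username rcpadmin
!
! then, from R2's privileged EXEC:
! copy running-config rcp://rcpadmin@10.0.0.1/r2-backup.cfg
! rsh 10.0.0.1 /user rcpadmin show version
```

There is no password anywhere in this exchange: the server trusts the claimed username plus the source IP, and everything travels in cleartext, so keep rcmd confined to a management network or use SCP over SSH instead.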

Along with the ip verify source command, if you are not using DHCP snooping, what else needs to be configured?

ip source binding entries for the static IP / MAC pairs in that VLAN

What command enable unicast reverse path forwarding?

ip verify unicast on the interface

what is the uRPF command?

ip verify unicast source reachable-via {rx|any}

When syslog generates an SNMP trap event, where does it go before being sent to the NMS (SNMP server)?

Into the logging history table on the router, which keeps a copy of each message sent as a trap

With an ARP ACL, what does the static keyword mean in the ip arp inspection filter NAME vlan X command?

That the DHCP snooping database is NOT consulted after the ACL: an ARP packet that matches no ACL entry is simply dropped

In an Ethernet II (DIX) frame the field after the source MAC is the ethertype; what is it in 802.3?

The length of the data field (the bytes between the length field and the FCS); values of 1500 or less are a length, values of 1536 (0x0600) or more are an ethertype

if you wanted to block a login attempt after x number of attempts what is the command you would use?

login block-for
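
Added example, not from the card set, of the login enhancements together with the quiet-mode exception; the management host address is an assumption.

```cisco
! Hosts allowed to keep logging in while the quiet period is active
ip access-list extended MGMT-HOSTS
 permit tcp host 10.0.0.5 any eq 22
!
! After 3 failed logins within 120 s, refuse all logins for 300 s ...
login block-for 300 attempts 3 within 120
! ... except from MGMT-HOSTS
login quiet-mode access-class MGMT-HOSTS
! slow down guessing between attempts, and log both outcomes
login delay 2
login on-failure log
login on-success log
```

show login shows whether the router is in normal or quiet mode and the remaining quiet time; show login failures lists the source addresses and usernames behind the block.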

What feature protects routers / switches from a brute-force login attack?

Login enhancements (login block-for)

What command do you use to setup a mac ACL?

mac access-list extended XXX
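
Added example (not from the card set) of a MAC ACL that uses the LSAP, ethertype and multicast-MAC values from the cards above while keeping STP and the Cisco control protocols working; the interface and ACL name are assumptions.

```cisco
mac access-list extended NON-IP-FILTER
 ! keep STP: BPDUs use LSAP 0x42/0x42 (mask 0x0000 = exact match)
 permit any any lsap 0x4242 0x0000
 ! keep Cisco SNAP protocols (CDP/VTP/DTP/UDLD/PAgP) and PVST BPDUs by their
 ! destination multicast MACs (odd first byte = I/G bit set)
 permit any host 0100.0ccc.cccc
 permit any host 0100.0ccc.cccd
 ! drop legacy non-IP protocols: AppleTalk by ethertype, IPX by LSAP 0xE0
 deny   any any 0x809b 0x0000
 deny   any any lsap 0xe0e0 0x0000
 ! everything else non-IP (there is an implicit deny at the end)
 permit any any
!
interface GigabitEthernet0/5
 switchport mode access
 mac access-group NON-IP-FILTER in
```

IP frames are never evaluated by this ACL, so an ip access-group is still needed for them, and the ACL can only be applied inbound on the Layer 2 port.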

If using NBAR, what command in the class-map lets you specify the website that the rule applies to?

match protocol http host <pattern>
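
Added example, not from the card set, that drops .exe downloads and all HTTP to one site with NBAR; the host pattern and interface are assumptions.

```cisco
class-map match-any HTTP-EXE-DOWNLOADS
 match protocol http url "*.exe"
class-map match-any HTTP-BLOCKED-HOST
 match protocol http host "*.example.com"
!
policy-map HTTP-FILTER
 class HTTP-EXE-DOWNLOADS
  drop
 class HTTP-BLOCKED-HOST
  drop
!
interface GigabitEthernet0/0
 description LAN facing the clients
 service-policy input HTTP-FILTER
```

This only classifies plaintext HTTP: the URL and Host header of an HTTPS request are inside TLS and invisible to NBAR. show policy-map interface GigabitEthernet0/0 confirms which class the drops land in.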

Can you use IP Source Guard for static hosts (ip verify source tracking) on trunk ports?

No, only on Layer 2 access ports

For NTP authentcation, what command must be configured for the keys to work?

ntp trusted-key

What ICMP message does PMTUD rely on?

ICMPv4 "fragmentation needed and DF set" (type 3 code 4), called "Packet Too Big" in ICMPv6

what command enables you to setup a view?

parser view <NAME>

what command enables you to set up role-based views with specific ability to run specific commands?

parser view <ROLENAME>.

What mode does the IOS FTP client run in by default, and how do you change it to the other mode?

Passive; switch to active with no ip ftp passive

What is the difference between the ntp access-group keywords peer and serve-only?

peer allows the hosts in the ACL to synchronise this router and to send control queries (two-way); serve-only is configured on the server and only allows it to serve time to the clients in the ACL
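
Added example (not from the card set) of authenticated NTP with the two access-group types; addresses and the key are assumptions.

```cisco
ntp authenticate
ntp authentication-key 1 md5 NtpSharedSecret1
! a key is ignored for authentication until it is marked trusted
ntp trusted-key 1
!
! upstream time source, authenticated with key 1
ntp server 10.0.0.40 key 1
!
access-list 20 permit 10.0.0.40
access-list 21 permit 10.0.10.0 0.0.0.255
! peer: the upstream may synchronise us and send control queries
ntp access-group peer 20
! serve-only: the client subnet may only obtain time from us
ntp access-group serve-only 21
```

show ntp associations detail shows whether the association is authenticated; show ntp status confirms the clock is synchronised.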

With local users, if a user is at a low privilege level, how do you let that user execute specific EXEC commands?

Reassign those commands to the user's level: privilege exec level X <command> in global configuration

"switchport port-security aging type" does what?

Sets whether secure MAC addresses age out after an absolute time or after a period of inactivity
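
Added example, not from the card set, of a level-5 user granted a handful of commands with the privilege command; the user, password and commands are assumptions.

```cisco
username junior privilege 5 secret JuniorPass1
enable secret level 5 Level5EnablePass
!
! junior may enter config mode, but only the interface sub-mode, and there
! only shutdown / no shutdown and description; clear counters is also granted
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 shutdown
privilege interface level 5 description
privilege exec level 5 clear counters
```

After logging in, junior runs enable 5 and show privilege reports level 5. Commands moved to level 5 become visible to every user at level 5 or above, so this is coarser than parser views.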

What command enables you to control the access of a user outbound for the likes of telnet / ssh access etc?

username BOB access-class, where the access-class references an access-list

what is the command used for HSRP?

standby

what are the two modes of uRPF?

strict and loose

What are the three view types?

root view, superview and lawful intercept view

In order to enable IPSG AND MAC port security, what command must you have on the interface for port security?

switchport port-security: it must be enabled on the interface before ip verify source port-security will work

What port-security command prevents MAC flooding on a port?

switchport port-security maximum <n> (with a violation mode); the aging commands only control how long learned secure MACs are kept

With traceroute, what is the destination IP of the probe packet?

the final destination

What happens to a port when the rate of ARP packets exceeds the configured DAI threshold (ip arp inspection limit rate)?

The port goes into the err-disabled state

When creating VLAN ACLs, what are the three things to configure?

The access list (IP or MAC, standard or extended), the vlan access-map, and the vlan filter
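
Added example (not from the card set) walking through the five VLAN map steps with one IP and one MAC ACL; the VLAN, subnet and names are assumptions.

```cisco
! 1. the ACLs that select traffic
ip access-list extended VLAN20-TFTP
 permit udp 10.0.20.0 0.0.0.255 any eq tftp
mac access-list extended VLAN20-APPLETALK
 permit any any 0x809b 0x0000
!
! 2-4. the map: drop TFTP and AppleTalk, forward the rest
vlan access-map VLAN20-FILTER 10
 match ip address VLAN20-TFTP
 action drop
vlan access-map VLAN20-FILTER 20
 match mac address VLAN20-APPLETALK
 action drop
! catch-all: a sequence with no match clause matches everything
vlan access-map VLAN20-FILTER 30
 action forward
!
! 5. apply; there is no direction, it applies to traffic bridged within
!    VLAN 20 and to traffic routed into or out of it
vlan filter VLAN20-FILTER vlan-list 20
```

Without sequence 30 everything not matched by 10 or 20 would be dropped, which is the classic way to black-hole a VLAN by accident.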

What does control-plane policing actually control?

Traffic destined to or sourced from the route processor (the control plane) itself, not transit traffic

For the VTY line, how is the user's view applied?

Through EXEC authorization: configure aaa authorization exec default local so that the view assigned in the username entry is applied when the user logs in
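
Added example, not from the card set, of role-based CLI views, a superview and the AAA lines that attach them at login; view names, users and passwords are assumptions.

```cisco
aaa new-model
aaa authentication login default local
! EXEC authorization is what attaches the view from the username entry at login
aaa authorization exec default local
enable secret RootEnablePass1
!
! Views are created from the root view: "enable view", then the enable secret.
parser view HELPDESK
 secret HelpdeskViewPass1
 commands exec include show ip interface brief
 commands exec include show interfaces
 commands exec include ping
!
parser view L2OPS
 secret L2OpsViewPass1
 commands exec include configure terminal
 commands configure include interface
 commands interface include shutdown
 commands interface include description
!
! superview: the union of its member views, no commands of its own
parser view NETOPS superview
 secret NetopsViewPass1
 view HELPDESK
 view L2OPS
!
username bob view HELPDESK secret BobPass1
username alice view NETOPS secret AlicePass1
!
line vty 0 4
 transport input ssh
```

show parser view lists the configured views, and a logged-in user can move between views they hold the secret for with enable view <NAME>.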

How is ip source guard configured?

with DHCP snooping, or a static list (ip source binding) and then on the interface with ip verify source
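
Added example (not from the card set) combining DHCP snooping, Dynamic ARP Inspection with an ARP ACL and logging, IP Source Guard and port security on one access switch; VLAN 10, the interfaces and the static host 10.0.10.50 / 0011.2233.4455 are assumptions.

```cisco
ip dhcp snooping
ip dhcp snooping vlan 10
! the upstream relay in this example does not trust option 82 with giaddr 0,
! so stop inserting it (the alternative is "ip dhcp relay information trusted"
! on the relay)
no ip dhcp snooping information option
!
! DAI for the VLAN; the static host has no DHCP binding, so map it in an ARP ACL
ip arp inspection vlan 10
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.50 mac host 0011.2233.4455 log
ip arp inspection filter STATIC-HOSTS vlan 10
ip arp inspection vlan 10 logging acl-match matchlog
!
! IPSG binding for the same static host (DHCP clients get theirs from snooping)
ip source binding 0011.2233.4455 vlan 10 10.0.10.50 interface GigabitEthernet0/2
!
interface GigabitEthernet0/1
 description uplink towards DHCP server and relay
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/2
 description access port, static host
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip verify source port-security
!
interface GigabitEthernet0/3
 description access port, DHCP client
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security aging type inactivity
 switchport port-security aging time 10
 ip verify source
```

The ARP filter is deliberately applied without the static keyword: with static, ARP packets from the DHCP client on Gi0/3 would match no ACL entry and be dropped, because the snooping database is then never consulted. Verify with show ip dhcp snooping binding, show ip source binding, show ip verify source and show ip arp inspection statistics vlan 10.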

With uRPF, what is the difference between the keywords rx and any?

With rx the source prefix MUST be in the FIB and the best path back to it MUST point out the interface the packet was received on. With any the route just has to exist in the FIB
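
Added example (not from the card set) of strict and loose uRPF with an exemption ACL and logging, covering the uRPF cards above; interfaces, addresses and the ACL number are assumptions.

```cisco
ip cef
!
! Consulted only for packets that FAIL the RPF check: permit = forward anyway
! (here a known multihomed customer block), deny = drop, logged via "log"
access-list 100 permit ip 192.0.2.0 0.0.0.255 any
access-list 100 deny   ip any any log
!
! Strict mode on a single-homed customer-facing interface: the source prefix
! must be in the FIB AND the best path back to it must point out this interface
interface GigabitEthernet0/1
 description customer edge (symmetric routing)
 ip address 203.0.113.1 255.255.255.252
 ip verify unicast source reachable-via rx 100
!
! Loose mode on a peering interface where routing is asymmetric: only requires
! that some route to the source exists in the FIB
interface GigabitEthernet0/2
 description peering (asymmetric routing)
 ip address 198.51.100.1 255.255.255.252
 ip verify unicast source reachable-via any
```

Loose mode on an interface with a default route matches everything unless allow-default is deliberately added, so it only drops sources with no route at all. show ip interface GigabitEthernet0/1 shows the verification mode and drop count; show ip traffic | include RPF gives the router-wide total.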

How is a control-plane policy applied?

With the global command control-plane and then service-policy input <policy> under it

How do you specify the TACACS+ or RADIUS server to use?

With tacacs server <NAME> or radius server <NAME> (followed by address ipv4 and key); the older syntax is tacacs-server host / radius-server host
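
Added example (not from the card set) of the AAA server definitions together with the default and a named login method list from the cards above; server addresses, keys and names are assumptions.

```cisco
aaa new-model
!
radius server ISE-RADIUS
 address ipv4 10.0.0.31 auth-port 1812 acct-port 1813
 key RadiusSharedSecret1
tacacs server ISE-TACACS
 address ipv4 10.0.0.30
 key TacacsSharedSecret1
!
! default list: RADIUS, then TACACS+, then local. The next method is tried only
! when the previous server group does not answer, not when it rejects the user.
aaa authentication login default group radius group tacacs+ local
! named list for the console so an unreachable AAA server cannot lock it out
aaa authentication login CONSOLE local
aaa authorization exec default group tacacs+ if-authenticated
!
username admin privilege 15 secret LocalAdminPass1
!
line console 0
 login authentication CONSOLE
line vty 0 4
 transport input ssh
```

The vty lines need no login authentication statement because the default list applies to every line that has no named list; test authentication server reachability before relying on the fallback.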

