CCIE - Security
With TFTP, how do you specify the TFTP details of a router (i.e. with the router as a TFTP server)?
Just simply using the command tftp: - you can then specify an alias and access list
What are the three modes of port security
restrict, protect and shutdown
What is the purpose of the established keyword in an ACL?
Checks the state of the ACK bit to ensure this is an established connection
Name the LSAP value for STP in an 802.3 frame
0x4242
Name the LSAP value for SNAP (used by VTP / CDP / DTP / UDLD)?
0xAAAA
What are the only policing commands that can be applied to a control plane policy?
police or drop
What takes precedence: a port ACL, router ACL or a VLAN ACL?
port acl
What's the difference between verify source and verify source port-security?
The port-security version checks against the MAC as well as the IP - the other just checks against the IP
What message is delivered back to the source from the final destination in the traceroute?
port unreachable
Why have DHCP snooping enabled?
To prevent rogue DHCP servers, to enable IP source guard, and to enable DARP.
In order to view logs of the ARP requests in DAI, what must you do when the entries are static?
put the log command on the ACL
what does a similar job as ebgp-multihop?
ttl-security hops
With port security, what is an important step to take in order for this to work?
turn it on at the interface with the command switchport port-security
How can you limit the login attempts for a user's telnet access to a router that has a username and password?
Under exec use the login command (not under line vty etc. - this is not where this is controlled)
If the DHCP server is an IOS router, how can you configure the router to ensure that a DHCP address is still handed out even though the giaddr is 0.0.0.0?
use the command "ip dhcp relay information trusted"
What can we do to prevent traceroute responses on an interface?
use the command no ip unreachables
How can you stop a DHCP snooping switch from inserting the option 82 details, which includes setting the giaddr to zero?
Use the command on the snooping switch: "no ip dhcp snooping information option"
How do you apply the view to a user?
username <NAME> view <VIEWNAME>
What does uRPF prevent?
Spoofed-source-IP packets and malformed packets arriving at the router on an interface it is not expecting them on.
What is the HSRP group MAC address?
0000.0c07.ACxy (where xy is the group number in HEX!)
What is the OUI in SNAP for CISCO?
00:00:0C
What is the MAC used for VTP/CDP/UDLD/DTP/PAgP?
01:00:0c:cc:cc:cc
What is the MAC used for PVST?
01:00:0c:cc:cc:cd
Name the LSAP value for IP in an 802.3 frame
0x0606
What is the ethertype for ARP in hex?
0x0806
What are the 3 default authentication levels?
0, 1, 15
What are the 5 key steps / commands to use a VLAN map?
1. create the IP / MAC ACL 2. Use the vlan access-map global command 3. Specify action (forward / drop) 4. Match against the ACL 5. Apply to VLAN with "vlan filter"
On what source port does an FTP server connect to a client in active mode?
20
If we define a time range that specifies a time of 2:00 - 3:00, what are the real times used?
2:00 - 3:00:59 - it uses up to the last second in the range
What is the port number that traceroute starts at?
33434
Which of the two uses port 20 in FTP, active or passive?
Active
What gets inspected first, an ARP ACL or the DHCP snooping DB?
ACL then DB
For time-ranges, how can you specify dates and times for an ACL: using absolute or periodic ranges?
Absolute
Who is the authorization process applied to?
Any authenticated users
What direction is uRPF configured on, ingress interface or egress?
Ingress
What needs to be on for uRPF to work?
CEF
What common CISCO processing services must be turned on for uRPF to work?
CEF - it uses the FIB table
What technology avoids ARP poisoning attacks?
DARP Inspection
With DARP, why would you have an arp access-list?
DARP relies on the DHCP snooping database. If you don't have the DHCP snooping DB then you have to map the IPs to the MAC addresses somehow for permission.
Is uRPF an input or an output function?
Input - it's configured on the input interface at the upstream end of a connection
The information option is inserted into packets when?
DHCP snooping is enabled on any switch, or when there is an IOS relay device
In uRPF, what 2 things does the ACL do?
Determines if the packet should be dropped or permitted if the source fails the RPF check, and also enables us to log the packets that get dropped.
If no ACL is specified in uRPF what does the router do with the packet by default?
Drops it with no log
T/F: MAC ACLs applied to an L2 port check IP and non-IP based traffic?
False - they do not check IP-based traffic.
T/F: policy routing applied to a local interface will always apply to packets whose destination is the local router
False. The ICMP lab for packet size would only apply the route-map to packets transiting the router
What feature protects the router from dictionary brute force attacks?
IOS Login Enhancements / Login Block
What do you specify in nbar in order to block https:// downloads of specific files
ip nbar protocol http url
So if you have loose-mode uRPF, what's the point if it accepts the packet even though there are multiple routes out of different interfaces?
It checks that there is even a route - no route and the packet's dropped.
How does uRPF work?
It checks the packet to ensure that the source address is in the routing table and matches the interface it's being received on
What does a VLAN map do?
It controls traffic INSIDE a VLAN
How does loose-mode uRPF work?
It doesn't check if the best path to the source is on the same interface the packet was received on - this is checked in the FIB
What does IOS by default do to a DHCP request that has a GIADDR address of 0.0.0.0?
It drops the packet
What does the command privilege X level command actually do?
It reassigns the command to the level specified
What do VLAN maps filter on?
MAC address, L3 information and / or ethertype
Do VLAN maps have a direction (in/out)?
No
Does a switch configured for DHCP snooping trust a DHCP request with a non-zero address in the giaddr if it's received on a non-trusted port?
No
Is outbound traffic from the router subject to an ACL check?
No
Is port 20 used in passive mode in FTP?
No
Does the fragments keyword in the ACL apply to the initial fragment in the packet?
No - as the initial fragment contains the important port / Layer 4 information
Does a router's own traffic get applied to an outbound ACL?
No - only transit traffic
Is it helpful to use MAC addresses in MAC ACLs?
No as only non-IP based traffic is checked.
Can you configure IP source guard on a routed port?
No, only on switchports
Can port ACLs be applied to port-channel interfaces?
No, only physical interfaces
Can you apply L2 ACLs outbound?
No, unless the interface is a SVI
Does RCP need a password?
No, username only
If you were to filter out the Layer 2 MAC addresses corresponding to secure IP addresses in IPSG, what command would you use?
On the interface level: ip verify source port-security - this basically enables port-security and IPSG at the same time.
In PMTU Discovery, what is the ICMP message received for a hop that doesn't have a high enough MTU (i.e. fragmentation required but DF bit set)?
Packet Too Big
In FTP active mode, what is the port number that the server connects to the client on to transfer data?
Port 20
What are three different kinds of ACLs used on a switch?
Port ACL, Router ACL, or VLAN ACL (VLAN Map)
What is something that ARP inspection can break, and how do you resolve this?
Proxy ARP, fix with ARP inspection trusted ports which don't inspect any ARP messages
With IP source guard, what is this protecting from?
Someone spoofing their neighbour's IP address, by tracking the IP address allocated to ports
If you wanted to enable a host / protocol during the login block-for quiet-period, what command would you use?
Specify an ACL and then use login quiet-mode
What does the lawful intercept view use as its basis for commands?
TAP-MIB which is a set of special SNMP commands
When applying MAC address filtering, what do you need to be careful of?
That you don't filter out BPDU and STP items.
With uRPF, if an ACL is applied to the rule, what must first happen regarding the traffic that arrives before the ACL's deny or permit takes effect, and what does the ACL determine?
The ACL only comes into effect if the source fails the uRPF check; then a deny causes the packet to be dropped, and a permit enables it to transit (be permitted)
Which bit in the most significant byte needs to be set in order to show this is a multicast MAC address?
The least significant bit
What are the other 2 bytes of the SNAP header if the first 3 are for the OUI?
The protocol ID (can be used as the ethertype in MAC filtering).
When private VLANs are configured, what can router ACLs be applied to?
The primary VLAN only
What does SNMP v3 essentially replace?
The requirements for the community security model
How does strict-mode uRPF work?
The router checks if the path to the source is on the same interface the packet was received on - this is checked in the FIB - if it isn't (i.e. asymmetrical routing) then the packet is dropped
What is the key to getting rcp to work?
The usernames. Ensure the following is configured on the server: 1. ip rcmd rcp-enable 2. ip rcmd remote-host <SERVER_LOCAL_USER> <CLIENT_IP> <CLIENT_ROUTER_NAME> enable; and on the client: 1. ip rcmd remote-username <SERVER_LOCAL_USER>
If you set the threshold for the packets per interval to be process switched (applied to logging on an ACL), what happens to the exceeding packets?
They are processed as per normal
When configuring aaa authentication login, what does the default keyword mean?
This is applied to all interfaces
What's the point of an ip arp trusted port?
This isn't checked against the DARP database
What message is sent back to the source for each hop in the traceroute?
Time-exceeded messages to say that the TTL has expired
MAC ACLs and Port ACLs are the same thing - T/F?
True
T/F the traceroute utility increments the port number for each hop starting at 33434
True
T/F: every logged packet is process switched
True
IP ACLs can be applied to L2 interfaces, T/F?
True, but only inbound.
What's a good way to restrict a local database user from being able to use specific commands?
Use a priv X level command where X is the level they are on
If you wanted to increase the buffer size of the table that syslog uses, how would you do this?
Use command logging history size
How do you turn off MTU discovery on a router?
Using the command no ip tcp path-mtu-discovery
When is a GIADDR changed to 0.0.0.0?
When DHCP snooping is enabled
Can a VLAN ACL use a MAC extended ACL as well as an IP ACL?
Yes
For IPSG do you have to enable DHCP Snooping?
Yes
Should you have TTLSEC configured on BOTH peers?
Yes - bad practice to have one ttl-sec and the other ebgp-mul
Can you have IPSG and MAC port-security enabled on the device at the same time?
Yes and this is recommended
Can ebgp-multihop and ttl-sec work together on different peers with each other?
Yes they can, ebgp mul though has to account for the fact that it LEAVES the peer with the configured value.
Can you assign views to specific users?
Yes with the command username <NAME> view <VIEWNAME>
Is ip source guard treated differently with static hosts on a Layer 2 Access port?
Yes, slightly. Other traditional methods account for any type of port (i.e. trunk) - Layer 2 access ports need the following commands: ip verify source tracking, and ip device tracking
Can you apply ACLs against a uRPF statement?
Yes, to run this against certain IP addresses only.
What is the keyword that sets the view up to be a superview?
[superview]
In a traceroute if the receiving device of the probe is the destination what does this send back?
An ICMP port unreachable message (because the port above 30000 isn't open on the device)
What kind of probe does traceroute use?
a UDP probe sent three times to each hop, using port > 33434
How does MTU discovery work?
a packet is sent with the DF bit set, and the packet size is dropped until the router gets a response from the destination.
In a traceroute, what does the receiving device send back to the sender when the TTL is 0?
A time-exceeded ICMP message
What is the command to configure aaa for authentication of logins?
aaa authentication login
If you were applying radius, tacacs and then a local database login, how would you apply this on the router?
aaa authentication login default group radius group tacacs local
What command must be enabled for aaa to work?
aaa new-model
What needs to be enabled before you can configure views?
aaa new-model
Define the difference between periodic and absolute time-ranges
Absolute defines a certain date range, say 10 Jan - 11 Jan 2015. Periodic ranges are repetitive.
What are the key steps to ARP inspection logging?
Add the log keyword to the ACL line, turn on ARP logging with "ip arp inspection vlan X logging acl-match Y"
What does specifying a list-name in aaa authentication allow you to do?
apply the aaa authentication rule to a specific interface
When using ip arp inspection, if you're not using DHCP snooping, what must you configure instead?
arp access-lists that specify the IP address and the MAC address
What do untrusted DHCP snooping ports face?
clients
What are the two ICMP commands that enable ping across an ACL?
echo and echo reply
If you're in one view and you want to switch to another, what command do you use?
enable view <NAME>
What state does the port go into with a shutdown?
err-disable
What does the command aaa authorization exec allow?
Exec level access to the router based on the local database, none, or if-authenticated. This is applied to the vty / console with the authorization exec command
What does GTSM stand for?
Generic TTL Security Mechanism (applies to BGP)
Under what 3 scenarios would you configure a port to be DHCP snooping trusted?
If this has a DHCP server attached to it, if it has a client attached to it and you just want DHCP to work, or if this has a relay agent / device attached to it. (Usually you only set this if this is a server port)
What direction can MAC ACLs be applied in?
inbound
What direction can port ACLs be applied in, only?
inbound
When using HSRP and port-security, what do you need to consider?
Increase max MACs on the port to 2, or use the command standby use-bia (which doesn't use the default FHRP MAC address)
What does uRPF do?
It mitigates spoofed or malformed packets by discarding packets with an unverifiable source IP address
What needs to be configured on the trusted ports with DynARP inspection?
ip arp inspection trusted
On the DHCP IOS server, what do you have to configure to ensure that the giaddr 0.0.0.0 is ignored / accepted?
ip dhcp relay information option trust (either globally or on the interface)
What command configures RCP?
ip rcmd
To run commands on a router using rsh what needs to be enabled on the server end?
ip rcmd rsh-enable and then: 1. Set up the user with priv 15 2. Specify: ip rcmd remote-host <USER_IN_1_ABOVE> <CLIENT_IP> <CLIENT_ROUTER_NAME> enable
Along with the ip verify source command, if you're not using DHCP snooping what else needs to be configured?
ip source binding list for static IP / MACs in that VLAN
What command enables unicast reverse path forwarding?
ip verify unicast on the interface
What is the uRPF command?
ip verify unicast source reachable-via {rx|any}
When syslog creates a snmp-trap event, where does this go to first before it gets sent to the NMS (SNMP SERVER)?
It goes into the history buffer on the router as a replicated event.
With an ARP ACL, what does the static keyword mean when applied to an ip arp inspection filter NAME vlan X command?
It means that it DOESN'T consult the DHCP snooping database after the ACL - it will simply drop the packet
In an Ethernet frame a field is the ethertype in DIX / Ethernet II, but what is it in 802.3?
Length (the length of what sits between the length field and the FCS)
If you wanted to block a login attempt after X number of attempts, what is the command you would use?
login block-for
What feature protects routers / switches from a brute force attack?
login enhancements
What command do you use to set up a MAC ACL?
mac access-list extended XXX
If using NBAR, what command do you use in the class-map that enables you to specify the website that the rule is applied to?
match protocol http host
Can you use static source guard on trunk ports?
no
For NTP authentication, what command must be configured for the keys to work?
ntp trusted-key
What ICMP message does PMTUD rely on?
Packet too big (i.e. fragmentation required but DF bit set)
What command enables you to set up a view?
parser view <NAME>
What command enables you to set up role-based views with specific ability to run specific commands?
parser view <ROLENAME>.
What mode does the FTP client run in by default, and how do you change this to the other mode?
Passive - you change this with no ip ftp passive
What's the difference between the ntp keywords peer and serve-only?
peer will allow an NTP client to have its date updated and permits control messages from those in the ACL; serve-only is configured on the server, where it will allow it to update only the clients specified in the ACL.
With local users, if you had a user under a specific low privilege, how would you enable that user to execute exec commands?
Set: privilege X level Y "command" in exec mode
"switchport port-security aging type" does what?
Sets the aging to be based on inactivity or an absolute timeframe
What command enables you to control the access of a user outbound for the likes of telnet / ssh access etc?
username BOB access-class, where the access-class references an access-list
What is the command used for HSRP?
standby
What are the two modes of uRPF?
strict and loose
What are the three view names?
superview, root view and lawful intercept view
In order to enable IPSG AND Mac port-security, what command must you have on the interface for MAC Port-Security?
switchport port-security - this MUST always be on if you will use the command ip verify source port-security (port-security keyword is optional)
What is a port-security feature / command that prevents MAC flooding on a port?
switchport port-security aging time
With traceroute, what is the destination IP of the probe packet?
the final destination
What happens to a port when the rate of ARP packets exceeds the configured threshold?
The port goes into an err-disabled state
When creating VLAN ACLs, what are the three things to configure?
The vlan access-list (ext|std), the vlan access-map and the vlan filter
What does control-plane policing actually control?
Traffic destined to / from the router process
For the VTY line, how is the view from the user applied to it?
Via the aaa authorization exec default command - you have to set up the authorization exec default local command as well
How is ip source guard configured?
With DHCP snooping, or a static list (ip source binding), and then on the interface with ip verify source
With uRPF, what's the difference between the keywords rx and any?
With rx, the prefix MUST be in the routing table and the interface the prefix was received on MUST match the RIB. For any, the route just has to be in the routing table, that's all.
How is a control-plane policy applied?
With the command control-plane, then under that "service-policy"
How do you specify the tacacs or radius server to use?
With the command tacacs server