6 Security

Control Plane

1. CoPP – Control Plane Policing Control Plane Policing is used to apply policy maps to traffic going to or coming from the control plane. This feature also mitigates DoS attacks by filtering traffic that arrives at the processor. First, you should define a policy-map using MQC. Then, apply this …

Switch ACLs

1. Port ACLs Can only be applied on physical L2 interfaces on a switch (not on etherchannels). They can only be applied on the inbound direction. A port ACL can be either a Standard ACL, an Extended ACL or an Extended MAC ACL. Only one standard or extended ACL and …

802.1x

1. Device Roles Client – aka “The Supplicant” – The client device that connects to the network. It must run 802.1x-compliant software. Authentication Server – performs the actual authentication based on the client credentials. Switch – aka “The Authenticator” – acts as a proxy between the Client and …

DHCP Snooping and DAI

1. DHCP Snooping DHCP snooping can prevent unauthorized DHCP servers from replying to DHCP requests. A switch can define interfaces as trusted or untrusted. A trusted interface is where a DHCP server should be connected. On such interfaces, DHCP server messages are allowed. On all other untrusted ports, DHCP server …

Switchport Port Security

Port Security restricts the number of stations that are allowed to access a switch port. 1. Define allowed hosts Each time a host attempts to send a frame, the source MAC address is added to the list of secure MACs. This list of secure MAC addresses has a limited size, …

Switchport Traffic Control

1. Storm Control The Storm Control feature will disable the interface as soon as a specific threshold is passed. The threshold is measured every 1 second. The threshold can represent the amount of broadcast, multicast or unicast traffic and it can be configured with: All traffic on the interface will be …

Controlling CLI Access

1. CLI Modes User EXEC Mode Privileged EXEC Mode Configuration Mode To protect access to the Privileged EXEC mode, use: 1.1 Custom Privilege Levels These commands are not compatible with AAA mode of operation. By default, there are only 3 privilege levels: Level 0 = no rights Level 1 = …

AAA 101

1. Enabling AAA new-model AAA stands for Authentication, Authorization and Accounting. Authentication is the process of identifying users based on some credentials (passwords, digital certificates, tokens). Authorization is the process of allowing an authenticated user to access specific services or a specific level of administration, while accounting is the process …

Zone Based Firewall

1. Basics A Zone Based Firewall uses the same inspection engine as CBAC, but works with security zones, not with individual interfaces. A zone groups multiple interfaces together. By default, traffic is allowed between interfaces in the same zone, but is not allowed between interfaces in different zones. You can …

More ACLs

1. Time-based ACLs Define the time range: Add the time-range to the ACL: 2. Reflexive ACLs A reflexive ACL is used to permit outgoing traffic that was originated on one side of the connection (inside) and allow the returning packets from the other side (outside), but to deny traffic that …