Security

Control Plane

1. CoPP – Control Plane Policing. Control Plane Policing applies an MQC policy map to traffic going to (or coming from) the control plane. It mitigates DoS attacks against the router itself by classifying and rate-limiting the traffic that gets punted to the route processor. First, define a policy-map using MQC. Then, apply this …

Switch ACLs

1. Port ACLs. Port ACLs can only be applied to physical Layer 2 switch interfaces (not to EtherChannels), and only in the inbound direction. A port ACL can be a standard IP ACL, an extended IP ACL or an extended MAC ACL. Only one standard or extended ACL and …
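
An IP port ACL and a MAC port ACL applied inbound on two access ports, as an added example that is not part of the original post. The interface numbers, the server subnet and the MAC address are assumptions.

```cisco
! Added example (not from the original post). Interfaces, subnet and MAC are assumptions.
!
! IP port ACL on a user port: let DHCP through, keep the port away from the
! server VLAN, permit everything else. Only "in" is valid on a port ACL.
ip access-list extended PACL-USER
 permit udp any eq bootpc any eq bootps
 deny ip any 10.20.0.0 0.0.0.255
 permit ip any any
!
! MAC port ACL: only one source MAC may send on this port; the implicit deny
! at the end of the MAC ACL drops frames from any other source.
mac access-list extended PACL-PRINTER
 permit host 0000.1111.2222 any
!
interface FastEthernet0/5
 switchport mode access
 ip access-group PACL-USER in
!
interface FastEthernet0/6
 switchport mode access
 mac access-group PACL-PRINTER in
```

Verify with `show access-lists` and `show ip interface FastEthernet0/5` (the applied ACL name shows under "Inbound access list"). On Catalyst switches a MAC ACL matches only non-IP frames, so the IP port ACL still governs IP traffic on a port that has both; check the platform documentation before relying on a MAC ACL to filter IP hosts.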

Switchport Port Security

Port Security restricts the number of stations (MAC addresses) that are allowed to use a switch port. 1. Define allowed hosts. Each time a host sends a frame, its source MAC address is learned as a secure MAC address. The list of secure MAC addresses has a limited size, …
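
A port-security configuration for an access port, as an added example (not the original post's code); the interface, VLAN and maximum are assumptions.

```cisco
! Added example (not from the original post). Interface, VLAN and limits are assumptions.
!
! Port security is only accepted on a static access or trunk port; it is
! refused on a port left in "switchport mode dynamic".
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! With "violation shutdown" (the default) the port goes err-disabled on the
! first offending MAC. This lets it recover by itself after 5 minutes
! instead of needing a manual shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

`show port-security interface GigabitEthernet0/1` shows the secure addresses, the violation count and the current port status. Sticky addresses are written into the running configuration as the switch learns them, so a `write memory` is needed for them to survive a reload; `restrict` drops the offending frames and raises the violation counter (and a syslog/SNMP trap) without shutting the port, which is usually the better choice on user-facing ports.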

Controlling CLI Access

1. CLI Modes. User EXEC mode, Privileged EXEC mode and Configuration mode. To protect access to Privileged EXEC mode, use: 1.1 Custom Privilege Levels. These commands are not compatible with the AAA mode of operation. By default, only 3 privilege levels are in use: level 0 = effectively no rights (only disable, enable, exit, help and logout), level 1 = …
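
A custom privilege level for a help-desk role, as an added example that is not from the original post; the user names, secrets and the set of commands moved to level 5 are assumptions.

```cisco
! Added example (not from the original post). Names and secrets are placeholders.
!
! Separate enable secrets: level 15 for full access, level 5 for the help desk.
enable secret Sup3r-S3cret-15
enable secret level 5 H3lpd3sk-L5
!
! Move selected privileged-EXEC commands down to level 5. Assigning a
! multi-word command also makes its parent keywords ("show", "show ip")
! available at that level.
privilege exec level 5 show ip route
privilege exec level 5 show ip interface brief
privilege exec level 5 show logging
privilege exec level 5 clear counters
!
! A local user that lands directly at level 5 after login (no "enable" needed).
username helpdesk privilege 5 secret H3lpd3sk-Pa55
!
line vty 0 4
 login local
 transport input ssh
```

After logging in as `helpdesk`, `show privilege` reports level 5 and `show running-config` is still unavailable. Note that a level-5 user can still type `enable 15`; the level-15 secret, not the custom level, is what protects full access, so it must be strong and not shared with the lower-level secret.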

AAA 101

1. Enabling AAA new-model AAA stands for Authentication, Authorization and Accounting. Authentication is the process of identifying users based on some credentials (passwords, digital certificates, tokens). Authorization is the process of allowing an authenticated user to access specific services or a specific level of administration, while accounting is the process …
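
All three A's wired to a TACACS+ server with a local fallback, as an added example that is not part of the original post. The server name, its address, the shared key and the user accounts are placeholders; the named `tacacs server` syntax assumes a recent IOS (older releases use `tacacs-server host`).

```cisco
! Added example (not from the original post). Server, key and users are placeholders.
!
! Create the local fallback account BEFORE "aaa new-model": that command
! immediately applies the default login method to every line, and with no
! reachable server and no local user you lock yourself out.
username admin privilege 15 secret Adm1n-Fallb4ck
!
aaa new-model
!
tacacs server ISE-1
 address ipv4 10.0.0.10
 key T4cacsK3y
aaa group server tacacs+ ADMIN-TACACS
 server name ISE-1
!
! Authentication: who you are. Ask TACACS+, fall back to the local database
! only if no server answers.
aaa authentication login default group ADMIN-TACACS local
aaa authentication enable default group ADMIN-TACACS enable
!
! Authorization: what you may do. EXEC privilege level plus per-command
! authorization for level-15 commands.
aaa authorization exec default group ADMIN-TACACS local
aaa authorization commands 15 default group ADMIN-TACACS if-authenticated
!
! Accounting: what you did. Session start/stop and every level-15 command.
aaa accounting exec default start-stop group ADMIN-TACACS
aaa accounting commands 15 default start-stop group ADMIN-TACACS
!
line vty 0 4
 transport input ssh
```

Apply this while keeping your current session open and test the login from a second session; `debug aaa authentication` and `show tacacs` tell you whether the server was reached. The `local` fallback is only consulted when the TACACS+ group is unreachable, not when it rejects the user.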

Zone Based Firewall

1. Basics A Zone Based Firewall uses the same inspection engine as CBAC, but works with security zones, not with individual interfaces. A zone groups multiple interfaces together. By default, traffic is allowed between interfaces in the same zone, but is not allowed between interfaces in different zones. You can …
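
A minimal two-zone firewall that lets the inside browse and resolve names while dropping everything initiated from outside, as an added example (not the original post's code). The zone names, class/policy names and interfaces are assumptions.

```cisco
! Added example (not from the original post). Zone, class and interface names are assumptions.
!
! 1. What to inspect: stateful inspection of these protocols from inside to
!    outside creates the return openings automatically.
class-map type inspect match-any INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
policy-map type inspect IN-OUT
 class type inspect INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! 2. Zones and the zone-pair. Only INSIDE -> OUTSIDE gets a policy, so
!    OUTSIDE -> INSIDE stays at the inter-zone default: denied.
zone security INSIDE
zone security OUTSIDE
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-OUT
!
! 3. Put interfaces into zones. An interface in no zone cannot talk to any
!    zoned interface at all.
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

`show policy-map type inspect zone-pair sessions` lists the tracked sessions. One caveat practitioners trip over: traffic to and from the router itself lives in the built-in `self` zone, which is allowed by default; to restrict management or routing-protocol traffic you need explicit zone-pairs with `self` as source or destination.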

More ACLs

1. Time-based ACLs. Define the time range, then add the time-range to the ACL. 2. Reflexive ACLs. A reflexive ACL permits outgoing traffic that originated on one side of the connection (inside) and lets only the returning packets back in from the other side (outside), but denies traffic that …
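
Both ACL types from the excerpt above, as an added example that is not from the original post; the networks, interface names, timeouts and the reflexive ACL names are assumptions.

```cisco
! Added example (not from the original post). Networks, interfaces and timeouts are assumptions.
!
! 1. Time-based ACL: web traffic from the LAN only during business hours.
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 18:00
!
ip access-list extended LAN-OUT
 permit tcp 192.168.1.0 0.0.0.255 any eq 80 time-range BUSINESS-HOURS
 permit tcp 192.168.1.0 0.0.0.255 any eq 443 time-range BUSINESS-HOURS
 permit udp 192.168.1.0 0.0.0.255 any eq 53
 deny ip any any log
!
interface GigabitEthernet0/1
 description Inside
 ip access-group LAN-OUT in
!
! 2. Reflexive ACL: sessions leaving the outside interface create temporary
!    mirror entries; inbound packets are allowed only if they match one.
!    Reflexive ACLs require *named* extended ACLs.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-MIRROR timeout 300
 permit udp any any reflect UDP-MIRROR timeout 60
 permit icmp any any reflect ICMP-MIRROR timeout 30
!
ip access-list extended INBOUND
 evaluate TCP-MIRROR
 evaluate UDP-MIRROR
 evaluate ICMP-MIRROR
 permit tcp any host 203.0.113.10 eq 22
 deny ip any any log
!
interface Serial0/0
 description Outside
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

`show access-lists` shows the dynamically created mirror entries while a session is alive; `show time-range` shows whether a range is currently active (the router clock, ideally NTP-synchronised, decides that). Two caveats: a `permit ip any any` placed above the `reflect` lines would let traffic out without creating a mirror entry, so the return packets would be dropped; and applications that open a second connection from the outside (active FTP, for example) do not work through a reflexive ACL, which is what CBAC's application inspection is for.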

Cisco IOS Firewall

1. CBAC – Context Based Access Control. CBAC examines traffic at the Application Layer, not just at Layer 3 or Layer 4 as ACLs do. It maintains session information and creates temporary openings to allow return traffic for permitted sessions. CBAC maintains a state table both for TCP …
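
A CBAC rule set inspecting sessions that leave through the outside interface, paired with a restrictive static ACL on the way in, as an added example (not the original post's code). The inspection rule name, interface and timeouts are assumptions.

```cisco
! Added example (not from the original post). Rule name, interface and timers are assumptions.
!
! Inspection rules: generic TCP and UDP, plus application-aware FTP (so the
! data channel the server opens back is permitted) and HTTP.
ip inspect name CBAC-OUT tcp timeout 3600
ip inspect name CBAC-OUT udp timeout 30
ip inspect name CBAC-OUT ftp
ip inspect name CBAC-OUT http
!
! Static ACL on the outside interface: only what CBAC opens dynamically,
! plus a few ICMP types, gets in. Everything else is logged and dropped.
ip access-list extended OUTSIDE-IN
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
!
interface Serial0/0
 description Outside
 ip access-group OUTSIDE-IN in
 ip inspect CBAC-OUT out
```

`show ip inspect sessions` lists the tracked sessions and `show ip inspect config` the active rules. CBAC inserts its temporary entries ahead of the static ACL on the inbound side, so the `deny ip any any log` line still catches everything that does not belong to an inspected session; inspecting `out` on the outside interface is equivalent to inspecting `in` on the inside interface, so pick one to avoid double inspection.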

ACLs 101

An ACL contains one or more ACEs (Access Control Entries) that permit or deny traffic, followed by an implicit deny any at the end. 1. Numbered ACLs 1.1 Standard ACLs. With the classic access-list syntax you cannot edit one individual entry of a numbered ACL: the ACL must be deleted and re-created. 1.2 Extended ACLs 1.2.1 Established …
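
A numbered standard ACL and an extended ACL using the `established` keyword, as an added example that is not from the original post; the addresses and interface are assumptions.

```cisco
! Added example (not from the original post). Addresses and interface are assumptions.
!
! Standard ACL: matches on source address only. The trailing deny is what the
! implicit deny would do anyway, but with logging.
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any log
!
! Extended ACL with "established": permit replies to TCP sessions started from
! the inside, one inbound SSH target, and nothing else.
access-list 110 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 110 permit tcp any host 192.168.1.10 eq 22
access-list 110 deny ip any any log
!
interface GigabitEthernet0/0
 description Outside
 ip access-group 110 in
!
! Reuse the standard ACL to restrict who may open a VTY session.
line vty 0 4
 access-class 10 in
```

`established` only tests whether the ACK or RST bit is set in the TCP header; it keeps no session state, so any attacker can craft an ACK-flagged segment that passes line one. Treat it as a cheap filter for the "replies only" case and use reflexive ACLs or CBAC where real state tracking matters. On IOS 12.3 and later you can also enter `ip access-list extended 110` and add or remove individual entries of a numbered ACL by sequence number instead of rebuilding the whole list.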