Currently browsing tag

Security

Control Plane

1. CoPP – Control Plane Policing Control Plane Policing is used to apply policy maps to traffic going to or coming from the control plane. This feature also mitigates DoS attacks by filtering traffic that arrives at the processor. First, you should define a policy-map using MQC. Then, apply this …

Switch ACLs

1. Port ACLs Can only be applied on physical L2 interfaces on a switch (not on etherchannels). They can only be applied on the inbound direction. A port ACL can be either a Standard ACL, an Extended ACL or an Extended MAC ACL. Only one standard or extended ACL and …

Switchport Port Security

Port Security restricts the number of stations that are allowed to access a switch port. 1. Define allowed hosts Each time a host attempts to send a frame, the source MAC address is added to the list of secure MACs. This list of secure MAC addresses has a limited size, …

Controlling CLI Access

1. CLI Modes User EXEC Mode R> ! To enter the Privileged Exec Mode R> enable Privileged EXEC Mode R# ! To go back to the User Exec Mode R# disable Configuration Mode ! To enter config mode R# config terminal ! To exit config mode: R(config)# end To protect …

AAA 101

1. Enabling AAA new-model AAA stands for Authentication, Authorization and Accounting. Authentication is the process of identifying users based on some credentials (passwords, digital certificates, tokens). Authorization is the process of allowing an authenticated user to access specific services or a specific level of administration, while accounting is the process …

Zone Based Firewall

1. Basics A Zone Based Firewall uses the same inspection engine as CBAC, but works with security zones, not with individual interfaces. A zone groups multiple interfaces together. By default, traffic is allowed between interfaces in the same zone, but is not allowed between interfaces in different zones. You can …

More ACLs

1. Time-based ACLs Define the time range: R(config)# time-range TIME-RANGE R(config-time-range)# periodic DAYS-OF-WEEK HH:MM to [DAYS-OF-WEEK] HH:MM ! adds a recurring time to the time-range ! DAYS-OF-WEEK: daily (M-S), weekdays(M-F), weekend(S,S), Monday, Tuesday, … R(config-time-range)# absolute [start TIME DATE][end TIME DATE] ! adds an absolute time to the time-range ! …

Cisco IOS Firewall

1. CBAC – Context Based Access Control CBAC allows examination of traffic at the Application Layer, not just Layer 3 or Layer 4 as in ACLs. It can maintain session information and create temporary openings to allow return traffic for permissible sessions. CBAC maintains a state table both for TCP …

ACLs 101

An ACL contains one or more ACEs (Entries) that permit or deny traffic and have an implicit deny any at the end. 1. Numbered ACLs 1.1 Standard ACLs R(config)# access-list ACL-NUMBER {permit|deny} {IP-ADDRESS [WILDCARD] | any} [log] ! ACL-NUMBER: 1-99, 1300-1999 ! when the wildcard is missing, a default of …