24 - Implementing Infrastructure Security Flashcards Preview

CCNP Enterprise ENCOR 350-401 > 24 - Implementing Infrastructure Security > Flashcards

Flashcards in 24 - Implementing Infrastructure Security Deck (27)
Loading flashcards...
1
Q

What are the features of standard ACLs?

A
  • check the source IP address
  • permit or denies an entire protocol suit
  • Named or numbered
  • Place as close to destination as possible
2
Q

What are the features of extended ACLs?

A
  • Checks the source and destination IP addresses
  • Generally, permits or denies specific protocols and applications
  • Named or numbered
  • Place as close to source as possible
3
Q

What are the number ranges for numbered standard ACLs?

A

1-99, 1300-1999

4
Q

What are the number ranges for numbered extended ACLs?

A

100-199, 2000-2699

5
Q

How do you configure a standard ACL?

A

RouterX(config)# access-list 1 permit 172.16.0.0 0.0.255.255

6
Q

How do you configure a extended ACL?

A

RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
RouterX(config)# access-list 101 permit ip any any

7
Q

How do you configure a standard named ACL?

A

Branch(config)# ip access-list standard Subnet_ONLY

Branch(config-std-nacl)# permit 10.1.1.0 0.0.0.255

8
Q

How do you configure a extended named ACL?

A

Branch(config)# ip access-list extended WWW-ACCESS
Branch(config-ext-nacl)# 30 permit tcp 10.1.1.0 0.0.0.255 any eq 80
Branch(config-ext-nacl)# 40 permit tcp 10.1.1.0 0.0.0.255 any eq 443

9
Q

A reload will change the sequence numbers in an ACL. The sequence numbers will be 10 and 20 instead of 5 and 10 after the reload. Use the ___ command to renumber the ACL entries without having to reload.

A

access-list resequence

10
Q

Packets may be divided in to four distinct logical groups:

A

Data plane packets
Control plane packets
Management plane packets
Services plane packets

11
Q

__ plane packets – end-station, user generated packets that are always forwarded by network devices to other end-station devices

A

Data

12
Q

__ plane packets – network device generated or received packets that are used for the creation and operation of the network itself. From the perspective of the network device, __ plane packets always have a receive destination IP address and are handled by the CPU in the network device route processor. Examples include protocols such as ARP, NGP, OSPF and other protocols that glue the network together

A

Control

13
Q

__ plane packets – network device generated or received packets, or management station generated or received packets that are used to manage the network. From the perspective of the network device, __ plane packets always have a receive destination IP address and are handled by the CPU in the network device route processor. Examples include protocols suchj as Telnet, SSH, TFTP, SNMP, FTP, NTP and other protocols used to manage the devices and/or network

A

Management

14
Q

__ plane packets – A special case of data plane packets, __ plane packets are also user-generated packets that are forwarded by the network devices to the other end-station devices, but that require high-touch handling by the network device (above and beyond normal, destination IP address-based forwarding) to forward the packet. Examples of high-touch handling include such functions as GRE encapsulation, QoS, MPLS VPNs, and SSL/IPsec encryption/decryption etc. From the perspective of the network device, __ plane packets may have a transit destination IP address, or may have a receive destination IP address (for example, in the case of a VPN tunnel endpoint).

A

Services

15
Q

From the perspective of the network device, three general types of packets exist:

A

Transit packets
Receive packets
Exception IP and non-IP packets

16
Q

__ packets – data plane and some services plane packets that are subjected to standard, destination IP-based forwarding functions. __ packets are typically forwarded by CEF mechanisms.

A

Transit

17
Q

___ packets – control plane and management plane packets that are destined to the network device itself. __ packets must be handled by the CPU within the route processor, as they are ultimately destined to and handled by applications running at the process level with IOS.

A

Receive

18
Q

___ packets – __ packets include, for example, IPv4 packets containing IP header options, IP packet TTL expires, and IP packets with unreachable destinations. L2 keepalives, IS-IS packets, CDP packets and PPP LCP packets are example of __packets. All these packets must be handled by the route processor.

A

Exception IP and non-IP, Exception, non-IP

19
Q

The interface ACL is the traditional and most generally available approach for managing all packets enter or exiting a network device. ACLs are well understood are generally applicable to data, servers, control, and management plane packets. However, ACLs are applied at the interface level to each __ ingressing (or egressing) the interface – not just control plane packets. In addition, ACLs must be applied to every individual interface to which the policy is applied – on large routers, this can be an onerous task.

A

packet

20
Q

__ is specifically designed to protect the route processor.

A

Control Plane Policing (CoPP)

21
Q

CoPP is a cisco IOS feature which is designed to allow administrators to specify controls over traffic that is directed to a devices ___. The goal is to prevent low-priority or unnecessary traffic from overwhelming system resources, which could leave to issues in system performance.

A

control plane

22
Q

CoPP treats the control plane as a separate entity with its own __ and __ ports. CoPP not only allows you to specify what traffic is allowed and what traffic is denied on the control plane interface, it also provides for rate limiting of allowed traffic for the control plane. Therefore, expected traffic that us of lower priority can be allowed, but attacks where floods of lower priority traffic are sent to the control plane will be mitigated.

A

ingress, egress

23
Q

How is CoPP configured?

A

Step 1 – Define ACL and create class map
R1(config)# access-list 100 permit udp any any eq snmp
R1(config)# access-list 100 permit tcp any any eq www
R1(config)# access-list 100 permit tcp any any eq 443
R1(config)# access-list 100 permit tcp any any eq 22
R1(config)# class-map COPP_class
R1(config-cmap)# match access-group 100

Step 2 – Define service policy and policing rates for each class map
R1(config)# policy-map COPP_policy
R1(config-pmap)# class COPP_class
R1(config-pmap-c)# police 300000 conform-action transmit exceed-action drop
R1(config-pmap-c)# class class-default
R1(config-pmap-c)# police rate 50 pps conform-action transmit exceed-action drop

Step 3 – Apply service policy to the control plane
R1(config)# control-plane
R1(config-cp)# service-policy input COPP_policy

24
Q

What command displays configured ACLS and any hit counters?

A

Show access-lists

25
Q

What command verifies the configured class maps?

A

Show class-map

26
Q

What command verifies configured policy maps

A

Show policy-map

27
Q

What command displays dynamic information about the actual policy including rate information and number of bytes that conformed to or exceeded the configured polices?

A

Show policy-map control-plane