Cisco® CCNP Route Exam Notes : Configure And Verify Device Access Control

5. Infrastructure Security

5.4 Configure and verify device access control

an authentication and accounting system used by many Internet Service Providers (ISPs). When you dial in to the ISP you must enter your username and password. This information is passed to a RADIUS server, which checks that the information is correct, and then authorizes access to the ISP system. RADIUS implements a client/server architecture, where typical client is a router, switch, or AP and the typical server is a Windows or Unix device that is running RADIUS software.

5.4.a Lines (VTY, AUX, console):

There are three types of lines on Cisco routers:

VTY - Virtual lines that allow SSH or Telnet access to the device

AUX - Provides CLI access via an aux cable.

CON - Provides CLI access via a console cable.

The range of privilege levels that can be set are from 0 to 15, that is sixteen in total. Level 1 is the default user EXEC privilege. Level 15 is the highest level and allows the user to have full access to the device commands. The command used to set additional privilege levels is:

privilege <mode> level <level>

For example, to assign a privilege level of 4 in exec mode, use the command:

privilege exec level 4 trace

Note that all commands that were assigned to the previous privilege levels are inherited along with the new command(s) defined in the privilege statement.

This type of granular control is very useful in large networks where there are many network administrators with different set of access rights.

The traceroute privileged EXEC command can be used to find the routes that a packet travels when passing from a router to its destination address.

TFTP can be used to download configuration files. However, note that TFTP (Trivial File Transfer Protocol) is known as unreliable protocol since it does not incorporate any error correction and packet sequencing. TFTP does not use passwords and hence considered insecure.

The following are the features of the ip unnumbered interface:

1. Any packet generated by an unnumbered interface will have the IP address of the interface that was defined in the creation of the unnumbered interface.

2. Certain protocols such as X.25, and SMDS do not support ip unnumbered interface.

3. Ping EXEC command is not supported by the unnumbered interface.

4. If the interface from which an unnumbered interface got the ip address is down, then the unnumbered interface also will be down. Therefore, it is advisable to use loop back interface while defining an unnumbered interface.

5.4.b Management plane protection

Management plane protection refers to allowing certain protocols on the management interface. When configuring protocols for security, you should use encrypted protocols wherever possible. For example, use SSH instead of telnet or https instead of http.

To create the Public/Private key pair used by SSH, the following command sequence is used.

Hostname other than the default "router" needs to be configured first before issuing the

command crypto key generate rsa. You also need to configure the domain name before issuing the crypto key generate command.

The correct sequence of commands would be:

hostname Frisco
ip domain-name
crypto key generate rsa

The following are the important features of CCP (Cisco Configuration Professional):

1. Cisco Configuration Professional supports secure protocols such as Secure Shell (SSH) Protocol and Secure HTTP (HTTPS) to communicate with the devices.

2. Cisco Configuration Professional manages only Cisco devices

3. Currently there is no limitation on the number of communities that can be created.

4. When you move away a router from one community to another, you need to rediscover the routers in the new community.

5. Cisco Configuration Professional is a GUI device-management tool for Cisco IOS Software-based access routers, the Cisco Integrated Services Routers

6. A community is a group of devices that are managed together.

The following precautions may be taken to harden network infrastructure:

a. Use physical barriers such as room lock so that un-authorized persons do not have access to the network devices.

b. Use firewall so that outsiders cannot access network devices from outside the network

c. Enable SSH so that passwords are transmitted in encrypted form

5.4.c Password encryption

Password protection enables that unauthorized users do not log into the network. However, once an authorized user logs into the network and leaves the device unattended, the session will remain open. An unauthorized person may misuse the login session initiated by an authorized user earlier.

To prevent such misuse, session timeout need to be configured on Cisco devices. The command for configuring session timeout on a router interface is:

Router(config-line)#exec-timeout <minutes> <seconds>

The command "ip unnumbered" is used for enabling an interface for IP processing without assigning any explicit IP address. The interface configured with unnumbered command uses the IP address of the interface specified in the command. The correct syntax for this command is : ip unnumbered <type number>

Ex: ip unnumbered Ethernet0

The above command enables the unnumbered interface to use the IP address of Ethernet0. Note that the interface specified by the must have explicit IP address, and not another unnumbered interface.

Previous   Contents   Next

CCNP Route Cram Notes Contents
certexams ad

simulationexams ad