To configure an access class on a VTY line, use the following command:
access-class access-list-number { in | out }
Here, access-list-number is the number of the access list you want to apply to the line. The in option applies the access list to incoming connections, while the out option applies it to outgoing connections.
For example, to apply access list 1 to incoming connections on VTY lines, use the following command:
line vty 0 15
access-class 1 in
exit
5.1.b Authentication and authorization using AAA
Authentication, Authorization, and Accounting (AAA) is a security framework used to manage user access to network resources. AAA can be used to authenticate users, authorize access to specific resources, and log activities for auditing purposes.
To configure AAA on a Cisco device, the following steps can be taken:
1. Configure the authentication method(s) to be used, such as local authentication or an external authentication server like RADIUS or TACACS+.
For example, to configure local authentication, use the following commands:
aaa new-model
aaa authentication login default local
username <username> password <password>
To configure RADIUS authentication, use the following commands:
aaa new-model
radius-server host <ip_address> key <shared_secret>
aaa authentication login default group radius local
2. Configure the authorization method to be used. This specifies the level of access that users have to network resources.
For example, to configure local authorization, use the following commands:
aaa authorization exec default local
To configure RADIUS authorization, use the following commands:
aaa authorization exec default group radius local
3. Configure the accounting method to be used. This logs user activities for auditing purposes.
For example, to configure local accounting, use the following commands:
aaa accounting exec default start-stop local
To configure RADIUS accounting, use the following commands:
aaa accounting exec default start-stop group radius
After configuring AAA, the device will prompt users to authenticate before they can access any resources. The level of access that users have will be determined by the authorization method configured, and their activities will be logged for auditing purposes if accounting is also configured.
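A configuration audit for the AAA and VTY commands covered above, added here as an illustration and not part of the original material: it reads a running-config excerpt and reports the gaps an auditor would look for (no aaa new-model, no local fallback behind a RADIUS group, no exec accounting, reversible username passwords, VTY lines without an inbound access-class). The config text, addresses and secrets are constructed placeholders.

```python
# Constructed running-config excerpt built from the commands above; addresses and secrets are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
radius-server host 192.0.2.10 key PLACEHOLDER_SHARED_SECRET
username admin secret PLACEHOLDER_PASSWORD
access-list 1 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 1 in
 transport input ssh
line vty 5 15
 transport input ssh
"""

def parse_vty_blocks(config):
    """Map each 'line vty ...' header to its indented child commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def audit_aaa(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: AAA method lists are not in effect")
    login = [l for l in lines if l.startswith("aaa authentication login default ")]
    if not login:
        findings.append("no default login authentication method list")
    elif "group" in login[0] and not login[0].endswith(" local"):
        # Without a local fallback, a RADIUS outage locks administrators out.
        findings.append("login method list has no local fallback after the server group")
    if not any(l.startswith("aaa accounting exec default") for l in lines):
        findings.append("no exec accounting: administrative sessions are not logged")
    for l in lines:
        if l.startswith("username ") and " password " in l:
            findings.append(f"{l.split()[1]}: 'password' stores the credential reversibly, use 'secret'")
    for name, children in parse_vty_blocks(config).items():
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in children):
            findings.append(f"{name}: no inbound access-class, VTY reachable from any source")
    return findings
```

Run against the sample, the only finding is the second VTY range, which has no access-class; weakening the login list or a username line adds the corresponding findings.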
5.2 Configure and verify infrastructure security features
5.2.a Access Control Lists (ACLs)
Access Control Lists (ACLs) are used to permit or deny traffic based on an ordered set of rules. ACLs can be configured on Cisco devices to filter traffic on network-layer fields and, with extended ACLs, transport-layer fields such as port numbers. They can be used to protect network devices, limit traffic to specific network segments, or block traffic from certain IP addresses.
ACLs can be configured using the following steps:
1. Determine the type of ACL to use (standard or extended).
2. Determine the criteria for filtering traffic (source IP address, destination IP address, protocol, port number, etc.).
3. Create an access control entry (ACE) that permits or denies traffic based on the criteria.
4. Apply the ACL to an interface in the inbound or outbound direction.
5.2.b Control Plane Policing (CoPP)
Control Plane Policing (CoPP) is a feature used to protect network devices from denial of service (DoS) attacks. CoPP limits the amount of traffic that can be sent to a device's control plane. This helps to prevent the control plane from becoming overwhelmed and unable to process legitimate traffic.
CoPP can be configured using the following steps:
1. Create a class map that defines the type of traffic to be controlled (e.g. ICMP, Telnet, SSH).
2. Create a policy map that applies the class map and defines the amount of traffic to be allowed.
3. Apply the policy map to the control plane interface.
Once configured, CoPP will limit the amount of traffic that can be sent to the control plane, helping to prevent DoS attacks from overwhelming the device.
Example configurations for ACL and CoPP:
Example configuration for ACL:
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny any
interface GigabitEthernet0/0
ip access-group 10 in
This example configures an access control list (ACL) that permits traffic from the 10.1.1.0/24 network and denies all other traffic. The ACL is applied inbound on the GigabitEthernet0/0 interface.
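An evaluator for the standard ACL above, added here as an illustration and not part of the original material: it parses the two ACEs, applies wildcard-mask matching (a wildcard is the inverse of a subnet mask, so 0.0.0.255 covers a /24) in order, and falls back to the implicit deny when nothing matches. It goes beyond the /24 case shown by also handling the host and any keywords and non-contiguous wildcards.

```python
import ipaddress

# The standard ACL from the example above, as the lines a device would show;
# the implicit "deny any" at the end of every ACL is supplied by the evaluator.
ACL_10 = [
    "access-list 10 permit 10.1.1.0 0.0.0.255",
    "access-list 10 deny any",
]

def parse_standard_ace(line):
    """Return (action, address, wildcard) as integers for one standard ACE.

    In a wildcard mask a 0 bit must match and a 1 bit is ignored. 'any' is
    shorthand for 0.0.0.0 255.255.255.255 and 'host X' for X 0.0.0.0."""
    tokens = line.split()
    action = tokens[2]
    if tokens[3] == "any":
        return action, 0, 0xFFFFFFFF
    if tokens[3] == "host":
        return action, int(ipaddress.IPv4Address(tokens[4])), 0
    addr = int(ipaddress.IPv4Address(tokens[3]))
    # A missing wildcard means an exact host match, as IOS interprets it.
    wildcard = int(ipaddress.IPv4Address(tokens[4])) if len(tokens) > 4 else 0
    return action, addr, wildcard

def evaluate(acl_lines, source_ip):
    """First matching ACE decides; no match means the implicit deny applies."""
    src = int(ipaddress.IPv4Address(source_ip))
    for line in acl_lines:
        action, addr, wildcard = parse_standard_ace(line)
        # Bits set in the wildcard are masked out of both sides before comparing.
        if (src & ~wildcard & 0xFFFFFFFF) == (addr & ~wildcard & 0xFFFFFFFF):
            return action
    return "deny"  # implicit deny any
```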
Example configuration for CoPP:
ip access-list extended copp-ssh-acl
 permit tcp any any eq 22
class-map match-any copp-ssh-class
 match access-group name copp-ssh-acl
policy-map copp-policy
 class copp-ssh-class
  police cir 2048000 conform-action transmit exceed-action drop
control-plane
 service-policy input copp-policy
This example configures a control plane policing (CoPP) policy that limits SSH traffic sent to the control plane to 2048 kbps (2,048,000 bps); traffic above that rate is dropped. The named extended ACL copp-ssh-acl matches SSH (TCP port 22), the class-map copp-ssh-class references it with the match access-group name command, and the police command in policy-map copp-policy enforces the rate for that class. The policy is applied to the control plane with the service-policy input command under control-plane.