Overall, troubleshooting device security using IOS AAA involves verifying the configuration of authentication, authorization, and accounting servers, checking for any issues with local user databases, and using debug commands and other tools to identify and resolve any issues that may be impacting security on the network device.
3.2 Troubleshoot router security features
3.2.a IPv4 access control lists (standard, extended, time-based)
IPv4 Access Control Lists (ACLs) are used to filter network traffic based on criteria such as source IP address, destination IP address, protocol, and port number. They can be used to permit or deny traffic and are applied to an interface in either the inbound or the outbound direction.
To troubleshoot router security features related to IPv4 ACLs, you should be able to:
Identify the source of the problem: Check if the ACL is configured correctly, if it is applied to the correct interface and direction, and if the rules are written in the correct order.
Verify the configuration of the ACL: Use the "show access-lists" command to verify the configuration of the ACL and make sure that it is matching the intended traffic.
Verify the application of the ACL: Use the "show ip interface" command to check if the ACL is applied to the correct interface and direction.
Test the ACL: Use a tool such as ping or traceroute to test if the traffic is being permitted or denied by the ACL.
Modify the ACL if necessary: Modify the ACL rules if they are not filtering the traffic as intended, and verify the changes.
In addition to standard and extended ACLs, time-based ACLs can be used to permit or deny traffic based on the time of day. To troubleshoot time-based ACLs, follow the same steps as above, with a focus on verifying that the time-based rules are set up correctly.
3.2.b IPv6 traffic filter
IPv6 traffic filters can be used to limit or block traffic based on various criteria such as source/destination address, protocol type, and port numbers. Some of the common features of IPv6 traffic filters are:
1. Filter types: IPv6 traffic filters can be classified into two types: prefix-list filters and access-list filters.
2. Prefix-list filters: Prefix-list filters match traffic based on the prefix of the IPv6 source or destination address. Prefix-list filters are often used in combination with route maps to filter specific traffic.
3. Access-list filters: Access-list filters can match traffic based on source/destination address, protocol type, and port numbers. Access-list filters can be used for both inbound and outbound traffic.
4. Implicit deny: By default, all traffic is denied unless explicitly allowed by a rule in the access-list.
5. Sequence numbers: Each rule in an access-list is assigned a sequence number, which determines the order in which the rules are applied.
6. Logging: Access-list filters can be configured to log matching traffic, which can be useful for troubleshooting.
When troubleshooting router security, it is important to ensure that the appropriate IPv6 traffic filters are in place to limit or block unwanted traffic.
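Added example, not part of these notes and not Cisco code: a small Python evaluator for the first-match logic that sections 3.2.a and 3.2.b describe (entries tried in sequence-number order, a time-range entry that is skipped while inactive, and the implicit deny at the end of every list). The ACL entries, the BUSINESS-HOURS time range, the addresses and the timestamps are all constructed for the example; the hypothetical MISORDERED list shows a broad deny shadowing a more specific permit, which is the ordering problem step 1 of the IPv4 procedure tells you to look for, and CORRECTED shows the same entries in the order that works. The per-entry hit counter plays the role of the match counts that "show access-lists" displays.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass
class TimeRange:
    """Constructed stand-in for an IOS time-range with one 'periodic weekdays' line."""
    name: str
    start: time
    end: time

    def active(self, now: datetime) -> bool:
        return now.weekday() < 5 and self.start <= now.time() < self.end


@dataclass
class AclEntry:
    seq: int                          # entries are evaluated in ascending sequence order
    action: str                       # "permit" or "deny"
    proto: str                        # "ip"/"ipv6" (any protocol), "tcp", "udp", "icmp"
    src: str                          # "any" or a network in CIDR form (IPv4 or IPv6)
    dst: str
    dport: Optional[int] = None       # None means any destination port
    time_range: Optional[TimeRange] = None
    hits: int = 0                     # match counter, like "(N matches)" in show access-lists


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net_match(rule_net: str, addr: str) -> bool:
    if rule_net == "any":
        return True
    net = ipaddress.ip_network(rule_net, strict=False)
    ip = ipaddress.ip_address(addr)
    return ip.version == net.version and ip in net


def evaluate(acl: list[AclEntry], pkt: Packet, now: datetime) -> tuple[str, Optional[int]]:
    """First-match evaluation as IOS performs it: return (action, seq) of the first
    matching entry, or ("deny", None) for the implicit deny at the end of every ACL."""
    for entry in sorted(acl, key=lambda e: e.seq):
        if entry.time_range is not None and not entry.time_range.active(now):
            continue                  # an inactive time-range entry is skipped, not denied
        if entry.proto not in ("ip", "ipv6") and entry.proto != pkt.proto:
            continue
        if not _net_match(entry.src, pkt.src) or not _net_match(entry.dst, pkt.dst):
            continue
        if entry.dport is not None and entry.dport != pkt.dport:
            continue
        entry.hits += 1
        return entry.action, entry.seq
    return "deny", None


# --- constructed sample data; addresses are from the documentation ranges ---
BUSINESS_HOURS = TimeRange("BUSINESS-HOURS", time(8, 0), time(17, 0))

# Ordering bug: the broad deny at 10 shadows the specific permit at 20, so the admin
# host's SSH is dropped even though a matching permit exists further down.
MISORDERED = [
    AclEntry(10, "deny", "ip", "any", "203.0.113.0/24"),
    AclEntry(20, "permit", "tcp", "198.51.100.10/32", "203.0.113.5/32", dport=22),
    AclEntry(30, "permit", "tcp", "any", "203.0.113.5/32", dport=443, time_range=BUSINESS_HOURS),
]
# Same entries with the specific permits first and the broad deny last.
CORRECTED = [
    AclEntry(10, "permit", "tcp", "198.51.100.10/32", "203.0.113.5/32", dport=22),
    AclEntry(20, "permit", "tcp", "any", "203.0.113.5/32", dport=443, time_range=BUSINESS_HOURS),
    AclEntry(30, "deny", "ip", "any", "203.0.113.0/24"),
]
# IPv6 traffic filter with a single permit; everything else hits the implicit deny.
IPV6_FILTER = [AclEntry(10, "permit", "tcp", "2001:db8:1::/48", "2001:db8:2::10/128", dport=443)]

ADMIN_SSH = Packet("tcp", "198.51.100.10", "203.0.113.5", 22)
PUBLIC_HTTPS = Packet("tcp", "192.0.2.77", "203.0.113.5", 443)
V6_HTTPS = Packet("tcp", "2001:db8:1::5", "2001:db8:2::10", 443)
V6_SSH = Packet("tcp", "2001:db8:1::5", "2001:db8:2::10", 22)
TUESDAY_NOON = datetime(2024, 3, 12, 12, 0)
TUESDAY_NIGHT = datetime(2024, 3, 12, 22, 0)

if __name__ == "__main__":
    print("misordered, admin SSH:  ", evaluate(MISORDERED, ADMIN_SSH, TUESDAY_NOON))
    print("corrected, admin SSH:   ", evaluate(CORRECTED, ADMIN_SSH, TUESDAY_NOON))
    print("corrected, HTTPS noon:  ", evaluate(CORRECTED, PUBLIC_HTTPS, TUESDAY_NOON))
    print("corrected, HTTPS night: ", evaluate(CORRECTED, PUBLIC_HTTPS, TUESDAY_NIGHT))
    print("v6 HTTPS:               ", evaluate(IPV6_FILTER, V6_HTTPS, TUESDAY_NOON))
    print("v6 SSH (implicit deny): ", evaluate(IPV6_FILTER, V6_SSH, TUESDAY_NOON))
    print("hit counts:", [(e.seq, e.hits) for e in CORRECTED])
```

Running it shows the admin SSH packet hitting the deny at sequence 10 in MISORDERED and the permit at 10 in CORRECTED, the HTTPS packet permitted at noon but falling through to the deny at 30 at night when the time range is inactive, and the IPv6 SSH packet returning ("deny", None), i.e. the implicit deny with no configured entry to blame. The hit counts at the end are what you would compare against "show access-lists" output to see which entry is actually catching the traffic.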
3.2.c Unicast reverse path forwarding (uRPF)
Unicast Reverse Path Forwarding (uRPF) is a router security feature that helps to prevent IP spoofing attacks by checking the source IP address of incoming packets against the router's routing table to ensure that the packet arrived on the expected interface. uRPF is commonly used in networks to prevent Distributed Denial of Service (DDoS) attacks that use spoofed IP addresses.
uRPF can be implemented in three modes: strict mode, loose mode, and VRF mode. In strict mode, the router checks the routing table to verify that the source address of a packet received on an interface matches the best path back to that source. If the packet's source address doesn't match, the router drops the packet. In loose mode, the router checks if the source address matches any route in the routing table. If a matching route exists, the router accepts the packet. In VRF mode, uRPF is enabled on a per-VRF basis, which allows for more granular control of traffic.
When troubleshooting router security, uRPF can be used to verify that incoming traffic is arriving on the expected interface and to prevent IP spoofing attacks. However, care must be taken when implementing uRPF, as it can potentially drop legitimate traffic if the routing table is not properly configured.
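Added example, not from these notes and not Cisco code: a Python model of the uRPF decision described in 3.2.c, using a constructed three-route table with longest-prefix matching. It runs the same sources through strict mode (the behaviour of the IOS "ip verify unicast source reachable-via rx" form) and loose mode ("reachable-via any"), and includes the asymmetric-routing case from the paragraph above, where strict mode drops a legitimate host because the best route back to it points out a different interface. The interface names, prefixes and scenarios are assumptions of the example; the allow_default flag models the IOS allow-default keyword, without which a bare default route does not satisfy the check.

```python
import ipaddress
from typing import Optional

# Constructed routing table: (prefix, egress interface). Gi0/0 faces the ISP,
# Gi0/1 and Gi0/2 are two internal links.
ROUTES = [
    ("0.0.0.0/0", "Gi0/0"),         # default route toward the ISP
    ("10.1.0.0/16", "Gi0/1"),       # internal campus block
    ("10.1.50.0/24", "Gi0/2"),      # one campus subnet with a more specific route via Gi0/2
]


def best_route(table, addr: str) -> Optional[tuple]:
    """Longest-prefix match: the (network, interface) the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    candidates = [(ipaddress.ip_network(p), iface) for p, iface in table
                  if ip in ipaddress.ip_network(p)]
    return max(candidates, key=lambda r: r[0].prefixlen, default=None)


def urpf_check(table, src: str, ingress: str, mode: str = "strict",
               allow_default: bool = False) -> bool:
    """Model of the uRPF decision; returns True if the packet is accepted.
    strict: the best route back to the source must leave via the interface the packet
            arrived on (IOS 'reachable-via rx').
    loose:  any route to the source is enough (IOS 'reachable-via any').
    In both modes a bare default route only counts when allow_default is set."""
    route = best_route(table, src)
    if route is None:
        return False
    net, egress = route
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return egress == ingress


# Constructed scenarios: (description, source address, ingress interface)
SCENARIOS = [
    ("internal address spoofed from the ISP side", "10.1.2.3", "Gi0/0"),
    ("unrouted source from the ISP side", "203.0.113.9", "Gi0/0"),
    ("legitimate host, symmetric path", "10.1.50.7", "Gi0/2"),
    ("legitimate host, asymmetric path", "10.1.50.7", "Gi0/1"),
]


def audit(table=ROUTES) -> dict:
    """Run every scenario through strict and loose mode: {description: (strict, loose)}."""
    return {d: (urpf_check(table, s, i, "strict"), urpf_check(table, s, i, "loose"))
            for d, s, i in SCENARIOS}


if __name__ == "__main__":
    for desc, (strict, loose) in audit().items():
        print(f"{desc:45} strict={'pass' if strict else 'DROP':4} "
              f"loose={'pass' if loose else 'DROP'}")
```

The output makes the trade-off in the paragraph above concrete: the spoofed internal address is dropped by strict mode but passes loose mode (loose only asks whether any route to the source exists), the unrouted source is dropped by both unless allow_default is set, and the legitimate host on the asymmetric path is dropped by strict mode alone. When strict uRPF is dropping traffic that should be allowed, the routing table entry for the source, not the uRPF configuration, is usually the thing to fix.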