5.2.a Implement and troubleshoot switch security features

5.2.a [iv] IP source-guard

IP source guard (IPSG) provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses the DHCP snooping binding table and static IP source bindings to match IP addresses to hosts on untrusted Layer 2 access ports, so DHCP snooping must already be running on the VLAN.

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after a static IP source binding is configured by the administrator, traffic with that source IP address is permitted from that client; traffic with any other source address is dropped. This limits a host's ability to attack the network by claiming a neighbor host's IP address. IP source guard is a port-based feature that automatically creates an implicit port access control list (PACL) holding the permitted bindings.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5214-5217). Kindle Edition.
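The configuration below is an added example, not taken from the exam guide, showing IPSG on an access switch: DHCP snooping supplies the bindings, the uplink is trusted so DHCP offers are accepted only from there, and a statically addressed host gets an explicit binding. The interface names, VLAN 10 and the host addresses are assumptions for illustration.

```ios
! Added example (not from the exam guide): IP Source Guard on an access switch.
! Interface names, VLAN 10 and the host MAC/IP are assumptions for illustration.
!
! 1. DHCP snooping builds the binding table that IPSG filters against.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option     ! only if the upstream DHCP server/relay rejects option 82
!
interface GigabitEthernet1/0/48
 description Uplink toward the DHCP server
 switchport mode trunk
 ip dhcp snooping trust                    ! DHCP offers/acks are accepted only here
!
! 2. Access ports: snooping untrusted (default), IPSG filtering on source IP.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15            ! DHCP pps cap protects the snooping process itself
 ip verify source                          ! permit only source IPs present in the binding table
!
! 3. A host with a static address (printer) has no DHCP lease, so without this
!    binding IPSG drops everything it sends except DHCP.
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet1/0/5
!
! Verify: a port with no binding shows filter mode "deny-all" until a lease or
! static binding exists.
! show ip dhcp snooping binding
! show ip verify source
```

`ip verify source port-security` extends the check to the source MAC as well, but it requires `switchport port-security` on the same port; the plain `ip verify source` shown above filters on IP only.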





5.2.a Implement and troubleshoot switch security features

5.2.a [v] Dynamic ARP inspection

ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a gratuitous reply from a host even if an ARP request was not received. After the attack, all traffic from the device under attack flows through the attacker's computer and then to the router, switch, or host. An ARP spoofing attack can target hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. Dynamic ARP inspection (DAI) counters this by intercepting every ARP request and reply that arrives on an untrusted port and checking the sender IP-to-MAC pair against the DHCP snooping binding table (or a static ARP ACL); packets with an invalid binding are dropped and logged, while ARP arriving on trusted ports (normally uplinks to other switches) is forwarded without inspection.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Location 5224). Kindle Edition.
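As an added example (not the exam guide's own text), here is DAI for VLAN 10 on an access switch that already runs DHCP snooping for that VLAN: the uplink is trusted, access ports are rate-limited so an ARP flood cannot exhaust the CPU, and a statically addressed host is allowed through an ARP ACL because it has no DHCP binding. Interfaces, VLAN and the host addresses are assumptions.

```ios
! Added example (not from the exam guide): Dynamic ARP Inspection for VLAN 10.
! Assumes DHCP snooping is already enabled for VLAN 10; interfaces and the
! static host's MAC/IP are assumptions for illustration.
!
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip   ! also compare ARP body addresses with the Ethernet header
!
! Uplink to the rest of the Layer 2 domain: trusted, so inspection happens once,
! at the access edge where the hosts actually attach.
interface GigabitEthernet1/0/48
 switchport mode trunk
 ip arp inspection trust
!
! Access ports stay untrusted (the default). Cap the ARP rate: exceeding it
! err-disables the port instead of letting the flood reach the CPU.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15 burst interval 1
!
! A static host has no DHCP lease. Without the "static" keyword on the filter,
! ARP packets that the ACL does not permit are still checked against the DHCP
! snooping table, so DHCP clients keep working alongside this exception.
arp access-list DAI-STATIC-HOSTS
 permit ip host 192.0.2.50 mac host 0011.2233.4455
!
ip arp inspection filter DAI-STATIC-HOSTS vlan 10
!
! Recover rate-limited ports automatically after 300 s.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Verify / troubleshoot:
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10   (forwarded, dropped, DHCP drops, ACL drops)
! show ip arp inspection log
```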

5.2.a Implement and troubleshoot switch security features

5.2.a [vi] port-security

You can use port security with dynamically learned and static MAC addresses to restrict a port’s ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the device attached to that port has the full bandwidth of the port.

A security violation occurs in either of these situations:

● When the maximum number of secure MAC addresses is reached on a secure port and the source MAC address of the ingress traffic is different from any of the identified secure MAC addresses, port security applies the configured violation mode.

● If traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN, port security applies the configured violation mode.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5242-5247). Kindle Edition.
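The following added example (not from the exam guide) shows the three violation modes side by side, because the choice between them is what you troubleshoot most often: `shutdown` err-disables the port, `restrict` drops and counts, `protect` drops silently. Interface numbers, VLANs and the server MAC are assumptions.

```ios
! Added example (not from the exam guide): port security on user-facing ports.
! Interfaces, VLAN numbers and the server MAC address are assumptions.
!
! Case A: one device per port, learned dynamically and written into the running
! configuration ("sticky") so it survives a reload once the config is saved.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown   ! default: err-disable the port, send a trap and a syslog message
!
! Case B: IP phone with a PC behind it, one address per VLAN. Dynamic learning
! with inactivity aging lets a replaced PC be learned after 5 idle minutes
! instead of triggering a violation. "restrict" drops and counts offending
! frames but leaves the port up, which is preferable where an outage costs
! more than some noise.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 switchport port-security violation restrict
!
! Case C: a server whose MAC must never change, pinned statically. "protect"
! drops silently: no counter, no log, so it is the hardest mode to troubleshoot
! and should be used only where logging is handled elsewhere.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 30
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation protect
!
! Bring "shutdown"-violated ports back after 5 minutes instead of requiring a
! manual "shutdown" / "no shutdown".
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verify:
! show port-security interface GigabitEthernet1/0/1   (status, violation count, last source MAC)
! show port-security address                          (the secure MAC table; catches the "same MAC
!                                                     on two secure ports in one VLAN" case)
! show interfaces status err-disabled
```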



5.2.a Implement and troubleshoot switch security features

5.2.a [vii] Private VLAN

A private VLAN partitions the Layer 2 broadcast domain of a VLAN into sub-domains, allowing you to isolate the ports on the switch from each other. A sub-domain consists of a primary VLAN and one or more secondary VLANs.

All VLANs in a private VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one sub-domain from another. The secondary VLANs may either be isolated VLANs or community VLANs. A host on an isolated VLAN can only communicate with the associated promiscuous port in its primary VLAN. Hosts on community VLANs can communicate among themselves and with their associated promiscuous port but not with ports in other community VLANs.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Location 5254). Kindle Edition.
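An added example (not the exam guide's) of a complete private VLAN domain: one primary VLAN, an isolated secondary for tenants that must not see each other, a community secondary for a web tier that must, a promiscuous port toward the firewall, and the SVI mapping needed if the switch itself routes for the primary VLAN. VLAN numbers, interfaces and the addressing are assumptions.

```ios
! Added example (not from the exam guide): private VLAN for a hosting segment.
! VLAN numbers, interfaces and the gateway address are assumptions.
!
vtp mode transparent              ! PVLANs need VTP transparent (or off / VTP version 3)
!
vlan 500
 name PVLAN-PRIMARY
 private-vlan primary
 private-vlan association 501,510
vlan 501
 name PVLAN-ISOLATED              ! hosts here reach only promiscuous ports
 private-vlan isolated
vlan 510
 name PVLAN-COMMUNITY-WEB         ! hosts here reach each other and promiscuous ports
 private-vlan community
!
! Promiscuous port: the one device every secondary VLAN may talk to.
interface GigabitEthernet1/0/1
 description Firewall inside interface
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 500 501,510
!
! Isolated host ports: tenant machines that must be invisible to each other at L2.
interface range GigabitEthernet1/0/2 - 10
 switchport mode private-vlan host
 switchport private-vlan host-association 500 501
!
! Community host ports: a web tier that needs peer-to-peer traffic.
interface range GigabitEthernet1/0/11 - 14
 switchport mode private-vlan host
 switchport private-vlan host-association 500 510
!
! If the switch routes for the primary VLAN, the secondary VLANs must be mapped
! to the SVI, otherwise packets from 501/510 never reach the gateway.
interface Vlan500
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 501,510
!
! Verify:
! show vlan private-vlan
! show interfaces GigabitEthernet1/0/2 switchport   (Administrative Mode: private-vlan host)
```

The isolation is Layer 2 only. If the device on the promiscuous port answers ARP on behalf of the subnet (for example an IOS gateway with `ip local-proxy-arp`), it will route between two isolated hosts, so the same separation has to be enforced in that device's filtering as well.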




5.1.d Describe device security using IOS AAA with TACACS+ and RADIUS

5.1.d [i] AAA with TACACS+ and RADIUS

RADIUS is a client/server AAA protocol: the network device acts as the RADIUS client and forwards user credentials to a RADIUS server, providing distributed security that protects remote access to networks and network services against unauthorized access. RADIUS combines authentication and authorization in a single exchange and encrypts only the user password field. TACACS+ separates authentication, authorization and accounting, encrypts the entire packet body, and can authorize individual CLI commands by user or user group, which is why it is the usual choice for device administration.

RADIUS comprises three components:

● A protocol with a frame format that utilizes User Datagram Protocol (UDP)/ IP

● A server

● A client

RADIUS uses UDP (ports 1812/1813, or the legacy 1645/1646) while TACACS+ uses TCP port 49. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as retransmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:

● TCP usage provides a separate acknowledgment (the TCP ACK) that a request has been received, within approximately a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism might be.

● TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.

● Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.

● TCP is more scalable and adapts to growing, as well as congested, networks.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5110-5113). Kindle Edition.



5.1.d Describe device security using IOS AAA with TACACS+ and RADIUS

5.1.d [ii] Local privilege authorization fallback

The local database can act as a fallback method for several functions. This behavior is designed to help prevent accidental lockout. For users who need fallback support, it is recommended that their usernames and passwords in the local database match their usernames and passwords on the AAA servers. This provides transparent fallback support: because the user cannot determine whether a AAA server or the local database is providing the service, using usernames and passwords on the AAA servers that differ from those in the local database means the user cannot be certain which username and password to give. The commands quoted in this passage (aaa authentication console, aaa authorization command, tunnel-group) are Cisco ASA syntax; on IOS the same idea is expressed by listing the local method after the server group in an AAA method list, and fallback is used only when the servers are unreachable, not when a reachable server rejects the user.

The local database supports the following fallback functions:

● Console and enable password authentication—When you use the aaa authentication console command, you can add the LOCAL keyword after the AAA server group tag. If the servers in the group all are unavailable, the security appliance uses the local database to authenticate administrative access. This can include enable password authentication, too.

● Command authorization—When you use the aaa authorization command command, you can add the LOCAL keyword after the AAA server group tag. If the TACACS + servers in the group all are unavailable, the local database is used to authorize commands based on privilege levels.

● VPN authentication and authorization—VPN authentication and authorization are supported to enable remote access to the security appliance if the AAA servers that normally support these VPN services are unavailable. The authentication-server-group command, available in tunnel-group general attributes mode, lets you specify the LOCAL keyword when you are configuring attributes of a tunnel group. When an administrator's VPN client specifies a tunnel group configured to fall back to the local database, the VPN tunnel can be established even if the AAA server group is unavailable, provided that the local database is configured with the necessary attributes.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5123-5133). Kindle Edition.
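The IOS configuration below is an added example, not from the exam guide, covering both of the preceding passages: TACACS+ for CLI authentication, per-command authorization and accounting, RADIUS for 802.1X network access (where per-command authorization is not needed), and the local database as fallback in every method list. Server addresses, shared secrets, group names and the `netadmin` account are assumptions.

```ios
! Added example (not from the exam guide): IOS AAA with TACACS+ for device
! administration, RADIUS for network access, local database as fallback.
! Addresses, secrets, list names and the user name are assumptions.
!
aaa new-model
!
! Fallback account: same name and secret as on the TACACS+ server, so the
! operator never needs to know which database answered.
username netadmin privilege 15 algorithm-type scrypt secret <password>
enable algorithm-type scrypt secret <enable-secret>
!
tacacs server ISE-1
 address ipv4 192.0.2.10
 key 0 <tacacs-shared-secret>
tacacs server ISE-2
 address ipv4 192.0.2.11
 key 0 <tacacs-shared-secret>
aaa group server tacacs+ TAC-ADMIN
 server name ISE-1
 server name ISE-2
!
radius server ISE-RAD
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813    ! UDP; some servers still use 1645/1646
 key 0 <radius-shared-secret>
aaa group server radius RAD-NAC
 server name ISE-RAD
!
! Method lists: try the server group, fall back to local only when no server
! answers. A reject from a live server is final; fallback is for "unreachable",
! not for "denied".
aaa authentication login ADMIN group TAC-ADMIN local
aaa authentication enable default group TAC-ADMIN enable
aaa authorization exec ADMIN group TAC-ADMIN local if-authenticated
aaa authorization commands 15 ADMIN group TAC-ADMIN local
aaa authorization config-commands
aaa accounting exec ADMIN start-stop group TAC-ADMIN
aaa accounting commands 15 ADMIN start-stop group TAC-ADMIN
!
! 802.1X / MAB on access ports use RADIUS.
aaa authentication dot1x default group RAD-NAC
aaa authorization network default group RAD-NAC
!
line vty 0 4
 login authentication ADMIN
 authorization exec ADMIN
 authorization commands 15 ADMIN
 accounting exec ADMIN
 accounting commands 15 ADMIN
 transport input ssh
!
! Console stays local-only: a TACACS+ outage must not lock out the one line
! that does not depend on the network.
aaa authentication login CONSOLE local
line console 0
 login authentication CONSOLE
!
! Verify before you log out of your working session:
! test aaa group TAC-ADMIN netadmin <password> legacy
! show tacacs
! debug aaa authentication ; debug tacacs
```

The `local` keyword after `group TAC-ADMIN` in each list is the IOS form of the fallback the passage above describes with ASA syntax; with `aaa authorization commands 15 ... local`, command authorization during a server outage is decided by the local user's privilege level.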


5.1.c Implement and troubleshoot control plane policing

Control Plane Policing (CoPP) is a Cisco IOS-wide feature designed to allow users to manage the flow of traffic handled by the route processor of their network devices. CoPP is designed to prevent unnecessary traffic from overwhelming the route processor that, if left unabated, could affect system performance. Route processor resource exhaustion, in this case, refers to all resources associated with the punt path and route processor(s), such as Cisco IOS process memory and buffers, and ingress packet queues.

More than just control plane packets can punt and affect the route processor and system resources. Management plane traffic, as well as certain data-plane exception IP packets and some services-plane packets, may also require the use of route processor resources. Even so, it is common practice to refer to the resources associated with the punt path and route processor(s) collectively as the control plane, and the Cisco IOS feature that protects them is CoPP.

CoPP protects the route processor on network devices by treating route processor resources as a separate entity with its own ingress interface (and in some implementations, egress also). Because of this behavior, a CoPP policy can be developed and applied only to those packets within the control plane. Unlike interface ACLs, for example, no effort is wasted investigating data plane ( transit) packets that will never reach the control plane. This action has a significant simplifying implication on the construction of policies for CoPP.

CoPP is implemented using the Cisco IOS Modular QoS CLI (MQC), a highly flexible framework that allows users to create and attach traffic policies to interfaces. CoPP uses the MQC mechanisms to define the classification and policing descriptions for its policies. In this way, in addition to the limited permit and deny actions associated with simple ACLs, specific packets may be permitted but rate-limited when using the MQC structure. For example, you may wish to permit certain ICMP packet types, but rate limit them so that the route processor is not adversely impacted. This adds tremendously to the capabilities and flexibility of developing and deploying a usable CoPP policy.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5086-5087). Kindle Edition.


5.1.b Implement and troubleshoot device access control

5.1.b [i] Lines [VTY, AUX, console]

The use of password protection to control or restrict access to the command line interface (CLI) of your router is one of the fundamental elements of an overall security plan. Protecting the router from unauthorized remote access, typically Telnet or SSH, is the most common security that needs configuring, but protecting the router from unauthorized local access through the console and AUX ports cannot be overlooked.

The VTY lines are the Virtual Terminal lines of the router, used to terminate inbound Telnet and SSH connections. They are virtual, in the sense that they are a function of software: there is no hardware associated with them. They appear in the configuration as line vty 0 4, and many platforms have more (for example line vty 5 15); every VTY line must be secured, or an attacker simply waits for the unprotected ones. The console line (line con 0) is the physical serial port, and the auxiliary line (line aux 0) is normally reserved for a modem; both grant local access. Each of these types of lines can be configured with password protection. Lines can be configured to use one password for all users, or for user-specific passwords. User-specific passwords can be configured locally on the router, or you can use an authentication server to provide authentication.

To specify a shared password on a line, use the password command in line configuration mode. To enable password checking at login, use the login command in line configuration mode; login local checks the router's username database instead of the shared line password.

A related console nuisance: when a command is mistyped, IOS treats it as a hostname and tries to Telnet to it, which triggers a DNS lookup and a long pause. The no ip domain-lookup command stops this for undefined hosts but still allows auto-Telnet to hosts defined with the ip host command. transport preferred none, applied to the line, produces the same result for undefined hosts and additionally disables auto-Telnet for the defined ones.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Location 4988). Kindle Edition.
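An added example (not from the exam guide) hardening all three line types as described above: per-user login on the console, the AUX port disabled outright, and the VTYs restricted to SSH from a management subnet. The management prefix, domain name, user name and timeouts are assumptions; the weak configuration shown in comments at the end is what this replaces.

```ios
! Added example (not from the exam guide): hardening console, AUX and VTY lines.
! Management prefix, domain, user name and timeouts are assumptions.
!
service password-encryption          ! hides line passwords in "show run" (type 7 is reversible, not strong)
username netadmin privilege 15 algorithm-type scrypt secret <password>
ip domain-name example.net
crypto key generate rsa modulus 2048 ! required for SSH
ip ssh version 2
!
! Only the management subnet may open a VTY session.
ip access-list standard MGMT-HOSTS
 permit 198.51.100.0 0.0.0.255
 deny   any log
!
line console 0
 login local                         ! per-user, instead of a shared "password" + "login"
 exec-timeout 5 0
 logging synchronous
 transport preferred none            ! no auto-Telnet on mistyped commands
!
! AUX: no modem attached, so make it unusable rather than merely password-protected.
line aux 0
 no exec
 transport input none
 transport output none
 exec-timeout 0 1
!
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 exec-timeout 5 0
 transport input ssh                 ! Telnet is refused entirely
 transport preferred none
!
! Platforms with additional VTYs must be covered too; otherwise the extra lines
! still accept Telnet from anywhere with whatever password they have.
line vty 5 15
 access-class MGMT-HOSTS in
 login local
 exec-timeout 5 0
 transport input ssh
!
! Weak configuration this replaces: one shared cleartext password, Telnet from any source.
! line vty 0 4
!  password cisco
!  login
!
! Verify: show line ; show users ; show running-config | section line
```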


5.1.b Implement and troubleshoot device access control

5.1.b [ii] SNMP

SNMP is an application-layer protocol that provides a message format for communication between SNMP managers and agents. SNMP provides a standardized framework and a common language used for the monitoring and management of devices in a network.

The SNMP framework has three components:

● An SNMP manager

● An SNMP agent

● A Management Information Base (MIB)

The SNMP manager is the system used to control and monitor the activities of network hosts using SNMP. The most common managing system is called a Network Management System (NMS). The term NMS can be applied to either a dedicated device used for network management, or the applications used on such a device. A variety of network management applications are available for use with SNMP. These applications range from simple command-line tools to feature-rich graphical user interfaces (such as the CiscoWorks2000 line of products).

The SNMP agent is the software component within the managed device that maintains the data for the device and reports these data, as needed, to managing systems . The agent and MIB reside on the routing device (router, access server , or switch). To enable the SNMP agent on a Cisco routing device, you must define the relationship between the manager and the agent. The Management Information Base (MIB) is a virtual information storage area for network management information, which consists of collections of managed objects . Within the MIB there are collections of related objects, defined in MIB modules.

The SNMP agent contains MIB variables whose values the SNMP manager can request or change through Get or Set operations. A manager can get a value from an agent or store a value into that agent. The agent gathers data from the MIB, the repository for information about device parameters and network data. The agent can also respond to manager requests to Get or Set data.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Location 5031). Kindle Edition.
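The following is an added example (not from the exam guide) of the agent side on an IOS device: an SNMPv3 user in an authPriv, read-only group whose view hides the SNMP security tables, with access limited to one NMS address, shown against the weak v2c community it replaces. The NMS address, user, group, view names and passwords are assumptions.

```ios
! Added example (not from the exam guide): SNMPv3 authPriv read-only agent
! configuration replacing a v2c community. Addresses and names are assumptions.
!
! Weak configuration being replaced: cleartext community, read-write, any source.
! snmp-server community public RW
!
! Only the NMS may talk to the agent.
ip access-list standard SNMP-NMS
 permit 198.51.100.10
 deny   any log
!
! The view limits what the group can read: everything except the tables that
! describe SNMP users and access policy.
snmp-server view RO-VIEW iso included
snmp-server view RO-VIEW snmpUsmMIB excluded
snmp-server view RO-VIEW snmpVacmMIB excluded
!
! v3 group: authentication and privacy required ("priv"), read-only, source-restricted.
snmp-server group NMS-RO v3 priv read RO-VIEW access SNMP-NMS
snmp-server user nmsuser NMS-RO v3 auth sha <auth-password> priv aes 128 <priv-password>
!
! Notifications to the manager, also over v3 with privacy.
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps config
snmp-server host 198.51.100.10 version 3 priv nmsuser
!
! v1/v2c stay disabled simply by having no "snmp-server community" lines.
!
! Verify:
! show snmp user      (users are not displayed in the running configuration)
! show snmp group
! show snmp           (counters for bad community names and failed authentications)
```

Because `snmp-server user` is never written to the running configuration, a configuration backup does not restore the user; record the v3 credentials in the same place as other device secrets.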


5.1.b Implement and troubleshoot device access control

5.1.b [iii] Management plane protection

The Management Plane Protection (MPP) feature in Cisco IOS provides the capability to restrict the interfaces on which network management packets are allowed to enter a device . The MPP feature allows a network operator to designate one or more router interfaces as management interfaces.

Device management traffic is permitted to enter a device only through these management interfaces. After MPP is enabled, no interfaces except the designated management interfaces will accept network management traffic destined to the device. Restricting management packets to designated interfaces provides greater control over management of a device, providing more security for that device. Other benefits include improved performance for data packets on non-management interfaces, support for network scalability, fewer access control lists (ACLs) needed to restrict access to a device, and protection of the CPU from management-packet floods arriving on switching and routing interfaces. MPP requires CEF and covers only the management protocols it recognizes (BEEP, FTP, HTTP, HTTPS, SSH, SNMP, Telnet and TFTP); routing protocols and transit traffic are unaffected, so it complements CoPP rather than replacing it.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5034-5042). Kindle Edition.
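As an added example (not from the exam guide), the complete MPP configuration is short; the interface name and the protocol set are assumptions for illustration.

```ios
! Added example (not from the exam guide): Management Plane Protection.
! The interface name and the chosen protocols are assumptions.
!
ip cef                              ! MPP depends on CEF switching
!
control-plane host
 management-interface GigabitEthernet0/0 allow ssh snmp https
!
! Effect: SSH, SNMP and HTTPS addressed to the device are accepted only when
! they arrive on Gi0/0; the same packets on any other interface are dropped
! before they reach the process level. Telnet, HTTP, FTP and TFTP are dropped
! on every interface because no management-interface statement allows them.
! BGP, OSPF, ICMP and transit traffic are not affected; police those with CoPP.
!
! Verify:
! show management-interface                       (allowed protocols and drop counters per interface)
! show management-interface GigabitEthernet0/0
```

Before enabling MPP over a remote session, make sure that session arrives on the interface you are about to designate; otherwise the command that enables MPP is the last one you will be able to enter on that session.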