Tag Archives: 5.1b

5.1.b Implement and troubleshoot device access control

5.1.b [i] Lines [VTY, AUX, console]

Password protection of the router's command-line interface (CLI) is one of the fundamental elements of an overall security plan. Protecting the router from unauthorized remote access (historically Telnet, today SSH) is the most commonly configured control, but protecting it from unauthorized local access through the console and AUX ports cannot be overlooked.

The VTY lines are the router's virtual terminal lines, which terminate inbound Telnet and SSH sessions. They are virtual in the sense that they are a function of software: no hardware is associated with them. They appear in the configuration as line vty 0 4 (many platforms expose more, typically line vty 0 15; check with show line, because an unprotected extra VTY is a classic gap). Each line type (VTY, AUX, console) can be configured with password protection. A line can be configured with one shared password for all users, or with user-specific credentials. User-specific credentials can be defined locally on the router, or an authentication server (RADIUS or TACACS+) can provide authentication.

To specify a password on a line, use the password command in line configuration mode. To enable password checking at login, use the login command in line configuration mode. Without login, the password is set but never checked; with login local, the line authenticates against the local username database instead of the shared line password.

Note that transport preferred none stops the router from treating a mistyped command as a host name and opening a Telnet session to it, and it does so even for hosts defined with the ip host command. This is unlike no ip domain-lookup, which only stops the DNS lookup for undefined hosts and lets automatic Telnet still work for the defined ones.
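The pieces above put together, as an added configuration example that is not from the page or the book: a local user with a hashed secret, SSH-only VTY access restricted by an ACL, a closed AUX port, and transport preferred none on the lines. The user name, the management prefix, the ACL number and the host/domain names are assumed for illustration.

```cisco
! Added example, not from the page or the book. User name, ACL number,
! management prefix and host/domain names are assumed.
!
! Per-user credential with a type 9 (scrypt) hash; needs IOS 15.3(3)M or
! later. On older images use "username admin privilege 15 secret ..." (type 5).
username admin privilege 15 algorithm-type scrypt secret Adm1n-Str0ng-Passphrase
!
! Only the management subnet (assumed) may open a VTY session.
access-list 10 remark management stations allowed to reach the VTYs
access-list 10 permit 10.0.100.0 0.0.0.255
access-list 10 deny   any log
!
! SSH prerequisites: host name, domain name, RSA key pair, SSHv2 only.
hostname R1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
line console 0
 ! authenticate against the local user database, not a shared password
 login local
 ! idle sessions are dropped after 5 minutes
 exec-timeout 5 0
 ! a mistyped command is no longer treated as a host to Telnet to
 transport preferred none
 logging synchronous
!
line aux 0
 ! no shell on the AUX port at all
 no exec
 transport input none
 exec-timeout 0 1
!
line vty 0 4
 login local
 ! only the management subnet, inbound
 access-class 10 in
 ! SSH only: Telnet is refused, so credentials never cross the wire in cleartext
 transport input ssh
 transport preferred none
 exec-timeout 5 0
!
! For comparison, the shared-password form produced by the "password" and
! "login" commands described above. Weaker: one secret for everyone and no
! per-user audit trail; without "login" the password is never even checked.
! line vty 0 4
!  password C1sco-Shared
!  login
```

Run show line first: a platform that exposes line vty 0 15 needs the same settings on every VTY, otherwise the unconfigured ones remain reachable. show users lists active sessions per line, show line vty 0 shows the transport and access-class in effect, and show ip ssh confirms SSHv2 is enabled.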

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Location 4988). Kindle Edition.


5.1.b [ii] SNMP

SNMP is an application-layer protocol that provides a message format for communication between SNMP managers and agents. SNMP provides a standardized framework and a common language used for the monitoring and management of devices in a network.

The SNMP framework has three components:

● An SNMP manager

● An SNMP agent

● A Management Information Base (MIB)
The SNMP manager is the system used to control and monitor the activities of network hosts using SNMP. The most common managing system is called a Network Management System (NMS). The term NMS can be applied to either a dedicated device used for network management, or the applications used on such a device. A variety of network management applications are available for use with SNMP. These range from simple command-line applications to feature-rich graphical user interfaces (such as the CiscoWorks2000 line of products).

The SNMP agent is the software component within the managed device that maintains the data for the device and reports it, as needed, to managing systems. The Management Information Base (MIB) is a virtual information store for network management data, made up of collections of managed objects; related objects are grouped into MIB modules. The agent and MIB reside on the managed device (router, access server, or switch). To enable the SNMP agent on a Cisco routing device, you must define the relationship between the manager and the agent: a community string for SNMPv1/v2c, or a user and group for SNMPv3.

The SNMP agent contains MIB variables whose values the SNMP manager can request or change through Get or Set operations. A manager can get a value from an agent or store a value into that agent. The agent gathers data from the MIB, the repository for information about device parameters and network data, and responds to manager requests to Get or Set it. Because a Set can change the device's state (including its configuration), a read/write community or user is effectively administrative access and should be granted only where Set operations are really needed, and only to the managers that need them.
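Defining that manager-agent relationship on a Cisco IOS device, as an added configuration example that is not from the page or the book: a weak community setup, a read-only v2c community bound to an ACL, and an SNMPv3 authPriv user restricted to a read view. The community strings, view/group/user names, ACL number, passphrases and NMS address are all assumed for illustration.

```cisco
! Added example, not from the page or the book. Community strings, names,
! ACL number, passphrases and the NMS address are assumed.
!
! Weak, but still common: default-looking communities with no ACL. Anyone
! who can reach UDP/161 and guesses "private" can rewrite the configuration.
! snmp-server community public  RO
! snmp-server community private RW
!
! Better for v2c: read-only, non-guessable string, bound to an ACL naming
! the management station. The community still travels in cleartext.
access-list 20 remark SNMP managers
access-list 20 permit host 10.0.100.10
access-list 20 deny   any log
snmp-server community Rd0nly-x7Q-pm2 RO 20
!
! Preferred: SNMPv3 authPriv. The group is limited to a read-only view and
! the same manager ACL; the user authenticates with SHA and encrypts with
! AES-128. No community string exists at all.
snmp-server view MGMT-RO iso included
snmp-server group NMS-RO v3 priv read MGMT-RO access 20
snmp-server user nmsuser NMS-RO v3 auth sha Auth-Passphrase-1 priv aes 128 Priv-Passphrase-2
!
! Notifications to the NMS, also as v3 authPriv (the "community" field
! carries the v3 user name).
snmp-server host 10.0.100.10 version 3 priv nmsuser
snmp-server enable traps snmp authentication linkdown linkup coldstart
!
! Verification
! show snmp community
! show snmp group
! show snmp user
```

The snmp-server user line is deliberately not shown in show running-config, so show snmp user is the way to confirm the user exists and which group it belongs to. Leaving the v2c community in place alongside v3 keeps the cleartext path open; remove it once the NMS has been moved to v3.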

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Location 5031). Kindle Edition.


5.1.b [iii] Management plane protection

The Management Plane Protection (MPP) feature in Cisco IOS restricts the interfaces on which network management packets are allowed to enter a device. It lets a network operator designate one or more router interfaces as management interfaces.

Device management traffic is permitted to enter the device only through these management interfaces. Once MPP is enabled, no interface other than a designated management interface accepts management traffic destined to the device; such packets arriving on any other interface are dropped before they reach the CPU. Restricting management packets to designated interfaces gives greater control over management of the device and therefore more security for it. Other benefits are better performance for data packets on non-management interfaces, support for network scalability, fewer access control lists (ACLs) needed to restrict access to the device, and protection of the CPU from management-packet floods arriving on switching and routing interfaces. MPP covers only the in-band management protocols it knows about (SSH, Telnet, SNMP, HTTP, HTTPS, FTP, TFTP, BEEP, TL1); it does not affect the console, transit traffic, or other control-plane protocols, and it requires Cisco Express Forwarding (CEF) to be enabled.
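MPP on a Cisco IOS router, as an added configuration example that is not from the page or the book; the interface names are assumed.

```cisco
! Added example, not from the page or the book. Interface names are assumed.
!
! MPP depends on Cisco Express Forwarding.
ip cef
!
! Designate Gi0/0 (assumed to be the management port) and list the only
! management protocols it may accept.
control-plane host
 management-interface GigabitEthernet0/0 allow ssh snmp
!
! Effect: SSH and SNMP addressed to the router are accepted only when they
! arrive on Gi0/0. The same packets arriving on Gi0/1 (a transit interface)
! are dropped before they reach the CPU. Telnet, HTTP, HTTPS, TFTP, FTP,
! BEEP and TL1 are dropped on every interface, because none of them is in
! the allow list. Transit traffic through Gi0/1 and the console are unaffected.
!
! Verification
! show management-interface
! show management-interface GigabitEthernet0/0
```

Before enabling MPP, make sure the session you are working from enters through the interface you are about to designate, and consider a reload in 10 safety net first; otherwise the configuration locks out your own SSH session. Pair MPP with a line-level access-class: MPP answers "which interface", the ACL answers "which source addresses".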

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5034-5042). Kindle Edition.

5.1.b [iv] Password encryption

The enable password command is not recommended, because the password is stored in cleartext (or, with service password-encryption, in the reversible type 7 form). Use the enable secret command instead; if both are configured, the secret is the one that is checked. Enable secrets are stored as salted MD5 hashes (type 5). An enable secret cannot be recovered from the contents of a configuration file other than by dictionary or brute-force attacks, but MD5 is fast enough that weak passphrases do fall to such attacks. IOS 15.3(3)M and later offer enable algorithm-type scrypt secret (type 9), which should be preferred; the short-lived type 4 (unsalted, single-round SHA-256) is weaker than type 5 and should be avoided. Almost all other passwords and authentication strings in Cisco IOS configuration files are encrypted using the weak, reversible scheme used for user passwords. To determine which scheme has been used for a specific password, check the digit that precedes the encrypted string in the configuration file: 7 means the weak reversible algorithm, 5 means the MD5 hash, and 8 and 9 mean the PBKDF2-SHA-256 and scrypt hashes respectively.

Anyone who can read the configuration file (a backup, a TFTP server, a pasted "show run") can read every cleartext password in it, so you can increase access security by configuring the Cisco IOS software to encrypt passwords. Encryption prevents the password from being readable in the configuration file. It does nothing for passwords on the wire: protocol analyzers still read a Telnet login in cleartext, so use SSH for remote access. Note also that the type 7 scheme is a fixed-key, Vigenère-style cipher; freely available tools recover the plaintext instantly, so it only defeats casual reading of the file, not an attacker who has obtained the configuration.

To configure the Cisco IOS software to encrypt passwords, use the following command in global configuration mode:

Router(config)# service password-encryption

The actual encryption process occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including authentication key passwords, the privileged command (enable) password, console and virtual terminal line access passwords, and BGP neighbor passwords. The service password-encryption command is useful primarily for keeping unauthorized individuals from viewing your passwords in your configuration file; it does not make them unrecoverable, and issuing no service password-encryption later does not convert already-encrypted passwords back to cleartext.
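What the schemes above look like in a configuration, with the weak form beside the corrected one, as an added example that is not from the page or the book; the passphrases and the user name are made up for illustration.

```cisco
! Added example, not from the page or the book. Passphrases and the user
! name are made up.
!
! 1. Cleartext: "enable password" with no service password-encryption.
!    Appears verbatim in "show running-config".
! enable password Cisc0123
!
! 2. Type 7: the same command after "service password-encryption".
!    Reversible with a fixed, published key; public tools recover it
!    instantly. It only stops shoulder-surfing.
! service password-encryption
! enable password 7 <hex string>
!
! 3. Type 5: "enable secret" stored as a salted MD5 hash. One-way, but MD5
!    is fast, so a weak passphrase falls to a dictionary attack.
! enable secret Cisc0123
!    stored as: enable secret 5 $1$<salt>$<hash>
!
! 4. Corrected: type 9 (scrypt), IOS 15.3(3)M and later, deliberately slow
!    to brute force. If an "enable password" also exists, the secret wins.
enable algorithm-type scrypt secret Str0ng-Enable-Passphrase
!    stored as: enable secret 9 $9$<salt>$<hash>
no enable password
!
! Same rule for local users: "secret", never "password".
username ops privilege 15 algorithm-type scrypt secret Ops-Passphrase-2
!
! Still turn on service password-encryption for the strings that can only
! be type 7 (line passwords, routing-protocol keys, RADIUS/TACACS+ keys) so
! that they are not cleartext, but treat them as recoverable by anyone who
! obtains the file.
service password-encryption
!
! Verification
! show running-config | include secret|password
!   every "secret" line should carry a 9 (or at worst 5); no bare
!   "password <text>" should remain; a 7 marks a reversible string.
```

Because type 7 strings are reversible, a configuration that contains them (TACACS+ keys, OSPF authentication keys) should be handled as if it contained the cleartext: keep backups access-controlled and rotate those keys if a copy of the file leaks.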

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5064-5067). Kindle Edition.