Section 9 – Security – 9 Points
Security is another one of those topics with which I am not very familiar. I was able to use the DOC to pull out a few points so I was pretty happy, especially after tanking QoS.
Task 9.1 was very straight-forward. You needed to disable CDP on an interface (“no cdp enable”) and disable BOOTP (“no ip bootp server). Next, you are asked to:
“Drop all source routed packets”
I pulled this one out of my ass. I looked for “source route” and then “source-route” in the command list and found:
To allow the Cisco IOS software to handle IP datagrams with source routing header options, use the ip source-route command in global configuration mode. To have the software discard any IP datagram containing a source-route option, use the no form of this command.
Interesting verification command:
r4#sh ip socket
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 –listen– 18.104.22.168 2887 0 0 11 0
17 0.0.0.0 0 22.214.171.124 67 0 0 2211 0
88 –listen– 126.96.36.199 10 0 0 0 0
Next up was:
“A banner message should be displayed to all users that telnet into the router…”
There are plenty of banner choices:
LINE c banner-text c, where ‘c’ is a delimiting character
exec Set EXEC process creation banner
incoming Set incoming terminal line banner
login Set login banner
motd Set Message of the Day banner
prompt-timeout Set Message for login authentication timeout
slip-ppp Set Message for SLIP/PPP
I went with the obvious choice:
Managing Connections, Menus, and System Bannersbanner login
To define and enable a customized banner to be displayed before the username and password login prompts, use the banner login command in global configuration mode. To disable the login banner, use no form of this command.
9.2 asked you to filter SNMP polling. I have to remember that SNMP is UDPand not TCP. :-)
Also, it seems that I got lucky:
ip access-list extended FILTER_SNMP_FROM_BB1
deny udp any any eq snmp
permit ip any any
From solution guide:
“The two UDP ports used by SNMP are 161 and 162. UDP port 161 is used by network management devices to poll managed devices. UDP port 162 is used by managed devices to send SNMP traps. Since this section stated r2 and r4 were being polled via SNMP, only UDP port 161 needs to be denied.”
So using “udp eq snmp” in an extended ACL only filters on UDP port 161? Lucky for me. :-)
9.3 – I didn’t have a clue, but they give you enough information to get you started. Using the DOC I was able to pick up these points.
9.4 – Completely over my head. Task requires CBAC and Reflexive ACLs. I completely skipped this as I need to study the underlying technologies a lot more.
I was pleasantly surprised to nab 6 points in this section. Of course, the tasks pretty much spelled out what you needed to do (no tricky wording) so it was a matter of just hitting the DOC to get the answers. I don’t expect the actual lab tasks to be this pointed.