routeprotocol.com

CCNP Enterprise Core (350-401)

  • Username and Password Authentication

    User identification can be best carried out with not just a password, but a username and password. Username accounts can be used for several applications, including console, AUX and VTY lines. To start a username and password login system, the usernames need to be configured on the device in global configuration mode. ! Creates a…

  • Password Encryption

    service password-encryption will change any Type 0 passwords entered in the router configuration to Type 7 in an attempt to stop unauthorised users from being able to easily view the password. This includes any passwords entered earlier in the configuration; they will be converted to Type 7 passwords when service password-encryption is entered. Password encryption is…

  • Enable Password and Enable Secret

    enable password stores the password in plain text (Type 0) in the Cisco configuration. service password-encryption will encrypt the plain text into a Type 7 password, but this is still considered weak. enable secret will store the password as a Type 5 hash and is considered more secure. If both enable password and enable secret…

  • Cisco Password Types

    There are five available types of password security in Cisco IOS. Type 0: Type 0 passwords are the most insecure as they are not encrypted and are visible in the device configuration in plaintext. Type 4: Type 4 is a discontinued password encryption that was withdrawn from IOS 15.3 due to a flaw in its implementation; it should…

  • Terminal Lines Security

    Password protection to control or restrict access to the command line interface is important to protect against unauthorised access. There are three methods of accessing the command line interface of an IOS device. Console Port (CTY): on any Cisco device, the console port appears in the configuration as line con 0 and in the output of…

  • Downloadable ACLs (dACLs)

    A downloadable ACL is another form of Port ACL that can be assigned dynamically by a RADIUS authentication server such as Cisco ISE. After successful network authentication, if a PACL is configured on the switchport and a dACL is assigned by the authoritative server, the PACL will be overwritten by the dACL.

  • PACL, VACL, RACL (ACL) Priority

    If a PACL, VACL, and RACL (Router ACL) are all configured in the same VLAN, the ACLs are evaluated in a certain order. Bridged traffic: inbound PACL on the switchport, inbound VACL on the VLAN, outbound VACL on the VLAN. Routed traffic: inbound PACL on the switchport, inbound VACL on the VLAN, inbound ACL on…

  • VLAN Access Control List (VACL)

    A VACL can filter traffic bridged within a VLAN or routed in and out of a VLAN.

      ! Block ICMP
      ip access-list extended ICMP
       deny icmp any any
      ! Forward everything else
      ip access-list extended OTHER
       permit ip any any
      ! Construct the access map
      vlan access-map VACL_10 10
       match ip address ICMP
       action drop…

  • Port Access Control Lists (PACL)

    The syntax for configuring a Port Access Control List is the same as creating any other access control list. The difference is that Port Access Control Lists also support filtering by MAC address via a different CLI syntax. PACLs can only filter incoming traffic, with no outbound filtering support. PACLs cannot filter control packets…

  • Named Access Control Lists (ACL)

    Named access control lists allow for easier identification of an access control list's purpose if a suitable naming convention is followed. They function in the same way as standard and extended access control lists; they just have a different method of being created.

      ip access-list standard restrict_vty
       permit host 192.168.10.20
       permit host 10.55.55.20
       deny…