CCNP Enterprise Core (350-401) Cisco Security

Use a specific TACACS+ server when logging in

If a TACACS+ server is misbehaving and rejecting login requests, you can pick a particular server to use, provided this global configuration command is configured:

tacacs-server directed-request

With this command configured, you can log in to a device with a username in the format <username>@<tacacs-ip-address> to select a specific, working server.

Cisco Device Hardening

Disable Topology Discovery Tools

Tools such as Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) can provide unnecessary information to devices outside of your control. Disable these services on interfaces facing such devices with the interface commands no cdp enable, no lldp transmit, and no lldp receive.

Disable TCP and UDP Small Services

The commands service tcp-keepalives-in and service tcp-keepalives-out ensure that the device sends TCP keepalives for inbound and outbound TCP sessions. This ensures that the device on the remote end of the link is still reachable and that half-open or orphaned connections are removed from the device.

Disable IP Redirect Services

An ICMP redirect is used to inform a device of a better path to a destination network. An IOS device sends an ICMP redirect when it detects network traffic hairpinning (a packet forwarded out of the same interface it arrived on). This can be disabled on the interface with the command no ip redirects.

Disable proxy Address Resolution Protocol (ARP)

Proxy ARP allows a router to answer ARP requests that are intended for a different device.

The router fakes its identity and sends an ARP response on behalf of the device, for the network that the router is responsible for.

Disable proxy ARP on the interface with the command no ip proxy-arp.

Disable service configuration

Cisco devices support automatic configuration loading from remote devices through TFTP and other methods. This can be disabled with the command no service config.

Disable the Maintenance Operation Protocol (MOP) Service

The MOP service is not needed and should be disabled with the command no mop enabled.

Disable the packet assembler/disassembler (PAD) Service

The PAD service is used for X.25 and is not required. It can be disabled with the command no service pad.

Verifying Control Plane Policing Policy (CoPP)

When a control plane policing policy is applied to the control plane, it needs to be verified to ensure that it is not dropping packets that it shouldn't.

The command show policy-map control-plane input gives per-class statistics on the packets that have conformed to, exceeded, or violated the policers put in place.

Applying a Control Plane Policing Policy (CoPP) Map

Any control plane policing policy map that has been created needs to be applied to the control plane, under control-plane configuration mode.

control-plane
 service-policy input POLICY-CoPP

Configuring a Policy Map to be used in Control Plane Policing Policy (CoPP)

The policy map defines how to police traffic at a given rate, to minimise the ability of anyone to overload the router.

Finding the correct rate without disrupting the network can be a difficult task.

To ensure that CoPP does not introduce issues, the violate action should be set to transmit for all the vital classes until a baseline of normal traffic has been established. Over time, the rate can be adjusted as required.

policy-map POLICY-CoPP
 class CLASS-CoPP-ICMP
  police 5000 conform-action transmit exceed-action transmit violate-action transmit

Once a baseline of traffic has been established, you can change the violate-action option to drop instead.

policy-map POLICY-CoPP
 class CLASS-CoPP-ICMP
  police 7500 conform-action transmit exceed-action transmit violate-action drop

Configuring Access Control Lists (ACL) for Control Plane Policing Policies (CoPP)

After network traffic rates to the control plane have been identified, an access list can be built for matching traffic in a class map.

ip access-list extended ACL-CoPP-ICMP
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
 permit icmp any any echo

These access lists do not deny traffic; they are simply used to match the various protocols, in this case ICMP, for use in a class map.

class-map match-all CLASS-CoPP-ICMP
 match access-group name ACL-CoPP-ICMP

Control Plane Policing (CoPP)

Control Plane Policing (CoPP) is a Quality of Service (QoS) policy that is applied to traffic towards or from the router's control plane CPU.

Control Plane Policing policies are used to limit known traffic to a given rate, to protect the CPU from unexpected extreme rates of traffic that could impact the stability of the router.

CoPP policies usually have only an input policy, which allows traffic destined to the control plane to be policed at a desired rate.

In a properly planned Control Plane Policing policy, network traffic is placed into various classes based on the type of traffic, such as management, routing protocols, or known IP addresses. The CoPP policy then limits the traffic to the control plane for each of these classes.

When a rate for a CoPP policy is being defined, the appropriate rate for a class may not be known without further investigation. The quality of service police command supports conform, exceed, and violate actions, each of which can be set to drop or transmit traffic. By choosing to transmit traffic that exceeds the policed rate and monitoring CoPP, the policy can be adjusted to meet requirements.
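The CoPP sections above (ACL, class map, policy map, applying and verifying) assembled into one complete baseline-mode configuration, as an added example that is not part of the original notes; it goes beyond the notes by adding management and routing classes. The names ACL-CoPP-MGMT, ACL-CoPP-ROUTING and their class maps, the 10.0.0.0/24 management subnet, and all police rates are assumed placeholder values.

```cisco
! Added example: full CoPP build in baseline mode (violate-action transmit).
! ACL-CoPP-MGMT, ACL-CoPP-ROUTING, the 10.0.0.0/24 management subnet and
! every police rate below are assumed placeholders, not values from the notes.
ip access-list extended ACL-CoPP-ICMP
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
 permit icmp any any echo
ip access-list extended ACL-CoPP-MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq snmp
ip access-list extended ACL-CoPP-ROUTING
 permit ospf any any
!
! The ACLs only classify; each class map binds one ACL to a CoPP class.
class-map match-all CLASS-CoPP-ICMP
 match access-group name ACL-CoPP-ICMP
class-map match-all CLASS-CoPP-MGMT
 match access-group name ACL-CoPP-MGMT
class-map match-all CLASS-CoPP-ROUTING
 match access-group name ACL-CoPP-ROUTING
!
! police rates are in bits per second. Every class transmits on violate
! until "show policy-map control-plane input" has shown a clean baseline;
! then change violate-action to drop one class at a time.
policy-map POLICY-CoPP
 class CLASS-CoPP-ROUTING
  police 64000 conform-action transmit exceed-action transmit violate-action transmit
 class CLASS-CoPP-MGMT
  police 32000 conform-action transmit exceed-action transmit violate-action transmit
 class CLASS-CoPP-ICMP
  police 8000 conform-action transmit exceed-action transmit violate-action transmit
 class class-default
  police 8000 conform-action transmit exceed-action transmit violate-action transmit
!
! Attach the policy inbound to the control plane.
control-plane
 service-policy input POLICY-CoPP
```

Watch the violated counters per class in show policy-map control-plane input before moving any class to violate-action drop; a class that shows violations during normal operation needs its rate raised first.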

Zone Based Firewall Configuration

To configure a zone-based firewall with a basic outside and inside interface configuration, follow these steps.

First of all, define the zones:

zone security OUTSIDE
 description Outside zone used for internet traffic
zone security INSIDE
 description Inside zone used for internal traffic

Next, define the inspection class map. The class map for inspection defines a method for classifying traffic.

The class map is configured using the command class-map type inspect and, in this example, matches traffic against an ACL:

ip access-list extended ACL-ICMP
 permit icmp any any
ip access-list extended ACL-GRE
 permit gre any any
class-map type inspect match-any CLASS-OUTSIDE-TO-INSIDE-INSPECT
 match access-group name ACL-GRE
class-map type inspect match-any CLASS-OUTSIDE-TO-INSIDE-PASS
 match access-group name ACL-ICMP

The inspection policy map must be configured next. It applies an action (inspect, pass, or drop) to each class map created earlier. The original notes do not name the policy map; POLICY-OUTSIDE-TO-INSIDE is assumed here.

policy-map type inspect POLICY-OUTSIDE-TO-INSIDE
 class type inspect CLASS-OUTSIDE-TO-INSIDE-INSPECT
  inspect
 class type inspect CLASS-OUTSIDE-TO-INSIDE-PASS
  pass
 class class-default
  drop

The inspect keyword offers stateful traffic control. The router maintains connection/session information and permits return traffic from the destination zone without the need to specify it in a second policy.

The pass keyword makes the router forward packets from the source zone to the destination zone. Packets are forwarded in only one direction; a separate policy must be applied for traffic to be forwarded in the opposite direction.

The drop keyword silently drops packets that match the class map. The log keyword adds syslog information that includes the source and destination details.

The inspect policy map has an implicit class-default that uses a drop action. This is the same implicit "deny all" that is found in an access control list.

The policy map can be checked with the command show policy-map type inspect.

Next, the policy map needs to be attached to a traffic flow, from a source zone to a destination zone, using the command zone-pair security, with the policy map applied under it (the policy map name POLICY-OUTSIDE-TO-INSIDE is assumed, as the notes do not name it):

zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect POLICY-OUTSIDE-TO-INSIDE

Finally, each zone needs to be attached to an interface:

interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE

Zone Based Firewall – Default Zone

The default zone is a system-level zone, and any interface that is not a member of another security zone is placed into the default zone.

When an interface that is not in a security zone sends traffic to an interface that is in a security zone, that traffic is dropped.

Network engineers may assume that a policy cannot be configured to permit these flows, but it can, if the default zone is enabled.

When the default zone is initialised, any interface that is not associated with a security zone will be placed into the default zone.

A policy can be created between the default zone and the target zone to permit traffic.

Zone Based Firewall – The Self Zone

The self zone is a system-level zone and includes all of the router's IP addresses.

By default, traffic to and from this zone is permitted to support management protocols and control plane functions.

The management protocols could be telnet, SSH, SNMP, etc.

The control plane functions could be OSPF, EIGRP, RIP, etc.

After a policy is applied to the self zone and another security zone, interzone communication must be explicitly defined.
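The zone-based firewall configuration, default-drop behaviour and self-zone rule from the sections above, shown together as an added example that is not part of the original notes. It goes beyond the notes by inspecting inside-to-outside traffic and by adding the explicit self-zone policy that becomes necessary once any policy touches the self zone. All zone-pair, class-map, policy-map and ACL names, the 10.0.0.0/24 management subnet, and the choice of SSH and OSPF as the permitted router-bound protocols are assumed placeholders.

```cisco
! Added example: two-zone firewall plus an explicit self-zone policy.
! All names below, the 10.0.0.0/24 management subnet, and the SSH/OSPF
! choice are assumed placeholders, not values from the original notes.
zone security INSIDE
zone security OUTSIDE
!
! Symmetric entries: one line per direction, since pass is one-way.
ip access-list extended ACL-SELF-MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit tcp any eq 22 10.0.0.0 0.0.0.255
 permit ospf any any
!
class-map type inspect match-any CLASS-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all CLASS-SELF-MGMT
 match access-group name ACL-SELF-MGMT
!
! inspect keeps session state, so no OUTSIDE-TO-INSIDE policy is needed
! for return traffic; anything unmatched falls to the logged drop.
policy-map type inspect POLICY-INSIDE-TO-OUTSIDE
 class type inspect CLASS-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! Once a policy is applied to the self zone, only listed traffic reaches
! the router; OSPF hellos and SSH from the management subnet are passed.
policy-map type inspect POLICY-SELF-MGMT
 class type inspect CLASS-SELF-MGMT
  pass
 class class-default
  drop log
!
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect POLICY-INSIDE-TO-OUTSIDE
zone-pair security INSIDE-TO-SELF source INSIDE destination self
 service-policy type inspect POLICY-SELF-MGMT
zone-pair security SELF-TO-INSIDE source self destination INSIDE
 service-policy type inspect POLICY-SELF-MGMT
!
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE
```

Without the two self-zone pairs the router would still be reachable from INSIDE, because self-zone traffic is permitted by default; adding them is what makes every other router-bound protocol from INSIDE an explicit decision.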