Security

If a TACACS+ server is misbehaving and rejecting login requests, you can pick a particular to use if you have this global configuration command configured: tacacs-server directed-request With this command configured, you can log into devices with the format <username>@<tacacs-ip-address> to select a specific working server

Disable Topology Discovery Tools Tools such as Cisco Discovery Protocol and Link Layer Discovery Protocol can provide unnecessary information to devices outside of your control. Disable the services on these interfaces with the commands no cdp enable, no lldp transmit, and no lldp receive Disable TCP and UDP Small Services The commands service tcp-keepalive-in and…

When a control plane policing policy is applied to the control plane, it needs to be verified to ensure that it is not dropping packets when it shouldn’t. The command show policy-map control-plane input will give statistics on the packets that have conformed, exceeded, or violated the policies put in place.

Any created control plane policing policy maps need to be applied to the control plane. control-plane service-policy input POLICY-CoPP

The policy map will show how to police traffic at a given rate to minimise any ability to try overload the router. Finding the correct rate without overloading the network can be a difficult task. To try ensure that CoPP will not introduce issues, the violate action should be set to transmit for all the…

After network traffic rates to the control plane have been identified, an access list can be built for matching traffic in a class map. ip access-list extended ACL-CoPP-ICMP permit icmp any any echo-reply permit icmp any any ttl-exceeded permit icmp any any unreadable permit icmp any any echo These access lists do not deny traffic,…

Control Plane Policing is a Quality of Service policy that is applide to traffic towards or from the routers control plane CPU. Control Plane Policing Policies are used to limit known traffic to a given rate to protect the CPU from unexpected extreme rates of traffic that could impact the stability of the router. CoPP…

To configure a Zone Based firewall with a basic outside and inside interface configuration, follow this tutorial. First of all, define the zones zone security OUTSIDE description Outside zone used for internet traffic zone security INSIDE description Inside zone used for internal traffic Next define the inspection class map. The class map for inspection defines…

The default zone is a system-level zone, and any interface that is not a member of another security zone is placed into the default zone. When an interface that is not in a security zone sends traffic to an interface that is an a security zone, that traffic will be dropped. Network engineers may assume…

The self zone is a system level zone and includes all of the routers IP addresses. By default, traffic to and from this zone is permitted to support management protocols and control plane functions. The management protocols could be telnet, SSH, SNMP, etc. The control plane functions could be OSPF, EIGRP, RIP, etc. After a…