If a TACACS+ server is misbehaving and rejecting login requests, you can pick a particular to use if you have this global configuration command configured:
tacacs-server directed-request
With this command configured, you can log into devices with the format <username>@<tacacs-ip-address> to select a specific working server
Tools such as Cisco Discovery Protocol and Link Layer Discovery Protocol can provide unnecessary information to devices outside of your control. Disable the services on these interfaces with the commands no cdp enable, no lldp transmit, and no lldp receive
The commands service tcp-keepalive-in and tcp-keepalive-out ensure that devices send TCP keepalives for inbound and outbound TCP sessions. This will ensure devices on the remote end of the link is still accessible and that half open or orphaned connections are removed from the device.
An ICMP redirect is used to inform a device of a better path to a destination network. An IOS device will send a ICMP redirect if it detects network traffic hair pinning. This can be disabled with the command no ip redirects
Proxy ARP allows a router to answer ARP requests that are intended for a different router.
The router fakes its identity and sends out an ARP response for the router that it is responsible for that network.
Disable proxy ARP on the interface with the command no ip proxy-arp
Cisco devices support automatic configuration from remote devices through TFTP and other methods. This can be disabled with the command no service config
The MOP service is not needed and should be disabled globally with the command no mop enabled
The PAD service is used for X.25 and is not required. It can be disabled with the command no service pad
When a control plane policing policy is applied to the control plane, it needs to be verified to ensure that it is not dropping packets when it shouldn’t.
The command show policy-map control-plane input will give statistics on the packets that have conformed, exceeded, or violated the policies put in place.
Any created control plane policing policy maps need to be applied to the control plane.
control-plane service-policy input POLICY-CoPP
The policy map will show how to police traffic at a given rate to minimise any ability to try overload the router.
Finding the correct rate without overloading the network can be a difficult task.
To try ensure that CoPP will not introduce issues, the violate action should be set to transmit for all the vital classes until a baseline of normal traffic can be established. Over time, the rate can be adjusted as required.
policy-map POLICY-CoPP class CLASS-CoPP-ICMP police 5000 conform-action transit exceed-action transmit violate-action transmit
Once a baseline of traffic has been established, you can change the violate-action option to drop instead.
policy-map POLICY-CoPP class CLASS-CoPP-ICMP police 7500 conform-action transit exceed-action transmit violate-action drop
After network traffic rates to the control plane have been identified, an access list can be built for matching traffic in a class map.
ip access-list extended ACL-CoPP-ICMP permit icmp any any echo-reply permit icmp any any ttl-exceeded permit icmp any any unreadable permit icmp any any echo
These access lists do not deny traffic, but are simply for matching against various protocols, in this case, ICMP.
class-map match-all CLASS-CoPP-ICMP match access-group name ACL-CoPP-ICMP
Control Plane Policing is a Quality of Service policy that is applide to traffic towards or from the routers control plane CPU.
Control Plane Policing Policies are used to limit known traffic to a given rate to protect the CPU from unexpected extreme rates of traffic that could impact the stability of the router.
CoPP policies usually only have an input policy that allow traffic to the control plane to be policed at a desired rate.
A properly planned Control Plane Policing Policy, network traffic is placed into various classes based on the type of traffic, such as management, routing protocols or known IP addresses. The CoPP policy is used to limit traffic to the control plane for each of these classes.
When a rate for a CoPP policy is being defined, the rate for a class may not be known without requiring further investigation. The quality of service police command can use confirm, exceed or violate actions that can be programmed to drop or transmit traffic. By choosing to transmit traffic that exceeds the policed rate and monitoring CoPP, the policy can be adjusted to meet requirements.
To configure a Zone Based firewall with a basic outside and inside interface configuration, follow this tutorial.
First of all, define the zones
zone security OUTSIDE description Outside zone used for internet traffic zone security INSIDE description Inside zone used for internal traffic
Next define the inspection class map. The class map for inspection defines a method for classification of traffic.
The class map is configured using the command class-map type inspect and is used with an ACL
ip access-list extended ACL-ICMP permit icmp any any ip access-list extended ACL-GRE permit gre any any class-map type inspect match-any CLASS-OUTSIDE-TO-INSIDE-INSPECT match access-group name ACL-GRE class-map type inspect match-any CLASS-OUTSIDE-TO-INSIDE-PASS match access-group name ACL-ICMP
The inspection policy map is required to be configured next. It applies the class map actions that were created earlier.
policy-map type POLICY-OUTSIDE-TO-INSIDE class type inspect CLASS-OUTSIDE-TO-INSIDE-INSPECT inspect class type inspect CLASS-OUTSIDE-TO-INSIDE-PASS pass class class-default drop
The inspect keyword offers state-based traffic control. The router will maintain connection/session information and permits return traffic from the destination zone without the need to specify it in a second policy
The pass keyword makes the router forward packets from the source zone to the destination zone. Packets are forwarded in only one direction. A policy must be applied for traffic to be forwarded in the opposite direction.
The drop keyword silently drops packets that match the class map. The log keyword will add syslog information that will include the source and destination information
The inspect policy map will have an implicit default that uses a default drop action. The is the same implicit ‘deny all’ that can be found in an access control list.
The policy map can be checked with the command show policy-map type inspect
Next the policy map needs to be attached to a traffic flow source to a destination using the command zone-pair security
zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
Finally, the zone needs to be attached to an interface
interface GigabitEthernet0/0 zone-member security OUTSIDE interface GigabitEthernet0/1 zone-member security INSIDE
The default zone is a system-level zone, and any interface that is not a member of another security zone is placed into the default zone.
When an interface that is not in a security zone sends traffic to an interface that is an a security zone, that traffic will be dropped.
Network engineers may assume that a policy can not be configured to permit these flows, but it can if the default zone is enabled.
When the default zone is initialised, any interface that is not associated with a security zone will be placed into the default zone.
A policy can be created between the default zone and the target zone to permit traffic.
The self zone is a system level zone and includes all of the routers IP addresses.
By default, traffic to and from this zone is permitted to support management protocols and control plane functions.
The management protocols could be telnet, SSH, SNMP, etc.
The control plane functions could be OSPF, EIGRP, RIP, etc.
After a policy is applied to the self zone and another security zone, interzone communication must be explicitly defined.