Shared Flashcard Set

Details

CCNA 6
Security
25
Engineering
Professional
11/16/2008

Additional Engineering Flashcards

 


 

Cards

Term
What are some of the best practices for configuring security on a new Cisco router?
Definition

use SSH instead of telnet

updated IOS

configure ACLs

use difficult & encrypted passwords

  disable unneeded services

Term

What are the ACL number ranges for:

 

IP Standard ACL

IP Extended ACL

IP Standard Expanded Range ACL

IP Extended Expanded Range ACL

Definition

IP Standard ACL : 1-99

IP Extended ACL : 100-199

 

IP Standard Expanded Range ACL : 1300-1999

IP Extended Expanded Range ACL : 2000-2699

Term
What are the characteristics and syntax of Standard ACLs?
Definition
Can filter only on a source network/host (classful)
Cannot filter on destination, protocol, or port
 
Global config:
access-list # [permit|deny] x.x.x.x [wildcard mask]
Term
What are the characteristics and general syntax for Extended ACLs?
Definition
 
filter based on: source/destination IP/ports, protocol, ICMP message
 
Global command:
access-list # [permit|deny] [proto] [source] [mask] (operators) [dest] [mask] (operators) (advanced opt)
Term

What are the characteristics/advantages of named ACLs?

 

What is the syntax for configuring it?

Definition

Meaningful to read, allows removal of individual lines

 Supports both standard and extended ACLs

 

R(config)#ip access-list [standard|extended] [name]
R(config-ext-nacl)#[permit|deny] ...
...etc. 
Term
What are the syntax for port operators and ICMP operators in Extended ACL config?
Definition
Port operators:
eq (equal to port number)
gt/lt (match greater/less than given port number)
range (specify range)
 
ICMP operators:
echo, echo-reply, etc.
Term

What are the three advanced options/keywords that can be configured on an ACL line?

 

What are their functions and what kind of ACLs support them?

Definition
log : logs source IP to log buffer when a match is made (5 min intervals); supports standard and extended ACL
 
log-input : also logs L2 source MAC or DLCI number; supported for extended ACL only
 
established : allow traffic only if TCP session already established; only for extended ACLs filtering TCP
Term
What are the commands to verify (show) the configuration of ACLs?
Definition
"show ACLs" - shows what ACLS are configured
 
"show access-list" & "show ip ACLs"
- shows only the IP ACLs
 
"show ip interface" - shows the direction and placement of ACLs
Term
What is implied at the end/default of an ACL?
Definition
"... deny any any" statement
Term
Where should standard / extended ACLs be placed in the network?
Definition

standard - close to the destination of filtered traffic

 

extended - close to the source of filtered traffic

Term
In NAT, what does the "inside" and "outside" refer to?
Definition

Inside: Private side of the network, usually the source of addresses being translated (eg. "your" company network)

 

Outside: Public side of the network; address space to which inside/private hosts are being translated to (eg. "another's" company network)

Term
In NAT, what does "inside local", "inside global", "outside local", "outside global" refer to?
Definition
Inside local: addresses assigned on your private network
 
Inside global: public addresses assigned by the ISP to represent your private addresses
 
Outside global: Internet routeable IP of a host outside your company
 
Outside local: private IP address of the end host on the other/destination private network
Term

What are the characteristics of the following issues that NAT is used to resolve?

 

1. Overlapping address space

 

2. Well-meaning admin error

Definition

1. Overlapping address space: When a network connects with another network that uses the same IP range (eg. during a merger)

 

2. Well-meaning admin error: Designer of network fails to plan for future growth of network or makes a mistake (eg. giving private hosts addresses of public IPs belonging to someone else)

Term
How does NAT contribute to load distribution?
Definition
Give a cluster of machines a single IP for clients to use
Term
What are the main advantages and disadvatages of NAT?
Definition

Pros: Conserves the registered IP address space, adds security by hiding originating IP & preventing inside access

 

Cons: Application incompatibilities with the nature of changing the source IP of traffic, introduces additional latency to transmission

Term
What are the characteristics, general use, and config syntax of static NAT?
Definition
One-on-one mapping of inside local to inside global IP
 
Gives hosts such as mail/web servers on the private network access to the public internet & vice-versa
 
Global command:
ip nat inside source static [in-local ip] [in-global ip]
On interfaces:
ip nat [inside|outside]
Term

What are the characteristics of Dynamic NAT?

(Any cons?)

Definition

Enables an inside host to get to an outside address when/as needed.

 

Cons: Still doesn't conserve IP

Term

What is PAT and how is it related to NAT?

 

What is the config syntax?

Definition

Port Address Translation (aka extended NAT entry)

 

Uses source ports of hosts to distinguish translated flows, possibly to a single outside address

 

Global config:
ip nat inside source [...] interface [intfc] overload
Term

What are the commands to verify (show) NAT configuration/stats?

 

What is the command to clear dynamic NAT entries?

Definition

show ip nat translations

 

"show ip nat statistics" - snapshot of how many translations performed, overview of config, amount of pool used

 

clear ip nat translation *

Term
What are the characteristics of dynamic access lists and how what benefits does it offer over standard and static extended ACLs?
Definition

AKA Lock and Key

Dynamic user access through firewall, based on telnet connection and authentication

  • Challenge mechanism to authenticate users
  • Simplified management in large internetworks
  • Reduction in router processing
  • Reduction of chance for network break-ins 
Term

What are the characteristics of reflexive ACLs and what are its benefits over normal ACLs?

Definition

AKA IP-Session-Filtering ACLs

Denies traffic from outside sources, while allowing traffic for a session initiated from the inside network.

  • Can be included in a firewall defense
  • Simple to use
  • Greater control of packets entering network
  • Additional security against spoofing and DoS
Term

What is commonly used to define the outside and inside IP ranges in dynamic NAT?

 

What is the config syntax?

Definition
inside source: access list
outside IP range: NAT pool
 
Global config:
ip nat pool [name] [1stIP] [lastIP] netmask [mask]
or
ip nat pool [name] [1stIP] [lastIP] prefix-length [#]
 
ip nat inside source list [acl#] pool [name]
Term

What is the syntax for applying an ACL on an interface versus for telnet/ssh?

 

Definition
Interface config:
 
ip access-group [acl#] [in|out]
 
Line vty config:
 
access-class [acl#] [in|out]
Term
Where are the ACL commands for access-class vs access-group placed?
Definition

access-class on line vty

access-group on the interface

Term
What commands are configured on the interface level for general NAT configuration?
Definition

ip nat inside

ip nat outside

Supporting users have an ad free experience!