CCNA Security

The document discusses key security concepts like assets, vulnerabilities, threats and countermeasures. It also covers topics like types of network traffic, enabling and configuring telnet access on routers, password security policies and configuring user privilege levels on routers.

Terms which are important / used for security –

Anything which is important to us is known as an Asset. For ex., for a company its data is an asset.

A Vulnerability is a loophole / weak point through which your security can be breached. For ex., in HTTP the data
travels in plain text, which is an example of a vulnerability, whereas in HTTPS the data travels in
encrypted form, which is an example of a countermeasure for that vulnerability.
Likewise, in Telnet the data travels in plain text, but in SSH it travels encrypted.

A Countermeasure is simply whatever removes the vulnerability from your network. For ex., securing your website by moving it from HTTP to HTTPS.
A Threat is simply the possibility of danger / trouble. For ex., an attacker attacking our network by using our vulnerability is known as a threat.
Data in motion is also called Traffic.

Types of Traffic / Planes: There are 3 types of traffic, known as planes –

Examples of Control Plane Traffic –

R1# show tcp brief => Shows the running TCP services. Telnet is enabled by default on Cisco routers, so
we can check this by running this command.

We can configure Telnet on any router in 3 ways –

1. Enabling Telnet without a password – We can enable Telnet without a password, but this is a problem, as
anyone who knows the router's IP can access it. So we never use this method.
R1(config)# line vty 0 4
R1(config-line)# no login => Allows login through Telnet without a password
2. Enabling Telnet with a password – We can enable Telnet with a login password so that it is
secured from anonymous access, but there is one problem: if we have 4 network administrators there is no
way to track which user made a change on the router through Telnet, because the Telnet password is a
common password for every user and there is no username.
R1(config)# line vty 0 4
R1(config-line)# password CISCO
R1(config-line)# login
3. Enabling Telnet with a username and password – This is a very helpful method of enabling Telnet, as the login
is password protected and different usernames and passwords can be configured for multiple users, so changes
can be traced to a username. One problem remains: if we have multiple routers in our network, we have to
create the local user database on every router for all users to log in everywhere. For this we can either
set up an AAA server or integrate the routers with AD so that they use the usernames and passwords from the AD server.
R1(config)# username Sanjay password Sanjay@123
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config)# service password-encryption => Encrypts all passwords configured on the router
Note => Always remember that the password-encryption command above stores the password as Type 7, which
can be easily decrypted, either with tools found on Google or with the key chain command on the router itself. So we do not create plain
usernames and passwords on the router; instead we create the username with a secret, as shown
below –
R1(config)# key chain Sanjay
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string 7 <paste the encrypted password here>
R1# show key chain Sanjay => Shows the decrypted password in plain text
R1(config)# username Sanjay secret Sanjay@123 => Creates a hashed (secret) password for the user
Password Security Policy Commands –
R1(config)# security passwords min-length <0-16> => Sets the minimum length of user / enable passwords
R1# show users => Shows the users connected through a remote protocol, with their VTY line numbers
R1# clear line <line no.> => Closes / terminates a running remote connection
from the router

Types of Passwords –
1) Type 0 Password – Plain text password.
2) Type 7 Password – Uses a Cisco algorithm (Vigenère-style) to obscure the password.
3) Type 5 Password – Uses the MD5 algorithm to hash the password.
1) Type 0 Password – Plain text password. How to create a Type 0 password –
R1(config)# enable password enable
R1(config)# username Sanjay password sanjay@123
R1(config)# line con 0 / line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
Note => All of the above commands store the password in plain text, visible in the show running-config
output, which is why these passwords are known as Type 0 passwords.
2) Type 7 Password – Uses a Cisco algorithm (Vigenère-style) to obscure the password. How to
create a Type 7 password –
R1(config)# service password-encryption
Note => The above command converts all Type 0 passwords into Type 7 passwords. But as we know this is a
very weak protection, as anyone can decrypt such a password, either with tools found on Google or with the key chain command
on the router.
How to decrypt a Type 7 password on a Cisco router using a key chain –
R1(config)# key chain Sanjay
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string 7 <paste any Type 7 password here>
R1# show key chain Sanjay => Decrypts and shows the password in plain text
3) Type 5 Password – Uses the MD5 (Message Digest 5) hashing algorithm to store the password.
How to create a Type 5 password –
R1(config)# enable secret enable
R1(config)# username Sanjay secret Sanjay@123
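Added example, not from the notes and not a Cisco tool: a small Python auditor that reads a running-config and reports which password type each credential is stored with, applying the Type 0 / 7 / 5 distinction above so a defender can find what still needs converting to a secret. The config text is constructed for the example and the type 5 hashes in it are placeholders; the script only classifies and decodes nothing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample running-config (placeholder values, not a real device).
# In a real 'show running-config' IOS always writes the type digit after
# 'password'/'secret'; hand-typed lines may omit it, so both forms are handled.
SAMPLE_CONFIG = """\
hostname R1
enable password enable
enable secret 5 $1$abcd$PLACEHOLDERHASH000000.
username Sanjay password 0 Sanjay@123
username Prakash privilege 5 password 7 0822455D0A16
username Admin secret 5 $1$wxyz$PLACEHOLDERHASH111111.
line con 0
 password cisco
 login
line vty 0 4
 password 7 104D000A0618
 login local
"""

ENABLE_RE = re.compile(r"^enable (password|secret)(?: (\d+))? (\S+)$")
USER_RE = re.compile(r"^username (\S+)(?: privilege \d+)? (password|secret)(?: (\d+))? (\S+)$")
LINE_PW_RE = re.compile(r"^\s+password(?: (\d+))? (\S+)$")

# What each storage type means for a defender, per the notes above.
ADVICE = {
    0: "Type 0 (plain text): readable by anyone who can view the config; replace with a secret",
    7: "Type 7 (reversible Cisco encoding): trivially decoded; replace with a secret",
    5: "Type 5 (MD5 hash): not reversible, acceptable; prefer type 8/9 where the IOS supports it",
}

@dataclass
class Finding:
    line_no: int
    owner: str      # which credential: 'enable', 'username X', or the line section
    ptype: int      # IOS password type number
    advice: str

def password_type(keyword: str, digit: Optional[str]) -> int:
    """Map an IOS keyword plus optional type digit to the type number.
    'secret' without a digit is stored as a type 5 hash; 'password' without a digit is type 0."""
    if digit is not None:
        return int(digit)
    return 5 if keyword == "secret" else 0

def audit_config(text: str) -> List[Finding]:
    """Walk the config once and record how every credential is stored."""
    findings: List[Finding] = []
    section = "global"
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if line.startswith("line "):
            section = line            # remember which line (con/vty) a password belongs to
        m = ENABLE_RE.match(line)
        if m:
            t = password_type(m.group(1), m.group(2))
            findings.append(Finding(no, "enable", t, ADVICE.get(t, "unknown type")))
            continue
        m = USER_RE.match(line)
        if m:
            t = password_type(m.group(2), m.group(3))
            findings.append(Finding(no, f"username {m.group(1)}", t, ADVICE.get(t, "unknown type")))
            continue
        m = LINE_PW_RE.match(line)
        if m:
            t = int(m.group(1)) if m.group(1) else 0
            findings.append(Finding(no, section, t, ADVICE.get(t, "unknown type")))
    return findings

def weak_findings(findings: List[Finding]) -> List[Finding]:
    """Type 0 and Type 7 are the ones the notes say to get rid of."""
    return [f for f in findings if f.ptype in (0, 7)]

if __name__ == "__main__":
    for f in weak_findings(audit_config(SAMPLE_CONFIG)):
        print(f"line {f.line_no}: {f.owner}: {f.advice}")
```

Run it against the output of show running-config saved to a file; everything it lists as Type 0 or Type 7 should be re-entered with the secret keyword.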

Privilege Level – A privilege level is the security level of a user, defining what commands the user
can run after authentication. We assign a set of commands to the privilege level and assign that privilege
level to the user, so that the user will not be able to run any commands other than those assigned to his/her
privilege level.
There are 16 privilege levels in total, from 0 to 15, and by default 3 privilege levels are in use on
the router, i.e. –
1) Default privilege level 0 – no authority to run any command.
2) Default privilege level 1 – authority to run some show and clear commands.
3) Default privilege level 15 – admin rights, so a user at this level can run any command.
The remaining privilege levels (2-14) – These are customised privilege levels; we can create privilege levels from 2 to
14, give each a bunch of commands as per requirement, and assign that
privilege level to whichever user we want.
Note: Always remember that a user at a higher privilege level automatically has authority to run all commands of the
lower privilege levels. Privilege levels use a hierarchical architecture.
Suppose we have a user to whom we want to give only limited access, as per requirement.
For ex. –

R1# show privilege => Shows the current user's privilege level

R1(config)# privilege exec level 2 show ip interface brief => Creates privilege level 2
with access to one exec-mode (privileged-mode) command, i.e. only show ip interface brief.
R1(config)# username Sanjay privilege 2 password Sanj@123 => Assigns privilege level 2
to the user Sanjay, so that Sanjay can run only show ip interface brief; no other command can be run by
Sanjay, and he cannot even enter global config mode. This user also has access to levels 1 and 0 as per the
inheritance rule – a user automatically gets access to the commands of the lower privilege levels.
R1(config)# privilege exec level 2 configure terminal => Adds another exec-mode command. (Now the user
can enter global config mode, but is still unable to run any other command in
global config mode.)
R1(config)# privilege configure level 2 interface => Gives access to the interface command in global
config mode; the "configure" keyword here denotes the router mode in which the command we are
granting runs.
Note: User Sanjay still cannot add an IP address, so always remember that we need to add every
command we want to give the user access to, together with the mode in which that command runs. For ex., if we
want to give access to add an IP address and to run shutdown / no shutdown, we need
to run the commands below –
R1(config)# privilege interface level 2 ip address => Adds the ip address command to privilege level 2
R1(config)# privilege interface level 2 shutdown => Adds the shutdown command to privilege level 2
R1(config)# privilege interface level 2 no shutdown => Adds the no shutdown interface-mode command to level 2

Another example – Now we create privilege level 5 with some global config mode commands and assign this level
to a new user, and we will see that this new user also gets all the access of level 2, as level 5 is a higher
level than level 2 and, as per the inheritance rule, a higher level always gets the command access of every lower privilege
level –
R1(config)# privilege exec level 5 configure terminal => Creates a new privilege level 5 with its first command
R1(config)# privilege configure level 5 router ospf => Adds only the OSPF routing protocol command to
privilege level 5
R1(config)# username Prakash privilege 5 password 123 => Creates a new user named Prakash with
privilege level 5 access; this user inherits the command access of privilege level 2 as well.
DES can be broken within an hour, while AES is far more secure than DES: it cannot practically be
decrypted, and even if it could, it would take at least a year to decrypt.

There are 3 ways to enable SSH on routers / switches –

1) Using a domain name and hostname
2) Without using a domain name and hostname
3) SSH with HTTPS

Enabling SSH using a domain name and hostname – Steps to enable SSH using a domain name and hostname
1) Configure the hostname and domain name, then generate the RSA key (it is named after the hostname and domain) => Router(config)# hostname R1
R1(config)# ip domain-name <domain name>
R1(config)# crypto key generate rsa
2) Create a username and password => R1(config)# username Sanjay password Sanjay@123
3) Enable the SSH version => R1(config)# ip ssh version 2
4) Enable the SSH protocol on the VTY lines => R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local
Command to show your crypto key – R1# show crypto key mypubkey rsa
To connect from R2 using SSH version 1 instead of version 2 => R2# ssh -l Sanjay -v 1 12.1.1.1

Enabling SSH without using a domain name and hostname –

1) Create the crypto key with a label => R2(config)# crypto key generate rsa label Sanjay
2) Create a username and password => R1(config)# username Sanjay password Sanjay@123
3) Enable the SSH version => R1(config)# ip ssh version 2
4) Enable the SSH protocol on the VTY lines => R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local
Enabling SSH with HTTPS –
1) Enable the HTTPS service => R3(config)# ip http secure-server => This command generates the
RSA key used for encryption and decryption
2) Create a username and password => R1(config)# username Sanjay password Sanjay@123
3) Enable the SSH version => R1(config)# ip ssh version 2
4) Enable the SSH protocol on the VTY lines => R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local

IOS Login Enhancement (Router Security) –

It is a feature of Cisco routers that protects the router from a DoS (Denial of Service) attack by disabling the
remote login service on the router, so that nobody, neither an attacker nor any other
device in the network, can get remote access to the router by any method for the time period decided by us.
DoS attack – Here, a type of attack in which someone continuously tries to connect to your router by sending nonstop
guessed usernames and passwords.
For ex. – If R2 is our core router and R3 is an outside router, and we want to protect our core router from a
DoS attack, we need to enable the login enhancement feature. To enable this feature we need to create
a policy –
1) After how many wrong attempts (min 0, max 65535) the login service will be blocked.
2) Within how much time (min 0, max 65535 sec) those wrong login attempts must occur.
3) For how long (min 0, max 65535 sec) the router will block the login service.
Command to enable login enhancements –
R2(config)# login block-for <time in sec> attempts 2 within <time in sec>
R2# show login => Shows the status of the login enhancement feature; when the router is blocked it also
shows the time after which logins will be enabled again.
Note: When this feature is active and the quiet period starts, the router creates a built-in access list that
blocks SSH, Telnet and HTTP access to the router; this is how the router blocks all login methods for the given
time period. We can see that access list with –

R2# show ip access-lists
Note: Now here is the problem: if an attacker attacks the router, the router goes into quiet mode
(login services blocked) for everyone, even for the inside network, which makes it difficult to manage. So we
allow the inside network to access the router even while it is in quiet mode; for that we need to create
an access list with a permit entry for the inside network and call that access list in quiet mode.

R2(config)# ip access-list standard 10 => Creates the access list

R2(config-std-nacl)# permit host 10.1.1.1 => Permits a single host IP
R2(config)# login quiet-mode access-class 10 => Calls the access list inside quiet mode

How to slow down attacks (delaying the username and password prompt) =>

As we know, by default there is a 1 sec delay before the router prompts again for the username and password after a wrong
username and password. So anyone can try a wrong username and password every 1 sec, which is bad
for the network from a security point of view, so we add a delay to the prompt for the username and password –
R2(config)# login delay <time in sec, min 1, max 10>
R2(config)# login on-failure log => Creates a log message for each failed login attempt and also sends this log
to the syslog server
R2(config)# login on-success log => Creates a log message for each successful login attempt and also sends this
log to the syslog server
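Added example, not from the notes: a Python simulation of the login enhancement policy above, i.e. block-for / attempts / within, the quiet-mode access-class exemption, and the kind of messages login on-failure log / login on-success log would produce. The scenario events and addresses are constructed; the sliding-window counting of failures is this model's assumption, a simplification of how IOS tracks its watch period.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class LoginPolicy:
    """Mirrors 'login block-for <block_for> attempts <attempts> within <within>'
    plus the hosts permitted by 'login quiet-mode access-class'."""
    block_for: int                       # seconds the router stays in quiet mode
    attempts: int                        # failed attempts that trigger quiet mode
    within: int                          # window (seconds) in which they must occur
    quiet_exempt: Tuple[str, ...] = ()   # source IPs permitted by the quiet-mode ACL

@dataclass
class LoginGuard:
    policy: LoginPolicy
    failures: List[int] = field(default_factory=list)   # timestamps of recent failures
    quiet_until: int = -1                               # end of the current quiet period
    log: List[str] = field(default_factory=list)        # what on-failure/on-success log would emit

    def in_quiet_mode(self, now: int) -> bool:
        return now < self.quiet_until

    def attempt(self, now: int, src: str, user: str, password_ok: bool) -> str:
        p = self.policy
        # Quiet mode: refuse everyone except hosts matched by the quiet-mode access-class.
        if self.in_quiet_mode(now) and src not in p.quiet_exempt:
            self.log.append(f"t={now} quiet mode: connection from {src} refused")
            return "refused-quiet"
        if password_ok:
            self.log.append(f"t={now} LOGIN_SUCCESS user={user} source={src}")
            return "accepted"
        self.log.append(f"t={now} LOGIN_FAILED user={user} source={src}")
        # Assumption: a sliding window; failures older than 'within' seconds no longer count.
        self.failures = [t for t in self.failures if now - t <= p.within] + [now]
        if len(self.failures) >= p.attempts:
            self.quiet_until = now + p.block_for
            self.failures.clear()
            self.log.append(f"t={now} entering quiet mode for {p.block_for}s")
            return "rejected-quiet-start"
        return "rejected"

# Constructed scenario: R2's policy is 'login block-for 120 attempts 2 within 60',
# with 10.1.1.1 permitted by access list 10. 20.1.1.5 is the guessing host.
SCENARIO = [
    (0,   "20.1.1.5", "admin",  False),
    (10,  "20.1.1.5", "admin",  False),   # 2nd failure within 60 s -> quiet mode until t=130
    (20,  "20.1.1.5", "Sanjay", True),    # correct password but refused: quiet mode
    (25,  "10.1.1.1", "Sanjay", True),    # inside host, exempt by the quiet-mode ACL
    (140, "20.1.1.5", "Sanjay", True),    # quiet period over
]

def run_scenario(events=SCENARIO) -> List[str]:
    guard = LoginGuard(LoginPolicy(block_for=120, attempts=2, within=60, quiet_exempt=("10.1.1.1",)))
    return [guard.attempt(*e) for e in events]

if __name__ == "__main__":
    for e, r in zip(SCENARIO, run_scenario()):
        print(e, "->", r)
```

The third event is the point of the feature: even a correct password from the outside host is refused while the quiet period runs, whereas the inside host permitted by the access list is still evaluated normally.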

Creating an extended access list and calling it in quiet mode –
R2(config)# ip access-list extended 101
R2(config-ext-nacl)# permit tcp host 10.1.1.1 host 10.1.1.2 eq 23 => (permit <protocol> <source>
<destination> eq <port number>)
R2(config)# login quiet-mode access-class 101 => Calls the access list in quiet mode
R2# show login => Shows whether the access list is applied or not

Note: The above access list will not work for login, because we have called an extended access list in an access-class.
Always remember that an access list can be applied in 2 ways: with access-class and with access-group.
An access-class is applied to the device itself, which is why the destination must always be "any" in an access list
used with an access-class. An access-group is applied to an interface, which is why it needs
specific source and destination host addresses; so the extended access list created above would work when
called in an access-group. For login, only access-class applies, not access-group.
Extended access list for access-class – This access list works for the inside user –
R2(config)# ip access-list extended 101
R2(config-ext-nacl)# permit tcp host 10.1.1.1 any eq telnet => (eq telnet and eq 23 are the same)
R2(config)# login quiet-mode access-class 101 => Now this access list works properly.

AAA (Authentication, Authorization and Accounting)

We use AAA to overcome the problems of privilege levels, such as –
Problems of privilege levels –
1) Inheritance rule – A higher privilege level can run the commands of the lower privilege levels as per the inheritance
rule, and this is a very big problem.
2) Arguments not supported – Privilege levels only restrict commands, not their arguments.
For ex., if we give a user the command show running-config in a privilege level (here
show is the command and running-config is the argument), then all show commands become available.
Likewise, if we give the command router eigrp 10 in a privilege level, then as per the rule the router
command is allowed, meaning the user can run router ospf, router igrp, router bgp, i.e. all
router commands. In other words, arguments are not supported.
3) All the configuration is on the local router, not centralised.
There are 2 ways to overcome the privilege level problems –
1) AAA (Authentication, Authorization and Accounting)
2) Parser view
AAA (Authentication, Authorization and Accounting) – An AAA server provides authentication, authorization
and accounting for all routers, switches and network devices. By default the AAA feature is disabled on
all Cisco routers and switches, but enabled by default on the ASA. An AAA server uses 2 protocols to communicate
with the routers –
1) RADIUS
2) TACACS+
1) RADIUS => Stands for Remote Authentication Dial-In User Service. It is an open standard protocol and
uses UDP. Works on UDP port numbers 1645 and 1646 (the legacy ports).
2) TACACS+ => A Cisco proprietary protocol that uses TCP. Works on TCP port number 49.
Authentication – Which users can log in. The AAA server provides authentication for routers / switches. For this
we need to configure the AAA server and create the user database on the AAA server instead of a local database,
and also give the AAA server's IP to all routers / switches so that each router can send requests to the AAA server.
Authorization – Which commands a user can run after authentication. We can configure privileges for all
users on the AAA server, so there is no need to configure per-user privilege levels on every router.
Accounting – Keeps accounts / history of the commands run by authenticated and authorized users. The AAA server
also maintains accounts of all users: which user logged in when, and what commands they ran.

Local Database Scenario for Telnet / SSH Access to Routers –

AAA Database Scenario for Telnet / SSH Access to Routers –
Deployment of an AAA server => To deploy or configure an AAA server we need one Linux
server on which we install the ACS (Access Control Server) OS; after installing the ACS OS our server
becomes the AAA server. The ACS server runs on CentOS. There are 2 versions of the ACS software –
1) 4.x and 2) 5.x

Create a Linux server in VMware and give it enough RAM and CPU for fast booting, and change some
settings => Change the VM network adapter from NAT to VMnet1, and in the CD/DVD drive change from the default to the ACS
ISO file location. Once setup has installed, configure the ACS server =>
Setup => Give a hostname for your ACS server => ACS => Enter IP address: 192.168.1.100 => Subnet mask:
255.255.255.0 => Enter default gateway: 192.168.1.1 (router's IP) => Enter domain name: acs.com (domain
name) => Enter primary name server: give the name server's IP (or the router's IP) => Add secondary
name server: Y/N => Enter NTP server name: press Enter => Add another NTP server: Y/N => Enter
system time zone: just press Enter => Enable SSH service: Y/N => Enter username for the ACS server => admin =>
Enter password: give a password for the ACS server => After the reboot, log in to the machine with the
username and password created for the ACS server.
Now change the IP address of VMnet1 to the same subnet as the ACS server and router.
Now check connectivity from the ACS server to the router => ping 192.168.1.1
Now create the user database for authentication of the network devices on the ACS server =>
Open any web browser => https://<ACS server IP> (192.168.1.100) => Username: ACSADMIN => Password:
default => Now reset your password => Now provide the license file for the ACS server; without a license the GUI will not
work.
Deployment of an AAA server using the RADIUS protocol =>
1) RADIUS stands for Remote Authentication Dial-In User Service and is an open standard protocol.
2) RADIUS uses UDP as its transport protocol, and uses port number 1812 for
authentication and authorization and 1813 for accounting.
3) It is an open standard protocol and works on every vendor's devices.
4) Authentication and authorization are combined in RADIUS.
5) Only the password is encrypted; other information such as the username, accounting
information, etc. is not encrypted.

Open your ACS server GUI => default username acsadmin and the password set by you.

R1(config)# aaa new-model => Enables the AAA service

R1(config)# aaa authentication login <list name> group radius => Defines a login authentication method
list with the given name that uses the RADIUS server group.
R1(config)# line vty 0 4
R1(config-line)# login authentication <list name given in the aaa authentication command>
R1(config-line)# exit
R1(config)# radius-server host <ACS/AAA server address> key <any key; remember it, as it will be used on the AAA
server when we configure the AAA/ACS server>

Now the configuration on the ACS / AAA server =>

GUI login to the AAA / ACS server => Network Resources => Network Devices and AAA Clients (to add your router as a client in the AAA server so
that the AAA server can communicate with your network devices and provide authentication whenever a request reaches the AAA server) =>
Give any name (for ex., for router R1 keep it R1) => Give the IP address of the router interface connected to the ACS / AAA server =>
Tick RADIUS => Give the pre-shared key configured on the router => Submit => The rest of the configuration is as per your requirement.

Now create users on the ACS / AAA server for router authentication =>
GUI login to the AAA / ACS server => Users and Identity Stores => Users => Create => Give the user name => the rest of the configuration is as per
your requirement => Give the password and confirm password => Give an enable password too if required => Submit

R1# test aaa group radius <username> <user password> legacy => Tests whether a user created on the AAA server is
authenticated by the AAA server or not
Packet capture of RADIUS and a look at it in Wireshark =>
The RADIUS packet header has 4 fields in total, i.e. –
1) Code 2) Packet Identifier
3) Packet Length 4) Authenticator

1) Code => 3 codes appear in the RADIUS header code field for a login: 1 (Access-Request), 2 (Access-Accept) and 3 (Access-Reject) -

2) Packet Identifier => Used to match a reply to its request, so it stays the same across the codes of one exchange. For ex.
– If R1 sends an Access-Request to the AAA server, the code will be 1 and the packet identifier
will be, say, 1; when the AAA server replies to that Access-Request it sends either code 2
(Access-Accept) or code 3 (Access-Reject) back to the router, but the packet identifier will
still be the same. As per the figure below =>

3) Authenticator => The authenticator is tied to the pre-shared key which we created on the router and on the
AAA server at the time of RADIUS configuration. It travels in the RADIUS header to verify that
the request comes from the right place.
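Added example, not from the notes and not from any Cisco tool: a Python model of the RADIUS header fields just listed. It builds the Access-Request / Access-Accept pair for user Sanjay with identifier 7, parses the four header fields, and shows where the pre-shared key comes into play (constructed here as 12345, the key from the radius-server host command): per RFC 2865 the key itself is never sent; it is mixed into the MD5 that produces the server's Response Authenticator, which the router recomputes to verify the reply, and it is what obscures the User-Password attribute while the User-Name travels in the clear. The Request Authenticator is a fixed constructed value here; a real client picks a fresh random one per request.

```python
import hashlib
import struct

# RADIUS codes the notes mention, plus the accounting codes (RFC 2865 / RFC 2866).
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

# Constructed values for the exchange: the key from 'radius-server host ... key 12345'
# and a fixed 16-byte Request Authenticator (a real client randomises it per request).
SECRET = b"12345"
REQUEST_AUTH = bytes(range(16))

def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2 header bytes), Value."""
    return bytes([attr_type, 2 + len(value)]) + value

def parse_header(packet: bytes) -> dict:
    """Split the 20-byte header: Code (1), Identifier (1), Length (2), Authenticator (16)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    return {"code": code, "name": RADIUS_CODES.get(code, "unknown"),
            "identifier": ident, "length": length,
            "authenticator": packet[4:20], "attributes": packet[20:length]}

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: User-Password is XORed block-wise with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: what the server does with its own copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_request(ident: int, request_auth: bytes, attributes: bytes) -> bytes:
    return struct.pack("!BBH", 1, ident, 20 + len(attributes)) + request_auth + attributes

def build_response(code: int, ident: int, request_auth: bytes, attributes: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return head + hashlib.md5(head + request_auth + attributes + secret).digest() + attributes

def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check that the reply came from a server holding the same secret."""
    h = parse_header(response)
    expected = hashlib.md5(response[:4] + request_auth + h["attributes"] + secret).digest()
    return h["authenticator"] == expected

def sample_exchange() -> dict:
    """R1 -> server: Access-Request (id 7) for user Sanjay; server -> R1: Access-Accept (id 7)."""
    attrs = attribute(1, b"Sanjay") + attribute(2, hide_password(b"Sanjay@123", SECRET, REQUEST_AUTH))
    request = build_request(7, REQUEST_AUTH, attrs)
    accept = build_response(2, 7, REQUEST_AUTH, b"", SECRET)
    return {"request": parse_header(request), "accept": parse_header(accept),
            "accept_verified": verify_response(accept, REQUEST_AUTH, SECRET)}

if __name__ == "__main__":
    ex = sample_exchange()
    print(ex["request"]["name"], "id", ex["request"]["identifier"], "->",
          ex["accept"]["name"], "id", ex["accept"]["identifier"], "verified:", ex["accept_verified"])
```

In a Wireshark capture the User-Name attribute is readable while User-Password is not, which is exactly point 5 in the RADIUS list above; a reply built with a different key fails the verification, which is what the authenticator buys the router.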
Deployment of an AAA server using the TACACS+ protocol =>
1) TACACS+ stands for Terminal Access Controller Access Control System Plus; it is an enhanced version of the
TACACS protocol. TACACS works on UDP while TACACS+ works on TCP.
2) It is a Cisco proprietary protocol and works only on Cisco devices.
3) TACACS+ uses TCP as its transport protocol and works on TCP port number 49.
4) Authentication, authorization and accounting are separated in TACACS+.
5) All the AAA packets are encrypted, including the username, password, etc.

Configuration of AAA using the TACACS+ protocol =>

R1(config)# aaa new-model => Enables AAA services
R1(config)# aaa authentication login <list name> group tacacs+ => Defines a login method list that uses
the TACACS+ server group
R1(config)# tacacs-server host <AAA/ACS server IP> key 12345 => Gives the AAA server IP and the pre-shared
key, which must also be configured on the AAA
server

R1(config)# line vty 0 4
R1(config-line)# login authentication <list name> => Tells the VTY lines to authenticate logins using that AAA method list

Configuration of AAA using TACACS+, RADIUS and the local database together =>

We use this only when we have 2 ACS / AAA servers (either of different types or the same type) and
we want to use them as a primary server and a secondary server, and if
both primary and secondary fail we still need to log in to the router / device
through the local database. We use the command below –

For ex. – If our primary AAA server is 10.1.1.1 and the secondary is 10.1.1.2

R1(config)# aaa authentication login <list name> group radius group tacacs+ local

group radius – the primary AAA/ACS server

group tacacs+ – the secondary AAA/ACS server
local – the local database; in this situation the local devices must have a local username and password

R1(config)# radius-server host 10.1.1.1 key 12345

R1(config)# tacacs-server host 10.1.1.2 key 12345
Differences –

TACACS+                                            | RADIUS
---------------------------------------------------|---------------------------------------------------------------
Cisco proprietary protocol                         | Open standard protocol
Uses TCP as its transport protocol                 | Uses UDP as its transport protocol
Uses TCP port number 49                            | Uses UDP port 1812 for authentication and authorization and 1813 for accounting
Authentication, authorization and accounting are   | Authentication and authorization are combined
separated                                          |
All the AAA packets are encrypted                  | Only the password is encrypted; other information such as the username, accounting information, etc. is not encrypted
Preferably used with ACS                           | Used when ISE is used
More granular control, i.e. the particular         | No external authorization of commands is supported
commands for authorization can be specified        |
Offers multiprotocol support                       | No multiprotocol support
Used for device administration                     | Used for network access

Advantages (TACACS+ over RADIUS) –

1. As TACACS+ uses TCP, it is more reliable than RADIUS.

2. TACACS+ provides more control over the authorization of commands, while in RADIUS no
external authorization of commands is supported.

3. All the AAA packets are encrypted in TACACS+, while only the passwords are encrypted in
RADIUS, i.e. it is more secure.

Advantages (RADIUS over TACACS+) –

1. As it is an open standard, RADIUS can be used with other vendors' devices, whereas
because TACACS+ is Cisco proprietary it can be used with Cisco devices only.

2. It has more extensive accounting support than TACACS+.


AAA Authorization:
AAA authorization using TACACS+ =>

R1(config)# aaa new-model

R1(config)# aaa authentication login <list name> group tacacs+
R1(config)# tacacs-server host <server IP> key <pre-shared key>

R1(config)# aaa authorization exec <list name> group tacacs+ => Exec authorization: the server decides the privilege level the user lands in after login

R1(config)# aaa authorization commands <level 0/1/15> <list name> group
tacacs+ => Command authorization for the commands of that privilege level
R1(config)# aaa authentication enable default group tacacs+ => The enable password is provided by the
TACACS+ server.
R1(config)# aaa authorization config-commands => Also authorizes configuration-mode commands

R1(config)# line vty 0 4
R1(config-line)# login authentication <list name>
R1(config-line)# authorization exec <list name given above, which decides which privilege
level the user gets after login>
R1(config-line)# authorization commands <privilege level 0/1/15> <list name
given above, which decides which list authorizes that level's commands>

Configuration on the ACS / AAA server => 4 steps in total to configure authorization –

1) Add the AAA client (i.e. add the routers to the AAA server for authentication)
2) Create groups and add users to the appropriate group (to implement the privilege level on
the group)
3) Create the privilege level and also create the set of commands for that privilege level
4) Bind the privilege levels to the group / users.
For ex. – We are planning to create an authorization policy as below –
Group   Users   Privilege Level   Set of Commands

Creating groups and adding users to groups =>

GUI login to the ACS / AAA server => Users and Identity Stores => Identity Groups => Create => Give the group name and add
Internal Identity Stores => Users => Give the user name => Select the identity group to which you want to add this user => set the
password for this user => set the enable password if you want => Submit => Repeat the same process for the other users and groups.
Creating the privilege level and set of commands =>

Go to Policy Elements => Authorization and Permissions => Device Administration => Shell Profiles (i.e. create the privilege level) =>
Give a name (for example Layer1) => Common Tasks => Default Privilege => Static => Value 1 (value 1 means privilege level 1, i.e.
when the user logs in they land in privilege level 1 by default) => Maximum Privilege => Static => 5/10, whatever you want, meaning
after login the user goes directly into default level 1, and when they enter the enable command with a privilege level (for ex. enable 5)
then that privilege level is applied, up to the maximum you set. => Repeat the same process for each other
privilege level; only the maximum privilege level changes as per requirement.

Go to Policy Elements => Authorization and Permissions => Device Administration => Command Sets => Create => give the command set
the same name as the group name created on the router for this privilege level => Give commands such as show => Add => enable => Add
=> exit => Add => Submit

Again click Create for another command set => Give the other group name, the same as given on the router for the other privilege level =>
tick "Permit any command that is not in the table below" (to permit full command access) => Submit

Repeat the same process for every command set.

Binding the privilege level to the group / user =>

Go to Access Policies => Access Services => Default Device Admin => Authorization => Customize => Select Identity Group and
Protocol and move them from left to right in the customize-conditions list, and add Shell Profiles and Command Sets in the customize-results list => OK
- Create => Rule Group => Give the rule name => Tick Identity Group => in => Select your group name => Protocol => match =>
select Tacacs => OK => Shell Profile => give the shell profile / privilege level you want to give to the group added above => OK
=> Command Set => Select the command set given to the shell profile => OK => OK
- Again, create rule 2 for the full-access group => Identity Group => in => select your group name => Protocol => match => Tacacs =>
Shell Profile => L2 Shell => OK => Command Set => L2Command => OK => Save Changes
Parser View RBAC (Role Based Access Control) :
Parser View: It is used to limit the number of Commands can run/ Execute by a User. Same as Privilege
Level but there is a small difference between Parser View and Privilege Level that Parser View removed the
limitations of Privilege Level.
It is used to Create a role-based Access Control Users. And also known as RBAC.

Limitations of the Privilege Level:


1) In Privilege Level – No way to exclude any commands (Remove Commands from the List) only include
the commands is available but In Parser-view – we can include commands as well can exclude the
commands.
2) Inheritance – In Privilege Level inheritance was there means Higher Level privilege level will also get
all the commands given to lower-level privilege level. However, in Parser view No inheritance
Problem.
3) Privilege Level always created in the Numbers starting from 0 to 15 and default privilege Levels are
0,1 and 15 but Parser view always created in the Names and have one default parser view named –
Root view with full permission.
Features of Parser View:
1) Include: We can add any command to a Parser View.
2) Exclude: We can remove any command from any Parser View.
3) Include-exclusive: It includes a command in one particular Parser View and excludes that same command
from every other Parser View. For Ex. –
If we have 3 Parser Views A, B and C and we want to give the ping command to Parser View A but do not
want the same command in Parser Views B and C, we can do this by using the Include-Exclusive feature.
Difference Between Root View and Privilege Level 15:
1) A user logged in with the Root View Parser View permission can create both Parser Views and Privilege
Levels.
2) A user logged in with Privilege Level 15 permission can create only Privilege Levels; that user cannot create
a Parser View.
How To Configure Parser View :
Task-1: Create a Parser View with the Name “Level-1” and add the below commands to this view –
- Ping, Telnet, Traceroute
- All Show Commands
- Configure Terminal
- Shut/ No Shut any Interface
Requirements to Configure a Parser View –
1) AAA must be configured
2) An enable password should be configured for Privilege Level 15
3) The device should be logged in with the Root View Parser View
Commands Practice –
R1(config)#aaa new-model => To enable AAA
R1(config)#enable password enable => To set the enable password for Privilege Level 15
R1#enable view root => To log in to the Root View Parser View (asks for the enable password)
R1# show parser view => To show the current Parser View (it should be the Root View); show privilege shows the privilege level
R1(config)#parser view <View_Name> => To create a Parser View with any name. For Ex. =>
R1(config)#parser view Level-1 => To create a Parser View with the name Level-1
R1(config-view)# secret <Password> => To give a password to the newly created Parser View
R1(config-view)# commands <Mode> <include/exclude/include-exclusive> [all] <Actual Command> => To add commands to the
Parser View
R1(config-view)# commands exec include ping => To add the ping command
R1(config-view)# commands exec include telnet => To add the telnet command
R1(config-view)# commands exec include traceroute => To add the traceroute command
R1(config-view)# commands exec include all show => To add all show commands
R1(config-view)# commands exec include configure terminal => To add the configure terminal command
R1(config-view)# commands configure include interface fastethernet 0/0 => To add the interface command
R1(config-view)# commands interface include shutdown => To give the interface shutdown command
R1(config-view)# commands interface include no shutdown => To give the interface no shutdown command
R1(config-view)# commands interface include all => To give permission to run all interface-mode commands
R1(config)# username Sanjay password Sanjay@123 => Any user can be configured to use the Parser View
Command to Login with the Parser View from another Router =>
R2# telnet 10.1.1.1 => Username Sanjay/ Password Sanjay@123
R1>enable view <Parser View Name>
R1>enable view Level-1
Give the password of Parser View Level-1
R1# => Now you can run all commands given to this Parser View
Task-2: Create a Parser View with the Name “Level-2” with Secret Cisco@123 and add the below
commands to this view –
- All Show Commands except “Show IP Route”
- Ping Command (make sure this command is included only in this Parser View and not in any
other Parser View available on the Router)
- All Interface Level Commands
- All Routing Protocol Commands
Solution:
R1(config)# parser view Level-2 => To create the Parser View named Level-2
R1(config-view)# secret <Password for this Parser View> => To create the password for Parser View Level-2
R1(config-view)# commands exec include all show => To add all show commands
R1(config-view)# commands exec exclude show ip route => To exclude show ip route
R1(config-view)# commands exec include-exclusive ping => Includes the ping command only in the Level-2
Parser View and permanently removes it from all other Parser Views; even if you have added it to those Parser
Views, the command will not run in any other Parser View.
R1(config-view)# commands exec include configure terminal
R1(config-view)# commands configure include all interface
R1(config-view)# commands interface include all
R1(config-view)# commands configure include all router
R1(config-view)# commands configure include no all router
How to Bind Parser View with the User =>
R1# show run | section username => To show all users created on the Router
R1(config)# username Sanjay view Level-1 => To bind the Parser View named Level-1 to the user Sanjay
R1(config)# aaa authentication login default local
R1(config)# aaa authorization exec default local
R1(config)# line vty 0 4
R1(config-line)# login authentication default
Super View: The Super View concept is used when we want to inherit commands from 2 or more
Parser Views into a newly created view.
Difference Between Parser View and Super View:
Parser View                             | Super View
Need to configure a secret password     | Need to configure a secret password
Need to add commands one by one         | Need to run the view (add) command only to
Commands to Configure a Super View =>
R1(config)# parser view <Super View Name> superview
R1(config-view)# secret Cisco@123
R1(config-view)# view <One Parser View Name> => To inherit all commands of that Parser View
R1(config-view)# view <Another Parser View Name> => To inherit the commands of another Parser View
Commands to Access the Router with a Super View =>
R2# telnet R1 => Give the username and password to get logged in
R1> enable view <Super View Name> => Give the Super View password
How Many Views We Can Configure => We have 1 Parser View by default and apart from this
view we can create 15 more Parser Views, inclusive of Super Views. That means a total of 15 views (Parser
Views + Super Views).
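The include / exclude / include-exclusive rules above and the Super View inheritance can be checked offline with this small model. It is an added example, not code from the notes or from Cisco IOS: it reproduces the Level-1 and Level-2 views from the tasks and adds an assumed superview named "Ops" that inherits both.

```python
"""Added example (not from the notes): a model of how IOS CLI views decide
whether a command is permitted, covering include, exclude, include-exclusive
and superview inheritance."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One 'commands <mode> ... [all] <command>' line of a view."""
    mode: str       # parser mode: "exec", "configure", "interface"
    command: str    # command text, e.g. "show ip route" ("" means every command in the mode)
    prefix: bool    # True when the "all" keyword was given

    def matches(self, mode: str, command: str) -> bool:
        if mode != self.mode:
            return False
        if self.prefix:  # "all show" covers "show", "show ip route", ...
            return (self.command == "" or command == self.command
                    or command.startswith(self.command + " "))
        return command == self.command


@dataclass
class View:
    name: str
    include: set = field(default_factory=set)
    exclude: set = field(default_factory=set)
    exclusive: set = field(default_factory=set)   # include-exclusive rules
    members: tuple = ()                           # non-empty only for a superview


class ViewTable:
    """All views on one router; 'root' is the built-in full-access view."""

    def __init__(self) -> None:
        self.views: dict = {}

    def parser_view(self, name: str, members=()) -> None:
        # 'parser view NAME' or 'parser view NAME superview' + one 'view MEMBER' per member
        self.views[name] = View(name, members=tuple(members))

    def commands(self, view: str, mode: str, action: str, text: str) -> None:
        # 'commands MODE {include|exclude|include-exclusive} [all] COMMAND'
        words = text.split()
        prefix = words[0] == "all"
        rule = Rule(mode, " ".join(words[1:] if prefix else words), prefix)
        bucket = {"include": "include", "exclude": "exclude",
                  "include-exclusive": "exclusive"}[action]
        getattr(self.views[view], bucket).add(rule)

    def allowed(self, view: str, mode: str, command: str) -> bool:
        """Would a user in `view` be able to run `command` in parser mode `mode`?"""
        if view == "root":
            return True
        v = self.views[view]
        if v.members:  # superview: inherits the union of its member views
            return any(self.allowed(m, mode, command) for m in v.members)
        # include-exclusive in any other view removes the command from this one,
        # even if this view lists it under include (the ping case in Task-2)
        for other in self.views.values():
            if other is not v and any(r.matches(mode, command) for r in other.exclusive):
                return False
        if any(r.matches(mode, command) for r in v.exclude):
            return False
        return any(r.matches(mode, command) for r in v.include | v.exclusive)


def build_router() -> ViewTable:
    """The Level-1 and Level-2 views from the notes plus an assumed superview
    'Ops' that inherits both (the superview name is illustrative)."""
    t = ViewTable()
    t.parser_view("Level-1")
    for cmd in ("ping", "telnet", "traceroute", "configure terminal", "all show"):
        t.commands("Level-1", "exec", "include", cmd)
    t.commands("Level-1", "configure", "include", "interface fastethernet 0/0")
    t.commands("Level-1", "interface", "include", "shutdown")
    t.commands("Level-1", "interface", "include", "no shutdown")
    t.parser_view("Level-2")
    t.commands("Level-2", "exec", "include", "all show")
    t.commands("Level-2", "exec", "exclude", "show ip route")
    t.commands("Level-2", "exec", "include-exclusive", "ping")
    t.commands("Level-2", "exec", "include", "configure terminal")
    t.commands("Level-2", "configure", "include", "all interface")
    t.commands("Level-2", "interface", "include", "all")
    t.parser_view("Ops", members=("Level-1", "Level-2"))
    return t


if __name__ == "__main__":
    table = build_router()
    for view in ("Level-1", "Level-2", "Ops"):
        for mode, cmd in (("exec", "ping"), ("exec", "show ip route"),
                          ("interface", "ip address 10.1.1.1 255.255.255.0")):
            verdict = "allowed" if table.allowed(view, mode, cmd) else "denied"
            print(f"{view:8} {mode:9} {cmd!r:42} {verdict}")
```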
NTP (Network Time Protocol) :
- It is used to sync time from a centralized location.
- It is a layer 7 protocol.
- It can be configured as a server on any network device such as a switch or router.
- Apart from the NTP server, all devices should be configured as NTP clients.
- It is mostly used for time-based ACLs and time-based policies, so that all devices apply them
correctly.
- In a network multiple NTP servers can be configured.
- Every NTP server needs its own stratum number configured, and the lowest stratum number always
wins and is treated as trustworthy; that is, the NTP server with the lowest stratum number is treated
as the primary NTP server and all NTP clients will sync from the NTP server with the lowest stratum
number.
Commands to Configure NTP Server =>
R1(config)# First configure IP addresses on the connected interfaces of all devices.
R1# show clock => To check the current time on your Router
R1# clock set hh:mm:ss <day> <month> <year> => To set a new clock time on the Router
R1(config)# ntp master <Stratum number (from 1-15)>
R1(config)# ntp master 1 => To make it the primary NTP server
R2(config)# ntp master 2 => To make it the secondary NTP server
R3(config)# ntp server 10.1.1.1 => To make it an NTP client
R3(config)# ntp server 10.1.1.2 => To add one more NTP server
R3# show ntp status => To show the NTP status; it should be synchronized with the correct NTP
server
R3# show ntp associations => To show the master NTP server and the rest of the NTP servers configured
on the Router
R3# show run | section ntp => To show all NTP configuration
New Scenario =>

In the above scenario we have one global NTP server located on the Internet, but we can't point all of our
local devices at that NTP server because of the bandwidth it would consume. So we will configure Router1,
which is also our edge router, as an NTP client of the global NTP server, and also configure R1 as the NTP
server for the rest of the network devices. But here there is another problem: R1 already carries a lot of
load as the edge router, so we can't make it the NTP server for every device in our network. Instead we
will configure R1 as the NTP server for R2 and R3 only, and then configure R2 and R3 as the NTP servers
for the rest of the network devices.
All of the above configuration is based on stratum numbers.
NTP Authentication =>
R1(config)# ntp authentication-key <Key Number> md5 <Password>
R1(config)# ntp authentication-key 1 md5 Cisco@123 => To create an authentication key and password; the same
key number and password will be used on the NTP clients
R1(config)# ntp trusted-key 1 => To make key 1 a trusted key for authentication
Configuration on Clients =>
R2(config)# ntp authentication-key 1 md5 Cisco@123 => Use the same key number and password as on the NTP server
R2(config)# ntp trusted-key 1 => Use the same key number as on the NTP server
R2(config)# ntp authenticate
R2(config)# ntp server <Server Address> key 1
All NTP Servers Troubleshooting/ Show Commands =>
R2# show run | section ntp => To show all NTP configuration on your Router
R2# show ntp status => Run on the client; it shows whether your client is synchronized with the NTP server
or not. If synchronized, it shows a stratum number one higher than your server's. For Ex. if your NTP server's
stratum number is 2, it will show 3.
R2# show ntp associations => Shows all NTP servers configured on your device with their
status, meaning which NTP server plays what role
R2# show ntp associations detail => Shows all NTP servers configured on your device in
detail, including whether your NTP client is authenticating with a key or not
Troubleshooting NTP with Debugs:
Some of the most common causes of NTP issues are:
- NTP packets are not received.
- NTP packets are received, but are not processed by the NTP process on the IOS.
- NTP packets are processed, but erroneous factors or packet data cause the loss of synchronization.
- NTP clock-period is manually set.
Important debug commands that help isolate the cause of these issues include:
- debug ip packet <acl>
- debug ntp packets
- debug ntp validity
- debug ntp sync
- debug ntp events
SYSLOG Server:
- Syslog stands for System Logging Protocol and is a standard protocol used to send system log or
event messages to a specific server, called a syslog server. It is primarily used to collect logs
from many different devices in a central location for monitoring and review.
- It works on Layer 7 and uses UDP port number 514.
- Log messages are generated with a severity level, and there are 8 severity levels in total, from 0 to 7 –
1) Level 0 – Emergency Log Messages
2) Level 1 – Alert Log Messages
3) Level 2 – Critical Log Messages
4) Level 3 – Error Log Messages
5) Level 4 – Warning Log Messages
6) Level 5 – Notification Log Messages
7) Level 6 – Informational Log Messages
8) Level 7 – Debugging Log Messages
We can download “Kiwi Syslog Server Manager” on our laptop, connect it to the GNS3 lab,
check connectivity, configure it for syslog and then check for logs.
Download the Syslog Server from www.kiwisyslog.com => Download free tool => Fill the form => Proceed to
free download => Install this software => Agree => Next => Select Install Kiwi Syslog Server as a service =>
Next => Select the Local System Account => Next => Next => Install => Next => Next => Accept => Install
=> Close => Accept => Install => Next => Finish
Double click on the shortcut => Close, try with the 15-day trial version => Manage => Start syslog
service => Go to GNS3 => Connect with the cloud and connect the cloud to any of your laptop/ desktop
interfaces
Commands:
How to Configure SYSLOG Server :
R1(config)#logging host <Syslog Server IP> => To send logs to the Syslog Server
R1(config)# logging on => To enable syslog logging
R1(config)# no service timestamps => To stop sending the time along with the logs
Other Commands:
R1# show logging => To show log messages on the local device
R1(config)# logging console 7 => This command is enabled by default and it
means that log messages of all severities will be generated, from severity 0 to
severity 7
R1(config)# no logging console => To stop logging messages from being recorded or generated
R1(config)# logging console 7 => To start recording or generating logging messages
from severity level 0 to 7
R1(config)# logging console 6 => To start recording or generating log messages
from severity 0 to 6 but not severity 7 (debugging log messages)
R1(config)# logging console filtered <Severity Level Name/ Number> => To filter a
particular severity so that no log is generated for that particular
severity level
R1# show run all | section eigrp => To show all the default commands running for a particular section
R1(config)# router eigrp 100 => To enter routing protocol EIGRP AS 100
R1(config-router)# no eigrp log-neighbor-changes => To stop neighbor change logs
R1(config-router)# eigrp log-neighbor-changes => To start neighbor change logs
R1(config-router)# do show run all | section eigrp => To show all default already
running commands for EIGRP
R1(config-router)# do show run all | section ospf => To show all default already
running commands for OSPF. We can check all already running commands
for anything with such commands and stop/ start whatever we want
R1(config-if)#no logging event link-status => To stop logging interface status
up/ down events
R1(config-if)# logging event link-status => To start logging interface status events
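The severity levels and the `logging console <level>` threshold described above can be exercised on real message text. This is an added example, not from the notes or from Cisco: it decodes the PRI field (facility * 8 + severity) and the %FACILITY-SEVERITY-MNEMONIC header of IOS-style syslog lines; the sample lines are constructed, and the last one is deliberately inconsistent to show the check.

```python
"""Added example (not from the notes): parse Cisco-style syslog lines and apply
the severity threshold semantics of 'logging console <level>' (0-7)."""
import re
from collections import Counter

# Severity names as listed in the notes (0 = most severe)
SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                 # PRI = facility * 8 + severity
    r"(?:(?P<seq>\d+): )?"                 # optional IOS sequence number
    r"(?P<ts>.*?)"                         # timestamp; empty under 'no service timestamps'
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)


def parse_syslog(line: str) -> dict:
    """Decode PRI and the %FACILITY-SEVERITY-MNEMONIC header of one message."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Cisco syslog line: {line!r}")
    pri = int(m["pri"])
    msg = {
        "facility": pri // 8,            # 23 = local7, the IOS default facility
        "severity": pri % 8,
        "seq": int(m["seq"]) if m["seq"] else None,
        "timestamp": m["ts"].strip().rstrip(":"),
        "component": m["fac"],
        "mnemonic": m["mnem"],
        "text": m["text"],
    }
    # PRI and header severity normally agree; a mismatch hints at a relay rewriting PRI
    msg["consistent"] = msg["severity"] == int(m["sev"])
    return msg


def console_filter(lines: list, level: int) -> list:
    """Messages a router would show after 'logging console <level>':
    everything of severity 0..level, nothing above it."""
    return [m for m in map(parse_syslog, lines) if m["severity"] <= level]


def count_by_severity(lines: list) -> dict:
    """Histogram of severity names, e.g. to spot a burst of debugging output."""
    return dict(Counter(SEVERITY[parse_syslog(line)["severity"]] for line in lines))


# Constructed sample messages in IOS format (not captured from a real device)
SAMPLE = [
    "<189>12: *Mar  1 00:02:11.503: %SYS-5-CONFIG_I: Configured from console by console",
    "<191>13: *Mar  1 00:02:15.011: %NTP-7-PEERSYNC: NTP peer 10.1.1.1 synchronised",
    "<187>14: *Mar  1 00:03:02.771: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "<188>15: %NTP-4-UNSYNC: NTP sync is lost",
    # PRI 190 says severity 6 while the header says 5: deliberately inconsistent sample
    "<190>16: *Mar  1 00:03:04.100: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 12.1.1.2 (FastEthernet0/0) is down: holding time expired",
]

if __name__ == "__main__":
    for level in (7, 6, 3):
        shown = console_filter(SAMPLE, level)
        print(f"logging console {level}: {len(shown)} of {len(SAMPLE)} messages shown")
    print(count_by_severity(SAMPLE))
```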
SNMP (Simple Network Management Protocol) :
- This is used to manage the Network: Like Router, Switches, Firewalls
- SNMP Server can also be called as NMS (Network Management Station Server)
SNMP Components – There are three components of SNMP –
1) NMS 2) SNMP Client 3) MIBs
1) NMS (Network Management Station) – This is the device that manages the network and
plays the role of the server.
2) SNMP Client – These are the devices that are managed by the NMS. For Ex. – Routers,
Switches, Firewalls, Load Balancers.
3) MIB (Management Information Base) – This is the information stored in the form
of variables. The MIBs need to be stored on the NMS.
SNMP Versions – There are 3 versions of SNMP –
1) SNMP Version 1: Also known as V1 – It works on UDP port number 161. But it has a
problem: the communication between server and client is in plain text.
Commands in SNMP V1: There are 4 commands in SNMP V1 –
a) Get: It is used to retrieve information from the SNMP client and store it on the NMS server,
such as the IOS version, uptime of the device, interface details and status, etc.
b) Set: It is used to push information from the NMS to the clients, such as
changing the hostname of the device, setting the clock, or configuration changes.
c) Inform: It is used to send “If” and “Then” statements from SNMP clients to the NMS,
such as: if CPU usage increases by 80% then send a syslog message to the SNMP server/
NMS; or if a router interface goes down then send a syslog message to the SNMP
server/ NMS. It does not send an acknowledgement of receiving the data/ information.
d) Get Next: It is used to retrieve some additional information from the SNMP clients,
such as how many packets are going out/ in on any interface, or packet drops on an
interface.
2) SNMP Version 2: Also known as V2c –
- It introduced the concept of the community string. It uses UDP port numbers 161 and 162.
- A community string is simply a plain-text password used to secure the
communication between server and client.
- It introduced 2 new commands, i.e. the Bulk command and the Trap command.
- In SNMP V2 the communication is also in plain text, but it has a community string to
provide authentication between the SNMP server and client, so it is more secure than V1.
a) Bulk Command – It is also called the Get Bulk command, and is used to get/ retrieve
detailed information from the SNMP client to the SNMP server/ NMS.
b) TRAP Command – It works the same as the Inform command, i.e. to get the information from an If
and Then statement from the SNMP client to the SNMP server, but the Inform command doesn't
send an acknowledgement while the TRAP command sends an acknowledgement on UDP port 162.
3) SNMP Version 3: Also known as V3 –
- It works on UDP port numbers 161 and 162.
- It supports all commands of V1 and V2 except the Inform command. It uses the TRAP
command in place of the Inform command.
- It uses either the MD5 or SHA hashing algorithm to generate a hash of the key you configure, which is used to
protect that key. The same key must be created on both devices
and the same algorithm used on both, so that the key matches on both
devices and communication can be established.
- It uses either AES (Advanced Encryption Standard), DES or 3DES encryption
to encrypt the communication between the SNMP client and server.
Deployment Modes of SNMP V3: It has 3 deployment modes –
a) No Auth: No authentication between NMS and client, like V1.
b) Auth: The client authenticates the NMS and the NMS authenticates the client, like V2.
c) Priv+Auth (Privacy+Authentication): Both authentication and encryption happen in
this mode.
How to Deploy SNMP:
There are 3 steps to configure on the SNMP client -
1) Create a group and, in the group, define the V3 mode
2) Define the NMS/ SNMP server location
3) Create a user account on the SNMP client and define an authentication key and a privacy key
Configuration On SNMP Client =>
R1(config)# access-list 10 permit host <SNMP/NMS Server IP> => To create an access list for the SNMP server
so that no other SNMP server can manage this device
R1(config)#snmp-server group <Grp Name> <Version> <SNMP Mode for V3> access <Access-List> => To create a
group, defining the version and the V3 mode in the group and also calling the access list so that only the SNMP
server defined in the access list can manage this device
R1(config)#snmp-server user <Username> <GroupName Created> <Version> auth <Hashing
Algorithm> <Hash Password> priv <Encryption Algorithm> <Algorithm bits> <New Key
for Encryption and Decryption>
R1(config)#snmp-server host <SNMP Server IP> traps version 3 priv <UserName> <What you want in SNMP, Ex. eigrp>
R1(config)# snmp-server enable traps
R1#show snmp user => To show all details of the SNMP users
Example:
R1(config)# snmp-server group SanjayGRP v3 priv access 10 => Creating a group named SanjayGRP, version 3, priv
mode, restricted to access list 10
R1(config)#snmp-server user Sanju SanjayGRP v3 auth md5 cisco priv aes 128 cisco@123 => To create the
user and define the authentication key and the privacy key
R1(config)# snmp-server host 192.168.29.70 traps version 3 priv Sanju eigrp => To define the SNMP server location (as a
version 3 priv trap receiver for user Sanju) and the protocol/ service about which you want details on the SNMP server
R1(config)#snmp-server enable traps
Configuration On SNMP-Server =>
We will download the free “ManageEngine MIB Browser” tool from Google; it will work as the SNMP server/NMS =>
Next => Next => Finish => Open the software => Minimize the CMD tab => Edit => Settings => Select Version => Increase
Timeout => Add => Target Host (SNMP client IP) => User Name (created on the SNMP client) => Security Level => Auth+Priv =>
Auth Protocol = MD5 => Auth password set on the client => Select Privacy Protocol = AES 128 => Give the priv password configured
on the SNMP client => Apply => OK => OK
How To Get Information on SNMP Server =>
IF-MIB in the SNMP server application => Internet => MGMT => Right click => SNMPWALK (Get Query) => It
will get all information from the device => Once all information is gathered => MIB2 => Interface => You can
check all information about your device's interfaces here.
Right click on MGMT => GETNEXT => Shows your request and its result; you will be able to see your
system description.
Control Plane Policing
- It is used to reduce any kind of attack that is destined for the Router/ Device CPU.
- Normally these attacks try to increase CPU usage by sending a large amount of traffic to
the Device.
- Always remember that you can't directly call a protocol in a Class-Map for Control Plane Policing, so
we need to create an ACL, match the protocol in the ACL, call that ACL into a Class-Map,
call that Class-Map into a Policy-Map, and then call that Policy-Map into Control
Plane Policing. The exceptions are the ARP and PPPoE protocols, which can be called directly into a
Class-Map, and such a Policy-Map can be called in Control Plane Policing.
- There are 2 things in the Router: one is the CPU and the other is the FIB.
- FIB is the Forwarding Information Base, also known as the Forwarding Table or MAC Table, which
receives packets, looks them up in its information and sends them to the destination; but if the destination is
not in its information base, it sends the packet to the local router CPU and the CPU processes that traffic. That is
why, if thousands of packets reach the CPU, CPU usage increases.
- Any traffic destined for the local router is also received by the FIB and forwarded to the CPU.
- With the help of Control plane policing, we can limit the traffic so that CPU Usage will not be
increased and this type of limit is known as Rate Limit.
- We can do traffic rate limit by using 2 ways/ options –
1) Bit Per Second 2) Packet Per Second
Steps to Create and Assign the Rate Limit –
1) Create an ACL with permit, then create a Class-Map and call the created ACL into it => The ACL
identifies the traffic by its protocol and permits it => Used to identify the type of traffic
2) Create the Policy-Map => Used to define the action
3) Create the Service Policy => To apply it to the traffic
Example-1
We want to create and configure an ICMP traffic rate limit from R1 to R2 –

Step-1 –
Create an ACL & Class-Map with permit =>
R2(config)# ip access-list extended <Number or Name of the List> => To create the access list
R2(config-ext-nacl)# permit icmp host <Source IP> host <Dest IP> => To allow ICMP traffic
R2(config)# class-map <Class Map Name> => To create the Class-Map for the rate limit
R2(config-cmap)# match access-group <ACL Name/ Number> => To call the access list into the Class-
Map

Step-2 –
Define the action – Create a Policy-Map and call the Class-Map into this Policy-Map =>
R2(config)# policy-map <Policy MAP Name> => To create a Policy-Map
R2(config-pmap)# class <Class Map Name> => To call the Class-Map created earlier into the Policy-
Map
R2(config-pmap-c)# police 5000 conform-action transmit exceed-action drop => To define the
policy that only 5000 bits per second will be allowed, and if it exceeds 5000 bits per second then drop.

Step-3 –
Create the Service Policy and call the Policy-Map into it – to apply it to the traffic =>
R2(config)# control-plane => To go into the control plane
R2(config-cp)# service-policy input <Policy MAP Name Created earlier> => To call the Policy-Map
into the Service Policy to rate-limit the traffic
Complete Configuration of the Above Example for a Bits per second rate limit =>
R2(config)# ip access-list extended 100 => To create an extended IP access list
R2(config-ext-nacl)# permit tcp host <Source> host <Destination> eq 23 => To permit the Telnet protocol
R2(config)# class-map cmap1 => To create the Class-Map
R2(config-cmap)# match access-group 100 => To call the access list into the Class-Map
R2(config)# policy-map pmap1 => To create the Policy-Map named pmap1
R2(config-pmap)# class cmap1 => To call the Class-Map into the Policy-Map
R2(config-pmap-c)# police <Bits Per Second Value> conform-action transmit exceed-action drop => To
define the policy
R2(config)# control-plane => To go into the control plane
R2(config-cp)# service-policy input pmap1 => To call the Policy-Map into the control plane
R2(config-cp)# log => To log the control plane traffic
R2# show control-plane features => To show whether Control Plane Policing is enabled or not
R2# show control-plane counters => To show how many bits/ packets were transmitted by
your control plane policing or dropped
R2# show control-plane host open-ports => To show which protocols/ ports are open for host traffic
Complete Configuration of the Above Example for a Packets per second rate limit =>
R2(config)# ip access-list extended 100 => To create an extended IP access list
R2(config-ext-nacl)# permit tcp host <Source> host <Destination> eq 23 => To permit the Telnet protocol
R2(config)# class-map cmap1 => To create the Class-Map
R2(config-cmap)# match access-group 100 => To call the access list into the Class-Map
R2(config)# policy-map pmap1 => To create the Policy-Map named pmap1
R2(config-pmap)# class cmap1 => To call the Class-Map into the Policy-Map
R2(config-pmap-c)# police rate <Packets per second numeric value> pps conform-action transmit
exceed-action drop => To define the policy
R2(config-pmap-c)#drop => To drop the packets
R2(config-pmap-c)# log => To generate the logs
R2(config)# control-plane => To go into the control plane
R2(config-cp)# service-policy input pmap1 => To call the Policy-Map into the control plane
R2(config-cp)# log => To log the control plane traffic
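What the `police ... conform-action transmit exceed-action drop` line does to a flood, in both the bits-per-second and the packets-per-second form, can be reproduced with a token-bucket simulation. This is an added example, not code from the notes or from Cisco: the burst depth is an assumed value (IOS derives its own default burst from the rate), and the packet stream is constructed.

```python
"""Added example (not from the notes): a single-rate policer that mimics
'police <bps> ...' and 'police rate <n> pps ...' with conform-action transmit
and exceed-action drop, keeping counters like 'show control-plane counters'."""


class Policer:
    """Token bucket: tokens refill at `rate`, each packet spends tokens;
    enough tokens = conform (transmit), otherwise exceed (drop)."""

    def __init__(self, rate: float, burst: float, pps: bool = False) -> None:
        self.rate = rate        # bits/s when pps is False, packets/s when True
        self.burst = burst      # bucket depth: bytes (bps) or packets (pps); assumed value
        self.pps = pps
        self.tokens = burst     # the bucket starts full
        self.last_t = 0.0
        self.conformed = 0      # conform counter (packets transmitted)
        self.exceeded = 0       # exceed counter (packets dropped)

    def offer(self, t: float, size_bytes: int) -> str:
        """Return 'transmit' or 'drop' for a packet of size_bytes arriving at time t (s)."""
        elapsed = max(0.0, t - self.last_t)
        self.last_t = t
        refill = self.rate * elapsed if self.pps else self.rate * elapsed / 8.0
        self.tokens = min(self.burst, self.tokens + refill)
        cost = 1 if self.pps else size_bytes
        if self.tokens >= cost:
            self.tokens -= cost
            self.conformed += 1
            return "transmit"
        self.exceeded += 1
        return "drop"


def flood(policer: Policer, packets: int, size_bytes: int, interval_s: float) -> tuple:
    """Offer a constructed stream of equal-sized packets; return (conformed, exceeded)."""
    for i in range(packets):
        policer.offer(i * interval_s, size_bytes)
    return policer.conformed, policer.exceeded


def bps_example() -> tuple:
    # police 5000 (bits per second) with an assumed 1500-byte burst, hit by 1000
    # Telnet-sized 64-byte packets 1 ms apart (512 kbps offered against a 5 kbps limit)
    return flood(Policer(rate=5000, burst=1500), packets=1000, size_bytes=64, interval_s=0.001)


def pps_example() -> tuple:
    # police rate 100 pps with an assumed 10-packet burst, same flood
    return flood(Policer(rate=100, burst=10, pps=True), packets=1000, size_bytes=64, interval_s=0.001)


if __name__ == "__main__":
    for name, result in (("police 5000 bps", bps_example()), ("police rate 100 pps", pps_example())):
        conformed, exceeded = result
        print(f"{name}: conformed {conformed}, exceeded (dropped) {exceeded}")
```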
Problems in Control Plane Policing =>
1) It doesn't understand the type of traffic and never separates the traffic => Control Plane
Policing applies to all types of traffic forwarded to the CPU. It cannot separate the traffic so that 4000
bits per second are allowed for host traffic, 2000 bits per second for transit traffic
and 5000 bits per second for CEF exception traffic. Control Plane Policing has no
control over this.
2) It works on all types of traffic => Any Control Plane Policing created on the router is
applied to all 3 types of traffic. We can't create and apply an individual rate limit for each traffic type.
Types of Traffic Handed over from FIB to CPU => There are 3 types of Traffic –
1) Host Traffic => Traffic destined for the Device/ Router itself.
2) Transit Traffic => Traffic going through the Device that requires some special treatment.
For Ex. if NAT is configured on the Router and traffic comes from R1 and wants to go to the
Internet/ next Router, the traffic is received by the FIB and sent to the next Router if NAT is not required
for that traffic; but if NAT is required, the FIB forwards that traffic to the CPU, the CPU processes it for NAT,
assigns a NATed IP and sends it back to the FIB, and now the FIB sends it to the Internet/ next Router. So
sometimes traffic needs special treatment and is therefore sent from the FIB to the CPU; this
traffic is called Transit traffic.
3) CEF Exception Traffic => Traffic whose TTL value is 1 is forwarded by the FIB to the CPU, and
this type of traffic is known as CEF exception traffic.
Control Plane Protection:
- It was introduced to remove the problem of Control Plane Policing, where we can't create an
individual policy for each traffic type.
- By using Control Plane Protection, we can configure an individual policy for each
traffic type.
- This means we can configure different policies for different types of traffic.
[Figure: FIB handing traffic over to the CPU]
Example To Configure a Host Traffic Policy on R2 =>
Complete Configuration of the Above Example for Host Traffic =>
R2(config)# ip access-list extended 100 => To create an extended IP access list
R2(config-ext-nacl)# permit tcp host <Source> host <Destination> eq 23 => To permit the Telnet protocol
R2(config)# class-map cmap1 => To create the Class-Map
R2(config-cmap)# match access-group 100 => To call the access list into the Class-Map
R2(config)# policy-map pmap1 => To create the Policy-Map named pmap1
R2(config-pmap)# class cmap1 => To call the Class-Map into the Policy-Map
R2(config-pmap-c)# police <Bits Per Second Value> conform-action transmit exceed-action drop => To
define the policy
R2(config)# control-plane host => To go into the control plane for host traffic
R2(config-cp)# service-policy input pmap1 => To call the Policy-Map into the control plane for host traffic only
Control Plane Protection for CEF Exception Traffic =>
- CEF Exception traffic is traffic whose TTL is equal to 1. For Ex. ARP traffic is CEF Exception
traffic.
- We can directly call the ARP and PPPoE protocols in a Class-Map without using an ACL.
Complete Configuration of CEF Exception Traffic Example =>
R2(config)# class-map cmap1 => To create the Class-Map
R2(config-cmap)# match protocol arp => To call the ARP protocol into the Class-Map
R2(config)# policy-map pmap1 => To create the Policy-Map named pmap1
R2(config-pmap)# class cmap1 => To call the Class-Map into the Policy-Map
R2(config-pmap-c)# police <Bits Per Second Value> conform-action transmit exceed-action drop => To
define the policy
R2(config)# control-plane cef-exception => To go into the control plane for CEF exception traffic
R2(config-cp-cef-exception)# service-policy input pmap1 => To call the Policy-Map into the control plane for
CEF exception traffic only
To Check CEF-Exception Traffic =>
R1# clear arp-cache
R1# ping R2 => Then ARP is generated and a log is generated on R2
Control Plane Protection for Transit Traffic =>
Transit traffic means traffic that goes from the FIB to the CPU, and NAT is the best example of this, but here we
will configure logging for the traffic moving through the transit router, i.e. R2. So when R1 sends traffic for R3, the
traffic goes through R2, and now R2's FIB sends that traffic to the CPU to generate the log and then forwards it to
R3; this traffic is therefore treated as Transit traffic.
Commands to Generate Log Messages for IP Traffic –
R2(config)# ip access-list extended 100 => To create an extended access list
R2(config-ext-nacl)# permit ip any any log => Permit any IP traffic from any host to any destination and
create a log
Note: By default, the log keyword generates 1 log entry for a packet even if that packet arrives many times within 300
seconds, to reduce CPU load. We can also change this limit =>
R2(config)# ip access-list log-update threshold <number of packets per log update>
Commands to Configure Control Plane Policing for Transit Traffic =>
R2(config)# ip access-list extended 100
R2(config-ext-nacl)# permit ip any any log => To permit all IP traffic
R2(config)# int fa0/1 => To apply the above created access list on an interface
R2(config-if)# ip access-group 100 in/out => Depending on whether the packet is inbound or outbound
R2(config)# class-map cmap1 => To create the Class-Map
R2(config-cmap)# match access-group 100 => To call the access list into the Class-Map
R2(config)# policy-map pmap1 => To create the Policy-Map named pmap1
R2(config-pmap)# class cmap1 => To call the Class-Map into the Policy-Map
R2(config-pmap-c)# police <Bits Per Second Value> conform-action transmit exceed-action drop => To
define the policy
R2(config)# control-plane transit => To go into the control plane for transit traffic
R2(config-cp)# service-policy input pmap1 => To call the Policy-Map into the control plane for transit traffic only
URPF (Unicast Reverse Path Forwarding) =>
- If an attacker spoofs a packet of our network using a source IP address taken from our network, they can attack
our network, so we prevent such attacks by using URPF.
- It is implemented on an interface, mostly on the entry interface of the edge router of our network, as
attacks come from the outside network.
- URPF simply checks that the source address is reachable via the interface on which the packet was
received; if so, it forwards the packet, and if not, it drops the packet immediately. To
check the reachability of the source address it consults the router's routing table, which records
through which interface the source address is reachable.
- In the below example we put URPF on the R3 router interface fa0/1, as R3 is our edge router and its
interface fa0/1 is the entry interface from the outside network into the inside network.
- We can also use URPF to protect our network from asymmetric routing. (There are 2 types of routing:
symmetric routing and asymmetric routing. Symmetric routing is routing where the incoming and
outgoing paths of packets are the same, while asymmetric routing is routing where the incoming
and outgoing paths are different; with asymmetric routing we can face many issues, such as
slowness.)
- URPF also does not accept a source that is reachable only via the default route, so to accept the default route
we need to add the allow-default keyword when we configure the URPF command.
In the Above Example We Will Design a Topology to See the Attack =>
- In the above topology we take 4 routers and treat R4 as our outside router, which acts as the
attacker. R4 knows the source IP address of R1 and will generate a ping echo request, taking
12.1.1.1 as the source IP and 23.1.1.2 as the destination IP. But R4 doesn't have the 12.1.1.1 IP, so it will
create a loopback interface, configure the 12.1.1.1 IP on it, and can then send the ping request packet with
12.1.1.1 as the source IP. When R3 receives this packet it looks only at the destination IP and
forwards this packet to R2, and R2 sends the reply to R1, not to R4. So the attacker may send
thousands of such packets, the CPU utilization of R2 and R1 will increase, and if CPU utilization reaches
100% then both routers will reload and our network will be affected.
R1(config)# int fa 0/0 => ip add 12.1.1.1 255.255.255.0 => no shut => To configure the interface
R1(config)#router eigrp 100 => no auto-summary => network 12.1.1.0 => To enable routing for reachability
R1#debug ip icmp => To enable ICMP packet debugging to check for the reply
R2(config)#int fa 0/0 => ip add 12.1.1.2 255.255.255.0 => no shut
R2(config)#int fa 0/1 => ip add 23.1.1.2 255.255.255.0 => no shut
R2(config)# router eigrp 100 => no auto-summary => network 12.1.1.0 => network 23.1.1.0
R2#debug ip icmp => To enable ICMP packet debugging to check that the echo request is received
R3(config)#int fa0/0 => ip add 23.1.1.1 255.255.255.0 => no shut
R3(config)#int fa 0/1 => ip add 30.1.1.1 255.255.255.0 => no shut
R3(config)#router eigrp 100 => no auto-summary => network 23.1.1.0 => network 30.1.1.0
R4(config)#int fa 0/0 => ip add 30.1.1.2 255.255.255.0 => no shut
R4(config)#int loopback 1 => ip add 12.1.1.1 255.255.255.0 => no shut
R4(config)#ip route 0.0.0.0 0.0.0.0 30.1.1.1 => Default route with R3's fa0/1 address (30.1.1.1) as the gateway, for reachability
R4# ping 23.1.1.2 source loopback1 repeat <count> => Now the packet reaches R2 and the reply is received by R1

Now we will protect our network by using URPF (Unicast Reverse Path Forwarding) =>
Meaning of URPF:
U (Unicast Packet) => It means unicast packet
RPF (Reverse Path Forwarding) => Means the source IP address must be reachable via the same interface on
which the packet was received. That is, if R2 receives an ICMP request packet on interface fa0/1, then the
source IP address of that packet must be reachable via fa0/1 itself.

Asymmetric Routing =>


The above example is an example of asymmetric routing. Here we have created loopback interfaces on both
routers and given them the IP addresses 1.1.1.1 on R1 and 2.2.2.2 on R2. Now we want them to communicate,
and for reachability we configured static routes on R1 and R2: for R1 we have given the next hop IP address
12.1.1.2, and for R2 we have given the next hop IP address 21.1.1.1.
Now when R1 sends packets to R2 they go through SW1, and when R2 sends the reply back to R1 it goes
through SW2, as per the static routes configured. This is known as asymmetric routing, because the
incoming and outgoing paths are different, and it may cause many issues, such as slowness.
We can protect against asymmetric routing by using URPF (Unicast Reverse Path Forwarding) =>
R1(config)# int fa 0/0 => ip add 12.1.1.1 255.255.255.0 => no shut
R1(config)# int fa 0/1 => ip add 21.1.1.1 255.255.255.0 => no shut
R1(config)# int loopback 0 => ip add 1.1.1.1 255.255.255.255 => no shut
R1(config)# ip route 2.2.2.2 255.255.255.255 12.1.1.2 => Static route for 2.2.2.2 with next hop R2's fa0/0 (12.1.1.2), so R1 sends via SW1
R2(config)# int fa 0/0 => ip add 12.1.1.2 255.255.255.0 => no shut
R2(config)# int fa 0/1 => ip add 21.1.1.2 255.255.255.0 => no shut
R2(config)# int loopback 0 => ip add 2.2.2.2 255.255.255.255 => no shut
R2(config)# ip route 1.1.1.1 255.255.255.255 21.1.1.1 => Static route for 1.1.1.1 with next hop R1's fa0/1 (21.1.1.1), so R2 replies via SW2
R2(config)# int fa 0/0 => ip verify unicast reverse-path => To enable URPF on fa0/0: a packet arriving on fa0/0 is accepted
only if its source is reachable via fa0/0. Now R1 will not get a reply, because the reverse route to 1.1.1.1 is not via
fa0/0 (it points out fa0/1), so the request is dropped.
This is the old way to enable URPF; it is no longer used, and instead we use the source keyword:
R2(config-if)# ip verify unicast source reachable-via rx => Works the same as the reverse-path command (strict mode): the
source must be reachable via the interface the packet was received on
R2(config-if)# ip verify unicast source reachable-via any => Loose mode: the packet is accepted if a route to the source
exists via any interface, not only the receiving one. Used only in the case of load balancing.
R2(config)# no ip route 1.1.1.1 255.255.255.255 21.1.1.1 => To remove the static route
R2(config)# ip route 0.0.0.0 0.0.0.0 12.1.1.1 => To add a default route instead, but it still will not work and R1 will not
get a response from R2's loopback, because URPF by default does not accept a source that is reachable only through
the default route; we need to add the allow-default keyword to the URPF command.
R2(config-if)# ip verify unicast source reachable-via rx allow-default => Allows the default route to satisfy URPF, and now
R1 gets a response from R2.
Troubleshooting commands =>
R2# show ip route => To check in the routing table through which interface the source of a received packet is
reachable and from which interface the packet to the destination will leave
R2# show ip interface <interface on which URPF is applied> => To show which URPF mode is applied and how
many packets URPF has dropped

Exception Packets allowed while URPF Applied =>


We use this method when we want to allow some trusted protocols or source packets on the same interface
where URPF is enabled to protect against asymmetric routing and against spoofed packets from outside
sources. For this we create an access list with a permit statement naming the allowed protocol, source IP and
destination IP address; a packet that fails the URPF check is still forwarded if that access list permits it.
For example, if we do not want to answer other IP traffic but still want Telnet to work, URPF applies but
with an exception for Telnet, or we can give an exception for any IP address –
R2(config)# ip access-list extended 101
R2(config-ext-nacl)# permit tcp host 1.1.1.1 host 2.2.2.2 eq 23 => Creating the access list to permit the Telnet protocol
from source 1.1.1.1 to destination 2.2.2.2
R2(config)# int fa 0/0
R2(config-if)# ip verify unicast source reachable-via rx 101 => This command enforces URPF for all IPs and protocols
except Telnet, because access-list 101 is given as the exception.

Testing from R1 =>


R1# ping 2.2.2.2 source loopback 0 => Will not get a response, as URPF drops it.
R1# telnet 2.2.2.2 /source-interface loopback 0 => To Telnet to the router using a different source interface; this works because of the access-list exception
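The URPF decision walked through above, as an added Python model (not part of the original notes and not Cisco code): it does a longest-prefix lookup in R2's routing table from the asymmetric-routing example and shows which packets pass in rx mode, in any mode, with allow-default, and with the access-list 101 exception. Addresses follow the notes' description (12.1.1.0/24 on fa0/0, 21.1.1.0/24 on fa0/1); the function names are mine.

```python
# Added example (not from the original notes): a Python model of the URPF
# source check on R2 from the asymmetric-routing example, covering strict
# (reachable-via rx), loose (reachable-via any), allow-default and the
# exception ACL. The routing table and packets are constructed from the
# addresses in the notes (12.1.1.0/24 on fa0/0, 21.1.1.0/24 on fa0/1).
import ipaddress

def build_rib(static_to_r1=True, default_via_fa00=False):
    """R2's routing table: prefix -> outgoing interface."""
    rib = {"12.1.1.0/24": "fa0/0", "21.1.1.0/24": "fa0/1",
           "2.2.2.2/32": "loopback0"}
    if static_to_r1:          # ip route 1.1.1.1 255.255.255.255 21.1.1.1
        rib["1.1.1.1/32"] = "fa0/1"
    if default_via_fa00:      # ip route 0.0.0.0 0.0.0.0 12.1.1.1
        rib["0.0.0.0/0"] = "fa0/0"
    return rib

def lookup(rib, src):
    """Longest-prefix match on the source; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, intf in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best

def telnet_exception(proto, src, dst, dport):
    """access-list 101: permit tcp host 1.1.1.1 host 2.2.2.2 eq 23."""
    return proto == "tcp" and src == "1.1.1.1" and dst == "2.2.2.2" and dport == 23

def urpf_check(rib, src, in_intf, mode="rx", allow_default=False,
               exception_acl=None, proto="icmp", dst=None, dport=None):
    """True if the packet passes 'ip verify unicast source reachable-via <mode>'."""
    hit = lookup(rib, src)
    if hit is None:
        passed = False                    # no route back to the source at all
    elif hit[0].prefixlen == 0 and not allow_default:
        passed = False                    # only the default route matched
    elif mode == "any":
        passed = True                     # loose mode: any route is enough
    else:
        passed = hit[1] == in_intf        # strict: route must point back out rx
    # A packet failing the check is still forwarded if the exception ACL permits it
    if not passed and exception_acl is not None:
        passed = exception_acl(proto, src, dst, dport)
    return passed
```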
Reflexive ACL:
Reflexive ACLs work like a stateful firewall, meaning they keep track of connections. By default a normal
access list on a Cisco router does not keep track of any connections; it only permits or denies on the basis of
the statements configured. The only thing it cares about is whether an incoming packet matches a certain
statement or not. When it matches a statement, it performs the action (permit or deny), and if it doesn't
match, it checks the next statement. If none of the statements match, the packet hits the implicit deny any
and is dropped.
When using a reflexive access list, your Cisco IOS router keeps track of (remembers) the outgoing
connection(s) and automatically allows the return traffic. It's best to explain this with an example, so let's
take a look at the following topology:

Above we have 3 routers, nothing fancy. Let's say I want to protect R1 and R2 from whatever traffic R3
might send. I could do this with a very simple but effective access list on R2's fa0/1 interface with a deny
statement; this solves our problem, but what if there is an HTTP server behind R3 and we want to reach
that server from R1? Perhaps our network is a bit too secure. The packets from R1 will make it to R3, but
the return traffic will be dropped. If I want to allow this return traffic, I have to punch a hole in the
access list I just created. There's a better method, and that's the reflexive access list.

Remember that reflexive access lists do not work with some applications that use port numbers that change
during a session. For example, if the port numbers of a return packet are different from those of the
originating packet, the return packet will be denied, even if it is actually part of the same session. FTP over
TCP is an example of an application with changing port numbers: with reflexive access lists, if you start an
FTP request from within your network, the request will not complete. Instead, you must use passive FTP
when originating requests from within your network.

Example => In very simple language, in the above example consider that R1 is our inside router, R2 is the
edge router and R3 is an outside router, and we want R1 to be able to communicate with the outside network
(R3) but R3 not to be able to communicate with our inside network. We could simply create an access list on
R2's outbound interface permitting traffic from R1 to R3, but in that case R3 can also communicate with R1;
and if we add another statement denying the traffic from R3 to R1, then all traffic from R3 is denied, which
means R1's traffic also gets no response from R3. To handle this situation we create a reflexive ACL. In the
reflexive ACL we state that traffic from R1 to R3 is permitted, and the reflexive ACL maintains a session list
and tracks the connection, so when R1 connects to R3 the traffic is permitted as per the ACL and a session
entry is created automatically; when R3 replies to that traffic, the reply is allowed from R3 to R1 because of
that tracked session. But when R3 generates new traffic towards R1 or R2, it is dropped on R2's outside
interface because at that time no session entry exists.
Commands to configure a reflexive ACL => We enable Telnet on both routers to test, and then we create the
reflexive ACL to disable Telnet access from the outside router =>

A reflexive ACL must always be an extended named ACL; numbered ACLs are not allowed for reflexive ACLs –

R2(config)# ip access-list extended reflexive-ACL => To create the reflexive access list

R2(config-ext-nacl)# permit tcp host 10.1.1.1 host 23.1.1.2 eq 23 reflect <any name for the reflected list> => Permit Telnet from
the inside host to the outside host and reflect the session

R2(config)# int fa0/1 => ip access-group reflexive-ACL out => To apply the reflexive ACL on the outside interface for
outbound traffic

R2(config)# ip access-list extended Inreflexive-ACL => To create another ACL for the inbound reply traffic, in which only
traffic matching a reflected session is allowed

R2(config-ext-nacl)# evaluate <name which you provided in the reflect statement of the reflexive ACL> => Evaluates the
inbound traffic against the sessions that went through your reflexive ACL

R2(config-ext-nacl)# deny ip any any => All other IP traffic will be denied from R3 to the inside

R2(config)# int fa 0/1 => ip access-group Inreflexive-ACL in => To apply this ACL to inbound traffic

Note: Now Telnet will work from R1 to R3 but not work from R3 to R1

Problem with the reflexive ACL => Without a session entry it will not allow any traffic from R3 to R2, R1 or
the inside network. So if we have to allow some particular traffic alongside the reflexive ACL, we need to edit
the reply/inbound ACL on R2 and add a manual entry, for example for EIGRP traffic.

For example, if we are running the EIGRP routing protocol then the Hello message goes from R2 to R3, but it is a
self-generated message, so no session is created and the reply Hello from R3 is not accepted by R2; the
neighborship does not form. We resolve this kind of issue too by editing the reply ACL =>

R2(config)# ip access-list extended Inreflexive-ACL => To edit the already created reply ACL

R2(config-ext-nacl)# 5 permit eigrp any any => To manually add a line (sequence 5, before the evaluate statement) allowing EIGRP traffic
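The session tracking described above, as an added Python model (not part of the original notes and not Cisco code): it mirrors a permitted outbound Telnet or FTP session, accepts only the matching reply, drops traffic R3 initiates, shows the active-FTP data-channel failure, and shows why EIGRP hellos need the manual entry. Addresses follow the notes' permit line; the class and method names are assumptions.

```python
# Added example (not from the original notes): a Python model of how the
# reflexive ACL on R2 mirrors permitted outbound TCP sessions and evaluates
# the return traffic. Addresses are constructed: 10.1.1.1 is the inside host
# behind R1 and 23.1.1.2 the outside host behind R3, as in the notes' permit
# line. Unlike the notes' ACL (Telnet only), this one also reflects FTP
# control (port 21) so the active-FTP failure the notes describe can be shown.
REFLECTED_PORTS = {23, 21}

class ReflexiveAcl:
    def __init__(self):
        self.sessions = set()        # reflected 5-tuples (proto, src, sport, dst, dport)
        self.manual_permits = set()  # protocols added by hand, e.g. "5 permit eigrp any any"

    def outbound(self, proto, src, sport, dst, dport, self_generated=False):
        """reflexive-ACL applied 'out' on fa0/1: permit tcp host 10.1.1.1 host
        23.1.1.2 eq <port> reflect <name>, then the implicit deny."""
        if (proto == "tcp" and src == "10.1.1.1" and dst == "23.1.1.2"
                and dport in REFLECTED_PORTS):
            # The reflected entry is the mirror image of the outbound packet
            self.sessions.add((proto, dst, dport, src, sport))
            return True
        # Router-originated packets (EIGRP hellos) are not filtered by an outbound
        # ACL, but they are never reflected either, so their replies get no entry
        return self_generated

    def inbound(self, proto, src, sport, dst, dport):
        """Inreflexive-ACL applied 'in' on fa0/1: '5 permit <proto> any any'
        (if added), then 'evaluate <name>', then 'deny ip any any'."""
        if proto in self.manual_permits:
            return True
        if (proto, src, sport, dst, dport) in self.sessions:
            return True                  # matches a reflected session: reply allowed
        return False                     # deny ip any any

    def add_manual_permit(self, proto):
        """Editing the inbound ACL to add '5 permit <proto> any any'."""
        self.manual_permits.add(proto)
```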
