Skip to main content

Infrastructure Security and Services

Device Security on Cisco IOS XE

Control Plane Policing and Protection

  • Control Plane Policing (CoPP): Protects routers/switches from DoS attacks by managing control plane traffic through a separate interface (punt/inject). QoS rules are applied to control the rate of traffic, ensuring consistent performance.
  • Example Configuration: A QoS policy for Telnet traffic limits unwanted traffic while allowing trusted hosts unrestricted access.

Terminal Lines and Password Protection

  • Access Methods: Devices can be accessed through console ports (local), auxiliary ports (remote via modem), or virtual terminals (Telnet/SSH).
  • Password Types:
    • Type 0: Unencrypted, insecure.
    • Type 5: Stronger encryption (MD5), used with enable secret.
    • Type 7: Weak encryption, easily cracked.
    • Type 8/9: Secure passwords using modern hashing (PBKDF2, SCRYPT).

Configuring Local Password Authentication

  • Commands: Use password and login to enable basic password checks or configure username-based authentication with username and login local.

Privilege Levels & Role-Based Access Control (RBAC)

  • Privilege Levels:
    • 0: Basic commands.
    • 1 (User EXEC): Limited access.
    • 15 (Privileged EXEC): Full administrative control.

Configuring SSH

  • Basic Steps: Configure hostname, username, domain name, and generate RSA keys to enable SSH.

AAA (Authentication, Authorization, and Accounting)

  • TACACS+: Preferred for device access control, uses TCP port 49. Separates authentication, authorization, and accounting.
  • RADIUS: Preferred for network access, uses UDP, supports EAP for secure network authentication.

Configuring AAA

  • Example: Create AAA groups for TACACS+ servers, and enable login authentication using method lists (TACACS+, local, enable password).

Zone-Based Firewall (ZBFW)

  • Stateful Firewall: Inspects Layers 4-7, mitigating DDoS and improving network security at branch sites with built-in firewall capabilities.
Labels:

Comments

Post a Comment

Popular posts from this blog

Basic MPLS BGP and L3VPN Lab Setup

In this lab, we’ve set up a basic MPLS, BGP, and L3VPN environment, which is a great foundation for understanding how service providers build scalable networks. The lab uses the EVE-NG simulator along with Router IOS C7200-ADVENTERPRISEK9-M, Version 15.2(4)M8 to emulate a realistic MPLS environment. Below is a summary of the key components and roles of each router in the lab. MPLS Core Routers : The MPLS core consists of the routers responsible for label switching and forwarding customer traffic through the network: PE1 (Provider Edge 1) : Connects customer networks to the MPLS core and handles both MPLS and BGP routing. It also hosts VRF (Virtual Routing and Forwarding) instances for customers. PE2 (Provider Edge 2) : Functions similarly to PE1, connecting another customer network to the MPLS core. P1 (Core Router 1) and P2 (Core Router 2) : These routers serve as MPLS core routers and handle label switching but do not store or process customer routes directly. They simply f
Post a Comment
Read more

OSPF Adjacency Stuck in EXSTART on Cisco IOS XR – Issue and Solution

In a recent lab setup using Cisco IOS XR on EVE-NG, I faced a common but frustrating issue with OSPF adjacencies getting stuck in the EXSTART state. After spending considerable time troubleshooting interface MTUs and configurations, I discovered that the root cause was related to the virtual network interface type being used. This post outlines the issue, troubleshooting steps, and the eventual solution that got everything working. Issue: While configuring OSPF between two routers running Cisco IOS XR in my lab, OSPF adjacencies were getting stuck in the EXSTART state. I verified that interface configurations, MTU settings, and OSPF parameters were correct, but the problem persisted. I tried adjusting the MTU size, using the mtu-ignore command, and even checked for ACLs, but nothing seemed to resolve the issue. Troubleshooting Steps: MTU Settings: I started by verifying that both sides of the OSPF adjacency had matching MTUs. I used the default MTU and even tried different values wit
Post a Comment
Read more

How to Properly Clone an EVE-NG Lab with Configurations

Cloning labs in EVE-NG is a great way to duplicate setups and expand or experiment on a new copy without affecting the original lab. However, if not done correctly, the cloned lab may only copy the topology without configurations. In this guide, I’ll show you how to properly clone a lab in EVE-NG with all configurations using the EVE-NG GUI . Follow these steps to ensure that both the topology and router configurations are retained when cloning your lab. Steps to Clone an EVE-NG Lab with Configurations Save Running Configuration on All Devices In your original lab, make sure all devices have their configurations saved to NVRAM. Go into the CLI of each router and run the command: copy running-config startup-config Export All Configurations (CFGs) On the left sidebar in the EVE-NG Web UI , click on the "More Actions" option. Then select "Export all CFGs" . This step exports the configurations of all devices in the lab. Shutdown All Devices After exporting the confi
Post a Comment
Read more