routeprotocol.com

Security

  • Use a specific TACACS+ server when logging in

    If a TACACS+ server is misbehaving and rejecting login requests, you can pick a particular server to use, provided the global configuration command tacacs-server directed-request is configured. With this command in place, you can log into devices using the format <username>@<tacacs-ip-address> to select a specific working server.

  • Cisco Device Hardening

    Disable Topology Discovery Tools
    Tools such as Cisco Discovery Protocol and Link Layer Discovery Protocol can provide unnecessary information to devices outside of your control. Disable these services on such interfaces with the commands no cdp enable, no lldp transmit, and no lldp receive.
    Disable TCP and UDP Small Services
    The commands service tcp-keepalive-in and…

  • Verifying Control Plane Policing Policy (CoPP)

    When a control plane policing policy is applied to the control plane, it needs to be verified to ensure that it is not dropping packets when it shouldn’t. The command show policy-map control-plane input will give statistics on the packets that have conformed, exceeded, or violated the policies put in place.

  • Applying a Control Plane Policing Policy (CoPP) Map

    Any created control plane policing policy maps need to be applied to the control plane:
    control-plane
     service-policy input POLICY-CoPP

  • Configuring a Policy Map to be used in Control Plane Policing Policy (CoPP)

    The policy map shows how to police traffic at a given rate to minimise any ability to overload the router. Finding the correct rate without impacting the network can be a difficult task. To help ensure that CoPP will not introduce issues, the violate action should be set to transmit for all the…

  • Configuring Access Control Lists (ACL) for Control Plane Policing Policies (CoPP)

    After network traffic rates to the control plane have been identified, an access list can be built for matching traffic in a class map:
    ip access-list extended ACL-CoPP-ICMP
     permit icmp any any echo-reply
     permit icmp any any ttl-exceeded
     permit icmp any any unreachable
     permit icmp any any echo
    These access lists do not deny traffic,…

  • Control Plane Policing (CoPP)

    Control Plane Policing is a Quality of Service policy that is applied to traffic towards or from the router's control plane CPU. Control Plane Policing Policies are used to limit known traffic to a given rate to protect the CPU from unexpected extreme rates of traffic that could impact the stability of the router. CoPP…

  • Zone Based Firewall Configuration

    To configure a Zone Based firewall with a basic outside and inside interface configuration, follow this tutorial. First of all, define the zones:
    zone security OUTSIDE
     description Outside zone used for internet traffic
    zone security INSIDE
     description Inside zone used for internal traffic
    Next, define the inspection class map. The class map for inspection defines…

  • Zone Based Firewall – Default Zone

    The default zone is a system-level zone, and any interface that is not a member of another security zone is placed into the default zone. When an interface that is not in a security zone sends traffic to an interface that is in a security zone, that traffic will be dropped. Network engineers may assume…

  • Zone Based Firewall – The Self Zone

    The self zone is a system-level zone and includes all of the router's IP addresses. By default, traffic to and from this zone is permitted to support management protocols and control plane functions. The management protocols could be telnet, SSH, SNMP, etc. The control plane functions could be OSPF, EIGRP, RIP, etc. After a…