Cisco
-
Configuring Access Control Lists (ACL) for Control Plane Policing Policies (CoPP)
After network traffic rates to the control plane have been identified, an access list can be built to match that traffic in a class map:

    ip access-list extended ACL-CoPP-ICMP
     permit icmp any any echo-reply
     permit icmp any any ttl-exceeded
     permit icmp any any unreachable
     permit icmp any any echo

These access lists do not deny traffic,…
-
Control Plane Policing (CoPP)
Control Plane Policing is a Quality of Service (QoS) policy applied to traffic sent to or from the router's control plane CPU. CoPP policies rate-limit known classes of traffic to protect the CPU from unexpectedly high traffic rates that could impact the stability of the router. CoPP…
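A complete CoPP policy built on the ICMP access list from the post above, as an added example that is not part of the original posts: the class map, policy map and control-plane service policy that rate-limit the matched traffic. The class-map and policy-map names, the 8 kbps rate and the 1500-byte burst are assumptions chosen for illustration; in practice the rates come from the traffic baseline the post says to measure first.

```cisco
! Added example: classify the ICMP types from ACL-CoPP-ICMP and police them.
ip access-list extended ACL-CoPP-ICMP
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
 permit icmp any any echo
!
! Class-map and policy-map names are assumptions for this example
class-map match-all CLASS-CoPP-ICMP
 match access-group name ACL-CoPP-ICMP
!
! Rate (bps) and burst (bytes) are placeholders; set them from the measured
! baseline. class-default uses exceed-action transmit so unclassified
! traffic is counted but not dropped until it has been profiled.
policy-map POLICY-CoPP
 class CLASS-CoPP-ICMP
  police 8000 1500 conform-action transmit exceed-action drop
 class class-default
  police 32000 conform-action transmit exceed-action transmit
!
control-plane
 service-policy input POLICY-CoPP
```

After applying the policy, `show policy-map control-plane` shows conformed and exceeded counters per class; an ICMP class that exceeds constantly under normal load means the baseline rate was set too low.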
-
Zone Based Firewall Configuration
To configure a zone-based firewall with a basic outside and inside interface configuration, follow this tutorial. First, define the zones:

    zone security OUTSIDE
     description Outside zone used for internet traffic
    zone security INSIDE
     description Inside zone used for internal traffic

Next, define the inspection class map. The class map for inspection defines…
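The configuration the steps above build toward, as an added example that is not the original post's own text: the two zones, an inspect class map, an inspect policy map, the zone pair and the interface membership. The class-map, policy-map and zone-pair names and the interface numbers are assumptions.

```cisco
! Added example: zone-based firewall allowing inspected INSIDE-to-OUTSIDE
! traffic and dropping everything else. Names below are assumptions.
zone security OUTSIDE
 description Outside zone used for internet traffic
zone security INSIDE
 description Inside zone used for internal traffic
!
class-map type inspect match-any CMAP-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PMAP-INSIDE-TO-OUTSIDE
 class type inspect CMAP-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! Only this direction carries a policy. With no OUTSIDE-to-INSIDE zone pair,
! unsolicited inbound traffic is dropped, while return traffic for sessions
! opened from INSIDE is allowed back by the stateful inspection.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PMAP-INSIDE-TO-OUTSIDE
!
interface GigabitEthernet0/0
 description Internet-facing
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 description Internal LAN
 zone-member security INSIDE
```

`show policy-map type inspect zone-pair sessions` lists the sessions the inspect action is tracking, which is the quickest way to confirm that return traffic is being matched to an existing session rather than dropped by class-default.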
-
Zone Based Firewall – Default Zone
The default zone is a system-level zone, and any interface that is not a member of another security zone is placed into the default zone. When an interface that is not in a security zone sends traffic to an interface that is in a security zone, that traffic is dropped. Network engineers may assume…
-
Zone Based Firewall – The Self Zone
The self zone is a system-level zone and includes all of the router's IP addresses. By default, traffic to and from this zone is permitted, to support management protocols (telnet, SSH, SNMP, etc.) and control plane functions (OSPF, EIGRP, RIP, etc.). After a…
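An added example, not part of the original post, of what the paragraph above implies once the default permit is replaced: a policy on the OUTSIDE-to-self zone pair that allows SSH only from one management host and passes OSPF, dropping everything else. The access-list, class-map and policy-map names and the 203.0.113.10 management address are assumptions; OUTSIDE is the zone from the configuration post.

```cisco
! Added example: restrict traffic from OUTSIDE to the router's own
! addresses (the self zone). Names and 203.0.113.10 are assumptions.
ip access-list extended ACL-MGMT-HOST
 permit ip host 203.0.113.10 any
!
ip access-list extended ACL-ROUTING
 permit ospf any any
!
class-map type inspect match-all CMAP-OUTSIDE-SELF-MGMT
 match access-group name ACL-MGMT-HOST
 match protocol ssh
!
class-map type inspect match-all CMAP-OUTSIDE-SELF-ROUTING
 match access-group name ACL-ROUTING
!
! Inspection on the self zone covers TCP/UDP/ICMP; other control plane
! protocols such as OSPF are handled with "pass", not "inspect".
policy-map type inspect PMAP-OUTSIDE-TO-SELF
 class type inspect CMAP-OUTSIDE-SELF-MGMT
  inspect
 class type inspect CMAP-OUTSIDE-SELF-ROUTING
  pass
 class class-default
  drop log
!
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PMAP-OUTSIDE-TO-SELF
```

The caveat a practitioner wants here: as soon as this zone pair exists, the self zone's default permit no longer applies in this direction, so any protocol the router relies on from OUTSIDE (other routing protocols, ICMP for path MTU discovery, NTP) that is not matched above is dropped and logged. Apply it from a session that enters via INSIDE, and check `show policy-map type inspect zone-pair` for unexpected class-default drops before treating the policy as final.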
-
Zone Based Firewall
ACLs control access based on protocol, source IP address, destination IP address and ports. ACLs are stateless: they do not inspect the state of the traffic actually passing through the router. Stateful firewalls can look at Layers 4 to 7 of a packet to verify the state of the transmission and detect whether a port is being piggybacked…
-
Configuring AAA for Network Device Access Control
Create a local user with full privilege for fallback:

    username fallback_admin privilege 15 algorithm-type scrypt secret Bananas123

Enable AAA functions with the command:

    aaa new-model

Next, add a TACACS+ server and server group:

    tacacs server authentication_server
     address ipv4 192.168.1.50
     key tacacskey
    aaa group server tacacs+ authentication_group
     server name authentication_server

Finally, enable AAA login authentication with the following…
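The complete device-access AAA configuration the four steps above build up to, as an added example that is not the original post's own text. The local user, `aaa new-model`, the TACACS+ server and the server group are taken from the post; the method lists (login authentication, exec and command authorization, accounting) and the separate console list are assumptions added here to show the whole picture.

```cisco
! Added example: full AAA for device access control. The method lists and
! the console handling are assumptions, not lines from the original post.
username fallback_admin privilege 15 algorithm-type scrypt secret Bananas123
!
aaa new-model
!
tacacs server authentication_server
 address ipv4 192.168.1.50
 key tacacskey
!
aaa group server tacacs+ authentication_group
 server name authentication_server
!
! TACACS+ first; the local database is consulted only when no server answers,
! so a wrong password at the server is still rejected rather than falling back.
aaa authentication login default group authentication_group local
aaa authorization exec default group authentication_group local
aaa authorization commands 15 default group authentication_group local
aaa accounting exec default start-stop group authentication_group
aaa accounting commands 15 default start-stop group authentication_group
!
! Keep the console on the local user so a TACACS+ outage cannot lock it
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
```

Apply this from one session and verify with a second SSH login before closing the first: `show tacacs` confirms the server is reachable, and `debug aaa authentication` shows which method in the list actually answered. The `local` keyword only takes effect when the TACACS+ group is unreachable, which is the behaviour wanted for a fallback account.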
-
Comparison of RADIUS and TACACS+
Component                         RADIUS                                                   TACACS+
Protocol and ports                Cisco: UDP port 1645 (authentication/authorisation),     TCP port 49
                                  UDP port 1646 (accounting).
                                  Industry standard: UDP port 1812 (authentication/
                                  authorisation), UDP port 1813 (accounting)
Encryption                        Encrypts the password field.                             Encrypts the entire payload.
                                  Supports EAP for 802.1X authentication                   Does not support EAP
Authentication and authorisation  Combines authentication and authorisation.               Separates authentication and authorisation.
                                  Cannot be used to authorise individual CLI commands      Can be…
-
RADIUS
RADIUS is an Internet Engineering Task Force (IETF) AAA protocol. It follows a client-server model in which the client initiates requests to the server. RADIUS is the AAA protocol of choice for network access, mainly because RADIUS is the AAA transport for the Extensible Authentication Protocol (EAP), whilst TACACS+ does not support any EAP…
-
TACACS+
TACACS+ was developed by Cisco and released as an open standard in the early 1990s. TACACS+ is mainly used for AAA device access control, but it can also be used for network access. TACACS+ uses TCP port 49 to communicate between TACACS+ clients and the TACACS+ server. TACACS+ can provide authentication, authorisation…