Overview of CPPr

This topic describes the basic function and benefits of the Cisco IOS Control Plane Protection (CPPr) feature. One tool mentioned in the previous section is CPPr, which includes Control Plane Policing (CoPP), port filtering, and queue thresholding. CPPr is a framework that encompasses all policing and protection features in the control plane. The CPPr feature extends the...

Common Cisco Ios Aaa Authorization Configuration

To enable AAA authorization and create an authorization method list for a particular authorization type, use the aaa authorization command:

dev(config)# aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2 ...]

auth-proxy: applies specific security policies on a per-user basis.
network: runs authorization for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Programs (NCPs), and AppleTalk Remote...

Defining Port Filter Packet Classification Criteria

Before you can attach a port-filter service policy to the control plane host subinterface, you must first create the policy: define a class map and a policy map of type port-filter for control plane traffic. A new class map type called port-filter was created for the port-filter feature. You must create one or more port-filter class maps before you can create your port-filter service policy. The port-filter class maps separate your traffic into classes of traffic. Then, your service...

Enable AAA

Switch(config)# aaa authentication dot1x {default | list-name} group radius
Create an IEEE 802.1X authentication method list.

Switch(config)# aaa authorization network default group radius
(Optional) Configure the switch for user RADIUS authorization for all network-related service requests, such as VLAN assignment.

Complete these steps to enable AAA services on the switch. Specify one or more authentication, authorization, and accounting (AAA) methods for use on interfaces running...
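The following configuration is an added example (it is not taken from the SNRS guide) that puts the aaa authorization method lists from the earlier topic and the 802.1X steps above together on one Catalyst switch. The server addresses, shared secrets, interface and VLAN numbers are placeholders; the local fallback user is there so that a RADIUS or TACACS+ outage cannot lock administrators out.

```cisco
! Added example, not Cisco's own configuration. Addresses and keys are placeholders.
aaa new-model
!
! AAA servers: RADIUS answers 802.1X (EAP) requests; TACACS+ is used for
! administrative access because RADIUS cannot authorize individual commands.
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key R4diusK3y
tacacs-server host 10.1.1.20 key T4cacsK3y
!
! 802.1X: no "local" fallback here, because the local user database
! cannot complete an EAP exchange with a supplicant.
aaa authentication dot1x default group radius
! Optional: let RADIUS return per-user attributes such as the VLAN assignment
aaa authorization network default group radius
!
! Named lists for management of the switch itself, with local fallback
aaa authentication login ADMIN group tacacs+ local
aaa authorization exec ADMIN group tacacs+ local
aaa authorization commands 15 ADMIN group tacacs+ local
!
username admin privilege 15 secret LocalFallbackOnly
!
! Enable 802.1X globally, then on each user-facing access port
dot1x system-auth-control
!
interface FastEthernet0/1
 description user access port, 802.1X controlled
 switchport mode access
 dot1x port-control auto
!
! Bind the management lists to the VTY lines
line vty 0 4
 login authentication ADMIN
 authorization exec ADMIN
 authorization commands 15 ADMIN
```

Note that the default dot1x list and the named ADMIN lists are independent: a misconfigured RADIUS server stops users getting onto the network but does not affect administrators, and the `local` keyword only takes effect when no TACACS+ server responds, not when a server rejects the login.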

DHCP Starvation and Spoofing Attacks

This topic describes the DHCP spoofing and starvation attacks. [Figure: an attacker attempting to starve the DHCP server by sending DHCP requests with spoofed MAC addresses, and an attacker attempting to set up a rogue DHCP server.] A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. This is easily achieved with attack tools such...
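As an added example (not part of the original guide text), this is the DHCP snooping configuration a Catalyst switch administrator would use against both attacks described above. VLAN number, interface names and the rate limit are placeholders chosen for illustration.

```cisco
! Added example, not from the SNRS guide. VLAN, interfaces and rates are placeholders.
! DHCP snooping builds a binding table and, on untrusted ports, drops DHCP
! server messages (OFFER/ACK/NAK), which defeats a rogue DHCP server.
ip dhcp snooping
ip dhcp snooping vlan 10
! Drop client requests whose chaddr field does not match the frame source MAC.
! This is the default; it is shown explicitly because it catches only the
! sloppier starvation tools (most set chaddr equal to the spoofed source MAC).
ip dhcp snooping verify mac-address
!
! Only the uplink toward the real DHCP server is trusted
interface GigabitEthernet0/1
 description uplink toward the legitimate DHCP server
 ip dhcp snooping trust
!
! Access ports stay untrusted (default). The rate limit counters starvation:
! a tool flooding DISCOVERs with thousands of MAC addresses trips the limit
! and the port is err-disabled.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
!
! Let err-disabled ports recover automatically instead of needing manual shut/no shut
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verification commands:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
```

Ten DHCP packets per second is generous for an access port with one or two hosts; the value should be tuned to the real population behind the port, since the limit is per port, not per host.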

Flexible Packet Matching

Many of the tools available today are not designed with deep packet inspection as a requirement; instead, they are designed to provide matching for predefined fields in well-known protocol headers. If an attack uses a field outside the limited range of inspection of these features, you are left without a defense against the attack. FPM provides the means to configure match criteria for any or all fields in a packet...
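To show the mechanism the paragraph describes, here is an added FPM example (not from the SNRS guide) that drops TCP packets to port 80 whose payload starts with a given 4-byte pattern. The PHDF file location, the interface name and the pattern 0x41424344 are placeholders; a real signature would come from analysis of the attack traffic, not from this page.

```cisco
! Added example, not Cisco's own configuration. Paths, interface and the byte
! pattern are placeholders.
!
! FPM needs protocol header definition files so it knows the field layout
load protocol flash:ip.phdf
load protocol flash:tcp.phdf
!
! Stack class: which header chain FPM should walk (IP carrying TCP)
class-map type stack match-all IP-TCP
 match field IP protocol eq 0x6 next TCP
!
! Access-control class: the actual match criteria. "match field" uses named
! header fields; "match start" reads raw bytes at an offset, which is how FPM
! reaches beyond the predefined fields the text talks about.
class-map type access-control match-all BAD-PAYLOAD
 match field TCP dest-port eq 80
 ! 4 payload bytes at offset 40 from the IP header start. This assumes a
 ! 20-byte IP header and a 20-byte TCP header; packets carrying options would
 ! shift the payload and not match.
 match start l3-start offset 40 size 4 eq 0x41424344
!
! Action policy: drop what the class matches
policy-map type access-control DROP-BAD-PAYLOAD
 class BAD-PAYLOAD
  drop
!
! Outer policy: nest the action policy under the stack class
policy-map type access-control FPM-POLICY
 class IP-TCP
  service-policy DROP-BAD-PAYLOAD
!
interface GigabitEthernet0/0
 description inbound edge interface
 service-policy type access-control input FPM-POLICY
!
! Verification:
!   show policy-map type access-control interface GigabitEthernet0/0
```

The fixed-offset assumption in the comment is the main operational caveat of FPM: it is stateless and inspects each packet on its own, so it cannot follow a pattern that is split across segments or shifted by header options, and a signature written this way should be tested against captured traffic before it is trusted to block.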

Student Guide

Editorial, Production, and Web Services, 02.06.07

Cisco Systems, Inc.
170 West Tasman Drive, San Jose, CA 95134-1706, USA
www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387); Fax: 408 527-0883

Cisco Systems International BV
Haarlerbergpark, Haarlerbergweg 13-19, 1101 CH Amsterdam, The Netherlands
www-europe.cisco.com
Tel: +31 0 8000200791; Fax: +31 0 20 357 1100

Cisco Systems, Inc.
168 Robinson Road, 28-01 Capital Tower, Singapore 068912
www.cisco.com
Tel: +65 6317 7777; Fax: +65 6317 7799

Cisco has more than...

Data Plane Protection

This topic describes some strategies for protecting the data plane. Cisco IOS Software includes various tools for dealing with attacks that may affect the data plane. Some of these security features include the following:

Access control lists (ACLs): filter traffic through network devices.
Flexible Packet Matching (FPM): provides a flexible Layer 2 to Layer 7 stateless classification mechanism.
Unicast Reverse Path Forwarding (uRPF): helps mitigate problems...

CAM Table Overflow Attack

[Figure: CAM table overflow attack; the attacker sees traffic to servers B and D.] This diagram illustrates a CAM table overflow attack. In this figure, the attacker is sending out multiple frames with various source MAC addresses. Over a short period of time, the CAM table in the switch fills up until it cannot accept new entries. As long as the flood is left running, the CAM table on the switch remains full. When this happens, the switch can no longer learn the MAC addresses of legitimate hosts, so it floods the frames destined to them out...

Control Plane Interface and Subinterface

The concept of early rate-limiting of protocol-specific traffic destined to the processor, by applying QoS policies to the aggregate control plane interface, was introduced with CoPP. CPPr extends this control plane functionality by providing three additional control plane subinterfaces under the top-level (aggregate) control plane interface. Each subinterface receives and processes a specific type of control plane traffic. The three subinterfaces are as follows: Control plane host subinterface...

Entering Aggregate Control Plane Configuration Mode

After you create a class of traffic and define the service policy for the control plane, you apply the policy to either the aggregate control plane interface or one of its subinterfaces. After you enter the control-plane command, you can define aggregate CoPP policies for the route processor (RP). You can configure a service policy to police all traffic destined to the control plane from all line cards on the router (aggregate control plane services). Note: Aggregate control plane services manage traffic...

Mitigating Pvlan Proxy Attacks

Router(config)# access-list 101 deny ip 172.30.1.0 0.0.0.255 172.30.1.0 0.0.0.255
Router(config)# access-list 101 permit ip any any
Router(config-if)# ip access-group 101 in

Build the ACL for the subnet and apply it inbound on the router interface that faces the segment. Configure access control lists (ACLs) on the router port to mitigate PVLAN proxy attacks: a packet that arrives at the router sourced from the subnet and destined to the same subnet never needs routing, so it can only be a host trying to use the router as a proxy around the PVLAN isolation, and the first ACL entry drops it while the second leaves all other traffic untouched. An example of using ACLs on the router port is if a server farm segment existed on subnet 172.30.1.0/24 and target C was in the server...

What Is EAP

EAP, the Extensible Authentication Protocol: a flexible transport protocol used to carry arbitrary authentication information, not the authentication method itself. Typically runs directly over data-link layers such as PPP or IEEE 802 media. Originally specified in RFC 2284, obsoleted by RFC 3748. Supports multiple authentication types. EAP, an IETF protocol that IEEE 802.1X carries over LAN media, is an end-to-end framework that allows the creation of authentication types...

Cisco Certified Security Professional

Expand Your Professional Options and Advance Your Career: professional-level recognition as a Cisco Certified Security Professional. Recommended training through Cisco Learning Partners: Securing Cisco Network Devices (SND); Securing Networks with Cisco Routers and Switches (SNRS); Securing Networks with PIX and ASA (SNPA); Implementing Cisco Intrusion Prevention Systems (IPS); Securing...

Configuring Port Security

Switch(config-if)# switchport mode access
Set the interface mode as access.

Switch(config-if)# switchport port-security
Enable port security on the interface.

Switch(config-if)# switchport port-security maximum value
(Optional) Set the maximum number of secure MAC addresses for the interface.

Complete these steps to configure port security on an interface.
Step 1: Enter interface configuration mode: Switch(config)# interface FastEthernet0/8
Step 2: Configure...
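The complete interface configuration that the steps above build toward, as an added example that is not from the SNRS guide. It is also the mitigation for the CAM table overflow attack described earlier: a port that accepts at most two source MAC addresses cannot be used to fill the CAM table. Interface name, MAC count and the recovery timer are placeholders.

```cisco
! Added example, not Cisco's own configuration. Interface and values are placeholders.
interface FastEthernet0/8
 description user access port
 switchport mode access
 switchport port-security
 ! Two secure addresses, e.g. an IP phone and the PC behind it. A MAC flood
 ! cannot push more entries into the CAM table through this port.
 switchport port-security maximum 2
 ! Learn the first two addresses dynamically and write them into the
 ! running configuration, so a reboot does not reopen the learning window
 switchport port-security mac-address sticky
 ! On a violation, drop the offending frames and raise a syslog/SNMP trap but
 ! keep the port up. The default (shutdown) err-disables the port, which lets
 ! an attacker knock the legitimate user offline with a single spoofed frame.
 switchport port-security violation restrict
!
! If "violation shutdown" is chosen instead, recover err-disabled ports automatically
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification:
!   show port-security interface FastEthernet0/8
!   show port-security address
```

Sticky addresses do not age out, so when a device is replaced the old entry must be cleared (clear port-security sticky interface FastEthernet0/8) or the new device will be treated as a violation; restrict mode makes that a logged, recoverable event rather than an outage.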

TACACS and Radius Comparison

                       TACACS+                                  RADIUS
Transport              TCP, port 49                             UDP, ports 1645 and 1812 (authentication/authorization)
Encryption             Entire packet body                       Only the password in the Access-Request
AAA services           Separate control of each AAA service     Authentication and authorization combined

Cisco Secure ACS conforms to the TACACS+ protocol as defined by Cisco Systems. Cisco Secure ACS conforms to the RADIUS protocol as defined in these RFCs: RFC 2138, Remote Authentication Dial In User Service (RADIUS); RFC 2139, RADIUS Accounting; RFC 2284, PPP...

Defining a CoPP Service Policy

Use the policy-map global configuration command to specify the service policy name, then use the policy-map configuration commands to associate a traffic class that was configured with the class-map command. The traffic class is bound to the service policy by the class command, which you issue after entering policy-map configuration mode. After entering the class command, you are automatically in policy-map class configuration mode, where you set the action (such as police) for that class. Follow these steps to define a...
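The following added example (not from the SNRS guide) carries the class-map, policy-map and class steps described here through to the control-plane command, and also shows the port-filter class map and host subinterface from the earlier CPPr topics, so the aggregate CoPP policy and the CPPr host-subinterface policy can be compared side by side. ACL numbers, rates and the management subnet 10.0.0.0/24 are placeholders.

```cisco
! Added example, not Cisco's own configuration. ACLs, rates and subnets are placeholders.
!
! 1. Classification. In a CoPP class-map, "permit" means "belongs to this class";
!    it does not by itself allow or block anything.
access-list 120 permit icmp any any
access-list 121 permit tcp 10.0.0.0 0.0.0.255 any eq 22
access-list 121 permit udp 10.0.0.0 0.0.0.255 any eq snmp
!
class-map match-all COPP-ICMP
 match access-group 120
class-map match-all COPP-MGMT
 match access-group 121
!
! 2. Service policy. The "class" command binds a class-map and drops into
!    policy-map class configuration mode, where "police" sets the rate.
policy-map COPP
 class COPP-ICMP
  police 64000 conform-action transmit exceed-action drop
 class COPP-MGMT
  police 256000 conform-action transmit exceed-action drop
 class class-default
  ! Start by transmitting on exceed so the counters reveal the real baseline;
  ! change to "exceed-action drop" once the rates are known to be right
  police 512000 conform-action transmit exceed-action transmit
!
! 3. Apply to the aggregate control plane interface: all traffic punted to the
!    route processor from every line card passes through this policy.
control-plane
 service-policy input COPP
!
! CPPr port filtering on the host subinterface. "closed-ports" are TCP/UDP ports
! on which the router itself is not listening, so packets to them are scans or
! noise and can be dropped before they reach the RP at all.
class-map type port-filter match-all CLOSED-PORTS
 match closed-ports
policy-map type port-filter DROP-CLOSED-PORTS
 class CLOSED-PORTS
  drop
control-plane host
 service-policy type port-filter input DROP-CLOSED-PORTS
!
! Verification:
!   show policy-map control-plane
!   show control-plane host open-ports
```

The ICMP and management rates above are deliberately low; the right values come from watching the conformed and exceeded counters in show policy-map control-plane during normal operation, because a rate that starves routing protocol or management traffic is a self-inflicted denial of service.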

PEAP with MSCHAPv2

This diagram illustrates the PEAP with MS-CHAPv2 message exchange between the supplicant, authenticator, and authentication server.

Phase 1, outer TLS tunnel:
EAP-Request: Identity
EAP-Response: Identity
EAP-Request: TLS start
EAP-Response: TLS client hello
EAP-Request: TLS server hello, server certificate, server key exchange, server hello done
EAP-Response: certificate verify, change cipher spec
EAP-Request: TLS change cipher spec

Phase 2, inner authentication carried inside the tunnel:
Identity request
Identity response
EAP-MS-CHAPv2 challenge
EAP-MS-CHAPv2 response
...

Web Interface

[Screenshot: browser window showing the Cisco Secure ACS v4.0 administration web interface.] Select Log Off to end the administration session. The welcome page reads: CiscoSecure ACS v4.0 offers support for multiple AAA clients and advanced TACACS+ and RADIUS features. It also supports several methods of authorization, authentication, and accounting (AAA), including several one-time-password cards. For more information on CiscoSecure products and upgrades, please visit http://www.cisco.com. Copyright 2005 Cisco Systems, Inc. Copyright 1991-1992 RSA Data Security, Inc. MD5...

Working in Cisco Secure ACS

[Screenshot: the same Cisco Secure ACS v4.0 administration web interface shown under Web Interface above.] Select Log Off to end the administration session.