Cisco CCNP Security Cert Guide: Implementing and Configuring Cisco IOS Routed Data Plane Security

Chapter Description

Several different parts of a network need to be secured from internal and external attack. This chapter addresses the routed data plane, including the Cisco IOS Software features that can be used to secure the network user data that traverses the network, and discusses how to configure these features on the network devices within the network.

Exam Preparation

As mentioned in the section, "How to Use This Book," in the Introduction, you have several choices for exam preparation: the exercises here, the memory tables in Appendix D, the final exam preparation chapter, and the exam simulation questions on the CD-ROM. The following questions present a bigger challenge than the exam itself because they use an open-ended question format. By using this more difficult format, you exercise your memory better and prove your conceptual and factual knowledge of this chapter. You can find the answers to these questions in Appendix A, "Answers to the DIKTA Quizzes and Fill in the Blanks Questions."

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topics icon in the margin of the page. Table 8-6 lists a reference of these key topics and the page numbers on which each is found.

Table 8-6. Key Topics

Key Topic Element   Description                                                         Page
Figure 8-1          High-level overview of how an ACL is processed by a router          188
List                ACL types                                                           189
Table 8-2           Protocols and their corresponding number identification for an ACL  190
List                FPM restrictions                                                    196
List                FPM class-map types                                                 198
Table 8-3           Flexible NetFlow components                                         204
Table 8-4           NetFlow original/NetFlow IPv4 original input format                 205
Table 8-5           NetFlow IPv4 original output format                                 205
List                Flow sampling modes                                                 208
List                Unicast RPF modes                                                   210

Complete Tables and Lists from Memory

Print a copy of Appendix C, "Memory Tables" (found on the CD), or at least the section for this chapter, and complete the tables and lists from memory. Appendix D, "Memory Table Answers," also on the CD, includes completed tables and lists to check your work.

Define Key Terms

Define the following key terms from this chapter, and check your answers in the Glossary:

  • access control list (ACL), stateless

Use Command Reference to Check Your Memory

Table 8-7 lists the important commands from this chapter. To test your memory, cover the right side of the table with a piece of paper, read the description on the left side, and then see how much of the command you can remember.

Table 8-7. Command Reference

Task
    Command Syntax

Create a standard access list
    access-list access-list-number {permit | deny} {host host | source source-wildcard | any} [log]
  or
    ip access-list standard {access-list-number | access-list-name}
    permit {host host | source source-wildcard | any} [log]

Create an extended access list
    access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name]
  or
    ip access-list extended {access-list-number | access-list-name}
    [sequence-number] {deny | permit} protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [time-range time-range-name] [log]

Assign an access list to an interface
    ip access-group number {in | out}

Create a reflexive access list
    ip access-list extended {access-list-number | access-list-name}
    [sequence-number] {deny | permit} protocol source source-wildcard destination destination-wildcard reflect name
  and
    evaluate name

Create a time-based access list
    time-range time-range-name
    periodic days-of-the-week hh:mm to [days-of-the-week] hh:mm
    absolute [start time date] [end time date]
    access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [time-range time-range-name]
  or
    ip access-list extended {access-list-number | access-list-name}
    [sequence-number] {deny | permit} protocol source source-wildcard destination destination-wildcard [time-range time-range-name]

Load a specific PHDF file
    load protocol location:filename

Load a specific TCDF file
    load classification location:filename

Create an FPM class map
    class-map type {stack | access-control} [match-all | match-any] class-map-name

Match specific traffic to classify within a class map
    match field protocol protocol-field {eq | neq | gt | lt | range range} value [next next-protocol]
    match start {l2-start | l3-start} offset offset size size {eq | neq | gt | lt | range range} value

Create an FPM policy map
    policy-map type access-control policy-map-name

Associate a class map with a policy map
    class class-name

Specify a policy map action
    drop
  or
    service-policy policy-map-name

Assign a policy map to an interface
    service-policy type access-control {input | output} policy-map-name

Create a user-defined NetFlow flow record format
    flow record flow-record-name

Specify NetFlow key fields
    match {ipv4 | ipv6 | datalink | routing | flow | interface} options

Specify NetFlow nonkey fields
    collect {counter | ipv4 | ipv6 | datalink | routing | flow | interface | timestamp} options

Configure a NetFlow flow monitor
    flow monitor flow-monitor-name

Specify a NetFlow record format
    record {flow-record-name | netflow {ipv4 | ipv6} {original-input | original-output} | netflow-original}

Configure a NetFlow flow exporter
    flow exporter flow-exporter-name

Specify a NetFlow flow exporter server
    destination {hostname | ip-address}

Specify a NetFlow flow exporter server port
    transport udp port

Configure a NetFlow flow exporter with a flow monitor
    exporter flow-exporter-name

Configure a NetFlow flow sampler
    sampler sampler-name

Specify a NetFlow flow sampler mode
    mode {deterministic | random} 1 out-of window-size

Associate a NetFlow flow monitor with an interface
    ip flow monitor flow-monitor-name [sampler sampler-name] {input | output}

Enable CEF
    ip cef [distributed]

Configure Unicast RPF on a specific interface
    ip verify unicast source reachable-via {rx | any} [access-list]

Display the contents of all current access lists
    show access-list [access-list-number | access-list-name]

Display the contents of all current IP access lists
    show ip access-list [access-list-number | access-list-name]

Display which specific PHDFs are loaded and which fields are supported
    show protocols phdf phdf-name

Display the current traffic classes configured and their matching criteria
    show class-map type {stack | access-control}

Display the current traffic policies
    show policy-map type access-control [interface interface]

Display NetFlow flow monitor configuration
    show flow monitor

Display NetFlow flow monitor interface configuration
    show flow interface interface

Display NetFlow flow exporter configuration
    show flow exporter

Display NetFlow cache
    show flow monitor name flow-monitor-name cache format {csv | record | table}

Display NetFlow sampler configuration
    show sampler

Display Unicast RPF status
    show cef interface interface

Display global Unicast RPF packet count
    show ip traffic

Display the number of interface Unicast RPF packet drops
    show ip interface interface
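The following configuration is an added worked example, not taken from the book, that strings the commands in Table 8-7 together on one Internet-facing router interface: a time-based extended ACL that drops and logs packets arriving from outside with an internal (RFC 1918) source, a Flexible NetFlow record, exporter, monitor and sampler applied to the same interface for visibility, and strict-mode Unicast RPF (which requires CEF to be enabled first). The interface name, the object names (EDGE-IN, BUSINESS-HOURS, FNF-REC, FNF-EXP, FNF-MON, FNF-SAMP) and the addresses (RFC 5737 documentation ranges 192.0.2.0/24 and 203.0.113.0/24) are constructed for illustration.

```cisco
! Added example (not from the book). Names, interfaces and addresses are constructed;
! 192.0.2.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges.

! --- Time-based, extended access list for the Internet-facing interface ---
time-range BUSINESS-HOURS
 periodic weekdays 08:00 to 18:00
!
ip access-list extended EDGE-IN
 remark Drop and log packets that arrive from outside claiming an RFC 1918 source
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark Allow HTTPS to the published web server only during business hours
 permit tcp any host 192.0.2.20 eq 443 time-range BUSINESS-HOURS
 remark Explicit final deny so the implicit-deny drops are counted and logged
 deny   ip any any log
!
! --- Flexible NetFlow: record -> exporter -> monitor -> sampler -> interface ---
flow record FNF-REC
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow exporter FNF-EXP
 destination 192.0.2.10
 transport udp 2055
!
flow monitor FNF-MON
 record FNF-REC
 exporter FNF-EXP
!
sampler FNF-SAMP
 mode random 1 out-of 64
!
! --- Unicast RPF depends on CEF, so CEF is enabled before the interface command ---
ip cef
!
interface GigabitEthernet0/0
 description Internet-facing uplink (constructed example)
 ip address 203.0.113.1 255.255.255.252
 ip access-group EDGE-IN in
 ip flow monitor FNF-MON sampler FNF-SAMP input
 ip verify unicast source reachable-via rx
!
```

Two points worth checking after applying this. Strict mode (reachable-via rx) drops any packet whose source is not reachable through the interface it arrived on, so it is only safe where routing to and from that interface is symmetric; on a multihomed edge, reachable-via any (loose mode) is the usual choice. Drops can be confirmed with show ip interface GigabitEthernet0/0 and show ip traffic from Table 8-7, ACL hits with show access-list EDGE-IN, and the sampled flows with show flow monitor name FNF-MON cache format table. Logging every denied packet, as EDGE-IN does, is useful while validating the policy but is CPU-intensive on a busy link, so the log keywords are normally kept only on the entries that matter once the ACL is in production.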

Fill in the Blanks

  1. There is a(n) _____ at the end of each access list.
  2. An extended access list can use the number ranges of _____ and _____.
  3. The wildcard mask that would be used with a subnet mask of 255.255.255.192 would be _____.
  4. When assigning reflexive access lists to an interface, they are typically placed _____ on an interface facing away from the internal network or _____ on an interface facing toward the internal network.
  5. Both PHDF and TCDF are formatted using _____.
  6. When using FPM, traffic can be classified using _____ files or using the _____.
  7. FPM is only able to inspect _____ unicast packets.
  8. _____ fields are used by NetFlow to identify specific flows.
  9. Unicast RPF can operate in _____ or _____ mode.
  10. When configuring Unicast RPF, the first thing that must be configured is _____.