Section 9: Security (8 Points)


  • Configure a reflexive access list on R6 and apply it to the R6-a3/0 internal interface, allowing BGP and any other interesting traffic.

If you configured this correctly as shown in Example 5-45, you have scored 3 points.

Example 5-45 shows the configuration for the reflexive access list that accomplishes the question requirements. Reflexive access lists allow IP packets to be filtered based on upper-layer session information. The requirement implies that BGP must be permitted on R6, and the other interesting traffic is ICMP.

Example 5-45. R6 Reflexive Access List Configuration
R6#sh run int a3/0
Building configuration...

Current configuration : 147 bytes
!
interface ATM3/0
 ip access-group in_filters in
 ip access-group out_filters out
R6#
R6#sh run
Building configuration...

Current configuration : 2604 bytes
!
ip access-list extended in_filters
 permit tcp any any reflect TCP_Traffic
ip access-list extended out_filters
 permit tcp any any eq bgp
 permit pim any any
 permit icmp any any
 deny ip any any
 evaluate TCP_Traffic
!
R6#sh access-lists
!
Reflexive IP access list TCP_Traffic
    permit tcp host 160.10.6.6 eq bgp host 160.10.3.3 eq 11003 (70 matches) (time left 91)
    permit tcp host 170.100.10.1 eq 11000 host 170.100.10.254 eq bgp (24 matches) (time left 61)
Extended IP access list in_filters
    permit tcp any any reflect TCP_Traffic
Extended IP access list out_filters
    permit tcp any any eq bgp
    permit pim any any
    permit icmp any any
    deny ip any any
    evaluate TCP_Traffic
R6#
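To make the reflect/evaluate mechanism behind Example 5-45 concrete, here is an added Python model (not IOS code and not from the book) of how a reflexive list records the mirror image of a permitted inbound TCP packet and later permits only the matching return traffic. It assumes the 300-second default reflexive inactivity timeout, uses the addresses from the example output as constructed sample packets, and writes port 179 where IOS prints the keyword bgp.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """TCP 4-tuple (src, sport, dst, dport); the sample values below are constructed."""
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveList:
    """Models one IOS reflexive access list such as TCP_Traffic in Example 5-45.

    reflect() is the inbound 'reflect' keyword: it stores the mirror image of a
    permitted packet as a temporary entry.  evaluate() is the outbound 'evaluate'
    statement: a packet passes only if an unexpired mirrored entry matches it.
    The 300-second inactivity timeout is the assumed IOS default.
    """

    def __init__(self, name, timeout=300):
        self.name = name
        self.timeout = timeout
        self.entries = {}  # (src, sport, dst, dport) -> expiry time

    def reflect(self, pkt, now):
        mirrored = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirrored] = now + self.timeout
        return mirrored

    def _purge(self, now):
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}

    def evaluate(self, pkt, now):
        self._purge(now)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.entries:
            return False
        self.entries[key] = now + self.timeout  # traffic resets the inactivity timer
        return True


def demo():
    """Inbound BGP session from R3 (160.10.3.3:11003) to R6 (160.10.6.6:179)."""
    rl = ReflexiveList("TCP_Traffic")
    rl.reflect(Packet("160.10.3.3", 11003, "160.10.6.6", 179), now=0)
    reply = Packet("160.10.6.6", 179, "160.10.3.3", 11003)  # mirrored, permitted
    stray = Packet("160.10.6.6", 179, "160.10.3.3", 11004)  # no session, denied
    return {"reply_allowed": rl.evaluate(reply, now=10),
            "stray_allowed": rl.evaluate(stray, now=10),
            "reply_after_timeout": rl.evaluate(reply, now=400)}
```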

  • Consider having a server with an IP address of 160.10.33.1 on VLAN_33 and configure R3 to intercept all TCP traffic to this server. Also, configure R3 to drop random connections.

If you configured this correctly as shown in Example 5-46, you have scored 2 points.

Example 5-46 shows the configuration for TCP Intercept to monitor all TCP traffic going to the server 160.10.33.1. Note that access-list 101 as shown matches all TCP traffic, not only traffic destined to 160.10.33.1.

Example 5-46. R3 TCP Intercept Configuration
R3#sh run
Building configuration...

Current configuration : 2729 bytes
!
hostname R3
!
ip tcp intercept list 101
ip tcp intercept drop-mode random
!
access-list 101 permit tcp any any
R3#

  • Configure Sw1-fa0/17 to allow only the host MAC address 0010.DE48.2223 to access the switch through this interface. If a security violation occurs, force the interface to go into restrict mode.

If you configured this correctly as shown in Example 5-47, you have scored 3 points.

The configuration in Example 5-47 is the minimum configuration needed to enable the port-security feature on the interface with the violation mode set to restrict.

Example 5-47. Sw1 Port-Security Configuration
Sw1#show run int fa0/17
Building configuration...

Current configuration : 152 bytes
!
interface FastEthernet0/17
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0010.de48.2223
 no ip address
end
Sw1#
Sw1#show port-security int fa0/17
Port Security              : Enabled
Port status                : SecureUp
Violation mode             : Restrict
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Aging time                 : 0 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation count   : 0
Sw1#




CCIE Routing and Switching Practice Labs
ISBN: 1587051478
Year: 2006
Pages: 268