27 Cards in this Set

Which of the following is not a core element addressed by NFP (Network Foundation Protection)?
a. Management plane
b. Control plane
c. Data plane
d. Executive plane

Executive Plane

If you add authentication to your routing protocol so that only trusted authorized routers share information, which plane in the NFP are you securing?
a. Management plane
b. Control plane
c. Data plane
d. Executive plane

B

If you use authentication and authorization services to control which administrators can access which networked devices and control what they are allowed to do, which primary plane of NFP are you protecting?
a. Management plane
b. Control plane
c. Data plane
d. Executive plane

A

Which of the following is not a best practice to protect the management plane? (Choose all that apply.)
a. HTTP
b. Telnet
c. HTTPS
d. SSH

A, B

Which of the following is a way to implement role-based access control related to the management plane? (Choose all that apply.)
a. Views
b. AAA services
c. Access lists
d. IPS

A, B

What do CoPP and CPPr have in common? (Choose all that apply.)
a. They both focus on data plane protection.
b. They both focus on management plane protection.
c. They both focus on control plane protection.
d. They both can identify traffic destined for the router that will likely require direct CPU resources to be used by the router.

C, D

Which type of attack can you mitigate by authenticating a routing protocol? (Choose all that apply.)
a. Man-in-the-middle attack
b. Denial-of-service attack
c. Reconnaissance attack
d. Spoofing attack

A, B, and C

What is a significant difference between CoPP and CPPr?
a. One works at Layer 3, and the other works at Layer 2.
b. CPPr can classify and act on more-specific traffic than CoPP.
c. CoPP can classify and act on more-specific traffic than CPPr.
d. One protects the data plane, and the other protects the management plane.

B

Which of the following enables you to protect the data plane? (Choose all that apply.)
a. IOS zone-based firewall
b. IPS
c. Access lists
d. Port security

A, B, C, and D

DHCP snooping protects which component of NFP?
a. Management plane
b. Control plane
c. Data plane
d. Executive plane

C

Define the management plane.
Includes the protocols and traffic that administrators use between their workstations and the router/switch, e.g. using SSH to monitor a router or switch.
Define the control plane.
Includes the protocols and traffic that the network devices use on their own, without any interaction from an administrator, e.g. routing protocols. Routes can be dynamically learned and shared.
Define the data plane.
Includes the traffic that is being forwarded through the network, e.g. a user sending traffic from one part of the network to another.
Define the management plane security measures:
AAA, NTP, SSH, SSL/TLS, protected syslog, SNMPv3, parser views
Define the control plane security measures:
Control Plane Policing (CoPP) and Control Plane Protection (CPPr)
Define the data plane security measures:
ACLs, Layer 2 controls like VLANs, STP guards, IOS IPS, zone-based firewall.
What is role based access control? What plane does it operate under?
Creating a group that has specific rights and then placing users in that group, so that you can more easily manage and allocate administrators. We can create a role (like a group) and allocate that role to the users who will be acting in that role. With the role come permissions and access. This is part of the management plane and is a best practice.
Should you keep constant time across network devices?
Yes, use NTP across all devices.
What version of SNMP includes encryption and authentication?
SNMP v3
How can we manage the user accounts that need to connect to network devices?
Use AAA services and manage them from an ACS server. This also keeps an audit trail of who has logged in and what commands they executed.
Explain Control Plane Policing
Can be configured for any traffic destined to an IP address on the router. You can specify that management traffic (SSH/HTTPS) can be rate-limited down to a specific level or dropped completely. Think of applying QoS to the valid management traffic and policing to the bogus management traffic. Applied to a logical control plane interface, so the policy can be applied globally.
Explain Control Plane Protection
This allows for more detailed classification of traffic that is going to the CPU for handling. Applied to a logical control plane interface, so that regardless of the logical or physical interface the packets arrive on, the processor can still be protected.
What are the three specific subinterfaces that are classified?
Host subinterface: handles traffic destined to one of the physical/logical interfaces of the router.
Transit subinterface: handles data plane traffic that requires CPU intervention before forwarding (e.g. IP options).
Cisco Express Forwarding (CEF) exception subinterface: handles traffic (keepalives, TTL-expired packets) that has to involve the CPU.
What is the best way to block unwanted traffic at the data plane?
Access control lists (ACLs), which can be set inbound or outbound on any Layer 3 device. Set them closer to the source to save resources.
How can you reduce the chance of DoS attacks?
TCP Intercept and firewall services reduce the risk of SYN flood attacks.
How can you reduce spoofing attacks?
You can deny packets trying to enter your network (from the outside) that have a source IP of your internal network.
You can also set protection on layer 2 devices. Name some:
port security, DHCP snooping, Dynamic ARP Inspection, IP source guard.