
Software-Defined Access: 2 components: Cisco Campus fabric solution and Cisco DNA Center.
Capabilities: Network Automation, Network Assurance and Analytics, Host Mobility, Identity Services, Policy Enforcement, Secure Segmentation, Network Virtualization.

Terminal Lines and Password Protection
3 methods to add password protection: password configured directly on the line, username-based (local database) authentication, AAA server.
5 types of password: Type 0 – plain text (enable password); Type 5 – MD5 (enable secret); Type 7 – Vigenère cipher (service password-encryption), reversible obfuscation only; Type 8 – PBKDF2 with SHA-256 (enable algorithm-type sha256 secret); Type 9 – scrypt (enable algorithm-type scrypt secret).
Password Encryption: service password-encryption stores type 0 passwords as type 7. Type 7 can be decoded offline, so verify with show running-config that no type 0 passwords remain and prefer type 8/9 secrets for enable and username credentials.

Username and password storage: 3 ways: 1) username {username} password {password} (type 0, or type 7 when service password-encryption is enabled); 2) username {username} secret {password} (hashed); 3) username {username} algorithm-type {md5|sha256|scrypt} secret {password} (type 5, 8 or 9 respectively).
Configure Line Local Password Authentication (under line con 0 / line vty 0 4):
password {password}
login (enables password checking on the line)
Configure Line Local Username Password Authentication:
username {username} password {password} (global configuration)
login local (under the line; enables username-based authentication at login)
Privilege Levels and Role-Based Access: 16 levels (0–15), 3 predefined: Privilege 0: disable, enable, exit, help, logout; Privilege 1 (User Exec): prompt >; Privilege 15 (Privileged Exec): prompt #.
Change the privilege level of a command using: privilege {mode} level {level} {command string}
Verify privilege levels: show running-config, show privilege

Controlling access to vty lines with ACLs (under line vty): access-class {access-list-number|access-list-name} {in|out}
Verify access to vty lines with ACLs: show running-config, show line
Controlling access to vty lines with transport input (under line vty): transport input {all|none|telnet|ssh}
Verify access to vty lines with transport input: show line

Enabling SSH vty access:
hostname {hostname}
ip domain-name {domain-name}
crypto key generate rsa [modulus 2048] (the key pair is named after hostname.domain-name, so both must be set first)
ip ssh version 2 (forces the SSH server to accept only version 2)
Verify: show ip ssh, show ssh

Auxiliary Port: for remote administration through a dialup modem connection; disable with no exec under line aux 0.
EXEC Timeout: automatically times out an idle EXEC session: exec-timeout {minutes} [seconds]; default is 10 minutes.
Absolute Timeout: times out the EXEC session regardless of activity: absolute-timeout {minutes}; logout-warning {seconds} warns the user before the forced logout.
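The line, password and SSH items above combined into one device configuration. This is an added example, not part of the original notes; the hostname R1, domain lab.example, user netadmin, ACL MGMT-HOSTS, management subnet 10.10.0.0/24 and the placeholder secrets are assumptions.

```ios
! Added example (not from the original notes). Assumed: hostname R1, domain lab.example,
! user netadmin, ACL MGMT-HOSTS, management subnet 10.10.0.0/24; replace the placeholder secrets.
hostname R1
ip domain-name lab.example
!
! Type 9 (scrypt) secrets instead of type 0/5/7 for enable and the local user
enable algorithm-type scrypt secret EnableSecretPlaceholder
username netadmin privilege 15 algorithm-type scrypt secret UserSecretPlaceholder
!
! Only the management subnet may open a vty session; log anything else that tries
ip access-list standard MGMT-HOSTS
 permit 10.10.0.0 0.0.0.255
 deny   any log
!
! 2048-bit key pair, named R1.lab.example; SSH does not come up without it
crypto key generate rsa modulus 2048
ip ssh version 2
!
line con 0
 login local
 exec-timeout 5 0
!
line aux 0
 no exec
!
line vty 0 4
 login local
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 5 0
 absolute-timeout 60
 logout-warning 30
!
! Verification
! show ip ssh                                   (expect "SSH Enabled - version 2.0")
! show running-config | include secret|password (no "password 0" / "password 7" lines should remain)
! show line vty 0                               (transport input ssh, access-class applied)
```

Because transport input ssh and the access-class are applied before telnet is removed elsewhere, test the SSH login from a host inside 10.10.0.0/24 before closing the console session you used to configure it.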
TACACS+: Cisco protocol, TCP 49. Separates AAA into independent functions and can request authorization parameters separately. Encrypts the entire payload, does not support EAP, supports CLI command accounting; used for network device access control.
RADIUS: IETF standard. Authentication and authorization: UDP 1645 (standard port 1812); accounting: UDP 1646 (standard port 1813). AAA transport protocol for EAP; returns all authorization parameters in a single reply, encrypts only the password, supports EAP for 802.1X authentication, does not support network device CLI command accounting; used for secure network access.
Config AAA for NDAC = config of the device + config of the TACACS+ AAA server
1) Create a local user with full privilege (fallback if every server is unreachable): username {username} privilege 15 algorithm-type {md5|sha256|scrypt} secret {password}
2) Enable AAA functions: aaa new-model
3) Add the TACACS+ server
   IOS < 15.x: tacacs-server host {hostname|host-ip-address} key {key-string}
   IOS >= 15.x: tacacs server {name}
                address ipv4 {hostname|host-ip-address}
                key {key-string}
4) Create an AAA server group: aaa group server tacacs+ {group-name}
                               server name {server-name}
5) Enable AAA authentication: aaa authentication login {default|custom-list} method...
6) Enable AAA authorization (EXEC): aaa authorization exec {default|custom-list} method...
7) Enable AAA authorization (console): aaa authorization console
8) Enable AAA command authorization (EXEC): aaa authorization commands {privilege-level} {default|custom-list} method...
9) Enable command authorization in global configuration mode: aaa authorization config-commands
10) Enable login accounting: aaa accounting exec {default|custom-list} {start-stop|stop-only|none} method...
11) Enable command accounting: aaa accounting commands {privilege-level} {default|custom-list} {start-stop|stop-only|none} method...
Verifying AAA config (Authentication, Authorization, Accounting): establish an SSH session and authenticate against the server; show tacacs; test aaa group {group-name} {username} {password} new-code
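The eleven steps above as one complete TACACS+ configuration with local fallback. This is an added example, not part of the original notes; the server name ISE-1 at 10.10.0.50, the shared key placeholder, the group ISE-TACACS and the local user netadmin are assumptions.

```ios
! Added example (not from the original notes). Assumed: TACACS+ server ISE-1 at 10.10.0.50,
! group ISE-TACACS, local fallback user netadmin; replace the placeholder secrets.
username netadmin privilege 15 algorithm-type scrypt secret LocalFallbackPlaceholder
aaa new-model
!
tacacs server ISE-1
 address ipv4 10.10.0.50
 key TacacsKeyPlaceholder
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-1
!
! Authenticate against the group first; the local database is used only if every server is unreachable
aaa authentication login default group ISE-TACACS local
! EXEC authorization: start at the privilege level the server returns, fall back to the local user's level
aaa authorization exec default group ISE-TACACS local
aaa authorization console
! Every privilege-15 command, including configuration-mode commands, is authorized per command
aaa authorization commands 15 default group ISE-TACACS local
aaa authorization config-commands
! Record session start/stop and every privilege-15 command on the server
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! Verification
! test aaa group ISE-TACACS netadmin <password> new-code   (expect "User successfully authenticated")
! show tacacs                                              (socket opens, request/response counters increase)
! debug aaa authentication / debug tacacs                  (lab device only)
```

Keep a console session open while testing: if the key or address is wrong the login falls through to the local user, which masks the server problem, and the show tacacs counters tell you whether the server ever answered.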
Self Zone: system-level zone that includes all router IP addresses. Traffic to and from the self zone is permitted by default to support management and control plane traffic.
Default Zone: system-level zone; once enabled with zone security default, an interface that is not a member of another zone is placed here automatically.

Zone Based Firewall: integrated stateful firewall technology.
ZBFW Config
1) Configure security zones: zone security {zone-name}
2) Define an inspection class map: class-map type inspect [match-all|match-any] {class-name}
   Verify: show class-map type inspect
3) Define an inspection policy map: policy-map type inspect {policy-name}
   Define the class: class type inspect {class-name}
   Under the class, define the action: drop [log] (default, silently discards packets); pass [log] (router forwards packets from source to destination without tracking state); inspect (state-based traffic control, return traffic allowed automatically)
4) Apply the policy map to the traffic flow: zone-pair security {zone-pair-name} source {source-zone-name} destination {destination-zone-name}
   Inspection policy map applied to the zone pair: service-policy type inspect {policy-name}
5) Apply security zones to interfaces: interface {interface-id} / zone-member security {zone-name}
View traffic statistics: show policy-map type inspect zone-pair [zone-pair-name]
Verify: ping across the zone pair from the source zone and check that the session appears in the statistics
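The five ZBFW steps above as one working two-zone configuration. This is an added example, not part of the original notes; the zone names INSIDE and OUTSIDE, the interfaces GigabitEthernet0/0 (inside) and GigabitEthernet0/1 (outside) and the class/policy names are assumptions.

```ios
! Added example (not from the original notes). Assumed: Gi0/0 faces the INSIDE zone,
! Gi0/1 faces the OUTSIDE zone; class, policy and zone-pair names are illustrative.
zone security INSIDE
zone security OUTSIDE
!
! Inside hosts may open TCP, UDP and ICMP sessions; inspection allows the return traffic back in
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! No OUTSIDE->INSIDE zone pair is defined, so unsolicited outside traffic is dropped.
! Traffic to the router itself (self zone) is still permitted until a self zone pair is configured.
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! Verification: from an INSIDE host ping or SSH to an OUTSIDE address, then
! show zone-pair security
! show policy-map type inspect zone-pair IN-OUT   (session counters under "Inspect" increase)
```

Order matters when applying this to a live router: assigning an interface to a zone before the zone pair and policy exist cuts off transit traffic through that interface, so configure zones, class maps, policy map and zone pair first and assign interfaces last.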
Control Plane Policing: QoS policy applied to traffic destined to or sourced by the router control plane CPU.
Configuring ACLs for CoPP: ip access-list extended {acl-name} matching each class of control plane traffic (routing protocols, management such as SSH/SNMP, ICMP)
Configuring class maps for CoPP: class-map {match-all|match-any} {class-name} / match access-group name {acl-name}
Configuring policy maps for CoPP: policy-map {policy-map-name} / class {class-map-name} / police {police-rate} conform-action {transmit|drop} exceed-action {transmit|drop} violate-action {transmit|drop}
Applying the CoPP policy map: control-plane / service-policy {input|output} {policy-name}
Verifying the CoPP policy map: show policy-map control-plane input

Device Hardening: minimizes the amount of information exposed externally and the services listening on the device
Disable topology discovery protocols: no cdp enable (interface) or no cdp run (global); no lldp transmit, no lldp receive (interface) or no lldp run (global)
Disable TCP and UDP small services: no service tcp-small-servers, no service udp-small-servers
Enable TCP keepalives so dead sessions are torn down: service tcp-keepalives-in, service tcp-keepalives-out
Disable IP redirects: no ip redirects (interface)
Disable proxy ARP: no ip proxy-arp (interface)
Disable service config (autoloading a configuration over TFTP at boot): no service config
Disable Maintenance Operation Protocol: no mop enabled (interface)
Disable packet assembler/disassembler: no service pad
