In preparation for your CCNA Security 640-553 exam, we want to make sure we cover the topics that you will encounter on your CCNA exam. So to assist you, below we discuss the CCNA Security concept "Configure and verify IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI". As you progress through your CCNA exam studies, I am sure that with repetition you will find all the topics become much easier. So even though this may be a difficult concept initially, keep at it, as no one said getting your Cisco certification would be easy!
Configure and verify IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI
IP ACLs filter IP traffic destined for Telnet
Configure an IP ACL that denies any Telnet traffic to web server 10 (10.40.100.5) while leaving all other traffic to the server reachable:
Router# configure terminal
Router(config)#ip access-list extended webserver10
Router(config-ext-nacl)#deny tcp any host 10.40.100.5 eq telnet
Router(config-ext-nacl)#permit ip any any
The keyword telnet stands for TCP port 23. Entries are evaluated top to bottom and the first match wins, so the deny must come before the permit. The closing permit ip any any is required: every IOS ACL ends with an implicit deny, so without it the ACL would block all traffic to the server, not just Telnet.
You can define ACLs without applying them, but an ACL has no effect until it is applied to an interface. The name given to ip access-group must match the name of the ACL you defined (webserver10 here). Apply it inbound on the interface that receives traffic from the Telnet sources, serial0 in this example, so that packets heading for 10.40.100.5 are checked as they enter the router.
Applying the ACL to the serial0 interface
Router(config)#interface serial0
Router(config-if)# ip access-group webserver10 in
Check the result with show ip access-lists webserver10, which also shows the per-entry match counters once traffic hits the ACL.
IP ACLs filter IP traffic destined for SNMP
Simple Network
Management Protocol (SNMP) is widely used for router monitoring and
configuration changes. If not configured properly, SNMP could provide a wealth
of information about the device to intruders running SNMP discovery tools.
1. Configure a filter that only allows SNMP access from specific hosts. ACL 20 is a standard ACL, so it matches on the source address of the SNMP request; the log keyword records polls that arrive from any other host:
access-list 20 remark SNMP ACL
access-list 20 permit <IP Address of SNMP server>
access-list 20 deny any log
2. Configure the SNMP community with read-only (RO) access and bind it to ACL 20. Treat the COMMUNITY string as a password and keep it difficult to guess; SNMPv1 and v2c send it in clear text, so the ACL is the main control against anyone who sniffs or guesses it:
snmp-server community <COMMUNITY> RO 20
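To check ACLs like the Telnet and SNMP ones above before they go on a router, here is an added example (not part of the original article and not Cisco code): a small Python model of how IOS evaluates an IP ACL, top to bottom, first match wins, implicit deny at the end. It encodes the webserver10 ACL and ACL 20 from the page; the management station address 10.40.100.50 and the probe packets are constructed for the example.

```python
"""Simulator for Cisco IOS IP ACL evaluation (added example, not IOS code).

Modelled rules: entries are tested top to bottom, the first match decides,
and every ACL ends with an implicit 'deny any'.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

TELNET, SNMP, HTTP = 23, 161, 80


@dataclass(frozen=True)
class Packet:
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol, as in IOS
    src: str                       # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str = "any"               # standard ACLs test only the source, so dst stays "any"
    dport: Optional[int] = None    # 'eq <port>' on the destination
    log: bool = False              # the 'log' keyword


def match_addr(spec: str, addr: str) -> bool:
    """IOS address matching: any / host / network plus wildcard mask."""
    if spec == "any":
        return True
    parts = spec.split()
    a = int(IPv4Address(addr))
    if parts[0] == "host":
        return a == int(IPv4Address(parts[1]))
    net, wildcard = (int(IPv4Address(p)) for p in parts)
    care = ~wildcard & 0xFFFFFFFF  # a wildcard bit of 1 means "don't care"
    return (a & care) == (net & care)


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry). Index None means the
    packet fell off the end and hit the implicit deny."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (match_addr(e.src, pkt.src) and match_addr(e.dst, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, i
    return "deny", None


# The page's ACLs. 10.40.100.5 is the web server from the Telnet example;
# 10.40.100.50 is an assumed address for the SNMP management station.
WEBSERVER10 = [
    Entry("deny", "tcp", "any", "host 10.40.100.5", dport=TELNET),
    Entry("permit", "ip", "any", "any"),
]
SNMP_ACL_20 = [                    # access-list 20 permit <NMS> / deny any log
    Entry("permit", "ip", "host 10.40.100.50"),
    Entry("deny", "ip", "any", log=True),
]
# The same two entries in the wrong order: the deny is shadowed by the permit.
WEBSERVER10_WRONG_ORDER = list(reversed(WEBSERVER10))


def shadowed_entries(acl: List[Entry], probes: List[Packet]) -> List[int]:
    """Indices of entries that none of the probe packets reach. A probe-based
    check, not a full overlap analysis: pick probes for every entry you expect
    to be hit."""
    hit = {evaluate(acl, p)[1] for p in probes}
    return [i for i in range(len(acl)) if i not in hit]


if __name__ == "__main__":
    telnet = Packet("tcp", "192.0.2.10", "10.40.100.5", TELNET)
    http = Packet("tcp", "192.0.2.10", "10.40.100.5", HTTP)
    print(evaluate(WEBSERVER10, telnet))              # ('deny', 0)
    print(evaluate(WEBSERVER10, http))                # ('permit', 1)
    print(evaluate(WEBSERVER10_WRONG_ORDER, telnet))  # ('permit', 0): the deny is never reached
    print(shadowed_entries(WEBSERVER10_WRONG_ORDER, [telnet, http]))  # [1]
    print(evaluate(SNMP_ACL_20, Packet("udp", "198.51.100.9", "10.40.100.1", SNMP)))  # ('deny', 1)
```

The wrong-order ACL is the classic mistake: with permit ip any any first, the Telnet deny can never match, and on a real router show ip access-lists would show zero matches on it.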
IP ACLs to mitigate the DDoS attack
A DoS attack is designed to deny user access to systems or
networks. These attacks usually target specific services and attempt to
overwhelm them by making numerous requests concurrently. If a system is not
protected and cannot react to a DoS attack, it can be
easy to overwhelm that system by running scripts that generate multiple
requests. It is possible to greatly increase the magnitude of a DoS attack by launching the attack from multiple systems
against a single target. This practice is referred to as a DDoS
attack.
Use CAR to rate-limit ICMP packets. The example below caps the ICMP echo replies leaving the interface at 3000000 bps with a normal burst of 512000 bytes and an extended burst of 786000 bytes; replies over the limit are dropped:
interface xy
 rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
access-list 2020 permit icmp any any echo-reply
Configure rate limiting for SYN packets. The address after host is the web server being protected (the original text leaves it out); fill it in before applying the configuration:
access-list 152 permit tcp any host <web server IP> eq www
access-list 153 permit tcp any host <web server IP> eq www established
interface {int}
 rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
 rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop
The order of the two rate-limit statements matters. CAR evaluates them top to bottom and stops at the first ACL that matches, so ACL 153 first passes every established segment (ACK or RST set) at the full link rate, and only the remaining packets to the web server, the initial SYNs, fall through to ACL 152 and its 1 Mbps limit. Swap the two lines and established traffic would be counted against the SYN budget as well.
In the above example, replace:
- 45000000 with the maximum link bandwidth
- 1000000 with a value that is between 50% and 30% of the SYN flood rate
- the normal burst and maximum burst values (100000 100000) with accurate values for your link
Note that if you set the burst rate greater than 30%, many legitimate SYNs may be dropped. To get an idea of where to set the burst rate, use the show interfaces rate-limit command to display the conformed and exceeded rates for the interface. Your objective is to rate-limit the SYNs as little as necessary to get things working again.
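To see why the two rate-limit statements must be in this order, here is an added example (not part of the original article and not Cisco code): a Python token-bucket model of the two CAR policies above, run over one second of constructed traffic (a SYN flood above the 1 Mbps limit plus legitimate established segments), once in the page's order and once with the two statements swapped. It assumes 10.40.100.5 (the web server from the Telnet example) as the address missing after host, and it simplifies CAR to a single bucket per statement with normal burst equal to extended burst, which is what the page's 100000 100000 configures.

```python
"""Token-bucket model of the two CAR rate-limit statements (added example,
not Cisco code).

Simplifications: one bucket per statement, normal burst == extended burst
(the page's 100000 100000) so exceeding packets are simply dropped, and the
first matching statement decides and evaluation stops, as with
conform-action transmit / exceed-action drop. Timestamps are microseconds.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    t_us: int
    proto: str
    dst: str
    dport: int
    size: int           # bytes on the wire
    established: bool   # ACK or RST set, which is what 'established' matches


class TokenBucket:
    """rate-limit ... <bps> <normal-burst> <max-burst> with normal == max."""

    def __init__(self, bps: int, burst_bytes: int) -> None:
        self.rate = bps / 8 / 1_000_000   # bytes per microsecond
        self.depth = burst_bytes
        self.tokens = float(burst_bytes)  # the bucket starts full
        self.last_us = 0

    def conform(self, pkt: Packet) -> bool:
        self.tokens = min(self.depth, self.tokens + (pkt.t_us - self.last_us) * self.rate)
        self.last_us = pkt.t_us
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return True           # conform-action transmit
        return False              # exceed-action drop


WEB = "10.40.100.5"               # assumed web server address


def acl_152(p: Packet) -> bool:   # permit tcp any host WEB eq www
    return p.proto == "tcp" and p.dst == WEB and p.dport == 80


def acl_153(p: Packet) -> bool:   # permit tcp any host WEB eq www established
    return acl_152(p) and p.established


Policy = Tuple[str, Callable[[Packet], bool], TokenBucket]


def build_policies(established_first: bool = True) -> List[Policy]:
    """Fresh buckets for each run: the page's order, or the two lines swapped."""
    p153 = ("153", acl_153, TokenBucket(45_000_000, 100_000))
    p152 = ("152", acl_152, TokenBucket(1_000_000, 100_000))
    return [p153, p152] if established_first else [p152, p153]


def constructed_traffic() -> List[Packet]:
    """One second of constructed traffic: a 60-byte SYN every 250 us (4000 SYNs,
    about 1.9 Mbps, a flood above the 1 Mbps limit) plus a 1500-byte established
    segment every 5 ms (200 packets, 2.4 Mbps)."""
    syns = [Packet(i * 250, "tcp", WEB, 80, 60, False) for i in range(4000)]
    est = [Packet(j * 5000, "tcp", WEB, 80, 1500, True) for j in range(200)]
    return syns + est


def simulate(policies: List[Policy], packets: List[Packet]) -> Dict[str, Dict[str, int]]:
    """Run the packets through the interface's rate-limit list in time order.
    Returns {"syn": {"sent": n, "dropped": n}, "established": {...}}."""
    stats = {k: {"sent": 0, "dropped": 0} for k in ("syn", "established")}
    for p in sorted(packets, key=lambda q: q.t_us):
        kind = "established" if p.established else "syn"
        for _name, acl, bucket in policies:
            if acl(p):
                stats[kind]["sent" if bucket.conform(p) else "dropped"] += 1
                break
        else:
            stats[kind]["sent"] += 1  # matched no rate-limit statement: sent as-is
    return stats


if __name__ == "__main__":
    print("page order   :", simulate(build_policies(True), constructed_traffic()))
    print("swapped order:", simulate(build_policies(False), constructed_traffic()))
```

In the page's order the 1 Mbps bucket sees only SYNs: the flood is trimmed to the 100000-byte burst plus 125000 bytes per second and every established segment goes through untouched. With the statements swapped, ACL 152 matches the established segments first, they share the SYN budget, and once the bucket drains the 1500-byte segments of existing connections start being dropped.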
Verify IP ACL
dcr1.STO_LUN#sh ip access-lists ?
  <1-199>      Access list number
  <1300-2699>  Access list number (expanded range)
  WORD         Access list name
  dynamic      List dynamic IP access lists
  |            Output modifiers
  <cr>
show ip access-lists with no argument lists every IP ACL on the router with the match counter of each entry; give it a number or a name to see a single ACL.
We hope you found this Cisco CCNA Security 640-553 certification article helpful. We pride ourselves on providing not only tons of free Cisco CCNA exam information, but also the real-world Cisco CCNA skills to advance your networking career as you work through the many CCNA lab scenarios in our lab workbooks.