350-401 ENCOR – Cisco CCIE Enterprise – Security part 2
January 27, 2023

5. ISE Switch Configuration

In this section I will show you how to configure this switch for AAA and what configuration is required on the interfaces. Here I have interface Gig 0/1, which is connected to two domains: one is the voice domain and one is the data domain, with voice VLAN 10 and data VLAN 30. The other interface, Gig 0/2, is connected to an access point. So we'll do the switch configuration in this section, and in the next recording I'm going to do the configuration for R1 (the SSH method) and then for the ASA firewall. Let me log in to switch number two and walk you through all the steps. First of all I enable AAA with aaa new-model. Then I create a login method with no authentication, aaa authentication login NO_AUTH none, and apply it to line console 0 with login authentication NO_AUTH, so the console keeps working while we change authentication.

Then I give a name to the RADIUS server, for example CCI (radius server CCI). What is the address of our RADIUS server? That is 1981 910 27, the ISE address. Here you can see the ports: auth-port is 1645, acct-port is 1646, and the key is cisco; everywhere we are using cisco as the RADIUS key. Once the RADIUS server is defined with its IP address and key, I create a AAA server group, aaa group server radius ISE, and inside it server name CCI. With this basic configuration in place I can do the AAA configuration itself, that is authentication, authorization and accounting.

So aaa authentication dot1x default group ISE, then aaa authorization network default group ISE, then aaa accounting dot1x default start-stop group ISE; if you are unsure of the keywords, type a question mark and IOS shows the options. We can look at the running configuration to check how much AAA configuration we have done so far. Next come the RADIUS attribute settings: radius-server attribute 6 on-for-login-auth, radius-server attribute 8 include-in-access-req, and radius-server attribute 25 access-request include. So let me go back.

Let me press the up arrow to see which attributes I have used: attribute 25 is access-request include. Now the vendor-specific attributes: I give radius-server vsa send authentication. Authentication and authorization happen in the same RADIUS exchange, so there is no separate authorization keyword; the vsa send command only has authentication and accounting. So we are pretty much done with the global AAA configuration. On the switch I also give ip device tracking; if you have several VLANs you can enable ip routing as well. Finally I give dot1x system-auth-control, and the device-level configuration is done. Now I can go to Gig 0/1 and give the interface-level commands.

First of all, switchport mode access. Second, switchport voice vlan 30. Then the authentication commands: authentication host-mode multi-auth because we have two domains, authentication order mab dot1x, authentication priority dot1x mab, and authentication port-control auto. Because we are also using MAC address authentication on this port, I give mab and then dot1x pae authenticator, and we are pretty much done. Finally spanning-tree portfast, and then shut / no shut to bounce the port. Now we can check the interface configuration with show run interface Gig 0/1, and there you have all the commands. Next is interface Gig 0/2. Here also switchport mode access, then the authentication commands. This time the host mode is multi-host, because there are not two domains here; I am only doing MAC-based authentication (MAB) for the access point. So authentication order mab, authentication port-control auto, then mab and dot1x pae authenticator, and we are done. Finally spanning-tree portfast, then shut / no shut. We can check the configuration with show run interface Gig 0/2 as well. That is the configuration for the port where my access point is connected, and that is how I configure the switch.

6. ISE Switch Configuration_backup

Once we have created the authentication and authorization profiles and the authorization policies, I'm going to configure this switch. Gig 0/1 carries both the voice VLAN and the data VLAN. The other interface, Gig 0/2, is connected to the access point, and that is VLAN 20. So I'm going to do the configuration required for AAA authentication against ISE. Let me log in and do the configuration. First the AAA part: aaa new-model starts AAA. Then aaa authentication login NO_AUTH none, because I don't want to lock myself out of the console port while doing this configuration. Then I go to line console 0 and give login authentication NO_AUTH.

Now I define the RADIUS server name, for example CCI. What is its address? My ISE address is 1981 910 27. What ports do we have? For authentication I have port 1645 and for accounting port 1646, and everywhere the key is cisco. Done. Now I create aaa group server radius ISE, and inside it server name CCI, the server we just defined. Now we can give the AAA commands: aaa authentication dot1x default group ISE, then aaa authorization network default group ISE, then aaa accounting dot1x default start-stop group ISE. You don't need to memorize every command if you know what you are trying to do:

simply type a question mark and you get the options. Now the RADIUS server attributes; I'm going to add attributes 6, 8 and 25. Attribute 6 is on-for-login-auth (radius-server attribute 6 on-for-login-auth). Attribute 8 is include-in-access-req. Finally the third attribute, 25, is access-request include. You can look up all these attributes; there are many different attribute types in ISE. Here we are using three important ones because we have every sort of communication: AnyConnect, SSH, MAB, 802.1X, AP and IP phone authentication. That is why we are using these attributes selectively. I need ip device tracking as well. Finally we need the vendor-specific attribute commands: radius-server vsa send authentication, because RADIUS does authentication and authorization in the same packet exchange.

That is why there is no vendor-specific attribute command for authorization. Then we have radius-server vsa send accounting, and finally dot1x system-auth-control. These are the commands we need here for full authentication and authorization. After that I move to the interfaces and provide the configuration. Interface Gig 0/1 is connected to the IP phone. I make it switchport mode access and then switchport voice vlan; our voice VLAN is 30, so switchport voice vlan 30. Then authentication. We are getting an error here, inconsistent local VLAN, because VLAN 30 does not exist yet. Let me create it, then give switchport voice vlan 30 and switchport mode access again.

I'm still not able to configure authentication here. Let me check the interface status. For the moment, switchport access vlan 10. We need to create VLAN 10 as well; some of the VLANs are not created, and that is why we are getting these problems. So switchport access vlan 10, and if I do show run interface it appears as the last line. I'm just showing you how you execute all these commands. Here the host mode is multi-auth, which we already discussed in the initial recordings. Then authentication order mab dot1x, then authentication priority dot1x mab; all of this we discussed earlier. authentication port-control auto, then mab, because this port is doing both MAB and 802.1X authentication.

That is why I'm giving all these commands, and then spanning-tree portfast. Likewise, you can go to the other interface, Gig 0/2, and give the configuration there because it is connected to the access point. Before authentication we make it switchport mode access. Then the authentication commands: authentication host-mode multi-host, then authentication order mab, authentication port-control auto. This port also does MAC-based authentication, so mab and dot1x pae authenticator, and finally spanning-tree portfast and shut / no shut. So just for reference, I have shown you the commands you need to enable authentication: on the device we have the AAA commands and on the interfaces we have these commands.
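As an added example, not the course's own captured CLI, here are the switch-side commands narrated in sections 5 and 6 assembled into one configuration. The ISE address 192.0.2.10 is a placeholder (the transcript's address is not legible), the VLAN names are invented, and the interface names and VLAN IDs follow the transcript:

```cisco
! Added example (not the course's own capture): switch AAA / RADIUS / 802.1X+MAB
! Assumptions: ISE address 192.0.2.10 is a placeholder; VLAN names are invented.
!
! --- Global AAA ---
aaa new-model
! Console keeps working even if the RADIUS server is unreachable
aaa authentication login NO_AUTH none
line console 0
 login authentication NO_AUTH
!
! --- RADIUS server definition and server group ---
radius server CCI
 address ipv4 192.0.2.10 auth-port 1645 acct-port 1646
 key cisco
!
aaa group server radius ISE
 server name CCI
!
! --- Method lists for 802.1X / MAB sessions ---
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
! --- RADIUS attributes ISE expects in the Access-Request ---
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
! VSA keywords exist only for authentication and accounting; the
! authorization result rides in the same Access-Accept as authentication
radius-server vsa send authentication
radius-server vsa send accounting
!
ip device tracking
dot1x system-auth-control
!
! --- VLANs must exist before the access/voice VLAN commands are accepted
! (the transcript hits "inconsistent local vlan" when they are missing)
vlan 10
 name DATA
vlan 20
 name AP
vlan 30
 name VOICE
!
! --- Gig0/1: IP phone (voice VLAN) with a PC behind it (data VLAN) ---
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 30
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
 shutdown
 no shutdown
!
! --- Gig0/2: access point, MAB only, single data VLAN ---
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
 authentication host-mode multi-host
 authentication order mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
 shutdown
 no shutdown
!
! --- Verification: who is authenticated on the port, and how ---
show authentication sessions interface GigabitEthernet0/1
show run interface GigabitEthernet0/2
```

The transcript uses host-mode multi-auth on the phone-plus-PC port; IOS also offers multi-domain, which restricts the port to exactly one voice and one data session and is the tighter choice when only a phone and its PC are expected. Check show authentication sessions after bouncing the port: a session stuck in "Running" usually means the switch cannot reach ISE or the shared key does not match.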

7. Router & ASA Configuration

Next we have to do the configuration for router R1 and the ASA. On R1, enable aaa new-model, then the login authentication, the same as on the switch: aaa authentication login NO_AUTH none. Then line console 0 with login authentication NO_AUTH. Then I create the RADIUS server: radius server CCI, address ipv4 1981 910 27 with auth-port 1645 and acct-port 1646, key cisco, exit. Then I create aaa group server radius ISE with server name CCI, the server we just created. Then the AAA commands for authentication and authorization. So let's do that.

The login method list is SSH and the group is ISE: aaa authentication login SSH group ISE. Likewise, aaa authorization exec SSH group ISE. Then I go to line vty 0 98 and give login authentication SSH and authorization exec SSH. If you have a requirement for a session timeout you can set session-timeout, and if you need an exec timeout you can set exec-timeout as well. That's it. Now the firewall side, which is very simple: aaa-server ISE protocol radius, then aaa-server ISE (management) host 1981 910 27, and key cisco. That's it. This is the configuration for SSH login on the router, and this is the configuration for the ASA communicating with the ISE server.
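As an added example, not the course's own capture, the R1 and ASA commands from this section written out as one configuration. The ISE address 192.0.2.10 is a placeholder, the vty range 0 4 and the ASA interface name "management" are assumptions, and the transport input ssh line is an addition not spoken in the transcript:

```cisco
! Added example (not the course's own capture): R1 SSH login via ISE, ASA AAA server
! Assumptions: ISE address 192.0.2.10 is a placeholder; vty range and ASA
! interface name are assumed.
!
! ===== R1 (IOS) =====
aaa new-model
aaa authentication login NO_AUTH none
line console 0
 login authentication NO_AUTH
!
radius server CCI
 address ipv4 192.0.2.10 auth-port 1645 acct-port 1646
 key cisco
!
aaa group server radius ISE
 server name CCI
!
! Named method lists used only by the vty lines, so a RADIUS outage
! never affects console access
aaa authentication login SSH group ISE
aaa authorization exec SSH group ISE
!
line vty 0 4
 login authentication SSH
 authorization exec SSH
 ! idle timeouts: 10 minutes exec, 30 minutes session
 exec-timeout 10 0
 session-timeout 30
 ! not in the transcript: refuse telnet so credentials never cross in clear text
 transport input ssh
!
! ===== ASA =====
aaa-server ISE protocol radius
aaa-server ISE (management) host 192.0.2.10
 key cisco
!
! ===== Verification: test the RADIUS binding before relying on it =====
! R1:  test aaa group ISE <user> <password> new-code
! ASA: test aaa-server authentication ISE host 192.0.2.10 username <user> password <password>
```

Run the test commands from a console session while a second session stays open; if ISE rejects the test user, fix the policy or shared key before closing the working session, since the vty lines now depend entirely on the ISE group.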

8. Access Control List

In 5.2.a we have to understand access control lists, or ACLs. We have two forms of ACL: standard and extended. As the name suggests, a standard ACL has limited capability: we can create rules, or table entries, that match only on source IP. With an extended ACL you have options to match source address, destination address, protocol, TCP/UDP port numbers and so on. Let's understand one at a time how an ACL works. Here you can see the normal flow of traffic through an ACL. You can think of an ACL as just a table, and when a packet hits that table it is processed top to bottom: first entry, second entry, and so on down to the bottom.

When an entry matches, the ACL checks the action: is it permit or deny? If it is deny, the packet is blocked on whichever interface the ACL is applied, ingress or egress, depending on how we applied the policy. A deny statement means the ACL wants to block the packet; a permit statement means the ACL allows it. So here you see an incoming packet: you have the table; do you have a match? Yes. Is it permitted? Yes, the packet gets processed. Now, with no access list configured, the packet also gets processed. If you have an ACL configured and applied to an interface, the packet is matched and processed according to that table. For example here the ACL is configured; is the packet permitted? No, so that is the deny case.

So this is the deny case, this is the permit case, and this is without an ACL. That means we have three conditions: with an ACL, permit or deny; without an ACL, the packet simply gets processed. Now, for both standard and extended ACLs we also have the option to create named ACLs. Instead of numbers, which you can see on the screen, 1 to 99 and 1300 to 1999 is the numeric range for a standard ACL,

and for extended you have the range 100 to 199 and 2000 to 2699. We can use these numbers for a standard or extended ACL, or we can use a named ACL. What is the syntax for the standard ACL? As I told you, it is very easy and straightforward: access-list, then the access list number, for example access-list 8. Then you have the keywords permit, deny and remark. If you want to put in a comment, use the remark keyword; otherwise give permit or deny.

Then you give the source address and the wildcard. This wildcard is interesting, and it is mostly covered in the CCNA world. If your subnet mask is 255.255.255.255 then the wildcard becomes 0.0.0.0; the wildcard is just the inverse of the subnet mask. If the subnet mask is 255.255.255.0, the wildcard becomes 0.0.0.255. The wildcard says which particular network you want to permit or deny, and if you want to cover a range you use the wildcard bits. Again, the syntax and description: access list number, the action, the source address and then the wildcard. That is the standard ACL. Now, the standard ACL alone is not going to serve the purpose, because there are many more things we want to match inside a permit or deny entry.

Creating the table is one thing; where you apply the table is another: outbound or inbound, and on which interface. All these things are very important. Applying the access list is the same whether it is standard or extended. So the application is common to both cases, but the fields are different. If you want more options, use the extended ACL. Let me show you what the extended ACL looks like. You can keep all these examples as your personal notes; I have given all these notes here. Here we are still talking about the standard ACL: you create it and then you apply it. We'll see these things in the lab section. Now let's quickly learn about the extended ACL.

Then I'll come back to one use case that I skipped and show you that as well. For the extended ACL, the numeric range is 100 to 199 and 2000 to 2699. The good thing about it is the long list of things you can match. For example ICMP: I can create an access list entry for ICMP, with the source and its wildcard, the destination and its wildcard, because here you have both a source address and a destination address, then the ICMP type and code (echo, for example), precedence, ToS, and even the log keyword. Likewise we can create access list entries for IGMP.

So both ICMP and IGMP can be matched in an extended ACL. Then we can create ACL entries based on TCP and UDP, and we'll see that we can match different protocols as well. Here you can see the list of services we can match for TCP and UDP. Not only that, we can match fields for EIGRP, GRE, ICMP, IGMP, IP, OSPF, TCP, UDP, etc. So this is the power we have with access control lists; the extended ACL is quite powerful. Here you can see an example with one statement in ACL 100: permit tcp any any eq smtp, that is any source to any destination with destination port SMTP.

So you can match the mail transfer protocol like that; you can match DNS queries with any to any eq domain, any to any for ICMP echo-reply, OSPF, and any service such as BGP, because BGP uses TCP port 179. These are the formats. In the lab section we'll check both the standard ACL and the format for the extended ACL. In between, we have one nice example that will help you understand more about the wildcard bits. Suppose you have segmented networks such as 141.108.1.0, 141.108.10.0, 141.108.12.0, 141.108.13.0 and so on, divided into odd networks and even networks, and suppose you want to block the odd networks. If this list grows, you have to put many lines in the ACL.

That is not good, because every ACL entry gets processed and CPU utilization goes up. An important point here: an ACL consumes not only CPU cycles but memory (TCAM on hardware switching platforms) as well, and every platform has a fixed allocation for ACL entries. So whether it is a router, switch or firewall, we should group ACL entries, in objects where the platform supports them, and where we cannot group them we should use the wildcard carefully so that one permit or deny summarizes a whole set of networks. The use case here is that instead of 20 lines you use a single line that permits all the even networks but blocks all the odd networks. This can be achieved with a single statement: access-list 1 permit 141.108.2.0 0.0.254.255, using the wildcard 0.0.254.255.

How does that work? Think about the odd networks: 1, 3, 5, 7. If you convert these to binary, all the odd numbers end in 1 and all the even numbers end in 0. In wildcard bit terminology, 1 means don't care and 0 means must match. Let me show you the mathematics. If I have eight bits, positions 1 to 8, their values are 1, 2, 4, 8, 16, 32, 64 and 128. When all eight bits are one, you get 255.

When you have 254, the top seven bits are one and the last bit is zero. A zero in the last wildcard bit means that bit must match the address, and the address 141.108.2.0 has a 0 there, so this entry allows the even networks and blocks the odd networks. You can pause the recording and read this busy slide, but this is the overall concept of how we can efficiently use the wildcard bits, and it is true for both standard and extended ACLs; even with an extended ACL we should use the wildcard carefully. So these are the terms and theory for standard and extended ACLs. Let's stop here, and in the lab section we'll create a few ACLs and play around with them.
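As an added example, not the course's slide, the standard and extended syntax, the wildcard rules and the odd/even trick from this section written out together with how the list is applied and verified. The 141.108.x.0 networks are the slide's example; the interface name, the 10.1.1.0/24 and 10.1.2.7 addresses and the ACL name EDGE_IN are constructed placeholders:

```cisco
! Added example (not the course's slide): ACL syntax, wildcards, application.
! Assumptions: interface, 10.1.x.x addresses and the name EDGE_IN are placeholders.
!
! --- Standard ACL (1-99, 1300-1999): matches on source only ---
! Wildcard = bitwise inverse of the subnet mask:
!   255.255.255.255 -> 0.0.0.0   (one host; "host" keyword is shorthand)
!   255.255.255.0   -> 0.0.0.255 (one /24)
access-list 8 remark hosts allowed to manage this device
access-list 8 permit 10.1.1.0 0.0.0.255
access-list 8 permit host 10.1.2.7
! every ACL ends with an implicit "deny any"; nothing else is permitted
!
! --- One-line odd/even match ---
! Third-octet wildcard 254 = 11111110: bit 0 must match, the other seven
! bits are don't-care. 141.108.2.0 has bit 0 = 0 in the third octet, so
! every even third octet (0, 2, ..., 254) matches and every odd one
! (1, 3, ..., 255) falls through to the implicit deny.
access-list 1 permit 141.108.2.0 0.0.254.255
!
! --- Extended ACL (100-199, 2000-2699): protocol, source, destination, ports ---
access-list 100 permit tcp any any eq smtp
access-list 100 permit udp any any eq domain
access-list 100 permit icmp any any echo-reply
access-list 100 permit ospf any any
access-list 100 permit tcp any any eq bgp
! explicit final deny with log so dropped packets show up in syslog
access-list 100 deny ip any any log
!
! --- Same policy as a named extended ACL: sequence numbers let you
! insert or delete one entry without rewriting the list ---
ip access-list extended EDGE_IN
 10 permit tcp any host 10.1.1.25 eq smtp
 20 permit udp any any eq domain
 30 permit icmp any any echo-reply
 40 permit ospf any any
 50 permit tcp any any eq bgp
 60 deny ip any any log
!
! --- Applying is identical for standard and extended ---
interface GigabitEthernet0/0
 ip access-group EDGE_IN in
 ip access-group 8 out
! The standard ACL can also restrict who may open a management session
line vty 0 4
 access-class 8 in
!
! --- Verification: per-entry hit counters and where the lists are bound ---
show access-lists
show ip interface GigabitEthernet0/0 | include access list
```

The hit counters from show access-lists are the quickest way to confirm that the wildcard does what you intended: send traffic from an odd and an even network and only the permit line for the even one should increment, with the odd source counted against the logged deny.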
