
Drag and Drop 2

July 7th, 2017 in ROUTE 300-101

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Note:

Reflexive ACLs allow IP packets to be filtered based on upper-layer session information. They are generally used to allow outbound traffic and to limit inbound traffic in response to sessions that originate inside the router. Reflexive ACLs can be defined only with extended named IP ACLs. They cannot be defined with numbered or standard named IP ACLs, or with other protocol ACLs. Reflexive ACLs can be used in conjunction with other standard and static extended ACLs. Outbound ACL will have the ‘reflect’ keyword. It is the ACL that matches the originating traffic. Inbound ACL will have the ‘evaluate’ keyword. It is the ACL that matches the returning traffic.
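An added configuration example (not from the page or from Cisco's document) showing the reflect/evaluate pairing described above; the interface name, the ACL names and the timeouts are assumed:

```cisco
! Added example: reflexive ACL on the outside-facing interface.
! Interface, ACL names (OUTBOUND-REFLECT, INBOUND-EVAL, TCP-TRAFFIC,
! UDP-TRAFFIC) and timeout values are assumed.
!
! Outbound ACL: matches sessions that originate inside and records each one
! as a temporary entry in the named reflexive list.
ip access-list extended OUTBOUND-REFLECT
 permit tcp any any reflect TCP-TRAFFIC timeout 300
 permit udp any any reflect UDP-TRAFFIC timeout 60
 permit icmp any any
!
! Inbound ACL: 'evaluate' nests the temporary entries here, so only return
! traffic for a recorded session is permitted; everything else falls through
! to the implicit deny at the end of the list.
ip access-list extended INBOUND-EVAL
 evaluate TCP-TRAFFIC
 evaluate UDP-TRAFFIC
!
! Global fallback for entries that have no per-line timeout.
ip reflexive-list timeout 120
!
interface GigabitEthernet0/1
 description Outside
 ip access-group OUTBOUND-REFLECT out
 ip access-group INBOUND-EVAL in
!
! Verification: 'show ip access-lists TCP-TRAFFIC' lists the temporary
! entries while sessions are open and nothing once they have aged out.
```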

Lock and key, also known as dynamic ACLs, was introduced in Cisco IOS Software Release 11.1. This feature is dependent on Telnet, authentication (local or remote), and extended ACLs.
Lock and key configuration starts with the application of an extended ACL to block traffic through the router. Users that want to traverse the router are blocked by the extended ACL until they Telnet to the router and are authenticated. The Telnet connection then drops and a single-entry dynamic ACL is added to the extended ACL that exists. This permits traffic for a particular time period; idle and absolute timeouts are possible.
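An added lock-and-key configuration following the steps above (not from the page or from Cisco's document); the username, addresses, interface, ACL number and timeouts are assumed, and the inside network is restricted to the range allowed to Telnet to the router:

```cisco
! Added example: lock-and-key (dynamic ACL) on the inside interface.
! Username, addresses (192.0.2.0/24, 10.0.0.0/8), interface, ACL number
! and timeouts are assumed.
username lockuser secret PASSWORD-PLACEHOLDER
!
! Extended ACL 101: permit Telnet to the router itself only from the inside
! range so users can authenticate, then a single dynamic entry that stays
! empty until 'access-enable' is run for a user.
! 'timeout 120' on the dynamic entry is the absolute timeout in minutes.
access-list 101 permit tcp 10.0.0.0 0.255.255.255 host 192.0.2.1 eq telnet
access-list 101 dynamic TEMP-ACCESS timeout 120 permit ip any any
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
! On a successful login the autocommand adds a host-specific entry to the
! dynamic ACL, drops the Telnet session, and the entry is removed after
! 5 idle minutes (the idle timeout) or 120 minutes in total.
line vty 0 4
 login local
 autocommand access-enable host timeout 5
!
! Verification while an entry is active: 'show ip access-lists 101'
! shows the temporary host entry beneath the dynamic line.
```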

Reference: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

Comments
  1. svbg
    August 14th, 2017

    Images are pointing to localhost and are not visible.

  2. digitaltut
    August 14th, 2017

    @svbg: Thanks for your detection. We have just fixed it!

  3. Anonymous
    August 14th, 2017

    Thanks
    Updated just drag and drop, or is there another update?

  4. info on new questions
    August 16th, 2017

    found the information.
    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat64-stateful.html

    I had this question on the last test. Which means the question was (as usual) worded incorrectly only to confuse. The answer order is for the Stateful IPv4-to-IPv6 Packet Flow.

    The packet flow of IPv4-initiated packets for Stateful NAT64 is as follows:

    The destination address is routed to a NAT Virtual Interface (NVI).

    A virtual interface is created when Stateful NAT64 is configured. For Stateful NAT64 translation to work, all packets must get routed to the NVI. When you configure an address pool, a route is automatically added to all IPv4 addresses in the pool. This route automatically points to the NVI.

    The IPv4-initiated packet hits static or dynamic binding.

    Dynamic address bindings are created by the Stateful NAT64 translator when you configure dynamic Stateful NAT64. A binding is dynamically created between an IPv6 and an IPv4 address pool. Dynamic binding is triggered by the IPv6-to-IPv4 traffic and the address is dynamically allocated. Based on your configuration, you can have static or dynamic binding.

    The IPv4-initiated packet is protocol-translated and the destination IP address of the packet is set to IPv6 based on static or dynamic binding. The Stateful NAT64 translator translates the source IP address to IPv6 by using the Stateful NAT64 prefix (if a stateful prefix is configured) or the Well Known Prefix (WKP) (if a stateful prefix is not configured).

    A session is created based on the translation information.

    All subsequent IPv4-initiated packets are translated based on the previously created session.
    Stateful IPv6-to-IPv4 Packet Flow

    The stateful IPv6-initiated packet flow is as follows:

    The first IPv6 packet is routed to the NAT Virtual Interface (NVI) based on the automatic routing setup that is configured for the stateful prefix. Stateful NAT64 performs a series of lookups to determine whether the IPv6 packet matches any of the configured mappings based on an access control list (ACL) lookup. Based on the mapping, an IPv4 address (and port) is associated with the IPv6 destination address. The IPv6 packet is translated and the IPv4 packet is formed by using the following methods:

    Extracting the destination IPv4 address by stripping the prefix from the IPv6 address. The source address is replaced by the allocated IPv4 address (and port).

    The rest of the fields are translated from IPv6-to-IPv4 to form a valid IPv4 packet.

    Note

    This protocol translation is the same for stateless NAT64.

    A new NAT64 translation is created in the session database and in the bind database. The pool and port databases are updated depending on the configuration. The return traffic and the subsequent traffic of the IPv6 packet flow will use this session database entry for translation.

  5. info on new questions
    August 16th, 2017

    Question about IPV6 access class vs filtering

    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/12-2sr/ipv6-12-2sr-book/ip6-sec-trfltr-fw.html

    Access Class Filtering in IPv6

    Filtering incoming and outgoing connections to and from the router based on an IPv6 ACL is performed using the ipv6 access-class command in line configuration mode. The ipv6 access-class command is similar to the access-class command, except the IPv6 ACLs are defined by a name. If the IPv6 ACL is applied to inbound traffic, the source address in the ACL is matched against the incoming connection source address and the destination address in the ACL is matched against the local router address on the interface. If the IPv6 ACL is applied to outbound traffic, the source address in the ACL is matched against the local router address on the interface and the destination address in the ACL is matched against the outgoing connection source address. We recommend that identical restrictions are set on all the virtual terminal lines because a user can attempt to connect to any of them.

    Access Control Lists for IPv6 Traffic Filtering

    The standard ACL functionality in IPv6 is similar to standard ACLs in IPv4. Access lists determine what traffic is blocked and what traffic is forwarded at router interfaces and allow filtering based on source and destination addresses, inbound and outbound to a specific interface. Each access list has an implicit deny statement at the end. IPv6 ACLs are defined and their deny and permit conditions are set using the ipv6 access-list command with the deny and permit keywords in global configuration mode.

    IPv6 extended ACLs augment standard IPv6 ACL functionality to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control (functionality similar to extended ACLs in IPv4).

    Each IPv6 ACL contains implicit permit rules to enable IPv6 neighbor discovery. These rules can be overridden by the user by placing a deny ipv6 any any statement within an ACL. The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
    Time-based and reflexive ACLs are not supported for IPv4 or IPv6 on the Cisco 12000 series platform. The reflect, timeout, and time-range keywords of the permit command in IPv6 are excluded on the Cisco 12000 series.

    SUMMARY STEPS for ipv6 Access Filter applied to interface

    1. enable

    2. configure terminal

    3. interface type number

    4. ipv6 traffic-filter access-list-name {in | out}

    SUMMARY STEPS for Access CLASS applied to VTY lines

    1. enable

    2. configure terminal

    3. line [aux | console | tty | vty] line-number [ending-line-number]

    4. ipv6 access-class ipv6-access-list-name {in | out}
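An added example (not from the page or from Cisco's document) that walks both summary-step procedures above: one IPv6 ACL applied to an interface with ipv6 traffic-filter and one applied to the VTY lines with ipv6 access-class. Prefixes, interface and list names are assumed, and 2001:db8::/32 is documentation address space:

```cisco
! Added example: IPv6 traffic-filter on an interface and access-class on VTYs.
! Prefixes, interface and ACL names are assumed.
ipv6 unicast-routing
!
! Interface filter: allow HTTPS/HTTP to the server subnet, log everything else.
! An explicit 'deny ipv6 any any' overrides the implicit neighbor-discovery
! permits, so ND is re-permitted explicitly before the final deny.
ipv6 access-list EDGE-IN
 permit tcp any 2001:db8:10::/64 eq 443
 permit tcp any 2001:db8:10::/64 eq 80
 permit icmp any any nd-ns
 permit icmp any any nd-na
 deny ipv6 any any log
!
interface GigabitEthernet0/1
 ipv6 traffic-filter EDGE-IN in
!
! VTY filter applied inbound: the ACL source is matched against the
! connecting host and the destination against the router's own address.
! The same list goes on every VTY line, as the text recommends.
ipv6 access-list MGMT-V6
 permit ipv6 2001:db8:ffff::/64 any
 deny ipv6 any any log
!
line vty 0 4
 transport input ssh
 ipv6 access-class MGMT-V6 in
!
! Verification: 'show ipv6 access-list' shows hit counts per entry;
! 'show ipv6 interface GigabitEthernet0/1' lists the applied filter.
```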

  6. info on new questions
    August 16th, 2017

    CoPP and MPP
    https://www.cisco.com/c/en/us/about/security-center/copp-best-practices.html

    Control Plane Policing (CoPP) – CoPP is the Cisco IOS-wide route processor protection mechanism. As illustrated in Figure 2, and similar to rACLs, CoPP is deployed once to the punt path of the router. However, unlike rACLs that only apply to receive destination IP packets, CoPP applies to all packets that punt to the route processor for handling. CoPP therefore covers not only receive destination IP packets, but also exception IP packets and non-IP packets. In addition, CoPP is implemented using the Modular QoS CLI (MQC) framework for policy construction. In this way, in addition to simple permit and deny functions, specific packets may be permitted but rate-limited. This behavior substantially improves the ability to define an effective CoPP policy. (Note that “Control Plane Policing” is something of a misnomer because CoPP generally protects the punt path to the route processor and not solely the control plane.)

    CoPP Policy Construction and Deployment Concepts

    Before describing the details of CoPP policy construction and deployment, some of the important details related to MQC and its operation, especially within the context of CoPP, are discussed.

    In MQC, the class-map command is used to define a traffic class. A traffic class contains three major elements: a name, one or a series of match commands, and an instruction on how to evaluate these match commands. Match commands are used to specify various criteria for classifying packets. Packets are checked to see whether they match the criteria specified in the match commands. If a packet matches the specified criteria, that packet is considered a member of the class and is treated according to the QoS specifications set in the service policy. Packets that fail to meet any of the matching criteria are classified as members of the default class.

    The instruction for evaluating match commands is specified as either match-any or match-all. When more than one match statement is included, match-any requires that a packet match at least one of the statements to be included in the class. If match-all is used, a packet must match all of the statements to be included in the class.

    The policy-map command is used to associate a traffic class, defined by the class-map command, with one or more QoS policies. The result of this association is called a service policy. A service policy contains three elements: a name, a traffic class (specified with the class command), and the QoS policies. The purpose of the service policy is to associate a traffic class with one or more QoS policies. Classes included within policy maps are processed top-down. When a packet is found to match a class, no further processing is performed. That is, a packet can only belong to a single class, and it is the first one to which a match occurs. When a packet does not match any of the defined classes, it is automatically placed in the class class-default. The default class is always applied, whether it is explicitly configured or not.

    The service-policy command is used to attach the service policy, as specified with the policy-map command, to an interface. In the case of CoPP, this is the control-plane interface. Because the elements of the service policy can be applied to packets entering, or in some versions of CoPP, leaving the interface, users are required to specify whether the service policy characteristics should be applied to incoming or outgoing packets.

    It is important to note that MQC is a general framework used for enabling all QoS throughout Cisco IOS, and not exclusively for CoPP. Not all features available within the MQC framework are available or applicable to CoPP policies. For example, only certain classification (match) criteria are applicable to CoPP. In some instances, there are MQC platform and/or IOS-dependencies that may apply to CoPP. Consult the appropriate product references and configuration guides for any CoPP-specific dependencies.

    Constructing the CoPP Policy
    Deploying the CoPP Policy
    Verifying the CoPP Policy
    Tuning the CoPP Policy

    https://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htsecmpp.html#wp1049321

    Management Plane

    The management plane is the logical path of all traffic related to the management of a routing platform. One of three planes in a communication architecture that is structured in layers and planes, the management plane performs management functions for a network and coordinates functions among all the planes (management, control, data). The management plane also is used to manage a device through its connection to the network.

    Examples of protocols processed in the management plane are Simple Network Management Protocol (SNMP), Telnet, HTTP, Secure HTTP (HTTPS), and SSH. These management protocols are used for monitoring and for CLI access. Restricting access to devices to internal sources (trusted networks) is critical.

    Benefits of the Management Plane Protection Feature

    Implementing the MPP feature provides the following benefits:

    • Greater access control for managing a device than allowing management protocols on all interfaces

    • Improved performance for data packets on nonmanagement interfaces

    • Support for network scalability

    • Simplifies the task of using per-interface ACLs to restrict management access to the device

    • Fewer ACLs needed to restrict access to the device

    • Management packet floods on switching and routing interfaces are prevented from reaching the CPU
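An added example (not from the page or from Cisco's documents) that puts the MQC pieces described above together into a small CoPP policy, then adds an MPP management-interface restriction. Addresses, interface and class names are assumed and the police rates are illustrative placeholders to be tuned per platform:

```cisco
! Added example: CoPP built with MQC, plus MPP. Addresses, names, the
! interface and the police rates are assumed.
!
! Classification ACLs: management from a trusted range, and routing protocols.
ip access-list extended COPP-MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
ip access-list extended COPP-ROUTING
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
! match-any: a packet joins the class if it hits any one match statement.
class-map match-any COPP-MGMT-CLASS
 match access-group name COPP-MGMT
class-map match-any COPP-ROUTING-CLASS
 match access-group name COPP-ROUTING
!
! Classes are evaluated top-down and the first match wins; class-default
! catches everything else and is rate-limited rather than dropped outright.
! Routing traffic is policed but never dropped so adjacencies survive bursts.
policy-map COPP-POLICY
 class COPP-ROUTING-CLASS
  police 1000000 conform-action transmit exceed-action transmit
 class COPP-MGMT-CLASS
  police 256000 conform-action transmit exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
! Attach to the control-plane interface in the input direction.
control-plane
 service-policy input COPP-POLICY
!
! MPP: SSH and SNMP are accepted only on the designated management
! interface; the same protocols arriving on other interfaces are dropped
! before they reach the CPU.
control-plane host
 management-interface GigabitEthernet0/0 allow ssh snmp
!
! Verification: 'show policy-map control-plane' gives per-class conform and
! exceed counters; 'show management-interface' lists allowed protocols and drops.
```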

  7. Bomber
    August 21st, 2017

    Today passed with 876, about 10 new questions in exam such as PPP authentication, Frame Relay map.
    New drag and drops are inside. Labs are same as here.

  8. joe
    August 22nd, 2017

    @bomber: can you share about DND topics?

  9. Steffy
    August 28th, 2017

    Hello friends, for latest valid dump with continuous update, please contact me at steffyshirls @ gmail .com

  10. EngelL
    August 29th, 2017

    not sure about Q6 here… I would say:
    – DnD
    reflexive – must be named
    standard – 1300-1399
    extended – apply closest to the source or origin
    time-based – access to device at certain times
    dynamic – it needs telnet to authenticate

    here are dynamic ACL:
    https://supportforums.cisco.com/t5/security-management/difference-between-static-dynamic-acl/td-p/2246320

  11. Shaun
    August 30th, 2017

    I was willing to know if the digitaltut team could help me with this membership. My membership is expiring on Sep 3 and I have an exam scheduled for September 6. Is it possible for the team to extend my membership for two more days without renewing the membership? Please do let me know if that's possible.
    Thank You.

  12. digitaltut
    August 31st, 2017

    @Shaun: Please send an email to support@digitaltut.com so that we can help you.

  13. Shaun
    September 26th, 2017

    Here is the best solution all that you need to pass route exam easily:
    VCE And PDF file
    Packet Tracer / GNS3 Labs

    DOWNLOAD:
    https://docs.google.com/document/d/1cp2vtCYSV_21JTZF9D14Ua2gHdijtZjfIDuyVT1NyJg/edit?usp=sharing

  14. learner
    October 13th, 2017

    Table 1 – ACL Number Ranges

    Protocol       Range
    Standard IP    1–99 and 1300–1999
    Extended IP    100–199 and 2000–2699

    **************************************
    Standard near the destination; Extended near the Source.

  15. Chikku
    October 31st, 2017

    Anyone who took the exam recently can confirm which are the SIMs in the exam?????
    I’m gonna take it early next week.
    Please respond asap.

  16. durshen
    November 11th, 2017

    Hello buddies, I have the valid dump with me and I'm willing to share. Please contact me via durshen81 @ gmail .com

  17. sara
    November 13th, 2017

    Can anyone provide the drag and drop questions? I see just the explanations only and need to know the questions first.
    {email not allowed}

  18. sara
    November 13th, 2017

    Can anyone provide the drag and drop questions? I see just the explanations only and need to know the questions first.
    sara80abona at yahoo

  19. david hartuni
    December 1st, 2017

    I don’t know why I can’t see questions

  20. Can’t see the questions.
    December 4th, 2017

    I only see the question numbers not the actual questions. Could someone advise.
