Hello All,
Yesterday, I did the control-plane security INE Vol 1 lab. It's funny (and awesome at the same time) that I'm learning something new every time I do these Vol 1 labs. Again, yesterday was a great learning experience and I want to share some of the stuff that I learned with you.
- There was a task which required me to configure a "port-filter" class-map in order to block traffic going to closed ports and also to ignore a couple of ports from this check.
- Now, I configured the whole task correctly and I was expecting it to work just fine.
- But I noticed that all the packets going to any port on the router were getting dropped. I could see telnet traffic and RIP updates being dropped. This started to bother me.
- After some digging, I figured out the problem. It was in the class-maps.
- I had specified the matching criteria of the class-map as match-any. What this was doing is that it was dropping traffic that was even meant for legitimate ports, as it was not checking all the lines of the port-filter class-map. To solve this issue, I just entered match-all instead of match-any and it started working. This is a good thing to remember for the final lab.
- On a side note, remember, in an earlier blog post I had commented about how ZBPF config was not working because I was using match-all instead of match-any there. Well, this is just the opposite. Just two things to keep in mind when stepping into the lab.
- There was a task which required the router to monitor the TCP connections from its peers and ensure that TCP connections are torn down once reachability between the router and its peers goes down. I didn't know how to do this. Apparently we use service tcp-keepalive for this.
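An added example (not the post's own configuration) that puts the two points above into IOS syntax. The class-map names PF-BROKEN, PF-CLASS and PF-POLICY and the two exempted ports (TCP 22 and UDP 123) are assumptions chosen for illustration; the post does not say which ports its task exempted. The point is the semantics: with match-any, each `match not port` line matches nearly every packet on its own, so telnet (TCP 23) and RIP (UDP 520) are classified and dropped; with match-all, a packet is dropped only when it is to a closed port AND is not one of the exempted ports, and an open port never matches `closed-ports` in the first place. The keepalive behaviour the post refers to is configured with the two `service tcp-keepalives-in` / `service tcp-keepalives-out` commands.

```cisco
! Assumed names: PF-BROKEN, PF-CLASS, PF-POLICY. Assumed exempt ports: TCP 22, UDP 123.
!
! WRONG: match-any. A telnet packet (TCP 23) or a RIP update (UDP 520) satisfies
! "match not port tcp 22" by itself, so everything except port 22 is classified
! and dropped. This is the symptom described in the post.
class-map type port-filter match-any PF-BROKEN
 match closed-ports
 match not port tcp 22
 match not port udp 123
!
! RIGHT: match-all. A packet is dropped only if it is to a closed port
! AND not TCP 22 AND not UDP 123. Ports the router is listening on
! (telnet, RIP, ...) never match closed-ports, so they are left alone.
class-map type port-filter match-all PF-CLASS
 match closed-ports
 match not port tcp 22
 match not port udp 123
!
policy-map type port-filter PF-POLICY
 class PF-CLASS
  drop
!
control-plane host
 service-policy type port-filter input PF-POLICY
!
! Tear down TCP sessions (telnet, SSH, ...) whose peer is no longer reachable.
! -in covers sessions the router accepted, -out covers sessions it initiated.
service tcp-keepalives-in
service tcp-keepalives-out
!
! Verification:
!   show control-plane host open-ports
!     lists the ports the router treats as open (everything else is "closed-ports")
!   show policy-map type port-filter control-plane host
!     per-class match and drop counters; PF-CLASS should not count telnet or RIP
```

When checking this in the lab, generate some telnet and RIP traffic and watch the counters in the second show command: if the drop counter climbs while telnet or RIP is flowing, the class-map is still match-any.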
- Next, I had to battle the monster of SNMP! I had gone through the SNMP configuration guide a day back and it definitely helped. The only thing that I needed to study was RMON configuration.
- Selective Packet Discard -> This is an awesome concept. I was discussing this with Ryan a couple of days back and we studied this topic together (which really helped!). We should do that more often. One pothole which I encountered in configuring this is that these commands are NOT VISIBLE IN THE CONTEXT-SENSITIVE HELP. So we must memorize these commands! I remember having a similar experience with 802.1x.
- Finally, I had some Role-Based CLI Access configuration to complete. In one of the tasks, I had to create a view which allowed the user to access only "interface fa 0/0" and use all the IP-related commands.
- This looked like a simple task, but it wasn't working. This was my configuration:
- #parser view TEST
- #secret CISCO
- #commands exec include configure terminal
- #commands configure include interface fa 0/0
- #commands interface include all ip
- #parser view TEST
- Now, after switching to that view, I could see that from exec mode I could go into global configuration mode. So far, so good! Now, here, I was supposed to see the interface command available. But I couldn't see it. I had configured for the interface command to appear, but it just didn't. I later checked the Doc-CD to find out what I'd configured wrong, and it turns out I had to add this line to the view configuration:
- #commands configure include interface
- Only then do the interface commands appear in the global configuration menu. I don't know why we have to include interface twice. I have to ask someone regarding this. If you know why, please feel free to let me know.
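The working view, assembled as an added example rather than copied from the post: the view name TEST, the secret CISCO, the FastEthernet0/0 restriction and the two `interface` include lines come from the post; the `aaa new-model` and `enable secret` prerequisites, the placeholder ROOT-SECRET, and the verification steps are additions. Parser views can only be created from the root view, which is entered with `enable view` and requires AAA to be enabled, so those two lines come first.

```cisco
! Prerequisites (assumed; not shown in the post). Views can only be created from
! the root view, and "enable view" needs aaa new-model plus an enable secret.
aaa new-model
enable secret ROOT-SECRET
!
! Enter the root view from privileged EXEC (prompts for the enable secret):
!   Router# enable view
!
parser view TEST
 secret CISCO
 commands exec include configure terminal
! Both lines below are needed, as the post found: the bare "interface" entry
! makes the keyword show up in configure mode at all, and the longer entry
! narrows what the view may type after it to FastEthernet0/0.
 commands configure include interface
 commands configure include interface FastEthernet0/0
! Every "ip ..." command under that interface.
 commands interface include all ip
!
! Test from a fresh session:
!   Router# enable view TEST
!   Password: CISCO
!   Router# show parser view
!     should report: Current view is 'TEST'
!   Router# configure terminal
!   Router(config)# interface ?
!     only FastEthernet0/0 should be offered
!   Router(config-if)# ?
!     ip commands present, everything else absent
```

`show parser view all` from the root view lists every configured view with its command set, which is the quickest way to spot a missing `commands configure include interface` line before switching into the view.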
Also, this morning I was configuring some GETVPN inside DMVPN (for practice) and I had a small discussion + lab with Ryan regarding this. Lots of interesting things came out of this and I'm super excited to share them with you. That definitely deserves another blog post. Watch out for that!
Cheers,
TacACK
