Cisco: Implementing Secure Converged Wide Area Networks
Single answer, multiple-choice
You have experienced a connectivity issue between your TACACS+ server and a Cisco router and are concerned that you will be locked out of the router if the TACACS+ server is unavailable. You have created usernames and passwords on the router for the IT staff. Which command will allow access to the router if the TACACS+ server is unavailable?
A. aaa authentication login default group tacacs+ local
B. aaa authentication login default group local tacacs+
C. aaa authentication login default group tacacs+ none
D. aaa authentication login default group tacacs+
The aaa authentication login default group tacacs+ local command (option A) will allow access to the router if the TACACS+ server is unavailable.
The router authenticates a user with the methods configured by the aaa authentication command, in the order in which they are listed. The aaa authentication login default group tacacs+ local command specifies that the TACACS+ server should be tried first. If the server is unavailable, the request times out, the method returns an error, and the next method, local, is used. A later method is consulted only when the previous one returns an error (server unreachable or not responding); if the TACACS+ server is reachable and rejects the credentials, the login simply fails and the local database is never consulted. The fallback therefore protects against a server outage, not against a forgotten TACACS+ password.
The aaa authentication login default group local tacacs+ command specifies the use of the local database first. The local database is always available, so for the IT staff accounts defined on the router the TACACS+ server will not be used at all, which defeats the purpose of centralized authentication and accounting.
The aaa authentication login default group tacacs+ none command specifies the use of the TACACS+ server first. If the TACACS+ server is unavailable, the next method, none, is used. When none is specified as an authentication method, no authentication is performed and anyone who can reach the router will be granted access. This configuration fails open and should not be applied to any line reachable from the network.
The aaa authentication login default group tacacs+ command specifies the use of the TACACS+ server only. If the TACACS+ server is unavailable, authentication fails and you are locked out of every line that uses the default method list (only a line bound to a differently configured named list, typically the console, would still be usable).
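As an added example that is not part of the original question bank, the following is the complete AAA configuration a practitioner would deploy around the correct answer, including the usual guard against console lockout. The server name, address, shared key, username and password are placeholders chosen for illustration.

```text
! Added example (not from the original page): full AAA skeleton around the
! answer to question 1. Server name, address, key, username and password are
! placeholders.
aaa new-model
!
! Local fallback account for the IT staff. "secret" stores a hash rather
! than a reversible type 7 password.
username netops privilege 15 secret Str0ngLocalPassw0rd!
!
! TACACS+ server definition (IOS 15.x syntax; see the usage note for older
! images).
tacacs server ISE-PSN-1
 address ipv4 10.1.1.10
 key MySharedSecret
!
! Default login list: TACACS+ first, local only when TACACS+ returns an
! error (unreachable/timeout). A rejected password does NOT fall through.
aaa authentication login default group tacacs+ local
!
! Exec authorization with the same fallback, so that a locally authenticated
! user still gets an exec shell while the server is down.
aaa authorization exec default group tacacs+ local if-authenticated
!
! The console gets a named, local-only list so that physical access keeps
! working whatever the state of the network or the AAA server.
aaa authentication login CONSOLE local
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
!
! Verify the server path and the fallback before relying on it:
!   test aaa group tacacs+ netops Str0ngLocalPassw0rd! legacy
!   debug aaa authentication
!   show tacacs
```

On images that predate the `tacacs server` block syntax, the equivalent is `tacacs-server host 10.1.1.10` together with `tacacs-server key MySharedSecret`. Keep the console on the local-only list even after the TACACS+ issue is resolved; the default list is for network-facing lines, and a separate console list is what saves you the next time the server or the path to it is down.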
Single answer, multiple-choice
You have configured a Cisco IOS Intrusion Prevention System (IPS) using the Cisco Router and Security Device Manager (SDM). You are required to configure the Cisco IPS to create a dynamic access list entry to block all traffic matching the IP Localhost Source Spoof signature. Which action should you assign to the signature?
You should set the denyAttackerInline action.
Cisco IOS IPS provides several actions that can be taken when a traffic pattern matches a signature. Depending on the nature of the signature, you can set the action to:
* alarm - Generate an alarm message.
* denyAttackerInline - Create an ACL entry that denies all traffic from the IP address that the Cisco IOS IPS system considers to be the source of the attack. Same as deny-attacker-inline.
* deny-connection-inline - Drop the packet and all future packets on this TCP flow.
* deny-packet-inline - Do not transmit this packet (inline only). Same as drop.
* denyFlowInline - Create an ACL entry that denies all traffic belonging to the 5-tuple (source IP, source port, destination IP, destination port and Layer 4 protocol) from the IP address that is considered the source of the attack.
* drop - Drop the offending packet. Same as deny-packet-inline.
* reset - Reset the connection and drop the offending packet.
* reset-tcp-connection - Send TCP RSTs to terminate the TCP flow.
denyAttackerInline is the correct choice because the requirement is a dynamic access list entry that blocks all traffic from the offending source, not just the matching packet (drop) or the matching flow (denyFlowInline). Since this action blocks everything from the attributed source address, it can be abused on signatures that fire on spoofed packets to deny service to a legitimate host; that concern does not arise here, because the IP Localhost Source Spoof signature matches packets whose source address is in the loopback range, which no legitimate host on the network uses.
Configuring Cisco IOS IPS Using Cisco SDM and CLI
Cisco IOS IPS Signature Deployment Guide