CCNA Security Chapter 2
Securing Network Devices
2.1.1.1 Describe an edge router:
2.1.1.2 Describe three different
approaches to securing the
internal (protected) network:
2.1.1.3 Describe three critical areas of
router security:
Page 1 of 21
The edge router is the last router between
the internal network and an untrusted
network such as the Internet. All of an
organization's Internet traffic goes through
this edge router; therefore, it often
functions as the first and last line of
defense for a network.
In the Single Router Approach, a single
router connects the protected network, or
internal LAN, to the Internet. All security
policies are configured on this device.
Defense-in-Depth Approach
In the Defense-In-Depth approach the
edge router acts as the first line of
defense and is known as a screening
router. It passes all connections that are
intended for the internal LAN to the
firewall which picks up where the edge
router leaves off and performs additional
filtering.
The DMZ Approach is a variation of the
defense-in-depth approach that offers an
intermediate area which can be used for
servers that must be accessible from the
Internet or some other external network.
Physical security: Place the router and
physical devices that connect to it in a
secure locked room that is accessible only
to authorized personnel, is free of
electrostatic or magnetic interference, and
has controls for temperature and humidity.
Install an uninterruptible power supply
(UPS) and keep spare components
available. This reduces the possibility of a
DoS attack from power loss to the
building.
CCNA Security Chapter 2
Securing Network Devices
2.1.1.4 Describe the important tasks
involved in securing
administrative access:
Page 2 of 21
Operating System Security: Configure
the router with the maximum amount of
memory possible. The availability of
memory can help protect the network from
some DoS attacks, while supporting the
widest range of security services. Use the
latest stable version that meets the
feature requirements of the network.
Security features in an operating system
evolve over time. Keep in mind that the
latest version of an operating system
might not be the most stable version
available. Keep a secure copy of the
router operating system image and router
configuration file as a backup.
Router Hardening: Secure administrative
control. Ensure that only authorized
personnel have access and that their level
of access is controlled. Disable unused
ports and interfaces. Reduce the number
of ways a device can be accessed.
Disable unnecessary services. Similar to
many computers, a router has services
that are enabled by default. Some of
these services are unnecessary and can
be used by an attacker to gather
information or for exploitation.
Restrict device accessibility - Limit the
accessible ports, restrict the permitted
communicators, and restrict the permitted
methods of access.
Log and account for all access - For
auditing purposes, record anyone who
accesses a device, including what occurs
and when.
Authenticate access - Ensure that
access is granted only to authenticated
users, groups, and services. Limit the
CCNA Security Chapter 2
Securing Network Devices
2.1.1.5 When accessing the network
remotely, what precautions
should be taken?
2.1.2.1 Visit:
http://sectools.org/crackers.html
to see a list of password attack
tools.
Page 3 of 21
number of failed login attempts and the
time between logins.
Authorize actions - Restrict the actions
and views permitted by any particular
user, group, or service.
Present Legal Notification - Display a
legal notice, developed in conjunction with
company legal counsel, for interactive
sessions.
Ensure the confidentiality of data -
Protect locally stored sensitive data from
viewing and copying. Consider the
vulnerability of data in transit over a
communication channel to sniffing,
session hijacking, and man-in-the-middle
(MITM) attacks.
Encrypt all traffic between the
administrator computer and the router. For
example, instead of using Telnet, use
SSH. Or instead of using HTTP, use
HTTPS.
Establish a dedicated management
network. The management network
should include only identified
administration hosts and connections to a
dedicated interface on the router.
Configure a packet filter to allow only
the identified administration hosts and
preferred protocols to access the router.
For example, permit only SSH requests
from the IP address of the administration
host to initiate a connection to the routers
in the network.?
CCNA Security Chapter 2
Securing Network Devices
2.1.2.1 Describe some common
guidelines for choosing strong
passwords:
2.1.2.2 Describe the enable secret
password global configuration
command:
2.1.2.2 How can you protect Console
Port access?
Page 4 of 21
1. Use a password length of 10 or more
characters. The longer, the better.
2. Make passwords complex. Include a
mix of uppercase and lowercase letters,
numbers, symbols, and spaces.
3. Avoid passwords based on repetition,
dictionary words, letter or number
sequences, usernames, relative or pet
names, biographical information, such as
birthdates, ID numbers, ancestor names,
or other easily identifiable pieces of
information..
4. Deliberately misspell a password. For
example, Smith = Smyth = 5mYth or
Security = 5ecur1ty.
5. Change passwords often. If a password
is unknowingly compromised, the window
of opportunity for the attacker to use the
password is limited.
6. Do not write passwords down and leave
them in obvious places such as on the
desk or monitor.
The enable secret password global
configuration command: restricts access
to privileged EXEC mode. The enable
secret password is always hashed inside
the router configuration using a Message
Digest 5 (MD5) hashing algorithm. If the
enable secret password is lost or
forgotten, it must be replaced using the
Cisco router password recovery
procedure.
By default, the console port does not
require a password for console
administrative access; however, it should
always be configured as a console port
line-level password. Use the line console
CCNA Security Chapter 2
Securing Network Devices
2.1.2.2 How can you protect Virtual
Terminal Line (vty) access?
2.1.2.2 How can you protect Auxiliary
Port (aux) access?
2.1.2.3 What can be done to increase
the security of passwords?
2.1.2.4 What command creates a
secure list of usernames and
passwords in a database on
the router for local login
authentication?
2.1.3.1 What should be done to better
configure security for virtual
login connections?
2.1.3.2 What commands are available
Page 5 of 21
0 command followed by the login and
password subcommands to require login
and establish a login password on the
console line.
Use the line vty 0 4 command followed by
the login and password subcommands
to require login and establish a login
password on incoming Telnet sessions.
To access the auxiliary line use the line
aux 0 command. Use the login and
password subcommands to require login
and establish a login password on
incoming auxiliary port connections.
Enforce minimum password lengths.
(security passwords min-length
length)
Disable unattended connections.
(exec-timeout minutes [seconds])
Encrypt all passwords in the configuration
file
(service password-encryption)
username name secret password
Delays between successive login
attempts
Login shutdown if DoS attacks are
suspected
Generation of system logging messages
for login detection
Router# configure terminal
CCNA Security Chapter 2
Securing Network Devices

to configure a Cisco IOS device Router(config)# login block-for seconds

to support enhanced login
features?
attempts tries within seconds
Router(config)# login quiet-mode
access-class {acl-name | acl-number}
Router(config)# login delay seconds
Router(config)# login on-failure log
[every login]
Router(config)# login on-success log
[every login]

2.1.3.3 Describe the two login block- Normal mode (watch mode) - The router
for feature modes of operation: keeps count of the number of failed login
attempts within an identified amount of
time.
Quiet mode (quiet period) - If the
number of failed logins exceeds the
configured threshold, all login attempts
using Telnet, SSH, and HTTP are
denied.* business continuity management;

2.1.3.4 What commands can be used login on-failure log generates logs for
to keep track of the number of failed login requests.
successful and failed login login on-success log generates log
attempts.? messages for successful login requests.

2.1.3.4 What command generates a security authentication failure rate

log message when the login threshold-rate log
failure rate is exceeded?

2.1.3.4 How can you verify that the Use the show login command.
login block-for command is
configured and which mode the
router is currently in?

2.1.3.4 What command displays more The show login failures command
information regarding failed
Page 6 of 21
CCNA Security Chapter 2
Securing Network Devices
login attempts?
2.1.3.5 Why are banners important and Banner messages should be used to
how can they be configured?
2.1.4.1 How can a secure remote
access connection be
established to manage Cisco
IOS devices?
2.1.4.1 Describe the four steps to
configure routers for the SSH
protocol:
2.1.4.2 Describe the four steps to
configure SSH on a Cisco
router and the commands to
accomplish each step:
present legal notification to would-be
intruders to inform them that they are not
welcome on a network.
Banners are activated with the banner
command:
banner {exec | incoming | login | motd |
slip-ppp} # message #
SSH has replaced Telnet as the
recommended practice for providing
remote router administration with
connections that support confidentiality
and session integrity. A SSH connection
is encrypted and operates on port 22.
1. Target routers must have an IOS that
supports SSA
2. Target routers have unique host name
3. Target routers have correct domain
name
4. Target routers are configured for
authentication
1. Configure the IP domain name
R1(config)#ip domain-name span.com
2. Generate one-way secret keys
R1(config)#crypto key generate rsa
general-keys modulus modulus-size
3. Verify or create a local database entry
R1(config)#username Mark secret
cisco
4. Enable VTY inbound SSH sessions
R1(config)#line vty 0 4
R1(config-line)# login local
R1(config-line)#transport input ssh
Page 7 of 21
CCNA Security Chapter 2
Securing Network Devices

2.1.4.3 Describe how to configure and R1(config)# ip ssh version {1 | 2}

confirm: R1(config)# ip ssh time-out seconds
SSH version R1(config)#ip ssh authentication-
SSH timeout period retries integer
Number of authentication R1#show ip ssh
retries

2.1.4.4 Describe the two ways to Connect using an SSH-enabled Cisco

connect to an SSH-enabled router using the privileged EXEC mode
router: ssh command.

How can connection status be Connect using a publicly and

verified? commercially available SSH client running
on a host. Examples of these clients are
PuTTY, OpenSSH, and TeraTerm.

R1#show ssh

2.1.4.5 How can Cisco SDM be used to To see the current SSH key settings,
configure an SSH daemon on a choose Configure > Additional Tasks >
router? Router Access > SSH.

2.1.4.5 Using Cisco SDM how are the Configure > Additional Tasks > Router
vty lines configured to support Access > VTY
SSH? click Edit button to configure

2.2.1.1 What two levels of access to
commands does Cisco IOS
software CLI have?
User EXEC mode (privilege level 1) -
Provides the lowest EXEC mode user
privileges and allows only user-level
commands available at the router>
prompt.
Privileged EXEC mode (privilege level
15) - Includes all enable-level commands
at the router# prompt.

2.2.1.2 Describe the privilege levels Level 0: Predefined for user-level access
available in the Cisco IOS CLI. privileges. Seldom used, but includes five
Page 8 of 21
CCNA Security Chapter 2
Securing Network Devices
2.2.1.2 What is the command to set
privilege levels?
2.2.1.3 What are the two methods for
assigning passwords to
different levels for
authentication?
2.2.2.1 How can the limitations of
assigning privilege levels be
overcome?
2.2.2.2 Role-based CLI provides which
three types of views?
Page 9 of 21
commands: disable, enable, exit, help,
and logout
Level 1: The default level for login with the
router prompt router>. A user cannot
make any changes or view the running
configuration file.
Levels 2 –14: May be customized for
user-level privileges. Commands from
lower levels may be moved up to another
higher level, or commands from higher
levels may be moved down to a lower
level.
Level 15: Reserved for the enable mode
privileges (enable command). Users can
change configurations and view
configuration files.
Router(config)# privilege mode {level level
command | reset} command
To the privilege level using the global
configuration command enable secret
level level password.
To a user that is granted a specific
privilege level, using the global
configuration command username name
privilege level secret password.
By utilizing Role-Based CLI Access
Root view: has the same access
privileges as a user who has level 15
privileges. However, only a root view user
can configure a new view and add or
remove commands from the existing
views.
CLI view: must be assigned all
CCNA Security Chapter 2
Securing Network Devices
2.2.2.2 Describe the characteristics of
Superviews:
2.2.2.3 Describe the steps to create
and manage a specific view:
Page 10 of 21
commands associated with that view, and
a view does not inherit commands from
any other views
Superview: allows a network
administrator to assign users and groups
of users multiple CLI views at once
A single CLI view can be shared within
multiple superviews.
Commands cannot be configured for a
superview. An administrator must add
commands to the CLI view and add that
CLI view to the superview.
Users who are logged into a superview
can access all the commands that are
configured for any of the CLI views that
are part of the superview.
Each superview has a password that is
used to switch between superviews or
from a CLI view to a superview.
Step 1. Enable AAA with the aaa new-
model global configuration command. Exit
and enter the root view with the enable
view command.
Step 2. Create a view using the parser
view view-name command. This enables
the view configuration mode. Excluding
the root view, there is a maximum limit of
15 views in total.
Step 3. Assign a secret password to the
view using the secret encrypted-
password command.
Step 4. Assign commands to the selected
view using the commands parser-mode
{include | include-exclusive | exclude}
[all] [interface interface-name |
command] command in view
configuration mode.
CCNA Security Chapter 2
Securing Network Devices
2.2.2.4 Describe the steps to create
and manage a superview:
2.3.1.2 1. What command enables
Cisco IOS image resilience?
2. What command takes a
snapshot of the router running
configuration and securely
archives it in persistent
storage?
2.3.1.3 What command is used to
verify the existence of the
secured files in the archive?
2.3.1.3 Describe the steps to restore a
primary bootset from a secure
archive after the router has
been tampered with:
Page 11 of 21
Step 5. Exit view configuration mode by
typing the exit command.
Step 1. Create a view using the parser
view view-name superview command
and enter superview configuration mode.
Step 2. Assign a secret password to the
view using the secret encrypted-
password command.
Step 3. Assign an existing view using the
view view-name command in view
configuration mode.
Step 4. Exit superview configuration mode
by typing the exit command.
1. secure boot-image
2. secure boot-config
show secure bootset
Step 1. Reload the router using the reload
command.
Step 2. From ROMmon mode, enter the
dir command to list the contents of the
device that contains the secure bootset
file. From the CLI, the device name can
be found in the output of the show secure
bootset command.
Step 3. Boot the router with the secure
bootset image using the boot command
with the filename found in Step 2. When
the compromised router boots, change to
privileged EXEC mode and restore the
CCNA Security Chapter 2
Securing Network Devices
2.3.1.4 Describe the steps necessary
to recover a lost router
password:
Page 12 of 21
configuration.
Step 4. Enter global configuration mode
using conf t.
Step 5. Restore the secure configuration
to the supplied filename using the secure
boot-config restore filename command.
Step 1. Connect to the console port.
Step 2. Use the show version command
to view and record the configuration
register.
Step 3. Use the power switch to power
cycle the router.
Step 4. Press “CTRL break” within 60
seconds of power up to put the router into
ROMmon mode.
Step 5. Type confreg 0x2142 at the
rommon 1> prompt.
Step 6. Type reset at the rommon 2>
prompt.
Step 7. Type no after each setup
question, or press Ctrl-C to skip the initial
setup procedure.
Step 8. Type enable at the Router>
prompt. This puts the router into enable
mode and allows you to see the Router#
prompt.
Step 9. Type copy startup-config
running-config to copy the NVRAM into
memory.
Step 10. Type show running-config. An
administrator can now see the passwords
(enable password, enable secret, vty, and
console passwords) either in encrypted or
unencrypted format. Unencrypted
passwords can be reused, but encrypted
passwords need a new password to be
created.
Step 11. Enter global configuration and
CCNA Security Chapter 2
Securing Network Devices
2.3.1.5 What command secures the
router from the normal
password recovery process?
2.3.2.2 Describe the two paths that the
flow can take when logging and
managing information flow
between management hosts
and the managed devices:
2.3.3.1 Describe 5 different facilities to
which Cisco routers can send
log messages:
Page 13 of 21
type the enable secret password
command to change the enable secret
password.
Step 12. Issue the no shutdown
command on every interface to be used.
Step 13. From global configuration mode
type config-register 0x2102 (typically)
Step 14. Save the configuration changes
using the copy running-config startup-
config command.
no service password-recovery
Out-of-band (OOB) - Information flows on
a dedicated management network on
which no production traffic resides.
In-band - Information flows across an
enterprise production network, the
Internet, or both using regular data
channels.
Console - Console logging is on by
default. Messages log to the console and
can be viewed when modifying or testing
the router using terminal emulation
software while connected to the console
port of the router.
Terminal lines - Enabled EXEC sessions
can be configured to receive log
messages on any terminal lines. Similar to
console logging, this type of logging is not
stored by the router and, therefore, is only
valuable to the user on that line.
Buffered logging - Buffered logging is a
little more useful as a security tool
because log messages are stored in
router memory for a time. However,
CCNA Security Chapter 2
Securing Network Devices
2.3.3.1 What are the three main parts
of Cisco router log messages?
2.3.3.1 Describe the eight levels that
Cisco router log messages fall
into in order of severity from
highest to lowest:
Page 14 of 21
events are cleared whenever the router is
rebooted.
SNMP traps - Certain thresholds can be
preconfigured on routers and other
devices. Router events, such as
exceeding a threshold, can be processed
by the router and forwarded as SNMP
traps to an external SNMP server. SNMP
traps are a viable security logging facility
but require the configuration and
maintenance of an SNMP system.
Syslog - Cisco routers can be configured
to forward log messages to an external
syslog service. This service can reside on
any number of servers or workstations,
including Microsoft Windows and UNIX-
based systems, or the Cisco Security
MARS appliance. Syslog is the most
popular message logging facility, because
it provides long-term log storage
capabilities and a central location for all
router messages.
Timestamp
Log message name and severity level
Message text
0 – emergencies - System is unusable.
LOG_EMERG
1 - alerts - Immediate action is needed.
LOG_ALERT
2 - critical - Critical conditions exist.
LOG_CRIT
3 - errors - Error conditions exist.
LOG_ERR
4 - warnings - Warning conditions exist.
LOG_WARNING
5 - notifications - Normal but significant
condition. LOG_NOTICE
CCNA Security Chapter 2
Securing Network Devices
2.3.3.2 Describe the two types of
systems contained in Syslog
implementations:
2.3.3.2 Describe Cisco Security MARS The Cisco Security Monitoring, Analysis,
and explain how it uses logging and Response System (MARS) is a Cisco
information:
2.3.3.3 Describe the steps to activate
and configure system logging:
Page 15 of 21
6 - informational - Informational
messages only. LOG_INFO
7 - debugging - Debugging messages.
LOG_DEBUG
Syslog servers - Also known as log hosts,
these systems accept and process log
messages from syslog clients.
Syslog clients - Routers or other types of
equipment that generate and forward log
messages to syslog servers.
security appliance that can receive and
analyze syslog messages from various
networking devices and hosts from Cisco
and other vendors. Cisco Security MARS
combines all of this log data into a series
of sessions which it then compares to a
database of rules. If the rules indicate that
there might be a problem, an incident is
triggered.
1. Set the destination logging host using
the logging host [hostname | ip
address]command.
Step 2. (Optional) Set the log severity
(trap) level using the logging trap level
command.
Step 3. Set the source interface using the
logging source-interface interface-type
interface-number command. This
specifies that syslog packets contain the
IPv4 or IPv6 address of a particular
interface, regardless of which interface the
packet uses to exit the router.
Step 4. Enable logging with the logging
on command. You can turn logging on
CCNA Security Chapter 2
Securing Network Devices
2.3.3.4 Describe the steps to enable
syslog logging using Cisco
Security Device Manager:
2.3.4.1 Describe SNMP:
2.3.4.1 Describe the components of
SNMP:
Page 16 of 21
and off for these destinations individually
using the logging buffered, logging
monitor, and logging global
configuration commands.
1. Choose Configure > Additional Tasks
> Router Properties > Logging.
2. From the Logging pane, click Edit.
3. In the Logging window, select Enable
Logging Level and choose the logging
level from the Logging Level list box.
Messages will be logged for the level
selected and below.
4. Click Add, and enter an IP address of
a logging host in the IP
Address/Hostname field.
5. Click OK to return to the Logging dialog
box.
6. Click OK to accept the changes and
return to the Logging pane.
SNMP was developed to manage nodes,
such as servers, workstations, routers,
switches, hubs, and security appliances,
on an IP network. SNMP is an Application
Layer protocol that facilitates the
exchange of management information
between network devices.
SNMP enables network administrators to
manage network performance, find and
solve network problems, and plan for
network growth.
Network Management Systems - at
least one manager node runs SNMP
CCNA Security Chapter 2
Securing Network Devices
2.3.4.1 What are the three actions that
a manager node can use to
view or alter information in a
managed device?
2.3.4.2 Describe the two types of
community strings as they
relate to SNMP versions 1 and
2:
2.3.4.3 How does SNMP version 3
address the vulnerabilities of
versions 1 and 2?
2.3.4.4 Describe the security levels
available for the three SNMP
Page 17 of 21
management software
Agents - network devices that need to be
managed, such as switches, routers,
servers, and workstations
Management Information Bases – a
database that reflects the resources and
activity of a managed device
Get – view information about a managed
device
Set - change configuration variables in the
agent device
Trap (Notification) - enable an agent to
notify the management station of
significant events
Read-only community strings - Provides
read-only access to all objects in the MIB,
except the community strings. Allows only
GET requests.
Read-write community strings - Provides
read-write access to all objects in the MIB,
except the community strings. Allows
GET and SET requests but should be
used only on an OOB network.
SNMPv3 provides three security features.
Message integrity - Ensures that a
packet has not been tampered with in
transit.
Authentication - Determines that the
message is from a valid source.
Encryption - Scrambles the contents of a
packet to prevent it from being seen by an
unauthorized source.
noAuth - Authenticates a packet by a
string match of the username or
CCNA Security Chapter 2
Securing Network Devices
security models:
2.3.4.5 This page shows the steps to
activate an SNMP trap receiver.
2.3.5.1 Describe two ways to set date
and time on a Cisco router.
2.3.5.2 Describe the process of setting
date and time on Cisco routers
using NTP:
2.3.5.3 Describe the security features
of NTP:
Page 18 of 21
community string. Available with
SNMPv1, 2, and 3.
auth - Authenticates a packet by using
either the Hashed Message
Authentication Code (HMAC) with MD5
method or Secure Hash Algorithms (SHA)
method. The HMAC method is described
in RFC 2104, HMAC: Keyed-Hashing for
Message Authentication. Available with
SNMPv3 only.
priv - Authenticates a packet by using
either the HMAC MD5 or HMAC SHA
algorithms and encrypts the packet using
the Data Encryption Standard (DES),
Triple DES (3DES), or Advanced
Encryption Standard (AES) algorithms.
Available with SNMPv3 only.
Manually editing the date and time
Configuring the Network Time Protocol
(NTP)
NTP clients either contact the master or
listen for messages from the master to
synchronize their clocks. To contact the
master, use the ntp server ntp-server-
address command.
In a LAN environment, NTP can be
configured to use IP broadcast messages
instead by using the ntp broadcast client
command.
1. ACL-based restriction scheme
Encrypted authentication mechanism
CCNA Security Chapter 2
Securing Network Devices
2.3.5.3 This page shows the
configuration steps for CLI
based NTP authentication:
2.3.5.4 This page shows the
configuration steps for SDM
based NTP authentication:
2.4.1.2 Describe some of the practices
that help ensure that a network
device is secure:
2.4.1.3 What is best way to determine
and fix the vulnerabilities that
exist with a current
configuration?
2.4.1.4 What actions does the Security
Audit wizard in Cisco Security
Device Manager (SDM)
perform?
2.4.2.1 Differentiate between the
management plane and the
forwarding plane of a Cisco
router:
Page 19 of 21
offered by NTP version 3 or later
Disable unnecessary services and
interfaces.
Disable and restrict commonly configured
management services, such as SNMP.
Disable probes and scans, such as ICMP.
Ensure terminal access security.
Disable gratuitous and proxy Address
Resolution Protocol.
Disable IP-directed broadcasts.
Use security audit tools such as:
Security Audit Wizard in Cisco SDM
One-Step Lockdown in Cisco SDM
Cisco auto secure command in the Cisco
IOS CLI
Shuts down unneeded servers.
Disables unneeded services.
Applies the firewall to the outside
interfaces.
Disables or hardens SNMP.
Shuts down unused interfaces.
Checks password strength.
Enforces the use of ACLs.
The management plane is the logical
path of all traffic related to the
management of a routing platform.
The forwarding plane is responsible for
packet forwarding (or packet switching),
which is the act of receiving packets on
CCNA Security Chapter 2
Securing Network Devices
2.4.2.1 List management plane and
forwarding plane services and
functions which can be secured
with auto secure:
2.4.3.2 Describe the features of Cisco
AutoSecure that are not
implemented or are
implemented differently in
Cisco SDM one-step lockdown:
Page 20 of 21
the router interfaces and sending them out
on other interfaces.
Management plane:
Secure BOOTP, CDP, FTP, TFTP, PAD,
UDP, and TCP small servers, MOP, ICMP
(redirects, mask-replies), IP source
routing, Finger, password encryption, TCP
keepalives, gratuitous ARP, proxy ARP,
and directed broadcast
Legal notification using a banner
Secure password and login functions
Secure NTP
Secure SSH access
TCP intercept services
Forwarding plane:
Enables CEF
Enables traffic filtering with ACLs
Implements Cisco IOS firewall inspection
for common protocols
Disabling NTP - Based on input, Cisco
AutoSecure disables NTP if it is not
necessary. Otherwise, NTP is configured
with MD5 authentication. Cisco SDM does
not support disabling NTP.
Configuring AAA - If the AAA service is
not configured, Cisco AutoSecure
configures local AAA and prompts for the
configuration of a local username and
password database on the router. Cisco
SDM does not support AAA configuration.
Setting Selective Packet Discard (SPD)
values - Cisco SDM does not set SPD
values.
Enabling TCP intercepts - Cisco SDM
does not enable TCP intercepts.
Configuring antispoofing ACLs on
CCNA Security Chapter 2
Securing Network Devices

outside interfaces - Cisco AutoSecure

creates three named access lists to
prevent antispoofing source addresses.
Cisco SDM does not configure these
ACLs.

Enable SSH for access to the router -

Cisco SDM enables and configures SSH
on Cisco IOS images that have the IPsec
feature set; however, unlike Cisco
AutoSecure, Cisco SDM does not enable
Secure Copy Protocol (SCP) or disable
other access and file transfer services,
such as FTP.
Disable SNMP - Cisco SDM disables
SNMP; however, unlike Cisco
AutoSecure, Cisco SDM does not provide
an option for configuring SNMPv3. The
SNMPv3 option is not available on all
routers.

Page 21 of 21