Exam weight: 20% | Labs: 6
5.1 Device Access Control
Secure Management Baseline
- Use Type 9 (scrypt) password hashing for local users
- Generate RSA key ≥2048 bits and enforce SSH v2
- Set exec-timeout on all VTY lines
- Disable HTTP server; allow only HTTPS management
- Restrict VTY access with ACL limiting source IPs
AAA (TACACS+ and RADIUS)
- TACACS+: TCP/49; separates Authentication, Authorization, Accounting; Cisco proprietary; encrypts the entire packet body (only the header is sent in clear)
- RADIUS: UDP/1812 (auth) + UDP/1813 (acct); IETF standard; encrypts only password field; better for 802.1X
- Configure method lists with fallback to local in case server is unreachable
5.2 Infrastructure Security
Access Control Lists (ACLs)
- Ordered permit/deny rules; implicit deny at end
- Standard ACL: Matches source IP only; apply close to destination
- Extended ACL: Matches src/dst IP, protocol, port; apply close to source
- Named ACLs allow per-line editing
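As an added example (not part of the original notes), a named extended ACL that shows first-match ordering, an explicit logged deny ahead of the implicit one, sequence-number insertion for per-line editing, and the placement rule for standard versus extended lists. Interface names, subnets and hosts are constructed sample values.

```ios
! Named extended ACL: evaluated top-down, first match wins,
! and an implicit "deny ip any any" sits after the last line
ip access-list extended WEB-IN
 10 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.5 eq 443
 20 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.5 eq 80
 30 deny   ip 10.1.10.0 0.0.0.255 any log
!
! Extended ACL matches src/dst/protocol/port, so apply it close to the source:
! inbound on the user-facing interface
interface GigabitEthernet0/1
 ip access-group WEB-IN in
!
! Per-line editing: insert a rule between 20 and 30 without rebuilding the list
ip access-list extended WEB-IN
 25 permit udp 10.1.10.0 0.0.0.255 host 10.1.20.53 eq 53
!
! Standard ACL matches the source only, so place it close to the destination:
! outbound on the interface facing the protected management subnet
ip access-list standard MGMT-SRC
 permit 10.1.99.0 0.0.0.255
 deny   any log
interface GigabitEthernet0/2
 ip access-group MGMT-SRC out
!
! Verify: per-line hit counts show which entry each flow matched
! show ip access-lists WEB-IN
```

The explicit `deny ... log` on line 30 produces syslog evidence of blocked traffic that the silent implicit deny would not; the hit counters in `show ip access-lists` are the first check when a rule is not matching as expected.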
Control Plane Policing (CoPP)
Rate-limits CPU-destined traffic (OSPF, SSH, SNMP, etc.) using MQC policies. Applied in the input direction on the control-plane interface. Prevents DoS attacks against the routing engine.
5.3 Secure REST API Access
- HTTPS-only transport (never HTTP)
- Token-based authentication (OAuth/JWT); never hardcode credentials
- Store credentials in environment variables or secrets managers
- Implement RBAC and rate limiting on API endpoints
5.4 Wireless Security
Authentication Models
- Open: No authentication (OWE adds opportunistic encryption in WPA3)
- PSK: Pre-shared key; WPA2 uses PBKDF2; WPA3 uses SAE
- 802.1X/EAP: Per-user/device certificates or credentials via RADIUS
- WebAuth: Captive portal redirect; guest networks
WPA2 vs WPA3
| Feature | WPA2 | WPA3 |
|---|---|---|
| PSK method | PBKDF2 | SAE (Simultaneous Authentication of Equals) |
| Forward secrecy | No | Yes |
| PMF | Optional | Mandatory |
| Cipher | AES-CCMP | AES-GCMP |
| Open network | No encryption | OWE (opportunistic encryption) |
EAP Types
- EAP-TLS: Mutual certificate authentication; most secure
- PEAP-MSCHAPv2: Server cert + client username/password; most common
- EAP-FAST: Cisco; PAC-based; no certs required
- EAP-TTLS: Server cert only; flexible inner authentication
5.5 Network Security Design
Firewall Evolution
Packet-filter → Stateful → NGFW → IPS. NGFW adds application awareness, user identity, URL filtering, and inline IPS.
IOS Zone-Based Firewall (ZBF)
- Interfaces are assigned to security zones; traffic between interfaces in the same zone is permitted by default
- Zone-pair policies control inter-zone traffic (inspect = stateful, drop, pass)
- Traffic between zones with no zone-pair policy is dropped by default
Cisco TrustSec / SGT
- Classification: SGT assigned at ingress (802.1X, MAB, IP-SGT mapping)
- Propagation: Inline tagging between TrustSec-capable devices, or SXP (SGT Exchange Protocol) to carry IP-to-SGT bindings across devices that cannot tag inline
- Enforcement: SGACL applied at egress based on src/dst SGT pair
MACsec (802.1AE)
- Layer 2 hop-by-hop AES-GCM encryption
- MKA (MACsec Key Agreement) manages key exchange
- Protects against Layer 2 attacks (MITM, replay)
Cloud Security Platforms
- Umbrella: DNS-layer blocking of malicious domains
- Secure Endpoint: EDR (Endpoint Detection and Response)
- Duo: MFA enforcement
- SecureX/XDR: Correlation across security platforms
Hands-On Labs
Lab 1: Secure SSH Device Access
Baseline hardening: generate RSA 2048-bit key, enforce SSHv2, create privilege-15 local user with Type 9 hash, restrict VTY with ACL, set exec-timeout.
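The hardening baseline from 5.1 and Lab 1 as one configuration, added here as an example rather than copied from the original notes or from a Cisco reference. Hostname, domain name, username, password, subnet and key label are constructed sample values.

```ios
! RSA key generation requires a hostname and domain name (both constructed)
hostname R1
ip domain name lab.example.com
!
! Privilege-15 local user with a Type 9 (scrypt) secret; replace the sample password
username netadmin privilege 15 algorithm-type scrypt secret Sample-Passphrase-Change-Me
!
! 2048-bit RSA key bound to SSH, SSH version 2 only, short login window
crypto key generate rsa modulus 2048 label SSH-KEY
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the management subnet may open a VTY session
ip access-list standard MGMT-ACL
 permit 10.1.99.0 0.0.0.255
 deny   any log
!
line vty 0 4
 transport input ssh
 access-class MGMT-ACL in
 exec-timeout 10 0
 login local
!
! Web management: HTTPS only, plaintext HTTP disabled
no ip http server
ip http secure-server
!
! Verification
! show ip ssh                              -> "SSH Enabled - version 2.0"
! show running-config | include username   -> "secret 9 ..." confirms scrypt
! show access-lists MGMT-ACL               -> logged hits on the deny line reveal blocked sources
```

The `deny any log` line on the VTY ACL is deliberate: a rejected SSH attempt from outside the management subnet then appears in syslog instead of failing silently under the implicit deny.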
Lab 2: AAA with TACACS+/RADIUS
Register TACACS+ and RADIUS servers; define authentication and authorization method lists; configure 802.1X on an access port.
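An added example (not from the original notes or a Cisco reference) covering the AAA bullets in 5.1 and Lab 2: TACACS+ for device administration with local fallback, and RADIUS for 802.1X on an access port. Server addresses, shared keys, list names and interface are constructed sample values.

```ios
aaa new-model
!
! TACACS+ server for device administration (address and key are constructed)
tacacs server ISE-TACACS
 address ipv4 10.1.99.10
 key TacacsSharedKey1
 timeout 5
!
! RADIUS server for 802.1X (address and key are constructed)
radius server ISE-RADIUS
 address ipv4 10.1.99.11 auth-port 1812 acct-port 1813
 key RadiusSharedKey1
 timeout 5
!
aaa group server tacacs+ TAC-GROUP
 server name ISE-TACACS
aaa group server radius RAD-GROUP
 server name ISE-RADIUS
!
! Method lists: TACACS+ first, "local" last so lockout is avoided when the server is unreachable
aaa authentication login MGMT-LOGIN group TAC-GROUP local
aaa authorization exec MGMT-EXEC group TAC-GROUP local
aaa authorization commands 15 MGMT-CMD group TAC-GROUP local
aaa accounting commands 15 MGMT-ACCT stop-only group TAC-GROUP
!
line vty 0 4
 login authentication MGMT-LOGIN
 authorization exec MGMT-EXEC
 authorization commands 15 MGMT-CMD
 accounting commands 15 MGMT-ACCT
!
! 802.1X: EAP transport is RADIUS only
aaa authentication dot1x default group RAD-GROUP
aaa authorization network default group RAD-GROUP
aaa accounting dot1x default start-stop group RAD-GROUP
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
! Verify server reachability and the fallback path before closing your existing session
! test aaa group TAC-GROUP netadmin Sample-Passphrase-Change-Me legacy
! show aaa servers
! show dot1x interface GigabitEthernet1/0/10 details
```

Apply the named lists to the VTY lines from a second session and confirm `test aaa group` succeeds first; a typo in a method list is the classic way to lock yourself out of a device.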
Lab 3: Control Plane Policing (CoPP)
Classify traffic into CRITICAL, IMPORTANT, NORMAL, UNDESIRABLE classes via ACLs; bind to policy-map with tiered rate limits; apply to control-plane.
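The CoPP policy from 5.2 and Lab 3 as an added example (not from the original notes or a Cisco reference): four ACL-driven classes with tiered policers, a drop-only policer for undesirable traffic, and a class-default catch-all. Subnets and the rate/burst values are constructed samples to be tuned per platform.

```ios
! Classification ACLs (management subnet is a constructed value)
ip access-list extended COPP-CRITICAL
 permit ospf any any
 permit tcp any eq bgp any
 permit tcp any any eq bgp
!
ip access-list extended COPP-IMPORTANT
 permit tcp 10.1.99.0 0.0.0.255 any eq 22
 permit udp 10.1.99.0 0.0.0.255 any eq snmp
 permit udp any any eq ntp
!
ip access-list extended COPP-NORMAL
 permit icmp any any echo
 permit icmp any any echo-reply
!
ip access-list extended COPP-UNDESIRABLE
 permit tcp any any eq 23
 permit udp any any eq 1434
!
class-map match-any CRITICAL
 match access-group name COPP-CRITICAL
class-map match-any IMPORTANT
 match access-group name COPP-IMPORTANT
class-map match-any NORMAL
 match access-group name COPP-NORMAL
class-map match-any UNDESIRABLE
 match access-group name COPP-UNDESIRABLE
!
! Tiered policers (bps, burst bytes): conforming traffic reaches the CPU, excess is dropped;
! UNDESIRABLE is dropped unconditionally; class-default bounds everything unclassified
policy-map COPP-POLICY
 class CRITICAL
  police 512000 8000 conform-action transmit exceed-action drop
 class IMPORTANT
  police 256000 4000 conform-action transmit exceed-action drop
 class NORMAL
  police 64000 2000 conform-action transmit exceed-action drop
 class UNDESIRABLE
  police 8000 1000 conform-action drop exceed-action drop
 class class-default
  police 32000 2000 conform-action transmit exceed-action drop
!
! CoPP is applied inbound on the control-plane pseudo-interface
control-plane
 service-policy input COPP-POLICY
!
! Verify per-class conformed/exceeded counters; rising exceed counts in CRITICAL mean
! the rate is too low (or the routing protocol is under load)
! show policy-map control-plane
```

Watch the CRITICAL class counters after deployment: an exceed count there means legitimate routing traffic is being dropped, which is worse than the DoS the policy is meant to absorb.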
Lab 4: IOS Zone-Based Firewall
Define INSIDE, OUTSIDE, DMZ zones; create class-map/policy-map with inspect actions; configure zone-pair service-policies for each traffic direction.
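The zone-based firewall from 5.5 and Lab 4 as an added example (not from the original notes or a Cisco reference): three zones, stateful inspection from INSIDE to OUTSIDE, a narrow OUTSIDE-to-DMZ policy for one web server, and no OUTSIDE-to-INSIDE zone pair so that direction falls to the default drop. Interface names and the server address are constructed sample values.

```ios
zone security INSIDE
zone security OUTSIDE
zone security DMZ
!
! Inside users outbound: protocols the inspect engine tracks statefully
class-map type inspect match-any IN-TO-OUT-CMAP
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Outside to DMZ: only TCP/443 to the web server (address is constructed)
ip access-list extended DMZ-WEB-ACL
 permit tcp any host 172.16.1.10 eq 443
class-map type inspect match-all OUT-TO-DMZ-CMAP
 match access-group name DMZ-WEB-ACL
 match protocol tcp
!
policy-map type inspect IN-TO-OUT-PMAP
 class type inspect IN-TO-OUT-CMAP
  inspect
 class class-default
  drop log
!
policy-map type inspect OUT-TO-DMZ-PMAP
 class type inspect OUT-TO-DMZ-CMAP
  inspect
 class class-default
  drop log
!
! Zone pairs are unidirectional; return traffic for inspected sessions is permitted by state.
! Deliberately no OUTSIDE->INSIDE pair: that direction is dropped by default.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-PMAP
zone-pair security OUT-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUT-TO-DMZ-PMAP
!
interface GigabitEthernet0/0
 description INSIDE
 zone-member security INSIDE
interface GigabitEthernet0/1
 description OUTSIDE
 zone-member security OUTSIDE
interface GigabitEthernet0/2
 description DMZ
 zone-member security DMZ
!
! Verify zone pairs and the active stateful sessions
! show zone-pair security
! show policy-map type inspect zone-pair sessions
```

The `drop log` in each class-default is what turns an unexpected flow into evidence; the silent default drop between zones without a pair is correct behaviour but leaves no trace.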
Lab 5: WPA3-Enterprise
Configure RADIUS server on WLC; set WLAN to WPA3 with akm dot1x-sha256; enforce PMF mandatory; test client 802.1X authentication.
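Lab 5 as an added example written for a Catalyst 9800 (IOS-XE) WLC; it is not from the original notes or a Cisco reference, and the platform, RADIUS address and key, WLAN, VLAN and tag names are assumptions or constructed values. It shows the WPA3-only, 802.1X-SHA256, PMF-mandatory combination from the WPA2 vs WPA3 table.

```ios
! RADIUS server and 802.1X method list (address and key are constructed)
aaa new-model
radius server ISE-RADIUS
 address ipv4 10.1.99.11 auth-port 1812 acct-port 1813
 key RadiusSharedKey1
aaa group server radius ISE-GROUP
 server name ISE-RADIUS
aaa authentication dot1x ISE-DOT1X group ISE-GROUP
aaa authorization network default group ISE-GROUP
dot1x system-auth-control
!
! WLAN: enable WPA3 before removing WPA2, and add the SHA256 AKM before removing
! the default dot1x AKM, so the WLAN never ends up with no valid combination
wlan CORP-WPA3 10 CORP-WPA3
 security wpa wpa3
 no security wpa wpa2
 security wpa akm dot1x sha256
 no security wpa akm dot1x
 security pmf mandatory
 security dot1x authentication-list ISE-DOT1X
 no shutdown
!
! Bind the WLAN to a policy profile and policy tag (names and VLAN are constructed)
wireless profile policy CORP-POLICY
 vlan 20
 no shutdown
wireless tag policy CORP-TAG
 wlan CORP-WPA3 policy CORP-POLICY
!
! Verify: AKM and PMF state on the WLAN, then the client's negotiated security
! show wlan name CORP-WPA3
! show wireless client summary
```

A client that associates to WPA2 AKMs elsewhere but fails here is the expected outcome of the `no security wpa wpa2` line; check `show wlan name` before suspecting the RADIUS path.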
Lab 6: TrustSec & MACsec
Provision PAC via ISE; configure inline SGT tagging; set up SXP peers for non-capable switches; define and apply SGACL; enable MKA key-chain for MACsec.
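Lab 6 as an added example (not from the original notes or a Cisco reference): PAC provisioning, inline SGT tagging, an SXP peer for a non-capable switch, a static IP-to-SGT mapping, an SGACL enforced at egress, and MKA-based MACsec with a pre-shared CAK. Device credentials, addresses, SGT numbers, interface names and the CAK are constructed sample values; the CAK shown is a placeholder and must be replaced.

```ios
! --- TrustSec: PAC from ISE (the "cts credentials" line is an exec command) ---
! cts credentials id SW1 password CtsDevicePass1
aaa new-model
radius server ISE-RADIUS
 address ipv4 10.1.99.11 auth-port 1812 acct-port 1813
 pac key RadiusSharedKey1
aaa group server radius ISE-GROUP
 server name ISE-RADIUS
aaa authorization network CTS-LIST group ISE-GROUP
cts authorization list CTS-LIST
!
! Inline tagging on the uplink to a TrustSec-capable switch; "trusted" accepts its SGTs
interface TenGigabitEthernet1/1/1
 cts manual
  policy static sgt 2 trusted
!
! SXP: receive IP-to-SGT bindings from a switch that cannot tag inline
cts sxp enable
cts sxp default password SxpSharedSecret1
cts sxp connection peer 10.1.99.20 password default mode local listener
!
! Static mapping for a server not learned through 802.1X or MAB
cts role-based sgt-map 10.1.20.5 sgt 30
!
! SGACL enforced at egress: Employees (SGT 10) reach Servers (SGT 30) on TCP/443 only
ip access-list role-based EMP-TO-SRV
 permit tcp dst eq 443
 deny ip log
cts role-based permissions from 10 to 30 EMP-TO-SRV
cts role-based enforcement
!
! --- MACsec: MKA with a pre-shared CAK on a switch-to-switch link ---
! aes-128-cmac CAK is a 32-hex-digit placeholder; "01" is the CKN
key chain MKA-KEYS macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 0123456789ABCDEF0123456789ABCDEF
  lifetime local 00:00:00 Jan 1 2024 infinite
!
mka policy MKA-POL
 macsec-cipher-suite gcm-aes-128
!
interface TenGigabitEthernet1/1/2
 macsec network-link
 mka policy MKA-POL
 mka pre-shared-key key-chain MKA-KEYS
!
! Verify
! show cts pacs
! show cts sxp connections
! show cts role-based permissions
! show cts role-based counters
! show mka sessions
! show macsec interface TenGigabitEthernet1/1/2
```

`show cts role-based counters` is the quickest way to confirm the SGACL is actually enforcing: the hardware-denied column for the 10-to-30 cell should climb when a blocked port is tried, and `show mka sessions` should show the link as Secured before any traffic is trusted across it.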
