CCIE notes – Security part 2

Layer 3 Security


1. Enable secure Telnet access to a router and use SSH
2. Enable SNMP security, adding SNMPv3 support
3. Turn off unnecessary services on the router platform
4. Turn on logging to provide on audit trail
5. Enable protocol authentication
6. Enable CEF


General Layer3 Security Considerations

1. Smurf Attacks

– a large number of ICMP Echo Requires with same typical IP address in the packet
– the destination address is a subnet broadcast address, also known as a direct broadcast address


CCIE notes – Security part 1

Router & Switch Device Security

– to encrypt passwords with the following command #service password-encryption
– “#no service password-encryption” – does not automatically decrypt the password. It waits until a new password is added.
– #enable secret – encrypts the password as md5
– #enable password – type 7 password
#username password <pass> – encrypts the password as MD5


AAA – Authentication, Authorization and Accounting

Radius vs Tacacs

Scope of Encryption: Packet Payload or just Password  Password Only  Entire Payload
 Layer 4 Protocol  UDP  TCP
 Well Known ports  1812/1645  49/49
 Standard or Cisco Propriety  Standard  Cisco

CCIE notes – MPLS

Below are some notes from my CCIE written. Hope you enjoy them


MPLS IP Forwarding: Data Plane

– MPLS routers inject (push) or remove (pop) or forwards packets based on labels
– MPLS relies on the CEF while expanding the logic and data structures as well


LSR (Label Switch Router)

– any router that has awareness of MPLS Labels
FIB – used for incoming unlabled packets
LFIB – used for incoming labeled packets

MPLS header and Label
– header of 4 bytes, located before the IP header

MPLS header

Fortigate CFG_CMDBAPI_ERR Error



It seems there is a new error that i found on a few Fortigate firewalls: CFG_CMDBAPI_ERR


To fix the issue you can do 2 things:

1. Upgrade the Fortigate to the latest version

2. Reboot the IPS of the Fortigate (this is was it causing the issue). Below is the command(through CLI):

diagnose test application ipsmonitor 99


Hope it helps!

Fortigate FortiOS 5 preview


I have found the following video on Youtube that presents the FortiOS 5 in 5 minutes.

The new features look really good.

Check it out:

What do you think?!