CCIE Security v4.0 Question Set: Lab 2 (Real Labs)

www.cciesecuritylabs.com

CCIESECURITYLABS.COM FINAL RELEASE 1-Aug-2013

Initial Guidelines

1. Read all of the questions in a section before you start the configuration. It is even recommended that you read the entire lab exam before you proceed with any configuration.

2. Exam questions have dependencies on others. Read through the entire workbook to help identify these questions and the best order of configuration. Sections do not have to be completed in the order presented in the workbook.

3. Most questions include verification output that can be used to check your solutions.

Highlighted section in output verification displays MUST be matched to ensure correctness.

4. If you need clarification of the meaning of a question, or if you suspect that there may be hardware issues with your equipment, contact the onsite lab proctor as soon as possible.

5. The equipment on the rack assigned to you is physically cabled, so do NOT tamper with it. Before starting the exam, confirm that all devices in your rack are in working order. During the exam, if any device is locked or inaccessible for any reason, you must recover it. When you finish the exam, ensure that all devices are accessible to the grading proctor. A device that is not accessible for grading cannot be marked and may cause you to lose substantial points.

6. Knowledge of implementation and troubleshooting techniques is part of the lab exam.

7. Points are awarded only for working configurations. Towards the end of the exam, you should test the functionality of all sections of the exam.

8. You will be presented with preconfigured routers and switches in your topology. The routers and switches are preconfigured with basic IP addressing, hostname, enable password (cisco), switching, VTP, VLANs, Frame Relay DLCI mapping, IP routing and console port configuration. Do NOT change any of the preconfiguration at any time, unless the change is specified in a question.

9. Throughout the exam, assume these values for variables if required:

- YY is your two-digit rack number. For example, the YY value for Rack 01 is 01 and for Rack 11 is 11

- SS is your Site ID for the lab exam location, Read the next page for your location.

- BB is the backbone number. For example, the BB value for Backbone 2 is 2. Backbone subnets use the following address convention: 150.BB.YY.0/24. Do NOT change backbone addresses unless you are instructed to do so.

- X is your router number. For example, the value of X for Router 1 is 1; for Switch 1 and Switch 2 it is 7 and 8 respectively.


- Z is any number.

10. You are allowed to add static and default routes (if required) on any device.

11. In any configuration where additional addressing is indicated in the Lab Topology Diagram, ensure that the additional addressing does not conflict with a network that is already used in your topology. The preconfigured routing protocols are shown in the Lab Routing Diagram.

12. Full access to the VMware ESXi server from your workstation is provided. Use the username admin and the password cisco to log in. You can add, modify or delete any settings on the Cisco Secure ACS, Test-PC and Cisco ISE as required by the question.

13. All device names, access information and username/password combinations are summarized on the following pages. Do NOT change these settings.


CCIE Security Lab Equipment and Software v4.0

Hardware

• Cisco 3800 Series Integrated Services Routers (ISR)
• Cisco 1800 Series Integrated Services Routers (ISR)
• Cisco 2900 Series Integrated Services Routers (ISR G2)
• Cisco Catalyst 3560-24TS Series Switches
• Cisco Catalyst 3750-X Series Switches
• Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances
• Cisco IPS 4200 Series Intrusion Prevention System sensors
• Cisco S-Series Web Security Appliance
• Cisco ISE 3300 Series Identity Services Engine
• Cisco WLC 2500 Series Wireless LAN Controller
• Cisco Aironet 1200 Series Wireless Access Point
• Cisco IP Phone 7900 Series*
• Cisco Secure Access Control System

Notes: The ASA appliances can be configured using the CLI or ASDM/Cisco Prime tools.
*Device authentication only; provisioning of IP phones is NOT required.

Software Versions

• Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
• Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE
• Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
• Cisco IPS Software Release 7.x
• Cisco VPN Client Software for Windows, Release 5.x
• Cisco Secure ACS System software version 5.3x
• Cisco WLC 2500 Series software 7.2x
• Cisco Aironet 1200 Series AP Cisco IOS Software Release 12.4J(x)
• Cisco WSA S-Series software version 7.1x
• Cisco ISE 3300 Series software version 1.1x
• Cisco NAC Posture Agent v4.X
• Cisco AnyConnect Client v3.0X


Summary of usernames and passwords for all devices

Device        Username   Password
Router        cisco      Cisco
Switches      cisco      Cisco
IPS           cisco      123cisco123
WSA           admin      ironport
WLC           cisco      Cisco123
AP            ciscoAP    CCie123
ESXi Server   admin      Cisco
ISE           admin      Cisco123
ACS           admin      Cisco123
ASA           admin      cisco
Test-PC       Test-PC    Cisc0123


Topology 1: Test PC and Vmware ESXI server

Topology 2: Local Candidate PC


Topology 3: Switch Cabling


Topology 4 : layer 2


OUR CCIE SECURITY ENGINEERS ARE AVAILABLE ON GOOGLE TALK CHAT to support any questions related to our workbooks at ([email protected])

YOUR GATEWAY TO SUCCESS TOWARDS CCIE LAB

ACTIVE CLIENTS WILL GET VERY SPECIAL DISCOUNTS ON OTHER CCIE TRACKS

KINDLY VISIT FOR FURTHER INFORMATION

CCIE R&S ----> WWW.CCIERNSLABS.COM

CCIE SECURITY ----> WWW.CCIESECURITYLABS.COM

CCIE WIRELESS ----> WWW.CCIEWIRELESSLABS.COM

CCIE DATACENTER ----> WWW.CCIEDATACENTERLABS.COM

CCIE VOICE ----> WWW.CCIEVOICELABS.COM

KINDLY CONTACT US AT [email protected] FOR FURTHER INFORMATION ON OTHER TRACKS

Launched !!!

CCIE COLLABORATIONS -----> WWW.CCIECOLLABORATIONLABS.COM


SECTION I – PERIMETER SECURITY

1.1 Configure routing and Basic Access on ASA1 5 Points

This question has three tasks.

Complete each task to provide basic connectivity and routing capabilities on ASA1.

1) ASA1 should be in single-context routed mode and configured using the information in the table below:

Interface   Nameif    Switch VLAN   Security Level   IP Address
Gi 0/0      Outside   5             0                7.7.5.10/24
Gi 0/2      Inside    3             100              7.7.3.10/24
Gi 0/3      Dmz       8             50               7.7.8.10/24

Use exact names and numbers as shown in the table.

2) Add static routes as follows:

Interface   Network                    Next Hop
Inside      Default route (0.0.0.0/0)  7.7.3.2

3) Configure a secured OSPF process 1:

- The router-id must be 8.8.8.8
- Configure OSPF area 1 to establish neighborship
- Assign network 7.7.5.0 to area 0
- Assign network 7.7.8.0 to area 1
- Ensure that networks 192.168.11.11 and 192.168.22.22 (loopbacks on R1 and R2) appear in the routing table on ASA1 but are not propagated into area 0.

Note: You are not allowed to change any routing configuration on the other devices.


Verify by checking the routing table on R6.

Verify your solution by successfully pinging the inside 150.1.7.0 network from all major 7.7.0.0 subnets, as well as pinging from the outside subnets to the DMZ subnets.

For example:

R6#ping 7.7.8.1

R6#ping 150.1.7.20

R6#ping 7.7.3.2
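A worked configuration for the three tasks above, added here as an example; it is not part of the original workbook. It assumes ASA 8.4-style syntax, that the R1/R2 loopbacks fall inside 192.168.11.0/24 and 192.168.22.0/24 (any mask), and reads "secured" as MD5 neighbor authentication, which is shown commented out because it only works if the pre-configured neighbors already carry the same key (the key value cisco is an assumption). The security-relevant piece is the ABR prefix filter: the loopbacks learned through area 1 stay in ASA1's own table but never become Type-3 summaries in area 0.

```cisco
! ASA1, single-context routed mode (the default). Example, not from the workbook.
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 7.7.5.10 255.255.255.0
 no shutdown
interface GigabitEthernet0/2
 nameif Inside
 security-level 100
 ip address 7.7.3.10 255.255.255.0
 no shutdown
interface GigabitEthernet0/3
 nameif Dmz
 security-level 50
 ip address 7.7.8.10 255.255.255.0
 no shutdown
!
! Task 2: default route out of the Inside interface
route Inside 0.0.0.0 0.0.0.0 7.7.3.2
!
! Task 3: ASA1 is the ABR between area 0 (Outside) and area 1 (Dmz).
! Prefix list: deny the two loopback ranges (assumption: /24 containers, any mask),
! permit everything else. Applied "in" on area 0 it filters what the ABR injects there.
prefix-list NO_LOOPBACKS seq 5 deny 192.168.11.0/24 le 32
prefix-list NO_LOOPBACKS seq 10 deny 192.168.22.0/24 le 32
prefix-list NO_LOOPBACKS seq 15 permit 0.0.0.0/0 le 32
!
router ospf 1
 router-id 8.8.8.8
 network 7.7.5.0 255.255.255.0 area 0
 network 7.7.8.0 255.255.255.0 area 1
 area 0 filter-list prefix NO_LOOPBACKS in
 log-adj-changes
!
! "Secured" read as MD5 neighbor authentication (assumed key: cisco). Enable only if the
! pre-configured neighbors use the same key; otherwise adjacencies drop and the task fails.
! router ospf 1
!  area 0 authentication message-digest
!  area 1 authentication message-digest
! interface GigabitEthernet0/0
!  ospf message-digest-key 1 md5 cisco
! interface GigabitEthernet0/3
!  ospf message-digest-key 1 md5 cisco
```

Check the result with show ospf neighbor (both areas FULL), show route (192.168.11.11 and 192.168.22.22 present as OSPF routes) and show ospf database summary, where no summary LSA for the loopbacks should appear for area 0; R6's routing table then confirms the filter from the area 0 side.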


1.2 Configure stateful failover between ASA1 and ASA2 (4 points)


- Configure LAN-based active-standby failover on ASA1 and ASA2

- Use GigabitEthernet 0/1 in VLAN 100 on SW2 for the failover LAN interface and name it fover.

- Use IP address 7.7.100.100/24 for active and 7.7.100.101/24 for standby

- Enable stateful failover using the failover interface GigabitEthernet 0/1 as the state link as well

- Use all other parameters accordingly to achieve this task

Your output must match all parameters highlighted below:

(Verification output appears as a screenshot in the original and is not reproduced here.)
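One way to configure the pair, added here as an example rather than taken from the workbook. It assumes ASA 8.4-style syntax; the failover key and the standby addresses for the data interfaces are assumptions the task does not give. The key matters: without it, failover hellos and the replicated state (connection table, xlates) cross the link in cleartext, so anyone on VLAN 100 could read them or inject commands into the peer.

```cisco
! ASA1 (primary unit). ASA2 gets identical lines except "failover lan unit secondary";
! once "failover" is enabled on both, the configuration replicates from the active unit.
! Example config, not from the workbook. Key and standby IPs are assumed lab values.
interface GigabitEthernet0/1
 no shutdown
!
failover lan unit primary
! Same physical interface for the failover LAN link and the stateful link
failover lan interface fover GigabitEthernet0/1
failover link fover GigabitEthernet0/1
failover interface ip fover 7.7.100.100 255.255.255.0 standby 7.7.100.101
! Shared secret protects failover and state-replication traffic on the link
failover key cisco123
!
! Standby addresses on the data interfaces from Q1.1 so the units can swap roles
! without re-addressing (values are assumptions).
interface GigabitEthernet0/0
 ip address 7.7.5.10 255.255.255.0 standby 7.7.5.11
interface GigabitEthernet0/2
 ip address 7.7.3.10 255.255.255.0 standby 7.7.3.11
interface GigabitEthernet0/3
 ip address 7.7.8.10 255.255.255.0 standby 7.7.8.11
!
failover
! Verify: show failover ; show failover state ; show failover interface
```

The SW2 port facing each unit's Gi0/1 must be an access port in VLAN 100, and both units need the same hardware model, software version and licensed features before failover will form; show failover reports the state link as "up" and the peer as "Standby Ready" when it is working.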


1.3 Configure ASA3 in Multi-Context Firewall Mode

Part A: Initialize ASA3 (4 points)

ASA3 must be configured as a multi-context firewall. ASA3 requires a shared outside interface.

Use the following outputs to complete the initial configuration.

Context details

Name    Config URL
C1      C1.cfg
C2      C2.cfg
Admin   Admin.cfg

(NOTE: The above files already exist in flash and must be deleted before the contexts are configured.)

The config-url file should be saved on the disk:0

You can permit ICMP traffic from any to any on both contexts.

You can modify the Catalyst switch configuration to complete this task.

When the task is completed, ensure that you are able to ping all major subnets within your network, including ISE1 (150.1.7.20).

Use exact names and numbers as shown in the table

Context "c1" initialization details:

Interface   Type         Nameif    Switch VLAN   Security Level   IP Address
Gi 0/1      Not shared   Inside    2             100              7.7.2.10/24
Gi 0/0      Shared       Outside   33            0                7.7.3.8/24

Context "c1" routing configuration details:

Interface   Network      Next Hop
Outside     0.0.0.0/0    7.7.3.2

Context "c2" initialization details:

Interface   Type     Nameif    Switch VLAN   Security Level   IP Address
Gi 0/2      Shared   Inside    4             100              7.7.4.10/24
Gi 0/0      Shared   Outside   33            0                7.7.3.12/24

Context "c2" routing configuration details:

Interface   Network      Next Hop
Inside      0.0.0.0/0    7.7.4.1
Outside     7.7.0.0/16   7.7.3.2

Context "admin" initialization details:

Interface   Type     Nameif       Switch VLAN   Security Level   IP Address
Gi 0/2      Shared   Management   4             100              7.7.4.200/24

Context "admin" routing configuration details:

Interface    Network      Next Hop
Management   0.0.0.0/0    7.7.4.1
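The system-space and one context's configuration for Part A, added here as an example and not taken from the workbook. Context names are case-sensitive on the ASA; the text uses c1, c2 and admin, so those are used here while the config-url filenames follow the table. Two points a practitioner would want: the stale .cfg files must go before config-url is set, or the contexts silently load them, and shared interfaces need per-context MAC addresses so the classifier can assign ingress frames by destination MAC instead of falling back to NAT or connected-route lookups.

```cisco
! ASA3, system execution space. Example, not from the workbook.
! "mode multiple" reloads the appliance; enter the rest after it comes back.
mode multiple
!
! Remove the pre-existing context files first (per the task note); otherwise the
! config-url commands below would import whatever those files contain.
delete /noconfirm disk0:/Admin.cfg
delete /noconfirm disk0:/C1.cfg
delete /noconfirm disk0:/C2.cfg
!
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
!
! Gi0/0 (c1, c2) and Gi0/2 (c2, admin) are shared. Unique MACs per context let the
! classifier route a frame to the right context by its destination MAC.
mac-address auto
!
admin-context admin
context admin
 allocate-interface GigabitEthernet0/2
 config-url disk0:/Admin.cfg
context c1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/C1.cfg
context c2
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/2
 config-url disk0:/C2.cfg
!
! Context c2 from its table rows (c1 and admin follow the same pattern).
changeto context c2
interface GigabitEthernet0/2
 nameif Inside
 security-level 100
 ip address 7.7.4.10 255.255.255.0
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 7.7.3.12 255.255.255.0
route Inside 0.0.0.0 0.0.0.0 7.7.4.1
route Outside 7.7.0.0 255.255.0.0 7.7.3.2
!
! "Permit ICMP any to any": admit echo requests from the lower-security side and
! inspect ICMP so replies are matched to their requests statefully.
access-list OUTSIDE_IN extended permit icmp any any
access-group OUTSIDE_IN in interface Outside
class-map INSPECT_DEFAULT
 match default-inspection-traffic
policy-map GLOBAL_POLICY
 class INSPECT_DEFAULT
  inspect icmp
service-policy GLOBAL_POLICY global
! Verify (system space): show context ; show mode ; show interface GigabitEthernet0/0 | include MAC
```

From the system space, show context lists the three contexts with their interfaces and URLs; a context that shows no configuration after changeto usually means its .cfg file still existed when config-url was entered.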


Part B: Configure IP Services on ASA3 4 Points

Telnet access:

Telnet must be allowed from VLAN4 IP 7.7.4.1 on SW1 to the admin context of ASA3

To verify your solution: SW1# telnet 7.7.4.200 /source-interface vlan4

Twice NAT:

Use NAT to translate the VLAN4 network 7.7.4.0/24 on SW1 to the global range 10.10.4.0/24 only when the traffic is destined to 192.168.0.0/16; all other traffic must not be translated.

Use a service policy to limit concurrent Telnet sessions from the outside to 2 in context c2.

Verification on R3:

R3# debug ip icmp
ICMP: echo reply sent, src 192.168.33.33, dst 10.10.4.1
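An example configuration for Part B, added here and not part of the original workbook. It assumes ASA 8.3+ object-based NAT syntax, that the NAT rule belongs in context c2 (VLAN4 is c2's Inside), and an assumed Telnet login password. The destination-static clause is what turns a plain source translation into a conditional one: the destination object is "translated" to itself, so the rule matches only when the destination falls in 192.168.0.0/16.

```cisco
! ASA3, admin context: Telnet only from SW1's VLAN4 address, only via Management.
! Example, not from the workbook; "cisco" is an assumed login password.
changeto context admin
telnet 7.7.4.1 255.255.255.255 Management
telnet timeout 5
passwd cisco
!
! ASA3, context c2: twice NAT conditioned on the destination.
changeto context c2
object network VLAN4_REAL
 subnet 7.7.4.0 255.255.255.0
object network VLAN4_MAPPED
 subnet 10.10.4.0 255.255.255.0
object network DST_192
 subnet 192.168.0.0 255.255.0.0
! 7.7.4.x -> 10.10.4.x (host-to-host, so 7.7.4.1 appears as 10.10.4.1) only toward
! 192.168.0.0/16; traffic to any other destination matches no rule and is left alone.
nat (Inside,Outside) source static VLAN4_REAL VLAN4_MAPPED destination static DST_192 DST_192
!
! At most 2 concurrent Telnet connections arriving on Outside.
access-list TELNET_FROM_OUTSIDE extended permit tcp any any eq telnet
class-map TELNET_CLASS
 match access-list TELNET_FROM_OUTSIDE
policy-map OUTSIDE_POLICY
 class TELNET_CLASS
  set connection conn-max 2
service-policy OUTSIDE_POLICY interface Outside
! Verify: show nat detail ; show xlate ; show service-policy interface Outside
```

A ping from SW1 sourced from VLAN4 toward 192.168.33.33 should produce the R3 debug line above with dst 10.10.4.1, while show xlate on c2 shows a single static entry for 7.7.4.1 and nothing for traffic to 7.7.0.0/16.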


1.4 Configure ASA4 in transparent mode with NAT support (6 points)

Configure ASA4 as a transparent firewall to be deployed between R3 and SW6 by completing the three tasks outlined below

1. ASA4 will be assigned the IP address 7.7.7.10/24 and use the following interfaces

Interface   Type       Nameif    Switch VLAN   Security Level
Gi 0/3      Physical   Inside    7             100
Gi 0/0      Physical   Outside   77            0

Note: Do not configure the Management0/0 interface.

2. Add static routes on ASA4 to match the following output

ASA# show route

0.0.0.0/0 via 7.7.7.3 outside

7.7.9.0/24 via 7.7.7.2 inside


Verify your solution by pinging from ASA4 as follows:

ASA4# ping inside 7.7.7.2

ASA4# ping outside 7.7.7.3

3. Configure NAT on ASA4 using the following information. NAT control is required.

Configure a rule where any traffic sourced from 7.7.9.0/24 and destined to 7.7.0.0/16 is mapped to a global address from 200.200.9.0/24. This NAT rule must allow bidirectional connection initiation.

Ensure that traffic sourced from the 7.7.7.0/24 network and destined to 7.7.0.0/16 or 150.1.0.0/16 is not translated but is still able to transit ASA4.

Verify your solution by initiating a ping from SW6 to R3 using VLAN9 as the source interface.

Enabling debug ip icmp on R3 should show that the translation has occurred:

R3# ICMP: echo reply sent, src 7.7.7.3, dst 200.200.9.2
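A worked configuration for the three tasks, added here as an example and not from the workbook. Because the task requires NAT control, it uses ASA 8.2 NAT syntax (nat-control does not exist from 8.3 onward). In transparent mode the static routes do not steer transit traffic, which is bridged; they exist so the ASA can reach the real addresses behind SW6 when it builds translations for them.

```cisco
! ASA4, transparent mode, ASA 8.2 NAT syntax. Example, not from the workbook.
firewall transparent
interface GigabitEthernet0/3
 nameif Inside
 security-level 100
 no shutdown
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 no shutdown
! Single management address for the bridge group (8.2 transparent mode)
ip address 7.7.7.10 255.255.255.0
!
! Routes the ASA itself needs: 7.7.9.0/24 lives behind SW6 on the Inside side and is
! the real network of the static NAT rule below; everything else is via R3.
route Outside 0.0.0.0 0.0.0.0 7.7.7.3
route Inside 7.7.9.0 255.255.255.0 7.7.7.2
!
nat-control
! Policy static NAT: 7.7.9.0/24 -> 200.200.9.0/24, but only for destinations in 7.7.0.0/16.
! A static rule (rather than dynamic nat/global) is what permits connections to be
! initiated from either side through the translation.
access-list VLAN9_TO_77 extended permit ip 7.7.9.0 255.255.255.0 7.7.0.0 255.255.0.0
static (Inside,Outside) 200.200.9.0 access-list VLAN9_TO_77
!
! NAT exemption for 7.7.7.0/24 toward the two destination ranges. With nat-control on,
! traffic that matches no rule is dropped, so the exemption is required, not optional.
access-list NO_NAT extended permit ip 7.7.7.0 255.255.255.0 7.7.0.0 255.255.0.0
access-list NO_NAT extended permit ip 7.7.7.0 255.255.255.0 150.1.0.0 255.255.0.0
nat (Inside) 0 access-list NO_NAT
!
! Echo replies from R3 arrive on the lower-security interface; permit them back in.
access-list OUTSIDE_IN extended permit icmp any any
access-group OUTSIDE_IN in interface Outside
! Verify: show xlate ; show nat ; then ping 7.7.7.3 from SW6 sourced from VLAN9
```

After the ping from SW6 (source VLAN9), show xlate should list a static entry mapping 7.7.9.x to 200.200.9.x, and R3's debug ip icmp prints the echo reply toward 200.200.9.2 as in the verification line above; a ping sourced from 7.7.7.2 must show no xlate at all.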


SECTION II. IPS and Content Security

2.1 – Initialize the Cisco IPS Sensor Appliance (4 points)

Initialize the Cisco IPS Sensor appliance as follows:

Parameter           Setting
Hostname            IPS
Management          Command and control interface Management0/0 in VLAN 4
Sensor IP address   7.7.4.100/24
Default gateway     7.7.4.1
Sensor ACL          7.7.0.0/16, 150.100.7.0/24, 151.SS.1.0/24, 150.1.7.0/24
Telnet              Enable Telnet management
Auto IP logging     Enable IP logging on sig0: log 200 packets, log time 30 seconds, log bytes 5024

Verify the Cisco IPS sensor configuration using the following:

The username and password for the Cisco IPS console are cisco and 123cisco123.

DO NOT CHANGE THEM.

Use the console to initialize the Cisco IPS sensor appliance using the details in this table. Ensure that the Management0/0 interface is up and functioning (refer to the Lab Topology diagram).


You can modify Cisco Catalyst switches configuration if required.

Ensure that the Cisco IPS sensor is able to ping the default gateway and Test-PC:

IPS# ping 7.7.4.1

IPS# ping 150.1.7.100

Ensure that the following ping and telnet connection is successful from SW1

SW1# ping 7.7.4.100

SW1# telnet 7.7.4.100


2.2 Deploy the Cisco IPS Sensor Using an In-line VLAN Pair (4 points)

Configure the Cisco IPS appliance inline VLAN pair using these guidelines:

Configure the CISCO IPS sensor appliance for the inline VLAN pair as shown in the Lab Topology diagram as follow:

Parameter          Setting
Interface          Gig 0/0
Inline VLAN pair   VLAN 3 and VLAN 33

You are allowed to modify the switch parameters as appropriate to achieve this task.

Refer to the lab diagram for the required information.

You may access the IPS management GUI (IME) either from your Test-PC or your local Candidate PC to help with the task. The IME password is Cisc0123. You are allowed to adjust any firewall and/or routing configuration to ensure that this works.

Ensure that the sensor is passing traffic successfully.

For testing, ensure that this ping from SW6 is passing through the sensor with the packets

being displayed on the sensor console.

IPS# packet display gigabitethernet0/0

R6#ping 7.7.4.1
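The sensor and switch side of the inline VLAN pair, added here as an example and not from the workbook. The tables in Section I put ASA1's Inside (7.7.3.10, VLAN 3) and the ASA3 contexts' Outside (7.7.3.8 and 7.7.3.12, VLAN 33) in the same 7.7.3.0/24 subnet, so the sensor bridges the two VLANs at layer 2 and every packet between them is inspected. The switch port facing the sensor's Gig0/0 is an assumption (the topology diagram is not reproduced here), as is the switch it sits on.

```cisco
! Cisco IPS 7.x CLI. Example, not from the workbook.
IPS# configure terminal
IPS(config)# service interface
IPS(config-int)# physical-interfaces GigabitEthernet0/0
IPS(config-int-phy)# admin-state enabled
IPS(config-int-phy)# subinterface-type inline-vlan-pair
IPS(config-int-phy-inl)# subinterface 1
! Frames entering on VLAN 3 leave on VLAN 33 and vice versa, after inspection.
IPS(config-int-phy-inl-sub)# vlan1 3
IPS(config-int-phy-inl-sub)# vlan2 33
IPS(config-int-phy-inl-sub)# description Bridge VLAN 3 (ASA1 Inside) with VLAN 33 (ASA3 Outside)
IPS(config-int-phy-inl-sub)# exit
IPS(config-int-phy-inl)# exit
IPS(config-int-phy)# exit
IPS(config-int)# exit
Apply Changes?[yes]: yes
! Hand the pair to the virtual sensor; without this step the interface is up but nothing is analysed.
IPS(config)# service analysis-engine
IPS(config-ana)# virtual-sensor vs0
IPS(config-ana-vir)# physical-interface GigabitEthernet0/0 subinterface-number 1
IPS(config-ana-vir)# exit
IPS(config-ana)# exit
Apply Changes?[yes]: yes
!
! Switch side (IOS). Port and switch are assumptions. The sensor must see both VLANs
! tagged, and only those two, so nothing else is bridged across it by accident.
SW1(config)# interface GigabitEthernet0/10
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 3,33
SW1(config-if)# spanning-tree bpdufilter enable
SW1(config-if)# no shutdown
! Verify: IPS# show interfaces ; IPS# packet display gigabitethernet0/0 (while pinging across)
```

bpdufilter on the sensor-facing trunk is deliberate: with two VLANs bridged through the IPS, STP would otherwise see its own BPDUs return on the other VLAN and may block the port. If hosts in VLAN 3 cannot reach VLAN 33 afterwards, check show interfaces on the sensor for the pair being "Inline VLAN Pair" and Up before looking at the firewalls.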


2.3 Implement custom signatures on the Cisco IPS sensor 4 Points

A custom signature 60000 is required on the Cisco IPS sensor as follows:

- Trigger: whenever an OSPF Hello packet from the inside interface of ASA1 is detected
- Action: produce a verbose alert when the OSPF packet is detected
- Alert severity: high
- Signature definition: sig0

Note: The inside interface of ASA1 should not participate in routing. Verify by temporarily adding the inside network to OSPF on ASA1 as below:

router ospf 1

network 7.7.3.0 255.255.255.0 area 2

The IPS should detect the Hellos; check with IPS# show events alert high


2.4 Initialize the Cisco WSA and Enable WCCP Support (6 points)

The Cisco WSA has been initialized with IP address of 7.7.4.150 & connected via SW1 in VLAN4.

Using the Test-PC or Candidate PC, connect to WSA and configure as following

Connection Information: http://7.7.4.150:8080/ Username=admin Password=ironport

Initialize the Cisco WSA appliance as follows, using the System Setup Wizard:


Security services:

Parameter                    Setting
Web Proxy                    Enabled
Web Proxy Mode               Transparent
IP Spoofing                  Not enabled
HTTP/S Proxy                 Enabled
Native FTP Proxy             Enabled
L4 Traffic Monitor           Enabled
L4 Traffic Monitor Action    Enabled
Acceptable Use Controls      Enabled
Web Reputation Filters       Enabled
IronPort DVS Engine          Webroot: Enabled; McAfee: Enabled

System setup:

Parameter              Setting
Hostname               Wsa.cisco.com
Management interface   M1
IP Address             7.7.4.150/24
Default Gateway        7.7.4.1
System Information     Admin password: ironport; e-mail: [email protected]; time zone: US/America/LA
NTP Server             7.7.4.1
DNS                    150.1.7.10
L4 Traffic Monitor     Duplex: T1 (in/out)

Accept all other defaults.

From ASA/c2, verify that you can ping M1 interface of WSA:

ASA3/c2(config)# ping 7.7.4.150

Configure WCCP redirect from the inside interface of ASA3/c2 to WSA using:

Redirect-list: for all HTTP and HTTPS traffic

Group-list to limit redirections to the WSA only

Service-group must be in the appropriate range


Note: You can use any names for your redirect-list and group-list.

Be sure to use a numbered service group. Do not use the default web-cache service.

This question is dependent on the completion of Q1.3.

You may have to reboot the WSA after configuring WCCP if the ASA reports the following event in its logs:

WCCP-EVNT: D90: Here_I_Am packet from 7.7.4.150 ignored: bad web-cache id.

Use the following to verify your solution from the Test-PC, and then check HTTP requests on

R3 for the address of the WSA:

(Verification output appears as a screenshot in the original and is not reproduced here.)
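The ASA side of the WCCP redirection, added here as an example and not from the workbook. Service group 90 is taken from the "D90" in the log line the workbook quotes; the optional WCCP password is an assumption. Two things matter beyond the task wording: the redirect-list must exclude the WSA's own traffic or the proxy's outbound fetches loop back to it, and the group-list is the only thing stopping any host on the segment from registering as a "cache" and receiving the redirected traffic.

```cisco
! ASA3, context c2. Example, not from the workbook.
! Redirect-list: client web traffic only. The leading deny keeps the WSA's own requests
! (which arrive on the same interface) from being redirected back to itself.
access-list WCCP_REDIRECT extended deny ip host 7.7.4.150 any
access-list WCCP_REDIRECT extended permit tcp 7.7.4.0 255.255.255.0 any eq www
access-list WCCP_REDIRECT extended permit tcp 7.7.4.0 255.255.255.0 any eq https
!
! Group-list: only this WSA may join service group 90.
access-list WCCP_WSA extended permit ip host 7.7.4.150 any
!
! Dynamic service 90 (matches the "D90" in the logged event). The well-known web-cache
! service (0) is HTTP-only and is excluded by the task.
wccp 90 redirect-list WCCP_REDIRECT group-list WCCP_WSA
! Redirect inbound on the interface the clients and the WSA share.
wccp interface Inside 90 redirect in
!
! Optional shared secret; must match the service definition on the WSA (assumed value).
! wccp 90 redirect-list WCCP_REDIRECT group-list WCCP_WSA password cisco123
!
! Verify: show wccp ; show wccp 90 view ; show wccp 90 detail
```

The ASA only redirects on ingress and requires the cache engine to be reachable through the same interface as the redirected clients, which holds here (WSA and SW1's VLAN4 hosts are both on c2's Inside). On the WSA, the matching service needs ID 90, router address 7.7.4.10 and ports 80 and 443; a "bad web-cache id" event like the one quoted means the two service definitions disagree.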


SECTION III – Secure Access

3.1 Cisco IOS CA Server 5 Points

• The administrator wants to configure R1 as a CA server, which will be used for Secure Neighbor Discovery (SeND) between R4 and R5.

• SW1 is the NTP server; the CA server must synchronize its clock to it (certificates issued from an unsynchronized clock carry invalid validity dates).

• Use the following parameters:

- Root certificate lifetime: 1 year
- Identity certificate lifetime: 200 days
- CRL lifetime: 24 hours
- The CA certificate and key pair must be protected with 3DES using the passphrase cisco123

• The CA server must be reachable over HTTP from anywhere.
• Overwrite the existing certificates if prompted.
• Use the following output to configure the CA:

R1#show crypto key mypubkey rsa

(Verification output appears as a screenshot in the original and is not reproduced here.)


R1# show crypto pki server
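A worked IOS CA configuration for the parameters above, added here as an example and not from the workbook. The RSA key label and modulus, the issuer DN and the NTP address (SW1's VLAN4 address 7.7.4.1, taken from the other tasks) are assumptions, since the show crypto key mypubkey rsa output the task refers to is a screenshot not reproduced here.

```cisco
! R1 as Cisco IOS CA. Example, not from the workbook.
! Time first: the CA refuses to issue, and peers reject, certificates with bad dates.
! Do not "no shutdown" the server until "show ntp status" reports synchronized.
ntp server 7.7.4.1
!
! SCEP enrollment from R4/R5 runs over HTTP to this server.
ip http server
!
! Key pair for the CA. Label must equal the server name; "exportable" is needed so the
! archive below can include the private key. Label and size are assumptions.
crypto key generate rsa general-keys label R1-CA modulus 1024 exportable
!
crypto pki server R1-CA
 database level complete
 database url flash:
 ! PKCS#12 archive of the CA cert and key, encrypted with the given passphrase
 database archive pkcs12 password cisco123
 issuer-name CN=R1-CA,O=lab
 lifetime ca-certificate 365
 lifetime certificate 200
 lifetime crl 24
 ! Lab convenience only: auto-grant means anyone who can reach TCP/80 gets a certificate.
 ! In production leave requests pending and approve with "crypto pki server R1-CA grant".
 grant auto
 no shutdown
! Verify: show crypto pki server ; show crypto key mypubkey rsa ; show crypto pki certificates
```

show crypto pki server should report the server as "enabled" with the three lifetimes as configured; if it stays "disabled", the usual causes are an unsynchronized clock or a key label that does not match the server name.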

3.2 Remote-Access VPN or EzVPN Troubleshooting 5 Points

Easy VPN has been preconfigured on R6 (server) and R3 (client) using preshared key.

Identify the faults and ensure that tunnel is established. ACL defining the traffic is already preconfigured. Tunnel should be active ONLY when it detects the interesting traffic.

You are required to Match the following output :

(Verification output appears as a screenshot in the original and is not reproduced here.)


R3# show crypto ipsec client ezvpn

R3# show crypto isakmp profile

R3# show crypto session


3.3 Troubleshooting DMVPN Phase 3 with Dual hubs (6 points)

In this question R1 and R2 are dual DMVPN hubs, with R4 and R5 as spokes that peer with both hubs for redundancy. The hubs are pre-configured. Complete the configuration of the spokes and troubleshoot the solution using the following information:

- 172.16.23.1 and 172.16.23.2: IP addresses of the dual hubs
- 172.16.23.4 and 172.16.23.5: IP addresses of the dual spokes

Each spoke must peer with both hubs, and direct spoke-to-spoke communication must occur using NHRP shortcut capabilities.

EIGRP AS 123 is preconfigured and must advertise Loopback0 of R4 and R5 and network 10.2.2.0/24 of R1 and R2.


Verify your solution as follows:

R1#Show crypto session

R2#Show crypto session

(Verification output appears as a screenshot in the original and is not reproduced here.)


3.4 Configure Security Features on the Cisco WLC 5 Points

The WLC manages the configuration and control of the Cisco AP 1242

(There is no need to change any settings on the AP itself)

To complete this question you can use the CLI on the WLC, or the web GUI via http://7.7.7.11/

Username =cisco Password=Cisco123.

1. Configure 802.1x support on the WLC. This information is pushed to the AP in the rack and will facilitate 802.1x authentication.

2. To protect the network from rogue APs associating with the WLC, configure the WLC with the following rogue rule:

- Rogue rule name: Rogue
- Type: Malicious
- SSID: Rogue
- Must be heard at an RSSI of -60 dBm or stronger
- Classify only if the rogue is not using encryption

3. Enable Management Frame Protection (MFP) globally for APs on the WLC.

4. Configure a policy that identifies AP1 in the rack as a friendly AP.


SECTION IV. System Hardening and Availability

4.1 Troubleshoot Secure Routing Using OSPFv3 in Cisco IOS (4 points)

OSPFv3 has been partially pre-configured between R1 & R2 using command “ipv6 router ospf 2”

Complete configuration and troubleshooting as required to meet the following requirements:

1. Configure AH MD5 authentication for area 0 to protect the routing information. You can define your own keys.

2. Ensure that the IPv6 addresses of interface Loopback3 on R1 and R2 are advertised using OSPFv3 via Gig 0/0 on R1 and R2.
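One complete answer for both requirements, added here as an example and not from the workbook. The router-id, SPI and key are lab values (the key must be exactly 32 hex digits and identical on R1 and R2, and the SPI must match as well). OSPFv3 has no protocol-level authentication; area-wide AH MD5 hands the job to IPsec, and a mismatch shows up as a neighbor that never leaves INIT rather than as an explicit error.

```cisco
! R1. R2 gets the same lines with its own router-id. Example, not from the workbook.
! SPI and key are assumed lab values; both sides must use the same SPI and key.
ipv6 unicast-routing
ipv6 router ospf 2
 router-id 1.1.1.1
 area 0 authentication ipsec spi 256 md5 0123456789ABCDEF0123456789ABCDEF
!
! Requirement 2: Gig 0/0 carries the adjacency, Loopback3 is what gets advertised.
interface GigabitEthernet0/0
 ipv6 ospf 2 area 0
interface Loopback3
 ipv6 ospf 2 area 0
!
! Verify: show ipv6 ospf interface GigabitEthernet0/0  (authentication MD5, SPI 256, socket UP)
!         show ipv6 ospf neighbor ; show ipv6 route ospf ; show crypto ipsec sa
```

If an interface in area 0 already had a pre-configured ipv6 ospf authentication line, that interface-level setting overrides the area-level one and must agree with the peer; show ipv6 ospf interface tells you which one is in effect.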

4.2 Troubleshoot IP Options Handling on the Cisco ASA (3 points)

The following information has appeared in an error message on ASA1 for IGMPv2 traffic transiting ASA1:

%ASA-6-106012: Deny IP from 7.7.5.15 to 225.17.1.1, IP options: “Router Alert”

Configure ASA1 to prevent this error message and allow IGMPv2 to function correctly on all interfaces.
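The fix, added here as an example and not from the workbook. Message 106012 is the default IP-options inspection dropping a packet whose option it has not been told to allow; IGMPv2 queries and reports carry the Router Alert option (148), so that option has to be allowed explicitly. The policy is attached to the global service policy, which is how "for all interfaces" is met with one statement.

```cisco
! ASA1. Example, not from the workbook.
! Allow Router Alert (IGMPv2 needs it) and keep the two harmless padding options allowed;
! any other IP option still hits the default action and is dropped.
policy-map type inspect ip-options IP_OPTIONS_POLICY
 parameters
  router-alert action allow
  nop action allow
  eool action allow
!
! Replace the default ip-options map inside the global inspection class.
policy-map global_policy
 class inspection_default
  inspect ip-options IP_OPTIONS_POLICY
!
! Applying globally covers Outside, Inside and Dmz alike.
service-policy global_policy global
! Verify: show service-policy inspect ip-options ; clear logging buffer, then watch for 106012
```

"action allow" passes the packet with the option intact, which IGMP requires; "action clear" would forward the packet but strip the option, and a snooping switch or the next router may then ignore the report.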


4.3 Configure Netflow on Cisco IOS Router 3 Points

Configure NetFlow version 9 on R6 using the following requirements:

1. Define an IP flow top-talkers policy to be applied on Gig 0/1.1 as follows:
- Display the top 10 talkers for Telnet traffic
- Randomly sample traffic at a rate of one out of 10 packets

2. Verbose NetFlow output must display:
- IP addresses
- MAC addresses
- VLAN IDs

Verify your solution by telnetting from R4 to R1 and checking the output of the commands below:

R6# show ip cache verbose flow

R6# show ip flow top-talkers
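An example configuration for both requirements, added here and not from the workbook. It assumes Telnet is identified by TCP destination port 23 and that Gig 0/1.1 is the ingress subinterface for the R4-to-R1 session; the exact set of match keywords under ip flow-top-talkers varies slightly between IOS releases.

```cisco
! R6. Example, not from the workbook.
ip flow-export version 9
!
! Requirement 2: MAC addresses and VLAN IDs appear in "show ip cache verbose flow"
! only when their capture is enabled (they cost cache memory, so they are off by default).
ip flow-capture mac-addresses
ip flow-capture vlan-id
!
! Random sampler: one packet in ten is fed to the flow cache. Applying a sampler
! replaces "ip flow ingress" on that interface.
flow-sampler-map SAMPLE_1_IN_10
 mode random one-out-of 10
!
interface GigabitEthernet0/1.1
 flow-sampler SAMPLE_1_IN_10
!
! Requirement 1: top 10 Telnet flows by packet count (assumption: Telnet = TCP/23).
ip flow-top-talkers
 top 10
 sort-by packets
 match protocol tcp
 match destination port min 23 max 23
!
! Verify after "telnet" from R4 to R1 through R6:
!   show ip cache verbose flow ; show ip flow top-talkers ; show flow-sampler
```

With a 1-in-10 sampler, a short Telnet session may produce only a handful of sampled packets; let the session run for a minute (or generate some output on it) before expecting it to appear in the top-talkers table.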


4.4 Implement SNMP 4 Points

Configure SNMP on SW6 to send traps to the management server (ISE1, 150.1.7.20). Configure SW6 to send a trap to ISE if any interface goes up or down. No configuration is required on ISE for this task. Match the trap format shown in the output below (the captured example is a MAC-change notification sent to ISE):

SW6# debug snmp packet

Jul 05 23:15:34.644: SNMP: Queuing packet to 150.1.7.20
Jul 05 23:15:34.644: SNMP: V2 Trap, reqid 32, errstat 0, erridx 0
 sysUpTime.0 = 5085919
 snmpTrapOID.0 = cmnMacChangedNotification
 cmnHistMacChangedMsg.1 = 02 00 07 E8 B7 48 D6 DA 4A 00 07 00
 cmnHistTimestamp.1 = 5085919
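An example switch configuration that produces the V2 trap above, added here and not from the workbook. The community string and the trap-enabled port are assumptions. The debug shows SNMPv2c, which carries the community in cleartext, so the read-only community is bound to an ACL that admits only ISE1; this also serves Q6.1 item 4, where ISE consumes these traps for profiling.

```cisco
! SW6. Example, not from the workbook. "ciscoro" is an assumed community string.
! v2c is what the captured trap uses; restrict who may query with that string.
ip access-list standard SNMP_MGMT
 permit 150.1.7.20
snmp-server community ciscoro RO SNMP_MGMT
!
! Trap destination: ISE1. Only the notification types named here are sent to it.
snmp-server host 150.1.7.20 version 2c ciscoro snmp mac-notification
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change
!
! MAC-change notifications need the global history table and per-port enablement;
! the phone port from Q6.2 is used here (assumption).
mac address-table notification change
interface GigabitEthernet1/0/1
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 snmp trap link-status
!
! Verify: debug snmp packet ; show snmp host ; show mac address-table notification change
```

Bouncing the port (shutdown / no shutdown) should produce a linkDown/linkUp pair, and the phone re-learning on the port produces the cmnMacChangedNotification shown; show snmp host confirms the destination and notification types actually bound to ISE1.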


SECTION V. Threat Identification and Mitigation

5.1 Implement IPV6 First Hop Security 6 Points

The administrator wants to protect IPv6 Neighbor Discovery, which is vulnerable by default, against attacker threats.

Configure Secure Neighbor Discovery (SeND) for NDP with CGA and RSA signatures on R4 and R5.

Configure CGA with a minimum key length of 512 and a minimum security level of 1.

Do not enable full-secure globally; this may affect other features on the router.

Verify your configuration against the output below:

show crypto key mypubkey rsa


show crypto ca certificate

5.2 Preventing IP Spoofing 3 Points

A spoofing attack is possible against subnet 10.2.2.0, which sits behind R1 and R2 in the DMZ. An access list that simply permits ip 7.7.3.0 255.255.255.0 is a poor way of protecting ASA1, because it accepts any packet that merely claims a 7.7.3.x source address. Prevent IP spoofing on ASA1 using RFC 2827 ingress filtering (unicast reverse-path forwarding). Verify your solution using the following command:

ASA1# show ip verify statistics

(Verification output appears as a screenshot in the original and is not reproduced here.)
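The ASA1 configuration for this task, added here as an example and not from the workbook. Unicast RPF accepts a packet only if the ASA's best route back to its source points out the interface the packet arrived on, which is exactly the check RFC 2827 asks for and the one a source-address ACL cannot make.

```cisco
! ASA1. Example, not from the workbook.
! Inside: only sources the routing table reaches via Inside (7.7.3.0/24 and whatever
! the default route covers) are accepted here.
ip verify reverse-path interface Inside
!
! Dmz: a packet claiming a 10.2.2.x source is accepted only because that network is
! routed via R1/R2 on the Dmz; the same source arriving on Inside or Outside is dropped.
ip verify reverse-path interface Dmz
!
! Outside: no default route points here (Q1.1 puts it on Inside), so uRPF on Outside
! only admits sources that area 0 routes actually cover, and drops spoofed inside/DMZ sources.
ip verify reverse-path interface Outside
!
! Verify: show ip verify statistics  (per-interface counters of packets dropped)
!         clear ip verify statistics
```

Because the default route in Q1.1 is on Inside, enabling uRPF on Outside is stricter than usual: any Internet-style source not covered by an OSPF route from area 0 is dropped there. If that breaks the Q1.1 pings from the outside subnets, keep the check on Inside and Dmz only, which still meets the task.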


SECTION VI. Identity Management

6.1 Configure the Cisco Access Point as an 802.1X supplicant (6 points)

The Cisco Access Point 1242 is managed and controlled by the Cisco WLC, which should only be allowed to communicate with 802.1X-authorized APs.

In this question you are required to configure 802.1X support for the AP on SW6 (RADIUS source interface 7.7.7.2/VLAN7) and ISE1 (150.1.7.20).

Use the information below to complete the question

1. Create an identity for the AP on ISE1 using the credentials created in the 802.1x task in Q3.4 that will be used for authentication and mapped to an authorization policy

2. Configure an Authorization Profile and Authorization Policy rule for Cisco Access point as follows


Parameter                  Setting
Name                       Cisco_Access_Points
Description                Permit Cisco AP 1242
Access Type                Access_Accept
Common Tasks: DACL Name    AP_DACL
DACL Policy                Permit CAPWAP (UDP 5246/5247) and DNS
VLAN                       7

3. Configure SW6 G1/0/5 for 802.1X support, which will enable the Cisco AP to authenticate via RADIUS to ISE1 and receive an authorization policy.

4. SNMP traps from SW6 should be used for making policy for the switch.


6.2 Configure Support for MAB/802.1X for Voice and Data VLANs

Part A: Authentication and Authorization of Cisco IP Phone with MAB (6 points)

The Cisco IP Phone is connected to interface g1/0/1 on SW6. It receives an IP address via DHCP from the 7.7.9.0/24 subnet and registers with CUCME on R6 (via 7.7.20.3).

The requirement is to add security to this connection through authentication and authorization on SW6 using MAC Authentication Bypass (MAB), so that the RADIUS attributes required to move the phone into the voice VLAN are assigned.

Use the following information to complete this task:

- Create an Endpoint Identity for the IP Phone in your Rack on ISE1 (150.1.7.20)

- Verify that you have an authentication rule for MAB on the Cisco ISE.

- Verify that the standard authorization policy for Cisco IP Phones exists and is allowing a permit on all traffic on ISE1.

- Configure g1/0/1 on SW6 to support a voice VLAN (9) and data VLAN (99)


- Voice VLAN will support MAB for authentication

- Data VLAN will provide support for the Test-PC, which must connect through the phone using 802.1X.

- SW6 must attempt MAB authentication first after learning the MAC address of an endpoint. If MAB is not successful, 802.1X endpoints should be allowed to connect.

The following output should be used to verify your solution

(Verification output appears as a screenshot in the original and is not reproduced here.)
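The SW6 side of both Q6.1 (the AP as supplicant on G1/0/5) and Q6.2 Part A (phone plus Test-PC on G1/0/1), added here as one example because they share the same global AAA and RADIUS configuration; none of it is from the workbook. The RADIUS key is an assumption and must match the network device entry for SW6 on ISE1. Two dependencies the task list does not spell out: downloadable ACLs such as AP_DACL are applied against the endpoint's IP, which the switch only knows with IP device tracking enabled, and the phone lands in the voice domain only if ISE returns the voice device-traffic-class attribute (the standard Cisco IP Phones profile does).

```cisco
! SW6. Example serving Q6.1 and Q6.2; not from the workbook. "cisco123" is an assumed RADIUS key.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 150.1.7.20 auth-port 1812 acct-port 1813 key cisco123
! ISE needs the Cisco VSAs; the task requires RADIUS to be sourced from VLAN7 (7.7.7.2).
radius-server vsa send authentication
ip radius source-interface Vlan7
dot1x system-auth-control
! Per-endpoint IP for downloadable ACLs (AP_DACL, DATA_VLAN_DACL)
ip device tracking
!
! Q6.1: the AP is an 802.1X supplicant; VLAN 7 and AP_DACL come back from ISE.
interface GigabitEthernet1/0/5
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! Q6.2: phone in voice VLAN 9 via MAB, Test-PC behind it in data VLAN 99 via 802.1X.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 99
 switchport voice vlan 9
 ! one data device plus one voice device on the same port
 authentication host-mode multi-domain
 ! MAB first (the phone has no supplicant); if MAB fails, fall through to 802.1X
 authentication order mab dot1x
 ! a host that later sends EAPOL may replace its MAB result with an 802.1X one
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! Verify: show authentication sessions interface GigabitEthernet1/0/1 details
!         show dot1x interface GigabitEthernet1/0/5 details
```

show authentication sessions ... details on G1/0/1 should list two sessions, the phone with Domain VOICE, Method mab, and the Test-PC with Domain DATA, Method dot1x, each with the downloaded ACL name under "ACS ACL"; a phone that lands in the DATA domain means ISE returned no voice attribute for it.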


Part B: (6 points)

Authentication and Authorization of 802.1X Client through a Cisco IP Phone

The Test-PC must be allowed to connect through the authenticated Cisco IP Phone

1. SW6 G1/0/1 should already have been configured to support a voice and data VLAN in Part A of this question.

2. Configure an Authorization Profile and Authorization Policy rule for the Test-PC on ISE1 using the following information:

Attribute                  Value
Group Name                 Test-PC_Group
Username/Password          test-PC/Cisc0123
Access Type                Access_Accept
Common Tasks: DACL Name    DATA_VLAN_DACL
DACL Policy                permit ip any any
VLAN                       99


The following output should be used for verification

(Verification output appears as a screenshot in the original and is not reproduced here.)



Thank You for using cciesecuritylabs workbooks.