CCIE Security Lab Exam v3.0 Checklist

1.0 Implementing Secure Networks Using Cisco ASA Firewalls
Configuring and Troubleshooting Cisco ASA Firewalls
1.01 Initializing the Basic Cisco ASA Firewall (IP Address, Mask, Default Route, etc.)
1.02 Understanding Security Levels (Same Security Interface)
1.03 Understanding Single vs. Multimode
1.04 Understanding Firewall vs. Transparent Mode
1.05 Understanding Multiple Security Contexts
1.06 Understanding Shared Resources for Multiple Contexts
1.07 Understanding Packet Classification in Multiple-Contexts Mode
1.08 VLAN Subinterfaces Using 802.1Q Trunking
1.09 Multiple-Mode Firewall with Outside Access
1.10 Single-Mode Firewall Using the Same Security Level
1.11 Multiple-Mode, Transparent Firewall
1.12 Single-Mode, Transparent Firewall with NAT
1.13 ACLs in Transparent Firewall (for Pass-Through Traffic)
1.14 Understanding How Routing Behaves on the Adaptive Security Appliance (Egress and Next-Hop Selection Process)
1.15 Understanding Static vs. Dynamic Routing
1.16 Static Routes
1.17 RIP with Authentication
1.18 OSPF with Authentication
1.19 EIGRP with Authentication
1.20 Managing Multiple Routing Instances
1.21 Redistribution Between Protocols
1.22 Route Summarization
1.23 Route Filtering
1.24 Static Route Tracking Using an SLA
1.25 Dual ISP Support Using Static Route Tracking
1.26 Redundant Interface Pair
1.27 LAN-Based Active/Standby Failover (Routed Mode)
1.28 LAN-Based Active/Active Failover (Routed Mode)
1.29 LAN-Based Active/Standby Failover (Transparent Mode)
1.30 LAN-Based Active/Active Failover (Transparent Mode)
1.31 Stateful Failover Link
1.32 Device Access Management
1.33 Enabling Telnet
1.34 Enabling SSH
1.35 The nat-control Command vs. no nat-control Command
1.36 Enabling Address Translation (NAT, Global, and Static)
1.37 Dynamic NAT
1.38 Dynamic PAT
1.39 Static NAT
1.40 Static PAT
1.41 Policy NAT
1.42 Destination NAT
1.43 Bypassing NAT When NAT Control Is Enabled Using Identity NAT
1.44 Bypassing NAT When NAT Control Is Enabled Using NAT Exemption
1.45 Port Redirection Using NAT
1.46 Tuning Default Connection Limits and Timeouts
1.47 Basic Interface Access Lists and Access Group (Inbound and Outbound)
1.48 Time-Based Access Lists
1.49 ICMP Commands
1.50 Enabling Syslog and Parameters
1.51 NTP with Authentication
1.52 Object Groups (Network, ICMP, Protocol, and Services)
1.53 Nested Object Groups
1.54 URL Filtering
1.55 Java Filtering
1.56 ActiveX Filtering
1.57 ARP Inspection
1.58 Modular Policy Framework (MPF)
1.59 Application-Aware Inspection
1.60 Identifying Injected Errors in Troubleshooting Scenarios
1.61 Understanding and Interpreting Adaptive Security Appliance show and debug Outputs
1.62 Understanding and Interpreting the packet-tracer and capture Commands

2.0 Implementing Secure Networks Using Cisco IOS Firewalls
Configuring and Troubleshooting Cisco IOS Firewalls
2.01 Zone-Based Policy Firewall Using Multiple-Zone Scenarios
2.02 Transparent Cisco IOS Firewall (Layer 2)
2.03 Context-Based Access Control (CBAC)
2.04 Proxy Authentication (Auth Proxy)
2.05 Port-to-Application Mapping (PAM) Usage with ACLs
2.06 Use of PAM to Change System Default Ports
2.07 PAM Custom Ports for Specific Applications
2.08 Mapping Nonstandard Ports to Standard Applications
2.09 Performance Tuning
2.10 Tuning Half-Open Connections
2.11 Understanding and Interpreting the show ip port-map Commands
2.12 Understanding and Interpreting the show ip inspect Commands
2.13 Understanding and Interpreting the debug ip inspect Commands
2.14 Understanding and Interpreting the show zone|zone-pair Commands
2.15 Understanding and Interpreting the debug zone Commands

3.0 Implementing Secure Networks Using Cisco VPN Solutions
Configuring and Troubleshooting Cisco VPN Solutions
3.01 Understanding Cryptographic Protocols (ISAKMP, IPsec, ESP, Authentication Header, IKE, CA)
3.02 IPsec VPN Architecture on Cisco IOS Software and Cisco ASA Security Appliance
3.03 Configuring VPNs Using ISAKMP Profiles
3.04 Configuring VPNs Using IPsec Profiles
3.05 GRE over IPsec Using IPsec Profiles
3.06 Router-to-Router Site-to-Site IPsec Using the Classical Command Set (Using Preshared Keys and Certificates)
3.07 Router-to-Router Site-to-Site IPsec Using the New VTI Command Set (Using Preshared Keys and Certificates)
3.08 Router-to-ASA Site-to-Site IPsec (Using Preshared Keys and Certificates)
3.09 Understanding DMVPN Architecture (NHRP, mGRE, Routing)
3.10 DMVPN Using NHRP and mGRE (Hub-and-Spoke)
3.11 DMVPN Using NHRP and mGRE (Full-Mesh)
3.12 DMVPN Through Firewalls and NAT Devices
3.13 Understanding GET VPN Architecture (GDOI, Group Member, Key Server, KEK, TEK, Rekey, Header Preservation, and COOP)
3.14 Implementing GET VPN (Using Preshared Keys and Certificates)
3.15 GET VPN Unicast Rekey
3.16 GET VPN Multicast Rekey
3.17 GET VPN Group Member Authorization List
3.18 GET VPN Key Server Redundancy
3.19 GET VPN Through Firewalls and NAT Devices
3.20 Integrating GET VPN with a DMVPN Solution
3.21 Basic VRF-Aware IPsec
3.22 Enabling the CA (PKI) Server (on the Router and Cisco ASA Security Appliance)
3.23 CA Enrollment Process on a Router Client
3.24 CA Enrollment Process on a Cisco ASA Security Appliance Client
3.25 CA Enrollment Process on a PC Client
3.26 Clientless SSL VPN (Cisco IOS WebVPN) on the Cisco ASA Security Appliance (URLs)
3.27 AnyConnect VPN Client on Cisco IOS Software
3.28 AnyConnect VPN Client on the Cisco ASA Security Appliance
3.29 Remote Access Using a Traditional Cisco VPN Client – on a Cisco IOS Router
3.30 Remote Access Using a Traditional Cisco VPN Client – on a Cisco ASA Security Appliance
3.31 Cisco Easy VPN – Router Server and Router Client (Using DVTI)
3.32 Cisco Easy VPN – Router Server and Router Client (Using Classical Style)
3.33 Cisco Easy VPN – Cisco ASA Server and Router Client
3.34 Cisco Easy VPN Remote Connection Modes (Client, Network, Network+)
3.35 Enabling Extended Authentication (XAUTH) on Cisco IOS Software and the Cisco ASA Security Appliance
3.36 Enabling Split Tunneling on Cisco IOS Software and the Cisco ASA Security Appliance
3.37 Enabling Reverse Route Injection (RRI) on Cisco IOS Software and the Cisco ASA Security Appliance
3.38 Enabling NAT-T on Cisco IOS Software and the Cisco ASA Security Appliance
3.39 High-Availability Stateful Failover for IPsec with Stateful Switchover (SSO) and Hot Standby Router Protocol (HSRP)
3.40 High Availability Using Link Resiliency (with Loopback Interface for Peering)
3.41 High Availability Using HSRP and RRI
3.42 High Availability Using IPsec Backup Peers
3.43 High Availability Using GRE over IPsec (Dynamic Routing)
3.44 Basic QoS Features for VPN Traffic on Cisco IOS Software and the Cisco ASA Security Appliance
3.45 Identifying Injected Errors in Troubleshooting Scenarios (for Site-to-Site, DMVPN, GET VPN, and Cisco Easy VPN)
3.46 Understanding and Interpreting the show crypto Commands
3.47 Understanding and Interpreting the debug crypto Commands

4.0 Configuring Cisco IPS to Mitigate Network Threats
Configuring and Troubleshooting Cisco IPS
4.01 Understanding Cisco IPS System Architecture (System Design, MainApp, SensorApp, EventStore)
4.02 Understanding Cisco IPS User Roles (Administrator, Operator, Viewer, Service)
4.03 Understanding Cisco IPS Command Modes (Privileged, Global, Service, Multi-Instance)
4.04 Understanding Cisco IPS Interfaces (Command and Control, Sensing, Alternate TCP Reset)
4.05 Understanding Promiscuous (IDS) vs. Inline (IPS) Monitoring
4.06 Initialization Basic Sensor (IP Address, Mask, Default Route, etc.)
4.07 Troubleshooting Basic Connectivity Issues
4.08 Managing Sensor ACLs
4.09 Allowing Services Ping and Telnet from/to Cisco IPS
4.10 Enabling Physical Interfaces
4.11 Promiscuous Mode
4.12 Inline Interface Mode
4.13 Inline VLAN Pair Mode
4.14 VLAN Group Mode
4.15 Inline Bypass Mode
4.16 Interface Notifications
4.17 Understanding the Analysis Engine
4.18 Creating Multiple Security Policies and Applying Them to Individual Virtual Sensors
4.19 Understanding and Configuring Virtual Sensors (vs0, vs1)
4.20 Assigning Interfaces to the Virtual Sensor
4.21 Understanding and Configuring Event Action Rules (rules0, rules1)
4.22 Understanding and Configuring Signatures (sig0, sig1)
4.23 Adding Signatures to Multiple Virtual Sensors
4.24 Understanding and Configuring Anomaly Detection (ad0, ad1)
4.25 Using the Cisco IDM (IPS Device Manager)
4.26 Using Cisco IDM Event Monitoring
4.27 Displaying Events Triggered Using the Cisco IPS Console
4.28 Troubleshooting Events Not Triggering
4.29 Displaying and Capturing Live Traffic on the Cisco IPS Console (Packet Display and Packet Capture)
4.30 SPAN and RSPAN
4.31 Rate Limiting
4.32 Configuring Event Action Variables
4.33 Target Value Ratings
4.34 Event Action Overrides
4.35 Event Action Filters
4.36 Configuring General Settings
4.37 General Signature Parameters
4.38 Alert Frequency
4.39 Alert Severity
4.40 Event Counter
4.41 Signature Fidelity Rating
4.42 Signature Status
4.43 Assigning Actions to Signatures
4.44 AIC Signatures
4.45 IP Fragment Reassembly
4.46 TCP Stream Reassembly
4.47 IP Logging
4.48 Configuring SNMP
4.49 Signature Tuning (Severity Levels, Throttle Parameters, Event Actions)
4.50 Creating Custom Signatures (Using the CLI and Cisco IDM)
4.51 Understanding Various Types of Signature Engines
4.52 Understanding Various Types of Signature Variables
4.53 Understanding Various Types of Event Actions
4.54 Understanding New Cisco IPS 6.0 Features (e.g., Deny Packets for High-Risk Events by Default)
4.55 Creating a Custom String TCP Signature
4.56 Creating a Custom Flood Engine Signature
4.57 Creating a Custom AIC MIME-Type Engine Signature
4.58 Creating a Custom Service HTTP Signature
4.59 Creating a Custom Service FTP Signature
4.60 Creating a Custom ATOMIC.ARP Engine Signature
4.61 Creating a Custom ATOMIC.IP Engine Signature
4.62 Creating a Custom TCP Sweep Signature
4.63 Creating a Custom ICMP Sweep Signature
4.64 Creating a Custom Trojan Engine Signature
4.65 Enabling Shunning and Blocking (Enabling Blocking Properties)
4.66 Shunning on a Router
4.67 Shunning on the Cisco ASA Security Appliance
4.68 Enabling the TCP Reset Function
4.69 Cisco IOS IPS on a Router Using Version 5.x Format Signatures
4.70 Loading a Version 5.x Signature File onto the Router
4.71 Understanding the Signature Engines for Cisco IOS IPS
4.72 Transparent Cisco IOS IPS

5.0 Implementing Identity Management
Configuring and Troubleshooting Identity Management
5.01 Understanding the AAA Framework
5.02 Understanding the RADIUS Protocol
5.03 Understanding RADIUS Attributes (Cisco AV-PAIRS)
5.04 Understanding the TACACS+ Protocol
5.05 Understanding TACACS+ Attributes
5.06 Comparison of RADIUS and TACACS+
5.07 Configuring Basic LDAP Support
5.08 Overview of Cisco Secure ACS
5.09 How to Navigate Cisco Secure ACS
5.10 Cisco Secure ACS – Network Settings Parameters
5.11 Cisco Secure ACS – User Settings Parameters
5.12 Cisco Secure ACS – Group Settings Parameters
5.13 Cisco Secure ACS – Shared Profiles Components (802.1X, NAF, NAR, Command Author, Downloadable ACL, etc.)
5.14 Cisco Secure ACS – Shell Command Authorization Sets Using Both Per-Group Setup and Shared Profiles
5.15 Cisco Secure ACS – System Configuration Parameters
5.16 Cisco Secure ACS – Posture Validation Policies for NAC Setup
5.17 Cisco Secure ACS – Using Network Access Profiles (NAPs)
5.18 Cisco Secure ACS – MAC Authentication Bypass (MAB) Using NAP
5.19 Enabling AAA on a Router for vty Lines
5.20 Enabling AAA on a Switch for vty Lines
5.21 Enabling AAA on a Router for HTTP
5.22 Enabling AAA on the Cisco ASA Security Appliance for Telnet and SSH Protocols
5.23 Using Default vs. Named Method Lists
5.24 Complex Command Authorization and Privilege Levels, and Relevant Cisco Secure ACS Profiles
5.25 Proxy Service Authentication and Authorization on the Cisco ASA Security Appliance for Pass-Through Traffic (FTP, Telnet, and HTTP), and Relevant Cisco Secure ACS Profiles
5.26 Using Virtual Telnet on the Cisco ASA Security Appliance
5.27 Using Virtual HTTP on the Cisco ASA Security Appliance
5.28 Downloadable ACLs
5.29 AAA 802.1X Authentication Using RADIUS on a Switch
5.30 NAC-L2-802.1X on a Switch
5.31 NAC-L2-IP on a Switch
5.32 Troubleshooting Failed AAA Authentication or Authorization
5.33 Troubleshooting Using Cisco Secure ACS Logs
5.34 Using the test aaa Command on the Router, Switch, or Cisco ASA Security Appliance
5.35 Understanding and Interpreting the debug radius Command
5.36 Understanding and Interpreting the debug tacacs+ Command
5.37 Understanding and Interpreting the debug aaa authentication Command
5.38 Understanding and Interpreting the debug aaa authorization Command
5.39 Understanding and Interpreting the debug aaa accounting Command

6.0 Implementing Control Plane and Management Plane Security
Configuring and Troubleshooting Router Traffic Plane Security
6.01 Understanding Four Types of Traffic Planes on a Cisco Router (Control, Management, Data, and Services)
6.02 Understanding Control Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Control Plane
6.03 Understanding Management Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Management Plane
6.04 Configuring Control Plane Policing (CoPP)
6.05 Control Plane Rate Limiting
6.06 Disabling Unused Control Plane Services (IP Source Routing, Proxy ARP, Gratuitous ARP, IP Redirect, IP Mask Reply, etc.)
6.07 Selective Packet Discard (SPD)
6.08 MQC and FPM Types of Service Policy on the CoPP Interface
6.09 Broadcast Control on a Switch
6.10 Catalyst Switch Port Security
6.11 Cisco IOS Software-Based CPU Protection Mechanisms (Options Drop, Logging Interval, CPU Threshold)
6.12 The Generalized TTL Security Mechanism Known as “BGP TTL Security Hack” (BTSH)
6.13 Device Access Control (vty ACL, HTTP ACL, SSH Access, Privilege Levels)
6.14 SNMP Security
6.15 System Banners
6.16 Secure Cisco IOS File Systems
6.17 Understanding and Enabling Syslog
6.18 NTP with Authentication
6.19 Role-Based CLI Views and Cisco Secure ACS Setup
6.20 Service Authentication on Cisco IOS Software (FTP, Telnet, HTTP)
6.21 Network Telemetry Identification and Classification of Security Events (IP Traffic Flow, NetFlow, Syslog, SNMP, RMON)
6.22 Disabling Unused Management Plane Services (Finger, BOOTP, DHCP, Cisco Discovery Protocol, etc.)
6.23 MPP (Management Plane Protection) and Understanding OOB (Out-of-Band) Management Interfaces
6.24 Configuring Protocol Authentication
6.25 Route Filtering and Protocol-Specific Filters
6.26 ICMP Techniques to Reduce the Risk of ICMP-Related DoS Attacks (IP Unreachable, etc.)

7.0 Configuring Advanced Security
Configuring and Troubleshooting Advanced Security Features
7.01 Implementing RFC 1918 Antispoofing Filtering
7.02 Implementing RFC 2827 Antispoofing Filtering
7.03 Implementing RFC 2401 Antispoofing Filtering
7.04 Marking Packets Using DSCP and IP Precedence and Other Values
7.05 Unicast RPF (uRPF) With or Without an ACL (Strict and Loose Mode)
7.06 RTBH Filtering (Remote Triggered Black Hole)
7.07 Basic Traffic Filtering Using Access Lists: SYN Flags, Established (Named vs. Numbered ACLs)
7.08 Managing Time-Based Access Lists
7.09 Enabling NAT and PAT on a Router
7.10 Conditional NAT on a Router
7.11 Multihome NAT on a Router
7.12 Enabling a TCP Intercept on a Router
7.13 Enabling a TCP Intercept on the Cisco ASA Security Appliance
7.14 FPM (Flexible Packet Matching) and Protocol Header Definition File (PHDF) Files and Configuration of Nested Policy Maps
7.15 CAR Rate Limiting with Traffic Classification Using ACLs
7.16 PBR (Policy-Based Routing) and Use of Route Maps
7.17 Advanced MQC (Modular QoS CLI) on a Router
7.18 Advanced Modular Policy Framework (MPF) on the Cisco ASA Security Appliance
7.19 Classification Using NBAR
7.20 Understanding and Enabling NetFlow on a Router
7.21 Traffic Policing on a Router
7.22 Port Security on a Switch
7.23 Storm Control on a Switch
7.24 Private VLAN (PVLAN) on a Switch
7.25 Port Blocking on a Switch
7.26 Port ACL on a Switch
7.27 MAC ACL on a Switch
7.28 VLAN ACL on a Switch
7.29 Spanning Tree Protocol (STP) Protection Using BPDU Guard and Loop Guard on a Switch
7.30 DHCP Snooping on a Switch
7.31 IP Source Guard on a Switch
7.32 Dynamic ARP Inspection (DAI) on a Switch
7.33 Disabling DTP on All Nontrunking Access Ports

8.0 Identifying and Mitigating Network Attacks
Configuring and Troubleshooting Network Attacks
Note: This section uses the same products and technologies discussed in all the previous sections above, particularly the “Configuring Advanced Security” section, but with greater focus and emphasis on reactive measures and attack mitigation.
8.01 Concept of Proactive vs. Reactive Measures
8.02 Knowledge of Protocols: TCP, UDP, ICMP, HTTP, SMTP, FTP
8.03 Knowledge of Common Attacks: Network Reconnaissance, IP Spoofing, MAC Spoofing, DHCP Snooping, ARP Snooping, DNS Spoofing, Fragment Attack, Smurf Attack, TCP SYN Attack
8.04 Understanding and Interpreting ARP Header Structure
8.05 Understanding and Interpreting IP Header Structure
8.06 Understanding and Interpreting TCP Header Structure
8.07 Understanding and Interpreting UDP Header Structure
8.08 Understanding and Interpreting HTTP Header Structure
8.09 Understanding and Interpreting ICMP Header Structure
8.10 Understanding and Interpreting ICMP Type Name and Codes
8.11 Understanding and Interpreting Syslog Messages
8.12 Understanding and Interpreting Packet Capture Outputs (Sniffer, Ethereal, Wireshark, TCPDump)
8.13 Understanding Different Types of Attack Vectors
8.14 Interpreting Various show and debug Outputs
8.15 Traffic Characterization
8.16 Packet Classification
8.17 Packet-Marking Techniques
8.18 Classifying Attack Patterns Using FPM
8.19 Memorizing Common Protocol and Port Numbers
8.20 Preventing an ICMP Attack Using ACLs
8.21 Preventing an ICMP Attack Using NBAR
8.22 Preventing an ICMP Attack Using Policing
8.23 Preventing an ICMP Attack Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance
8.24 Preventing a SYN Attack Using ACLs
8.25 Preventing a SYN Attack Using NBAR
8.26 Preventing a SYN Attack Using Policing
8.27 Preventing a SYN Attack Using CBAC
8.28 Preventing a SYN Attack Using CAR
8.29 Preventing a SYN Attack Using a TCP Intercept
8.30 Preventing a SYN Attack Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance
8.31 Preventing Application Protocol–Specific Attacks Using FPM (e.g., HTTP, SMTP)
8.32 Preventing Application Protocol–Specific Attacks Using NBAR (e.g., HTTP, SMTP)
8.33 Preventing Application Protocol–Specific Attacks Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance (e.g., HTTP, SMTP)
8.34 Preventing IP Spoofing Attacks Using Antispoofing ACLs
8.35 Preventing IP Spoofing Attacks Using uRPF
8.36 Preventing IP Spoofing Attacks Using IP Source Guard
8.37 Preventing Fragment Attacks Using ACLs
8.38 Preventing MAC Spoofing Attacks Using Port Security
8.39 Preventing ARP Spoofing Attacks Using DAI
8.40 Preventing VLAN Hopping Attacks Using the switchport mode access Command
8.41 Preventing STP Attacks Using the Root Guard or BPDU Guard
8.42 Preventing DHCP Spoofing Attacks Using Port Security
8.43 Preventing DHCP Spoofing Attacks Using DAI
8.44 Preventing Port Redirection Attacks Using ACLs
