CCIE Security V4 Workbook v2.3 - Lab 1

CCIE
voicelabs.com1
QUESTIONSLAB1WORKBOOK

RealLabsV1
www.ccieseclabs.com
CCIESECLABS.COM CCIESECLABS.COM
InitialGuidelines
1.Readallofthequestionsinasectionbeforeyoustarttheconfiguration.Itisevenrecommendedthat
youreadtheentirelabexambeforeyouproceedwithanyconfiguration.
2.Examquestionshavedependenciesonothers.Readthroughtheentireworkbooktohelpidentify
thesequestionsandthebestorderofconfiguration.Sectiondonothavetobecompletedinthe
orderpresentedintheworkbook.
3.Mostquestionsincludeverificationoutputthatcanbeusedtocheckyoursolutions.
HighlightedsectioninoutputverificationdisplaysMUSTbematchedtoensurecorrectness.
4.Ifyouneedclarificationofthemeaningofaquestions,orifyoususpectthattheremaybehardware
issuesinyourequipment,contacttheonsitelabproctorassoonaspossible.
5.Theequipmentontherackassignedtoyouisphysicallycabled,sodoNOTtamperwithit.Before
startingtheexam,confirmthatalldevicesinyourackareinworkingorder.Duringtheexam,ifany
deviceislockedorinaccessibleforanyreason,youmustrecoverit.Whenyoufinishtheexam,ensure
thatalldevicesareaccessibletothegradingproctor.Adevicethatisnotaccessibleforgradingcannot
bemarkedandmaycauseyoutolosesubstantialpoints.
6.Knowledgeofimplementationandtroubleshootingtechniquesispartofthelabexam.
7.Pointsareawardedonlyforworkingconfigurations.Towardstheendoftheexam,youshouldtestthe
functionalityofallsectionsoftheexam.
8.Youwillbepresentedwithpreconfiguredroutersandswitchesinyourtopology.Theroutersand
switchesarepreconfiguredwithbasicIPaddressing,hostname,enablepassword(cisco),switching,VTP,
VLANs,FrameRelayDLCImapping,IProutingandConsoleportconfiguration.DoNOTchangeanyofthe
preconfigurationsatanytime,unlessthechangeisspecifiedinaquestion.
9.Throughouttheexam,assumethesevaluesforvariablesifrequired:
YYisyourtwodigitracknumber.Forexample,theYYvalueforRack01is01andforRack11is11
SSisyourSiteIDforthelabexamlocation,Readthenextpageforyourlocation.
BBisthebackbonenumber.Forexample,theBBvalueforBackbone2is2.Backbonesubnetsusethe
followingaddressconvention:150.BB.YY.0/24.DoNOTchangebackboneaddressesunlessyouare
instructedtodoso.
Xisyourrouternumber.Forexample,thevalueofXforRouter1is1,forSwitch1&2is7&8
respectively
Zisanynumber.
10.Youareallowedtoaddstaticanddefaultroutes(ifrequired)onanydevice.
11.InanyconfigurationwhereadditionaladdressingisindicatedintheLabTopologyDiagram,Ensure
thatadditionaladdressingdoesnotconflictwithanetworkthatisalreadyusedinyourtopology.Routing
ProtocolspreconfiguredareshownintheLabRoutingDiagram.
12.FullaccesstotheVMWareESXiServerfromyourworkstationisprovided.Usetheusernameadmin
andthepasswordciscotologin.Youcanadd,modifyordeleteanysettingsontheCiscoSecureACS,
TestPCandCiscoISEsasrequiredinthequestion.
13.Alldevicenames,accessinformationandusername/passwordcombinationsaresummarizedonthe
followingpages.DoNOTchangethesesettings.
CCIESecurityLabEquipmentandSoftwarev4.0
Hardware
Cisco3800SeriesIntegratedServicesRouters(ISR)
Cisco1800SeriesIntegratedServicesRouters(ISR)
Cisco2900SeriesIntegratedServicesRouters(ISRG2)
CiscoCatalyst356024TSSeriesSwitches
CiscoCatalyst3750XSeriesSwitches
CiscoASA5500and5500XSeriesAdaptiveSecurityAppliances
CiscoIPSSeries4200IntrusionPreventionSystemsensors
CiscoSseriesWebSecurityAppliance
CiscoISE3300SeriesIdentityServicesEngine
CiscoWLC2500SeriesWirelessLANController
CiscoAironet1200SeriesWirelessAccessPoint
CiscoIPPhone7900Series*
CiscoSecureAccessControlSystem
Notes:
TheASAappliancescanbeconfiguredusingCLIorASDM/CiscoPrimeTools.
*DeviceAuthenticationonly,provisioningofIPphonesisNOTrequired.
SoftwareVersions
CiscoISRSeriesrunningIOSSoftwareVersion15.1(x)Tand15.2(x)T
CiscoCatalyst3560/3750SeriesSwitchesrunningCiscoIOSSoftwareRelease
12.2SE/15.0(x)SE
CiscoASA5500SeriesAdaptiveSecurityAppliancesOSSoftwareVersions8.2x,8.4x,
8.6x
CiscoIPSSoftwareRelease7.x
CiscoVPNClientSoftwareforWindows,Release5.x
CiscoSecureACSSystemsoftwareversion5.3x
CiscoWLC2500Seriessoftware7.2x
CiscoAironet1200seriesAPCiscoIOSSoftwareRelease12.4J(x)
CiscoWSASseriessoftwareversion7.1x
CiscoISE3300seriessoftwareversion1.1x
CiscoNACPostureAgentv4.X
CiscoAnyConnectClientv3.0X
SummaryofusernameandPasswordforalldevices
Device Username Password
Router cisco Cisco
Switches cisco Cisco
IPS cisco 123cisco123
WSA admin Ironport
WLC cisco Cisco123
AP ciscoAP CCie123
ESXiServer admin Cisco
ISE admin Ise@123
Acs admin Acs@123
ASA admin Asa@123
TestPC TestPC Cisco123
Topology1:TestPCandVmwareESXIserver
Topology2:LocalCandidatePC
Topology3:SwitchCabling
Topology4:layer2
PreConfiguration
OnR1
conft
hostnameR1
!
nologgingconsole
enablepasswordcisco
!
noaaanewmodel
dot11syslog
ipcef
!
noipdomainlookup
ipv6unicastrouting
ipv6cef
!
multilinkbundlenameauthenticated
!
voicecard0
!
cryptopkitokendefaultremovaltimeout0
!
licenceudipidcisco3825snFTX1236A0D9
!
archive
logconfig
hidekeys
usernameciscoprivilege15password0cisco
!
redundancy
!
iptcpsynwaittime5
ipsshversion1
!
cryptoisakmppolicy10
encr3des
authenticationpreshare
group2
cryptoisakmpkeyciscoaddress0.0.0.00.0.0.0
!
!
cryptoipsectransformsetcisco1esp3desespmd5hmac
modetransport
!
!
cryptoipsecprofileDMVPN
settransformsetcisco1
!
!
interfaceloopback0
ipaddress192.168.1.1255.255.255.255
!
interfaceloopback2
ipaddress192.68.11.11255.255.255.255
!
interfaceloopback3
noipaddress
ipv6address3001:0:1:3::/64eui64
!
interfacetunnel0
bandwidth1000
ipaddress172.16.23.1255.255.255.0
noipredirects
ipmtu1360
ipnhrpauthenticationcisco
ipnhrpmapmulticastdynamic
ipnhrpnetworkid23
ipnhrpholdtime300
delay1000
tunnelsourceGigabitEthernet0/0
tunnelmodegremultipoint
tunnelkey123
tunnelprotectionipsecprofileDMVPN
!
interfaceGigabitEthernet0/0
ipaddress7.7.8.1255.255.255.0
duplexauto
speedauto
mediatyperj45
ipv6address2001:128:BAD:8::1/64
ipv6enable
ipv6ospf2area0
!
ipaddress10.2.2.1255.255.255.0
duplexauto
speedauto
mediatyperj45
!
!
routereigrp123
network10.0.0.0
network172.16.0.0
!
routerospf2
routerid11.11.11.11
network7.7.8.00.0.0.255area1
network192.168.11.110.0.0.0area1
!
ipforwardprotocolnd
iphttpserver
noiphttpsecureserver
!
iproute0.0.0.00.0.0.07.7.8.10
!
loggingesmconfig
ipv6routerospf2
redistributeconnected
!
controlplane
!
mgcpprofiledefault
!
!
linecon0
exectimeout00
passwordcisco
loggingsynchronous
lineaux0
exectimeout00
passwordcisco
loggingsynchronous
transportinputtelnet
linevty04
exectimeout00
passwordcisco
loggingsynchronous
login
exit
schedulerallocate200001000
ntpserver7.7.4.1
!
end
OnR2
en
conft
hostnameR2
!
bootstartmarker
bootendmarker
!
nologgingconsole
enablepasswordcisco
!
noaaanewmodel
dot11syslog
ipcef
!
!
!
!
noipdomainlookup
ipv6unicastrouting
ipv6cef
!
!
voicecard0
!
!
licenceudipidcisco3825snFTX123A0DN
!
archive
logconfig
hidekeys
!
redundancy
!
iptcpsynwaittime5
ipsshversion1
!
encr3des
group2
!
modetransport
!
!
!
!
interfaceloopback0
ipaddress192.168.2.2255.255.255.255
!
interfaceloopback1
ipaddress192.68.22.22255.255.255.255
!
interfaceloopback2
noipaddress
!
interfaceloopback3
noipaddress
ipv6enable
!
interfacetunnel0
bandwidth1000
ipaddress172.16.23.2255.255.255.0
noipredirects
ipmtu1360
ipnhrpmapmulticastdynamic
ipnhrpnetworkid24
ipnhrpholdtime300
delay1000
tunnelsourceGigabitEthernet0/0
tunnelkey123
!
ipaddress7.7.8.2255.255.255.0
duplexauto
speedauto
mediatyperj45
ipv6address2001:128:BAD:8::2/64
ipv6enable
ipv6ospf2area0
!
ipaddress10.2.2.2255.255.255.0
duplexauto
speedauto
mediatyperj45
!
!
routereigrp123
network10.0.0.0
network172.16.0.0
!
routerospf2
routerid11.11.11.11
network7.7.8.00.0.0.255area1
network192.168.22.220.0.0.0area1
!
ipforwardprotocolnd
iphttpserver
!
!
iproute0.0.0.00.0.0.07.7.8.10
!
loggingesmconfig
ipv6routerospf2
!
controlplane
!
!
mgcpprofiledefault
!
!
linecon0
exectimeout00
passwordcisco
loggingsynchronous
lineaux0
exectimeout00
passwordcisco
loggingsynchronous
linevty04
exectimeout00
passwordcisco
loggingsynchronous
login
!
exit
ntpserver7.7.4.1
!
end
OnR3
en
conft
hostnameR3
!
bootstartmarker
bootendmarker
!
nologgingconsole
enablepasswordcisco
!
noaaanewmodel
dot11syslog
ipsourceroute
!
ipcef
!
noipdomainlookup
ipv6unicastrouting
ipv6cef
!
!
voicecard0
!
!
licenceudipidcisco3825snFTX123A0DL
!
archive
logconfig
hidekeys
usernameciscopassword0cisco
!
redundancy
!
iptcpsynwaittime5
ipsshversion1
!
cryptokeyringipv6keys
presharedkeyaddressipv6::/0keycisco123
presharedkeyaddress7.7.7.10keycisco123
!
encr3des
group2
cryptoisakmpprofileipv6
matchidentityaddressipv62001:DB8:23::1/64
cryptoisakmpprofilesecuremanagement
matchidentityaddress7.7.7.10255.255.255.255
!
!
cryptoipsectransformset3desahshahmacesp3des
cryptoipsectransformsetmanagementesp3desespshahmac
modetransport
!
cryptoipsecprofileprofile0
settransformset3des
setisakmpprofileipv6
!
cryptomapsecuremanagement1ipsecisakmp
setpeer7.7.7.10
settransformsetmanagement
setisakmpprofilesecuremanagement
matchaddress120
!
!
!
interfaceloopback0
ipaddress7.7.53.3255.255.255.255
!
interfaceloopback1
ipaddress192.68.33.33255.255.255.255
!
interfaceloopback3
noipaddress
ipv6address2010::/64eui64
!
interfacetunnel0
noipaddress
ipv6address2001:DB8::1:2/64
ipv6enable
ipv6eigrp1
tunnelsourceGigabitEthernet0/1.2
tunnelprotectionipsecprofileprofile0
!
ipaddress7.7.7.3255.255.255.0
ipospfpriority10
duplexauto
speedauto
mediatyperj45
!
noipaddress
duplexauto
speedauto
mediatyperj45
!
interfaceGigabit0/1.1
encapsulationdot1Q19
ipaddressdhcp
!
interfaceGigabit0/1.2
ipaddress7.7.13.3255.255.255.0
ipospfpriority0
ipv6address2001:DB8:23::2/64
ipv6enable
!
routereigrp123
network192.168.33.330.0.0.0
!
routerospf1
routerid3.3.3.3
redistributeconnectedmetric1subnets
redistributestatic
redistributeeigrp100metric1subnets
network7.7.13.00.0.0.255area0
!
ipforwardprotocolnd
iphttpserver
!
!
iproute0.0.0.00.0.0.07.7.8.10
!
loggingesmconfig
accesslist120permitiphost7.7.7.3host7.7.7.10
ipv6routereigrp1
routerid10.10.10.10
!
controlplane
!
!
mgcpprofiledefault
!
!
linecon0
exectimeout00
passwordcisco
loggingsynchronous
lineaux0
exectimeout00
passwordcisco
loggingsynchronous
linevty04
exectimeout00
passwordcisco
loggingsynchronous
login
!
exit
ntpserver7.7.4.1
!
end
OnR4
en
conft
hostnameR4
!
bootstartmarker
bootendmarker
!
nologgingconsole
enablepasswordcisco
!
noaaanewmodel
dot11syslog
ipsourceroute
!
ipcef
!
!
!
ipdomainlistcisco.com
noipdomainlookup
ipv6unicastrouting
ipv6cef
!
!
!
licenceudipidcisco1841snFTX12362013
!
archive
logconfig
hidekeys
!
redundancy
!
iptcpsynwaittime5
!
encr3des
group2
!
modetransport
!
!
settransformset3des
!
!
!
interfaceloopback0
ipaddress192.168.44.44255.255.255.255
!
interfaceloopback1
ipaddress10.1.1.1255.255.255.255
!
interfaceloopback2
ipaddress7.7.54.5255.255.255.0
!
interfaceloopback3
noipaddress
!
interfacetunnel0
bandwidth1000
ipaddress172.16.23.4255.255.255.0
noipredirects
ipmtu1360
ipnhrpnhs172.16.23.1
tunnelsourceFastethernet0/1.1
!
interfaceFastEthernet0/0
ipaddress7.7.11.4255.255.255.0
duplexauto
speedauto
ipv6addressFE80::linklocal
ipv6addressautoconfig
ipv6enable
!
!
noipaddress
ipospfpriority10
duplexauto
speedauto
!
interfaceFastethernet0/1.1
encapsulationdot1Q6
ipaddress7.7.6.4255.255.255.0
ipospfpriority10
ipv6addressdhcprapidcommit
ipv6enable
!
interfaceFastEthernet0/1.2
ipaddress7.7.13.4255.255.255.0
ipv6enable
!
routereigrp123
network172.16.0.0
network192.168.44.0
!
routerospf1
routerid4.4.4.4
network7.7.6.00.0.0.255area0
network7.7.13.00.0.0.255area0
network7.7.54.00.0.0.255area0
!
ipforwardprotocolnd
iphttpserver
!
!
loggingesmconfig
ipv6routereigrp1
routerid40.40.40.40
!
controlplane
!
!
linecon0
exectimeout00
passwordcisco
loggingsynchronous
lineaux0
exectimeout00
passwordcisco
loggingsynchronous
linevty04
exectimeout00
passwordcisco
loggingsynchronous
login
!
exit
!
end
OnR5
en
conft
hostnameR5
!
bootstartmarker
bootendmarker
!
nologgingconsole
enablepasswordcisco
!
noaaanewmodel
dot11syslog
ipsourceroute
!
ipcef
!
!
!
ipdomainlistcisco.com
noipdomainlookup
ipdomainnamecisco.com
ipv6unicastrouting
ipv6cef
!
!
!
licenceudipidcisco1841snFTX1236W022
!
archive
logconfig
hidekeys
!
redundancy
!
iptcpsynwaittime5
!
presharedkeyaddressipv6::/0keycisco123
!
encr3des
group2
cryptoisakmpprofileipv6
keyringipv6keys
matchidentityaddressipv62001:DB8:23::2/64
!
modetransport
!
!
settransformset3des
!
!
!
interfaceloopback0
ipaddress192.168.55.55255.255.255.255
!
interfaceloopback2
ipaddress7.7.52.5255.255.255.255
!
interfaceloopback3
noipaddress
!
interfacetunnel0
bandwidth1000
ipaddress172.16.23.5255.255.255.0
noipredirects
ipmtu1360
ipnhrpnetworkid23
delay1000
tunnelsourceFastethernet0/1.1
tunnelkey123
!
!
interfaceTunnel2
noipaddress
ipv6address2001:DB8::1:1/64
ipv6enable
ipv6eigrp1
tunnelsourceFastEthernet0/1.2
tunnelmodeipsecipv4
tunnelprotectionipsecprofileprofile0
!
ipaddress7.7.11.5255.255.255.0
duplexauto
speedauto
ipv6addressFE80::linklocal
ipv6addressautoconfig
ipv6enable
!
noipaddress
duplexauto
speedauto
!
interfaceFastethernet0/1.1
encapsulationdot1Q6
ipaddress7.7.6.5255.255.255.0
ipospfpriority10
ipv6enable
!
ipaddress7.7.13.5255.255.255.0
ipv6enable
!
routereigrp123
network172.16.0.0
network192.168.55.0
!
routerospf1
routerid5.5.5.5
network7.7.6.00.0.0.255area0
network7.7.13.00.0.0.255area0
network7.7.52.00.0.0.255area0
!
ipforwardprotocolnd
iphttpserver
!
!
loggingesmconfig
ipv6routereigrp1
routerid50.50.50.50
!
controlplane
!
!
linecon0
exectimeout00
passwordcisco
loggingsynchronous
lineaux0
exectimeout00
passwordcisco
loggingsynchronous
linevty04
exectimeout00
passwordcisco
loggingsynchronous
login
!
exit
!
end
OnR6
en
conft
hostnameR6
!
bootstartmarker
bootendmarker
!
nologgingconsole
enablepasswordcisco
!
aaanewmodel
!
aaaauthenticationloginlkey1listlocal
aaaauthorizationnetworklkey1listlocal
!
aaasessionidcommon
!
!
ipv6unicastrouting
ipv6cef
noipsourceroute
ipauthproxymaxloginattempts5
ipadmissionmaxloginattempts5
!
ipdhcpexcludedaddress7.7.19.17.7.19.5
!
ipdhcppoolpool19
network7.7.19.0255.255.255.0
leaseinfinite
!
noipdomainlookup
ipcef
!
!
voicecard0
!
licenceudipidcisco2951/k9snFTX1625AJRS
hwmoduleism0
!
hwmodulesm1
!
!
redundancy
!
iptcpsynwaittime5
ipsshversion1
!
cryptoisakmppolicy1
encr3des
group2
!
!
cryptoipsecprofileikey1
!
!
interfaceloopback0
ipaddress192.168.6.1255.255.255.255
!
interfaceEmbeddedServiceEngine0/0
noipaddress
shutdown
!
ipaddress7.7.5.3255.255.255.0
ipospfpriority10
duplexauto
speedauto
!
noipaddress
duplexauto
speedauto
!
interfaceGigabitEthernet0/1.1
encapsulationdot1Q6
ipaddress7.7.6.3255.255.255.0
ipv6enable
!
ipaddress7.7.19.1255.255.255.0
!
!
ipaddress7.7.20.3255.255.255.0
duplexauto
speedauto
!
noipaddress
shutdown
!
descriptionInternalswitchinterfaceconnectedtoEtherSwitchServiceModule
noipaddress
!
routerospf1
routerid1.1.1.1
redistributestaticmetric1subnetsroutemapexcludenets
network7.7.5.00.0.0.255area0
network7.7.6.00.0.0.255area0
defaultinformationoriginatealways
!
iplocalpoolpool213.1.1.113.1.1.10
ipforwardprotocolnd
!
iphttpserver
iphttpauthenticationlocal
!
iproute0.0.0.00.0.0.07.7.5.10
iproute7.7.9.0255.255.255.07.7.20.1
iproute7.7.10.0255.255.255.07.7.20.1
!
accesslist10deny7.7.9.0
accesslist10deny7.7.10.0
accesslist20permit13.0.0.0
!
nlsresptimeout1
cpdcrid1
routemapexcludenetspermit10
matchipaddress10
routemapexcludenetspermit20
matchipaddress20
!
!
controlplane
!
calladmissionlimit75000
!
mgcpprofiledefault
!
!
gatekeeper
shutdown
!
telephonyservice
maxephones10
maxdn144
ipsourceaddress7.7.20.3port2000
cnffileperphone
load79607940P0030702T023
load7965P0030702T023
maxconferences8gain6
transfersystemfullconsult
createcnffilesversionstampJan01200200:00:00
!
ephonedntemplate1
callforwardbusy4000
callforwardnoan4000timeout20
holdalert30originator
!
ephonedn7
number007
nameCCIESecurityLab
ephonedntemplate1
!
linecon0
exectimeout00
passwordcisco
loggingsynchronous
lineaux0
line2
noactivatorcharacter
noexec
transportpreferrednone
transportinputall
transportoutputlatpadtelnetrloginlapbtamopudptnv120ssh
stopbits1
line67
noactivationcharacter
noexec
transportinputall
stopbits1
flowcontrolsoftware
line193
noactivationcharacter
noexec
transportinputall
stopbits1
linevty04
exectimeout00
passwordcisco
loggingsynchronous
login
!
ntpsourceGigabitEthernet0/2
ntpmaster2
!
end
OnSW1
en
conft
hostnameSW1
!
nologgingconsole
enablepasswordcisco
!
noaaanewmodel
systemmturouting1500
iprouting
noipdomainlookup
!
spanningtreemodepvst
spanningtreeextendsystemid
!
vlaninternalallocationpolicyascending
!
iptcpsynwaittime5
!
switchportaccessvlan150
switchportmodeaccess
!
!
!
!
!
!
!
!
shutdown
!
switchporttrunkencapsulationdot1q
switchportmodetrunk
!
interfacevlan1
noipaddress
shutdown
!
interfacevlan2
ipaddress7.7.2.1255.255.255.0
!
interfacevlan4
ipaddress7.7.4.1255.255.255.0
!
interfacevlan150
ipaddress150.1.7.1255.255.255.0
!
ipclassless
iproute0.0.0.00.0.0.0150.1.7.254
iproute7.7.0.0255.255.0.07.7.4.10
noiphttpserver
!
!
ntpclockperiod36028811
ntpserver150.1.7.254
!
end
OnSW2
en
conft
hostnameSw2
!
nologgingconsole
enablepasswordcisco
!
noaaanewmodel
iprouting
noipdomainlookup
!
cryptopkitrustpointTPselfsigned87258368
enrollmentselfsigned
subjectnameen=IOSSelfSignedCertificate87258368
revocationchecknone
rsakeypairTpselfsgned87258368
!
exit
!
!
iptcpsynwaittime5
!
!
!
!
!
!
!
!
!
!
!
!
switchportmodetrunk
!
switchportmodetrunk
!
switchportmodetrunk
!
interfaceVlan1
noipaddress
shutdown
end
OnSW3
en
conft
hostnameSW3
!
nologgingconsole
enablepasswordcisco
!
noaaanewmodel
iprouting
noipdomainlookup
!
ipv6unicastrouting
ipv6dhcppooldhcppool
dnsserver2001:DB8:A:B::1
dnsserver2001:DB8:3000:3000::42
domainnamecisco.com
!
revocationchecknone
rsakeypairTPselfsgned87257344
!
!
!
iptcpsynwaittime5
!
!
!
!
!
switchportmodetrunk
!
interfacevlan1
ipaddress7.7.11.1255.255.255.0
ipv6address2001:DB8:1234:42::1/64
ipv6ndotherconfigflag
ipv6dhcpserverdhcppool
!
ipv6routerospf1
logadjacencychanges
!
end
OnSW4
en
conft
hostnameSW4
!
nologgingconsole
enablepasswordcisco
!
noaaanewmodel
iprouting
noipdomainlookup
!
revocationchecknone
!
!
!
iptcpsynwaittime5
!
!
!
switchportmodetrunk
!
switchportmodetrunk
!
switchportmodetrunk
!
switchportmodetrunk
!
!
!
switchportmodetrunk
!
!
!
!
switchportmodetrunk
!
interfacevlan1
noipaddress
shutdown
!
end
OnSW5
en
conft
hostnameSW5
!
nologgingconsole
enablepasswordcisco
!
noaaanewmodel
switch1provisionwsws3750x12s
iprouting
!
noipdomainlookup
ipv6unicastrouting
!
revocationchecknone
!
!
!
iptcpsynwaittime5
!
interfaceloopback1
noipaddress
ipv6ospf1area0
!
interfaceloopback2
noipaddress
ipv6ospf1area0
!
noipaddress
noiproutecache
shutdown
!
!
interfaceGigabitEthernet1/0/3
!
!
noswitchport
ipaddress7.7.20.1255.255.255.0
!
noswitchport
ipaddress7.7.10.2255.255.255.0
ipv6address2001:128:ABC:10::2/64
!
switchportmodetrunk
!
switchportmodetrunk
!
switchportmodetrunk
!
interfacevlan1
noipaddress
shutdown
!
interfacevlan3
ipaddress7.7.3.2255.255.255.0
noipredirects
!
iproute0.0.0.00.0.0.07.7.3.12
iproute7.7.0.0255.255.0.07.7.3.10
iproute7.7.2.0255.255.255.07.7.3.8
iproute7.7.4.0255.255.255.07.7.3.12
iproute7.7.9.0255.255.255.07.7.10.1
iproute7.7.99.0255.255.255.07.7.10.1
iproute200.200.9.0255.255.255.07.7.3.10
!
loggingesmconfig
ipv6routerospf1
routerid35.35.35.35
!
linecon0
exectimeout00
passwordcisco
loggingsynchronous
linevty04
exectimeout00
passwordcisco
loggingsynchronous
login
linevty515
exectimeout00
passwordcisco
login
!
ntpserver7.7.20.3
!
end
OnSW6
en
conft
hostnameSw6
!
nologgingconsole
enablepasswordcisco
!
usernameciscoAPpassword0CCie123
aaanewmodel
!
aaasessionidcommon
switch1provisionwsw3750x12s
iprouting
!
!
ipdhcppoolpool7
network7.7.7.0255.255.255.0
defaultrouter7.7.7.2
option43ip7.7.7.11
leaseinfinite
!
ipdhcppoolvoice
network7.7.9.0255.255.255.0
option150ip7.7.20.1
!
ipdhcppooldata
network7.7.99.0255.255.255.0
dnsserver150.1.7.10
!
ipdomainnamecisco.com
ipv6unicastrouting
!
revocationchecknone
!
!
!
iptcpsynwaittime5
!
interfaceloopback0
ipaddress192.168.66.66255.255.255.0
!
interfaceloopback1
noipaddress
ipv6ospf1area0
!
interfaceloopback2
noipaddress
ipv6ospf1area0
!
noipaddress
noiproutecache
!
!
descriptionWLC
switchportmodetrunk
!
!
!
!
noswitchport
ipaddress7.7.10.1255.255.255.0
ipaddress7.7.10.1255.255.255.0
ipv6address2001:128:ABC:10::1/64
ipv6ospf1area0
!
switchporttrunkallowedvlan16,84094
switchportmodetrunk
!
interfacevlan1
noipaddress
shutdown
!
interfacevlan7
ipaddress7.7.7.2255.255.255.0
ipv6enable
!
interfacevlan9
ipaddress7.7.9.2255.255.255.0
!
interfacevlan99
ipaddress7.7.99.1255.255.255.0
!
ipclassless
noiphttpserver
!
iproute0.0.0.00.0.0.07.7.7.1
iproute7.7.20.0255.255.255.07.7.10.2
!
!
ipaccesslistextendedACLDEFAULT
remarkDHCP
permitudpanyeqbootpcanyeqbootps
remarkDNS
permitudpanyanyeqdomain
remarkPing
permiticmpanyany
remarkPXL/TFTP
permitudpanyanyeqtftp
denyipanyanylog
!
ipradiussourceinterfacevlan7
loggingesmconfig
ipv6routerospf1
routerid36.36.36.36
!
exit
radiusserverattribute8includeinaccessreq
radiusserverattribute25accessrequestinclude
radiusserverdeadcriteriatime5tries3
radiusserverhost150.1.7.20authport1812acctport1813keycisco
radiusservervsasendaccounting
radiusservervsasendauthentication
!
ntpserver7.7.20.3
!
end
SectionI.Perimetersecurity
1.1ConfigureroutingandBasicAccessonASA1 (6Points)
Thisquestionhasthreetasks.
CompleteeachtasktoprovidebasicconnectivityandroutingcapabilitiesonASA1.
Verifyyoursolutionbysuccessfullypingingtheinside150.1.7.0networkfromtheallmajor7.7.0.0
subnetsaswellaspingingfromoutsidesubnetstoDMZsubnets
Example:
R3#ping7.7.8.1
R3#ping150.1.7.20
R3#ping7.7.3.2
1.2ConfigurestatefulfailoverbetweenASA1andASA2 (4points)
configureLANbasedactivestandbyfailoveronASA1andASA2
UseGigabitEthernet0/1inVLAN100onSW2forthefailoverLANinterfaceandnameitfailover.
UseIPaddress7.7.100.100/24foractiveand7.7.100.101/24forstandby
EnablestatefulfailoverusingfailoverinterfaceGigabitEthernet0/1
Useallotherparametersaccordinglytoachievethistask
Youroutputmustmatchallparametershighlightedbelow:
1.3ConfigureASA3inMultiContextFirewallMode
PartA:InitializeASA3 (4points)
ASA3mustbeconfiguredasamulticontextfirewall.ASA3requiresasharedoutsideinterface.Usethe
followingoutputstocompletetheinitialconfiguration.
Contextdetails
(NOTE:Belowfilesarealreadythereinflash&needstobedeletedbeforeconfiguring)
YoucanpermitICMPtrafficfromanytoanyonbothcontexts.
YoucanmodifytheCatalystswitchconfigurationtocompletethistask.
Whenthetaskiscompleted,ensurethatyouareabletopingallmajorsubnetswithinyournetwork,
includingtheISE1150.1.7.20
Useexactnamesandnumbersasshowninthetable
Contextc1initializationdetails:
PartB:ConfigureIPServicesonASA3 (4points)
TelnetaccesstelnetmustbeallowedfromVLAN4IP7.7.4.1onSW1totheadmincontextofASA3
Toverifyyoursolution:SW1#telnet7.7.4.200/sovlan4
ObjectNATandPorttoApplicationMappingUseobjectNATtotranslatetheVLAN4IPaddress7.7.4.1
onSW1toaglobaladdressof7.7.3.3.DevicesontheoutsideofASA3mustbeabletoTelnettothe
globaladdressusinganonstandardportof2300.
Toverifyyoursolution:R6#telnet7.7.3.32300
1.4ConfigureASA4intransparentmodewithNATsupport (6points)
ConfigureASA4asatransparentfirewalltobedeployedbetweenR3andSW6bycompleting
thethreetasksoutlinedbelow
ASA#showroute
0.0.0.0/0via7.7.7.3
7.7.9.0/24via7.7.7.2
VerifyyoursolutionbypingingfromASA4asfollowings:
ASA4#pinginside7.7.7.2
ASA4#pingoutside7.7.7.3
NATcontrolisrequired
Configurearulewhereanytrafficsourcedfrom7.7.9.0/24anddestinedto7.7.0.0/16ismapped
toaglobaladdressfrom200.200.9.0/24.ThisNATrulemustallowforBidirectionalconnection
initialization.
Ensurethattrafficsourcedfromthe7.7.7.0/24networkanddestinedto7.7.0.0/16or
150.1.0.0/16isnottranslatedbutstillabletotransitASA4.
VerifyyoursolutionbyinitiatingapingfromSW6toR3usingVLAN9asthesourceinterface.
EnablingdebugIpicmponR3shouldshowthetranslationhasoccurred
R3#ICMP:echoreplysent,src7.7.7.3,dst200.200.9.2
SECTIONII.IPSandContextsecurity
2.1InitializetheCiscoIPSSensorAppliance (4points)
InitializetheCiscoIPSSensorapplianceasfollows:
VerifytheCiscoIPSsensorconfigurationusingthefollowing:
TheusernameandpasswordfortheCiscoIPSconsoleareciscoand123cisco123.DoNOTchangethem.
UsetheconsoletoinitializetheCiscoIPSsensorapplianceusingthedefailsinthistableEnsurethatthe
Management0/0interfaceisupandfunctioning(refertotheLabTopologydiagram).
YoucanmodifyCiscoCatalystswitchesconfigurationifrequired.
EnsurethattheCiscoIPSsensorisabletopingthedefaultgatewayandTestPC:
IPS#ping7.7.4.1
IPS#ping150.1.7.100
EnsurethatthefollowingpingandtelnetconnectionissuccessfulfromSW1
SW1#ping7.7.4.100
SW1#telnet7.7.4.100
2.2DeploytheCiscoIPSSensorUsinganInlineVLANPair (4points)
ConfiguretheCiscoIPSapplianceinlineVLANpairusingtheseguidelines:
ConfiguretheCISCOIPSsensorappliancefortheinlineVLANpairasshownintheLabTopologydiagram
asfollow:
Youareallowedtomodifytheswitchparametersasappropriatetoachievethistask.
Refertothelabdiagramfortherequiredinformation.
YoumayaccesstheIPSmanagementGUI(IME)eitherfromyourTestPCoryourlocalCandidatePCto
helpwiththetask.TheIMEpasswordisCisc0123.Youareallowedtoadjustanyfirewalland/orrouting
configurationtoensurethatthisworks.
Ensurethatthesensorispassingtrafficsuccessfully.
Fortesting,ensurethatthispingfromSW6ispassingthroughthesensorwiththepacketsbeing
displayedonthesensorconsole.
IPS#packetdisplaygigabitethernet0/0
R6#ping7.7.4.1
2.3ImplementcustomsignaturesontheCiscoIPSsensor (4points)
Acustomsignature61000isrequiredontheCiscoIPSsensorasfollows:
TriggerUsersareallowedtotelnettoSW1viatranslatedaddress(seeQ1.3),however,theymustnot
beallowedtolaunchanothertelnetfromSW1toanydeviceonthe150.1.0.0/16network.
ActionresettcpconnectionwhenatelnetsessionisattemptedfromwithinanexistingsessiontoSW1
Alertseverityhigh
Signaturedefinition0
Note:TheresadependencyontheNATobject&PorttoApplicationMappingconfigfromQ1.3.
Youcanuseanysignatureenginetocompletethistaskthatsatisfiesthequestionrequirements.
VerifyyoursolutionbyconnectingtoSW1fromanotherdeviceinthetopologyusingthetranslated
addressspecifiedinQ1.3andthereafterlaunchaTelnetfromSW1toyourTestPC(150.1.7.100)as
follows:
SW1>enable
SW1#telnet150.1.7.
2.4InitializetheCiscoWSAandEnableWCCPSupport (6points)
TheCiscoWSAhasbeeninitializedwithanIPaddressof7.7.4.150andconnectedviaSW1inVLAN4.
UsingtheTestPCorCandidatePC,connecttoWSAandconfigureasfollowing
ConnectionInformation:http://7.7.4.150:8080/Username=adminPassword=ironport
InitializetheCiscoWSAsensorapplianceasfollowsusingthesystemsetupwizard:
Securityservices:
Acceptallotherdefaults
FromASA/c2,verifythatyoucanpingM1interfaceofWSA:
ASA3/c2(config)#ping7.7.4.150
ConfigureWCCPredirectfromtheinsideinterfaceofASA3/c2toWSAusing:
Redirectlist:forallHTTPandHTTPStraffic
GrouplisttolimitredirectionstotheWSAonly
Servicegroupmustbeintheappropriaterange
Note:Youcanuseanynamesforyourredirectlistandgrouplist.
Besuretouseaservicegroup.DOnotusethedefaultwebcache.
ThisquestionisdependentonthecompletionofQ1.3.
YoumayhavetorebootWSAafterconfigurationWCCPiftheASAreportsfollowingeventinthelogs:
WCCPEVNT:D90:Here_I_Anpacketfrom7.7.4.150ignored:badwebcacheid.
UsethefollowingtoverifyyoursolutionfromtheTestPC,andthencheckHTTPrequestsonR3forthe
addressoftheWSA:
2.5AddacustomURLAccessPolicytotheWSA (3points)
AddacustomURLcategorycalledRestrictedSitewhichwillblocktheSite7.7.7.2.AddthecustomURL
filtertotheGlobalaccesspolicyandensurethattheactiontakenwillbetoblockthecorrection
UsethefollowingtoverifyyoursolutionfromtheTestPC:
SECTIONIII.SecureAccess
3.1TroubleshootingIPsecManagementofASA4 (4points)
CompletetheconfigurationofanIPsecsecuredmanagementtunnelbetweenR3andASA4.
R3hasbeenpartiallyconfiguredandwillindicatetheIKEandIPsec,policyparameterstouse.
EnsurethatyouareabletolaunchtheIPsecprotectedTelnetsessionfromR3toASA4.
TherearefaultsonR3thatmustbecorrectedtocompletethisquestion.
Donotusewildcard(0.0.0.0)presharedkeys.
Youcanuseanynamesforpoliciesthathavenotbeenpreconfigured.
Verifyyoursolutionasfollows:
3.2TroubleshootingIPsecStaticVTIwithIPv6 (5points)
AnIPsecstaticvirtualtunnelinterfaceisrequiredbetweenR3andR5.ThisinterfacesupportsIPv6traffic
andEIGRPv6routes(thenetworksfromLoopback3)mustbeexchangedsecurelyforAS1viaTunnel.
Completeandtroubleshoottheconfiguration:
EnsurethattheinterfaceLoopbck3subnetsoneitherrouterarebeingadvertisedviaEIGRPv6.
R3#showipv6route
EX1010::/64[170/27008000]
ViaFE80::21E:BEFF:FE80:B5C,Tunnel0
R5#shoipv6route
EX2010::/64[170/27008000]
ViaFE80::21E:4AFF:FE2F:CA50,Tunnel2
3.3TroubleshootingDMVPNPhase3withDualhubs (6points)
InthisquestionR1andR2aredualDMVPNHubswithR4andR5asthespokesthatpeerwithhubsfor
redundancy.Thehubsarepreconfigured.Completetheconfigurationofthespokesandtroubleshoot
thesolutionusingthefollowinginformation:
172.16.23.1/2IPaddressesofDUALHubs
172.16.23.4/5IPaddressesofDUALSpokes
Eachspokemustpeerwithbothhubsanddirectspoketospokecommunicationshouldoccurusing
NHRPshortcutcapabilities
EIGRProutingAS123ispreconfiguredandmustbeadvertisingtheLoopback0ofR4andR5andnetwork
10.2.2.0/24ofR1andR2
3.4ConfigureSecurityFeaturesontheCiscoWLC (4points)
TheWLCmanagestheconfigurationandcontroloftheCiscoAP1242
(ThereisnoneedtochangeanysettingsontheAPitself)
TocompletethisquestionyoucanusetheCLIontheWLC,orthewebGUIviahttp://7.7.7.11/
Username=ciscoPassword=Cisco123.
SECTIONIV.SystemHardeningandAvailability
4.1TroubleshootSecureRoutingUsingOSPFv3inCiscoIOS (4points)
OSPFv3hasbeenpartiallypreconfiguredbetweenR1andR2usingthecommandipv6routerospf2
Completeconfigurationandtroubleshootingasrequiredtomeetthefollowingrequirements:

4.2TroubleshootIPOptionsHandlingontheCiscoASA (3points)
ThefollowinginformationhasappearedinanerrormessageonASA1forIGMPv2traffictransitingASA1:
%ASA6106012:DnyIPfrom7.7.5.15to225.17.1.1,IPoptions:RouterAlert
ConfigureASA1topreventthiserrormessageandallowIGMPv2tofunctioncorrectlyforallinterfaces
4.3ConfigureNetflowonaCiscoIOSRouter (3points)
ConfigureNetflowversion9onR6usingfollowingrequirements:

R6#showipcacheverboseflow
R6#showipflowtoptalker
SECTIONV.ThreatIdentificationandMitigation
5.1TuningApplicationInspectionontheCiscoASA (4points)
HTTPinspectionmustbeconfiguredtologGEToperationwithlevel15privilegemadetoCiscoIOSHTTP
serversbehindASA1.ThepacketcaptureoutputbelowwhichshowsanHTTPsessionto7.7.8.1from
TestPCshouldbeusedtohelpdefineyourmatchcriteria.
5.2ConfigureDynamicARPInspectioninaDHCPEnvironment (4points)
R3receivesanIPaddressforinterfaceg0/1.1fromR6whichisconsideredatrustedDHCPServer.
ConfigureSW4forDAIusingDHCPsnoopingfortheappropriateVLAN.
SW4#showipdhcpsnoopingbinding
5.3LDAP(Outdated)
MicrosoftwindowsusersutilizethemsNPAllowDialinattributetograntorwithdrawpermissionsto
dialintoregistrationadmisstionandstatusserver(RASS)
ConfigureASAadmincontexttomapthisMicrosoftattributetoCiscocVPN3000IETFRadiusclass:
AvalueofFALSEshouldbemappedtoavalueofACCESSDENY
AvalueofTRUEshouldbemappedtoavalueofACCESSALLOW
SECTIONVI.IdentityManagement
6.1ConfiguretheCiscoAccessPointasan802.1Xsupplicant (6points)
TheCiscoAccessPoint1242ismanagedandcontrolledbytheCiscoWLCwhichshouldbeallowedto
communicatewith802.1XauthorizedAps.Inthisquestionyouarerequiredtoconfigure802.1Xsupport
fortheAPonSW6(RADIUSsourceinterface7.7.7.2/VLAN7)andISE1(150.1.7.20).
Usetheinformationbelowtocompletethequestion
6.2ConfigureSupportforMAB/802.1XforVoiceandDataVLANs
PartA:AuthenticationandAuthorizationofCiscoIPPhonewithMAB (6points)
TheCiscoIPPhoneisconnectedtotheinterfaceg1/0/1onSW6.ItreceivesanIPaddressviaDHCPfrom
the7.7.9.0/24subnetandregisterswithCUCMEonR6(via7.7.20.3).Therequirementistoaddsecurity
tothisconnectionthroughauthenticationandauthorizationonSW6usingMACAuthenticationBypass
(MAB)toassigntheRADIUSattributesrequiredtomovethephoneintothevoiceVLAN.
Usethefollowinginformationtocompletethistask:
CreateanEndpointIdentityfortheIPPhoneinyourRackonISE1(150.1.7.20)
VerifythatyouhaveanauthenticationruleforMABontheCiscoISE.
VerifythatthestandardauthorizationpolicyforCiscoIPPhonesexistsandisallowingapermitonall
trafficonISE1.
Configureg1/0/1onSW6tosupportavoiceVLAN(9)anddataVLAN(99)
VoiceVLANwillsupportMABforauthentication
DataVLANwillprovidesupportfortheTestPCthatmustconnectthroughPhoneusing802.1X.
SW6mustattemptaMABauthenticationfirstafterlearningtheMACaddressofanEndpoint.IfMAB
isnotsuccessful,802.1Xendpointsshouldbeallowedtoconnect.
Thefollowingoutputshouldbeusedtoverifyyoursolution
PartB:AuthenticationandAuthorizationof802.1XClientthroughaCiscoIPPhone (6points)
TheTestPCmustbeallowedtoconnectthroughtheauthenticatedCiscoIPPhone
Thefollowingoutputshouldbeusedforverification
ThankYouforusingccieseclabsworkbooks.

CCIE Security V4 Workbook v2.3 - Lab 1

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CCIE Security V4 Workbook v2.3 - Lab 1

Uploaded by

Copyright:

Available Formats

CCIE

You might also like