Lab3 Cciesecv4 Questionset PDF
LAB 3
REAL LABS
www.cciesecuritylabs.com
CCIESECURITYLABS.COM First Release 5-Aug-2013
Initial Guidelines
1. Read all of the questions in a section before you start the configuration. It is even recommended that
you read the entire lab exam before you proceed with any configuration.
2. Exam questions have dependencies on others. Read through the entire workbook to help identify
these questions and the best order of configuration. Sections do not have to be completed in the
order presented in the workbook.
3. Most questions include verification output that can be used to check your solutions.
4. If you need clarification of the meaning of a question, or if you suspect that there may be hardware
issues in your equipment, contact the onsite lab proctor as soon as possible.
5. The equipment on the rack assigned to you is physically cabled, so do NOT tamper with it. Before
starting the exam, confirm that all devices in your rack are in working order. During the exam, if any
device is locked or inaccessible for any reason, you must recover it. When you finish the exam, ensure
that all devices are accessible to the grading proctor. A device that is not accessible for grading cannot
be marked and may cause you to lose substantial points.
7. Points are awarded only for working configurations. Towards the end of the exam, you should test the
functionality of all sections of the exam.
8. You will be presented with preconfigured routers and switches in your topology. The routers and
switches are preconfigured with basic IP addressing, hostname, enable password (cisco), switching, VTP,
VLANs, Frame Relay DLCI mapping, IP routing and console port configuration. Do NOT change any of the
preconfigurations at any time, unless the change is specified in a question.
- YY is your two-digit rack number. For example, the YY value for Rack 01 is 01 and for Rack 11 is 11.
- SS is your Site ID for the lab exam location; read the next page for your location.
- BB is the backbone number. For example, the BB value for Backbone 2 is 2. Backbone subnets use the
following address convention: 150.BB.YY.0/24. Do NOT change backbone addresses unless you are
instructed to do so.
- X is your router number. For example, the value of X for Router 1 is 1, and for Switch 1 and Switch 2 it is 7 and 8
respectively.
- Z is any number.
10. You are allowed to add static and default routes (if required) on any device.
11. In any configuration where additional addressing is indicated in the Lab Topology Diagram, ensure
that the additional addressing does not conflict with a network that is already used in your topology. The routing
protocols that are preconfigured are shown in the Lab Routing Diagram.
12. Full access to the VMWare ESXi Server from your workstation is provided. Use the username admin
and the password cisco to log in. You can add, modify or delete any settings on the Cisco Secure ACS,
Test-PC and Cisco ISEs as required in the question.
13. All device names, access information and username/password combinations are summarized on the
following pages. Do NOT change these settings.
Hardware
Notes:
The ASA appliances can be configured using CLI or ASDM/Cisco Prime Tools.
*Device Authentication only, provisioning of IP phones is NOT required.
Software Versions
• Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
• Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release
12.2SE/15.0(x)SE
• Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x,
8.6x
• Cisco IPS Software Release 7.x
• Cisco VPN Client Software for Windows, Release 5.x
• Cisco Secure ACS System software version 5.3x
• Cisco WLC 2500 Series software 7.2x
• Cisco Aironet 1200 series AP Cisco IOS Software Release 12.4J(x)
• Cisco WSA S-series software version 7.1x
• Cisco ISE 3300 series software version 1.1x
• Cisco NAC Posture Agent v4.X
• Cisco AnyConnect Client v3.0X
Topology 4 : layer 2
To be attached soon...
Topology 5 : LOGICAL
OUR CCIE SECURITY ENGINEERS ARE AVAILABLE ON GOOGLE TALK CHAT to support any
questions related to our workbooks at ccieseclabs@gmail.com
ACTIVE CLIENTS WILL GET VERY SPECIAL DISCOUNTS ON OTHER CCIE TRACKS
Launched !!!
1) ASA3 should be in single-context routed mode and configured using the information
3) Configure NTP
R3#ping 7.7.8.3
R3#ping 150.1.7.20
R3#ping 7.7.19.1
R3#ping 7.7.4.1
Context details
You can permit ICMP traffic from any to any on both contexts.
You can modify the Catalyst switch configuration to complete this task.
When the task is completed, ensure that you are able to ping all major subnets within your
ASA2#show failover
Failover On
Failover unit Primary
Failover LAN Interface: fover Ethernet4 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.6, Mate 8.6
Group 1 last failover at: 06:12:45 UTC Apr 16 2007
Group 2 last failover at: 06:12:43 UTC Apr 16 2007
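The system-context failover configuration that produces the output above, written here as an added example rather than the workbook's own answer. The timers, the LAN failover interface (fover on Ethernet4), the interface policy of 1 and the presence of two failover groups come from the output; the fover link addressing, the context names c1/c2 and the assignment of group 1 to the primary unit and group 2 to the secondary are assumptions, since the page does not state them.

```cisco
! ASA2, system execution space (multiple-context mode, Active/Active failover)
failover lan unit primary
failover lan interface fover Ethernet4
! PLACEHOLDER addressing for the failover link: not given on the page
failover interface ip fover 192.0.2.1 255.255.255.252 standby 192.0.2.2
! Unit and interface hello timers as reported by "show failover" above
failover polltime unit 15 holdtime 45
failover polltime interface 5 holdtime 25
! One monitored interface failure is enough to trigger a failover
failover interface-policy 1
! Two failover groups so that each unit is active for one group (assumed split)
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
! Each context joins one group (context names are assumptions)
context c1
 join-failover-group 1
context c2
 join-failover-group 2
! Enable failover last, once the link and groups are defined
failover
```

Check it with `show failover` on both units; the "Version: Ours 8.6, Mate 8.6" line only appears once the peers can exchange hellos over fover, and a mismatch in polltime or interface-policy between the units shows up there before it shows up as an unexpected failover.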
1) ASA4 should be in single-context routed mode and configured using the information
Make sure the default route originated by R6 is installed in the routing table.
Ensure that networks 10.10.110.0/24 and 10.10.120.0/24 (SW6) are added to the routing table.
If traffic destined for network 150.1.7.0/24 via the outside interface does not have reachability
to 7.7.6.6, then the traffic should be diverted via the backup interface. Configure a maximum timeout of
2 seconds.
Ensure that all packets sourced from 10.10.110.10 and 10.10.120.10 are translated to the
outside or backup interface address (whichever is UP) in order to pass through the ASA. However, packets
sourced from 7.7.0.0/16 and destined to 7.7.0.0/16 or 150.1.0.0/16 should not be translated.
SW1 is hosting HTTP and TELNET on 20.20.20.1 (loopback 1).
Using static port mapping, translate 20.20.20.1 to 7.7.8.20 for HTTP traffic arriving from the dmz
interface and translate 20.20.20.1 to 7.7.3.20 for TELNET traffic arriving from the outside interface.
- Ensure that ICMP and Telnet traffic is inspected and allowed from the outside interface.
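One way to meet the ASA4 route-tracking and NAT requirements above, as an added example in ASA 8.4/8.6 (object) NAT syntax; it is not the workbook's answer key. Assumptions: the segment holding SW6's hosts and SW1's loopback is behind an interface named inside; the backup interface's next hop is a placeholder because the page does not give it; the task's "max-timeout 2 seconds" is expressed as the SLA probe timeout in milliseconds.

```cisco
! ---- Route tracking: probe 7.7.6.6 via outside, divert 150.1.7.0/24 to backup when it stops answering ----
sla monitor 10
 type echo protocol ipIcmpEcho 7.7.6.6 interface outside
 frequency 5
 timeout 2000
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
! The primary route is removed while track 1 is down; the backup route only wins then (worse distance)
route outside 150.1.7.0 255.255.255.0 7.7.6.6 1 track 1
! PLACEHOLDER next hop: the backup interface's gateway is not stated on the page
route backup 150.1.7.0 255.255.255.0 198.51.100.1 254

! ---- Objects ----
object network H_10_10_110_10
 host 10.10.110.10
object network H_10_10_120_10
 host 10.10.120.10
object-group network PAT_SOURCES
 network-object object H_10_10_110_10
 network-object object H_10_10_120_10
object network NET_7_7_0_0
 subnet 7.7.0.0 255.255.0.0
object network NET_150_1_0_0
 subnet 150.1.0.0 255.255.0.0

! ---- Identity (twice) NAT: 7.7.0.0/16 to 7.7.0.0/16 or 150.1.0.0/16 must not be translated ----
! Entered before the PAT rules so they are evaluated first in NAT section 1 (manual NAT)
nat (inside,outside) source static NET_7_7_0_0 NET_7_7_0_0 destination static NET_7_7_0_0 NET_7_7_0_0
nat (inside,outside) source static NET_7_7_0_0 NET_7_7_0_0 destination static NET_150_1_0_0 NET_150_1_0_0
nat (inside,backup) source static NET_7_7_0_0 NET_7_7_0_0 destination static NET_7_7_0_0 NET_7_7_0_0
nat (inside,backup) source static NET_7_7_0_0 NET_7_7_0_0 destination static NET_150_1_0_0 NET_150_1_0_0

! ---- PAT the two hosts to the egress interface; the route lookup decides outside vs backup ----
nat (inside,outside) source dynamic PAT_SOURCES interface
nat (inside,backup) source dynamic PAT_SOURCES interface

! ---- Static port mappings for SW1 loopback 1 (object NAT, NAT section 2) ----
object network SW1_LO1_HTTP
 host 20.20.20.1
 nat (inside,dmz) static 7.7.8.20 service tcp www www
object network SW1_LO1_TELNET
 host 20.20.20.1
 nat (inside,outside) static 7.7.3.20 service tcp telnet telnet

! ---- Permit and inspect from outside; since 8.3 the ACL matches the real (untranslated) address ----
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit tcp any host 20.20.20.1 eq telnet
access-group OUTSIDE_IN in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp
```

Verify with `show track 1`, `show route` while 7.7.6.6 is reachable and again after blocking it, and `show nat detail` to confirm the identity rules sit above the dynamic PAT rules in section 1; `packet-tracer input outside tcp 7.7.6.6 1025 7.7.3.20 23` shows the untranslate and the ACL hit in one pass.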
The username and password for the Cisco IPS console are cisco and 123cisco123.
Use the console to initialize the Cisco IPS sensor appliance using the details in this table. Ensure
that the Management0/0 interface is up and functioning (refer to the Lab Topology diagram).
Ensure that the Cisco IPS sensor is able to ping the default gateway and the Test-PC.
Ensure that the following ping and telnet connections are successful from SW1.
2.2 Deploy the Cisco IPS Sensor Using an In-line VLAN Pair
Configure the Cisco IPS appliance using these guidelines:
I) G0/0 port connected to SW5 should be in promiscuous mode using virtual sensor vs0
II) Configure the interface pairing as shown in the Lab Topology diagram and assign vs2
Parameters Settings
Interface Gig 0/2 & Gig 0/3
Vlan Vlan 33 & Vlan 55
You are allowed to modify the switch parameters as appropriate to achieve this task.
You may access the IPS management GUI (IME) either from your Test-PC or your local Candidate
PC to help with the task. The IME password is Cisc0123. You are allowed to adjust any firewall
For testing, ensure that this ping from R6 is passing through the sensor with the packets
R6#ping 7.7.4.1
However, ensure that this ping from R6 is not passing through the sensor:
R6#ping 7.7.8.3
Alert-severity – High
Signature-Definition 0
Using the Test-PC or Candidate PC, connect to the WSA and configure it as follows.
Initialize the Cisco WSA appliance using the system setup wizard with these settings:
Parameters Settings
Hostname Wsa.cisco.com
Interface M1 to be used for Management
Ip Address 7.7.4.150/24
Default Gateway 7.7.4.1
System Information Admin:ironport, foobar@cisco.com, time:US/America/LA
NTP Server 7.7.4.1
DNS 150.1.7.10
L4 Traffic Monitoring Duplex: T1 (in/out)
Configure WCCP redirect from the inside interface of ASA3/c2 to WSA using:
Note: You can use any names for your redirect-list and group-list.
You may have to reboot the WSA after configuring WCCP if the ASA reports the following event in
its logs:
WCCP-EVNT: D90: Here_I_Am packet from 7.7.4.150 ignored: bad web-cache id.
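The ASA side of the WCCP redirect described above, as an added example (not the workbook's solution). It assumes the clients and the WSA (7.7.4.150) share the 7.7.4.0/24 segment on the inside interface of ASA3/c2, which the ASA requires (clients and cache engine must be reached through the same interface); the ACL names are arbitrary, as the task allows.

```cisco
! ASA3, context c2: WCCPv2 "web-cache" service (standard service 0, TCP/80) toward the WSA
! Redirect list: what to hand to the cache. Never redirect the WSA's own upstream fetches
! (they would loop back to it) nor traffic already addressed to the WSA.
access-list WCCP_REDIRECT extended deny tcp host 7.7.4.150 any
access-list WCCP_REDIRECT extended deny tcp any host 7.7.4.150
access-list WCCP_REDIRECT extended permit tcp 7.7.4.0 255.255.255.0 any eq www
! Group list: which cache engines may join the service group (only the WSA)
access-list WCCP_WSA extended permit ip host 7.7.4.150 any
! Bind both lists to the service group
wccp web-cache redirect-list WCCP_REDIRECT group-list WCCP_WSA
! Apply redirection to traffic entering the interface that faces both the clients and the WSA
wccp interface inside web-cache redirect in
```

`show wccp` should list the WSA as a router-known cache with a non-zero "Total Packets Redirected" counter once a Test-PC browser request goes through; if the WSA appears in `show wccp web-cache detail` but nothing is redirected, the redirect list is the first thing to re-check, since the ASA only redirects what that list permits.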
Use the following to verify your solution from the Test-PC, and then check HTTP requests on
R6 has been partially configured and will indicate the policy parameters to use.
Ensure that traffic from 192.168.6.6 (lo) on R6 is able to communicate with 20.20.20.1 (lo) on SW1.
There are faults on R6 and ASA3 that must be corrected to complete this question.
and R5) networks. R2 must be used as the key server and R1, R4 and R5 are group members.
Restrict ports f0/2 and f0/3 on SW3, connected to R4 and R5 respectively, from untrusted traffic.
When a WLAN client matches one of the following source IP addresses, its network access should automatically be discontinued:
• 10.20.203.33
• 10.20.203.101
DHCP from the 7.7.9.0/24 subnet and registers with CUCME on R6 (via 7.7.20.3).
The requirement is to add security to this connection through authentication and authorization
on SW6 (RADIUS source interface 7.7.99.1/VLAN99) and ISE1 (150.1.7.20) using MAC
- Create an Endpoint Identity for the IP Phone in your rack on ISE1 (150.1.7.20).
- Verify that you have an authentication rule for MAB on the Cisco ISE.
- Verify that the standard authorization policy for Cisco IP Phones exists and is allowing a
- Configure g1/0/1 on SW6 to support a voice VLAN (9) and a data VLAN (99).
- The data VLAN will provide support for the Test-PC, which must connect through the phone using
802.1X.
- SW6 must attempt a MAB authentication first after learning the MAC address of an endpoint.
The Test-PC must be allowed to connect through the authenticated Cisco IP Phone.
1. SW6 G1/0/1 should have been configured to support a voice and data VLAN.
2. Configure an Authorization Profile and Authorization Policy rule for the Test-PC on ISE1.
Attribute Value
Group Name Test-PC_Group
Username/Password Test-PC/Cisc0123
Access Type Access_Accept
Common Tasks
DACL Name DATA_VLAN_DACL
DACL Policy Permit ip any any
Vlan 99
In this question you are required to configure port g1/0/1 to use web authentication as a fallback.
1. Create an identity on ISE1 with the name guest and password cisco that will be used for
Parameters Settings
Name Guest
Description Permit Guest User
Access Type Access_Accept
Common Tasks
Web Authentication Centralized
ACL Web-Auth
DACL Name Guest_DACL
DACL Policy Permit HTTP/HTTPS and DOMAIN
3. Configure SW6 G1/0/1 for web authentication support, which will enable the Test-PC to
authenticate via the centralized web authentication server and receive an authorization policy.
Verify your solution by disabling the dot1x authentication on the Test-PC and authenticating via the
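The SW6 side of the phone/Test-PC port described in the three questions above (MAB first, 802.1X for the Test-PC in VLAN 99, centralized web authentication as the fallback), as an added example that is not the workbook's solution. ISE-side policy (the Test-PC and Guest authorization profiles, DACLs and the "Web-Auth" ACL reference) is GUI work and not shown. The RADIUS shared secret is a placeholder, since the page does not give it; the RADIUS server syntax is the classic `radius-server host` form that works on the 12.2SE/15.0SE releases listed for the switches.

```cisco
! SW6: RADIUS to ISE1 sourced from VLAN 99, port g1/0/1 with MAB first, 802.1X second, CWA fallback
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! ISE must be able to send a CoA to re-authorize the port after the web login (PLACEHOLDER key)
aaa server radius dynamic-author
 client 150.1.7.20 server-key RADIUS_SECRET_PLACEHOLDER
radius-server host 150.1.7.20 auth-port 1812 acct-port 1813 key RADIUS_SECRET_PLACEHOLDER
radius-server vsa send authentication
ip radius source-interface Vlan99
dot1x system-auth-control
! Needed for CWA: the switch must know the client IP and be able to intercept HTTP/HTTPS
ip device tracking
ip http server
ip http secure-server
! Redirect ACL that the ISE "Guest" profile names as ACL Web-Auth: permit = redirect, deny = pass
ip access-list extended Web-Auth
 deny udp any any eq domain
 deny udp any any eq bootps
 deny ip any host 150.1.7.20
 permit tcp any any eq www
 permit tcp any any eq 443
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 99
 switchport voice vlan 9
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

`authentication order mab dot1x` makes the switch try MAB as soon as it learns a MAC, which is what the phone needs; `authentication priority dot1x mab` lets an EAPOL frame from the Test-PC take over the data domain even though MAB ran first. With centralized web authentication there is no `webauth` method on the switch: when the Test-PC's supplicant is disabled, its MAB request reaches ISE as an unknown MAC, and the ISE "Guest" authorization profile returns the redirect URL plus the Web-Auth ACL; after the guest/cisco login ISE sends a CoA and the port is re-authorized with Guest_DACL. `show authentication sessions interface g1/0/1` should show one session in the VOICE domain and one in the DATA domain, and the URL redirect line while the PC is still at the portal.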