Version: 1.4
Document type: discussion / test / formal
Document level: open / internal / confidential
Revision history
Revision date   Revised by   Version   Reviewed by   Description
2017-04-10      飞天剑舞     1.0       飞天剑舞      Formal release
2017-04-20      飞天剑舞     1.1       飞天剑舞      Refined requirements
2017-05-30      飞天剑舞     1.2       飞天剑舞      Updated topology:
                                                    1. Updated 1.2 FO subinterfaces and NAT
                                                    2. Updated 1.3 cluster configuration
                                                    3. Updated 3.3 site_a AS number
2017-06-30      飞天剑舞     1.3       飞天剑舞      4. Updated 3.2 certificate access control list
                                                    5. Updated 3.3 GETVPN ACL
                                                    6. Updated 4.1 remote desktop dial-in support
Task 1.1b : configure ASA2_V and ASA22_V for Active-Standby failover
Task 1.2 : configure ASA1 and ASA2 for Active-Active failover
1.2 : Allow HTTP traffic at port 8080 from 172.16.1.0/24 network to server1 and server2
1.3 : Allow HTTP traffic at port 8080 from 10.1.22.0/24 network to server1 and server2
Task 2.1 : configure WCCP redirection on R2 for server1 and server2 HTTP traffic originated from client_pc1
Task 2.3 : Install FireAMP connector on candidate PC and configure FireAMP Cloud
Task 3.1 : configure Clientless SSL VPN between ASA2_V and Client_PC2
Task 3.2 : configure Site-To-Site certificate based VPN between R15, R16 and R17
Task 3.5 : configure SXP between SW2_P and ASA3
Task 4.1 : configure AnyConnect IKEv2 between ASA1_V and client_pc1
Task 4.2 : configure SW2_P Gig1/0/9 to authenticate the dot1x session from dot1x_pc
Task 4.4 : configure SW2_P Gig1/0/9 to authenticate and authorize PC mab_pc and IP phone
Task 5.2 : configure secure wireless deployment between WLC, ISE, SW2_P, AP and wireless_client
Task 5.3 : configure NTP between R1, R2, R15, R16 and R17
ASA1_V
Interface Gi0/0 :
Address Primary-Standby: 20.1.1.1/24-20.1.1.2/24
Name: outside
Interface Gi0/1:
Address Primary-Standby: 10.1.11.1/24-10.1.11.2/24
Name: inside
Failover :
Unit primary
Lan-link interface: Gi0/2
Primary-standby:10.10.11.1/24-10.10.11.2/24
Name: FO
EIGRP Routing :
Autonomous system : 12
Network:10.1.11.0/24
EIGRP Authentication :
Mode MD5
Key-ID : 1
Password:cisco
ASA11_V
Failover:
Unit secondary
Lan-link interface Gi0/2
Primary-standby : 10.10.11.1/24-10.10.11.2/24
Name : FO
Note:
Make sure that all the interfaces are being monitored for this failover implementation.
Points: 2
Solution
=======================================
ASA1v/ASA11v
ASA1v(config)# show firewall
Firewall mode: Router
ASA1v(config)#
========================================
ASA1v/ASA11v:
interface GigabitEthernet0/2
no shutdown
=========================================
ASA1_V:
failover lan unit primary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 10.10.11.1 255.255.255.0 standby 10.10.11.2
ASA11_V:
failover lan unit secondary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 10.10.11.1 255.255.255.0 standby 10.10.11.2
ASA1v:
failover
ASA11v:
failover
========================================
Verify
=====================================================
ASA1v: primary/active
interface GigabitEthernet0/0
no shutdown
nameif outside
security-level 0
ip address 20.1.1.1 255.255.255.0 standby 20.1.1.2
interface GigabitEthernet0/1
no shutdown
nameif inside
security-level 100
ip address 10.1.11.1 255.255.255.0 standby 10.1.11.2
authentication key eigrp 12 cisco key-id 1
authentication mode eigrp 12 md5
interface Management0/0
no shutdown
nameif mgmt
security-level 100
ip address 150.1.7.53 255.255.255.0 standby 150.1.7.54
EIGRP:
router eigrp 12
network 10.1.11.0 255.255.255.0
redistribute static metric 1000 100 255 1 1500
================================================
verify
ASA2_V
Interface Gi0/0:
Address primary-standby :20.1.2.1/24-20.1.2.2/24
Name : outside
interface Gi0/1:
address primary-standby: 10.1.22.1/24-10.1.22.2/24
name : inside
failover :
unit primary
lan-link interface :Gi0/2
primary-standby:10.10.22.1/24-10.10.22.2/24
name: FO
EIGRP Routing:
Autonomous system: 12
Network : 10.1.22.0/24
EIGRP authentication:
Mode md5
Key-id: 1
Password : cisco
ASA22_V
failover :
unit secondary
lan-link interface :Gi0/2
primary-standby:10.10.22.1/24-10.10.22.2/24
name: FO
Note:
Make sure that all the interfaces are being monitored for this failover implementation
Points: 2
Solution
=======================================
ASA1v/ASA11v
ASA1v(config)# show firewall
Firewall mode: Router
ASA1v(config)#
========================================
ASA1v/ASA11v:
interface GigabitEthernet0/2
no shutdown
==========================================
ASA2_v:
failover lan unit primary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 10.10.22.1 255.255.255.0 standby 10.10.22.2
ASA22_v:
failover lan unit secondary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 10.10.22.1 255.255.255.0 standby 10.10.22.2
ASA2v:
failover
ASA22v:
failover
==============================================
Verify
==========================================================
ASA2v:
interface GigabitEthernet0/0
no shutdown
nameif outside
security-level 0
ip address 20.1.2.1 255.255.255.0 standby 20.1.2.2
interface GigabitEthernet0/1
no shutdown
nameif inside
security-level 100
ip address 10.1.22.1 255.255.255.0 standby 10.1.22.2
authentication key eigrp 12 cisco key-id 1
authentication mode eigrp 12 md5
interface Management0/0
no shutdown
nameif mgmt
security-level 100
ip address 150.1.7.55 255.255.255.0 standby 150.1.7.56
EIGRP:
router eigrp 12
network 10.1.22.0 255.255.255.0
======================================================
Verify
Task 1.2 : configure ASA1 and ASA2 For the Active-Active Failover
ASA1-system
Interface Gi0/0.1:
Vlan 2
Interface Gi0/0.2:
Vlan 3
Interface Gi0/1.1:
Vlan 4
Interface Gi0/1.2:
Vlan 5
Interface Gi0/2.1
Vlan 6
Interface Gi0/2.2:
Vlan 7
Failover :
Unit primary
Lan interface Gi0/3
Primary-standby: 10.100.201.1/24-10.100.201.2
Name: LAN
Unit primary
Lan interface Gi0/4
Primary-standby : 10.100.202.1/24-10.100.202.2
Name : STATE
Contexts:
Name : admin
Allocate interface: management 0/0
URL : admin.cfg
Name: c1
Allocate interface: GigabitEthernet0/0.1 GigabitEthernet0/1.1 GigabitEthernet0/2.1
Labels Respectively : inside_c1 , dmz_c1 , outside_c1
Join failover group : 1
URL: c1.cfg
Name: c2
Allocate interfaces : GigabitEthernet0/0.2 GigabitEthernet0/1.2 GigabitEthernet0/2.2
Labels Respectively : inside_c2 , dmz_c2 , outside_c2
Join failover group : 2
URL: c2.cfg
ASA1-admin
Interface management0/0:
Address primary-standby: 150.1.7.57/24-150.1.7.58
Name: management
Security level : 100
ASA1-c1
Interface inside_c1:
Address primary-standby : 10.100.2.1/24-10.100.2.2
Name : inside
Interface dmz_c1:
Address primary-standby : 10.100.4.1/24-10.100.4.2
Name : dmz
Security level : 50
Interface outside_c1:
Address primary-standby : 10.100.6.1/24-10.100.6.2
Name : outside
Address Translation :
server5 should be accessible from outside using outside interface.
Network object used for the translation should be named server5_c1
Traffic Filtering:
Server5 should be accessible only from 192.168.10.0/24 network for the HTTP traffic at port
80 and ICMP Echo message.
ACL for the traffic filtering should be named server5_c1.
ACL Should be network and host specific.
static routes:
Server5 network accessible via next hop R7
192.168.10.0/24 network accessible via next hop R9
ASA1-c2
Interface inside_c2
Address primary-standby: 10.100.3.1/24-10.100.3.2
Name : inside
Interface dmz_c2
Address primary-standby:10.100.5.1/24-10.100.5.2
Name: dmz
Security level: 50
Interface outside_c2
Address primary-standby : 10.100.7.1/24-10.100.7.2
Name : outside
Address translation :
Server6 should be accessible from outside using outside interface
Network object used for the translation should be named server6_c2
Traffic filtering:
Server6 should be accessible only from 192.168.11.0/24 network for the HTTP at port 80 and
ICMP Echo messages.
ACL For the traffic filtering should be named server6_c2.
ACL should be network and host specific.
Static routes:
Server6 network accessible via next hop R8.
192.168.11.0/24 network accessible via next hop R9.
ASA2-system
Failover :
Unit secondary
Note:
Make sure that all the interfaces are being monitored for this failover implementation.
Points : 5
Solution
=======================================================
ASA1/ASA2
ASA1(config)# show mode
Security context mode: multiple
ASA1(config)# show firewall
Firewall mode: Router
ASA1(config)#
---------------------------------------------------------------------
ASA1/ASA2
mode multiple
delete the old context configuration files (*.cfg) from flash
no firewall transparent
=======================================================
Interface initial
=======================================================
ASA1:
interface e0
no shutdown
interface e1
no shutdown
interface e2
no shutdown
interface e3
no shutdown
interface e4
no shutdown
interface e5 ! used in this lab in place of Management0/0
no shutdown
interface Ethernet0.1
vlan 2
!
interface Ethernet0.2
vlan 3
!
interface Ethernet1.1
vlan 4
!
interface Ethernet1.2
vlan 5
!
interface Ethernet2.1
vlan 6
!
interface Ethernet2.2
vlan 7
!
====================================================
Failover
====================================================
ASA1:
admin-context admin
context admin
config-url disk0:/admin.cfg
!
context c1
config-url disk0:/c1.cfg
join-failover-group 1
!
context c2
config-url disk0:/c2.cfg
join-failover-group 2
----------------------------------------------------------------------
ASA2:
interface e3
no shutdown
exit
interface e4
no shutdown
failover lan unit secondary
failover lan interface LAN Ethernet3
failover link STATE Ethernet4
failover interface ip LAN 10.100.201.1 255.255.255.0 standby 10.100.201.2
failover interface ip STATE 10.100.202.1 255.255.255.0 standby 10.100.202.2
failover group 1
secondary
preempt
failover group 2
primary
preempt
context c1
config-url disk0:/c1.cfg
join-failover-group 1
!
context c2
config-url disk0:/c2.cfg
join-failover-group 2
ASA1#ping 10.100.201.2
ASA1#ping 10.100.202.2
ASA1(config)# failover
ASA2(config)# failover
=======================================================
Verify
ASA1:
=======================================================
Create contexts
========================================================
ASA1
admin-context admin
context admin
allocate-interface Ethernet5
config-url disk0:/admin.cfg
!
context c1
allocate-interface Ethernet0.1 inside_c1
allocate-interface Ethernet1.1 dmz_c1
allocate-interface Ethernet2.1 outside_c1
config-url disk0:/c1.cfg
join-failover-group 1
!
context c2
allocate-interface Ethernet0.2 inside_c2
allocate-interface Ethernet1.2 dmz_c2
allocate-interface Ethernet2.2 outside_c2
config-url disk0:/c2.cfg
join-failover-group 2
!
==================================================
Context c1
===================================================
ASA1-C1:
changeto context c1
interface inside_c1
nameif inside
security-level 100
ip address 10.100.2.1 255.255.255.0 standby 10.100.2.2
interface dmz_c1
nameif dmz
security-level 50
ip address 10.100.4.1 255.255.255.0 standby 10.100.4.2
interface outside_c1
nameif outside
security-level 0
ip address 10.100.6.1 255.255.255.0 standby 10.100.6.2
monitor-interface inside
monitor-interface dmz
monitor-interface outside
---------------------------------------------------------------------------
Verify:
===========================================================
Static Route
===========================================================
ASA1-C1:
route outside 192.168.10.0 255.255.255.0 10.100.6.9
route dmz 192.168.105.7 255.255.255.255 10.100.4.7
===========================================================
NAT
===========================================================
ASA1-C1 NAT:
object network server5_c1
host 192.168.105.7
nat (dmz,outside) static interface
-----------------------------------------------------------------------
Verify: After Task 3.4
=====================================================
Traffic filter
======================================================
ASA1-C1:
R7:
ip http server
================================================
Context C2
================================================
ASA2-C2:
Changeto context c2
interface inside_c2
nameif inside
security-level 100
ip address 10.100.3.1 255.255.255.0 standby 10.100.3.2
interface dmz_c2
nameif dmz
security-level 50
ip address 10.100.5.1 255.255.255.0 standby 10.100.5.2
interface outside_c2
nameif outside
security-level 0
ip address 10.100.7.1 255.255.255.0 standby 10.100.7.2
monitor-interface inside
monitor-interface dmz
monitor-interface outside
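The note on this task ("make sure that all the interfaces are being monitored") is easy to miss in a multi-context deployment, where each context carries its own monitor-interface lines and the allocated interfaces are subinterfaces, which the ASA does not monitor by default. The following is an added example, not part of the workbook or of any Cisco tool: a small Python audit that reads a context configuration like the c1 and c2 blocks above and reports every nameif that has no monitor-interface line, and every nameif whose ip address line has no standby address. The sample configuration is constructed from the c1 context with the dmz monitor line and the outside standby address deliberately removed so the audit has something to report.

```python
import re
from typing import Dict, List

# Constructed sample: the c1 context interface configuration from this task,
# with the monitor-interface line for dmz and the standby address of outside
# deliberately left out so the audit has something to report.
SAMPLE_C1 = """\
interface inside_c1
 nameif inside
 security-level 100
 ip address 10.100.2.1 255.255.255.0 standby 10.100.2.2
interface dmz_c1
 nameif dmz
 security-level 50
 ip address 10.100.4.1 255.255.255.0 standby 10.100.4.2
interface outside_c1
 nameif outside
 security-level 0
 ip address 10.100.6.1 255.255.255.0
monitor-interface inside
monitor-interface outside
"""


def named_interfaces(config: str) -> Dict[str, dict]:
    """Return {nameif: {"interface": allocated interface, "standby": bool}}.

    A 'nameif' line attaches to the most recent 'interface' stanza; an
    'ip address ... standby ...' line marks that nameif as having a standby
    address for the peer unit.
    """
    result: Dict[str, dict] = {}
    current_if = None
    current_name = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current_if = line.split(None, 1)[1]
            current_name = None
        elif line.startswith("nameif ") and current_if:
            current_name = line.split(None, 1)[1]
            result[current_name] = {"interface": current_if, "standby": False}
        elif line.startswith("ip address ") and current_name:
            result[current_name]["standby"] = " standby " in f" {line} "
    return result


def monitored_interfaces(config: str) -> List[str]:
    """Names given on 'monitor-interface <nameif>' lines."""
    return re.findall(r"^\s*monitor-interface\s+(\S+)", config, flags=re.M)


def audit_failover_monitoring(config: str) -> Dict[str, List[str]]:
    """Report nameifs that are not monitored and nameifs with no standby IP.

    An unmonitored interface cannot trigger a failover when it goes down, and
    an interface without a standby address gives the peer unit no address on
    that segment, so the interface health tests between the two units cannot
    run there.
    """
    named = named_interfaces(config)
    monitored = set(monitored_interfaces(config))
    return {
        "unmonitored": sorted(n for n in named if n not in monitored),
        "no_standby": sorted(n for n, v in named.items() if not v["standby"]),
    }


if __name__ == "__main__":
    for finding, names in audit_failover_monitoring(SAMPLE_C1).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Run it against the output of show running-config taken inside each context (changeto context c1, then c2); an empty report for both lists is what the task note asks for.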
-------------------------------------------------------------------------
Verify :
=======================================================
Static route
======================================================
ASA1-C2:
route outside 192.168.11.0 255.255.255.0 10.100.7.9
route dmz 192.168.106.8 255.255.255.255 10.100.5.8
=======================================================
NAT
========================================================
ASA1-C2:
object network server6_c2
host 192.168.106.8
nat (dmz,outside) static interface
-----------------------------------------------------------------
Verify: After Task 3.4
=====================================================
Traffic filter
=====================================================
R8:
ip http server
ASA1-C2:
access-list server6_c2 extended permit tcp 192.168.11.0 255.255.255.0 host 192.168.106.8 eq www
access-list server6_c2 extended permit icmp 192.168.11.0 255.255.255.0 host 192.168.106.8 echo
access-group server6_c2 in interface outside
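The task wording "network and host specific" means the ACL must name the exact source network and the exact server, not any; the lines above do that, but it is worth seeing how the ASA's first-match evaluation and its implicit deny decide individual flows. The following is an added example, not part of the workbook: a Python parser and evaluator for ASA extended ACL lines in the form used above (host, any, and network/subnet-mask addresses; eq port for TCP/UDP; ICMP type names), run against the server6_c2 ACL transcribed from this task. The port and ICMP name tables are a small subset chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Transcribed from this task: the server6_c2 ACL as entered on ASA1 context c2.
ACL_SERVER6_C2 = """\
access-list server6_c2 extended permit tcp 192.168.11.0 255.255.255.0 host 192.168.106.8 eq www
access-list server6_c2 extended permit icmp 192.168.11.0 255.255.255.0 host 192.168.106.8 echo
"""

# Small subset of the ASA's port and ICMP type keywords, enough for this example.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}


@dataclass
class Ace:
    name: str
    action: str             # permit / deny
    proto: str              # ip / tcp / udp / icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    match: Optional[int]    # TCP/UDP destination port or ICMP type; None = any


def _address(tokens: List[str], i: int):
    """Parse 'host A.B.C.D', 'any' or 'A.B.C.D MASK' (the ASA uses subnet masks)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Turn 'access-list NAME extended ACTION PROTO SRC DST [eq PORT | ICMP-TYPE]' lines into ACEs."""
    aces: List[Ace] = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        name, action, proto = t[1], t[3], t[4]
        src, i = _address(t, 5)
        dst, i = _address(t, i)
        match = None
        if i < len(t):
            if proto in ("tcp", "udp") and t[i] == "eq":
                match = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            elif proto == "icmp":
                match = ICMP_TYPES[t[i]] if t[i] in ICMP_TYPES else int(t[i])
        aces.append(Ace(name, action, proto, src, dst, match))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             match: Optional[int] = None) -> str:
    """First-match evaluation with the ASA's implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.match is not None and ace.match != match:
            continue
        return ace.action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(ACL_SERVER6_C2)
    for flow in [("tcp", "192.168.11.10", "192.168.106.8", 80),
                 ("tcp", "192.168.11.10", "192.168.106.8", 22),
                 ("tcp", "192.168.12.10", "192.168.106.8", 80),
                 ("icmp", "192.168.11.10", "192.168.106.8", 8)]:
        print(flow, "->", evaluate(acl, *flow))
```

The evaluator models only the ACL bound inbound on outside; the return half of a permitted TCP session is admitted by the ASA's connection table, not by this list, which is why no reverse ACE is needed.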
=====================================================
Context admin
=====================================================
ASA1-admin:
ASA1-admin
interface e5 ! used in this lab in place of Management0/0
management-only
nameif management
security-level 100
ip address 150.1.7.57 255.255.255.0 standby 150.1.7.58
------------------------------------------------------------------------
Verify:
===========================================================
failover verification ! important !!!
===========================================================
Task 1.3 : configure ASA3 and ASA4 for Clustering
ASA3-system
Interface mode:
Interface: port-channel1:
Subinterface:1.8
Vlan number: vlan 8
Subinterface:1.9
Vlan number: vlan 9
Subinterface:1.10
Vlan number: vlan 10
Interface : Gi0/0
Member of channel-group: 1
Interface : Gi0/1
Member of channel-group: 1
Group : ccie
Interface: Gi0/2
Address : 10.100.203.1/24
Name: ASA3
Master
ASA3-admin
Management pool:
Name: Mgmt.-pool
Range: 150.1.7.60-150.1.7.61
Management interface:
Name: Mgmt.
Address: 150.1.7.59/24
Interface port-channel1.8
Address 10.100.8.1/24
Name inside
Interface port-channel1.10
Address 10.100.10.1/24
name dmz
Security level 50
Address translation :
Traffic filtering:
Server3 192.168.103.14 should be accessible only from security-group name pc1 for the HTTP
traffic at port 80.
Server4 192.168.104.14 should be accessible only from security-group name pc2 for the HTTP
traffic at port 80.
ACL for the traffic filtering should be named server3-4
ACL should be host specific.
Static routes:
Server3 network accessible via next hop R14.
Server4 network accessible via next hop R14.
ASA4-system
Group ccie
Interface Gi0/2
Address 10.100.203.2/24
Name ASA4
Slave
Points : 4
Solution
==============================
ASA3(config)# show mode
Security context mode: multiple
ASA3(config)#
ASA4(config)# show mode
Security context mode: multiple
ASA4(config)#
======================================================
Cluster
======================================================
ASA3/ASA4:
cluster interface-mode spanned force
interface gigabitEthernet 2
no shutdown
------------------------------------------------------------
ASA3:
cluster group ccie
local-unit ASA3
cluster-interface GigabitEthernet2 ip 10.100.203.1 255.255.255.0
priority 1
enable (ASA 5512X only)
Would you like to remove these commands? [Y]es/[N]o:Y
--------------------------------------------------------------
ASA4:
cluster group ccie
local-unit ASA4
cluster-interface GigabitEthernet2 ip 10.100.203.2 255.255.255.0
priority 2
enable as-slave(ASA 5512X only)
Would you like to remove these commands? [Y]es/[N]o:Y
-------------------------------------------------------------------------
Verify: (ASA 5512X only)
==========================================================
SW1(physical)=SW1_P(virtual) SW2(physical)=SW2_P(virtual)=SW22_P(virtual)
===========================================================
SW1/SW1_P:
Vlan 8-10
Vlan 150
-----------------------------------------------------------------
SW2/SW2_P:
Vlan 8-10
Vlan 150
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 8-10
switchport mode trunk
exit
==============================================
Initial interface
===============================================
ASA3:
interface Port-channel1
port-channel span-cluster
!
interface gigabitEthernet 0
no shutdown
channel-group 1 mode on      ! on the virtual (ASAv) lab
channel-group 1 mode active  ! on the physical appliance
interface gigabitEthernet 1
no shutdown
channel-group 1 mode on      ! on the virtual (ASAv) lab
channel-group 1 mode active  ! on the physical appliance
interface Port-channel1.8
vlan 8
!
interface Port-channel1.9
vlan 9
!
interface Port-channel1.10
vlan 10
admin-context admin
context admin
allocate-interface GigabitEthernet3
allocate-interface Port-channel1.8-Port-channel1.10
config-url disk0:/admin.cfg
=======================================
Context admin
=======================================
interface Port-channel1.8
nameif inside
security-level 100
ip address 10.100.8.1 255.255.255.0
interface Port-channel1.9
nameif outside
security-level 0
ip address 10.100.9.1 255.255.255.0
interface Port-channel1.10
nameif dmz
security-level 50
ip address 10.100.10.1 255.255.255.0
=========================================
Static route
==========================================
route dmz 192.168.103.14 255.255.255.255 10.100.10.14
route dmz 192.168.104.14 255.255.255.255 10.100.10.14
-----------------------------------------------------------------
verify :
====================================================
NAT
====================================================
ASA3:
object network server3_t
host 192.168.103.14
object network server4_t
host 192.168.104.14
R14:
ip http server
------------------------------------------------------------
Verify:
Server3:
Server4:
Solution
========================================================
NGIPS initial
=========================================================
====================================================
FMC initial
===================================================
Registered successful:
===========================================================
Permit EIGRP traffic
==========================================================
OR
Permit eigrp in application table when license installed
-------------------------------------------------------------------------------
verify:
1.2: Allow HTTP traffic at port 8080 from 172.16.1.0/24 network to server1 and server2
solution
==========================================================
IPS
==========================================================
========================================================
R3 server
========================================================
ip http server
ip http port 8080
------------------------------------------------------------------------------
Verify : After Task 2.1 2.2 4.1
RDP client_pc1 :
FMC:
1.3: Allow HTTP traffic at port 8080 from 10.1.22.0/24 network to server1 and server2
Points : 5
=====================================================
IPS
=====================================================
--------------------------------------------------------------------
Verify: After Task 2.1 2.2 3.1
Task 2.1 : configure WCCP redirection on R2 for server1 and server2 HTTP traffic originated from client_pc1
Any traffic filtering applied should be network and host specific for the HTTP port 8080
Note:
This task can only be verified after the successful implementation of Task 1.1a, Task 1.4 and
Task 4.1 (so that an end-to-end connectivity test can be performed).
Points : 5
=================================================
WSA initial:
===================================================
WCCP config:
R2:
ip access-list extended RED
permit tcp 172.16.1.0 0.0.0.255 host 192.168.101.3 eq 8080
permit tcp 172.16.1.0 0.0.0.255 host 192.168.102.3 eq 8080
exit
interface e0/2
ip wccp 90 redirect in
verify:
HTTP traffic at port 8080 originating from the 172.16.1.0/24 network and directed to server1 and
server2 should be allowed when Firefox is the browser but dropped when it originates from
Internet Explorer; all other traffic should be allowed.
identification profile 1:
Name: monitor profile
For source 172.16.1.0/24
For browser type-version Firefox-any
Identification profile 2:
Name: Block profile
Check For source 172.16.1.0/24
Check For browser type-version IE-Any
The URL category should be named CCIE Lab Rule and cover server1.cisco.com and
server2.cisco.com.
The corresponding access policies should be named monitor policy and block policy
respectively and reference CCIE Lab Rule.
Note:
This task can only be verified after the successful implementation of Task 1.1a, Task 2.1 and
Task 4.2 (so that an end-to-end connectivity test can be performed).
Points : 4
Solution
=============================================
----------------------------------------------------------------
Change http port
identification profile 1:
identification profile 2:
-------------------------------------------------------------------------------
Verify: after finishing Task 1.4 and Task 4.1
Task 2.3 : Install FireAMP connector on candidate PC and configure FireAMP Cloud
Points : 4
Solution
=================================================
=================================================
Task 3.1 : configure Clientless SSL VPN between ASA2_V and Client_PC2
The web ACL implementation should only allow the following URLs:
http://server1.cisco.com:8080
http://server2.cisco.com:8080
the bookmarks for the above servers should appear in the WebVPN portal as server1 and
server2 respectively.
Notes:
On client_pc2 a connection shortcut named ssl_vpn has been created in Firefox to test the
implementation.
The verification of this task depends on the successful implementation of Task 1.1b and Task 1.4.
The VPN session should be in the established state, and you should be able to open sessions to
server1 and server2, when you have ended your lab.
The VPN session should terminate on ASA2_v, being the active ASA in the pair.
Closing the RDP connection to client_pc2 must not tear down the established VPN session.
The DNS server is at 150.1.7.200.
Note:
Any information not provided for this task can be assumed by the candidate.
Points : 3
Solution
===============================================
DNS !!!
===============================================
ASA2v
dns domain-lookup mgmt
dns name-server 150.1.7.200
domain-name cisco.com
=================================================
Enroll certificate
================================================
webvpn
enable outside
tunnel-group-list enable
===========================================================
bookmark
===========================================================
Verify: finish Task 1.4 Task 2.1 Task 2.2
===================================================
Make ASA22v active and apply the bookmark again.
====================================================
ASA2v:
ASA2v(config)# no failover active
ASA2v(config)#
Switching to Standby
ASA2v(config)#
Task 3.2 : configure Site-To-Site certificate based VPN between R15, R16 and R17
Note:
Any information not provided for this task can be assumed by the candidate.
Points : 3
Solution
=============================================
NTP (see Task 5.3)
================================================
================================================
R17 CA Server PRE-CONFIG
================================================
crypto key generate rsa label ccier17 modulus 1024  ! may already be pre-configured; verify with the checks below
ip http server
crypto pki server ccieca
database level complete
issuer-name CN=r17 O=cisco.com
grant auto
no shutdown
! "no shutdown" prompts for a passphrase: cisco123. If the server was already up, do shutdown
! followed by no shutdown, then verify that the server is enabled.
-----------------------------------------------------
Verify:
================================================
R15 enroll certificate
====================================================
ip domain-name cisco.com
ip name-server 150.1.7.200
crypto key generate rsa label ccier15 modulus 1024
----------------------------------------------------------------
-----------------------------------------------------------------------------
Verify
====================================================
R16 enroll certificate
====================================================
ip domain-name cisco.com
ip name-server 150.1.7.200
----------------------------------------------------
Verify:
*************************************************************************************
Note: on a PKI enrollment error, delete the trustpoint and the key pair, then enroll again.
*************************************************************************************
no crypto pki trustpoint ccier16
yes
crypto key zeroize rsa
yes
-------------------------------------------------------------------------
Verify :
=====================================================
R15
======================================================
crypto isakmp policy 10
authentication rsa-sig
exit
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
exit
interface g 1
crypto map VPN
exit
=================================================
R16
=================================================
crypto isakmp policy 10
authentication rsa-sig
exit
interface g2
crypto map VPN
exit
=================================================
Certificate map (suggested)
=================================================
R15:
crypto pki certificate map CERTMAP 10
subject-name co cn = r16 o=cisco.com
crypto isakmp profile IKEV1PROFILE
ca trust-point ccier15
match certificate CERTMAP
-------------------------------------------------------------------
R16:
crypto pki certificate map CERTMAP 10
subject-name co cn = r15 o=cisco.com
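The suggested certificate map restricts which peer certificates the ISAKMP profile accepts, and the operator matters: co is a substring match, so a short value over-matches. The following is an added example, not part of the workbook or of IOS: a Python model of certificate-map evaluation in which lines sharing a sequence number are ANDed and distinct sequence numbers are ORed (the IOS semantics as modelled here), with the operators eq, ne, co and nc. The DN normalisation (case-insensitive, commas and spaces around "=" ignored) is an assumption made so that "cn = r16 o=cisco.com" compares against a certificate's "CN=r16, O=cisco.com". The strict map is transcribed from the R15 suggestion above plus a constructed issuer check; the loose map and the peer certificates are constructed to show the over-match.

```python
import re
from typing import Dict, List, Tuple

Rule = Tuple[int, str, str, str]   # (sequence, field, operator, value)

# Transcribed from this task's suggested map on R15 (matching R16's certificate),
# plus a constructed issuer-name check against the lab CA (CN=r17 O=cisco.com).
STRICT_MAP: List[Rule] = [
    (10, "subject-name", "co", "cn = r16 o=cisco.com"),
    (10, "issuer-name", "eq", "cn=r17 o=cisco.com"),
]

# Constructed: a value that is too short for a substring (co) match.
LOOSE_MAP: List[Rule] = [
    (10, "subject-name", "co", "cn = r1"),
]

# Constructed peer certificates, all issued by the lab CA; r1x is a third
# router that the R15 tunnel should not accept.
PEER_CERTS: Dict[str, Dict[str, str]] = {
    "r16": {"subject-name": "CN=r16, O=cisco.com", "issuer-name": "CN=r17, O=cisco.com"},
    "r15": {"subject-name": "CN=r15, O=cisco.com", "issuer-name": "CN=r17, O=cisco.com"},
    "r1x": {"subject-name": "CN=r1x, O=cisco.com", "issuer-name": "CN=r17, O=cisco.com"},
}


def normalize_dn(s: str) -> str:
    """Assumed normalisation: lower-case, commas as separators, no blanks around '='."""
    s = s.lower().replace(",", " ")
    s = re.sub(r"\s*=\s*", "=", s)
    return " ".join(s.split())


def line_matches(op: str, have: str, want: str) -> bool:
    """Evaluate one map line: eq/ne compare whole values, co/nc test substrings."""
    have, want = normalize_dn(have), normalize_dn(want)
    if op == "eq":
        return have == want
    if op == "ne":
        return have != want
    if op == "co":
        return want in have
    if op == "nc":
        return want not in have
    raise ValueError(f"unknown operator {op}")


def map_matches(rules: List[Rule], cert: Dict[str, str]) -> bool:
    """Lines with the same sequence number are ANDed; sequences are ORed."""
    by_seq: Dict[int, List[Tuple[str, str, str]]] = {}
    for seq, field, op, value in rules:
        by_seq.setdefault(seq, []).append((field, op, value))
    for lines in by_seq.values():
        if all(line_matches(op, cert.get(field, ""), value) for field, op, value in lines):
            return True
    return False


def accepted_peers(rules: List[Rule], certs: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of the certificates the map would let through."""
    return sorted(name for name, cert in certs.items() if map_matches(rules, cert))


if __name__ == "__main__":
    print("strict map accepts:", accepted_peers(STRICT_MAP, PEER_CERTS))
    print("loose map accepts: ", accepted_peers(LOOSE_MAP, PEER_CERTS))
```

The loose map accepts every certificate whose CN starts with r1, which in this lab includes R15 itself; using the full CN and O, and adding an issuer-name line, keeps the map to the one peer the task intends.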
Rekey authentication should use the RSA key cciekey for both sites.
The implementation should secure site_a traffic between the 192.168.4.0/24 and 192.168.5.0/24
networks.
The implementation should secure site_b traffic between the 192.168.4.0/24 and 192.168.5.0/24
networks.
The EIGRP routing process for site_a and site_b should be authenticated using MD5 mode and the
password ccie.
Notes:
Refer to the topology for addressing, VLAN and EIGRP routing information.
SW1_V is preconfigured for this task.
Any information not provided for this task can be assumed by the candidate.
Points : 3
Solution
=======================================================
EIGRP ROUTE
========================================================
-----------------------------------------------------------------------
R4:
ip vrf mgmt
rd 20:20
!
ip vrf site_a
rd 100:100
!
ip vrf site_b
rd 200:200
!
key chain ccie
key 1
key-string ccie
!
interface Loopback100
ip vrf forwarding site_a
ip address 192.168.4.4 255.255.255.255
!
interface Loopback200
ip vrf forwarding site_b
ip address 192.168.4.4 255.255.255.255
!
!
interface Ethernet0/2.20
encapsulation dot1Q 20
ip vrf forwarding mgmt
ip address 10.1.20.4 255.255.255.0
!
interface Ethernet0/2.100
encapsulation dot1Q 100
ip vrf forwarding site_a
ip address 10.1.45.4 255.255.255.0
ip authentication mode eigrp 403 md5
ip authentication key-chain eigrp 403 ccie
!
interface Ethernet0/2.200
encapsulation dot1Q 200
ip vrf forwarding site_b
ip address 10.1.45.4 255.255.255.0
ip authentication mode eigrp 405 md5
ip authentication key-chain eigrp 405 ccie
!
router eigrp 45
!
address-family ipv4 vrf site_a autonomous-system 403
network 10.1.45.0 0.0.0.255
network 192.168.4.0
exit-address-family
!
address-family ipv4 vrf site_b autonomous-system 405
network 10.1.45.0 0.0.0.255
network 192.168.4.0
exit-address-family
!
----------------------------------------------------------------------
R5:
ip vrf mgmt
rd 20:20
!
ip vrf site_a
rd 100:100
!
ip vrf site_b
rd 200:200
!
key chain ccie
key 1
key-string ccie   ! the task requires the password ccie (the original capture showed cisco)
!
interface Loopback100
ip vrf forwarding site_a
ip address 192.168.5.5 255.255.255.255
!
interface Loopback200
ip vrf forwarding site_b
ip address 192.168.5.5 255.255.255.255
!
interface Ethernet0/2.20
encapsulation dot1Q 20
ip vrf forwarding mgmt
ip address 10.1.20.5 255.255.255.0
!
interface Ethernet0/2.100
encapsulation dot1Q 100
ip vrf forwarding site_a
ip address 10.1.45.5 255.255.255.0
ip authentication mode eigrp 403 md5
ip authentication key-chain eigrp 403 ccie
!
interface Ethernet0/2.200
encapsulation dot1Q 200
ip vrf forwarding site_b
ip address 10.1.45.5 255.255.255.0
ip authentication mode eigrp 405 md5
ip authentication key-chain eigrp 405 ccie
!
!
router eigrp 45
!
address-family ipv4 vrf site_a autonomous-system 403
network 10.1.45.0 0.0.0.255
network 192.168.5.0
exit-address-family
!
address-family ipv4 vrf site_b autonomous-system 405
network 10.1.45.0 0.0.0.255
network 192.168.5.0
exit-address-family
!
----------------------------------------------------------
Verify:
==================================================
Key server (KS) R3
=================================================
===========================================================
verify
===========================================================
R4 site_a:
R4 site_b:
R5 site_a:
R5 site_b:
R3 ks:
-------------------------------------------------------------------------------
verify:
Task 3.4 : configure FLEXVPN between R9 R10 and R11
Loopback1 interfaces on R9 R10 and R11 should be included in the EIGRP routing domain.
Tu34 should secure the traffic between 192.168.10.0/24 and host 10.100.6.1
Tu35 should secure the traffic between 192.168.11.0/24 and host 10.100.7.1
Notes:
The verification of this task depends on the successful implementation of Task 1.2
Refer to the topology for addressing and EIGRP routing information.
Any information not provided for this task can be assumed by the candidate
Points : 3
Solution
Note:
============================================
R9
============================================
======================================================
R10
======================================================
crypto ikev2 proposal PROPOSAL
encryption aes-cbc-256
integrity sha256
group 2
!
crypto ikev2 policy POLICY
match fvrf any
proposal PROPOSAL
!
crypto ikev2 keyring KEYRING
peer R9
address 20.1.3.9
pre-shared-key ccier10
!
!
crypto ikev2 profile IKEV2PROFILE
match identity remote address 20.1.3.9 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile IPSECPROFILE
set transform-set TS
set ikev2-profile IKEV2PROFILE
!
interface Tunnel34
ip address 172.16.2.10 255.255.255.0
ip nhrp network-id 10
ip nhrp nhs 172.16.2.9
tunnel source 20.1.4.10
tunnel destination 20.1.3.9
tunnel key KEY1   ! tunnel key takes a numeric value (0-4294967295) and must match the R9 side
tunnel protection ipsec profile IPSECPROFILE
!
!
router eigrp 34
network 172.16.2.0 0.0.0.255
network 192.168.10.0
!
=============================================
R11
=============================================
crypto ikev2 proposal PROPOSAL
encryption aes-cbc-256
integrity sha256
group 2
!
crypto ikev2 policy POLICY
match fvrf any
proposal PROPOSAL
!
crypto ikev2 keyring KEYRING
peer R9
address 20.1.3.9
pre-shared-key ccier11
!
crypto ikev2 profile IKEV2PROFILE
match identity remote address 20.1.3.9 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile IPSECPROFILE
set transform-set TS
set ikev2-profile IKEV2PROFILE
!
crypto ipsec profile IPSPROFILE
set transform-set TS
set ikev2-profile IKEV2PROFILE
!
interface Tunnel35
ip address 172.16.3.11 255.255.255.0
ip nhrp network-id 11
ip nhrp nhs 172.16.3.9
tunnel source 20.1.5.11
tunnel destination 20.1.3.9
! IOS accepts only a numeric tunnel key (0-4294967295); the workbook's placeholder
! KEY2 is assumed here to be 35, and the hub must configure the same value
tunnel key 35
tunnel protection ipsec profile IPSPROFILE
!
router eigrp 35
network 172.16.3.0 0.0.0.255
network 192.168.11.0
================================================
Verify:
-----------------------------------------------
R10:
----------------------------------------------
R11:
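The spoke configurations above chain four objects together (tunnel interface, IPsec profile, IKEv2 profile, keyring), and a single dangling name in that chain leaves GRE/NHRP traffic unprotected or keeps the tunnel from coming up at all. The following added example (not from the workbook, not Cisco code) audits a show-run style excerpt for exactly those gaps. SAMPLE_CONFIG is a constructed excerpt modelled on the R11 spoke; it keeps two defects on purpose, an IPsec profile that is defined but never applied and a non-numeric tunnel key, so the audit has something to report.

```python
"""Audit an IOS DMVPN/IKEv2 spoke for dangling crypto references (added example)."""
import re
from typing import Dict, List, Optional

# Constructed show-run style excerpt modelled on the R11 spoke above; it keeps two
# defects on purpose (an unused IPsec profile and a non-numeric tunnel key).
SAMPLE_CONFIG = """\
crypto ikev2 keyring KEYRING
 peer R9
  address 20.1.3.9
  pre-shared-key ccier11
!
crypto ikev2 profile IKEV2PROFILE
 authentication remote pre-share
 keyring local KEYRING
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile IPSECPROFILE
 set transform-set TS
 set ikev2-profile IKEV2PROFILE
!
crypto ipsec profile IPSPROFILE
 set transform-set TS
 set ikev2-profile IKEV2PROFILE
!
interface Tunnel35
 tunnel source 20.1.5.11
 tunnel destination 20.1.3.9
 tunnel key KEY2
 tunnel protection ipsec profile IPSPROFILE
!
"""

HEADER_RE = re.compile(r"(crypto ikev2 keyring|crypto ikev2 profile|"
                       r"crypto ipsec transform-set|crypto ipsec profile|interface) (\S+)")


def parse_objects(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Group config blocks as {object type: {name: [stripped child lines]}}."""
    objs: Dict[str, Dict[str, List[str]]] = {}
    body: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] == " ":            # indented line belongs to the current block
            body.append(raw.strip())
            continue
        m = HEADER_RE.match(raw)
        body = []                    # new top-level block, tracked only if it is one we audit
        if m:
            objs.setdefault(m.group(1), {})[m.group(2)] = body
    return objs


def first_arg(body: List[str], prefix: str) -> Optional[str]:
    """First token following `prefix` in a block body, or None."""
    for line in body:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:].split()[0]
    return None


def audit(text: str) -> List[str]:
    """Walk tunnel -> ipsec profile -> ikev2 profile -> keyring and report gaps."""
    objs = parse_objects(text)
    ipsec = objs.get("crypto ipsec profile", {})
    ikev2 = objs.get("crypto ikev2 profile", {})
    keyrings = objs.get("crypto ikev2 keyring", {})
    findings: List[str] = []
    used = set()
    for name, body in objs.get("interface", {}).items():
        if not name.startswith("Tunnel"):
            continue
        key = first_arg(body, "tunnel key")
        if key is not None and not key.isdigit():
            findings.append(f"{name}: tunnel key '{key}' is not numeric (IOS expects 0-4294967295)")
        prof = first_arg(body, "tunnel protection ipsec profile")
        if prof is None:
            findings.append(f"{name}: no tunnel protection, GRE/NHRP would travel in the clear")
            continue
        used.add(prof)
        if prof not in ipsec:
            findings.append(f"{name}: ipsec profile {prof} is not defined")
            continue
        ikp = first_arg(ipsec[prof], "set ikev2-profile")
        if ikp not in ikev2:
            findings.append(f"{prof}: ikev2 profile {ikp} is not defined")
            continue
        kr = first_arg(ikev2[ikp], "keyring local")
        if kr not in keyrings:
            findings.append(f"{ikp}: keyring {kr} is not defined")
            continue
        peers = {ln.split()[1] for ln in keyrings[kr] if ln.startswith("address ")}
        dest = first_arg(body, "tunnel destination")
        if dest and dest not in peers:
            findings.append(f"{name}: destination {dest} has no pre-shared key in keyring {kr}")
    for prof in ipsec:
        if prof not in used:
            findings.append(f"{prof}: ipsec profile defined but applied to no tunnel")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the non-numeric key on Tunnel35 and the unused IPSECPROFILE; a keyring whose peer address does not match the tunnel destination is reported the same way, which is the usual cause of an IKEv2 spoke that never authenticates.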
Task 3.5 : configure SXP between SW2_P and ASA3
The SXP session between SW2_P and ASA3 should be authenticated using password ccie
ASA3 should download the CTS environment data from ISE.
Note:
TFTP server is available on candidate_pc
SW2 will receive supplicant authentication/authorization request.
Any information not provided in this task can be assumed by the candidate.
Points : 3
===============================================
ISE:
AAA client:
Generate PAC:
Transfer PAC to ASA3:
---------------------------------------------------------------
ASA3:
aaa-server ISE protocol radius
aaa-server ISE (mgmt) host 150.1.7.212
key cisco
cts server-group ISE
=======================================================
SXP
=======================================================
ASA3:
cts sxp enable
cts sxp default password ccie
cts sxp default source-ip 150.1.7.59
cts sxp connection peer 150.1.7.45 source 150.1.7.59 password default mode peer speaker
SW2/SW2P/SW22_P:
cts sxp enable
cts sxp default source-ip 150.1.7.45
cts sxp default password ccie
cts sxp connection peer 150.1.7.59 source 150.1.7.45 password default mode peer listener
-----------------------------------------------------------------------------
Verify:
===========================================================
traffic filtering
===========================================================
ASA3:
--------------------------------------------------------------------------
Verify:
mab_pc:
-----------------------------------------------------------------------
dot1x_pc:
Task 4.1 : configure anyconnect IKEv2 between ASA1_V and client_pc1
The tunnel should negotiate IKEv2 policy and IPsec proposal for AES-256 encryption.
The tunnel should only secure traffic for server1 and server2.
The client address pool should be 172.16.1.0-172.16.10.0/24.
The session tunnel should remain connected for 48 hours even without any activity.
The group alias for the session should be ccieprofile
The trustpoint for the implementation should be named ccietrust using RSA key pair cciekey.
ASA should authenticate the session using AAA with ISE at 150.1.7.212.
Credentials should be username cisco password Midhumo2
User cisco should be part of ISE internal database.
ISE should check for NAS IP address to authorize the session.
Notes:
The verification of this task depends on successful implementation of Task 1.1a, Task 1.2, Task 2.1 and Task 2.2.
Tunnel destination asa1.cisco.com resolves to ASA1 outside address.
VPN session should be terminated on ASA1_V, being the active ASA in the pair.
VPN session should be in established state when you have ended the configuration module.
Use the FireFox browser to test your connectivity with server1 and server2
Any information not provided for this task can be assumed by the candidate.
Points : 4
Solution
ASA1v DNS:
dns domain-lookup mgmt
dns name-server 150.1.7.200
domain-name cisco.com
=============================================
Upload anyconnect software on ASA1v/ASA11v
==========================================
asa1v /asa11v:
asa1v(config)#ping 150.1.7.201 (Candidate PC)
OR
============================================
Enroll certificate
==============================================
crypto key generate rsa label cciekey modulus 1024
ASA1v trustpoint:
crypto ca trustpoint ccietrust
enrollment self
id-usage ssl-ipsec
fqdn asa1.cisco.com
subject-name CN=asa1.cisco.com
keypair cciekey
===============================================
WEBVPN
===============================================
ASA1v:
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.3.05017-k9.pkg
anyconnect enable
tunnel-group-list enable
--------------------------------------------------------------------------
AAA Client:
-------------------------------------------------------------------------------
Verify
-------------------------------------------------------------
switching active and testing on ASA11v
Task 4.2 : configure SW2_P Gig1/0/9 To Authenticate Dot1x Session From dot1x_pc
The Dot1x session should obtain an IP address via DHCP from the SW2_P local pool in VLAN8.
ISE should authenticate Dot1x user ccie with password Ccie123; user ccie should be part of the ISE internal database.
ISE should authorize the session based on the NAS IP address.
On successful authorization ISE should assign the session VLAN8 and the SGT PC2, and push a DACL to permit IP traffic from any source to any destination.
From dot1x_pc you should be able to browse only server4 to verify the implementation.
Notes:
The verification of this task depends on the successful implementation of Task 1.3 and Task 3.5.
Make sure your implementation of AAA does not impact SW2_P console access.
Dot1x session should be in established state when you have ended your lab.
Any information not provided to implement this task can be assumed by the candidate.
Points : 3
Solution
=================================================
SW2=SW2_P=SW22_P
===================================================
------------------------------------------------------------------
!
interface GigabitEthernet1/0/10
switchport trunk encapsulation dot1q
switchport mode trunk
!
Vlan 8
Vlan 150
Vlan 215
ip routing
interface Vlan8
ip address 10.100.8.22 255.255.255.0
!
interface Vlan150
ip address 150.1.7.45 255.255.255.0
!
interface Vlan215
ip address 10.100.215.22 255.255.255.0
!
-----------------------------------------------------------------
!
------------------------------------------------------------------
aaa new-model
!
aaa authentication login NOACS line none
line con 0
login authentication NOACS
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
!
radius-server host 150.1.7.212 auth-port 1812 acct-port 1813 key cisco
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication
!
ip device tracking
dot1x system-auth-control
!
ip access-list extended ACL-DEFAULT
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any any eq tftp
permit icmp any any
deny ip any any log
interface GigabitEthernet1/0/9
switchport mode access
switchport voice vlan 215
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
mab_pc profile:
dot1x_pc SGT: SGT=PC2
1. dot1x_pc:
2. mab_pc:
3. IP Phone:
4. ACL:
Notes:
You need to test SSH from the candidate PC, where an r1.cisco.com connection profile has been created in the PuTTY client.
The SSH session should be in the established state when you have ended your configuration module.
Use the account ccie/Cisc0123 to join ISE to AD.
Any information not provided to implement this task can be assumed by the candidate.
Points : 3
Solution
================================================
ISE join AD
=================================================
Note: three conditions must be met for ISE to join AD: 1. ISE time sync, 2. DNS, 3. domain name.
Time sync: ISE should sync to the NTP server 150.1.7.200 (AD/DNS server).
-----------------------------------------------------------------------
Remember this; it may be deleted in the real examination!
=================================================
R1
=================================================
-------------------------------------------
Verify RSA key
ip domain name cisco.com
crypto key generate rsa modulus 1024
--------------------------------------------------
****************************************************************************
R1 PRE-CONFIG
*****************************************************************************
aaa new-model
R1(config)#no radius-server vsa send authentication
R1(config)#radius server ccie
R1(config-radius-server)#address ipv4 150.1.7.212 auth-port 1645 acct-port 1646
R1(config-radius-server)#key cisco
========================================================
line aux 0
login authentication NOACS
R1(config)#line vty 0 ?
<1-98> Last Line number
<cr>
R1(config)#line vty 0 98
R1(config-line)#login authentication SSH
R1(config-line)#authorization exec SSH
R1(config-line)#session-timeout 2880
R1(config-line)#exec-timeout 2880
R1(config-line)#
====================================================
Verify
Task 4.4 : configure SW2_P Gig1/0/9 To Authenticate And Authorize PC mab_pc And IP Phone
The mab_pc should obtain an address via DHCP from the SW2_P local pool in VLAN8.
The IP Phone should obtain an address via DHCP from the SW2_P local pool in VLAN 225, with the TFTP address 150.1.7.215 assigned.
On successful authorization ISE should assign mab_pc VLAN 8 and the SGT PC1, and push a DACL to permit IP traffic from any source to any destination.
On successful authorization ISE should push a DACL to permit IP traffic from any source to any destination for the IP phone.
From mab_pc you should be able to browse only server3 to verify the implementation.
From SW2 you should be able to ping the IP Phone IP address and the CUCM IP address to verify the implementation.
Notes:
The verification of this task depends on the successful implementation of Task 1.3 and Task 3.5.
Make sure your implementation of AAA does not impact SW2_P console access.
MAB session should be in the established state when you have ended your lab.
Any information not provided to implement this task can be assumed by the candidate.
Points : 3
Solution
R17 should send debug level messages to the syslog server set up on the candidate PC.
Messages from R17 seen on the syslog server should be marked with the string CA.
Notes:
Candidate PC is preconfigured with kiwi syslog server for this task.
Points : 2
Solution
================================================
R1
================================================
logging on
logging origin-id hostname
logging host 150.1.7.201
logging trap informational
===================================================
R17
==================================================
logging on
logging trap debugging
logging origin-id string CA
logging host 150.1.7.201
--------------------------------------------------------------------------
verify:
R1:
R17:
Task 5.2 : configure secure wireless deployment between WLC ISE SW2_P AP
And wireless_client
WLC:
Management interface should have the address 10.100.102.1.
Configure WLAN1 with SSID podYY, where YY is your pod number as seen in your commserver hostname.
Layer 2 security should be WPA with an ASCII-format PSK of Cisco123 (the letter o, not zero); the encryption type should be AES.
SW2_P:
AP should be authenticated on port Gi1/0/7 using MAB with ISE as the RADIUS server.
ISE:
On successful authorization of AP ISE should push DACL to permit IP traffic from any source
to any destination.
ISE should authorize the session based on the NAS IP address.
AP:
Candidate may need to configure the following on AP if not pre-configured.
AP IP Address 10.100.102.33/24
AP Default Gateway 10.100.102.1
Primary controller name cciewlc
Primary controller IP 10.100.102.1
Wireless_Client:
Candidate needs to configure the following for the Wireless_Client wireless NIC.
IP Address 10.100.102.1YY/24 YY is your pod number that can be seen in your commserver
hostname
Default Gateway 10.100.102.33
Notes:
AP username/password/enable is Cisco/Cisco/Cisco and this should NOT be changed.
AP hostname ccieap should not be changed.
The Wireless_Client should be able to associate with SSID podYY, where YY is your pod number as seen in your commserver hostname. !!! DO NOT associate with any other SSID !!!
As a task verification, you should be able to ping 10.100.102.11 and 10.100.102.22 from wireless_client after you are able to connect to the podYY SSID.
Any information not provided for this task can be assumed by the candidate.
Points : 6
Solution
===================================================
Initial WLC setup; check the interface network pre-config first
===================================================
Check network preconfig :
---------------------------------------------------------------------------
Practice only, for initial WLC setup!!!
Would you like to terminate autoinstall? [yes]:enter
AUTO-INSTALL: starting now...
System Name [Cisco_b9:66:e0] (31 characters max): cciewlc
AUTO-INSTALL: process terminated -- no configuration loaded
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (3 to 24 characters): Cisco123
Re-enter Administrative Password : Cisco123
Service Interface IP Address Configuration [static][DHCP]: static
Service Interface IP Address: 150.1.7.214
Service Interface Netmask: 255.255.255.0
Management Interface IP Address: 10.100.102.1
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.100.102.22
Management Interface VLAN Identifier (0 = untagged): 102
Management Interface Port Num [1 to 1]: 1
Management Interface DHCP Server IP Address: 10.100.102.22
Virtual Gateway IP Address: 1.1.1.1
Mobility/RF Group Name: cisco
Network Name (SSID): cisco
Configure DHCP Bridging Mode [yes][NO]: enter
Allow Static IP Addresses [YES][no]: enter
Configure a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.
Enter Country Code list (enter 'help' for a list of countries) [US]: us,cn
Enable Auto-RF [YES][no]: enter
Configure a NTP server now? [YES][no]: no
Configure the system time now? [YES][no]: no
Warning! No AP will come up unless the time is set.
Please see documentation for more details.
Configuration correct? If yes, system will save it and reset. [yes][NO]: yes
Configuration saved!
Resetting system with new configuration...
================================================
AP initial
=================================================
CLI
ccieap#capwap ap hostname ccieap
ccieap#capwap ap ip address 10.100.102.33 255.255.255.0
ccieap#capwap ap controller ip address 10.100.102.1
ccieap#capwap ap primary-base cciewlc 10.100.102.1
ccieap#capwap ap ip default-gateway 10.100.102.1
GUI
WLC hostname
========================================================
WLC WLAN
========================================================
========================================================
ISE
=========================================================
Note: the AP platform may be a Cisco AIR-LAP-1602 on the real exam.
------------------------------------------------------------------------------
==================================================
PRE-CONFIG
SW1:
interface Vlan102
ip address 10.100.102.11 255.255.255.0
SW2:
interface Vlan102
ip address 10.100.102.22 255.255.255.0
----------------------------------------------------------------------
Sw2:
interface GigabitEthernet1/0/7
switchport access vlan 102
switchport mode access
authentication order mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
=========================================================
Verify
===========================================================
Verify SSID
===========================================================
-------------------------------------------------------------------------------
Enable the radio for practice only!!! Keep the default local mode on the real exam.
Note: only FlexConnect mode can enable the radio on the vWLC.
-------------------------------------------------------------------------------
Task 5.3 : configure NTP Between R1 R2 R15 R16 and R17
NTP server R1
Reference: R1, R2, R15, R16 and R17 clocks should be set up to show the PST time zone.
Points : 3
Solution
==========================================================
R1 NTP pre-config
==========================================================
clock timezone PST -8
ntp authentication-key 12 md5 13061E010803 7
ntp authenticate
ntp trusted-key 12
ntp source GigabitEthernet3
ntp master 1
=======================================================
NTP R2/R15/R16/R17
========================================================
------------------------------------------------------------
Verify:
R2/R15/R16/R17
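What `ntp authenticate` together with `ntp trusted-key 12` actually checks on the clients is the 20-byte MAC (key id plus MD5 digest) that the server appends to each packet. The following added example (not from the workbook, not Cisco code) builds an NTPv4 client packet, appends that MAC the way RFC 5905 describes it for MD5 keys, and verifies it as a client configured like R2 would: an unsigned packet, a packet signed with an untrusted key id and a tampered packet are all rejected. The key material is constructed; the workbook's key 12 is stored encrypted and is not reproduced here.

```python
"""NTP MD5 packet authentication as `ntp authenticate` / `ntp trusted-key` see it (added example)."""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

NTP_UNIX_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
HEADER_LEN = 48                # RFC 5905 header without extension fields
MAC_LEN = 4 + 16               # key id + MD5 digest

# Constructed secret standing in for the workbook's key 12 (`ntp trusted-key 12`).
TRUSTED_KEYS: Dict[int, bytes] = {12: b"constructed-key-12"}


def build_client_packet(unix_tx_time: float) -> bytes:
    """LI=0, VN=4, Mode=3 (client); only the transmit timestamp is populated."""
    secs = int(unix_tx_time) + NTP_UNIX_OFFSET
    frac = int((unix_tx_time - int(unix_tx_time)) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!B", 0x23) + bytes(39) + struct.pack("!II", secs, frac)


def authenticate(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append key id and MD5(key || packet), the MAC form used for `md5` keys."""
    return packet + struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def verify(message: bytes, trusted: Dict[int, bytes]) -> Tuple[bool, str]:
    """Behave like a peer with `ntp authenticate`: no MAC or an untrusted key id fails."""
    if len(message) < HEADER_LEN + MAC_LEN:
        return False, "no MAC present"
    packet, trailer = message[:-MAC_LEN], message[-MAC_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    if key_id not in trusted:
        return False, f"key id {key_id} is not trusted"
    expected = hashlib.md5(trusted[key_id] + packet).digest()
    if not hmac.compare_digest(expected, trailer[4:]):    # constant-time comparison
        return False, "digest mismatch"
    return True, f"authenticated with key {key_id}"


if __name__ == "__main__":
    pkt = build_client_packet(1498816800.0)
    print(verify(authenticate(pkt, 12, TRUSTED_KEYS[12]), TRUSTED_KEYS))
    print(verify(pkt, TRUSTED_KEYS))
    print(verify(authenticate(pkt, 13, b"other"), TRUSTED_KEYS))
```

The digest is a plain keyed hash, not HMAC, so a trusted key must stay secret and be the same on R1 and every client; `ntp trusted-key` is what stops a packet signed with some other configured key id from being accepted.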