
IPexpert’s Preparation Workbook for the Cisco® CCIE™ Security

Laboratory Exam
Preparing for Cisco Systems' "CCIE" (Cisco Certified Internetwork Expert) certification is one of the networking
industry's most challenging tasks. In fact, many of the technical engineers who set out to achieve this certification
never succeed! It requires intense preparation for a very challenging written examination. Upon successful completion
of this rigorous written exam you then qualify for the second, and most challenging, part of the exam: the hands-on
CCIE Lab.

With such prestige and reward, it's no wonder that thousands of networking professionals are currently pursuing their
CCIE Certification. Many of these aspiring engineers already hold certifications such as the MCSE, CNE, A+,
CNX, CISSP™, CCNA, CCDA, CCNP, CCDP™ and CCSP, but the ultimate goal is to be at the pinnacle and
earn the title "CCIE".

While reviewing the CCIE Security Lab requirements and preparation methods, the engineers associated with
IPexpert, Inc. realized that there was a need for a lab workbook. We went through the complete process
most engineers have gone through, or are currently going through. What we found was that a large portion of the
available material, like the technical classes, gave you the "theoretical knowledge" of various scenarios, but the most
valuable asset is actually configuring various labs on real routers and dealing with the issues that arise during the
actual configuration. While there are currently a few limited methods of obtaining preparation labs, advanced material
was hard to obtain, especially material that covered the wide variety of technical scenarios that could appear on the lab
exam.

IPexpert's Preparation Workbook for the Cisco® CCIE Security Laboratory Exam, which has been designed by
CCIE certified engineers (some Double and Triple Certified!), is designed for engineers who have completed classroom and textbook
preparation. This workbook is not designed for use as a classroom walkthrough, but as an actual CCIE Lab primer.

Before We Begin

Congratulations! You now possess the ULTIMATE CCIE Lab preparation resource available today! The
following resource has been designed by senior engineers, technical instructors and authors who have decades of
internetworking experience. Although there is no way to guarantee a 100% success rate on the CCIE Lab, we feel
VERY confident that upon completion your chances of passing the Lab will improve dramatically!

At the beginning of each section you will be referred to a diagram of the network topology (Diagram A) located on page
5. All sections use exactly the same physical topology, which can be rented at http://www.ipexpert.net.

Each section has been carefully laid out and will challenge you with a specific technology or protocol. Within each
section, there is a baseline overview of the technologies covered in that particular lab scenario, as well as an "estimated
completion time" for each scenario. Each lab starts out with a "technical tasks" section that gives you the specific tasks
or requirements that must be met in order to successfully complete the lab scenario. If you are unsure of the
command or unsure how to complete a required task, there is a "technical tips" section that provides the student with a
portion of the IOS commands needed to successfully complete the task. Finally, there is an
"Instructor's Comments" section with technical pointers from one of our technical Instructors. Also, for your
convenience, ALL technical configurations, diagrams and documentation are available for download at
www.certificationtalk.com. (When logging into CertificationTalk, be sure that your browser is configured to accept cookies. If it is
not, you will have problems moving in and out of different forums.) At the end of each scenario you will find an "IPexpert's
Recommendation – Additional Learning Material" section that provides you with additional technical
resources (i.e. published books, additional labs by IPexpert and helpful URLs).

Technical Support

For questions, technical support and all correct solution configurations please visit CertificationTalk, our on-line
technical support forum located at http://www.CertificationTalk.com or email us at support@ipexpert.net.
Feedback

At IPexpert, Inc. we're always trying to improve our technical products, service and support. If you have any questions
or comments please send them to sales@ipexpert.net to ensure that your comments are received by the appropriate
individual. Also, as a token of our appreciation, ALL IPexpert customers who pass their CCIE™ lab and obtain a
CCIE™ number will be entitled to a special gift! Please submit your success stories to success@ipexpert.net for gift
redemption (and include your shirt size! ☺)

Additional CCIE Preparation Material

Be sure to check out the following additional CCIE preparation products from IPexpert!

CCIE Routing & Switching (R&S)

IPexpert’s Ultimate Preparation Workbook for the Cisco CCIE R&S Laboratory Exam

IPexpert’s CCIE-level virtual lab e-Scenarios for the CCIE R&S, Security and C&S Laboratory Exam (Please
be sure to check out IPexpert’s Virtual Lab e-Scenario Catalog located at the back of this workbook!)

IPexpert’s 5-Day CCIE (R&S) Lab Preparation Boot Camp

IPexpert’s 1-Day Lab Experience for the Cisco CCIE R&S Lab Exam

CCIE Security

IPexpert’s CCIE-level virtual lab e-Scenarios for the CCIE R&S, Security and C&S Laboratory Exam (Please
be sure to check out IPexpert’s Virtual Lab e-Scenario Catalog located at the back of this workbook!)

IPexpert’s Preparation Workbook for the Cisco CCIE Security Laboratory Exam

IPexpert’s 5-Day CCIE (Security) Lab Preparation Boot Camp

IPexpert’s 1-Day Lab Experience for the Cisco CCIE Security Lab Exam

CCIE Communications & Services (C&S)

IPexpert’s CCIE-level virtual lab e-Scenarios for the CCIE R&S, Security and C&S Laboratory Exam (Please
be sure to check out IPexpert’s Virtual Lab e-Scenario Catalog located at the back of this workbook!)

IPexpert’s Preparation Workbook for the Cisco CCIE C&S Laboratory Exam

CCIE Voice

IPexpert’s Preparation Workbook for the Cisco CCIE Voice Laboratory Exam (Coming in May 2003)

IPEXPERT END-USER LICENSE AGREEMENT
END USER LICENSE FOR ONE (1) PERSON ONLY

IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS,


DO NOT OPEN OR USE THE TRAINING MATERIALS.

This is a legally binding agreement between you and IPEXPERT (the "Licensor") from whom you have licensed the IPEXPERT training
materials (the "Training Materials"). By using the Training Materials, you agree to be bound by the terms of this License, except to the
extent these terms have been modified by a written agreement (the "Governing Agreement") signed by you (or the party that has
licensed the Training Materials for your use) and an executive officer of Licensor. If you do not agree to the License terms, the Licensor
is unwilling to license the Training Materials to you. In such event, you may not use the Training Materials, and you should promptly
contact the Licensor for return instructions.

The Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized to use the Training
Materials throughout the term of this License.

Copyright and Proprietary Rights.

The Training Materials are the property of IPEXPERT, Inc. ("IPEXPERT") and are protected by United States and International copyright
laws. All copyright, trademark, and other proprietary rights in the Training Materials and in the text, graphics, design
elements, audio, and all other materials originated by IPEXPERT at its site, in its workbooks, scenarios and courses (the "IPEXPERT
Information") are reserved to IPEXPERT.

The Training Materials cannot be used by or transferred to any other person. You may not rent, lease, loan, barter, sell or time-share
the Training Materials or accompanying documentation. You may not reverse engineer, decompile, or disassemble the Training
Materials. You may not modify, or create derivative works based upon the Training Materials in whole or in part. You may not
reproduce, store, upload, post, transmit, download or distribute in any form or by any means, electronic, mechanical, recording or
otherwise any part of the Training Materials and IPEXPERT Information other than printing out or downloading portions of the text and
images for your own personal, non-commercial use without the prior written permission of IPEXPERT.

You shall observe copyright and other restrictions imposed by IPEXPERT. You may not use the Training Materials or IPEXPERT
Information in any manner that infringes the rights of any person or entity.

Exclusions of Warranties.

THE TRAINING MATERIALS AND DOCUMENTATION ARE PROVIDED “AS IS”. LICENSOR HEREBY DISCLAIMS ALL OTHER
WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW THE LIMITATION OF
INCIDENTAL DAMAGES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS OR
EXCLUSIONS MAY NOT APPLY TO YOU. This agreement gives you specific legal rights, and you may also have other rights that vary
from state to state.

Choice of Law and Jurisdiction.

This Agreement shall be governed by and construed in accordance with the laws of the State of Michigan, without reference to any
conflict of law principles. You agree that any litigation or other proceeding between you and Licensor in connection with the Training
Materials shall be brought in the Michigan state or courts located in Port Huron, Michigan, and you consent to the jurisdiction of such courts
to decide the matter. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods shall not
apply to this License. If any provision of this Agreement is held invalid, the remainder of this License shall continue in full force and
effect.

Limitation of Claims and Liability.

ANY ACTION ON ANY CLAIM AGAINST IPEXPERT MUST BE BROUGHT BY THE USER WITHIN ONE (1) YEAR FOLLOWING THE
DATE THE CLAIM FIRST ACCRUED, OR SHALL BE DEEMED WAIVED. IN NO EVENT WILL THE LICENSOR’S LIABILITY UNDER,
ARISING OUT OF OR RELATING TO THIS AGREEMENT EXCEED THE AMOUNT PAID TO LICENSOR FOR THE TRAINING
MATERIALS. LICENSOR SHALL NOT BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES,
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, REGARDLESS OF WHETHER LICENSOR HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES. WITHOUT LIMITING THE FOREGOING, LICENSOR WILL NOT BE LIABLE FOR LOST
PROFITS, LOSS OF DATA, OR COSTS OF COVER.

Entire Agreement.

This is the entire agreement between the parties and may not be modified except in writing signed by both parties.

U.S. Government - Restricted Rights

The Training Materials and accompanying documentation are "commercial computer Training Materials" and "commercial computer
Training Materials documentation," respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use,
modification, reproduction, release, performance, display or disclosure of the Training Materials and accompanying documentation by
the U.S. Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly
permitted by the terms of this Agreement.

IF YOU DO NOT AGREE WITH THE ABOVE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS
AND CONTACT LICENSOR FOR INSTRUCTIONS ON RETURN OF THE TRAINING MATERIALS.

Diagram A (Master Topology Diagram)

IPexpert’s Preparation Workbook for the Cisco® CCIE™ Security
Laboratory Exam Table of Contents

Section 1: General Cisco Security (Page 16)

Unnecessary Services
TCP Intercept Configuration
Sessions, Timers
DoS Attacks
Rate Limiting
Unicast RPF Check
Logging & Logging Levels
Passwords
Network Time Protocol (NTP)
Timestamps
User Privilege Levels
Privilege level with ACS AAA
Dynamic Host Configuration Protocol (DHCP)
Disabling Unnecessary Interface Services
Controlling Interactive Access
Flood Management
Telnet, SSH
Hide Telnet Address
Intrusion Detection
Instructor’s Tips, Notes and Comments
IPexpert’s Recommendation – Additional Learning Material

Section 2: Access Control Lists (ACLs) & Network Address Translation (Page 20)

Route Maps
Time Based ACL’s
Named ACL’s
Standard ACL’s
Extended ACL’s
SNMP ACL’s
HTTP ACL’s
Reflexive ACL’s
Dynamic ACL’s
Context Based Access Control (CBAC)
CBAC / NAT
Port Address Mapping (PAM)
Inside Global and Local
Outside Global and Local
NAT Overload (Port Address Translation / PAT)
Static NAT
Static NAT/PAT to Specific Port
NAT with Multiple Exit Points “Route-map NAT”
NAT with Overlapping IP addresses
Instructor’s Tips, Notes, and Comments
IPexpert’s Recommendation – Additional Learning Material for ACL’s & NAT

Section 3: Advanced Virtual Private Networks (VPN) (Page 23)

IPsec
ISAKMP
IPSec Router to Router Fully Meshed

IPSec Router to Router With GRE Tunnel
IPSec Router to Router NAT/GRE Tunnel
IPSec Pix to Router Fully Meshed
IPSec Through Pix to Router GRE Tunnel
Dynamic VPN’s
Extended Authentication
IPSec Tunnel Mode
IPSec Transport Mode
IPSec TED (Ver 1, 2 and 3) Tunnel End Point Discovery
Aggressive-mode client-endpoint
IPSec Manual Keying Between Routers
Instructor’s Tips, Notes and Comments
IPexpert’s Recommendation – Additional Learning Material for VPNs

Section 4: Advanced Private Internet Exchange (PIX) (Page 26)

Password Management
Interface Commands
Addressing
Network & Port Address Translation
Global Configuration
Routing Options
ARP Timeout
Static Configurations
Access Lists
DMZ Configuration
URL Filtering
SNMP
Fixup
Logging
Telnet, SSH
Sysopt
Unicast RPF
Guards
Instructor’s Tips, Notes and Comments
IPexpert’s Recommendation – Additional Learning Material for VPNs

Section 5: IOS and PIX Intrusion Detection (Page 30)

IOS IDS Configuration
PIX IDS Configuration
Default Attack Policy
Default Info Policy
Syslog configuration
Net Ranger Post Office Configuration
Disabling a Signature
Clearing the IDS Configuration
Enabling IDS for SMTP Spam messages
Instructor’s Tips, Notes and Comments
IPexpert’s Recommendation – Additional Learning Material for VPNs

Section 6: AAA (Authentication, Authorization, Accounting) (Page 33)

AAA On routers
Authorization
Accounting
TACACS+

RADIUS
Privilege Levels
Console Authorization
Backup Methods
Authentication-Proxy (TACACS+)
Authentication-Proxy (RADIUS)
PPP Callback with TACACS+
PPP Callback with RADIUS
Instructor’s Tips, Notes, and Comments
IPexpert’s Recommendation – Additional Learning Material for AAA

Section 7: Catalyst 3550 Switch Configuration (Page 36)

VTP
VLANs
MST
RSTP
DHCP Option-82
System Logging
SNMP
Port-Security
UDLD
VLAN-Maps
Switch Optimization
SSH
AAA
Fast EtherChannels
Fallback Bridging
IP Routing (EIGRP)
NTP
Instructor’s Tips, Notes, and Comments
IPexpert’s Recommendation – Additional Learning Material for the 3550

Section 8: Multiprotocol Challenge A (Page 40)

Frame Relay
ISDN
VLAN Configuration
ATM
Controlling Interactive Access
Disabling unnecessary services
DoS Prevention
Rate Limiting (CAR)
Logging
SSH
Port Security
802.1x
Unicast RPF Check
Redundancy
OSPF over Frame Relay
OSPF Demand Circuit
OSPF Authentication
RIP v2
RIP Authentication
BGP Route Reflectors
BGP Communities
CHAP one-way authentication
NTP Authentication
PIX DMZ Configuration
PIX SSH access
PIX NAT
ICMP control on PIX
Websense filtering PIX
Pre-shared key VPN
CBAC
IDS

Section 9: Multiprotocol Challenge B (Page 45)

Frame Relay
ISDN
ISDN Backup
CHAP one-way authentication
PPP Callback
VLAN Configuration
ATM
OSPF over Frame Relay
OSPF Demand Circuit
OSPF Authentication
RIP v2
RIP Authentication
EIGRP Authentication
BGP Route Reflectors
Unicast RPF Check
Controlling Interactive Access
Disabling unnecessary services
DoS Prevention
Rate Limiting (CAR)
Logging
SSH
Port Security
802.1x
NTP Authentication
PIX DMZ Configuration
PIX Static configuration
PIX SSH access
PIX Telnet
PIX NAT
IDS on the PIX
Java and ActiveX filtering on the PIX
Pre-shared key VPN
AAA Authentication
AAA Command Authorization
IDS

Section 10: Multiprotocol Challenge C (Page 51)

Frame Relay
ISDN
ISDN Backup
VLAN Configuration
ATM
OSPF over Frame Relay
OSPF Authentication
RIP v2
RIP Authentication
BGP Confederations
BGP Authentication

Controlling Interactive Access
Disabling unnecessary services
DoS Prevention
Logging
SSH
VTP authentication
Port Based Storm Control
Port Blocking
802.1q Trunking
Layer 2 EtherChannel
UDLD
SNMP ACL’s
HTTP ACL’s
Network Based Application Recognition (NBAR)
PIX DMZ Configuration
PIX Static configuration
PIX SSH access
PIX NAT
Java and ActiveX filtering on the PIX
Pre-shared key VPN

Section 11: Multiprotocol Challenge D (Page 56)

Controlling Interactive Access
Disabling unnecessary services
DoS Prevention
Frame Relay
ISDN
ISDN Backup
VLAN Configuration
ATM
OSPF over Frame Relay
OSPF Authentication
RIP v2
RIP Authentication
EIGRP Authentication
BGP Route Reflectors
BGP Authentication
CHAP authentication
DiffServ Compliant WRED
Logging
Port Security
PIX DMZ Configuration
PIX Static configuration
PIX Telnet
PIX NAT
PIX NAT 0
IDS on the PIX
Java and ActiveX filtering on the PIX
Pre-shared key VPN
GRE
IPSEC over GRE
NAT
NAT with GRE and IPSEC

Section 12: Multiprotocol Challenge E (Page 61)

Frame Relay
ISDN

VLAN Configuration
ATM
Controlling Interactive Access
Disabling unnecessary services
DoS Prevention
SNMP
SSH
Port Security
Unicast RPF Check
Redundancy
OSPF over Frame Relay
OSPF Demand Circuit
OSPF Authentication
OSPF Demand Circuit
Separated Area 0
RIP v2
RIP Authentication
BGP Redundancy
BGP Communities
BGP through PIX
BGP AS Path manipulation
CHAP one-way authentication
PPP Callback
NTP Authentication
PIX DMZ Configuration
PIX SSH access
PIX NAT
TCP Intercept
VPN Redundancy
Pre-shared key based VPN
CBAC
PAM
WRED
Priority Queuing

Section 13: Multiprotocol Challenge F (Page 66)

ISDN
ATM
Controlling Interactive Access
Disabling unnecessary services
SNMP v3
HTTP ACL
Port Security
Redundancy
VTP
VLAN Trunking (ISL)
Port-Based Traffic Control
IP Accounting
OSPF over Frame Relay
OSPF Demand Circuit
OSPF Authentication
RIP v2
RIP Authentication
BGP Private AS
BGP Authentication
BGP Communities
PAP Authentication
ISDN Backup
NTP Authentication

Time Zones
PIX DMZ Configuration
PIX NAT
PIX NAT 0
Unicast RPF Check
PIX Fixup
Pre-shared key based VPN
IOS – PIX VPN
CBAC
IOS IDS

Section 14: Multiprotocol Challenge G (Page 71)

ISDN
ATM
Disabling unnecessary services
DoS Prevention
CAR
SSH
SPAN
Fast EtherChannel
802.1q
VTP Pruning
VTP Authentication
Spanning-tree Portfast
Redundancy
OSPF over Frame Relay
OSPF Demand Circuit
OSPF Authentication
RIP
RIP v2
RIP Authentication
EIGRP MD5 Authentication
BGP Authentication
BGP Route Manipulation
CHAP one-way authentication
PPP Callback
PIX DMZ Configuration
PIX NAT
PIX Name command
PIX IDS
Sysopt Command
Pre-shared key based VPN
VPN Client
NAT
PAT
NAT Static Configuration
Priority Queuing

Section 15: Multiprotocol Challenge H (Page 76)

ISDN
ATM
Disabling unnecessary services
DoS Prevention
CAR
SSH
SNMP ACL
Login Banners

Controlling Interactive Access
Anti-Spoofing
Unicast RPF Checks
Unnecessary interface services
Redundancy
OSPF over Frame Relay
OSPF Authentication
RIP
RIP v2
EIGRP MD5 Authentication
BGP Authentication
BGP AS Manipulation
CHAP
ISDN Backup
PIX DMZ Configuration
PIX SSH
Sysopt Command
Pre-shared key based VPN
TCP Intercept

Section 16: Multiprotocol Challenge I (Page 81)

ISDN
ATM
Controlling Interactive Access
Disabling unnecessary services
DoS Prevention
SNMP v3
HTTP ACL
SSH
Port Security
HSRP
Redundancy
OSPF over Frame Relay
OSPF Demand Circuit
OSPF Authentication
OSPF Demand Circuit
Separated Area 0
RIP v2
RIP Authentication
BGP Redundancy
BGP Communities
BGP through PIX
BGP AS Path manipulation
CHAP one-way authentication
PPP Callback
NTP Authentication
PIX DMZ Configuration
PIX SSH access
PIX NAT
TCP Intercept
VPN Redundancy
Pre-shared key based VPN
CBAC
PAM
WRED
Priority Queuing

Section 17: Multiprotocol Challenge J (Page 86)

ISDN
ATM
Controlling Interactive Access
Disabling unnecessary services
DoS Prevention
SNMP ACL
HTTP ACL
SSH
Port Security
802.1x
Fast Etherchannel
802.1q
VTP authentication
UDLD
Spanning-tree Features
Redundancy
OSPF over Frame Relay
OSPF Demand Circuit
OSPF Authentication
OSPF Demand Circuit
Separated Area 0
RIP v2
RIP Authentication
EIGRP
EIGRP Authentication
BGP Redundancy
BGP through PIX
BGP AS Path manipulation
CHAP one-way authentication
PPP Callback
PIX DMZ Configuration
PIX SSH access
PIX NAT
Websense configuration
Pre-shared key based VPN
CBAC
AAA
NAT
NAT w/ VPN

Section 18: Cisco CCIE Lab Preparation Tips (Page 93)

Appendix A: IPexpert’s Virtual Lab e-Scenario Catalog (Page 96)

100 Series (CCNA)


200 Series (CCNP)
300 Series (CCIE)

Appendix B: BONUS BGP LAB! A Sample Virtual Lab e-Scenario (#315 – BGP) (Page 99)

Internal BGP Peers
External BGP Peers
BGP Route Advertisement
Route Aggregation
AS Path Filtering
Synchronization
BGP Next-Hop
Documentation: Configurations, Show Commands and Diagrams Can Be
Downloaded at www.certificationtalk.com
