
Ccie Security v4 Workbook v2.5 - Lab 1


CCIE

voicelabs.com1

QUESTIONS LAB 1 WORKBOOK

Real Labs V1

www.cciesecuritylabs.com


CCIESECURITYLABS.COM 15-June-2013

CCIESECURITYLABS.COM CCIESECLABS.COM

Initial Guidelines

1. Read all of the questions in a section before you start the configuration. It is even recommended that you read the entire lab exam before you proceed with any configuration.

2. Exam questions have dependencies on others. Read through the entire workbook to help identify these questions and the best order of configuration. Sections do not have to be completed in the order presented in the workbook.

3. Most questions include verification output that can be used to check your solutions. Highlighted sections in the verification output MUST be matched to ensure correctness.

4. If you need clarification of the meaning of a question, or if you suspect that there may be hardware issues with your equipment, contact the onsite lab proctor as soon as possible.

5. The equipment on the rack assigned to you is physically cabled, so do NOT tamper with it. Before starting the exam, confirm that all devices in your rack are in working order. During the exam, if any device is locked or inaccessible for any reason, you must recover it. When you finish the exam, ensure that all devices are accessible to the grading proctor. A device that is not accessible for grading cannot be marked and may cause you to lose substantial points.

6. Knowledge of implementation and troubleshooting techniques is part of the lab exam.

7. Points are awarded only for working configurations. Towards the end of the exam, you should test the functionality of all sections of the exam.

8. You will be presented with preconfigured routers and switches in your topology. The routers and switches are preconfigured with basic IP addressing, hostname, enable password (cisco), switching, VTP, VLANs, Frame Relay DLCI mapping, IP routing and console port configuration. Do NOT change any of the preconfiguration at any time, unless the change is specified in a question.

9. Throughout the exam, assume these values for variables if required:

- YY is your two-digit rack number. For example, the YY value for Rack 01 is 01 and for Rack 11 is 11.
- SS is your Site ID for the lab exam location. Read the next page for your location.
- BB is the backbone number. For example, the BB value for Backbone 2 is 2. Backbone subnets use the following address convention: 150.BB.YY.0/24. Do NOT change backbone addresses unless you are instructed to do so.
- X is your router number. For example, the value of X for Router 1 is 1, and for Switch 1 and Switch 2 it is 7 and 8 respectively.


- Z is any number.

10. You are allowed to add static and default routes (if required) on any device.

11. In any configuration where additional addressing is indicated in the Lab Topology Diagram, ensure that the additional addressing does not conflict with a network that is already used in your topology. The preconfigured routing protocols are shown in the Lab Routing Diagram.

12. Full access to the VMware ESXi server from your workstation is provided. Use the username admin and the password cisco to log in. You can add, modify or delete any settings on the Cisco Secure ACS, Test-PC and Cisco ISE as required by the question.

13. All device names, access information and username/password combinations are summarized on the following pages. Do NOT change these settings.


CCIE Security Lab Equipment and Software v4.0

Hardware

Cisco 3800 Series Integrated Services Routers (ISR)

Cisco 1800 Series Integrated Services Routers (ISR)

Cisco 2900 Series Integrated Services Routers (ISR G2)

Cisco Catalyst 3560-24TS Series Switches

Cisco Catalyst 3750-X Series Switches

Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances

Cisco IPS Series 4200 Intrusion Prevention System sensors

Cisco S-series Web Security Appliance

Cisco ISE 3300 Series Identity Services Engine

Cisco WLC 2500 Series Wireless LAN Controller

Cisco Aironet 1200 Series Wireless Access Point

Cisco IP Phone 7900 Series*

Cisco Secure Access Control System

Notes: The ASA appliances can be configured using the CLI or ASDM/Cisco Prime tools.
*Device authentication only; provisioning of IP phones is NOT required.

Software Versions

Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE
Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
Cisco IPS Software Release 7.x
Cisco VPN Client Software for Windows, Release 5.x
Cisco Secure ACS System software version 5.3x
Cisco WLC 2500 Series software 7.2x
Cisco Aironet 1200 Series AP running Cisco IOS Software Release 12.4J(x)
Cisco WSA S-series software version 7.1x
Cisco ISE 3300 Series software version 1.1x
Cisco NAC Posture Agent v4.x
Cisco AnyConnect Client v3.0x


Summary of usernames and passwords for all devices

Device        Username   Password
Router        cisco      Cisco
Switches      cisco      Cisco
IPS           cisco      123cisco123
WSA           admin      Ironport
WLC           cisco      Cisco123
AP            ciscoAP    CCie123
ESXi Server   admin      Cisco
ISE           admin      Ise@123
ACS           admin      Acs@123
ASA           admin      Asa@123
Test-PC       Test-PC    Cisco123


Topology 1: Test PC and VMware ESXi server

Topology 2: Local Candidate PC


Topology 3: Switch Cabling


Topology 4: Layer 2


Pre-Configuration

On R1

conf t
hostname R1
!
no logging console
enable password cisco
!
no aaa new-model
dot11 syslog
ip cef
!
no ip domain lookup
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki token default removal timeout 0
!
license udi pid CISCO3825 sn FTX1236A0D9
!
archive
 log config
  hidekeys
username cisco privilege 15 password 0 cisco
!
redundancy
!
ip tcp synwait-time 5
ip ssh version 1
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
 mode transport


!
crypto ipsec profile DMVPN
 set transform-set cisco1
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
interface Loopback2
 ip address 192.168.11.11 255.255.255.255
!
interface Loopback3
 no ip address
 ipv6 address 3001:0:1:3::/64 eui-64
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.23.1 255.255.255.0
 no ip redirects
 ip mtu 1360
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 23
 ip nhrp holdtime 300
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet0/0
 ip address 7.7.8.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001:128:BAD:8::1/64
 ipv6 enable
 ipv6 ospf 2 area 0
!
interface GigabitEthernet0/1
 ip address 10.2.2.1 255.255.255.0
 duplex auto
 speed auto


 media-type rj45
!
router eigrp 123
 network 10.0.0.0
 network 172.16.0.0
!
router ospf 2
 router-id 11.11.11.11
 network 7.7.8.0 0.0.0.255 area 1
 network 192.168.11.11 0.0.0.0 area 1
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 7.7.8.10
!
logging esm config
ipv6 router ospf 2
 redistribute connected
!
control-plane
!
mgcp profile default
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
exit
scheduler allocate 20000 1000
ntp server 7.7.4.1


!
end
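Every router preconfiguration in this workbook shares the same management and crypto baseline: a reversible enable password, a local user with a type 0 password, SSH protocol 1, telnet accepted on the VTY lines, cleartext HTTP, 3DES/MD5 for IKE and IPsec, and an ISAKMP pre-shared key bound to the wildcard address 0.0.0.0 0.0.0.0 (any peer that knows the key can complete phase 1). Guideline 5 asks you to check the rack before starting; the script below is an added example, not part of the workbook, that parses an IOS configuration and lists exactly those settings so you know what the baseline leaves exposed before a question asks you to harden it. The configuration it audits is a constructed excerpt modelled on R1, not the full device config, and the ISAKMP defaults it assumes (encr des, hash sha, group 1) are the IOS defaults for a policy that omits a parameter.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    device: str
    line: str
    issue: str


# Constructed excerpt in the style of the R1 preconfiguration (not a full device config).
SAMPLE_R1 = """\
hostname R1
!
enable password cisco
no aaa new-model
username cisco privilege 15 password 0 cisco
ip ssh version 1
ip http server
no ip http secure-server
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
 mode transport
!
line vty 0 4
 password cisco
 login
 transport input telnet
"""

WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}   # modulus below 2048 bits
# Values IOS applies when an ISAKMP policy omits the parameter.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}


def parse_blocks(config):
    """Group an IOS config into (command, [sub-commands]) pairs using leading-space indentation."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit(config):
    """Return Finding objects for the weak management and crypto settings in an IOS config."""
    blocks = parse_blocks(config)
    device = next((c.split(None, 1)[1] for c, _ in blocks if c.startswith("hostname ")), "unknown")
    findings = []

    def flag(line, issue):
        findings.append(Finding(device, line, issue))

    for cmd, subs in blocks:
        words = cmd.split()
        if cmd.startswith("enable password"):
            flag(cmd, "enable password is reversible (type 0/7); use 'enable secret'")
        elif words[0] == "username" and "password" in words:
            flag(cmd, "local user with reversible password; use 'username ... secret'")
        elif cmd == "ip ssh version 1":
            flag(cmd, "SSH protocol 1 enabled; set 'ip ssh version 2'")
        elif cmd == "ip http server":
            flag(cmd, "cleartext HTTP management enabled")
        elif cmd == "no aaa new-model":
            flag(cmd, "AAA disabled; only line passwords protect the device")
        elif re.fullmatch(r"crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", cmd):
            flag(cmd, "wildcard pre-shared key: any peer that knows the PSK can complete IKE phase 1")
        elif words[:3] == ["crypto", "isakmp", "policy"]:
            params = dict(ISAKMP_DEFAULTS)
            for sub in subs:
                key, _, value = sub.partition(" ")
                if key in params:
                    params[key] = value
            if params["encr"] in WEAK_ENCR:
                flag(cmd, f"IKE encryption {params['encr']}")
            if params["hash"] in WEAK_HASH:
                flag(cmd, f"IKE hash {params['hash']}")
            if params["group"] in WEAK_DH_GROUPS:
                flag(cmd, f"IKE DH group {params['group']}")
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            for transform in words[4:]:
                alg = transform.replace("esp-", "").replace("ah-", "").replace("-hmac", "")
                if alg in WEAK_ENCR | WEAK_HASH:
                    flag(cmd, f"IPsec transform {transform} is weak")
        elif words[0] == "line":
            for sub in subs:
                if sub.startswith("transport input") and {"telnet", "all"} & set(sub.split()[2:]):
                    flag(f"{cmd} / {sub}", "cleartext telnet accepted on a management line")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_R1):
        print(f"{f.device}: {f.line!r}: {f.issue}")
```

Paste a full `show running-config` into the string (or read it from a file) to run the same checks against the other routers; the switch configs below trip the same enable-password and telnet checks, while the ISAKMP checks only fire on the devices that carry crypto.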

On R2

en
conf t
hostname R2
!
boot-start-marker
boot-end-marker
!
no logging console
enable password cisco
!
no aaa new-model
dot11 syslog
ip cef
!
no ip domain lookup
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki token default removal timeout 0
!
license udi pid CISCO3825 sn FTX123A0DN
!
archive
 log config
  hidekeys
username cisco privilege 15 password 0 cisco
!
redundancy
!
ip tcp synwait-time 5
ip ssh version 1
!


crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set cisco1
!
interface Loopback0
 ip address 192.168.2.2 255.255.255.255
!
interface Loopback1
 ip address 192.168.22.22 255.255.255.255
!
interface Loopback2
 no ip address
!
interface Loopback3
 no ip address
 ipv6 address 3001:0:2:1::/64 eui-64
 ipv6 enable
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.23.2 255.255.255.0
 no ip redirects
 ip mtu 1360
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 24
 ip nhrp holdtime 300
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet0/0
 ip address 7.7.8.2 255.255.255.0


 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001:128:BAD:8::2/64
 ipv6 enable
 ipv6 ospf 2 area 0
!
interface GigabitEthernet0/1
 ip address 10.2.2.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router eigrp 123
 network 10.0.0.0
 network 172.16.0.0
!
router ospf 2
 router-id 11.11.11.11
 network 7.7.8.0 0.0.0.255 area 1
 network 192.168.22.22 0.0.0.0 area 1
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 7.7.8.10
!
logging esm config
ipv6 router ospf 2
 redistribute connected
!
control-plane
!
mgcp profile default
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous


line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
exit
scheduler allocate 20000 1000
ntp server 7.7.4.1
!
end

On R3

en
conf t
hostname R3
!
boot-start-marker
boot-end-marker
!
no logging console
enable password cisco
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
!
no ip domain lookup
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0


!
crypto pki token default removal timeout 0
!
license udi pid CISCO3825 sn FTX123A0DL
!
archive
 log config
  hidekeys
username cisco password 0 cisco
!
redundancy
!
ip tcp synwait-time 5
ip ssh version 1
!
crypto keyring ipv6keys
  pre-shared-key address ipv6 ::/0 key cisco123
crypto keyring ipv4keys
  pre-shared-key address 7.7.7.10 key cisco123
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile ipv6
   match identity address ipv6 2001:DB8:23::1/64
crypto isakmp profile secure-management
   match identity address 7.7.7.10 255.255.255.255
!
crypto ipsec transform-set 3des ah-sha-hmac esp-3des
crypto ipsec transform-set management esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile profile0
 set transform-set 3des
 set isakmp-profile ipv6
!
crypto map secure-management 1 ipsec-isakmp
 set peer 7.7.7.10
 set transform-set management
 set isakmp-profile secure-management
 match address 120


!
interface Loopback0
 ip address 7.7.53.3 255.255.255.255
!
interface Loopback1
 ip address 192.168.33.33 255.255.255.255
!
interface Loopback3
 no ip address
 ipv6 address 2010::/64 eui-64
!
interface Tunnel0
 no ip address
 ipv6 address 2001:DB8::1:2/64
 ipv6 enable
 ipv6 eigrp 1
 tunnel source GigabitEthernet0/1.2
 tunnel protection ipsec profile profile0
!
interface GigabitEthernet0/0
 ip address 7.7.7.3 255.255.255.0
 ip ospf priority 10
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 19
 ip address dhcp
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 13
 ip address 7.7.13.3 255.255.255.0
 ip ospf priority 0
 ipv6 address 2001:DB8:23::2/64
 ipv6 enable


!
router eigrp 123
 network 192.168.33.33 0.0.0.0
!
router ospf 1
 router-id 3.3.3.3
 redistribute connected metric 1 subnets
 redistribute static
 redistribute eigrp 100 metric 1 subnets
 network 7.7.13.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 7.7.8.10
!
logging esm config
access-list 120 permit ip host 7.7.7.3 host 7.7.7.10
ipv6 router eigrp 1
 router-id 10.10.10.10
 redistribute connected
!
control-plane
!
mgcp profile default
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet


!
exit
scheduler allocate 20000 1000
ntp server 7.7.4.1
!
end

On R4

en
conf t
hostname R4
!
boot-start-marker
boot-end-marker
!
no logging console
enable password cisco
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
!
ip domain list cisco.com
no ip domain lookup
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
license udi pid CISCO1841 sn FTX12362013
!
archive
 log config
  hidekeys
username cisco password 0 cisco
!


redundancy
!
ip tcp synwait-time 5
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set 3des ah-sha-hmac esp-3des
!
crypto ipsec profile DMVPN
 set transform-set cisco1
!
crypto ipsec profile profile0
 set transform-set 3des
!
interface Loopback0
 ip address 192.168.44.44 255.255.255.255
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.255
!
interface Loopback2
 ip address 7.7.54.5 255.255.255.0
!
interface Loopback3
 no ip address
 ipv6 address 1010::/64 eui-64
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.23.4 255.255.255.0
 no ip redirects
 ip mtu 1360
 ip nhrp nhs 172.16.23.1
 ip nhrp nhs 172.16.23.2
 tunnel source FastEthernet0/1.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN


!
interface FastEthernet0/0
 ip address 7.7.11.4 255.255.255.0
 duplex auto
 speed auto
 ipv6 address FE80:: link-local
 ipv6 address autoconfig
 ipv6 enable
!
interface FastEthernet0/1
 no ip address
 ip ospf priority 10
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 6
 ip address 7.7.6.4 255.255.255.0
 ip ospf priority 10
 ipv6 address dhcp rapid-commit
 ipv6 enable
!
interface FastEthernet0/1.2
 encapsulation dot1Q 13
 ip address 7.7.13.4 255.255.255.0
 ipv6 address 2001:DB8:23::3/64
 ipv6 enable
!
router eigrp 123
 network 172.16.0.0
 network 192.168.44.0
!
router ospf 1
 router-id 4.4.4.4
 network 7.7.6.0 0.0.0.255 area 0
 network 7.7.13.0 0.0.0.255 area 0
 network 7.7.54.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
logging esm config


ipv6 router eigrp 1
 router-id 40.40.40.40
 redistribute connected
!
control-plane
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
exit
scheduler allocate 20000 1000
!
end

On R5

en
conf t
hostname R5
!
boot-start-marker
boot-end-marker
!
no logging console
enable password cisco
!
no aaa new-model
dot11 syslog
ip source-route
!


ip cef
!
ip domain list cisco.com
no ip domain lookup
ip domain name cisco.com
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
license udi pid CISCO1841 sn FTX1236W022
!
archive
 log config
  hidekeys
username cisco password 0 cisco
!
redundancy
!
ip tcp synwait-time 5
!
crypto keyring ipv6keys
  pre-shared-key address ipv6 ::/0 key cisco123
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp profile ipv6
   keyring ipv6keys
   match identity address ipv6 2001:DB8:23::2/64
!
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set 3des ah-sha-hmac esp-3des
!
crypto ipsec profile DMVPN
 set transform-set cisco1
!
crypto ipsec profile profile0


 set transform-set 3des
!
interface Loopback0
 ip address 192.168.55.55 255.255.255.255
!
interface Loopback2
 ip address 7.7.52.5 255.255.255.255
!
interface Loopback3
 no ip address
 ipv6 address 1010::/64 eui-64
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.23.5 255.255.255.0
 no ip redirects
 ip mtu 1360
 ip nhrp authentication cisco
 ip nhrp network-id 23
 ip nhrp nhs 172.16.23.1
 ip nhrp nhs 172.16.23.2
 delay 1000
 tunnel source FastEthernet0/1.1
 tunnel key 123
 tunnel protection ipsec profile DMVPN
!
interface Tunnel2
 no ip address
 ipv6 address 2001:DB8::1:1/64
 ipv6 enable
 ipv6 eigrp 1
 tunnel source FastEthernet0/1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile profile0
!
interface FastEthernet0/0
 ip address 7.7.11.5 255.255.255.0
 duplex auto
 speed auto
 ipv6 address FE80:: link-local
 ipv6 address autoconfig
 ipv6 enable


!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 6
 ip address 7.7.6.5 255.255.255.0
 ip ospf priority 10
 ipv6 address dhcp rapid-commit
 ipv6 enable
!
interface FastEthernet0/1.2
 encapsulation dot1Q 13
 ip address 7.7.13.5 255.255.255.0
 ipv6 address 2001:DB8:23::1/64
 ipv6 enable
!
router eigrp 123
 network 172.16.0.0
 network 192.168.55.0
!
router ospf 1
 router-id 5.5.5.5
 network 7.7.6.0 0.0.0.255 area 0
 network 7.7.13.0 0.0.0.255 area 0
 network 7.7.52.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
logging esm config
ipv6 router eigrp 1
 router-id 50.50.50.50
 redistribute connected
!
control-plane
!
line con 0
 exec-timeout 0 0
 password cisco


 logging synchronous
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
exit
scheduler allocate 20000 1000
!
end

On R6

en
conf t
hostname R6
!
boot-start-marker
boot-end-marker
!
no logging console
enable password cisco
!
aaa new-model
!
aaa authentication login lkey1-list local
aaa authorization network lkey1-list local
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
ipv6 unicast-routing
ipv6 cef
no ip source-route
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!


ip dhcp excluded-address 7.7.19.1 7.7.19.5
!
ip dhcp pool pool19
 network 7.7.19.0 255.255.255.0
 lease infinite
!
no ip domain lookup
ip cef
!
multilink bundle-name authenticated
!
voice-card 0
!
license udi pid CISCO2951/K9 sn FTX1625AJRS
hw-module ism 0
!
hw-module sm 1
!
username cisco privilege 15 password 0 cisco
!
redundancy
!
ip tcp synwait-time 5
ip ssh version 1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
!
crypto ipsec profile ikey1
 set transform-set cisco1
!
interface Loopback0
 ip address 192.168.6.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 7.7.5.3 255.255.255.0


 ip ospf priority 10
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 6
 ip address 7.7.6.3 255.255.255.0
 ipv6 address dhcp rapid-commit
 ipv6 enable
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 19
 ip address 7.7.19.1 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 7.7.20.3 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet1/0
 no ip address
 shutdown
!
interface GigabitEthernet1/1
 description Internal switch interface connected to EtherSwitch Service Module
 no ip address
!
router ospf 1
 router-id 1.1.1.1
 redistribute static metric 1 subnets route-map exclude-nets
 network 7.7.5.0 0.0.0.255 area 0
 network 7.7.6.0 0.0.0.255 area 0
 default-information originate always
!
ip local pool pool2 13.1.1.1 13.1.1.10
ip forward-protocol nd
!
ip http server


ip http authentication local
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 7.7.5.10
ip route 7.7.9.0 255.255.255.0 7.7.20.1
ip route 7.7.10.0 255.255.255.0 7.7.20.1
!
access-list 10 deny   7.7.9.0
access-list 10 deny   7.7.10.0
access-list 20 permit 13.0.0.0
!
nls resp-timeout 1
cpd cr-id 1
route-map exclude-nets permit 10
 match ip address 10
route-map exclude-nets permit 20
 match ip address 20
!
control-plane
!
call admission limit 75000
!
mgcp profile default
!
gatekeeper
 shutdown
!
telephony-service
 max-ephones 10
 max-dn 144
 ip source-address 7.7.20.3 port 2000
 cnf-file perphone
 load 7960-7940 P0030702T023
 load 7965 P0030702T023
 max-conferences 8 gain -6
 transfer-system full-consult
 create cnf-files version-stamp Jan 01 2002 00:00:00
!
ephone-dn-template 1
 call-forward busy 4000
 call-forward noan 4000 timeout 20
 hold-alert 30 originator


!
ephone-dn 7
 number 007
 name CCIE-Security-Lab
 ephone-dn-template 1
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 67
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
 flowcontrol software
line 193
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/2
ntp master 2
!
end


On SW1

en
conf t
hostname SW1
!
no logging console
enable password cisco
!
no aaa new-model
system mtu routing 1500
ip routing
no ip domain lookup
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
interface FastEthernet0/1
 switchport access vlan 150
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 150
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 150
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 150
 switchport mode access
!
interface FastEthernet0/7
 switchport access vlan 4
 switchport mode access
!
interface FastEthernet0/9


 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/12
 switchport access vlan 4
 switchport mode access
!
interface FastEthernet0/13
 shutdown
!
interface range FastEthernet0/17 - 24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 7.7.2.1 255.255.255.0
!
interface Vlan4
 ip address 7.7.4.1 255.255.255.0
!
interface Vlan150
 ip address 150.1.7.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 150.1.7.254
ip route 7.7.0.0 255.255.0.0 7.7.4.10
no ip http server
no ip http secure-server
!
ntp clock-period 36028811
ntp server 150.1.7.254
!
end

On SW2


en
conf t
hostname SW2
!
no logging console
enable password cisco
!
no aaa new-model
system mtu routing 1500
ip routing
no ip domain lookup
!
crypto pki trustpoint TP-self-signed-87258368
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-87258368
 revocation-check none
 rsakeypair TP-self-signed-87258368
!
exit
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
interface FastEthernet0/1
 switchport access vlan 8
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 8
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/8
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/9
 switchport access vlan 100
 switchport mode access


!
interface FastEthernet0/11
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/12
 switchport access vlan 8
 switchport mode access
!
interface FastEthernet0/13
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/14
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/15
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/16
 switchport access vlan 8
 switchport mode access
!
interface FastEthernet0/17
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
end

On SW3


en
conf t
hostname SW3
!
no logging console
enable password cisco
!
no aaa new-model
system mtu routing 1500
ip routing
no ip domain lookup
!
ipv6 unicast-routing
ipv6 dhcp pool dhcp-pool
 dns-server 2001:DB8:A:B::1
 dns-server 2001:DB8:3000:3000::42
 domain-name cisco.com
!
crypto pki trustpoint TP-self-signed-87257344
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-87257344
 revocation-check none
 rsakeypair TP-self-signed-87257344
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
interface FastEthernet0/1
 switchport access vlan 77
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 11
 switchport mode access
!
interface range FastEthernet0/17 - 24


 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 7.7.11.1 255.255.255.0
 ipv6 address 2001:DB8:1234:42::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp server dhcp-pool
!
ipv6 router ospf 1
 log-adjacency-changes
!
end

On SW4

en
conf t
hostname SW4
!
no logging console
enable password cisco
!
no aaa new-model
system mtu routing 1500
ip routing
no ip domain lookup
!
crypto pki trustpoint TP-self-signed-87258368
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-87258368
 revocation-check none
 rsakeypair TP-self-signed-87258368
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
interface FastEthernet0/1
!


interface FastEthernet0/2
!
interface FastEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/5
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/9
!
interface FastEthernet0/11
 switchport access vlan 33
 switchport mode access
!
interface FastEthernet0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface range FastEthernet0/17 - 24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
end


On SW5

en
conf t
hostname SW5
!
no logging console
enable password cisco
!
no aaa new-model
switch 1 provision ws-c3750x-12s
system mtu routing 1500
ip routing
!
no ip domain lookup
ipv6 unicast-routing
!
crypto pki trustpoint TP-self-signed-1457097984
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1457097984
 revocation-check none
 rsakeypair TP-self-signed-1457097984
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
interface Loopback1
 no ip address
 ipv6 address 3001:0:5:1::/64 eui-64
 ipv6 ospf 1 area 0
!
interface Loopback2
 no ip address
 ipv6 address 3001:0:5:2::/64 eui-64
 ipv6 ospf 1 area 0
!
interface FastEthernet0/0
 no ip address
 no ip route-cache
 shutdown
!


!
interface GigabitEthernet1/0/3
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/5
 no switchport
 ip address 7.7.20.1 255.255.255.0
!
interface GigabitEthernet1/0/8
 no switchport
 ip address 7.7.10.2 255.255.255.0
 ipv6 address 2001:128:ABC:10::2/64
!
interface GigabitEthernet1/0/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan3
 ip address 7.7.3.2 255.255.255.0
 no ip redirects
!
ip route 0.0.0.0 0.0.0.0 7.7.3.12
ip route 7.7.0.0 255.255.0.0 7.7.3.10
ip route 7.7.2.0 255.255.255.0 7.7.3.8
ip route 7.7.4.0 255.255.255.0 7.7.3.12
ip route 7.7.9.0 255.255.255.0 7.7.10.1
ip route 7.7.99.0 255.255.255.0 7.7.10.1
ip route 200.200.9.0 255.255.255.0 7.7.3.10


!
logging esm config
ipv6 router ospf 1
 router-id 35.35.35.35
 redistribute connected
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
line vty 5 15
 exec-timeout 0 0
 password cisco
 login
 transport input telnet
!
ntp server 7.7.20.3
!
end

On SW6

en
conf t
hostname SW6
!
no logging console
enable password cisco
!
username ciscoAP password 0 CCie123
username cisco password 0 cisco
aaa new-model
!
aaa session-id common
switch 1 provision ws-c3750x-12s


system mtu routing 1500
ip routing
!
ip dhcp excluded-address 7.7.7.1 7.7.7.15
ip dhcp excluded-address 7.7.9.1 7.7.9.5
ip dhcp excluded-address 7.7.99.1 7.7.99.5
ip dhcp excluded-address 10.10.110.1 10.10.110.5
ip dhcp excluded-address 10.10.120.1 10.10.120.5
!
ip dhcp pool pool7
 network 7.7.7.0 255.255.255.0
 default-router 7.7.7.2
 option 43 ip 7.7.7.11
 lease infinite
!
ip dhcp pool voice
 network 7.7.9.0 255.255.255.0
 option 150 ip 7.7.20.1
 default-router 7.7.9.2
!
ip dhcp pool data
 network 7.7.99.0 255.255.255.0
 default-router 7.7.99.1
 dns-server 150.1.7.10
!
ip domain-name cisco.com
ipv6 unicast-routing
!
crypto pki trustpoint TP-self-signed-1459336320
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1459336320
 revocation-check none
 rsakeypair TP-self-signed-1459336320
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
interface Loopback0
 ip address 192.168.66.66 255.255.255.0
!
interface Loopback1
 no ip address
 ipv6 address 1001:0:6:1::/64 eui-64


 ipv6 ospf 1 area 0
!
interface Loopback2
 no ip address
 ipv6 address 3001:0:6:2::/64 eui-64
 ipv6 ospf 1 area 0
!
interface FastEthernet0/0
 no ip address
 no ip route-cache
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
 description WLC
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/5
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet1/0/6
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet1/0/7
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet1/0/8
 no switchport
 ip address 7.7.10.1 255.255.255.0
 ipv6 address 2001:128:ABC:10::1/64
 ipv6 ospf 1 area 0
!
interface GigabitEthernet1/0/12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6,8-4094
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown


!
interface Vlan7
 ip address 7.7.7.2 255.255.255.0
 ipv6 enable
!
interface Vlan9
 ip address 7.7.9.2 255.255.255.0
!
interface Vlan99
 ip address 7.7.99.1 255.255.255.0
!
ip classless
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 7.7.7.1
ip route 7.7.20.0 255.255.255.0 7.7.10.2
!
ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark Ping
 permit icmp any any
 remark PXL/TFTP
 permit udp any any eq tftp
 deny ip any any log
!
ip radius source-interface Vlan7
logging esm config
ipv6 router ospf 1
 router-id 36.36.36.36
 redistribute connected
!
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 150.1.7.20 auth-port 1812 acct-port 1813 key cisco
radius-server vsa send accounting
radius-server vsa send authentication
!
ntp server 7.7.20.3
!


SECTION I. Perimeter Security

1.1 Configure routing and Basic Access on ASA1 (6 Points)

This question has three tasks.

Complete each task to provide basic connectivity and routing capabilities on ASA1.

1) ASA1 should be in single-context routed mode and configured using the information in the table below:

Interface  Nameif   Switch VLANs  Sec Level  IP Address
Gi 0/0     Outside  5             0          7.7.5.10/24
Gi 0/2     Inside   3             100        7.7.3.10/24
Gi 0/3     Dmz      8             50         7.7.8.10/24


Use exact names and numbers as shown in the table.

2) Add static routes as follows:

Interface  Network                    Next Hop
Inside     Configure a default route  7.7.3.2

3) Configure a Secured OSPF process 1

Router-id should be 8.8.8.8

Assign network 7.7.5.0 to area 0

Assign network 7.7.8.0 to area 1

Ensure that networks 192.168.11.11 and 192.168.22.22 (loopbacks on R1 and R2) are added to the routing table on ASA1 but are not propagated into area 0.

Verify by checking the routing table on R6.

Verify your solutions by successfully pinging the inside 150.1.7.0 network from all major 7.7.0.0 subnets, as well as pinging from outside subnets to DMZ subnets.

For example:

R6#ping 7.7.8.1

R6#ping 150.1.7.20

R6#ping 7.7.3.2

Note:

1) The key is already configured on R1 and R2.

2) Check the VLAN assignment.
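One way to meet tasks 1 to 3 on ASA1, as an added example that is not the workbook's answer key. The OSPF MD5 key is a placeholder (the real key is preconfigured on R1 and R2 and is not given here), and the R1/R2 loopbacks are assumed to be advertised as intra-area routes within area 1:

```cisco
! Added example for task 1.1 (not the workbook's answer key).
hostname ASA1
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 7.7.5.10 255.255.255.0
 ! MD5 authentication on the area 0 link (key value is a placeholder)
 ospf authentication message-digest
 ospf message-digest-key 1 md5 <OSPF-KEY-PLACEHOLDER>
 no shutdown
!
interface GigabitEthernet0/2
 nameif Inside
 security-level 100
 ip address 7.7.3.10 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/3
 nameif Dmz
 security-level 50
 ip address 7.7.8.10 255.255.255.0
 ! same key towards R1/R2 in area 1 (they already hold it)
 ospf authentication message-digest
 ospf message-digest-key 1 md5 <OSPF-KEY-PLACEHOLDER>
 no shutdown
!
! Task 2: default route towards SW5 on the Inside
route Inside 0.0.0.0 0.0.0.0 7.7.3.2
!
! Task 3: secured OSPF process 1, area 0 on Outside, area 1 on Dmz
router ospf 1
 router-id 8.8.8.8
 network 7.7.5.0 255.255.255.0 area 0
 network 7.7.8.0 255.255.255.0 area 1
 area 0 authentication message-digest
 area 1 authentication message-digest
 ! ASA1 is the ABR between area 1 and area 0. An area range that is
 ! "not-advertise" keeps the area-1 loopbacks in ASA1's own table but
 ! suppresses the summary LSAs for them, so R6 (area 0) never learns them.
 area 1 range 192.168.0.0 255.255.0.0 not-advertise
!
! Verification
! ASA1# show ospf neighbor
! ASA1# show route | include 192.168      -> both /32 loopbacks present
! R6#   show ip route 192.168.11.11       -> "% Network not in table"
```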


1.2 Configure stateful failover between ASA1 and ASA2 (4 points)


- Configure LAN-based active/standby failover on ASA1 and ASA2.

- Use GigabitEthernet 0/1 in VLAN 100 on SW2 for the failover LAN interface and name it fover.

- Use IP address 7.7.100.100/24 for the active unit and 7.7.100.101/24 for the standby unit.

- Enable stateful failover using the failover interface GigabitEthernet 0/1.

- Set all other parameters as needed to achieve this task.

Your output must match all parameters highlighted below:
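The failover pair as described above, as an added example that is not the workbook's answer key. The failover key, the SW2 port numbers and the standby address on the data interface are assumptions; the workbook does not list them:

```cisco
! Added example for task 1.2 (not the workbook's answer key).
!
! --- SW2: both ASAs' Gi0/1 ports land in the failover VLAN (port numbers assumed) ---
! vlan 100
! interface range GigabitEthernet0/<ASA1-PORT> , GigabitEthernet0/<ASA2-PORT>
!  switchport mode access
!  switchport access vlan 100
!
! --- ASA1 (primary unit) ---
failover lan unit primary
failover lan interface fover GigabitEthernet0/1
failover interface ip fover 7.7.100.100 255.255.255.0 standby 7.7.100.101
! Stateful failover: reuse the same link for connection-state replication
failover link fover GigabitEthernet0/1
! Shared secret so failover messages are authenticated (placeholder value)
failover key <FAILOVER-KEY-PLACEHOLDER>
interface GigabitEthernet0/1
 no shutdown
failover
!
! Each data interface needs a standby address so the units can swap roles;
! the standby value below is an assumption, not from the workbook.
interface GigabitEthernet0/0
 ip address 7.7.5.10 255.255.255.0 standby 7.7.5.11
!
! --- ASA2 (secondary unit): identical, except the unit role ---
! failover lan unit secondary
! failover lan interface fover GigabitEthernet0/1
! failover interface ip fover 7.7.100.100 255.255.255.0 standby 7.7.100.101
! failover link fover GigabitEthernet0/1
! failover key <FAILOVER-KEY-PLACEHOLDER>
! interface GigabitEthernet0/1
!  no shutdown
! failover
!
! Verification: "Failover On", "Failover unit Primary", "Stateful Failover Logical
! Update Statistics" all appear in
! ASA1# show failover
```

Once the secondary joins, the primary's configuration replicates to it, so the data-interface addresses only need to be entered on ASA1.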


1.3 Configure ASA3 in Multi-Context Firewall Mode

Part A: Initialize ASA3 (4 points)

ASA3 must be configured as a multi-context firewall. ASA3 requires a shared outside interface.

Use the following outputs to complete the initial configuration.

Context details

Name   Config URL
C1     C1.cfg
C2     C2.cfg
Admin  Admin.cfg

(NOTE: The above files already exist in flash and must be deleted before configuring.)

The config-url files should be saved on disk0:.

You can permit ICMP traffic from any to any on both contexts.

You can modify the Catalyst switch configuration to complete this task.

When the task is completed, ensure that you are able to ping all major subnets within your network, including ISE1 (150.1.7.20).

Use exact names and numbers as shown in the table

Context “c1” initialization details:

Interface  Type        Nameif   Switch VLANs  Sec Level  IP Address
Gi 0/1     Not Shared  Inside   2             100        7.7.2.10/24
Gi 0/0     Shared      Outside  33            0          7.7.3.8/24

Context “c1” routing configuration details:

Interface  Network    Next Hop
Outside    0.0.0.0/0  7.7.3.2

Context “c2” initialization details:

Interface  Type    Nameif   Switch VLANs  Sec Level  IP Address
Gi 0/2     Shared  Inside   4             100        7.7.4.10/24
Gi 0/0     Shared  Outside  33            0          7.7.3.12/24

Context “c2” routing configuration details:

Interface  Network     Next Hop
Inside     0.0.0.0/0   7.7.4.1
Outside    7.7.0.0/16  7.7.3.2

Context “admin” initialization details:

Interface  Type    Nameif      Switch VLANs  Sec Level  IP Address
Gi 0/2     Shared  Management  4             100        7.7.4.200/24

Context “admin” routing configuration details:

Interface   Network    Next Hop
Management  0.0.0.0/0  7.7.4.1


Part B: Configure IP Services on ASA3 (4 points)

Telnet access – Telnet must be allowed from the VLAN4 IP 7.7.4.1 on SW1 to the admin context of ASA3.

To verify your solution: SW1# telnet 7.7.4.200 /so vlan4

Object NAT and Port-to-Application Mapping – Use object NAT to translate the VLAN4 IP address 7.7.4.1 on SW1 to a global address of 7.7.3.3. Devices on the outside of ASA3 must be able to Telnet to the global address using the non-standard port 2300.

To verify your solution: R6# telnet 7.7.3.3 2300
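Parts A and B of this task on ASA3, as one added example that is not the workbook's answer key. It assumes ASA 8.4+ object-NAT syntax, that VLAN 33 reaches Gi0/0 untagged (so the shared outside is the physical interface), and a placeholder Telnet password:

```cisco
! Added example for task 1.3, Parts A and B (not the workbook's answer key).
!
! --- System execution space ---
! delete disk0:/C1.cfg  /  delete disk0:/C2.cfg  /  delete disk0:/Admin.cfg   (per the NOTE)
mode multiple
! Shared interfaces need a distinct MAC per context; otherwise the classifier
! cannot tell which context a returning packet on Gi0/0 or Gi0/2 belongs to.
mac-address auto
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
!
admin-context Admin
context Admin
 allocate-interface GigabitEthernet0/2
 config-url disk0:/Admin.cfg
context C1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/C1.cfg
context C2
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/2
 config-url disk0:/C2.cfg
!
! --- changeto context C1 ---
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 7.7.2.10 255.255.255.0
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 7.7.3.8 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 7.7.3.2
icmp permit any Inside
icmp permit any Outside
!
! --- changeto context C2 ---
interface GigabitEthernet0/2
 nameif Inside
 security-level 100
 ip address 7.7.4.10 255.255.255.0
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 7.7.3.12 255.255.255.0
route Inside 0.0.0.0 0.0.0.0 7.7.4.1
route Outside 7.7.0.0 255.255.0.0 7.7.3.2
icmp permit any Inside
icmp permit any Outside
! Part B: object NAT with port mapping, 7.7.4.1 tcp/23 <-> 7.7.3.3 tcp/2300
object network SW1-VLAN4
 host 7.7.4.1
 nat (Inside,Outside) static 7.7.3.3 service tcp telnet 2300
! Outside-initiated sessions still need an access rule; on 8.3+ the ACL
! references the real (untranslated) address and port.
access-list OUTSIDE-IN extended permit tcp any host 7.7.4.1 eq telnet
access-group OUTSIDE-IN in interface Outside
!
! --- changeto context Admin ---
interface GigabitEthernet0/2
 nameif Management
 security-level 100
 ip address 7.7.4.200 255.255.255.0
route Management 0.0.0.0 0.0.0.0 7.7.4.1
! Part B: Telnet to the admin context only from SW1's VLAN4 address
passwd <TELNET-PASSWORD-PLACEHOLDER>
telnet 7.7.4.1 255.255.255.255 Management
!
! Verification
! ASA3# show context               -> three contexts, Admin flagged as admin
! ASA3/C2# show nat detail         -> translate_hits climb on R6's Telnet to 7.7.3.3:2300
```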

1.4 Configure ASA4 in transparent mode with NAT support (6 points)

Configure ASA4 as a transparent firewall to be deployed between R3 and SW6 by completing the three tasks outlined below.


1. ASA4 will be assigned the IP address 7.7.7.10/24 and use the following interfaces:

Interface  Type      Nameif   Switch VLANs  Sec Level
Gi 0/3     Physical  Inside   7             100
Gi 0/0     Physical  Outside  77            0

Note: Do not configure management interface 0/0.

2. Add static routes on ASA4 to match the following output

ASA# show route

0.0.0.0/0 via 7.7.7.3

7.7.9.0/24 via 7.7.7.2

Verify your solution by pinging from ASA4 as follows:

ASA4# ping inside 7.7.7.2

ASA4# ping outside 7.7.7.3

3. Configure NAT on the Cisco ASA4 firewall using the following information. NAT control is required.

Configure a rule where any traffic sourced from 7.7.9.0/24 and destined to 7.7.0.0/16 is mapped to a global address from 200.200.9.0/24. This NAT rule must allow bidirectional connection initiation.

Ensure that traffic sourced from the 7.7.7.0/24 network and destined to 7.7.0.0/16 or 150.1.0.0/16 is not translated but is still able to transit ASA4.

Verify your solution by initiating a ping from SW6 to R3 using VLAN9 as the source interface. Enabling debug ip icmp on R3 should show that the translation has occurred:

R3# ICMP: echo reply sent, src 7.7.7.3, dst 200.200.9.2
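The transparent-mode deployment with conditional static NAT and identity NAT, as an added example that is not the workbook's answer key. It assumes ASA 8.4+ (bridge-group and twice-NAT syntax) and lowercase nameifs; object names are arbitrary:

```cisco
! Added example for task 1.4 on ASA4 (not the workbook's answer key).
! Note: "firewall transparent" clears the running configuration when the mode changes.
firewall transparent
!
! Task 1: both interfaces join one bridge group; the ASA's own address lives on the BVI
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 bridge-group 1
 no shutdown
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
 no shutdown
interface BVI1
 ip address 7.7.7.10 255.255.255.0
!
! Task 2: routes for traffic the ASA itself originates (pings, management)
route outside 0.0.0.0 0.0.0.0 7.7.7.3
route inside 7.7.9.0 255.255.255.0 7.7.7.2
!
! Task 3: NAT objects
object network NET-VLAN9
 subnet 7.7.9.0 255.255.255.0
object network NET-VLAN9-MAPPED
 subnet 200.200.9.0 255.255.255.0
object network NET-7-7
 subnet 7.7.0.0 255.255.0.0
object network NET-VLAN7
 subnet 7.7.7.0 255.255.255.0
object network NET-150-1
 subnet 150.1.0.0 255.255.0.0
object-group network DST-UNTRANSLATED
 network-object object NET-7-7
 network-object object NET-150-1
!
! Static twice NAT: 7.7.9.x becomes 200.200.9.x only when the destination is
! in 7.7.0.0/16. "static" on the source side is what makes the mapping
! bidirectional, so outside hosts can initiate to 200.200.9.x as well.
nat (inside,outside) source static NET-VLAN9 NET-VLAN9-MAPPED destination static NET-7-7 NET-7-7
!
! Identity NAT: 7.7.7.0/24 towards 7.7.0.0/16 or 150.1.0.0/16 transits untranslated.
nat (inside,outside) source static NET-VLAN7 NET-VLAN7 destination static DST-UNTRANSLATED DST-UNTRANSLATED
!
! Verification
! ASA4# ping inside 7.7.7.2
! ASA4# ping outside 7.7.7.3
! ASA4# show nat detail            -> translate_hits on the first rule after
! SW6# ping 7.7.7.3 source vlan9   ->  R3 "debug ip icmp" reports dst 200.200.9.2
```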


SECTION II. IPS and Context security

2.1 – Initialize the Cisco IPS Sensor Appliance (4 points)

Initialize the Cisco IPS Sensor appliance as follows:

Parameters         Settings
Hostname           IPS
Management         Configure the command and control Management 0/0 interface in VLAN 4
Sensor IP Address  7.7.4.100/24
Default Gateway    7.7.4.1
Sensor ACL         7.7.0.0/16, 150.100.7.0/24, 151.ss.1.0/24, 150.1.7.0/24
Telnet             Enable Telnet management
Auto IP Logging    Enable IP logging on sig0: log 200 packets, log time 30 secs, log bytes 5024

Verify the Cisco IPS sensor configuration using the following:

The username and password for the Cisco IPS console are cisco and 123cisco123. DO NOT CHANGE THEM.

Use the console to initialize the Cisco IPS sensor appliance using the details in this table. Ensure that the Management0/0 interface is up and functioning (refer to the Lab Topology diagram).


You can modify Cisco Catalyst switches configuration if required.

Ensure that the Cisco IPS sensor is able to ping the default gateway and Test-PC:

IPS# ping 7.7.4.1

IPS# ping 150.1.7.100

Ensure that the following ping and telnet connections are successful from SW1:

SW1# ping 7.7.4.100

SW1# telnet 7.7.4.100

2.2 Deploy the Cisco IPS Sensor Using an In-line VLAN Pair (4 points)


Configure the Cisco IPS appliance inline VLAN pair using these guidelines:

Configure the Cisco IPS sensor appliance for the inline VLAN pair as shown in the Lab Topology diagram as follows:

Parameters        Settings
Interface         Gig 0/0
Inline VLAN Pair  VLAN 3 & VLAN 33

You are allowed to modify the switch parameters as appropriate to achieve this task.

Refer to the lab diagram for the required information.

You may access the IPS management GUI (IME) either from your Test-PC or your local Candidate PC to help with the task. The IME password is Cisc0123. You are allowed to adjust any firewall and/or routing configuration to ensure that this works.

Ensure that the sensor is passing traffic successfully.

For testing, ensure that this ping from SW6 is passing through the sensor, with the packets being displayed on the sensor console.

IPS# packet display gigabitethernet0/0

R6#ping 7.7.4.1


2.3 Implement custom signatures on the Cisco IPS sensor (4 points)

A custom signature 61000 is required on the Cisco IPS sensor as follows:

Trigger – Users are allowed to telnet to SW1 via the translated address (see Q1.3); however, they must not be allowed to launch another telnet from SW1 to any device on the 150.1.0.0/16 network.

Action – reset-tcp-connection when a telnet session is attempted from within an existing session to SW1

Alert-severity – high

Signature-definition – 0


Note:

There’s a dependency on the NAT-object & Port-to-Application Mapping config from Q 1.3.

You can use any signature engine to complete this task that satisfies the question requirements.

Verify your solution by connecting to SW1 from another device in the topology using the translated address specified in Q1.3, and thereafter launch a Telnet from SW1 to your Test-PC (150.1.7.100) as follows:

SW1>enable

SW1#telnet 150.1.7.

2.4 Initialize the Cisco WSA and Enable WCCP Support (6 points)


The Cisco WSA has been initialized with IP address of 7.7.4.150 & connected via SW1 in VLAN4.

Using the Test-PC or Candidate PC, connect to the WSA and configure it as follows.

Connection Information: http://7.7.4.150:8080/ Username=admin Password=ironport

Initialize the Cisco WSA appliance as follows using the System Setup Wizard:

Security services:

Parameters                 Settings
Web Proxy                  Enabled
Web Proxy Mode             Transparent
IP Spoofing                Not Enabled
HTTP/S Proxy               Enabled
Native FTP Proxy           Enabled
L4 Traffic Monitor         Enabled
L4 Traffic Monitor Action  Enabled
Acceptable Use Controls    Enabled
Web Reputation Filters     Enabled
IronPort DVS Engine        Webroot: Enabled, McAfee: Enabled

Parameters             Settings
Hostname               Wsa.cisco.com
Interface              M1 to be used for Management
IP Address             7.7.4.150/24
Default Gateway        7.7.4.1
System Information     Admin: ironport, [email protected], time: US/America/LA
NTP Server             7.7.4.1
DNS                    150.1.7.10
L4 Traffic Monitoring  Duplex: T1 (in/out)

Accept all other defaults.

From ASA3/c2, verify that you can ping the M1 interface of the WSA:

ASA3/c2(config)# ping 7.7.4.150


Configure WCCP redirect from the inside interface of ASA3/c2 to WSA using:

Redirect-list: for all HTTP and HTTPS traffic

Group-list to limit redirections to the WSA only

Service-group must be in the appropriate range

Note: You can use any names for your redirect-list and group-list.

Be sure to use a dynamic service group. Do not use the default web-cache service.

This question is dependent on the completion of Q1.3.

You may have to reboot the WSA after configuring WCCP if the ASA reports the following event in its logs:

WCCP-EVNT: D90: Here_I_Am packet from 7.7.4.150 ignored: bad web-cache id.

Use the following to verify your solution from the Test-PC, and then check the HTTP requests on R3 for the address of the WSA:
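The WCCP redirection on the inside interface of context c2, as an added example that is not the workbook's answer key. Service group 90 is an assumed value from the dynamic range (the event text above mentions D90), and the list names are arbitrary:

```cisco
! Added example for the WCCP part of task 2.4 (not the workbook's answer key).
! Entered in context c2 of ASA3 (changeto context C2).
!
! Redirect list: what gets sent to the proxy. The deny for the WSA's own
! address comes first, otherwise the proxy's outbound fetches would be
! redirected back to itself and loop.
access-list WSA-REDIRECT extended deny tcp host 7.7.4.150 any
access-list WSA-REDIRECT extended permit tcp any any eq www
access-list WSA-REDIRECT extended permit tcp any any eq https
!
! Group list: which devices may join the service group. Restricting it to
! the WSA stops any other host on VLAN4 from registering as a "cache" and
! receiving the redirected client traffic.
access-list WSA-GROUP extended permit ip host 7.7.4.150 any
!
! Dynamic service group 90 (assumed); "web-cache" is service 0 and is not allowed by the task
wccp 90 redirect-list WSA-REDIRECT group-list WSA-GROUP
! Only traffic entering the Inside interface (from VLAN4 clients) is redirected
wccp interface Inside 90 redirect in
!
! Verification
! ASA3/C2# show wccp 90 view      -> 7.7.4.150 listed as a usable web cache
! ASA3/C2# show wccp 90 detail    -> packets redirected counter increases on client HTTP
```

The ASA redirects only on the interface the client traffic enters, so the WSA must sit on a subnet the Inside interface can reach directly, which VLAN4 satisfies here.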


2.5 Add a custom URL Access Policy to the WSA (3 points)

Add a custom URL category called Restricted Site which will block the site 7.7.7.2. Add the custom URL filter to the Global access policy and ensure that the action taken will be to block the connection.

Use the following to verify your solution from the Test-PC:


SECTION III. Secure Access

3.1 Troubleshooting IPsec Management of ASA4 (4 points)

Complete the configuration of an IPsec secured management tunnel between R3 and ASA4.

R3 has been partially configured and indicates the IKE and IPsec policy parameters to use.

Ensure that you are able to launch the IPsec protected Telnet session from R3 to ASA4.

There are faults on R3 that must be corrected to complete this question.

Do not use wildcard (0.0.0.0) pre-shared keys.

You can use any names for policies that have not been preconfigured.

Verify your solution as follows:


3.2 Troubleshooting IPsec Static VTI with IPv6 (5 points)

An IPsec static virtual tunnel interface is required between R3 and R5. This interface must support IPv6 traffic, and the EIGRPv6 routes (the networks from Loopback3) must be exchanged securely for AS1 via the tunnel.

Complete and troubleshoot the configuration:

Verify your solution as follows:


Ensure that the interface Loopback3 subnets on either router are being advertised via EIGRPv6.

R3# show ipv6 route

EX 1010::/64 [170/27008000]

Via FE80::21E:BEFF:FE80:B5C, Tunnel0

R5#sho ipv6 route

EX 2010::/64 [170/27008000]

Via FE80::21E:4AFF:FE2F:CA50, Tunnel2

3.3 Troubleshooting DMVPN Phase 3 with Dual hubs (6 points)


In this question R1 and R2 are dual DMVPN hubs, with R4 and R5 as the spokes that peer with both hubs for redundancy. The hubs are pre-configured. Complete the configuration of the spokes and troubleshoot the solution using the following information:

172.16.23.1/2 – IP addresses of the dual hubs

172.16.23.4/5 – IP addresses of the dual spokes

Each spoke must peer with both hubs, and direct spoke-to-spoke communication should occur using NHRP shortcut capabilities.

EIGRP routing AS 123 is preconfigured and must advertise the Lo 0 of R4 and R5 and network 10.2.2.0/24 of R1 and R2.

Verify your solution as follows:


3.4 Configure Security Features on the Cisco WLC (4 points)

The WLC manages the configuration and control of the Cisco AP 1242 (there is no need to change any settings on the AP itself).


To complete this question you can use the CLI on the WLC, or the web GUI via http://7.7.7.11/ (Username=cisco, Password=Cisco123).

1. Configure 802.1X support on the WLC. This information is pushed to the AP in the rack and will facilitate 802.1X authentication.

2. To protect the network from rogue APs associating with the WLC, configure the WLC with the following rogue rule:

- Rogue Rule Name: Rogue

- Type: Malicious

- SSID: Rogue

- Must be heard at an RSSI value of -60 or stronger

- Classify only if the rogue is not using encryption


SECTION IV. System Hardening and Availability

4.1 Troubleshoot Secure Routing Using OSPFv3 in Cisco IOS (4 points)

OSPFv3 has been partially pre-configured between R1 & R2 using command “ipv6 router ospf 2”

Complete configuration and troubleshooting as required to meet the following requirements:

1. Configure AH MD5 authentication for area 0 to protect routing information. You can define your own keys.

2. Ensure that the IPv6 addresses from interface Loopback3 on R1 and R2 are being advertised using OSPFv3 via Gig 0/0 on R1 and R2.
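Both requirements on one router, as an added example that is not the workbook's answer key; apply the same lines on R1 and R2. The SPI and the 32-hex-digit MD5 key are arbitrary values chosen here (the task lets you pick them), and Gig 0/0 is assumed to be the R1-R2 link the page mentions:

```cisco
! Added example for task 4.1 (not the workbook's answer key); identical on R1 and R2.
ipv6 unicast-routing
!
ipv6 router ospf 2
 ! AH protects every OSPFv3 packet in area 0 with a keyed MD5 integrity check.
 ! The SPI and key must match on every router in the area; the key is 32 hex digits.
 area 0 authentication ipsec spi 256 md5 0123456789abcdef0123456789abcdef
!
! Requirement 2: put Loopback3 into the process so its prefix is advertised over Gig 0/0
interface Loopback3
 ipv6 ospf 2 area 0
interface GigabitEthernet0/0
 ipv6 ospf 2 area 0
!
! Troubleshooting checks
! R1# show ipv6 ospf interface GigabitEthernet0/0
!     -> "MD5 authentication (Area) SPI 256, secure socket UP"; a socket that
!        stays DOWN means the AH SA could not be built (SPI/key mismatch, or
!        an interface-level "ipv6 ospf authentication" overriding the area setting)
! R1# show ipv6 ospf neighbor            -> R2 in FULL
! R1# show crypto ipsec sa               -> the OSPFv3 AH SA, inbound/outbound packet counts
! R2# show ipv6 route ospf               -> R1's Loopback3 prefix present
```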

4.2 Troubleshoot IP Options Handling on the Cisco ASA (3 points)

The following information has appeared in an error message on ASA1 for IGMPv2 traffic transiting ASA1:

%ASA-6-106012: Deny IP from 7.7.5.15 to 225.17.1.1, IP options: “Router Alert”

Configure ASA1 to prevent this error message and allow IGMPv2 to function correctly on all interfaces.
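The IP-options inspection that stops this drop, as an added example that is not the workbook's answer key. The inspect policy-map name is arbitrary; global_policy and inspection_default are the ASA's default names:

```cisco
! Added example for task 4.2 on ASA1 (not the workbook's answer key).
!
! By default the ASA drops any packet carrying IP options and logs 106012.
! IGMPv2 membership reports and queries carry the Router Alert option (148),
! so they are dropped on every interface until that option is explicitly allowed.
policy-map type inspect ip-options IPOPT-PMAP
 parameters
  ! pass packets with Router Alert unchanged; all other options keep the default drop
  router-alert action allow
!
! Attach it to the default global policy so it applies to all interfaces
policy-map global_policy
 class inspection_default
  inspect ip-options IPOPT-PMAP
!
service-policy global_policy global
!
! Verification
! ASA1# show service-policy inspect ip-options     -> "Router Alert: allowed" counters
! ASA1# show logging | include 106012              -> no new entries for 225.17.1.1
```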


4.3 Configure Netflow on a Cisco IOS Router (3 points)

Configure Netflow version 9 on R6 using following requirements:

1. Define an IP flow-top-talkers policy to be applied on Gig 0/1.1 as follows:

- Display top5 talkers for ICMP traffic

- Randomly sample traffic at a rate of one-out-of 10 packets

2. Verbose NetFlow output must display:

- IP Address

- MAC Address

- Vlan IDs

R6#show ip cache verbose flow

R6#show ip flow top-talker
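The NetFlow configuration for both requirements on R6, as an added example that is not the workbook's answer key. The collector address and port are placeholders (the task names none), and the sampler-map name is arbitrary:

```cisco
! Added example for task 4.3 on R6 (not the workbook's answer key).
!
! Version 9 export is what carries the Layer 2 fields (MAC addresses, VLAN IDs)
ip flow-export version 9
ip flow-export destination <COLLECTOR-IP-PLACEHOLDER> 9996
!
! Requirement 2: record MAC addresses and VLAN IDs in the flow cache so
! "show ip cache verbose flow" prints them next to the IP fields
ip flow-capture mac-addresses
ip flow-capture vlan-id
!
! Requirement 1: random sampling, one packet in ten
flow-sampler-map SAMPLE-1-IN-10
 mode random one-out-of 10
!
interface GigabitEthernet0/1.1
 ! sampled NetFlow on the subinterface (replaces "ip flow ingress" here)
 flow-sampler SAMPLE-1-IN-10
!
! Requirement 1: top five ICMP flows (IP protocol 1), ranked by packet count
ip flow-top-talkers
 top 5
 sort-by packets
 match protocol 1
!
! Verification
! R6# show flow-sampler                 -> packets seen vs. sampled, roughly 10:1
! R6# show ip flow top-talkers          -> at most 5 entries, all protocol 01
! R6# show ip cache verbose flow        -> MAC and VLAN columns populated
```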


SECTION V. Threat Identification and Mitigation

5.1 Tuning Application Inspection on the Cisco ASA (4 points)

HTTP inspection must be configured to log GET operations with level 15 privilege made to Cisco IOS HTTP servers behind ASA1. The packet capture output below, which shows an HTTP session to 7.7.8.1 from the Test-PC, should be used to help define your match criteria.


5.2 Configure Dynamic-ARP Inspection in a DHCP Environment (4 points)

R3 receives an IP address for interface g0/1.1 from R6, which is considered a trusted DHCP server. Configure SW4 for DAI using DHCP snooping for the appropriate VLAN.

SW4# show ip dhcp snooping binding
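DHCP snooping plus DAI on SW4, as an added example that is not the workbook's answer key. The VLAN number and the port that leads towards R6 are placeholders, since the page does not name them (check with show vlan and show cdp neighbors on SW4):

```cisco
! Added example for task 5.2 on SW4 (not the workbook's answer key).
! <VLAN> = the VLAN shared by R3's g0/1.1 and R6; <PORT-TO-R6> = SW4's port towards R6.
!
! DHCP snooping builds the binding table that DAI validates against.
ip dhcp snooping
ip dhcp snooping vlan <VLAN>
! R6 is a DHCP server, not a relay: an IOS server discards packets that carry
! option 82 with giaddr 0, so do not let the switch insert it.
no ip dhcp snooping information option
!
! Only the path to the trusted server may originate DHCP offers and ARP without checks
interface <PORT-TO-R6>
 ip dhcp snooping trust
 ip arp inspection trust
!
! DAI: every ARP packet on untrusted ports in the VLAN must match a snooping
! binding (MAC <-> IP <-> port); everything else is dropped and logged.
ip arp inspection vlan <VLAN>
! Also reject ARP whose Ethernet and ARP-body addresses disagree
ip arp inspection validate src-mac dst-mac ip
!
! Verification
! SW4# show ip dhcp snooping binding                -> R3 g0/1.1 MAC, leased IP, <VLAN>, its port
! SW4# show ip arp inspection vlan <VLAN>           -> Configuration: Enabled, Operation: Active
! SW4# show ip arp inspection statistics vlan <VLAN>
!     -> "DHCP Drops" stays at 0 for R3 once its lease is in the binding table;
!        a rising count means ARP arrived from a host with no binding (or
!        the server port was left untrusted and the lease was never recorded)
```

If R3 already held its lease before snooping was enabled, the binding table will be empty until R3 renews; "renew dhcp" on R3 or a shut/no shut of g0/1.1 repopulates it.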

5.3 LDAP (Outdated)

- Microsoft Windows users utilize the “msNPAllowDialin” attribute to grant or withdraw permission to dial into the registration admission and status server (RASS).

Configure the ASA admin context to map this MS attribute to the Cisco cVPN3000-IETF-Radius-Class attribute:

- A value of FALSE should be mapped to a value of ACCESS-DENY

- A value of TRUE should be mapped to a value of ACCESS-ALLOW
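The LDAP attribute map described above, as an added example that is not the workbook's answer key. On ASA 8.x the Cisco-side attribute is named IETF-Radius-Class (the cVPN3000- prefixed name is the older 7.x spelling the page uses); the AAA server group, AD host, base DN and bind credentials are placeholders, since the task gives none:

```cisco
! Added example for task 5.3, entered in the admin context of ASA3 (not the workbook's answer key).
!
! Translate the Active Directory attribute into the Cisco class attribute.
! The map has two halves: map-name renames the attribute, map-value rewrites its values.
ldap attribute-map MSNP-TO-CLASS
 map-name  msNPAllowDialin IETF-Radius-Class
 map-value msNPAllowDialin FALSE ACCESS-DENY
 map-value msNPAllowDialin TRUE  ACCESS-ALLOW
!
! Attach the map to the LDAP server group that authenticates the users (placeholder values)
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (Management) host <AD-SERVER-IP-PLACEHOLDER>
 ldap-base-dn <BASE-DN-PLACEHOLDER>
 ldap-scope subtree
 ldap-login-dn <BIND-DN-PLACEHOLDER>
 ldap-login-password <BIND-PASSWORD-PLACEHOLDER>
 server-type microsoft
 ldap-attribute-map MSNP-TO-CLASS
!
! After the map, a user whose msNPAllowDialin is FALSE returns class "ACCESS-DENY"
! and one whose value is TRUE returns "ACCESS-ALLOW"; the ASA uses that class value
! to pick the group-policy of the same name, which is where access is granted or refused.
!
! Verification
! ASA3/admin# show running-config ldap attribute-map
! ASA3/admin# debug ldap 255
!   -> "mapped to IETF-Radius-Class: value = ACCESS-DENY" (or ACCESS-ALLOW) during a test login
! ASA3/admin# test aaa-server authentication AD-LDAP username <USER> password <PASSWORD>
```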


SECTION VI. Identity Management

6.1 Configure the Cisco Access Point as an 802.1X supplicant (6 points)

The Cisco Access Point 1242 is managed and controlled by the Cisco WLC, which should be allowed to communicate with 802.1X-authorized APs.

In this question you are required to configure 802.1X support for the AP on SW6 (RADIUS source interface 7.7.7.2/VLAN7) and ISE1 (150.1.7.20).

Use the information below to complete the question.

1. Create an identity for the AP on ISE1 using the credentials created in the 802.1X task in Q3.4; it will be used for authentication and mapped to an authorization policy.

2. Configure an Authorization Profile and Authorization Policy rule for the Cisco Access Point as follows:

Parameters    Settings
Name          Cisco_Access_Points
Description   Permit Cisco AP 1242
Access Type   Access_Accept
Common Tasks
  DACL Name   AP_DACL
  DACL Policy Permit CAPWAP (UDP 5246/5247) and DNS
  Vlan        9

3. Configure SW6 G1/0/5 for 802.1X support, which will enable the Cisco AP to authenticate via RADIUS to ISE1 and receive an authorization policy.

6.2 Configure Support for MAB/802.1X for Voice and Data VLANs

Part A: Authentication and Authorization of Cisco IP Phone with MAB (6 points)

The Cisco IP Phone is connected to the interface g1/0/1 on SW6. It receives an IP address via DHCP from the 7.7.9.0/24 subnet and registers with CUCME on R6 (via 7.7.20.3).

The requirement is to add security to this connection through authentication and authorization on SW6 using MAC Authentication Bypass (MAB) to assign the RADIUS attributes required to move the phone into the voice VLAN.


Use the following information to complete this task:

- Create an Endpoint Identity for the IP Phone in your Rack on ISE1 (150.1.7.20)

- Verify that you have an authentication rule for MAB on the Cisco ISE.

- Verify that the standard authorization policy for Cisco IP Phones exists and is allowing a permit on all traffic on ISE1.

- Configure g1/0/1 on SW6 to support a voice VLAN (9) and data VLAN (99)

- Voice VLAN will support MAB for authentication

- Data VLAN will provide support for the Test-PC that must connect through the Phone using 802.1X.

- SW6 must attempt a MAB authentication first after learning the MAC address of an Endpoint. If MAB is not successful, 802.1X endpoints should be allowed to connect.

The following output should be used to verify your solution


Part B: (6 points)

Authentication and Authorization of 802.1X Client through a Cisco IP Phone

The Test-PC must be allowed to connect through the authenticated Cisco IP Phone.

1. SW6 G1/0/1 should have been configured to support a voice and data VLAN in Part A of this question.

2. Configure an Authorization Profile and Authorization Policy rule for the Test-PC on ISE1 using the following info:

Attribute          Value
Group Name         Test-PC_Group
Username/Password  test-PC/Cisc0123
Access Type        Access_Accept
Common Tasks
  DACL Name        DATA_VLAN_DACL
  DACL Policy      Permit ip any any
  Vlan             99

The following output should be used for verification
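The SW6 side of step 3 of Q6.1 and of Q6.2 Parts A and B, as one added example that is not the workbook's answer key (the ISE identities, profiles and policy rules are built in the ISE GUI and are not shown). It assumes SW6's running configuration from earlier in the workbook is in place: aaa new-model, the radius-server host 150.1.7.20 with VSA support, and ip radius source-interface Vlan7:

```cisco
! Added example for Q6.1 step 3 and Q6.2 on SW6 (not the workbook's answer key).
!
! Global AAA: 802.1X/MAB authentication, and authorization so ISE1 can push
! the VLAN and the downloadable ACL (dACL) named in the authorization profiles.
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
! dACLs are applied per session against the client's IP, so the switch must learn it
ip device tracking
!
! Q6.1: the AP on G1/0/5 is a single 802.1X supplicant (its credentials come from Q3.4);
! ISE1's Cisco_Access_Points profile moves it to VLAN 9 and applies AP_DACL.
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 7
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! Q6.2: phone (MAB, voice VLAN 9) plus the Test-PC behind it (802.1X, data VLAN 99)
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 99
 switchport voice vlan 9
 ! exactly one voice device and one data device may authenticate on this port
 authentication host-mode multi-domain
 ! Part A: MAB is tried first, as the task requires; when MAB fails the next
 ! method in the order (802.1X) is attempted, which is what admits the PC.
 authentication order mab dot1x
 ! Part B: let a supplicant that starts EAPOL take over a MAB-authorised session
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! Verification
! SW6# show authentication sessions interface GigabitEthernet1/0/1
!   -> two entries: phone (Method: mab, Domain: VOICE, Vlan Policy: 9) and
!      Test-PC (Method: dot1x, Domain: DATA, Vlan Policy: 99, ACS ACL: xACSACLx-IP-DATA_VLAN_DACL-...)
! SW6# show dot1x interface GigabitEthernet1/0/5 details   -> AP in AUTHENTICATED state
! SW6# show ip access-lists                               -> the downloaded dACL contents
```

If the phone authenticates but the PC behind it does not, check that ISE1's MAB rule rejects unknown MACs (so the switch falls through to 802.1X) rather than continuing to the next policy with an accept.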


Thank You for using cciesecuritylabs workbooks.