
QUESTION SET

LAB 3.2

REAL LABS
www.cciesecuritylabs.com

CCIESECURITYLABS.COM

Final Release

03-JUNE-2014

Initial Guidelines
1. Read all of the questions in a section before you start the configuration. It is even recommended that
you read the entire lab exam before you proceed with any configuration.
2. Exam questions have dependencies on others. Read through the entire workbook to help identify these
questions and the best order of configuration. Sections do not have to be completed in the order
presented in the workbook.
3. Most questions include verification output that can be used to check your solutions.
Highlighted sections in the verification output MUST be matched to ensure correctness.
4. If you need clarification of the meaning of a question, or if you suspect that there may be hardware
issues in your equipment, contact the onsite lab proctor as soon as possible.
5. The equipment on the rack assigned to you is physically cabled, so do NOT tamper with it. Before
starting the exam, confirm that all devices in your rack are in working order. During the exam, if any
device is locked or inaccessible for any reason, you must recover it. When you finish the exam, ensure
that all devices are accessible to the grading proctor. A device that is not accessible for grading cannot
be marked and may cause you to lose substantial points.
6. Knowledge of implementation and troubleshooting techniques is part of the lab exam.
7. Points are awarded only for working configurations. Towards the end of the exam, you should test the
functionality of all sections of the exam.
8. You will be presented with preconfigured routers and switches in your topology. The routers and
switches are preconfigured with basic IP addressing, hostname, enable password (cisco), switching, VTP,
VLANs, Frame Relay DLCI mapping, IP routing and console port configuration. Do NOT change any of the
preconfigurations at any time, unless the change is specified in a question.
9. Throughout the exam, assume these values for variables if required:
- YY is your two-digit rack number. For example, the YY value for Rack 01 is 01 and for Rack 11 is 11.
- SS is your Site ID for the lab exam location. Read the next page for your location.
- BB is the backbone number. For example, the BB value for Backbone 2 is 2. Backbone subnets use the
following address convention: 150.BB.YY.0/24. Do NOT change backbone addresses unless you are
instructed to do so.
- X is your router number. For example, the value of X for Router 1 is 1; for Switch 1 and Switch 2 it is 7 and 8
respectively.

- Z is any number.
10. You are allowed to add static and default routes (if required) on any device.
11. Where additional addressing is indicated in the Lab Topology Diagram, ensure that it does not
conflict with a network that is already used in your topology. The preconfigured routing protocols are
shown in the Lab Routing Diagram.
12. Full access to the VMWare ESXi Server from your workstation is provided. Use the username admin
and the password cisco to log in. You can add, modify or delete any settings on the Cisco Secure ACS,
Test-PC and Cisco ISEs as required in the question.
13. All device names, access information and username/password combinations are summarized on the
following pages. Do NOT change these settings.


CCIE Security Lab Equipment and Software v4.0


Hardware
Cisco 3800 Series Integrated Services Routers (ISR)
Cisco 1800 Series Integrated Services Routers (ISR)
Cisco 2900 Series Integrated Services Routers (ISR G2)
Cisco Catalyst 3560-24TS Series Switches
Cisco Catalyst 3750-X Series Switches
Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances
Cisco IPS Series 4200 Intrusion Prevention System sensors
Cisco S-series Web Security Appliance
Cisco ISE 3300 Series Identity Services Engine
Cisco WLC 2500 Series Wireless LAN Controller
Cisco Aironet 1200 Series Wireless Access Point
Cisco IP Phone 7900 Series*
Cisco Secure Access Control System
Notes:
The ASA appliances can be configured using CLI or ASDM/Cisco Prime Tools.
*Device Authentication only, provisioning of IP phones is NOT required.

Software Versions

Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release
12.2SE/15.0(x)SE
Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x,
8.6x
Cisco IPS Software Release 7.x
Cisco VPN Client Software for Windows, Release 5.x
Cisco Secure ACS System software version 5.3x
Cisco WLC 2500 Series software 7.2x
Cisco Aironet 1200 series AP Cisco IOS Software Release 12.4J(x)
Cisco WSA S-series software version 7.1x
Cisco ISE 3300 series software version 1.1x
Cisco NAC Posture Agent v4.X
Cisco AnyConnect Client v3.0X

Summary of Usernames and Passwords for All Devices

Device        Username       Password
Router        cisco          Cisco
Switches      cisco          Cisco
IPS           cisco          123cisco123
WSA           admin          ironport
WLC           cisco          Cisco123
AP            ciscoAP        CCie123
ESXi Server   admin          Cisco
ISE           admin          Cisco123
ACS           admin          Cisco123
ASA           (not listed)   (not listed)
Test-PC       (not listed)   Cisc0123


Topology 1: Test PC and Vmware ESXI server

Topology 2: Local Candidate PC


Topology 3: Switch Cabling


Topology 4: Layer 2


Topology 5: Logical


OUR CCIE SECURITY ENGINEERS ARE AVAILABLE ON GOOGLE TALK CHAT to support any
questions related to our workbooks (sales@cciesecuritylabs.com).

YOUR GATEWAY TO SUCCESS TOWARDS THE CCIE LAB

ACTIVE CLIENTS WILL GET VERY SPECIAL DISCOUNTS ON OTHER CCIE TRACKS.
KINDLY VISIT FOR FURTHER INFORMATION:

CCIE SECURITY ----> WWW.CCIESECURITYLABS.COM
CCIE WIRELESS ----> WWW.CCIEWIRELESSLABS.COM
CCIE DATACENTER ----> WWW.CCIEDATACENTERLABS.COM
CCIE VOICE ----> WWW.CCIEVOICELABS.COM
CCIE R&S ----> WWW.CCIERNSLABS.COM

KINDLY CONTACT US AT SALES@CCIESECURITYLABS.COM FOR FURTHER INFORMATION ON OTHER TRACKS.

Launched!
CCIE COLLABORATION -----> WWW.CCIECOLLABORATIONLABS.COM


SECTION I. Perimeter Security

1.1 Configure Routing and Basic Access on ASA3 (2 points)

Complete each task to provide basic connectivity and routing capabilities on ASA3.
1) ASA3 should be in single-context routed mode and configured using the information
in the table below:

Interface   Nameif    Switch VLAN   Sec Level   IP Address
Gi0/0       outside   3             0           7.7.3.8/24
Gi0/2       inside    4             100         7.7.4.10/24
Gi0/3       dmz       8             50          7.7.8.12/24

Use exact names and numbers as shown in the table.

2) Add static routes as follows:

Interface   Network         Next Hop
inside      Default Route   7.7.4.1
dmz         7.7.11.16/28    7.7.8.3
dmz         7.7.11.32/28    7.7.8.3
outside     7.7.0.0/16      7.7.3.2

Allow NTP access for the 7.7.0.0/16 network from outside and dmz.
ASA3 should sync its NTP from SW1.
Verification:
ASA3# ping 7.7.3.2
ASA3# ping 7.7.4.1
ASA3# ping 7.7.5.3
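As an added worked example (not the workbook's own answer key), the following is one way to complete task 1.1 on ASA3. The ACL names are assumptions, and 7.7.4.1 is taken to be SW1's VLAN 4 address because it is the inside next hop and SW1 is the required NTP source.

```cisco
! ASA3: routed single-context mode is the factory default; confirm with
! "show mode" and "show firewall" before starting.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 7.7.3.8 255.255.255.0
 no shutdown
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 7.7.4.10 255.255.255.0
 no shutdown
interface GigabitEthernet0/3
 nameif dmz
 security-level 50
 ip address 7.7.8.12 255.255.255.0
 no shutdown
!
! Static routes exactly as in the table: the default points INSIDE, the
! 7.7.0.0/16 summary points OUTSIDE, the two /28s point to the dmz router.
route inside 0.0.0.0 0.0.0.0 7.7.4.1
route dmz 7.7.11.16 255.255.255.240 7.7.8.3
route dmz 7.7.11.32 255.255.255.240 7.7.8.3
route outside 7.7.0.0 255.255.0.0 7.7.3.2
!
! NTP from 7.7.0.0/16 arriving on the two lower-security interfaces
! (ACL names are assumptions).  Mind the implicit deny: once an ACL is
! bound to outside or dmz, every other inbound flow on that interface is
! dropped until a later task adds a permit for it.
access-list OUTSIDE_IN extended permit udp 7.7.0.0 255.255.0.0 any eq ntp
access-group OUTSIDE_IN in interface outside
access-list DMZ_IN extended permit udp 7.7.0.0 255.255.0.0 any eq ntp
access-group DMZ_IN in interface dmz
!
! ASA3 takes its time from SW1 (assumed to be 7.7.4.1, the inside next hop).
ntp server 7.7.4.1 source inside
```

Check with show route (all four routes present), show ntp associations (an asterisk marks the peer the ASA is synchronised to) and show ntp status. The verification pings are sourced by the ASA itself, so their replies are to-the-box traffic and are not subject to the interface ACLs; 7.7.5.3 is reached through the /16 on outside. The switch ports facing Gi0/0, Gi0/2 and Gi0/3 must be access ports in VLANs 3, 4 and 8.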

1.2 Configure ASA1 in Multi-Context Firewall Mode (2 points)

Part A: Initialize ASA1

ASA1 must be configured as a multi-context firewall.
Use the following outputs to complete the initial configuration.

Context details
Name    Config URL
c1      c1.cfg
c2      c2.cfg
admin   admin.cfg

You can modify the Catalyst switch configuration to complete this task.
Use exact names and numbers as shown in the tables.
When the task is completed, ensure that you are able to ping from ASA1:
ASA1/c1# ping 7.7.8.3
ASA1/c1# ping 7.7.4.1
ASA1/c1# ping 150.1.7.20
Context c1 initialization details:

Interface   Type       Nameif    Switch VLAN         Sec Level   IP Address
Gi0/2       Physical   inside    3                   100         7.7.3.10/24
Gi0/0       Physical   outside   55 (diagram = 33)   0           7.7.55.10/24

Context c1 routing configuration details:

Interface   Network      Next Hop
inside      0.0.0.0/0    7.7.3.2
outside     7.7.0.0/16   7.7.55.3
inside      7.7.4.0/24   7.7.3.2
Context c2 initialization details:

Interface   Type       Nameif    Switch VLAN   Sec Level   IP Address
Gi0/3       Physical   inside    8             100         7.7.8.10/24
Gi0/1      Physical   outside   5             0           7.7.5.10/24

Context c2 routing configuration details:

Interface   Network       Next Hop
outside     7.7.0.0/16    7.7.5.3
outside     0.0.0.0/0     7.7.5.3
inside      7.7.11.0/24   7.7.8.3

1.3 Configure Active-Active Failover between ASA1 and ASA2 (2 points)

- Configure LAN-based multi-context active/active failover on ASA1 and ASA2.
- Context c1 is the active context on ASA2; context c2 is the active context on ASA1.
- Use GigabitEthernet0/4 in VLAN 100 on SW2 for the failover LAN and name it fover.
- Use IP address 7.7.100.100/24 for active and 7.7.100.101/24 for standby.
- Enable stateful failover using the fover interface GigabitEthernet0/4.
- Configure standby IP addresses as shown in the output below.
- Use all other parameters according to the output given below to achieve this task.
- Your output must match all parameters highlighted below:
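Added example, not the workbook's answer key: one active/active layout that satisfies the bullets above. Which unit owns a context is decided by the failover group it joins, so c2 goes into the group that prefers the primary (ASA1) and c1 into the group that prefers the secondary (ASA2). The SW2 port numbers and the per-context standby addresses are assumptions; the page does not reproduce the expected output.

```cisco
! ---- ASA1 (primary), system execution space ----
failover lan unit primary
failover lan interface fover GigabitEthernet0/4
failover link fover GigabitEthernet0/4
failover interface ip fover 7.7.100.100 255.255.255.0 standby 7.7.100.101
!
! Group 1 prefers the primary unit (ASA1), group 2 the secondary (ASA2).
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
! c2 must be active on ASA1 -> group 1; c1 active on ASA2 -> group 2
context c1
 join-failover-group 2
context c2
 join-failover-group 1
failover
!
! ---- ASA2 (secondary), system execution space ----
! ASA2 only needs "mode multiple" done beforehand; contexts, config URLs
! and interface settings replicate from ASA1 once the pair forms.
failover lan unit secondary
failover lan interface fover GigabitEthernet0/4
failover link fover GigabitEthernet0/4
failover interface ip fover 7.7.100.100 255.255.255.0 standby 7.7.100.101
failover
!
! ---- SW2: both units' Gi0/4 in VLAN 100 (port numbers assumed) ----
vlan 100
 name FOVER
interface range GigabitEthernet1/0/23 - 24
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! ---- standby addresses inside each context (values assumed) ----
changeto context c1
interface GigabitEthernet0/2
 ip address 7.7.3.10 255.255.255.0 standby 7.7.3.11
interface GigabitEthernet0/0
 ip address 7.7.55.10 255.255.255.0 standby 7.7.55.11
changeto context c2
interface GigabitEthernet0/3
 ip address 7.7.8.10 255.255.255.0 standby 7.7.8.11
interface GigabitEthernet0/1
 ip address 7.7.5.10 255.255.255.0 standby 7.7.5.11
```

show failover in the system space should list group 1 as Active on the primary and group 2 as Active on the secondary, with the stateful link on fover. Gi0/4 must stay unallocated to any context, and without preempt a group that fails over stays on the other unit until it is moved back by hand.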

1.4 Initialize and Configure ASA4 (2 points)

Configure ASA4 as a single-mode firewall to be deployed between SW3 and SW6.
You are required to complete the tasks outlined below.
1) Initialize ASA4 using the following parameters:

Interface   Nameif    Switch VLAN   Sec Level   IP Address
Gi0/2       inside    99            100         7.7.99.10/24
Gi0/0       outside   14            0           7.7.14.10/24
Gi0/1       backup    15            0           7.7.15.10/24

Enable OSPF on the inside interface and the outside interface.
Ensure that networks 10.10.110.0 and 10.10.120.0 are added to the routing table on ASA4 but
are not propagated into area 0. Verify by checking the routing table on R3.
Verify your solution by pinging from ASA4 as follows:
ASA4# ping 7.7.99.1
ASA4# ping 7.7.14.1
ASA4# ping 7.7.15.1

2) Configure Route Tracking

If traffic destined for network 150.1.7.0/24 via the outside interface DOES NOT have
reachability to 7.7.6.6, then the traffic should be diverted using the backup interface. Use
the outside and backup next-hop addresses 7.7.14.1 and 7.7.15.1 respectively.
Re-route the traffic out the backup interface within 2 seconds.
You are allowed to modify any switch parameters as appropriate to achieve this task.
Ensure that the following tests are successful:

On R6, shut down interface Gig0/1.2 and verify that the route to the server now points out
the backup interface on ASA4.

Bring Gig0/1.2 up and verify that the route is restored via the outside interface.
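The two parts of task 1.4 as one added example (not the workbook's solution). The OSPF process ID and the next hop for the two 10.10.x.0 networks are assumptions; the point of the static routes is that they sit in ASA4's table without being redistributed.

```cisco
! ---- interfaces ----
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 7.7.99.10 255.255.255.0
 no shutdown
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 7.7.14.10 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 7.7.15.10 255.255.255.0
 no shutdown
!
! ---- OSPF on inside and outside only (process ID assumed) ----
router ospf 1
 network 7.7.99.0 255.255.255.0 area 0
 network 7.7.14.0 255.255.255.0 area 0
!
! 10.10.110.0/24 and 10.10.120.0/24 as statics (next hop assumed to be the
! inside gateway).  They show up in "show route" on ASA4, but with no
! "redistribute static" under router ospf they never enter area 0, which
! is what "show ip route" on R3 should confirm.
route inside 10.10.110.0 255.255.255.0 7.7.99.1
route inside 10.10.120.0 255.255.255.0 7.7.99.1
!
! ---- route tracking ----
! Probe 7.7.6.6 through outside once a second.  timeout and threshold are
! milliseconds and must fit inside the frequency; with one probe per
! second the track flips well inside the task's 2-second budget.
sla monitor 10
 type echo protocol ipIcmpEcho 7.7.6.6 interface outside
 frequency 1
 timeout 500
 threshold 250
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! The outside route stays installed only while track 1 is up; the backup
! route's higher administrative distance keeps it out of the table until
! the tracked route is withdrawn.
route outside 150.1.7.0 255.255.255.0 7.7.14.1 1 track 1
route backup 150.1.7.0 255.255.255.0 7.7.15.1 254
```

Watch it with show track 1, show sla monitor operational-state 10 and show route | include 150.1.7.0 while R6's Gig0/1.2 is shut. One trap: if 150.1.7.0/24 is also learned by OSPF on outside, the OSPF route (AD 110) beats the backup static (AD 254) once the tracked route disappears, in which case the backup needs an AD below 110.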

1.5 Configure NAT (2 points)

Configure network address translation (NAT) on ASA4 using the information given below.
NAT control is required.
Configure address translation for traffic from host 7.7.7.2 such that traffic leaving either the
backup or the outside interface is mapped to the interface address.
Ensure that traffic sourced from the 7.7.0.0/16 network and destined to 7.7.0.0/16 or
150.1.0.0/16 is not translated, but is still able to transit ASA4.
Verify your solution using the packet-tracer command:
ASA4(config)# packet-tracer input inside icmp 7.7.7.2 0 8 7.7.15.1


ASA4(config)# packet-tracer input inside icmp 7.7.99.1 0 8 7.7.15.1


Configure network address translation (NAT) on ASA3 using the information given below.
Configure NAT so that the HTTP and Telnet services running on SW1 via 20.20.20.1/24 are
statically port-mapped to 7.7.3.20 on the outside and 7.7.8.20 on the dmz.
Verify your solution using the packet-tracer command:
ASA3(config)# packet-tracer input dmz tcp 7.7.8.3 1234 7.7.8.20 23

ASA3(config)# packet-tracer input outside tcp 7.7.3.2 1234 7.7.3.20 80
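Both NAT tasks in 1.5 as one added example (not the workbook's answer). The page implies two different ASA releases: nat-control exists only before 8.3, so ASA4 is written in pre-8.3 syntax, while ASA3 has to run 8.4 or later to terminate the IKEv2 tunnel of task 3.1, so its static PAT uses object NAT. Object and ACL names and the next hop for 20.20.20.0/24 are assumptions.

```cisco
! ===== ASA4 (pre-8.3 syntax; nat-control is not available on 8.3+) =====
nat-control
!
! Dynamic PAT for 7.7.7.2 onto the address of whichever interface the
! packet leaves: one nat statement, one global per egress interface.
nat (inside) 1 7.7.7.2 255.255.255.255
global (outside) 1 interface
global (backup) 1 interface
!
! NAT exemption for 7.7.0.0/16 -> 7.7.0.0/16 and 7.7.0.0/16 -> 150.1.0.0/16.
! Exemption is evaluated before dynamic NAT, and 7.7.7.2 lies inside that
! /16, so it is carved out with a deny line (nat 0 access-list honours deny
! ACEs, policy NAT does not); otherwise the first packet-tracer test would
! show no translation for 7.7.7.2.
access-list NONAT extended deny ip host 7.7.7.2 any
access-list NONAT extended permit ip 7.7.0.0 255.255.0.0 7.7.0.0 255.255.0.0
access-list NONAT extended permit ip 7.7.0.0 255.255.0.0 150.1.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! ===== ASA3 (8.4 object NAT): static PAT of SW1's loopback services =====
object network SW1-WWW-OUT
 host 20.20.20.1
 nat (inside,outside) static 7.7.3.20 service tcp www www
object network SW1-TELNET-OUT
 host 20.20.20.1
 nat (inside,outside) static 7.7.3.20 service tcp telnet telnet
object network SW1-WWW-DMZ
 host 20.20.20.1
 nat (inside,dmz) static 7.7.8.20 service tcp www www
object network SW1-TELNET-DMZ
 host 20.20.20.1
 nat (inside,dmz) static 7.7.8.20 service tcp telnet telnet
!
! ASA3 needs a route to SW1's loopback (next hop assumed to be the inside
! gateway), and the lower-security interfaces must admit the sessions.
! On 8.3+ the interface ACL references the REAL address (20.20.20.1), not
! the mapped one.  ACL names are assumptions; if an inbound ACL already
! exists on these interfaces, add the lines to it instead.
route inside 20.20.20.0 255.255.255.0 7.7.4.1
access-list OUTSIDE_IN extended permit tcp any host 20.20.20.1 eq www
access-list OUTSIDE_IN extended permit tcp any host 20.20.20.1 eq telnet
access-group OUTSIDE_IN in interface outside
access-list DMZ_IN extended permit tcp any host 20.20.20.1 eq www
access-list DMZ_IN extended permit tcp any host 20.20.20.1 eq telnet
access-group DMZ_IN in interface dmz
```

In the ASA3 packet-tracer runs the UN-NAT phase should rewrite 7.7.8.20:23 and 7.7.3.20:80 to 20.20.20.1, followed by an ACCESS-LIST phase that hits the permit and a route lookup out inside; show nat detail shows the hit counts per object. On ASA4, show xlate after the first test shows 7.7.7.2 PATed to 7.7.15.10, and the second test (7.7.99.1 to 7.7.15.1) ends in the NAT-EXEMPT phase with no translation.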

1.6 Configure Zone-Based Firewall (Class-Based Access List) (5 points)

R4 and R5 should be configured for zone-based firewall with their outside interface being on
the 7.7.2.0/24 subnet. Allow the following protocols:

Protocol      Action
OSPF (IPv4)   Allow
OSPFv3        Allow
AH            Allow
ESP           Allow
Telnet        Allow
ICMP          Allow

Deny and log in class-default for all other protocols.
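One way to build the policy for R4 and R5, added here as an example rather than the workbook's solution. Interface names are assumptions. OSPF, OSPFv3, AH and ESP are not TCP, UDP or ICMP, so they cannot be stateful-inspected; they are matched by ACL and passed. Those same protocols also terminate on the router itself, and zone-based firewall only starts filtering router-originated and router-destined traffic once a zone pair involving the self zone exists, so the self zone gets the same policy in both directions.

```cisco
! Applied identically on R4 and R5.
!
! Protocols that can only be passed, not inspected (IPv4 and IPv6 lists)
ip access-list extended ZBF-PASS
 permit ospf any any
 permit ahp any any
 permit esp any any
ipv6 access-list ZBF6-PASS
 permit 89 any any
 permit ahp any any
 permit esp any any
!
class-map type inspect match-any ZBF-INSPECT
 match protocol telnet
 match protocol icmp
class-map type inspect match-any ZBF-PASS
 match access-group name ZBF-PASS
 match access-group name ZBF6-PASS
!
policy-map type inspect ZBF-POLICY
 class type inspect ZBF-INSPECT
  inspect
 class type inspect ZBF-PASS
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 description 7.7.2.0/24 side (interface name assumed)
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 description LAN side (interface name assumed)
 zone-member security INSIDE
!
! Transit traffic both ways, plus traffic to and from the router itself.
! "pass" is stateless, so it has to appear in both directions.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect ZBF-POLICY
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect ZBF-POLICY
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect ZBF-POLICY
zone-pair security SELF-OUT source self destination OUTSIDE
 service-policy type inspect ZBF-POLICY
```

show policy-map type inspect zone-pair OUT-SELF shows OSPF hellos counted under the pass class and anything else under class-default with a log line per drop. Two things to keep in mind before leaving the section: the class-default drop on the self-zone pairs also catches management sessions that reach the router through OUTSIDE, and if the GET VPN registration of task 3.2 (ISAKMP UDP/500 and GDOI UDP/848 from R4 and R5 to the key server) leaves through OUTSIDE, it will be dropped too unless those ports are added or the self-zone pairs are left out.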


Troubleshoot the following tasks.
Note: There are 4 breaks in this question caused either by misconfiguration, missing configuration or both.
1) OSPF is configured between SW3, R4 and R5; however, the OSPF neighborship is not being
established between them. Troubleshoot the issue so the neighborship is established.
Verify your solution using:


2) OSPFv3 is configured between R4 and R5; however, the OSPF neighborship is not being
established between them. Troubleshoot the issue so the neighborship is established.
Verify your solution using:

3) SW3 cannot ping R4. Troubleshoot the issue.
Verify your solution using:

1.7 Troubleshoot NTP (5 points)

R1 is configured for NTP with SW1; however, R1 is not able to synchronize its time with SW1.
Note: There are 2 breaks in this question caused either by misconfiguration, missing configuration or both.
Verify your solution using:


SECTION II. IPS and Content Security


2.1 Initialize the Cisco IPS Sensor Appliance (3 points)

Initialize the Cisco IPS Sensor appliance as follows:

Parameter           Setting
Hostname            RackYYIPS, where YY is your two-digit rack number (for example
                    Rack01IPS for Rack 01, Rack40IPS for Rack 40)
Management          Configure the command-and-control Management0/0 interface in VLAN 4
Sensor IP Address   7.7.4.100/24
Default Gateway     7.7.4.1
Sensor ACL          7.7.0.0/16, 150.100.1.0/24, 151.SS.1.0/24, 150.1.7.0/24
Telnet              Enable Telnet management

The username/password for the IPS console is cisco / 123cisco123. DO NOT CHANGE THEM.
Use the console to initialize the Cisco IPS sensor appliance using the details in this table.
Ensure that the Management0/0 interface is up and functioning (refer to the Lab Topology
diagram). You can modify the Cisco Catalyst switch configuration if required.
Ensure that the Cisco IPS sensor is able to ping the default gateway and the Test-PC:
IPS# ping 7.7.4.1
IPS# ping 150.1.7.100
Ensure that the following ping and Telnet connection are successful from SW1:
SW1# ping 7.7.4.100
SW1# telnet 7.7.4.100

2.2 Deploy the Cisco IPS Sensor Using an Inline Interface Pair (8 points)

Configure the Cisco IPS sensor appliance for the inline interface pair as shown in the Lab Topology.
Use the information in the table below to complete the task:

Parameter        Name   Settings   VLANs   Virtual Sensor Name
Interface pair   C1     G0/2       55      VS2
                        G0/3       33

You are allowed to modify the switch parameters as appropriate to achieve this task.
Refer to the lab diagram for the required information.
You may access the IPS management GUI (IME) either from your Test-PC or your local Candidate
PC to help with the task. The IME password is Cisc0123. You are allowed to adjust any firewall
and/or routing configuration to ensure that this works.
After configuring the interface pairing, SW1 is not able to reach R6. Troubleshoot the faults so SW1
is able to reach R6.
Note: There are 2 breaks in this question caused either by misconfiguration, missing configuration or both.
For testing, ensure that these pings are successful from R6:

2.3 Configure the Cisco IPS Sensor for Promiscuous Mode (2 points)
Configure the Cisco IPS in promiscuous mode on Gig0/0.

Promiscuous Port   Virtual Sensor   Signature Definition
Gi0/0              vs0              sig0

IPS# show config
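Tasks 2.1, 2.2 and 2.3 together, as an added example of the IPS 7.x CLI rather than the workbook's answer key. Rack 01 is used for the hostname; the site-ID entry is left for the candidate; switch name and port numbers are assumptions.

```cisco
! ---- 2.1: host settings ----
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# host-ip 7.7.4.100/24,7.7.4.1
sensor(config-hos-net)# host-name Rack01IPS
sensor(config-hos-net)# telnet-option enabled
sensor(config-hos-net)# access-list 7.7.0.0/16
sensor(config-hos-net)# access-list 150.100.1.0/24
sensor(config-hos-net)# access-list 150.1.7.0/24
! (add access-list 151.SS.1.0/24 with SS replaced by your site ID)
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]: yes
!
! ---- 2.2 / 2.3: enable the ports and build the inline pair ----
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# physical-interfaces GigabitEthernet0/2
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# physical-interfaces GigabitEthernet0/3
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# inline-interfaces C1
sensor(config-int-inl)# interface1 GigabitEthernet0/2
sensor(config-int-inl)# interface2 GigabitEthernet0/3
sensor(config-int-inl)# exit
sensor(config-int)# exit
Apply Changes?[yes]: yes
!
! ---- virtual sensors: vs0 owns the promiscuous port, vs2 the pair ----
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/0
sensor(config-ana-vir)# exit
sensor(config-ana)# virtual-sensor vs2
sensor(config-ana-vir)# logical-interface C1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes
!
! ---- switch side (switch and ports assumed) ----
! Management0/0 and the two inline ports are plain access ports; the
! sensor bridges VLAN 55 and VLAN 33 at layer 2.
SW1(config)# interface FastEthernet0/10
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 4
SW1(config-if)# interface FastEthernet0/11
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 55
SW1(config-if)# spanning-tree bpdufilter enable
SW1(config-if)# interface FastEthernet0/12
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 33
SW1(config-if)# spanning-tree bpdufilter enable
```

show interfaces on the sensor should list C1 up with both members, and show statistics virtual-sensor should show packets on vs2 once SW1 talks to R6. Without the BPDU filter the switch sees VLAN 55 BPDUs coming back in on the VLAN 33 port through the bridge, flags a PVID mismatch and blocks one side, which is one of the classic reasons SW1 stops reaching R6 after the pair goes in. A freshly created virtual sensor picks up sig0, rules0 and ad0 by default; task 2.4 wants vs2 on its own signature definition, which would be created with service signature-definition and attached under virtual-sensor vs2 with signature-definition <name> (name not given on the page).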

2.4 Implement Custom Signatures on the Cisco IPS Sensor (3 points)

A custom signature 62000 is required on the Cisco IPS sensor as follows:

Trigger                Whenever a TACACS+ packet is initiated from any device using a source
                       address in the 192.168.0.0 - 192.168.255.255 range
Action                 Verbose alert
Alert severity         High
Signature definition   2
Virtual sensor         vs2

To verify your solution, issue the following command on R6:

2.5 Initialize the Cisco WSA and Enable WCCP Support (6 points)

The Cisco WSA has been initialized with IP address 7.7.4.150 and connected via SW1 in VLAN 4.
Using the Test-PC or Candidate PC, connect to the WSA and configure it as follows.
Connection information: http://7.7.4.150:8080/ Username=admin Password=ironport
Initialize the Cisco WSA appliance as follows using the System Setup Wizard:

Parameter               Setting
Hostname                Wsa.cisco.com
Interface               M1 to be used for data and management
IP Address              7.7.4.150/24
Default Gateway         7.7.4.1
System Information      Admin: ironport, foobar@cisco.com, time: US/America/LA
NTP Server              7.7.4.1
DNS                     150.1.7.10
L4 Traffic Monitoring   Duplex: T1 (in/out)

Accept all other defaults.

From SW1, verify that you can ping the M1 interface of the WSA:
SW1# ping 7.7.4.150
Configure WCCP redirect from SW1 to the WSA for all HTTP and HTTPS traffic initiated from VLAN 150.
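The WCCP half of task 2.5 as an added example (not the workbook's solution). The standard web-cache service (ID 0) only covers TCP/80, so a dynamic service carrying both 80 and 443 is defined on the WSA and referenced on SW1; the service ID, the VLAN 150 subnet and the WSA field labels are assumptions.

```cisco
! ---- SW1 (Catalyst 3560/3750) ----
! Optional scope: only VLAN 150's subnet (assumed) gets redirected.
ip access-list standard WCCP-CLIENTS
 permit 7.7.150.0 0.0.0.255
!
! Dynamic service 90 (assumed ID; must match the WSA definition).
ip wccp 90 redirect-list WCCP-CLIENTS
!
! Redirect on INGRESS of the client VLAN.  These switches do WCCP in
! hardware with Layer-2 forwarding only (no GRE) and support only
! "redirect in", so the client VLAN's SVI is the place, not the uplink.
interface Vlan150
 ip wccp 90 redirect in
!
! ---- WSA (GUI: Network > Transparent Redirection > Add Service) ----
!   Service name          : WCCP90
!   Service ID            : 90 (dynamic)
!   Port numbers          : 80,443
!   Router IP address     : 7.7.4.1
!   Forwarding / return   : L2
!   Load-balancing method : mask
!
! ---- verify ----
! SW1# show ip wccp 90 detail   <- the WSA appears as a usable web cache
! SW1# show ip wccp 90          <- "Router Identifier" must be one of
!                                  SW1's addresses, not "undetermined"
```

From the Test-PC in VLAN 150, a browser request should now show up in the WSA access log and the "Packets Redirected" counter of show ip wccp 90 should climb; if the router identifier stays undetermined after the service is defined, reboot the WSA as the note below says.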

You may have to reboot the WSA after configuring WCCP if show ip wccp shows
"Router identifier undetermined".
Use the following to verify your solution from the Test-PC:


SECTION III. Secure Access


3.1 Troubleshooting Site-to-Site IPsec VPN Using IKEv2 (6 points)

An IPsec VPN has been partially configured between ASA3 and R6 using IKEv2.
Complete the configuration and troubleshoot the connection to ensure that IPv4 traffic
between SW1 interface Lo0 (20.20.20.1) and R6 interface Lo0 (192.168.6.1) is protected by the VPN.
Use the following output to verify your solution:
R6#show crypto session
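A complete IKEv2 pair for task 3.1, added as an example of what the finished configuration looks like on both ends; it is not the workbook's partial configuration, and R6's peer address (taken as 7.7.6.6, the host probed in task 1.4), the pre-shared key, the cipher suite and all object, map and profile names are assumptions. IKEv2 needs ASA 8.4 or later, which also fixes the NAT syntax used here.

```cisco
! ===== ASA3 (8.4) =====
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
access-list VPN-TO-R6 extended permit ip 20.20.20.0 255.255.255.0 host 192.168.6.1
!
crypto map OUTSIDE-MAP 10 match address VPN-TO-R6
crypto map OUTSIDE-MAP 10 set peer 7.7.6.6
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 7.7.6.6 type ipsec-l2l
tunnel-group 7.7.6.6 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco123
!
! Route to SW1's loopback (next hop assumed) and an identity (twice) NAT
! rule so the protected pair is never translated before encryption.
route inside 20.20.20.0 255.255.255.0 7.7.4.1
object network SW1-LO0
 subnet 20.20.20.0 255.255.255.0
object network R6-LO0
 host 192.168.6.1
nat (inside,outside) source static SW1-LO0 SW1-LO0 destination static R6-LO0 R6-LO0
!
! ===== R6 (IOS 15.x) =====
crypto ikev2 proposal AES256-SHA-G14
 encryption aes-cbc-256
 integrity sha1
 group 14
crypto ikev2 policy IKEV2-POL
 proposal AES256-SHA-G14
crypto ikev2 keyring ASA3-KEYS
 peer ASA3
  address 7.7.3.8
  pre-shared-key cisco123
crypto ikev2 profile ASA3-PROF
 match identity remote address 7.7.3.8 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ASA3-KEYS
!
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
ip access-list extended VPN-TO-SW1
 permit ip host 192.168.6.1 20.20.20.0 0.0.0.255
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 7.7.3.8
 set transform-set AES256-SHA
 set ikev2-profile ASA3-PROF
 match address VPN-TO-SW1
interface GigabitEthernet0/0
 description toward ASA3 (interface name assumed)
 crypto map OUTSIDE-MAP
```

With both sides in place, a ping from SW1 sourced from Lo0 to 192.168.6.1 brings the session up; show crypto session on R6 then reports the peer 7.7.3.8 as UP-ACTIVE with an IKEv2 SA and one IPsec flow, and show crypto ikev2 sa on ASA3 shows the same. Two places to look when it does not: the mirrored proxy ACLs (each side's ACL must be the exact reverse of the other's), and sysopt connection permit-vpn, which is on by default and lets decrypted traffic bypass the outside ACL; if it has been turned off, the inbound ACL on outside has to permit 192.168.6.1 to 20.20.20.0/24.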

3.2 Troubleshoot and Configure GET VPN (6 points)
In this question R2 has been partially configured as the key server (KS), and R1, R4 and R5 are the group
members (GMs) that participate in a VRF-aware GET VPN deployment.
Complete the configuration of the spokes and troubleshoot the solution, using the following
outputs to verify your solution (the highlighted sections are particularly important).

Verify using the following commands:

R2#show crypto gdoi ks members
Group Member ID : 7.7.11.17
Group ID        : 135
Group Name      : GET-GROUP1
Key Server ID   : 7.7.4.2
Group Member ID : 7.7.11.18
Group ID        : 135
Group Name      : GET-GROUP1
Key Server ID   : 7.7.4.2
Group Member ID : 7.7.11.19
Group ID        : 135
Group Name      : GET-GROUP1
Key Server ID   : 7.7.4.2
Group Member ID : 7.7.11.33
Group ID        : 246
Group Name      : GET-GROUP2
Key Server ID   : 7.7.4.2
Group Member ID : 7.7.11.34
Group ID        : 246
Group Name      : GET-GROUP2
Key Server ID   : 7.7.4.2
Group Member ID : 7.7.11.35
Group ID        : 246
Group Name      : GET-GROUP2
Key Server ID   : 7.7.4.2

R4#show crypto gdoi
GROUP INFORMATION
    KEK POLICY
        Rekey Transport Type   : Unicast
        Lifetime (secs)        : xxx
        Encrypt Algorithm      : AES
        Key Size               : 256
        Sig Hash Algorithm     : HMAC_AUTH_SHA
        Sig Key Length (bits)  : 2048

R2#show crypto gdoi
Group Name                          : GET-GROUP1 (Unicast)
Group Identity                      : 135
Group Members                       : 3
IPSec SA Direction                  : Both
Group Rekey Lifetime                : 300 secs
Group Rekey Remaining Lifetime      : XX secs
Rekey Retransmit Period             : 10 secs
Rekey Retransmit Attempts           : 3
Group Retransmit Remaining Lifetime : 0 secs
    IPSec SA Number                 : 1
    IPSec SA Rekey Lifetime         : 600 secs
    Profile Name                    : Profile1
    Replay method                   : Count Based
    Replay Window Size              : 64
    SA Rekey Remaining Lifetime     : xxx secs
    ACL Configured                  : access-list VPNA
Group Server list                   : Local

Group Name                          : GET-GROUP2 (Unicast)
Group Identity                      : 246
Group Members                       : 3
IPSec SA Direction                  : Both
Group Rekey Lifetime                : 500 secs
Group Rekey Remaining Lifetime      : XX secs
Rekey Retransmit Period             : 10 secs
Rekey Retransmit Attempts           : 3
Group Retransmit Remaining Lifetime : 0 secs
    IPSec SA Number                 : 1
    IPSec SA Rekey Lifetime         : 600 secs
    Profile Name                    : Profile2
    Replay method                   : Count Based
    Replay Window Size              : 64
    SA Rekey Remaining Lifetime     : xxx secs
    ACL Configured                  : access-list VPNB
Group Server list                   : Local
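The group-member side of task 3.2 on one spoke, added as an example and not the workbook's answer. The group names, group IDs and key-server address come from the expected output above; everything else (interface names, VLAN tags, VRF names, which address of each /28 belongs to R4, and the ISAKMP key) is an assumption. R1 and R5 differ only in their addresses.

```cisco
! R4 as a group member of both groups, one per VRF.
!
! IKE phase 1 toward the key server.  Registration is sourced from a VRF
! interface, so the pre-shared key is held in a keyring bound to that
! FVRF; a plain "crypto isakmp key" would only serve the global table.
crypto keyring KR-A vrf VRF-A
 pre-shared-key address 7.7.4.2 key cisco123
crypto keyring KR-B vrf VRF-B
 pre-shared-key address 7.7.4.2 key cisco123
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! One GDOI group per VRF.  "client registration interface" selects the
! address that appears as the Group Member ID in the KS output.
crypto gdoi group GET-GROUP1
 identity number 135
 server address ipv4 7.7.4.2
 client registration interface GigabitEthernet0/1.16
crypto gdoi group GET-GROUP2
 identity number 246
 server address ipv4 7.7.4.2
 client registration interface GigabitEthernet0/1.32
!
! GDOI crypto maps carry no peer or transform set of their own; the
! policy (ACL VPNA / VPNB, SAs, rekeys) is downloaded from the KS.
crypto map GETVPN-A 10 gdoi
 set group GET-GROUP1
crypto map GETVPN-B 10 gdoi
 set group GET-GROUP2
!
! VRF membership must be set before the address, or the address is lost.
interface GigabitEthernet0/1.16
 encapsulation dot1Q 16
 ip vrf forwarding VRF-A
 ip address 7.7.11.18 255.255.255.240
 crypto map GETVPN-A
interface GigabitEthernet0/1.32
 encapsulation dot1Q 32
 ip vrf forwarding VRF-B
 ip address 7.7.11.34 255.255.255.240
 crypto map GETVPN-B
```

After the maps are applied, show crypto gdoi on the GM should show both groups registered with the KEK policy from the expected output (unicast rekey, AES-256, 2048-bit signature key), show crypto gdoi gm acl lists the ACLs the KS pushed, and on R2 show crypto gdoi ks members grows to three members per group. If a member never appears, check from the GM that 7.7.4.2 is reachable inside the VRF (ping vrf VRF-A 7.7.4.2) and that UDP/500 and UDP/848 are not being filtered on the path, including by the zone-based firewall on R4 and R5 from task 1.6.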

3.3 Configure Cisco WLC (4 points)

The Cisco WLC 2504 has been bootstrapped with the following settings.
Complete a basic wireless configuration that is enabled for two groups of users (admin and guest).

Parameter                   Admin         Guest
VLAN Name                   admin         guest
SSID                        admin         guest
Dynamic-Interface Name      dyint1        dyint2
Dynamic-Interface Address   10.10.110.2   10.10.120.2
Subnet                      /24           /24
Gateway                     10.10.110.1   10.10.120.1
Local Username/Password     (none)        Guest / cisco

Note that the expected output below shows the dynamic interface names as dynint1 and dynint2.

NOTE: To complete this question you may use the CLI or GUI, whichever is accessible.
Match the following OUTPUT:

(Cisco Controller) > show wlan 11


WLAN Identifier.................................. 11
Profile Name..................................... Admin
Network Name (SSID).............................. admin
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled

Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 1
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ dynint1
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled

Wi-Fi Protected Access (WPA/WPA2)............. Enabled


WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Disabled
FT(802.11r)............................. Disabled
FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address
Status
------- --------------------

(Cisco Controller) >show wlan 12


WLAN Identifier.................................. 12

Profile Name..................................... Guest


Network Name (SSID).............................. guest
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ dynint2
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers

Authentication................................ Global Servers


Accounting.................................... Global Servers
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Enabled
ACL............................................. Unconfigured
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address
Status
------- --------------------


SECTION IV. System Hardening and Availability

4.1 Enable OSPFv2 Authentication (4 points)

Enable MD5 authentication for OSPF in area 1. Use the key cisco123.
Match the following OUTPUT:

4.2 Configure Remote Switched Port Analyzer (RSPAN) (5 points)

The Cisco IPS sensor appliance should be configured in promiscuous mode on interface Gi0/0.
A 10 Gigabit interface (1/1/1) is configured as a trunk between SW5 and SW6.
Monitor transmit traffic from SW6 Gi1/0/1-2 and Gi1/0/5 as it enters SW5 via Gi1/1/1.
You are allowed to modify the switch parameters as appropriate to achieve this task.
Refer to the Lab Topology diagram for the requested information.
Ensure that the sensor is seeing the traffic successfully.
Match the Following OUTPUT:

For testing, the following command shows the traffic being monitored by this sensor:
IPS# packet display gigabitethernet0/0
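An added configuration sketch for this RSPAN task (an illustration, not the workbook's solution). It assumes RSPAN VLAN 900 and that the sensor's Gi0/0 hangs off SW5 Gi1/0/10; both values are placeholders the question does not give.

```cisco
! Added illustration, not the workbook's answer key.
! Placeholders the task does not give: RSPAN VLAN 900 and SW5 port Gi1/0/10 facing the IPS Gi0/0.
! The trunk is named Gi1/1/1 as in the task text.

! --- On both SW5 and SW6: the RSPAN VLAN must exist on every switch in the path
! (create it on the VTP server or on each transparent switch) and be carried by the trunk.
vlan 900
 name RSPAN_TO_IPS
 remote-span
interface GigabitEthernet1/1/1
 switchport trunk allowed vlan add 900

! --- SW6: source session. "tx" copies only what SW6 transmits out of the three ports,
! which is what the task asks for; "both" would also include ingress frames.
monitor session 1 source interface Gi1/0/1 - 2 , Gi1/0/5 tx
monitor session 1 destination remote vlan 900

! --- SW5: destination session handing the RSPAN VLAN to the sensor port. A SPAN
! destination forwards no normal traffic and emits nothing back to the sensor, which
! fits a promiscuous (passive) IPS deployment.
monitor session 1 source remote vlan 900
monitor session 1 destination interface Gi1/0/10

! Checks: "show monitor session 1" on each switch; on the sensor, the task's
! "packet display gigabitethernet0/0" should show the copied frames. If nothing arrives,
! confirm with "show interfaces trunk" that VLAN 900 is allowed and forwarding on Gi1/1/1.
```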
4.3

Transit Traffic filtering

points 5

Allow only web traffic from the SW3 loopback (63.63.63.0/24) to R3 (36.36.36.1), which is a
web server. Make sure all other traffic is dropped. Use the access-list Transit_ACL that is already
preconfigured on R3. Ensure that packets matching Transit_ACL are logged.
Match the Following OUTPUT:

SECTION V. Threat Identification and Mitigation


5.1

Secure DHCP Environment

points 4

Implement a solution on SW3 that restricts IP traffic on the untrusted ports Fa0/2 and Fa0/3 to the addresses
of R4 and R5 respectively. Do not use DHCP snooping.
Verification:
SW3# show ip source binding aaaa.bbbb.cccc (active is highlighted)
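An added IP Source Guard sketch for this task (an illustration, not the workbook's solution). The access VLAN (34), the R4/R5 MAC addresses and their IP addresses below are placeholders; the lab topology supplies the real ones.

```cisco
! Added illustration, not the workbook's answer key. Placeholders (not given in the task):
! access VLAN 34, R4 = 0000.0000.0004 / 10.0.34.4 on Fa0/2, R5 = 0000.0000.0005 / 10.0.34.5 on Fa0/3.
! IP Source Guard normally consumes the DHCP snooping binding table; here the bindings are
! entered statically instead, so snooping stays off as the task requires.
ip source binding 0000.0000.0004 vlan 34 10.0.34.4 interface FastEthernet0/2
ip source binding 0000.0000.0005 vlan 34 10.0.34.5 interface FastEthernet0/3
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 34
 ip verify source
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 34
 ip verify source
! "ip verify source" filters on source IP only; "ip verify source port-security" also ties
! the MAC to the binding but requires port security on the interface.
! Checks: "show ip source binding" (static entries), "show ip verify source" (filter mode and
! the permitted address per port). Some platforms need DHCP snooping enabled on the VLAN
! before the filter becomes active; a port shown as inactive in the verify output is that case.
```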

5.2

Configure WLAN Security

points 6

The Cisco WLC should be configured to learn the IP addresses of attackers that have been shunned
by the Cisco IPS appliance. The WLC can then prevent these clients from joining any wireless network.
The following information should be used to complete this task:

   Attribute               Value
   IPS Sensor IP address   7.7.4.100
   Port                    443
   WLC/IPS username        Wlc
   WLC/IPS password        123cisco123
   WLC wps index value     1

Verification:

5.3

Strict Unicast Reverse Path Forwarding

points 4

Ensure strict uRPF is configured for web traffic sourced from the SW3 loopback (63.63.63.1) to the R3
loopback (36.36.36.1), and ensure you log the dropped packets using the preconfigured ACL on R3.
Make sure this does not affect question 4.3.
Match the Following OUTPUT:
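An added R3 example covering 4.3 and 5.3 together (an illustration, not the workbook's solution). It assumes R3's interface towards SW3 is GigabitEthernet0/1, that the preconfigured uRPF logging ACL is named URPF_LOG_ACL, and that "web traffic" means TCP 80 and 443; none of those names are on the page.

```cisco
! Added illustration, not the workbook's answer key.
! Placeholders: interface Gi0/1 (R3 side facing SW3), ACL name URPF_LOG_ACL, and tcp/443
! alongside www; the lab supplies its own preconfigured names.

! 4.3 Transit filtering: only HTTP/HTTPS from the SW3 loopback subnet to the web server.
! Every entry carries "log" so both accepted and dropped packets produce syslog records.
ip access-list extended Transit_ACL
 permit tcp 63.63.63.0 0.0.0.255 host 36.36.36.1 eq www log
 permit tcp 63.63.63.0 0.0.0.255 host 36.36.36.1 eq 443 log
 deny   ip any any log
! Caveat: an inbound deny-all also drops control-plane traffic arriving on this interface
! (routing-protocol hellos, management sessions). The task asks for exactly that; outside
! the lab the required control-plane flows would get explicit permits above the final deny.

! 5.3 Strict uRPF on the same interface (CEF must be enabled). With "rx" the source must be
! reachable through the interface the packet arrived on. A packet that fails the check is then
! evaluated against URPF_LOG_ACL: an ACL permit forwards it anyway, an ACL deny drops it, and
! "log" records the decision. A deny-all logging ACL therefore logs every uRPF drop without
! exempting anything, and legitimate 63.63.63.x traffic never touches this ACL at all.
ip access-list extended URPF_LOG_ACL
 deny ip any any log

interface GigabitEthernet0/1
 description Link towards SW3 (placeholder name)
 ip access-group Transit_ACL in
 ip verify unicast source reachable-via rx URPF_LOG_ACL

! Legitimate web traffic from 63.63.63.0/24 passes uRPF and is filtered only by Transit_ACL,
! so 4.3 behaves exactly as before. Checks: "show ip interface Gi0/1 | include verify",
! "show access-lists" (hit counters), "show ip traffic | include unicast RPF" (drop counter).
```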


SECTION VI. Identity Management


6.1

Configure Support for MAB/802.1X for Voice and Data VLANs

Part A: Authentication and Authorization of Cisco IP Phone with MAB (5 points)


The Cisco IP Phone is connected to the interface g1/0/1 on SW6. It receives an IP address via
DHCP from the 7.7.9.0/24 subnet and registers with CUCME on R6 (via 7.7.20.3).

The requirement is to add security to this connection through authentication and authorization
on SW6 using MAC Authentication Bypass (MAB) to assign the RADIUS attributes required to
move the phone into the voice VLAN.
Use the following information to complete this task:
- Create an Endpoint Identity for the IP Phone in your rack on ISE1 (150.1.7.20).
- Verify that you have an authentication rule for MAB on the Cisco ISE.
- Verify that the standard authorization policy for Cisco IP Phones exists on ISE1 and permits all traffic.
- Configure g1/0/1 on SW6 to support a voice VLAN (9) and a data VLAN (99).
- The voice VLAN will use MAB for authentication.
- The data VLAN will support the Test-PC, which must connect through the phone using 802.1X.
- SW6 must attempt MAB authentication first after learning the MAC address of an endpoint.
- If MAB is not successful, 802.1X endpoints should be allowed to connect.

The following output should be used to verify your solution.

Part B: Authentication and Authorization of 802.1X Client through a Cisco IP Phone (5 points)


The Test-PC must be allowed to connect through the authenticated Cisco IP Phone.
1. SW6 G1/0/1 should have been configured to support a voice and data VLAN in Part A of this
   question.
2. Configure an Authorization Profile and Authorization Policy rule for the Test-PC on ISE1
   using the following information:

   Attribute           Value
   Group Name          Test-PC_Group
   Username/Password   test-PC/Cisc0123
   Access Type         Access_Accept
   Common Tasks
     DACL Name         DATA_VLAN_DACL
     DACL Policy       Permit ip any any
     Vlan              99

6.2

Configure Local Web Authentication With Wired Clients

points 6

You are required to configure support for the Test-PC behind the Cisco IP Phone via Local Web
Auth on SW6 (RADIUS source interface 7.7.99.1 / vlan 99) and ISE1 (150.1.7.20).
This builds on the solution to Q6.1.
The following tasks outline the requirements for this question:

- Create an identity for a guest user on ISE1 that will be used for authentication and then
  mapped to an authorization policy.
- Web Auth should be added to the existing MAB and 802.1X policies from Q6.1 and used
  as the fallback method.
- Configure an Authorization profile and Authorization Policy rule for Web Auth as follows:

   Attribute                           Value
   Name                                WEB_AUTH
   Description                         Policy For Local Web Auth
   Access Type                         Access_Accept
   Common Tasks
     DACL Name                         WEB_AUTH_DACL
     DACL Policy                       Permit icmp any any
                                       permit udp any any eq domain
                                       permit tcp any any eq www
                                       permit tcp any any eq 443
     Vlan                              99
     Web Authentication (Local Web Auth)
   Username                            guest
   Password                            Cisco123
   Pre-Web-Auth ACL (already on sw6)   PRE-WEB-AUTH

Note:
Do not lock yourself out of SW6; take care with the default method.
To verify your solution you must disable 802.1X supplicant functionality on the Test-PC as
shown below:

On SW6 issue the following command:

SW6# clear authentication session

Then from the Test-PC connect to 7.7.15.1 to trigger the web authentication policy.
Enter the guest/Cisco123 credentials you were asked to create on ISE1.
Use the following outputs to help with this verification:
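An added SW6 configuration for the Q6.1/Q6.2 port and AAA setup (an illustration, not the workbook's solution). ISE1, VLANs 9/99, the Vlan99 RADIUS source and the PRE-WEB-AUTH ACL come from the tasks; the RADIUS key cisco123 and the MGMT, LWA and LWA_PROFILE names are assumptions.

```cisco
! Added illustration, not the workbook's answer key. From the tasks: ISE1 150.1.7.20,
! RADIUS source Vlan99 (7.7.99.1), voice VLAN 9, data VLAN 99, pre-auth ACL PRE-WEB-AUTH.
! Assumed: RADIUS shared secret cisco123 and the list/profile names below.
aaa new-model
! Local Web Auth uses the DEFAULT login list, so that list must point at RADIUS. Management
! access therefore gets its own list bound to the lines; otherwise an ISE outage or a
! mistake in the default list locks the administrator out of SW6 (the note above).
aaa authentication login default group radius
aaa authentication login MGMT local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
line con 0
 login authentication MGMT
line vty 0 15
 login authentication MGMT
!
radius-server host 150.1.7.20 auth-port 1812 acct-port 1813 key cisco123
ip radius source-interface Vlan99
radius-server vsa send authentication
radius-server vsa send accounting
!
ip device tracking
ip http server
ip http secure-server
dot1x system-auth-control
!
! Web auth fallback: PRE-WEB-AUTH limits the unauthenticated host (ICMP, DNS, HTTP/HTTPS
! per the table) until ISE pushes WEB_AUTH_DACL after a successful guest login.
ip admission name LWA proxy http
fallback profile LWA_PROFILE
 ip access-group PRE-WEB-AUTH in
 ip admission LWA
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 99
 switchport voice vlan 9
 authentication host-mode multi-auth
 authentication order mab dot1x webauth
 authentication priority mab dot1x webauth
 authentication fallback LWA_PROFILE
 authentication port-control auto
 mab
 dot1x pae authenticator
! Phone: MAB succeeds (ISE endpoint identity). PC with supplicant: MAB fails over to 802.1X.
! PC with supplicant disabled: MAB and 802.1X fail over and webauth takes the session, which
! is the state the verification output shows (mab/dot1x "Failed over", webauth success).
```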


SW6#show authentication session int g1/0/1

            Interface:  GigabitEthernet1/0/1
          MAC Address:  000c.290d.0c22
           IP Address:  7.7.99.9
            User-Name:  000c290d0c22
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  99
              ACS ACL:  xACSACLx-IP-WEB_AUTH_ACL-5043b6tf
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A84242000000AB51DD1DBC
      Acct Session ID:  0x000000EA

Runnable methods list:
       Method   State
       mab      Failed over
       dot1x    Failed over
       webauth  Authc Success

YOUR GATEWAY TO SUCCESS TOWARDS CCIE LAB

ACTIVE CLIENTS WILL GET VERY SPECIAL DISCOUNTS ON OTHER CCIE TRACKS
KINDLY VISIT FOR FURTHER INFORMATION

CCIE SECURITY ----> WWW.CCIESECURITYLABS.COM
CCIE WIRELESS ----> WWW.CCIEWIRELESSLABS.COM
CCIE DATACENTER ----> WWW.CCIEDATACENTERLABS.COM
CCIE VOICE ----> WWW.CCIEVOICELABS.COM
CCIE R&S ----> WWW.CCIERNSLABS.COM

KINDLY CONTACT US AT SALES@CCIESECURITYLABS.COM FOR FURTHER INFORMATION ON OTHER TRACKS

LAUNCHED!!!
CCIE COLLABORATIONS -----> WWW.CCIECOLLABORATIONLABS.COM

Thank You for using cciesecuritylabs workbooks.