Post on 15-Jan-2016
CCIE SECURITY REAL LABS - QUESTION SET, LAB 3.2
www.cciesecuritylabs.com
CCIESECURITYLABS.COM Final Release 03-JUNE-2014
CCIESECURITYLABS.COM CCIESECURITYLABS.COM
Initial Guidelines
1. Read all of the questions in a section before you start the configuration. It is even recommended that you read the entire lab exam before you proceed with any configuration.
2. Exam questions have dependencies on others. Read through the entire workbook to help identify these questions and the best order of configuration. Sections do not have to be completed in the order presented in the workbook.
3. Most questions include verification output that can be used to check your solutions. Highlighted sections in the verification output MUST be matched to ensure correctness.
4. If you need clarification of the meaning of a question, or if you suspect that there may be hardware issues with your equipment, contact the onsite lab proctor as soon as possible.
5. The equipment on the rack assigned to you is physically cabled, so do NOT tamper with it. Before starting the exam, confirm that all devices in your rack are in working order. During the exam, if any device is locked or inaccessible for any reason, you must recover it. When you finish the exam, ensure that all devices are accessible to the grading proctor. A device that is not accessible for grading cannot be marked and may cause you to lose substantial points.
6. Knowledge of implementation and troubleshooting techniques is part of the lab exam.
7. Points are awarded only for working configurations. Towards the end of the exam, you should test the functionality of all sections of the exam.
8. You will be presented with preconfigured routers and switches in your topology. The routers and switches are preconfigured with basic IP addressing, hostname, enable password (cisco), switching, VTP, VLANs, Frame Relay DLCI mapping, IP routing and console port configuration. Do NOT change any of the preconfigurations at any time, unless the change is specified in a question.
9. Throughout the exam, assume these values for variables if required:
- YY is your two-digit rack number. For example, the YY value for Rack 01 is 01 and for Rack 11 is 11.
- SS is your Site ID for the lab exam location. Read the next page for your location.
- BB is the backbone number. For example, the BB value for Backbone 2 is 2. Backbone subnets use the following address convention: 150.BB.YY.0/24. Do NOT change backbone addresses unless you are instructed to do so.
- X is your router number. For example, the value of X for Router 1 is 1, and for Switch 1 and Switch 2 it is 7 and 8 respectively.
- Z is any number.
10. You are allowed to add static and default routes (if required) on any device.
11. In any configuration where additional addressing is indicated in the Lab Topology Diagram, ensure that the additional addressing does not conflict with a network that is already used in your topology. The preconfigured routing protocols are shown in the Lab Routing Diagram.
12. Full access to the VMware ESXi server from your workstation is provided. Use the username admin and the password cisco to log in. You can add, modify or delete any settings on the Cisco Secure ACS, Test-PC and Cisco ISEs as required in the question.
13. All device names, access information and username/password combinations are summarized on the following pages. Do NOT change these settings.
CCIE Security Lab Equipment and Software v4.0
Hardware
• Cisco 3800 Series Integrated Services Routers (ISR)
• Cisco 1800 Series Integrated Services Routers (ISR)
• Cisco 2900 Series Integrated Services Routers (ISR G2)
• Cisco Catalyst 3560-24TS Series Switches
• Cisco Catalyst 3750-X Series Switches
• Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances
• Cisco IPS 4200 Series Intrusion Prevention System sensors
• Cisco S-Series Web Security Appliance
• Cisco ISE 3300 Series Identity Services Engine
• Cisco WLC 2500 Series Wireless LAN Controller
• Cisco Aironet 1200 Series Wireless Access Point
• Cisco IP Phone 7900 Series*
• Cisco Secure Access Control System
Notes: The ASA appliances can be configured using the CLI or ASDM/Cisco Prime tools.
*Device authentication only; provisioning of IP phones is NOT required.
Software Versions
• Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
• Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE
• Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
• Cisco IPS Software Release 7.x
• Cisco VPN Client Software for Windows, Release 5.x
• Cisco Secure ACS System software version 5.3x
• Cisco WLC 2500 Series software 7.2x
• Cisco Aironet 1200 Series AP Cisco IOS Software Release 12.4J(x)
• Cisco WSA S-Series software version 7.1x
• Cisco ISE 3300 Series software version 1.1x
• Cisco NAC Posture Agent v4.X
• Cisco AnyConnect Client v3.0X
Summary of usernames and passwords for all devices
Device        Username   Password
Router        cisco      Cisco
Switches      cisco      Cisco
IPS           cisco      123cisco123
WSA           admin      ironport
WLC           cisco      Cisco123
AP            ciscoAP    CCie123
ESXi Server   admin      Cisco
ISE           admin      Cisco123
ACS           admin      Cisco123
ASA
Test-PC       Test-PC    Cisc0123
Topology 1: Test PC and Vmware ESXI server
Topology 2: Local Candidate PC
Topology 3: Switch Cabling
Topology 4 : layer 2
Topology 5 : LOGICAL
OUR CCIE SECURITY ENGINEERS ARE AVAILABLE ON GOOGLE TALK CHAT to support any questions related to our workbooks at (sales@cciesecuritylabs.com)
YOUR GATEWAY TO SUCCESS TOWARDS CCIE LAB
ACTIVE CLIENTS WILL GET VERY SPECIAL DISCOUNTS ON OTHER CCIE TRACKS
KINDLY VISIT FOR FURTHER INFORMATION
CCIE SECURITY ----> WWW.CCIESECURITYLABS.COM
CCIE WIRELESS ----> WWW.CCIEWIRELESSLABS.COM
CCIE DATACENTER ----> WWW.CCIEDATACENTERLABS.COM
CCIE VOICE ----> WWW.CCIEVOICELABS.COM
CCIE R&S ----> WWW.CCIERNSLABS.COM
KINDLY CONTACT US AT SALES@CCIESECURITYLABS.COM FOR FURTHER INFORMATION ON OTHER TRACKS
Launched !!!
CCIE COLLABORATIONS -----> WWW.CCIECOLLABORATIONLABS.COM
SECTION I – PERIMETER SECURITY
1.1 Configure routing and Basic Access on ASA3 points 2
Complete each task to provide basic connectivity and routing capabilities on ASA3.
1) ASA3 should be in single-context routed mode and configured using the information
in the table below:
Interface  Nameif   Switch VLAN  Sec Level  IP Address
Gi 0/0     outside  3            0          7.7.3.8/24
Gi 0/2     inside   4            100        7.7.4.10/24
Gi 0/3     dmz      8            50         7.7.8.12/24
Use exact names and numbers as shown in the table.
2) Add static routes as follows:
Interface  Network         Next Hop
inside     Default Route   7.7.4.1
dmz        7.7.11.16/28    7.7.8.3
dmz        7.7.11.32/28    7.7.8.3
outside    7.7.0.0/16      7.7.3.2
3) Allow NTP access for the 7.7.0.0/16 network from the outside and dmz interfaces. ASA3 should synchronize its clock via NTP from SW1.
Verification:
ASA3#ping 7.7.3.2
ASA3#ping 7.7.4.1
ASA3#ping 7.7.5.3
1.2 Configure ASA1 in Multi-Context Firewall Mode points 2
Part A: Initialize ASA1
ASA1 must be configured as a multi-context firewall.
Use the following outputs to complete the initial configuration.
Context details
Name    Config URL
c1      c1.cfg
c2      c2.cfg
admin   admin.cfg
You can modify the Catalyst switch configuration to complete this task.
Use exact names and numbers as shown in the tables.
Context "c1" initialization details: see the interface table printed under task 1.3 (it belongs to this task).
Context "c1" routing configuration details:
Interface  Network       Next Hop
inside     0.0.0.0/0     7.7.3.2
outside    7.7.0.0/16    7.7.55.3
inside     7.7.4.0/24    7.7.3.2
Context "c2" initialization details:
Interface  Type      Nameif   Switch VLAN  Sec Level  IP Address
Gi 0/3     Physical  inside   8            100        7.7.8.10/24
Gi 0/1     Physical  outside  5            0          7.7.5.10/24
Context "c2" routing configuration details:
Interface  Network       Next Hop
outside    7.7.0.0/16    7.7.5.3
outside    0.0.0.0/0     7.7.5.3
inside     7.7.11.0/24   7.7.8.3
When the task is completed, ensure that you are able to ping from ASA1:
ASA1/C1#ping 7.7.8.3
ASA1/C1#ping 7.7.4.1
ASA1/C1#ping 150.1.7.20
1.3 Configure Active-Active failover between ASA1 and ASA2 points 2
- Configure LAN-based multi-context active-active failover on ASA1 and ASA2
- Context c1 is the active context on ASA2; context c2 is the active context on ASA1
- Use GigabitEthernet 0/4 in VLAN 100 on SW2 for the failover LAN and name it fover
- Use IP address 7.7.100.100/24 for active and 7.7.100.101/24 for standby
- Enable stateful failover using the fover interface GigabitEthernet 0/4
- Configure standby IP addresses as shown in the output below
- Use all other parameters according to the output given below to achieve this task
- Your output must match all parameters highlighted below
Context "c1" initialization details (this table belongs to task 1.2):
Interface  Type      Nameif   Switch VLAN        Sec Level  IP Address
Gi 0/2     Physical  inside   3                  100        7.7.3.10/24
Gi 0/0     Physical  outside  55 (diagram = 33)  0          7.7.55.10/24
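An added example of the failover part of task 1.3 (not the workbook's solution). The failover interface, its addresses and which context is active where come from the task; the failover group numbers, the standby addresses inside the contexts, and the ASA2 bootstrap are my assumptions.

```text
! ===== ASA1, system execution space (primary unit) =====
interface GigabitEthernet0/4
 no shutdown
failover lan unit primary
failover lan interface fover GigabitEthernet0/4
failover link fover GigabitEthernet0/4
failover interface ip fover 7.7.100.100 255.255.255.0 standby 7.7.100.101
!
! Group 1 normally runs on the primary (ASA1), group 2 on the secondary (ASA2)
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
context c2
 join-failover-group 1
context c1
 join-failover-group 2
failover
!
! ===== ASA2, system execution space (secondary unit); the rest replicates =====
interface GigabitEthernet0/4
 no shutdown
failover lan unit secondary
failover lan interface fover GigabitEthernet0/4
failover link fover GigabitEthernet0/4
failover interface ip fover 7.7.100.100 255.255.255.0 standby 7.7.100.101
failover
!
! ===== inside each context: every data interface needs a standby address =====
! (example for c2; the standby values are assumptions)
interface GigabitEthernet0/3
 ip address 7.7.8.10 255.255.255.0 standby 7.7.8.11
interface GigabitEthernet0/1
 ip address 7.7.5.10 255.255.255.0 standby 7.7.5.11
```

The admin context always belongs to group 1. SW2's ports toward Gi0/4 of both units go in VLAN 100 as access ports. "show failover" on either unit should list group 1 active on ASA1 and group 2 active on ASA2; if a group shows "Failed", check that both units run the same mode and that the data-interface VLANs match on both sides.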
1.4 Initialize and Configure ASA4 points 2
Configure ASA4 as a single-mode firewall deployed between SW3 and SW6.
You are required to complete the three tasks outlined below.
1) Initialize ASA4 using the following parameters:
Interface  Nameif   Switch VLAN  Sec Level  IP Address
Gi 0/2     inside   99           100        7.7.99.10/24
Gi 0/0     outside  14           0          7.7.14.10/24
Gi 0/1     backup   15           0          7.7.15.10/24
Enable OSPF on the inside interface and the outside interface.
Ensure that networks 10.10.110.0 and 10.10.120.0 are present in the routing table on ASA4 but are not propagated into area 0. Verify by checking the routing table on R3.
Verify your solution by pinging from ASA4 as follows:
ASA4# ping 7.7.99.1
ASA4# ping 7.7.14.1
ASA4# ping 7.7.15.1
2) Configure Route Tracking
If traffic destined for network 150.1.7.0/24 via the outside interface does NOT have reachability to 7.7.6.6, the traffic should be diverted via the backup interface. Use 7.7.14.1 and 7.7.15.1 as the next hops on the outside and backup interfaces respectively.
Re-route the traffic out the backup interface within 2 seconds.
You are allowed to modify any switch parameters as appropriate to achieve this task.
Ensure that the following tests are successful.
On R6, shut down interface gig0/1.2 and verify that the route to the server now points out
the backup interface on ASA4.
Bring Gig0/1.2 up and verify that the route is restored via the outside interface.
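Task 1.4 parts 1 and 2 on ASA4, as an added example (not the workbook's answer). The interface names, next hops, probe target and the 2-second requirement are from the task; the OSPF process and area, the SLA and track IDs, and the inside next hop 7.7.99.1 used for the two 10.10.x.0 networks are assumptions.

```text
! ASA4 (added example; process/area numbers, SLA and track IDs, and the
! 7.7.99.1 next hop for the 10.10.x.0 networks are assumptions)
router ospf 1
 network 7.7.99.0 255.255.255.0 area 0
 network 7.7.14.0 255.255.255.0 area 0
 log-adj-changes
!
! Static routes are never advertised unless "redistribute static" is
! configured, so these appear on ASA4 without reaching R3's area-0 table.
route inside 10.10.110.0 255.255.255.0 7.7.99.1
route inside 10.10.120.0 255.255.255.0 7.7.99.1
!
! Probe 7.7.6.6 through the outside interface every second, 500 ms timeout,
! so a failure is detected in well under 2 seconds.
sla monitor 10
 type echo protocol ipIcmpEcho 7.7.6.6 interface outside
 frequency 1
 timeout 500
 threshold 500
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! The tracked route is withdrawn when track 1 goes down; the floating route
! (administrative distance 254) via backup then takes over.
route outside 150.1.7.0 255.255.255.0 7.7.14.1 1 track 1
route backup 150.1.7.0 255.255.255.0 7.7.15.1 254
```

"show track 1" and "show sla monitor operational-state 10" show the probe state; "show route" should flip from 7.7.14.1 to 7.7.15.1 after R6's Gig0/1.2 is shut and back when it is restored. If 7.7.6.6 is learned only through OSPF, make sure the OSPF route to it points out the outside interface, otherwise the probe leaves via a different path and the track never reflects the outside link.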
1.5 Configure NAT points 2
Configure network address translation (NAT) on the Cisco ASA4 using the information given below.
NAT control is required.
Configure address translation for traffic from host 7.7.7.2 such that traffic leaving either the backup or the outside interface is mapped to the interface address.
Ensure that traffic sourced from the 7.7.0.0/16 network and destined to 7.7.0.0/16 or 150.1.0.0/16 is not translated, but is still able to transit ASA4.
Verify your solution using packet-tracer command
ASA4(config)# packet-tracer input inside icmp 7.7.7.2 0 8 7.7.15.1
ASA4(config)# packet-tracer input inside icmp 7.7.99.1 0 8 7.7.15.1
Configure network address translation (NAT) on the Cisco ASA3 using the information given below.
Configure NAT so that the HTTP and Telnet services running on SW1 at 20.20.20.1/24 are statically port-mapped to 7.7.3.20 on the outside and 7.7.8.20 on the dmz.
Verify your solution using packet-tracer command
ASA3(config)# packet-tracer input dmz tcp 7.7.8.3 1234 7.7.8.20 23
ASA3(config)# packet-tracer input outside tcp 7.7.3.2 1234 7.7.3.20 80
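Both NAT parts of task 1.5 as an added example (not the workbook's answer). Because "NAT control is required", the example uses pre-8.3 (8.2) syntax, where nat-control exists; the ACL names are my assumptions, every address and port comes from the task.

```text
! ===== ASA4 (8.2 syntax; added example, ACL names are assumptions) =====
nat-control
!
! NAT exemption is evaluated before every other NAT rule, so host 7.7.7.2
! (which is inside 7.7.0.0/16) must be carved out with a deny line first,
! otherwise it would never reach the PAT rule below.
access-list NONAT extended deny ip host 7.7.7.2 any
access-list NONAT extended permit ip 7.7.0.0 255.255.0.0 7.7.0.0 255.255.0.0
access-list NONAT extended permit ip 7.7.0.0 255.255.0.0 150.1.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! Dynamic PAT of 7.7.7.2 to the address of whichever interface the flow exits
access-list PAT_HOST extended permit ip host 7.7.7.2 any
nat (inside) 1 access-list PAT_HOST
global (outside) 1 interface
global (backup) 1 interface
!
! ===== ASA3 (8.2 syntax): static PAT of SW1's HTTP and Telnet =====
static (inside,outside) tcp 7.7.3.20 80 20.20.20.1 80 netmask 255.255.255.255
static (inside,outside) tcp 7.7.3.20 23 20.20.20.1 23 netm Jask 255.255.255.255
static (inside,dmz) tcp 7.7.8.20 80 20.20.20.1 80 netmask 255.255.255.255
static (inside,dmz) tcp 7.7.8.20 23 20.20.20.1 23 netmask 255.255.255.255
! Before 8.3, interface ACLs reference the mapped (translated) address
access-list OUTSIDE_IN extended permit tcp any host 7.7.3.20 eq www
access-list OUTSIDE_IN extended permit tcp any host 7.7.3.20 eq telnet
access-group OUTSIDE_IN in interface outside
access-list DMZ_IN extended permit tcp any host 7.7.8.20 eq www
access-list DMZ_IN extended permit tcp any host 7.7.8.20 eq telnet
access-group DMZ_IN in interface dmz
```

The first packet-tracer run (7.7.7.2 to 7.7.15.1) should show a NAT phase translating to 7.7.15.10, the second (7.7.99.1 to 7.7.15.1) should show the exemption and no translation. On 8.3 and later there is no nat-control; the same policy is a twice-NAT section-1 list in this order: a dynamic "source dynamic HOST interface" line for 7.7.7.2 per egress interface, then identity lines for 7.7.0.0/16 to 7.7.0.0/16 and to 150.1.0.0/16, and the ASA3 port maps become object NAT with "nat (inside,outside) static 7.7.3.20 service tcp www www", with interface ACLs then written against the real address 20.20.20.1.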
1.6 Configure Zone-Based Firewall (Class-Based Access List) points 5
R4 and R5 should be configured for zone-based firewall with their outside interfaces on the 7.7.2.0/24 subnet. Allow the following protocols:
Protocol            Action
OSPF for IPv4       Allow
OSPFv3              Allow
AH                  Allow
ESP                 Allow
Telnet              Allow
ICMP                Allow
Deny and log in class-default for all other protocols.
Troubleshoot the following tasks.
Note: There are 4 breaks in this question caused by misconfiguration, missing configuration, or both.
1) OSPF is configured between SW3, R4, and R5; however, the OSPF neighborship is not being established between them. Troubleshoot the issue so that the neighborship is established.
Verify your solution using:
2) OSPFv3 is configured between R4 and R5; however, the OSPFv3 neighborship is not being established between them. Troubleshoot the issue so that the neighborship is established.
Verify your solution using:
3) SW3 cannot ping R4. Troubleshoot the issue.
Verify your solution using:
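A zone-based firewall policy that meets the protocol table in task 1.6, as an added example for R4 (R5 is configured the same way); it is not the workbook's solution. Interface names, zone, class, policy and ACL names are my assumptions. The two points the example is built around are that ZBF has no "match protocol" keyword for OSPF, OSPFv3, AH or ESP (they are classified by IP protocol number through ACLs), and that these protocols terminate on the router, so the policy must also be applied on zone pairs to and from the self zone, which is the usual reason the OSPF adjacency in part 1 fails to come up.

```text
! R4 (added example; names are assumptions, the outside subnet is 7.7.2.0/24)
ip access-list extended ROUTING_AND_IPSEC_V4
 permit ospf any any
 permit ahp any any
 permit esp any any
ipv6 access-list ROUTING_AND_IPSEC_V6
 permit 89 any any
 permit ahp any any
 permit esp any any
!
class-map type inspect match-any ROUTING_AND_IPSEC
 match access-group name ROUTING_AND_IPSEC_V4
 match access-group name ROUTING_AND_IPSEC_V6
class-map type inspect match-any TELNET_ICMP
 match protocol telnet
 match protocol icmp
!
policy-map type inspect ZBF_POLICY
 class type inspect ROUTING_AND_IPSEC
  pass
 class type inspect TELNET_ICMP
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
! transit traffic in both directions
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect ZBF_POLICY
zone-pair security OUT_IN source OUTSIDE destination INSIDE
 service-policy type inspect ZBF_POLICY
! router-terminated traffic: OSPF hellos, IPsec, telnet to/from R4 itself.
! "pass" is stateless, so it must be applied in both directions.
zone-pair security OUT_SELF source OUTSIDE destination self
 service-policy type inspect ZBF_POLICY
zone-pair security SELF_OUT source self destination OUTSIDE
 service-policy type inspect ZBF_POLICY
!
interface GigabitEthernet0/0
 description outside, 7.7.2.0/24
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 description inside
 zone-member security INSIDE
```

"show policy-map type inspect zone-pair OUT_SELF" shows per-class packet counters, and the class-default drops appear in the log, which is the quickest way to see which protocol a break is silently discarding. An interface that is in no zone cannot talk to an interface that is in one, so every interface on R4 that needs to carry traffic past Gi0/0 must be a zone member.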
1.7 Troubleshoot NTP points 5
R1 is configured for NTP with SW1; however, R1 is not able to synchronize its time with SW1.
Note: There are 2 breaks in this question caused by misconfiguration, missing configuration, or both.
Verify your solution using:
SECTION II. IPS and Content Security
2.1 Initialize the Cisco IPS Sensor Appliance points 3
Initialize the Cisco IPS Sensor appliance as follows:
Parameter           Setting
Hostname            RACKYYIPS, where YY is your two-digit rack number (for example Rack01IPS for Rack 01 or Rack40IPS for Rack 40)
Management          Configure the command and control interface Management0/0 in VLAN 4
Sensor IP Address   7.7.4.100/24
Default Gateway     7.7.4.1
Sensor ACL          7.7.0.0/16, 150.100.1.0/24, 151.SS.1.0/24, 150.1.7.0/24
Telnet              Enable telnet management
The username/password for the IPS console is cisco and 123cisco123. DO NOT CHANGE THEM.
Use the console to initialize the Cisco IPS sensor appliance using the details in this table.
Ensure that the Management0/0 interface is up and functioning (refer to the Lab Topology
diagram). You can modify Cisco Catalyst switches configuration if required.
Ensure that the Cisco IPS sensor is able to ping the default gateway and Test-PC:
IPS# ping 7.7.4.1
IPS# ping 150.1.7.100
Ensure that the following ping and telnet connection is successful from SW1
SW1# ping 7.7.4.100
SW1# telnet 7.7.4.100
2.2 Deploy the Cisco IPS Sensor Using an In-line Interface Pair points 8
Configure the Cisco IPS sensor appliance for the inline interface pair as shown in Lab Topology.
Use the information on the table below to complete the task:
You are allowed to modify the switch parameters as appropriate to achieve this task.
Refer to the lab diagram for the required information.
You may access the IPS management GUI (IME) either from your Test-PC or your local Candidate
PC to help with the task. The IME password is Cisc0123. You are allowed to adjust any firewall
and/or routing configuration to ensure that this works.
After configuring the interface pair, SW1 is not able to reach R6. Troubleshoot the faults so that SW1 is able to reach R6.
Note: There are 2 breaks in this question caused by misconfiguration, missing configuration, or both.
For testing, ensure that these pings are successful from R6.
Parameter       Name  Settings  VLANs  Virtual Sensor Name
Interface pair  C1    G0/2      55     VS2
                      G0/3      33
2.3 Configure the Cisco IPS sensor for Promiscuous Mode points 2
Configure the CISCO IPS in promiscuous mode on Gig0/0
Promiscuous port Virtual Sensor Signature Definition
Gi0/0 vs0 sig0
IPS# show config
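The sensor-side configuration for tasks 2.2 and 2.3 together, as an added example (not the workbook's solution): the inline pair C1 on vs2 and the promiscuous port Gi0/0 on vs0 share the same two CLI services, so one block covers both. Interface and sensor names are from the tables; the SW1 port numbers facing the sensor are assumptions.

```text
! --- IPS (added example) ---
Rack01IPS# configure terminal
Rack01IPS(config)# service interface
Rack01IPS(config-int)# physical-interfaces GigabitEthernet0/0
Rack01IPS(config-int-phy)# admin-state enabled
Rack01IPS(config-int-phy)# exit
Rack01IPS(config-int)# physical-interfaces GigabitEthernet0/2
Rack01IPS(config-int-phy)# admin-state enabled
Rack01IPS(config-int-phy)# exit
Rack01IPS(config-int)# physical-interfaces GigabitEthernet0/3
Rack01IPS(config-int-phy)# admin-state enabled
Rack01IPS(config-int-phy)# exit
Rack01IPS(config-int)# inline-interfaces C1
Rack01IPS(config-int-inl)# interface1 GigabitEthernet0/2
Rack01IPS(config-int-inl)# interface2 GigabitEthernet0/3
Rack01IPS(config-int-inl)# exit
Rack01IPS(config-int)# exit
Apply Changes?[yes]: yes
Rack01IPS(config)# service analysis-engine
Rack01IPS(config-ana)# virtual-sensor vs2
Rack01IPS(config-ana-vir)# logical-interface C1
Rack01IPS(config-ana-vir)# exit
Rack01IPS(config-ana)# virtual-sensor vs0
Rack01IPS(config-ana-vir)# signature-definition sig0
Rack01IPS(config-ana-vir)# physical-interface GigabitEthernet0/0
Rack01IPS(config-ana-vir)# exit
Rack01IPS(config-ana)# exit
Apply Changes?[yes]: yes
!
! --- SW1: the inline pair bridges VLAN 55 and VLAN 33 at layer 2, so the two
! sensor ports are plain access ports, one per VLAN (port numbers assumed) ---
SW1(config)# interface FastEthernet0/11
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 55
SW1(config)# interface FastEthernet0/12
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 33
```

A newly created virtual sensor takes sig0, rules0 and ad0 unless told otherwise. When SW1 cannot reach R6 after pairing, the usual places to look are "show interfaces" on the sensor (a port left at admin-state disabled, or the pair's link down) and the switch side (the two access ports not in VLANs 55 and 33, or an SVI that routes between those VLANs and bypasses the pair); nothing beyond those two areas is implied by the task.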
2.4 Implement custom signatures on the Cisco IPS sensor points 3
A custom signature 62000 is required on the Cisco IPS sensor as follows:
Trigger: whenever TACACS+ packets are initiated from any device using a source address in the 192.168.0.0 - 192.168.255.255 range.
Action: produce verbose alert
Alert severity: high
Signature definition: 2
Virtual sensor: vs2
To verify your solution, issue the following command on R6:
2.5 Initialize the Cisco WSA and Enable WCCP Support points 6
The Cisco WSA has been initialized with the IP address 7.7.4.150 and is connected via SW1 in VLAN 4.
Using the Test-PC or Candidate PC, connect to the WSA and configure it as follows.
Connection Information: http://7.7.4.150:8080/ Username=admin Password=ironport
Initialize the Cisco WSA appliance as follows using the System Setup Wizard:
Parameter              Setting
Hostname               Wsa.cisco.com
Interface              M1 to be used for data and management
IP Address             7.7.4.150/24
Default Gateway        7.7.4.1
System Information     Admin: ironport, foobar@cisco.com, time: US/America/LA
NTP Server             7.7.4.1
DNS                    150.1.7.10
L4 Traffic Monitoring  Duplex: T1 (in/out)
Accept all other defaults.
From SW1, verify that you can ping M1 interface of WSA:
SW1# ping 7.7.4.150
Configure WCCP redirection from SW1 to the WSA for all HTTP and HTTPS traffic initiated from VLAN 150.
You may have to reboot the WSA after configuring WCCP if "show ip wccp" shows "Router identifier undetermined".
Use the following to verify your solution from the Test-PC:
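The switch side of the WCCP redirection in task 2.5, as an added example (not the workbook's own answer). The WSA address and VLAN 150 are from the task; the dynamic service ID 90 for HTTPS, the ACL names, VLAN 150's subnet 150.1.7.0/24 and SW1's VLAN 4 SVI as the WSA's WCCP router are assumptions. The WSA must define the same services (Network > Transparent Redirection): the standard web-cache service for port 80 and a dynamic service 90 for port 443.

```text
! SW1, Catalyst 3560/3750 (IP Services feature set; these platforms support
! "redirect in" only). Added example; IDs, names and the VLAN 150 subnet
! are assumptions.
ip access-list standard WCCP_WSA
 permit 7.7.4.150
ip access-list extended WCCP_HTTP
 permit tcp 150.1.7.0 0.0.0.255 any eq www
ip access-list extended WCCP_HTTPS
 permit tcp 150.1.7.0 0.0.0.255 any eq 443
!
! group-list restricts which caches may join; redirect-list restricts what is sent
ip wccp web-cache redirect-list WCCP_HTTP group-list WCCP_WSA
ip wccp 90 redirect-list WCCP_HTTPS group-list WCCP_WSA
!
interface Vlan150
 ip wccp web-cache redirect in
 ip wccp 90 redirect in
!
! Never redirect on the VLAN that hosts the proxy, or its own outbound
! requests are sent straight back to it.
interface Vlan4
 ip wccp redirect exclude in
```

"show ip wccp" should list one cache engine per service and a router identifier equal to SW1's highest loopback or SVI address; "show ip wccp web-cache detail" shows the WSA's state and the packet-redirect counter climbing while the Test-PC browses. An identifier still reported as undetermined after the WSA reboot mentioned above usually means the WSA never sent a Here-I-Am, i.e. the group-list or the WSA's router address is wrong.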
SECTION III – Secure Access
3.1 Troubleshooting Site-to-Site IPsec VPN using IKEv2 points 6
An IPsec VPN has been partially configured between ASA3 and R6 using IKEv2.
Complete the configuration and troubleshoot the connection to ensure that IPv4 traffic between SW1 interface lo0 (20.20.20.1) and R6 interface lo0 (192.168.6.1) is protected by the tunnel.
Verify your solution using the following output:
R6#show crypto session
3.2 Troubleshoot and Configure GET VPN points 6
In this question R2 has been partially configured as the key server (KS), and R1, R4 and R5 are the group members (GMs) that participate in a VRF-aware GET VPN deployment.
Complete the configuration of the spokes and troubleshoot the solution using the following outputs to verify your solution (the highlighted sections are particularly important).
Verify using the following commands:
R2#show crypto gdoi ks members
Group Member ID : 7.7.11.17   Group ID : 135   Group Name : GET-GROUP1   Key Server ID : 7.7.4.2
Group Member ID : 7.7.11.18   Group ID : 135   Group Name : GET-GROUP1   Key Server ID : 7.7.4.2
Group Member ID : 7.7.11.19   Group ID : 135   Group Name : GET-GROUP1   Key Server ID : 7.7.4.2
Group Member ID : 7.7.11.33   Group ID : 246   Group Name : GET-GROUP2   Key Server ID : 7.7.4.2
Group Member ID : 7.7.11.34   Group ID : 246   Group Name : GET-GROUP2   Key Server ID : 7.7.4.2
Group Member ID : 7.7.11.35   Group ID : 246   Group Name : GET-GROUP2   Key Server ID : 7.7.4.2

R4#show crypto gdoi
GROUP INFORMATION
  KEK POLICY
    Rekey Transport Type    : Unicast
    Lifetime (secs)         : xxx
    Encrypt Algorithm       : AES
    Key Size                : 256
    Sig Hash Algorithm      : HMAC_AUTH_SHA
    Sig Key Length (bits)   : 2048

R2#show crypto gdoi
Group Name                          : GET-GROUP1 (Unicast)
Group Identity                      : 135
Group Members                       : 3
IPSec SA Direction                  : Both
Group Rekey Lifetime                : 300 secs
Group Rekey Remaining Lifetime      : XX secs
Rekey Retransmit Period             : 10 secs
Rekey Retransmit Attempts           : 3
Group Retransmit Remaining Lifetime : 0 secs
  IPSec SA Number                   : 1
  IPSec SA Rekey Lifetime           : 600 secs
  Profile Name                      : Profile1
  Replay method                     : Count Based
  Replay Window Size                : 64
  SA Rekey Remaining Lifetime       : xxx secs
  ACL Configured                    : access-list VPNA
Group Server list                   : Local

Group Name                          : GET-GROUP2 (Unicast)
Group Identity                      : 246
Group Members                       : 3
IPSec SA Direction                  : Both
Group Rekey Lifetime                : 500 secs
Group Rekey Remaining Lifetime      : XX secs
Rekey Retransmit Period             : 10 secs
Rekey Retransmit Attempts           : 3
Group Retransmit Remaining Lifetime : 0 secs
  IPSec SA Number                   : 1
  IPSec SA Rekey Lifetime           : 600 secs
  Profile Name                      : Profile2
  Replay method                     : Count Based
  Replay Window Size                : 64
  SA Rekey Remaining Lifetime       : xxx secs
  ACL Configured                    : access-list VPNB
Group Server list                   : Local
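A key-server and group-member configuration that produces the outputs above, as an added example (not the workbook's partial configuration). Group names, identities, rekey lifetimes, retransmit values, profile names, ACL names, the 2048-bit rekey signature key and the KS address 7.7.4.2 are read from the outputs; the ISAKMP policy, the pre-shared key, the RSA key label, the contents of VPNA/VPNB, and the GM's interface names and VRF placement are assumptions. Any VRF-specific ISAKMP keyring the preconfigured GMs already carry is left as is; only the GDOI part is shown.

```text
! ===== R2, key server (added example) =====
! first, in exec mode: crypto key generate rsa label GETVPN-REKEY modulus 2048
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set GDOI-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile Profile1
 set security-association lifetime seconds 600
 set transform-set GDOI-TS
crypto ipsec profile Profile2
 set security-association lifetime seconds 600
 set transform-set GDOI-TS
!
! Traffic the GMs must encrypt (assumed: member subnet to member subnet)
ip access-list extended VPNA
 permit ip 7.7.11.16 0.0.0.15 7.7.11.16 0.0.0.15
ip access-list extended VPNB
 permit ip 7.7.11.32 0.0.0.15 7.7.11.32 0.0.0.15
!
crypto gdoi group GET-GROUP1
 identity number 135
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 300
  rekey retransmit 10 number 3
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile Profile1
   match address ipv4 VPNA
   replay counter window-size 64
  address ipv4 7.7.4.2
crypto gdoi group GET-GROUP2
 identity number 246
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 500
  rekey retransmit 10 number 3
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile Profile2
   match address ipv4 VPNB
   replay counter window-size 64
  address ipv4 7.7.4.2
!
! ===== R4, group member in both groups (R1 and R5 follow the same pattern;
! the two VRF-facing subinterfaces are assumptions) =====
crypto isakmp key cisco123 address 7.7.4.2
crypto gdoi group GET-GROUP1
 identity number 135
 server address ipv4 7.7.4.2
crypto gdoi group GET-GROUP2
 identity number 246
 server address ipv4 7.7.4.2
crypto map GM-MAP1 10 gdoi
 set group GET-GROUP1
crypto map GM-MAP2 10 gdoi
 set group GET-GROUP2
interface GigabitEthernet0/0.16
 description member of GET-GROUP1 (7.7.11.16/28)
 crypto map GM-MAP1
interface GigabitEthernet0/0.32
 description member of GET-GROUP2 (7.7.11.32/28)
 crypto map GM-MAP2
```

"show crypto gdoi ks members" on R2 is the first thing to check: a GM missing from it has not registered, which points at ISAKMP (policy or key) or at reachability to 7.7.4.2 through the ASAs. Once registered, "show crypto gdoi" on a GM must report the KEK and TEK values the KS hands out, so the timers and algorithms are only ever set on R2; a value typed on the GM side has no effect.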
3.3 Configure Cisco WLC points 4
The Cisco WLC 2504 has been bootstrapped with the following settings.
Complete the basic wireless configuration so that it is enabled for two groups of users (admin and guest).
Parameter                   Guest          Admin
VLAN Name                   guest          admin
SSID                        guest          admin
Dynamic-Interface Name      dyint2         dyint1
Dynamic-Interface Address   10.10.120.2    10.10.110.2
Subnet                      /24            /24
Gateway                     10.10.120.1    10.10.110.1
Local Username/Password     Guest/cisco
NOTE: To complete this question you may use the CLI / GUI whichever is accessible
Match the following OUTPUT:
(Cisco Controller) >show wlan 11
WLAN Identifier.................................. 11
Profile Name..................................... Admin
Network Name (SSID).............................. admin
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 1
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ dynint1
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ Global Servers
   Accounting.................................... Global Servers
   Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Disabled
         FT(802.11r)............................. Disabled
         FT-PSK(802.11r)......................... Disabled
   FT Reassociation Timeout......................... 20
   FT Over-The-Air mode............................. Enabled
   FT Over-The-Ds mode.............................. Enabled
   CCKM tsf Tolerance............................... 1000
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   H-REAP Local Authentication................... Disabled
   H-REAP Learn IP Address....................... Enabled
   Client MFP.................................... Optional
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled

Mobility Anchor List
 WLAN ID     IP Address            Status
 -------     ---------------       ------

(Cisco Controller) >show wlan 12
WLAN Identifier.................................. 12
Profile Name..................................... Guest
Network Name (SSID).............................. guest
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ dynint2
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ Global Servers
   Accounting.................................... Global Servers
   Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Enabled
   ACL............................................. Unconfigured
   Web Authentication server precedence:
   1............................................... local
   2............................................... radius
   3............................................... ldap
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   H-REAP Local Authentication................... Disabled
   H-REAP Learn IP Address....................... Enabled
   Client MFP.................................... Optional but inactive (WPA2 not configured)
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled

Mobility Anchor List
 WLAN ID     IP Address            Status
 -------     ---------------       ------
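The WLC CLI sequence that yields the two WLAN outputs above, as an added example (not the workbook's own answer). Interface names, addresses, SSIDs, profile names, WLAN IDs and the local guest user are from the task table and outputs; the VLAN IDs 110 and 120 behind the dynamic interfaces and port 1 as their physical port are assumptions.

```text
(Cisco Controller) >config interface create dyint1 110
(Cisco Controller) >config interface address dynamic-interface dyint1 10.10.110.2 255.255.255.0 10.10.110.1
(Cisco Controller) >config interface port dyint1 1
(Cisco Controller) >config interface create dyint2 120
(Cisco Controller) >config interface address dynamic-interface dyint2 10.10.120.2 255.255.255.0 10.10.120.1
(Cisco Controller) >config interface port dyint2 1
!
! WLAN 11: WPA2/AES with 802.1X key management (the output's Security block)
(Cisco Controller) >config wlan create 11 Admin admin
(Cisco Controller) >config wlan interface 11 dyint1
(Cisco Controller) >config wlan security wpa enable 11
(Cisco Controller) >config wlan security wpa wpa2 enable 11
(Cisco Controller) >config wlan security wpa wpa2 ciphers aes enable 11
(Cisco Controller) >config wlan security wpa akm 802.1x enable 11
(Cisco Controller) >config wlan enable 11
!
! WLAN 12: open system + web authentication, local database first
(Cisco Controller) >config wlan create 12 Guest guest
(Cisco Controller) >config wlan interface 12 dyint2
(Cisco Controller) >config wlan security wpa disable 12
(Cisco Controller) >config wlan security web-auth enable 12
(Cisco Controller) >config wlan security web-auth server-precedence 12 local radius ldap
(Cisco Controller) >config netuser add Guest cisco wlan 12 userType guest lifetime 86400 description "guest user"
(Cisco Controller) >config wlan enable 12
```

A new WLAN defaults to WPA2/802.1X, which is why the guest WLAN needs "wpa disable" before web-auth can be the only security layer; that is the difference between the two Security blocks in the outputs. 802.1X on WLAN 11 still needs a RADIUS server (the output shows "Global Servers"), which is outside this task.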
SECTION IV. System Hardening and Availability
4.1 Enable OSPF v2 Authentication points 4
Enable MD5 authentication for OSPF in area 1, using the key cisco123.
Match the Following OUTPUT:
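The two commands task 4.1 comes down to, repeated on every router with an interface in area 1, as an added example (not the workbook's answer); the process ID and the interface name are assumptions.

```text
! Every router with an interface in area 1 (added example; process ID 1 and
! the interface name are assumptions)
router ospf 1
 area 1 authentication message-digest
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 cisco123
```

The area-level command turns authentication on for all area-1 interfaces; "ip ospf authentication message-digest" under the interface is the per-interface equivalent if only some links should carry it. Adjacencies drop as soon as one side is done and come back when the neighbor has a matching key ID and string, so "show ip ospf interface Gi0/1" (authentication type and youngest key ID) and "show ip ospf neighbor" are the checks.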
4.2 Configure Remote Switched Port Analyzer (RSPAN) points 5
The Cisco IPS sensor appliance should be configured in promiscuous mode on interface gi0/0.
A 10 gig interface 1/1/1 is configured between SW5 and SW6 as trunk.
Monitor transmit traffic sourced from SW6 gig 1/0/1-2 & gig 1/0/5 that enters SW5 via Gi1/1/1
You are allowed to modify the switch parameters as appropriate to achieve this task.
Refer to Diagram Lab Topology for the requested information.
Ensure that the sensor is seeing traffic successfully.
Match the Following OUTPUT:
For testing, the following command shows the traffic being monitored by this sensor.
IPS# packet display gigabitethernet0/0
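The RSPAN session on both switches, as an added example rather than the workbook's solution. Assumptions: RSPAN VLAN 900, the sensor's gi0/0 is cabled to SW5 GigabitEthernet1/0/10, and Gi1/1/1 is the existing trunk on both switches.

```cisco
! Added example; VLAN 900 and SW5 Gi1/0/10 are assumptions.

! --- SW6: source switch ---
vlan 900
 remote-span          ! RSPAN VLAN: no MAC learning, flooded toward the trunk
!
! Copy only frames TRANSMITTED out of Gi1/0/1, Gi1/0/2 and Gi1/0/5 (tx), as the
! task asks; rx or both would also mirror inbound frames the task did not request.
monitor session 1 source interface gigabitethernet1/0/1 - 2 , gigabitethernet1/0/5 tx
monitor session 1 destination remote vlan 900
!
! --- SW5: destination switch ---
vlan 900
 remote-span          ! must be an RSPAN VLAN here too and allowed on the Gi1/1/1 trunk
!
monitor session 1 source remote vlan 900
! The sensor is promiscuous (sniff-only), so the destination port needs no
! "ingress" keyword; the port only emits mirrored frames.
monitor session 1 destination interface gigabitethernet1/0/10
!
! Verification: "show monitor session 1" on each switch shows the session as
! active; "packet display gigabitethernet0/0" on the IPS then shows SW6 frames.
```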
4.3 Transit Traffic Filtering (5 points)
Allow only web traffic from the SW3 loopback (63.63.63.0/24) to R3 (36.36.36.1), which is a
web server. Make sure all other traffic is dropped. Use the access-list Transit_ACL already
preconfigured on R3. Ensure that packets matching the Transit_ACL are logged.
Match the Following OUTPUT:
SECTION V. Threat Identification and Mitigation
5.1 Secure DHCP Environment (4 points)
Implement a solution on SW3 that restricts IP traffic on the untrusted ports Fa0/2 and Fa0/3 to the
addresses of R4 and R5 respectively. Do not use DHCP snooping.
Verification:
SW3# show ip source binding aaaa.bbbb.cccc (active is highlighted)
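IP Source Guard driven by static bindings instead of the DHCP snooping table, as an added example and not the workbook's solution. The MAC addresses (aaaa.bbbb.cc04/cc05), host addresses (192.0.2.4/5) and access VLAN 10 are placeholders, since the page does not give them; take the real values from "show mac address-table" and "show ip arp" on SW3.

```cisco
! Added example; MACs, IPs and VLAN below are placeholders.
!
! IP Source Guard normally builds its filter from DHCP snooping bindings. With
! snooping excluded, the bindings are entered by hand: one IP/MAC/VLAN/port
! tuple per router. Traffic from any other source IP on the port is dropped.
ip source binding aaaa.bbbb.cc04 vlan 10 192.0.2.4 interface FastEthernet0/2
ip source binding aaaa.bbbb.cc05 vlan 10 192.0.2.5 interface FastEthernet0/3
!
interface range FastEthernet0/2 - 3
 switchport mode access
 switchport access vlan 10
 ! Filter on source IP against the binding table. "ip verify source port-security"
 ! would additionally check the source MAC but needs port security on the port.
 ip verify source
!
! Verification:
! show ip source binding          <- static entries, "active" once the port is up
! show ip verify source           <- filter type "ip", the bound address per port
```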
5.2 Configure WLAN Security (6 points)
The Cisco WLC should be configured to learn the IP addresses of attackers that have been shunned by the
Cisco IPS appliance. The WLC can then prevent these clients from joining any wireless network.
The following information should be used to complete this task:
Attribute               Value
IPS Sensor IP address   7.7.4.100
Port                    443
WLC/IPS username        Wlc
WLC/IPS password        123cisco123
WLC wps index value     1
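The sensor account and the controller-side sensor registration, as an added example and not the workbook's solution. The TLS fingerprint is a placeholder; read the real one on the sensor with "show tls fingerprint" and paste its SHA1 value.

```cisco
! Added example; the fingerprint value is a placeholder.
!
! --- IPS sensor CLI (from "configure terminal") ---
! The WLC only reads the shun list, so a viewer-role account is sufficient
! (least privilege: it cannot change signatures or tuning).
username Wlc password 123cisco123 privilege viewer
!
! --- WLC CLI ---
! Register sensor index 1, pin its TLS certificate, poll it, and enable it.
config wps cids-sensor add 1 7.7.4.100 Wlc 123cisco123
config wps cids-sensor port 1 443
config wps cids-sensor fingerprint 1 sha1 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
config wps cids-sensor interval 1 10
config wps cids-sensor enable 1
!
! Verification: "show wps cids-sensor summary" shows the sensor as queried;
! "show wps shun-list" lists the IPs the sensor is shunning, and a client using
! one of them is excluded from every WLAN until the shun expires.
```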
Verification:
5.3 Strict Unicast Reverse Path Forwarding (4 points)
Ensure strict uRPF is configured for web traffic sourced from the SW3 loopback (63.63.63.1) to the R3
loopback (36.36.36.1), and ensure that dropped packets are logged using the preconfigured ACL on R3.
Make sure this does not affect question 4.3.
Match the Following OUTPUT:
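The transit filter from 4.3 together with the strict uRPF check from 5.3 on R3, as one added example that is not the workbook's solution. Assumptions: SW3's traffic arrives on R3 GigabitEthernet0/0, and the preconfigured uRPF logging ACL is named URPF_LOG (placeholder; use the name that actually exists on R3).

```cisco
! Added example; the ingress interface and the name URPF_LOG are assumptions.
!
! Question 4.3: only HTTP from the SW3 loopback subnet to the web server passes.
! Every entry carries "log", so both permits and the final deny are visible in
! "show logging" (add "eq 443" if HTTPS is also considered web traffic).
ip access-list extended Transit_ACL
 permit tcp 63.63.63.0 0.0.0.255 host 36.36.36.1 eq www log
 deny   ip any any log
!
! Question 5.3: strict uRPF. "reachable-via rx" accepts a packet only when the
! route back to its source points out the interface it arrived on, which is
! the case for 63.63.63.0/24 via SW3. The ACL is consulted ONLY for packets that
! FAIL that check: a permit would forward the spoofed packet, a deny drops it,
! and "log" records the drop. Keeping this in its own deny-only ACL means the
! uRPF exception list never changes what Transit_ACL allows (question 4.3).
ip access-list extended URPF_LOG
 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group Transit_ACL in
 ip verify unicast source reachable-via rx URPF_LOG
!
! Verification:
! show ip interface GigabitEthernet0/0 | include verify|drops   <- uRPF drop counter
! show access-lists Transit_ACL                                 <- hit counts per entry
```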
SECTION VI. Identity Management
6.1 Configure Support for MAB/802.1X for Voice and Data VLANs
Part A: Authentication and Authorization of Cisco IP Phone with MAB (5 points)
The Cisco IP Phone is connected to the interface g1/0/1 on SW6. It receives an IP address via
DHCP from the 7.7.9.0/24 subnet and registers with CUCME on R6 (via 7.7.20.3).
The requirement is to add security to this connection through authentication and authorization on SW6 using MAC Authentication Bypass (MAB) to assign the RADIUS attributes required to
move the phone into the voice VLAN.
Use the following information to complete this task:
- Create an Endpoint Identity for the IP Phone in your Rack on ISE1 (150.1.7.20)
- Verify that you have an authentication rule for MAB on the Cisco ISE.
- Verify that the standard authorization policy for Cisco IP Phones exists and is allowing a
permit on all traffic on ISE1.
- Configure g1/0/1 on SW6 to support a voice VLAN (9) and data VLAN (99)
- Voice VLAN will support MAB for authentication
- Data VLAN will provide support for the Test-PC that must connect through the phone using
802.1X.
- SW6 must attempt a MAB authentication first after learning the MAC address of an Endpoint.
- If MAB is not successful, 802.1X endpoints should be allowed to connect.
The following output should be used to verify your solution:
Part B: (5 points)
Authentication and Authorization of 802.1X Client through a Cisco IP Phone
The Test-PC must be allowed to connect through the authenticated Cisco IP Phone
1. SW6 G1/0/1 should have been configured to support a voice and data VLAN in Part A of this
question.
2. Configure an Authorization Profile and Authorization Policy rule for the Test-PC on ISE1
using the following info:
Attribute           Value
Group Name          Test-PC_Group
Username/Password   test-PC/Cisc0123
Access Type         Access_Accept
Common Tasks        DACL Name: DATA_VLAN_DACL
                    DACL Policy: Permit ip any any
                    Vlan 99
6.2 Configure Local Web Authentication With Wired Clients (6 points)
You are required to configure support for the Test-PC behind the Cisco IP phone via Local Web
Auth on SW6 (RADIUS Source interface 7.7.99.1/vlan99) and ISE1 (150.1.7.20).
This builds on the solution to Q6.1.
The following tasks outline the requirements for this question:
• Create an identity for a guest user on ISE1 that will be used for authentication and then
mapped to an authorization policy
• Web Auth should be added to the existing MAB and 802.1X policies from Q6.1 and used as the fallback method
• Configure an Authorization Profile and Authorization Policy rule for Web Auth as follows:
Attribute                            Value
Name                                 WEB_AUTH
Description                          Policy For Local Web Auth
Access Type                          Access_Accept
Common Tasks                         DACL Name: WEB_AUTH_DACL
                                     DACL Policy:
                                       Permit icmp any any
                                       permit udp any any eq domain
                                       permit tcp any any eq www
                                       permit tcp any any eq 443
                                     Vlan 99
Web Authentication (Local Web Auth)
Username                             guest
Password                             Cisco123
Pre-Web-Auth ACL (already on SW6)    PRE-WEB-AUTH
Note:
• Do not lock yourself out of SW6; take care with the default method.
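The SW6 side of Q6.1 and Q6.2 together (MAB first, 802.1X second, local web auth as the final fallback), as an added example that is not the workbook's solution; the ISE identities, profiles and policy rules are built in the ISE GUI and are not shown. The RADIUS shared secret RADIUS_KEY and the local user admin/cisco are placeholders.

```cisco
! Added example (SW6 only); RADIUS_KEY and admin/cisco are placeholders.
aaa new-model
username admin privilege 15 secret cisco
! Local web auth (ip admission) authenticates against the DEFAULT login list, so
! that list must point at ISE. Console and vty stay on a separate local list so
! an unreachable or rejecting ISE cannot lock you out of the switch.
aaa authentication login default group radius local
aaa authentication login MGMT local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 150.1.7.20 auth-port 1812 acct-port 1813 key RADIUS_KEY
ip radius source-interface Vlan99
dot1x system-auth-control
ip device tracking
ip http server
ip http secure-server
ip admission name WEBAUTH proxy http
!
line con 0
 login authentication MGMT
line vty 0 15
 login authentication MGMT
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 99
 switchport voice vlan 9
 ! Q6.1: MAB runs first (phone), then 802.1X (Test-PC); dot1x keeps top priority
 ! so a supplicant that answers later pre-empts a MAB result.
 ! Q6.2: webauth is the last fallback, reached when MAB is rejected and no
 ! supplicant replies within tx-period x (max-reauth-req + 1) seconds.
 authentication host-mode multi-auth
 authentication order mab dot1x webauth
 authentication priority dot1x mab webauth
 authentication event fail action next-method
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 ! The pre-auth ACL already on SW6 limits an unauthenticated host to what the
 ! portal needs; the DACL returned by ISE replaces it after authorization.
 ip access-group PRE-WEB-AUTH in
 ip admission WEBAUTH
 spanning-tree portfast
```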
To verify your solution you must disable 802.1X supplicant functionality on the Test-PC as
shown below :
On SW6 issue the following command
SW6# clear authentication session
Then, from the Test-PC, connect to 7.7.15.1 to trigger the web authentication policy.
Enter the guest/Cisco123 credentials you were asked to create on ISE1.
Use the following outputs to help with this verification:
SW6#show authentication session int g1/0/1
interface GigabitEthernet1/0/1
MAC Address: 000c.290d.0c22
IP Address: 7.7.99.9
User-Name: 000c290d0c22
Status : Authz Success
Domain : DATA
Security Policy : Should Secure
Security Status : Unsecure
Oper host mode : multi-auth
Oper control dir : both
Authorized By : Authentication Server
Vlan Group : 99
ACS ACL : xACSACLx-IP-WEB_AUTH_ACL-5043b6tf
Session timeout : N/A
idle timeout : N/A
Common Session ID: C0A84242000000AB51DD1DBC
Acct Session ID : 0x000000EA
Runnable methods list
Method State
mab Failed over
dot1x Failed over
webauth Authc Success
YOUR GATEWAY TO SUCCESS TOWARDS CCIE LAB
ACTIVE CLIENTS WILL GET VERY SPECIAL DISCOUNTS ON OTHER CCIE TRACKS
KINDLY VISIT FOR FURTHER INFORMATION
CCIE SECURITY ----> WWW.CCIESECURITYLABS.COM
CCIE WIRELESS ----> WWW.CCIEWIRELESSLABS.COM
CCIE DATACENTER ----> WWW.CCIEDATACENTERLABS.COM
CCIE VOICE ----> WWW.CCIEVOICELABS.COM
CCIE R&S ----> WWW.CCIERNSLABS.COM
KINDLY CONTACT US AT SALES@CCIESECURITYLABS.COM FOR FURTHER INFORMATION ON OTHER TRACKS
LAUNCHED!!!
CCIE COLLABORATIONS -----> WWW.CCIECOLLABORATIONLABS.COM
Thank You for using cciesecuritylabs workbooks.