ccie security v4 - question set - final release - 03-06-2014 - lab 3.2


Upload: nkemot

Post on 15-Jan-2016


Page 1: CCIE Security v4 - Question Set - Final Release - 03-06-2014 - Lab 3.2

CCIE QUESTION SET

LAB 3.2

REAL LABS

www.cciesecuritylabs.com

Page 2: CCIE Security v4 - Question Set - Final Release - 03-06-2014 - Lab 3.2

CCIESECURITYLABS.COM Final Release 03-JUNE-2014

CCIESECURITYLABS.COM CCIESECURITYLABS.COM

Initial Guidelines

1. Read all of the questions in a section before you start the configuration. It is even recommended that you read the entire lab exam before you proceed with any configuration.

2. Exam questions have dependencies on others. Read through the entire workbook to help identify these questions and the best order of configuration. Sections do not have to be completed in the order presented in the workbook.

3. Most questions include verification output that can be used to check your solutions.

Highlighted section in output verification displays MUST be matched to ensure correctness.

4. If you need clarification of the meaning of a question, or if you suspect that there may be hardware issues in your equipment, contact the onsite lab proctor as soon as possible.

5. The equipment on the rack assigned to you is physically cabled, so do NOT tamper with it. Before starting the exam, confirm that all devices in your rack are in working order. During the exam, if any device is locked or inaccessible for any reason, you must recover it. When you finish the exam, ensure that all devices are accessible to the grading proctor. A device that is not accessible for grading cannot be marked and may cause you to lose substantial points.

6. Knowledge of implementation and troubleshooting techniques is part of the lab exam.

7. Points are awarded only for working configurations. Towards the end of the exam, you should test the functionality of all sections of the exam.

8. You will be presented with preconfigured routers and switches in your topology. The routers and switches are preconfigured with basic IP addressing, hostname, enable password (cisco), switching, VTP, VLANs, Frame Relay DLCI mapping, IP routing and console port configuration. Do NOT change any of the preconfiguration at any time, unless the change is specified in a question.

9. Throughout the exam, assume these values for variables if required:

- YY is your two-digit rack number. For example, the YY value for Rack 01 is 01 and for Rack 11 is 11

- SS is your Site ID for the lab exam location. Read the next page for your location.

- BB is the backbone number. For example, the BB value for Backbone 2 is 2. Backbone subnets use the following address convention: 150.BB.YY.0/24. Do NOT change backbone addresses unless you are instructed to do so.

- X is your router number. For example, the value of X for Router 1 is 1, for Switch 1 & 2 is 7 & 8 respectively


- Z is any number.

10. You are allowed to add static and default routes (if required) on any device.

11. In any configuration where additional addressing is indicated in the Lab Topology Diagram, ensure that the additional addressing does not conflict with a network that is already used in your topology. The preconfigured routing protocols are shown in the Lab Routing Diagram.

12. Full access to the VMWare ESXi Server from your workstation is provided. Use the username admin and the password cisco to log in. You can add, modify or delete any settings on the Cisco Secure ACS, Test-PC and Cisco ISEs as required in the question.

13. All device names, access information and username/password combinations are summarized on the following pages. Do NOT change these settings.


CCIE Security Lab Equipment and Software v4.0

Hardware

• Cisco 3800 Series Integrated Services Routers (ISR)
• Cisco 1800 Series Integrated Services Routers (ISR)
• Cisco 2900 Series Integrated Services Routers (ISR G2)
• Cisco Catalyst 3560-24TS Series Switches
• Cisco Catalyst 3750-X Series Switches
• Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances
• Cisco IPS Series 4200 Intrusion Prevention System sensors
• Cisco S-series Web Security Appliance
• Cisco ISE 3300 Series Identity Services Engine
• Cisco WLC 2500 Series Wireless LAN Controller
• Cisco Aironet 1200 Series Wireless Access Point
• Cisco IP Phone 7900 Series*
• Cisco Secure Access Control System

Notes: The ASA appliances can be configured using CLI or ASDM/Cisco Prime Tools.
*Device authentication only; provisioning of IP phones is NOT required.

Software Versions

• Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
• Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE
• Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
• Cisco IPS Software Release 7.x
• Cisco VPN Client Software for Windows, Release 5.x
• Cisco Secure ACS System software version 5.3x
• Cisco WLC 2500 Series software 7.2x
• Cisco Aironet 1200 series AP Cisco IOS Software Release 12.4J(x)
• Cisco WSA S-series software version 7.1x
• Cisco ISE 3300 series software version 1.1x
• Cisco NAC Posture Agent v4.X
• Cisco AnyConnect Client v3.0X


Summary of Usernames and Passwords for All Devices

Device         Username   Password
Router         cisco      Cisco
Switches       cisco      Cisco
IPS            cisco      123cisco123
WSA            admin      ironport
WLC            cisco      Cisco123
AP             ciscoAP    CCie123
ESXi Server    admin      Cisco
ISE            admin      Cisco123
ACS            admin      Cisco123
ASA
Test-PC        Test-PC    Cisc0123


Topology 1: Test PC and Vmware ESXI server

Topology 2: Local Candidate PC


Topology 3: Switch Cabling

Topology 4: Layer 2


Topology 5: Logical


OUR CCIE SECURITY ENGINEERS ARE AVAILABLE ON GOOGLE TALK CHAT TO SUPPORT ANY QUESTIONS RELATED TO OUR WORKBOOKS AT ([email protected])

YOUR GATEWAY TO SUCCESS TOWARDS CCIE LAB

ACTIVE CLIENTS WILL GET VERY SPECIAL DISCOUNTS ON OTHER CCIE TRACKS

KINDLY VISIT FOR FURTHER INFORMATION

CCIE SECURITY ----> WWW.CCIESECURITYLABS.COM

CCIE WIRELESS ----> WWW.CCIEWIRELESSLABS.COM

CCIE DATACENTER ----> WWW.CCIEDATACENTERLABS.COM

CCIE VOICE ----> WWW.CCIEVOICELABS.COM

CCIE R&S ----> WWW.CCIERNSLABS.COM

KINDLY CONTACT US AT [email protected] FOR FURTHER INFORMATION ON OTHER TRACKS

Launched !!!

CCIE COLLABORATIONS -----> WWW.CCIECOLLABORATIONLABS.COM


SECTION I – PERIMETER SECURITY

1.1 Configure Routing and Basic Access on ASA3 (2 points)

Complete each task to provide basic connectivity and routing capabilities on ASA3.

1) ASA3 should be in single-context routed mode and configured using the information in the table below:

Interface   Nameif    Switch Vlans   Sec Level   IP Address
Gi 0/0      outside   3              0           7.7.3.8/24
Gi 0/2      inside    4              100         7.7.4.10/24
Gi 0/3      dmz       8              50          7.7.8.12/24

Use exact names and numbers as shown in the table.

2) Add static routes as follows:

Interface   Network         Next Hop
inside      Default Route   7.7.4.1
dmz         7.7.11.16/28    7.7.8.3
dmz         7.7.11.32/28    7.7.8.3
outside     7.7.0.0/16      7.7.3.2

Allow NTP access for the 7.7.0.0/16 network from outside and dmz.

ASA3 should sync its NTP from SW1.

Verification:

ASA3#ping 7.7.3.2

ASA3#ping 7.7.4.1

ASA3#ping 7.7.5.3


1.2 Configure ASA1 in Multi-Context Firewall Mode (2 points)

Part A: Initialize ASA1

ASA1 must be configured as a multi-context firewall.

Use the following outputs to complete the initial configuration.

Context details

Name    Config URL
c1      c1.cfg
c2      c2.cfg
admin   admin.cfg

You can modify the Catalyst switch configuration to complete this task.

When the task is completed, ensure that you are able to ping from ASA1

ASA1/C1#ping 7.7.8.3


ASA1/C1#ping 7.7.4.1

ASA1/C1#ping 150.1.7.20

Use exact names and numbers as shown in the table

Context “c1” initialization details:

Interface   Type       Nameif    Switch Vlans        Sec Level   IP Address
Gi 0/2      Physical   inside    3                   100         7.7.3.10/24
Gi 0/0      Physical   outside   55 (diagram = 33)   0           7.7.55.10/24

Context “c1” routing configuration details:

Interface   Network       Next Hop
inside      0.0.0.0/0     7.7.3.2
outside     7.7.0.0/16    7.7.55.3
inside      7.7.4.0/24    7.7.3.2

Context “c2” initialization details:

Interface   Type       Nameif    Switch Vlans   Sec Level   IP Address
Gi 0/3      Physical   inside    8              100         7.7.8.10/24
Gi 0/1      Physical   outside   5              0           7.7.5.10/24

Context “c2” routing configuration details:

Interface   Network       Next Hop
outside     7.7.0.0/16    7.7.5.3
outside     0.0.0.0       7.7.5.3
inside      7.7.11.0/24   7.7.8.3

1.3 Configure Active-Active Failover between ASA1 and ASA2 (2 points)

- Configure LAN-based multi-context active-active failover on ASA1 and ASA2

- Context c1 is the active context on ASA2; context c2 is the active context on ASA1

- Use GigabitEthernet 0/4 in VLAN 100 on SW2 for the failover LAN and name it fover


- Use IP address 7.7.100.100/24 for active and 7.7.100.101/24 for standby

- Enable stateful failover using fover interface GigabitEthernet 0/4

- Configure standby IP addresses as shown in the output below

- Use all other parameters according to the output given below to achieve this task

- Your output must match all parameters highlighted below

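The system-context configuration that tasks 1.2 and 1.3 describe, added here as a worked example; it is not from the workbook and is not its authors' solution. Assumptions marked in the comments: ASA1 is the failover "primary" unit and ASA2 the "secondary", context files are stored on disk0:, and the per-interface standby addresses (x.x.x.11) are placeholders because the workbook's verification output that fixes them is not reproduced on this page. Only the c1 context body is shown; c2 follows the same pattern with its own table.

```cisco
! Added example (not from the workbook): ASA1 system execution space.
! 'mode multiple' converts the running config and reloads; everything below
! is entered after the reload.
mode multiple
!
! Data interfaces carry no addressing in the system context; they are only
! brought up and allocated to contexts. Gi0/4 is the failover LAN + state link.
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
interface GigabitEthernet0/4
 description failover LAN and state link (SW2 VLAN 100)
 no shutdown
!
! ASSUMPTION: ASA1 is the primary unit. Group 1 prefers the primary (c2 active
! on ASA1), group 2 prefers the secondary (c1 active on ASA2).
failover lan unit primary
failover lan interface fover GigabitEthernet0/4
failover link fover GigabitEthernet0/4
failover interface ip fover 7.7.100.100 255.255.255.0 standby 7.7.100.101
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
! The admin context must be named before any context is created.
admin-context admin
context admin
 config-url disk0:/admin.cfg
!
context c1
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/0
 config-url disk0:/c1.cfg
 join-failover-group 2
!
context c2
 allocate-interface GigabitEthernet0/3
 allocate-interface GigabitEthernet0/1
 config-url disk0:/c2.cfg
 join-failover-group 1
!
! Enable failover last, after groups and contexts exist, so the config
! replicates to ASA2 in one pass.
failover
!
! ---- inside context c1 (changeto context c1) ----
! Standby addresses .11 are PLACEHOLDERS; use the values from the task's output.
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 7.7.3.10 255.255.255.0 standby 7.7.3.11
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 7.7.55.10 255.255.255.0 standby 7.7.55.11
route inside 0.0.0.0 0.0.0.0 7.7.3.2
route inside 7.7.4.0 255.255.255.0 7.7.3.2
route outside 7.7.0.0 255.255.0.0 7.7.55.3
```

ASA2 needs only the mirror image of the failover LAN commands (`failover lan unit secondary`, the same `failover lan interface` and `failover interface ip` lines, then `failover`); contexts and interface configuration are replicated from ASA1. `show failover` in the system context should then list group 1 active on the primary and group 2 active on the secondary, which is what "c1 active on ASA2, c2 active on ASA1" looks like.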


1.4 Initialize and Configure ASA4 (2 points)

ASA4 is to be configured as a single-mode firewall deployed between SW3 and SW6.

You are required to complete the three tasks outlined below.

1) Initialize ASA4 using the following parameters:

Interface   Nameif    Switch Vlans   Sec Level   IP Address
Gi 0/2      Inside    99             100         7.7.99.10/24
Gi 0/0      Outside   14             0           7.7.14.10/24
Gi 0/1      Backup    15             0           7.7.15.10/24

Enable OSPF on the inside interface and outside interface.

Ensure that networks 10.10.110.0 and 10.10.120.0 are added to the routing table on ASA4 but are not propagated into area 0. Verify by checking the routing table on R3.

Verify your solution by pinging from ASA4 as follows:

ASA4# ping 7.7.99.1

ASA4# ping 7.7.14.1

ASA4# ping 7.7.15.1

2) Configure Route Tracking

If the traffic destined for network 150.1.7.0/24 via the outside interface DOES NOT have reachability to 7.7.6.6, then the traffic should be diverted using the backup interface. Use the outside and backup next-hop IPs 7.7.14.1 and 7.7.15.1 respectively.

Re-route the traffic out the backup interface within 2 seconds.

You are allowed to modify any switch parameters as appropriate to achieve this task.


Ensure that the following tests are successful.

On R6, shut down interface gig0/1.2 and verify that the route to the server now points out the backup interface on ASA4.

Bring gig0/1.2 up and verify that the route is restored via the outside interface.
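A tracked static route that implements the route-tracking task above, added as a worked example that is not part of the workbook. It uses the ASA's SLA monitor and track objects; the probe timings are my choice to approach the 2-second requirement, not values the workbook states.

```cisco
! Added example (not from the workbook) for task 1.4 part 2 on ASA4.
! An ICMP echo to 7.7.6.6 is sent out the outside interface every second;
! a reply later than 1000 ms counts as a miss.
sla monitor 1
 type echo protocol ipIcmpEcho 7.7.6.6 interface outside
 num-packets 1
 frequency 1
 timeout 1000
 threshold 1000
sla monitor schedule 1 life forever start-time now
!
! The track object follows the reachability state of SLA operation 1.
track 1 rtr 1 reachability
!
! The primary route stays in the table only while track 1 is up. The backup
! route carries administrative distance 254, so it is installed only after the
! tracked route is withdrawn, and is removed again when the probe recovers.
route outside 150.1.7.0 255.255.255.0 7.7.14.1 1 track 1
route backup 150.1.7.0 255.255.255.0 7.7.15.1 254
```

With a 1-second probe interval and a 1000 ms timeout, one missed probe is detected about a second after the path fails and the route flips on the following poll, which is how the 2-second target is met; `show track 1` and `show route | include 150.1.7.0` show the state change during the R6 shut/no shut test described above. A lower `timeout` is not allowed to exceed `frequency` (in seconds) on the ASA, so these two values have to be changed together.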


1.5 Configure NAT (2 points)

Configure network address translation (NAT) on the Cisco ASA4 using the information given below.

NAT control is required.

Configure address translation for traffic from host 7.7.7.2 such that traffic leaving either the backup or the outside interface is mapped to the interface address.

Ensure that traffic sourced from the 7.7.0.0/16 network and destined to 7.7.0.0/16 or 150.1.0.0/16 is not translated, but is still able to transit ASA4.

Verify your solution using packet-tracer command

ASA4(config)# packet-tracer input inside icmp 7.7.7.2 0 8 7.7.15.1


ASA4(config)# packet-tracer input inside icmp 7.7.99.1 0 8 7.7.15.1


Configure network address translation (NAT) on the Cisco ASA3 using the information given below.

Configure NAT so that the HTTP and Telnet services running on SW1 via 20.20.20.1/24 are statically port-mapped to 7.7.3.20 on the outside and 7.7.8.20 on the dmz.

Verify your solution using packet-tracer command

ASA3(config)# packet-tracer input dmz tcp 7.7.8.3 1234 7.7.8.20 23

ASA3(config)# packet-tracer input outside tcp 7.7.3.2 1234 7.7.3.20 80
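The NAT configuration for both halves of task 1.5, added as a worked example; it is not from the workbook. Because "NAT control is required" only exists in ASA 8.2 and earlier (nat-control was removed in 8.3), the ASA4 part is written in 8.2 syntax, and the same syntax is assumed for ASA3; the workbook does not state which of the listed ASA versions each unit runs, so that is an assumption. The interface names `inside`, `outside`, `backup` and `dmz` are the ones the tasks define.

```cisco
! Added example (not from the workbook). ASA4 first; 8.2 NAT syntax ASSUMED.
nat-control
!
! Identity exemption (NAT 0 with an ACL) is evaluated before any dynamic rule:
! 7.7.0.0/16 talking to 7.7.0.0/16 or 150.1.0.0/16 crosses untranslated.
access-list NONAT extended permit ip 7.7.0.0 255.255.0.0 7.7.0.0 255.255.0.0
access-list NONAT extended permit ip 7.7.0.0 255.255.0.0 150.1.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! Host 7.7.7.2 is PATed to whichever egress interface address applies;
! one nat id can be bound to a global on more than one interface.
nat (inside) 1 7.7.7.2 255.255.255.255
global (outside) 1 interface
global (backup) 1 interface
!
! ---- ASA3: static PAT for SW1's services (20.20.20.1 is reached via inside) ----
! Only the two ports the task names are published on each mapped address.
static (inside,outside) tcp 7.7.3.20 www 20.20.20.1 www netmask 255.255.255.255
static (inside,outside) tcp 7.7.3.20 telnet 20.20.20.1 telnet netmask 255.255.255.255
static (inside,dmz) tcp 7.7.8.20 www 20.20.20.1 www netmask 255.255.255.255
static (inside,dmz) tcp 7.7.8.20 telnet 20.20.20.1 telnet netmask 255.255.255.255
!
! A static alone does not admit traffic from a lower-security interface; the
! inbound ACL must permit exactly the mapped ports and nothing more.
access-list OUTSIDE_IN extended permit tcp any host 7.7.3.20 eq www
access-list OUTSIDE_IN extended permit tcp any host 7.7.3.20 eq telnet
access-list DMZ_IN extended permit tcp any host 7.7.8.20 eq www
access-list DMZ_IN extended permit tcp any host 7.7.8.20 eq telnet
access-group OUTSIDE_IN in interface outside
access-group DMZ_IN in interface dmz
```

Note what the two ASA4 packet-tracer checks above will actually show: both destinations (7.7.15.1) fall inside 7.7.0.0/16, so they hit the NAT 0 exemption and pass untranslated; the interface PAT for 7.7.7.2 only appears for destinations outside the two exempted ranges. For ASA3, the packet-tracer runs should show the `static` translating 7.7.8.20:23 and 7.7.3.20:80 back to 20.20.20.1 and the ACL phase permitting them.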


1.6 Configure Zone-Based Firewall (Class-Based Access List) (5 points)

R4 and R5 should be configured for zone-based firewall, with their outside interfaces being on the 7.7.2.0/24 subnet. Allow the following protocols:

Protocol   Action
OSPFv4     Allow
OSPFv6     Allow
AH         Allow
ESP        Allow
Telnet     Allow
ICMP       Allow

Deny and log in class-default for all other protocols.

Troubleshoot the following tasks

Note: There are 4 breaks in this question, caused either by misconfiguration, missing configuration, or both.

1) OSPF is configured between SW3, R4 and R5; however, the OSPF neighborship is not being established between them. Troubleshoot the issue so that the neighborship is established.

Verify your solution using:


2) OSPFv3 is configured between R4 and R5; however, the OSPF neighborship is not being established between them. Troubleshoot the issue so that the neighborship is established.

Verify your solution using:

3) SW3 cannot ping R4. Troubleshoot the issue.

Verify your solution using:


1.7 Troubleshoot NTP (5 points)

R1 is configured for NTP with SW1; however, R1 is not able to synchronize its time with SW1.

Note: There are 2 breaks in this question, caused either by misconfiguration, missing configuration, or both.

Verify your solution using:


SECTION II – IPS AND CONTEXT SECURITY

2.1 Initialize the Cisco IPS Sensor Appliance (3 points)

Initialize the Cisco IPS Sensor appliance as follows:

Parameters          Settings
Hostname            RACKYYIPS, where YY is your two-digit rack number (for example Rack01IPS for Rack 01, or Rack40IPS for Rack 40)
Management          Configure the command and control Management0/0 interface in VLAN 4
Sensor IP Address   7.7.4.100/24
Default Gateway     7.7.4.1
Sensor ACL          7.7.0.0/16, 150.100.1.0/24, 151.SS.1.0/24, 150.1.7.0/24
Telnet              Enable Telnet management

The username/password for the IPS console is cisco and 123cisco123. DO NOT CHANGE THEM.

Use the console to initialize the Cisco IPS sensor appliance using the details in this table.

Ensure that the Management0/0 interface is up and functioning (refer to the Lab Topology diagram). You can modify the Cisco Catalyst switch configuration if required.

Ensure that the Cisco IPS sensor is able to ping the default gateway and Test-PC:

IPS# ping 7.7.4.1

IPS# ping 150.1.7.100

Ensure that the following ping and telnet connections are successful from SW1:

SW1# ping 7.7.4.100

SW1# telnet 7.7.4.100

2.2 Deploy the Cisco IPS Sensor Using an In-line Interface Pair (8 points)

Configure the Cisco IPS sensor appliance for the inline interface pair as shown in the Lab Topology.

Use the information in the table below to complete the task:


You are allowed to modify the switch parameters as appropriate to achieve this task.

Refer to the lab diagram for the required information.

You may access the IPS management GUI (IME) either from your Test-PC or your local Candidate PC to help with the task. The IME password is Cisc0123. You are allowed to adjust any firewall and/or routing configuration to ensure that this works.

After configuring interface pairing, SW1 is not able to reach R6. Troubleshoot the faults so that SW1 is able to reach R6.

Note: There are 2 breaks in this question, caused either by misconfiguration, missing configuration, or both.

For testing, ensure that these pings are successful from R6.

Parameter        Name   Settings   Vlans   Virtual Sensor Name
Interface pair   C1     G0/2       55      VS2
                        G0/3       33


2.3 Configure the Cisco IPS Sensor for Promiscuous Mode (2 points)

Configure the Cisco IPS in promiscuous mode on Gig0/0.

Promiscuous port   Virtual Sensor   Signature Definition
Gi0/0              vs0              sig0

IPS# show config

2.4 Implement Custom Signatures on the Cisco IPS Sensor (3 points)

A custom signature 62000 is required on the Cisco IPS sensor as follows:

Trigger                Whenever TACACS+ packets are initiated from any device using a source address in the 192.168.0.0 - 192.168.255.255 range
Action                 Verbose Alert
Alert-severity         High
Signature-Definition   2
Virtual Sensor         vs2

To verify your solution, issue the following command on R6:


2.5 Initialize the Cisco WSA and Enable WCCP Support (6 points)

The Cisco WSA has been initialized with IP address 7.7.4.150 and is connected via SW1 in VLAN 4.

Using the Test-PC or Candidate PC, connect to the WSA and configure it as follows.

Connection Information: http://7.7.4.150:8080/ Username=admin Password=ironport

Initialize the Cisco WSA appliance as follows, using the system setup wizard:

Parameters              Settings
Hostname                Wsa.cisco.com
Interface               M1 to be used for data and management
IP Address              7.7.4.150/24
Default Gateway         7.7.4.1
System Information      Admin: ironport, [email protected], time: US/America/LA
NTP Server              7.7.4.1
DNS                     150.1.7.10
L4 Traffic Monitoring   Duplex: T1 (in/out)

Accept all other defaults.

From SW1, verify that you can ping the M1 interface of the WSA:

SW1# ping 7.7.4.150

Configure WCCP redirection from SW1 to the WSA for all HTTP and HTTPS traffic initiated from VLAN 150.


You may have to reboot the WSA after configuring WCCP if show ip wccp shows "Router identifier undetermined".

Use the following to verify your solution from the Test-PC:
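The SW1 side of the WCCP redirection described in task 2.5, added as a worked example that is not from the workbook. Assumptions, also marked in the comments: VLAN 150 is SW1's client-facing SVI, the WSA registers the standard `web-cache` service for HTTP and a dynamic service for HTTPS whose ID (70) is a constructed value that must match what is configured on the WSA, and the Catalyst 3560/3750 platform only supports ingress (`redirect in`) redirection. The `group-list` that restricts which cache engines may register is my addition, not something the task asks for.

```cisco
! Added example (not from the workbook): WCCP redirection on SW1.
! Only the WSA (7.7.4.150) may register as a cache engine for either service;
! without the group-list any host that speaks WCCP could pull client web
! traffic to itself.
access-list 10 permit 7.7.4.150
!
! Standard service 0 (web-cache) carries HTTP. Service 70 is an ASSUMED dynamic
! service ID for HTTPS/443; the same ID must be defined on the WSA.
ip wccp web-cache group-list 10
ip wccp 70 group-list 10
!
! Catalyst 3560/3750 supports ingress redirection only, so it is applied on
! the SVI where the VLAN 150 clients enter the switch.
interface Vlan150
 ip wccp web-cache redirect in
 ip wccp 70 redirect in
```

`show ip wccp` on SW1 should list one usable cache engine per service once the WSA has registered; `show ip wccp web-cache detail` shows the WSA's address and whether packets are actually being redirected, which is the quickest way to separate a registration problem (the "Router identifier undetermined" condition mentioned above) from a redirection one.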


SECTION III – SECURE ACCESS

3.1 Troubleshooting Site-to-Site IPsec VPN Using IKEv2 (6 points)

An IPsec VPN has been partially configured between ASA3 and R6 using IKEv2.

Complete the configuration and troubleshoot the connection to ensure that IPv4 traffic between SW1 interface lo0 (20.20.20.1) and R6 interface lo0 (192.168.6.1).

Use the following output to verify your solution:

R6#show crypto session


3.2 Troubleshoot and Configure GET VPN (6 points)

In this question R2 has been partially configured as the key server (KS), and R1, R4 and R5 are the group members (GMs) that participate in a VRF-aware GETVPN deployment.

Complete the configuration of the spokes and troubleshoot the solution, using the following outputs to verify your solution (the highlighted sections are particularly important).

Verify using the following commands:

R2#show crypto gdoi ks members
Group Member ID    : 7.7.11.17
 Group ID          : 135
 Group Name        : GET-GROUP1
 Key Server ID     : 7.7.4.2

Group Member ID    : 7.7.11.18
 Group ID          : 135
 Group Name        : GET-GROUP1
 Key Server ID     : 7.7.4.2

Group Member ID    : 7.7.11.19
 Group ID          : 135
 Group Name        : GET-GROUP1
 Key Server ID     : 7.7.4.2

Group Member ID    : 7.7.11.33
 Group ID          : 246
 Group Name        : GET-GROUP2
 Key Server ID     : 7.7.4.2

Group Member ID    : 7.7.11.34
 Group ID          : 246
 Group Name        : GET-GROUP2
 Key Server ID     : 7.7.4.2

Group Member ID    : 7.7.11.35
 Group ID          : 246
 Group Name        : GET-GROUP2
 Key Server ID     : 7.7.4.2

R4#show crypto gdoi
GROUP INFORMATION
KEK POLICY
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : xxx
    Encrypt Algorithm        : AES
    Key Size                 : 256
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 2048

R2#show crypto gdoi
Group Name                          : GET-GROUP1 (Unicast)
Group Identity                      : 135
Group Members                       : 3
IPSec SA Direction                  : Both
Group Rekey Lifetime                : 300 secs
Group Rekey Remaining Lifetime      : XX secs
Rekey Retransmit Period             : 10 secs
Rekey Retransmit Attempts           : 3
Group Retransmit Remaining Lifetime : 0 secs
  IPSec SA Number                   : 1
  IPSec SA Rekey Lifetime           : 600 secs
  Profile Name                      : Profile1
  Replay method                     : Count Based
  Replay Window Size                : 64
  SA Rekey Remaining Lifetime       : xxx secs
  ACL Configured                    : access-list VPNA
Group Server list                   : Local

Group Name                          : GET-GROUP2 (Unicast)
Group Identity                      : 246
Group Members                       : 3
IPSec SA Direction                  : Both
Group Rekey Lifetime                : 500 secs
Group Rekey Remaining Lifetime      : XX secs
Rekey Retransmit Period             : 10 secs
Rekey Retransmit Attempts           : 3
Group Retransmit Remaining Lifetime : 0 secs
  IPSec SA Number                   : 1
  IPSec SA Rekey Lifetime           : 600 secs
  Profile Name                      : Profile2
  Replay method                     : Count Based
  Replay Window Size                : 64
  SA Rekey Remaining Lifetime       : xxx secs
  ACL Configured                    : access-list VPNB
Group Server list                   : Local


3.3 Configure Cisco WLC (4 points)

The Cisco WLC 2504 has been bootstrapped with the following settings.

Complete the basic wireless configuration so that it is enabled for two user groups (admin and guest).

Parameters                  Guest          Admin
Vlan Name                   guest          admin
SSID                        guest          admin
Dynamic-Interface Name      dyint2         dyint1
Dynamic-Interface Address   10.10.120.2    10.10.110.2
Subnet                      /24            /24
Gateway                     10.10.120.1    10.10.110.1
Local Username/Password     Guest/cisco

NOTE: To complete this question you may use the CLI or the GUI, whichever is accessible.

Match the following OUTPUT:

(Cisco Controller) > show wlan 11 WLAN Identifier.................................. 11 Profile Name..................................... Admin Network Name (SSID).............................. admin Status........................................... Enabled MAC Filtering.................................... Disabled Broadcast SSID................................... Enabled AAA Policy Override.............................. Disabled Network Admission Control Radius-NAC State............................... Disabled SNMP-NAC State................................. Disabled

Page 34: CCIE Security v4 - Question Set - Final Release - 03-06-2014 - Lab 3.2

CCIESECURITYLABS.COM Final Release 03-JUNE-2014

CCIESECURITYLABS.COM CCIESECURITYLABS.COM

Quarantine VLAN................................ 0 Maximum number of Associated Clients............. 0 Number of Active Clients......................... 1 Exclusionlist Timeout............................ 60 seconds Session Timeout.................................. 1800 seconds CHD per WLAN..................................... Enabled Webauth DHCP exclusion........................... Disabled Interface........................................ dynint1 Multicast Interface.............................. Not Configured WLAN ACL......................................... unconfigured DHCP Server...................................... Default DHCP Address Assignment Required................. Disabled Static IP client tunneling....................... Disabled Quality of Service............................... Silver (best effort) Scan Defer Priority.............................. 4,5,6 Scan Defer Time.................................. 100 milliseconds WMM.............................................. Allowed WMM UAPSD Compliant Client Support............... Disabled Media Stream Multicast-direct.................... Disabled CCX - AironetIe Support.......................... Enabled CCX - Gratuitous ProbeResponse (GPR)............. Disabled CCX - Diagnostics Channel Capability............. Disabled Dot11-Phone Mode (7920).......................... Disabled Wired Protocol................................... None IPv6 Support..................................... Disabled Passive Client Feature........................... Disabled Peer-to-Peer Blocking Action..................... Disabled Radio Policy..................................... All DTIM period for 802.11a radio.................... 1 DTIM period for 802.11b radio.................... 1 Radius Servers Authentication................................ Global Servers Accounting.................................... Global Servers Dynamic Interface............................. Disabled Local EAP Authentication......................... 
Disabled Security 802.11 Authentication:........................ Open System Static WEP Keys............................... Disabled 802.1X........................................ Disabled

Page 35: CCIE Security v4 - Question Set - Final Release - 03-06-2014 - Lab 3.2

CCIESECURITYLABS.COM Final Release 03-JUNE-2014

CCIESECURITYLABS.COM CCIESECURITYLABS.COM

Wi-Fi Protected Access (WPA/WPA2)............. Enabled WPA (SSN IE)............................... Disabled WPA2 (RSN IE).............................. Enabled TKIP Cipher............................. Disabled AES Cipher.............................. Enabled Auth Key Management 802.1x.................................. Enabled PSK..................................... Disabled CCKM.................................... Disabled FT(802.11r)............................. Disabled FT-PSK(802.11r)......................... Disabled FT Reassociation Timeout......................... 20 FT Over-The-Air mode............................. Enabled FT Over-The-Ds mode.............................. Enabled CCKM tsf Tolerance............................... 1000 CKIP ......................................... Disabled Web Based Authentication...................... Disabled Web-Passthrough............................... Disabled Conditional Web Redirect...................... Disabled Splash-Page Web Redirect...................... Disabled Auto Anchor................................... Disabled H-REAP Local Switching........................ Disabled H-REAP Local Authentication................... Disabled H-REAP Learn IP Address....................... Enabled Client MFP.................................... Optional Tkip MIC Countermeasure Hold-down Timer....... 60 Call Snooping.................................... Disabled Roamed Call Re-Anchor Policy..................... Disabled SIP CAC Fail Send-486-Busy Policy................ Enabled SIP CAC Fail Send Dis-Association Policy......... Disabled Band Select...................................... Disabled Load Balancing................................... Disabled Mobility Anchor List WLAN ID IP Address Status ------- --------------- ------ (Cisco Controller) >show wlan 12 WLAN Identifier.................................. 12

Page 36: CCIE Security v4 - Question Set - Final Release - 03-06-2014 - Lab 3.2

CCIESECURITYLABS.COM Final Release 03-JUNE-2014

CCIESECURITYLABS.COM CCIESECURITYLABS.COM

Profile Name..................................... Guest
Network Name (SSID).............................. guest
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ dynint2
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ Global Servers
   Accounting.................................... Global Servers
   Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Enabled
   ACL........................................... Unconfigured
   Web Authentication server precedence:
   1............................................. local
   2............................................. radius
   3............................................. ldap
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   H-REAP Local Authentication................... Disabled
   H-REAP Learn IP Address....................... Enabled
   Client MFP.................................... Optional but inactive (WPA2 not configured)
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled

Mobility Anchor List
WLAN ID     IP Address            Status
-------     ---------------       ------


SECTION IV. System Hardening and Availability

4.1 Enable OSPF v2 Authentication points 4

Enable MD5 authentication for OSPF in area 1. Use the following key: cisco123

Match the Following OUTPUT:
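As an added example that is not part of the workbook, the following Python models what enabling MD5 authentication in area 1 changes on the wire: the router zeroes the OSPF checksum, sets AuType 2, carries the key ID and a cryptographic sequence number in the 64-bit authentication field, and appends MD5(packet || key zero-padded to 16 octets) after the packet (RFC 2328 Appendix D). The receiver picks the key by key ID, recomputes the digest, and rejects packets whose sequence number goes backwards. The router IDs, the Hello body bytes and the key-ring layout are constructed for the illustration; the key cisco123 is the one given in the task.

```python
import hashlib
import hmac
import socket
import struct

OSPF_VERSION = 2
AUTYPE_CRYPTOGRAPHIC = 2   # RFC 2328 Appendix D: AuType 2 = cryptographic authentication
KEY_LEN = 16               # the MD5 key is 16 octets; a shorter configured key is zero-padded
HEADER_LEN = 24


def pad_key(key: bytes) -> bytes:
    """Zero-pad the configured key to 16 octets (what the router does with 'cisco123')."""
    if len(key) > KEY_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 octets")
    return key.ljust(KEY_LEN, b"\x00")


def build_packet(pkt_type: int, router_id: str, area_id: str, body: bytes,
                 key_id: int, seq: int) -> bytes:
    """OSPFv2 header + body prepared for MD5 authentication (digest not yet appended).

    With AuType 2 the checksum field is zero and the Authentication field holds
    2 reserved octets, the Key ID, the Auth Data Length (16) and a 32-bit
    cryptographic sequence number. Length covers header + body, not the digest.
    """
    header = struct.pack("!BBH4s4sHH",
                         OSPF_VERSION, pkt_type, HEADER_LEN + len(body),
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0, AUTYPE_CRYPTOGRAPHIC)
    auth_field = struct.pack("!HBBI", 0, key_id, KEY_LEN, seq)
    return header + auth_field + body


def md5_digest(packet: bytes, key: bytes) -> bytes:
    """RFC 2328 D.4.3: digest = MD5(packet || padded key), appended after the packet."""
    return hashlib.md5(packet + pad_key(key)).digest()


def sign(packet: bytes, key: bytes) -> bytes:
    return packet + md5_digest(packet, key)


def verify(wire: bytes, keyring: dict, last_seq: dict, neighbor: str) -> bool:
    """Receiver side: select the key by Key ID, recompute the digest (constant-time
    compare) and reject sequence numbers that go backwards.

    keyring maps Key ID -> key bytes (one entry per configured message-digest-key);
    last_seq remembers the last accepted sequence per neighbor to drop replays.
    """
    if len(wire) < HEADER_LEN + KEY_LEN:
        return False
    length = struct.unpack("!H", wire[2:4])[0]
    autype = struct.unpack("!H", wire[14:16])[0]
    if autype != AUTYPE_CRYPTOGRAPHIC or len(wire) != length + KEY_LEN:
        return False
    _, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    key = keyring.get(key_id)
    if key is None or auth_len != KEY_LEN:
        return False                      # unknown Key ID: the adjacency never forms
    packet, received = wire[:length], wire[length:]
    if not hmac.compare_digest(md5_digest(packet, key), received):
        return False                      # wrong key or modified packet
    if seq < last_seq.get(neighbor, 0):
        return False                      # replayed packet: sequence must be non-decreasing
    last_seq[neighbor] = seq
    return True


def demo():
    """Two routers in area 1 sharing key ID 1 = cisco123; a second packet uses the wrong key."""
    keyring = {1: b"cisco123"}
    seen = {}
    # Constructed 20-byte Hello body (mask, timers, DR/BDR); its contents do not matter here.
    hello = build_packet(1, "1.1.1.1", "0.0.0.1", b"\x00" * 20, key_id=1, seq=100)
    good = verify(sign(hello, b"cisco123"), keyring, seen, "1.1.1.1")
    bad = verify(sign(hello, b"cisco124"), keyring, seen, "1.1.1.1")
    return good, bad
```

What this shows for the task: both ends of every area 1 link need the same key ID carrying the same key, a mismatch is silent (the neighbor simply never reaches FULL, so check `show ip ospf neighbor` and `debug ip ospf adj`), and the sequence number only protects against replay of older packets. MD5 here is a keyed digest, not an HMAC; where the platform supports it, the HMAC-SHA variants of RFC 5709 are the stronger choice.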


4.2 Configure Remote Switched Port Analyzer (RSPAN) points 5

The Cisco IPS sensor appliance should be configured in promiscuous mode on interface gi0/0.

A 10 Gig interface (1/1/1) is configured as a trunk between SW5 and SW6.

Monitor traffic transmitted from SW6 ports gig 1/0/1-2 and gig 1/0/5 that enters SW5 via Gi1/1/1.

You are allowed to modify the switch parameters as appropriate to achieve this task.

Refer to Diagram Lab Topology for the requested information.

Ensure that the sensor is seeing traffic successfully.

Match the Following OUTPUT:

For testing, the following command shows the traffic being mirrored to this sensor.

IPS# packet display gigabitethernet0/0


4.3 Transit Traffic filtering points 5

Allow only web traffic from the SW3 loopback (63.63.63.0/24) to R3 (36.36.36.1), which is a web server. Make sure all other traffic is dropped. Use the access-list Transit_ACL already preconfigured on R3. Ensure that packets matching the Transit_ACL are logged.

Match the Following OUTPUT:

SECTION V. Threat Identification and Mitigation

5.1 Secure DHCP Environment points 4

Implement a solution on SW3 that restricts IP traffic on untrusted ports Fa0/2 and Fa0/3 to the addresses of R4 and R5 respectively. Do not use DHCP snooping.

Verification:

SW3# show ip source binding aaaa.bbbb.cccc (active is highlighted)

5.2 Configure WLAN Security points 6


The Cisco WLC should be configured to learn the IP addresses of attackers that have been shunned by the Cisco IPS appliance. The WLC can then prevent these clients from joining any wireless network.

The following information should be used to complete this task:

Attribute               Value
IPS Sensor IP address   7.7.4.100
Port                    443
WLC/IPS username        Wlc
WLC/IPS password        123cisco123
WLC wps index value     1

Verification:

5.3 Strict Unicast Reverse Path Forwarding points 4

Ensure strict uRPF is configured for web traffic sourced from the SW3 Loopback (63.63.63.1) to the R3 Loopback (36.36.36.1), and ensure you log the dropped packets using the preconfigured ACL on R3.

Make sure this does not affect question 4.3.

Match the Following OUTPUT:
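Questions 4.3 and 5.3 both hinge on the same ingress logic on R3, so here is one added example (Python, not from the workbook) that models it: a longest-prefix FIB lookup, strict versus loose uRPF, and an ACL with per-entry logging. The interface names, the default route and the deny-and-log ACL attached to uRPF are assumptions; the prefixes and the web-only intent of Transit_ACL come from the task text. It also exercises the interaction worth checking in 5.3: the ACL attached to `ip verify unicast source reachable-via rx <acl>` decides the fate of packets that fail the check, so a permit entry in that ACL lets a spoofed packet through (logged), while a deny entry drops it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int]
    in_iface: str              # interface the packet arrived on


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    dport: Optional[int] = None
    log: bool = False


def lpm(fib: Dict[str, str], addr: str):
    """Longest-prefix match over a {prefix: outgoing interface} table."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_passes(pkt: Packet, fib: Dict[str, str], mode: str = "strict",
                allow_default: bool = False) -> bool:
    """strict (reachable-via rx): the best route to the source must point back out
    the ingress interface. loose (reachable-via any): any route suffices. In both
    modes a default route only counts when allow-default is configured."""
    route = lpm(fib, pkt.src)
    if route is None:
        return False
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == pkt.in_iface if mode == "strict" else True


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(ace.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(ace.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


def acl_eval(acl: List[Ace], pkt: Packet) -> Tuple[str, bool]:
    """First matching entry wins; the implicit deny at the end is never logged."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.log
    return "deny", False


def ingress(pkt: Packet, fib: Dict[str, str], transit_acl: List[Ace],
            urpf_acl: List[Ace], mode: str = "strict") -> Tuple[str, List[str]]:
    """Model of R3's ingress path: uRPF first, then the interface ACL (the exact
    order is platform specific; this is an assumption of the model).

    A packet that fails uRPF is evaluated against urpf_acl: a deny entry drops it
    (logged when the entry carries 'log'); a permit entry lets it continue anyway.
    Returns (verdict, log lines)."""
    logs: List[str] = []
    flow = f"{pkt.proto} {pkt.src}->{pkt.dst}" + (f":{pkt.dport}" if pkt.dport else "")
    if not urpf_passes(pkt, fib, mode):
        action, log = acl_eval(urpf_acl, pkt)
        if log:
            logs.append(f"uRPF-FAIL {action} {flow} in {pkt.in_iface}")
        if action == "deny":
            return "drop", logs
    action, log = acl_eval(transit_acl, pkt)
    if log:
        logs.append(f"Transit_ACL {action} {flow}")
    return ("forward" if action == "permit" else "drop"), logs


# Constructed data mirroring tasks 4.3 / 5.3. Interface names and the default
# route are assumptions; prefixes and the ACL intent come from the task text.
R3_FIB = {
    "63.63.63.0/24": "Gi0/1",        # SW3 loopback range, via the SW3-facing link (assumed name)
    "36.36.36.1/32": "Loopback0",    # R3's own web-server address
    "0.0.0.0/0": "Gi0/0",            # default route toward the rest of the lab (assumed)
}
TRANSIT_ACL = [
    Ace("permit", "tcp", "63.63.63.0/24", "36.36.36.1/32", dport=80, log=True),
    Ace("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", log=True),   # explicit so drops are logged
]
URPF_LOG_ACL = [Ace("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", log=True)]


def demo():
    legit = Packet("63.63.63.1", "36.36.36.1", "tcp", 80, "Gi0/1")
    spoofed = Packet("63.63.63.1", "36.36.36.1", "tcp", 80, "Gi0/0")  # SW3's source on the wrong link
    return (ingress(legit, R3_FIB, TRANSIT_ACL, URPF_LOG_ACL),
            ingress(spoofed, R3_FIB, TRANSIT_ACL, URPF_LOG_ACL))
```

Two things to carry into the lab: strict mode only works on interfaces where routing is symmetric (otherwise legitimate return traffic fails the check), and if the ACL you attach to uRPF is the same web-permitting Transit_ACL, a spoofed web packet would be forwarded rather than dropped, which is why the example attaches a separate deny-and-log ACL.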


SECTION VI. Identity Management

6.1 Configure Support for MAB/802.1X for Voice and Data VLANs

Part A: Authentication and Authorization of Cisco IP Phone with MAB (5 points)

The Cisco IP Phone is connected to the interface g1/0/1 on SW6. It receives an IP address via DHCP from the 7.7.9.0/24 subnet and registers with CUCME on R6 (via 7.7.20.3).


The requirement is to add security to this connection through authentication and authorization on SW6 using MAC Authentication Bypass (MAB) to assign the RADIUS attributes required to move the phone into the voice VLAN.

Use the following information to complete this task:

- Create an Endpoint Identity for the IP Phone in your Rack on ISE1 (150.1.7.20)

- Verify that you have an authentication rule for MAB on the Cisco ISE.

- Verify that the standard authorization policy for Cisco IP Phones exists and is allowing a permit on all traffic on ISE1.

- Configure g1/0/1 on SW6 to support a voice VLAN (9) and data VLAN (99)

- Voice VLAN will support MAB for authentication

- Data VLAN will provide support for the Test-PC, which must connect through the phone using 802.1X.

- SW6 must attempt a MAB authentication first after learning the MAC address of an Endpoint.

- If MAB is not successful, 802.1X endpoints should be allowed to connect.

The following output should be used to verify your solution


Part B: (5 points)

Authentication and Authorization of 802.1X Client through a Cisco IP Phone

The Test-PC must be allowed to connect through the authenticated Cisco IP Phone

1. SW6 G1/0/1 should have been configured to support a voice and data VLAN in Part A of this question.


2. Configure an Authorization Profile and Authorization Policy rule for the Test-PC on ISE1 using the following information:

Attribute           Value
Group Name          Test-PC_Group
Username/Password   test-PC/Cisc0123
Access Type         Access_Accept
Common Tasks        DACL Name: DATA_VLAN_DACL
                    DACL Policy: permit ip any any
                    Vlan: 99


6.2 Configure Local Web Authentication With Wired Clients points 6

You are required to configure support for the Test-PC behind the Cisco IP phone via Local Web Auth on SW6 (RADIUS source interface 7.7.99.1/vlan99) and ISE1 (150.1.7.20).

This builds on the solution to Q6.1.

The following tasks outline the requirement for this question

• Create an identity for a guest user on ISE1 that will be used for authentication and then mapped to an authorization policy

• Web Auth should be added to the existing MAB and 802.1X policies from Q6.1 and used as the fallback method

• Configure an Authorization profile and Authorization Policy rule for Web Auth as follows:


Attribute                             Value
Name                                  WEB_AUTH
Description                           Policy For Local Web Auth
Access Type                           Access_Accept
Common Tasks                          DACL Name: WEB_AUTH_DACL
                                      DACL Policy:
                                        permit icmp any any
                                        permit udp any any eq domain
                                        permit tcp any any eq www
                                        permit tcp any any eq 443
                                      Vlan: 99
Web Authentication (Local Web Auth)   Username: guest
                                      Password: Cisco123
Pre-Web-Auth ACL (already on SW6)     PRE-WEB-AUTH

Note:

- Do not lock yourself out of SW6; take care with the default method.

To verify your solution you must disable 802.1X supplicant functionality on the Test-PC as shown below:


On SW6, issue the following command:

SW6# clear authentication session

Then, from the Test-PC, connect to 7.7.15.1 to trigger the web authentication policy.

Enter the guest/Cisco123 credentials you were asked to create on ISE1.

Use the following outputs to help with this verification:


SW6#show authentication session int g1/0/1
interface GigabitEthernet1/0/1
MAC Address: 000c.290d.0c22
IP Address: 7.7.99.9
User-Name: 000c290d0c22
Status : Authz Success
Domain : DATA
Security Policy : Should Secure
Security Status : Unsecure
Oper host mode : multi-auth
Oper control dir : both
Authorized By : Authentication Server
Vlan Group : 99
ACS ACL : xACSACLx-IP-WEB_AUTH_ACL-5043b6tf
Session timeout : N/A
idle timeout : N/A
Common Session ID: C0A84242000000AB51DD1DBC
Acct Session ID : 0x000000EA

Runnable methods list
      Method    State
      mab       Failed over
      dot1x     Failed over
      webauth   Authc Success
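As an added example (Python, not part of the workbook), the following models the method-list fallback that produces the session shown above: MAB is tried first, then 802.1X, then local web authentication, with the credentials, VLANs and DACL names quoted in 6.1 and 6.2. ISE1's identity stores are replaced by dictionaries, the phone's MAC address is constructed, and the Test-PC's MAC is the one in the output above.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for ISE1's identity stores. Credentials, VLANs and DACL
# names are the ones quoted in 6.1/6.2; the phone's MAC is made up.
MAB_ENDPOINTS = {"0011.2233.4455": "Cisco-IP-Phone"}   # endpoint identity -> matching policy
DOT1X_USERS = {"test-PC": "Cisc0123"}                   # Part B user in Test-PC_Group
WEBAUTH_USERS = {"guest": "Cisco123"}                   # 6.2 guest identity

# What the matching authorization rule returns to the switch.
AUTHZ = {
    "Cisco-IP-Phone": {"domain": "VOICE", "vlan": 9, "dacl": None},
    "Test-PC_Group":  {"domain": "DATA", "vlan": 99, "dacl": "DATA_VLAN_DACL"},
    "WEB_AUTH":       {"domain": "DATA", "vlan": 99, "dacl": "WEB_AUTH_DACL"},
}


@dataclass
class Endpoint:
    mac: str
    dot1x_identity: Optional[Tuple[str, str]] = None   # None: no supplicant, EAP requests time out
    web_login: Optional[Tuple[str, str]] = None         # what the user types on the portal


def run_mab(ep: Endpoint) -> Tuple[bool, Optional[str]]:
    """MAB: the MAC is the username; success only if ISE knows the endpoint."""
    profile = MAB_ENDPOINTS.get(ep.mac)
    return (profile is not None, profile)


def run_dot1x(ep: Endpoint) -> Tuple[bool, Optional[str]]:
    """802.1X: a missing supplicant behaves like a failed method once the
    EAPOL retries (tx-period x max-reauth-req) are exhausted."""
    if ep.dot1x_identity is None:
        return (False, None)
    user, pw = ep.dot1x_identity
    return (DOT1X_USERS.get(user) == pw, "Test-PC_Group")


def run_webauth(ep: Endpoint) -> Tuple[bool, Optional[str]]:
    """Local web auth: the switch's portal (reachable through PRE-WEB-AUTH)
    collects credentials and the switch forwards them to ISE."""
    if ep.web_login is None:
        return (False, None)
    user, pw = ep.web_login
    return (WEBAUTH_USERS.get(user) == pw, "WEB_AUTH")


METHODS: Dict[str, Callable[[Endpoint], Tuple[bool, Optional[str]]]] = {
    "mab": run_mab, "dot1x": run_dot1x, "webauth": run_webauth,
}


def authenticate(ep: Endpoint, order=("mab", "dot1x", "webauth")):
    """Walk the method list the way 'authentication order mab dot1x webauth' with
    'authentication event fail action next-method' does: a failing method hands
    over to the next one ("Failed over"); the first success ends the walk and the
    remaining methods stay "Not run". Returns (session, method states)."""
    states = {m: "Not run" for m in order}
    for i, method in enumerate(order):
        ok, profile = METHODS[method](ep)
        if ok:
            states[method] = "Authc Success"
            return {"status": "Authz Success", "method": method, **AUTHZ[profile]}, states
        states[method] = "Failed over" if i < len(order) - 1 else "Authc Failed"
    return {"status": "Authz Failed", "method": None}, states
```

With the supplicant disabled, the Test-PC walks all three methods and ends with mab and dot1x "Failed over" and webauth "Authc Success", which is the state the `clear authentication session` step forces the switch to rebuild; with the supplicant enabled the same PC stops at dot1x and receives DATA_VLAN_DACL instead. The order also shows why the lockout note matters: the last method in the list is the only one whose failure is terminal.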


YOUR GATEWAY TO SUCCESS TOWARDS CCIE LAB

ACTIVE CLIENTS WILL GET VERY SPECIAL DISCOUNTS ON OTHER CCIE TRACKS

KINDLY VISIT FOR FURTHER INFORMATION

CCIE SECURITY ----> WWW.CCIESECURITYLABS.COM

CCIE WIRELESS ----> WWW.CCIEWIRELESSLABS.COM

CCIE DATACENTER ----> WWW.CCIEDATACENTERLABS.COM

CCIE VOICE ----> WWW.CCIEVOICELABS.COM

CCIE R&S ----> WWW.CCIERNSLABS.COM

KINDLY CONTACT US AT [email protected] FOR FURTHER INFORMATION ON OTHER TRACKS

LAUNCHED!!!

CCIE COLLABORATIONS -----> WWW.CCIECOLLABORATIONLABS.COM


Thank You for using cciesecuritylabs workbooks.