your partner for success ccie security v5 lab access guide · introduction cloudmylab offers a...

Your partner for Success

CCIE Security v5 Lab Access Guide

Version 1.9

Author: Cloudmylab Support

Contents

Introduction ........................................................................................................................................................... 4

Audience ................................................................................................................................................................ 4

Disclaimer .............................................................................................................................................................. 4

Legal Liability .......................................................................................................................................................... 4

Topology ................................................................................................................................................................ 4

Devices Used .......................................................................................................................................................... 7

Physical Devices .............................................................................................................................................. 7

Virtual Devices ................................................................................................................................................ 7

Getting Access to the POD ...................................................................................................................................... 8

DEVICE ACCESS ....................................................................................................................................................... 9

How to access the devices .................................................................................................................................. 9

Guest Machine Reload ........................................................................................................................................ 9

Retrieve Snapshots ........................................................................................................................................... 12

Setup WLC and WSA for Lab ............................................................................................................................. 13

Setup ISE for Lab ............................................................................................................................................... 13

Setting up Routers and ASAs for the lab ............................................................................................................ 14

Accessing the Devices console .......................................................................................................................... 15

Device List..................................................................................................................................................... 15

Devices CLI Credentials ................................................................................................................................. 16

Quick Device access .......................................................................................................................................... 17

Virtual Device Access ........................................................................................................................................ 17

Example Method 1 for Virtual Devices with CLI access .................................................................................. 18

Example Method 2 for Virtual Devices with CLI Access .................................................................................. 19

Accessing Windows Based machines................................................................................................................. 19

Example Method 1 for windows based Device: ............................................................................................. 19

Example Method 2 for windows based Device .............................................................................................. 21

LAB Devices IP Details ........................................................................................................................................... 21

Physical Connectivity ............................................................................................................................................ 22

FIREWALLS........................................................................................................................................................ 22

Switches ........................................................................................................................................................... 22

IP And VLAN MAP ................................................................................................................................................. 23

Virtualization Logic ............................................................................................................................................... 26

Lab Shortcuts........................................................................................................................................................ 27

Introduction

Cloudmylab offers a platform to run any lab topology. CCIE Security v5 lab has been adopted from various vendors

and is built on the topology and configuration provided by them. We have designed this lab with customers and

online forum feedback. The Lab topology mentioned below is mostly virtual and it aligns with Cisco’s CCIE V5

blueprint.

Audience

This lab guide is intended for the students who are preparing for CCIE Security V5 and wish to use our platform for

practicing the CCIE labs.

Disclaimer

These labs have been designed and built by topology provided by vendors selling CCIE workbooks and online

student forums. Cloudmylab is not responsible for the accuracy of the labs or workbooks. Cloudmylab does not

endorse any CCIE workbook vendor or company. We have designed our platform per Cisco’s blueprint and it can

be used for any lab scenario. Students will be responsible for loading any pre-configuration.

Cloudmylab does not sell any workbooks or CCIE topology.

Legal Liability

Cloudmylab is an IAAS (Infrastructure as a service), PAAS (Platform as a service) and LAAS (LAB as a service)

provider. Cloudmylab either owns or lease the equipment used in the certification labs or proof of concept labs.

Cloudmylab uses all genuine software either procured or evaluation from the manufacturer. Cloudmylab

encourages its users to use their own licensing and/or lease it from Cloudmylab. Cloudmylab doesn’t resell

hardware, software or licensing.

Cloudmylab has no liability for software and licensing used by the customer in their purchased service instance.

Cloudmylab doesn’t endorse any Cisco Certification labs workbook Vendors. Cloudmylab doesn’t endorse any Juniper Certification labs workbook Vendors. Cloudmylab doesn’t endorse any Microsoft Certification labs workbook Vendors. Cloudmylab doesn’t endorse any VMware Certification labs workbook Vendors.

Topology

The following topology has been adopted from CCIE University, this is a topology available on online forums and

vendors page. Cloudmylab offers a platform to run topologies and in no way own or endorse any vendor topology.

Figure 1

Figure 2

Figure 3

Devices Used

Physical Devices

This section details physical devices and software version in the topology.

Device Name Device Model Software Version

ASA1 ASA5515X 9.6.1

ASA2 ASA5515X 9.6.1

ASA3 ASA5512X 9.6.1

ASA4 ASA5512X 9.6.1

SW1 C3750X 12.2 58(SE)

SW2 C3560X 12.2 58(SE) Table 1

Virtual Devices

This section details virtual devices and the software version used in the topology.

Device Name Device Model Software Version

R1 CSR1000v 03.16.06.S

R2 CSR1000v 03.16.06.S

R3 CSR1000v 03.16.06.S

R4 CSR1000v 03.16.06.S

R5 CSR1000v 03.16.06.S

R6 CSR1000v 03.16.06.S

R7 CSR1000v 03.16.06.S

R8 CSR1000v 03.16.06.S

R9 CSR1000v 03.16.06.S

R10 CSR1000v 03.16.06.S

R11 CSR1000v 03.16.06.S

R12 CSR1000v 03.16.06.S

R13 CSR1000v 03.16.06.S

R14 CSR1000v 03.16.06.S

R15 CSR1000v 03.16.06.S

R16 CSR1000v 03.16.06.S

R17 CSR1000v 03.16.06.S

R18 CSR1000v 03.16.06.S

ASAv1 ASAv 9.6.2

ASAv11 ASAv 9.6.2

ASAv2 ASAv 9.6.2

ASAv22 ASAv 9.6.2

ISE ISE-VM-K9 2.1

vWLC WLC-VM 8.5

WSA WSA-VM 9.1.1-041

NGIPS FP-NGIPS 6.1

FMC FP-FMC 6.1

AMP FP-AMP 6.1

Table 2

Getting Access to the POD

1. There are two methods you can get access to the access detail as mentioned below:

a.) Check for the URL and Port Number in the email from [email protected]

Figure 4

b.) You can alternatively log in to your account and under ‘my account’ > Rack access, you will see the details

Figure 5

mailto:[email protected]

2. Please login with the credentials provided.

Figure 6

3. After logging in successfully, you will see a customized Desktop from where you can access all the devices.

DEVICE ACCESS

This section details how to access the physical and virtual devices.

How to access the devices

Starting the lab environment: https://www.youtube.com/watch?v=rYMvbJci70E (Needs updating)

Guest Machine Reload

1. Once you get the access to the Guest Desktop Environment,

A.) Open the VMware vSphere client and login with the details in table below:

Rack Rack-1 Rack-2

IP Address/hostname 192.168.130.39 192.168.130.37

Username ccisesec ccisesec

Password Ccie123! Ccie123!

Table 3

http://www.youtube.com/watch

Figure 7

2. Reload the Guest Virtual Machines in the table below using the VMware vSphere Client before you start your

lab.

Windows machine

Wireless-PC MS-AD

MAB-CLIENT

DOT1X-PC Table 4

The steps below explain how to reload a Virtual Machine:

Step 1: After your successful login to ESX host, select the guest machine.

Figure 8

Step 2: Right Click on the guest machine, click on power and select Power Off.

Figure 9

Step 3: Wait for VM to power off, then right click on the guest machine, click on power and select Power On

Figure 10

Retrieve Snapshots

1. Retrieve the snapshot for the Guest Virtual Machines in the table below using the VMware

vSphere Client before you start your lab.

Virtual Machines NGIPS

FMC

AMP Table 5

Step1: Right Click on the machine -Snapshotsnapshot manager

Figure 11

Step2: Under Snapshot Manager Click on the BASE-CONF -GO To

Figure 12

Setup WLC and WSA for Lab

Simply restart both WLC and WSA to reset the configuration.

Step1: Right Click on the machine -PowerPower Off

Step2: Right Click on the machine -PowerPower On

Setup ISE for Lab

This section defines how to setup ISE for the lab use. Please follow the steps carefully.

1. Go to Administration > Backup & Restore.

2. Select FTP from the drop-down menu for ‘History for Repository’.

3. Select the lab you want to restore to. When prompted for encryption key, type ISEisC00L and select

‘Restore ADE-OS configuration’.

Figure 13

Note: You will have to again join the AD and re-generate the CA certificates.

Setting up Routers and ASAs for the lab

Step 1: Open Secure CRT, close any tabs if already open. Step 2: Under –Erase folder, double click the device that you want to reset.

Accessing the Devices console

A.) Device Access – All the devices are pre-setup for console access and follow the screenshots for a quick access.

Device List

The table below contains the list of devices and their console access details. Terminal Server is a server which

host the console connections, do not confuse this with actual device IP.

Device Name

Device

Rack-1 Rack-2

Port No Terminal IP address Port No IP address

R1 1501 192.168.130.39 1501 192.168.130.37

R2 1502 192.168.130.39 1502 192.168.130.37

R3 1503 192.168.130.39 1503 192.168.130.37

R4 1504 192.168.130.39 1504 192.168.130.37

R5 1505 192.168.130.39 1505 192.168.130.37

R6 1506 192.168.130.39 1506 192.168.130.37

R7 1507 192.168.130.39 1507 192.168.130.37

R8 1508 192.168.130.39 1508 192.168.130.37

R9 1509 192.168.130.39 1509 192.168.130.37

R10 1510 192.168.130.39 1510 192.168.130.37

R11 1511 192.168.130.39 1511 192.168.130.37

R12 1512 192.168.130.39 1512 192.168.130.37

R13 1513 192.168.130.39 1513 192.168.130.37

R14 1514 192.168.130.39 1514 192.168.130.37

R15 1515 192.168.130.39 1515 192.168.130.37

R16 1516 192.168.130.39 1516 192.168.130.37

R17 1517 192.168.130.39 1517 192.168.130.37

R18 1518 192.168.130.39 1518 192.168.130.37

SW1 2079 192.168.130.39 2079 192.168.190.156 SW2 2078 192.168.130.39 2078 192.168.190.156

ASA1 2074 192.168.130.39 2074 192.168.190.156 ASA2 2075 192.168.130.39 2075 192.168.190.156

ASA3 2076 192.168.130.39 2076 192.168.190.156

ASA4 2077 192.168.130.39 2077 192.168.190.156 AP1 2080 192.168.130.39 2080

192.168.190.156

Terminal Server 23 192.168.130.39 23 192.168.190.156

ASAv1 1539 192.168.130.39 1539 192.168.130.37

ASAv11 1540 192.168.130.39 1540 192.168.130.37 ASAv2 1538 192.168.130.39 1538 192.168.130.37

ASAv22 1537 192.168.130.39 1537 192.168.130.37 ASAv1 1539 192.168.130.39 1539 192.168.130.37

ISE 1534 192.168.130.39 1534 192.168.130.37

vWLC 1522 192.168.130.39 1522 192.168.130.37

WSA 1533 192.168.130.39 1533 192.168.130.37

NGIPS 1520 192.168.130.39 1520 192.168.130.37

FMC 1519 192.168.130.39 1519 192.168.130.37

AMP 1536 192.168.130.39 1536 192.168.130.37

Table 6

Devices CLI Credentials

Table below contains the credentials to access CLI for the undermentioned devices:

Device Name Username Password

R1 cisco cisco

R2 cisco cisco

R3 cisco cisco

R4 cisco cisco

R5 cisco cisco

R6 cisco cisco

R7 cisco cisco

R8 cisco cisco

R9 cisco cisco

R10 cisco cisco

R11 cisco cisco

R12 cisco cisco

R13 cisco cisco

R14 cisco cisco

R15 cisco cisco

R16 cisco cisco

R17 cisco cisco

R18 cisco cisco

SW1 cisco cisco SW2 cisco cisco

ASA1 cisco cisco ASA2 cisco cisco

ASA3 cisco cisco

ASA4 cisco cisco AP1 Cisco Cisco

Terminal Server cisco cisco

ASAv1 cisco cisco

ASAv11 cisco cisco ASAv2 cisco cisco

ASAv22 cisco cisco ASAv1 cisco cisco

ISE admin Ccie123

vWLC admin Ccie123

WSA admin ironport

NGIPS admin Ccie123

FMC admin Ccie123

AMP admin Ccie123

CUCM administrator cciecollab

Table 7

Quick Device access

This section details on how to access the devices via CLI:

1. Click on SecureCRT.

Figure 14

Virtual Device Access

Virtual devices can be accessed using two methods:

1. Using Secure CRT CLI. Its strongly recommended to use terminal emulator to access all the Virtual Routers and

Firewall.

2. Using the vSphere Console

Example Method 1 for Virtual Devices with CLI access

Open SecureCRT >> Click on the Plus Sign against Virtual Device >> Select the relevant device

Figure 15

Example Method 2 for Virtual Devices with CLI Access

Open Vmware Vsphere Client >> right click on the relevant machine >> click open console

Figure 16

Accessing Windows Based machines

There are 4 Windows Based machines as follows:

Machine Rack-1 MGMT IP Rack-2 MGMT IP Username Password

Wireless-PC 150.1.7.204 150.1.7.204 admin Ccie123

Windows Server

AD

150.1.7.200 150.1.7.200 admin Ccie123

Dot1x PC 150.1.7.202 150.1.7.202 admin Ccie123

MAB-PC 150.1.7.203 150.1.7.203 admin Ccie123

Table 8

Example Method 1 for windows based Device:

Click on the remote desktop shortcut on the desktop, you will see 4 shortcuts and named appropriately.

Enter the username and password when prompted

Figure 17

Example Method 2 for windows based Device

Open Vmware Vsphere Client >> right click on the relevant machine >> click open console

Figure 18

LAB Devices IP Details

This section details the management IP assigned to the following virtual machines in the table below.

Please do refer to the topology as well.

IP Address Device Name

150.1.7.200 AD

150.1.7.201 Candidate PC

150.1.7.204 Wireless PC

150.1.7.206 NGIPS

150.1.7.211 FMC

150.1.7.212 ISE

150.1.7.213 WSA

150.1.7.214 vWLC

150.1.7.215 CUCM

150.1.7.216 AMP

150.1.7.217 AMP

Table 9

Physical Connectivity

This Section explains the physical Connectivity

FIREWALLS

PHYSICAL FIREWALL CONNECTIONS

From interface To interface

ASA3 Management0/0 SW2 GigabitEthernet0/3

ASA3 GigabitEthernet0/1 SW2 GigabitEthernet0/1


ASA4 Management0/0 SW2 GigabitEthernet0/6



ASA1 GigabitEthernet0/0 SW1 GigabitEthernet 1/0/1








Table 10

Switches

PHYSICAL SWITCHES

From interface To interface

SW1 GigabitEthernet1/0/12 ESX Server 0

SW1 GigabitEthernet1/0/10 SW2 GigabitEthernet0/10

SW2 GigabitEthernet0/7 AP G0

SW2 GigabitEthernet0/9 IP PHONE GigabitEthernet0 Table 11

IP And VLAN MAP

R1

INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE

GigabitEthernet1 4002 10.1.11.10 ASA1_V GigabitEthernet0/1

GigabitEthernet2 4003 10.1.22.10 ASA2_V GigabitEthernet0/1

GigabitEthernet3 150 150.1.7.231 VSWITCH-MGMT NA

GigabitEthernet4 11 10.1.12.1 NGIPS GigabitEthernet0/1

R2



GigabitEthernet2 11 10.1.12.2 NGIPS GigabitEthernet0/0

GigabitEthernet3 12 10.1.23.2 R3 GigabitEthernet2

R3


GigabitEthernet1 150 NA VSWITCH-MGMT NA


GigabitEthernet3 20 10.1.20.3 SW1_V GigabitEthernet1/0/9



R4



GigabitEthernet2 TRUNK NA SW1_V GigabitEthernet0/1


GigabitEthernet3.100 100 10.1.45.4 R5 GigabitEthernet3.100



R5








R6





GigabitEthernet3.1 2 10.100.2.6 ASA1 GigabitEthernet0/1

GigabitEthernet3.2 3 10.100.3.6 ASA2 GigabitEthernet0/2


R7


GigabitEthernet1 4 10.100.4.7 VSWITCH-MGMT

R8



R9





GigabitEthernet3.1 6 10.100.6.9 ASA1

GigabitEthernet3.2 7 10.100.7.9 ASA2


R10






R11





R12



GigabitEthernet2 150



R13




GigabitEthernet3 8 10.100.8.13 ASA4 GigabitEthernet0/1


R14





R15






R16





R17





R18






Table 12

Virtualization Logic

The diagram explains how the devices are connected virtually and physically. ESX server is connected over a trunk and that is how all logical devices are logically connected to the switch

Example:

Follow the red dotted line for the Traffic Flow. If I was sending a Packet from R13 to ASA 4, here is how the packet will get to the ASA

1. VSWITCH will add a tag of VLAN 1008 and forward it to the SWITCH 2. Switch 1 will Forward it to the trunk based on the ARP info to SW2 3. SW2 will look for ARP and forward it to the Firewall.

4. Now based on the Firewall Rules, Firewall will allow or drop the packet

Lab Shortcuts

1. Starting a lab with Specific configuration:

Open the physical device console > login > dir flash:

#copy flash:base-config startup

Reload

Check out the video: https://www.youtube.com/watch?v=I72ExquNIFA

2. Clearing console line to get access: Under SecureCRT click on the plus sign against

Clear line and Select relevant device to clear

Vlan

3. Reloading the devices: All the devices are connected to managed power PDU and you can use the

shortcut to boot the devices

To get support open a ticket on Support Page or send an email to [email protected].

Please check the documentation and FAQs beforehand.

-------------------------------------------------------END OF Document-------------------------------------------------------

https://www.youtube.com/watch?v=I72ExquNIFA

https://cloudmylabcom.freshdesk.com/support/home

mailto:[email protected]

https://cloudmylabcom.freshdesk.com/support/solutions/folders/19000097837

your partner for success ccie security v5 lab access guide · introduction cloudmylab offers a...

Documents