QUESTIONS LAB 1 WORKBOOK

Real Labs V1

www.cciesecuritylabs.com

CCIESECURITYLABS.COM 15-June-2013

Initial Guidelines

1. Read all of the questions in a section before you start the configuration. It is even recommended that you read the entire lab exam before you proceed with any configuration.

2. Exam questions have dependencies on others. Read through the entire workbook to help identify these questions and the best order of configuration. Sections do not have to be completed in the order presented in the workbook.

3. Most questions include verification output that can be used to check your solutions. Highlighted sections in the verification output displays MUST be matched to ensure correctness.

4. If you need clarification of the meaning of a question, or if you suspect that there may be hardware issues in your equipment, contact the onsite lab proctor as soon as possible.

5. The equipment on the rack assigned to you is physically cabled, so do NOT tamper with it. Before starting the exam, confirm that all devices in your rack are in working order. During the exam, if any device is locked or inaccessible for any reason, you must recover it. When you finish the exam, ensure that all devices are accessible to the grading proctor. A device that is not accessible for grading cannot be marked and may cause you to lose substantial points.

6. Knowledge of implementation and troubleshooting techniques is part of the lab exam.

7. Points are awarded only for working configurations. Towards the end of the exam, you should test the functionality of all sections of the exam.

8. You will be presented with preconfigured routers and switches in your topology. The routers and switches are preconfigured with basic IP addressing, hostname, enable password (cisco), switching, VTP, VLANs, Frame Relay DLCI mapping, IP routing and console port configuration. Do NOT change any of the preconfigurations at any time, unless the change is specified in a question.

9. Throughout the exam, assume these values for variables if required:
- YY is your two-digit rack number. For example, the YY value for Rack 01 is 01 and for Rack 11 is 11.
- SS is your Site ID for the lab exam location. Read the next page for your location.
- BB is the backbone number. For example, the BB value for Backbone 2 is 2. Backbone subnets use the following address convention: 150.BB.YY.0/24. Do NOT change backbone addresses unless you are instructed to do so.
- X is your router number. For example, the value of X for Router 1 is 1, and for Switch 1 & 2 it is 7 & 8 respectively.
- Z is any number.

10. You are allowed to add static and default routes (if required) on any device.

11. In any configuration where additional addressing is indicated in the Lab Topology Diagram, ensure that the additional addressing does not conflict with a network that is already used in your topology. The preconfigured routing protocols are shown in the Lab Routing Diagram.

12. Full access to the VMware ESXi Server from your workstation is provided. Use the username admin and the password cisco to log in. You can add, modify or delete any settings on the Cisco Secure ACS, Test-PC and Cisco ISEs as required in the question.

13. All device names, access information and username/password combinations are summarized on the following pages. Do NOT change these settings.


CCIE Security Lab Equipment and Software v4.0

Hardware

- Cisco 3800 Series Integrated Services Routers (ISR)
- Cisco 1800 Series Integrated Services Routers (ISR)
- Cisco 2900 Series Integrated Services Routers (ISR G2)
- Cisco Catalyst 3560-24TS Series Switches
- Cisco Catalyst 3750-X Series Switches
- Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances
- Cisco IPS 4200 Series Intrusion Prevention System sensors
- Cisco S-series Web Security Appliance
- Cisco ISE 3300 Series Identity Services Engine
- Cisco WLC 2500 Series Wireless LAN Controller
- Cisco Aironet 1200 Series Wireless Access Point
- Cisco IP Phone 7900 Series*
- Cisco Secure Access Control System

Notes:
The ASA appliances can be configured using CLI or ASDM/Cisco Prime Tools.
*Device authentication only; provisioning of IP phones is NOT required.

Software Versions

- Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
- Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE
- Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
- Cisco IPS Software Release 7.x
- Cisco VPN Client Software for Windows, Release 5.x
- Cisco Secure ACS System software version 5.3x
- Cisco WLC 2500 Series software 7.2x
- Cisco Aironet 1200 Series AP Cisco IOS Software Release 12.4J(x)
- Cisco WSA S-series software version 7.1x
- Cisco ISE 3300 Series software version 1.1x
- Cisco NAC Posture Agent v4.X
- Cisco AnyConnect Client v3.0X


Summary of Username and Password for All Devices

Device        Username   Password
Router        cisco      Cisco
Switches      cisco      Cisco
IPS           cisco      123cisco123
WSA           admin      Ironport
WLC           cisco      Cisco123
AP            ciscoAP    CCie123
ESXi Server   admin      Cisco
ISE           admin      Ise@123
ACS           admin      Acs@123
ASA           admin      Asa@123
Test-PC       Test-PC    Cisco123


Topology 1: Test PC and VMware ESXi Server

Topology 2: Local Candidate PC

Topology 3: Switch Cabling

Topology 4: Layer 2
On R1

Pre-Configuration

conf t
hostname R1
!
no logging console
enable password cisco
!
no aaa new-model
dot11 syslog
ip cef
!
no ip domain lookup
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki token default removal timeout 0
!
license udi pid cisco3825 sn FTX1236A0D9
!
archive
 log config
  hidekeys
username cisco privilege 15 password 0 cisco
!
redundancy
!
ip tcp synwait-time 5
ip ssh version 1
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set cisco1
!
interface loopback 0
 ip address 192.168.1.1 255.255.255.255
!
interface loopback2
 ip address 192.68.11.11 255.255.255.255
!
interface loopback3
 no ip address
 ipv6 address 3001:0:1:3::/64 eui-64
!
interface tunnel0
 bandwidth 1000
 ip address 172.16.23.1 255.255.255.0
 no ip redirects
 ip mtu 1360
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 23
 ip nhrp holdtime 300
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet0/0
 ip address 7.7.8.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001:128:BAD:8::1/64
 ipv6 enable
 ipv6 ospf 2 area 0
!
interface GigabitEthernet0/1
 ip address 10.2.2.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router eigrp 123
 network 10.0.0.0
 network 172.16.0.0
!
router ospf 2
 router-id 11.11.11.11
 network 7.7.8.0 0.0.0.255 area 1
 network 192.168.11.11 0.0.0.0 area 1
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 7.7.8.10
!
logging esm config
ipv6 router ospf 2
 redistribute connected
!
control-plane
!
mgcp profile default
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
exit
scheduler allocate 20000 1000
ntp server 7.7.4.1
!
end

On R2

en
conf t
hostname R2
!
boot-start-marker
boot-end-marker
!
no logging console
enable password cisco
!
no aaa new-model
dot11 syslog
ip cef
!
no ip domain lookup
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki token default removal timeout 0
!
license udi pid cisco3825 sn FTX123A0DN
!
archive
 log config
  hidekeys
username cisco privilege 15 password 0 cisco
!
redundancy
!
ip tcp synwait-time 5
ip ssh version 1
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set cisco1
!
interface loopback 0
 ip address 192.168.2.2 255.255.255.255
!
interface loopback1
 ip address 192.68.22.22 255.255.255.255
!
interface loopback 2
 no ip address
!
interface loopback3
 no ip address
 ipv6 address 3001:0:2:1::/64 eui-64
 ipv6 enable
!
interface tunnel0
 bandwidth 1000
 ip address 172.16.23.2 255.255.255.0
 no ip redirects
 ip mtu 1360
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 24
 ip nhrp holdtime 300
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet0/0
 ip address 7.7.8.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001:128:BAD:8::2/64
 ipv6 enable
 ipv6 ospf 2 area 0
!
interface GigabitEthernet0/1
 ip address 10.2.2.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router eigrp 123
 network 10.0.0.0
 network 172.16.0.0
!
router ospf 2
 router-id 11.11.11.11
 network 7.7.8.0 0.0.0.255 area 1
 network 192.168.22.22 0.0.0.0 area 1
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 7.7.8.10
!
logging esm config
ipv6 router ospf 2
 redistribute connected
!
control-plane
!
mgcp profile default
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
exit
scheduler allocate 20000 1000
ntp server 7.7.4.1
!
end

On R3

en
conf t
hostname R3
!
boot-start-marker
boot-end-marker
!
no logging console
enable password cisco
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
!
no ip domain lookup
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki token default removal timeout 0
!
license udi pid cisco3825 sn FTX123A0DL
!
archive
 log config
  hidekeys
username cisco password 0 cisco
!
redundancy
!
ip tcp synwait-time 5
ip ssh version 1
!
crypto keyring ipv6keys
 pre-shared-key address ipv6 ::/0 key cisco123
crypto keyring ipv4keys
 pre-shared-key address 7.7.7.10 key cisco123
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile ipv6
 match identity address ipv6 2001:DB8:23::1/64
crypto isakmp profile secure-management
 match identity address 7.7.7.10 255.255.255.255
!
crypto ipsec transform-set 3des ah-sha-hmac esp-3des
crypto ipsec transform-set management esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile profile0
 set transform-set 3des
 set isakmp-profile ipv6
!
crypto map secure-management 1 ipsec-isakmp
 set peer 7.7.7.10
 set transform-set management
 set isakmp-profile secure-management
 match address 120
!
interface loopback 0
 ip address 7.7.53.3 255.255.255.255
!
interface loopback1
 ip address 192.68.33.33 255.255.255.255
!
interface loopback3
 no ip address
 ipv6 address 2010::/64 eui-64
!
interface tunnel0
 no ip address
 ipv6 address 2001:DB8::1:2/64
 ipv6 enable
 ipv6 eigrp 1
 tunnel source GigabitEthernet0/1.2
 tunnel protection ipsec profile profile0
!
interface GigabitEthernet0/0
 ip address 7.7.7.3 255.255.255.0
 ip ospf priority 10
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 19
 ip address dhcp
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 13
 ip address 7.7.13.3 255.255.255.0
 ip ospf priority 0
 ipv6 address 2001:DB8:23::2/64
 ipv6 enable
!
router eigrp 123
 network 192.168.33.33 0.0.0.0
!
router ospf 1
 router-id 3.3.3.3
 redistribute connected metric 1 subnets
 redistribute static
 redistribute eigrp 100 metric 1 subnets
 network 7.7.13.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 7.7.8.10
!
logging esm config
access-list 120 permit ip host 7.7.7.3 host 7.7.7.10
ipv6 router eigrp 1
 router-id 10.10.10.10
 redistribute connected
!
control-plane
!
mgcp profile default
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
exit
scheduler allocate 20000 1000
ntp server 7.7.4.1
!
end

On R4

en
conf t
hostname R4
!
boot-start-marker
boot-end-marker
!
no logging console
enable password cisco
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
!
ip domain list cisco.com
no ip domain lookup
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
license udi pid cisco1841 sn FTX12362013
!
archive
 log config
  hidekeys
username cisco password 0 cisco
!
redundancy
!
ip tcp synwait-time 5
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set 3des ah-sha-hmac esp-3des
!
crypto ipsec profile DMVPN
 set transform-set cisco1
!
crypto ipsec profile profile0
 set transform-set 3des
!
interface loopback 0
 ip address 192.168.44.44 255.255.255.255
!
interface loopback1
 ip address 10.1.1.1 255.255.255.255
!
interface loopback 2
 ip address 7.7.54.5 255.255.255.0
!
interface loopback3
 no ip address
 ipv6 address 1010::/64 eui-64
!
interface tunnel0
 bandwidth 1000
 ip address 172.16.23.4 255.255.255.0
 no ip redirects
 ip mtu 1360
 ip nhrp nhs 172.16.23.1
 ip nhrp nhs 172.16.23.2
 tunnel source FastEthernet0/1.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 ip address 7.7.11.4 255.255.255.0
 duplex auto
 speed auto
 ipv6 address FE80:: link-local
 ipv6 address autoconfig
 ipv6 enable
!
interface FastEthernet0/1
 no ip address
 ip ospf priority 10
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 6
 ip address 7.7.6.4 255.255.255.0
 ip ospf priority 10
 ipv6 address dhcp rapid-commit
 ipv6 enable
!
interface FastEthernet0/1.2
 encapsulation dot1Q 13
 ip address 7.7.13.4 255.255.255.0
 ipv6 address 2001:DB8:23::3/64
 ipv6 enable
!
router eigrp 123
 network 172.16.0.0
 network 192.168.44.0
!
router ospf 1
 router-id 4.4.4.4
 network 7.7.6.0 0.0.0.255 area 0
 network 7.7.13.0 0.0.0.255 area 0
 network 7.7.54.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
logging esm config
ipv6 router eigrp 1
 router-id 40.40.40.40
 redistribute connected
!
control-plane
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
exit
scheduler allocate 20000 1000
!
end

On R5

en
conf t
hostname R5
!
boot-start-marker
boot-end-marker
!
no logging console
enable password cisco
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
!
ip domain list cisco.com
no ip domain lookup
ip domain name cisco.com
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
license udi pid cisco1841 sn FTX1236W022
!
archive
 log config
  hidekeys
username cisco password 0 cisco
!
redundancy
!
ip tcp synwait-time 5
!
crypto keyring ipv6keys
 pre-shared-key address ipv6 ::/0 key cisco123
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp profile ipv6
 keyring ipv6keys
 match identity address ipv6 2001:DB8:23::2/64
!
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set 3des ah-sha-hmac esp-3des
!
crypto ipsec profile DMVPN
 set transform-set cisco1
!
crypto ipsec profile profile0
 set transform-set 3des
!
interface loopback 0
 ip address 192.168.55.55 255.255.255.255
!
interface loopback 2
 ip address 7.7.52.5 255.255.255.255
!
interface loopback3
 no ip address
 ipv6 address 1010::/64 eui-64
!
interface tunnel0
 bandwidth 1000
 ip address 172.16.23.5 255.255.255.0
 no ip redirects
 ip mtu 1360
 ip nhrp authentication cisco
 ip nhrp network-id 23
 ip nhrp nhs 172.16.23.1
 ip nhrp nhs 172.16.23.2
 delay 1000
 tunnel source FastEthernet0/1.1
 tunnel key 123
 tunnel protection ipsec profile DMVPN
!
interface Tunnel2
 no ip address
 ipv6 address 2001:DB8::1:1/64
 ipv6 enable
 ipv6 eigrp 1
 tunnel source FastEthernet0/1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile profile0
!
interface FastEthernet0/0
 ip address 7.7.11.5 255.255.255.0
 duplex auto
 speed auto
 ipv6 address FE80:: link-local
 ipv6 address autoconfig
 ipv6 enable
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 6
 ip address 7.7.6.5 255.255.255.0
 ip ospf priority 10
 ipv6 address dhcp rapid-commit
 ipv6 enable
!
interface FastEthernet0/1.2
 encapsulation dot1Q 13
 ip address 7.7.13.5 255.255.255.0
 ipv6 address 2001:DB8:23::1/64
 ipv6 enable
!
router eigrp 123
 network 172.16.0.0
 network 192.168.55.0
!
router ospf 1
 router-id 5.5.5.5
 network 7.7.6.0 0.0.0.255 area 0
 network 7.7.13.0 0.0.0.255 area 0
 network 7.7.52.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
logging esm config
ipv6 router eigrp 1
 router-id 50.50.50.50
 redistribute connected
!
control-plane
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
exit
scheduler allocate 20000 1000
!
end

On R6

en
conf t
hostname R6
!
boot-start-marker
boot-end-marker
!
no logging console
enable password cisco
!
aaa new-model
!
aaa authentication login lkey1-list local
aaa authorization network lkey1-list local
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
ipv6 unicast-routing
ipv6 cef
no ip source-route
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
ip dhcp excluded-address 7.7.19.1 7.7.19.5
!
ip dhcp pool pool19
 network 7.7.19.0 255.255.255.0
 lease infinite
!
no ip domain lookup
ip cef
!
multilink bundle-name authenticated
!
voice-card 0
!
license udi pid cisco2951/k9 sn FTX1625AJRS
hw-module ism 0
!
hw-module sm 1
!
username cisco privilege 15 password 0 cisco
!
redundancy
!
ip tcp synwait-time 5
ip ssh version 1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
!
crypto ipsec profile ikey1
 set transform-set cisco1
!
interface loopback 0
 ip address 192.168.6.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 7.7.5.3 255.255.255.0
 ip ospf priority 10
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 6
 ip address 7.7.6.3 255.255.255.0
 ipv6 address dhcp rapid-commit
 ipv6 enable
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 19
 ip address 7.7.19.1 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 7.7.20.3 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet1/0
 no ip address
 shutdown
!
interface GigabitEthernet1/1
 description Internal switch interface connected to EtherSwitch Service Module
 no ip address
!
router ospf 1
 router-id 1.1.1.1
 redistribute static metric 1 subnets route-map exclude-nets
 network 7.7.5.0 0.0.0.255 area 0
 network 7.7.6.0 0.0.0.255 area 0
 default-information originate always
!
ip local pool pool2 13.1.1.1 13.1.1.10
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 7.7.5.10
ip route 7.7.9.0 255.255.255.0 7.7.20.1
ip route 7.7.10.0 255.255.255.0 7.7.20.1
!
access-list 10 deny 7.7.9.0
access-list 10 deny 7.7.10.0
access-list 20 permit 13.0.0.0
!
nls resp-timeout 1
cpd cr-id 1
route-map exclude-nets permit 10
 match ip address 10
route-map exclude-nets permit 20
 match ip address 20
!
control-plane
!
call admission limit 75000
!
mgcp profile default
!
gatekeeper
 shutdown
!
telephony-service
 max-ephones 10
 max-dn 144
 ip source-address 7.7.20.3 port 2000
 cnf-file perphone
 load 7960-7940 P0030702T023
 load 7965 P0030702T023
 max-conferences 8 gain -6
 transfer-system full-consult
 create cnf-files version-stamp Jan 01 2002 00:00:00
!
ephone-dn-template 1
 call-forward busy 4000
 call-forward noan 4000 timeout 20
 hold-alert 30 originator
!
ephone-dn 7
 number 007
 name CCIE-Security-Lab
 ephone-dn-template 1
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 67
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
 flowcontrol software
line 193
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/2
ntp master 2
!
end

On SW1

en
conf t
hostname SW1
!
no logging console
enable password cisco
!
no aaa new-model
system mtu routing 1500
ip routing
no ip domain lookup
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
interface FastEthernet0/1
 switchport access vlan 150
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 150
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 150
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 150
 switchport mode access
!
interface FastEthernet0/7
 switchport access vlan 4
 switchport mode access
!
interface FastEthernet0/9
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/12
 switchport access vlan 4
 switchport mode access
!
interface FastEthernet0/13
 shutdown
!
interface range FastEthernet0/17 - 24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface vlan1
 no ip address
 shutdown
!
interface vlan 2
 ip address 7.7.2.1 255.255.255.0
!
interface vlan4
 ip address 7.7.4.1 255.255.255.0
!
interface vlan150
 ip address 150.1.7.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 150.1.7.254
ip route 7.7.0.0 255.255.0.0 7.7.4.10
no ip http server
no ip http secure-server
!
ntp clock-period 36028811
ntp server 150.1.7.254
!
end

On SW2

en
conf t
hostname Sw2
!
no logging console
enable password cisco
!
no aaa new-model
system mtu routing 1500
ip routing
no ip domain lookup
!
crypto pki trustpoint TP-self-signed-87258368
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-87258368
 revocation-check none
 rsakeypair TP-self-signed-87258368
!
exit
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
interface FastEthernet0/1
 switchport access vlan 8
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 8
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/8
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/9
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/12
 switchport access vlan 8
 switchport mode access
!
interface FastEthernet0/13
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/14
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/15
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/16
 switchport access vlan 8
 switchport mode access
!
interface FastEthernet0/17
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
end
On SW3


en
conf t
hostname SW3
!
no logging console
enable password cisco
!
no aaa new-model
system mtu routing 1500
ip routing
no ip domain lookup
!
ipv6 unicast-routing
ipv6 dhcp pool dhcp-pool
dns-server 2001:DB8:A:B::1
dns-server 2001:DB8:3000:3000::42
domain-name cisco.com
!
crypto pki trustpoint TP-self-signed-87257344
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-87257344
revocation-check none
rsakeypair TP-self-signed-87257344
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
interface FastEthernet0/1
switchport access vlan 77
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 11
switchport mode access
!

interface FastEthernet0/3
switchport access vlan 11
switchport mode access
!
interface range FastEthernet0/17 - 24


switchport trunk encapsulation dot1q
switchport mode trunk
!
interface vlan1
ip address 7.7.11.1 255.255.255.0
ipv6 address 2001:DB8:1234:42::1/64
ipv6 nd other-config-flag
ipv6 dhcp server dhcp-pool
!
ipv6 router ospf 1
log-adjacency-changes
!
end

On SW4

en
conf t
hostname SW4
!
no logging console
enable password cisco
!
no aaa new-model
system mtu routing 1500
ip routing
no ip domain lookup
!
crypto pki trustpoint TP-self-signed-87258368
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-87258368
revocation-check none
rsakeypair TP-self-signed-87258368

!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
interface FastEthernet0/1
!


interface FastEthernet0/2
!
interface FastEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/5
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/9
!
interface FastEthernet0/11
switchport access vlan 33
switchport mode access
!
interface FastEthernet0/12
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface range FastEthernet0/17 - 24
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface vlan1
no ip address
shutdown

!
end

On SW5

en
conf t
hostname SW5
!
no logging console
enable password cisco
!
no aaa new-model
switch 1 provision ws-c3750x-12s
system mtu routing 1500
ip routing
!
no ip domain lookup
ipv6 unicast-routing
!
crypto pki trustpoint TP-self-signed-1457097984
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1457097984
revocation-check none
rsakeypair TP-self-signed-1457097984
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
interface loopback 1
no ip address
ipv6 address 3001:0:5:1::/64 eui-64
ipv6 ospf 1 area 0
!
interface loopback2
no ip address
ipv6 address 3001:0:5:2::/64 eui-64
ipv6 ospf 1 area 0

!
interface FastEthernet0/0
no ip address
no ip route-cache
shutdown

!


interface GigabitEthernet1/0/3
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/5
no switchport
ip address 7.7.20.1 255.255.255.0
!
interface GigabitEthernet1/0/8
no switchport
ip address 7.7.10.2 255.255.255.0
ipv6 address 2001:128:ABC:10::2/64
!
interface GigabitEthernet1/0/9
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/11
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/12
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface vlan1
no ip address
shutdown
!
interface vlan3
ip address 7.7.3.2 255.255.255.0
no ip redirects
!
ip route 0.0.0.0 0.0.0.0 7.7.3.12
ip route 7.7.0.0 255.255.0.0 7.7.3.10
ip route 7.7.2.0 255.255.255.0 7.7.3.8
ip route 7.7.4.0 255.255.255.0 7.7.3.12
ip route 7.7.9.0 255.255.255.0 7.7.10.1
ip route 7.7.99.0 255.255.255.0 7.7.10.1
ip route 200.200.9.0 255.255.255.0 7.7.3.10


!
logging esm config
ipv6 router ospf 1
router-id 35.35.35.35
redistribute connected
!
line con 0
exec-timeout 0 0
password cisco
logging synchronous
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login
transport input telnet
line vty 5 15
exec-timeout 0 0
password cisco
login
transport input telnet
!
ntp server 7.7.20.3
!
end

On SW6

en
conf t
hostname Sw6
!
no logging console
enable password cisco
!
username ciscoAP password 0 CCie123
username cisco password 0 cisco
aaa new-model
!
aaa session-id common
switch 1 provision ws-c3750x-12s


system mtu routing 1500
ip routing
!
ip dhcp excluded-address 7.7.7.1 7.7.7.15
ip dhcp excluded-address 7.7.9.1 7.7.9.5
ip dhcp excluded-address 7.7.99.1 7.7.99.5
ip dhcp excluded-address 10.10.110.1 10.10.110.5
ip dhcp excluded-address 10.10.120.1 10.10.120.5
!
ip dhcp pool pool7
network 7.7.7.0 255.255.255.0
default-router 7.7.7.2
option 43 ip 7.7.7.11
lease infinite
!
ip dhcp pool voice
network 7.7.9.0 255.255.255.0
option 150 ip 7.7.20.1
default-router 7.7.9.2
!
ip dhcp pool data
network 7.7.99.0 255.255.255.0
default-router 7.7.99.1
dns-server 150.1.7.10
!
ip domain-name cisco.com
ipv6 unicast-routing
!
crypto pki trustpoint TP-self-signed-1459336320
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1459336320
revocation-check none
rsakeypair TP-self-signed-1459336320
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
interface loopback0
ip address 192.168.66.66 255.255.255.0
!
interface loopback1
no ip address
ipv6 address 1001:0:6:1::/64 eui-64


ipv6 ospf 1 area 0
!
interface loopback2
no ip address
ipv6 address 3001:0:6:2::/64 eui-64
ipv6 ospf 1 area 0
!
interface FastEthernet0/0
no ip address
no ip route-cache
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
description WLC
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/5
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet1/0/8
no switchport
ip address 7.7.10.1 255.255.255.0
ipv6 address 2001:128:ABC:10::1/64
ipv6 ospf 1 area 0
!
interface GigabitEthernet1/0/12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-6,8-4094
switchport mode trunk

!
interface vlan1
no ip address
shutdown


!
interface vlan7
ip address 7.7.7.2 255.255.255.0
ipv6 enable
!
interface vlan9
ip address 7.7.9.2 255.255.255.0
!
interface vlan99
ip address 7.7.99.1 255.255.255.0
!
ip classless
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 7.7.7.1
ip route 7.7.20.0 255.255.255.0 7.7.10.2
!
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark Ping
permit icmp any any
remark PXE/TFTP
permit udp any any eq tftp
deny ip any any log
!
ip radius source-interface vlan7
logging esm config
ipv6 router ospf 1
router-id 36.36.36.36
redistribute connected
!
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 150.1.7.20 auth-port 1812 acct-port 1813 key cisco
radius-server vsa send accounting
radius-server vsa send authentication
!
ntp server 7.7.20.3
!
end


Section I. Perimeter security

1.1 Configure routing and Basic Access on ASA1

(6 Points)


This question has three tasks.

Complete each task to provide basic connectivity and routing capabilities on ASA1.

1) ASA1 should be in single-context routed mode and configured using the information

in the table below:

Interface   Nameif    Switch Vlans   Sec Level   IP Address
Gi 0/0      Outside   5              0           7.7.5.10/24
Gi 0/2      Inside    3              100         7.7.3.10/24
Gi 0/3      Dmz       8              50          7.7.8.10/24


Use exact names and numbers as shown in the table.

2) Add static routes as follows:

Interface   Network                     Next Hop
Inside      Configure a Default Route   7.7.3.2

3) Configure a Secured OSPF process 1
Router-id should be 8.8.8.8
Assign network 7.7.5.0 to area 0
Assign network 7.7.8.0 to area 1
Ensure that networks 192.168.11.11 and 192.168.22.22 (loopbacks on R1 and R2) are added to
the routing table on ASA1 but are not propagated into area 0.
Verify by checking the routing table on R6.
Verify your solutions by successfully pinging the inside 150.1.7.0 network from the all major
7.7.0.0 subnets as well as pinging from outside subnets to dmz subnets.
For example:
R6#ping 7.7.8.1
R6#ping 150.1.7.20
R6#ping 7.7.3.2
Note:

1) Key is already configured in R1 and R2

2) Check the vlan assignment
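An added example, not from the workbook, of an ASA1 configuration that satisfies the three tasks above. The OSPF key id, the key-string placeholder and the /32 masks on the R1/R2 loopbacks are assumptions:

```cisco
! ASA1, single-context routed mode. Names, levels and addresses follow the task table.
! The key id (1) and the key string are placeholders: use the key already set on R1/R2.
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 7.7.5.10 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 <KEY-ALREADY-ON-R1-R2>
!
interface GigabitEthernet0/2
 nameif Inside
 security-level 100
 ip address 7.7.3.10 255.255.255.0
!
interface GigabitEthernet0/3
 nameif Dmz
 security-level 50
 ip address 7.7.8.10 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 <KEY-ALREADY-ON-R1-R2>
!
! Task 2: default route through the Inside next hop from the table
route Inside 0.0.0.0 0.0.0.0 7.7.3.2 1
!
! Task 3: "secured" OSPF = MD5 on both areas, so an unauthenticated neighbour never forms an adjacency
router ospf 1
 router-id 8.8.8.8
 network 7.7.5.0 255.255.255.0 area 0
 network 7.7.8.0 255.255.255.0 area 1
 area 0 authentication message-digest
 area 1 authentication message-digest
 ! ASA1 is the ABR: the R1/R2 loopbacks learned in area 1 stay in its own routing table,
 ! but no summary LSA for them is generated into area 0 (assumes they are /32 host routes)
 area 1 range 192.168.11.11 255.255.255.255 not-advertise
 area 1 range 192.168.22.22 255.255.255.255 not-advertise
```

Check with `show ospf neighbor` on ASA1 (both neighbours must show MD5 adjacencies) and `show ip route` on R6, where the two loopbacks must be absent.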


1.2 Configure stateful failover between ASA1 and ASA2

(4 points)


- Configure LAN-based active-standby failover on ASA1 and ASA2

- Use GigabitEthernet 0/1 in VLAN 100 on SW2 for the failover LAN interface and name it fover.

- Use IP address 7.7.100.100/24 for active and 7.7.100.101/24 for standby

- Enable stateful failover using fail-over interface GigabitEthernet 0/1

- Use all other parameters accordingly to achieve this task

Your output must match all parameters highlighted below:
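An added example, not from the workbook, of the primary-unit side of the failover pair. The failover key string and the standby address on the data interface are placeholders/assumptions:

```cisco
! ASA1 (primary). ASA2 takes the same lines with "failover lan unit secondary".
interface GigabitEthernet0/1
 description failover LAN and state link (SW2 VLAN 100)
 no shutdown
!
failover lan unit primary
failover lan interface fover GigabitEthernet0/1
! Stateful failover: the same interface carries the connection-state replication
failover link fover GigabitEthernet0/1
failover interface ip fover 7.7.100.100 255.255.255.0 standby 7.7.100.101
! Shared secret: hellos and replicated state on the link are encrypted with it,
! so a host on VLAN 100 cannot inject failover messages or read session state
failover key <FAILOVER-KEY>
failover
!
! Each monitored data interface needs a standby address so the standby unit can
! probe it and assume the active address on switchover (7.7.3.11 is an assumed free address)
interface GigabitEthernet0/2
 ip address 7.7.3.10 255.255.255.0 standby 7.7.3.11
```

`show failover` on either unit should report the "fover" link up, the unit states Active/Standby Ready, and "Stateful Failover Logical Update Statistics" increasing.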


1.3 Configure ASA3 in Multi-Context Firewall Mode

Part A: Initialize ASA3

(4 points)

ASA3 must be configured as a multi-context firewall. ASA3 requires a shared outside interface.

Use the following outputs to complete the initial configuration.

Context details

Name    Config URL
C1      C1.cfg
C2      C2.cfg
Admin   Admin.cfg

(NOTE: The above files already exist in flash and need to be deleted before configuring)

The config-url file should be saved on disk0:

You can permit ICMP traffic from any to any on both contexts.

You can modify the Catalyst switch configuration to complete this task.

When the task is completed, ensure that you are able to ping all major subnets within your network, including the ISE1 150.1.7.20

Use exact names and numbers as shown in the table

Context “c1” initialization details:

Interface   Type         Nameif    Switch Vlans   Sec Level   IP Address
Gi 0/1      Not Shared   Inside    2              100         7.7.2.10/24
Gi 0/0      Shared       Outside   33             0           7.7.3.8/24

Context “c1” routing configuration details:

Interface   Network     Next Hop
Outside     0.0.0.0/0   7.7.3.2

Context “c2” initialization details:

Interface   Type     Nameif    Switch Vlans   Sec Level   IP Address
Gi 0/2      Shared   Inside    4              100         7.7.4.10/24
Gi 0/0      Shared   Outside   33             0           7.7.3.12/24

Context “c2” routing configuration details:

Interface   Network      Next Hop
Inside      0.0.0.0/0    7.7.4.1
Outside     7.7.0.0/16   7.7.3.2

Context “admin” initialization details:

Interface   Type     Nameif       Switch Vlans   Sec Level   IP Address
Gi 0/2      Shared   Management   4              100         7.7.4.200/24

Context “admin” routing configuration details:

Interface    Network     Next Hop
Management   0.0.0.0/0   7.7.4.1


Part B: Configure IP Services on ASA3

(4 points)

Telnet access: telnet must be allowed from VLAN4 IP 7.7.4.1 on SW1 to the admin context of ASA3.

To verify your solution: SW1# telnet 7.7.4.200 /so vlan4

Object NAT and Port-to-Application Mapping

(6 points)

Use object NAT to translate the VLAN4 IP address 7.7.4.1 on SW1 to a global address of 7.7.3.3. Devices on the outside of ASA3 must be able to Telnet to the global address using a non-standard port of 2300.

To verify your solution: R6# telnet 7.7.3.3 2300

1.4 Configure ASA4 in transparent mode with NAT support

Configure ASA4 as a transparent firewall to be deployed between R3 and SW6 by completing the three tasks outlined below


1. ASA4 will be assigned the IP address 7.7.7.10/24 and use the following interfaces

Interface   Type       Nameif    Switch Vlans   Sec Level
Gi 0/3      Physical   Inside    7              100
Gi 0/0      Physical   Outside   77             0
Note: Do not configure management interface 0/0.
2. Add static routes on ASA4 to match the following output
ASA# show route
0.0.0.0/0 via 7.7.7.3
7.7.9.0/24 via 7.7.7.2
Verify your solution by pinging from ASA4 as follows:
ASA4# ping inside 7.7.7.2
ASA4# ping outside 7.7.7.3
3. Configure NAT on the Cisco ASA4 firewall using the following information. NAT control is required.
Configure a rule where any traffic sourced from 7.7.9.0/24 and destined to 7.7.0.0/16 is mapped to a global address from 200.200.9.0/24. This NAT rule must allow for bidirectional connection initialization.
Ensure that traffic sourced from the 7.7.7.0/24 network and destined to 7.7.0.0/16 or 150.1.0.0/16 is not translated but still able to transit ASA4.

Verify your solution by initiating a ping from SW6 to R3 using VLAN9 as the source interface.

Enabling debug ip icmp on R3 should show that the translation has occurred:

R3# ICMP: echo reply sent, src 7.7.7.3, dst 200.200.9.2


SECTION II. IPS and Context security

2.1 Initialize the Cisco IPS Sensor Appliance

(4 points)

Initialize the Cisco IPS Sensor appliance as follows:

Parameters          Settings
Hostname            IPS
Management          Configure the Command and control Management 0/0 interface in vlan 4
Sensor IP Address   7.7.4.100/24
Default Gateway     7.7.4.1
Sensor ACL          7.7.0.0/16, 150.100.7.0/24, 151.ss.1.0/24, 150.1.7.0/24
Telnet              Enable telnet Management
Auto IP Logging     Enable ip Logging on sig0, Log 200 pkts, log time 30 secs, log bytes 5024

Verify the Cisco IPS sensor configuration using the following:
The username and password for the Cisco IPS console are cisco and 123cisco123. DO NOT

CHANGE THEM.

Use the console to initialize the Cisco IPS sensor appliance using the details in this table. Ensure that the Management0/0 interface is up and functioning (refer to the Lab Topology diagram).


You can modify Cisco Catalyst switches configuration if required.

Ensure that the Cisco IPS sensor is able to ping the default gateway and Test-PC:

IPS# ping 7.7.4.1

IPS# ping 150.1.7.100

Ensure that the following ping and telnet connection is successful from SW1

SW1# ping 7.7.4.100

SW1# telnet 7.7.4.100

2.2 Deploy the Cisco IPS Sensor Using an In-line VLAN Pair

(4 points)


Configure the Cisco IPS appliance inline VLAN pair using these guidelines:

Configure the CISCO IPS sensor appliance for the inline VLAN pair as shown in the Lab Topology diagram as follows:

Parameters         Settings
Interface          Gig 0/0
Inline Vlan Pair   Vlan 3 & Vlan 33

You are allowed to modify the switch parameters as appropriate to achieve this task.
Refer to the lab diagram for the required information.
You may access the IPS management GUI (IME) either from your Test-PC or your local Candidate
PC to help with the task. The IME password is Cisc0123. You are allowed to adjust any firewall
and/or routing configuration to ensure that this works.
Ensure that the sensor is passing traffic successfully.
For testing, ensure that this ping from SW6 is passing through the sensor with the packets
being displayed on the sensor console.
IPS# packet display gigabitethernet0/0
R6#ping 7.7.4.1


2.3 Implement custom signatures on the Cisco IPS sensor

(4 points)

A custom signature 61000 is required on the Cisco IPS sensor as follows:
Trigger – Users are allowed to telnet to SW1 via translated address (see Q1.3), however, they
must not be allowed to launch another telnet from SW1 to any device on the 150.1.0.0/16
network.
Action – reset-tcp-connection when a telnet session is attempted from within an existing
session to SW1

Alert-severity high

Signature-definition 0

Note:

There’s a dependency on the NAT-object & Port-to-Application Mapping config from Q 1.3.

You can use any signature engine to complete this task that satisfies the question requirements.

Verify your solution by connecting to SW1 from another device in the topology using the translated address specified in Q1.3 and thereafter launch a Telnet from SW1 to your Test PC (150.1.7.100) as follows:

SW1>enable

SW1#telnet 150.1.7.

2.4 Initialize the Cisco WSA and Enable WCCP Support

(6 points)


The Cisco WSA has been initialized with IP address of 7.7.4.150 & connected via SW1 in VLAN4.

Using the Test-PC or Candidate PC, connect to WSA and configure as following

Connection Information: http://7.7.4.150:8080/ Username=admin Password=ironport

Initialize the Cisco WSA sensor appliance as follows using the system setup wizard:

Security services:

Parameters                  Settings
Web Proxy                   Enabled
Web Proxy Mode              Transparent
IP Spoofing                 Not Enabled
HTTP/S Proxy                Enabled
Native FTP Proxy            Enabled
L4 Traffic Monitor          Enabled
L4 Traffic Monitor Action   Enabled
Acceptable User Controls    Enabled
Web Reputation Filters      Enabled
Ironport DVS Engine         Webroot: Enabled, Mcafee: Enabled

Parameters              Settings
Hostname                Wsa.cisco.com
Interface               M1 to be used for Management
Ip Address              7.7.4.150/24
Default Gateway         7.7.4.1
System Information      Admin:ironport, foobar@cisco.com, time:US/America/LA
NTP Server              7.7.4.1
DNS                     150.1.7.10
L4 Traffic Monitoring   Duplex: T1 (in/out)

Accept all other defaults

From ASA/c2, verify that you can ping M1 interface of WSA:

ASA3/c2(config)# ping 7.7.4.150


Configure WCCP redirect from the inside interface of ASA3/c2 to WSA using:

Redirect-list: for all HTTP and HTTPS traffic

Group-list to limit redirections to the WSA only

Service-group must be in the appropriate range


Note: You can use any names for your redirect-list and group-list.

Be sure to use a service-group. DO not use the default web-cache.

This question is dependent on the completion of Q1.3.

You may have to reboot WSA after configuration of WCCP if the ASA reports following event in the logs:

WCCP-EVNT: D90: Here_I_Am packet from 7.7.4.150 ignored: bad web-cache id.
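An added example, not from the workbook, of the ASA side of the WCCP redirection in context c2. The ACL names and the service group number 90 are assumptions (any dynamic group in the ASA's 0-254 range other than the default web-cache would do):

```cisco
! Context c2 of ASA3 (changeto context c2).
! The WSA itself is excluded from redirection so its own upstream fetches do not loop back.
access-list WCCP-REDIRECT extended deny tcp host 7.7.4.150 any
access-list WCCP-REDIRECT extended permit tcp any any eq www
access-list WCCP-REDIRECT extended permit tcp any any eq https
! Group list: only the WSA may register as a cache engine for this service group,
! so no other host on VLAN4 can announce itself and receive the redirected traffic
access-list WCCP-WSA extended permit ip host 7.7.4.150 any
!
wccp 90 redirect-list WCCP-REDIRECT group-list WCCP-WSA
! Redirect on ingress of the Inside interface, where both the clients and the WSA sit
wccp interface Inside 90 redirect in
```

The WSA must be registered with the same service ID on its transparent redirection page; `show wccp 90 view` on the ASA lists 7.7.4.150 once the Here_I_Am exchange has succeeded.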

Use the following to verify your solution from the Test-PC, and then check HTTP requests on

R3 for the address of the WSA:


2.5 Add a custom URL Access Policy to the WSA

(3 points)


Add a custom URL category called Restricted Site which will block the site 7.7.7.2. Add the custom URL filter to the Global access policy and ensure that the action taken will be to block the connection.

Use the following to verify your solution from the Test-PC:


SECTION III. Secure Access

3.1 Troubleshooting IPsec Management of ASA4

(4 points)


Complete the configuration of an IPsec secured management tunnel between R3 and ASA4.

R3 has been partially configured and will indicate the IKE and IPsec, policy parameters to use.

Ensure that you are able to launch the IPsec protected Telnet session from R3 to ASA4.

There are faults on R3 that must be corrected to complete this question.

Do not use wildcard (0.0.0.0) pre-shared keys.

You can use any names for policies that have not been preconfigured.

Verify your solution as follows:


3.2 Troubleshooting IPsec Static VTI with IPv6

(5 points)


An IPsec static virtual tunnel interface is required between R3 and R5. This interface supports

IPv6 traffic and EIGRPv6 routes (the networks from Loopback3) must be exchanged securely for

AS1 via Tunnel.

Complete and troubleshoot the configuration:

Verify your solution as follows:


Ensure that the interface Loopback3 subnets on either router are being advertised via EIGRPv6.

R3# show ipv6 route

EX 1010::/64 [170/27008000]

Via FE80::21E:BEFF:FE80:B5C, Tunnel0

R5#sho ipv6 route

EX 2010::/64 [170/27008000]

Via FE80::21E:4AFF:FE2F:CA50, Tunnel2

3.3 Troubleshooting DMVPN Phase 3 with Dual hubs

(6 points)

In this question R1 and R2 are dual DMVPN Hubs with R4 and R5 as the spokes that peer with

hubs for redundancy. The hubs are pre-configured. Complete the configuration of the spokes

and troubleshoot the solution using the following information:

172.16.23.1/2 – IP addresses of DUAL Hubs

172.16.23.4/5 – IP addresses of DUAL Spokes

Each spoke must peer with both hubs and direct spoke to spoke communication should occur

using NHRP shortcut capabilities

EIGRP routing AS 123 is preconfigured & must be advertising the Lo 0 of R4 & R5 and network

10.2.2.0/24 of R1 and R2

Verify your solution as follows:

3.4 Configure Security Features on the Cisco WLC

(4 points)

The WLC manages the configuration and control of the Cisco AP 1242

(There is no need to change any settings on the AP itself)


To complete this question you can use the CLI on the WLC, or the web GUI via http://7.7.7.11/

Username =cisco Password=Cisco123.

1. Configure 802.1x support on the WLC. This information is pushed to the AP in the rack and will facilitate 802.1x authentication.

2. To protect the network from Rogue AP's associating with the WLC, configure the WLC with the following Rogue Rule
- Rogue Rule Name: Rogue
- Type: Malicious
- SSID: Rogue
- Must be heard at an RSSI value of -60 or stronger
- Classify only if the rogue is not using encryption


SECTION IV. System Hardening and Availability

4.1 Troubleshoot Secure Routing Using OSPFv3 in Cisco IOS

(4 points)

OSPFv3 has been partially pre-configured between R1 & R2 using command “ipv6 router ospf 2”
Complete configuration and troubleshooting as required to meet the following requirements:
1. Configure AH md5 authentication for area 0 to protect routing info. You can define your own keys
2. Ensure that the IPv6 addresses from interface Loopback3 on R1 and R2 are being advertised using OSPFv3 via Gig 0/0 on R1 and R2
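An added example, not from the workbook, of the two requirements on R1 and R2. The SPI value and the key placeholder are assumptions (both ends must use the same SPI and key), as is placing Loopback3 in area 0:

```cisco
! Same lines on R1 and R2. The key is a placeholder for 32 hex digits.
ipv6 router ospf 2
 ! AH with MD5 on every OSPFv3 packet in area 0: a neighbour without the
 ! matching SPI/key is ignored, so routing information cannot be injected
 area 0 authentication ipsec spi 500 md5 <32-HEX-DIGIT-KEY>
!
interface GigabitEthernet0/0
 ipv6 ospf 2 area 0
!
! Loopback3's prefix is advertised by enabling the process on the interface
interface Loopback3
 ipv6 ospf 2 area 0
```

`show ipv6 ospf interface GigabitEthernet0/0` should list "MD5 authentication SPI 500" and `show ipv6 ospf neighbor` a FULL adjacency on each router.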
4.2 Troubleshoot IP Options Handling on the Cisco ASA
(3 points)
The following information has appeared in an error message on ASA1 for IGMPv2 traffic transiting ASA1:
%ASA-6-106012: Deny IP from 7.7.5.15 to 225.17.1.1, IP options: “Router Alert”
Configure ASA1 to prevent this error message and allow IGMPv2 to function correctly for all interfaces
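An added example, not from the workbook, of the IP options inspection that stops the 106012 drop. The policy-map name is an assumption; global_policy and inspection_default are the ASA's default policy and class:

```cisco
! ASA1. By default packets carrying IP options are dropped with %ASA-6-106012.
! IGMPv2 membership reports carry the Router Alert option, so that one option is
! explicitly allowed; other options keep the default (drop) behaviour.
policy-map type inspect ip-options IP-OPTIONS-MAP
 parameters
  router-alert action allow
!
! Applied in the global policy, which covers every interface
policy-map global_policy
 class inspection_default
  inspect ip-options IP-OPTIONS-MAP
```

`show service-policy inspect ip-options` reports the per-option counters, and the 106012 messages for 225.17.1.1 should stop appearing in the log.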


4.3 Configure Netflow on a Cisco IOS Router

(3 points)

Configure Netflow version 9 on R6 using following requirements:
1. Define an IP flow-top-talkers policy to be applied on Gig 0/1.1 as follows:
- Display top 5 talkers for ICMP traffic
- Randomly sample traffic at a rate of one-out-of 10 packets
2. Verbose netflow output must display
- IP Address
- MAC Address
- Vlan IDs

R6#show ip cache verbose flow

R6#show ip flow top-talker


SECTION V. Threat Identification and Mitigation

5.1 Tuning Application Inspection on the Cisco ASA

(4 points)

HTTP inspection must be configured to log GET operations with level 15 privilege made to Cisco IOS HTTP servers behind ASA1. The packet capture output below, which shows an HTTP session to 7.7.8.1 from Test-PC, should be used to help define your match criteria.

CCIESECURITYLABS.COM

CCIESECLABS.COM

CCIESECURITYLABS.COM

15-June-2013

CCIESECURITYLABS.COM 15-June-2013

5.2 Configure Dynamic-ARP Inspection in a DHCP Environment

(4 points)


R3 receives an IP address for interface g0/1.1 from R6, which is considered a trusted DHCP server. Configure SW4 for DAI using DHCP snooping for the appropriate VLAN.

SW4# show ip dhcp snooping binding
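An added example for SW4 (not the workbook's answer). The VLAN number (11) and the port numbers (Gi1/0/24 toward R6, Gi1/0/3 toward R3) are assumptions to be replaced with the rack's actual values; the structure is what matters: DHCP snooping builds the IP-to-MAC binding table on the untrusted port, DAI then checks every ARP packet on that VLAN against it, and only the port facing the trusted DHCP server is marked trusted:

```cisco
! Build the binding table that DAI will validate ARP against
ip dhcp snooping
ip dhcp snooping vlan 11
! A Catalyst inserts option 82 by default and an IOS DHCP server such as R6
! drops relayed-looking requests with giaddr 0; turn it off so R3 gets a lease
no ip dhcp snooping information option
!
! DAI on the same VLAN, with the optional extra sanity checks on ARP contents
ip arp inspection vlan 11
ip arp inspection validate src-mac dst-mac ip
!
! Uplink to R6 (trusted DHCP server): trusted for snooping and for DAI
interface GigabitEthernet1/0/24
 ip dhcp snooping trust
 ip arp inspection trust
!
! Port to R3 stays untrusted; the default 15 pps ARP limit protects the CPU
interface GigabitEthernet1/0/3
 ip arp inspection limit rate 15
```

After R3 renews its lease, `show ip dhcp snooping binding` must show R3's MAC, its leased IP, VLAN 11 and Gi1/0/3; `show ip arp inspection vlan 11` and `show ip arp inspection statistics` confirm DAI is active and that permitted/denied ARP counters move. If the binding is missing, DAI will drop R3's ARP replies, so always check the binding table before blaming DAI.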

5.3 LDAP (Outdated)

- Microsoft Windows users utilize the "msNPAllowDialin" attribute to grant or withdraw Remote Access Service (RAS) dial-in permission.

Configure the ASA admin context to map this MS attribute to the Cisco attribute cVPN3000-IETF-Radius-Class:

- A value of FALSE should be mapped to a value of ACCESS-DENY

- A value of TRUE should be mapped to a value of ACCESS-ALLOW
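An added example (not the workbook's answer) of the attribute map and how it is bound to an LDAP AAA server. The map name, AAA server name, server address 150.1.7.10, base DN and bind credentials are all assumptions. Note that ASA 8.x and later name the Cisco attribute `IETF-Radius-Class`; the `cVPN3000-` prefix used in the task is the pre-8.0 name, which is why the task is marked outdated:

```cisco
! Translate the Microsoft dial-in flag into the IETF class attribute
ldap attribute-map MS_DIALIN_MAP
 map-name  msNPAllowDialin IETF-Radius-Class
 map-value msNPAllowDialin FALSE ACCESS-DENY
 map-value msNPAllowDialin TRUE  ACCESS-ALLOW
!
! Attach the map to the LDAP server definition (server details are assumed)
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 150.1.7.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=com
 ldap-login-password cisco
 server-type microsoft
 ldap-attribute-map MS_DIALIN_MAP
!
! The class value returned by the map selects a group-policy of the same name,
! so ACCESS-DENY must exist and actually deny (zero simultaneous logins)
group-policy ACCESS-DENY internal
group-policy ACCESS-DENY attributes
 vpn-simultaneous-logins 0
group-policy ACCESS-ALLOW internal
```

`show running-config ldap attribute-map` shows the map, and `debug ldap 255` during a test login shows the mapped attribute ("mapped to IETF-Radius-Class") so you can confirm which group-policy a FALSE or TRUE user receives. Creating the ACCESS-DENY policy with zero logins is the practical step most people forget: without it the mapping is cosmetic and the user falls through to the default group-policy.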

SECTION VI. Identity Management

6.1 Configure the Cisco Access Point as an 802.1X supplicant

(6 points)

The Cisco Access Point 1242 is managed and controlled by the Cisco WLC, which should only be allowed to communicate with 802.1X-authorized APs.
In this question you are required to configure 802.1X support for the AP on SW6 (RADIUS source interface 7.7.7.2/VLAN7) and ISE1 (150.1.7.20).
Use the information below to complete the question:
1. Create an identity for the AP on ISE1 using the credentials created in the 802.1X task in Q3.4; it will be used for authentication and mapped to an authorization policy.
2. Configure an Authorization Profile and Authorization Policy rule for the Cisco Access Point as follows:

Parameters      Settings
Name            Cisco_Access_Points
Management      Configure the Command and control Management 0/0 interface in vlan 4
Description     Permit Cisco AP 1242
Access Type     Access_Accept

Common Tasks
DACL Name       AP_DACL
DACL Policy     Permit CAPWAP (UDP 5246/5247) and DNS
Vlan            9

3. Configure SW6 G1/0/5 for 802.1X support, which will enable the Cisco AP to authenticate via RADIUS to ISE1 and receive an authorization policy.

6.2 Configure Support for MAB/802.1X for Voice and Data VLANs

Part A: Authentication and Authorization of Cisco IP Phone with MAB (6 points)

The Cisco IP Phone is connected to interface g1/0/1 on SW6. It receives an IP address via DHCP from the 7.7.9.0/24 subnet and registers with CUCME on R6 (via 7.7.20.3).

The requirement is to add security to this connection through authentication and authorization on SW6, using MAC Authentication Bypass (MAB) to assign the RADIUS attributes required to move the phone into the voice VLAN.

Use the following information to complete this task:

- Create an Endpoint Identity for the IP Phone in your rack on ISE1 (150.1.7.20).

- Verify that you have an authentication rule for MAB on the Cisco ISE.

- Verify that the standard authorization policy for Cisco IP Phones exists on ISE1 and is allowing a permit on all traffic.

- Configure g1/0/1 on SW6 to support a voice VLAN (9) and a data VLAN (99).

- The voice VLAN will support MAB for authentication.

- The data VLAN will provide support for the Test-PC, which must connect through the phone using 802.1X.

- SW6 must attempt a MAB authentication first after learning the MAC address of an endpoint. If MAB is not successful, 802.1X endpoints should be allowed to connect.

The following output should be used to verify your solution.

Part B: Authentication and Authorization of 802.1X Client through a Cisco IP Phone (6 points)

The Test-PC must be allowed to connect through the authenticated Cisco IP Phone

1. SW6 G1/0/1 should already have been configured to support a voice and a data VLAN in Part A of this question.
2. Configure an Authorization Profile and Authorization Policy rule for the Test-PC on ISE1 using the following information:
Attribute           Value
Group Name          Test-PC_Group
Username/Password   test-PC/Cisc0123
Access Type         Access_Accept
Common Tasks
DACL Name           DATA_VLAN_DACL
DACL Policy         Permit ip any any
Vlan                99
The following output should be used for verification
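An added example of the SW6 side for both 6.1 (step 3, port G1/0/5 for the AP) and 6.2 Parts A and B (port G1/0/1 for the phone and Test-PC). It is my example, not the workbook's answer; the ISE-side identities, profiles and policies from the tables above are configured in the ISE GUI and are not shown. The RADIUS shared secret `cisco` is assumed (the lab's default password); everything else comes from the task text:

```cisco
! Shared AAA/RADIUS toward ISE1, sourced from VLAN 7 (7.7.7.2) as required
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius-server host 150.1.7.20 auth-port 1812 acct-port 1813 key cisco
radius-server vsa send authentication
ip radius source-interface Vlan7
!
! Downloadable ACLs (AP_DACL, DATA_VLAN_DACL) need the switch to know each
! endpoint's IP address, which IP device tracking provides
ip device tracking
dot1x system-auth-control
!
! 6.1: the AP is an ordinary 802.1X supplicant; ISE returns VLAN 9 and AP_DACL
interface GigabitEthernet1/0/5
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! 6.2: phone into voice VLAN 9 via MAB, Test-PC behind it into data VLAN 99 via
! 802.1X. multi-domain = exactly one MAC in the voice domain and one in the data
! domain. Order mab first, then fall to 802.1X when MAB fails (the PC's MAC is
! not in ISE); dot1x keeps priority so a later EAPOL from the PC wins.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 99
 switchport voice vlan 9
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

Verify with `show authentication sessions interface GigabitEthernet1/0/1` (two sessions: the phone in the VOICE domain via mab, the Test-PC in the DATA domain via dot1x, each with its dACL and VLAN) and `show authentication sessions interface GigabitEthernet1/0/5` for the AP. `show ip access-lists` should list the downloaded `xACSACLx-IP-AP_DACL-...` and `...DATA_VLAN_DACL-...` entries; if they are absent, check `ip device tracking` and `show ip device tracking all` before looking at ISE.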

Thank You for using cciesecuritylabs workbooks.