CCIE SCv4 Lab 1 Tasks




Contents
Last updated: April 9, 2015

1. Perimeter Security and Services
2. Intrusion Prevention and Content Security
3. Confidentiality and Secure Access
4. Identity Management
5. System Hardening and Availability
6. Threat Identification and Mitigation


Difficulty Rating (10 highest): 8

Point Values

The point values for each section are as follows:

    Section                                      Point Value
    Perimeter Security and Services              24
    Intrusion Prevention and Content Security    17
    Confidentiality and Secure Access            19
    Identity Management                          16
    System Hardening and Availability            14
    Threat Identification and Mitigation         10

GOOD LUCK!


TIP
When taking the CCIE lab exam, you will be provided with a few sheets of scratch paper for notes and diagrams. You should create two diagrams at a minimum: one for the logical Layer 2 topology and one for the logical Layer 3 topology. Note that the physical diagram and the logical Layer 2 diagram are not the same.

Although you are provided with the logical Layer 3 diagram in the lab, it will be in electronic format, which means that you cannot add notes to it and may need to switch between windows to see it on the computer. By having your own diagram, you will be able to take notes on it and quickly reference it as you work through the configuration section. Finally, drawing the Layer 2 and Layer 3 topologies will help you become familiar with a complex network topology at first sight.


1. Perimeter Security and Services

1.1 ASA Routed Mode (3 points)

  • Configure ASA1 in routed single mode with a hostname of ASA12, using the information from the table:
    Interface   Nameif    Security Level   IPv4 Address
    E0/0.43     DMZ1      60               140.1.45.Y/24
    E0/0.73     DMZ2      50               140.1.71.Y/24
    E0/1.40     INSIDE    100              172.16.3.1/24
    E0/1.91     OUTSIDE   0                140.1.91.Y/24

  • Configure ASA1 for EIGRP in AS 200; do not advertise VLAN 40 prefix.

1.2 ASA Active-Standby Failover (3 points)

  • Configure ASA1 and ASA2 for active-standby failover, matching the following output from ASA1:

    ASA12# show failover                  
    Failover On 
    Failover unit Primary
    Failover LAN Interface: FAILOVER Ethernet0/2 (up)
    Unit Poll frequency 500 milliseconds, holdtime 2 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 2
    Monitored Interfaces 4 of 110 maximum
    Version: Ours 8.2(5), Mate 8.2(5)
    Last Failover at: 16:09:56 UTC Mar 25 2014
            This host: Primary - Active 
                    Active time: 257 (sec)
                    slot 0: ASA5510 hw/sw rev (1.1/8.2(5)) status (Up Sys)
                      Interface DMZ1 (140.1.45.15): Normal 
                      Interface DMZ2 (140.1.71.15): Normal 
                      Interface INSIDE (172.16.3.1): Normal 
                      Interface OUTSIDE (140.1.91.15): Normal 
                    slot 1: empty
            Other host: Secondary - Standby Ready 
                    Active time: 66 (sec)
                    slot 0: ASA5510 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                      Interface DMZ1 (140.1.45.16): Normal 
                      Interface DMZ2 (140.1.71.16): Normal 
                      Interface INSIDE (172.16.3.2): Normal 
                      Interface OUTSIDE (140.1.91.16): Normal 
                    slot 1: empty

    Stateful Failover Logical Update Statistics
            Link : Unconfigured.
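As an added worked example (not INE's task or solution text), the ASA 8.2 configuration on the primary unit that would produce the output above. The interface addresses come from the task 1.1 table with Y=15 on the primary and Y=16 on the standby, as the interface lines of the output show; the FAILOVER link addressing and the failover key are assumptions, since the task does not state them.

```cisco
! ASA1 (primary) - added example, assumes Y=15 (active) / Y=16 (standby)
hostname ASA12
!
! Data interfaces from task 1.1, each with the standby unit's address alongside
interface Ethernet0/0
 no shutdown
interface Ethernet0/0.43
 vlan 43
 nameif DMZ1
 security-level 60
 ip address 140.1.45.15 255.255.255.0 standby 140.1.45.16
interface Ethernet0/0.73
 vlan 73
 nameif DMZ2
 security-level 50
 ip address 140.1.71.15 255.255.255.0 standby 140.1.71.16
interface Ethernet0/1
 no shutdown
interface Ethernet0/1.40
 vlan 40
 nameif INSIDE
 security-level 100
 ip address 172.16.3.1 255.255.255.0 standby 172.16.3.2
interface Ethernet0/1.91
 vlan 91
 nameif OUTSIDE
 security-level 0
 ip address 140.1.91.15 255.255.255.0 standby 140.1.91.16
!
! Failover control link on Ethernet0/2, named FAILOVER as in the output
interface Ethernet0/2
 no shutdown
failover lan unit primary
failover lan interface FAILOVER Ethernet0/2
! Link addressing below is an assumption (not shown in the task output)
failover interface ip FAILOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Shared key (placeholder value) so that failover messages are authenticated and encrypted
failover key FAILOVER-KEY-PLACEHOLDER
!
! Timers and interface policy taken directly from "show failover"
failover polltime unit msec 500 holdtime 2
failover polltime interface 5 holdtime 25
failover interface-policy 2
! No "failover link" command: the output shows the stateful link as Unconfigured
failover
!
! ASA2 (secondary) needs only the failover link definition, the same key, and:
!   failover lan unit secondary
!   failover
! It then learns the rest of the configuration from the primary.
```

The four monitored interfaces in the output correspond to the four named subinterfaces; the failover key is optional for the feature to work but without it the control messages cross the failover link in clear text, which is why it is included here.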

1.3 ASA Routed Mode (3 points)

  • Configure ASA3 in routed single mode with a hostname of ASA3, using the information from the table:
    Interface   Nameif    Security Level   IPv4 Address
    Gi0/0       INSIDE    100              172.16.6.1/24
    Gi0/1.38    OUTSIDE   0                140.1.38.Y/24
    Gi0/1.63    WLC       40               172.16.5.1/24
  • Configure ASA3 to advertise all its connected prefixes into EIGRP AS 200.
  • Disable EIGRP packet processing on VLAN 63.

1.4 ASA Transparent Mode (3 points)

  • Configure ASA4 in transparent single mode with a hostname of ASA4, using the information from the table:
    Interface   Nameif    Security Level   Bridge-Group
    Gi0/0.71    DMZ1      30               77
    Gi0/0.74    INSIDE    100              77
    Gi0/1.72    OUTSIDE   0                77
    Gi0/1.73    DMZ2      80               77

  • Ensure that EIGRP is functional between ASA1, R2, and SW2 using the minimum required commands.
  • Use the IPv4 address 140.1.71.Y/24, and allow IPv6 packet forwarding according to security levels without configuring any IPv6 global unicast address.

1.5 CBAC Transparent Mode (2 points)

  • Configure CBAC on R3, considering VLAN 93 as the untrusted interface.
  • All IPv4 UDP/TCP/ICMP traffic should be inspected as it exits the untrusted interface.

1.6 CBAC Transparent Mode (3 points)

  • Configure CBAC on R3, considering VLAN 83 as the untrusted interface.
  • Both router-originated and transit IPv4 TCP/UDP/ICMP traffic should be inspected.
  • R3 should log a message for ICMP sessions and delete the entry from the state table after 30 seconds.

1.7 Traffic Policy (3 points)

  • Configure the network to match the following outputs:

    ASA12# traceroute 150.1.1.1

    Type escape sequence to abort.
    Tracing the route to 150.1.1.1

     1  140.1.91.9 0 msec 0 msec 10 msec
     2  140.1.38.3 0 msec 0 msec 10 msec
     3  140.1.38.1 0 msec *  0 msec


    SW1#traceroute 150.1.1.1

    Type escape sequence to abort.
    Tracing the route to 150.1.1.1

      1 172.16.6.1 8 msec *  0 msec
      2 140.1.38.3 0 msec 8 msec 0 msec
      3 140.1.38.1 8 msec *  0 msec

1.8 ASA NAT (4 points)

  • Configure ASA3 to statically NAT R4's Loopback0 into 172.16.6.4 on its INSIDE interface.
    • Allow telnet and ping traffic to SW1's Loopback0 interface for testing.
    • NAT rule should restrict traffic from being initiated in the reverse direction.

  • Using auto-nat, configure ASA3 to NAT R1's Loopback0 into its INSIDE interface.
    • Allow telnet and ping traffic to SW1's Loopback0 interface for testing.

2. Intrusion Prevention and Content Security

2.1 IPS Initialization (2 points)

  • Initialize the IPS using the information from the table:
    Variables           Values
    Hostname            IPS
    IPv4 Address        140.1.57.100/24
    Default Gateway     140.1.57.9
    Telnet              Enabled
    Login Banner        This is IPS from CCIE Lab Exam
    Management Access   140.1.71.0/24

  • Ensure that ping and telnet from the default gateway are allowed by the IPS.
  • Ensure that administrators from VLAN 71 can manage the IPS through both telnet and HTTPS.

2.2 IPS Inline Interface-Pair (2 points)

  • Configure IPS inline between VLAN 43 and VLAN 45 using the interfaces from the diagram.
  • Ensure that traffic between these VLANs is inspected by the IPS.

2.3 IPS Custom Signature (3 points)

  • Configure a custom signature to match relevant parts of the output:

    sensor# show events 

    evIdsAlert: eventId=1395295337431000769 severity=medium vendor=Cisco alarmTraits=32768 
      originator: 
        hostId: IPS
        appName: sensorApp
        appInstanceId: 1202
      time: 2014/03/26 06:15:08 2014/03/26 06:15:08 UTC
      signature: description=My Sig id=60001 created=20000101 type=other version=custom 
        subsigId: 0
        sigDetails: My Sig Info
      interfaceGroup: vs0
      vlan: 0
      participants: 
        attacker: 
          addr: locality=OUT 140.1.45.11
        target: 
          addr: locality=OUT 224.0.0.10
          os: idSource=unknown relevance=relevant type=unknown 
      triggerPacket: 
    000000  01 00 5E 00 00 0A 44 D3  CA 63 99 C1 08 00 45 C0  ..^...D..c....E.
    000010  00 3C 00 00 00 00 02 58  1E 94 8C 01 2D 0B E0 00  .<.....X....-...
    000020  00 0A 02 05 F1 0A 00 00  00 00 00 00 00 00 00 00  ................
    000030  00 00 00 00 00 C8 00 01  00 0C 01 00 01 00 00 00  ................
    000040  00 0F 00 04 00 08 07 00  03 00                    ..........
      riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 66
      threatRatingValue: 66
      interface: ge0_0
      protocol: IP protocol 88

2.4 WSA Initialization (4 points)

  • Initialize the WSA using the information from the table:
    Variables                  Values
    Hostname                   wsa.inelab.local
    DNS Server                 150.1.4.4
    NTP Server                 150.1.4.4
    Proxy Ports                P1
    M1 IPv4 Address            172.16.6.100/24
    M1 Default Gateway         172.16.6.1
    P1 Default Gateway         140.1.91.9
    Admin Password             default1A
    Email Address              ccielab@inelab.local
    Senderbase Participation   Minimum

  • Assign TEST-PC-B the IPv4 address of 140.1.71.100/24 for this scope with a default gateway of ASA1.
  • Ensure that TEST-PC-B can manage the WSA through HTTPS.
  • Do not make any configuration changes on SW1 for this task.

2.5 WSA WCCP Integration (3 points)

  • Configure SW1 to redirect all HTTP traffic received inbound on its VLAN 91 interface to the WSA.
  • Secure the communication and match the output:

    SW1#show ip wccp 91 detail 
    WCCP Client information:
            WCCP Client ID:          140.1.91.100
            Protocol Version:        2.0
            State:                   Usable
            Redirection:             L2
            Packet Return:           L2
            Packets Redirected:    0
            Connect Time:          00:04:21
            Assignment:            MASK

2.6 WSA Traffic Policies (3 points)

  • Configure the WSA to do caching for as much content as possible.
  • Configure the WSA so that access to wwww.gunbroker.com is disallowed; the URL resolves to SW1's Loopback0 IPv4 address.
  • Users should accept the company Internet access usage policy if idle for two hours.
  • Ensure that tests from VLAN 73 can be performed to verify configured policies.

3. Confidentiality and Secure Access

3.1 IKEv2 LAN-to-LAN (4 points)

  • Configure IKEv2 LAN-to-LAN IPsec VPN between R1 and ASA3 to protect traffic between R1's and SW1's Loopback0 subnets:
    • use the default algorithms on ASA3.
    • modify the smart defaults on R1 accordingly.
    • use symmetric PSK authentication.

3.2 ASA Remote Access (4 points)

  • Ensure that users from VLAN 71 can establish IKEv1 IPsec sessions to ASA3:
    • allocate IPv4 addresses from subnet 140.1.50.0/24.
    • do not configure any IPv4 static routes.
    • only traffic destined to R1's Loopback0 should be protected.
    • only ICMP traffic should be allowed through the IPsec tunnel.
    • use testpcb for any required password.

  • Identify all required parameters from the following output:

    ASA3# show vpn-sessiondb detail ra-ikev1-ipsec 

    Session Type: IKEv1 IPsec Detailed

    Username     : testpcb                Index        : 28
    Assigned IP  : 140.1.50.1             Public IP    : 140.1.71.100
    Protocol     : IKEv1 IPsecOverTCP
    License      : Other VPN
    Encryption   : 3DES                   Hashing      : MD5
    Bytes Tx     : 0                      Bytes Rx     : 0
    Pkts Tx      : 0                      Pkts Rx      : 0
    Pkts Tx Drop : 0                      Pkts Rx Drop : 0
    Group Policy : testpcb                Tunnel Group : TEST_PC_B
    Login Time   : 13:49:39 UTC Thu Mar 27 2014
    Duration     : 0h:02m:42s
    Inactivity   : 0h:00m:00s
    NAC Result   : Unknown
    VLAN Mapping : N/A                    VLAN         : none

    IKEv1 Tunnels: 1
    IPsecOverTCP Tunnels: 1

    IKEv1:
      Tunnel ID    : 28.1
      UDP Src Port : 5211                   UDP Dst Port : 500
      IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
      Encryption   : 3DES                   Hashing      : MD5
      Rekey Int (T): 86400 Seconds          Rekey Left(T): 86241 Seconds
      D/H Group    : 2
      Filter Name  : VPN_FILTER
      Client OS    : WinNT                  Client OS Ver: 5.0.07.0410            

    IPsecOverTCP:
      Tunnel ID    : 28.2
      Local Addr   : 0.0.0.0/0.0.0.0/0/0
      Remote Addr  : 140.1.50.1/255.255.255.255/0/0
      Encryption   : 3DES                   Hashing      : MD5                    
      Encapsulation: Tunnel                 TCP Src Port : 5211                   
      TCP Dst Port : 80                     
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28639 Seconds          
      Idle Time Out: 30 Minutes             Idle TO Left : 27 Minutes             
      Bytes Tx     : 0                      Bytes Rx     : 0                      
      Pkts Tx      : 0                      Pkts Rx      : 0                      

    NAC:
      Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
      SQ Int (T)   : 0 Seconds              EoU Age(T)   : 161 Seconds
      Hold Left (T): 0 Seconds              Posture Token: 
      Redirect URL :
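As an added worked example (not INE's task or solution text), an ASA3 remote-access configuration that lines up with the session output above: IKEv1 with pre-shared keys, 3DES/MD5, DH group 2, IPsec over TCP on port 80, tunnel group TEST_PC_B, group policy testpcb and the VPN_FILTER filter. R1's Loopback0 is taken as 150.1.1.1 (the traceroute target in task 1.7); the ACL, pool and transform-set names are assumptions, and any NAT exemption needed alongside task 1.8 is left out.

```cisco
! ASA3 - added example; names other than those in the output are assumptions
crypto ikev1 enable OUTSIDE
! The session shows Protocol IKEv1 IPsecOverTCP with TCP Dst Port 80
crypto ikev1 ipsec-over-tcp port 80
! Client traffic arrives on OUTSIDE and R1 (VLAN 38) is also reached via OUTSIDE
same-security-traffic permit intra-interface
!
! Phase 1 values from the IKEv1 block: 3DES, MD5, DH group 2, 86400 s, pre-shared keys
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
! Phase 2: 3DES/MD5 tunnel mode, 28800 s rekey interval as in the IPsecOverTCP block
crypto ipsec ikev1 transform-set RA_TS esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto dynamic-map RA_DYN 10 set ikev1 transform-set RA_TS
! Reverse route injection installs the client /32 itself, so no static route is typed;
! "redistribute static" under router eigrp 200 then advertises it to R1
crypto dynamic-map RA_DYN 10 set reverse-route
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic RA_DYN
crypto map OUTSIDE_MAP interface OUTSIDE
!
! Addresses for VLAN 71 users (Assigned IP 140.1.50.1 in the output)
ip local pool RA_POOL 140.1.50.1-140.1.50.254 mask 255.255.255.0
!
! Only R1's Loopback0 is tunnelled (split tunnelling); only ICMP is allowed through
! the tunnel. A vpn-filter ACL is written with the client address as the source.
access-list SPLIT_TUNNEL standard permit host 150.1.1.1
access-list VPN_FILTER extended permit icmp 140.1.50.0 255.255.255.0 host 150.1.1.1
!
group-policy testpcb internal
group-policy testpcb attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value VPN_FILTER
 vpn-idle-timeout 30
!
! "use testpcb for any required password"
username testpcb password testpcb
!
tunnel-group TEST_PC_B type remote-access
tunnel-group TEST_PC_B general-attributes
 address-pool RA_POOL
 default-group-policy testpcb
tunnel-group TEST_PC_B ipsec-attributes
 ikev1 pre-shared-key testpcb
```

Two details worth checking with `show vpn-sessiondb detail ra-ikev1-ipsec` after connecting: the filter name must appear under the IKEv1 tunnel (it is applied per session, not per interface), and the Remote Addr in the IPsec SA should be the pool address with a /32 mask, which confirms the client is using the assigned address rather than its VLAN 71 address inside the tunnel.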

3.3 IPv6 VRF-Aware DMVPN Troubleshooting (4 points)

  • The VRF named DMVPN has been configured on R2, R5, and R6.
  • IPv6 VRF-aware DMVPN has been configured on all three routers, with R6 being the hub.
  • EIGRP is the routing protocol used to advertise Loopback256 prefixes.
  • Fix the configuration errors so that you match the following outputs:

    R2#ping vrf DMVPN 2001::66 source loopback256
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2001::66, timeout is 2 seconds:
    Packet sent with a source address of 2001::22%DMVPN
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms


    R2#ping vrf DMVPN 2001::55 source loopback256
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2001::55, timeout is 2 seconds:
    Packet sent with a source address of 2001::22%DMVPN
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

3.4 IPv4 GETVPN Troubleshooting (4 points)

  • GET VPN is configured between R1, R4, and R6, with R6 being the KS and R1/R4 the GMs.
  • GRE tunnels between R1/R4 and R6 have been configured for the registration process.
  • Traffic between R1 and R4 Loopback0 prefixes must be protected.
  • Fix the configuration errors so that you match the following output:

    R6#show crypto gdoi ks members | i ID
    Group Member ID    : 16.16.16.1
     Group ID          : 146
     Key Server ID     : 6.6.6.6
    Group Member ID    : 46.46.46.4
     Group ID          : 146
     Key Server ID     : 6.6.6.6

3.5 WLC Security (3 points)

  • Configure the network so that CAPWAP UDP ports are allowed between VLAN 12 and the WLC, so that the LAP can join the WLC.
  • Ensure that WLC can be managed through HTTPS by administrators in VLAN 71.
  • Configure a rogue malicious rule named MALICIOUS_FIRST that is true when both of the following conditions are matched:
    • SSID named CCIELAB.
    • RSSI value of -50 or stronger.

4. Identity Management

4.1 IOS TACACS+ (5 points)

  • Configure R5 to be managed via HTTP on port 8080.
  • Authenticate users against the ACS server and test with username WEB_USER and the password CISCO.
  • Source the TACACS session off R5's Loopback0 interface and use a shared key of CISCO.

4.2 IOS TACACS+ (5 points)

  • Configure R2 to authenticate telnet sessions against the ACS server.
  • Source the TACACS session off R2's Loopback0 interface and use a shared key of CISCO.
  • When user TEST1 is authenticated, the command show ip interface brief should be automatically executed without being disconnected.
  • User TEST1 should be authorized for all commands, and user TEST2 should be given access to all debug and undebug all commands.
  • Both users should be automatically placed into privilege level 15 and use a password of CISCO.

4.3 ISE Central Web Authentication (6 points)

  • Configure SW3 and ISE1 to authenticate TEST-PC-B through ISE Web Portal.
    • Test by accessing R6's Loopback0 on port 80.
  • Assume that TEST-PC-B can have any IPv4 address in VLAN 71 and is configured with a DNS server of 150.1.4.4.
  • For testing purposes, configure ISE with a username of TEST-PC-B and a password of Cisco123.
  • Source the RADIUS session off SW3's Loopback0 interface.
  • No static routes are allowed for this task.

5. System Hardening and Availability

5.1 Control Plane Security (3 points)

  • Configure R6 to drop any packets destined to closed TCP/UDP ports, but ensure that the remote users may still connect to port numbers 3001 and 5001.
  • To minimize the impact of packet floods on R6’s CPU, limit the aggregate rate of control-plane traffic to 20 Kpps.
  • Make sure that the above policing does not affect BGP and EIGRP routing protocols.

5.2 SNMP Security (3 points)

  • Configure R2 to inform TEST-SRV-B about issues related to environmental temperature via SNMP.
  • Ensure the reliable delivery of the messages, source them from Loopback0, and encrypt them using the 3DES cipher with the string CISCO.
  • Use the most secure authentication algorithm with the string of CISCO.
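As an added worked example (not INE's task or solution text), an SNMPv3 inform configuration on R2 for environmental temperature events. The address of TEST-SRV-B (192.0.2.10) and its SNMP engine ID are placeholders, since the task does not give them; the group and user names are assumptions.

```cisco
! R2 - added example; 192.0.2.10 and the engine ID are placeholders
!
! Informs to a v3 user are addressed to the manager's engine, so its engine ID
! has to be known before the remote user can be created
snmp-server engineID remote 192.0.2.10 800000090300001122334455
!
! authPriv group: every message must be both authenticated and encrypted
snmp-server group ENVMON_GRP v3 priv
!
! SHA is the strongest authentication option available on this IOS release;
! 3DES privacy as the task requires, both keyed with the string CISCO
snmp-server user ENVMON_USR ENVMON_GRP remote 192.0.2.10 v3 auth sha CISCO priv 3des CISCO
!
! Only environmental temperature events, delivered as informs (acknowledged
! and retransmitted) rather than fire-and-forget traps
snmp-server enable traps envmon temperature
snmp-server host 192.0.2.10 informs version 3 priv ENVMON_USR envmon
!
! Source the informs from Loopback0 so the manager sees a stable sender address
snmp-server source-interface informs Loopback0
```

`show snmp user` should list ENVMON_USR with authentication protocol SHA and privacy protocol 3DES; `show snmp` counts pending and retried informs, which is the quickest way to see whether the manager is acknowledging them.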

5.3 SSH Access (2 points)

  • Configure R6 to be managed via SSH with a username of ssh and password of cisco.
  • Activate version 2 of the SSH server and log a message for each failed or successful VTY session.
  • Without affecting the telnet service, ensure that SSH is allowed only from 150.1.0.0/16 sources.
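As an added worked example (not INE's task or solution text), an R6 configuration for task 5.3. The domain name, RSA key size and ACL number are assumptions; the username, password and source range come from the task.

```cisco
! R6 - added example; domain name and ACL number are assumptions
hostname R6
ip domain-name inelab.local
! SSH needs an RSA key pair; 2048 bits is a sensible minimum
crypto key generate rsa modulus 2048
ip ssh version 2
! Local user for SSH logins; "secret" stores a hash rather than a reversible password
username ssh secret cisco
!
! Log every successful and every failed VTY login
login on-success log
login on-failure log
!
! Restrict only SSH (TCP/22) to 150.1.0.0/16 while leaving telnet untouched.
! An extended ACL under access-class can match the destination port, so the
! two services can be treated differently on the same VTY lines.
access-list 100 permit tcp 150.1.0.0 0.0.255.255 any eq 22
access-list 100 deny   tcp any any eq 22
access-list 100 permit tcp any any eq telnet
!
line vty 0 4
 login local
 transport input telnet ssh
 access-class 100 in
```

A standard ACL under `access-class` would block telnet from the same sources as well, which is why the extended form is used; `show ip ssh` confirms version 2 is the only one enabled, and the `login on-failure log` messages give the source address of each rejected attempt.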

5.4 BGP Troubleshooting (4 points)

  • R6 and SW1 are configured for authenticated eBGP peering.
  • Fix the configuration errors so that the eBGP session can be successfully established.

5.5 Device Hardening (2 points)

  • To protect R2 from known vulnerabilities and DoS attacks, secure it as follows:
    • disable proxy-arp on its VLAN 2 interface.
    • disable BOOTP and DHCP service.
    • rate-limit ICMP unreachable messages to one per second.
    • display a banner message to all authenticating lines: Unauthorized access to this device is prohibited.
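As an added worked example (not INE's task or solution text), the R2 hardening commands for task 5.5. The name of the VLAN 2 interface (FastEthernet0/0.2) is an assumption.

```cisco
! R2 - added example; the VLAN 2 interface name is an assumption
!
! Proxy ARP lets the router answer ARP for off-subnet hosts and can be abused
! for traffic redirection; it is off only where the task asks for it
interface FastEthernet0/0.2
 no ip proxy-arp
!
! Remove unneeded services that listen on the router
no ip bootp server
no service dhcp
!
! One ICMP unreachable per second (the interval is given in milliseconds)
ip icmp rate-limit unreachable 1000
!
! Login banner is shown on every line that authenticates (console, VTY, aux)
banner login ^C
Unauthorized access to this device is prohibited.
^C
```

`show ip interface FastEthernet0/0.2` reports "Proxy ARP is disabled" once the first change is in place; the DHCP and BOOTP changes can be verified with `show ip sockets`, which should no longer list UDP port 67.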

6. Threat Identification and Mitigation

6.1 Preventing DoS Attacks (2 points)

  • Configure R5 to limit inbound ICMP traffic on its VLAN 5 interface to 64 Kbps.
  • Allow traffic bursts up to 25% of the configured limit.
  • Do not use MQC syntax for this task.

6.2 Preventing CAM Attacks (2 points)

  • Configure SW1 so that it allows a single MAC address to be learned on its Fa1/0/4 interface.
  • Statically define the MAC address, but allow SW1 to learn new MAC addresses after 10 minutes of no traffic from the configured MAC address.
  • SW1 should silently drop traffic in case of policy violation.
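As an added worked example (not INE's task or solution text), port security on SW1 Fa1/0/4 for task 6.2. The MAC address is a constructed placeholder.

```cisco
! SW1 - added example; the MAC address is a constructed placeholder
interface FastEthernet1/0/4
 switchport mode access
 switchport port-security
 ! Only one address may be present on the port
 switchport port-security maximum 1
 switchport port-security mac-address 0000.1111.2222
 ! Static entries age only when "aging static" is set; with inactivity aging
 ! the port can learn a new host after 10 minutes without frames from this MAC
 switchport port-security aging static
 switchport port-security aging type inactivity
 switchport port-security aging time 10
 ! protect = silently drop frames from unknown sources, no syslog, port stays up
 switchport port-security violation protect
```

The `protect` mode is the only one that drops "silently": `restrict` drops but logs and increments the violation counter, and `shutdown` err-disables the port. `show port-security interface Fa1/0/4` shows the aging type, the remaining aging time and the violation mode in one place.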

6.3 Preventing TCP Attacks (3 points)

  • Configure ASA1 to prevent TCP attacks against ISE, received on its VLAN 43 interface:
    • limit the number of TCP open and half-open sessions to 5000 and 1000, respectively.
    • ensure data integrity for TCP segments.
    • ensure that no data payload is carried in connection-establishment segments.
    • explicitly permit TCP Echo and Echo Reply options.
    • ensure that any reserved bits in TCP headers are cleared.
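As an added worked example (not INE's task or solution text), an ASA1 configuration for task 6.3 using a TCP map and MPF on the DMZ1 (VLAN 43) interface. The ISE address (140.1.45.20) and all object and map names are assumptions.

```cisco
! ASA1 - added example; the ISE address and map names are assumptions
!
! TCP normaliser settings requested by the task
tcp-map TCP_ISE_NORM
 ! Drop segments whose TCP checksum does not verify
 checksum-verification
 ! No payload allowed in SYN segments
 syn-data drop
 ! Clear the reserved bits in the TCP header instead of dropping the segment
 reserved-bits clear
 ! TCP option kinds 6 and 7 are Echo and Echo Reply
 tcp-options range 6 7 allow
!
! Traffic towards ISE, arriving on DMZ1
access-list TO_ISE extended permit tcp any host 140.1.45.20
class-map TCP_ISE
 match access-list TO_ISE
!
policy-map DMZ1_POLICY
 class TCP_ISE
  ! 5000 established and 1000 half-open (embryonic) connections
  set connection conn-max 5000 embryonic-conn-max 1000
  set connection advanced-options TCP_ISE_NORM
!
service-policy DMZ1_POLICY interface DMZ1
```

Once the embryonic limit is reached the ASA starts SYN-cookie proxying for new connections to ISE, so a SYN flood exhausts the ASA's cookie budget rather than the server's backlog; `show service-policy interface DMZ1` shows both counters and the number of segments the normaliser dropped or rewrote.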

6.4 Mitigating WORM Attacks (3 points)

  • A new worm has been detected that sends the string root.exe in the URL to a web server on TCP port 80 and 8080.
  • Configure R5 to drop all such HTTP sessions inbound on its VLAN 5 interface.
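As an added worked example (not INE's task or solution text) that covers both task 6.1 and task 6.4 on R5, since both apply inbound on the same VLAN 5 interface. The interface name (FastEthernet0/0.5) and the ACL and class names are assumptions.

```cisco
! R5 - added example; interface and ACL/class names are assumptions
!
! 6.1 - legacy CAR ("rate-limit"), not MQC. 64 kbps with a 25% burst:
! 25% of 64000 bits = 16000 bits = 2000 bytes (CAR burst values are in bytes)
access-list 100 permit icmp any any
!
! 6.4 - NBAR classifies HTTP requests whose URL contains root.exe; NBAR must
! also be told that HTTP runs on 8080 in addition to 80
ip nbar port-map http tcp 80 8080
class-map match-any WORM_ROOT_EXE
 match protocol http url "*root.exe*"
policy-map DROP_WORM
 class WORM_ROOT_EXE
  drop
!
interface FastEthernet0/0.5
 rate-limit input access-group 100 64000 2000 2000 conform-action transmit exceed-action drop
 service-policy input DROP_WORM
```

`show interfaces FastEthernet0/0.5 rate-limit` reports conformed and exceeded packet counts for the CAR policy, and `show policy-map interface FastEthernet0/0.5` shows how many packets matched the worm class and were dropped.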