CCIE Security v4.0 Practice Labs
CCIE Security v4.0 Practice Labs is designed to help candidates prepare for the CCIE Security exam. It provides a complex topology and two practice labs that require problem solving, troubleshooting, and policy design across the topics and equipment listed in the official exam documents.
Each solution is explained in detail to reinforce the underlying concept and topic. Tech Notes present alternative deployment options and enhancements and provide additional practical implementation tips. Initial and Final configuration files are also included; they can be cut and pasted onto lab devices for further testing and verification.
These labs serve as a practice tool for prospective CCIE Security exam candidates. Because they use a real-world lab topology with in-depth solutions and technical notes, they are also a useful reference for any security professional involved in practical customer deployments of Cisco products and solutions.
CCIE Security v4.0 Practice Labs: Table of Contents
Introduction xxiii
Part I Lab Topology Components, Cabling, and Routing and Switching Configuration 1
Equipment List 2
General Guidelines 4
Prelab Setup Instructions 5
Catalyst Switchport Cabling Diagram 5
Lab Topology Diagram 7
Lab Guide Addressing Scheme 8
Lab Guide IP Routing Details 11
VPN Solutions Diagrams 15
Initial Device Configurations 18
Final Configuration Files 18
CCIE Security Exam Study and Preparation Tips 18
CCIE Security Written Exam 18
Part II Practice Lab 1 19
Section 1 Perimeter Security and Services 19
Exercise 1.1: Initialize the Cisco ASA in Multi-Context Routed Mode 19
Notes 21
Exercise 1.2: Configure Routing and Basic Access on ASA2 21
Notes 22
Exercise 1.3: Configure IP Services on ASA1 22
Task 1: Configure Network Object NAT 23
Task 2: Configure Twice NAT 23
Task 3: Configure and Troubleshoot NTP Services Using Authentication 23
Task 4: Configure Support for IPv6 in IPv4 Tunneling Through ASA1 23
Exercise 1.4: Configure IP Routing Security on ASA2 23
Task 1: BGP Connectivity Through the ASA2 24
Task 2: OSPF Authentication for Routing Update Security 24
Section 2 Intrusion Prevention and Content Security 25
Exercise 2.1: Initialize and Deploy the Cisco IPS Sensor Appliance 25
Task 1: Initialize the Cisco IPS Sensor 25
Task 2: Deploy the Cisco IPS Sensor in Inline VLAN Pair Mode 26
Task 3: Deploy the Cisco IPS Sensor in Inline Interface Pair Mode 27
Task 4: Deploy the Cisco IPS Sensor in Promiscuous Mode 27
Exercise 2.2: Initialize the Cisco WSA 27
Exercise 2.3: Enable Web Content Features on the Cisco WSA 29
Task 1: Configure WCCPv2 Proxy Support on the WSA (Client) and ASA1 (Server) 29
Task 2: Configure Proxy Bypass on the WSA 30
Task 3: Create a Custom URL Access Policy on the WSA 30
Section 3 Secure Access 30
Exercise 3.1: Configure and Troubleshoot IPsec EZVPN 30
Exercise 3.2: Troubleshoot DMVPN Phase 3: DMVPNv3 32
Exercise 3.3: Configure Security Features on the Cisco WLC 33
Task 1: Initialize the WLC and Establish Control over the Cisco Access Points (AP) 33
Task 2: Enable IP Services on the WLC to Enhance Security 35
Task 3: Creating and Assigning Security Policy to WLANs and Users 35
Exercise 3.4: Configure the Cisco IOS Certificate Server 36
Section 4 System Hardening and Availability 37
Exercise 4.1: Configure SPAN on the Cisco Catalyst Switch 37
Exercise 4.2: Troubleshoot Secure Routing Using OSPFv3 in Cisco IOS 38
Exercise 4.3: Configure Control Plane Policing (CoPP) 39
Exercise 4.4: Troubleshoot Management Plane Protection 39
Exercise 4.5: Device Hardening on the Cisco WLC 40
Task 1: Disable SSID Broadcasting 40
Task 2: Protect the WLC Against Associating with a Rogue AP 40
Task 3: Enable Infrastructure Management Frame Protection on the WLC 40
Task 4: Enable Encryption for CAPWAP Packets 40
Task 5: Create a Rate Limiting Policy for Guest Users on the Guest WLAN 40
Section 5 Threat Identification and Mitigation 41
Exercise 5.1: Troubleshoot IPv6 in IPv4 Tunnel 41
Exercise 5.2: Mitigating DHCP Attacks on a Cisco Catalyst Switch 41
Exercise 5.3: Identifying Attacks with NetFlow and Mitigating Attacks Using Flexible Packet Matching 42
Exercise 5.4: Application Protocol Protection 43
Section 6 Identity Management 43
Exercise 6.1: Configure Router Command Authorization and Access Control 43
Exercise 6.2: Configure Cut-Through Proxy on ASA2 Using TACACS+ 45
Exercise 6.3: Configure Support for MAB/802.1X for Voice and Data VLANs 45
Exercise 6.3a: Authentication and Authorization Using MAB 45
Exercise 6.3b: Authentication and Authorization Using 802.1X 47
Part II Practice Lab 1 Solutions 51
Section 1 Perimeter Security and Services 51
Solution and Verification for Exercise 1.1: Initialize the Cisco ASA in Multi-Context Routed Mode 51
Skills Tested 51
Solution and Verification 52
Basic Parameters 52
Admin Context Parameters 53
Context c1 Parameters 54
Context c2 Parameters 56
ASA1 Configuration 57
Tech Notes 60
Solution and Verification for Exercise 1.2: Configure Routing and Basic Access on ASA2 62
Skills Tested 62
Solution and Verification 62
Configuration 66
Tech Notes 67
Solution and Verification for Exercise 1.3: Configure IP Services on ASA1 68
Skills Tested 68
Solution and Verification 68
Task 1: Network Object NAT 69
Task 2: Twice NAT 69
Task 3: NTP with Authentication 70
Task 4: Tunneling ipv6ip 71
Configuration 71
Tech Notes 72
Solution and Verification for Exercise 1.4: Configure IP Routing Security on ASA2 77
Skills Tested 77
Solution and Verification 77
Task 1: BGP Connectivity Through ASA2 77
Task 2: OSPF Authentication for Routing Update Security 78
Configuration 79
Tech Notes 80
Section 2 Intrusion Prevention and Content Security 80
Solution and Verification for Exercise 2.1: Initialize and Deploy the Cisco IPS Sensor Appliance 80
Skills Tested 80
Solution and Verification 81
Task 1: Initialize the Cisco IPS 81
Task 2: Deploy the Cisco IPS Sensor in Inline VLAN Pair Mode 82
Task 3: Deploy the Cisco IPS Sensor in Inline Interface Pair Mode 83
Task 4: Deploy the Cisco IPS Sensor in Promiscuous Mode 83
Configuration 84
Tech Notes 85
Solution and Verification for Exercise 2.2: Initialize the Cisco WSA 86
Skills Tested 86
Solution and Verification 86
Tech Notes 88
Solution and Verification for Exercise 2.3: Enable Web Content Features on the Cisco WSA 89
Skills Tested 89
Solution and Verification 89
Task 1: Configure WCCPv2 Proxy Support on the Cisco WSA (Client) and the Cisco ASA (Server) 90
Task 2: Configure Proxy Bypass on the Cisco WSA 91
Task 3: Create a Custom URL Access Policy on the Cisco WSA 92
Configuration 92
Tech Notes 92
WCCP Support Across Cisco Products 92
Transparent Proxy Versus Explicit Proxy 92
Connection Assignment and Redirection 93
Service Groups 94
Section 3 Secure Access 95
Solution and Verification for Exercise 3.1: Configure and Troubleshoot IPsec EZVPN 95
Skills Tested 95
Solution and Verification 95
Configuration 100
Tech Notes 101
Initiating the EZVPN Tunnel 101
Split Tunnel Options 101
EZVPN Client Modes of Operation in Cisco IOS 102
Client U-Turn Versus IPsec Hairpinning 102
External Versus Internal Policy 102
Solution and Verification for Exercise 3.2: Troubleshoot DMVPN Phase 3: DMVPNv3 103
Skills Tested 103
Solution and Verification 103
NHRP Spoke Registration 104
Spoke-to-Spoke Connection from R4 to R3 108
Verification 113
Configuration 121
Tech Notes 123
DMVPNv1 123
DMVPNv2 124
DMVPNv3 125
Solution and Verification for Exercise 3.3: Configure Security Features on the Cisco WLC 127
Task 1: Initialize the Cisco WLC and Establish Control over the Cisco Access Points 127
Task 2: Enable IP Services on the Cisco WLC to Enhance Security 128
Task 3: Creating and Assigning Security Policy to WLANs and Users 129
Configuration 132
Solution and Verification for Exercise 3.4: Configure the Cisco IOS Certificate Server 132
Skills Tested 132
Solution and Verification 133
Configuration 135
Tech Notes 135
Section 4 System Hardening and Availability 136
Solution and Verification for Exercise 4.1: Configure SPAN on the Cisco Catalyst Switch 136
Skills Tested 136
Solution and Verification 136
Configuration 138
Tech Notes 138
SPAN Versus RSPAN 138
SPAN and RSPAN Terminology and Guidelines 138
VLAN-Based SPAN 139
Solution and Verification for Exercise 4.2: Troubleshoot Secure Routing Using OSPFv3 in Cisco IOS 140
Skills Tested 140
Solution and Verification 140
Configuration 143
Tech Notes 144
Solution and Verification for Exercise 4.3: Configure Control Plane Policing (CoPP) 145
Skills Tested 145
Solution and Verification 145
Verification 146
Configuration 150
Tech Notes 151
Router Planes 151
CoPP Versus CPPr 152
Solution and Verification for Exercise 4.4: Troubleshoot Management Plane Protection 153
Skills Tested 153
Solution and Verification 153
Configuration 154
Solution and Verification for Exercise 4.5: Device Hardening on the Cisco WLC 154
Skills Tested 154
Solution and Verification 154
Task 1: Disable SSID Broadcasting 155
Task 2: Protect the WLC Against Associating with a Rogue AP 155
Task 3: Enable Infrastructure Management Frame Protection on the Cisco WLC 156
Task 4: Enable Encryption for CAPWAP Packets 157
Task 5: Create a Rate Limiting Policy for Guest Users on the Guest WLAN 157
Configuration 158
Tech Notes 159
Summary of Wireless Attacks 159
Management Frame Protection via 802.11w 160
Section 5 Threat Identification and Mitigation 160
Solution and Verification for Exercise 5.1: Troubleshoot IPv6 in IPv4 Tunnel 161
Skills Tested 161
Solution and Verification 161
Configuration 163
Solution and Verification for Exercise 5.2: Mitigating DHCP Attacks on a Cisco Catalyst Switch 164
Skills Tested 164
Solution and Verification 164
Configuration 166
Tech Notes 166
DHCP Implementation Notes 167
DHCP Option 82 167
DHCP Snooping and the DHCP Server on Cisco IOS Routers 168
Solution and Verification for Exercise 5.3: Identifying Attacks with NetFlow and Mitigating Attacks Using Flexible Packet Matching 169
Skills Tested 169
Solution and Verification 169
Configuration 171
Solution and Verification for Exercise 5.4: Application Protocol Protection 171
Skills Tested 171
Solution and Verification 171
Configuration 173
Section 6 Identity Management 174
Solution and Verification for Exercise 6.1: Configure Router Command Authorization and Access Control 174
Skills Tested 174
Solution and Verification 174
ACS Solution 177
Configuration 183
Tech Notes 184
Tracing the Command Authorization Process 184
Understanding AAA and Login on the Router Lines 186
Test AAA Commands 188
AAA Accounting 189
Solution and Verification for Exercise 6.2: Configure Cut-Through Proxy on ASA2 Using TACACS+ 189
Skills Tested 189
Solution and Verification 189
CiscoSecure ACS Configuration 190
Configuration 193
Tech Notes 193
Solution and Verification for Exercise 6.3: Configure Support for MAB/802.1X for Voice and Data VLANs 193
Skills Tested 193
Verification: Part A 195
Verification: Part B 196
Configuration 197
Cisco ISE Configuration 198
Tech Notes 203
Part III Practice Lab 2 205
Section 1 Perimeter Security 205
Exercise 1.1: Configure a Redundant Interface on ASA2 205
Exercise 1.2: SSH Management Authentication and Local Command Authorization on ASA1 206
Exercise 1.3: Configuring Advanced Network Protection on the ASA 206
Task 1: Botnet Traffic Filtering on ASA1 206
Task 2: Threat Detection on ASA2 207
Task 3: IP Audit on ASA1 207
Exercise 1.4: Configure IPv6 on ASA2 207
Exercise 1.5: Cisco IOS Zone-Based Firewall with Support for Secure Group Tagging 208
Section 2 Intrusion Prevention and Content Security 209
Exercise 2.1: Configuring Custom Signatures on the Cisco IPS Sensor 209
Custom Signature to Track OSPF TTL 209
Custom Signature to Identify and Deny Large ICMP Packets 210
Custom Signature to Identify and Deny an ICMP Flood Attack 210
Exercise 2.2: Enable Support for HTTPS on the Cisco WSA 211
Exercise 2.3: Enable User Authentication for Transparent Proxy Using LDAP 212
Exercise 2.4: Guest User Support on the Cisco WSA 213
Section 3 Secure Access 214
Exercise 3.1: Configure and Troubleshoot IPsec Static VTI with IPv6 214
Exercise 3.2: Troubleshoot and Configure GETVPN 216
Exercise 3.3: SSL Client and Clientless VPNs 218
Exercise 3.4: Configure and Troubleshoot FlexVPN Site-to-Site Using RADIUS Tunnel Attributes 219
Exercise 3.5: Configure and Troubleshoot FlexVPN Remote Access (Client to Server) 221
Section 4 System Hardening and Availability 222
Exercise 4.1: BGP TTL-Security Through the Cisco ASA 222
Exercise 4.2: Configure and Troubleshoot Control Plane Protection 223
Exercise 4.3: Control Plane Protection for IPv6 Cisco IOS 223
Section 5 Threat Identification and Mitigation 223
Exercise 5.1: Preventing IP Address Spoofing on the Cisco ASA 223
Exercise 5.2: Monitor and Protect Against Wireless Intrusion Attacks 224
Exercise 5.3: Identifying and Protecting Against SYN Attacks 224
Exercise 5.4: Using NBAR for Inspection of HTTP Traffic with PAM and Flexible NetFlow 225
Section 6 Identity Management 226
Exercise 6.1: Cisco TrustSec–Dynamically Assigning Secure Group Tagging and SGACLs: 802.1X and MAB 227
Part A: Configuring SGTs on the Cisco ISE 227
Part B: Dynamically Assigning SGTs via 802.1X and MAB 227
Task 1: Cisco Access Point as an 802.1X Supplicant with SGTs 227
Task 2: Cisco IP Phone Using MAB and SGTs 228
Part C: Create the SGA Egress Policy 229
Exercise 6.2: Cisco TrustSec–NDAC and MACsec 230
Exercise 6.3: Cisco TrustSec–SGT Exchange Protocol over TCP 231
Part III Practice Lab 2 Solutions 233
Section 1 Perimeter Security 233
Solution and Verification for Exercise 1.1: Configure a Redundant Interface on ASA2 233
Skills Tested 233
Solution and Verification 233
Configuration 236
Solution and Verification for Exercise 1.2: SSH Management Authentication and Local Command Authorization on ASA1 236
Skills Tested 236
Solution and Verification 236
Configuration 239
Tech Notes 240
Solution and Verification for Exercise 1.3: Configuring Advanced Network Protection on the ASA 240
Skills Tested 240
Solution and Verification 241
Task 1: Botnet Traffic Filtering on ASA1 241
Task 2: Threat Detection on ASA2 243
Task 3: IP Audit 243
Configuration 244
Tech Notes 245
Solution and Verification for Exercise 1.4: Configure IPv6 on ASA2 246
Skills Tested 246
Solution and Verification 246
Configuration 248
Tech Notes 248
IPv6 Addressing Review 248
IPv6 Addressing Notation 249
IPv6 Address Types 249
IPv6 Address Allocation 251
IPv6 Addressing Standards 251
Solution and Verification for Exercise 1.5: Cisco IOS Zone-Based Firewall with Support for Secure Group Tagging 252
Skills Tested 252
Solution and Verification 252
Configuration 257
Tech Notes 259
Section 2 Intrusion Prevention and Content Security 263
Solution and Verification for Exercise 2.1: Configuring Custom Signatures on the Cisco IPS Sensor 263
Skills Tested 263
Solution and Verification 263
Custom Signature to Track OSPF TTL 264
Custom Signature to Identify and Deny Large ICMP Packets 265
Custom Signature to Identify and Deny an ICMP Flood Attack 266
Configuration 268
Tech Notes 270
Risk Ratings 270
Understanding Threat Rating 271
Solution and Verification for Exercise 2.2: Enable Support for HTTPS on the Cisco WSA 272
Skills Tested 272
Solution and Verification 272
Configuration 274
Solution and Verification for Exercise 2.3: Enable User Authentication for Transparent Proxy Using LDAP 274
Skills Tested 274
Solution and Verification 274
Solution and Verification for Exercise 2.4: Guest User Support on the Cisco WSA 278
Skills Tested 278
Solution and Verification 278
WSA Configuration 279
Section 3 Secure Access 280
Solution and Verification for Exercise 3.1: Configure and Troubleshoot IPsec Static VTI with IPv6 280
Skills Tested 280
Solution and Verification 280
Configuration 286
Tech Notes 289
Tips and Tricks 289
Static VTIs for IPv6 Using Preshared Keys 289
Solution and Verification for Exercise 3.2: Troubleshoot and Configure GETVPN 290
Skills Tested 290
Solution and Verification 290
Verify Network Connectivity 292
Configure and Verify the COOP Key Servers 293
Configure and Verify the Group Members 298
Configure and Verify DPD and Authorization 302
Configuration 303
Tech Notes 308
Key Server Design Considerations for IKE 308
Key Server Design Considerations for IPsec 309
Key Server Design Considerations for Traffic Encryption Key Lifetime 309
Key Server Design Considerations for ACLs in a Traffic Encryption Policy 310
Key Server Design Considerations for Key Encryption Key Lifetime 311
Rekey Retransmit Interval 311
Time-Based Antireplay 311
Key Server Design Considerations for Authentication Policies for GM Registration 312
Implementing Rekeying Mechanisms 312
Unicast Rekeying 313
Implementing Multicast Rekeying with No ASA Considerations 313
Implementing Multicast Rekeying Through the ASA in Routed Mode 314
Solution and Verification for Exercise 3.3: SSL Client and Clientless VPNs 315
Skills Tested 315
Solution and Verification 315
Configuration 321
Tech Notes 323
Importing Third-Party Trusted CA Certificates 323
Default Group Policy and Attribute Inheritance 328
Solution and Verification for Exercise 3.4: Configure and Troubleshoot FlexVPN Site-to-Site Using RADIUS Tunnel Attributes 328
Skills Tested 328
Solution and Verification 328
Configuration 332
Tech Notes 334
IKEv2 Smart Defaults 334
IKEv2 Anti-Clogging Cookie 334
RADIUS Tunnel Attributes and IKEv2 335
Solution and Verification for Exercise 3.5: Configure and Troubleshoot FlexVPN Remote Access (Client to Server) 337
Skills Tested 337
Solution and Verification 337
Configuration 341
Tech Notes 343
Debugging FlexVPN 343
Understanding IKEv2 Routing Options 348
Section 4 System Hardening and Availability 349
Solution and Verification for Exercise 4.1: BGP TTL-Security through the Cisco ASA 349
Skills Tested 349
Solution and Verification 349
Configuration 351
Tech Notes 351
Solution and Verification for Exercise 4.2: Configure and Troubleshoot Control Plane Protection 352
Skills Tested 352
Solution and Verification 352
Configuration 354
Tech Notes 354
Solution and Verification for Exercise 4.3: Control Plane Protection for IPv6 Cisco IOS 354
Skills Tested 354
Solution and Verification 355
Configuration 356
Section 5 Threat Identification and Mitigation 357
Solution and Verification for Exercise 5.1: Preventing IP Address Spoofing on the Cisco ASA 357
Skills Tested 357
Solution and Verification 357
Configuration 358
Tech Notes 359
Understanding Unicast Reverse Path Forwarding in Cisco IOS: Technology Overview 359
Understanding Unicast Reverse Path Forwarding: Deployment Guidelines 359
Understanding Unicast Reverse Path Forwarding: Other Guidelines 360
Solution and Verification for Exercise 5.2: Monitor and Protect Against Wireless Intrusion Attacks 361
Skills Tested 361
Solution and Verification 361
Configuration 362
Solution and Verification for Exercise 5.3: Identifying and Protecting Against SYN Attacks 362
Skills Tested 362
Solution and Verification 362
Configuration 363
Tech Notes 364
Configuring Maximum Connections 364
TCP Intercept and Limiting Embryonic Connections 364
Solution and Verification for Exercise 5.4: Using NBAR for Inspection of HTTP Traffic with PAM and Flexible NetFlow 365
Skills Tested 365
Solution and Verification 365
Configuration 369
Tech Notes 370
Configuring a NetFlow Exporter 370
Comparing NetFlow Types 370
Migrating from Traditional NetFlow to Flexible NetFlow 371
Section 6 Identity Management 372
Solution and Verification for Exercise 6.1: Cisco TrustSec–Dynamically Assigning Secure Group Tagging and SGACLs: 802.1X and MAB 372
Skills Tested 372
Solution and Verification 372
Part A: Configuring SGTs on the Cisco ISE 373
Part B: Dynamically Assigning SGTs via 802.1X and MAB 374
Part C: Create the SGA Egress Policy 376
Configuration 377
Tech Notes 378
IP Device Tracking 378
Solution and Verification for Exercise 6.2: Cisco TrustSec–NDAC and MACsec 378
Skills Tested 378
Solution and Verification 378
Configuration 389
Tech Notes 390
Protected Access Credential 390
MACsec Overview 391
Solution and Verification for Exercise 6.3: Cisco TrustSec–SGT Exchange Protocol over TCP 393
Skills Tested 393
Solution and Verification 393
Configuration 398
Tech Notes 399
SXP on the Cisco WLC 399
Summary of Secure Group Access Features 400
Part IV Appendixes
Appendix A Manual Configuration Guide 401
Cisco Catalyst Switches: SW1, SW2 401
Cisco Routers R1, R2, R3, R4, R5, R6, R7 402
Cisco Router R6: Also Used as the CME Server 403
Cisco ASA Appliances ASA1, ASA2 403
Cisco WLC 405
Cisco IPS Sensor 406
Cisco WSA 407
Appendix B Preparing for the CCIE Exam 411
CCIE Certification Process 411
CCIE Security Written Exam 411
CCIE Security Lab Exam 412
Planning Resources 413
Assessing Strengths and Weaknesses 414
Training, Practice Labs, and Boot Camps 414
Books and Online Materials 414
Lab Preparation 415
Lab Exam Tips 415
A Word on Cheating... 416
Appendix C Sample Written Exam Questions and Answers 417
ISBN 9781587144141, table of contents dated 4/22/2014