CCIE Security V4.0 Practice Labs - Pearsoncmg


CCIE Security v4.0 Practice Labs
Natalie Timms, CCIE No. 37959
Cisco Press
800 East 96th Street
Indianapolis, IN 46240

CCIE Security v4.0 Practice Labs
Natalie Timms, CCIE No. 37959

Copyright 2014 Pearson Education, Inc.
Published by: Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

ISBN-13: 978-1-58714-414-1
ISBN-10: 1-58714-414-X

Warning and Disclaimer
This book is designed to provide information about exam topics for the Cisco Certified Internetwork Expert (CCIE) Security Lab 4.0 Exam. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The author, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419. For government sales inquiries, please contact governmentsales@pearsoned.com. For questions about sales outside the U.S., please contact international@pearsoned.com.

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Publisher: Paul Boger
Business Operation Manager, Cisco Press: Jan Cornelssen
Associate Publisher: Dave Dusthimer
Senior Development Editor: Christopher Cleveland
Acquisition Editor: Denise Lincoln
Managing Editor: Sandra Schroeder
Senior Project Editor: Tonya Simpson
Technical Editors: Tim Rowley, Tyson Scott
Proofreader: Paula Lowell
Editorial Assistant: Vanessa Evans
Cover Designer: Mark Shirar
Composition: Mary Sudul

About the Author
Natalie Timms, CCIE No. 37959, is a former program manager with the CCIE certification team at Cisco, managing exam curricula and content for the CCIE Security track before becoming an independent consultant. Natalie has been involved with computer networking for more than 20 years, much of which was spent with Cisco. Natalie has contributed at the IETF standards level and has written many technical papers, and is also a Cisco Press author and U.S. patent holder. Natalie has also been a technical instructor in the Asia-Pacific region for Wellfleet Communications/Bay Networks, and is the winner of multiple Cisco Live Distinguished Speaker awards. Natalie has a CCIE Security certification and a bachelor's degree in computer science and statistics from Macquarie University in Sydney, Australia.

About the Technical Reviewers
Tim Rowley, CCIE No. 25960 (Security/Wireless), CWNE No. 124, CCSI No. 33858, CISSP, is a consultant within the Cisco Global Security Services. He is responsible for design, implementation, and support of customer networks with a focus on network security and wireless. Tim regularly contributes to the development of certification exams and the related training material, including CCNA, CCNP, and CCIE security and wireless. He has a passion for technical development and enjoys helping others achieve their certification goals.

Tyson Scott, Triple CCIE No. 13513, is a consulting systems engineer for Cisco Systems with more than 14 years in the IT industry. He has traveled the globe delivering learning solutions to the Cisco certification community, specializing in CCIE Security and CCIE Routing and Switching. Today, he helps to deliver leading security solutions in the state, local government, and education verticals.

Dedication
I have been so very fortunate to be surrounded by people who have always encouraged me to march to the beat of my own drum. To my husband, Randy, I give my love and gratitude for letting me be me; never being in my face yet always being there. To my parents, Helen and Denis, thank you for putting up with my craziness and patiently waiting for me to find my niche in life. I am Russian passion tempered with an Aussie sense of humor. And to my brother, Mick, you have always been the "little" brother I looked up to both in stature and knowing who you wanted to be. Finally, this book is also dedicated to all those who strive to be the best they can be.

Acknowledgments
I would like to thank the folks at Cisco Press, Denise Lincoln and Brett Bartow, for inviting me to contribute, and Chris Cleveland, for wading through pages of edits and not imploding. To my technical editors, Tyson Scott and Tim Rowley, I appreciate all you have done to help me complete this book. You guys are network rock stars and I bow at your feet. I need to acknowledge Scott Fanning, who for so many years was my partner in crime at Cisco. Scott, you helped foster my love for security technologies, all-night coding sessions, Tim Hortons Coffee, and ice hockey. I'm so proud of all you have achieved. So many others have helped and supported me over the years, and kicked my ass when required; it is impossible to list everyone who has made an impact in my life. I hope I can pay it forward. Sometimes, inspiration comes in the most unexpected way, even a Cake Pop.

Contents at a Glance
Introduction xxiii
Part I Lab Topology Components, Cabling, and Routing and Switching Configuration 1
Part II Practice Lab 1
  Practice Lab 1 19
  Practice Lab 1 Solutions 51
Part III Practice Lab 2
  Practice Lab 2 205
  Practice Lab 2 Solutions 233
Part IV Appendices
  Manual Configuration Guide 401
  Preparing for the CCIE Exam 411
  Sample Written Exam Questions and Answers 417

Contents
Introduction xxiii
Part I Lab Topology Components, Cabling, and Routing and Switching Configuration 1
  Equipment List 2
  General Guidelines 4
  Prelab Setup Instructions 5
  Catalyst Switchport Cabling Diagram 5
  Lab Topology Diagram 7
  Lab Guide Addressing Scheme 8
  Lab Guide IP Routing Details 11
  VPN Solutions Diagrams 15
  Initial Device Configurations 18
  Final Configuration Files 18
  CCIE Security Exam Study and Preparation Tips 18
  CCIE Security Written Exam 18
Part II Practice Lab 1 19
  Section 1 Perimeter Security and Services 19
    Exercise 1.1: Initialize the Cisco ASA in Multi-Context Routed Mode 19
      Notes 21
    Exercise 1.2: Configure Routing and Basic Access on ASA2 21
      Notes 22
    Exercise 1.3: Configure IP Services on ASA1 22
      Task 1: Configure Network Object NAT 23
      Task 2: Configure Twice NAT 23
      Task 3: Configure and Troubleshoot NTP Services Using Authentication 23
      Task 4: Configure Support for IPv6 in IPv4 Tunneling Through ASA1 23
    Exercise 1.4: Configure IP Routing Security on ASA2 23
      Task 1: BGP Connectivity Through the ASA2 24
      Task 2: OSPF Authentication for Routing Update Security 24
  Section 2 Intrusion Prevention and Content Security 25
    Exercise 2.1: Initialize and Deploy the Cisco IPS Sensor Appliance 25
      Task 1: Initialize the Cisco IPS Sensor 25
      Task 2: Deploy the Cisco IPS Sensor in Inline VLAN Pair Mode 26

      Task 3: Deploy the Cisco IPS Sensor in Inline Interface Pair Mode 27
      Task 4: Deploy the Cisco IPS Sensor in Promiscuous Mode 27
    Exercise 2.2: Initialize the Cisco WSA 27
    Exercise 2.3: Enable Web Content Features on the Cisco WSA 29
      Task 1: Configure WCCPv2 Proxy Support on the WSA (Client) and ASA1 (Server) 29
      Task 2: Configure Proxy Bypass on the WSA 30
      Task 3: Create a Custom URL Access Policy on the WSA 30
  Section 3 Secure Access 30
    Exercise 3.1: Configure and Troubleshoot IPsec EZVPN 30
    Exercise 3.2: Troubleshoot DMVPN Phase 3: DMVPNv3 32
    Exercise 3.3: Configure Security Features on the Cisco WLC 33
      Task 1: Initialize the WLC and Establish Control over the Cisco Access Points (AP) 33
      Task 2: Enable IP Services on the WLC to Enhance Security 35
      Task 3: Creating and Assigning Security Policy to WLANs and Users 35
    Exercise 3.4: Configure the Cisco IOS Certificate Server 36
  Section 4 System Hardening and Availability 37
    Exercise 4.1: Configure SPAN on the Cisco Catalyst Switch 37
    Exercise 4.2: Troubleshoot Secure Routing Using OSPFv3 in Cisco IOS 38
    Exercise 4.3: Configure Control Plane Policing (CoPP) 39
    Exercise 4.4: Troubleshoot Management Plane Protection 39
    Exercise 4.5: Device Hardening on the Cisco WLC 40
      Task 1: Disable SSID Broadcasting 40
      Task 2: Protect the WLC Against Associating with a Rogue AP 40
      Task 3: Enable Infrastructure Management Frame Protection on the WLC 40
      Task 4: Enable Encryption for CAPWAP Packets 40
      Task 5: Create a Rate Limiting Policy for Guest Users on the Guest WLAN 40
  Section 5 Threat Identification and Mitigation 41
    Exercise 5.1: Troubleshoot IPv6 in IPv4 Tunnel 41
    Exercise 5.2: Mitigating DHCP Attacks on a Cisco Catalyst Switch 41
    Exercise 5.3: Identifying Attacks with NetFlow and Mitigating Attacks Using Flexible Packet Matching 42
    Exercise 5.4: Application Protocol Protection 43

  Section 6 Identity Management 43
    Exercise 6.1: Configure Router Command Authorization and Access Control 43
    Exercise 6.2: Configure Cut-Through Proxy on ASA2 Using TACACS 45
    Exercise 6.3: Configure Support for MAB/802.1X for Voice and Data VLANs 45
      Exercise 6.3a: Authentication and Authorization Using MAB 45
      Exercise 6.3b: Authentication and Authorization Using 802.1X 47
Part II Practice Lab 1 Solutions 51
  Section 1 Perimeter Security and Services 51
    Solution and Verification for Exercise 1.1: Initialize the Cisco ASA in Multi-Context Routed Mode 51
      Skills Tested 51
      Solution and Verification 52
      Basic Parameters 52
      Admin Context Parameters 53
      Context c1 Parameters 54
      Context c2 Parameters 56
      ASA1 Configuration 57
      Tech Notes 60
    Solution and Verification for Exercise 1.2: Configure Routing and Basic Access on ASA2 62
      Skills Tested 62
      Solution and Verification 62
      Configuration 66
      Tech Notes 67
    Solution and Verification for Exercise 1.3: Configure IP Services on ASA1 68
      Skills Tested 68
      Solution and Verification 68
      Task 1: Network Object NAT 69
      Task 2: Twice NAT 69
      Task 3: NTP with Authentication 70
      Task 4: Tunneling ipv6ip 71
      Configuration 71
      Tech Notes 72

    Solution and Verification for Exercise 1.4: Configure IP Routing Security on ASA2 77
      Skills Tested 77
      Solution and Verification 77
      Task 1: BGP Connectivity Through ASA2 77
      Task 2: OSPF Authentication for Routing Update Security 78
      Configuration 79
      Tech Notes 80
  Section 2 Intrusion Prevention and Content Security 80
    Solution and Verification for Exercise 2.1: Initialize and Deploy the Cisco IPS Sensor Appliance 80
      Skills Tested 80
      Solution and Verification 81
      Task 1: Initialize the Cisco IPS 81
      Task 2: Deploy the Cisco IPS Sensor in Inline VLAN Pair Mode 82
      Task 3: Deploy the Cisco IPS Sensor in Inline Interface Pair Mode 83
      Task 4: Deploy the Cisco IPS Sensor in Promiscuous Mode 83
      Configuration 84
      Tech Notes 85
    Solution and Verification for Exercise 2.2: Initialize the Cisco WSA 86
      Skills Tested 86
      Solution and Verification 86
      Tech Notes 88
    Solution and Verification for Exercise 2.3: Enable Web Content Features on the Cisco WSA 89
      Skills Tested 89
      Solution and Verification 89
      Task 1: Configure WCCPv2 Proxy Support on the Cisco WSA (Client) and the Cisco ASA (Server) 90
      Task 2: Configure Proxy Bypass on the Cisco WSA 91
      Task 3: Create a Custom URL Access Policy on the Cisco WSA 92
      Configuration 92
      Tech Notes 92
        WCCP Support Across Cisco Products 92
        Transparent Proxy Versus Explicit Proxy 92
        Connection Assignment and Redirection 93
        Service Groups 94

  Section 3 Secure Access 95
    Solution and Verification for Exercise 3.1: Configure and Troubleshoot IPsec EZVPN 95
      Skills Tested 95
      Solution and Verification 95
      Configuration 100
      Tech Notes 101
        Initiating the EZVPN Tunnel 101
        Split Tunnel Options 101
        EZVPN Client Modes of Operation in Cisco IOS 102
        Client U-Turn Versus IPsec Hairpinning 102
        External Versus Internal Policy 102
    Solution and Verification for Exercise 3.2: Troubleshoot DMVPN Phase 3: DMVPNv3 103
      Skills Tested 103
      Solution and Verification 103
      NHRP Spoke Registration 104
      Spoke-to-Spoke Connection from R4 to R3 108
      Verification 113
      Configuration 121
      Tech Notes 123
        DMVPNv1 123
        DMVPNv2 124
        DMVPNv3 125
    Solution and Verification for Exercise 3.3: Configure Security Features on the Cisco WLC 127
      Task 1: Initialize the Cisco WLC and Establish Control over the Cisco Access Points 127
      Task 2: Enable IP Services on the Cisco WLC to Enhance Security 128
      Task 3: Creating and Assigning Security Policy to WLANs and Users 129
      Configuration 132
    Solution and Verification for Exercise 3.4: Configure the Cisco IOS Certificate Server 132
      Skills Tested 132
      Solution and Verification 133
      Configuration 135
      Tech Notes 135

  Section 4 System Hardening and Availability 136
    Solution and Verification for Exercise 4.1: Configure SPAN on the Cisco Catalyst Switch 136
      Skills Tested 136
      Solution and Verification 136
      Configuration 138
      Tech Notes 138
        SPAN Versus RSPAN 138
        SPAN and RSPAN Terminology and Guidelines 138
        VLAN-Based SPAN 139
    Solution and Verification for Exercise 4.2: Troubleshoot Secure Routing Using OSPFv3 in Cisco IOS 140
      Skills Tested 140
      Solution and Verification 140
      Configuration 143
      Tech Notes 144
    Solution and Verification for Exercise 4.3: Configure Control Plane Policing (CoPP) 145
      Skills Tested 145
      Solution and Verification 145
      Verification 146
      Configuration 150
      Tech Notes 151
        Router Planes 151
        CoPP Versus CPPr 152
    Solution and Verification for Exercise 4.4: Troubleshoot Management Plane Protection 153
      Skills Tested 153
      Solution and Verification 153
      Configuration 154
    Solution and Verification for Exercise 4.5: Device Hardening on the Cisco WLC 154
      Skills Tested 154
      Solution and Verification 154
      Task 1: Disable SSID Broadcasting 155
      Task 2: Protect the WLC Against Associating with a Rogue AP 155
      Task 3: Enable Infrastructure Management Frame Protection on the Cisco WLC 156

      Task 4: Enable Encryption for CAPWAP Packets 157
      Task 5: Create a Rate Limiting Policy for Guest Users on the Guest WLAN 157
      Configuration 158
      Tech Notes 159
        Summary of Wireless Attacks 159
        Management Frame Protection via 802.11w 160
  Section 5 Threat Identification and Mitigation 160
    Solution and Verification for Exercise 5.1: Troubleshoot IPv6 in IPv4 Tunnel 161
      Skills Tested 161
      Solution and Verification 161
      Configuration 163
    Solution and Verification for Exercise 5.2: Mitigating DHCP Attacks on a Cisco Catalyst Switch 164
      Skills Tested 164
      Solution and Verification 164
      Configuration 166
      Tech Notes 166
        DHCP Implementation Notes 167
        DHCP Option 82 167
        DHCP Snooping and the DHCP Server on Cisco IOS Routers 168
    Solution and Verification for Exercise 5.3: Identifying Attacks with NetFlow and Mitigating Attacks Using Flexible Packet Matching 169
      Skills Tested 169
      Solution and Verification 169
      Configuration 171
    Solution and Verification for Exercise 5.4: Application Protocol Protection 171
      Skills Tested 171
      Solution and Verification 171
      Configuration 173
  Section 6 Identity Management 174
    Solution and Verification for Exercise 6.1: Configure Router Command Authorization and Access Control 174
      Skills Tested 174

      Solution and Verification 174
      ACS Solution 177
      Configuration 183
      Tech Notes 184
        Tracing the Command Authorization Process 184
        Understanding AAA and Login on the Router Lines 186
        Test AAA Commands 188
        AAA Accounting 189
    Solution and Verification for Exercise 6.2: Configure Cut-Through Proxy on ASA2 Using TACACS 189
      Skills Tested 189
      Solution and Verification 189
      CiscoSecure ACS Configuration 190
      Configuration 193
      Tech Notes 193
    Solution and Verification for Exercise 6.3: Configure Support for MAB/802.1X for Voice and Data VLANs 193
      Skills Tested 193
      Verification: Part A 195
      Verification: Part B 196
      Configuration 197
      Cisco ISE Configuration 198
      Tech Notes 203
Part III Practice Lab 2 205
  Section 1 Perimeter Security 205
    Exercise 1.1: Configure a Redundant Interface on ASA2 205
    Exercise 1.2: SSH Management Authentication and Local Command Authorization on ASA1 206
    Exercise 1.3: Configuring Advanced Network Protection on the ASA 206
      Task 1: Botnet Traffic Filtering on ASA1 206
      Task 2: Threat Detection on ASA2 207
      Task 3: IP Audit on ASA1 207
    Exercise 1.4: Configure IPv6 on ASA2 207
    Exercise 1.5: Cisco IOS Zone-Based Firewall with Support for Secure Group Tagging 208

  Section 2 Intrusion Prevention and Content Security 209
    Exercise 2.1: Configuring Custom Signatures on the Cisco IPS Sensor 209
      Custom Signature to Track OSPF TTL 209
      Custom Signature to Identify and Deny Large ICMP Packets 210
      Custom Signature to Identify and Deny an ICMP Flood Attack 210
    Exercise 2.2: Enable Support for HTTPS on the Cisco WSA 211
    Exercise 2.3: Enable User Authentication for Transparent Proxy Using LDAP 212
    Exercise 2.4: Guest User Support on the Cisco WSA 213
  Section 3 Secure Access 214
    Exercise 3.1: Configure and Troubleshoot IPsec Static VTI with IPv6 214
    Exercise 3.2: Troubleshoot and Configure GETVPN 216
    Exercise 3.3: SSL Client and Clientless VPNs 218
    Exercise 3.4: Configure and Troubleshoot FlexVPN Site-to-Site Using RADIUS Tunnel Attributes 219
    Exercise 3.5: Configure and Troubleshoot FlexVPN Remote Access (Client to Server) 221
  Section 4 System Hardening and Availability 222
    Exercise 4.1: BGP TTL-Security Through the Cisco ASA 222
    Exercise 4.2: Configure and Troubleshoot Control Plane Protection 223
    Exercise 4.3: Control Plane Protection for IPv6 Cisco IOS 223
  Section 5 Threat Identification and Mitigation 223
    Exercise 5.1: Preventing IP Address Spoofing on the Cisco ASA 223
    Exercise 5.2: Monitor and Protect Against Wireless Intrusion Attacks 224
    Exercise 5.3: Identifying and Protecting Against SYN Attacks 224
    Exercise 5.4: Using NBAR for Inspection of HTTP Traffic with PAM and Flexible NetFlow 225
  Section 6 Identity Management 226
    Exercise 6.1: Cisco TrustSec—Dynamically Assigning Secure Group Tagging and SGACLs: 802.1X and MAB 227
      Part A: Configuring SGTs on the Cisco ISE 227
      Part B: Dynamically Assigning SGTs via 802.1X and MAB 227
        Task 1: Cisco Access Point as an 802.1X Supplicant with SGTs 227
        Task 2: Cisco IP Phone Using MAB and SGTs 228
      Part C: Create the SGA Egress Policy 229

    Exercise 6.2: Cisco TrustSec—NDAC and MACsec 230
    Exercise 6.3: Cisco TrustSec—SGT Exchange Protocol over TCP 231
Part III Practice Lab 2 Solutions 233
  Section 1 Perimeter Security 233
    Solution and Verification for Exercise 1.1: Configure a Redundant Interface on ASA2 233
      Skills Tested 233
      Solution and Verification 233
      Configuration 236
    Solution and Verification for Exercise 1.2: SSH Management Authentication and Local Command Authorization on ASA1 236
      Skills Tested 236
      Solution and Verification 236
      Configuration 239
      Tech Notes 240
    Solution and Verification for Exercise 1.3: Configuring Advanced Network Protection on the ASA 240
      Skills Tested 240
      Solution and Verification 241
      Task 1: Botnet Traffic Filtering on ASA1 241
      Task 2: Threat Detection on ASA2 243
      Task 3: IP Audit 243
      Configuration 244
      Tech Notes 245
    Solution and Verification for Exercise 1.4: Configure IPv6 on ASA2 246
      Skills Tested 246
      Solution and Verification 246
      Configuration 248
      Tech Notes 248
        IPv6 Addressing Review 248
        IPv6 Addressing Notation 249
        IPv6 Address Types 249
        IPv6 Address Allocation 251
        IPv6 Addressing Standards 251
    Solution and Verification for Exercise 1.5: Cisco IOS Zone-Based Firewall with Support for Secure Group Tagging 252
      Skills Tested 252

      Solution and Verification 252
      Configuration 257
      Tech Notes 259
  Section 2 Intrusion Prevention and Content Security 263
    Solution and Verification for Exercise 2.1: Configuring Custom Signatures on the Cisco IPS Sensor 263
      Skills Tested 263
      Solution and Verification 263
      Custom Signature to Track OSPF TTL 264
      Custom Signature to Identify and Deny Large ICMP Packets 265
      Custom Signature to Identify and Deny an ICMP Flood Attack 266
      Configuration 268
      Tech Notes 270
        Risk Ratings 270
        Understanding Threat Rating 271
    Solution and Verification for Exercise 2.2: Enable Support for HTTPS on the Cisco WSA 272
      Skills Tested 272
      Solution and Verification 272
      Configuration 274
    Solution and Verification for Exercise 2.3: Enable User Authentication for Transparent Proxy Using LDAP 274
      Skills Tested 274
      Solution and Verification 274
    Solution and Verification for Exercise 2.4: Guest User Support on the Cisco WSA 278
      Skills Tested 278
      Solution and Verification 278
      WSA Configuration 279
  Section 3 Secure Access 280
    Solution and Verification for Exercise 3.1: Configure and Troubleshoot IPsec Static VTI with IPv6 280
      Skills Tested 280
      Solution and Verification 280
      Configuration 286

      Tech Notes 289
        Tips and Tricks 289
        Static VTIs for IPv6 Using Preshared Keys 289
    Solution and Verification for Exercise 3.2: Troubleshoot and Configure GETVPN 290
      Skills Tested 290
      Solution and Verification 290
      Verify Network Connectivity 292
      Configure and Verify the COOP Key Servers 293
      Configure and Verify the Group Members 298
      Configure and Verify DPD and Authorization 302
      Configuration 303
      Tech Notes 308
        Key Server Design Considerations for IKE 308
        Key Server Design Considerations for IPsec 309
        Key Server Design Considerations for Traffic Encryption Key Lifetime 309
        Key Server Design Considerations for ACLs in a Traffic Encryption Policy 310
        Key Server Design Considerations for Key Encryption Key Lifetime 311
        Rekey Retransmit Interval 311
        Time-Based Antireplay 311
        Key Server Design Considerations for Authentication Policies for GM Registration 312
        Implementing Rekeying Mechanisms 312
        Unicast Rekeying 313
        Implementing Multicast Rekeying with No ASA Considerations 313
        Implementing Multicast Rekeying Through the ASA in Routed Mode 314
    Solution and Verification for Exercise 3.3: SSL Client and Clientless VPNs 315
      Skills Tested 315
      Solution and Verification 315
      Configuration 321
      Tech Notes 323
        Importing Third-Party Trusted CA Certificates 323
        Default Group Policy and Attribute Inheritance 328

    Solution and Verification for Exercise 3.4: Configure and Troubleshoot FlexVPN Site-to-Site Using RADIUS Tunnel Attributes 328
      Skills Tested 328
      Solution and Verification 328
      Configuration 332
      Tech Notes 334
        IKEv2 Smart Defaults 334
        IKEv2 Anti-Clogging Cookie 334
        RADIUS Tunnel Attributes and IKEv2 335
    Solution and Verification for Exercise 3.5: Configure and Troubleshoot FlexVPN Remote Access (Client to Server) 337
      Skills Tested 337
      Solution and Verification 337
      Configuration 341
      Tech Notes 343
        Debugging FlexVPN 343
        Understanding IKEv2 Routing Options 348
  Section 4 System Hardening and Availability 349
    Solution and Verification for Exercise 4.1: BGP TTL-Security Through the Cisco ASA 349
      Skills Tested 349
      Solution and Verification 349
      Configuration 351
      Tech Notes 351
    Solution and Verification for Exercise 4.2: Configure and Troubleshoot Control Plane Protection 352
      Skills Tested 352
      Solution and Verification 352
      Configuration 354
      Tech Notes 354
    Solution and Verification for Exercise 4.3: Control Plane Protection for IPv6 Cisco IOS 354
      Skills Tested 354
      Solution and Verification 355
      Configuration 356

  Section 5 Threat Identification and Mitigation 357
    Solution and Verification for Exercise 5.1: Preventing IP Address Spoofing on the Cisco ASA 357
      Skills Tested 357
      Solution and Verification 357
      Configuration 358
      Tech Notes 359
        Understanding Unicast Reverse Path Forwarding in Cisco IOS: Technology Overview 359
        Understanding Unicast Reverse Path Forwarding: Deployment Guidelines 359
        Understanding Unicast Reverse Path Forwarding: Other Guidelines 360
    Solution and Verification for Exercise 5.2: Monitor and Protect Against Wireless Intrusion Attacks 361
      Skills Tested 361
      Solution and Verification 361
      Configuration 362
    Solution and Verification for Exercise 5.3: Identifying and Protecting Against SYN Attacks 362
      Skills Tested 362
      Solution and Verification 362
      Configuration 363
      Tech Notes 364
        Configuring Maximum Connections 364
        TCP Intercept and Limiting Embryonic Connections 364
    Solution and Verification for Exercise 5.4: Using NBAR for Inspection of HTTP Traffic with PAM and Flexible NetFlow 365
      Skills Tested 365
      Solution and Verification 365
      Configuration 369
      Tech Notes 370
        Configuring a NetFlow Exporter 370
        Comparing NetFlow Types 370
        Migrating from Traditional NetFlow to Flexible NetFlow 371

  Section 6 Identity Management 372
    Solution and Verification for Exercise 6.1: Cisco TrustSec—Dynamically Assigning Secure Group Tagging and SGACLs: 802.1X and MAB 372
      Skills Tested 372
      Solution and Verification 372
      Part A: Configuring SGTs on the Cisco ISE 373
      Part B: Dynamically Assigning SGTs via 802.1X and MAB 374
      Part C: Create the SGA Egress Policy 376
      Configuration 377
      Tech Notes 378
        IP Device Tracking 378
    Solution and Verification for Exercise 6.2: Cisco TrustSec—NDAC and MACsec 378
      Skills Tested 378
      Solution and Verification 378
      Configuration 389
      Tech Notes 390
        Protected Access Credential 390
        MACsec Overview 391
    Solution and Verification for Exercise 6.3: Cisco TrustSec—SGT Exchange Protocol over TCP 393
      Skills Tested 393
      Solution and Verification 393
      Configuration 398
      Tech Notes 399
        SXP on the Cisco WLC 399
        Summary of Secure Group Access Features 400
Part IV Appendixes
  Appendix A Manual Configuration Guide 401
    Cisco Catalyst Switches: SW1, SW2 401
    Cisco Routers R1, R2, R3, R4, R5, R6, R7 402
    Cisco Router R6: Also Used as the CME Server 403
    Cisco ASA Appliances ASA1, ASA2 403
    Cisco WLC 405
    Cisco IPS Sensor 406
    Cisco WSA 407

  Appendix B Preparing for the CCIE Exam 411
    CCIE Certification Process 411
    CCIE Security Written Exam 411
    CCIE Security Lab Exam 412
    Planning Resources 413
    Assessing Strengths and Weaknesses 414
    Training, Practice Labs, and Boot Camps 414
    Books and Online Materials 414
    Lab Preparation 415
    Lab Exam Tips 415
    A Word on Cheating 416
  Appendix C Sample Written Exam Questions and Answers 417

Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

- Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
- Italic indicates arguments for which you supply actual values.
- Vertical bars ( | ) separate alternative, mutually exclusive elements.
- Square brackets ([ ]) indicate an optional element.
- Braces ({ }) indicate a required choice.
- Braces within brackets ([{ }]) indicate a required choice within an optional element.

Introduction
For more than ten years, the CCIE program has identified networking professionals with the highest level of expertise. Fewer than 3 percent of all Cisco certified professionals actually achieve CCIE status. The majority of candidates who take the exam fail at the first attempt because they are not fully prepared; they generally find that their study plan did not match what was expected of them in the exam. These practice exercises are indicative of the types of questions you can expect in an actual exam. Completion of these exercises with a solid understanding of the solutions will be an indication of whether you are ready to schedule your lab or you need to reevaluate your study plan.

Exam Overview
The CCIE qualification consists of two separate exams, a two-hour written exam and an eight-hour hands-on lab exam that includes troubleshooting questions. Written exams are computer-based multiple-choice exams lasting two hours and available at hundreds of authorized testing centers worldwide. The written exam is designed to test your theoretical knowledge to ensure you are ready to take the lab exam; as such, you are eligible to schedule the lab exam only after you have passed the written exam. Having purchased this publication, it is assumed that you have passed the written exam and are ready to practice for the lab exam. The lab exam is an eight-hour hands-on exam in which you are required to configure a series of complex scenarios in strict accordance to the questions—it's tough but achievable. Current exam blueprint content information can be found at the following rtifications/ccie security

Study Roadmap
Taking the lab exam is all about experience: You can't expect to take it and pass after just completing your written exam, relying on your theoretical knowledge. You must spend countless hours of rack time configuring features and learning how protocols interact with one another. To be confident enough to schedule your lab exam, review the following outlined points.

Assessing Your Strengths
Using the content blueprint, determine your experience and knowledge in the major topic areas. For areas of strength, practicing for speed should be your focus. For weak areas, you might need training or book study in addition to practice.

Study Materials
Choose lab materials that provide configuration examples and take a hands-on approach. Look fo
