CCIE Security V4 Workbook v2.3 - Lab 1

CCIE

voicelabs.com1

QUESTIONS LAB 1 WORKBOOK

Real Labs V1

www.ccieseclabs.com

CCIESECLABS.COM CCIESECLABS.COM

Initial Guidelines

1. Read all of the questions in a section before you start the configuration. It is even recommended that

you read the entire lab exam before you proceed with any configuration.

2. Exam questions have dependencies on others. Read through the entire workbook to help identify

these questions and the best order of configuration. Section do not have to be completed in the

order presented in the workbook.

3. Most questions include verification output that can be used to check your solutions.

Highlighted section in output verification displays MUST be matched to ensure correctness.

4. If you need clarification of the meaning of a questions, or if you suspect that there may be hardware

issues in your equipment, contact the onsite lab proctor as soon as possible.

5. The equipment on the rack assigned to you is physically cabled, so do NOT tamper with it. Before

starting the exam, confirm that all devices in you rack are in working order. During the exam, if any

device is locked or inaccessible for any reason, you must recover it. When you finish the exam, ensure

that all devices are accessible to the grading proctor. A device that is not accessible for grading cannot

be marked and may cause you to lose substantial points.

6. Knowledge of implementation and troubleshooting techniques is part of the lab exam.

7. Points are awarded only for working configurations. Towards the end of the exam, you should test the

functionality of all sections of the exam.

8. You will be presented with preconfigured routers and switches in your topology. The routers and

switches are preconfigured with basic IP addressing, hostname, enable password (cisco), switching, VTP,

VLANs, Frame Relay DLCI mapping, IP routing and Console port configuration. Do NOT change any of the

pre configurations at any time, unless the change is specified in a question.

9. Throughout the exam, assume these values for variables if required:

‐ YY is your two‐digit rack number. For example, the YY value for Rack 01 is 01 and for Rack 11 is 11

‐ SS is your Site ID for the lab exam location, Read the next page for your location.

‐ BB is the backbone number. For example, the BB value for Backbone 2 is 2. Backbone subnets use the

following address convention: 150.BB.YY.0/24. Do NOT change backbone addresses unless you are

instructed to do so.

‐ X is your router number. For example, the value of X for Router 1 is 1, for Switch 1 & 2 is 7 & 8

respectively

‐ Z is any number.


10. You are allowed to add static and default routes (if required) on any device.

11. In any configuration where additional addressing is indicated in the Lab Topology Diagram, Ensure

that additional addressing does not conflict with a network that is already used in your topology. Routing

Protocols preconfigured are shown in the Lab Routing Diagram.

12. Full access to the VMWare ESXi Server from your workstation is provided. Use the username admin

and the password cisco to log in. You can add, modify or delete any settings on the Cisco Secure ACS,

Test‐PC and Cisco ISEs as required in the question.

13. All device names, access information and username/password combinations are summarized on the

following pages. Do NOT change these settings.


CCIE Security Lab Equipment and Software v4.0

Hardware

Cisco 3800 Series Integrated Services Routers (ISR) Cisco 1800 Series Integrated Services Routers (ISR) Cisco 2900 Series Integrated Services Routers (ISR G2) Cisco Catalyst 3560‐24TS Series Switches Cisco Catalyst 3750‐X Series Switches Cisco ASA 5500 and 5500‐X Series Adaptive Security Appliances Cisco IPS Series 4200 Intrusion Prevention System sensors

Cisco S‐series Web Security Appliance

Cisco ISE 3300 Series Identity Services Engine Cisco WLC 2500 Series Wireless LAN Controller

Cisco Aironet 1200 Series Wireless Access Point

Cisco IP Phone 7900 Series* Cisco Secure Access Control System Notes: The ASA appliances can be configured using CLI or ASDM/Cisco Prime Tools. *Device Authentication only, provisioning of IP phones is NOT required. Software Versions Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x Cisco IPS Software Release 7.x Cisco VPN Client Software for Windows, Release 5.x Cisco Secure ACS System software version 5.3x Cisco WLC 2500 Series software 7.2x Cisco Aironet 1200 series AP Cisco IOS Software Release 12.4J(x) Cisco WSA S‐series software version 7.1x Cisco ISE 3300 series software version 1.1x Cisco NAC Posture Agent v4.X Cisco AnyConnect Client v3.0X


Summary of username and Password for all devices

Device Username Password

Router cisco Cisco

Switches cisco Cisco

IPS cisco 123cisco123

WSA admin Ironport

WLC cisco Cisco123

AP ciscoAP CCie123

ESXi Server admin Cisco

ISE admin Ise@123

Acs admin Acs@123

ASA admin Asa@123

Test‐PC Test‐PC Cisco123


Topology 1: Test PC and Vmware ESXI server

Topology 2: Local Candidate PC


Topology 3: Switch Cabling


Topology 4 : layer 2




Pre‐Configuration

On R1

conf t hostname R1 ! no logging console enable password cisco ! no aaa new‐model dot11 syslog ip cef ! no ip domain lookup ipv6 unicast‐routing ipv6 cef ! multilink bundle‐name authenticated ! voice‐card 0 ! crypto pki token default removal timeout 0 ! licence udi pid cisco3825 sn FTX1236A0D9 ! archive log config hidekeys username cisco privilege 15 password 0 cisco ! redundancy ! ip tcp synwait‐time 5 ip ssh version 1 ! crypto isakmp policy 10 encr 3des authentication pre‐share group 2 crypto isakmp key cisco address 0.0.0.0 0.0.0.0 ! ! crypto ipsec transform‐set cisco1 esp‐3des esp‐md5‐hmac mode transport !


! crypto ipsec profile DMVPN set transform‐set cisco1 ! ! interface loopback 0 ip address 192.168.1.1 255.255.255.255 ! interface loopback2 ip address 192.68.11.11 255.255.255.255 ! interface loopback3 no ip address ipv6 address 3001:0:1:3::/64 eui‐64 ! interface tunnel0 bandwidth 1000 ip address 172.16.23.1 255.255.255.0 no ip redirects ip mtu 1360 ip nhrp authentication cisco ip nhrp map multicast dynamic ip nhrp network‐id 23 ip nhrp holdtime 300 delay 1000 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile DMVPN ! interface GigabitEthernet0/0 ip address 7.7.8.1 255.255.255.0 duplex auto speed auto media‐type rj45 ipv6 address 2001:128:BAD:8::1/64 ipv6 enable ipv6 ospf 2 area 0 ! interface GigabitEthernet0/1 ip address 10.2.2.1 255.255.255.0 duplex auto speed auto media‐type rj45 !


! router eigrp 123 network 10.0.0.0 network 172.16.0.0 ! router ospf 2 router‐id 11.11.11.11 network 7.7.8.0 0.0.0.255 area 1 network 192.168.11.11 0.0.0.0 area 1 ! ip forward‐protocol nd ip http server no ip http secure‐server ! ip route 0.0.0.0 0.0.0.0 7.7.8.10 ! logging esm config ipv6 router ospf 2 redistribute connected ! control‐plane ! mgcp profile default ! ! line con 0 exec‐timeout 0 0 password cisco logging synchronous line aux 0 exec‐timeout 0 0 password cisco logging synchronous transport input telnet line vty 0 4 exec‐timeout 0 0 password cisco logging synchronous login transport input telnet exit scheduler allocate 20000 1000 ntp server 7.7.4.1 ! end


On R2

en conf t hostname R2 ! boot‐start‐marker boot‐end‐marker ! no logging console enable password cisco ! no aaa new‐model dot11 syslog ip cef ! ! ! ! no ip domain lookup ipv6 unicast‐routing ipv6 cef ! multilink bundle‐name authenticated ! voice card 0 ! crypto pki token default removal timeout 0 ! licence udi pid cisco3825 sn FTX123A0DN ! archive log config hidekeys username cisco privilege 15 password 0 cisco ! redundancy ! ip tcp synwait‐time 5 ip ssh version 1 ! crypto isakmp policy 10 encr 3des authentication pre‐share group 2 crypto isakmp key cisco address 0.0.0.0 0.0.0.0


! crypto ipsec transform‐set cisco1 esp‐3des esp‐md5‐hmac mode transport ! crypto ipsec profile DMVPN set transform‐set cisco1 ! ! ! interface loopback 0 ip address 192.168.2.2 255.255.255.255 ! interface loopback1 ip address 192.68.22.22 255.255.255.255 ! interface loopback 2 no ip address ! interface loopback3 no ip address ipv6 address 3001:0:2:1::/64 eui‐64 ipv6 enable ! interface tunnel0 bandwidth 1000 ip address 172.16.23.2 255.255.255.0 no ip redirects ip mtu 1360 ip nhrp authentication cisco ip nhrp map multicast dynamic ip nhrp network‐id 24 ip nhrp holdtime 300 delay 1000 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint tunnel key 123 tunnel protection ipsec profile DMVPN ! interface GigabitEthernet0/0 ip address 7.7.8.2 255.255.255.0 duplex auto speed auto media‐type rj45 ipv6 address 2001:128:BAD:8::2/64 ipv6 enable


ipv6 ospf 2 area 0 ! interface GigabitEthernet0/1 ip address 10.2.2.2 255.255.255.0 duplex auto speed auto media‐type rj45 ! ! router eigrp 123 network 10.0.0.0 network 172.16.0.0 ! router ospf 2 router‐id 11.11.11.11 network 7.7.8.0 0.0.0.255 area 1 network 192.168.22.22 0.0.0.0 area 1 ! ip forward‐protocol nd ip http server no ip http secure‐server ! ! ip route 0.0.0.0 0.0.0.0 7.7.8.10 ! logging esm config ipv6 router ospf 2 redistribute connected ! control‐plane ! ! mgcp profile default ! ! line con 0 exec‐timeout 0 0 password cisco logging synchronous line aux 0 exec‐timeout 0 0 password cisco logging synchronous transport input telnet line vty 0 4


exec‐timeout 0 0 password cisco logging synchronous login transport input telnet ! exit scheduler allocate 20000 1000 ntp server 7.7.4.1 ! end

On R3

en conf t hostname R3 ! boot‐start‐marker boot‐end‐marker ! no logging console enable password cisco ! no aaa new‐model dot11 syslog ip source‐route ! ip cef ! no ip domain lookup ipv6 unicast‐routing ipv6 cef ! multilink bundle‐name authenticated ! voice card 0 ! crypto pki token default removal timeout 0 ! licence udi pid cisco3825 sn FTX123A0DL ! archive log config hidekeys


username cisco password 0 cisco ! redundancy ! ip tcp synwait‐time 5 ip ssh version 1 ! crypto keyring ipv6keys pre‐shared‐key address ipv6 ::/0 key cisco123 crypto keyring ipv4keys pre‐shared‐key address 7.7.7.10 key cisco123 ! crypto isakmp policy 10 encr 3des authentication pre‐share group 2 crypto isakmp profile ipv6 match identity address ipv6 2001:DB8:23::1/64 crypto isakmp profile secure‐management match identity address 7.7.7.10 255.255.255.255 ! ! crypto ipsec transform‐set 3des ah‐sha‐hmac esp‐3des crypto ipsec transform‐set management esp‐3des esp‐sha‐hmac mode transport ! crypto ipsec profile profile0 set transform‐set 3des set isakmp‐profile ipv6 ! crypto map secure‐management 1 ipsec‐isakmp set peer 7.7.7.10 set transform‐set management set isakmp‐profile secure‐management match address 120 ! ! ! interface loopback 0 ip address 7.7.53.3 255.255.255.255 ! interface loopback1 ip address 192.68.33.33 255.255.255.255 !


interface loopback3 no ip address ipv6 address 2010::/64 eui‐64 ! interface tunnel0 no ip address ipv6 address 2001:DB8::1:2/64 ipv6 enable ipv6 eigrp 1 tunnel source GigabitEthernet0/1.2 tunnel protection ipsec profile profile0 ! interface GigabitEthernet0/0 ip address 7.7.7.3 255.255.255.0 ip ospf priority 10 duplex auto speed auto media‐type rj45 ! interface GigabitEthernet0/1 no ip address duplex auto speed auto media‐type rj45 ! interface Gigabit0/1.1 encapsulation dot1Q 19 ip address dhcp ! interface Gigabit0/1.2 encapsulation dot1Q 13 ip address 7.7.13.3 255.255.255.0 ip ospf priority 0 ipv6 address 2001:DB8:23::2/64 ipv6 enable ! router eigrp 123 network 192.168.33.33 0.0.0.0 ! router ospf 1 router‐id 3.3.3.3 redistribute connected metric 1 subnets redistribute static redistribute eigrp 100 metric 1 subnets network 7.7.13.0 0.0.0.255 area 0


! ip forward‐protocol nd ip http server no ip http secure‐server ! ! ip route 0.0.0.0 0.0.0.0 7.7.8.10 ! logging esm config access‐list 120 permit ip host 7.7.7.3 host 7.7.7.10 ipv6 router eigrp 1 router‐id 10.10.10.10 redistribute connected ! control‐plane ! ! mgcp profile default ! ! line con 0 exec‐timeout 0 0 password cisco logging synchronous line aux 0 exec‐timeout 0 0 password cisco logging synchronous transport input telnet line vty 0 4 exec‐timeout 0 0 password cisco logging synchronous login transport input telnet ! exit scheduler allocate 20000 1000 ntp server 7.7.4.1 ! end

On R4


en conf t hostname R4 ! boot‐start‐marker boot‐end‐marker ! no logging console enable password cisco ! no aaa new‐model dot11 syslog ip source‐route ! ip cef ! ! ! ip domain list cisco.com no ip domain lookup ipv6 unicast‐routing ipv6 cef ! multilink bundle‐name authenticated ! crypto pki token default removal timeout 0 ! licence udi pid cisco1841 sn FTX12362013 ! archive log config hidekeys username cisco password 0 cisco ! redundancy ! ip tcp synwait‐time 5 ! crypto isakmp policy 10 encr 3des authentication pre‐share group 2 crypto isakmp key cisco address 0.0.0.0 0.0.0.0 ! crypto ipsec transform‐set cisco1 esp‐3des esp‐md5‐hmac mode transport


crypto ipsec transform‐set 3des ah‐sha‐hmac esp‐3des ! crypto ipsec profile DMVPN set transform‐set cisco1 ! crypto ipsec profile profile0 set transform‐set 3des ! ! ! interface loopback 0 ip address 192.168.44.44 255.255.255.255 ! interface loopback1 ip address 10.1.1.1 255.255.255.255 ! interface loopback 2 ip address 7.7.54.5 255.255.255.0 ! interface loopback3 no ip address ipv6 address 1010::/64 eui‐64 ! interface tunnel0 bandwidth 1000 ip address 172.16.23.4 255.255.255.0 no ip redirects ip mtu 1360 ip nhrp nhs 172.16.23.1 ip nhrp nhs 172.16.23.2 tunnel source Fastethernet0/1.1 tunnel mode gre multipoint tunnel protection ipsec profile DMVPN ! interface FastEthernet0/0 ip address 7.7.11.4 255.255.255.0 duplex auto speed auto ipv6 address FE80:: link‐local ipv6 address autoconfig ipv6 enable ! ! interface FastEthernet0/1 no ip address ip ospf priority 10


duplex auto speed auto ! interface Fastethernet0/1.1 encapsulation dot1Q 6 ip address 7.7.6.4 255.255.255.0 ip ospf priority 10 ipv6 address dhcp rapid‐commit ipv6 enable ! interface FastEthernet0/1.2 encapsulation dot1Q 13 ip address 7.7.13.4 255.255.255.0 ipv6 address 2001:DB8:23::3/64 ipv6 enable ! router eigrp 123 network 172.16.0.0 network 192.168.44.0 ! router ospf 1 router‐id 4.4.4.4 network 7.7.6.0 0.0.0.255 area 0 network 7.7.13.0 0.0.0.255 area 0 network 7.7.54.0 0.0.0.255 area 0 ! ip forward‐protocol nd ip http server no ip http secure‐server ! ! logging esm config ipv6 router eigrp 1 router‐id 40.40.40.40 redistribute connected ! control‐plane ! ! line con 0 exec‐timeout 0 0 password cisco logging synchronous line aux 0 exec‐timeout 0 0 password cisco


logging synchronous transport input telnet line vty 0 4 exec‐timeout 0 0 password cisco logging synchronous login transport input telnet ! exit scheduler allocate 20000 1000 ! end On R5 en conf t hostname R5 ! boot‐start‐marker boot‐end‐marker ! no logging console enable password cisco ! no aaa new‐model dot11 syslog ip source‐route ! ip cef ! ! ! ip domain list cisco.com no ip domain lookup ip domain name cisco.com ipv6 unicast‐routing ipv6 cef ! multilink bundle‐name authenticated ! crypto pki token default removal timeout 0 ! licence udi pid cisco1841 sn FTX1236W022


! archive log config hidekeys username cisco password 0 cisco ! redundancy ! ip tcp synwait‐time 5 ! crypto keyring ipv6keys pre‐shared‐key address ipv6 ::/0 key cisco123 ! crypto isakmp policy 10 encr 3des authentication pre‐share group 2 crypto isakmp key cisco address 0.0.0.0 0.0.0.0 crypto isakmp profile ipv6 keyring ipv6keys match identity address ipv6 2001:DB8:23::2/64 ! crypto ipsec transform‐set cisco1 esp‐3des esp‐md5‐hmac mode transport crypto ipsec transform‐set 3des ah‐sha‐hmac esp‐3des ! crypto ipsec profile DMVPN set transform‐set cisco1 ! crypto ipsec profile profile0 set transform‐set 3des ! ! ! interface loopback 0 ip address 192.168.55.55 255.255.255.255 ! interface loopback 2 ip address 7.7.52.5 255.255.255.255 ! interface loopback3 no ip address ipv6 address 1010::/64 eui‐64 ! interface tunnel0 bandwidth 1000


ip address 172.16.23.5 255.255.255.0 no ip redirects ip mtu 1360 ip nhrp authentication cisco ip nhrp network‐id 23 ip nhrp nhs 172.16.23.1 ip nhrp nhs 172.16.23.2 delay 1000 tunnel source Fastethernet0/1.1 tunnel key 123 tunnel protection ipsec profile DMVPN ! ! interface Tunnel2 no ip address ipv6 address 2001:DB8::1:1/64 ipv6 enable ipv6 eigrp 1 tunnel source FastEthernet0/1.2 tunnel mode ipsec ipv4 tunnel protection ipsec profile profile0 ! interface FastEthernet0/0 ip address 7.7.11.5 255.255.255.0 duplex auto speed auto ipv6 address FE80:: link‐local ipv6 address autoconfig ipv6 enable ! interface FastEthernet0/1 no ip address duplex auto speed auto ! interface Fastethernet0/1.1 encapsulation dot1Q 6 ip address 7.7.6.5 255.255.255.0 ip ospf priority 10 ipv6 address dhcp rapid‐commit ipv6 enable ! interface FastEthernet0/1.2 encapsulation dot1Q 13 ip address 7.7.13.5 255.255.255.0 ipv6 address 2001:DB8:23::1/64


ipv6 enable ! router eigrp 123 network 172.16.0.0 network 192.168.55.0 ! router ospf 1 router‐id 5.5.5.5 network 7.7.6.0 0.0.0.255 area 0 network 7.7.13.0 0.0.0.255 area 0 network 7.7.52.0 0.0.0.255 area 0 ! ip forward‐protocol nd ip http server no ip http secure‐server ! ! logging esm config ipv6 router eigrp 1 router‐id 50.50.50.50 redistribute connected ! control‐plane ! ! line con 0 exec‐timeout 0 0 password cisco logging synchronous line aux 0 exec‐timeout 0 0 password cisco logging synchronous transport input telnet line vty 0 4 exec‐timeout 0 0 password cisco logging synchronous login transport input telnet ! exit scheduler allocate 20000 1000 ! end


On R6

en conf t hostname R6 ! boot‐start‐marker boot‐end‐marker ! no logging console enable password cisco ! aaa new‐model ! aaa authentication login lkey1‐list local aaa authorization network lkey1‐list local ! aaa session‐id common ! crypto pki token default removal timeout 0 ! ipv6 unicast‐routing ipv6 cef no ip source‐route ip auth‐proxy max‐login‐attempts 5 ip admission max‐login‐attempts 5 ! ip dhcp excluded‐address 7.7.19.1 7.7.19.5 ! ip dhcp pool pool19 network 7.7.19.0 255.255.255.0 lease infinite ! no ip domain lookup ip cef ! multilink bundle‐name authenticated ! voice‐card 0 ! licence udi pid cisco2951/k9 sn FTX1625AJRS hw‐module ism 0 ! hw‐module sm 1 ! username cisco privilege 15 password 0 cisco


! redundancy ! ip tcp synwait‐time 5 ip ssh version 1 ! crypto isakmp policy 1 encr 3des authentication pre‐share group 2 ! crypto ipsec transform‐set cisco1 esp‐3des esp‐md5‐hmac ! crypto ipsec profile ikey1 set transform‐set cisco1 ! ! interface loopback 0 ip address 192.168.6.1 255.255.255.255 ! interface Embedded‐Service‐Engine0/0 no ip address shutdown ! interface GigabitEthernet0/0 ip address 7.7.5.3 255.255.255.0 ip ospf priority 10 duplex auto speed auto ! interface GigabitEthernet0/1 no ip address duplex auto speed auto ! interface GigabitEthernet 0/1.1 encapsulation dot1Q 6 ip address 7.7.6.3 255.255.255.0 ipv6 address dhcp rapid‐commit ipv6 enable ! interface FastEthernet0/1.2 encapsulation dot1Q 19 ip address 7.7.19.1 255.255.255.0 !


! interface GigabitEthernet0/2 ip address 7.7.20.3 255.255.255.0 duplex auto speed auto ! interface GigabitEthernet1/0 no ip address shutdown ! interface GigabitEthernet1/1 description Internal switch interface connected to EtherSwitch Service Module no ip address ! router ospf 1 router‐id 1.1.1.1 redistribute static metric 1 subnets route‐map exclude‐nets network 7.7.5.0 0.0.0.255 area 0 network 7.7.6.0 0.0.0.255 area 0 default‐information originate always ! ip local pool pool2 13.1.1.1 13.1.1.10 ip forward‐protocol nd ! ip http server ip http authentication local no ip http secure‐server ! ip route 0.0.0.0 0.0.0.0 7.7.5.10 ip route 7.7.9.0 255.255.255.0 7.7.20.1 ip route 7.7.10.0 255.255.255.0 7.7.20.1 ! access‐list 10 deny 7.7.9.0 access‐list 10 deny 7.7.10.0 access‐list 20 permit 13.0.0.0 ! nls resp‐timeout 1 cpd cr‐id 1 route‐map exclude‐nets permit 10 match ip address 10 route‐map exclude‐nets permit 20 match ip address 20 ! ! control‐plane !


call admission limit 75000 ! mgcp profile default ! ! gatekeeper shutdown ! telephony‐service max‐ephones 10 max‐dn 144 ip source‐address 7.7.20.3 port 2000 cnf‐file perphone load 7960‐7940 P0030702T023 load 7965 P0030702T023 max‐conferences 8 gain ‐6 transfer‐system full‐consult create cnf‐files version‐stamp Jan 01 2002 00:00:00 ! ephone‐dn‐template 1 call‐forward busy 4000 call‐forward noan 4000 timeout 20 hold‐alert 30 originator ! ephone‐dn 7 number 007 name CCIE‐Security‐Lab ephone‐dn‐template 1 ! line con 0 exec‐timeout 0 0 password cisco logging synchronous line aux 0 line 2 no activator‐character no exec transport preferred none transport input all transport output lat pad telnet rlogin lapb‐ta mop udptn v120 ssh stopbits 1 line 67 no activation‐character no exec transport preferred none


transport input all transport output lat pad telnet rlogin lapb‐ta mop udptn v120 ssh stopbits 1 flowcontrol software line 193 no activation‐character no exec transport preferred none transport input all transport output lat pad telnet rlogin lapb‐ta mop udptn v120 ssh stopbits 1 line vty 0 4 exec‐timeout 0 0 password cisco logging synchronous login transport input telnet ! scheduler allocate 20000 1000 ntp source GigabitEthernet0/2 ntp master 2 ! end

On SW1

en conf t hostname SW1 ! no logging console enable password cisco ! no aaa new‐model system mtu routing 1500 ip routing no ip domain lookup ! spanning‐tree mode pvst spanning‐tree extend system‐id ! vlan internal allocation policy ascending ! ip tcp synwait‐time 5


! interface FastEthernet0/1 switchport access vlan 150 switchport mode access ! interface FastEthernet0/2 switchport access vlan 150 switchport mode access ! interface FastEthernet0/3 switchport access vlan 150 switchport mode access ! interface FastEthernet0/4 switchport access vlan 150 switchport mode access ! interface FastEthernet0/7 switchport access vlan 4 switchport mode access ! interface FastEthernet0/9 switchport access vlan 5 switchport mode access ! interface FastEthernet0/11 switchport access vlan 5 switchport mode access ! interface FastEthernet0/12 switchport access vlan 4 switchport mode access ! interface FastEthernet0/13 shutdown ! interface FastEthernet0/17‐24 switchport trunk encapsulation dot1q switchport mode trunk ! interface vlan1 no ip address shutdown ! interface vlan 2 ip address 7.7.2.1 255.255.255.0


! interface vlan4 ip address 7.7.4.1 255.255.255.0 ! interface vlan150 ip address 150.1.7.1 255.255.255.0 ! ip classless ip route 0.0.0.0 0.0.0.0 150.1.7.254 ip route 7.7.0.0 255.255.0.0 7.7.4.10 no ip http server no ip http secure‐server ! ! ntp clock‐period 36028811 ntp server 150.1.7.254 ! end

On SW2

en conf t hostname Sw2 ! no logging console enable password cisco ! no aaa new‐model system mtu routing 1500 ip routing no ip domain lookup ! crypto pki trustpoint TP‐self‐signed‐87258368 enrollment selfsigned subject‐name en=IOS‐Self‐Signed‐Certificate‐87258368 revocation‐check none rsakeypair Tp‐self‐sgned‐87258368 ! exit spanning‐tree mode pvst spanning‐tree extend system‐id ! vlan internal allocation policy ascending !


ip tcp synwait‐time 5 ! interface FastEthernet0/1 switchport access vlan 8 switchport mode access ! interface FastEthernet0/2 switchport access vlan 8 switchport mode access ! interface FastEthernet0/3 switchport access vlan 5 switchport mode access ! interface FastEthernet0/8 switchport access vlan 5 switchport mode access ! interface FastEthernet0/9 switchport access vlan 100 switchport mode access ! interface FastEthernet0/11 switchport access vlan 3 switchport mode access ! interface FastEthernet0/12 switchport access vlan 8 switchport mode access ! interface FastEthernet0/13 switchport access vlan 5 switchport mode access ! interface FastEthernet0/14 switchport access vlan 100 switchport mode access ! interface FastEthernet0/15 switchport access vlan 3 switchport mode access ! interface FastEthernet0/16 switchport access vlan 8 switchport mode access !


interface FastEthernet0/17 switchport trunk encapsulation dot1q switchport mode trunk ! interface FastEthernet0/23 switchport trunk encapsulation dot1q switchport mode trunk ! interface FastEthernet0/24 switchport trunk encapsulation dot1q switchport mode trunk ! interface Vlan1 no ip address shutdown end

On SW3

en conf t hostname SW3 ! no logging console enable password cisco ! no aaa new‐model system mtu routing 1500 ip routing no ip domain lookup ! ipv6 unicast‐routing ipv6 dhcp pool dhcp‐pool dns‐server 2001:DB8:A:B::1 dns‐server 2001:DB8:3000:3000::42 domain‐name cisco.com ! crypto pki trustpoint TP‐self‐signed‐87257344 enrollment selfsigned subject‐name en=IOS‐Self‐Signed‐Certificate‐87257344 revocation‐check none rsakeypair TP‐self‐sgned‐87257344 ! spanning‐tree mode pvst


spanning‐tree extend system‐id ! vlan internal allocation policy ascending ! ip tcp synwait‐time 5 ! interface FastEthernet0/1 switchport access vlan 77 switchport mode access ! interface FastEthernet0/2 switchport access vlan 11 switchport mode access ! interface FastEthernet0/3 switchport access vlan 11 switchport mode access ! ! interface FastEthernet0/17‐24 switchport trunk encapsulation dot1q switchport mode trunk ! interface vlan1 ip address 7.7.11.1 255.255.255.0 ipv6 address 2001:DB8:1234:42::1/64 ipv6 nd other‐config‐flag ipv6 dhcp server dhcp‐pool ! ipv6 router ospf 1 log‐adjacency‐changes ! end

On SW4

en conf t hostname SW4 ! no logging console enable password cisco ! no aaa new‐model


system mtu routing 1500 ip routing no ip domain lookup ! crypto pki trustpoint TP‐self‐signed‐87258368 enrollment selfsigned subject‐name en=IOS‐Self‐Signed‐Certificate‐87258368 revocation‐check none rsakeypair TP‐self‐sgned‐87258368 ! spanning‐tree mode pvst spanning‐tree extend system‐id ! vlan internal allocation policy ascending ! ip tcp synwait‐time 5 ! interface FastEthernet0/1 ! interface FastEthernet0/2 ! interface FastEthernet0/3 switchport trunk encapsulation dot1q switchport mode trunk ! interface FastEthernet0/4 switchport trunk encapsulation dot1q switchport mode trunk ! interface FastEthernet0/5 switchport trunk encapsulation dot1q switchport mode trunk ! interface FastEthernet0/6 switchport trunk encapsulation dot1q switchport mode trunk ! interface FastEthernet0/9 ! interface FastEthernet0/11 switchport access vlan 33 switchport mode access ! interface FastEthernet0/12 switchport trunk encapsulation dot1q switchport mode trunk


! interface FastEthernet0/14 ! interface FastEthernet0/15 ! interface FastEthernet0/16 ! interface FastEthernet0/17 ‐ 24 switchport trunk encapsulation dot1q switchport mode trunk ! interface vlan1 no ip address shutdown ! end

On SW5

en conf t hostname SW5 ! no logging console enable password cisco ! no aaa new‐model switch 1 provision ws‐ws3750x‐12s system mtu routing 1500 ip routing ! no ip domain lookup ipv6 unicast‐routing ! crypto pki trustpoint TP‐self‐signed‐1457097984 enrollment selfsigned subject‐name en=IOS‐Self‐Signed‐Certificate‐1457097984 revocation‐check none rsakeypair TP‐self‐sgned‐1457097984 ! spanning‐tree mode pvst spanning‐tree extend system‐id ! vlan internal allocation policy ascending !


ip tcp synwait‐time 5 ! interface loopback 1 no ip address ipv6 address 3001:0:5:1::/64 eui‐64 ipv6 ospf 1 area 0 ! interface loopback2 no ip address ipv6 address 3001:0:5:2::/64 eui‐64 ipv6 ospf 1 area 0 ! interface FastEthernet0/0 no ip address no ip route‐cache shutdown ! ! interface GigabitEthernet1/0/3 switchport access vlan 3 switchport mode access ! interface GigabitEthernet1/0/4 switchport access vlan 20 switchport mode access ! interface GigabitEthernet1/0/5 no switchport ip address 7.7.20.1 255.255.255.0 ! interface GigabitEthernet1/0/8 no switchport ip address 7.7.10.2 255.255.255.0 ipv6 address 2001:128:ABC:10::2/64 ! interface GigabitEthernet1/0/9 switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet1/0/11 switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet1/0/12 switchport trunk encapsulation dot1q switchport mode trunk


! interface vlan1 no ip address shutdown ! interface vlan3 ip address 7.7.3.2 255.255.255.0 no ip redirects ! ip route 0.0.0.0 0.0.0.0 7.7.3.12 ip route 7.7.0.0 255.255.0.0 7.7.3.10 ip route 7.7.2.0 255.255.255.0 7.7.3.8 ip route 7.7.4.0 255.255.255.0 7.7.3.12 ip route 7.7.9.0 255.255.255.0 7.7.10.1 ip route 7.7.99.0 255.255.255.0 7.7.10.1 ip route 200.200.9.0 255.255.255.0 7.7.3.10 ! logging esm config ipv6 router ospf 1 router‐id 35.35.35.35 redistribute connected ! line con 0 exec‐timeout 0 0 password cisco logging synchronous line vty 0 4 exec‐timeout 0 0 password cisco logging synchronous login transport input telnet line vty 5 15 exec‐timeout 0 0 password cisco login transport input telnet ! ntp server 7.7.20.3 ! end


On SW6

en conf t hostname Sw6 ! no logging console enable password cisco ! username ciscoAP password 0 CCie123 username cisco password 0 cisco aaa new‐model ! aaa session‐id common switch 1 provision ws‐w3750x‐12s system mtu routing 1500 ip routing ! ip dhcp excluded‐address 7.7.7.1 7.7.7.15 ip dhcp excluded‐address 7.7.9.1 7.7.9.5 ip dhcp excluded‐address 7.7.99.1 7.7.99.5 ip dhcp excluded‐address 10.10.110.1 10.10.110.5 ip dhcp excluded‐address 10.10.120.1 10.10.120.5 ! ip dhcp pool pool7 network 7.7.7.0 255.255.255.0 default‐router 7.7.7.2 option 43 ip 7.7.7.11 lease infinite ! ip dhcp pool voice network 7.7.9.0 255.255.255.0 option 150 ip 7.7.20.1 default‐router 7.7.9.2 ! ip dhcp pool data network 7.7.99.0 255.255.255.0 default‐router 7.7.99.1 dns‐server 150.1.7.10 ! ip domain‐name cisco.com ipv6 unicast‐routing ! crypto pki trustpoint TP‐self‐signed‐1459336320 enrollment selfsigned subject‐name en=IOS‐Self‐Signed‐Certificate‐1459336320


revocation‐check none rsakeypair TP‐self‐sgned‐1459336320 ! spanning‐tree mode pvst spanning‐tree extend system‐id ! vlan internal allocation policy ascending ! ip tcp synwait‐time 5 ! interface loopback0 ip address 192.168.66.66 255.255.255.0 ! interface loopback 1 no ip address ipv6 address 1001:0:6:1::/64 eui‐64 ipv6 ospf 1 area 0 ! interface loopback2 no ip address ipv6 address 3001:0:6:2::/64 eui‐64 ipv6 ospf 1 area 0 ! interface FastEthernet0/0 no ip address no ip route‐cache ! interface GigabitEthernet1/0/1 ! interface GigabitEthernet1/0/2 description WLC switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet1/0/5 switchport access vlan 7 switchport mode access ! interface GigabitEthernet1/0/6 switchport access vlan 7 switchport mode access ! interface GigabitEthernet1/0/7 switchport access vlan 7 switchport mode access !


interface GigabitEthernet1/0/8 no switchport ip address 7.7.10.1 255.255.255.0 ip address 7.7.10.1 255.255.255.0 ipv6 address 2001:128:ABC:10::1/64 ipv6 ospf 1 area 0 ! interface GigabitEthernet1/0/12 switchport trunk encapsulation dot1q switchport trunk allowed vlan 1‐6,8‐4094 switchport mode trunk ! interface vlan1 no ip address shutdown ! interface vlan7 ip address 7.7.7.2 255.255.255.0 ipv6 enable ! interface vlan9 ip address 7.7.9.2 255.255.255.0 ! interface vlan99 ip address 7.7.99.1 255.255.255.0 ! ip classless no ip http server no ip http secure‐server ! ip route 0.0.0.0 0.0.0.0 7.7.7.1 ip route 7.7.20.0 255.255.255.0 7.7.10.2 ! ! ip access‐list extended ACL‐DEFAULT remark DHCP permit udp any eq bootpc any eq bootps remark DNS permit udp any any eq domain remark Ping permit icmp any any remark PXL/TFTP permit udp any any eq tftp deny ip any any log ! ip radius source‐interface vlan7


logging esm config ipv6 router ospf 1 router‐id 36.36.36.36 redistribute connected ! exit radius‐server attribute 8 include‐in‐access req radius‐server attribute 25 access‐request include radius‐server dead‐criteria time 5 tries 3 radius‐server host 150.1.7.20 auth‐port 1812 acct‐port 1813 key cisco radius‐server vsa send accounting radius‐server vsa send authentication ! ntp server 7.7.20.3 ! end


Section I. Perimeter security

1.1 Configure routing and Basic Access on ASA1 (6 Points)

This question has three tasks.

Complete each task to provide basic connectivity and routing capabilities on ASA1.


Verify your solution by successfully pinging the inside 150.1.7.0 network from the all major 7.7.0.0

subnets as well as pinging from outside subnets to DMZ subnets

Example:

R3#ping 7.7.8.1

R3#ping 150.1.7.20

R3#ping 7.7.3.2


1.2 Configure stateful failover between ASA1 and ASA2 (4 points)


‐ configure LAN‐based active‐standby failover on ASA1 and ASA2

‐ Use GigabitEthernet 0/1 in VLAN 100 on SW2 for the failover LAN interface and name it fail‐over.

‐ Use IP address 7.7.100.100/24 for active and 7.7.100.101/24 for standby

‐ Enable stateful failover using fail‐over interface GigabitEthernet 0/1

‐ Use all other parameters accordingly to achieve this task

Your output must match all parameters highlighted below:


1.3 Configure ASA3 in Multi‐Context Firewall Mode

Part A: Initialize ASA3 (4 points)

ASA3 must be configured as a multi‐context firewall. ASA3 requires a shared outside interface. Use the

following outputs to complete the initial configuration.

Context details

(NOTE: Below files are already there in flash & needs to be deleted before configuring)

You can permit ICMP traffic from any to any on both contexts.

You can modify the Catalyst switch configuration to complete this task.

When the task is completed, ensure that you are able to ping all major subnets within your network,

including the ISE1 150.1.7.20

Use exact names and numbers as shown in the table


Context “c1” initialization details:

Part B: Configure IP Services on ASA3 (4 points)

Telnet access – telnet must be allowed from VLAN4 IP 7.7.4.1 on SW1 to the admin context of ASA3

To verify your solution: SW1# telnet 7.7.4.200 /so vlan4

Object NAT and Port‐to‐Application Mapping – Use object NAT to translate the VLAN4 IP address 7.7.4.1

on SW1 to a global address of 7.7.3.3. Devices on the outside of ASA3 must be able to Telnet to the

global address using a non‐standard port of 2300.

To verify your solution: R6# telnet 7.7.3.3 2300


1.4 Configure ASA4 in transparent mode with NAT support (6 points)

Configure ASA4 as a transparent firewall to be deployed between R3 and SW6 by completing

the three tasks outlined below


ASA# show route

0.0.0.0/0 via 7.7.7.3

7.7.9.0/24 via 7.7.7.2

Verify your solution by pinging from ASA4 as followings:

ASA4# ping inside 7.7.7.2

ASA4# ping outside 7.7.7.3

NAT control is required

Configure a rule where any traffic sourced from 7.7.9.0/24 and destined to 7.7.0.0/16 is mapped

to a global address from 200.200.9.0/24. This NAT rule must allow for Bidirectional connection

initialization.

Ensure that traffic sourced from the 7.7.7.0/24 network and destined to 7.7.0.0/16 or

150.1.0.0/16 is not translated but still able to transit ASA4.

Verify your solution by initiating a ping from SW6 to R3 using VLAN9 as the source interface.

Enabling debug Ip icmp on R3 should show the translation has occurred

R3# ICMP: echo reply sent, src 7.7.7.3, dst 200.200.9.2


SECTION II. IPS and Context security

2.1 – Initialize the Cisco IPS Sensor Appliance (4 points)

Initialize the Cisco IPS Sensor appliance as follows:

Verify the Cisco IPS sensor configuration using the following:

The username and password for the Cisco IPS console are cisco and 123cisco123. Do NOT change them.

Use the console to initialize the Cisco IPS sensor appliance using the defails in this table Ensure that the

Management0/0 interface is up and functioning (refer to the Lab Topology diagram).

You can modify Cisco Catalyst switches configuration if required.


Ensure that the Cisco IPS sensor is able to ping the default gateway and Test‐PC:

IPS# ping 7.7.4.1

IPS# ping 150.1.7.100

Ensure that the following ping and telnet connection is successful from SW1

SW1# ping 7.7.4.100

SW1# telnet 7.7.4.100

2.2 Deploy the Cisco IPS Sensor Using an In‐line VLAN Pair (4 points)


Configure the Cisco IPS appliance inline VLAN pair using these guidelines:

Configure the CISCO IPS sensor appliance for the inline VLAN pair as shown in the Lab Topology diagram

as follow:

You are allowed to modify the switch parameters as appropriate to achieve this task.

Refer to the lab diagram for the required information.

You may access the IPS management GUI (IME) either from your Test‐PC or your local Candidate PC to

help with the task. The IME password is Cisc0123. You are allowed to adjust any firewall and/or routing

configuration to ensure that this works.

Ensure that the sensor is passing traffic successfully.

For testing, ensure that this ping from SW6 is passing through the sensor with the packets being

displayed on the sensor console.

IPS# packet display gigabitethernet0/0

R6#ping 7.7.4.1


2.3 Implement custom signatures on the Cisco IPS sensor (4 points)

A custom signature 61000 is required on the Cisco IPS sensor as follows:

Trigger – Users are allowed to telnet to SW1 via translated address (see Q1.3), however, they must not

be allowed to launch another telnet from SW1 to any device on the 150.1.0.0/16 network.

Action – reset‐tcp‐connection when a telnet session is attempted from within an existing session to SW1

Alert‐severity – high

Signature‐definition – 0

Note: There’s a dependency on the NAT‐object & Port‐to‐Application Mapping config from Q 1.3.

You can use any signature engine to complete this task that satisfies the question requirements.

Verify your solution by connecting to SW1 from another device in the topology using the translated

address specified in Q1.3 and thereafter launch a Telnet from SW1 to your Test PC (150.1.7.100) as


follows:

SW1>enable

SW1#telnet 150.1.7.

2.4 Initialize the Cisco WSA and Enable WCCP Support (6 points)

The Cisco WSA has been initialized with an IP address of 7.7.4.150 and connected via SW1 in VLAN4.

Using the Test‐PC or Candidate PC, connect to WSA and configure as following


Connection Information: http://7.7.4.150:8080/ Username=admin Password=ironport

Initialize the Cisco WSA sensor appliance as follows using the system setup wizard:

Security services:

Accept all other defaults

From ASA/c2, verify that you can ping M1 interface of WSA:

ASA3/c2(config)# ping 7.7.4.150

Configure WCCP redirect from the inside interface of ASA3/c2 to WSA using:

Redirect‐list: for all HTTP and HTTPS traffic

Group‐list to limit redirections to the WSA only

Service‐group must be in the appropriate range

Note: You can use any names for your redirect‐list and group‐list.

Be sure to use a service‐group. DO not use the default web‐cache.


This question is dependent on the completion of Q1.3.

You may have to reboot WSA after configuration WCCP if the ASA reports following event in the logs:

WCCP‐EVNT: D90: Here_I_An packet from 7.7.4.150 ignored: bad web‐cache id.

Use the following to verify your solution from the Test‐PC, and then check HTTP requests on R3 for the

address of the WSA:


2.5 Add a custom URL Access Policy to the WSA (3 points)

Add a custom URL category called Restricted Site which will block the Site 7.7.7.2. Add the custom URL

filter to the Global access policy and ensure that the action taken will be to block the correction

Use the following to verify your solution from the Test‐PC:


SECTION III. Secure Access

3.1 Troubleshooting IPsec Management of ASA4 (4 points)

Complete the configuration of an IPsec secured management tunnel between R3 and ASA4.

R3 has been partially configured and will indicate the IKE and IPsec, policy parameters to use.

Ensure that you are able to launch the IPsec protected Telnet session from R3 to ASA4.

There are faults on R3 that must be corrected to complete this question.

Do not use wildcard (0.0.0.0) pre‐shared keys.

You can use any names for policies that have not been preconfigured.

Verify your solution as follows:


3.2 Troubleshooting IPsec Static VTI with IPv6 (5 points)

An IPsec static virtual tunnel interface is required between R3 and R5. This interface supports IPv6 traffic

and EIGRPv6 routes (the networks from Loopback3) must be exchanged securely for AS1 via Tunnel.

Complete and troubleshoot the configuration:



Ensure that the interface Loopbck3 subnets on either router are being advertised via EIGRPv6.

R3# show ipv6 route

EX 1010::/64 [170/27008000]

Via FE80::21E:BEFF:FE80:B5C, Tunnel0

R5#sho ipv6 route

EX 2010::/64 [170/27008000]

Via FE80::21E:4AFF:FE2F:CA50, Tunnel2

3.3 Troubleshooting DMVPN Phase 3 with Dual hubs (6 points)


In this question R1 and R2 are dual DMVPN Hubs with R4 and R5 as the spokes that peer with hubs for

redundancy. The hubs are pre‐configured. Complete the configuration of the spokes and troubleshoot

the solution using the following information:

172.16.23.1/2 – IP addresses of DUAL Hubs

172.16.23.4/5 – IP addresses of DUAL Spokes

Each spoke must peer with both hubs and direct spoke to spoke communication should occur using

NHRP shortcut capabilities

EIGRP routing AS 123 is preconfigured and must be advertising the Loopback0 of R4 and R5 and network

10.2.2.0/24 of R1 and R2



3.4 Configure Security Features on the Cisco WLC (4 points)

The WLC manages the configuration and control of the Cisco AP 1242

(There is no need to change any settings on the AP itself)


To complete this question you can use the CLI on the WLC, or the web GUI via http://7.7.7.11/

Username =cisco Password=Cisco123.


SECTION IV. System Hardening and Availability

4.1 Troubleshoot Secure Routing Using OSPFv3 in Cisco IOS (4 points)

OSPFv3 has been partially pre‐configured between R1 and R2 using the command “ipv6 router ospf 2”

Complete configuration and troubleshooting as required to meet the following requirements:

4.2 Troubleshoot IP Options Handling on the Cisco ASA (3 points)

The following information has appeared in an error message on ASA1 for IGMPv2 traffic transiting ASA1:

%ASA‐6‐106012: Dny IP from 7.7.5.15 to 225.17.1.1, IP options: “Router Alert”

Configure ASA1 to prevent this error message and allow IGMPv2 to function correctly for all interfaces


4.3 Configure Netflow on a Cisco IOS Router (3 points)

Configure Netflow version 9 on R6 using following requirements:

R6#show ip cache verbose flow

R6#show ip flow top‐talker


SECTION V. Threat Identification and Mitigation

5.1 Tuning Application Inspection on the Cisco ASA (4 points)

HTTP inspection must be configured to log GET operation with level 15 privilege made to Cisco IOS HTTP

servers behind ASA1. The packet capture output below which shows an HTTP session to 7.7.8.1 from

Test‐PC should be used to help define your match criteria.


5.2 Configure Dynamic‐ARP Inspection in a DHCP Environment (4 points)

R3 receives an IP address for interface g0/1.1 from R6 which is considered a trusted DHCP Server.

Configure SW4 for DAI using DHCP snooping for the appropriate VLAN.

SW4# show ip dhcp snooping binding

5.3 LDAP (Outdated )

‐Microsoft windows users utilize the “msNPAllowDialin” attribute to grant or withdraw permissions to

dial into registration admisstion and status server (RASS)

Configure ASA admin context to map this Microsoft attribute to Cisco cVPN3000‐IETF‐Radius‐class:

‐ A value of FALSE should be mapped to a value of ACCESS‐DENY

‐ A value of TRUE should be mapped to a value of ACCESS‐ALLOW


SECTION VI. Identity Management

6.1 Configure the Cisco Access Point as an 802.1X supplicant (6 points)

The Cisco Access Point 1242 is managed and controlled by the Cisco WLC which should be allowed to

communicate with 802.1X authorized Aps. In this question you are required to configure 802.1X support

for the AP on SW6 (RADIUS source interface 7.7.7.2/VLAN7) and ISE1 (150.1.7.20).

Use the information below to complete the question


6.2 Configure Support for MAB/802.1X for Voice and Data VLANs

Part A: Authentication and Authorization of Cisco IP Phone with MAB (6 points)

The Cisco IP Phone is connected to the interface g1/0/1 on SW6. It receives an IP address via DHCP from

the 7.7.9.0/24 subnet and registers with CUCME on R6 (via 7.7.20.3). The requirement is to add security

to this connection through authentication and authorization on SW6 using MAC Authentication Bypass


(MAB) to assign the RADIUS attributes required to move the phone into the voice VLAN.

Use the following information to complete this task:

‐ Create an Endpoint Identity for the IP Phone in your Rack on ISE1 (150.1.7.20)

‐ Verify that you have an authentication rule for MAB on the Cisco ISE.

‐ Verify that the standard authorization policy for Cisco IP Phones exists and is allowing a permit on all

traffic on ISE1.

‐ Configure g1/0/1 on SW6 to support a voice VLAN (9) and data VLAN (99)

‐ Voice VLAN will support MAB for authentication

‐ Data VLAN will provide support for the Test‐PC that must connect through Phone using 802.1X.

‐ SW6 must attempt a MAB authentication first after learning the MAC address of an Endpoint. If MAB

is not successful, 802.1X endpoints should be allowed to connect.

The following output should be used to verify your solution


Part B: Authentication and Authorization of 802.1X Client through a Cisco IP Phone (6 points)

The Test‐PC must be allowed to connect through the authenticated Cisco IP Phone

The following output should be used for verification


Thank You for using ccieseclabs workbooks.

Documents

CCIE Security V4 Workbook v2.3 - Lab 1