Your partner for Success
CCIE Security v5 Lab Access Guide
Version 1.9
Author: Cloudmylab Support
Contents
Introduction
Audience
Disclaimer
Legal Liability
Topology
Devices Used
    Physical Devices
    Virtual Devices
Getting Access to the POD
DEVICE ACCESS
    How to access the devices
    Guest Machine Reload
    Retrieve Snapshots
    Setup WLC and WSA for Lab
    Setup ISE for Lab
    Setting up Routers and ASAs for the lab
    Accessing the Devices console
        Device List
        Devices CLI Credentials
    Quick Device access
    Virtual Device Access
        Example Method 1 for Virtual Devices with CLI access
        Example Method 2 for Virtual Devices with CLI access
    Accessing Windows Based machines
        Example Method 1 for Windows based device
        Example Method 2 for Windows based device
LAB Devices IP Details
Physical Connectivity
    FIREWALLS
    Switches
IP And VLAN MAP
Virtualization Logic
Lab Shortcuts
Introduction
Cloudmylab offers a platform on which any lab topology can be run. The CCIE Security v5 lab has been adapted from several vendors and is built on the topology and configuration they provide, refined with customer and online forum feedback. The lab topology described below is mostly virtual and aligns with Cisco's CCIE Security v5 blueprint.
Audience
This lab guide is intended for students who are preparing for CCIE Security v5 and wish to use our platform to practise the CCIE labs.
Disclaimer
These labs have been designed and built on topologies provided by vendors selling CCIE workbooks and by online student forums. Cloudmylab is not responsible for the accuracy of the labs or workbooks and does not endorse any CCIE workbook vendor or company. We have designed our platform to Cisco's blueprint and it can be used for any lab scenario. Students are responsible for loading any pre-configuration.
Cloudmylab does not sell workbooks or CCIE topologies.
Legal Liability
Cloudmylab is an IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and LaaS (Lab as a Service) provider. Cloudmylab either owns or leases the equipment used in the certification labs and proof-of-concept labs. Cloudmylab uses only genuine software, either procured from or provided for evaluation by the manufacturer. Cloudmylab encourages its users to use their own licensing, or to lease licensing from Cloudmylab. Cloudmylab does not resell hardware, software or licensing.
Cloudmylab has no liability for the software and licensing used by the customer in their purchased service instance.
Cloudmylab does not endorse any vendor of Cisco, Juniper, Microsoft or VMware certification lab workbooks.
Topology
The following topology has been adopted from CCIE University; it is a topology available on online forums and vendor pages. Cloudmylab offers a platform to run topologies and in no way owns or endorses any vendor topology.
Figure 1
Figure 2
Figure 3
Devices Used
Physical Devices
This section details the physical devices and their software versions in the topology.

Device Name   Device Model   Software Version
ASA1          ASA5515X       9.6.1
ASA2          ASA5515X       9.6.1
ASA3          ASA5512X       9.6.1
ASA4          ASA5512X       9.6.1
SW1           C3750X         12.2(58)SE
SW2           C3560X         12.2(58)SE
Table 1
Virtual Devices
This section details virtual devices and the software version used in the topology.
Device Name Device Model Software Version
R1 CSR1000v 03.16.06.S
R2 CSR1000v 03.16.06.S
R3 CSR1000v 03.16.06.S
R4 CSR1000v 03.16.06.S
R5 CSR1000v 03.16.06.S
R6 CSR1000v 03.16.06.S
R7 CSR1000v 03.16.06.S
R8 CSR1000v 03.16.06.S
R9 CSR1000v 03.16.06.S
R10 CSR1000v 03.16.06.S
R11 CSR1000v 03.16.06.S
R12 CSR1000v 03.16.06.S
R13 CSR1000v 03.16.06.S
R14 CSR1000v 03.16.06.S
R15 CSR1000v 03.16.06.S
R16 CSR1000v 03.16.06.S
R17 CSR1000v 03.16.06.S
R18 CSR1000v 03.16.06.S
ASAv1 ASAv 9.6.2
ASAv11 ASAv 9.6.2
ASAv2 ASAv 9.6.2
ASAv22 ASAv 9.6.2
ISE ISE-VM-K9 2.1
vWLC WLC-VM 8.5
WSA WSA-VM 9.1.1-041
NGIPS FP-NGIPS 6.1
FMC FP-FMC 6.1
AMP FP-AMP 6.1
Table 2
Getting Access to the POD
1. Your access details are available in two ways:
a.) Check the URL and port number in the email from [email protected]
Figure 4
b.) Alternatively, log in to your account; under 'My Account' > 'Rack Access' you will see the details.
Figure 5
2. Log in with the credentials provided.
Figure 6
3. After logging in successfully, you will see a customised desktop from which you can access all the devices.
DEVICE ACCESS
This section details how to access the physical and virtual devices.
How to access the devices
Starting the lab environment: https://www.youtube.com/watch?v=rYMvbJci70E (Needs updating)
Guest Machine Reload
1. Once you have access to the guest desktop environment:
A.) Open the VMware vSphere Client and log in with the details in the table below:

Rack                  Rack-1            Rack-2
IP address/hostname   192.168.130.39    192.168.130.37
Username              ccisesec          ccisesec
Password              Ccie123!          Ccie123!
Table 3
Figure 7
2. Reload the guest virtual machines in the table below using the VMware vSphere Client before you start your lab.

Windows machines
Wireless-PC
MS-AD
MAB-CLIENT
DOT1X-PC
Table 4

The steps below explain how to reload a virtual machine:
Step 1: After logging in to the ESXi host, select the guest machine.
Figure 8
Step 2: Right-click the guest machine, choose Power and select Power Off.
Figure 9
Step 3: Wait for the VM to power off, then right-click the guest machine, choose Power and select Power On.
Figure 10
Retrieve Snapshots
1. Revert the guest virtual machines in the table below to their snapshot using the VMware vSphere Client before you start your lab.

Virtual Machines
NGIPS
FMC
AMP
Table 5

Step 1: Right-click the machine > Snapshot > Snapshot Manager.
Figure 11
Step 2: In Snapshot Manager, select the BASE-CONF snapshot and click Go to.
Figure 12
Setup WLC and WSA for Lab
Simply restart both the WLC and the WSA to reset their configuration.
Step 1: Right-click the machine > Power > Power Off.
Step 2: Right-click the machine > Power > Power On.
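The three pre-lab steps above (reloading the Windows guests, reverting NGIPS, FMC and AMP to BASE-CONF, and restarting the WLC and WSA) are the kind of routine worth scripting so that every lab starts from the same state. The following is an added example, not Cloudmylab's code and not part of the original guide. It takes the host addresses and credentials from Table 3 and the VM names from Tables 2, 4 and 5, and assumes that the VM inventory names in vSphere match those device names; apply_plan() needs the pyvmomi package and a connection to the rack, while find_snapshot() and build_plan() run offline against a constructed snapshot tree.

```python
"""Pre-lab reset of the vSphere guests without clicking through the vSphere
Client: power-cycle the Windows machines and the WLC and WSA, and revert NGIPS,
FMC and AMP to the BASE-CONF snapshot.

Added example, not Cloudmylab's code.  Hosts and credentials are from Table 3,
VM names from Tables 2, 4 and 5 (assumed to match the vSphere inventory names).
pyvmomi is imported only inside apply_plan(), so the offline helpers run
without it.  The ESXi self-signed certificate is accepted unverified, which is
tolerable only on the isolated lab network."""
import ssl
from types import SimpleNamespace

VSPHERE_HOST = {"Rack-1": "192.168.130.39", "Rack-2": "192.168.130.37"}   # Table 3
VSPHERE_CREDENTIALS = ("ccisesec", "Ccie123!")                              # Table 3
POWER_CYCLE = ["Wireless-PC", "MS-AD", "MAB-CLIENT", "DOT1X-PC",            # Table 4
               "vWLC", "WSA"]                            # a restart resets their config
REVERT_TO_SNAPSHOT = {"NGIPS": "BASE-CONF", "FMC": "BASE-CONF", "AMP": "BASE-CONF"}


def find_snapshot(nodes, name):
    """Depth-first search of a snapshot tree (nodes carry .name and
    .childSnapshotList like vim.vm.SnapshotTree).  Snapshots nest, so scanning
    only the root list would miss a BASE-CONF taken below another snapshot."""
    for node in nodes:
        if node.name == name:
            return node
        hit = find_snapshot(node.childSnapshotList, name)
        if hit is not None:
            return hit
    return None


def build_plan(power_cycle=POWER_CYCLE, revert=REVERT_TO_SNAPSHOT):
    """Ordered (action, vm_name, snapshot_or_None) steps for one rack."""
    return ([("power_cycle", vm, None) for vm in power_cycle]
            + [("revert", vm, snap) for vm, snap in revert.items()])


def apply_plan(rack, plan=None, credentials=VSPHERE_CREDENTIALS):
    """Connect to the rack's ESXi host and carry out the plan."""
    from pyVim.connect import SmartConnect, Disconnect      # pyvmomi
    from pyVim.task import WaitForTask
    from pyVmomi import vim

    plan = build_plan() if plan is None else plan
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # lab-only
    si = SmartConnect(host=VSPHERE_HOST[rack], user=credentials[0],
                      pwd=credentials[1], sslContext=ctx)
    try:
        content = si.RetrieveContent()
        view = content.viewManager.CreateContainerView(
            content.rootFolder, [vim.VirtualMachine], True)
        vms = {vm.name: vm for vm in view.view}
        view.Destroy()
        on = vim.VirtualMachinePowerState.poweredOn
        for action, name, snapshot in plan:
            vm = vms[name]
            if action == "power_cycle":
                if vm.runtime.powerState == on:
                    WaitForTask(vm.PowerOffVM_Task())
            else:
                roots = vm.snapshot.rootSnapshotList if vm.snapshot else []
                node = find_snapshot(roots, snapshot)
                if node is None:
                    raise LookupError(f"{name}: no snapshot named {snapshot!r}")
                WaitForTask(node.snapshot.RevertToSnapshot_Task())
            # A revert restores the power state the snapshot was taken in,
            # so power on only if the VM is not already running.
            if vm.runtime.powerState != on:
                WaitForTask(vm.PowerOnVM_Task())
    finally:
        Disconnect(si)


def sample_snapshot_tree():
    """Constructed stand-in for vm.snapshot.rootSnapshotList, with BASE-CONF
    nested under an older snapshot, so find_snapshot() can be tried offline."""
    def node(name, children=()):
        return SimpleNamespace(name=name, snapshot=f"<{name}>",
                               childSnapshotList=list(children))
    return [node("INSTALL", [node("BASE-CONF", [node("LAB-WORK")])]),
            node("SCRATCH")]


if __name__ == "__main__":
    for step in build_plan():
        print(step)
    print(find_snapshot(sample_snapshot_tree(), "BASE-CONF").snapshot)
```

Disabling certificate verification is what makes the script work against the rack's self-signed ESXi certificate, and it is also what would let an on-path attacker harvest the ccisesec credentials; keep that pattern on the isolated lab network and never reuse it against a production vCenter.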
Setup ISE for Lab
This section describes how to set up ISE for lab use. Please follow the steps carefully.
1. Go to Administration > Backup & Restore.
2. In the 'History for Repository' drop-down, select the FTP repository.
3. Select the backup for the lab you want to restore. When prompted for the encryption key, enter ISEisC00L and tick 'Restore ADE-OS configuration'.
Figure 13
Note: After the restore you will have to join ISE to AD again and regenerate the CA certificates.
Setting up Routers and ASAs for the lab
Step 1: Open SecureCRT and close any tabs that are already open.
Step 2: Under the Erase folder, double-click the device that you want to reset.
Accessing the Devices console
A.) Device Access: all the devices are pre-configured for console access; follow the screenshots for quick access.
Device List
The table below lists the devices and their console access details. The terminal server is the host that terminates the console connections; do not confuse its address with the device's own IP. Note that on Rack-2 the physical devices and the terminal server itself are reached via 192.168.190.156, while the virtual devices are reached via 192.168.130.37.

                  Rack-1                       Rack-2
Device Name       Port No   Terminal IP        Port No   Terminal IP
R1                1501      192.168.130.39     1501      192.168.130.37
R2                1502      192.168.130.39     1502      192.168.130.37
R3                1503      192.168.130.39     1503      192.168.130.37
R4                1504      192.168.130.39     1504      192.168.130.37
R5                1505      192.168.130.39     1505      192.168.130.37
R6                1506      192.168.130.39     1506      192.168.130.37
R7                1507      192.168.130.39     1507      192.168.130.37
R8                1508      192.168.130.39     1508      192.168.130.37
R9                1509      192.168.130.39     1509      192.168.130.37
R10               1510      192.168.130.39     1510      192.168.130.37
R11               1511      192.168.130.39     1511      192.168.130.37
R12               1512      192.168.130.39     1512      192.168.130.37
R13               1513      192.168.130.39     1513      192.168.130.37
R14               1514      192.168.130.39     1514      192.168.130.37
R15               1515      192.168.130.39     1515      192.168.130.37
R16               1516      192.168.130.39     1516      192.168.130.37
R17               1517      192.168.130.39     1517      192.168.130.37
R18               1518      192.168.130.39     1518      192.168.130.37
SW1               2079      192.168.130.39     2079      192.168.190.156
SW2               2078      192.168.130.39     2078      192.168.190.156
ASA1              2074      192.168.130.39     2074      192.168.190.156
ASA2              2075      192.168.130.39     2075      192.168.190.156
ASA3              2076      192.168.130.39     2076      192.168.190.156
ASA4              2077      192.168.130.39     2077      192.168.190.156
AP1               2080      192.168.130.39     2080      192.168.190.156
Terminal Server   23        192.168.130.39     23        192.168.190.156
ASAv1             1539      192.168.130.39     1539      192.168.130.37
ASAv11            1540      192.168.130.39     1540      192.168.130.37
ASAv2             1538      192.168.130.39     1538      192.168.130.37
ASAv22            1537      192.168.130.39     1537      192.168.130.37
ISE               1534      192.168.130.39     1534      192.168.130.37
vWLC              1522      192.168.130.39     1522      192.168.130.37
WSA               1533      192.168.130.39     1533      192.168.130.37
NGIPS             1520      192.168.130.39     1520      192.168.130.37
FMC               1519      192.168.130.39     1519      192.168.130.37
AMP               1536      192.168.130.39     1536      192.168.130.37
Table 6
Devices CLI Credentials
The table below contains the credentials for CLI access to the devices listed:

Device Name       Username        Password
R1                cisco           cisco
R2                cisco           cisco
R3                cisco           cisco
R4                cisco           cisco
R5                cisco           cisco
R6                cisco           cisco
R7                cisco           cisco
R8                cisco           cisco
R9                cisco           cisco
R10               cisco           cisco
R11               cisco           cisco
R12               cisco           cisco
R13               cisco           cisco
R14               cisco           cisco
R15               cisco           cisco
R16               cisco           cisco
R17               cisco           cisco
R18               cisco           cisco
SW1               cisco           cisco
SW2               cisco           cisco
ASA1              cisco           cisco
ASA2              cisco           cisco
ASA3              cisco           cisco
ASA4              cisco           cisco
AP1               Cisco           Cisco
Terminal Server   cisco           cisco
ASAv1             cisco           cisco
ASAv11            cisco           cisco
ASAv2             cisco           cisco
ASAv22            cisco           cisco
ISE               admin           Ccie123
vWLC              admin           Ccie123
WSA               admin           ironport
NGIPS             admin           Ccie123
FMC               admin           Ccie123
AMP               admin           Ccie123
CUCM              administrator   cciecollab
Table 7
Quick Device access
This section details how to access the devices via the CLI:
1. Click on SecureCRT.
Figure 14
Virtual Device Access
Virtual devices can be accessed using two methods:
1. Using the SecureCRT CLI. It is strongly recommended to use the terminal emulator to access all the virtual routers and firewalls.
2. Using the vSphere Console
Example Method 1 for Virtual Devices with CLI access
Open SecureCRT >> Click on the Plus Sign against Virtual Device >> Select the relevant device
Figure 15
Example Method 2 for Virtual Devices with CLI Access
Open the VMware vSphere Client >> right-click the relevant machine >> click Open Console
Figure 16
Accessing Windows Based machines
There are four Windows based machines:

Machine             Rack-1 MGMT IP   Rack-2 MGMT IP   Username   Password
Wireless-PC         150.1.7.204      150.1.7.204      admin      Ccie123
Windows Server AD   150.1.7.200      150.1.7.200      admin      Ccie123
Dot1x PC            150.1.7.202      150.1.7.202      admin      Ccie123
MAB-PC              150.1.7.203      150.1.7.203      admin      Ccie123
Table 8
Example Method 1 for windows based Device:
Click the Remote Desktop shortcut on the desktop; there are four shortcuts, each named after its machine.
Enter the username and password when prompted.
Figure 17
Example Method 2 for windows based Device
Open the VMware vSphere Client >> right-click the relevant machine >> click Open Console
Figure 18
LAB Devices IP Details
This section details the management IP addresses assigned to the virtual machines in the table below.
Please refer to the topology as well.
IP Address Device Name
150.1.7.200 AD
150.1.7.201 Candidate PC
150.1.7.204 Wireless PC
150.1.7.206 NGIPS
150.1.7.211 FMC
150.1.7.212 ISE
150.1.7.213 WSA
150.1.7.214 vWLC
150.1.7.215 CUCM
150.1.7.216 AMP
150.1.7.217 AMP
Table 9
Physical Connectivity
This section explains the physical connectivity.
FIREWALLS
PHYSICAL FIREWALL CONNECTIONS
From interface To interface
ASA3 Management0/0 SW2 GigabitEthernet0/3
ASA3 GigabitEthernet0/1 SW2 GigabitEthernet0/1
ASA3 GigabitEthernet0/0 SW2 GigabitEthernet0/2
ASA4 Management0/0 SW2 GigabitEthernet0/6
ASA4 GigabitEthernet0/1 SW2 GigabitEthernet0/4
ASA4 GigabitEthernet0/0 SW2 GigabitEthernet0/5
ASA1 GigabitEthernet0/0 SW1 GigabitEthernet 1/0/1
ASA1 GigabitEthernet0/1 SW1 GigabitEthernet 1/0/2
ASA1 GigabitEthernet0/2 SW1 GigabitEthernet 1/0/3
ASA1 GigabitEthernet0/3 SW1 GigabitEthernet 1/0/4
ASA2 GigabitEthernet0/0 SW1 GigabitEthernet 1/0/5
ASA2 GigabitEthernet0/1 SW1 GigabitEthernet 1/0/6
ASA2 GigabitEthernet0/2 SW1 GigabitEthernet 1/0/7
ASA2 GigabitEthernet0/3 SW1 GigabitEthernet 1/0/8
Table 10
Switches
PHYSICAL SWITCHES
From interface               To interface
SW1 GigabitEthernet1/0/12    ESX Server 0
SW1 GigabitEthernet1/0/10    SW2 GigabitEthernet0/10
SW2 GigabitEthernet0/7       AP G0
SW2 GigabitEthernet0/9       IP PHONE GigabitEthernet0
Table 11
IP And VLAN MAP
R1
INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE
GigabitEthernet1 4002 10.1.11.10 ASA1_V GigabitEthernet0/1
GigabitEthernet2 4003 10.1.22.10 ASA2_V GigabitEthernet0/1
GigabitEthernet3 150 150.1.7.231 VSWITCH-MGMT NA
GigabitEthernet4 11 10.1.12.1 NGIPS GigabitEthernet0/1
R2
INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE
GigabitEthernet1 150 150.1.7.232 VSWITCH-MGMT NA
GigabitEthernet2 11 10.1.12.2 NGIPS GigabitEthernet0/0
GigabitEthernet3 12 10.1.23.2 R3 GigabitEthernet2
R3
INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE
GigabitEthernet1 150 NA VSWITCH-MGMT NA
GigabitEthernet2 12 10.1.23.3 R2 GigabitEthernet3
GigabitEthernet3 20 10.1.20.3 SW1_V GigabitEthernet1/0/9
GigabitEthernet4 13 10.1.36.3 R6 GigabitEthernet4
GigabitEthernet5 14 10.1.33.3 R13 GigabitEthernet1
R4
INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE
GigabitEthernet1 150 NA VSWITCH-MGMT NA
GigabitEthernet2 TRUNK NA SW1_V GigabitEthernet0/1
GigabitEthernet3 TRUNK NA SW1_V GigabitEthernet0/1
GigabitEthernet3.100 100 10.1.45.4 R5 GigabitEthernet3.100
GigabitEthernet3.200 200 10.1.45.4 R5 GigabitEthernet3.200
GigabitEthernet3.20 20 10.1.20.4 R5 GigabitEthernet3.20
R5
INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE
GigabitEthernet1 150 NA VSWITCH-MGMT NA
GigabitEthernet2 TRUNK NA SW1_V GigabitEthernet0/1
GigabitEthernet3 TRUNK NA SW1_V GigabitEthernet0/1
GigabitEthernet3.100 100 10.1.45.5 R4 GigabitEthernet3.100
GigabitEthernet3.200 200 10.1.45.5 R4 GigabitEthernet3.200
GigabitEthernet3.20 20 10.1.20.5 R4 GigabitEthernet3.20
R6
INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE
GigabitEthernet1 150 NA VSWITCH-MGMT NA
GigabitEthernet2 TRUNK NA SW1_V GigabitEthernet0/1
GigabitEthernet3 TRUNK NA SW1_V GigabitEthernet0/1
GigabitEthernet3.1 2 10.100.2.6 ASA1 GigabitEthernet0/1
GigabitEthernet3.2 3 10.100.3.6 ASA2 GigabitEthernet0/2
GigabitEthernet4 13 10.1.36.6 R3 GigabitEthernet4
R7
INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE
GigabitEthernet1 4 10.100.4.7 VSWITCH-MGMT NA
R8
INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE
GigabitEthernet1 5 10.100.5.8 VSWITCH-MGMT NA
R9
INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE
GigabitEthernet1 150 NA VSWITCH-MGMT NA
GigabitEthernet2 TRUNK NA SW1_V GigabitEthernet0/1
GigabitEthernet3 TRUNK NA SW1_V GigabitEthernet0/1
GigabitEthernet3.1 6 10.100.6.9 ASA1
GigabitEthernet3.2 7 10.100.7.9 ASA2
GigabitEthernet4 15 20.1.3.9 R12 GigabitEthernet3
R10
INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE
GigabitEthernet1 150 NA VSWITCH-MGMT NA
GigabitEthernet2 150 NA VSWITCH-MGMT NA
GigabitEthernet3 16 20.1.4.10 R12 GigabitEthernet4
GigabitEthernet4 150 NA VSWITCH-MGMT NA
R11
INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE
GigabitEthernet1 150 NA VSWITCH-MGMT NA
GigabitEthernet2 150 NA VSWITCH-MGMT NA
GigabitEthernet3 17 20.1.5.11 R12 GigabitEthernet1
R12
INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE
GigabitEthernet1 17 20.1.5.12 R11 GigabitEthernet3
GigabitEthernet2 150
GigabitEthernet3 15 20.1.3.12 R9 GigabitEthernet4
GigabitEthernet4 16 20.1.4.12 R10 GigabitEthernet3
R13
INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE
GigabitEthernet1 14 10.1.33.13 R3 GigabitEthernet5
GigabitEthernet2 150 NA VSWITCH-MGMT NA
GigabitEthernet3 8 10.100.8.13 ASA4 GigabitEthernet0/1
GigabitEthernet4 150 NA VSWITCH-MGMT NA
R14
INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE
GigabitEthernet1 10 10.100.10.14 ASA4 GigabitEthernet0/1
GigabitEthernet2 150 NA VSWITCH-MGMT NA
GigabitEthernet3 150 NA VSWITCH-MGMT NA
R15
INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE
GigabitEthernet1 150 150.1.7.234 VSWITCH-MGMT NA
GigabitEthernet2 150 NA VSWITCH-MGMT NA
GigabitEthernet3 9 10.100.9.15 ASA4 GigabitEthernet0/1
GigabitEthernet4 18 20.1.6.15 R18 GigabitEthernet3
R16
INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE
GigabitEthernet1 150 150.1.7.235 VSWITCH-MGMT NA
GigabitEthernet2 150 NA VSWITCH-MGMT NA
GigabitEthernet3 19 20.1.7.16 R18 GigabitEthernet4
R17
INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE
GigabitEthernet1 150 150.1.7.236 VSWITCH-MGMT NA
GigabitEthernet2 150 NA VSWITCH-MGMT NA
GigabitEthernet3 21 20.1.8.17 R18 GigabitEthernet1
R18
INTERFACE VLAN Prefix/IP CONNECTED TO DEVICE INTERFACE
GigabitEthernet1 21 20.1.8.18 R17 GigabitEthernet1
GigabitEthernet2 150 NA VSWITCH-MGMT NA
GigabitEthernet3 18 20.1.6.18 R15 GigabitEthernet4
GigabitEthernet4 19 20.1.7.18 R16 GigabitEthernet3
Table 12
Virtualization Logic
The diagram explains how the devices are connected virtually and physically. The ESX server is connected to the physical switch over a trunk, which is how all the virtual devices are logically connected to the switches.
Example:
Follow the red dotted line for the traffic flow. If a packet is sent from R13 to ASA4, this is how it reaches the ASA:
1. The vSwitch adds an 802.1Q tag (VLAN 1008 in the diagram; the IP and VLAN map lists the R13 to ASA4 link as VLAN 8) and forwards the frame over the trunk to SW1.
2. SW1 looks up the destination MAC address in its MAC address table for that VLAN and forwards the frame over the trunk to SW2. The switches forward on MAC addresses, not on ARP; ARP is what R13 uses beforehand to learn the ASA's MAC address. A destination that is not yet in the table is flooded within the VLAN.
3. SW2 does the same lookup and forwards the frame out of the port connected to the firewall. The IP and VLAN map puts VLANs 8, 9 and 10 on ASA4 GigabitEthernet0/1, so that link is a trunk and the tag is kept.
4. The firewall then allows or drops the packet according to its rules.
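The walk above, as an added example that is not part of the original guide or Cloudmylab's own material, simulated with real 802.1Q framing and MAC learning so that what each hop does with the tag is visible. Port names come from Tables 10 and 11 and the VLAN ID is 8, as the R13 row of the IP and VLAN map gives for the R13 to ASA4 link (the paragraph above says 1008). The MAC addresses and the ASA4 subinterface name GigabitEthernet0/1.<vlan> are assumptions made for the illustration.

```python
"""Frame walk for the R13 -> ASA4 example: the vSwitch tags the frame, SW1
learns the source MAC in that VLAN and forwards on its trunk, SW2 does the
same, and the tag is only stripped on an access port.

Added example, not Cloudmylab's code.  Port names are from Tables 10 and 11;
the VLAN is 8 as in the R13 row of the IP and VLAN map.  That map puts VLANs
8, 9 and 10 on ASA4 GigabitEthernet0/1, so the SW2 to ASA4 link is modelled
as a trunk; the subinterface name GigabitEthernet0/1.<vlan> is an assumption
and the MAC addresses are constructed."""
import struct

ETHERTYPE_8021Q, ETHERTYPE_IPV4 = 0x8100, 0x0800
R13_MAC, ASA4_MAC = "02:00:00:00:00:13", "02:00:00:00:00:a4"   # constructed
R13_ASA4_VLAN = 8


def _mac(s):
    return bytes(int(x, 16) for x in s.split(":"))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst, src, payload, vlan=None):
    """Ethernet II frame; an 802.1Q tag (PCP 0, DEI 0) is inserted if vlan is set."""
    hdr = _mac(dst) + _mac(src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_or_None, ethertype, payload)."""
    dst, src = _mac_str(frame[0:6]), _mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, off = None, 14
    if ethertype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        vlan = tci & 0x0FFF
        (ethertype,) = struct.unpack("!H", frame[16:18])
        off = 18
    return dst, src, vlan, ethertype, frame[off:]


class Switch:
    """Learning switch.  The MAC table is keyed by (vlan, mac), as on IOS;
    ports maps a port name to ("trunk", None) or ("access", vlan_id)."""

    def __init__(self, name, ports):
        self.name, self.ports, self.mac_table = name, ports, {}

    def receive(self, in_port, frame):
        """Return [(egress_port, frame_as_sent)] for a frame arriving on in_port."""
        dst, src, tag, _, payload = parse_frame(frame)
        mode, access_vid = self.ports[in_port]
        vid = access_vid if mode == "access" else tag
        self.mac_table[(vid, src)] = in_port          # learn the source in its VLAN
        known = self.mac_table.get((vid, dst))
        if known is not None:
            egress = [known]
        else:                                         # unknown unicast: flood the VLAN
            egress = [p for p, (m, v) in self.ports.items()
                      if p != in_port and (m == "trunk" or v == vid)]
        # Trunk ports carry the tag; access ports send the frame untagged.
        return [(p, build_frame(dst, src, payload, vid if self.ports[p][0] == "trunk" else None))
                for p in egress]


def walk_r13_to_asa4(payload=b"\x45" + b"\x00" * 19):
    """Return (hops, sw1.mac_table, sw2.mac_table); hops is [(device, port, vlan)]."""
    sw1 = Switch("SW1", {"Gi1/0/12": ("trunk", None),          # ESX server uplink (Table 11)
                         "Gi1/0/10": ("trunk", None)})          # trunk to SW2 Gi0/10
    sw2 = Switch("SW2", {"Gi0/10": ("trunk", None),
                         "Gi0/4": ("trunk", None)})             # ASA4 Gi0/1 (Table 10)
    # 1. The vSwitch port group tags the frame leaving R13 GigabitEthernet3.
    frame = build_frame(ASA4_MAC, R13_MAC, payload, vlan=R13_ASA4_VLAN)
    hops = [("vSwitch", "R13 Gi3", R13_ASA4_VLAN)]
    # 2. SW1 learns R13's MAC on the ESX uplink and forwards on the trunk to SW2.
    for port1, frame1 in sw1.receive("Gi1/0/12", frame):
        hops.append((sw1.name, port1, parse_frame(frame1)[2]))
        # 3. SW2 learns on its trunk and forwards towards ASA4 with the tag kept.
        for port2, frame2 in sw2.receive("Gi0/10", frame1):
            vlan = parse_frame(frame2)[2]
            hops.append((sw2.name, port2, vlan))
            # 4. ASA4 demultiplexes on the tag; its rules then allow or drop the packet.
            hops.append(("ASA4", f"GigabitEthernet0/1.{vlan}", vlan))
    return hops, sw1.mac_table, sw2.mac_table


if __name__ == "__main__":
    for hop in walk_r13_to_asa4()[0]:
        print(hop)
```

Running it prints one line per hop. The learned (vlan, mac) entries are why the reply from ASA4 back to R13 is switched rather than flooded, and why the IOS show mac address-table output is keyed by VLAN: the same MAC seen on two VLANs is two separate entries.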
Lab Shortcuts
1. Starting a lab with a specific configuration:
Open the physical device console, log in and enter privileged EXEC mode (enable), confirm that base-config is present on flash, then copy it over the startup configuration and reload:

    dir flash:
    copy flash:base-config startup-config
    reload

If the reload asks "System configuration has been modified. Save? [yes/no]", answer no: saving would overwrite the startup configuration you have just copied with the current running configuration.
Check out the video: https://www.youtube.com/watch?v=I72ExquNIFA
2. Clearing a console line to get access: under SecureCRT, click the plus sign against Clear line and select the relevant device to clear.
3. Reloading the devices: all the devices are connected to a managed power PDU and you can use the shortcut to boot the devices.
To get support open a ticket on Support Page or send an email to [email protected].
Please check the documentation and FAQs beforehand.
-------------------------------------------------------END OF Document-------------------------------------------------------