LAB 7 Question Set
Nameif    Security   IP Address
Outside   0          17.17.4.10/24
Inside    100        7.7.2.10/24
Dmz       50         17.17.3.10/24
Static routes (the destination network column did not survive extraction; only zone and next hop remain):
ZONE      NEXT HOP
Outside   17.17.4.12   (six routes)
Inside    7.7.2.1      (two routes)
C1 Interfaces
Interface            Nameif    Security Level   Primary IP address   Standby IP address
GigabitEthernet0/0   Outside   0                17.17.5.10/24        17.17.5.11/24
GigabitEthernet0/2   Inside    100              17.17.4.12/24        17.17.4.11/24

Security contexts
Config-url   Interface
Admin.cfg    Management 0/0
C1.cfg       GigabitEthernet0/0, GigabitEthernet0/2
C2.cfg       GigabitEthernet0/1, GigabitEthernet0/3

Static routes
Network         Zone      Next Hop
4.4.4.4/32      Inside    17.17.4.10
5.5.5.5/32      Inside    17.17.4.10
7.7.16.6/32     Outside   17.17.5.2
17.17.12.0/24   Outside   17.17.5.6
17.17.13.0/24   Outside   17.17.5.6
17.17.14.0/24   Outside   17.17.5.2
17.17.8.0/24    Outside   17.17.5.6

C2 Interfaces
Interface            Name      Security Level   Active ip address   Standby ip address
GigabitEthernet0/1   Outside   0                17.17.6.10/24       17.17.6.11/24
GigabitEthernet0/3   Inside    100              17.17.3.12/24       17.17.3.11/24

ASA1_ASA2 interface for failover & stateful communication
Name    Interface            Active ip address   Standby ip address
Fover   GigabitEthernet0/4   17.17.12.100/24     17.17.12.101/24

Failover roles
ASAs   Role      Active   Standby
ASA1   Primary   C1       C2
ASA2   Standby   C2       C1

Outside address: 4.4.4.4, 5.5.5.5
DMZ address: 7.7.2.2
Nameif    IP address       Zone      Next hop
Outside   17.17.13.10/24   Outside   17.17.13.3
Backup    17.17.14.10/24   Outside   17.17.13.3
Inside    17.17.15.10/24   inside    17.17.15.6
Track the reachability of the 17.17.5.6/32 prefix every 5 seconds from the outside interface. If it is not
reachable, the ASA should install the routes to the 4.4.4.4/32 and 5.5.5.5/32 prefixes through the
backup interface.
If reachability of the 17.17.5.6/24 prefix is re-established, the ASA should fall back to the outside
interface for the 4.4.4.4/32 and 5.5.5.5/32 prefixes.
The tracking operation should wait 1000 ms to receive a response to the request packets.
Every reachability test should consist of 2 packets.
The reachability test should run forever and start as soon as it is configured.
Any service level agreement used for this task should be numbered 17.
Any track object used for this task should be numbered 71.
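The tracking and route configuration the task describes, written out in ASA syntax as an added example (this is not part of the question set or an official answer key). It assumes the interface names and next hops from the interface table above, and uses for the Backup routes the next hop that table lists for Backup.

```text
! Constructed example: IP SLA echo probe, track object and tracked static routes on the ASA
! SLA 17 sends 2 ICMP echoes to 17.17.5.6 out of the Outside interface every 5 s, waiting 1000 ms each
sla monitor 17
 type echo protocol ipIcmpEcho 17.17.5.6 interface Outside
 num-packets 2
 timeout 1000
 frequency 5
! Start immediately and never stop
sla monitor schedule 17 life forever start-time now
!
! Track object 71 follows the reachability state of SLA 17
track 71 rtr 17 reachability
!
! Primary routes via Outside (next hop 17.17.13.3 from the interface table);
! the ASA withdraws them while track 71 is down and reinstalls them when it comes back up
route Outside 4.4.4.4 255.255.255.255 17.17.13.3 1 track 71
route Outside 5.5.5.5 255.255.255.255 17.17.13.3 1 track 71
!
! Floating routes via Backup with a worse metric take over only while the tracked routes are absent;
! the next hop is the value the interface table lists for Backup (assumed here as given)
route Backup 4.4.4.4 255.255.255.255 17.17.13.3 254
route Backup 5.5.5.5 255.255.255.255 17.17.13.3 254
!
! Checks (assumed verification commands, not from the task text):
! show sla monitor configuration 17
! show track 71
! show route
```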
Value (parameter names missing from the page): IPS; 7.7.2.100/24; 7.7.2.1; Enabled; Enabled; 150.1.7.0/24, 7.7.2.0/24
Value (parameter names missing from the page): GigabitEthernet0/3; 1; 5,7
VSIV
Table:
Parameter                Value          Value
Signature ID             60001          60002
Alert Severity           High           Low
Signature Name           ICMP_Outside   ICMP_Backup
Destination IP Address   4.4.4.4        4.4.4.4
Source IP Address        17.17.13.10    17.17.14.10
Value (parameter names missing from the page): 7.7.2.101; 7.7.2.1; 8080; 8443; Enabled; wsa.ccie.com
Note: You may find the WSA preconfigured with incorrect parameters that you need to change as part of initialization.
Task:
Configure the WSA for transparent redirection using the information in this table.
Table:
Parameter           Values
WCCP router         7.7.2.1/24
Service password    Ccie
Service ID          91
HTTP service port   17000
Note:
SW1 should be allowed to accept WCCP client connections from the WSA at 7.7.2.101.
The redirection should happen only for sessions from the test PC to the HTTP server 7.7.2.2 on port 17000.
HTTP server 7.7.2.2 access credentials: username cisco, password ccie.
Value (parameter names missing from the page): cisco/Cisco0123; 7.7.2.102; 2; 7.7.2.1
Points: 5
SECTION IV System Hardening and Availability
4.1 Configure OSPFv2 Authentication
Task:
Secure the OSPF routing domain in the topology using the information in this table.
Table
Parameter             Value
OSPF Areas            0,2
Authentication Type   Message-Digest
Key ID                17
Authentication key    Ccie
Points: 4
The authentication rule should match the RADIUS attributes Service-Type and NAS-Port of the wired MAB
RADIUS request packet.
The authentication rule should check for the IP phone MAC address statically configured on ISE to allow
default network access.
The IP phone should be statically bound to the phone type 7965 policy.
An authorization rule should check that the IP phone MAC address belongs to the identity group Cisco-IP-Phone,
which is already created.
Authorization should also check the condition that the MAB request comes from the network device group
with device type Switch and location Inside. The condition should be named NDG_Conditions.
Upon successfully meeting the identity group condition mentioned above, the IP phone should be moved to the
voice domain and download the DACL Cisco-IP-Phone DACLA permitting all traffic.
The authorization result carrying the voice domain permission and the DACL should be named Cisco-IPPhone.
Notes:
Authentication and accounting messages should use ports 1812 and 1813 respectively.
The DHCP pool for voice is defined on and, upon successful MAB authentication and authorization, the IP
phone will register with CUCME on R6.
Points: 6
Notes:
Make sure the task does not break the GUI sessions to the IPS, WSA and WLC from the test PC.
Notes:
You may change the switchport configuration as required to implement the task.