CCIE Security v6.0 Real Labs Design Module Ver S1.1 Scenario 1 - Packetpiper Systems
1:30-JULY 2022
1. We highly discourage sharing of the workbook; hence the workbooks are mapped to the laptop/desktop MAC address. If one tries to open the workbook on a desktop or laptop other than the one with the registered MAC address, the account will get locked and we will not unlock it for any reason.
2. The workbook does not have print access; kindly do not request that print access be enabled. However, you will have perpetual access to the workbook which you have purchased.
3. One will be provided with free updates up to 120 days from the date of purchase; after that, one needs to renew his/her account to access the latest update. However, one will continue to have access to their existing workbooks. If you pass the lab within 120 days, you are not eligible for further updates.
4. If one wishes to renew their subscription/account, one needs to renew within 120 days or before the account expires. After 120 days one can renew their account; however, the renewal will be considered as a new purchase. Hence we encourage one to renew within 120 days of the purchase.
5. The renewal cost is 999 USD if one pays within 120 days; if one fails to renew, then the cost will be equivalent to a new purchase. (The renewal price can be changed at any time, without informing the client.)
6. Every workbook is uniquely identified for each user with hidden words. If one shares his/her
workbooks with others, and if the system detects the share, the account will be banned and we will not
8. We do require CISCO ID and Official email id for security purposes. We do not sell without these
details. We do background verification of the details provided, so request to give us the correct CISCO
9. The workbooks are in secured pdc format and delivered via email within 24 hours after payment is
received.
10. License is provided for only one Device. And we don’t give license again if the device crashes or
company security policies. Please install license on the device cautiously as the license will not be
provided again.
www.passsecuritylabs.com 2 www.cciesecuritylabs.com
www.passsecuritylabs.com Demo Release v1.1 S1.1:30-JULY 2022
11. We do support devices running Windows OS, Mac OS, Android and Mac iOS only
12. We do not provide Refund in any circumstances once the product is sold.
13. This policy is in effect from 23 November 2016 and in immediate effect for new clients and new
renewals. Old clients will continue with the old Policies until the accounts get expired.
14. If there is any update, one will receive the update automatically on their registered email id.
15. Design Module will be given only 3 days before the CCIE exam
16. For any future update you can check our 'updates' page.
17. Labs are always published in phases. For e.g. if there is a new lab we publish it as First, Second,
Third ... till Final release.
18. Client who have purchased our workbooks and services and wishes to attempt the lab, need to
consult our experts before their CCIE Lab.
1. In this module, you will be creating, analyzing, validating and optimizing a low-level network
design. All relevant resources needed to successfully complete this module are provided within
this module.
2. The menu bar on the main screen can be used to navigate to:
a) Exam content. Here you will find the exam questions. This module is scenario-based and
start of the module. Additional resources are provided as you progress. Resources are
cumulative and remain available throughout the remainder of the module. It is recommended
here.
d) Help. Here you will find more information about the exam environment and functionalities.
e) End Exam Section. Clicking this button will end this exam section
3. Backward navigation in this module is disabled; once you proceed to the next question, you will
4. Question point values will not be visible in this module. More complex items may have partial
scoring opportunities
5. Item level feedback can be provided at question level. Feedback will be processed, but Cisco will
not reach out to you to discuss any feedback provided. Any time spent on providing feedback will
not be compensated.
6. Access to selected Cisco online documentation is available from your desktop. Access to select
3rd party product documentation (such as python) is available from the resources window under
Documents
Introduction
The CTO of the PacketPiper System is asking for a remote access VPN solution that must be able to
secure business traffic flows and provide asset compliance through which remote traffic will be
originated. The design must be able to secure traffic flows from Sales and Finance employees when
they remotely access organization web services at TCP port 8080 in Data Center 4 and Data Center 5
respectively. The web servers of the Sales and Finance organizations are hosted in newly developed
data centers at company's HQ. The remote connection will be established by the Sales and Finance
You have been hired as a Cisco consulting engineer by the customer to assist in the design,
Network Information
Two branch offices are connected to company's HQ in Richardson.
The SJ branch office is connected to the HQ using L2VPN across the internet. Branch office users utilize
services that are hosted in Data Center 3 at the HQ. Traffic that originated from the branch office and is
destined to Data Centre 3 is subject to access policies when it moves through the HQ campus. An
access switch in the branch office is responsible for on-boarding the clients.
The RTP branch office is connected to the HQ using site-to-site VPN across the leased line with Cisco
Firepower Threat Defense at the tunnel tail and head ends. Branch office users utilize services that are
hosted in Data Center 2 at the HQ.
Marketing and Engineering remote users use clientless VPNs to establish secure connections to the HQ.
The internet edge then connects to collapsed core-distribution layer that has ASAs configured for high
throughput. Marketing users utilize services that are hosted in Data Center 1 and Engineering users
The access layer at HQ provides client on-boarding for the contractors using MAB and the TAC
engineers using 802.1X. Contractors utilize services that are hosted in Data Center 3 and TAC engineers
utilize services that are hosted in Data Center 2 at the HQ. Traffic that originates from the contractors
and TAC engineers and is destined to their respective data centers is subject to access policies when it
moves through the HQ campus. Zone-Based Policy Firewall is deployed in Data Center 2 to inspect
traffic originated from TAC engineers.
The management domain hosts the company's security appliances, such as Cisco Identity Services
Engine (ISE), Cisco Web Security Appliance (WSA), Cisco Email Security Appliance (ESA), Cisco
Firepower Management Center (FMC), Cisco Next-Generation Intrusion Prevention System (NGIPS),
Cisco FireAMP Cloud, Cisco Digital Network Architecture Center (DNA Center), and Cisco Stealthwatch
Management Console (SMC). The management domain also hosts the company's Active Directory.
Cisco ISE provides user identity services and is responsible for segmentation using Cisco TrustSec. ISE
also enables RTC using Adaptive Network Control (ANC) with Cisco FMC and Stealthwatch that use
Cisco FMC provides the management console for FTDs and NGIPS. Cisco FMC also monitors Indicators of
Compromise (IOCs) of on-boarded clients via its communication with Cisco FireAMP Cloud. Cisco FMC
retrieves SGT information from ISE using pxGrid to implement access policies, and it also probes user
presence in the company's Active Directory for passive authentication of on-boarded clients. Cisco
Web Security Appliance is responsible for web security services and user authentication using the
company's Active Directory. Cisco Email Security Appliance provides email security services.
EIGRP and OSPF are deployed as authenticated routing protocols across different architecture layers
Question 1
Welcome to Packet Piper. Press next to start
Network Topology
Hi John,
Thanks for the recommendations. They seem like a good starting point and will definitely serve well to
scope the future conversations. I will look for the meeting invite.
Regards,
-M
Hi Mario,
Based on the business requirements to protect the traffic flows, my recommendations are as follows
for the remote access VPN solution:
• Any changes to the reachability of the servers must be dynamically learned and authenticated.
That said, we need a static routing mechanism at the traffic tunnel terminal point.
• Network devices that are part of the design must use existing management domain for ODB
access.
• Network devices that are part of the design must be synchronized with existing network NTP
source.
• DNS protection must be incorporated in the design.
• Traffic flow monitoring must be incorporated in the design for threat detection.
• Threat mitigation must be incorporated in the design as part of rapid threat containment.
Take a look at it and let me know if you have any questions or concerns. I will set up a kickoff meeting
with your operations team to formally start the project.
Thanks!
John Kimberly
Security Solutions Team
Question 2 (New)
Which four statements correctly represent Sales and Finance Organization traffic flows?
(Choose four)
The Sales and Finance web service port is at UDP 8080
DC4 is hosting Sales web services and DC5 is hosting Finance web services
DC5 is hosting Sales web services and DC4 is hosting Finance web services
Sales and Finance traffic requires only confidentiality
Sales traffic is destined for DC4 and Finance traffic is destined for DC5
Sales traffic is destined for DC5 and Finance traffic is destined for DC4
Answer: B, D, G, I
Question 3 (New)
Which architecture represents the correct flow for the design?
o Architecture 2
o Architecture 3
o Architecture 4
Answer: A