
www.passsecuritylabs.com Demo Release v1.1 S1.1:30-JULY 2022

CCIE Security v6.0 Real Labs


Design Module Ver S1.1
Scenario 1 – Packetpiper Systems
www.passsecuritylabs.com 1 www.cciesecuritylabs.com

Lab Workbook Policy

1. We highly discourage sharing of the workbook; hence the workbooks are mapped to the laptop/desktop MAC address. If one tries to open the workbook on a desktop or laptop other than the registered MAC address, the account will be locked and we will not unlock it for any reason.

2. The workbook does not have print access; kindly do not request that print access be enabled. However, you will have perpetual access to the workbook which you have purchased.

3. One will be provided with free updates up to 120 days from the date of purchase; after that one needs to renew his/her account to access the latest update. However, one will continue to have access to their existing workbooks. If you pass the lab within 120 days, you are not eligible for further updates.

4. If one wishes to renew their subscription/account, one needs to renew within 120 days or before the account expires. After 120 days one can renew their account; however, the renewal will be considered as a new purchase. Hence we encourage one to renew within 120 days of the purchase.

5. The renewal cost is 999 USD if one pays within 120 days; if one fails to renew then the cost will be equivalent to a new purchase. (The renewal price can be changed at any time, without informing the client.)

6. Every workbook is uniquely identified for each user with hidden words. If one shares his/her workbooks with others, and if the system detects the share, the account will be banned and we will not entertain any explanation of any sort.

7. For any queries regarding Questions/Solutions, you can contact us by email at support@chinesedumps.com or on Skype at chinesexams@gmail.com. Response time to any of the queries is 24 hours.

8. We require a Cisco ID and official email ID for security purposes. We do not sell without these details. We do background verification of the details provided, so we request that you give us the correct Cisco ID and official email ID.

9. The workbooks are in secured pdc format and delivered via email within 24 hours after payment is
received.

10. The license is provided for only one device, and we do not issue the license again if the device crashes or due to company security policies. Please install the license on the device cautiously, as the license will not be provided again.


11. We support devices running Windows, Mac OS, Android and iOS only.

12. We do not provide Refund in any circumstances once the product is sold.

13. This policy is in effect from 23 November 2016 and takes immediate effect for new clients and new renewals. Old clients will continue with the old policies until their accounts expire.

14. If there is any update, one will receive the update automatically on their registered email ID.

15. The Design Module will be given only 3 days before the CCIE exam.

16. For any future update you can check our 'updates' page.

17. Labs are always published in phases. For example, if there is a new lab we publish it as First, Second, Third ... till the Final release.

18. Clients who have purchased our workbooks and services and wish to attempt the lab need to consult our experts before their CCIE Lab.


CCIE Design Guidelines

Before starting, please read the below guidelines:

1. In this module, you will be creating, analyzing, validating and optimizing a low-level network design. All relevant resources needed to successfully complete this module are provided within this module.

2. The menu bar on the main screen can be used to navigate to:

a) Exam content. Here you will find the exam questions. This module is scenario-based and contains about 30 to 35 web-based items. No device access is provided.


b) Resources. Here you will find provided resources. An initial set of resources is provided at the start of the module. Additional resources are provided as you progress. Resources are cumulative and remain available throughout the remainder of the module. It is recommended to read all the provided resources prior to answering a question.


c) Guidelines. If you want to review these guidelines again during your exam, you can find them here.
d) Help. Here you will find more information about the exam environment and functionalities.
e) End Exam Section. Clicking this button will end this exam section.

3. Backward navigation in this module is disabled; once you proceed to the next question, you will not be able to return to the previous question.

4. Question point values will not be visible in this module. More complex items may have partial scoring opportunities.

5. Item-level feedback can be provided at question level. Feedback will be processed, but Cisco will not reach out to you to discuss any feedback provided. Any time spent on providing feedback will not be compensated.
6. Access to selected Cisco online documentation is available from your desktop. Access to select 3rd party product documentation (such as Python) is available from the resources window under the "External Documentation" category.


7. If you suspect an issue with your exam environment, contact the lab proctor as soon as possible.
8. You have 3 hours to complete this module. If you finish early, you may start with the next module
but any unused time will not be carried over to the next module.


Documents
Introduction
The CTO of PacketPiper Systems is asking for a remote access VPN solution that must be able to secure business traffic flows and provide asset compliance through which remote traffic will be originated. The design must be able to secure traffic flows from Sales and Finance employees when they remotely access organization web services at TCP port 8080 in Data Center 4 and Data Center 5 respectively. The web servers of the Sales and Finance organizations are hosted in newly developed data centers at the company's HQ. The remote connection will be established by the Sales and Finance employees using company-provided PCs.

You have been hired as a Cisco consulting engineer by the customer to assist in the design, implementation, and validation of the solution.


Network Information
Two branch offices are connected to the company's HQ in Richardson.

The SJ branch office is connected to the HQ using L2VPN across the internet. Branch office users utilize services that are hosted in Data Center 3 at the HQ. Traffic that originates from the branch office and is destined to Data Center 3 is subject to access policies when it moves through the HQ campus. An access switch in the branch office is responsible for on-boarding the clients.

The RTP branch office is connected to the HQ using a site-to-site VPN across the leased line with Cisco Firepower Threat Defense at the tunnel tail and head ends. Branch office users utilize services that are hosted in Data Center 2 at the HQ.

Marketing and Engineering remote users use clientless VPNs to establish secure connections to the HQ. The internet edge then connects to a collapsed core-distribution layer that has ASAs configured for high throughput. Marketing users utilize services that are hosted in Data Center 1 and Engineering users utilize services that are hosted in Data Center 2 at the HQ.

The access layer at HQ provides client on-boarding for the contractors using MAB and for the TAC engineers using 802.1X. Contractors utilize services that are hosted in Data Center 3 and TAC engineers utilize services that are hosted in Data Center 2 at the HQ. Traffic that originates from the contractors and TAC engineers and is destined to their respective data centers is subject to access policies when it moves through the HQ campus. A Zone-Based Policy Firewall is deployed in Data Center 2 for inspection of traffic originated from TAC engineers.

The management domain hosts the company's security appliances, such as Cisco Identity Services Engine (ISE), Cisco Web Security Appliance (WSA), Cisco Email Security Appliance (ESA), Cisco Firepower Management Center (FMC), Cisco Next-Generation Intrusion Prevention System (NGIPS), Cisco FireAMP Cloud, Cisco Digital Network Architecture Center (DNA Center), and Cisco Stealthwatch Management Console (SMC). The management domain also hosts the company's Active Directory, DNS server, syslog server and master NTP source.

Cisco ISE provides user identity services and is responsible for segmentation using Cisco TrustSec. ISE also enables rapid threat containment (RTC) using Adaptive Network Control (ANC) with Cisco FMC and Stealthwatch, which use pxGrid to communicate with ISE.

Cisco FMC provides the management console for FTDs and NGIPS. Cisco FMC also monitors indicators of compromise (IOCs) of on-boarded clients via its communication with Cisco FireAMP Cloud. Cisco FMC retrieves SGT information from ISE using pxGrid to implement access policies, and it also probes user presence in the company's Active Directory for passive authentication of on-boarded clients. Cisco Web Security Appliance is responsible for web security services and user authentication using the company's Active Directory. Cisco Email Security Appliance provides email security services.

EIGRP and OSPF are deployed as authenticated routing protocols across the different architecture layers of the network.


Question 1
Welcome to Packet Piper. Press next to start.

Refer to the new resource(s) available.

Network Topology

Email: Design Recommendation

From: Mario Gonzales [mailto:mgon@packetpiper.com]


Sent: Monday, July 1, 2017 9:30 AM
To: John Kimberly [mailto:jkim@cisco.com]
Subject: Re: Design Recommendation

Hi John,

Thanks for the recommendations. They seem like a good starting point and will definitely serve well to scope the future conversations. I will look for the meeting invite.

Regards,

-M

From: John Kimberly [mailto:jkim@cisco.com]
Sent: Monday, July 1, 2017 9:00 AM
To: Mario Gonzales [mailto:mgon@packetpiper.com]
Subject: Design Recommendation

Hi Mario,

Based on the business requirements to protect the traffic flows, my recommendations are as follows for the remote access VPN solution:

• Connections must be highly available.
• Any changes to the reachability of the servers must be dynamically learned and authenticated. That said, we need a static routing mechanism at the traffic tunnel terminal point.
• Remote connection must allow access only to specific network services.
• Traffic segmentation must be implemented for the traffic flows at HQ.
• Remote users must be authenticated by a centralized identity source.
• Access policies for remote users must be dynamic.
• Real addresses of web servers must be hidden from outside access.
• Network devices that are part of the design must use the existing management domain for ODB access.
• Network devices that are part of the design must be synchronized with the existing network NTP source.
• DNS protection must be incorporated in the design.
• Traffic flow monitoring must be incorporated in the design for threat detection.
• Threat mitigation must be incorporated in the design as part of rapid threat containment.


Take a look at it and let me know if you have any question or concerns. I will set up a kickoff meeting
with your operations team to formally start the project.

Thanks!
John Kimberly
Security Solutions Team

Question 2 (New)
Which four statements correctly represent Sales and Finance Organization traffic flows?
(Choose four.)
A. The Sales and Finance web service port is at UDP 8080
B. The Sales and Finance web service port is at TCP 80
C. DC4 is hosting Sales web services and DC5 is hosting Finance web services
D. DC5 is hosting Sales web services and DC4 is hosting Finance web services
E. Sales and Finance traffic requires only confidentiality
F. Sales and Finance traffic requires only integrity
G. Sales and Finance traffic requires confidentiality and integrity
H. Sales traffic is destined for DC4 and Finance traffic is destined for DC5
I. Sales traffic is destined for DC5 and Finance traffic is destined for DC4

Answer: B, D, G, I


Question 3 (New)
Which architecture represents the correct flow for the design?
o Architecture 2
o Architecture 3
o Architecture 4
Answer: A
Thank You for choosing www.passsecuritylabs.com Workbooks.

