39
Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008 CCIE Routing & Switching Lab Workbook Volume I Version 4.1 Copyright © 2007 Internetwork Expert www.InternetworkExpert.com - i - Copyright Information Copyright © 2003 - 2007 Internetwork Expert, Inc. All rights reserved. The following publication, CCIE Routing & Switching Lab Workbook Volume I, was developed by Internetwork Expert, Inc. All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means without the prior written permission of Internetwork Expert, Inc. Cisco®, Cisco® Systems, CCIE, and Cisco Certified Internetwork Expert, are registered trademarks of Cisco® Systems, Inc. and/or its affiliates in the U.S. and certain countries. All other products and company names are the trademarks, registered trademarks, and service marks of the respective owners. Throughout this manual, Internetwork Expert, Inc. has used its best efforts to distinguish proprietary trademarks from descriptive names by following the capitalization styles used by the manufacturer.

Cisco CCIE Security

Embed Size (px)

DESCRIPTION

Cisco CCIE Security

Citation preview

Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- i - Copyright Information Copyright 2003 - 2007 Internetwork Expert, Inc.All rights reserved. The following publication, CCIE Routing & Switching Lab Workbook Volume I, was developed by Internetwork Expert, Inc. All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means without the prior written permission of Internetwork Expert, Inc. Cisco, CiscoSystems, CCIE, and Cisco Certified Internetwork Expert, are registered trademarks of CiscoSystems, Inc. and/or its affiliates in the U.S. and certain countries.All other products and company names are the trademarks, registered trademarks, and service marks of the respective owners. Throughout this manual, Internetwork Expert, Inc. has used its best efforts to distinguish proprietary trademarks from descriptive names by following the capitalization styles used by the manufacturer. Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- ii - Disclaimer The following publication, CCIE Routing & Switching Lab Workbook Volume I, is designed to assist candidates in the preparation for Cisco Systems CCIE Routing & Switching Lab exam.While every effort has been made to ensure that all material is as complete and accurate as possible, the enclosed material is presented on an as is basis.Neither the authors nor Internetwork Expert, Inc. assume any liability or responsibility to any person or entity with respect to loss or damages incurred from the information contained in this workbook. This workbook was developed by Internetwork Expert, Inc. and is an original work of the aforementioned authors.Any similarities between material presented in this workbook and actual CCIETM lab material is completely coincidental. Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- iii - SECURITY ...........................................................................................................1 Traffic Filtering with Access Lists...................................................................2 Traffic Filtering with Reflexive Access-Lists...................................................6 Reflexive Access-Lists and Router-Generated Traffic...................................8 Configuring CBAC for Traffic Inspection......................................................11 Access Control with Dynamic ACLs (Lock & Key) .......................................13 Using NBAR to Filter Traffic.........................................................................16 Using Policy-Based Routing to Filter Traffic.................................................18 DoS Attacks Prevention with TCP Intercept.................................................20 Configuring TCP Intercept in Watch Mode ..................................................22 DoS Attacks Prevention with CBAC.............................................................24 Configuring Application Port-Mapping with CBAC .......................................27 Using CAR for Smurf Attack Mitigation........................................................29 IP Address Spoofing Prevention with ACLs.................................................31 Using uRPF to Prevent IP Address Spoofing ..............................................34 Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 1 - Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 2 - Traffic Filtering with Access Lists Objective: Configure access-lists to permit FTP and WWW connections to specific servers. Do not block the necessary traffic (routing, etc) Directions Configure routers as per the NAT scenario Configuring Static NAT The servers mentioned in the task have IP addresses 150.X.4.1 and 150.X.4.6 respectively (static NAT mappings) The task is to permit TCP connections to ports of FTP and WWW services. Either Passive or Active FTP should work In addition, no OSPF, BGP, Ping and Traceroutes should be prohibited either inbound or outbound Ping uses ICMP message types echo and echo-reply Tracroute (the UNIX variant, which IOS utilizes) uses by default UDP port range 33434 33464 to probe the network, and expects ICMP packets of type either Time-Exceeded or Port-Unreachable in response BGP uses port 179 to establish its connection and OSPF has IP protocol number 89 Active FTP uses TCP port 21 for inbound connections and port 20 to make outbound connections (server to client) Passive FTP client opens data connections inbound to ports in range 123 65535 (client to server) Create extended access-list FROM_OUTSIDE on R4 to permit all connections mentioned beforehand Add deny ip any any log at the end of access-list to log all denied packets Apply this access-list to both Serial and FR interfaces on ingress Final Configuration SW1: ip access-list extended FROM_OUTSIDE Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 3 - r emar k==r emar k== Pi ngs r emar k==permit icmp any any echo permit icmp any any echo-reply r emar k==r emar k== I nboundTr acer out e r emar k==permit udp any any range 33434 33464 r emar k==r emar k== Backscat t er I CMPmessagesf or out boundTr acer out e r emar k==permit icmp any any time-exceeded permit icmp any any port-unreachable r emar k==r emar k== BGPI nbound/ Out bound r emar k== permit tcp host 150.1.5.5 eq bgp host 150.1.4.4 permit tcp host 150.1.5.5 host 150.1.4.4 eq bgp r emar k==r emar k== OSPFpacket s r emar k==permit ospf any any r emar k==r emar k== Act i veFTP r emar k== permit tcp any host 150.1.4.1 range 20 21 permit tcp any host 150.1.4.6 range 20 21 r emar k==r emar k== Passi veFTPdat aconnect i ons r emar k== permit tcp any host 150.1.4.1 range 1023 65535 permit tcp any host 150.1.4.6 range 1023 65535 r emar k==r emar k== WWW r emar k==permit tcp any host 150.1.4.1 eq 80 permit tcp any host 150.1.4.6 eq 80 r emar k==r emar k== WWW r emar k== deny ip any any log i nt er f aceSer i al 0/ 1 i paccess- gr oupFROM_OUTSI DEi n !i nt er f aceSer i al 0/ 0. 1 i paccess- gr oupFROM_OUTSI DEi n Verification R4#show ip access-listsExt endedI Paccessl i st FROM_OUTSI DE 10per mi t i cmpanyanyecho 20per mi t i cmpanyanyecho- r epl y 30per mi t udpanyanyr ange3343433464 40per mi t i cmpanyanyt i me- exceeded 50per mi t i cmpanyanypor t - unr eachabl e 60per mi t t cphost 150. 1. 5. 5eqbgphost 150. 1. 4. 4( 42mat ches)70per mi t t cphost 150. 1. 5. 5host 150. 1. 4. 4eqbgp 80per mi t ospf anyany( 80mat ches)Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 4 - 90per mi t t cpanyhost 150. 1. 4. 1r angef t p- dat af t p 100per mi t t cpanyhost 150. 1. 4. 6r angef t p- dat af t p 110per mi t t cpanyhost 150. 1. 4. 1r ange102365535 120per mi t t cpanyhost 150. 1. 4. 6r ange102365535 130per mi t t cpanyhost 150. 1. 4. 1eqwww140per mi t t cpanyhost 150. 1. 4. 6eqwww150denyi panyanyl og R5#ping 150.1.4.1 Typeescapesequencet oabor t .Sendi ng5, 100- byt eI CMPEchost o150. 1. 4. 1, t i meout i s2seconds:. ! ! ! !Successr at ei s80per cent ( 4/ 5) , r ound- t r i pmi n/ avg/ max= 28/ 31/ 32ms R5#ping 150.1.4.6 Typeescapesequencet oabor t .Sendi ng5, 100- byt eI CMPEchost o150. 1. 4. 6, t i meout i s2seconds:. ! ! ! !Successr at ei s80per cent ( 4/ 5) , r ound- t r i pmi n/ avg/ max= 44/ 44/ 44ms R5#ping 150.1.4.6 Typeescapesequencet oabor t .Sendi ng5, 100- byt eI CMPEchost o150. 1. 4. 6, t i meout i s2seconds:. ! ! ! !Successr at ei s80per cent ( 4/ 5) , r ound- t r i pmi n/ avg/ max= 44/ 44/ 44ms R5# R4#ping 150.1.5.5 Typeescapesequencet oabor t .Sendi ng5, 100- byt eI CMPEchost o150. 1. 5. 5, t i meout i s2seconds:! ! ! ! !Successr at ei s100per cent ( 5/ 5) , r ound- t r i pmi n/ avg/ max= 44/ 45/ 48ms R1#traceroute 150.1.5.5 Typeescapesequencet oabor t .Tr aci ngt her out et o150. 1. 5. 5 110. 0. 0. 44msec0msec4msec 2155. 1. 0. 524msec*20msec R1# R5#traceroute 150.1.4.1 Typeescapesequencet oabor t .Tr aci ngt her out et o150. 1. 4. 1 1155. 1. 45. 416msec 155. 1. 0. 424msec* R5# R1#copy running-config flash:test.txt Dest i nat i onf i l ename[ t est . t xt ] ? Er asef l ash: bef or ecopyi ng?[ conf i r m] n Ver i f yi ngchecksum. . . OK( 0xC5CD)910byt escopi edi n6. 647secs( 137byt es/ sec) R1#conf t Ent er conf i gur at i oncommands, oneper l i ne. Endwi t hCNTL/ Z.Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 5 - R1( conf i g) #ip http server R1( conf i g) #ftp-server enableR1( conf i g) #ftp-server topdir flash: R5#conf t Ent er conf i gur at i oncommands, oneper l i ne. Endwi t hCNTL/ Z.R5( conf i g) #no ip ftp passive R5#copy ftp://150.1.4.1/test.txt null: Accessi ngf t p: / / 150. 1. 4. 1/ t est . t xt . . .Loadi ngt est . t xt ![ OK- 910/ 4096byt es] 910byt escopi edi n2. 560secs( 355byt es/ sec) R5#conf t Ent er conf i gur at i oncommands, oneper l i ne. Endwi t hCNTL/ Z.R5( conf i g) #ip ftp passive R5( conf i g) #do copy ftp://150.1.4.1/test.txt null: Accessi ngf t p: / / 150. 1. 4. 1/ t est . t xt . . .Loadi ngt est . t xt ![ OK- 910/ 4096byt es] 910byt escopi edi n2. 584secs( 352byt es/ sec)R5( conf i g) # R5#t elnet 150.1.4.1 80 Tr yi ng150. 1. 4. 1, 80. . . Open R5#disc 1 Cl osi ngconnect i ont o150. 1. 4. 1[ conf i r m] R5#telnet 150.1.4.1 Tr yi ng150. 1. 4. 1. . .%Dest i nat i onunr eachabl e; gat ewayor host down R4#show ip access-listsExt endedI Paccessl i st FROM_OUTSI DE 10per mi t i cmpanyanyecho( 12mat ches)20per mi t i cmpanyanyecho- r epl y( 15mat ches)30per mi t udpanyanyr ange3343433464( 3mat ches)40per mi t i cmpanyanyt i me- exceeded 50per mi t i cmpanyanypor t - unr eachabl e( 6mat ches)60per mi t t cphost 150. 1. 5. 5eqbgphost 150. 1. 4. 4( 135mat ches)70per mi t t cphost 150. 1. 5. 5host 150. 1. 4. 4eqbgp 80per mi t ospf anyany( 340mat ches)90per mi t t cpanyhost 150. 1. 4. 1r angef t p- dat af t p( 376mat ches)100per mi t t cpanyhost 150. 1. 4. 6r angef t p- dat af t p 110per mi t t cpanyhost 150. 1. 4. 1r ange102365535( 28mat ches)120per mi t t cpanyhost 150. 1. 4. 6r ange102365535 130per mi t t cpanyhost 150. 1. 4. 1eqwww ( 14mat ches)140per mi t t cpanyhost 150. 1. 4. 6eqwww150denyi panyanyl og( 1mat ch) Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 6 - Traffic Filtering with Reflexive Access-Lists Objective: Configure router to use access-list technique that creates ACL entries for returning traffic dynamically Directions The task is to permit inside hosts to access outside resources via telnet and HTTP. In addition, pings should be also permitted Configure routers as per the NAT scenario Standard NAT with Overloading (PAT) Create access-list OUTBOUND and permit outgoint TCP connections to port numbers 80 and 23. This connections should be reflected in access-list MIRROR Additionally, permit outbound ICMP of type echo and reflect it into access-list MIRROR Create access-list INBOUND. Evaluate access-list MIRROR in the beginning, and additionally permit OSPF traffic. Deny and log all other traffic Apply access-list OUTBOUND and INBOUND to both Serial and Frame-Relay interfaces, as egress and ingress filters respectively Note that routers traffic by default is not subject to reflective ACL inspections Final Configuration R4: i paccess- l i st ext endedOUTBOUND per mi t t cpanyanyeq23r ef l ect MI RROR per mi t t cpanyanyeq80r ef l ect MI RROR per mi t i cmpanyanyechor ef l ect MI RROR !i paccess- l i st ext endedI NBOUND eval uat eMI RROR per mi t ospf anyany denyi panyanyl og !i nt er f aceSer i al 0/ 1 Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 7 - i paccess- gr oupI NBOUNDi n i paccess- gr oupOUTBOUNDout!i nt er f aceSer i al 0/ 0. 1 i paccess- gr oupI NBOUNDi n i paccess- gr oupOUTBOUNDout Verification R1#telnet 150.1.5.5 Tr yi ng150. 1. 5. 5. . . Open R5> R4#show ip access MIRROR Ref l exi veI Paccessl i st MI RROR per mi t t cphost 150. 1. 5. 5eqt el net host 150. 1. 4. 4eq43992( 33mat ches)( t i mel ef t 295) R6#ping 150.1.5.5 size 1500 repeat 10 Typeescapesequencet oabor t .Sendi ng10, 1500- byt eI CMPEchost o150. 1. 5. 5, t i meout i s2seconds:. ! ! !Rack1AS>4 [ Resumi ngconnect i on4t or 4. . . ] R4#show ip acce MIRROR Ref l exi veI Paccessl i st MI RROR per mi t i cmphost 150. 1. 5. 5host 150. 1. 4. 4( 29mat ches) ( t i mel ef t 299)per mi t t cphost 150. 1. 5. 5eqt el net host 150. 1. 4. 4eq43992( 33mat ches)( t i mel ef t 252) R4#telnet 150.1.5.5 Tr yi ng150. 1. 5. 5. . .%SEC- 6- I PACCESSLOGP: l i st I NBOUNDdeni edt cp150. 1. 5. 5( 23) - >155. 1. 45. 4( 21042) , 1packet%Connect i ont i medout ; r emot ehost not r espondi ng R4#show ip bgp summary BGPr out er i dent i f i er 150. 1. 4. 4, l ocal ASnumber 1 BGPt abl ever si oni s3, mai nr out i ngt abl ever si on3 Nei ghbor VASMsgRcvdMsgSent Tbl Ver I nQOut QUp/ DownSt at e/ Pf xRcd 150. 1. 5. 542293200000: 01: 00Act i ve R4#ping 150.1.5.5 Typeescapesequencet oabor t .Sendi ng5, 100- byt eI CMPEchost o150. 1. 5. 5, t i meout i s2seconds:. . . . .Successr at ei s0per cent ( 0/ 5) %SEC- 6- I PACCESSLOGDP: l i st I NBOUNDdeni edi cmp150. 1. 5. 5- > 155. 1. 45. 4( 0/ 0) , 1 packet%SEC- 6- I PACCESSLOGP: l i st I NBOUNDdeni edt cp150. 1. 5. 5( 179) - >150. 1. 4. 4( 15332) , 1packetAccessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 8 - Reflexive Access-Lists and Router-Generated Traffic Objective: Configure router so that reflexive access-lists may evaluate router-generated traffic Directions Configure routers as per the NAT scenario Traffic Filtering with Reflexive Access-Lists Add a line to access-list OUTBOUND to permit and reflect oubound connections to port 179 Create extended access-list LOCAL_TRAFFIC and match TCP/ICMP traffic from any to any Create route-map LOCAL_POLICY; match access-list LOCAL_TRAFFIC and set interface Loopback0 Apply route-map LOCAL_POLICY as local policy Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 9 - Final Configuration R4: i paccess- l i st ext OUTBOUND per mi t t cpanyanyeq179r ef l ect MI RROR !i paccess- l i st ext endedLOCAL_TRAFFI C per mi t t cpanyany per mi t i cmpanyany !r out e- mapLOCAL_POLI CY mat chi paddr essLOCAL_TRAFFI C set i nt er f aceLoopback0 !i pl ocal pol i cyr out e- mapLOCAL_POLI CY Verification R4#ping 150.1.5.5 Typeescapesequencet oabor t .Sendi ng5, 100- byt eI CMPEchost o150. 1. 5. 5, t i meout i s2seconds:! ! ! ! !Successr at ei s100per cent ( 5/ 5) , r ound- t r i pmi n/ avg/ max= 32/ 49/ 64ms R4#show ip access-lists MIRROR Ref l exi veI Paccessl i st MI RROR per mi t i cmphost 150. 1. 5. 5host 155. 1. 45. 4( 8mat ches) ( t i mel ef t 297)per mi t i cmphost 150. 1. 5. 5host 155. 1. 0. 4( 12mat ches) ( t i mel ef t 297) R4#telnet 150.1.5.5 Tr yi ng150. 1. 5. 5. . . Open R5>exit [ Connect i ont o150. 1. 5. 5cl osedbyf or ei gnhost ] R4#sh ip access-lists MIRROR Ref l exi veI Paccessl i st MI RROR per mi t t cphost 150. 1. 5. 5eqt el net host 155. 1. 0. 4eq47175( 78mat ches)( t i mel ef t 1)per mi t i cmphost 150. 1. 5. 5host 155. 1. 45. 4( 8mat ches) ( t i mel ef t 233)per mi t i cmphost 150. 1. 5. 5host 155. 1. 0. 4( 12mat ches) ( t i mel ef t 233) R4#sh ip bgp summaryBGPr out er i dent i f i er 150. 1. 4. 4, l ocal ASnumber 1 BGPt abl ever si oni s2, mai nr out i ngt abl ever si on2 1net wor kent r i esusi ng117byt esof memor y 1pat hent r i esusi ng52byt esof memor y 2/ 1BGPpat h/ best pat hat t r i but eent r i esusi ng248byt esof memor y 1BGPAS- PATHent r i esusi ng24byt esof memor y 0BGPr out e- mapcacheent r i esusi ng0byt esof memor y 0BGPf i l t er - l i st cacheent r i esusi ng0byt esof memor y BGPusi ng441t ot al byt esof memor y BGPact i vi t y2/ 1pr ef i xes, 2/ 1pat hs, scani nt er val 60secs Nei ghbor VASMsgRcvdMsgSent Tbl Ver I nQOut QUp/ DownSt at e/ Pf xRcd 150. 1. 5. 542343620000: 00: 531 Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 10 - R4#show ip acce MIRROR Ref l exi veI Paccessl i st MI RROR per mi t t cphost 150. 1. 5. 5eqbgphost 150. 1. 4. 4eq34994( 21mat ches)( t i mel ef t 241) R4#show ip access-lists LOCAL_TRAFFIC Ext endedI Paccessl i st LOCAL_TRAFFI C 10per mi t t cpanyany( 42mat ches)20per mi t i cmpanyany( 29mat ches) R4#show route-mapr out e- mapLOCAL_POLI CY, per mi t , sequence10 Mat chcl auses:i paddr ess( access- l i st s) : LOCAL_TRAFFI C Set cl auses:i nt er f aceLoopback0 Pol i cyr out i ngmat ches: 70packet s, 4678byt es Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 11 - Configuring CBAC for Traffic Inspection Objective: Configure router for outgoing traffic inspection and dynamic opening of ACL pinholes Directions Configure routers as per the NAT scenario Standard NAT with Overloading (PAT) Create inspection rule named INSPECT to permit TCP based protocols. Additionally, permit FTP transactions to be performed through the firewall Next, configure this rule to permit ICMP and inspect router-generated TCP/ICMP traffic Create access-list INBOUND and permit OSPF with it. Block and log all other traffic Apply access-list INBOUND ingress on Serial and FR interfaces Apply inspection rules egress on Serial and FR interfaces Final Configuration R4: i pi nspect nameI NSPECTf t p i pi nspect nameI NSPECTi cmpr out er - t r af f i c i pi nspect nameI NSPECTt cpr out er - t r af f i c !i paccess- l i st ext I NBOUND per mi t ospf anyany denyi panyanyl og !i nt er f aceSer i al 0/ 1 i paccess- gr oupI NBOUNDi n i pi nspect I NSPECTout!i nt er f aceSer i al 0/ 0. 1 i paccess- gr oupI NBOUNDi n i pi nspect I NSPECToutAccessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 12 - Verification R4#show ip inspect configSessi onaudi t t r ai l i sdi sabl ed Sessi onal er t i senabl ed one- mi nut e( sampl i ngper i od) t hr eshol dsar e[ 400: 500] connect i ons max- i ncompl et esessi onst hr eshol dsar e[ 400: 500]max- i ncompl et et cpconnect i onsper host i s50. Bl ock- t i me0mi nut e.t cpsynwai t - t i mei s30sec- - t cpf i nwai t - t i mei s5sec t cpi dl e- t i mei s3600sec- - udpi dl e- t i mei s30sec dns- t i meout i s5sec I nspect i onRul eConf i gur at i on I nspect i onnameI NSPECT ht t pal er t i sonaudi t - t r ai l i sof f t i meout 3600 f t pal er t i sonaudi t - t r ai l i sof f t i meout 3600 i cmpal er t i sonaudi t - t r ai l i sof f t i meout 10 t el net al er t i sonaudi t - t r ai l i sof f t i meout 3600 r out er al er t i sonaudi t - t r ai l i sof f t i meout 30 R6#telnet 150.1.5.5 Tr yi ng150. 1. 5. 5. . . Open R5> R4#show ip inspect sessionsEst abl i shedSessi ons Sessi on650FF88C( 10. 0. 0. 6: 54327) =>( 150. 1. 5. 5: 23) t cpSI S_OPEN Sessi on650FFB04( 150. 1. 4. 4: 40087) =>( 150. 1. 5. 5: 179) t cpSI S_OPEN R4#ping 150.1.5.5 Typeescapesequencet oabor t .Sendi ng5, 100- byt eI CMPEchost o150. 1. 5. 5, t i meout i s2seconds:! ! ! ! !Successr at ei s100per cent ( 5/ 5) , r ound- t r i pmi n/ avg/ max= 44/ 44/ 48ms R4#telnet 150.1.5.5 Tr yi ng150. 1. 5. 5. . . Open R5>exit [ Connect i ont o150. 1. 5. 5cl osedbyf or ei gnhost ] R5#conf t Ent er conf i gur at i oncommands, oneper l i ne. Endwi t hCNTL/ Z.R5( conf i g) #ftp-server enable R5( conf i g) #ftp-server topdir flash: R5( conf i g) #do copy start flash: Dest i nat i onf i l ename[ r 5- conf g] ?test.txt Er asef l ash: bef or ecopyi ng?[ conf i r m] n Ver i f yi ngchecksum. . . OK( 0x10CB)1668byt escopi edi n0. 292secs( 5712byt es/ sec) R6#copy ftp://150.1.5.5/test.txt null: Accessi ngf t p: / / 150. 1. 5. 5/ t est . t xt . . .Loadi ngt est . t xt ![ OK- 1668/ 4096byt es] 1668byt escopi edi n4. 652secs( 359byt es/ sec) Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 13 - Access Control with Dynamic ACLs (Lock & Key) Objective: Configure router to authenticate users via telnet login session before granting them access to internal resources Directions Configure routers as per the NAT scenario Configuring Static NAT The goal is to permit remote uses access the inside network and set the absolute and inactivity timeouts Configure VTY lines to authenticate incoming telnet sessions Create local username DYNACL with passwod CISCO Configure this user to have autocommand access-enable host timeout 5, therefore setting inactivity timeout to 5 minutes Create extended access-list INBOUND and permit OSPF, BGP and Telnet traffic with this list Create dynamic list entry ACCESS with timeout value of 10 (absolute timeout) and configure permit ip any any as dynamic rule Deny and log everything else with access-list INBOUND Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 14 - Final Configuration R4: l i nevt y04 l ogi nl ocal!user nameDYNACLpasswor dCI SCO user nameDYNACLaut ocommandaccess- enabl ehost t i meout 5 !i paccess- l i st ext endedI NBOUND per mi t ospf anyany per mi t t cpanyanyeqbgp per mi t t cpanyeqbgpany per mi t t cpanyanyeqt el netdynami cACCESSt i meout 10per mi t i panyany denyi panyanyl og !i nt er f aceSer i al 0/ 1 i paccess- gr oupI NBOUNDi n !i nt er f aceSer i al 0/ 0. 1 i paccess- gr oupI NBOUNDi n Verification R5#ping 150.1.4.1 Typeescapesequencet oabor t .Sendi ng5, 100- byt eI CMPEchost o150. 1. 4. 1, t i meout i s2seconds:U. U. U Successr at ei s0per cent ( 0/ 5) R5#ping 150.1.4.6 Typeescapesequencet oabor t .Sendi ng5, 100- byt eI CMPEchost o150. 1. 4. 6, t i meout i s2seconds:U. U. U Successr at ei s0per cent ( 0/ 5) R5#telnet 150.1.4.4 Tr yi ng150. 1. 4. 4. . . Open User AccessVer i f i cat i on User name: DYNACL Passwor d: CI SCO [ Connect i ont o150. 1. 4. 4cl osedbyf or ei gnhost ] R5# R4#show ip acce Ext endedI Paccessl i st I NBOUND 10per mi t ospf anyany( 11mat ches)20per mi t t cpanyanyeqbgp 30per mi t t cpanyeqbgpany( 6mat ches)40per mi t t cpanyanyeqt el net ( 99mat ches)50Dynami cACCESSper mi t i panyany per mi t i phost 155. 1. 45. 5any Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 15 - 60denyi panyanyl og( 10mat ches)R4# R5#ping 150.1.4.1 Typeescapesequencet oabor t .Sendi ng5, 100- byt eI CMPEchost o150. 1. 4. 1, t i meout i s2seconds:. ! ! ! !Successr at ei s80per cent ( 4/ 5) , r ound- t r i pmi n/ avg/ max= 28/ 31/ 32ms R5#ping 150.1.4.6 Typeescapesequencet oabor t .Sendi ng5, 100- byt eI CMPEchost o150. 1. 4. 6, t i meout i s2seconds:. ! ! ! !Successr at ei s80per cent ( 4/ 5) , r ound- t r i pmi n/ avg/ max= 44/ 44/ 44ms R4#show ip access-listsExt endedI Paccessl i st I NBOUND 10per mi t ospf anyany( 49mat ches)20per mi t t cpanyanyeqbgp 30per mi t t cpanyeqbgpany( 24mat ches)40per mi t t cpanyanyeqt el net ( 99mat ches)50Dynami cACCESSper mi t i panyany per mi t i phost 155. 1. 45. 5any( 12mat ches) ( t i mel ef t 132)60denyi panyanyl og( 10mat ches) Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 16 - Using NBAR to Filter Traffic Objective: Configure router to filter traffic based on application-level criteria Directions Configure routers as per the NAT scenario Standard NAT with Overloading (PAT) Make sure CEF is enabled globally on R4 Create a map-class IMAGES on R4 on match any of HTTP URLs that are retrieving an image file (.gif, .jpeg, .jpg) Create policy-map DROP_IMAGES and configure it to drop any traffic in class IMAGES Apply the policy-map DROP_IMAGES ingress to the interfaces Serial 0/1 and Serial 0/0.1 Final Configuration R4: i pcefcl ass- mapmat ch- anyI MAGES mat chpr ot ocol ht t pur l *. gi f mat chpr ot ocol ht t pur l *. j peg| *. j pg !pol i cy- mapDROP_I MAGES cl assI MAGES dr op !i nt er f aceSer i al 0/ 1 ser vi ce- pol i cyi nput DROP_I MAGES !i nt er f aceSer i al 0/ 0. 1 ser vi ce- pol i cyi nput DROP_I MAGES Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 17 - Verification R5#conf t Ent er conf i gur at i oncommands, oneper l i ne. Endwi t hCNTL/ Z.R5( conf i g) #ip http server R5( conf i g) #ip http path flash: R5( conf i g) #do copy start flash:test.gif Dest i nat i onf i l ename[ t est . gi f ] ? Er asef l ash: bef or ecopyi ng?[ conf i r m] n Ver i f yi ngchecksum. . . OK( 0x10CB)1668byt escopi edi n0. 288secs( 5792byt es/ sec)R5( conf i g) #do copy start flash:test.jpgDest i nat i onf i l ename[ t est . j pg] ? Er asef l ash: bef or ecopyi ng?[ conf i r m] n Ver i f yi ngchecksum. . . OK( 0x10CB)1668byt escopi edi n0. 300secs( 5560byt es/ sec)R5( conf i g) #do copy start flash:test.jpeg Dest i nat i onf i l ename[ t est . j peg] ? Er asef l ash: bef or ecopyi ng?[ conf i r m] n Ver i f yi ngchecksum. . . OK( 0x10CB)1668byt escopi edi n0. 288secs( 5792byt es/ sec)R5( conf i g) #do copy start flash:test.txt Dest i nat i onf i l ename[ t est . t xt ] ? Er asef l ash: bef or ecopyi ng?[ conf i r m] n Ver i f yi ngchecksum. . . OK( 0x10CB)1668byt escopi edi n0. 294secs( 5670byt es/ sec) R1#copy http://150.1.5.5/test.txt null: Loadi nght t p: / / 150. 1. 5. 5/ t est . t xt !1668byt escopi edi n2. 496secs( 668byt es/ sec) R1#copy http://150.1.5.5/test.gif null: %Er r or openi nght t p: / / 150. 1. 5. 5/ t est . gi f ( I / Oer r or ) R1#copy http://150.1.5.5/test.jpeg null: %Er r or openi nght t p: / / 150. 1. 5. 5/ t est . j peg( I / Oer r or ) R1#copy http://150.1.5.5/test.jpg null: %Er r or openi nght t p: / / 150. 1. 5. 5/ t est . j pg( I / Oer r or ) R4#show policy-map interface serial 0/0.1 Ser i al 0/ 0. 1 Ser vi ce- pol i cyi nput : DROP_I MAGES Cl ass- map: I MAGES( mat ch- any)24packet s, 4971byt es 5mi nut eof f er edr at e0bps, dr opr at e0bps Mat ch: pr ot ocol ht t pur l " *. j peg| *. j pg"16packet s, 3314byt es 5mi nut er at e0bps Mat ch: pr ot ocol ht t pur l " *. gi f "8packet s, 1657byt es 5mi nut er at e0bps dr op Cl ass- map: cl ass- def aul t ( mat ch- any)70packet s, 7822byt es 5mi nut eof f er edr at e0bps, dr opr at e0bpsMat ch: any Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 18 - Using Policy-Based Routing to Filter Traffic Objective: Configure router to filter traffic based on packet lengths Directions Configure routers per the NAT scenario Configuring Static NAT The task is to permit small ICMP echo packets with L3 length up to 300 bytes Create extended access-list ICMP_ECHO and match ICMP echo packets Create route-map ICMP_CONTROL; with section 10 permit packets matching the access-list ICMP and having length 301-1500. Route this packets to Null0 interface Apply this route-map to Serial and FR interfaces Final Configuration R4: i paccess- l i st ext endedI CMP_ECHO per mi t i cmpanyanyecho !r out e- mapI CMP_CONTROLper mi t 10 mat chi paddr essI CMP_ECHO mat chl engt h3011500 set i nt er f aceNul l 0 !i nt er f aceSer i al 0/ 1 i ppol i cyr out e- mapI CMP_CONTROL !i nt er f aceSer i al 0/ 0. 1 i ppol i cyr out e- mapI CMP_CONTROL Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 19 - Verification R4#show route-mapr out e- mapI CMP_CONTROL, per mi t , sequence10 Mat chcl auses:i paddr ess( access- l i st s) : I CMP_ECHO l engt h3011500 Set cl auses:i nt er f aceNul l 0 Pol i cyr out i ngmat ches: 0packet s, 0byt es R5#ping 150.1.4.1 Typeescapesequencet oabor t .Sendi ng5, 100- byt eI CMPEchost o150. 1. 4. 1, t i meout i s2seconds:. ! ! ! !Successr at ei s80per cent ( 4/ 5) , r ound- t r i pmi n/ avg/ max= 28/ 30/ 32ms R5#ping 150.1.4.6 Typeescapesequencet oabor t .Sendi ng5, 100- byt eI CMPEchost o150. 1. 4. 6, t i meout i s2seconds:. ! ! ! !Successr at ei s80per cent ( 4/ 5) , r ound- t r i pmi n/ avg/ max= 44/ 44/ 44ms R5#ping 150.1.4.6 size 301 Typeescapesequencet oabor t .Sendi ng5, 301- byt eI CMPEchost o150. 1. 4. 6, t i meout i s2seconds:. . . . .Successr at ei s0per cent ( 0/ 5) R5#ping 150.1.4.1 size 301 Typeescapesequencet oabor t .Sendi ng5, 301- byt eI CMPEchost o150. 1. 4. 1, t i meout i s2seconds:. . . . .Successr at ei s0per cent ( 0/ 5) R4#show route-mapr out e- mapI CMP_CONTROL, per mi t , sequence10 Mat chcl auses:i paddr ess( access- l i st s) : I CMP_ECHO l engt h3011500 Set cl auses:i nt er f aceNul l 0 Pol i cyr out i ngmat ches: 10packet s, 3050byt es Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 20 - DoS Attacks Prevention with TCP Intercept Objective: Configure router to intercept all TCP connections to Web Servers Directions Configure routers as per the NAT scenario Common Configuration Create access-list 199 and match TCP connections to network 150.1.4.0/24 on port 80 Configure TCP intercept to use list 199, and random drop mode Start clamping half-open sessions when their number reaches 1500 Stop clamping half-open sessions when their number reaches 1200 Set inactive connection timeout to one hour Final Configuration R4: access- l i st 199per mi t t cpany150. 1. 4. 00. 0. 0. 255eq80 !i pt cpi nt er cept l i st 199 i pt cpi nt er cept max- i ncompl et ehi gh1500 i pt cpi nt er cept max- i ncompl et el ow 1200 i pt cpi nt er cept connect i on- t i meout 3600 i pt cpi nt er cept dr op- moder andom Verification R4#debug ip tcp interceptTCPi nt er cept debuggi ngi son R5#telnet 150.1.4.100 80Tr yi ng150. 1. 4. 100, 80. . . Open [ Connect i ont o150. 1. 4. 100cl osedbyf or ei gnhost ]Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 21 - R5# R4#*Mar 1921: 29: 42. 391: I NTERCEPT: new connect i on( 155. 1. 45. 5: 20959SYN- >150. 1. 4. 100: 80)*Mar 1921: 29: 42. 395: I NTERCEPT( *) : ( 155. 1. 45. 5: 20959 150. 1. 4. 100: 80)*Mar 1921: 29: 42. 419: I NTERCEPT( *) : ( 155. 1. 45. 5: 20959SYN- > 150. 1. 4. 100: 80)*Mar 1921: 29: 42. 419: I NTERCEPT: cl i ent packet dr oppedi nSYNSENT ( 155. 1. 45. 5: 20959- > 150. 1. 4. 100: 80)*Mar 1921: 29: 42. 423: I NTERCEPT: cl i ent packet dr oppedi nSYNSENT ( 155. 1. 45. 5: 20959- > 150. 1. 4. 100: 80)*Mar 1921: 29: 43. 415: I NTERCEPT( *) : SYNSENTr et r ansmi t 1( 155. 1. 45. 5: 20959SYN - > 150. 1. 4. 100: 80)*Mar 1921: 29: 43. 415: I NTERCEPT: cl i ent packet dr oppedi nSYNSENT ( 155. 1. 45. 5: 20959- > 150. 1. 4. 100: 80)*Mar 1921: 29: 45. 415: I NTERCEPT( *) : SYNSENTr et r ansmi t 2( 155. 1. 45. 5: 20959SYN - > 150. 1. 4. 100: 80)*Mar 1921: 29: 45. 415: I NTERCEPT: cl i ent packet dr oppedi nSYNSENT ( 155. 1. 45. 5: 20959- > 150. 1. 4. 100: 80)*Mar 1921: 29: 49. 415: I NTERCEPT( *) : SYNSENTr et r ansmi t 3( 155. 1. 45. 5: 20959SYN - > 150. 1. 4. 100: 80)*Mar 1921: 29: 49. 415: I NTERCEPT: cl i ent packet dr oppedi nSYNSENT ( 155. 1. 45. 5: 20959- > 150. 1. 4. 100: 80)*Mar 1921: 29: 57. 415: I NTERCEPT( *) : SYNSENTr et r ansmi t 4( 155. 1. 45. 5: 20959SYN - > 150. 1. 4. 100: 80)*Mar 1921: 29: 57. 415: I NTERCEPT: cl i ent packet dr oppedi nSYNSENT ( 155. 1. 45. 5: 20959- > 150. 1. 4. 100: 80)*Mar 1921: 30: 13. 415: I NTERCEPT: SYNSENTr et r ansmi t t i ngt ool ong ( 155. 1. 45. 5: 20959 150. 1. 4. 100: 80)*Mar 1921: 30: 13. 415: I NTERCEPT( *) : ( 155. 1. 45. 5: 20959150. 1. 4. 1: 80)*Mar 2013: 09: 49. 091: I NTERCEPT: cl i ent packet passedi nSYNSENT ( 155. 1. 45. 5: 33678- > 150. 1. 4. 1: 80)*Mar 2013: 09: 51. 087: I NTERCEPT: cl i ent packet passedi nSYNSENT ( 155. 1. 45. 5: 33678- > 150. 1. 4. 1: 80)*Mar 2013: 09: 51. 091: I NTERCEPT: cl i ent packet passedi nSYNSENT ( 155. 1. 45. 5: 33678- > 150. 1. 4. 1: 80)*Mar 2013: 09: 55. 087: I NTERCEPT: cl i ent packet passedi nSYNSENT ( 155. 1. 45. 5: 33678- > 150. 1. 4. 1: 80)*Mar 2013: 09: 55. 091: I NTERCEPT: cl i ent packet passedi nSYNSENT ( 155. 1. 45. 5: 33678- > 150. 1. 4. 1: 80)*Mar 2013: 10: 03. 087: I NTERCEPT: cl i ent packet passedi nSYNSENT ( 155. 1. 45. 5: 33678- > 150. 1. 4. 1: 80)*Mar 2013: 10: 03. 091: I NTERCEPT: cl i ent packet passedi nSYNSENT ( 155. 1. 45. 5: 33678- > 150. 1. 4. 1: 80)*Mar 2013: 10: 04. 087: I NTERCEPT: SYNSENTt i mi ngout ( 155. 1. 45. 5: 33678150. 1. 4. 1: 80)*Mar 2013: 10: 04. 087: I NTERCEPT( *) : ( 155. 1. 45. 5: 33678RST- > 150. 1. 4. 1: 80) Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 24 - DoS Attacks Prevention with CBAC Objective: Configure CBAC to defend against SYN-Flooding Attacks Directions Configure routers as per the NAT scenario Common Configuration Advertise network 10.0.0.0/24 into OSPF on R4 Create inspection rule DOS_MITIGATION and inspect TCP traffic Configure CBAC to start claming half-open sessions when their number reaches 1200 and stop on 1000 sessions Configure CBAC to start replacing half-open sessions when their rate exceeds 300 per minute and stop when it falls below 100 Configure CBAC to block any host for 5 minutes when it has more then 50 half-open sessions Final Configuration R4: i pi nspect max- i ncompl et ehi gh1200 i pi nspect max- i ncompl et el ow 1000 i pi nspect one- mi nut el ow 200 i pi nspect one- mi nut ehi gh300 i pi nspect t cpmax- i ncompl et ehost 50bl ock- t i me5 !i pi nspect nameDOS_MI TI GATI ONt cp !i nt er f aceEt her net 0/ 0 i pi nspect DOS_MI TI GATI ONout!r out er ospf 1 r edi st r i but econnect edsubnet s Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 25 - Verification R4#show ip inspect allSessi onaudi t t r ai l i sdi sabl ed Sessi onal er t i senabl ed one- mi nut e( sampl i ngper i od) t hr eshol dsar e[ 200: 300] connect i ons max- i ncompl et esessi onst hr eshol dsar e[ 1000: 1200]max- i ncompl et et cpconnect i onsper host i s50. Bl ock- t i me5mi nut es.t cpsynwai t - t i mei s30sec- - t cpf i nwai t - t i mei s5sec t cpi dl e- t i mei s3600sec- - udpi dl e- t i mei s30sec dns- t i meout i s5sec I nspect i onRul eConf i gur at i on I nspect i onnameDOS_MI TI GATI ON t cpal er t i sonaudi t - t r ai l i sof f t i meout 3600 I nt er f aceConf i gur at i on I nt er f aceEt her net 0/ 0 I nboundi nspect i onr ul ei snot setOut goi ngi nspect i onr ul ei sDOS_MI TI GATI ON t cpal er t i sonaudi t - t r ai l i sof f t i meout 3600 I nboundaccessl i st i snot setOut goi ngaccessl i st i snot set R4#debug ip inspect tcp I NSPECTTCPI nspect i ondebuggi ngi son R4#debug ip inspect event I NSPECTspeci al event sdebuggi ngi son R5#debug ip tcp transactionsTCPspeci al event debuggi ngi son R1#conf t Ent er conf i gur at i oncommands, oneper l i ne. Endwi t hCNTL/ Z.R1( conf i g) #int fa 0/0 R1( conf i g- i f ) #shut R5#telnet 10.0.0.1Tr yi ng10. 0. 0. 1. . .*Mar 2015: 45: 27. 171: TCP: Randoml ocal por t gener at ed64972 *Mar 2015: 45: 27. 171: TCB65C81554cr eat ed *Mar 2015: 45: 27. 171: TCB65C81554set t i ngpr oper t yTCP_TOS( 11) 65650030 *Mar 2015: 45: 27. 171: TCB65C81554boundt oUNKNOWN. 64972 *Mar 2015: 45: 27. 171: TCP: sendi ngSYN, seq2073350221, ack0 *Mar 2015: 45: 27. 171: TCP0: Connect i ont o10. 0. 0. 1: 23, adver t i si ngMSS536 *Mar 2015: 45: 27. 175: TCP0: st at ewasCLOSED- > SYNSENT[ 64972- > 10. 0. 0. 1( 23) ]*Mar 2015: 45: 29. 175: 155. 1. 45. 5: 64972 10. 0. 0. 1: 23congest i onwi ndowchanges *Mar 2015: 45: 29. 175: cwndf r om536t o536, sst hr eshf r om65535t o1072 *Mar 2015: 45: 29. 175: TCP0: t i meout #1- t i meout i s4000ms, seq2073350221 *Mar 2015: 45: 33. 175: TCP0: t i meout #2- t i meout i s8000ms, seq2073350221 *Mar 2015: 45: 41. 175: TCP0: t i meout #3- t i meout i s16000ms, seq2073350221 *Mar 2015: 45: 57. 175: TCP0: t i meout #4- t i meout i s29996ms, seq2073350221 *Mar 2015: 45: 57. 195: TCP0: badsegf r om10. 0. 0. 1- - Rst bi t set . : por t 64972 seq0ack0r cvnxt 0r cvwnd4128l en0 R4#CBACsi s65086504pak64B21D7CSI S_CLOSED/ LI STENTCPSYNSEQ2073350221LEN0 ( 155. 1. 45. 5: 64972) => ( 10. 0. 0. 1: 23)CBACsi s65086504pak64B23264SI S_OPENI NG/ SYNSENTTCPSYNSEQ2073350221LEN0 ( 155. 1. 45. 5: 64972) => ( 10. 0. 0. 1: 23)Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 26 - CBACsi s65086504L4i nspect r esul t : SKI Ppacket 64B23264( 155. 1. 45. 5: 64972)( 10. 0. 0. 1: 23) byt es0Er r St r = Ret r ansmi t t edSegment t cpCBACsi s65086504pak 650025A4SI S_OPENI NG/ SYNSENTTCPSYNSEQ2073350221LEN0( 155. 1. 45. 5: 64972) =>( 10. 0. 0. 1: 23)CBACsi s65086504L4i nspect r esul t : SKI Ppacket 650025A4( 155. 1. 45. 5: 64972)( 10. 0. 0. 1: 23) byt es0Er r St r = Ret r ansmi t t edSegment t cp CBACsi s65086504pak64B1FAA4SI S_OPENI NG/ SYNSENTTCPSYNSEQ2073350221LEN0 ( 155. 1. 45. 5: 64972) => ( 10. 0. 0. 1: 23)CBACsi s65086504L4i nspect r esul t : SKI Ppacket 64B1FAA4( 155. 1. 45. 5: 64972)( 10. 0. 0. 1: 23) byt es0Er r St r = Ret r ansmi t t edSegment t cp CBACsent aTCPpkt ( 10. 0. 0. 1: 23) t cpf l ag: 0x4- > 155. 1. 45. 5: 64972seq0ack0 wnd4128 CBACsent aTCPpkt ( 155. 1. 45. 5: 64972) t cpf l ag: 0x4- > 10. 0. 0. 1: 23seq 2073350222ack0wnd0 CBACsi s65086504pak6500724CSI S_CLOSED/ LI STENTCPSYNSEQ2073350221LEN0 ( 155. 1. 45. 5: 64972) => ( 10. 0. 0. 1: 23) CBACsent aTCPpkt ( 10. 0. 0. 1: 23) t cpf l ag: 0x4- > 155. 1. 45. 5: 64972seq0ack0 wnd4128 CBACsent aTCPpkt ( 155. 1. 45. 5: 64972) t cpf l ag: 0x4- > 10. 0. 0. 1: 23seq 2073350222ack0wnd0 Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 27 - Configuring Application Port-Mapping with CBAC Objective: Configure router so that CBAC recognizes common application on non-standard port Directions Configure routers per the NAT scenario Configuring Static PAT Create CBAC inspection rule named INSPECT_TELNET on R4 and configure it to inspect telnet protocol Create access-list 99 on R4 and match network 10.0.0.0/24 with it Map ports 1023 and 6023 as telnet ports for networks in list 99 Apply inspection rule INSPECT_TELNET inbound on Serail and FR interfaces Create extended access-list INSIDE and deny everything with it Apply access-list INSIDE inbound to Ethernet interface on R4 Final Configuration R4: access- l i st 99per mi t 10. 0. 0. 00. 0. 0. 255 !i pi nspect nameI NSPECT_TELNETt el neti ppor t - mapt el net por t t cp1023l i st 99 i ppor t - mapt el net por t t cp6023l i st 99 !i nt er f aceSer i al 0/ 1 i pi nspect I NSPECT_TELNETi n !i nt er f aceSer i al 0/ 0. 1 i pi nspect I NSPECT_TELNETi n !i paccess- l i st ext endedI NSI DE denyi panyany !i nt er f aceEt her net 0/ 0 i paccess- gr oupI NSI DEi n Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 28 - Verification R5#telnet 150.1.4.4 1023 Tr yi ng150. 1. 4. 4, 1023. . . Open R1> R4#show ip inspect sessionsEst abl i shedSessi ons Sessi on6507BE4C( 155. 1. 45. 5: 17996) =>( 10. 0. 0. 1: 23) t el net SI S_OPEN R5#telnet 150.1.4.4 6023 Tr yi ng150. 1. 4. 4, 6023. . . Open R6> R4#show ip inspect sessionsEst abl i shedSessi ons Sessi on6507C0C4( 155. 1. 45. 5: 59812) =>( 10. 0. 0. 6: 23) t el net SI S_OPEN Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 29 - Using CAR for Smurf Attack Mitigation Objective: Configure router to protect inside network from Smurf attack Directions Configure routers as per the NAT scenario Configuring Static NAT Smurf attack is performed reflecting ICMP echo packets; Therefore, target network is bombed with a heavy flow of ICMP echo-reply packets Create extended access-list 100 on R4 and match ICMP echo-reply packets with it Create rate-limit rule to limit traffic matching access-list 100 to 64Kbps.Select Bc and Be values to accommodate sustained bursts length of 1 sec and 1.5 sec of traffic-rate:Bc=64000*1/8=8000 bytesandBe=Be*1.5=12000 bytes. This rate-limiting rules should be applied to Serial and FR interfaces Final Configuration R4: access- l i st 100per mi t i cmpanyanyecho- r epl y !i nt er f aceSer i al 0/ 1 r at e- l i mi t i nput access- gr oup10064000800012000conf t r exceeddr op !i nt er f aceSer i al 0/ 0. 1 r at e- l i mi t i nput access- gr oup10064000800012000conf t r exceeddr op Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 30 - Verification R4#ping 150.1.5.5 size 500 repeat 100 Typeescapesequencet oabor t .Sendi ng100, 500- byt eI CMPEchost o150. 1. 5. 5, t i meout i s2seconds:! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !Successr at ei s100per cent ( 100/ 100) , r ound- t r i pmi n/ avg/ max= 192/ 195/ 208ms R4#show int se 0/1 rate Ser i al 0/ 1 I nputmat ches: access- gr oup100 par ams: 64000bps, 8000l i mi t , 12000ext endedl i mi tconf or med100packet s, 50400byt es; act i on: t r ansmi texceeded0packet s, 0byt es; act i on: dr op l ast packet : 134524msago, cur r ent bur st : 0byt es l ast cl ear ed00: 03: 26ago, conf or med1000bps, exceeded0bps R4#show int se 0/0.1 rate Ser i al 0/ 0. 1 I nputmat ches: access- gr oup100 par ams: 64000bps, 8000l i mi t , 12000ext endedl i mi tconf or med0packet s, 0byt es; act i on: t r ansmi texceeded0packet s, 0byt es; act i on: dr op l ast packet : 672000msago, cur r ent bur st : 0byt es l ast cl ear ed00: 03: 31ago, conf or med0bps, exceeded0bps R4#show ip acce 100 Ext endedI Paccessl i st 100 10per mi t i cmpanyanyecho- r epl y( 100mat ches) Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 31 - IP Address Spoofing Prevention with ACLs Objective: Configure router to protect against IP address spoofing Directions The task is to implement IP address filtering on outside to filter out RFC1918, RFC3330 networks Additionally, as per the recommendations of RFC2627, ingress filtering should be performed, to deny illegal IP addresses. That is, only our network is permitted from inside, and our networks are denied as sources on outside Also, its a good idea to filter out ICMP redirect messages and disable IP source routing Pay special attention not to block source address 0.0.0.0 on inside interface, since DHCP usually uses it to send requests Pre-configure routes as per NAT scenario Standard NAT Configuration. Apply your configurations to R4 Create extended access-list OUTSIDE_IN oFilter out ICMP redirects and packets sourced from host 0.0.0.0 oFilter out RFC 1918 networks oFilter out RFC 3330 networks oAs per RFC 2627 deny packets sourced from our network 150.1.4.0/24 Create extended access-list INSIDE_IN oFilter out ICMP redirectsoPermit UDP packets from 0.0.0.0/32 to 10.0.0.4 (R4s address) port BOOTPs. oPermit network 10.0.0.0/24as per RFC2627 oBlock and log everything else. Apply access-list INSIDE_IN ingress to Ethernet interface Apply access-list OUTSIDE_IN ingress to Serial and FR interfaces Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 32 - Final Configuration R4: noi psour ce- r out e !i paccess- l i st ext endedOUTSI DE_I N r emar k==r emar k== Redi r ect smaybeusedf or spoof i ng r emar k==denyi cmpanyanyr edi r ectr emar k==r emar k== RFC1918 r emar k==deny ip 10.0.0.0 0.255.255.255 any deny ip 172.16.0.0 0.15.255.255 any deny ip 192.168.0.0 0.0.255.255 any r emar k==r emar k== RFC3330 r emar k==deny ip host 0.0.0.0 any deny ip 224.0.0.0 31.255.255.255 any deny ip 127.0.0.0 0.255.255.255 any deny ip 169.254.0.0 0.0.255.255 any deny ip 192.0.2.0 0.0.0.255 any r emar k==r emar k== RFC2627 r emar k==deny ip 150.1.4.0 0.0.0.255 any r emar k==r emar k== Endof Li str emar k==per mi t i panyany i paccess- l i st ext endedI NSI DE_I N denyi cmpanyanyr edi r ectper mi t i p10. 0. 0. 00. 0. 0. 255any per mi t udphost 0. 0. 0. 0host 10. 0. 0. 4eqboot ps denyi panyanyl og i nt er f aceEt her net 0/ 0 i paccess- gr oupI NSI DE_I Ni n !i nt er f aceSer i al 0/ 1 i paccess- gr oupOUTSI DE_I Ni n !i nt er f aceSer i al 0/ 0. 1 i paccess- gr oupOUTSI DE_I Ni n Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 33 - Verification R4#sho ip access-listsSt andar dI Paccessl i st I NSI DE_NETWORK 10per mi t 10. 0. 0. 0, wi l dcar dbi t s0. 0. 0. 255 Ext endedI Paccessl i st I NSI DE_I N 10denyi cmpanyanyr edi r ect20per mi t i p10. 0. 0. 00. 0. 0. 255any 30per mi t udphost 0. 0. 0. 0host 10. 0. 0. 4eqboot ps 40denyi panyanyl og Ext endedI Paccessl i st OUTSI DE_I N 10denyi cmpanyanyr edi r ect20denyi p10. 0. 0. 00. 255. 255. 255any 30denyi p172. 16. 0. 00. 15. 255. 255any 40denyi p192. 168. 0. 00. 0. 255. 255any 50denyi phost 0. 0. 0. 0any 60denyi p224. 0. 0. 031. 255. 255. 255any 70denyi p127. 0. 0. 00. 255. 255. 255any 80denyi p169. 254. 0. 00. 0. 255. 255any 90denyi p192. 0. 2. 00. 0. 0. 255any 100denyi p150. 1. 4. 00. 0. 0. 255any 110per mi t i panyany( 26mat ches) Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 34 - Using uRPF to Prevent IP Address Spoofing Objective: Configure router to prevent address spoofing using uRPF Directions Configure routers as per the NAT scenario Common Configuration The task is to enable uRPF checks, yet exempt some networks from verification Additionally, all spoofing attempts should be logged Create additional interfaces Loopback1 on R5 with IP address 150.1.55.55/24 and Loopback2 with IP address 150.1.155.155/24 Do not advertise the new Loopbacks into any routing protocol Disable BGP on R4 to stop receiving default route. Create access-list 100 on R4 and permit network 150.1.55.0/24. Deny and log everything else Configure uRPF on R4, using Serial and FR interfaces. Apply access-list 100 as uRPF ACL Final Configuration R4: i pcefaccess- l i st 100per mi t i p150. 1. 55. 00. 0. 0. 255any access- l i st 100denyi panyanyl og !i nt er f aceSer i al 0/ 1 i pver i f yuni cast r ever se100 !i nt er f aceSer i al 0/ 0. 1 i pver i f yuni cast r ever se100 !nor out er bgp1 R5: i nt er f aceLoopback1 Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 35 - i paddr ess150. 1. 55. 55255. 255. 255. 0 !i nt er f aceLoopback2 i paddr ess150. 1. 155. 155255. 255. 255. 0 Verification R5#ping 150.1.4.4 so lo1 Typeescapesequencet oabor t .Sendi ng5, 100- byt eI CMPEchost o150. 1. 4. 4, t i meout i s2seconds:Packet sent wi t hasour ceaddr essof 150. 1. 55. 55 . . . . .Successr at ei s0per cent ( 0/ 5) R4#sh ip acce Ext endedI Paccessl i st 100 20per mi t i p150. 1. 55. 00. 0. 0. 255any( 5mat ches)30denyi panyanyl og R4#show ip int se 0/1 Ser i al 0/ 1i sup, l i nepr ot ocol i sup I nt er net addr essi s155. 1. 45. 4/ 24 Br oadcast addr essi s255. 255. 255. 255 Addr essdet er mi nedbynon- vol at i l ememor y MTUi s1500byt es Hel per addr essi snot setDi r ect edbr oadcast f or war di ngi sdi sabl ed Mul t i cast r eser vedgr oupsj oi ned: 224. 0. 0. 5 Out goi ngaccessl i st i snot setI nboundaccessl i st i snot setPr oxyARPi senabl ed Local Pr oxyARPi sdi sabl ed Secur i t yl evel i sdef aul tSpl i t hor i zoni senabl ed I CMPr edi r ect sar eal wayssentI CMPunr eachabl esar eal wayssentI CMPmaskr epl i esar enever sentI Pf ast swi t chi ngi senabl ed I Pf ast swi t chi ngont hesamei nt er f acei senabl ed I PFl ow swi t chi ngi sdi sabl ed I PCEFswi t chi ngi senabl ed I PCEFFeat ur eFast swi t chi ngt ur bovect orI Pmul t i cast f ast swi t chi ngi senabl ed I Pmul t i cast di st r i but edf ast swi t chi ngi sdi sabl ed I Pr out e- cachef l agsar eFast , CEF Rout er Di scover yi sdi sabl ed I Pout put packet account i ngi sdi sabl ed I Paccessvi ol at i onaccount i ngi sdi sabl ed TCP/ I Pheader compr essi oni sdi sabl ed RTP/ I Pheader compr essi oni sdi sabl ed Pol i cyr out i ngi sdi sabl ed Net wor kaddr esst r ansl at i oni sdi sabl ed BGPPol i cyMappi ngi sdi sabl ed I Pver i f ysour cer eachabl e- vi aRX, al l ow def aul t , ACL100 0ver i f i cat i ondr ops 0suppr essedver i f i cat i ondr ops R5#ping 150.1.4.4 so lo2 Typeescapesequencet oabor t .Accessed by [email protected] from 200.198.104.126 at 15:17:03 Mar 19,2008CCIE Routing & Switching Lab Workbook Volume IVersion 4.1 Copyright 2007 Internetwork Expertwww.InternetworkExpert.com- 36 - Sendi ng5, 100- byt eI CMPEchost o150. 1. 4. 4, t i meout i s2seconds:Packet sent wi t hasour ceaddr essof 150. 1. 155. 155 . . . . .Successr at ei s0per cent ( 0/ 5) R4#%SEC- 6- I PACCESSLOGDP: l i st 100deni edi cmp150. 1. 155. 155- > 150. 1. 4. 4( 0/ 0) , 1 packet R4#show ip int se 0/1 Ser i al 0/ 1i sup, l i nepr ot ocol i sup I nt er net addr essi s155. 1. 45. 4/ 24 Br oadcast addr essi s255. 255. 255. 255 Addr essdet er mi nedbynon- vol at i l ememor y MTUi s1500byt es Hel per addr essi snot setDi r ect edbr oadcast f or war di ngi sdi sabl ed Mul t i cast r eser vedgr oupsj oi ned: 224. 0. 0. 5 Out goi ngaccessl i st i snot setI nboundaccessl i st i snot setPr oxyARPi senabl ed Local Pr oxyARPi sdi sabl ed Secur i t yl evel i sdef aul tSpl i t hor i zoni senabl ed I CMPr edi r ect sar eal wayssentI CMPunr eachabl esar eal wayssentI CMPmaskr epl i esar enever sentI Pf ast swi t chi ngi senabl ed I Pf ast swi t chi ngont hesamei nt er f acei senabl ed I PFl ow swi t chi ngi sdi sabl ed I PCEFswi t chi ngi senabl ed I PCEFFeat ur eFast swi t chi ngt ur bovect orI Pmul t i cast f ast swi t chi ngi senabl ed I Pmul t i cast di st r i but edf ast swi t chi ngi sdi sabl ed I Pr out e- cachef l agsar eFast , CEF Rout er Di scover yi sdi sabl ed I Pout put packet account i ngi sdi sabl ed I Paccessvi ol at i onaccount i ngi sdi sabl ed TCP/ I Pheader compr essi oni sdi sabl ed RTP/ I Pheader compr essi oni sdi sabl ed Pol i cyr out i ngi sdi sabl ed Net wor kaddr esst r ansl at i oni sdi sabl ed BGPPol i cyMappi ngi sdi sabl ed I Pver i f ysour cer eachabl e- vi aRX, al l ow def aul t , ACL100 0ver i f i cat i ondr ops 0suppr essedver i f i cat i ondr ops R4#sh ip acce 100 Ext endedI Paccessl i st 100 20per mi t i p150. 1. 55. 00. 0. 0. 255any( 5mat ches)30denyi panyanyl og( 5mat ches)


Cisco Press CCIE Practical Studies CCIE Practice Lab...The Cisco Press CCIE Practical Studies Volume 1 book contains 5 simulated CCIE lab exams in chapter 18, and the solutions are

Cisco Press CCIE Practical Studies CCIE Practice Lab...The Cisco Press CCIE Practical Studies Volume 1 book contains 5 simulated CCIE lab exams in chapter 18, and the solutions are

Documents
1708 CCIE Security

1708 CCIE Security

Documents
Experience Our Cisco Training offering as Cisco · PDF fileCCIE Routing & Switching - Cisco Certified Internetwork Expert RS CCIE Security - Cisco CertifiedInternetwork Expert Security

Experience Our Cisco Training offering as Cisco · PDF fileCCIE Routing & Switching - Cisco Certified Internetwork Expert RS CCIE Security - Cisco CertifiedInternetwork Expert Security

Documents
Selecting a Partner for Cisco CCIE Certification: An ... · PDF fileSelecting a Partner for Cisco CCIE Certification: An ... IPexpert — Selecting a Partner for Cisco CCIE ... vs

Selecting a Partner for Cisco CCIE Certification: An ... · PDF fileSelecting a Partner for Cisco CCIE Certification: An ... IPexpert — Selecting a Partner for Cisco CCIE ... vs

Documents
CCIE Security dominating CCIE Collaboration and CCIE Data

CCIE Security dominating CCIE Collaboration and CCIE Data

Documents
Cisco CCIE Security 350-018 · PDF fileEnsurepass.com Easy Test! Easy Pass! Download the complete collection of Exam's Real Q&As Cisco CCIE Security 350-018 Exam

Cisco CCIE Security 350-018 · PDF fileEnsurepass.com Easy Test! Easy Pass! Download the complete collection of Exam's Real Q&As Cisco CCIE Security 350-018 Exam

Documents
Cisco 400-101 VCE CCIE Braindumps

Cisco 400-101 VCE CCIE Braindumps

Documents
CCIE - index-of.co.ukindex-of.co.uk/Cisco/Cisco Press - CCIE Self Study CCIE... · 2019-03-07 · , CCIE No. 6924, has CCIE certifications in Security, Routing and Switching, and

CCIE - index-of.co.ukindex-of.co.uk/Cisco/Cisco Press - CCIE Self Study CCIE... · 2019-03-07 · , CCIE No. 6924, has CCIE certifications in Security, Routing and Switching, and

Documents
Cisco CCIE v5 Workbook

Cisco CCIE v5 Workbook

Documents
1 © 2005 Cisco Systems, Inc. All rights reserved. CCIE Overview; January 2006 CISCO PUBLIC CISCO CCIE Program January 2006

1 © 2005 Cisco Systems, Inc. All rights reserved. CCIE Overview; January 2006 CISCO PUBLIC CISCO CCIE Program January 2006

Documents
AUTHORIZED CISCO TRAINING - iTLS CCNA Security CCNP Security CCIE Security Service Provider CCNA Service Provider CCNP Service Provider CCIE Service Provider Wireless CCNA Wireless

AUTHORIZED CISCO TRAINING - iTLS CCNA Security CCNP Security CCIE Security Service Provider CCNA Service Provider CCNP Service Provider CCIE Service Provider Wireless CCNA Wireless

Documents
Next Generation CCIE · CCIE Data Center CCIE SP CCIE Security CCIE Wireless Collaboration CCIE R&S CCDE 90% 100% 100% 100%

Next Generation CCIE · CCIE Data Center CCIE SP CCIE Security CCIE Wireless Collaboration CCIE R&S CCDE 90% 100% 100% 100%

Documents
Cisco - Himawan Nugroho CCIE 8171 - How to Pass CCIE Lab - Insider Tips

Cisco - Himawan Nugroho CCIE 8171 - How to Pass CCIE Lab - Insider Tips

Documents
PowerPoint Presentation · CCNA Expert Professional CCIE CCNP - CCIE Professional CCNP Associate CCNA Gold Partner Cisco CCIE Cisco CERTIFIED CCIE Cisco CERTIFIED CCIE CENTER CISCO

PowerPoint Presentation · CCNA Expert Professional CCIE CCNP - CCIE Professional CCNP Associate CCNA Gold Partner Cisco CCIE Cisco CERTIFIED CCIE Cisco CERTIFIED CCIE CENTER CISCO

Documents
CCIE - doc.lagout.org Security/Cisco Press... · Cisco Press 201 West 103rd Street Indianapolis, IN 46290 USA Cisco Press CCIE Self-Study CCIE Security Exam Certification Guide Henry

CCIE - doc.lagout.org Security/Cisco Press... · Cisco Press 201 West 103rd Street Indianapolis, IN 46290 USA Cisco Press CCIE Self-Study CCIE Security Exam Certification Guide Henry

Documents
CCIEipmanager.ir/r/Ebook/Cisco.Press.CCIE.Self.Study.CCIE.Security... · Cisco Press 201 West 103rd Street Indianapolis, IN 46290 USA Cisco Press CCIE Self-Study CCIE Security Exam

CCIEipmanager.ir/r/Ebook/Cisco.Press.CCIE.Self.Study.CCIE.Security... · Cisco Press 201 West 103rd Street Indianapolis, IN 46290 USA Cisco Press CCIE Self-Study CCIE Security Exam

Documents
Cisco Press CCIE Practical Studies CCIE Practice Labptgmedia.pearsoncmg.com/images/1587200023/downloads/...CCIE Practical Studies The Lab, the Bad, the Ugly Overview The Cisco Press

Cisco Press CCIE Practical Studies CCIE Practice Labptgmedia.pearsoncmg.com/images/1587200023/downloads/...CCIE Practical Studies The Lab, the Bad, the Ugly Overview The Cisco Press

Documents
Cisco Press - CCIE Security v4.0 Practice Lab - Natalie Timms.pdf

Cisco Press - CCIE Security v4.0 Practice Lab - Natalie Timms.pdf

Documents
Cisco Security LearningCisco Certifications - … · The CCIE Security Certification program is a two-year certification program intended to recognize Cisco network security experts

Cisco Security LearningCisco Certifications - … · The CCIE Security Certification program is a two-year certification program intended to recognize Cisco network security experts

Documents
Cisco CCNA CCNP CCIE - mylearning.ch · Cisco Certification - ersegeitende eiteridngen Cisco CCNA CCNP CCIE CAS Network Programmability ... TSHOOT - 300-135 Es werden strukturierte

Cisco CCNA CCNP CCIE - mylearning.ch · Cisco Certification - ersegeitende eiteridngen Cisco CCNA CCNP CCIE CAS Network Programmability ... TSHOOT - 300-135 Es werden strukturierte

Documents
Cisco Security LearningCisco Certifications - Auldhouse · The CCIE Security Certification program is a two-year certification program intended to recognize Cisco network ... Cisco

Cisco Security LearningCisco Certifications - Auldhouse · The CCIE Security Certification program is a two-year certification program intended to recognize Cisco network ... Cisco

Documents
Netmetric Ccie Security-Khawar Bhutt CCIE Security Workbook v2

Netmetric Ccie Security-Khawar Bhutt CCIE Security Workbook v2

Documents
CCIE Routing and Switchingindex-of.co.uk/Cisco/Cisco.Press.CCIE.Routing.and... · Maurilio Gorito, CCIE No. 3807, works for Cisco Systems, Inc., as part of the CCIE team. As content

CCIE Routing and Switchingindex-of.co.uk/Cisco/Cisco.Press.CCIE.Routing.and... · Maurilio Gorito, CCIE No. 3807, works for Cisco Systems, Inc., as part of the CCIE team. As content

Documents
CCIE Security Written Exam v4 · CCIE Security Written Exam v4.0 Version: 9.0 Cisco 350-018 Exam. Exam A QUESTION 1 Which two of these Cisco Catalyst security features offer …

CCIE Security Written Exam v4 · CCIE Security Written Exam v4.0 Version: 9.0 Cisco 350-018 Exam. Exam A QUESTION 1 Which two of these Cisco Catalyst security features offer …

Documents
Cisco Content Services Switch Security Configuration Guide · CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, ... Chapter 4, Configuring

Cisco Content Services Switch Security Configuration Guide · CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, ... Chapter 4, Configuring

Documents
WELL TRAINED PEOPLE BETTER SERVED CUSTOMERS SECURITY v5.0.pdf · 01 CCIE SECURITY V5.0. 02 (overview) TThe Cisco Certified Internetwork Expert Security (CCIE Security) ... CCIE Security

WELL TRAINED PEOPLE BETTER SERVED CUSTOMERS SECURITY v5.0.pdf · 01 CCIE SECURITY V5.0. 02 (overview) TThe Cisco Certified Internetwork Expert Security (CCIE Security) ... CCIE Security

Documents
Cisco 350-030 Exam Bundle Exam Name: Cisco CCIE Voice

Cisco 350-030 Exam Bundle Exam Name: Cisco CCIE Voice

Documents
CCIE Security

CCIE Security

Documents
CCIE Security Lab Workbook Volume I Version 3 - Lagout Security... · Cisco®,€Cisco®€Systems,€CCIE,€and€Cisco€Certified ... CCIE Security Lab Workbook Volume I ... CCIE

CCIE Security Lab Workbook Volume I Version 3 - Lagout Security... · Cisco®,€Cisco®€Systems,€CCIE,€and€Cisco€Certified ... CCIE Security Lab Workbook Volume I ... CCIE

Documents
Cisco CCIE Fundamentals Network - Ostad Online

Cisco CCIE Fundamentals Network - Ostad Online

Documents