Info

This solution is very common when you have to address discontiguous Area 0s and you want to merge them: interface Tunnel1 ip address 10.1.1.1 255.255.255.0 ip ospf authentication-key cisco tunnel source Serial1/1 tunnel destination 81.18.1.21 interface Serial1/0 ip address 173.5.1.129 255.255.255.128 encapsulation frame-relay no ip route-cache ip ospf authentication-key cisco ip ospf network point-to-multipoint no ip mroute-cache frame-relay map ip 173.5.1.130 506 broadcast frame-relay map ip...

Overview of the CCIE Security Exam

The CCIE Security exam covers IP and IP routing as well as specific security components. Becoming a CCIE is a two-step process. The first step is to pass a two-hour, written qualification exam administered through Cisco-authorized testing centers. The second step is to successfully complete a hands-on lab examination at a Cisco facility demonstrating the candidate's expertise in configuring, testing, and troubleshooting real network equipment. The qualification exam is a prerequisite for...

Overview of the CCIE Certification

CCIE is widely considered the industry's highest-level IT certification program, commonly referred to as the doctorate of networking. It equips candidates with excellent internetworking skills that are simply the best in the industry. CCIE certification was recently voted #1 by IT professionals in the CertCities.com annual survey, The Hottest Certifications for 2003, a ranking attributed to the growing importance of certifications in a tight job market. Furthermore, it also grabbed the title of...

Verify that the sensor is configured correctly for the sensing interface and the command and control interface as

By default, on some 42xx appliances, the sensing interface is configured to use int2 and not int0. Check the documentation. You can change this from the sensor console as follows. Before changing the port: sensor1 show interfaces command-control is up Internet address is 192.168.3.2, subnet mask is 255.255.255.0, telnet is eth1 Link encap Ethernet HWaddr 00 06 5B ED 59 B4 inet addr 192.168.3.2 Bcast 192.168.3.255 Mask 255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 58...

Load Sharing Using HSRP

Configure two HSRP groups on R5 and R6 for load balancing traffic in VLAN-7. See Example 4-53. Configure preempt for both groups to fail over in the event Active is Dead for any group. Test HSRP failover by shutting the Ethernet0 on R5. See Example 4-54. Example 4-53. Two HSRP Groups Between R5 and R6 for Load Balancing Snip configuration from R6 interface Fast 0 0 0 standby 1 ip 142.52.0.50 standby 1 priority 110 standby 1 preempt standby 2 ip 142.52.0.51 standby 2 preempt Snip configuration...

Configure conditional advertisement on R6 to advertise Loopback1 to R5 only if Loopback1 of R4 (44.44.44.0) is absent from

< snip from R6> router bgp 2 no synchronization bgp router-id 6.6.6.6 network 66.66.66.0 mask 255.255.255.0 neighbor 175.1.6.1 remote-as 1 neighbor 175.1.6.2 remote-as 2 neighbor 175.1.6.2 advertise-map advertise non-exist-map check-exist-route no auto-summary access-list 1 permit 44.44.44.0 0.0.0.255 access-list 2 permit 66.66.66.0 0.0.0.255 route-map check-exist-route permit 10 match ip address 1 route-map advertise permit 10 match ip address 2 Verify Conditional advertisement using...

CCIE Security Practice Labs

Table of By Fahim Hussain Yusuf Bhaiji About the Technical Reviewers Acknowledgments Foreword Why Security Certifications Why CCIE Security Introduction Icons Used in This Book Command Syntax Conventions Chapter 1. Practice Lab 1 Equipment List General Guidelines Setting Up the Lab Practice Lab 1 Exercises Section 1.0 Basic Configuration (10 points) Section 2.0 Routing Configuration (25 points) Section 3.0 ISDN Configuration (8 points) Section 4.0 PIX Configuration (5 points) Section 5.0 IPSec...

D

Create an ICMP ACL on R2 as follows to confirm that packets from source 18.18.18.18 to destination 12.12.12.12 are arriving on VLAN 4 ingress interface ethernet0/0. You can check hit counts to prove that the attack is successful. access-list 101 permit icmp host 18.18.18.18 host 12.12.12.12. Do a debug ip packet detail 101 and debug ip icmp on R2. You will see echo-replies being sent to R8 from R2. Example 2-24. IP Spoofing Simulation Ping R2 loopback-1 using spoofed source IP address of R8 r3...

General Guidelines

Do not configure any static default routes unless otherwise specified/required. Use DLCIs provided in the diagram. Use the IP addressing scheme provided in the diagram; do not change any IP addressing unless otherwise specified. In the CCIE Lab, initial configurations are loaded, and therefore IP addresses are not to be changed. In this book, each chapter has a separate lab topology with different IP addressing, so each chapter needs to be recabled and all IP addresses need to be redone from the...

See the following examples from R2 and R6 respectively to test and verify DDR using dialer-watch

Test and verify DDR using dialer-watch. Shut down Serial1/0 on R4 (Frame Relay link to R2). r2 show debugging Dial on demand Dial on demand events debugging is on 2w6d DDR Dialer Watch watch-group 1 2w6d DDR network 44.44.44.0 255.255.255.0 DOWN, 2w6d DDR Dialer Watch Dial Reason Primary of group 1 DOWN 2w6d DDR Dialer Watch watch-group 1, 2w6d BR0 DDR rotor dialout priority 2w6d DDR dialing secondary by dialer string 99047265 on Di1 2w6d BR0 DDR Attempting to dial 99047265 2w6d LINK-3-UPDOWN...

Target Audience

This book is intended for candidates preparing for the CCIE Security Lab exam. Network engineers with specialization in security can also take advantage of this book with the complex scenarios, troubleshooting tips, and solutions provided. One of the primary objectives of this book is to assist candidates preparing for the CCIE Lab exam by providing complex practice scenarios to give the candidate a look-and-feel for the real CCIE Lab exam. CCIE candidates can use this book as a gauging element...

Rommon Security

Disclaimer: The author and Cisco Press are not liable for any damage to routers when using this feature. Please use this feature with extreme caution, and read all related materials and the following recovery procedure. The 2600/3600 series (and newer versions of ROMMON for the 1700 series) all have what is known as a ROMMON security feature. ROMMON security is designed to prevent a person with physical access to the router (2600 or 3600) from viewing the configuration file. ROMMON security...

Section 10.0 Security Violations

Configure the TCP Intercept feature on R1 to protect TCP servers from TCP SYN-flooding attacks. Configure an ACL to protect only network 172.16.4.0 with TCP Intercept. See Example 4-56. Configure TCP Intercept in Watch mode, where all TCP connections passed through are watched by the router. If any connection does not complete the three-way handshake within the time specified, the router drops the connection by sending a reset. See Example 4-56. access-list 102 permit tcp any 172.16.4.0 0.0.0.255 For...

Practice

One of the biggest challenges in the CCIE Lab is precise and accurate interpretation of the requirements of questions. Candidates must learn to interpret the questions accurately and understand exactly what is required. If the question is not clear, approach the proctor for clarification. Because of this inaccurate interpretation problem, most candidates are unsuccessful in passing the exam, as they appear to have misattempted the test and do not fulfill the requirements of the question. Although...