Introduction

Volume I - Advanced Technology Labs is the hands on practice companion to the Advanced Technologies Class and is the first step towards CCIE lab preparation. Each lab is designed to walk you through the technology, and provide in depth explanations of the necessary configurations.

CCIE Security Lab Workbook Volume I consists of over 150 hands-on individually focused labs that present topics in an easy to follow, goal-oriented step-by-step approach. Every scenario features detailed breakdowns and thorough verifications to assist you in getting 100% understanding of the particular technology. By isolating each topic on its own you are able to see, firsthand, the various ways to configure each technology. By understanding these fundamental technologies, you will then be able to predict advanced and sometimes subtle interactions when configuring multiple technologies together.

Update Policy

New labs are continuously added so all material is kept up to date. Each of these new labs will be made available electronically and free of charge to customers who have purchased previous versions of Lab Workbook Volume I. This method ensures that the material covered in this Lab Workbook is as up-to-date as possible with the current CCIE R&S Lab exam specification.

Authors

The workbook has been designed and supported by a team of highly-skilled and industry recognized CCIE instructors, each having many years of in-production and training experience. In short, our instructor names speak for themselves!

At-a-Glance

• The CCIE Security Lab Workbook Volume I is covered by our exclusive Investment Protection Program
• Access to over 150 technology-focused labs (Electronic lab content is printable)
• Workbook support provided via www.IEOC.com - Free online CCIE community and forum actively monitored by the actual authors of the workbook
• The amount of material covered, and the detail of information, is not found in any other workbook on the market
• Same physical topology used throughout the entire workbook so no need to re-cable your equipment
• Hardware specification is widely supported by commercial rack vendors and our preferred rack vendor Graded Labs
• Developed by the authors you know and trust to provide only the best material

Workbook Outline

The following is the outline of the technology-focused scenarios included in the workbook. Every challenging scenario is accomplished by detailed solution, verification and informative breakdowns. Notice that the workbook is being constantly revised and updated, so you may expect to see more advanced scenarios than displayed in the outline.

• ASA Firewall
• VLANs and IP Addressing
• RIPv2
• OSPF
• EIGRP
• Advanced Routing
• IP Access-Lists
• Object Groups
• Administrative Access
• ICMP Traffic
• URL Filtering
• Dynamic NAT and PAT
• Static NAT and PAT
• Dynamic Policy NAT
• Static Policy NAT and PAT
• Identity NAT and NAT Exemption
• Outside Dynamic NAT
• DNS Doctoring using "Alias"
• DNS Doctoring using "Static"
• Fragmented Traffic
• IDENT Issues
• BGP across the Firewall
• Stub Multicast Routing
• PIM Multicast Routing
• Network Time Protocol
• System Logging
• Filtering System Logs
• SNMP Monitoring
• DHCP Server
• HTTP Traffic Inspection
• FTP Traffic Inspection
• SMTP Traffic Inspection
• TCP Inspection
• Management Traffic Inspection
• ICMP Traffic Inspection
• Threat Detection
• Un-Stealthing the Firewall
• Traffic Policing
• Low Latency Queuing
• Traffic Shaping
• Hierarchical Queuing
• Transparent Firewall
• ARP Inspection
• Ethertype Access-Lists
• Transparent Firewall NAT
• Firewall Contexts
• Firewall Contexts Routing
• Firewall Contexts Classification
• Resource Management
• Active/Standby Failover
• Active/Active Failover
• ASA Redundant Interface
• ASA Enhanced Object Groups
• IOS Firewall
• Basic Access Lists
• Reflexive Access Lists
• Dynamic Access Lists
• Basic CBAC
• CBAC Port to Application Mapping
• CBAC TCP/UDP Intercept Feature
• CBAC Performance Optimization
• IOS URL Filtering
• IOS Authentication Proxy
• Flexible Packet Matching
• Zone Based Firewall
• ZFW Rate Limiting
• ZFW Application Inspection
• Classic IOS Transparent Firewall
• ZFW-Based IOS Transparent Firewall
• IOS IP Virtual Reassembly
• IOS ACL Selective IP Option Drop
• VPN
• LAN-to-LAN VPN between IOS and ASA
• IPsec and NAT Interaction in ASA Firewall
• Authentication using Digital Signatures
• ASA Tunnel Group Names
• ASA Certificate Mapping Rules
• Filtering traffic inside LAN-to-LAN tunnels
• LAN-to-LAN tunnel between IOS Routers
• IOS IPsec NAT Traversal
• IOS IKE Aggressive Mode
• VPN between Overlapping Subnets
• IOS VPN with Digital Signatures Authentication
• IOS Certificate Access Lists
• Virtual Tunnel Interfaces
• GRE over IPsec
• DMVPN
• IOS ezVPN Server
• IOS ezVPN Server using VTI
• IOS ezVPN Server: Group Lock
• IOS ezVPN Server: RADIUS Authorization
• IOS ezVPN Server: Per User AAA download with PKI
• IOS ezVPN Remote: Client Mode
• IOS ezVPN Remote: NEM
• IOS ezVPN Remote: VTI
• IOS ezVPN Remote: Digital Signatures
• ASA ezVPN Server
• ASA ezVPN Server: DHCP Address Allocation
• ASA ezVPN Server: RADIUS Authorization
• ASA ezVPN Server: Per User AAA download with PKI
• ASA Clientless SSL VPN
• ASA Clientless SSL VPN: Port Forwarding
• ASA Clientless SSL VPN: Smart Tunnel
• ASA SSL VPN
• IOS SSL VPN
• IOS SSL VPN RADIUS Authorization
• IOS WebVPN (Clientless SSL VPN)
• IOS WebVPN Port Forwarding
• GET VPN
• GET VPN COOP KS
• Intrusion Prevention
• IPS Initial Setup
• Configuring Inline VLAN Pair
• Creating Custom Signature
• Event Counting
• Inline Blocking
• IPS VLAN Groups and Virtual Sensors
• IPS Event Summarization
• IPS Event Processing
• IPS Blocking and Rate-Limiting
• IPS Application Inspection and Control
• IPS META Engine
• IPS Anomaly Detection
• IOS IPS
• Identity Management
• Remote Session Authentication using TACACS+
• Exec Authorization using TACACS+
• IOS Local Command Authorization
• IOS Remote Command Authorization
• Using RADIUS for Session Control
• ASA Cut-Through Proxy
• ASA Network Authorization
• LDAP Attribute Maps
• 802.1x Authentication and Authorization
• NAC Policy Configuration
• L3 NAC with ASA and Cisco VPN Client
• Control/Management Plane Security
• Control Plane Protection (CPPr)
• BGP Generic TTL Security Mechanism
• BGP Prefix Limit
• Selective Packet Discard
• Terminal Lines Security
• TCP Keepalives
• SNMPv2 Server
• SNMPv2c Access Control
• SNMP Traps and Informs
• CPU and Memory Thresholds
• SNMPv3
• RMON Alarms
• Role Based Access Control
• IP Source Tracker
• ICMP Rate Limiting
• IOS Login Enhancements
• Advanced Security & Attack Mitigation
• Application-Based Filtering with NBAR
• VLAN Filtering for IP Traffic
• VLAN Filters for Non-IP Traffic
• DHCP Snooping
• Dynamic ARP Inspection
• IP Source Guard
• Netflow Ingress & Egress
• Netflow Top Talkers
• Rate-Limiting with CAR
• MQC Single-Rate Policing
• TCP Intercept
• TCP Intercept Watch Mode
• Preventing Spoofing with uRPF
• Traffic Filtering with Policy-Based Routing
• Using Catalyst Ingress Access-Lists
• STP BPDU Guard
• STP BPDU Filter
• STP Root Guard
• Protected Ports
• Storm Control

Hardware

Internetwork Expert's CCIE Security products and classes all use the same hardware specification used in the actual CCIE Security Lab exam. This includes six routers running a mixture of 12.4T IOS with the Advanced Security or Advanced Enterprise Services feature sets. In addition to the six routers, two Catalyst 3550 or 3560 series switches running the enhanced multilayer software image (EMI) are included. Specific security-related hardware consists of an IPS 4235 running 6.x software, two ASA 5510 firewalls running 8.x software with Security Plus license, a Windows 2000/2003 server for AAA/CA. A separate Test PC is provided for NAC/VPN verification as well as other testing purposes and GUI access. It runs Windows XP with Cisco VPN Client, Cisco Trust Agent and Wireshark protocol analyzer software installed.

As per the actual CCIE lab hardware specification, our products and classes also include various external devices that are not within the control of the candidate. These devices include a Frame Relay switch and three backbone routers to inject routes and facilitate in the testing of security related features.

Although the logical topology changes with every scenario, all of our CCIE Security products and classes use the same physical topology. Therefore once your lab has been physically cabled to meet the specification there is no need to change the cabling. Refer to our recent blog post named INE CCIE Security v3.0 Hardware List for detailed information on our hardware topology. The following document - IEWB-SC Physical Topology - outlines the hardware and the physical cabling required to build a compatible rack

What is the difference between the printed and electronic versions?

With the printed version you will receive the professionally-printed workbook. Additionally with the printed version you will get access to the electronic version FREE OF CHARGE! If your order is placed before 3PM PDT (-7 GMT) you will receive access the same day!

The electronic version is exactly the same as the printed version with the exception of the fact the workbook, solutions and diagrams are Adobe PDF format. With the electronic version you can save the file locally to your computer, use it offline and even print it out. There are not any restrictions on the PDF with regards to how many times you can print it.

CCIE Security Combo Deals

In addition to our complete Security End-to-End Program you may consider the following combined and economically priced bundles.

CCIE Security Electronic Bundle

This bundle provides an ideal combination of video-based training and hands-on workbooks. Also included is our unique Core Knowledge Simulator, which allows students to assess readiness for the essential Core Knowledge part of the CCIE Voice exam.

CCIE Security Volume I Lab Workbook (Electronic) + CCIE Security Volume II Lab Workbook (Electronic) + CCIE Security Advanced Technology Labs Class-on-Demand + CCIE Security Core Knowledge Simulator List Price: $1500 Your Price: $995

CCIE Security Workbooks Bundle

This bundle is the best solutions for students who want to get as much hands-on practice in Network Security as they need to pass the CCIE Security exam.

CCIE Security Volume I Lab Workbook (Electronic) + CCIE Security Volume II Lab Workbook (Electronic) List Price: $590 Your Price: $495

Sample Advanced Technology Labs

Want to get a feeling of the product before buying it? No problems! We provide you with absolutely free sample lab from our workbook. This is a full-scale scenario that will give you better understanding of how good our product really is. Please use the links below to access the sample lab components:

• CCIE Security Workbook Volume I Sample Lab

You may also want to rent some rack time from our preferred rack rental partner GradedLabs LLC to give this sample scenario a try.