[Offer] CCIE Security v6.0 Workbook (Design1.0 and DOO 1.0) Complete.


MAS

11 hours ago, Mansu said:

@MAS thank you for your prompt response. I have uploaded it to EVE-NG and it's working fine.

Also, some devices are not showing the preconfiguration [ASA and ASAv]; do you have any preconfiguration files?

These devices you have to configure yourself from scratch; even in the exam you have to do those tasks as per the workbook from scratch.


Some solutions are wrong.

E.g. Task 1.2, it clearly speaks of DACL on ISE, not the VPN filter.

Also, with this configuration, nothing prevents a Sales user from using the Marketing tunnel-group, and vice versa. Although the two are basically the same, who knows how it will be graded. Technically one can use just a single tunnel-group with two group policies dynamically assigned from ISE, but for time saving one would probably use the ASDM wizard, which makes it quicker with two different tunnel groups; in this case I would go with group-lock on the respective policies.

In AuthC/AuthZ policy, no need to match on the device IP address, one can match simply on the device name - a time saver.

Also, I'm not sure why they disable profiling and password policies on ISE, typically Cisco does not like when you disable something while not told to.

Regarding the identity matching, the setup looks weird. What I would expect are pre-configured identity groups in AD and ISE (or at least in ISE), with subsequent matching on those groups in AuthZ policy. If there are none (like in the workbook), and you match on individual username (which you created yourself), I wonder how it's gonna be checked for grading 🤔

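As an added illustration of the group-lock approach described in the post above (example configuration written for this page, not taken from the workbook or from the poster; the tunnel-group, group-policy and AAA server-group names are assumed):

```cisco
! Hypothetical object names (constructed for this example): SALES_TG / MARKETING_TG,
! SALES_GP / MARKETING_GP, and a RADIUS server-group ISE_RADIUS pointing at ISE.
!
! ISE returns the group policy per user with the RADIUS Class attribute
! (value "OU=SALES_GP" or "OU=MARKETING_GP") and pushes the per-user dACL.
! Without group-lock, a Sales user who picks the Marketing alias is still placed
! into SALES_GP and the login succeeds; group-lock turns that mismatch into a
! hard failure, so each user can only use the tunnel-group meant for them.
!
group-policy SALES_GP internal
group-policy SALES_GP attributes
 vpn-tunnel-protocol ssl-client
 group-lock value SALES_TG
!
group-policy MARKETING_GP internal
group-policy MARKETING_GP attributes
 vpn-tunnel-protocol ssl-client
 group-lock value MARKETING_TG
!
tunnel-group SALES_TG type remote-access
tunnel-group SALES_TG general-attributes
 authentication-server-group ISE_RADIUS
 default-group-policy SALES_GP
tunnel-group SALES_TG webvpn-attributes
 group-alias Sales enable
!
tunnel-group MARKETING_TG type remote-access
tunnel-group MARKETING_TG general-attributes
 authentication-server-group ISE_RADIUS
 default-group-policy MARKETING_GP
tunnel-group MARKETING_TG webvpn-attributes
 group-alias Marketing enable
!
webvpn
 tunnel-group-list enable
!
! Check after a test login (show command, not configuration):
! show vpn-sessiondb anyconnect filter name <username>
!   -> the Group Policy and Tunnel Group columns must agree for the user;
!      a Sales user connecting through the Marketing alias should be refused.
```

The group-lock lives on the group policy, so it works both with two tunnel-groups (as the ASDM wizard builds them) and with a single tunnel-group whose group policy is chosen by ISE; in the single-tunnel-group case the lock simply points at that one tunnel-group and the dACL from ISE carries the per-role restrictions.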

1 hour ago, certcommie said:

Some solutions are wrong.

E.g. Task 1.2, it clearly speaks of DACL on ISE, not the VPN filter.

Also, with this configuration, nothing prevents a Sales user from using the Marketing tunnel-group, and vice versa. Although the two are basically the same, who knows how it will be graded. Technically one can use just a single tunnel-group with two group policies dynamically assigned from ISE, but for time saving one would probably use the ASDM wizard, which makes it quicker with two different tunnel groups; in this case I would go with group-lock on the respective policies.

In AuthC/AuthZ policy, no need to match on the device IP address, one can match simply on the device name - a time saver.

Also, I'm not sure why they disable profiling and password policies on ISE, typically Cisco does not like when you disable something while not told to.

Regarding the identity matching, the setup looks weird. What I would expect are pre-configured identity groups in AD and ISE (or at least in ISE), with subsequent matching on those groups in AuthZ policy. If there are none (like in the workbook), and you match on individual username (which you created yourself), I wonder how it's gonna be checked for grading 🤔

Yes, the DACL should be pushed from ISE for the Sales and Finance users, and AuthZ including the group policy name; this is how I do it.

I did use ASDM and it did not take much time for me.

Regarding the profiling being disabled, I did that too; although it did not make any sense, the vendor said just follow the workbook.

For identities we have to configure all of them in ISE; ISE we have to do all from scratch basically.


1 hour ago, MAS said:

For identities we have to configure all of them in ISE; ISE we have to do all from scratch basically.

Well if the requirements say so, then of course that explains.

Task 4.6. The solution is incomplete: configuring a mitigation action in Stealthwatch will just trigger installation of a Null0 route on the router, but that would not in any way "throttle" ICMP requests. The client will cease to receive ICMP replies from the server, but the requests will still reach the server. To complete the task requirements, one should combine this with uRPF on the ingress of the router.

+ some time savers:
- In the Stealthwatch policy, it's not needed to add the Sales server in there, because CI is for source, not for destination (TI is for destination).
- no need to create a custom flow record, default netflow ipv4 output would work fine
- no need for IPFIX probably, the default of v9 should be fine

Also, it's strange that the workbook shows installation of Null0 route right after several pings from the client side. The way how it works is this: when the source begins excessively pinging, the ICMP Flood security event is triggered and it contributes to CI and the High CI category event. But the default configuration of ICMP Flood security event has quite high thresholds which would not be exceeded by just pinging once a second. At least in Stealthwatch 7 it is thus, don't know about version 6. So to observe the Null0 route installation one would have to tune the ICMP Flood security event with low threshold specifically for this policy. This does not seem to be required by the task, but just for a note.

What's also strange, task 1.2 seems to altogether prohibit ICMP from the client PC to the sales server (only TCP 8080 should be allowed), so the whole 4.6 appears pointless in this light. In the workbook, they add the additional entry to the VPN filter (the DACL-to-be) permitting ICMP to the server, but that does not agree with the task 1.2 requirements.

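To make the Null0-plus-uRPF point above concrete, here is an added example router configuration (written for this page, not part of the workbook or the post; the addresses and interface name are constructed):

```cisco
! Constructed addresses for this example: client 10.1.1.50 on the client-facing
! interface, server 10.2.2.10 behind the router.
!
! 1) Destination-based drop, which is what the Stealthwatch mitigation action
!    installs on the router: replies from the server toward the client are
!    discarded, but packets from the client toward the server are still forwarded.
ip route 10.1.1.50 255.255.255.255 Null0
!
! 2) uRPF on the client-facing ingress interface. The reverse-path check looks up
!    the packet's *source* address; because that lookup now resolves to Null0,
!    the check fails and the client's requests are dropped on ingress, so they
!    no longer reach the server. Loose mode ("any") is enough for this; strict
!    mode ("rx") also drops them, since Null0 is not the receiving interface.
interface GigabitEthernet0/0
 description client-facing ingress
 ip address 10.1.1.1 255.255.255.0
 ip verify unicast source reachable-via any
!
! Checks (show commands, not configuration):
! show ip route 10.1.1.50                              -> route via Null0 present
! show ip interface GigabitEthernet0/0 | include verify -> uRPF enabled on the interface
! show ip traffic | include RPF                         -> RPF drop counter rises during the flood
```

The Null0 route alone protects nothing on the server side; it is the uRPF check that turns the same route into a source-based drop, which is why the two belong together for this task.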

Solution for Task 4.8 is I think wrong, SMC does not integrate with FMC via pxGrid. Answer D should be picked instead of this wrong answer, in my opinion. It looks like 4.8 and 4.9 both address the same scenario, so answers about the SMC/Netflow part are just expected in Task 4.9.


Solution for 4.2 is wrong. The task says that the policy must allow access only to a single webpage. However, if one creates the URL category as shown in the workbook (matching on the site domain name) it would basically allow all URLs on that site. Instead, one should use the regex section to specify the exact URL.

And after that, two important changes need to be done.

Firstly, simply adding this custom category on top of all other categories in the access policy will not prevent the user from accessing other pages, because they will not match the regex and will just fall under some other category or under uncategorized. So in addition to allowing this custom category, one should block all pre-defined categories and also block uncategorized.

Secondly, the category should not be included in the identification profile. Otherwise, if the user tries any other page, this action would not hit the custom identification profile and the traffic will thus be allowed based on the default access policy, which again violates the task requirement.

But I see no point in including category and port number in the identification profile anyways. The former will be in any case processed via the custom access policy selected for the identification profile, and ports other than 80 just won't be redirected by the router, to begin with.


About the Design solutions, some of those are also suspicious.

Q7. In Cisco SAFE guides, Web Security is considered to protect the network attack surface. However, here it is mapped to the application attack surface. Also, AVC should be mapped to the application attack surface.

Q13. It's not clear whether each product may be used only once or multiple times. If once, then I would go with the suggested answers, but if products can be matched to multiple surfaces then ISE is definitely a candidate for all three of them, and I would also add AMP to the network surface to respect AMP for Networks.

Q18. I would answer 5525, not 5516, because 5516 would not handle a multiprotocol throughput of 1Gbps. The question seems to suggest multiprotocol load.

Edited by certcommie
