MAS, posted June 13, 2023 (edited June 13, 2023 by MAS):
Sharing with you guys the CCIE Security v6 workbook with Design 1.0. I am not a reseller; I passed my exam using them (Design 1 and Lab 1) in Dubai. You can also practice the workbook with the EVE topology. Don't ask me for Design 2.0 and doo 2.0, which I don't have. Credit goes to the original owner of the content.
(hidden content, sign in or sign up to view)
darkiori, posted June 15, 2023: thanks
Sarilove, posted June 18, 2023: Thanks
freebsd321, posted June 20, 2023: Thanks
certcommie, posted June 21, 2023:
OMG, clientless is still there... The old Cisco habit of testing on stuff which is not on the blueprint still lives.
maxdieng, posted June 21, 2023: hello
Mansu, posted June 21, 2023:
Unable to upload to EVE-NG [Error: - Imported file must be a zip file ] 😌
MAS (author), posted June 21, 2023:
36 minutes ago, Mansu said: unable to upload to eve-ng [Error: - Imported file must be a zip file ]
(hidden content, sign in or sign up to view)
MAS (author), posted June 21, 2023:
A fellow friend of mine passed recently using the same lab and design in Singapore; please avail this time as soon as possible if you want to have your number.
Mansu, posted June 21, 2023:
@MAS thank you for your prompt response. I have uploaded it to EVE-NG and it's working fine. Some devices are not showing the preconfiguration [ASA and ASAv]. Do you have any preconfiguration files?
takak, posted June 22, 2023: thx
MAS (author), posted June 22, 2023:
11 hours ago, Mansu said: @MAS thank you for your prompt response. I have uploaded it to EVE-NG and it's working fine. Some devices are not showing the preconfiguration [ASA and ASAv]. Do you have any preconfiguration files?
These devices you have to configure yourself from scratch; even in the exam you have to do those tasks as per the workbook from scratch.
Puran, posted June 26, 2023: thanks
regelneef86, posted June 28, 2023: thnx
certcommie, posted July 3, 2023:
Some solutions are wrong. E.g. Task 1.2: it clearly speaks of a DACL on ISE, not the VPN filter. Also, with this configuration, nothing prevents a Sales user from using the Marketing tunnel-group, and vice versa. Although the two are basically the same, who knows how it will be graded. Technically one can use just a single tunnel-group with two group policies dynamically assigned from ISE, but for time saving one would probably use the ASDM wizard, which makes it quicker with two different tunnel groups; in this case I would go with group-lock on the respective policies. In the AuthC/AuthZ policy there is no need to match on the device IP address; one can simply match on the device name - a time saver. Also, I'm not sure why they disable profiling and password policies on ISE; typically Cisco does not like it when you disable something while not told to. Regarding the identity matching, the setup looks weird. What I would expect are pre-configured identity groups in AD and ISE (or at least in ISE), with subsequent matching on those groups in the AuthZ policy. If there are none (like in the workbook), and you match on individual usernames (which you created yourself), I wonder how it's gonna be checked for grading 🤔
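An ASA configuration sketch of the group-lock approach the post above recommends, added here as an example; it is not from the workbook or from anyone in the thread, and the group-policy, tunnel-group, alias and AAA server-group names are assumed:

```cisco
! Added example (assumed names). Two tunnel-groups, each with its own
! default group policy; group-lock ties a policy to one tunnel-group, so a
! user whose ISE authorization returns GP_SALES is rejected if they connect
! through the Marketing tunnel-group (and vice versa).
group-policy GP_SALES internal
group-policy GP_SALES attributes
 vpn-tunnel-protocol ssl-client
 group-lock value TG_SALES
group-policy GP_MARKETING internal
group-policy GP_MARKETING attributes
 vpn-tunnel-protocol ssl-client
 group-lock value TG_MARKETING
!
tunnel-group TG_SALES type remote-access
tunnel-group TG_SALES general-attributes
 authentication-server-group ISE_RADIUS
 default-group-policy GP_SALES
tunnel-group TG_SALES webvpn-attributes
 group-alias Sales enable
!
tunnel-group TG_MARKETING type remote-access
tunnel-group TG_MARKETING general-attributes
 authentication-server-group ISE_RADIUS
 default-group-policy GP_MARKETING
tunnel-group TG_MARKETING webvpn-attributes
 group-alias Marketing enable
!
! Verification: the policy applied to a session shows in
! show vpn-sessiondb anyconnect filter name <user>
```

If ISE also returns the group policy dynamically (RADIUS Class attribute), the lock is still enforced against whichever tunnel-group the user actually connected through.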
MAS (author), posted July 3, 2023:
1 hour ago, certcommie said: Some solutions are wrong. E.g. Task 1.2, it clearly speaks of DACL on ISE, not the VPN filter. [...]
Yes, the DACL should be pushed from ISE for the Sales and Finance users, and AuthZ including the group policy name; this is how I do it. I did use ASDM and it did not take much time for me. Regarding the disabled profiling, I did that too; although it did not make any sense, the vendor said just follow the workbook. For identities we have to configure all of them in ISE; ISE we have to do all from scratch basically.
certcommie, posted July 3, 2023:
1 hour ago, MAS said: for identities we have to configure in ise all of them, ise we have to all from scratch basically.
Well, if the requirements say so, then of course that explains it.
Task 4.6. The solution is incomplete: configuring the mitigation action in Stealthwatch will just trigger installation of a Null0 route on the router, but that would not in any way "throttle" ICMP requests. The client will cease to receive ICMP replies from the server, but the requests will still reach the server. To complete the task requirements, one should combine this with uRPF on the ingress of the router.
Some time savers:
- In the Stealthwatch policy, it's not needed to add the Sales server in there, because CI is for source, not for destination (TI is for destination).
- No need to create a custom flow record; the default NetFlow IPv4 output would work fine.
- No need for IPFIX probably; the default of v9 should be fine.
Also, it's strange that the workbook shows installation of the Null0 route right after several pings from the client side. The way it works is this: when the source begins excessively pinging, the ICMP Flood security event is triggered and it contributes to CI and the High CI category event. But the default configuration of the ICMP Flood security event has quite high thresholds which would not be exceeded by just pinging once a second. At least in Stealthwatch 7 it is thus; don't know about version 6. So to observe the Null0 route installation one would have to tune the ICMP Flood security event with a low threshold specifically for this policy. This does not seem to be required by the task, but just for a note. What's also strange, task 1.2 seems to altogether prohibit ICMP from the client PC to the Sales server (only TCP 8080 should be allowed), so the whole of 4.6 appears pointless in this light.
In the workbook, they add an additional entry to the VPN filter (the DACL-to-be) permitting ICMP to the server, but that does not agree with the task 1.2 requirements.
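The Null0-plus-uRPF combination from the post above as a router configuration, added here as an example that is not from the workbook or the thread; the interface, the client address and the verification commands are assumptions:

```cisco
! Added example (assumed interface and address). The Stealthwatch mitigation
! only installs the host route to Null0, which removes the router's return
! path to the client: replies are dropped, but ICMP requests still reach the
! server. Loose-mode uRPF on the client-facing ingress interface makes that
! same Null0 route also drop packets *sourced* from the black-holed client.
!
! Host route as pushed by the mitigation action (assumed client 10.1.1.50)
ip route 10.1.1.50 255.255.255.255 Null0
!
interface GigabitEthernet0/1
 description ingress from client segment (assumed)
 ip verify unicast source reachable-via any
!
! Verification (after a few pings from the client):
! show ip interface GigabitEthernet0/1 | include verify
! show ip traffic | include RPF
```

The second verification line counts uRPF drops in the IP statistics, which is the quickest way to confirm the requests are now being dropped on ingress rather than reaching the server.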
reza1234, posted July 4, 2023: thanks
certcommie, posted July 4, 2023:
The solution for Task 4.8 is, I think, wrong: SMC does not integrate with FMC via pxGrid. Answer D should be picked instead of this wrong answer, in my opinion. It looks like 4.8 and 4.9 both address the same scenario, so answers about the SMC/NetFlow part are just expected in Task 4.9.
certcommie, posted July 5, 2023:
The solution for 4.2 is wrong. The task says that the policy must allow access only to a single webpage. However, if one creates the URL category as shown in the workbook (matching on the site domain name), it would basically allow all URLs on that site. Instead, one should use the regex section to specify the exact URL. And after that, two important changes need to be done. Firstly, simply adding this custom category on top of all other categories in the access policy will not prevent the user from accessing other pages, because they will not match the regex and will just fall under some other category or under uncategorized. So in addition to allowing this custom category, one should block all pre-defined categories and also block uncategorized. Secondly, the category should not be included in the identification profile. Otherwise, if the user tries any other page, this action would not hit the custom identification profile and the traffic would thus be allowed based on the default access policy, which again violates the task requirement. But I see no point in including the category and port number in the identification profile anyway. The former will in any case be processed via the custom access policy selected for the identification profile, and ports other than 80 just won't be redirected by the router to begin with.
NGFWSKM, posted July 6, 2023: Thanks
certcommie, posted July 7, 2023 (edited July 7, 2023 by certcommie):
About the Design solutions, some of those are also suspicious.
Q7. In the Cisco SAFE guides, Web Security is considered to protect the network attack surface. However, here it is mapped to the application attack surface. Also, AVC should be mapped to the application attack surface.
Q13. It's not clear whether each product may be used only once or multiple times. If once, then I would go with the suggested answers, but if products can be matched to multiple surfaces then ISE is definitely a candidate for all three of them, and I would also add AMP to the network surface to respect AMP for Networks.
Q18. I would answer 5525, not 5516, because 5516 would not handle a multiprotocol throughput of 1 Gbps. The question seems to suggest multiprotocol load.