[Link] Final Release D2.1:01-SEP-2018
Diagnostics Lab
D 2.1
Real Labs
v5
Pass Security Labs Policies:
1. We highly discourage sharing of the workbook, so each workbook is mapped to a laptop/desktop MAC address. If one tries to open the workbook on a desktop or laptop other than the one with the registered MAC address, the account will get locked and we will not unlock it for any reason.
2. The workbook does not have print access; kindly do not request that print access be enabled.
3. One will be provided with free updates for up to 90 days from the date of purchase; after that, one needs to renew his/her account to access the latest update. After 90 days the workbooks will cease to open.
4. If one wishes to renew their subscription/account, one needs to renew within 90 days or before the account expires. After 90 days one can renew the account, however the renewal will be considered as a new purchase. Hence we encourage one to renew within 90 days of the purchase.
5. The renewal cost is 1999 USD if one pays within 90 days; if one fails to renew, the cost will be equivalent to that of a new purchase. (The renewal price can be changed at any time, without informing the client.)
6. Every workbook is uniquely identified for each user with hidden words. If one shares his/her workbooks with others, and if the system detects the share, the account will be banned and we will not entertain any explanation of any sort.
7. For any queries regarding Questions/Solutions, you can contact us by email at support@[Link] or on Skype at cciesecuritylabs. Response time to any of the queries is 24 hours.
8. We require a CSCO ID, CCIE number and official email id for security purposes. One should have passed the CCIE written exam, and the CCIE lab should be booked within 90 days. We do not sell without these details. We do background verification of the details provided, so we request that you give us the correct CSCO ID and official email id.
9. The workbooks are in secured PDF format and delivered via email.
10. A license is provided for only one device, and we do not give the license again if the device crashes or because of company security policies. Please install the license on the device cautiously, as the license will not be provided again.
11. We support only devices running Windows OS, Mac OS, Android and Mac iOS.
12. We do not provide a refund in any circumstances once the product is sold.
13. This policy is in effect from 23 November 2016 and in immediate effect for new clients and new renewals. Old clients will continue with the old policies until their accounts expire.
14. If there is any update, one will receive the update automatically at their registered email id.
15. For any future update you can check our update page on [Link]
Diagnostic Guideline
1. In total, you have 10 questions that relate to support ticket scenarios.
2. You must diagnose the problem and answer the questions.
3. You have a fixed time of 60 minutes (one hour) to complete this section.
4. Carefully read the incident stem and the question before selecting your answers.
o For each incident, read the question, email exchange and the provided resources to identify the issue.
5. Select the answers that fulfill the requirements that are described for each incident.
6. All questions are independent of each other. In other words, the resolution of one question does not depend on the resolution of any other question.
7. Each question is worth one point.
Note:
The final score of this section is combined with the Troubleshooting and the Configuration sections to comprise your final Pass or Fail status on the CCIE Security Lab exam.
The candidate is required to achieve a minimum score in all three sections of the lab exam as well as a minimum overall score (the sum of all three section scores) in order to pass the CCIE Security certification.
Tips and Tricks
Use the web interface features in order to minimize scrolling when browsing between the resources provided.
o The left menu is always visible and provides one-click access to any resource.
o Open resources either in a popup or inline on the main web page.
Answers are automatically recorded even if the final submit button was not hit on time.
Carefully read the stem and all the question options before going through the resources provided.
Understand the problems asked.
There is only one possible solution.
Task Number 1:
A support engineer from Meezam Inc. opened a case with Cisco TAC reporting that one of the PCs, 'MAB_PC', is not being allowed network resources.
Select an answer:
o Incorrect network device group configuration on ISE
o Authorization policy needs to be corrected on ISE for the MAB Rule
o Radius packet from SW2 has been sourced from an incorrect interface
o Authentication policy needs to be corrected on ISE for the MAB Rule
o There is an issue with aaa login authentication method configuration on SW2
o Authorization condition needs to be corrected on ISE for the MAB session
o SW2 port is incorrectly configured for MAB
o ISE has the incorrect key for the network device
Answer: A
Task Number 2:
A support engineer from Sunshine Inc. opened a case with Cisco TAC reporting the issue
with employee profile has network connectivity
Select an answer:
o Authentication condition needs to be corrected on ISE for the Dot1x session
o The ISE has incorrect network device address
o Authorization condition needs to be corrected on ISE for the Dot1x session
o Sw1 is pointing to incorrect ISE server for Dot1x session authentication
o Incorrect user group configuration on ISE
o Issue with aaa network authorization method configuration on Sw1
o Sw1 port is incorrectly configured for Dot1x
o Authorization policy needs to be corrected on ISE for the Dot1x session
Answer: E
Task Number 3:
A support engineer from Mezrak Inc. opened a case with Cisco TAC reporting that the user's contractor profile has a network connectivity issue.
Select an answer:
o ISE unable to communicate with Active Directory server
o Incorrect network device group configuration
o There is an issue with CoA configuration on Sw2
o Sw2 port is incorrectly configured for MAB authentication
o There is an issue with CoA configuration on ISE
o Radius packet has been sourced from an incorrect interface on Sw2
o Issue with AD group mapping on ISE
o Issue with MAB authorization result configuration on ISE
Answer: B
Task Number 4:
A support engineer from Mezrak Inc. opened a case with Cisco TAC about a site-to-site IPsec VPN failure using FTDs.
Select an answer:
o FMC 6.2 does not support point-to-point VPN tunnel
o FTD2 VPN policy is incorrect
o Issue with FTDs network zones configuration
o R4 is missing static routes for VPN tunnel establishment
o FTD1 policy is not consistent with the topology
o FTD2 interface configuration is not consistent with the topology
o Issue with FMC licensing
o FTD1 outside object is incorrectly configured
Answer: F
Task Number 5:
A support engineer from TransienNet Limited opened a case with Cisco TAC complaining that FMC is not able to see the scanned events from an end host protected by the FireAMP connector.
Select an answer:
o Incorrect export group mapping on the Cloud for FMC
o DNS is incorrectly configured for the cloud "Defense Center Link" resolution
o FMC should be manually configured for time and NTP should not be used
o Probable issue with sliding windows time range for AMP events analysis on FMC
o Cloud and FMC should not be doing lookups using same DNS
o Cloud has an incorrect next-hop
o Time synchronization issue with the NTP server on Cloud
o Cloud is disabled under FMC AMP management
o FMC 6.2 is pointing to the incorrect DNS
o FMC is pointing to a wrong default-gateway for cloud reachability
Answer: F
Task Number 6:
A support engineer from Supplychane Limited opened a case with Cisco TAC complaining of being unable to add a device into DNA Center (DNAC) from network orchestration.
Select an answer:
o Incorrect protocol used on DNAC to communicate with Sw1_V
o RO community string mismatch when adding device to DNAC
o Incorrect enable password used when adding device to DNAC
o Write community string missing when adding device to DNAC
o Incorrect VTY password entered when adding device to DNAC
o Sw1_V interface to reach DNAC is down
o Sw1_V should disable NTP
o Sw1_V not set up for RO community string
o SNMP version mismatch between DNAC and Sw1_V
o VTY line missing authentication method
Answer: E
Task Number 7:
A support engineer from Cosmos Inc. opened a case with Cisco TAC complaining that a Python script is failing to retrieve the network devices list from the Cisco DNA Center inventory.
Select an answer:
o Management PC cannot reach DNAC
o DNAC is blocking HTTPS access
o Script is not referencing IP address of network devices
o Script is calling incorrect API to retrieve device list from DNAC
o Script has incorrect DNAC login username
o Script has incorrect DNAC address
o Script has incorrect DNAC login password
o Script is not configured to use service ticket for DNAC login
o Script is not configured to use HTTPS for DNAC access
o DNAC does not support Python
Answer: E
Task Number 8:
A support engineer from Sunshine Inc. opened a case with Cisco TAC complaining that central WebAuth is broken from the suggest account.
Select an answer:
o ISE CoA authorization rule is incorrectly configured
o Sw2 is not able to communicate with ISE
o Incorrect ACL is pushed for the MAB authorization profile
o Switch redirect ACL is incorrectly configured
o Issue with CoA configuration on Sw2
o CWA authentication rule is pointing to incorrect database
o MAB is disabled on Sw2 authentication port
o Issue with CWA authorization policy set condition on ISE
o CWA authentication rule is incorrectly configured for supplicant MAC not found
o Sw2 belongs to incorrect device group in ISE
Answer: C
Task Number 9:
A support engineer from Meezan Inc. has opened a case with Cisco TAC complaining that AnyConnect ISE posture is broken.
Select an answer:
o Incorrect Redirect ACL configured on ASA1
o Incorrect provisioning portal URL
o HTTP server not enabled on ASA1
o HTTPS server not enabled on ASA1
o Posture profile missing on ASA1
o Redirect ACL not properly configured in posture authorization profile
o Incorrect address translation for ISE on ASA1
o No inside route on ASA1 for ISE
o Incorrect Posture policy set configuration
o Posture profile has an incorrect ISE pointer
o Issue with network device configuration on ISE
Answer: K
Task Number 10:
A support engineer from Meezan Inc. has opened a case with Cisco TAC complaining that device profiling is not working to deny authorization for a rogue MAC.
Select an answer:
o Authorization rule is incorrectly configured
o Matching identity group should be disabled for profile
o Authentication rule is incorrectly configured
o Profile is disabled
o Issue with network device configuration on Switch
o Access policy is incorrectly configured
o Profile policy rule is incorrectly configured
o Issue with authentication port configuration on Sw
o Logical profile incorrectly configured
o Issue with network device configuration on ISE
o Issue with profile rule certainty factor configuration
o Profiler policy is disabled
Answer: L