Checklist
Expansion of the Security Lab v4.0 Exam Topics
Detailed Checklist of Topics to Be Covered
Please be advised that this topic checklist is not an all-inclusive list of Cisco CCIE Security lab exam subjects. Instead, we provide this outline as a supplement to the existing lab blueprint to help candidates prepare for their lab exams. Other relevant or related topics may also appear in the actual lab exam.
We would like to get your feedback; please comment on and/or rate this document.
Spoofing, MAC Spoofing, ARP Snooping, Fragment Attack, Smurf Attack, TCP SYN Attack
Understanding and Interpreting ARP Header Structure
Understanding and Interpreting IP Header Structure
Understanding and Interpreting TCP Header Structure
Understanding and Interpreting UDP Header Structure
Understanding and Interpreting HTTP Header Structure
Understanding and Interpreting ICMP Header structure
Understanding and Interpreting ICMP Type Name and Codes
Understanding and Interpreting Syslog Messages
Understanding and Interpreting Packet Capture Outputs (Sniffer, Ethereal, Wireshark, TCPDump)
Understanding Different Types of Attack Vectors
Interpreting Various show and debug Outputs
Classifying Attack Patterns Using FPM
Memorizing Common Protocol and Port Numbers
Preventing an ICMP Attack Using ACLs
Preventing an ICMP Attack Using NBAR
Preventing an ICMP Attack Using Policing
Preventing an ICMP Attack Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance
Preventing a SYN Attack Using ACLs
Preventing a SYN Attack Using NBAR
Preventing a SYN Attack Using Policing
Preventing a SYN Attack Using CBAC
Preventing a SYN Attack Using CAR
Preventing a SYN Attack Using a TCP Intercept
Preventing a SYN Attack Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance
Preventing Application Protocol-Specific Attacks Using FPM (e.g., HTTP, SMTP)
Preventing Application Protocol-Specific Attacks Using NBAR (e.g., HTTP, SMTP)
Preventing Application Protocol-Specific Attacks Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance (e.g., HTTP, SMTP)
Preventing IP Spoofing Attacks Using Antispoofing ACLs
Preventing IP Spoofing Attacks Using uRPF
Preventing IP Spoofing Attacks Using IP Source Guard
Preventing Fragment Attacks Using ACLs
Identity Management
User-Based Firewall
Secure-Group Firewall
Transparent Cisco IOS Firewall (Layer 2)
Context-Based Access Control (CBAC)
Proxy Authentication (Auth Proxy)
Port-to-Application Mapping (PAM) Usage with ACLs
Use of PAM to Change System Default Ports
PAM Custom Ports for Specific Applications
Mapping Nonstandard Ports to Standard Applications
Performance Tuning
Tuning Half-Open Connections
Understanding and Interpreting the show ip port-map Commands
Understanding and Interpreting the show ip inspect Commands
Understanding and Interpreting the debug ip inspect Commands
Understanding and Interpreting the show zone|zone-pair Commands
Understanding and Interpreting the debug zone Commands
Cisco IOS Services
Marking Packets Using DSCP and IP Precedence and Other Values
Unicast RPF (uRPF) With or Without an ACL (Strict and Loose Mode)
RTBH Filtering (Remote Triggered Black Hole)
Basic Traffic Filtering Using Access Lists: SYN Flags, Established, etc. (Named vs. Numbered ACLs)
Managing Time-Based Access Lists
Enabling NAT and PAT on a Router
Conditional NAT on a Router
Multihome NAT on a Router
CAR Rate Limiting with Traffic Classification Using ACLs
PBR (Policy-Based Routing) and Use of Route Maps
Traffic Policing on a Router
Traffic Characterization
Packet Classification
Packet-Marking Techniques
Understanding Cryptographic Protocols (ISAKMP, IKEv1 and IKEv2, ESP, Authentication Header, CA)
IPsec VPN Architecture on Cisco IOS Software and Cisco ASA Security Appliance
Configuring VPNs Using ISAKMP Profiles
Configuring VPNs Using IPsec Profiles
GRE over IPsec Using IPsec Profiles
Router-to-Router Site-to-Site IPsec Using the Classical Command Set (Using Preshared Keys and Certificates)
Router-to-Router Site-to-Site IPsec Using the New VTI Command Set (Using Preshared Keys and Certificates)
Router-to-ASA Site-to-Site IPsec (Using Preshared Keys and Certificates)
Understanding DMVPN architecture (NHRP, mGRE, IPsec, Routing)
DMVPN Using NHRP and mGRE (Hub-and-Spoke)
DMVPN Using NHRP and mGRE (Full-Mesh)
DMVPN Through Firewalls and NAT Devices
Understanding GETVPN Architecture (GDOI, Key Server, Group Member, Header Preservation, Policy, Rekey, KEK, TEK, and COOP)
Implementing GETVPN (Using Preshared Keys and Certificates)
GETVPN Unicast Rekey
GETVPN Multicast Rekey
GETVPN Group Member Authorization List
GETVPN Key Server Redundancy
GETVPN Through Firewalls and NAT Devices
Integrating GET VPN with a DMVPN Solution
Basic VRF-Aware IPsec
Enabling the CA (PKI) Server (on the Router and Cisco ASA Security Appliance)
CA Enrollment Process on a Router Client
CA Enrollment Process on a Cisco ASA Security Appliance Client
CA Enrollment Process on a PC Client
Clientless SSL VPN (Cisco IOS WebVPN) on the Cisco ASA Security Appliance (URLs)
AnyConnect VPN Client on Cisco IOS Software
AnyConnect VPN Client on the Cisco ASA Security Appliance
Remote Access Using a Traditional Cisco VPN Client on a Cisco IOS Router
Remote Access Using a Traditional Cisco VPN Client on a Cisco ASA Security Appliance
Cisco Easy VPN Router Server and Router Client (Using DVTI)
Cisco Easy VPN Router Server and Router Client (Using Classical Style)
Cisco Easy VPN Cisco ASA Server and Router Client
Cisco Easy VPN Remote Connection Modes (Client, Network, Network+)
Enabling Extended Authentication (XAUTH) on Cisco IOS Software and the Cisco ASA Security Appliance
Enabling Split Tunneling on Cisco IOS Software and the Cisco ASA Security Appliance
Enabling Reverse Route Injection (RRI) on Cisco IOS Software and the Cisco ASA Security Appliance
Enabling NAT-T on Cisco IOS Software and the Cisco ASA Security Appliance
High-Availability Stateful Failover for IPsec with Stateful Switchover (SSO) and Hot Standby Router Protocol (HSRP)
High Availability Using Link Resiliency (with Loopback Interface for Peering)
High Availability Using HSRP and RRI
High Availability Using IPsec Backup Peers
High Availability Using GRE over IPsec (Dynamic Routing)
Basic QoS Features for VPN Traffic on Cisco IOS Software and the Cisco ASA Security Appliance
Identifying Injected Errors in Troubleshooting Scenarios (for Site-to-Site, DMVPN, GET VPN, and Cisco Easy VPN)
Understanding and Interpreting the show crypto Commands
Understanding and Interpreting the debug crypto Commands
AnyConnect VPN, Including DAP Support
MACsec (Switch-to-Switch, Host-to-Switch)
Wireless Security on AP and WLC
EAP methods
WPA/WPA2
WIPS