CCIE Security Lab Exam v4.

0 Checklist
Expansion of the Security Lab v4.0 Exam Topics
Detailed Checklist of Topics to Be Covered
Please be advised that this topic checklist is not an all-inclusive list of Cisco CCIE Security lab exam subjects. Instead, we
provide this outline as a supplement to the existing lab blueprint to help candidates prepare for their lab exams. Other
relevant or related topics may also appear in the actual lab exam.
We would like to get your feedback please comment and/or rate this document.

System Hardening and Availability

Implement, Optimize, Troubleshoot, IPv4/IPv6 Content

Understanding Four Types of Traffic Planes on a Cisco Router (Control, Management, Data, and
Services)
Understanding Control Plane Security Technologies and Core Concepts Covering Security
Features Available to Protect the Control Plane
Understanding Management Plane Security Technologies and Core Concepts Covering Security
Features Available to Protect the Management Plane
Configuring Control Plane Policing (CoPP)
Control Plane Rate Limiting
Disabling Unused Control Plane Services (IP Source Routing, Proxy ARP, Gratuitous ARP, etc.)
Disabling Unused Management Plane Services (Finger, BOOTP, DHCP, Cisco Discovery Protocol,
etc.)
MPP (Management Plane Protection) and Understanding OOB (Out-of-Band) Management
Interfaces
Configuring Routing Protocol Authentication
Route Filtering and Protocol-Specific Filters
ICMP Techniques to Reduce the Risk of ICMP-Related DoS Attacks (IP Unreachable, IP Redirect,
IP Mask Reply, etc.)
Selective Packet Discard (SPD)
MQC and FPM Types of Service Policy on the CoPP Interface
Broadcast Control on a Switch
Catalyst Switch Port Security
IPv6 Selective Packet Discard
Cisco IOS Software-Based CPU Protection Mechanisms (Options Drop, Logging Interval, CPU
Threshold)
The Generalized TTL Security Mechanism Known as BGP TTL Security Hack (BTSH)
Device Access Control (vty ACL, HTTP ACL, SSH Access, Privilege Levels)
SNMP Security
System Banners

Secure Cisco IOS File Systems

Understanding and Enabling Syslog
NTP with Authentication
Role-Based CLI Views and Cisco Secure ACS Setup
Service Authentication on Cisco IOS Software (FTP, Telnet, HTTP)
Network Telemetry Identification and Classification of Security Events (IP Traffic Flow, NetFlow,
SNMP, Syslog, RMON)
2

Threat Identification and Mitigation

Implement, Optimize, Troubleshoot, IPv4/IPv6 Content

Implementing RFC 1918 Antispoofing Filtering
Implementing RFC 2827 Antispoofing Filtering
Implementing RFC 2401 Antispoofing Filtering
Enabling a TCP Intercept on a Router
Enabling a TCP Intercept on the Cisco ASA Security Appliance
FPM (Flexible Packet Matching) and Protocol Header Definition File (PHDF) Files and
Configuration of Nested Policy Maps
Classification Using NBAR
Understanding and Enabling NetFlow on a Router
Port Security on a Switch
Storm Control on a Switch
Private VLAN (PVLAN) on a Switch
Port Blocking on a Switch
Port ACL on a Switch
MAC ACL on a Switch
VLAN ACL on a Switch
Spanning Tree Protocol (STP) Protection Using BPDU Guard and Loop Guard on a Switch
DHCP Snooping on a Switch
IP Source Guard on a Switch
Dynamic ARP Inspection (DAI) on a Switch
SeND for ND Protection
IPv6 First Hop Security
Disabling DTP on All Nontrunking Access Ports
Concept of Proactive vs. Reactive Measures
Knowledge of Protocols: TCP, UDP, HTTP, SMTP, ICMP, FTP
Knowledge of Common Attacks: Network Reconnaissance, IP Spoofing, DHCP Snooping, DNS

Spoofing, MAC Spoofing, ARP Snooping, Fragment Attack, Smurf Attack, TCP SYN Attack
Understanding and Interpreting ARP Header Structure
Understanding and Interpreting IP Header Structure
Understanding and Interpreting TCP Header Structure
Understanding and Interpreting UDP Header Structure
Understanding and Interpreting HTTP Header Structure
Understanding and Interpreting ICMP Header structure
Understanding and Interpreting ICMP Type Name and Codes
Understanding and Interpreting Syslog Messages
Understanding and Interpreting Packet Capture Outputs (Sniffer, Ethereal, Wireshark, TCPDump)
Understanding Different Types of Attack Vectors
Interpreting Various show and debug Outputs
Classifying Attack Patterns Using FPM
Memorizing Common Protocol and Port Numbers
Preventing an ICMP Attack Using ACLs
Preventing an ICMP Attack Using NBAR
Preventing an ICMP Attack Using Policing
Preventing an ICMP Attack Using the Modular Policy Framework (MPF) on the Cisco ASA
Security Appliance
Preventing a SYN Attack Using ACLs
Preventing a SYN Attack Using NBAR
Preventing a SYN Attack Using Policing
Preventing a SYN Attack Using CBAC
Preventing a SYN Attack Using CAR
Preventing a SYN Attack Using a TCP Intercept
Preventing a SYN Attack Using the Modular Policy Framework (MPF) on the Cisco ASA Security
Appliance
Preventing Application ProtocolSpecific Attacks Using FPM (e.g., HTTP, SMTP)
Preventing Application ProtocolSpecific Attacks Using NBAR (e.g., HTTP, SMTP)
Preventing Application ProtocolSpecific Attacks Using the Modular Policy Framework (MPF) on
the Cisco ASA Security Appliance (e.g., HTTP, SMTP)
Preventing IP Spoofing Attacks Using Antispoofing ACLs
Preventing IP Spoofing Attacks Using uRPF
Preventing IP Spoofing Attacks Using IP Source Guard
Preventing Fragment Attacks Using ACLs

Preventing MAC Spoofing Attacks Using Port Security

Preventing ARP Spoofing Attacks Using DAI
Preventing VLAN Hopping Attacks Using the switchport mode access Command
Preventing STP Attacks Using the Root Guard or BPDU Guard
Preventing DHCP Spoofing Attacks Using Port Security
Preventing DHCP Spoofing Attacks Using DAI
Preventing Port Redirection Attacks Using ACLs
3

Intrusion Prevention and Content Security

Implement, Optimize, Troubleshoot, IPv4/IPv6 Content

Understanding Cisco IPS System Architecture (System Design, MainApp, SensorApp, EventStore)
Understanding Cisco IPS User Roles (Administrator, Operator, Viewer, Service)
Understanding Cisco IPS Command Modes (Privileged, Global, Service, Multi-Instance)
Understanding Cisco IPS Interfaces (Command and Control, Sensing, Alternate TCP Reset)
Understanding Promiscuous (IDS) vs. Inline (IPS) Monitoring
Initialization Basic Sensor (IP Address, Mask, Default Route, etc.)
Troubleshooting Basic Connectivity Issues
Managing Sensor ACLs
Allowing Services Ping and Telnet from/to Cisco IPS
Enabling Physical Interfaces
Promiscuous Mode
Inline Interface Mode
Inline VLAN Pair Mode
VLAN Group Mode
Inline Bypass Mode
Interface Notifications
Understanding the Analysis Engine
Creating Multiple Security Policies and Applying Them to Individual Virtual Sensors
Understanding and Configuring Virtual Sensors (vs0, vs1)
Assigning Interfaces to the Virtual Sensor
Understanding and Configuring Event Action Rules (rules0, rules1)
Understanding and Configuring Signatures (sig0, sig1)
Adding Signatures to Multiple Virtual Sensors
Understanding and Configuring Anomaly Detection (ad0, ad1)
Using the Cisco IDM (IPS Device Manager)

Using Cisco IDM Event Monitoring

Displaying Events Triggered Using the Cisco IPS Console
Troubleshooting Events Not Triggering
Displaying and Capturing Live Traffic on the Cisco IPS Console (Packet Display and Packet
Capture)
SPAN and RSPAN
Rate Limiting
Configuring Event Action Variables
Target Value Ratings
Event Action Overrides
Event Action Filters
Configuring General Settings
General Signature Parameters
Alert Frequency
Alert Severity
Event Counter
Signature Fidelity Rating
Signature Status
Assigning Actions to Signatures
AIC Signatures
IP Fragment Reassembly
TCP Stream Reassembly
IP Logging
Configuring SNMP
Signature Tuning (Severity Levels, Throttle Parameters, Event Actions)
Creating Custom Signatures (Using the CLI and Cisco IDM)
Understanding Various Types of Signature Engines
Understanding Various Types of Signature Variables
Understanding Various Types of Event Actions
Creating a Custom String TCP Signature
Creating a Custom Flood Engine Signature
Creating a Custom AIC MIME-Type Engine Signature
Creating a Custom Service HTTP Signature
Creating a Custom Service FTP Signature

Creating a Custom ATOMIC.ARP Engine Signature

Creating a Custom ATOMIC.IP Engine Signature
Creating a Custom TCP Sweep Signature
Creating a Custom ICMP Sweep Signature
Creating a Custom Trojan Engine Signature
Enabling Shunning and Blocking (Enabling Blocking Properties)
Enabling the TCP Reset Function
Configure Cisco Ironport WSA
Configuring WCCP
Active Dir Integration
Custom Categories
HTTPS Config
Services Configuration (Web Reputation)
Configuring Proxy By-pass Lists
Web proxy modes
Application visibility and control
4

Identity Management

Implement, Optimize, Troubleshoot, IPv4/IPv6 Content

Understanding the AAA Framework
Understanding the RADIUS Protocol
Understanding RADIUS Attributes (Cisco AV-PAIRS)
Understanding the TACACS+ Protocol
Understanding TACACS+ Attributes
Comparison of RADIUS and TACACS+
Configuring Basic LDAP Support
Overview of Cisco Secure ACS
How to Navigate Cisco Secure ACS
Cisco Secure ACS Network Settings Parameters
Cisco Secure ACS User Settings Parameters
Cisco Secure ACS Group Settings Parameters
Cisco Secure ACS Shared Profiles Components (802.1X, NAF, NAR, Command Author,
Downloadable ACL, etc.)
Cisco Secure ACS Shell Command Authorization Sets Using Both Per-Group Setup and Shared
Profiles
Cisco Secure ACS System Configuration Parameters

Enabling AAA on a Router for vty Lines

Enabling AAA on a Switch for vty Lines
Enabling AAA on a Router for HTTP
Enabling AAA on the Cisco ASA Security Appliance for Telnet and SSH Protocols
Using Default vs. Named Method Lists
Complex Command Authorization and Privilege Levels, and Relevant Cisco Secure ACS Profiles
Proxy Service Authentication and Authorization on the Cisco ASA Security Appliance for PassThrough Traffic (FTP, Telnet, and HTTP), and Relevant Cisco ISE Profiles\
Using Virtual Telnet on the Cisco ASA Security Appliance
Using Virtual HTTP on the Cisco ASA Security Appliance
Downloadable ACLs
AAA 802.1X Authentication Using RADIUS on a Switch
NAC-L2-802.1X on a Switch
NAC-L2-IP on a Switch
Troubleshooting Failed AAA Authentication or Authorization
Troubleshooting Using Cisco Secure ACS Logs
Cisco Identity Services Engine Configuration and initialization
ISE authZ result handling
ISE Profiling Configuration (Probes)
ISE Guest Services
ISE Posture Assessment
ISE Client Provisioning (CPP)
ISE Configuring AD Integration/Identity Sources
ISE support for 802.1x
ISE MAB support
ISE Web Auth support
ISE definition and support for VSAs
Support for MAB in Cisco IOS
Support for Web Auth in Cisco IOS
Using the test aaa Command on the Router, Switch, or Cisco ASA Security Appliance
Understanding and Interpreting the debug radius Command
Understanding and Interpreting the debug tacacs+ Command
Understanding and Interpreting the debug aaa authentication Command
Understanding and Interpreting the debug aaa authorization Command

Understanding and Interpreting the debug aaa accounting Command

5

Perimeter Security and Services

Implement, Optimize, Troubleshoot, IPv4/IPv6 Content

Initializing the Basic Cisco ASA Firewall (IP Address, Mask, Default Route, etc.)
Understanding Security Levels (Same Security Interface)
Understanding Single vs. Multimode
Understanding Firewall vs. Transparent Mode
Understanding Multiple Security Contexts
Understanding Shared Resources for Multiple Contexts
Understanding Packet Classification in Multiple-Contexts Mode
VLAN Subinterfaces Using 802.1Q Trunking
Multiple-Mode Firewall with Outside Access
Single-Mode Firewall Using the Same Security Level
Multiple-Mode, Transparent Firewall
Single-Mode, Transparent Firewall with NAT
ACLs in Transparent Firewall (for Pass-Through Traffic)
Understanding How Routing Behaves on the Adaptive Security Appliance (Egress and Next-Hop
Selection Process)
Understanding Static vs. Dynamic Routing
Static Routes
RIP with Authentication
OSPF with Authentication
EIGRP with Authentication
Managing Multiple Routing Instances
Redistribution Between Protocols
Route Summarization
Route Filtering
Static Route Tracking Using an SLA
Dual ISP Support Using Static Route Tracking
Redundant Interface Pair
LAN-Based Active/Standby Failover (Routed Mode)
LAN-Based Active/Active Failover (Routed Mode)
LAN-Based Active/Standby Failover (Transparent Mode)
LAN-Based Active/Active Failover (Transparent Mode)

Stateful Failover Link

Device Access Management
Enabling Telnet
Enabling SSH
The nat-control Command vs. no nat-control Command
Enabling Address Translation (NAT, Global, and Static) Pre & Post 8.4
NAT Objects
Context-Aware firewall
Identity Firewall
Using ASDM and Cisco Prime
Policy NAT
Destination NAT
Bypassing NAT When NAT Control Is Enabled Using Identity NAT
Bypassing NAT When NAT Control Is Enabled Using NAT Exemption
Port Redirection Using NAT
Tuning Default Connection Limits and Timeouts
Basic Interface Access Lists and Access Group (Inbound and Outbound)
Time-Based Access Lists
ICMP Commands
Enabling Syslog and Parameters
NTP with Authentication
Object Groups (Network, Protocol, ICMP, and Services)
Nested Object Groups
URL Filtering
Java Filtering
ActiveX Filtering
ARP Inspection
Modular Policy Framework (MPF)
Application-Aware Inspection
Identifying Injected Errors in Troubleshooting Scenarios
Understanding and Interpreting Adaptive Security Appliance show and debug Outputs
Understanding and Interpreting the packet-tracer and capture Commands
Cisco IOS Firewalls
Zone-Based Policy Firewall Using Multiple-Zone Scenarios

User-Based Firewall
Secure-Group Firewall
Transparent Cisco IOS Firewall (Layer 2)
Context-Based Access Control (CBAC)
Proxy Authentication (Auth Proxy)
Port-to-Application Mapping (PAM) Usage with ACLs
Use of PAM to Change System Default Ports
PAM Custom Ports for Specific Applications
Mapping Nonstandard Ports to Standard Applications
Performance Tuning
Tuning Half-Open Connections
Understanding and Interpreting the show ip port-map Commands
Understanding and Interpreting the show ip inspect Commands
Understanding and Interpreting the debug ip inspect Commands
Understanding and Interpreting the show zone|zone-pair Commands
Understanding and Interpreting the debug zone Commands
Cisco IOS Services
Marking Packets Using DSCP and IP Precedence and Other Values
Unicast RPF (uRPF) With or Without an ACL (Strict and Loose Mode)
RTBH Filtering (Remote Triggered Black Hole)
Basic Traffic Filtering Using Access Lists: SYN Flags, Established, etc. (Named vs. Numbered
ACLs)
Managing Time-Based Access Lists
Enabling NAT and PAT on a Router
Conditional NAT on a Router
Multihome NAT on a Router
CAR Rate Limiting with Traffic Classification Using ACLs
PBR (Policy-Based Routing) and Use of Route Maps
Traffic Policing on a Router
Traffic Characterization
Packet Classification
Packet-Marking Techniques
6

Confidentiality and Secure Access

Implement, Optimize, Troubleshoot, IPv4/IPv6 Content

Understanding Cryptographic Protocols (ISAKMP, IKEv1 and IKEv2, ESP, Authentication Header,
CA)
IPsec VPN Architecture on Cisco IOS Software and Cisco ASA Security Appliance
Configuring VPNs Using ISAKMP Profiles
Configuring VPNs Using IPsec Profiles
GRE over IPsec Using IPsec Profiles
Router-to-Router Site-to-Site IPsec Using the Classical Command Set (Using Preshared Keys and
Certificates)
Router-to-Router Site-to-Site IPsec Using the New VTI Command Set (Using Preshared Keys and
Certificates)
Router-to-ASA Site-to-Site IPsec (Using Preshared Keys and Certificates)
Understanding DMVPN architecture (NHRP, mGRE, IPsec, Routing)
DMVPN Using NHRP and mGRE (Hub-and-Spoke)
DMVPN Using NHRP and mGRE (Full-Mesh)
DMVPN Through Firewalls and NAT Devices
Understanding GETVPN Architecture (GDOI, Key Server, Group Member, Header Preservation,
Policy, Rekey, KEK, TEK, and COOP)
Implementing GETVPN (Using Preshared Keys and Certificates)
GETVPN Unicast Rekey
GETVPN Multicast Rekey
GETVPN Group Member Authorization List
GETVPN Key Server Redundancy
GETVPN Through Firewalls and NAT Devices
Integrating GET VPN with a DMVPN Solution
Basic VRF-Aware IPsec
Enabling the CA (PKI) Server (on the Router and Cisco ASA Security Appliance)
CA Enrollment Process on a Router Client
CA Enrollment Process on a Cisco ASA Security Appliance Client
CA Enrollment Process on a PC Client
Clientless SSL VPN (Cisco IOS WebVPN) on the Cisco ASA Security Appliance (URLs)
AnyConnect VPN Client on Cisco IOS Software
AnyConnect VPN Client on the Cisco ASA Security Appliance
Remote Access Using a Traditional Cisco VPN Client on a Cisco IOS Router
Remote Access Using a Traditional Cisco VPN Client on a Cisco ASA Security Appliance
Cisco Easy VPN Router Server and Router Client (Using DVTI)

Cisco Easy VPN Router Server and Router Client (Using Classical Style)
Cisco Easy VPN Cisco ASA Server and Router Client
Cisco Easy VPN Remote Connection Modes (Client, Network, Network+)
Enabling Extended Authentication (XAUTH) on Cisco IOS Software and the Cisco ASA Security
Appliance
Enabling Split Tunneling on Cisco IOS Software and the Cisco ASA Security Appliance
Enabling Reverse Route Injection (RRI) on Cisco IOS Software and the Cisco ASA Security
Appliance
Enabling NAT-T on Cisco IOS Software and the Cisco ASA Security Appliance
High-Availability Stateful Failover for IPsec with Stateful Switchover (SSO) and Hot Standby
Router Protocol (HSRP)
High Availability Using Link Resiliency (with Loopback Interface for Peering)
High Availability Using HSRP and RRI
High Availability Using IPsec Backup Peers
High Availability Using GRE over IPsec (Dynamic Routing)
Basic QoS Features for VPN Traffic on Cisco IOS Software and the Cisco ASA Security Appliance
Identifying Injected Errors in Troubleshooting Scenarios (for Site-to-Site, DMVPN, GET VPN,
and Cisco Easy VPN)
Understanding and Interpreting the show crypto Commands
Understanding and Interpreting the debug crypto Commands
Anyconnect VPN including DAP support
MacSec (switch-switch, Host-switch)
Wireless Security on AP and WLC
EAP methods
WPA/WPA-2
WIPS