Security Rack FAQ

Date post: 07-Apr-2018
Upload: chavara-matekwe
  • 8/3/2019 Security Rack FAQ


    Network Learning Inc

    www.ccbootcamp.com

    Security

    REMOTE RACK ACCESS FAQ v3.5.0

    05-01-2009

    www.CareerCert.info


    Table of Contents

    Read Me First
    Usage Information for R&S/Security/SP Racks 1-10
    Fixed Frame-Relay Configuration Information
        Actual Frame Relay Router Configuration
    Remote Power Cycle Instructions for Racks 1-10
    FAQ for Most Common Remote Rack Usage Problems
    RACK Cabling Diagram
    CCIE Security Rack Specific Information
        RDP and VNC
        ACS / CA Access
    CCIE Security Rack Connectivity Example
        Accessing the test PC
        IPS Layout and Management
        ASA Management


    Read Me First

    Even before your virtual rack session starts, please make sure to read this document THOROUGHLY!

    ** If no one was on your rack in the prior session, you probably need to power on your devices. You can do so using the connection from your access-server to your APC power controller, performing the steps listed in the remote power cycle instructions, or you can use our rack automation control page (preferred).


    Usage Information for R&S/Security/SP Racks 1-10

    1. If you must use passwords on your routers please use "cisco" in case you forget to erase your configurations. This saves us from having to password break the routers before the next student starts. Very important!

    2. Your 8 hour session will be terminated exactly on time so please plan ahead and save your configurations and erase the routers.

    3. Your 8 hour session may start up to 5 minutes late as we terminate the previous customer and set everything up for your session.

    4. Hardware or access problems with the remote racks can be solved by reaching us here: http://www.ccbootcamp.com/rackhelp.html

    5. Customers are expected to erase all the configurations at the end of their session.

    6. This rack is available in three time blocks.

    Racks have fixed start times (PST):
    Session 1 00:00-08:00
    Session 2 08:00-16:00
    Session 3 16:00-24:00

    7. Remote rack reservations must be paid in advance before they are secured. Refunds are not provided for scheduled lab access. You can reschedule up to 2 hours prior to your timeslot if it is an emergency and you can not make your session.

    All racks have a dedicated Cisco 2611 for reverse telnet. This router will only be configured for reverse telnet and will not be used for anything else in the practice labs.

    Racks have a fixed physical configuration. We have set up a very flexible configuration with all the FastEthernet interfaces plugged into the Catalyst. Use VLANs as necessary to place interfaces into broadcast domains.

    The frame switches on the racks have a fixed configuration! This fixed configuration is a full mesh. Frame Relay configuration is on the following pages.

    When you telnet to the racks you will not have access to enable mode. Your prompt will appear as below (example given for rack#1):

    Rack-1>

    Below are the only commands you will have access to:

    access-enable
    clear Reset
    connect
    disconnect
    enable (your password won't work here, you don't have access to enable mode)
    exit
    login
    logout
    resume
    show
    clear line
    systat

    You can access the other devices on the access-server in your rack with the hostnames below:

    Device                     Hostname
    2811 Router 1              r1
    2811 Router 2              r2
    2811 Router 3              r3
    2811 Router 4              r4
    2811 Router 5              r5
    2811 Router 6              r6
    2811 Router 7              r7
    2811 Router 8              r8
    2811 Backbone Router 1     bb1
    2811 Backbone Router 2     bb2
    3640 Backbone Router 3     bb3
    Catalyst 3560 Switch 1     cat1 or sw1
    Catalyst 3560 Switch 2     cat2 or sw2
    Catalyst 3560 Switch 3     cat3 or sw3
    Catalyst 3560 Switch 4     cat4 or sw4
    IDS-4235                   ips


    Fixed Frame-Relay Configuration Information


    Actual Frame Relay Router Configuration

    hostname Frame_FullMesh

    frame-relay switching

    interface Serial1
     no ip address
     encapsulation frame-relay
     clockrate 64000
     frame-relay lmi-type ansi
     frame-relay intf-type dce
     frame-relay route 102 interface Serial2 201
     frame-relay route 103 interface Serial3 301
     frame-relay route 104 interface Serial4 401
     frame-relay route 105 interface Serial5 501
     frame-relay route 106 interface Serial6 601
     frame-relay route 107 interface Serial7 701
     frame-relay route 108 interface Serial8 801
     frame-relay route 109 interface Serial9 901
     frame-relay route 110 interface Serial0 1001
     no sh

    interface Serial2
     no ip address
     encapsulation frame-relay
     clockrate 64000
     frame-relay lmi-type ansi
     frame-relay intf-type dce
     frame-relay route 201 interface Serial1 102
     frame-relay route 203 interface Serial3 302
     frame-relay route 204 interface Serial4 402
     frame-relay route 205 interface Serial5 502
     frame-relay route 206 interface Serial6 602
     frame-relay route 207 interface Serial7 702
     frame-relay route 208 interface Serial8 802
     frame-relay route 209 interface Serial9 902
     frame-relay route 210 interface Serial0 1002
     no sh

    interface Serial3
     no ip address
     encapsulation frame-relay
     clockrate 64000
     frame-relay lmi-type ansi
     frame-relay intf-type dce
     frame-relay route 301 interface Serial1 103
     frame-relay route 302 interface Serial2 203
     frame-relay route 304 interface Serial4 403
     frame-relay route 305 interface Serial5 503
     frame-relay route 306 interface Serial6 603
     frame-relay route 307 interface Serial7 703
     frame-relay route 308 interface Serial8 803
     frame-relay route 309 interface Serial9 903
     frame-relay route 310 interface Serial0 1003
     no sh

    interface Serial4
     no ip address
     encapsulation frame-relay
     clockrate 64000
     frame-relay lmi-type ansi
     frame-relay intf-type dce
     frame-relay route 401 interface Serial1 104
     frame-relay route 402 interface Serial2 204
     frame-relay route 403 interface Serial3 304
     frame-relay route 405 interface Serial5 504
     frame-relay route 406 interface Serial6 604
     frame-relay route 407 interface Serial7 704
     frame-relay route 408 interface Serial8 804
     frame-relay route 409 interface Serial9 904
     frame-relay route 410 interface Serial0 1004
     no sh

    interface Serial5
     no ip address
     encapsulation frame-relay
     clockrate 64000
     frame-relay lmi-type ansi
     frame-relay intf-type dce
     frame-relay route 501 interface Serial1 105
     frame-relay route 502 interface Serial2 205
     frame-relay route 503 interface Serial3 305
     frame-relay route 504 interface Serial4 405
     frame-relay route 506 interface Serial6 605
     frame-relay route 507 interface Serial7 705
     frame-relay route 508 interface Serial8 805
     frame-relay route 509 interface Serial9 905
     frame-relay route 510 interface Serial0 1005
     no sh

    interface Serial6
     no ip address
     encapsulation frame-relay
     clockrate 64000
     frame-relay lmi-type ansi
     frame-relay intf-type dce
     frame-relay route 601 interface Serial1 106
     frame-relay route 602 interface Serial2 206
     frame-relay route 603 interface Serial3 306
     frame-relay route 604 interface Serial4 406
     frame-relay route 605 interface Serial5 506
     frame-relay route 607 interface Serial7 706
     frame-relay route 608 interface Serial8 806
     frame-relay route 609 interface Serial9 906
     frame-relay route 610 interface Serial0 1006
     no sh

    interface Serial7
     no ip address
     encapsulation frame-relay
     clockrate 64000
     frame-relay lmi-type ansi
     frame-relay intf-type dce
     frame-relay route 701 interface Serial1 107
     frame-relay route 702 interface Serial2 207
     frame-relay route 703 interface Serial3 307
     frame-relay route 704 interface Serial4 407
     frame-relay route 705 interface Serial5 507
     frame-relay route 706 interface Serial6 607
     frame-relay route 708 interface Serial8 807
     frame-relay route 709 interface Serial9 907
     frame-relay route 710 interface Serial0 177
     no sh

    interface Serial8
     no ip address
     encapsulation frame-relay
     clockrate 64000
     frame-relay lmi-type ansi
     frame-relay intf-type dce
     frame-relay route 801 interface Serial1 108
     frame-relay route 802 interface Serial2 208
     frame-relay route 803 interface Serial3 308
     frame-relay route 804 interface Serial4 408
     frame-relay route 805 interface Serial5 508
     frame-relay route 806 interface Serial6 608
     frame-relay route 807 interface Serial7 708
     frame-relay route 809 interface Serial9 908
     frame-relay route 810 interface Serial0 188
     no sh

    interface Serial9
     no ip address
     encapsulation frame-relay
     clockrate 64000
     frame-relay lmi-type ansi
     frame-relay intf-type dce
     frame-relay route 901 interface Serial1 109
     frame-relay route 902 interface Serial2 209
     frame-relay route 903 interface Serial3 309
     frame-relay route 904 interface Serial4 409
     frame-relay route 905 interface Serial5 509
     frame-relay route 906 interface Serial6 609
     frame-relay route 907 interface Serial7 709
     frame-relay route 908 interface Serial8 809
     frame-relay route 910 interface Serial0 199
     no sh

    interface Serial0
     no ip address
     encapsulation frame-relay
     clockrate 64000
     frame-relay lmi-type ansi
     frame-relay intf-type dce
     frame-relay route 1001 interface Serial1 110
     frame-relay route 1002 interface Serial2 210
     frame-relay route 1003 interface Serial3 310
     frame-relay route 1004 interface Serial4 410
     frame-relay route 1005 interface Serial5 510
     frame-relay route 1006 interface Serial6 610
     frame-relay route 177 interface Serial7 710
     frame-relay route 188 interface Serial8 810
     frame-relay route 199 interface Serial9 910
     no sh

    line con 0
     transport input none
    line aux 0
    line vty 0 4
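
The frame switch configuration above is a full mesh, so each `frame-relay route` line should have a mirror entry on the far-end interface. The following check is an added example, not part of the original FAQ: it parses IOS-style text and reports routes with no mirror, routes that point back at their own interface, and missing PVCs. The sample configuration and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a three-port excerpt in the style of the frame switch
# configuration, with one deliberately broken mirror entry (Serial3 sends
# DLCI 302 to Serial1 instead of back to Serial2).
SAMPLE_CONFIG = """\
interface Serial1
 frame-relay route 102 interface Serial2 201
 frame-relay route 103 interface Serial3 301
interface Serial2
 frame-relay route 201 interface Serial1 102
 frame-relay route 203 interface Serial3 302
interface Serial3
 frame-relay route 301 interface Serial1 103
 frame-relay route 302 interface Serial1 203
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
ROUTE_RE = re.compile(
    r"^\s*frame-relay route\s+(\d+)\s+interface\s+(\S+)\s+(\d+)")


def parse_routes(config):
    """Return {(in_iface, in_dlci): (out_iface, out_dlci)} from config text."""
    routes = {}
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ROUTE_RE.match(line)
        if m and current:
            routes[(current, int(m.group(1)))] = (m.group(2), int(m.group(3)))
    return routes


def audit_mesh(config):
    """Return a sorted list of problems; an empty list means a clean full mesh."""
    routes = parse_routes(config)
    problems = []
    peers = defaultdict(set)
    for (in_if, in_dlci), (out_if, out_dlci) in routes.items():
        peers[in_if].add(out_if)
        if out_if == in_if:
            problems.append(f"{in_if} DLCI {in_dlci}: routes back to itself")
        elif routes.get((out_if, out_dlci)) != (in_if, in_dlci):
            problems.append(
                f"{in_if} DLCI {in_dlci} -> {out_if} DLCI {out_dlci}: "
                "no mirror entry")
    # Full mesh: every interface seen anywhere needs a PVC to every other one.
    ifaces = set(peers) | {o for outs in peers.values() for o in outs}
    for iface in sorted(ifaces):
        for other in sorted(ifaces - peers[iface] - {iface}):
            problems.append(f"{iface}: no PVC to {other}")
    return sorted(problems)


if __name__ == "__main__":
    for problem in audit_mesh(SAMPLE_CONFIG):
        print(problem)
```
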


    Remote Power Cycle Instructions for Racks 1-10

    1. Racks don't allow access to enable mode on the Cisco 2511 used for reverse telnet access to the other devices in the racks. You will be at the "Rack-X>" prompt.

    2. To access the power cycle unit from the terminal server, type "apc" then enter "apcX" for the username and "powerX" for the password. X is the rack# you are on. So for example for rack#1, your username would be apc1 and your password would be power1.

    3. You will then have four menu options. The only menu options you have access to are number 1 and 4: "1-Device Manager" and "4-logout".

    4. Enter "1" and then you will be presented with a list of devices you can manipulate. Always use capital letters to confirm "YES".

    5. Hit to get back to the top menu and hit "4" to logout. This will bring you back to the "Rack-X>" prompt.


    FAQ for Most Common Remote Rack Usage Problems

    1. Are you accessing the correct rack? The easiest way to access our racks is by TELNETing to the fully qualified domain name (FQDN), rack1.ccbootcamp.com, rack2.ccbootcamp.com, etc.

    2. Router FRS used as the frame switch is a Cisco 2522. It has a full mesh and is a fixed configuration. The configuration is in this file. You do not have console access to this device.

    3. You are expected to erase the configurations on all devices on your rack when you are done with your session.

    4. If you must configure a password on any of the devices in the rack please use lower case "cisco". This will help the next user if you forget to erase your configurations.

    5. Use the command "show controllers serial 0" to verify if a serial interface is DCE or DTE. The DCE side must have the clock rate command.

    6. When you telnet to our racks you will access a Cisco 2611 configured for reverse telnet. You will not have enable mode access to this router. Just type "show hosts" to see the hostnames for the devices to access. To access the routers (R1, R2, R3, R4, R5, R6, R7, etc) via reverse telnet, just type the hostname (example R1) and you will be at the console port on R1.

    7. Type ctrl-shift-6 then x to take you back to the Cisco 2611. If you go back to the Cisco 2611 after the ctrl-shift-6 x key stroke combination and press enter at the Rack-# you will be sent back to your previous session.

    8. Type show sessions to see what sessions are already open. You can access them by number.

    9. If one of your routers gets locked, our racks have a remote power cycle unit so you can reboot the device. Also, if you login to a rack and none of the devices respond please check and make sure they haven't been powered off via the remote power cycle unit.

    10. If you get an error similar to "[Connection to r4 closed by foreign host]" you will need to clear the line. In this example, clear line 4, for R4 will work. You may have to do it twice.

    rack2>sw3
    Trying sw3 (1.1.1.1, 2051)...
    % Connection refused by remote host

    rack2>clear line 51
    [confirm]
    [OK]
    rack2>sw3
    Trying sw3 (1.1.1.1, 2051)... Open

    switch#

    11. Use CDP to verify your cable connections if necessary.

    12. If you still need help after reading this document please send e-mail to the address below. If a problem occurs between 9:00 a.m. and 5:00 p.m. Pacific time, you can call us at 702.968.5100. For problems outside these hours, please page us: http://www.ccbootcamp.com/rackhelp.html

    13. If you want to check to see what our server time is, do show clock on your terminal server. This is the same time that is set on our access control server.


    RACK Cabling Diagram

    [Figure: rack cabling diagram. It shows the 2811 routers R1-R8 and backbone routers BB1 and BB2 (each with Fas0/0, Fas0/1 and serial interfaces, several marked DCE), the 3640 backbone router BB3 (E0/0, E0/1), the switches SW1-SW4, the Frame Relay cloud (ports S0-S9) and an LS1010, with ATM interface labels ATM0/0/1 and ATM1/0. Address labels on the figure: TFTP Server Address 172.22.1.254 /24; ACS/CA Server 192.168.0.0 /16; PublicNet 172.22.10X.0 /24 (DG: 172.22.10X.1).]


    Security Specific RACK Cabling Diagram

    [Figure: security-specific rack cabling diagram. Labels recoverable from the figure:
    ASA5510#1: FE0 - SW1 Fas0/12, FE1 - SW1 Fas0/17, FE2 - SW2 Fas0/12, FE3 - SW2 Fas0/17
    ASA5510#2: FE0 - SW1 Fas0/18, FE1 - SW1 Fas0/23, FE2 - SW2 Fas0/18, FE3 - SW2 Fas0/2
    IDS: G0/0 - SW1 Fas0/14, G0/1 - SW2 Fas0/14
    ACS/CA Server: SW1 0/24, 192.168.2.10X; Public IP Address 64.89.238.134+X; NAT: 172.22.1.110+X; DG: 172.22.1.200
    ACS/CA Server 192.168.0.0 /16; PublicNet 172.22.10X.0 /24 (DG: 172.22.10X.1)
    Switches SW1-SW4 are also shown, with inter-switch ports Fas0/19-Fas0/22 and ports Fas0/07 and Fas0/08.]


    RACK Hardware Configuration

    Model        Router Name    Memory Dram/Flash    Version
    2611         Rack-1
    2811         r1             256,256              12.4(15)T7
    2811         r2             256,256              12.4(15)T7
    2811         r3             256,64               12.4(15)T7
    2811         r4             256,64               12.4(15)T7
    2811         r5             256,64               12.4(15)T7
    2811         r6             256,64               12.4(15)T7
    2811         r7             256,64               12.4(15)T7
    2811         r8             256,64               12.4(15)T7
    2811         bb1            256,64               12.4(15)T7
    2811         bb2            256,64               12.4(15)T7
    3640         bb3            128,32               12.3(14)T6
    Cat 3560     cat1                                12.2-44.SE5
    Cat 3560     cat2                                12.2-44.SE5
    Cat 3560     cat3                                12.2-44.SE5
    Cat 3560     cat4                                12.2-44.SE5
    asa-5510     asa1                                8.x
    asa-5510     asa2                                8.x
    acs/ca (must use VNC or RDP)                     4.x
    IPS Sensor   ips                                 6.x


    CCIE Security Rack Specific Information

    RDP and VNC

    To connect to the ACS server, you will need to use either Microsoft RDP or VNC to connect to the appropriate server for your rack. However, before you can RDP or VNC to the server, you will need to have your account validated with our PIX (cut-through proxy).

    Example for Rack1:

    Open up a browser window to: http://acsrack1.ccbootcamp.com
    Enter your rack login information
    Login (example): BE
    Password (example): enable2355

    After you have authenticated to the PIX, you can RDP or VNC to the server as indicated below:

    The IP addresses for the servers and login information are listed below.

    RDP Example for Rack 1:
    RDP Server: acsrack1.ccbootcamp.com
    Login: enablemode
    Password: enableme

    VNC Example for Rack 1:
    VNC Server: acsrack1.ccbootcamp.com
    VNC Password: enableme
    Login: enablemode
    Password: enableme

    RDP is Microsoft Remote Desktop Connection Software (you can download from www.microsoft.com)
    VNC is Virtual Network Computing (you can download a free VNC client from http://www.realvnc.com/)

    The ACS/CA server is connected to your rack via Switch 1 port 0/24. If you need to connect an interface that is on Switch 2 to your ACS server, you will have to create a trunk between the two switches and set up your VLANs accordingly.

    Switch 2, port 0/24 is connected to a shared backbone for TFTP access (to save your configurations if you like). While doing your lab, it is highly recommended to SHUT THIS PORT DOWN! If not, you may get duplicate IP address errors and other errors from other racks on the backbone.


    ACS / CA Access

    CCIE Security Rack Connectivity Example

    STEP 1 Authenticate to our PIX using your rack login information

    After your successful authentication to our PIX, you will see this message below:


    STEP 2 Connect via RDP or VNC to our server

    Use the password of enableme for your VNC connection

    STEP 3 Use the username of enablemode and the password enableme to access the server


    Now you can access the Cisco Secure ACS, CA, and IPS web functions.


    Accessing the test PC

    Each rack also has a test PC that can be reached from the ACS server via VNC. Just click the vnc icon in the tool bar. The vnc connection should default to the PC pertaining to the rack.


    Once OK is selected you will be taken to the following desktop.


    From the PC desktop you are able to change the IP address of the interface facing the rack by launching the IPChangeApp program.


    IPS Layout and Management

    Each IPS appliance has an Ether0 interface connected to Catalyst #1 port Fas0/14 and an Ether1 interface connected to Catalyst #2 port Fas0/14.

    You should create a VLAN (actually a trunk between the two switches) connecting the Ether1 (Cat#2 Fas0/14) to the ACS/CA Server on Catalyst #1 (Fas 0/24).

    You can connect to the IPS web interface via the RDP/VNC server for your rack or access the IPS Event Viewer (IEV) which is located on the RDP/VNC server for your rack.

    Check the IP addressing below to determine which IP addresses you should be using. Don't forget to create the appropriate VLANs!

    You may need to add some static routes to your server - but DO NOT CHANGE THE DEFAULT ROUTE ON THE SERVER!

    Rack 1 IDS Eth1: 192.168.10.103
    Rack 2 IDS Eth1: 192.168.20.103
    Rack 3 IDS Eth1: 192.168.30.103
    Rack 4 IDS Eth1: 192.168.40.103
    Rack 5 IDS Eth1: 192.168.50.103
    Rack 6 IDS Eth1: 192.168.60.103
    Rack 7 IDS Eth1: 192.168.70.103
    Rack 8 IDS Eth1: 192.168.80

    The default username for the IPS sensor is cisco and the password is ccie5796. Please do not change the usernames or passwords.

    If you power-down the IPS sensor, you may have to power it back up then do an immediate re-boot.

    Directions:
    1. Power Up IPS Sensor
    2. Immediate Re-Boot (5 second delay)

    *** DON'T FORGET ***

    SET YOUR VLANs CORRECTLY ON YOUR CATALYST SWITCHES!!!


    ASA Management

    1) If the ASA unit is working in multiple context mode or as a transparent firewall, you will not be able to assign any IP address for any of the system context's interfaces or Transparent Firewall's interfaces.

    You can fix this by changing your mode to single mode (the default behavior) using the following command from a global configuration prompt (ASA(config)#mode single) or change your firewall to work in router mode by using the following command from the global configuration prompt (ASA(config)#firewall router).

    2) If there are configuration files left over in the ASA's flash disk from the previous user that a write erase will not remove, you may use the following command to delete them:

    ciscoasa# delete flash:*.cfg

    3) If you have difficulties with the interface configuration over ASA box and there are a lot of missing commands, there are some steps you can take to overcome this.

    When you get your rack access please make sure that you clear the ASA's configuration and it is working on single mode and firewall router using the commands below:

    ciscoasa(config)# wr erase
    Erase configuration in flash memory? [confirm]
    [OK]

    ciscoasa(config)# firewall router
    ciscoasa(config)# sh firewall
    Firewall mode: Router
    ciscoasa# sh mode
    Security context mode: multiple

    ciscoasa# conf t
    ciscoasa(config)# mode single
    ciscoasa# sh mode
    Security context mode: single
