CCIE Security v6 Lab: ISE, TrustSec, ESA and WSA Hands-On Guide

Admin, March 26, 2026
Tags: CCIE Security, ISE, TrustSec, ESA, WSA

Introduction

Passing the CCIE Security v6 lab requires more than theoretical knowledge. You need to configure, verify, and troubleshoot complex security technologies under time pressure, with zero room for guesswork. The CCIE Security v6 lab tests your ability to deploy Identity Services Engine (ISE) for 802.1X and TACACS+ device administration, enforce segmentation through TrustSec Security Group Tags (SGTs), secure email traffic with the Email Security Appliance (ESA), filter web access through the Web Security Appliance (WSA), and build Software Defined Access (SDA) fabrics with macro- and micro-segmentation.

This CCIE Security workbook guide walks you through every major lab domain with exact configurations, IP addressing, and step-by-step procedures. Whether you are building your lab topology from scratch or reinforcing weak areas before your exam attempt, this article provides the depth you need. We cover the base network setup, ISE initialization, wired 802.1X authentication with VLAN assignment and downloadable ACLs, Active Directory integration, VPN authentication through ISE, TACACS+ device administration, ISE-FMC integration via pxGrid, ESA incoming and outgoing content filters, WSA web filtering with WCCP redirection, and SDA TrustSec segmentation with custom SGACL contracts.

How Do You Build the CCIE Security v6 Lab Base Network?

Every CCIE Security v6 lab scenario begins with a properly configured base network. Without correct VLANs, IP addressing, routing, and DHCP services, none of the security technologies will function. The lab topology typically includes two Layer 3 switches (SW1 and SW2), multiple routers (R1, R2, R3), an ASA firewall, and dedicated devices for ISE, Active Directory, DNS, and endpoint PCs.

VLAN and Trunk Configuration

The foundation starts with trunk links between switches and the creation of VLANs that will serve different security zones:

! SW1 - Trunk toward SW2
interface E1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk

! SW2 - Trunk toward SW1
interface E1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk

Create the required VLANs on both switches. The lab uses VLAN 10 and VLAN 20 for user segments, VLAN 100 for the management/server network (ISE, AD, DNS, Admin PC), and VLAN 101 for interconnections:

! SW1 and SW2
vlan 10,20,100,101

Management VLAN and SVI Configuration

VLAN 100 hosts the critical infrastructure -- ISE at 10.1.1.1, the AD/DNS/CA server at 10.1.1.2, and the Admin PC at 10.1.1.3. Assign switch ports connecting to these devices into VLAN 100 and configure SVIs for inter-VLAN routing:

! SW1
interface range e0/0-2
 switchport mode access
 switchport access vlan 100
!
ip routing
!
interface vlan 100
 ip address 10.1.1.254 255.255.255.0
 no shut

! SW2
ip routing
!
interface vlan 100
 ip address 10.1.1.252 255.255.255.0
 no shut

ASA Firewall Interfaces

The ASA firewall connects the internal network to the outside world and a DMZ segment. Each interface receives a security-level designation:

! ASA Firewall
! The ASA assigns 100 to an interface named "inside" and 0 to every other
! name automatically; the explicit values below make the intent visible.
interface E1
 nameif Inside
 security-level 100
 ip address 10.3.3.10 255.255.255.0
 no shut
!
interface E2
 nameif DMZ
 security-level 50
 ip address 10.4.4.10 255.255.255.0
 no shut
!
interface E0
 nameif Outside
 security-level 0
 ip address 192.1.10.10 255.255.255.0
 no shut

EIGRP Routing and Default Route Injection

EIGRP AS 111 ties the internal network together. The ASA participates in EIGRP only on the Inside interface and injects a default route toward internal devices using the summary-address command:

! R1
router eigrp 111
 network 10.10.10.0 0.0.0.255
 network 10.20.20.0 0.0.0.255
 network 10.2.2.0 0.0.0.255
 network 10.3.3.0 0.0.0.255

! ASA
router eigrp 111
 network 10.3.3.0 255.255.255.0
!
interface E1
 summary-address eigrp 111 0.0.0.0 0.0.0.0
!
interface E2
 summary-address eigrp 111 0.0.0.0 0.0.0.0
!
route outside 0 0 192.1.10.3

DHCP Services

SW1 acts as the DHCP server for VLANs 10, 20, and 100, while R1 relays DHCP requests from remote segments:

! SW1
! Exclusions apply per subnet: without the VLAN20 lines the gateway
! 10.20.20.1 would be handed out as a lease.
ip dhcp excluded-address 10.10.10.1 10.10.10.100
ip dhcp excluded-address 10.10.10.201 10.10.10.254
ip dhcp excluded-address 10.20.20.1 10.20.20.100
ip dhcp excluded-address 10.20.20.201 10.20.20.254
!
ip dhcp pool VLAN10
 network 10.10.10.0 /24
 default-router 10.10.10.1
 dns-server 10.1.1.2
!
ip dhcp pool VLAN20
 network 10.20.20.0 /24
 default-router 10.20.20.1
 dns-server 10.1.1.2

! R1 - DHCP Relay
interface E0/2
 ip helper-address 10.2.2.254
!
interface E0/3
 ip helper-address 10.2.2.254

Pro Tip: Always exclude infrastructure addresses from DHCP pools. The lab excludes the first 100 and last 54 addresses in each subnet to reserve them for gateways, servers, and network devices.

What Is Required to Initialize ISE for the CCIE Security v6 Lab?

ISE is the centerpiece of the CCIE Security v6 lab. Initialization involves CLI password configuration, network settings, RADIUS log tuning, and enabling critical services like Device Admin (TACACS+) and pxGrid.

CLI and GUI Password Configuration

After initial boot, the ISE CLI prompts for a password change. Set it and then reset the GUI admin password:

! ISE CLI - Reset GUI admin password
ISE/admin# application reset-passwd ise admin
Enter new password: Lab@123
Confirm new password: Lab@123
Password reset successfully.

Network Configuration

Configure the ISE network parameters including IP address, default gateway, DNS server, and domain name:

! ISE CLI
config t
!
hostname ISE1
!
ip domain-name lab.nhprep.com
!
interface GigabitEthernet 0
 ip address 10.1.1.1 255.255.255.0
!
ip default-gateway 10.1.1.254
!
ip name-server 10.1.1.2

After changing the network configuration, ISE requires an application restart, which can take several minutes.

RADIUS Log Settings and Service Enablement

For lab testing, configure ISE RADIUS settings to show all authentication attempts:

  1. Browse to Administration > System > Settings > Protocols > RADIUS
  2. Uncheck "Reject RADIUS requests from clients with repeated failures"
  3. Uncheck "Suppress repeated failed clients"
  4. Uncheck "Suppress repeated successful authentications"

Then enable the services needed for later modules:

  1. Browse to Administration > System > Deployment > ISE1
  2. Enable pxGrid (required for ISE-to-FMC integration)
  3. Enable Device Admin Service (required for TACACS+)

How Do You Configure 802.1X Authentication in the CCIE Security v6 Lab?

Wired 802.1X authentication is a core topic on the CCIE Security v6 lab exam. The configuration spans ISE (network device registration, user/group creation, authorization policies) and the switch (RADIUS server, AAA commands, port-level dot1x).

Registering Network Devices on ISE

Before any RADIUS communication works, you must register each network device on ISE with the correct IP address, device type, and shared secret.

Create Network Device Groups first:

  1. Browse to Administration > Network Resources > Network Device Groups > Add
  2. Create groups: Routers, Switches, Firewalls (all under "All Device Types")

Then register each device. For example, SW1:

  • Name: SW1
  • IP Address: 10.1.1.254/32
  • Device Type: Switches
  • RADIUS: Checked, Secret: Lab@123
  • TACACS+: Checked, Secret: Lab@123

Repeat for SW2 (10.1.1.252), R1, R2, and the ASA firewall (10.3.3.10).

Creating Identity Groups and Users

Create User Identity Groups that map to different authorization levels:

Group Name       | Purpose
ISE-EMP          | Employee 802.1X users
ISE-CON          | Contractor 802.1X users
SuperAdmins      | Full device admin access
RP-Admins        | Routing protocol admin access
Switching-Admins | Switch configuration access

Create users and assign them to groups:

  • ISE-1 (password: Lab@123) assigned to ISE-EMP
  • ISE-2 (password: Lab@123) assigned to ISE-CON
  • Admin1 assigned to SuperAdmins
  • Admin2 assigned to RP-Admins
  • Admin3 assigned to Switching-Admins

Switch-Side 802.1X Configuration

Configure the switch as a RADIUS authenticator. This involves enabling AAA, defining the RADIUS server, and activating dot1x on access ports:

! SW2
aaa new-model
!
username admin privilege 15 password admin
!
radius server ISE1
 address ipv4 10.1.1.1 auth-port 1812 acct-port 1813
 key Lab@123
!
aaa group server radius ABC
 server name ISE1
!
aaa authentication dot1x default group ABC
! network authorization is what lets ISE push VLANs and DACLs to the port
aaa authorization network default group ABC
!
! accept the cisco-av-pair VSA that carries the DACL name and contents
radius-server vsa send authentication
!
dot1x system-auth-control
!
! needed for DACLs on classic IOS: the switch learns the client IP and
! rewrites the "any" source in the downloaded ACEs to that address
ip device tracking
!
interface range E0/1-2
 switchport access vlan 100
 switchport mode access
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator

Key points from this configuration:

  • authentication order dot1x mab -- the switch tries 802.1X first, then falls back to MAC Authentication Bypass
  • authentication host-mode multi-auth -- allows multiple devices to authenticate on the same port
  • authentication port-control auto -- the port starts in an unauthorized state and only opens after successful authentication

Authorization Policies with VLAN Assignment

Create Authorization Profiles that dynamically assign VLANs based on group membership:

Profile Name    | VLAN Assignment
ISE-EMP-PROFILE | VLAN 10
ISE-CON-PROFILE | VLAN 20

Then configure Authorization Policies that match on identity group, authentication method, and device type:

  • ISE-EMP-POLICY: Identity Group = ISE-EMP + Wired_802.1x + Network Device Group = Switches, result = ISE-EMP-PROFILE
  • ISE-CON-POLICY: Identity Group = ISE-CON + Wired_802.1x + Network Device Group = Switches, result = ISE-CON-PROFILE

After authentication, verify VLAN assignment on the switch:

show authentication sessions interface E0/1 details
show vlan

Downloadable ACLs (DACLs)

DACLs allow ISE to push access control lists to the switch dynamically per user. For example, to block Telnet access for employee users while allowing all other traffic:

  1. Create a DACL named ISE-EMP-DACL with content:
    • deny tcp any any eq 23
    • permit ip any any
  2. Attach the DACL to the ISE-EMP-PROFILE authorization profile
  3. Verify on the switch after re-authentication:

show authentication sessions interface E0/1 details

The DACL will appear in the switch access-list table, applied to the authenticated session.

Pro Tip: Always test DACL syntax carefully. An incorrect DACL will either block all traffic or fail to download entirely. Use the ISE RADIUS Live Logs under Operations > RADIUS > Live Logs to verify successful DACL deployment.
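As an added example, not part of the original guide and not ISE's own validation, the following Python script applies the tip above: it parses DACL text in the syntax ISE accepts, reports the mistakes that most often make a DACL fail to download or block all traffic (unknown protocol or port keyword, a port operator on a non-TCP/UDP protocol, a trailing deny that leaves only the implicit deny), and lists the ports an ACE actually references so they can be compared with the intent. The port keyword table is a subset chosen for the example, and the broken DACL is constructed.

```python
import re

# Constructed sample DACLs. The first is ISE-EMP-DACL from the guide; the
# second is deliberately broken to show what the checker reports.
ISE_EMP_DACL = """deny tcp any any eq 23
permit ip any any"""

BROKEN_DACL = """deny tcp any any eq telnett
permit ip any any eq 80
deny udp any any"""

KNOWN_PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
# Subset of IOS port keywords (assumed list for the example)
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443,
              "domain": 53, "smtp": 25, "ftp": 21}

ADDR = r"(?:any|host\s+\d+\.\d+\.\d+\.\d+|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)"
ACE_RE = re.compile(
    rf"^(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<src>{ADDR})\s+(?P<dst>{ADDR})"
    r"(?:\s+(?P<op>eq|neq|gt|lt)\s+(?P<port>\S+))?$",
    re.IGNORECASE,
)


def validate_dacl(text):
    """Return [(line_no, problem), ...]; an empty list means the DACL parses cleanly."""
    problems = []
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines:
        return [(0, "empty DACL")]
    for n, line in enumerate(lines, 1):
        m = ACE_RE.match(line)
        if not m:
            problems.append((n, f"unparseable ACE: {line!r}"))
            continue
        proto = m.group("proto").lower()
        if proto not in KNOWN_PROTOCOLS:
            problems.append((n, f"unknown protocol {proto!r}"))
        if m.group("op"):
            port = m.group("port").lower()
            if proto not in ("tcp", "udp"):
                problems.append((n, f"port operator used with protocol {proto!r}"))
            if not (port.isdigit() and int(port) <= 65535) and port not in PORT_NAMES:
                problems.append((n, f"unknown port {port!r}"))
    # A DACL whose last ACE is a deny ends in the implicit deny: every flow not
    # explicitly permitted is dropped, which is the "blocks all traffic" failure
    if not lines[-1].lower().startswith("permit"):
        problems.append((len(lines), "last ACE is a deny; the implicit deny will drop all other traffic"))
    return problems


def ports_referenced(text):
    """Ports the DACL names (numeric where known), to compare against the intended ones."""
    ports = set()
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group("port"):
            p = m.group("port").lower()
            ports.add(int(p) if p.isdigit() else PORT_NAMES.get(p, p))
    return ports


if __name__ == "__main__":
    for name, dacl in (("ISE-EMP-DACL", ISE_EMP_DACL), ("BROKEN", BROKEN_DACL)):
        print(name, "ports:", ports_referenced(dacl))
        for line_no, problem in validate_dacl(dacl) or [(0, "OK")]:
            print(f"  line {line_no}: {problem}")
```

Run it before pasting a DACL into ISE; a clean result does not prove the policy is right, but it catches the typos that show up in Live Logs as a failed download.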

How Do You Integrate ISE with Active Directory?

Active Directory integration allows ISE to authenticate users against existing AD credentials, leveraging enterprise-wide identity stores rather than local ISE databases.

Joining ISE to Active Directory

Configure the AD join point on ISE:

  1. Browse to Administration > Identity Management > External Identity Sources > Active Directory > Add
  2. Join Point Name: lab-AD
  3. Active Directory Domain: lab.nhprep.com
  4. Administrator credentials for the domain join

After joining, pull down the required AD groups:

  • lab.nhprep.com/Users/Employees
  • lab.nhprep.com/Users/Consultants
  • lab.nhprep.com/Users/Domain Users

Identity Source Sequence

Add the AD identity store to the Identity Source Sequence so ISE checks both internal and external users:

  1. Browse to Administration > Identity Management > Identity Source Sequences > All_Users_ID_Stores
  2. Add the AD join point from the Available box
  3. Position it as the second entry in the search list

AD-Based Authorization Policies

Create authorization profiles and policies for AD users:

  • AD-EMP-PROFILE: VLAN 10
  • AD-CON-PROFILE: VLAN 20

Authorization policies use the external group as a condition:

  • AD-EMP-POLICY: ExternalGroups = Employees + Wired_802.1x + Switches, result = AD-EMP-PROFILE
  • AD-CON-POLICY: ExternalGroups = Consultants + Wired_802.1x + Switches, result = AD-CON-PROFILE

Also configure certificate-based authentication for AD objects by navigating to the Preloaded-Certificate-Profile and selecting the AD join point as the Identity Store, with the option "Any Subject or alternate name Attributes in the certificate (for Active Directory Only)" enabled.

How Do You Authenticate VPN Connections Using ISE?

The CCIE Security v6 lab requires you to configure AnyConnect SSL VPN on an ASA firewall with ISE as the RADIUS authentication server, and then apply DACLs to VPN sessions.

ASA AnyConnect VPN Configuration

First, enable ASDM and HTTP access on the ASA:

! ASA
http server enable
!
username admin password admin privilege 15
!
http 10.1.1.0 255.255.255.0 inside
aaa authentication http console LOCAL

Use the ASDM VPN Wizard to configure AnyConnect with these parameters:

Parameter          | Value
Connection Profile | AC-RemoteAccess
Interface          | Outside
Certificate        | Self-Signed (TrustPoint: SELF-TP)
AAA Server Group   | ISE (RADIUS)
Server IP          | 10.1.1.1
Server Interface   | Inside
Secret Key         | Lab@123
IPv4 Pool          | VPN-POOL (192.168.1.1 - 192.168.1.254)
Split Tunneling    | 10.4.4.0/24 (DMZ only)

VPN DACLs

Create a VPN-specific DACL on ISE:

  • Name: ISE-VPN-DACL
  • Content:
    • deny icmp any any
    • permit ip any any

Attach the DACL to the VPN authorization profile. After re-connecting, the VPN user should be unable to ping the DMZ router but can still telnet and browse to it.

Verify the VPN session and DACL on the ASA:

show vpn-sessiondb anyconnect
show access-list

How Do You Configure TACACS+ Device Administration in the CCIE Security v6 Lab?

TACACS+ provides granular control over who can access network devices and what commands they can execute. The CCIE Security v6 lab tests your ability to configure authentication, authorization, and accounting for device administration through ISE.

Router and Switch TACACS+ Configuration

Configure all network devices to use ISE as the TACACS+ server:

! R1 (same pattern for R2, SW1, SW2)
aaa new-model
!
tacacs server ISE1-T
 address ipv4 10.1.1.1
 key Lab@123
!
aaa group server tacacs+ ISE-TAC
 server name ISE1-T

Generate RSA keys and configure authentication for VTY lines:

ip domain-name lab.nhprep.com
!
! 1024 bits matches the lab; a 2048-bit modulus is the current recommendation
crypto key generate rsa modulus 1024
!
! add "local" after the group to keep a fallback when ISE is unreachable
aaa authentication login TAC-AUTHEN group ISE-TAC
!
line vty 0 4
 login authentication TAC-AUTHEN
 transport input telnet ssh

Exec and Command Authorization

Configure exec-level and command-level authorization so ISE controls what privilege level users receive and which commands they can run:

aaa authorization config-commands
aaa authorization exec TAC-AUTHOR group ISE-TAC
aaa authorization commands 15 TAC-AUTHOR group ISE-TAC
!
line vty 0 4
 authorization exec TAC-AUTHOR
 authorization commands 15 TAC-AUTHOR

Accounting

Enable accounting to log all login/logout events and privilege-15 commands to ISE:

aaa accounting exec TAC-ACCT start-stop group ISE-TAC
aaa accounting commands 15 TAC-ACCT start-stop group ISE-TAC
!
line vty 0 4
 accounting exec TAC-ACCT
 accounting commands 15 TAC-ACCT

ISE TACACS+ Policies

On ISE, configure the Device Administration policies under Work Centers > Device Administration:

  1. TACACS+ Profile: Create PRIV_15 to set Exec privilege level to 15

  2. Command Sets:

Command Set              | Allowed Commands
Full-Access              | All commands
Routing-Protocol-CMDS    | configure terminal, router, network, version, router-id, distribute-list, redistribute, access-list, ip route
Switching-Assistant-CMDS | configure terminal, vlan, interface, switchport, spanning-tree, ip routing, ip route

  3. Device Admin Policies:

Policy Name         | Identity Group   | Device Group     | Exec Profile | Command Set
SuperAdmins-Policy  | SuperAdmins      | All Device Types | PRIV_15      | Full-Access
RouterAdmins-Policy | RP-Admins        | Routers          | PRIV_15      | Routing-Protocol-CMDS
SwitchAdmins-Policy | Switching-Admins | Switches         | PRIV_15      | Switching-Assistant-CMDS

Verify by logging in as each admin user and testing command authorization. For example, Admin2 (RP-Admins) should be able to enter router bgp 111 but not crypto isakmp policy 10. Admin3 (Switching-Admins) should be able to create VLANs but not configure routing protocols.

Verify accounting logs under Operations > TACACS+ > Live Logs on ISE.

Pro Tip: When configuring TACACS+ command authorization, always include configure terminal in every command set. Without it, administrators cannot enter global configuration mode, rendering all other permitted commands useless.
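The following Python model is an added example, not part of the guide and not ISE's matching engine: it encodes the three command sets and three Device Admin policies above and answers "would ISE permit this command for this user on this device?" so the expected outcomes (Admin2 gets router bgp 111 but not crypto isakmp policy 10, Admin3 gets VLANs but no routing protocols) can be checked before logging in. It assumes a simplified ISE command-set semantics: each row is a command keyword plus a regular expression for the arguments, rows are evaluated in order, and an unlisted command falls to the "permit unlisted" checkbox; the argument regexes and the treatment of a missing policy as deny are assumptions. The last function shows what the tip above warns about.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# (grant, command keyword, argument regex; "" matches any arguments).
# Simplified model of an ISE command-set row (assumption, see lead-in).
Rule = Tuple[str, str, str]


@dataclass
class CommandSet:
    name: str
    rules: List[Rule] = field(default_factory=list)
    permit_unlisted: bool = False   # "Permit any command that is not listed below"

    def allows(self, cmdline: str) -> bool:
        parts = cmdline.strip().split(None, 1)
        if not parts:
            return False
        command = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        for grant, cmd, args_re in self.rules:
            if cmd == command and re.fullmatch(args_re or ".*", args):
                return grant == "PERMIT"
        return self.permit_unlisted


def permit(cmd: str, args_re: str = "") -> Rule:
    return ("PERMIT", cmd, args_re)


# Command sets as listed in the guide (argument regexes are assumptions)
FULL_ACCESS = CommandSet("Full-Access", permit_unlisted=True)
ROUTING_CMDS = CommandSet("Routing-Protocol-CMDS", [
    permit("configure", "terminal"), permit("router"), permit("network"),
    permit("version"), permit("router-id"), permit("distribute-list"),
    permit("redistribute"), permit("access-list"), permit("ip", r"route .*"),
])
SWITCHING_CMDS = CommandSet("Switching-Assistant-CMDS", [
    permit("configure", "terminal"), permit("vlan"), permit("interface"),
    permit("switchport"), permit("spanning-tree"), permit("ip", "routing"),
    permit("ip", r"route .*"),
])

# Device Admin policies: (policy name, identity group, device group, command set)
POLICIES = [
    ("SuperAdmins-Policy", "SuperAdmins", "All Device Types", FULL_ACCESS),
    ("RouterAdmins-Policy", "RP-Admins", "Routers", ROUTING_CMDS),
    ("SwitchAdmins-Policy", "Switching-Admins", "Switches", SWITCHING_CMDS),
]


def authorize(identity_group: str, device_group: str, cmdline: str) -> Tuple[Optional[str], bool]:
    """Return (matching policy, permitted). No matching policy is treated as deny."""
    for name, grp, dev, cmdset in POLICIES:
        if grp == identity_group and dev in ("All Device Types", device_group):
            return name, cmdset.allows(cmdline)
    return None, False


def without_configure_terminal(cmdset: CommandSet) -> CommandSet:
    """The same set minus its 'configure terminal' row: what the pro tip warns about."""
    return CommandSet(cmdset.name + "-no-conft",
                      [r for r in cmdset.rules if r[1] != "configure"],
                      cmdset.permit_unlisted)


if __name__ == "__main__":
    for who, dev, cmd in (("RP-Admins", "Routers", "router bgp 111"),
                          ("RP-Admins", "Routers", "crypto isakmp policy 10"),
                          ("Switching-Admins", "Switches", "vlan 30"),
                          ("Switching-Admins", "Switches", "router ospf 1")):
        print(who, dev, repr(cmd), "->", authorize(who, dev, cmd))
```

Because IOS sends the fully expanded command to the TACACS+ server, "conf t" is authorized as "configure terminal"; the model therefore matches on expanded keywords only.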

How Do You Configure ISE Integration with FMC via pxGrid?

The CCIE Security v6 lab includes integrating ISE with Firepower Management Center (FMC) and Active Directory to enable identity-based access control policies on the firewall.

Prerequisites

Before integration, ensure:

  • pxGrid service is enabled on ISE (configured during ISE initialization)
  • Certificates are properly configured on both FMC and ISE
  • ISE is already joined to Active Directory

Integration Steps

The integration workflow involves:

  1. Configure certificates for FMC -- ensure the FMC trusts the ISE certificate chain
  2. Configure certificates and pxGrid on ISE -- enable pxGrid and approve the FMC as a pxGrid client
  3. Configure FMC to integrate with ISE and AD -- add the ISE identity source in FMC
  4. Configure Identity Policies in Access Control Policy (ACP) -- use ISE user identity data in firewall rules
  5. Use AD and ISE attributes in ACP -- create rules that match on AD group membership or ISE attributes

This integration allows the FMC to receive real-time user identity information from ISE via pxGrid, enabling the firewall to enforce policies based on who the user is rather than just their IP address.

How Do You Configure ESA Email Security in the CCIE Security v6 Lab?

The Email Security Appliance (ESA) section of the CCIE Security v6 lab covers initial deployment, SMTP relay configuration, and both incoming and outgoing content filters.

ESA Network Setup

The ESA lab uses a dedicated topology with mail servers for two domains. The ASA firewall translates the internal mail server address for external access and permits inbound SMTP:

! ASA - NAT for mail server
object network Mail
 host 192.168.100.99
 nat (Inside,Outside) static 192.1.11.25
!
access-list OUTSIDE permit tcp any host 192.168.100.99 eq 25
access-group OUTSIDE in interface Outside

DNS is configured with A records and MX records for both domains, pointing to the respective mail servers.

ESA CLI Initialization

Initialize the ESA from the CLI using the interfaceconfig command:

  • Interface Name: MgmtData
  • IP Address: 192.168.101.25/24
  • Hostname: esa.lab.nhprep.com
  • Protocols: SSH, FTP, HTTP, HTTPS

The ESA default credentials are admin/ironport. After CLI initialization, run the System Setup Wizard from the GUI to finalize settings:

  • Default Gateway: 192.168.1.10
  • DNS Server: configured per topology
  • Data 1 Interface: Enabled for accepting incoming email
  • Accepted Domain: the protected mail domain
  • Destination: the internal mail server IP

ESA as SMTP Relay

Configure a Mail Flow Policy to enable relaying:

  1. Browse to Mail Policies > Host Access Table (HAT) > Mail Flow Policies > Add Policy
  2. Policy Name: RELAYED
  3. Connection Behavior: Relay

Then configure a Sender Group to identify which hosts can relay through the ESA, and update DNS MX records to point to the ESA rather than directly to the mail server.

Incoming Content Filters

Incoming content filters inspect messages arriving from external sources. The lab covers two types:

String-Based Blocking:

  1. Browse to Mail Policies > Incoming Content Filters > Add Filter
  2. Filter Name: IC-BOMB
  3. Condition: Message Body contains "BOMB"
  4. Action: Drop

Size-Based Attachment Stripping:

  1. Filter Name: IC-File-Size
  2. Condition: Message Size greater than 3000000 bytes
  3. Action: Strip Attachment by File Info where File Size exceeds 3000000 bytes
  4. Replacement Message: "Attachment Dropped. Exceeded the Company Policy for Message Size"

After creating filters, apply them to the Default Incoming Mail Policy and commit changes.

Outgoing Content Filters

Outgoing filters protect against data loss and policy violations:

Smart Filter -- SSN Detection:

  1. Create a Text Resource (notification template) with content warning about SSN in emails
  2. Create an Outgoing Content Filter that detects Social Security Number patterns
  3. Action: Send notification to the sender using the notification template

File Type Blocking:

  1. Filter Name: OG-File-Type
  2. Condition: File Type is "exe"
  3. Action: Drop

Pro Tip: Always commit changes on the ESA after modifying content filters or mail policies. The ESA uses a staged configuration model -- changes are not active until you explicitly commit them.
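To make the filter logic concrete, here is an added Python simulation of the four content filters above (IC-BOMB, IC-File-Size, OG-File-Type and the SSN smart filter); it is example code, not the ESA's implementation or anything from the guide. The filter conditions, actions and replacement text come from the guide; the message and attachment model, the sample addresses, and the SSN regular expression (a plain NNN-NN-NNNN pattern standing in for the ESA smart identifier) are constructed for the example. Filters run in the order listed and a Drop ends processing, as on the appliance.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

MAX_SIZE = 3_000_000   # IC-File-Size threshold in bytes
REPLACEMENT = "Attachment Dropped. Exceeded the Company Policy for Message Size"
# Simplified US SSN shape; the real ESA smart identifier also validates the number
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Attachment:
    name: str
    size: int

    @property
    def file_type(self) -> str:
        return self.name.rsplit(".", 1)[-1].lower() if "." in self.name else ""


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    attachments: List[Attachment] = field(default_factory=list)
    notifications: List[Tuple[str, str]] = field(default_factory=list)  # (to, template)

    @property
    def size(self) -> int:
        return len(self.body.encode()) + sum(a.size for a in self.attachments)


def incoming_filters(msg: Message) -> str:
    """IC-BOMB then IC-File-Size; returns the verdict and mutates msg like the ESA actions."""
    if "BOMB" in msg.body:                      # IC-BOMB: Message Body contains "BOMB" -> Drop
        return "DROP"
    if msg.size > MAX_SIZE:                     # IC-File-Size: strip attachments over the limit
        kept = []
        for att in msg.attachments:
            if att.size > MAX_SIZE:
                msg.body += "\n" + REPLACEMENT  # replacement text stands in for the file
            else:
                kept.append(att)
        msg.attachments = kept
    return "DELIVER"


def outgoing_filters(msg: Message) -> str:
    """OG-File-Type then the SSN smart filter."""
    if any(att.file_type == "exe" for att in msg.attachments):  # OG-File-Type -> Drop
        return "DROP"
    if SSN_RE.search(msg.body):                 # SSN found -> notify the sender, still deliver
        msg.notifications.append((msg.sender, "SSN-WARNING"))
    return "DELIVER"


if __name__ == "__main__":
    # Constructed sample messages
    big = Message("sender@external.example", "user@lab.nhprep.com", "quarterly figures",
                  [Attachment("q.zip", 4_000_000), Attachment("note.txt", 900)])
    print(incoming_filters(big), [a.name for a in big.attachments])
    ssn = Message("user@lab.nhprep.com", "x@external.example", "my SSN is 123-45-6789")
    print(outgoing_filters(ssn), ssn.notifications)
```

Note that IC-File-Size is evaluated on the whole message but acts per attachment, so a message that is oversized only in aggregate keeps every attachment that is individually under the limit.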

How Do You Configure WSA Web Filtering in the CCIE Security v6 Lab?

The Web Security Appliance (WSA) provides proxy-based web filtering with category blocking, identity-based policies, and custom URL controls. The CCIE Security v6 lab tests WSA configuration including WCCP integration for transparent proxying.

WSA Initialization

Initialize the WSA from the CLI using interfaceconfig:

  • IP Address: 192.1.200.50/24
  • Default Gateway: 192.1.200.2
  • Hostname: wsa.lab.nhprep.com
  • Protocols: SSH, HTTP, HTTPS

Run the System Setup Wizard from the GUI (accessed at https://192.1.200.50:8443 with admin credentials) to configure:

  • System Name and DNS server
  • Network interfaces
  • Layer 4 traffic monitor settings

WCCP Transparent Redirection

For transparent proxying, configure WCCP on both the WSA and the router:

WSA Configuration:

  1. Browse to Network > Transparent Redirection
  2. Add a Service Profile:
    • Service Profile Name: R2
    • Dynamic Service ID: 55
    • Port Numbers: 80
    • Router IP Address: 192.1.200.2
    • Password: cisco

Router Configuration:

! R2
! The service ID must match the Dynamic Service ID (55) in the WSA service
! profile; "ip wccp web-cache" is the standard service (ID 0) and does not
! pair with a WSA profile that uses dynamic ID 55
ip wccp 55 redirect-list 101 group-list 11 password 0 cisco
!
! group-list: the WSA allowed to join the service group
access-list 11 permit 192.1.200.50
!
! redirect-list: client subnet as source, any web server as destination
access-list 101 permit tcp 172.16.1.0 0.0.0.255 any eq www
!
interface GigabitEthernet2
 ip wccp 55 redirect in

Pro Tip: WCCP redirect direction matters. Use redirect in on the interface facing the clients. Using redirect out is a common troubleshooting scenario where traffic does not get intercepted by the WSA.

Creating Identities for Web Filtering

Identities define which users or networks a web access policy applies to:

  1. Browse to Web Security Manager > Authentication > Identification Profiles > Add
  2. Create identities based on subnet or IP range:
    • Network 50: Subnet 192.1.50.0/24
    • Network 60: Subnet 192.1.60.0/24
    • Execs: Range 192.1.50.91 - 192.1.50.100

Category-Based Blocking

Configure the Global Policy to block specific URL categories:

  1. Browse to Web Security Manager > Web Policies > Access Policies
  2. Under URL Filtering for the Global Policy, set the following categories to Block:
    • Adult
    • Gambling
    • Pornography
    • Social Networking
    • Sports & Recreation

Identity-Specific Policies

Create tailored policies for different user groups. For example, the Execs identity might have a more permissive policy that only blocks Adult, Gambling, and Pornography categories while allowing Social Networking and Sports.

  1. Browse to Web Security Manager > Web Policies > Access Policies > Add Policy
  2. Policy Name: Execs Policy
  3. Associate with the Execs identification profile
  4. Block only the restricted categories for that group

Custom URL Categories

For granular control beyond predefined categories:

  1. Browse to Web Security Manager > Custom Policy Elements > Custom & External URL Categories > Add Category
  2. Create an Allow List with specific permitted URLs
  3. Create a Deny List with specific blocked URLs
  4. Apply these custom categories within access policies to override global category settings

How Does TrustSec and SDA Micro-Segmentation Work in the CCIE Security v6 Lab?

Software Defined Access (SDA) with TrustSec is the most architecturally complex section of the CCIE Security v6 lab. It involves DNAC (DNA Center) for fabric orchestration, ISE for policy enforcement, and TrustSec SGTs for micro-segmentation.

SDA Foundation -- DNAC and ISE Integration

Before building the fabric, integrate DNAC with ISE:

  1. Configure ISE RADIUS settings to allow repeated authentications (same settings as the ISE initialization module)
  2. In DNAC, add ISE as the AAA server under Design settings

DNAC Design Components

Configure the DNAC design hierarchy and network settings:

  1. Network Hierarchy: Create Site (e.g., Los Angeles) and Building (e.g., HQ)
  2. Server Configuration: Add ISE as the AAA server, configure NTP
  3. Device Credentials: Configure CLI credentials and SNMP settings for device discovery
  4. IP Address Pools: Create overlay and underlay pools

Fabric Creation and L3 Handoff

After discovering devices through LAN Automation:

  1. Reserve IP Pools for the HQ site for both overlay and underlay
  2. Create Virtual Networks (VNs): IT_VN and SALES_VN
  3. Create Transit Network (L3 Handoff) between the border switch and fusion router
  4. Configure Host Onboarding with INFRA, IT, and SALES VNs
  5. Provision the Control/Border device and Edge devices

ISE Configuration for SDA

Create user groups and authorization profiles that map to DNAC VNs:

Identity Group | Authorization Profile | VLAN Source
IT-DATA-1      | IT-DATA-1-PROF        | Copied from DNAC
IT-DATA-2      | IT-DATA-2-PROF        | Copied from DNAC
SALES-DATA-1   | SALES-DATA-1-PROF     | Copied from DNAC
SALES-DATA-2   | SALES-DATA-2-PROF     | Copied from DNAC

Authorization policies link groups to profiles using Wired_802.1x as the authentication method.

Macro-Segmentation Verification

Macro-segmentation isolates traffic between VNs. Users in IT_VN can communicate with each other but cannot reach users in SALES_VN. Verify by logging into endpoints with users from the same VN and confirming connectivity, then testing cross-VN isolation.

Creating Security Group Tags (SGTs)

For micro-segmentation within a VN, create SGTs in DNAC:

  • IT-DATA-1: SGT 6001, assigned to IT_VN
  • IT-DATA-2: SGT 6002, assigned to IT_VN

Navigate to Policy > Group Based Access Control > Scalable Groups > Create Security Group in DNAC.

Re-Configure ISE Authorization with SGTs

Update the ISE authorization policies to assign SGTs alongside the authorization profiles:

  • IT-DATA-1-POLICY: Identity Group = IT-DATA-1, Method = Wired_802.1x, Permission = IT-DATA-1-PROF, Security Group = IT-DATA-1
  • IT-DATA-2-POLICY: Identity Group = IT-DATA-2, Method = Wired_802.1x, Permission = IT-DATA-2-PROF, Security Group = IT-DATA-2

Applying SGACL Contracts

Control traffic between SGTs using contracts in DNAC:

  1. Default Deny: Set the policy matrix between IT-DATA-1 and IT-DATA-2 to use the built-in "Deny IP" contract. This blocks all communication between the two groups even though they are in the same VN.

  2. Custom Contract: Create a custom SGACL contract (e.g., IT-DATA-1-TO-IT-DATA-2) that permits specific traffic types while denying others.

  3. Apply the Contract: In DNAC, navigate to Group-Based Access Control > Policies, click the policy matrix cell intersecting IT-DATA-1 and IT-DATA-2, select the custom contract, and deploy.

To revert to default behavior, set the policy matrix back to "Default: Permit IP."

Pro Tip: When troubleshooting TrustSec, always verify that SGTs are being assigned correctly by checking the ISE RADIUS Live Logs. If SGTs are not appearing in the authentication results, confirm that the authorization policies have the Security Group field populated and that DNAC has successfully pushed the SGT definitions to ISE.
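The policy-matrix steps above, as an added Python model that is not part of the guide and not DNAC's or ISE's code: a source SGT by destination SGT grid of contracts, where an unset cell falls back to "Default: Permit IP", the built-in "Deny IP" contract blocks the cell, and a custom contract permits selected ports and denies the rest. The SGT numbers (6001, 6002) and the contract names are from the guide; the contents of the custom contract, the contract's implicit catch-all and the render format are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SGT values from the guide
SGT = {"IT-DATA-1": 6001, "IT-DATA-2": 6002}
SGT_NAME = {v: k for k, v in SGT.items()}


@dataclass
class Contract:
    name: str
    aces: List[Tuple[str, str, Optional[int]]]   # (action, protocol, destination port or None)
    catch_all: str = "deny"                      # behaviour after the listed ACEs (assumed)

    def decide(self, proto: str, dport: Optional[int] = None) -> str:
        for action, p, port in self.aces:
            if p in ("ip", proto) and (port is None or port == dport):
                return action
        return self.catch_all


PERMIT_IP = Contract("Default: Permit IP", [("permit", "ip", None)])
DENY_IP = Contract("Deny IP", [("deny", "ip", None)])
# Custom contract (assumed content): IT-DATA-1 may reach IT-DATA-2 on SSH and HTTPS only
IT1_TO_IT2 = Contract("IT-DATA-1-TO-IT-DATA-2",
                      [("permit", "tcp", 22), ("permit", "tcp", 443), ("deny", "ip", None)])


class PolicyMatrix:
    """Source SGT x destination SGT -> contract; unset cells use the default."""

    def __init__(self, default: Contract = PERMIT_IP):
        self.default = default
        self.cells: Dict[Tuple[int, int], Contract] = {}

    def set_cell(self, src_sgt: int, dst_sgt: int, contract: Contract) -> None:
        self.cells[(src_sgt, dst_sgt)] = contract

    def clear_cell(self, src_sgt: int, dst_sgt: int) -> None:
        """Revert the cell to "Default: Permit IP"."""
        self.cells.pop((src_sgt, dst_sgt), None)

    def evaluate(self, src_sgt: int, dst_sgt: int, proto: str, dport: Optional[int] = None):
        contract = self.cells.get((src_sgt, dst_sgt), self.default)
        return contract.name, contract.decide(proto, dport)

    def render(self) -> str:
        """Text view of the grid, one row per source SGT, like the DNAC policy matrix."""
        tags = sorted(SGT.values())
        rows = ["src\\dst".ljust(12) + "".join(SGT_NAME[t].ljust(26) for t in tags)]
        for s in tags:
            rows.append(SGT_NAME[s].ljust(12) + "".join(
                self.cells.get((s, d), self.default).name.ljust(26) for d in tags))
        return "\n".join(rows)


if __name__ == "__main__":
    m = PolicyMatrix()
    m.set_cell(SGT["IT-DATA-1"], SGT["IT-DATA-2"], IT1_TO_IT2)
    print(m.render())
    print(m.evaluate(6001, 6002, "tcp", 443), m.evaluate(6001, 6002, "tcp", 80))
```

Each cell is directional: setting a contract from IT-DATA-1 to IT-DATA-2 leaves the IT-DATA-2 to IT-DATA-1 cell at its default, so the reverse direction has to be configured on its own if it should be restricted too.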

CCIE Security v6 Lab Troubleshooting Tips

Troubleshooting is a critical skill tested throughout the CCIE Security v6 lab. Based on common lab scenarios, here are the areas most likely to have intentional breaks:

802.1X and MAB Troubleshooting

  • Verify RADIUS shared keys match between the switch and ISE network device configuration
  • Check that internal users are enabled on ISE (they may be created but disabled)
  • Validate DACL syntax -- incorrect port numbers (e.g., port 81 instead of 80) will break expected access
  • Confirm VLAN assignments in authorization profiles match the actual VLAN IDs on the switch
  • Use show authentication sessions interface <interface> to verify authentication status and DACL download

WSA and WCCP Troubleshooting

  • WCCP ACLs must match the correct source/destination direction -- source subnets are the clients, destinations are the servers
  • The WCCP group-list must contain the correct WSA IP address
  • WCCP redirect must be applied in the correct direction on the router interface
  • The WSA forwarding method must support both L2 and GRE
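The following Python checker is an added example (not part of the guide, and not a Cisco tool) that serves both the WCCP configuration section and the four WCCP troubleshooting points above: it parses the router's WCCP, interface and access-list lines and compares them with the WSA service profile, flagging a service-ID mismatch, a password mismatch, a group-list that does not permit the WSA, a redirect-list whose source and destination are reversed, and a missing or wrong-direction redirect on the client-facing interface. The router snippets and the broken variant are constructed; the WSA values (service 55, password, 192.1.200.50) and the good configuration follow the guide. Forwarding-method (L2/GRE) agreement is not something the router text alone can show, so it is not checked.

```python
import re
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

# Constructed router configs: ROUTER_OK mirrors R2 from the guide, ROUTER_BROKEN
# contains the mistakes from the troubleshooting list.
ROUTER_OK = """\
ip wccp 55 redirect-list 101 group-list 11 password 0 cisco
access-list 11 permit 192.1.200.50
access-list 101 permit tcp 172.16.1.0 0.0.0.255 any eq www
interface GigabitEthernet2
 ip wccp 55 redirect in
"""
ROUTER_BROKEN = """\
ip wccp 55 redirect-list 101 group-list 11 password 0 c1sco
access-list 11 permit 192.1.200.51
access-list 101 permit tcp any 172.16.1.0 0.0.0.255 eq www
interface GigabitEthernet2
 ip wccp 55 redirect out
"""
# WSA service profile values from the guide
WSA_PROFILE = {"service_id": "55", "password": "cisco", "ip": "192.1.200.50"}


def take_addr(tokens):
    """Consume one IOS ACL address spec (any | host A | A WILDCARD | A); return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) > 1 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", tokens[1]):
        if tokens[1] == "0.0.0.0":
            return ip_network(tokens[0] + "/32"), tokens[2:]
        # ipaddress accepts a wildcard mask as a hostmask
        return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]
    return ip_network(tokens[0] + "/32"), tokens[1:]


def parse_router(text):
    """Pull WCCP services, interface redirects and numbered ACLs out of an IOS config."""
    cfg = {"services": {}, "acl": {}, "redirects": []}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):   # top-level line: enter or leave an interface stanza
            iface = line.split(None, 1)[1] if line.startswith("interface ") else None
        m = re.fullmatch(r"ip wccp (\S+) redirect (in|out)", line)
        if m:
            if iface:
                cfg["redirects"].append((iface, m.group(1), m.group(2)))
            continue
        m = re.match(r"ip wccp (\S+)(.*)", line)
        if m:
            opts = dict(re.findall(r"(redirect-list|group-list) (\d+)", m.group(2)))
            pw = re.search(r"password \d (\S+)", m.group(2))
            opts["password"] = pw.group(1) if pw else None
            cfg["services"][m.group(1)] = opts
            continue
        m = re.match(r"access-list (\d+) (permit|deny) (.*)", line)
        if m:
            cfg["acl"].setdefault(m.group(1), []).append((m.group(2), m.group(3).split()))
    return cfg


def check_wccp(router_text, wsa, client_iface, client_subnet):
    """Return a list of findings; an empty list means router and WSA agree."""
    cfg = parse_router(router_text)
    findings = []
    svc = wsa["service_id"]
    service = cfg["services"].get(svc)
    if service is None:
        findings.append(f"router has no 'ip wccp {svc}' service; found {sorted(cfg['services'])}")
        service = {}
    elif service.get("password") != wsa["password"]:
        findings.append("WCCP password on the router does not match the WSA service profile")

    wsa_ip = ip_address(wsa["ip"])
    group = cfg["acl"].get(service.get("group-list"), [])
    if not any(act == "permit" and wsa_ip in take_addr(tok)[0] for act, tok in group):
        findings.append(f"group-list does not permit the WSA address {wsa_ip}")

    clients = ip_network(client_subnet)
    src_ok = reversed_acl = False
    for act, tok in cfg["acl"].get(service.get("redirect-list"), []):
        if act != "permit":
            continue
        src, rest = take_addr(tok[1:])   # tok[0] is the protocol
        dst, _ = take_addr(rest)
        if dst != ANY and clients.subnet_of(dst):
            reversed_acl = True
        elif clients.subnet_of(src):
            src_ok = True
    if reversed_acl:
        findings.append("redirect-list names the client subnet as destination; source/destination are reversed")
    elif not src_ok:
        findings.append("redirect-list does not match the client subnet as source")

    dirs = [d for i, s, d in cfg["redirects"] if i == client_iface and s == svc]
    if "in" not in dirs:
        hint = " (found 'redirect out')" if "out" in dirs else ""
        findings.append(f"no 'ip wccp {svc} redirect in' on client-facing interface {client_iface}{hint}")
    return findings


if __name__ == "__main__":
    for name, text in (("OK", ROUTER_OK), ("BROKEN", ROUTER_BROKEN)):
        print(name, check_wccp(text, WSA_PROFILE, "GigabitEthernet2", "172.16.1.0/24") or "no findings")
```

Paste the output of show running-config | section wccp|access-list|interface from the router into ROUTER_OK's place to run it against a live lab device.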

VPN Troubleshooting

  • Verify EIGRP key chains match between ASA and connected routers
  • Check that the AnyConnect image is present on both units in a failover pair
  • Ensure the ASA outside interface is not in shutdown state

Frequently Asked Questions

What topics does the CCIE Security v6 lab exam cover?

The CCIE Security v6 lab covers Identity Services Engine (ISE) with 802.1X authentication and TACACS+ device administration, ASA and Firepower firewall configuration, VPN technologies (AnyConnect SSL, site-to-site IPsec, DMVPN), Email Security Appliance (ESA) content filtering, Web Security Appliance (WSA) web filtering, and Software Defined Access (SDA) with TrustSec segmentation. The lab also includes a troubleshooting section where you must diagnose and fix intentionally broken configurations.

How do DACLs differ from static ACLs on a switch?

Downloadable ACLs (DACLs) are dynamically pushed from ISE to the switch during the RADIUS authentication process. Unlike static ACLs that are manually configured on switch interfaces, DACLs are applied per-session based on the user's authorization profile. This means different users on the same switch port can receive different access policies. DACLs appear in the switch access-list table with auto-generated names and can be verified using show authentication sessions interface <interface> details and show access-lists.

What is the difference between macro-segmentation and micro-segmentation in SDA?

Macro-segmentation uses Virtual Networks (VNs) to create isolated routing domains within the SDA fabric. Users in different VNs cannot communicate by default -- for example, IT_VN and SALES_VN are completely isolated from each other. Micro-segmentation operates within a single VN using Security Group Tags (SGTs) and SGACL contracts. It allows you to control which groups within the same VN can communicate. For instance, IT-DATA-1 (SGT 6001) and IT-DATA-2 (SGT 6002) are both in IT_VN but can have traffic between them denied or selectively permitted through custom contracts.

How does WCCP work with the WSA for transparent web filtering?

Web Cache Communication Protocol (WCCP) enables a router to transparently redirect web traffic to the WSA without requiring any proxy configuration on client devices. The router intercepts HTTP traffic matching a redirect-list ACL on the specified interface and forwards it to the WSA identified by the group-list ACL. The WSA processes the traffic according to its access policies and either permits, blocks, or monitors the request. Key configuration elements include the WCCP service ID, the router redirect-list and group-list ACLs, the redirect direction (which must be "in" on the client-facing interface), and matching WCCP passwords on both the router and WSA.

What are the key ISE services needed for the CCIE Security v6 lab?

ISE must run several services across the lab modules: the Policy Services node handles RADIUS authentication for 802.1X and VPN; the Device Admin Service enables TACACS+ for router and switch administration; pxGrid provides the integration channel between ISE and FMC for identity-based firewall policies; and the standard Administration and Monitoring services manage configuration and logging. All services can run on a single ISE node in the lab environment. Enable Device Admin Service and pxGrid under Administration > System > Deployment on the ISE node.

How do you verify TACACS+ command authorization is working?

After configuring TACACS+ authentication, exec authorization, and command authorization on network devices, verify by logging in as different admin users and testing command access. For example, a user in the RP-Admins group should successfully enter router bgp 111 but receive a "Command authorization failed" message when attempting crypto isakmp policy 10. Check ISE logs under Operations > TACACS+ > Live Logs to see both successful and failed authorization attempts with the exact commands that were permitted or denied.

Conclusion

The CCIE Security v6 lab demands hands-on proficiency across a broad range of security technologies. This guide has walked you through the complete lab workflow -- from building the base network with VLANs, EIGRP routing, and DHCP, through ISE deployment for 802.1X authentication with VLAN assignment and DACLs, Active Directory integration, VPN authentication, TACACS+ device administration with role-based command sets, ESA email content filtering, WSA web security with WCCP transparent redirection, and SDA TrustSec micro-segmentation with SGTs and SGACL contracts.

The key to success is repetition. Build these configurations from scratch multiple times until the commands, ISE navigation paths, and verification steps become second nature. Pay particular attention to the relationships between components -- the RADIUS shared secrets that link switches to ISE, the authorization policies that map identity groups to profiles, the WCCP ACLs that connect routers to the WSA, and the SGT assignments that bridge DNAC policy to ISE enforcement.

Explore the full range of CCIE Security preparation resources on NHPREP to strengthen your lab readiness and build the confidence needed to pass on exam day.