Home > Store > Certification > Cisco Certification > CCNP Security / CCSP

CCNP Security Secure 642-637 Official Cert Guide

Register your product to gain access to bonus material or receive a coupon.

CCNP Security Secure 642-637 Official Cert Guide

Best Value Purchase

Book + eBook Bundle

  • Your Price: $80.49
  • List Price: $139.98
  • About Premium Edition eBooks
  • The Premium Edition eBook and Practice Test is a digital-only certification preparation product combining an eBook with enhanced Pearson IT Certification Practice Tests. Click on the "Premium Edition" tab (on the left side of this page) to learn more about this product.

    Your purchase will deliver:

    • Link to download the enhanced Pearson IT Certification Practice Test exam engine
    • Access code for question database
    • eBook in the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    MOBI MOBI The eBook format compatible with the Amazon Kindle and Amazon Kindle applications.

    Adobe Reader PDF The popular standard, used most often with the free Adobe® Reader® software.

    The eBooks require no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

    Watermarked eBook FAQ

    eBook Download Instructions

More Purchase Options

Book

  • Your Price: $55.99
  • List Price: $69.99
  • Usually ships in 24 hours.

Premium Edition eBook

  • Your Price: $55.99
  • List Price: $69.99
  • About Premium Edition eBooks
  • The Premium Edition eBook and Practice Test is a digital-only certification preparation product combining an eBook with enhanced Pearson IT Certification Practice Tests. Click on the "Premium Edition" tab (on the left side of this page) to learn more about this product.

    Your purchase will deliver:

    • Link to download the enhanced Pearson IT Certification Practice Test exam engine
    • Access code for question database
    • eBook in the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    MOBI MOBI The eBook format compatible with the Amazon Kindle and Amazon Kindle applications.

    Adobe Reader PDF The popular standard, used most often with the free Adobe® Reader® software.

    The eBooks require no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

    Watermarked eBook FAQ

    eBook Download Instructions

Description

  • Copyright 2011
  • Dimensions: 7-3/8" x 9-1/8"
  • Pages: 800
  • Edition: 1st
  • Book
  • ISBN-10: 1-58714-280-5
  • ISBN-13: 978-1-58714-280-2

Trust the best selling Official Cert Guide series from Cisco Press to help you learn, prepare, and practice for exam success. They are built with the objective of providing assessment, review, and practice to help ensure you are fully prepared for your certification exam.

CCNP Security SECURE 642-637 Official Cert Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.

  • Master CCNP Security SECURE 642-637 exam topics
  • Assess your knowledge with chapter-opening quizzes
  • Review key concepts with exam preparation tasks
  • Practice with realistic exam questions on the CD-ROM

CCNP Security SECURE 642-637 Official Cert Guide focuses specifically on the objectives for the CCNP Security SECURE exam. Senior networking consultants Sean Wilkins and Trey Smith share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

The companion CD-ROM contains a powerful Pearson IT Certification Practice Test engine that enables you to focus on individual topic areas or take a complete, timed exam. The assessment engine also tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most.

Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.

The official study guide helps you master all the topics on the CCNP Security SECURE exam, including:

  • Network security threats and foundation protection
  • Switched data plane security
  • 802.1X and identity-based networking services
  • Cisco IOS routed data plane security
  • Cisco IOS control plane security
  • Cisco IOS management plane security
  • NAT
  • Zone-based firewalls
  • IOS intrusion prevention system
  • Cisco IOS site-to-site security solutions
  • IPsec VPNs, dynamic multipoint VPNs, and GET VPNs
  • SSL VPNs and EZVPN

CCNP Security SECURE 642-637 Official Cert Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.

The print edition of the CCNP Security SECURE 642-637 Official Cert Guide contains a free, complete practice exam.

Pearson IT Certification Practice Test minimum system requirements:

Windows XP (SP3), Windows Vista (SP2), or Windows 7;

Microsoft .NET Framework 4.0 Client;

Microsoft SQL Server Compact 4.0;

Pentium class 1GHz processor (or equivalent);

512 MB RAM;

650 MB disc space plus 50 MB for each downloaded practice exam

Also available from Cisco Press for Cisco CCNP Security study is the CCNP Security SECURE 642-637 Official Cert Guide Premium Edition eBook and Practice Test. This digital-only certification preparation product combines an eBook with enhanced Pearson IT Certification Practice Test.

This integrated learning package:

  • Allows you to focus on individual topic areas or take complete, timed exams
  • Includes direct links from each question to detailed tutorials to help you understand the concepts behind the questions
  • Provides unique sets of exam-realistic practice questions
  • Tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most

Premium Edition

The exciting new CCNP Security SECURE 642-637 Official Cert Guide, Premium Edition eBook and Practice Test is a digital-only certification preparation product combining an eBook with enhanced Pearson IT Certification Practice Test. The Premium Edition eBook and Practice Test contains the following items:

  • The CCNP Security SECURE 642-637 Premium Edition Practice Test, including three full practice exams (over 200 questions) and enhanced practice test features
  • PDF and EPUB formats of the CCNP Security SECURE 642-637 Official Cert Guide from Cisco Press, which are accessible via your PC, tablet, and Smartphone

About the Premium Edition Practice Test

This Premium Edition contains an enhanced version of the Pearson IT Certification Practice Test (PCPT) software with three full practice exams. In addition, it contains all the chapter-opening assessment questions from the book. This integrated learning package:

  • Allows you to focus on individual topic areas or take complete, timed exams
  • Includes direct links from each question to detailed tutorials to help you understand the concepts behind the questions
  • Provides unique sets of exam-realistic practice questions
  • Tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most

Pearson IT Certification Practice Test minimum system requirements:

Windows XP (SP3), Windows Vista (SP2), or Windows 7;

Microsoft .NET Framework 4.0 Client;

Microsoft SQL Server Compact 4.0;

Pentium class 1GHz processor (or equivalent);

512 MB RAM;

650 MB disc space plus 50 MB for each downloaded practice exam

About the Premium Edition eBook


CCNP Security SECURE 642-637 Official Cert Guide, focuses specifically on the objectives for the CCNP Security SECURE exam. Senior networking consultants Sean Wilkins and Trey Franklin share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

CCNP Security SECURE 642-637 Official Cert Guide, presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already” quizzes open each chapter and allow you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.

  

Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.

This official study guide helps you master all the topics on the CCNP Security SECURE exam, including:

  • Network security threats and foundation protection
  • Switched data plane security
  • 802.1X and identity based networking services
  • Cisco IOS routed data plane security
  • Cisco IOS control plane security
  • Cisco IOS management plane security
  • NAT
  • Zone-based firewalls
  • IOS intrusion prevention system
  • Cisco IOS site-to-site security solutions
  • IPsec VPNs, dynamic multipoint VPNs, and GET VPNs
  • SSL VPNs and EZVPN

Sample Content

Online Sample Chapter

Cisco CCNP Security Cert Guide: Implementing and Configuring Cisco IOS Routed Data Plane Security

Sample Pages

Download the sample pages (includes Chapter 8 and Index)

Table of Contents

    Introduction xxxiii

Part I Network Security Technologies Overview

Chapter 1 Network Security Fundamentals 3

        “Do I Know This Already?” Quiz 3

    Foundation Topics 7

        Defining Network Security 7

        Building Secure Networks 7

        Cisco SAFE 9

        SCF Basics 9

        SAFE/SCF Architecture Principles 12

        SAFE/SCF Network Foundation Protection (NFP) 14

        SAFE/SCF Design Blueprints 14

        SAFE Usage 15

        Exam Preparation 17

Chapter 2 Network Security Threats 21

        “Do I Know This Already?” Quiz 21

    Foundation Topics 24

        Vulnerabilities 24

        Self-Imposed Network Vulnerabilities 24

        Intruder Motivations 29

        Lack of Understanding of Computers or Networks 30

        Intruding for Curiosity 30

        Intruding for Fun and Pride 30

        Intruding for Revenge 30

        Intruding for Profit 31

        Intruding for Political Purposes 31

        Types of Network Attacks 31

        Reconnaissance Attacks 32

        Access Attacks 33

        DoS Attacks 35

        Exam Preparation 36

Chapter 3 Network Foundation Protection (NFP) Overview 39

        “Do I Know This Already?” Quiz 39

    Foundation Topics 42

        Overview of Device Functionality Planes 42

        Control Plane 43

        Data Plane 44

        Management Plane 45

        Identifying Network Foundation Protection Deployment Models 45

        Identifying Network Foundation Protection Feature Availability 48

        Cisco Catalyst Switches 48

        Cisco Integrated Services Routers (ISR) 49

        Cisco Supporting Management Components 50

        Exam Preparation 53

Part II Cisco IOS Foundation Security Solutions

Chapter 4 Configuring and Implementing Switched Data Plane Security Solutions 57

        “Do I Know This Already?” Quiz 57

    Foundation Topics 60

        Switched Data Plane Attack Types 60

        VLAN Hopping Attacks 60

        CAM Flooding Attacks 61

        MAC Address Spoofing 63

        Spanning Tree Protocol (STP) Spoofing Attacks 63

        DHCP Starvation Attacks 66

        DHCP Server Spoofing 67

        ARP Spoofing 67

        Switched Data Plane Security Technologies 67

        Port Configuration 67

        Port Security 71

        Root Guard, BPDU Guard, and PortFast 74

        DHCP Snooping 75

        Dynamic ARP Inspection (DAI) 77

        IP Source Guard 79

        Private VLANs (PVLAN) 80

        Exam Preparation 84

Chapter 5 802.1X and Cisco Identity-Based Networking Services (IBNS) 91

        “Do I Know This Already?” Quiz 91

    Foundation Topics 94

        Identity-Based Networking Services (IBNS) and IEEE 802.1x Overview 94

        IBNS and 802.1x Enhancements and Features 94

        802.1x Components 96

        802.1x Interworking 97

        Extensible Authentication Protocol (EAP) 97

        EAP over LAN (EAPOL) 98

        EAP Message Exchange 99

        Port States 100

        Port Authentication Host Modes 101

        EAP Type Selection 102

        EAP—Message Digest Algorithm 5 102

        Protected EAP w/MS-CHAPv2 102

        Cisco Lightweight EAP 103

        EAP—Transport Layer Security 104

        EAP—Tunneled Transport Layer Security 104

        EAP—Flexible Authentication via Secure Tunneling 105

        Exam Preparation 106

Chapter 6 Implementing and Configuring Basic 802.1X 109

        “Do I Know This Already?” Quiz 109

    Foundation Topics 112

        Plan Basic 802.1X Deployment on Cisco Catalyst IOS Software 112

        Gathering Input Parameters 113

        Deployment Tasks 113

        Deployment Choices 114

        General Deployment Guidelines 114

        Configure and Verify Cisco Catalyst IOS Software 802.1X Authenticator 115

        Configuration Choices 115

        Configuration Scenario 115

        Verify Basic 802.1X Functionality 121

        Configure and Verify Cisco ACS for EAP-FAST 121

        Configuration Choices 122

        Configuration Scenario 122

        Configure the Cisco Secure Services Client 802.1X Supplicant 128

        Task 1: Create the CSSC Configuration Profile 128

        Task 2: Create a Wired Network Profile 128

        Tasks 3 and 4: (Optional) Tune 802.1X Timers and

        Authentication Mode 130

        Task 5: Configure the Inner and Outer EAP Mode for the Connection 131

        Task 6: Choose the Login Credentials to Be Used for Authentication 132

        Task 7: Create the CSSC Installation Package 133

        Network Login 134

        Verify and Troubleshoot 802.1 X Operations 134

        Troubleshooting Flow 134

        Successful Authentication 135

        Verify Connection Status 135

        Verify Authentication on AAA Server 135

        Verify Guest/Restricted VLAN Assignment 135

        802.1X Readiness Check 135

        Unresponsive Supplicant 135

        Failed Authentication: RADIUS Configuration Issues 135

        Failed Authentication: Bad Credentials 135

        Exam Preparation 136

Chapter 7 Implementing and Configuring Advanced 802.1X 139

        “Do I Know This Already?” Quiz 139

    Foundation Topics 143

        Plan the Deployment of Cisco Advanced 802.1X Authentication Features 143

        Gathering Input Parameters 143

        Deployment Tasks 144

        Deployment Choices 144

        Configure and Verify EAP-TLS Authentication on Cisco IOS Components and Cisco Secure ACS 145

        EAP-TLS with 802.1X Configuration Tasks 145

        Configuration Scenario 146

        Configuration Choices 146

        Task 1: Configure RADIUS Server 147

        Task 2: Install Identity and Certificate Authority Certificates on All Clients 147

        Task 3: Configure an Identity Certificate on the Cisco Secure ACS Server 147

        Task 4: Configure Support of EAP-TLS on the Cisco Secure ACS Server 149

        Task 5: (Optional) Configure EAP-TLS Support Using the Microsoft Windows Native Supplicant 151

        Task 6: (Optional) Configure EAP-TLS Support Using the Cisco Secure Services Client (CSSC) Supplicant 152

        Implementation Guidelines 153

        Feature Support 153

        Verifying EAP-TLS Configuration 153

        Deploying User and Machine Authentication 153

        Configuring User and Machine Authentication Tasks 154

        Configuration Scenario 154

        Task 1: Install Identity and Certificate Authority Certificates on All Clients 155

        Task 2: Configure Support of EAP-TLS on Cisco Secure ACS Server 155

        Task 3: Configure Support of Machine Authentication on Cisco Secure ACS Server 156

        Task 4: Configure Support of Machine Authentication on Microsoft Windows Native 802.1X Supplicant 156

        Task 5: (Optional) Configure Machine Authentication Support Using the Cisco Secure Services Client (CSSC) Supplicant 157

        Task 6: (Optional) Configure Additional User Support Using the Cisco Secure Services Client (CSSC) Supplicant 158

        Implementation Guidelines 158

        Feature Support 158

        Deploying VLAN and ACL Assignment 159

        Deploying VLAN and ACL Assignment Tasks 159

        Configuration Scenario 159

        Configuration Choices 160

        Task 1: Configure Cisco IOS Software 802.1X Authenticator Authorization 160

        Task 2: (Optional) Configure VLAN Assignment on Cisco Secure ACS 161

        Task 3: (Optional) Configure and Prepare for ACL Assignment on Cisco IOS Software Switch 162

        Task 4: (Optional) Configure ACL Assignment on Cisco Secure ACS Server 162

        Verification of VLAN and ACL Assignment with Cisco IOS Software CLI 164

        Verification of VLAN and ACL Assignment on Cisco Secure ACS 165

        Configure and Verify Cisco Secure ACS MAC Address ExceptionPolicies 165

        Cisco Catalyst IOS Software MAC Authentication Bypass (MAB) 165

        Configuration Tasks 166

        Configuration Scenario 166

        Tasks 1 and 2: Configure MAC Authentication Bypass on the Switch and ACS 167

        Verification of Configuration 168

        Implementation Guidelines 168

        Configure and Verify Web Authentication on Cisco IOS Software LAN Switches and Cisco Secure ACS 168

        Configuration Tasks 169

        Configuration Scenario 169

        Task 1: Configure Web Authentication on the Switch 169

        Task 2: Configure Web Authentication on the Cisco Secure ACS Server 171

        Web Authentication Verification 172

        User Experience 172

        Choose a Method to Support Multiple Hosts on a Single Port 172

        Multiple Hosts Support Guidelines 172

        Configuring Support of Multiple Hosts on a Single Port 172

        Configuring Fail-Open Policies 174

        Configuring Critical Ports 174

        Configuring Open Authentication 176

        Resolve 802.1X Compatibility Issues 176

        Wake-on-LAN (WOL) 176

        Non-802.1X IP Phones 177

        Preboot Execution Environment (PXE) 177

        Exam Preparation 178

Chapter 8 Implementing and Configuring Cisco IOS Routed Data Plane Security 183

        “Do I Know This Already?” Quiz 183

    Foundation Topics 186

        Routed Data Plane Attack Types 186

        IP Spoofing 186

        Slow-Path Denial of Service 186

        Traffic Flooding 187

        Routed Data Plane Security Technologies 187

        Access Control Lists (ACL) 187

        Flexible Packet Matching 196

        Flexible NetFlow 203

        Unicast Reverse Path Forwarding (Unicast RPF) 209

        Exam Preparation 212

Chapter 9 Implementing and Configuring Cisco IOS Control

Plane Security 219

        “Do I Know This Already?” Quiz 219

    Foundation Topics 222

        Control Plane Attack Types 222

        Slow-Path Denial of Service 222

        Routing Protocol Spoofing 222

        Control Plane Security Technologies 222

        Control Plane Policing (CoPP) 222

        Control Plane Protection (CPPr) 226

        Routing Protocol Authentication 232

        Exam Preparation 237

Chapter 10 Implementing and Configuring Cisco IOS Management Plane Security 245

        “Do I Know This Already?” Quiz 245

    Foundation Topics 248

        Management Plane Attack Types 248

        Management Plane Security Technologies 248

        Basic Management Security and Privileges 248

        SSH 254

        SNMP 256

        CPU and Memory Thresholding 261

        Management Plane Protection 262

        AutoSecure 263

        Digitally Signed Cisco Software 265

        Exam Preparation 267

Part III Cisco IOS Threat Detection and Control

Chapter 11 Implementing and Configuring Network Address Translation (NAT) 275

        “Do I Know This Already?” Quiz 275

    Foundation Topics 278

        Network Address Translation 278

        Static NAT Example 280

        Dynamic NAT Example 280

        PAT Example 281

        NAT Configuration 282

        Overlapping NAT 287

        Exam Preparation 290

Chapter 12 Implementing and Configuring Zone-Based Policy Firewalls 295

        “Do I Know This Already?” Quiz 295

    Foundation Topics 298

        Zone-Based Policy Firewall Overview 298

        Zones/Security Zones 298

        Zone Pairs 299

        Transparent Firewalls 300

        Zone-Based Layer 3/4 Policy Firewall Configuration 301

        Class Map Configuration 302

        Parameter Map Configurations 304

        Policy Map Configuration 306

        Zone Configuration 308

        Zone Pair Configuration 309

        Port to Application Mapping (PAM) Configuration 310

        Zone-Based Layer 7 Policy Firewall Configuration 312

        URL Filter 313

        HTTP Inspection 318

        Exam Preparation 323

Chapter 13 Implementing and Configuring IOS Intrusion Prevention System (IPS) 333

        “Do I Know This Already?” Quiz 333

    Foundation Topics 336

        Configuration Choices, Basic Procedures, and Required Input Parameters 336

        Intrusion Detection and Prevention with Signatures 337

        Sensor Accuracy 339

        Choosing a Cisco IOS IPS Sensor Platform 340

        Software-Based Sensor 340

        Hardware-Based Sensor 340

        Deployment Tasks 341

        Deployment Guidelines 342

        Deploying Cisco IOS Software IPS Signature Policies 342

        Configuration Tasks 342

        Configuration Scenario 342

        Verification 346

        Guidelines 347

        Tuning Cisco IOS Software IPS Signatures 347

        Event Risk Rating System Overview 348

        Event Risk Rating Calculation 348

        Event Risk Rating Example 349

        Signature Event Action Overrides (SEAO) 349

        Signature Event Action Filters (SEAF) 349

        Configuration Tasks 350

        Configuration Scenario 350

        Verification 355

        Implementation Guidelines 355

        Deploying Cisco IOS Software IPS Signature Updates 355

        Configuration Tasks 356

        Configuration Scenario 356

        Task 1: Install Signature Update License 356

        Task 2: Configure Automatic Signature Updates 357

        Verification 357

        Monitoring Cisco IOS Software IPS Events 358

        Cisco IOS Software IPS Event Generation 358

        Cisco IME Features 358

        Cisco IME Minimum System Requirements 359

        Configuration Tasks 359

        Configuration Scenario 360

        Task 2: Add the Cisco IOS Software IPS Sensor to Cisco IME 361

        Verification 362

        Verification: Local Events 362

        Verification: IME Events 363

        Cisco IOS Software IPS Sensor 363

        Troubleshooting Resource Use 365

        Additional Debug Commands 365

        Exam Preparation 366

Part IV Managing and Implementing Cisco IOS Site-to-Site Security Solutions

Chapter 14 Introduction to Cisco IOS Site-to-Site Security Solutions 369

        “Do I Know This Already?” Quiz 369

    Foundation Topics 372

        Choose an Appropriate VPN LAN Topology 372

        Input Parameters for Choosing the Best VPN LAN Topology 373

        General Deployment Guidelines for Choosing the Best VPN LAN Topology 373

        Choose an Appropriate VPN WAN Technology 373

        Input Parameters for Choosing the Best VPN WAN Technology 374

        General Deployment Guidelines for Choosing the Best VPN WAN Technology 376

        Core Features of IPsec VPN Technology 376

        IPsec Security Associations 377

        Internet Key Exchange (IKE) 377

        IPsec Phases 377

        IKE Main and Aggressive Mode 378

        Encapsulating Security Payload 378

        Choose Appropriate VPN Cryptographic Controls 379

        IPsec Security Associations 379

        Algorithm Choices 379

        General Deployment Guidelines for Choosing Cryptographic Controls for a Site-to-Site VPN Implementation 381

        Design and Implementation Resources 382

        Exam Preparation 383

Chapter 15 Deploying VTI-Based Site-to-Site IPsec VPNs 387

        “Do I Know This Already?” Quiz 387

    Foundation Topics 390

        Plan a Cisco IOS Software VTI-Based Site-to-Site VPN 390

        Virtual Tunnel Interfaces 390

        Input Parameters 392

        Deployment Tasks 393

        Deployment Choices 393

        General Deployment Guidelines 393

        Configuring Basic IKE Peering 393

        Cisco IOS Software Default IKE PSK-Based Policies 394

        Configuration Tasks 394

        Configuration Choices 395

        Configuration Scenario 395

        Task 1: (Optional) Configure an IKE Policy on Each Peer 395

        Tasks 2 and 3: Generate and Configure Authentication Credentials on Each Peer 396

        Verify Local IKE Sessions 396

        Verify Local IKE Policies 396

        Verify a Successful Phase 1 Exchange 397

        Implementation Guidelines 397

        Troubleshooting IKE Peering 397

        Troubleshooting Flow 397

        Configuring Static Point-to-Point IPsec VTI Tunnels 398

        Default Cisco IOS Software IPsec Transform Sets 398

        Configuration Tasks 398

        Configuration Choices 399

        Configuration Scenario 399

        Task 1: (Optional) Configure an IKE Policy on Each Peer 399

        Task 2: (Optional) Configure an IPsec Transform Set 399

        Task 3: Configure an IPsec Protection Profile 400

        Task 4: Configure a Virtual Tunnel Interface (VTI) 400

        Task 5: Apply the Protection Profile to the Tunnel Interface 401

        Task 6: Configure Routing into the VTI Tunnel 401

        Implementation Guidelines 401

        Verify Tunnel Status and Traffic 401

        Troubleshooting Flow 402

        Configure Dynamic Point-to-Point IPsec VTI Tunnels 403

        Virtual Templates and Virtual Access Interfaces 403

        ISAKMP Profiles 404

        Configuration Tasks 404

        Configuration Scenario 404

        Task 1: Configure IKE Peering 405

        Task 2: (Optional) Configure an IPsec Transform Set 405

        Task 3: Configure an IPsec Protection Profile 405

        Task 4: Configure a Virtual Template Interface 406

        Task 5: Map Remote Peer to a Virtual Template Interface 406

        Verify Tunnel Status on the Hub 407

        Implementation Guidelines 407

        Exam Preparation 408

Chapter 16 Deploying Scalable Authentication in Site-to-Site IPsec VPNs 411

        “Do I Know This Already?” Quiz 411

    Foundation Topics 414

        Describe the Concept of a Public Key Infrastructure 414

        Manual Key Exchange with Verification 414

        Trusted Introducing 414

        Public Key Infrastructure: Certificate Authorities 416

        X.509 Identity Certificate 417

        Certificate Revocation Checking 418

        Using Certificates in Network Applications 419

        Deployment Choices 420

        Deployment Steps 420

        Input Parameters 421

        Deployment Guidelines 421

        Configure, Verify, and Troubleshoot a Basic Cisco IOS Software Certificate Server 421

        Configuration Tasks for a Root Certificate Server 422

        Configuration Scenario 423

        Task 1: Create an RSA Key Pair 423

        Task 2: Create a PKI Trustpoint 424

        Tasks 3 and 4: Create the CS and Configure the Database Location 424

        Task 5: Configure an Issuing Policy 425

        Task 6: Configure the Revocation Policy 425

        Task 7: Configure the SCEP Interface 426

        Task 8: Enable the Certificate Server 426

        Cisco Configuration Professional Support 426

        Verify the Cisco IOS Software Certificate Server 427

        Feature Support 427

        Implementation Guidelines 428

        Troubleshooting Flow 429

        PKI and Time: Additional Guidelines 429

        Enroll a Cisco IOS Software VPN Router into a PKI and Troubleshoot the Enrollment Process 429

        PKI Client Features 429

        Simple Certificate Enrollment Protocol 430

        Key Storage 430

        Configuration Tasks 430

        Configuration Scenario 431

        Task 1: Create an RSA Key Pair 431

        Task 2: Create an RSA Key Pair 432

        Task 3: Authenticate the PKI Certificate Authority 432

        Task 4: Create an Enrollment Request on the VPN Router 433

        Task 5: Issue the Client Certificate on the CA Server 434

        Certificate Revocation on the Cisco IOS Software Certificate Server 434

        Cisco Configuration Professional Support 434

        Verify the CA and Identity Certificates 435

        Feature Support 435

        Implementation Guidelines 436

        Troubleshooting Flow 436

        Configure and Verify the Integration of a Cisco IOS Software VPN Router with Supporting PKI Entities 436

        IKE Peer Authentication 436

        IKE Peer Certificate Authorization 437

        Configuration Tasks 437

        Configuration Scenario 437

        Task 1: Configure an IKE Policy 438

        Task 2: Configure an ISAKMP Profile 438

        Task 3: Configure Certificate-Based Authorization of Remote Peers 438

        Verify IKE SA Establishment 439

        Feature Support 439

        Implementation Guidelines 440

        Troubleshooting Flow 440

        Configuring Advanced PKI Integration 440

        Configuring CRL Handling on PKI Clients 441

        Using OCSP or AAA on PKI Clients 441

        Exam Preparation 442

Chapter 17 Deploying DMVPNs 447

        “Do I Know This Already?” Quiz 447

    Foundation Topics 451

        Understanding the Cisco IOS Software DMVPN

        Architecture 451

        Building Blocks of DMVPNs 452

        Hub-and-Spoke Versus On-Demand Fully Meshed VPNs 452

        DMVPN Initial State 453

        DMVPN Spoke-to-Spoke Tunnel Creation 453

        DMVPN Benefits and Limitations 454

        Plan the Deployment of a Cisco IOS Software DMVPN 455

        Input Parameters 455

        Deployment Tasks 455

        Deployment Choices 456

        General Deployment Guidelines 456

        Configure and Verify Cisco IOS Software GRE Tunnels 456

        GRE Features and Limitations 456

        Point-to-Point Versus Point-to-Multipoint GRE Tunnels 457

        Point-to-Point Tunnel Configuration Example 457

        Configuration Tasks for a Hub-and-Spoke Network 459

        Configuration Scenario 459

        Task 1: Configure an mGRE Interface on the Hub 459

        Task 2: Configure a GRE Interface on the Spoke 459

        Verify the State of GRE Tunnels 460

        Configure and Verify a Cisco IOS Software NHRP Client and Server 461

        (m)GRE and NHRP Integration 461

        Configuration Tasks 461

        Configuration Scenario 461

        Task 1: Configure an NHRP Server 461

        Task 2: Configure an NHRP Client 462

        Verify NHRP Mappings 462

        Debugging NHRP 463

        Configure and Verify a Cisco IOS Software DMVPN Hub 464

        Configuration Tasks 464

        Configuration Scenario 464

        Task 1: (Optional) Configure an IKE Policy 464

        Task 2: Generate and/or Configure Authentication Credentials 465

        Task 3: Configure an IPsec Profile 465

        Task 4: Create an mGRE Tunnel Interface 465

        Task 5: Configure the NHRP Server 465

        Task 6: Associate the IPsec Profile with the mGRE Interface 466

        Task 7: Configure IP Parameters on the mGRE Interface 466

        Cisco Configuration Professional Support 466

        Verify Spoke Registration 466

        Verify Registered Spoke Details 467

        Implementation Guidelines 468

        Feature Support 468

        Configure and Verify a Cisco IOS Software DMVPN Spoke 468

        Configuration Tasks 468

        Configuration Scenario 469

        Task 1: (Optional) Configure an IKE Policy 469

        Task 2: Generate and/or Configure Authentication Credentials 469

        Task 3: Configure an IPsec Profile 469

        Task 4: Create an mGRE Tunnel Interface 470

        Task 5: Configure the NHRP Client 470

        Task 6: Associate the IPsec Profile with the mGRE Interface 470

        Task 7: Configure IP Parameters on the mGRE Interface 471

        Verify Tunnel State and Traffic Statistics 471

        Configure and Verify Dynamic Routing in a Cisco IOS Software DMVPN 471

        EIGRP Hub Configuration 472

        OSPF Hub Configuration 473

        Hub-and-Spoke Routing and IKE Peering on Spoke 473

        Full Mesh Routing and IKE Peering on Spoke 474

        Troubleshoot a Cisco IOS Software DMVPN 474

        Troubleshooting Flow 475

        Exam Preparation 476

Chapter 18 Deploying High Availability in Tunnel-Based IPsec VPNs 481

        “Do I Know This Already?” Quiz 481

    Foundation Topics 484

        Plan the Deployment of Cisco IOS Software Site-to-Site IPsec VPN High-Availability Features 484

        VPN Failure Modes 484

        Partial Failure of the Transport Network 484

        Partial or Total Failure of the Service Provider (SP) Transport

        Network 485

        Partial or Total Failure of a VPN Device 485

        Deployment Guidelines 485

        Use Routing Protocols for VPN Failover 486

        Routing to VPN Tunnel Endpoints 486

        Routing Protocol Inside the VPN Tunnel 486

        Recursive Routing Hazard 487

        Routing Protocol VPN Topologies 487

        Routing Tuning for Path Selection 487

        Routing Tuning for Faster Convergence 488

        Choose the Most Optimal Method of Mitigating Failure in a VTI-Based VPN 488

        Path Redundancy Using a Single-Transport Network 489

        Path Redundancy Using Two Transport Networks 489

        Path and Device Redundancy in Single-Transport Networks 489

        Path and Device Redundancy with Multiple-Transport Networks 489

        Choose the Most Optimal Method of Mitigating Failure in a DMVPN 490

        Recommended Architecture 490

        Shared IPsec SAs 490

        Configuring a DMVPN with a Single-Transport Network 490

        Configuring a DMVPN over Multiple-Transport Networks 493

        Exam Preparation 495

Chapter 19 Deploying GET VPNs 499

        “Do I Know This Already?” Quiz 499

    Foundation Topics 502

        Describe the Operation of a Cisco IOS Software GET VPN 502

        Peer Authentication and Policy Provisioning 502

        GET VPN Traffic Exchange 504

        Packet Security Services 504

        Key Management Architecture 505

        Rekeying Methods 505

        Traffic Encapsulation 507

        Benefits and Limitations 507

        Plan the Deployment of a Cisco IOS Software GET VPN 508

        Input Parameters 508

        Deployment Tasks 508

        Deployment Choices 509

        Deployment Guidelines 509

        Configure and Verify a Cisco IOS Software GET VPN Key Server 509

        Configuration Tasks 509

        Configuration Choices 510

        Configuration Scenario 510

        Task 1: (Optional) Configure an IKE Policy 511

        Task 2: Generate and/or Configure Authentication Credentials 511

        Task 3: Generate RSA keys for Rekey Authentication 511

        Task 4: Configure a Traffic Protection Policy on the Key Server 512

        Task 5: Enable and Configure the GET VPN Key Server Function 512

        Task 6: (Optional) Tune the Rekeying Policy 513

        Task 7: Create and Apply the GET VPN Crypto Map 513

        Cisco Configuration Professional Support 514

        Verify Basic Key Server Settings 514

        Verify the Rekey Policy 514

        List All Registered Members 515

        Implementation Guidelines 515

        Configure and Verify Cisco IOS Software GET VPN Group Members 515

        Configuration Tasks 516

        Configuration Choices 516

        Configuration Scenario 516

        Task 1: Configure an IKE Policy 516

        Task 2: Generate and/or Configure Authentication Credentials 517

      

More Information

Unlimited one-month access with your purchase
Free Safari Membership