Trust the best selling Official Cert Guide series from Cisco Press to help you learn, prepare, and practice for exam success. They are built with the objective of providing assessment, review, and practice to help ensure you are fully prepared for your certification exam.
CCNP Security SECURE 642-637 Official Cert Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.
CCNP Security SECURE 642-637 Official Cert Guide focuses specifically on the objectives for the CCNP Security SECURE exam. Senior networking consultants Sean Wilkins and Trey Smith share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.
The companion CD-ROM contains a powerful Pearson IT Certification Practice Test engine that enables you to focus on individual topic areas or take a complete, timed exam. The assessment engine also tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most.
Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.
The official study guide helps you master all the topics on the CCNP Security SECURE exam, including:
CCNP Security SECURE 642-637 Official Cert Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.
The print edition of the CCNP Securi
Basic Intrusion Prevention System (IPS) Concepts and Configuration
Basic NAT Concepts and Configuration
Cisco Network Infrastructure Security: Control Plane Policing Concepts and Configuration
Flexible Netflow Concepts and Configuration
Routing Protocol Authentication Concepts and Configuration
Securing the Management Plane of a Cisco Network Device
SNMP Concepts and Configuration
Switchport Security Concepts and Configuration
Unicast Reverse Path Forwarding Concepts and Configuration
Working with Protocol Analyzers and Related Certifications
The exciting new CCNP Security SECURE 642-637 Official Cert Guide, Premium Edition eBook and Practice Test is a digital-only certification preparation product combining an eBook with enhanced Pearson IT Certification Practice Test. The Premium Edition eBook and Practice Test contains the following items:
About the Premium Edition Practice Test
This Premium Edition contains an enhanced version of the Pearson IT Certification Practice Test (PCPT) software with three full practice exams. In addition, it contains all the chapter-opening assessment questions from the book. This integrated learning package:
Pearson IT Certification Practice Test minimum system requirements:
Windows XP (SP3), Windows Vista (SP2), or Windows 7;
Microsoft .NET Framework 4.0 Client;
Microsoft SQL Server Compact 4.0;
Pentium-class 1 GHz processor (or equivalent);
512 MB RAM;
650 MB disk space plus 50 MB for each downloaded practice exam
About the Premium Edition eBook
CCNP Security SECURE 642-637 Official Cert Guide focuses specifically on the objectives for the CCNP Security SECURE exam. Senior networking consultants Sean Wilkins and Trey Franklin share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.
CCNP Security SECURE 642-637 Official Cert Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and allow you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.
Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.
This official study guide helps you master all the topics on the CCNP Security SECURE exam, including:
Cisco CCNP Security Cert Guide: Implementing and Configuring Cisco IOS Routed Data Plane Security
Introduction xxxiii
Part I Network Security Technologies Overview
Chapter 1 Network Security Fundamentals 3
“Do I Know This Already?” Quiz 3
Foundation Topics 7
Defining Network Security 7
Building Secure Networks 7
Cisco SAFE 9
SCF Basics 9
SAFE/SCF Architecture Principles 12
SAFE/SCF Network Foundation Protection (NFP) 14
SAFE/SCF Design Blueprints 14
SAFE Usage 15
Exam Preparation 17
Chapter 2 Network Security Threats 21
“Do I Know This Already?” Quiz 21
Foundation Topics 24
Vulnerabilities 24
Self-Imposed Network Vulnerabilities 24
Intruder Motivations 29
Lack of Understanding of Computers or Networks 30
Intruding for Curiosity 30
Intruding for Fun and Pride 30
Intruding for Revenge 30
Intruding for Profit 31
Intruding for Political Purposes 31
Types of Network Attacks 31
Reconnaissance Attacks 32
Access Attacks 33
DoS Attacks 35
Exam Preparation 36
Chapter 3 Network Foundation Protection (NFP) Overview 39
“Do I Know This Already?” Quiz 39
Foundation Topics 42
Overview of Device Functionality Planes 42
Control Plane 43
Data Plane 44
Management Plane 45
Identifying Network Foundation Protection Deployment Models 45
Identifying Network Foundation Protection Feature Availability 48
Cisco Catalyst Switches 48
Cisco Integrated Services Routers (ISR) 49
Cisco Supporting Management Components 50
Exam Preparation 53
Part II Cisco IOS Foundation Security Solutions
Chapter 4 Configuring and Implementing Switched Data Plane Security Solutions 57
“Do I Know This Already?” Quiz 57
Foundation Topics 60
Switched Data Plane Attack Types 60
VLAN Hopping Attacks 60
CAM Flooding Attacks 61
MAC Address Spoofing 63
Spanning Tree Protocol (STP) Spoofing Attacks 63
DHCP Starvation Attacks 66
DHCP Server Spoofing 67
ARP Spoofing 67
Switched Data Plane Security Technologies 67
Port Configuration 67
Port Security 71
Root Guard, BPDU Guard, and PortFast 74
DHCP Snooping 75
Dynamic ARP Inspection (DAI) 77
IP Source Guard 79
Private VLANs (PVLAN) 80
Exam Preparation 84
Chapter 5 802.1X and Cisco Identity-Based Networking Services (IBNS) 91
“Do I Know This Already?” Quiz 91
Foundation Topics 94
Identity-Based Networking Services (IBNS) and IEEE 802.1x Overview 94
IBNS and 802.1x Enhancements and Features 94
802.1x Components 96
802.1x Interworking 97
Extensible Authentication Protocol (EAP) 97
EAP over LAN (EAPOL) 98
EAP Message Exchange 99
Port States 100
Port Authentication Host Modes 101
EAP Type Selection 102
EAP—Message Digest Algorithm 5 102
Protected EAP w/MS-CHAPv2 102
Cisco Lightweight EAP 103
EAP—Transport Layer Security 104
EAP—Tunneled Transport Layer Security 104
EAP—Flexible Authentication via Secure Tunneling 105
Exam Preparation 106
Chapter 6 Implementing and Configuring Basic 802.1X 109
“Do I Know This Already?” Quiz 109
Foundation Topics 112
Plan Basic 802.1X Deployment on Cisco Catalyst IOS Software 112
Gathering Input Parameters 113
Deployment Tasks 113
Deployment Choices 114
General Deployment Guidelines 114
Configure and Verify Cisco Catalyst IOS Software 802.1X Authenticator 115
Configuration Choices 115
Configuration Scenario 115
Verify Basic 802.1X Functionality 121
Configure and Verify Cisco ACS for EAP-FAST 121
Configuration Choices 122
Configuration Scenario 122
Configure the Cisco Secure Services Client 802.1X Supplicant 128
Task 1: Create the CSSC Configuration Profile 128
Task 2: Create a Wired Network Profile 128
Tasks 3 and 4: (Optional) Tune 802.1X Timers and Authentication Mode 130
Task 5: Configure the Inner and Outer EAP Mode for the Connection 131
Task 6: Choose the Login Credentials to Be Used for Authentication 132
Task 7: Create the CSSC Installation Package 133
Network Login 134
Verify and Troubleshoot 802.1X Operations 134
Troubleshooting Flow 134
Successful Authentication 135
Verify Connection Status 135
Verify Authentication on AAA Server 135
Verify Guest/Restricted VLAN Assignment 135
802.1X Readiness Check 135
Unresponsive Supplicant 135
Failed Authentication: RADIUS Configuration Issues 135
Failed Authentication: Bad Credentials 135
Exam Preparation 136
Chapter 7 Implementing and Configuring Advanced 802.1X 139
“Do I Know This Already?” Quiz 139
Foundation Topics 143
Plan the Deployment of Cisco Advanced 802.1X Authentication Features 143
Gathering Input Parameters 143
Deployment Tasks 144
Deployment Choices 144
Configure and Verify EAP-TLS Authentication on Cisco IOS Components and Cisco Secure ACS 145
EAP-TLS with 802.1X Configuration Tasks 145
Configuration Scenario 146
Configuration Choices 146
Task 1: Configure RADIUS Server 147
Task 2: Install Identity and Certificate Authority Certificates on All Clients 147
Task 3: Configure an Identity Certificate on the Cisco Secure ACS Server 147
Task 4: Configure Support of EAP-TLS on the Cisco Secure ACS Server 149
Task 5: (Optional) Configure EAP-TLS Support Using the Microsoft Windows Native Supplicant 151
Task 6: (Optional) Configure EAP-TLS Support Using the Cisco Secure Services Client (CSSC) Supplicant 152
Implementation Guidelines 153
Feature Support 153
Verifying EAP-TLS Configuration 153
Deploying User and Machine Authentication 153
Configuring User and Machine Authentication Tasks 154
Configuration Scenario 154
Task 1: Install Identity and Certificate Authority Certificates on All Clients 155
Task 2: Configure Support of EAP-TLS on Cisco Secure ACS Server 155
Task 3: Configure Support of Machine Authentication on Cisco Secure ACS Server 156
Task 4: Configure Support of Machine Authentication on Microsoft Windows Native 802.1X Supplicant 156
Task 5: (Optional) Configure Machine Authentication Support Using the Cisco Secure Services Client (CSSC) Supplicant 157
Task 6: (Optional) Configure Additional User Support Using the Cisco Secure Services Client (CSSC) Supplicant 158
Implementation Guidelines 158
Feature Support 158
Deploying VLAN and ACL Assignment 159
Deploying VLAN and ACL Assignment Tasks 159
Configuration Scenario 159
Configuration Choices 160
Task 1: Configure Cisco IOS Software 802.1X Authenticator Authorization 160
Task 2: (Optional) Configure VLAN Assignment on Cisco Secure ACS 161
Task 3: (Optional) Configure and Prepare for ACL Assignment on Cisco IOS Software Switch 162
Task 4: (Optional) Configure ACL Assignment on Cisco Secure ACS Server 162
Verification of VLAN and ACL Assignment with Cisco IOS Software CLI 164
Verification of VLAN and ACL Assignment on Cisco Secure ACS 165
Configure and Verify Cisco Secure ACS MAC Address Exception Policies 165
Cisco Catalyst IOS Software MAC Authentication Bypass (MAB) 165
Configuration Tasks 166
Configuration Scenario 166
Tasks 1 and 2: Configure MAC Authentication Bypass on the Switch and ACS 167
Verification of Configuration 168
Implementation Guidelines 168
Configure and Verify Web Authentication on Cisco IOS Software LAN Switches and Cisco Secure ACS 168
Configuration Tasks 169
Configuration Scenario 169
Task 1: Configure Web Authentication on the Switch 169
Task 2: Configure Web Authentication on the Cisco Secure ACS Server 171
Web Authentication Verification 172
User Experience 172
Choose a Method to Support Multiple Hosts on a Single Port 172
Multiple Hosts Support Guidelines 172
Configuring Support of Multiple Hosts on a Single Port 172
Configuring Fail-Open Policies 174
Configuring Critical Ports 174
Configuring Open Authentication 176
Resolve 802.1X Compatibility Issues 176
Wake-on-LAN (WOL) 176
Non-802.1X IP Phones 177
Preboot Execution Environment (PXE) 177
Exam Preparation 178
Chapter 8 Implementing and Configuring Cisco IOS Routed Data Plane Security 183
“Do I Know This Already?” Quiz 183
Foundation Topics 186
Routed Data Plane Attack Types 186
IP Spoofing 186
Slow-Path Denial of Service 186
Traffic Flooding 187
Routed Data Plane Security Technologies 187
Access Control Lists (ACL) 187
Flexible Packet Matching 196
Flexible NetFlow 203
Unicast Reverse Path Forwarding (Unicast RPF) 209
Exam Preparation 212
Chapter 9 Implementing and Configuring Cisco IOS Control Plane Security 219
“Do I Know This Already?” Quiz 219
Foundation Topics 222
Control Plane Attack Types 222
Slow-Path Denial of Service 222
Routing Protocol Spoofing 222
Control Plane Security Technologies 222
Control Plane Policing (CoPP) 222
Control Plane Protection (CPPr) 226
Routing Protocol Authentication 232
Exam Preparation 237
Chapter 10 Implementing and Configuring Cisco IOS Management Plane Security 245
“Do I Know This Already?” Quiz 245
Foundation Topics 248
Management Plane Attack Types 248
Management Plane Security Technologies 248
Basic Management Security and Privileges 248
SSH 254
SNMP 256
CPU and Memory Thresholding 261
Management Plane Protection 262
AutoSecure 263
Digitally Signed Cisco Software 265
Exam Preparation 267
Part III Cisco IOS Threat Detection and Control
Chapter 11 Implementing and Configuring Network Address Translation (NAT) 275
“Do I Know This Already?” Quiz 275
Foundation Topics 278
Network Address Translation 278
Static NAT Example 280
Dynamic NAT Example 280
PAT Example 281
NAT Configuration 282
Overlapping NAT 287
Exam Preparation 290
Chapter 12 Implementing and Configuring Zone-Based Policy Firewalls 295
“Do I Know This Already?” Quiz 295
Foundation Topics 298
Zone-Based Policy Firewall Overview 298
Zones/Security Zones 298
Zone Pairs 299
Transparent Firewalls 300
Zone-Based Layer 3/4 Policy Firewall Configuration 301
Class Map Configuration 302
Parameter Map Configurations 304
Policy Map Configuration 306
Zone Configuration 308
Zone Pair Configuration 309
Port to Application Mapping (PAM) Configuration 310
Zone-Based Layer 7 Policy Firewall Configuration 312
URL Filter 313
HTTP Inspection 318
Exam Preparation 323
Chapter 13 Implementing and Configuring IOS Intrusion Prevention System (IPS) 333
“Do I Know This Already?” Quiz 333
Foundation Topics 336
Configuration Choices, Basic Procedures, and Required Input Parameters 336
Intrusion Detection and Prevention with Signatures 337
Sensor Accuracy 339
Choosing a Cisco IOS IPS Sensor Platform 340
Software-Based Sensor 340
Hardware-Based Sensor 340
Deployment Tasks 341
Deployment Guidelines 342
Deploying Cisco IOS Software IPS Signature Policies 342
Configuration Tasks 342
Configuration Scenario 342
Verification 346
Guidelines 347
Tuning Cisco IOS Software IPS Signatures 347
Event Risk Rating System Overview 348
Event Risk Rating Calculation 348
Event Risk Rating Example 349
Signature Event Action Overrides (SEAO) 349
Signature Event Action Filters (SEAF) 349
Configuration Tasks 350
Configuration Scenario 350
Verification 355
Implementation Guidelines 355
Deploying Cisco IOS Software IPS Signature Updates 355
Configuration Tasks 356
Configuration Scenario 356
Task 1: Install Signature Update License 356
Task 2: Configure Automatic Signature Updates 357
Verification 357
Monitoring Cisco IOS Software IPS Events 358
Cisco IOS Software IPS Event Generation 358
Cisco IME Features 358
Cisco IME Minimum System Requirements 359
Configuration Tasks 359
Configuration Scenario 360
Task 2: Add the Cisco IOS Software IPS Sensor to Cisco IME 361
Verification 362
Verification: Local Events 362
Verification: IME Events 363
Cisco IOS Software IPS Sensor 363
Troubleshooting Resource Use 365
Additional Debug Commands 365
Exam Preparation 366
Part IV Managing and Implementing Cisco IOS Site-to-Site Security Solutions
Chapter 14 Introduction to Cisco IOS Site-to-Site Security Solutions 369
“Do I Know This Already?” Quiz 369
Foundation Topics 372
Choose an Appropriate VPN LAN Topology 372
Input Parameters for Choosing the Best VPN LAN Topology 373
General Deployment Guidelines for Choosing the Best VPN LAN Topology 373
Choose an Appropriate VPN WAN Technology 373
Input Parameters for Choosing the Best VPN WAN Technology 374
General Deployment Guidelines for Choosing the Best VPN WAN Technology 376
Core Features of IPsec VPN Technology 376
IPsec Security Associations 377
Internet Key Exchange (IKE) 377
IPsec Phases 377
IKE Main and Aggressive Mode 378
Encapsulating Security Payload 378
Choose Appropriate VPN Cryptographic Controls 379
IPsec Security Associations 379
Algorithm Choices 379
General Deployment Guidelines for Choosing Cryptographic Controls for a Site-to-Site VPN Implementation 381
Design and Implementation Resources 382
Exam Preparation 383
Chapter 15 Deploying VTI-Based Site-to-Site IPsec VPNs 387
“Do I Know This Already?” Quiz 387
Foundation Topics 390
Plan a Cisco IOS Software VTI-Based Site-to-Site VPN 390
Virtual Tunnel Interfaces 390
Input Parameters 392
Deployment Tasks 393
Deployment Choices 393
General Deployment Guidelines 393
Configuring Basic IKE Peering 393
Cisco IOS Software Default IKE PSK-Based Policies 394
Configuration Tasks 394
Configuration Choices 395
Configuration Scenario 395
Task 1: (Optional) Configure an IKE Policy on Each Peer 395
Tasks 2 and 3: Generate and Configure Authentication Credentials on Each Peer 396
Verify Local IKE Sessions 396
Verify Local IKE Policies 396
Verify a Successful Phase 1 Exchange 397
Implementation Guidelines 397
Troubleshooting IKE Peering 397
Troubleshooting Flow 397
Configuring Static Point-to-Point IPsec VTI Tunnels 398
Default Cisco IOS Software IPsec Transform Sets 398
Configuration Tasks 398
Configuration Choices 399
Configuration Scenario 399
Task 1: (Optional) Configure an IKE Policy on Each Peer 399
Task 2: (Optional) Configure an IPsec Transform Set 399
Task 3: Configure an IPsec Protection Profile 400
Task 4: Configure a Virtual Tunnel Interface (VTI) 400
Task 5: Apply the Protection Profile to the Tunnel Interface 401
Task 6: Configure Routing into the VTI Tunnel 401
Implementation Guidelines 401
Verify Tunnel Status and Traffic 401
Troubleshooting Flow 402
Configure Dynamic Point-to-Point IPsec VTI Tunnels 403
Virtual Templates and Virtual Access Interfaces 403
ISAKMP Profiles 404
Configuration Tasks 404
Configuration Scenario 404
Task 1: Configure IKE Peering 405
Task 2: (Optional) Configure an IPsec Transform Set 405
Task 3: Configure an IPsec Protection Profile 405
Task 4: Configure a Virtual Template Interface 406
Task 5: Map Remote Peer to a Virtual Template Interface 406
Verify Tunnel Status on the Hub 407
Implementation Guidelines 407
Exam Preparation 408
Chapter 16 Deploying Scalable Authentication in Site-to-Site IPsec VPNs 411
“Do I Know This Already?” Quiz 411
Foundation Topics 414
Describe the Concept of a Public Key Infrastructure 414
Manual Key Exchange with Verification 414
Trusted Introducing 414
Public Key Infrastructure: Certificate Authorities 416
X.509 Identity Certificate 417
Certificate Revocation Checking 418
Using Certificates in Network Applications 419
Deployment Choices 420
Deployment Steps 420
Input Parameters 421
Deployment Guidelines 421
Configure, Verify, and Troubleshoot a Basic Cisco IOS Software Certificate Server 421
Configuration Tasks for a Root Certificate Server 422
Configuration Scenario 423
Task 1: Create an RSA Key Pair 423
Task 2: Create a PKI Trustpoint 424
Tasks 3 and 4: Create the CS and Configure the Database Location 424
Task 5: Configure an Issuing Policy 425
Task 6: Configure the Revocation Policy 425
Task 7: Configure the SCEP Interface 426
Task 8: Enable the Certificate Server 426
Cisco Configuration Professional Support 426
Verify the Cisco IOS Software Certificate Server 427
Feature Support 427
Implementation Guidelines 428
Troubleshooting Flow 429
PKI and Time: Additional Guidelines 429
Enroll a Cisco IOS Software VPN Router into a PKI and Troubleshoot the Enrollment Process 429
PKI Client Features 429
Simple Certificate Enrollment Protocol 430
Key Storage 430
Configuration Tasks 430
Configuration Scenario 431
Task 1: Create an RSA Key Pair 431
Task 2: Create an RSA Key Pair 432
Task 3: Authenticate the PKI Certificate Authority 432
Task 4: Create an Enrollment Request on the VPN Router 433
Task 5: Issue the Client Certificate on the CA Server 434
Certificate Revocation on the Cisco IOS Software Certificate Server 434
Cisco Configuration Professional Support 434
Verify the CA and Identity Certificates 435
Feature Support 435
Implementation Guidelines 436
Troubleshooting Flow 436
Configure and Verify the Integration of a Cisco IOS Software VPN Router with Supporting PKI Entities 436
IKE Peer Authentication 436
IKE Peer Certificate Authorization 437
Configuration Tasks 437
Configuration Scenario 437
Task 1: Configure an IKE Policy 438
Task 2: Configure an ISAKMP Profile 438
Task 3: Configure Certificate-Based Authorization of Remote Peers 438
Verify IKE SA Establishment 439
Feature Support 439
Implementation Guidelines 440
Troubleshooting Flow 440
Configuring Advanced PKI Integration 440
Configuring CRL Handling on PKI Clients 441
Using OCSP or AAA on PKI Clients 441
Exam Preparation 442
Chapter 17 Deploying DMVPNs 447
“Do I Know This Already?” Quiz 447
Foundation Topics 451
Understanding the Cisco IOS Software DMVPN Architecture 451
Building Blocks of DMVPNs 452
Hub-and-Spoke Versus On-Demand Fully Meshed VPNs 452
DMVPN Initial State 453
DMVPN Spoke-to-Spoke Tunnel Creation 453
DMVPN Benefits and Limitations 454
Plan the Deployment of a Cisco IOS Software DMVPN 455
Input Parameters 455
Deployment Tasks 455
Deployment Choices 456
General Deployment Guidelines 456
Configure and Verify Cisco IOS Software GRE Tunnels 456
GRE Features and Limitations 456
Point-to-Point Versus Point-to-Multipoint GRE Tunnels 457
Point-to-Point Tunnel Configuration Example 457
Configuration Tasks for a Hub-and-Spoke Network 459
Configuration Scenario 459
Task 1: Configure an mGRE Interface on the Hub 459
Task 2: Configure a GRE Interface on the Spoke 459
Verify the State of GRE Tunnels 460
Configure and Verify a Cisco IOS Software NHRP Client and Server 461
(m)GRE and NHRP Integration 461
Configuration Tasks 461
Configuration Scenario 461
Task 1: Configure an NHRP Server 461
Task 2: Configure an NHRP Client 462
Verify NHRP Mappings 462
Debugging NHRP 463
Configure and Verify a Cisco IOS Software DMVPN Hub 464
Configuration Tasks 464
Configuration Scenario 464
Task 1: (Optional) Configure an IKE Policy 464
Task 2: Generate and/or Configure Authentication Credentials 465
Task 3: Configure an IPsec Profile 465
Task 4: Create an mGRE Tunnel Interface 465
Task 5: Configure the NHRP Server 465
Task 6: Associate the IPsec Profile with the mGRE Interface 466
Task 7: Configure IP Parameters on the mGRE Interface 466
Cisco Configuration Professional Support 466
Verify Spoke Registration 466
Verify Registered Spoke Details 467
Implementation Guidelines 468
Feature Support 468
Configure and Verify a Cisco IOS Software DMVPN Spoke 468
Configuration Tasks 468
Configuration Scenario 469
Task 1: (Optional) Configure an IKE Policy 469
Task 2: Generate and/or Configure Authentication Credentials 469
Task 3: Configure an IPsec Profile 469
Task 4: Create an mGRE Tunnel Interface 470
Task 5: Configure the NHRP Client 470
Task 6: Associate the IPsec Profile with the mGRE Interface 470
Task 7: Configure IP Parameters on the mGRE Interface 471
Verify Tunnel State and Traffic Statistics 471
Configure and Verify Dynamic Routing in a Cisco IOS Software DMVPN 471
EIGRP Hub Configuration 472
OSPF Hub Configuration 473
Hub-and-Spoke Routing and IKE Peering on Spoke 473
Full Mesh Routing and IKE Peering on Spoke 474
Troubleshoot a Cisco IOS Software DMVPN 474
Troubleshooting Flow 475
Exam Preparation 476
Chapter 18 Deploying High Availability in Tunnel-Based IPsec VPNs 481
“Do I Know This Already?” Quiz 481
Foundation Topics 484
Plan the Deployment of Cisco IOS Software Site-to-Site IPsec VPN High-Availability Features 484
VPN Failure Modes 484
Partial Failure of the Transport Network 484
Partial or Total Failure of the Service Provider (SP) Transport Network 485
Partial or Total Failure of a VPN Device 485
Deployment Guidelines 485
Use Routing Protocols for VPN Failover 486
Routing to VPN Tunnel Endpoints 486
Routing Protocol Inside the VPN Tunnel 486
Recursive Routing Hazard 487
Routing Protocol VPN Topologies 487
Routing Tuning for Path Selection 487
Routing Tuning for Faster Convergence 488
Choose the Most Optimal Method of Mitigating Failure in a VTI-Based VPN 488
Path Redundancy Using a Single-Transport Network 489
Path Redundancy Using Two Transport Networks 489
Path and Device Redundancy in Single-Transport Networks 489
Path and Device Redundancy with Multiple-Transport Networks 489
Choose the Most Optimal Method of Mitigating Failure in a DMVPN 490
Recommended Architecture 490
Shared IPsec SAs 490
Configuring a DMVPN with a Single-Transport Network 490
Configuring a DMVPN over Multiple-Transport Networks 493
Exam Preparation 495
Chapter 19 Deploying GET VPNs 499
“Do I Know This Already?” Quiz 499
Foundation Topics 502
Describe the Operation of a Cisco IOS Software GET VPN 502
Peer Authentication and Policy Provisioning 502
GET VPN Traffic Exchange 504
Packet Security Services 504
Key Management Architecture 505
Rekeying Methods 505
Traffic Encapsulation 507
Benefits and Limitations 507
Plan the Deployment of a Cisco IOS Software GET VPN 508
Input Parameters 508
Deployment Tasks 508
Deployment Choices 509
Deployment Guidelines 509
Configure and Verify a Cisco IOS Software GET VPN Key Server 509
Configuration Tasks 509
Configuration Choices 510
Configuration Scenario 510
Task 1: (Optional) Configure an IKE Policy 511
Task 2: Generate and/or Configure Authentication Credentials 511
Task 3: Generate RSA keys for Rekey Authentication 511
Task 4: Configure a Traffic Protection Policy on the Key Server 512
Task 5: Enable and Configure the GET VPN Key Server Function 512
Task 6: (Optional) Tune the Rekeying Policy 513
Task 7: Create and Apply the GET VPN Crypto Map 513
Cisco Configuration Professional Support 514
Verify Basic Key Server Settings 514
Verify the Rekey Policy 514
List All Registered Members 515
Implementation Guidelines 515
Configure and Verify Cisco IOS Software GET VPN Group Members 515
Configuration Tasks 516
Configuration Choices 516
Configuration Scenario 516
Task 1: Configure an IKE Policy 516
Task 2: Generate and/or Configure Authentication Credentials 517