Home > Articles > Cisco Certification > CCNP > CCNP Security Firewall Cert Guide: Configuring ASA Interfaces

CCNP Security Firewall Cert Guide: Configuring ASA Interfaces

Chapter Description

This chapter covers the following topics from the 642-618 exam objectives: Configuring Physical Interfaces, Configuring VLAN Interfaces, Configuring Interface Security Parameters, Configuring the Interface MTU, and Verifying Interface Operation.

Configuring Physical Interfaces

An ASA supports multiple physical interfaces that can be connected into the network or to individual devices. From the Configuration tab in Cisco ASDM, you can view the list of interfaces by selecting Device Setup > Interfaces, as shown in Figure 3-1.

Figure 3-1

Figure 3-1. Using ASDM to View a List of Interfaces

From the CLI, you can see a list of the physical firewall interfaces that are available by using the following command:

ciscoasa# show version

Firewall interfaces are referenced by their hardware index and their physical interface names. Example 3-1 lists the physical interfaces in an ASA 5510. Ethernet0/0 through 0/3 and Management0/0 are built-in interfaces, while GigabitEthernet1/0 through 1/3 are installed as a 4GE-SSM module.

Example 3-1. Listing Physical ASA Interfaces

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 8.2(3)
Device Manager Version 6.3(4)

Compiled on Fri 06-Aug-10 07:51 by builders
System image file is "disk0:/asa823-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 1 day 10 hours

Hardware:   ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB


Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04



 0: Ext: Ethernet0/0         : address is 001a.a22d.1ddc, irq 9  
 1: Ext: Ethernet0/1         : address is 001a.a22d.1ddd, irq 9  
 2: Ext: Ethernet0/2         : address is 001a.a22d.1dde, irq 9  
 3: Ext: Ethernet0/3         : address is 001a.a22d.1ddf, irq 9  
 4: Ext: Management0/0       : address is 001a.a22d.1ddb, irq 11 
 5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11 
 6: Int: Not used            : irq 5                             
 7: Ext: GigabitEthernet1/0  : address is 001a.a22d.20f1, irq 255
 8: Ext: GigabitEthernet1/1  : address is 001a.a22d.20f2, irq 255
 9: Ext: GigabitEthernet1/2  : address is 001a.a22d.20f3, irq 255
10: Ext: GigabitEthernet1/3  : address is 001a.a22d.20f4, irq 255
11: Int: Internal-Data1/0    : address is 0000.0003.0002, irq 255


Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited 
Maximum VLANs                  : 100
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
[output truncated for clarity]

Before you begin configuring the ASA interfaces, you should first use the interface list to identify each of the interfaces you will use. At a minimum, you need one interface as the “inside” of the ASA and one as the “outside.”

Default Interface Configuration

Some interfaces come predefined in the initial factory default configuration. You can view the interface mappings with the show nameif EXEC command. As shown in Example 3-2, an ASA 5510 or higher model defines only one interface, Management0/0, for use by default. The interface is named “management” and is set aside for out-of-band management access.

Example 3-2. Default Interface Configuration on ASA 5510 and Higher Models

ciscoasa# show nameif
Interface               Name           Security
Management0/0           management     100
ciscoasa#

An ASA 5505 takes a different approach with its default interfaces, as shown in Example 3-3. Rather than use physical interfaces, it defines an “inside” and an “outside” interface using two logical VLANs: VLAN 1 and VLAN 2.

Example 3-3. Default Interface Configuration on the ASA 5505

ciscoasa# show nameif
Interface               Name           Security
Vlan1                   inside         100
Vlan2                   outside          0
ciscoasa#

These two VLANs are then applied to the physical interfaces such that interface Ethernet0/0 is mapped to VLAN 2, while Ethernet0/1 through 0/7 are mapped to VLAN 1 (inside). This configuration gives one outside interface that can be connected to a service provider network for an Internet connection. The remaining seven inside interfaces can be connected to individual devices on the protected network.

You can display the ASA 5505 interface-to-VLAN mapping by entering the show switch vlan command, as shown in Example 3-4.

Example 3-4. Displaying the ASA 5505 Interface-to-VLAN Mapping

ciscoasa# show switch vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           up        Et0/1, Et0/2, Et0/3, Et0/4
                                                Et0/5, Et0/6, Et0/7
2    outside                          up        Et0/0
ciscoasa#

Configuring Physical Interface Parameters

keytopic.jpg

For each physical interface, you can configure the speed, duplex, and the interface state. In ASDM, select Configuration > Interfaces, select an interface, and click the Edit button. In the General tab, click Configure Hardware Properties, as shown in Figure 3-2.

Figure 3-2

Figure 3-2. Configuring Physical Interface Parameters in ASDM

You can do the same task from the CLI by using the following commands:

ciscoasa(config)# interface hardware-id
ciscoasa(config-if)# speed  {auto | 10  | 100 |  1000}
ciscoasa(config-if)# duplex {auto  | full |  half}
ciscoasa(config-if)# [no] shutdown

By default, an interface uses autodetected speed and autonegotiated duplex mode, as if the speed auto and duplex auto commands had been entered. As long as the ASA interface and the device connected to it are configured the same, the interface will automatically come up using the maximum speed and full-duplex mode. You can also statically configure the interface speed to 10, 100, or 1000 Mbps, as wellas full or half duplex mode.

By default, physical interfaces are administratively shut down. Use the no shutdown interface configuration command to enable each one individually. As well, you can shut an interface back down with the shutdown command.

Mapping ASA 5505 Interfaces to VLANs

By default, an ASA 5505 maps interface Ethernet0/0 to VLAN 2 and interfaces Ethernet0/1 through 0/7 to VLAN 1. All eight interfaces are connected to an internal 8-port switch, with each interface configured as an access link mapped to a single VLAN.

Figure 3-3 shows how ASDM can be used to map a physical interface to a different VLAN number. First, a new interface is created and named vlan 10. At the top of the Add Interface dialog box, Ethernet0/3 is added to the list of interfaces that are mapped to VLAN 10.

Figure 3-3

Figure 3-3. Mapping an ASA 5505 Interface to a VLAN

You can use the following CLI command to accomplish the same task:

ciscoasa(config-if)# switchport access vlan vlan-id

The vlan-id parameter represents a VLAN interface that has already been created and configured. The section, “Configuring VLAN Interfaces,” covers this in detail.

In Example 3-5, interface Ethernet0/3 is mapped to VLAN 10, while Ethernet0/4 is mapped to VLAN 20.

Example 3-5. Mapping Interfaces to VLANs on an ASA 5505

ciscoasa(config)# interface ethernet0/3
ciscoasa(config-if)# switchport access vlan 10
ciscoasa(config-if)# interface ethernet0/4
ciscoasa(config-if)# switchport access vlan 20

Configuring Interface Redundancy

By default, each physical ASA interface operates independently of any other interface. The interface can be in one of two operating states: up or down. When an interface is down for some reason, the ASA cannot send or receive any data through it. For example, the switch port where an ASA interface connects might fail, causing the ASA interface to go down, too.

keytopic.jpg

To keep an ASA interface up and active all the time, you can configure physical interfaces as redundant pairs. As a redundant pair, two interfaces are set aside for the same ASA function (inside, outside, and so on), and connect to the same network. Only one of the interfaces is active at any given time; the other interface stays in a standby state. As soon as the active interface loses its link status and goes down, the standby interface becomes active and takes over passing traffic.

Both physical interfaces in a redundant pair are configured as members of a single logical “redundant” interface. To join two interfaces as a redundant pair, the interfaces must be of the same type (10/100/1000BASE-TX, for example).

The redundant interface, rather than its physical member interfaces, is configured with a unique interface name, security level, and IP address—all the parameters used in ASA interface operations.

First, you must create the redundant interface by entering the following configuration command:

ciscoasa(config)# interface redundant number

You can define up to eight redundant interfaces on an ASA. Therefore, the interface number can be 1 through 8.

Next, use the following command to add a physical interface as a member of the redundant interface:

ciscoasa(config-int)# member-interface physical_interface

Here, physical_interface is the hardware name and number, like ethernet0/1 or gigabitethernet0/1, for example. In Figure 3-4, ASA interfaces Ethernet0/0 and Ethernet0/1 are member interfaces of a logical redundant interface called Redundant1, while Ethernet0/2 and Ethernet0/3 are members of interface Redundant2.

Figure 3-4

Figure 3-4. Example Redundant Interfaces

Be aware that the member interface cannot have a security level or an IP address configured. In fact, as soon as you enter the member-interface command, the ASA will automatically clear those parameters from the physical interface configuration. You should repeat this command to add a second physical interface to the redundant pair.

Keep in mind that the order in which you configure the interfaces is important. The first physical interface added to a logical redundant interface will become the active interface. That interface will stay active until it loses its link status, causing the second or standby interface to take over. The standby interface can also take over when the active interface is administratively shut down with the shutdown interface configuration command.

However, the active status will not revert to the failed interface, even when it comes back up. The two interfaces trade the active role back and forth only when one of them fails.

The redundant interface also takes on the MAC address of the first member interface that you configure. Regardless of which physical interface is active, that same MAC address will be used. You can override this behavior by manually configuring a unique MAC address on the redundant interface with the mac-address mac_address interface configuration command.

In Example 3-6, interfaces Ethernet0/0 and Ethernet0/1 are configured to be used as logical interface redundant 1.

Example 3-6. Configuring a Redundant Interface Pair

ciscoasa(config)# interface redundant 1
ciscoasa(config-if)# member-interface ethernet0/0
INFO: security-level and IP address are cleared on Ethernet0/0.
ciscoasa(config-if)# member-interface ethernet0/1
INFO: security-level and IP address are cleared on Ethernet0/1.
ciscoasa(config-if)# no shutdown

The redundant interface is now ready to be configured as a normal ASA interface. From this point on, you should not configure anything on the two physical interfaces other than the port speed and duplex.

To accomplish the same thing through ASDM, first select Add > Redundant Interface from the drop-down menu in the upper-right corner of the interface listing. A new Add Redundant Interface dialog box appears, as shown in Figure 3-5. Select the redundant interface number and the two physical interfaces that will operate as a redundant pair. To enable the new redundant interface for use, be sure to check the Enable Interface check box.

Figure 3-5

Figure 3-5. Adding a Redundant Interface in ASDM

Configuring an EtherChannel

A single link between an ASA and a switch provides simple connectivity, but it is a single point of failure. If the link goes down, no data can travel across it. In the previous section, you learned that a redundant interface binds two physical interfaces into one logical interface. The possibility of a link failure is reduced, because one of the two interfaces will always be up and available; however, only one of the two links can pass data at any given time.

How can you maximize availability with more than one link, while leveraging the bandwidth of all of them at the same time? Beginning with ASA software release 8.4(1), you can use an EtherChannel to make that all possible. With an EtherChannel, two to eight active physical interfaces can be grouped or bundled together as a single logical port-channel interface. Each interface must be of the same type, speed, and duplex mode before an EtherChannel can be built.

Figure 3-6 shows an EtherChannel that is built out of multiple physical GigabitEthernet interfaces that connect an ASA to a Catalyst switch. On the ASA, the resulting logical interface is named interface port-channel 1. Notice that the individual links in the Ether-Channel can have different interface names on each end. The interfaces can also be connected and grouped in any arbitrary order. What matters is that the interfaces form one common EtherChannel link between the two devices.

Figure 3-6

Figure 3-6. Building an EtherChannel from Multiple Physical Links

An ASA can support up to eight active interfaces in a single EtherChannel; however, you can configure up to 16 different interfaces per EtherChannel, although only eight of them can be active at any time. If one active interface fails, another one automatically takes its place. Although Figure 3-6 shows a single EtherChannel link, an ASA can support up to 48 different EtherChannels.

Because multiple interfaces are active in an EtherChannel, the available bandwidth can be scaled over that of a single interface. Traffic is load balanced by distributing the packets across the active interfaces. The ASA computes a hash value based on values found in the packet header, such as the source or destination MAC address, IP address, or the UDP or TCP port number. You can configure a preset combination of fields that are used. As long as the number of active interfaces is a multiple of two, the ASA can evenly distribute packets across them.

keytopic.jpg

To build an EtherChannel, the ASA and the switch must both agree to do so. You can configure the ASA interfaces to statically participate, where the EtherChannel is “always on.” In that case, the switch interfaces must also be configured for “always on” operation. Instead, you can configure the ASA and switch to negotiate an EtherChannel with each other.

Negotiation uses the Link Aggregation Control Protocol (LACP), which is a standards-based protocol. LACP packets are exchanged between the ASA and the switch over the interfaces that can become part of an EtherChannel. The ASA and the switch use a system priority (a 2-byte priority value followed by a 6-byte switch MAC address) to decide which one is allowed to make decisions about what interfaces are actively participating in the EtherChannel at a given time.

Interfaces are selected and become active according to their port priority value (a 2-byte priority followed by a 2-byte port number), where a low value indicates a higher priority. A set of up to 16 potential links can be defined for each EtherChannel. Through LACP, up to eight of these having the lowest port priorities can become active EtherChannel links at any given time. The other links are placed in a standby state and will be enabled in the EtherChannel if one of the active links goes down.

LACP can be configured in the active mode, in which the ASA actively asks a far-end switch to negotiate an EtherChannel, or in passive mode, in which the ASA negotiates an EtherChannel only if the far end initiates it. Table 3-2 summarizes the EtherChannel negotiation methods and characteristics.

Table 3-2. EtherChannel Negotiation Methods

Negotiation Mode

Negotiation Packets Sent?

Characteristics

On

No

All ports channeling all the time

Passive

Yes

Waits to channel until asked

Active

Yes

Actively asks to form a channel

To configure an EtherChannel in ASDM, begin by defining the port-channel interface. Select Configuration > Device Setup > Interfaces, click the Add button, and select

EtherChannel Interface. Under the General tab, enter an arbitrary Port Channel ID number (1 to 48) that will identify the port-channel interface.

Next, select an interface from the Available Physical Interface list and click the Add>> button to make it a member of the EtherChannel. You can repeat this process to add multiple interfaces. Make sure to select the Enable Interface check box to enable the port-channel interface for use. In Figure 3-7, interface port-channel1 has been created. Ethernet0/2 and Ethernet0/3 have been added as member interfaces.

Figure 3-7

Figure 3-7. Configuring a New EtherChannel in ASDM

Notice that Figure 3-7 also has fields for Interface Name, Security Level, and IP Address. These fields are not applied to the individual member interfaces; instead, they are applied to the port-channel interface. The fields are covered in the section, “Configuring Interface Security Parameters.”

Next, configure the method that the ASA will use to distribute packets across the links within the EtherChannel. By default, a packet’s source and destination IP addresses are used to compute a hash index that points to the link that will carry the packet. This is the appropriate choice in most cases, as long as the source and destination IP addresses are unique and diverse. The more varied the hash input values, the better the traffic will be distributed across the links in the EtherChannel.

In some scenarios, the majority of the traffic might travel between the same two IP addresses, causing most of the packets to travel over only one link of the EtherChannel. In that case, you can configure the EtherChannel load-balancing method to use additional information, such as a Layer 4 port number, MAC addresses, or a VLAN number, to provide more uniqueness so that the packets can be spread more evenly across the EtherChannel links. The possible load-balancing methods are as follows:

  • Destination IP
  • Destination IP and Layer 4 Port
  • Destination MAC Address
  • Destination Layer 4 Port
  • Source and Destination IP Address
  • Source and Destination MAC Address
  • Source and Destination IP Address and Layer 4 Port
  • Source and Destination Layer 4 Port
  • Source IP Address
  • Source IP Address and Layer 4 Port
  • Source MAC Address
  • Source Layer 4 Port
  • VLAN Destination IP Address
  • VLAN Destination IP and Layer 4 Port
  • VLAN Only
  • VLAN Source and Destination IP Address
  • VLAN Source and Destination IP Address and Layer 4 Port
  • VLAN Source IP Address
  • VLAN Source IP Address and Layer 4 Port

To configure the load-balancing method, select the Advanced tab in the Add EtherChannel Interface screen and choose the method from the drop-down list at the bottom of the screen, as shown in Figure 3-8.

Figure 3-8

Figure 3-8. Configuring the EtherChannel Load-Balancing Method

Next, you need to configure a negotiation method for the EtherChannel. ASDM uses a default method of “active” on each member interface, where the ASA will use LACP to actively ask the far-end switch to bring up the EtherChannel. To configure the method, select Configuration > Device Setup > Interfaces, select an interface that is a member of the EtherChannel, and click the Edit button. In Figure 3-9, interfaces Ethernet0/2 and 0/3 are shown to be members of the Port-channel1 group. Because their individual configurations are restricted, they are shown with a lock icon next to their names. Remember that the security parameters of an EtherChannel are configured on the Port-channel interface instead.

Figure 3-9

Figure 3-9. Selecting an EtherChannel Interface for Configuration

Under the General tab of the Edit Interface screen, make sure that the Enable Interface check box under the Channel Group is selected. Select the Advanced tab and use the EtherChannel drop-down menu to set the negotiation mode, which can be either Active, Passive, or On, as shown in Figure 3-10.

Figure 3-10

Figure 3-10. Configuring the EtherChannel Negotiation Method

You can configure more interfaces in the channel group number than are allowed to be active in the channel. This prepares extra standby interfaces to replace failed active ones. Set a lower LACP port priority (1 to 65,535; default 32,768) for any interfaces that must be active and a higher priority for interfaces that might be held in the standby state. Otherwise, just use the default scenario, in which all ports default to 32,768, and the lower port numbers (in interface number order) are used to select the active ports.

By default, an ASA uses LACP system priority of 32,768. If the ASA and the switch both use the same value, the one with the lower MAC address becomes the decision maker over the LACP negotiations. You can change the system priority by selecting Configuration > Device Setup > EtherChannel.

You can also configure an EtherChannel by using the CLI. Select a physical interface that will be a member of the EtherChannel, and then identify the port-channel number where it will belong, along with the negotiation method that will be used:

ciscoasa(config)# lacp system-priority priority
ciscoasa(config)# interface type mod/num
ciscoasa(config-if)# channel-protocol lacp
ciscoasa(config-if)# channel-group number mode {on |  passive |  active}
ciscoasa(config-if)# lacp port-priority priority

As an example of LACP configuration, suppose that you want to configure an ASA to actively negotiate an EtherChannel using interfaces Ethernet0/2 and 0/3. You can use the commands listed in Example 3-7 to accomplish this.

Example 3-7. Configuring an EtherChannel Using the CLI

CISCOASA(config)# interface ethernet0/2
CISCOASA(config-if)# channel-protocol lacp
CISCOASA(config-if)# channel-group 1 mode active
CISCOASA(config-if)# exit
CISCOASA(config)# interface ethernet0/3
CISCOASA(config-if)# channel-protocol lacp
CISCOASA(config-if)# channel-group 1 mode active
CISCOASA(config-if)# exit

If you find that an EtherChannel is having problems, remember that the entire concept is based on consistent configurations on both ends of the channel. You can verify the Ether-Channel state with the show port-channel summary command. Each port in the channel is shown, along with flags indicating the port’s state, as shown in Example 3-8.

Example 3-8. show port-channel summary Command Output

CISCOASA# show port-channel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        U - in use      N - not in use, no aggregation/nameif
        M - not in use, no aggregation due to minimum links not met
        w - waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel Protocol     Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(U)           LACP     Et0/2(P)  Et0/3(P)

CISCOASA#

The status of the port channel shows the EtherChannel logical interface as a whole. This should show U (in use) if the channel is operational. You also can examine the status of each interface within the channel. Notice that both of the channel interfaces have flags (P), which indicate that they are active in the port-channel.

4. Configuring VLAN Interfaces | Next Section Previous Section

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@ciscopress.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.ciscopress.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020