larger cover

Add To My Wish List

Register your product to gain access to bonus material or receive a coupon.

CCNP Security Secure 642-637 Official Cert Guide

eBook (Watermarked)

  • Sorry, this book is no longer in print.
  • About Watermarked eBooks
  • This PDF will be accessible from your Account page after purchase and requires PDF reading software, such as Acrobat® Reader®.

    The eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

    Watermarked eBook FAQ

Not for Sale
  • Description
  • Sample Content
  • Updates
  • Copyright 2011
  • Edition: 1st
  • eBook (Watermarked)
  • ISBN-10: 0-13-237855-8
  • ISBN-13: 978-0-13-237855-0

This is the eBook version of the print title. Note that the eBook does not provide access to the practice test software that accompanies the print book.

Trust the best selling Official Cert Guide series from Cisco Press to help you learn, prepare, and practice for exam success. They are built with the objective of providing assessment, review, and practice to help ensure you are fully prepared for your certification exam.

CCNP Security SECURE 642-637 Official Cert Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.

  • Master CCNP Security SECURE 642-637 exam topics
  • Assess your knowledge with chapter-opening quizzes
  • Review key concepts with exam preparation tasks

CCNP Security SECURE 642-637 Official Cert Guide focuses specifically on the objectives for the CCNP Security SECURE exam. Senior networking consultants Sean Wilkins and Trey Smith share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.

The official study guide helps you master all the topics on the CCNP Security SECURE exam, including:

  • Network security threats and foundation protection
  • Switched data plane security
  • 802.1X and identity-based networking services
  • Cisco IOS routed data plane security
  • Cisco IOS control plane security
  • Cisco IOS management plane security
  • NAT
  • Zone-based firewalls
  • IOS intrusion prevention system
  • Cisco IOS site-to-site security solutions
  • IPsec VPNs, dynamic multipoint VPNs, and GET VPNs
  • SSL VPNs and EZVPN

CCNP Security SECURE 642-637 Official Cert Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit

Table of Contents

    Introduction xxxiii

Part I Network Security Technologies Overview

Chapter 1 Network Security Fundamentals 3

        “Do I Know This Already?” Quiz 3

    Foundation Topics 7

        Defining Network Security 7

        Building Secure Networks 7

        Cisco SAFE 9

        SCF Basics 9

        SAFE/SCF Architecture Principles 12

        SAFE/SCF Network Foundation Protection (NFP) 14

        SAFE/SCF Design Blueprints 14

        SAFE Usage 15

        Exam Preparation 17

Chapter 2 Network Security Threats 21

        “Do I Know This Already?” Quiz 21

    Foundation Topics 24

        Vulnerabilities 24

        Self-Imposed Network Vulnerabilities 24

        Intruder Motivations 29

        Lack of Understanding of Computers or Networks 30

        Intruding for Curiosity 30

        Intruding for Fun and Pride 30

        Intruding for Revenge 30

        Intruding for Profit 31

        Intruding for Political Purposes 31

        Types of Network Attacks 31

        Reconnaissance Attacks 32

        Access Attacks 33

        DoS Attacks 35

        Exam Preparation 36

Chapter 3 Network Foundation Protection (NFP) Overview 39

        “Do I Know This Already?” Quiz 39

    Foundation Topics 42

        Overview of Device Functionality Planes 42

        Control Plane 43

        Data Plane 44

        Management Plane 45

        Identifying Network Foundation Protection Deployment Models 45

        Identifying Network Foundation Protection Feature Availability 48

        Cisco Catalyst Switches 48

        Cisco Integrated Services Routers (ISR) 49

        Cisco Supporting Management Components 50

        Exam Preparation 53

Part II Cisco IOS Foundation Security Solutions

Chapter 4 Configuring and Implementing Switched Data Plane Security Solutions 57

        “Do I Know This Already?” Quiz 57

    Foundation Topics 60

        Switched Data Plane Attack Types 60

        VLAN Hopping Attacks 60

        CAM Flooding Attacks 61

        MAC Address Spoofing 63

        Spanning Tree Protocol (STP) Spoofing Attacks 63

        DHCP Starvation Attacks 66

        DHCP Server Spoofing 67

        ARP Spoofing 67

        Switched Data Plane Security Technologies 67

        Port Configuration 67

        Port Security 71

        Root Guard, BPDU Guard, and PortFast 74

        DHCP Snooping 75

        Dynamic ARP Inspection (DAI) 77

        IP Source Guard 79

        Private VLANs (PVLAN) 80

        Exam Preparation 84

Chapter 5 802.1X and Cisco Identity-Based Networking Services (IBNS) 91

        “Do I Know This Already?” Quiz 91

    Foundation Topics 94

        Identity-Based Networking Services (IBNS) and IEEE 802.1x Overview 94

        IBNS and 802.1x Enhancements and Features 94

        802.1x Components 96

        802.1x Interworking 97

        Extensible Authentication Protocol (EAP) 97

        EAP over LAN (EAPOL) 98

        EAP Message Exchange 99

        Port States 100

        Port Authentication Host Modes 101

        EAP Type Selection 102

        EAP—Message Digest Algorithm 5 102

        Protected EAP w/MS-CHAPv2 102

        Cisco Lightweight EAP 103

        EAP—Transport Layer Security 104

        EAP—Tunneled Transport Layer Security 104

        EAP—Flexible Authentication via Secure Tunneling 105

        Exam Preparation 106

Chapter 6 Implementing and Configuring Basic 802.1X 109

        “Do I Know This Already?” Quiz 109

    Foundation Topics 112

        Plan Basic 802.1X Deployment on Cisco Catalyst IOS Software 112

        Gathering Input Parameters 113

        Deployment Tasks 113

        Deployment Choices 114

        General Deployment Guidelines 114

        Configure and Verify Cisco Catalyst IOS Software 802.1X Authenticator 115

        Configuration Choices 115

        Configuration Scenario 115

        Verify Basic 802.1X Functionality 121

        Configure and Verify Cisco ACS for EAP-FAST 121

        Configuration Choices 122

        Configuration Scenario 122

        Configure the Cisco Secure Services Client 802.1X Supplicant 128

        Task 1: Create the CSSC Configuration Profile 128

        Task 2: Create a Wired Network Profile 128

        Tasks 3 and 4: (Optional) Tune 802.1X Timers and

        Authentication Mode 130

        Task 5: Configure the Inner and Outer EAP Mode for the Connection 131

        Task 6: Choose the Login Credentials to Be Used for Authentication 132

        Task 7: Create the CSSC Installation Package 133

        Network Login 134

        Verify and Troubleshoot 802.1 X Operations 134

        Troubleshooting Flow 134

        Successful Authentication 135

        Verify Connection Status 135

        Verify Authentication on AAA Server 135

        Verify Guest/Restricted VLAN Assignment 135

        802.1X Readiness Check 135

        Unresponsive Supplicant 135

        Failed Authentication: RADIUS Configuration Issues 135

        Failed Authentication: Bad Credentials 135

        Exam Preparation 136

Chapter 7 Implementing and Configuring Advanced 802.1X 139

        “Do I Know This Already?” Quiz 139

    Foundation Topics 143

        Plan the Deployment of Cisco Advanced 802.1X Authentication Features 143

        Gathering Input Parameters 143

        Deployment Tasks 144

        Deployment Choices 144

        Configure and Verify EAP-TLS Authentication on Cisco IOS Components and Cisco Secure ACS 145

        EAP-TLS with 802.1X Configuration Tasks 145

        Configuration Scenario 146

        Configuration Choices 146

        Task 1: Configure RADIUS Server 147

        Task 2: Install Identity and Certificate Authority Certificates on All Clients 147

        Task 3: Configure an Identity Certificate on the Cisco Secure ACS Server 147

        Task 4: Configure Support of EAP-TLS on the Cisco Secure ACS Server 149

        Task 5: (Optional) Configure EAP-TLS Support Using the Microsoft Windows Native Supplicant 151

        Task 6: (Optional) Configure EAP-TLS Support Using the Cisco Secure Services Client (CSSC) Supplicant 152

        Implementation Guidelines 153

        Feature Support 153

        Verifying EAP-TLS Configuration 153

        Deploying User and Machine Authentication 153

        Configuring User and Machine Authentication Tasks 154

        Configuration Scenario 154

        Task 1: Install Identity and Certificate Authority Certificates on All Clients 155

        Task 2: Configure Support of EAP-TLS on Cisco Secure ACS Server 155

        Task 3: Configure Support of Machine Authentication on Cisco Secure ACS Server 156

        Task 4: Configure Support of Machine Authentication on Microsoft Windows Native 802.1X Supplicant 156

        Task 5: (Optional) Configure Machine Authentication Support Using the Cisco Secure Services Client (CSSC) Supplicant 157

        Task 6: (Optional) Configure Additional User Support Using the Cisco Secure Services Client (CSSC) Supplicant 158

        Implementation Guidelines 158

        Feature Support 158

        Deploying VLAN and ACL Assignment 159

        Deploying VLAN and ACL Assignment Tasks 159

        Configuration Scenario 159

        Configuration Choices 160

        Task 1: Configure Cisco IOS Software 802.1X Authenticator Authorization 160

        Task 2: (Optional) Configure VLAN Assignment on Cisco Secure ACS 161

        Task 3: (Optional) Configure and Prepare for ACL Assignment on Cisco IOS Software Switch 162

        Task 4: (Optional) Configure ACL Assignment on Cisco Secure ACS Server 162

        Verification of VLAN and ACL Assignment with Cisco IOS Software CLI 164

        Verification of VLAN and ACL Assignment on Cisco Secure ACS 165

        Configure and Verify Cisco Secure ACS MAC Address ExceptionPolicies 165

        Cisco Catalyst IOS Software MAC Authentication Bypass (MAB) 165

        Configuration Tasks 166

        Configuration Scenario 166

        Tasks 1 and 2: Configure MAC Authentication Bypass on the Switch and ACS 167

        Verification of Configuration 168

        Implementation Guidelines 168

        Configure and Verify Web Authentication on Cisco IOS Software LAN Switches and Cisco Secure ACS 168

        Configuration Tasks 169

        Configuration Scenario 169

        Task 1: Configure Web Authentication on the Switch 169

        Task 2: Configure Web Authentication on the Cisco Secure ACS Server 171

        Web Authentication Verification 172

        User Experience 172

        Choose a Method to Support Multiple Hosts on a Single Port 172

        Multiple Hosts Support Guidelines 172

        Configuring Support of Multiple Hosts on a Single Port 172

        Configuring Fail-Open Policies 174

        Configuring Critical Ports 174

        Configuring Open Authentication 176

        Resolve 802.1X Compatibility Issues 176

        Wake-on-LAN (WOL) 176

        Non-802.1X IP Phones 177

        Preboot Execution Environment (PXE) 177

        Exam Preparation 178

Chapter 8 Implementing and Configuring Cisco IOS Routed Data Plane Security 183

        “Do I Know This Already?” Quiz 183

    Foundation Topics 186

        Routed Data Plane Attack Types 186

        IP Spoofing 186

        Slow-Path Denial of Service 186

        Traffic Flooding 187

        Routed Data Plane Security Technologies 187

        Access Control Lists (ACL) 187

        Flexible Packet Matching 196

        Flexible NetFlow 203

        Unicast Reverse Path Forwarding (Unicast RPF) 209

        Exam Preparation 212

Chapter 9 Implementing and Configuring Cisco IOS Control

Plane Security 219

        “Do I Know This Already?” Quiz 219

    Foundation Topics 222

        Control Plane Attack Types 222

        Slow-Path Denial of Service 222

        Routing Protocol Spoofing 222

        Control Plane Security Technologies 222

        Control Plane Policing (CoPP) 222

        Control Plane Protection (CPPr) 226

        Routing Protocol Authentication 232

        Exam Preparation 237

Chapter 10 Implementing and Configuring Cisco IOS Management Plane Security 245

        “Do I Know This Already?” Quiz 245

    Foundation Topics 248

        Management Plane Attack Types 248

        Management Plane Security Technologies 248

        Basic Management Security and Privileges 248

        SSH 254

        SNMP 256

        CPU and Memory Thresholding 261

        Management Plane Protection 262

        AutoSecure 263

        Digitally Signed Cisco Software 265

        Exam Preparation 267

Part III Cisco IOS Threat Detection and Control

Chapter 11 Implementing and Configuring Network Address Translation (NAT) 275

        “Do I Know This Already?” Quiz 275

    Foundation Topics 278

        Network Address Translation 278

        Static NAT Example 280

        Dynamic NAT Example 280

        PAT Example 281

        NAT Configuration 282

        Overlapping NAT 287

        Exam Preparation 290

Chapter 12 Implementing and Configuring Zone-Based Policy Firewalls 295

        “Do I Know This Already?” Quiz 295

    Foundation Topics 298

        Zone-Based Policy Firewall Overview 298

        Zones/Security Zones 298

        Zone Pairs 299

        Transparent Firewalls 300

        Zone-Based Layer 3/4 Policy Firewall Configuration 301

        Class Map Configuration 302

        Parameter Map Configurations 304

        Policy Map Configuration 306

        Zone Configuration 308

        Zone Pair Configuration 309

        Port to Application Mapping (PAM) Configuration 310

        Zone-Based Layer 7 Policy Firewall Configuration 312

        URL Filter 313

        HTTP Inspection 318

        Exam Preparation 323

Chapter 13 Implementing and Configuring IOS Intrusion Prevention System (IPS) 333

        “Do I Know This Already?” Quiz 333

    Foundation Topics 336

        Configuration Choices, Basic Procedures, and Required Input Parameters 336

        Intrusion Detection and Prevention with Signatures 337

        Sensor Accuracy 339

        Choosing a Cisco IOS IPS Sensor Platform 340

        Software-Based Sensor 340

        Hardware-Based Sensor 340

        Deployment Tasks 341

        Deployment Guidelines 342

        Deploying Cisco IOS Software IPS Signature Policies 342

        Configuration Tasks 342

        Configuration Scenario 342

        Verification 346

        Guidelines 347

        Tuning Cisco IOS Software IPS Signatures 347

        Event Risk Rating System Overview 348

        Event Risk Rating Calculation 348

        Event Risk Rating Example 349

        Signature Event Action Overrides (SEAO) 349

        Signature Event Action Filters (SEAF) 349

        Configuration Tasks 350

        Configuration Scenario 350

        Verification 355

        Implementation Guidelines 355

        Deploying Cisco IOS Software IPS Signature Updates 355

        Configuration Tasks 356

        Configuration Scenario 356

        Task 1: Install Signature Update License 356

        Task 2: Configure Automatic Signature Updates 357

        Verification 357

        Monitoring Cisco IOS Software IPS Events 358

        Cisco IOS Software IPS Event Generation 358

        Cisco IME Features 358

        Cisco IME Minimum System Requirements 359

        Configuration Tasks 359

        Configuration Scenario 360

        Task 2: Add the Cisco IOS Software IPS Sensor to Cisco IME 361

        Verification 362

        Verification: Local Events 362

        Verification: IME Events 363

        Cisco IOS Software IPS Sensor 363

        Troubleshooting Resource Use 365

        Additional Debug Commands 365

        Exam Preparation 366

Part IV Managing and Implementing Cisco IOS Site-to-Site Security Solutions

Chapter 14 Introduction to Cisco IOS Site-to-Site Security Solutions 369

        “Do I Know This Already?” Quiz 369

    Foundation Topics 372

        Choose an Appropriate VPN LAN Topology 372

        Input Parameters for Choosing the Best VPN LAN Topology 373

        General Deployment Guidelines for Choosing the Best VPN LAN Topology 373

        Choose an Appropriate VPN WAN Technology 373

        Input Parameters for Choosing the Best VPN WAN Technology 374

        General Deployment Guidelines for Choosing the Best VPN WAN Technology 376

        Core Features of IPsec VPN Technology 376

        IPsec Security Associations 377

        Internet Key Exchange (IKE) 377

        IPsec Phases 377

        IKE Main and Aggressive Mode 378

        Encapsulating Security Payload 378

        Choose Appropriate VPN Cryptographic Controls 379

        IPsec Security Associations 379

        Algorithm Choices 379

        General Deployment Guidelines for Choosing Cryptographic Controls for a Site-to-Site VPN Implementation 381

        Design and Implementation Resources 382

        Exam Preparation 383

Chapter 15 Deploying VTI-Based Site-to-Site IPsec VPNs 387

        “Do I Know This Already?” Quiz 387

    Foundation Topics 390

        Plan a Cisco IOS Software VTI-Based Site-to-Site VPN 390

        Virtual Tunnel Interfaces 390

        Input Parameters 392

        Deployment Tasks 393

        Deployment Choices 393

        General Deployment Guidelines 393

        Configuring Basic IKE Peering 393

        Cisco IOS Software Default IKE PSK-Based Policies 394

        Configuration Tasks 394

        Configuration Choices 395

        Configuration Scenario 395

        Task 1: (Optional) Configure an IKE Policy on Each Peer 395

        Tasks 2 and 3: Generate and Configure Authentication Credentials on Each Peer 396

        Verify Local IKE Sessions 396

        Verify Local IKE Policies 396

        Verify a Successful Phase 1 Exchange 397

        Implementation Guidelines 397

        Troubleshooting IKE Peering 397

        Troubleshooting Flow 397

        Configuring Static Point-to-Point IPsec VTI Tunnels 398

        Default Cisco IOS Software IPsec Transform Sets 398

        Configuration Tasks 398

        Configuration Choices 399

        Configuration Scenario 399

        Task 1: (Optional) Configure an IKE Policy on Each Peer 399

        Task 2: (Optional) Configure an IPsec Transform Set 399

        Task 3: Configure an IPsec Protection Profile 400

        Task 4: Configure a Virtual Tunnel Interface (VTI) 400

        Task 5: Apply the Protection Profile to the Tunnel Interface 401

        Task 6: Configure Routing into the VTI Tunnel 401

        Implementation Guidelines 401

        Verify Tunnel Status and Traffic 401

        Troubleshooting Flow 402

        Configure Dynamic Point-to-Point IPsec VTI Tunnels 403

        Virtual Templates and Virtual Access Interfaces 403

        ISAKMP Profiles 404

        Configuration Tasks 404

        Configuration Scenario 404

        Task 1: Configure IKE Peering 405

        Task 2: (Optional) Configure an IPsec Transform Set 405

        Task 3: Configure an IPsec Protection Profile 405

        Task 4: Configure a Virtual Template Interface 406

        Task 5: Map Remote Peer to a Virtual Template Interface 406

        Verify Tunnel Status on the Hub 407

        Implementation Guidelines 407

        Exam Preparation 408

Chapter 16 Deploying Scalable Authentication in Site-to-Site IPsec VPNs 411

        “Do I Know This Already?” Quiz 411

    Foundation Topics 414

        Describe the Concept of a Public Key Infrastructure 414

        Manual Key Exchange with Verification 414

        Trusted Introducing 414

        Public Key Infrastructure: Certificate Authorities 416

        X.509 Identity Certificate 417

        Certificate Revocation Checking 418

        Using Certificates in Network Applications 419

        Deployment Choices 420

        Deployment Steps 420

        Input Parameters 421

        Deployment Guidelines 421

        Configure, Verify, and Troubleshoot a Basic Cisco IOS Software Certificate Server 421

        Configuration Tasks for a Root Certificate Server 422

        Configuration Scenario 423

        Task 1: Create an RSA Key Pair 423

        Task 2: Create a PKI Trustpoint 424

        Tasks 3 and 4: Create the CS and Configure the Database Location 424

        Task 5: Configure an Issuing Policy 425

        Task 6: Configure the Revocation Policy 425

        Task 7: Configure the SCEP Interface 426

        Task 8: Enable the Certificate Server 426

        Cisco Configuration Professional Support 426

        Verify the Cisco IOS Software Certificate Server 427

        Feature Support 427

        Implementation Guidelines 428

        Troubleshooting Flow 429

        PKI and Time: Additional Guidelines 429

        Enroll a Cisco IOS Software VPN Router into a PKI and Troubleshoot the Enrollment Process 429

        PKI Client Features 429

        Simple Certificate Enrollment Protocol 430

        Key Storage 430

        Configuration Tasks 430

        Configuration Scenario 431

        Task 1: Create an RSA Key Pair 431

        Task 2: Create an RSA Key Pair 432

        Task 3: Authenticate the PKI Certificate Authority 432

        Task 4: Create an Enrollment Request on the VPN Router 433

        Task 5: Issue the Client Certificate on the CA Server 434

        Certificate Revocation on the Cisco IOS Software Certificate Server 434

        Cisco Configuration Professional Support 434

        Verify the CA and Identity Certificates 435

        Feature Support 435

        Implementation Guidelines 436

        Troubleshooting Flow 436

        Configure and Verify the Integration of a Cisco IOS Software VPN Router with Supporting PKI Entities 436

        IKE Peer Authentication 436

        IKE Peer Certificate Authorization 437

        Configuration Tasks 437

        Configuration Scenario 437

        Task 1: Configure an IKE Policy 438

        Task 2: Configure an ISAKMP Profile 438

        Task 3: Configure Certificate-Based Authorization of Remote Peers 438

        Verify IKE SA Establishment 439

        Feature Support 439

        Implementation Guidelines 440

        Troubleshooting Flow 440

        Configuring Advanced PKI Integration 440

        Configuring CRL Handling on PKI Clients 441

        Using OCSP or AAA on PKI Clients 441

        Exam Preparation 442

Chapter 17 Deploying DMVPNs 447

        “Do I Know This Already?” Quiz 447

    Foundation Topics 451

        Understanding the Cisco IOS Software DMVPN

        Architecture 451

        Building Blocks of DMVPNs 452

        Hub-and-Spoke Versus On-Demand Fully Meshed VPNs 452

        DMVPN Initial State 453

        DMVPN Spoke-to-Spoke Tunnel Creation 453

        DMVPN Benefits and Limitations 454

        Plan the Deployment of a Cisco IOS Software DMVPN 455

        Input Parameters 455

        Deployment Tasks 455

        Deployment Choices 456

        General Deployment Guidelines 456

        Configure and Verify Cisco IOS Software GRE Tunnels 456

        GRE Features and Limitations 456

        Point-to-Point Versus Point-to-Multipoint GRE Tunnels 457

        Point-to-Point Tunnel Configuration Example 457

        Configuration Tasks for a Hub-and-Spoke Network 459

        Configuration Scenario 459

        Task 1: Configure an mGRE Interface on the Hub 459

        Task 2: Configure a GRE Interface on the Spoke 459

        Verify the State of GRE Tunnels 460

        Configure and Verify a Cisco IOS Software NHRP Client and Server 461

        (m)GRE and NHRP Integration 461

        Configuration Tasks 461

        Configuration Scenario 461

        Task 1: Configure an NHRP Server 461

        Task 2: Configure an NHRP Client 462

        Verify NHRP Mappings 462

        Debugging NHRP 463

        Configure and Verify a Cisco IOS Software DMVPN Hub 464

        Configuration Tasks 464

        Configuration Scenario 464

        Task 1: (Optional) Configure an IKE Policy 464

        Task 2: Generate and/or Configure Authentication Credentials 465

        Task 3: Configure an IPsec Profile 465

        Task 4: Create an mGRE Tunnel Interface 465

        Task 5: Configure the NHRP Server 465

        Task 6: Associate the IPsec Profile with the mGRE Interface 466

        Task 7: Configure IP Parameters on the mGRE Interface 466

        Cisco Configuration Professional Support 466

        Verify Spoke Registration 466

        Verify Registered Spoke Details 467

        Implementation Guidelines 468

        Feature Support 468

        Configure and Verify a Cisco IOS Software DMVPN Spoke 468

        Configuration Tasks 468

        Configuration Scenario 469

        Task 1: (Optional) Configure an IKE Policy 469

        Task 2: Generate and/or Configure Authentication Credentials 469

        Task 3: Configure an IPsec Profile 469

        Task 4: Create an mGRE Tunnel Interface 470

        Task 5: Configure the NHRP Client 470

        Task 6: Associate the IPsec Profile with the mGRE Interface 470

        Task 7: Configure IP Parameters on the mGRE Interface 471

        Verify Tunnel State and Traffic Statistics 471

        Configure and Verify Dynamic Routing in a Cisco IOS Software DMVPN 471

        EIGRP Hub Configuration 472

        OSPF Hub Configuration 473

        Hub-and-Spoke Routing and IKE Peering on Spoke 473

        Full Mesh Routing and IKE Peering on Spoke 474

        Troubleshoot a Cisco IOS Software DMVPN 474

        Troubleshooting Flow 475

        Exam Preparation 476

Chapter 18 Deploying High Availability in Tunnel-Based IPsec VPNs 481

        “Do I Know This Already?” Quiz 481

    Foundation Topics 484

        Plan the Deployment of Cisco IOS Software Site-to-Site IPsec VPN High-Availability Features 484

        VPN Failure Modes 484

        Partial Failure of the Transport Network 484

        Partial or Total Failure of the Service Provider (SP) Transport

        Network 485

        Partial or Total Failure of a VPN Device 485

        Deployment Guidelines 485

        Use Routing Protocols for VPN Failover 486

        Routing to VPN Tunnel Endpoints 486

        Routing Protocol Inside the VPN Tunnel 486

        Recursive Routing Hazard 487

        Routing Protocol VPN Topologies 487

        Routing Tuning for Path Selection 487

        Routing Tuning for Faster Convergence 488

        Choose the Most Optimal Method of Mitigating Failure in a VTI-Based VPN 488

        Path Redundancy Using a Single-Transport Network 489

        Path Redundancy Using Two Transport Networks 489

        Path and Device Redundancy in Single-Transport Networks 489

        Path and Device Redundancy with Multiple-Transport Networks 489

        Choose the Most Optimal Method of Mitigating Failure in a DMVPN 490

        Recommended Architecture 490

        Shared IPsec SAs 490

        Configuring a DMVPN with a Single-Transport Network 490

        Configuring a DMVPN over Multiple-Transport Networks 493

        Exam Preparation 495

Chapter 19 Deploying GET VPNs 499

        “Do I Know This Already?” Quiz 499

    Foundation Topics 502

        Describe the Operation of a Cisco IOS Software GET VPN 502

        Peer Authentication and Policy Provisioning 502

        GET VPN Traffic Exchange 504

        Packet Security Services 504

        Key Management Architecture 505

        Rekeying Methods 505

        Traffic Encapsulation 507

        Benefits and Limitations 507

        Plan the Deployment of a Cisco IOS Software GET VPN 508

        Input Parameters 508

        Deployment Tasks 508

        Deployment Choices 509

        Deployment Guidelines 509

        Configure and Verify a Cisco IOS Software GET VPN Key Server 509

        Configuration Tasks 509

        Configuration Choices 510

        Configuration Scenario 510

        Task 1: (Optional) Configure an IKE Policy 511

        Task 2: Generate and/or Configure Authentication Credentials 511

        Task 3: Generate RSA keys for Rekey Authentication 511

        Task 4: Configure a Traffic Protection Policy on the Key Server 512

        Task 5: Enable and Configure the GET VPN Key Server Function 512

        Task 6: (Optional) Tune the Rekeying Policy 513

        Task 7: Create and Apply the GET VPN Crypto Map 513

        Cisco Configuration Professional Support 514

        Verify Basic Key Server Settings 514

        Verify the Rekey Policy 514

        List All Registered Members 515

        Implementation Guidelines 515

        Configure and Verify Cisco IOS Software GET VPN Group Members 515

        Configuration Tasks 516

        Configuration Choices 516

        Configuration Scenario 516

        Task 1: Configure an IKE Policy 516

        Task 2: Generate and/or Configure Authentication Credentials 517


Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive:

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020