larger cover

Add To My Wish List

Register your product to gain access to bonus material or receive a coupon.

IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS

eBook (Watermarked)

  • Your Price: $49.59
  • List Price: $61.99
  • Includes EPUB and PDF
  • About eBook Formats
  • This eBook includes the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    Adobe Reader PDF The popular standard, used most often with the free Acrobat® Reader® software.

    This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

Also available in other formats.

  • About
  • Description
  • Sample Content
  • Updates

Additional Information

Download the sample pages (includes Chapter 7 and the Index.)

  • Copyright 2017
  • Dimensions: 7-3/8" x 9-1/8"
  • Pages: 656
  • Edition: 1st
  • eBook (Watermarked)
  • ISBN-10: 0-13-442640-1
  • ISBN-13: 978-0-13-442640-2

Create and manage highly-secure Ipsec VPNs with IKEv2 and Cisco FlexVPN

The IKEv2 protocol significantly improves VPN security, and Cisco’s FlexVPN offers a unified paradigm and command line interface for taking full advantage of it. Simple and modular, FlexVPN relies extensively on tunnel interfaces while maximizing compatibility with legacy VPNs. Now, two Cisco network security experts offer a complete, easy-tounderstand, and practical introduction to IKEv2, modern IPsec VPNs, and FlexVPN.

The authors explain each key concept, and then guide you through all facets of FlexVPN planning, deployment, migration, configuration, administration, troubleshooting, and optimization. You’ll discover how IKEv2 improves on IKEv1, master key IKEv2 features, and learn how to apply them with Cisco FlexVPN.

IKEv2 IPsec Virtual Private Networks offers practical design examples for many common scenarios, addressing IPv4 and IPv6, servers, clients, NAT, pre-shared keys, resiliency, overhead, and more. If you’re a network engineer, architect, security specialist, or VPN administrator, you’ll find all the knowledge you need to protect your organization with IKEv2 and FlexVPN.

  • Understand IKEv2 improvements: anti-DDoS cookies, configuration payloads, acknowledged responses, and more
  • Implement modern secure VPNs with Cisco IOS and IOS-XE
  • Plan and deploy IKEv2 in diverse real-world environments
  • Configure IKEv2 proposals, policies, profiles, keyrings, and authorization
  • Use advanced IKEv2 features, including SGT transportation and IKEv2 fragmentation
  • Understand FlexVPN, its tunnel interface types, and IOS AAA infrastructure
  • Implement FlexVPN Server with EAP authentication, pre-shared keys, and digital signatures
  • Deploy, configure, and customize FlexVPN clients
  • Configure, manage, and troubleshoot the FlexVPN Load Balancer
  • Improve FlexVPN resiliency with dynamic tunnel source, backup peers, and backup tunnels
  • Monitor IPsec VPNs with AAA, SNMP, and Syslog
  • Troubleshoot connectivity, tunnel creation, authentication, authorization, data encapsulation, data encryption, and overlay routing
  • Calculate IPsec overhead and fragmentation
  • Plan your IKEv2 migration: hardware, VPN technologies, routing, restrictions, capacity, PKI, authentication, availability, and more

Table of Contents

    Foreword xxvii

     Introduction xxxiii

 Part I Understanding IPsec VPNs

 Chapter 1 Introduction to IPsec VPNs 1

     The Need and Purpose of IPsec VPNs 2

     Building Blocks of IPsec 2

         Security Protocols 2

         Security Associations 3

         Key Management Protocol 3

     IPsec Security Services 3

         Access Control 4

         Anti-replay Services 4

        Confidentiality 4

         Connectionless Integrity 4

         Data Origin Authentication 4

         Traffic Flow Confidentiality 4

         Components of IPsec 5

         Security Parameter Index 5

         Security Policy Database 5

         Security Association Database 6

         Peer Authorization Database 6

         Lifetime 7

     Cryptography Used in IPsec VPNs 7

         Symmetric Cryptography 7

         Asymmetric Cryptography 8

         The Diffie-Hellman Exchange 8

     Public Key Infrastructure 11

         Public Key Cryptography 11

         Certificate Authorities 12

         Digital Certificates 12

         Digital Signatures Used in IKEv2 12

     Pre-Shared-Keys, or Shared Secret 13

     Encryption and Authentication 14

         IP Authentication Header 15

         Anti-Replay 16

 IP Encapsulating Security Payload (ESP) 17

         Authentication 18

         Encryption 18

         Anti-Replay 18

         Encapsulation Security Payload Datagram Format 18

        Encapsulating Security Payload Version 3 19

         Extended Sequence Numbers 19

         Traffic Flow Confidentiality 20

         Dummy Packets 20

     Modes of IPsec 20

         IPsec Transport Mode 20

         IPsec Tunnel Mode 21

     Summary 22

     References 22

 Part II Understanding IKEv2

 Chapter 2 IKEv2: The Protocol 23

     IKEv2 Overview 23

     The IKEv2 Exchange 24

     IKE_SA_INIT 25

         Diffie-Hellman Key Exchange 26

         Security Association Proposals 29

         Security Parameter Index (SPI) 34

         Nonce 35

         Cookie Notification 36

         Certificate Request 38


     Key Material Generation 39

     IKE_AUTH 42

         Encrypted and Authenticated Payload 42

         Encrypted Payload Structure 43

         Identity 44

         Authentication 45

         Signature-Based Authentication 46

         (Pre) Shared-Key-Based Authentication 47

         EAP 48

         Traffic Selectors 50

         Initial Contact 52


         IPsec Security Association Creation 53

         IPsec Security Association Rekey 54

         IKEv2 Security Association Rekey 54

     IKEv2 Packet Structure Overview 55

     The INFORMATIONAL Exchange 56

         Notification 56

         Deleting Security Associations 57

         Configuration Payload Exchange 58

         Dead Peer Detection/Keepalive/NAT Keepalive 59

         IKEv2 Request – Response 61

     IKEv2 and Network Address Translation 61

         NAT Detection 64

     Additions to RFC 7296 65

     RFC 5998 An Extension for EAP-Only Authentication in IKEv2 65

     RFC 5685 Redirect Mechanism for the Internet Key Exchange

         Protocol Version 2 (IKEv2) 65

     RFC 6989 Additional Diffie-Hellman Tests for the Internet Key

         Exchange Protocol Version 2 (IKEv2) 65

     RFC 6023 A Childless Initiation of the Internet

         Key Exchange Version 2 (IKEv2) Security Association (SA) 66

     Summary 66

     References 66

 Chapter 3 Comparison of IKEv1 and IKEv2 67

     Brief History of IKEv1 67

     Exchange Modes 69

         IKEv1 70

         IKEv2 71

     Anti-Denial of Service 72

     Lifetime 72

     Authentication 73

     High Availability 74

     Traffic Selectors 74

     Use of Identities 74

     Network Address Translation 74

     Configuration Payload 75

     Mobility & Multi-homing 75

     Matching on Identity 75

     Reliability 77

     Cryptographic Exchange Bloat 77

     Combined Mode Ciphers 77

     Continuous Channel Mode 77

     Summary 77

     References 78

 Part III IPsec VPNs on Cisco IOS

 Chapter 4 IOS IPsec Implementation 79

     Modes of Encapsulation 82

         GRE Encapsulation 82

         GRE over IPsec 83

         IPsec Transport Mode with GRE over IPsec 83

         IPsec Tunnel mode with GRE over IPsec 84

         Traffic 85

         Multicast Traffic 85

         Non-IP Protocols 86

     The Demise of Crypto Maps 86

     Interface Types 87

         Virtual Interfaces: VTI and GRE/IPsec 87

         Traffic Selection by Routing 88

         Static Tunnel Interfaces 90

         Dynamic Tunnel Interfaces 91

         sVTI and dVTI 92

         Multipoint GRE 92

     Tunnel Protection and Crypto Sockets 94

     Implementation Modes 96

         Dual Stack 96

         Mixed Mode 96

         Auto Tunnel Mode 99

     VRF-Aware IPsec 99

         VRF in Brief 99

         VRF-Aware GRE and VRF-Aware IPsec 101

         VRF-Aware GRE over IPsec 102

     Summary 103

     Reference 104

 Part IV IKEv2 Implementation

 Chapter 5 IKEv2 Configuration 105

     IKEv2 Configuration Overview 105

         The Guiding Principle 106

         Scope of IKEv2 Configuration 106

         IKEv2 Configuration Constructs 106

     IKEv2 Proposal 107

         Configuring the IKEv2 Proposal 108

         Configuring IKEv2 Encryption 111

         Configuring IKEv2 Integrity 113

         Configuring IKEv2 Diffie-Hellman 113

         Configuring IKEv2 Pseudorandom Function 115

         Default IKEv2 Proposal 115

     IKEv2 Policy 117

         Configuring an IKEv2 Policy 118

         Configuring IKEv2 Proposals under IKEv2 Policy 119

         Configuring Match Statements under IKEv2 Policy 120

         Default IKEv2 Policy 121

         IKEv2 Policy Selection on the Initiator 122

         IKEv2 Policy Selection on Responder 124

         IKEv2 Policy Configuration Examples 125

         Per-peer IKEv2 Policy 125

         IKEv2 Policy with Multiple Proposals 126

     IKEv2 Keyring 128

         Configuring IKEv2 Keyring 129

         Configuring a Peer Block in Keyring 130

         Key Lookup on Initiator 132

         Key Lookup on Responder 133

         IKEv2 Keyring Configuration Example 134

         IKEv2 Keyring Key Points 136

     IKEv2 Profile 136

         IKEv2 Profile as Peer Authorization Database 137

         Configuring IKEv2 Profile 138

         Configuring Match Statements in IKEv2 Profile 139

         Matching any Peer Identity 142

         Defining the Scope of IKEv2 Profile 143

         Defining the Local IKE Identity 143

         Defining Local and Remote Authentication Methods 145

         IKEv2 Dead Peer Detection 149

         IKEv2 Initial Contact 151

         IKEv2 SA Lifetime 151

         NAT Keepalives 152

         IVRF (inside VRF) 152

         Virtual Template Interface 153

         Disabling IKEv2 Profile 153

         Displaying IKEv2 Profiles 153

         IKEv2 Profile Selection on Initiator and Responder 154

         IKEv2 Profile Key Points 154

     IKEv2 Global Configuration 155

         HTTP URL-based Certificate Lookup 156

         IKEv2 Cookie Challenge 156

         IKEv2 Call Admission Control 157

         IKEv2 Window Size 158

         Dead Peer Detection 158

         NAT Keepalive 159

         IKEv2 Diagnostics 159

     PKI Configuration 159

         Certificate Authority 160

         Public-Private Key Pair 162

         PKI Trustpoint 163

         PKI Example 164

     IPsec Configuration 166

         IPsec Profile 167

         IPsec Configuration Example 168

         Smart Defaults 168

     Summary 169

 Chapter 6 Advanced IKEv2 Features 171

     Introduction to IKEv2 Fragmentation 171

         IP Fragmentation Overview 172

         IKEv2 and Fragmentation 173

     IKEv2 SGT Capability Negotiation 178

     IKEv2 Session Authentication 181

         IKEv2 Session Deletion on Certificate Revocation 182

         IKEv2 Session Deletion on Certificate Expiry 184

     IKEv2 Session Lifetime 185

     Summary 187

     References 188

 Chapter 7 IKEv2 Deployments 189

     Pre-shared-key Authentication with Smart Defaults 189

         Elliptic Curve Digital Signature Algorithm Authentication 194

         RSA Authentication Using HTTP URL Lookup 200

         IKEv2 Cookie Challenge and Call Admission Control 207

     Summary 210

 Part V FlexVPN

 Chapter 8 Introduction to FlexVPN 211

     FlexVPN Overview 211

         The Rationale 212

         FlexVPN Value Proposition 213

     FlexVPN Building Blocks 213

         IKEv2 213

         Cisco IOS Point-to-Point Tunnel Interfaces 214

         Configuring Static P2P Tunnel Interfaces 214

         Configuring Virtual-Template Interfaces 216

         Auto-Detection of Tunnel Encapsulation and Transport 219

         Benefits of Per-Peer P2P Tunnel Interfaces 221

         Cisco IOS AAA Infrastructure 221

         Configuring AAA for FlexVPN 222

     IKEv2 Name Mangler 223

         Configuring IKEv2 Name Mangler 224

         Extracting Name from FQDN Identity 225

         Extracting Name from Email Identity 226

         Extracting Name from DN Identity 226

         Extracting Name from EAP Identity 227

     IKEv2 Authorization Policy 228

         Default IKEv2 Authorization Policy 229

     FlexVPN Authorization 231

         Configuring FlexVPN Authorization 233

         FlexVPN User Authorization 235

         FlexVPN User Authorization, Using an External AAA Server 235

         FlexVPN Group Authorization 237

         FlexVPN Group Authorization, Using a Local AAA Database 238

         FlexVPN Group Authorization, Using an External AAA Server 239

         FlexVPN Implicit Authorization 242

         FlexVPN Implicit Authorization Example 243

         FlexVPN Authorization Types: Co-existence and Precedence 245

         User Authorization Taking Higher Precedence 247

         Group Authorization Taking Higher Precedence 249

     FlexVPN Configuration Exchange 250

         Enabling Configuration Exchange 250

         FlexVPN Usage of Configuration Payloads 251

         Configuration Attributes and Authorization 253

         Configuration Exchange Examples 259

     FlexVPN Routing 264

         Learning Remote Subnets Locally 265

         Learning Remote Subnets from Peer 266

     Summary 268

 Chapter 9 FlexVPN Server 269

     Sequence of Events 270

     EAP Authentication 271

         EAP Methods 272

         EAP Message Flow 273

         EAP Identity 273

         EAP Timeout 275

         EAP Authentication Steps 275

         Configuring EAP 277

         EAP Configuration Example 278

     AAA-based Pre-shared Keys 283

         Configuring AAA-based Pre-Shared Keys 284

         RADIUS Attributes for AAA-Based Pre-Shared Keys 285

         AAA-Based Pre-Shared Keys Example 285

     Accounting 287

     Per-Session Interface 290

         Deriving Virtual-Access Configuration from a Virtual Template 291

         Deriving Virtual-Access Configuration from AAA Authorization 293

         The interface-config AAA Attribute 293

         Deriving Virtual-Access Configuration from an Incoming Session 294

         Virtual-Access Cloning Example 295

     Auto Detection of Tunnel Transport and Encapsulation 297

     RADIUS Packet of Disconnect 299

         Configuring RADIUS Packet of Disconnect 300

         RADIUS Packet of Disconnect Example 301

     RADIUS Change of Authorization (CoA) 303

         Configuring RADIUS CoA 304

         RADIUS CoA Examples 305

         Updating Session QoS Policy, Using CoA 305

         Updating the Session ACL, Using CoA 307

     IKEv2 Auto-Reconnect 309

         Auto-Reconnect Configuration Attributes 310

         Smart DPD 311

         Configuring IKEv2 Auto-Reconnect 313

     User Authentication, Using AnyConnect-EAP 315

         AnyConnect-EAP 315

         AnyConnect-EAP XML Messages for User Authentication 316

         Configuring User Authentication, Using AnyConnect-EAP 318

         AnyConnect Configuration for Aggregate Authentication 320

     Dual-factor Authentication, Using AnyConnect-EAP 320

         AnyConnect-EAP XML Messages for dual-factor authentication 322

         Configuring Dual-factor Authentication, Using AnyConnect-EAP 324

     RADIUS Attributes Supported by the FlexVPN Server 325

     Remote Access Clients Supported by FlexVPN Server 329

         FlexVPN Remote Access Client 329

         Microsoft Windows7 IKEv2 Client 329

         Cisco IKEv2 AnyConnect Client 330

     Summary 330

     Reference 330

 Chapter 10 FlexVPN Client 331

     Introduction 331

     FlexVPN Client Overview 332

         FlexVPN Client Building Blocks 333

         IKEv2 Configuration Exchange 334

         Static Point-to-Point Tunnel Interface 334

         FlexVPN Client Profile 334

         Object Tracking 334

         NAT 335

         FlexVPN Client Features 335

         Dual Stack Support 335

         EAP Authentication 335

         Dynamic Routing 335

         Support for EzVPN Client and Network Extension Modes 336

         Advanced Features 336

     Setting up the FlexVPN Server 336

     EAP Authentication 337

     Split-DNS 338

         Components of Split-DNS 340

     Windows Internet Naming Service (WINS) 343

     Domain Name 344

     FlexVPN Client Profile 345

     Backup Gateways 346

         Resolution of Fully Qualified Domain Names 346

         Reactivating Peers 346

         Backup Gateway List 347

     Tunnel Interface 347

         Tunnel Source 348

         Tunnel Destination 349

     Tunnel Initiation 350

         Automatic Mode 350

         Manual Mode 350

         Track Mode 350

         Tracking a List of Objects, Using a Boolean Expression 350

     Dial Backup 352

     Backup Group 353

     Network Address Translation 354

     Design Considerations 356

         Use of Public Key Infrastructure and Pre-Shared Keys 356

         The Power of Tracking 356

         Tracked Object Based on Embedded Event Manager 356

     Troubleshooting FlexVPN Client 358

         Useful Show Commands 358

         Debugging FlexVPN Client 360

         Clearing IKEv2 FlexVPN Client Sessions 360

     Summary 361

 Chapter 11 FlexVPN Load Balancer 363

     Introduction 363

     Components of the FlexVPN Load Balancer 363

         IKEv2 Redirect 363

         Hot Standby Routing Protocol 366

     FlexVPN IKEv2 Load Balancer 367

         Cluster Load 369

         IKEv2 Redirect 372

         Redirect Loops 373

     FlexVPN Client 374

     Troubleshooting IKEv2 Load Balancing 374

     IKEv2 Load Balancer Example 376

     Summary 379

 Chapter 12 FlexVPN Deployments 381

     Introduction 381

     FlexVPN AAA-Based Pre-Shared Keys 381

         Configuration on the Branch-1 Router 382

         Configuration on the Branch-2 Router 383

         Configuration on the Hub Router 383

         Configuration on the RADIUS Server 384

     FlexVPN User and Group Authorization 386

         FlexVPN Client Configuration at Branch 1 386

         FlexVPN Client Configuration at Branch 2 387

         Configuration on the FlexVPN Server 387

         Configuration on the RADIUS Server 388

         Logs Specific to FlexVPN Client-1 389

         Logs Specific to FlexVPN Client-2 390

     FlexVPN Routing, Dual Stack, and Tunnel Mode Auto 391

         FlexVPN Spoke Configuration at Branch-1 392

         FlexVPN Spoke Configuration at Branch-2 394

         FlexVPN Hub Configuration at the HQ 395

         Verification on FlexVPN Spoke at Branch-1 397

         Verification on FlexVPN Spoke at Branch-2 399

         Verification on the FlexVPN Hub at HQ 401

     FlexVPN Client NAT to the Server-Assigned IP Address 404

         Configuration on the FlexVPN Client 404

         Verification on the FlexVPN Client 405

     FlexVPN WAN Resiliency, Using Dynamic Tunnel Source 407

         FlexVPN Client Configuration on the Dual-Homed Branch Router 408

         Verification on the FlexVPN Client 409

     FlexVPN Hub Resiliency, Using Backup Peers 411

         FlexVPN Client Configuration on the Branch Router 411

         Verification on the FlexVPN Client 412

     FlexVPN Backup Tunnel, Using Track-Based Tunnel Activation 414

         Verification on the FlexVPN Client 415

     Summary 416

 Part VI IPsec VPN Maintenance

 Chapter 13 Monitoring IPsec VPNs 417

     Introduction to Monitoring 417

         Authentication, Authorization, and Accounting (AAA) 418

         NetFlow 418

         Simple Network Management Protocol 419

         VRF-Aware SNMP 420

         Syslog 421

     Monitoring Methodology 422

         IP Connectivity 423

         VPN Tunnel Establishment 425

         Cisco IPsec Flow Monitor MIB 425

         SNMP with IKEv2 425

         Syslog 428

         Pre-Shared Key Authentication 429

         PKI Authentication 431

         EAP Authentication 434

         Authorization Using RADIUS-Based AAA 436

         Data Encryption: SNMP with IPsec 437

         Overlay Routing 439

         Data Usage 440

     Summary 443

     References 443

 Chapter 14 Troubleshooting IPsec VPNs 445

     Introduction 445

     Tools of Troubleshooting 446

         Show Commands 447

         Syslog Messages 447

         Event-Trace Monitoring 447

         Debugging 449

         IKEv2 Debugging 449

         IPsec Debugging 453

         Key Management Interface Debugging 453

         PKI Debugging 456

         Conditional Debugging 456

     IP Connectivity 457

     VPN Tunnel Establishment 460

         IKEv2 Diagnose Error 460

         Troubleshooting the IKE_SA_INIT Exchange 461

         Troubleshooting the IKE_AUTH Exchange 464

     Authentication 464

         Troubleshooting RSA or ECDSA Authentication 465

         Certificate Attributes 469

         Debugging Authentication Using PKI 470

         Certificate Expiry 470

         Matching Peer Using Certificate Maps 472

         Certificate Revocation 473

         Trustpoint Configuration 476

         Trustpoint Selection 476

         Pre-Shared Key 478

         Extensible Authentication Protocol (EAP) 480

     Authorization 485

     Data Encryption 488

         Debugging IPsec 488

         IPsec Anti-Replay 491

     Data Encapsulation 495

         Mismatching GRE Tunnel Keys 495

     Overlay Routing 495

         Static Routing 496

         IKEv2 Routing 496

         Dynamic Routing Protocols 498

     Summary 499

     References 502

 Part VII IPsec Overhead

 Chapter 15 IPsec Overhead and Fragmentation 503

     Introduction 503

     Computing the IPsec Overhead 504

         General Considerations 504

         IPsec Mode Overhead (without GRE) 505

         GRE Overhead 505

         Encapsulating Security Payload Overhead 507

         Authentication Header Overhead 509

         Encryption Overhead 510

         Integrity Overhead 511

         Combined-mode Algorithm Overhead 512

         Plaintext MTU 513

         Maximum Overhead 514

         Maximum Encapsulation Security Payload Overhead 515

         Maximum Authentication Header Overhead 516

         Extra Overhead 516

     IPsec and Fragmentation 518

         Maximum Transmission Unit 518

         Fragmentation in IPv4 519

         Fragmentation in IPv6 522

         Path MTU Discovery 523

         TCP MSS Clamping 525

         MSS Refresher 525

         MSS Adjustment 526

         IPsec Fragmentation and PMTUD 527

         Fragmentation on Tunnels 531

         IPsec Only (VTI) 531

         GRE Only 532

         GRE over IPsec 534

         Tunnel PMTUD 534

         The Impact of Fragmentation 535

     Summary 536

     References 536

 Part VIII Migration to IKEv2

 Chapter 16 Migration Strategies 539

     Introduction to Migrating to IKEv2 and FlexVPN 539

     Consideration when Migrating to IKEv2 539

         Hardware Limi

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive:

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020