CCNP Security Secure 642-637 Official Cert Guide

Description

• Copyright 2011
• Edition: 1st

• eBook (Watermarked)
• ISBN-10: 0-13-237855-8
• ISBN-13: 978-0-13-237855-0

This is the eBook version of the print title. Note that the eBook does not provide access to the practice test software that accompanies the print book.

Trust the best selling Official Cert Guide series from Cisco Press to help you learn, prepare, and practice for exam success. They are built with the objective of providing assessment, review, and practice to help ensure you are fully prepared for your certification exam.

CCNP Security SECURE 642-637 Official Cert Guidepresents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.

• Master CCNP Security SECURE 642-637 exam topics
• Assess your knowledge with chapter-opening quizzes
• Review key concepts with exam preparation tasks

CCNP Security SECURE 642-637 Official Cert Guidefocuses specifically on the objectives for the CCNP Security SECURE exam. Senior networking consultants Sean Wilkins and Trey Smith share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.

The official study guide helps you master all the topics on the CCNP Security SECURE exam, including:

• Network security threats and foundation protection
• Switched data plane security
• 802.1X and identity-based networking services
• Cisco IOS routed data plane security
• Cisco IOS control plane security
• Cisco IOS management plane security
• NAT
• Zone-based firewalls
• IOS intrusion prevention system
• Cisco IOS site-to-site security solutions
• IPsec VPNs, dynamic multipoint VPNs, and GET VPNs
• SSL VPNs and EZVPN

CCNP Security SECURE 642-637 Official Cert Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.



Sample Content

Table of Contents

Introduction xxxiii

Part I Network Security Technologies Overview

Chapter 1 Network Security Fundamentals 3

“Do I Know This Already?” Quiz 3

Foundation Topics 7

Defining Network Security 7

Building Secure Networks 7

Cisco SAFE 9

SCF Basics 9

安全/自洽场基于“增大化现实”技术chitecture Principles 12

SAFE/SCF Network Foundation Protection (NFP) 14

SAFE/SCF Design Blueprints 14

SAFE Usage 15

Exam Preparation 17

Chapter 2 Network Security Threats 21

“Do I Know This Already?” Quiz 21

Foundation Topics 24

Vulnerabilities 24

Self-Imposed Network Vulnerabilities 24

Intruder Motivations 29

Lack of Understanding of Computers or Networks 30

Intruding for Curiosity 30

Intruding for Fun and Pride 30

Intruding for Revenge 30

Intruding for Profit 31

Intruding for Political Purposes 31

Types of Network Attacks 31

Reconnaissance Attacks 32

Access Attacks 33

DoS Attacks 35

Exam Preparation 36

Chapter 3 Network Foundation Protection (NFP) Overview 39

“Do I Know This Already?” Quiz 39

Foundation Topics 42

Overview of Device Functionality Planes 42

Control Plane 43

Data Plane 44

Management Plane 45

Identifying Network Foundation Protection Deployment Models 45

Identifying Network Foundation Protection Feature Availability 48

Cisco Catalyst Switches 48

Cisco Integrated Services Routers (ISR) 49

Cisco Supporting Management Components 50

Exam Preparation 53

Part II Cisco IOS Foundation Security Solutions

Chapter 4 Configuring and Implementing Switched Data Plane Security Solutions 57

“Do I Know This Already?” Quiz 57

Foundation Topics 60

Switched Data Plane Attack Types 60

VLAN Hopping Attacks 60

CAM Flooding Attacks 61

MAC Address Spoofing 63

Spanning Tree Protocol (STP) Spoofing Attacks 63

DHCP Starvation Attacks 66

DHCP Server Spoofing 67

ARP Spoofing 67

Switched Data Plane Security Technologies 67

Port Configuration 67

Port Security 71

Root Guard, BPDU Guard, and PortFast 74

DHCP Snooping 75

Dynamic ARP Inspection (DAI) 77

IP Source Guard 79

Private VLANs (PVLAN) 80

Exam Preparation 84

Chapter 5 802.1X and Cisco Identity-Based Networking Services (IBNS) 91

“Do I Know This Already?” Quiz 91

Foundation Topics 94

Identity-Based Networking Services (IBNS) and IEEE 802.1x Overview 94

IBNS and 802.1x Enhancements and Features 94

802.1x Components 96

802.1x Interworking 97

Extensible Authentication Protocol (EAP) 97

EAP over LAN (EAPOL) 98

EAP Message Exchange 99

Port States 100

Port Authentication Host Modes 101

EAP Type Selection 102

EAP—Message Digest Algorithm 5 102

Protected EAP w/MS-CHAPv2 102

Cisco Lightweight EAP 103

EAP—Transport Layer Security 104

EAP—Tunneled Transport Layer Security 104

EAP-Flexible认证通过安全隧道105

Exam Preparation 106

Chapter 6 Implementing and Configuring Basic 802.1X 109

“Do I Know This Already?” Quiz 109

Foundation Topics 112

Plan Basic 802.1X Deployment on Cisco Catalyst IOS Software 112

Gathering Input Parameters 113

Deployment Tasks 113

Deployment Choices 114

General Deployment Guidelines 114

Configure and Verify Cisco Catalyst IOS Software 802.1X Authenticator 115

Configuration Choices 115

Configuration Scenario 115

真实fy Basic 802.1X Functionality 121

Configure and Verify Cisco ACS for EAP-FAST 121

Configuration Choices 122

Configuration Scenario 122

Configure the Cisco Secure Services Client 802.1X Supplicant 128

Task 1: Create the CSSC Configuration Profile 128

Task 2: Create a Wired Network Profile 128

Tasks 3 and 4: (Optional) Tune 802.1X Timers and

Authentication Mode 130

Task 5: Configure the Inner and Outer EAP Mode for the Connection 131

Task 6: Choose the Login Credentials to Be Used for Authentication 132

Task 7: Create the CSSC Installation Package 133

Network Login 134

真实fy and Troubleshoot 802.1 X Operations 134

Troubleshooting Flow 134

Successful Authentication 135

真实fy Connection Status 135

真实fy Authentication on AAA Server 135

真实fy Guest/Restricted VLAN Assignment 135

802.1X Readiness Check 135

Unresponsive Supplicant 135

Failed Authentication: RADIUS Configuration Issues 135

Failed Authentication: Bad Credentials 135

Exam Preparation 136

Chapter 7 Implementing and Configuring Advanced 802.1X 139

“Do I Know This Already?” Quiz 139

Foundation Topics 143

Plan the Deployment of Cisco Advanced 802.1X Authentication Features 143

Gathering Input Parameters 143

Deployment Tasks 144

Deployment Choices 144

Configure and Verify EAP-TLS Authentication on Cisco IOS Components and Cisco Secure ACS 145

EAP-TLS with 802.1X Configuration Tasks 145

Configuration Scenario 146

Configuration Choices 146

Task 1: Configure RADIUS Server 147

任务2:安装身份和证书颁发机构Certificates on All Clients 147

Task 3: Configure an Identity Certificate on the Cisco Secure ACS Server 147

Task 4: Configure Support of EAP-TLS on the Cisco Secure ACS Server 149

Task 5: (Optional) Configure EAP-TLS Support Using the Microsoft Windows Native Supplicant 151

Task 6: (Optional) Configure EAP-TLS Support Using the Cisco Secure Services Client (CSSC) Supplicant 152

Implementation Guidelines 153

Feature Support 153

真实fying EAP-TLS Configuration 153

Deploying User and Machine Authentication 153

Configuring User and Machine Authentication Tasks 154

Configuration Scenario 154

Task 1: Install Identity and Certificate Authority Certificates on All Clients 155

Task 2: Configure Support of EAP-TLS on Cisco Secure ACS Server 155

Task 3: Configure Support of Machine Authentication on Cisco Secure ACS Server 156

Task 4: Configure Support of Machine Authentication on Microsoft Windows Native 802.1X Supplicant 156

Task 5: (Optional) Configure Machine Authentication Support Using the Cisco Secure Services Client (CSSC) Supplicant 157

Task 6: (Optional) Configure Additional User Support Using the Cisco Secure Services Client (CSSC) Supplicant 158

Implementation Guidelines 158

Feature Support 158

Deploying VLAN and ACL Assignment 159

Deploying VLAN and ACL Assignment Tasks 159

Configuration Scenario 159

Configuration Choices 160

Task 1: Configure Cisco IOS Software 802.1X Authenticator Authorization 160

Task 2: (Optional) Configure VLAN Assignment on Cisco Secure ACS 161

Task 3: (Optional) Configure and Prepare for ACL Assignment on Cisco IOS Software Switch 162

Task 4: (Optional) Configure ACL Assignment on Cisco Secure ACS Server 162

真实fication of VLAN and ACL Assignment with Cisco IOS Software CLI 164

真实fication of VLAN and ACL Assignment on Cisco Secure ACS 165

Configure and Verify Cisco Secure ACS MAC Address ExceptionPolicies 165

Cisco Catalyst IOS Software MAC Authentication Bypass (MAB) 165

Configuration Tasks 166

Configuration Scenario 166

Tasks 1 and 2: Configure MAC Authentication Bypass on the Switch and ACS 167

真实fication of Configuration 168

Implementation Guidelines 168

Configure and Verify Web Authentication on Cisco IOS Software LAN Switches and Cisco Secure ACS 168

Configuration Tasks 169

Configuration Scenario 169

Task 1: Configure Web Authentication on the Switch 169

Task 2: Configure Web Authentication on the Cisco Secure ACS Server 171

Web Authentication Verification 172

User Experience 172

Choose a Method to Support Multiple Hosts on a Single Port 172

Multiple Hosts Support Guidelines 172

Configuring Support of Multiple Hosts on a Single Port 172

Configuring Fail-Open Policies 174

Configuring Critical Ports 174

Configuring Open Authentication 176

Resolve 802.1X Compatibility Issues 176

Wake-on-LAN (WOL) 176

Non-802.1X IP Phones 177

Preboot Execution Environment (PXE) 177

Exam Preparation 178

Chapter 8 Implementing and Configuring Cisco IOS Routed Data Plane Security 183

“Do I Know This Already?” Quiz 183

Foundation Topics 186

Routed Data Plane Attack Types 186

IP Spoofing 186

Slow-Path Denial of Service 186

Traffic Flooding 187

Routed Data Plane Security Technologies 187

Access Control Lists (ACL) 187

Flexible Packet Matching 196

Flexible NetFlow 203

Unicast Reverse Path Forwarding (Unicast RPF) 209

Exam Preparation 212

Chapter 9 Implementing and Configuring Cisco IOS Control

Plane Security 219

“Do I Know This Already?” Quiz 219

Foundation Topics 222

Control Plane Attack Types 222

Slow-Path Denial of Service 222

Routing Protocol Spoofing 222

Control Plane Security Technologies 222

Control Plane Policing (CoPP) 222

Control Plane Protection (CPPr) 226

Routing Protocol Authentication 232

Exam Preparation 237

Chapter 10 Implementing and Configuring Cisco IOS Management Plane Security 245

“Do I Know This Already?” Quiz 245

Foundation Topics 248

Management Plane Attack Types 248

Management Plane Security Technologies 248

Basic Management Security and Privileges 248

SSH 254

SNMP 256

CPU and Memory Thresholding 261

Management Plane Protection 262

AutoSecure 263

数字签名思科软件265

Exam Preparation 267

Part III Cisco IOS Threat Detection and Control

Chapter 11 Implementing and Configuring Network Address Translation (NAT) 275

“Do I Know This Already?” Quiz 275

Foundation Topics 278

Network Address Translation 278

Static NAT Example 280

Dynamic NAT Example 280

PAT Example 281

NAT Configuration 282

Overlapping NAT 287

考试准备290

Chapter 12 Implementing and Configuring Zone-Based Policy Firewalls 295

“Do I Know This Already?” Quiz 295

Foundation Topics 298

Zone-Based Policy Firewall Overview 298

Zones/Security Zones 298

Zone Pairs 299

Transparent Firewalls 300

Zone-Based Layer 3/4 Policy Firewall Configuration 301

Class Map Configuration 302

Parameter Map Configurations 304

Policy Map Configuration 306

Zone Configuration 308

Zone Pair Configuration 309

Port to Application Mapping (PAM) Configuration 310

Zone-Based Layer 7 Policy Firewall Configuration 312

URL Filter 313

HTTP Inspection 318

Exam Preparation 323

Chapter 13 Implementing and Configuring IOS Intrusion Prevention System (IPS) 333

“Do I Know This Already?” Quiz 333

Foundation Topics 336

Configuration Choices, Basic Procedures, and Required Input Parameters 336

Intrusion Detection and Prevention with Signatures 337

Sensor Accuracy 339

Choosing a Cisco IOS IPS Sensor Platform 340

Software-Based Sensor 340

Hardware-Based Sensor 340

Deployment Tasks 341

Deployment Guidelines 342

Deploying Cisco IOS Software IPS Signature Policies 342

Configuration Tasks 342

Configuration Scenario 342

真实fication 346

Guidelines 347

Tuning Cisco IOS Software IPS Signatures 347

Event Risk Rating System Overview 348

Event Risk Rating Calculation 348

Event Risk Rating Example 349

Signature Event Action Overrides (SEAO) 349

Signature Event Action Filters (SEAF) 349

Configuration Tasks 350

Configuration Scenario 350

真实fication 355

Implementation Guidelines 355

Deploying Cisco IOS Software IPS Signature Updates 355

Configuration Tasks 356

Configuration Scenario 356

Task 1: Install Signature Update License 356

Task 2: Configure Automatic Signature Updates 357

真实fication 357

Monitoring Cisco IOS Software IPS Events 358

Cisco IOS Software IPS Event Generation 358

Cisco IME Features 358

Cisco IME Minimum System Requirements 359

Configuration Tasks 359

Configuration Scenario 360

Task 2: Add the Cisco IOS Software IPS Sensor to Cisco IME 361

真实fication 362

真实fication: Local Events 362

真实fication: IME Events 363

Cisco IOS Software IPS Sensor 363

Troubleshooting Resource Use 365

Additional Debug Commands 365

Exam Preparation 366

Part IV Managing and Implementing Cisco IOS Site-to-Site Security Solutions

Chapter 14 Introduction to Cisco IOS Site-to-Site Security Solutions 369

“Do I Know This Already?” Quiz 369

Foundation Topics 372

Choose an Appropriate VPN LAN Topology 372

Input Parameters for Choosing the Best VPN LAN Topology 373

总体部署指南选择喜神贝斯t VPN LAN Topology 373

Choose an Appropriate VPN WAN Technology 373

Input Parameters for Choosing the Best VPN WAN Technology 374

总体部署指南选择喜神贝斯t VPN WAN Technology 376

Core Features of IPsec VPN Technology 376

IPsec Security Associations 377

Internet Key Exchange (IKE) 377

IPsec Phases 377

IKE Main and Aggressive Mode 378

Encapsulating Security Payload 378

Choose Appropriate VPN Cryptographic Controls 379

IPsec Security Associations 379

Algorithm Choices 379

General Deployment Guidelines for Choosing Cryptographic Controls for a Site-to-Site VPN Implementation 381

Design and Implementation Resources 382

Exam Preparation 383

Chapter 15 Deploying VTI-Based Site-to-Site IPsec VPNs 387

“Do I Know This Already?” Quiz 387

Foundation Topics 390

Plan a Cisco IOS Software VTI-Based Site-to-Site VPN 390

Virtual Tunnel Interfaces 390

Input Parameters 392

Deployment Tasks 393

Deployment Choices 393

General Deployment Guidelines 393

Configuring Basic IKE Peering 393

Cisco IOS Software Default IKE PSK-Based Policies 394

Configuration Tasks 394

Configuration Choices 395

Configuration Scenario 395

Task 1: (Optional) Configure an IKE Policy on Each Peer 395

Tasks 2 and 3: Generate and Configure Authentication Credentials on Each Peer 396

真实fy Local IKE Sessions 396

真实fy Local IKE Policies 396

真实fy a Successful Phase 1 Exchange 397

Implementation Guidelines 397

Troubleshooting IKE Peering 397

Troubleshooting Flow 397

Configuring Static Point-to-Point IPsec VTI Tunnels 398

Default Cisco IOS Software IPsec Transform Sets 398

Configuration Tasks 398

Configuration Choices 399

Configuration Scenario 399

Task 1: (Optional) Configure an IKE Policy on Each Peer 399

Task 2: (Optional) Configure an IPsec Transform Set 399

Task 3: Configure an IPsec Protection Profile 400

Task 4: Configure a Virtual Tunnel Interface (VTI) 400

Task 5: Apply the Protection Profile to the Tunnel Interface 401

Task 6: Configure Routing into the VTI Tunnel 401

Implementation Guidelines 401

真实fy Tunnel Status and Traffic 401

Troubleshooting Flow 402

Configure Dynamic Point-to-Point IPsec VTI Tunnels 403

Virtual Templates and Virtual Access Interfaces 403

ISAKMP Profiles 404

Configuration Tasks 404

Configuration Scenario 404

Task 1: Configure IKE Peering 405

Task 2: (Optional) Configure an IPsec Transform Set 405

Task 3: Configure an IPsec Protection Profile 405

Task 4: Configure a Virtual Template Interface 406

Task 5: Map Remote Peer to a Virtual Template Interface 406

真实fy Tunnel Status on the Hub 407

Implementation Guidelines 407

Exam Preparation 408

Chapter 16 Deploying Scalable Authentication in Site-to-Site IPsec VPNs 411

“Do I Know This Already?” Quiz 411

Foundation Topics 414

Describe the Concept of a Public Key Infrastructure 414

Manual Key Exchange with Verification 414

Trusted Introducing 414

Public Key Infrastructure: Certificate Authorities 416

X.509 Identity Certificate 417

Certificate Revocation Checking 418

Using Certificates in Network Applications 419

Deployment Choices 420

Deployment Steps 420

Input Parameters 421

Deployment Guidelines 421

Configure, Verify, and Troubleshoot a Basic Cisco IOS Software Certificate Server 421

Configuration Tasks for a Root Certificate Server 422

Configuration Scenario 423

Task 1: Create an RSA Key Pair 423

Task 2: Create a PKI Trustpoint 424

Tasks 3 and 4: Create the CS and Configure the Database Location 424

Task 5: Configure an Issuing Policy 425

Task 6: Configure the Revocation Policy 425

Task 7: Configure the SCEP Interface 426

Task 8: Enable the Certificate Server 426

Cisco Configuration Professional Support 426

真实fy the Cisco IOS Software Certificate Server 427

Feature Support 427

Implementation Guidelines 428

Troubleshooting Flow 429

PKI and Time: Additional Guidelines 429

Enroll a Cisco IOS Software VPN Router into a PKI and Troubleshoot the Enrollment Process 429

PKI Client Features 429

Simple Certificate Enrollment Protocol 430

Key Storage 430

Configuration Tasks 430

Configuration Scenario 431

Task 1: Create an RSA Key Pair 431

Task 2: Create an RSA Key Pair 432

Task 3: Authenticate the PKI Certificate Authority 432

Task 4: Create an Enrollment Request on the VPN Router 433

Task 5: Issue the Client Certificate on the CA Server 434

Certificate Revocation on the Cisco IOS Software Certificate Server 434

Cisco Configuration Professional Support 434

真实fy the CA and Identity Certificates 435

Feature Support 435

Implementation Guidelines 436

Troubleshooting Flow 436

Configure and Verify the Integration of a Cisco IOS Software VPN Router with Supporting PKI Entities 436

IKE Peer Authentication 436

IKE Peer Certificate Authorization 437

Configuration Tasks 437

Configuration Scenario 437

Task 1: Configure an IKE Policy 438

Task 2: Configure an ISAKMP Profile 438

Task 3: Configure Certificate-Based Authorization of Remote Peers 438

真实fy IKE SA Establishment 439

Feature Support 439

Implementation Guidelines 440

Troubleshooting Flow 440

Configuring Advanced PKI Integration 440

Configuring CRL Handling on PKI Clients 441

Using OCSP or AAA on PKI Clients 441

Exam Preparation 442

Chapter 17 Deploying DMVPNs 447

“Do I Know This Already?” Quiz 447

Foundation Topics 451

Understanding the Cisco IOS Software DMVPN

Architecture 451

Building Blocks of DMVPNs 452

Hub-and-Spoke Versus On-Demand Fully Meshed VPNs 452

DMVPN Initial State 453

DMVPN Spoke-to-Spoke Tunnel Creation 453

DMVPN Benefits and Limitations 454

Plan the Deployment of a Cisco IOS Software DMVPN 455

Input Parameters 455

Deployment Tasks 455

Deployment Choices 456

General Deployment Guidelines 456

Configure and Verify Cisco IOS Software GRE Tunnels 456

GRE Features and Limitations 456

Point-to-Point Versus Point-to-Multipoint GRE Tunnels 457

Point-to-Point Tunnel Configuration Example 457

Configuration Tasks for a Hub-and-Spoke Network 459

Configuration Scenario 459

Task 1: Configure an mGRE Interface on the Hub 459

Task 2: Configure a GRE Interface on the Spoke 459

真实fy the State of GRE Tunnels 460

Configure and Verify a Cisco IOS Software NHRP Client and Server 461

(m)GRE and NHRP Integration 461

Configuration Tasks 461

Configuration Scenario 461

Task 1: Configure an NHRP Server 461

Task 2: Configure an NHRP Client 462

真实fy NHRP Mappings 462

Debugging NHRP 463

Configure and Verify a Cisco IOS Software DMVPN Hub 464

Configuration Tasks 464

Configuration Scenario 464

Task 1: (Optional) Configure an IKE Policy 464

Task 2: Generate and/or Configure Authentication Credentials 465

Task 3: Configure an IPsec Profile 465

Task 4: Create an mGRE Tunnel Interface 465

Task 5: Configure the NHRP Server 465

Task 6: Associate the IPsec Profile with the mGRE Interface 466

Task 7: Configure IP Parameters on the mGRE Interface 466

Cisco Configuration Professional Support 466

真实fy Spoke Registration 466

真实fy Registered Spoke Details 467

Implementation Guidelines 468

Feature Support 468

Configure and Verify a Cisco IOS Software DMVPN Spoke 468

Configuration Tasks 468

Configuration Scenario 469

Task 1: (Optional) Configure an IKE Policy 469

Task 2: Generate and/or Configure Authentication Credentials 469

任务3:配置一个IPsec配置469

Task 4: Create an mGRE Tunnel Interface 470

Task 5: Configure the NHRP Client 470

Task 6: Associate the IPsec Profile with the mGRE Interface 470

Task 7: Configure IP Parameters on the mGRE Interface 471

真实fy Tunnel State and Traffic Statistics 471

Configure and Verify Dynamic Routing in a Cisco IOS Software DMVPN 471

EIGRP Hub Configuration 472

OSPF Hub Configuration 473

Hub-and-Spoke Routing and IKE Peering on Spoke 473

Full Mesh Routing and IKE Peering on Spoke 474

Troubleshoot a Cisco IOS Software DMVPN 474

Troubleshooting Flow 475

Exam Preparation 476

Chapter 18 Deploying High Availability in Tunnel-Based IPsec VPNs 481

“Do I Know This Already?” Quiz 481

Foundation Topics 484

Plan the Deployment of Cisco IOS Software Site-to-Site IPsec VPN High-Availability Features 484

VPN Failure Modes 484

Partial Failure of the Transport Network 484

Partial or Total Failure of the Service Provider (SP) Transport

Network 485

Partial or Total Failure of a VPN Device 485

Deployment Guidelines 485

Use Routing Protocols for VPN Failover 486

Routing to VPN Tunnel Endpoints 486

Routing Protocol Inside the VPN Tunnel 486

Recursive Routing Hazard 487

Routing Protocol VPN Topologies 487

Routing Tuning for Path Selection 487

Routing Tuning for Faster Convergence 488

Choose the Most Optimal Method of Mitigating Failure in a VTI-Based VPN 488

Path Redundancy Using a Single-Transport Network 489

Path Redundancy Using Two Transport Networks 489

Path and Device Redundancy in Single-Transport Networks 489

Path and Device Redundancy with Multiple-Transport Networks 489

Choose the Most Optimal Method of Mitigating Failure in a DMVPN 490

Recommended Architecture 490

Shared IPsec SAs 490

Configuring a DMVPN with a Single-Transport Network 490

Configuring a DMVPN over Multiple-Transport Networks 493

Exam Preparation 495

Chapter 19 Deploying GET VPNs 499

“Do I Know This Already?” Quiz 499

Foundation Topics 502

Describe the Operation of a Cisco IOS Software GET VPN 502

Peer Authentication and Policy Provisioning 502

GET VPN Traffic Exchange 504

Packet Security Services 504

Key Management Architecture 505

Rekeying Methods 505

Traffic Encapsulation 507

Benefits and Limitations 507

Plan the Deployment of a Cisco IOS Software GET VPN 508

Input Parameters 508

Deployment Tasks 508

Deployment Choices 509

Deployment Guidelines 509

Configure and Verify a Cisco IOS Software GET VPN Key Server 509

Configuration Tasks 509

Configuration Choices 510

Configuration Scenario 510

Task 1: (Optional) Configure an IKE Policy 511

Task 2: Generate and/or Configure Authentication Credentials 511

Task 3: Generate RSA keys for Rekey Authentication 511

Task 4: Configure a Traffic Protection Policy on the Key Server 512

Task 5: Enable and Configure the GET VPN Key Server Function 512

Task 6: (Optional) Tune the Rekeying Policy 513

Task 7: Create and Apply the GET VPN Crypto Map 513

Cisco Configuration Professional Support 514

真实fy Basic Key Server Settings 514

真实fy the Rekey Policy 514

List All Registered Members 515

Implementation Guidelines 515

Configure and Verify Cisco IOS Software GET VPN Group Members 515

Configuration Tasks 516

Configuration Choices 516

Configuration Scenario 516

Task 1: Configure an IKE Policy 516

Task 2: Generate and/or Configure Authentication Credentials 517



Updates

Submit Errata

