CCNP ISCW Official Exam Certification Guide

Book Description

  • Master all 642-825 exam topics with the official study guide

  • Assess your knowledge with chapter-opening quizzes

  • Review key concepts with foundation summaries

  • Practice with hundreds of exam questions on the CD-ROM

    Brian Morgan, CCIE® No. 4865

    Neil Lovering, CCIE No. 1772

    CCNP ISCW Official Exam Certification Guide is a best-of-breed Cisco® exam study guide that focuses specifically on the objectives for the Implementing Secure Converged Wide Area Networks exam (642-825 ISCW). Successfully passing the ISCW 642-825 exam certifies that you have the knowledge and skills necessary to secure and expand the reach of an enterprise network to teleworkers and remote sites, with a focus on securing remote access and VPN client configuration.

    CCNP ISCW Official Exam Certification Guide follows a logical organization of the CCNP® ISCW exam objectives. Material is presented in a concise manner, focusing on increasing your retention and recall of exam topics. You can organize your exam preparation through the use of the consistent features in these chapters. “Do I Know This Already?” quizzes open each chapter and allow you to decide how much time you need to spend on each section. Exam topic lists and concise Foundation Summary information make referencing easy and give you a quick refresher whenever you need it. Challenging chapter-ending review questions help you assess your knowledge and reinforce key concepts.

    The companion CD-ROM contains a powerful testing engine that allows you to focus on individual topic areas or take complete, timed exams. The assessment engine also tracks your performance and provides feedback on a topic-by-topic basis, presenting question-by-question remediation to the text. Well regarded for its level of detail, assessment features, and challenging review questions and exercises, this book helps you master the concepts and techniques that can enable you to succeed on the exam the first time.

    Brian Morgan, CCIE® No. 4865, is a consulting systems engineer for Cisco, specializing in Unified Communications technologies. He services a number of Fortune 500 companies in architectural, design, and support roles. With more than 15 years in the networking industry, he served as director of engineering for a large telecommunications company, is a certified Cisco instructor teaching at all levels, from basic routing and switching to CCIE lab preparation, and spent a number of years with IBM Network Services serving many of IBM’s largest clients. He is a former member of the ATM Forum and a long-time member of the IEEE.

    Neil Lovering, CCIE No. 1772, works as a design consultant for Cisco. Neil has been with Cisco for more than three years and works on large-scale government networking solutions projects. Prior to Cisco, Neil was a network consultant and instructor for more than eight years and worked on various routing, switching, dialup, and security projects for many customers all over North America.

    This official study guide helps you master all the topics on the CCNP ISCW exam, including:

  • The Cisco hierarchical network model as it pertains to the WAN

  • Teleworker configuration and access with broadband technologies

  • Frame mode MPLS

  • IPsec VPN implementations

  • Cisco device hardening

  • Cisco IOS® Firewall features

  • Cisco IOS Intrusion Prevention System (IPS) features

    Companion CD-ROM

    The CD-ROM contains an electronic copy of the book and more than 200 practice questions for the ISCW exam, which are all available in study mode, test mode, and flash card format.

    This volume is part of the Exam Certification Guide Series from Cisco Press®. Books in this series provide officially developed exam preparation materials that offer assessment, review, and practice to help Cisco Career Certification candidates identify weaknesses, concentrate their study efforts, and enhance their confidence as exam day nears.

    Category: Cisco Certification

    Covers: CCNP ISCW Exam 642-825

    Table of Contents

    1. Copyright
      1. Dedications
    2. About the Authors
      1. Contributing Author
      2. About the Technical Reviewer
    3. Acknowledgments
    4. Icons Used in This Book
    5. Command Syntax Conventions
    6. Foreword
    7. Introduction
      1. Goals and Methods
      2. Who Should Read This Book?
      3. Strategies for Exam Preparation
      4. Pedagogical Approach
      5. How This Book Can Help You Pass the CCNP ISCW Exam
      6. How to Use This Book to Pass the Exam
        1. You Have Passed Other CCNP Exams and Are Preparing for the ISCW Exam
          1. Scenario 1: You Have Taken the ISCW Course
          2. Scenario 2: You Have Not Taken the ISCW Course
        2. You Have Passed the CCNA and Are Preparing for the ISCW Exam
          1. Scenario 1: You Have Taken the ISCW Course
          2. Scenario 2: You Have Not Taken the ISCW Course
        3. You Have Experience and Want to Skip the Classroom Experience and Take the ISCW Exam
          1. Scenario 1: You Have CCNA Certification
          2. Scenario 2: You Do Not Have a CCNA Certification
      7. One Final Word of Advice
    8. I. Remote Connectivity Best Practices
      1. 1. Describing Network Requirements
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Describing Network Requirements
          2. Intelligent Information Network
          3. SONA
            1. Networked Infrastructure Layer
            2. Interactive Services Layer
            3. Application Layer
          4. Cisco Network Models
            1. Cisco Hierarchical Network Model
            2. Campus Network Architecture
            3. Branch Network Architecture
            4. Data Center Architecture
            5. Enterprise Edge Architecture
            6. Teleworker Architecture
            7. WAN/MAN Architecture
          5. Remote Connection Requirements in a Converged Network
            1. Central Site
            2. Branch Office
            3. SOHO Site
            4. Integrated Services for Secure Remote Access
        3. Foundation Summary
        4. Q&A
      2. 2. Topologies for Teleworker Connectivity
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Facilitating Remote Connections
            1. IIN and the Teleworker
            2. Enterprise Architecture Framework
            3. Remote Connection Options
              1. Traditional Layer 2 Connections
              2. Service Provider MPLS VPN
              3. Site-to-Site VPN over Public Internet
          2. Challenges of Connecting Teleworkers
            1. Infrastructure Options
            2. Infrastructure Services
            3. Teleworker Components
            4. Traditional Teleworker versus Business-Ready Teleworker
        3. Foundation Summary
        4. Q&A
      3. 3. Using Cable to Connect to a Central Site
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Cable Access Technologies
            1. Cable Technology Terminology
            2. Cable System Standards
            3. Cable System Components
            4. Cable Features
            5. Cable System Benefits
          2. Radio Frequency Signals
            1. Digital Signals over RF Channels
          3. Data over Cable
            1. Hybrid Fiber-Coaxial Networks
            2. Data Transmission
          4. Cable Technology Issues
          5. Provisioning Cable Modems
        3. Foundation Summary
        4. Q&A
      4. 4. Using DSL to Connect to a Central Site
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. DSL Features
            1. POTS Coexistence
          2. DSL Limitations
          3. DSL Variants
            1. Asymmetric DSL Types
            2. Symmetric DSL Types
          4. ADSL Basics
          5. ADSL Modulation
            1. CAP
            2. DMT
          6. Data Transmission over ADSL
            1. RFC 1483/2684 Bridging
            2. PPP Background
          7. PPP over Ethernet
            1. Discovery Phase
            2. PPP Session Phase
              1. PPPoE Session Variables
            3. Optimizing PPPoE MTU
          8. PPP over ATM
        3. Foundation Summary
        4. Q&A
      5. 5. Configuring DSL Access with PPPoE
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Configure a Cisco Router as a PPPoE Client
          2. Configure an Ethernet/ATM Interface for PPPoE
          3. Configure the PPPoE DSL Dialer Interface
          4. Configure Port Address Translation
          5. Configure DHCP for DSL Router Users
          6. Configure Static Default Route on a DSL Router
          7. The Overall CPE Router Configuration
        3. Foundation Summary
        4. Q&A
      6. 6. Configuring DSL Access with PPPoA
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Configure a Cisco Router as a PPPoA Client
            1. PPP over AAL5 Connections
              1. VCMultiplexed PPP over AAL5
              2. LLC Encapsulated PPP over AAL5
              3. Cisco PPPoA
          2. Configure an ATM Interface for PPPoA
          3. Configure the PPPoA DSL Dialer and Virtual-Template Interfaces
          4. Configure Additional PPPoA Elements
          5. The Overall CPE Router Configuration
        3. Foundation Summary
        4. Q&A
      7. 7. Verifying and Troubleshooting ADSL Configurations
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. DSL Connection Troubleshooting
            1. Layers of Trouble to Shoot
          2. Isolating Physical Layer Issues
            1. Layer 1 Anatomy
            2. ADSL Physical Connectivity
            3. Where to Begin
            4. Playing with Colors
            5. Tangled Wires
            6. Keeping the Head on Straight
            7. DSL Operating Mode
          3. Isolating Data Link Layer Issues
            1. PPP Negotiation
        3. Foundation Summary
        4. Q&A
    9. II. Implementing Frame Mode MPLS
      1. 8. The MPLS Conceptual Model
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Introducing MPLS Networks
            1. Traditional WAN Connections
            2. MPLS WAN Connectivity
              1. MPLS Terminology
              2. MPLS Features
              3. MPLS Concepts
          2. Router Switching Mechanisms
            1. Standard IP Switching
            2. CEF Switching
        3. Foundation Summary
        4. Q&A
      2. 9. MPLS Architecture
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. MPLS Components
          2. MPLS Labels
            1. Label Stacks
            2. Frame Mode MPLS
          3. Label Switching Routers
          4. Label Allocation in Frame Mode MPLS Networks
            1. LIB, LFIB, and FIB
          5. Label Distribution
            1. Packet Propagation
            2. Interim Packet Propagation
            3. Further Label Allocation
        3. Foundation Summary
        4. Q&A
      3. 10. Configuring Frame Mode MPLS
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Configuring CEF
          2. Configuring MPLS on a Frame Mode Interface
          3. Configuring MTU Size
        3. Foundation Summary
        4. Q&A
      4. 11. MPLS VPN Technologies
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. MPLS VPN Architecture
          2. Traditional VPNs
            1. Layer 1 Overlay
            2. Layer 2 Overlay
            3. Layer 3 Overlay
          3. Peer-to-Peer VPNs
            1. VPN Benefits
            2. VPN Drawbacks
          4. MPLS VPNs
            1. MPLS VPN Terminology
            2. CE Router Architecture
            3. PE Router Architecture
            4. P Router Architecture
            5. Route Distinguishers
            6. Route Targets
            7. End-to-End Routing Update Flow
            8. MPLS VPN Packet Forwarding
            9. MPLS VPN PHP
        3. Foundation Summary
        4. Q&A
    10. III. IPsec VPNs
      1. 12. IPsec Overview
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. IPsec
            1. IPsec Features
            2. IPsec Protocols
              1. IKE
              2. ESP
              3. AH
            3. IPsec Modes
            4. IPsec Headers
            5. Peer Authentication
          2. Internet Key Exchange (IKE)
            1. IKE Protocols
            2. IKE Phases
            3. IKE Modes
              1. IKE Main Mode
              2. IKE Aggressive Mode
              3. IKE Quick Mode
            4. Other IKE Functions
          3. Encryption Algorithms
            1. Symmetric Encryption
            2. Asymmetric Encryption
          4. Public Key Infrastructure
        3. Foundation Summary
        4. Q&A
      2. 13. Site-to-Site VPN Operations
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Site-to-Site VPN Overview
          2. Creating a Site-to-Site IPsec VPN
            1. Step 1: Specify Interesting Traffic
            2. Step 2: IKE Phase 1
              1. IKE Transform Sets
              2. Diffie-Hellman Key Exchange
              3. Peer Authentication
            3. Step 3: IKE Phase 2
              1. IPsec Transform Sets
              2. Security Associations
              3. SA Lifetime
            4. Step 4: Secure Data Transfer
            5. Step 5: IPsec Tunnel Termination
          3. Site-to-Site IPsec Configuration Steps
            1. Step 1: Configure the ISAKMP Policy
            2. Step 2: Configure the IPsec Transform Sets
            3. Step 3: Configure the Crypto ACL
            4. Step 4: Configure the Crypto Map
            5. Step 5: Apply the Crypto Map to the Interface
            6. Step 6: Configure the Interface ACL
          4. Security Device Manager Features and Interface
          5. Configuring a Site-to-Site VPN in SDM
            1. Site-to-Site VPN Wizard
              1. Quick Setup
              2. Step-by-Step Setup
                1. Define Connection Settings
                2. Define IKE Proposals
                3. Define IPsec Transform Sets
                4. Define the Traffic to Protect
                  1. Protect a Single IP Address or Subnet
                  2. Protect Multiple Subnets Using ACLs
                5. Complete the Configuration
            2. Testing the IPsec VPN Tunnel
          6. Monitoring the IPsec VPN Tunnel
        3. Foundation Summary
        4. Q&A
      3. 14. GRE Tunneling over IPsec
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. GRE Characteristics
          2. GRE Header
          3. Basic GRE Configuration
          4. Secure GRE Tunnels
          5. Configure GRE over IPsec Using SDM
            1. Launch the GRE over IPsec Wizard
            2. Step 1: Create the GRE Tunnel
            3. Step 2: Create a Backup GRE Tunnel
            4. Steps 3–5: IPsec VPN Information
            5. Step 6: Routing Information
              1. Static Routes
              2. RIP
              3. OSPF
              4. EIGRP
            6. Step 7: Validate the GRE over IPsec Configuration
        3. Foundation Summary
        4. Q&A
      4. 15. IPsec High Availability Options
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Sources of Failures
          2. Failure Mitigation
          3. Failover Strategies
            1. IPsec Stateless Failover
              1. Dead Peer Detection
              2. IGP Within a GRE over IPsec Tunnel
              3. HSRP
            2. IPsec Stateful Failover
          4. WAN Backed Up by an IPsec VPN
        3. Foundation Summary
        4. Q&A
      5. 16. Configuring Cisco Easy VPN
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Cisco Easy VPN Components
            1. Easy VPN Remote
            2. Easy VPN Server Requirements
          2. Easy VPN Connection Establishment
            1. IKE Phase 1
            2. Establishing an ISAKMP SA
            3. SA Proposal Acceptance
            4. Easy VPN User Authentication
            5. Mode Configuration
            6. Reverse Route Injection
            7. IPsec Quick Mode
          3. Easy VPN Server Configuration
            1. User Configuration
            2. Easy VPN Server Wizard
          4. Monitoring the Easy VPN Server
          5. Troubleshooting the Easy VPN Server
        3. Foundation Summary
        4. Q&A
      6. 17. Implementing the Cisco VPN Client
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Cisco VPN Client Installation and Configuration Overview
          2. Cisco VPN Client Installation
          3. Cisco VPN Client Configuration
            1. Connection Entries
            2. Authentication Tab
            3. Transport Tab
            4. Backup Servers Tab
            5. Dial-Up Tab
            6. Finish the Connection Configuration
        3. Foundation Summary
        4. Q&A
    11. IV. Device Hardening
      1. 18. Cisco Device Hardening
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Router Vulnerability
            1. Vulnerable Router Services
            2. Unnecessary Services and Interfaces
            3. Common Management Services
            4. Path Integrity Mechanisms
            5. Probes and Scans
            6. Terminal Access Security
            7. Gratuitous and Proxy ARP
          2. Using AutoSecure to Secure a Router
          3. Using SDM to Secure a Router
            1. SDM Security Audit Wizard
            2. SDM One-Step Lockdown Wizard
            3. AutoSecure Default Configurations
            4. SDM One-Step Lockdown Default Configurations
        3. Foundation Summary
        4. Q&A
      2. 19. Securing Administrative Access
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Router Access
          2. Password Considerations
          3. Set Login Limitations
          4. Setup Mode
          5. CLI Passwords
          6. Additional Line Protections
          7. Password Length Restrictions
          8. Password Encryption
          9. Create Banners
          10. Provide Individual Logins
          11. Create Multiple Privilege Levels
          12. Role-Based CLI
          13. Prevent Physical Router Compromise
        3. Foundation Summary
        4. Q&A
      3. 20. Using AAA to Scale Access Control
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. AAA Components
          2. AAA Access Modes
          3. Understanding the TACACS+ and RADIUS Protocols
            1. UDP Versus TCP
            2. Packet Encryption
            3. Authentication and Authorization
            4. Multiprotocol Support
            5. Router Management
            6. Interoperability
          4. Configuring AAA Using the CLI
            1. RADIUS Configuration
            2. TACACS+ Configuration
            3. AAA-Related Commands
              1. aaa new-model Command
              2. radius-server host Command
              3. tacacs-server host Command
              4. radius-server key and tacacs-server key Commands
              5. username root password Command
              6. aaa authentication ppp Command
              7. aaa authorization Command
              8. aaa accounting Command
          5. Configuring AAA Using SDM
          6. Using Debugging for AAA
            1. debug aaa authentication Command
            2. debug aaa authorization Command
            3. debug aaa accounting Command
            4. debug radius Command
            5. debug tacacs Command
        3. Foundation Summary
        4. Q&A
      4. 21. Cisco IOS Threat Defense Features
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Layered Device Structure
          2. Firewall Technology Basics
            1. Packet Filtering
            2. Application Layer Gateway
            3. Stateful Packet Filtering
          3. Cisco IOS Firewall Feature Set
            1. Cisco IOS Firewall
            2. Authentication Proxy
            3. Cisco IOS IPS
          4. Cisco IOS Firewall Operation
          5. Cisco IOS Firewall Packet Inspection and Proxy Firewalls
        3. Foundation Summary
        4. Q&A
      5. 22. Implementing Cisco IOS Firewalls
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Configure a Cisco IOS Firewall Using the CLI
            1. Step 1: Choose an Interface and Packet Direction to Inspect
            2. Step 2: Configure an IP ACL for the Interface
            3. Step 3: Define the Inspection Rules
            4. Step 4: Apply the Inspection Rules and the ACL to the Interface
            5. Step 5: Verify the Configuration
          2. Configure a Basic Firewall Using SDM
          3. Configure an Advanced Firewall Using SDM
        3. Foundation Summary
        4. Q&A
      6. 23. Implementing Cisco IDS and IPS
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. IDS and IPS Functions and Operations
          2. Categories of IDS and IPS
          3. IDS and IPS Signatures
          4. Signature Reaction
          5. Cisco IOS IPS Configuration
          6. SDM Configuration
        3. Foundation Summary
        4. Q&A
    12. A. Answers to the “Do I Know This Already?” Quizzes and Q&A Sections
      1. Chapter 1
        1. “Do I Know This Already?”
        2. Q&A
      2. Chapter 2
        1. “Do I Know This Already?”
        2. Q&A
      3. Chapter 3
        1. “Do I Know This Already?”
        2. Q&A
      4. Chapter 4
        1. “Do I Know This Already?”
        2. Q&A
      5. Chapter 5
        1. “Do I Know This Already?”
        2. Q&A
      6. Chapter 6
        1. “Do I Know This Already?”
        2. Q&A
      7. Chapter 7
        1. “Do I Know This Already?”
        2. Q&A
      8. Chapter 8
        1. “Do I Know This Already?”
        2. Q&A
      9. Chapter 9
        1. “Do I Know This Already?”
        2. Q&A
      10. Chapter 10
        1. “Do I Know This Already?”
        2. Q&A
      11. Chapter 11
        1. “Do I Know This Already?”
        2. Q&A
      12. Chapter 12
        1. “Do I Know This Already?”
        2. Q&A
      13. Chapter 13
        1. “Do I Know This Already?”
        2. Q&A
      14. Chapter 14
        1. “Do I Know This Already?”
        2. Q&A
      15. Chapter 15
        1. “Do I Know This Already?”
        2. Q&A
      16. Chapter 16
        1. “Do I Know This Already?”
        2. Q&A
      17. Chapter 17
        1. “Do I Know This Already?”
        2. Q&A
      18. Chapter 18
        1. “Do I Know This Already?”
        2. Q&A
      19. Chapter 19
        1. “Do I Know This Already?”
        2. Q&A
      20. Chapter 20
        1. “Do I Know This Already?”
        2. Q&A
      21. Chapter 21
        1. “Do I Know This Already?”
        2. Q&A
      22. Chapter 22
        1. “Do I Know This Already?”
        2. Q&A
      23. Chapter 23
        1. “Do I Know This Already?”
        2. Q&A