CCNP Security SECURE 642-637 : Official Cert Guide (Official Cert Guide) (1 HAR/CDR)

  • Binding: Hardcover / Pages: 637 p.
  • Language: ENG
  • Product code: 9781587142802
  • DDC classification: 005.8076

Full Description


Trust the best selling Official Cert Guide series from Cisco Press to help you learn, prepare, and practice for exam success. They are built with the objective of providing assessment, review, and practice to help ensure you are fully prepared for your certification exam.

CCNP Security SECURE 642-637 Official Cert Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. "Do I Know This Already?" quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.

  • Master CCNP Security SECURE 642-637 exam topics
  • Assess your knowledge with chapter-opening quizzes
  • Review key concepts with exam preparation tasks
  • Practice with realistic exam questions on the CD-ROM

CCNP Security SECURE 642-637 Official Cert Guide focuses specifically on the objectives for the CCNP Security SECURE exam. Senior networking consultants Sean Wilkins and Trey Smith share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

The companion CD-ROM contains a powerful Pearson IT Certification Practice Test engine that enables you to focus on individual topic areas or take a complete, timed exam. The assessment engine also tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most.

Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.

The official study guide helps you master all the topics on the CCNP Security SECURE exam, including:

  • Network security threats and foundation protection
  • Switched data plane security
  • 802.1X and identity-based networking services
  • Cisco IOS routed data plane security
  • Cisco IOS control plane security
  • Cisco IOS management plane security
  • NAT
  • Zone-based firewalls
  • IOS intrusion prevention system
  • Cisco IOS site-to-site security solutions
  • IPsec VPNs, dynamic multipoint VPNs, and GET VPNs
  • SSL VPNs and EZVPN

CCNP Security SECURE 642-637 Official Cert Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.

The print edition of the CCNP Security SECURE 642-637 Official Cert Guide contains a free, complete practice exam.

Pearson IT Certification Practice Test minimum system requirements: Windows XP (SP3), Windows Vista (SP2), or Windows 7; Microsoft .NET Framework 4.0 Client; Microsoft SQL Server Compact 4.0; Pentium class 1GHz processor (or equivalent); 512 MB RAM; 650 MB disc space plus 50 MB for each downloaded practice exam

Also available from Cisco Press for Cisco CCNP Security study is the CCNP Security SECURE 642-637 Official Cert Guide Premium Edition eBook and Practice Test. This digital-only certification preparation product combines an eBook with enhanced Pearson IT Certification Practice Test.

This integrated learning package:

  • Allows you to focus on individual topic areas or take complete, timed exams
  • Includes direct links from each question to detailed tutorials to help you understand the concepts behind the questions
  • Provides unique sets of exam-realistic practice questions
  • Tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most

Contents

Introduction

Part I Network Security Technologies Overview

Chapter 1 Network Security Fundamentals
"Do I Know This Already?" Quiz; Foundation Topics; Defining Network Security; Building Secure Networks; Cisco SAFE; SCF Basics; SAFE/SCF Architecture Principles; SAFE/SCF Network Foundation Protection (NFP); SAFE/SCF Design Blueprints; SAFE Usage; Exam Preparation

Chapter 2 Network Security Threats
"Do I Know This Already?" Quiz; Foundation Topics; Vulnerabilities; Self-Imposed Network Vulnerabilities; Intruder Motivations; Lack of Understanding of Computers or Networks; Intruding for Curiosity; Intruding for Fun and Pride; Intruding for Revenge; Intruding for Profit; Intruding for Political Purposes; Types of Network Attacks; Reconnaissance Attacks; Access Attacks; DoS Attacks; Exam Preparation

Chapter 3 Network Foundation Protection (NFP) Overview
"Do I Know This Already?" Quiz; Foundation Topics; Overview of Device Functionality Planes; Control Plane; Data Plane; Management Plane; Identifying Network Foundation Protection Deployment Models; Identifying Network Foundation Protection Feature Availability; Cisco Catalyst Switches; Cisco Integrated Services Routers (ISR); Cisco Supporting Management Components; Exam Preparation

Part II Cisco IOS Foundation Security Solutions

Chapter 4 Configuring and Implementing Switched Data Plane Security Solutions
"Do I Know This Already?" Quiz; Foundation Topics; Switched Data Plane Attack Types; VLAN Hopping Attacks; CAM Flooding Attacks; MAC Address Spoofing; Spanning Tree Protocol (STP) Spoofing Attacks; DHCP Starvation Attacks; DHCP Server Spoofing; ARP Spoofing; Switched Data Plane Security Technologies; Port Configuration; Port Security; Root Guard, BPDU Guard, and PortFast; DHCP Snooping; Dynamic ARP Inspection (DAI); IP Source Guard; Private VLANs (PVLAN); Exam Preparation

Chapter 5 802.1X and Cisco Identity-Based Networking Services (IBNS)
"Do I Know This Already?" Quiz; Foundation Topics; Identity-Based Networking Services (IBNS) and IEEE 802.1x Overview; IBNS and 802.1x Enhancements and Features; 802.1x Components; 802.1x Interworking; Extensible Authentication Protocol (EAP); EAP over LAN (EAPOL); EAP Message Exchange; Port States; Port Authentication Host Modes; EAP Type Selection; EAP-Message Digest Algorithm 5; Protected EAP w/MS-CHAPv2; Cisco Lightweight EAP; EAP-Transport Layer Security; EAP-Tunneled Transport Layer Security; EAP-Flexible Authentication via Secure Tunneling; Exam Preparation

Chapter 6 Implementing and Configuring Basic 802.1X
"Do I Know This Already?" Quiz; Foundation Topics; Plan Basic 802.1X Deployment on Cisco Catalyst IOS Software; Gathering Input Parameters; Deployment Tasks; Deployment Choices; General Deployment Guidelines; Configure and Verify Cisco Catalyst IOS Software 802.1X Authenticator; Configuration Choices; Configuration Scenario; Verify Basic 802.1X Functionality; Configure and Verify Cisco ACS for EAP-FAST; Configuration Choices; Configuration Scenario; Configure the Cisco Secure Services Client 802.1X Supplicant; Task 1: Create the CSSC Configuration Profile; Task 2: Create a Wired Network Profile; Tasks 3 and 4: (Optional) Tune 802.1X Timers and Authentication Mode; Task 5: Configure the Inner and Outer EAP Mode for the Connection; Task 6: Choose the Login Credentials to Be Used for Authentication; Task 7: Create the CSSC Installation Package; Network Login; Verify and Troubleshoot 802.1X Operations; Troubleshooting Flow; Successful Authentication; Verify Connection Status; Verify Authentication on AAA Server; Verify Guest/Restricted VLAN Assignment; 802.1X Readiness Check; Unresponsive Supplicant; Failed Authentication: RADIUS Configuration Issues; Failed Authentication: Bad Credentials; Exam Preparation

Chapter 7 Implementing and Configuring Advanced 802.1X
"Do I Know This Already?" Quiz; Foundation Topics; Plan the Deployment of Cisco Advanced 802.1X Authentication Features; Gathering Input Parameters; Deployment Tasks; Deployment Choices; Configure and Verify EAP-TLS Authentication on Cisco IOS Components and Cisco Secure ACS; EAP-TLS with 802.1X Configuration Tasks; Configuration Scenario; Configuration Choices; Task 1: Configure RADIUS Server; Task 2: Install Identity and Certificate Authority Certificates on All Clients; Task 3: Configure an Identity Certificate on the Cisco Secure ACS Server; Task 4: Configure Support of EAP-TLS on the Cisco Secure ACS Server; Task 5: (Optional) Configure EAP-TLS Support Using the Microsoft Windows Native Supplicant; Task 6: (Optional) Configure EAP-TLS Support Using the Cisco Secure Services Client (CSSC) Supplicant; Implementation Guidelines; Feature Support; Verifying EAP-TLS Configuration; Deploying User and Machine Authentication; Configuring User and Machine Authentication Tasks; Configuration Scenario; Task 1: Install Identity and Certificate Authority Certificates on All Clients; Task 2: Configure Support of EAP-TLS on Cisco Secure ACS Server; Task 3: Configure Support of Machine Authentication on Cisco Secure ACS Server; Task 4: Configure Support of Machine Authentication on Microsoft Windows Native 802.1X Supplicant; Task 5: (Optional) Configure Machine Authentication Support Using the Cisco Secure Services Client (CSSC) Supplicant; Task 6: (Optional) Configure Additional User Support Using the Cisco Secure Services Client (CSSC) Supplicant; Implementation Guidelines; Feature Support; Deploying VLAN and ACL Assignment; Deploying VLAN and ACL Assignment Tasks; Configuration Scenario; Configuration Choices; Task 1: Configure Cisco IOS Software 802.1X Authenticator Authorization; Task 2: (Optional) Configure VLAN Assignment on Cisco Secure ACS; Task 3: (Optional) Configure and Prepare for ACL Assignment on Cisco IOS Software Switch; Task 4: (Optional) Configure ACL Assignment on Cisco Secure ACS Server; Verification of VLAN and ACL Assignment with Cisco IOS Software CLI; Verification of VLAN and ACL Assignment on Cisco Secure ACS; Configure and Verify Cisco Secure ACS MAC Address Exception Policies; Cisco Catalyst IOS Software MAC Authentication Bypass (MAB); Configuration Tasks; Configuration Scenario; Tasks 1 and 2: Configure MAC Authentication Bypass on the Switch and ACS; Verification of Configuration; Implementation Guidelines; Configure and Verify Web Authentication on Cisco IOS Software LAN Switches and Cisco Secure ACS; Configuration Tasks; Configuration Scenario; Task 1: Configure Web Authentication on the Switch; Task 2: Configure Web Authentication on the Cisco Secure ACS Server; Web Authentication Verification; User Experience; Choose a Method to Support Multiple Hosts on a Single Port; Multiple Hosts Support Guidelines; Configuring Support of Multiple Hosts on a Single Port; Configuring Fail-Open Policies; Configuring Critical Ports; Configuring Open Authentication; Resolve 802.1X Compatibility Issues; Wake-on-LAN (WOL); Non-802.1X IP Phones; Preboot Execution Environment (PXE); Exam Preparation

Chapter 8 Implementing and Configuring Cisco IOS Routed Data Plane Security
"Do I Know This Already?" Quiz; Foundation Topics; Routed Data Plane Attack Types; IP Spoofing; Slow-Path Denial of Service; Traffic Flooding; Routed Data Plane Security Technologies; Access Control Lists (ACL); Flexible Packet Matching; Flexible NetFlow; Unicast Reverse Path Forwarding (Unicast RPF); Exam Preparation

Chapter 9 Implementing and Configuring Cisco IOS Control Plane Security
"Do I Know This Already?" Quiz; Foundation Topics; Control Plane Attack Types; Slow-Path Denial of Service; Routing Protocol Spoofing; Control Plane Security Technologies; Control Plane Policing (CoPP); Control Plane Protection (CPPr); Routing Protocol Authentication; Exam Preparation

Chapter 10 Implementing and Configuring Cisco IOS Management Plane Security
"Do I Know This Already?" Quiz; Foundation Topics; Management Plane Attack Types; Management Plane Security Technologies; Basic Management Security and Privileges; SSH; SNMP; CPU and Memory Thresholding; Management Plane Protection; AutoSecure; Digitally Signed Cisco Software; Exam Preparation

Part III Cisco IOS Threat Detection and Control

Chapter 11 Implementing and Configuring Network Address Translation (NAT)
"Do I Know This Already?" Quiz; Foundation Topics; Network Address Translation; Static NAT Example; Dynamic NAT Example; PAT Example; NAT Configuration; Overlapping NAT; Exam Preparation

Chapter 12 Implementing and Configuring Zone-Based Policy Firewalls
"Do I Know This Already?" Quiz; Foundation Topics; Zone-Based Policy Firewall Overview; Zones/Security Zones; Zone Pairs; Transparent Firewalls; Zone-Based Layer 3/4 Policy Firewall Configuration; Class Map Configuration; Parameter Map Configurations; Policy Map Configuration; Zone Configuration; Zone Pair Configuration; Port to Application Mapping (PAM) Configuration; Zone-Based Layer 7 Policy Firewall Configuration; URL Filter; HTTP Inspection; Exam Preparation

Chapter 13 Implementing and Configuring IOS Intrusion Prevention System (IPS)
"Do I Know This Already?" Quiz; Foundation Topics; Configuration Choices, Basic Procedures, and Required Input Parameters; Intrusion Detection and Prevention with Signatures; Sensor Accuracy; Choosing a Cisco IOS IPS Sensor Platform; Software-Based Sensor; Hardware-Based Sensor; Deployment Tasks; Deployment Guidelines; Deploying Cisco IOS Software IPS Signature Policies; Configuration Tasks; Configuration Scenario; Verification; Guidelines; Tuning Cisco IOS Software IPS Signatures; Event Risk Rating System Overview; Event Risk Rating Calculation; Event Risk Rating Example; Signature Event Action Overrides (SEAO); Signature Event Action Filters (SEAF); Configuration Tasks; Configuration Scenario; Verification; Implementation Guidelines; Deploying Cisco IOS Software IPS Signature Updates; Configuration Tasks; Configuration Scenario; Task 1: Install Signature Update License; Task 2: Configure Automatic Signature Updates; Verification; Monitoring Cisco IOS Software IPS Events; Cisco IOS Software IPS Event Generation; Cisco IME Features; Cisco IME Minimum System Requirements; Configuration Tasks; Configuration Scenario; Task 2: Add the Cisco IOS Software IPS Sensor to Cisco IME; Verification; Verification: Local Events; Verification: IME Events; Cisco IOS Software IPS Sensor; Troubleshooting Resource Use; Additional Debug Commands; Exam Preparation

Part IV Managing and Implementing Cisco IOS Site-to-Site Security Solutions

Chapter 14 Introduction to Cisco IOS Site-to-Site Security Solutions
"Do I Know This Already?" Quiz; Foundation Topics; Choose an Appropriate VPN LAN Topology; Input Parameters for Choosing the Best VPN LAN Topology; General Deployment Guidelines for Choosing the Best VPN LAN Topology; Choose an Appropriate VPN WAN Technology; Input Parameters for Choosing the Best VPN WAN Technology; General Deployment Guidelines for Choosing the Best VPN WAN Technology; Core Features of IPsec VPN Technology; IPsec Security Associations; Internet Key Exchange (IKE); IPsec Phases; IKE Main and Aggressive Mode; Encapsulating Security Payload; Choose Appropriate VPN Cryptographic Controls; IPsec Security Associations; Algorithm Choices; General Deployment Guidelines for Choosing Cryptographic Controls for a Site-to-Site VPN Implementation; Design and Implementation Resources; Exam Preparation

Chapter 15 Deploying VTI-Based Site-to-Site IPsec VPNs
"Do I Know This Already?" Quiz; Foundation Topics; Plan a Cisco IOS Software VTI-Based Site-to-Site VPN; Virtual Tunnel Interfaces; Input Parameters; Deployment Tasks; Deployment Choices; General Deployment Guidelines; Configuring Basic IKE Peering; Cisco IOS Software Default IKE PSK-Based Policies; Configuration Tasks; Configuration Choices; Configuration Scenario; Task 1: (Optional) Configure an IKE Policy on Each Peer; Tasks 2 and 3: Generate and Configure Authentication Credentials on Each Peer; Verify Local IKE Sessions; Verify Local IKE Policies; Verify a Successful Phase 1 Exchange; Implementation Guidelines; Troubleshooting IKE Peering; Troubleshooting Flow; Configuring Static Point-to-Point IPsec VTI Tunnels; Default Cisco IOS Software IPsec Transform Sets; Configuration Tasks; Configuration Choices; Configuration Scenario; Task 1: (Optional) Configure an IKE Policy on Each Peer; Task 2: (Optional) Configure an IPsec Transform Set; Task 3: Configure an IPsec Protection Profile; Task 4: Configure a Virtual Tunnel Interface (VTI); Task 5: Apply the Protection Profile to the Tunnel Interface; Task 6: Configure Routing into the VTI Tunnel; Implementation Guidelines; Verify Tunnel Status and Traffic; Troubleshooting Flow; Configure Dynamic Point-to-Point IPsec VTI Tunnels; Virtual Templates and Virtual Access Interfaces; ISAKMP Profiles; Configuration Tasks; Configuration Scenario; Task 1: Configure IKE Peering; Task 2: (Optional) Configure an IPsec Transform Set; Task 3: Configure an IPsec Protection Profile; Task 4: Configure a Virtual Template Interface; Task 5: Map Remote Peer to a Virtual Template Interface; Verify Tunnel Status on the Hub; Implementation Guidelines; Exam Preparation

Chapter 16 Deploying Scalable Authentication in Site-to-Site IPsec VPNs
"Do I Know This Already?" Quiz; Foundation Topics; Describe the Concept of a Public Key Infrastructure; Manual Key Exchange with Verification; Trusted Introducing; Public Key Infrastructure: Certificate Authorities; X.509 Identity Certificate; Certificate Revocation Checking; Using Certificates in Network Applications; Deployment Choices; Deployment Steps; Input Parameters; Deployment Guidelines; Configure, Verify, and Troubleshoot a Basic Cisco IOS Software Certificate Server; Configuration Tasks for a Root Certificate Server; Configuration Scenario; Task 1: Create an RSA Key Pair; Task 2: Create a PKI Trustpoint; Tasks 3 and 4: Create the CS and Configure the Database Location; Task 5: Configure an Issuing Policy; Task 6: Configure the Revocation Policy; Task 7: Configure the SCEP Interface; Task 8: Enable the Certificate Server; Cisco Configuration Professional Support; Verify the Cisco IOS Software Certificate Server; Feature Support; Implementation Guidelines; Troubleshooting Flow; PKI and Time: Additional Guidelines; Enroll a Cisco IOS Software VPN Router into a PKI and Troubleshoot the Enrollment Process; PKI Client Features; Simple Certificate Enrollment Protocol; Key Storage; Configuration Tasks; Configuration Scenario; Task 1: Create an RSA Key Pair; Task 2: Create an RSA Key Pair; Task 3: Authenticate the PKI Certificate Authority; Task 4: Create an Enrollment Request on the VPN Router; Task 5: Issue the Client Certificate on the CA Server; Certificate Revocation on the Cisco IOS Software Certificate Server; Cisco Configuration Professional Support; Verify the CA and Identity Certificates; Feature Support; Implementation Guidelines; Troubleshooting Flow; Configure and Verify the Integration of a Cisco IOS Software VPN Router with Supporting PKI Entities; IKE Peer Authentication; IKE Peer Certificate Authorization; Configuration Tasks; Configuration Scenario; Task 1: Configure an IKE Policy; Task 2: Configure an ISAKMP Profile; Task 3: Configure Certificate-Based Authorization of Remote Peers; Verify IKE SA Establishment; Feature Support; Implementation Guidelines; Troubleshooting Flow; Configuring Advanced PKI Integration; Configuring CRL Handling on PKI Clients; Using OCSP or AAA on PKI Clients; Exam Preparation

Chapter 17 Deploying DMVPNs
"Do I Know This Already?" Quiz; Foundation Topics; Understanding the Cisco IOS Software DMVPN Architecture; Building Blocks of DMVPNs; Hub-and-Spoke Versus On-Demand Fully Meshed VPNs; DMVPN Initial State; DMVPN Spoke-to-Spoke Tunnel Creation; DMVPN Benefits and Limitations; Plan the Deployment of a Cisco IOS Software DMVPN; Input Parameters; Deployment Tasks; Deployment Choices; General Deployment Guidelines; Configure and Verify Cisco IOS Software GRE Tunnels; GRE Features and Limitations; Point-to-Point Versus Point-to-Multipoint GRE Tunnels; Point-to-Point Tunnel Configuration Example; Configuration Tasks for a Hub-and-Spoke Network; Configuration Scenario; Task 1: Configure an mGRE Interface on the Hub; Task 2: Configure a GRE Interface on the Spoke; Verify the State of GRE Tunnels; Configure and Verify a Cisco IOS Software NHRP Client and Server; (m)GRE and NHRP Integration; Configuration Tasks; Configuration Scenario; Task 1: Configure an NHRP Server; Task 2: Configure an NHRP Client; Verify NHRP Mappings; Debugging NHRP; Configure and Verify a Cisco IOS Software DMVPN Hub; Configuration Tasks; Configuration Scenario; Task 1: (Optional) Configure an IKE Policy; Task 2: Generate and/or Configure Authentication Credentials; Task 3: Configure an IPsec Profile; Task 4: Create an mGRE Tunnel Interface; Task 5: Configure the NHRP Server; Task 6: Associate the IPsec Profile with the mGRE Interface; Task 7: Configure IP Parameters on the mGRE Interface; Cisco Configuration Professional Support; Verify Spoke Registration; Verify Registered Spoke Details; Implementation Guidelines; Feature Support; Configure and Verify a Cisco IOS Software DMVPN Spoke; Configuration Tasks; Configuration Scenario; Task 1: (Optional) Configure an IKE Policy; Task 2: Generate and/or Configure Authentication Credentials; Task 3: Configure an IPsec Profile; Task 4: Create an mGRE Tunnel Interface; Task 5: Configure the NHRP Client; Task 6: Associate the IPsec Profile with the mGRE Interface; Task 7: Configure IP Parameters on the mGRE Interface; Verify Tunnel State and Traffic Statistics; Configure and Verify Dynamic Routing in a Cisco IOS Software DMVPN; EIGRP Hub Configuration; OSPF Hub Configuration; Hub-and-Spoke Routing and IKE Peering on Spoke; Full Mesh Routing and IKE Peering on Spoke; Troubleshoot a Cisco IOS Software DMVPN; Troubleshooting Flow; Exam Preparation

Chapter 18 Deploying High Availability in Tunnel-Based IPsec VPNs
"Do I Know This Already?" Quiz; Foundation Topics; Plan the Deployment of Cisco IOS Software Site-to-Site IPsec VPN High-Availability Features; VPN Failure Modes; Partial Failure of the Transport Network; Partial or Total Failure of the Service Provider (SP) Transport Network; Partial or Total Failure of a VPN Device; Deployment Guidelines; Use Routing Protocols for VPN Failover; Routing to VPN Tunnel Endpoints; Routing Protocol Inside the VPN Tunnel; Recursive Routing Hazard; Routing Protocol VPN Topologies; Routing Tuning for Path Selection; Routing Tuning for Faster Convergence; Choose the Most Optimal Method of Mitigating Failure in a VTI-Based VPN; Path Redundancy Using a Single-Transport Network; Path Redundancy Using Two Transport Networks; Path and Device Redundancy in Single-Transport Networks; Path and Device Redundancy with Multiple-Transport Networks; Choose the Most Optimal Method of Mitigating Failure in a DMVPN; Recommended Architecture; Shared IPsec SAs; Configuring a DMVPN with a Single-Transport Network; Configuring a DMVPN over Multiple-Transport Networks; Exam Preparation

Chapter 19 Deploying GET VPNs
"Do I Know This Already?" Quiz; Foundation Topics; Describe the Operation of a Cisco IOS Software GET VPN; Peer Authentication and Policy Provisioning; GET VPN Traffic Exchange; Packet Security Services; Key Management Architecture; Rekeying Methods; Traffic Encapsulation; Benefits and Limitations; Plan the Deployment of a Cisco IOS Software GET VPN; Input Parameters; Deployment Tasks; Deployment Choices; Deployment Guidelines; Configure and Verify a Cisco IOS Software GET VPN Key Server; Configuration Tasks; Configuration Choices; Configuration Scenario; Task 1: (Optional) Configure an IKE Policy; Task 2: Generate and/or Configure Authentication Credentials; Task 3: Generate RSA keys for Rekey Authentication; Task 4: Configure a Traffic Protection Policy on the Key Server; Task 5: Enable and Configure the GET VPN Key Server Function; Task 6: (Optional) Tune the Rekeying Policy; Task 7: Create and Apply the GET VPN Crypto Map; Cisco Configuration Professional Support; Verify Basic Key Server Settings; Verify the Rekey Policy; List All Registered Members; Implementation Guidelines; Configure and Verify Cisco IOS Software GET VPN Group Members; Configuration Tasks; Configuration Choices; Configuration Scenario; Task 1: Configure an IKE Policy; Task 2: Generate and/or Configure Authentication Credentials
