Discover advanced concepts in IOS router and switch security in this course, which starts where IINS v1.0, the core training for the CCNA Security certification, stops. In SNRS v3.0, a component of the Cisco Certified Security Professional (CCSP) certification, you will take your IOS router and switch security skills to the professional level.
You'll cover switch topics, including advanced Layer 2 security and Identity-Based Networking Services (IBNS) based on IEEE 802.1x, and router topics, including network platform security, VPN, firewall, and IPS. You will learn how to secure a router's control plane, data plane, and management plane. A large portion of the class covers advanced VPN topics: digital certificates for VPN authentication, GRE over IPsec, Dynamic Virtual Tunnel Interfaces (DVTI), Dynamic Multipoint VPN (DMVPN), Group Encrypted Transport VPN (GET VPN), remote-access IPsec VPN with the Easy VPN Server, the Cisco VPN Client and Easy VPN Remote (hardware client), and SSL VPN. You will examine both the newer Zone-Based Policy Firewall (ZFW) and the traditional Context-Based Access Control (CBAC, now referred to as the IOS Classic Firewall). Advanced IPS topics are covered as well, including event action overrides, event action filters, signature tuning, and custom signature creation.
Prerequisites
- ICND1 - Interconnecting Cisco Network Devices 1
- ICND2 - Interconnecting Cisco Network Devices 2
- IINS - Implementing Cisco IOS Network Security
What You'll Learn
- Layer 2 Security: Attack methods and techniques to mitigate the attacks
- Identity Based Networking Services: 802.1x authentication and authorization with Cisco switches
- Network Foundation Protection: Secure an IOS router's control plane, management plane, and data plane
- VPN Connectivity:
- IPsec overview
- Site-to-site IPsec VPN using public key infrastructure and digital certificates for authentication
- Virtual tunnel interfaces
- GRE over IPsec
- High-availability VPN options
- Dynamic Multipoint VPN
- Group Encrypted Transport VPN (GET VPN)
- Cisco IOS SSL VPN (WebVPN)
- Easy VPN Server, Remote, and Client for Remote Access IPsec VPN
- Protect your network with Cisco IOS Classic Firewall and Cisco IOS Zone-Based Policy Firewall
- Defend against threats on your network using IOS Intrusion Prevention Systems
Course Outline
1. Network Platform Security with Switches
- Configuring Advanced Layer 2 Security
- Introducing Cisco IBNS
- Implementing Basic 802.1x Authentication
- Configuring Advanced 802.1x Authentication and Authorization
2. Network Platform Security with Routers
- Examining the Cisco Network Foundation Protection Strategy
- Securing the Control Plane
- Securing the Management Plane
- Securing the Data Plane
3. Secure Site-to-Site Communications
- Examining VPN and IPsec Fundamentals
- Implementing IPsec VPNs with PKI
- Implementing GRE over IPsec
- Configuring High-Availability VPNs and VTI
- Implementing DMVPN
- Implementing GET VPN
4. Secure Remote Access Communications
- Implementing Cisco IOS Remote Access using Cisco Easy VPN
- Examining a Cisco IOS SSL VPN
5. Threat Control and Containment
- Configuring NAT and PAT
- Configuring a Cisco IOS Classic Firewall
- Configuring a Cisco IOS Zone-Based Policy Firewall
- Configuring Cisco IOS IPS
Labs
Enhanced Labs:
We have enhanced our SNRS v3.0 hands-on labs beyond what you'll find in a standard Cisco SNRS v3.0 course, providing more realistic and robust scenarios. The root of our enhancements lies in the topology that we provide. The standard Cisco SNRS v3.0 labs provide a very simple topology based on the ICND topology that includes a single switch and a single router per pod with two PC instances - a setup that works well for covering associate-level routing and switching concepts. The motivation for Cisco's topology is compatibility with their standard IINS and ICND topologies.
More appropriate for professional-level security training, our SNRS v3.0 topology combines our standard FSA topology with a router supplement. Each SNRS v3.0 pod has four routers, two switches, and ten PC instances. The topology provides a main site with an internal network with multiple subnets and a DMZ for public services, along with two remote site networks and a simulated Internet. PC systems are strategically placed in the topology, and services such as DNS, SMTP, FTP and HTTP are configured realistically.
GUI vs. CLI
While standard SNRS training has moved away from a command-line interface (CLI) focus towards a graphical user interface (GUI) focus, our Security labs include both. Many of the operations in our labs are performed from the Security Device Manager (SDM) GUI, and you will use SDM's Command Preview to see and document every command the GUI delivers to the router. Our enhanced topology allows our labs to include configuring the routers at both ends of each VPN tunnel: generally, you will configure one peer via the GUI and the other peer via the CLI. At the end of each lab, you'll receive the complete configuration with the relevant commands highlighted, a handy tool for lab verification and for long-term reference.
Pros and cons exist for both the GUI and the CLI. In today's world, engineers must have experience with both interfaces, and ours is the only lab environment where you'll find them.
Lab 1: Advanced Layer 2 Security
In this lab you will configure and verify several advanced Layer 2 security features. You will control which IP packets are allowed to enter particular switch ports using Port ACLs, and which IP packets are allowed to traverse particular VLANs using VLAN ACLs. You will demonstrate the use of Private VLAN Edge (protected ports) to prevent intra-VLAN communication between protected ports, and you will mitigate the use of a router on an unprotected port as a proxy that forwards traffic between protected hosts and so bypasses the Private VLAN Edge policy. You will also configure and demonstrate the use of other advanced Layer 2 security technologies, including DHCP Snooping, Dynamic ARP Inspection, and IP Source Guard. For each of these technologies, you will observe the behavior before the technology is configured, apply the configuration, and verify the results.
- Exclusive - Configure and Verify a Port ACL
- Exclusive - Configure and Verify a VLAN ACL
- Configure and Verify Private VLAN Edge
- Mitigate Private VLAN Edge Router Proxy Attacks
- Configure and Verify DHCP Snooping
- Exclusive - Configure and Verify Dynamic ARP Inspection
- Exclusive - Configure and Verify IP Source Guard
- Exclusive - Verify the Switch Configuration
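The following Catalyst IOS configuration is an added example, not part of the course materials or Cisco's lab guide; it puts the Lab 1 features side by side so the dependencies between them are visible (DHCP snooping must exist before Dynamic ARP Inspection and IP Source Guard have a binding table to check against). The VLAN numbers, interface names, the 10.1.10.0/24 access subnet and the uplink to the DHCP server are all assumed. It also shows the usual mitigation for the router-proxy attack on protected ports: an inbound ACL on the routed interface (here the SVI of the L3-Switch) that drops packets whose source and destination are both in the directly connected subnet, since a router never needs to forward those.

```ios
! Assumed topology: access VLAN 10 = 10.1.10.0/24, hosts on Gi0/1-12,
! DHCP server and the rest of the network reached through uplink Gi0/24.
! Catalyst 12.2 syntax.

! --- Port ACL: filter what one host port may send into the switch
ip access-list extended PACL-GI0-5
 permit udp any eq bootpc any eq bootps      ! the host must still be able to obtain a lease
 permit ip 10.1.10.0 0.0.0.255 any           ! only packets sourced from the access subnet
 deny   ip any any
interface GigabitEthernet0/5
 ip access-group PACL-GI0-5 in

! --- VLAN ACL: drop Telnet anywhere inside VLAN 10, forward everything else
ip access-list extended VACL-TELNET
 permit tcp any any eq 23
vlan access-map VLAN10-MAP 10
 match ip address VACL-TELNET
 action drop
vlan access-map VLAN10-MAP 20
 action forward
vlan filter VLAN10-MAP vlan-list 10

! --- Private VLAN Edge: protected ports cannot exchange frames at Layer 2
interface range GigabitEthernet0/1 - 12
 switchport mode access
 switchport access vlan 10
 switchport protected
! Router-proxy mitigation: a protected host can still reach its neighbour by
! addressing the frame to the gateway MAC and letting the router forward it.
! Drop same-subnet "hairpin" packets on the routed interface.
ip access-list extended NO-HAIRPIN
 deny   ip 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255
 permit ip any any
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group NO-HAIRPIN in

! --- DHCP snooping: only the uplink may answer DHCP; build the binding table
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option       ! do not insert option 82 (the server may drop such requests)
interface GigabitEthernet0/24
 ip dhcp snooping trust
interface range GigabitEthernet0/1 - 12
 ip dhcp snooping limit rate 15              ! a flood of DISCOVERs err-disables the port

! --- Dynamic ARP Inspection: ARP on untrusted ports must match a binding
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
interface GigabitEthernet0/24
 ip arp inspection trust
interface range GigabitEthernet0/1 - 12
 ip arp inspection limit rate 15

! --- IP Source Guard: source IP (and MAC) of every packet must match the binding
interface range GigabitEthernet0/1 - 12
 switchport port-security
 ip verify source port-security              ! "ip verify source" alone checks only the IP

! --- Verification
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
show ip verify source
show vlan access-map
show interfaces GigabitEthernet0/5 switchport | include Protected
```

Hosts with static addresses are dropped by IP Source Guard until a manual entry is added with `ip source binding <mac> vlan 10 <ip> interface <port>`; check `show ip verify source` for ports whose filter shows no binding before declaring the lab working.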
Lab 2: Layer 2 AAA with 802.1x
In this lab you will work with various 802.1x features on the L3-Switch, involving configuration on the L3-Switch, the AAA server (Cisco Secure Access Control Server), and on the client PC. You will start with simply configuring 802.1x authentication, which denies access to the Layer 2 network until a valid user authenticates. You will then work with the restricted VLAN, to which users who do not have valid credentials are assigned. Next you will work with guest VLAN, which is assigned to systems without an 802.1x supplicant. You will also configure MAC Authentication Bypass, which recognizes authorized systems without a supplicant by their MAC address. As a final procedure, you will enable 802.1x authorization and provide dynamic VLAN assignments based on the user who logs in.
- Configure RADIUS between the L3-Switch and ACS
- Configure and Test Basic 802.1x Authentication
- Configure and Test 802.1x Restricted VLAN
- Configure and Test 802.1x Guest VLAN
- Configure and Test 802.1x MAC Authentication Bypass
- Install and Configure the Cisco Secure Services Client
- Configure and Test 802.1x Dynamic VLAN Assignment
- Exclusive - Verify the Switch Configuration
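As an added example (not from the course or Cisco's lab guide), this is the switch side of the Lab 2 procedures in one place. The ACS address and shared secret, the VLAN numbers and the interface are assumed. The pre-12.2(50)SE `dot1x` per-port syntax is used because it matches the course's time frame; on newer images the same commands are spelled `authentication ...`. Dynamic VLAN assignment needs nothing beyond `aaa authorization network` on the switch; the VLAN comes from RADIUS attributes that ACS returns for the user's group, shown in the comments.

```ios
! Assumed: ACS at 10.1.50.10 (shared secret R4d1usK3y), data VLAN 10,
! guest VLAN 30 (no supplicant seen), restricted VLAN 40 (authentication failed),
! switch management SVI Vlan50.

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius   ! required for VLAN/ACL assignment from ACS
aaa accounting dot1x default start-stop group radius
radius-server host 10.1.50.10 auth-port 1812 acct-port 1813 key R4d1usK3y
ip radius source-interface Vlan50                 ! the address ACS has the switch registered under
dot1x system-auth-control                         ! global enable; per-port config is inert without it

interface FastEthernet0/3
 description 802.1x user port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 dot1x pae authenticator
 dot1x port-control auto             ! blocked (except EAPOL) until authentication succeeds
 dot1x timeout tx-period 5           ! resend EAP-Request/Identity sooner than the 30 s default
 dot1x max-reauth-req 2              ! ...so a supplicant-less host lands in the guest VLAN quickly
 dot1x guest-vlan 30                 ! no EAPOL at all -> guest VLAN
 dot1x auth-fail vlan 40             ! wrong credentials -> restricted VLAN
 dot1x auth-fail max-attempts 3
 dot1x mac-auth-bypass               ! no supplicant -> ask RADIUS about the MAC address

! Dynamic VLAN assignment is decided by ACS. The user's group returns these
! IETF RADIUS attributes; the named VLAN must exist on the switch:
!   Tunnel-Type (64)             = VLAN (13)
!   Tunnel-Medium-Type (65)      = 802 (6)
!   Tunnel-Private-Group-ID (81) = ENGINEERING
vlan 20
 name ENGINEERING

! --- Verification
test aaa group radius jdoe Us3rPa55 new-code   ! prove the RADIUS path before touching ports
show dot1x interface FastEthernet0/3 details   ! port status, auth-fail/guest VLAN, MAB state
show dot1x all summary
show vlan brief                                ! which VLAN Fa0/3 ended up in
debug dot1x events
```

The order of fallbacks matters when you test: a host that sends EAPOL but fails is put in VLAN 40, a host that never sends EAPOL is tried with MAB first and only then placed in VLAN 30, and MAB failures for a MAC that ACS does not know also fall through to the guest VLAN rather than the restricted one.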
Lab 3: Cisco Network Foundation Protection
In this lab you will work with various elements of Cisco's Network Foundation Protection (NFP), including route authentication. The NFP features protect the router's control plane, management plane, and data plane. EIGRP with route authentication is configured in the initial configurations of this lab. You will first review the configuration of EIGRP with route authentication, and then you will migrate to OSPF with route authentication. For management plane protection, you will configure SNMP version 3, which in its authPriv mode provides confidentiality, origin authentication, and message integrity between the SNMPv3 managed device and the management server. You will configure SNMPv3 and use an SNMP management application to demonstrate MIB browsing over SNMPv3. For data plane protection you will configure NetFlow to track TCP and UDP sessions through the IOS-FW. You will configure NetFlow for real-time analysis with SDM, and you will configure NetFlow export to a NetFlow collection service, which is useful for historical auditing and trend analysis.
- Exclusive - Review EIGRP with Authentication
- OSPF with Authentication
- Configure SNMP Version 3
- Exclusive - Monitoring Using SNMP Version 3
- Configure and Monitor NetFlow with SDM
- Exclusive - Configure NetFlow Export to a NetFlow Collector
- Exclusive - Verify the Router Configuration
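An added example, not taken from the course materials, with one configuration per plane as Lab 3 describes it. Addresses, interface names, the OSPF area and all keys are assumed placeholders. Two practitioner points are folded in as comments: the OSPF MD5 key never crosses the wire (only a keyed digest does), and `snmp-server user` is stored as localized keys that do not appear in `show running-config`, which surprises people who try to verify the user by reading the configuration.

```ios
! Assumed: OSPF neighbour on Fa0/0 in area 0, NMS and NetFlow collector
! 10.1.50.20, Loopback0 as the NetFlow export source.

! --- Control plane: authenticated OSPF adjacencies
interface FastEthernet0/0
 ip ospf message-digest-key 1 md5 0spfK3y!    ! same key id and key on the peer
router ospf 1
 router-id 10.255.0.1
 area 0 authentication message-digest         ! every interface in area 0 must authenticate
 network 10.0.0.0 0.255.255.255 area 0
 passive-interface default                    ! no hellos where no neighbour is expected
 no passive-interface FastEthernet0/0

! --- Management plane: SNMPv3 authPriv only, from one management station
access-list 99 permit 10.1.50.20
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GRP v3 priv read NMS-VIEW access 99   ! priv = authenticate AND encrypt
snmp-server user nmsadmin NMS-GRP v3 auth sha Auth-Pa55 priv aes 128 Priv-Pa55
! Retire any v1/v2c community strings still present, e.g.:
! no snmp-server community public

! --- Data plane: NetFlow for session visibility through the firewall
interface FastEthernet0/1
 description outside
 ip flow ingress
 ip flow egress
interface FastEthernet0/0
 ip flow ingress
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 10.1.50.20 9996
ip flow-cache timeout active 1                ! report long-lived flows every minute, not every 30

! --- Verification
show ip ospf neighbor                         ! FULL, otherwise the keys differ
show ip ospf interface FastEthernet0/0 | include Message digest|key id
show snmp user                                ! the only place the v3 user is visible
show snmp group
show ip cache flow                            ! the live table SDM's monitor reads
show ip flow export                           ! datagrams exported, failures
```

If the NMS can walk the MIB with `noAuthNoPriv`, a v1/v2c community is still configured somewhere; the group definition above only constrains the v3 user, it does not disable older versions.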
Lab 4: Site-To-Site VPN with PKI
In this lab you will configure Site-to-Site VPN using Public Key Infrastructure. That is, you will configure site-to-site IPsec VPN using digital identity certificates for peer authentication. The certificate server is an IOS Certificate Authority, which you will configure on the Internet Router. You will enroll both the IOS-FW and the Site1-Rtr with the certificate server. Once both of the peer routers have identity certificates signed by the certificate server, you will configure the IPsec VPN. In general, the configurations performed on the IOS-FW will be done with SDM and those done on the Site1-Rtr will be performed from the CLI, providing experience with both configuration interfaces. After configuration, you will verify the operation of the VPN.
- Exclusive - Configure IOS PKI Server on the Internet Router
- Assign the SSL Trustpoint for SDM
- Enroll the IOS-FW with the CA Server via SDM
- Configure the IOS-FW for the VPN via SDM
- Exclusive - Enroll the Site1 Router with the CA Server via the CLI
- Exclusive - Configure the Site1 Router for the VPN via the CLI
- Test and Verify the VPN
- Exclusive - Verify the Router Configurations
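Below is an added example that is not part of the course: the CLI equivalent of Lab 4 for the Internet Router (IOS certificate server) and for Site1-Rtr (enrollment and an IKE policy that authenticates with RSA signatures); SDM produces the same statements for the IOS-FW. The addresses, host names, domain name and protected subnets are assumed. `grant auto` is what makes the lab move quickly and is exactly what you would not leave on a production CA, and certificate validation fails on any peer whose clock is wrong, so NTP is part of the example.

```ios
! Assumed: Internet Router 203.0.113.1 hosts the CA; IOS-FW outside 203.0.113.10
! (LAN 10.1.0.0/16); Site1-Rtr outside 203.0.113.20 (LAN 10.2.0.0/16).

! ===== Internet Router: IOS certificate server =====
hostname Internet-Rtr
ip domain-name lab.example
crypto key generate rsa label LABCA modulus 2048 exportable   ! label must equal the server name
ip http server                        ! SCEP enrollment is carried over HTTP
crypto pki server LABCA
 database level complete
 issuer-name CN=LABCA,O=Lab
 lifetime certificate 365
 lifetime ca-certificate 1825
 grant auto                           ! lab convenience: every request is signed unseen
 no shutdown                          ! prompts for the passphrase that protects the CA key

! ===== Site1-Rtr: enroll, then use the certificate for IKE =====
hostname Site1-Rtr
ip domain-name lab.example
ntp server 203.0.113.1                ! validity periods are checked against the local clock
crypto key generate rsa modulus 2048
crypto pki trustpoint LABCA
 enrollment url http://203.0.113.1:80
 subject-name CN=Site1-Rtr,O=Lab
 revocation-check crl                 ! fetch and honour the CRL; "none" only while debugging
crypto pki authenticate LABCA         ! downloads the CA cert; compare the fingerprint out of band
crypto pki enroll LABCA               ! SCEP request; granted automatically by the server above
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig               ! certificates replace the pre-shared key
 group 2
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
ip access-list extended VPN-TO-MAIN
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set AES-SHA
 set pfs group2
 match address VPN-TO-MAIN
interface FastEthernet0/1
 description outside
 crypto map VPN

! --- Verification
show crypto pki certificates          ! expect the CA certificate and the router's own certificate
show crypto pki trustpoints status
show crypto isakmp sa                 ! QM_IDLE once phase 1 completed with RSA-SIG
show crypto ipsec sa | include pkts   ! encaps/decaps counters climb for matching traffic
debug crypto pki transactions         ! enrollment and CRL retrieval problems show up here
```

Because `revocation-check crl` is set, the Internet Router must stay reachable on port 80 from both peers for CRL downloads; if the tunnel refuses to build after enrollment worked, that is the first thing to check.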
Lab 5: IPsec Redundancy using GRE
In this lab you will work with some ways to add resiliency to site-to-site VPN connectivity. You will modify the standard SNRS topology by merging the two remote sites into one site with two routers. You will then configure HSRP between the two routers, so that the remote-site hosts' default gateway stays reachable as long as at least one of the two routers is up. You will then configure two GRE over IPsec tunnels between the main site and the merged remote site and run EIGRP across them as the routing protocol. In general, configuration on the IOS-FW will be performed using SDM and configuration of the remote routers will be done using the CLI. You will verify the behavior of the system in its normal state, and then you will verify its resiliency by failing components.
- Understand the Scenario
- Exclusive - Configure HSRP at the Remote Site
- Configure GRE over IPsec via SDM on the IOS-FW
- Exclusive - Configure GRE over IPsec via the CLI on the Site1 Router
- Exclusive - Configure the Site2 Router via TFTP
- Exclusive - Verify and Tune the Configurations
- Exclusive - Verify Resiliency
- Exclusive - Verify the Router Configurations
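An added example, not the course's own configuration, for the Lab 5 design: two GRE tunnels protected by an IPsec profile, EIGRP over them, and HSRP on the remote LAN with object tracking so that a router whose tunnel dies gives up the gateway role. All addresses and HSRP priorities are assumed, and pre-shared keys are used for brevity where the lab could equally use the Lab 4 certificates. The detail that makes the failover test meaningful is GRE keepalives: without them a GRE tunnel's line protocol stays up as long as any route to the tunnel destination exists, and HSRP tracking would never fire.

```ios
! Assumed: IOS-FW outside 203.0.113.10 with LAN 10.1.0.0/16; merged remote-site
! LAN 10.2.1.0/24 behind RtrA (WAN 203.0.113.20, HSRP priority 110) and RtrB
! (WAN 203.0.113.30, priority 90); tunnel links 172.16.1.0/30 and 172.16.2.0/30.

! ===== RtrA (RtrB is identical with its own addresses and "standby 1 priority 90")
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key S1teK3y address 203.0.113.10
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode transport                        ! GRE already supplies an outer IP header
crypto ipsec profile GRE-PROT
 set transform-set AES-SHA
!
interface Tunnel0
 description GRE to the main site, encrypted by the IPsec profile
 ip address 172.16.1.2 255.255.255.252
 ip mtu 1400                           ! room for GRE + ESP without fragmenting
 ip tcp adjust-mss 1360
 keepalive 10 3                        ! three missed keepalives -> line protocol down
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile GRE-PROT
!
track 1 interface Tunnel0 line-protocol
interface FastEthernet0/0
 description remote-site LAN
 ip address 10.2.1.2 255.255.255.0
 standby 1 ip 10.2.1.1                 ! the default gateway the hosts are given
 standby 1 priority 110
 standby 1 preempt                     ! take the role back once the tunnel returns
 standby 1 authentication md5 key-string Hsrp-K3y
 standby 1 track 1 decrement 30        ! 110 - 30 = 80, below RtrB's 90
!
router eigrp 100
 network 10.2.1.0 0.0.0.255            ! RtrA and RtrB also peer on the LAN, so either
 network 172.16.1.0 0.0.0.3            ! router can reach the hub through the other's tunnel
 no auto-summary

! ===== IOS-FW (SDM generates the equivalent; Tunnel2 mirrors Tunnel1 toward RtrB)
crypto isakmp key S1teK3y address 203.0.113.20
crypto isakmp key S1teK3y address 203.0.113.30
interface Tunnel1
 ip address 172.16.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.20
 tunnel protection ipsec profile GRE-PROT
interface Tunnel2
 ip address 172.16.2.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.30
 tunnel protection ipsec profile GRE-PROT
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 172.16.0.0 0.0.255.255
 no auto-summary

! --- Verification: record the normal state, then shut RtrA's WAN interface
show standby brief                      ! Active/Standby roles and current priorities
show track 1                            ! state changes as Tunnel0 goes down
show ip route 10.1.0.0                  ! on RtrA: via Tunnel0 normally, via RtrB's LAN address after
show crypto session
show ip eigrp neighbors                 ! the hub over the tunnel plus the peer router on the LAN
```

Run a continuous ping from a remote-site host to a main-site address while you fail RtrA's WAN link: the gap you see is the HSRP hold time plus the EIGRP reconvergence, which is the number worth writing down from this lab.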
Lab 6: DMVPN
In this lab you will configure a dynamic full-mesh Dynamic Multipoint VPN (DMVPN). The IOS-FW will be configured as the hub and the Site1-Rtr and Site2-Rtr will each be configured as a spoke. As you configure components, you will test their function and adjust configurations as necessary. In the end, you will have persistent GRE over IPsec VPN tunnels from each remote site to the IOS-FW. When Site1-to-Site2 connectivity is required, a dynamic spoke-to-spoke GRE over IPsec tunnel will be established directly between the two sites, without hairpinning through the hub.
- Exclusive - Prepare the Hub Site
- Prepare Site1
- Test Connectivity and Adjust the Configuration
- Exclusive - Prepare Site2
- Exclusive - Test and Verify the Multi-Site DMVPN Connectivity
- Exclusive - Verify the Router Configurations
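The hub and spoke configuration below is an added example (not the course's own) for the Lab 6 design, with assumed public addresses, tunnel subnet, NHRP network id and EIGRP autonomous system. Two settings on the hub are what turn a hub-and-spoke DMVPN into the dynamic full mesh the lab describes: split horizon must be disabled so routes learned from one spoke are readvertised out the same mGRE interface, and `next-hop-self` must be disabled so the readvertised route still carries the originating spoke's tunnel address, which is what triggers NHRP resolution and the direct spoke-to-spoke tunnel.

```ios
! Assumed: hub IOS-FW 203.0.113.10 = 172.16.0.1/24 on Tunnel0; spokes
! Site1-Rtr 203.0.113.20 = 172.16.0.2 (LAN 10.2.0.0/16) and
! Site2-Rtr 203.0.113.30 = 172.16.0.3 (LAN 10.3.0.0/16). Pre-shared keys for brevity.

! ===== Hub (IOS-FW) =====
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key DmvpnK3y address 0.0.0.0 0.0.0.0   ! wildcard because spokes may have any address; PKI avoids this
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set AES-SHA
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NhrpK3y
 ip nhrp map multicast dynamic        ! replicate EIGRP hellos to every registered spoke
 ip nhrp network-id 100
 ip nhrp holdtime 600
 no ip split-horizon eigrp 100        ! readvertise spoke routes out the same interface
 no ip next-hop-self eigrp 100        ! keep the spoke's address as next hop -> spoke-to-spoke
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
router eigrp 100
 network 172.16.0.0 0.0.0.255
 network 10.1.0.0 0.0.255.255
 no auto-summary

! ===== Spoke (Site1-Rtr; Site2-Rtr uses .3 and 10.3.0.0) =====
! Same isakmp policy, transform set and ipsec profile as the hub, plus:
crypto isakmp key DmvpnK3y address 0.0.0.0 0.0.0.0   ! must accept the other spoke too, not only the hub
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NhrpK3y
 ip nhrp map 172.16.0.1 203.0.113.10  ! the only static mapping a spoke needs
 ip nhrp map multicast 203.0.113.10
 ip nhrp network-id 100
 ip nhrp nhs 172.16.0.1               ! register with the hub
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint           ! multipoint, so a tunnel to another spoke can form
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
router eigrp 100
 network 172.16.0.0 0.0.0.255
 network 10.2.0.0 0.0.255.255
 no auto-summary

! --- Verification (on Site1-Rtr, after pinging a 10.3.x.x address)
show ip nhrp                          ! hub entry "static", Site2 appears as "dynamic"
show dmvpn
show crypto ipsec sa | include peer|pkts   ! a second peer (203.0.113.30) with rising counters
show ip eigrp neighbors
show ip route 10.3.0.0                ! next hop 172.16.0.3, not the hub
```

If the spoke-to-spoke tunnel never appears and `show ip route` on a spoke shows the hub as next hop for the other spoke's prefix, the `no ip next-hop-self eigrp 100` line on the hub is missing or the spokes are running point-to-point GRE.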
Lab 7: GET VPN
In this lab you will configure GETVPN in the pod network. You will first remove NAT configurations and configure EIGRP throughout the pod network to simulate a large private network (for simplicity, topology and subnet assignments will not be changed). The goal is to have GETVPN provide protection of all traffic between 10.0.0.0/8 subnets as well as multicast traffic sourced from 10.0.0.0/8 subnets. You will configure the Perimeter Router as the GDOI Key Server. You will configure the IOS-FW, Site1-Rtr, and Site2-Rtr as GDOI Group Members. You will configure the IOS-FW from scratch, though you will use copy/paste to speed up the configuration of the Site1 and Site2 Routers. As you configure elements, you will use show commands to verify configuration. Once all the elements are configured, you will verify the operation of GETVPN.
- Exclusive - Understand the Scenario
- Exclusive - Configure EIGRP
- Exclusive - Remove NAT Configuration
- Exclusive - Configure the Key Server
- Configure and Verify the First Group Member
- Exclusive - Configure the Other Group Members
- Exclusive - Verify GETVPN from the Key Server
- Verify GETVPN Traffic
- Exclusive - Verify the Router Configurations
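An added example (not the course's lab configuration) for Lab 7: the Perimeter Router as GDOI key server and one group member, with assumed key-server address, group id, key labels and pre-shared keys. The policy ACL is where most GET VPN mistakes are made and where this example is more careful than the lab text: GET VPN keeps the original IP header, so the same ACL is pushed to every member and anything it matches between 10.0.0.0/8 addresses gets encrypted, including the routing protocol, GDOI registration itself and management sessions unless they are explicitly denied first.

```ios
! Assumed: key server Loopback0 10.0.250.1 on the Perimeter Router; group members
! IOS-FW, Site1-Rtr, Site2-Rtr apply the crypto map on their WAN interface;
! EIGRP AS 100 already runs across the pod and NAT has been removed (NAT in the
! path breaks GET VPN because the protected header is the original one).

! ===== Key Server (Perimeter Router) =====
crypto key generate rsa label GETVPN-REKEY modulus 2048 exportable   ! signs rekey messages
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key GetvpnK3y address 0.0.0.0 0.0.0.0    ! registration IKE; certificates preferred
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec profile GDOI-PROF
 set transform-set AES-SHA
!
ip access-list extended GETVPN-POLICY
 deny   udp any eq 848 any eq 848                         ! GDOI registration/rekey
 deny   eigrp any any                                     ! routing stays in the clear
 deny   udp any any eq ntp
 deny   tcp any any eq 22
 deny   tcp any eq 22 any
 permit ip 10.0.0.0 0.255.255.255 224.0.0.0 15.255.255.255   ! multicast sourced from 10/8
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255     ! unicast between 10/8 subnets
!
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey algorithm aes 128
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast                  ! no multicast routing needed for rekeys
  sa ipsec 1
   profile GDOI-PROF
   match address ipv4 GETVPN-POLICY
   replay time window-size 5               ! time-based anti-replay: members must be NTP-synced
  address ipv4 10.0.250.1

! ===== Group Member (IOS-FW; Site1-Rtr and Site2-Rtr are the same) =====
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key GetvpnK3y address 10.0.250.1
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.0.250.1
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
interface FastEthernet0/1
 description WAN toward the private core
 crypto map GETVPN-MAP

! --- Verification
show crypto gdoi ks members            ! on the KS: every member registered?
show crypto gdoi ks policy
show crypto gdoi                       ! on a member: downloaded TEK/KEK and lifetimes
show crypto gdoi gm acl                ! the deny/permit policy the member actually enforces
show crypto ipsec sa | include pkts    ! counters rise on both ends for 10/8 traffic
```

A member that registered fine but loses its EIGRP neighbours a moment later almost always has the routing protocol caught by the policy ACL; the `deny eigrp` line must come before the broad permits, and the order is preserved when the key server pushes the policy.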
Lab 8: Cisco Easy VPN
In this lab you will use the Easy VPN Server Wizard in SDM to configure the IOS-FW to accept connections from VPN clients, and you will analyze the configuration. You will configure the Cisco VPN Client software on the Outside PC. After configuration, you will be able to use the VPN Client on the Outside PC to gain secure access to resources on the internal networks. You will then apply and test a filter on the dynamic virtual tunnel interface (DVTI) used for Easy VPN, preventing normal VPN users from reaching the management subnet. After working with the Cisco Easy VPN software client, you will move on to the Cisco Easy VPN Remote features included in the IOS. You will define a new profile for hardware-client access on the IOS-FW and configure the Site1-Rtr as an Easy VPN Remote, after which there will be connectivity between Site1 and the main site. You will also experiment with Network Extension Mode and extended authentication (XAUTH) options on the Site1-Rtr.
- Easy VPN Server Wizard
- Examine the Configuration
- Prepare the VPN Client
- Test the Remote Access VPN
- Exclusive - Apply a Filter to a DVTI
- Easy VPN Remote Hardware Client
- Exclusive - Interactive Authentication for Hardware Clients
- Exclusive - Network Extension Mode
- Monitor Remote Access VPN Connections with SDM
- Exclusive - Verify the Router Configuration
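The following is an added example and not the course's configuration: the Lab 8 server built on a DVTI, the filter applied on the virtual template so that every cloned Virtual-Access interface inherits it, and the hardware client on Site1-Rtr in network extension mode with interactive XAUTH. Addresses, group names, keys and the management subnet are assumed. Note where the filter goes: an ACL on the outside interface would never see the decrypted packets, but the virtual template does.

```ios
! Assumed: IOS-FW outside 203.0.113.10; software clients get 10.1.99.0/24;
! management subnet 10.1.50.0/24 is off limits to ordinary VPN users;
! Site1-Rtr is the hardware client with LAN 10.2.1.0/24.

! ===== IOS-FW: Easy VPN server on a DVTI (what the SDM wizard generates) =====
aaa new-model
aaa authentication login VPN-USERS local          ! XAUTH user credentials
aaa authorization network VPN-GROUPS local        ! group policy lookup
username jdoe secret Us3rPa55
ip local pool EZVPN-POOL 10.1.99.1 10.1.99.100
!
ip access-list extended SPLIT-TUNNEL
 permit ip 10.1.0.0 0.0.255.255 any               ! only corporate prefixes go through the tunnel
ip access-list extended VPN-USER-FILTER
 deny   ip any 10.1.50.0 0.0.0.255                ! no VPN access to the management subnet
 permit ip any any
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp client configuration group SALES    ! software-client profile
 key SalesGr0upK3y
 pool EZVPN-POOL
 acl SPLIT-TUNNEL
 dns 10.1.50.5
 domain lab.example
crypto isakmp client configuration group HWCLIENTS   ! separate profile for hardware clients
 key HwGr0upK3y
 pool EZVPN-POOL
crypto isakmp profile EZVPN-PROF
 match identity group SALES
 match identity group HWCLIENTS
 client authentication list VPN-USERS
 isakmp authorization list VPN-GROUPS
 client configuration address respond
 virtual-template 1                   ! one Virtual-Access interface is cloned per client
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec profile EZVPN-IPSEC
 set transform-set AES-SHA
 set isakmp-profile EZVPN-PROF
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/1
 ip access-group VPN-USER-FILTER in   ! filters decrypted traffic from every client
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC

! ===== Site1-Rtr: Easy VPN Remote (hardware client) =====
crypto ipsec client ezvpn TO-MAIN
 connect auto
 group HWCLIENTS key HwGr0upK3y
 mode network-extension               ! Site1 LAN keeps its real addresses; no client-side NAT
 peer 203.0.113.10
 xauth userid mode interactive        ! an operator must enter XAUTH credentials at the console
interface FastEthernet0/1
 crypto ipsec client ezvpn TO-MAIN    ! outside
interface FastEthernet0/0
 crypto ipsec client ezvpn TO-MAIN inside

! --- Verification
show crypto session                   ! one Virtual-Access interface per connected client
show crypto ipsec client ezvpn        ! on Site1-Rtr: state, mode and received attributes
crypto ipsec client ezvpn xauth       ! on Site1-Rtr: answer the pending XAUTH prompt
```

To prove the filter, connect with the VPN Client, ping an address in 10.1.50.0/24 (fails) and an address elsewhere in 10.1.0.0/16 (succeeds); the hardware client profile has no such filter here, which is the difference you would then explain in the lab write-up.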
Lab 9: IOS SSL VPN
In this lab you will work with the features provided by IOS SSL VPN. You will start by configuring RADIUS support on the IOS-FW so that it uses Cisco Secure ACS for AAA; Cisco Secure ACS itself is configured to use Active Directory for user authentication. You will then use SDM's SSL VPN Wizard to enable clientless SSL VPN access. Once the basics of clientless SSL VPN have been configured and tested, you will move on to configuring and demonstrating the "thin client" capability, which uses a Java applet to provide port forwarding. You will then configure and test the full tunnel SSL VPN Client. You'll finish the lab by configuring and testing the Cisco Secure Desktop.
- Configure RADIUS Support
- Configure Clientless SSL VPN Access
- Exclusive - Test Clientless SSL VPN Access
- Configure and Test Port Forwarding
- Configure and Test the Full Tunnel SSL VPN Client
- Configure and Test the Cisco Secure Desktop
- Exclusive - Verify the Router Configuration
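An added example that is not part of the course: one `webvpn` context carrying all four Lab 9 access methods (clientless bookmarks, port forwarding, the full tunnel client and Cisco Secure Desktop), authenticated through RADIUS. The ACS address and secret, the internal hosts, the address pool and the package file names on flash are assumed; use the file names of the packages you actually copied.

```ios
! Assumed: IOS-FW outside 203.0.113.10, ACS 10.1.50.10 (secret R4d1usK3y),
! internal Telnet host 10.1.1.10 and intranet web server 10.1.1.20,
! full-tunnel pool 10.1.98.0/24, packages already in flash:/webvpn/.

aaa new-model
aaa authentication login SSL-USERS group radius local   ! "local" as a fallback if ACS is down
radius-server host 10.1.50.10 auth-port 1812 acct-port 1813 key R4d1usK3y
ip local pool SSL-POOL 10.1.98.1 10.1.98.100
!
webvpn install svc flash:/webvpn/anyconnect-win-2.3.0254-k9.pkg      ! full-tunnel client
webvpn install csd flash:/webvpn/securedesktop-ios-3.1.1.45-k9.pkg   ! Cisco Secure Desktop
!
webvpn gateway SSL-GW
 ip address 203.0.113.10 port 443
 ssl trustpoint LABCA                 ! certificate from the Lab 4 CA; self-signed otherwise
 http-redirect port 80                ! visitors on port 80 are sent to HTTPS
 inservice
!
webvpn context SSLVPN
 title "Lab SSL VPN"
 gateway SSL-GW
 aaa authentication list SSL-USERS    ! RADIUS -> ACS -> Active Directory
 csd enable                           ! endpoint checks run before the login page
 port-forward "PF-TELNET"             ! thin client: Java applet listens on the PC's port 3023
  local-port 3023 remote-server 10.1.1.10 remote-port 23 description "Telnet to 10.1.1.10"
 url-list "INTRANET"
  heading "Internal sites"
  url-text "Intranet" url-value "http://10.1.1.20"
 policy group DEFAULT
  url-list "INTRANET"                 ! clientless: bookmarks on the portal page
  port-forward "PF-TELNET"
  functions svc-enabled               ! full tunnel offered; svc-required would force it
  svc address-pool "SSL-POOL"
  svc split include 10.1.0.0 255.255.0.0
  svc dns-server primary 10.1.50.5
  svc keep-client-installed
 default-group-policy DEFAULT
 inservice

! --- Verification
show webvpn gateway SSL-GW
show webvpn context SSLVPN
show webvpn session context SSLVPN     ! who is logged in and in which mode
show webvpn stats
debug webvpn aaa                        ! RADIUS failures surface here, not in the browser
```

The port-forwarding step is easy to misjudge when testing: the user telnets to `localhost 3023` on the Outside PC, not to 10.1.1.10, and the applet must stay open for the forward to exist.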
Lab 10: IOS Classic Firewall
In this lab you will explore the use of the IOS Classic Firewall. Before configuring the firewall, you will demonstrate the misuse of TCP port 80: you will use port 80 to carry non-HTTP connections as well as applications tunneled inside what appears to be RFC-compliant HTTP. You will then use SDM's Firewall Wizard to configure the IOS Classic Firewall. You will test the expected connectivity based on destination ports, and you will demonstrate the IOS Classic Firewall's ability to perform application-layer inspection on TCP port 80. You will finish by maintaining the firewall configuration without the wizard, as you configure and verify the firewall to handle SMTP appropriately for the lab topology.
- Exclusive - Demonstrate Tunneling Applications
- Prepare the IOS-FW for IOS Classic Firewall
- Execute the SDM Advanced Firewall Wizard
- Verify Expected Connectivity
- Verify Expected Protections
- Exclusive - Block the HTTP Tunnel
- Exclusive - Update Firewall Policy and Verify Results
- Exclusive - Verify the Router Configuration
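The CBAC configuration below is an added example, not the course's wizard output, for Lab 10. The interface roles, the DMZ mail host and the IOS feature set (12.4 with the Application Firewall, which supplies the `appfw` HTTP policy) are assumed. The `appfw` policy is the part that defeats the port-80 tunnels demonstrated at the start of the lab: `strict-http` resets connections whose payload is not HTTP, and `port-misuse` matches the signatures of IM, P2P and tunnelling tools that wrap themselves in HTTP.

```ios
! Assumed: inside Fa0/0 (10.1.0.0/16), outside Fa0/1 (203.0.113.10),
! DMZ mail server 172.16.1.25 that the Internet may reach on SMTP only.

! --- HTTP application inspection: port 80 must carry real, modest HTTP
appfw policy-name OUTBOUND-HTTP
 application http
  strict-http action reset alarm                  ! non-HTTP bytes on port 80 -> reset
  port-misuse im action reset alarm               ! IM clients tunnelled over 80
  port-misuse p2p action reset alarm
  port-misuse tunneling action reset alarm        ! HTTP tunnel wrappers
  request-method rfc default action reset alarm   ! only the methods allowed below
  request-method rfc get action allow
  request-method rfc head action allow
  request-method rfc post action allow
  transfer-encoding type default action reset alarm
  transfer-encoding type chunked action allow
  max-header-length request 2048 response 2048 action reset alarm
  max-uri-length 1024 action reset alarm
  audit-trail on

! --- Inspection rule for sessions initiated from the inside
ip inspect name FW-OUT appfw OUTBOUND-HTTP   ! attach the HTTP policy
ip inspect name FW-OUT http                  ! generic HTTP inspection (Java applet filtering)
ip inspect name FW-OUT https
ip inspect name FW-OUT dns
ip inspect name FW-OUT ftp                   ! tracks the data channel
ip inspect name FW-OUT icmp
ip inspect name FW-OUT tcp                   ! all other TCP, tracked statefully
ip inspect name FW-OUT udp
ip inspect audit-trail
ip inspect tcp synwait-time 15               ! drop half-open sessions sooner

! --- Inbound from the Internet: denied unless CBAC opened it or it is SMTP to the DMZ host
ip access-list extended OUTSIDE-IN
 permit tcp any host 172.16.1.25 eq smtp
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 deny   ip any any log
! Inspect the inbound SMTP too: CBAC filters illegal SMTP commands on the session
ip inspect name FW-IN smtp
!
interface FastEthernet0/0
 description inside
 ip inspect FW-OUT in                        ! sessions started here get return entries in OUTSIDE-IN
interface FastEthernet0/1
 description outside
 ip access-group OUTSIDE-IN in
 ip inspect FW-IN in

! --- Verification
show ip inspect config
show ip inspect sessions detail              ! live sessions and the temporary ACEs they created
show appfw configuration
show ip access-lists OUTSIDE-IN              ! the deny counter climbs as the tunnel client retries
```

Repeat the tunnelling demonstration after applying this and watch `show logging`: the reset comes with an `APPFW` audit message naming the policy and the matched check, which is the evidence the lab asks you to collect.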
Lab 11: IOS Zone-Based Policy Firewall
In this lab you will configure the Zone-Based Firewall (ZBF) feature on the IOS-FW using SDM. You will also demonstrate how the stateful nature of ZBF mitigates attacks. The SDM firewall wizards are not very flexible. You will use the Basic Firewall wizard to start, and you will explore the type of configuration put in place by the wizard. You will then use SDM to configure other ZBF policies from scratch.
- Basic Firewall Wizard
- Implement the DMZ Inbound
- Implement the DMZ to Inside
- Exclusive - Demonstrate Attack Mitigation
- Static URL Filtering
- HTTP Application Inspection
- Exclusive - Verify the Router Configuration
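Below is an added example (not the course's SDM output) of the Lab 11 policy written directly in ZBF syntax, with assumed interface roles, DMZ server address and IOS 12.4(15)T command forms for local URL filtering and HTTP application inspection. The stateful behaviour the lab demonstrates is the default: once an interface belongs to a zone, traffic to any other zone is dropped unless a zone-pair policy explicitly inspects or passes it, so a DMZ host that is compromised cannot open anything toward the inside simply because no DMZ-to-INSIDE pair exists.

```ios
! Assumed: inside Fa0/0 (10.1.0.0/16), outside Fa0/1, DMZ Fa0/2 with web
! server 172.16.1.10 (address as seen by the firewall after any NAT).

zone security INSIDE
zone security OUTSIDE
zone security DMZ
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
interface FastEthernet0/2
 zone-member security DMZ

! --- Layer 7 HTTP inspection: the same tunnel-over-80 checks, ZBF style
class-map type inspect http match-any HTTP-VIOLATIONS
 match req-resp protocol-violation        ! not RFC-compliant HTTP
 match request port-misuse any            ! IM / P2P / tunnelling signatures
policy-map type inspect http HTTP-DEEP
 class type inspect http HTTP-VIOLATIONS
  reset
  log

! --- Static URL filtering from a local list (no external filter server)
parameter-map type urlfilter LOCAL-URLF
 exclusive-domain deny .badsite.example
 exclusive-domain permit .example.com
 allow-mode on

! --- INSIDE -> OUTSIDE: inspect allowed protocols; HTTP also gets deep inspection and filtering
class-map type inspect match-any OUT-HTTP
 match protocol http
class-map type inspect match-any OUT-OTHER
 match protocol https
 match protocol dns
 match protocol ftp
 match protocol icmp
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect OUT-HTTP
  inspect
  service-policy http HTTP-DEEP
  urlfilter LOCAL-URLF
 class type inspect OUT-OTHER
  inspect
 class class-default
  drop log                               ! everything not listed is dropped and logged
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE

! --- OUTSIDE -> DMZ ("DMZ inbound"): only HTTP, only to the web server
ip access-list extended TO-DMZ-WEB
 permit ip any host 172.16.1.10
class-map type inspect match-all DMZ-WEB    ! match-all: the ACL AND the protocol
 match access-group name TO-DMZ-WEB
 match protocol http
policy-map type inspect OUTSIDE-TO-DMZ
 class type inspect DMZ-WEB
  inspect
 class class-default
  drop log
zone-pair security OUT-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ

! --- DMZ -> INSIDE: deliberately no zone-pair in this example, hence dropped.
!     Add one with a narrow class only if the web server needs, say, a database port.

! --- Verification
show zone-pair security
show policy-map type inspect zone-pair sessions
show policy-map type inspect zone-pair IN-OUT    ! per-class packet and drop counters
```

Return traffic for inspected sessions needs no OUTSIDE-to-INSIDE pair; if you find yourself adding one to "make replies work", the original session was not inspected (typically because its protocol is missing from a class map).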
Lab 12: IOS IPS
In this lab you will use SDM to install and configure IOS IPS on the IOS-FW, starting with the SDM IPS Wizard for the initial setup. Attacks are often obfuscated in an attempt to evade detection; after setting up IPS, you will demonstrate the IOS IPS ability to deobfuscate such attempts. You will use Cisco's IPS Manager Express (IME) to monitor and report on events from IOS IPS as you launch a number of attacks on your network. From a tuning standpoint, you will work with three options: first you will see how to modify Signature Actions from their default values; second, you will implement an Event Action Override to add a specific action to every signature whose event reaches a chosen Risk Rating; and third, you will configure an Event Action Filter that removes actions from events involving a specific system, so that a known host (such as an authorized scanner) is not blocked by the IOS IPS.
- IOS IPS Wizard
- Exclusive - Deobfuscation
- Signature Definitions
- IPS Manager Express
- Exclusive - Signature Actions
- Exclusive - Custom Signatures
- Exclusive - Event Action Overrides
- Event Action Filters
- Exclusive - Verify the Router Configuration
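An added example, not the course's own, showing the Lab 12 setup and the three tuning options in the IOS IPS 5.x CLI (12.4(11)T and later). The signature package file name, the signature id used for the action change (2004/0, ICMP Echo Request, is the usual lab choice; confirm it exists in your package), the scanner address and the SDM/IME station are assumed. The event-action-rules filter block mirrors the field names of the 5.x signature format; most operators build filters in SDM's Edit IPS pages, so treat that block as the expected shape and verify it against the running image.

```ios
! Assumed: signature package IOS-S376-CLI.pkg and Cisco's public key file on
! flash, IPS config directory flash:ips, IME at 10.1.50.10, authorized
! vulnerability scanner at 10.1.50.30 that must never be blocked.

crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature   ! Cisco's key that signs the signature package
  key-string
   ! paste the hex lines from the realm-cisco.pub.key.txt file Cisco distributes
  quit
ip ips config location flash:ips retries 1
ip ips name IOSIPS
ip ips notify sdee                     ! SDM and IME pull events over SDEE (HTTPS)
ip http secure-server
ip sdee events 500
ip ips signature-category
 category all
  retired true                         ! start with everything retired...
 category ios_ips basic
  retired false                        ! ...then unretire a set that fits the router's memory
interface FastEthernet0/1
 description outside
 ip ips IOSIPS in                      ! inline, on ingress from the Internet
! Load the package once the rule exists on an interface:
!   copy flash:IOS-S376-CLI.pkg idconf

! --- 1. Signature action: change one signature's default actions
ip ips signature-definition
 signature 2004 0
  status
   enabled true
   retired false
  engine
   event-action produce-alert deny-packet-inline
  exit
 exit

! --- 2. Event action override: drop inline whenever the Risk Rating is 90 or more,
!        regardless of what the individual signature says
ip ips event-action-rules
 overrides
  action-definition deny-packet-inline
   enabled true
   risk-rating-range 90-100
  exit
 exit

! --- 3. Event action filter: strip the deny action when the attacker is the scanner
ip ips event-action-rules
 filters
  filter-name NO-DENY-SCANNER
   signature-id-range 1000-65535
   subsignature-id-range 0-255
   attacker-address-range 10.1.50.30-10.1.50.30
   victim-address-range 0.0.0.0-255.255.255.255
   risk-rating-range 0-100
   actions-to-remove deny-packet-inline
   filter-item-status enabled true
   stop-on-match false
  exit
 exit

! --- Verification
show ip ips configuration              ! rule, interfaces, package and category summary
show ip ips signatures count           ! compiled vs. retired signatures
show ip ips signatures sigid 2004 subid 0
show ip ips statistics
show ip sdee events                    ! what IME will pull; alerts still fire for the scanner,
                                       ! only the deny action is removed
```

Order matters when you test the third option: the override adds `deny-packet-inline` first, the filter subtracts it afterwards, so the scanner's events keep `produce-alert` and show up in IME while its packets are no longer dropped.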
Classroom Dates and Locations
Date | Location
Aug 31 - Sep 4, 2009 | Washington, DC
Aug 31 - Sep 4, 2009 | Dallas, TX
Sep 14 - 18, 2009 | Toronto, ON
Sep 21 - 25, 2009 | New York, NY
Sep 28 - Oct 2, 2009 | Montreal, QC
Oct 19 - 23, 2009 | Atlanta, GA
Nov 2 - 6, 2009 | Vancouver, BC
Nov 16 - 20, 2009 | Raleigh, NC
Nov 30 - Dec 4, 2009 | Dallas, TX
Nov 30 - Dec 4, 2009 | Ottawa, ON
Dec 14 - 18, 2009 | Chicago (Schaumburg), IL
Dec 14 - 18, 2009 | Toronto, ON
Jan 4 - 8, 2010 | San Jose, CA
Jan 18 - 22, 2010 | New York, NY
Feb 15 - 19, 2010 | Atlanta, GA
Mar 1 - 5, 2010 | Dallas, TX
Mar 8 - 12, 2010 | Washington, DC
Mar 15 - 19, 2010 | Chicago (Schaumburg), IL
Mar 29 - Apr 2, 2010 | Morristown, NJ
Don’t see the location or date you need? No problem – just use our By Request service.
Who Needs to Attend
- Internetwork professionals who want to ensure security of their network using IOS devices that are already common in their network
- Internetwork professionals who seek Cisco Certified Security Professional (CCSP) certification
What You'll Learn
- Layer 2 Security: Attack methods and techniques to mitigate the attacks
- Identity Based Networking Services: 802.1x authentication and authorization with Cisco switches
- Network Foundation Protection: Secure an IOS router's control plane, management plane, and data plane
- VPN Connectivity:
- IPsec overview
- Site-to-site IPsec VPN using public key infrastructure and digital certificates for authentication
- Virtual tunnel interfaces
- GRE over IPsec
- High-availability VPN options
- Dynamic Multipoint VPN
- Group Encryption Transport VPN
- Cisco IOS SSL VPN (WebVPN)
- Easy VPN Server, Remote, and Client for Remote Access IPsec VPN
- Protect your network with Cisco IOS Classic Firewall and Cisco IOS Zone-Based Policy Firewall
- Defend against threats on your network using IOS Intrusion Prevention Systems
Course Outline
1. Network Platform Security with Switches
- Configuring Advanced Layer 2 Security
- Introducing Cisco IBNS
- Implementing Basic 802.1x Authentication
- Configuring Advanced 802.1x Authentication and Authorization
2. Network Platform Security with Routers
- Examining the Cisco Network Foundation Protection Strategy
- Securing the Control Plane
- Securing the Management Plane
- Securing the Data Plane
3. Secure Site-to-Site Communications
- Examining VPN and IPsec Fundamentals
- Implementing IPsec VPNs with PKI
- Implementing GRE over IPsec
- Configuring High-Availability VPNs and VTI
- Implementing DMVPN
- Implementing GET VPN
4. Secure Remote Access Communications
- Implementing Cisco IOS Remote Access using Cisco Easy VPN
- Examining a Cisco IOS SSL VPN
5. Threat Control and Containment
- Configuring NAT and PAT
- Configuring a Cisco IOS Classic Firewall
- Configuring a Cisco IOS Zone-Based Policy Firewall
- Configuring Cisco IOS IPS
Labs
Lab 1: Advanced Layer 2 Security
- Configure and Verify Private VLAN Edge
- Mitigate Private VLAN Edge Router Proxy Attacks
- Configure and Verify DHCP Snooping
Lab 2: Layer 2 AAA with 802.1x
- Configure RADIUS between the L3-Switch and ACS
- Configure and Test Basic 802.1x Authentication
- Configure and Test 802.1x Restricted VLAN
- Configure and Test 802.1x Guest VLAN
- Configure and Test 802.1x MAC Authentication Bypass
- Install and Configure the Cisco Secure Services Client
- Configure and Test 802.1x Dynamic VLAN Assignment
Lab 3: Cisco Network Foundation Protection
- OSPF with Authentication
- Configure SNMP Version 3
- Configure and Monitor NetFlow with SDM
Lab 4: Site-To-Site VPN with PKI
- Assign the SSL Trustpoint for SDM
- Enroll the IOS-FW with the CA Server via SDM
- Configure the IOS-FW for the VPN via SDM
- Test and Verify the VPN
Lab 5: IPsec Redundancy using GRE
- Understand the Scenario
- Configure IPsec over GRE via SDM on the IOS-FW
Lab 6: DMVPN
- Prepare Site1
- Test Connectivity and Adjust the Configuration
Lab 7: GET VPN
- Configure and Verify the First Group Member
- Verify GETVPN Traffic
Lab 8: Cisco Easy VPN
- Easy VPN Server Wizard
- Examine the Configuration
- Prepare the VPN Client
- Test the Remote Access VPN
- Easy VPN Remote Hardware Client
- Monitor Remote Access VPN Connections with SDM
Lab 9: IOS SSL VPN
- Configure RADIUS Support
- Configure Clientless SSL VPN Access
- Configure and Test Port Forwarding
- Configure and Test the Full Tunnel SSL VPN Client
- Configure and Test the Cisco Secure Desktop
Lab 10: IOS Classic Firewall
- Prepare the IOS-FW for IOS Classic Firewall
- Execute the SDM Advanced Firewall Wizard
- Verify Expected Connectivity
- Verify Expected Protections
Lab 11: IOS Zone-Based Policy Firewall
- Basic Firewall Wizard
- Implement the DMZ Inbound
- Implement the DMZ to Inside
- Static URL Filtering
- HTTP Application Inspection
Lab 12: IOS IPS
- IOS IPS Wizard
- Signature Definitions
- IPS Manager Express
- Event Action Filters
Labs
Enhanced Labs:
We have enhanced our SNRS v3.0 hands-on labs beyond what you'll find in a standard Cisco SNRS v3.0 course, providing more realistic and robust scenarios. The root of our enhancements lies in the topology that we provide. The standard Cisco SNRS v3.0 labs provide a very simple topology based on the ICND topology that includes a single switch and a single router per pod with two PC instances - a setup that works well for covering associate-level routing and switching concepts. The motivation for Cisco's topology is compatibility with their standard IINS and ICND topologies.
More appropriate for professional-level security training, our SNRS v3.0 topology combines our standard FSA topology with a router supplement. Each SNRS v3.0 pod has four routers, two switches, and ten PC instances. The topology provides a main site with an internal network with multiple subnets and a DMZ for public services, along with two remote site networks and a simulated Internet. PC systems are strategically placed in the topology, and services such as DNS, SMTP, FTP and HTTP are configured realistically.
GUI vs. CLI
While standard SNRS training has moved away from a command-line interface (CLI) focus towards a graphical user interface (GUI) focus, our Security labs include both. Many of the operations in our labs are performed from the Security Device Manager GUI, and you will use the Command Preview and document all commands that are delivered by the GUI. Our enhanced topology allows our labs to include configuring the routers at both sides of VPN tunnels. Generally, you will configure one peer via the GUI and the other peer via the CLI. At the end of each lab, you'll receive the complete configuration with the relevant commands highlighted, providing a handy tool for lab verification and for long-term reference.
Pros and cons exist for both the GUI and the CLI. In today's world, engineers must have experience with both interfaces, and ours is the only lab environment where you'll find them.
Lab 1: Advanced Layer 2 Security
In this lab you will configure and verify several advanced Layer 2 security features. You will control which IP packets are allowed to traverse particular switch ports using Port ACLs and which IP packets are allowed to traverse particular VLANs using VLAN ACLs. You will demonstrate the use of Private VLAN Edge to prevent intra-VLAN communication between protected ports and to mitigate using a router on a trusted port in an attempt to break the Private VLAN Edge policy. You will also configure and demonstrate the use of other advanced Layer 2 security technologies, including DHCP Snooping, Dynamic ARP Inspection, and IP Source Guard. For each of these technologies, you will observe the behavior before the technology is configured, apply the configuration, and verify the results.
- Exclusive - Configure and Verify a Port ACL
- Exclusive - Configure and Verify a VLAN ACL
- Configure and Verify Private VLAN Edge
- Mitigate Private VLAN Edge Router Proxy Attacks
- Configure and Verify DHCP Snooping
- Exclusive - Configure and Verify Dynamic ARP Inspection
- Exclusive - Configure and Verify IP Source Guard
- Exclusive - Verify the Switch Configuration
Lab 2: Layer 2 AAA with 802.1x
In this lab you will work with various 802.1x features on the L3-Switch, involving configuration on the L3-Switch, the AAA server (Cisco Secure Access Control Server), and on the client PC. You will start with simply configuring 802.1x authentication, which denies access to the Layer 2 network until a valid user authenticates. You will then work with the restricted VLAN, to which users who do not have valid credentials are assigned. Next you will work with guest VLAN, which is assigned to systems without an 802.1x supplicant. You will also configure MAC Authentication Bypass, which recognizes authorized systems without a supplicant by their MAC address. As a final procedure, you will enable 802.1x authorization and provide dynamic VLAN assignments based on the user who logs in.
- Configure RADIUS between the L3-Switch and ACS
- Configure and Test Basic 802.1x Authentication
- Configure and Test 802.1x Restricted VLAN
- Configure and Test 802.1x Guest VLAN
- Configure and Test 802.1x MAC Authentication Bypass
- Install and Configure the Cisco Secure Services Client
- Configure and Test 802.1x Dynamic VLAN Assignment
- Exclusive - Verify the Switch Configuration
Lab 3: Cisco Network Foundation Protection
In this lab you will work with various elements of Cisco's Network Foundation Protection (NFP), including route authentication. The NFP features protect the router's control plane, management plane, and data plane. EIGRP with route authentication is configured in the initial configurations of this lab. You will first review the configuration of EIGRP with route authentication, and then you will migrate to OSPF with route authentication. For management plane protection, you will configure SNMP version 3, which provides privacy, origin authentication, and data integrity between the SNMP v3 managed device and the management server. You will configure SNMP v3, and you will use an SNMP management application to demonstrate MIB browsing using SNMP v3. For data plane protection you will configure NetFlow to track TCP and UDP sessions through the IOS-FW. You will configure NetFlow for real-time analysis with SDM, and you will configure NetFlow for export to a NetFlow collection service, which is useful for historical auditing and trend analysis.
- Exclusive - Review EIGRP with Authentication
- OSPF with Authentication
- Configure SNMP Version 3
- Exclusive - Monitoring Using SNMP Version 3
- Configure and Monitor NetFlow with SDM
- Exclusive - Configure NetFlow Export to a NetFlow Collector
- Exclusive - Verify the Router Configuration
Lab 4: Site-To-Site VPN with PKI
In this lab you will configure Site-to-Site VPN using Public Key Infrastructure. That is, you will configure site-to-site IPsec VPN using digital identity certificates for peer authentication. The certificate server is an IOS Certificate Authority, which you will configure on the Internet Router. You will enroll both the IOS-FW and the Site1-Rtr with the certificate server. Once both of the peer routers have identity certificates signed by the certificate server, you will configure the IPsec VPN. In general, the configurations performed on the IOS-FW will be done with SDM and those done on the Site1-Rtr will be performed from the CLI, providing experience with both configuration interfaces. After configuration, you will verify the operation of the VPN.
- Exclusive - Configure IOS PKI Server on the Internet Router
- Assign the SSL Trustpoint for SDM
- Enroll the IOS-FW with the CA Server via SDM
- Configure the IOS-FW for the VPN via SDM
- Exclusive - Enroll the Site1 Router with the CA Server via the CLI
- Exclusive - Configure the Site1 Router for the VPN via the CLI
- Test and Verify the VPN
- Exclusive - Verify the Router Configurations
Lab 5: IPsec Redundancy using GRE
In this lab you will work with some ways to add resiliency to site-to-site VPN connectivity. You will modify the topology from the standard SNRS topology by merging the two remote sites into one site with two routers. You will then configure HSRP between the two routers, so hosts at the remote site will always perceive that their default gateway is up as long as at least one of the two routers is up. You will then configure two IPsec over GRE tunnels between the main site and the merged remote site and run EIGRP as a routing protocol. In general, configuration on the IOS-FW will be performed using SDM and configuration of the remote routers will be done using the CLI. You will verify the behavior of the system under its normal state, and then you will verify resiliency in the system.
- Understand the Scenario
- Exclusive - Configure HSRP at the Remote Site
- Configure IPsec over GRE via SDM on the IOS-FW
- Exclusive - Configure IPsec Over GRE via the CLI on the Site1 Router
- Exclusive - Configure the Site2 Router via TFTP
- Exclusive - Verify and Tune the Configurations
- Exclusive - Verify Resiliency
- Exclusive - Verify the Router Configurations
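The remote-site half of this scenario as an added IOS CLI example (not the course's lab configuration): one of the two remote routers with its GRE over IPsec tunnel, HSRP that yields to the other router when the main site becomes unreachable, and EIGRP over the tunnel; then the hub with its two tunnels. Addresses (hub 192.0.2.1, remote routers 198.51.100.2 and 198.51.100.3, remote LAN 10.2.2.0/24, main LAN 10.0.1.0/24), keys and names are assumptions.

```cisco
! --- Site1-Rtr (remote site, preferred HSRP router); Site2-Rtr mirrors this
!     with its own addresses and "standby 1 priority 100" ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key Site1-PSK address 192.0.2.1
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set AES-SHA
interface Tunnel0
 ip address 10.255.1.2 255.255.255.252
 ! GRE plus ESP overhead: avoid fragmentation of tunnelled TCP
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile GRE-PROT
! track the EIGRP route to the main LAN rather than the tunnel interface:
! the tunnel line protocol stays up even when the hub is silent
track 1 ip route 10.0.1.0 255.255.255.0 reachability
interface FastEthernet0/1
 ip address 10.2.2.2 255.255.255.0
 standby 1 ip 10.2.2.1
 standby 1 priority 110
 standby 1 preempt
 ! lose 20 priority when the main site is no longer reachable through this
 ! router, so the peer (priority 100) takes the virtual gateway
 standby 1 track 1 decrement 20
router eigrp 100
 network 10.0.0.0
 no auto-summary

! --- IOS-FW (hub): one tunnel per remote router; same isakmp policy,
!     transform set and profile as above ---
crypto isakmp key Site1-PSK address 198.51.100.2
crypto isakmp key Site2-PSK address 198.51.100.3
interface Tunnel1
 ip address 10.255.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.2
 ! "shared" is required when several point-to-point tunnels use the same
 ! tunnel source and the same IPsec profile
 tunnel protection ipsec profile GRE-PROT shared
interface Tunnel2
 ip address 10.255.2.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.3
 tunnel protection ipsec profile GRE-PROT shared
router eigrp 100
 network 10.0.0.0
 no auto-summary
! show standby brief ; show track ; show ip eigrp neighbors
! show crypto session      - two sessions on the hub, one per remote router
```

To test resiliency, shut the outside interface of the active router and watch `show track` flip to "Down" and `show standby brief` move the Active role to the other router, while the hub's EIGRP topology still holds the remote LAN through the surviving tunnel.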
Lab 6: DMVPN
In this lab you will configure a dynamic full-mesh Dynamic Multipoint VPN (DMVPN). The IOS-FW will be configured as the hub and the Site1-Rtr and Site2-Rtr will each be configured as a spoke. As you configure components, you will test component function and adjust configurations as necessary. In the end, you will have persistent GRE over IPsec VPN tunnels from each remote site to the IOS-FW. When Site1-to-Site2 connectivity is required, NHRP resolves the other spoke's public address and a dynamic spoke-to-spoke GRE over IPsec VPN tunnel is established.
- Exclusive - Prepare the Hub Site
- Prepare Site1
- Test Connectivity and Adjust the Configuration
- Exclusive - Prepare Site2
- Exclusive - Test and Verify the Multi-Site DMVPN Connectivity
- Exclusive - Verify the Router Configurations
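A hub and one spoke for this lab, as an added IOS CLI example (not the course's lab configuration). It uses multipoint GRE on the spokes and EIGRP with split horizon and next-hop-self disabled on the hub, which is what lets a Site1-to-Site2 packet trigger the dynamic spoke-to-spoke tunnel. The hub's public address 192.0.2.1, the tunnel subnet 10.255.0.0/24, the pre-shared key and all names are assumptions.

```cisco
! --- IOS-FW (hub, assumed public address 192.0.2.1) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! a wildcard PSK is lab convenience: any host that knows it can join the
! cloud; use per-peer keys or the certificates from Lab 4 outside the lab
crypto isakmp key DMVPN-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set AES-SHA
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! the NHRP "authentication" string travels in clear; it only keeps
 ! mis-configured clouds apart, IPsec is what authenticates the peers
 ip nhrp authentication SNRS
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ! re-advertise spoke routes to other spokes with the originating spoke as
 ! next hop, so a spoke-to-spoke packet triggers an NHRP resolution
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
router eigrp 100
 network 10.0.0.0
 no auto-summary

! --- Site1-Rtr (spoke); Site2-Rtr is the same apart from its tunnel address ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key DMVPN-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set AES-SHA
interface Tunnel0
 ip address 10.255.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication SNRS
 ! static mapping to the hub only; other spokes are resolved on demand
 ip nhrp map 10.255.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp network-id 1
 ip nhrp nhs 10.255.0.1
 tunnel source FastEthernet0/0
 ! multipoint GRE on the spoke is what allows the dynamic spoke-to-spoke tunnel
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
router eigrp 100
 network 10.0.0.0
 no auto-summary
! show dmvpn        - the hub entry is static (S); after a Site1-to-Site2 ping a
!                     dynamic (D) entry for the other spoke appears
! show ip nhrp ; show crypto session
```

The check that the lab's "test connectivity and adjust" step is looking for: a traceroute from a Site1 host to a Site2 host must not pass through 10.255.0.1 once the spoke-to-spoke tunnel is up. If it keeps transiting the hub, the usual cause is `ip next-hop-self` still in effect on the hub's tunnel.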
Lab 7: GET VPN
In this lab you will configure GETVPN in the pod network. You will first remove NAT configurations and configure EIGRP throughout the pod network to simulate a large private network (for simplicity, topology and subnet assignments will not be changed). The goal is to have GETVPN provide protection of all traffic between 10.0.0.0/8 subnets as well as multicast traffic sourced from 10.0.0.0/8 subnets. You will configure the Perimeter Router as the GDOI Key Server. You will configure the IOS-FW, Site1-Rtr, and Site2-Rtr as GDOI Group Members. You will configure the IOS-FW from scratch, though you will use copy/paste to speed up the configuration of the Site1 and Site2 Routers. As you configure elements, you will use show commands to verify configuration. Once all the elements are configured, you will verify the operation of GETVPN.
- Exclusive - Understand the Scenario
- Exclusive - Configure EIGRP
- Exclusive - Remove NAT Configuration
- Exclusive - Configure the Key Server
- Configure and Verify the First Group Member
- Exclusive - Configure the Other Group Members
- Exclusive - Verify GETVPN from the Key Server
- Verify GETVPN Traffic
- Exclusive - Verify the Router Configurations
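The key server and a group member as an added IOS CLI example (not the course's lab configuration). The point to notice is the policy ACL: GET VPN pushes it to every member, so the control traffic the group itself depends on (GDOI registration and rekey, IKE, EIGRP) has to be excluded explicitly or the members encrypt the very packets they need in clear. The key server address 10.0.0.1, the group identity 1234, the key and all names are assumptions.

```cisco
! --- Perimeter Router: GDOI key server (assumed address 10.0.0.1) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! members register from anywhere inside the flat 10/8 lab network
crypto isakmp key GET-PSK address 10.0.0.0 255.0.0.0
! this RSA key signs rekey messages; members verify them with the public half
crypto key generate rsa general-keys label GET-REKEY modulus 2048 exportable
crypto ipsec transform-set GET-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile GET-PROF
 set transform-set GET-TS
! policy pushed to all members: 10/8 to 10/8 plus multicast sourced from 10/8,
! minus the control traffic the group needs to keep working
ip access-list extended GET-TRAFFIC
 deny udp any eq 848 any eq 848
 deny udp any eq isakmp any eq isakmp
 deny eigrp any any
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 224.0.0.0 15.255.255.255
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey authentication mypubkey rsa GET-REKEY
  rekey retransmit 10 number 2
  rekey transport unicast
  sa ipsec 1
   profile GET-PROF
   match address ipv4 GET-TRAFFIC
   ! time-based anti-replay: members share one SA, so sequence numbers
   ! cannot be used as with point-to-point IPsec
   replay time window-size 5
  address ipv4 10.0.0.1
! show crypto gdoi ks members ; show crypto gdoi ks policy

! --- IOS-FW, Site1-Rtr, Site2-Rtr: group members ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key GET-PSK address 10.0.0.1
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.0.0.1
crypto map GET-MAP 10 gdoi
 set group GETVPN
! the map goes on the interface facing the private core; there is no tunnel
interface FastEthernet0/0
 crypto map GET-MAP
! show crypto gdoi          - "Registration status : Registered", current TEK/KEK
! show crypto gdoi gm acl   - the policy the key server handed down
```

Verify from the key server with `show crypto gdoi ks members`, which lists each registered member, and from a member with `show crypto ipsec sa` while pinging between 10/8 subnets: the encaps counters should climb on both the sending and the receiving member, and an EIGRP neighbor should stay up because its packets were excluded from the policy.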
Lab 8: Cisco Easy VPN
In this lab you will use the Easy VPN Server Wizard in SDM to configure the IOS-FW to accept connections from VPN clients, and you will analyze the configuration. You will configure the Cisco VPN Client software on the Outside PC. After configuration, you will be able to use the VPN Client on the Outside PC to gain secure access to resources on the internal networks. You will then apply and test a filter on the dynamic virtual tunnel interface (DVTI) used for Easy VPN, preventing normal VPN users from reaching the management subnet. After working with the software Cisco Easy VPN Client, you will move to the Cisco Easy VPN Remote features included in the IOS. You will define a new profile for hardware client access on the IOS-FW and you will configure the Site1-Rtr as an Easy VPN Remote. After this, there will be connectivity between Site1 and the main site. You will also experiment with Network Extension Mode and extended authentication (Xauth) options on the Site1-Rtr.
- Easy VPN Server Wizard
- Examine the Configuration
- Prepare the VPN Client
- Test the Remote Access VPN
- Exclusive - Apply a Filter to a DVTI
- Easy VPN Remote Hardware Client
- Exclusive - Interactive Authentication for Hardware Clients
- Exclusive - Network Extension Mode
- Monitor Remote Access VPN Connections with SDM
- Exclusive - Verify the Router Configuration
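The server side and the hardware-client side of this lab as an added IOS CLI example (not the course's lab configuration or the SDM wizard's output). The server terminates clients on a virtual template, so the filter that keeps VPN users away from the management subnet is applied once to the template and cloned onto every virtual-access interface. The IOS-FW address 192.0.2.1, the pool 10.9.9.0/24, the management subnet 10.0.99.0/24, the group keys, the user and all names are assumptions.

```cisco
! --- IOS-FW: Easy VPN Server on a dynamic virtual tunnel interface (DVTI) ---
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUPS local
username vpnuser secret Us3r-Passw0rd
ip local pool EZVPN-POOL 10.9.9.1 10.9.9.254
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 ! group 2 is the DH group the classic Cisco VPN Client negotiates
 group 2
! software-client group: addresses from the pool, split tunnel for 10/8 only
ip access-list extended SPLIT-TUNNEL
 permit ip 10.0.0.0 0.255.255.255 any
crypto isakmp client configuration group EZVPN-USERS
 key Us3rGroupKey
 pool EZVPN-POOL
 acl SPLIT-TUNNEL
! hardware-client group for the Site1-Rtr (network extension mode: no pool)
crypto isakmp client configuration group EZVPN-HW
 key HwGroupKey
crypto isakmp profile EZVPN-PROF
 match identity group EZVPN-USERS
 match identity group EZVPN-HW
 client authentication list EZVPN-XAUTH
 isakmp authorization list EZVPN-GROUPS
 client configuration address respond
 virtual-template 1
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
crypto ipsec profile EZVPN-IPSEC
 set transform-set AES-SHA
 set isakmp-profile EZVPN-PROF
! filter applied on the template is inherited by each Virtual-Access interface:
! traffic arriving from the VPN may not reach the management subnet
ip access-list extended VPN-USER-FILTER
 deny ip any 10.0.99.0 0.0.0.255 log
 permit ip any any
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/1
 ip access-group VPN-USER-FILTER in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC
! show crypto session ; show ip interface brief | include Virtual-Access

! --- Site1-Rtr: Easy VPN Remote (hardware client), network extension mode ---
crypto ipsec client ezvpn SNRS-HW
 connect auto
 group EZVPN-HW key HwGroupKey
 ! network-extension keeps the Site1 LAN addressing visible to the main site
 mode network-extension
 peer 192.0.2.1
 ! prompt for the Xauth credentials instead of storing them in the config
 xauth userid mode interactive
interface FastEthernet0/0
 crypto ipsec client ezvpn SNRS-HW outside
interface FastEthernet0/1
 crypto ipsec client ezvpn SNRS-HW inside
! crypto ipsec client ezvpn xauth   - supply the credentials when prompted
! show crypto ipsec client ezvpn    - "IPSEC ACTIVE" once the tunnel is up
```

Test the filter from a connected VPN Client: a ping to a host in the management subnet must fail and produce a log entry from the `deny ... log` line, while a ping to the ordinary internal subnets succeeds. Note that the group key is a shared secret known to every client in that group; Xauth is what ties the session to an individual user.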
Lab 9: IOS SSL VPN
In this lab you will work with the features provided by IOS SSL VPN. You will start by configuring RADIUS support on the IOS-FW. Using RADIUS, the IOS-FW will use Cisco Secure ACS for AAA. Cisco Secure ACS itself is configured to use Active Directory for user authentication. You will then use SDM's SSL VPN Wizard to enable clientless SSL VPN access. Once the basics of clientless SSL VPN have been configured and tested, you will move on to configuring and demonstrating the "thin client" capability, which uses a Java applet to provide port-forwarding functionality. You will then move on to configuring and testing the full-tunnel SSL VPN Client. You will finish this lab by configuring and testing the Cisco Secure Desktop.
- Configure RADIUS Support
- Configure Clientless SSL VPN Access
- Exclusive - Test Clientless SSL VPN Access
- Configure and Test Port Forwarding
- Configure and Test the Full Tunnel SSL VPN Client
- Configure and Test the Cisco Secure Desktop
- Exclusive - Verify the Router Configuration
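The four access modes of this lab on one gateway and context, as an added IOS CLI example (not the course's lab configuration or the SDM wizard's output). The RADIUS server address 10.0.99.10, the shared secret, the package file names under flash:, the internal server addresses, the pool and all names are assumptions; the `ssl trustpoint` refers to the trustpoint enrolled in Lab 4.

```cisco
! --- IOS-FW: AAA via RADIUS to Cisco Secure ACS (assumed at 10.0.99.10) ---
aaa new-model
radius-server host 10.0.99.10 auth-port 1812 acct-port 1813 key Radius-Secret
! "local" is a fallback for when ACS is unreachable; drop it once RADIUS is proven
aaa authentication login SSLVPN-AUTH group radius local
ip local pool SSLVPN-POOL 10.8.8.1 10.8.8.254
! --- gateway: the TLS listener, presenting the Lab 4 certificate ---
webvpn gateway SNRS-GW
 ip address 192.0.2.1 port 443
 ssl trustpoint SNRS-CA
 inservice
! --- full-tunnel client and Cisco Secure Desktop images (file names assumed) ---
webvpn install svc flash:/webvpn/anyconnect.pkg
webvpn install csd flash:/webvpn/securedesktop.pkg
! --- context: bookmarks (clientless), port forwarding (thin client), full tunnel ---
webvpn context SNRS-CTX
 ssl authenticate verify all
 url-list "INTRANET"
  heading "Internal servers"
  url-text "Intranet web" url-value "http://10.0.1.20"
 port-forward "THIN-CLIENT"
  local-port 3389 remote-server "10.0.1.30" remote-port 3389 description "RDP to file server"
 policy group SNRS-POL
  url-list "INTRANET"
  port-forward "THIN-CLIENT"
  functions svc-enabled
  svc address-pool "SSLVPN-POOL"
  svc keep-client-installed
  ! only 10/8 goes through the tunnel; everything else stays local
  svc split include 10.0.0.0 255.0.0.0
 default-group-policy SNRS-POL
 aaa authentication list SSLVPN-AUTH
 gateway SNRS-GW
 ! Secure Desktop posture check runs before the login page is served
 csd enable
 inservice
! show webvpn session context SNRS-CTX ; show webvpn stats
```

The port-forwarding entry is worth reading carefully: the Java applet listens on `local-port` on the user's PC and relays to `remote-server:remote-port` through the TLS session, so the list of forwarded ports is the whole extent of what a thin-client user can reach. Split tunnelling with `svc split include` means the user's other traffic is not inspected by the IOS-FW; omit it if the policy requires all client traffic to pass through the firewall.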
Lab 10: IOS Classic Firewall
In this lab you will explore the use of IOS Classic Firewall. Before configuring the firewall, you will demonstrate the misuse of TCP port 80: you will use TCP port 80 to transport non-HTTP connections as well as applications tunneled inside what appears to be RFC-compliant HTTP. You will then use the SDM Firewall Wizard to configure IOS Classic Firewall. You will test the expected connectivity based on destination ports, and you will demonstrate the IOS Classic Firewall's ability to perform application-layer inspection on TCP port 80. You will finish by maintaining the firewall configuration without the wizard, as you configure and verify the firewall to handle SMTP as appropriate for the lab topology.
- Exclusive - Demonstrate Tunneling Applications
- Prepare the IOS-FW for IOS Classic Firewall
- Execute the SDM Advanced Firewall Wizard
- Verify Expected Connectivity
- Verify Expected Protections
- Exclusive - Block the HTTP Tunnel
- Exclusive - Update Firewall Policy and Verify Results
- Exclusive - Verify the Router Configuration
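A Classic Firewall configuration for this lab as an added IOS CLI example (not the course's lab configuration or the wizard's output). The application-layer part is the IOS application firewall policy attached to the inspection rule: it resets port-80 sessions that are not well-formed HTTP and HTTP requests that carry tunnelled, IM or P2P payloads, which is what the "Block the HTTP Tunnel" step needs. Interface roles, the DMZ mail relay address 10.0.2.25, the inside subnet 10.0.1.0/24 and all names are assumptions.

```cisco
! --- IOS-FW: IOS Classic Firewall (CBAC) with application-layer checks on TCP/80 ---
! application firewall policy for HTTP: enforce the protocol, reset and log misuse
appfw policy-name HTTP-POLICY
 application http
  strict-http action reset alarm
  port-misuse tunneling action reset alarm
  port-misuse im action reset alarm
  port-misuse p2p action reset alarm
  port-misuse default action reset alarm
! inspection rule for sessions initiated from the inside; "http" inspection is
! what hands port-80 sessions to the appfw policy, so both lines are needed
ip inspect name OUTBOUND appfw HTTP-POLICY
ip inspect name OUTBOUND http
ip inspect name OUTBOUND smtp
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
! inspection rule for the SMTP the outside is allowed to send to the DMZ relay;
! smtp inspection also checks the command set, not only the port
ip inspect name INBOUND-SMTP smtp
! outside interface: statically permit only SMTP to the relay; return traffic for
! inspected sessions is inserted dynamically ahead of the final deny
ip access-list extended OUTSIDE-IN
 permit tcp any host 10.0.2.25 eq smtp
 deny ip any any log
! DMZ interface: the relay may send mail out, nothing from the DMZ reaches inside
ip access-list extended DMZ-IN
 deny ip any 10.0.1.0 0.0.0.255 log
 permit tcp host 10.0.2.25 any eq smtp
 deny ip any any log
interface FastEthernet0/1
 description Inside
 ip inspect OUTBOUND in
interface FastEthernet0/0
 description Outside
 ip access-group OUTSIDE-IN in
 ip inspect INBOUND-SMTP in
interface FastEthernet1/0
 description DMZ
 ip access-group DMZ-IN in
! show ip inspect sessions ; show ip inspect config ; show appfw configuration
```

The verification that matters for the tunnelling step: re-run the port-80 misuse from the inside after the policy is in place and confirm the session is reset and an `APPFW` syslog message names the policy, while an ordinary browser session to an outside web server still completes and shows up in `show ip inspect sessions`.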
Lab 11: IOS Zone-Based Policy Firewall
In this lab you will configure the Zone-Based Firewall (ZBF) feature on the IOS-FW using SDM. You will also demonstrate how the stateful nature of ZBF mitigates attacks. The SDM firewall wizards are not very flexible. You will use the Basic Firewall wizard to start, and you will explore the type of configuration put in place by the wizard. You will then use SDM to configure other ZBF policies from scratch.
- Basic Firewall Wizard
- Implement the DMZ Inbound
- Implement the DMZ to Inside
- Exclusive - Demonstrate Attack Mitigation
- Static URL Filtering
- HTTP Application Inspection
- Exclusive - Verify the Router Configuration
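The same three-zone design built with the Zone-Based Policy Firewall, as an added IOS CLI example (not the course's lab configuration or the SDM wizard's output). It covers what the wizard does not do well: a parameter map that caps half-open sessions for the attack-mitigation step, a separate outside-to-DMZ policy, and a layer 7 HTTP policy nested inside the inside-to-outside policy. Interface roles, the DMZ mail server 10.0.2.25 and all names are assumptions.

```cisco
! --- IOS-FW: zones and interface membership ---
zone security INSIDE
zone security OUTSIDE
zone security DMZ
interface FastEthernet0/1
 zone-member security INSIDE
interface FastEthernet0/0
 zone-member security OUTSIDE
interface FastEthernet1/0
 zone-member security DMZ
! --- half-open session limits used in the attack-mitigation step ---
parameter-map type inspect SYN-LIMITS
 max-incomplete high 500
 max-incomplete low 400
 tcp synwait-time 10
! --- layer 7 HTTP policy: reset port-80 sessions that are not real HTTP ---
class-map type inspect http match-any HTTP-MISUSE
 match request port-misuse any
 match req-resp protocol-violation
policy-map type inspect http HTTP-L7
 class type inspect http HTTP-MISUSE
  reset
  log
! --- inside to outside: HTTP gets the L7 policy, a few others plain inspection ---
class-map type inspect match-all IN-OUT-HTTP
 match protocol http
class-map type inspect match-any IN-OUT-OTHER
 match protocol https
 match protocol dns
 match protocol icmp
policy-map type inspect IN-OUT
 class type inspect IN-OUT-HTTP
  inspect SYN-LIMITS
  service-policy http HTTP-L7
 class type inspect IN-OUT-OTHER
  inspect SYN-LIMITS
 class class-default
  drop log
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-OUT
! --- outside to DMZ: only SMTP, and only to the mail server ---
ip access-list extended DMZ-MAIL
 permit ip any host 10.0.2.25
class-map type inspect match-all OUT-DMZ-SMTP
 match access-group name DMZ-MAIL
 match protocol smtp
policy-map type inspect OUT-DMZ
 class type inspect OUT-DMZ-SMTP
  inspect SYN-LIMITS
 class class-default
  drop log
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUT-DMZ
! --- DMZ to inside: no zone-pair, so traffic between those zones is dropped ---
! show policy-map type inspect zone-pair sessions
! show zone-pair security
```

Two behaviours to check explicitly, because they differ from the Classic Firewall: traffic between two interfaces in the same zone is permitted without any policy, and traffic between two zones with no zone-pair is silently dropped, including return traffic, which is why the return path never needs an ACL. The `match-all` on `OUT-DMZ-SMTP` is deliberate: with `match-any`, the ACL line alone would admit every protocol to the mail server.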
Lab 12: IOS IPS
In this lab you will use SDM to install and configure IOS IPS on the IOS-FW. You will use the SDM IPS Wizard to accomplish the initial setup of IOS IPS. Attacks are often obfuscated in an attempt to evade detection; after setting up IPS, you will demonstrate the IOS IPS ability to deobfuscate such attempts. You will use Cisco's IPS Manager Express (IME) to monitor and report on events from IOS IPS as you launch a number of attacks on your network. From a tuning standpoint, you will work with three options: first, you will see how to modify Signature Actions from their default values; second, you will implement an Event Action Override to add a specific action to every signature whose event reaches a chosen Risk Rating; and third, you will configure an Event Action Filter to suppress actions for events involving a specific system, so that its traffic (for example, that of an authorized scanner) is not acted on by the IOS IPS.
- IOS IPS Wizard
- Exclusive - Deobfuscation
- Signature Definitions
- IPS Manager Express
- Exclusive - Signature Actions
- Exclusive - Custom Signatures
- Exclusive - Event Action Overrides
- Event Action Filters
- Exclusive - Verify the Router Configuration
Classroom Dates and Locations
| Date | Location |
| --- | --- |
| Aug 31 - Sep 4, 2009 | Washington, DC |
| Aug 31 - Sep 4, 2009 | Dallas, TX |
| Sep 14 - 18, 2009 | Toronto, ON |
| Sep 21 - 25, 2009 | New York, NY |
| Sep 28 - Oct 2, 2009 | Montreal, QC |
| Oct 19 - 23, 2009 | Atlanta, GA |
| Nov 2 - 6, 2009 | Vancouver, BC |
| Nov 16 - 20, 2009 | Raleigh, NC |
| Nov 30 - Dec 4, 2009 | Dallas, TX |
| Nov 30 - Dec 4, 2009 | Ottawa, ON |
| Dec 14 - 18, 2009 | Chicago (Schaumburg), IL |
| Dec 14 - 18, 2009 | Toronto, ON |
| Jan 4 - 8, 2010 | San Jose, CA |
| Jan 18 - 22, 2010 | New York, NY |
| Feb 15 - 19, 2010 | Atlanta, GA |
| Mar 1 - 5, 2010 | Dallas, TX |
| Mar 8 - 12, 2010 | Washington, DC |
| Mar 15 - 19, 2010 | Chicago (Schaumburg), IL |
| Mar 29 - Apr 2, 2010 | Morristown, NJ |
Don’t see the location or date you need? No problem – just use our By Request service.