
Learn the fundamentals of IPsec VPN and set up a LAN-to-LAN tunnel using crypto maps, including phase one and phase two negotiations, Diffie-Hellman, pre-shared keys, and ACL-based traffic.
Explains GRE over IPsec by encrypting all traffic on the tunnel interface, contrasts tunnel mode and transport mode, and demonstrates applying an IPsec profile to secure packets.
Learn how to configure a native IPsec tunnel interface to connect sites, running IPsec as the tunnel protocol, enabling multicast routing and saving header overhead.
Learn how DMVPN uses a hub-and-spoke NHS with dynamic mappings to create scalable tunnels, plus phase-based configurations and IPsec encryption for secure, direct spoke-to-spoke routing.
GET VPN encrypts traffic on a private WAN with a central key server; phase one distributes session keys, transform sets, and ACLs, while phase two encrypts data, using unicast rekeying.
Explain virtual routing and forwarding (VRF) instances that isolate routing tables, assign interfaces to VRFs, and run protocols like OSPF within VRFs to enable VRF-aware VPNs and IPsec tunnels.
Learn how IKEv2 enhances phase one establishment for site-to-site VPN, with scalable IKEv2 proposals, flexible pre-shared key options, certificate support, and streamlined crypto map and profile configuration.
Explore Flex VPN for site-to-site connectivity with a dynamic public IP. See how to configure a dynamic virtual tunnel interface from a template with an unnumbered loopback and IPsec profiles.
Explore flex VPN hub-and-spoke design with a hub and spoke-to-spoke links via NHRP redirects. Implement dynamic tunnel interfaces, virtual templates, and address pools to push tunnel IPs to spokes.
Configure a LAN-to-LAN IPsec tunnel using certificates issued by a router acting as a certificate authority. Replace pre-shared keys with a public key infrastructure based solution, including enrollment and revocation.
Explore the Cisco ASA firewall, its default high-to-low traffic policy defined by security levels, and how to initialize interfaces with names, IPs, ACLs, and stateful inspection.
Explain ASA traffic flow, distinguishing 'to' vs 'through' traffic, and configure a firewall with outside, inside, and DMZ segments. Learn default flows, ICMP inspection, and inter-interface permits to control access.
Learn to enable management access on an ASA firewall, including inside Telnet from a permitted network, SSH with local AAA and RSA keys, and remote management via ASDM.
Explore static routing on the ASA, including syntax, exit interface, and default gateway, then configure dynamic routing with RIP and OSPF, plus redistribution and BGP.
Configure dynamic NAT with a public IP pool, observe translation tables map inside addresses to public ones, and compare static NAT and destination NAT using ACL order and DMZ scenarios.
Explains dynamic and static NAT and PAT on ASA, using a single public IP for many internal devices with port-based translation, plus policy NAT and DMZ port forwarding.
Explore ASA interface redundancy, including redundant interfaces and port channels, with pre-8.4 limitations, and practical lab steps for VLAN setup and EVE switch quirks.
Configure Cisco ASA in multi-context mode to create virtual firewalls, assign interfaces to sales and marketing contexts, and use admin and system contexts for remote management.
Explore how to implement ASA failover in active/standby mode with stateless replication, including failover LAN interfaces, config replication, keepalive, and role-based IP addressing.
Configure stateful failover by designating a failover link on the active device, which replicates configurations, session data, and VPNs to the standby, using the same interface or a dedicated link.
Learn how Cisco ASA supports active/active failover with a multi-context setup, using C1 and C2, shared interfaces, and context-specific MAC addresses to route traffic through primary and secondary units.
Explore ASA clustering, which offers active-active redundancy and load balancing by forming a single logical unit. Compare spanned port-channel mode with individual interface mode behind a router.
This lecture demonstrates configuring a site-to-site VPN between an ASA and a router, covering phase one and phase two crypto settings, transform sets, crypto maps, and enabling the outside interface.
Set up a LAN-to-LAN VPN from R4 to R6 through the firewall, configuring precise phase one and phase two entries with UDP 500 and 4500 and exact ACL rules.
Use ASDM to configure and manage AnyConnect VPN deployments and generate the required XML profile.
Learn to deploy WebVPN remote access using a browser client, SSL encryption, and proxy-based access to internal web, FTP, and file shares, with groups and port forwarding.
Configure remote access VPN with AnyConnect on the ASA, using a certificate-based server, XML profile files, address pools, and split tunneling to tailor traffic with access policies.
Define zones and assign router interfaces to outside, inside, and DMZ; implement zone-based firewall policies with class maps and zone-pair policies to control inside-outside and outside-DMZ traffic using stateful inspection.
Demonstrates initial FTD configuration and interface setup, including management connectivity, and deploying routing configurations (static, OSPF, RIP, BGP) via the FMC for centralized policy control.
Learn to configure NAT and ACP on FTD, including dynamic and static NAT, object-based and policy NAT, with inside, DMZ, outside interfaces and zone-based access control policies.
Explore intrusion prevention with signature-based detection, pre-created preset signature sets, and customizable IPS policies integrated into Firepower and access control policies.
Explore how email flows from client to mailbox, detailing SMTP, DNS resolution with MX and A records, and email filtering by the ESA's spam and malware checks.
Set up a basic e-mail workflow with a single SMTP server and mailbox, configure a Thunderbird client, and create DNS MX records to route mail between internal and external servers.
Initialize the ESA from the CLI, log in as admin with the ironport password, configure the management interface IP, enable https, and commit changes before mail flow resumes.
Configure the ESA GUI through the system setup wizard, license setup, and gateway and DNS settings, then define mail policies, enable relay, and validate delivery using logs and DNS records.
Create inbound and outbound content filters on the ESA to block messages containing specific words or sensitive data, then apply them via mail policies for data loss prevention.
Explore how a web proxy and web filtering appliance cache pages to speed access and enforce content filtering, using direct or transparent proxy and WCCP v2.
Initialize the WSA from the CLI, configure the management port and IP address, set the default gateway, and enable HTTP to HTTPS redirection to secure web access and policy filtering.
Configure the WSA via the graphical interface by logging in as admin, setting up DNS on the router, adjusting ports, and enabling malware scanning, then install the configuration.
Configure a WCCP v2 relationship between Router2 and the web cache server, defining a service ID and redirecting web traffic on ports 80 and 8000 with ACLs and inbound redirection.
Configure outbound web filtering by IP-based identities, create a sales network policy, and block categories such as adult, sports, social networking, and gambling; test shows ESPN blocked, CNN allowed.
Create custom categories to classify websites, build a sales whitelist to allow ESPN while blocking CNN with a blacklist, and apply explicit actions in access policies.
Learn how wireless networking works, from basic wireless LAN configuration to enterprise controller-based WLANs, including VLAN mapping, SSIDs, CAPWAP, and centralized versus local switching with WLCs.
Initialize the Cisco WLC from the CLI, configure DHCP for VLAN 150 with option 43, and set the trunk port for AP connectivity. Configure the management interface and country settings.
Configure a controller-based WLAN by creating virtual interfaces for VLANs, mapping SSIDs to VLANs, and enabling DHCP relay to route clients from sales VLAN 20 and marketing VLAN 30.
Configure the relationship between ISE and WLC using RADIUS, set up ISE authentication with WPA/WPA2, and map sales and marketing groups to VLANs 20 and 30 via authorization policies.
Configure 802.1x wireless authentication with ISE by creating sales and marketing groups, adding local users, and linking authorization profiles to policies that assign VLAN 20 or VLAN 30.
Demonstrates wired 802.1x authentication with ISE on a switch, dynamically assigning per-user VLANs (for sales or marketing) as users log in and moving the port accordingly.
Configure the relationship between the switch and the ISE RADIUS server to enable authentication, setting the switch IP and RADIUS credentials for ISE-based access control.
Configure wired dot1x authentication and VLAN assignment by creating identity groups and users (wired sales, wired market) and mapping them to VLAN 30 via authorization profiles and policies.
Configure wired ISE with a dACL: demonstrates creating a downloadable ACL tied to a wired profile, which applies VLAN and group-based permissions on a port after re-authentication.
Learn how to configure mac authentication bypass (MAB) using a MAC address in the identity database, including creating endpoint groups and profiles for devices such as Cisco IP phones.
Explore how ISE combines Cisco NAC features: dot1x profiling, posture validation, and centralized device administration. Authenticate, authorize, and account admins using TACACS+ or RADIUS, with AD integration options.
Set up TACACS+ authentication, authorization, and accounting with ISE, create authentication and exec/command authorization lists, and apply them to console and VTY lines.
Enable the device administration service on ISE, link the device via TACACS+, create groups and users with privilege level 15, and define policy elements and command sets for authorization.
The CCIE Security v5 Bootcamp is an in-depth course covering all the technologies required for the CCIE Security Lab Exam. The topics covered are:
1. VPNs
- Basic LAN-to-LAN VPNs [IPsec (Crypto Maps), GRE, GRE over IPsec, S-VTI]
- M-GRE
- DMVPN
- GET VPN
- IKEv2 VPNs
- Flex VPN
- VRF Aware VPNs
- Certificate Based VPNs
- ASA Based VPNs (LAN-2-LAN, VPNs through the ASA, Remote Access VPNs (WebVPN, AnyConnect))
2. Firewall
- ASA Firewall (Basic Initialization, Routing, NAT, Redundancy, Virtualization)
- Zone-Based Firewall (ZBF)
- FTD (Basic Initialization, Routing, NAT, ACP, IPS)
3. Content Filtering
- WSA (Basic Initialization - CLI, Basic Initialization - GUI, WCCP Relationship with Router, Access Policies)
- ESA (E-Mail Flow Overview, Basic Initialization - CLI, Basic Initialization - GUI, SMTP Relay Configuration, E-Mail Policies)
4. Wireless Networking
- Overview of Wireless Networking (Controller-Based Wireless)
- Networking configuration required for Wireless
- Basic Initialization of the WLC
- Basic Wireless LAN Setup
5. ISE Configuration
- Overview of ISE
- Wireless ISE (Dot1x Authentication)
- Wired ISE (Dot1x Authentication, MAB)
- Device Administration using ISE