Cisco Certified Internetwork Expert Security


Cisco Certified Internetwork Expert Security - Structured Learning Portal

Section 01 - Virtual Private Networks (VPNs)
1) IPSec LAN-to-LAN VPN using Crypto Maps
IPSec LAN-to-LAN VPN using Crypto Maps provides encrypted communication between two remote networks over the Internet. It covers ISAKMP (Internet Security Association and Key Management Protocol) / IKE Phase 1, which authenticates the two peers and builds the IKE SA that protects all further negotiation; IPSec Phase 2 (IKE quick mode), which negotiates the IPSec SAs that actually encrypt data traffic; transform sets, which define the ESP encryption and integrity algorithms; and ACL-based interesting-traffic selection, which identifies the packets that are sent through the tunnel. The crypto map ties peer, transform set and ACL together and is applied to the Internet-facing interface; the two sides must use mirror-image ACLs and matching Phase 1/Phase 2 proposals or the tunnel will not come up.
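One side of a crypto-map LAN-to-LAN tunnel, written here as an added example (it is not part of the course material). Router R1 at 203.0.113.1 protects 10.1.1.0/24 and peers with R2 at 198.51.100.2, which protects 10.2.2.0/24; all addresses, names and the key placeholder are assumptions chosen for illustration.

```cisco
! Added example (not course content): IPsec LAN-to-LAN with a crypto map, R1 side.
! Documentation addresses throughout; R2 mirrors this with the networks swapped.
! Replace the PSK with a long random string kept in a secret store.

! Phase 1 (ISAKMP/IKEv1 SA): encryption, integrity, authentication, DH group
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.2

! Phase 2 (IPsec SA): ESP with AES-256 and SHA-256 HMAC, tunnel mode
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel

! Interesting traffic: only LAN-to-LAN flows are encrypted; R2 uses the mirror image
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

! The crypto map binds peer, transform set and traffic selector together
crypto map CMAP-SITEB 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC

! Apply to the Internet-facing interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CMAP-SITEB

! Verification: Phase 1 should show QM_IDLE, then encaps/decaps counters grow
! show crypto isakmp sa
! show crypto ipsec sa
```

If the same interface also does NAT overload for Internet access, the NAT ACL must deny the 10.1.1.0/24 to 10.2.2.0/24 flow first; otherwise the source is translated before the crypto map sees it and the interesting-traffic ACL never matches.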
2) GRE Based VPN - Generic Routing Encapsulation
GRE-based VPN creates a virtual point-to-point tunnel between remote routers, allowing routing protocols, multicast and broadcast traffic to pass through the tunnel. GRE itself provides no confidentiality, integrity or authentication (the payload is carried in clear text with a 4-byte GRE header and a new 20-byte outer IP header), so it is almost always combined with IPSec for secure communication. The configuration includes the GRE tunnel interface, tunnel source and destination endpoints, routing between the remote networks over the tunnel, and optional IPSec protection for encrypted data transmission. A route to the tunnel destination must never point into the tunnel itself, or the interface flaps with recursive routing.
3) GRE Over IPSec - Tunnel Mode & Transport Mode
GRE over IPSec combines GRE tunneling with IPSec encryption to securely connect remote networks while supporting routing protocols, multicast and broadcast traffic. In Tunnel Mode the whole GRE packet (GRE delivery header, GRE header and inner packet) becomes the ESP payload and a new outer IP header is added, so each packet carries two outer IP headers. In Transport Mode ESP protects only the GRE header and inner packet and the original GRE delivery header is reused as the outer header, saving 20 bytes per packet. Because GRE already encapsulates the private addressing, the inner addresses are hidden in both modes; transport mode is therefore the common choice for GRE over IPSec, but it requires the GRE tunnel endpoints to be the same addresses as the IPSec peers. When they differ (for example, a NAT device between the peers), tunnel mode is required.
4) S-VTI - Tunnel Interface Based IPSec
Static Virtual Tunnel Interface (S-VTI) is a tunnel-interface-based IPSec VPN technology that simplifies VPN configuration by using a dedicated virtual tunnel interface instead of crypto maps. It supports point-to-point secure communication between remote sites, enables easier routing integration, and allows dynamic routing protocols to run directly over the encrypted tunnel. S-VTI provides better scalability, simplified management, and efficient IPSec tunnel deployment.
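The two tunnel styles from the GRE over IPSec and S-VTI items side by side, as an added example rather than course content: R1 reaches site B (198.51.100.2) with GRE over IPSec in transport mode and site C (198.51.100.6) with a static VTI. Addresses, interface names, the EIGRP process and the key placeholders are assumptions.

```cisco
! Added example (not course content): one IKEv1 policy protecting (a) a GRE
! tunnel in transport mode to site B and (b) a static VTI to site C.

crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK-B address 198.51.100.2
crypto isakmp key REPLACE-WITH-STRONG-PSK-C address 198.51.100.6

! (a) GRE over IPsec. Transport mode is enough because GRE already wraps the
! inner packet; reusing the GRE delivery header saves 20 bytes per packet.
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-GRE
 set transform-set TS-GRE
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile IPSEC-GRE
! ip mtu / adjust-mss absorb the GRE+ESP overhead so transit routers need
! not fragment; without them large TCP segments silently fail.

! (b) S-VTI. No GRE header at all, so IPsec tunnel mode is mandatory and the
! tunnel interface is switched to 'ipsec ipv4' mode.
crypto ipsec transform-set TS-VTI esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-VTI
 set transform-set TS-VTI
interface Tunnel1
 ip address 172.16.0.5 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VTI

! No crypto ACL on either tunnel: whatever is routed into Tunnel0/Tunnel1 is
! encrypted, so a routing protocol decides what crosses the VPN.
router eigrp 100
 network 172.16.0.0 0.0.0.255
 network 10.1.1.0 0.0.0.255
! The peers' public addresses must stay reachable via GigabitEthernet0/0, not
! via a tunnel, or the tunnels recurse and flap.

! Verify: show crypto session, show interface Tunnel0 | include line protocol
```

Only one of the two styles is normally deployed per peer; they are shown together to make the difference visible: the GRE tunnel needs `mode transport` and keeps its GRE header, the VTI needs `tunnel mode ipsec ipv4` and `mode tunnel` and carries IP directly in ESP.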
5) M-GRE
Multipoint GRE (M-GRE) is an advanced GRE tunneling technology that allows a single GRE tunnel interface to support multiple remote VPN peers dynamically. It eliminates the need to create separate point-to-point GRE tunnels for each branch, making it highly scalable for large networks. M-GRE is commonly used in DMVPN deployments and supports dynamic routing protocols, multicast, and efficient hub-and-spoke VPN architectures.
6) DMVPN Part 01
Dynamic Multipoint VPN (DMVPN) is a scalable VPN technology that combines Multipoint GRE (M-GRE), NHRP (Next Hop Resolution Protocol), and IPSec encryption to create secure communication between multiple remote sites. DMVPN allows dynamic tunnel creation between branch routers without requiring permanent point-to-point tunnels, reducing configuration complexity and improving scalability in hub-and-spoke or spoke-to-spoke network architectures.
7) DMVPN Part 02
DMVPN Part 02 covers the three DMVPN phases. Phase 1 is hub-and-spoke only: spokes use point-to-point GRE toward the hub and all spoke-to-spoke traffic transits the hub. Phase 2 puts mGRE on the spokes as well, so an NHRP resolution lets two spokes build a direct tunnel, but every spoke needs specific routes (with the remote spoke as next hop) for every other spoke, which rules out summarization at the hub. Phase 3 adds NHRP redirect on the hub and NHRP shortcut on the spokes: the hub can now advertise a summary or default route, and when a spoke forwards spoke-to-spoke traffic through the hub, the hub's redirect triggers a resolution that installs a shortcut to the remote spoke. The result is direct spoke-to-spoke connectivity, reduced latency and hub load, and routing tables that scale to large enterprise networks.
8) GET VPN
Group Encrypted Transport VPN (GET VPN) is a scalable IPSec-based VPN technology designed for secure communication across private WAN or MPLS networks without point-to-point tunnels. A centralized Key Server (KS) uses the GDOI protocol to distribute a single group policy and group key to all Group Members (GMs), so any GM can decrypt traffic from any other GM without a pairwise SA. Encrypted packets keep the original IP header (IPSec tunnel mode with header preservation), so the existing routing, multicast and QoS of the private WAN continue to work. Because every member shares the same key material, GET VPN is meant for trusted private transports such as MPLS, not for the public Internet, and rekey and anti-replay (time-based, TBAR) depend on accurate time on all members.
9) VRF Aware VPNs - Virtual Routing and Forwarding
VRF-Aware VPNs use Virtual Routing and Forwarding (VRF) technology to create multiple isolated routing instances on a single router, allowing secure separation of customer or departmental traffic over shared network infrastructure. When integrated with IPSec or MPLS VPNs, VRF-aware VPNs provide secure multi-tenant connectivity, overlapping IP address support, improved traffic isolation, and scalable enterprise or service provider VPN deployments.
10) IKEv2
IKEv2 (Internet Key Exchange version 2) is the key management protocol used to authenticate IPSec peers and establish, rekey and tear down IPSec security associations; it is not itself the data-plane VPN protocol. It improves on IKEv1 by setting up the first child SA in four messages, using a request/response model with acknowledgements and retransmissions (so dead peers and lost messages are handled reliably), building in NAT traversal and dead-peer detection, supporting EAP for user authentication and asymmetric authentication (for example, certificate on the hub and PSK or EAP on the spoke), and supporting mobility and multihoming (MOBIKE). IKEv2 is the basis for FlexVPN on IOS and for AnyConnect IKEv2 remote access, and is the recommended choice for new site-to-site and remote access VPNs.
11) Flex VPN - Site to Site using D-VTI & S-VTI
FlexVPN Site-to-Site is a modern IPSec VPN solution based on IKEv2 that supports scalable and simplified configuration using Virtual Tunnel Interfaces (VTI). It uses S-VTI (Static VTI) for fixed point-to-point VPN tunnels between sites, and D-VTI (Dynamic VTI) for on-demand tunnel creation in hub-and-spoke or large-scale environments. FlexVPN integrates routing protocols directly over the tunnel, supports dynamic security associations, and provides a flexible, scalable replacement for traditional crypto map-based VPNs.
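The IKEv2 and FlexVPN items above in one configuration, added here as an example that is not part of the course: a hub at 203.0.113.1 terminates any number of spokes on a dynamic VTI (Virtual-Template), and a spoke at 198.51.100.2 uses a static VTI. The IKEv2 `route set interface` authorization exchange is used so the two unnumbered tunnel ends learn each other's /32 without a routing protocol. All names, addresses and key placeholders are assumptions.

```cisco
! Added example (not course content): FlexVPN hub-and-spoke over IKEv2.

! --- Identical on hub and spoke ---
aaa new-model
aaa authorization network FLEX-AAA local
crypto ikev2 proposal IKEV2-PROP
 encryption aes-gcm-256
 prf sha384
 group 19
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
! Exchange the tunnel interface addresses inside IKEv2 (installs /32 routes)
crypto ikev2 authorization policy FLEX-AUTHZ
 route set interface
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode tunnel

! --- Hub ---
crypto ikev2 keyring FLEX-KR
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-STRONG-PSK
! Wildcard PSK keeps the lab short; production hubs should authenticate spokes
! with certificates (authentication remote rsa-sig + pki trustpoint).
crypto ikev2 profile FLEX-HUB-PROF
 match identity remote address 0.0.0.0
 identity local address 203.0.113.1
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KR
 aaa authorization group psk list FLEX-AAA FLEX-AUTHZ
 virtual-template 1
crypto ipsec profile FLEX-HUB-IPSEC
 set transform-set TS-GCM
 set ikev2-profile FLEX-HUB-PROF
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
! D-VTI: one Virtual-Access interface is cloned from this template per spoke
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-HUB-IPSEC

! --- Spoke ---
crypto ikev2 keyring FLEX-KR
 peer HUB
  address 203.0.113.1
  pre-shared-key REPLACE-WITH-STRONG-PSK
crypto ikev2 profile FLEX-SPOKE-PROF
 match identity remote address 203.0.113.1 255.255.255.255
 identity local address 198.51.100.2
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KR
 aaa authorization group psk list FLEX-AAA FLEX-AUTHZ
crypto ipsec profile FLEX-SPOKE-IPSEC
 set transform-set TS-GCM
 set ikev2-profile FLEX-SPOKE-PROF
interface Loopback0
 ip address 172.16.1.2 255.255.255.255
! S-VTI: always-up point-to-point tunnel toward the hub
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-SPOKE-IPSEC

! Verify: 'show crypto ikev2 sa' (one SA per spoke on the hub) and 'show ip
! route static' should show the remote tunnel /32 tagged as learned via IKEv2.
```

With AES-GCM in the IKEv2 proposal the `prf` line replaces the `integrity` line, because GCM already authenticates. LAN prefixes are then carried by a routing protocol over the VTIs or pushed with `route set remote ipv4` in the authorization policy.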
12) Flex VPN - Spoke to Spoke using NHRP
FlexVPN spoke-to-spoke connectivity using NHRP (Next Hop Resolution Protocol) lets branch sites talk directly instead of hairpinning through the hub. Each spoke first brings up its IKEv2 tunnel to the hub, which acts as the NHRP next-hop server. When spoke-to-spoke traffic arrives at the hub, the hub sends an NHRP redirect; the originating spoke then resolves the remote spoke's public address through NHRP and builds a new IKEv2/IPSec session to it, which appears on both spokes as a dynamically created Virtual-Access interface (a VTI, not a GRE tunnel) cloned from a virtual-template. An NHRP shortcut route steers traffic onto that interface. This improves performance, reduces latency and optimizes bandwidth usage in scalable VPN topologies, while the hub remains the control point for authentication and policy.
13) LAN to LAN VPN using Router as CA Server
LAN-to-LAN VPN using a Router as a CA (Certificate Authority) Server replaces pre-shared keys with digital certificates for IKE authentication. A Cisco IOS router runs the CA server, which issues, signs and revokes certificates and publishes a CRL. Each VPN router creates an RSA key pair, authenticates the CA (fetching and fingerprint-verifying the CA certificate) and enrolls with it over SCEP to obtain an identity certificate; IKE Phase 1 then uses rsa-sig authentication and validates the peer's certificate against the trusted CA and the CRL. This scales better than managing one PSK per peer pair, lets a compromised router be cut off by revocation, and ties the peer's identity to a subject name rather than to an IP address.
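The CA-server and enrollment steps described above as an added example (not course material): one router acts as the CA at 203.0.113.10, and a VPN router R1 enrolls with it and switches IKE Phase 1 to certificates. Names, addresses, lifetimes and the domain are assumptions.

```cisco
! Added example (not course content): IOS CA server plus one enrolling VPN router.

! --- CA router (reachable at 203.0.113.10) ---
! SCEP enrollment runs over HTTP, so the web server must be on
ip http server
crypto key generate rsa modulus 2048 label LAB-CA exportable
crypto pki server LAB-CA
 database level complete
 database url nvram:
 issuer-name CN=LAB-CA,O=Example Lab
 lifetime ca-certificate 1825
 lifetime certificate 365
 ! 'grant auto' signs every request that arrives. Acceptable in a lab; in
 ! production leave it off and approve each request with
 ! 'crypto pki server LAB-CA grant <request-id>' after checking the fingerprint.
 grant auto
 no shutdown

! --- Each VPN router (R1 shown) ---
ip domain name example.lab
ip host ca.example.lab 203.0.113.10
crypto key generate rsa modulus 2048 label VPN-KEYS
crypto pki trustpoint LAB-CA
 enrollment url http://ca.example.lab:80
 subject-name CN=R1,O=Example Lab
 rsakeypair VPN-KEYS
 ! Check the CA's CRL so a revoked peer is rejected. 'revocation-check none'
 ! is a common lab shortcut that removes exactly that protection.
 revocation-check crl
! Fetch the CA certificate; compare the fingerprint it prints with the one
! shown on the CA ('show crypto pki server') over an out-of-band channel.
crypto pki authenticate LAB-CA
! Request R1's identity certificate
crypto pki enroll LAB-CA

! IKE Phase 1 now authenticates with certificates; no per-peer PSK is needed
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14

! Verify: 'show crypto pki certificates' lists the CA and R1 certificates;
! 'show crypto isakmp sa' reaches QM_IDLE once the peer has enrolled too.
```

`crypto pki authenticate` and `crypto pki enroll` are interactive EXEC commands (they prompt for the fingerprint confirmation and a challenge password), so they are run once per router rather than pasted as configuration.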
14) Assessment Test 01
Practice assessment for VPN concepts and troubleshooting.
Section 02 - ASA Firewall
1) Basic Initialization
Cisco ASA Firewall Basic Initialization involves the initial setup required to bring the device into an operational state. It includes assigning hostname, configuring management interface (IP address, subnet mask, and security level), setting up default gateway, enabling SSH or ASDM access, configuring enable/privileged mode password, and basic interface configuration. This step ensures secure administrative access and prepares the ASA for advanced security policies, NAT, and VPN configurations.
2) ASA Traffic Flow - To vs Thru Traffic
Cisco ASA traffic flow is divided into "to-the-box" and "through-the-box" traffic. To-the-box traffic is destined for the ASA itself: SSH, ASDM (HTTPS), ping to an interface address, or a VPN terminating on the firewall. It is not filtered by interface ACLs or by security levels; it is controlled by the management-access commands (ssh, http, telnet, icmp) and, where finer control is needed, by an access list applied with access-group ... control-plane. Through-the-box traffic crosses the ASA from one interface to another, such as inside-to-outside or inside-to-DMZ, and is governed by security levels, interface ACLs, NAT rules and inspection policies; this is the firewall's primary job. Deciding which category a flow belongs to is the first troubleshooting step, because interface ACL hit counts and packet-tracer apply only to through traffic.
3) ASA Management Access
Cisco ASA Management Access is the configuration that lets administrators manage the firewall over SSH, ASDM (HTTPS), Telnet or the console. It includes enabling each service on specific interfaces and restricting it to specific source networks (ssh, http and telnet statements), generating the RSA key for SSH, and choosing the authentication method for each service (aaa authentication ssh console LOCAL or an AAA server group). Telnet is cleartext, is not allowed on the lowest-security interface, and should be left disabled in favour of SSH version 2. Because all of this is to-the-box traffic, it is unaffected by interface ACLs; restricting the source networks in the management statements themselves is what keeps the device from being reachable from untrusted networks.
4) ASA Routing
Cisco ASA Routing defines how the firewall forwards traffic between its interfaces. It supports static routes, a default route, and dynamic routing protocols (RIP, OSPF, EIGRP and BGP; which ones are available depends on the release and on single- versus multiple-context mode). Static routes typically describe inside and DMZ subnets that are not directly connected, while the default route points unknown destinations at the upstream gateway. A route alone does not permit a flow, since security levels, ACLs and NAT still apply, but a missing or wrong route is the most common reason a permitted flow never leaves the firewall.
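The initialization, management-access and routing items above as one worked configuration, added here as an example that is not part of the course: a lab ASA with inside and outside interfaces, a default route, and SSH/ASDM locked to the inside admin subnet. Addresses, interface names and the credential placeholders are assumptions.

```cisco
! Added example (not course content): ASA 9.x first-boot configuration.

hostname ASA1
domain-name example.lab
username admin password REPLACE-WITH-STRONG-PASSWORD privilege 15
enable password REPLACE-WITH-STRONG-PASSWORD

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown

! Routing: default toward the ISP, a static for a second internal subnet
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.1.2.0 255.255.255.0 10.1.1.254 1

! To-the-box management. These statements, not interface ACLs, decide who may
! reach the ASA itself, so scope them to the admin subnet on the inside only.
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
crypto key generate rsa modulus 2048
ssh version 2
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 10
http server enable
http 10.1.1.0 255.255.255.0 inside

! Telnet stays disabled (no 'telnet' statements). Allow ping to the inside
! interface for testing and refuse ICMP aimed at the outside interface.
icmp permit 10.1.1.0 255.255.255.0 inside
icmp deny any outside

! Verify: 'show route' (gateway of last resort via outside), 'show run ssh',
! then from a 10.1.1.0/24 host: ssh admin@10.1.1.1
! Through traffic still needs NAT and ACLs; nothing here permits it.
```

Leaving `enable password` and the admin user on the same value is a lab shortcut; in production the enable secret should differ and `aaa authentication enable console` should point at the AAA server group as well.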
5) ASA NAT - Dynamic NAT, Static NAT & Destination NAT
Cisco ASA NAT (Network Address Translation) is used to translate private IP addresses into public or different internal addresses to control and secure network traffic. Dynamic NAT allows multiple internal hosts to share a pool of public IP addresses dynamically. Static NAT provides a fixed one-to-one mapping between an internal and external IP address, commonly used for servers. Destination NAT (Port Forwarding) translates incoming traffic on a specific public IP and port to an internal host and service, enabling controlled access from external networks.
6) ASA NAT - Dynamic & Static PAT & Policy NAT
Cisco ASA NAT (Network Address Translation) includes Dynamic PAT, Static PAT, and Policy NAT for flexible traffic translation and control. Dynamic PAT (Port Address Translation) allows multiple internal hosts to share a single public IP by differentiating traffic using port numbers. Static PAT provides a fixed mapping of a public IP and port to a specific internal host and service. Policy NAT is a rule-based translation method that applies NAT only when specific traffic conditions are met, such as source, destination, or service-based criteria, offering granular control over address translation.
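Every translation type from the two NAT items above in ASA 8.3+/9.x syntax, as an added example that is not course material: dynamic PAT, dynamic NAT with a pool, static NAT, static PAT, and a manual (twice) NAT rule acting as policy NAT to exempt VPN traffic. The inside 10.1.1.0/24 and 10.1.3.0/24 subnets, the 203.0.113.0/29 public block and the 172.20.0.0/16 partner range are assumptions.

```cisco
! Added example (not course content): ASA object NAT and manual NAT.

! Dynamic PAT: the whole inside subnet hides behind the outside interface address
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Dynamic NAT: a pool of public addresses, falling back to interface PAT
! when the pool is exhausted (otherwise new connections fail silently)
object network NAT-POOL
 range 203.0.113.3 203.0.113.5
object network GUEST-NET
 subnet 10.1.3.0 255.255.255.0
 nat (inside,outside) dynamic NAT-POOL interface

! Static NAT: one-to-one, bidirectional, for an Internet-facing server
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.6

! Static PAT (port forwarding): outside-interface:2222 -> 10.1.1.20:22
object network SSH-JUMP
 host 10.1.1.20
 nat (inside,outside) static interface service tcp 22 2222

! Policy NAT via manual (twice) NAT: traffic from INSIDE-NET to the partner
! network is deliberately NOT translated (identity NAT) so it enters the
! site-to-site VPN with real addresses. Manual NAT (section 1) is evaluated
! before object NAT (section 2), so this wins over the dynamic PAT above.
object network PARTNER-NET
 subnet 172.20.0.0 255.255.0.0
nat (inside,outside) 1 source static INSIDE-NET INSIDE-NET destination static PARTNER-NET PARTNER-NET no-proxy-arp route-lookup

! Translation alone opens nothing. The outside ACL must permit the flow, and
! on 8.3+ it references the REAL (untranslated) address and port.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 80
access-list OUTSIDE-IN extended permit tcp any object SSH-JUMP eq 22
access-group OUTSIDE-IN in interface outside

! Verify: 'show nat detail' (rule order and hit counts), 'show xlate', and
! packet-tracer input outside tcp 198.51.100.50 40000 203.0.113.6 80
```

`packet-tracer` is the fastest way to see which NAT rule and ACL line a given packet hits; when it reports "UN-NAT" followed by an ACL drop, the translation is fine and the access list is the problem, not the other way round.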
7) ASA Transparent Firewalls
Cisco ASA Transparent Firewall operates as a Layer 2 bridge (bridge group with a BVI) instead of routing at Layer 3, so it can be inserted into an existing segment as a "bump-in-the-wire" without readdressing hosts; the only IP address it needs is a management address on the bridge group. Frames are forwarded by MAC address, but IP traffic is still stateful-inspected and subject to ACLs and inspection exactly as in routed mode, and non-IP protocols (such as IS-IS or other Layer 2 protocols) are dropped unless explicitly allowed with an EtherType ACL. Transparent mode suits environments where IP restructuring is not wanted, at the cost of features that need Layer 3, such as dynamic routing and VPN termination for through traffic.
8) ASA Interface Redundancy
Cisco ASA Interface Redundancy provides high availability by grouping two or more physical interfaces into a single logical redundant interface. One interface acts as active while the other remains standby, automatically taking over if the active link fails. This ensures continuous network connectivity without manual intervention. Interface redundancy improves fault tolerance, simplifies configuration compared to separate failover setups, and is commonly used for critical network links such as inside, outside, or DMZ interfaces.
9) ASA Security Contexts
Cisco ASA Security Contexts virtualize one physical firewall into multiple independent logical firewalls. The ASA runs in either single context mode (the default) or multiple context mode. In multiple mode there is a system execution space (physical interfaces, resource classes and the context definitions), an admin context used to manage the box, and one or more user contexts, each with its own interfaces or shared sub-interfaces, ACLs, NAT rules, routing and administrators. Service providers and large enterprises use contexts to isolate tenants or departments on shared hardware; not every feature is available in multiple mode (remote-access VPN and some dynamic routing protocols have historically been excluded), so the release's feature matrix should be checked before converting, and the conversion itself requires a reload.
10) ASA Failover Active Standby - Stateless
Cisco ASA Active/Standby Stateless (regular) Failover provides high availability with two identical firewalls, one active and one standby. The full configuration and interface state are synchronized over the failover link, but the connection table, NAT translations and VPN SAs are not. When failover occurs the standby unit takes over the active unit's IP and MAC addresses, so routing and ARP on the neighbours keep working, yet every existing session is dropped and clients must reconnect. It needs only the failover LAN link and no state link, which makes it simpler, but it offers no session continuity.
11) ASA Failover Active Standby - Stateful
Cisco ASA Active/Standby Stateful Failover synchronizes both the configuration and the active session state between the two units. The active unit continuously replicates the connection table, NAT translation table, ARP table and VPN session/SA information to the standby over a stateful failover link, which can be a dedicated interface or share the failover LAN link. When failover occurs the standby takes over without dropping established sessions. Some state is not replicated by default, notably HTTP connections (enable failover replication http if they matter), so "seamless" depends on which flows are actually being synchronized. It is the standard choice in enterprise environments where service continuity matters.
12) ASA Failover Active Active
Cisco ASA Active/Active Failover runs both units of a pair at the same time and requires multiple context mode. Contexts are assigned to two failover groups; each unit is active for one group and standby for the other, so both units process traffic and the pair shares load. On a failure the surviving unit becomes active for both groups, which means each unit must be sized to carry the entire load alone. Traffic that leaves through one unit and returns through the other needs asymmetric-routing (ASR) groups to be forwarded correctly. The design improves hardware utilization but is more complex to configure and troubleshoot, and is typically used in large enterprise or data center environments.
13) ASA Clustering
Cisco ASA Clustering groups multiple ASA firewalls into one logical firewall for scalability and high availability. All members forward traffic (active/active), with the upstream switches spreading flows across them by spanned EtherChannel or by individual interfaces with ECMP. One unit acts as the control unit (earlier releases call it the master) and the others as data units (slaves); each connection has an owner, a director that can locate it, and a backup owner, so a flow survives the loss of one member. The cluster control link (CCL) carries this state and any traffic that must be re-forwarded to the owner, so it needs bandwidth comparable to the data interfaces. Not everything is distributed: dynamic PAT pools are split between members, site-to-site VPN is a centralized feature that terminates on the control unit (distributed VPN exists only on specific platforms), and remote-access VPN is not supported in a cluster.
14) ASA VPN - ASA to Router LAN to LAN
ASA VPN Site-to-Site (ASA to Router LAN-to-LAN) provides IPSec connectivity between a Cisco ASA and a remote IOS router over the Internet. ISAKMP/IKE Phase 1 authenticates the peers, IPSec Phase 2 negotiates the SAs that encrypt data, and either a crypto map or (on ASA 9.7 and later) a route-based VTI defines the tunnel. With crypto maps, the ASA's crypto ACL must be the exact mirror image of the router's interesting-traffic ACL, and a NAT exemption (identity NAT) rule is needed on the ASA so the inside addresses are not translated before the crypto map sees them. Because the two platforms word their defaults differently (for example, lifetimes and PFS), mismatched proposals are the usual reason the tunnel negotiates but never passes traffic.
15) ASDM
Cisco ASDM (Adaptive Security Device Manager) is a Java-based graphical tool, launched from the ASA over HTTPS or installed as a local launcher, used to configure, monitor and troubleshoot Cisco ASA firewalls. It lets administrators manage policies, NAT rules, VPN configurations, interface settings and security contexts without the CLI, and provides real-time monitoring and log viewing. ASDM requires http server enable plus an http statement restricting which networks may connect; since it listens on the same HTTPS port the clientless SSL VPN uses by default, it should be permitted only from management networks.
16) ASA Remote Access - Web VPN
Cisco ASA Remote Access Web VPN (SSL VPN) allows users to securely connect to an internal network using a web browser without requiring full VPN client software. It uses SSL/TLS encryption over HTTPS to provide secure access to internal applications, file shares, and web resources. Web VPN supports portal-based access, clientless connectivity, and optional AnyConnect client download for full tunnel access, making it ideal for remote users and mobile workforce security.
17) ASA Remote Access - AnyConnect Client
Cisco ASA Remote Access VPN using the AnyConnect Client provides secure full-tunnel or split-tunnel connectivity for remote users. The AnyConnect Secure Mobility Client establishes an SSL/TLS or IPSec/IKEv2 encrypted tunnel between the user device and ASA firewall, allowing access to internal corporate resources. It supports features like user authentication (local, RADIUS, or LDAP), posture assessment, dynamic access policies, and seamless roaming, making it a modern and scalable remote access VPN solution.
18) Assessment Test 02
Practice exam for ASA firewall concepts and troubleshooting.
Section 03 - Zone Based Firewall
1) Configuring Zone-Based Firewall
Zone-Based Firewall (ZBF) is the Cisco IOS firewall that controls traffic between security zones rather than per interface. Interfaces are assigned to zones; traffic between interfaces in the same zone is permitted, traffic between different zones is dropped unless a zone-pair with a policy allows it, and traffic to or from the router itself belongs to the implicit self zone, which is permitted by default unless a zone-pair involving self is configured. Configuration involves creating zones, assigning interfaces to them, defining class-maps (type inspect) that match traffic by protocol or ACL, policy-maps (type inspect) that set the action (inspect for stateful return traffic, pass, or drop), and zone-pairs, each unidirectional, that apply the policy to a source/destination zone combination.
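The ZBF procedure above as a complete configuration, added here as an example rather than course content: inside hosts may start web, DNS, ICMP and SSH sessions toward the Internet, replies return statefully, and everything else is dropped. The interface names and the protocol list are assumptions.

```cisco
! Added example (not course content): IOS Zone-Based Firewall, inside -> outside.

zone security INSIDE
zone security OUTSIDE

! What inside users may initiate; 'match-any' so one matching protocol is enough
class-map type inspect match-any INSIDE-TO-OUTSIDE-CM
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match protocol ssh

! 'inspect' is stateful: return traffic is allowed without an OUTSIDE->INSIDE
! policy. Anything not matched falls into class-default and is dropped and logged.
policy-map type inspect INSIDE-TO-OUTSIDE-PM
 class type inspect INSIDE-TO-OUTSIDE-CM
  inspect
 class class-default
  drop log

! A zone-pair is unidirectional. With no OUTSIDE->INSIDE pair, unsolicited
! inbound traffic is denied by default.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-PM

interface GigabitEthernet0/1
 zone-member security INSIDE
interface GigabitEthernet0/0
 zone-member security OUTSIDE

! Caveat: traffic to the router itself (the implicit 'self' zone) is still
! permitted. To police management access, add a pair such as
!   zone-pair security OUT-SELF source OUTSIDE destination self
! with a policy that drops, and an INSIDE->self policy that inspects SSH.

! Verify: show policy-map type inspect zone-pair sessions
!         show zone-pair security
```

Adding an interface to a zone cuts off its traffic to every other zone immediately, so on a production router the zone-pairs and policies should be defined before the `zone-member` lines are applied, and the management interface's path to the administrator must be covered by a self-zone policy first.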
Section 04 - Firepower Threat Defence (FTD)
1) FTD Initial Configuration - Interface Configuration - Routing Configuration
Cisco Firepower Threat Defense (FTD) Initial Configuration sets the basic system parameters: management IP address, hostname, DNS and NTP, and the management mode, which is either remote management by Firepower Management Center (the device is registered to FMC with configure manager add and a shared registration key) or local management through Firepower Device Manager (FDM) on the device itself; a device cannot be managed both ways at once. Interface configuration assigns physical or logical interfaces a name, IP address and security zone (inside, outside, DMZ); unlike the ASA, FTD has no security levels, so zones only have meaning through the Access Control Policy. Routing configuration adds the default route and static routes (or dynamic routing) so traffic between internal networks and external destinations can be forwarded.
2) FTD - NAT & ACP
Cisco Firepower Threat Defense (FTD) NAT and the Access Control Policy (ACP) are the core of traffic handling and security enforcement. NAT rules are either Auto NAT (object NAT, defined on a network object) or Manual NAT (twice NAT, which can match on source, destination and service and therefore covers the "policy NAT" use case); FTD has no separate policy-NAT rule type. The ACP decides what is allowed or blocked based on zones, networks, ports, applications, URL categories and Security Intelligence feeds, and for allowed traffic attaches the intrusion policy and file/malware policy that deep-inspect it. Rules are evaluated top down and end with a default action, so the default action (typically block all or an IPS-inspected allow) is as important as the rules above it.
3) FTD - Intrusion Prevention
Cisco Firepower Threat Defense (FTD) Intrusion Prevention System (IPS) provides deep packet inspection and real-time threat detection to protect networks from malicious activity. It uses Snort-based engine technology to analyze traffic at the application layer, detect exploits, vulnerabilities, and abnormal behavior, and take actions such as alert, drop, or block traffic. IPS policies in FTD are applied through the Access Control Policy (ACP) and can be tuned using security rules, signatures, and severity levels to enhance network security.
Section 05 - Email Security Appliance (ESA)
1) Email & ESA Overview
Cisco Email Security Appliance (ESA) and Web Security Appliance (WSA) provide advanced protection against email and web-based threats. ESA filters inbound and outbound email traffic to block spam, phishing, malware, and data loss using anti-spam, anti-virus, and content filtering policies. WSA secures web traffic by enforcing URL filtering, malware protection, and application control. Together, they ensure secure communication, prevent data breaches, and protect users from internet-based threats.
2) Basic Email Setup
Basic Email Setup on the Cisco Email Security Appliance (ESA) covers system identity, network settings and mail flow. It includes the hostname and IP configuration, listeners (the SMTP interfaces that accept mail, typically a public listener for inbound Internet mail and a private listener for outbound relay from internal servers), the Host Access Table (HAT) that decides which sending hosts may connect and how they are throttled, the Recipient Access Table (RAT) that limits the domains for which inbound mail is accepted so the ESA cannot be used as an open relay, SMTP routes that deliver accepted mail to the internal mail servers, DNS so that the domain's MX records point at the ESA, and the basic anti-spam and anti-virus engines. With these in place the ESA can receive, inspect and forward mail for the organization.
3) Initializing the ESA - CLI
Initializing Cisco Email Security Appliance (ESA) via CLI involves performing the initial system setup using command-line interface. This includes configuring hostname, IP address, default gateway, DNS settings, and management interface access. The setup wizard (via CLI) guides through network configuration, mail flow parameters, and basic security settings. After initialization, the ESA becomes reachable over the network for further configuration through GUI (Web UI) or advanced CLI commands for email security policies and system tuning.
4) Initializing & Implementing the ESA - GUI
Initializing and implementing Cisco Email Security Appliance (ESA) via GUI (Web Interface) involves accessing the ESA through a browser using its management IP address. The setup wizard helps configure hostname, network interfaces, DNS, and default gateway. Through the GUI, administrators can define mail flow policies, create listeners, configure anti-spam and anti-virus settings, and set up sender/recipient controls. The GUI simplifies deployment, allowing visual management of email security policies, quarantine settings, and reporting for secure email processing.
5) Custom Filter Rules on the ESA
Custom filter rules on the Cisco Email Security Appliance (ESA) come in two forms. Message filters are written in the ESA filter language from the CLI (filters command) and run on every message before the mail policies; content filters are built in the GUI and attached to specific incoming or outgoing mail policies. Both match on conditions such as sender, recipient, subject, header values, attachment type or name, body content (including regular expressions and dictionaries) or message size, and apply actions such as drop, bounce, quarantine, encrypt, add or strip headers, notify, or rewrite the message. They give granular control over mail flow for enforcing security policy, preventing data loss and blocking spam or malicious content that the standard engines miss.
6) Assessment Test 03
Practice test for ESA concepts and configuration review.
Section 06 - Web Security Appliance (WSA)
1) WSA Overview
Cisco Web Security Appliance (WSA) is a network security solution designed to control, monitor, and protect web traffic entering and leaving an organization. It enforces web usage policies through URL filtering, malware protection, application visibility, and content inspection. WSA helps prevent access to malicious websites, blocks phishing attacks, and ensures compliance with corporate internet usage policies while providing secure and controlled web access for users.
2) Initializing the WSA - CLI
Initializing Cisco Web Security Appliance (WSA) via CLI involves performing the first-time system configuration using the command-line interface. This includes setting hostname, management IP address, subnet mask, default gateway, and DNS servers. Administrators also configure basic network connectivity and enable management access (SSH/HTTPS) during initialization. After completing CLI setup, the WSA becomes accessible through the web interface for further configuration of proxy services, policies, and web filtering rules.
3) Initializing the WSA - GUI
Initializing Cisco Web Security Appliance (WSA) via GUI (Web Interface) involves accessing the device through a browser using its management IP address. The setup wizard guides initial configuration such as hostname, network settings, DNS, and default gateway. Through the GUI, administrators can configure proxy settings, define access policies, enable URL filtering, set up authentication methods, and apply malware protection rules. The GUI provides an easy-to-manage interface for deploying and controlling secure web traffic policies across the organization.
4) Configuring WCCP
Configuring WCCP (Web Cache Communication Protocol) lets a Cisco router or switch redirect web traffic to a Web Security Appliance (WSA) transparently, with no proxy setting on the clients. The WSA registers with the router as a member of a service group; the router then intercepts packets that match the service group (the standard web-cache service covers TCP port 80 only, so HTTPS needs a custom dynamic service group defined on the WSA with the same ID on the router) and forwards them to the WSA over GRE or Layer 2 rewrite. Router-side configuration consists of enabling the service group(s), a redirect-list ACL that limits which clients and ports are redirected, a group-list ACL that limits which hosts may join the service group, a WCCP password that authenticates the control messages, and ip wccp ... redirect in on the client-facing interfaces. Traffic from the WSA itself and on the interface toward it must be excluded from redirection or a forwarding loop results.
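The router side of the WCCP setup just described, as an added example that is not part of the course: a WSA at 10.10.10.20 receives HTTP via the standard web-cache service and HTTPS via a custom service group 90. The addresses, client range, service ID and password placeholder are assumptions; the WSA must be configured with the same service ID, ports, password and this router's address.

```cisco
! Added example (not course content): WCCPv2 redirection to a WSA.

! Redirect only client subnets, and never traffic sourced by the WSA itself
ip access-list extended WCCP-REDIRECT
 deny   ip host 10.10.10.20 any
 permit tcp 10.1.0.0 0.0.255.255 any eq 80
 permit tcp 10.1.0.0 0.0.255.255 any eq 443

! Only the WSA may join the service groups; the password authenticates the
! WCCP control messages so a rogue host cannot register as the "cache" and
! receive everyone's web traffic.
ip access-list standard WCCP-ENGINES
 permit 10.10.10.20

! web-cache = standard service, TCP/80 only
ip wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-ENGINES password 0 REPLACE-WCCP-PW
! 90 = custom dynamic service for TCP/443, defined on the WSA with the same ID
ip wccp 90 redirect-list WCCP-REDIRECT group-list WCCP-ENGINES password 0 REPLACE-WCCP-PW

! Intercept client traffic inbound on the LAN-facing interface
interface GigabitEthernet0/1
 ip wccp web-cache redirect in
 ip wccp 90 redirect in

! Never redirect on the interface toward the WSA, or its own upstream
! requests would be sent back to it
interface GigabitEthernet0/2
 ip wccp redirect exclude in

! Verify: 'show ip wccp' (Number of Service Group Clients: 1 for each service),
! 'show ip wccp web-cache detail' (packets redirected counter increases),
! and on a client a blocked test URL should return the WSA block page.
```

The redirect-list is the safety valve: anything it denies bypasses the WSA entirely, so it should deny the WSA's own address and any monitoring hosts, and nothing else.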
5) WSA Filtering using Standard Categories
WSA Filtering using Standard Categories is a web security feature that controls user access to websites based on predefined URL categories maintained by Cisco. These categories include malicious sites, social media, streaming, adult content, gambling, shopping, and more. Administrators can allow, block, or monitor access to each category through policy rules. This simplifies web filtering, improves security enforcement, and helps organizations apply consistent internet usage policies across all users.
6) WSA Filtering using Custom Categories
WSA Filtering using Custom Categories allows administrators to create and manage their own URL groupings beyond Cisco’s standard categories. This feature enables organizations to define specific websites or domains into custom lists such as “Approved Business Sites,” “Blocked Internal Leakage Sites,” or “Department-Specific Access.” These custom categories can then be applied in access policies to allow, block, or monitor traffic, providing more granular and organization-specific web filtering control.
7) Assessment Test 04
WSA practice exam and troubleshooting questions.
Section 07 - Wireless Networking
1) Wireless Networking Overview
Wireless Networking Overview refers to communication networks that use radio frequency (RF) signals instead of wired connections to connect devices to a network. It includes components such as access points (APs), wireless controllers, and client devices. Wireless networks operate on standards like IEEE 802.11 and provide mobility, flexibility, and easy scalability. They are commonly used in homes, enterprises, and public areas to enable internet and LAN access without physical cabling.
2) Initializing the WLC from the CLI
Initializing a Wireless LAN Controller (WLC) from the CLI involves performing the initial system setup to bring the controller into operational state. This includes configuring system name, management IP address, subnet mask, default gateway, and VLAN settings. Administrators also set country code, time zone, and admin credentials during the setup wizard. Once initialized, the WLC can discover and manage lightweight access points, enabling centralized wireless network control and configuration.
3) Configuring a Controller-based WLAN
Configuring a Controller-based WLAN involves creating and managing wireless networks through a Wireless LAN Controller (WLC) that centrally controls access points. The configuration includes defining WLAN SSID, assigning security settings (WPA2/WPA3, 802.1X authentication or PSK), mapping WLANs to specific VLANs, and applying QoS or bandwidth policies. The WLC pushes these configurations to lightweight access points, ensuring consistent wireless coverage, centralized management, and secure client connectivity across the network.
4) Assessment Test 05
Wireless networking assessment and practice questions.
Section 08 - ISE for Wired VLANs
1) Configuring the relationship between ISE & WLC
Cisco ISE for Wired VLANs (1–6) enables Identity-Based Network Access Control by assigning users dynamically to specific VLANs based on authentication and authorization policies. Cisco Identity Services Engine (ISE) communicates with network devices using RADIUS to determine user identity and apply VLAN assignments for wired ports. This allows centralized policy enforcement, network segmentation, and secure access control across multiple VLANs.

Configuring the relationship between Cisco ISE and a Wireless LAN Controller (WLC) involves adding the WLC to ISE as a network device and adding ISE to the WLC as a RADIUS authentication (and accounting) server with a matching shared secret. The WLC forwards 802.1X authentication requests for wireless clients to ISE, which verifies the credentials and returns authorization results such as VLAN assignment, access restrictions, and security profiles. This integration ensures consistent policy enforcement across both wired and wireless networks, enabling secure, identity-based access control throughout the enterprise.
2) Configuring 802.1X based Wireless Authentication using ISE
Configuring 802.1X-based Wireless Authentication using Cisco ISE involves securing wireless network access through identity-based authentication. The Wireless LAN Controller (WLC) is configured to use Cisco ISE as a RADIUS authentication server. When a client connects to the WLAN, the WLC forwards authentication requests to ISE, which validates user credentials using methods like PEAP, EAP-TLS, or EAP-FAST. Based on policy rules, ISE returns authorization results such as VLAN assignment, ACLs, or access permissions. This ensures secure, controlled, and identity-based wireless access across the network.
Section 09 - ISE Device Administration
1) Wired ISE Overview
Cisco ISE Device Administration provides centralized control for managing and securing administrative access to network devices such as routers, switches, and firewalls using TACACS+. It enables role-based access control (RBAC), command authorization, and detailed accounting of all administrative actions.

Wired ISE Overview refers to using Cisco Identity Services Engine (ISE) for controlling wired network access through 802.1X authentication, MAC Authentication Bypass (MAB), and profiling. It ensures that only authorized users and devices can access the wired network while enforcing security policies and segmentation.
2) Configuring the relationship between ISE & Switch
Configuring the relationship between Cisco ISE and a Switch involves integrating the switch as a network access device using RADIUS or TACACS+ for authentication, authorization, and accounting. The switch is configured to communicate with ISE by defining the ISE server IP, shared secret key, and AAA authentication methods. For wired access, 802.1X is enabled on switch ports so that endpoint authentication requests are forwarded to ISE. Based on ISE policies, users and devices are assigned VLANs, ACLs, or access levels, enabling centralized and identity-based network control.
3) Dot1X Authentication with VLAN Assignment
Configuring Wired ISE using 802.1X Authentication with VLAN Assignment involves securing switch ports by requiring user/device authentication through Cisco Identity Services Engine (ISE). The switch is configured with 802.1X on access ports and uses ISE as a RADIUS server. When a device connects, it must authenticate using credentials or certificates. ISE evaluates the identity and returns authorization policies that dynamically assign the user to a specific VLAN. This enables secure network segmentation, centralized policy enforcement, and controlled access to wired network resources.
4) Wired ISE with DACL
Configuring Wired ISE with DACL (Downloadable Access Control List) involves using Cisco Identity Services Engine (ISE) to dynamically assign access policies to wired endpoints after authentication. When a user or device connects to a switch port using 802.1X or MAB, ISE evaluates identity and authorization policies, then downloads a DACL to the switch. This DACL defines permitted and denied traffic at the port level, allowing granular control without manually configuring ACLs on each switch. It enhances security, scalability, and centralized access management in wired networks.
5) Configuring MAB
Configuring MAB (MAC Authentication Bypass) involves enabling an alternative authentication method for devices that do not support 802.1X, such as printers, IP phones, or IoT devices. When a device connects to a switch port, its MAC address is sent to Cisco ISE via RADIUS for authentication. ISE checks the MAC address against its database and applies authorization policies such as VLAN assignment, ACLs, or access permissions. MAB ensures network access control for non-802.1X-capable devices while maintaining centralized security enforcement.
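The switch side of the ISE relationship, 802.1X with dynamic VLAN, DACL and MAB items above, combined into one access-switch configuration added here as an example (not course content). The ISE policy service node at 10.10.10.5, the shared-secret placeholder, VLAN 100 and the interface are assumptions; ISE itself must list the switch as a network device with the same secret and return the VLAN (IETF attributes 64/65/81) and DACL name in its authorization profiles.

```cisco
! Added example (not course content): Catalyst access switch with ISE as the
! RADIUS server, 802.1X first and MAB fallback, VLAN and dACL pushed by ISE.

aaa new-model
radius server ISE-PSN1
 address ipv4 10.10.10.5 auth-port 1812 acct-port 1813
 key REPLACE-WITH-RADIUS-SECRET
aaa group server radius ISE
 server name ISE-PSN1
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE

! Cisco VSAs carry the dACL name; without these the dACL is never applied
radius-server vsa send authentication
radius-server vsa send accounting
! dACLs are rewritten with the client's IP, so the switch must learn it
! (classic IOS; on IOS-XE 16.x use a 'device-tracking policy' instead)
ip device tracking
! Let ISE push Change of Authorization (re-auth after posture/profiling)
aaa server radius dynamic-author
 client 10.10.10.5 server-key REPLACE-WITH-RADIUS-SECRET

dot1x system-auth-control

interface GigabitEthernet1/0/1
 description Access port under ISE control
 switchport mode access
 ! VLAN used only if ISE authorizes without returning one
 switchport access vlan 100
 ! Try 802.1X first, fall back to MAB for printers/phones without a supplicant
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

! Verify one session:
!   show authentication sessions interface Gi1/0/1 details
! shows the method used (dot1x or mab), the VLAN ISE assigned and the dACL name.
! Note: with no 'authentication event server dead action ...' the port stays
! closed when ISE is unreachable. Decide that behaviour deliberately.
```

`authentication event fail action next-method` is what makes MAB a fallback rather than a parallel path; `tx-period 10` shortens the wait for supplicant-less devices to about 30 seconds (three EAP request retries) before MAB starts.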
6) Assessment Test 06
ISE wired and wireless authentication assessment.
Section 10 - Router & Switch Security Features
1) ISE Device Administration Overview
Router & Switch Security Features (1–10) include key protections such as: (1) Secure administrative access using SSH instead of Telnet, (2) Strong password policies and password encryption, (3) Role-Based Access Control (RBAC), (4) AAA authentication using RADIUS/TACACS+, (5) Port security to limit MAC addresses on switch ports, (6) DHCP snooping to prevent rogue DHCP servers, (7) Dynamic ARP Inspection (DAI) to stop ARP spoofing, (8) IP Source Guard for IP/MAC binding enforcement, (9) Control Plane Policing (CoPP) to protect the CPU, and (10) VLAN segmentation to isolate traffic.

Cisco ISE Device Administration Overview provides centralized management of network device access using TACACS+. It enables authentication, authorization, and accounting (AAA) for administrators accessing routers, switches, and firewalls. ISE enforces role-based command control, logs all administrative actions, and allows fine-grained permission policies, improving security, visibility, and compliance in enterprise network management.
2) Configuring Device Administration - Router +
Configuring Device Administration on a Cisco Router involves enabling secure administrative access and centralized AAA control using Cisco ISE or a TACACS+ / RADIUS server. It includes configuring SSH for secure remote access, defining AAA authentication, authorization, and accounting, setting up TACACS+ server details, and applying login policies. Administrators can also control command-level access using role-based privileges, ensuring that only authorized users can execute specific configuration commands. This improves security, auditability, and centralized management of router access.
3) Configuring Device Administration - ISE +
Configuring Device Administration in Cisco ISE involves setting up centralized AAA (Authentication, Authorization, and Accounting) for network devices such as routers, switches, and firewalls using TACACS+. It includes defining network devices in ISE, configuring shared secret keys, and creating policy sets for administrative access. Authorization policies control which commands or privilege levels a user can execute on devices. ISE also logs all administrative actions for auditing and compliance, providing secure, role-based, and fully centralized device management across the network.
Section 11 - Final Exam
1) Configuring NTP +
Configuring NTP (Network Time Protocol) involves synchronizing the system clock of network devices such as routers, switches, ASA firewalls, and servers with a reliable time source. This is important for accurate logging, troubleshooting, and security functions like authentication and certificate validation. Configuration includes defining an NTP server, setting authentication keys (optional), and applying the NTP source interface. Proper NTP setup ensures consistent time across all network devices in the infrastructure.
2) Anti-spoofing ACL & uRPF +
Configuring an Anti-spoofing ACL and uRPF (Unicast Reverse Path Forwarding) helps protect networks from IP spoofing attacks. An Anti-spoofing ACL filters traffic by allowing only valid source IP addresses from trusted networks and blocking illegitimate or spoofed addresses. uRPF verifies incoming packets by checking if the source IP address has a valid routing path back through the same interface. If the check fails, the packet is dropped. Together, these mechanisms enhance network security by preventing forged IP traffic and reducing attack vectors.
3) DHCP Server & DHCP Relay Agent +
Configuring a DHCP Server involves enabling automatic IP address assignment to client devices, along with parameters such as subnet mask, default gateway, DNS server, and lease time. The server manages IP pools and assigns addresses dynamically to reduce manual configuration. A DHCP Relay Agent is configured on routers or Layer 3 switches to forward DHCP requests from clients in one subnet to a DHCP server located in another subnet. It uses the ip helper-address command to ensure DHCP communication across different network segments.
4) Syslog Server Configuration +
Configuring a router to send logs to a Syslog Server involves enabling system logging and defining the remote syslog server IP address where log messages will be forwarded. The router generates logs for events such as interface status changes, routing updates, security alerts, and configuration changes. Using the logging command, administrators can set the syslog server, severity levels, and optional timestamps. This centralizes log management, improves troubleshooting, and enhances network monitoring and security analysis.
5) Port Security on Switch +
Configuring port security on a Cisco Switch involves restricting access to a switch port by limiting the number and type of MAC addresses allowed on that interface. It is applied on access ports to prevent unauthorized devices from connecting to the network. Configuration includes enabling port security, defining the maximum number of MAC addresses, setting static or sticky MAC learning, and selecting a violation mode such as protect, restrict, or shutdown. This enhances network security by preventing MAC flooding and unauthorized device access.
6) DHCP Snooping +
DHCP Snooping on a Cisco Switch is a security feature used to protect the network from rogue DHCP servers and IP address spoofing. It works by classifying switch ports as trusted (toward the legitimate DHCP server) and untrusted (toward clients). DHCP Snooping filters DHCP messages, allowing server responses only on trusted ports. It also builds a binding database that records MAC address, IP address, VLAN, and interface mappings, which can be used by additional security features such as Dynamic ARP Inspection (DAI) and IP Source Guard.
7) ARP Inspection +
Dynamic ARP Inspection (DAI) on a Cisco Switch is a Layer 2 security feature used to prevent ARP spoofing and man-in-the-middle attacks. It validates ARP packets by checking them against the DHCP snooping binding database. Switch ports are classified as trusted (toward DHCP servers or uplinks) and untrusted (toward end devices). On untrusted ports, only ARP packets whose IP-to-MAC binding is valid are forwarded, while invalid or forged ARP packets are dropped. This ensures secure IP-to-MAC mapping and protects network integrity.
8) IP Source Guard +
IP Source Guard (IPSG) is a Layer 2 security feature used on Cisco switches to prevent IP address spoofing on access ports. It works by using the DHCP snooping binding table or static IP-to-MAC bindings to validate incoming traffic. Only packets with a matching IP and MAC address pair are allowed through the port, while unauthorized or spoofed traffic is dropped. IP Source Guard enhances network security by ensuring that end devices cannot impersonate other IP addresses within the network.
9) VLAN ACLs +
Configuring VLAN ACLs (VACLs) on a Cisco Switch involves filtering traffic at the VLAN level to control which communication is allowed between devices in the same VLAN. A standard or extended ACL is first created to define the match conditions, then a VLAN access-map is configured to apply permit or deny actions, and finally the VACL is applied to a specific VLAN. Unlike interface ACLs, VACLs filter both bridged and routed traffic inside the VLAN, providing stronger internal network security and segmentation.
10) Assessment Test 07 +
Final revision test for core security concepts.
11) Final Exam +
Comprehensive final exam covering all CCIE Security topics.
12) Final Assessment Test +
Final evaluation and practice assessment.
13) Final Exam (Repeat) +
Additional final exam practice for revision.