CCNP Security PDF download

You also get an enhanced practice test that contains an additional two full practice tests of unique questions. In addition, all the practice test questions are linked to the PDF eBook, allowing you to get more detailed feedback on each question instantly. To take advantage of this offer, you will need the coupon code included on the paper in the CD sleeve.

Just follow the purchasing instructions that accompany the code to download and start using your Premium Edition today! Each of its interfaces must be configured to interoperate with other network equipment and to participate in the IP protocol suite. This chapter discusses each of these topics in detail. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter.

If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment.

Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security. Which of the following answers describe an attribute of a redundant interface?

Choose all that apply. A redundant interface load balances traffic across member interfaces. A redundant interface is made up of two or more physical interfaces. An ASA can have up to eight redundant interface pairs. Each member interface of a redundant interface cannot have its own security level. IP addresses must be applied to the member physical interfaces of a redundant interface. The member interfaces swap the active role when one of them fails. What must happen for a member interface to take over the active role as part of a redundant interface?

Three hello messages must be missed. The link status of the current active interface goes down. A member interface, which was previously active before it went down, regains its link status. Its member priority is higher than other member interfaces.

A timer must expire. Which ASA command can be used to display a list of all physical interfaces? A single GigabitEthernet link exists today; a second link would also add redundancy. Which one of the following describes the best approach to meet the requirements? Configure the two interfaces as a redundant interface. Configure the two interfaces as an EtherChannel. Dual links are not possible on an ASA. The interface will use VLAN Which one of the following sets of commands should be entered first to accomplish the task?

The physical interface operates as an ISL trunk. The physical interface operates as an The subinterface numbers of the physical interface must match the VLAN number.

All packets sent from a subinterface are tagged for the trunk link. An ASA can negotiate a trunk link with a connected switch. Which of the following represent security attributes that must be assigned to an active ASA interface when the ASA is in routed firewall mode? Choose three answers. IP address b. Access list c. Interface name d. Security level e. Interface priority f. Which one of the following interfaces should normally be assigned a security level value of ?

None of these answers are correct. An ASA has two active interfaces, one with security level 0 and one with security level Which one of the following statements is true? Traffic is permitted to be initiated from security level 0 toward security level Traffic is permitted to be initiated from security level toward security level 0. Traffic is not permitted in either direction. The interfaces must have the same security level by default before traffic can flow. Which one of the following answers contains the correct command s to enter?

None of these answers are correct; the MTU must be greater than The interface is configured and is live on the network.

The interface is not ready to use; the no shutdown command has not been issued. Answer E might also be true, but you cannot confirm that a security level has been configured from the command output given. Because an interface name has not been configured with the nameif command, neither the interface name nor the security level is shown in the output. ASA interfaces can be physical, where actual network media cables connect, or logical, where the interfaces exist internally and are passed to the network over a physical link.
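The routed-mode attributes (interface name, security level, IP address, and no shutdown) and the default security-level rule described above can be checked mechanically. This Python example is added here and is not from the book: the ASA-style configuration it parses is constructed, and the interface names and addresses are illustrative assumptions.

```python
"""Added example (not from the book): ASA-style interface readiness and default-flow checks."""

# Constructed sample configuration (assumption: names and addresses are illustrative).
# GigabitEthernet0/2 has no nameif, so the ASA would show neither a name nor a level for it.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 security-level 50
 no shutdown
"""

def parse_config(text):
    """Return {hardware name: attributes} from ASA-style config text."""
    ifaces, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        words = line.split()
        if line.startswith("interface "):
            cur = ifaces[words[1]] = {"nameif": None, "security_level": None,
                                      "ip": None, "enabled": False}
        elif cur is None:
            continue
        elif line.startswith("nameif "):
            cur["nameif"] = words[1]
        elif line.startswith("security-level "):
            cur["security_level"] = int(words[1])
        elif line.startswith("ip address "):
            cur["ip"] = words[2]
        elif line == "no shutdown":  # interfaces are administratively down by default
            cur["enabled"] = True
    return ifaces

def readiness_problems(iface):
    """Routed mode needs a name, a security level, an IP address and 'no shutdown'."""
    checks = [(iface["nameif"] is None, "missing nameif"),
              (iface["security_level"] is None, "missing security-level"),
              (iface["ip"] is None, "missing ip address"),
              (not iface["enabled"], "shutdown (no 'no shutdown' issued)")]
    return [msg for failed, msg in checks if failed]

def default_flow_permitted(src, dst):
    """With no access list applied, a connection may be initiated only from a
    higher security level toward a lower one; equal levels are blocked by default."""
    levels = src["security_level"], dst["security_level"]
    return None not in levels and levels[0] > levels[1]
```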

In this chapter, you learn how to configure both types of interfaces for connectivity and IP addressing. Example lists the physical interfaces in an ASA You can view the interface mappings with the show nameif EXEC command. This configuration gives one outside interface that can be connected to a service provider network for an Internet connection.

The remaining seven inside interfaces can be connected to individual devices on the protected network. As long as the ASA interface and the device connected to it are configured the same, the interface will automatically come up using the maximum speed and full-duplex mode. You can also statically configure the interface speed to 10, , or Mbps, as well as full or half duplex mode.

By default, physical interfaces are administratively shut down. Use the no shutdown interface configuration command to enable each one individually.

As well, you can shut an interface back down with the shutdown command. Note: Other parameters, such as the interface name, security level, and IP address, should be configured, too. All eight interfaces are connected to an internal 8-port switch, with each interface configured as an access link mapped to a single VLAN. First, a new interface is created and named vlan You can use the following CLI command to accomplish the same task:

ciscoasa(config-if)# switchport access vlan vlan-id

The vlan-id parameter represents a VLAN interface that has already been created and configured.

The interface can be in one of two operating states: up or down. When an interface is down for some reason, the ASA cannot send or receive any data through it. As a redundant pair, two interfaces are set aside for the same ASA function (inside, outside, and so on) and connect to the same network. Only one of the interfaces is active at any given time; the other interface stays in a standby state. As soon as the active interface loses its link status and goes down, the standby interface becomes active and takes over passing traffic.

The redundant interface, rather than its physical member interfaces, is configured with a unique interface name, security level, and IP address—all the parameters used in ASA interface operations. Therefore, the interface number can be 1 through 8. In fact, as soon as you enter the member-interface command, the ASA will automatically clear those parameters from the physical interface configuration. You should repeat this command to add a second physical interface to the redundant pair.

Keep in mind that the order in which you configure the interfaces is important. The first physical interface added to a logical redundant interface will become the active interface. That interface will stay active until it loses its link status, causing the second or standby interface to take over. The standby interface can also take over when the active interface is administratively shut down with the shutdown interface configuration command.

However, the active status will not revert to the failed interface, even when it comes back up. The two interfaces trade the active role back and forth only when one of them fails. The redundant interface also takes on the MAC address of the first member interface that you configure.

Regardless of which physical interface is active, that same MAC address will be used. From this point on, you should not configure anything on the two physical interfaces other than the port speed and duplex.

Note: Make sure the logical redundant interface and the two physical interfaces are enabled with the no shutdown command.

Even though they are all logically associated, they can be manually shut down or brought up independently. A new Add Redundant Interface dialog box appears, as shown in Figure Select the redundant interface number and the two physical interfaces that will operate as a redundant pair.

To enable the new redundant interface for use, be sure to check the Enable Interface check box. If the link goes down, no data can travel across it. In the previous section, you learned that a redundant interface binds two physical interfaces into one logical interface. The possibility of a link failure is reduced, because one of the two interfaces will always be up and available; however, only one of the two links can pass data at any given time.

How can you maximize availability with more than one link, while leveraging the bandwidth of all of them at the same time? Beginning with ASA software release 8. With an EtherChannel, two to eight active physical interfaces can be grouped or bundled together as a single logical port-channel interface.

Each interface must be of the same type, speed, and duplex mode before an EtherChannel can be built. On the ASA, the resulting logical interface is named interface port-channel 1. Notice that the individual links in the EtherChannel can have different interface names on each end. What matters is that the interfaces form one common EtherChannel link between the two devices. If one active interface fails, another one automatically takes its place.

Because multiple interfaces are active in an EtherChannel, the available bandwidth can be scaled over that of a single interface. Traffic is load balanced by distributing the packets across the active interfaces.

You can configure a preset combination of fields that are used. As long as the number of active interfaces is a multiple of two, the ASA can evenly distribute packets across them. The ASA and the switch use a system priority (a 2-byte priority value followed by a 6-byte switch MAC address) to decide which one is allowed to make decisions about what interfaces are actively participating in the EtherChannel at a given time.

Interfaces are selected and become active according to their port priority value (a 2-byte priority followed by a 2-byte port number), where a low value indicates a higher priority. A set of up to 16 potential links can be defined for each EtherChannel. Through LACP, up to eight of these having the lowest port priorities can become active EtherChannel links at any given time.

The other links are placed in a standby state and will be enabled in the EtherChannel if one of the active links goes down. Table summarizes the EtherChannel negotiation methods and characteristics. Under the General tab, enter an arbitrary Port Channel ID number (1 to 48) that will identify the port-channel interface.

You can repeat this process to add multiple interfaces. Make sure to select the Enable Interface check box to enable the port-channel interface for use. In Figure , interface port-channel1 has been created. After the EtherChannel interfaces are configured, you can define a name and other security parameters on the port-channel interface. These fields are not applied to the individual member interfaces; instead, they are applied to the port-channel interface.

The more varied the hash input values, the better the traffic will be distributed across the links in the EtherChannel. In some scenarios, the majority of the traffic might travel between the same two IP addresses, causing most of the packets to travel over only one link of the EtherChannel.

In that case, you can configure the EtherChannel load-balancing method to use additional information, such as a Layer 4 port number, MAC addresses, or a VLAN number, to provide more uniqueness so that the packets can be spread more evenly across the EtherChannel links.

Next, you need to configure a negotiation method for the EtherChannel. Because their individual configurations are restricted, they are shown with a lock icon next to their names.

Remember that the security parameters of an EtherChannel are configured on the Port-channel interface instead. Select the Advanced tab and use the EtherChannel drop-down menu to set the negotiation mode, which can be either Active, Passive, or On, as shown in Figure You can configure more interfaces in the channel group number than are allowed to be active in the channel.

This prepares extra standby interfaces to replace failed active ones. Set a lower LACP port priority (1 to 65,; default 32,) for any interfaces that must be active and a higher priority for interfaces that might be held in the standby state. Otherwise, just use the default scenario, in which all ports default to 32,, and the lower port numbers in interface number order are used to select the active ports.
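The LACP selection of active versus standby links (lowest port priority first, then lowest port number) and the effect of which header fields feed the load-balancing hash can both be modelled in a few lines. This Python example is added here and is not from the book: MAX_ACTIVE and DEFAULT_PRIORITY are assumed values, the XOR hash is a toy stand-in for the ASA's real hash, and the traffic flows are constructed.

```python
"""Added example (not from the book): LACP active-link selection and a toy
EtherChannel load-distribution model for a single client/server conversation."""
import ipaddress
from collections import Counter
from functools import reduce
from operator import xor

MAX_ACTIVE = 8            # assumption: at most eight links carry traffic at once
DEFAULT_PRIORITY = 32768  # assumption: default LACP port priority

def select_active(links, max_active=MAX_ACTIVE):
    """links maps port number -> LACP port priority. The lowest (priority, port)
    pairs become active; ties on priority go to the lower port number, which is
    the default-scenario behaviour. Returns (active, standby) port lists."""
    order = sorted(links, key=lambda port: (links[port], port))
    return order[:max_active], order[max_active:]

def promote_on_failure(links, failed_port, max_active=MAX_ACTIVE):
    """Drop the failed link and re-select; the best standby link takes its place."""
    remaining = {p: pr for p, pr in links.items() if p != failed_port}
    return select_active(remaining, max_active)

def _as_int(value):
    # IP addresses are hashed on their integer form; ports and VLAN ids are ints already
    return int(ipaddress.ip_address(value)) if isinstance(value, str) else int(value)

def choose_link(fields, n_active):
    """Toy stand-in for the ASA hash (assumption): XOR the selected header fields
    and take the result modulo the number of active links."""
    return reduce(xor, (_as_int(f) for f in fields), 0) % n_active

def distribution(flows, key_fields, n_active):
    """Packets per member link when only key_fields feed the hash."""
    counts = Counter(choose_link([f[k] for k in key_fields], n_active) for f in flows)
    return dict(counts)

# Constructed traffic: one client talking to one server on four source ports
FLOWS = [{"src": "192.168.1.10", "dst": "203.0.113.5", "sport": 1024 + i, "dport": 443}
         for i in range(4)]
```

Hashing on source and destination IP alone sends every packet of this conversation down one link; adding the Layer 4 ports to the hash spreads the same four flows across all four active links.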

You can use the commands listed in Example to accomplish this. You can verify the EtherChannel state with the show port-channel summary command. This should show U (in use) if the channel is operational.

Notice that both of the channel interfaces have flags P, which indicate that they are active in the port-channel. To do this, the interface is configured to operate as a VLAN trunk link. As each packet is sent over a trunk link, it is tagged with its source VLAN number.

As packets are removed from the trunk, the tag is examined and removed so that the packets can be forwarded to their appropriate VLANs. Packets that are sent out a subinterface do receive a VLAN tag. Therefore, an ASA trunk link is either on or off, according to the subinterface configuration. You should make sure that the switch port is configured to trunk unconditionally, too.

A subinterface number is added to the physical interface name to create the logical VLAN interface. This is an arbitrary number that must be unique for each logical interface. The subinterface number does not have to match the VLAN number, although it can for convenience and readability. As an example, Figure shows a network diagram of a trunk link between an ASA and a switch.

The trunk link can be configured with the commands listed in Example Subinterfaces used in a trunk link must first be added or created. Select the hardware port or physical interface that will be used for the trunk link. By default, the ASA platform includes the interface vlan 1 and interface vlan 2 commands in its configuration. First, create the individual VLANs with the interface vlan vlan-id configuration command.

Then, configure the physical interface to operate in IEEE Hardware names are predefined and cannot be changed. An ASA uses the interface name when security policies are applied. To assign an interface name to an ASA interface, you must first enter the interface configuration mode. The interface name is set by entering the name into the Interface Name field.

The only exception is when the ASA is configured to operate in transparent mode. For example, if the first octet of the IP address is 1 through 1. If you use subnetting in your network, be sure to specify the correct subnet mask rather than the classful mask Continuing the process from Example , so that the outside interface is assigned IP address This is handy because the default route should always correlate with the IP address that is given to the interface.

If the setroute keyword is not entered, you will have to explicitly configure a default route. For the subnet mask, you can type in a mask or select one from a drop-down menu. This exam tests a candidate's knowledge of implementing and operating core security technologies including network security, cloud security, content security, endpoint protection and detection, secure network access, visibility and enforcements.

The Securing Networks with Cisco Firepower v1. This exam tests a candidate's knowledge of Cisco Identity Services Engine, including architecture and deployment, policy enforcement, Web Auth and guest services, profiler, BYOD, endpoint compliance, and network access device administration.

This exam tests a candidate's knowledge of Cisco Email Security Appliance, including administration, spam control and antispam, message filters, data loss prevention, LDAP, email authentication and encryption, and system quarantines and delivery methods. This exam tests a candidate's knowledge of Cisco Web Security Appliance, including proxy services, authentication, decryption policies, differentiated traffic access policies and identification policies, acceptable use control settings, malware defense, and data security and data loss prevention.

This exam tests a candidate's knowledge of implementing secure remote communications with Virtual Private Network (VPN) solutions including secure communications, architectures, and troubleshooting.

The course, Implementing Cisco Security Automation Solutions, helps candidates to prepare for this exam. Best-in-class innovations across firewall, intrusion prevention, web and email security, remote workforce security, and network access control, coupled with advanced policy management, are fundamental to Cisco's products. Register now to access these demo-focused webinars and find out how Cisco Modeling Labs can help you and your organization.
