CCIE Security Lab Version 4 VPN Topic Checklist

As I start back in my CCIE Security studies, I am going to start with the Lab items for VPNs – here they are:

  • Understanding Cryptographic Protocols (ISAKMP, IKEv1 and IKEv2, ESP, Authentication Header, CA)
  • IPsec VPN Architecture on Cisco IOS Software and Cisco ASA Security Appliance
  • Configuring VPNs Using ISAKMP Profiles
  • Configuring VPNs Using IPsec Profiles
  • GRE over IPsec Using IPsec Profiles

  • Router-to-Router Site-to-Site IPsec Using the Classical Command Set (Using Preshared Keys and Certificates)
  • Router-to-Router Site-to-Site IPsec Using the New VTI Command Set (Using Preshared Keys and Certificates)
  • Router-to-ASA Site-to-Site IPsec (Using Preshared Keys and Certificates)
  • Understanding DMVPN architecture (NHRP, mGRE, IPsec, Routing)
  • DMVPN Using NHRP and mGRE (Hub-and-Spoke)
  • DMVPN Using NHRP and mGRE (Full-Mesh)
  • DMVPN Through Firewalls and NAT Devices
  • Understanding GETVPN Architecture (GDOI, Key Server, Group Member, Header Preservation, Policy, Rekey, KEK, TEK, and COOP)
  • Implementing GETVPN (Using Preshared Keys and Certificates)
  • GETVPN Unicast Rekey
  • GETVPN Multicast Rekey
  • GETVPN Group Member Authorization List
  • GETVPN Key Server Redundancy
  • GETVPN Through Firewalls and NAT Devices
  • Integrating GET VPN with a DMVPN Solution
  • Basic VRF-Aware IPsec
  • Enabling the CA (PKI) Server (on the Router and Cisco ASA Security Appliance)
  • CA Enrollment Process on a Router Client
  • CA Enrollment Process on a Cisco ASA Security Appliance Client
  • CA Enrollment Process on a PC Client
  • Clientless SSL VPN (Cisco IOS WebVPN) on the Cisco ASA Security Appliance (URLs)
  • AnyConnect VPN Client on Cisco IOS Software
  • AnyConnect VPN Client on the Cisco ASA Security Appliance
  • Remote Access Using a Traditional Cisco VPN Client – on a Cisco IOS Router
  • Remote Access Using a Traditional Cisco VPN Client – on a Cisco ASA Security Appliance
  • Cisco Easy VPN – Router Server and Router Client (Using DVTI)
  • Cisco Easy VPN – Router Server and Router Client (Using Classical Style)
  • Cisco Easy VPN – Cisco ASA Server and Router Client
  • Cisco Easy VPN Remote Connection Modes (Client, Network, Network+)
  • Enabling Extended Authentication (XAUTH) on Cisco IOS Software and the Cisco ASA Security Appliance
  • Enabling Split Tunneling on Cisco IOS Software and the Cisco ASA Security Appliance
  • Enabling Reverse Route Injection (RRI) on Cisco IOS Software and the Cisco ASA Security Appliance
  • Enabling NAT-T on Cisco IOS Software and the Cisco ASA Security Appliance
  • High-Availability Stateful Failover for IPsec with Stateful Switchover (SSO) and Hot Standby Router Protocol (HSRP)
  • High Availability Using Link Resiliency (with Loopback Interface for Peering)
  • High Availability Using HSRP and RRI
  • High Availability Using IPsec Backup Peers
  • High Availability Using GRE over IPsec (Dynamic Routing)
  • Basic QoS Features for VPN Traffic on Cisco IOS Software and the Cisco ASA Security Appliance
  • Identifying Injected Errors in Troubleshooting Scenarios (for Site-to-Site, DMVPN, GET VPN, and Cisco Easy VPN)
  • Understanding and Interpreting the show crypto Commands
  • Understanding and Interpreting the debug crypto Commands
  • Anyconnect VPN including DAP support
  • MacSec (switch-switch, Host-switch)
  • Wireless Security on AP and WLC
  • EAP methods
  • WPA/WPA-2
  • WIPS

14 thoughts on “CCIE Security Lab Version 4 VPN Topic Checklist

    1. I got stalled in my studies due to a current Cisco Press project! So I will be restarting this weekend. I have also decided to start with the ASA – then move to VPNs.

  1. Hi Anthony ,

    May you please list and discuss the topics for ASA required for CCIE v4 lab with refrences .

    Best Regards

    Sameer Ahmad

  2. Hi Anthony…will push my R&S studies and hope fully will finish with you 😀 Do you have a time table for studies??

    1. That is very exciting! I have no timelines calculated yet – I just am going to work on it every day and then gauge how long I think it will take. You can follow along here of course.

  3. Greetings Anthony,

    Thanks for putting up this list! I’ve started my studies for IE Sec v4 with the VPN section so I’ll use it as a check list to strike off what is done.

    Regards,
    Shoaib

    1. It is my pleasure! I will get VERY active with this blog once my exam is passed. I am in the final weeks of preparation now for attempt number 2. This will be my first attempt at Version 4.

  4. Hello Sir, I would like to go through all the vpn sections, please can you guide me for reference docs , for all these vpn topics?

  5. Let me give you an example – let’s say we need documentation on Reverse Route Injection in IOS. I would find this as follows:

    Cisco.com – Support – Product Support – All Products – Cisco IOS – 15.0M – Configuration Guides – Secure Connectivity – VPN Availability – RRI

    1. Hello SKMR

      I am afraid that might be a while. I am currently working on the Cisco Data Center track and it might be some time before I return to CCIE Security studies. 🙁

      I would recommend you check out the CCIE Security forum at the Cisco Learning Network – it is probably the most active area now.

Leave a Reply

Your email address will not be published. Required fields are marked *