Security

SEC0020 - Router EZVPN with Dynamic Virtual Tunnel Interface (DVTI)

The video demonstrates the configuration of Easy VPN (EZVPN) using Dynamic Virtual Tunnel Interface (DVTI) on Cisco routers and explains its benefit over the conventional EZVPN with 'crypto map' or a tunnel interface with GRE. Here we introduce the concept of Virtual-Template. The second half of the video shows examples of additional features that you can implement with VTI, using QoS and multicasting.

Rating: No votes yet
Difficulty Level: 3

SEC0019 - Router EZVPN with Network-Extension Mode, Multiple Subnets, and NAT Support

The video demonstrates the three operational modes available on the Cisco Easy VPN (EZVPN) router hardware client, namely Client, Network Extension, and Network Extension Plus, and explains when they should be used. We will also look at how to support multiple remote subnets, and at NAT compatibility, specifically when you run Network Extension or Network Extension Plus. These configurations only pertain to the hardware client side.

Rating: No votes yet
Difficulty Level: 3

SEC0018 - EZVPN Connect and XAuth Mode Options

The video demonstrates various methods an EZVPN hardware client can use to initiate an IPSec connection. In this lab, the headend router is set up with Easy VPN (EZVPN) with Pre-shared key authentication, while the client is configured to run in Client Mode. We then explore different 'connect' and 'xauth' configuration options on the client side.

Rating: No votes yet
Difficulty Level: 2

SEC0017 - ASA EZVPN with Pre-Shared Key & Certificate

The video walks you through the configuration of Easy VPN (EZVPN) with Pre-shared key and certificate authentication on a Cisco headend ASA firewall. The hardware client router is running Client Mode and is configured to automatically connect using a locally stored credential. This video is a counterpart of SEC0015 and SEC0016, which use a headend router. Here we introduce the concepts of 'group-policy' and 'tunnel-group' that are unique to the ASA, while most crypto command syntax is very similar to that on a router.

Rating: Average 5 (1 vote)
Difficulty Level: 0

SEC0016 - Router EZVPN with Certificate

The video walks you through the configuration of Easy VPN (EZVPN) with Certificate authentication on a Cisco headend router. The hardware client router is running Client Mode and is configured to automatically connect. The headend router already has a certificate installed through SCEP (see SEC0014 - Certificate Installation on Router and ASA), while we demonstrate a manual certificate import on the hardware client. XAuth can also be enabled concurrently, although we have XAuth disabled in this lab.

Rating: Average 5 (1 vote)
Difficulty Level: 0

SEC0015 - Router EZVPN with Pre-Shared Key and XAuth

The video walks you through the configuration of Easy VPN (EZVPN) with Pre-shared key authentication on a Cisco headend router. The hardware client router is running Client Mode and is configured to automatically connect using a locally stored credential. We demonstrate the unique characteristics of Client mode, where connections can only be initiated from the remote client because the client router performs PAT on the source IP. Any resources local to the client are inaccessible from the headend side.

Rating: Average 5 (1 vote)
Difficulty Level: 0

SEC0014 - Certificate Installation on Router and ASA

The video demonstrates how to install an SSL certificate on a Cisco router and ASA firewall, both manually and via SCEP. Windows 2008 running an Enterprise CA server is used in this lab to provide auto-enrollment. For manual enrollment, a Certificate Signing Request (CSR) is created on a network device and submitted to the CA through web enrollment. The issued certificate is then imported to the device. SCEP, on the other hand, automates the enrollment process into a single command through an HTTP transaction, provided the CA is reachable from the devices.

Rating: Average 5 (1 vote)
Difficulty Level: 0

SEC0013 - DMVPN DHCP Tunnel Support

The video presents an alternative method of assigning an IP address to a DMVPN spoke tunnel interface: using a centralized DHCP server. We look at this feature in a dual-hub environment, point out some routing caveats with the return DHCP packets to the router acting as a relay agent, and show a quick resolution.

Rating: No votes yet
Difficulty Level: 2

SEC0012 - DMVPN NHS Cluster and Recovery Backup

The video demonstrates another method of achieving redundancy in your DMVPN deployment using the NHS cluster and recovery backup feature. We look at how routing and EIGRP neighbor adjacencies change when a spoke registers to one or more NHSs at a time in the same cluster, and observe the failover behavior. This feature provides a good compromise between failover time and routing simplicity.

Rating: Average 3 (2 votes)
Difficulty Level: 0

SEC0011 - Windows 2008 CA SCEP Auto-Enrollment Options

The video presents you with various options to implement certificate Auto-Enrollment for network devices using SCEP. By default, a one-time challenge password needs to be generated and used per network device. This can be cumbersome and impractical when the number of devices is large. An alternative is to disable the use of the challenge password entirely, but this could pose a security concern, although it is potentially desirable in a lab environment. An acceptable solution might be disabling auto-approval and having the CA admin approve certificate requests manually.

Rating: No votes yet
Difficulty Level: 1
