Security

The video presents an alternative to assigning IP address to DMVPN spoke tunnel interface using a centralized DHCP server. We look at this feature in a dual-hub environment, point out some routing caveats with return DHCP packet to the router acting as a relay agent, and a quick resolution.

The video demonstrates another method of achieving redundancy in your DMVPN deployment using NHS cluster and recovery backup feature. We look at how routing and EIGRP neighbor adjacency changes when a spoke registers to one or more NHS at a time in the same cluster, and observe the failover behavior. This feature provides a good compromise between failover time and routing simplicity.

The video presents you with various options to implement certificate Auto-Enrollment for network devices using SCEP. By default, a one-time challenge password needs to be generated and used per network device. This can be cumbersome and impractical in case the number of device is large. An alternative is to disable the use of challenge password entirely, but this could post security concern, although is potentially desirable in lab environment. An acceptable solution might be disabling auto-approval and have the CA admin approve certificate requests manually.

The video walks you through an installation of Cisco ACS 5.x (we use 5.3 for our demonstration) VMware version. We will guide you step-by-step through the installation process. At the end of this lab, you should have a working ACS server that you can use for RADIUS and TACACS+ authentication in future labs. No configuration, other than the setup process, is performed in this video. The video assumes that you have basic working knowledge of VMware ESXi.

The video walks you through an installation of Enterprise Certificate Authority (CA) and Network Device Enrollment Service (NDES) (aka SCEP) on a Windows 2008. We will test the server with a certificate request through web enrollment from a Windows client, as well as SCEP from a Cisco router. SCEP communication is captured and reviewed on Wireshark. At the end of the video, you should have a working CA server that you can use for certificate authentication in future labs.

The video combines the knowledge from our two previous videos on Object NAT and Twice NAT, and provides some guidelines on how to use them together on a single NAT table. We also discuss about pre-8.3 migration strategies and how the legacy command syntax (eg. nat, global, static, access-list) can be mapped to the new. We finish off the video with an experiment on the placement of destination NAT statement on the NAT table, and note its significance. We hope that you will have a better understanding on ASA 8.3 NAT by the end of this video.

The video looks at how to configure Twice NAT on a Cisco ASA 8.3. We go through NAT configuration syntax for different type of NAT scenarios and examine some characteristics specific to Twice NAT.

The video looks at how to configure Object NAT on a Cisco ASA 8.3. We go through NAT configuration syntax for different type of NAT scenarios and examine some characteristics specific to Object NAT.

The first half of the video shows you how to specify an interesting traffic that will cause a DMVPN spoke-to-spoke tunnel to be initiated, and utilized. In the second half, we will look at an ability to configure per-tunnel QoS from hub to spokes using NHRP group.

The video shows you how to build a redundant DMVPN network with dual-hub dual-cloud design. The failover capability is provided by routing protocol. With EIGRP chosen for demonstration in this video, we show how to perform a simple tweak in the routing metric to solve potential asymmetrical routing. The video concludes with failover testing and shows that spoke-to-spoke traffic is not interrupted upon a Hub failure.