VPN 2.0 Exam
dover
Member Posts: 184 ■■■■□□□□□□
Well, I sat the VPN 2.0 exam yesterday and passed with a 938. I have to say I was much less interested in the topic than for the FIREWALL exam. I’m not sure if it was the text or just the topics in general. In all I think the exam was fair, but I expected much more in terms of being expected to know - and verify - configurations from the CLI side.
I tore through the FIREWALL material in about 4 months because I enjoyed it so much and spent so much time labbing and reading. The VPN exam was different. I had to slug my way through starting in August. During that time, I was able to use the VPN skills I was learning about in the real world. My organization migrated away from a hosted (read EXPEN$IVE) FR/MPLS network to a full mesh site-site VPN topology that I got to lead and implement.
The only advice I have would be to focus quite a bit on the ASDM - but be aware of the CLI configurations and commands for troubleshooting and verification. Lab everything! Particularly certificate-based authentication for remote access and site-site VPN access. All the VPN client software - AnyConnect Secure Mobility and the VPN Client. Secure Desktop - there are some stumbling blocks getting it all to work properly, particularly with Vista and 7 clients. I would definitely read the AnyConnect deployment guide too.
Here are most of the resources I used:
CCNP Security VPN 642-648 Official Cert Guide (2nd Edition)
Cisco ASA 5500 Series Config Guide using the CLI 8.4 and 8.6
Cisco ASA 5500 Series Configuration Guide using ASDM, 6.4 and 6.6
Cisco Secure Desktop Config Guides
Cisco AnyConnect Secure Mobility Client Admin Guide (3.0 is on the exam)
IKEv2 RFC 5996
CCNP Security VPN 642-648 Quick Reference
Oh, I also tried a CBT Nuggets 24-hour Cram Session for (I think) $25 and watched all of the videos this past weekend. I did catch a few tips and tricks so I'd say it was worth it.
Hope it helps.
Comments
-
Master Of Puppets Member Posts: 1,210
Congrats on the pass and a very good result! Thanks for the information, it is extremely helpful. Can't wait to start my CCNP Security studies (I'm gonna do the NP in R&S first).
So, you passed the VPN and the FIREWALL and you have SECURE and IPS left?
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
-
dover Member Posts: 184 ■■■■□□□□□□
Thanks!
I've done SECURE - well actually SECURE's predecessor SNRS (642-504) - which appears to still count towards the CCNP Security. So I just started working on IPS. So far, the IPS text and material is exceptional. I've read the entire Official Cert Guide in the last 12 days. Of course, I'm going to have to go back through and take notes, lab and possibly do the CBT Nuggets, but this is material that I really enjoy. The SANS Intrusion Detection course I took a year ago really sparked my interest in IDS/IPS, packet inspection and signature writing/tuning.
The only drawback I see with the Cisco IPS is that I'm going to have to do rack-rental to get real hands-on labbing done. With Firewall and VPN I had access to a ton of physical ASA's and could supplement with GNS3. I probably did a couple hundred hours of hands on labbing for both of those. With rack-rentals I'm going to have to get as much out of the time as possible.
Also, it looks like the Gigavelocity racks are the only ones supporting IPS7 with the Cisco IME so far. But since the CCIE Security v4 changes were announced the other rack rentals should start offering the new hardware/software list.
After IPS I'm planning on doing the CCNP R/S ROUTE, SWITCH and TSHOOT before (maybe) concentrating on tackling CCIE Security.
-
Master Of Puppets Member Posts: 1,210
Just awesome! Good luck on the IPS studies although, by the looks of it, you're not going to need it. It would be very much appreciated if you keep us current on your progress. Thanks.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
-
Maced129 Member Posts: 78 ■■□□□□□□□□
Congrats on the pass! I'm working on this exam as well, I'm with you, I was pretty excited to get to this part of the CCNP:Sec but finding it rather boring compared to FIREWALL so far.
Anyways, check out proctorlabs, they just released their cciev4 security racks (including the other tracks) as well.
-
cisco_trooper Member Posts: 1,441 ■■■■□□□□□□
The only drawback I see with the Cisco IPS is that I'm going to have to do rack-rental to get real hands-on labbing done. With Firewall and VPN I had access to a ton of physical ASA's and could supplement with GNS3. I probably did a couple hundred hours of hands on labbing for both of those. With rack-rentals I'm going to have to get as much out of the time as possible.
Put an IPS Module in one of your ASAs. The IPS Features are nearly identical across the available IPS platforms. I've read that book and set up a 5515X with the new software IPS module. It wasn't too bad once you realize that management traffic is no longer allowed to traverse the firewall. You have to implement a "janky" routing configuration, but it isn't terrible.