CCNP Security SISAS 300-208 Official Cert Guide (2015)

Part I: The CCNP Certification

Chapter 1. CCNP Security Certification

This chapter covers the following topics:

• CCNP Security Certification Overview

• Contents of the CCNP-Security SISAS Exam

• How to Take the SISAS Exam

• Who Should Take This Exam and Read This Book

• Format of the CCNP-Security SISAS Exam

• CCNP-Security SISAS 300-208 Official Certification Guide

The Cisco Certified Network Professional (CCNP) certification program has several technology tracks including Security, Routing and Switching, Data Center, Service Provider, Service Provider Operations, Voice, and—last but not least—Wireless. This book focuses on one of the four exams required to achieve your CCNP-Security certification: Implementing Cisco Secure Access Solutions (300-208 SISAS).

You might already have other Cisco certifications in other networking technologies, or this may be your first foray into the Cisco certification process. You might instead be reading this book to enrich your skill set for your job and not even take the exam. Whichever the case, you have chosen a great resource to further your learning, and we wish you the best of luck in your studies.

CCNP Security Certification Overview

Security is an ever-evolving and growing networking technology—a technology that will likely be needed for generations to come. As the protocols, applications, and user base that communicate over a network change and evolve, so must the security approach that is implemented. Network security requires a holistic approach whereby a single chink in the security armor can equal a significant compromise of intellectual property and result in costly network downtime.

The CCNP Security certification track provides a solid basis in four key Cisco security technologies—Access Solutions, Firewall Solutions (IOS and ASA), Virtual Private Network (VPN) Solutions, and Threat Control Solutions. As highlighted previously, the focus of this book is on the implementation of Secure Access Solutions (Cisco Certification 300-208 SISAS). Table 1-1 lists the four exams required to receive the CCNP-Security Certification.


Table 1-1 CCNP-Security Exam Technologies

By educating yourself in these areas of the Cisco security solutions portfolio, you will be well equipped to implement a well-rounded security infrastructure onto your network.

Contents of the CCNP-Security SISAS Exam

To study effectively for an exam, it is important to know what is actually going to be on the exam. Cisco fully understands this need and provides a “blueprint” for each of its certification exams. These blueprints give a high-level overview as to what is covered on the exam. By diving deeper into each of these blueprint topics, you will become better prepared for your certification exam.

To view the blueprints for the complete CCNP exam certification tracks, you can browse to This webpage contains links to each of the CCNP certification tracks, including the CCNP-Security track. If you would like to jump directly to the CCNP-Security track, you can leverage the former name of the CCNP-Security—CCSP (Cisco Certified Security Professional). The link to go directly to the CCNP-Security certification track is

To drill down specifically to the SISAS exam blueprint, click the link under Exams and Recommended Training corresponding to the SISAS exam. On this page, you will find a number of tabs that provide high-level descriptions of the SISAS exam, exam topics, recommended training, as well as additional resources. As you review the blueprint (under Exam Topics) and other content pertaining to the SISAS exam, you might find that many topics overlap with other Cisco certifications—namely, CCNA and CCNA-Security certifications. You can choose to enhance your studies by reviewing some of the topics covered in these other exams to refresh your core knowledge.

The topics contained on the CCNP-Security SISAS exam are provided in Table 1-2.



Table 1-2 CCNP-Security SISAS Exam (300-208) Topics

Besides the training resources provided on the SISAS exam page, you also can find study resources at the links provided in Table 1-3. Other unofficial texts, video, and online training resources can also be found via your favorite online search engine.


Table 1-3 Additional Training Resources

How to Take the SISAS Exam

To take the CCNP-Security SISAS Exam, browse to and click the link for the SISAS certification. You will find information about the exam including the languages in which the exam is offered, the duration of the exam, and a link to register for the exam. At the time of publication of this book, the only approved testing vendor for the SISAS exam is Pearson VUE. To register, click the Pearson VUE link, create an account, and register for the 300-208 SISAS exam. You will then be allowed to select a time and testing center that is most convenient to you.

Who Should Take This Exam and Read This Book?

The SISAS 300-208 Exam is just one piece of the CCNP-Security certification track. For this reason, the primary audience for this book is those people who are working toward the CCNP-Security certification. Furthermore, this book can be used either as the totality of the study material or to supplement other study resources (other texts, videos, instructor-led training, online training, and so on). Whether you are participating in formalized training for the SISAS exam or studying on your own, this text is for you.

Those who take the CCNP-Security certification or other CCNP exams are often those individuals who require this level of expertise in their jobs or their intended career paths. Sometimes, the CCNP-level exams are the pinnacle of an individual’s intended training—once his CCNP certification is achieved, the recipient chooses to not pursue additional certifications. Other times, the CCNP exams are used as a stepping-stone to higher certifications. In this latter case, the next step in the certification progression is to take the CCIE in the relevant discipline. If the CCNA is the bachelor’s degree equivalent of the certification hierarchy and the specialist certifications are minors in a particular discipline, the CCNP of that discipline is a master’s degree. If we were to continue this analogy, the CCIE would be the Ph.D. of the specific technology. See Figure 1-1 and Table 1-4.


Figure 1-1 Cisco certification hierarchy.




Table 1-4 Security Certification Comparison Chart

Format of the CCNP-Security SISAS Exam

If you have taken other Cisco certification exams, this exam format will not be much different. After registering for the SISAS exam, you will have a date and location for taking your exam. It is recommended that you arrive at the testing center 15–20 minutes ahead of your testing schedule. You will then be asked to present two forms of personal identification: a government-issued picture ID and a second form that has at least your signature. You will then be asked to put all of your personal effects into a locker or other secure area as you walk into the testing room. As all Cisco certification exams are closed book, you will not be allowed to take any study materials into the exam room.

The testing room contains a number of testing PCs, often isolated in their own cubicles to encourage privacy and minimize any interruptions between those who are taking exams. Your testing proctor will escort you into the testing room. You will be provided earplugs and two sheets of writing material (front and back of each sheet is usually available). Often, these are laminated sheets with a white-erase marker and eraser, allowing you to reuse the sheets as often as you require during your exam. Further details about your testing experience will be provided at the base of the confirmation letter as you schedule your exam.

When you start your exam, you will be given the option of taking a sample quiz. This sample quiz will allow you to become familiar with the exam’s format. If you are familiar with using a computer, the test engine of the sample quiz, and of the actual exam, will likely be easy to navigate.

The CCNP-level exams follow the same format and construction as the CCNA-level exams and include the following question types:

• Multiple-choice

• Single-answer

• Multiple-answer

• Drag-and-drop

• Fill-in-the-blank

• Testlet

• Simlet

• Simulated lab

Multiple-choice questions can take on one of two formats—single-answer and multiple-answer. With the single-answer, multiple-choice questions, you are given a question with several options for the correct answer. You are asked to select only one of the options using a round radio button to the left of the chosen answer—point your mouse icon at the radio button and left-click the mouse. For the multiple-answer, multiple-choice questions, you still are given a question with several options for the correct answer. However, you usually are asked to select a prescribed number of correct answers—for instance, “Choose 3.” You select these using a square radio button to the left of the chosen answers. If you attempt to choose too many answers, you are prompted to choose only the prescribed amount.

Drag-and-drop questions test your ability to match or put into order a number of words/concepts. You select one option by left-clicking the option and then, while still maintaining the left-click, move the option to another part of the screen. Often, you must match an option from one side of the screen to a related option on the other side of the screen. At times, there may be more “answers” on the left than there are slots to fill on the right. In this case, you have to narrow down your choices to those answers that best match the slots on the right.

Although very uncommon, the Cisco certification testing environment does allow for the fill-in-the-blank question format. In this type of question, a question is asked and the tester is expected to input the correct answer into the fill-in-the-blank box.

A testlet is a question in which a scenario is given. You are given multiple options to choose from to address the given scenario.

The simlet questions provide a simulated scenario. You are asked a number of questions—usually multiple-choice questions. After answering all of the multiple-choice questions, you can submit your collective answer from the simlet. Be sure that you have answered all of the multiple-choice answers before submitting the simlet.

The final question format is a simulated lab. The exam software has the ability to emulate a number of Cisco devices interconnected in a simulated network. As part of this simulated lab question type, you are asked to configure the relevant network devices. You interact with the simulated device in a manner similar to how you would interact with the device in a real, live network. If a graphical user interface (GUI) is the normal method of configuring the test device, you must use the GUI to change the configuration and behavior of the affected device. If you normally use the command-line interface (CLI) to configure a device, the CLI can be the best way to configure the device during your exam. In this simulated lab environment, not all commands are available and the standard context-sensitive help available on Cisco routers and switches (the ? button) or tab-completion for commands might not be available. However, all commands that are needed to complete the question adequately should be available.

Again, the format of the CCNP-level tests is similar to the format of CCNA-level tests. Examples of the question formats are available on Cisco’s Learning Network. The direct link to this Exam Tutorial can be found at

CCNP-Security SISAS 300-208 Official Certification Guide

As you review the contents of this book, take every opportunity you can to apply the information to your daily job, your studies, and any supplemental training you might do. By applying the information within this book whenever possible, it will help to reinforce the material, making it more relevant to your particular application and—hopefully—making it easier to remember when you take the actual certification exam.

The first section of the book is what you are reading right now; this is an overview of the CCNP-Security SISAS exam and everything that goes into it. Hopefully, you have a pretty good understanding as to what to expect as you schedule your exam.

In the second section of the book, the focus is on identity management and secure access. In this section, we discuss how to manage the users as well as how to allow them secure access to the network. This section presents the basis of authentication, authorization, and accounting (AAA). We cover the management of users, leveraging the internal user database of Cisco’s Identity Services Engine (ISE), as well as third-party enterprise databases. The verification of the user via one of these databases—internal or external—is called authentication.

You can use a number of methods to authenticate a user when she is joining the network. We cover several of these authentication methods and the underlying protocols in this section of this book. We discuss how to authenticate a wired and wireless user using 802.1X, MAC Authentication Bypass, as well as nonstandard flows such as local and centralized web authentication.

After you’ve authenticated the user, you need to dictate the level of access that the user will be given on the network. This process is called authorization. Authorization often leverages the authentication step—providing differentiated access to each endpoint based as much on the user who owns the device as on the device itself.

We round out this section of the book by discussing some advanced concepts and diving deeper into some of the details of how ISE and the supporting network infrastructure accomplish what they need to accomplish. By the end of this first section, you should have a good overview of the end-to-end AAA process.

The third section of the book focuses on Cisco’s Identity Services Engine (ISE) and its configuration. We discuss the specific roles that each persona plays in the ISE architecture and several common deployment scenarios. After this overview of ISE architecture, we walk you through the ISE GUI and do some initial configuration of ISE, including certificate generation and assignment as well as identity stores—those internal and external databases that provide us the authentication function.

After we have firmly established a complete understanding of AAA concepts and constructs, we start to affect the policy on ISE for both authentication and authorization. We walk you step-by-step through how ISE is configured for authentication and authorization policies—highlighting all the building blocks that are required for a typical enterprise deployment.

Depending on the method of access (for example, wired versus wireless), the manner in which you enforce the level of access can change. For instance, the enforcement mechanisms (VLANs, access control lists, Security Group Access, and so on) can be different depending on the method of access. By combining the Authentication Method (802.1X, MAB, and so on), the method of access (wired versus wireless), endpoint posturing, and profiling, you can leverage ISE to granularly apply differentiated access to each endpoint individually.

The fourth section of this book moves most of its focus away from ISE and onto the individual network devices that form the network infrastructure—the switches and wireless LAN controllers. We review how to configure the various switching and wireless platforms to put our AAA policy into action—leveraging 802.1X, MAB, as well as local and centralized web authentication.

We finish off the fourth section of this book by reviewing some special use cases—how to configure guest services within ISE as well as how to profile devices as they try to join the network. Configuring guest services can be essential to an enterprise deployment, by providing either basic Internet access to employees or access to vendors and visitors. Profiling is a process whereby ISE can make an intelligent guess as to which type of device is joining the network, making granular authorization decisions based on device type. By the end of this fourth section, you should have a solid understanding of how to secure your network leveraging ISE as the AAA server and the infrastructure devices to enforce the ISE’s policy.

As we get into the fifth section of this book, we start to apply more of our knowledge in an advanced manner. Up to this point, we were doing basic configuration and basic policy enforcement. In this section, we incorporate certificate-based user authentication—authenticating a user based on an X.509 certificate, issued by either ISE or a third-party device. The ability to use certificates to validate a user can greatly enhance the level of security in the authentication process.

Bring Your Own Device (BYOD) is also an advanced topic covered in this section of the book. BYOD is a process and security infrastructure that allows a user to bring his personal smart device onto the corporate network. The BYOD onboarding process allows a user to self-manage his device and registers the device to the corporate network. A number of special portals and configurations are required to allow for an effective BYOD deployment. To ensure that this personal device doesn’t adversely affect the network or gain access to unauthorized resources, ISE can provide differentiated access to the endpoint based on several key factors.

The next advanced topic reviewed in this section is TrustSec and MACSec. We provide a quick overview of these two topics and highlight some of the benefits as well as the constructs and configurations that affect the Security Group Access configuration and enforcement both on the device and within ISE.

The final topic we address in this section is posture assessment. Posturing and profiling are sometimes used interchangeably, but that is not accurate. Profiling often leverages information that is readily available via protocols that run over the network—including protocols such as RADIUS, DHCP, HTTP, as well as MAC addresses that are provided within the RADIUS exchange protocol. By replicating or otherwise sending this data to ISE as a client joins the network, profiling is able to make an intelligent decision as to the type of device that is trying to join the network, without ever actively probing the device. Posturing is a little more entrenched at the client/endpoint level. Posturing leverages information contained deep in the configuration of the endpoint, requiring a posturing agent to be run on the endpoint. After key information is read from the endpoint via this agent, the ISE makes a decision as to whether the device/user is compliant to be allowed access to the network and, if so, what level of access the user should be given.

The sixth section of this book is geared toward the operational aspects of having ISE. As part of this chapter, we discuss how to slowly roll out your ISE deployment to minimize network outages. By leveraging deployment phasing, a network administrator can be in “monitor mode” whereby a device will not be denied access to the network but a log is thrown if the user doesn’t match an available policy. This enables network administrators to fully discover and understand the endpoints on their networks without having an adverse effect on users. After the network administrators are confident that they have reasonably triaged any unknown endpoints, they can gradually increase the level of policy enforcement.

A second important topic covered in the sixth section is ISE scale and high availability. This section highlights how to configure and deploy a distributed ISE architecture to accommodate additional load, demand, and possible additional features. Each instance of ISE has an upper limit based on the platform and particular software on which it is running. By providing a distributed deployment architecture, the ISE deployment can grow as a company grows, incorporating a new ISE appliance whenever needed.

As we round out the sixth section, we provide the reader some tips and tricks to troubleshoot ISE. Some of these tools include a configuration validator, Live Logs, as well as a TCP dump. In the right hands, these tools can provide all the necessary information to isolate any quality or network issues.

In the final section, section seven, we describe the steps that you’ll need to take to prepare for the CCNP-Security SISAS.

Book Features and Exam Preparation Methods

This book uses several key methodologies to help you discover the exam topics on which you need more review, to help you fully understand and remember those details, and to help you prove to yourself that you have retained your knowledge of those topics. Therefore, this book does not try to help you pass the exams only by memorization, but by truly learning and understanding the topics.

The book includes many features that provide different ways to study to be ready for the exam. If you understand a topic when you read it but do not study it any further, you will probably not be ready to pass the exam with confidence. The features included in this book give you tools that help you determine what you know, review what you know, better learn what you don’t know, and be well prepared for the exam. These tools include

• “Do I Know This Already?” Quizzes—Each chapter begins with a quiz that helps you determine the amount of time you need to spend studying that chapter.

• Foundation Topics—These are the core sections of each chapter. They explain the protocols, concepts, and configuration for the topics in that chapter.

• Exam Preparation Tasks—The Exam Preparation Tasks section lists a series of study activities that should be done after reading the Foundation Topics section. Each chapter has the activities that make the most sense for studying the topics in that chapter. The activities include

• Planning Tables—The SISAS exam topics include some perspectives on how an engineer plans for various tasks. The idea is that the CCNP-level engineer in particular takes the design from another engineer, plans the implementation, and plans the verification steps, handing off the actual tasks to engineers working during change-window hours. Because the engineer plans the tasks but might not be at the keyboard when implementing a feature, that engineer must master the configuration and verification commands so that the planned commands work for the engineer making the changes off-shift. The planning tables at the end of the chapter give you the chance to take the details in the Foundation Topics core of the chapter and think about them as if you were writing the planning documents.

• Key Topics Review—The Key Topic icon is shown next to the most important items in the Foundation Topics section of the chapter. The Key Topics Review activity lists the key topics from the chapter and their corresponding page numbers. Although the contents of the entire chapter could be on the exam, you should know the information listed in each key topic. Review these topics carefully.

• Memory Tables—To help you exercise your memory and memorize some lists of facts, many of the more important lists and tables from the chapter are included in a document on the CD. This document lists only partial information, allowing you to complete the table or list. CD-only Appendix D holds the incomplete tables, and Appendix E includes the completed tables from which you can check your work.

• Definition of Key Terms—Although Cisco exams might be unlikely to ask a question such as “Define this term,” the SISAS exam requires that you learn and know a lot of networking terminology. This section lists some of the most important terms from the chapter, asking you to write a short definition and compare your answer to the Glossary on the enclosed CD.

• CD-based practice exam—The companion CD contains an exam engine, including a bank of multiple-choice questions. Chapter 23, “Final Preparation,” gives two suggestions on how to use these questions: either as study questions or to simulate the SISAS exam.

• Companion website—The website posts up-to-the-minute materials that further clarify complex exam topics. Check this site regularly for new and updated postings written by the author that provide further insight into the more troublesome topics on the exam.