Learning Path

Implementing Cisco Network Security, Part 2

Time to complete: 2h 24m

Published by O'Reilly Media, Inc.

Created July 2019

This is the second part in a three-part learning path series, designed for intermediate-level engineers with some proficiency in Cisco networking and Internet Operating System (IOS) concepts. In this part, you continue with the next steps to prepare for the Cisco 210-260 IINS exam. Part 1 looked at the four main topics that are the focus of this exam: common security principles, common security threats, cryptography concepts, and network topologies. In Part 2, you dive deeper and review advanced concepts related to VPNs and VPN deployment. You’ll look at operational features of remote-access VPNs and the issue of using NAT with VPN tunnel endpoints. You’ll examine the IPsec framework, looking closely at Internet Key Exchange (IKE) and IPsec VPN negotiation. Then, you explore how to configure and verify clientless remote access VPNs as well as AnyConnect SSL VPNs by using Cisco's ASDM.

The discussion then turns to securing the control plane, routing protocols (OSPF), and defending against Layer 2 attacks such as STP attacks, DHCP, and MAC and ARP spoofing. You’ll also take an in-depth look at VLAN security, Access Control Lists on switches to control traffic flow, port security, and much more. With Part 2 under your belt, you’ll be primed and ready to take on Part 3.

What you’ll learn—and how you can apply it

  • The fundamentals of VPNs, including configuration and the verification of clientless remote access and AnyConnect SSL using Cisco's ASDM
  • Configuration and the verification of site-to-site IPsec VPNs
  • Configuring role-based CLI privilege levels
  • Protecting the control plane from attacks and from high levels of activity using Control Plane Policing and Control Plane Protection
  • Recognizing STP attacks and how to mitigate them
  • Recognizing ARP and MAC attacks and how to mitigate them
  • How to use Access Control Lists (ACLs) on switches to control traffic flow
  • How to defend against DHCP spoofing and snooping
  • How to restrict access to switchports based on the source MAC address of incoming frames
  • And more

This learning path is for you because…

  • You're preparing to take the Cisco IINS 210-260 exam
  • You're preparing for Cisco CCNA Security Certification
  • You're preparing to recertify
  • You're a network designer, administrator, or engineer
  • You're a network security specialist
  • You're a security technician
  • You're a security administrator
  • You're a network security support engineer
  • You're a network and security manager


  • You should have already participated in Learning Path: Implementing Cisco Network Security, Part 1 or already possess the skills and knowledge equivalent to those presented in that part of this three-part learning path
  • You should have a working knowledge of the Windows operating system
  • Cisco Certified Entry Networking Technician (CCENT) certification or equivalent skills and knowledge
  • Basic practical skills and knowledge of Cisco IOS networking and concepts

Materials or downloads needed in advance: None

Further resources: