Exam Profile: Cisco CCNP Security VPN (642-648)
Date: May 2, 2012
The Cisco 642-648 VPN v2.0 exam is focused on the VPN technologies supported by the Cisco Adaptive Security Appliance (ASA) firewall. The exam takes a relatively complete tour of enterprise-level IKEv1 IPsec remote-access and site-to-site VPNs as well as clientless SSL VPNs and AnyConnect SSL VPNs. Topics with less focus but still present on the exam are IKEv2 site-to-site VPNs, IKEv2 remote-access VPNs and IPv6 VPN features. It covers both configuration-related topics and general VPN technology aspects.
Cisco includes the VPN v2.0 exam as a requirement for achieving the new CCNP Security professional-level certification, the other three exams being 642-637 SECURE v1.0, 642-618 FIREWALL v2.0 and 642-627 IPS v7.0. As the names suggest, these are scoped for Securing Networks with Cisco Routers and Switches, Deploying Cisco ASA Firewall and Implementing Cisco IPS.
Exam Details
- Types of Questions: Multiple Choice (single and multiple answer), drag-and-drop, Sim, Simlet, Testlet, Exhibits
- Number of Questions: 70
- Passing score: 776/1000
- Time Limit: 120 minutes
- How to Register: Pearson VUE
Trouble Spots
Not all candidates have the same level of knowledge and experience for all of the exam topics. The exam can be complex because it tests you on both general technical aspects, to address your level of understanding, and on configuration-related scenarios for achieving a given requirement. One problem here is that you need to know both GUI and CLI methods for achieving a goal, and most of the time engineers will know one or the other but not both. For example, most medium-to-large enterprises use Cisco Security Manager and its linkage to ASDM to manage their ASAs' firewall policies, and the CLI only for troubleshooting purposes. But bottom line: you need to know both very well.
Advanced features available in the IPsec and SSL VPN topics (which are not part of common, general deployments) are targeted at specific scenarios and architectures, and thus need to be known as well. As a result, those pursuing the VPN exam need to allocate more time for studying theory and practicing on their lab equipment. Remember that no matter how small and insignificant an exam topic may appear to you, as long as it is related to the blueprint, it is fair game to show up in the exam.
A lack of true understanding of the technology, of advanced VPN topics, or of the interaction of VPN technologies with non-VPN ASA configurations such as NAT can be a major trouble spot. Lack of true technology understanding usually has two causes: quick learning by only reading without practicing on real equipment, and a bad study approach that focuses on configuration scenarios and not on the technology itself. This will definitely make a difference when it comes down to troubleshooting scenarios, where only skilled engineers can solve an issue, be it on the exam or in real life.
As for advanced VPN topics, this is a common problem on all exams with not-commonly-deployed features, as these are hard to remember. For at least the scope of the exam, know these features. Because VPN is only a subset of ASA capabilities, VPN sessions will be subject to NAT, routing, advanced protocol inspection, or other deployed features. This further raises the complexity level and requires a true understanding of the ASA architecture as well. If you lack this knowledge, read the required chapters of the FIREWALL course.
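The NAT interaction mentioned above is the classic case: on an ASA, NAT is applied before the crypto map is consulted, so if interface PAT rewrites the source address of traffic destined for the remote site, the packet no longer matches the crypto ACL and is sent out in the clear (or dropped) instead of being encrypted. The fix is an identity ("NAT exemption") rule placed before the PAT rule. The fragment below is an added illustration in ASA 8.3+ twice-NAT syntax, not a configuration from the exam guide; the object names, interface names and 10.x addresses are constructed for the example.

```text
! Constructed example: local and remote subnets protected by a site-to-site IPsec tunnel
object network INSIDE-LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.2.2.0 255.255.255.0
!
! Identity (exemption) rule: traffic from INSIDE-LAN to REMOTE-LAN keeps its
! real addresses, so it still matches the crypto ACL and gets encrypted.
! Manual (twice) NAT rules are evaluated in order before object NAT, so this
! rule takes precedence over the general PAT rule below.
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! General Internet access: everything else from the inside is PATed to the outside interface address.
object network INSIDE-LAN-PAT
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Verification (run from privileged EXEC):
!   show nat                 - confirm the exemption rule is listed before the PAT rule and its hit counter increases
!   packet-tracer input inside tcp 10.1.1.10 12345 10.2.2.10 443
!                            - the NAT phase should show the identity rule and the VPN phase should show the tunnel
!   show crypto ipsec sa     - encaps/decaps counters should increment for the 10.1.1.0/24 <-> 10.2.2.0/24 SA
```

The same rule shape applies to remote-access VPNs: the assigned client pool takes the place of REMOTE-LAN, and a packet-tracer run against a client pool address is the quickest way to see whether a "works from the GUI but not the tunnel" complaint is really a NAT ordering problem.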
Preparation Hints
First, you should immerse yourself in each major topic when you study it. For example, you might take some time away between studying IKEv1 IPsec VPNs and IKEv2 IPsec VPNs or SSL VPNs, but when studying any of them, take the time to read and practice all the exam material in a concentrated period. The VPN exam has several large topic areas (IKEv1 and IKEv2 IPsec VPNs, clientless SSL VPNs, AnyConnect VPNs and high availability) that fit this strategy well. As usual, there is time pressure on achieving a certain level of certification; thus, a wrong approach to your studies will eventually catch up with you as more and more gaps accumulate from a rapid but incomplete learning path.
Bear in mind that it is not enough to understand the technology; you also need a good study approach so you can easily remember commonly used topics as well as advanced, cumbersome ones. For this there is no common approach; you need to make your own method for making connections between topics and find your own best strategy.
Practice. Buy gear, use emulators, use simulators, rent or borrow gear, but plan to practice the configurations and spend time understanding the show commands. Use debug commands as much as possible to get a better understanding of what goes on during a functional configuration. Break it, use the debug commands again, and observe whether the output is friendly enough to give you hints on where the errors lie.
Learn each topic deeply. CCNA and CCNA Security cover a much broader set of topics than any professional-level exam, which goes much deeper into a certain technology area. To learn the topics to the required depth, read your primary study sources, review the material and practice every aspect of it. It is also helpful to use multiple study sources when possible, in order to get a different view or opinion, which might be easier for you to follow and understand. Also use reputable forums and blogs, which often do a good job of explaining how things work, and where you can ask experts about your issues.
Recommended Study Resources
Use the CCNP VPN 642-648 Official Certification Guide. Like nearly all Cisco Press Certification Guides, besides explaining the technologies needed for both the exam and real-life practice, this book offers many other tools to help with exam preparation, including memory tables, notes on the most important topics in each chapter, and a CD question bank with exam software.
The CCNP VPN 642-648 Quick Reference Guide provides a very good overview of the technologies you need to know for the exam and beyond. Every chapter briefly explains each technology and gives you a quick look at configuration aspects from both the GUI perspective (handled by the ASDM software for the ASA) and the CLI perspective. The book can be useful as a summary after reading the Official Certification Guide, or as a refresher if you are already familiar with most topics.
If you are not certain what a specific command achieves, or what options you have when configuring it, check the free, online Command Reference Guide for the ASA.
Since many new features became available starting with versions 8.3 and 8.4, you might also want to check the Cisco ASA New Features by Release document.
Where to Go from Here
Instead of choosing to pursue the VPN exam on its own, most candidates choose to pursue a particular certification level, like CCNP, CCDP, CCNP Security, CCIP, CCNP SP Operations, CCNP Voice, CCNP Wireless or CCIE, which then drives the choice of the particular exams required by the certification track. Start by reading about these certifications, and once you choose the technology vertical that best fits you, pick that as your starting point. In general, most candidates start with the good old CCNP track, as it is the best and easiest technical approach after achieving the CCNA level. This is because you cannot really claim to be a professional-level voice, wireless, security, or service provider engineer if you don't know how routing and switching really work, as you are running your services over a routing and switching infrastructure.
At the same time, if your focus is only on security-related technologies, you can stick with the CCNA level of knowledge for basic routing and switching. To achieve the CCNP Security level you first need to meet the prerequisites: be CCNA Security certified as well as CCNA certified. CCNA Security provides you with a basic grounding in general security aspects and Cisco security technologies. Afterwards, you need to pass the four exams previously described. While there is no prerequisite for achieving the CCIE level, going through the Associate and Professional certification levels along with real-life experience with the technologies is the recommended path.