Build Your CCIE Security Knowledge with Cisco Docs!


A good knowledge of Cisco's documentation can make the difference between passing and failing the exam. Because of that, I would like to show you how to access the most useful Doc CD resources on a per blueprint-section basis. We will also look at the location of each document in the documentation tree, so you know how to reach it without using the Search function, which is exactly what you will have to do to access those resources in the lab.

Unless otherwise mentioned, all documents discussed in this blog are part of Configuration Guides.

1. System Hardening and Availability

Probably the most useful documents here are the ones covering Control Plane features. However, I am going to list more so that you at least know how to find them.

Our starting point for this section is IOS Configuration Guides :
IOS and NX-OS Software -> IOS -> IOS Software Release 15M&T -> 15.2M&T

Routing Protocol Authentication :

IP Routing : RIP -> Configuring Routing Information Protocol
Read More Here
IP Routing : EIGRP -> IP EIGRP Route Authentication
Read More Here
IP Routing : EIGRP -> IPv6 Routing : EIGRP Support
Read More Here
IP Routing : OSPF -> OSPFv2 Cryptographic Authentication
Read More Here
IP Routing : OSPF -> OSPFv3 Authentication Support with IPSec
Read More Here

Route Filtering, PBR :

IP Routing : Protocol-Independent -> Basic IP Routing
Read More Here
IP Routing : Protocol-Independent -> Policy-Based Routing
Read More Here
+ Respective RIP, EIGRP, OSPF and BGP Configuration Guides

Control Plane Policing, Protection and Logging :

QoS : Quality of Service Solutions -> Policing and Shaping
Read More Here

Device Access Control, Role-Based CLI Access, SSH :

Security, Services, and VPN : Securing User Services -> User Security
Read More Here
Security, Services, and VPN : Securing User Services -> Secure Shell
Read More Here

Disabling Unnecessary Services :

Security, Services, and VPN : Securing User Services -> User Security -> AutoSecure
Read More Here

NetFlow, Flexible NetFlow :

Network Management : NetFlow
Read More Here

Network Management : Flexible NetFlow
Read More Here

CPU/Memory Thresholds, Fault Management :

Network Management : Network Management -> Basic System Management
Read More Here

SNMP :

Network Management : Network Management -> SNMP
Read More Here

2. Threat Identification and Mitigation

A great resource can be found under ASA :

Protocols, Ports, ICMP Types :

Security -> Firewalls -> ASA -> ASA 5500-X Series Next-Generation Firewalls -> Cisco ASA 5500 Series Configuration Guide using the CLI 8.4/8.6 -> Reference -> Addresses, Protocols and Ports
Read More Here

Pretty much all L2 Security features (Port Security, DHCP Snooping, DAI, IP Source Guard, STP Protection, Storm Control, etc.) are documented under the Switch Configuration Guide :

L2 Security :

Switches -> Campus LAN Switches - Access -> Catalyst 3750-X Series Switches ->
Cisco IOS Release 15.0(2) SE and Later :
Read More Here

IPv6 First Hop Security :

Switches -> Campus LAN Switches - Access -> Catalyst 3750-X Series Switches ->
Cisco IOS Release 15.0(2) SE and Later -> Configuring IPv6 Unicast Routing
Read More Here

For all other features, let’s go back to the main IOS documentation page :
IOS and NX-OS Software -> IOS -> IOS Software Release 15M&T -> 15.2M&T

SEND :

IP : IPv6 Implementation Guide -> Implementing First Hop Security in IPv6
Read More Here

FPM :

Security, Services, and VPN : Securing the Data Plane -> Flexible Packet Matching
Read More Here

TCP Intercept :

Security, Services, and VPN : Securing the Data Plane -> Denial of Service Attack Prevention
Read More Here

3. Intrusion Prevention and Content Security

There is not really much to look for in this section :

IPS :

Security -> Next Generation Intrusion Prevention System (NGIPS) -> Intrusion Prevention System -> IPS 4200 Series Sensor -> IPS 7.1 (IDM or CLI)
Link 1
Link 2

IOS IPS :

IOS 15.2M&T -> Security : Securing the Data Plane -> Cisco IOS Intrusion Prevention System -> Cisco IOS IPS 5.x Signature Format Support and Usability Enhancements
Read More Here

ASA IPS Module :

ASA 8.4/8.6 Config Guide -> Configuring Modules -> Configuring the IPS Module
Read More Here

WSA :

Security -> Web Security -> Web Security Appliance -> End User Guides -> IronPort AsyncOS 7.1
Read More Here

4. Identity Management

In my opinion, the ACS and ISE User Guides are pretty much useless on the exam. One exception is the part of the ISE document that shows you how to prepare your switch for 802.1x, including certain Profiling methods. It is a great reference to check that you have not missed any of the 802.1x-related commands :

Wired 802.1x & NAD Profiling configuration :

Security -> Access Control and Policy -> Identity Services Engine -> Configuration Guides -> User Guide Release 1.1.x -> Reference -> Switch and WLC Configuration Required to Support Cisco ISE Functions
Read More Here

Now move to : IOS and NX-OS Software -> IOS -> IOS Software Release 15M&T -> 15.2M&T

AAA :

Security : Securing User Services -> Authentication, Authorization and Accounting
Read More Here

RADIUS & TACACS+ Attributes :

Security : Securing User Services -> RADIUS Attributes
Read More Here
Security : Securing User Services -> TACACS+ Configuration -> TACACS Attribute-Value Pairs
Read More Here

5. Perimeter Security and Services

First – IOS documents :
IOS and NX-OS Software -> IOS -> IOS Software Release 15M&T -> 15.2M&T

NAT :

IP : IP Addressing -> NAT Configuration Guide -> Configuring NAT for IP Address Conservation
Read More Here

IPv4/IPv6 ACLs, Dynamic/Reflexive ACLs, Object Groups, SEND :

Security : Securing the Data Plane -> Access Control Lists
Read More Here

CBAC, Transparent IOS Firewall :

Security : Securing the Data Plane -> Context-Based Access Control Firewall
Read More Here

Application Firewall (http) :

Network Management : Network Management -> http Services -> http Inspection Engine
Read More Here

ZFW, User-Based Firewall :

Security : Securing the Data Plane -> Zone-Based Policy Firewall
Read More Here

URPF :

Security : Securing the Data Plane -> Unicast Reverse Path Forwarding
Read More Here

QoS and NBAR :

QoS : Quality of Service Solutions -> (multiple links)
QoS Solutions Link 1
QoS Solutions Link 2
QoS Solutions Link 3
QoS Solutions Link 4
QoS Solutions Link 5
QoS Solutions Link 6
QoS Solutions Link 7

For the ASA, you should be familiar with the entire Configuration Guide for 8.4/8.6 :

ASA (multiple features) :

Security -> Firewalls -> ASA -> ASA 5500-X Series Next-Generation Firewalls -> Cisco ASA 5500 Series Configuration Guide using the CLI 8.4/8.6
Read More Here

Also know how to deal with old-style NAT & Transparent Firewall :

ASA Old NAT (before 8.3) :

Security -> Firewalls -> ASA -> ASA 5500-X Series Next-Generation Firewalls -> Cisco ASA 5500 Series Configuration Guide using the CLI 8.2 -> Configuring NAT
Read More Here

ASA Old Transparent Firewall (before 8.4) :

Security -> Firewalls -> ASA -> ASA 5500-X Series Next-Generation Firewalls -> Cisco ASA 5500 Series Configuration Guide using the CLI 8.2 -> Getting Started and General Information -> Configuring the Transparent or Routed Firewall
Read More Here

6. Confidentiality and Secure Access

For VPNs, use the ASA Configuration Guide (-> Configuring VPN) and a number of IOS documents :

IOS and NX-OS Software -> IOS -> IOS Software Release 15M&T -> 15.2M&T

VPNs, PKI :

Security : Secure Connectivity -> (multiple links)
Secure Connectivity Link 1
Secure Connectivity Link 2
Secure Connectivity Link 3
Secure Connectivity Link 4
Secure Connectivity Link 5
Secure Connectivity Link 6
Secure Connectivity Link 7
Secure Connectivity Link 8

MACsec can be found under the Switch docs :

MACsec :

Switches -> Campus LAN Switches - Access -> Catalyst 3750-X Series Switches ->
Cisco IOS Release 15.0(2) SE and Later -> Configuring MACsec Encryption
Read More Here

Last but not least, Wireless :

Wireless Security :

Wireless -> Wireless LAN Controller -> Wireless LAN Controller Software -> 7.2 -> Configuring Security Solutions
Read More Here

If you feel there is another resource that should be included in the above list, don’t hesitate to contact us.
