FREE Monthly
Technology Updates
One-year Vendor
Product Upgrade
Protection Plan
FREE Membership to
Access.Globalknowledge
CISCO
NETWORK
SECURITY
MANAGING
Russell Lusignan, CCNP, CCNA, MCSE, MCP+I, CNA
Oliver Steudler, CCNA, CCDA, CNE
Jacques Allison, CCNP, ASE, MCSE+I
TECHNICAL EDITOR:
Florent Parent, Network Security Engineer, Viagénie Inc.
“Finally! A single resource that really
delivers solid and comprehensive
knowledge on Cisco security planning
and implementation. A must have for the
serious Cisco library.”
—David Schaer, CCSI, CCNP, CCDA, MCSE, MCDBA,
MCNI, MCNE, CCA
President, Certified Tech Trainers
1 YEAR UPGRADE
BUYER PROTECTION PLAN
112_FC 11/22/00 1:15 PM Page 1
With over 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco
study guides in print, we have come to know many of you personally. By
listening, we've learned what you like and dislike about typical computer
books. The most requested item has been for a web-based service that

MANAGING
CISCO
NETWORK SECURITY:
BUILDING ROCK-SOLID
NETWORKS
112_IpSec_FM 11/8/00 8:52 AM Page iii
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production
(collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the
Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold
AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other inci-
dental or consequential damages arising out from the Work or its contents. Because some states do not allow
the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not
apply to you.
You should always use reasonable case, including backup and other appropriate precautions, when working
with computers, networks, data, and files.
Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through
Skill Enhancement™,” “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack
Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are
trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 AWQ692ADSE
002 KT3LGY35C4
003 C3NXC478FV
004 235C87MN25
005 ZR378HT4DB
006 PF62865JK3
007 DTP435BNR9
008 QRDTKE342V

challenges of designing, deploying and supporting world-class enterprise net-
works.
Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Kevin Votel,
Brittin Clark, Sarah Schaffer, Ellen Lafferty and Sarah MacLachlan of
Publishers Group West for sharing their incredible marketing experience and
expertise.
Mary Ging, Caroline Hird, and Simon Beale of Harcourt International for
making certain that our vision remains worldwide in scope.
Annabel Dent, Anneka Baeten, Clare MacKenzie, and Laurie Giles of Harcourt
Australia for all their help.
David Buckland, Wendi Wong, David Loh, Marie Chieng, Lucy Chong, Leslie
Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthu-
siasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Ethan Atkin at Cranbury International for his help in expanding the Syngress
program.
Special thanks to the professionals at Osborne with whom we are proud to
publish the best-selling Global Knowledge Certification Press series.
v
112_IpSec_FM 11/8/00 8:52 AM Page v
vi
From Global Knowledge
At Global Knowledge we strive to support the multiplicity of learning styles
required by our students to achieve success as technical professionals. As
the world's largest IT training company, Global Knowledge is uniquely
positioned to offer these books. The expertise gained each year from pro-
viding instructor-led training to hundreds of thousands of students world-
wide has been captured in book form to enhance your learning experience.
We hope that the quality of these books demonstrates our commitment to
your lifelong learning success. Whether you choose to learn through the

has over 10 years of experience in designing, implementing and
troubleshooting complex networks.
Chapter 5.
112_IpSec_FM 11/8/00 8:52 AM Page vii
viii
Jacques Allison (CCNP, ASE, MCSE+I) Jacques has been
involved with Microsoft-related projects on customer networks
ranging from single domain and exchange organization migra-
tions to IP addressing and network infrastructure design and
implementation. Recently he has worked on CA Unicenter TNG
implementations for network management.
He received his engineering diploma in Computer Systems in
1996 from the Technicon Pretoria in South Africa. Jacques
began his career with Electronic Data Systems performing
desktop support, completing his MCSE in 1997.
Jacques would like to dedicate his contribution for this book to
his fiancée, Anneline, who is always there for him. He would also
like to thank his family and friends for their support.
Chapter 8.
John Barnes (CCNA, CCNP, CCSI) is a network consultant and
instructor. John has over ten years experience in the implemen-
tation, design, and troubleshooting of local and wide area net-
works as well as four years of experience as an instructor.
John is a regular speaker at conferences and gives tutorials
and courses on IPv6, IPSec, and intrusion detection. He is cur-
rently pursuing his CCIE. He would like to dedicate his efforts
on this book to his daughter, Sydney.
Chapter 2.
Russell Gillis (CISSP, MCSE, CCNA) is Associate Director of
Networking at Kalamazoo College in Kalamazoo, Michigan.

rently located in San Antonio, TX. He has assisted several
clients, including a casino, in the development and implementa-
tion of network security plans for their organizations. He held
the positions of Network Security Officer and Computer Systems
Security Officer while serving in the United States Air Force.
112_IpSec_FM 11/8/00 8:52 AM Page ix
x
While in the Air Force, Stace was involved for over 14 years in
installing, troubleshooting, and protecting long-haul circuits
ensuring the appropriate level of cryptography necessary to pro-
tect the level of information traversing the circuit as well the cir-
cuits from TEMPEST hazards. This included American
equipment as well as equipment from Britain and Germany while
he was assigned to Allied Forces Southern Europe (NATO).
Stace has been an active contributor to The SANS Institute
booklet “Windows NT Security Step by Step.” In addition, he has
co-authored or served as the Technical Editor for over 30 books
published by Osborne/McGraw-Hill, Syngress Media, and
Microsoft Press. He is also a published author in “Internet
Security Advisor” magazine.
His wife Martha and daughter Marissa have been very sup-
portive of the time he spends with the computers, routers, and
firewalls in the “lab” of their house. Without their love and sup-
port, he would not be able to accomplish the goals he has set for
himself.
112_IpSec_FM 11/8/00 8:52 AM Page x
Contents
xi
Preface xxi
Chapter 1 Introduction to IP Network Security 1