Many would agree that one of the biggest headaches after achieving a Cisco certification is renewing it. Renewing or maintaining a Cisco certification usually requires the candidate to sit for an equal-level exam or pushing forward and aiming for a higher-level exam. While this might not be a problem for many professionals, many find it a big struggle. A significant amount of professionals decide not to renew their certifications because of the time and commitment required or because they’ve decided to focus on other vendors.

In this article, you’ll discover how you can easily renew any Cisco certification or specialization without sitting for a single exam! We’ll explain the different recertification paths, show how to select a recertification path, submit a claim, track the recertification process, open a support ticket, and more!

Key Topics:

• Recertifying Cisco Certifications without Exams – How it Works
• How Many Cisco Learning Credits Do I Need?
• Planning Your Cisco Recertification Strategy
• Claiming Cisco Education Credits
• Certmetrics: Tracking – Verifying the Recertification Progress
• Cisco Associate, Professional, and Specialist Certs Successfully Renewed!
• Summary

Recertifying Cisco Certifications without Exams – How it Works

It is indeed possible to renew any Cisco certification without sitting for the dreaded exams, and it’s called the Cisco Continuing Education Program, and we’ll explain how it works.

The Cisco Continuing Education Program allows Cisco certified engineers to earn Continuing Education Credits (CE) that are then applied towards recertification. CEs can be earn via the following activities:

• Instructor-Led Training
• Cisco Digital Learning
• Cisco Live! Training Sessions (BRK, LTR, TEC, DEVWks)
• Cisco Network Academy Training
• Other Activities such as workshops, bootcamps, etc

The amount of CE credits earned will depend on the type of activity and its duration. For example, you can earn 12 CE credits for a sitting through a 14-hour Cisco course delivered via the Cisco Digital Learning platform or earn a generous 40 to 65 credits for attending a 5-day Cisco Instructor-Led training course offered by authorized Cisco Learning Training Partners.

Once the training course or activity is complete, you submit a claim to earn the CE Credits. When you’ve gathered enough CE credits, you are automatically recertified.

How Many Cisco Learning Credits Do I Need?

The amount of Cisco Learning Credits required for your certification renewal depends on the level of recertification. For example, Associate level recertification, such as the CCNA, requires a minimum of 30 CE credits. In contrast, the Professional level (CCNP Enterprise, CCNP Data Center, etc.) requires 80 CE credits and CCIE level an impressive 120 Continuing Education credits.

The table below shows all available certification levels, duration, required Continuing Education credits, but also the ability to combine exams with Continuing Education credits to achieve recertification:

Recertification requirements must be met prior to the certification expiration date.

Combining Continuing Education credits and exams provides significant flexibility as it allows engineers to maximize their options and achieve recertification status easier with less stress.

Planning Your Cisco Recertification Strategy - Selecting a Course or Activity

When planning your recertification path, it’s crucial to have a strategy to help you achieve your goal the fastest way, therefore understanding how to search and browse through Cisco’s list of activities is very important.

You can browse through Cisco’s lists of activities by visiting the Cisco Continuing Education Program website and selecting Item Catalog from the menu as shown below:

From here, you can search for a course name and use the various filters to find a suitable course. An easy way to look at your available options is to select the Category and Type of training, then click on Search to list all available training for the selected filters.

We’ve selected CCNP/CCDP Training (1) and Instructor-Led training (2) in the example below. This returned several different courses, delivery methods (Item type), and credits each course earns:

By clicking on the View Details link on the right, we can obtain additional information about the course, where and when it’s delivered, and further filter our selection based on time-zone, dates, and more. Spending 15 minutes browsing through the Item Catalog list and using the various filters helps you better understand how to search for the course or activity that best suits you.

Claiming Cisco Education Credits

After selecting and completing an activity, you must register or claim the activity so that the Educational Credits are awarded to your account.

You must register/claim your activity within 90 days of completing it, or else you miss the opportunity to claim the credits.

To help illustrate how to claim your Educational Credits, we’ll use a real example below. In this case, the candidate has attended two Instructor-Led courses delivered by an authorized Cisco Training partner:

Course 1: Implementing and Configuring Cisco Identity Services Engine (SISE) 3.0, 40 Credits - Claimed

Course 2: Implementing and Operating Cisco Security Core Technologies (SCOR) 1.0, 64 Credits – Unclaimed

Note: We’ll cover below the complete process of claiming credits using Course 2 as an example.

Upon logging into Cisco’s Continuing Education Program website, the dashboard displays the first course (SISE 3.0), which was completed and successfully claimed, providing a total of 40 Credits:

Now it’s time to claim the second course, SCOR (1.0).

To begin, click on the Submit Items menu and enter the course details. When ready, click the Submit button:

The Cisco course attended was Implementing and Operating Cisco Security Core Technologies (SCOR) 1.0, delivered via Instructor Led Training method by an authorized Cisco Training partner.

As soon as the course details are submitted, a confirmation window appears. Double-check all details and click on Yes to submit the item:

After a few minutes, we received an email confirmation containing the item and details that were submitted:

Viewing the main dashboard on the Cisco Continuing Education site, you’ll notice the newly submitted item is listed and in a Pending state. The course is eligible for 64 credits:

Cisco next reaches out to the provider to verify the claim. Once this process is complete, Cisco approves the claim, credits are added to the account, and an email confirmation is sent informing us of the outcome:

The time required to process a claim is usually fast – one to two business days. However, if no response is received or the outcome is not the desired one, it is highly advisable to open a case using the Help menu item on the top right corner of the page:

Certmetrics: Tracking – Verifying the Recertification Progress

Certmetric helps Cisco professionals to keep track of their certification progress, testing history, transcripts, download digital badges, and more. The site is accessible at the following URL: https://www.certmetrics.com/cisco/, and a link is also available from the main dashboard within the Cisco Continuing Education site.

Under the Certifications menu option, you’ll find all active and expired certifications. Select the certification for which you are recertifying, this is usually the highest certification as this automatically renews all others below it. In this example, we selected (clicked) the CCNP Enterprise:

The next window shows all paths for the CCNP Enterprise recertification. This maps to the recertification path options shown at the beginning of the article. 

Option 1: Satisfy one of the listed items between 1.1.1 – 1.1.2 or two items under 1.1.3.

Option 2: Satisfy one item under 1.2.1 and 1.2.2 (40 CE credits).

Option 3: Satisfy one item under 1.3 (80 CE credits).

Our preferred recertification path is 1.3. This requires 80 CE credits, of which 40 have already been claimed and awarded from the first course.

The above screenshot was taken after the 40 credit points from the first course were approved.

After the second item (course) has been approved, menu item 1.3 will be fully satisfied and show a total of 80 CE Credits (80/80).

Cisco Associate, Professional and Specialist Certs Successfully Renewed!

The below screenshot confirms that both Instructor Led Training courses were approved, earning us a total of 104 CE credits. We were able to successfully renew all Cisco certifications:

We should note the certifications above set to expire in 2 and 69 days have been retired by Cisco and cannot therefore be renewed.

Summary

In this article we showed how it’s possible to recertify/renew your Cisco certifications without sitting for any Cisco exams. We explained how the recertification process works via the Continuing Education Program, how to calculate and earn Educational Credits (CE), calculate the required credits to recertify, search and claim your Educational Credits, your track your recertification progress and more.

I have seen people spend hundreds or thousands of dollars (myself included) buying used networking equipment in order to build a home Cisco lab to gain practical experiences and study for certification exams. Until a few years ago it was the only option available, or you had to rent lab hours through one of the training companies.

Other Simulation Tools

GNS3 is a well-known free network simulation platform that has been around for many years. Cisco IOS on UNIX (IOU) is another option for running Cisco routers in a virtual environment. It is a fully working version of IOS that runs as a user mode UNIX (Solaris) process. IOU was built as a native Solaris image and runs just like any other program. One key advantage that Cisco IOU has is that it does not require nearly as much resources as GNS3 and VIRL would require. However, the legality of the source of Cisco images for GNS3 is questionable.

Figure 1. Cisco VIRL Network Topology (click to enlarge)

If you are not an authorized Cisco employee or trusted partner, usage of Cisco IOU is potentially a legal gray area. Because of lack of publicity and availability to average certification students and network engineers, online resources are limited and setting up a network takes much more effort. Also, due to missing features and delays in supporting the recent Cisco image releases, Cisco is not recommending them to engineers and students.

Read our review on "The VIRL Book" – A Guide to Cisco’s Virtual Internet Routing Lab (Cisco Lab)

Here Comes Cisco VIRL

Cisco Virtual Internet Routing Lab (VIRL) is a software tool Cisco developed to build and run network simulations without the need for physical hardware.

Under the hood, VIRL is an OpenStack-based platform that runs IOSv, IOSvL2, IOS XRv, NX-OSv, CSR1000v, and ASAv software images on the built-in hypervisor. VIRL provides a scalable, extensible network design and simulation environment using the VM Maestro frontend. Recently, I have seen extensive development and improvement made on the browser based operations using HTML5. VIRL also has extensive ability to integrate with third-party vendor virtual machines such as Juniper, Palo Alto Networks, Fortinet, F5 BigIP, Extreme Networks, Arista, Alcatel, Citrix and more.

VIRL comes in two different editions – Personal Edition and Academic Edition. Both have the same features except the Academic Edition is cheaper. At the time of writing, Academic Edition costs $79.99 USD per annum and Personal Edition costs $199.99 USD per year. VIRL has a license limit to simulate up to 20 Cisco nodes at a time. You can pay an extra $100 USD to upgrade to 30 Cisco nodes, maximum. To qualify to purchase the Academic Edition, you must be faculty, staff and students of any public or private K-12 institution or Higher Education institution. 

Cisco VIRL is community-supported and is designed for individual users. For enterprise users who want TAC support, in-depth documentation, training and more, there is Cisco Modeling Labs (CML), an enterprise version of VIRL. Of course the CML version costs much more.

Why VIRL Is Better

Official Cisco Images

VIRL comes with a complete set of legal and licensed Cisco IOS images that are the same as those running on physical routers. (I’m sure they were tweaked to optimize them running in a virtual environment). New Cisco IOS releases are provided on a regular basis.

Runs on Most Computers

The minimum hardware requirement for VIRL is an Intel-based computer with four CPU cores, 8GB of RAM and 70 GB free disk space. Of course more resources allow for larger simulations. Cisco suggests larger memory, such as 12GB for 20 nodes, 15GB for 30 nodes, or 18GB for 40 nodes. Each Cisco IOS-XRv node requires 3GB of memory to launch. In my experience, the only thing that is likely to stop you is the amount of memory installed on the computer. Computer memory is now inexpensive. You just need to ensure that your computer has enough empty slots to install additional memory.

Flexible Installation Options

You can install a VIRL on an enterprise-grade server infrastructure, a desktop computer, a laptop, or even on the cloud. You can run it as a Virtual Machine on VMware ESXi, VMware Workstation, Player or VMware Fusion for Mac OS. As opposed to running on a hypervisor, some choose to build VIRL on a bare-metal computer to achieve maximum performance.

Once your VIRL lab is up and running, it is an all-in-one virtual networking lab that has no wires and cords attached. When you run it as a VM, you can scale, migrate and implement high availability (HA) by taking advantage of the features that VMware infrastructure has to offer.

Automatic Configuration

The AutoNetkit, which comes with VIRL, can assign IP addresses to the nodes automatically when they launch, and it will even set up some basic routing protocols for you. The bootstrap configuration gives you a fully converged network as soon as they are launched. And you can go straight to the features and focus on what you want to test. This is a cool feature for network engineers who want to set up a one-time temporary environment to look up commands and test certain features. If you were building a network topology from scratch, or creating a mockup a production environment, manual IP addressing is recommended.

Community Support by Developers

VIRL is supported by a community full of good people like you. Questions are often answered first-hand by developers and engineers. The Cisco VIRL team offers monthly webinars and newsletters to keep the community updated on new feature releases and announcements. You can find the online community on Cisco Learning Network at: https://learningnetwork.cisco.com/groups/virl

About The Author

Jack Wang, CCIE #32450, is a principle network consultant and founder of Speak Network Solutions. He has been designing and implementing enterprise and large-scale service provider networks as well as teaching and blogging about advanced technologies. His current focus includes Software Defined Networking (SDN), data centers, Amazon AWS cloud integration, wireless, WAN architectures and design. Jack holds B.S. in Engineering and M.S. in Computer Science.

Summary

I wish VIRL had been available when I first started learning Cisco networking technology and taking CCIE exams. I have used GNS3, IOU and other simulation and emulation tools. They all had their advantages and disadvantages. When looking at them together, there are four main reasons I recommend VIRL to network engineers, certification students and trainers.

• Developed by Cisco, running official Cisco images. No concerns about legal or software licensing issues.
• Has a production-grade, commercial version (CML - Cisco Modeling Lab) available to enterprise customers. It runs essentially the same code as VIRL. Cisco has made VIRL much more affordable for personal and academic use, without the price tag and TAC support. Why not take advantage of it?
• Runs on OpenStack and is SDN-ready. If you are interested in learning about Software Defined Network, VIRL has direct integration with OpenDaylight.
• Is actively developed by Cisco. New features and updates are released regularly.

Figure 1. This app can’t run on this PC. Cisco VPN Client doesn’t work on this version of Windows

The good news is that what you’re reading is not true – While Windows 10 does in fact disable the application, getting it to work again is a very easy process and very similar to installing the client on the Windows 10 operating system.

The following steps will help rectify the problem and have your Cisco IPSec VPN client working in less than 5 minutes.

Windows 7 32bit & 64bit users can read our Cisco VPN Client Fix for Windows 7 Operating System.

Windows 8 32bit & 64bit users can read our Cisco VPN Client Fix for Windows 8 Operating System.

Windows 10 Anniversary users without the Cisco VPN Client should read our article How to Install and Fix Cisco VPN Client on Windows 10.

Step 1 – Download and Extract the Cisco VPN Client

Head to the Firewall.cx Cisco Tools & Applications download section to download and extract the Cisco IPSec VPN Client installation files on your computer. The Cisco VPN installation files will be required for the repair process that follows.

Note: The Cisco IPSec VPN Client is offered in a 32Bit and 64Bit version. Ensure you download the correct version for your operating system.

Step 2 – Repair The Cisco VPN Client Application

After the file extraction process is complete, go to the Windows Control Panel and select Programs and Features. Locate the Cisco Systems VPN Client, select it and click on Repair:

Figure 2. Initiating the Repair of the Cisco IPSec VPN Client

The repair process will ask for the location of the Cisco VPN installation files – simply point it to where the files were extracted previously e.g c:\temp\vpnclient.

At this point the Windows 10 User Account Control will prompt for confirmation to allow the Cisco VPN application to make changes to your device. Click Yes to continue:

Figure 3. Windows 10 User Account Control requesting user confirmation to make changes

The repair process will continue by reinstalling the Cisco VPN client files as shown in the process below:

Figure 4. The repair process of the Cisco VPN Client on Windows 10 Anniversary update

Step 3 – Edit Windows Registry - Fix Reason 442: Failed To Enable Virtual Adapter Error

At this point, the workstation has a fresh installation of the Cisco VPN Client, but will fail to work and produce the well-known Reason 442: Failed to enable Virtual Adapter Error.

To fix this issue, follow the steps below:

1. Open your Windows Registry Editor by typing regedit in the Search Windows area.

2. Browse to the Registry Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA

3. From the window on the right, select and right-click on DisplayName and choose Modify from the menu. Alternatively, double-click on DisplayName:

Figure 5. Modify & correct the Windows 10 Cisco VPN Registry entry

For Windows 10 32bit (x86) operating systems, change the value data from “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter” to “Cisco Systems VPN Adapter”.

For Windows 10 64bit (x64) operating systems, change the value data from “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows” to “Cisco Systems VPN Adapter for 64-bit Windows” as shown below:

Figure 6. Editing the Value Data for the 64Bit Cisco VPN Client

The registry key now shows the correct DisplayName value data:

Figure 7. The correct DisplayName registry value for the 64bit Cisco VPN Client

At this point, you should be able to connect to your VPN Gateway without any errors or problems.

To simplify the article and help users quickly find what they are after, we’ve broken it into the following two sections:

• How to Install Cisco VPN client on Windows 10 (clean installation or upgrade from previous Windows), including Windows 10 build prior or after build 1511.
• How to Fix Reason 442: Failed to enable Virtual Adapter on Windows 10

Figure 1. The Cisco VPN Client Reason 442: Failed to enable Virtual Adapter error on Windows 10

Windows 7 32bit & 64bit users can read our Cisco VPN Client Fix for Windows 7 Operating System.

Windows 8 users can read our Cisco VPN Client Fix for Windows 8 Operating System.

Windows 10 32bit & 64bit Anniversary Update 1607 users can read our Fix Cisco VPN Client Break After Windows 10 Anniversary Update 1607.

How To Install Cisco VPN Client On Windows 10 (New installations or O/S Upgrades)

The instructions below are for new or clean Windows 10 installations. Users who just upgraded to Windows 10 from an earlier Windows version, will need to first uninstall their SonicWALL VPN Client & Cisco VPN client, then proceed with the instructions below.

1. Download and install the SonicWALL Global VPN Client from Firewall.cx’s Cisco Tools & Applications section. This is required so that the DNE Lightweight filter network client is installed on your workstation. You can later on remove the SonicWall Global Client.
2. Download and install the Cisco VPN client (32 or 64 bit) from Firewall.cx’s Cisco Tools & Applications section.
3. Optional: Uninstall the SonicWALL Global VPN Client.

Note: If you receive the Windows message “This app can’t run on this PC”, go to the folder where the Cisco VPN client was extracted and run the “vpnclient_setup.msi” file. If you don’t remember where the file was extracted, execute the downloaded file again and select an extraction path e.g c:\temp\ciscovpn\ so you know where to look for it.

Figure 2. Overcoming the “Cisco VPN Client doesn’t work on this version of Windows” message

After successfully installing the Cisco VPN Client, you can uninstall the SonicWALL Global VPN Client to save system resources and stop it from running in the future, however ensure you leave all uninstall options to their default. This means leave unchecked the two options below during the uninstall process:

Figure 3. Uninstalling the SonicWALL Global VPN Client after Cisco VPN Client installation

This completes the installation phase of the Cisco VPN client on Windows 10.

How To Fix Reason 442: Failed To Enable Virtual Adapter On Windows 10

When attempting to connect to a VPN gateway (router or firewall) using the Cisco VPN Client on Windows 10, it will fail to connect because of the following reason: Reason 442: Failed to Enable Virtual Adapter.

This fix is very easy and identical to Windows 8 Cisco VPN Client fix, already covered on Firewall.cx:

1. Open your Windows Registry Editor by typing regedit in the Search the web and Windows prompt.

2. Browse to the Registry Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA

3. From the window on the right, select and right-click on DisplayName and choose Modify from the menu. Alternatively, double-click on DisplayName:

Figure 4. Modify & correct the Windows 10 Cisco VPN Registry entry

For Windows 10 32bit (x86) operating systems, change the value data from “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter” to “Cisco Systems VPN Adapter”.

For Windows 10 64bit (x64) operating systems, change the value data from “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows” to “Cisco Systems VPN Adapter for 64-bit Windows” (shown below):

Figure 5. Editing the Value Data for the Cisco VPN Client

The registry key now shows the correct DisplayName value data:

Figure 6. The correct 64bit Windows 10 registry values for the Cisco VPN Client to work

At this point, you should be able to connect to your VPN Router or Gateway without any problems.

When this error is produced, users will no longer be able to connect to their VPN using the Cisco VPN client. It seems like Cisco’s VPN client often produces the error when network adaptors disappear and reappear – a common scenario when removing the Ethernet cable or reconnecting to your wireless network.

The solution provided will force the Cisco VPN to re-initialize and continue working without a problem.

To overcome the error, close the VPN Client, open a Terminal Window, (Applications -> Utilities -> Terminal) and type one of the following commands:

For older OS versions:

 Another command that can be used to re-initialize the Cisco VPN subsystem is the following:

Again, the administrator password might be required.

Should the Error 51 problem occur again, simply apply the same command that worked for you previously and you’ll be ready to connect to your VPN. It might also be a good idea to create a small script with the above commends so it can be executed every time the error occurs.

Windows 7/8 users experiencing the Cisco VPN Client Error 442 on their system can also visit our Cisco Services & Technologies section to read how to correct the problem.

For a successful networking professional it is essential to gain information on-the-fly about the network infrastructure he or she is working on. For a successful and established vendor of networking equipment and technology it is important to satisfy this requirement. Being at the forefront of networking technology, Cisco carries the enviable distinction of not only setting industry standards and delivering a variety of networking equipment, but also presenting an efficient support infrastructure. One such service offering is its latest Cisco Technical Support Mobile App.

As handheld devices are rapidly becoming the norm, the Cisco Support mobile app delivers a strong support base for networking professionals. Firewall.cx, will now present a broad spectrum analysis of this application, discussing its salient features and showcasing its merits.

For the purpose of this exercise the Android Platform has been used.  However the app  is available for all other platforms such as iOS and BB10.

Key Features

The Cisco Technical Support mobile app has a multifunctional element, synonymous with all Cisco products. Here we look into the key features, which are as follows:

• Opening and Managing Support Cases and RMAs with Cisco
• Cisco Support Community Activities
• Video Feeds
• News Feeds (Cisco Blogs)
• Podcasts
• Cisco Product Information

Please note that this review is being done on the app itself, venturing into its ease of use, robustness and overall functionality.

User Experience

Simplicity has always been the hallmark of a Cisco product; this mobile application shares this key value. The user experience is enhanced by the fact that the app delivers a robust support infrastructure without complicating the extraction of information.

Before obtaining access to the services and information the app provides, each user is requested to login to their Cisco CCO account as shown below:

 Once logged in, the user is presented with the Home screen menu, which clearly shows what the application has to offer:

As depicted in the screenshot, it is evident that form has followed function. This high-impact home screen layout clearly shows the services Cisco Technical Support Mobile App has to offer.

Each section has its own subsection, which has a strict hierarchy. This allows the user to navigate through the various subsections without losing context.

Support Cases

The Cisco Support Cases section is one of the application’s strongest and most popular areas, it allows the user to open and fully manage Cisco support cases. The process of opening a support case is identical to that of the Cisco Support Website.

Users with existing cases in their CCO account will find they can continue working on their cases through the application. The app automatically syncs with the user’s CCO profile, allowing users to have access to their Cisco support cases without requiring a laptop or, being at the office. The only requirement is Internet access on their mobile device.

The Support Cases section presents four options, allowing the user to:

• Use My Open Cases toview and manage support cases
• Create a Watch List (useful to ‘bookmark’ important cases)
• Search Cases
• Open New Cases (and issue RMAs)

The My Open Cases menu allows users to fully manage all existing open cases. From here,  users can view cases and communications with Cisco TAC, update cases with new information, request the closure of cases and much more.

When working on multiple TAC cases it can be difficult to keep track of the most important ones. This is where the My Watch List menu option comes in handy: it allows the user to add cases to his/her Watch List, and keep track of them, without searching through the My Open Cases section.

The Search Cases menu option allows users to search through all open TAC cases for specific keywords. The search can be based on Title, Description, Case Number, Case Owner ID or Service Contract Number.

The last menu option, Open New Case, allows the user to open a new case with Cisco TAC.

Support Cases: Diving Into ‘My Open Cases’

Let’s look at how to fully manage Cisco TAC support cases using the Cisco Technical Support  app.

By selecting My Open Cases users are presented with all open support cases, which are categorized by Customer Pending and Cisco Pending status. Notice how the application shows the number of open cases in the tab of each category:

Selecting either of the two tabs (Customer/Cisco Pending), the application will list the cases and the following important information: Severity (automatically highlighted in the application), Service Request Number, Case Title, Last Update Date and Case Owner.

Users running the app under the Android platform can use the refresh button (lower left corner) to force the application to update – sync with the Cisco Support website.  We should note that the iOS client uses "tug to refresh" instead. 

The refresh feature comes in handy while monitoring cases where the user is expecting updates by Cisco TAC or one of their colleagues handling the cases with Cisco. For the user’s convenience, the application shows when it was last updated with the Cisco Support website. 

The user can tap on any open case to view more details and manage it. For example, we tapped on the second listed case while in the Cisco Pending tab (Case 626926599) to view further details:

As shown in the screenshot above, the user is able to view the Date Created, the Cisco TAC Engineer assigned to the case, Tracking Number and RMA related information. This is used only in case of an RMA, along with the Previous Notes (communication history for this case) and case Attachments (files that have been attached to the case).

Getting in contact the Cisco TAC engineer handling the case is as easy as tapping on Contact TAC Engineer option. This will open the Contact Option popup window and ask the user for the preferred contact method: Email or Call the Engineer:

Selecting Email will launch the preferred email client and automatically enter the Cisco TAC Engineer’s email address and Case number as the subject. Selecting Call TAC Engineer will bring up the engineer’s direct phone number.

Returning back to our case screen and selecting the Previous Notes option reveals all of the communication history with Cisco TAC. This feature is ideal for IT Managers monitoring cases, to get up to speed on what actions have been taken so far:

 From here, we can read an individual email/note by simply tapping on top of it to select it.

Additional Support Case Management

While inside a Cisco Support Case the user can select additional actions by selecting the left menu button which will reveal the following: Add Note, Request Status Update, Add to Watch List, Attach Photo, Request Case Closure and Logout:

Selecting Add Note is similar to replying to an email thread of the case. Once selected, we can add a title and note which can then be submitted. The system will then automatically update the case and the engineer will be notified that an update has been made by the customer.

Support Cases: Watch Lists & Searching Cases

My Watch List

Returning to the main Support Cases menu, users can visit the My Watch List area. Here they can keep track of any cases that have been added to the Watch List:

Users who haven’t used this feature won’t find any case listed in it, however, as noted previously, pressing the left menu button while viewing a case will allow it to be added to the Watch List for future reference as shown in the two screenshots below:

After adding the necessary support cases to the Watch List, users can view and manage them directly from My Watch List, as shown below:

Searching Cases

The ability to search cases allows the user to quickly search and locate a specific open case, based on the available search options:

To begin searching, select the Search Option (by default Title or Description contains is selected), type in a search keyword and select the large green Search button at the bottom of the screen.

After the Search button is pressed, the application will send the request to the Cisco Support Website  and return the results within a few seconds:

In our example we searched for the keyword ‘CME’ and it returned the Cisco case we were looking for. Once the search is complete select the case to enter and continue managing it.

Support Cases: Opening A New Case

Opening a support case with Cisco has always been an easy step-by-step process, especially through the new intuitive Cisco Support Website. The Cisco Technical Support mobile application brings the same ease to all mobile devices.

Through the Open New Case option the user is able to quickly open support cases and get a TAC Engineer to help resolve the problem. The experience is so impressive that we (Firewall.cx) decided to open a new case and then requested the TAC Engineer call us back so we could discuss our requirements. We tracked this whole case from our mobile phone, without the use of a PC, and we couldn’t think of any other vendor who would provide such a functional and smartly designed support environment.

When opening a new case, the user is presented with five easy steps before submitting the support case. These are:

• Product Serial Number
• Case Type (Severity Selection – ability to mark as urgent)
• Select Product Type (Technology or product)
• Select Problem Type (Configuration Assistance, Error Messages, Hardware failure etc.)
• Case Title and Description

Every step, with the exception of Serial Number and Case Title / Description, consists of easy tap-and-select options that require minimal effort to complete.

When opening a new case, the first screen requests the product’s serial number. It is important to have the serial number of the product experiencing the problem. This will ensure that the application can continue to the next step. Once the correct serial number is entered tap Next:

Next, select the Case Type. If this is an urgent case such as a network-down situation it is imperative the Extended Loss of Service option is also selected. This will help catch the immediate attention of the assigned Cisco TAC Engineer and in most cases results to a faster initial response. For this example we chose the first option by simply tapping on it, after which the Check appeared as a visual confirmation of our selection:

We hit the Next button and then selected the technology and product in the two scrollable menu selections:

Selecting Next again takes the user to the next step where he/she is required to select the Problem Type:

There are five different problem types to select.  They cover possible problems that might arise, from simple configuration issues to hardware or software failures. Users selecting the Hardware Failure option will be taken down the RMA path to have their hardware replaced. In this example we selected Configuration Assistance and selected the NEXT button.

The final step requires the user to enter a short Case Title and a more detailed Case Description:

It is important to provide as much information as possible, in a well-structured manner. This will help the engineer assigned to the case understand the problem or requirement.

When complete, the application will present a final overview of the case before it is submitted into the queue for an engineer to be assigned to it. If incorrect details were accidentally entered was and submitted an update email can be submitted through the case management with the necessary corrections:

After ensuring the details, notes and problem description are correct, select the Submit button. The case is then created and a confirmation window appears with the Support Case Number and options to View the Case or Email Case Information to a Manager, colleague or engineer:

Tapping the Done button will return the user to the main Support Case menu. Alternatively, selecting View Case will show the case details and allow the user to manage the newly opened case:

Notice that since this was a newly created TAC Case, no engineer has been assigned to it yet (TAC Engineer: NA). After a couple of minutes, the app shows the case was assigned to a Cisco TAC Engineer. Once the TAC Engineer was assigned, we created a new note (left menu button -> Add Note) requesting the engineer to call us so we can discuss the problem:

The TAC Engineer assigned to the case is able to view the owner’s details and obtain their contact information from there. If we were out of the office, we could provide our mobile number in the note. Shortly after submitting the note, we received the expected phone call from the Cisco TAC Engineer.

Summarizing the Support Case section of the Cisco Technical Support mobile application,  we believe it is an invaluable tool that helps IT Managers, Engineers and IT personnel keep on top of problems by managing Cisco Support Cases with ease and effectiveness, regardless of their location. We have not seen any similar products from other vendors, confirming once again how innovative Cisco’s Support Services and the Development team are.

Support Community

The Support Community Section is broken down into several subsections, each dealing with a different mode of support as shown in the following screenshot:

If the user prefers to go down the route of ‘Browse Community’ a plethora of options is presented. This enables the user to make very specific choices based on their most current need. The following screenshot shows the options:

Each individual subsection further expands into its own area to display further choices. Worth mentioning is also the fact the Cisco Technical Support Mobile App has added support for several global communities such as Japanese, Polish, Portuguese, Russian, & Spanish.

A key element to an engineer’s understanding is being able to visualize the technology being described, or demonstrated, and to be informed about the latest implementations. This is where the Videos section comes in very handy. This section contains a variety of information made available in video. These videos range from Cisco Support Communities videos, showcasing seminars, events etc. and expands to bulletins, webcasts and expert explanations.

The following screenshot shows video options available for a user to select from:

The last two sections in the Videos category are full of fundamental overviews and general networking topics like concepts and networking protocols.

Another feature is the Podcasts section. This category has two subsections Cyber Risks Report and a TAC Security Podcast. Selecting either of these subsections opens up the current topics covered within the podcast arena. This handy tool keeps users updated on current news and trends.

The next section we will cover is the RSS Feeds. This is a massive repository of blogs covering a wide range of topics segmented into three major labels: media, news and security. This enables the user to pick and choose which feeds are most relevant from his or her own perspective.

Last in this discussion, is the Products section. This covers all of Cisco’s offerings in terms of devices, tools, services, resources and trends. This is a virtual goldmine for anything and everything related to Cisco. The most brilliant part of this section is that the user can join a chat session (see screenshot) if there is a need for some instant assistance or information.

In this section you also have the option to send an email or request a price for any product. Additionally, once the chat session is started it continues to run in the background for easy access whenever the user chooses. Hence the ‘Continue Chat’ tab that appears, enabling the user to reengage the information interchange.

This screenshot shows the first page in the list of options on the Product Information page:

In this screenshot you can see the multiple options for communicating with Cisco:

This mobile application is a must have for every networking professional. It is a master of usability, simplicity and efficiency in delivering relevant information.

It has often been stated that the value of a tool is in its ability to reach the masses, and their recognition of its features. The Cisco Technical Support mobile application has won the 2013 American Business Award for Mobile On-Demand Application, 2012 Web Marketing Association Best Advocacy Mobile App, and 2012 Forrester Groundswell B2B Mobile App awards.

In closing, this application lives up to the expectations and scores on multiple grounds. Networking professionals will benefit from this immensely. Using this app will greatly enhance their own productivity and efficiency as well as help resolve issues and stay up to date on information, products and trends.

Cisco must be proud of its VPN solutions. It’s one of the few vendors that support such a wide range of VPN technologies with so many features and flexibility. Cisco Routers and Cisco ASA Firewalls are the two types of devices that are used most often to build Cisco Virtual Private Networks.  

In this article we will discuss and compare two general Cisco VPN categories that are utilized by network engineers to build the majority of VPN networks in today’s enterprise environments. These categories are “Policy Based VPNs” (or IPSEC VPNs) and “Route Based VPNs”. Of course Cisco supports additional VPN technologies such as SSL VPNs (Anyconnect SSL VPN, Clientless SSL VPN), Dynamic Multipoint VPN (DMVPN), Easy VPN, Group Encrypted Transport (GET) VPN etc. Many of these VPN technologies are already covered on Firewall.cx and are beyond the scope of this article.  

Below is a selection of Cisco VPN articles to which interested users can refer:

• Understanding Cisco Dynamic Multipoint VPN (DMVPN)
• Dynamic Multipoint VPN (DMVPN) Deployment Models & Architectures
• Configuring Cisco Dynamic Multipoint VPN (DMVPN)
• Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers
• Configuring Cisco Site to Site IPSec VPN with Dynamic IP Endpoint Cisco Routers
• Configuring Point-to-Point GRE VPN Tunnels on Cisco Routers
• Cisco GRE and IPSec - GRE over IPSec - Selecting and Configuring GRE IPSec Tunnel or Transport Mode
• Configuring Cisco SSL VPN AnyConnect (WebVPN) on Cisco IOS Routers

Overview Of Policy-Based & Route-Based Cisco VPNs

The diagram below shows a quick overview of the two VPN Categories we are going to discuss and their Practical Applications in actual networks:

For a Network Engineer or Designer it’s important to know the main differences between these two VPN categories and their practical applications. Knowing these will help professionals choose the right VPN type for their company and customers.

As shown in the diagram above, Policy-Based VPNs are used to build Site-to-Site and Hub-and-Spoke VPN and also remote access VPNs using an IPSEC Client. On the other hand, Route-Based VPNs are used to build only Site-to-Site or Hub-and-Spoke VPN topologies.

Now let’s see a brief description of each VPN Type.

Policy-Based IPSEC VPN

This is the traditional IPSEC VPN type which is still widely used today. This VPN category is supported on both Cisco ASA Firewalls and Cisco IOS Routers. With this VPN type the device encrypts and encapsulates a subset of traffic flowing through an interface according to a defined policy (using an Access Control List). The IPSEC protocol is used for tunneling and for securing the communication flow. Since the traditional IPSEC VPN is standardized by IETF, it is supported by all networking vendors so you can use it to build VPNs between different vendor devices as well. 

Sample Configuration on Cisco ASA Firewalls

To illustrate the reason why this VPN type is called Policy-Based VPN, we will see a sample configuration code on a Cisco ASA firewall based on the diagram below.

Full step-by-step configuration instructions for Policy-Based VPN on IOS Routers can be found at our Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers article.

ASA-1:

ASA-2:

Understanding Route-Based VPNs

A route-based VPN configuration uses Layer3 routed tunnel interfaces as the endpoints of the VPN. Instead of selecting a subset of traffic to pass through the VPN tunnel using an Access List, all traffic passing through the special Layer3 tunnel interface is placed into the VPN. Therefore you need to configure routing accordingly. Either a dynamic routing protocol (such as EIGRP or OSPF) or static routing must be configured to divert VPN traffic through the special Layer3 tunnel interface.

This VPN Type is supported only on Cisco Routers and is based on GRE or VTI Tunnel Interfaces. For secure communication, Route-Based VPNs use also the IPSEC protocol on top of the GRE or VTI tunnel to encrypt everything.

Sample Configuration on Cisco Routers

Based on the network diagram below, let’s see a GRE Route-Based VPN with IPSEC protection.

Full step-by-step configuration instructions for Route-Based VPN on IOS Routers can be found at ourConfiguring Point-to-Point GRE VPN Tunnels - Unprotected GRE & Protected GRE over IPSec Tunnels article.

Router-1:

From the configuration above, a GRE Layer3 Tunnel Interface is created (Tunnel0) which will be one of the endpoints of the VPN tunnel. IPSEC Protection is also applied for security. The other end of the VPN tunnel is Tunnel0 of the other site (with IP 10.0.0.2), thus forming a point-to-point VPN link. The static route shown above will divert VPN traffic destined for LAN2 via the Tunnel Interfaces.

Following is the VPN related configuration commands for our second router:

Router-2:

Comparison Between Policy-Based & Route-Based VPNs

To summarize, let’s see a comparison table with the main differences between Policy-Based and Route-Based VPNs.

Summary

In this article we examined and compare the two Cisco VPN categories that are utilized by organizations: Policy-Based and Route-Based VPNs.

Unified communications is a very popular term these days and we see it appearing on almost every vendor as they rename their platforms and products to include this term. The definition of unified communications changes slightly depending on the vendor you are looking at, but its foundation remains the same. Breaking unified communications into components makes it a lot easier to analyze and put things into the correct perspective.

Unified Communications Foundational Components

These are, in essence, the main-core services a unified communications product should offer:

• Network Infrastructure. Almost all unified communications services require a rock-solid network infrastructure. Without this foundation component we are unable to use all the features an advanced unified communications solution can offer.
• IP telephony. Also known as Voice over IP (VoIP). This is a critical part of UC.
• Presence. Being able to monitor the availability and state of another user. Check if the user's phone line is occupied, is in a conference or away from his desk/office.

Unified Communications Basic Components

These are your everyday applications and services helping to unify your communications needs:

• Email. The ability to send messages and attachments between colleagues and customers.
• Messaging. Includes faxing, instant messaging services and voicemail.
• Conferencing. Includes audio conferencing and Web conferencing services that tightly integratewith the UC infrastructure.

Unified Communications Emerging Components

These unified communications components are pretty much the most popular ones around today:

• Mobility. Perhaps unified communications' greatest driving force. This component gives mobile workers corporate communications no matter where they are located.
• Social Media. Many companies are using social media to help them reach out to millions of consumers at a fraction of the traditional marketing cost.
• Videoconferencing. Mainly used by companies to reduce travel expenses and organize meetings.

Understanding Your True Unified Communications Needs

There is no doubt unified communications is not one product but a combination of complex technologies working together to meet your needs. A very common problem IT Managers and engineers are faced with is to understand the needs of their company when considering a unified communications solution.

This process unfortunately can be harder than it sounds as there are a lot of parameters often not taken in consideration during the planning and decision-making process.

To help this process, we've outlined a number of points that require consideration and will help you reveal your true unified communications needs:

• Return on investment (ROI). ROI is a key point to help you understand how your investment will help you save money. ROI can be difficult to measure. ROI must be calculated based on the unified communications solution being examined, the features it offers and how necessary they are for your organization. Don't focus entirely on the product's features but your real needs today and tomorrow.
• Unified communications is an evolving trend. Are you ready for the cloud? Many organizations are already migrating their unified communications services to the cloud, relieving them from the administration burden and management cost while providing a solid platform that has the ability to deliver true 100% uptime and ease of administration.
• Future proof / Adapt to changes. This is where most unified communications solutions fall short. A unified communications solution should be able to adapt to company-wide changes and provide room for future growth. Examine your company's future plans and ensure the unified communications solution selected has the ability to support your growth plan and adapt to rapid changes.
• Roll-out plan. Most unified communication solutions consist of core services that affect everyone in the organization during the rollout (installation) phase. In some cases, these installations can disrupt the company's normal workflow and therefore cannot be made during working hours. Rollout of these services must be planned with your integrator so that your workflow is not affected. Any serious integrator will have this in mind and present an accepted rollout plan that will have minimum impact on the company's operation.

With the introduction of Windows 8, Cisco VPN users are faced with a problem – the Cisco VPN software installs correctly but fails to connect to any remote VPN network.

Windows 7 32bit & 64bit users dealing with the same problem can refer to our Troubleshooting Cisco VPN Client - How To Fix Reason 442: Failed to Enable Virtual Adapter article.

Windows 10 32bit & 64bit can read our article Install & Fix Cisco VPN Client on Windows 10 (32 & 64 Bit). Fix Reason 442: Failed to enable Virtual Adapter.

Windows 10 32bit & 64bit Anniversary Update 1607 users can read our Fix Cisco VPN Client Break After Windows 10 Anniversary Update 1607.

When trying to connect to a VPN network through a Windows 8 operating system (32 or 64 bit), the Cisco VPN client will fail to connect. As soon as the user double-clicks on the selected Connection Entry, the VPN client will begin its negotiation and request the username and password.

As soon as the credentials are provided, the VPN client shows the well-known “Securing communications channel” at the bottom of the windows application:

After a couple of seconds the Cisco VPN client will timeout, fail and eventually the connection is terminated. The user is then greeted by a pop up window explaining that the VPN failed with a Reason 442: Failed to enable Virtual Adaptor error:

Note: It’s always a great idea to have the latest Cisco VPN client installed. Users can download the Cisco VPN client for Windows, Linux and MacOS operating systems by visiting our Cisco Tools & Applications download section.

Introducing The Fix – Workaround

Thankfully the fix to this problem is simple and can be performed even by users with somewhat limited experience.

Here are 4 easy-to-follow steps to the solution:

1. Open your Windows Registry Editor by typing regedit in the Run prompt.

2. Browse to the Registry Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA

3. From the window on the right, select and right-click on DisplayName and choose Modify from the menu. Alternatively, double-click on DisplayName:

4. For Windows 8 32bit (x86) operating systems, change the value data from @oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter to Cisco Systems VPN Adapter.

For Windows 8 64bit (x64) operating systems, change the value data from @oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows to Cisco Systems VPN Adapter for 64-bit Windows (shown below):

When done editing the Value data, click on OK and close the Registry Editor.

You can now run the Cisco VPN Client and connect to your VPN network.  Changes performed do not require a system restart.

When hearing the DMVPN terms single tier or dual tier it can be difficult to understand exactly their meanings.  While the difference between the two might seem clear when looking at a DMVPN with single or dual tier headend setup, what really goes on is usually not revealed or analysed in great depth, until now…

While there are plenty of diagrams online illustrating Single Tier and Dual Tier Headend architectures, we found none that would analyse the differences on a packet/protocol level. This is usually the level of analysis many engineers require to truly understand how each model works.

We always assume the DMVPN network (mGRE tunnel) is protected using the IPSecurity protocol.

Single Tier Headend

Single Tier Headend involves a DMVPN setup with one single Hub router responsible for all DMVPN services. Practically, this means both Crypto IPSec and mGRE tunnel terminate on the same router, the Hub.

This is illustrated in our detailed diagram below:

In Single Tier Headend IPSec runs in Tunnel Model, encrypting the whole GRE tunnel and Data carried within. This ensures true confidentiality of our GRE tunnel and provides great flexibility in terms of VPN network design.

Engineers and Administrators who would like to learn more about protecting GRE using IPSec (both Tunnel and Transport Mode) can read our popular  GRE over IPSec - Selecting and Configuring GRE IPSec Tunnel or Transport Mode article. We high recommend the above article as it contains extremely useful information, not found easily!

As expected, a Single Tier Headend setup means that all processing is performed by one single device. The burden of encrypting, decrypting, encapsulating, decapsulating and maintaining the NHRP database falls on a single Hub. As a rule of thumb, the faster the Internet connection speed on the Hub router the bigger the burden will be on its CPU as it needs to process VPN data at a much faster rate. DMVPN scalability issues is a topic that will be covered on Firewall.cx.

DMVPN deployments based on Single Tier Headend architecture also support spoke-to-spoke VPN tunnels, allowing remote offices to dynamically build VPN tunnels between each other. Remote offices (spokes) are also configured with mGRE tunnels (like the Hub), allowing them to create the dynamic spoke-to-spoke tunnels.

Dual Tier Headend

Dual Tier Headend is a more popular approach to DMVPN, especially when it comes to VPN redundancy. Cisco usually uses this method when analysing DMVPN networks, however, this does not mean the Single Tier is not an acceptable solution.

With Dual Tier Headend Crypto IPSec terminates on a router positioned in front of the Hub, while the mGRE tunnel terminates on the Hub. This is illustrated in our detailed diagram below:

In Dual Tier Headend IPSec runs in Tunnel Model, encrypting the whole GRE tunnel and Data carried within. IPSec decryption occurs on R2, the Frontend router, and the mGRE tunnel is passed to the Hub where it terminates.

DMVPN deployments based on Dual Tier Headend architecture do not support spoke-to-spoke VPN tunnels. This limitation should be seriously considered if planning for this type of DMVPN deployment. This also explains why spoke routers in this deployment method are configured with single GRE tunnels (not mGRE).

Links To GRE - DMVPN - IPSec VPN Articles

Firewall.cx hosts a number of popular articles for those requiring additional information on DMVPN networks and IPSec VPNs. Below are a few hand-picked links to articles we are sure will be useful:

1. Understanding Cisco Dynamic Multipoint VPN (DMVPN)
2. Dynamic Multipoint VPN (DMVPN) Deployment Models & Architectures
3. Configuring Cisco Dynamic Multipoint VPN (DMVPN)
4. Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers
5. Configuring Point-to-Point GRE VPN Tunnels on Cisco Routers
6. Cisco GRE and IPSec - GRE over IPSec - Selecting and Configuring GRE IPSec Tunnel or Transport Mode
7. Configuring Cisco SSL VPN AnyConnect (WebVPN) on Cisco IOS Routers
8. Understanding VPN IPSec Tunnel Mode and IPSec Transport Mode - What's the Difference?

Those seeking help to configure a DMVPN network can also refer to our Configuring Cisco Dynamic Multipoint VPN (DMVPN) - Hub, Spokes , mGRE Protection and Routing - DMVPN Configuration article which fully covers the deployment and configuration of a Single DMVPN Network/Cloud  - Single Tier Headend Architecture.

DMVPN Deployment Models

There is a number of different ways an engineer can implement a DMVPN network. The fact that there is a variety of DMVPN models, each one with its caveats and requirements, means that almost any VPN requirement can be met as long as we have the correct hardware, software license and knowledge to implement it.

Speaking of implementation, no matter how complex the DMVPN network might get, it’s pretty straightforward once it's broken down into sections.

Engineers already working with complex DMVPNs can appreciate this and see the simplicity in configuration they offer.  At the end, it’s all a matter of experience.

Providing configuration for each deployment model is out of this article’s scope, however, we will identify key services used in each deployment model along with their strong and weak points.

Future articles will cover configuration of all DMVPN deployment models presented here.

Following are the most popular DMVPN deployment models found in over 85% of DMVPN networks across the globe:

• Single DMVPN Network/Cloud  - Single Tier Headend Architecture
• Single DMVPN Network/Cloud  - Dual Tier Headend Architecture
• Dual DMVPN Network/Cloud – Single Tier Headend Architecture
• Dual DMVPN Network/Cloud – Dual Tier Headend Architecture

In every case a complete DMVPN deployment consists of the following services, also known as control planes:

1. Dynamic Routing (Next Hop Resolution Protocol)
2. mGRE Tunnels
3. Tunnel Protection – IPSec Encryption that protects the GRE tunnel and data

It’s time now to take a look at each deployment model.

Single DMVPN Network/Cloud - Single Tier Headend Architecture

The Single DMVPN - Single Tier Headend deployment model is DMVPN in its simplest form.  It consists of the main Hub located at the headquarters and remote spokes spread amongst the remote offices.

The term ‘Single DMVPN’ refers to the fact there is only one DMVPN network in this deployment.  This DMVPN network consists of the yellow GRE/IPSec Hub-and-Spoke tunnels terminating at the central Hub from one end and the remote spokes on the other end.

The term ‘Single Tier Headend’ means that all control planes are incorporated into a single router – the Hub. This means it takes care of the dynamic routing (NHRP), mGRE tunnels and IPSec Tunnel Protection.

The central hub maintains the Next Hop Resolution Protocol (NHRP) database and is aware of each spoke’s public IP address.

When setting up a DMVPN network, every spoke is configured, using static NHRP mappings, to register with the Hub. Through this process, every spoke is aware of every other’s public IP address via the NHRP server (Hub), no matter if the spokes IP addresses are dynamic or static.

Through DMVPN, each spoke is able to dynamically build a VPN tunnel to each other spoke, allowing the direct communication between them without needing to tunnel all traffic through the main Hub. This saves valuable bandwidth, time and money.

We should at this point note that in Phase 1 DMVPN, all traffic passes through the Hub.  Phase 2 and Phase 3 DMVPN, directly forms spoke-to-spoke tunnels and sends traffic directly, bypassing the Hub.

The Single DMVPN - Single Tier Headend Architecture has the advantage of requiring only one Hub router, however, the Hub’s CPU is also the limiting factor for this deployment’s scalability as it undertakes all three control planes (NHRP, mGRE & IPSec protection). 

In addition the Hub router, and its link to the Internet, is the single point of failure in this design. If any of the two (Hub or Internet link) fail, it can cripple the whole VPN network.

This DMVPN model is a usual approach for a limited budget DMVPN network with a few remote branches.  Routing protocols are also not required when implementing a single DMVPN network/cloud. Instead, static routes can be used with the same end result.

Single DMVPN Network/Cloud - Dual Tier Headend Architecture

The Single DMVPN Network/Cloud or Dual Tier Headend DMVPN deployment consists of two routers at the headquarters. The first router, R1, is responsible for terminating the IPSec connections to all spokes, offloading the encryption and decryption process from the main Hub behind it. The Hub router undertakes the termination of mGRE tunnel, NHRP server and processing of all routing protocol updates.

The only real advantage offered by the Dual Tier Headend Architecture (Single DMVPN cloud) is that it can support a significantly greater number of spokes.

A limitation of Dual Tier Headend Architecture is the absence of the spoke-to-spoke connections, in Dual Tier DMVPN spoke-to-spoke connections are not supported. 

Dual DMVPN Network/Cloud – Single Tier Headend Architecture

The Dual DMVPN topology with spoke-to-spoke deployment consists of two headend routers, Hub 1 and Hub 2.  Each DMVPN network (DMVPN 1 & DMVPN 2) represents a unique IP subnet, one is considered the primary DMVPN while the other is the secondary/backup DMVPN.

The dynamic Spoke-to-Spoke tunnels created between branches must be within a single DMVPN network.  This means that spoke-to-spoke tunnels can only be created between spokes in the same DMVPN network. 

With Dual DMVPN – Single Tier Headend Architecture, each Hub manages its own DMVPN network. Each Hub undertakes the task of IPSec encryption/decryption, mGRE Tunnel termination and NHRP Server for its DMVPN network.  A routing protocol such as EIGRP or OSPF is usually implemented in this type of setup to ensure automatic failover in case the primary DMVPN fails.

Dual DMVPN – Single Tier Architecture is considered an extremely flexible and scalable setup as it combines the best of both worlds – that is, true redundancy with two separate Hubs and DMVPN networks, plus support for spoke-to-spoke tunnels.

Dual DMVPN Network/Cloud – Dual Tier Headend Architecture

The Dual DMVPN Network – Dual Tier Headend combines the previous two deployment methods in one setup. It consists of two Hubs that deal only with mGRE tunnels and NHRP services, each Hub managing its own DMVPN network.

Frontend routers R1 and R2 take care of all IPSec termination for all spokes, performing encryption/decryption as data enters or exits the IPSec tunnels.

Newer ISR G2 routers are capable of undertaking great quantities of number crunching for all VPN tunnels as they are equipped with hardware accelerated VPN modules that offload this process from the main CPU.

As with Dual DMVPN – Single Tier deployment model, each Hub manages its own DMVPN network and connections with its spokes. Routing protocols are a necessity to ensure automatic failover to the secondary DMVPN network in case the primary fails.

Unfortunately, as with all Dual Tier deployments, we lose the spoke-to-spoke ability, but this might not be a limitation for some.

Acknowledgements

We would like to thank Saravana Kumar from the Cisco VPN TAC Support team for his valuable feedback and help.

Summary

This article examined the different types of DMVPN deployments and covered the following deployment models: Single DMVPN Network/Cloud  - Single Tier Headend Architecture, Single DMVPN Network/Cloud  - Dual Tier Headend Architecture, Dual DMVPN Network/Cloud – Single Tier Headend Architecture and finally Dual DMVPN Network/Cloud – Dual Tier Headend Architecture.

Note: Users familair with DMVPN can also visit our article Configuring Cisco Dynamic Multipoint VPN (DMVPN) - Hub, Spokes , mGRE Protection and Routing

With DMVPN, one central router, usually placed at the head office, undertakes the role of the Hub while all other branch routers are Spokes that connect to the Hub router so the branch offices can access the company’s resources. DMVPN consists of two mainly deployment designs:

• DMVPN Hub & Spoke, used to perform headquarters-to-branch interconnections
  
• DMVPN Spoke-to-Spoke, used to perform branch-to-branch interconnections

In both cases, the Hub router is assigned a static public IP Address while the branch routers (spokes) can be assigned static or dynamic public IP addresses.

DMVPN combines multiple GRE (mGRE) Tunnels, IPSec encryption and NHRP (Next Hop Resolution Protocol) to perform its job and save the administrator the need to define multiple static crypto maps and dynamic discovery of tunnel endpoints.

NHRP is layer 2 resolution protocol and cache, much like Address Resolution Protocol (ARP) or Reverse ARP (Frame Relay).

The Hub router undertakes the role of the server while the spoke routers act as the clients. The Hub maintains a special NHRP database with the public IP Addresses of all configured spokes.

Each spoke registers its public IP address with the hub and queries the NHRP database for the public IP address of the destination spoke it needs to build a VPN tunnel.

mGRE Tunnel Interface is used to allow a single GRE interface to support multiple IPSec tunnels and helps dramatically to simplify the complexity and size of the configuration.

Following is an outline of the main differences between GRE and mGRE interfaces:

A GRE interface definition includes:

• An IP address  
• A Tunnel Source
• A Tunnel Destination
• An optional tunnel key

An mGRE interface definition includes:

• An IP address
• A Tunnel source
• A Tunnel key

It is important to note that mGRE interfaces do not have a tunnel destination. Because mGRE tunnels do not have a tunnel destination defined, they cannot be used alone.  NHRP fills this gap by telling mGRE where to send the packets.

DMVPN Benefits

DMVPN provides a number of benefits which have helped make them very popular and highly recommended. These include:

• Simplified Hub Router Configuration. No more multiple tunnel interfaces for each branch (spoke) VPN. A single mGRE, IPSec profile without any crypto access lists, is all that is required to handle all Spoke routers. No matter how many Spoke routers connect to the Hub, the Hub configuration remains constant.

• Full Support for Spoke Routers with Dynamic IP Addressing. Spoke routers can use dynamic public IP Addresses. Thanks to NHRP, Spoke routers rely on the Hub router to find the public IP Address of other Spoke routers and construct a VPN Tunnel with them.

• Dynamic Creation of Spoke-to-Spoke VPN Tunnels. Spoke routers are able to dynamically create VPN Tunnels between them as network data needs to travel from one branch to another.

• Lower Administration Costs. DMVPN simplifies greatly the WAN network topology, allowing the Administrator to deal with other more time-consuming problems. Once setup, DMVPN continues working around the clock, creating dynamic VPNs as needed and keeping every router updated on the VPN topology.

• Optional Strong Security with IPSec. Optionally, IPSecurity can be configured to provide data encryption and confidentiality. IPSec is used to secure the mGRE tunnels by encrypting the tunnel traffic using a variety of available encryption algorithms. More on GRE IPSec can be found on our Configuring P-to-P GRE VPN IPSec Tunnels article.

DMVPN Case Study - DMVPN = Configuration Reduction and Simplified Architecture

As stated, DMVPN greatly reduces the necessary configuration in a large scale VPN network by eliminating the necessity for crypto maps and other configuration requirements.

To help demonstrate the level of simplicity and dramatic reduction of administrative overhead, we’ve worked on an example from Cisco.com and made it a bit more realistic to help show how much DMVPN does really help when it comes to configuration complexity and length.

The following requirements have been calculated for a traditional VPN network of a company with a central hub and 30 remote offices. All GRE tunnels are protected using IPSec:

Before DMVPN With p-pGRE + IPSec Encryption

• Single GRE interface for each spoke

• All tunnels for each spoke (remote office) need to be predefined:
  • Use of static tunnel destination
  • Requires static addresses for spokes
  • Supports dynamic routing protocols
• Large hub configuration (HQ Router)
  • 1 interface/spoke -> 30 spokes = 30 tunnel interfaces
  • 7 lines per spoke -> 30 spokes = 210 configuration lines
  • 4 IP addresses per spoke -> 30 spokes = 120 addresses
• Addition of spokes requires changes on the hub
• Spoke-to-Spoke traffic must pass through the hub.

The diagram below shows a point-to-point GRE VPN network. All spokes connect directly to the hub using a tunnel interface. The hub router is configured with three separate tunnel interfaces, one for each spoke:

Each GRE tunnel between the hub-spoke routers is configured with its unique network ID.  For example, GRE tunnel between the HUB and Remote Office 1 could use network 10.0.0.0/30, while GRE tunnel between the HUB and Remote Office 2 could use 10.0.1.0/30 etc.

In addition, the hub router has three GRE tunnels configured, one for each spoke, making the overall configuration more complicated.  In case no routing protocol is used in our VPN network, the addition of one more spoke would mean configuration changes to all routers so that the new spoke is reachable by everyone.

Lastly, traffic between spokes in a point-to-point GRE VPN network must pass through the hub, wasting valuable bandwidth and introducing unnecessary bottlenecks.

After DMVPN With mGRE + IPSec Encryption

• One mGRE interface supports ALL spokes. Multiple mGRE interfaces are allowed, in which case each is a separate DMVPN.
• Dynamic Tunnel Destination simplifies support for dynamically addressed spokes with the use of NHTP registration and dynamic routing protocols
• Smaller hub configuration (HQ Router)
  • 1 interface for all 30 spokes = 1 tunnel interfaces
  • Configuration including NHRP for 30 spokes = 15 lines
  • 7 lines per spoke -> 30 spokes = 210 configuration lines
  • All spokes in the same subnet -> 30 spokes  = 30 addresses
• No need to touch the hub for new spokes
• Spoke-to-Spoke traffic via the hub or directly.

mGRE dramatically simplifies the overall setup and configuration of our VPN network. With mGRE, all spokes are configured with only one tunnel interface, no matter how many spokes they can connect to. All tunnel interfaces are part of the same network. In our diagram below, this is network 10.0.0.0/29.

Furthermore, spoke-to-spoke traffic no longer needs to pass through the hub router but is sent directly from one spoke to another.

It should be clear how much simpler and easier DMVPN with mGRE is when compared with IPSec VPN Crypto tunnels or point-to-point GRE.

Cisco DMVPN IOS Version Support

While DMVPN was introduced in the earlier 12.3.19T IOS versions it is highly recommended to use the latest possible IOS. This will ensure VPN stability and access to new DMVPN features found only on the latest IOS.

Summary - More DMVPN Articles

It is evident that DMVPN is not just another VPN technology but a revolution to VPN architecture design.  The flexibility, stability and easy setup it provides are second-to-none, making it pretty much the best VPN solution available these days for any type of network.

To learn how to configure a DMVPN network, you can read our Configuring Cisco Dynamic Multipoint VPN (DMVPN) - Hub, Spokes , mGRE Protection and Routing article.

Windows 8 32bit & 64bit users dealing with the same problem can refer to our Cisco VPN Client & Windows 8 (32bit & 64Bit) - Reason 442: Failed To Enable Virtual Adaptor - How To Fix It article.

Windows 10 32bit & 64bit can read our article Install & Fix Cisco VPN Client on Windows 10 (32 & 64 Bit). Fix Reason 442: Failed to enable Virtual Adapter.

Windows 10 32bit & 64bit Anniversary Update 1607 users can read our Fix Cisco VPN Client Break After Windows 10 Anniversary Update 1607.

Following the steps outlined below will help resolve this error and save you a lot of time and frustration:

1. Hit the start button and type "services.msc' as shown:

2. Locate and stop Cisco Systems, Inc. VPN Service;

3. Stop and disable Internet Connection Sharing (ICS) Service;

4. Restart Cisco System, Inc. VPN Service.

Launch the Cisco VPN Client again, and the problem is now gone!

Keep in mind that we are running Cisco Systems VPN Client version 5.0.07.0440 on Windows 7 Ultimate 64-bit edition, but we faced the same problem with other versions as well.

Note: It’s always a great idea to have the latest Cisco VPN client installed. Users can download the Cisco VPN client for Windows, Linux and MacOS operating systems by visiting our Cisco Tools & Applications download section.

Since the presentation of the new SmartCare service on Firewall.cx some things have changed, which is the reason we decided to write  an update on the original article. 

Firstly, the Cisco SmartCare appliance has changed. With the termination of collaboration between Cisco and HP, Cisco no longer supplies HP-based SmartCare appliances; these have been replaced by IBM-based servers, which are a lot shorter and lighter.  The SmartCare appliance is much easier to install and doesn't require a lengthy rack to fit in properly.

While the operating system is still Linux, the distribution used now is the popular CentOS v5.3 with kernel version 2.6.18-128.el5 - essentially a repackaged RedHat Enterprise Linux. This operating system runs on 3.5 Gigs of installed memory and an Intel-based CPU. The hard drive is a Seagate Barracuda SATA 250GB spinning at 7200rpm.

As expected, the box the appliance arrives in is very small compared to the original SmartCare appliance. The box is similar to that of a Cisco 2960G Catalyst switch and contains mounting brackets plus a SATA cable and a few screws which we couldn't find a use for!

What a lot people aren't aware of is that most of these products come with a 90 day warranty - something that's really odd when compared with other vendors who usually offer at least one year warranty. On the other hand, only a number of hand-picked Cisco devices offer lifetime-limited warranty - for example, the Cisco Catalyst switches (lower to mid range models). Effectively, these lifetime-limited covered devices means that if they fail, it takes 20-25 days for Cisco to replace them.

For the above, and many more reasons, you should always choose to purchase the additional warranty extension service for each device. This is know as a 'SmartNet service'.

The Cisco SmartNet service comes in many variations, however in its most basic form, it extends up to one year the warranty for the device it is purchased, with a next business day replacement (NBD). The SmartNet service also entities you to download minor upgrade for the device's IOS or firmware.

The big problem with SmartNet service is that when dealing with a lot of equipment e.g 8 routers, 15 switches, 2 firewalls, it can get quite tricky and you need to ensure the renewal of every SmartNet happens within a specific period, otherwise you'll need to pay a lot more money to renew it.

Sounds fussy and a laborious task? Want more from Cisco than a simple warranty coverage?

Enter the Cisco SmartCare service.....

The Cisco Smart Care service is the most advanced support services Cisco has offered until now. Due to the extensive features and services offered within the Smart Care service, we've broken the article down into smaller sections to make it easier to follow.

Cisco Smart Care Service

The Cisco Smart Care service is a new and much sophisticated approach in covering expensive Cisco equipment. The Smart Care service aims to help simplyfy the whole process while providing a lot more for your money.

The Smart Care service of course covers completely everything the SmartNet service does, but also adds the following benefits:

• Simplified Contract. Everything you have with a Cisco logo is covered under one contract.
• Access to advanced Cisco Technical Assistance Center (TAC) for help around the clock.
• Free Cisco Smart Care appliance (Hold on, we'll analyse this soon).
• 24/7 Monitoring of your Cisco equipment.
• Delivers dashboard visibility into network performance
• Proactive network scanning for software vulnerabilities and security risks
• Security assesments of your device configurations according to Cisco's security guidelines
• VoIP assessment of your network (for networks with VoIP Smart Care services)
• Cheaper coverage. As it turns out, the more Cisco equipment you cover, the cheaper it gets when compared to the traditional SmartNet service.

When your Cisco Smart Care service is purchased and enabled, you'll receive the Cisco Smart Care appliance within a couple of days.

Through this appliance, all Cisco network equipment covered under the Smart Care contract, are monitored 24/7. This information is encrypted and sent directly to the Cisco Smart Care center for processing and is almost immediately made available to your Cisco Partner via the Smart Care portal.

Your Cisco partner can, and should, provide you with access to the Smart Care portal so you can see all information provided by Cisco, that is associated with your network. Reports and warnings generated by the Smart Care appliance are sent to your Cisco partner and can also be configured so you (the network administrator) receive them as well.

The Cisco Smart Care Appliance

The Cisco Smart Care appliance can only be deployed only by your authorised Cisco Smart Care partner. Keep in mind that the Cisco 'Smart Care certifed' certification is a separate certification in addition to the ones your partner might already have aquired. This means that no matter what certification level your Cisco partner has (SMB, Premier, Silver or Gold), they need to also be Smart Care certified.

The Cisco Smart Care appliance is basically a HP Proliant DL server with the Cisco brand on it, much like the Cisco Call Manager servers. At the time, the model we received was powered by an Intel Celeron Processor running at 3.2 Ghz with a 533Mhz bus and is bundled with 1GB RAM and a single Western Digital 74.6 GB SATA hdd.

We must agree that the specifications for this server are extremely low, however because its running on a customised Linux kernel, we can justify the server's specifications. By the way, don't expect to find a floppy or DVD drive - they've been removed and replaced by plastic covers.

Speaking of covers, we thought it would be nice if we opened our Smart Care appliance and see what's inside it, and we did just that:

At a first glance, the server's fanless CPU, Ram and SATA hdd grabs your attention. In front of the CPU you'll notice an array of fans designed to constantly blow cool air through the CPU's heatsink keeping its temperature low, but also cooling at the same time the motherboard and other circuits. This is a classical design for these type of servers. On the lower left part of the picture you can see the server's power supply, bundled with two additional fans in front forcing cool air to enter the area from the front, skimming the hdd and cooling it as well.

Turning the appliance backwards, you'll find all necessary interfaces, including a serial port which is all you really need to setup the server.

Provided with the server is a DB9 serial cable (shown below on the right side) which is basically a null-modem serial cable with the TX & RX pins in cross-over mode:

Since almost all laptops today do not feature a serial port, you'll need to use a USB-to-Serial adaptor like the one shown left in the above picture. Alternatively, you can simply connect a VGA monitor and a keyboard to proceed with the setup. We've decided to go ahead using the serial cable, rather than a monitor.

When you first power on the Smart Care, you'll get the well-know bios post test and a brief summary of the system's configuration as shown below:

Following the post test is the system bootup which doesn't really show anything else other than a message telling you that its booting the kernel. Once the system has loaded, it will prompt for a login name and password. The factory defaults for this are 'cisco' and 'cisco'.

The first step required once your Smart Care appliance boots up, is to configure it with the appropriate network settings in order to obtain Internet access and update the appliance software.

Configuring the Appliance Network Settings

To configure the network settings, you need to enter Priveliged Mode just as you would with a Cisco router or switch. Type 'enable' and enter 'admin' as a password when prompted.

You'll see the hash # character at the prompt, indicating you've now entered priveliged mode. Typing ? will present all available options as shown below:

The conf ip command will launch a series of prompts asking for the system's IP Address, Subnet mask, Gateway, DNS servers and proxy server, however we highly advise you enable a DHCP server on your network that will provide all this information automatically.

Our approach was to use a DHCP server and by issuing the 'show net' command we were able to verify the correct settings of our Smart Care appliance:

As with all Cisco products, you can enter a simple 'ping' command toward a domain to ensure the DNS resolution process is working correctly and there is in fact connectivity with the Internet.

Updating the Cisco Smart Care Appliance

Updating the Cisco Smart Care appliance is a necessity because if you don't upgrade it, it simply won't work.

The first time we performed the update, we had a problem downloading the new image and were required to open a Cisco TAC case as the appliance is not able to automatically find the necessary update and download it. Hopefully this will be fixed in the newer versions of the appliance so updating it would simply mean to execute a command and nothing more.

Envoking the update process is easy: At the prompt #, simply type the command update and hit enter. The Cisco Smart Care appliance will ask you to confirm the upgrade of the client:

After answering y for yes, the system will move to the 'client update' page to continue the process.

The client update page is very simple and requests the following two peices of information:

1) URL from which the Cisco Smart Care appliance is able to download the necessary image

2) Cisco Connection Online (known as 'CCO') account name & password

Keep in mind that when entering your CCO password, the system will not show it on the screen, but instead the field is kept blank:

The url seems a bit wierd at a first glance because of its length, the system wraps it at the end of the screen, giving it an aweful look. Assuming all the information provided is correct, the Cisco Smart Care appliance will automatically start downloading the new update providing you with constant feedback on the download speed. The image download is about 55Mb, so if your on a fast ASDL connection, its a matter of minutes.

This update can only be performed online. You cannot download the image and install it from your computer as you would with an IOS image!

As soon as the image download is complete, you are prompted with a few details about the installation that will proceed, plus a final confirmation that you wish to perform the update:

After you press 'y' and 'enter', confirming to proceed with the update, the system will start to upwrap the image it downloaded and begins the installation as shown below:

The installation process is monitored easily through the stars * on the screen. We don't know what eactly one unique star represents, but that doesn't really matter :) As soon as the update is complete, the system notifies the installer with a 'Installation Complete' message and immediately begins the restart process to load the newly updated software.

When the Cisco Smart Care appliance completes its reboot, you'll need to perform the whole login process again, until you reach the '#' prompt. At that point, we can issue the '?' command and see the available menu options. If you compare the options with the ones before the update, (shown at the begining of this page - first screenshot), we'll see there is a noticeable difference.

Now that we have updated the Cisco Smart Care appliance, we need to register it with Cisco. This registration is necessary so we can finally tie the appliance to the end customer.

To kick-start the registration, simply enter the 'register' command and the registration screen will make its appearance:

Taking the settings from top to bottom, we leave the first three options 'as is' and move to the fourth where enter again the partner CCO account and password. Next, we can provide a name for the appliance to help us indicate which customer is it for. The name above has been smudged out to ensure privacy.

We confirm at the end that all above information is correct and the appliance proceeds to contact Cisco and register itself. A confirmation message is shown, indicating tha the registration was successful.

Assigning & Enabling the Cisco Smart Care Appliance

Once the Cisco Smart Care appliance has registered with Cisco, we need to assign it to the end customer. This process binds the appliance to the specific customer and the contract invoked.

For this process, the partner must log into the Cisco Smart Care portal.

The main page at the Cisco Smart Care portal provides all the necessary configuration and monitoring options for all appliances installed.

From the menu on the left, we select the Administration menu and then Assessment Appliances to assign the registered appliance to the appropriate customer.

When selected, the Assessment Appliances screen will show all registered appliances no matter what state they are in. As shown in the screenshot below, our hardware client is registered, but remains unassigned to the customer.

To assign the appliance, we select the appliance and then click on the Assign/Unassign button located on the lower left corner of the Cisco Network Assessment Appliances table.

Once the Assign/Unassign button is pressed, a final confirmation is required before the assignment process begins. After confirming by pressing OK, the process begins:

The Cisco Smart Care portal will contact the appliance and after a brief secure exchange of data, the appliance will be assigned to the customer.

Once this phase of the process is complete, we need to enable the Smart Care appliance installed as the customer's site. To do this, under the customer's menu, we select Administration and then Assessment Appliance Configuration.

Once the page loads we click on view and wait for the next window to open

The next page provides us with the option to finally enable the network appliance installed at our customer's site. Click on the drop-down box, select Enabled and then click on the Save button.

Once the Save button is pressed, the Smart Care portal will queue the necessary commands and send them to the Smart Care appliance to enable it, providing the Cisco engineer with a number of additional tasks within the Smart Care portal.

Discovering Cisco Devices

As soon as the appliance is enabled, the Smart Care portal will refresh and show its status alongside with the services activated and their respective version. This particular customer has a Level 3 service which includes routing, switching and voice services (Cisco Unified CallManager Express).

Level 3 services indicate a higher complexity network and therefore offer additional services such as Voice Monitor, Voice Quality Monitor and other related services as shown in the screenshot above.

At this point, we need to discover our Cisco network devices and add them to the portal. This process is usually handled during the contract setup by your Cisco Partner, and therefore all covered equipment are already listed with their product codes and serial numbers, however the system does not contain any IP Addresses, SNMP passwords (required for the SmartCare appliance to connect to the devices) e.t.c.

We now head over to the Discovered Devices menu on the left and click the Perform New Discovery button which brings up the Service Control screen where we can run a number of services by either scheduling them or running them at that moment.

The first step here is to select the Run Now... button which will trigger the 3-step discovery process so that the Smart Care appliance can discover all Cisco devices that will be included in the Smart Care contract. These devices will be permanently monitored by the appliance once added.

The first step involves the Cisco engineer inserting the network subnets that need to be scanned by the appliance to discover the Cisco devices. Scrolling further below (not shown) the system requires the SNMP string which will be used to connect to each discovered device and obtain all necessary information. As it is evident, SNMP must be enabled on all Cisco devices we want to be discovered, using a read-only string.

This technique is favourable because it allows you to control which equipment are added to the Smart Care contract. If the Smart Care appliance can't 'see' them - they aren't added to the contract!

As soon as all the information is entered, hitting the Next button starts the scanning process as shown below:

The screen will show the discovered hosts in real-time and won't take longer than a couple of minutes to complete, depending on the amount of hosts the network has.

As each device is successfully discovered, the system shows its Status, Device Type, Eligibility and Details. This will help ensure the correct devices are discovered.

In our first discovery process, the ASA 5510 appliances were not discovered due to the strict firewall policies in place. This was a reminder that when performing the discovery, you must ensure firewall access lists are not blocking SNMP queries to the devices.

Thankfully, we are able to re-run the discovery process and add the missing devices later on.

As soon as the process is complete, we are presented with the final table of discovered devices. Here we get the chance to make any last changes and select the proper device, in case the Smart Care appliance made a mistake - something we have never encountered so far.

Clicking on the Details button doesn't do much other than display the IP Address and SNMP MIB Tree information of the discovered device - slightly useless information we believe.

Now all that is needed is to hit the Save and Continue button so the system can add these devices to the Cisco Smart Care service so they become available to the customer's inventory.

The Cisco Smart Care service allows the Cisco Partner to run the discover process and add devices to the service at any time, however, these additional devices (assuming they are not already covered) can force the Smart Care service device weight jump to the next level. When this happens, an invoice is automatically generated and sent to the partner!

Therefore, to help avoid covering equipment accidently, the system always provides a number of warnings before allowing you to accept the changes:

For this installation, all devices had been pre-inserted into the Smart Care portal in order to generate the initial quotation. As these devices are now discovered, we will see duplicate entries in the inventory. As a last step, we simply need to delete the older entries, effectively replacing them with the newly discovered devices.

Inventorying The Discovered Cisco Devices

After running the discovery service, if we visit the Discovered Devices section from the menu, the system will confirm the devices found already exist in the system and report that we need to run the inventory service:

Following the instructions, we select Services under the customer's Administration menu:

This will load the Service Control panel where we can execute on the spot a number of services or schedule them to automatically run at specific times and dates. The panel will also show when exactly the available services were executed.

To continue our setup, we select the Run Now... button to initiate the Inventory service.

Like most partner-initiated services, this is a 4-step process where we selected the discovered devices to the inventoried:

After selecting the devices to be inventoried and clicking the Next button, we are asked to enter the necessary credentials for each Cisco device, so that the Smart Care appliance can log into each device.

This might come as a surprise to some engineers, however it is necessary because the Cisco Smart Care appliance actually logs into each device and obtains a full list of all components installed, including part numbers, serial numbers, PVDMs (Cisco DSPs), slots in which cards are installed (for routers) and even Cisco Unity Express modules (if installed)!

The amount of information later on provided will surprise you as it is extremely comprehensive.

In case an incorrect username or password is entered, the system will reported a failure to log into the affected device and we will be able to later on re-run the inventory service and enter the correct credentials. For any given device who's credentials are correct, the SmartCare appliance will save this information for all future monitoring services to be run.

As we complete entering all information and select the protocol used to access each device, we can click on the Next button to start the inventory process:

At this point, the Smart Care portal queues the operation at the customer's Smart Care appliance and will begin to execute in a minute or two.

The time required to complete the inventory process will depend on the amount of devices and their complexity. For our setup, the process did not take more than 5 minutes to complete.

As soon as the process completes, we are presented with a brief summary of the process and are able to Terminate (close) the window. This will take us back to the Service Control panel where the Inventory will show as sucessfully executed along with a date and time.

With the inventory process complete, the last step is to schedule or run the Core, Security and Voice technology processes in order to examine and monitor the equipment discovered.

The Core, Security and Voice process is out of this article's scope and will be covered in future articles.

Summary

This article introduced the Cisco Smart Care service and explained the secret details of this service, which is executed by Cisco Smart Care authorized partners only. We saw the setup process of the Smart Care appliance, the portal setup including discovery and inventorying process of Cisco devices.

Early VPN products required, as many still do today, their own client which is usually installed on the remote workstation that requires access to the local network. The encryption methods and supported protocols made them either a very good choice, or simply a very bad one which could be easily compromised. These days, IPSec based VPNs are a standard, using the IP Security protocol and a number of other relative protocols, they provide adequate security and encryption to ensure a session is secure and properly encrypted.

VPN clients are usually preconfigured by the company's IT department with the necessary details and all end users need to do is launch the SSL VPN program and enter their credentials. Once user credentials are verified, they are granted access to the company's network and all associated security policies (such as access control lists) are applied.

We would say that, until recently (last 5 years), one of the major fall backs with VPN solutions was the fact that their vendors would in most cases only support their own VPN client, making the product usable only with their software – a major drawback for most companies. Another big problem with VPN clients is the fact they usually support specific operating systems. For example, many vendors provide VPN clients for Windows based operating systems but few support 64bit operating systems! Linux and Unix systems are usually out of luck when it comes to vendor-based VPN clients but, thanks to the open source community, solutions are freely available .

But these are just a few of the problems vpn-users and administrators are faced with. Getting access to your corporate VPN in most cases requires custom ports to be open through the firewall that's in front. Hotels and public hotspots usually block these ports and only allow very specific protocols to pass through such as HTTP, HTTPS, POP3, SMTP and others.

Web SSL VPN has started to change all that. As the name implies, Web SSL VPN is a popular version of VPNs, moving in a complete different direction from that which most vendors have been used to.

What is Web SSL VPN?

Web SSL VPN is, as the name implies, a web-based VPN client. While this might not mean much to many, it's actually a revolution in VPN technology! By moving from the program-based VPN client to a web-based VPN client, the operating system is no longer a problem. You can download, install and run your web-based VPN client on any operating system without a second thought!

Web SSL VPN works by communicating over standard HTTPS (SSL) protocol, allowing it to pass through almost any proxy or firewall that might be limiting your access. Once connected, a small java-based client is downloaded to the computer's web browser which creates a virtual connection between your computer and VPN concentrator or firewall providing the service.

An early version of Cisco Web VPN client, being downloaded and preparing its installation

The great part about Web SSL VPN is that it will automatically download if needed on to your computer and install itself. Once your session is over, it can be configured (by the administrator setting up the VPN service) to automatically delete itself from the computer, leaving no trace of the VPN client!

This means that using Web SSL VPN, you can safely log on to your corporate network from another computer, without requiring special certificates installed or group passwords at the user end. All you need to know is your own credentials and the URL to your Web SSL VPN concentrator.

After installation, your connection is established with the corporate Firewall

Another big advantage of Web SSL VPN is that it supports ‘split tunnelling' natively. Split tunnelling is a technique where when connected to a VPN network, only traffic destined for that network is encrypted and passed over the tunnel. All other traffic (e.g Internet browsing) bypasses the tunnel and is sent directly to the Internet as any normal connection. Split tunnelling is a wonderful feature that allows users to do necessary work through the VPN, but also maintain a direct Internet connection. Of course, this feature is easily disabled, again, by the administrator of your VPN concentrator.

Note: WebVPN for Cisco IOS routers is fully covered in our article: Configuring WebSSL VPN AnyConnect on Cisco IOS Routers.

Is Web based VPN Considered Safe?

Fortunately Web based VPN connections do not suffer from the same vulnerabilities as websites and webservers. The technology might use the same protocols (HTTP & HTTPS), however the Web SSL VPN implementation is completely different for most vendors. The non-web server based solution of Web SSL VPN offers a much more secure approach and is generally considered safe. The main difference here is that you've got a dedicated appliance offering a web service, and not a dedicated machine with a buggy operating system and web server full of exploits.

Web SSL VPN is considered to be very secure and capable of encrypting your user sessions so that no data is compromised over the VPN.

Client-Side Security of Web SSL VPN

The latest Web SSL VPN solutions offered have certainly improved in both performance and security requirements for the end user. They are now capable of checking a number of parameters on the host's side to decide whether or not to install. Administrators are able to create their own policies that would allow the Web SSL VPN client to install on a host's PC only if the host has a firewall installed and operating on its system, or if it has a valid up to date antivirus. If any of these requirements are not met, the Web SSL VPN client can fail to install.

VPN Application Support for Web SSL VPN

Early Web SSL VPNs, or First-Generation Web SSL VPNs, supported fewer features and protocols and provided secure access mainly to Intranet web-based application services. Their limited functionality and immaturity did not allow many companies to see them as an alternative to the well-known vpn client program.

As things started to progress and the Second-Generation of Web SSL VPNs came out, there was full support for all IP-based applications. Intranet Web services, File services, ERP services and pretty much anything you can think of is now capable of running through a second generation Web SSL VPN. This is also called a True SSL VPN solution as it completely replaces the IPSec based VPN client used until now.

Today, all Web SSL VPNs offer tunnelling of all IP Services, thereby falling into the second category .

Business Value of Web SSL VPN

While this fairly new technology is great, is there any real value in it for business? The answer is clearly ‘Yes'. Here are a few pointers that will help clarify:

• Easy to setup with a lot less administrative overhead and technical support required due to the ease of use.

• Costs less than traditional IPSec VPNs. They do not require propriety vpn client software to be purchased or licensed (in most cases).

• SSL makes use of Port 443. This almost guarantees it will work though any firewall that provides standard Internet access, without the need for any special configuration. No more troubled users trying to connect to the corporate network due to a restrictive Internet connection.

• Compatible with all operating system and web browsers.

• Full IP application support – replacing IPSec vpn client programs completely

• Ability to create security policies and allow access only when these policies are met e.g. Firewall, up to date antivirus and more.

• Available on servers, firewalls and even routers! You don't necessarily need a dedicated machine only for your VPN users as it is supported even on small devices such as Cisco 870 series routers!

WebVPN for Cisco IOS routers is fully covered in our article: Configuring WebSSL VPN AnyConnect on Cisco IOS Routers.

Summary

We saw what the Web SSL VPN hype is all about and it's good. As time passes, more vendors will start offering these solutions in their products. The message is 'use them'– don't be afraid to adopt these solutions as they will help you solve a great deal more problems and help get the job done better, faster and safer.

Invest in Web SSL VPN – it's the future of remote VPN access.