What Is IPsec Tunnel in Networking?
Also known as: IPsec tunnel, Cisco VPN, CCNP ENCOR IPsec, site-to-site VPN, IPsec tunnel mode
On This Page
Quick Definition
An IPsec tunnel creates a private, protected pathway for data traveling between two locations over the internet. It encrypts all the information inside, so no one else can read it. Think of it as a secure, sealed pipe that only authorized devices can use. This is essential for businesses connecting remote offices or employees working from home.
Must Know for Exams
The IPsec tunnel is a high-priority topic in the Cisco CCNP ENCOR exam (350-401), as well as in related exams like CCNA Security and CCNP SCOR. The ENCOR exam objectives explicitly list 'IPsec VPNs' and 'site-to-site VPNs' as key areas. Candidates must understand the concepts, configuration, and troubleshooting of IPsec tunnels.
Exam questions often test your understanding of the difference between transport mode and tunnel mode. For example, a question might show a packet diagram and ask which mode is being used. You need to know that tunnel mode encapsulates the entire original packet, while transport mode only encrypts the payload. The ENCOR exam also expects you to know which encryption algorithms are considered secure. Triple DES and MD5 are deprecated, while AES-256 and SHA-256 are recommended.
Another common exam focus is the Internet Key Exchange (IKE) process. You might be asked to order the steps of IKE phase 1 and phase 2 correctly. For instance, phase 1 establishes a secure management channel, and phase 2 negotiates the actual IPsec SAs. You also need to know authentication methods, including pre-shared keys, RSA signatures, and digital certificates.
In the CCNP Enterprise exam, you may see scenario-based questions where a site-to-site VPN is not working. You will need to troubleshoot common issues like mismatched encryption algorithms, incorrect pre-shared keys, firewall blocking UDP ports 500 and 4500, or network address translation (NAT) interference. Understanding the concept of interesting traffic is also critical: if the traffic does not match the access list defined in the crypto map, it will not be encrypted.
The exam also covers newer IPsec-related technologies like FlexVPN, which uses a combination of IPsec and other protocols for more flexible VPN solutions. While this is more advanced, the underlying IPsec principles remain the same.
For certification success, you should be able to describe the entire life cycle of an IPsec tunnel, from authentication to data transfer to termination. Practice configuring IPsec tunnels on Cisco routers in a lab environment, as hands-on experience dramatically improves your understanding of the concepts tested on the exam.
Simple Meaning
Imagine you are sending a secret letter across a crowded city. You could just write it on a postcard and hand it to a stranger, but anyone could read it along the way. An IPsec tunnel is like placing that letter inside a locked, armored briefcase before handing it to a trusted courier. The courier takes a special, hidden path that only they know, and at the destination, only the right person has the key to open the briefcase.
Now let us break this down into the parts you need to understand. First, the 'IP' part stands for Internet Protocol, which is the basic language computers use to send information to each other on a network. Second, 'sec' is short for secure, meaning the information is protected. Finally, 'tunnel' describes the method: instead of sending data directly through the open internet, it is wrapped inside another packet of data that hides the original content.
When two offices, say a main office in New York and a branch office in London, need to share sensitive information, they cannot just send it over the internet because anyone could intercept it. An IPsec tunnel solves this problem. Each office has a special device, like a router or a firewall, that acts as the tunnel entrance. When data leaves one office, the device encrypts it, meaning it scrambles the data into unreadable gibberish. Then it wraps that scrambled data inside a new packet addressed to the other office. The data travels through the internet looking like a normal message, but its contents are completely hidden. When it arrives, the other device unwraps it and decrypts it back into readable form.
This process happens automatically for every piece of data, whether it is an email, a file transfer, or a video call. The two devices also authenticate each other, which means they prove who they are using digital certificates or pre-shared keys, like showing a secret password before opening the door. The tunnel also ensures that no one has tampered with the data during transit by using integrity checks. If anyone tried to change even a single letter of the message, the receiving device would know and discard it.
For a beginner, the most important takeaway is that an IPsec tunnel makes the public internet feel like a private, secure wire between two locations. It is the backbone of many Virtual Private Networks, or VPNs, which companies use every day. You do not need to see the encryption or the authentication happening; it works behind the scenes to keep your data safe.
Full Technical Definition
IPsec (Internet Protocol Security) is a suite of protocols that provides authentication, encryption, and integrity for IP packets transmitted over a network. An IPsec tunnel is a mode of operation where the entire original IP packet is encapsulated within a new IP packet, with the original packet being encrypted and optionally authenticated. This is distinct from transport mode, where only the payload of the IP packet is encrypted.
IPsec operates at the network layer of the OSI model, unlike SSL/TLS which operates at the transport layer. This means IPsec can protect any application-layer protocol without requiring modifications to the applications themselves. The core components of an IPsec tunnel include the Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE). In modern implementations, ESP is used for encryption and authentication, while IKE (version 1 or 2) handles the secure negotiation of keys and security parameters.
The tunnel setup begins with IKE phase 1, where two peers authenticate each other and establish a secure, encrypted channel called the IKE security association (SA). This phase can use pre-shared keys, digital certificates, or other authentication methods. Phase 2 then negotiates the IPsec SAs, defining which traffic will be protected, what encryption algorithms to use (like AES-256), and what authentication algorithms (like SHA-256). Finally, the actual encrypted data flows through the tunnel using ESP in tunnel mode.
In real IT environments, IPsec tunnels are commonly configured on Cisco routers, firewalls, and VPN concentrators. Configuration involves defining interesting traffic (the data to be encrypted), setting up crypto maps or tunnel interfaces, and ensuring routing is properly directed into the tunnel. Common encryption algorithms include AES, 3DES (now deprecated), and DES (obsolete). Authentication can be done with MD5 (weak) or SHA-1/SHA-256. Perfect Forward Secrecy (PFS) is often used to ensure that compromise of one key does not compromise future keys.
IPsec tunnels also support Network Address Translation (NAT) traversal, which allows the tunnel to work even when one or both peers are behind a NAT device. This is critical for remote access VPNs where users connect from home networks. Additionally, dead peer detection (DPD) is used to quickly identify when a tunnel peer becomes unreachable, allowing for failover or reconnection.
For Cisco CCNP ENCOR exam candidates, understanding IPsec tunnel modes, IKE phases, and common configuration mistakes is essential. The exam may ask you to identify which encryption algorithms are considered secure, or how to troubleshoot a tunnel that fails to establish.
Real-Life Example
Think about a large international bank with a main vault in New York and a branch vault in Tokyo. Between these two vaults, the bank needs to transfer gold bars and cash every day. The streets between the buildings are public, full of people, and anyone could try to steal or tamper with the shipment.
To solve this, the bank builds a secure underground tunnel connecting the two vaults. This tunnel has several features that map directly to an IPsec tunnel. First, only authorized bank employees with special badges can enter the tunnel entrances. This is like authentication where both devices prove their identity. Second, once inside, every gold bar is placed inside a locked, armored box. This is encryption, which scrambles the data so no one can read it. Third, each box has a tamper-proof seal that breaks if someone tries to open it. This is integrity checking, ensuring the data was not changed.
Now, let's walk through an example transfer. The bank in Tokyo wants to send 100 gold bars to New York. First, the Tokyo vault manager authenticates herself with a retina scan and a key card. This is like IKE phase 1 authentication. Then, she places each gold bar into a separate locked box and seals it. This is encryption and integrity applied to each packet. She then loads all boxes onto a secure rail car that travels only inside the underground tunnel. The rail car has a destination address on it, but the address is encrypted so no one outside knows where it is going. This is the tunnel mode encapsulation, where the original packet (the gold bar) is hidden inside a new packet (the rail car).
When the rail car arrives in New York, the vault manager there uses his own key to open the boxes and verify the seals are intact. He counts the gold bars and confirms the shipment matches the manifest. If a seal is broken, he rejects the entire shipment. Similarly, in an IPsec tunnel, if the integrity check fails, the packet is dropped.
This analogy shows that an IPsec tunnel is not just about locking the data, but also about creating a dedicated, private path, authenticating both ends, and verifying nothing was tampered with. Just like the bank would never send gold bars through the open streets without protection, companies never send sensitive data over the internet without an IPsec tunnel.
Why This Term Matters
In real IT work, the importance of IPsec tunnels cannot be overstated. They form the foundation of secure site-to-site VPNs, remote access VPNs, and cloud connectivity. For a network engineer, understanding IPsec is essential for connecting branch offices to headquarters, enabling employees to work from home securely, and integrating with cloud services like AWS or Azure.
Without IPsec tunnels, any data sent over the internet would be vulnerable to eavesdropping, tampering, and theft. Consider a company with a point-of-sale system that transmits credit card numbers from a retail store to the central database. Without encryption, an attacker on the same Wi-Fi network could capture every credit card number. An IPsec tunnel encrypts this traffic, making it unreadable to anyone who intercepts it.
IPsec tunnels also help with compliance. Regulations like GDPR, HIPAA, and PCI-DSS require encryption of sensitive data in transit. Using IPsec tunnels is a standard way to meet these requirements. Auditors often ask for proof of encryption between sites, and a properly configured IPsec tunnel provides that.
In cloud infrastructure, IPsec tunnels are used to create hybrid networks. For example, a company might run an IPsec tunnel from their on-premises Cisco router to an AWS Virtual Private Gateway. This allows the company's servers in the cloud to communicate with on-premises databases as if they were on the same local network. This is critical for disaster recovery, data migration, and running applications across multiple locations.
For system administrators, IPsec tunnels also enable secure remote management. Instead of exposing a management interface directly to the internet, an administrator can connect via an IPsec VPN and then access internal devices securely. This reduces the attack surface significantly.
Finally, IPsec tunnels are a fundamental building block for network segmentation and zero trust architectures. By encrypting traffic between segments, even if an attacker breaches one part of the network, they cannot easily see traffic in other segments. This defense-in-depth approach is a core principle of modern network security.
How It Appears in Exam Questions
IPsec tunnel questions appear in several common formats on Cisco certification exams. The first type is the concept identification question. For example, you might be asked 'Which IPsec mode encrypts the entire original IP packet?' The answer is tunnel mode. Another variant asks 'Which protocol provides both encryption and authentication in an IPsec tunnel?' The answer is ESP.
Scenario-based questions are very common. A typical scenario might describe two branch offices that need to communicate securely over the internet. The question then asks you to select the correct configuration, or to identify what is missing. For instance, 'An engineer configures an IPsec tunnel between two routers, but the tunnel does not come up. Which step should be verified first?' The correct answer might be to check that the crypto isakmp key matches on both ends.
Troubleshooting questions often list show commands and ask you to interpret the output. For example, 'The output of show crypto ipsec sa shows that the number of packets encrypted is zero. What does this indicate?' The answer is that no traffic is being sent through the tunnel, possibly because the interesting traffic access list is not matching any packets.
Configuration questions ask you to complete a configuration snippet. You might be given a partial crypto map and asked which parameter is missing, such as the peer IP address or the transform set. Another common question asks about the correct order of commands to create an IPsec tunnel: first configure IKE parameters, then the transform set, then the crypto map, then apply it to the interface.
Architecture questions test your understanding of where IPsec tunnels fit in a network design. For example, 'Where should an IPsec tunnel be terminated in a hub-and-spoke topology?' The answer is typically at the edge router or firewall at each site.
Finally, security policy questions ask about best practices. You might be asked which encryption algorithm is no longer considered secure and why. Or you might be asked why Perfect Forward Secrecy should be enabled. The exam wants you to know not just the 'what' but the 'why' behind each configuration choice.
Study encor
Test your understanding with exam-style practice questions.
Example Scenario
A medium-sized retail company called 'TechMart' has its headquarters in Chicago and a regional distribution center in Denver. Both locations use Cisco ISR routers connected to the internet through different ISPs. The company uses a cloud-based inventory management system hosted in a data center in Dallas. The inventory system processes purchase orders, stock levels, and shipping details, all of which are sensitive business data.
TechMart's network engineer needs to ensure that all communication between Chicago, Denver, and the Dallas data center is encrypted and authenticated. The engineer decides to implement IPsec tunnels in a hub-and-spoke configuration, with the Dallas data center as the hub and the two retail sites as spokes.
To set this up, the engineer configures IKE phase 1 parameters on all three routers, using pre-shared keys for authentication. She then defines an IPsec transform set that uses AES-256 encryption and SHA-256 authentication. For each site, she creates a crypto map that specifies the remote peer IP address and the interesting traffic access list. The interesting traffic for Chicago is any traffic destined for the Dallas data center subnet, and similarly for Denver.
After configuration, the engineer tests the tunnel by pinging from a server in Chicago to a server in Dallas. The ping succeeds, and she verifies the tunnel using the command 'show crypto ipsec sa'. She sees that packets are being encrypted and decrypted correctly. The tunnel remains up and stable for weeks, ensuring all inventory data is protected from eavesdropping while traveling across the public internet. This allows TechMart to operate securely without the cost of a private leased line.
Common Mistakes
Believing IPsec is the same as a VPN, but every VPN must use IPsec.
IPsec is one of many protocols used to create VPNs. Other protocols include SSL/TLS, WireGuard, and L2TP. Not all VPNs use IPsec. For example, many remote access VPNs use SSL/TLS instead.
Understand that IPsec is a specific suite of protocols, while VPN is a general term for secure connections. Many VPNs use IPsec, but not all.
Confusing transport mode and tunnel mode.
In transport mode, only the payload of the IP packet is encrypted, and the original IP header is visible. In tunnel mode, the entire original packet is encapsulated and encrypted. This is a critical difference that often appears on exams.
Remember: tunnel mode is like putting a letter inside a new envelope. Transport mode is like locking the letter but keeping the original envelope.
Thinking that authentication alone provides confidentiality.
Authentication ensures that the data comes from a trusted source and has not been tampered with, but it does not encrypt the data. An attacker can still read the contents. Encryption is required for confidentiality.
Use both authentication and encryption. In IPsec, ESP provides both if configured correctly, while AH only provides authentication without encryption.
Using deprecated or weak algorithms like 3DES or MD5.
3DES and MD5 are considered cryptographically weak and can be broken by modern attacks. Certification exams expect you to know that these are insecure and should not be used in production.
Always use AES with at least 128-bit keys and SHA-256 for authentication. The exam will test you on secure choices.
Forgetting to allow UDP ports 500 and 4500 through firewalls.
IKE uses UDP port 500 for key exchange. If a firewall blocks this port, the tunnel cannot establish. NAT traversal uses UDP port 4500. Without these ports open, the IPsec tunnel fails silently.
Always verify that your firewall rules permit UDP 500 and 4500, and also IP protocol 50 (ESP) and 51 (AH) if used.
Exam Trap — Don't Get Fooled
A question states: 'An IPsec tunnel is configured between two routers. The tunnel is up, but no data is being encrypted. What is the most likely cause?' The answer choices include 'IKE phase 1 failed', 'The transform set is incorrect', or 'The access list for interesting traffic is missing or does not match any traffic'.
Understand that a tunnel being 'up' only means the control plane is established. The data plane, where actual encryption happens, depends on traffic matching. Always check the access list tied to the crypto map.
Use 'show crypto ipsec sa' to see if packets are being encrypted. If the packet count is zero, the issue is with interesting traffic, not the tunnel itself.
Commonly Confused With
An SSL/TLS VPN operates at the transport layer and typically runs over port 443, the same as HTTPS. It does not require client software and is often used for remote access. An IPsec tunnel operates at the network layer and usually requires dedicated client software or router configuration. IPsec can protect all IP traffic, while SSL/TLS is often limited to web applications.
An employee connecting from home uses an SSL VPN client to access a single web application. A branch office connecting to headquarters uses an IPsec tunnel to exchange all traffic between two networks.
Generic Routing Encapsulation (GRE) is a simple tunneling protocol that can encapsulate a wide variety of network layer protocols. However, GRE provides no encryption or authentication. It is often combined with IPsec to add security. IPsec alone can also tunnel traffic, but GRE allows for routing protocols like OSPF to run over the tunnel.
You need to connect two networks and run OSPF between them. You use a GRE tunnel to carry the routing updates, then protect the GRE tunnel with IPsec encryption.
Layer 2 Tunneling Protocol (L2TP) is often combined with IPsec to provide a VPN. L2TP itself does not encrypt data; it relies on IPsec for security. L2TP/IPsec is commonly used for remote access VPNs, especially on Windows and macOS. In contrast, a pure IPsec tunnel does not require L2TP and is often used for site-to-site connections.
A remote user connects to the corporate network using a built-in Windows VPN client that uses L2TP/IPsec. The L2TP part creates the tunnel, and IPsec encrypts the data.
Step-by-Step Breakdown
Traffic trigger and interesting traffic match
The process begins when a data packet from a device on one network wants to reach a device on the remote network. The router checks its crypto map configuration to see if the packet matches an access list defined as interesting traffic. If it matches, the router knows this packet must be protected by the IPsec tunnel. If no match occurs, the packet is sent unencrypted.
IKE phase 1: Main mode or aggressive mode
The router initiates IKE phase 1 to establish a secure management channel between the two peers. This phase authenticates both devices using pre-shared keys, certificates, or other methods. It also negotiates encryption and authentication algorithms for the IKE itself, like AES and SHA. At the end of phase 1, both devices share a symmetric key called the IKE SA.
IKE phase 2: Quick mode
Using the secure channel from phase 1, the devices negotiate the parameters for the actual IPsec tunnel. They agree on which encryption algorithm, authentication algorithm, and optional features like Perfect Forward Secrecy will be used. They also establish two unidirectional security associations, one for traffic going each direction. This results in the IPsec SAs.
Data packet encapsulation and encryption
When the IPsec SAs are active, the router takes the original IP packet and encrypts its contents using the agreed algorithm and key. It then wraps the encrypted packet inside a new IP packet with a new header that contains the source and destination addresses of the tunnel endpoints. This new packet is called the IPsec tunnel packet.
Transmission over the network
The new IPsec packet is sent over the internet or untrusted network. Intermediate routers forward it like any other IP packet. Because the original packet is encrypted, no one can read its contents or see the original source and destination addresses. The only visible information is the tunnel endpoints and that it is an IPsec packet.
Receiving and decryption
The remote router receives the IPsec packet. It uses the IPsec SA to identify which decryption key and algorithm to use. It decrypts the inner packet, verifies its integrity using the authentication checksum, and then extracts the original IP packet. If integrity fails, the packet is dropped.
Delivery to the destination
The original IP packet is now fully restored. The router forwards it to the intended destination device on the remote network. The entire process is transparent to the end devices, which only see the original packet as if it were sent over a local network.
Practical Mini-Lesson
Let us walk through a practical, hands-on approach to understanding IPsec tunnels as a network professional. Imagine you are given a task to connect two Cisco routers at different sites. You have a console cable, a laptop, and the routers are already configured with IP addresses on their internet-facing interfaces.
Your first step is to ensure reachability. You should ping the remote router's public IP address from the local router. If the ping fails, no tunnel will work. This is often overlooked. Once reachable, you configure IKE phase 1 with a command like 'crypto isakmp policy 10', then set the encryption algorithm, hash algorithm, authentication method, and Diffie-Hellman group. For a beginner, using a pre-shared key is simplest, but for production, certificates are more secure.
Next, you create an IPsec transform set with 'crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac'. This tells the router to use AES-256 for encryption and SHA for authentication. Then you define an access list that identifies the interesting traffic, such as 'access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255'. This means traffic from the 10.1.1.x network to the 10.2.2.x network will be encrypted.
Now you create a crypto map named MYMAP and specify the remote peer IP: 'crypto map MYMAP 10 ipsec-isakmp', then 'set peer 203.0.113.2', then 'set transform-set MYSET', and 'match address 100'. Finally, you apply the crypto map to the outgoing interface with 'interface gigabitethernet0/0', then 'crypto map MYMAP'.
What can go wrong? Many things. The pre-shared keys must match exactly. The access list must be mirrored on both sides. The firewall must allow UDP 500 and 4500. Also, if one side has NAT enabled, you need to allow NAT traversal. A common mistake is forgetting to include the 'isakmp keepalive' command for dead peer detection, which causes the tunnel to stay up even if the remote peer fails.
In real production, you will also need to monitor the tunnel. Use 'show crypto isakmp sa' to see if phase 1 is established. Use 'show crypto ipsec sa' to see if packets are being encrypted. If you see zero packets in the 'encrypted' counters, your interesting traffic access list is likely wrong.
Professionals also plan for redundancy. If you have two internet connections, you might configure multiple crypto maps with different peers, or use a dynamic routing protocol like BGP over the tunnel. The IPsec tunnel itself does not support dynamic routing, but you can run OSPF or EIGRP over a GRE tunnel that is protected by IPsec. This allows the network to automatically failover if one tunnel goes down.
Finally, security best practices demand that you deprecate weak algorithms. Always use AES-256 or higher, SHA-256 or higher, and enable Perfect Forward Secrecy. Also, use certificates instead of pre-shared keys for better authentication. Document your configuration thoroughly, because tunnels can be obscure to troubleshoot months later.
This mini lesson covers the practical steps, common pitfalls, and professional considerations that go beyond theoretical knowledge. It is exactly the kind of understanding you need both for the exam and for real network engineering work.
Memory Tip
Remember 'IKE builds the tunnel, ESP locks the box' to separate the key exchange phase (IKE) from the actual encryption and integrity (ESP).
Covered in These Exams
Related Glossary Terms
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
An A record is a DNS record that maps a domain name to the IPv4 address of the server hosting that domain.
Frequently Asked Questions
What is the difference between IPsec and SSL VPN?
IPsec operates at the network layer and can protect all IP traffic, making it ideal for site-to-site connections. SSL VPN operates at the transport layer, often only protects web traffic, and is commonly used for remote access without dedicated client software.
Is IPsec tunnel mode more secure than transport mode?
Both modes offer the same level of encryption. However, tunnel mode hides the original IP header, which adds an extra layer of privacy. Transport mode leaves the original header visible, which can be useful in some environments but reduces privacy.
Why do I need to open UDP port 500 for IPsec?
UDP port 500 is used by IKE to exchange encryption keys and negotiate security parameters. Without this port open through firewalls, the two endpoints cannot securely agree on how to protect the data, and the tunnel will not establish.
Can I use IPsec with a dynamic IP address?
Yes, you can use IPsec with dynamic IPs, but it requires additional configuration. Many implementations support dynamic DNS or IKEv2 with mobile peers. For site-to-site tunnels, static IP addresses are recommended for easier configuration.
What is a transform set in IPsec?
A transform set is a combination of security protocols and algorithms that define how the data will be protected. It specifies which encryption algorithm (like AES) and which authentication algorithm (like SHA) to use, as well as the mode (tunnel or transport).
What does the acronym SA stand for in IPsec?
SA stands for Security Association. It is a set of parameters and keys that define how two devices communicate securely. In IPsec, there are IKE SAs for the control channel and IPsec SAs for the data channel.
How do I troubleshoot an IPsec tunnel that will not come up?
First, verify reachability by pinging the remote peer. Check that pre-shared keys match. Ensure firewalls allow UDP 500 and 4500. Verify that the crypto map is applied to the correct interface. Use 'show crypto isakmp sa' to see if phase 1 completed.
Is it acceptable to use 3DES encryption in an IPsec tunnel today?
No. 3DES is considered weak and has been deprecated by most security standards, including those from Cisco and NIST. It is vulnerable to certain cryptographic attacks. Always use AES with at least 128-bit keys.
Summary
In summary, an IPsec tunnel is a fundamental security technology that creates encrypted, authenticated connections between two network devices over an untrusted network like the internet. It operates at the network layer, making it transparent to applications and capable of protecting all types of IP traffic. The process involves two main phases: IKE phase 1, which establishes a secure management channel and authenticates the peers, and IKE phase 2, which negotiates the actual encryption and integrity parameters for the data tunnel. The tunnel mode encapsulates the entire original IP packet inside a new packet, hiding both the data and the original source and destination addresses.
For IT certification candidates, especially those preparing for the Cisco CCNP ENCOR exam, understanding IPsec tunnels is crucial. You will be tested on configuration, troubleshooting, and security best practices. Common exam traps include confusing tunnel mode with transport mode, using deprecated algorithms, and failing to identify why a tunnel is up but not encrypting data. The practical mini lesson and step-by-step breakdown in this glossary provide a clear, exam-accurate foundation. Remember that IPsec is not just a theory; it is a daily tool for network engineers to ensure confidentiality, integrity, and privacy of data in transit. By mastering this concept, you are building a core skill for enterprise networking and cybersecurity.