INE’s CCIE Security v4 Workbook Bundle combines our Technologies and Practice Labs workbooks into an online interactive compilation of hands-on lab scenarios that guides you through all the technologies covered by the v4 blueprint and offers the building blocks for becoming a true expert and obtaining your CCIE.
The CCIE Security v4 Technologies Workbook lays the foundational knowledge you’ll need. If you’re preparing for the lab exam, have an upcoming security implementation project with ASA firewalls, IOS routers and switches, web security appliances, an intrusion prevention system, an access control system or Identity Services Engine, or simply want to gain real experience with these cutting-edge technologies, this workbook is for you.
The CCIE Security v4 Practice Labs Workbook contains five detailed full-scale labs based on the actual CCIE Security Lab Exam. It follows a structured design that covers all topic domains from the current blueprint, and it is scoped to test you on your knowledge of the interaction between different technologies within a given network topology as well as building the network and making it functional according to given requirements. This workbook is an essential part of your final test preparation phase, after you have gained a solid understanding of all concepts from other self-paced materials such as the CCIE Security Advanced Technologies v4 video course and the CCIE Security v4 Technologies Workbook.
NOTE: I plan on updating this blog as I find good blogposts and other good threads out there so plan on this blog post being a living document.
It was about a year ago that I posted this post where I went through the CCIE Security materials I intended to study with. In that time, the CCIE Security v5 blueprint was released and I thought I would update the list to reflect the current blueprint and the study materials that are out there.
The unified written/lab blueprint can be found here.
The lab equipment and version numbers can be found here.
Cisco was also nice enough to post study materials here and here.
Based on the above, the following are the most relevant materials I've found out there:
AMP
AMP for Endpoints private cloud is most certainly on the lab per the above lab equipment list. The good news is that with Private Cloud, there are a few less features to have to lab but it's still a pretty important lab topic and there aren't a lot of training materials out there. Getting your hands on the labbing equipment either means having AMP for Endpoints purchased at your company or doing an evaluation. Be aware: This evaluation is pretty strict. You won't be able to get it past the time you are given a temporary license for. If you have the option of doing regular AMP for Endpoints (not the Private Cloud version), I would recommend using that since it has even more features and if you master that, you'll be able to do the Private Cloud material easier. I would just recommend knowing how to do the setup of AMP Private Cloud if you can't get your hands on it and have a mastery of AMP for Endpoints.
Study Materials:
Note: There is also a book on the market called 'Cisco Next-Generation Security Solutions: All-in-one Cisco ASA Firepower Services, NGIPS, and AMP.' While this is an excellent book for learning about the products, I think it's more geared towards the CCNA/CCNP Security level than the CCIE Security level which is why I'm not including it on the list. If you know absolutely nothing about Firepower or AMP, it might be a good read and it's not a very large book.
For AMP for Networks in regards to the ESA, Firepower, and WSA, you're probably best served just reading the small section in the configuration guides. This is not a complex configuration for the malware aspect on the AMP for Networks portion.
Firepower
This is a fun one to lab and work on. I would recommend reaching out to your Cisco sales team to talk about trying the software out. With the Firepower Management Center VM and a device running FTD, you can run it in evaluation mode for 90 days if you go to System>Licenses>Smart Licenses and click on the button Evaluation for 90 day. After that, you'll either have to purchase licenses or create a new Firepower Management Center VM. Personally, I would recommend labbing Firepower 6.1. The lab equipment guide says that it could be 6.0.1 or 6.1 but I think there's a better chance of it being 6.1 personally since that code version had been out for a few months when the v5 lab took effect. The lab equipment list says that it will have NGIPSv and Firepower Threat Defense. These two things are not the same. Understand the differences and the limitations of both. One thing also to note: ASA 5512-Xs are also listed on the lab equipment list. It doesn't specify whether this is just regular ASA or ASA with Firepower. I would recommend knowing how to configure the SFR module and potentially clustering the ASAs with those modules.
Study Materials:
ASA
The lab equipment list says that there are two ASA 5512-Xs. You can bet that inline Trustsec tagging, clustering, and multicontext are going to be on the lab if these are here. If they weren't going to include it, it would have probably just been easier for the lab creators to stick with virtual ASAs and FTD devices but they also added the physical ASAs. If you want to lab this out, you definitely can't get a 5506 because there's no clustering or multicontext on that platform but you don't have to get the exact model on the lab either. I would also NOT recommend getting a non-X model of the ASA since it won't support the same code train that's on the lab. Check out the prices for a pair of 5508s if you can. I believe those support all the features that the 5512-X do.
Study Materials:
In the future, INE is also going to offer some CCIE Security v5 updated videos as well.
APIC-EM
It's on the lab equipment blueprint so it's definitely a testable subject on the lab. I doubt there will be much in terms of configuration for this but it's going to be there for sure. The good news is that APIC-EM should be easy to download but it's going to require some serious server metal. If you try to thin provision or put less than the recommended amount of RAM, disk space, etc, it will certainly fail the hardware checks and not install.
Study Materials:
There are a lot of free videos and configuration guides. I don't think there is going to be that much complex stuff on the lab regarding APIC-EM and it's probably a placeholder for SD-Access for future versions of the test but I'll link the following:
IOS/CSR Security including NAT, IPv6 & VPN
There aren't going to be any physical routers on the lab according to the lab equipment guide so you should be able to get away with CSR1000v for the router. However, you most certainly need to have a 3650/3850 that's able to support the code train that's on the lab. I know the desire will be to get a cheap IOS switch and just do that. I would NOT recommend doing so. There are syntax and feature differences between using old 3750s and newer 3650/3850 switches.
Study Materials:
ISE
Obviously, this site is good for ISE but it's probably not enough to get you past the lab. The good thing is that there are a lot of great videos out there for ISE. With ISE, also comes Trustsec. I strongly suspect Trustsec will be a big part of the lab. The reason I assume this is because some of the equipment being used in the lab could have been easily virtualized but because the lab creators decided to go physical, they must need a feature that only the physical version has. For example, they could have used a virtual WLC in the lab if they wanted to cut down on equipment but instead they decided to go with a 2504 wireless controller. The only extra feature I can think they could gain from that is the ability to do SXP which isn't available in the vWLC.
Study Materials:
ESA
Unfortunately, there's not a lot of books out for this one but it's not the hardest concept in the world.
Study Material:
WSA
I don't know how large of a topic the WSA will be in the lab given the version number they picked. Look at the release notes VERY carefully and the limitations with that version. If they stay true to the current advertised version, I suspect the lab will be more geared towards pxGrid integration and some lighter configuration than normal.
Study Material:
ACS
Yes, it's still on the lab. Why? The explanation given last year at the Cisco Live CCIE Security v5 techtorial is that even though it was riding into the sunset soon, a lot of people will be seeing it in the wild for some time. Thank god they don't test us on other things I've seen in the wild in the last year like PIX firewalls, pre-8.3 ASA IOS code, and ISE 1.x. ;)
Joking aside, I strongly suspect the amount of ACS configuration on the lab will be kept to a minimum given the size of the blueprint and the amount of time we have. Maybe configuring some dot1x or TACACS+ with it? Or maybe a task or two where we have to migrate to ISE using the built-in ACS to ISE migration tool in ISE 2.1? I'm just speculating here and I'm going to cover my bases by labbing this up.
Not sure how long ACS will remain on the lab given the news about agile blueprints which you can read here. I think they'll eventually 'agile' ACS right out of the lab sooner or later.
Study Material:
Wireless and Phone?
I put a question mark on the above because one always wonders how much phone and wireless you need to know for an exam like this. I suspect they won't want you to be a wireless expert but you should know how to secure wireless (SGTs, ISE, etc) and all the configuration that goes into securing it. As far as the phone piece, I believe it should be more focused on how the phone is profiled or using dot1x to access the network (again, ISE). You probably have to know enough about CUCM to be able to login and confirm that the phone has registered but not be a Collab expert by any means. There is a book about securing IP Voice networks and it might be a good read but I doubt they'll go too far down the rabbit hole with a blueprint as large as this. At most and it's a BIG stretch, I could see them asking us to make sure that the voice traffic is encrypted.
Bootcamps
Lab Workbooks
Note: A lot of these workbooks are written for v4 and require some mental gymnastics to make them work for v5. That being said, a lot of the tasks still apply for v5 and can be used for the new blueprint.