Although I am still on a bit of a high after passing my first CCIE, I am now considering which one to do next. Each CCIE expires after two years, and as it took me two years to get this one, I can't afford to sit around for too long.
In my previous post I laid out the pros and cons of the Service Provider and Security tracks.
I was in two minds: one seemed a logical continuation, the other was a logical move to something more pertinent to my role. But which to choose, ease or sense? A couple of you guys helped out, which helped the sense part kick in.
So the next CCIE I am planning to get is the Security track.
It makes sense. I spend most of my time at work on ASA firewalls, so already that has lessened the learning curve - still a lot of learning to do, but it's certainly easier than, say, Wireless.
I have been thinking of how to plan this, and so far the idea is:
Watch the INE training videos. There are two courses, both in excess of 60 hours each. There is probably some overlap between the two, but I'll watch them both anyway.
Do the INE courses. There are seven sections, and then five full scale labs.
Read some books. Read some more books, lab things up, practice and practice.
Take the written
Take the lab
I am not attaching any timelines to this, barring the fact that, at the very least, the written needs to be done before my current CCIE expires.
I also still want to finish the Multicast and QoS book that I have started to write, so that'll take a couple of months.
I also need to set up my "lab", which will be a mixture of UNetLab and physical equipment.
UNetLab as a base for CCIE Security
I should be able to do the majority of this within UNetLab (UNL). There are a couple of bits that won't be doable in UNL, and those are the IP phone and the Lightweight Access Point (LAP).
I have started to build the topology, using Arista vEOS switches in order that the port number be as similar as possible. But it looks a little like this at the moment:
I still need to add in the ISE1, ISE2, ACS2 and Windows 2008 servers - but, in theory, these should run happily within Qemu, if not then they can be run as ESXi images and UNL will connect happily to them. The issue is going to be the memory requirements.
CCIE Security hardware requirements
So far this is what I need to be running (going by the INE topology):

Device | Quantity | Memory (GB) | Total Memory (GB) |
---|---|---|---|
Switches | 6 | 1 | 6 |
Routers | 7 | 0.5 | 3.5 |
ASA (8.x) | 2 | 0.256 | 0.5 |
ASAv | 2 | 2 | 4 |
IPS | 1 | 2 | 2 |
vWLC | 1 | 2 | 3 |
WSA | 1 | 4 | 4 |
ACS | 2 | 2 | 4 |
ISE | 2 | 2 | 4 |
Windows 2008 Server | 2 | 4 | 8 |
Windows 7 PC | 1 | 2 | 2 |
Total | | | 40 |

Some are rough estimates, but if I want to run it all it'll be around 40Gb of memory that will be needed.
This is more memory than I currently have in my ESXi server.
So that means I have some hardware requirements.
I am OK for physical switches, I have a 3750, some 3650, and some 3550s. I only really need one or two of these for the physical connections.
I need to get:
1x Cisco 7900 series IP phone (Approx £50).
1x Cisco Aironet AP (about £50).
Big-ass server/desktop to run ESXi on. There are a couple of good ones on the bay, a Dell 48Gb memory dual hexa core one for £650 (or a 144Gb one for £1400!), or some HP ones, but with those I'd need to buy the memory separately, which could quickly bump up the price.
It'll be about £800 for everything. I'll start getting the bits together after my holiday next week.
Now it's time to play with Qemu a bit, and see what will run within UNL.
Also - in the last post, I said that I might throw in a prize, well Bernd can you drop me an email, there's a £50 Amazon voucher (or your preferred currency equivalent) for you.
8 comments
Congrats with the number!
What images (routers, switches) are you going to use in UNL?
What are the best for l2, l3?
Cheers. I am going to start with the Arista switches, then probably switch to IOSv later on, when I am sure that the topology is how I need it to be.
I'll update my progress, and probably publish the UNL files when I have had a chance to make sure that the topology is going to work properly! It's early days yet :)
Hi Stuart;
Please can you tell how have you been able to run WSA inside of UNL... Please can you kindly provide a write up...
Once I get everything up and running properly, I'll provide all the steps.
waiting for your steps
Great and handy instruction.
I'm configuring my CCIE Sec topology as well but I have some difficulties setting up Unetlab.
I will really appreciate your help on this website when ready!
go ahead!!!!
I am a frequent visitor on this blog and have learned tons from your valuable shared knowledge. I am wondering if you would be kind enough to share your CCIE Security UNL? Thank you.
Hi Bryan, I certainly will, but I want to finish off the internal IP addressing first. Should be ready within 2 weeks!