CCIE Security it is then!


Although I am still on a bit of a high after passing my first CCIE, I am now considering which one to do next. Each CCIE expires after two years, and as it took me two years to get this one, I can't afford to sit around for too long.

In my previous post I laid out the pros and cons of the Service Provider and Security tracks.

I was in two minds: one seemed a logical continuation, the other a logical move to something more pertinent to my role. But which to choose, ease or sense? A couple of you guys helped out, which let the sense part kick in.

So the next CCIE I am planning to get is the Security track.

It makes sense. I spend most of my time at work on ASA firewalls, so that has already lessened the learning curve. There is still a lot of learning to do, but it's certainly easier than, say, Wireless.

I have been thinking of how to plan this, and so far the idea is:

1. Watch the INE training videos. There are two courses, each in excess of 60 hours. There is probably some overlap between the two, but I'll watch them both anyway.
2. Do the INE courses. There are seven sections, and then five full-scale labs.
3. Read some books. Read some more books, lab things up, practice and practice.
4. Take the written.
5. Take the lab.

I am not attaching any timelines to this, barring the fact that, at the very least, the written needs to be done before my current CCIE expires.

I also still want to finish the Multicast and QoS book that I have started to write, so that'll take a couple of months.

I also need to set up my "lab", which will be a mixture of UNetLab and physical equipment.

UNetLab as a base for CCIE Security

I should be able to do the majority of this within UNetLab (UNL).

There are a couple of bits that won't be doable in UNL: the IP phone and the Lightweight Access Point (LAP).

I have started to build the topology, using Arista vEOS switches so that the port numbering is as similar as possible. It looks a little like this at the moment:

[Diagram: CCIE Security v4 on UNetLab]

I still need to add in the ISE1, ISE2, ACS2 and Windows 2008 servers. In theory these should run happily within QEMU; if not, they can be run as ESXi images and UNL will connect happily to them. The issue is going to be the memory requirements.

CCIE Security hardware requirements

So far this is what I need to be running (going by the INE topology):

Device               Quantity   Memory (GB)   Total Memory (GB)
Switches             6          1             6
Routers              7          0.5           3.5
ASA (8.x)            2          0.256         0.5
ASAv                 2          2             4
IPS                  1          2             2
vWLC                 1          2             3
WSA                  1          4             4
ACS                  2          2             4
ISE                  2          2             4
Windows 2008 Server  2          4             8
Windows 7 PC         1          2             2
Total                                         40

Some are rough estimates, but if I want to run it all, around 40 GB of memory will be needed.

This is more memory than I currently have in my ESXi server.

So that means I have some hardware requirements.

I am OK for physical switches: I have a 3750, some 3650s, and some 3550s. I only really need one or two of these for the physical connections.

I need to get:

1x Cisco 7900 series IP phone (approx. £50).
1x Cisco Aironet AP (about £50).
Big-ass server/desktop to run ESXi on. There are a couple of good ones on the bay: a Dell with 48 GB of memory and dual hex-core CPUs for £650 (or a 144 GB one for £1400!), or some HP ones, but with those I'd need to buy the memory separately, which could quickly bump up the price.

It'll be about £800 for everything. I'll start getting the bits together after my holiday next week.

Now it's time to play with QEMU a bit, and see what will run within UNL.

Also, in the last post I said that I might throw in a prize. Well, Bernd, can you drop me an email? There's a £50 Amazon voucher (or your preferred currency equivalent) for you.

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.


8 comments

Anonymous
16 July 2015 at 04:57

Congrats with the number!
What images (routers, switches) are you going to use in UNL?
What are the best for l2, l3?

16 July 2015 at 05:33

Cheers. I am going to start with the Arista switches, then probably switch to IOSv later on, when I am sure that the topology is how I need it to be.

I'll update my progress, and probably publish the UNL files when I have had a chance to make sure that the topology is going to work properly! It's early days yet :)

Anonymous
20 July 2015 at 01:30

Hi Stuart;

Please can you tell me how you have been able to run WSA inside of UNL... Please can you kindly provide a write-up...

20 July 2015 at 02:43

Once I get everything up and running properly, I'll provide all the steps.

23 July 2015 at 01:15

Waiting for your steps.

Anonymous
20 November 2015 at 01:34

Great and handy instruction.
I'm configuring my CCIE Sec topology as well, but I have some difficulties setting up UNetLab.
I would really appreciate your help on this website when ready!
Go ahead!!!!

21 February 2016 at 18:20

I am a frequent visitor on this blog and have learned a ton from your valuable shared knowledge. I am wondering if you would be kind enough to share your CCIE Security UNL? Thank you.

22 February 2016 at 02:10

Hi Bryan, I certainly will, but I want to finish off the internal IP addressing first. Should be ready within 2 weeks!
