CCIE Security topology revised


I have had a nagging thought over the last couple of days regarding the topology I will be using to start my CCIE Security studies.

My original plan was to work through the INE workbooks towards the end of the studying, but to use their topology for the studies, from the start right to the end.

This really isn't the best idea: I would be fitting my own learning around a pre-defined topology, while trying to drop my own network into it and build it up from there.

Instead I should be building my own. So that's what I will do.

I will still keep with the same devices, but build up something I know that I can work with. After all, if you are building something, then build something you can build.

So, this is what I have come up with:

[Figure: CCIE Security v4 topology]

Now, let's plan how the network will actually work.
The IP addressing needs to be sorted, but once that is done, then we have a sub-office, the HQ, and a couple of customer sites:

[Figure: CCIE Security v4 topology, showing the sub-office, the HQ and the customer sites]

The HQ will run the majority of the equipment, such as the wireless, authentication servers, IPS, and this is where the servers will live. It will provide authentication services to the other site, and to the customers as well. So fully functioning routing is critical (obviously).

As is pretty standard, I'll be making use of loopback addresses to extend the network out, so that I can run the VPNs across it. There will be a number of different networks, using the loopbacks as the interesting traffic:

[Figure: CCIE Security v4 topology, showing the loopback networks used as interesting traffic for the VPNs]

I have left out a couple of switches. At the moment I do not see a need to have these in the topology, but this may change later on.

This seems like a much more workable way to study, it's much cleaner, makes more sense, and doesn't look like a jumbled mass of equipment. If I want to look at a jumbled mass of wires and routers then I can look at my study instead.

If this does prove a workable topology, then I will post it on the Unetlab.com website for all to use.

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.


15 comments

Anonymous
6 August 2015 at 17:52

Nice setup man. Did you manage to get ASA 8.2 running on UNL to test the old NAT commands (static, nat, global, etc)? Thanks!

Anonymous
8 August 2015 at 10:32

Is this legal?

8 August 2015 at 13:04: This comment has been removed by the author.

8 August 2015 at 13:07

Totally, this is my own topology, not the one you'd get in the lab exam. I wouldn't violate any NDA by posting Cisco's topology here.

Anonymous
9 August 2015 at 01:41

So you legally obtained the images of the devices you used in this topology?

9 August 2015 at 03:48

Cisco do a wide range of 90-day trials, and it's amazing what you can achieve with a sympathetic account rep.

Tom
14 August 2015 at 07:05

Hi bud,

I'm also preparing for the CCIE Sec, so I started with building a similar topo (mostly INE based) and think I'm covering almost all the stuff from the INE topo, but I'm just fighting with the WSA as I have read there is no eval license provided by Cisco. And I see you are using the WSA inside UNL. I just supposed I'd download the virtual S000V image and run it in ESXi directly ...

So may I just ask how you solved the WSA? Thanks a lot

Tom
17 August 2015 at 01:01

Ok, I see there is an option to obtain a 45-day evaluation/demo license from the official Cisco Licensing Portal :)

17 August 2015 at 01:24

Hi Tom - it does depend on what CCO abilities you have; otherwise speak to your Cisco rep, some are more helpful than others if they know what it's for - unless you say you want to evaluate for a potential project :)

22 August 2015 at 17:49

Hi, please can you list all that is required to set up this topology; if possible, a post on how to set up this topology, the resources, and the images required. Also, since this is a topology you built yourself to study for the CCIE Security, how do you intend to task yourself with the topology to reflect the blueprint? Are you going to simulate INE tasks using this topology?

Thanks
Anu

23 August 2015 at 00:23

Hi Anu,

Once it's complete and working, then I'll list everything, but it is a work in progress at the moment. The lab, once complete, will be added to UNetLab as part of the official release.

How am I going to task myself? Good question. I am either going to do way too much, or not enough - but it will be backed up by doing the actual INE labs. A lot of the lab will be supposition - the appliance supports this function, so let's try it out. Take the ASA for example: it's got two modes, layer 2 (transparent) or routed - so that's two things to do, then we can add on contexts, failover, etc. etc.

It'll be interesting to see how it works out!

23 August 2015 at 02:05

Thanks for the reply... I am in the middle of starting the CCIE Security journey too, and trying to figure out what lab to use to study. I intend to use UNL to study and thank God the new release supports ACS and ISE. Also WSA and ASA are all supported. My concern is how to make the physical topology. I can see we will need an Access Point and an IP Phone. My concern is how this physical gear will connect to my lab, which is virtual on UNL (ASA, vASA, vWLC, ISE, ACS, WSA, IPS, Routers, Switch).
Your topology doesn't seem to have an AP & IP Phone.

23 August 2015 at 02:19

Oh! I can see the IP Phone in your topology, also SW3-LAP (I assume it's an Access Point). Will you update your topology now that UNL supports ACS and ISE? Your topology looks more real life, especially with the idea of HQ and MPLS at the HQ, although I haven't really checked the INE topology. I would like to follow you on this topology to use for study too. But I need help: I haven't been able to connect the vWLC on UNL with a real Access Point, and also how do you achieve the IP Phone connection with the virtual Switch on UNL?

Thanks
Anu

23 August 2015 at 02:34

I haven't got to that point yet :) Still need to buy the AP and the IP Phone from eBay, then I can give it a crack. I think it will be vWLC -> 3560 (PoE) -> AP...
