New NP:SEC lab advice

tenbulls Registered Users Posts: 3
I'm getting ready to refresh my 2013 NP:R&S lab to prepare for NP:SEC. Need some advice on my plan.

Past NP:SEC seemed to point at 1 or 2x 5510s and 1x IPS appliance. I'm debating on buying a new 5506-X although that will blow a good chunk of my lab budget. I work on tons of ASAs at work but most of them are in production. Could someone provide some guidance on what contemporary NP:SEC lab topology would look like? At the moment, I am leaning towards 1x 5510, 1x 5506-X and no IPS appliance in concert with my NP:R&S lab (2x 1841, 2x 3560, 3x2950). On the software side, I understand I'll probably also need to run an ISE OVF but nothing else software-wise.


  • fredrikjj Member Posts: 879
    Check out the ASAv before buying hardware.
    Cisco Adaptive Security Virtual Appliance (ASAv) - Products & Services - Cisco

    I don't know if it's available as a demo at this point, but it's supposed to be added to VIRL soon.
  • spiderjericho CCNA, CCNP Enterprise, CISSP, CASP, SEC+, Pentest+, CYSA+, CISA, CGEIT, CRISC, CISM, VCP 6.7 San Diego Registered Users, Member Posts: 856
    Bump. I have a VIRL license that's been collecting dust so I'd like to hear if using two ASAvs and using the IPS simulator will be all that's needed?

    Edit: Of course you can just use your CCO to download ASAv (unlicensed) and use VM Workstation to lab up versus all the kludge of VIRL.

    Throw in other firewalls and get crazy!!
  • f0rgiv3n Connection Overlord Member Posts: 598
    GNS3 can emulate ASAs as well. I used it for my last exam the 300-206. Just a heads up on the NP:Sec, the materials are STILL not out so that might sway what your lab might need to include. If it was me, I would wait till the materials are out so I could know exactly what I need.
  • tenbulls Registered Users Posts: 3
    Based on what I can see, it won't be until later this year that all of the books are out. SISAS OCG is coming out in the next month or so. The problem for me is that this is a cert I need to start now. I've got an ISE deployment at work that I can jump into that will catalyze perfectly with this certification. I can't find O'Reilly rough cuts for anything but SISAS at the moment. VIRL looks exciting too (hadn't seen it before) but how could I connect an ISE VM with a couple of remote ASAs for 802.1x stuff, etc? Not sure that's possible so it seems like all of this would need to be in one rack. A VAR 3xCCIE who I was locked in a conference room with all day yesterday said that Sourcefire is changing Cisco security massively. I guess the next CCNP:SEC will include my Firepower/Sourcefire stuff? Feels kinda like this track, even though it's so new-ish, will be a bit of a throw-away.
  • f0rgiv3n Connection Overlord Member Posts: 598
    Yeah I agree that the CCNP:Sec track will be changing due to Sourcefire. You could totally go for the CCNP:Sec exams now even though the materials aren't out, just be ready to take the exams multiple times. The blueprints don't necessarily give you enough to go on to pass. That was my experience with SENSS.
  • GSXR750K2 Member Posts: 325
    CBT Nuggets has all of the video series out now except for the 300-207. I'm not sure when that one will be available as it's not even in their "in progress" list. May not be ideal, but it would provide hopefully some info about the new exams.

    I'll be graduating in a couple of months and after I do I plan on beginning work on updating all of my CCNA level certs to CCNP. I used GNS3 for my CCNA-Sec but found as most do that touching the physical gear seems to make the process better. Here's what I've got to go towards my CCNP-RS and CCNP-Sec studies:

    4 - 1841 (384MB-D/64MB-F)
    2 - 2821 (1GB-D/256MB-F)
    1 - 871 (?/?)
    1 - 871 Wireless (?/?)
    2 - 2960 24pt
    2 - 3750 24pt PoE
    2 - ASA 5520
    1 - ASA 5505
    1 - 4260 IPS

    The two 871's and the 5505 were given to me, and while they aren't incredibly useful, the wireless function is nice to have so I can roam to a different room when my legs go numb from sitting down for hours on end. I may need to add a couple more switches and might do another 4240 or 4260 for one of the "branch" office configurations, but I'm hoping this will suffice for the changes made in the CCNP certs I'm after.

    Also I have two servers running 2012 R2 that I use as Hyper-V hosts, I can get about 6 VMs on each box to give the network configs actual traffic to work with.

    Any thoughts/ideas/criticism?
  • theodoxa Member Posts: 1,340
    ASAv. Is this basically an ASA version of the CSR-1000V? I would love to be able to virtualize an ASA or two on my VMware ESXi server(s).

    [EDIT] Scratch that, it requires a service contract, though I have no idea what [device the contract would be] for.

    [EDIT] Found something called ASA-1000V which doesn't require a service contract. It only goes up to ASA OS 8.7.1, whereas the ASAv goes up to ASA OS 9.4.1.
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]