Going for the CCIE Security

124

Comments

  • IristheangelIristheangel Mod Posts: 4,133 Mod
    CCIE Security update:
    Had a crazy few months where I lost a lot of time I should have been labbing but finally now getting back into it. I feel good about where I'm leaving my blog and the videos I made on there until I feel like picking them up in a month or two. In the meantime, I'm going to focus on the hardest/rustiest subjects and work my way back to the easier ones for me. Thinking that I should go in this order:
    1) ASA - NAT, VPN, troubleshooting, multicontext, clustering, etc
    2) VPN - DMVPN, GETVPN, FlexVPN, RAVPN, S2S VPN, etc. Troubleshooting, theory, etc
    3) ESA - Need to get my mind wrapped about the ESA. I know how to get my way around the interface but no level of deep troubleshooting whatsoever. I can't imagine this being a huge part of the lab but if it's anything like the CCIE DC, you can't really afford to lose extra points
    4) IPv6 - Definitely a weakness but I feel a little better after reading the IPv6 Fundamentals and IPV6 security book. I heard that there was more of a focus on this in the previous v4 security and with all the new topics, I doubt they will dedicate a crazy amount of the lab to it but I do want to lab it to make it something that I'm more comfortable with
    5) IOS Security - Same as IPv6, I don't expect this to eat up TONS of the lab but definitely something to lab up more just to get reacquainted
    6) WSA - If anyone reads the version they chose for the lab and pay special attention to the release notes, this probably is going to be more intensive on the written than the lab. I don't feel too bad about how I am on the WSA but with the version they chose, there's not terribly much they could throw at me in the lab on this one...
    7) AMP Private Cloud - I'm good with AMP for Endpoints' cloud version and AMP Private Cloud has less features enabled so I think this will just be more practice than anything else
    icon_cool.gif AnyConnect - Pretty decent with using it as a VPN client but I need to dig into using it as a supplicant with the NAM module a bit more
    9) Firepower - This part I'm pretty good/dangerous with. Not an amateur but not an expert either. I probably have about 1500 pages of labs I can go through on this so it's a matter of practicing things I haven't played around with in the past with.
    10) TrustSec - Love it but haven't done MacSec before and there's some more dynamic stuff I haven't practiced so I'll get on that
    11) ISE - Heh. Well... Easy points right there.


    Overall, I wanted to be ready for a lab attempt at this time this year but my plans got blown away by work getting busy but I'm refocusing and recommitting. I hope to have my first lab attempt sometime in Q3 or Q4 of this year. I think I have a really strong shot at this and I definitely have a REALLY strong support system of folks going towards the same goal
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    Posted this on my blog but figured I'd post it here. I wrote a post about a year ago stating I was going to go after the CCIE Security but v5 hadn't been announced yet. I ended up sort of guessing on the materials. I cleaned up what I've been using and other materials that are out there. Wanted to share it with Techexams:

    [FONT=&amp]It was about a year ago that I posted this post where I went through the CCIE Security materials I intended to study with. In that time, the CCIE Security v5 blueprint was released and I thought I would update the list to reflect the current blueprint and the study materials that are out there.[/FONT]
    [FONT=&amp]
    The unified written/lab blueprint can be found here[/FONT]
    [FONT=&amp]The lab equipment and version numbers can be found here.
    [/FONT]
    [FONT=&amp]Cisco was also nice enough to post study materials here and here.
    [/FONT]
    [FONT=&amp]Based on the above, the following are the most relevant materials I've found out there:

    [/FONT]
    AMP

    [FONT=&amp]AMP for Endpoints private cloud is most certainly on the lab per the above lab equipment list. The good news is that with Private Cloud, there are a few less features to have to lab but it's still a pretty important lab topic and there aren't a lot of training materials out there. Getting your hands on the labbing equipment either means having AMP for Endpoints purchased at your company or doing an evaluation. Be aware: This evaluation is pretty strict. You won't be able to get it past the time you are given a temporary license for. If you have the option of doing regular AMP for Endpoints (not the Private Cloud version), I would recommend using that since it has even more features and if you master that, you'll be able to do the Private Cloud material easier. I would just recommend knowing how to do the setup of AMP Private Cloud if you can't get your hands on it and have a mastery of AMP for Endpoints.
    [/FONT]
    [FONT=&amp]Study Materials:

    [/FONT]
    • SSFAMP Class - This is an official class by Cisco that covers AMP for Endpoints and there was a strong focus on AMP for Endpoints Private Cloud. The class also comes with a 300+ page lab workbook. I feel this class is probably enough to get you past most of the lab. Since it is a Cisco class, if your company has Cisco Learning Credits, you could always use them with any Cisco Learning Partner to purchase this class.
    [FONT=&amp]Note: There is also a book on the market called "Cisco Next-Generation Security Solutions: All-in-one Cisco ASA Firepower Services, NGIPS, and AMP." While this is an excellent book for learning about the products, I think it's more geared towards the CCNA/CCNP Security level than the CCIE Security level which is why I'm not including it on the list. If you know absolutely nothing about Firepower or AMP, it might be a good read and it's not a very large book.
    [/FONT]
    [FONT=&amp]For AMP for Networks in regards to the ESA, Firepower, and WSA, you're probably best served just reading the small section in the configuration guides. This is not a complex configuration for the malware aspect on the Amp for Networks portion.[/FONT]



    Firepower


    [FONT=&amp]This is a fun one to lab and work on. I would recommend reacting out to your Cisco sales team to talk about trying the software out. With the Firepower Management Center VM and a device running FTD, you can run it in evaluation mode for 90 days if you go to System>Licenses>Smart Licenses and click on the button Evaluation for 90 day. After that, you'll either have to purchase licenses or create a new Firepower Management Center VM. Personally, I would recommend labbing Firepower 6.1. The lab equipment guide says that it could be 6.0.1 or 6.1 but I think there's a better chance of it being 6.1 personally since that code version had been out for a few months when the v5 lab took affect. The lab equipment list says that it will have NGIPSv and Firepower Threat Defense. These two things are not the same. Understand the differences and the limitations of both. One thing also to note: ASA 5512-Xs are also listed on the lab equipment list. It doesn't specify whether this is just regular ASA or ASA with Firepower. I would recommend knowing how to configure the SFR module and potentially clustering the ASAs with those modules.
    [/FONT]

    [FONT=&amp]Study Materials:

    [/FONT]
    • SSFIPS Book by Todd Lammle and Alex Tatistcheff - While this book was written for Firepower/Sourcefire 5.4, it still does an excellent job at explaining a lot of the concepts and probably about 70-80% of it is still relevant
    • Cisco Firepower 6.x with Firepower Threat Defense by Todd Lammle and Alex Tatistcheff - This one just came out but it's actually larger than the SSFIPS book and probably a bit more relevant. I haven't read it all the way through but the SSFIPS was an excellent book so I can vouch for the authors.
    • Labminutes - There are over 50+ free videos available on the site for Firepower 5.4 and 6.0 as well as an option to buy Firepower 6.1 videos. The gentleman that runs this site is awesome and his videos are invaluable. I definitely recommend coughing up the dough for the 6.1 videos and watching the free ones.
    • Udemy Firepower Video Series

    ASA


    [FONT=&amp]The lab equipment list says that there are two ASA 5512-Xs. You can bet that inline Trustsec tagging, clustering, and multicontext are going to be on the lab if these are here. If they weren't going to include it, it would have probably just been easier for the lab creators to stick with virtual ASAs and FTD devices but they also added the physical ASAs. If you want to lab this out, you definitely can't get a 5506 because there's no clustering or multicontext on that platform but you don't have to get the exact model on the lab either. I would also NOT recommend getting a non-X model of the ASA since it won't support the same code train that's on the lab. Check out the prices for a pair of 5508s if you can. I believe those support all the features that the 5512-X do.

    [/FONT]
    [FONT=&amp]Study Materials:

    [/FONT] [FONT=&amp]In the future, INE is also going to offer some CCIE Security v5 updated videos as well.
    [/FONT]

    APIC-EM


    [FONT=&amp]It's on the lab equipment blueprint so it's definitely a testable subject on the lab. I doubt there will be much in terms of configuration for this but it's going to be there for sure. The good news is that APIC-EM should be easy to download but it's going to require some serious server metal. If you try to thin provision or put less than the recommended amount of RAM, disk space, etc, it will certainly fail the hardware checks and not install.

    [/FONT]
    [FONT=&amp]Study Materials:

    [/FONT]
    [FONT=&amp]There are a lot of free videos and configuration guides. I don't think there is going to be that much complex stuff on the lab regarding APIC-EM but I'll link the following:

    [/FONT]

    IOS/CSR Security including NAT, IPv6 & VPN


    [FONT=&amp]There aren't going to be any physical routers on the lab according to the lab equipment guide so you should be able to get away with CSR1000v for the router. However, you most certainly need to have a 3650/3850 that's able to support the code train that's on the lab. I know the desire will be to get a cheap IOS switch and just do that. I would NOT recommend doing so. There are syntax and feature differences between using old 3750s and newer 3650/3850 switches.

    [/FONT]
    [FONT=&amp]Study Materials:

    [/FONT]
    ISE


    [FONT=&amp]Obviously, this site is good for ISE but it's probably not enough to get you past the lab. The good thing is that there are a lot of great videos out there for ISE. With ISE, also comes Trustsec. I strongly suspect Trustsec will be a big part of the lab. The reason I assume this is because some of the equipment being used in the lab could have been easily virtualized but because the lab creators decided to go physical, they must need a feature that only the physical version has. For example, they could have used a virtual WLC in the lab if they wanted to cut down on equipment but instead they decided to go with a 2504 wireless controller. The only extra feature I can think they could gain from that is the ability to do SXP which isn't available in the vWLC

    [/FONT]
    [FONT=&amp]Study Materials:

    [/FONT]
    ESA


    [FONT=&amp]Unfortunately, there's not a lot of books out for this one but it's not the hardest concept in the world.

    [/FONT]
    [FONT=&amp]Study Material:

    [/FONT]
    WSA


    [FONT=&amp]I don't know how large of a topic the WSA will be in the lab given the version number they picked. Look at the release notes VERY carefully and the limitations with that version. If they stay true to the current advertised version, I suspect the lab will be more geared towards pxGrid integration and some lighter configuration than normal.

    [/FONT]
    [FONT=&amp]Study Material:

    [/FONT]
    ACS


    [FONT=&amp]Yes, it's still on the lab. Why? The explanation given last year at the Cisco Live CCIE Security v5 techtorial is that even though it was riding into the sunset soon, a lot of people will be seeing it in the wild for some time. Thank god they don't test us on other things I've seen in the wild in the last year like PIX firewalls, pre-8.3 ASA IOS code, and ISE 1.x. ;)
    [/FONT]
    [FONT=&amp]Joking aside, I strongly suspect the amount of ACS configuration on the lab will be kept to a minimum given the size of the blueprint and the amount of time we have. Maybe configuring some dot1x or TACACS+ with it? Or maybe a task or two where we have to migrate to ISE using the built-in ACS to ISE migration tool in ISE 2.1? I'm just speculating here and I'm going to cover my bases by labbing this up.
    [/FONT]
    [FONT=&amp]Not sure how long ACS will remain on the lab given the news about agile blueprints when you can read here. I think they'll eventually "agile" ACS right out of the lab sooner or later.

    [/FONT]
    [FONT=&amp]Study Material:

    [/FONT]
    • AAA Identity Management Security - Half the book covers ACS 4.x and can be ignored and the other half covers 5.2 or something. It's not a very long read when you subtract half the book.
    • Labminutes ACS Videos - 22 beautiful and concise videos on labbing ACS. Probably enough to cover everything we'll need to cover in the lab and it's on version 5.4

    Wireless and Phone?


    [FONT=&amp]I put a question mark on the above because one always wonders how much phone and wireless you need to know for an exam like this. I suspect they won't want you to be a wireless expert but you should know how to secure wireless (SGTs, ISE, etc) and all the configuration that goes into securing it. As far as the phone piece, I believe it should be more focused on how the phone is profiled or using dot1x to access the network (again, ISE). You probably have to know enough about CUCM to be able to login and confirm that the phone has registered but not be a Collab expert by any means. There is a book about securing IP Voice networks and it might be a good read but I doubt they'll go too far down the rabbit hole with a blueprint as large as this. At most and it's a BIG stretch, I could see them asking us to make sure that the voice traffic is encrypted.
    [/FONT]

    Bootcamps
    • Micronics Zero-To-Hero Security - Still a great bootcamp and they take Cisco Learning Credits so easy to jump in there if your place of business as extra credits.
    • Micronics CCIE Security v5 - I haven't gone to this one yet but I plan on going and I'll probably write up a review
    • INE CCIE Security v5 Bootcamp - Cristian Matei is a great instructor and I'm sure this one will be great. This did announce a couple of weeks ago that they will be updating the CCIE Security v5 content here. They do appear to be getting ready to teach about the topics but their beta racks don't seem to include the entire blueprint such as APIC-EM and AMP for Endpoints Private Cloud. Hopefully they'll be adding that later.

    Lab Workbooks


    [FONT=&amp]Note: A lot of these workbooks are written for v4 and require some mental gymnastics to make them work for v5. That being said, a lot of the tasks still apply for v5 and can be used for the new blueprint.

    [/FONT]
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    NAT Notes:

    [FONT=&amp]NAT Sections designate the processing order of a NAT rule. There are three different sections in which a NAT rule may reside.

    • Section 1 - Manual NAT or Twice NAT
    • Section 2 - Auto NAT or Object NAT
    • Section 3 - Manual NAT using the after-auto keyword in your NAT rule
    Source NAT Syntax:

    object network name
    [host | subnet | range] ...
    nat (
    real-interface,mapped-interface) ...


    Destination NAT Syntax:

    object network name
    [host | subnet | range] ...
    nat (
    mapped-interface,real-interface) ...

    If traffic is coming from an interface with a higher security level, make sure to add an ACL to allow a port, protocol, and/or IP address/subnet through. Use real IP in the access list.



    [/FONT]

    [FONT=&amp]
    NAT-Lab.png

    NAT lab I working with while doing all these configurations. I'm using VIRL in this case.





    [/FONT][FONT=&amp]Download: VIRL Topology


    Object NAT


    Object NAT always consists of an object configuration which holds a configuration for the host address/subnet/range and binds that to a NAT rule which is also inside the same object. That gives you the ability to have the NAT configuration under a single object.

    PAT:

    object network LAN
    subnet 10.1.100.0 255.255.255.0
    nat (inside,outside) dynamic interface


    PAT Pool:

    object network PATPOOL
    range 100.0.0.15 100.0.0.20


    object network LAN
    subnet 10.1.100.0 255.255.255.0
    nat (inside,outside) dynamic pat-pool PATPOOL {block-allocation | extended | flat | interface | round-robin}


    Extended commands mentioned above for PAT:
    • block-allocation - Enables port block allocation
    • extended - Extends PAT uniqueness to per destination instead of per interface. It'll show an extended NAT entry on the NAT table where it'll not only show the sourced translated ports but also look at the destination ports.
    • flat - Translate TCP and UDP ports into flat range 1024-65535
    • interface - Use interface address as mapped IP. Can be used as teh backup IPs if you want for the interface.
    • round-robin - Specify to use PAT IP addresses in round robin order when it fetches an IP from the pool
    Destination NAT:

    object network DMZ_Host
    host 100.0.0.100
    nat (outside,dmz) static 200.0.0.10



    Dynamic NAT:

    object network WAN-POOL
    range 100.0.0.11 100.0.0.l4


    object network DMZ-POOL
    range 200.0.0.11 200.0.0.14
    nat (dmz,outside) dynamic LAN-NAT


    Static NAT:

    object network SRV
    host 200.0.0.10
    nat (dmz,outside) static 100.0.0.5 {dns | no-proxy-arp | route-lookup}

    Extended commands mentioned above for static NAT:
    • dns - Uses the created xlate to rewrite DNS records
    • no-proxy-arp - Disables proxy ARP on the egress interfaces
    • route-lookup - Perform route lookup for this rule
    Static PAT (Port Redirection):

    object network SRV-GLOBAL
    host 100.0.0.5

    object network SRV
    host 200.0.0.10
    nat (dmz,outside) static SRV-GLOBAL service tcp telnet 23 2323


    Identity NAT: Per the Cisco Configuration guide: “You might have a NAT configuration in which you need to translate an IP address to itself. For example, if you create a broad rule that applies NAT to every network, but want to exclude one network from NAT, you can create a static NAT rule to translate an address to itself. Identity NAT is necessary for remote access VPN, where you need to exempt the client traffic from NAT.”


    Identity NAT Configuration (Basic):

    object-group network DMZ-INTERNAL
    network-object 200.0.0.0 255.255.255.0

    object network DMZ
    subnet 200.0.0.0 255.255.255.0
    nat (dmz,outside) static DMZ-INTERNAL


    Identity NAT with objects:

    object network DMZ
    subnet 200.0.0.0 255.255.255.0
    nat (dmz,outside) static DMZ


    Manual NAT


    Manual NAT gives you the ability to add NAT entries on the top or bottom of NAT processing and gives many more options you might not otherwise find in Object NAT. With Manual NAT, you'll see the static entry built into the xlate and see the hits against the NAT table. Show conn will give you the connection table that shows that translations. You can also debug nat but if you want to see more details without turning on debugging, make sure logging is enabled at 7 and check the show log to troubleshoot the recent NAT connections.

    You always want to put the most specific NAT rules on top so they get matched first.

    Static NAT:

    object network DMZ-SRV
    host 200.0.0.10

    object network MAP-SRV
    host 100.0.0.5

    Global config mode:
    (config)# nat (dmz,outside) source static DMZ-SRV MAP-SRV


    Network Static NAT:

    object network LAN
    subnet 10.1.100.0 255.255.255.0

    object network MAP-OUTSIDE
    subnet 100.0.0.128 255.255.255.128

    (config)# nat (inside,outside) source static LAN MAP-OUTSIDE

    Dynamic NAT:

    object network LAN
    subnet 10.1.100.0 255.255.255.0

    object network NATPOOL
    range 100.0.0.15 100.0.0.20

    (config)# nat (inside,outside) source dynamic LAN NATPOOL

    PAT:

    object network OUTSIDE
    host 100.0.0.5

    object network LAN
    subnet 10.1.100.0 255.255.255.0

    (config)# nat (inside,outside) [after-auto] source dynamic LAN OUTSIDE


    PAT Pool:

    object network PATPOOL
    range 100.0.0.15 100.0.0.20

    object network LAN
    subnet 10.1.100.0 255.255.255.0

    (config)# nat (inside,outside) [after-auto] source dynamic LAN pat-pool PATPOOL


    Destination NAT:

    object network MAP-PARTNER1
    host 10.1.100.15

    object network PARTNER1
    host 100.11.11.22

    (config)# nat (inside,outside) [after-auto] source dynamic any interface destination static MAP-PARTNER1 PARTNER1


    Identity NAT with source and destination specified:

    object network DMZ
    subnet 200.0.0.0 255.255.255.0

    object network PARTNER2-NETWORK
    subnet 100.22.22.0 255.255.255.0

    (config)# nat (dmz,outside) 1 source static DMZ DMZ destination static PARTNER2-NETWORK PARTNER2-NETWORK {description | inactive | net-to-net | no-proxy-arp | route-lookup | service | unidirectional}

    Extended options mentioned above:
    • description - Specify NAT rule description
    • inactive - Disable a NAT rule
    • net-to-net - Net to net mapping of IPv4 and IPv6
    • no-proxy-arp - Disable proxy ARP on egress interface
    • route-lookup - Perform route lookup for this rule
    • service - NAT service parameters
    • unidirectional - Enable per-session NAT
    Identity NAT with just source:

    object network LOOPBACK2
    host 10.1.100.37

    nat (inside,outside) source static LOOPBACK2 LOOPBACK2




    Another thing you might want to add is a NAT control. It basically says that anything not explicitly allowed should be dropped. Like a catch-all/blackhole for NAT. Configure it as such:

    object network ZERO
    host 0.0.0.0
    nat (inside,outside) after-auto source dynamic any ZERO



    Show commands that are useful:
    • show run nat
    • show run object
    • show conn [detail]
    • show nat [detail]
    • show xlate
    • packet-tracer
    • show log
    [/FONT]
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • BobyBoby Member Posts: 27 ■□□□□□□□□□
    Hi Iris , you got an impressive academic records. Just wanted some advice from a cisco insider and someone who is currently studying for the security track , what books ,videos or training providers would you recommend me for learning cisco Asav from zero to mastery . i have got no experience in firewall and am completely new to this .
    wish you good luck for your ccie, i think the 2nd ccie is the easiest.
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    Post #93 should help you with the list I compiled.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • BobyBoby Member Posts: 27 ■□□□□□□□□□
    hmm so what is the difference between asa and asav ? Is the configuration part the same ?
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    It's pretty much the same as an ASA except it can't do the hardware-specific things like multicontext, clustering and have a firepower module. For the most part, everything else is the same.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • aia87aia87 Member Posts: 16 ■□□□□□□□□□
    hey iris great progress wish you the best on your journey
    can you give your feedback on these books you have in your list ?
    Cisco ASA: All-in-one Next-Generation Firewall, IPS, and VPN Services (3rd Edition)


    IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS (Networking Technology: Security)


    The Complete Cisco VPN Configuration Guide (Networking Technology)


    i'm studying for ccnp sec and have the old firewall and vpn exams OCG
    should i use these books instead or the OCG are still good enough ?





  • IristheangelIristheangel Mod Posts: 4,133 Mod
    The ASA book is good. It's deceptively large. If you cut out the ASDM screenshots and just pay attention to the CLI, it's like 1/4th the book.

    IKEv2 book - Good book but you CANNOT read it cover to cover without labbing. I tried. The knowledge was in and out.

    Complete VPN Configuration guide - A lot of folks I know read it but it's on my todo list. I plan on studying VPN next since both it and ASA code is my Achilles heel. My last couple weeks have been dedicated to ASA IOS and NAT. Making it hurt before I get to the fun stuff for my ABLing :)
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • ande0255ande0255 Banned Posts: 1,178
    I didn't get to say this yet, good luck!
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    Thanks! I had high hopes before of taking the CCIE Security v5 early but life and my new role got in the way so I'm now catching up. I'm thinking I'm going to do what I did last time: Take the lab 10/5 (and probably fail) and hopefully be ready for vengeance on 11/5
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • ande0255ande0255 Banned Posts: 1,178
    That is my plan for ROUTE (fail, re-cover material, pass), so I am right there with you :)

    Hope to see you continue posting articles on LinkedIn as well of Security topics, I'm double timing ROUTE right now, but I read the NAT post during work while on hold and that was a great explanation.

    If I ever turn into a zombie, your brain will be at the top of my to-eat list, along with all you other CCIE's!
  • gorebrushgorebrush Member Posts: 2,743 ■■■■■■■□□□
    Have you not done the lab yet Iris? :)

    I've been out of the loop for some time now, hello!
  • t3ch9t3ch9 Member Posts: 3 ■□□□□□□□□□
    Hi Iris, I've been reading many of your posts here on this forum. I just passed my received my CCNP Security certificate and want to start working on my CCIE Security. Do you think the Zero to Hero (saturday courses) will be enough to pass the CCIE Security exams?
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    gorebrush wrote: »
    Have you not done the lab yet Iris? :)

    I've been out of the loop for some time now, hello!

    Hello Gorebrush! Nope.. Labbing away still :) Slow and steady wins the race
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    @t3ch9 - No, no single bootcamp, book or set of books is enough to pass any CCIE. If any vendor promises that, they're either a) shady or b) lying. You don't want don't either of those things :)


    If you're going to study for the CCIE lab, expect a good solid year of labbing, reading, and possibly a bootcamp. The Z2H bootcamp was a great start for me and I loved it but the lab itself is much deeper than any single bootcamp
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    Still cranking away on this thing. Been updating my blog more than this thread.

    My goal is to hit the lab in early October like I did the last one. That way if I fail, I'll still be able to go back for November depending on how far off my miss is.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Legacy UserLegacy User Unregistered / Not Logged In Posts: 0 ■□□□□□□□□□
    How do you structure your studying one topic a day/week or until you get to the point that you can recite how to configure it?
  • PersianImmortalPersianImmortal Member Posts: 124 ■■□□□□□□□□
    Iris, you're such an inspiration! If I could ask, how do you manage your time when studying? Do you tend to take whole blocks of dedicated time to study or do you rather squeeze in some study time when you can, or perhaps another method I haven't thought of?

    Right now I'm prepping for the CASP exam (which is cake compared to a CCIE), but with a full-time middle management position and finishing up my doctoral program I end up not having a tremendous amount of time to study, so time management becomes pretty critical. How you are able to get all of these certifications while simultaneously working is astonishing!

    Anyway, I was just wondering what your time-management strategies are as you prepare for your exams?

    Best Wishes,

    PI
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    The last CCIE, I procrastinated the topics I was rougher in until last and did more "fun" ones first. Usually its a combination of videos, reading and some light labbing. Eventually I move past a topic but keep extensive notes. When I'm done hitting major topics, I usually go through full blown lab workbooks that incorporate many of the technologies together.

    This CCIE I'm doing it differently - I'm hitting up the weaker subjects first and working my way back to the easier. I would rather spend more time upfront on the "teethpulling" topics and have sort of a downhill run from there there. I think I in few more weeks, I should be past my core weaknesses and working on the "downhill."
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    [QUOTE=PersianImmortal;1093558
    Anyway, I was just wondering what your time-management strategies are as you prepare for your exams?
    [/QUOTE]


    If I had a normal 8-5 job, it'd probably be easier but it's more just getting a routine in place and trying to get hours in every day in any way I can. I more try to tackle subject now and when I get past that, I'll go for full scale labs
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • shimasenseishimasensei Member Posts: 241 ■■■□□□□□□□
    Still cranking away on this thing. Been updating my blog more than this thread.

    My goal is to hit the lab in early October like I did the last one. That way if I fail, I'll still be able to go back for November depending on how far off my miss is.

    Hi Iris! Thanks for keeping us posted on your CCIE:Sec journey. It's an inspiration to someone like me who aspires to be a future CCIE :)

    Between the demands of a busy job, IT consulting, studying and labbing for difficult exams / college, how do you manage your work/life balance? I understand you're married, and may or may not (not sure) have kids. I have a young family (wife and young son), and would like advice from someone with extensive experience like yourself (and other TE sages).
    Current: BSc IT + CISSP, CCNP:RS, CCNA:Sec, CCNA:RS, CCENT, Sec+, P+, A+, L+/LPIC-1, CSSS, VCA6-DCV, ITILv3:F, MCSA:Win10
    Future Plans: MSc + PMP, CCIE/NPx, GIAC...
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    Howdy Shimasensei,

    I'm married and planning for kids soon. Having kids adds a different wrinkle in the study plans but it's not a showstopper by any means. Some folks like Nick Russo and Mrock got multiple CCIEs with young kids in the house.

    I think the big thing is accepting some realities when you go for the CCIE:
    1. It's going to be expensive
    2. It's going to take a lot longer than most other certs you studied for
    3. You're going to have to sacrifice quite a bit to get it

    1 can be offloaded if you work at a company that will help pay for it
    2 & 3 are going to be realities. Best thing you can do is make sure your spouse and friends are supportive. If you have a full time job and do side consulting, you'll probably have to quit it during your CCIE. That's a reality. You can't do a full time job + 10-20 extra hours a week + 30-40 hours a week of studying. You'll see a lot of weekends and nights eaten up in CCIE studies but you do what you have to do.

    I also recommend finding people online or locally that are going towards a similar goal and will lab with you on hangouts. That takes a lot of the isolation aspect out of it.

    Going into it with that mindset is going to get you succeeding. I think the majority of people that fail or never go through with it are those that go into CCIE studies thinking it'll be over as quickly as any other certification and are surprised by the amount of work it is. Or their spouses are surprised the commitment. Better to level set right away and decide if it's worth it for you.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • shimasenseishimasensei Member Posts: 241 ■■■□□□□□□□
    Howdy Shimasensei,

    I'm married and planning for kids soon. Having kids adds a different wrinkle in the study plans but it's not a showstopper by any means. Some folks like Nick Russo and Mrock got multiple CCIEs with young kids in the house.

    I think the big thing is accepting some realities when you go for the CCIE:
    1. It's going to be expensive
    2. It's going to take a lot longer than most other certs you studied for
    3. You're going to have to sacrifice quite a bit to get it

    1 can be offloaded if you work at a company that will help pay for it
    2 & 3 are going to be realities. Best thing you can do is make sure your spouse and friends are supportive. If you have a full time job and do side consulting, you'll probably have to quit it during your CCIE. That's a reality. You can't do a full time job + 10-20 extra hours a week + 30-40 hours a week of studying. You'll see a lot of weekends and nights eaten up in CCIE studies but you do what you have to do.

    I also recommend finding people online or locally that are going towards a similar goal and will lab with you on hangouts. That takes a lot of the isolation aspect out of it.

    Going into it with that mindset is going to get you succeeding. I think the majority of people that fail or never go through with it are those that go into CCIE studies thinking it'll be over as quickly as any other certification and are surprised by the amount of work it is. Or their spouses are surprised the commitment. Better to level set right away and decide if it's worth it for you.

    Thank you for the great life advice :) Best of luck in your CCIE:Sec studies!
    Current: BSc IT + CISSP, CCNP:RS, CCNA:Sec, CCNA:RS, CCENT, Sec+, P+, A+, L+/LPIC-1, CSSS, VCA6-DCV, ITILv3:F, MCSA:Win10
    Future Plans: MSc + PMP, CCIE/NPx, GIAC...
  • tunerXtunerX Member Posts: 447 ■■■□□□□□□□
    Howdy Shimasensei,

    I'm married and planning for kids soon. Having kids adds a different wrinkle in the study plans but it's not a showstopper by any means. Some folks like Nick Russo and Mrock got multiple CCIEs with young kids in the house.

    I think the big thing is accepting some realities when you go for the CCIE:
    1. It's going to be expensive
    2. It's going to take a lot longer than most other certs you studied for
    3. You're going to have to sacrifice quite a bit to get it

    1 can be offloaded if you work at a company that will help pay for it
    2 & 3 are going to be realities. Best thing you can do is make sure your spouse and friends are supportive. If you have a full time job and do side consulting, you'll probably have to quit it during your CCIE. That's a reality. You can't do a full time job + 10-20 extra hours a week + 30-40 hours a week of studying. You'll see a lot of weekends and nights eaten up in CCIE studies but you do what you have to do.

    I also recommend finding people online or locally that are going towards a similar goal and will lab with you on hangouts. That takes a lot of the isolation aspect out of it.

    Going into it with that mindset is going to get you succeeding. I think the majority of people that fail or never go through with it are those that go into CCIE studies thinking it'll be over as quickly as any other certification and are surprised by the amount of work it is. Or their spouses are surprised the commitment. Better to level set right away and decide if it's worth it for you.


    I have worked with Nick on several self contrived projects like STIG'ing vmware. He wasn't even "new boots" when I first started working with him and now he is doing pretty good.

    It is nice working with the next generation coming in when you are going out...
  • IristheangelIristheangel Mod Posts: 4,133 Mod


    Welp. I went and done it now. I probably won't pass on the first time go but I'll shoot for the stars!
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • stryder144stryder144 Member Posts: 1,684 ■■■■■■■■□□

    Welp. I went and done it now. I probably won't pass on the first time go but I'll shoot for the stars!

    See now, you went and inspired me to schedule both of my CCNA: Cyber Ops exams. Love the "shoot for the stars!" attitude! Good luck!
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia

    Connect With Me || My Blog Site || Follow Me
  • michael172michael172 Registered Users Posts: 3 ■□□□□□□□□□
    Best of luck for December. Just passed my CCNP ISE, I have a couple of CCIE sec colleagues, they all say dont bother with the remaining CCNP sec exams just commit to the CCIE. So thats what I am now exploring. Ive no doubt this will be a huge commitment and for me its a topic Ive not really thought about to give me time to certify to CCNP level, but I want to get an idea of what its going to take and this thread has been a lot of help to me, so thanks for blogging and keeping this thread up to date. Biggest thing for me to figure out now is what will suffice as a LAB (one colleague says an AP, phone, 3850 and a VM server will do the trick and keep things simple) and also what study materials are available. I am tempted by INEs workbooks but its all v4 and will probably use the rack tokens further down the line.
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    I reset my lab date a couple months ago to 1/11 so I could take a month off of work and couple it with the yearly end-of-the-year shutdown.

    I'm 61 days away from my lab date and working through a vigorous review/lab schedule which anyone can see here: https://docs.google.com/spreadsheets/d/1Uh0QR5fQSl4WPyK6Tt1kXKgNEpsYDsWayYfTAVvFGfU/edit?usp=sharing

    If you have to ask how I find the time in the day, a couple things:
    1) Buy-in from your boss and spouse is essential
    2) Going from number 1, you have to taper expectations at work to have the work laptop shut by a certain time of night
    3) Less sleep in some cases
    4) Setting your daily goals and sticking to them. Failing or compromising on them has a snowball effect. Military-like dicipline is needed in the final sprint to the lab


    Not sure if I'll pull off a "first time pass" since I didn't do it the last time but if I'm within the ballpark, I'll be rescheduling and retaking that beast in 30 days
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • jamesleecolemanjamesleecoleman Member Posts: 1,899 ■■■■■□□□□□
    The spreadsheet is an awesome idea for tracking! I might have to try it out.
    Booya!!
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****
Sign In or Register to comment.