Going for the CCIE Security

124 Comments

  • Iristheangel Mod Posts: 4,133
    CCIE Security update:
    Had a crazy few months where I lost a lot of time I should have been labbing but finally now getting back into it. I feel good about where I'm leaving my blog and the videos I made on there until I feel like picking them up in a month or two. In the meantime, I'm going to focus on the hardest/rustiest subjects and work my way back to the easier ones for me. Thinking that I should go in this order:
    1) ASA - NAT, VPN, troubleshooting, multicontext, clustering, etc
    2) VPN - DMVPN, GETVPN, FlexVPN, RAVPN, S2S VPN, etc. Troubleshooting, theory, etc
    3) ESA - Need to get my mind wrapped about the ESA. I know how to get my way around the interface but no level of deep troubleshooting whatsoever. I can't imagine this being a huge part of the lab but if it's anything like the CCIE DC, you can't really afford to lose extra points
    4) IPv6 - Definitely a weakness but I feel a little better after reading the IPv6 Fundamentals and IPV6 security book. I heard that there was more of a focus on this in the previous v4 security and with all the new topics, I doubt they will dedicate a crazy amount of the lab to it but I do want to lab it to make it something that I'm more comfortable with
    5) IOS Security - Same as IPv6, I don't expect this to eat up TONS of the lab but definitely something to lab up more just to get reacquainted
    6) WSA - If anyone reads the version they chose for the lab and pay special attention to the release notes, this probably is going to be more intensive on the written than the lab. I don't feel too bad about how I am on the WSA but with the version they chose, there's not terribly much they could throw at me in the lab on this one...
    7) AMP Private Cloud - I'm good with AMP for Endpoints' cloud version and AMP Private Cloud has less features enabled so I think this will just be more practice than anything else
    8) AnyConnect - Pretty decent with using it as a VPN client but I need to dig into using it as a supplicant with the NAM module a bit more
    9) Firepower - This part I'm pretty good/dangerous with. Not an amateur but not an expert either. I probably have about 1500 pages of labs I can go through on this so it's a matter of practicing things I haven't played around with in the past with.
    10) TrustSec - Love it but haven't done MacSec before and there's some more dynamic stuff I haven't practiced so I'll get on that
    11) ISE - Heh. Well... Easy points right there.


    Overall, I wanted to be ready for a lab attempt at this time this year but my plans got blown away by work getting busy but I'm refocusing and recommitting. I hope to have my first lab attempt sometime in Q3 or Q4 of this year. I think I have a really strong shot at this and I definitely have a REALLY strong support system of folks going towards the same goal
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Iristheangel Mod Posts: 4,133
    Posted this on my blog but figured I'd post it here. I wrote a post about a year ago stating I was going to go after the CCIE Security but v5 hadn't been announced yet. I ended up sort of guessing on the materials. I cleaned up what I've been using and other materials that are out there. Wanted to share it with Techexams:

    It was about a year ago that I posted this post where I went through the CCIE Security materials I intended to study with. In that time, the CCIE Security v5 blueprint was released and I thought I would update the list to reflect the current blueprint and the study materials that are out there.

    The unified written/lab blueprint can be found here.
    The lab equipment and version numbers can be found here.
    Cisco was also nice enough to post study materials here and here.

    Based on the above, the following are the most relevant materials I've found out there:

    AMP

    AMP for Endpoints private cloud is most certainly on the lab per the above lab equipment list. The good news is that with Private Cloud, there are a few less features to have to lab but it's still a pretty important lab topic and there aren't a lot of training materials out there. Getting your hands on the labbing equipment either means having AMP for Endpoints purchased at your company or doing an evaluation. Be aware: This evaluation is pretty strict. You won't be able to get it past the time you are given a temporary license for. If you have the option of doing regular AMP for Endpoints (not the Private Cloud version), I would recommend using that since it has even more features and if you master that, you'll be able to do the Private Cloud material easier. I would just recommend knowing how to do the setup of AMP Private Cloud if you can't get your hands on it and have a mastery of AMP for Endpoints.

    Study Materials:

    • SSFAMP Class - This is an official class by Cisco that covers AMP for Endpoints and there was a strong focus on AMP for Endpoints Private Cloud. The class also comes with a 300+ page lab workbook. I feel this class is probably enough to get you past most of the lab. Since it is a Cisco class, if your company has Cisco Learning Credits, you could always use them with any Cisco Learning Partner to purchase this class.
    Note: There is also a book on the market called "Cisco Next-Generation Security Solutions: All-in-one Cisco ASA Firepower Services, NGIPS, and AMP." While this is an excellent book for learning about the products, I think it's more geared towards the CCNA/CCNP Security level than the CCIE Security level which is why I'm not including it on the list. If you know absolutely nothing about Firepower or AMP, it might be a good read and it's not a very large book.

    For AMP for Networks in regards to the ESA, Firepower, and WSA, you're probably best served just reading the small section in the configuration guides. This is not a complex configuration for the malware aspect on the AMP for Networks portion.



    Firepower


    This is a fun one to lab and work on. I would recommend reaching out to your Cisco sales team to talk about trying the software out. With the Firepower Management Center VM and a device running FTD, you can run it in evaluation mode for 90 days if you go to System>Licenses>Smart Licenses and click on the button Evaluation for 90 day. After that, you'll either have to purchase licenses or create a new Firepower Management Center VM. Personally, I would recommend labbing Firepower 6.1. The lab equipment guide says that it could be 6.0.1 or 6.1 but I think there's a better chance of it being 6.1 personally since that code version had been out for a few months when the v5 lab took effect. The lab equipment list says that it will have NGIPSv and Firepower Threat Defense. These two things are not the same. Understand the differences and the limitations of both. One thing also to note: ASA 5512-Xs are also listed on the lab equipment list. It doesn't specify whether this is just regular ASA or ASA with Firepower. I would recommend knowing how to configure the SFR module and potentially clustering the ASAs with those modules.

    Study Materials:

    • SSFIPS Book by Todd Lammle and Alex Tatistcheff - While this book was written for Firepower/Sourcefire 5.4, it still does an excellent job at explaining a lot of the concepts and probably about 70-80% of it is still relevant
    • Cisco Firepower 6.x with Firepower Threat Defense by Todd Lammle and Alex Tatistcheff - This one just came out but it's actually larger than the SSFIPS book and probably a bit more relevant. I haven't read it all the way through but the SSFIPS was an excellent book so I can vouch for the authors.
    • Labminutes - There are over 50+ free videos available on the site for Firepower 5.4 and 6.0 as well as an option to buy Firepower 6.1 videos. The gentleman that runs this site is awesome and his videos are invaluable. I definitely recommend coughing up the dough for the 6.1 videos and watching the free ones.
    • Udemy Firepower Video Series

    ASA


    The lab equipment list says that there are two ASA 5512-Xs. You can bet that inline Trustsec tagging, clustering, and multicontext are going to be on the lab if these are here. If they weren't going to include it, it would have probably just been easier for the lab creators to stick with virtual ASAs and FTD devices but they also added the physical ASAs. If you want to lab this out, you definitely can't get a 5506 because there's no clustering or multicontext on that platform but you don't have to get the exact model on the lab either. I would also NOT recommend getting a non-X model of the ASA since it won't support the same code train that's on the lab. Check out the prices for a pair of 5508s if you can. I believe those support all the features that the 5512-X do.

    Study Materials:

    In the future, INE is also going to offer some CCIE Security v5 updated videos as well.

    APIC-EM


    It's on the lab equipment blueprint so it's definitely a testable subject on the lab. I doubt there will be much in terms of configuration for this but it's going to be there for sure. The good news is that APIC-EM should be easy to download but it's going to require some serious server metal. If you try to thin provision or put less than the recommended amount of RAM, disk space, etc, it will certainly fail the hardware checks and not install.

    Study Materials:

    There are a lot of free videos and configuration guides. I don't think there is going to be that much complex stuff on the lab regarding APIC-EM but I'll link the following:


    IOS/CSR Security including NAT, IPv6 & VPN


    There aren't going to be any physical routers on the lab according to the lab equipment guide so you should be able to get away with CSR1000v for the router. However, you most certainly need to have a 3650/3850 that's able to support the code train that's on the lab. I know the desire will be to get a cheap IOS switch and just do that. I would NOT recommend doing so. There are syntax and feature differences between using old 3750s and newer 3650/3850 switches.

    Study Materials:

    ISE


    Obviously, this site is good for ISE but it's probably not enough to get you past the lab. The good thing is that there are a lot of great videos out there for ISE. With ISE, also comes Trustsec. I strongly suspect Trustsec will be a big part of the lab. The reason I assume this is because some of the equipment being used in the lab could have been easily virtualized but because the lab creators decided to go physical, they must need a feature that only the physical version has. For example, they could have used a virtual WLC in the lab if they wanted to cut down on equipment but instead they decided to go with a 2504 wireless controller. The only extra feature I can think they could gain from that is the ability to do SXP which isn't available in the vWLC.

    Study Materials:

    ESA


    Unfortunately, there aren't a lot of books out for this one but it's not the hardest concept in the world.

    Study Material:

    WSA


    I don't know how large of a topic the WSA will be in the lab given the version number they picked. Look at the release notes VERY carefully and the limitations with that version. If they stay true to the current advertised version, I suspect the lab will be more geared towards pxGrid integration and some lighter configuration than normal.

    Study Material:

    ACS


    Yes, it's still on the lab. Why? The explanation given last year at the Cisco Live CCIE Security v5 techtorial is that even though it was riding into the sunset soon, a lot of people will be seeing it in the wild for some time. Thank god they don't test us on other things I've seen in the wild in the last year like PIX firewalls, pre-8.3 ASA IOS code, and ISE 1.x. ;)

    Joking aside, I strongly suspect the amount of ACS configuration on the lab will be kept to a minimum given the size of the blueprint and the amount of time we have. Maybe configuring some dot1x or TACACS+ with it? Or maybe a task or two where we have to migrate to ISE using the built-in ACS to ISE migration tool in ISE 2.1? I'm just speculating here and I'm going to cover my bases by labbing this up.

    Not sure how long ACS will remain on the lab given the news about agile blueprints which you can read here. I think they'll eventually "agile" ACS right out of the lab sooner or later.

    Study Material:

    • AAA Identity Management Security - Half the book covers ACS 4.x and can be ignored and the other half covers 5.2 or something. It's not a very long read when you subtract half the book.
    • Labminutes ACS Videos - 22 beautiful and concise videos on labbing ACS. Probably enough to cover everything we'll need to cover in the lab and it's on version 5.4

    Wireless and Phone?


    I put a question mark on the above because one always wonders how much phone and wireless you need to know for an exam like this. I suspect they won't want you to be a wireless expert but you should know how to secure wireless (SGTs, ISE, etc) and all the configuration that goes into securing it. As far as the phone piece, I believe it should be more focused on how the phone is profiled or using dot1x to access the network (again, ISE). You probably have to know enough about CUCM to be able to login and confirm that the phone has registered but not be a Collab expert by any means. There is a book about securing IP Voice networks and it might be a good read but I doubt they'll go too far down the rabbit hole with a blueprint as large as this. At most and it's a BIG stretch, I could see them asking us to make sure that the voice traffic is encrypted.

    Bootcamps
    • Micronics Zero-To-Hero Security - Still a great bootcamp and they take Cisco Learning Credits so it's easy to jump in there if your place of business has extra credits.
    • Micronics CCIE Security v5 - I haven't gone to this one yet but I plan on going and I'll probably write up a review
    • INE CCIE Security v5 Bootcamp - Cristian Matei is a great instructor and I'm sure this one will be great. This did announce a couple of weeks ago that they will be updating the CCIE Security v5 content here. They do appear to be getting ready to teach about the topics but their beta racks don't seem to include the entire blueprint such as APIC-EM and AMP for Endpoints Private Cloud. Hopefully they'll be adding that later.

    Lab Workbooks


    Note: A lot of these workbooks are written for v4 and require some mental gymnastics to make them work for v5. That being said, a lot of the tasks still apply for v5 and can be used for the new blueprint.

    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Iristheangel Mod Posts: 4,133
    NAT Notes:

    NAT Sections designate the processing order of a NAT rule. There are three different sections in which a NAT rule may reside.

    • Section 1 - Manual NAT or Twice NAT
    • Section 2 - Auto NAT or Object NAT
    • Section 3 - Manual NAT using the after-auto keyword in your NAT rule
    Source NAT Syntax:

    object network name
    [host | subnet | range] ...
    nat (real-interface,mapped-interface) ...


    Destination NAT Syntax:

    object network name
    [host | subnet | range] ...
    nat (mapped-interface,real-interface) ...

    If traffic is coming from an interface with a higher security level, make sure to add an ACL to allow a port, protocol, and/or IP address/subnet through. Use the real IP in the access list.


    NAT-Lab.png

    NAT lab I was working with while doing all these configurations. I'm using VIRL in this case.






    Download: VIRL Topology


    Object NAT


    Object NAT always consists of an object configuration which holds a configuration for the host address/subnet/range and binds that to a NAT rule which is also inside the same object. That gives you the ability to have the NAT configuration under a single object.

    PAT:

    object network LAN
    subnet 10.1.100.0 255.255.255.0
    nat (inside,outside) dynamic interface


    PAT Pool:

    object network PATPOOL
    range 100.0.0.15 100.0.0.20


    object network LAN
    subnet 10.1.100.0 255.255.255.0
    nat (inside,outside) dynamic pat-pool PATPOOL {block-allocation | extended | flat | interface | round-robin}


    Extended commands mentioned above for PAT:
    • block-allocation - Enables port block allocation
    • extended - Extends PAT uniqueness to per destination instead of per interface. It'll show an extended NAT entry on the NAT table where it'll not only show the sourced translated ports but also look at the destination ports.
    • flat - Translate TCP and UDP ports into flat range 1024-65535
    • interface - Use interface address as mapped IP. Can be used as the backup IP for the pool if you want, falling back to the interface address.
    • round-robin - Specify to use PAT IP addresses in round robin order when it fetches an IP from the pool
    Destination NAT:

    object network DMZ_Host
    host 100.0.0.100
    nat (outside,dmz) static 200.0.0.10



    Dynamic NAT:

    object network WAN-POOL
    range 100.0.0.11 100.0.0.14


    object network DMZ-POOL
    range 200.0.0.11 200.0.0.14
    nat (dmz,outside) dynamic WAN-POOL


    Static NAT:

    object network SRV
    host 200.0.0.10
    nat (dmz,outside) static 100.0.0.5 {dns | no-proxy-arp | route-lookup}

    Extended commands mentioned above for static NAT:
    • dns - Uses the created xlate to rewrite DNS records
    • no-proxy-arp - Disables proxy ARP on the egress interfaces
    • route-lookup - Perform route lookup for this rule
    Static PAT (Port Redirection):

    object network SRV-GLOBAL
    host 100.0.0.5

    object network SRV
    host 200.0.0.10
    nat (dmz,outside) static SRV-GLOBAL service tcp telnet 23 2323


    Identity NAT: Per the Cisco Configuration guide: “You might have a NAT configuration in which you need to translate an IP address to itself. For example, if you create a broad rule that applies NAT to every network, but want to exclude one network from NAT, you can create a static NAT rule to translate an address to itself. Identity NAT is necessary for remote access VPN, where you need to exempt the client traffic from NAT.”


    Identity NAT Configuration (Basic):

    object-group network DMZ-INTERNAL
    network-object 200.0.0.0 255.255.255.0

    object network DMZ
    subnet 200.0.0.0 255.255.255.0
    nat (dmz,outside) static DMZ-INTERNAL


    Identity NAT with objects:

    object network DMZ
    subnet 200.0.0.0 255.255.255.0
    nat (dmz,outside) static DMZ


    Manual NAT


    Manual NAT gives you the ability to add NAT entries on the top or bottom of NAT processing and gives many more options you might not otherwise find in Object NAT. With Manual NAT, you'll see the static entry built into the xlate and see the hits against the NAT table. show conn will give you the connection table that shows the translations. You can also debug nat but if you want to see more details without turning on debugging, make sure logging is enabled at 7 and check the show log to troubleshoot the recent NAT connections.

    You always want to put the most specific NAT rules on top so they get matched first.

    Static NAT:

    object network DMZ-SRV
    host 200.0.0.10

    object network MAP-SRV
    host 100.0.0.5

    Global config mode:
    (config)# nat (dmz,outside) source static DMZ-SRV MAP-SRV


    Network Static NAT:

    object network LAN
    subnet 10.1.100.0 255.255.255.0

    object network MAP-OUTSIDE
    subnet 100.0.0.128 255.255.255.128

    (config)# nat (inside,outside) source static LAN MAP-OUTSIDE

    Dynamic NAT:

    object network LAN
    subnet 10.1.100.0 255.255.255.0

    object network NATPOOL
    range 100.0.0.15 100.0.0.20

    (config)# nat (inside,outside) source dynamic LAN NATPOOL

    PAT:

    object network OUTSIDE
    host 100.0.0.5

    object network LAN
    subnet 10.1.100.0 255.255.255.0

    (config)# nat (inside,outside) [after-auto] source dynamic LAN OUTSIDE


    PAT Pool:

    object network PATPOOL
    range 100.0.0.15 100.0.0.20

    object network LAN
    subnet 10.1.100.0 255.255.255.0

    (config)# nat (inside,outside) [after-auto] source dynamic LAN pat-pool PATPOOL


    Destination NAT:

    object network MAP-PARTNER1
    host 10.1.100.15

    object network PARTNER1
    host 100.11.11.22

    (config)# nat (inside,outside) [after-auto] source dynamic any interface destination static MAP-PARTNER1 PARTNER1


    Identity NAT with source and destination specified:

    object network DMZ
    subnet 200.0.0.0 255.255.255.0

    object network PARTNER2-NETWORK
    subnet 100.22.22.0 255.255.255.0

    (config)# nat (dmz,outside) 1 source static DMZ DMZ destination static PARTNER2-NETWORK PARTNER2-NETWORK {description | inactive | net-to-net | no-proxy-arp | route-lookup | service | unidirectional}

    Extended options mentioned above:
    • description - Specify NAT rule description
    • inactive - Disable a NAT rule
    • net-to-net - Net to net mapping of IPv4 and IPv6
    • no-proxy-arp - Disable proxy ARP on egress interface
    • route-lookup - Perform route lookup for this rule
    • service - NAT service parameters
    • unidirectional - Enable per-session NAT
    Identity NAT with just source:

    object network LOOPBACK2
    host 10.1.100.37

    nat (inside,outside) source static LOOPBACK2 LOOPBACK2




    Another thing you might want to add is a NAT control. It basically says that anything not explicitly allowed should be dropped. Like a catch-all/blackhole for NAT. Configure it as such:

    object network ZERO
    host 0.0.0.0
    nat (inside,outside) after-auto source dynamic any ZERO

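    As an added illustration of the section ordering described in these notes (this is example code written for this post, not Cisco's code and not part of the original notes), the following Python model puts a handful of the rules from above into the three NAT sections and reports which rule a given real source address would hit. Section 1 and Section 3 keep their configured line order; Section 2 is auto-ordered the way the ASA does it (static before dynamic, fewest real addresses first, then lowest real IP, then object name). Interface pairs and destination matching are deliberately left out of the model, and the rule set is constructed from the objects in the notes.

```python
# Added example (not from the original post or Cisco): a small model of how the
# ASA orders its NAT table, using object names from the NAT notes above.
# Assumptions: source address only; interface pair and destination are ignored.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    name: str      # object name (object NAT) or a label (manual NAT)
    real: str      # real (pre-translation) source network in CIDR form
    kind: str      # "static" or "dynamic"
    section: int   # 1 = manual NAT, 2 = object NAT, 3 = manual NAT after-auto
    line: int = 0  # configured order; only meaningful for sections 1 and 3

    @property
    def real_net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.real, strict=False)


def section2_key(rule: NatRule):
    """Automatic ordering the ASA applies inside Section 2 (object NAT):
    static before dynamic, then fewest real addresses (most specific) first,
    then the lowest real IP, then the object name alphabetically."""
    return (
        0 if rule.kind == "static" else 1,
        rule.real_net.num_addresses,
        int(rule.real_net.network_address),
        rule.name,
    )


def ordered_table(rules):
    """Return the rules in the order the ASA evaluates them (Section 1, 2, 3)."""
    s1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.line)
    s2 = sorted((r for r in rules if r.section == 2), key=section2_key)
    s3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.line)
    return s1 + s2 + s3


def matching_rule(rules, src_ip: str):
    """Name of the first rule whose real network contains src_ip, or None."""
    ip = ipaddress.ip_address(src_ip)
    for rule in ordered_table(rules):
        if ip in rule.real_net:
            return rule.name
    return None


# Constructed rule set, drawn from the configurations in the notes above.
RULES = [
    NatRule("LAN", "10.1.100.0/24", "dynamic", 2),        # object NAT PAT
    NatRule("DMZ", "200.0.0.0/24", "static", 2),          # object identity NAT
    NatRule("SRV", "200.0.0.10/32", "static", 2),         # object static NAT
    NatRule("LOOPBACK2", "10.1.100.37/32", "static", 1),  # manual identity NAT
    NatRule("ZERO", "0.0.0.0/0", "dynamic", 3, line=1),   # after-auto catch-all
]

if __name__ == "__main__":
    print([r.name for r in ordered_table(RULES)])
    for ip in ("10.1.100.37", "10.1.100.5", "200.0.0.10", "200.0.0.50", "192.168.1.1"):
        print(ip, "->", matching_rule(RULES, ip))
```

    Two things this makes visible: the manual identity rule for LOOPBACK2 wins over the LAN object rule even though LAN is configured first, because Section 1 is always evaluated before Section 2, and the after-auto ZERO rule only ever catches traffic that nothing in Sections 1 or 2 claimed, which is exactly the catch-all behaviour the NAT control paragraph describes.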


    Show commands that are useful:
    • show run nat
    • show run object
    • show conn [detail]
    • show nat [detail]
    • show xlate
    • packet-tracer
    • show log
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Boby Member Posts: 27
    Hi Iris, you've got an impressive academic record. Just wanted some advice from a Cisco insider and someone who is currently studying for the security track: what books, videos or training providers would you recommend for learning the Cisco ASAv from zero to mastery? I have no experience in firewalls and am completely new to this.
    Wish you good luck for your CCIE; I think the 2nd CCIE is the easiest.
  • Iristheangel Mod Posts: 4,133
    Post #93 should help you with the list I compiled.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Boby Member Posts: 27
    Hmm, so what is the difference between the ASA and the ASAv? Is the configuration part the same?
  • Iristheangel Mod Posts: 4,133
    It's pretty much the same as an ASA except it can't do the hardware-specific things like multicontext, clustering and have a firepower module. For the most part, everything else is the same.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • aia87 Member Posts: 16
    Hey Iris, great progress, wish you the best on your journey.
    Can you give your feedback on these books you have in your list?
    Cisco ASA: All-in-one Next-Generation Firewall, IPS, and VPN Services (3rd Edition)


    IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS (Networking Technology: Security)


    The Complete Cisco VPN Configuration Guide (Networking Technology)


    I'm studying for CCNP Sec and have the old firewall and VPN exams' OCG.
    Should I use these books instead, or are the OCGs still good enough?





  • Iristheangel Mod Posts: 4,133
    The ASA book is good. It's deceptively large. If you cut out the ASDM screenshots and just pay attention to the CLI, it's like 1/4th the book.

    IKEv2 book - Good book but you CANNOT read it cover to cover without labbing. I tried. The knowledge was in and out.

    Complete VPN Configuration guide - A lot of folks I know read it but it's on my todo list. I plan on studying VPN next since both it and ASA code is my Achilles heel. My last couple weeks have been dedicated to ASA IOS and NAT. Making it hurt before I get to the fun stuff for my ABLing :)
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • ande0255 Banned Posts: 1,178
    I didn't get to say this yet, good luck!
  • Iristheangel Mod Posts: 4,133
    Thanks! I had high hopes before of taking the CCIE Security v5 early but life and my new role got in the way so I'm now catching up. I'm thinking I'm going to do what I did last time: Take the lab 10/5 (and probably fail) and hopefully be ready for vengeance on 11/5
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • ande0255 Banned Posts: 1,178
    That is my plan for ROUTE (fail, re-cover material, pass), so I am right there with you :)

    Hope to see you continue posting articles on LinkedIn as well of Security topics, I'm double timing ROUTE right now, but I read the NAT post during work while on hold and that was a great explanation.

    If I ever turn into a zombie, your brain will be at the top of my to-eat list, along with all you other CCIE's!
  • gorebrush Member Posts: 2,743
    Have you not done the lab yet Iris? :)

    I've been out of the loop for some time now, hello!
  • t3ch9 Member Posts: 3
    Hi Iris, I've been reading many of your posts here on this forum. I just passed and received my CCNP Security certificate and want to start working on my CCIE Security. Do you think the Zero to Hero (Saturday courses) will be enough to pass the CCIE Security exams?
  • Iristheangel Mod Posts: 4,133
    gorebrush wrote: »
    Have you not done the lab yet Iris? :)

    I've been out of the loop for some time now, hello!

    Hello Gorebrush! Nope.. Labbing away still :) Slow and steady wins the race
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Iristheangel Mod Posts: 4,133
    @t3ch9 - No, no single bootcamp, book or set of books is enough to pass any CCIE. If any vendor promises that, they're either a) shady or b) lying. You don't want either of those things :)


    If you're going to study for the CCIE lab, expect a good solid year of labbing, reading, and possibly a bootcamp. The Z2H bootcamp was a great start for me and I loved it but the lab itself is much deeper than any single bootcamp
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Iristheangel Mod Posts: 4,133
    Still cranking away on this thing. Been updating my blog more than this thread.

    My goal is to hit the lab in early October like I did the last one. That way if I fail, I'll still be able to go back for November depending on how far off my miss is.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Legacy User (Unregistered / Not Logged In) Posts: 0
    How do you structure your studying: one topic a day/week, or until you get to the point that you can recite how to configure it?
  • PersianImmortal Member Posts: 124
    Iris, you're such an inspiration! If I could ask, how do you manage your time when studying? Do you tend to take whole blocks of dedicated time to study or do you rather squeeze in some study time when you can, or perhaps another method I haven't thought of?

    Right now I'm prepping for the CASP exam (which is cake compared to a CCIE), but with a full-time middle management position and finishing up my doctoral program I end up not having a tremendous amount of time to study, so time management becomes pretty critical. How you are able to get all of these certifications while simultaneously working is astonishing!

    Anyway, I was just wondering what your time-management strategies are as you prepare for your exams?

    Best Wishes,

    PI
  • Iristheangel Mod Posts: 4,133
    The last CCIE, I procrastinated the topics I was rougher in until last and did more "fun" ones first. Usually it's a combination of videos, reading and some light labbing. Eventually I move past a topic but keep extensive notes. When I'm done hitting major topics, I usually go through full blown lab workbooks that incorporate many of the technologies together.

    This CCIE I'm doing it differently - I'm hitting up the weaker subjects first and working my way back to the easier. I would rather spend more time upfront on the "teethpulling" topics and have sort of a downhill run from there. I think in a few more weeks, I should be past my core weaknesses and working on the "downhill."
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Iristheangel Mod Posts: 4,133
    PersianImmortal wrote: »
    Anyway, I was just wondering what your time-management strategies are as you prepare for your exams?

    If I had a normal 8-5 job, it'd probably be easier but it's more just getting a routine in place and trying to get hours in every day in any way I can. I'm more trying to tackle subjects now and when I get past that, I'll go for full scale labs.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • shimasensei Member Posts: 241
    Still cranking away on this thing. Been updating my blog more than this thread.

    My goal is to hit the lab in early October like I did the last one. That way if I fail, I'll still be able to go back for November depending on how far off my miss is.

    Hi Iris! Thanks for keeping us posted on your CCIE:Sec journey. It's an inspiration to someone like me who aspires to be a future CCIE :)

    Between the demands of a busy job, IT consulting, studying and labbing for difficult exams / college, how do you manage your work/life balance? I understand you're married, and may or may not (not sure) have kids. I have a young family (wife and young son), and would like advice from someone with extensive experience like yourself (and other TE sages).
    Current: BSc IT + CISSP, CCNP:RS, CCNA:Sec, CCNA:RS, CCENT, Sec+, P+, A+, L+/LPIC-1, CSSS, VCA6-DCV, ITILv3:F, MCSA:Win10
    Future Plans: MSc + PMP, CCIE/NPx, GIAC...
  • Iristheangel Mod Posts: 4,133
    Howdy Shimasensei,

    I'm married and planning for kids soon. Having kids adds a different wrinkle in the study plans but it's not a showstopper by any means. Some folks like Nick Russo and Mrock got multiple CCIEs with young kids in the house.

    I think the big thing is accepting some realities when you go for the CCIE:
    1. It's going to be expensive
    2. It's going to take a lot longer than most other certs you studied for
    3. You're going to have to sacrifice quite a bit to get it

    1 can be offloaded if you work at a company that will help pay for it
    2 & 3 are going to be realities. Best thing you can do is make sure your spouse and friends are supportive. If you have a full time job and do side consulting, you'll probably have to quit it during your CCIE. That's a reality. You can't do a full time job + 10-20 extra hours a week + 30-40 hours a week of studying. You'll see a lot of weekends and nights eaten up in CCIE studies but you do what you have to do.

    I also recommend finding people online or locally that are going towards a similar goal and will lab with you on hangouts. That takes a lot of the isolation aspect out of it.

    Going into it with that mindset is going to get you succeeding. I think the majority of people that fail or never go through with it are those that go into CCIE studies thinking it'll be over as quickly as any other certification and are surprised by the amount of work it is. Or their spouses are surprised by the commitment. Better to level set right away and decide if it's worth it for you.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    shimasensei Member Posts: 241 ■■■□□□□□□□
    [QUOTE=Iristheangel]
    Howdy Shimasensei,

    I'm married and planning for kids soon. Having kids adds a different wrinkle in the study plans but it's not a showstopper by any means. Some folks like Nick Russo and Mrock got multiple CCIEs with young kids in the house.

    I think the big thing is accepting some realities when you go for the CCIE:
    1. It's going to be expensive
    2. It's going to take a lot longer than most other certs you studied for
    3. You're going to have to sacrifice quite a bit to get it

    1 can be offloaded if you work at a company that will help pay for it
    2 & 3 are going to be realities. Best thing you can do is make sure your spouse and friends are supportive. If you have a full time job and do side consulting, you'll probably have to quit it during your CCIE. That's a reality. You can't do a full time job + 10-20 extra hours a week + 30-40 hours a week of studying. You'll see a lot of weekends and nights eaten up in CCIE studies but you do what you have to do.

    I also recommend finding people online or locally that are going towards a similar goal and will lab with you on hangouts. That takes a lot of the isolation aspect out of it.

    Going into it with that mindset is going to get you succeeding. I think the majority of people that fail or never go through with it are those that go into CCIE studies thinking it'll be over as quickly as any other certification and are surprised by the amount of work it is. Or their spouses are surprised by the commitment. Better to level set right away and decide if it's worth it for you.
    [/QUOTE]

    Thank you for the great life advice :) Best of luck in your CCIE:Sec studies!
    Current: BSc IT + CISSP, CCNP:RS, CCNA:Sec, CCNA:RS, CCENT, Sec+, P+, A+, L+/LPIC-1, CSSS, VCA6-DCV, ITILv3:F, MCSA:Win10
    Future Plans: MSc + PMP, CCIE/NPx, GIAC...
    tunerX Member Posts: 447 ■■■□□□□□□□
    [QUOTE=Iristheangel]
    Howdy Shimasensei,

    I'm married and planning for kids soon. Having kids adds a different wrinkle in the study plans but it's not a showstopper by any means. Some folks like Nick Russo and Mrock got multiple CCIEs with young kids in the house.

    I think the big thing is accepting some realities when you go for the CCIE:
    1. It's going to be expensive
    2. It's going to take a lot longer than most other certs you studied for
    3. You're going to have to sacrifice quite a bit to get it

    1 can be offloaded if you work at a company that will help pay for it
    2 & 3 are going to be realities. Best thing you can do is make sure your spouse and friends are supportive. If you have a full time job and do side consulting, you'll probably have to quit it during your CCIE. That's a reality. You can't do a full time job + 10-20 extra hours a week + 30-40 hours a week of studying. You'll see a lot of weekends and nights eaten up in CCIE studies but you do what you have to do.

    I also recommend finding people online or locally that are going towards a similar goal and will lab with you on hangouts. That takes a lot of the isolation aspect out of it.

    Going into it with that mindset is going to get you succeeding. I think the majority of people that fail or never go through with it are those that go into CCIE studies thinking it'll be over as quickly as any other certification and are surprised by the amount of work it is. Or their spouses are surprised by the commitment. Better to level set right away and decide if it's worth it for you.
    [/QUOTE]

    I have worked with Nick on several self-contrived projects like STIG'ing VMware. He wasn't even "new boots" when I first started working with him and now he is doing pretty good.

    It is nice working with the next generation coming in when you are going out...
    Iristheangel Mod Posts: 4,133 Mod
    Welp. I went and done it now. I probably won't pass on the first time go but I'll shoot for the stars!
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    stryder144 Member Posts: 1,684 ■■■■■■■■□□
    [QUOTE=Iristheangel]
    Welp. I went and done it now. I probably won't pass on the first time go but I'll shoot for the stars!
    [/QUOTE]

    See now, you went and inspired me to schedule both of my CCNA: Cyber Ops exams. Love the "shoot for the stars!" attitude! Good luck!
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia

    michael172 Registered Users Posts: 3 ■□□□□□□□□□
    Best of luck for December. Just passed my CCNP ISE. I have a couple of CCIE Sec colleagues, and they all say don't bother with the remaining CCNP Sec exams, just commit to the CCIE. So that's what I am now exploring. I've no doubt this will be a huge commitment, and for me it's a topic I've not really thought about, to give me time to certify to CCNP level, but I want to get an idea of what it's going to take, and this thread has been a lot of help to me, so thanks for blogging and keeping this thread up to date. Biggest thing for me to figure out now is what will suffice as a lab (one colleague says an AP, phone, 3850 and a VM server will do the trick and keep things simple) and also what study materials are available. I am tempted by INE's workbooks but it's all v4, and I will probably use the rack tokens further down the line.
    Iristheangel Mod Posts: 4,133 Mod
    I reset my lab date a couple months ago to 1/11 so I could take a month off of work and couple it with the yearly end-of-the-year shutdown.

    I'm 61 days away from my lab date and working through a vigorous review/lab schedule which anyone can see here: https://docs.google.com/spreadsheets/d/1Uh0QR5fQSl4WPyK6Tt1kXKgNEpsYDsWayYfTAVvFGfU/edit?usp=sharing

    If you have to ask how I find the time in the day, a couple things:
    1) Buy-in from your boss and spouse is essential
    2) Going from number 1, you have to taper expectations at work to have the work laptop shut by a certain time of night
    3) Less sleep in some cases
    4) Setting your daily goals and sticking to them. Failing or compromising on them has a snowball effect. Military-like discipline is needed in the final sprint to the lab

    Not sure if I'll pull off a "first time pass" since I didn't do it the last time, but if I'm within the ballpark, I'll be rescheduling and retaking that beast in 30 days.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    jamesleecoleman Member Posts: 1,899 ■■■■■□□□□□
    The spreadsheet is an awesome idea for tracking! I might have to try it out.
    Booya!!
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****