CCIE Security v5 - The Long Haul

Good Morning!

To start off this all came rather unexpectedly, but in a good way. A colleague of mine wanted to work on the CCIE Security track and as such I helped him build his home lab, signed him up for Narbik's Z2H:Security course and figured that was the last of it. You can imagine my surprise when my company called me to say they requested 2! seats to the Fall 2017 Z2H course and was asking that I not only attend, but complete the CCIE Security track along with my coworker. I felt like a kid opening presents on Christmas morning. That night I sat down with my wife to discuss everything (family support is CRITICAL towards success) and we agreed to make adjustments to our schedules to accommodate.

Since I've focused on DC/RS/SP/Wireless over the last few years (some security, but not as much hands on with the new toys) I knew I'd have to get back to the books to get caught up with many of the technologies. As a start I decided to review the following materials with many additions to come:

ASA/FirePower:

https://www.amazon.com/Cisco-ASA-All-one-Next-Generation/dp/1587143070/ref=sr_1_1?s=books&ie=UTF8&qid=1510584587&sr=1-1&keywords=cisco+asa

https://www.amazon.com/Cisco-Next-Generation-Security-Solutions-All/dp/1587144468/ref=sr_1_4?s=books&ie=UTF8&qid=1510584587&sr=1-4&keywords=cisco+asa

https://www.amazon.com/Cisco-Firepower-6-x-Threat-Defense-ebook/dp/B06XYXCVQ8/ref=sr_1_3?s=books&ie=UTF8&qid=1510584635&sr=1-3&keywords=cisco+firepower

ISE:

https://www.amazon.com/Secure-Unified-Access-Networking-Technology/dp/1587144735/ref=sr_1_1?s=books&ie=UTF8&qid=1510584448&sr=1-1&keywords=cisco+ise+for+byod+and+secure+unified+access%2C+2nd+edition

https://www.amazon.com/Practical-Deployment-Identity-Services-Engine/dp/0128044578/ref=sr_1_2?s=books&ie=UTF8&qid=1510584659&sr=1-2&keywords=cisco+ise

ESA/WSA:

INE Subscription

AMP/Umbrella:

SSFAMP course and tons of hands on exp with Umbrella

For practicing at home I have the following equipment in the "mad lab" and will be adding to it over the next few months:

Synology DS1517 with plenty of space available
Catalyst 3750X 24port PoE with IP Base
ASA 5506-X Firepower Ready
WLC 2504 with 25 Licenses
2x AIR-AP2602i (may be replacing with 3802i)
2 x HP DL 360 Servers with Dual 6 core procs, 128Gb memory, and plenty of HDD space

My plan is to virtualize as much as possible and use physical gear only when necessary.

As I mentioned, I'm also working on the Z2H:Security class thanks to work. The first session was this last weekend and I'm already enjoying the course. We spent the first day doing introductions and reviewing ASA firewalls. I'll be taking notes during each section and hopefully @Iristheangel can give me some tips on formatting them as she does probably the best job I've seen! Needless to say half the class mentioned her as the reason for taking the Z2H so Kudos to our own TE Rock Star!

Goals:

I saved this section for last as a sobering reminder that while I get to have fun on the journey, I still need to have accountability for the written and lab exams. I'm shooting for the written exam @ CLUS 2018 in Orlando (down the street from me, TopGolf anyone?) and hopefully lab attempt #1 by EoY 2018. In order to accomplish this I plan to do the following:

-Study 4-5 days a week, reserving at least 2 days for family.
-Complete 800-1000 hours of hands on lab time between now and the lab attempt
-Successfully complete the Z2H course
-Successfully complete the SSFAMP course
-Successfully complete the SISE 2.x course (done)
-Complete 2 of 4 Cisco Fire Jumper Competencies (in progress, Cisco Partner Only)
-Update this thread at least once per week

Any suggestions/tips/tricks/etc are always welcome! If anyone wants to come along for the ride then I more than welcome the company, especially if it means we can pick up a new skill together.

Find more posts tagged with

Comments

down77

Woke up this morning and had a few meetings canceled! So today's study tasks will be as follows:

ASA Basic Initialization, Clustering/HA, and Routing:
-Continue to review week 1 Z2H recorded webex and take notes (1hr)
-Review INE CCIE Security ATP v4 videos (2hrs)
-Begin reading Cisco ASA AIO v3 (1-2hrs, or until I pass out)

If all goes well I'll be watching videos earlier in the day, and then do some reading/lab'ing in the evenings. I'll probably take some time later this week or next week to start building the lab and also make sure to get my VPN set up so I can access everything while traveling.

cbolar

I wish you luck, this is one of my dreams as well. I'll be looking forward to seeing your process!

NOC-Ninja

Goodluck.

down77

Thanks guys. If this track is anything like the previous ones I've studied for then it should be a blast!

I have a bit of work that needs to get done today so I won't have as much time to study. I did have to swap the C3750X for a C3750G as a coworker needed to borrow the 3750X for a customer. I'm scared to see which version of IOS is on the device and I have a feeling I will have to upgrade that to 12.2.55-SE.

Plan for today:

-Finish the ASA IP Routing video before driving to meet a customer for lunch
-Continue reading ASA AIO v3

Iristheangel

My recommendation: For the ASA AIO, skip the parts about ASDM and just read the theory and skip ahead in the chapter to the actual CLI. You'll notice the book gets a LOT smaller when you do that :P

down77

Good recommendation. That should help to get through this book a bit faster.

down77

Happy Friday!

I got an early start to the day this morning and decided to make the most of it. I was able to watch most of an INE ASA Multiple Context mode video before my kids woke up and asked me to help them get ready for school.

My goal for the day is to finish reading Chapter 8-9 in the AIO, watch the corresponding videos, and then compile my notes so that I can review them later. I'm going to try and do as much of this as possible while @ work so that I can spend time with the kids later this evening.

Tomorrow is session 2 of the Z2H class (ASA Part 2) so I'll be spending part of the day in lecture, and then part of the day watching my daughter's Nutcracker ballet recital. I'll finish watching the lecture once the webex recording is up, after everyone is asleep. Its important to remember that your studies need to be balanced out with other important things in your life.

Sunday will be a day at the amusement park(s) followed by an evening of lab lab lab!

I hope everyone has a great Friday!

down77

Post holiday update! I've been staying busy and making progress.

We just wrapped up week 2 of Z2H so I will be labbing more NAT (BiDirectional NAT/Twice NAT), starting on the MPF labs and working through advanced inspection. Towards the end of the week I will be picking up an ASA 5525X par from a colleague to borrow towards Virtualization Labs (Clustering/Multi-context) and HA (active/active and active/passive). I have to return them in 2 weeks so I'm planning to use them extensively while I have them.

I'm skipping QoS for now, and will come back to it later. I'm looking forward to starting the FirePOWER content this coming weekend. But for now, back to some studies!

down77

I'm a little behind where I wanted to be on the reading, so I took @Iristheangel's advice and skipped most of the ADSM content in the ASA AIO v3.

Today I will be playing with ASA Transparent mode; allowing routing protocols/Multicast/and lets throw some MPLS into the mix (why not right?). Like with the CCIE RS studies each protocol will be configured to require authentication... I mean afterall, we are talking about security!

More Gear on the desk below. I plan to cable this up and extend my lab from upstairs

IMG_1161.jpg

down77

Since we had no Z2H class last week I decided to start on the LabMinutes ASA FirePOWER videos and spend the remainder of the time cleaning up my notes from the first 3 weeks. I've learned to appreciate the commands "debug icmp trace" and "ping tcp <x>" as I seem to use them pretty frequently when testing ASA configuration in the labs.

On a similar note I was asked by a customer to help with a Cisco FirePOWER/FireAMP proof of value (PoV) deployment starting tomorrow. This would normally go to an install Engineer on my team but the customer felt more comfortable working with a resource they have known for years. I'm looking forward to building out the PoV for them. The more hands on time with security technologies, the better!

down77

Our Z2H class this weekend featured an "introduction" to FTD mostly due to a lab server crashing and a bunch of pods going down. No student configs were lost, but it appears my pod was one of those that was affected. Soooo.... I'm taking a quick break from the ASA advanced studies to start on some FTD work!

Earlier today I downloaded FTDv, FMCv, and started deploying the VMs just before dinner. Later this evening I'll go through basic setup of both appliances and begin setting up Network Discovery policies. If I get some time, I may re-image my 5506-X with FTD so I can throw that in the mix and set up a quick "S-2-S" vpn between the two devices.

down77

Great Z2H class last weekend on FirePOWER Security Intelligence, AMP, and some best practices. Our next class is in 2018 so my plan is to re-watch the first 5 videos and get caught up on labs. I also need to finish reading the FTD book and compile notes, which I have been slacking on. Thankfully I have some time off for the holidays so I plan to use the time to my advantage.

down77

My 2 week vacation for the holidays is now complete! While I spent a bit of time with family, I made sure to rewatch all 5 of the Z2H sessions as well as make progress in the FTD book.

My lab server took a hit during the holidays, so I will be on ebay buying a few (minor) spare parts to get it up and going again. Thankfully I have access on online labs so that I can continue progress while I wait for the parts to arrive.

Pushing forward with FTD/FirePOWER for the next few weeks.