Lab requirements for CCIE Sec

Hi!

Got a question about equipment I need access to in order to pass CCSP and if it covers the new CCIE Security lab blueprint. I'm attending a school that has the following equipment:

- 2 x IDS 4210
- 2 x 3550
- 4 x 2500
- 1 x 1700
- 6 x 2600
- 1 x PIX 515E
- VPN concentrator

Am I good to go with this lab? I do not have information about versions on the equipment..

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

mikej412

The CCIE Security Equipment and Lab page still shows the "old" -- which is what you have for hardware -- and the "new."

The 4210s can run the 5.1 software, but you still only get one sensing interface, so you can't do the sensing inline. There may be a "workaround," but I haven't upgraded yet. Should still be fine for the IPS exam.

The PIX 515E can run the 7.x software.... so it's good. Not sure what they are teaching now for the ASAs -- but for the CCIE you want 2 of those. I'm currently debating upgrading my home lab.... but am leaning towards rack rental for when I go back to studying for the Version 2 Security Lab. Check out this
642-522 PIX/ASA thread by Ahriakin for some good info.

The VPN concentrator may need the software upgrade.... but should still be good for now.

Spur

Thanks for the input mike! They have had CCIE students last year at my school, so I reckon that they must have the ASAs required. I'm going over there tomorrow and take a look. It would have been great since I can get 24/7 access to the lab. Will cost me about $10k a year. Planning to make CCIE within the summer next year.

mikej412

Spur wrote:

They have had CCIE students last year at my school

The Security CCIE Lab changed Jan 2nd, 2007 from the Version 1 to Version 2. That's where they added the ASAs to the Lab (and upgraded the software versions and got rid of the easy R&S points).

Some of the links on the Cisco site don't point to the current links... the V1 Lab Blueprint still seems to be the active link on the cisco web site, rather than the current Security V2 Blueprint. There was a delay in updating the written exam, and the old version is still available -- so someone updating the site may be confused about the other links.

That equipment and software link at least shows the old with the new -- but should also be updated to reflect only the new stuff now.

Make sure they plan to upgrade and get you the ASAs!!!

Spur

mikej412 wrote:

Make sure they plan to upgrade and get you the ASAs!!!

Hell yeah!!

Spur

No ASA's..

How many users should the ASA's support? Would a 5505 with a 10 users bundle be ok?

mikej412

You only have one user in the lab

But I'd guess the small bundles would work in the lab. I couldn't see more than 2 site-to-site tunnels on any device during a lab.

I had looked at the 5510s.... but haven't figured out if you could get by with the 5505s. The 5505 with Security Plus bundle is $1150 at CDW (and in stock -- I could drive over!).

Since I'm focused on the R&S Lab, I can't remember where I saw something that makes me think you'd want the Security Plus bundle. I guess I should go back over the features and compare it to what should be in the lab blueprint (and the V2 Security Lab Workbooks when they are all out). Same with the models -- is the 5505 good for learning, but not the practice labs?

A 50 user 5505 is under $600 at CDW (plus tax + gas). I might grab one when I have the time... I could always get the Security Plus upgrade license for just under $600. Hum.... save $50 or waste $600 if you don't need the Sec Plus bundle.....

I don't know if they work for the lab.... but you sold me on getting one to check out when I have the time.

Spur

You kinda got a point there :P

I'm just amazed that my school hasn't got these ASA's already since there is a guy at school "pretending" to go for the CCIE sec. A couple of months ago he was struggling to recertify on his CCNA.. So I guess he is just wasting his time and money

But if the 5505 doesn't cover for the CCIE it should be fine for CCSP, right?

In case my school refuse to invest on it I have to get one by myself..

Guess you have some research to do..

Appreciate your replies mike! Thanks a lot!

mikej412

Spur wrote:

But if the 5505 doesn't cover for the CCIE it should be fine for CCSP, right?

Almost anything is better than nothing for studying.

One 5505 is probably a good start for an CCSP lab and is at least useful for learning the technologies for the CCIE. Like I said -- you talked me into getting one.

Spur

Guess you're right. No harm can be done :P I'm gonna talk the people at my school into buying a couple if I'm going there. It would be weird if they didn't want their lab to be updated when they already got the rest of the equipment.

Keep me updated!

mikej412

Hum... I just checked the Lab doc again -- it says

Cisco ASA 5500 Series Adaptive Security Appliances OS Software Version 7.x*

Still will require research.... But I have 5510 on the brain because thats what one of the Security Rack Rental places installed.

The most important thing (other than getting ASAs) would be updating the software versions. The "old stuff" is better than nothing -- but it would be easier to study using the correct software versions.

Spur

Yeah, gotta check the versions also.. Want to be as prepared as possible of course.. Starting with CCSP first and we'll see where the wind takes me :P

mikej412

I don't think the 5505 does contexts.... and there may be an issue with the number of interfaces when compared to CCIE lab requirements.... and I don't think you can do failover (which may or maynot be a lab issue -- it looks like it is in one of the vendor workbooks).

Now to figure out what a 5505 with the advanced security license ($500+ vs $1000+) gets you....

But the 5505 still looks like it would be useful for study.

Spur

Good thing that you are into this one

If I can get by app. 80% with a 5505 I think I'll do fine :P

mikej412

I've ordered an ASA5505-BUN-K9 to go with 2 PIX 515 Unrestriced Active/Active Failover firewalls for my home lab.

The ASA5505-SEC-BUN-K9 gives you Active/Standby failover, DMZ support, multi-ISP.... but I'm figuring -- hoping -- guessing that the ASA specific stuff on the lab would be the WebVPN stuff -- and the 5505 I got should do that.

Spur

Sounds good!

I have layed my plans for the CCIE Sec on ice for some time.. It has turned out that my school is having problems with too few students and they will probably be closing the doors in the summer..

That means I'm in for a job hunt instead of studying full time from the summer..