CCIE, CCIP, CCNP: Sec Lab Equipment.

My new employer now sees the need for a Cisco lab for the engineering team to have at their disposal, so a Co-worker and I trying to get this spec'ed out.. My ultimate goal is to have a lab that can be used by anyone (from NOC guys to us engineers for troubleshooting/design purposes).

I also want to design it in a way that will assist me with my CCNP: Security (along with the CCIE in the far future, GNS3 seems to be adequate for the CCIP so far)

Off the top of my head I'm thinking..

a few 3550's - L3 Switches for routing, PVLANs?

a couple 2960's - L2 stuff VTP, VLAN, AAA, Port Security

Some 2800's - Not sure if I could get aware with 2600's with Adv Security (and maxed memory) for ZBF, CBAC, VPN, etc

ASA 5510's - Maybe I could get away a 5505 but since we have lots of customers with ASA 5510's, 5520's so the 5510 should be attainable.

Maybe some 38xx or 39xx routers with various modules... Although I'm sure some 28xx/29xx ISR would be just as good.

Some PIX's and VPN Concentrators (We've got quite few customers still running these)..

Between the ASA, PIX, VPN, and ISR's with Adv Security IOS or higher that should be good enough for the CCNP: Security (and CCNA: Security).

The ISR's and Catalyst switches would be good for anyone wanting to pursue their CCNA, CCNP.

The next question, would I need to anything special for the CCIE? (Obviously I'm thinking really term with this).. What do you guys think?

Find more posts tagged with

Comments

ColbyG

I don't think I'd bother with 2960s at all. Either go 3560, or more 3550s. 2800+ are probably overkill (and pretty expensive). 1841s should be enough (I believe they do LDP, if not, maybe supplement with 3640s or some XMs).

For the CCIP, you can use Dynamips almost exclusively (I did). And with IOU and L2IOU out, you can probably get by running everything virtually. I can't help much with the Security stuff, I know almost nothing about that track.

NOC-Ninja

For ccie rs
2 x 3550
2 x 3560

But I think you want ccie-sec right? Check the blueprint.

Forsaken_GA

ColbyG wrote: »

For the CCIP, you can use Dynamips almost exclusively (I did). And with IOU and L2IOU out, you can probably get by running everything virtually. I can't help much with the Security stuff, I know almost nothing about that track.

L3IOU is pretty cool and gives you a lot of flexibility.

L2IOU, at least the version that's in the wild, has..... issues. Getting trunking to work properly is a royal pain in the rear, and I haven't yet been able to do it without it also consuming 100% of the CPU, it thinks there's excessive collisions on the link. It works fine for emulating a shared bus though.

ColbyG

That's interesting. I haven't played with it yet, but people were ecstatic when they got hold of it. Kind of useless without trunking.

Forsaken_GA

To answer the OP, the following are links to INE's CCIE Lab rack specs. While you may not necessarily be building to their specs, or those tracks, it should get your a good idea of what kind of gear you need, and stilll be cost effective in doing so

Security: http://s3.www.ine.com/downloads/ine.sc.physical.topology.v5.002.pdf
Voice: http://s3.www.ine.com/downloads/voice_rack_rental_hardware_specifications_v1.2.pdf
R&S: How To Build A CCIE Rack | INE

shodown

I think it should be simular to what your site or sites is like as example.

Our CORE wan Sites at one job had

2 Junipers
2 3750
1 3845
2 Firewalls
and a few other odds and ends. So what we did was be able to load up any site in the wan cause we kept the gear consistant throughout and we could build out and test any deployment we wanted and check the results.

Bl8ckr0uter

Maybe a couple of windows servers for ACS. As far as CCNA:S you have plenty.

Forsaken_GA

SteveO86 wrote: »

a few 3550's - L3 Switches for routing, PVLANs?

Ah, and I missed this. Unforutnately, 3550's can't do PVLAN. Or ipv6. It's one of the few annoyances with the platforms. If you want that, you'll need to step up to 3560's

SteveO86

I had a feeling the 3550's couldn't do PVLANs.. thanks for confirming that. (saved me a bit of research there!)

Thanks for the lab specs Forsaken!

We've for an ACS servers going already so we should be set on that. Of course we may just setup a second one dedicated to the lab (probably the best idea).

The 28xx/38xx might be overkill for a lab but those are the primary devices we have at many of our customers that's the only reason I through them in.

My long term is going to be:

CCIP, CCDP, CCNP: Sec, CCIE: ???...

The order might change I've got a lot more experience with ASA then I do with BGP/MPLS, but with all the work I've been doing with BGP/MPLS lately I feel my time would be more well spent learning BGP/MPLS then trying to work toward a subject I am already familiar with (CCNP: Sec).. Of course IPS is going to be a tough topic I've only worked with Cisco IOS IPS and not a dedicated IPS appliance... but that's a discussion for the future.