CCIE, CCIP, CCNP: Sec Lab Equipment.
My new employer now sees the need for a Cisco lab for the engineering team to have at their disposal, so a co-worker and I are trying to get this spec'ed out. My ultimate goal is to have a lab that can be used by anyone (from NOC guys to us engineers for troubleshooting/design purposes).
I also want to design it in a way that will assist me with my CCNP: Security (along with the CCIE in the far future, GNS3 seems to be adequate for the CCIP so far)
Off the top of my head I'm thinking..
a few 3550's - L3 Switches for routing, PVLANs?
a couple 2960's - L2 stuff VTP, VLAN, AAA, Port Security
Some 2800's - Not sure if I could get away with 2600's with Adv Security (and maxed memory) for ZBF, CBAC, VPN, etc.
ASA 5510's - Maybe I could get away with a 5505, but since we have lots of customers with ASA 5510's and 5520's, the 5510 should be attainable.
Maybe some 38xx or 39xx routers with various modules... Although I'm sure some 28xx/29xx ISR would be just as good.
Some PIX's and VPN Concentrators (we've got quite a few customers still running these).
Between the ASA, PIX, VPN, and ISR's with Adv Security IOS or higher that should be good enough for the CCNP: Security (and CCNA: Security).
The ISR's and Catalyst switches would be good for anyone wanting to pursue their CCNA, CCNP.
The next question: would I need anything special for the CCIE? (Obviously I'm thinking really long term with this.) What do you guys think?
My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS
Comments
For the CCIP, you can use Dynamips almost exclusively (I did). And with IOU and L2IOU out, you can probably get by running everything virtually. I can't help much with the Security stuff, I know almost nothing about that track.
2 x 3550
2 x 3560
But I think you want ccie-sec right? Check the blueprint.
L3IOU is pretty cool and gives you a lot of flexibility.
L2IOU, at least the version that's in the wild, has..... issues. Getting trunking to work properly is a royal pain in the rear, and I haven't yet been able to do it without it also consuming 100% of the CPU, it thinks there's excessive collisions on the link. It works fine for emulating a shared bus though.
Security: http://s3.www.ine.com/downloads/ine.sc.physical.topology.v5.002.pdf
Voice: http://s3.www.ine.com/downloads/voice_rack_rental_hardware_specifications_v1.2.pdf
R&S: How To Build A CCIE Rack | INE
Our core WAN sites at one job had
2 Junipers
2 3750
1 3845
2 Firewalls
and a few other odds and ends. So we were able to load up any site in the WAN because we kept the gear consistent throughout, and we could build out and test any deployment we wanted and check the results.
CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
Ah, and I missed this. Unfortunately, 3550's can't do PVLAN. Or IPv6. It's one of the few annoyances with the platforms. If you want that, you'll need to step up to 3560's.
Thanks for the lab specs Forsaken!
We've got an ACS server going already, so we should be set on that. Of course we may just set up a second one dedicated to the lab (probably the best idea).
The 28xx/38xx might be overkill for a lab, but those are the primary devices we have at many of our customers; that's the only reason I threw them in.
My long term is going to be:
CCIP, CCDP, CCNP: Sec, CCIE: ???...
The order might change. I've got a lot more experience with ASA than I do with BGP/MPLS, but with all the work I've been doing with BGP/MPLS lately I feel my time would be better spent learning BGP/MPLS than trying to work toward a subject I am already familiar with (CCNP: Sec). Of course IPS is going to be a tough topic; I've only worked with Cisco IOS IPS and not a dedicated IPS appliance... but that's a discussion for the future.