CCNP Exam Order

I'm on CCNP Security journey.

So since we have 4 exams on CCNP Security, what is the order to take them?
I want to do the easiest first.

I hear FIREWALL the easiest? Then VPN, IPS, and SECURE?

I've heard SECURE is worsened by a poorly written OCG?

Thanks.

Find more posts tagged with

Comments

alan2308

In another thread, I was recommended FIREWALL, VPN, SECURE, IPS.

sendalot

alan2308 wrote: »

In another thread, I was recommended FIREWALL, VPN, SECURE, IPS.

So we all agree, FIREWALL is the 1st?

theodoxa

I haven't taken any exams yet (finishing up my CCNA: Security), but I would probably do IPS last since I have never worked with an IPS. I've worked with all the other technologies (ASA, ZBFW, NAT, VPN).

RouteMyPacket

It depends, how much experience do you have with ASA's, VPN's, IPS's and dot1x?

I would recommend FIREWALL->SECURE->VPN->IPS and going SECURE->FIREWALL->VPN->IPS would be even better

SECURE was a beast of an exam, if I hadn't worked with ISE/dot1x over the last couple of years it would have been even more intense. SECURE will cover dot1x, DMVPN, GRE, IPsec and various other awesome topics.

sendalot

Lots of ASA & VPN. But none of IPS & Dot1x.
I'll think about other things after passing FIREWALL first.

SteveO86

Then I'd tackle those two first. Since you are most familiar with them. (ASA/VPN)

After that I'd go for whichever one you are more exited about. IPS & SECURE are completely different (with the exception of IOS IPS but that could be a good primer for IPS?)

I knocked out FIREWALL a long time ago, and really need to buckle down and finish off my CCNP:Sec.. Thinking I might tackle IPS mid-Jan. After all I've had a decent amount of IPS/VPN/ASA work these last two months.

sendalot

Could you explain which equipment you have used? If ASA, the model and the license you have for it?
(That helped you pass FIREWALL, of course).
Thanks.

SteveO86

To lab all the objectives you'll need at least a 5510 with a security plus license.

A 5505 with security plus only goes so far since it can't do contexts on 5505. I believe you can use GNS3 to run the ASA's nowadays. So you might not have to buy actual hardware. 5505's/5510's are still pretty expensive on eBary 300/400+.

I've had to deal with ASA's for years so I didn't spend a huge amount of time labbing.

wintermute000

The only thing that a 5505 can't do is contexts / HA and you can simulate enough ASA5520 in GNS3 to do it. google around.
I found GNS3 flaky, but all I used it for was contexts and HA. 5505 did the rest and frankly you can pass easily even with just 'theoretical' knowledge of contexts (TBH I've forgottne it already, not having done much ASA work since!!! Sure it will come back pretty quick if I glance the doco).

theodoxa

SteveO86 wrote: »

To lab all the objectives you'll need at least a 5510 with a security plus license.

A 5505 with security plus only goes so far since it can't do contexts on 5505. I believe you can use GNS3 to run the ASA's nowadays. So you might not have to buy actual hardware. 5505's/5510's are still pretty expensive on eBary 300/400+.

I've had to deal with ASA's for years so I didn't spend a huge amount of time labbing.

I bought my personal 5505 on Amazon for not that much more than what they sell for on eBay. It came brand new sealed in the box with all the original cables, documentation, and software (ASA OS, ASDM, VPN Client, Anyconnect Client, etc...)

theodoxa

wintermute000 wrote: »

The only thing that a 5505 can't do is contexts / HA and you can simulate enough ASA5520 in GNS3 to do it. google around.
I found GNS3 flaky, but all I used it for was contexts and HA. 5505 did the rest and frankly you can pass easily even with just 'theoretical' knowledge of contexts (TBH I've forgottne it already, not having done much ASA work since!!! Sure it will come back pretty quick if I glance the doco).

Is there a tutorial somewhere as to how to set a 5520 up in GNS3? I tried [using one of the ASA bin files], but it also wants [in addition to the kernel - I assume this is the .bin file] the location of an initrd file (Linux???) that I have no idea where to get.

alan2308

Right here:7200emu.hacki.at :: View topic - ASA 8.4(2) on QEMU