My study lab: 5505 with IPS?

docrice Member Posts: 1,706 ■■■■■■■■■■
I posted this over in the Cisco Learning Network CCSP forums but there's usually not much activity there, so I thought I'd mirror the post here:

...

I currently have an old 1700 series router between my ISP and home network. While I can greatly expand my home environment using open source alternatives, I figure I can equip myself with something more branded / "legitimate" (from a corporate professional's point of view) and get a 5505, 50-user license, and possibly an IPS for the ASA. I probably won't get a Security Plus license for the 642-524 and maybe consider renting a rack to do more complex scenarios which I presume will be in the 642-515 exam. This equipment will be for more than just CCSP studies - I'll incorporate it as permanent pieces in my network so I don't mind some initial investment costs (because I apparently have no life beyond this anyway).

Would the IPS (SSC-5) module be sufficient for the 642-533 exam? If not, I'll just go run Snort because I probably won't be able to justify a dedicated IPS appliance.

Would the ASA without the Security Plus license cover most of the 642-524 requirements?
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/

Comments

  • tiersten Member Posts: 4,505
    The base license 5505 has quite a few limitations and if you're going to be using it for CCSP then you're going to want the Security Plus license and even that will have quite a few limitations.

    If you want an ASA then just get a 5505 with 50 users and the base license. Everything else you do rack rental. The SSC IPS is significantly more expensive than the 5505 so it isn't worth it IMO.

    However, if you really want to have a good CCSP lab then get a 5510 + SecPlus.
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    I guess the question really comes down to, "How much can I wing it with just the base license?" The IPS is damn expensive for sure (over a thousand), but it might be nice to have, even though it's feature-limited compared to the versions available for the other ASA models. Could one actually prep for the 642-533 using just rack rentals?

    The 5510 is nice, but much more expensive and ups the electricity bill a lot. The ASA I'm going to buy will be online full-time. I entertained the thought of a Security Plus license ... but started wondering if my training budget couldn't be better used elsewhere.
  • QHalo Member Posts: 1,488
    I've done some cost comparisons regarding purchasing the ASA's needed for CCSP and rack rental is the way to go. I think when I figured it out, something like 70 sessions @ 5.5 hours a session of rental of the rack was equal to like $860. That's significantly cheaper than buying any of it and 385 hours on the rack. That's getting up to CCIE labbing numbers. And that doesn't cost you the price in electricity. The downside to not buying your own equipment is that you can't resell it and recoup a lot of the cost back when you're done. At those rack rental prices though, you could get an ASA 5505 to futz around with at home and make it your full time firewall AND rent rack time and still come out ahead. The only time I've had issues pondering the cost comparison was if I was going to CCIE immediately after. But even then I think renting a rack is still more cost effective. I'm all for playing with hardware but $2k+ for a 5510 with a Sec plus license and then the cost of an IPS device kind of kills building a home lab.
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    I kind of see where you're coming from. However, there's a certain appeal of having your own personal equipment. The possibility exists that even after I (hopefully) get my CCSP, I may not get to handle an ASA device for quite some time although in my current job I manage a PIX 515e (via SSH though, not via ASDM). It's comforting to have continuous practical hands-on away from work, that way my skills don't erode. I actually did manage a 5505 at one point, but I handed it to another department due to business need.

    On a side note, the way these things are licensed irks me. The base 10-user license is annoying since I build and tear down VMs at home all the time. At any given moment, I may have more than ten accessing the outside. I thought about having a second internal NAT point to reduce the "user" count that the ASA sees, but then the home network starts becoming unnecessarily complex. Cisco has to make money though, so I understand...
  • JSK Member Posts: 166
    What CCSP rack rentals are you guys looking at? I'm getting close to taking my CCNA:S and now starting to think ahead. I've been doing some basic googling trying to find rental options. Not sure I want to commit to 5 hour blocks. My usual lab sessions are only 60-90 minutes.
  • QHalo Member Posts: 1,488
    docrice wrote: »
    I kind of see where you're coming from. However, there's a certain appeal of having your own personal equipment. The possibility exists that even after I (hopefully) get my CCSP, I may not get to handle an ASA device for quite some time although in my current job I manage a PIX 515e (via SSH though, not via ASDM). It's comforting to have continuous practical hands-on away from work, that way my skills don't erode. I actually did manage a 5505 at one point, but I handed it to another department due to business need.

    On a side note, the way these things are licensed irks me. The base 10-user license is annoying since I build and tear down VMs at home all the time. At any given moment, I may have more than ten accessing the outside. I thought about having a second internal NAT point to reduce the "user" count that the ASA sees, but then the home network starts becoming unnecessarily complex. Cisco has to make money though, so I understand...

    I'm all for the appeal of having equipment. Lord knows I have a rack of routers sitting right next to me right now. If you have the means, then by all means buy what you need. You could even buy as much as possible and then rack rent the rest of the way for stuff you don't have. There's really a few different possibilities of ways to do it. I'm not a single guy, but I don't have kids either. I have a new mortgage and school to pay for so some things have to be done cost effectively.

    As far as JSK's question, I have all of INE's security materials from NA to IE Sec V3.0 paid for by my boss (thanks bossman!) so I've looked at Graded Labs racks. The CCNA Security stuff I've been doing through Dynamips because you can run everything you need for that test using that except the layer 2 security which I have 2950's for. But rack rentals are going to take me through CCSP unless I can talk our security guy into helping me out with a couple ASA's.
  • tiersten Member Posts: 4,505
    QHalo wrote: »
    Here is a link to get you started. ASA Project
    It appears to be bundling modified ASA firmware images inside the ISOs and disk images which is a tad illegal...
  • QHalo Member Posts: 1,488
    I removed the link as I can see the legality issue. My apologies.
  • god_of_thunder Member Posts: 21 ■□□□□□□□□□
    Rack rentals seem to be way cheaper than buying the devices. Proctorlabs was offering BOGO on their sessions making the cost of one 7hr45min session just 12.5$.
    Even if you bought 100 sessions like this, it would cost you just 1250$ for enough rack to study for a CCIE.
    The only downside I see to this is that we can't always have a session at a time convenient to us.
    Get JNCIA-Junos by Dec 31st.
    Then pursue the loftiest goal ever.
  • QHalo Member Posts: 1,488
    Yeah and the rack rentals may be more expensive if you use them on the weekends during peak studying times. Pay attention to that and always check the calendar times they put on their sites.
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    Thanks for the tips. I went ahead and got a used 5505 with an unlimited-user license for a pretty sweet deal. I might opt out from the IPS module, unless I hear otherwise.

    Some people are happy with their iPhones, big screen TVs, and cars. I have networking appliances. (How lame does that sound?)