Goal of This Lab
This lab should assist you in your final preparation for the CCIE Security lab exam.
Sample solutions are provided here, but you need to research other various solutions on your own. Feel free to modify the questions to suit any design scenario and discover new IOS commands by using the Cisco Universe CD-ROM. This lab is not the only tool you should use; rather, it is provided here to demonstrate the minimum level of difficulty you will encounter when attempting the CCIE Security lab exam.
This lab builds on the sample Routing and Switching labs presented in Appendixes C and D. This is intentional because the CCIE Security lab exam builds on your routing skills and requires you to build a secure IP network. The CCIE Security lab exam is a difficult exam because the routing and switching topics are assumed knowledge. You can think of the CCIE Security lab exam as two lab exams built into one difficult security exam.
The end goal of any CCIE lab is a working solution, although you might be restricted by certain parameters. Candidates often ask me how best to prepare for the CCIE Security lab exam. My answer is to practice and configure every feature available and then practice some more. Of course, not every feature will be tested, and you are encouraged to read the most up-to-date information at http://www.cisco.com/en/US/learning/le3/ccie/security/index.html for the latest information regarding the CCIE Security certification. In particular, always look for new details on new Cisco IOS technologies and hardware.
Note
The CCIE Security lab doesn't require you to configure any Token Ring devices or Token Ring interfaces, nor any non-IP protocols, such as IPX or DLSW.
Effective November 4, 2002, CCIE labs worldwide employ Catalyst 3550 with Cisco IOS v12.1 using the Enhanced Multilayer Image.
CCIE Security Self-Study Lab Part I Goals
The goal of Part I of this sample lab is to ensure that you provide a working IP network solution quickly and adhere to the guidelines given. You should take no longer than 4 hours to complete Part I. Starting in October 2004, the CCIE Security lab exam has some of the basic Frame Relay and routing protocols already configured, to allow candidates more time on security features. The following is a list of technology topics now preconfigured for the lab candidate:
1. Bridging and switching
2. Basic Frame Relay configuration
3. Catalyst VLAN configuration
4. Catalyst VTP configuration
5. Port-VLAN assignments
6. Basic ATM configuration
7. IGP routing
8. OSPF, EIGRP, and RIP configurations
9. BGP
10. Basic IBGP, EBGP, and BGP backbone configurations
This section is preserved, however, to allow readers to appreciate the level of expertise required in this most difficult CCIE certification track.
CCIE Security Self-Study Lab Part II Goals
Part II builds on the working IP network and requires security features such as IPSec and PIX. RIP routing is also required. You will also notice the addition of an IDS sensor. Expect to be tested on IDS sensors and the VPN Concentrator in the lab exam. You are likely to be asked to configure both devices. Part II of this lab does not include the VPN Concentrator, however. Review the additional advanced topics questions for possible exam scenarios for the VPN Concentrator. You should take no longer than 4 hours to complete Part II.
For more sample labs and detailed security lab study, consider the following Cisco Press publications (www.ciscopress.com):
1. CCIE Security Practice Labs (ISBN: 1-58705-134-6)
2. CCIE Practical Studies: Security (ISBN: 1-58705-110-9)
Sample solutions are provided here, but you need to research other various solutions on your own. Feel free to modify the questions to suit any design scenario and discover new IOS commands by using the Cisco Universe CD-ROM. This lab is not the only tool you should use; rather, it is provided here to demonstrate the minimum level of difficulty you will encounter when attempting the CCIE Security lab exam.
This lab builds on the sample Routing and Switching labs presented in Appendixes C and D. This is intentional because the CCIE Security lab exam builds on your routing skills and requires you to build a secure IP network. The CCIE Security lab exam is a difficult exam because the routing and switching topics are assumed knowledge. You can think of the CCIE Security lab exam as two lab exams built into one difficult security exam.
The end goal of any CCIE lab is a working solution, although you might be restricted by certain parameters. Candidates often ask me how best to prepare for the CCIE Security lab exam. My answer is to practice and configure every feature available and then practice some more. Of course, not every feature will be tested, and you are encouraged to read the most up-to-date information at http://www.cisco.com/en/US/learning/le3/ccie/security/index.html for the latest information regarding the CCIE Security certification. In particular, always look for new details on new Cisco IOS technologies and hardware.
Note
The CCIE Security lab doesn't require you to configure any Token Ring devices or Token Ring interfaces, nor any non-IP protocols, such as IPX or DLSW.
Effective November 4, 2002, CCIE labs worldwide employ Catalyst 3550 with Cisco IOS v12.1 using the Enhanced Multilayer Image.
CCIE Security Self-Study Lab Part I Goals
The goal of Part I of this sample lab is to ensure that you provide a working IP network solution quickly and adhere to the guidelines given. You should take no longer than 4 hours to complete Part I. Starting in October 2004, the CCIE Security lab exam has some of the basic Frame Relay and routing protocols already configured, to allow candidates more time on security features. The following is a list of technology topics now preconfigured for the lab candidate:
1. Bridging and switching
2. Basic Frame Relay configuration
3. Catalyst VLAN configuration
4. Catalyst VTP configuration
5. Port-VLAN assignments
6. Basic ATM configuration
7. IGP routing
8. OSPF, EIGRP, and RIP configurations
9. BGP
10. Basic IBGP, EBGP, and BGP backbone configurations
This section is preserved, however, to allow readers to appreciate the level of expertise required in this most difficult CCIE certification track.
CCIE Security Self-Study Lab Part II Goals
Part II builds on the working IP network and requires security features such as IPSec and PIX. RIP routing is also required. You will also notice the addition of an IDS sensor. Expect to be tested on IDS sensors and the VPN Concentrator in the lab exam. You are likely to be asked to configure both devices. Part II of this lab does not include the VPN Concentrator, however. Review the additional advanced topics questions for possible exam scenarios for the VPN Concentrator. You should take no longer than 4 hours to complete Part II.
For more sample labs and detailed security lab study, consider the following Cisco Press publications (www.ciscopress.com):
1. CCIE Security Practice Labs (ISBN: 1-58705-134-6)
2. CCIE Practical Studies: Security (ISBN: 1-58705-110-9)
