Cracking CCIE Security Lab
By Himawan Nugroho, CCIE #8171 (R&S, Security)
Two weeks ago I passed my CCIE Security lab. It was my 2nd attempt in Brussels. I passed my CCIE Routing & Switching lab 5 years ago in Tokyo on 2nd attempt too. I become double CCIE in R&S and Security without taking any trainings or bootcamp. Only with self-study, countless hours in my home lab, and lots of Starbucks Mocca Frappucino.
Based on my experience taking 4 lab attempts, I try to write down the summary how I did it. This how-to is specific to CCIE Security lab, but the general idea can be applied to any CCIE tracks.
Scott Morris, Quad CCIE, wrote the article ‘So You Want To Be a CCIE?’ and it’s really worth reading. Yusuf Bhaiji, CCIE Security lab program manager and the author of CCIE Security Practice Labs wrote ‘Insider’s Tips on Earning Your CCIE in Security’ in Packet Magazine August 2004 page 18.
I’m not trying to compete with them. They are the masters. I’m just another guy who has just passed CCIE lab recently and willing to share his way.
So here it is, my version of Cracking CCIE Lab:
1. Start with the self-assessment
Are you sure you want to do CCIE? As you may already heard: yes, CCIE is difficult, very rare people can pass in 1st attempt. Yes, CCIE is expensive, only the exam fee is $1250 and you still need to spend money to buildhome lab, buy books and workbooks and other resources. And yes, you certainly will not have your social life during the journey.
But if you really want to do it, if you really want to distinguish yourself and stand out from the crowd, I suggest you to do self-assessment as the first step.
Read CCIE lab blueprint. For Security lab, it’s on here.
CCIE blueprint will tell you the coverage of the lab and areas you need to focus on during your study. Then ask your self: are you familiar with those technology listed in the blueprint? If you have 4-5 years experience working in Cisco partner deploying Cisco security solutions on the field, you should know at least 60 to 70% of the blueprint easily. Then you just need to study for the rest 30%.
But even you don’t have much experience and feel completely lost reading the blueprint, CCIE lab is still achievable. Continue reading.
2. Use other certification as steeping stone
This is optional if you think you need some help for your study. Cisco has created certification career from basic, medium to expert level, which is CCIE.
Read the complete information here.
For CCIE Routing & Switching, CCNP can help you to learn routing, switching, Remote Access technology and troubleshooting skill.
For CCIE Security, you must learn Cisco security technology and you still need to deal with some Routing and Switching because the network in your lab must be built first before you can secure it.
So to learn Firewall, VPN, IDS and Router security at a time, you can use CCSP certification.
And to learn Routing, I recommend to take CCIP.
Why CCIP? Because in CCIP, you will learn about IGP Routing and BGP in advance. And you will learn Quality of Service. QOS is important because there are lots of attack mitigation techniques can be done using QOS. For example, instead of dropping ICMP flood traffic we can just limit the bandwidth, so we still can have legitimate ICMP traffic.
The MPLS exam is not important so you can either skip it or just take it and become CCIP.
Most of the switching part in Security lab is pre-configured. So you can just start by learning the security technology in Cisco 3550 switch. That should be enough for switching part. And this is one of the reasons why I don’t recommend CCNP for CCIE Security lab but CCIP instead.
Taking those certifications give you benefit to learn specific technology at a time and even you are not a CCIE yet, at least you will achieve CCSP and CCIP. Something is better than nothing.
3. Build your home lab
I believe having a home lab is compulsory. You can always rent a rack but you will have a fix schedule with them. With home lab you are the one who controls the schedule. And you can always try in your home lab directly every time you read something interesting or you just want to test the option in some IOS commands.
If you have tight budget, at least you should have few routers at home.
My recommendation for minimum home lab: 5 routers and 1 switch.
The cheapest routers that you still can use for CCIE lab is 2610 series.
They can run IOS Firewall natively and if it’s required you can boot Enterprise software for 2600 XM series with this trick.
You can find Cisco 2610 with less than $200 on eBay.
Don’t go to 2611 or 2620 since they only offer more interfaces or Fast Ethernet but they still run exactly the same software with 2610. You don’t need Fast Ethernet for sure and you can always create trunk to have multiple interfaces.
Buy 1 Cisco 2522 or 2523 as Frame-relay switch. Obviously you need WIC-1T modules and V35 back-to-back cables. Cisco 3550 switch, the one currently in CCIE Lab, is expensive so you can replace it with 2950 model. Cisco 2950 can’t runrouting and all enhance Layer 3 features, but you still can test those with rental lab.
For Security lab, you must have a PIX firewall. Either the smallest series, 506E, or franken PIX.
With 506E you have only 2 interfaces but again, you can make them as trunk to have multiple interfaces.
If you have option to buy either VPN concentrator or IDS, get the VPN.
Or you can rent a rack for several hours only to practice both of them.
So, with 4 Cisco 2610 routers, 1 Cisco 2522 FR switch, 1 Cisco 2950 (without Giga ports), 1 PIX 506E, and several WIC-1T modules and back-to-back cables, yourhome lab should not cost you more than $2000. And all of these can be sold once you pass.
You still need to spend some money to rent a rack, at least to practice VPN, IDS and 3550 features.
4. Passing written exam doesn’t mean anything
Based on my experience so far, I found out that studying written exam can’t help you much in the lab. Most of the time the material covered in written exam is completely different with the lab.
So until Cisco makes the written exam more related to the lab, I suggest to just pass it, even if you have to cram the material or use some practice test.
My suggestion is to read the written exam book just like CCIE Security Exam Certification Guide and then practice the questions using product like from boson.
With one note: don’t trust the answer from any practice test vendor. Find out the answer by yourself from CCO or Internet and this will accelerated your study. This kind of attitude will help you in the lab later on.
Passing CCIE written doesn’t mean you are a half-CCIE. For me, it doesn’t mean anything in fact. It’s only a pre-requisite exam that you must take before you can register for the lab.
Nothing to be proud of even if you score 100 in written. Last time I took the exam the passing score is only 70. Get 71 to pass and register for your lab. That’s what matters.
5. Read a lot
No single source can make you pass CCIE lab. You really need to read a lot from different resources: Cisco website, RFCs, Networkers, Ciscopress books, study forum, CCIE workbooks and any related links on the Internet.
Following is the list of resource I used during my CCIE Security study:
1. Cisco configuration example and TechNotes
2. Cisco technology support
3. Cisco documentation CD (univercd), which is basically the same with product configuration guide
4. Networkers Online presentation, it costs me 200 bucks but provides complete Networkers 2005 presentation in Las Vegas with sound and slide
5. IETF RFC
6. Ciscopress CCIE Security Exam Certification Guide – H. Benyamin
7. Ciscopress Network Security Principles and Practices – Sadat Malik
8. Ciscopress Cisco ASA and PIX Firewall Handbook – Hucaby
9. Ciscopress Cisco Router Firewall Security – Richard Deal
10. Ciscopress CCIE Security Practice Labs – Yusuf Bhaiji
11. CCIE Security Workbook from Trinetnt
I have other CCIE Security workbooks from IP Expert, Internetwork Expert, 6colabs, Hello Computers, and CCBootcamp.
But during the last 4 months before my exam, I had been focusing only with Trinetnt. As per date, they are the most decent workbook and they cover almost everything in CCIE blueprint.
12. CCIE Lab forum: SecurityIE and trinet forum
Just FYI, I have already passed CCSP, CCIP and I have more than 5 years experience with various Cisco security products before I started my CCIE Security journey.
6. Build your speed
Okay, now it’s time to practice and try all the technology listed in CCIE blueprint in your lab. Start slowly. Learn single topic at a time. Try to really understand all possibilities in one technology before move to different topic.
This is where the CCIE workbooks can really help. Good workbook like the one from Trinet provides minilabs to focus on single topic at a time.
I recommend to start slowly because studying CCIE sometime can be really frustrating. Especially when you stuck with one thing and don’t know where to find the answer. That’s why I against the idea to jump directly to complex lab scenarios. Single step at a time.
Once you get used with the lab flow, try to increase your speed.
Practice, practice, practice.
You need to be fast in the real lab. And there is no other way other than practice.
Keep repeating the same thing until your fingers, not only your brain, memorize how to configure any security technology listed in blueprint.
I use only the best workbooks to practice: Trinet and Bhaiji’s book.
I found out if you can complete 1 Trinet superlabs with less than 3 hours time, than your speed should be fine for real lab.
Obviously when you practice with any workbooks, you must understand why and when you should configure with certain way.
7. Join the community
You can’t win this battle by fighting alone. Join the community to meet other CCIE candidates and study together. I found SecurityIE forum is really helpful. There are a lot of security experts in that forum and the discussion is really depth. The forum archive is priceless.
Trinet forum was active when it was started. I was involved from beginning so I enjoyed my time discussing directly with Khawar Butt, the founder. I can see now there is very less response from Khawar anymore in that forum. But I believe you still can discuss with other CCIE candidates. And try to dig the archive to see whether things you are looking for have been discussed in the past.
If possible, try to create small discussion group. I met some wonderful people from those forum and we decided to study together. It’s always good to have somebody else to verify your weak points.
During my journey, I was really happy just to know that there are several people out there that I can discuss with every time I stuck in my lab at 3 am in the morning.
8. Learn how to ask
Make sure you know how to ask questions, to the study forum and during the real lab. Before you send something to the forum, please make sure to check the archive. Try to test it by yourself in your lab, and when you get stuck, copy the related configuration with show and debug output and send it to forum.
With this way, we can build a healthy discussion and most probably you will get positive answers.
This attitude is important when sitting in the real lab too. During my 2nd attempt, my proctor mentioned something like: “if you have any questions you can ask me, but most probably I will not answer”
So you need to know how to ask question to your proctor. Otherwise he will throw his pity look to you and say: I’m sorry I can’t answer that.
I believe if you know all the technology listed in the blueprint, and you already have this attitude, you should be able to ask smart question to the lab proctor. They are there to clarify the lab questions, and that’s the only thing you should try to get from them: clarification.
By asking the right question for sure.
9. Understand the Lab questions
Speed is critical, but you need to know how to answer too. So when you think you already have the speed, you need to dig each topic in more detail. There is no other way other than try any possible scenarios and read more to understand all technology in-depth. Check all the options from each IOS command, test it, run the debug, compare the result, then move to different technology and do the same thing.
During the real exam, don’t overlook and make assumption. Read the question carefully. And if you don’t understand something, you can ask clarification from the proctor.
Yusuf mentioned in his book that most candidates fail not because they don’t understand the technology, but because lack of understanding the question. Make sure you read his book several times to make sure you understand what he expects from the answer.
10. Trust no one, trust no solution
You should not trust any of your resources until you prove it by yourself.
This is the only attitude that can make you pass.
I found a lot of mistakes in Cisco sample configuration and workbook solution. Even Bhaiji’s book contains several errors. Study forum is good because people try to test something together. But are you sure the solution posted really works?
Why you have to bet, just try it by yourself in your lab.
Every time you see some scenarios and the answers, always ask the questions: What if? Why not using this? How if I modify that?
I like Trinet because the workbook provides general idea of the real lab and makes me really fast. But I don’t just believe their solution. I always tried to answer their scenarios with my own way, and then modified the scenarios, put more requirements and restrictions.
I often ended up with my own scenarios, which are much more difficult from the original.
11. It’s all in your mind
CCIE is completely a mind game. I failed 4 years ago in my 1st CCIE R&S attempt in Brussels because no one told me at that time how difficult CCIE lab was. Everyone I know always told me that the CCIE lab is so difficult that only few selected people who can pass it. And I’m certainly not one of them.
I went to my 1st attempt with this feeling, that I was not ready and CCIE questions would always be one step ahead me. It was 2 days exam and I was able to reach troubleshooting section on 2nd day. But I failed with 5 mark away from the passing grade. I felt terrible but I realized one thing: CCIE lab is achievable. If you have spent a lot of time to prepare, then it’s even possible to pass on your 1st attempt.
For my 2nd attempt in Tokyo 1 month later, I woke up in the morning and told myself in front of the mirror that I would become CCIE that day.
CCIE lab is an exam and the proctors are “only human”. I kept telling myself: there is no spoon.
I was able to keep my sense of humor even in Japan I had to use Japanese version of Windows and keyboard.
One and half hour before the troubleshooting section over, I have already walked out Cisco office with my CCIE number.
Indeed I failed in my 1st Security lab attempt last December. But I failed at that time because I was so confident and overlook several things. I was really sure that I would pass that day and made me forget one basic rule in CCIE lab: this is Cisco exam. They make the lab and they expect me to answer as per their solution.
12. The journey must be fun
In the end, CCIE lab is only an exam. Even it’s Goddamn hard to pass but this journey must be fun. Turn all the pressure as a power.
Use any supports around you: your family, friends, working environment.
Manage your time so even you will not have social life at all but at least you should enjoy it.
And If you fail, do the classic: learn from your mistakes.
Try to know exactly what your mistake is and address it once you go back home.
Never think to stop in the middle, no matter how many times you fail.
I always believe that there are 2 kinds of CCIE candidates out there: one who always makes excuses why they should not do it again and quit, and one who just jumps back into their lab and start debugging their mistake.
The second one will pass eventually and join the elite club of experts. The first one will join the club of losers.
Which one do you want to end up? The choice is yours.