Achieving a Security CCIE certification is a big deal, and many people often ask for the “secret” to successfully passing the lab and becoming a Security CCIE. If you are considering a CCIE, or working towards one now, this document is written for you.
The acronym for the successful candidate is: A.B.L.E.
Assess your current level of knowledge regarding each and every topic and sub-topic from the CCIE Security blueprint, available on Cisco’s web site. Honestly rate your skills and knowledge for each topic on a scale from 1 to 5. A rank of “1” would mean that the concept is new or that your knowledge of that subject is very limited. A rank of “5” would mean that you are at the level of doing advanced configuration and troubleshooting, with no assistance from outside sources or documentation. This “CCIE Security Checklist” will serve as a baseline to track your studies, and assist you in covering all the topics. It is often a temptation to jump to lab configurations without understanding the technology. Remember that as you take the time now to learn the technology, you will save time later in configuration and troubleshooting. Before attempting the lab, a person should be at a 4+ on virtually every topic on the blueprint.
Believe in your ability to learn the topics and pass the lab, with the emphasis on learning the technology. No matter how many lab scenarios a person looks at, they will not be successful in the live lab unless they have learned the technology and how to implement and troubleshoot it at an advanced level. Don’t cheat yourself by “hoping” you won’t get a specific topic on the lab; prepare for all topics. You can do it.
Long-term planning is essential for the preparation for the lab. Using the assessment with the CCIE Security Checklist you created earlier, identify the areas that you want to focus on, and then set up a plan that includes which days of the week you will study, and how many hours on those days. Before the study time arrives, lay out a plan of the topics and have the study material, labs, videos and other resources you will use ready to go, so that you may hit the ground running during your study time. Use the assessment worksheet before and after each study session to track where you are in the topics you are studying. Realistically, a successful candidate should set out a study plan that begins with the CCSP level of knowledge and skills, and then adds further study and lab work. Approximately 400 hours of lab practice using live or simulated gear are going to be needed, and at least that again in study time. So if a person said they were going to dedicate 4 hours a day, 3 times a week (12 hours a week), they should put together a plan that would last between 12 and 24 months. As you study, update the CCIE Security Checklist with your personal ranking of each topic. If you end up mastering each topic ahead of schedule, your time frame may be less than originally planned. The goal should be to really learn the technology in each area of the blueprint. Finding a study-buddy can also be of value, along with sharing with friends what your commitments are regarding study time. There are several online communities, including www.IEOC.com, where members assist other members.
Enjoy the process. There is a lot to learn, and it will serve you to tackle new topics with the attitude of “I get to learn this” instead of “I have to learn this”. Keep it fun, and light. Also realize that you will NEVER know everything, and what you have learned, you may discover can be improved on. Enjoying the journey involves being honest about your current level and always taking that knowledge up another notch every time you study. Cramming the week or so before the lab is not usually a good strategy. By using your study schedule, and really learning as you go along, you will find that many technologies dovetail into others, and you will become faster at learning, configuring and troubleshooting.
Before we take a look at the recommended reading, and what products should be used, I want to make sure that we are all on the same page. Before preparation for the CCIE Security, you should have at least a CCSP level of knowledge and/or experience first. You would also want a solid knowledge of routing and switching to succeed in CCIE Security. If you are not at a CCSP level yet, INE offers an online CCNA Security as well as CCSP class. Please be aware that Cisco’s CCSP certification requires knowledge of the Security Device Manager (SDM) GUI for routers, and the Adaptive Security Device Manager (ASDM) GUI for the ASA. The 10 day CCSP class includes the command line interface (CLI), as well as both the GUIs for ASDM and SDM because the CCSP requires it. The GUI for SDM and ASDM is not allowed nor covered in the Security CCIE lab, so that portion of the CCSP class will be nice to know, but not required for CCIE level certification. One of our product specialists can assist you with additional recommendations as well, should you need more information.
For Security CCIE candidates, I recommend the following books for reading and reference:
CCIE Professional Development Series Network Security Technologies and Solutions
By: Yusuf Bhaiji
Publisher: Cisco Press
Pub. Date: March 20, 2008
Print ISBN-10: 1-58705-246-6
Print ISBN-13: 978-1-58705-246-0
CCIE Security v3.0 Configuration Practice Labs, Second Edition
By: Yusuf Bhaiji
Publisher: Cisco Press
Pub. Date: November 04, 2009
Print ISBN-10: 1-58714-026-8
Print ISBN-13: 978-1-58714-026-0
Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, Second Edition
By: Jazib Frahim - CCIE No. 5459; Omar Santos
Publisher: Cisco Press
Pub. Date: December 29, 2009
Print ISBN-10: 1-58705-819-7
Print ISBN-13: 978-1-58705-819-6
Learning the Technologies and Topics Covered in the Security CCIE Lab Exam
CCIE Security Class on Demand (CoD) v5 (for CCIE Security Blueprint 3)
Use the ATCoD as a means of learning the details for the technologies. Schedule your study time to focus on a specific topic, and perhaps use part of the time for the CoD, and part of the same study period for reading. I would recommend no more than 45 minutes to an hour per session. Mix it up, keep it fun and you will learn at a greater rate.
CCIE Security Lab Workbook Volume I (for CCIE Security Blueprint 3)
Use the technology labs as a means to get an understanding of the implementation for any technologies or features you are not familiar with. These labs are not meant to be done as a whole but more as a way to fill in any gaps in your knowledge base. They are broken out into sections that correspond to the blueprint. You should use this workbook and its labs to move your expertise ranking on the assessment you did earlier, making sure you are at least a level 3 or higher on all topics.
Treat these more as warm-up labs than as true practice labs. What is meant by "warm-up" is to use these labs to get familiar and comfortable with all the technologies. Ensure that you gain the knowledge and experience that is conveyed in these labs, and do not worry about a pass or fail at this point. Use online documentation and reference material as you go through these.
CCIE Security Lab Workbook Volume II (for CCIE Security Blueprint 3)
Using volume I as a foundation, volume II includes 10 labs that collectively test your ability to read and interpret the tasks, and implement the correct solution. These labs are not intended to be completed within 8 hours each, and several different study sessions may be required to master all of the tasks contained in a single lab.
The goal for this part of your journey is to solidify your knowledge while at the same time expanding your knowledge by hands on practice. It is important that you have the knowledge discussed earlier before these Volume II labs, as you will have a much harder time with the labs and will not receive the full benefit of them without it.
You want to be able to do the vast majority of these labs without relying on the online Cisco documentation too much at this point. Ideally you are only using it to verify command options and not using it to help solve a task. If you have to reference the online documentation for most of the tasks in the labs you may need to step back and reevaluate if you are ready to continue on. There is no shame in stepping back. You are far better off stepping back and going back over the technologies and topics than you are going forward and failing the real lab.
At this point you are roughly two-thirds of the way to being ready for the real lab and you should start feeling more comfortable doing these practice labs. You will want to focus a little on speed. After doing these labs, you may want to switch back to Volume I, it having been several weeks since you did them, and see if you can do all the tasks, but this time without use of the solutions or online documentation.
Switch over and do labs 6 through 9 of Lab Workbook Volume II. You want to focus on speed with your configuration and verification skills along with minimizing any simple mistakes (applying configuration to the wrong device, filtering on the wrong interface, etc). Remember to "test as you build".
CCIE Security Lab 5 day Live Bootcamp (for CCIE Security Blueprint 3)
Ideally, after going through the Class on Demand (CoD) and Vol I-II, and between 2 and 6 weeks from your actual lab date, the live bootcamp provides incredible value, with new lab content not available anywhere else, and a veteran instructor who will assist in not only identifying weak areas, but helping you turn those into strengths.
Ensuring You Are Ready
Here are some of the more common reasons people have a hard time with a lab:
If you failed because of number 1, you definitely should step back and fill in the gaps you have in your knowledge. Every time we teach a class we learn something new so I can pretty much guarantee that if you watch the CoD or attend the class again you will benefit from it. Remember that we do not require you to fail the real lab before you can audit our classes again.
If you had problems with number 2 it could be a couple of issues. First off, you may not understand the technologies and topics enough to grasp the wording of the tasks. If you understand the technologies and topics you should be able to complete the task. Secondly, you may be "overthinking" the tasks. Do what the task is asking and nothing more. Do not try to apply real world logic or design to the task. Also don't add in "what if's", meaning do not worry about "what if" this router goes down or "what if" the Frame Relay circuit is down. If the proctors are looking for redundancy to be taken into consideration they will ask for it.
The little mistakes get many people (forgetting to no shut an interface, etc). As you become more of an "expert" you will make fewer mistakes and solve the ones that you do make quickly. You will always make little mistakes as it's just human nature, but with experience you will be better at finding and fixing your own mistakes. For many people that fail the lab it's the little mistakes that get them into some big problems.
Lastly, number four is just going to boil down to getting the hands-on practice needed to be good at doing these labs. No tips, tricks, or braindumps can substitute for the hands-on experience you will need with the routers, switches, ASAs, IPS and the ACS to pass the real lab exam.
The online community at www.IEOC.com and our entire staff are willing and ready to assist you in achieving your CCIE.
Good Luck!