CCIE Security it is then!

Although I am still on a bit of a high after passing my first CCIE, I am now considering which CCIE to do next. Each CCIE expires after two years, and as it took me two years to get this one, I can’t afford to sit around for too long. In my previous post I laid out the pros and cons of the CCIE Service Provider and CCIE Security tracks.
I was in two minds: one seemed a logical continuation, the other was a logical move to something more pertinent to my role. But which to choose, ease or sense? A couple of you guys helped out, which helped the sense part kick in.

So the next certification I am planning to get is the CCIE Security.

It makes sense. I spend most of my time at work on ASA firewalls, so already that has lessened the learning curve – still a lot of learning to do, but it’s certainly easier than say Wireless.

I have been thinking of how to plan this, and so far the idea is:

Watch the INE training videos. There are two courses, both in excess of 60 hours each. There is probably some overlap between the two, but I’ll watch them both anyway.

Do the INE courses. There are seven sections, and then five full-scale labs.

Read some books. Read some more books, lab things up, practice and practice.

Take the written.

Take the lab.

I am not attaching any timelines to this, barring the fact that, at the very least, the written needs to be done before my current CCIE expires.

I also still want to finish the Multicast and QoS book that I have started to write, so that’ll take a couple of months.

I also need to set up my “lab”, which will be a mixture of UNetLab and physical equipment.

UNetLab as a base for CCIE Security

I should be able to do the majority of this within UNetLab (UNL).

There are a couple of bits that won’t be doable in UNL, and that is the IP phone, and the Lightweight Access Point (LAP).

I have started to build the topology, using Arista vEOS switches in order that the port number be as similar as possible. But it looks a little like this at the moment:

[Image: CCIE Security v4 on UNetLab]

I still need to add in the ISE1, ISE2, ACS2 and Windows 2008 servers – but, in theory, these should run happily within Qemu; if not, then they can be run as ESXi images and UNL will connect happily to them. The issue is going to be the memory requirements.

CCIE Security hardware requirements

So far this is what I need to be running (going by the INE topology):

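| Device | Quantity | Memory (GB) | Total Memory (GB) |
|---|---|---|---|
| Switches | 6 | 1 | 6 |
| Routers | 7 | 0.5 | 3.5 |
| ASA (8.x) | 2 | 0.256 | 0.5 |
| ASAv | 2 | 2 | 4 |
| IPS | 1 | 2 | 2 |
| vWLC | 1 | 2 | 3 |
| WSA | 1 | 4 | 4 |
| ACS | 2 | 2 | 4 |
| ISE | 2 | 2 | 4 |
| Windows 2008 Server | 2 | 4 | 8 |
| Windows 7 PC | 1 | 2 | 2 |
| Total | | | 40 |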

Some are rough estimates, but if I want to run it all it’ll be around 40Gb of memory that will be needed.

This is more memory than I currently have in my ESXi server.

So that means I have some hardware requirements.

I am OK for physical switches, I have a 3750, some 3650, and some 3550s. I only really need one or two of these for the physical connections.

I need to get:

1x Cisco 7900 series IP phone (Approx £50).
1x Cisco Aironet AP (about £50).
Big-ass server/desktop to run ESXi on. There are a couple of good ones on the bay, a Dell 48Gb memory dual hexa-core one for £650 (or a 144Gb one for £1400!), or some HP ones, but with those I’d need to buy the memory separately, which could quickly bump up the price.

It’ll be about £800 for everything. I’ll start getting the bits together after my holiday next week.

Now it’s time to play with Qemu a bit, and see what will run within UNL.

Also – in the last post, I said that I might throw in a prize. Well, Bernd, can you drop me an email? There’s a £50 Amazon voucher (or your preferred currency equivalent) for you.

