Creating a CCIE Security study plan

It’s always a good idea to have a structured study plan. I did this with my Routing and Switching CCIE, managing to stick to it (roughly). So it makes sense to do one for this as well.

My study plan, in it’s most general sense is to:

Build up a fully working lab, bit by bit.
Use the INE videos to build up this knowledge as I go.
Read the books for the various sections.

Lab it up!

The lab will be based around UNL, and the topology will be based on the same one used by INE. So that when I come to do their full labs, it will all be set up and all the kinks will be worked out. The topology is in my first post about the CCIE Security, but I will re-post it here to make life easier:

Cisco CCIE Security study plan

Sounds very broad, doesn’t it. So let’s break it down to a proper study plan, starting with the things that are new to me. Where I mention ATC, this is the INE Advanced Technology Class (

17-point study plan

1: Set up TestPC-B, Switch 2 and Switch 6. This will give me access to WSA1
2: WSA :-

3: Set up Switch 1 & Switch 3, giving access to ISE1 and ISE2 (Not pictured – need to complete topology)
4: ISE :-

5: Set up Switch 2 and Switch 4 – giving access to ACS1 and ACS2.
6: ACS :-

7: Set up ASAs – Now the fun really starts! I should be in a good position now to start opening up the network. We are ready to authenticate through ACS/ISE and WSA, and are working from an inside-out fashion, rather than outside-in.

8: VPNs

9: IPS

10: Hardening and availability

  • Watch: INE ATC
  • Read: Designing Network Security
  • Do: Set up hardened services on routers
  • Covering: Section 1: System Hardening and Availability

11: Wireless stuff

  • Watch: INE ATC
  • Read: Cisco Wireless LAN Security
  • Do: Set up Wireless components – vWLC, an AP, a wi-fi client
  • Covering: Section 6: Confidentiality and Secure Access

12: Miscellaneous other stuff – need to cover section 2: Threat Identification and Mitigation

13: IPv4 and IPv6 routing protocol security. Although it’s not stated, explicitly, section 1.1 does refer to IGP authentication, so with the aid of part 8 (VPNs), we can add on some IGPs and EGPs.

  • Do: Implement IGPs and set up authentication.

By this stage I should have gone back and forward, as the network expands, adding and building on to WSA, ISE and ACS knowledge. As I go through the topology I will be changing it, and then when complete, it will be published, definitely here, probably on the UNL site as well. Then we get to the final stages.

14: Do written exam
15: Practice – do INE Security workbooks and full-scale labs.
16: Lab – take the lab exam.
17: Profit? Re-take lab exam? Who knows!

I am not attaching any timelines to this at the moment, though. I’ll start doing that closer to the end.

What do you reckon? A workable study plan? Missing anything?