I have had a nagging thought over the last couple of days regarding the CCIE Security topology I will be using to start my studies.
My original plan was to work through the INE workbooks towards the end of the studying, but to use their topology for the studies, from the start right to the end.
This really isn't the best idea. I would be trying to fit my own learning around a pre-defined topology, while at the same time trying to drop my own network into it and build on top of it.
Instead, I should be building my own. So that’s what I will do.
I will still keep to the same devices, but build up something I know I can work with. After all, if you are going to build something, build something you can actually work with.
So, this is what I have come up with:
Now, let’s plan how the network will actually work.
The IP addressing needs to be sorted, but once that is done, then we have a sub-office, the HQ, and a couple of customer sites:
The HQ will run the majority of the equipment, such as the wireless, authentication servers, IPS, and this is where the servers will live. It will provide authentication services to the other site, and to the customers as well. So fully functioning routing is critical (obviously).
As is pretty standard, I’ll be making use of loopback addresses to extend the network out, so that I can run the VPNs across it. There will be a number of different networks, using the loopbacks as the interesting traffic:
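To make the addressing and the loopback-as-interesting-traffic idea concrete, here is an added example (my own code, not part of the original post or of the UNetLab project). It carves a constructed 10.0.0.0/16 supernet into one LAN per site plus a reserved block of /32 loopbacks, and then emits the IOS extended ACL that keys each VPN on the loopback pair of its two peers. The site names, the supernet, the hub-and-spoke default and the ACL names are all assumptions; the post does not state any of them.

```python
"""Added example: plan lab addressing and derive loopback-based
"interesting traffic" ACLs for the site-to-site VPNs.

Everything concrete here (site names, 10.0.0.0/16, ACL names) is a
constructed assumption, not taken from the post."""
import ipaddress
from itertools import combinations

# Constructed site list: the HQ, one sub-office and two customer sites.
SITES = ("HQ", "SubOffice", "CustomerA", "CustomerB")


def plan_addresses(supernet="10.0.0.0/16", sites=SITES, lan_prefix=24):
    """Return {site: {"lan": IPv4Network, "loopback": IPv4Address}}.

    Each site gets one LAN prefix from the front of the supernet; the last
    prefix of the supernet is reserved for /32 loopbacks so that they can
    never collide with a site LAN."""
    net = ipaddress.ip_network(supernet)
    lans = list(net.subnets(new_prefix=lan_prefix))
    # one LAN per site plus one block for the loopbacks
    if len(sites) + 1 > len(lans):
        raise ValueError("supernet too small for %d sites" % len(sites))
    loopbacks = list(lans[-1].hosts())
    return {site: {"lan": lans[i], "loopback": loopbacks[i]}
            for i, site in enumerate(sites)}


def interesting_traffic_acls(plan, hub="HQ"):
    """Return {acl name: [IOS ACL lines]} keying each IPsec tunnel on the
    loopbacks of its two peers rather than on physical interface addresses,
    so the tunnel survives whichever path the underlay routing picks.

    hub="HQ" builds hub-and-spoke tunnels from HQ to every other site;
    hub=None builds a full mesh. Both are assumptions about the lab."""
    if hub is None:
        pairs = list(combinations(plan, 2))
    else:
        pairs = [(hub, site) for site in plan if site != hub]
    acls = {}
    for a, b in pairs:
        name = f"VPN-{a}-{b}"            # constructed ACL naming scheme
        acls[name] = [
            f"ip access-list extended {name}",
            f" permit ip host {plan[a]['loopback']} host {plan[b]['loopback']}",
        ]
    return acls


def check_no_overlap(plan):
    """Defensive sanity check before pushing config: no two LANs may overlap,
    every loopback must be unique, and no loopback may fall inside a LAN."""
    lans = [entry["lan"] for entry in plan.values()]
    for a, b in combinations(lans, 2):
        if a.overlaps(b):
            return False
    loopbacks = [entry["loopback"] for entry in plan.values()]
    if len(set(loopbacks)) != len(loopbacks):
        return False
    return not any(lo in lan for lo in loopbacks for lan in lans)


if __name__ == "__main__":
    plan = plan_addresses()
    assert check_no_overlap(plan)
    for site, entry in plan.items():
        print(f"{site:10} lan={entry['lan']}  loopback={entry['loopback']}")
    for lines in interesting_traffic_acls(plan).values():
        print("\n".join(lines))
```

The mirror ACL on the far end of each tunnel simply swaps the two `host` entries; the check function is there because an overlapping LAN or a loopback that lands inside a site prefix is exactly the kind of mistake that silently breaks crypto-map matching later on.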
I have left out a couple of switches. At the moment I do not see a need to have them in the topology, although this may change later on.
This seems like a much more workable way to study, it’s much cleaner, makes more sense, and doesn’t look like a jumbled mass of equipment. If I want to look at a jumbled mass of wires and routers then I can look at my study instead.
If this does prove a workable CCIE Security topology, then I will post it on the Unetlab.com website for all to use.
Nice setup man. Did you manage to get ASA 8.2 running on UNL to test the old NAT commands (static, nat, global, etc)? Thanks!
Is this legal?
Totally, this is my own topology, not the one you'd get in the lab exam. I wouldn't violate any NDA by posting Cisco's topology here.
So you legally obtained the images of the devices you used in this topology?
Cisco do a wide range of 90 day trials, and it's amazing what you can achieve with a sympathetic account rep.
I'm also preparing for the CCIE Sec, so started with building similar topo (mostly INE based) and think I'm covering almost all the stuff from the INE topo, but just fighting with the WSA as I have read there is no eval license provided by Cisco. And I see you are using WSA inside the UNL. I just supposed I download the virtual S000V image and run it in the ESXi directly …
So may I just ask how you solved the WSA? Thanks a lot.
Ok, I see there is an option to obtain 45-days evaluation/demo license from the official Cisco Licensing Portal 🙂
Hi Tom – it does depend on what CCO abilities you have, otherwise speak to your Cisco rep; some are more helpful than others if they know what it's for – unless you say you want to evaluate it for a potential project 🙂
Hi, please can you list all that is required to set up this topology; if possible, a post on how to set up this topology, resources, and images required. Also, since this is a topology you built yourself to study for the CCIE Security, how do you intend to task yourself with the topology to reflect the blueprint? Are you going to simulate INE tasks using this topology?
Once it's complete and working, then I'll list everything, but it is a work in progress at the moment. The lab, once complete, will be added to UNetLab as part of the official release.
How am I going to task myself? Good question. I am either going to do way too much, or not enough – but it will be backed up by doing the actual INE labs. A lot of the lab will be supposition – the appliance supports this function, so let's try it out. Take the ASA for example: it's got two modes, layer 2 (transparent) or routed – so that's two things to do, then we can add on contexts, failover, etc. etc.
It'll be interesting to see how it works out!
Thanks for the reply… I am in the middle of starting the CCIE Security journey too, and trying to figure out what lab to use to study. I intend to use UNL to study and thank God the new release supports ACS and ISE. Also WSA and ASA are all supported. My concern is how to make the physical topology. I can see we will need an Access Point and an IP Phone. My concern is how these physical gear will connect to my lab, which is virtual on UNL (ASA, vASA, vWLC, ISE, ACS, WSA, IPS, Routers, Switch).
Your topology doesn't seem to have an AP & IP Phone.
Oh! I can see an IP Phone in your topology, also SW3-LAP (I assume it's an Access Point). Will you update your topology now that UNL supports ACS and ISE? Your topology looks more real-life, especially with the idea of the HQ and MPLS at the HQ, although I haven't really checked the INE topology. I would like to follow you on this topology to use for study too. But I need help: I haven't been able to connect vWLC on UNL with a real Access Point, and also how do you achieve the IP Phone connection with a virtual switch on UNL?
I haven't got to that point yet 🙂 Still need to buy the AP and the IP Phone from eBay, then I can give it a crack. I think it will be vWLC -> 3560 (PoE) -> AP…