The costs of the CCIE Security v5

I still have not completely figured out my next move, after not passing the first attempt at the CCIE Security lab on Friday. I certainly am not quitting, just deciding whether to take a break, or push on with the Security v5, or switch to a different track.

One of the biggest issues I faced with my studies was the time it took to keep setting everything up over and over again. This is clearly an area for improvement in my approach. With a bit of better planning of where the VMs sat (ESXi or UNetLab) I think I could have sped things up a little, leaving more room for learning and the much-needed repetition, rather than repeatedly setting up the initial configuration.

It looks like I will not be able to re-sit the v4. I can’t find any places, and to be perfectly honest, I am not sure that I would even be ready by December anyway. Therefore, if I am to sit the lab again (and the written by that stage), it will be Security v5. With the new version comes new requirements.

The switches and routers for the v5 are IOSv and CSR1000v, and they also make use of the ASAv. These all come as part of VIRL (but can also be used in UNetLab). There are a whole bunch of security appliances, which will also run under UNetLab, or ESXi if I can get hold of them. Then we have the hardware, which will be the costly part.

CCIE Security v5 hardware and costs

Cisco Catalyst Switch

C3850-12S: 16.2.1

This goes for around £2500-4500 on eBay. I currently have a 3750X, which is great for the v4, but I don’t think it will cut the mustard for the v5. If you look at this link outlining the differences between the C3850 and C3750-X, there are a number of features that the 3750-X does not support, such as MACSec, TrustSec for Wireless, SDN and OpenFlow, Flexible NetFlow. Are these features required? MACSec is listed in section 3.7, TrustSec is listed in 3.12, NetFlow is listed in section 5.9 – so these could be in the lab.

Cisco Adaptive Security Appliance

5512-X: 9.6.1 £1200

This will be roughly £1200 on eBay. I am sure that a cheaper option would be the 5506-X. In terms of functionality, I can see no difference apart from throughput and that’s not a show-stopper for lab practice. We need this because of the FirePower module. The 5506-X is about half the cost of the 5512-X, and easier to sneak past my wife.

Cisco 2504 Wireless Controller

2504: – £400-500

£400-500 on eBay. The vWLC worked fine in my tests, though.

Cisco Aironet

1602E: 15.3.3-JC

£300, give or take. Again, the AP I have worked fine and I cannot see a reason to upgrade.

Cisco Unified IP Phone

7965: 9.2(3)

£50-100. Again, I cannot see a good reason to change from the one I already bought.

Pros and Cons

The switch is going to be the real clincher here for preparing for the Security v5. £2500 is a large sum of money. £500-600 for a 5506-X is reasonable, but I don’t really relish spending that kind of money on a switch. If I do then we are looking at nearly £5000 for the hardware and examination costs. I could buy myself a Rolex for that kind of money and have something to hand down to my kids when they are older.

This does have a large impact on my decision. The Service Provider track does not have these kinds of demands; just so long as you can run IOS-XR 5.2, IOS-XE 3.13 and IOS 15.4S then you should be fine. But I would like to finish the Security track – after all, I have started it, so should see it out to the end.

It is not a clear-cut decision. There have been many very encouraging responses to my lack of passing on Friday and thank you to everyone who got in touch. I do appreciate it. I am just not sure if I want to take a long break, or switch tracks. Taking a long break will give me a chance to save up for the switch, and will allow me to spend some much-needed time with the family again, after spending so much time studying and being pre-occupied with the CCIE.

Choices, choices, choices.

