Planning a Security v5 lab environment

It is time to start planning how I will be practicing for the CCIE Security v5 written and lab. In this post, I will be looking at the requirements, comparing these against the v4, trying to work out if I need to buy a new ESXi server, and trying to gauge what will be better to run natively, or within EVE-NG, or VIRL.

A lot has changed from the v4. So, let’s start by looking at what I needed to run with the v4 exam:

CCIE Security v4:

  • Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
  • Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE
  • Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
  • Cisco IPS Software Release 7.x
  • Cisco VPN Client Software for Windows, Release 5.x
  • Cisco Secure ACS System software version 5.3x
  • Cisco WLC 2500 Series software 7.2x
  • Cisco Aironet 1200 series AP Cisco IOS Software Release 12.4J(x)
  • Cisco WSA S-series software version 7.1x
  • Cisco ISE 3300 series software version 1.1x
  • Cisco NAC Posture Agent v4.X
  • Cisco AnyConnect Client v3.0X

The big hitters in the list above were the ASAs, the IPS, the ACS, WSA and the ISE. These had the biggest overhead in terms of memory and hard disk. They all ran happily in UNetLab. The ISE needed about 16GB, the rest ran happily within the rest of the memory left over. There is also a healthy mix of virtual and physical devices.

Now, with the V5, it is primarily virtual. So, let’s have a look at what is needed.

CCIE Security v5:

Security Appliances

  • Cisco Identity Services Engine (ISE): 2.1.0
  • Cisco Secure Access Control System (ACS):
  • Cisco Web Security Appliance (WSA): 9.2.0
  • Cisco Email Security Appliance (ESA): 9.7.1
  • Cisco Wireless Controller (WLC): 8.0.133
  • Cisco Firepower Management Center Virtual Appliance: 6.0.1 and/or 6.1
  • Cisco Firepower NGIPSv: 6.0.1
  • Cisco Firepower Threat Defense: 6.0.1

ISE and ACS are sorted. I will be running v2.2 of ISE on a 90-day trial, so will have to build, burn and rebuild as necessary. The WSA and ESA I have running in EVE-NG. I have covered WSA while studying for the v4, already. The Firepower stuff is running in ESXi at the moment but could move to EVE-NG. At this stage, I think I am still well within the comfort zone of the ESXi server.

Core Devices

  • IOSv L2: 15.2
  • IOSv L3: 15.5(2)T
  • Cisco CSR 1000V Series Cloud Services Router: 3.16.02.S
  • Cisco Adaptive Security Virtual Appliance (ASAv): 9.6.1

These are all available in VIRL (within a version or two) or EVE. Depending on how many devices I decide to run, I still think this is doable. Running VIRL as well as EVE would mean a bigger overhead. Why run two when one will work just as well? While I have purchased VIRL, I do find EVE easier to use, and there is less overhead.

We also only have one flavor of ASA to contend with, not three as we did with the v4. This makes life much easier!


  • Test PC: Microsoft Windows 7
  • Active Directory: Microsoft Windows Server 2008
  • Cisco Application Policy Infrastructure Controller Enterprise Module: 1.2
  • Cisco Unified Communications Manager: 8.6.(1)
  • FireAMP Private Cloud
  • AnyConnect 4.2

The Windows boxes won’t take up a huge amount of resources. I have no idea about CUCM, and I have AnyConnect. This leaves APIC-EM. APIC-EM (on VMware) requires 6 vCPUs and a minimum of 32GB memory.  Ouch. Even with memory sharing, I think this would make things crawl considerably. Upgrading the memory would be roughly the same cost as a new server, and then there would be competition for the number of available cores. So, it would make more sense to share the load out across two servers and enjoy the number of cores and memory. The options would be Dell, either T5500 or T7500 or the HP Z800. Both will take a silly amount of memory, and will be around £800-1100 for something rocking between 96-192GB.

Physical Devices

Cisco Catalyst Switch: C3850-12S: 16.2.1

Cisco Adaptive Security Appliance: 5512-X: 9.6.1

Cisco 2504 Wireless Controller: 2504:

Cisco Aironet: 1602E: 15.3.3-JC

Cisco Unified IP Phone: 7965: 9.2(3)

I have a 3750X, but the primary difference between the 3750-X and the 3850 is that the 3850 runs IOS-XE, rather than IOS. A 3850 will be in the region of £2500-3000 on eBay. Not a route I am going to head down. There also differences in QoS (MLS vs MQC). For a good comparison, check this out. The CSR1000v also runs IOS-XE, so most of the quirks could be easily covered using that instead.

I have an ASA 5506-X, or at least I do at the moment. It’s 20 months old and is affected by the clocking issue. Hopefully, Cisco will be replacing it soon, I have filled in the forms and sent them off. Otherwise, it’s going to be a brick. Functionality wise, I don’t think I will be in any lesser stead with the smaller model. It’s not quite as powerful, but this is just for labbing, so I think I can cope with only having 2 AnyConnect users instead of 50.

Wireless and phone wise, I am happy to stick with my older hardware.

Being realistic

How concerned do I need to be with my ability to run everything all at the same time? Probably not very. The APIC-EM, although listed, only appears in the blueprint once:

5.14  Describe the northbound and southbound APIs of SDN controllers such as APIC-EM

This is a “describe”. No need to implement. Hurrah, this means I don’t need to worry (too much) about needing to find 30+GB memory for a VM. Let’s look at another of the devices, the ESA. Last night I found myself asking what could be configured on this? We have a Windows server and a Windows client, we don’t have an email server by the looks of it, so my guess would be more to do with the integration with other components, and basic configuration.

Let’s look at another of the devices, the ESA. Last night I found myself asking what could be configured on this? We have a Windows server and a Windows client, we don’t have an email server by the looks of it, so my guess would be more to do with the integration with other components, and basic configuration.

Most of the focus will be on Firepower, that’s clear from the topic list. So this is where the focus needs to lie. The rest of it should be OK. Most of it should come flooding back when I get started.

The next step is to start planning out some labs! Oh, and start learning about Firepower (because there is A LOT of that in the CCIE Security v5).

Here is a (rough) costing of the CCIE Security v5 hardware.


  1. Rj Pitts April 12, 2017
  2. CCNP Sec April 26, 2017
  3. Nanda Kyaw June 23, 2017
  4. Nameless July 18, 2017