Network World

Wendell Odom

CCNA Security Part 3: Lab Requirements

Is CCNA Security a Great Step with a Small Budget?

By wendell on Wed, 10/14/09 - 2:34pm.

If you're buying gear on a budget, then CCNA Security may be for you. As difficult as I think the IINS exam's theory might be - at least relative to my original expectations - the lab requirements may make up for it. You can practice all the router features effectively with only 2 routers; most can be practiced with a single router. Only a few of the features require a switch, and a single switch at that. Add your existing PC to the mix to run SDM and a TACACS+/RADIUS server, and you have enough gear with which to practice. Or go the $0 cost route: take the plunge into Dynamips, ignore practice with the switch features, and use your existing PC.

Today, as you can guess by now I'm sure, I'll look at the practice lab requirements for the IINS exam. I will look at what you need, not what would be nice to have, to practice what's on the exam.

First, I need to set the stage a bit. I'm going to take advantage of some of my earlier series on building home labs for Cisco exam practice along the way. For those of you who are long-time readers of this blog, you'll probably pick up the main points, with maybe a brief reference back to earlier posts. For those of you that don't read here as often, let me summarize what I'll refer to throughout as background material.

The first bit of background is the CCNP lab series from a few years back, which included a few posts about the CCNP ISCW exam (parts 7 and 8 of that series). ISCW includes many of the same features as does the IINS exam, so it seemed a good place to start. In particular, those posts discussed the IOS feature sets for routers that supported all the features. I also blogged an update on lab prices earlier this year, as usual using the eBay US prices for "buy it now" as the basis to determine how much gear costs on the used market. So that's a good place to get some perspective on router models and somewhat recent prices.

Now for the ramble of what you need for a CCNA Security lab.

Routers: First, I think you need at most two routers. Many of the features can be configured on a single router - IPS, Firewall, ACLs, CLI security. Only IPSec requires two routers.

Router Feature Sets: The bigger issue with routers is the feature set. Cisco creates different compiles of IOS that include different features, with each different set of features being called a Feature Set (FS). The IP Base FS, commonly the most basic (and included in the base price) FS does not support all the features in IINS. For IINS, for some older routers, the least expensive/least memory FS that includes most of the IINS features is "IP/FW/IDS/Plus IPSEC 3DES". (Older includes 2600XM's, 3640's, and 837). For newer router hardware, either the "Advanced IP Services" or "Advanced Security" FS includes the right features for IINS.

(A quick word on process. I took the list of configuration tasks from the Cisco Press CCNA Security Exam Cert Guide, and made a list that I posted a few weeks back. I took that list, and used the Cisco Feature Navigator (www.cisco.com/go/fn) to verify the features versus each feature set, and updated the reference document, newly posted here.)

Note that the older routers, typically cheaper, only support the older "IP/FW/IDS/Plus IPSEC 3DES" feature set, which does not support zone-based firewall or IPS (again, according to my read of the feature navigator, not per extensive testing.) The (relatively) newer platforms, like 1721's, 2610XMs, 1800's, and 877's, all support the newer "Advanced IP Services" and "Advanced Security" feature sets, which do support zone-based firewall and IPS.

SDM is a Must, so 12.3T/12.4 is a must: SDM appears to have been integrated into the 12.3T/12.4 mainline IOS code. (That's again from a review of Feature Navigator; feel free to corroborate/contradict if you know more.) If you're going to get a lab for CCNA Security/IINS, you really ought to get SDM support, since half the hands-on work is with SDM.

What Routers to Buy: I will either re-visit the "which to buy" question in a few weeks, if I get enough of y'all to ask about it here, or leave it as an exercise for you. However, from the May prices on routers in my earlier blogging, a 1721 + WIC-2T, Advanced IP Services 12.4T, would really fit the bill, for around $110 each. But it's been 6 months, so prices I'm sure have changed in some way. Feel free to offer opinions here.

Switches and Switch Software: The 2950 series, even with the standard image software, seems to have grown to become a great switch for a used Cisco lab, with relatively cheap prices. For the handful of switch config items, only Dynamic ARP inspection (DAI) is missing from 2950, again per feature navigator. You can pick that up in a 2960 or 3550 (enhanced image I believe). Personally, I might just rely on reading for that one feature, and go with the cheap 2950's - around $70 US per my last (April '09) price checks.

So, all you folks who've worked on IINS, or ISCW from CCNP, or SNRS from CCSP (also similar), what advice can you give to add to what I've started here?

I concur with you Wendell

I concur with you Wendell that this exam can be done pretty cheaply. When I was studying for the exam I found that there was nothing Dynamips could not handle except for the switching features. I used a 2950T for those and I believe there were very few, if any exam topics that I couldn't lab up.

I took the exam soon after taking my CCNA and felt that it was a great intro to the security side of the house and really felt like I learned a lot during the process. The contents definitely have day to day applicability in the workplace as well.

Thanks

CCNA Security and SDM

I've decided to try the exam at Cisco Networkers based on the knowledge gained from the ISCW, which I passed about 7 months ago.

Definitely the exam is similar. I didn't pass although it was very close.

What really annoys me is why Cisco insists on the SDM. Do you guys know how many people actually use it on a daily basis?

Murilo

CCNA sec exam

Hi Wendell, as I mentioned in your previous posts on the CCNA sec, two of the guys I work with are doing this exam.

They are using a mix of 837 and borrowing one of my 2610XM's for the stuff the 837 will not do. Switch wise they are happy to use one of my L3 switches. Man, I should set up some kinda shop here at work!

I agree the 1721's, 2610XMs, 1800's, and 877's are great and not too pricey. I have heard people say they just used GNS3.

Murilo, the SDM (or ASDM) can be very useful. I was faced with an issue just last week where a customer was using a limited ASA. He was using all 10 licences, and there is no feature (cmd) I could find in the CLI that would allow me to view this. I love the CLI too much to be a total convert, but it has its uses.
It is also great if you have a user who needs some support and you are able to walk them through the steps a lot easier than trying to recite the CLI over the phone. Scott Morris mentioned this on his CCIE audio; it makes me laugh as it is so true.

BE.

http://bigevilsciscoworld.wordpress.com/

About Cisco Cert Zone

Odom, CCIE No. 1624, splits time between writing books for Cisco Press and teaching classes for Skyline ATS. In his 25-ish years in the networking industry, he has worked as a pre-sale and post-sale SE for a few networking vendors, as well as a network engineer implementing network technology. Wendell has spent the majority of the last 15 years teaching, consulting, and writing about networking technologies, most of which in some way relate to Cisco products. His books include titles on QoS, CCIE R/S, as well as several titles related to CCNA certification, including the September 2007 book CCNA Official Exam Certification Library (CCNA Exam 640-802).