CCNA Security Part 3: Lab Requirements

Is CCNA Security a Great Step with a Small Budget?

If you're buying gear on a budget, then CCNA Security may be for you. As difficult as I think the IINS exam's theory might be - at least relative to my original expectations - the lab requirements may make up for it. You can practice all the router features effectively with only 2 routers; most can be practiced with a single router. Only a few of the features require a switch, and a single switch at that. Add your existing PC to the mix to run SDM and to run a TACACS+/RADIUS server, and you have enough gear with which to practice. Or go the $0 cost route: take the plunge into Dynamips, ignore practice with the switch features, and use your existing PC.

Today, as you can guess by now I'm sure, I'll look at the practice lab requirements for the IINS exam. I will look at what you need, not what would be nice to have, to practice what's on the exam.

First, I need to set the stage a bit. I'm going to take advantage of some of my earlier series on building home labs for Cisco exam practice along the way. For those of you who are long-time readers of this blog, you'll probably pick up the main points, with maybe a brief reference back to earlier posts. For those of you who don't read here as often, let me summarize what I'll refer to throughout as background material.

The first bit of background is the CCNP lab series from a few years back, which included a few posts about the CCNP ISCW exam (parts 7 and 8 of that series). ISCW includes many of the same features as does the IINS exam, so it seemed a good place to start. In particular, those posts discussed the IOS feature sets for routers that supported all the features. I also blogged an update on lab prices earlier this year, as usual using the eBay US prices for "buy it now" as the basis to determine how much gear costs on the used market. So that's a good place to get some perspectives on router models and somewhat recent prices.

Now for the ramble of what you need for a CCNA Security lab.

Routers: First, I think you need at most two routers. Many of the features can be configured on a single router - IPS, Firewall, ACLs, CLI security. Only IPSec requires two routers.

Router Feature Sets: The bigger issue with routers is the feature set. Cisco creates different compiles of IOS that include different features, with each different set of features being called a Feature Set (FS). The IP Base FS, commonly the most basic (and included in the base price) FS, does not support all the features in IINS. For IINS, for some older routers, the least expensive/least memory FS that includes most of the IINS features is "IP/FW/IDS/Plus IPSEC 3DES". (Older includes 2600XM's, 3640's, and 837.) For newer router hardware, either the "Advanced IP Services" or "Advanced Security" FS includes the right features for IINS.

(A quick word on process. I took the list of configuration tasks from the Cisco Press CCNA Security Exam Cert Guide, and made a list that I posted a few weeks back. I took that list, and used the Cisco Feature Navigator to verify the features versus each feature set, and updated the reference document, newly posted here.)

Note that the older routers, typically cheaper, only support the older "IP/FW/IDS/Plus IPSEC 3DES" feature set, which does not support zone-based firewall or IPS (again, according to my read of the feature navigator, not per extensive testing.) The (relatively) newer platforms, like 1721's, 2610XMs, 1800's, and 877's, all support the newer "Advanced IP Services" and "Advanced Security" feature sets, which do support zone-based firewall and IPS.

SDM is a Must, so 12.3T/12.4 is a must: SDM appears to have been integrated into the 12.3T/12.4 mainline IOS code. (That's again from a review of Feature Navigator; feel free to corroborate/contradict if you know more.) If you're going to get a lab for CCNA Security/IINS, you really ought to get SDM support, since half the hands-on work is with SDM.

What Routers to Buy: I will either re-visit the "which to buy" question in a few weeks, if I get enough of y'all to ask about it here, or leave it as an exercise for you. However, from the May prices on routers in my earlier blogging, a 1721 + WIC-2T, Advanced IP Services 12.4T, would really fit the bill, for around $110 each. But it's been 6 months, so prices I'm sure have changed in some way. Feel free to offer opinions here.

Switches and Switch Software: The 2950 series, even with the standard image software, seems to have grown to become a great switch for a used Cisco lab, with relatively cheap prices. For the handful of switch config items, only Dynamic ARP inspection (DAI) is missing from 2950, again per feature navigator. You can pick that up in a 2960 or 3550 (enhanced image I believe). Personally, I might just rely on reading for that one feature, and go with the cheap 2950's - around $70 US per my last (April '09) price checks.

So, all you folks who've worked on IINS, or ISCW from CCNP, or SNRS from CCSP (also similar), what advice can you give to add to what I've started here?


Copyright © 2009 IDG Communications, Inc.
