Hello folks! I am often asked about CCIE Security preparation. As a disclaimer, you should know I took the “Latin” version of the exam with Blueprint version 4 (ISE 1.1, legacy IPS, pre-8.2 ASA code, and absolutely nothing cool like Firepower or AMP), so with the release of version 5, things have certainly become much more relevant. That being said, a lot of the prep resources remain the same. I have started re-using the same base email and scrubbed it for aged-out links (believe it or not I used to have more). I hope this helps someone.
The Basics:
First things first, make sure you are armed with the latest and greatest exam blueprint (https://learningnetwork.cisco.com/community/certifications/ccie_security). Too many folks I know are pursuing these CCIEs (or even CCNPs) without keeping the blueprint handy. For that matter, be sure to keep the lab gear list in the back of your mind as well (https://learningnetwork.cisco.com/community/ccie-security-v5-written-lab-exam).
I usually take the BP and convert it into a spreadsheet, providing links to both VoD and blogs or documentation and the like, while also periodically using it to assess my readiness. I also use tabs to track study time and schedule. Keep in mind, you are studying for two different beasts, as both the written and practical (a.k.a. the Lab) are completely different. It doesn’t mean you can maximize your value and lab as you go.
Documentation:
Be sure to start using the equivalent of the Doc CD for work and study both – no short cuts or search! You want to know that documentation tree like the back of your hand so you have no issues in the lab. In the lab, there is no Google, no site-wide search, and no browser-based or Adobe Reader searching within a page/doc.
I also used OneNote during my CCIE R&S and Evernote on CCIE Security to track things/hold snippets/keep notes. I am not a good note taker, but even I saw some value here. Recommend you pick some platform and stick with it as long as you can – some folks blog for just this very reason (this is why I am trying to move to blogging as well), so there is that option! I even have some peers who use Github to store their notes. Whatever works!
Training Vendors:
First off – if you have a chance, be sure to pick up a Safari Online account. For the price of 5 or so books a year, you can have access to thousands, as well as associated Video on demand covering all manner of technologies. Programming, architectures, web, cloud – you name it! And yes, Cisco Press books are all over it, so it just makes good sense. In fact, if you can only have your employer splurge on one thing for you, this is what to prioritize.
As for what vendors to study CCIE in particular with, I made heavy use of the INE Advanced Technologies VoDs for the version I was on, and labbed using their workbooks on my own gear/virtual lab. If I had it to do over again, I would definitely use those funds to attend Narbik’s Zero-to-Hero course (https://micronicstraining.com/event/security-zero-to-hero/). I hear it is 16 weeks in a row, meeting on Saturday mornings, but that the material is excellent and the pace is just right. And while it may not be Narbik himself, his crew runs a very tight ship. No PowerPoint is used, just whiteboard! INE was solid, but more liver interaction with someone like Narbik and his crew would be a fun time.
INE offered me what I needed most – flexibility – and provided some value in their config labs and workbooks. If getting funding for Narbik doesn’t work out, INE can be had for cheaper prices (https://ine.com/collections/training-bundles/products/ccie-security-ultimate-bundle). Watch for a deal to be announced and then call to bargain – I swapped out some older material (WSA and ISE were out of date at the time I was prepping, and I can’t speak to the v5 courses but those should be coming along nicely this far into version 5) from the advertised bundle for a course I wanted added and some extra tokens, which was very helpful.
Global Knowledge, Fastlane, and New Horizons provide offerings as well, but I don’t think CCIE Security (or the CCIE level in general) is a focus for them. There are a bunch of other vendors outside of the US, but I can’t speculate on the relative quality or success rates. IMHO, there are very few places that can lure both quality instructors AND make good training profitable, so by all means talk to your networks and get some good 1st-hand accounts before spending money. In the US, I would probably stick with one of the two above. Use sites like CertGuard to help you figure out if a trainer is legit or not. Here is a hint – no one guarantees a pass or touts using actual or real tests. Do yourselves a favor and actually learn the material. The paper is worthless without that knowledge to back it up.
One more thing – CBT Nuggets, while not having too much in the CCIE level, does have some great CCNP VoD courses by Keith Barker and others that I found a good change of pace. If you have the budget, look into them to fill gaps and keep you laughing. https://www.cbtnuggets.com/search?q=security
Free Cisco Training:
For www.ciscolive.com, you can register for your own free account and get access to the last 4 years’ worth of Cisco Live content. In the “On-Demand” section, you can simply search for all of your blueprint topics.
Free 3rd party Training:
I would certainly recommend hitting up a free site called Lab Minutes where a non-Cisco guy actually leads you through – at current count over 200 – short videos for everything from how to set set up, operate, manage and integrate Cisco security products. http://www.labminutes.com/video/sec/ A great help in understanding the portfolio! No login is required, but if you pay to sign up you can download them and take them wherever you go.
Paid Cisco Training (using credits or purchased outright):
If $$$ were no object, Cisco Platinum Learning Library would be a pretty slick gift to yourself and a huge help. I think it sells for $6k list as CON-TRN-CDCTE-500 (page 17 of this document: https://www.cisco.com/c/dam/en_us/training-events/learning_services/docs/pricing_sheet.pdf) and gets you access to over 400 courses and lots of fun. You can purchase courses ala carte, for something like $499 per course. There are several security-focused classes in there on Firepower, AMP, ISE, etc. Not the most thrifty mode of getting training, but if you had plans to take 2 courses via the usual providers, this all of a sudden makes huge sense. If you go with this, you get access to quite a bit of awesome stuff as detailed in this brochure. Your Employer might already have seats for this, or maybe they would consider this a more cost-effective path to getting you training than paying ala carte for 2 weeks.
If you just want to hit courses in the catalog that are specifically Product and Solution focused, then you can just target those: http://www.cisco.com/c/en/us/training-events/resources/learning-services/technology/security.html
I would recommend looking into the FIREPOWER200 and SSFIPS primarily, but others, like AMP, might make some good sense. ISE training would also be a good use of your time.
I have also heard good things from folks about how Todd Lammle does a great job as well: https://www.lammle.com
Important Blogs & Communities:
So, your mileage may vary quite a bit, but I found CCIE R&S blogging to be an art, while Security blogging and content was all over the map. INE’s own blog isn’t awful, but there are more to take a look at. Here are the ones I used:
Cisco’s P&A Forum: https://communities.cisco.com/community/technology/security/pa
Or the General Security Forum: https://communities.cisco.com/community/technology/security
Stuart’s Study blog: https://www.802101.com/category/ccie-security/
Packet Pushers CCIE Security Reading List: http://packetpushers.net/ccie-security-v4-reading-list-update-from-the-program-manager/
Katherine McNamara’s Blog: https://www.network-node.com
If you have more suggestions, I am all ears!
Labbing:
I used GNS3 quite a bit before getting into places I needed hardware. At that point, I had a massive rack in the basement and a huge power bill. I did mess with Unified Network Lab (UNetLab) for a little to try and ease that pain, but that has been replaced by EVE-NG (http://www.eve-ng.net) which allows you to run a pretty complete environment all on a fat server. I would say if you can get something with 12 cores and 64GB of RAM, you are in great shape to run on that! You’ll want a smaller implementation on your laptop to mock up 3-4 device topologies to practice things like DMVPN and NAT.
You may want to look into alternatives like GNS3 to see if it works better for you, or get more predictable access to VIRL or CML. VIRL for personal use, suitable for laptops, only costs ~$150 if I recall correctly. CML might be something your employer has access too, but isn’t really something you’d want to spend for on your own. Its pricey!
For physical gear, I dumpster dove like crazy – your employer might have some End-of-Life gear collecting dust that might suit your needs. With the Version 5 blueprint, many more of the functions can be virtualized so that isn’t as much of a concern. This comes back to having a good server and hypervisor. Keep in mind, most every Cisco VM or ISO comes with a demo/eval license built in now, so you can certainly make do with free VMs on 45 day terms for the CSR1KV, ASAv, FTVv, FMCv, ISE, WSA, etc. This is a huge improvement over the last go around.
Closing thoughts:
I hope this has been somewhat useful. Kathrine’s blog, in particular, dives into the costs and relative values as she pursued her very recent CCIE Security, so I would recommend take a look at her fresh and thorough synopsis. I went for the cheap and lonely path, where as she exhausted all resources and in the process educated us all on it. CCIEs are very much a personal endeavor, and no one size fits all. Hopefully you find your path and have success in your pursuit!
Mike