
HOW TO PASS THE CCIE SECURITY LAB EXAM

Keith Barker, CCIE #6783


1 Getting Started

Achieving a Security CCIE certification is a big deal, and many people often ask for
the “secret” to successfully passing the lab and becoming a Security CCIE. If you
are considering a CCIE, or working towards one now, this document is written for
you.

The acronym for the successful candidate is: A.B.L.E.

INE TIP: No matter where you are in your journey, the products and services
provided in the INE Version 3.0 Training Program will ensure that you will
complete your journey.

Assess your current level of knowledge, regarding each and every topic and
sub-topic from the CCIE Security blueprint, available on Cisco’s web site.
Honestly rate your skills and knowledge for each topic, on a scale from 1 to 5.
A rank of “1” would mean that the concept is new or that your knowledge of it is
very limited on that subject. A rank of “5” would mean that you are at the level
of doing advanced configuration and troubleshooting, with no assistance from
outside sources or documentation.

This “CCIE Security Checklist” will serve as a baseline to track your studies, and
assist you in covering all the topics. It is often a temptation to jump to lab
configurations, without understanding the technology. Remember that as you
take the time now to learn the technology, you will save time later in
configuration and troubleshooting. Before attempting the lab, a person should be
at a 4+ on virtually every topic on the blueprint.

Believe in your ability to learn the topics and pass the lab, with the emphasis on
learning the technology. No matter how many lab scenarios a person looks at,
they will not be successful in the live lab unless they have learned the
technology and how to implement and troubleshoot it at an advanced level.
Don’t cheat yourself by “hoping” you won’t get a specific topic on the lab;
prepare for all topics. You can do it.

Long-term planning is essential for the preparation for the lab. Using the
assessment with the CCIE Security Checklist you created earlier, identify the
areas that you want to focus on, and then set up a plan that includes which days
of the week you will study, and how many hours on those days. Before the study
time arrives, lay out a plan of the topics and have the study material, labs,
videos and other resources you will use ready to go, so that you may hit the
ground running during your study time. Use the assessment worksheet before and
after each study session to track where you are in the topics you are studying.
Realistically, a successful candidate should set a study plan out that includes
beginning with the CCSP level of knowledge and skills, and then additional study
and lab work. Approximately 400 hours of lab practice using live or simulated
gear are going to be needed and at least that again in study time. So if a
person said they were going to dedicate 4 hours a day, 3 times a week (12 hours
a week), they should put together a plan that would last between 12 and 24
months. As you study, update the CCIE Security Checklist with your personal
ranking of each topic. If you end up mastering each topic ahead of schedule,
your time frame may be less than originally planned. The goal should be to
really learn the technology in each area of the blueprint. Finding a study-buddy
can also be of value, along with sharing with friends what your commitments are
regarding study time. There are several online communities, including
www.IEOC.com, where members assist other members.

A.B.L.E
1. ASSESS
2. BELIEVE
3. LONG-TERM
4. ENJOY

Enjoy the process. There is a lot to learn, and it will serve you to tackle new
topics with the attitude of “I get to learn this” instead of “I have to learn this”.
Keep it fun, and light. Also realize that you will NEVER know everything, and
what you have learned, you may discover can be improved on. Enjoying the
journey involves being honest about your current level and always taking that
knowledge up another notch every time you study. Cramming the week or so
before the lab is not usually a good strategy. By using your study schedule, and
really learning as you go along, you will find that many technologies dovetail
into others, and you will become faster at learning, configuring and
troubleshooting.

Do not look for "short cuts" on your journey. Stick to the path we have outlined
for you here and it will help you not only in your journey to become a CCIE but also
in your career as a networking engineer. During your journey stay away from cheat
sheets, brain dumps, gotcha lists, etc. The material you have access to here,
combined with the Cisco Documentation, is everything you need to complete your
journey. All of the products and services are designed as an important step in your
journey. The INE's Version 3.0 Program is not just a bunch of products and services
that are bundled together with no rhyme or reason. All of the products and services
are developed by the elite instructor team here at INE. We put our names on the
front of everything we offer and personally stand behind our products and services.

You may get discouraged at times during your journey and think that it may not be
worth it. Don't give up or stray from your path and you will complete the journey as
hundreds of our customers have done before you.

The average candidate attempts the CCIE lab 2.7 times before passing. You want to
have a personal goal to pass the lab the first time or the second at the latest. If you
have properly followed the path we have given you this should be an obtainable
goal.

I would like to add a couple more items here before you begin. As I said earlier, you
must be honest in your assessment of your knowledge. There isn't a problem in
thinking you are knowledgeable about a topic but there is a problem when you think
you are more knowledgeable than you really are. I've personally seen people take
the CCIE Lab 7 or 8 times before passing because of this single problem. They
would never step back to assess where they were and why they failed. They
believed they just needed more practice labs and would buy every workbook on the
market. You do not want to fall into this trap. You want to pass the CCIE lab exam as
a byproduct of learning the technologies and topics covered. You do not want to
pass because you can remember seeing a scenario in a practice lab you did.

Congratulations on beginning your journey!


2 Three Step Learning Process

The recommended learning process you should take is what I define as a three step
learning process. The first step is to get an understanding of what the technology or
feature does and why it was implemented. This step should be done from a vendor
neutral point of view if possible. This can be done by utilizing the Cisco
Documentation, our Volume 1 Workbook, a Core Knowledge Simulator Link, the
various books and white papers, or the RFCs freely available on the Internet.

The second step is to learn how Cisco has implemented the particular technology
or feature. You can do this by using the numerous configuration examples, tech
tips, and documentation available on the Internet and Cisco's website along with
Cisco Press books. Do not underestimate the wealth of information available in
the Cisco Documentation.

INE TIP
1. Understand the Technology
2. Learn the Implementation
3. Experience the Technology

Now that you have an understanding of the why and the how, it's time to take the
third step by gaining experience with the technology or feature through hands on
practice. Although
anything is pretty much theoretically possible, you cannot expect to pass the CCIE
Lab Exam without hundreds of hours of hands-on practice and/or real world
experience on the routers and switches. Many students report that this can add up
to 400 to 700 hours of command line practice on the devices. In the CCIE lab they
will be trying to test your experience and the main way they test experience is by
seeing how familiar you are with the technologies and topics. Generally speaking,
someone who is more familiar will also be faster. By faster I do not mean that they
can type faster, but that they can do a task faster than someone without the
equivalent experience. So do not worry about your keyboard typing speed if it is not
the fastest.

If we break these three steps down into time frames, the first step would consume
about 15% of total time, the second step about 20%, and the last step about 65% of
total time. This means that for every one hour of reading about a technology or
topic, you should expect to spend two hours doing hands-on practice.

Recommended Reading Prior to Starting

Before we take a look at the recommended reading, and what products should be
used, I want to make sure that we are all on the same page. Before preparation for
the CCIE Security, you should have at least a CCSP level of knowledge and/or
experience first. You would also want a solid knowledge of routing and switching to
succeed in CCIE Security. If you are not at a CCSP level yet, INE offers an online
CCNA Security as well as CCSP class. Please be aware that Cisco’s CCSP
certification requires knowledge of the Security Device Manager (SDM) GUI for
routers, and the Adaptive Security Device Manager (ASDM) GUI for the ASA. The 10
day CCSP class includes the command line interface (CLI), as well as both the GUIs
for ASDM and SDM because the CCSP requires it. The GUI for SDM and ASDM is
not allowed nor covered in the Security CCIE lab, so that portion of the CCSP class
will be nice to know, but not required for CCIE level certification. One of our product
specialists can assist you with additional recommendations as well, should you need
more information.

For Security CCIE candidates, I recommend the following books for reading and
reference:

CCIE Professional Development Series Network Security Technologies and Solutions
By: Yusuf Bhaiji

CCIE Security v3.0 Configuration Practice Labs, Second Edition
By: Yusuf Bhaiji

Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, Second Edition
By: Jazib Frahim, CCIE #5459; Omar Santos

CCIE Security Advanced Technologies Class on Demand

Step One: Learn

Use the ATCoD as a means of learning the details for the technologies. Schedule
your study time to focus on a specific topic, and perhaps use part of the time
for the CoD, and part of the same study period for reading. I would recommend no
more than 45 minutes to an hour per session. Mix it up, keep it fun and you will
learn at a greater rate.

CCIE Security Lab Workbook Volume I


Use the technology labs as a means to get an understanding of the implementation
for any technologies or features you are not familiar with. These labs are not meant
to be done as a whole but more as a way to fill in any gaps in your knowledge
base. They are broken out into sections that
correspond to the blueprint. You should use
this workbook, and its labs to move your
expertise ranking on the assessment you did
earlier to make sure you are at least a level 3
or higher on all topics.

Treat these as more warm-up labs as opposed to true practice labs. What is meant
by "warm-up" is use these labs to get familiar and comfortable with all the
technologies. Ensure that you gain the knowledge and experience that is conveyed
in these labs and not worry about a pass or fail at this point. Use online
documentation, and reference material as you go through these.

CCIE Security Lab Workbook Volume II

Step Two: Practice

Using volume I as a foundation, volume II includes 10 labs that collectively
test your ability to read and interpret the tasks, and implement the correct
solution. These labs are not intended to be completed within 8 hours each, and
several different study sessions may be required to master all of the tasks
contained in a single lab.

The goal for this part of your journey is to solidify your knowledge while at the same
time expanding your knowledge by hands on practice. It is important that you have
the knowledge discussed earlier before these Volume II labs, as you will have a
much harder time with the labs and will not receive the full benefit of them without it.

You want to be able to do the vast majority of these labs without relying on the
online Cisco documentation too much at this point. Ideally you are only using it to
verify command options and not using it to help solve a task. If you have to
reference the online documentation for most of the tasks in the labs you may need
to step back and reevaluate if you are ready to continue on. There is no shame in
stepping back. You are far better off stepping back and going back over the
technologies and topics than you are going forward and failing the real lab.

At this point you are roughly two-thirds of the way to being ready for the real lab and
you should start feeling more comfortable doing these practice labs. You will want to
focus a little on speed. After doing these labs, you may want to switch back to Volume
I, having been several weeks since you have done them, and see if you can do all
the tasks, but this time without use of the solutions or online documentation.

Switch over and do labs 6 through 9 of Lab Workbook Volume II. You want to focus on
speed with your configuration and verification skills along with minimizing any simple
mistakes (applying configuration to the wrong device, filtering on the wrong
interface, etc). Remember to "test as you build".

CCIE Security Lab 5-Day Bootcamp

Step Two: Practice

Ideally, after going through the Class on Demand (CoD), and Vol I-II, and
between 2 to 6 weeks from your actual lab date, the live bootcamp provides
incredible value, with new lab content not available anywhere else, and a
veteran instructor who will assist in not only identifying weak areas, but
helping you make those strengths.

Bootcamps available in multiple locations!


CCIE Security Core Knowledge Simulator

Step Three: Refine

Unlike traditional written exams, the Core Knowledge questions are not multiple
choice, but instead require a short answer to be manually typed out by the
candidate. Additionally, this section must be completed before proceeding onto
the traditional configuration portion of the exam, candidates may not return to
the short answer questions once they have begun the configuration portion of the
exam, and no additional resources such as the Cisco documentation are available
during the section. Most importantly, this section is manually graded by the
exam proctors as pass or fail only. Candidates who answer more than one question
incorrectly in the Core Knowledge section automatically fail the entire lab
exam, even if they passed the configuration and troubleshooting portions of the
exam!

3 Ensuring You Are Ready

Here are some of the more common reasons people have a hard time with a lab:
1. Do not understand the technologies and topics covered
2. Had problems understanding the requirements from the wording given in the
tasks
3. Made too many little mistakes
4. Overwhelmed with all of the tasks and didn't have time to complete them all

If you failed because of number 1, you definitely should step back and fill in the gaps
you have in your knowledge. Every time we teach a class we learn something new
so I can pretty much guarantee that if you watch the CoD or attend the class again
you will benefit from it. Remember that we do not require you to fail the real lab
before you can audit our classes again.

If you had problems with number 2 it could be a couple of issues. First off you may
not understand the technologies and topics enough to grasp the wording of the
tasks. If you understand the technologies and topics you should be able to complete
the task. Secondly you may be "over thinking" the tasks. Do what the task is asking
and nothing more. Do not try to apply real world logic or design to the task. Also don't
add in "what if's", meaning do not worry about "what if" this router goes down or
"what if" the Frame Relay circuit is down. If the proctors are looking for redundancy
to be taken into consideration they will ask for it.

The little mistakes get many people (forgetting to no shut an interface, etc). As
you become more of an "expert" you will make fewer mistakes and solve the ones
that you do make quickly. You will always make little mistakes as it's just human
nature but with experience you will be better at finding and fixing your own mistakes.
For many people that fail the lab it's the little mistakes that get them into some big
problems.

Lastly number four is just going to boil down to getting the hands on practice needed
to be good at doing these labs. No tips, tricks, or brain-dumps can substitute for the
hands on experience you will need with the routers, switches, ASAs, IPS and the
ACS to pass the real lab exam.

Additional Resources

Websites to Visit
1. INE
1.1. Access your products electronically
1.2. Get the best training products
1.3. http://www.ine.com/
2. IEOC - Internetwork Expert Online Community.
2.1. Product support
2.2. Ask questions, post comments, and interact with your peers
2.3. http://www.ieoc.com
3. CCIE Blog
3.1. Content published from our CCIE Instructors
3.2. Exciting challenges and prizes
3.3. Ask INE, dedicated to answering your CCIE questions
3.4. http://blog.ine.com
4. INE on Twitter
4.1. Follow us for the latest news
4.2. http://www.twitter.com/inetraining
5. INE on Facebook
5.1. Join our fan page
5.2. http://www.facebook.com/inetraining
6. INE on LinkedIn
6.1. Add us to your connections
6.2. http://www.linkedin.com/companies/144650
7. INE on YouTube
7.1. Subscribe to our channel
7.2. http://www.youtube.com/INEtraining

About the Author


Keith Barker excelled as a Network Engineer
beginning in 1986 with EDS. Before opting for a
career in IT Education, Keith’s practical experience
culminated with the position of IT Manager for
Paramount Pictures. Once joining the field of IT
Education, Keith became a top-rated Microsoft and Cisco Certified Instructor.
Keith Barker, along with Jeremy Cioara and Anthony Sequeira, helped to make
KnowledgeNet the most respected Online IT Training organization of its time.
You will find Keith Barker in Live Classroom, Live Online, and Self-Paced
Route/Switch and Security classes here at INE.

Keith Barker can be reached via email at kbarker@ine.com.


Thank you for taking the time to read this document.
Congratulations on starting (or continuing) one of the most rewarding journeys you
can take in your lifetime. Remember, while at times you might feel alone in this
journey, that is NEVER the case.
