Unanswered Question
Mar 23rd, 2007

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on CCIE Security with Cisco expert Yusuf Bhaiji. Yusuf, CCIE #9305 (R&S and Security), has been with Cisco Systems, Inc. for over five years and is currently the Program Manager for the Cisco CCIE Security certification and Proctor in Cisco's Dubai and Sydney Lab. Prior to this, he was Technical Lead for the Sydney TAC Security and VPN team. Yusuf's passion for Security and VPN-related technologies has played a dominant role in his 15 years of industry experience, from his initial master's degree in computer science to his numerous certifications.

Remember to use the rating system to let Yusuf know if you have received an adequate response.

Yusuf might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through April 6, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

clusterfsck Fri, 03/23/2007 - 15:09


What are the best books/study guides to buy for the CCIE Security track? I see how a person could spend thousands on books, with as many as there are out there. Also, is there a virtual lab you prefer? I bought 23 hours of rack time on a security rack through ; is there one you would recommend besides that?



sebastan_bach Fri, 03/23/2007 - 18:58

Hi Yusuf, I'm glad to see you in the forum.

Yusuf, could you please tell us, are you coming out with a book for CCIE practical studies just like the old ? I mean for the new syllabus.

One more query is about the IOS. Almost all the IOS versions have been upgraded for the new lab, but the IOS for the routers has remained the same.

Is there any possibility that Cisco is upgrading the IOS to 12.3T or so?

Very curious to know.

Waiting for your reply.



sebastan_bach Fri, 03/23/2007 - 19:03

Hi Yusuf, I would also like to know whether the NAC appliance will be integrated in the lab soon.



yusuff Sat, 03/24/2007 - 03:46

We continue to revamp the CCIE Security blueprints, add/remove/update technologies as appropriate.

The NAC appliance and other new hardware are on the radar and are being considered as new additions. Our Content Advisory Group (CAG) is working on it, and once we finalize it, we will announce the changes. Please note that we will give at least 6 months' heads-up if we announce the addition of new hardware, so that candidates can absorb and prepare for the new changes.



yusuff Sat, 03/24/2007 - 03:42

Hi Sebastan,

I am currently working on my 2nd book for CiscoPress called "Network Security Technologies & Solutions", an all-in-one reference guide; hopefully I will finish it by summer this year.

Once I complete this title, I will definitely start working on revising the 2nd edition of CCIE Security Practice Labs.

With regards to IOS upgrade on routers, we are planning to change this along with hardware upgrades to ISRs (our phase 2 update). A public announcement will be made once we finalize it.

Hope that answers your query.



sebastan_bach Sat, 03/24/2007 - 14:00

Hi Yusuf, thanks a lot for your detailed reply.

Can you give any rough idea of when we could expect ISR routers and the new IOS in the exam, including the NAC appliance, so we can start buying the equipment?

Because, you know, the ISRs and especially the NAC appliance are very expensive.

At least a rough idea would be really helpful.

Yusuf, what do you suggest: taking the lab on the current blueprint, or should I wait for Cisco to announce the new changes and then go for it?

Because the new one will have exposure to more technologies, the latest IOS features and new appliances. Can you please advise?

Thanks a lot once again.

Waiting for your reply.



yusuff Sun, 03/25/2007 - 05:09

Sorry, I cannot provide you any further details regarding future upgrades before a public announcement is made. As I mentioned earlier, once we make an announcement, we will give you 6 months' notice/heads-up so that you get enough time to prepare.

I suggest you make an initial attempt with the current blueprint and work your way up.



yusuff Sat, 03/24/2007 - 03:37

Hi Erik,

Some of the books I recommend:

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance (Frahim, Santos, ISBN# 1587052091)

CCSP IPS Exam Certification Guide (Carter, ISBN# 1587201461)

Cisco Access Control Security: AAA Administration Services (Carroll, ISBN# 1587051249)

Comparing, Designing, and Deploying VPNs (Lewis, ISBN# 1587051796)

IPSec VPN Design (Bollapragada, Khalid, Wainner, ISBN# 1587051117)

The Complete Cisco VPN Configuration Guide (Deal, ISBN# 1587052040)

Troubleshooting Virtual Private Networks (VPN) (Lewis, ISBN# 1587051044)

I cannot comment as such on vendors and their services regarding rack rentals etc. I suggest you evaluate the following: content, equipment list, IOS versions, support structure, practice scenarios, and maybe some recommendations from someone who has already used their services.

my 2 cents,


Roble Mumin Sat, 03/24/2007 - 04:26

Hi Yusuff,

I finished my CCSP in Summer 2006 and am thinking of heading for the CCIE Security this year. Is the CCIE Security exam/track in any way comparable to the CCSP training?

Can you advise some topics which will be looked at more heavily, or am I able to pass the written with CCSP knowledge plus some add-on topics?

Thanks for reading


yusuff Sat, 03/24/2007 - 04:54

Hi Roble,

Yes, CCSP knowledge is the foundational step moving towards the CCIE Security cert, and with some added topics (refer to blueprints), you are in good shape to approach the CCIE.

The main differentiator is the hands-on lab exam, which will test your knowledge and skills on all security appliances in a complex scenario. I strongly recommend you do lots of hands-on practice on all security appliances (PIX/ASA, IPS, VPN3k, etc.).

Follow the blueprints closely to ensure you master each individual topic (one by one) and make sure you do some practice scenarios, which will help you gauge your readiness.

Check out the link below for:

- Blueprints

- Lab Equipment and IOS list

- Online Resources

- Recommended Book list

- Recommended Trainings

All the best in the pursuit of excellence.



arif786 Sat, 03/24/2007 - 10:42

Hello Mr. Yusuf,

Thanks for taking the time for a Q/A session. I am about to take my CCIE Security written after months of prep. I have a few things to ask you.

1) Regarding your book Practice Labs, you said above you will work on its second edition. Yes, that would be nice. I see there are hints for scenarios, but those hints are out of order, referring to other questions, etc. It would be nice if some solutions to the scenarios were provided, much like a workbook, so that readers can check and feel confident.

2) The book listed in the booklist blueprint under other publications, "Firewall and Internet Security by Cheswick...", is more than 4 years old, plus its subject matter is just known. Penetration Testing Cisco is far superior: content-rich, with up-to-date technologies. Are we working on revising the booklist? Do we have plans to include some material from ISACA, ECCOUNCIL ...? Since we revise the topics list, I was just wondering why not a booklist blueprint v2?

3) Any plan to include MPLS VPN? Or is it kind of limited under the section "advanced VPN technologies" in the lab?

Many thanks for reading/replying.



sebastan_bach Sat, 03/24/2007 - 14:03

Hi Yusuf, one more query about routing in the current lab.

In the lab blueprint, routing or advanced routing and route-filtering are not mentioned. Does it mean we won't have it in the lab? If yes, then to what extent?

Can you please guide us on this?



yusuff Sun, 03/25/2007 - 05:20

As mentioned in the new blueprints, the new exam is heavily focused on security technologies only, and routing functions are tested on security appliances only.

Advanced routing features such as filtering, summarization, etc. are no longer core objectives, and are tested mostly on the written exam.

yusuff Sun, 03/25/2007 - 05:14

Hi Arif,

Answers to your queries inline:

1) Thanks for the comment, point taken.

2) Yes, we will update the booklist, and I recommend CiscoPress book more than others.

3) MPLS VPN technology is currently tested in CCIE SP track, and currently there are no plans to add this into the CCIE Security track.



m.sir Mon, 03/26/2007 - 23:22

Hi Yusuf

The VPN concentrator has EoS status, so there are rumors that the VPN concentrator is going to be removed from the lab... Could you confirm this info?



yusuff Tue, 03/27/2007 - 02:13

Hi Milan,

Yes, since the VPN3000 concentrator has been announced EOS, it is very likely to be removed from the CCIE lab exam.

We are presently working on this and will make an announcement when a decision has been made. Meanwhile, it will continue to appear in the exam.



ciscobits Tue, 03/27/2007 - 02:46

Hi Yusuf,

The new CCIE Security blueprint (Version 2) does not include any routing and switching.

Is all the routing and switching preconfigured?

yusuff Tue, 03/27/2007 - 03:15

Yes, all routing & switching is pre-configured on all devices except the security appliances (i.e. PIX/ASA, VPN3k, IDS). Candidates are required to configure everything on security appliances.



yusuff Tue, 03/27/2007 - 06:45

Hello Dogan,

Answers to your query inline:

1) Cisco VPN Client v4.x

2) Cisco Intrusion Detection System Release 5.x



yusuff Tue, 03/27/2007 - 07:12

I didn't follow... are you saying use this for prep or use this in the lab exam?

If lab, yes, we use CLI and GUI (both) in the lab exam to configure IDS sensor.



yusuff Tue, 03/27/2007 - 07:21

Yes this is a good link and you should also refer to entire IDS documentation per se.

sundar.palaniappan Tue, 03/27/2007 - 08:27

Hi Yusuff,

I understand VPN concentrator will be removed from the future labs. Would you be able to tell us how soon that may happen?

I passed the Security written last month and just started seriously preparing for the lab. I plan to take the lab towards the end of the year. I would just skip the VPN concentrator section if it's not part of the lab at that time.

Moreover, could you share with us what other equipment might be introduced in the near future?



yusuff Tue, 03/27/2007 - 09:31

Hi Sundar,

I understand your concern, but unfortunately, I cannot disclose or share any timelines for the new changes until a formal decision is made and a general public announcement will follow accordingly.

One thing I can assure you is that we will give enough time/heads-up to candidates whenever we make any change in the exam. Usually we give a 6-month heads-up notice to allow candidates to absorb the new change and prepare for it.

Hope that helps.



Farrukh Haroon Wed, 03/28/2007 - 03:15

Dear Yusuf

Welcome to this forum once again :)

Some questions please:

i) Can you tell us what exact release is currently running on the exam for the ASA? Is it 7.2(1), or at least 7.2(X)? There are some major differences between 7.0(X) and 7.2(X), like routing and http-map configuration.

ii) For IPS, is the lab running 5.1?

iii) Regarding NAC, on IOS it is not supported on 12.2(T), the current IOS. How will the lab test NAC then (on routers)?

iv) Do we still have to prepare for promiscuous mode IPS (or IDS) deployment, or inline and inline-vlan pair only?

Thanks in advance for your help



yusuff Wed, 03/28/2007 - 04:23

Hello Farrukh,

Answers inline:

1) PIX/ASA will be running version 7.2.x

2) IPS version 5.1.x

3) NAC Framework can be tested on other devices such as the switch or VPN3k, etc.

4) Both, promiscuous and inline.

Hope that helps.



Farrukh Haroon Wed, 03/28/2007 - 05:27

Dear Yusuf

Thank you very much for your answers, please I would also like to know:

1) Are we penalized for over-configuration on the CCIE Security lab? E.g., I was asked to configure some feature 'X' on a particular device; instead of enabling the feature for, say, the two required subnets, I enable it on the whole network range and nothing in the lab breaks. Will that cause me to lose points?

2) Also, with respect to access-lists, when configuring tcp maps for TCP option 19 for BGP through the ASA, or for defining crypto ACLs, etc., can we configure more 'generic' ACLs? I mean, in the security lab, are ACLs supposed to be as specific as possible (since it's a security exam) or not? I know in the R/S exam there is leverage in this regard.

Another example would be a question stating "permit OSPF traffic through Router9 or ASA/PIX", and we know OSPF is only running on Router X and Router Y. Could we just do "permit ospf any any", or allow specifically "permit ospf rtX rtY", etc.?



yusuff Wed, 03/28/2007 - 05:32

Answers inline:

1) It depends on the requirements & restrictions, but in most cases, there is no penalty for over-configuration.

2) Again, it depends on the question's requirements & restrictions. There is no golden rule that you can apply.

Please read the questions carefully, and if unclear, please ask the proctor for clarification.



Farrukh Haroon Wed, 03/28/2007 - 07:24

Hello Yusuf

One more question: we see that many candidates, when they go for re-reads, get their points increased (sometimes by as much as 13 points). This makes one feel there are some loopholes in how the CCIE lab exam is graded. OK, all humans err, but this being a thing that recurs so often, one feels there is something wrong??

If the grading process is 'accurate', maybe one person in hundreds would get an increase after a re-read.

Is it the automated scripts that are used, or what, I don't know... Maybe the program needs to introduce a 'global answer guide' that reduces the burden on proctors, because to be honest not all proctors master security like you or some other able proctors who know security in and out, or perhaps even stop the automatic grading tools used?

So once the content writers make a question, they update the answer guide, thereby reducing the error rate in marking. Just a suggestion.

Please let me know your views on this.



yusuff Wed, 03/28/2007 - 08:03


My question to you is how and where did you learn about 13 points. First, we never give feedback in point(s), and it is possible to calculate points on the basis of the score-card we send you. An increase of 30% to 60% doesn't mean a huge point difference; it may be only a 2-point question, so please do not assume or formulate algorithms to calculate points.

As you mentioned, the scoring is very accurate and points rarely change... as you said, an "almost 1 in 100" ratio.

I request folks on this list and others to stop speculating about things and to clarify with us directly. Never assume anything, please.

The grading is entirely dependent on the proctor. Having said that, we also use 'automated tools' to expedite some of the repetitive tasks in grading and checking the same items on all devices, but ultimately, it is the proctor who judges whether the answer is correct and/or awards the points.

Hope it clarifies.



locp Wed, 03/28/2007 - 07:33

Good day Yusuf,

Two questions:

1. Would I get the indirect points for "band-aid" solutions? By band-aid I mean a particular task required me not to do A, and I am stuck with A anyway! Will I lose points only for A but not for the interrelated questions?

2. Is the ACS evaluation for Windows not available to the public?

TIA, Loc

yusuff Wed, 03/28/2007 - 08:06

Hi Loc,

Answers inline:

1) It depends; there are some questions which are interdependent and some are not. If a question "B" is dependent on the success of "A", and you miss "A", then of course you will miss both points. But if it is NOT dependent, then you will only lose "A" and still get the points for "B".

2) For the ACS download, visit:

and go to "Cisco Secure Access Control Server 90-day Evaluation Software".



locp Wed, 03/28/2007 - 09:01

Hello again Yusuf,

After login, I try to download the file:


ACS v4.1 90-Days Evaluation Release Notes 4.1 xxxx xxxxx

ACS v4.1 90-Days Evaluation Software 4.1 xxxxx xxxx


"This page is only available to registered users with a Cisco Service Agreement."

Does it require a CSA?

Will it be available for CCIE study with the evaluation version?


yusuff Thu, 03/29/2007 - 02:44

Hello Loc,

I am unsure of the CSA, but normally you should be able to download a 90-day eval copy.

Please contact the TAC support centre if you have problems downloading it.



locp Thu, 03/29/2007 - 07:34

Thanks Yusuf, it seems to be that way, so I may need to query my SE then.

For the context of troubleshooting within the security lab, would you limit it to pre-configured devices, with all others at default (i.e. wr erase and reload)? I ask this since we have IDS, ACS, ASA, and it takes a lot of time to check them all out.


yusuff Fri, 03/30/2007 - 02:40

Troubleshooting is most likely within the pre-configuration, as security appliances (PIX/ASA, VPN3k, IDS) do not have any configuration except the basics (hostname, enable password, etc.). There is no sense in doing troubleshooting on a security appliance with no config.

Hope that makes sense.



arif786 Wed, 03/28/2007 - 19:29

Hello Yusuf,

A few more before you go.

1) Are we provided some hints for questions in the lab? Just curious.

2) Where can I find some good resources about these topics listed under written blueprint, security general?

Security Audit & Validation

Risk Assessment

Change Management Process

Incident Response Framework

Very thankful for your response.



yusuff Thu, 03/29/2007 - 02:38

Hello Arif,

Answers inline:

1) No hints :) The lab proctor is available to clarify the requirements only. He cannot offer you any hints.

2) Check out some of the CISSP-type materials for these items. Also, there are several articles/books available on Security Audit, Incident Response, etc. Search the web.



imran06 Thu, 03/29/2007 - 01:20

Hello Yusuf,

Are the PIX 6.3 version and IDS 4.0 version completely upgraded to new versions, or is there still a chance of seeing that IOS in the labs?



cjasztrab Thu, 03/29/2007 - 08:41

Hello Yusuf,

How are you today? Still living in Dubai? I have two questions.

1. When I talked with you @ Networkers 2006 you mentioned that you were working on a CCIE Assessor for the Security track. Is that still on the horizon, or has it been put on the back burner?

2. As for the routing in the lab, you mentioned in a reply to another individual that we still have to configure routing on the security devices. Is it safe to assume this includes all aspects of routing such as redistribution, summarization, filtering, etc.?

chris jasztrab

yusuff Fri, 03/30/2007 - 02:51

Hi Chris,

I am good thanks, and yes, still living in Dubai :)

Answers inline:

1) Assessor Security is on the radar, but there is something else under the plan as well. I don't have much info at this point in time.

2) Yes, you are right; all aspects of routing on security appliances can appear on the exam. But please note, the emphasis is NOT routing; these will appear merely to complete an exercise.



rowl1004 Thu, 03/29/2007 - 12:32

Hello Yusuf,

I'm wondering if there are any updated "Router Firewall Security" books in the works. The one by Richard Deal (1-58705-175-3) is 3 years old. Would the CCSP SNRS Exam Prep book be considered an update?

yusuff Fri, 03/30/2007 - 02:53


I am unaware of the update on CiscoPress books. You will need to ping CiscoPress to get more accurate information on their upcoming titles.



sebastan_bach Fri, 03/30/2007 - 03:00

Hi Yusuf, I would like to know what kind of troubleshooting we can expect with the pre-configurations.

I mean wrong ports assigned to wrong VLANs, wrong routes in the routing table. Then do we have to manipulate the routes and stuff like that?

I mean, without breaking the NDA, can you please guide us on this?

Waiting for your reply.



yusuff Fri, 03/30/2007 - 03:06

Without breaking NDA, here is a quick overview.

Troubleshooting is mainly focused on FUNCTIONALITY. For example, there will be a broken scenario (security context), e.g. IPsec LAN-to-LAN is pre-configured but NOT working.

You will be required to identify and fix the end-to-end issue and ensure it is working. The issue can be related to the IPsec config or even to non-IPsec config within.

This is typical in a traditional customer network: one configures security-related config, but someone makes changes to the network and your config no longer works.

Hope that helps understand the scenario.



Farrukh Haroon Fri, 03/30/2007 - 04:46

Dear Yusuf

Some more questions regarding the blue print please:

1) "EzVPN Hardware Client": is there any device within the CCIE Security lab equipment that can support this? I am sorry, but I have never been to the lab, so I don't know, and I can't find anything on the "Lab Equipment" CCO page. I think now we have a VPN Client PC, so maybe "EzVPN Software Client" is now possible. I mean, do 2600, 3600 or 3700 routers support this feature?

2) Also, can you please advise some good resources to prepare for the network attacks section?

3) Also, is it possible that in the lab, on the second (new) PC, any security tool could be there, NMAP etc.? Now or maybe in the future?

4) Are there any plans to introduce CSA in the lab exam?

Thanks and Regards


yusuff Sat, 03/31/2007 - 05:20

Hello Farrukh,

Answers inline:

1) The Cisco EzVPN hardware client is supported and tested in the exam on routers and/or PIX/ASA too. E.g.:

2) Read common vulnerabilities and security advisories that are regularly posted on the Cisco website and general security websites/forums. Understand the protocol stack and how it can be exploited. Understand the various tools/solutions available in Cisco IOS and firewalls that can help mitigate these.

3) NDA... cannot answer what is in the lab on the 2nd new PC in the rack.

4) Yes, CSA and other technologies are being considered for the future.



