Aug 27th, 2010

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on CCIE Security with Yusuf Bhaiji. Yusuf Bhaiji is the product manager for the Cisco CCIE Security certification and is the CCIE Proctor in the Cisco Dubai Lab. Bhaiji has been with Cisco for 10 years and has 20 years of industry experience in security technologies and solutions. He also chairs the Networkers Society of Pakistan and the Pakistan chapter of the IPv6 Forum. Bhaiji has authored four books for Cisco Press: "Network Security Technologies and Solutions," "CCIE Security Practice Labs 1st Edition," "CCIE Security v3.0 Configuration Practice Labs 2nd Edition," and "CCIE Security Flash Cards." He has also been a technical reviewer for Cisco Press, a writer and presenter on various security technologies, and a frequent lecturer and speaker at conferences and seminars. Bhaiji holds a master's degree in computer science as well as CCIE certification #9305 (R&S and Security).

Remember to use the rating system to let Yusuf know if you have received an adequate response.

Yusuf might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through September 13, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

Fahad Wasi Mon, 08/30/2010 - 03:56

Sir Yousif Bhaiji,

I am a Computer Network student and have successfully completed my CNAP (Cisco Network Academy Program). I am going to take the CCNA exam soon and after that I'll go for CCNP. Sir, I am confused about Cisco certification. I am interested in both Cisco Security and Voice, but I do not understand which path I should take after CCNP.

Please correct me if I am wrong: is CCNA Security the basic or prerequisite for CCSP (Cisco Certified Security Professional), and CCNA Voice the prerequisite for CCVP (Cisco Certified Voice Professional)?

My other question is which path I should take, Cisco Security or Cisco Voice? I am actually confused between the two and sometimes do not understand which path I should take after CCNP. Do you really think that security is also important in Cisco Voice?

I hope my concern is clear.

yusuff Mon, 08/30/2010 - 06:13

Dear Fahad,

Yes, CCNA Security is a prerequisite for CCSP, and CCNA Voice is a prerequisite for CCVP.

See the URLs below.

To answer your other query regarding the technology choice of Security vs. Voice: it very much depends on your future plans and career aspirations. For example, if you wish to be an expert in Security and work as a security consultant/engineer, then you should pursue CCSP and CCIE Security. Whereas, if you like working with IP telephony solutions and deploying Voice solutions, then you should pursue CCVP and CCIE Voice. … it all comes down to what you want to do in your career in the next 2-3 years. Both have their own importance and need in the industry; neither is more important than the other, both technologies are good, it depends which technology is more INTERESTING for you.

Hope that helps.



Fahad Wasi Tue, 08/31/2010 - 00:21

Dear Sir Yousif,

Thank you for your help. I wanted to know whether, if a candidate has done CCNA Security and CCSP, he can work in a VoIP or IP telephony environment? Does the security-level knowledge that we gain from CCNA Security and CCSP only apply to networks and systems without VoIP support?

I hope my question is clear.



yusuff Tue, 08/31/2010 - 06:25

If you do CCNA Security and CCSP, you will cover most of the security technologies and solutions that Cisco has to offer.

However, VoIP security is a different subject and is not covered in these courses. Having said that, you can always work in a VoIP environment with your Security background, as it will give you a better understanding of the network.

JMC Nel Wed, 09/01/2010 - 07:17

We have a star topology using EIGRP and VRFs. We recently added a new site to our network. What makes this site different from the rest of our sites is that it makes use of another company's facilities and Comcast connection. The spare Comcast connection terminates at all their buildings as well as our building. It's only a handful of users. The few users will use this Comcast connection to access resources on our network off the 6509; please see the diagram. They have connectivity, but as of now no security on this connection. If someone from that company were to plug computers in on that connection at any building where it terminates and use the same line those users are using, they would gain access to our resources and network. What would you recommend we do to secure the connection and users? Any suggestions would be great.

yusuff Wed, 09/01/2010 - 10:19


I think your post is in the wrong session forum. This session is specifically focused on the CCIE Security certification, in order to help candidates pursuing the CCIE cert and provide them with guidelines and prep resources.

For all your technical support and design queries, kindly post your question on the NetPro forum under the Security section below, and an SME will be able to help you with your queries:

Hope that helps.



jlefko Thu, 09/02/2010 - 02:24


I have just started preparing for the CCIE Security lab, having passed the written in July. The hardware/software blueprint is about 18 months old right now; will there be updates to this shortly? Specifically, do you foresee moving to ACS 5.x? Other pieces aren't as big of a change, as the hardware wouldn't change (ASA/IPS/ISR). Do you also envision including other technologies in the future, like NAC maybe?

Take care.


yusuff Thu, 09/02/2010 - 02:39

Hi Jeff,

Due to confidentiality I cannot share much; however, there are no major changes coming, only minor stuff. ACS 5.x is not coming for sure, so you can strike that out.

If we make any changes to the blueprint (add/remove technologies and products), we will announce it on the website and give candidates sufficient time to ensure they can prepare ahead of time. Stay tuned.

Hope that helps.



ayman_gad Thu, 09/02/2010 - 14:58

Hi Yusuff

I am Ayman. I am preparing for my CCIE Security lab in October and I really need your help to know if there are any changes coming during this period before my exam date. And, due to my work, if I cannot take it in October and take it in 2011 instead, is there any possibility that it could be changed at the beginning of the new year? Sorry for this long one, but it is my first trial and I am really confused about it.

Thanks a Lot

yusuff Thu, 09/02/2010 - 15:03

Hi Ayman,

Due to confidentiality I cannot tell you what/when changes are going to occur before we make a public announcement; however, there are no major changes coming, only minor stuff.

If we make any changes to the blueprint (add/remove technologies and products), we will announce it on the website and give candidates sufficient time to ensure they can prepare ahead of time. Stay tuned and keep checking the CLN website regularly.

Hope that helps.


yusuff Thu, 09/02/2010 - 15:13

Just a clarification: when I say "minor stuff" I mean in the context of topics/blueprint and/or products; there are no plans to add new hw/sw in the short term.

petr_lopuhov Thu, 09/02/2010 - 15:17

Hi Yusuf,

It is well known that the core knowledge questions were introduced in the CCIE lab exam to overcome the problem of cheating. During the Cisco Live! presentation this year, you mentioned that about 3% of people pass the configuration section and fail the core knowledge questions. Theoretically, these are the *potential* "braindumpers" who have been filtered by the open-ended questions. Among these people, of course, there are "honest" candidates as well. Therefore, the amount of "cheaters" filtered by the core knowledge section should be expected to be around 1%. This is the estimated empirical filter "efficiency".

Based on that simple observation, it is apparent that using the core knowledge section does not really improve the exam integrity. Simply put, most of the "cheating" candidates fail the configuration section even without the core knowledge questions. It makes sense to simply go ahead and replace the open-ended questions with additional configuration tasks that, for example, may change in different exam variations. Given these conclusions, should we expect the core knowledge section to be eliminated any time soon, noting all the controversy it creates among the "honest" exam candidates?


Petr Lapukhov,

CCIE#16379 (R&S/Security/SP/Voice)

yusuff Thu, 09/02/2010 - 15:26

Hi Petr,

I understand where you are coming from, but we have other reasons to include CK, including cheating countermeasures when enforcing CK. However, as stated earlier in my other posts/presentations, CK may eventually be removed in the future once we can establish that the CK items are no longer required to produce secure and valid test results.

Hope that helps.



petr_lopuhov Thu, 09/02/2010 - 16:10


Thanks for the prompt reply! My other question is how "unbiased" the exam questions are going to be in the future. By "biased" I mean questions that use vague or tricky wording that is subject to the candidate's interpretation. This interpretation may not be unique (e.g. "use a VPN technology that offers best scalability" could be, say, GET VPN or DMVPN; both are scalable in some sense). As a counterexample, an ideal lab exam question should clearly state the "verification" procedure, e.g. specify that the candidate should be able to ping from point A to point B and obtain a specific "show" command's output (e.g. provide explicit "show crypto ipsec sa" or "debug crypto isakmp" output as part of the scenario). This would allow a candidate to be 100% sure whether his/her solution was wrong or right, without guessing.

My hope is to see the exam getting more "objective" and less "vague". An ideal test is one where a candidate cannot be failed simply because he/she misinterprets a question based on language vagueness. Making the exam scenarios uniquely interpretable and clearly *verifiable* will greatly increase the value of the CCIE certification.

Thanks again,

Petr Lapukhov,

CCIE#16379 (R&S/Security/SP/Voice)

yusuff Fri, 09/03/2010 - 06:32

Hi Petr,

Point taken, and thank you for the advice and valuable suggestions.



ayman_gad Thu, 09/02/2010 - 19:39

Hi Yusuff

I just want to know: when Cisco decides to make any changes to the lab, is Cisco going to announce it before the change is made? I mean, what is the period between the announcement and the actual change?


yusuff Fri, 09/03/2010 - 06:35

Hi Ayman,

Yes, we make an announcement on the website whenever a change is made. The heads-up time depends on the level of change (minor/major) and can vary from 1 month advance notice up to 3 months. In some cases, when the blueprint is refreshed overall, we can give up to 6 months advance notice. So it entirely depends on the level of change in question.



yusuff Sat, 09/04/2010 - 06:37

Hi Tom,

This session is specifically focused on the CCIE Security certification, in order to help candidates pursuing the CCIE cert and provide them with guidelines and prep resources.

For all your technical support and design queries, kindly post your question on the NetPro forum under the Security section below, and an SME will be able to help you with your queries:

Hope that helps.



philsetzer Sat, 09/04/2010 - 13:30

Good day Yusuff,

I have just acquired two Cisco 2516 routers. I am trying to perform a password recovery/reset. I am trying to follow the procedures in document ID 12722; however, I notice that there are several aspects of the router that are disabled in the configuration, such as BREAK, diagnostic mode, etc. What is the best way to perform a password recovery when the standard methods will not work?

My apologies if this is not the forum for this type of question.

Thank you and many blessings to your day.

Giuseppe Larosa Sat, 09/04/2010 - 23:40

Hello Philip,

Repost in NetPro Network Infrastructure under Getting Started with LAN, or another forum (LAN or WAN).

This is a special session focused on the CCIE Security lab, so your question is out of context here.

You should also have the option to move your post to another forum.

Hope to help


ipagliani Mon, 09/06/2010 - 15:12

Hi Yusuf,

I'm preparing for my first lab attempt and I took the written exam on 2/22/2010. Is it still valid, or do I have to take the CCIE Security Written v3.0 exam again?

I'd also like to know where I can find the same documentation that I can use during the exam.

Thanks for writing Net Security Technologies & Solution.

Iarno Pagliani

yusuff Mon, 09/06/2010 - 23:35

Hi Iarno,

No, you do not have to redo the written exam. You are eligible for the v3.0 lab exam even if you have done the v2.0 written exam, no issue.

During the lab, the following documentation link is available to you:



aritra.sunny Mon, 09/06/2010 - 22:53

Hi Yusuf, I took my exam on 6th September at the Bangalore center. There was some link problem between 12 am and 1 pm. I am pretty sure that I did all the required configuration correctly, but still I got 0% in VPN and in IPS, and in CoPP I got 58%. So I want to request a re-evaluation; is there any minimum criterion below which one cannot apply for re-evaluation? Please reply.

yusuff Mon, 09/06/2010 - 23:32


Yes, there is a minimum criterion/score required in order to be eligible for a reread request. If your total score is below the required threshold, you cannot request a re-evaluation. For more information, please open a customer support case.


Yusuf Bhaiji

aritra.sunny Tue, 09/07/2010 - 02:00

hi yusuf ,

My name is Aritra Ghosh. I took the CCIE Security lab on 6th September in Bangalore. In the lab the link was flapping from 12 am to 1 pm. I did the VPN configurations correctly and the data was properly getting encrypted and decrypted; I am pretty sure that I did the VPN configuration correctly, but still I got zero percent in VPN. Also, in the IPS there were three sections and I did all the configuration correctly, but still I got zero percent in IPS.

If my IPS was not configured correctly, how was I able to get 100% in identity management, when the traffic for identity management was flowing through the IPS? I am totally confused now. Do you think that the checking done by Cisco can be wrong? I want to have my results re-evaluated, but my overall percentage is coming to fifty. Am I eligible for re-evaluation? If not, how can I raise a case so that my exam is checked again? Please give me some suggestions as soon as possible, because I want to take some steps.

With regards,

ARITRA GHOSH



yusuff Tue, 09/07/2010 - 02:57

Hi Aritra,

I think I replied to you earlier: for any customer support issue, kindly open a case with the Customer Support team to explain your concern, and they will look into it.



golly_wog Wed, 09/08/2010 - 05:04

Hi Yusuf

Firstly, I wish to thank you for your efforts in creating the Cisco Press material for the CCIE Security. I've learnt so much from my studies, which has enabled me to excel in my current position. I put this down to my hard work and your mentoring.

After taking the CCIE a number of times, I've seen various questions from the lab posted on forums; these included not only lab questions, but I also saw 3 of the 4 OEQs I had from my last attempt posted online! (I did report this to the NDA team at Cisco.) I've also seen pass4sure documents that are pretty much word for word the same as the lab I have had.

After spending so much time and effort to gain the CCIE, I feel that it's being devalued. Of the people I know who have recently passed, I would say 75% have no experience with Cisco equipment. I was also asked by a recently certified candidate what a FWSM is!?!?

My question to you is: what reassurances can you give that Cisco is protecting the value of the certification, and is anyone being punished for breaking the NDA?

Many thanks

yusuff Wed, 09/08/2010 - 18:30

Hi Golly,

First, I appreciate you bringing up this discussion and your concerns about the CCIE certification. I would like to assure you that we take these matters very seriously. We have a dedicated team of Enforcement experts who are well qualified to review and act accordingly. We get many, many cases on a regular basis, and the Enforcement team works on EACH one individually, documents it and takes the necessary action. Actions include warnings and bans from certification (a 1-year ban up to a lifetime ban, depending on the severity). Be assured, we do take action upon a conclusive breach.

We've implemented a lot of security measures to protect the integrity of the CCIE programs, and we enforce security measures to protect your investment.

If you have any concerns or evidence to support a situation involving a breach of policy or an exam violation, do not hesitate to ping me or anyone in the CCIE team; we will take it seriously.

Thank you.


Yusuf Bhaiji

haithamnofal Thu, 09/09/2010 - 14:41

Dear Yusuf,

I would like to check whether, for your CCIE Security practice book "CCIE Security v3.0 Configuration Practice Labs 2nd Edition," there are any remote racks that follow the same physical and logical topology available for online purchase to practice the labs, or is each individual expected to build the lab physically by himself?



golly_wog Thu, 09/09/2010 - 15:03

Both IP Expert and Internetwork Expert support this on their racks.

yusuff Fri, 09/10/2010 - 15:00

Dear Haitham,

With the exception of minor cabling/wiring outline, most rack rental vendors support the book, particularly IPExpert and InternetworkExpert.



warsaji Thu, 09/09/2010 - 14:45

Hi Yusuf,

I am on my way towards Security. I have read your books and they really helped me a lot. Can you please refer me to some RFCs, IEEE documentation or other standards documentation which can supplement the books that I read?

Best Regards


Eli Barb Thu, 09/09/2010 - 15:24


I understand the idea of using different security levels to permit traffic flow from higher to lower security levels. I'm not sure I understand a compelling reason to rely on security levels instead of inbound and outbound ACLs applied to each interface, with all the interfaces set to the same level. Am I missing some best practice or firewall fundamental?

Since I use inbound and outbound ACLs, I feel like I have complete granular control over the traffic, so I'm not concerned about things that shouldn't be allowed getting through because of the same-security-permit inter-interface command being applied as well (for NAT exemption purposes, usually). I have seen some difficulties getting one-to-one static NATs to play well when you're doing various types of NAT and NAT exemption between all of these interfaces, which immediately work as you would expect when you give in and use different security levels.

Thoughts? Will the security level model eventually change and fade into the sunset? Being able to use inbound and outbound ACLs seemed like such a better way to control traffic than the security levels that I got used to using on the old PIX 6.3(5) code. Thanks.



sorry please ignore I just noticed this Ask the Expert is only in regards to CCIE Security certification and not Security in general. I apologize for the mispost. I'd remove it, but I don't see a delete option available.
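Added example, not from the thread and not from any of its participants: two ASA 8.0-style configuration fragments contrasting the model the post above describes (every interface at one security level, `same-security-traffic permit inter-interface` enabled, ACLs doing all the work) with distinct security levels plus explicit interface ACLs. Interface names, the RFC 5737 documentation addresses and the ACL names are assumptions; the fragments are meant to be read side by side, not pasted as one config.

```cisco
! Added example (not from the original thread). Addresses are RFC 5737
! documentation ranges; interface and ACL names are assumed. Pre-8.3 syntax.

! --- Model A: all interfaces at the same level, ACLs carry the policy ---
! Once same-security-traffic permit inter-interface is on, traffic between
! two same-level interfaces is permitted unless an ACL blocks it. Any
! interface that ends up without an access-group is open in both directions.
interface GigabitEthernet0/0
 nameif outside
 security-level 50
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 50
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0
same-security-traffic permit inter-interface
! (no access-group on dmz: dmz -> inside is permitted until someone notices)

! --- Model B: distinct levels, explicit ACLs, fail-closed default ---
! Lower -> higher is denied unless an ACL permits it, so a missing or
! mistyped access-group on dmz or outside denies rather than permits.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0

! Publish one DMZ web server (pre-8.3 static: mapped address first, real second)
static (dmz,outside) 203.0.113.10 192.168.20.10 netmask 255.255.255.255

access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! DMZ hosts may reach the Internet on 443 but never initiate toward inside
access-list DMZ_IN extended deny ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 log
access-list DMZ_IN extended permit tcp 192.168.20.0 255.255.255.0 any eq 443
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

Two checks worth running on either model: `show run access-group` to confirm every interface that should be restricted actually has an ACL bound to it, and `packet-tracer input dmz tcp 192.168.20.10 1025 192.168.10.5 445` to confirm a DMZ-to-inside flow is dropped and to see which rule (implicit lower-to-higher deny or an explicit ACE) drops it. Under model A the same trace reports ALLOW on any interface where the ACL was forgotten.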

tiagolousadasoares Thu, 09/09/2010 - 17:53

Hi Yusuf,

I am preparing to take the CCIE Security lab soon, and would like to ask if you can share with us what version of the ASA software is used in the lab (8.3 brings some changes a lab candidate would have to look out for)? It would help me "fine tune" my preparation for the lab :-)

Also, I would like to confirm that the features tested are only those introduced up to the version posted on the Lab Equipment page (for the ASA this would be 8.0, since the page refers to 8.x)?

Best regards,


yusuff Fri, 09/10/2010 - 15:06

Currently on the ASA we use version 8.0(x).

On a general note, if you see any device with a software version higher than the one listed on our website, we are not going to test any new features; only features from the version listed on the website will be tested.

mariorui Thu, 09/09/2010 - 20:17

Hi Yusuf,

There were recent changes to the CCIE R/S where a troubleshooting section was introduced into the lab exam. Will the CCIE Sec follow this trend and implement a troubleshooting section in the future?

All the best!

yusuff Fri, 09/10/2010 - 15:07

Yes, assessing troubleshooting skills in the lab exam will be an integrated format in all the tracks in the near future.

Glenn de Wysockie Fri, 09/10/2010 - 08:17

Hello Yusuf,

For studies I have an IDS 4215 with IDS 6.0(6)E4 software loaded. Will this be a good platform for lab practice?


Glenn de Wysockie

