Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on the CCIE Security Lab exams with expert Yusuf Bhaiji.
Yusuf, CCIE No. 9305 (Routing & Switching and Security), has been with Cisco for seven years and is currently the program manager for Cisco CCIE security certification and CCIE proctor in the Cisco Dubai lab. Prior to this, he was technical lead for the Sydney Technical Assistance Center (TAC) Security and VPN team. Yusuf is an advisory board member of several non-profit organizations for the dissemination of technologies and promotion of indigenous excellence in the field of internetworking through academic and professional activities. He chairs the Networkers' Society of Pakistan (NSP) and IPv6 Forum Pakistan chapter.
Yusuf has authored two Cisco Press books: "Network Security Technologies and Solutions" and "CCIE Security Practice Labs." In addition to authoring these, he has also been a technical reviewer for several Cisco Press publications and written articles, white papers, and presentations on various security technologies. He is a frequent lecturer and well-known speaker presenting at several conferences and seminars worldwide. Yusuf's passion for security technologies and solutions has played a dominant role in his 17 years of industry experience, from as far back as the time when he obtained his master's degree in computer science and achieving numerous certifications.
Remember to use the rating system to let Yusuf know if you have received an adequate response.
Yusuf might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 3, 2009. Visit this forum often to view responses to your questions and the questions of other community members.
Nice to have you here. A few questions related to the CCIE lab:
- Do you recommend any Practice Lab book specifically for V3.0? Are you planning to publish a new edition of your (Practice Lab) book, i.e. applicable to V3.0?
- If I have 3750 or 3550 instead of 3560 and 1800 instead of 2800 or 3800 in my personal lab, would it suffice or do I have to do the practice only on given models stated in the blueprint to be safe?
- Would you recommend any CCIE training program in Dubai, UAE? Last year, Cisco conducted a CCIE Security Mentoring program (for channel partners) in Dubai, i.e. with lab, books, tutor etc., but it is not heard of anymore. That was an excellent initiative.
- How should the CCIE examinee spend his last week before the actual lab exam, e.g. the topics to be covered/brushed up, areas to focus on, schedule etc.? Any specific recommendations for candidates appearing from Dubai?
Thanks a lot.
Yes, I am working on the 2nd edition of the Practice Lab book, which is due sometime in Aug/Sept. Stay tuned and keep checking the Cisco Press website.
Cat3750 and/or any ISR router model is OK for the lab prep as long as all the features in the blueprint are available on that platform.
For CCIE Mentoring program, pls send me an email and I will give you more details.
For the last week, my only recommendation is to focus on speed and accuracy and, most importantly, relax and have some fun. No need to stress out in your last few days; you need to give your 100% on the lab day :)
Hope that helps.
Could you please let me know your email ID?
- Other than the IPS, can the examinee choose to use CLI only on all the devices during the exam?
I have joined an ISP (Internet service provider) in a NOC post and I am getting a problem in the specific area of attachments, downloading and uploading. What could be the reason behind it? Please mail me.
Your query is a bit unclear; however, it doesn't seem to be related to CCIE Security certification.
Please note this session is specifically for queries related to the Cisco CCIE Security certification exam.
Welcome to the forum once more :)
Is there any possibility of a 'troubleshooting' section being added to the security exam as well?
You mentioned that an ISR router model is OK for the lab prep; then why is it that the equipment blueprint lists both, i.e. 1800 and 3800 routers, while exempting 2800?
We've provided you with details of what we are using in the lab. However, all IOS software revisions support the same feature set on ISR models such as 1800, 2800 and 3800. In summary, you can use any router model as long as all items listed in the blueprint are covered and supported.
At this point, we are introducing a Troubleshooting section into the R&S track only; however, this is on the roadmap for other tracks and will eventually be introduced similar to the Core Knowledge implementation.
The IPS module can be used for basic IPS configuration and basic signatures; however, there are many other advanced features that are absent on the module, and only available on the sensor appliance.
In my opinion, I would recommend using the sensor appliance for lab prep.
My 2 cents.
1. What is the goal behind introducing open questions at the Lab exam?
2. How could we prepare well for this?
3. Is it right that if you fail 2 questions in the open questions section and you have 80 points for the Lab, you'll fail the exam?
Thank you very much for your response.
1. One of the primary goals to introduce the new Core Knowledge Section is to maintain exam security and integrity and ensure only qualified candidates achieve certification. The questions will be designed to validate concepts, theory, architecture and fundamental knowledge of products & protocols.
2. No new topics are being added; questions are covered from the lab exam blueprint. Therefore, no special prep is required. Focus on the core concepts and architecture of the protocols and technologies covered in the lab blueprint.
3. The Core Knowledge section is scored Pass/Fail and every candidate will be required to pass in order to achieve CCIE certification. A candidate must answer at least three of the four short-answer questions correctly to Pass the Core Knowledge section, which will be indicated with a 100% mark on the score report. If a candidate answers fewer than three correctly, the Core Knowledge section will be marked 0%, indicating a Fail. A 0% does not necessarily indicate the candidate answered all the questions incorrectly.
Hope that answers your query.
I would like to know what will happen if someone doesn't answer the open-ended questions correctly? Will that make me fail the test? I am just not so clear on that.
As mentioned earlier:
The Core Knowledge section is scored Pass/Fail and every candidate will be required to pass in order to achieve CCIE certification. (In other words, you must PASS both sections, Core Knowledge and Configuration, to achieve the CCIE certification.)
A candidate must answer at least three of the four short-answer questions correctly to Pass the Core Knowledge section, which will be indicated with a 100% mark on the score report.
If a candidate answers fewer than three correctly, the Core Knowledge section will be marked 0%, indicating a Fail. A 0% does not necessarily indicate the candidate answered all the questions incorrectly.
Thank you for giving us your time to ask questions on the CCIE Security Exam. We all really appreciate it. I hope that my questions will be appropriate but I know you won't answer anything that is too intimate to the test, so I hope nothing I ask to be out of line.
I have noticed on the new blueprint that it still lists CA (PKI) for VPN. But it no longer lists a CA Server. Does this mean the CA Server is pre-configured, or is it that the CA Server is now one of the IOS routers and there is no longer a Microsoft CA Server in the lab?
For the list of equipment, I don't see the listing of an AIM-VPN module for the devices, which I have been told is required to run Stateful IPSec VPN. Is this used in the lab or is this topic beyond the scope of the lab?
For the ACS Server, do students have direct access, Remote Desktop, to the ACS server or is it only via the Admin Web Interface? I know the blueprint lists using IDM for IPS configuration so I wasn't sure if the ACS server and XP workstation could be used to access it or just the XP Workstation.
Can students bring colored pencils or colored pens into the lab for re-working their diagrams?
Is it possible to get a re-confirmation of what students should have access to as far as documentation? Is this list Correct?
- General Information
- Command References Guides
- Release Notes
- Configuration Guides
- Configuration Examples and TechNotes
- Troubleshoot and Alerts
- Security Advisories, Responses and Notices
- Troubleshooting TechNotes
- Technology Q&A
I have been focusing a lot on teaching people to understand the technologies but nobody is going to know everything going into the test. I know I didn't when I took it.
There are many ways, as you know, to skin the cat with Cisco Software. My question would be in relation to using old techniques versus new techniques. Should I be helping people to focus only on the newer ways of configuring technologies or should both still be used? This question is cutting a little close, I know, but with the increase in new features I am hoping to help people learn the technology in ways that are applicable to the trend of the technology and not waste time on methods that are outdated and do not support as many features, i.e. using MQC for Security techniques versus legacy QoS techniques for Security that are outdated.
My goal in asking these questions is to know the direction I should be taking students in, not only for the test but in strengthening their technical abilities as Network Engineers.
Again, Thank you in advance for your time Yusuf.
Just to extend on Tyson's comments about documentation access, I have found some excellent docs, deployment guides etc. under Products & Services Whitepapers which I can't seem to navigate to via the support pages.
The Flexible Packet Matching Deployment guide is one that comes to mind.
Will these also be available during the lab, or are there plans to make them available under the support pages?
The important thing to remember is the categories of documentation, and all/any documents under the categories listed in Tyson's post are available for candidates. Documents posted under a different category may not be available and there are no plans for now.
I will do my best to answer your queries.
1) The CA server will be based on the IOS router now, and candidates need to know how to configure and troubleshoot it. No more Microsoft CA server.
2) The AIM-VPN module is not used in the lab (for now).
3) For ACS, candidates have Admin web interface access only via browser, e.g. http://ip_address:2002
4) We provide color pencils on each desk.
5) The list of documentation seems correct; candidates can access all of these.
6) Regarding prep, legacy vs. cutting-edge, you need to have a balance and do both, but more inclined towards newer technologies.
Hope that helps.
Thank you very much for your response. You helped to clarify a few things I was unsure about.
One more question that I believe you answered back in October but after Maurilio's recent comments for the R&S Ask the Expert I feel like I am mixing up the two. I can't seem to recall if you did cover this in October for sure.
Is this correct for the equipment list?
- 1 ACS Server
- 1 XP Workstation
- 1 4240 IPS Appliance
- 2 5510 ASA Firewalls
- 2 3560 Switches
- 4-6 ISR Routers (1800s and 3800s based off the blueprint) (This is the main one I can't remember what you had said)
Is there any additional equipment connected to the student's rack that interacts with the student's topology that they would need to be concerned with?
I am thinking that is what you said but maybe I am mistaken.
Again, Thank you in Advance for your Time and answers.
The equipment models you have listed are all correct; however, we do not confirm the count as it varies from topologies and non-disclosure.
There are several very ambiguous topics in the blueprint, such as "configure advanced security features".
These topics on the surface could contain just about anything. So are there any technologies that will be used in the lab that are not specifically defined in the blueprint, i.e. VRFs etc.?
Appreciate this may ride a little close to the line in terms of NDA.
Yes, items such as VRFs can fall into the "Advanced Security Features" category.
The reason we have this type of topic on the blueprint is to highlight the non-core items which may have a smaller impact in the lab exam, tasks that are one-off type and not very critical.
On the same note, new features and other advanced IOS options (minor) which cannot be individually itemized in the blueprint also fall into this category.
Hope that makes sense.
MPLS VPN is a major topic and not covered in Security lab; however, "VRF aware IPsec" is partially covered.
I want to know if, as with the new CCSP courses, all the labs are GUI-oriented?
If they are, can we expect some questions exclusively in CLI, like troubleshooting?
Thanks for your time!