Cisco Support Community

ASK THE EXPERT - CCIE SECURITY

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on the Cisco CCIE Security with Cisco expert Yusuf Bhaiji. Yusuf CCIE No. 9305 (Routing & Switching and Security), has been with Cisco for seven years and is currently the program manager for Cisco CCIE security certification and CCIE proctor in the Cisco Dubai Lab. Yusuf has authored two Cisco Press books; "Network Security Technologies and Solutions" and "CCIE Security Practice Labs". In addition to authoring these, he has also been a technical reviewer for several Cisco Press publications and written articles, white papers, and presentations on various security technologies.

Remember to use the rating system to let Yusuf know if you have received an adequate response.

Yusuf might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through May 30, 2008. Visit this forum often to view responses to your questions and the questions of other community members.

46 REPLIES
Silver

Re: ASK THE EXPERT - CCIE SECURITY

Yusuf -

I currently hold a CCSP. My cert expires next March, so I am researching recert options. I was wondering if I choose to recert by passing a professional level exam can that exam be from ANY pro level test? Or must it be from any NON-CCSP test? I haven't taken the MARS exam and would like to recert with that if possible, but I don't want to waste my time if I can only recert with any NON-CCSP exam.

Thanks.

Jay Walker

Cisco Employee

Re: ASK THE EXPERT - CCIE SECURITY

Hi Jay,

You have posted your query in the wrong forum. This session is for CCIE Security discussions, and I am not aware of policies related to CCSP.

However, you can open a case online on www.cisco.com/go/certsupport to get an answer for this query.

Hope that helps.

Regards,

Yusuf

Community Member

Re: ASK THE EXPERT - CCIE SECURITY

Hi Yusuf,

It's great to have you on this Forum.

I am preparing for the CCIE Security Lab, which can take up to 8 months, so should I also read a bit about NAC & CS MARS, so as to easily cope with future changes in the Lab topics?

Thanks in Advance

Vijay

Cisco Employee

Re: ASK THE EXPERT - CCIE SECURITY

Hi Vijay,

If you are asking about the new revision and update in the lab exam, all I can tell you is that we are working on it; a final announcement is yet to be made. The announcement will provide complete details for the new v3.0 blueprint and the new hardware and software revisions.

However, general policy is that when we announce changes in the blueprint, we will give you 6 months' heads-up time to be able to do the lab exam as per the old blueprint. So you are safe to assume that the lab is not changing in the next 6 months, as there is no announcement made yet.

Hope that helps.

Regards,

Yusuf

Community Member

Re: ASK THE EXPERT - CCIE SECURITY

Really nice to see you here...

I need your expert advice; basically I am targeting CCIE Security after my CCNP; I have been pretty much inclined towards security right from my bachelor's; but probably I have to go for CCIE R&S first due to lack of lab equipment and finance (a few emulation s/w make the cost of a lab affordable for the R&S track).

My queries:

1- What are the pre-req skills for this track? I know it may take a year before I even enter into this track, but during that time adopting those skills will be helpful for me.

2- What books and material would you refer to as pre-req for this track?

3- Any preparation guideline, or can you refer me to some other links/posts?

Thanks a lot!!!

Community Member

Re: ASK THE EXPERT - CCIE SECURITY

Hi Yusuf, it's really nice to see you here. Hi Yusuf, I am planning for the CCIE Security, but it will take time as I am building my own pod at home.

I only want to know: should I buy the NAC appliance as well for the new blueprint?

pls help me in building my pod.

thanks

regards

jack

Cisco Employee

Re: ASK THE EXPERT - CCIE SECURITY

Hi Jack,

As I mentioned earlier in this session, we are still in the process of finalizing the new changes. Therefore, I cannot confirm about NAC appliance at this stage. A final announcement is yet to be made. The formal announcement on our web will provide complete details for the new v3.0 blueprint and the new hardware and software revisions.

However, general policy is that when we announce changes in the blueprint, we will give you 6 months' heads-up time to be able to do the lab exam as per the old blueprint. So you are safe to assume that the lab is not changing in the next 6 months, as there is no announcement made yet.

Hope that helps.

Regards,

Yusuf

Community Member

Re: ASK THE EXPERT - CCIE SECURITY

hi yusuf thanks a lot .

regards

jack

Cisco Employee

Re: ASK THE EXPERT - CCIE SECURITY

Hello Omair,

There are no formal prerequisites for doing any CCIE certification. However, it is recommended that you build up from the corresponding Professional-level cert, i.e. for CCIE Security, we recommend that you do the CCSP cert to strengthen your knowledge and foundation in core security components such as Firewall, IPS, VPN etc.

Recommended books;

http://www.cisco.com/web/learning/le3/ccie/security/book_list.html

and check out my book, it is inline with the blueprint;

Network Security Technologies and Solutions (ISBN# 1587052466)

For written exam;

CCIE Security Exam Quick Reference Sheets (ISBN# 1587053349)

Some online resources;

http://www.cisco.com/web/learning/le3/ccie/security/online_resources.html

Recommended Trainings (some of them are FREE online);

http://www.cisco.com/web/learning/le3/ccie/security/training.html

Hope that helps.

Regards,

Yusuf

Community Member

Re: ASK THE EXPERT - CCIE SECURITY

Hi Yusuf,

During the Lab, can we leave some debug commands on the equipment, or do we have to remove all the commands which are not relevant as per the Lab scenario?

I mean, is it possible that some extra commands can be considered for negative marking??

Thanks in advance

Vijay

Cisco Employee

Re: ASK THE EXPERT - CCIE SECURITY

Hi Vijay,

There are two parts in your question;

a) If you have enabled some debug commands, it is ok to leave them, as sometimes candidates forget to disable them. The proctor will disable them. But it is recommended that you do it prior.

b) Extra commands... negative marking. First of all, there is no negative marking concept. However, if you have added some extra commands, which hinder or violate some part of a question, then surely we will deduct points. Else, no issues (e.g. alias commands are ok).

Hope that clarifies.

R/Yusuf

Community Member

Re: ASK THE EXPERT - CCIE SECURITY

Dear Yusuf,

When we talk about routers, what is the serial interface meant for? Is it for getting connected to a CSU/DSU or terminal adapters?

If in case we have a built-in NT1 and CSU/DSU in a router, we would not need the serial devices as mentioned above.

What is the difference between V.35 and E1 on a router?

Cisco Employee

Re: ASK THE EXPERT - CCIE SECURITY

Hi,

The serial interfaces in the lab exam are used to connect to Frame Relay cloud.

The Frame Relay switch will always be pre-configured. You have to configure the client side, and the necessary information (DLCI numbers, etc.) will be provided in the exam.

Regards,

Yusuf

Gold

Re: ASK THE EXPERT - CCIE SECURITY

Hi Yusuf,

Routing, frame-relay etc. should be pre-configured - I heard there is sometimes missing (not working) pre-configuration and the candidate needs to fix it... Do you take any steps to minimize those errors?

Cisco Employee

Re: ASK THE EXPERT - CCIE SECURITY

Hi,

Yes; IP routing and basic Layer 2 (basic switching, FR) will be pre-configured on Routers and Switches only. You still have to do some configs on the security appliances (PIX/ASA, IPS, VPN3k). On some occasions, you may also have to do some additional Layer 2/3 configs to complete a task.

Some questions in the exam relate to troubleshooting skills, which will require you to identify errors in the preloaded configs. These errors could be in any part of your network... It will be network-wide troubleshooting.

Regards,

Yusuf

Community Member

Re: ASK THE EXPERT - CCIE SECURITY

Hello Yusuf,

What do you think about simulators for PIX/IDS...etc? Can one pass the lab using such tools?

Thanks.

Cisco Employee

Re: ASK THE EXPERT - CCIE SECURITY

Hi,

Honestly, I have no idea as I have never experienced or used it; so I would not be in the position to comment on this.

Regards,

Yusuf

Community Member

Re: ASK THE EXPERT - CCIE SECURITY

Hello Yusuf,

Two short questions:

1. Will L2TP only be tested on ASA/PIX/VPN3000 or also on the IOS routers?

2. What OS is used on the workstation?

Many thanks

Markus

Cisco Employee

Re: ASK THE EXPERT - CCIE SECURITY

Hi Markus,

Pls follow the blueprint which lists all the technologies that can potentially be tested in the lab;

http://www.cisco.com/web/learning/le3/ccie/security/lab_exam_blueprint_v2.html

On the TEST PC workstation, we use Windows XP Professional.

Regards,

Yusuf

Community Member

Re: ASK THE EXPERT - CCIE SECURITY

Yusuf -

Is there an estimated date to release the v3.0 blueprint announcement? I know after the announcement I still have 6 months left to test on v2.0, so I need to start planning my time.

thanks,

hcassolo

Cisco Employee

Re: ASK THE EXPERT - CCIE SECURITY

Hi,

At this point in time, no; we do not have an exact target date yet, and we are in the process of finalizing it. As soon as we do, we will make a web announcement.

Regards,

Yusuf

Cisco Employee

Re: ASK THE EXPERT - CCIE SECURITY

As I mentioned earlier, we are finalizing all the changes, there is no firm date yet.

R/Yusuf

Community Member

Re: ASK THE EXPERT - CCIE SECURITY

Can anybody help me?

I have a GRE tunnel... I want a source-based route towards my tunnel destination.

If anybody has an answer, please email me at bssohail@yahoo.com

Cisco Employee

Re: ASK THE EXPERT - CCIE SECURITY

Hi,

To get technical support help, pls post your query in the VPN category of the NetPro forum.

This session is about CCIE Security certification subject.

Regards,

Yusuf

Gold

Re: ASK THE EXPERT - CCIE SECURITY

Here's a non-technical question:

During the lab, are we allowed to bring any drinks or snacks? How long is the lunch break and is it provided for us? (After all, we did pay $1400 for the exam.)

-thanks

Cisco Employee

Re: ASK THE EXPERT - CCIE SECURITY

Each Cisco facility has a self-service area (kitchen) where you can help yourself to tea/coffee, drinks, etc. (free).

Lunch is also provided (inclusive).

Regards,

Yusuf

Community Member

Re: ASK THE EXPERT - CCIE SECURITY

Hello,

1- In the lab exam what equipment could you configure partially or totally using the graphical administration interface ?

2- I notice that "Tunnel Endpoint Discovery" solution has not been treated in your "network security technologies and solutions" book, is it a pure coincidence or is there a special reason?

thank you

Cisco Employee

Re: ASK THE EXPERT - CCIE SECURITY

Hi,

answers inline;

1- In the lab exam what equipment could you configure partially or totally using the graphical administration interface ?

>>>> You can only configure IDS and VPN3000 using the GUI.

2- I notice that "Tunnel Endpoint Discovery" solution has not been treated in your "network security technologies and solutions" book, is it a pure coincidence or is there a special reason?

>>>> Pls note, topics covered (or not covered) in the book are not directly related to the exam blueprint; the book is a reference point and serves as a supporting prep guide, and there is always a possibility that some items may not be covered in the text. On the same note, there are many other topics that are NOT part of the lab (e.g. GET VPN, MPLS VPN, MARS, etc.) which the book still covers. The book covers a wide range of audience.

Hope that helps.

R/Yusuf

Community Member

Re: ASK THE EXPERT - CCIE SECURITY

Yusuf, I want to configure ASA5511 in transparent mode to pass thru VLAN dot1q encapsulated subinterfaces from a Cisco 2811 router to a Cisco 3750 trunking port, the router being the subnet gateway, not the firewall. Can the firewall be configured in this manner, or what are my options? Thanks
