Cisco CCNA Security Lab Suggestions

In this article, we will cover the hardware you will need to build your own CCNA Security 210-260 lab. There have been some major changes to the 210-260 Security lab environment from the old CCNA Security exam. So without further ado, let's start to figure out the best way to build our CCNA Security Lab.

We should probably open by covering some of the differences between the previous CCNA Security 640-553 and the CCNA Security 640-554 exam. First and foremost, the new 640-554 CCNA Security exam has replaced SDM (Security Device Manager) with CCP (Cisco Configuration Professional), and it also has less emphasis on the CLI (Command Line Interface). Next, the CCNA Security 640-554 exam covers many topics only from a CCP perspective. So get very comfortable with CCP! All that said, if you made it this far in your Cisco career, I think you will find the CCP GUI quite easy to use compared to remembering all the levels and syntax of the CLI. With the latest CCNA Security 210-260 exam, Cisco has moved on and dropped CCP. We are now back to remembering all the syntax and using the CLI again.

How Many Routers for my CCNA Security 210-260 Lab?

The lab kits we offer for CCNA Security use three routers and the same number of switches. In our Premium CCNA Security Lab Kit we use three routers, three switches, and an ASA. In building your CCNA Security lab, the first thing you need to consider is picking up a router that can support the IOS with the feature set to cover the exam objectives. Many students assume that the older 2500, 2600 or even some of the 2600XM 12.4 series routers which support IP/FW/IDS Plus or IPSEC 3DES will do the job. Although they can cover some of the CLI topics, the first issue is that they do not support zone-based firewalls or IPS. The second issue is that they do not support CCP. This is a change from the older version of the CCNA Security exam, as the 2600XM series used to be fine since it supported SDM. But since it does not support CCP, it is no longer relevant. Since much of the 640-554 exam covers CCP, none of the above routers are really a viable option. The 210-260 exam has dropped CCP, but it has put higher demands on the version of IOS required (IOS 15) and the need for more capability in your command sets.


Premium CCNA Security Lab Topology


What Routers Will Work and Why?

So what routers will work? You will need an ISR (Integrated Services Router) model router. The most economical choice is the 1841 or the 2800 series routers. These routers will support the 15.1 Advanced IP Services feature set, which supports zone-based firewalls and IPS. They also support CCP, which is the key. You are also going to want to make sure the 1841 routers are 256/64, the 2801 routers are 384/128 and the 2811 routers are 512/128 so you can run the proper IOS and CCP. Otherwise you will find out that you can't run both as you don't have enough memory. Below you will find a table with the memory requirements to run Advanced IP Services and CCP on a router for both IOS 12 and 15. My suggestion is to have a mix of these routers so you get exposure to the different models you can see in the real world, where not every router you work on will be an 1841. The one caveat to that comment is if you plan on doing CCNA Voice: then make sure two of the routers are 2811 512/128 routers to have the best experience, as you will need it for CME.

While the 2811 router is still our recommendation for getting the most capability for your money, the CCNA Security 210-260 is designed for the 1941 router with the Security Technology Package. This license will support additional features such as Cisco IOS Firewall, SSL VPN, DMVPN, IPS, GET VPN, IPsec, etc. So, if you want to be able to do every single command and not miss a beat, then the 1941 Sec is the best option. Unfortunately, the 1941 Sec is one of the more expensive devices that we offer, which often puts it financially out of reach. A good solution, if your budget won't allow you to get three of these, is to consider purchasing one and using it as a lead router in conjunction with two 2811 or 1841 routers. This way, you will have at least one device where you can completely work through all of the syntax if you want. The additional bonus to the 1941 is that it will also double as a router that can do all of the commands for both CCNA and CCNP! So, it will cover all three exams!

Once again, we know this can all get confusing and we are here to help! Always feel free to reach out through our Contact Us page if you have any questions.

| Model | IOS 12.4 Memory Req. (DRAM/Flash, MB) | IOS 15.x Memory Req. (DRAM/Flash, MB) |
|---|---|---|
| Cisco 1841 | 256/64 | 256/64 |
| Cisco 2801 | 256/64 | 384/128 |
| Cisco 2811 & 2821 | 256/64 | 512/128 |
| Cisco 1941 | N/A | 512/256 |

What About Switches for my CCNA Security Lab?

Finally, from a switch perspective, the 2960-S switches are the base device in most of our budget level kits. These will run IOS 15, but are only capable of the LanLite version, which supports fewer commands. The 2960-TT switches are what Cisco suggests, and they run the more capable LanBase image. We include a 2960-S in our kits, which you can very affordably upgrade to a 2960-TT to exactly match the Cisco topology with a 2960. It is all up to you and your budget. Once again, the 2960-TT is also the exact match for CCNA and will make up half of the switch topology for CCNP. So, if it is within your budget, we highly recommend the 2960-TT model.

What About ASAs (Adaptive Security Appliances) Like the ASA 5505?

I am glad you asked. Another major change to the CCNA Security 640-554 exam is that they have included a slew of questions on their security devices. The CCNA Security lab workbook calls for an ASA-5510, but you can complete the labs with the ASA-5505. But let's say you want the ASA-5510 because you want to really know Security inside and out: we offer that as an upgrade option. We also offer the ASA-5510 with the SSM-10 modules so you can play with the Content Security and Control services features it provides, such as antivirus, anti-spyware, file blocking, anti-spam, anti-phishing, URL blocking and filtering, and content filtering.
The new 210-260 CCNA Security exam took a tighter focus on the ASA 5505 and the lab workbook is written for this device. The ASA 5510 is still the best option if you want to be able to move up into more advanced concepts, even ones not covered in the CCNA Security curriculum. However, that being said, the ASA 5505 will do everything in the current CCNA Security Lab Workbook and be a more economical solution if you are focused purely on certification and nothing past that.

What are the CCNA Security Labs that are covered?

CCNA Security Lab Workbook Labs
Chapter 1 Lab A: Researching Network Attacks and Security Audit Tools
Chapter 2 Lab A: Securing the Router for Administrative Access
Chapter 3 Lab A: Securing Administrative Access Using AAA and RADIUS
Chapter 4 Lab A: Configuring CBAC and Zone-Based Firewalls
Chapter 5 Lab A: Configuring an Intrusion Prevention System (IPS) Using the CLI and CCP
Chapter 6 Lab A: Securing Layer 2 Switches
Chapter 7 Lab A: Exploring Encryption Methods
Chapter 8 Lab A: Configuring a Site-to-Site VPN Using Cisco IOS and CCP
Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client
Chapter 8 Lab C (Optional): Configuring a Remote Access VPN Server and Client
Chapter 9 Lab A: Security Policy Development and Implementation
Chapter 10 Lab A: Configuring ASA Basic Settings and Firewall Using CLI
Chapter 10 Lab B: Configuring ASA Basic Settings and Firewall Using ASDM
Chapter 10 Lab C: Configuring Clientless and AnyConnect Remote Access SSL VPNs Using ASDM
Chapter 10 Lab D: Configuring a Site-to-Site IPsec VPN Using CCP and ASDM
Appendix: ASA 5510 Supplemental Lab Manual
Chapter 10 Lab E: Configuring ASA 5510 Basic Settings and Firewall Using CLI
Chapter 10 Lab F: Configuring ASA 5510 Basic Settings and Firewall Using ASDM
Chapter 10 Lab G: Configuring ASA 5510 Clientless and AnyConnect Remote Access SSL VPNs Using ASDM
Chapter 10 Lab H: Configuring a Site-to-Site IPsec VPN Using CCP on an ISR and ASDM on an ASA 5510

The New and Current CCNA Security 210-260 Lab Workbook v2.0 Labs
Chapter 1: Modern Network Security Threats
Lab A: Social Engineering
Lab B: Researching Network Attacks and Security Audit Tools
Chapter 2: Securing Network Devices
Lab A: Securing the Router for Administrative Access
Chapter 3: Authentication, Authorization, and Accounting
Lab A: Securing Administrative Access Using AAA and RADIUS
Chapter 4: Implementing Firewall Technologies
Lab A: Lab 4.4.1.2 – Configuring Zone-Based Policy Firewalls
Chapter 5: Implementing Intrusion Prevention
Lab A: Configure an Intrusion Prevention System (IPS)
Chapter 6: Securing the Local Area Network
Lab A: Securing Layer 2 Switches
Chapter 7: Cryptographic Systems
Lab A: Exploring Encryption Methods
Chapter 8: Implementing Virtual Private Networks
Lab A: Configure Site-to-Site VPN using CLI
Chapter 9: Implementing the Cisco Adaptive Security Appliance
Lab A: Configure ASA Basic Settings and Firewall Using CLI
Chapter 10: Advanced Cisco Adaptive Security Appliance
Lab A: Configure ASA Basic Settings and Firewall Using ASDM
Lab B: Configure a Site-to-Site IPsec VPN Using ISR CLI and ASA ASDM
Lab C: Configure Clientless Remote Access SSL VPNs Using ASDM
Lab D: Configure AnyConnect Remote Access SSL VPN Using ASDM
Chapter 11: Managing a Secure Network
Lab A: CCNA Security Comprehensive Lab

We have also created another lab workbook focused specifically on the Cisco ASA 5500 devices (this lab workbook will also work on the PIX firewalls!).


ASA 5500 Lab Topology


So your next logical step would be to check out our ASA 5500 & PIX Firewalls Demystified! Lab Workbook. It covers 25 different real world PIX and ASA 5500 series scenarios: how to set up ASA Security Levels, a DMZ with multiple internal zones, site-to-site VPNs and much, much more! This is where you really start to have some fun in your CCNA Security Lab!

That about wraps it up from an equipment perspective. The Cisco CCNA Security 210-260 lab is slightly more expensive than a CCNA lab with the recommended higher end devices and the ASA. There is good and bad about that. Cisco has finally started to upgrade the lab requirements beyond that of the 20 year old 2500 series routers and is getting into some of the more real world units you will see in the workplace that support some of your advanced features. But we are sure you will agree that it is definitely a major improvement and enhances your learning experience.

For many more CCNA Security articles and videos, we highly suggest you subscribe to the Premium CCNA Content section of our website. Here you will find access to over 350 CCNA, CCNA Security and CCNA Voice articles explaining the most difficult concepts to master. That is not all: you will also have access to over 100 CCNA, CCNA Security and CCNA Voice labs found nowhere else, not even in the lab workbooks that we sell. They are only available to our CCNA Premium Content subscribers. But there is more! You also get access to over 60 videos and tons of games to make your CCNA studies fun, such as exam questions, flash cards, CCNA Hangman, Jeopardy, Million Dollar Question and much more!