Cisco CCNA Security Lab Suggestions

In this article, we will cover the hardware you will need to build your own CCNA Security 640-554 lab. There have been some major changes to the 640-554 Security lab environment from the old CCNA Security exam. So without further ado, let's start to figure out the best way to build our CCNA Security Lab.

We should probably open by covering some of the differences between the CCNA Security 640-553 and the CCNA Security 640-554 exams. First and foremost, the new 640-554 CCNA Security exam has replaced SDM (Security Device Manager) with CCP (Cisco Configuration Professional), and it also places less emphasis on the CLI (Command Line Interface). Next, the CCNA Security 640-554 exam covers many topics only from a CCP perspective. So get very comfortable with CCP! All that said, if you have made it this far in your Cisco career, I think you will find the CCP GUI quite easy to use compared to remembering all the levels and syntax of the CLI.

How Many Routers for my CCNA Security 640-554 Lab?

The lab kits we offer for CCNA Security use three routers and the same number of switches. In our Premium CCNA Security Lab Kit we use three routers and three switches. In building your CCNA Security lab, the first thing you need to consider is picking up a router that can support an IOS with the feature set to cover the exam objectives. Many students assume that the older 2500, 2600 or even some of the 2600XM 12.4 series routers which support IP/FW/IDS Plus or IPSEC 3DES will do the job. Although they can cover some of the CLI topics, the first issue is that they do not support zone-based firewalls or IPS. The second issue is that they do not support CCP. This is a change from the older version of the CCNA Security exam, where the 2600XM series was fine because it supported SDM. Now that SDM has been replaced and the 2600XM does not support CCP, it is no longer relevant. Since much of the exam covers CCP, none of the above routers are really a viable option.

Premium CCNA Security Lab Topology

What Routers Will Work and Why?

So what routers will work? You will need an ISR (Integrated Services Router) model router. The most economical choice is the 1841 or the 2800 series routers. These routers will support the 15.1 Advanced IP Services feature set, which supports zone-based firewalls and IPS. They also support CCP, which is the key. You are also going to want to make sure the 1841 routers are 256/64, the 2801 routers are 384/128 and the 2811 routers are 512/128 so you can run the proper IOS and CCP. Otherwise you will find out that you can't run both because you don't have enough memory. Below you will find a table with the memory requirements to run Advanced IP Services and CCP on a router for both IOS 12 and 15. My suggestion is to have a mix of these routers so you get exposure to the different models you can see in the real world, since not every router you work on there will be an 1841. The one caveat to that comment is if you plan on doing CCNA Voice: then make sure two of the routers are 2811 512/128 routers to have the best experience, as you will need it for CME.

Model                12.4 Memory Req. (DRAM/Flash MB)   15.x Memory Req. (DRAM/Flash MB)
Cisco 1841           256/64                             256/64
Cisco 2801           256/64                             384/128
Cisco 2811 & 2821    256/64                             512/128

What About Switches for my CCNA Security Lab?

Finally, from a switch perspective, the 2950 switches are the way to go for most people. The 2960 switches are what Cisco suggests, but the 2950 covers all the test concepts and commands except for the Dynamic ARP Inspection feature, which it lacks. We include a standard 2950 in our kits, which you can upgrade to an enhanced 2950, or you can exactly match the Cisco topology with a 2960. It is all up to you and your budget.

What About ASA (Adaptive Security Devices) Like the ASA 5505?

I am glad you asked. Another major change to the CCNA Security 640-554 exam is that they have included a slew of questions on their security devices. The lab workbook calls for an ASA-5510, but you can complete the labs with the ASA-5505. But let's say you want the ASA-5510 because you want to really know Security inside and out: we offer that as an upgrade option. We also offer the ASA-5510 with the SSM-10 modules so you can play with the Context Security and Control Services features it provides, such as antivirus, anti-spyware, file blocking, anti-spam, anti-phishing, URL blocking and filtering, and content filtering.

What are the CCNA Security Labs that are covered?

CCNA Security Lab Workbook Labs
Chapter 1 Lab A: Researching Network Attacks and Security Audit Tools
Chapter 2 Lab A: Securing the Router for Administrative Access
Chapter 3 Lab A: Securing Administrative Access Using AAA and RADIUS
Chapter 4 Lab A: Configuring CBAC and Zone-Based Firewalls
Chapter 5 Lab A: Configuring an Intrusion Prevention System (IPS) Using the CLI and CCP
Chapter 6 Lab A: Securing Layer 2 Switches
Chapter 7 Lab A: Exploring Encryption Methods
Chapter 8 Lab A: Configuring a Site-to-Site VPN Using Cisco IOS and CCP
Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client
Chapter 8 Lab C (Optional): Configuring a Remote Access VPN Server and Client
Chapter 9 Lab A: Security Policy Development and Implementation
Chapter 10 Lab A: Configuring ASA Basic Settings and Firewall Using CLI
Chapter 10 Lab B: Configuring ASA Basic Settings and Firewall Using ASDM
Chapter 10 Lab C: Configuring Clientless and AnyConnect Remote Access SSL VPNs Using ASDM
Chapter 10 Lab D: Configuring a Site-to-Site IPsec VPN Using CCP and ASDM
Appendix: ASA 5510 Supplemental Lab Manual
Chapter 10 Lab E: Configuring ASA 5510 Basic Settings and Firewall Using CLI
Chapter 10 Lab F: Configuring ASA 5510 Basic Settings and Firewall Using ASDM
Chapter 10 Lab G: Configuring ASA 5510 Clientless and AnyConnect Remote Access SSL VPNs Using ASDM
Chapter 10 Lab H: Configuring a Site-to-Site IPsec VPN Using CCP on an ISR and ASDM on an ASA 5510

We have also created another lab workbook focused specifically on the Cisco ASA 5500 devices (this lab workbook will work on the PIX firewalls too!).

ASA 5500 Lab Topology

So your next logical step would be to check out our ASA 5500 & PIX Firewalls Demystified! Lab Workbook. It covers 25 different real world PIX and ASA 5500 series scenarios: how to set up ASA Security Levels, a DMZ with multiple internal zones, site-to-site VPNs and much, much more! This is where you really start to have some fun in your CCNA Security Lab!

That about wraps it up from an equipment perspective. The Cisco CCNA Security 640-554 is one of the more expensive labs. There is good and bad about that. Cisco has finally started to upgrade the lab requirements beyond the 15-year-old 2500 series routers and is getting into some of the more real world units you will see in the workplace that support some of your advanced features like CCP. But I am sure you will agree that it is definitely a major improvement and enhances your learning experience.

For many more CCNA Security articles and videos, we highly suggest you subscribe to the Premium CCNA Content section of our website. Here you will find access to over 350 CCNA, CCNA Security and CCNA Voice articles explaining the most difficult concepts to master. That is not all: you will also have access to over 100 CCNA, CCNA Security and CCNA Voice labs found nowhere else, not even in the lab workbooks that we sell. They are only available to our CCNA Premium Content subscribers. But there is more! You also get access to over 60 videos and tons of games to make your CCNA studies fun, such as exam questions, flash cards, CCNA Hangman, Jeopardy, Million Dollar Question and much more!