Premium Library Contact Us/Help About Us Mobile View Welcome, Arindam

Log out
Connect with us on: Search the Learning Network
Cisco Learning Home IT Careers Connections Certifications Learning Center Our Store
Cisco Learning Home > Certifications > CCIESecurity > Lab Exam > For Registered Users Only > Documents
New Your Stuff History Browse
Up to Documents in For Registered Users Only
Created on: May 30, 2012 1:57 PM by wiliu - Last Modif ied: Nov 25,
2013 12:25 PM by Madhukar: Cisco Team
CCIE Security Lab Exam Topics
VERSION 5
S S S S M
0 Like
Hide Details
Hide Details
CCIE Security Lab Exam version 4.0
Exam Description

The Cisco CCIE Security Lab Exam version 4.0 is an 8-hour practical hands-on exam that tests
the skills and competencies of security professionals in terms of configuring and
troubleshooting Cisco security products and solutions.

Candidates may be required to perform implementation, optimization and troubleshooting
actions in each of the exam topic sections. Content may include both IPv4 and IPv6 concepts
and applications.

The following topics are general guidelines for the content likely to be included on the exam.
However, other related topics may also appear on any specific delivery of the exam. In order to
better reflect the contents of the exam and for clarity purposes, the guidelines below may change
at any time without notice.

Download Complete List of Topics in PDF format

1.0 System Hardening and Availability 14%
1.1 Routing plane security features (for example, protocol authentication and route
filtering)
1.2 Control Plane Policing
1.3 Control plane protection and management plane protection
1.4 Broadcast control and switch port security
1.5 Additional CPU protection mechanisms (for example, options drop and logging
interval)
1.6 Disable unnecessary services
1.7 Control device access (for example, Telnet, HTTP, SSH, and privilege levels)
1.8 Device services (for example, SNMP, syslog, and NTP)
1.9 Transit traffic control and congestion management
2.0 Threat Identification and Mitigation 14%
2.1 Identify and protect against fragmentation attacks
2.2 Identify and protect against malicious IP option usage
2.3 Identify and protect against network reconnaissance attacks
2.4 Identify and protect against IP spoofing attacks
2.5 Identify and protect against MAC spoofing attacks
2.6 Identify and protect against ARP spoofing attacks
2.7 Identify and protect against DoS attacks
2.8 Identify and protect against DDoS attacks
2.9 Identify and protect against man-in-the-middle attacks
2.10 Identify and protect against port redirection attacks
2.11 Identify and protect against DHCP attacks
2.12 Identify and protect against DNS attacks
2.13 Identify and protect against MAC flooding attacks
2.14 Identify and protect against VLAN hopping attacks
2.15 Identify and protect against various Layer 2 and Layer 3 attacks
Certifications
Show All
ENTRY
ASSOCIATE
PROFESSIONAL
EXPERT
CCDE Design Expert
CCIE Collaboration
CCIE Data Center
CCIE Routing & Switching
CCIE Security
Syllabus
Written Exam
Lab Exam
For Registered Users Only
CCIE Service Provider
CCIE SP Operations
CCIE Storage Networking (Retired)
CCIE Voice (Retired)
CCIE Wireless
ARCHITECT
SPECIALIST
POLICIES| REFERENCE| TOOLS
Actions
Report abuse
Receive email notifications
Send as email
View as PDF
View print preview
Bookmark this
View: Everyone
Bookmarked By (16)
More Like This
CCIE Security v4.0

CCIE Security Lab Exam

Checklist v4.0
CCIE Security Lab Exam v4.0
Checklist
d-Chapter 6: Network Security
Using Cisco IOS IPS
Security of applications
moving to a network
(whitepaper)
Incoming Links
CCIE Security Lab Exam
Overview
CCIE Security Written Exam
Overview
More by wiliu
View wiliu's profile
Languages:
Hide Details
Hide Details
Hide Details
2.16 NBAR
2.17 NetFlow
2.18 Capture and utilize packet captures
3.0 Intrusion Prevention and Content Security 20%
3.1 Cisco IPS 4200 Series Sensor appliance and Cisco ASA appliance IPS module

3.1.a Initialize the sensor appliance
3.1.b Sensor appliance management
3.1.c Virtual sensors on the sensor appliance
3.1.d Implement security policies
3.1.e Promiscuous and inline monitoring on the sensor appliance
3.1.f Tune signatures on the sensor appliance
3.1.g Custom signatures on the sensor appliance
3.1.h Actions on the sensor appliance
3.1.i Signature engines on the sensor appliance
3.1.j Use Cisco IDM and Cisco IME to manage the sensor appliance
3.1.k Event action overrides and filters on the sensor appliance
3.1.l Event monitoring on the sensor appliance
3.2 VACL, SPAN and RSPAN on Cisco switches
3.3 Cisco WSA

3.3.a Implement WCCP
3.3.b Active Directory integration
3.3.c Custom categories
3.3.d HTTPS configuration
3.3.e Services configuration (web reputation)
3.3.f Configure proxy bypass lists
3.3.g Web proxy modes
3.3.h Application visibility and control
4.0 Identity Management 16%
4.1 Identity-based AAA

4.1.a Cisco router and appliance AAA
4.1.b RADIUS
4.1.c TACACS+
4.2 Device administration (Cisco IOS routers, Cisco ASA, and Cisco ACS5.x)
4.3 Network access (TrustSec model)

4.3.a Authorization results for network access (ISE)
4.3.b IEEE 802.1X (Cisco ISE)
4.3.c VSAs (Cisco ASA, Cisco IOS, and Cisco ISE)
4.3.d Proxy authentication (Cisco ISE, Cisco ASA, and Cisco IOS)
4.4 Cisco ISE

4.4.a Profiling configuration (probes)
4.4.b Guest services
4.4.c Posture assessment
4.4.d Client provisioning (CPP)
4.4.e Configure Microsoft Active Directory integration and identity sources
5.0 Perimeter Security and Services 20%
5.1 Cisco ASA firewalls

5.1.a Basic firewall Initialization
Average User Rating (15 ratings) My Rating:
Hide Details
5.1.b Device management
5.1.c Address translation
5.1.d ACLs
5.1.e IP routing and route tracking
5.1.f Object groups
5.1.g VLANs
5.1.h Configure EtherChannel
5.1.i High availability and redundancy
5.1.j Layer 2 transparent firewall
5.1.k Security contexts (virtual firewall)
5.1.l Cisco Modular Policy Framework
5.1.j Identity firewall services
5.1.k Configure Cisco ASA with ASDM
5.1.l Context-aware services
5.1.m IPS capabilities
5.1.n QoS capabilities
5.2 Cisco IOS zone-based firewall

5.2.a Network, secure group, and user-based policy
5.2.b Performance tuning
5.2.c Network, protocol, and application inspection
5.3 Perimeter security services

5.3.a Cisco IOS QoS and packet-marking techniques
5.3.b Traffic filtering using access lists
5.3.c Cisco IOS NAT
5.3.d uRPF
5.3.e Port to Application Mapping (PAM)
5.3.f Policy routing and route maps
6.0 Confidentiality and Secure Access 16%
6.1 IKE (v1/v2)
6.2 IPsec LAN-to-LAN (Cisco IOS and Cisco ASA)
6.3 DMVPN
6.4 FlexVPN
6.5 GET VPN
6.6 Remote-access VPN

6.6.a Cisco EasyVPN Server (Cisco IOS and Cisco ASA)
6.6.b VPN Client 5.X
6.6.c Clientless WebVPN
6.6.d Cisco AnyConnect VPN
6.6.e Cisco EasyVPN Remote
6.6.f SSL VPN gateway
6.7 VPN high availability
6.8 QoS for VPN
6.9 VRF-aware VPN
6.10 MACsec
6.11 Digital certificates (enrollment and policy matching)
6.12 Wireless access

6.12.a EAP methods
6.12.b WPA and WPA2
6.12.c wIPS
47766 Views
Add a comment
1 2 3 4 Previous Next
Jun 4, 2012 10:47 PM
Report Abuse Reply
zhangwenshi says:
NBCISCO NB .
Jun 4, 2012 11:11 PM
Report Abuse Reply
abu says:
Nice Update.. obsolete topics removed and new added.

It would be really nice if we can get more detail as there are some general topics here and
there e.g. Control Plane Protection and Management Plane Protection & Transit Traffic Control
and Congestion Management.

In addition, should we expect to see IPv6 in the lab or something.

Overall... Good Work
Jun 5, 2012 2:58 AM
Report Abuse Reply
Slawomir says: (in response to abu)
abu, see the checklist on the right.
Jun 5, 2012 1:54 AM
Report Abuse Reply
Ashwin S. Ramteke says:
how many " LAB " are there in CCIE SECURITY V4 ?
Jun 5, 2012 2:55 AM
Report Abuse Reply
Parvez says:
It is going more relevant towards the exiting corporate envirement.
Jul 14, 2012 8:32 AM
Report Abuse Reply
Fawad Khan says: (in response to Ashwin S. Ramteke)
Never mind
Jun 5, 2012 1:34 PM
Report Abuse Reply
Vibeesh says:
Finally its out .. was expecting a lot more, but this should keep us busy for the year !!
Jun 5, 2012 3:37 PM
Report Abuse Reply
crash0verride says:
Are Lab and written topics the same?
Comments (85)
Jun 5, 2012 6:18 PM
Report Abuse Reply
Natalie says: (in response to abu)
The exam checklist is alot more detailed in terms of topics. There will be IPv6 content in the
exam, I am hoping to get the checklist slightly updated to reflect v6 in a little more detail so
check back in a couple of days.
Jun 5, 2012 9:26 PM
Report Abuse Reply
dipak says:
this is good to underatand each tpic with coming technology.
Jun 5, 2012 9:47 PM
Report Abuse Reply
laxman.bheda says: (in response to Ashwin S. Ramteke)
Questions bhi puchh hi lo....
Jun 6, 2012 1:26 AM
Report Abuse Reply
RSUTHAR says:
1. how may routers (1841/3800) are required for lab v4.
2. how may ASA (8.2/8.4/8.6) are required for lab v4.
3. how may PC (windows 2003 server or 2008/ client PC XP or Windows 7) are needed.

4. ACS/Ironport/WLC/AP etc
if any body can define devices in detail, it will be great.
Jun 6, 2012 7:16 AM
Report Abuse Reply
Fawad Khan says: (in response to laxman.bheda)
Haha, that made my day. Thank you.
Jun 6, 2012 8:39 AM
Report Abuse Reply
Natalie says: (in response to RSUTHAR)
The exact number of devices is not published as there are multiple exam forms and more than
one topology. As a candidate you are randomly assigned a particular exam setup. We need
variation to help keep ahead of the cheaters and maintain the integrity of the exam so you feel
like you really achieved something significant.
Jun 6, 2012 8:05 PM
Report Abuse Reply
RSUTHAR says: (in response to Natalie)
thanks Natalie
but any recommadation for how may devices we need.
Jun 8, 2012 8:44 AM
Report Abuse Reply
yongkhang says:
no SGA?
Jun 8, 2012 11:20 AM Natalie says: (in response to yongkhang)
I have an enhanced checklist coming that lists SGA and other TrustSec items in more detail.
Anytime you see "TustSec" in a doc assume that any component of this model is fair game.
Report Abuse Reply
Jun 8, 2012 11:27 AM
Report Abuse Reply
Natalie says: (in response to RSUTHAR)
You can work this out based on the items in the checklist..we don't test you on scalability and
performance scenarios so most of your practice can be done with a small set of devices.
Jun 8, 2012 11:30 PM
Report Abuse Reply
RSUTHAR says: (in response to Natalie)
Is cisco planning to release any book related v4 lab exam, just like yusuf bhaiji.
Jun 9, 2012 4:31 AM
Report Abuse Reply
rohan.deshmukh says: (in response to Fawad Khan)
abe yede he asking for LAB means...types of exams.simmilar to troublshooting tickets in
R&S..and lastly i knw which part of world ur too.frm ur ..ok forget it
Jun 9, 2012 11:35 AM
Report Abuse Reply
Natalie says: (in response to RSUTHAR)
Currently an Exam guide is being written and a lab guide is also planned.
Jun 10, 2012 12:19 AM
Report Abuse Reply
Bhikshukkumar says:
which will b the more beneficial as per current it industries requirements till december-
2012..ccie security v.3 or ccie security v.4..??
Jun 11, 2012 9:41 AM
Report Abuse Reply
Natalie says: (in response to Bhikshukkumar)
v3.0 content is still relevant in that it is a good base knowledge level for v4.0, however if you look
at industry trends and some of messaging that Cisco and other vendors put out around security
and technology in general, perhaps there are areas of technology missing from the v3
blueprints which were defined in 2009 - although it depends on your needs, your customers
needs and your individual industry requirements. If 802.1X, wireless security, content security
and IPv6 knowledge etc are not important in your plans you can make the call to not move to
v4.0.
Jun 13, 2012 12:58 PM
Report Abuse Reply
Vibeesh says: (in response to Natalie)
Hi Natalie,
Can you give any insights on the format of the exam. Is it going to be a 2:6 exam with
troubleshooting & config like the R&S or will be a pure Config exam.
Appreciate your response.
Jun 13, 2012 7:23 PM
Report Abuse Reply
yong says:
Pass the written paper 3.0, hao can test the lab4.0? 2012.11 months ago cciesecurity also put
the position of the lab?
1992-2014 Cisco Systems Inc. All rights reserved. Site Map Terms & Conditions Privacy Statement Cookie Policy Trademarks
1 2 3 4 Previous Next
Add a comment