Hi, Everyone!

We are in the progress of upgrading our CCIE Security racks with the new software and hardware. Here are the specs that you can use to build your own rack. The rack consists of six routers, two switches, two ASA firewall appliances and one IPS sensor. The hardware models and their specs are outlined below:

R1-R5: 2611XM 32/128, IOS 12.4(15)T ADVANCED SECURITY
SW1-SW2: CAT3550, IOS 12.2(50)SEE
IPS: Cisco IPS 4235 or 4240, SW version 6.0(3)E1
ASA1-ASA2: Cisco ASA 5510, SW version 8.0
AAA/CA Server: Win 2k running CS ACS 4.0 and IPS Manager Express.
Test PC: Win XP workstation with ezVPN Client Installed.

You can find a more detailed topology description at IE’s Security Hardware List

All the hardware cabling remains the same and the backbone routers did not change. If you compare this to our current hardware blueprint, you will see that only R6 needs to be replaced with an ISR router. Optionally, instead of 2811 you can use another ISR such as 1841 64/192 for R6. If you are using the Dynamips emulator for you virtual CCIE rack, you can use 3725 model for SSL VPN, for instance. Simply put, you just need any router that supports SSL VPN and other ADVANCED ENTERPRISE features. As for the GET VPN feature – even though Cisco FN does not list it as being supported by 2611XM routers, it is still present in the ADV. SECURITY feature set. Surprisingly enough, ADVANCED ENTERPRISE SERVICES image for 2611XM does not support the feature :)

Now for the IPS appliance: the latest software version for the IPS is 6.2 and it does not support older 4235 or 4215 IPS sensors (nor does version 6.1). Instead the blueprint suggests using the newer 4240 model. However, if you look at the release notes for IPS SW 6.2 and 6.1 you will note the following tow major new features:

a) IPS management via IPS Manager Express
b) IPv6 support

Other updates are minor, including some cosmetic changes such as health monitoring, customizable dashboards, uauthenticated NTP etc. Of course, you can still configure the IPS using IDM (IPS Device Manager) or the CLI and use IMX for appliance monitoring. As for IPv6, it is not the part of the current blueprint; plus the blueprint specifies IPS version 6.1 which does not support IPv6. Therefore, until they announced IPv6 as being testing in the CCIE Security blueprint, you may freely hang with the older IPS models and save on buying the more expensive 4240. Even better, the older 4215 appliance could be emulated on VMware! Note, that you will see the older 4235 models for some more time in our racks, but they are going to be gradually replaced with the newer 4240 models. The labs will still rely on the 6.0 code.

As for the switches – right now we use the 3550s in the racks, but those will be gradually replaced with 3560s. The CCIE hardware blueprint states the use of 3560 and 3750 switches in the lab. If you compare the 3560 model against 3550, you will see the following major differences: different QoS features, IPv6 support in the 3560 and no Private VLANs in the 3550 (even though the FN states they are supported there, sigh). Everything else is virtually the same. While QoS and IPv6 are not very important from the standpoint of the Security exam, Private VLANs are. However, if you look at the CCIE lab exam blueprint, you will see that Private VLANs are not listed there. Based on that, you can stick with the 3550s switches for 99% of the Security features tested in the CCIE lab.

Also, until April 20th you will see the PIX and the VPN3k appliances in our racks. So even if you are still pursuing the old-blueprint exam, you can use the rental racks, as most features are upwards compatible with the updated software. And get ready for the upcoming initial update of our IEWB-SC VOL1 next week – 50+ technology-focused scenarios for the ASA firewall appliance.

Good luck with your studies!

About Petr Lapukhov, 4xCCIE/CCDE:

Petr Lapukhov's career in IT begain in 1988 with a focus on computer programming, and progressed into networking with his first exposure to Novell NetWare in 1991. Initially involved with Kazan State University's campus network support and UNIX system administration, he went through the path of becoming a networking consultant, taking part in many network deployment projects. Petr currently has over 12 years of experience working in the Cisco networking field, and is the only person in the world to have obtained four CCIEs in under two years, passing each on his first attempt. Petr is an exceptional case in that he has been working with all of the technologies covered in his four CCIE tracks (R&S, Security, SP, and Voice) on a daily basis for many years. When not actively teaching classes, developing self-paced products, studying for the CCDE Practical & the CCIE Storage Lab Exam, and completing his PhD in Applied Mathematics.

Find all posts by Petr Lapukhov, 4xCCIE/CCDE | Visit Website

You can leave a response, or trackback from your own site.

13 Responses to “INE Security v3.0 Hardware List”

  1. Rizzo says:


    Thanks a lot for Great post. I have been waiting for it. :)

    Luckily, I didn’t buy two 1841 Routers. :) As I have many 2651XM with Max memory. But It seems one 1841 will be worth to try (as R6) for SSL VPN.

    Will there be new initial config files for our new Workbooks?

    Kind Regards

  2. Brian says:

    Can one use 3640 (128MB/32F) instead on the 2811XM for routers 1-5?


  3. David Koppenaal says:


    I was wondering what way Dynamips could be used to skip some of the real hardware. I was thinking about pemu for the ASA’s and running the ips in vmware. How far can you get with that at the moment.



  4. Stephen says:

    Is the Test PC must install VPN client 5.x ? or not ezVPN ?

  5. [...] IE’s Security v3.0 Hardware List – CCIE Blog Here are the specs that you can use to build your own rack (tags: cisco security ccie hardware) [...]

  6. Eric Sparks says:

    Can ASA 5505s be used instead of 5510s?

  7. Steve says:

    3640′s don’t support 12.4T from what I can see

  8. Paul Alexander says:

    Hi Petr,

    Is GET VPN the only thing you miss out in the adventerprise feature set?

    I’m using dynamips for my lab and have run into a bunch of bugs running 2600′s. So instead ive gone with 3725′s all round with adv enterprise.



  9. Dan Hughes says:

    I notice you’ve gone with ACS 4.0, while the blueprint is 4.1.. Any particular reason, or just not enough differences to matter?

  10. Sri says:

    Thanks for a gr8 insight into new requirements.


  11. Jesse says:

    I am wondering why the Cisco IPS 4235 is listed, rather than the 4215?

    When I log into Cisco Downloads, I see a 6.0(5)E3 for the 4215 (though admittedly, I haven’t yet attempted to apply the image to it)


  12. hardwarewiz says:

    nice information! practical information on those commands is difficult to come by.


Leave a Reply


CCIE Bloggers