Well, we had all heard the rumors that it was coming down the line, and today Cisco decided to make it official just ahead of Cisco Live. Something very interesting about this update (no doubt a result of really listening to the community's voice regarding the things that threaten the enterprise most these days) is the heavy emphasis they've added on Bring Your Own Device (BYOD) over wireless and the threats that come with it, with the addition of a Wireless LAN Controller (WLC) and at least a single AP, along with the Identity Services Engine (ISE). For those of you who may not be familiar with the ISE, it is basically an evolution of a few devices combined into one: a sort of mix of the ACS, NAC Appliance and NAC Profiler. However, it is NOT a replacement for the ACS, namely because it does not do TACACS+, instead only supporting RADIUS for 802.1x and NAC. This is the reason Cisco decided to leave the ACS server in there, but upgraded to v5.x (most likely 5.3). Also, if you happen not to have any experience with wireless technologies in general, you're in luck! INE is releasing our 20-hour CCNA Wireless class later today, which covers Lightweight Access Points (LWAP) being controlled by WLCs, and those WLCs being controlled by the higher-up Wireless Control System (WCS). In fact, since I've mentioned the WCS, it's quite interesting that Cisco (in a sort of nonchalant way) mentions that the ASA firewalls may be configured by "Cisco Prime Tools". If you aren't familiar with Cisco Prime, it is basically the new branding of Cisco's network management as a whole. LMS now falls under Prime, as does something called Prime NCS (the evolution of Cisco's WCS), and Prime Tools fall under the new Prime branding as well.

There's also a smidge of Voice device authentication as well, though it doesn't even begin to really touch on Unified Communications security, something I still think will largely be addressed in the next CCIE Voice update. Basically they have a 7900 series phone (probably a 7965) and you do NOT have to configure the Unified Communications Manager (UCM) server to get it to work; you only have to dot1x-authenticate it onto the wired network. Basically, set up the ISE or ACS to authenticate it and interact with the actual phone display to input your credentials. Don't be concerned, it's nothing difficult at all.

Cisco also (finally) introduces their IronPort acquisition to the exam, by way of the S-series Web Security Appliance (WSA). This device goes way beyond the days of old where you simply blocked or allowed certain websites; rather, it digs deep into the functionality of websites and web-based applications and provides 'acceptable use enforcement' for those sites or webapps. Take Facebook, for example. Many (if not most) companies these days have a social presence and use Facebook as a tool to conduct business, but that doesn't mean they want their users surfing FB all day. The WSA allows strategic enforcement of what is and is not allowed to occur via these types of web sites. It also blocks threats such as malware.

They mention simply including "VPN Client Software", which will no doubt be the Cisco Secure Services Client v5 installed on one or possibly more Windows 7 virtual desktops placed around the topology. This would make sense for both wired and wireless 802.1x authentication with the ACS/ISE, something we also go into in the new 20-hour CCNA Wireless class I recorded a few weeks back. The question is whether the AnyConnect Secure Mobility Client will also be tested. It's not in there per se, but that doesn't mean it isn't possible.

The addition of at least one 2911 ISR-G2 only makes sense, as IOS version 15.2 can't be run on the older ISRs (which makes me wonder why the older ISR is included at all, save perhaps that there are far more of them currently deployed).

Links to both the new v4 blueprint and v4 hardware/software equipment list, as well as a more detailed checklist for studying:

  • CCIE Security v4 Blueprint
  • CCIE Security v4 Equipment List
  • CCIE Security v4 Checklist

There are obviously still a lot of questions that need to be answered by Cisco before we have a complete picture of this new version of the prestigious CCIE Security exam, and those will no doubt be addressed during the 8-hour seminar this Sunday at Cisco Live in San Diego. I should note that this 8-hour session is an additional charge ($799) on top of your normal admittance to the convention; it is not considered a "breakout session", all of which come included with your convention pass. Some obvious questions might be:

  • Will we need to know how to configure ASA via Prime Tools, or is that simply another option?
  • How many Windows 7 desktops will there be, and will we be using AnyConnect NAM on them or something like CSSC?
  • Will there be both ASA and ASA-X versions? And if so, what would be the reason? (The ASA-X series runs 8.6, whereas the ASA only goes up to 8.4, amongst other things.)
  • And many others we’ll come up with and have asked and answered

You can be sure that INE will be there, tweeting and live-blogging from the event.
Follow me and stay updated throughout the conference!

About Mark Snow, CCIE #14073:

Mark Snow has been actively working with data and traditional telephony as a Network Consulting Engineer since 1995, and has been working with Cisco Call Manager and voice-over technology since 1998. Mark has been actively teaching and developing content for the CCIE Voice track since 2005, and the Security track since 2007. Mark's story with both data and voice technology started out quite young, as he began learning around the age of five from his father, who was a patented inventor and a research scientist at AT&T Bell Laboratories. Mark started out on Unix System V and basic analog telephony, and went on from there to large data networking projects with technologies such as Banyan Vines, IPX and of course IP, and large phone systems such as Nortel 61c, Tadiran Coral, Avaya Definity and of course Cisco Unified Communications Manager in both enterprise and 911 PSAP environments across the US and internationally. Mark is also an accomplished pilot and punched his ticket in 2001. When Mark isn't learning, labbing, consulting or teaching, he can be found either piloting or possibly jumping out of a perfectly good airplane, hanging off a rock somewhere or else skiing out west. He also might just be enjoying a quiet day at the beach with his wife and two wonderful young kids, Ryleigh and Judah.


12 Responses to “CCIE Security Updated Just Ahead of Cisco Live”

  1. Miles says:

    Another question about the ASA is if the 1000v’s will be involved!

    Cool stuff!

  2. Riz says:

    A hell of a lot of interesting topics, and I really think Cisco should make that 8-hour session publicly available. I am sure it will clear up many confusions and will surely help candidates/vendors to prepare study topics.

    Here are a couple of questions:

    Q: What is the particular reason for ASA 8.6, while most of the major features can be tested on earlier releases? And the same question applies to IOS 15.2 with the 2911 router.

    Q: what’s the scope of topic “Context-Aware and Identity firewall” in lab?

    Q: Will ACS or ISE be integrated with an Active Directory user database?

    Topics are really great and I want to re-do my security lab exam even though I have passed my number. Hehe ;)

  3. AK says:

    Mark, are the CCNA 640-722 videos available? I can see the old 640-721 videos under the IUWNE latest video title. Could you correct that please?


  4. IP_Hamsterviel says:

    Will INE provide the material for this new CCIE Security exam?
    Sounds like almost half of the topics in v4 are new compared to the older v3.

  5. ipsolutions says:

    CCIE Security Training at IPsolutions :-

    IPsolutions provides the WORST instructor-led and hands-off training program for CCIE Security certification, ensuring success in both the written and lab exams in the maximum possible time. Our institute is NOT well equipped and NOT authorized to provide this training, but we have a very good track record of producing brain-dump networking professionals as well.

    CCIE Security Exams :-

    Aspirants must clear 2 exams in order to acquire this coveted certification.

  6. owais says:

    As Cisco wireless design and deployment in business has changed to TrustSec, ISE and MSE technologies, will you be offering up-to-date Cisco BYOD & BYOA design and deployment training / VODs?

    I am more than happy to take out a subscription if you can offer this today.

    BTW, great site, knowledgeable experts with excellent presentation skills. Keep up the work.

    • We love the TrustSec model based on ISE with SGT tagging and egress SGACLs. I personally covered some of this during our recent CCIE DC Nexus Switching class. Watch for us to produce much more content surrounding this BYOD topic-sphere very soon.

  7. owais says:

    (That's GOOD work!!)

  8. Mashal says:

    As Cisco Live is over now, have you collected and posted the answers to the questions mentioned here?
