CCIE Security Lab Exam

CCIE Security Lab Exam Topics v4.0

The following topics are general guidelines for the content likely to be included on the lab exam. However, other related topics may also appear on any specific delivery of the exam. In order to reflect better the contents of the exam and for clarity purposes, the exam topics may change at any time without notice.

Candidates may be required to perform implementation, optimization and troubleshooting actions in each of the exam topics sections and should also be comfortable with both IPv4 and IPv6 concepts and application.

CCIE Security Lab Exam Topics v4.0

System Hardening and Availability

Routing plane security features (e.g. protocol authentication, route filtering)

Control Plane Policing

Control Plane Protection and Management Plane Protection

Broadcast control and switchport security

Additional CPU protection mechanisms (e.g. options drop, logging interval)

Disable unnecessary services

Control device access (e.g. Telnet, HTTP, SSH, Privilege levels)

Device services (e.g. SNMP, Syslog, NTP)

Transit Traffic Control and Congestion Management

Threat Identification and Mitigation

Identify and protect against fragmentation attacks

Identify and protect against malicious IP option usage

Identify and protect against network reconnaissance attacks

Identify and protect against IP spoofing attacks

Identify and protect against MAC spoofing attacks

Identify and protect against ARP spoofing attacks

Identify and protect against Denial of Service (DoS) attacks

Identify and protect against Distributed Denial of Service (DDoS) attacks

Identify and protect against Man-in-the-Middle (MiM) attacks

Identify and protect against port redirection attacks

Identify and protect against DHCP attacks

Identify and protect against DNS attacks

Identify and protect against MAC Flooding attacks

Identify and protect against VLAN hopping attacks

Identify and protect against various Layer2 and Layer3 attacks

NBAR

NetFlow

Capture and utilize packet captures

Intrusion Prevention and Content Security

IPS 4200 Series Sensor Appliance

(a) Initialize the Sensor Appliance

(b) Sensor Appliance management

(c) Virtual Sensors on the Sensor Appliance

(d) Implementing security policies

(e) Promiscuous and inline monitoring on the Sensor Appliance

(f) Tune signatures on the Sensor Appliance

(g) Custom signatures on the Sensor Appliance

(h) Actions on the Sensor Appliance

(i) Signature engines on the Sensor Appliance

(j) Use IDM/IME to  the Sensor Appliance

(k) Event action overrides/filters on the Sensor Appliance

(l) Event monitoring on the Sensor Appliance

VACL/SPAN & RSPAN on Cisco switches

WSA

(a) Implementing WCCP

(b) Active Dir Integration

(c)Custom Categories

(d) HTTPS Config

(e) Services Configuration (Web Reputation)

(f) Configuring Proxy By-pass Lists

(g) Web proxy modes

(h) App visibility and control

Identity Management

Identity Based Authentication/Authorization/Accounting

(a) Cisco Router/Appliance AAA

(b) RADIUS

(c)TACACS+

Device Admin (Cisco IOS Routers, ASA, ACS5.x)

Network Access (TrustSec Model)

(a) Authorization Results for Network Access (ISE)

(b) 802.1X (ISE)

(c)VSAs (ASA / Cisco IOS / ISE)

(d) Proxy-Authentication (ISE/ASA/Cisco IOS)

Cisco Identity Services Engine (ISE)

(a) Profiling Configuration (Probes)

(b) Guest Services

(c)Posture Assessment

(d) Client Provisioning (CPP)

(e) Configuring AD Integration/Identity Sources

Perimeter Security and Services

Cisco ASA Firewall

(a) Basic firewall Initialization

(b) Device management

(c ) Address translation (nat, global, static)

(d) Access Control Lists

(e) IP routing/Route Tracking

(f) Object groups

(g) VLANs

(h) Configuring Etherchannel

(i) High Availability and Redundancy

(j) Layer 2 Transparent Firewall

(k) Security contexts (virtual firewall)

(l) Modular Policy Framework

(j) Identity Firewall Services

(k) Configuring ASA with ASDM

(l) Context-aware services

(m) IPS capabilities

(n) QoS capabilities

Cisco IOS Zone Based Firewall

(a) Network, Secure Group and User Based Policy

(b) Performance Tuning

(c) Network, Protocol and Application Inspection

Perimeter Security Services

(a) Cisco IOS QoS and Packet marking techniques

(b) Traffic Filtering using Access-Lists

(c)Cisco IOS NAT

(d) uRPF

(e) PAM - Port to Application Mapping

(f) Policy Routing and Route Maps

Confidentiality and Secure Access

IKE (V1/V2)

IPsec LAN-to-LAN (Cisco IOS/ASA)

Dynamic Multipoint VPN (DMVPN)

FlexVPN

Group Encrypted Transport (GET) VPN

Remote Access VPN

(a) Easy VPN Server (Cisco IOS/ASA)

(b) VPN Client 5.X

(c)Clientless WebVPN

(d)  AnyConnect VPN

(e) EasyVPN Remote

(f) SSL VPN Gateway

VPN High Availability

QoS for VPN

VRF-aware VPN

MacSec

Digital Certificates (Enrollment and Policy Matching)

Wireless Access

(a) EAP methods

(b) WPA/WPA-2

(c)WIPS

Configuring a Network to Given Specifications

The CCIE lab exam is an eight-hour, hands-on exam which requires you to configure a series of secure networks to given specifications. Knowledge of troubleshooting is an important skill and candidates are expected to diagnose and solve issues as part of the CCIE lab exam.

Cost

The Lab Exam cost does not including travel and lodging expenses. Costs may vary due to exchange rates and local taxes (VAT, GST). You are responsible for any fees your financial institution charges to complete the payment transaction.  Price not confirmed and is subject to change until full payment is made. For more information on the lab exam please reference the Take your Lab Exam tab.

Lab Environment

The Cisco documentation CD is available in the lab room, but the exam assumes knowledge of the more common protocols and technologies. Documentation can only be navigated using the index; the search function has been disabled. No outside reference materials are permitted in the lab room. You must report any suspected equipment issues to the proctor during the exam; adjustments cannot be made once the exam is over.

Lab Exam Grading

Each question on the lab has specific criterion. The labs are graded by proctors who ensure all the criterion are met and points are awarded accordingly. The proctors use automatic tools to gather information from the routers to perform some preliminary evaluations, but the final determination of a correct or incorrect configuration is done by a trained proctor.

Results

You can review your lab exam results online (login required), usually within 48 hours. Results are Pass/Fail and failing score reports indicate major topic areas where additional study and preparation may be useful.

Reevaluation of Lab Results

You may request a reevaluation of results for Routing and Switching, Security and Service Provider labs for up to 14 days following your exam date. Use the link next to your lab record called "Request for Reread". Due to the equipment used, rereads are not available for the Wireless, Voice, and Storage Networking exams. Each reread costs US$250 plus any applicable local taxes. Payment is made online via credit card and your card will be charged upon receipt of the request. You may not cancel the reread request once the process has been initiated and refunds are only given when the results change from Fail to Pass.

A reread consists of a second proctor loading your configurations onto a rack to recreate the test and rescore the entire exam. This process may take up to three weeks after receipt of payment. Only one reread per lab attempt is permitted. The result of the reread is an updated score report with success rates for each major section. Be aware that scores may decrease. Exams receive a Pass mark only when the total exam score exceeds 80%. Before requesting a reread, consider that, historically, only 0.3% of exams have been changed from Fail to Pass.

Security Lab Locations

Security exams are offered at the Cisco locations. Additional information on the Lab Exam, can be found on the Take Your Lab Exam tab.