28 Replies. Latest reply: Apr 7, 2014 11:49 AM by Ryan_Curry

    It Can Be Done!


      Passed my final CCNP exam and I'm quite pleased about it.


      Here are my recommendations to anyone getting on the CCNP-Security track:


      1. These exams involve a good deal of GUI usage. Software is more important than hardware on 3 of the 4 tests. You will need the IPS Manager Express and ASDM running in demo mode for the IPS and VPN exams, respectively. You might also like to have the AnyConnect client software for the VPN exam.


      2. Hardware? Simple and cheap. Yes, I know an ACS server isn't cheap and an IPS box can be pricey, but you don't really *need* either. IPS is emulated with IME in demo mode and ACS is mentioned in passing on most tests - except SECURE. However, a pair of switches that can do 802.1x, 2 or 3 1841 routers, and an ASA 5505 can give you plenty enough hands-on for the exams. GNS3 can emulate more hardware for you, and you'll want that to go along with your modest home lab.


      3. Having your ASA 5505 handle your home internet traffic is a great way to get actual traffic going through your ASA for examination and troubleshooting. Just warn anyone you live with prior to affecting their production flow of Internet.


      4. Take Firewall first, then IPS, then VPN. A good measure of the material in the VPN book is redundant, so bear with it and keep your eyes open for minor differences between client types, as those are testable details. Anyway, these tests are quite doable and they can serve as a foundation for the material you need to know for the last test, SECURE.


      5. SECURE has the most difficult questions of the four tests and you might want to budget enough money to take it two or three times. Possibly four. This is no joke: it is a rough ride. The book for the test has a number of errors and, even after correcting them, the test itself goes beyond the scope of the many items covered in the book. I personally believe the test is cursed, but that's just my superstition. More to the point, this test illustrates where you need to go "beyond the book" for the CCNP level of certification.


      6. Read product guides. Yes, that may mean another 184 pages, but it's worth doing. Feel free to skim here and there, but keep your eyes open and attentive on troubleshooting information. Read the 18-page IPSec troubleshooting manual like it was divine revelation that you can download. Read the IPSec debugging guide, while you're at it. When you debug your own VPNs, compare them to the guides. Break things and see where they go wrong and what messages you get when they do go wrong.


      7. Suggestions on things to break: set up a VPN, then unplug one end as you have "interesting traffic" going across the link; set up a VPN, then change the transform-set on an endpoint; set up a VPN, then mess up the ISAKMP policy... then mess up that default policy that always seems to override everything else... be sure to have debugging on when you do these things and then research the error messages.


      8. Get the premium edition tests that go with the official Cisco press cert guides. You'd like to have those and to practice on those... and to research anything that crops up on those tests that surprises you.


      I guarantee if you prepare properly, you will learn things that won't even show up on the test. Instead of grumbling about learning something you didn't need on a test, you'll be proud that you had skills to spare.


      Best of luck to everyone on this track, and it can be done!

        • 1. Re: It Can Be Done!

          Hi Dean


          Well done, so what are you going to study next?



          • 2. Re: It Can Be Done!

            Want ads right now... my contract job is coming to an end.


            I suppose the next tech I study will be CCIE Security.

            • 3. Re: It Can Be Done!
              Matt Saunders - Community Manager - Part Time Ninja

              Dean, GREAT and very thoughtful write up. Thank you for sharing your feedback, and CONGRATULATIONS!!


              Good luck pounding the want ads... Hopefully the IT Careers section of the site can be of help. Maybe take a look through a few of the webinars we did earlier in the year: IT Careers Toolkit

              • 4. Re: It Can Be Done!

                Congratulations! Enjoy your success.

                • 5. Re: It Can Be Done!

                  Thanks, helpful advice. I've had the 'regular' CCNP for years, but am thinking to add CCNP Security and starting with SECURE, you have me worried.

                  • 6. Re: It Can Be Done!

                    Matt: Thanks for the link. I've also hit the Cisco Careers page hard today.


                    Ray: SECURE really is serious business. It can be done, but I'd strongly recommend starting with Firewall. IPS is also helpful, VPN not as much. With those under your belt, you'll be ready to take on SECURE. Treat it with great respect, and you will succeed.     

                    • 7. Re: It Can Be Done!



                      You can start with SECURE, but it's helpful to go through the IPS exam if you aren't familiar with IPS terminology such as risk rating and event action filters/overrides.  If you have a lot of experience with router based VPNs and advanced zone-based firewall configurations, you should be ok.  There's some layer 2 security mixed in there too, so be familiar with it.


                      My personal test order was:







                      The reason I took them in that order is because I was doing a lot of ASA and ASA-based VPN work at the time I was studying.


                      Good luck.  It's definitely a worthwhile certification.

                      • 8. Re: It Can Be Done!

                        Thanks for posting your experiences.  If I were to attempt this, I would start with firewall and VPN, simply because that is where my current experience is.  Of course I probably ought to do my CCNA Security first. 

                        • 9. Re: It Can Be Done!

                          Thanks Eric and Dean for the advice.


                          This may make you chuckle, I guessed SECURE was 'easier' as it seemed to be less specific and covered more subjects, so it had to be an overview. Seems I guessed wrong.


                          Your advice comes just in time. I need to re-certify CCNP by next March (happens every 3 years) and had been sitting on the SECURE book for a year and finished a half of it. I was just about to get 'serious' and dig into it. I will order the Firewall book right away.

                          I had re-certified the CCNP 3 times using the QoS exam and would recommend that to anyone looking for the simplest most useful way to re-certify. The material is easy to understand and the subject has been very useful in years of networking. But recently I have been doing more security, got the CCNA Security so looking at the CCNP Security. Not sure if I will actually get all 4 parts of the CCNP or just one part for my re-certification.


                          Thanks again

                          • 10. Re: It Can Be Done!
                            Antonio Knox - CCNP R&S, CCNA R&S/Security

                            First off, congrats to you DeanWebb!


                            I will throw in my two cents on the SECURE exam.... MY GOODNESS I'm so happy I did that one first!  If the rest of the exams stack up to this one as easily as everyone implies, the hard part of CCNP Security is behind me!  This exam took me two attempts (luckily the first of them was for free at Cisco Live!), but the exam is a beast.  You have to really know the material.  The thing about it is that you have to not just know the material as in being able to identify where things fit, but the exam seems to be more of a test of your understanding of the topics, the how and the whys more so than any other Cisco exam I've taken to date (up there with the old BSCI exam for you old farts).  It's a tough (and truthfully, great) exam, and the euphoria you get from seeing that passing grade makes it worth it.  I guess my logic is in the minority, but I like to tackle the hard exams first and SECURE delivered on that.  I just welcome the challenge.

                            • 11. Re: It Can Be Done!

                              Ray: thanks for the re-certification tip. As excited as I am to get CCNP, I can also hear the clock ticking in the background. My wife thought the long hours of study were finally behind me and that I wouldn't go back to them... but I'm still peeking at Cisco Press titles here and there... I was reading an RFC last night when she walked in and I barely closed the window before she saw what I was looking at... yeah, I'll have to recertify one day. We all will... we all will...

                              • 12. Re: It Can Be Done!
                                Antonio Knox - CCNP R&S, CCNA R&S/Security


                                I thought I was the only one that sneaks around to study!  It's almost sad that we have to minimize windows like this as if we were viewing pron.  I guess it is just that..... But for the mind!  LOL

                                • 13. Re: It Can Be Done!

                                  Reading about 600 pages per book times four books eats up a LOT of time that could go for something else. My wife was an exam widow for quite some time, especially since my CCNP studies followed right after my CCNA studies...


                                  Let that be a cautionary tale to one and all: study takes up a great deal of time, and you need to prepare family and friends for the time requirements... and be sure to schedule gaps so you can balance your life. Last thing you want to be doing is to be watching Star Wars and then groan when R2D2 taps into the Death Star computer system. "A simple 802.1x system would have, at best, R2D2 on a guest VLAN, where he wouldn't be able to gain admin access to the whole thing. Has the Empire even HEARD of BPDUGuard?" Take the breaks and you'll keep your sanity.    

                                  • 14. Re: It Can Be Done!

                                    Hi Dean


                                    I seemed to have taken my CCNP Security back to front. Here is my order:






                                    My reasoning behind this was I had passed my CCNA Security and it seemed a natural step to take the SECURE, although I did just scrape through it. The next two were more logical.




