Fun building a CCIE Security home Lab

I built a CCIE lab a while back and found the process to be a bit cumbersome. The hardware and software requirements were clear (4.0 version found HERE), but not the actual construction of a home lab. Here is an explanation of how I built my lab. This is my experience so I’m not saying it’s the right way, but its how I did it.

The first step when building my lab was deciding which lab guides I was planning to study. This way I could visit the vendor site and mirror the hardware to what they offer for rack rental. I went with IPExperts since they are pretty known and had two guide options that seemed to cover most concepts. IPExperts uses proctorlabs for rack rental so you can see the rack details via checking out the security lab at You can also find details on their racks on the ipexpert site HERE.  crimper

Next thing was purchasing a cable crimper since many various sizes of cables are needed to match all the lab guide connections. Plus I had a few very long 50+ foot cat5e cables that became 30 or so short cables once cut down. I found cheap crimper packages that included 100 connectors and tester on Amazon. The crimper quality wasn’t great, as some plastic parts broke after a few uses however it got the job done. You will defiantly want a cable tester and extra connecters since you will likely botch up a cable every so often as you hammer them out. My crimper package was around 50 dollars.

IPExpers’s rental rack lists four ASAs, nine to eleven routers, four switches and a bunch of stuff hosted off of VM such as ISE, AD, etc. After reviewing the IPExperts lab guides, I found many of the exercises didn’t need this much hardware running at the same time so you can build up a lab as you work on things rather than assuming its all or nothing. I personally like focusing on a particular technology and working through it multiple times meaning usually only a few things need to be on. For example, you may just need two ASAs and a few routers to work on the firewall sections as the guides want you to get hands on with ASA code version 8.4 and 8.2 as specified by Cisco.

terminalServerTo access each box, I picked up a terminal server. They are pretty cheap on Ebay (around $100 dollars). You also need two octo cables to accommodate all the hardware (16 connections) aka two DB62(M) to 8 x DB9(M) Cables. I used THIS youtube video to set it up. It took me a little trail and error via setting the octo cable to a port, accessing a device terminal and seeing if I matched the right name to device. I found using a MAC and virtual windows systems are a pain when hitting the Terminal release commands. I recommend a windows system when using a terminal server.

A lot of technology can be virtualized so I went that route for things like Identity Services Engine (ISE) and Web Security Appliance (WSA). I converted a basic laptop to ESXi server for this purpose. I have done similar things with MACMINI servers (more on that found HERE) so I recommend doing your research before proceeding. The major points to note is you will need the laptop’s network drivers since they will be lost during the install process. You can find details on this by searching google using your hardware version and ESXi.

Hardware can range from a few models for each device as long as the code is right. IPExerts uses three first generation ASAs and one second generation ASA. I went with 5510s since it’s the smallest module that isn’t vlan based like the 5505s. Routers models can very so I have a blend of 2600s and 1841s. I prefer the 1841s but you will need a larger model to be the frame-relay server. I went with four 3750-48s for my switches and found I typically only used 2 or 3 per exercise.

And that’s pretty much all she wrote. The final product can be seen in the images above. My lab is two stacks of hardware connected between two power supplies and a laptop sitting on top to host ESXI. It servers its purpose well and easy to fire up and kill as time permits study.

4 thoughts on “Fun building a CCIE Security home Lab”

    1. Hi Zoran,

      Well it depends on the piece of equipment and how you buy it. Basic used routers and switches range on model. People also sell hardware bundles online. Cisco sells the newer stuff so that has a cost with discount based on who you purchase it from. If you have questions about a particular piece of gear, ask and I’ll try to give you a range.

  1. Hi,
    I have a lot of the gear that racks mounts and an ESXi 5.1 server.
    Where can I get DEMO versions of WSA or ISE?
    I’m new to assembling the CCIE Sec lab, as I just finished CCNP-V(&C)

    I’m wondering about how to get the software components, as when I am in CCO, I get the dreaded ‘Additional Entitlement Required..’

    I’m guessing Cisco offers a legit way to demo / eval / lab these products?

    1. Hi. Any Cisco employee can “publish” the image for you to download. Once you download and install, you are given 90 days for 100 devices for all licenses. Hope this helps

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.