CCIE SECURITY TRACK

Lab Exam Blueprint v1.0


Please review the Lab Exam Overview for general information about the CCIE Security lab exam. The blueprint is a detailed outline of the topics likely to appear on the lab exam. Knowledge of troubleshooting is an important skill and candidates are expected to diagnose and solve issues as part of the CCIE lab exam. The topics listed are guidelines and other relevant or related topics may also appear. In general, new product features become eligible for testing on CCIE lab exams six months after general release.

Note: Items marked with an * will be preconfigured to allow maximum time for working with security-specific technology.


  1. Bridging and Switching
    1. Basic frame relay configuration *
    2. Catalyst VLAN configuration *
    3. Catalyst VTP configuration *
    4. Port-VLAN assignments *
    5. Catalyst management and security
    6. 802.1x
    7. Traffic control and congestion management
    8. Catalyst features and advanced catalyst configuration

  2. IGP Routing
    1. OSPF, EIGRP and RIP configurations *
    2. OSPF, EIGRP and RIP security *
    3. PIX routing
    4. VPN3000 routing
    5. Route filtering, redistribution, summarization and other advanced IGP features

  3. PIX Firewall
    1. Basic PIX configuration
    2. Management
    3. Address translation (NAT, global, static)
    4. ACL, conduit
    5. Routing
    6. Object groups
    7. VLANs
    8. AAA
    9. VPN
    10. DHCP
    11. PPPoE
    12. Filtering
    13. Fixup protocols
    14. Other advanced PIX features

  4. BGP
    1. Basic IBGP, EBGP and BGP backbone configurations *
    2. BGP security
    3. Summarization, filtering and advanced BGP features

  5. IP/IOS Features
    1. IP services
    2. QoS
    3. NAT/PAT
    4. NTP
    5. DHCP
    6. SNMP
    7. IOS features and user interfaces
    8. File management, system management and advanced IP/IOS features

  6. AAA
    1. TACACS+
    2. RADIUS
    3. Switch and router management
    4. PIX management
    5. VPN3000 management
    6. Proxy authentication
    7. Service authentication (FTP, telnet, HTTP, other)
    8. Advanced AAA features

  7. VPN
    1. IPSec LAN-to-LAN (IOS/PIX/VPN3000)
    2. DMVPN
    3. Pre-shared
    4. CA (PKI)
    5. Remote access VPN (IOS/PIX/VPN3000)
    6. VPN3000 concentrator
    7. Unity client
    8. WebVPN
    9. EzVPN Hardware client (IOS/PIX)
    10. Xauth, split-tunnel, RRI, NAT-T
    11. High availability
    12. IPSec redundancy
    13. QoS for VPN
    14. GRE, mGRE
    15. L2TP
    16. PPTP
    17. Advanced VPN features

  8. IOS Firewall
    1. CBAC
    2. Audit
    3. Auth Proxy
    4. PAM
    5. Access control
    6. Performance tuning
    7. Advanced IOS firewall features

  9. Advanced Security
    1. DoS/DDoS attacks
    2. Network/Host attacks
    3. Packet marking techniques
    4. Mitigation techniques
    5. Security RFCs
    6. Service provider security
    7. Black holes, sink holes
    8. Access lists (standard, extended, named)
    9. Lock-and-Key access-list
    10. Reflexive access-list
    11. TCP intercept
    12. uRPF
    13. CAR
    14. NBAR
    15. Netflow
    16. 802.1x
    17. PBR
    18. Flooding
    19. Spoofing
    20. Policing
    21. Fragmentation
    22. Sniffer traces
    23. Device security and management (telnet, SSH, pwd, priv lvls)
    24. Other advanced features

  10. Intrusion Detection System
    1. IDS sensor appliance 42XX
    2. Sensor configuration
    3. Signature tuning
    4. Shunning
    5. TCP resets
    6. Sensor features
    7. IDM
    8. IEV
    9. IOS IDS
    10. PIX IDS
    11. SPAN, RSPAN
    12. Advanced IDS features