CCIE Security: Material List Update and Thoughts on the Blueprint

NOTE: I plan on updating this blog as I find good blogposts and other good threads out there so plan on this blog post being a living document. 

It was about a year ago that I posted this  post where I went through the CCIE Security materials I intended to study with. In that time, the CCIE Security v5 blueprint was released and I thought I would update the list to reflect the current blueprint and the study materials that are out there. 

The unified  written/lab blueprint can be found here

The lab equipment and version numbers can be found here.

Cisco was also nice enough to post study materials here and here

Based on the above, the following are the most relevant materials I've found out there: 


AMP for Endpoints private cloud is most certainly on the lab per the above lab equipment list. The good news is that with Private Cloud, there are a few less features to have to lab but it's still a pretty important lab topic and there aren't  a lot of training materials out there. Getting your hands on the labbing equipment either means having AMP for Endpoints purchased at your company or doing an evaluation. Be aware: This evaluation is pretty strict. You won't be able to get it past the time you are given a temporary license for. If you have the option of doing regular AMP for Endpoints (not the Private Cloud version), I would recommend using that since it has even more features and if you master that, you'll be able to do the Private Cloud material easier. I would just recommend knowing how to do the setup of AMP Private Cloud if you can't get your hands on it and have a mastery of AMP for Endpoints. 

Study Materials:

  • SSFAMP Class - This is an official class by Cisco that covers AMP for Endpoints and there was a strong focus on AMP for Endpoints Private Cloud. The class also comes with a 300+ page lab workbook. I feel this class is probably enough to get you past most of the lab. Since it is a Cisco class, if your company has Cisco Learning Credits, you could always use them with any Cisco Learning Partner to purchase this class.
  • AMP Private Cloud Datasheet
  • Installation and Configuration of AMP Private Cloud
  • BRKSEC-2139- Advanced Malware Protection

Note: There is also a book on the market called "Cisco Next-Generation Security Solutions: All-in-one Cisco ASA Firepower Services, NGIPS, and AMP." While this is an excellent book for learning about the products, I think it's more geared towards the CCNA/CCNP Security level than the CCIE Security level which is why I'm not including it on the list. If you know absolutely nothing about Firepower or AMP, it might be a good read and it's not a very large book.

For AMP for Networks in regards to the ESA, Firepower, and WSA, you're probably best served just reading the small section in the configuration guides. This is not a complex configuration for the malware aspect on the Amp for Networks portion.



This is a fun one to lab and work on. I would recommend reacting out to your Cisco sales team to talk about trying the software out. With the Firepower Management Center VM and a device running FTD, you can run it in evaluation mode for 90 days if you go to System>Licenses>Smart Licenses and click on the button Evaluation for 90 day. After that, you'll either have to purchase licenses or create a new Firepower Management Center VM. Personally, I would recommend labbing Firepower 6.1. The lab equipment guide says that it could be 6.0.1 or 6.1 but I think there's a better chance of it being 6.1 personally since that code version had been out for a few months when the v5 lab took affect. The lab equipment list says that it will have NGIPSv and Firepower Threat Defense. These two things are not the same. Understand the differences and the limitations of both. One thing also to note: ASA 5512-Xs are also listed on the lab equipment list. It doesn't specify whether this is just regular ASA or ASA with Firepower. I would recommend knowing how to configure the SFR module and potentially clustering the ASAs with those modules. 

Study Materials: 

  • SSFIPS Book by Todd Lammle and Alex Tatistcheff - While this book was written for Firepower/Sourcefire 5.4, it still does an excellent job at explaining a lot of the concepts and probably about 70-80% of it is still relevant 
  • Cisco Firepower 6.x with Firepower Threat Defense by Todd Lammle and Alex Tatistcheff - This one just came out but it's actually larger than the SSFIPS book and probably a bit more relevant. I haven't read it all the way through but the SSFIPS was an excellent book so I can vouch for the authors.
  • Labminutes - There are over 50+ free videos available on the site for Firepower 5.4 and 6.0 as well as an option to buy Firepower 6.1 videos. The gentleman that runs this site is awesome and his videos are invaluable. I definitely recommend coughing up the dough for the 6.1 videos and watching the free ones. 
  • Udemy Firepower Video Series
  • Firepower Threat Defense Advanced Troubleshooting Book
  • BRKSEC-2028-Deploying Next-Generation Firewall with ASA and Firepower Services
  • BRKSEC-3126-Firepower - Advanced Configuration and Tuning
  • BRKSEC-2762-Firepower Network Security Platform
  • BRKSEC-2020-Firewall Deployment



The lab equipment list says that there are two ASA 5512-Xs. You can bet that inline Trustsec tagging, clustering, and multicontext are going to be on the lab if these are here. If they weren't going to include it, it would have probably just been easier for the lab creators to stick with virtual ASAs and FTD devices but they also added the physical ASAs. If you want to lab this out, you definitely can't get a 5506 because there's no clustering or multicontext on that platform but you don't have to get the exact model on the lab either. I would also NOT recommend getting a non-X model of the ASA since it won't support the same code train that's on the lab. Check out the prices for a pair of 5508s if you can. I believe those support all the features that the 5512-X do. 

Study Materials:

In the future, INE is also going to offer some CCIE Security v5 updated videos as well. 



It's on the lab equipment blueprint so it's definitely a testable subject on the lab. I doubt there will be much in terms of configuration for this but it's going to be there for sure. The good news is that APIC-EM should be easy to download but it's going to require some serious server metal. If you try to thin provision or put less than the recommended amount of RAM, disk space, etc, it will certainly fail the hardware checks and not install. 

Study Materials:

There are a lot of free videos and configuration guides. I don't think there is going to be that much complex stuff on the lab regarding APIC-EM and it's probably a placeholder for SD-Access for future versions of the test but I'll link the following:


IOS/CSR Security including NAT, IPv6 & VPN

There aren't going to be any physical routers on the lab according to the lab equipment guide so you should be able to get away with CSR1000v for the router. However, you most certainly need to have a 3650/3850 that's able to support the code train that's on the lab. I know the desire will be to get a cheap IOS switch and just do that. I would NOT recommend doing so. There are syntax and feature differences between using old 3750s and newer 3650/3850 switches. 

Study Materials:



Obviously, this site is good for ISE but it's probably not enough to get you past the lab. The good thing is that there are a lot of great videos out there for ISE. With ISE, also comes Trustsec. I strongly suspect Trustsec will be a big part of the lab. The reason I assume this is because some of the equipment being used in the lab could have been easily virtualized but because the lab creators decided to go physical, they must need a feature that only the physical version has. For example, they could have used a virtual WLC in the lab if they wanted to cut down on equipment but instead they decided to go with a 2504 wireless controller. The only extra feature I can think they could gain from that is the ability to do SXP which isn't available in the vWLC

Study Materials:

  • Practical Deployment of Cisco Identity Services Engine book
  • SISAS book
  • TrustSec LiveLessons Videos - Some of it is a little out of date but great at understanding Trustsec 
  • TrustSec Whitepapers - Very easy reads and really walk you through the configuration
  • Labminutes ISE videos - These videos were gold for me when I was originally learning ISE. Still wonderful videos. Metha has it updated to version 2.0 and I suspect he'll be doing a 2.1 series soon enough.
  • Labminutes TrustSec Videos - Good for labbing but doesn't go as deep as the LiveLessons videos because it's not focused on theory. These are more complimentary to the LiveLesson TrustSec videos
  • Cisco ISE for BYOD book - Newly updated and just released. Definitely the newest ISE book to get
  • ISE Configuration Guide 2.1
  • Anyconnect Configuration Guide
  • MACsec Guide
  • Identity Based Networking Services: MAC Security
  • BRKSEC-3045-Advanced ISE and Secure Access Deployment
  • BRKSEC-3697-Advanced ISE Services, Tips & Tricks
  • BRKSEC-2044-Building an Enterprise Access Control Architecture with ISE
  • BRKSEC-3699-Designing ISE for Scale & High Availability
  • BRKSEC-2060-Device Administration with TACACS+ using Identity Services Engine
  • BRKSEC-2088-Identity Based Networking - IEEE 802.1X and Beyond
  • CCSSEC-2002-Cisco IT - ISE Deployment and Best Practices
  • PSOSEC-2002-Identity Services Engineer Product Solution Overview
  • BRKSEC-2041-Identity Services - Integrating Posture, Profiling, and Guest Services with 802.1x
  • DEVNET-1618-Cisco pxGrid - A New Architecture for Security Platform Integration
  • BRKEWN-2020-Wireless LAN Security, Policy and BYOD Best Practices
  • BRKSEC-2695-Building an Enterprise Access Control Architecture using ISE and Trustsec
  • BRKSEC-2022-Demystifying TrustSec, Identity, NAC and ISE
  • BRKSEC-3692-Deploying TrustSec - Security Group Tags in the Branch and Campus
  • BRKSEC-2203-Deploying TrustSec
  • BRKSEC-2981-Enterprise Network Segmentation with TrustSec
  • BRKSEC-1022-Introduction to TrustSecBRKSEC-3040-TrustSec and ISE Deployment Best Practices



Unfortunately, there's not a lot of books out for this one but it's not the hardest concept in the world.

Study Material:




I don't know how large of a topic the WSA will be in the lab given the version number they picked. Look at the release notes VERY carefully and the limitations with that version. If they stay true to the current advertised version, I suspect the lab will be more geared towards pxGrid integration and some lighter configuration than normal.

Study Material:




Yes, it's still on the lab. Why? The explanation given last year at the Cisco Live CCIE Security v5 techtorial is that even though it was riding into the sunset soon, a lot of people will be seeing it in the wild for some time. Thank god they don't test us on other things I've seen in the wild in the last year like PIX firewalls, pre-8.3 ASA IOS code, and ISE 1.x. ;)  

Joking aside, I strongly suspect the amount of ACS configuration on the lab will be kept to a minimum given the size of the blueprint and the amount of time we have. Maybe configuring some dot1x or TACACS+ with it? Or maybe a task or two where we have to migrate to ISE using the built-in ACS to ISE migration tool in ISE 2.1? I'm just speculating here and I'm going to cover my bases by labbing this up. 

Not sure how long ACS will remain on the lab given the news about agile blueprints when you can read here. I think they'll eventually "agile" ACS right out of the lab sooner or later. 

Study Material: 

  • AAA Identity Management Security - Half the book covers ACS 4.x and can be ignored and the other half covers 5.2 or something. It's not a very long read when you subtract half the book. 
  • Labminutes ACS Videos - 22 beautiful and concise videos on labbing ACS. Probably enough to cover everything we'll need to cover in the lab and it's on version 5.4


Wireless and Phone?

I put a question mark on the above because one always wonders how much phone and wireless you need to know for an exam like this. I suspect they won't want you to be a wireless expert but you should know how to secure wireless (SGTs, ISE, etc) and all the configuration that goes into securing it. As far as the phone piece, I believe it should be more focused on how the phone is profiled or using dot1x to access the network (again, ISE). You probably have to know enough about CUCM to be able to login and confirm that the phone has registered but not be a Collab expert by any means. There is a book about securing IP Voice networks and it might be a good read but I doubt they'll go too far down the rabbit hole with a blueprint as large as this. At most and it's a BIG stretch, I could see them asking us to make sure that the voice traffic is encrypted. 





  • Micronics Zero-To-Hero Security  - Still a great bootcamp and they take Cisco Learning Credits so easy to jump in there if your place of business as extra credits. 
  • Micronics CCIE Security v5 - I haven't gone to this one yet but I plan on going and I'll probably write up a review
  • INE CCIE Security v5 Bootcamp - Cristian Matei is a great instructor and I'm sure this one will be great. This did announce a couple of weeks ago that they will be updating the CCIE Security v5 content here


Lab Workbooks

Note: A lot of these workbooks are written for v4 and require some mental gymnastics to make them work for v5. That being said, a lot of the tasks still apply for v5 and can be used for the new blueprint.