This article assumes that you have no networking foundation at all and are starting from scratch, with the goal of reaching CCIE Security level (a real IE, not a paper IE) in one direction within 2–3 years; the plan is distilled from my own experience. How long each part takes varies from person to person and depends on your situation. Overall, though, 2–3 years of steady progress without interfering with work is a reasonable timeframe.

I started my internship at Cisco on July 11, 2015. I started CCNA in early 2015 and then began learning CCNP, though I did not take the CCNP certification; most of that time went into learning OSPF and BGP. I have been preparing for CCIE Security since 2012, and obtained the CCIE Security certification in May 2018.

Throughout the learning process there must be theory plus practice, with practice taking the larger share, and it is better still if you keep notes. Below I summarize the approximate learning process over those three years in the order Basics → Security CCNA exam → Security CCNP → Security CCIE.

1. Basics

The basics stage involves essentially no contact with specific network equipment; the emphasis is on theory and concepts. It is nevertheless very important, because it is the foundation for all the knowledge that follows.

If you took courses such as Basic Concepts and Main Structure of Communication Networks [1], Computer Networks, or Fundamentals of Communication Networks at university or in graduate school, this section can be skipped, because you have already mastered network layering, the TCP/IP protocol suite and the basic concepts of routing algorithms. (If you are not confident, review it again.)

1.1 TCP/IP Basics

For how to learn the TCP/IP protocol suite, see the Q&A "How to learn the tcp ip protocol" [2]. In summary, there are two points:


Theory: TCP, UDP, IP, ARP, ICMP, DHCP, DNS, etc.

Practice: theory is boring; practice is interesting.

Basic practice: use Wireshark to capture the process of opening a web page, and follow the HTTP exchange and the TCP three-way handshake.

Basic practice: write small socket programs in a programming language you know, capture the traffic and analyze the packets.
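As an added illustration of the second exercise (this is not code from the original article or its author), the following Python script builds a constructed IPv4/TCP capture of a browser opening a web page, decodes the TCP header fields that Wireshark shows in its info column, and checks that the three packets really form a three-way handshake: the SYN-ACK must acknowledge the client ISN + 1 and the final ACK must acknowledge the server ISN + 1. The addresses, ports and sequence numbers are constructed values; checksums are left at zero because the parser does not verify them.

```python
import struct

# TCP flag bits from the flags field of the TCP header (RFC 9293).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = [(SYN, "SYN"), (ACK, "ACK"), (FIN, "FIN"), (RST, "RST"), (PSH, "PSH")]


def flag_names(flags: int) -> str:
    """Render the flag bits the way Wireshark's info column does, e.g. 'SYN,ACK'."""
    return ",".join(name for bit, name in FLAG_NAMES if flags & bit) or "none"


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags):
    """Construct a minimal IPv4+TCP packet (no options, no payload) for the demo.
    IP and TCP checksums are left at zero; the parser does not verify them."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the fields needed to follow a connection from a raw IPv4/TCP packet
    (no link-layer header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("IP protocol %d is not TCP" % pkt[9])
    if len(pkt) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return {
        "src": ".".join(str(b) for b in pkt[12:16]), "sport": sport,
        "dst": ".".join(str(b) for b in pkt[16:20]), "dport": dport,
        "seq": seq, "ack": ack, "flags": off_flags & 0x1FF,
    }


def classify_handshake(packets):
    """Walk the packets of one connection in capture order and return the handshake
    steps that are consistent: a SYN, a SYN-ACK acknowledging client ISN + 1, and
    an ACK acknowledging server ISN + 1."""
    steps, client_isn, server_isn = [], None, None
    for p in packets:
        f = p["flags"]
        if f & SYN and not f & ACK and client_isn is None:
            client_isn = p["seq"]
            steps.append("SYN")
        elif (f & SYN and f & ACK and client_isn is not None and server_isn is None
              and p["ack"] == client_isn + 1):
            server_isn = p["seq"]
            steps.append("SYN-ACK")
        elif (f & ACK and not f & SYN and server_isn is not None
              and p["seq"] == client_isn + 1 and p["ack"] == server_isn + 1):
            steps.append("ACK")
            break  # connection established; everything after this is data
    return steps


def analyze(raw_packets):
    return classify_handshake([parse_ipv4_tcp(p) for p in raw_packets])


# Constructed capture of a browser opening http://10.0.0.2/ (not a real trace).
CLIENT, SERVER = "10.0.0.1", "10.0.0.2"
HANDSHAKE = [
    build_ipv4_tcp(CLIENT, SERVER, 40000, 80, 1000, 0, SYN),
    build_ipv4_tcp(SERVER, CLIENT, 80, 40000, 5000, 1001, SYN | ACK),
    build_ipv4_tcp(CLIENT, SERVER, 40000, 80, 1001, 5001, ACK),
    build_ipv4_tcp(CLIENT, SERVER, 40000, 80, 1001, 5001, PSH | ACK),  # HTTP GET follows
]
# A server that acknowledges the wrong sequence number never completes the handshake.
BAD_SYNACK = [
    build_ipv4_tcp(CLIENT, SERVER, 40000, 80, 1000, 0, SYN),
    build_ipv4_tcp(SERVER, CLIENT, 80, 40000, 5000, 1000, SYN | ACK),
]

if __name__ == "__main__":
    for raw in HANDSHAKE:
        p = parse_ipv4_tcp(raw)
        print(f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]} '
              f'[{flag_names(p["flags"])}] seq={p["seq"]} ack={p["ack"]}')
    print("handshake steps:", analyze(HANDSHAKE))
```

Running the script prints the four packets in Wireshark style and then `['SYN', 'SYN-ACK', 'ACK']`; feeding it a capture whose SYN-ACK carries the wrong acknowledgment number stops at `['SYN']`, which is exactly what you see in a trace when a handshake never completes.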


1.2 Routing Protocol Basics

Mainly conceptual.

Basic concept of a router

The concepts of static routing and dynamic routing (distance-vector and link-state algorithms).

Basic concepts of RIP/OSPF/BGP

2. Security CCNA Preparation

Building on the basics, this stage adds hands-on contact with routers and switches; the CCNA Learning Guide [6] with Cisco Packet Tracer [7] as the simulator is enough. In practice you should be able to do the following:

Telnet configuration on switches and routers

Interface IP configuration on switches and routers

Basic VLAN configuration

Simple configuration of the routing protocols RIP/EIGRP/OSPF

Basic show commands

Basic network troubleshooting capabilities (ping, traceroute, telnet, arp)

With these skills you can pass the CCNA exam without relying on the question bank.


3. Security CCNP Preparation

I personally have not taken the CCNP exam. In my view, if you don't take the exam, the focus of the NP stage is the various routing protocols, and the learning here is not simple configuration (that was the starting point of the previous level) but in-depth study. The basic method is GNS3 [8] (or IOL) plus Wireshark packet-capture analysis; the configuration manuals and the relevant RFCs also need to be read. The lab topologies at this stage are generally small; the complex topologies of the IE stage rarely come up.

I take OSPF and BGP as examples; the other protocols (RIPv2, EIGRP, IS-IS) are learned in a similar way.


3.1 OSPF

The main thing is to do experiments, and more experiments! For the OSPF command-line configuration manual, use the Cisco OSPF Command and Configuration Handbook [9].

How OSPF adjacency is established (capture and analyze)

What are the five packet types of OSPF and what role do they play in establishing adjacencies?

OSPF special area types

OSPF LSA types (capture)
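To make the first two items concrete, here is an added Python example (not code from the original article or its author) that constructs OSPFv2 Hello packets, decodes the common 24-byte OSPF header and the Hello body, and applies the two checks a router performs before an adjacency can progress: the Hello parameters (area, mask, Hello and Dead intervals) must match, and the neighbor moves from Init to 2-Way only once your own Router ID appears in its neighbor list. The router IDs, timers and segment are constructed values; authentication is null and the checksum is left at zero.

```python
import ipaddress
import struct

# OSPFv2 packet types (RFC 2328, section 4.3).
OSPF_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
              4: "Link State Update", 5: "Link State Acknowledgment"}
HEADER_LEN = 24


def _ip(s):  # dotted-quad -> 4 bytes
    return ipaddress.IPv4Address(s).packed


def _str(b):  # 4 bytes -> dotted-quad
    return str(ipaddress.IPv4Address(b))


def build_hello(router_id, area_id, mask, hello_int, dead_int, priority, dr, bdr, neighbors):
    """Construct an OSPFv2 Hello (null authentication, checksum left at zero)."""
    body = _ip(mask) + struct.pack("!HBBI", hello_int, 0x02, priority, dead_int) + _ip(dr) + _ip(bdr)
    body += b"".join(_ip(n) for n in neighbors)
    header = struct.pack("!BBH4s4sHH8s", 2, 1, HEADER_LEN + len(body),
                         _ip(router_id), _ip(area_id), 0, 0, bytes(8))
    return header + body


def parse_ospf(pkt):
    """Decode the OSPF header; for a Hello, also decode the body and neighbor list."""
    version, ptype, length, rid, aid, _csum, autype = struct.unpack("!BBH4s4sHH", pkt[:16])
    if version != 2:
        raise ValueError(f"OSPF version {version} not supported")
    if ptype not in OSPF_TYPES:
        raise ValueError(f"unknown OSPF packet type {ptype}")
    if length > len(pkt) or length < HEADER_LEN:
        raise ValueError("bad OSPF length")
    info = {"type": OSPF_TYPES[ptype], "router_id": _str(rid), "area_id": _str(aid), "auth_type": autype}
    if ptype == 1:
        body = pkt[HEADER_LEN:length]
        mask, hello_int, options, priority, dead_int = struct.unpack("!4sHBBI", body[:12])
        info.update(network_mask=_str(mask), hello_interval=hello_int, options=options,
                    priority=priority, dead_interval=dead_int,
                    dr=_str(body[12:16]), bdr=_str(body[16:20]),
                    neighbors=[_str(body[i:i + 4]) for i in range(20, len(body), 4)])
    return info


def hello_compatible(mine, theirs):
    """Checks a router makes before accepting a neighbor's Hello (RFC 2328, 10.5):
    same area, same mask, same Hello and Dead intervals. A mismatch means no adjacency."""
    return all(mine[k] == theirs[k] for k in ("area_id", "network_mask", "hello_interval", "dead_interval"))


def neighbor_state(my_router_id, their_hello):
    """Init once a Hello is heard; 2-Way once our own Router ID is in its neighbor list."""
    return "2-Way" if my_router_id in their_hello["neighbors"] else "Init"


# Constructed exchange on segment 10.0.12.0/24 (not a real capture).
R1 = build_hello("1.1.1.1", "0.0.0.0", "255.255.255.0", 10, 40, 1, "0.0.0.0", "0.0.0.0", [])
R2 = build_hello("2.2.2.2", "0.0.0.0", "255.255.255.0", 10, 40, 1, "0.0.0.0", "0.0.0.0", ["1.1.1.1"])
R3_BAD_TIMERS = build_hello("3.3.3.3", "0.0.0.0", "255.255.255.0", 30, 120, 1, "0.0.0.0", "0.0.0.0", [])

if __name__ == "__main__":
    mine, r2, r3 = parse_ospf(R1), parse_ospf(R2), parse_ospf(R3_BAD_TIMERS)
    print(r2["type"], "from", r2["router_id"], "neighbors:", r2["neighbors"])
    print("R1 sees R2 as", neighbor_state("1.1.1.1", r2))
    print("R3 hello compatible with R1:", hello_compatible(mine, r3))
```

The same decoding applied to a real GNS3 capture (Wireshark filter `ospf`) lets you watch the neighbor list grow from empty to containing the peer's Router ID, which is the moment the state changes to 2-Way; the R3 case shows why a timer mismatch leaves two routers stuck without ever forming an adjacency.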


3.2 BGP

Cisco BGP-4 Command and Configuration Handbook [10]

BGP neighbor establishment process (capture and analyze)

BGP message types (Open, Update, Keepalive, Notification)

IBGP, RR, RR client and EBGP concepts and configuration

Basic BGP routing policy
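For the neighbor-establishment and message-type items, the following added Python example (not code from the original article or its author) constructs the OPEN and KEEPALIVE messages two peers exchange, plus a NOTIFICATION, and parses them with the header checks RFC 4271 requires: a 16-byte all-ones marker, a length between 19 and 4096, a known type, and a KEEPALIVE of exactly 19 bytes. It also shows how the hold time is negotiated as the smaller of the two proposed values. The AS numbers, router IDs and timers are constructed values.

```python
import ipaddress
import struct

MARKER = b"\xff" * 16                      # all ones (RFC 4271, section 4.1)
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
NOTIFY_CODES = {1: "Message Header Error", 2: "OPEN Message Error", 3: "UPDATE Message Error",
                4: "Hold Timer Expired", 5: "Finite State Machine Error", 6: "Cease"}
MIN_LEN, MAX_LEN = 19, 4096


def _header(length, mtype):
    return MARKER + struct.pack("!HB", length, mtype)


def build_open(asn, hold_time, bgp_id):
    """OPEN with version 4, no optional parameters (no capabilities)."""
    body = struct.pack("!BHH4sB", 4, asn, hold_time, ipaddress.IPv4Address(bgp_id).packed, 0)
    return _header(MIN_LEN + len(body), 1) + body


def build_keepalive():
    return _header(MIN_LEN, 4)


def build_notification(code, subcode, data=b""):
    body = bytes([code, subcode]) + data
    return _header(MIN_LEN + len(body), 3) + body


def parse_message(buf):
    """Parse one BGP message from the front of buf; return (info, remaining bytes)."""
    if len(buf) < MIN_LEN:
        raise ValueError("need at least 19 bytes for a BGP header")
    if buf[:16] != MARKER:
        raise ValueError("connection not synchronized (bad marker)")
    length, mtype = struct.unpack("!HB", buf[16:19])
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"bad message length {length}")
    if mtype not in BGP_TYPES:
        raise ValueError(f"bad message type {mtype}")
    if len(buf) < length:
        raise ValueError("message truncated")
    body = buf[MIN_LEN:length]
    info = {"type": BGP_TYPES[mtype], "length": length}
    if mtype == 1:
        version, asn, hold, bgp_id, optlen = struct.unpack("!BHH4sB", body[:10])
        if hold in (1, 2):
            raise ValueError("unacceptable hold time")  # RFC 4271, section 6.2
        info.update(version=version, asn=asn, hold_time=hold,
                    bgp_id=str(ipaddress.IPv4Address(bgp_id)), opt_param_len=optlen)
    elif mtype == 3:
        info.update(error_code=NOTIFY_CODES.get(body[0], body[0]), subcode=body[1])
    elif mtype == 4 and length != MIN_LEN:
        raise ValueError("KEEPALIVE must be exactly 19 bytes")
    return info, buf[length:]


def parse_stream(buf):
    """Split a captured TCP byte stream (port 179) into its BGP messages."""
    msgs = []
    while buf:
        info, buf = parse_message(buf)
        msgs.append(info)
    return msgs


def negotiated_hold_time(my_hold, their_open):
    """RFC 4271, section 4.2: each side uses the smaller of its own and the peer's value."""
    return min(my_hold, their_open["hold_time"])


# Constructed session between R1 (AS 65001) and R2 (AS 65002); not a real capture.
R1_TO_R2 = build_open(65001, 180, "1.1.1.1") + build_keepalive()
R2_TO_R1 = build_open(65002, 90, "2.2.2.2") + build_keepalive()
R2_CEASE = build_notification(6, 2)  # Cease / Administrative Shutdown (RFC 4486)

if __name__ == "__main__":
    for m in parse_stream(R2_TO_R1):
        print(m)
    print("R1 negotiated hold time:", negotiated_hold_time(180, parse_stream(R2_TO_R1)[0]))
    print(parse_stream(R2_CEASE)[0])
```

Seeing OPEN, then KEEPALIVE in each direction is the OpenSent → OpenConfirm → Established sequence you will watch in a capture; a NOTIFICATION with code 6 (Cease) is what appears when one side does `neighbor ... shutdown`, and the negotiated hold time of 90 explains why the keepalive timer on the side that proposed 180 is shorter than its configuration suggests.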

If you plan to take the CCNP, it is recommended to look at the question bank, the exam outline and the study guide. Personally, I do not recommend the CCNP; you can directly choose a direction and prepare for the CCIE.


4. Security CCIE Preparation

CCIE has many tracks; Routing & Switching and Service Provider are the most popular. Because of project needs I had to specialize in security, so I chose CCIE Security. The most important part of the SP direction is MPLS VPN; the must-read book is "MPLS and VPN Architectures" [12], with Volume 1 as the main text and Volume 2 as a supplement. There is also some multicast and L2VPN content. It is recommended not to start with the CCIE lab question bank right away. First go through the knowledge points, and experiment with each one. After that, working through the lab question bank becomes easy, and the final preparation before the exam is a matter of command-line proficiency.


4.1 Construction of the test environment

In the CCIE Security exam, the lab topology devices are basically IOS-XR, and much of the configuration syntax differs slightly from IOS. The topology that truly mirrors the exam can be built with XRv [13]. XRv consumes a lot of system resources, so for learning the ordinary knowledge points I still recommend GNS3: the mechanisms are the same and only the configuration syntax differs, GNS3 is essentially "plug and play", building a topology is very simple, and, more importantly, capturing packets with Wireshark is very convenient. Training in IOS-XR configuration can begin later, when practicing on the real lab questions.


4.2 IGP

In the CCIE SP track exam, the IGP part is relatively simple: basically single-area OSPF or IS-IS with IPv4 + IPv6. In the exam, the IGP is the foundation for all later configuration, especially BGP. Because the IBGP neighbors use Loopback0 as the update-source, make sure all Loopback0 interfaces within a BGP AS can ping each other (IPv4 + IPv6). Be familiar with ping, extended ping, traceroute and the other troubleshooting tools, because mistakes are inevitable; one configuration line missing or one line too many is very common, so basic troubleshooting ability is essential.


4.3 BGP

Be familiar with IBGP, EBGP and RR-client configuration. Then comes the basic configuration of MPLS VPN with PE and CE. Finally there are the several Inter-AS VPN options, as well as CSC.

Troubleshooting is the same as before: all kinds of ping and show commands, jumping from device to device to find the point of failure.


4.4 Multicast

The concept of multicast is rather abstract if you only read about it, so I did a lot of experiments, including building a multicast source myself with Python and some other software.
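As an added example of such a home-made multicast source (this is not the author's script; it is written here for illustration), the following Python program implements both ends on one host: a sender with a TTL of 1 so the traffic stays on the local segment, and a receiver that joins the group with IP_ADD_MEMBERSHIP, which is what triggers the IGMP membership report a router needs to see before it forwards the group. The group address 239.1.1.1 (administratively scoped) and port 5007 are constructed lab values.

```python
import ipaddress
import socket
import threading
import time

# Constructed lab values: an administratively scoped group (239/8) and an unprivileged port.
MCAST_GROUP = "239.1.1.1"
MCAST_PORT = 5007


def is_multicast(addr: str) -> bool:
    """224.0.0.0/4 is the IPv4 multicast range; 239/8 is the administratively scoped part."""
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network("224.0.0.0/4")


def membership_request(group: str, iface: str = "0.0.0.0") -> bytes:
    """struct ip_mreq for IP_ADD_MEMBERSHIP: group address, then the local interface
    address (0.0.0.0 lets the kernel choose). Joining sends an IGMP report, which is
    what an upstream router must see before it forwards the group onto the segment."""
    if not is_multicast(group):
        raise ValueError(f"{group} is not a multicast group")
    return socket.inet_aton(group) + socket.inet_aton(iface)


def make_sender(ttl: int = 1) -> socket.socket:
    """UDP socket for a multicast source. TTL 1 keeps the traffic on the local
    segment; raise it only as far as the intended multicast domain reaches."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_LOOP, 1)  # let a local receiver hear it
    return s


def make_receiver(group: str, port: int, iface: str = "0.0.0.0") -> socket.socket:
    """UDP socket bound to the group port that has joined the group."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", port))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, membership_request(group, iface))
    return s


def run_demo(count: int = 3, timeout: float = 2.0):
    """Start a receiver thread, send `count` datagrams to the group, return what was heard."""
    received = []
    rx = make_receiver(MCAST_GROUP, MCAST_PORT)
    rx.settimeout(timeout)

    def listen():
        try:
            for _ in range(count):
                data, (src, _port) = rx.recvfrom(1024)
                received.append((src, data.decode()))
        except socket.timeout:
            pass

    t = threading.Thread(target=listen)
    t.start()
    tx = make_sender(ttl=1)
    for i in range(count):
        tx.sendto(f"hello {i}".encode(), (MCAST_GROUP, MCAST_PORT))
        time.sleep(0.1)
    t.join()
    tx.close()
    rx.close()
    return received


if __name__ == "__main__":
    for src, msg in run_demo():
        print(f"{src} -> {MCAST_GROUP}:{MCAST_PORT}: {msg}")
```

Run it with Wireshark open on the interface and filter on `igmp || udp.port == 5007`: the join appears as an IGMP membership report before any data, and in a GNS3 topology the router's `show ip igmp groups` and `show ip mroute` output changes at the same moment. If `sendto` fails with "Network is unreachable", the host has no route covering 224.0.0.0/4; add one, or set IP_MULTICAST_IF to the address of the interface you want the source to use.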


5. Follow-up

Learning network knowledge is not just about obtaining a CCIE Security certification. After you get the certification you still need to keep learning. First, knowledge is forgotten. Second, new technologies emerge in an endless stream, such as SDN and containers; you can also take the CCIE RS exam, and so on.

