The CCNA SECURITY lab shares most of its hardware with the routing and switching (R&S) track. You need one more piece of hardware if you already have 3 routers and 3 switches. Here is my input on finding the right hardware. I should note that these recommendations are based on my experience and outcomes.
Let's start with all the technologies that you must master for the CCNA Security:
Hash algorithms, digital signatures, certificates, Public Key Infrastructure (PKI), AAA, Adaptive Security Appliance (ASA), Virtual Private Networks (VPN), RADIUS, TACACS+, 802.1X, IP Security (IPsec), clientless SSL remote access VPN, AnyConnect SSL remote access VPN, IPsec site-to-site VPN on Cisco routers and ASA firewalls, Cisco IOS role-based CLI access, securing routing protocols, control plane policing, DHCP snooping, Dynamic ARP Inspection, L2 port security, BPDU guard, root guard, loop guard, private VLANs, Network Address Translation (NAT), Zone-Based Firewalls (ZBF), Intrusion Prevention System (IPS)
With this info, here are my recommendations:
If you got this switch for your CCNA, CCNP SWITCH studies, then you are already set!
I recommend getting 3 of each. The switches are mostly used for practicing AAA concepts, 802.1X authentication, Cisco IOS role-based CLI access, and layer 2 security. These topics are on the CCNA and CCNP SWITCH exams, so lab work will be a review mostly.
If you got this router for your CCNA, CCNP ROUTE studies, then you are already set!
I recommend getting 3 of each. The 2800 is end of life, but is still supported by Cisco. It’s the best bang for the buck right now. Like the switches, you will work on hash algorithms, digital signatures, certificates, Public Key Infrastructure, role-based access, AAA, RADIUS, and TACACS+. The specific router topics you will master are: IPsec site-to-site VPN, routing protocol security, NAT, and ZBF. Make sure you are running the Advanced Security code.
Cisco ASA 5505:
The Cisco Adaptive Security Appliance 5505 model is designed for small to medium size security solutions. The good news for those building home labs is this device is now going to be sunset by Cisco in a few years, so look for decommissioned enterprise units to become available on the re-seller market! I suggest getting 1 ASA with a Security Plus license.
Here are some of the other items you need to get up and running:
WAN Interface Cards (WIC) – For your routers to make serial connections. WIC-2T will give you enough connections for your router triangle. Get 3 of these.
Ethernet (straight through & cross over) cables and a console cable.
Serial cables for routing links. Use WIC-2T cables.
You should also invest in the Cisco lab workbook.
As always, do your research!
Places I buy equipment:
Cables and kits
My CCNA SECURITY Lab (phase 1)
2 x 2811 ISRs w/ 2 WIC-1T serial cards – enterprise edge routers
1 x 2610XM w/ 2 WIC-1T serial cards – ISP router
3 x 2950 catalyst switches – LAN switches (1 installed)
3 x 2610 (using as end user test devices)
1 x 5505 (currently deployed as a firewall)
Not in use:
1 x 4402 Wireless LAN Controller (for phase 2 and testing)