CCNA Security Home Lab

The CCNA SECURITY lab shares most of its hardware with the routing and switching (R&S) track. If you already have 3 routers and 3 switches, you need only one more piece of hardware. Here is my input on finding the right hardware. I should note that these recommendations are based on my experience and outcomes.

Let's start with all the technologies that you must master for the CCNA Security:

Hash algorithms, digital signatures, certificates, Public Key Infrastructure (PKI), AAA, Adaptive Security Appliance (ASA), Virtual Private Networks (VPN), RADIUS, TACACS+, 802.1X, IP Security (IPsec), clientless SSL remote access VPN, AnyConnect SSL remote access VPN, IPsec site-to-site VPN on Cisco routers and ASA firewalls, Cisco IOS role-based CLI access, securing routing protocols, control plane policing, DHCP snooping, Dynamic ARP Inspection, L2 port security, BPDU guard, root guard, loop guard, private VLANs, Network Address Translation (NAT), Zone-Based Firewalls (ZBF), Intrusion Prevention System (IPS).

With this info, here are my recommendations:


Catalyst 2960

If you got this switch for your CCNA or CCNP SWITCH studies, then you are already set!

I recommend getting 3 of each. The switches are mostly used for practicing AAA concepts, 802.1X authentication, Cisco IOS role-based CLI access, and layer 2 security. These topics are on the CCNA and CCNP SWITCH exams, so lab work will be a review mostly.


2800 Series

If you got this router for your CCNA or CCNP ROUTE studies, then you are already set!

I recommend getting 3 of each. The 2800 is end of life, but is still supported by Cisco. It’s the best bang for the buck right now. Like the switches, you will work on hash algorithms, digital signatures, certificates, Public Key Infrastructure, role-based access, AAA, RADIUS, and TACACS+. The specific router topics you will master are: IPsec site-to-site VPN, routing protocol security, NAT, and ZBF. Make sure you are running the Advanced Security code.

Security Appliance:

Cisco ASA 5505:



The Cisco Adaptive Security Appliance 5505 model is designed for small to medium size security solutions. The good news for those building home labs is this device is now going to be sunset by Cisco in a few years, so look for decommissioned enterprise units to become available on the reseller market! I suggest getting 1 ASA with a Security Plus license.

Here are some of the other items you need to get up and running:

Router Modules:

WAN Interface Cards (WIC) – For your routers to make serial connections. WIC-2T will give you enough connections for your router triangle. Get 3 of these.


Ethernet (straight through & cross over) cables and a console cable.

Serial cables for routing links. Use WIC-2T cables.

You should also invest in the Cisco lab workbook.

As always, do your research!


Places I buy equipment:



Cables and kits


My CCNA SECURITY Lab (phase 2)


2 x 2811 ISRs w/ 2 WIC-1T serial cards – enterprise edge routers

1 x 2610XM w/ 2 WIC-1T serial cards – ISP router

3 x 2950 catalyst switches – LAN switches (1 installed)

3 x 2610 (using as end user test devices)

2 x 5505 (currently deployed as a firewall)

1 x 3620 router – (currently deployed as terminal server)

Not in use:


Posted in Certification, Skill Development
