CCIE Security 400-251 V5.0 Written Exam – Learn How to Pass It in 2019!

By Paul Adam
Today, I want to talk about the CCIE Security Written Exam: what it is, what has changed recently, and what it takes to pass. If you are planning to sit for it in the near future, I bet you can’t afford to miss this discussion.
First, let me share some context. The CCIE Security Written Exam is known as 400-251 and the current version is 5.0. It was last updated in January 2017, when Cisco brutally revised the previous V4.1 blueprint by adding newer categories and topics. In addition, on August 30th 2018, or about 6 months ago, Cisco added Evolving Technologies V1.1 with more focused content around cloud, SDN and IoT technologies, and that applies to all of the Written Exams, NOT just Security. This exam covers so many software stacks and code bases that it is mind bending. Don’t believe me? Let me lay it out for you: ASA OS, Fire OS, IOS-XE, OpenDNS, ISE (Identity Services Engine), ACS, WLC, Cisco APIC – you name it. What didn’t change is the passing score on the test, which still stands at 825. Let me share some observations based on the changes in the official V5.0 Cisco blueprint. Looking at the bigger picture, Cisco is an acquisition machine and bought a bunch of companies in the Security space over the past two years, including Lancope (Network Behavioral Analysis, or NBA), OpenDNS (cloud-delivered security, now branded as Cisco Umbrella), and Sourcefire (the Firepower product line), to name a few. These product lines, in addition to organically built solutions such as Cisco ACI, made it into the current V5.0 Security blueprint.
Now, before we move on from this, I want to remind you that Cisco has committed to making minor exam changes every year and major changes every 3 to 5 years. Cisco defines minor and major changes as content updates of 20% or less and 50% or more respectively. How do you know if an update is a minor or a major change? Easy! For example, going from V5.0 to V5.1 is a minor change as per Cisco, whereas going from V5.0 to V6.0 would be considered a major change – I bet you can expect that to happen in 2020. Looking forward, in the V6.0 blueprint I am expecting to see Cisco add technologies and solutions from more recent acquisitions such as Observable Networks, Skyport Systems, and Duo Security. Last but not least, the CCIE program team has committed to announcing upcoming exam changes 4 to 6 months in advance, so all of us have a chance to parse them.
Now, let me break down the Security V5.0 Exam blueprint for you. It comprises 6 sections: Perimeter Security and Intrusion Prevention (with products such as Firepower and ASA); Advanced Threat Protection and Content Security (again with products such as WSA, ESA, AMP and various security protocols); Secure Connectivity and Segmentation (IPsec, TrustSec, GETVPN, DMVPN etc.); Identity Management, Information Exchange, and Access Control (Cisco ISE, RADIUS, TACACS+, WLAN security and corresponding protocols such as EAP); Infrastructure Security, Virtualization, and Automation (network attacks, Cisco ACI, NetFlow, ACLs etc.); and Evolving Technologies. These sections carry weights ranging all the way from a meager 10% to a whopping 22%. Speaking of section weights, let me simplify them for you. On-prem FW/IPS and Identity topics carry a combined weight of 43%, whereas cloud-delivered threat prevention represents about 17%, so on-prem and cloud-delivered security combined make up more than half, or 60%, of the exam, which makes sense since we’re talking about a Security exam. VPN technologies, Infrastructure Security and Automation combined represent about 30% of the exam, so that’s your 90% when combined with on-prem and cloud-delivered security. Last but not least, Evolving Technologies carries 10% of the weight.
Now, let me share with you some specific guidance on how you can best prepare for the Security Written Exam. If on-prem or cloud-delivered threat prevention topics make you nervous, i.e. topics such as Cisco Firepower, ASA, the AMP solution, or Cisco ISE, then you are NOT ready to take the exam just yet. You can’t screw these up and still pass the exam. Why? As we discussed earlier, more than half of the questions on the exam are going to come from those three sections.
Now, let’s say you are feeling pretty good about the on-prem and cloud-delivered security exam topics, i.e. 60% of the exam. Next up is the combination of VPN technologies, Infrastructure Security, Virtualization and Automation. What am I talking about? These sections cover topics such as DMVPN, GETVPN, the IKE/IPsec protocols (remember IKE Main and Aggressive Modes and Diffie-Hellman?) and tunneling technologies. Again, if you find yourself clueless about most of those topics, then the bad news is that you are not ready to face the exam just yet. On the other hand, if you feel pretty good about them, you are still only barely ready to take the exam. Why? Because your margin of error is about 4-5 questions, or 50 points give or take. Which brings me to the final section, Evolving Technologies. This, at least for now, is pretty much theoretical as far as the CCIE exams are concerned: as we speak, Evolving Technologies is not part of any of the CCIE Lab exams. In order to comfortably tackle the exam, you have to feel somewhat confident about cloud, SDN, SD-WAN, network programmability and IoT topics.
Now, what I have not discussed thus far, i.e. the elephant in the room, is HOW you prepare for those sections and save yourself a costly exam retake. Well, you need to tap into as many resources as you can.
There is a big difference between preparing for the first time and sitting for a recert or retake. If this is your first time, I’d strongly suggest going with a structured learning approach from a reputable exam prep provider, i.e. someone who can give you a good balance of learning and passing the test. Beyond that, I’d advise you to spend as much time as you can on Cisco.com. Why? Well, it is Cisco’s exam, and the quote-unquote correct answers are whatever Cisco considers correct as documented on Cisco.com. Be sure to read between the lines. What am I talking about? Say you are reading about Cisco Umbrella, AMP, TrustSec, or ACI and ASAv integration; then you need to pay attention to all of the caveats in the Cisco IOS XE, ASA and Fire OS implementations of those protocols and technologies, so read the usage guidelines, limitations, and notes when you are going through a CVD, SRND, TAC docs, best-practices white papers and what have you. That last bit also applies to you if you are sitting for a recert, because you don’t pay attention to all that oddball stuff while doing your day job.
Finally, there is yet another set of topics that most of you don’t get to work on in your day-to-day job, and that is Evolving Technologies. What makes this section challenging? Well, unlike the other sections, where your single source of truth is Cisco.com, the Evolving Technologies topics are a wild mix of non-Cisco subjects thrown together. IMO, your best source for those topics, besides structured learning (i.e. a study guide and what have you), is the INTERNET itself. You should spend some time reading about the Evolving Technologies exam topics on websites such as Wikipedia, cloud vendor websites such as AWS, Azure and Google Compute Engine, and SDxCentral, just to name a few to get you started.
I hope you found this article helpful, and I look forward to hearing from you about what your learning goals are for 2019 and what steps you are taking to achieve them, now that we are almost two months into it!