
Inside the CCIE Security v6 Lab Topology

If you are sitting the CCIE Security v6.1 lab, you already know it is not a knowledge test. It is an eight-hour configuration exam on a topology that mixes Cisco ASA, FTD, FMC, ISE, WSA, ESA, Stealthwatch, Catalyst, and a handful of clients into one live network. You either know what each device is doing and can fix it under time pressure, or you do not pass.

This guide walks the actual v6 lab topology end to end. You will see every device class on the rack, the software versions Cisco currently ships in the lab pod, the security zones the exam pivots on, and the four realistic ways to build a practice environment that mirrors it: physical hardware, Cisco Modeling Labs (CML), EVE-NG, and hosted labs. By the end, you will know which path actually scales to a 25+ device CCIE Security topology and which one quietly stops working halfway through your study plan.

CCIE Security v6 Lab Topology at a Glance

Before getting into the device list, here is how the four common ways to build a CCIE Security practice lab compare on cost, realism, and how closely they match the production exam pod.

Practice Option | Multi-Vendor Images | Matches Exam Pod | Scales to Full Topology
Physical hardware (full rack) | Hardware only | Yes (closest) | Yes, but fixed and noisy
Cisco CML (self-hosted) | Cisco-only images | Partial (no FTD/FMC at full fidelity) | Limited by host RAM
EVE-NG self-hosted | Yes (ASA, FTDv, ISE, WSA, ESA images) | Close, if you supply licensed images | Capped by host hardware
Hosted CCIE Security lab (CloudMyLab) | Yes, pre-loaded | Yes, sized for the pod | Yes, on cloud infrastructure

A full physical rack is the closest match to the real exam, and almost no individual candidate can justify it. Self-hosted CML and EVE-NG can take you a long way if you have the workstation and the licensed images, with EVE-NG winning on Cisco security image coverage. A hosted lab swaps the setup tax for a subscription and is usually the right answer for a candidate working full time.

If you are studying solo, the right choice depends on your hardware, your access to legitimate Cisco security images, and how much of your study time you are willing to lose to building the lab instead of using it. If you are running training for a team, CloudMyLab's hosted lab platform gives every engineer the same pre-built CCIE Security pod without a $50K hardware purchase or per-engineer image licensing.

What is the CCIE Security v6 lab topology?

The CCIE Security v6 lab topology is a simulated enterprise network used in the Cisco CCIE Security v6.1 lab exam. It combines physical Cisco appliances (ASA, Catalyst switches, ISR routers, WLC) with virtual security appliances (ISE, FMC/FTDv, WSA, ESA, Stealthwatch, Cisco Catalyst Center) and client systems running Windows and Kali Linux, segmented into Inside, Outside, DMZ, Management, user, and server zones. The exam asks you to design, configure, and troubleshoot security policies across all of it inside a single eight-hour window.

Two things make this topology different from the other CCIE tracks. First, it is appliance-heavy. You are not just configuring routing and switching; you are running NGFW, identity, web/email security, threat detection, and automation on dedicated platforms that each have their own management plane. Second, integrations matter as much as individual configs. ISE-to-Firepower SGT enforcement, ASA-to-AnyConnect-to-ISE posture, FMC correlation policies, Stealthwatch flow ingestion: the lab is graded on how cleanly the pieces talk to each other, not just whether each box passes a show command.

The v6.1 update tightened that integration story further. Cisco pulled in more automation (Catalyst Center, Python, REST APIs against ASA/FMC/ISE), more cloud-edge security (Umbrella, SASE concepts), and more zero-trust mechanics (continuous posture, SGT-based microsegmentation). If you studied for an older revision, those four areas are where the gap shows up first.

The Full CCIE Security v6 Device List and Versions

The v6 pod is split between physical hardware and virtual appliances. Cisco does not publish exact image versions on the candidate-facing blueprint, but the platforms below are what the v6.1 lab consistently exercises and what you should be running in any serious practice environment.

Physical hardware in the v6 lab

Device Class | Common Models | Role in the Lab
Next-gen firewall | Cisco ASA 5500-X (e.g., 5506-X), Firepower 1000/2100 series | Perimeter, NAT, ACLs, IPsec/SSL VPN, HA pairs
Layer 2/3 switching | Catalyst 3650, 3850, 9300 | VLANs, trunking, SVIs, 802.1X authenticator, MACsec
Routing | Cisco ISR (4000 series), occasional ASR | Routing protocols, GETVPN, DMVPN, IOS zone-based firewall
Wireless | WLC (e.g., 2504, 3504) with AP 1850/1852 | 802.1X over wireless, guest portal integration

You should be configuring these against a current IOS XE / ASA 9.x / FTD 7.x train. Older code skips features the exam tests, particularly TrustSec and modern IKEv2.

Virtual appliances in the v6 lab

Virtual Appliance | Function | Key Features Tested
Cisco ISE (Identity Services Engine) | AAA, identity, posture | 802.1X wired/wireless, RADIUS/TACACS+, SGTs, profiling, posture, BYOD
Firepower Threat Defense (FTDv) + FMC | NGFW + IPS | Access control, intrusion policies, URL filtering, AMP, identity-aware rules
Cisco WSA (Web Security Appliance) | Web filtering | URL categories, HTTPS decryption, malware scanning, identity-based policy
Cisco ESA (Email Security Appliance) | Email security | Anti-spam, anti-virus, content filters, DLP, encryption
Cisco Stealthwatch (now Secure Network Analytics) | Network visibility | NetFlow ingest, behavioral analytics, host groups, alarms
Cisco Catalyst Center (formerly DNA Center) | Automation, SD-Access | Policy authoring, SGT distribution, fabric provisioning
Cisco Umbrella (in v6.1) | Cloud-delivered security | DNS-layer security, SIG tunnels, integration with FTD
Duo, AnyConnect | MFA + remote access | AnyConnect SSL VPN, posture, Duo MFA into ASA/FTD

Two endpoint types round out the topology: a Windows 10 client and a Windows Server (typically used as the Active Directory and CA host that ISE binds to), plus a Kali Linux box used for traffic generation, attack simulation, and DLP/IDS testing. If your practice setup does not include a working AD-joined Windows client, you cannot meaningfully test the ISE side of the topology.

For broader context on the platforms that show up in CCIE Security practice (CML, EVE-NG, and how they stack up), the EVE-NG vs CML comparison walks through what each emulator can host.

Security Zones and Traffic Flows in the v6 Topology

The CCIE Security topology is built around six logical zones. The exam grades you not on the existence of these zones but on how cleanly traffic moves between them under your security policy.

  • Inside. Trusted corporate network where authenticated users sit. Highest privilege.
  • Outside. Untrusted Internet. Default-deny inbound, controlled outbound.
  • DMZ. Public-facing servers (web, mail relay, sometimes a reverse proxy). Specific allow rules in both directions.
  • Management. Out-of-band network for device administration. Locked down, often on its own VRF or VLAN.
  • User segments. Multiple VLANs split by role: corporate, BYOD, guest, voice, contractor.
  • Server segments. Internal application and data tiers, segmented from users by Firepower or zone-based firewall on the ISR.

The traffic flows the exam keeps coming back to are the boundaries between these zones. ASAs (or FTDs) at the Internet edge handle Outside/DMZ and Outside/Inside. Firepower behind the ASA, or an FTD running in routed mode, inspects east-west traffic between user and server zones with identity-aware rules pulled from ISE. AnyConnect remote-access VPN drops users into a dedicated Inside subnet and then runs them through posture before promoting their session to a higher SGT. Site-to-site IPsec or GETVPN tunnels glue branch topologies into the corporate Inside. Cross-zone filtering between server tiers usually involves SGT-based access on Catalyst switches with TrustSec, with Stealthwatch ingesting flow data from every L3 hop for visibility.

VLAN design is its own checkpoint. The lab expects user VLANs, multiple server VLANs with different security requirements, voice VLANs, a tightly locked management VLAN, and an isolated guest VLAN that can only reach the Internet. If you are building a practice topology, get the VLAN plan right before you start configuring ISE. Half the ISE failures candidates hit are downstream of a sloppy VLAN map.

The CCIE Security v6.1 Blueprint Mapped to the Topology

The v6.1 blueprint splits into a 3-hour design module and a 5-hour deploy/operate/optimize module. Below is how each blueprint domain lands on the physical and virtual devices in the topology.

Perimeter security and intrusion prevention (NGFW)

This is the ASA, FTDv, and FMC half of the rack. You will configure zone-based firewall policies, NAT (static, dynamic, PAT), IPsec site-to-site VPNs (IKEv1 and IKEv2), AnyConnect remote-access SSL/IPsec VPN, and ASA/FTD high availability in active/standby and active/active modes. On Firepower you are writing access control policies, intrusion policies (NGIPS), URL filtering, AMP for Networks, file policies, and identity-aware rules that pull from ISE. Expect at least one task that involves ASA-to-FTD migration mechanics or a mixed deployment where AnyConnect terminates on the ASA but identity context comes from ISE.

NAT is one of those areas where shallow practice catches candidates out; see What is NAT and how it works if you need a refresh on the fundamentals before configuring it under exam pressure.

Secure connectivity and segmentation (ISE + TrustSec)

ISE drives identity. Tasks include 802.1X for wired and wireless access (Catalyst as authenticator, WLC as authenticator on the wireless side), RADIUS and TACACS+ for AAA, full policy sets covering authentication, authorization, posture, and profiling, TrustSec with SGTs for role-based enforcement on Catalyst and Firepower, MACsec for L2 encryption between switches, and AD integration with the Windows Server in the lab. Posture assessment usually shows up as a remediation flow: a non-compliant client gets quarantined, runs the AnyConnect posture module, and is promoted into a higher-trust SGT once it passes.

Threat detection, response, and visibility

Stealthwatch (Secure Network Analytics) ingests NetFlow from the routers and switches, generates host group baselines, and fires alarms on behavioral anomalies. The exam asks you to configure flow exporters, build host groups, tune alarms, and trace an indicator back through the topology. Rapid Threat Containment is the integration showpiece: an alert in Stealthwatch or Firepower triggers an ISE policy change that quarantines the offending endpoint via change-of-authorization (CoA). SecureX (now folded into the broader Cisco XDR story) ties threat intelligence across the stack.

Web and email security

WSA handles outbound web traffic with URL categories, HTTPS decryption, malware scanning, and identity-aware policies that pull username/group from ISE. ESA handles inbound and outbound email with anti-spam, anti-virus, content filters, DLP, and email encryption. Expect at least one task that requires you to chain the two: sending a suspicious attachment from ESA to AMP for analysis, or proving that a WSA HTTPS decryption policy works against a specific user group.

Automation and programmability

This is the biggest delta in v6.1 over earlier revisions. Cisco Catalyst Center handles policy management, SGT distribution, and SD-Access fabric provisioning. You will write Python scripts that hit the ASA, FMC, and ISE REST APIs, sometimes via Postman as a sanity check, and you will be expected to read and modify Ansible or Terraform-style infrastructure-as-code definitions. The blueprint does not require you to be a software engineer, but it does expect you to read a JSON payload, send a POST to an FMC endpoint, and parse the response without panicking.

The design module on day one of the lab pulls from all five domains. You sketch security solutions on paper — firewall placement, policy flows, identity boundaries — before you ever touch a CLI on day two.

How to Practice the CCIE Security Lab: Hardware vs CML vs EVE-NG vs Hosted

There are four realistic ways to build a CCIE Security v6 practice environment. Each one trades cost, fidelity, and the amount of your study time you spend building the lab instead of using it.

Physical hardware

A full physical CCIE Security rack is the most accurate practice environment because it is essentially a clone of the exam pod. It is also the option almost no individual candidate can justify. A working setup needs at least two ASAs (with HA), one or two FTD appliances, an FMC server, a Catalyst 9300 (or 3850 minimum), an ISR 4000-series router, a WLC and AP, plus a server-class machine to host ISE, WSA, ESA, Stealthwatch, and Catalyst Center as VMs. New, you are looking at $50K–$100K-plus. On the secondary market, a stripped-down rack might land in the $15K–$30K range, but you inherit older code and the noise, heat, and power footprint of a small server room.

Hardware also does not solve the virtual appliance problem. ISE, WSA, ESA, FMC, FTDv, and Stealthwatch all run as VMs regardless. You still need a hypervisor host with serious RAM (64 GB minimum, 128 GB more realistic) sitting next to the rack.

Cisco Modeling Labs (CML)

CML is the official Cisco emulator. It runs on your workstation or a small server, uses licensed Cisco images, and integrates cleanly with the rest of the Cisco learning ecosystem. CML is excellent for the routing, switching, and IOS XE side of the CCIE Security topology, including ASAv. Where it gets thinner is around the security appliances. ISE, FMC/FTDv, WSA, and ESA run as standard OVAs, so you can host them on the same hypervisor that CML runs on, but they are not native CML node types. The result is a practice setup where you treat CML as the routing/switching backbone and stand up the security VMs alongside it on ESXi or KVM.

CML also wants resources. A CCIE Security-scale topology with the security appliances bolted on tends to need 64 GB+ of RAM on the host. Most laptops cannot run this. A dedicated workstation gets you there for $1,500–$3,000.

EVE-NG

EVE-NG, especially the Pro edition, is the most popular self-hosted choice for CCIE Security practice. It ingests almost every Cisco security image as a custom node, including ASAv, FTDv, FMC, ISE, WSA, ESA, Stealthwatch, Catalyst Center, and AnyConnect. The catch is the same one CML has: you have to source those images legally. Cisco does not redistribute them, so most candidates pull them from an employer's licensed lab, a Cisco partner program, or a paid training platform that provides them.

For a side-by-side of EVE-NG against CML, the EVE-NG vs CML comparison walks through licensing, image support, and where each one breaks for security work. For Community vs Pro (relevant because Pro is what most CCIE Security candidates run), see EVE-NG Community vs EVE-NG Professional.

Hosted CCIE Security labs

A hosted lab is EVE-NG, CML, or a custom topology running on cloud hardware that someone else maintains. You log in through a browser, every image is already provisioned and licensed, the topology mirrors the v6 pod, and you focus on configuration instead of build. For the CCIE Security workload specifically, the math gets compelling fast. A hosted lab with the full security appliance stack already loaded saves the 30–60 hours most candidates burn on initial image sourcing and setup, and it sidesteps the workstation purchase.

CloudMyLab's hosted CCIE Security lab ships with the v6.1 topology pre-built, including ISE, FMC/FTDv, WSA, ESA, Stealthwatch, and Catalyst Center, and runs on infrastructure sized for the full pod. Hosted EVE-NG, GNS3, or CML is the right fit if you want to bring your own topology to a managed environment instead.

The honest tradeoff is this. Hardware is closest to the real exam and almost nobody outside a Cisco partner can afford it. Self-hosted CML or EVE-NG is the right answer if you have the workstation, the licensed images, and the patience for setup. A hosted lab is the right answer if you value your study hours and want the topology to match the exam pod from day one.

Choosing Your CCIE Security Practice Path

The right CCIE Security practice path is not the same answer for everyone. It depends on whether you have legitimate access to Cisco security images, how much hardware you already own, and how much of your study time you can afford to spend building the lab.

If you are... | Best CCIE Security practice path
A Cisco partner or have a licensed enterprise lab | EVE-NG Pro self-hosted on a 128 GB workstation
A working engineer with a strong workstation but no images | Hosted CCIE Security lab (pre-loaded images, sized for the pod)
Already deep in CML for routing/switching | CML on the workstation, plus the security VMs alongside
Time-constrained, studying nights/weekends | Hosted lab; do not lose Saturdays to image debugging
A team lead training multiple CCIE candidates | Managed hosted platform, one environment per engineer
Wanting to keep practicing post-exam in real architectures | Hosted lab; same environment carries into production simulations

The most common mistake is buying an aging $20K used rack, then quietly switching to EVE-NG four months in because the appliance images are not on the hardware anyway. If you are not a Cisco partner, do not have a licensed image source, and do not already own a 128 GB workstation, a hosted lab is almost always the cheaper and faster path to the lab pod.

If your time matters more than the subscription, start with a CloudMyLab hosted CCIE Security lab or try the free trial before you commit. For the broader landscape of cloud-based training environments, see Cloud-Based Training Labs. For where CCIE Security sits inside the wider Cisco certification path, see the Network Engineer Certifications and Career Paths guide.

Frequently Asked Questions

What is the CCIE Security v6 lab topology?

The CCIE Security v6 lab topology is a simulated enterprise network used in Cisco's CCIE Security v6.1 lab exam. It combines physical Cisco hardware (ASA, Catalyst switches, ISR routers, WLC) with virtual security appliances (ISE, FMC/FTDv, WSA, ESA, Stealthwatch, Catalyst Center) and Windows and Kali Linux clients, segmented into Inside, Outside, DMZ, Management, user, and server zones.

What devices and software versions are on the CCIE Security v6 lab?

The v6.1 lab pod runs Cisco ASA 5500-X (typically 5506-X) and Firepower 1000/2100-class NGFWs, Catalyst 3650/3850/9300 switches, ISR 4000-series routers, a WLC (2504/3504) with APs, and virtual appliances for ISE, FMC + FTDv, WSA, ESA, Stealthwatch (now Secure Network Analytics), Catalyst Center, Umbrella, AnyConnect, and Duo. Cisco does not publish exact image versions, but candidates should practice on current ASA 9.x, FTD 7.x, IOS XE, and recent ISE releases.

How do I practice for the CCIE Security v6 lab without buying hardware?

Most candidates practice on a self-hosted EVE-NG Pro setup with licensed Cisco security images, on Cisco CML for the routing and switching side combined with security VMs on a separate hypervisor, or on a hosted lab service that ships the v6 topology pre-built. A full physical rack costs $50K–$100K and is almost never justified for an individual.

What is the difference between CCIE Security v6.0 and v6.1?

The v6.1 update added more automation and programmability (Cisco Catalyst Center, Python scripting, REST APIs against ASA/FMC/ISE, infrastructure-as-code), more cloud-edge security (Umbrella, SASE concepts, centralized policy), more zero-trust mechanics (continuous identity and posture verification, SGT-based microsegmentation), and tighter integrations across ISE, Firepower, Stealthwatch, and SecureX/XDR for rapid threat containment.

How much does the CCIE Security lab exam cost?

The CCIE Security lab exam fee is $1,600 USD per attempt. Including travel ($500–$1,000 if you sit a remote test center) and courseware or mentorship ($1,000–$3,000), candidates typically budget $3,000–$5,000 on top of whatever they spend on a practice lab. Retake fees are also $1,600.

How difficult is the CCIE Security v6 lab exam?

The CCIE Security v6.1 lab is an eight-hour, hands-on exam split into a three-hour design module and a five-hour deploy/operate/optimize module. Most candidates have five to seven years of professional experience before sitting it, and historic first-attempt pass rates have been low. Time management across the topology is usually the deciding factor, not raw technical knowledge.

Is EVE-NG or CML better for CCIE Security practice?

EVE-NG Pro tends to be the better fit for CCIE Security practice because it natively supports Cisco's security appliance images (ASAv, FTDv, ISE, WSA, ESA, Stealthwatch) as custom nodes. CML excels at routing and switching with first-class Cisco support, but most security appliances run as separate VMs alongside it rather than as native CML nodes. The right answer depends on which images you can legally source.

What is the best hosted lab for CCIE Security v6.1?

CloudMyLab offers a hosted CCIE Security lab pre-built with the v6.1 topology, including ISE, FMC/FTDv, WSA, ESA, Stealthwatch, and Catalyst Center, on cloud infrastructure sized for the full pod. Other hosted training options include INE and selected Cisco Learning Partners.