WordPress blog information about the changes made to the GNS3 BGP, MPLS and R&S CCIE labs.

In order to access and download all provided materials and receive important updates for the above posts under the GNS3 tab in the main header, please go ahead and subscribe to !

All other posts have not been affected and can be accessed at any given time.


Hi All !

Just like with the R&S, MPLS and BGP setups, this post is dedicated to best practice for setting up a CCIE Security lab in GNS3, and I want to show you how to set up a practice rack!

Below you will find initial CCIE Security configs for the following topologies/series (IPExpert and Netmetric initial configs will become available at a later date):


CCBootcamp Security – see below image

CCBootcamp initial configs: R1cc   R2cc   R3cc   R4cc   R5cc   R6cc   R7cc   R8cc   SW1cc   SW2cc   SW3cc   SW4cc   Frame_switchcc   IDScc   BB1cc   BB2cc   ASA1cc   ASA2cc

[Image: CCBootcamp Security topology]


INE Security – see below image and initial configs (I have decided to use a different topology for INE, as the previous one only had one backbone router and it’s way more fun with more of them)

INE initial configs: R1   R2   R3   R4   R5   R6   SW1   SW2   SW3   SW4

[Image: CCIE Security INE topology]

IPExpert Security – see below image



Netmetric – see below image :


I have spent a number of long hours preparing the above GNS3 topology to make it work with almost any lab scenario you can find on the internet, and I believe it is ready to go. I will soon attach a GNS3.NET.FILE so you will be able to build it in exactly the same way on your PC. As you know from my previous posts about the R&S, BGP and MPLS GNS3 topologies, it is crucial to connect all devices exactly as specified in the GNS3.NET.FILE, as otherwise the setup will not work efficiently. Then, when you launch it, you will be able to copy and paste the provided initial configs (basic routing protocols, IP addresses, VLANs etc.) into every device and start labbing.



There’s not a lot of switching in security. The Vlans doc contains all the VLANs that you will need regardless of which series you’re going through, so simply paste those into the switches at the very beginning, then use all the remaining configs.

In order to fully run this GNS3 CCIE Security network on your machine you need the following:

1. A high-end system with a good processor and plenty of RAM, preferably 8GB or more. Also close programs and Windows services that you don’t use before running GNS3; this way you can save (precious) CPU and RAM.

2. The latest IOS versions (at least to support new commands and features), with your routers configured to use the correct amount of RAM, which you can check in their documentation on the Cisco website. My router’s IOS requires at least 128MB, and when I don’t change the default of 64MB it still runs but always crashes after some time.

3. When starting your topology, I recommend starting the devices one at a time. On the first router of each model (if you use different models in a topology), after starting it, configure and select an Idle-PC value that uses low CPU. I always open Task Manager when using GNS3 so I can monitor the CPU and RAM usage.

4. The ASA must have the asa842 (5520) GNS3 image on it.

5. The IDS must have the IDS\IPS Qemu\IPS Qemu GNS3 image on it.

6. VMware with Windows XP or Professional (TEST PC).

7. An AAA Windows licence, which you run on another VM (AAA_SERVER).



I’ve been dealing with this issue all day today. In my case, the issue was that if I have TWO of the NM-16ESW cards installed into a 37xx router, back-to-back L3 links with IP addresses work fine but I cannot ping SVIs on the switch.

For example:

Router6 (f0/0) -> SW2 (f1/6)

If Router6’s interface has an IP address assigned and SW2’s interface has an IP address assigned, everything works great with two cards installed.
However, if Router6 has an IP address assigned (or subinterfaces) and SW2 is an access port on VLAN 1, the SVI for VLAN 1 on SW2 cannot be pinged. CDP still shows the connection up, but pings do not get through.
Note that this issue will occur even if all your connections are on the first slot’s NM-16ESW module — the second one just needs to be present in order to break things. Removing the second NM-16ESW module from my SW2 router fixed all my issues; looks like a GNS3 internal bug.
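
A pre-flight check for the NM-16ESW problem described above, as an added example that is not part of the original post: it scans a topology file and reports any device that carries the module in more than one slot. The file layout (Dynagen-style `[[ROUTER name]]` blocks with `slotN = ...` keys, as written by GNS3 0.8.x) and the sample topology are assumptions constructed for illustration.

```python
import re

# Constructed sample in the Dynagen-style layout of GNS3 0.8.x .net files
# (assumed format; device names follow the post, values are illustrative).
SAMPLE_NET = """\
[127.0.0.1:7200]
    [[3745]]
        image = c3745-advipservicesk9-mz.124-25d.bin
        ram = 128
    [[ROUTER R6]]
        model = 3745
        f0/0 = SW2 f1/6
    [[ROUTER SW1]]
        model = 3745
        slot1 = NM-16ESW
    [[ROUTER SW2]]
        model = 3745
        slot1 = NM-16ESW
        slot2 = NM-16ESW
        f1/6 = R6 f0/0
"""

SECTION = re.compile(r"^\[\[(?:ROUTER\s+)?(.+?)\]\]$")
SETTING = re.compile(r"^(\S+)\s*=\s*(.*)$")

def parse_devices(text):
    """Return {subsection name: {key: value}} for every [[...]] block."""
    devices, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = SECTION.match(line)
        if section:
            current = devices.setdefault(section.group(1), {})
        elif line.startswith("["):
            current = None  # new hypervisor block, no device open yet
        elif current is not None and SETTING.match(line):
            key, value = SETTING.match(line).groups()
            current[key] = value
    return devices

def double_esw_devices(text, module="NM-16ESW"):
    """Names of devices that carry the switch module in more than one slot."""
    return sorted(
        name for name, cfg in parse_devices(text).items()
        if sum(re.fullmatch(r"slot\d+", k) is not None and v == module
               for k, v in cfg.items()) > 1
    )
```

Run `double_esw_devices()` on the text of your own topology file before starting the lab; any name it returns is a switch router to strip back to a single module.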



As you can see, a TEST_PC is not included in every topology; however, from my experience it is definitely good practice to have one, and you will most definitely need one when configuring the IPS appliance (see below). Simply attach one of your Microsoft loopback adapters to the TEST_PC cloud, assign it an IP address relevant to the series that you’re watching, and allow it on the trunk.

You should be able to ping the IPS and connect to it on port 443 from the browser on your physical machine; see the output below from my PC:

[Images: ids ping, ids image]


Caution! This setup will crash your PC, so please remember that it is crucial to make sure you have a super fast processor and enough RAM, but once you’ve got it all it works perfectly!

This post will be publicly open until all config files have been uploaded; after that it will be available to subscribed members only, so please go ahead and subscribe!


Enjoy !


About ccie4all
Hello, and welcome to the first post of my CCIE blog. This blog has got one simple goal and that is to improve our skills in Cisco Networking field so we can become best engineers on a job market. Enjoy ! Tom

25 Responses to CCIE SECURITY GNS3

  1. Bunge Toweett says:

    Hi Tom, Great site you have here and you deserve a pat on the back for all the hard work you are doing here. Good luck on your R&S lab too. I am also studying for my CCIE-Sec and hoping to get it completed by June next year. I was looking at your security page and I can’t seem to find the GNS3 configs for the security lab? How can I access those? Thanks.

    • ccie4all says:

      Hello Bunge ! Thanks so much !
      Security is an amazing area and most likely the one I’m going to go after once R&S is done, which I’m hoping to pass by Sept this year. I was never able to find any good GNS3 Sec lab setup on the internet and in the end decided to create one myself, and it works great as long as the PC is in good shape!
      I will post the GNS3 net file explaining how to build this set up and all initial configs as soon as I have them all completed and tested !
      Will keep you guys posted


  2. Akuavi says:

    Hello Tom,

    do you have IPExpert initial configs ?
    thank you

    • ccie4all says:

      Hello Akuavi,

      Sure, you can find initial configs for INE, IPExpert and CBTnuggets CCIE series under

      Simply build the topology I have posted then copy and paste all configs to each device and you’re ready to go !


      • Akuavi says:

        Hello Tom,

        I was talking about the ccie security

        thank you

      • ccie4all says:

        Hello Akuavi,

        🙂 my mistake !!

        Of course! I will dig them up very soon, make sure they match the GNS3 CCIE Sec topology and make them available!


  3. Dele says:

    Hello Tom,
    I can’t begin to imagine the time you have put in to make all this happen given the constraints of work and lab prep.. 99 stars to you men and more grease to your thumbs!!! since you don’t type with your elbows.

    • ccie4all says:

      Hello Dele,

      Haha the hardest part was to make it functional with all of these ccie video series so we don’t have to build a separate lab for each!


  4. justin says:

    Hi, could you post what routers, and ios version you used ?

    I can see that you used 3745 routers in the net file, but I’m not sure if you used 3745 image, or what..?

    Thank you.

    • ccie4all says:

      Hi Justin,

      Sure, 80% of the time I use c3745-advipservicesk9-mz.124-25d.bin except when for instance I’m practising ZBF where I use c7200-adventerprisek9-mz.124-22.T.bin


  5. Great work, but what about the ISR G2, ISE, WSA, 3750 x-series and ASA x-series? How effective will CCIE security v4 studies be using GNS3 without those key components?

    • ccie4all says:

      Hi Tony !
      Apologize for the late reply ! You are absolutely correct, unfortunately due to GNS3 limitations it is not possible at the moment to simulate some of the appliances so the only way to have for instance ISR G2 and ISE would be to connect real devices to GNS3 using breakout switch.

      This topology I’ve built and been practising based on the IPExpert , INE and CCBootcamp CCIE Security v3 workbooks so in order to prepare for v4 we would have to do some tweaking around.

      Best Regards!

  6. olu007 says:

    Hi Tom, Great job you’ve done for this CCIE stuff. Well done.
    Please where can I find the net file for INE. You have the image but not the net file.

    Thanks for your support.



    • ccie4all says:

      Hi Olu,

      Firstly, massive thank you for the comment!

      Certainly , you need to download the NET_FILE from the website (scroll down and it’s just under Netmetric topology) and based on it build your network in GNS3 or other network simulator….

      The final lab look is how it is presented at the beginning of this post !

      ….then simply copy and paste the initial config into each device and the lab’s ready to go ! Of course you must have workbooks to go through the lab and practise etc …


  7. Ayedh says:

    Hi Tom,

    What an amazing job done here, thanks Tom. It will be great if there is an update to match INE CCIE Security v4. No one has tackled it yet!


    • ccie4all says:

      Thanks so much for the great comment Ayedh!
      Definitely CCIE Secv4 is something to think about soon !

      • Kash says:

        Dear Tom,can u kindly upload a video for ccie security in gns3 explaining step by step configuration

  8. Miguelon says:

    hi i see the new lab have 4 asa and you have only 2 why?

  9. Sandip Dey says:

    Hi Tom. When it comes to Cisco I see all of us like you in the same boat. Just completed CCNA R&S and looking for CCNP. You are doing an awesome job. May God bless you and give you success in your life. I am sure with your hard work you can clear all 5+ CCIEs. I have a lot to learn from you and will keep visiting this site as I love your blog.

    • ccie4all says:

      Hi Sandip! Thanks so much for the great feedback , there’s more to come soon !
      We all know it’s not easy but most definitely we’ll all get there in the end !

  10. aflatoon says:

    Hi friends

    There is a book about Cisco ASA, “Cisco ASA Second Generation’s OS 9.x”.
    It contains:
    Contents At A Glance
    Section I. Firewall Overview
    Chapter 1 Firewall Introduction
    Chapter 2 ASA Introduction
    Chapter 3 ASA Basics
    Section II. Routing on ASA
    Chapter 4 Routing Introduction
    Chapter 5 RIP
    Chapter 6 EIGRP
    Chapter 7 OSPF
    Chapter 8 IPv6 Introduction
    Chapter 9 SLA
    Chapter 10 Multicasting
    Section III. Access-list & NAT
    Chapter 11 Introduction of Access-list
    Chapter 12 NAT on OS 8.0
    Chapter 13 NAT on
    Chapter 14 CTP
    Section IV. IPSec Introduction
    Chapter 15 Overview of IPSec
    Chapter 16 Site-Site VPN
    Chapter 17 Remote Access VPN
    Chapter 18 VPN Load balancing
    Chapter 19 SSL VPN
    Section V. Advance Firewall Features
    Chapter 20 Transparent Firewall
    Chapter 21 Context
    Chapter 22 Failover
    Chapter 23 MPF
    Section VI. OS 9.x Advance Features
    Chapter 24 OSPFv3
    Chapter 25 NAT on OS 9.2.x on IPv6
    Chapter 26 Site-Site VPN on IPv6
    Chapter 27 SSL VPN on IPv6
    Chapter 28 BGP
    Chapter 29 Dynamic Routing in Context
    Chapter 30 Site-Site VPN in Context
    Chapter 31 Clustering
    Chapter 32 Management of ASA
    Chapter 33 IPv6 Active-Standby FO
    Chapter 34 IPv6 Active-Active FO
    Practicals Covered in this book
    1. ASA_BASIC
    2. ASA_Static_&_Default
    3. ASA_RIP
    4. ASA_EIGRP
    5. ASA_OSPF
    6. ASA_SLA
    7. ASA_CTP
    8. ASA_Multicasting
    9. ASA_ACL_&_Objects
    10. ASA_ipv6_static_default
    11. ASA_NAT_8.0
    12. ASA_NAT_9.2
    13. How_To_Configure_2003_As_CA
    14. How_To_Configure_2008_As_CA
    15. How_To_Configure_2012_As_CA
    16. How_To_Configure_IOS_As_CA
    17. ASA_s2s_pre_8.0
    18. ASA_s2s_rsa_8.0
    19. ASA_s2s_overlapping_subnet
    20. ASA_s2s_pre_ikev1
    21. ASA_s2s_rsa_ikev1_2003_ca
    22. ASA_s2s_pre_ikev2
    23. ASA_s2s_rsa_ikev2_2008_ca
    24. ASA_s2s_rsa_ikev2_ios_Ca
    25. ASA_s2s_rsa_ikev2_2012_Ca
    26. ASA_ra_pre_8.0
    27. ASA_ra_rsa_8.0
    28. ASA_ra_ikev1_pre
    29. ASA_ra_ikev1_rsa
    30. ASA_ssl_8.0
    31. ASA_ssl_9.2
    32. ASA_vpn_load_balancing
    33. ASA_Transparent_firewall
    34. ASA_context
    35. ASA_Inter_context_routing
    36. ASA_active_standby_fo
    37. ASA_active_active_fo
    38. ASA_mpf
    39. ASA_EC_RE
    40. ASA9.x_bgp
    41. ASA9.x_clustering
    42. ASA9.x_dynamic_routing
    43. ASA9.x_ospfv3
    44. ASA9.x_s2s_in_context
    45. ASA9.x_ssl_ipv6
    46. ASA9.x_ipv6_s2s
    47. ASA9.x_ipv6_nat
    48. ASA9.x_ipv6_active_standby_fo
    49. ASA9.x_ipv6_active_active_fo

    Download Link

    Don’t forget to say thanks to aflatoon as well as the Author

    because he deserves it

    • Akuavi says:

      hello aflatoon

      could you please put back the link ?
      thank you

    • Emmanuel says:

      Please the link specified above is no more available. kindly help me with a valid link direct to my box. Thank you.

  11. Thanx for posting. It had been certainly excellent reading regarding your whole opinion of this subject matter. I had been in search of this type of write up for some time, and amazingly I came across your site. I am hoping you will continue to keep supporting people in the same manner in future also.
