There are still a few days left to get any questions you might have about the CCIE Security Lab Exam in to Yusuf Bhaiji, but hurry - the discussion ends Monday 13 Sept!


Thank you to all those who have submitted questions and comments to our blog and our CCIE Instructors. If you have a question, please email them to

Question 1:

Can anyone explain what is VPN intercept?

Bhavik Joshi

VPN Intercept can mean a few different things, depending on the specific context.

One interpretation is from a driver perspective, where a VPN connection breaks the binding between TCP/IP and the physical interface, acting as a shim.  See also:

Another meaning can be in regards to intercepting SSL traffic.

See also:
PPTP attacks:
Cisco - VPN-based IPv4 Lawful Intercept Taps -

Answered by: Marvin Greenlee, CCIE #12237

Question 2:

Dear Valuable Technical Teachers and Friends,

First of all, I wish to thank you for your great support to all those who are preparing for their network studies. I completed my CCNA two years back. Now I am preparing for the next step. At this point, I am a bit confused about deciding whether I should do CCNP or CCIE (R&S). I would like to reach a top level in Cisco networking technology, so I am requesting your suggestions on which is best for me.

Also can you suggest any good simulators to improve my practical skills.

K.Saleem Jaffer

Thanks for the question. Having the CCIE certification makes for an excellent stepping stone in a technical career. An important aspect of successfully passing the CCIE lab exam is a very solid understanding of all the technologies involved. A great way to prepare for this is through the CCNP level of studies. If a person chooses that path, they would do well to take time to learn the technologies while studying CCNP, and not have the feeling of just learning enough to pass a CCNP written exam. By truly learning the core technologies in CCNP, it will serve as a springboard into the CCIE studies. Many candidates waste large amounts of time in complex configurations because they are lacking the basic understanding of the protocols and technologies that make up the scenario. I would recommend a 1-2 year plan that begins with CCNP, carries into CCIE studies, and ends with you attaining your CCIE. Best wishes in your studies and journey.


Answered by: Keith Barker, CCIE #6783

Question 3:


Would you mind explaining the benefit of the command "area x nssa default-information-originate"? I know how we use it, but I don't know its benefit. And do we use this command on ALL of the routers or just the ABR? When we don't use this, what will happen?

thanks a lot
timaz mohsenzadeh

The benefit of having a default route is that you have somewhere to send traffic when you don't have more specific information.

One point of using stub areas in OSPF is to minimize the information in the OSPF database.

With a stub area, you will have some OSPF routes, but not external routes (E1/E2) in the stub area.  So, if somewhere else across the topology, there is redistribution happening, the device in the stub area won't know about the redistributed networks.  Having a default route out to the ABR can be all that a stub area needs, if the ABR has the routing information to send the traffic forward to the destination.

The R&S Advanced Technologies Class section on OSPF area types shows the difference of not having this command, as well as looking at the contents of the OSPF database.


Answered by: Marvin Greenlee, CCIE #12237
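Added here as an illustration of the point above (not part of Marvin's answer): a constructed OSPF configuration showing where the command belongs. Addresses, process IDs and area numbers are assumptions; the ABR carries the keyword, the internal NSSA router only needs the area type.

```cisco
! ---- ABR between area 0 and NSSA area 1 (constructed example) ----
! Area 1 is an NSSA, so Type-5 external LSAs from the rest of the
! topology never enter it. Redistributed networks from other areas are
! therefore unknown inside area 1 unless a default route is provided.
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 1
 ! "default-information-originate" makes the ABR inject a Type-7 default
 ! (N2 0.0.0.0/0) into area 1. With plain "area 1 nssa" the area 1
 ! routers would have no default and would drop traffic to those networks.
 area 1 nssa default-information-originate
!
! ---- Internal router inside area 1 (not an ABR) ----
! Every router in the area must agree on the area type, but only the
! ABR needs the default-information-originate keyword.
router ospf 1
 network 10.1.1.0 0.0.0.255 area 1
 area 1 nssa
```

If the NSSA ABR also has `no-summary`, inter-area routes are suppressed as well and the injected default becomes the only way out of the area.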

Question 4:

Hi everybody
I have a question regarding ISDN backup. I have two Cisco routers: an 800 (IOS 12.4(15)T5) and a 1600 (IOS 12.1(4)). The 800 router is the primary link with SHDSL and the backup router is the 1600 with ISDN. I have OSPF running between these two routers and HSRP. Now when the primary link (SHDSL) fails, the backup router (1600) should take over. How can I solve this problem? Or what is a suitable solution? I have searched various forums and Cisco, but I can't find any sample according to my example. I am going to be a CCNA. But I guess there is much left to learn.

Thanks for your help.

Regards Alen

Firstly, you don't need OSPF unless you have IGP requirements for other routers behind the border routers (the 800 and the 1600). You only need HSRP running between the routers and a reliable static route on the primary gateway (SHDSL). Next, configure HSRP to track the static route object in the primary router, and lower the priority when the static route fails. Your Cisco 800 should support this functionality, and the 1600 only needs to know if the active router changes. So here are the steps:

1) Create an IP SLA object in the 800 router, pinging your provider's IP ("ip sla" command)
2) Create an object tracking the state of the IP SLA ping object ("track" command)
3) Create a static default route in the 800 pointing to your ISP and tracking the object above
4) Configure static default route in the 1600
5) Configure HSRP so that 800 is the primary gateway
6) Configure the HSRP to track the object you created before ("standby XX track" command)
7) Ensure HSRP is configured to preempt so primary router may kick back in when the link recovers

This will ensure automatic switchover upon the loss of the primary connection and automatic return back to normal. You may want to read

for more information on reliable static routes.

Answered by: Petr Lapukhov, CCIE #16379
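Added here as a worked illustration of steps 1-7 above (not part of Petr's answer): a constructed configuration for both routers. All addresses, interface names and the command forms for 12.4(15)T and 12.1(4) are assumptions, and the ISDN dialer setup on the 1600 is left out.

```cisco
! ---- Cisco 800 (primary, SHDSL) -- assumed 12.4(15)T syntax ----
! Constructed placeholders: LAN 192.168.1.0/24, HSRP virtual gateway
! 192.168.1.1, provider next hop 203.0.113.1.
!
! Step 1: IP SLA probe that pings the provider's IP every 5 seconds
ip sla 1
 icmp-echo 203.0.113.1
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Step 2: object tracking the probe's reachability
! (12.4(15)T uses "rtr"; later releases accept "track 1 ip sla 1 reachability")
! Dampening avoids flapping the default route on a single lost ping.
track 1 rtr 1 reachability
 delay down 10 up 30
!
! Step 3: default route to the ISP, withdrawn from the RIB when track 1 is down
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
!
! Steps 5-7: active HSRP gateway. When the probe fails the priority drops
! 110 -> 90, below the 1600's 100; preempt lets the 800 take the VIP back
! once the SHDSL link recovers.
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
!
! ---- Cisco 1600 (backup, ISDN) -- 12.1(4) syntax ----
! Step 4: static default via the ISDN dialer interface (dialer/ISDN config omitted)
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! Step 5: standby HSRP gateway. Preempt is needed here too, otherwise the
! 1600 would not take over when the 800's priority falls below 100.
interface Ethernet0
 ip address 192.168.1.3 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 100
 standby 1 preempt
```

Verify on the 800 with `show track 1` and `show standby brief` while the provider IP is unreachable: the track should read Down, the default route should leave `show ip route`, and the 1600 should show as Active.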


Looking over the questions asked to Maurilio Gorito during the latest R&S Ask The Expert Session, I tried to summarize some information and outline the new exam format. Here is how it looks to me so far.

The exam consists of three sections. A candidate must obtain the PASS mark in *every* section in order to pass the exam. All three sections are tested in sequence and grading occurs at the end of the exam. Even if the candidate fails any of the sections, he won't know about this until the exam ends and grading has been performed. A candidate may finish any section in advance and move forward to the next section, which might be considered a time-management strategy. However, the candidate is not allowed to return to any previous section after it's finished.

The following is the list of the exam sections:

(1) Open Ended Questions (OEQ) (0.5 hours): Four questions in total; a candidate needs to answer three of the four questions correctly to get the PASS mark in this section. A human grades the results. Most times, an answer could be as short as two or three words. Questions deal with the understanding of the theoretical concepts of the lab exam and don't require intensive memorizing. The only tool the candidate has access to will be Windows Notepad, and no access to the DocCD is provided during this section.

(2) Troubleshooting Section (2 hours): Initial configurations are loaded in the candidate's rack, and the candidate is presented with a troubleshooting scenario, formatted as a series of trouble tickets. Additionally, L2/L3 and IGP diagrams are presented for reference. The section consists of approximately 10-15 tickets. Every ticket has a point value associated with it, and tickets DO NOT depend on each other (this is important to avoid cascading effects). The results are graded by the verification script and confirmed by a human. A relative score of 80% of the total section score must be obtained to get the PASS mark for this section. It is important to understand that this section is completely independent of the Configuration section that follows.

(3) Configuration Section (5.5 hours): This is a new scenario on a new logical topology, different from the one presented during the Troubleshooting section. Of course, this section has its own initial configuration, which most likely includes IP addressing and basic IGP/BGP settings. The formatting is similar to the old exam, with the tasks, point allocation per task, diagrams and so on. The approximate number of tasks here is 25-30. The section results are graded by the verification script and confirmed by a human. A relative score of 80% must be obtained to get the PASS mark for this section.

It is rumored, but not confirmed officially, that the OEQ section has 21 points and the Troubleshooting + Configuration sections have 79 points allocated. This allocation may change with time, but apparently the fact that all task points sum to 100 remains true. And again, you have to obtain approximately 80% of the points in every section (around 80 points total) to pass the exam.

Finally, on the new topics being added to the exam. It appears that the major stress will be on new routing features, such as MPLS VPN and EIGRPv6. However, the MPLS VPN tasks will be pretty basic, not covering any advanced scenarios such as CsC, Inter-AS VPN, mVPN, MPLS TE and so forth. For the other new technologies added to the lab:

1) PfR (Performance Routing). Should be pretty basic, and does not require any deep knowledge of PfR. Will not appear in all labs.
2) Security features: IPS and Zone-Based Firewall are NOT covered in depth either. Only basic configuration of the IPS feature is required, with no deep understanding of the signature engines and signature tuning. Most likely you just need to know the basic configuration scenarios and be able to copy-adapt-paste the configuration samples from the DocCD.
3) 802.1x IBNS. All you need is to know how to set up the 802.1X control. No RADIUS server will be present in the lab, so this part is pretty basic as well.
4) SDM will not be present in the lab ISRs, so all configurations are purely CLI-based.

I'll be updating this post to reflect any new information posted in the NetPro forum thread.


The “Ask the Expert” sessions are open question and answer sessions with an actual CCIE lab proctor. The excerpts below were taken from the most recent session.

In regards to security topics on the exam:
The security topics listed below are defined by the R&S lab blueprint and make up about 6-8% of the exam:

1. AAA
2. Security server protocols
3. Traffic filtering and firewalls
4. Access lists
5. Routing protocols security, catalyst security
7. Other security features

In regards to IP Services topics on the exam:
Cisco is not testing Mobile IP. VRRP and GLBP will fall under IP/IOS Features. The total points for this section are around 8 points which includes all other content.

In regards to how the lab tasks need to be completed and how the lab is structured:
There is no mandatory order in which you must complete the exam. You can start in any section, skip sections, and come back to sections at a later time. The exam is structured on a basic flow such as: Switching, IGP, IP/IOS Features, QoS, Multicast, Security and BGP. But again you can do it in any order. Naturally some sections, such as IGP, depend on Switching, so it is suggested that you start with Switching to build the basic foundation, then start with the basic IGP. Later, you can come back and complete the more advanced features on Switching or IGP.

In regards to DVMRP on the lab:
Learn the basics of DVMRP as this topic is not explored in depth on the exam.

In regards to Layer 2 Multicast features (IGMP Snooping, MVR, etc):
You should consider looking at the L2 Multicasting as well when preparing for the exam. Consider looking at Cisco’s Configuring IP Multicast Routing

In regards to adding extra configurations and aliases:
You are not penalized for adding extra configurations as long as this does not break a specific restriction. Aliases don't need to be removed if they do not interfere with accessing the device when the exam is over.

In regards to the cabling of the network and diagrams:
The physical connections are pre-cabled so you don’t need to touch them. In some lab locations the racks are remote so you will not even see them. If you suspect you have a physical problem, ask the proctor to verify it for you. The lab document has L1/L2 diagrams for the physical connectivity as well as an IP or topology diagram and an IP Routing diagram.

In regards to any upcoming lab changes:
There are currently no expected changes regarding the CCIE R&S lab exam. Both the lab blueprint and hardware specifications are expected to stay the same for the next year. Any changes will be announced 5 to 6 months in advance.

In regards to no CCIE labs dates in Sydney, Australia:
Currently the lab location in Sydney, Australia is only staffed by a part-time proctor and therefore only offers limited date availability. Cisco is actively looking for a full time proctor and expects the facility to offer greater lab availability beginning first to second quarter of 2008.

In regards to how points are awarded in the exam:
You are marked down points for incorrect questions, not for entire sections. Suppose you have 4 questions within the QoS section with point totals of 2, 2, 2, and 3 for a total of 9 points. If you get the first 3 correct for this section you would receive 6 points or around a 66% for that section.

What is the acceptable late arrival to the exam center?
If you arrive within the first 2 hours after the exam has begun you can still take the exam, but no extra time will be allotted. If you arrive after the 2 hour mark you will no longer be eligible to take the exam. If you are traveling to take the exam, it is suggested that you plan to arrive the day prior to the day of your exam.

What items are allowed or not allowed in the lab environment?
All personal items must be removed from your person before entering the lab environment, but make sure to bring your identification, as it will be required to register at the reception area prior to the exam. Pens, pencils, scratch paper, etc. will be available for you at the lab location. Food and drinks are generally not allowed unless they are pre-approved by the proctor.

Is food provided by Cisco?
Lunch is provided by Cisco, in either a restaurant style cafeteria or ordered and brought to the facility for you.

What are the bathroom/washroom access policies?
Cisco provides washrooms/bathrooms and break rooms near the lab environment, accessible for the duration of the exam; however, only one lab candidate is allowed at a time.

What types of questions may be asked of the proctor?
You can ask any question that you feel you need clarification on. Proctors are there to help you understand the questions and requirements presented by the test material.

Can we report the proctor for a bad performance, or is there someone else to question regarding hardware issues?
Any issue that you feel has negatively affected your exam can be reported to Cisco customer service. All hardware-related questions or concerns must be brought to the proctor's attention during your lab session. If a problem does in fact exist, any time required to repair the issue will be added to your lab session.

What will happen if tasks within the test conflict with another section of the exam?
If you find that you must configure a device in a way that would affect a previous task restriction, make sure to bring up your concern with the proctor, who will be able to advise you regarding the situation.

