Finally, Cisco has made the official announcement on the upcoming changes for CCIE Security Version 5. The changes to both the written exam and the lab exam go live starting 31st of January 2017, which gives you the usual 6-month window to pass the Version 4 exam before the change to Version 5 occurs. Compared to the old blueprint, there are major changes in both the technical content and the exam delivery format.

As expected, the new exam topics are in line with Cisco’s current Security product line, with pretty much nothing missing. Yes, you got that right! Also, as expected, Cisco is trying to push the same exam delivery model for all CCIE tracks.

Blueprint Technical Topic Changes

We now have a Unified Exam Blueprint, covering topics for both the written and lab exam, similar to the change that was introduced with CCIE Data Center Version 2. The Blueprint for Version 5 is divided into 6 sections, with the last one being relevant only for the written exam:

  • Perimeter Security and Intrusion Prevention
  • Advanced Threat Protection and Content Security
  • Secure Connectivity and Segmentation
  • Identity Management, Information Exchange and Access Control
  • Infrastructure Security, Virtualization and Automation
  • Evolving Technologies*

*Written exam only

Topics removed from both written and lab exams:

  • EzVPN is out now; as expected, Cisco is moving forward with its AnyConnect (IPsec and SSL) Remote Access VPN Client
  • Legacy IPS, or Cisco’s old IPS technology, is out now as well

There are many topics added to the current blueprint. As we no longer have different blueprints for the written and the lab exams, what’s in the blueprint can show up in both exams. Although some technologies cannot be configured in the lab exam because of the lab equipment changes, you might still get questions about these technologies in the new Diagnostic section of the lab exam. This means that you should be prepared for the technologies as per the blueprint, for both exams.

New Version 5 Topics:

  • FirePOWER
  • ASA Clustering
  • NAT for IPv6
  • Cloud Web Security (CWS)
  • Email Security Appliance (ESA)
  • Content Security Management Appliance (SMA)
  • Advanced Malware Protection (AMP)
  • OpenDNS
  • Lancope
  • Virtual Security Gateway
  • TrustSEC with SGT and SXP
  • ISE Personas with multimode deployment
  • MDM Integration with ISE
  • pxGRID
  • Wireless concepts such as FlexCONNECT and ANCHOR
  • NetFLOW/IPFIX and eStreamer
  • APIC-EM Controller
  • RESTful API in scripting languages such as Python
  • Evolving Technologies (Cloud, SDN and IoT) being only in the written exam

Lab Exam Equipment Changes

As previously rumored, in Version 5 we have more equipment going virtual:

  • FirePOWER Management Center version 6.0.1 and/or 6.1
  • FirePOWER NGIPSv version 6.0.1
  • Cisco FirePOWER Threat Defense version 6.0.1
  • FireAMP Private Cloud
  • Cisco ASAv version 9.1
  • Cisco Application Policy Infrastructure Controller Enterprise Module version 1.2
  • Email Security Appliance (ESA) version 9.7.1
  • IOSv L2 version 15.2 (which is virtual IOS for layer 2)
  • IOSv L3 version 15.5(2)T (which is virtual IOS for layer 3)
  • Cisco CSR 1000v version 3.16.02S
  • Cisco Unified Communications Manager version 8.6(1)

Other virtual devices have been kept from previous blueprint, with a version change:

  • Cisco Identity Services Engine (ISE) version 2.1.0
  • Cisco Secure Access Control System (ACS) version
  • Cisco Web Security Appliance (WSA) version 9.2.0
  • Cisco Wireless Controller (WLC) version 8.0.133
  • Test PC is Microsoft Windows 7
  • Active Directory is running on Microsoft Windows Server 2008
  • AnyConnect version 4.2

As for physical devices we have the following devices in Version 5:

  • Cisco Catalyst Switch C3850-12S version 16.2.1
  • Cisco Adaptive Security Appliance: 5512-X version 9.6.1
  • Cisco 2504 Wireless Controller: 2504 version
  • Cisco Aironet1602E version 15.3.3-JC
  • Cisco Unified IP Phone 7965 version 9.2(3)

FirePOWER is the major new addition: both the FirePOWER NGIPS and the FirePOWER Threat Defense (unified code for ASA and FirePOWER Services) are being added, alongside FirePOWER Management Center as the management platform. FireAMP will also be present through the private cloud appliance, used for advanced malware protection through big data analytics, policies, detections, and protections stored locally on premises.

ASA Firewall is now present through the physical model of ASA 5512-X and the virtual model of ASAv. The addition of APIC-EM, which supports both the physical and virtual ASA models, is clearly interesting, as it is strong proof of Cisco’s vision moving forward, which is clearly the adoption of SDN technologies in the Enterprise market.

As expected, ESA has finally been added to the game; even in Version 4 it was supposed to be in the lab exam, but Cisco decided in the end to skip it.

Routers and switches are now virtualized through IOSv for Layer 2/Layer 3 and CSR 1000v, the exception being the 3850 switch model, which is most probably there for some TrustSEC features not supported by virtualization (MACsec, SGT, SXP).

Finally, I would assume that the only reason for the Cisco Unified Communications Manager being in a Security CCIE lab is for the IP Phone to register, which means you need zero knowledge about this technology.

Lab Exam Format Changes

The new lab exam format follows Cisco’s current vision of exam delivery, aimed at properly testing you on different sets of skills. The format is the same one that was introduced with CCIE R&S Version 5, but of course with the Security technical topics instead of R&S ones.

The eight-hour lab format is now divided into three modules, with the order of the modules being fixed as follows:

  • Troubleshooting module
  • Diagnostic module
  • Configuration module

Troubleshooting Module

  • It’s 2 hours in length, and you can optionally borrow 30 minutes from the configuration module.
  • As the name says, it's a troubleshooting section, where you’ll be given a certain number of tickets/incidents that you need to fix. There is no inter-dependency between tickets and you can fix tickets in whatever order you want. You have access to the device consoles in order to reconfigure the network and fix the problems.
  • This module is aimed at testing your troubleshooting technical and methodology skills, and the ability to fix a problem in an unknown network topology within a fixed allocated time.

Diagnostic Module

  • It’s 1 hour in length, and you cannot extend it
  • As the name "diagnostic" suggests, it’s still a troubleshooting section, but in a different format. You’ll be given a certain number of tickets/incidents that you need to fix; there is no inter-dependency between tickets and you can fix tickets in whatever order you want. The challenge is that you have NO access to the device consoles; instead, for each ticket, you’re given many inputs (e-mail threads, diagrams, logs, traffic captures), out of which you have to diagnose the problem and select the correct answer(s)
  • This module is aimed at testing your ability to analyze and correlate multiple inputs related to a network problem within a fixed allocated time; without being given access to the devices, you need to identify the root cause

Configuration Module

  • It’s 5 hours in length, but it can be 4.5 hours if you extended the troubleshooting module
  • As the name says, it's a configuration section, where you’ll be given a certain number of configuration tasks, with access to the device consoles to implement the given requirements. This is nothing else but what was the actual exam itself in version 4, as it had only one module. There will be dependencies between tasks; some of them will be explicitly stated, while others are implicit and you’ll have to figure them out
  • This module is aimed at testing your understanding of a solution design and architecture, of the traffic flows and dependencies within a network when multiple technologies are combined, and your ability to understand network requirements and translate them into a working configuration within a fixed allocated time

Passing the Lab Exam

In order to pass the lab exam, two conditions need to be satisfied:

  • Pass each module: score enough points in each module to meet the minimum cut score for the module
  • Total number of gained points must meet the minimum overall cut-score criteria

As each individual module tests you on a different set of skills, though for the same technologies, the first criterion, having to pass each module, makes sense. This is to ensure that you have proved being an expert not only from the technology point of view, but also through the fact that you can make use of that knowledge to fix various types of problems, being challenged in different ways. The minimum cut-score for each module is unknown, most probably because it could vary between different lab exam versions; for example you might get a more complex Diagnostic section with a lower minimum cut-score, or a less complex Diagnostic section with a higher minimum cut-score.

The second criterion, the minimum overall cut-score, also makes sense. This is probably to ensure that you don’t pass the exam if you passed each individual module with close to exactly the minimum module cut-score. Basically you can have a PASS for each module, but a FAIL for the exam. What this means is that in order to have a PASS for the exam, you need to score more than the minimum cut-score for all modules, or only for some modules.

Although it might seem that you’re walking in blind, since you go to the lab exam without knowing how many points are required to pass and in which of the three modules, this new lab exam format also has some benefits:

  • It gives flexibility, as you can score fewer points in one module because of being less prepared or less knowledgeable, and more points in other modules
  • It gives you a better focus, as you’re no longer chasing points in the exam, you’re now chasing to do your best in each module and prove your skills; this also implies a strategy change for the lab approach
  • By passing the current lab exam format, you’ve become an expert in the field, with certified skills required to implement Cisco’s technologies into today’s and tomorrow’s networks

In conclusion, it's now clear that if you want to become CCIE Security Version 5 certified, you will need more FirePOWER.


Cisco has just announced CCIE Data Center Written and Lab Exam Content Updates. Important dates for the changes are:

  • Last day to test for the v1.0 written - July 22, 2016
  • First day to test for the v2.0 written - July 25, 2016
  • Last day to test for the v1.0 lab - July 22, 2016
  • First day to test for the v2.0 lab - July 25, 2016

Key hardware changes in the v2.0 blueprint are:

  • APIC Cluster
  • Nexus 9300
  • Nexus 7000 w/ F3 Module
  • Nexus 5600
  • Nexus 2300 Fabric Extender
  • UCS 4300 M-Series Servers

Key technical topic changes in the v2.0 blueprint are:

  • EVPN
  • LISP
  • Policy Driven Fabric (ACI)

More details to come!


Cisco has announced their plans to transition the CCIE Service Provider certification blueprint from Version 3.0 to Version 4.0 starting May 22nd, 2015.  The official announcement for the Written and Lab Exam Content Updates can be found here.

There are four key points to this announcement, which are:

  • Lab Exam format changes
  • Hardware & software version changes
  • New technical topics added
  • Old technical topics removed

CCIE SPv4 Lab Exam Format Changes

The Lab Exam format of SPv4 has been updated to follow the same format as the new CCIE Routing & Switching Version 5.0.  This means the exam now consists of three sections: Troubleshooting, Diagnostic, and Configuration.

CCIE SPv4 Hardware & Software Version Changes

Following along with the current CCIE RSv5, CCIE SPv4 now uses all virtual hardware as well.  Specifically the new hardware and software variants are as follows:

  • ASR 9000 running Cisco IOS XR 5.2
  • ASR 1000 running Cisco IOS XE 3.13S.15.4(3)S
  • Cisco 7600 running Cisco IOS 15.5(3)S
  • Cisco ME 3600 running Cisco IOS 15.5(3)S

Both the IOS XR and IOS XE variants are already available as virtual machines that you can download from cisco.com and deploy yourself on VMware ESXi 5.5 and other similar hypervisors. The current IOS XRv release is 5.2.0, and CSR1000v (IOS XE) is 3.13S/15.4(3)S. As for the 7600 and ME 3600 images, I would assume these will run as L2 IOU/IOL images, however I haven’t personally seen either of these compiles yet. The key functionality of them will be based around L2VPN for Ethernet, such as EVC and VPLS, which is not covered in depth in the current SPv3 blueprint.

CCIE SPv4 New Technical Topics Added

With the new IOS XR, IOS XE, and Catalyst IOS code versions used, the following are some of the key new features that have been added to the SPv4 Blueprint:

  • Ethernet VPN (EVPN)
  • Provider Backbone Bridging EVPN (PBB-EVPN)
  • Multicast Label Distribution Protocol (mLDP)
  • Unified MPLS (Seamless MPLS)
  • Locator/ID Separation Protocol (LISP)
  • mGRE VPN
  • IPv6 NAT44/NAT64/6RD
  • MPLS OAM & Ethernet OAM

CCIE SPv4 Old Technical Topics Removed

Frame Relay and ATM, the old holdouts for years, have finally been removed from the CCIE Service Provider Blueprint.  This was expected, as most L2VPN services now focus on Ethernet last mile (EVC, VPLS, L3VPN over Ethernet) vs. legacy Frame Relay and ATM.

More information about our plans for content updates will be available as we get closer to the official release date of the new blueprint.  In the meantime for those of you that want to get in before the Blueprint change I would recommend to book a lab date as soon as possible, and start reviewing our CCIE Service Provider v3 Advanced Technologies Class and CCIE Service Provider v3 Workbook.


As many of you hopefully already know, the CCIE Routing & Switching certification blueprint is changing from version 4 to version 5 on June 3rd 2014. As this date quickly approaches, and as the last of the v4 lab seats are fully booked, it’s time to start planning your attack on the RSv5 blueprint.

While Cisco’s official blueprint for v5 is now more detailed than it has ever been in the past, it still lacks some details in certain areas, for example “Implement, optimize and troubleshoot filtering with any routing protocol.” Additionally it would be difficult to use Cisco’s blueprint for a study plan as it stands in its current linear format. For example “Layer 3 multicast” is listed before “Fundamental routing concepts”, which from a learning perspective doesn’t make sense, because you must understand unicast routing fully before you learn multicast routing. To help remedy this we’ve re-ordered and expanded Cisco’s blueprint into INE’s RSv5 Expanded Blueprint, which you can find below after the jump.

Our CCIE RSv5 Expanded Blueprint is meant to be used as a checklist that you can use as you go through your preparation. This way when you’re finally ready to attempt the lab exam, you can be assured that you’ve at least heard of all the topics in the scope, regardless of how obscure some of them might be. Additionally note that some topics listed below might appear only on the written exam and not the lab exam, such as MPLS Layer 2 VPNs or RIPng, but are still included in our content and the outline below.

The below outline will continue to be updated, so check back periodically during your preparation to see changes, adds, and removes.  Good luck in your studies!

INE's CCIE RSv5 Expanded Blueprint

Release Notes

Note: Topics in strikethrough have been removed.
Topics with * are covered in the Written Exam only.

Edit 2014-04-21 - Removed the following topics:

  • 802.1q Tunneling
  • Flex Links
  • Router IP Traffic Export (RITE)

Edit 2014-04-21 - Marked the following topics as Written Exam Only:

  • Performance Routing (PfR) *
  • IPv6 Tunneling *
  • RIPng *
  • IS-IS *
  • AToM *
  • L2TPV3 *
  • VPLS *
  • GETVPN *
  • IPv6 Multicast Routing *
  • Layer 2 QoS *
  • 802.1x *
  • AAA with TACACS+ and RADIUS *

RSv5 Expanded Blueprint

  • 1. LAN Switching
      • 1.1. VLANs & Trunking
        • 1.1.1. Standard VLANs
        • 1.1.2. Extended VLANs
        • 1.1.3. VLAN Database
        • 1.1.4. Access Ports
        • 1.1.5. 802.1q Trunk Ports
        • 1.1.6. 802.1q Native VLAN
        • 1.1.7. Dynamic Trunking Protocol (DTP)
        • 1.1.8. Trunking Allowed List
      • 1.2. VTP
        • 1.2.1. VTP Version 1, 2, & 3
        • 1.2.2. VTP Authentication
        • 1.2.3. VTP Pruning
        • 1.2.4. VTP Prune Eligible List
        • 1.2.5. VTPv3 & Private VLANs
      • 1.3. EtherChannels
        • 1.3.1. Static Layer 2 EtherChannels
        • 1.3.2. PAgP
        • 1.3.3. LACP
        • 1.3.4. Layer 3 EtherChannel
        • 1.3.5. EtherChannel Load Balancing
        • 1.3.6. EtherChannel Protocol Limiting
        • 1.3.7. EtherChannel Misconfig Guard
      • 1.4. Spanning-Tree Protocol
        • 1.4.1. PVST+
          • STP Root Bridge Election
          • STP Path Selection with Port Cost
          • STP Path Selection with Port Priority
          • STP Convergence Timers
        • 1.4.2. Optional STP Features
          • PortFast
          • UplinkFast
          • BackboneFast
          • BPDU Guard
          • BPDU Filter
          • Root Guard
        • 1.4.3. Rapid-PVST+
          • RSTP Convergence Optimizations
          • Edge Ports
        • 1.4.4. Multiple STP
          • MST Root Bridge Election
          • MST Path Selection with Port Cost
          • MST Path Selection with Port Priority
          • MST and CST/PVST+ Interoperability
          • Multi-Region MST
      • 1.5. 802.1q Tunneling
        • 1.5.1. L2 Protocol Tunneling
        • 1.5.2. Layer 2 MTU
        • 1.5.3. EtherChannel over 802.1q Tunneling
      • 1.6. Miscellaneous
        • 1.6.1. CDP
        • 1.6.2. LLDP
        • 1.6.3. UDLD
        • 1.6.4. CAM Aging Time
        • 1.6.5. SPAN
        • 1.6.6. RSPAN
        • 1.6.7. ERSPAN
        • 1.6.8. Flex Links
        • 1.6.9. Fallback Bridging
        • 1.6.10. Voice VLANs
        • 1.6.11. Smartport Macros
  • 2. Layer 2 WAN Circuits
    • 2.1. HDLC
    • 2.2. PPP
    • 2.3. PPP Authentication
    • 2.4. PPP Multilink
    • 2.5. PPPoE
  • 3. IP Routing
    • 3.1. Protocol Independent IPv4 Routing
      • 3.1.1. IPv4 Addressing
      • 3.1.2. IPv4 ARP
      • 3.1.3. Longest Match Routing
      • 3.1.4. Administrative Distance
      • 3.1.5. Static Routing
      • 3.1.6. Route Recursion
      • 3.1.7. Egress Interface vs. Next Hop Static Routing
      • 3.1.8. Default Routing
      • 3.1.9. CEF
      • 3.1.10. Floating Static Routes
      • 3.1.11. Backup Interface
      • 3.1.12. IP Service Level Agreement
      • 3.1.13. Enhanced Object Tracking
      • 3.1.14. Policy Routing
      • 3.1.15. Policy Routing and IP SLA
      • 3.1.16. Local Policy Routing
      • 3.1.17. GRE Tunnels
      • 3.1.18. IP in IP Tunnels
      • 3.1.19. Tunnels & Recursive Routing Errors
      • 3.1.20. On Demand Routing
      • 3.1.21. VRF Lite
      • 3.1.22. Bidirectional Forwarding Detection
      • 3.1.23. Performance Routing (PfR) *
    • 3.2. Protocol Independent IPv6 Routing
      • 3.2.1. IPv6 Link-Local Addressing
      • 3.2.2. IPv6 Unique Local Addressing
      • 3.2.3. IPv6 Global Aggregatable Addressing
      • 3.2.4. IPv6 EUI-64 Addressing
      • 3.2.5. IPv6 Auto-Configuration / SLAAC
      • 3.2.6. IPv6 Global Prefix
      • 3.2.7. IPv6 Redistribution
      • 3.2.8. IPv6 Filtering
      • 3.2.9. IPv6 NAT-PT
      • 3.2.10. IPv6 MP-BGP
      • 3.2.11. IPv6 Tunneling *
      • 3.2.12. Automatic 6to4 Tunneling*
      • 3.2.13. ISATAP Tunneling *
    • 3.3. Common Dynamic Routing Features
      • 3.3.1. Distance Vector vs. Link State vs. Path Vector routing protocols
      • 3.3.2. Passive Interfaces
      • 3.3.3. Routing Protocol Authentication
      • 3.3.4. Route Filtering
      • 3.3.5. Auto Summarization
      • 3.3.6. Manual Summarization
      • 3.3.7. Route Redistribution
        • Prefix Filtering with Route Tagging
        • Prefix Filtering with Manual Lists
        • Prefix Filtering with Administrative Distance
        • Administrative Distance Based Loops
        • Metric Based Loops
    • 3.4. RIP
      • 3.4.1. RIPv2
        • Initialization
          • Enabling RIPv2
          • RIP Send and Receive Versions
          • Split Horizon
          • RIPv2 Unicast Updates
          • RIPv2 Broadcast Updates
          • RIPv2 Source Validation
        • Path Selection
          • Offset List
        • Summarization
          • Auto-Summary
          • Manual Summarization
        • Authentication
          • Clear Text
          • MD5
        • Convergence Optimization & Scalability
          • RIPv2 Convergence Timers
          • RIPv2 Triggered Updates
        • Filtering
          • Filtering with Passive Interface
          • Filtering with Prefix-Lists
          • Filtering with Standard Access-Lists
          • Filtering with Extended Access-Lists
          • Filtering with Offset Lists
          • Filtering with Administrative Distance
          • Filtering with Per Neighbor AD
        • Default Routing
          • RIPv2 Default Routing
          • RIPv2 Conditional Default Routing
          • RIPv2 Reliable Conditional Default Routing
      • 3.4.2. RIPng *
        • RIPng Overview *
    • 3.5. EIGRP
      • 3.5.1. Initialization
        • Network Statement
        • Multicast vs. Unicast Updates
        • EIGRP Named Mode
        • EIGRP Multi AF Mode
        • EIGRP Split Horizon
        • EIGRP Next-Hop Processing
      • 3.5.2. Path Selection
        • Feasibility Condition
        • Modifying EIGRP Vector Attributes
        • Classic Metric
        • Wide Metric
        • Metric Weights
        • Equal Cost Load Balancing
        • Unequal Cost Load Balancing
        • EIGRP Add-Path
      • 3.5.3. Summarization
        • Auto-Summary
        • Manual Summarization
        • Summarization with Default Routing
        • Summarization with Leak Map
        • Summary Metric
      • 3.5.4. Authentication
        • MD5
        • HMAC SHA2-256bit
        • Automatic key rollover
      • 3.5.5. Convergence Optimization & Scalability
        • EIGRP Convergence Timers
        • EIGRP Query Scoping with Summarization
        • EIGRP Query Scoping with Stub Routing
        • Stub Routing with Leak Map
        • Bandwidth Pacing
        • IP FRR
        • Graceful Restart & NSF
      • 3.5.6. Filtering
        • Filtering with Passive Interface
        • Filtering with Prefix-Lists
        • Filtering with Standard Access-Lists
        • Filtering with Extended Access-Lists
        • Filtering with Offset Lists
        • Filtering with Administrative Distance
        • Filtering with Per Neighbor AD
        • Filtering with Route Maps
        • Per Neighbor Prefix Limit
        • Redistribution Prefix Limit
      • 3.5.7. Miscellaneous EIGRP
        • EIGRP Default Network
        • EIGRP Default Metric
        • EIGRP Neighbor Logging
        • EIGRP Router-ID
        • EIGRP Maximum Hops
        • no next-hop-self no-ecmp-mode
        • EIGRP Route Tag Enhancements
      • 3.5.8. EIGRPv6
        • Enabling EIGRPv6
        • EIGRPv6 Split Horizon
        • EIGRPv6 Next-Hop Processing
        • EIGRPv6 Authentication
        • EIGRPv6 Metric Manipulation
        • EIGRPv6 Default Routing
        • EIGRPv6 Summarization
        • EIGRPv6 Prefix Filtering
        • EIGRPv6 Stub Routing
        • EIGRPv6 Link Bandwidth
        • EIGRPv6 Timers
        • EIGRP IPv6 VRF Lite
        • EIGRP Over The Top
    • 3.6. OSPF
      • 3.6.1. Initialization
        • Network Statement
        • Interface Statement
      • 3.6.2. Network Types
        • Broadcast
        • Non-Broadcast
        • OSPF DR/BDR Election Manipulation
        • Point-to-Point
        • Point-to-Multipoint
        • Point-to-Multipoint Non-Broadcast
        • Loopback
        • LSA Types
        • OSPF Next-Hop Processing
        • Unicast vs. Multicast Hellos
      • 3.6.3. Path Selection
        • Auto-Cost
        • Cost
        • Bandwidth
        • Per-Neighbor Cost
        • Non-Backbone Transit Areas
        • Virtual-Links
      • 3.6.4. Authentication
        • Area
        • Interface level
        • Clear Text
        • MD5
        • Null
        • MD5 with Multiple Keys
        • SHA1-196
        • Virtual link
      • 3.6.5. Summarization
        • Internal Summarization
        • External Summarization
        • Path Selection with Summarization
        • Summarization and Discard Routes
      • 3.6.6. Stub Areas
        • Stub Areas
        • Totally Stubby Areas
        • Not-So-Stubby Areas
        • Not-So-Stubby Areas and Default Routing
        • Not-So-Totally-Stubby Areas
        • Stub Areas with Multiple Exit Points
        • NSSA Type-7 to Type-5 Translator Election
        • NSSA Redistribution Filtering
      • 3.6.7. Filtering
        • Filtering with Distribute-Lists
        • Filtering with Administrative Distance
        • Filtering with Route-Maps
        • Filtering with Summarization
        • LSA Type-3 Filtering
        • Forwarding Address Suppression
        • NSSA ABR External Prefix Filtering
        • Database Filtering
      • 3.6.8. Default Routing
        • Default Routing
        • Conditional Default Routing
        • Reliable Conditional Default Routing
        • Default Cost
      • 3.6.9. Convergence Optimization & Scalability
        • Interface Timers
        • Fast Hellos
        • LSA & SPF Throttling
        • LSA & SPF Pacing
        • Single Hop LFA / IP FRR
        • Multihop LFA
        • Stub Router Advertisement
        • Demand Circuit
        • Flooding Reduction
        • Transit Prefix Filtering
        • Resource Limiting
        • Graceful Restart & NSF
        • Incremental SPF
      • 3.6.10. Miscellaneous OSPF Features
      • 3.6.11. OSPFv3
        • LSA Types
        • OSPFv3
        • OSPFv3 Network Types
        • OSPFv3 Prefix Suppression
        • OSPFv3 Virtual Links
        • OSPFv3 Summarization
        • OSPFv3 IPsec Authentication
        • OSPFv3 Multi AF Mode
        • TTL Security
    • 3.7. BGP
      • 3.7.1. Establishing Peerings
        • iBGP Peerings
        • EBGP Peerings
        • Update Source Modification
        • Multihop EBGP Peerings
        • Neighbor Disable-Connected-Check
        • Authentication
        • TTL Security
        • BGP Peer Groups
        • 4 Byte ASNs
        • Active vs. Passive Peers
        • Path MTU Discovery
        • Multi Session TCP Transport per AF
        • Dynamic BGP Peering
      • 3.7.2. iBGP Scaling
        • Route Reflectors
        • Route Reflector Clusters
        • Confederations
      • 3.7.3. BGP Next Hop Processing
        • Next-Hop-Self
        • Manual Next-Hop Modification
        • Third Party Next Hop
        • Next Hop Tracking
        • Conditional Next Hop Tracking
        • BGP Next-Hop Trigger Delay
      • 3.7.4. BGP NLRI Origination
        • Network Statement
        • Redistribution
        • BGP Redistribute Internal
        • Conditional Advertisement
        • Conditional Route Injection
      • 3.7.5. BGP Bestpath Selection
        • Weight
        • Local Preference
        • AS-Path Prepending
        • Origin
        • MED
        • Always Compare MED
        • Deterministic MED
        • AS-Path Ignore
        • Router-IDs
        • DMZ Link Bandwidth
        • Maximum AS Limit
        • Multipath
      • 3.7.6. BGP Aggregation
        • BGP Auto-Summary
        • Aggregation
        • Summary Only
        • Suppress Map
        • Unsuppress Map
        • AS-Set
        • Attribute-Map
        • Advertise Map
      • 3.7.7. BGP Communities
        • Standard
        • Extended
        • No-Advertise
        • No-Export
        • Local-AS
        • Deleting
      • 3.7.8. Filtering
        • Prefix-Lists
        • Standard Access-Lists Task
        • Extended Access-Lists
        • Maximum Prefix
        • BGP Regular Expressions
        • Outbound Route Filtering (ORF)
        • Soft Reconfiguration Inbound
      • 3.7.9. AS-Path Manipulation
        • Local AS
        • Local AS Replace-AS/Dual-AS
        • Remove Private AS
        • Allow AS In
        • AS Override
      • 3.7.10. BGP Convergence Optimization
        • BGP Timers Tuning
        • BGP Fast Fallover
        • BGP Prefix Independent Convergence (PIC)
        • BGP Dampening
        • BGP Dampening with Route-Map
        • BGP Add Path
      • 3.7.11. BGP Default Routing
      • 3.7.12. IPv6 BGP
      • 3.7.13. Misc BGP
        • iBGP Synchronization
        • BGP over GRE
        • BGP Backdoor
    • 3.8. Route Redistribution
      • 3.8.1. Metric Based Loops
      • 3.8.2. Administrative Distance Based Loops
      • 3.8.3. Route Tag Filtering
      • 3.8.4. IP Route Profile
      • 3.8.5. Debug IP Routing
    • 3.9. Miscellaneous Routing Features
    • 3.10. IS-IS *
  • 4. VPN
    • 4.1. MPLS
      • 4.1.1. VRF Lite
      • 4.1.2. MPLS LDP
      • 4.1.3. MPLS Ping
      • 4.1.4. MPLS Traceroute
      • 4.1.5. MPLS Label Filtering
      • 4.1.6. MP-BGP VPNv4
      • 4.1.7. MP-BGP Prefix Filtering
      • 4.1.8. PE-CE Routing with RIP
      • 4.1.9. PE-CE Routing with OSPF
      • 4.1.10. OSPF Sham-Link
      • 4.1.11. PE-CE Routing with EIGRP
      • 4.1.12. EIGRP Site-of-Origin
      • 4.1.13. PE-CE Routing with BGP
      • 4.1.14. BGP SoO Attribute
      • 4.1.15. Internet Access
      • 4.1.16. Route Leaking
      • 4.1.17. MPLS VPN Performance Tuning
      • 4.1.18. AToM *
      • 4.1.19. L2TPV3 *
      • 4.1.20. VPLS *
    • 4.2. IPsec LAN-to-LAN
      • 4.2.1. ISAKMP Policies
      • 4.2.2. PSK Authentication
      • 4.2.3. Static Crypto Maps
      • 4.2.4. IPsec over GRE
      • 4.2.5. Static VTI
      • 4.2.6. GETVPN *
    • 4.3. DMVPN
      • 4.3.1. Single Hub
      • 4.3.2. NHRP
      • 4.3.3. DMVPN Phase 1, 2, & 3
      • 4.3.4. QoS Profiles
      • 4.3.5. QoS Pre-Classify
  • 5. Multicast
    • 5.1. Layer 2 Multicast
      • 5.1.1. IGMPv1, IGMPv2, IGMPv3
      • 5.1.2. IGMP Snooping
      • 5.1.3. IGMP Querier Election
      • 5.1.4. IGMP Filtering
      • 5.1.5. IGMP Proxy
      • 5.1.6. IGMP Timers
      • 5.1.7. Multicast VLAN Registration
      • 5.1.8. IGMP Profiles
    • 5.2. IPv4 Multicast Routing
      • 5.2.1. PIM Dense Mode
      • 5.2.2. PIM Sparse Mode
      • 5.2.3. PIM Sparse Dense Mode
      • 5.2.4. Static RP
      • 5.2.5. Auto-RP
        • Auto-RP
        • Sparse Dense Mode
        • Auto-RP Listener
        • Multiple Candidate RPs
        • Filtering Candidate RPs
        • RP & MA placement problems
      • 5.2.6. Bootstrap Router
        • BSR
        • Multiple RP Candidates
        • Multiple BSR Candidates
      • 5.2.7. Source Specific Multicast
      • 5.2.8. Bidirectional PIM
      • 5.2.9. Group to RP Mapping
      • 5.2.10. Anycast RP
      • 5.2.11. MSDP
      • 5.2.12. MSDP SA Filtering
      • 5.2.13. Multicast TTL Scoping
      • 5.2.14. Auto-RP & BSR Boundary Filtering
      • 5.2.15. PIM Accept Register Filtering
      • 5.2.16. PIM Accept RP Filtering
      • 5.2.17. RPF Failure
      • 5.2.18. Registration Failure
      • 5.2.19. PIM DR Election
      • 5.2.20. PIM DF Election
      • 5.2.21. PIM Assert
      • 5.2.22. Static Multicast Routes
      • 5.2.23. Multicast BGP
      • 5.2.24. PIM NBMA Mode
      • 5.2.25. Multicast over GRE
      • 5.2.26. Stub Multicast Routing
      • 5.2.27. Multicast Helper Map
      • 5.2.28. Multicast Rate Limiting
      • 5.2.29. Multicast BGP
    • 5.3. IPv6 Multicast Routing *
      • 5.3.1. IPv6 PIM and MLD *
      • 5.3.2. IPv6 PIM BSR *
      • 5.3.3. IPv6 Embedded RP *
      • 5.3.4. IPv6 SSM *
  • 6. QoS
    • 6.1. Hold-Queue and Tx-Ring
    • 6.2. Weighted Fair Queuing (WFQ)
    • 6.3. Selective Packet Discard
    • 6.4. Payload Compression on Serial Links
    • 6.5. Generic TCP/UDP Header Compression
    • 6.6. MLP Link Fragmentation and Interleaving
    • 6.7. MQC Classification and Marking
    • 6.8. MQC Bandwidth Reservations and CBWFQ
    • 6.9. MQC Bandwidth Percent
    • 6.10. MQC LLQ and Remaining Bandwidth Reservations
    • 6.11. MQC WRED
    • 6.12. MQC Dynamic Flows and WRED
    • 6.13. MQC WRED with ECN
    • 6.14. MQC Class-Based Generic Traffic Shaping
    • 6.15. MQC Class-Based GTS and CBWFQ
    • 6.16. MQC Single-Rate Three-Color Policer
    • 6.17. MQC Hierarchical Policers
    • 6.18. MQC Two-Rate Three-Color Policer
    • 6.19. MQC Peak Shaping
    • 6.20. MQC Percent-Based Policing
    • 6.21. MQC Header Compression
    • 6.22. Voice Adaptive Traffic Shaping
    • 6.23. Voice Adaptive Fragmentation
    • 6.24. Advanced HTTP Classification with NBAR
    • 6.22. Layer 2 QoS *
  • 7. Security
    • 7.1. Layer 2 Security
      • 7.1.1. Port Protection
      • 7.1.2. Private VLANs
      • 7.1.3. Port Based ACLs
      • 7.1.4. VLAN ACLs for IP Traffic
      • 7.1.5. VLAN ACLs for Non-IP Traffic
      • 7.1.6. Storm Control
      • 7.1.7. Port Security
      • 7.1.8. HSRP and Port-Security
      • 7.1.9. ErrDisable Recovery
      • 7.1.10. DHCP Snooping
      • 7.1.11. DHCP Snooping and the Information Option
      • 7.1.12. Dynamic ARP Inspection
      • 7.1.13. IP Source Guard
      • 7.1.14. 802.1x *
    • 7.2. Management Plane Security
      • 7.2.1. AAA Authentication Lists
      • 7.2.2. AAA Exec Authorization
      • 7.2.3. AAA Local Command Authorization
      • 7.2.4. Controlling Terminal Line Access
      • 7.2.5. IOS Login Enhancements
      • 7.2.6. IOS Resilient Configuration
      • 7.2.7. Role-Based CLI
      • 7.2.8. AAA with TACACS+ and RADIUS *
    • 7.3. Control Plane Security
      • 7.3.1. Controlling the ICMP Messages Rate
      • 7.3.2. Control Plane Policing
      • 7.3.3. Control Plane Protection (CPPr)
      • 7.3.4. Control Plane Host
    • 7.4. Data Plane Security
      • 7.4.1. Traffic Filtering Using Standard Access-Lists
      • 7.4.2. Traffic Filtering Using Extended Access-Lists
      • 7.4.3. Traffic Filtering Using Reflexive Access-Lists
      • 7.4.4. IPv6 Traffic Filter
      • 7.4.5. Filtering Fragmented Packets
      • 7.4.6. Filtering Packets with Dynamic Access-Lists
      • 7.4.7. Filtering Traffic with Time-Based Access Lists
      • 7.4.8. Traffic Filtering with Policy-Based Routing
      • 7.4.9. Preventing Packet Spoofing with uRPF
      • 7.4.10. Using NBAR for Content-Based Filtering
      • 7.4.11. TCP Intercept
      • 7.4.12. TCP Intercept Watch Mode
      • 7.4.13. Packet Logging with Access-Lists
      • 7.4.14. IP Source Tracker
      • 7.4.15. Router IP Traffic Export (RITE)
      • 7.4.16. IOS ACL Selective IP Option Drop
      • 7.4.17. Flexible Packet Matching
      • 7.4.18. IPv6 First Hop Security
        • RA guard
        • DHCP guard
        • Binding table
        • Device tracking
        • ND inspection/snooping
        • Source guard
        • PACL
  • 8. System Management
    • 8.1. Device Management
      • 8.1.1. Console
      • 8.1.2. Telnet
        • Telnet Service Options
      • 8.1.3. SSH
      • 8.1.4. Terminal Line Settings
      • 8.1.5. HTTP Server and Client
      • 8.1.6. FTP Server and Client
      • 8.1.7. TFTP Server and Client
      • 8.1.8. SNMP
        • SNMPv2 Server
        • SNMPv2c Access Control
        • SNMP Traps and Informs
        • CPU and Memory Thresholds
        • SNMPv3
        • SNMP MAC Address Notifications
        • SNMP Notifications of Syslog Messages
    • 8.2. Logging
      • 8.2.1. System Message Logging
      • 8.2.2. Syslog Logging
      • 8.2.3. Logging Counting and Timestamps
      • 8.2.4. Logging to Flash Memory
      • 8.2.5. Configuration Change Notification and Logging
      • 8.2.6. Configuration Archive and Rollback
      • 8.2.7. Logging with Access-Lists
    • 8.3. NTP
      • 8.3.1. NTP
      • 8.3.2. NTP Authentication
      • 8.3.3. NTP Access Control
      • 8.3.4. NTP Version 3 & 4
    • 8.4. EEM
      • 8.4.1. KRON Command Schedule
      • 8.4.2. EEM Scripting: Interface Events
      • 8.4.3. EEM Scripting: Syslog Events
      • 8.4.4. EEM Scripting: CLI Events
      • 8.4.5. EEM Scripting: Periodic Scheduling
      • 8.4.6. EEM Scripting: Advanced Features
      • 8.4.7. EEM Applets
    • 8.5. Miscellaneous System Management
      • 8.5.1. Auto-Install over LAN Interfaces using DHCP
      • 8.5.2. Auto-Install over LAN Interfaces Using RARP
      • 8.5.3. IOS Menus
      • 8.5.4. IOS Banners
      • 8.5.5. Exec Aliases
      • 8.5.6. TCP Keepalives
      • 8.5.7. Generating Exception Core Dumps
      • 8.5.8. Conditional Debugging
      • 8.5.9. Tuning Packet Buffers
      • 8.5.10. CDP
      • 8.5.11. Remote Shell
  • 9. Network Services
    • 9.1. Object Tracking
      • 9.1.1. IP SLA
      • 9.1.2. Enhanced Object Tracking
      • 9.1.3. Tracking Lists
    • 9.2. First Hop Redundancy Protocols
      • 9.2.1. HSRP
      • 9.2.2. VRRP
      • 9.2.3. GLBP
      • 9.2.4. Router Redundancy and Object Tracking
      • 9.2.5. IPv6 RS & RA Redundancy
    • 9.3. DHCP
      • 9.3.1. DHCP Server
      • 9.3.2. DHCP Client
      • 9.3.3. DHCP Relay
      • 9.3.4. DHCP Host Pools
      • 9.3.5. DHCP On-Demand Pool
      • 9.3.6. DHCP Proxy
      • 9.3.7. DHCP Information Option
      • 9.3.8. DHCP Authorized ARP
      • 9.3.9. SLAAC/DHCPv6 interaction
      • 9.3.10. Stateful & Stateless DHCPv6
      • 9.3.11. DHCPv6 prefix delegation
    • 9.4. DNS
      • 9.4.1. IOS Authoritative DNS Server
      • 9.4.2. IOS Caching DNS Server
      • 9.4.3. IOS DNS Spoofing
    • 9.5. NAT
      • 9.5.1. Basic NAT
      • 9.5.2. NAT Overload
      • 9.5.3. NAT with Route Maps
      • 9.5.4. Static NAT
      • 9.5.5. Static PAT
      • 9.5.6. Static NAT and IP Aliasing
      • 9.5.7. Static Policy NAT
      • 9.5.8. NAT with Overlapping Subnets
      • 9.5.9. TCP Load Distribution with NAT
      • 9.5.10. Stateful NAT with HSRP
      • 9.5.11. Stateful NAT with Primary/Backup
      • 9.5.12. NAT Virtual Interface
      • 9.5.13. NAT Default Interface
      • 9.5.14. Reversible NAT
      • 9.5.15. Static Extendable NAT
      • 9.5.16. NAT ALG
    • 9.6. Traffic Accounting
      • 9.6.1. IP Precedence Accounting
      • 9.6.2. IP Output Packet Accounting
      • 9.6.3. IP Access Violation Accounting
      • 9.6.4. MAC Address Accounting
    • 9.7. NetFlow
      • 9.7.1. Netflow v5 & v9
      • 9.7.2. Netflow Ingress and Egress
      • 9.7.3. Netflow Top Talkers
      • 9.7.4. Netflow Aggregation Cache
      • 9.7.5. Netflow Random Sampling
      • 9.7.6. Netflow Input Filters
      • 9.7.7. Netflow Export
    • 9.8. Miscellaneous Network Services
      • 9.8.1. Proxy ARP
      • 9.8.2. IRDP
      • 9.8.3. Router ICMP Settings
        • TCP Optimization
      • 9.8.4. IOS Small Services and Finger
      • 9.8.5. Directed Broadcasts and UDP Forwarding
      • 9.8.6. NBAR Protocol Discovery
      • 9.8.7. IP Event Dampening
      • 9.8.8. Conditional Debugging
      • 9.8.9. Embedded Packet Capture
      • 9.8.10. Interpreting Packet Captures

After the huge popularity of our CCIE 3.X Expanded Blueprint here on the blog, I am going to put extra effort in the next two weeks for the new CCIE 4.X R&S Expanded Blueprint. Adding links for Core Knowledge (Tier 1) study should help in that section, as well as Configuration and Troubleshooting. I hope you enjoy and thanks as always for choosing INE.


In preparation for the upcoming CCIE R&S v4.0 Blueprint, new topics are being added to the CCIE R&S Open Lecture Series.  For those of you that have been unable to attend the live sessions, Class-on-Demand recordings are now available for MPLS and Zone Based Policy Firewall.  Currently there are 4 sessions on MPLS, totalling about 5 hours of class, that cover theory, implementation, and verification.  Zone Based Policy Firewall has been added from today's session, and covers the evolution from standard/extended ACLs to Reflexive ACLs to CBAC to Zone Based Policy Firewall.

If you have any topics that you would like to see covered in upcoming sessions please email me at bmcgahan@ine.com with the subject "Open Lecture Topic Request".

Happy Labbing!


Probably one of the most difficult parts of the updated CCIE R&S exam will be the Troubleshooting section (you may check our recent poll to confirm that). So far, not much is known about this one. It has been announced that a separate topology will be used for this part of the exam, and the candidate will be required to obtain 80% of the total section score to pass it successfully. The exact number of points allocated to this section is not known, but there should be around 10 “incidents” or “trouble tickets” covered.

Feeling that this section will be the most difficult for CCIE candidates, we started working on the new VOL4 part of our renowned IEWB-RS workbook. In this new product, called "Advanced Troubleshooting Labs", we present you with ten scenarios, each consisting of ten trouble tickets. This amount should be approximately equal to the number of troubleshooting tasks you will encounter in the actual exam. The topology used for every scenario is the same one that we use for all our RS products, including VOL1 (technology-focused labs), VOL2 (full-scale mock lab scenarios) and VOL3 (core technologies scenarios). You may already order the new product at an introductory price and start practicing! New scenarios are to be added to VOL4 on a regular basis (the target rate is one to two new labs per week), so you should be fully covered by the time the blueprint changes.

Our ultimate goal is not only to prepare you for passing the Troubleshooting section of the CCIE R&S lab exam, but also to teach you a structured troubleshooting approach. As opposed to simply guessing and peeking at the routers' running configurations, you should learn to use the debugging commands and to interpret the output of various show commands. For every ticket, we are going to follow the same structured procedure to resolve the issue and provide an in-depth illustration of the process.

You may find more information and sample material by following the Free Sample PDF Link at the product’s page IEWB-RS VOL4.

Good luck with your studies!


Hi everyone!

We are excited to announce our newest release of IEWB-VO VOL1 labs covering the new CCIE Voice blueprint, which becomes effective as of July this year. The first of the CCIE Voice v3.0 labs are now out in beta format, in addition to new Voice Racks available to rent covering the new topology! All current customers who have purchased IEWB-VO VOL1 will automatically receive the new updates in their members account at no additional cost. Each section of the new VOL1 includes technology-focused labs with explanations, verifications, further reading links, and dedicated troubleshooting sections.

The initial release covers Cisco Unified Communications Manager Express (CUCME, formerly known as Call Manager Express or CME). We will continue releasing new voice content covering all new blueprint topics, with a new section being released each week. The next release will include more CUCME labs, as well as Unity Express tasks, followed by the first of the new Unified Communications Manager Labs! The initial VOL1 release covers the following topics:

CUCME Basic Configuration
Phone Registration & Number Assignment (SCCP Phones)
SIP Phones
IOS Call Routing
Voice Translation Rules
Shared Line
Night Service
After-Hours Setup
Single Number Reach
Softkey Customization - SCCP
Softkey Customization - SIP
Conference Resources
Transcoding Resources
Voice Hunt Groups
Ephone Hunt groups
Dynamic Hunt groups

The new voice racks are fully compliant with the CCIE Voice hardware specification posted at Cisco’s website: CCIE Voice Hardware Specification. To many folks out there, the new hardware list is a huge relief, as many old and expensive devices, including the 6500 switch and the VG248, are now gone. Plus, the addition of SIP phones allows for a more flexible choice of softphone software, not limited to the small set of SCCP-compatible products available on the market.

As for the people preparing using the old blueprint, our rack rentals support the old CCIE Voice hardware specification as well. Nothing will change until the last days the old blueprint remains valid.

Thank you, and be sure to check back often for more updates!


One of the biggest challenges for CCNA students (not to mention other Certification levels) is mastering Spanning Tree Protocol (STP). And the bad news for students is the fact that you no longer must master one version, but three versions of this critical protocol. Here is a quick review of the Spanning Tree Versions you want to be well-versed in for the CCNA, and beyond.


Classic Spanning Tree Protocol possesses a standard designation of 802.1D. You need to memorize these standard identifiers. For classic STP, just think Dog-gone Slow. The convergence delays the classic version can present are unacceptable for modern LAN uses, like the transmission of Voice and Video traffic. There is plenty of excellent documentation about Classic Spanning Tree Protocol out there, and that is really beneficial since most environments are still using this approach (as of the time of this writing of course). We need to study 802.1D very carefully and with intensity. This protocol prevents Layer 2 loops, and its operation is still at the heart of the enhanced versions.


Cisco addressed the Dog-gone slowness of 802.1D by introducing proprietary enhancements to the protocol. Specifically, Cisco introduced PortFast, BackboneFast, and UplinkFast. These did a great job of improving the protocol, and were all incorporated into the enhanced version that addressed speed issues head on - Rapid Spanning Tree Protocol (RSTP). RSTP is known by 802.1w. To memorize this, just think of the classic American cartoon character - Elmer Fudd. He would call RSTP - Wapid Spanning Tree.


Excellent! RSTP addressed the concerns of convergence delays in Classic Spanning Tree Protocol. But what about the number of Spanning Tree topologies we must have in a network? Common STP (CST) has one for all VLANs, and this is certainly not flexible enough. Per VLAN STP (PVST) features a topology for every single VLAN, and this is certainly overkill. Multiple Spanning Tree Protocol (MSTP) comes to the rescue. It is known as 802.1s and it allows you to configure EXACTLY the number of topologies that you need, and map the specific VLANs you want to each topology.

If you are interested in more information on any of the technologies, be sure to start by searching this blog site on Google. For example, go to Google and issue the following search:

site:blog.internetworkexpert.com 802.1s


Welcome to the 4.X Expanded Study Blueprint - it is a constant work in progress - feel free to comment!

LAST UPDATED:  Feb 1, 2011; Added PPP AAA Authentication

1.00    Implement Layer 2 Technologies

1.10    Implement Spanning Tree Protocol (STP)

(a) 802.1d

(b) 802.1w

(c) 802.1s

(d) Loop guard

(e) Root guard

(f) Bridge protocol data unit (BPDU) guard

(g) Storm control

(h) Unicast flooding

(i) Port roles, failure propagation, and loop guard operation

(j) STP manipulation through timers

(k) PortFast, UplinkFast, BackboneFast

(l) BPDUFilter

(m) Root Bridge Placement

(n) STP Port Cost and Port Priority

(o) UDLD

1.20    Implement VLAN, Network Management and VLAN Trunking Protocol (VTP)

(a) No VTP (TRANS)

(b) Pruning

(c) Bridging - Transparent, IRB, CRB

(d) VTP Authentication

(e) VTP Versions

(f) Regular Macros

(g) Smart Macros

(h) SNMP

(i) Telnet and Telnet Controls

(j) SSH

(k) Banners

(l) Switch Virtual Interfaces (SVIs)

(m) 3560s and VoIP Phone Support

(n) SDM

1.30    Implement trunk and trunk protocols, EtherChannel, and load-balance

(a) Static Config (No DTP)

(b) Allowed VLAN

(c) Router on a Stick

(d) Native VLAN

(e) ISL

(f) 802.1Q

(g) Manual EtherChannel

(h) PaGP

(i) LACP

(j) Load Balancing Manipulation in EtherChannel

(k) QinQ Tunneling

1.40    Implement Ethernet technologies

(a) Speed and duplex

(b) Ethernet, Fast Ethernet, and Gigabit Ethernet

(c) PPP over Ethernet (PPPoE)

1.50    Implement Switched Port Analyzer (SPAN), Remote Switched Port Analyzer (RSPAN), and flow control

(a) SPAN and RSPAN

(b) Flow Control (DOC-CD)

(c) Flow Control (Blog)

1.60   Implement Frame Relay

(a) Local Management Interface (LMI)

(b) Traffic shaping

(c) Topologies

(e) Discard eligible (DE)

(f) Static versus Dynamic L2 to L3 Resolution

(g) Frame-Relay Interface-DLCI

(h) Broadcast Queue

(i) Frame End to End Keepalives

(j) Load Interval

(k) PING Local Interface

(l) Multilink Frame Relay

(m) PPP over Frame-Relay

(n) Dynamic Mappings to

(o) Troubleshooting Hub and Spoke

(p) Frame Relay Switch Configuration

(q) Subinterfaces

1.70    Implement High-Level Data Link Control (HDLC) and PPP

(a) Clock Rate

(b) CHAP

(c) PAP

(d) PPP AAA Authentication

(e) Peer Neighbor Route

(f) Link Quality Monitoring

(g) PPP Reliable Transmission

(h) PPP Half Bridging

(i) MLP

(j) PPP Encryption MPPE

2.00    Implement IPv4

2.10    Implement IP version 4 (IPv4) addressing, subnetting, and variable-length subnet masking (VLSM)

(a) Calculating the Optimum Summary Address

(b) Binary Math Manipulation

(1) Matching multiple networks with a single access list line

(2) Matching odd or even subnets with a single access list line

(c) IP Unnumbered

(d) /31 Mask

2.20    Implement IPv4 tunneling and Generic Routing Encapsulation (GRE)

(a) Recursive Routing Issue

(b) GRE Tunnel Keepalives

2.30    Implement IPv4 RIP version 2 (RIPv2)

(a) Authentication

(b) Offset List

(c) Distribute List

(1) Gateway Option

(d) Timer Manipulation

(e) Disabling Validation of Source IP Addresses

(f) Split Horizon and Secondary IP Addresses

(g) Summarization

(h) Default Information Originate

(i) Unicast Routing Updates

(j) Passive Interface

(k) Triggered Updates on WAN link

2.40    Implement IPv4 Open Shortest Path First (OSPF)

(a) Standard OSPF areas

(b) Stub area

(c) Totally stubby area

(d)  Not-so-stubby-area (NSSA)

(e) Totally NSSA

(f) Link-state advertisement (LSA) types

(g) Adjacency on a point-to-point and on a multi-access network

(1) OSPF Network Types

(h) OSPF graceful restart

(i) Demand Circuit

(j) Authentication - methods of configuration and authentication types

(k) Summarization

(l) Area Transit Capabilities

(m) Inbound Route Filtering

(n) Auto Cost Reference Bandwidth

(o) Unicasting Hello Packets

(p) Cost Manipulation

(1) ip ospf cost

(2) Bandwidth Manipulation

(3) SPF Throttling

(4) Incremental SPF

(5) LSA Throttling

(6) LSA Overhead Protection

(q) Loopback Advertising (Natural Mask)

(1) Network Type (P2P)

(2) Area Range

(3) Redistribution

(r) Timer Manipulation

(s) OSPF ABR Type 3 LSA Filtering

(t) Forwarding Address Suppression in Translated Type-5 LSAs

(u) Router ID

2.50    Implement IPv4 Enhanced Interior Gateway Routing Protocol (EIGRP)

(a) Best path

(b) Loop-free paths

(c) EIGRP operations when alternate loop-free paths are available, and when they are not available

(d) EIGRP queries

(e) Manual summarization and autosummarization

(f) EIGRP stubs

(g) Authentication

(h) Composite Metric Manipulation

(i) Applying Offsets to Metrics

(j) Adjusting Timers

(k) Unicasting updates

(l) Use of the in the network command

(m) Manipulate the Bandwidth used by EIGRP

(n) Distribute lists

(o) Route Map Support

(p) SNMP Support

(q) EIGRP Prefix Limit

(r) Passive Interface

(s) NSF Awareness

(t) Router ID

2.60    Implement IPv4 Border Gateway Protocol (BGP)

(a) iBGP

(1) Synchronization

(2) Confederation

(3) Route-Reflection

(4) Non-BGP Speaker in Transit Path

(a) Tunnel

(b) Redistribute

(c) Static route

(d) Default route

(e) Policy route

(5) Peer Groups

(b) eBGP

(1) Multihop

(2) Next Hop Issues

(c) Filtering, redistribution, summarization, attributes and other advanced features

(1) Authentication

(2) Router ID

(3) Prefix Advertisement

(4) Automatic Summarization

(5) Manual Summarization including suppression techniques

(6) Maximum Prefix Limit

(7) Load Balancing

(8) Path Manipulation

(a) Local Pref

(b) MED


(d) Weight

(9) BGP Communities

(10) Regex Engine Performance Enhancement

(11) Hide Local AS

(12) Conditional Route Advertisement

(13) Remove Private AS

(14) AS PATH Filtering

(15) BGP Policy Accounting

(16) NSF Awareness

(17) Support for TTL Security Check

(18) Support for Fast Peering Session Deactivation

(19) Support for Next-Hop Address Tracking

(20) Outbound Route Filtering

2.70    Implement policy routing

(a) PBR Support for Multiple Tracking Options

(b) PBR Recursive Next Hop

2.80    Implement Performance Routing (PfR) and Cisco Optimized Edge Routing (OER)

(a) Profile Phase

(b) Measure Phase

(c) Apply Policy Phase

(d) Control Phase

(e) Verify Phase

2.90    Implement filtering, route redistribution, summarization, attributes, and other advanced features

(a) Administrative Distance Manipulation

(b) Redistribution

(1) Default Seed Metric

(2) Setting parameters with a Route Map

3.00 On Demand Routing (ODR)

3.00    Implement IPv6

3.10    Implement IP version 6 (IPv6) addressing and different addressing types

(a) Global Unicast

(b) Link Local

(c) Multicast

(d) Anycast

(e) Site Local

(f) Unique Local Address

3.20    Implement IPv6  neighbor discovery

(a) Router Discovery

(b) Prefix Discovery

(c) Parameter Discovery

(d) Address Autoconfiguration

3.30    Implement basic IPv6 functionality protocols

(a) ICMP version 6

3.40    Implement tunneling and transition techniques

(a) Manual

(b) GRE/IPV4

(c) 6to4


(e) NAT-PT

3.50    Implement OSPF version 3 (OSPFv3)

(a) Special Area Types

(b) Summarization

3.60    Implement EIGRP version 6 (EIGRPv6)

(a) Summarization

3.70    Implement filtering and route redistribution

3.80 Implement RIPng

4.00    Implement MPLS Layer 3 VPNs

4.10    Implement Multiprotocol Label Switching (MPLS)


(b) MPLS Label Filtering

4.20    Implement Layer 3 virtual private networks (VPNs) on provider edge (PE), provider (P), and customer edge (CE) routers

(a) PE-CE Routing with RIP

(b) PE-CE Routing with EIGRP

(c) PE-CE Routing with OSPF

(d) PE-CE Routing with BGP

(e) OSPF Sham Link

(f) EIGRP SOO and Cost Community


(h) BGP AS Override

(i) Internet Access

4.30    Implement virtual routing and forwarding (VRF) and Multi-VRF Customer Edge (VRF-Lite)

(a) VRF-Lite

(b) MP-BGP VPNv4

(c) MP-BGP Prefix Filtering

5.00    Implement IP Multicast

5.10    Implement Protocol Independent Multicast (PIM) sparse mode

(a) Source-based Trees

(b) Shared Trees

(c) Bidirectional PIM

5.20    Implement Multicast Source Discovery Protocol (MSDP)

(a) Authentication

(b) SA Message Limiting

(c) Timer Adjustments

(d) MSDP Compliance with IETF RFC 3618

(e) Filtering and TTL Thresholds

(f) Monitoring MSDP with SNMP

5.30    Implement interdomain multicast routing
5.40    Implement PIM Auto-Rendezvous Point (Auto-RP), unicast rendezvous point (RP), and bootstrap router (BSR)

(a) Auto-RP

(1) ip pim autorp listener

(2) Static mapping of Auto-RP groups

(3) PIM Sparse-Dense Mode

(4) IP Multicast Boundary

(b) Static RP Assignment

(c) BSR

(1) BSR Border Interface

5.50    Implement multicast tools, features, and source-specific multicast

(a) RPF

(b) RPF Check

(c) SSM

(d) Multicast Helper

(e) Multicast Rate Limiting

(f) Stub IP Multicast Routing

(g) sdr Listener Support

(h) Load Splitting Multicast Traffic

(i) Multicast Routing Monitor

(j) Multicast Heartbeat

(k) Anycast

5.60    Implement IPv6 multicast, PIM, and related multicast protocols, such as Multicast Listener Discovery (MLD)

(a) IPv6 Multicast Addressing

(b) MLD

6.00    Implement Network Security

6.01    Implement access lists

(a) Time-based Access Lists

(b) Log

(c) Log-input

(d) Block RFC 1918

(e) RFC 3330 Filtering

(f) VLAN Access Maps (VACLs)

(g) MAC Access Lists

6.02    Implement Zone Based Firewall

(a) Basic Configuration

(b) Parameter Maps

6.03    Implement Unicast Reverse Path Forwarding (uRPF)

(a) Access Lists with uRPF

6.04    Implement IP Source Guard
6.05    Implement AAA

(a) Client Side in IOS

6.06    Implement Control Plane Policing (CoPP)
6.07    Implement Cisco IOS Firewall
6.08    Implement Cisco IOS Intrusion Prevention System (IPS)

(a) Basic Configuration

6.09    Implement Secure Shell (SSH)
6.10    Implement 802.1x

(a) Reauthentication

(b) Quiet Period

(c) Host Mode

(d) Guest VLAN

(e) Accounting

6.11    Implement NAT
6.12    Implement routing protocol authentication (see earlier blueprint sections)
6.13    Implement device access control

(a) Privilege Levels

(b) Command Line Views

6.14    Implement security features

(a) Private VLANs

(b) IOS Resilient Configuration

(c) Image Verification

(d) IP Source Tracker

(e) IP Traffic Export

(f) Dynamic ARP Inspection


(h) Switchport Traffic Controls

(a) Storm Control

(b) Protected Ports

(c) Port Blocking

(d) Port Security

(i) Flexible Packet Matching

7.00    Implement Network Services

7.10    Implement Hot Standby Router Protocol (HSRP)
7.20    Implement Gateway Load Balancing Protocol (GLBP)
7.30    Implement Virtual Router Redundancy Protocol (VRRP)
7.40    Implement Network Time Protocol (NTP)
7.50    Implement DHCP
7.60    Implement Web Cache Communication Protocol (WCCP)
7.70   Implement DNS
7.80   Implement TCP Options

8.00    Implement Quality of Service (QoS)

8.10    Implement Modular QoS CLI (MQC)

(a) Network-Based Application Recognition (NBAR)

(b) Class-based weighted fair queuing (CBWFQ)

(c) low latency queuing (LLQ)

(d) Classification

(e) Policing

(f) Shaping

(g) Marking

(1) CoS

(2) DE

(3) Experimental Bits

(4) IP Precedence

(5) DSCP

(h) Weighted random early detection (WRED)

(i) Compression

(1) RTP Header Compression

(2) TCP Header Compression

(3) Class-Based Header Compression Methods

(j) Legacy QoS

(1) CQ

(2) PQ

(3) FRTS

(4) CAR

8.20    Implement Layer 2 QoS

(a) shaped round robin (SRR)

(b) policies

8.30    Implement link fragmentation and interleaving (LFI) for Frame Relay
8.40    Implement generic traffic shaping
8.50    Implement Resource Reservation Protocol (RSVP)
8.60    Implement Cisco AutoQoS

(a) Requirements

(b) VoIP

(c) AutoQoS for Enterprise

9.00    Troubleshoot a Network

9.10    Troubleshoot complex Layer 2 network issues
9.20    Troubleshoot complex Layer 3 network issues
9.30    Troubleshoot a network in response to application problems
9.40    Troubleshoot network services
9.50    Troubleshoot network security

10.00    Optimize the Network

10.01    Implement syslog and local logging
10.02    Implement IP Service Level Agreement SLA
10.03    Implement NetFlow
10.04    Implement SPAN, RSPAN, and router IP traffic export (RITE)

(a) SPAN


(c) Router IP Traffic Export

(1) Configure IP Traffic Export

(2) Configure IP Traffic Capture

(3) Filter with ACLs

(4) Filter with Sampling

(5) Capture Bidirectional Traffic

10.05    Implement Simple Network Management Protocol (SNMP)

(a) Version 2

(b) Version 3

10.06    Implement Cisco IOS Embedded Event Manager (EEM)
10.07    Implement Remote Monitoring (RMON)
10.08    Implement FTP
10.09    Implement TFTP
10.10    Implement TFTP server on router
10.11    Implement Secure Copy Protocol (SCP)
10.12    Implement HTTP and HTTPS
10.13    Implement Telnet

(a) Access-Class

(b) Session Limits

(c) Busy, Vacant, Refuse, and Custom Messaging

(d) Onscreen Message Suppression

(e) Hiding Telnet Addresses

(f) Login Enhancements

10.14  Enhanced Object Tracking
