As most candidates preparing for the CCIE hopefully know by now, a blueprint change is coming for the CCIE R&S Lab in October 2009, which includes the new addition of MPLS. Tomorrow I will be teaching a free vSeminar entitled Introduction to MPLS for CCIE R&S Candidates at 11am PDT (GMT -8). Anyone interested is welcome to attend. Registration information is available at If you are interested, but unable to attend, the session will be available in Class-on-Demand format shortly following its completion.

Class duration will be about two hours, and will focus on what will, and also importantly - what will not, be within the scope of MPLS topics for the new exam blueprint. Both theory and implementation will be covered. No previous knowledge of MPLS is required to attend.

Good luck in your continued preparation!


Hi, Everyone!

We are in the progress of upgrading our CCIE Security racks with the new software and hardware. Here are the specs that you can use to build your own rack. The rack consists of six routers, two switches, two ASA firewall appliances and one IPS sensor. The hardware models and their specs are outlined below:

R1-R5: 2611XM 32/128, IOS 12.4(15)T ADVANCED SECURITY
SW1-SW2: CAT3550, IOS 12.2(50)SEE
IPS: Cisco IPS 4235 or 4240, SW version 6.0(3)E1
ASA1-ASA2: Cisco ASA 5510, SW version 8.0
AAA/CA Server: Win 2k running CS ACS 4.0 and IPS Manager Express.
Test PC: Win XP workstation with ezVPN Client Installed.

You can find a more detailed topology description at IE's Security Hardware List

All the hardware cabling remains the same and the backbone routers did not change. If you compare this to our current hardware blueprint, you will see that only R6 needs to be replaced with an ISR router. Optionally, instead of 2811 you can use another ISR such as 1841 64/192 for R6. If you are using the Dynamips emulator for you virtual CCIE rack, you can use 3725 model for SSL VPN, for instance. Simply put, you just need any router that supports SSL VPN and other ADVANCED ENTERPRISE features. As for the GET VPN feature - even though Cisco FN does not list it as being supported by 2611XM routers, it is still present in the ADV. SECURITY feature set. Surprisingly enough, ADVANCED ENTERPRISE SERVICES image for 2611XM does not support the feature :)

Now for the IPS appliance: the latest software version for the IPS is 6.2 and it does not support older 4235 or 4215 IPS sensors (nor does version 6.1). Instead the blueprint suggests using the newer 4240 model. However, if you look at the release notes for IPS SW 6.2 and 6.1 you will note the following tow major new features:

a) IPS management via IPS Manager Express
b) IPv6 support

Other updates are minor, including some cosmetic changes such as health monitoring, customizable dashboards, uauthenticated NTP etc. Of course, you can still configure the IPS using IDM (IPS Device Manager) or the CLI and use IMX for appliance monitoring. As for IPv6, it is not the part of the current blueprint; plus the blueprint specifies IPS version 6.1 which does not support IPv6. Therefore, until they announced IPv6 as being testing in the CCIE Security blueprint, you may freely hang with the older IPS models and save on buying the more expensive 4240. Even better, the older 4215 appliance could be emulated on VMware! Note, that you will see the older 4235 models for some more time in our racks, but they are going to be gradually replaced with the newer 4240 models. The labs will still rely on the 6.0 code.

As for the switches - right now we use the 3550s in the racks, but those will be gradually replaced with 3560s. The CCIE hardware blueprint states the use of 3560 and 3750 switches in the lab. If you compare the 3560 model against 3550, you will see the following major differences: different QoS features, IPv6 support in the 3560 and no Private VLANs in the 3550 (even though the FN states they are supported there, sigh). Everything else is virtually the same. While QoS and IPv6 are not very important from the standpoint of the Security exam, Private VLANs are. However, if you look at the CCIE lab exam blueprint, you will see that Private VLANs are not listed there. Based on that, you can stick with the 3550s switches for 99% of the Security features tested in the CCIE lab.

Also, until April 20th you will see the PIX and the VPN3k appliances in our racks. So even if you are still pursuing the old-blueprint exam, you can use the rental racks, as most features are upwards compatible with the updated software. And get ready for the upcoming initial update of our IEWB-SC VOL1 next week – 50+ technology-focused scenarios for the ASA firewall appliance.

Good luck with your studies!


In this post we will give a brief overview of the upgrade path from CCIE Security v2.0 blueprint to v3.0. First off all, let’s start with the good news to everyone who was preparing using the old blueprint: most of things you have learned are incorporated smoothly in the new blueprint. Basically, the only thing to forget is your VPN3k configuration skills :) Everything else either remains the same or experiences an “incremental update”, like LAN-to-LAN VPNs with IPsec VTI interfaces. Let’s quickly review the changes made to the hardware and how they could potentially affect you.

  • Removal of the PIX and VPN3k devices, which is natural as both are EOL and EOS. Therefore, forget all about VPN3k menu system and enjoy the simpler topology without the PIX ;) However, to some people, getting a PIX is more affordable than getting an ASA. In this case, remember that the latest software release supported by the PIX is 8.0(4) (not the 8.1) and you cannot configure SSL VPN on PIX. Still, you can practice almost 90% of all the firewall features using the PIX.
  • Change from the Catalyst 3550 to 3560 models. From the security features standpoint, nothing has seriously changed. You can even continue using the older 3550 model, as they are probably cheaper to get nowadays.
  • The so much awaited upgrade from IOS 12.2T to IOS 12.4T. First of all, this might require a change in the hardware platforms you are using. If you were using non-ISR or non-2600XM routers, you will need to change the hardware platform to at least 2600XM with full flash/RAM memory (to run the Advanced Security feat. set) or the 1841 ISRs. Note that using Dynamips you can play with all 12.4T features without getting your hands around any real gear. Secondly, 12.4T introduces a ton of new features, as compared to the dusty 12.2T. However, it’s not that scary as it might look like. Most of the new security features relate to IOS PKI, some AAA enhancements, bunch of advanced VPN topics and infrastructure security. Probably, all the most notable features are VPN/Firewall related: IPsec VTI, WebVPN/SSL VPN support in IOS, DMVPN Phase3, GET VPN; Zone-Based and Transparent firewall, CBAC enhancements. Later in this document we will see those features detailed as the upgrade list of the new SC VOL1 labs.
  • ASA software upgrade from 7.x to 8.x. While is a major version jump, it does not imply the huger change in the CLI as it was with the upgrade from 6.x to 7.x. There is quite a bunch of new features in 8.x code (you will see the list later) but most of them are minor ones. Most likely you will enjoy things like Dynamic Access Policies, LDAP Authentication and Authorization, Secure Desktop Enhancements, EIGRP Support (who needs that?:), Transparent Firewall NAT and Traffic Shaping. However, if you are solid with the code version 7.x you wont face big problems mastering the new topics.
  • IPS software upgrade from 5.1 to 6.1 and the platform change to 4240. The catch here is that IPS v6.1 does not support many older IDS/IPS appliances, such as 4215 or 4235 and getting a 4240 might be expensive. However, there is some good news still. The CLI has not changed as much as it did with the 4.x to 5.1 upgrade, and all your 5.1 knowledge remains valid and up to date. The most notable new features are Virtual Sensors, Anomaly Detection, Threat Rating and the new IPS Manager Express. If you are OK with doing all your configurations via CLI, you can stick with IPS v6.0 which you could run on the older platforms (4215, 4235) as there are just minor differences between 6.0 and 6.1 (mostly related to IPS Manager Express). Probably the best news is that the old 4215 platform could be successfully emulated in VMware.

Now, let’s look at the v2.0 to v3.0 upgrade path that you can take with out products. Below is the list of the VOL1 technology labs. You can see the outdated topics being deleted and the new topics (which are being developed) highlighted. Naturally, many older labs remain perfectly valid for the new track, and you can continue practicing them while waiting for the upgrade being released. We also decided to keep the NAC labs, even though NAC is not on the current blueprint, mostly because it gives you a perfect scenario for advanced ACS configuration. Of course, if you own our current v2.0 products, you will receive the v3.0 updates free of charge.



VLANs and IP Addressing
Configuring and Authenticating RIP
Configuring and Authenticating OSPF
Configuring EIGRP Support
Redistribution, Summarization and Route Filtering


Common Configuration
Filtering with IP Access Lists
Using Object Groups
Administrative Access Management
ICMP Traffic Management
Configuring Filtering Services


Dynamic NAT and PAT
Static NAT and PAT
Dynamic Policy NAT
Static Policy NAT and PAT
Identity NAT and NAT Exemption
Outside Dynamic NAT
DNS Doctoring with Alias
DNS Doctoring with Static
Same Security Traffic and NAT
Transparent Firewall NAT


Firewall Contexts Configuration
Administrative Context and Resource Management
Active/Standby Stateful Failover with Failover Interface
Active Stateful Failover with Failover Interface
Monitoring Interfaces with Active/Active Failover
Filtering with L2 Transparent Firewall
ARP Inspection with Transparent Firewall
Filtering Non-IP Traffic with L2 Transparent FW
Handling Fragmented Traffic
Handling Some Application Issues
BGP Through the PIX/ASA Firewall
Multicast Routing across the PIX/ASA
System Monitoring
DHCP Server
Standby Interfaces
ASA Local CA
Cisco Secure Desktop
VLAN Support for RA VPN
Inspection for Web/SSL VPN Traffic
Enhanced Service Object Groups
Enhanced ASA protection (Threat Detection)
Persistent IPsec Tunneled Flows


HTTP Inspection with MPF
Advanced FTP Inspection
Advanced ESMTP Inspection
Authenticating BGP Session Through the Firewall
Implementing Traffic Policing
Implementing Traffic Shaping
Implementing Low Latency Queueing
TCP Normalization
Enhanced TCP Normalization
Management Traffic and MPF
ICMP Inspection Engine



IOS Router and the PIX/ASA
IOS Router and VPN3k


IOS and the PIX/ASA with PSK
IOS and the PIX/ASA with PSK and NAT on the Firewall
IOS and the PIX/ASA with Digital Certificates
IOS and the PIX/ASA: Matching Name in Certificate
IOS and IOS with PSK Across the PIX/ASA
IOS and IOS with PSK Across the PIX/ASA and NAT
IOS and IOS with PSK Across the PIX/ASA with Overlapping Subnets
IOS and IOS with PSK Across the PIX/ASA and NAT with IKE AM
IOS and IOS with Digital Certificates Across the PIX/ASA
IOS and VPN3k with PSK
IOS and VPN3k with PSK using CLI only
IOS and VPN3k with Digital Certificates
IOS and VPN3k with PSK: Tuning IPsec Parameters
IOS and VPN3k: Filtering Tunneled Traffic


GRE Tunnels over IPsec with Static Crypto Maps
GRE Tunnels over IPsec with Crypto Profiles
IPsec VPN Enhancements: VTI Support
IPsec VPN Enhancements: Encrypted PSK
IOS CA: Subordinate/RA Mode IOS Certificate Server (CS) Rollover
IOS CA: Key Rollover for Cerificate Renewal
Certificate ACLs
Dynamic Access Policies


VPN3k and Cisco VPN Client
VPN3k and Cisco VPN Client with Split-Tunneling
VPN3k and Cisco VPN Client with HoId-Down Route
VPN3k and Cisco VPN Client with RRI
VPN3k and Cisco VPN Client with DHCP Server
VPN3k and Cisco VPN Client with RADIUS Authentication
VPN3k and Cisco VPN Client with External Group
VPN3k and Cisco VPN Client with Digital Certificates
VPN3k and IOS ezVPN Remote Client Mode with Split-Tunneling
VPN3k and IOS ezVPN Remote NW Extension Mode with RRI
IOS and IOS ezVPN Remote Client Mode with Xauth/RRI
IOS and IOS ezVPN Remote NW Extension Mode with Xuath/RRI
PIX/ASA and Cisco VPN Client with Split-Tunneling/Xauth/RRI
PIX/ASA and Cisco VPN Client with External Policy
PIX/ASA and Cisco VPN Client with RADIUS
PIX/ASA and Cisco VPN Client with Digital Certificates
The PIX/ASA and IOS ezVPN Remote NW Extension Mode
ezVPN Ehancements: Multiple Inside/Outside Interfaces
ezVPN Ehancements: Proxy DNS
ezVPN Ehancements: Peer Hostname
ezVPN Ehancements: VTI Support
ezVPN Ehancements: DPD Enhancements


ASA and WebVPN Client
ASA and WebVPN Port Forwarding
ASA and SSL VPN Client
AnyConnect VPN in IOS
AnyConnect VPN in ASA
WebVPN Configuration in IOS
VPN3k and WebVPN Client
VPN3k and WebVPN Port Forwarding


IOS and the PIX/ASA: Policing the L2L IPsec tunnel
IOS and VPN3k: QoS for L2L Tunnel
PIX/ASA and Cisco VPN Client: Per-Flow Policing
QoS Pre-Classify for IPsec Tunnel


Decoding IPsec Debugging Output on VPN3k
IPsec and Fragmentation Issues
ISAKMP Pre-Shared Keys via AAA
IPsec NAT-T: L2L Tunnel with VPN3k and IOS Box
IKE Tunnel Endpoint Discovery (TED)
IPsec VPN High-Availability with HSRP
IPsec High Availability with NAT and HSRP
IPsec Pass-Through Inspection on the PIX/ASA
L2TP over IPsec between the ASA and Windows 2000 PC
VPN3k and PPTP Client
Using ISAKMP Profiles
Group Encrypted Transport (GET) VPN
Advanced DMVPN
DMVPN Phase 3
ASA Persistent IPsec Tunneled Flows


Common Configuration
Basic Access-Lists
Reflexive Access-Lists
Dynamic Access-Lists
Stateful Inspection with CBAC
CBAC Port-to-Application Mapping
Preventing DoS Attacks with CBAC
CBAC Performance Tuning
Authentication Proxy with RADIUS
Content Filtering with IOS Firewall
IOS Zone-Based Firewalls
ACL IP Option Selective Drop
IOS L2 Transparent Firewall
CBAC Enhancements (e.g. Self-traffic inspection)
Application Firewall (HTTP Inspection, HTTP Applications, Instant Messaging)
Flexible Packet Matching


Using RADIUS/TACACS+ for telnet Authentication
Using RADIUS/TACACS+ for Exec Authorization
TACACS+ for Command Authorization
TACACS+ Command Accounting
Service Authorization with TACACS+
Using LDAP for Authentication and Authorization
VPN AAA Authentication and Authorization
Using IOS Local AAA
Switchport Authorization with 802.1x
Using ACS RADIUS Profiles
Certificate-Based Authentication


ACS Setup for NAC
NAC L3 IP With the ASA and Cisco VPN Client
NAC L3 IP with VPN3k and Cisco VPN Client



IPS Initial Setup
Configuring Inline VLAN Pair
Promiscuous Mode Monitoring with RSPAN
Monitoring IPS with IPS Event Viewer


Configuring Event Summarization
Creating Custom Signature
Event Counting
Inline Blocking
Event Action Override
Event Action Filtering
IPS Network Access Control (Shunning)
Rate Limiting with IPS


Virtual Sensors
Sensor Password Recovery
Anomaly Detection
TCP Session Tracking Modes
Threat Rating
Sensor Configuration via IME



Mitigating ARP Spoofing Attack with PIX/ASA
Mitigating DHCP Attacks with DHCP Snooping
Mitigating ARP Attacks in DHCP Environment
Mitigating MAC/IP Spoofing in DHCP Environment
Protecting Spanning-Tree Protocol
Protecting Against Broadcast Storms
Mitigating VLAN Hopping Attacks
Protecting Against Network Mapping
Blackhole Routing using PBR
Intrusion Prevention with PIX/ASA
Mitigating Malicious IP Options Attack
Protecting Against MitM attacks

The VOL2 upgrade will be taking place in parallel with VOL1 updates. What you should expect is removal of the VPN3k and (probably) PIX and the changes to the approximately 30% of the material. Many of the existing v2.0 tasks will remain the same, so you can practice the existing material, ignoring anything related to VPN3k (but not the PIX, as many of the PIX features remain unmodified in the new blueprint).

Good luck with your studies!

Further Reading:
CCIE Security Lab Expanded Blueprint


Bookmark this page and check back often for updates! As you can see it is very much a work in progress, but I will be making updates.

I. Implement secure networks using Cisco ASA Firewalls

A. Perform basic firewall Initialization

1. Restoring the Factory Default Configuration

a. configure factory-default [ip_address [mask]]

2. Saving Configuration Changes

a. write memory all [/noconfirm]

3. Setting the Login Password

a. Used for Telnet and SSH connections; default is cisco
b. {passwd | password} password

4. Setting the Enable Password

a. Default is blank
b. enable password password

5. Setting the Hostname

a. hostname name

6. Setting the Domain Name

a. Appended to unqualified names
b. Default is default.domain.invalid
c. domain-name name

7. Setting the Date and Time

a. NTP server will override any manually set time
b. clock timezone zone [-]hours [minutes]
c. clock summer-time zone date {day month | month day} year hh:mm {day month | month day} year hh:mm [offset]
d. clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]
e. ntp authenticate
ntp trusted-key key_id
ntp authentication-key key_id md5 key
ntp server ip_address [key key_id] [source interface_name] [pref er]
f. clock set hh:mm:ss {month day | day month} year

8. Configuring Ethernet Interfaces

a. interface physical_interface
speed {auto | 10 | 100 | 1000 | nonegotiate}
duplex {auto | full | half}
no shutdown

9. Configuring Fiber Interfaces

a. interface gigabitethernet 1/port
media-type sfp
speed nonegotiate
no shutdown

10. Configuring a Redundant Interface

a. interface redundant number
interface redundant number
redundant-interface redundantnumber active-member physical_interface

11. Configuring Interface Parameters

a. no shutdown
b. nameif
c. security-level
d. management-only
e. ip address
f. mac-address

12. Allowing Communication Between Interfaces of Same Security Level

a. same-security-traffic permit inter-interface

B. Configure device management

1. Local Database

a. username name {nopassword | password password [mschap]} [privilege

2. AAA Servers

a. aaa-server server_group protocol {kerberos | ldap | nt | radius |
sdi | tacacs+}
aaa-server server_group (interface_name) host server_ip

3. Allowing Telnet Access

a. telnet source_IP_address mask source_interface

4. Allowing SSH Access

a. crypto key generate rsa modulus modulus_size
write mem
ssh source_IP_address mask source_interface

5. Allowing HTTPS Access for ASDM

a. http source_IP_address mask source_interface
http server enable [port]
asdm image disk0:/asdmfile

6. Managing the Security Appliance on a Different Interface from the VPN Tunnel Termination Interface

a. management access management_interface

7. LDAP Authentication Support

C. Configure address translation (nat, global, static)
D. Configure ACLs
E. Configure IP routing

1. Static Routing
2. Default Routing
4. RIP

a. Generating a default route

b. Disabling route summarization

c. Network filtering

d. Send and receive versions

e. RIP Authentication

6. Route Maps
7. Multicast Routing

a. Enabling
c. Stub Multicast Routing
d. Static Multicast Routes
e. PIM Features

F. Configure object groups

1. Enhanced Service Object Groups

G. Configure VLANs

1. VLAN Support for RA VPN

H. Configure filtering
I. Configure failover
J. Configure Layer 2 Transparent Firewall

1. Transparent Firewall NAT

K. Configure security contexts (virtual firewall)
L. Configure Modular Policy Framework
M. Configure Application-Aware Inspection
N. Configure high availability solutions
O. Configure QoS policies
P. Cisco Secure Desktop
Q. Other Advanced Features

1. Local CA
2. Dynamic Access Policies
3. Inspection for Web/SSL VPN Traffic
4. Enahcned ASA protection (Threat Detection)

II. Implement secure networks using Cisco IOS Firewalls

A. Configure CBAC

1. CBAC Enhancements

B. Configure Zone-Based Firewall
C. Configure Audit
D. Configure Auth Proxy
E. Configure PAM
F. Configure access control
G. Configure performance tuning
H. Configure advanced IOS Firewall features

1. ACL IP Option Selective Drop
2. IOS L2 Transparent Firewall
3. Application Firewall
4. HTTP Inspection
5. HTTP Applications
6. Instant Messaging
7. Flexible Packet Matching

III. Implement secure networks using Cisco VPN solutions

A. Configure IPsec LAN-to-LAN (IOS/ASA)
B. Configure SSL VPN (IOS/ASA)
C. Configure Dynamic Multipoint VPN (DMVPN)

1. Advanced DMVPN
2. DMVPN Phase 3

D. Configure Group Encrypted Transport (GET) VPN
E. Configure Easy VPN (IOS/ASA)

1. EZVPN Enhancements

a. Multiple Inside/Outside Interfaces
b. Proxy DNS
c. Peer Hostname
d. VTI Support
e. DPD Enhancements

F. Configure CA (PKI)


b. Subordinate/RA Mode IOS Certificate Server (CS) Rollover
c. Certificate ACLs
d. Key Rollover for Certificate Renewal

G. Configure Remote Access VPN
H. Configure Cisco Unity Client
I. Configure Clientless WebVPN
J. Configure AnyConnect VPN
K. Configure XAuth, Split-Tunnel, RRI, NAT-T
L. Configure High Availability
M. Configure QoS for VPN
N. Configure GRE, mGRE
O. Configure L2TP
P. Configure advanced Cisco VPN features

1. IPsec VPN Enhancements

a. VTI Support
b. Encrypted PSK

IV. Configure Cisco IPS to mitigate network threats

A. Configure IPS 4200 Series Sensor Appliance
B. Initialize the Sensor Appliance

1. Sensor Password Recovery

C. Configure Sensor Appliance management
D. Configure virtual Sensors on the Sensor Appliance
E. Configure security policies
F. Configure promiscuous and inline monitoring on the Sensor Appliance
G. Configure and tune signatures on the Sensor Appliance
H. Configure custom signatures on the Sensor Appliance
I. Configure blocking on the Sensor Appliance
J. Configure TCP resets on the Sensor Appliance
K. Configure rate limiting on the Sensor Appliance
L. Configure signature engines on the Sensor Appliance
M. Use IDM to configure the Sensor Appliance
N. Configure event action on the Sensor Appliance
O. Configure event monitoring on the Sensor Appliance
P. Configure advanced features on the Sensor Appliance

1. Threat Rating
2. Anomaly Detection
3. TCP Session Tracking Modes
4. Configuration via the IME

Q. Configure and tune Cisco IOS IPS
R. Configure SPAN & RSPAN on Cisco switches

V. Implement Identity Management

A. Configure RADIUS and TACACS+ security protocols
B. Configure LDAP
C. Configure Cisco Secure ACS
D. Configure certificate-based authentication
E. Configure proxy authentication
F. Configure 802.1x
G. Configure advanced identity management features
H. Configure Cisco NAC Framework
J. PKI AAA Authorization

VI. Implement Control Plane and Management Plane Security

A. Implement routing plane security features (protocol authentication, route filtering)
B. Configure Control Plane Policing
C. Configure CP protection and management protection
D. Configure broadcast control and switchport security
E. Configure additional CPU protection mechanisms (options drop, logging interval)
F. Disable unnecessary services
G. Control device access (Telnet, HTTP, SSH, Privilege levels)
H. Configure SNMP, Syslog, AAA, NTP
I. Configure service authentication (FTP, Telnet, HTTP, other)
J. Configure RADIUS and TACACS+ security protocols
K. Configure device management and security

1. IOS Login Enhancements
2. IP Source Tracker
3. Role Based CLI
4. IOS Resilient Configuration
5. Buffer Overflow Detection and correction
6. Additional CPU protection mechanisms (options drop, logging interval)

VII. Configure Advanced Security

A. Configure mitigation techniques to respond to network attacks
B. Configure packet marking techniques
C. Implement security RFCs (RFC1918/3330, RFC2827/3704)
D. Configure Black Hole and Sink Hole solutions
E. Configure RTBH filtering (Remote Triggered Black Hole)
F. Configure Traffic Filtering using Access-Lists
G. Configure IOS NAT
H. Configure TCP Intercept
I. Configure uRPF
J. Configure CAR
K. Configure NBAR
L. Configure NetFlow
M. Configure Anti-Spoofing solutions
N. Configure Policing
O. Capture and utilize packet captures
P. Configure Transit Traffic Control and Congestion Management
Q. Configure Cisco Catalyst advanced security features
R. IOS Security Features

1. DHCP Secured/Authorized ARP
2. Router IP Traffic Export
3. Virtual Fragmentation and Reassembly

VIII. Identify and Mitigate Network Attacks

A. Identify and protect against fragmentation attacks
B. Identify and protect against malicious IP option usage
C. Identify and protect against network reconnaissance attacks
D. Identify and protect against IP spoofing attacks
E. Identify and protect against MAC spoofing attacks
F. Identify and protect against ARP spoofing attacks
G. Identify and protect against Denial of Service (DoS) attacks
H. Identify and protect against Distributed Denial of Service (DDoS) attacks
I. Identify and protect against Man-in-the-Middle (MiM) attacks
J. Identify and protect against port redirection attacks
K. Identify and protect against DHCP attacks
L. Identify and protect against DNS attacks
M. Identify and protect against Smurf attacks
N. Identify and protect against SYN attacks
O. Identify and protect against MAC Flooding attacks
P. Identify and protect against VLAN hopping attacks
Q. Identify and protect against various Layer2 and Layer3 attacks


In this post I will try to summarize the things known so far about the CCDE written/practical exams and provide some (hopefully) useful tips and hint. Even though I didn’t receive my exam results yet, I think it’s still a good idea. At least, I’m still the person who “tried” and haven’t “failed” yet (at least unaware of that :)

The first question that people ask – would getting CCDA and CCDP help in achieving CCDE? That would help, a little. Most useful thing would be summarization your knowledge of IP Routing protocols and QoS topics. Plus, you can find some useful things in the new ARCH2 training course. However, I don’t think it is necessary to become a CCDP in order to get enough knowledge for taking CCDE.

Written Test

This one looks remarkably close to any CCIE written test you have taken before. You have about 100 questions to be answered in 2 hours following this *very* detailed blueprint:

CCDE Written Exam Blueprint

Look at the top-level sections of the document:

IP Routing. This is the section you should pay most of your attention to. You must know everything about OSPF, ISIS, EIGRP and BGP. Specifically, you should learn anything related to protocol deployment and scalability issues – things like summarization, flooding domain, route filtering, BGP topologies, traffic engineering. The exam contains a lot of “scenario-type” questions, providing information on a particular topology and configuration and asking questions that require some basic analysis. Don’t expect to encounter questions like “which command tunes OSPF LSA throttling” but expect things like “where would you place flooding domain boundary” or “what would you do reduce the impact of a flapping link”. There is no single book to cover all the section topics in depth, but here is a list that I would recommend:

Jeff’s Doyle “Routing TCP/IP Vol 1,2” and R. Zhang, M. Bartell “BGP Design and Implementation”

Additionally, look through the relevant tech notes for all protocols here:

Routing Protocols Support Page

When you’re done with in-depth reading on protocols, read the following “final” book: R. White, A. Retana, D. Slice “Optimal Routing Design”. This book covers the design topics in quite generic manner. For the “IP Routing” section focus on the chapters dedicated to routing protocols only. At first sight, the book might look a little bit boring, as it does not focus on gory details, but goes over talking about “generic” topics. Remember, knowing “IP Routing” in-depth is about 60% of your success in the written test.

Tunneling. What they mean by that are various “virtualization” techniques. This includes L3 and L2 tunneling techniques, most notably using MPLS and classic IP packet technologies such as GRE, mGRE, L2TPv3. This is where they are going to test your knowledge of L3 and L2 VPNs (e.g. VPLS), MPLS FRR and other VPN topics. This section is probably the next largest in the exam, constituting about 20-30% of the content that you should absorb. Here is a recommended reading list. First, if you’re not well familiar with MPLS, read the following as a good intro:

I. Pepelnjak, J. Guichard “MPLS and VPN Architectures”, a good additional books is J. Guichard, et. Al “Definitive MPLS Network Designs”.

Other books for this section:

W. Luo, et. al “Layer 2 VPN Architectures” and E. Osborne, A. Simha “Traffic Engineering with MPLS”

Also you may look through the section of “Optimal Routing Design” dedicated to the tunneling technologies for a brief summary. Don’t expect the exam to ask you in-depth technology questions like “what is the meaning of this bit in AToM control word”. Most likely you’ll be asked to pick up the best technology for implementing a particular solution (like what is the best VPN solution to transport multicast securely over SP core given the following limitations, etc).

QoS. This is the topic that most people hate :) With respect to the CCDE exam you are not required to know all the flavors of FRTS. Rather, what you should know are theoretical aspects of QoS implementation, such as QoS models (e.g. Diff/Int Serv) and mapping of application performance requirements to a particular QoS technology (e.g. policing or LLQ). You are expected to know the generic requirements of different application types (e.g. video, interactive traffic) with respect to network characteristics and understand the performance impact caused by QoS implementations. Of course, you need to know all QoS technologies available on Cisco routers as well (classification, marking, conditioning, policing, congestion management and avoidance). Most notably, you need to know how QoS applies in “virtualized” or “tunneled” environments, such as MPLS VPNs (e.g. pipe, short-pipe and uniform QoS models). The blueprint provides A LOT of details for QoS section. Don’t be scared, though. Most of the topics are just analytical breakdown of generic QoS models such as DiffServ. And besides, QoS does not constitute the huge part of the written test. What I would recommend to read on the QoS topics is the following list:

S. Vegesna “IP Quality Of Service” and probably S. Alvarez “QoS for IP/MPLS Networks”

Remember, QoS topics might look overly complicated at first sight. Make sure you master the fundamental concepts of QoS models and understand the implication of QoS configurations on application performance. They wont ask you crazy questions like 10xG.729 cRTP calls bandwidth consumption, but may ask things like “what technology should be used to provide differentiated services for applications sharing the same MPLS LSP”.

Management. This one should be relatively easy, as they wont ask you questions about Cisco Works or Tivoli :) Most likely you need to demonstrate the knowledge of show and debug commands as well as various system monitoring technologies, such as syslog, netflow, RMON, SNMP etc. You may want to take a quick look over A. Clemm’s “Network Management” book, but you probably should better focus at the IOS DocCD section dedicated to “IP Services” and “Network Management” commands and features. Don’t get stuck with in-depth theory of network management, like you would do with QoS. You may expect questions like “choose an optimal technology to extract particular type of information from traffic flows” etc.

Security. You need to know a little about generic concepts such risk analysis, security policy, policy enforcement, role separations, intrusion detection, event correlation etc. However, the top priority for you with this section is studying IOS security features and tools. This includes AAA, packet filtering, firewall features, routing protocol security, and infrastructure protection. Also, make sure you understand some advanced topics such as RTBH and sink-holes, which are related to SP security toolkit. In general, this section does not require detailed knowledge of all security features, but you’d better look under the “Security” section of the DocCD to have basic understanding of all IOS security features.

To summarize, I think you need to focus on the top three sections: Routing, Tunneling, QoS and spend less time on Management and Security. Of course that does not mean you can simply ignore those two “outsiders”, but rather gives you an idea of how to plan your study time.

Practical Test

First of all, you may want to read some of our previous blog posts on the CCDE practical exam.

CCDE Practical Perspectives


The general feeling of the CCDE Practical

The “practical” test itself does not involve any real hardware configuration. The exam is built using Adobe Flash engine. There are few sections, with every section build around a particular network topology (the same topology diagrams) you are supposed to work with. For every topology you are given a number of scenarios (approximately 30-35 questions each), that require the following, per the exam blueprint:

Gather, clarify, and analyze existing and new network requirements

  • Identify requirements and determine how they shape the purpose and expectations of a given network.
  • Demonstrate the ability to gather and validate information about an existing network.

This one is tough, even though it’s mostly reading. In the beginning of every scenario they give you the diagrams and an initial set of documents describing the current network design. Those documents contain quite a lot of information, with some part being more or less relevant to your scenario. What you need to do is perform an analysis, extracting the key concept, business and technical requirements and constrains (sounds easy, huh). For a non-native English speaker this is more time-consuming, since the information could be presented in “free-formats” such as emails or minutes and require additional “processing”. The engine will then ask you some questions testing your ability to extract the key concepts and find the correct questions to ask from the customer. As you could see from the “demo” test, you are offered to request additional information on the network. Whether you selected the correct or wrong choices, the engine presents you the “correct” information. The final result of this section is set of documents that provide all the relevant information you need to complete the particular scenario. The format of the documents could be different, but most of the time it includes some “live” conversations reflecting the real-life work flow.

Develop network designs to meet functional specifications

  • Choose the correct technology to resolve a specific network design problem.
  • Create a network design that minimizes or eliminates negative impact on the existing network and services.
  • Create a network design that is scalable.
  • Create a network design that is elegant and supportable.
  • Create a network design that is resilient.

This part follows the information gathering. Now the engine asks you some questions on relevant technologies. You may need to clarify your choices, as the engine may ask for justification of your selections. The funniest part is the ability to work with network diagrams. The Flash engine allows you enhancing the existing diagrams, placing additional devices (routers, switches) or links (e.g. physical connections or tunnels) and choosing the functional role of devices in the network. The design you are creating should satisfy the scalability and resiliency requirements stated above. You can try working with the diagram using the demo test. Again, even if you provide an incorrect solution, the engine will give you the “correct” design when the next part of the scenario will start. So you can always see how far from the successful design you have been :)

Develop a plan to implement network design changes

  • Evaluate the impact of implementation options.
  • Develop contingency plans for network restoration.

This section is relatively short. The engine asks you to arrange the network changes in the optimal order. You can see that in the demo test as well. The order you choose should provide less impact on the existing topology and should be logically consistent, e.g. you cannot deploy L3 before you enable MPLS in the core. However, it is not all that simple. Sometimes it makes almost no difference to place a particular step before or after another one. Most likely this means you miss something important ;)

Convey design decisions and rationale

  • Justify network design choices based on functional specifications.
  • Justify technology choices based on technical requirements

This may happen at any point within the exam where you are asked to select a particular technology or solution. The engine may ask you to justify your choice and provide rational arguments behind your selection. Even though you may have selected an incorrect choice, it still has some rationale options that you may select from.

Practical Exam Summary

The exam is very exhausting. Like I mentioned, first four hours could draw all your motivation off. So make sure you have enough strength to read a lot of documents and grasp tons of diagrams :) The problem is the exam stress, which may affect your ability to concentrate and understand information presented. During the exam, try taking short breaks and relaxing, as you may feel your brain burning out due to exception load of new information (at least this is what I felt afte 5 hours :)

As for the preparation, there is no special reading list that I would recommend. Theoretical concepts that you need are contained within the books recommended for the written test. You don’t have to practice any lab equipment, as with the CCIE exam, you just need to develop you analytical skills and patience :) Compared to the CCIE lab exam the CCDE practical might look “unfair”. After all, during the lab exam you have full control of the situation. Unlike this, during the CCDE practical the engine controls all your actions, and sometimes you may find that even though your answers might constitute a valid solution, the engine suddenly cuts your line of deduction and throws the “valid” solution on the screen. Sometimes you don’t even have chance to justify your selection, as the engine seems to mark it as incorrect immediately. This lack of options might be frustrating to many and a panel board review could constitute a truly fair examination. However, remember that there are people who already passed the CCDE test, and therefore you have a real chance :)


The following is a detailed CCIE SP lab exam outline. The aim is to help people preparing for the respective exam in organizing their study and eliminating "white spaces" in their knowledge. In general, the ouline tries to follows the official lab blueprint as much as possible and covers the following topics in-depth:

  • Bridging & Switching
  • IGP Core Routing
  • BGP
  • MPLS
  • SP Multicast
  • L2/L3 VPNs
  • QoS
  • Security
  • High Availability
  • Management

Some of the sections may look too much detailed, especially the Bridging & Switching (particularly ATM technology) and maybe QoS and High Availability sections. You will probably want to spend most of your time on IGP, BGP, MPLS, L2/L3 VPN sections (the core of the SP lab) and slightly less on SP Multicast section.


  • Bridging and Switching
    • Ethernet
      • VLANs & VTP
        • VTP Modes & Pruning
      • Trunks
        • DTP
        • ISL & 802.1q
        • Allowed VLANs
        • Native VLAN & Tag Native
      • SVIs & L3 Ports
      • STP
        • Root Bridge Election
        • Features (Portfast, UplinkFast etc)
        • Redundancy
        • RSTP & MSTP
      • Etherchannels
        • LACP & PaGP
        • Load-Balancing Methods
      • QinQ
        • MTU Issues
        • L2 Protocol Tunneling
    • Frame-Relay
      • Interface Types (DCE/DTE/NNI)
      • Subinterfaces, DLCIs & PVCs
      • LMI
      • Inverse-ARP & Static Mappings
      • FR Switching
      • Multilink Frame-Relay (FRF.16)
    • ATM
      • Subinterfaces & VC Mapping
      • PVC
      • SVC
        • NSAP Address
        • NSAP Prefix Learning and ESI
        • Signaling and Q.2931 (QSAAL) PVC
        • CLIP
      • ILMI
      • ATM VC Encapsulations
      • Inverse-ARP and Protocol Address Mapping
      • Frame-Relay Interworking (FRF.5 & FRF.8)
    • PPPoE
      • PPP IP Address Allocation (IPCP, DHCP)
  • IGP Core Routing
    • Intergrated IS-IS ***
      • Level-1/2 and Areas
      • Network Types
        • Point2Point
        • Broadcast
      • Mesh Groups
      • Route-Leaking
      • Metric-Style & Metric-Types
      • Redistribution & Filtering
      • Tuning Timers
        • Hello/Dead
        • LSA Generation/Throttling
        • PRC/SPF Throttling
    • OSPF
      • Area Types
      • Network Types
      • NSSA Area
      • Filtering (Inter-Area filters, Database, Dist-Lists)
      • Redistribution
      • Summarization (External/Inter-Area)
      • Virtual-Links
      • OSPF Timers
        • LSA Flooding & Pacing
        • SPF Throttle
    • Policy Based Routing
  • BGP
    • iBGP & eBGP
    • BGP Timers & Convergence Tuning
      • Advertisement interval (neighbor advertisement-interval)
      • VPNv4 Import Scan interval (bgp scan-time import)
      • General Scan interval (bgp scan-time)
      • BGP Next-Hop Trigger
      • Fast Fallover
      • Keepalive & Holdtime
    • BGP Scalability
      • Route-Reflectors & Clusters
      • Confederations
      • Synchronization
    • Redistribution & Filtering
    • Outbound Route Filtering
    • Route Aggregation & Attributes
    • Conditional Route Injection & Advertisement
    • Route Dampening
    • Communities, Coloring & Signaling
    • BGP Attributes & Best-Path Selection
    • Backdoors
    • BGP Multipath (iBGP/eBGP, DMZ Link BW)
  • SP Multicast
    • PIM-SM/DM
    • PIM-Bidir
    • PIM-SSM & IGMPv3/UDR
    • RPF failure and static mroutes
    • IGMP
      • Versions
      • Timers
      • Filtering
    • Static-RP/Auto-RP/BSR
    • MSDP and Inter-AS Multicast
    • MP-BGP Extension for Multicast
    • Anycast-RP
    • IGMP Snooping
    • Stub Multicast Routing
    • 3550
      • IGMP Profiles
      • MVR
  • MPLS
    • Label Distribution
      • LDP/TDP,
        • Directed Sessions
        • Authentication
      • BGP Send-Label
      • Advertising Labels
      • Label Filtering
        • LDP and ACLs
        • BGP and route-maps
    • Cell-Mode MPLS & Label Merging
      • ATM Control-VC
    • MPLS TE
      • IGP Configuration
      • RSVP Settings
      • Attributes & Affinity Bits
      • Holding & Setup Priority
      • Path Options
      • Explicit/Dynamic Route
      • Routint Options: PBR, Static route, Autoroute
      • Cisco Forwarding Adjacency over TE tunnel
      • Inter-Area TE
      • MPLS TE with L3/L2 VPN
        • PE-PE Tunnels
        • PE-P, P-P Tunnels & LSP recovery
      • Unequal-Cost Load-Balancing
  • L3/L2 VPN
    • L3 VPN
      • VRF & RD
        • Controlling Route Import/Export
        • VRF Lite
        • VRF Select & Route-Map VRF selection
      • MP-BGP
        • VPNv4 AF
        • Extended Communities
        • Route-Target
        • Filtering
        • RRs & Scalability Issues
          • ORF
          • Communities & Partitioning
          • BGP RR-Group & Partitioning
      • PE-CE Routing
        • OSPF
          • Super-Backbone and Extended Communities
          • Domain-ID
          • Sham-Links
          • VRF Lite Capability
          • Down Bit and VPN Tag
        • EIGRP
          • SoO Attribute
          • BGP Cost Community
        • RIP
          • Transparent Metric
        • eBGP
          • AS-Override
          • AllowAs-In
          • BGP SoO
        • Redistribution & Filtering
        • VRF Import/Export Maps
        • Importing from global table
      • VPN Topologies
        • Central Services
        • Extranet
        • Hub-and-Spoke (upstream, downstream VPNs)
      • Inter-AS VPN
        • Back-to-Back VRFs
        • Direct VPNv4 Exchange on ASBRs
        • ASBR Send-Label & VPNv4 Multihop
          • IPv4 BGP Route-Reflector for Label distribution
          • Redistribute into IGP + LDP
      • Carrier Supporting Carrier
        • IP only Customer Carrier
        • MPLS Enabled Customer Carrier
        • Hierarchical MPLS VPNs
        • Carrier Label Exchange
          • IGP+LDP
          • BGP+Send-Label
      • Multicast VPN
        • Default & Data MDT
        • PIM-SM/Bidir (ISM) in Core
        • SSM in Core (Ext.Comm/MDT SAFI)
        • Inter-AS mVPN
          • PIM-SM + MSDP
          • MDT SAFI + PIM SSM + PIM RPF Proxy
    • L2 VPN
      • Generic
        • ATM Cell Relay & AAL5 SDU Mode
        • ATM OAM Transparent/Emulation
        • HDLC Frame Tunneling
        • Frame-Relay DLCI-to-DLCI
        • Ethernet VLAN and Port Mode
        • PPP and IP address Assignment
      • AToM
        • PW Setup & MTU Issues
        • Inter-AS AToM
          • Back-to-Back
          • Label exchange
      • L2TPv3
        • Manual & Automatic Signaling
        • Authentication & Cookie
        • Sequencing & Keepalives
        • pMTU Discovery & DF-bit
      • L2 Interworking (IP/Ethernet, Local Termination)
      • Local Switching (with & w/o Interworking)
      • GRE/mGRE Tunnels
      • MPLS BGP VPN over mGRE
  • QoS
    • Classification & Marking
      • ACLs
      • DSCP bits, TOS & IP Precedence
      • NBAR & Protocol-Specific Matching
      • Policers (Single/Dual-Rate, Color-Aware/Blind)
      • FR DE bit/ATM CLP
      • QoS-Groups
      • MPLS EXP bits
      • Tunnel Modes:
        • Uniform
        • Short-Pipe
        • Pipe
    • Congestion Management
      • Tx-Ring Tuning
      • Legacy Queueing
        • WFQ/CQ/PQ
        • IP RTP Priority
      • CBWFQ
        • Priority (LLQ)
        • Bandwidth
        • Hierarchical (Queueing at Subinterfaces)
      • Frame-Relay/ATM Per-VC Queueing (Legacy & CBWFQ)
      • WRED for Congestion Avoidance (Legacy & MQC)
    • Traffic Flow Control
      • Rate-Limiting
        • CAR & Cascading
        • MQC Policer
          • Single-Rate
          • Dual-Rate
          • Actions
      • Shaping
        • Legacy GTS
        • FRTS
          • Legacy
          • MQC
        • Class-Based (MQC)
    • QPPB
    • DiffServ Aware TE
      • Interface Subpools
    • 3550 QoS Features
      • WRR Queue Tuning
      • Classification & Marking
        • Policy Maps
        • Mapping Tables
      • Per-Port/Per-VLAN Classification
      • Policing
  • Security
    • Application Level Filtering (NBAR)
    • L3 Security
      • Control Plane
        • Routing Updates Auth
        • Signaling Protocols Auth (LDP, L2TPv3, BGP)
        • Control Plane Policing
      • Filtering with ACLs & ACL Logging
      • RPF and Spoofing (Strict/Loose Mode)
      • CAR and Flooding
      • TCP Intercept and SYN-Flooding
    • L2 Security
      • Protecting STP (BPDU-Filter/Guard)
      • Port-Security
    • DDoS Mitigation
      • Sinkholes/Blackholes
      • RTBH Scenarios
    • Common Attacks
      • Worms & Viruses
      • Smurf/Fraggle/Generic Flooding
      • SYN-Flooding
      • Network Scanning
      • CAM-Table overflow, VLAN Hopping
  • High Availability
    • NSF & SOO
      • BGP Graceful Restart
      • OSPF LLS
      • EIGRP NSF awareness
      • LDP Graceful restart
    • LDP Session protection
    • Tuning IGP Convergence
      • Link Protection
      • Node Protection
      • L2 PW Protection
      • L3 VPN and FRR
  • Management
    • SNMP
    • Syslog
    • Remote Access (Telnet/SSH)
    • NTP
    • Netflow
      • MPLS-aware Netflow
      • Flexible Netflow
      • Export Configuration
    • IP Accounting
    • Other IP Services

Below is the new CCIE Voice Lab Blueprint (version 3) that will be implemented mid-July 2009.

CCIE Voice Lab 3.0 Equipment and Software Versions

Passing the CCIE Voice Lab Exam requires a depth of understanding difficult to obtain without hands-on experience. Early in your preparation, you should arrange access to the equipment listed below:

Lab Equipment:

  • Cisco MCS-7845 Media Convergence Servers
  • Cisco 3825 Series Integrated Services Routers (ISR)
  • Cisco 2821 Series Integrated Services Routers (ISR)
  • ISR Modules and Interface Cards

+ VWIC2-1MFT-T1/E1

  • Cisco Catalyst 3750 Series Switches
  • IP Phones and Soft Clients

Software Versions

Any major software release which has been generally available for six months is eligible for testing in the CCIE Voice Lab Exam.

  • Cisco Unified Communications Manager 7.0
  • Cisco Unified Communications Manager Express 7.0
  • Cisco Unified Contact Center Express 7.0
  • Cisco Unified Presence 7.0
  • Cisco Unity Connection 7.0
  • All routers use IOS version 12.4T Train.
  • Cisco Catalyst 3750 Series Switches uses 12.2 Main Train

Network Interfaces

  • Fast Ethernet
  • Frame Relay

Telephony Interfaces

  • T1
  • E1

I expanded upon the awesome CCIE Lab Technology Outline found in the Resources section or our main Web Site. I am looking to add features to this list soon, and of course, please post any changes you feel I should make in our comments section. I plan on fixing the formatting as I add new features. Enjoy your studies.

I. Bridging and Switching

A. Frame Relay

I. L2/L3 Resolution - static vs dynamic
II. Broadcast/Multicast Support
IV. Full Mesh/Partial Mesh
V. Hub and Spoke using Point-to-Point
VI. Hub and Spoke using Multipoint
VIII. PPP over Frame
IX. End to End Keepalives
X. Broadcast Queue
XI. Load Interval
XII. PING local interface
XIII. Multilink Frame Relay


I. Authentication

a. PAP

II. Peer Neighbor-Route
III. Link Quality Monitoring
IV. RFC 1663 (PPP Reliable Transmission)
V. PPP Half-Bridging

a. MRRU Negotiation

VII. PPP over Frame Relay
VIII. Serial Clocking

C. Bridging

I. Transparent Bridging

D. Catalyst switching

I. Administering

a. MAC address aging time
b. MAC address notification traps
c. Unicast MAC address filtering
d. Optimizing System Resources (SDM)

II. Smartports Macros
V. Flow Control
VI. Fallback Bridging

a. Aging Time
b. Filtering by Specific MAC Address
c. Adjusting STP Parameters

VII. Interface Range Macro

a. Port Cost versus Port Priority
b. Timers
c. PortFast, UplinkFast, BackboneFast
d. BPDU Guard and BPDU Filtering
e. Guards

1. EtherChannel Guard
2. Root Guard
3. Loop Guard

f. Load sharing using STP
g. STP Modes - MSTP and PerVLAN - RSTP
h. Root and secondary root


a. VTP Modes
b. VTP Version 2
c. VTP Pruning

X. Trunks

a. Static Config
b. Allowed VLAN
c. Block DTP (Nonegotiate)
d. Block VTP (TRANS Mode)
e. Router on a Stick
f. Pruning
g. Native VLAN

XI. Extended-Range VLAN with Internal VLAN ID
XII. Inter-VLAN Routing
XIV. EtherChannel

a. Layer 2 EtherChannel
b. Layer 3 EtherChannel
c. Load Balancing
d. PAgP Learn Method and Priority
e. LACP Port Priority and System Priority

XVI. Link-State Tracking

II. IP IGP Routing


I. NBMA Configs

a. Timer Manipulation Through Network Type

II. Demand Circuit
III. Passive Interface
IV. Authentication

a.Link versus Area
b. MD5 versus Clear
c. Link-Local Signaling

V. Summarization

a. Area Range
b. Summary Address
c. Make a Type-1

VI. Area Transit Capability
VII. Inbound Route Filtering

a. Limiting Number of OSPF Redistributed Routes

VIII. auto-cost reference-bandwidth
IX. Stub areas
X. Stub Router Advertisement
XI. Unicasting hellos

a. Nonbroadcast network type with neighbor
b. Support for Fast Hello Packets

XII. Cost Manipulation

b. Bandwidth Manipulation
c. SPF Throttling
d. Incremental SPF
e. LSA Throttling
f. LSA Overload Protection

XIII. Loopback Advertising

a. Network Type P2P
b. Area Range
c. Redistribute

XIV. Time Manipulation

a. Retransmission Limit

XV. OSPF ABR Type 3 LSA Filtering
XVI. Forwarding Address Suppression in Translated Type-5 LSAs
XVII. NSF Awareness
XVIII. Incremental OSPF


I. Authentication
II. Summarization

a. Floating summary routes

III. Composite metric manipulation

a. Applying offsets to Routing Metrics

IV. Adjusting timers
V. Neighbor command
VI. Network command with Wildcard Mask
VII. Percentage of link bandwidth used (bandwidth-percent)
IX. Distribute List
X. Route-Map Support
XI. SNMP Support
XII. Offset List
XIII. EIGRP Prefix Limit
XIV. Passive Interface
XV. NSF Awareness
XVI. Maximum prefix

C. RIPv2

I. Authentication
II. Offset List
III. Distribute List

a.Gateway option

IV. Adjusting Timers

a.Interpacket Delay

V. Disabling Validation of Source IP Addresses
VI. Split Horizon and secondary interfaces
VII. Summarization
VIII. Default Information Originate
IX. Unicast routing updates

a. Passive Interface/Neighbor

X. Passive Interface
XI. Triggered updates on WAN

D. IPv6

I. Introduction to IPv6
II. IPv6 Addressing
III. IPv6 Tunneling
IV. RIP for IPv6

a. Enabling IPv6 RIP

I. Over broadcast

b. Split Horizon
c. Customizing IPv6 RIP
d. Redistributing Routes into an IPv6 RIP routing process
e. Configuring Tags
f. Filtering IPv6 RIP updates

V. OSPF for IPv6

a. Enabling OSPF on an interface
b. Defining an OSPF IPv6 area range
c. Authentication on an Interface
d. Authentication in an OSPF area

V. Configuring NBMA interfaces



I. IPv4 Tunnel
II. IPv6 Tunnels

a.Configuring GRE/IPv6 Tunnel
b. Manual IPv6 Tunnel
c. Configuring 6to4 Tunnel
d. Configuring IPv4-Compatible IPv6 Tunnels


I. Enabling ODR
II. Filtering ODR information
III. Redistributing ODR Information
IV. Reconfiguring CDP or ODR Timers

G. Filtering, redistribution, summarization and other advanced features

I. Policy-Based Routing

a. PBR Recursive Next Hop
b. PBR Support for Multiple Tracking Options

II. /31 Mask
III. Administrative Distance Manipulation
IV. Redistribution

a. Default Metric
b. Setting Parameters with Route Map

I. Metric
II. Metric Type
III. Tagging During Redistribution



I. Synchronization
II. Confederation
III. Route-Reflection
IV. Non-BGP Speaker in Transit Path

b. Redistribute into IGP
c. Static route
d. Default route
e. Policy Route


I. Multihop

C. Filtering, redistribution, summarization, synchronization, attributes and other advanced features

I. Authentication
II. BGP Router ID
III. Advertising Prefixes
IV. Max-Prefix Limit
V. Next Hop Self

VI. Load Balancing

VII. Path Manipulation

a. Local Pref
b. Weight
c. MED

VIII. BGP Cost Community
IX. Regex Engine Performance Enhancement
X. Local-AS

a. Hide Local-AS

XI. Summarization

a. Suppress Map
b. Unsuppress Map

XII. Well-known Communities
XIII. Conditional Route Advertisement
XIV. Remove Private AS
XV. AS-PATH Filtering
XVI. BGP Policy Accounting

a. Output Interface Accounting

XVII. NSF Awareness
XVIII. Support for TTL Security Check
XIX. Support for Fast Peering Session Deactivation
XX. Support for Next-Hop Address Tracking

IV. IP and IOS Features

A. IP addressing
B. Switching Paths

I. Process switching
II. Fast Switching
III. Netflow switching
IV. CEF switching


I. Performance Parameters
II. Window Scaling
III. Explicit Congestion Notification
IV. Keepalive Packet Service

D. Interface Hold-Queue Limits
E. Configuring Loopback detection

I. Different Subnet Mask than Interface
II. Multiple Default Gateways
III. DHCP Snooping (on 3550)
IV. DHCP Relay and Option 82
V. Reforwarding Policy
VI. IP Source Guard
VII. DHCP for IPv6


I. Interface Tracking
II. Multiple Groups
III. Authentication and Timers


I. Object Tracking
II. MD5 Authentication


I. MD5 Authentication
II. Text Authentication
III. Weighting values and object tracking

J. Enhanced Object Tracking

I. Tracking Line-Protocol State
II. Tracking IP-Routing State
III. Tracking IP-Reachablility
IV. Tracking Threshold of IP-Route Metrics
V. Configuring Track Lists

K. IP services

I. IP Event Dampening

a. Excluding Traffic from Redirection
b. Using Access-lists for a Service Group

c. Setting a Password for a router and cache engine
d. Outbound ACL Check
e. Increased Services

III. IP Accounting
IV. DRP Server Agent
V. TFTP Server
VI. FTP Connections
VII. RARP Server
VIII. Auto Install

L. IOS user interfaces


I. HTTP Authentication
II. Filtering access to HTTP Server
III. Changing HTTP server port number
IV. Downloading/Uploading files via HTTP/HTTPS

II. Using rsh and rcp

M. System management

I. Logging

a. Timestamps
b. Sequence numbers
c. History
d. XML formatted System Logging Messages

II. Compressing the configuration file
III. Disabling the parser cache
IV. Reallocating processor and I/O memory
V. Embedded Resource Manager
VII. Warm Reboot


I. NAT Inside
II. NAT Outside

a. Configuring overlapping networks to communicate

III. NAT Timeouts
IV. NAT Virtual Interface
V. Overload Interface Outbound To Hide Internal Details
VI. TCP load balancing
VII. Using route-maps for NAT decisions
VIII. Limiting number of concurrent NAT operations


I. Configuring NHRP authentication
II. Using GRE for multipoint operation


I. Master with Authentication
II. NTP Server
III. Authentication
IV. NTP Peer


I. Configuring Interface Index Persistence
II. CPU and Memory Threshold Notification
III. Event Tracing

R. Telnet

I. Establishing Terminal Session Limits
II. Displaying Line Connection Information
III. Chunk-size
IV. Assign IP address to service provided on a TCP port
V. Busy-message
VI. Vacant-message
VII. Telnet message on successful connection
VIII. Refuse-message
IX. Suppressing onscreen messages during Telnet connections (ip telnet quiet)
X. Saving Local Settings Between Sessions
XI. Defining Escape character and other key sequences
XII. Setting terminal screen length and width
XIII. Enable session locking
XIV. Configuring Banners using tokens
XV. Login Enhancements (block-for, quite-mode, delay, etc.)
XVI. Hiding Telnet Addresses

T. IP Accounting

I. Tracking IP Precedence


V. IP Multicast MM

A. PIM, bi-directional PIM

I. Static RP Config

a. RP-Announce-Filter

IV. Neighbor Filter
V. NBMA Mode
VI. Static Mroutes
VII. Tunnel in Hub and Spoke Configuration



I. IGMP Access Groups
II. IGMP Version
III. Join Group
IV. Static Group
V. Immediate Leave
VI. IGMP Snooping and MVR (cat 3550)
VII. Timers

D. Multicast tools, source specific multicast

I. Multicast Helper
II. Multicast Rate Limiting
III. TTL Threshold
IV. IP Multicast Boundary
V. SPT Threshold
VI. Stub IP Multicast Routing
VII. sdr Listener support
VIII. Load splitting multicast traffic
IX. Multicast Routing Monitor
X. Multicast Heartbeat

G. Anycast


A. Quality of service solutions
B. Classification and Marking

I. Using MQC

I. Using NBAR
II. Using PBR
III. Using CAR
IV. QoS Policy Propagation via BGP

I. DE List

VI. 3550 - Classifying Traffic on a Per-Port Per-VLAN Basis by Using Class Maps

C. Congestion management, congestion avoidance

I. Legacy Congestion Management (WFQ, CQ, PQ)
V. 3550 - Expedite Queue
VI. 3560 - Weighted Tail Drop (WTD)
VII. 3560 - SRR (Shaped Round Robin)

D. Policing and shaping

I. 3550 Policing
II. Policing with MQC

I. Two-Rate Policer
II. Percentage-based Policing and Shaping

III. Unconditional Packet Discard
IV. Control Plane Policing
V. Shaping with MQC
VII. Generic Traffic Shaping

E. Signaling


F. Link efficiency mechanisms

I. MultiLink PPP (MLP)

I. MPL Interleaving and Queuing
II. Multiclass Multilink PPP
II. FRF.12
IV. Compressed Real-Time Protocol
V. Compression - STAC versus PREDICTOR

VII. Security


I. 802.1x

I. Enabling 802.1x Authentication
II. Periodic Reauthentication
III. Quiet Period
IV. Host mode
V. Guest VLAN
VI. Accounting

B. Traffic filtering and firewalls

I. Lock and Key (Dynamic Access Lists)
II. Reflexive Access Lists
III. TCP Intercept


C. Access lists

I. Time-Based Access Lists
II. Log-Input Option
III. Block RFC 1918
IV. RFC 2827 Filtering
V. Block Loopback Address Space
VII. MAC Access Lists

D. Routing protocols security, catalyst security

II. Port-Based Traffic Control

I. Storm Control
II. Protected Ports
III. Port Blocking
IV. Port Security

III. Dynamic Arp Inspection (DAI)
IV. VLAN Access Control Lists (VACLs or VLAN Access Maps)
V. Private VLANS (3560 Only)
VI. All forms of routing protocol authentication

E. Other security features

I. Unicast Reverse Path Forwarding

I. Access-list option allows you to forward traffic still - but log it

II. Privilege Levels
III. Cisco IOS Resilient Configuration
IV. Image Verification
V. IP Source Tracker
VI. IP Traffic Export
VII. Role-Based CLI Access


Hi gang. If you are a "tweener" like me as you are looking at this lab track, I thought you might like a list of the topics in the new blueprint that do not exist in the old. Also, notice that many topics that exist in both are being implemented on different equipment. For example, in the old you might do an SSL VPN on the concentrator, but now you would be limited to IOS or ASA.

Section II Cisco IOS Firewalls

B. Zone-Based Firewalls

Section III VPN

D. Group Encrypted Transport (GET) VPN
J. AnyConnect VPN

Section IV IPS

D. Virtual Sensors
E. Security Policies

Section V Identity Management


Section VI Control Plane/Management Plan Security

A. Implement routing plane security features (protocol authentication, route filtering)
B. Configure Control Plane Policing
C. Configure CP protection and management protection
D. Configure broadcast control and switchport security
E. Configure additional CPU protection mechanisms (options drop, logging interval)
F. Disable unnecessary services
G. Control device access (Telnet, HTTP, SSH, Privilege levels)
H. Configure SNMP, Syslog, AAA, NTP
I. Configure service authentication (FTP, Telnet, HTTP, other)
J. Configure RADIUS and TACACS+ security protocols
K. Configure device management and security

Section VIII Network Attacks

B. Malicious IP Option Usage


The long rumored Security CCIE Lab changes have finally been officially announced by Cisco.  The new version 3 hardware/software and blueprint will be implemented in mid-April 2009.  The good news is that there are not going to be any real changes to the hardware.  The new hardware and software is listed below:


  • Cisco 3800 Series Integrated Services Routers (ISR)
  • Cisco 1800 Series Integrated Services Routers (ISR)
  • Cisco Catalyst 3560 Series Switches
  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco IPS Series 4200 Intrusion Prevention System sensors
  • Cisco Secure Access Control Server for Windows


  • Cisco ISR Series running IOS Software Version 12.4T Advanced Enterprise Services feature set is used on all routers
  • Cisco Catalyst 3560 Series Switches running Cisco IOS Software Release 12.2(44)SE or above
  • Cisco ASA 5500 Series Adaptive Security Appliances OS Software Version 8.x
  • Cisco IPS Software Release 6.1.x
  • Cisco VPN Client Software for Windows, Release 5.x
  • Cisco Secure ACS for Windows Version 4.1

New Version 3 Blueprint

  1. Implement secure networks using Cisco ASA Firewalls
    1. Perform basic firewall Initialization
    2. Configure device management
    3. Configure address translation (nat, global, static)
    4. Configure ACLs
    5. Configure IP routing
    6. Configure object groups
    7. Configure VLANs
    8. Configure filtering
    9. Configure failover
    10. Configure Layer 2 Transparent Firewall
    11. Configure security contexts (virtual firewall)
    12. Configure Modular Policy Framework
    13. Configure Application-Aware Inspection
    14. Configure high availability solutions
    15. Configure QoS policies
  2. Implement secure networks using Cisco IOS Firewalls
    1. Configure CBAC
    2. Configure Zone-Based Firewall
    3. Configure Audit
    4. Configure Auth Proxy
    5. Configure PAM
    6. Configure access control
    7. Configure performance tuning
    8. Configure advanced IOS Firewall features
  3. Implement secure networks using Cisco VPN solutions
    1. Configure IPsec LAN-to-LAN (IOS/ASA)
    2. Configure SSL VPN (IOS/ASA)
    3. Configure Dynamic Multipoint VPN (DMVPN)
    4. Configure Group Encrypted Transport (GET) VPN
    5. Configure Easy VPN (IOS/ASA)
    6. Configure CA (PKI)
    7. Configure Remote Access VPN
    8. Configure Cisco Unity Client
    9. Configure Clientless WebVPN
    10. Configure AnyConnect VPN
    11. Configure XAuth, Split-Tunnel, RRI, NAT-T
    12. Configure High Availability
    13. Configure QoS for VPN
    14. Configure GRE, mGRE
    15. Configure L2TP
    16. Configure advanced Cisco VPN features
  4. Configure Cisco IPS to mitigate network threats
    1. Configure IPS 4200 Series Sensor Appliance
    2. Initialize the Sensor Appliance
    3. Configure Sensor Appliance management
    4. Configure virtual Sensors on the Sensor Appliance
    5. Configure security policies
    6. Configure promiscuous and inline monitoring on the Sensor Appliance
    7. Configure and tune signatures on the Sensor Appliance
    8. Configure custom signatures on the Sensor Appliance
    9. Configure blocking on the Sensor Appliance
    10. Configure TCP resets on the Sensor Appliance
    11. Configure rate limiting on the Sensor Appliance
    12. Configure signature engines on the Sensor Appliance
    13. Use IDM to configure the Sensor Appliance
    14. Configure event action on the Sensor Appliance
    15. Configure event monitoring on the Sensor Appliance
    16. Configure advanced features on the Sensor Appliance
    17. Configure and tune Cisco IOS IPS
    18. Configure SPAN & RSPAN on Cisco switches
    19. jfdk
  5. Implement Identity Management
    1. Configure RADIUS and TACACS+ security protocols
    2. Configure LDAP
    3. Configure Cisco Secure ACS
    4. Configure certificate-based authentication
    5. Configure proxy authentication
    6. Configure 802.1x
    7. Configure advanced identity management features
    8. Configure Cisco NAC Framework
  6. Implement Control Plane and Management Plane Security
    1. Implement routing plane security features (protocol authentication, route filtering)
    2. Configure Control Plane Policing
    3. Configure CP protection and management protection
    4. Configure broadcast control and switchport security
    5. Configure additional CPU protection mechanisms (options drop, logging interval)
    6. Disable unnecessary services
    7. Control device access (Telnet, HTTP, SSH, Privilege levels)
    8. Configure SNMP, Syslog, AAA, NTP
    9. Configure service authentication (FTP, Telnet, HTTP, other)
    10. Configure RADIUS and TACACS+ security protocols
    11. Configure device management and security
  7. Configure Advanced Security
    1. Configure mitigation techniques to respond to network attacks
    2. Configure packet marking techniques
    3. Implement security RFCs (RFC1918/3330, RFC2827/3704)
    4. Configure Black Hole and Sink Hole solutions
    5. Configure RTBH filtering (Remote Triggered Black Hole)
    6. Configure Traffic Filtering using Access-Lists
    7. Configure IOS NAT
    8. Configure TCP Intercept
    9. Configure uRPF
    10. Configure CAR
    11. Configure NBAR
    12. Configure NetFlow
    13. Configure Anti-Spoofing solutions
    14. Configure Policing
    15. Capture and utilize packet captures
    16. Configure Transit Traffic Control and Congestion Management
    17. Configure Cisco Catalyst advanced security features
  8. Identify and Mitigate Network Attacks
    1. Identify and protect against fragmentation attacks
    2. Identify and protect against malicious IP option usage
    3. Identify and protect against network reconnaissance attacks
    4. Identify and protect against IP spoofing attacks
    5. Identify and protect against MAC spoofing attacks
    6. Identify and protect against ARP spoofing attacks
    7. Identify and protect against Denial of Service (DoS) attacks
    8. Identify and protect against Distributed Denial of Service (DDoS) attacks
    9. Identify and protect against Man-in-the-Middle (MiM) attacks
    10. Identify and protect against port redirection attacks
    11. Identify and protect against DHCP attacks
    12. Identify and protect against DNS attacks
    13. Identify and protect against Smurf attacks
    14. Identify and protect against SYN attacks
    15. Identify and protect against MAC Flooding attacks
    16. Identify and protect against VLAN hoping attacks
    17. Identify and protect against various Layer2 and Layer3 attacks

Subscribe to INE Blog Updates