We're ringing in the New Year with more awesome content than ever! Our goal for 2019 is to continue to grow and deliver the best IT training in the industry. Here are a few of our highlights from 2018.


"Why doesn't this PING work!?!"

Here is a simple 3 router configuration, well at least it is simple on 2 of the 3 routers. R1 and R3 are configured quite traditionally, but R2 is a bit more involved.
Here is the diagram.

Here are the details.

R2 is using a VRF which includes both LAN interfaces. R2 is also acting as a Zone Based Firewall in transparent mode, allowing all ICMP traffic in both directions, as well as SSH from the inside to the outside networks. R2 has a bridged virtual interface in the network. All are running OSPF, but pings issued from R2 to the loopbacks of R1 and R3 are failing.

Can you identify why?


RFCs, or Requests for Comments, are published documents that describe various aspects of computer networking. Generally, these are memorandums published by the Internet Engineering Task Force.

RFCs can be a great resource. For some unknown reason, most candidates preparing for the CCIE don't take the time to review these documents, which can be very helpful in assisting with understanding the how and why of various networking components. Perhaps the language is a bit dry, or they prefer books with shiny covers.


You have just been given a shiny, new router to configure.  As part of the configuration, you are asked to configure an outbound access list which will only permit traffic through to specific destinations.  Here are the requirements that you are given for your access-list:

Match (and permit) the following destinations using an access-list.  Your access list should use the fewest number of lines, and should not overlap any other address space.

Anything within the address space.
Anything within the address space.
Anything within the address space.
Anything within the address space.

Be warned, it is estimated that a very high percentage of readers will NOT have the correct answer.


The leading question:

"Is it possible (and if so, how) to redistribute or originate a default route based on time of day?"

The short answer is "Sure, why not?"...  But the longer answer has to do with how do we warp the forces of the universe to make that happen???

Well, start with what we know.  We know we can do time-ranges in access-lists, right?  Can we do them in standard access-lists (what we see used for redistribution all the time)?

Rack1R1(config)#access-list 1 permit ?
log  Log matches against this entry


Nope.  There's a bummer.  So we will need to use EXTENDED ACLs in order to make this work.  So now we are reaching the point of "Yes, it can be done, but it will make my head hurt." as the answer.   :)

First, as a little review, check out a blog we did last year providing some information on that sort of thing in conjunction with a distribute-list in different routing protocols.


Hello faithful blog readers. We all know there are some real treasures in the DOC-CD that can assist dramatically in the lab exam. Here are some of our readers' favorites. Thanks to my friend Ruhann over in South Africa for the post idea!

All navigation begins from

I. Bridging and Switching

a. Integrated and Concurrent Routing and Bridging

Cisco IOS Software - 12.4 Family - 12.4 Mainline - C.G. - Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.4 - Part 1: Bridging - Configuring Transparent Bridging

II. IP IGP Routing


a. Best Path Selection

Cisco IOS Software - 12.2 Family - 12.2 Mainline - C.G. - Cisco IOS IP Configuration Guide, Release 12.2 - Part 2: IP Routing Protocols - Configuring BGP - How BGP Selects Paths


Answers for Part II

So the answers to the exciting tasks at hand....

There was a good amount of activity surrounding answers submitted for the contest!  It was good to see that many people were interested in them!  Now, it's time to go through the answers and stretch the imagination a bit!  Be prepared for some stretching as well!

One quick thing to point out before we get started, there was a question asked about why /24 routes won't have a ".255" as the fourth octet.  This really depends on how we are using the ACL.  If we are doing traffic filtering, where packets will obviously come from hosts INSIDE the /24, then yes, I'd use a ".255" mask.

However, when the entry is being used for a routing filter, and it's a /24 route...  The fourth octet will, by definition, always be ".0" and shouldn't be changed.  So the mask of ".0" prevents anything from changing!

Now...  On to the answers!


Thank you to everyone who participated...  It was my first time running a little contest on the blog, and I'm sorry to say it didn't quite work as I expected!  The comments were not supposed to be seen until a day later, but I think I forgot to share that with the other folks here!  My bad!


As CCIE candidates, we are asked to do all sorts of things with access lists.  We have them in lots of different places, and use them in lots of different ways.  So many, sometimes, that it becomes very confusing to follow things!


This may seem to be a basic topic, but it looks like many people are still confused by the difference between those two concepts. Let us clear this confusion at once!
