I enjoyed Petr's article regarding explicit next hops. It reminded me of a scenario where a route redistributed into OSPF worked only conditionally, depending on which reachable next hop was used.

Here is the topology for the scenario:

[Topology diagram: three routers in the OSPF forwarding-address scenario]

Here is the relevant (and working :)) information for R1.

[Screenshot: R1 configuration and verification]

When we replace the static route with one that uses a new, also reachable, next hop, we lose the ability to ping.

[Screenshot: R1 after replacing the static route's next hop]

When we change the next hop for the static route (which is being redistributed into OSPF), the route to no longer works, even though we have verified that we can ping the new next hop.

Can you solve this puzzle? Please post your ideas!

For more troubleshooting scenarios, please see our CCIE Route-Switch workbooks, volume 2, for more than 100 challenging troubleshooting scenarios.

We will post the results right here, in a few days, after you have had a chance to post your comments and ideas.

Best wishes.



Thank you for all the great answers (below in the comments).

R1, using a next hop of in its static route, will include that same address in the LSA as the forwarding address (FA). Among the requirements that make this possible, the one we are going to focus on here is that this next hop is in the same IP subnet as an OSPF-enabled interface (Lo0) on R1: (R1) and (next-hop address, owned by R3).

[Screenshot: R1's external LSA carrying the next hop as the forwarding address]

If we use a next hop that isn't in the same IP subnet as an OSPF interface on R1, the LSA will not carry the next hop as its forwarding address, which causes R2 to treat R1 itself as the next hop, and the route fails to work. We could also cause the to show up by changing the OSPF network type of R1's Loopback0 to point-to-point, by leaving Loopback0 out of the OSPF network statement, or by making Loopback0 a passive interface for OSPF (take your pick). :)

[Screenshot: R1's external LSA forwarding address after the change]
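As an added illustration (not part of the original post, and using constructed addresses because the post's own addresses are not reproduced here), the following Python model captures the two rules described above: how the ASBR (R1) decides whether the redistributed route's next hop goes into the Type-5 LSA as the forwarding address, and how the receiving router (R2) acts on a zero versus a non-zero forwarding address. The interface names, subnets and R2's route table are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, Optional

ZERO_FA = IPv4Address("0.0.0.0")
NO_FA_NETWORK_TYPES = ("point-to-point", "point-to-multipoint")

@dataclass
class OspfInterface:
    name: str
    network: IPv4Network            # subnet the interface lives in
    ospf_enabled: bool = True       # covered by an OSPF `network` statement
    passive: bool = False           # `passive-interface` configured
    network_type: str = "broadcast"

def select_forwarding_address(next_hop,
                              interfaces: Iterable[OspfInterface]) -> IPv4Address:
    """ASBR side (R1): choose the FA for the Type-5 LSA of a redistributed route.
    The route's next hop becomes the FA only when it lies in the subnet of an
    interface that is OSPF-enabled, not passive, and not of a point-to-point or
    point-to-multipoint network type; otherwise the FA is 0.0.0.0."""
    next_hop = IPv4Address(next_hop)
    for intf in interfaces:
        if (next_hop in intf.network and intf.ospf_enabled and not intf.passive
                and intf.network_type not in NO_FA_NETWORK_TYPES):
            return next_hop
    return ZERO_FA

def resolve_external(fa, asbr: str,
                     ospf_routes: Dict[IPv4Network, str]) -> Optional[str]:
    """Receiver side (R2): decide which router gets traffic for the external prefix.
    FA 0.0.0.0 means "hand it to the ASBR". A non-zero FA must be covered by an
    intra- or inter-area OSPF route (longest match) and traffic follows that
    route's next hop. Returns None when no such route exists (route unusable)."""
    fa = IPv4Address(fa)
    if fa == ZERO_FA:
        return asbr
    matches = [(p.prefixlen, via) for p, via in ospf_routes.items() if fa in p]
    return max(matches)[1] if matches else None

# Constructed topology (the post's real addresses are not given): R1's Lo0 is in
# 10.1.13.0/24, the same subnet as R3's 10.1.13.3; R1 faces R2 on 10.1.12.0/24.
R1_INTERFACES = [
    OspfInterface("Fa0/0", IPv4Network("10.1.12.0/24")),
    OspfInterface("Lo0", IPv4Network("10.1.13.0/24"), network_type="loopback"),
]
R2_OSPF_ROUTES = {                       # R2's intra-area routes (constructed)
    IPv4Network("10.1.12.0/24"): "R1",
    IPv4Network("10.1.13.1/32"): "R1",   # R1's Lo0 host route
    IPv4Network("10.1.13.0/24"): "R3",
}

if __name__ == "__main__":
    for hop in ("10.1.13.3", "192.168.99.3"):
        fa = select_forwarding_address(hop, R1_INTERFACES)
        print(f"next hop {hop}: FA={fa} -> R2 forwards to {resolve_external(fa, 'R1', R2_OSPF_ROUTES)}")
```

Running it shows the two outcomes from the post side by side: a next hop inside Lo0's subnet is carried as the FA and R2 forwards straight to R3, while any other next hop yields an FA of 0.0.0.0 and R2 forwards to R1.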

Again, thanks to all for the EXCELLENT answers and insights.

You rock!


Hi Everyone,

Yesterday we posted another VOL2 lab to all subscribed members' accounts. The lab is a full-scale 8-hour mock exam aimed at preparing you for the real CCIE Security exam. The updated material covers the following new features found in the CCIE Security v3.0 blueprint: IPsec VTI (Virtual Tunnel Interface), CBAC enhancements (found in IOS 12.4), NVI (NAT Virtual Interface), GET VPN (Group Encrypted Transport VPN), Control Plane Protection (an enhancement to Control Plane Policing) and SNMPv3 (the secure form of SNMP). And of course, more updates for IEWB-SC VOL1 and VOL2 are coming this month!

Happy studying!


Hi everyone,

As promised, the updated Security VOL2 Lab 1 has been posted to all subscribed members' accounts. The new lab features a completely new diagram (I hope you guys like it ;) and significant updates to its contents. Alongside removing the PIX and VPN3k sections, we've added tasks covering topics such as IPsec VTI, Zone-Based Firewall, IPS virtual sensors/VLAN groups, ASA reliable static routes, 802.1x authorization and a few more goodies. The updated content should be less "crazy hard" than its v3.0 predecessor and better mimic the difficulty of the real exam. Still, it was designed to be *harder* than the real thing, just to make sure you don't relax too much and let your guard down ;) Anyway, enjoy the first update in the series! We plan to post updates periodically and finish the whole process in June.

For those CCIE-RS folks waiting for the BGP section to be posted: our apologies for the delay; we're working to get it done ASAP. The section turned out to be bigger than we estimated, and it may take an extra week to finish. We'll try to make an interim update by the end of this week, covering at least some of the BGP section tasks. Thank you for your patience!


Labs 4 and 5 of the CCIE Routing & Switching Lab Workbook Volume 2 Version 5.0 are now posted on the members site. More labs in this series will be posted shortly, along with more updates to Volume 1.

Happy Labbing!


Lab 3 of our CCIE Routing & Switching Lab Workbook Volume 2 Version 5.0 is now posted on the members site. A Lab Meet-Up for this scenario is scheduled today at 10:00 Pacific time (GMT -8). The Class-on-Demand version will be posted shortly afterwards. More labs in this series will begin posting next week, which will give people more time to actually configure the scenarios before attending the Lab Meet-Ups.

Also, Lab Meet-Ups will resume running on a weekly basis (starting today). More detailed scheduling information will be available shortly. Hope to see you there!


Hi everyone,

Recently, a number of changes have been made to our IEWB-VO VOL1 and VOL2 products. Specifically, all the tasks have been verified, some bugs fixed, and more breakdowns and comments added. Currently, there are 63 technology-focused mini-scenarios and 7 completely independent full-scale mock labs available.

We're working on making VOL1 (the mini labs) more informative by expanding the breakdowns and incorporating screenshots in addition to detailed descriptions of the configuration steps. The next step is to add extra labs covering the new v3.0 voice lab content. For more information on the IEWB-VO products, please refer to:


Happy labbing!


In this post we will give a brief overview of the upgrade path from the CCIE Security v2.0 blueprint to v3.0. First of all, let's start with the good news for everyone who was preparing using the old blueprint: most of the things you have learned are incorporated smoothly into the new blueprint. Basically, the only thing to forget is your VPN3k configuration skills :) Everything else either remains the same or receives an "incremental update", like LAN-to-LAN VPNs with IPsec VTI interfaces. Let's quickly review the changes made to the hardware and how they could potentially affect you.

  • Removal of the PIX and VPN3k devices, which is natural as both are EOL and EOS. Therefore, forget all about the VPN3k menu system and enjoy the simpler topology without the PIX ;) However, for some people, getting a PIX is more affordable than getting an ASA. In that case, remember that the latest software release supported by the PIX is 8.0(4) (not 8.1) and that you cannot configure SSL VPN on a PIX. Still, you can practice almost 90% of all the firewall features using the PIX.
  • The change from the Catalyst 3550 to the 3560 models. From the security features standpoint, nothing has seriously changed. You can even continue using the older 3550 model, as they are probably cheaper to get nowadays.
  • The much-awaited upgrade from IOS 12.2T to IOS 12.4T. First of all, this might require a change in the hardware platforms you are using. If you were using non-ISR or non-2600XM routers, you will need to move to at least a 2600XM with full flash/RAM (to run the Advanced Security feature set) or the 1841 ISRs. Note that with Dynamips you can play with all 12.4T features without getting your hands on any real gear. Secondly, 12.4T introduces a ton of new features compared to the dusty 12.2T. However, it's not as scary as it might look. Most of the new security features relate to IOS PKI, some AAA enhancements, a bunch of advanced VPN topics and infrastructure security. Probably the most notable features are VPN/firewall related: IPsec VTI, WebVPN/SSL VPN support in IOS, DMVPN Phase 3, GET VPN; Zone-Based and Transparent Firewall, CBAC enhancements. Later in this document we will see those features detailed in the upgrade list of the new SC VOL1 labs.
  • ASA software upgrade from 7.x to 8.x. While this is a major version jump, it does not imply as huge a change in the CLI as the upgrade from 6.x to 7.x did. There is quite a bunch of new features in the 8.x code (you will see the list later), but most of them are minor. Most likely you will enjoy things like Dynamic Access Policies, LDAP Authentication and Authorization, Secure Desktop enhancements, EIGRP support (who needs that? :), Transparent Firewall NAT and Traffic Shaping. However, if you are solid with the 7.x code, you won't face big problems mastering the new topics.
  • IPS software upgrade from 5.1 to 6.1 and the platform change to the 4240. The catch here is that IPS v6.1 does not support many older IDS/IPS appliances, such as the 4215 or 4235, and getting a 4240 might be expensive. However, there is still some good news. The CLI has not changed as much as it did with the 4.x to 5.1 upgrade, and all your 5.1 knowledge remains valid and up to date. The most notable new features are Virtual Sensors, Anomaly Detection, Threat Rating and the new IPS Manager Express. If you are OK with doing all your configuration via the CLI, you can stick with IPS v6.0, which you can run on the older platforms (4215, 4235), as there are just minor differences between 6.0 and 6.1 (mostly related to IPS Manager Express). Probably the best news is that the old 4215 platform can be successfully emulated in VMware.

Now, let's look at the v2.0 to v3.0 upgrade path that you can take with our products. Below is the list of the VOL1 technology labs. You can see the outdated topics being deleted and the new topics (which are being developed) highlighted. Naturally, many older labs remain perfectly valid for the new track, and you can continue practicing them while waiting for the upgrade to be released. We also decided to keep the NAC labs, even though NAC is not on the current blueprint, mostly because they give you a perfect scenario for advanced ACS configuration. Of course, if you own our current v2.0 products, you will receive the v3.0 updates free of charge.



VLANs and IP Addressing
Configuring and Authenticating RIP
Configuring and Authenticating OSPF
Configuring EIGRP Support
Redistribution, Summarization and Route Filtering


Common Configuration
Filtering with IP Access Lists
Using Object Groups
Administrative Access Management
ICMP Traffic Management
Configuring Filtering Services


Dynamic NAT and PAT
Static NAT and PAT
Dynamic Policy NAT
Static Policy NAT and PAT
Identity NAT and NAT Exemption
Outside Dynamic NAT
DNS Doctoring with Alias
DNS Doctoring with Static
Same Security Traffic and NAT
Transparent Firewall NAT


Firewall Contexts Configuration
Administrative Context and Resource Management
Active/Standby Stateful Failover with Failover Interface
Active Stateful Failover with Failover Interface
Monitoring Interfaces with Active/Active Failover
Filtering with L2 Transparent Firewall
ARP Inspection with Transparent Firewall
Filtering Non-IP Traffic with L2 Transparent FW
Handling Fragmented Traffic
Handling Some Application Issues
BGP Through the PIX/ASA Firewall
Multicast Routing across the PIX/ASA
System Monitoring
DHCP Server
Standby Interfaces
ASA Local CA
Cisco Secure Desktop
VLAN Support for RA VPN
Inspection for Web/SSL VPN Traffic
Enhanced Service Object Groups
Enhanced ASA protection (Threat Detection)
Persistent IPsec Tunneled Flows


HTTP Inspection with MPF
Advanced FTP Inspection
Advanced ESMTP Inspection
Authenticating BGP Session Through the Firewall
Implementing Traffic Policing
Implementing Traffic Shaping
Implementing Low Latency Queueing
TCP Normalization
Enhanced TCP Normalization
Management Traffic and MPF
ICMP Inspection Engine



IOS Router and the PIX/ASA
IOS Router and VPN3k


IOS and the PIX/ASA with PSK
IOS and the PIX/ASA with PSK and NAT on the Firewall
IOS and the PIX/ASA with Digital Certificates
IOS and the PIX/ASA: Matching Name in Certificate
IOS and IOS with PSK Across the PIX/ASA
IOS and IOS with PSK Across the PIX/ASA and NAT
IOS and IOS with PSK Across the PIX/ASA with Overlapping Subnets
IOS and IOS with PSK Across the PIX/ASA and NAT with IKE AM
IOS and IOS with Digital Certificates Across the PIX/ASA
IOS and VPN3k with PSK
IOS and VPN3k with PSK using CLI only
IOS and VPN3k with Digital Certificates
IOS and VPN3k with PSK: Tuning IPsec Parameters
IOS and VPN3k: Filtering Tunneled Traffic


GRE Tunnels over IPsec with Static Crypto Maps
GRE Tunnels over IPsec with Crypto Profiles
IPsec VPN Enhancements: VTI Support
IPsec VPN Enhancements: Encrypted PSK
IOS CA: Subordinate/RA Mode IOS Certificate Server (CS) Rollover
IOS CA: Key Rollover for Certificate Renewal
Certificate ACLs
Dynamic Access Policies


VPN3k and Cisco VPN Client
VPN3k and Cisco VPN Client with Split-Tunneling
VPN3k and Cisco VPN Client with Hold-Down Route
VPN3k and Cisco VPN Client with RRI
VPN3k and Cisco VPN Client with DHCP Server
VPN3k and Cisco VPN Client with RADIUS Authentication
VPN3k and Cisco VPN Client with External Group
VPN3k and Cisco VPN Client with Digital Certificates
VPN3k and IOS ezVPN Remote Client Mode with Split-Tunneling
VPN3k and IOS ezVPN Remote NW Extension Mode with RRI
IOS and IOS ezVPN Remote Client Mode with Xauth/RRI
IOS and IOS ezVPN Remote NW Extension Mode with Xauth/RRI
PIX/ASA and Cisco VPN Client with Split-Tunneling/Xauth/RRI
PIX/ASA and Cisco VPN Client with External Policy
PIX/ASA and Cisco VPN Client with RADIUS
PIX/ASA and Cisco VPN Client with Digital Certificates
The PIX/ASA and IOS ezVPN Remote NW Extension Mode
ezVPN Enhancements: Multiple Inside/Outside Interfaces
ezVPN Enhancements: Proxy DNS
ezVPN Enhancements: Peer Hostname
ezVPN Enhancements: VTI Support
ezVPN Enhancements: DPD Enhancements


ASA and WebVPN Client
ASA and WebVPN Port Forwarding
ASA and SSL VPN Client
AnyConnect VPN in IOS
AnyConnect VPN in ASA
WebVPN Configuration in IOS
VPN3k and WebVPN Client
VPN3k and WebVPN Port Forwarding


IOS and the PIX/ASA: Policing the L2L IPsec tunnel
IOS and VPN3k: QoS for L2L Tunnel
PIX/ASA and Cisco VPN Client: Per-Flow Policing
QoS Pre-Classify for IPsec Tunnel


Decoding IPsec Debugging Output on VPN3k
IPsec and Fragmentation Issues
ISAKMP Pre-Shared Keys via AAA
IPsec NAT-T: L2L Tunnel with VPN3k and IOS Box
IKE Tunnel Endpoint Discovery (TED)
IPsec VPN High-Availability with HSRP
IPsec High Availability with NAT and HSRP
IPsec Pass-Through Inspection on the PIX/ASA
L2TP over IPsec between the ASA and Windows 2000 PC
VPN3k and PPTP Client
Using ISAKMP Profiles
Group Encrypted Transport (GET) VPN
Advanced DMVPN
DMVPN Phase 3
ASA Persistent IPsec Tunneled Flows


Common Configuration
Basic Access-Lists
Reflexive Access-Lists
Dynamic Access-Lists
Stateful Inspection with CBAC
CBAC Port-to-Application Mapping
Preventing DoS Attacks with CBAC
CBAC Performance Tuning
Authentication Proxy with RADIUS
Content Filtering with IOS Firewall
IOS Zone-Based Firewalls
ACL IP Option Selective Drop
IOS L2 Transparent Firewall
CBAC Enhancements (e.g. Self-traffic inspection)
Application Firewall (HTTP Inspection, HTTP Applications, Instant Messaging)
Flexible Packet Matching


Using RADIUS/TACACS+ for telnet Authentication
Using RADIUS/TACACS+ for Exec Authorization
TACACS+ for Command Authorization
TACACS+ Command Accounting
Service Authorization with TACACS+
Using LDAP for Authentication and Authorization
VPN AAA Authentication and Authorization
Using IOS Local AAA
Switchport Authorization with 802.1x
Using ACS RADIUS Profiles
Certificate-Based Authentication


ACS Setup for NAC
NAC L3 IP With the ASA and Cisco VPN Client
NAC L3 IP with VPN3k and Cisco VPN Client



IPS Initial Setup
Configuring Inline VLAN Pair
Promiscuous Mode Monitoring with RSPAN
Monitoring IPS with IPS Event Viewer


Configuring Event Summarization
Creating Custom Signature
Event Counting
Inline Blocking
Event Action Override
Event Action Filtering
IPS Network Access Control (Shunning)
Rate Limiting with IPS


Virtual Sensors
Sensor Password Recovery
Anomaly Detection
TCP Session Tracking Modes
Threat Rating
Sensor Configuration via IME



Mitigating ARP Spoofing Attack with PIX/ASA
Mitigating DHCP Attacks with DHCP Snooping
Mitigating ARP Attacks in DHCP Environment
Mitigating MAC/IP Spoofing in DHCP Environment
Protecting Spanning-Tree Protocol
Protecting Against Broadcast Storms
Mitigating VLAN Hopping Attacks
Protecting Against Network Mapping
Blackhole Routing using PBR
Intrusion Prevention with PIX/ASA
Mitigating Malicious IP Options Attack
Protecting Against MitM attacks

The VOL2 upgrade will take place in parallel with the VOL1 updates. What you should expect is removal of the VPN3k and (probably) the PIX, and changes to approximately 30% of the material. Many of the existing v2.0 tasks will remain the same, so you can practice the existing material, ignoring anything related to the VPN3k (but not the PIX, as many of the PIX features remain unmodified in the new blueprint).

Good luck with your studies!

Further Reading:
CCIE Security Lab Expanded Blueprint


IEWB-RS Volume 2 Version 5 Lab 2 is now available for download on the members site. The solutions will be posted tomorrow morning. I hope to see you all at the lab meetup tomorrow to discuss the scenario.

Happy Labbing!

Update: The lab document and solutions have been updated and are now available on the members site. The lab meetup CoD will be posted tomorrow.


Labs 1 and 10 of the new CCIE Routing & Switching Lab Workbook Volume 2 Version 5 (IEWB-RS) are now available on the members site. All users with an active subscription to version 4.1 should automatically see the R&S Lab Workbook Volume II Version 5.0 Beta link when they log in. The lab meetup for lab 10 is scheduled for 9am Pacific time this Thursday.

Hope to see you there!


The new CCIE R&S Lab Workbook Volume 2 Version 5 Lab 1 is now available. Click here to download it. Also, the first of our new CCIE R&S Lab Meet-Up Series, starting today at 9:30am Pacific time, is open to all users. Simply follow this link to join: If you are planning on attending, I would highly recommend printing out the lab and its diagram before we start, as the majority of the class will be held on the command line.

The schedule of following lab meet-ups will be posted shortly, as well as a projected timeline for the release of the rest of the volume 2 version 5 labs.

Hope to see you in class!
