Stay tuned for more!

Required Passing Score: 790

Time Allotted: 2 hours

Question Types: Single Response-Multiple Choice, Multiple Response-Multiple Choice, Drag and Drop, Scenario (Flash Based)

Overall Level of Difficulty: Easy

Exam Sections:

• Evaluate proposed changes to a network
• Implement Layer 2 technologies
• Implement Layer 3 Technologies
• Implement IP Multicast
• Implement Advanced Services
• Troubleshoot a Network
• Optimize the Network

Overview:

Compared to the previous versions of this exam, Cisco has solved one of the major issues with it – time. The previous version featured 105 questions that were to be solved in 2 hours. This was absurdly difficult. Knowing the material as well as I do, I had about 4 minutes to spare in one of my visits to the old exam.

Notice the new exam allows students to breathe a bit as they are sitting the exam. I did not find time to be nearly as much of a pressure with this exam. I completed all questions in 1 hour and 10 minutes. I believe that most students will have no problems finishing the exam in 1 hour and a half.

In addition to the shorter length, I found there were many more questions of CCNA-level and CCNP-level in this exam compared to past exams. Now of course, there are still a fair share of really tough CCIE-level questions, so you actually feel a bit off-balance taking the exam. When you click next, you just never know what you are going to get.

Also, as advertised, there is no longer a BACK button. Be real sure of your answer before you click NEXT. Twice I realized I answered something wrong once it was too late. Remember, time should not be an issue now, so avoid the typical response of rushing. Incidentally, one reason Cisco is not allowing the BACK button any longer is that it would make the exam MUCH easier. Several times I learned of a correct response from a later question but I was prohibited from going back and changing my initial reponse.

What I Loved:

• Shorter exam
• Troubleshooting questions

What I Disliked:

• Exhibits that were completely illegible
• Only one new Scenario style question in my exam
• Over-emphasis in certain areas, with no coverage, or limited coverage, of other areas

Topic Domains Most Emphasized (In My Question Pool):

• OSPF and EIGRP for IPv6
• IP SLA
• Layer 2 Troubleshooting
• Layer 3 Troubleshooting
• QoS
• PIM Sparse Mode
• MPLS
• Services

As you know, updates have begun to our top-rated CCIE Written R&S Bootcamp product. I am creating the new lessons in an order that reflects exam emphasis. I am also adding a second Practice Exam to the course. It will be available (In Progress) tomorrow, so you do not need to wait to try your skills on new questions immediately.

Module 1 Lesson 1 Advanced Switching Technology

Module 1 Lesson 2 VLANs

Module 1 Lesson 3 VLAN Configuration

Module 1 Lesson 4 VLAN Trunking

Module 1 Lesson 5 VTP

Module 1 Lesson 6 RSTP

I have listened to your feedback as I create these new lessons. As such, they include:

• Much more detail for each new topic.
• More Core Knowledge questions based on each topic (these Core Knowledge questions are unique – they appear in no other INE products).
• More simulated exam questions.

I have started the updates with a new QoS topic for the exam – Auto QoS. Enjoy. You will find the new lesson is automatically added to your Member’s area for the course. Just scroll down to the new section called Version 4.X Updates.

1. Limited time – can’t go through all the labs.
2. Memorization issues, tendency to forget things learned earlier.
3. Time planning problems, cannot allocate time properly between the workbook sections to get the most use of it.

Resolving these issues is the best way of improving VOL1 effectiveness. Let’s see the ways to address the outlined issues.

Basic Planning

Start by figuring out how many hours you may spend practicing mini-labs. Normally, this should be around 60-70% of the total time you have allotted to prepare to the CCIE lab exam. Let’s say you have 6 months before your lab date. It’s about 180 days, so you can spend 60%*180=108 days on mini-labs. Now estimate the time you can spend a day preparing for your CCIE – let’s say it’s 2 hours in average (e.g. 1 hour today, 3 hours tomorrow, or just 2 hours every day). Take a realistic number, accounting for the time you need to spend on your job, family, etc. Now find the resulting amount of hours that you may spend on VOL1: 108*2=216 hours. Finally, gauge the time you need to complete a single VOL1 lab. Some of VOL1 labs might be harder than another, so try figuring an average number. Let’s say it’s about 40 minutes, where 30 minutes you spend actually working on the lab and 10 minutes repeating the information you have just learned. Based on the total amount of hours you have for VOL1 and the average time per lab you may find the approximate number of mini-labs that you may cover; using the example from above, it’s going to be 216/(4/6)=324. This number is significantly lower than the amount of scenarios in VOL1. So how should you divide your efforts among different sections of VOL1 to obtain maximum efficiency?

Allocating the time between VOL1 sections properly

In the previous blog post, an approach based on the utility function has been suggested. However, after some modeling I decided to revert back to a simpler approach, based on the concept of max min fairness. The reason is a well-known utilitarian paradox, which I yet need to address properly

So what about this max-min fairness thing? You may already have known of it, if you studied QoS and resource sharing. In fact, this is an approach used to implement Fair Queueing – maximizing the “throughput” for the minimally demanding “flow”. In our scenario, a “flow” is a section, and “demand” is the amount of tasks you need to complete from this section. We implement section weighting, so that some topics are considered more important as another. In short, here is how the max/min fair approach works:

1. Assume there are N sections, with the weights a1, a2,… aN and the amount of tasks T1,…,TN in respective sections.
2. Suppose you may only complete M tasks, where M < T1+T2+…TN.
3. Initially, we allocate the time between sections based on the formula: Xj=aj/(a1+a2+…aN)*M. This means that every section gets “fair” amount of resource, proportional to its weight.
4. For every section that gets more than it needs, i.e. Xj > Tj, take the amount Xj-Tj and allocate is based on the weights a1, a2…aN as in step (2) among all remaining sections that still need the resource.
5. Repeat the loop to (4) checking for the sections that got more than they needed and re-allocating this amount again.

This iterative algorithm could be quickly implemented using an Excel spreadsheet. Here is a simple spreadsheet with some of the basic constants (e.g. number of tasks per section) configured for you. All you need to enter is the following:

a) Total amount of hours you are going to spend on the workbook
b) Average amount of time per lab. This may change with your progress, so you may want to get back to the spreadsheet and edit some values.
c) The number of labs that you have already completed for every section. Like with (b), you may return to the spreadsheet and re-calculate the time allocation. Make sure you set these to zeroes if you truly dont know much about the technologies covered in the respective section.

Notice that the spreadsheet only performs two iterations of the weighted fair sharing algorithm, which should be enough in most cases, but may yield slightly inaccurate results in some situations. Also, pay attention to the “Weights” column. This is where you specify the relative “importance” of every section. In short, the idea is to prefer the core topics to non-core, thus allocating more time to spend on those. If you feel like you know what you’re doing, you may play with the weights. Just keep in minds that only their relative values do matter, i.e. 10 20 30 would yield the same weighting as 1:2:3.

Not just Learning, but Memorizing

We’ve been talking about memorization before in this blog post. One answer to better memorization was the process of optimally spaced repetitions. But those might look complicated if you follow any of the special algorithms. Is there a small and simple set of instructions that one can follow to improve the memorization process without the need of any software? In fact, there is. Here are the rules:

1. Perform the first repetition immediately after you finished a set of mini-labs. What do we mean by a repetition? Typically, it’s a condensed review of the material you have just been working with. Read over the breakdowns; re-type the major commands in the notepad. Do not spend too much time reviewing and repeating, it should be kept up to 10% of the time you typically spend labbing up the scenarios. (e.g. if you spend 30 minutes on a mini-lab, allocate approximately 10 minutes to a single lab repetition).
2. Take a 20 minutes break from studying; you may spend the break reading over and analyzing the tomorrow’s set of mini-labs, or just taking a cup of coffee or green tea. Both drinks contain caffeine, which in small amounts improve concentration and memorization processes.
3. When you done with the labs for the day, schedule another repetition 8 hours after your initial repetition. Based on this 8-hour interval, it may be best to practice in the morning (so you may take a repetition in the evening) or in the evening, right before you go to sleep (so you may repeat everything early next morning). During that repetition, review the material for all mini-labs you practiced today. For example if you were doing 3 mini-labs it may take about 30 minutes to perform complete review.
4. Schedule the last repetition of the today’s labst by 24 hours in the future counting from the initial (Step 1) repetition (e.g. tomorrow’s morning if you were practicing in the morning). Mark this on your calendar or any personal time-management tool. This is going to be the last review for the series of the mini-labs you have done today. Again, it should take no longer than 10-15% of the time you spend practicing the scenarios initially.

This repetition procedure adds over 30% overhead to your “bare” study time (you need to repeat the material 3 times during the first day). This is a significant increase in time, and you may want to account for it when calculating the average time to complete a single mini-lab and planning your time budget as shown previously.

How do I prioritize labs within VOL1 sections?

Like we said before, sections are weighted based on their relative importance. Core topics require more attention than non-core. What about the tasks within a single section? Typically, the workflow for VOL1 is linear: every next lab requires previous scenarios as “pre-configuration”; however, major “chains” are independent, and you may see the workbook asking you to perform configuration resets between the sub-sections. Commonly, more advanced scenarios follow the basic ones, so you progress naturally by doing them in sequence. However, in situations when you don’t have enough time, you may want to focus on the scenarios you are most unfamiliar with and skip some basic stuff.

In addition to this, some sections, especially the non-core ones (e.g. QoS or IP Services), may not follow the linear logical structure perfectly. For example, if you take “IP Services” you may see scenarios being grouped by technology: e.g. DHCP, NAT, WCCP and so on. For the QoS, you may group scenarios in sub-sections such as MQC, Catalyst QoS, Legacy FRTS and so on. In this case, you may want to apply the same fair scheduling logic to these sections. In the same XLS file we referred to before, there is an additional sheet (named “QoS”) to help you splitting the time “inside” a large, non-linear section. I’m planning to add similar breakdowns to other “non-linear” sections, such as “IP Services”, “System Management” and “Security”. Here is a sample screenshot of this page:

It works in the same way as the main planning page. However, you don’t have to edit the total amount of labs for the QoS section – it is copied from the previous sheet. You may only want to edit the “Labs Completed” column, to reflect the amount of scenarios you came through already.

Summary

The above-described techniques should help you get more organized and proactive with your time management as well as improve content retention. Keep in mind those are just tools, and it’s up to you to do all work! And stay tuned for more updates to the XLS file and the methodology. Following our Tier-based logical approach, the next step after VOL1 should be IEWB-RS VOL2 full-scale labs practicing, which is to be covered next.

Here are the links for all the posts in the series:

IPv6 Transition Mechanisms Part 1: Manual Tunnels

IPv6 Transition Mechanisms Part 2: GRE/IPv4 Tunnels

IPv6 Transition Mechanisms Part 3: 6to4 Tunnels

IPv6 Transition Mechanisms Part 4: ISATAP Tunnels

IPv6 Transition Mechanisms Part 5: NAT-PT

Remember, when you are ready to test your Tier 2 and Tier 3 knowledge of these important topics, be sure to check out our many CCIE R&S products. If you have any questions about which product would be perfect for you, contact one of our Customer Success Managers.

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is most recently specified in RFC 5214. Notice the topology below that we will use to detail the workings of this transition approach. This internal network has RouterB in place that is not IPv6 capable . ISATAP provides a solution for the hosts behind this device! Dynamic tunneling will be done from these hosts to the ISATAP router (RouterA). Obviously, your job in the CCIE R&S Lab Exam might be to configure or troubleshoot this important device.

Here is how ISATAP actually works. The networks DNS server is updated with a well-known name entry of “ISATAP” that resolves to the IPv4 address used in the tunnel on the ISATAP router (RouterA). HostA initializes and notes that it has been configured with ISATAP capabilities for IPv6. HostA then sends a request to the DNS server for the address associated with “ISATAP”. DNS responds with the IPv4 address of the ISATAP router. HostA tunnels a router discovery packet (using an IPv6-in-IPv4 encapsulation approach) and sends this packet to the ISATAP router. RouterA responds with a router advertisement that includes the IPv6 prefix the host (HostA) should use. HostA takes this prefix and automatically constructs its own unique IPv6 address. It uses a reserved identifier for ISATAP (0:5efe) and its own IPv4 address to do this. Now the host is fully able to communicate beyond its local network using IPv6 and ISATAP.

One of the exciting things about the ISATAP soltuion is the fact that HostA will automatically transition to native IPv6 communications once the network is upgraded (in our case, once RouterB is replaced or upgraded). The minute HostA begins receiving unsolicited, native router advertisements, it ignores its ISATAP capabilities.

The configuration of the ISATAP router is very simple. Here is an example:

RouterA:
configure terminal
!
interface Tunnel 0
ip address 2001:80f0:4:300::/64 eui-64
no ipv6 nd suppress-ra
tunnel source 172.16.1.20
tunnel mode ipv6ip isatap

The prefix assigned to the tunnel interface is the prefix that will be assigned to hosts. Notice the no ipv6 nd suppress-ra command is required to ensure that router advertisements are sent over the tunnel to hosts. By default, these messages are not used on tunnel interfaces.

After setting the tunnel mode, your tunnel interface should launch. To verify that your tunnel has been assigned the appropriate ISATAP IPv6 address space, you can use show ipv6 interface brief as follows:

RouterA#show ipv6 interface brief
FastEthernet0/0            [up/up]
FastEthernet0/1            [administratively down/down]
Tunnel0                    [up/up]
 FE80::5EFE:AC10:114
 2001:80F0:4:300:0:5EFE:AC10:114

Awesome! We will investigate another transition option in the next part of this series. Thanks for tuning in! If you want more training targeted at this subject, check out any workbook practice, while Tier 3 would be Poly-labs or Graded Mock Labs.

Before we do any more technical posting, here is a list of the lucky folks (well, some of them), who got their CCIE numbers recently! Those must be the last ones who have taken the “old” CCIE blueprint. Let’s hope the new lab blueprint will not be a problem for those of you who are still preparing. It’s our mission to make sure it is not! Now for the list and the success stories!

PS
tough week, been testing and releasing the new updated mock labs!. Now working on the detailed usage guide for IEWB-RS VOL1, to allow people get the most use of their limited study time!

• Martin Hogan, CCIE #25636 (R&S)
• Ricard Badia, CCIE #25480 (R&S)
• David Bluett, CCIE #25437 (R&S)
• Kevin Kilpatrick, CCIE #25105 (R&S)
• Wouter Prins, CCIE #25628 (R&S)
• Nora Prommahachai, CCIE #25554 (R&S)
• Anantha Subramanian Natarajan, CCIE #25652
• Cassio Gomes, 2xCCIE #13900 (R&S/SP)
• Chris Jones, CCIE #25655 (R&S)

=====================

Hey All,

I actually got the news less then 3 hours after my lab last Thursday, but
the celebration was ongoing

GS is a pretty cool resource, Darby and Nimmers from here helped me out with
a book list for final OEQ / LAB preparation and cheers to the people who
helped me out with the odd question I posted.

Like a lot of people I was fairly overwhelmed originally with Internetwork
Experts 5.0 Volume I workbooks but I worked on through it all (QOS broke my
brain, but im glad I covered it in that detail) and then reviewed when
required after seeing the scenario in a slightly different way which didn’t
make sense or I got the scenario incorrect(or different) in their Volume II
books.

Going through the Volume I workbook, reading about each of the variations
and the core technologies in the book and then on the DOCCD was a great
help.

The extra info I got on here and on IEOC (and via the Mock Labs – if you
were thinking of doing these but aren’t sure if they are worth it, do it)
from the entire INE crew was absolutely incredible, Larry Hadrava, Anthony
Sequeira, Scott Morris (Online community participation), Petr Lapukhov
(Brain busting blog posts) and the Brians (COD videos) really gave me the
extra detail and info required to understand each technology down to the
expert level.

The lab proctor Scott was a really funny guy, was there all day to answer
questions (questions about the questions, not the answer), tell some funny
stories at lunch and before the lab, I was pretty laid back and relaxed for
the day, in part because of the atmosphere that he helped to create.

Thanks to all people who take the time to post up informative and on-topic
posts and _massive_ thanks to the Internetwork Expert guys for the
incredible quality materials and the community participation.

Cheers
Martin Hogan, CCIE# 25636

================

I wanted to thank Brian McGahan for sharing with us at the
bootcamp so many tips and for explaining very well the technologies
for RS. I also watched the Adv. Tech VoDs (invaluable), did 15 Labs,
3 mock labs and the Core knowledge Sim questions. I was fortunate to
pass the lab on the first attempt, thanks to all the great info from
your products and the labs. I will definitely be using your products
again for the next CCIE.

Ricard Badia CCIE RS #25480

====================

Hi Internetworkexpert,

I’d like to let you know I passed my CCIE Routing and switching exam
on the 16th of September 2009.

My study materials included your DVD Class on Demand, and 3
workbooks. Without these materials preparation for the lab would have
been far more difficult.

Thank you for your excellent products.

David Bluett CCIE #25437

======================

I passed my CCIE R&S on the first try. I took the test because it was
my last chance before the new version of the lab came out. I really
did not think I was ready for the lab yet. However, I still passed.
The ATC course and the Mock Labs definitely prepared me for the
test.

Thank you,
Kevin Kilpatrick CCIE #25105

=================

Hi all,

Finally its my turn!!! #25628 !!! What a relief! My head was one big
protocol/timer bomb that was set to detinate today!

I would like to thank everyone on this list (especially the archives), my
girlfriend for her patience, the INE team, Christian Zengl (#19533) and
everyone else i’ve been in contact with during this journey!

I’ve been using quite some materials and resources, the most ones used are:

- INE WB vol 1, 2 and 3
- Mocklabs from INE
- ASET Labs from Cisco
- Cisco Press Books (a lot of them!! CCNP and CCIP track)
- Routing TCP/IP, Volumes 1 and 2 – The bible of networking
- Internet Routing Architectures – Sam Halabi
- CCIE Routing and Switching Exam Certification Guide
- Developing IP Multicast Networks
- Previous course materials from Foundry Networks and Extreme Networks
- Several blogs
- #cisco@freenode

And many more!!

I hope all other candidates from today in Brussels did well!
–
Wouter Prins
wp@null0.nl
wp@freenode

====================

Hi,

I passed the R&S lab in San Jose on Sep 25, 2009. Thank you to the excellent material, CCIE 2.0 from INE.

Nora Prommahachai CCIE #25554

====================

Hi INE Team,

I would like to thank you all from my bottom of the heart for
helping me out in getting the CCIE.The course content were awesome
and the bootcamps where to the point related to the Lab exam.

I would like to personally thank Brian’s,Anthony Sequeria,Stan
Yee(Sales),Marvin Greenle,Petr Laphukhov,Keith Barker and Scott
Morris.

Please keep up the great work in making many people CCIE.
Once again thank you.Looking for future associations with you all

Regards,
Anantha Subramanian Natarajan

==========================

I pass in the CCIE Service Provider LAB in the First attempt, it was
amazing.

I’d like to thank IE due its excellent material, team and all support.

Cassio Gomes, Double CCIE R&S / SP #13900

=====================

Hello!

I used your CCIE2.0 (End-to-End when I bought it) products to pass my CCIE R&S lab exam on the first attempt! I am now known as Chris Jones, CCIE# 25655 (R&S).

Special thanks to Anthony Sequeira for helping me on so many levels!

- Chris aka IPv6Freely

–
Chris Jones, CCIE# 25655 (R&S)

Eagerly, Bob set up 4 routers to test DMVPN for dynamic GRE tunnels and GET VPN to provide the encryption services.

Bob’s heart beat a little faster as he thought about the layout of the test;  R1 would be the KEY, CA and NTP server. R2 would be the DMVPN hub with R3 and R4 being spokes.   From the GET VPN side of the house,  R2, R3 and R4 would all be GET VPN group members so no IPSec profiles would be required for the GRE interfaces.

Bob's test bed for DMVPN/GET VPN

Bob put the configuration he planned to use into his favorite configuration editor (notepad), and realized that when he eventually pastes this into the routers, he may have to intervene at times to supply manual input for certificate related tasks, and he was ok with that.  Bob also remembered that it is best to allow time to synchronize with peers when using digital certificates.

All the switchports used by R1-4 Fa0/0 were set up correctly as access-ports, and in the same VLAN.  Bob verified that  no L1 or L2 problems were standing between him and success.

In contrast to his anticipation of building the “perfect” new solution for his company, Bob had a sneaking suspicion that something in his proposed configuration wasn’t quite right, or maybe was missing something.  Below is the proposed configuration:

R1 Key, NTP and CA Server

enable
conf t
hostname R1
ip domain-name INE.com
no ip domain-lookup
line con 0
no exec-time
logging sync
privi level 15
exit
int fa 0/0
no shut
ip address 10.0.0.1 255.255.255.0
int loop 0
ip address 1.1.1.1 255.255.255.0
exit
ntp master 2
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
clock timezone PST -8
clock summer-time PDT recurring
crypto key generate rsa general-keys  modulus 1024
ip http server
crypto pki server R1-CA_Server
database url nvram:
database level minimum
grant auto
no shutdown
exit
crypto isakmp policy 1
auth rsa-sig
exit
crypto ipsec transform-set TSET esp-aes esp-sha
mode transport
exit
crypto ipsec profile GDOI-PROF
set transform-set TSET
exit
crypto gdoi group group1
identity number 1
server local
address ipv4 10.0.0.1
rekey authentication mypubkey rsa R1.INE.com
rekey transport unicast
sa ipsec 1
profile GDOI-PROF
match address ipv4 100
exit
exit
access-list 100 permit  gre  10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255

R2 DMVPN HUB

enable
conf t
hostname R2
ip domain-name INE.com
no ip domain-lookup
line con 0
no exec-time
logging sync
privi level 15
exit
int fa 0/0
no shut
ip address 10.0.0.2 255.255.255.0
int loop 0
ip address 2.2.2.2 255.255.255.0
exit
clock timezone PST -8
clock summer-time PDT recurring
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
ntp server 10.0.0.1 key 1
ip domain-name INE.com
crypto key generate rsa general-keys  modulus 1024
crypto isakmp policy 1
auth rsa-sig
exit
interface Tunnel0
bandwidth 1000
delay 1000
ip address 172.168.0.2 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 2210
ip nhrp holdtime 360
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
tunnel source Fa0/0
tunnel mode gre multipoint
tunnel key 6738
exit
router eigrp 1
network 172.16.0.0 0.0.255.255
network 2.2.2.2 0.0.0.0
no auto-summary
exit
crypto pki trustpoint R1-CA
enrollment url http://10.0.0.1:80
revocation-check none
exit
cry pki authenticate R1-CA
crypto pki enroll R1-CA
crypto gdoi group group1
identity number 1
server address ipv4 10.0.0.1
exit
crypto map map-group1 10 gdoi
set group group1
interface FastEthernet0/0
crypto map map-group1
end

R3 DMVPN Spoke

enable
conf t
hostname R3
ip domain-name INE.com
no ip domain-lookup
line con 0
no exec-time
logging sync
privi level 15
exit
int fa 0/0
no shut
ip address 10.0.0.3 255.255.255.0
int loop 0
ip address 3.3.3.3 255.255.255.0
exit
clock timezone PST -8
clock summer-time PDT recurring
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
ntp server 10.0.0.1 key 1
ip domain-name INE.com
crypto key generate rsa general-keys  modulus 1024
crypto isakmp policy 1
auth rsa-sig
exit
interface Tunnel0
bandwidth 1000
delay 1000
ip address 172.16.0.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast 10.0.0.2
ip nhrp map 10.0.0.2 172.16.0.2
ip nhrp network-id 2210
ip nhrp holdtime 360
ip nhrp nhs 172.16.0.2
ip tcp adjust-mss 1360
tunnel source FA0/0
tunnel mode gre multipoint
tunnel key 6783
exit
router eigrp 1
network 172.16.0.0 0.0.255.255
network 3.3.3.3 0.0.0.0
no auto-summary
exit
crypto pki trustpoint R1-CA
enrollment url http://10.0.0.1:80
revocation-check none
exit
cry pki authenticate R1-CA
crypto pki enroll R1-CA
crypto gdoi group group1
identity number 1
server address ipv4 10.0.0.1
exit
crypto map map-group1 10 gdoi
set group group1
interface FastEthernet0/0
crypto map map-group1
end

R4 Spoke

enable
conf t
hostname R4
ip domain-name INE.com
no ip domain-lookup
line con 0
no exec-time
logging sync
privi level 15
exit
int fa 0/0
no shut
ip address 10.0.0.4 255.255.255.0
int loop 0
ip address 4.4.4.4 255.255.255.0
exit
clock timezone PST -8
clock summer-time PDT recurring
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate
ntp server 10.0.0.1 key 1
ip domain-name INE.com
crypto key generate rsa general-keys  modulus 1024
crypto isakmp policy 1
auth rsa-sig
exit
interface Tunnel0
bandwidth 1000
delay 1000
ip address 172.16.0.4 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast 10.0.0.2
ip nhrp map 10.0.0.2 172.16.0.2
ip nhrp network-id 2210
ip nhrp holdtime 360
ip nhrp nhs 172.16.0.2
ip tcp adjust-mss 1360
tunnel source FA0/0
tunnel mode gre multipoint
tunnel key 6783
exit
router eigrp 1
network 172.16.0.0 0.0.255.255
network 4.4.4.4 0.0.0.0
no auto-summary
exit
crypto pki trustpoint R1-CA
enrollment url http://10.0.0.1:80
revocation-check none
exit
cry pki authenticate R1-CA
crypto pki enroll R1-CA
crypto gdoi group group1
identity number 1
server address ipv4 10.0.0.1
exit
crypto map map-group1 10 gdoi
set group group1
interface FastEthernet0/0
crypto map map-group1
end

Your mission, should you choose to accept it, (feel free to hum the tune of mission impossible), is to find the errors regarding this configuration.

Hint:  there are 4 specific configuration related issues based on the proposed configuration.

Will you assist Bob in creating a working DMVPN/GET VPN solution?

PS   Bob passes on his appreciation for all the help he has received from you in the past!   The solutions you provided worked like a charm, and Bob is being treated like a Network Rock Star by his manager.    Keep up the great work!

- VLAN database issue fixed with v5.0 Dynagen topology (no flash memory was allocated)

- Old v3.0 and v4.1 .net file mappings re-added

We’ve just posted more updates to our renowned IEWB-RS VOL1 – Technology focused labs. The MPLS section is now complete (well maybe just a couple more tasks coming) resulting in 16 new scenarios. In addition to that, the Security section of VOL1 has been updated as well, featuring another 10 labs. That makes a total of 26 more new scenarios with breakdowns, solutions, and verifications! Here is the list of the new topics added:

MPLS VPN:

VRF Lite
MPLS LDP
MPLS Label Filtering
MP-BGP VPNv4
MP-BGP Prefix Filtering
PE-CE Routing with RIP
PE-CE Routing with OSPF
OSPF Sham-Link
PE-CE Routing with EIGRP
EIGRP SOO and Cost Community
PE-CE Routing with BGP
BGP SOO
BGP AS Override
Internet Access
AToM
L2TPv3
MPLS VPN Performance Tuning

Security

Control Plane Protection
IOS ACL Selective IP Option Drop
BGP Generic TTL Security Mechanism
Flexible Packet Matching
Zone Based Firewall
ZFW Rate Limiting
ZFW Application Inspection
Classic IOS Transparent Firewall
ZFW-Based IOS Transparent Firewall
IOS IPS

I know the question on your minds . What’s next on track? More IEWB-RS VOL2 (Configuration Full Scale Labs) and IEWB-RS VOL4 (Troubleshooting) updates of course! And don’t ask me about EIGRPv6 – it’s only 3 commands to enter in the configuration Alright, it will be added to the IPv6 section too, as well as the IPv6 Multicast basics! However, please remember that MPLS VPNs and the security features is the core of the new technologies added to the updated blueprint!

Thanks for choosing INE and happy studying!

we’ve got a fresh list of the folks (eigth people) who got their numbers last week! Here we go, hope their stories are inspiring!

• Mihai Grigore CCIE# 25510 (R&S)
• Daniel Koto CCIE# 25514 (R&S)
• Jon Harald Bovre CCIE #25493 (Service Provider)
• Rodolfo Beltran CCIE #25482 (R&S)
• Mohamed El Henawy CCIE #25453 (R&S)
• Chris Gray CCIE# 25527 (R&S)
• Naga Sayeenathan CCIE# 25532 (R&S)
• Prasanna Ramachandran CCIE# 25551 (Service Provider)

I just wanted to let you know that I got my CCIE R&S number yesterday in Brussels. My number is 25510. I started in early 2007 with the INE workbooks, complete set. At that time, it was still version 4.0. In the meantime version 5 came out. I also used a lot of rack time from INE in 12 hours sessions that started at 6:00AM until 17:30 local time due to the time zone difference. Then we moved to our own rack in the company premises and allowed me to work on it anytime and from anywhere, whenever I had time for this. I stopped counting how many weekends, vacation days I spent on this rack using the INE workbooks.

The last 6 weeks for me were doing the INE R&S WB Volume1 version 5. This is a great source of information, very well written, with lots of details. I cannot recommend it strongly enough! Peter’s 400 pages QoS section (but not only) is simply amazing. I must say that all INE materials that I worked with is simply awesome!!!

I would like to thank INE for their products and great instructors. And I am glad to see that the team is growing with new expert names. Brians were great to listen on the CoD. I had to listen CoD 3 times in order to get ALL the details they talk about. Especially Scott, you were simply great during the boot camp last November in Reno!! Anthony was also special !!

All this helped me during my preparation.

Thank you again and all the best for you guys !

Best regards,

Mihai Grigore CCIE# 25510 (R&S)

====================

I passed my CCIE Routing and Switching on 23rd of Sep 2009. Thanks for your awesome Dynamips workbooks that give me deep understanding
of the exam technologies.

Daniel Koto CCIE# 25514 (R&S)

====================

Thanks a lot for the support and great materials and all the tips you put and all the information you put for free on your blog.

Mohamed El Henawy CCIE #25453 (R&S)

====================

Thanks for the great training material it was the key for me in passing the lab

Chris Gray CCIE# 25527 (R&S)

====================

I have passed the CCIE R&S Lab on 24th of Sep 2009 and would like to thank the folks at INE. I started with the 10-day COD and Vol1 & Vol2 workbooks and attended the Mock lab workshop a week prior to my exam. The Vol1 workbook scenarios were good and reflected all the sections in the cisco’s official blueprint. Mock lab workshop helped me to develop my configuration speed, identify my weaknesses and build my confidence.
I would recommend INE to everybody who would like to achieve their CCIE certification.

Naga Sayeenathan CCIE# 25532 (R&S)

====================

hi Scott and Team,

I cleared the CCIE SP lab in SJC on Friday Sep 25th. I will post my
best practices in the SP general forum for the benefit of the larger
team. I used Internetwork experts work books, but the real thing for
me was the bootcamp, which just zoomed up my intensity level. Thanks
for doing a great job on that and keeping it fun.

With 9 years of experience in the service provider arena, I think
this complements my resume real well.

Prasanna Ramachandran CCIE #25551

He started with a basic configuration on the firewall:

hostname INEASA1
password cisco
enable password cisco

interface e0/1
 nameif inside
 no shut
 ip address 172.16.16.10 255.255.255.0
 security-level 90

interface e0/0
 nameif outside
 ip address 136.1.122.10 255.255.255.0
 security-level 10
 no shut

Bob verified that he could ping both R1 and his PC from the Firewall. Now, he wants to configure the firewall to allow telnet from his PC. He remembers that there was some additional configuration that needed to be done on the firewall to allow this to work, but doesn’t remember exactly what is needed. Since his PC isn’t connected to the internet, he is not able to access the online documentation.

What additional configuration will allow Bob to telnet to the firewall from his PC?

There is more than one possible solution for this challenge. Feel free to post your proposed answer in the comments section. We will try to keep comments hidden from public view, so that the fun isn’t spoiled for others.

____

OK, so let’s look at the problem here. The PC is on the outside of the firewall, and according to multiple responses, you can’t telnet to the outside interface. (or can you?)

A few helpful hints when studying for the CCIE lab.

1. Don’t be afraid to go to the documentation, even for topics you think you know.
2 Re-read the question, to see just what you are asked to do and what your restrictions are.

So, where does the confusion about being able to telnet to the firewall come from? Perhaps it comes from trying in earlier versions, perhaps some confusion about what the documentation says, or perhaps someone read somewhere in the past that it just wouldn’t work.

Let’s start by carefully re-reading the documentation. ASA – Config guide – system administration – managing system access – allowing telnet

This section states:

“…The security appliance allows Telnet connections to the security appliance for management purposes. You cannot use Telnet to the lowest security interface unless you use Telnet inside an IPSec tunnel. …”

So, it doesn’t explicitly mention the outside, it mentions the “lowest security interface”. In most cases that is the outside, but not always.

A few “solutions”

1. Configure the switch so that Bob’s PC is on VLAN 121 instead of VLAN 122, configure the firewall to allow telnet on the inside interface. (Technically would meet requirements, but not much of a challenge.)

2. Change the security levels for the interfaces, making them the same or making the outside higher.

3. Add another interface with a lower security level

int eth0/1.1
vlan 123
nameif DMZ
sec 9

4. Configure a VPN for the firewall, so that the telnet traffic to the lower security (outside) interface is encrypted and therefore allowed.

5. Configure the firewall to allow transit traffic through to R1. Telnet to R1, and then Telnet to the ASA from R1, after configuring the ASA to allow telnet on the inside interface.

10. Effective use of the proctors – for more information, see Tips for Working with the Proctors.

9. Proper diet – be sure to bring your own lunch and snacks.

8. Attention to the Core Knowledge Section – do not rush this section, and once complete, do not think about it again.

7. Use of the DOC-CD – knowing when to use it and how is critical.

6. Effective diagramming techniques – for more information, see May I Have a Diagram with that Please.

5. Positive mindset – no thoughts of failure, only thoughts of success.

4. Effective disaster management techniques – how quickly and effectively you react to a major issues is critical.

3. Precise and accurate verifications.

2. Precise and accurate troubleshooting.

And the Number 1 Quality for a Successful Lab Attempt:

1. Time management and overall lab strategy.

For those of you preparing for the updated CCIE R&S exam – half of our Full-Scale Labs workbook (10 labs) have been fully updated to match the requirements of the new, CCIE R&S v4.0 blueprint. The full-scale scenarios have been significantly changed and a lot of new tasks added. You will find such exciting topics as MPLS VPN, Zone Based Firewall, EEM, and many others. Like mentioned in previous posts, the new labs do not include the basic configuration requirements, but rather ask you to deal with advanced scenarios, having a lot of things already pre-configured. The remaining ten full-scale labs we expect to complete in October. Of course, every existing owner of VOL2 gets these updates absolutely FREE!

Now for those of you who want more advanced technology mini-scenarios: we posted the initial version of the new MPLS VPN section for our IEWB-RS VOL1 workbook. It includes the initial 7 minilabs out of the following list of the labs for the new section:

• VRF Lite
• MPLS LDP
• MPLS Label Filtering
• MP-BGP VPNv4
• MP-BGP Prefix Filtering
• PE-CE Routing with RIP
• PE-CE Routing with OSPF
• OSPF Sham-Link
• PE-CE Routing with EIGRP
• EIGRP SOO and Cost Community
• PE-CE Routing with BGP
• BGP SOO
• BGP AS Override
• Internet Access
• Central Services VPN
• Extranets
• MPLS VPN Performance Tuning

This particular section should be completed next week, followed by part of our Security mini-scenarios to cover the new security-relevant topics of the updated CCIE R&S blueprint. And not only this, more updates to VOL4 are coming next week as well!

Thanks for choosing INE, and happy studying!

Module 1 Lesson 1 Advanced Switching Technology

Module 1 Lesson 2 VLANs

Module 1 Lesson 3 VLAN Configuration

Module 1 Lesson 4 VLAN Trunking

Module 1 Lesson 5 VTP

If you are new to dynamips, view the tutorial Using Dynamips for CCIE Lab Preparation on a PC (How To Run Cisco IOS On Your PC)

The updated .net files can be downloaded here.  Like the previous version, the BackBone router configs are included and should automatically load when you run the .net files.

The major changes are as follows:

• Separate .net files for Dynagen and GNS3
• Platforms upgraded to all 3725s
• Interface numbering now matches more closely on R1 – R6
• Minor performance enhancements

These files were written with MacOS in mind, but can be easily modified to run on Windows and/or Linux.  From my personal experience it is very unlikely that you will get the entire topology to boot on Windows without a massive amount of hardware to back it up.

Happy Labbing!

Match (and permit) the following destinations using an access-list.  Your access list should use the fewest number of lines, and should not overlap any other address space.

Anything within the 10.0.0.0/8 address space.
Anything within the 172.16.0.0/12 address space.
Anything within the 192.168.0.0/16 address space.
Anything within the 169.254.0.0/16 address space.

Be warned, it is estimated that a very high percentage of readers will NOT have the correct answer.

access-list 199 permit ip any object-group TEST

What just happened here?  Can you really match those in a single line?  The answer deals with object groups, which allow grouping of other items.  The object group still needs to be configured, but the question just asked for a short access list.

You can enter in either /x notation for mask, or with subnet mask information, as shown in the following examples:

object-group network TEST
 10.0.0.0 /8
 172.16.0.0 /12
 192.168.0.0 /16
 169.254.0.0 /16

The router will convert syntax, and the following will be what remains in your config for the group:

object-group network TEST
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0
 169.254.0.0 255.255.0.0

You can also nest object groups.  You could configure the individual groups as follows:

object-group network A
 10.0.0.0 /8
object-group network B
 172.16.0.0 /12
object-group network C
 192.168.0.0 /16

object-group network RFC1918
 group-object A
 group-object B
 group-object C

object-group network APIPA
 169.254.0.0 /16

object-group network TEST
 group-object RFC1918
 group-object APIPA

Here, we took a brief look at network object groups.  Object groups on the router also have a “service” option, which can be used to group protocols and ports. For those of you with a background configuring PIX / ASA, you may already be very familiar with configuring object groups.  For the rest of you, it may be something that you want to practice before your next scheduled lab date.

For more reading:
Cisco – Object Groups for ACLs

Object groups were added in 12.4(20)T.

Now for the new Dynamips topology – the main change when comparing to the old one is the replacement of 3640 platform with 3725 router, which supports IOS 12.4T. Best of all, the 3725 routers with “ADV. ENTERPRISE SERVICES” images support most of the IOS features required for the updated CCIE R&S exam, including MPLS VPNs, ZFW, EIGRPv6 and OER. Additionally, the use of 3725 platform means we now have the built-in FastEthernet controller, which allows to get rid of the NM-4E modules used int 3640s. As a consequence, some interface names have changed too – specifically, all “Ethernet 0/X” interfaces have translated to “FastEthernet 0/X”.

You may find a sample .NET file for Dynagen here; the file has been created with a dual-CPU workstation on mind. However, a more powerful platform is recommended to simulate the full CCIE R&S rack (10+3 routers). Notice that you need to provide a correct path to the IOS image used in the topology as well as obtain the image itself. You may also need to edit other directory variables, such as working directory in order to get working configuration. Of course, you may want to play around with the IdlePC value to obtain optimal performance with your hardware platform and operating system. As a side note, two good tricks to reduce the load on your CPU

1) Disable spanning-tree for all VLANs in SW1-SW4 and provide a loopless topology by shutting down unused links and connecting switching in a star topology.
2) Shut down the backbone routers and only bring them up for testing purposes.

And finally, for the Dynamips version of our Full-Scale Labs Workbook. This one is coming right after we finish updating the “classic” VOL2 for the new R&S lab blueprint. You may expect the first “fully-Dynamips” labs to appear by the mid of October.

Happy studying!