As many of you hopefully already know, the CCIE Routing & Switching certification blueprint is changing from version 4 to version 5 on June 3rd 2014. As this date quickly approaches, and as the last of the v4 lab seats are fully booked, it’s time to start planning your attack on the RSv5 blueprint.
While Cisco’s official blueprint for v5 is now more detailed that it has ever been in the past, it still lacks some details in certain areas, for example “Implement, optimize and troubleshoot filtering with any routing protocol.” Additionally it would be difficult to use Cisco’s blueprint for a study plan as it stands in its current linear format. For example “Layer 3 multicast” is listed before “Fundamental routing concepts”, which from a learning perspective doesn’t make sense, because you must understand unicast routing fully before you learn multicast routing. To help remedy this we’ve re-ordered and expanded Cisco’s blueprint into INE’s RSv5 Expanded Blueprint, which you can find below after the jump.
Our CCIE RSv5 Expanded Blueprint is meant to be used as a checklist that you can use as you go through your preparation. This way when you’re finally ready to attempt the lab exam, you can be assured that you’ve at least heard of all the topics in the scope, regardless of how obscure some of them might be. Additionally note that some topics listed below might appear only on the written exam and not the lab exam, such as MPLS Layer 2 VPNs or RIPng, but are still included in our content and the outline below.
The below outline will continue to be updated, so check back periodically during your preparation to see changes, adds, and removes. Good luck in your studies!
INE’s CCIE RSv5 Expanded Blueprint
CCIE Security Version 4.0 adds new software version updates, as well as introduces new hardware platforms to the exam, such as ISE and WSA. The hardware used in our new course is available through our CCIE Security Rack Rentals. The playlist for the new CCIE SCv4 ATC is as follows. A few minor topics are still in video post-processing and will be posted shortly.
- Recommended Study Resources
- ASA Firewall Overview
- ASA Basic Initialization
- ASA IP Routing
- ASA ACLs
- ASA High Availability Overview
- ASA Active/Standby Failover
- ASA Multiple Context Mode Overview
- ASA Multiple Context Mode Configuration
- ASA Active/Active Failover
- ASA Transparent Firewall
- ASA Transparent Firewall & ARP Filtering
- ASA Transparent Failover
- ASA Modular Policy Framework (MPF) Overview
- ASA Modular Policy Framework (MPF) Configuration
- ASA Advanced TCP Inspection with MPF
- ASA Advanced Application Inspection with MPF
- ASA Quality of Service (QoS)
- ASA Network Address Translation (NAT) Part 1
- ASA Network Address Translation (NAT) Part 2
- ASA Redundant Interfaces
- Standard, Extended, Time Based, & Dynamic ACLs
- Reflexive ACLs
- TCP Intercept
- Content Based Access Control (CBAC)
- CBAC High Availability
- Zone Based Firewall (ZBPF) Overview
- ZBPF Configuration
- Port to Application Mapping (PAM)
- ZBPF Parameter Tuning
- ZBPF Application Inspection
- IOS Transparent Firewall
- ZBPF Transparent Firewall
- IPsec VPN Overview
- IOS LAN-to-LAN IPsec Configuration
- IPsec Verification & Troubleshooting
- ASA LAN-to-LAN IPsec Configuration
- IOS & ASA PKI Overview
- IPsec & PKI Certificates
- GRE over IPsec Tunnels
- IPSec Profiles & Virtual Tunnel Interfaces (VTIs)
- Easy VPN Overview
- IOS Easy VPN Server
- IOS Easy VPN Client
- IOS Easy VPN with Dynamic VTIs, ISAKMP Profiles
- ASA Easy VPN Server
- ASA Easy VPN Server & IOS Easy VPN Client
- ASA Clientless & AnyConnect SSL VPN
- IPS Overview, Promiscuous Mode & SPAN
- IPS Promiscuous Mode & RSPAN
- IPS Blocking Devices & Custom Signatures
- IPS Inline Mode, VLAN Pairing
- IPS Virtual Sensors and Signature Engines
- WSA Overview & Initial Setup
- WSA Management, Identities, & Access Policies
- WSA HTTP Session Processing
- WSA Transparent Mode & WCCP L2 Mode
- WSA Transparent Mode & WCCP GRE Mode
- WSA HTTPS Decryption Policies
- AAA Overview, Local AAA, & Role Based CLI
- IOS AAA with ACS
- ASA AAA with ACS
- ACS IOS Auth-Proxy Authentication
- ACS IOS Auth-Proxy Authorization
- ACS ASA Cut-Through Proxy
- ISE Overview
- 802.1x, MAB, & EAP Overview
- ISE MAB Authentication
- ISE 802.1x & MAB Authorization
- ISE 802.1x Authentication
- ISE MACsec
- ISE Central Web Authentication
- ISE Profiling
The Application Control Engine (ACE) 4710 has been removed from our normal CCIE Data Center rack rental topology, and is now available as a standalone rack rental. From now until Sunday March 23rd 2014 you can book ACE rack rentals for free. To book ACE rentals, login to your http://members.ine.com account, click the Rack Rentals option on the left, and you should see the ACE scheduler as seen below:
Click the Schedule/Cancel Session button, and the calendar window will appear. Select your start and end date, and if it is within the beta period it will show a zero token cost for the session. Note that during the beta period you can only reserve blocks of 4 hours at the most.
ACE rack rentals include the following:
- ACE 4710 Appliance
- Catalyst 3750G Switch
- 3 x Apache Server Virtual Machines
- 1 x Windows Client Virtual Machine
The topology for ACE rack rentals looks as follows:
Although the ACE 4710 is End-of-Life, there is still a large install base of these boxes in the field. Even if you’re not preparing for the CCIE Data Center Lab Exam it can’t hurt to see how the ACE works, as other load balancers & application switches such as Citrix NetScaler or F5 Local Traffic Manager use the same type of logic for traffic switching.
Next Tuesday, January 21st 2014, at 10:00 PST (GMT 18:00) I will be continuing our vSeminar series on new topics for the CCIE R&S v5 Blueprint, which will focus on IPv6 First Hop Security. You can sign-up for this seminar here. Additionally the link to attend is available at the top of the dashboard when you login to the INE Members Site.
The upcoming session will focus on security exploits and attack mitigation techniques that relate to IPv6 Neighbor Discovery, Stateless Address Autoconfiguration, and DHCPv6, just to name a few. This session will also include both theory and live implementation examples on the Cisco IOS CLI. This session is expected to run approximately 2 – 3 hours in length.
Please feel free to submit topic requests for additional upcoming vSeminar sessions below. I hope to see you in class!
We’ve been putting a lot of time into development for quite a while now on the new CCIE Collaboration blueprint and wanted to share with you a few updates. If you’ve taken a look at the blueprint anytime recently, you know that there is quite a lot of material to be covered, and that a simple 5-day class would never suffice. So we’ve put together a new class that is extremely thorough, spanning a 10-day period, and we wanted to share with you the updated outline for the class structure as well as a sample class topology and list of equipment that we will be using, since many of you have been emailing and asking in our forums about what to buy in order to host your own rack.
Keep watching for more updates as we get closer to releasing new material.
UPDATE: Current customers that have the All Access Pass can already view two 4-hour classes that will assist with a few of the subjects. The first related to a (now outdated by GDPR, but still on the exam) technology known as CCD over SAF and also a CAC mechanism known as SIP Preconditions. The second – while not tested on the lab per-se (students have no access to UCS C-Series CIMC), but certainly covered in-depth on the written exam – is UC on UCS.
The recording of last week’s seminar on Introduction to DMVPN for CCIE R&S v5 Candidates is now available to view here. This is the first of many new free seminars on new topics that have been added to the CCIE R&S version 5 blueprint. New upcoming sessions will include IPv6 First Hop Security, IPsec LAN-to-LAN tunnels, GET VPN, IGP Convergence & Scalability, and BGP Convergence & Scalability, just to name a few. Feel free to submit requests for additional topics in the comments below.
Good luck in your studies!
We’ve heard you loud and clear, and we understand that gaining access to Nexus 7000s, Nexus 5000s, UCS and Storage for hands-on practice is probably one of the more difficult parts of studying for the CCNA/CCNP and CCIE Data Center certifications. That’s why we’re happy to announce that we have just added 5 new DC racks available for rental immediately.
Enjoy – and remember to lab responsibly this holiday season.
Tomorrow, December 6th 2013, at 10:00 PST (GMT 18:00) I will be running a free live online session on Introduction to DMVPN for CCIE R&S v5 Candidates. You can sign-up for this seminar here. Additionally the link to attend is available at the top of the dashboard when you login to the INE Members Site.
This session is the first of many to help candidates transition from the current CCIE R&S v4 Blueprint to the recently announced CCIE R&S v5 Blueprint that goes live on June 4th 2014. We will continue to run additional sessions in the future on new topics that have been added to the CCIE R&S v5 Blueprint, such as IPv6 First Hop Security, IPsec LAN-to-LAN tunnels, GET VPN, IGP Convergence & Scalability, and BGP Convergence & Scalability, just to name a few. These sessions are not only applicable to CCIE R&S v5 candidates, but also to those pursuing the CCNA, CCNP, or CCIE Security tracks, as well as for everyday engineers looking to apply these technologies in their production environments.
Tomorrow’s session will focus on the theory of what Dynamic Multipoint VPN (DMVPN) is, what problems it was designed to solve, and where it fits in the overall network design as compared to other technologies such as MPLS Virtual Private LAN Service (VPLS) or MPLS Layer 3 VPNs. The session will also include live implementation examples of DMVPN on the Cisco IOS CLI. Expect this session to run somewhere around 2 – 3 hours in length.
I hope to see you there!
Today Cisco posted their official announcement on the upcoming changes for CCIE Routing & Switching Version 5. The majority of the announcement is along the same lines as previously rumored changes, except for the official launch date, which is now scheduled for June 4th 2014. This should bring a great sigh of relief to you if you’re currently nearing the end of your CCIE R&S v4 preparation, as you now have a 6 month window to pass the v4 lab exam before the change to v5 occurs.
Specifically the announcement details changes to technical topics covered both in the written and lab exams, the equipment used, as well as the exam format, as follows:
Technical Topic Changes
New Lab Topics:
- Interpreting Packet Captures
- Bidirectional Forwarding Detection (BFD)
- Multi Address Family (AF) EIGRP
- Dynamic Multipoint VPN (DMVPN)
- IPv6 First Hop Security
Of the new topics announced, the big ones are DMVPN and IPsec. These are specifically listed as DMVPN Single Hub and IPsec with Pre-Shared Keys, so the scope is not nearly as large as the CCIE Security. If you don’t yet know what any of these terms mean, don’t worry, you soon will
Topics moved from the Lab to the Written:
- IPv6 Multicast
- IPv6 Tunneling
- IOS AAA with TACACS+ and RADIUS
- Layer 2 QoS
- Performance Routing (PfR)
Topics completely removed:
- Layer 2 Protocol Tunneling
- IOS Firewall
- IOS IPS
- RSVP QoS
For topics removed, there are three killer areas here: Frame Relay, PfR, and Layer 2 QoS. Frame Relay’s removal is no surprise, as Ethernet based last mile access solutions such as Metro Ethernet and Virtual Private LAN Services (VPLS) have exploded in the past few years and have eclipsed legacy methods such as DS3 Frame Relay. From a technology design point of view though, a lot of the Frame Relay theory transfers directly over to DMVPN, as DMVPN could be thought of as a way to emulate legacy hub-and-spoke network designs over a public transport.
As for PfR’s removal, this one is a bit of a surprise, and I can already hear Brian Dennis’s screams of agony:
While the general idea of PfR is great, I’ve never seen it implemented other than in very small scale environments due to the management complexity. You have to give Cisco credit though, as PfR is essentially SDN version 1.0, and now a very large portion of the industry is focused on this type of application.
The other large change here is the removal of Layer 2 QoS. While this is still a very important topic, the problem with L2 QoS is that it is highly platform dependent, and the way that Catalyst 29xx/35xx/45xx/65xx implement L2 QoS is generally unique to each. Therefore in the interest of platform independence and virtualization, L2 QoS gets the axe. This brings us to our next topic, which is the hardware changes in the new blueprint.
As previously rumored, the new CCIE R&S v5 equipment is going all virtual. As CCIE R&S v4 had already been using virtual IOS for the troubleshooting section of the exam, this should come as no surprise. The biggest implication of this change is that the size of the topology is now arbitrary. I wouldn’t be surprised going into the exam and seeing a configuration section with 20+ routers in the topology.
The other implication of this change is that certain features can no longer be tested on, as they’re not supported in the virtual IOS. Those topics that can’t be tested, such as Layer 2 QoS or Flexlinks, are now explicitly excluded from the topic scope of the exam.
Last but not least, a new testing section has been introduced into the R&S v5 lab exam format. While the written exam format stays the same, the lab now includes a “diagnostic” section, which focuses on the diagnosis and resolution of network issues from a more high level point of view.
This new section won’t use equipment, but instead will present the candidate with information such as network diagrams, CLI outputs, log outputs, traffic captures, and email exchanges, based on which they will be expected to diagnose a presented network problem. Based on the description in the announcement, I would assume that this format is going to be similar to the CCDE Practical Exam testing format, which tests analytical skills without the need of access to actual devices CLI.
Another minor change to the exam is how the timing of sections works. In the v4 format, candidates had a maximum of 2 hours to complete the troubleshooting section, and a minimum of 6 hours for the configuration section. If the candidate used less than 2 hours in troubleshooting, the extra time rolled over to the configuration section. In the v5 format this changes along with the addition of the diagnostic section.
In v5, candidates will have a maximum of 2.5 hours to complete troubleshooting, a fixed 30 minutes for the diagnostic section, and the rest to complete configuration. Any time less than 2.5 hours used in troubleshooting will be credited towards configuration. For example if a candidate uses only 1.5 hours in troubleshooting then the configuration section would be 6 hours, which along with the .5 hour of diagnostic adds up to a total of 8 hours for the exam.
How Does This Affect Me As An INE Customer?
The good news is that if you’ve purchased and of the R&S v4 products from INE, you’re covered for the v5 products. You won’t have to pay anything to upgrade to the v5 products, including the Bootcamps. If you already attended a v4 bootcamp and want to resit a v5 bootcamp, there’s no charge for it.
As it’s no secret that Cisco’s blueprint changes have been in the works for quite some time, as have INE’s plans for the v5 update. We have a bunch of new exciting product updates and more importantly new product features that we’re going to be launching along with the v5 product updates. More information will be available about these updates in the coming weeks.
In the short term I’m going to be running a free online class this Friday – December 6th 2013 – at 10:00 PST (GMT –8) on Introduction to DMVPN for CCIE R&S Candidates. I’ll post another blog update tomorrow with more information on this.
Congratulations go out to the newly minted Cisco Certified Design Experts that passed the Practical Exam after attending INE’s CCDE Bootcamp with me in Chicago last week! So far I know of at least 9 students from this past week’s class and previous ones that passed the practical this time around. Here’s what some of them had to say:
I had accomplished 2 CCIE’s and was ready for the CCDE. I took the CCDE v1 test a couple of years ago and failed miserably. I came to the INE CCDE boot camp with really no expectations. I didn’t only learn some technical details through the boot camp, I learned the mental strategies needed to get through this test. Thanks, INE!!
Rob Gonzalez, CCDE #20130059
Brian’s approach in how to tackle the exam question were invaluable. I was able to successfully navigate several difficult questions there on my first attempt. Thanks to Brian and his insight I was able to pass.
Travis Jones, CCDE #20130060
Just wanted to drop you a note that I passed the exam today. Still in shock, but it’s starting to sink in. Thanks for a great session this week. I’ll highly recommend it!
Dave Fusik, CCDE #20130070
I passed the CCDE in Chicago after attending the 3 day INE CCDE Bootcamp with Brian McGahan. The room was full of very intelligent and experienced individuals who started discussions that helped solidify my knowledge in the topics tested on the exam. Thank you once again INE!
Dana Yanch, CCDE #20130071
As it seems that the interest in the CCDE track is continuing to grow, INE is going to continue to offer our study sessions which follow along with Cisco’s schedule for the Practical Exam. The next Practical Exam is scheduled for Thursday February 20th 2014, so expect our next session to likely run Monday – Wednesday that same week in Chicago. However since Cisco is now offering the CCDE Practical Exam at all Pearson Professional Center locations, there’s a possibility that we may be moving our next study session to an online format.
If you’re interested in attending one of INE’s CCDE Bootcamps in the future, let me know via comments below if you prefer it in an online format or a live onsite format. The advantage of course of running it online is that you can attend from anywhere, but at the expense of the live class discussion that happens in an onsite class.
Also don’t forget to check out our CCDE Practical Recommended Reading List, as the topic scope for the exam is immense to say the least.
Congrats again to the newest CCDEs of 2013!