Welcome to Internetwork Expert's CCIE Blog

Welcome to Internetwork Expert’s CCIE Blog! This site is dedicated to helping you in your pursuit of becoming a Cisco Certified Internetwork Expert in Routing & Switching, Voice, Security, Service Provider, and Storage. Through this blog you can submit questions to our expert instructors, Brian Dennis - Quintuple CCIE #2210, Scott Morris - Quad CCIE #4713, Brian McGahan – Triple CCIE #8593, and Petr Lapukhov - Quad CCIE #16379. Check back daily as this blog will be updated frequently.


January 8th, 2008

Highlights from Cisco’s Recent CCIE R&S “Ask the Expert” Session

The “Ask the Expert” sessions are open question and answer sessions with an actual CCIE lab proctor. The excerpts below were taken from the most recent session.

In regards to security topics on the exam:
The security topics listed below are defined by the R&S lab blueprint and make up about 6-8% of the exam:

1. AAA
2. Security server protocols
3. Traffic filtering and firewalls
4. Access lists
5. Routing protocols security, catalyst security
6. CBAC
7. Other security features

In regards to IP Services topics on the exam:
Cisco is not testing Mobile IP. VRRP and GLBP will fall under IP/IOS Features. The total points for this section are around 8 points which includes all other content.

In regards to how the lab tasks need to be completed and how the lab is structured:
There is no mandatory order in which you must complete the exam. You can start in any section, skip sections, and come back to sections at a later time. The exam is structured on a basic flow such as: Switching, IGP, IP/IOS Features, QoS, Multicast, Security and BGP. But again you can do it in any order. Naturally some sections, such as IGP, depend on Switching, so it is suggested that you start with Switching to build the basic foundation, then start with the basic IGP. Later, you can come back and complete the more advanced features on Switching or IGP.

In regards to DVMRP on the lab:
Learn the basics of DVMRP as this topic is not explored in depth on the exam.

In regards to Layer 2 Multicast features (IGMP Snooping, MVR, etc):
You should consider looking at the L2 Multicasting as well when preparing for the exam. Consider looking at Cisco’s Configuring IP Multicast Routing.

In regards to adding extra configurations and aliases:
You are not penalized for adding extra configurations as long as this will not break a specific restriction. Aliases don’t need to be removed if they do not interfere with accessing the device when the exam is over.

In regards to the cabling of the network and diagrams:
The physical connections are pre-cabled so you don’t need to touch them. In some lab locations the racks are remote so you will not even see them. If you suspect you have a physical problem, ask the proctor to verify it for you. The lab document has L1/L2 diagrams for the physical connectivity as well as an IP or topology diagram and an IP Routing diagram.

In regards to any upcoming lab changes:
There are currently no expected changes regarding the CCIE R&S lab exam. Both the lab blueprint and hardware specifications are expected to stay the same for the next year. Any changes will be announced 5 to 6 months in advance.

In regards to no CCIE labs dates in Sydney, Australia:
Currently the lab location in Sydney, Australia is only staffed by a part-time proctor and therefore only offers limited date availability. Cisco is actively looking for a full-time proctor and expects the facility to offer greater lab availability beginning in the first or second quarter of 2008.

In regards to how points are awarded in the exam:
You are marked down points for incorrect questions, not for entire sections. Suppose you have 4 questions within the QoS section with point totals of 2, 2, 2, and 3 for a total of 9 points. If you get the first 3 correct for this section you would receive 6 points, or around 66% for that section.

What is the acceptable late arrival to the exam center?
If you arrive within the first 2 hours after the exam has begun you can still take the exam, but no extra time will be allotted. Arriving after the 2 hour mark, you will no longer be eligible to take the exam. If you are traveling to take the exam it is suggested that you plan to arrive the day prior to the day of your exam.

What items are allowed or not allowed in the lab environment?
All personal items must be removed from your person before entering the lab environment, but make sure to bring your identification, as it will be required to register at the reception area prior to the exam. Pens, pencils, scratch paper, etc. will be available for you at the lab location. Food and drinks are generally not allowed, unless they are pre-approved by the proctor.

Is food provided by Cisco?
Lunch is provided by Cisco, in either a restaurant style cafeteria or ordered and brought to the facility for you.

What are the bathroom/washroom access policies?
Cisco provides washrooms/bathrooms and break rooms near the lab environment, accessible for the duration of the exam; however, only one lab candidate is allowed at a time.

What types of questions may be asked of the proctor?
You can ask any question that you feel you need clarification on. Proctors are there to help you understand the questions and requirements presented by the test material.

Can we report the proctor for a bad performance, or is there someone else to question regarding hardware issues?
Any issue that you feel has negatively affected your exam can be reported to Cisco customer service. All hardware related questions or concerns must be brought to the proctor’s attention during your lab session. If a problem does in fact exist, any time required to repair the issue will be added to your lab session.

What will happen if tasks within the test conflict with another section of the exam?
If you find that you must configure a device in a way that would affect a previous task restriction, make sure to bring up your concern with the proctor, who will be able to advise you regarding the situation.

January 8th, 2008

Using Extended ACLs for BGP Filtering

Prior to the support of prefix-lists in IOS, advanced filtering for BGP needed to be done using extended ACLs. The syntax for using extended ACLs for this purpose is shown below:

access-list <ACL #> permit ip <network> <wildcard mask of network> <subnet mask> <wildcard mask of subnet mask>

The source portion of the extended ACL is used to match the network portion of the BGP route, and the destination portion of the ACL is used to match the subnet mask of the BGP route. In both halves a wildcard bit set to 1 means “don’t care”, so a wildcard of 0.0.0.0 requires an exact match. Here are some examples:

access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
Matches 10.0.0.0/16 - Only

access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
Matches 10.0.0.0/24 - Only

access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0
Matches 10.1.1.0/24 - Only

access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
Matches 10.0.X.0/24 - Any number in the 3rd octet of the network with a /24 subnet mask.

access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0
Matches 10.X.X.0/24 - Any number in the 2nd & 3rd octet of the network with a /24 subnet mask.

access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0
Matches 10.X.X.X/28 - Any number in the 2nd, 3rd & 4th octet of the network with a /28 subnet mask.

access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255
Matches 10.X.X.X/24 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th octet of the network with a /24 to /32 subnet mask.

access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127
Matches 10.X.X.X/25 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th octet of the network with a /25 to /32 subnet mask.

January 8th, 2008

Using Extended ACLs with IGPs

Extended ACLs work with IGP protocols, but you cannot match on the subnet mask portion of the route. With IGP protocols the source portion of the extended ACL matches the IP address of the router that sent the route, and the destination portion matches the network portion of the route. Here is an example of their usage:

Notice that R1 is receiving the 172.16.0.0/16 network from both R2 (10.0.0.2) and R3 (10.0.0.3). We will use ACL 100 with an inbound distribute-list so that R1 only uses the 172.16.0.0/16 route advertised by R2.

Rack2R1#show ip route rip
R    172.16.0.0/16 [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
                   [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
R    192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:06, Ethernet0/0
                    [120/1] via 10.0.0.3, 00:00:06, Ethernet0/0
Rack2R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Rack2R1(config)#access-list 100 deny ip host 10.0.0.3 host 172.16.0.0
Rack2R1(config)#access-list 100 per ip any any
Rack2R1(config)#router rip
Rack2R1(config-router)#distribute-list 100 in e0/0

Rack2R1(config-router)#^Z
Rack2R1#
Rack2R1#clear ip route *
Rack2R1#show ip route rip
R    172.16.0.0/16 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
R    192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:02, Ethernet0/0
                    [120/1] via 10.0.0.3, 00:00:02, Ethernet0/0
Rack2R1#

More examples:

This would permit any 10.X.X.X/X network from 1.1.1.1 (e.g. 10.5.0.0/16, 10.1.1.4/30, 10.50.6.128/25, 10.1.1.64/26, etc.)

access-list 100 permit ip host 1.1.1.1 10.0.0.0 0.255.255.255

This would permit any 10.1.X.X/X network from 1.1.1.1 (e.g. 10.1.1.0/24, 10.1.5.4/30, 10.1.50.128/25, 10.1.3.64/26, etc.)

access-list 100 permit ip host 1.1.1.1 10.1.0.0 0.0.255.255

This would permit any 10.1.1.X/X network from 1.1.1.1 (e.g. 10.1.1.0/24, 10.1.1.0/30, 10.1.1.128/25, 10.1.1.64/26, etc.)

access-list 100 permit ip host 1.1.1.1 10.1.1.0 0.0.0.255

You can also use a wildcard mask on the source (advertising router) portion:

This would permit any 10.X.X.X/X network from any router in 1.1.1.X (e.g. 10.5.0.0/16, 10.1.1.4/30, 10.50.6.128/25, 10.1.1.64/26, etc.)

access-list 100 permit ip 1.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
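The following is an added example, not code from the blog post: a small Python simulator of the two ACL roles described above, the BGP filter (network in the source half, subnet mask in the destination half) and the IGP distribute-list (advertising router in the source half, network in the destination half). Run against the exact ACL lines from both posts, it shows why the /24-to-/32 and /25-to-/32 entries behave as stated and why R1 drops only R3's copy of 172.16.0.0/16.

```python
# Added example (not from the blog post): simulates how an IOS extended ACL
# matches routes in the two roles described above. BGP: source half vs the
# network, destination half vs the subnet mask. IGP distribute-list: source
# half vs the advertising router, destination half vs the network (no mask
# check). Both halves use one rule: bits set to 1 in the wildcard are ignored.
import ipaddress

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(value, wildcard, candidate):
    """True when candidate equals value on every bit that is 0 in the wildcard."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return ((_to_int(value) ^ _to_int(candidate)) & care) == 0

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC SRC-WC DST DST-WC'; understands the
    'host A.B.C.D' and 'any' shorthands and abbreviated keywords such as 'per'."""
    toks = line.split()
    if toks[0] != "access-list" or toks[3] != "ip":
        raise ValueError("not an extended IP ACE: " + line)
    action = "permit" if "permit".startswith(toks[2]) else "deny"
    rest, fields = toks[4:], []
    while len(fields) < 2:
        if rest[0] == "any":
            fields.append(("0.0.0.0", "255.255.255.255")); rest = rest[1:]
        elif rest[0] == "host":
            fields.append((rest[1], "0.0.0.0")); rest = rest[2:]
        else:
            fields.append((rest[0], rest[1])); rest = rest[2:]
    (src, src_wc), (dst, dst_wc) = fields
    return action, src, src_wc, dst, dst_wc

def acl_action(acl_lines, src_field, dst_field):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl_lines:
        action, src, src_wc, dst, dst_wc = parse_ace(line)
        if wildcard_match(src, src_wc, src_field) and wildcard_match(dst, dst_wc, dst_field):
            return action
    return "deny"

def bgp_permits(acl_lines, prefix):
    """BGP filter role: network address in the source half, subnet mask in the destination half."""
    net = ipaddress.IPv4Network(prefix)
    return acl_action(acl_lines, str(net.network_address), str(net.netmask)) == "permit"

def igp_permits(acl_lines, advertising_router, prefix):
    """IGP distribute-list role: advertising router in the source half, network in the destination half."""
    net = ipaddress.IPv4Network(prefix)
    return acl_action(acl_lines, advertising_router, str(net.network_address)) == "permit"
```

For example, `igp_permits(["access-list 100 deny ip host 10.0.0.3 host 172.16.0.0", "access-list 100 per ip any any"], "10.0.0.3", "172.16.0.0/16")` returns False while the same call with "10.0.0.2" returns True, matching the routing table change shown in the transcript.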

January 8th, 2008

Understanding OSPF Network Types

By adjusting the hello/dead timers you can make incompatible OSPF network types appear as neighbors in “show ip ospf neighbor”, but they will not become fully “adjacent” with each other. OSPF network types that use a DR (broadcast and non-broadcast) can neighbor with each other and function properly. Likewise, OSPF network types that do not use a DR (point-to-point and point-to-multipoint) can neighbor with each other and function properly. But if you mix DR types with non-DR types they will not function properly (i.e. they will not become fully adjacent). You should see “Adv Router is not-reachable” messages in the OSPF database when you have mixed DR and non-DR types.

Here is what will work:

Broadcast to Broadcast
Non-Broadcast to Non-Broadcast
Point-to-Point to Point-to-Point
Point-to-Multipoint to Point-to-Multipoint
Broadcast to Non-Broadcast (adjust hello/dead timers)
Point-to-Point to Point-to-Multipoint (adjust hello/dead timers)

January 8th, 2008

Frame-Relay DCE vs Physical DCE

When configuring a Frame Relay switch, layer 1 DCE/DTE is independent of layer 2 DCE/DTE. The “clock rate” command can only be applied on the layer 1 DCE side of the cable. This side can be determined by looking at the cable for DTE/DCE labeling, by using the “show controllers serial X/X” command, or by simply issuing the “clock rate” command on both sides. The side that accepts the command is the layer 1 DCE.

In regards to Frame Relay, the layer 2 DCE is independent of the layer 1 DCE. Commonly the layer 1 DCE end of the cable is connected to the FRS, and the layer 2 DCE is also configured on the FRS side. The Frame Relay DCE is configured using the “frame-relay intf-type dce” command. By default Frame Relay interfaces are DTE. Also, as a point of interest, the Frame Relay DCE side is the side that commonly generates LMI. I used the word “commonly” because, although unusual, you can have a Frame Relay connection without LMI.

January 8th, 2008

OSPF MTU Mismatch Issue

This problem is common when running OSPF between a switch (e.g. a 3550 or 3560) and a router. The error messages generated when this problem occurs are:

%OSPF-5-ADJCHG: Process 1, Nbr 150.8.5.5 on Vlan258 from DOWN to DOWN, Neighbor Down: Dead timer expired
%OSPF-5-ADJCHG: Process 1, Nbr 150.8.2.2 on Vlan258 from EXSTART to DOWN, Neighbor Down: Too many DBD retransmitions

The resolution is to either adjust the MTU so that it matches on both sides (on the switch or on the router) or have OSPF ignore the MTU:

A) Change the system MTU on the switch (system mtu 1500 or system mtu routing 1500)

B) Have the router and/or switch ignore the MTU (ip ospf mtu-ignore)

C) Change the interface MTU on the router (GigE only)

Note that the system mtu 1500 option requires a reboot of the switch, but system mtu routing 1500 does not.