Friday, December 24, 2010

CCIE R&S v4.0 Lab Exam Demo Video

On forums I find a lot of people asking about the interface used for the CCIE R&S Lab exam. Around 6 months ago, Cisco released a video with a tour of the interface. The narrator is not the most exciting in the land, but you get the general idea and feel of the lab:

CCIE R&S v4.0 Lab Exam Demo

"This demo will familiarize candidates with the online interface that has replaced paper exams, which presents the virtual topology, test questions, documentation and tools. Strongly recommended for all candidates"

Thursday, December 23, 2010

Cisco IOS menu autocommand with AAA/Cisco ACS

A customer has a router dedicated to a site-to-site IPSec VPN. The users of that VPN are a small group that is not directly responsible for the router. They want a way to check the status of the WAN connection and the IPSec tunnel, and also to force a clear crypto sa.

This could be solved with a looking glass, but that would require a web server. An alternative solution is a special user with a menu autocommand:

menu VPN text 1 ping Internet (OpenDNS)
menu VPN command 1 ping
menu VPN text 2 ping VPN (
menu VPN command 2 ping source gi0/1/0
menu VPN text 3 sh crypto isakmp sa
menu VPN command 3 sh crypto isakmp sa
menu VPN text 4 sh crypto ipsec sa
menu VPN command 4 sh crypto ipsec sa
menu VPN text 5 Reset VPN  (clear crypto ipsec sa)
menu VPN command 5 clear crypto sa
menu VPN text 6 Exit
menu VPN command 6 exit
menu VPN clear-screen
menu VPN status-line
menu VPN line-mode
menu VPN single-space

My environment uses AAA with a Cisco ACS, so the special user has to be created in the internal ACS database, restricted to only that router (Per User Defined Network Access Restrictions), with shell (exec) access allowed and the auto command set to menu VPN (TACACS+ Settings).

The router has to refer exec authorization to the ACS:

aaa authorization exec default group tacacs+ local

Of course, if you don’t use ACS and only use AAA with the local database, Ivan @ Cisco IOS Hints has a great example.


Server "VPN-Router"    Line 6    Terminal-type xterm


    1          ping Internet (OpenDNS)
    2          ping VPN (
    3          sh crypto isakmp sa
    4          sh crypto ipsec sa
    5          Reset VPN (clear crypto ipsec sa)
    6          Exit

Selection: 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/95/140 ms
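
Since the menu is all this account can reach, it is worth checking every entry against an allowlist before handing out the login. The script below is an added example, not part of the original post: the sample config, the documentation-range ping target and the allowlist policy are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the menu above. The ping target is a
# documentation address chosen for this example, not a value from the post.
SAMPLE_CONFIG = """\
menu VPN text 1 ping Internet
menu VPN command 1 ping 192.0.2.1
menu VPN text 2 Reset VPN
menu VPN command 2 clear crypto sa
menu VPN text 3 Config mode
menu VPN command 3 configure terminal
menu VPN text 4 Orphan entry
menu VPN text 5 Exit
menu VPN command 5 exit
menu VPN clear-screen
"""

# Assumed policy: leading keywords a menu-only user is allowed to run.
ALLOWED = [("ping",), ("sh", "crypto"), ("show", "crypto"),
           ("clear", "crypto", "sa"), ("exit",)]
ITEM_RE = re.compile(r"^menu\s+(\S+)\s+(text|command)\s+(\S+)\s*(.*)$")

def parse_menus(config):
    """Return {menu: {item: {"text": ..., "command": ...}}} from IOS menu lines."""
    menus = defaultdict(lambda: defaultdict(dict))
    for line in config.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:  # option lines such as clear-screen do not match and are skipped
            name, kind, item, rest = m.groups()
            menus[name][item][kind] = rest.strip()
    return menus

def is_allowed(cmd):
    """True when the command starts with one of the allowlisted keyword runs."""
    toks = cmd.split()
    return any(tuple(toks[:len(p)]) == p for p in ALLOWED)

def audit_menus(config):
    """List (menu, item, problem) tuples for entries that break the policy."""
    findings = []
    for name, items in parse_menus(config).items():
        for item, entry in sorted(items.items()):
            cmd = entry.get("command")
            if cmd is None:
                findings.append((name, item, "text without command"))
            elif not is_allowed(cmd):
                findings.append((name, item, "command not in allowlist: " + cmd))
        if not any(e.get("command") == "exit" for e in items.values()):
            findings.append((name, "-", "no exit entry"))
    return findings
```

Feed it the `menu` lines from a saved running-config and review any finding before the account goes live.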


Tuesday, December 21, 2010

INE CCIE R/S 4.X Expanded Study Blueprint with links

After my bootcamp with Anthony Sequeira, I decided to guide my studies using the INE CCIE R/S 4.X Expanded Study Blueprint. The original doesn't have links for all the topics, so here it is with links for almost everything. Any feedback is appreciated, especially for the few areas where I couldn't find any relevant information.

There is also a PDF version for download.

1.00    Implement Layer 2 Technologies

 (a) 802.1d
 (b) 802.1w
 (c) 802.1s
 (d) Loop guard
 (e) Root guard
 (l) BPDUFilter
 (o) UDLD

 (b) Pruning
 (h) SNMP
 (j) SSH
 (k) Banners

 (e) ISL
 (f) 802.1Q
 (h) PaGP
 (i) LACP

 (c) Topologies

 (a) Clock Rate
 (b) CHAP
 (c) PAP
 (h) MLP


2.00    Implement IPv4

            (1) Gateway Option

 (b) Stub area
 (u) Router ID

 (a) Best path
 (t) Router ID

 (a) iBGP
(a) Tunnel
(b) Redistribute
(c) Static route
(d) Default route
(e) Policy route
 (b) eBGP
 (1) Multihop
                        (a) Local Pref
                        (b) MED
                        (c) AS PATH
                        (d) Weight
            (9) BGP Communities
            (10) Regex Engine Performance Enhancement
            (11) Hide Local AS
            (12) Conditional Route Advertisement
            (13) Remove Private AS
            (14) AS PATH Filtering
            (15) BGP Policy Accounting
            (16) NSF Awareness
            (17) Support for TTL Security Check
            (19) Support for Next-Hop Address Tracking
            (20) Outbound Route Filtering

            (1) Default Seed Metric
            (2) Setting parameters with a Route Map

3.00    Implement IPv6

 (c) Multicast
 (d) Anycast
 (e) Site Local

 (a) Manual
 (b) GRE/IPV4
 (c) 6to4
 (e) NAT-PT

3.80    Implement RIPng


4.00    Implement MPLS Layer 3 VPNs


 (g) BGP SOO

 (a) VRF-Lite
 (c) MP-BGP Prefix Filtering


5.00    Implement IP Multicast

  (a) Auto-RP
 (2) Static mapping of Auto-RP groups:

ip pim rp-address 55
access-list 55 permit
access-list 55 permit

 (c) BSR

 (a) RPF
 (b) RPF Check
 (c) SSM
 (k) Anycast

 (b) MLD


6.00    Implement Network Security

 (b) Log
 (c) Log-input

6.05    Implement AAA
 (a) Client Side in IOS

 (c) Host Mode

6.11    Implement NAT

6.14    Implement security features

7.00    Implement Network Services

7.50    Implement DHCP


8.00    Implement Quality of Service (QoS)

 (f) Policing
 (g) Shaping
 (h) Marking
            (1) CoS
            (2) DE
            (3) Experimental Bits [2]
            (4) IP Precedence
            (5) DSCP
            (1) RTP Header Compression
            (2) TCP Header Compression
            (3) Class-Based Header Compression Methods
 (k) Legacy QoS
(1) CQ
(2) PQ
            (3) FRTS
            (4) CAR

 (c) policies

 (b) VoIP


9.00    Troubleshoot a Network


10.00    Optimize the Network

10.03    Implement NetFlow
10.04    Implement SPAN, RSPAN, and router IP traffic export (RITE)

 (a) SPAN
 (b) RSPAN
            (1) Configure IP Traffic Export
            (2) Configure IP Traffic Capture
            (3) Filter with ACLs
            (4) Filter with Sampling
            (5) Capture Bidirectional Traffic

 (a) Version 2
 (b) Version 3

10.08    Implement FTP
10.09    Implement TFTP
10.13    Implement Telnet


11.00    Extra

10.01    DNS
11.02    SDM
11.03    TCP