Travis Newshott I have been studying for my CCIE Security since late last year, with a short hiatus after Cisco Live due to health issues — more on that in a later post. I had to get my hands on a copy. Sharp, funny and very talented; needless to say I had high expectations of her book. I did not get a copy of the book in time for it to help much with my lab studies for an attempt in mid-June, but walking out of the lab and then reading this book was eye opening. It provides a focus on the scope and types of tasks you will face on the real lab, without going anywhere near actually teaching the exam.

Author: Kazrak Mijinn
Country: Cayman Islands
Language: English (Spanish)
Genre: Personal Growth
Published (Last): 28 December 2015

The ID of the virus begins on the third character of the payload. The virus originated on VLAN You cannot use any ACLs to block traffic to this host specifically but can use a static route pointing to null 0 for traffic destined to R2 can have an additional static route pointing to null0.

Use a BGP feature on R2 to ensure traffic to this source is blocked. Prevent unnecessary replies when traffic is passed to the null0 interface for users residing on VLAN Configure PIM sparse mode on all required interfaces.

R3 should also be used to advertise its own gigabit interface IP address as an RP. Do not use the command ntp server in any configurations. Routers R1, R2, and R4 should all show a clock synchronized to that of R3. The policy should ensure either command is not executed and should consist of a single-line command for the CLI pattern detection. The policy and CLI should run asynchronously. The policy should also generate an email from the router to a mail server residing on IP address In the actual CCIE lab, the Proctor will not enter into any discussions regarding the questions or answers; he or she will be present to ensure you do not have problems with the lab environment and to maintain the timing element of the exam.

A: You are requested to configure root bridges in a later question. Is this acceptable? A: Yes. Q: If I explicitly configure Switches 1 and 2 as root bridges, surely this will never enable Switches 3 and 4 to become root bridges? If a superior BPDU is received on ports connecting to Switches 3 and 4 from Switches 1 and 2, Switches 3 and 4 could become root bridges; use a feature that effectively ignores a superior BPDU if received. Q: Do you want me to disable spanning tree down to Switches 3 and 4?

A: No, spanning tree must remain in operation. Q: Can I configure the switchport block multicast command? A: No, the question directs you how to use the trunks. Is there anything else I need to do? A: Remember the switches are in VTP transparent mode; you might want to check that Switch2 has the required VLANs configured to enable propagation within your switched network. A: There have been recent advances in OSPF enabling you to configure it purely under specific areas of the router rather like with IPv6.

Take a look at the commands available to you under the interfaces. Q: My neighbor relationship is down over the Frame Relay network. Can I change these? A: No, use an alternative method of bringing the interface parameters back into line. Q: My secondary address is advertised automatically under OSPF; can I use a distribute-list or prefix type list to block it? Is this okay?

A: No, the question states that your solution should cater for either Layer 1 or Layer 2 failures and that the Ethernet should remain up. Backup interfaces would be fine for a Layer 1 failure but not for a Layer 2 type issue if you had problems with specific DLCIs that caused neighbor failures over the Frame Relay.

This feature would also ensure the Ethernet network would be down until the backup interface is activated. A: No, this would involve a neighbor relationship being maintained. You need to allow only the neighbor relationship to be formed if a failure condition occurs.

A: No, this might aid in failure detection, but it does not meet the objectives of the question. Is this normal? Duggan [21] A: Yes, perform a debug of the Frame Relay packets if you need to; remember what you need to gain IP connectivity on a Frame Relay network.

Is this anything to do with tracking the response to the ping? Q: How about if I use policy routing with the next hop based on the tracking status? A: This is fine; just remember that this traffic will be based locally on the router when applying any policies. A: Not if you have configured correctly; take a look at your topology and areas.

Something might have changed when R5 connects over the Ethernet. Section 2. A: Yes, this is fine and is in accordance with the question. A: No, you should use a feature on R4 to block them. Q: Can I use a neighbor prefix list to block the Loopbacks? A: No, you cannot use any type of ACLs or prefix lists. Section 2. A: No, you should have blocked these from entering your IP routing table within R4 previously, so additional blocking would not be required. Q: I have only one redistribution point, and there is no benefit in creating filtering to protect against potential routing loops between protocols.

A: Yes, in this scenario this would be superfluous. Use a more general method of allowing a specific number of routes. A: You need to determine whether you need this feature on or off. Q: Do you want me to configure ebgp multihop but limit it to a value of 2 on R3 for a TTL security check?

A: You need to ensure that your peering still works effectively between R3 and R4 when you have configured this feature.

Q: I find that when the Frame Relay network fails my neighbor relationship is still maintained between R2 and R5. This is because the Loopback routes are still available over the alternative path through the network. Can I block my Loopbacks or policy route at some point to effectively break the peering?

A: You do need to effectively break the peering, but there is a far simpler method of achieving this that still maintains unaltered communication between R2 and R5. Think about what you need to configure when you have EBGP peers. Q: I might have been a little generous with my original multihop value between R2 and R5. A: Yes. Just think about whether R2 is the best place to send the community to originally. Is it okay to use the first address in the subnet?

A: No, you still have two ACLs. A: No, you are instructed to use an ACL; your solution would require additional configuration. Q: Can I use a prefix-list to achieve this? A: No, you are instructed to use an ACL. A: Not necessarily; you would need to match only one requirement on the permit functionality; the other could be met by deny. A: No, if these were required you would have been instructed to do so in the question. Should I be able to?

A: Yes, if you debug your Frame Relay traffic, you will find you need additional configuration. Q: Can I tunnel between R1 and R2?

A: This issue is addressed in the following task. A: No, find a way to still run RIPng between routers without enabling it on the physical interfaces. Q: Can I tunnel between R4 and R5? Section 4. A: No, static routes are permitted unless specified. What would you do if this were IPv4? A: No, this would also require you to perform redistribution at this point?

Is this OK? Q: I have created my tunnel and found that this is now the primary route rather than an alternative path. Can I perform some kind of backup interface to make this come up only if a failure occurs on the Frame Relay? This approach would also break your IPv4 network; think why the Ethernet path is preferred and manipulate it.

Q: Can I use a prefix-list to block the summary and permit all other IPv6 routes? A: Yes, this is fine. A: No, this should be completed as part of your policy. Q: Shall I rate-limit my ports to 5M on a per-port basis?

A: Yes, just use the available limits within the command options. Q: I am trying to assign bandwidth within my class with the speeds supplied, but I can see only a percentage option, is this correct?

A: Yes, you need to do some math. You are supplied with the information you require and just need to remember how fast a T1 line is. Investigate the options open to you with NBAR.


Book Review : CCIE Security v4.0 Practice Labs by Natalie Timms



CCIE Routing and Switching v4.0 Configuration Practice Labs, Second Edition by Martin J. Duggan


