This post will deal with configuring Layer 2 VLANs on Cisco switches. Up to 4094 VLANs can be configured on Cisco catalyst switches. By default, only VLAN 1 is configured on the switch, so if you connect hosts on an out-of-the-box switch they all belong to the same Layer 2 broadcast domain.

The need to configure several Layer 2 VLANs on a switch arises from the need to segment an internal Local Area Network (LAN) into different IP subnetworks. If you want for example to separate the different departments of your enterprise into different IP subnetworks, then each department should belong to its own Layer 2 VLAN. For example, let’s assume the following scenario:

• Accounting Department: IP Subnet 192.168.2.0/24 –> VLAN 2
• Management Department: IP Subnet 192.168.3.0/24 –> VLAN 3
• Engineering Department: IP Subnet 192.168.4.0/24 –> VLAN 4

By separating the internal LAN into different IP subnets (and thus different VLANs) allows the network administrators to enforce traffic restrictions if needed between departments and have better control of internal hosts.

VLAN assignment on a switch is configured on a per-interface basis. That is, each switch port interface is assigned individually into a Layer 2 VLAN. If you have more than one switch connected and you want the same VLANs to belong across all switches, then a Trunk Port must be configured between the switches. The Trunk Port passes all VLANs between the switches. Let’s see the following network scenario to help us clarify some concepts.

On the LAN network above, we have three VLANs. VLAN 2,3, and 4. VLAN 4 belongs both to SWITCH 1 and SWITCH 2, therefore we need a Trunk Port between the two switches in order for hosts in VLAN4 in Switch 1 to be able to communicate with hosts in VLAN4 in Switch 2.

The ports of the two switches shall be configured as following:

SWITCH 1:
Fe0/1 – Fe0/2 –> VLAN 2 (Accounting)
Fe0/10 – Fe0/11 –> VLAN 4 (Engineering)
Fe0/24 –> Trunk Port

SWITCH 2:
Fe0/1 – Fe0/2 –> VLAN 3 (Management)
Fe0/10 – Fe0/11 –> VLAN 4 (Engineering)
Fe0/24 –> Trunk Port

Configuration:

Switch 1 Configuration:
!  Create VLANs 2 and 4 in the switch database
Switch1# configure terminal
Switch1(config)# vlan 2
Switch1(config-vlan)# name Accounting
Switch1(config-vlan)# end

Switch1(config)# vlan 4
Switch1(config-vlan)# name Engineering
Switch1(config-vlan)# end

!  Assign Ports Fe0/1 and Fe0/2 in VLAN 2
Switch1(config)# interface fastethernet0/1
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 2
Switch1(config-if)# end
Switch1(config)# interface fastethernet0/2
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 2
Switch1(config-if)# end

!  Assign Ports Fe0/10 and Fe0/11 in VLAN 4
Switch1(config)# interface fastethernet0/10
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 4
Switch1(config-if)# end
Switch1(config)# interface fastethernet0/11
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 4
Switch1(config-if)# end

!  Create Trunk Port Fe0/24
Switch1(config)# interface fastethernet0/24
Switch1(config-if)# switchport mode trunk
Switch1(config-if)# switchport trunk encapsulation dot1q
Switch1(config-if)# end

One form of VLAN Hopping is double tagging, so named because the intruder will transmit frames that are “double tagged” with two separate VLAN IDs. As you’ll see in our example, certain circumstances must exist for a double tagging attack to be successful:

The intruder’s host device must be attached to an access port.

The VLAN used by that access port must be the native VLAN.

The term “native VLAN” tips us off to the third requirement – dot1q must be the trunking protocol in use, since ISL doesn’t use the native VLAN.

When the rogue host transmits a frame, that frame will have two tags. One will indicate native VLAN membership, and the second will be the number of the VLAN under attack. In this example, we’ll assume that to be VLAN 100, with the native VLAN set as VLAN 25.

The trunk receiving this double-tagged frame will see the tag for VLAN 25, and since that’s the native VLAN, that tag will be removed and then transmitted across the trunk – but the tag for VLAN 100 is still there!

When the switch on the other side of the trunk gets that frame, it sees the tag for VLAN 100 and forwards the frame to ports in that VLAN. The rogue now has successfully fooled the switches and has hopped from one VLAN to another.

This is why you often see the native VLAN of a network set to a VLAN that no host on the network is a member of – that stops this version of VLAN Hopping right in its tracks.

Notice that I said “this version”. We’ll take a look at another VLAN Hopping tactic in the next installation of my CIsco CCNP BCMSN certification exam tutorial series!

Over the last week, I have done a fair amount of work segmenting a network with VLANs. VLAN, or virtual LAN, configuration is typically easy, but there are a few things that you need to know to be successful. This newsletter covers the basic configuration of VLANs on Catalyst switches. Examples are based on IOS switches. Check the links provided at the end of this article for examples of VLAN configurations using CatOS-based switches.

Cisco defines a VLAN as a broadcast domain within a switched network. VLANs allow you to segment your switched network so that broadcast domains are smaller, leaving more bandwidth for your end nodes. Devices that are in one VLAN do not receive broadcasts from devices in another VLAN. For devices on different VLANs to communicate, a layer 3 device (usually a router) must be used.

The first consideration for setting up VLANs in your network is planning your environment. Will the VLANs span multiple switches, or will you only be segmenting one switch? If you only have one switch to segment, you can just configure the VLANs with no other considerations. If you need to span multiple switches with VLAN information, you will need to decide which switches need which VLANs. You will also need to configure trunking and set up VLAN Trunking Protocol (VTP).

To configure VLANS on a single switch, you can use the following commands from privileged mode:

SwitchA# vlan database
SwitchA(vlan)# vlan 2 name vlan2
SwitchA(vlan)# exit
SwitchA# configure terminal
SwitchA(config)# interface fastethernet 0/1
SwitchA(config-if)# switchport mode access
SwitchA(config-if)# swichport access vlan 2
SwitchA(config-if)# end

These commands create VLAN number 2 and name it vlan2. Fast Ethernet interface 0/1 (on my Cat 2924XL-M) is then configured to use vlan2. It is important to note that VLAN 1 is used for the management VLAN, so any VLANs created should be numbered 2 to 1000.

For VLAN information to be passed between switches, trunking must be configured between the switches. VLAN trunking allows a port to pass traffic from multiple VLANs between the two switches. Frames travelling over a trunk are tagged to identify which VLAN the frames belong to. When implementing trunking between switches, the ports at either end of the connection must be set up for trunk mode and the trunk encapsulation mode must match. Trunk encapsulation dictates the manner that frames are identified (tagged) on a trunk and defines the VLAN services available. There are four types of trunking encapsulations:

1) Inter-Switch Link Protocol (ISL)
Cisco proprietary trunking protocol.

2) IEEE 802.1Q (dot1q)
Industry standard trunking protocol.

3) LAN Emulation (LANE)
Used for trunking VLANs over ATM links.

4) IEEE 802.10 (dot10q)
Cisco proprietary method for transporting VLAN information inside standard FDDI frames.

To set up trunking between two switches, use the following commands:

SwitchA(config)# interface fastethernet 0/1
SwitchA(config-if)# switchport mode trunk
SwitchA(config-if)# switchport trunk encapsulation dot1q

Repeat commands on SwitchB.

This sets up fast Ethernet interface 0/1 to be a trunk port using dot1q encapsulation. It is important to note that once you change one side of a connection to trunk mode, communication between the two switches will be lost until the other side is configured for the same mode/encapsulation. If you are trying to set up trunking remotely, always change the far side of a connection first. The port is currently passing information for all VLANs (1-1005). To limit which VLANs will be allowed to pass information on the port you can use the following commands:

SwitchA(config)# interface fastethernet 0/1
SwitchA(config-if)# switchport trunk allowed vlan remove 1-1005
SwitchA(config-if)# switchport trunk allowed vlan add 1-3

Repeat commands on SwitchB.

This removes the default of all VLANs, and adds back support for VLANs 1-3. It is good practice to remove everything and only add support for the VLANs that are required. We now have two switches happily passing VLAN traffic for VLANs 1-3. This process is great for a small number of switches with a limited number of VLANs. In a large environment that has a large number of switches, and requires several VLANs, it can be difficult to maintain the configuration on each switch.

Have you ever wondered what a Virtual LAN (or VLAN) is or been unclear as to why you would want one? If so, I have been in your place at one time too. Since then, I have learned a lot about what a VLAN is and how it can help me. In this article, I will share that knowledge with you.

What is a LAN?

Okay, most of you already know what a LAN is but let’s give it a definition to make sure. We have to do this because, if you don’t know what a LAN is, you can’t understand what a VLAN is.

A LAN is a local area network and is defined as all devices in the same broadcast domain. If you remember, routers stop broadcasts, switches just forward them.

What is a VLAN?

As I said, a VLAN is a virtual LAN. In technical terms, a VLAN is a broadcast domain created by switches. Normally, it is a router creating that broadcast domain. With VLAN’s, a switch can create the broadcast domain.

This works by, you, the administrator, putting some switch ports in a VLAN other than 1, the default VLAN. All ports in a single VLAN are in a single broadcast domain.

Because switches can talk to each other, some ports on switch A can be in VLAN 10 and other ports on switch B can be in VLAN 10. Broadcasts between these devices will not be seen on any other port in any other VLAN, other than 10. However, these devices can all communicate because they are on the same VLAN. Without additional configuration, they would not be able to communicate with any other devices, not in their VLAN.

Are VLANs required?

It is important to point out that you don’t have to configure a VLAN until your network gets so large and has so much traffic that you need one. Many times, people are simply using VLAN’s because the network they are working on was already using them.

Another important fact is that, on a Cisco switch, VLAN’s are enabled by default and ALL devices are already in a VLAN. The VLAN that all devices are already in is VLAN 1. So, by default, you can just use all the ports on a switch and all devices will be able to talk to one another.

When do I need a VLAN?

You need to consider using VLAN’s in any of the following situations:

• You have more than 200 devices on your LAN
• You have a lot of broadcast traffic on your LAN
• Groups of users need more security or are being slowed down by too many broadcasts?
• Groups of users need to be on the same broadcast domain because they are running the same applications. An example would be a company that has VoIP phones. The users using the phone could be on a different VLAN, not with the regular users.
• Or, just to make a single switch into multiple virtual switches.

Why not just subnet my network?

A common question is why not just subnet the network instead of using VLAN’s? Each VLAN should be in its own subnet. The benefit that a VLAN provides over a subnetted network is that devices in different physical locations, not going back to the same router, can be on the same network. The limitation of subnetting a network with a router is that all devices on that subnet must be connected to the same switch and that switch must be connected to a port on the router.

With a VLAN, one device can be connected to one switch, another device can be connected to another switch, and those devices can still be on the same VLAN (broadcast domain).

How can devices on different VLAN’s communicate?

Devices on different VLAN’s can communicate with a router or a Layer 3 switch. As each VLAN is its own subnet, a router or Layer 3 switch must be used to route between the subnets.

What is a trunk port?

When there is a link between two switches or a router and a switch that carries the traffic of more than one VLAN, that port is a trunk port.

A trunk port must run a special trunking protocol. The protocol used would be Cisco’s proprietary Inter-switch link (ISL) or the IEEE standard 802.1q.

Hello,  I am having a problem with host hbas logging into a CLARiiON array via IVR.  The hbas are zoned to 2 sp ports (spa and spb).  Usually only one SP port gets logged into successfully. This is very strange.  Sometimes it works fine.  Then I start trying to get the others working and the working one goes away.

Simple IVR topology.  Site 1, 3 switch fabric (vsan 250) connected via GE FCiP to site 2, 1 switch fabric (vsan 100).  Transit vsan is 1000.  The IVR zoneset is consistant on all switches.  All IVR zones are injected into the active running zones on the switches and show as active.  All fcns entries are correct (so I think).  Meaning sh fcns data vsan 100, 1000 and 250 all show the hbas N ports and storage ports logged in.  No errors anywwhere. We have an extremely robust site to site connection (4G fcip per fabric A and B).  2ms ping times, RTT 270us consistantly (dark fiber).  We are getting about 600MB/sec throughput with no errors.

I’m pretty much on my own.  I have opened a case with the vendor… but they are not making any head way… sh tech-supports have been sent in etc etc.

Hopefully this will help someone.  I figured this problem out myself.  Apparently this is a known issue leveraging FCiP WA.  If an hba has multiple paths to a target, and multiple equal cost paths over FCiP tunnels WA can cause issues.  I disabled WA and everything started working fine.

Our site to site configuration is across 4 GigE links per fabirc channeled together in 2 port channels, equal cost.  We are migrating our ESX clusters to a new data center via SVmotion (esx storage vmotion) across these links.  Not leveraging WA seems to of really slowed things down, but, at least the environment is stable.

At the FCC broadband workshop held this morning, researchers argued for a new Internet architecture built upon infrastructure currently used in large data centers that would be capable of adapting itself to deliver each individual application. Meanwhile, those associated with think tanks and the broadband industry argued that the most significant Internet-related innovation is already behind us and that we need to think about embedding more intelligence into the network we have.

It reminded me of Vanity Fair’s awesome story about the making of the web in which Bob Metcalfe relates his attempts to show some AT&T executives the precursor to the Internet:

Bob Metcalfe: Imagine a bearded grad student being handed a dozen AT&T executives, all in pin-striped suits and quite a bit older and cooler. And I’m giving them a tour. And when I say a tour, they’re standing behind me while I’m typing on one of these terminals. I’m traveling around the Arpanet showing them: Ooh, look. You can do this. And I’m in U.C.L.A. in Los Angeles now. And now I’m in San Francisco. And now I’m in Chicago. And now I’m in Cambridge, Massachusetts—isn’t this cool? And as I’m giving my demo, the damned thing crashed. And I turned around to look at these 10, 12 AT&T suits, and they were all laughing. And it was in that moment that AT&T became my bête noire, because I realized in that moment that these sons of bitches were rooting against me.

Today’s workshop, called “The Future of The Internet,” had a similar feel, with researchers David Clark, professor at the MIT Computer Science and Artificial Intelligence Laboratory, and Taieb Znati, division director for the National Science Foundation, talking up the idea of virtualizing communications networks in order to create several networks optimized for delivering different types of applications. By the way, this focus on the ability to deliver a specific application vs. delivering a set speed is a sticky topic when it comes to defining broadband. Going forward, we’re going to be hearing a lot about it.

Scott Shenker, a professor of computer science at UC Berkeley,  added that such a re-imagined network could be created by mirroring some of the wide area networks used by the likes of Amazon and Google to send information around their data centers. As he noted, today’s telecommunications networks are built atop of specialized hardware with routers running proprietary software. He argued that if the Googles and Amazons of the world could take their focus on deploying commodity hardware and open-source routers to the telecommunications industry, the entire infrastructure of the Internet would change — including allowing for lower-cost networks that could be virtualized.

As the theory moved farther outside of the current telecommunications model, Robert Atkinson, president of the technology industry-funded think tank Information Technology and Innovation Foundation, brought things back to the present by saying that the largest innovations on the web may be behind us and that while the Internet of 2022-2023 would be different from what it is today, it won’t have gone through the evolutionary changes seen in the last decade. His wish list included more embedded intelligence in the network to help advance packets and manage a flow of real-time data, as well as some type of authentication and identification for users.

The end goal seems to be figuring out how to build a network that knows what the content it’s delivering is and where it came from rather than a packet-based network focused on getting unidentified bits from machines. How this will relate to the National Broadband Plan that’s due next year is unclear, but the ideas expressed in the panel are worth listening to. So if you’re curious about what’s out on the fringes for the future of the web, check out the webcast of this panel, which sadly, I could not embed here.

Padmasree Warrior is, to quote her biography on their company blog “Cisco Systems’ Chief Technology Officer. As CTO, she is responsible for helping drive the company’s technological innovations and strategy, and works closely with its senior executive team and board of directors to align these efforts with Cisco’s corporate goals.

As an evangelist for what’s possible, she pushes the organization to stretch beyond its current capabilities – not just in technology, but also in its strategic partnerships and new business models”.

Here’s Padmasree’s 5 predictions for the future of collaboration, fleshed out by her in more detail here:

1. Collaboration Networks will be to Enterprises what Social Networks are to Consumers

My previous post railing about people confusing ’social media’ marketing with the intricate strategic and tactical connectivity inside companies, and others in their orbit, has a good counterpoint in Padmasree’s posts.

I don’t like the word ’social’ in a business context, not least because the word has deep meaning, particularly for those not living in the tech bubble. Socialism in a political sense, company social clubs and the general connotations of socializing and shmoozing. Many companies in Europe have a long tradition of employee social clubs, as another example. It’s a culturally messy word with a lot of baggage globally.

‘Collaboration Networks’ is a much more elegant way to describe business uses of similar technologies to the ones we use in our personal lives to stay in touch with friends. I’m going to use this term going forward as it is a great fit, is more accessible semantically than ‘Enterprise 2.0′ to the lay person and makes good sense to those in the non IT business world.

2. It is not about “on-premise” versus “on-demand”, it will be all about the User Experience

Steve Balmer’s famous ‘Developers, Developers, Developers‘ engineer cheerleading video clip badly needs a larger than life counterpart with someone bellowing ‘Users, Users, Users’. Malcolm Gladwell wrote in Blink about the ‘the first two seconds of looking–the decisive glance that knows in an instant’.

This is the reality with software. No one cares about the clever technology stack underpinning the system, all they care about is if they are going to be able to use it for their needs, if it will be useful, and if they can find stuff easily.

3. Innovation will be redefined by Operational Excellence

Padmasree: “There is a long-standing debate about what drives long term success: Is it innovation OR Operational Excellence?  Traditionally we viewed this as an either-or proposition, and most companies have taken pride in being really good at one or the other.

What we hear from most CEOs, CTOs and CIOs is that we need to do both — especially during the current economic downturn.  We no longer have the luxury of choosing one vs. the other.

- Beautifully put!

4. Organizations without boundaries will drive the next wave of productivity

“This prediction is rooted in the fact that business processes must extend beyond corporate firewalls.  That means they must encompass people outside the company as readily as they do people inside the four walls“.

This is the area where the confusion builds with ’social media’ marketing efforts. One of the biggest headaches in enabling ‘through the firewall’ collaboration is security and IP protection. The VPN connectivity necessary  to connect friends but not foes isn’t trivial, and the buzz around marketing transparency can obscure the delicate tactics around this.

5. Information Technology will evolve into Information Fabric

“…the future is no longer just about the management and routing of information.  It’s about providing people with the right information at the right time, connecting communities that can improve the relevance, and accelerating decisions to drive value for the business.  Importantly, it’s about weaving that information fabric into business processes so they run more efficiently and connect with each other in ways that were simply not possible before.”
The great pathfinding work done by John Hagel & John Seely Brown in their 2005 book ‘The Only Sustainable Edge: Why Business Strategy Depends on Productive Friction and Dynamic Specialization‘ is reflected here. Their sophisticated discussion of ‘performance fabric’ has ben neatly co-opted by Cisco to sell Padmasrees’ concept.

The Value of Certification for Employers

As organizations become more globally connected, they are also more vulnerable to network attacks and threats. Compromised security can disrupt key operations, reduce productivity and inflict significant economic losses on a business. While many innovative security products are available, it is the security experts who choose, implement and maintain the appropriate solutions that will truly protect assets and ensure seamless operations. In this environment, certification is an objective way of identifying such experts.

Another reality of IT security is that hiring managers may have little direct experience with the technologies their employees must implement and maintain. Even small and medium-sized businesses are adding security professionals to their staff. Hiring managers need a benchmark to help them choose a qualified person. Certifications can play an important role in gauging and verifying an individual’s proficiency and skill set.

Security concerns are not just confined to the company’s managers and executives. Customers, investors and business partners are also sensitive to security threats. Having certified individuals on staff can increase the confidence these groups have in their interactions with an organization, boosting credibility, reputation and value.

Security is no longer just a technology concern, but a key strategic consideration. As companies rely more on their networks to connect employees, business partners and customers, security has become increasingly complex. Many key security technologies are still evolving, and new standards are emerging. You might wonder if it’s possible to develop a valid security certification. Do the vast array of certifications available offer real value or merely reflect the booming interest in security?

A survey of security-related IT positions over the past five years finds increasing specialization in areas such as security design, virtual private network (VPN) implementation, security operations and intrusion analysis. Some of these roles are being recognized as individual professions, with universities offering course work in certain security disciplines and industry associations catering to specific niches. As the roles have become more narrowly defined, the skills required have too. Specialization therefore actually facilitates certification, as exams and programs are able to focus on a more specific set of topics.

The Value of Certification for Professionals

On an individual level, certifications help you characterize your experience and expertise for potential employers. Earning a particular security certification, especially one with rigorous hands-on testing, offers objective proof of your ability. In a slow job market, certifications help you differentiate yourself from other job seekers and can help you position yourself for broader opportunities. In a current work situation, earning a certification can lead to a higher level of trust or authority over new projects.

With the demand for IT professionals who are certified in security-related topics on the rise, those holding the most highly regarded certifications are reported to receive consistently higher base salary, bonuses and raises compared with other, less specialized IT positions. According to Information Security Magazine, “Security professionals in four out of six surveyed positions earn in excess of $100,000 in annual base salary and bonus.” Salary scales for security certification holders are actually outperforming the overall market for IT professionals, and overall, security experts have maintained their value and positions equally or better than most other skill sets in the past years.

Cisco’s Security Strategy and Certification Program

Cisco Systems Inc. is committed to the intersection of networking and security. Cisco’s Integrated Security strategy is a critical component of the Intelligent Information Network and has led to Cisco’s recent acquisitions of Riverhead Networks and Twingo Systems, as well as its “Self-Defending Network” initiative-an innovative approach to security that develops the network’s capability for identifying, preventing and mitigating security threats.

Cisco offers three graduated levels of certification: Associate, Professional and Expert. The expert-level certification, Cisco Certified Internetwork Expert (CCIE) is known throughout the industry as the “doctorate of networking.” CCIE is one of the industry’s most respected certifications, requiring candidates to pass both a written exam and an eight-hour, hands-on lab exam.

In 2001 Cisco began offering a special CCIE track for security. Cisco recently revised the exam with updated security technologies. The new exam tests knowledge of stand-alone intrusion detection system (IDS) sensors, which provide accurate threat detection and quick response to breaches; stand-alone VPN concentrators, which create a secure path into the enterprise and improve security for branch locations and remote employees; VPN/security management systems, which help configure, deploy and troubleshoot complex, secure networks; and AES and EAP wireless protocols, which help ensure secure wireless access.

Choosing the Right Certification Program

A list of current programs shows certifications sponsored by hardware vendors, software vendors, point solution vendors, process specialists, consulting organizations and industry consortiums. How do you decide which credential to pursue?

You might start by considering one of the most notable trends in information technology today—the growing connection between security and the network. According to Jon Oltsik, senior analyst at the Enterprise Strategy Group and security industry expert, “Networking and security are moving closer together—a critical process in ensuring system availability and performance.”

Another consideration should be the reputation and rigor of the program. As more and more IT certifications have been introduced in the market, skepticism has grown over whether a particular exam tests real-world skills or merely theoretical knowledge that can be found in a book. Hands-on exams stand out as being the most practical and the toughest to pass.

Make sure the certification you spend your time and effort to earn is well respected in the industry as a symbol of true expertise. Find out whether the program has a requirement for recertification and how often the exams are revised and updated. You want your certification to have strict standards to maintain its value over time.

I was fortunate enough to talk to Lorne Braddock Sr., the manager of the CCIE program, about the move from a two-day test to a one-day test. Like many CCIEs, I had a knee-jerk reaction to the move. I was aware of the huge backload that Cisco was experiencing with people waiting to get into the lab; in some cases, the waiting list was approaching a year long. Many Cisco partners required people to get certified to retain or gain a preferred partner status. For many Cisco partners, the revenue difference between a gold and silver partnership is in the millions. Another problem for Cisco and its customers was the difficulty in scheduling a two-day exam that you can get sent home early on. This not only costs time and money to Cisco’s customers, but it also leaves many open lab slots.

Moving to a one-day, 8 1/2-hour test resolved many of these problems, but the question remained—what do you cut? The program decided to enhance the Layer 1 or physical aspect of the written test. The physical portion of the lab exam was a rather “technically” small portion of the lab exam, but it did consume some time. Another portion of the exam that could be cut was the troubleshooting portion. The reality is that if you spent the last 8 1/2-hours successfully configuring this very difficult exam, you are not going to get stumped when someone changes the router password or an IP address. I personally know a lot of CCIEs, and of those who have failed the exam, no one has ever failed the troubleshooting portion. Therefore, the four hours of troubleshooting also was cut from the lab exam.

In a nutshell, Cisco made the written portion of the CCIE exam more difficult because it deals with more physical layer topics. The lab exam now is a one-day, 8 1/2-hour exam in which time will be critical factor.