Interview CCIE R&S candidates

Unanswered Question
Jul 10th, 2009

I need to interview CCIE R&S for an opening position in the company. I am told to do this because I am the most qualified R&S person in the company which is not true. I am a security person.

Nevertheless, I interviewed three CCIE people so far and I asked them three questions:

Question #1: Give the candidate an output of tcpdump and ask him to explain the output

Question #2: How does eBGP with MD5 authentication work across the firewall? What must be taken into account for this to work?

Question #3: In eBGP multi-hop configuration, your BGP configuration looks correct, both BGP routers can ping each other and TCP port 179 is allowed. The BGP configuration looks correct but BGP does not come up. What could be the problem?

None of the CCIE R&S folks I interviewed so far was able to answer these questions correctly. Is that normal?

What would be the typical questions to ask CCIE R&S in an interview?

Thanks in advance

Danilo Dy Fri, 07/10/2009 - 03:54

It would be best to ask applicants questions related to the job that he/she will be doing in the company (technical or non-technical). More focus on the main job.

Asking an applicant a question that has nothing to do with the job he/she will be doing in the company is not productive. What if the applicant is able to answer all the questions correctly, but when he/she starts working on the job he/she cannot perform?

It doesn't matter what certification the applicant possesses.

Jon Marshall Fri, 07/10/2009 - 04:06


Answer is it depends. 2 of your questions are about BGP. Perhaps the CCIE's you interviewed were not that experienced with BGP or hadn't used it in a while. Just being a CCIE does not mean you have immediate recall on any routing or switching question.

I have done technical interviews before and one of the key things to remember is that a question is always easy to answer when you know the answer :-). So you can sit down and write out 20 questions based on what you know. To you they seem obvious, but maybe not to the person you are interviewing.

Also, as Dandy pointed out, the questions should be based on what you need them to do. If they need detailed knowledge of BGP then you can probably rule the above candidates out. But if they don't need to know BGP in any great detail your questions and their answers haven't really helped you to make a decision.

You may also want to consider more open ended questions such as

Explain how an MPLS network works in terms of switching traffic from A to B. This would focus more on their understanding of specific concepts than their knowledge of specific commands/problems.


Mohamed Sobair Fri, 07/10/2009 - 04:24

Hi Truong,

I would rather choose to ask a candidate about conceptual question more into technology.

For example:

1- Choosing the right routing protocol, where and why in a particular situation; this could provide you with complete candidate knowledge of routing protocols in particular scenarios.

2- One question regarding a design, not purely a design question but as to where to implement specific technology equipment and why. That equipment could be security equipment, switches, routers, etc.

3- What is the best way, for example, to connect Internet edges and why?

4- Characteristics and best way for implementation, troubleshooting and solving a problem.

**Don't focus only on a particular subject, try to ask different technical questions related to different technology.

** your Question on BGP Md5 authentication should be known by every CCIE I think even if he is not a Security person** (It's one of the best questions to gather the interviewee security knowledge)**

I don't agree that your whole questions are the right ones because they don't provide you with at least 80% of the technical interviewee's conceptual technology knowledge.



Jon Marshall Fri, 07/10/2009 - 04:37


"I would rather choose to ask a candidate about conceptual question more into technology."

Totally agree with this.

"** your Question on BGP Md5 authentication should be known by every CCIE I think even if he is not a Security person** (It's one of the best questions to gather the interviewee security knowledge)**"

I don't however agree on this. Quick search on CCO - "bgp firewall" and the first doc in the results tells you exactly what the issues of BGP/MD5 through a firewall are. If it's that quick and easy to look up does it really matter if they can remember it or not?


Mohamed Sobair Fri, 07/10/2009 - 04:46

Hi Jon,

What I meant is conceptual basic security knowledge, not a config point of view.

You are saying a quick search in the CCO with (BGP firewall) will remind you, but this depends on his knowledge in the first place about FW rules. If he doesn't know a firewall would break the hash algorithm of the MD5 authentication related to BGP, he wouldn't even search correctly or find the appropriate CCO document for that. Am I correct?



Jon Marshall Fri, 07/10/2009 - 04:53


You have a good point in that firewalls do have a habit of breaking things :-)


guruprasadr Fri, 07/10/2009 - 05:53


Upon all, it is recommended to validate the 'presence of mind' of the Person (CCIE R&S) being interviewed :-)

Best Regards,

Guru Prasad R.

pompeychimes Fri, 07/10/2009 - 12:17

I've been in the same situation. I'm not a CCIE but I've interviewed many who are. I typically get nowhere with the types of questions you're asking. I didn't understand why until I had an interview and got totally embarrassed because I couldn't answer some questions.

I think I'm pretty good at what I do but you wouldn't know it by that performance.

Nowadays I ask the open ended and conceptual questions suggested earlier. With this knowledge as a foundation a good Engineer can figure out most things with a "?" and a trip to Google.

Danilo Dy Fri, 07/10/2009 - 22:45

I think there is some problem with some companies trying to hire a talent. They are more interested in how good the applicant really is, but sometimes that is not right; the applicant might be good in a lot of things, but does he fit the job requirement, which in the first place is the reason why the company is hiring? Do take note that there are people who are good during interviews (technical or non-technical) and there are people who are good at writing their CV.

The company should know what they need and publish that information in the Job Ad. Don't just publish "we want a CCIE". What do you want a CCIE for, what do you want a CCIE to do, how can the CCIE help your company, maybe a CCNP will fit the requirement? If you want a CCIE to reach the quota of number of CCIEs to have a partnership with Cisco, you don't even need to interview them. Just hire them :)

The interviewer must know the requirement why they are hiring such talent and focus the interview more on the main job responsibilities. The interviewer must have a list of questions prepared and have a scoring matrix (e.g. excellent, very good, good, poor), especially if you will be interviewing a lot of people, as you may lose track of which of the applicants excelled during the interview.

For deep technical questions, I suggest giving the applicant a multiple choice exam. Have some respect, even people who study for months to take their certification exams, Cisco gives them multiple choice exams - and the majority fail :)

Some basic interview questions like "how do you see yourself 5 years from now" should be left to the preliminary interview by HR personnel. I really don't know why interviewers still ask that question nowadays, doesn't it sink into their brains that we are in the 21st century and everybody has a goal, what for we live on this planet.

There are some aspects of the job that applicants, though they do them every day, don't remember like the back of their hands. I think I will be scared if an applicant is able to answer my questions asking them to detail the commands to configure Remote Access VPN in a Cisco ASA Firewall. This suggests that the applicant either doesn't have a life or something else :)

When I'm hiring a network professional, they know my requirement as published in the Job Ad. Of course they will tailor their CV to fit the requirement (only people who were born yesterday don't know that). I sort all applicants' CVs and ask several whose CVs fit the requirement to come for an interview. They were already interviewed by HR and given a written exam which I prepared. During the interview, I ask them to tell me about themselves (to make them comfortable first and also to know whether you can understand them when they speak), then ask them technical concepts according to the expertise they claim in their CV (which is my requirement or they tailored to my requirement). For example, I need a network professional who has experience in OSPF; I first ask him a fairly easy question, whether an ASBR router can be an ABR router. If he is able to answer that, I ask a more difficult technical concept question (still in OSPF). I will not ask the applicant about ISIS since we never use that in our network and don't have plans to use it.

One of the most important things about the applicants is their willingness to learn and their attitude. You should open this during the interview and take note of their reply. For example, you should ask the applicant whether he/she is willing to learn other things as the job may require from time to time, whether he/she is willing to work longer hours or be called back during non-office hours. You will be surprised by their answers; with some of them you can be sure you won't need them no matter how good they are during the technical interview.

paul.matthews Sat, 07/11/2009 - 02:46

You already have some excellent answers. I have done a few tech vets for various panels recently.

I think tech vetting is a difficult task - you want to try to find out about them, and often the aim is to separate people.

Asking something very specific does not help. All it does is tell you they know the answer. Hiring should not really depend upon knowing the answer to one obscure fact, unless you are looking for lucky people.

What I try to do is stick to comparatively mainstream technologies - the ones I have used most are OSPF and Spanning tree. I have also asked people about routing protocol selection. I have also given them a kit list, and said "we need to do a demo next week, what would you suggest out of that lot?"

The most recent questions I have used (selection panels for expert level cert training) have been asking for an outline of the different flavours of spanning tree, and courtesy of Jeff Doyle "Why does OSPF insist on all inter area traffic passing through the backbone" both of which give me a good chance to talk to them and figure out what they know and an idea of how they think.

Bear in mind that you are interviewing CCIEs. It is not an unreasonable assumption that they have a reasonable grounding in the networking basics, what you need to know is how they will fit with your organisation, and what they need to do.

Joseph W. Doherty Sat, 07/11/2009 - 05:04

As you've acknowledged, you don't really consider yourself as qualified in R&S as your potential CCIE R&S candidates. If true, using any list of rote technical questions might only indicate how well your candidate does, or doesn't, know rote answers. As other posters have written, it would be better to attempt to assess conceptual knowledge, but this is much more difficult to do, especially if you don't have an equal or better level of understanding in the technical subject yourself.

What you might consider, if you have experience with any network consultants that you trust, which have a high level of technical expertise, ask them to technically assess your interesting candidates.

Besides technical expertise, you also need to assess whether the candidate's "chemistry" seems a good fit between your company and the individual. I'm sure you do this, but if you can rely on someone else for high level technical assessment, you can focus your efforts more on this aspect of the interview process.

In other words, you take on full responsibility for the "chemistry" aspect of the interview, and only pre-screen the technical requirements. You rely on your trusted consultant experts for an in depth technical assessment.

If you do try this approach, besides providing some criteria of technical expertise you expect your consultant(s) to ferret out, discuss with them why they believe the candidate is qualified or not.

Oh, if you need to "sell" such an approach to management, and they are concerned about the additional consulting cost, remind them of the cost of getting it "wrong" at this level.

truongdinh Sat, 07/11/2009 - 14:48

Thank you everyone for extremely helpful comments.

There were three CCIEs in the company. One CCIE works with R&S, one CCIE works with Voice and myself in security.

Two CCIEs left the company a few months ago. Now management want to outsource the Voice network and consolidate R&S and security. In other words, they want the new CCIE R&S to be knowledgeable with Security as well and the same goes for me as well. Company wants to save money by having just two CCIEs on staff and that both CCIEs must be knowledgeable with both R&S and Security. The salary is about 180k with 20% bonus. The job is located in Philadelphia, PA. I will be responsible for hiring a new CCIE for this position. My R&S skills are not that bad. I did spend about five years on R&S prior to coming over to security. The company is to have the new employee train me on R&S and that I will train him or her about security.

My goal is to ask potential hiring candidates about twenty questions about new emerging technologies in R&S and security. My questions center around OSPF, eIGRP, BGP, MPLS and layer-2 technologies. I will throw in a few questions about security along the way. I would expect at the CCIE level, candidates should also know about other vendors such as Palo Alto, Checkpoint, Juniper and Extreme. Also at this level, I would expect candidates to be good at troubleshooting as well, such as interpreting output of tcpdump, because this is so fundamental to networking. Once they pass the first phase I of the interview, I will ask them to come back for phase II of the interview which will involve a lab.

On phase II of the interview, the candidate will have four hours to complete a lab scenario that I design. This lab is a replica of our production environment. The lab has hardware from multiple vendors such as Cisco, Juniper, Checkpoint, Extreme and Palo Alto. There will be a "proctor" in the lab to help the candidate with products that he/she is not familiar with. After four hours, I will grade the candidate on the spot on how he or she performed on the scale from 1 to 100. Google will be available so that the candidate can search for information he or she needs to complete the lab.

With this approach, I have interviewed about four different CCIE R&S candidates so far and only one made it to phase II of the lab. The R&S candidate that made it to the lab had problems with BGP, OSPF and other issues with other vendors' products such as Juniper SSL VPN and Checkpoint products. I would not have known this during the phase I interview because he sounded so convincing.

Is my approach a sound one in screening and hiring candidate?

Jon Marshall Sun, 07/12/2009 - 01:12

"Is my approach a sound one in screening and hiring candidate?"

I still think you are relying on things you know a lot about and expecting the candidates to be at the same level.

So your lab is a replica of your production system. You are obviously very familiar with your production system. You will understand why things have been done a certain way, how each device integrates into the whole. Even CCIEs who step into a new network need time to assess and become familiar with it.

You also say that you would expect CCIEs to have knowledge of other vendors. I wouldn't. If you want them to have that knowledge then include it in the job specification but also be prepared to accept that they may be lacking in that area. After all what is it you are looking for, a good all rounder or an expert in Cisco technologies?

I agree with you that any CCIE should have good troubleshooting skills.

If only one has made it through to the lab stage then you may want to reassess your initial interview phase. Ask yourself why they are failing, what it is that means you are not happy with their performance.

And the one candidate who did make it to the lab had issues with the non cisco equipment so either your proctor isn't doing his job properly or you are expecting expertise not just from the Cisco side but also other sides.

If you need an expert in R&S then concentrate on that, not on whether they can configure Juniper/checkpoint etc.. That stuff can be picked up.

Finally it is really important that you personally get on with whoever you hire especially if you are meant to be cross training each other.


Giuseppe Larosa Sun, 07/12/2009 - 02:31

Hello Truong,

I strongly agree with Jon.

First of all, I agree with both that troubleshooting skills are very important as the will to learn and improve.

a)Even CCIE's who step into a new network need time to assess and become familiar with it.

this is true for every human being, but usually management doesn't understand this. But you as a tech person should.


You should be aware that the security world is more multi vendor oriented than backbone and that everyone is exposed to other technologies in the measure of their past and current job experience and environment.

c) assessment and lab

You say that you would like to find a mate more focused on R/S area.

Don't you think you are rather looking for a clone of you? (without intention but from an external point of view it looks like so).

By the way, are you the proctor for other technologies or another person?

If the new employee has to work with you, you should share with him/her the lab/demo experience to understand if you can work well together.

So I would suggest something more relaxed than a formal lab, where you test human interaction that is the most important part.

Hope to help


paul.matthews Sun, 07/12/2009 - 03:52

TWENTY questions? Wow!

Asking that many questions in an interview means you are either having VERY long interviews, or you are having very short answers, which probably puts them at "what does it mean if you see a type 7 LSA" which only tells you if they know what a type seven LSA is. Someone could get lucky and happen to have the answers to the questions you pick, and not a lot else. Equally you could miss out on a hot candidate who just happens to not know the answers to your questions.

Fewer open questions that lead to a discussion will tell you so much more.

Mohamed Sobair Sun, 07/12/2009 - 01:24

Hi Truong,

A Cisco Certified person isn't required to have knowledge about Juniper, Checkpoint, etc., as he could have no experience in all; likewise, I won't assume that a Juniper Certified or Checkpoint Certified person has to be aware of Cisco. But they MUST be aware of technology.

You are interviewing a CCIE, which means a Cisco expert with a Cisco major. I do agree that a CCIE R/S candidate should have basic knowledge in Security and MPLS besides the layer-2 technologies. That's why Cisco has always made enhancements to their Certification. However, I don't agree with your concept of a phase 2 interview that includes a lab scenario. That's the job of Cisco; they have already examined a candidate twice to ensure he has a kind of hands-on.

If a candidate is knowledgeable enough and has sufficient technology concepts, then it's fair enough from my point of view, as he has already been examined practically, and I am not too concerned about how fast he is.

The interview shall provide you with the presence of mind of a candidate as well as personality besides his technical knowledge.



truongdinh Sun, 07/12/2009 - 09:51

Thank you everyone for your comments.

When we advertise for the new position, we explicitly state that we are looking for a CCIE candidate with solid R&S experience but also knows other technologies from other vendors as well. I am amazed by the stuff people put on their resumes regarding other technologies besides Cisco. Candidates claimed to work on Juniper for almost five years and can put on a very good interview until we start pinning him or her down on specific stuff.

Phase I of the interview is 2 hours long. During that time, the other two CCIEs who recently left the company are willing to participate in the phase I interview. I rely on them for R&S and Voice knowledge. I also know R&S quite well because I am preparing for the Juniper JNCIP lab as well but my expertise is in CCIE Security, Palo Alto, Checkpoint, Juniper and F5. I am going to take everyone's advice here and start asking open questions during phase I of the interview.

After the phase I interview and we invite the candidate back for phase II lab interview, I usually give the candidate two weeks to prepare for the lab interview portion. During that time, I give them access to all the equipment such as F5 BigIP, Checkpoint firewall, Cisco routers/switches/Firewalls and Palo Alto devices in the lab environment so that they can get familiar with the products. The goal here is to see how quickly they can learn technologies from other vendors. The phase II lab interview is quite similar to the Cisco CCIE lab. I also provide candidates a blueprint of what I am looking for during the lab portion. I am also the "proctor" during the phase II lab interview. I am going to change the lab scenario so that it will be concentrated on emerging technologies rather than my specific production environment.

A little bit about the job position. We're looking for a CCIE who is an excellent R&S person but also knows other technologies from other vendors and can learn things very quickly. Furthermore, that person must be able to work well under extremely stressful situations. Here is the salary consideration:

- Expertise in R&S and excellent skills in Security, base salary is 180k with 20% bonus
- Good with Opensource and commercial Network Management System - +10k additional
- Good with MySQL, Oracle and Microsoft SQL + 10K additional
- Good with Programming such as Expect and Perl - +10K additional
- Good with Microsoft, Solaris and Linux Operating Systems - +10K additional

The position has ten days of sick leave, three weeks of vacation and 4 personal holidays in addition to the regular 10 days holidays. 401k is 100% matching up to 6% of the salary. 10K of additional education assistance if one decides to go back to college for a Master degree. Two weeks of technology training of your choice in either R&S, security or Voice of your vendor's choice.

I've been working here for almost six years and I am getting a 20% bonus every year including this year so this is a very good place to work. The new CCIE hire will train me on new emerging technologies of Cisco and whatever he knows and I will train him on Security and whatever I know. What I mean about cross training each other is that this person will be my "backup" and I will be his "backup" if something happened to one of us. This person will be my peer and report directly to VP of Operations.

Just a couple of follow-up questions:

- Is it possible to find such a candidate with all the requirements listed above?
- 220k salary with 20% bonus is competitive salary for such a position in the Philadelphia, PA region?

My career will suffer if this thing goes south, I still think that the lab interview is a good thing. I've run into candidates who look really good on paper and that they do really well during the Phase I of the interview. When it comes to the lab portion, they look completely lost.

What do you think? Many thanks.

Joseph W. Doherty Sun, 07/12/2009 - 18:36

"Is it possible to find such a candidate with all the requirements listed above? "

Perhaps, but likely not easy. I assume you're recruiting beyond the Phila region?

Even so, such wide ranging "good" expertise tends to be rare. Many prefer to specialize, and this is encouraged by employers. (There's a reason there are different CCIE certs.)

"220k salary with 20% bonus is competitive salary for such a position in the Philadelphia, PA region?"

Since I'm located in the Phila. area, I think it is for this market; generous even. If someone is coming from a higher priced market, you need to make clear the level of salary in this area vs. their area. For example, someone from NYC wouldn't normally consider such a salary as generous.

Even little things, such as whether you're based in the city itself with its wage tax, vs. outside the city, impacts the value of the actual salary offered.

From what you've been describing, it might help you if you look for those with the "right" contracting experience. The type of contracting where you need to work with what the client has, but deliver results. Such experience might meet a couple of your attributes, such as learning quickly, dealing with stress, etc.

The approach you've described, is almost your only mini CCIE certification, i.e. knowledge test and lab. If this was all there was to selecting a good candidate, then a CCIE cert. alone should be sufficient, but we know it's not. In my prior post I touched on "chemistry", but what you seem to want is someone who can deliver results beyond just R&S. Besides all your testing, ask your candidates to describe some interesting issues they had to resolve. This can provide great insight into the candidate's thinking and solution solving abilities.

If possible, for serious candidates, speak with prior employer(s). For the level of expertise you're seeking, hopefully a prior employer will be very complimentary, i.e. something positive beyond just a "yes they worked here between these dates". This is difficult to do with current employers, but should be possible, if not too far back, with prior employers. Again, for this level of expertise, employers should remember them.

avillalva Thu, 07/16/2009 - 20:58

In my experience the top IT personnel are the deep thinkers. The best IT solutions can often be abstract; as a crude example one might suggest a change in process instead of infrastructure. And so I wonder how your twenty technical questions will expose this ability/or lack thereof. How you will know whether the candidate has the ability to identify the real issue behind the problem.

Cisco have done the hard work with regards to the candidate's technical abilities. But the real test of their understanding is in the application of the technology...not the configuration.



chinkevi_2 Mon, 07/13/2009 - 19:01

Gee.. with this base salary, you would attract lots of overseas candidates if your company is open to overseas hires. I would put my hand up too.

rtaulton Fri, 11/08/2013 - 09:48

I don't know, I would think most CCIEs could answer those questions and be able to work in a lab. In truth it depends on what and where the candidate is currently engaged as to the other technologies. Some are in a pure Cisco shop.

If you have not filled the position reply to this and maybe we can talk.

