CCDE – My Journey To Becoming Swedens 2nd CCDE

On May the 17th I passed the CCDE practical in Madrid and became Swedens 2nd CCDE, CCDE #20160011. This post describes my journey to passing the CCDE practical in my 1st attempt and the materials that I used to do so.

Let me start by saying that this is a tough exam, a very tough exam. You need to be an expert in RS and SP technologies and there is no instant feedback in the exam, like you would get in the CCIE lab. In the CCIE lab you will see you are missing routes or if your output does not match the output the lab guidelines told you to match. In the CCDE practical there will be very few questions that you are 100% sure that you got the optimal answer. Design is a more subjective skill than implementation. I had several moments where I felt that I could just as well leave because there was no chance I was going to pass the lab. You need to be mentally strong to put those thoughts aside and just keep performing your best throughout the whole exam. You might be doing a lot better than you think.

The first section will focus on mandatory books to read for the CCDE practical. Only reading these books or even reading all of the material I am referencing here will not make you a CCDE. You need to have the depth of knowledge within these technologies but this list will help you get started with the most essential resources.


CCDE Study Guide

When I started studying for the practical, there was no book that summarized the knowledge needed to attempt the practical. Marwan Al-shawi wrote this excellent book which is an essential read for the CCDE practical. This book teaches business requirements, technical constraints, network design principles and the most important technology that is included in the CCDE program. Don’t rush through this book, you must understand the concepts and you will probably end up reading it multiple times.

Optimal Routing Design

This book written by Russ White, Alvaro Retana and Don Slice is the bible of routing design. This book is over 10 years old but the principles still apply. This book will teach you about fault domains, modularization, aggregation of topology information, summarization of prefix information. When we aggregate routes we have a more optimized forwarding table but what are we giving up? There’s always a tradeoff! If we summarize we may have suboptimal routing, sometimes also called stretch. There is also the risk of summarization black holes. This book is a must read to understand how to design networks using different routing protocols such as EIGRP, OSPF and ISIS.

Definitive MPLS Network Designs

This book in my opinion is the book that has the most resemblance to the CCDE practical. This book takes you through different fictious scenarios which are based on the experiences of the authors. As the scenario develops they will explain why a technology was chosen and what the impact is to the design. It goes through a lot of technologies such as IGP, BGP, MPLS, MPLS-TE, Inter-AS and so on. It’s quite a heavy book but an essential read for the CCDE practical. It is useful to use this book and discuss the scenarios with other people preparing for the CCDE practical.

The Art of Network Architecture: Business-Driven Design

This is another book by Russ White and the co author Denise Donohue. This book focuses on the business side of network architecture but also explains a lot of important concepts such as mean time to repair (MTTR), redundancy vs resilience and the OODA loop. This book explains different topologies such as fully meshed, rings, CLOS and so on.

The next session focuses on Cisco Live presentations. This is actually one of the most valuable resources and almost all of the content is 100% free!

Cisco Live Sessions

BRKRST-2337 – Intermediate – OSPF Deployment in Modern Networks

This session is a good complement to Optimal Routing Design. It has some of the more modern concepts such as prefix suppression, LFA, rLFA, BFD and goes through routing design for OSPF in different topologies such as fully meshed and hub and spoke. It also has a lot of information on using OSPF as PE-to-CE protocol in MPLS VPN networks. You must be very knowledgable in what kind of topology changes trigger SPF runs, the different area types and how the number of areas affect the scalability of an ABR. When we use stub areas we get less routes to the routers in the stub area but what do we give up? Once again, optimal routing. Does our business require optimal routing though? That’s where you have to map the requirements of the business to the technical design that you will use.

BRKRST-2338 – Intermediate – ISIS Deployment in Modern Networks

This session on ISIS is also a must read to complement the Optimal Routing Design book. It starts out by comparing ISIS to OSPF and then demonstrates some best practices for ISIS. The session goes through different designs and shows how a L1 router may use suboptimal routing because it will only have a default route to the L1L2 router unless routes are leaked. It also show the concept of multi topology and single topology. The session shows important concepts in achieving fast convergence and important concepts such as LDP IGP sync and LDP session protection.

BRKRST-3321 – Advanced – Scaling BGP

This session on scaling BGP starts out by comparing confederations to route reflectors. It then explains the concepts of hierarcy within route reflection and route reflector clusters. It has a useful chart for comparing confederations to route reflection. It shows best path selection when RR is used and how more paths can be sent by using technologies such as Add Path, Shadow RR and shadow session. It also shows how hot potato routing can be done when using route reflectors. It also shows different scaling options such as carving RT’s between route reflectors and using route target constraint (RTC). It also demonstrates the concept of running Internet in a VRF and different MPLS label assignment modes such as per CE or per VRF as opposed to the default of per prefix.

BRKRST-3363 – Routed Fast Convergence

This session is all about fast convergence and shows the four steps that are involved in converging, detecting, notifying, calculating and installing new routes. The session shows that failure detection via interrupt based mechanisms is generally much faster than doing polling. It shows how interrupt based signalling may not always work if there are other devices between two routers as an example. It compares fast hello’s to BFD and shows how different IGP’s can be tuned to achieve fast convergence.

LTRCCDE-3006 – Advanced – CCDE Lab

This is actually a debrief session for a paid CCDE lab available at Cisco Live. I highly recommend that you take the CCDE techtorial and labtorial if you are serious about this cert and are going to Cisco Live. This session is still useful even if you didn’t take the lab though. It demonstrates different type of questions that you will face during the lab and it also does a debrief of the scenario Best Buddy. You can still learn from this even if you didn’t take the lab. I reviewed this session a few days before taking the practical and I started finding things I weren’t fully agreeing with in the slides. This is a good sign that you are getting prepared for the practical. This session shows the concept of branching questions which are very important for the practical.

BRKCRT-8001 – CCDE: The Cisco Certified Design Expert (Session 1)

This session explains what the CCDE is and why you should get involved in network design, it’s just not about plumbing! This session also shows different technologies that are expected to be on the practical. Then the session goes through a fictious scenario called LISP and shows how you will receive documents and e-mails and examples of different type of questions. This session is very useful to get a feel for what the CCDE practical is like. If you watch the video, there is a part 2 to this session that is called BRKCRT-8002 – CCDE: The Cisco Certified Design Expert (Session 2).

These are the sessions that MUST watch/read but I have probably gone through 50-100 sessions in total on different topics such as DMVPN, GETVPN, FW design, WAN design, DC design and so on.

CCDE Training

There are mainly two prominent CCDE trainers out there, Jeremy Filliben and Orhan Ergun. They are both very talented and strong instructors and I would recommend that you get material from at least one of them if not both.

Jeremy Filliben

I used CCDE scenarios from Jeremy in my preparation for the practical. As far as I know, Jeremy has the most scenarios and each scenario is a different platform that revolves around different concepts such as a merger or divestiture, adding technology etc. The scenarios which are delivered in PDF format simulates the exam experience by giving you initial information and then communicating new information through e-mails. It has different type of questions such as multiple choice, single answer, charts, diagrams and so on.

Jeremy also delivers bootcamps, I attended such a bootcamp roughly a month before the practical. This was a great experience to learn from someone who is already a CCDE. I learned a lot about how to approach the exam and how to think when you are answering questions for the practical. I was already fully prepared from a technology standpoint when I took the bootcamp. You should not take this bootcamp expecting Jeremy to teach you all the technical content. No bootcamp can do that in only one week of training.

If you are interested in Jeremy’s training, visis his web site here.

Orhan Ergun

Orhan is also producing content for the CCDE. His offering is called the Designworld where he offers different materials such as CCDE scenarios, CCDE videos and comparison charts between different technologies. I think that Orhan’s charts are very good and a key to getting prepared for the CCDE practical. The technology videos are good to refresh your knowledge on different technologies and to see how an experienced designer approaches different technologies such as first hop routing protocols (FHRP’s) or IGP’s, BGP etc.

Orhan also offers bootcamps and personal coaching sessions. He delivers bootcamps both online and onsite. The next bootcamp is delivered in August. One of my friends, Martin Duggan, just passed the CCDE practical in London and he had been receiving training from Orhan.

If you are interested in joining Designworld, go to Orhan’s site here.

Blog Posts

Blogs can be another important resource in getting prepared for the CCDE practical. I recommend the following excellent blog posts by Diptanshu Singh which were posted to the Packet Pushers blog.

MPLS TE Design -Part 1
MPLS TE Design -Part 2
MPLS TE Design -Part 3

These posts are very good to understand what MPLS-TE is, what a tactical deployment is and what a strategic deployment is. It discusses how you can scale MPLS-TE and different FRR methods. This is the best writing I have seen on MPLS-TE outside of the books. Make sure you understand the content from these blogs.


This post describes the concept of accumulated IGP (AIGP) metric which can be used to carry an IGP metric across BGP domains. This is used to optimize routing between different ASNs since normally MED is used and that is not representative of the total end to end path cost. For this reason AIGP is better than MED in achieving optimal routing.

IP FRR And Micro-Loops Part 1
IP FRR And Micro-Loops Part 2

These two posts introduces the concept of LFA and how micro loops can be formed. It’s a bit heavy on the math side which is not very important for the CCDE but the concepts are important. You should understand what IP FRR is, when to use it and why micro loops are formed and what can be done to prevent it.

BGP RR Design – Part 1
BGP RR Design – Part 2

These posts are very important in understanding BGP RR design. They will show the challenges of BGP RR such as increased convergence time, suboptimal routing and reduced path diversity. Routing loops can also exist in a RR design if the physical topology is not congruent with the logical topology. It also shows how BGP RR can be combined with fully mesh to achieve a reasonable scale and more optimal routing than a full RR design.

I have also done a lot of post for the CCDE. In my opinion writing is one of the most efficient ways to learn something at a deeper level than simply reading. I recommend you read the following posts that I have put a considerable effort into to summarize information from books, Cisco Live sessions and real life.


This blog is about CSC which is a concept where a backbone carrier can efficiently carry routes of a customer carrier.


Inter-AS VPNs is an important concept for connecting VPNs between two different ASNs of the same organization or to connect two different organizations together. This technology can be important in mergers where there needs to be a temporay setup between the ASNs until one side can get integrated into the other.


BGP confederation is an alternative to using BGP RR although the two technologies can be combined as well. BGP confederations can be use when there are different groups of people responsible for different parts of the network but they still belong to the same organization.


This post describes the important considerations for BGP convergence. The main concept is to have a fast converging IGP. It goes through bgp next hop tracking (NHT) and different timers such as the minimum route advertisement interval (MRAI).


DMVPN is a Cisco proprietary technology but it is still something you need to study for the practical. This post talks about some ways to scale the DMVPN by using a dual tier topology where the mGRE control plane is handled by one router and the crypto control plane by another router.


GETVPN is another Cisco proprietary technology which is a tunnel less VPN built over private WAN. This post is a good summary of Cisco Live presentations and the GETVPN design guide.


This post explains different WAN rates such as T1, E1, DS3, OC-192 etc. In the practical you might get the BW in clear writing but I still recommend you learn these basic rates by heart.


MPLS primary one-hop tunnels is a way of scaling MPLS-TE networks and achieving FRR for both MPLS-TE LSPs and LSPs signalled by LDP as well as plain IP traffic. One-hop tunnels are tunnels that are one hop and built between adjacent routers.


Security is not as big a part of the practical as RS and SP technologies but you still need some understanding of it. You need to understand where to place security devices along choke points and concepts such as a routed firewall vs a transparent firewall. Where is it most optimal to place an IPS? What is the difference between an IPS and an IDS?


This post on load balancing describes different load balancing designs such as one-armed and direct server return (DSR). Load balancing is not a big topic for the CCDE but I recommend that you learn the basics.


These two posts describe PIM BiDir which is normally used in many to many multicast deployments such as in the financial vertical. What is the role of the RP in PIM BiDir? How is RP redundancy achieved? These posts teach these concepts.


This is an interview I did with the CCDE program manager, Elaine Lopes. It explains why you should go for the CCDE and what study resources are available for the CCDE.


IPv6 multicast is probably not a key technology for the CCDE but you should be familiar of the concepts which I have summarized in this blog post.


In the road to deploying IPv6, what transition technologies can we use in the mean time? What is 6RD? What is 6PE? What can we deploy when we have moved to IPv6 but need to maintain IPv4 connectivity? Those concepts are explained in this post.


What is bisectional bandwidth? Why does STP waste bandwidth? How can anycast HSRP achieve more efficient forwarding and utilization of links in a leaf and spine topology? Learn about this in this blog post.


QoS is a very important topic in the CCDE. This blog post is basically a summary of the End to End QoS Design book. What are the characteristics of different type of applications such as voice and video? How should we mark traffic? How much bandwidth should be set aside for the LLQ? This post is important to understand QoS for the CCDE practical.

There are some more posts available but I recommend that you start with these. To reach all of the posts I’ve done for the CCDE, you can follow this link.

CCDE Slack Study Group

I and my friend Kim Pedersen started a CCDE study group in Slack. In my opinion it was one of the key factors that made me pass this exam in my first attempt. We discussed different technologies and designs and the group consists of a lot of different subject matter experts. We have experts in a wide range of technologies. The CCDE is very difficult to achieve on your own which is possible when studying for the CCIE.

Cisco Validated Designs

Cisco has a program called Cisco validated designs (CVD) where different architectures such as Campus design are explained and what the best practices are in such environments. I recommend that you read through at least the following CVD’s.

Campus LAN and Wireless LAN Design Summary – October 2015

Internet Edge Design Summary – October 2015

WAN Design Summary – October 2015

Intelligent WAN Technology Design Guide – February 2016

Closing Words

I studied for this exam for about two years. There are no shortcuts. You need to be an expert in RS and SP technologies and you need a basic understanding of DC and Security design as well. Reading all the material in this blog post will not make you a CCDE but it provides you with the foundation of the knowledge that you need for the exam. By putting this in a blog post I hope to help the CCDE candidates out there to a more efficient study path.

CCDE – I passed the CCDE Practical in Madrid!

Hi everyone.

I’ve not been posting lately because I have been studying very hard for the CCDE practical.

Passed the lab in Madrid? Isn’t this guy from the North? I was supposed to take this exam in Frankfurt on Tuesday the 17th of May. Wise from my trips to the CCIE lab in Brussels I took a flight that landed around noon on Monday. I have a routine I like to use the day before a big exam. I had just scouted the Pearson Professional Centre (PPC) location and got back to my room. At 14.05 I receive an e-mail from Pearson Vue saying they can’t deliver my exam. Can you imagine the panic I felt? I had been preparing for months of furious studying for this day. The CCDE practical is only delivered every three months so I would have to wait for three more months to take it if I could even get a seat then. I had prepared for this day and my plan was to try to pass it and if I didn’t, come back in three months and pass it then.

There was no time to waste. I found an open seat in Madrid and booked it but now I also had to find a flight, a hotel and so on. Not the way I wanted to get into the right mental state for the exam for sure! I got on a plane and arrived at the NH Madrid Lagasca around 01.00 and then tried to get some sleep for the next day. Fortunately the exam starts at 10.30 in Madrid. Apparently those Madristas don’t like early mornings 🙂 I still woke up at 6 AM though. Go figure…

The PPC is literally around the corner from the NH hotel so if you go to Madrid, this is a good place to stay in. It was a very small location. The woman in the desk was surprised I got a seat there. There were literally like 4 or 5 seats in total and I was the only one taking the CCDE practical there.

When I arrived I had to leave all personal belongings. I wasn’t allowed to bring in anything to eat. The only thing I could bring was my passport and the key to the locker. When you sign in they will ask for two forms of identification so make sure to both bring your passport and another form of identification, I used my drivers license. They will also ask you to write your signature and make sure that it matches to the signature of your identification. They will in addition to this also photograph you.

After leaving my things I was handed some laminated paper, pens and ear plugs. I used the ear plugs to gain some extra focus. The laminated paper was enough for my needs. They are double sided so I think there were like at least 6 pages available.

I had arrived a bit early and was able to start the exam at around 10. When you start out you will get some information on the exam format and then you will arrive at the real scenario. You will land on a page that has the first question and you will have some initial documents in your inbox. You should be notified everytime something new arrives in the inbox but do check there as well as I’ve heard stories of people that have not been notified when new documents arrive. If you feel you are missing some information make an extra check to see that you haven’t received a new document.

The documents you receive will be background information, technical information, e-mails, diagrams etc. There can be a lot of information to go through and digest. Highlight what you think seems most important such as business goals, business constraints, technical constraints and so on.

I was pleasantly surprised by the lab delivery and GUI. I thought the diagrams were well made and it was easy to interact with the exam.

You should spend around 10-15 minutes reading through all the information in the beginning. I’m a fast reader so I used a little less than that.

You need to try to connect with the exam. Imagine that you are really working in the role they are telling you that you are. I struggled a bit to connect with my first scenario but felt better about the others. I didn’t think I would end up passing this thing though.

I went through the first scenario, struggling, as I felt it. It was a real slap in the face. I had studied very very hard and I go in there feeling like I know nothing. It’s mind games, people. You need to shake that off and do your best and just keep going. I felt like I could just leave righ then because there was no way I was going to pass this thing. You will receive different type of questions.

Multiple Choice Single Answer – There is only one correct answer. Try to pick it!

Multiple Choice Multiple Answer – There are several correct answers. They will tell you how many to pick!

Charts – Tick the boxes that apply for row/column pair. There may be several boxes that need to be ticked in a row or none! Don’t feel that you have to tick boxes if it doesn’t make sense to you!

Implementation Questions – These questions ask you to perform implementation steps in the correct order that produces the end result with the least impact on the existing network.

Diagrams – You will interact with a diagram. In some of them you click boxes to check which role a device has and what technologies it needs to run. On some diagrams you may have to place devices and add/remove links etc.

I’m sure I’ve missed something but my brain is pretty mush right now.

I finished the first scenario with roughly 30 min to go. I’ve heard varied reports about how stressed for time you are in this exam, fortunately it was not a factor for me.

The second scenario felt better but it was still very difficult. I know I had some extra time left over from the first scenario so I wasn’t rushed for time. I went through all the questions and ended with around 30 minutes to spare. You have to take a mandatory 1h lunch plus the time I had left over so that meant I had to go away for 1.5h. You can’t add the time from the first half of the day to the second half.

It’s important to remember that your questions will not only relate to the most recent documents you have received. You need to remember the goals and constraints that were handed to you in the beginning. You might be tempted to pick a technology that makes the most sense from a technical standpoint but maybe the organization told you in the beginning that they are not allowed to deploy this technology. There may also be situations where you have to compare technologies in some chart and then they may ask you which one to pick. So try to remember which one you think made sense!

After returning from a light lunch and went back into the PPC. I had to leave my things again and show my passport to get back to my seat.
Once again I finished the scenario with roughly 30 minutes to go. I knew I had extra time for the final scenario so on some questions I spent a lot of time to make sure I thought through everything. I was able to finish with around 30 minutes to go. I was 100% sure I had failed this thing so I was happily surprised when it said PASS on the score report. If you have ever taken one of these you will know you have to check it like 10 times to make sure your eyes aren’t deceiving you.

That’s why it so important to perform at your best level through the entire exam. After the first scenario I was crushed and although the others felt better I was sure I wouldn’t pass this. This was after all my first attempt at this thing.

I really want to make a point that if you fail this exam this does not make you a bad Network Designer or Network Architect. I have friends that I highly respect and that are in leading positions in their companies that have yet to pass this exam. It is a test and we all perform differently in tests and one test may suit a person perfectly and not the other. I think the exam does a good job of simulating the work of a Network Designer or Network Architect but it’s still very different from what I do in my day job. To all of you that didn’t get it yesterday. I’m sure you will get it next time!

I’ll write a post within a week or so on how I prepared for the exam and what study material I recommend. That is all for now!
Adios amigos!


In the previous posts I talked about why it’s important to build a network and how you can do it but there is still one component missing. Any guesses?

How do we maintain our network once we have built it?

Stay In Touch

You spent all this time and put effort into building a network. Are you going to let this effort go to waste? I hope not. It’s important to stay in touch every now and then and check in how your friends are doing. This could be by sending an e-mail, a text message, just giving them a call or going for a lunch. Don’t contact them only when you need their assistance. Don’t be a leech. Show that you appreciate them and the help you have received from them in the past.

Return The Favor

One of your contacts helped you with a technology or troubleshooting an issue which helped you move forward in a project. The next time they may require assistance from you. When this time comes, maybe you are very busy at work. Do you simply turn them down? I hope not and if you do don’t expect any help the next time you ask them. Maintaining a network is about taking and giving. Even if you are busy, make some time or tell them that you will get back to them in the evening or the next day or whatever.

Expand The Network

Don’t be afraid to expand your network even if the person that wants to join your network is not as experienced as you. Don’t understimate the power of paying it forward. This person may also have reach into other networks and organizations that would be beneficial to you. Worst case you make a new friend. Is that so bad? 🙂 I know from experience that it’s difficult helping out everyone that contacts you if you are a somewhat known person in the industry. I always try to answer in a polite manner though.

I hope these series of non technical posts has been helpful in inspiring you to go out and network! There may be some more posts coming up on how to build a mindset for certifications and topics in that range. Good luck in your building of networks!

Cisco Live – News About the Customer Appreciation Event (CAE)

Cisco Live takes place in Las Vegas between the 10th and 14th of July this year. Every Live event, Cisco holds a customer appreciation event (CAE) in an arena close by the conference center. Last year we saw an amazing performance from Aerosmith hosted in San Diego. The year before that, Imagine Dragons put on a show in San Francisco.

This years event will be hosted at the T-Mobile Arena on the Las Vegas strip. This is a very new arena that opened on April, 6, just days ago. The pictures below show renderings of the arena.

T-Mobile Arena® will be the destination in Las Vegas for live events – from amazing music acts to thrilling sporting events – it will set a new standard for what entertainment means in the city that does it best. The 20,000-seat T-Mobile Arena ® will host exciting, world-class events with something for everyone – from UFC, boxing, hockey, basketball and professional bull riding to high-profile awards shows and top-name concerts.

Cisco is not only holding their CAE there. The arena also uses Cisco technology called Cisco StadiumVision which is an innovative digital content distribution system. The system is used to centrally manage and deliver all of the video and digital content in the arena, except the scoreboard. This means we can expect high quality video delivered to the screens in the arena. More information about StadiumVision can be found in the following link.

Now for the interesting part and this is information that is exclusive until April, 12. The CAE will take place at July 13 in the T-Mobile arena and the opening act is Elle King. Elle is probably most known for her hit “Ex’s and Oh’s” from the album “Love Stuff” that earned her two Grammy nominations. Elle is an american singer, songwriter and actress. Her music style encompasses country, soul, rock and blues.

The main act is going to be Maroon 5. Maroon 5 is one of the biggest pop rock bands and has sold more than 20 million albums and 70 million singles worldwide.They have also been the recipients of several awards including three Grammys. They have produced hits like “One More Night”, “Moves Like Jagger”, “She Will Be Loved” and many more.

More information about the CAE can be found at the following link.

I look forward to meeting you at the CAE event.

CCIE – Cisco Learning Network Sale on CCIE Training for the CCIE RS Lab

Are you preparing for the CCIE RS lab? Cisco 360 is the official training program for the CCIE. There are other training vendors out there which are also high quality, like INE and Narbik, Cisco 360 has an advantage in that they can leverage the real platform of the lab though. If you want to assess how ready you are you can take an assessment lab at Cisco 360. You will also have the opportunity to get more comfortable with the lab platform that is used in the lab. You will also have the opportunity to practice the TS and DIAG section to make sure you are comfortable with those sections of the lab when the big day comes.

CLN will have a sale during April and May which means that you can save between 10-20% on these products to help you prepare for the CCIE RS lab. For the CCIE there are currently three products on sale.

The first product is a bundle and it’s a starter and advanced mini bundle for 1599$ and contains the following.

  • Core and Advanced Workbooks with 25 Expert-level labs for hands-on practice. Labs 01–20 have troubleshooting and configuration sections each, labs 21–25 include large-scale configuration labs.
  • 250 hours of virtual rack rental of Cisco IOS on Linux (IOL) platform.
  • Reference library with more than 2,000 pages of technical material.
  • Pre-assessment lab that measures baseline technical skills.
  • Four performance assessment labs of student’s choice with troubleshooting and configuration sections each.
  • Two diagnostic assessment labs of student’s choice.
  • Detailed answer keys and interactive mentor guide for every lab.

If you are interested in this bundle, click here to go to the CLN store.

There is also a starter mini bundle for 999$ and is currently 10% off. This product contains the following.

  • Workbook with 10 Expert-level labs for hands-on practice. Each lab has a troubleshooting and configuration section.
  • 100 hours of virtual rack rental of Cisco IOS on Linux (IOL) platform.
  • Preassessment Lab that measures baseline technical skills.
  • Two standalone performance assessment labs of the student’s choice. Each lab has a troubleshooting and configuration section.
  • Reference library with more than 2000 pages of technical material.

If you are interested in this product, click here to go to the CLN store.

The final product is an advanced mini bundle, also listed at 999$ and 10% off. It contains the following.

  • 15 Expert-Level Labs with troubleshooting and configuration sections. Five of the configuration sections include large-scale topologies with about 30 devices.
  • 150 hours of virtual rack rental of IOS on Linux (IOL) platform
  • 2 Advanced Performance Assessment labs with troubleshooting and configuration sections in each lab
  • 2 Diagnostic Assessment labs
  • Detailed answer keys
  • Interactive mentor guide

If you are interested in this product, click here to go to the CLN store.

If you are preparing for the CCIE RS lab, this is a good opportunity to get comfortable with the lab environment and assess how ready you are for the lab. If you buy these products now you’ll save between 10-20% off the ordinary price. Good luck in your studies!

Disclaimer: I will make a small amount on the purchase if you go through my blog.

General – How to Build a Network Pt.2

In the previous post I talked about why you should build a network of people to both help you in your career and to improve your own skillset. How does one build this network of people?

There are endless ways of building a network and the ways I describe here are based on my personal experience. That said, I do believe that there are some common factors regardless of what approach you take.

Interacting in Forums – There are a lot of forums available, forums for Cisco Learning Network, Cisco Support Community, training vendor forums, product forums, vendor forums. These are often the best resources for getting help on a product and finding those golden nuggets of information that are not always available from the official documentation. There are often very skilled and experienced people in these forums answering posts and writing posts. Try to contribute to the forums and to learn from them and start interacting with these people. Many forums have some form of ranking which makes it easier to spot the people that are the most active on the forums.

I started writing a lot on CLN several years ago and that has been very benificial for me landing me a Cisco VIP award. Through CLN I have gotten to learn brilliant people like Paul Stewart and Scott Morris and several more. I also get to talk to the great community managers Matt Saunders and Brett Lovins. These guys are great and have a lot of reach inside of Cisco. I’ve also been able to meet with the executives of Learning @ Cisco and through Webex sessions get to know a lot of other people inside of Cisco. In short, forums is a great resource if you use them the right way.

Social Media – Social media is just about posting pictures of cats, trolling and spamming. Right? Wrong! Twitter is a gold mine for anyone working in IT. Before social media we were limited to our real life network. This would often be based on geography and area of business. If you didn’t know person X in real life or someone that knew person X, you would not be able to get hold of person X. By using Twitter, you can now reach this person X by sending a tweet to them. First a word of caution though, just because you’re typing online does not mean that you don’t need to have good manners or that you can shortcut building a relationship with someone. You can write a tweet to say Ivan Pepelnjak and say “Ivan, I read your book and was wondering about xyz”. That is more likely to generate a response than to simply tweet to someone with a question with no background.

A lot of the people I look up to in the networking industry are present on Twitter. Some of them are Ivan Pepelnjak, Russ White, Scott Morris, Wendell Odom, Denise Fishburne, Pete Lumbis, Peter Paluch and several others. I never imagined I would get the chance to interact with these people.

Twitter is also great for asking questions like “Has anyone worked on this product? What’s your opinion of it?” or “I was setting up technology xyz and ran into this issue. Has anyone seen it before?” Using social media you can build a much larger network than you would ever be able to do only based on people you have met in real life.

Conferences – A lot of the vendors have their own conferences. I try to attend Cisco Live and I’ve written posts about why in the past but in this post I’ll focus on why from the PoV of this blog. First off, I understand that for some people it will be very difficult if not impossible to attend a conference based on costs. By going to these conferences, you will meet with brilliant engineers, product managers, Technical Marketing Engineers, certification managers and with friends from both real life and online. Don’t underestimate the learning experience of going to a conference. It’s the best way to learn and it’s really like drinking from the firehose.

I always try to meet with people I’ve learned to know from online, don’t be happy with just knowing someone from online, try to meet with them when you have the chance. At Cisco Live I’ve met with a lot of awesome people. I’ve been able to talk to Bruno Van De Werve, the CCIE RS Program Manager and Elaine Lopes, the CCDE Program Manager to learn about the certification and to give my feedback of the exams. It’s great being able to meet these people in person and discuss with them.

Last year I also met with Jeremy Filliben, I wanted to learn more about his CCDE offering. Sure, I could just have sent him a tweet or e-mailed him but a conversation in real life is always worth more than interacting online.

Don’t be afraid of interacting with people. Did you have a question for the instructor of your session? Ask it! Do you have a design you are working on that relates to the session you just attended? Ask the instructor if he has any input. Get to know these people. Once again though, use good manners! These are very busy people so don’t assume they have the time for an entire design session with you but if you approach them they will try to assist you in some way.

Study Groups – Study groups are also a great resource to learn and to meet and interact with people. In my area there aren’t really any real life user groups like the Cisco User Group (CUG) available so I setup online groups instead. Otherwise, CUGs and VMUGs etc is a great way of meeting with people and learning. These are often cheaper to attend and more local to you than say, Cisco Live.

I’ve started to use Slack for collaborating with other people studying for the same certification as I. I have to say that even I was surprised at how efficient this can be. Having several people working towards the same goal and interacting is a powerful thing. Not to mention that being to tap into the experience of other people is really beneficial for work life related tasks as well.

Writing – Writing is another great way of getting to learn people. I’ve blogged for many years now and I’ve gotten to learn to know a lot of people thanks to the blog. It’s always great to meet with someone in real life that says they are reading your blog and it’s also a great ice breaker to get a discussion going. You don’t have to write your own blog, you could blog at a place like the Packet Pushers or through a forum or vendor. Writing a book is another great way to get to know people but requires a lot more than writing shorter posts of course.

I really want to emphasize that you will never get more out of a network than you put into it. Don’t be a leech. Don’t expect to get answers to all your questions if you never do anything to answer questions from other people. So to quote Captain Jean-Luc Picard: “Engage!”

General – How to Build a Network Pt.1

Building a strong network of people is very important in creating a successful career in IT. In these posts we will start first look at why building a network is important and in the other posts we will look at how to actually build the network and how to make sure that you are also contributing to the network and not only exploiting it.

If you came here to read about connecting cables or routing protocols, sorry, this is not that kind of post. This post is about how to build a network of people.

People often understimate the power of having a big reach in the industry through a network of people. I often hear in my role that I’m almost too effective sometimes. Part of that is because I have a very good network of people that I trust and rely on. In this blog we will look at WHY you want to build a network of people.

The Borg Mind – Have you heard of Star Trek? No? Are you sure you work in IT? 😉 Jokes aside, there is species called the Borg in the series which do not so nice things. What it is nice about the Borg though is that they have a collective mind. We humans will never be as efficient as the Borg but by having several minds thinking about something, we are more likely to find an answer to our problem. If nothing else, you should get input that will help you make your own conclusion.

Increase the Knowledge Base – There is no way to cover all technologies by yourself. I have a very good grasp of routing and switching technologies. What if I run into something tricky in the data center world? I know what people to reach out to. Googling for answers will only bring you so far. Sometimes you need someone with experience. If you manage to learn people working for that vendors equipment you are working on, that will be very helpful the next time you need expert knowledge.

Staying Updated – We all know how tough it is to stay updated in the IT industry. It’s moving so fast and there’s always new technologies and products coming at us at a faster pace than we can consume. I try to stay updated as best I can but it’s a lot easier to do that if you have a good network. Let’s say I’m interested in Cisco’s ACI product. I don’t have time to consume all the information on my own. I do know people working with ACI, both inside of Cisco and outside of Cisco. If I can ask them where to learn more and what’s the drawbacks that aren’t mentioned in the Power Point slides, I’ll be able to consume information much faster and be able to form an opinion of the product/technology.

Career Development – I’ve advanced rapidly in my career. Hopefully because I’m good at what I do but a part of it is that I have a good network. I can ask people what companies are good working at. I can get a reference if I want to when I’m applying for a job. My gut feeling from working in the industry is that the people advancing the fastest aren’t neccessarily the best engineers but the people with the best networks and that can interact with people in a proper manner. There’s a much bigger chance of you landing your dream job if you have a good network.

Motivation to Learn – By interacting with other smart people, hopefully you get inspired to learn more in other technology areas. Bust those silos! Your learning path will also be much more effective because those people have already been through a learning path and possibly a certification. They can guide you in what books and labs to use and they can also teach you on real deployments. You will be in a continous learning environment where you are learning even when you don’t know that you are.

Friends – It’s always nice to have friends, even if they are from online. Hopefully one day you get to meet them. Maybe the next time you are traveling you have a chance to stop by that guy that helped you on something the last time? By knowing people in different places of the world you will also be able to ask them about the culture of that country and what restaurants are good etc. The next time you attend a conference, maybe you will bump into an aquaintance? Cisco Live has been a blast for me because that is one of the few times I get the chance to meet up with friends from all over the world.

Pay It Forward – Mentoring and helping people evolve in their careers can be very rewarding for both parties. One of the best ways to learn is to teach! Personally I hold a lot of respect for people that can teach and are willing to do so. These people after gaining more experience may pass their experience to other people coming up in the industry. This creates a better and more dynamic industry.

In the next post we’ll look at how you actually build that network. Stay posted for the next part of this series!

CCIE – CCIE SPv4 Review by Nick Russo

My friend Nick Russo just took the SPv4 lab and passed it. This is his story.

On 8 March 2016, I passed Cisco’s CCIE Service Provider version 4 lab exam. It was my second attempt. I realize there is little information on the Internet about this test because it is still rather new. This blog post will detail my personal strategy for passing the CCIE SPv4 lab exam. Most CCIEs and CCDEs agree that a smart strategy is a critical part of passing any Cisco expert-level lab; many folks are technically proficient but need to remain organized to be effective.

Note: the views expressed in this blog post are mine alone and do not necessarily represent the views of Cisco. No correlation between my comments and Cisco’s recommendation study strategies should be made. Also note that no technical exam content is discussed here in accordance with Cisco’s CCIE NDA. Comments fishing for such information will be deleted.

First, the new blueprint has 3 sections: Troubleshooting (TSHOOT), Diagnostic (DIAG), and Configuration (CONFIG). The CCIE SPv4 program explains these topics in detail within the new blueprint so that is not discussed again here. Since each section is slightly different, one should have 3 different strategies, one to address the challenges of each. After my first failure, I realized it was mostly due to poor strategy during the DIAG and CONFIG sections, not due to a lack of technical knowledge. In order to keep this blog simple to read, I use the following decision points for each section:

1. Whether to draw diagrams or not
2. Whether to perform tasks in sequence or not
3. Level of verification to perform at the end

Before beginning, here are some general strategy tips that apply to all sections and the exam in general.

1. Documentation access is generally fast, but sometimes a hyperlink click can take upwards of 10 seconds to load. It feels like a lifetime. I would recommend opening a browser with 2 tabs at the beginning of each section. Bring up the main page for the IOS XE 3.13S and IOS XR 5.2 configuration guides. Minimize the window so you have quick access should you need it. Documentation is available for all 3 sections of the test. You can use Control+F to search the page for text, but you cannot use the search function to find what you need. I personally spent one hour each night during the week leading up to the test finding my way around the documentation. During the attempt I passed, I used it once, and it was helpful.

2. Track your points. I used to hate this advice but it’s a sound strategy. I can recall some very easy high-point questions which I solved in 5 minutes, and others that took 45 with a ton of configuration. Had I been better at identifying those things during my first attempt, I would have passed. Below is a quick hand-drawn sketch of my personal tracking system. I realize this is not a new invention. 3 columns exist: Task ID, points, and notes. The notes section, in my opinion, is written in the format of “problems/requirements -> proposed solution(s)”. For example, if the task suggests needing a dynamic, scalable, and high performance method to drop ingress traffic at ASBRs to prevent DoS attacks, you might write something like I did below for Task 2.2. Green check marks mean you answered the question and performed a cursory verification. Red circle means “come back to it later”. Green strike-through means you’ve double-verified it at the end of the lab and you are certain you won the points. Red strike-through means you definitely have not answered it and will be awarded no points. You may have a red circle and a green checkmark, implying that you skipped a question but then answered it later. Track your points for all sections.

Track points
Track points

3. Use notepad like it’s your best friend, because it is. I created a file called scratch.txt and saved it to my desktop. I leave it open at all times to prepare configurations. Some people prefer to have multiple text files for different functions, but I just like a general scratch pad. At the end of the exam, my scratch.txt was a few thousand lines long (lots of copy/paste for preparation). Insert comments in your file to help with indexing. For example, you can search on the string “task 4.1” and it’ll take you to your configurations you prepared. Having one big file makes this easier rather than having a bunch of files open, trying to remember where task 4.1 was configured. You can copy this into an IOS-XR router, including the comment, and it will work.

! task 4.1
conf t
router isis 42
net 00.0000.0000.0042.00
is-type level-2

4. Master IOS-XR RPL. Don’t view it as just an alternate syntax for a route-map; it can do much more. Although CCIE SP isn’t really targeting advanced IOS-XR features per-se, knowing RPL is critical to implementing real-life SP architectures with IOS-XR. Learn the details of parameterization and nesting as this will be a huge timer saver. I also recommend creating three basic RPLs on every IOS-XR router running BGP. You will find that, generally speaking, you will have a common need to do three things. I used these extensively in my studies.

a. Pass all routes

route-policy RPL_PASS

b. Match routes against a prefix-set

route-policy RPL_IF_DEST_PASS($PS)
 if destination in $PS then

c. Match routes against a community-set

route-policy RPL_IF_COM_PASS($CS)
 if community matches-any $CS then

Now that you have these basic RPLs, you can very easily create several custom RPLs using these as your foundation. For example, a customer BGP neighbor policy can set local-preference for all routes marked with community 100:77 to 77. The implicit-deny at the end of the basic RPL ensures that only passed routes will have their local-preferences adjusted. Of course, this means that all other routes are denied; if this isn’t desirable, you may need more RPLs. These RPLs are also handy for basic community or prefix matching for redistribution to/from/between IGPs.

community-set CS_100_77

route-policy RPL_BGP_IPV4_R3_IN
 apply RPL_IF_COM_PASS(CS_100_77)
 set local-preference 77

5. Master IOS-XR apply-groups. These are huge time-savers if used intelligently. I personally like to define them for IS-IS and RSVP links. Below is a simple RSVP example; this ensures that all links have some bandwidth assigned to them, and all you need to do is add interfaces under RSVP. A similar construct could be handy for coloring MPLS-TE links with affinity values. For as RSVP example, migrating to a DS-TE network can be simplified when changing all bandwidths to BC0/BC1 syntax becomes effectively one change.

 interface ‘Gig.*’
 ! Change the command below and all interfaces will update
  bandwidth 100000 

 apply-group RSVP_LINK
 interface GigabitEthernet0/0/0/0
 interface GigabitEthernet0/0/0/1

Below is an IS-IS example. This reduces a lot per-interface configuration that no longer needs to be replicated many times. I did not use apply-groups on my first attempt but I did on my second, and I am comfortable saying that they helped me pass.

 router isis ‘100’
  interface ‘Gig.*’
   hello-padding disable
   address-family ipv4 unicast
    mpls ldp sync
    tag 10
    fast-reroute per-prefix

router isis 100
 apply-group ISIS_LINK
 interface GigabitEthernet0/0/0/0
 interface GigabitEthernet0/0/0/1

Next, I will discuss the three sections of the exam. They are broken down below:

1. Troubleshooting: You will be presented with a sizable network with a number of unrelated trouble tickets to resolve. The tickets are close-ended and very directive. While creative solutions COULD be used to solve any problem, I would recommend only solving the problem and nothing more. If the command tells you to match some show command output, don’t waste your time testing reachability. Tickets may range from a single fault on a single device to multiple faults on multiple devices. Pay attention to the point value associated with the question to gauge its difficulty. Since TSHOOT tickets are supposed to totally independent from one another, I would recommend doing them in sequence. If you get stuck, move on, but remember that hopping around too much isn’t valuable. Since the topology is presented before you with a simple “click on router, get CLI” access mechanism, do not spend time drawing a diagram. It is possible (but unlikely) to solve one ticket and subsequently break another, so I recommend allocating about 5 minutes at the end of TSHOOT to do a very quick check of your correctly answered tickets. This check should be a single show/traceroute/ping command to verify the solution still works. You can leave the TSHOOT section early if you are fast; in both of my lab attempts, I finished in about 90 minutes. The extra time is carried into CONFIG … trust me, you will need it!

In summary:
a. Do not draw a diagram.
b. Perform tasks in sequence; no need to read the whole section first.
c. Perform a cursory verification at the end.

2. Diagnostics: This is probably the scariest part of the test since it’s relatively new to both RS and SP tracks. TSHOOT existed on RSv4 so there is some experience with that mindset (I took and passed RSv4 as well). The diagnostic section is testing your ability to differentiate between important and unimportant pieces of information. You will be presented with emails, device configurations, logs, and show command outputs. You need to find the problem, and in some cases, suggest a solution. Because the GUI is a little different for DIAG, I strongly recommend taking a moment to draw diagrams for the topologies presented in this section. I did not do this for my first attempt and it made things very difficult for me. As you shuffle back and forth between artifacts, you’ll want to keep the diagram handy. Spend no more than 5 minutes total on all diagrams; no need to include details like interface enumerations or IP addresses. A general diagram for reference is good enough; routers, hostnames, and links are sufficient. DIAG questions are independent from one another like TSHOOT, so sequence isn’t terribly important. As such, I recommend moving sequentially through this section as well. Since there is no CLI access, detailed verification is not possible, but you can move back and forth through the tickets at will. At the end of the section (5 minutes left), quickly skim each question to ensure you at least answered all questions. You cannot end the DIAG section early so if you manage to finish with spare time, I would recommend a deeper scrub of the configuration files to verify that your solution makes sense. There is more information than a human can possibly process in an hour, which is exactly what DIAG is trying to test.

In summary:
a. Draw rudimentary diagrams before beginning for all sections (5 minutes maximum).
b. Perform tasks in sequence; no need to read the whole section first.
c. Just make sure you answered all the questions at the end. If you have more time, be sure to use it with some extra verification by scrubbing the artifacts.

3. Configuration: The classic CCIE lab exam, this is where all tasks are very open-ended and it’s your job to implement appropriate solutions within a larger network design. The network is sizable like TSHOOT and the GUI works the same way. This is very nice from a consistency standpoint. One thing I really liked about SPv4 is that the questions were more open-ended than I originally anticipated. You really can do whatever you want; I took some off-the-wall creative liberties on both attempts … and did well both times. This helped boost my confidence, even after a failure, because I knew that the graders weren’t looking for “the” solution. Any valid solution qualifies, and you often have many choices. That being said, always try to implement the simplest solution that is dynamic and isolated (meaning, it doesn’t affect other things). READ THE WHOLE EXAM FIRST. This is the oldest advice you’ll ever get from a CCIE and its still true here. You may implement a design that solves 80% of your problems, but creates some new problems that end up costing you time later. I made this mistake during my first attempt. Like TSHOOT, the diagram is presented before you and I do not recommend drawing it. It would take at least 15 minutes to draw an accurate and detailed diagram (then the time to verify it), which isn’t worth the time. I tend to group tasks together based on their function rather than their sequence in the lab. For example, if Task 2.3 tells you to do some MPLS-TE using RSVP, then task 5.2 asks you to deploy TE-FRR across many devices, it would make sense to configure some of those things together. You already need to enable TE on all interfaces explicitly (in IOS and IOS-XE), so why not enable BFD-based RSVP hello signaling as well? You are already in the TE mindset, so creating some backup tunnels at the same time is a natural efficiency to leverage. The same is true for configuring IGP (early) and securing it with authentication (later); doing it all at once isn’t much harder and helps you grab points quickly. If you see that PIM-based multicast VPN is required towards the end, you might as well enable PIM while you are turning on MPLS-TE at the link-level. Note that these specific examples are not based on real exam questions; they are for illustration only. I wish I could take my own advice on this next piece of advice, but detailed verification is critical. I simply ran out of time (even with the extra 30 minutes carried over from TSHOOT) on both attempts. I managed to set aside 30 minutes at the end for verification which allowed me to perform a not-deep-enough verification, but I did catch some minor errors. Ideally, you should allocate a full hour for it. I don’t know the exact passing score, but I had a number in my mind, and I was just a little bit above that number at the one-hour-remaining mark. I knew I needed more points to build a buffer to compensate for incorrectly answered questions, hence the abbreviated verification process.

In summary:
a. Do not draw a diagram.
b. Read the whole lab first and perform tasks in the most efficient/sensible sequence.
c. Perform a detailed verification to the best of your ability (one hour minimum).

Please comment if this was helpful (or not) for all your SPv4 candidates out there. The new blueprint is extensive, but trust me, Cisco has added this new content because it is valued in the SP industry.

CCDE – Carrier Supporting Carrier


In the previous post I showed some of the options to interconnect two AS so that a customer can buy a VPN in two different locations from two different SPs. There is another technology called Carrier Supporting Carrier or Carrier of Carriers. This technology is used when a customer buys a circuit from an SP, Internet service or L3 VPN and that SP uses another SP to carry their traffic between the locations. The SP connecting the customer is then the customer carrier and the SP providing the backbone is the backbone carrier. It is also possible to combine CSC with the Inter-AS options in the previous post, I will show an example of this being used in a real life network in the research world.

Carrier Supporting Carrier

CSC is a technology used to expand the reach of a SP by using another SP as transport. The concept is shown in the following diagram.


The customer carrier is providing a service to the customer. It can be an Internet service, MPLS switched or not or an MPLS L3 VPN. The CSC VPN service provides MPLS transport for the customer carrier. It is also sometimes referred to as a hierarchical VPN and is defined in RFC 4364. The CSC-CE is the device located in the customer carriers network, connecting to the backbone carrier. The CSC-PE is the device located in the backbone carriers network connecting to the customer carrier.

The first question someone might ask is “How will this scale if the backbone carrier must carry all the customer routes from the customer carrier?”. That’s a very valid question. The beauty of CSC is that it only requires the IP addresses of the PEs in the customer carrier to be advertised to the backbone carrier. The customer routes never make it into the backbone carrier which makes it a very scalable solution. Each customer carrier will belong to a VRF of its own.

How does CSC assign the labels? There are two options. Either IGP + LDP can be used where the CSC-PE would consider the CSC-CE to be a normal CE and it could use static routing, EIGRP, OSPF, etc to advertise the routes. It’s not common to run IGP + LDP on a link though unless it belongs to the same organization. The standard approach would be to use labelled BGP. Running IGP + LDP in CSC is less risky than in Inter-AS solutions though since it will only populate the VRF and not the global table. The following diagram shows the peerings involved in CSC.

CSC Detailed
CSC Detailed

The CSC-CE and CSC-PE exchange routes and labels via eBGP. The CSC-CE routers setup iBGP to propagate routes between the two islands. This can be IPv4 routes or VPNv4 routes. The BGP session could be between PE routers or RRs as well.

This technology can support both VPNs and non VPNs from the customer carrier. The label stack would be deeper for a VPN which may be considered for what MTU to use on the link between the CSC-PE and CSC-CE.

When covering technologies like this it’s rare that you see them deployed in the real world. A friend sent a link to a paper describing a solution based on this technology. It’s a joint effort from national research and education network (NREN), GEANT and NORDUnet. They call it a multi domain VPN (MD-VPN). The NREN will peer eBGP to the GEANT network and send labelled BGP routes.

MDVPN Overview
MDVPN Overview

The NREN can then peer with each other to exchange eBGP VPNv4 routes or IPv4 routes or even use it for L2 VPN. GEANT only needs reachability to the PEs and to receive the labels for those. To scale better, GEANT implemented route reflectors to reduce the number of peerings needed by each NREN and this RR supports both IPv4, VPNv4 and L2 VPNs. It also support the IPv6 address family.

This diagram shows how the NREN would enable iBGP labelled unicast within their AS. It would also be possible to redistribute between BGP and IGP to assign labels.


The next diagram shows the complete solution where the NREN peers with the RR in GEANTs network.


Like I mentioned it is also possible to use L2 VPNs, by using targeted LDP between the two NRENs.


It’s important for the GEANT RR to not modify the next-hop, which would normally be done on eBGP sessions. It’s nice to see that this technology is used in the real life. Once the peerings are in place, it’s quite simple to provide VPNs over this technology.

CCDE – Inter AS L3 VPNs


Sometimes a customer needs a L3 VPN between two locations where the same SP is not present. This can be on a national or international basis. It would be possible to buy an Internet circuit and run an overlay such as DMVPN but what if the customer wants to buy a MPLS VPN circuit?

The customer could buy a VPN from SP1 in location1 and a VPN from SP2 in location2. The two SPs would then have to exchange traffic somehow to make the customer circuit end to end. The concept is shown in the following topology.

Inter-AS-L3VPN Overview
Inter-AS-L3VPN Overview

The customer connects to the PE of each of the SPs. The SPs need to interconnect at some common point, either through a public peering place such as an IX or with an private interconnect at a common location. The routers that connect to each other are called autonomous system border routers (ASBR). There are three main options and a fourth option which combines two of the others.

Inter-AS Option A

Option A is the most simple of the options to interconnect the ASBRs. Each customer VRF requires either a physical interface or more likely a subinterface. Option A has the following characteristics.

  • Each ASBR thinks the other is a CE
  • One logical interface per VPN
  • Link may use any supported PE-CE protocol
  • Packets are sent unlabelled between the ASBRs
  • QoS policies are negotiated and manually configured on the ASBRs
  • The most secure and easy option to provision
  • Does not scale well to a large number of VPNs
Inter-AS Option A Overview
Inter-AS Option A Overview

As the diagram shows, the LSP is between the PE and the ASBR for each SP, there is no end to end LSP. Packets are sent unlabelled between the LSPs. The ASBRs considers the other one to be a CE, meaning that any routing protocol is supported such as static routes, IGP or BGP. Do note that if BGP is used, the updates are sent as IPv4 updates and not VPNv4.

Option A is the most simple to use and requires the least amount of trust between the SPs. It works well when providing VPNs to another SP is a rare thing. It can get cumbersome if two SPs have an agreement and exchange traffic for hundreds of VPNs between them. The number of BGP sessions between the ASBRs can become a scaling issue depending on the platform in use. One advantage of Option A is that SPs do not need to use the same RT values since VPNv4 updates are not exchanged. There is also no need to disable the automatic RT filter.

Since the ASBR will generate a VPNv4 update to its local AS, there is no need to manipulate the next-hop or redistribute the ASBR-link into the IGP. The next-hop will automatically be set to the ASBR to an address in the global table, otherwise there would be no reachability.

Another point to consider with Option A is that the ASBR will have to install all the routes into RIB/FIB which may also become a scaling factor together with the number of BGP sessions.

Inter-AS Option B

Inter-AS Option B is a more scalable solution compared to Option A. It does not require any VRFs on the ASBRs, it uses VPNv4 eBGP to exchange VPNv4 updates. It has the following characteristics.

  • Single interface to connect the ASBRs
  • Packets are sent labelled between the ASBRs
  • More complex to implement QoS
  • No need for VRFs on the ASBR
  • ASBRs must be directly connected
  • Less secure and requires more trust between SPs
  • Less granular traffic engineering and per customer control (maximum routes)
  • Scales better than Option A
  • Does not support BGP Pic Edge
Option B Overview
Option B Overview

There are a few different ways to implement Option B. As can be seen in the diagram, there is an end to end LSP although it in reality consists of three LSPs that are stitched together.

How does the ASBR know what label to use when sending packets to the other ASBR? We have no IGP or LDP running on the link. BGP will be used to generate the labels. This means that both eBGP VPNv4 and a IPv4 session needs to be setup between the ASBRs. Since the VPNv4 session is eBGP, the next-hop when sending the update to the other ASBR, will be the local ASBR. Each ASBR needs to generate a label for the next-hop they are using when sending BGP updates to each other.

One point to consider for Option B is that the ASBR most store all the BGP updates although it will not install them into any VRF. This also means that automatic route target filtering needs to be disabled at the ASBR.

I mentioned that there are a few different methods to implement option B. The first one is to set next-hop-self on the ASBR. Any PE in the local AS will then have the local ASBR as the next-hop for which it will have a transport label through IGP + LDP. There will then be a LSP between local PE to local ASBR, local ASBR to remote ASBR, remote ASBR to remote PE.

Another option is to have the next-hop remain unchanged when VPNv4 updates are sent between the ASBRs. When the local PE receives the update the next-hop will be the remote ASBR. This means that the link connecting the ASBRs should be redistributed into the IGP. LDP can then generate a label for it once it’s in the IGP. BGP will automatically install a /32 connected route for the eBGP peer on the ASBR when using labelled BGP. When this method is used, there are only two LSPs. One LSP is from the local PE to the remote ASBR and then from the remote ASBR to the remote PE.

As always, there are design considerations depending on keep to next-hop unchanged or not. Everytime the BGP next-hop is changed, a new VPN label is generated. In some scenarios with multiple ASBRs between the SPs, better load sharing can be achieved when using next-hop-self because the local ASBR may only have sent a single best path into the local AS but it is itself aware of multiple paths. If the local ASBR sets the next-hop to itself and uses multi path, it can choose between multiple paths to the remote ASBRs, achieving better load sharing. If the next-hop is not set to the local ASBR, the local PE will have a next-hop of a remote PE and be unaware that there are multiple paths in the remote AS. This could be worked around by using Add Path on the ASBR to have it send multiple paths. Setting the next-hop to self comes with other design considerations though, as I mentioned in the BGP convergence blog.

The final option which may used for load sharing is to have several interfaces between the ASBRs and do eBGP multihop between the ASBRs. This solution comes with a lot of caveats though. MPLS BGP forwarding is only supported on directly connected interfaces. To work around this, LDP needs to be enabled or to use static label binding which makes the solution a lot more complex. There are also a lot of caveats depending on if the ASBR interface is multicaccess or point-to-point. MPLS BGP forwarding must still be enabled on the interface even if static labels are used. An interface will not accept incoming labelled packets otherwise. Running LDP may be acceptable if the two ASBRs belong to the same organization but belong to different AS.

With Option B (and C) there is a need to coordinate the RT values used for the customer(s). If the values have not been coordinated, routes may not be imported into the customer VRF or worst case, they get imported to the wrong VRF. It is also possible to rewrite the RT values at the edge to work around this.

I briefly mentioned that BGP Pic Edge is not supported when using Option B but as always, it depends… The traditional method to achieve load sharing and fast convergence in MPLS VPNs is to use a separate RD per VRF per PE. This creates a problem for BGP PIC Edge though, since the RD values are different, it’s different routes and they can therefore not be backup for each other. A work around is to not use unique RD values and rely on Add Path instead.

Inter-AS Option C

Inter-AS Option C is when VPNv4 updates are either sent between PEs or more likely between RRs in the different AS. It is the most scalable solution but also the least secure. It has the following characteristics.

  • End to end LSP
  • Most scalable
  • Labelled BGP between ASBRs or IGP + LDP
  • VPNv4 between ASBRs
  • Must leak PE loopbacks between AS
  • Requires the most trust and is the least secure
Option-C Overview
Option-C Overview

When an eBGP VPNv4 peering is enabled between the RRs, the next-hop must remain unchanged to not insert the RRs into the packet flow. The ASBRs will run labelled BGP and leak loopback PEs from the other AS to be able to find a label to the next-hop. The LSP will then be end to end and not stitched, as was the case with Option B. The PE loopbacks can either be redistributed into the IGP after being received from BGP or they can be sent as labelled BGP routes if all the PEs has this address family (AFI) enabled. The latter option will have a deeper label stack than redistributing into IGP though.

It’s not likely that Option C will be deployed between two different SPs because of the level of trust required between them.

Inter-AS Option AB

There is also an Option AB or which combines the characteristics of option A and B. It is also sometimes referred to as Option D. Option AB uses VRFs at the ASBR but it uses a single eBGP VPNv4 session to exchange the routes. Option AB sends unlabelled packets between the ASBRs which makes it retain the positive attributes of Option A, such as per VRF policies and QoS markings. It does however use a single BGP session which was used in Option B for better scalability. The VRFs on the ASBR need to be enabled for Option AB as well as the peer under the eBGP VPNv4 session on the ASBR. This means that the ASBR needs one logical interface per VRF between the ASBRs and one global interface for the eBGP VPNv4 session. Another positive aspect of option AB is that the ASBR acts as a PE in that it can import a certain RT value and export with another RT value. In option B, there was no local VRF configured, meaning that the RT values of the other AS would get carried in the update.

I will not dive into the details of Option AB as I would consider that out of scope for the CCDE. There is some next-hop trickery involved to be able to send VPNv4 updates but use unlabelled traffic between the ASBRs.

Since Option AB is basically the best of Option A and Option B, it makes sense to use this to connect two SPs unless they belong to the same organization, Option C would be a viable option then. It would also be reasonable to deploy Option A if there were only a few VRFs involved.

Networking articles by CCIE #37149/ CCDE #20160011