BRKCCIE-3003: The CCDE (Session Number-1234)

© 2006, Cisco Systems, Inc. All rights reserved. © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

Posted on 26-Mar-2020



The CCDE

• What is the CCDE?

• The Written Exam

• The Practical Exam


The CCDE Logo

• This is not the CCDE Logo
• There is no logo at this point
• We are waiting on the Cisco Identity Team to come up with a logo for this certification
• They intend to have a logo ready by the time the certification launches


What is the CCDE?


What is the CCDE?

• Why Are We Doing This?

• Where Does the CCDE Fit?

• What the CCDE is Not

• How the CCDE Was Developed

• The Bottom Line


Why Are We Doing This?

• To understand the CCDE, we need to start with the group building the CCDE

John Cavanaugh: TAC => AS Global Services, 10+ years at Cisco
Khalid Raza: TAC => CA network design, 10+ years at Cisco
Bruce Pinsky: TAC => CA network design, 10+ years at Cisco
Alvaro Retana: TAC => IOS RP/Architecture Team, 10+ years at Cisco
Russ White: TAC => IOS RP/Architecture Team, 10+ years at Cisco
Mosaddaq Turabi: TAC => CA network design, 10+ years at Cisco
Steve Barnes: 7+ years at Cisco


Why Are We Doing This?

• Notice the pattern?
We all started in implementation and troubleshooting
We all moved into network and protocol design positions over our time at Cisco
We all learned how to design networks by seeing networks fail

• As we moved, our certifications didn’t (really) keep up
This is a microcosm of the industry as a whole

Where were you ten years ago?


Why Are We Doing This?

• The network engineering field has split into many pieces

• Implementation and design are almost completely different career paths

Operations and design are not normally both outsourced

Design is almost always global, while operations might be global or regional

Most people seem to move from operations to design work over time

[Figure: career-path diagram with Design and Implementation tracks, using Voice and SAN as examples]

Why Are We Doing This?

• We seem to have lost our “roots”

We focus on specific technologies: Voice, WAN Acceleration, Security, ....

We focus on “Places in the Network”: the data center, the WAN, the campus, ....

[Figure: “L3 Roots” beneath the Design and Implementation tracks for Voice and SAN]

Why Are We Doing This?

• L3 design is no longer widely taught or practiced

Routing and L3 design are “easy,” in theory

And yet... A lot of L3 design problems seem to be cropping up

[Figure: “L3 Roots” beneath the Design and Implementation tracks for Voice and SAN]

Why Are We Doing This?

• The CCDE
Is a certification with relevance to what I actually do
Provides a target for those coming into design
Much like the original CCIE, this is a baseline
You build special skills on top of this, not in lieu of it
Provides a backfill for those already in design
A baseline of skills on which to build special skills


Where Does the CCDE Fit?

• Certifications can be seen in two dimensions

What does it certify? Implementation or Design
How does it relate to the business? Tactically or Strategically; Vertically or Horizontally

[Figure: two-axis chart, Strategic/Tactical vs. Implementation/Design]

Where Does the CCDE Fit?

• The CCDE is Strategically Oriented

Not the “tyranny of the immediate”

Long term problems are the focus

Where is this network now?
Where will it be in five years?

How do I get it from here to there?

[Figure: two-axis chart, Strategic/Tactical vs. Implementation/Design]

Where Does the CCDE Fit?

• The CCDE is Design Oriented
What changes do I need to make to....
Merge these Networks?
Implement this Application?
Provide this Level of Security?
Prepare this Network for the Next Five Years?
How do I transition the network?
Business hurdles?
Technical hurdles?
People hurdles?

[Figure: two-axis chart, Strategic/Tactical vs. Implementation/Design]

Where Does the CCDE Fit?

Senior Network Designer: Designs large scale networks in a variety of business environments; troubleshoots and resolves design level issues

Network Designer: Designs moderate scale networks in a narrow set of business environments; designs components of larger networks

Network Designer: Understands the fundamentals of network design; designs components of medium and large scale networks

Where Does the CCDE Fit?

• The CCDE is more horizontal to the business

Interacts with the business, rather than following the business

[Figure: vertical vs. horizontal relationship to the business: business requirements -> functional requirements/specifications -> technical requirements/specifications -> implementation plans and designs]

What the CCDE is Not

• This is not a business test
There is no “budget” for any given problem

• But—there are business problems on the test
Business problems provide the primary structure

Business problems provide the primary driver towards specific technology solutions


What the CCDE is Not

• You do not “go forth and configure”
This is higher level than the “?”

• This is not about choosing the right equipment in the right place

Hardware limitations only come in at a high level

Hardware changes occur on a daily basis

• The skills you demonstrate for this certification should be timeless


How the CCDE Was Developed

• Start with a team of old timers

10+ years at Cisco
Prior CCIE program involvement
Current CCIE
Currently doing design
Must wear old folk’s glasses
Gray hair a plus
You get the idea....


How the CCDE Was Developed

• Walk through a group of typical customer engagements
Better known as “tell war stories”
How did you get involved?
What information were you given?
What else did you ask for?
What sorts of documentation did you provide?
What process did you use to design the solution?
How did you present the design?
What changes were made during the presentation phase?
Did it work?


How the CCDE Was Developed

• Build a set of claims from the Engagement Structure
• Classify each claim based on the type of task
Does the candidate need to know a piece of knowledge, know how to do something, or be able to analyze something?

• Set the weight for each claim
How important is it for a qualified candidate to know this?


How the CCDE Was Developed

• Determine how to ask the question
Can the context for the question be contained in the stem of a single question?
Are there analytical skills involved?
Can the question be formed so it can be answered with a multiple choice response?

• The answers to these questions determine whether the skill can be tested on the written, or must be tested on the practical


How the CCDE Was Developed

• Write a bunch of questions
Cover the claims determined to be suitable for the written examination
Cover the claims in the weightings determined

• Review a bunch of questions
Does the question actually test the claimed knowledge or skill?
Is the question psychometrically sound?
Do we care?
Will knowing this specific bit of knowledge or having this specific skill actually impact someone’s ability to design well?


How the CCDE Was Developed

• Throw out a bunch of questions
For every question on the beta examination, three were written

• Run the beta exam
Do a bunch of psychometric magic
I’m a routing geek, not a psychometric geek, so don’t ask

• Throw out a bunch of questions
Didn’t we just do this?
Three out of every four questions written were discarded


How the CCDE Was Developed

• How long did this take?
Two and a half years
More than 100 years of “man hours”


The Bottom Line

The Cisco Certified Design Expert

• The CCDE is an expert level network design certification

• Comparable to the CCIE in difficulty, depth, and breadth

• Focusing on Layer 3 network design

• Includes the touch points between layer 3 and the layers above and below

• Includes the touch points between layers 3 and 9, but does not focus on business aspects

• Is generally vendor neutral—technology, not features

The Written Exam


The Written Exam

• The Purpose of the Written
• Written Outline
Design, Routing, Tunneling, QoS, Management, Security

The Purpose of the Written

• Test Knowledge of Design Concepts
Theoretical Knowledge of Network Design Principles

• Test Technology Knowledge
No “Bit Level” Questions
No Configurations
Focused on Design Implications

• Show Qualification for the Practical
If you don’t know this stuff, you don’t have any hope of passing the practical....


Routing

• If Host A sends a packet to Host F, what will happen?

The packet will be discarded at B
The packet will be discarded at C
The packet will be received by D
The packet will be discarded at E
The packet will be received by F

Aggregation


Routing

• The packet is discarded at C
The destination address is 10.1.1.48
This falls within 10.1.1.0/25
So the traffic is routed to C
But C doesn’t have an ARP entry for this destination
So it ARPs and drops the packet

• Why do we care?
Overlapping destinations are a fact of life when you aggregate

You need to understand how they interact

Aggregation
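The answer above turns on longest-prefix matching: C's more specific 10.1.1.0/25 attracts every address it covers, whether or not the host is actually on C's segment. The Python model below is an added example, not code from the slides or from Cisco; the topology, FIBs and ARP tables are constructed (the slide diagram is not in the transcript), as are the names Route, forward and fixed_fib. It walks a packet hop by hop, reproduces the ARP-miss drop at C for 10.1.1.48, and then shows the design fix of advertising the overlapping /28 explicitly so B's lookup is exact.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str          # name of the next router, or "connected"


def longest_prefix_match(fib, dst):
    """Return the most specific route covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in fib if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def _net(s):
    return ipaddress.ip_network(s)


# Constructed topology.  E advertises only the aggregate 10.1.1.0/24 to B,
# while C advertises its own connected /25.  Host F (10.1.1.48) really lives
# behind E, inside the range C's /25 also claims.
FIB = {
    "B": [Route(_net("10.1.1.0/24"), "E"),        # aggregate from E
          Route(_net("10.1.1.0/25"), "C")],       # more specific from C
    "C": [Route(_net("10.1.1.0/25"), "connected")],
    "E": [Route(_net("10.1.1.48/28"), "connected")],
}
# Hosts each router has actually resolved with ARP on its connected segment.
ARP = {
    "C": {"10.1.1.10", "10.1.1.20"},
    "E": {"10.1.1.48"},
}


def forward(start, dst, fib=FIB, arp=ARP, max_hops=8):
    """Walk a packet hop by hop; return (routers visited, outcome)."""
    path, router = [start], start
    for _ in range(max_hops):
        route = longest_prefix_match(fib.get(router, []), dst)
        if route is None:
            return path, f"dropped at {router}: no route"
        if route.next_hop == "connected":
            if dst in arp.get(router, set()):
                return path, f"delivered by {router}"
            # The router ARPs for a host that is not on this segment,
            # gets no reply, and the packet is dropped.
            return path, f"dropped at {router}: no ARP entry for {dst}"
        router = route.next_hop
        path.append(router)
    return path, "dropped: hop limit exceeded"


def fixed_fib(fib=FIB):
    """Design fix: B also learns the overlapping /28 behind E."""
    patched = dict(fib)
    patched["B"] = fib["B"] + [Route(_net("10.1.1.48/28"), "E")]
    return patched


if __name__ == "__main__":
    for host in ("10.1.1.48", "10.1.1.10", "10.1.1.200"):
        print(host, forward("B", host))
    print("after fix:", forward("B", "10.1.1.48", fib=fixed_fib()))
```

The same model answers the design question the slide raises: any time an aggregate and a more specific prefix overlap, list the addresses the more specific one covers but does not own, because those are exactly the destinations that will be black-holed.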


Routing

• What justification would you give for configuring Router A as an ABR, with the Hub and Spoke area as an OSPF stub area, without route summarization?

To reduce the routing table size at Router B

To reduce the complexity of the full mesh in OSPF

To reduce the impact of Router B failing at Router C

To reduce SPF run time at Router A

Aggregation


Routing

• To reduce the impact of Router B failing at Router C

Router B failing would normally cause a full SPF run on all routers

If the Hub and Spoke area is a stub, routers within the area would not run SPF for a failure at B

• Why do we care?
Failure domains are intrinsically related to flooding domains in link state protocols

Failure domains are important in network design

Aggregation


Routing

• If the link between A and B fails, when will EIGRP on C discover the failure?

Immediately

The next time B transmits a CDP status packet to C

When B takes the link to C down

When the routing protocol adjacency fails

Layer 2 Interaction


Routing

• When the routing protocol adjacency fails
CDP doesn’t have status packets
B has no reason to take the B to C link down when the A to B link fails
As long as the link status is up, EIGRP on C has no reason to remove A from its neighbor table

• Why do we care?
Because this layer 2 behavior impacts network convergence at layer 3

When considering fast convergence to support an application, you need to take layer 2 links into account

Layer 2 Interaction


Routing

• Traffic Flow vs RP Metric Tuning
• Routing Protocol Operation
Adjacency Formation
Loop Free Paths
• Address Allocation
• Multicast Operation
Multicast Routing
• Operational Costs of Configuration
Configuring with Intent


Tunneling

• A company wants to carry credit card transactions between Host A and Host B. What tunneling mechanism should they consider?

L2TPv3
IPsec tunnels using AH
An L3VPN using MPLS
IPsec tunnels using ESP

End Services


Tunneling

• IPsec tunnels using ESP
First, what sort of protection do we need for this application?
Prevent outsiders from seeing it altogether
L2TPv2: Provides layer 2 transport (not layer 3)
IPsec using AH does not prevent snooping
L3VPNs using MPLS do not encrypt data
IPsec using ESP encrypts the data

• Why do we care?
Because of the layer 3 interaction with the application
What does the application need?
What is the best layer 3 mechanism for providing it?

End Services


Tunneling

• What tunneling mechanism would you consider for connecting 1000 remote sites which need to be fully meshed, have layer 3 transport requirements only, and use OSPF routing?

VPLS

IPsec using AH

L3VPNs

GRE tunnels

Scalability


Tunneling

• L3VPNs
VPLS would require a full mesh of 1000 OSPF adjacencies
IPsec would require a full mesh of 1000 tunnels, and wouldn’t support OSPF (no multicast support)
GRE would require a full mesh of 1000 tunnels and OSPF adjacencies
L3VPNs allow you to carry routing information through the tunnel infrastructure without forming adjacencies through the tunnels

• Why do we care?
The tunnel infrastructure directly impacts the layer 3 and routing scalability
We need to choose the tunnel mechanisms we use with this in mind

Scalability


Tunneling

• When using any form of IPsec over GRE tunneling (for instance, DMVPNs) over a public or private network, how many routing instances will you need to provide full reachability?

One

Two

Three

Four

L3 Routing Interaction


Tunneling

• Two
One to provide reachability between the tunnel endpoints
One to provide reachability between the destinations reachable through the tunnels

• Why do we care?
The tunnel mechanism directly impacts the routing design

We need to design the routing around the tunneling mechanism chosen

L3 Routing Interaction
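The two routing instances in the answer above are easiest to see as a two-step lookup: the destination resolves in the overlay to a tunnel next hop, and that tunnel's remote endpoint then resolves in the underlay to a physical interface. The Python model below is an added example, not from the slides or from Cisco; the spoke router's tables, addresses and the endpoint mapping are constructed, and the names resolve, UNDERLAY, OVERLAY and TUNNEL_ENDPOINTS are mine. It also shows the failure mode you get when the two instances are collapsed into one table: a prefix covering the hub's own endpoint leaks into the overlay, the endpoint becomes "reachable" through the tunnel that depends on it, and the tunnel can never come up (recursive routing).

```python
import ipaddress


def _net(s):
    return ipaddress.ip_network(s)


def lpm(table, dst):
    """Longest-prefix match over [(network, (interface, next_hop)), ...]."""
    addr = ipaddress.ip_address(dst)
    hits = [entry for entry in table if addr in entry[0]]
    return max(hits, key=lambda e: e[0].prefixlen, default=None)


# Constructed spoke router.  Instance 1 (underlay): how to reach the other
# tunnel endpoints across the transport network.
UNDERLAY = [
    (_net("203.0.113.0/30"), ("GigabitEthernet0/0", None)),           # provider link, connected
    (_net("0.0.0.0/0"),      ("GigabitEthernet0/0", "203.0.113.1")),  # transport default
]
# Instance 2 (overlay): what is reachable through the tunnels.  The last entry
# is the hub's own uplink prefix, leaked into the overlay by a careless
# redistribution; it is the constructed mistake exercised below.
OVERLAY = [
    (_net("172.16.0.0/24"),   ("Tunnel0", None)),          # tunnel subnet, connected
    (_net("10.0.0.0/8"),      ("Tunnel0", "172.16.0.1")),  # corporate routes via the hub
    (_net("198.51.100.0/24"), ("Tunnel0", "172.16.0.1")),  # hub uplink prefix (leaked)
]
# Overlay address of a tunnel peer -> its transport address (an NHRP-style
# mapping; constructed values).
TUNNEL_ENDPOINTS = {"172.16.0.1": "198.51.100.1"}


def resolve(dst, overlay, underlay, endpoints=TUNNEL_ENDPOINTS):
    """Resolve dst in the overlay, then the tunnel endpoint in the underlay."""
    route = lpm(overlay, dst)
    if route is None:
        return {"status": "no route"}
    iface, next_hop = route[1]
    if not iface.startswith("Tunnel"):
        return {"status": "ok", "egress": iface, "next_hop": next_hop}
    # A connected tunnel subnet has no next hop: the destination is itself a peer.
    peer = next_hop if next_hop is not None else dst
    endpoint = endpoints.get(peer)
    if endpoint is None:
        return {"status": "no endpoint mapping", "peer": peer}
    transport = lpm(underlay, endpoint)
    if transport is None:
        return {"status": "endpoint unreachable", "endpoint": endpoint}
    t_iface, t_next_hop = transport[1]
    if t_iface.startswith("Tunnel"):
        # The endpoint is "reachable" only through the tunnel that needs it:
        # recursive routing, so the tunnel flaps instead of carrying traffic.
        return {"status": "recursive routing", "endpoint": endpoint, "via": t_iface}
    return {"status": "ok", "tunnel": iface, "endpoint": endpoint,
            "egress": t_iface, "next_hop": t_next_hop}


# The same routes collapsed into a single routing instance.
SINGLE_TABLE = OVERLAY + UNDERLAY

if __name__ == "__main__":
    print("two instances:", resolve("10.1.2.3", OVERLAY, UNDERLAY))
    print("one instance: ", resolve("10.1.2.3", SINGLE_TABLE, SINGLE_TABLE))
```

With separate instances the leaked 198.51.100.0/24 is harmless, because endpoint lookups never consult the overlay; with one table it wins the longest match for the hub's transport address and the tunnel resolves to itself.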


Tunneling

• Topology
Understand the impact of logical and physical topologies

• Inter-Provider
Understand the mechanisms available for carrying tunnels through service provider boundaries

• Path Selection
Understand steering traffic with and into tunnels

• Failover
Understand mechanisms for providing fast failover in tunnel environments


Quality of Service

• Which of the following would you deploy to control delay along the path from A to B?

Head of queue dropping

Traffic policing

Tail of queue dropping

Traffic shaping

Performance Metrics


Quality of Service

• Traffic policing
Head of queue and tail of queue drops will drop random packets, so the delay will be random
Traffic shaping will try to keep the traffic in line, but will really tail drop in this case
Traffic policing will drop traffic which is out of policy, keeping the delay consistent

• Why do we care?
This is an interaction between layer 3 and transport behavior required by specific applications

Performance Metrics
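The delay argument in the answer above can be made concrete with a token bucket: a policer and a shaper share the same bucket, but the policer drops an out-of-profile packet at once (zero added delay) while the shaper holds it until tokens accrue and only tail-drops when its queue fills. The Python simulation below is an added example, not from the slides or from Cisco; the traffic pattern, rate and queue limit are constructed, and token_bucket_policer, token_bucket_shaper and summarize are my names. Times are in milliseconds and the contract is 1 Mbit/s (125 bytes/ms) with a one-packet burst allowance.

```python
def token_bucket_policer(arrivals, rate, burst):
    """Single-rate policer.  A packet is forwarded only if the bucket holds
    enough tokens at its arrival time; otherwise it is dropped immediately.
    arrivals: [(arrival_ms, size_bytes)], rate in bytes/ms, burst in bytes.
    Returns [(arrival_ms, size_bytes, action, delay_ms)]."""
    tokens, last, out = float(burst), 0.0, []
    for t, size in arrivals:
        tokens = min(float(burst), tokens + (t - last) * rate)   # refill since last packet
        last = t
        if size <= tokens:
            tokens -= size
            out.append((t, size, "forward", 0.0))
        else:
            out.append((t, size, "drop", 0.0))                  # out of profile
    return out


def token_bucket_shaper(arrivals, rate, burst, queue_limit):
    """Same bucket, but out-of-profile packets wait in a FIFO until tokens
    accrue; the FIFO tail-drops once queue_limit bytes are waiting."""
    tokens, last_release, out = float(burst), 0.0, []
    waiting = []  # (release_ms, size_bytes) for packets not yet sent
    for t, size in arrivals:
        if size > burst:                                        # can never conform
            out.append((t, size, "drop", 0.0))
            continue
        waiting = [(r, s) for r, s in waiting if r > t]         # sent packets leave the queue
        if sum(s for _, s in waiting) + size > queue_limit:
            out.append((t, size, "drop", 0.0))                  # tail drop
            continue
        # Earliest instant the bucket holds `size` tokens, never before the
        # previous packet has left (FIFO order).
        release = max(t, last_release + max(0.0, size - tokens) / rate)
        tokens = min(float(burst), tokens + (release - last_release) * rate) - size
        last_release = release
        waiting.append((release, size))
        out.append((t, size, "forward", release - t))
    return out


def summarize(results):
    delays = [d for _, _, action, d in results if action == "forward"]
    return {"forwarded": len(delays),
            "dropped": len(results) - len(delays),
            "max_delay_ms": max(delays, default=0.0)}


# Constructed traffic: ten 1500-byte packets arriving at once, and the same
# ten packets spaced exactly at the contracted rate.
RATE_BYTES_PER_MS = 125.0
BUCKET_BYTES = 1500
QUEUE_LIMIT_BYTES = 6000
BURST = [(0.0, 1500)] * 10
CONFORMING = [(12.0 * i, 1500) for i in range(10)]

if __name__ == "__main__":
    for name, traffic in (("burst", BURST), ("conforming", CONFORMING)):
        print(name, "policer:", summarize(token_bucket_policer(traffic, RATE_BYTES_PER_MS, BUCKET_BYTES)))
        print(name, "shaper: ", summarize(token_bucket_shaper(traffic, RATE_BYTES_PER_MS, BUCKET_BYTES, QUEUE_LIMIT_BYTES)))
```

For the burst, the policer forwards one packet and drops nine with no added delay, while the shaper forwards five with delays growing by 12 ms per packet before it, too, starts tail-dropping; conforming traffic passes both untouched. That is the trade the slide describes: shaping buys fewer drops with variable delay, policing buys consistent delay with more drops.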


Quality of Service

• Which would you deploy to increase the throughput of multiple TCP traffic flows on a single link?

Head of queue dropping

Traffic Policing

Weighted RED

Traffic Shaping

Differentiated Services


Quality of Service

• Weighted RED
Head of queue dropping will allow the TCP flows to synchronize
Traffic policing and shaping will not balance between the flows to increase overall throughput
Only WRED is specifically designed to prevent TCP flows from consuming all available queue resources, and leave room for other flows
WRED reduces the “sawtooth” effect and synchronization of multiple TCP flows

• Why do we care?
This is an interaction between layer 3 and transport behavior required by specific applications

Differentiated Services
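The mechanism behind the answer above is the RED drop curve: a smoothed (exponentially weighted) queue depth, no drops below a minimum threshold, a linearly rising drop probability up to a maximum threshold, and full drop beyond it; "weighted" means each precedence or DSCP class gets its own thresholds on the same queue. The Python below is an added example, not from the slides or from Cisco; the class profiles and queue-depth samples are constructed, and RedProfile, red_drop_probability, update_average and simulate are my names. It contrasts the curve with tail drop and shows why a short burst is ignored while sustained congestion is not.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RedProfile:
    min_threshold: int       # average depth (packets) where random drops begin
    max_threshold: int       # average depth where every packet is dropped
    max_probability: float   # drop probability reached just below max_threshold


def red_drop_probability(avg_depth, profile):
    """RED/WRED drop probability for one class at the given average depth."""
    if avg_depth < profile.min_threshold:
        return 0.0
    if avg_depth >= profile.max_threshold:
        return 1.0
    span = profile.max_threshold - profile.min_threshold
    return profile.max_probability * (avg_depth - profile.min_threshold) / span


def tail_drop_probability(depth, limit):
    """The FIFO alternative: nothing until the queue is full, then everything."""
    return 1.0 if depth >= limit else 0.0


def update_average(avg_depth, instantaneous_depth, weight=1 / 512):
    """Exponentially weighted moving average of queue depth (RED's smoothing)."""
    return (1.0 - weight) * avg_depth + weight * instantaneous_depth


# Constructed WRED profiles: lower-precedence traffic is dropped earlier than
# higher-precedence traffic sharing the same queue.
WRED_PROFILES = {
    "precedence0": RedProfile(20, 40, 0.10),
    "precedence3": RedProfile(28, 40, 0.10),
    "precedence5": RedProfile(35, 40, 0.10),
}


def drop_probabilities(avg_depth, profiles=WRED_PROFILES):
    """Per-class drop probability at one average depth."""
    return {name: red_drop_probability(avg_depth, p) for name, p in profiles.items()}


def simulate(depth_samples, profiles=WRED_PROFILES, weight=1 / 512):
    """Feed instantaneous depths (one per packet arrival) through the EWMA and
    return (final average depth, per-class drop probability at that point)."""
    avg = 0.0
    for depth in depth_samples:
        avg = update_average(avg, depth, weight)
    return avg, drop_probabilities(avg, profiles)


if __name__ == "__main__":
    for depth in (10, 25, 30, 38, 40):
        print(depth, drop_probabilities(depth), "tail:", tail_drop_probability(depth, 40))
    print("5-packet burst to 60:", simulate([60] * 5))
    print("5000 packets at 30:  ", simulate([30] * 5000))
```

Because drops start early, randomly and per class, individual TCP flows back off at different times instead of all at once, which is the desynchronization the slide credits WRED with.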


Quality of Service

• Integrated Services
RSVP Operations

• Application Requirements
General requirements presented by common applications

• Class Starvation
• Interaction with Other Technologies
DSCP bits in Ethernet, ATM, Frame Relay, etc.

• Policy Based Routing


Network Management

• Which of the following is true of SNMP and Syslog?

Syslog always provides a wider variety of information than SNMP traps
Syslog is more reliable than SNMP traps, since it is carried over TCP
Syslog may lose information because of logging buffer overflows, but SNMP will not

Syslog information is always available as SNMP traps

Analyze Network Conditions


Network Management

• Syslog is more reliable than SNMP traps, since it is carried over TCP
Whether Syslog or SNMP provides more information in a specific case depends on the information provided by the device
SNMP traps can be dropped because of buffer overflows
Syslog information may overlap with SNMP traps, but not always

• Why do we care?
A network design engineer must know when to specify and use the various management tools available
A network design engineer must know what sorts of information to expect from each tool when looking at a design or problem

Analyze Network Conditions


Network Management

• If you wanted to determine the servers which transmit the most traffic to an external destination, which tool would be the most appropriate?

Packet level debugs filtered through an access list

SNMP traps set for traffic flows

Buffered Syslog based on packet event information

Netflow traffic flow statistics

Management Tools


Network Management

• Netflow traffic flow statistics
Packet level debugs? Right!
SNMP wouldn’t be able to keep up with traffic flow information
Syslog would depend on debugs or some other information

• What other options are there here?
IP Accounting?
ACLs with logging?

• Why do we care?
A network design engineer must know when to specify and use the various management tools available
A network design engineer must know what sorts of information to expect from each tool when looking at a design or problem

Management Tools
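Answering the question above with NetFlow is a matter of summing per-flow byte counts by source for flows whose destination lies outside the internal address space. The Python below is an added example, not from the slides or from Cisco; the flow records are constructed (a decoded NetFlow v5-style export with the v5 field names srcaddr, dstaddr, dPkts and dOctets), the internal prefixes are the RFC 1918 ranges, and parse_flows, top_external_senders and bytes_by_direction are my names. Note that the largest single flow in the sample is internal-to-internal and is correctly excluded from the ranking.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed NetFlow v5-style export, already decoded to CSV.
FLOW_EXPORT = """\
srcaddr,dstaddr,srcport,dstport,prot,dPkts,dOctets
10.10.5.20,198.51.100.7,443,51234,6,120,150000
10.10.5.21,203.0.113.9,22,40001,6,30,4000
10.10.5.20,10.10.9.3,445,50111,6,800,1200000
10.10.5.22,198.51.100.7,80,33333,6,600,900000
10.10.5.21,198.51.100.8,443,41000,6,200,300000
10.10.5.22,203.0.113.50,443,45000,6,90,95000
"""

INTERNAL = [ipaddress.ip_network(p)
            for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flows(text):
    """Turn the CSV export into typed flow dicts."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({"src": ipaddress.ip_address(row["srcaddr"]),
                      "dst": ipaddress.ip_address(row["dstaddr"]),
                      "packets": int(row["dPkts"]),
                      "bytes": int(row["dOctets"])})
    return flows


def is_internal(addr, prefixes=INTERNAL):
    return any(addr in p for p in prefixes)


def top_external_senders(flows, n=3, prefixes=INTERNAL):
    """Internal sources ranked by bytes sent to external destinations."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"], prefixes) and not is_internal(f["dst"], prefixes):
            totals[str(f["src"])] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def bytes_by_direction(flows, prefixes=INTERNAL):
    """How much of the export the ranking above actually looked at."""
    counts = {"internal": 0, "external": 0}
    for f in flows:
        key = "internal" if is_internal(f["dst"], prefixes) else "external"
        counts[key] += f["bytes"]
    return counts


if __name__ == "__main__":
    flows = parse_flows(FLOW_EXPORT)
    print(top_external_senders(flows))
    print(bytes_by_direction(flows))
```

The same aggregation, keyed by destination instead of source or restricted to a port, is the first query a design or operations engineer would run against real flow data when asked where a link's capacity is going.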


Network Management

• In-band versus Out-of-Band Management

• SNMP Concepts and Operation

• Auditable Factors in Network Management

• Traffic Management Concepts

• Change Management Concepts


Security

• What would the result of configuring two synchronized servers with the same IP address, as shown, be?

A could split inbound sessions with B, causing difficult to troubleshoot problems

A could overlap transactions with B, violating various regulations

A could provide access to the service while B is under a DoS attack

Availability


Security

• A could provide access to the service while B is under a DoS attack

We don’t know enough about the configurations of these servers or their services to determine if the other options are correct

But, we do know anycast is a common technique to provide resiliency during DoS attacks

• Why do we care?
A design engineer must be able to plan in mitigations against various attacks

Availability


Security

• What attacks would configuring unicast RPF at A and B prevent?

False routing protocol adjacencies from B, C, D, and E

DoS attacks against A and B from B, C, D, and E

Attacks from spoofed sources originating from B, C, D, and E

Layer 2 based attacks against A and B sourced from B, C, D and E

Control Plane Protection


Security

• Attacks from spoofed sources originating from B, C, D, and E

uRPF would prevent spoofed packets from entering the network

uRPF does not manage routing adjacencies

uRPF does not block DoS attacks
uRPF does not operate at layer 2

• Why do we care?
A design engineer must be able to plan in mitigations against various attacks

Control Plane Protection
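Unicast RPF does what the answer above says because it is a lookup on the packet's source address rather than its destination: in strict mode the best route to the source must point back out the interface the packet arrived on, in loose mode any route will do. The Python model below is an added example, not from the slides or from Cisco; the FIB and the sample packets are constructed, and urpf_check and evaluate are my names. The handling of the default route follows the allow-default option of Cisco's uRPF implementation (ignored for the check unless explicitly allowed). The last sample packet shows the caveat a designer must plan for: strict mode drops legitimate traffic on asymmetric paths, which is why loose mode exists.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


def _net(s):
    return ipaddress.ip_network(s)


# Constructed FIB of router A: two downstream interfaces and an upstream.
FIB = [
    Route(_net("10.1.0.0/16"), "Gi0/1"),   # sites behind B
    Route(_net("10.2.0.0/16"), "Gi0/2"),   # sites behind C
    Route(_net("0.0.0.0/0"),   "Gi0/0"),   # upstream default
]


def lpm(fib, addr):
    addr = ipaddress.ip_address(addr)
    hits = [r for r in fib if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_check(fib, ingress, src, mode="strict", allow_default=False):
    """Reverse-path check on a packet's SOURCE address.
    strict: the best route to src must point back out the ingress interface.
    loose:  any route to src is enough.
    The default route is ignored unless allow_default is set."""
    route = lpm(fib, src)
    if route is None:
        return False
    if route.prefix.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return route.interface == ingress


# Constructed packets: (ingress interface, source, destination, note)
PACKETS = [
    ("Gi0/1", "10.1.5.5",     "10.2.1.1", "legitimate, source lives behind Gi0/1"),
    ("Gi0/2", "10.1.5.5",     "10.2.1.1", "spoofed: claims a source that lives behind Gi0/1"),
    ("Gi0/2", "192.0.2.77",   "10.1.1.1", "spoofed: only the default route covers it"),
    ("Gi0/0", "198.51.100.9", "10.1.1.1", "Internet source arriving from upstream"),
    ("Gi0/1", "10.2.3.4",     "10.1.1.1", "real host behind C, but the path is asymmetric"),
]


def evaluate(packets=PACKETS, fib=FIB):
    """Per packet: what strict and loose uRPF would do (permit/drop)."""
    def verdict(ok):
        return "permit" if ok else "drop"
    return [
        {"note": note, "src": src, "ingress": ingress,
         "strict": verdict(urpf_check(fib, ingress, src, "strict")),
         "loose": verdict(urpf_check(fib, ingress, src, "loose")),
         "strict_allow_default": verdict(urpf_check(fib, ingress, src, "strict", True))}
        for ingress, src, _dst, note in packets
    ]


if __name__ == "__main__":
    for row in evaluate():
        print(f'{row["ingress"]:6} {row["src"]:14} strict={row["strict"]:6} '
              f'loose={row["loose"]:6} strict+default={row["strict_allow_default"]:6} {row["note"]}')
```

Nothing in the check looks at volume, destination or layer 2, which is exactly why the slide says uRPF stops spoofed sources but not DoS floods from real addresses, adjacency problems or layer 2 attacks.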


Security

• Identity and Trust
Router access mechanisms
802.1x and other identity mechanisms

• Data Plane Protection
Infrastructure protection

• Incident Planning and Preparation


The Written Exam

• Layer 3 Focused
While we’ve seen questions which are not layer 3, they relate to some interaction with layer 3
Application reliance on layer 3
Layer 2 impact on layer 3

• No Configurations
• No Bit Level Questions
Some detail, but not to the depth of bits, etc

• Broad Array of Technical Areas
Layer 3 Design, Routing, Tunneling, QoS, Management, and Security


The Practical Exam


The Practical Exam

• An Overview

• High Level Skills

Analysis

Design

Implementation

Justification

(Abstraction)

• The Practical Format

• A Short Practical Example


An Overview

• The Purpose of the Practical

Test application of knowledge to real problems

Integrate smaller bits of knowledge into a useful whole

Integrate business problems into technical design

• The Structure of the Practical

Computer based; no lab environment

No configuration of real devices

Scenario based

Tightly scripted


An Overview

• What about multiple good solutions?

Aren’t there bound to be a bunch of good solutions for any given problem?

• Two Solutions

The scenarios are tightly scripted

Business and technical requirements strongly bound the solution set

In some places, there are multiple right answers

When the requirements leave multiple solutions open, provisions are made to account for all right solutions

Some right solutions might be worth more points than other right solutions, however


Analysis

• Determine Network Expectations

Examine and understand business goals

Examine and understand application requirements

Examine and understand the implications of network failures

• Gather and Validate Information

Determine missing information

Determine additional required tests


Design

• Focus on Technology

Understand technical/functional tradeoffs between solutions

• Reduce or Eliminate the Impact on Existing Services

• Focus on Scalability

• Common Cases versus the Worst Case

Determine what is likely, and plan for that, rather than for the worst case

• Focus on Elegance and Supportability

Know what’s necessary and what’s unnecessary

Consider operational expenses (OPEX)

• Minimize Impact of Network Failures


Implementation

• Develop an Implementation Plan

Consider interactions between the phases of implementation

Minimize impact on services during implementation

• Develop a Contingency Plan


Justification

• Justify Technologies Chosen

• Justify Changes in the Design

Based on functional requirements

Based on technical requirements

• Consider Alternate Options

Justify moving or not moving to an alternate


Abstraction

• Underlies Many of the Concepts

Analysis, Scalability, Elegance, Supportability, Resiliency, etc.

• Deploy a New Data Center

The Data Center as a Network

Capacity, Addressing, etc.

The Data Center as an Object

Placement, Capacity, etc.


The Practical Format

• You Begin with a Set of Documents

Background documents

Network diagrams

Email threads

• You then get a Set of Questions

Network diagram drag and drop/modify attributes

Multiple choice

Ordering a list

Match two lists


The Practical Format

• As You Complete Questions You Gain Access to More Information

Decisions made in the design process

New information about the network

Changes in the network state


A Short Practical Example

• We need to install a new credit card processing application between Host A and Host K


A Short Practical Example

• What do we need to know to solve this problem?

What other applications are A and K running?

For simplicity, none

What QoS expectations does this new application have?

Session resets in outage of longer than 1 second

What are the security requirements for this new application?

Must be confidential through the public parts of the network

Why is there a firewall between Router F and Router B?

To protect K from attacks


A Short Practical Example

• Encrypt from A to B?

This doesn’t solve confidentiality in the public part of the network

Doesn’t meet business requirements

Encryption


A Short Practical Example

• Secure Tunnel from A to K?

This bypasses the firewall, allowing A to attack K

Doesn’t meet business requirements

Encrypted Tunnel


A Short Practical Example

• Secure Tunnel from A to G?

Provides confidentiality through the public parts of the network

Does not bypass the firewall

Appears to meet the requirements....

Encrypted Tunnel


A Short Practical Example

• What sort of tunnel should we use?

MPLS?

GRE?

IPsec AH?

IPsec ESP?

L2TPv3?

• Which one meets the business requirements?

Encrypted Tunnel
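The three tunnel-placement slides and the tunnel-type question above reduce to two checks: the tunnel must cover every public link and actually encrypt, and it must not hide the traffic from the firewall that protects K. The following Python is an added example, not from the presentation, that makes those checks explicit. The slide's diagram is not reproduced; the path, the public segment and the firewall position below are constructed for the exercise (host A reaches host K through routers R1, R2 and R3, with the public segment between R1 and R2 and the firewall FW in front of K), and `evaluate` and `acceptable_designs` are names chosen here. It goes one step beyond the slides by enumerating every endpoint-and-type combination rather than testing the three candidates one at a time.

```python
"""Constructed design check for the tunnel question: where must an encrypted
tunnel start and end, and which tunnel type actually gives confidentiality?

Added example, not from the presentation.  The path, public links and firewall
placement are invented for the exercise, not taken from the slide's diagram.
"""

# Constructed forwarding path from A to K, in order.
PATH = ["A", "R1", "R2", "FW", "R3", "K"]
# Links (ordered pairs of adjacent nodes) that run over the public network.
PUBLIC_LINKS = {("R1", "R2")}
FIREWALL = "FW"

# Whether each candidate tunnel type encrypts the payload.  GRE, L2TPv3 and
# MPLS only encapsulate; IPsec AH authenticates but carries the payload in clear.
ENCRYPTS = {
    "MPLS": False,
    "GRE": False,
    "IPsec AH": False,
    "IPsec ESP": True,
    "L2TPv3": False,
}


def links_spanned(path, src, dst):
    """Set of adjacent-node links that lie inside a tunnel between src and dst."""
    i, j = sorted((path.index(src), path.index(dst)))
    return {(path[k], path[k + 1]) for k in range(i, j)}


def evaluate(tunnel_type, src, dst, path=PATH, public_links=PUBLIC_LINKS, firewall=FIREWALL):
    """Check one (type, endpoints) candidate against the two business requirements."""
    spanned = links_spanned(path, src, dst)
    i, j = sorted((path.index(src), path.index(dst)))
    inside = path[i + 1:j]            # nodes strictly between the tunnel endpoints
    result = {
        "encrypts": ENCRYPTS[tunnel_type],
        # confidentiality: every public link must be carried inside the tunnel
        "covers_public": public_links <= spanned,
        # the firewall can only inspect traffic it sees decrypted, i.e. when it
        # is an endpoint or outside the tunnel, not a transit node inside it
        "firewall_inspects": firewall not in inside,
    }
    result["meets_requirements"] = all(
        (result["encrypts"], result["covers_public"], result["firewall_inspects"])
    )
    return result


def acceptable_designs(path=PATH, public_links=PUBLIC_LINKS, firewall=FIREWALL):
    """Every (type, far endpoint) tunnel starting at A that meets both requirements."""
    found = set()
    for tunnel_type in ENCRYPTS:
        for dst in path[1:]:
            if evaluate(tunnel_type, "A", dst, path, public_links, firewall)["meets_requirements"]:
                found.add((tunnel_type, dst))
    return found


if __name__ == "__main__":
    for t, dst in [("IPsec ESP", "R1"), ("IPsec ESP", "K"), ("GRE", "R2"), ("IPsec ESP", "R2")]:
        print(f"{t:9} A->{dst}: {evaluate(t, 'A', dst)}")
    print("acceptable:", sorted(acceptable_designs()))
```

On this constructed path the enumeration returns two acceptable designs, ESP terminating on R2 and ESP terminating on the firewall itself, which is a small instance of the "multiple right answers" point from the overview: both satisfy the stated requirements, and which scores higher depends on factors the model leaves out, such as who operates the firewall and whether it is expected to terminate crypto. The four non-encrypting types fail regardless of endpoints, so "secure tunnel" in the business requirement has to be read as ESP, not as GRE or AH.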


A Short Practical Example

• How do we handle the convergence requirement?

Less than 1 second of failure time

What are our considerations here?


A Short Practical Example

• What problems might we have with these two switches?

How does B find out if E fails?

How long does this detection take?

How long does convergence take once the failure is detected?
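The two switches matter because they keep B's own interface up when E fails, so B cannot rely on carrier loss and must wait for a hello-based or BFD-based mechanism to notice. The following Python is an added example, not from the presentation, that turns the three questions above into a failure-time budget and checks it against the application's 1-second reset. All timer and convergence values are assumptions chosen to illustrate the budget (OSPF's 10 s hello and 40 s dead interval are the protocol defaults on broadcast links; the fast-hello and BFD intervals and the SPF and FIB costs are constructed), and `Detector`, `failure_budget_ms` and `evaluate_all` are names chosen here.

```python
"""Constructed failure-time budget for the B--E link that runs through two switches.

Added example, not from the presentation.  Timer values are assumptions chosen to
illustrate the budget; real values depend on platform and configuration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Detector:
    name: str
    interval_ms: int             # hello or BFD transmit interval
    multiplier: int              # missed intervals before the neighbour is declared down
    needs_carrier: bool = False  # True only for "my interface went down" detection


def worst_case_detection_ms(det: Detector, direct_link: bool) -> Optional[int]:
    """Milliseconds until B learns E is gone, worst case.

    Carrier loss is effectively instant but only fires when B's own interface
    drops; with two switches in between, B's link to its switch stays up when E
    fails, so that mechanism never triggers (None).  Hello-based detection waits
    the full dead interval if E fails right after a hello was received.
    """
    if det.needs_carrier:
        return 0 if direct_link else None
    return det.interval_ms * det.multiplier


def failure_budget_ms(det, direct_link, spf_delay_ms, spf_run_ms, fib_update_ms):
    """Total outage seen by the application: detection plus routing convergence."""
    detect = worst_case_detection_ms(det, direct_link)
    if detect is None:
        return None
    return detect + spf_delay_ms + spf_run_ms + fib_update_ms


def meets_requirement(total_ms, limit_ms=1000):
    """The application resets its session after 1 s, so the budget must stay under it."""
    return total_ms is not None and total_ms < limit_ms


# Assumed convergence costs once the failure is known (constructed values).
CONVERGENCE = dict(spf_delay_ms=50, spf_run_ms=100, fib_update_ms=50)

# Candidate detection mechanisms with assumed timers.
CANDIDATES = [
    Detector("carrier loss", 0, 0, needs_carrier=True),
    Detector("OSPF default hellos", 10_000, 4),   # 10 s hello, 40 s dead (protocol default)
    Detector("OSPF fast hellos", 250, 4),         # assumed 1 s dead interval
    Detector("BFD", 50, 3),                       # assumed 50 ms x 3 = 150 ms detection
]


def evaluate_all(direct_link=False):
    """Map each mechanism to (total_ms, meets_requirement) for the B--E link."""
    out = {}
    for det in CANDIDATES:
        total = failure_budget_ms(det, direct_link, **CONVERGENCE)
        out[det.name] = (total, meets_requirement(total))
    return out


if __name__ == "__main__":
    for name, (total, ok) in evaluate_all(direct_link=False).items():
        print(f"{name:20} total={total} ms  meets<1s={ok}")
```

With the switches in the path, only BFD keeps the total under the 1-second reset: default hellos miss by a factor of forty, and even a 1-second dead interval overshoots once convergence time is added on top. Removing the switches (`direct_link=True`) lets carrier loss carry the budget instead, which is the trade-off the question is steering toward: either change the topology or add a fast detection mechanism, because the routing protocol's convergence time alone is not the number that matters.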


A Short Practical Example

• You need to think through each aspect of the problem

• Consider how the pieces will interact

• Consider how to solve each specific problem presented


Q and A


Recommended Reading

Available Onsite at the Cisco Company Store

Continue your learning experience with further reading from Cisco Press

Optimal Routing Design, ISBN 1-58705-187-7


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.

Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
