powmia's CCDE marathon

powmia

deth1k: True. In the real world, those are reasons enough to stay away from using the PE routers. If you were to read mine like a lab question, however, no constraints were specified.

The answer is that the GMs would be the CE. As with the majority of the solutions on the CCDE, though, the answer comes from fundamental operation of the technology in question.

GETVPN is not an overlay technology (no tunnels). The GM uses the key server to know which key to use for which destinations (dynamic crypto-maps). Seeing as IPSec on a router simply decrypts on input and encrypts on output of an interface, the destinations would have to be in the global VRF, which they are not in the case of an L3VPN. The GMs would have to be the CE, and a key server would need to exist somewhere in each customer VPN. From a provider perspective, this means managed CE routers, which may be a significant design impact.

GETVPN would typically be deployed by a customer when utilizing a service provider's L3VPN service. I used the CsC model here to make it interesting. What if my question wasn't for a requirement that customer traffic be encrypted, but that customer traffic be encrypted when transiting the CsC network? Does this change anything?

Again, fundamentals.... GETVPN is IPSec. If you are sending label switched packets to an upstream provider (CsC), what's the ethertype on those? Not IP.

The workaround for this is another big design impact. Changing the CsC service to standard transit and running overlays would be one option (MPLSoGRE/IPSec), and if you only had a couple of geographic networks that were interconnected via the CsC originally, this would be the most feasible. The other would be a possibility if you had many regions interconnected via the CsC originally. This would be to change the CsC service to an Inter-AS solution with back-to-back VRFs on each side of the upstream carrier. In those VRFs, you could run VRF-Lite on one of your attachment circuits and drop a key server there. This would limit the customer carrier to providing L3VPN service, as it would break end-to-end LSPs needed for L2VPNs.

flashdumper

Ye guys, putting GM on PE was a stupid thought... It was a quick **** answer.

GETVPN uses IP header preservation, so we'll get our original packet with MPLS and several tags prepended going through SP cloud...

What I'm saying is that there's no need to go with IPSECoMPLSoGRE as long as we're sending these packets throughout MPLS enabled network.
Over the internet we must use some soft of Masking/encapsulation with GRE, and use MPLS over it if there's traffic separation requirements.

Essendon

What the heck happened to these 2 dudes?!

fredrikjj

If he's the guy I think he is, powmia has passed the CCDE.

Essendon

Well I certainly hope he has! A significant number of people have passed the CCDE in 2013, looks like it's gaining some traction, finally.

SecurityThroughObscurity

The second guy has passed, too.

Essendon

Good to know! I hope they post their experience sometime here.

powmia

Yep, dropped off the map for a bit there. I did pass back in November. I have been busy Scrooge McDucking in all of my money and drinking champagne ever since... I wish. The reality is that after an accomplishment as such, I have been doing what is logical... learning more. I still feel like I have a long way to go. It never ends. The difference is that now I am content with my certifications. I am focusing on a mix of what is relevant to my immediate work and what is just plain interesting to dive into, staying away from curriculum and learning tracks.

flashdumper passed too, our numbers are pretty close to each other.

Regarding the CCDE itself, it is worth it. The exam leaves out many things that a network designer typically has to deal with, such as virtualization, data center scaling and DCI, voice, video, etc. It hits those topics, but purely from a network perspective. The exam is about routing and switching design, and critical thinking. If you're an R&S or SP guy, I recommend going for this one.

ande0255

Congrats on the pass, and thanks for the info! You have quite the list of certifications, I bet it is a huuuge breath of fresh air to not be studying on a set track

Essendon

I bow to thee..

jamesp1983

Congrats on the pass!

powmia

Thank you thank you

FloOz

Congrats man!

gorebrush

Congratulations on the pass. I am considering taking this exam as well as CCIE or two - so will read back through this thread for some pointers.

Well done, again.