powmia's CCDE marathon
Comments
-
powmia: deth1k: True. In the real world, those are reasons enough to stay away from using the PE routers. If you were to read mine like a lab question, however, no constraints were specified.
The answer is that the GMs would be the CE. As with the majority of the solutions on the CCDE, though, the answer comes from fundamental operation of the technology in question.
GETVPN is not an overlay technology (no tunnels). The GM uses the key server to know which key to use for which destinations (dynamic crypto-maps). Seeing as IPSec on a router simply decrypts on input and encrypts on output of an interface, the destinations would have to be in the global VRF, which they are not in the case of an L3VPN. The GMs would have to be the CE, and a key server would need to exist somewhere in each customer VPN. From a provider perspective, this means managed CE routers, which may be a significant design impact.
GETVPN would typically be deployed by a customer when utilizing a service provider's L3VPN service. I used the CsC model here to make it interesting. What if my question wasn't for a requirement that customer traffic be encrypted, but that customer traffic be encrypted when transiting the CsC network? Does this change anything?
Again, fundamentals... GETVPN is IPSec. If you are sending label switched packets to an upstream provider (CsC), what's the ethertype on those? Not IP.
The workaround for this is another big design impact. Changing the CsC service to standard transit and running overlays would be one option (MPLSoGRE/IPSec), and if you only had a couple of geographic networks that were interconnected via the CsC originally, this would be the most feasible. The other would be a possibility if you had many regions interconnected via the CsC originally. This would be to change the CsC service to an Inter-AS solution with back-to-back VRFs on each side of the upstream carrier. In those VRFs, you could run VRF-Lite on one of your attachment circuits and drop a key server there. This would limit the customer carrier to providing L3VPN service, as it would break end-to-end LSPs needed for L2VPNs. -
flashdumper: Yeah guys, putting GM on PE was a stupid thought... It was a quick **** answer.
GETVPN uses IP header preservation, so we'll get our original packet with MPLS and several tags prepended going through SP cloud...
What I'm saying is that there's no need to go with IPSECoMPLSoGRE as long as we're sending these packets throughout MPLS enabled network.
Over the internet we must use some sort of masking/encapsulation with GRE, and use MPLS over it if there are traffic separation requirements. -
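To make the ethertype point from powmia's post and the header-preservation point from flashdumper's concrete, here is an added Python model (example code, not from this thread or from any vendor implementation) of what a GM's egress interface can act on: it builds a plain IPv4 packet, a label-switched one, and an MPLSoGRE-wrapped one, applies a toy ESP tunnel mode with IP header preservation, and refuses the labeled frame. All addresses, labels, the SPI and the XOR "cipher" are constructed placeholders.

```python
import struct

ETHERTYPE_IPV4, ETHERTYPE_MPLS = 0x0800, 0x8847  # IEEE values; sample use only
IP_PROTO_GRE, IP_PROTO_ESP = 47, 50


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, 64, proto, 0, src, dst)


def getvpn_encrypt(ethertype: int, packet: bytes, spi: int) -> bytes:
    """Model a GM egress interface: ESP tunnel mode with IP header preservation.
    The outer header copies the original src/dst, so the L3VPN core keeps
    routing on the real addresses. Anything that is not IPv4 is refused, which
    is why a label-switched packet toward a CsC upstream is left untouched."""
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"IPsec only encrypts IP packets, got 0x{ethertype:04x}")
    src, dst = packet[12:16], packet[16:20]
    # ESP header (SPI, sequence) + 'ciphertext'; XOR stands in for the real cipher
    esp = struct.pack("!II", spi, 1) + bytes(b ^ 0x5A for b in packet)
    return ipv4_header(src, dst, IP_PROTO_ESP, len(esp)) + esp


def mpls_over_gre(labels, inner_ip: bytes, tun_src: bytes, tun_dst: bytes) -> bytes:
    """Wrap a label stack plus IP payload in GRE (protocol type 0x8847): the
    result is an ordinary IPv4 packet, so a GM can now encrypt it."""
    stack = b"".join(
        struct.pack("!I", (lbl << 12) | (0x100 if i == len(labels) - 1 else 0) | 64)
        for i, lbl in enumerate(labels))  # 0x100 = bottom-of-stack bit, 64 = TTL
    gre = struct.pack("!HH", 0, ETHERTYPE_MPLS) + stack + inner_ip
    return ipv4_header(tun_src, tun_dst, IP_PROTO_GRE, len(gre)) + gre


def demo():
    inner = ipv4_header(b"\x0a\x01\x01\x01", b"\x0a\x02\x02\x02", 17, 0)
    # 1) CE-originated IP packet: encrypted, original src/dst preserved outside
    enc = getvpn_encrypt(ETHERTYPE_IPV4, inner, 0x1234)
    # 2) Label-switched packet heading to the CsC carrier: not IP, GM cannot act
    try:
        getvpn_encrypt(ETHERTYPE_MPLS, b"\x00\x01\x01\x40" + inner, 0x1234)
        labeled_ok = True
    except ValueError:
        labeled_ok = False
    # 3) MPLSoGRE first, then GETVPN: the overlay workaround from the post
    gre_pkt = mpls_over_gre([16], inner, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
    enc_gre = getvpn_encrypt(ETHERTYPE_IPV4, gre_pkt, 0x1234)
    return enc, labeled_ok, gre_pkt, enc_gre
```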
Essendon: Well I certainly hope he has! A significant number of people have passed the CCDE in 2013, looks like it's gaining some traction, finally.
-
Essendon: Good to know! I hope they post their experience sometime here.
-
powmia: Yep, dropped off the map for a bit there. I did pass back in November. I have been busy Scrooge McDucking in all of my money and drinking champagne ever since... I wish. The reality is that after an accomplishment as such, I have been doing what is logical... learning more. I still feel like I have a long way to go. It never ends. The difference is that now I am content with my certifications. I am focusing on a mix of what is relevant to my immediate work and what is just plain interesting to dive into, staying away from curriculum and learning tracks.
flashdumper passed too, our numbers are pretty close to each other.
Regarding the CCDE itself, it is worth it. The exam leaves out many things that a network designer typically has to deal with, such as virtualization, data center scaling and DCI, voice, video, etc. It hits those topics, but purely from a network perspective. The exam is about routing and switching design, and critical thinking. If you're an R&S or SP guy, I recommend going for this one. -
ande0255: Congrats on the pass, and thanks for the info! You have quite the list of certifications, I bet it is a huuuge breath of fresh air to not be studying on a set track.
-
jamesp1983: Congrats on the pass!
"Check both the destination and return path when a route fails." "Switches create a network. Routers connect networks."
-
gorebrush: Congratulations on the pass. I am considering taking this exam as well as a CCIE or two, so I will read back through this thread for some pointers.
Well done, again.