Orhan Ergun 39 Comments

I receive lots of questions on network design from my students, readers, customers and followers.

I try to answer as quickly as possible and in detail.

Thanks to all of them! I receive a lot of kind emails and messages from them, which also motivates me to put effort into this blog.

But for several reasons, I have created this category:

  • Those questions and answers can be beneficial to many other people if I post them here.
  • It is no longer possible to reply to every email individually, at least in a timely manner.
  • When I share a post on social media, I receive a lot of feedback and have good conversations there. Please share them here as well 🙂

So please ask your questions, give your suggestions for the questions, share your opinion about the blog and recommend new blog categories.

So do you like this blog? Share in the comment box below if you liked it.

  • Haroon

    Nice idea.
    So, first question: will the global table be either on the IGW or on the RR for Internet routes, for injecting or route leaking to the CE VRF?

    • @Haroon, I believe you are asking about Internet for the customer. In that case, the first question should be whether you have Internet and VPN on the same route reflector. If both services are on the same route reflector, then the RR will have an IPv4 BGP table. Yes, the BGP table will not be in the VRF, but it can be as well. The global routing table of routers is different from the BGP table of routers.
      After BGP best path selection, only the best route is installed into the routing table by BGP by default.
      If you are giving Internet to the customer within a VRF on the PE, the service provider might have many customers with the same requirements, and then CPU and memory will be a problem.
      If you provide Internet over the global BGP table on that PE to multiple VPN customers, you won't have the CPU and memory issue that you would with Internet in the VRF.

  • Hello Orhan,
    Here is a question:

    How much time on average did you and your students study for the Written and the Lab exam?

    I understand it varies a lot due to different levels of experience, but it's always good to be able to get a rough time estimate. For example, how much time would a CCIE in R&S need to put in for a CCDE?

    Best regards,
    Claes Leufven

    • Hi Claes,

      As you said, it depends, but for me it was not long. After I decided on the CCDE and started to prepare for the exam, I took my first exam after 13 months.

      I know exactly when I decided because it was evening and we were talking with Russ on some topic (specifically, I was trying to understand his opinion) and I asked him whether I should continue for the CCIE DC or the CCDE.
      After a short discussion I decided to study for the CCDE.

      And I failed. It was normal, but it was not because I was not ready; I over-engineered, which I advise my students not to do.

      CCDE is an L3 exam, as you might know, and if you are good at Enterprise and Service Provider technologies and if you know why you do the things you do, most likely you are ready.

      As an example, I ask people why they want to get an MPLS L3 VPN service from a service provider; generally silence, or maybe "It is cheap" or similar answers.

      You need to know why you want to get it, then how you enable PE-CE routing protocols and so on.

      So you need to understand the business aspects of technologies, as in the case of this example.

      I was ready mostly from the technical point of view, and I think most people, when they come to my class, I see they are ready too, but the business aspects of the technologies, technology comparison and migration strategies were what I needed to learn.

      So even if you are CCIE RS and SP, it will take time because of the above reasons.


      • Hello Orhan,

        Thanks for a good answer! One follow-up question:

        Do you know how many hours you spent on studying for the Written exam?

        Best regards,

        • I didn't study specifically for the Written. There is an article on the site about Written preparation resources which I prepared with 2 more CCDEs for the candidates.
          If you check it, you will see that there is not much difference between the written and the practical from the technology point of view.

          But I can say that I spend (or try to, after my baby boy was born) 4-5 hours learning and a couple of hours writing, still, every day. Before the CCDE it was not different. I like to learn 🙂

          • Hello Orhan,

            Great! I will check it out.

            Same here! Live to learn! :)


  • Roy Lexmond

    Hi Orhan,

    I have a question about VPLS.

    I buy a VPLS service and I run a routing protocol over it; can I do load balancing towards my redundant DC core?

    Spoke –> DC-core-1
    Spoke –> DC-core-2

    I would say yes: with two separate peerings with a routing protocol you can use both paths if they have equal cost etc.

    I also read a lot of times about a weakness of VPLS:

    – Does not support multi-path for a site (redundant active/active connections), because MAC learning is on the data plane.

    Does the above statement only apply in the VPLS core, or when you're not using a dynamic routing overlay?

  • Hi experts!

    I am dealing with a pair of Nexus 7Ks, and I would like to interconnect some aggregation VDCs. The customer requirement is STP isolation, so I discarded the vPC solution and SVI with 4 members; also I believe there could be some sort of misbehaviour regarding L3 hash flows and L2 port-channel in vPC.

    Questions:

    1. Do you recommend a new Core VDC to route packets between aggregation VDCs? This solution is expensive; I would need more SFPs.

    2. I suggested L3 routed ports with ECMP (direct and cross link) for triangles (yes, I read squares vs triangles topology, thanks Orhan 🙂 ). The Nexus 7K has a vPC peer link, so I suggest an L3 SVI for routing adjacencies.

    Do you recommend creating an OSPF process in an area?

    3. Do you suggest connecting the VDCs directly, or is a firewall or L3 device needed in the middle?


    • Are both 7Ks located in the same datacenter?

      • NAJIB

        Yes, it does

        • So you have one N7K on each side.

          Since you said the customer wants STP isolation, you should be extending a layer 2 domain between DCs. Within the subnet, traffic will be bridged between the datacenters.

          You are asking now how inter-DC traffic across subnets should be handled while STP is also isolated.

          Are all my assumptions correct?

          • Najib

            Thanks for your outputs. The topology is simple: 2 aggregation VDCs are in the same DC (the VLANs are different) and the customer is not planning to "extend VLANs" (L2 domain) through both VDCs; they want to run separate STP instances.

            But the business requirement is to interconnect both VDCs at the routing level; some SVIs need to have L3 reachability across VDCs, and currently there is no visibility between them.

          • Najib

            Normally the VDCs (Virtual Device Contexts) have no communication; with most customers I have, they run separate control/data planes, but they want to "interconnect them" 🙂

            Thanks indeed

          • If you need to do routing between them: routing was not supported before, now it is (the vPC peer link is an L2 link on which you carry control and data traffic), but still my recommendation is to run an L3 link between them and do the routing that way.

            Am I missing something regarding your recommendations, or is that it?

          • Najib

            To build your own services on top of VPLS, separating infrastructure and customer routes between IGPs; I am not clear what he means regarding BGP L3VPN among both DCs.

          • james

            I mean VRF..

          • Najib

            Ok, if for some reason you won't share the IGP domain, iBGP with VRF-lite for segmentation is ok, but I don't think you need a VPN label, since iBGP is working on top of LAN emulation; devices share a single subnet per VRF, so full mesh iBGP with RD should be ok, even with eBGP, but for scalability devices should support a route server. Why wouldn't you export route targets? I hope I understand the question well.

          • Ben Haddou

            Do you recommend creating an OSPF process in an area, or static routing for ECMP?

          • You should use a dynamic routing protocol, and ECMP is good in the DC in general. If you are a control freak, don't use a routing protocol 🙂 Joking; if you have two choices, continue with OSPF, otherwise it is not good practice normally in the DC.

          • Najib

            LOL, thanks! There are some blogs out there scaring people off using dynamic routing protocols in vPC topologies (OSPF adjacencies across the vPC peer link). I am using an L3 SVI for routing over the peer link to be safe 🙂

          • I didn't say use OSPF over the vPC peer-link, btw. I said use point to point, although Cisco is considering or has already started L3 over the peer-link; read my earlier comment please.

          • Najib

            Yeah! I got it, it is clear: you meant L3 routed ports.

            I am just wondering, if there is some sort of orphan port down the N7K (I am not sure, I do not have full visibility into the access layer), an additional link in the peer link could be needed. I am considering adding a new SVI /31 and some OSPF ("backup link"), then adding this SVI in the L2 Po (vPC peer link).

            Maybe it's over-config.

            Thanks a lot!

    • Roy Lexmond

      Hi Najib,

      I made a datacenter core design with a core VDC; this works perfectly with OSPF p2p. The core VDC(s) is interconnected with other core VDC(s) and works like a charm :). But this will indeed cost a lot of SFPs

      aggr-vdc core vdc
      aggr-vdc core vdc
      aggr-vdc core vdc

      Where exactly would you need an orphan port?

      Roy Lexmond

      • Roy Lexmond

        Hmmm, that topology did not show up as expected.

        I wanted to describe the following topology:

        Aggr-vdc and core-vdc per DC run in OSPF area 0; the different core-vdc(s) per DC are interconnected with eBGP. This way you will always have the same small IGP config in each DC, separated with eBGP.


  • james

    Hi all,
    I have to build up a new DCI interconnection where basically we'll run MPLS around the two DCs; we need to extend layer 2 for some servers (mandatory) and run OSPF totally stubby here, and up to here it's clear to me.

    Now my question is: what about all the other routed nets among the two DCs?

    Which is the best design:

    1) run area 0 OSPF with an additional VPLS
    2) use BGP L3 VPN among the two DCs

    In the second case I need to be sure no constraint is hit in the OSPF to BGP redistribution...
    But from the DC perspective I have a doubt about running BGP inside the DC, never seen before...

    I attach an explanatory pic depicting the two options....

    What is your opinion?

    Here the schema:


    area 0                                      area 0
      |                                           |
      PE ------------------------------------- PE
      |                                           |
    area 10 tot stub                     area 10 tot stub


      |                                           |
      PE ------------------------------------- PE
      |                                           |
    VPLS area 10                           VPLS area 10
      tot stub                               tot stub


    • James,

      As I understand it, you extend your L2 between the datacenters and want to run OSPF over VPLS.

      And you are asking what you should do on the northbound interfaces of those devices.

      If you want to run a routing protocol over it, it is okay, but you don't need to. Since you extend your L2 between the datacenters, now your first hop redundancy protocol will be active only in one datacenter if you don't filter the FHRP packets.

      So your exit from the DC will be only from the particular DC where your FHRP active is located.

      If you filter the FHRP messages and if you have stateful devices on the southbound interface of these devices, you have a problem if the traffic enters one datacenter and then goes to the other datacenter.

      You should either do source NAT to take the traffic back, or carry the state entries between the DCs, or don't consider live migration.

      If you will run OSPF over VPLS and want to put the southbound in a totally stubby area, it is okay (you could do NSSA, but then you can't send an external into an NSSA if you need it in the future, for optimal traffic for example).

      Then don't introduce BGP unless you need traffic engineering (local-pref, MED, AS-path; if you use iBGP you use MED, if you use eBGP use AS-path), so avoid the unnecessary complexity (SUCK principle).

      If you use OSPF on the northbound as well, you can have IP traffic engineering at least in area 0 and you don't lose your metric (if you would redistribute OSPF into BGP and vice versa, you would lose the metric).


    • Roy Lexmond

      Hi James,

      Sounds like fun, what you're doing, but I have some questions to better understand it.

      – What exactly is the reason why you need to have layer 2 reachability? (VM mobility, disaster recovery, LAN extension etc.)
      – You're also talking about routing over the L2VPN service; why do you want it to be a stub network? It can only route within the assigned isolated network VLAN.
      – Is your MPLS cloud stretched over the datacenters? If not, you need to either connect them or use an Inter-AS option.

      1) If so, you can deploy two pseudowires over your MPLS cloud (AToM). This is very simple but only point-to-point, so adding another DC will be more complex; routing is easier and both paths will be active. (Ideal for voice, video and real-time data)

      2) If you want to keep the multipoint possibility, VPLS will be your choice; you're limited to Ethernet only, and if a pseudowire fails you will need to converge the standby PW to active PW, so this will affect your convergence. (Ideal for LAN-to-LAN bulk data)

      You need to know with VPLS how your traffic pattern looks because of spanning-tree.
      – If you want to do flow load balancing, it is not doable with spanning-tree; one link has to be blocked.
      – If you want to do VLAN load balancing, it is possible with spanning-tree.

      Your other questions:
      1) run area 0 OSPF with an additional VPLS
      – If you use either option 1 or 2 I described above, you can route OSPF area 0 over it, dedicated for the assigned VPLS instance or 2 dedicated pseudowires.
      2) use BGP L3 VPN among the two DCs
      – This one is not 100% clear to me; do you mean whether you should use BGP as your main PE-CE protocol?

      Roy Lexmond

      • What would be the reason for OSPF over VPLS? There is one obvious reason and actually there is one logical reason 🙂

      • james

        Hi Roy,
        Following my feedback:

        – L2 reachability is desired for an active/active principle; basically some servers/services will run on the primary or secondary DC based on their performance/workload
        – Routing is desired totally stubby since the server which runs OSPF only supports a few networks in the DB, and we saw in the past it crash with a normal area (hence it's mandatory from a service point of view)
        – MPLS is stretched, yes; we manage MPLS and we'll configure VPLS multihomed to prevent STP loops
        – We've two MPLS PEs in the main DC and two PEs in the secondary DC; for load balancing purposes we'll keep odd VLANs active on two PEs and even on the other two PEs. Obviously, in case one PE is broken, the other two take over all the VLANs

        My question is related to the routing of all the other nets (besides the ones requiring OSPF totally stubby as I mentioned): is it better to use OSPF area 0 or BGP (through MPLS import/export)?

        Hope I've clarified 🙂


        • Roy Lexmond

          Hi James,

          Thanks for the extra information; I am creating a drawing of your design.

          To get a better understanding; I will come back on it 🙂


          • james

            Hi Roy, please provide me your email; I'll send the picture offline if you wish... Cheers

  • Najib

    Hi James,

    I didn't see your last post 🙂

    I like OSPF because it converges quickly and can build the FIB quickly with few prefixes, with just 1 concern: with this design, how do you select between two paths going to the same site in VPLS, due to the way the cost is calculated via the outbound interface?


    • james

      Hi Najib,
      with VPLS multihoming, locally only one of the two PEs is active for the same site; the other remains silent...

      Hope I understood your question 🙂


  • Hello my dear, first thanks for every help that you have given to the world, and in fact I have two questions.

    First, suppose we are to transmit a 128 Kb file as a sequence of 1 Kb frames on a noisy link on which we can select the transmission speed. Any frame containing errors must be retransmitted. What is the minimum time needed to transmit the file?

    Secondly, suppose a shared medium M offers to hosts A1, A2, ..., An in round-robin manner an opportunity to transmit one packet; hosts that have nothing to send immediately relinquish M.

    (a) How does this differ from STDM? Would it increase the effective use of the shared medium? Justify your answer.

    (b) Would this scheme require a substantially different implementation than STDM?

    • It seems it needs a good mathematician 🙂 I don't know, but I hope someone among the readers can help you.
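The round-robin scheme in the second question can be compared with STDM by simulation. The following Python block is an added example, not code from the original thread or any of its participants: it models STDM as one fixed slot per host per frame (an idle host still burns its slot) and the question's scheme as an offer that an idle host hands back at once. The host queues are constructed sample data, and the polling overhead `POLL_COST` is an assumed parameter standing in for the relinquish signalling, not a figure from the thread.

```python
"""Round-robin polling with immediate relinquish vs STDM on a shared medium.

Added illustration for the STDM question above. The host queues used in
__main__ are constructed sample data, and POLL_COST is an assumed cost for
the "I have nothing, take M back" step, which STDM does not need. Time is
counted in tenths of a packet slot so every result is an exact integer.
"""

SLOT = 10       # time to transmit one packet (tenths of a slot)
POLL_COST = 1   # assumed time an idle host takes to relinquish M


def simulate_stdm(queues):
    """Synchronous TDM: each host owns one fixed slot in every frame.

    A host with nothing to send still consumes its slot, so that slot is
    wasted. Returns (total_time, packets_sent) once every queue is empty.
    """
    q = list(queues)
    n = len(q)
    sent = time = host = 0
    while any(q):
        time += SLOT            # the slot elapses whether or not it carries a packet
        if q[host] > 0:
            q[host] -= 1
            sent += 1
        host = (host + 1) % n
    return time, sent


def simulate_round_robin(queues):
    """Round-robin offer: M offers each host in turn one packet opportunity.

    A host with nothing to send relinquishes M immediately, so only the
    polling overhead is spent instead of a whole slot.
    Returns (total_time, packets_sent) once every queue is empty.
    """
    q = list(queues)
    n = len(q)
    sent = time = host = 0
    while any(q):
        if q[host] > 0:
            time += SLOT
            q[host] -= 1
            sent += 1
        else:
            time += POLL_COST   # idle host gives M back almost at once
        host = (host + 1) % n
    return time, sent


def utilization(queues, scheme):
    """Fraction of the elapsed time during which M actually carries packets."""
    time, sent = scheme(queues)
    return sent * SLOT / time


def compare(queues):
    """(stdm_time, rr_time, stdm_utilization, rr_utilization) for one traffic pattern."""
    stdm_time, _ = simulate_stdm(queues)
    rr_time, _ = simulate_round_robin(queues)
    return (stdm_time, rr_time,
            utilization(queues, simulate_stdm),
            utilization(queues, simulate_round_robin))


if __name__ == "__main__":
    # Constructed samples: one busy host among idle ones, and an evenly loaded medium.
    patterns = {"uneven load": [5, 0, 1, 0], "even load": [2, 2, 2, 2]}
    for name, pattern in patterns.items():
        stdm_t, rr_t, stdm_u, rr_u = compare(pattern)
        print(f"{name}: STDM {stdm_t / SLOT:.1f} slots ({stdm_u:.0%} used), "
              f"round-robin {rr_t / SLOT:.1f} slots ({rr_u:.0%} used)")
```

With the uneven pattern the busy host finishes in 7.1 slot-times under the offer scheme against 17 under STDM, because the idle hosts' slots are reclaimed; with the even pattern both schemes take 8 slot-times, so the gain appears only when load is uneven. The `POLL_COST` term is also where the two designs differ in implementation: STDM needs only a shared clock and a fixed schedule, while the offer scheme needs an explicit offer-and-relinquish exchange on the medium.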

  • Khalidology

    Salam Alaykum Engineer Orhan, many thanks to you (Habibi). I want to ask you, as we know you are a valuable CCDE Architect/Sr. Instructor. I am a college student! Well, I have no real-world experience.

    1) What is your advice: should I pay for training (real world)? Or continue my CCIE RS studies?
    2) What is the starting point towards the CCDE, from CCDA to CCDE? What books & video materials do you recommend to me?

    Many thanks to you

    Regards ,

    • Hi @Khalidology, yes, you can pay for the trainings. There are some good instructors and training companies. First you should choose your path for the future, IMO.

      For the CCDE, the path should be: understand the technologies, especially routing, switching, forwarding and simple design rules first. Then have more knowledge on those technologies and protocols, their interaction and comparison, their usages in the network, which one is best for the requirements of the business and so on. In my blog you will find 100 articles on network design. Join the forums, share your thoughts about the articles, be active in the communities!