Orhan Ergun 28 Comments

CCIE vs. CCDE is probably one of the most frequently asked questions among networking experts.

How many times have you asked yourself or discussed this topic with your friends? Many times, right?

I have CCIE Routing & Switching and/or Service Provider; should I continue with design certifications such as CCDE, or should I study for another expert-level certification, perhaps a virtualization certification?

To illustrate my answer, let me give you an example.

Consider that you are building a Greenfield network. (Usually, the same applies to Brownfield as well.)

First, you need to understand the business: how many locations it has, where they are located, where the HQ or HQs, data centers and POP locations are, and so on.

After that, you try to understand how the business serves its consumers.

It can be a retail, airport, stadium, or service provider network.

All these businesses have both similar and different requirements.

For example, a stadium architecture requires ticketing systems, access control systems, and game streaming, all of which are connected to the network. So, you need to understand the business requirements, how the business wants its revenue to appear, and how its systems interact with one another. Then, you provide the business with an architecture that supports its requirements.

You may need to enable QoS or Multicast for that application, as an example.

Architecture refers to the process of gathering, analyzing, and clarifying the business requirements.

Without Architecture, a Design Is Just a Guess

The designer needs to understand the business objectives and high-level functional specifications.

In the retail store example, store sales information may be synchronized with a central location such as the data center for the purpose of data analysis only, so the store's high availability requirements may not have much priority.

Now, let me give an example that shows why design is important and why it requires different strategies.

A business has 1000 sites connected to two data centers. (Technically, we call it Hub and Spoke.)

It plans to open 1000 additional sites within 2 years.

The business wants to operate its WAN network itself. Its data is highly classified, but the business carries only a small amount of data between remote sites and data centers.

The business can tolerate up to half an hour of downtime. Since the enterprise has many remote sites, it wants to reduce the cost of the devices in the remote offices.

Ideally, the enterprise wants to operate those sites with small resource requirements on its devices. And since there are many sites, it wants the most cost-effective WAN solution.

As you may have observed, I have not mentioned anything technical so far.

All these requirements can be received from the business leader, perhaps the CIO or CTO of the company.

Let me translate these business requirements into technical terms.

  • The company has many sites, and it needs a scalable design.
  • The availability requirements are not tight.
  • The business's network physically fits a Hub and Spoke (Star) topology.

So far, MPLS L3 VPN service from the provider seems suitable for its requirements. Let’s continue.

  • The business wants to operate its WAN network.

Now, we have eliminated the MPLS L3VPN option. If you get L3 VPN from the provider, you have multipoint-to-multipoint capability; however, you lose control. This is because you transfer the SLA and the risk to the service provider, and you depend on their performance and their control.

After understanding the architecture and business requirements, translating those requirements into a technical solution is the design.

You can come up with many valid design alternatives.

But you should always propose the simplest solution.

  • The business believes that its data is highly confidential, so we need to encrypt its data.

Based on the business requirements, IPsec over DMVPN would be a valid design.

DMVPN can be set up over leased lines, virtual leased lines, the Internet, and so on.

Since its availability requirement is not tight and the business wants the most cost-effective design, IPsec over DMVPN over the Internet is suitable.

The equipment choice is important, but not necessarily from the design point of view; for a CCDE, this task is generally a CCDA engineer's job.

If you are lucky, you can tell your boss that it is not your job.

Which routing protocol would you choose? More importantly, do not forget that they have two data centers.

The architecture phase identified the applications and systems the business needs, and the interactions those systems have with each other at the conceptual level.

The designer will translate those requirements to the technical requirements. After that, the designer will find the best technologies for these requirements.

The CCIE, in an operational role, translates these technical requirements and technologies into low-level configuration state.

The designer doesn't configure NHRP, IPsec crypto, routing protocols, redistribution, area assignment, and so on.

A CCIE does not necessarily need to know whether EIGRP or OSPF would be the better option for the business. However, a CCIE needs to know how links are assigned to OSPF areas, how EIGRP stub is configured, and so on.

What would be your design for the above business requirements?

  • Daniel Dib

    For the DMVPN, I think EIGRP or BGP would be most suitable, as OSPF is link state and a very chatty protocol compared to distance or path vector protocols. Also, the LSDB does not really add much functionality in a hub and spoke design.

    Would the datacenter be running any MPLS? As I believe EIGRP does not work in those scenarios. You could also run a different protocol in the DC than in the DMVPN, but it may add redistribution and complexity to the design.

    Interested in hearing your thoughts.

    • Daniel, welcome first. For the first part, nothing to say. These are the truths: EIGRP and BGP are the most scalable and require minimal configuration over DMVPN. If the customer would say that they need multi-tenancy requirements, so virtualization over virtualization, 2457overDMVPN we would start to evaluate.
      EIGRP works well in an MPLS environment; it is not a problem. The problem would start if MPLS Traffic Engineering is the requirement. (Even for TE maybe Verbatim is enough, so you can use EIGRP.) But in this case, you would do your traffic engineering with some DC solutions, let's say for the Elephant and Mice flows situations.
      OTOH, if traffic engineering on the WAN is necessary, you can use BGP for policy, but there are also other alternatives there such as PfR. You can control the routing table with it, as you know.

      But these are all assumptions, and nothing has been given in the requirements in this example. As an architect you should identify these requirements with the customer.
      Lastly, I wouldn't use different protocols in the datacenter and the WAN. But the Internet edge is of course a different story and may or may not require BGP.

  • Driss Jabbar

    If you are lucky, you can tell your boss that it is not my job. I like this sentence, but from time to time I am obligated to do these CCDA jobs 🙁

    BTW I will use FlexVPN instead of DMVPN :p

  • Philippe

    Hi Orhan,

    Good example to show the design "state of mind". And since you let your readers evaluate the trade-off between resiliency, performance, agility and cost, I am sure that you will have one different design per answer…

    From my point of view, I think an old school DMVPN Phase 1 or 2 overlay is fine.
    Each remote site belongs to 2 different clouds and periodically advertises its LAN using RIPv2 (with an offset-list adding 3 hops on the backup tunnel). It has a default route via the primary tunnel (on which DPD is activated) and a backup default route via the second tunnel.
    The hubs will collect the RIP advertisements and translate them into BGP with a policy (route-map) which maps the RIP hops into BGP MED/local-pref. BGP routes are exchanged between the hubs (collapsed core distribution) or between hubs and core, which is a more scalable architecture (you can provision new hubs without disrupting the core).

    The cons: 2 different routing protocols and 2 different clouds, no spoke to spoke connectivity.
    The pros: signaling overhead is tunable and deterministic, maximum scalability and no domino effects when a hub fails (backup tunnels are already established and backup routes are asynchronously advertised).

    Philippe

  • Driss, valid for this case 🙂 No problem, and what I want to show is definitely this: there will always be more than one valid design. As more requirements are provided, the options can be reduced to only one.
    But it is not always possible, especially if you are designing a network from scratch (Greenfield).

    • Driss Jabbar

      Thank you Orhan for your response.

      Could you please explain why it will not be possible, especially if you are designing a network from scratch (Greenfield)?

      • Because in the early phase of design, the applications in use may not be sensitive to delay, jitter, loss, security, policy and so on. But as the business grows and more applications run on the network, requirements change; that's why network design is not static.
        It is dynamic. We add/remove, replace the solutions. It is all about business really.
        Companies merge, diverge and so on; you cannot design for every case, but at least if you keep the general principles such as Modularity, Hierarchy, Summarization and Scalability in mind, then when the time comes, it gives you flexibility. Is this answer okay for you?

        • Driss Jabbar

          Very clear, thank you

          • Driss Jabbar

            I chose FlexVPN in response to one of our customers who wants to use 3G as a backup to minimise ISP charges.
            I found FlexVPN very flexible as a solution because you can define the primary tunnel and the second one easily, and the second option is that you are not obligated to run any kind of routing protocol between hub and spokes; you can count on pushing routes via policies, and the advantage of this feature is that no hello traffic or keepalive of a routing protocol passes through 3G. The third option is the number of tunnels. What if we have 1500 spokes and the customer wants to separate services via VRF? With DMVPN I should set up a tunnel per VRF, so it's not scalable enough; in this case if I have 3 services then I need 1500×3=4500 tunnels, and even if the hub is an ASR1000X it's not recommended to go above 4000 tunnels. But with FlexVPN you can use only one tunnel and pass your services separately (not tested 🙂 ).

          • You could suppress the hellos with the routing protocols as well (demand circuit?). I am not saying BTW that Flex is bad; as a technology I like it, and I will definitely share a post with my opinion. And I know we will discuss again under that post 🙂

  • Philippe, absolutely, it is the purpose of the post. Everyone can share their ideas so we can discuss the pros and cons.
    Driss threw in one idea which is valid for the given requirements; in your case there are assumptions such as Traffic Engineering, but definitely RIP scales better than OSPF. Nice participation with RIP 🙂

    As you know, IS-IS is not an option if the overlay is set up with DMVPN.

    If traffic engineering was the requirement, although BGP cannot take bandwidth into account (the DMZ etc. feature is not dynamic), it still provides inbound-outbound path optimisation.

  • Grzegorz Wypych

    Let me leave my comment.

    CCDE is what most CCIEs do. Believe me or not, but no one needs CCIEs to just put commands on devices. I think Cisco observed the trends from the last 10 years, that many CCIEs are involved in design and architecture roles after they passed the CCIE. They decided to distinguish both roles, CCIE and CCDE, but to be honest many colleagues, including me, also work as Senior Network Architects and do designs, consulting and implementation on a daily basis. Companies that hire Network Architects look for experience not only with customer relations and soft skills but also for technical knowledge which has been achieved by working with devices closely. You cannot be a perfect designer without dirty hands. There is a lot of hardware/software and network technology dependency which opens up to you during your entire career. Design is not what you can teach; design is your experience under projects and working with customers.

    But to be a good designer CCIE is not enough; you need to think like a designer and solve problems from a high to low perspective. This is why some people spend their entire life in TAC and some love working with projects. Creativity is what makes you a designer. It doesn't matter if you have CCIE or CCDE or both. You can get both skills during your work, but the decision to go or not for CCDE is a personal choice. I don't see so many job offers that clearly state that CCDE is required. 90% of Network Architect jobs ask for CCIE, because many CCIEs do design jobs, and Cisco's vision that CCIE only implements stuff is not true; this opinion is more for marketing of CCDE than for real truth.

    • I agree mostly 🙂 But you can share and teach your experiences, so you can teach design of course. But how long, how much do you need?
      It depends on the trainer but mostly depends on the student.
      I learned a lot during my career from many people, including Russ, Alvaro and many other people, from my colleagues, mostly from my mistakes 🙂 Recently from the readers and even from students.
      Don't stop listening, reading, experiencing.
      Putting a command down? Hmm, maybe good for clarifying some things, sometimes. But I wouldn't get experience with those.
      In the big projects which I design, I don't generally configure, but I get tons of lessons learned which give me design experience, believe me.
      As I said, for the most part we are on the same line, and I hope to see you soon as CCDE, Greg 🙂

  • Grzegorz Wypych

    I need to correct myself. You can teach design and you are doing a good job. Teaching and learning for CCDE give profits; you understand how to connect technologies, how they impact each other and that customer requirements are on top of that. It's a very important skill that you are able to teach. The problem appears in real life, when in 99.9% of projects the customer expectations are higher than the money they want to invest. Then the CCDE skill is helping, because you are able to sit.. think about all possibilities you have and provide something that will fulfill customer requirements and works… but it will not be optimal, even.. more risky than before and complicated. I had this on a daily basis in each project: "no money.. please do miracles". This is why CCDE is different; on the exam you don't have a budget and you care only about customer requirements and technologies. In real life sometimes you need to accept single points of failure, worse convergence because of the budget you have. Of course you consult the risk with the client… and most of the time they accept it at the beginning but ask you "Why did it happen.." when disaster appears 🙂

    • This time I agree with less of it, why?
      In the CCDE exam there are also budget constraints.
      Yes, they will not tell you that for the training we have this amount of money, for the license that amount etc., but in the background information, if the company has a budget problem, they will tell you that we can't spend money, we don't want to spend this year etc. So you will understand that you need to continue with the existing equipment.
      Now the question:
      Let's say they decided that they cannot tolerate downtime in remote offices which have a single link, single node connected to the WAN. But they don't give you money? Then you can't do anything.
      But let's say they had an outage because of spanning tree (in general it would be a user mistake), and they want a more resilient design. (Failures are unavoidable; resiliency provides you availability even under failure conditions.) You can maybe, just with a software upgrade, support MLAG and mostly eliminate STP issues.
      Conclusion: it will be given to you if the budget is the constraint.
      You can even find a better solution for the given business requirement (this is network design) without HW and most of the time without money.
      It depends on the expectation; in my first example there was a SPOF and a required HW upgrade would cost money, but in the second case with a code upgrade you have a feature and use it. OPEX is a different story.

  • Elaine Lopes

    I think that before it comes to a CCIE certification vs. CCDE certification, it's about the skills and experience you already have and where you're headed. For me it's logical from a career progression perspective to not only move up but also to move laterally. From a design perspective, being able to choose products, blades and versions of code evolves to choosing the best solutions to meet business needs, and to collaborate and create architectures. From an expert-level skills and experience perspective, having a solid configuration and troubleshooting background is critical when it comes to design, because one has a collection of things that work and that don't under their belt, which makes it natural to use them when designing robust networks. These things being able to be assessed and translated into certifications? Oh yeah!

    • Good to see CCDE and CCAr program manager Elaine Lopes here. As a person who is working with you on many projects, I can tell that you are doing a great job. I would like to hear the latest announcements from you here. Your comments are always welcome. Cheers!

  • Richie

    So for a network engineer like myself who studies for the CCIE with no real lab time frame in mind, is the CCDE a better path to go down in your opinion?

    • I like to deal with design; if you like it, you will enjoy the exam preparation, but learning will never end. If you have a mentor for something, the time might be reduced and you can learn from their experiences.
      That's correct.
      But eventually all certificates can be managed with self study; having different opinions, learning tricks etc. from the instructor is helpful for the exams for sure.

  • Richie

    I really like being the guy who implements the solution but I would like to also influence the design.

    I may have a look at the CCDA just to get a feel for the cert track.

    • But the requirements that you need to take into account and the answers you provide, the complexity level of the problems, are different between CCDA, CCDP and CCDE.

      So you won't feel the same thing for each one of them.

  • Richie

    So if I'm interested, am I as well just looking into it at the CCDE level?

    • No, I don't mean that. You may have many technologies, architectures and so on which you should learn first. But learning and understanding spanning tree vs. Seamless MPLS was not the same. For me at least.

      • Richie

        I think I get what you're saying.

        Thanks man

        • They were very valid questions and my answers were probably very subjective, but I tried to give my insights, Richie. Thanks for the discussion.