Orhan Ergun 5 Comments

Beware: CCIE University Steals and Cheats

With more than 13 years of IT-related experience, I have spent my past few years using my passion in IT to teach Cisco network design concepts such as CCDE, CCDP and CCDA to help Cisco exam takers get successfully certified.

Through my work, https://orhanergun.net/ not only became one of the most recognized and well-respected Cisco exam preparation providers, but my testimonials also speak for themselves.

Recently, shocking news came to light in my email from one of my students – that another website, CCIE University, stole the years and effort I spent in publishing the Cisco CCDE exam preparation book.

The feeling of disbelief loomed over me as I saw the exact copy of my book being sold on CCIE University’s website without rights or permission. But this act of thievery was not enough for CCIE University as you will see below.

If you check their website, you will notice that they are selling the stolen book for $699 – a whopping $500 markup from my original price of $199. So stealing was apparently not enough; they also shamelessly aim to take every penny possible out of hard-working exam takers’ pockets.


Moreover, if you carefully read their description section, it becomes apparent that they also cheat their own customers by making fake promises that the book is “100% Real Lab”. As the author of my own book, I can assure you that there are no real exam questions as it is clearly against Cisco CCDE policies.

Buyers – be aware of CCIE University’s scam and do not allow them to scam you too.

Orhan Ergun 28 Comments


CCIE vs. CCDE is probably one of the most frequently asked questions by networking experts.

How many times have you asked yourself or discussed this topic with your friends? Many times, right?

I have CCIE Routing and Switching and/or Service Provider; should I continue to design certifications such as CCDE, or should I study for another expert-level certification, perhaps a virtualization certification?

To illustrate my answer, let me give you an example.

Consider that you are building a greenfield network. (Usually, it is the same for brownfield as well.)

First, you need to understand the business: how many locations it has, where they are located, and where the HQ or HQs, data center, POP locations, and so on are.

After that, you try to understand how the business can assist its consumers.

It can be retail, airport, stadium, or service provider network.

All these businesses have similar and different requirements.

For example, stadium architecture requires you to have ticketing systems, access control systems, and streaming the game, all of which are connected to the network. So, you need to understand the business requirements, how they want their revenue to appear, and how their systems interact with one another. Then, you will provide the business an architecture to support its requirements.

You may need to enable QoS or Multicast for that application, as an example.

Architecture refers to the process of gathering, analyzing, and clarifying the business requirements.

Without Architecture, a Design Is Just a Guess

The designer needs to understand the business objectives and high-level functional specifications.

In the retail store example, store sales information may be updated with some central locations such as Datacenter for the purpose of analyzing data only, and high availability requirements of the store may not have much priority.

Now, let me give an example that shows that it is pertinent that you understand why a design is important and why it requires different strategies.

A Business has 1000 sites connected to two data centers. (Technically, we call it Hub and Spoke).

It plans to open 1000 additional sites within 2 years.

The business wants to operate its WAN network. While its data is highly classified, the business carries a small amount of data between remote sites and data centers.

The business can tolerate up to half an hour downtime. Since the enterprise has many remote sites, it wants to reduce the cost of devices in the remote offices.

Ideally, the enterprise wants to operate those sites using small resources on its devices. And since there are many sites, it wants the most cost effective WAN solution.

As you must have observed, I did not mention anything technical so far.

All these requirements can be received from the business leader, perhaps the CIO or CTO of the company.

Let me translate these business requirements into technical terms.

  • The company has many sites, and it needs scalable design.
  • The availability requirements are not tight.
  • The business’s network physically fits Hub and Spoke (Star) topology.

So far, MPLS L3 VPN service from the provider seems suitable for its requirements. Let’s continue.

  • The business wants to operate its WAN network.

Now, we have eliminated the MPLS L3 VPN option. If you get L3 VPN from the provider, you can have multipoint-to-multipoint capability; however, you may lose your control. This is because you are transferring SLA and risks to the service provider even though you depend on their performance and control.

After understanding the architecture and business requirements, translating those requirements to a technical solution is the design.

You can come up with many valid design alternatives.

But you should always proffer the simplest solution.

  • The business believes that its data is highly confidential, so we need to encrypt its data.

Based on the business requirements, IPSEC over DMVPN would be a valid design.

DMVPN can be set up over leased lines, virtual leased line, Internet, and so on.

Since its availability requirement is not tight and the business wants the most cost effective design, IPSEC over DMVPN over the Internet is suitable.

The equipment choice is important, but not necessarily from the design point of view. The CCDE task is generally a CCDA engineer’s job.

If you are lucky, you can tell your boss that it is not your job.

Which routing protocol would you choose? More importantly, do not forget that they have two data centers.

Architecture means understanding the applications and the systems that the business needs, and the interactions those systems have with each other, at the conceptual level.

The designer will translate those requirements to the technical requirements. After that, the designer will find the best technologies for these requirements.

CCIE as an operational task will translate these technical requirements and technologies to low-level configuration state.

The designer doesn’t configure NHRP, IPSEC Crypto, Routing Protocols, Redistribution, Area Assignment, and so on.

CCIE does not necessarily need to know if EIGRP or OSPF would be a better option for the business. However, CCIE needs to know how links can be assigned to the OSPF Areas, how EIGRP Stub is configured, and so on.

What would be your design for the above business requirements?


Orhan Ergun No Comments

CCIE R&S, SP, Wireless, Collaboration, Datacenter, Security Preparation Recommendations

Orhan Ergun and Neil Moore talked about CCIE preparation on the packetpushers podcast.

Neil Moore is the only 8xCCIE in the world, a well-known geek and an HP fellow.



  • Which exam is the hardest?
  • What is their advice?
  • Which certification should be received first, and what should the order be?
  • CCIE vs. CCDE?
  • What is the specific preparation methodology for each certification?

If you liked the podcast and found it helpful, please share your thoughts and additional questions in the comments; Neil and I will be happy to answer you.

Click here to listen.

Orhan Ergun 20 Comments

Inter AS Option A Design Considerations and Comparison

Inter AS Option A is the easiest, most flexible, most secure Inter autonomous system MPLS VPN technology.

In the below topology VPN Customers A and B are connected to two different service providers via MPLS Layer 3 VPN. In order to have end to end MPLS VPN service, Service Providers use special mechanisms. In this article, I will explain the most basic one which is Inter-AS Option A, though there are many other things you need to know about Inter-AS Option A.

Our aim is to carry all the customer routes between the service providers.

There are many different ways of handling this case. In this post, I will explain Inter AS Option A MPLS/VPN, also known as VRF-to-VRF approach.





Figure 1: Inter-AS Option A

I will use the topology depicted in fig. 1 throughout this post to explain Inter AS Option A operation.

In the above diagram, we have two service providers and the two customers which require Inter-AS MPLS VPN service.

The PE routers that connect the two providers are also known as ASBR (Autonomous System Boundary Router).

Inter AS Option A: an ASBR router in one Autonomous System attaches directly to an ASBR router in another Autonomous System.

The two ASBR routers are attached to each other by multiple sub-interfaces, at least one for each of the VPNs whose routes need to be passed from one AS to the other AS. Each of those sub-interfaces is associated with a VRF table.

For each customer, service providers could use a separate physical connection instead of a sub-interface. However, doing that would not produce an optimal result for resource utilization.

PE routers connected to the CE devices run MP-IBGP, either through full mesh or through RR (route reflector).


Inter AS Option A allows ASBR routers to keep all the VRFs for customers who require Inter AS service.


SP-A and SP-B ASBR routers maintain VPN forwarding table in LFIB. Furthermore, they keep routing information in RIB and FIB.

Compared to other AS options, ASBRs have high memory usage in Inter AS Option A.

However, other Inter AS VPN options do not have these capabilities.

ASBRs can either run the same routing protocol with the customer on the VRFs or use just EBGP.

For example, if the requirement for Customer A is to keep routing information such as the metric end to end, SP-A and SP-B run the same routing protocol on the ASBRs and on the PE devices to which the customer CE device is attached.

In Inter AS Option A, SP-A and SP-B will have to manage redistribution at the ASBRs because the routes appear to the ASBR as BGP routes from remote PEs. For Customer A, those routes need to be redistributed from BGP to the Customer A PE-CE routing protocol, and from the Customer A PE-CE routing protocol to BGP.

ASBRs associate each such sub-interface with a VRF.

Inter AS Option A does not require MPLS at the ASBRs, unlike the other Inter AS options.

Since we need a separate VRF and sub-interface for each customer VPN, a separate routing protocol, and redistribution for each protocol, it is operationally cumbersome and thus hard to scale.

Since there is only IP routing between the ASes, Option A is considered the most secure of all the Inter AS options.

In addition, it is the easiest option to implement between the AS because Option A does not require another control plane mechanism between service provider ASBRs such as LDP, BGP+label, or BGP-VPNv4.

Between the service providers on ASBRs, either IGP protocols or EBGP is used.

More importantly, other Inter AS Options (Inter AS Option B and Inter AS Option C) require additional control-plane protocols to advertise the customer or infrastructure prefixes between the ASBRs.

Since only IP traffic (not MPLS) passes between the service providers, the most granular QoS implementation is achieved with Option A (per sub-interface and IP DSCP vs. MPLS EXP).
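The VRF-to-VRF setup described above, written as a Cisco IOS configuration for the SP-A ASBR. This is an added example, not configuration from the original post; the VRF names, RD/RT values, VLAN IDs, interface names, AS numbers 65001/65002 and all addresses are assumptions. It uses eBGP per VRF and adds a per-VRF maximum-prefix limit, so that a route leak in one customer VPN from the other provider cannot exhaust the ASBR memory that Option A already uses heavily.

```cisco
! SP-A ASBR (constructed example: names, RD/RT, VLANs, AS numbers and
! addresses are assumptions, not taken from Figure 1)
vrf definition CUST-A
 rd 65001:101
 address-family ipv4
  route-target export 65001:101
  route-target import 65001:101
 exit-address-family
!
vrf definition CUST-B
 rd 65001:102
 address-family ipv4
  route-target export 65001:102
  route-target import 65001:102
 exit-address-family
!
! One sub-interface per customer VPN on the link to the SP-B ASBR.
! No "mpls ip" here: only plain IP packets cross the AS boundary.
interface GigabitEthernet0/1.101
 description Inter-AS Option A, Customer A, to SP-B ASBR
 encapsulation dot1Q 101
 vrf forwarding CUST-A
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/1.102
 description Inter-AS Option A, Customer B, to SP-B ASBR
 encapsulation dot1Q 102
 vrf forwarding CUST-B
 ip address 192.0.2.5 255.255.255.252
!
router bgp 65001
 ! MP-iBGP (VPNv4) towards the SP-A PEs or route reflector
 neighbor 10.255.0.1 remote-as 65001
 neighbor 10.255.0.1 update-source Loopback0
 address-family vpnv4
  neighbor 10.255.0.1 activate
  neighbor 10.255.0.1 send-community extended
 exit-address-family
 ! Per-VRF eBGP: the SP-B ASBR is treated like a CE in each VRF
 address-family ipv4 vrf CUST-A
  neighbor 192.0.2.2 remote-as 65002
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 maximum-prefix 1000 80
 exit-address-family
 address-family ipv4 vrf CUST-B
  neighbor 192.0.2.6 remote-as 65002
  neighbor 192.0.2.6 activate
  neighbor 192.0.2.6 maximum-prefix 1000 80
 exit-address-family
```

The SP-B ASBR mirrors this with its own VRFs and AS number; no VPNv4 or label session is configured between the two ASBRs.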

For all Inter AS Options, it is very common that customers have to trust the service provider for data integrity, confidentiality, and availability.

MPLS does not encrypt the packets; if a customer needs end-to-end encryption, the customer can deploy IPsec.

The Inter AS MPLS VPN Options Comparison Table below gives you the most comprehensive analysis. In real life and also for the design exams, it will be very useful, since the comparisons are made from the design point of view.



Inter AS MPLS VPN Options Comparison


Do you use MPLS VPN service? Is it from one provider or multiple providers?

Let’s talk about your design in the comment section.