
Build Your Own Lab (and Beyond)

CCIE Enterprise Infrastructure

Peter Palúch (@Peter_Paluch)


CCIE Enterprise Infrastructure Exam Program Manager
April 7th, 2021
CCIE Enterprise Infrastructure Blueprint
1. Network Infrastructure (30%)
• Traditional networking (L2 + L3)
2. Software Defined Infrastructure (25%)
• SDA, SD-WAN
3. Transport Technologies and Solutions (15%)
• MPLS, basic MPLS L3VPN, DMVPN
4. Infrastructure Security and Services (15%)
• Mix of various networking tools
5. Infrastructure Automation and Programmability (15%)
• EEM + Python in IOS-XE, APIs for IOS-XE + vManage + DNA Center

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
CCIE EI racks in one of our DC locations

Domain 1: Network Infrastructure
• Layer2 Ethernet switching
• Switching, VLANs and related technologies, EtherChannel, STP family
• Unicast routing
• Static, OSPF, EIGRP, BGP, VRF, routing optimizations in every protocol
• Multicast routing
• Sparse, BiDir, RP discovery, SSM, Anycast RP, IPv6 Anycast RP

Domain 3: Transport Technologies and Solutions
• MPLS
• Basic MPLS, basic MPLS L3VPNs (IPv4/IPv6)
• DMVPN
• Blueprint limited to troubleshooting dual-hub DMVPN deployments
• Please bear in mind that “troubleshooting” still includes fixing a broken or incomplete configuration or tuning suboptimal performance

Suggested topology for Domains 1 and 3

Topology Breakdown
• Two core / WAN edge routers
• CSR1000v recommended
• IGP/BGP toward ISPs, redundant default routing, NAT, DMVPN hubs
• Access & distribution layer switches
• vIOS-L2 sufficient
• IGP routing
• Flexibility in defining the L2/L3 boundary

Topology Breakdown
• Two ISPs
• An ISP can be reduced to a single router inside the cloud, or arbitrarily expanded so that the traffic between two sites flows through a PE-P-PE path (at least one P)
• vIOS sufficient
• One of the ISP clouds can be a simple switch emulating a “backdoor link”
• Two branches
• vIOS + vIOS-L2 sufficient
• Branch #3 allowing diverse L2/L3 scenarios
• Branch #4 kept very simple
Domain 2: Software Defined Infrastructure
• Software Defined WAN
• New edge router onboarding, basic VPN connectivity, interworking with traditional networks and with SDA, centralized and localized policies
• Software Defined Access
• Underlay configuration, macro and microsegmentation, VN management, silent host support, L3 handoff to a traditional network or to SD-WAN

Suggested topology for Domain 2

Topology Breakdown
• vBond
• At least one, attached to WAN edge routers
• vSmart
• At least one, attached to an access layer switch (placement not critical)
• vEdge
• At least one, connected variably to WAN edge routers and distribution layer switches
• DNA Center, ISE, vManage
• Attached to the access layer switches (placement not critical)
Topology Breakdown
• Branch #1
• Simple SD-WAN/SDA site
• SDA Fabric-in-a-Box style
• Branch #2
• More complex site allowing:
• 2x fabric edge + 1x fabric border (SDA)
• 1x fabric edge + 2x fabric border (SDA)
• Two SD-WAN vEdges provide opportunities for redundancy, TLOC extension, multiple topologies, …
Putting It All Together
• The topology is a combination of the previous two with one change
• In Branch #3, one WAN router is an SD-WAN vEdge, allowing for SD-WAN with 1 hub and 3 spokes
Domain 4: Infrastructure Security and Services
• Device Security
• Network Security
• ACLs, DHCP Snooping, IPSG, DAI, Port Security, Private VLANs, RA Guard, DHCP Guard, ND Inspection/Snooping, Source Guard, 802.1X
• System Management
• Device management through CLI, SNMP, RESTCONF, NETCONF, logging
• QoS
• Network Services
• FHRP, NTP, DHCP operations, NAT
• Network Optimization & Operations
• IP SLA, tracking objects, Flexible NetFlow, SPAN, EPC, Packet Trace
Domain 4: Infra Security and Services
• The topology offers a multitude of options to practice Domain 4 topics on virtually every location and their combinations
Domain 5: Infrastructure Automation and Programmability
• Automation and Scripting
• EEM, Guest shell, Python, Python modules “cli” and “eem”
• Programmability
• vManage API, DNAC API, IOS-XE API, interaction with these APIs appropriately using Postman, Python requests, Python ncclient, gRPC

Domain 5: Infra Automation and Programmability
• IOS-XE programmability tasks particularly suited to HQ on r1/r2
• This is due to r1 and r2 being recommended to run CSR1000v
• DNAC and vManage APIs obviously located in HQ
Hardware Requirements

Platform                        Recommended resources    Number of Devices
CSR1000v IOS-XE 16.12           2 vCPUs, 8GB RAM         2
vIOS 15.8 / vIOS-L2             1 vCPU, 2GB RAM          4+ vIOSes, 8+ vIOS-L2
vEdge 18.4 / vBond 18.4         4 vCPUs, 2GB RAM         6 vEdges, 2 vBonds
vSmart 18.4                     2 vCPUs, 4GB RAM         2
vManage 18.4                    2 vCPUs, 32GB RAM        1
Identity Services Engine 2.6    8 vCPUs, 64GB RAM        1
DNA Center                      88 vCPUs, 256GB RAM      1
Host VM                         2 vCPUs, 2GB RAM         10

Host VM
• In CCIE Enterprise Infrastructure, the hosts in the topology are clones of the same Debian GNU/Linux-based VM
• This VM has been publicly shared for download at https://learningnetwork.cisco.com/s/article/CCIE-Enterprise-Infrastructure-Host-VM
• Jordi Schlooz has converted the image into EVE-NG format at
https://www.theansweris101010.network/its-here-the-ccie-lab-image/
• The VM can be used both as an end host and as a server (in the lab, it is only used as a host)
• On April 13th, I will be delivering a webinar fully dedicated to this VM

What to build the lab in?
• The non-virtualizable part of the topology (for now) consists of
• SDA switches (no image publicly available to emulate the Cat9K)
• DNA Center (virtualization not officially supported, requires immense resources to run)
• For the virtual part, by far the best choice to go with is Cisco Modeling Labs v2
• Personal (20 nodes) and Personal Plus (40 nodes) editions
• Allows routing and bridging with external physical devices
• CML does not come with SD-WAN nodes – these need to be downloaded (and licensed) separately but can be imported into CML

Building the SDA Part
• At least for now, the SDA part of the topology must be physical
• Different Catalyst switches can be used for this purpose:
• Catalyst 3650: Fabric Edge only
• Catalyst 3850: Fabric Edge, Border Node, Control Node, does not support Fabric-in-a-Box
• Catalyst 9200: Fabric Edge only
• Catalyst 9300: Fabric Edge, Border Node, Control Node, Fabric-in-a-Box

• More details in Cisco SD-Access Ordering Guide

Solving the pain points with SDA
• We are internally working on a paid offering of remotely accessible, scheduled CCIE-targeted training labs
• Rent-a-lab approach
• The labs will be built on top of a topology identical or very similar to the full topology we have discussed in this webinar, consisting of 4 physical Catalyst 9300 switches and a virtual part, fully covering the blueprint
• Individual labs will be targeted at selected technologies and their subsets (for example SD-WAN, SDA, …), but the whole topology will be available and unlocked to the candidate to play with

On what technology should the training labs focus?
A. SDA
B. SD-WAN
C. Programmability
D. Traditional networking
E. Interworking of SDA/SD-WAN/traditional networking

Our internal steps…
• We keep researching additional options to allow full virtualization of the entire CCIE Enterprise Infrastructure topology, or at least affordable access to home training lab ownership
• Virtual Catalyst switch images with the necessary SDA/LISP functionality
• Lightweight DNA Center virtual image
• DNA Center Cloud potential usability
• Discounted physical training kits

Getting ready for CCIE Enterprise Infrastructure
• Refer to CCIE Enterprise Infrastructure (v1.0) Exam Blueprint
• Consult the CCIE Enterprise Infrastructure (v1.0) Learning Matrix
• Visit Cisco Live! On-Demand Library
• Make friends with developer.cisco.com for programmability topics
• Consider using Cisco Learning Library for targeted courses
• Consider using Cisco dCloud for targeted technologies
• Consider using CML-P for your practice lab
• Join and be active in the Enterprise Certifications CLN community
Q&A

Thank you.
