BGP Study Group | CCIE Sessions (with sound!)

Captions
One more second here. Okay, sorry about that, that's embarrassing. You didn't hear me at the beginning. At the very beginning of this thing I said that, um, live streams, for some reason, they just get me, they crush me pretty hard. So, um, let's start over. I'm so sorry. Thank you all for hanging tight and watching with me. Um, now, BGP, Border Gateway Protocol: what are we here to talk about? We're going to jump back to this whiteboard and we're going to talk about Border Gateway Protocol. So, so sorry about that. Um, here we go, let's take this from the top.

So BGP, Border Gateway Protocol. This is, uh, the live stream, this is going to be the session that's all about how the internet is built and things that really caught me off guard, and I hope that we can talk about things that may be catching you off guard too, because I'm very much in my journey and I'm very much learning. Oh, do we have an echo? Do I have another hot mic somewhere? No echo, so we're good. Okay, all right.

So, uh, things that are catching me off guard when it comes to BGP, Border Gateway Protocol, and, um, you know, things that are really, really, I think, challenging, and the important things about BGP. When we look at the exam blueprint, the actual topics themselves, this is a big section of the exam, just BGP. I mean, the network infrastructure only accounts for 30 percent of the exam, right, but BGP is a big, big part of that, and that's because BGP is the thing that has the most configurations to it, it's the most nuanced, and it's the most powerful. That's why I like to say that BGP is a very deliberate protocol. It's not necessarily dynamic in a lot of senses. It does exactly what we tell it to do and nothing more, nothing less, and that's why it's actually easy to mess up, because it can do so much in a bunch of different ways. And you probably saw that if you were watching my BGP session, my BGP exam topics, there were things that messed me up. So the things that messed me up, things that really still catch me off guard, are right here in
the policy section: conditional advertisement, outbound route filtering, and communities. When do we do filtering versus when do we do communities? You saw that was one of the ways that it really messed me up. So, um, other things that we're talking about was route reflectors and then aggregations. Um, that's another thing that I want to talk about in this particular session.

So let's bring this up, let's bring back the topology and talk about this: route reflectors and confederations and scaling. When we talk about iBGP in particular, we're talking about a scaling issue, because by default, if you really want them all to share network or route prefixes with each other, they have to be a full mesh. That's why they came up with things like route reflectors and confederations. And a lot of you all were quick to point out that confederations are not on the exam blueprint, whereas route reflectors are, and in the first challenge there aren't route reflectors. So here we go, we put confederations, I put a confederation right here. Why did I do that, if it's not on the exam topic, why did I do it? Because confederations are out there in the real world, they're important to know. Um, and if you didn't get it, if you didn't study that, that's okay, like, don't worry. I just put it out there because, you know, it's something that I knew how to do and it's a real-world scenario and I thought it was important to do, and you could see that it actually tripped me up a little bit. The behavior from one confederation sharing routes to the other, uh, kind of behaves like an eBGP relationship.

Now the route reflector section, if you've already worked ahead, that comes in the MPLS Layer 3 VPN section, and this is what I was trying to say earlier, where I found out that I didn't have a mic. Um, let's talk about this. Uh, MPLS Layer 3 VPN is very cool because, you know, it's, well, it's an MPLS Layer 3 VPN, and here in our section we've got our provider edges and we're running iBGP throughout this in order to
exchange these routes. So when we've got customer one sending in routes here, customer two sending in routes here, they're going to be segmented in their own VRFs, and when these get redistributed into BGP they become VPNv4 routes. The challenge tells us that R1 should correctly forward VPNv4 routes throughout the topology. So how does it do that? Because we're not talking IPv4 routes anymore, and that's probably where we've all gotten familiar with route reflectors. We're talking about VPNv4 routes. So check this out, this is the way this is really going to work. I'm on R1 right now, and if I give it a show run section bgp, see this, this is what I was trying to show earlier: the route reflector configuration comes under the address families. So this is a VPNv4 route that we learned from our customer edges, not from within our own topology. So we're using the route reflector configuration to reflect the VPNv4 routes on to the next destination. So that way, let me go back here, that way when R4 sends a VPNv4 route on to R1, it reflects it to R2, R5 and R3, and then they redistribute the routes back out and into the customer edges again. It's really cool, and I thought this was a unique way to see route reflectors in action rather than the traditional IPv4 challenge that everybody's kind of seen and gotten used to. Uh, so that's why I did it that way. Um, if you haven't gotten ahead, spoiler alert, that's coming, uh, in the MPLS Layer 3 VPN video, which is going to release on Monday. But, um, so there weren't route reflectors in the network challenge or in the internet challenge here, but it does come in BGP, in a BGP configuration in MPLS Layer 3 VPN.

Now, things that really did trip me up. We're going to talk about, first of all, the communities. We said one of our challenges here was to stop the advertisement of ISP 400-1's loopback outside of this particular confederation, and probably the cleanest way that I should have handled that was just to simply filter the prefix at the edges right here from going
outbound. Now why didn't I do that? Well, the first thing is, if I were to create a filter here, I'd also have to create it here, and that's just more to maintain and it's less scalable in a real-world situation. However, the exam task itself for the challenge that I wrote didn't explicitly say to do it one way or the other, so I thought, like, you know what, this would be cool if I could just do it with a community, that we only have to create one route map that sets the community and then the rest handles itself. And then of course, you know, I forgot to, uh, configure the route map in two directions, I only configured the route map in one direction. So, so many lessons to be learned right there. First of all is the behavior of communities, as well as mental stamina. I mean, I'm an hour into this challenge and I start slipping up, I start making careless mistakes like not applying the route map to both neighbors, and, you know, there's something to be said about that, or even, you know, skipping an entire problem altogether because I got anxious and jumped ahead. Um, so I guess the tip there, the advice I give there, is just remember that, um, mental stamina is a thing, and sometimes going for the easiest solution, in fact usually going for the easiest solution, is the best solution, unless they explicitly tell you to do something else.

So one of the places where I did explicitly say do something else actually comes in MPLS Layer 3 VPN again. I said R1 should leverage templates. Well, if we look at the exam blueprint here one more time, we've got templates and peer groups. Peer groups are not templates, they are two different configurations. So your temptation when you jump into that may be to configure a peer group, but it explicitly says leverage templates to do this. Um, whereas in the other, you know, problems that I created, it doesn't say explicitly use a community or not a community or something like that. So that's something also to keep in mind, is, like, you do have to take
the challenges verbatim, and when it's not explicitly said, you're free to do whatever you want. At least in my opinion you should be free to do whatever you want, um, and oftentimes I feel like going for the simplest solution is the best one. So again, sorry about those audio problems when we got started. Uh, thank you, those of you, for hanging out and making it with me, um, through that. That's, you know, it's embarrassing, but it happens, and it won't happen again for the remaining live streams.

So let's take a look one more time at some of these. Oh yeah, we said we're going to talk about aggregation. So that was another thing that got me at the very end of the video, and again, it probably comes down to mental stamina and staying focused. I used the aggregate-address command, so I'm going to put aggregate-address here, but I forgot to use the summary-only. Now, it also didn't specify that it should maintain the AS path attribute, so that's another thing that you have to keep in mind, is the as-set command for maintaining the actual full AS path instead of just where the aggregation occurs. So look for those things on the exam itself. When it tells you you need to summarize all of these routes in such a way that we are going to unsuppress or leak one specific prefix out, that to me, in our case that was our exam challenge here, I should have used summary-only. I ended up using it, but it took some troubleshooting to get to that point. And then the last thing was the as-set, in case we needed to provide the full AS path. So those are the things that were catching me off guard.

Uh, outside of that, I feel relatively comfortable with all of the remaining BGP items that are listed here on the, um, the list here. You know, obviously I think one of the things that scares all of us is regex, unless you work with regex or BGP regularly, and those AS path ACLs. Um, that's definitely something that will scare some people. Um, so yeah, regex is something I'm going to need to brush up on. Of
course we should know that this, the caret dollar sign, means this local AS, routes originated in this local AS. That's one that you should just commit to memory because it may be one that you need to use, uh, if we're trying to manipulate or load balance how traffic comes in or goes out of our AS. So I think that's another thing that I tried to do in this particular challenge, is we have two exit points for AS 400, and there's a lot of manipulation that can happen when there's two exit points. We can manipulate how traffic comes into the AS or how traffic goes out or load balances out of the AS there, uh, and I would fully expect there to be lots of challenges surrounding that.

Um, let's see, so do y'all have any questions for me, um, you know, while I take a breath here and look at, uh, this topology that's going on and look at some of the chat questions? So embarrassing about that audio stuff. It happens to me all the time, it really gets me. Um, yeah, so, I mean, we can talk about BGP in general. Um, like I said, it's a very deliberate protocol. Uh, you can do things like dynamic, uh, neighbor associations, um, when you do, uh, the BGP listener. In fact, let's google that: BGP listen Cisco, something like that. So this is what we're talking about, the bgp listen range command. This is something that I didn't put, so thanks, Roger Perkins, for your blog here, for letting us use this. This is really, really cool. Go check out Roger Perkins' blog, where we've got this. The idea here is that we can create a peer group and then dynamically, when we specify if peers come in from a specific IP address or a range of IP addresses, automatically form a neighbor relationship with them, as long as the things, you know, show up correctly, like the remote AS. So again, shout out to Roger Perkins for providing this cool free information. Um, when it comes to learning how dynamic BGP neighbor relationships can come to life, this is something that you'll probably want to study up on, is the BGP range, the bgp listen
range command, in case we do need to have dynamic neighbors. They're listed right there in 1.5.a, so that's pretty cool too. Um, yep, and we had some fun stuff coming up in the MPLS Layer 3 VPN network.

So yeah, that's a good question there: any particular topic you are worried about? Um, so is this specific to BGP? When it comes specific to BGP, uh, I'm going to be worried about policies in general, and specifically I am worried about choosing the right solution. Um, because, you know, when I watch these videos of myself, uh, working through these problems, I'm going, like, that wasn't the right solution, or that wasn't the best solution. Should I just filter that prefix out in this one specific spot, or should I have used a community? See, communities, I think this is one that it's easy to mess up, because we set a community on ISP 400-1, what does it then do? It still advertises the prefix onward to the next hop or the next network, and that's really when the community takes effect, at least most of the time. So if I were to set, say, the no-export community right here on ISP 400-2, it would send it on to ISP 200 and ISP 300, and that's when ISP 200 and 300 will go, hmm, it says no-export, so I shouldn't export it. So if my goal was to not export it out of AS 400, this is not the solution to do it, at least not on the edge, because communities don't really take effect, so to speak, until they've been advertised forward, saying, dear neighbor, you should behave this way. Not me, you should behave this way, because we've set this community. So communities tend to trip me up, um, and I think that really just comes down to practice. I need to practice using communities a lot more. I can make a smaller little lab in EVE-NG here and just practice and figure out the behavior of no-export, no-advertise, local-AS. Um, that's really kind of the point of community. So, uh, should I have used no-export right here and then advertised it onwards? Probably would have worked if I had remembered to put the route
maps in both directions. I only applied it in one direction instead of both directions, so it sent the community in this direction but it didn't send the community in that direction, and this guy just kept on behaving the way it always behaved and forwarded the prefixes all the way out to the internet. So communities and careless mistakes tripped me up there. I am definitely concerned about mental stamina and choosing the wrong solution.

Um, some other things, um, let's see: how do you deal with remembering all the subjects, there's so many details to remember? Well, that is a good question. The first thing is, I don't remember all the subjects, and I screw up a lot. Um, you're really going to see that in the MPLS Layer 3 VPN video on Monday. I actually created a video on YouTube, I went live, I think, to talk about mental stamina and maintaining mental stamina. There was an issue, I can tell you right now what's gonna happen. Um, the green customer runs EIGRP. We already went through this challenge, this challenge was released on Wednesday, where all of the EIGRP configurations took place. But then I wanted to have EIGRP running on the provider edge to the customer edges here, so this needed to be a separate instance of EIGRP, this was a different autonomous system. So for whatever reason I went to type the commands and it didn't work exactly the way I thought it would, and my brain just imploded. You see, at that point I'm, like, eight hours deep going through this practice lab, and, uh, I ended up making the squirreliest, craziest workaround to get that thing to work. I ended up running a VRF on the lan side and a VRF on the lan side, then I redistributed into BGP and then pulled it out of BGP and into this VRF. It was a mess. Uh, it sort of worked. It took a lot of troubleshooting and some help from even Cisco employees to help me figure out why it was behaving the way it was, when really I could have just created a whole new EIGRP instance and redistributed between them.
That's what I'm talking about when I say, like, mental stamina really takes over, and then even things that you do remember, you forget. Like, I know that you can create router eigrp 1 and then router eigrp 2 and then redistribute between them, but for whatever reason, in that moment when I went to make this configuration and it didn't work, I just imploded, and I ended up spending all of this extra time finding this weird workaround. I did get it to work, um, and if you watch this video on Monday, I guarantee you will learn some fascinating stuff about how BGP interacts with EIGRP, but it wasn't the right solution, and I do make sure to call that out, that the right solution was something different.

So with all of these things that, you know, it's so much information. Um, you know, I've spent the last year working on network automation, year plus working on network automation for DevNet course and ENAUTO, and got the DevNet Professional, so I'm super comfortable in these topics, in this domain. Uh, software-defined infrastructure, I mean, after you've gone through SD-Access and DNA Center and SD-WAN, like, you won't forget it, like, you come out of that with some bruises. Um, and that's one of those things. Uh, I'm so fascinated by DMVPN and MPLS Layer 3 VPN that I feel like I've got those locked down pretty good. It's this stuff up here, like, this list is so overwhelming, especially when it comes to BGP. BGP is so nuanced that the only way I think I'm gonna make it out of the BGP and the multicast section is just practice, practice, practice, practice, practice, like going through each one of these things over and over again, just learning how they behave. But I fully anticipate that I'm gonna forget some really important stuff, or more importantly lose my mental stamina, you know, in hour five of the exam, um, and, you know, make a careless mistake. That's the thing that I'm scared about.

Let's see some other good questions here. Yeah, unless the access and SD-WAN, you're exactly right, like that is,
uh, you know, I'm fascinated to see what they do there. Um, you know, my first thought was, like, oh, maybe SD-Access will be just design. Um, but then, you know, they did a webinar, uh, Peter did a webinar where he talked about the actual exam environment and how to study, and they showed a picture of the actual data center, and they said, like, this is a DNA Center appliance and, you know, four switches, Catalyst 9000 switches, that go with it. So I'm like, okay, well, they actually have a DNA Center appliance and the switches, so there's a real chance that we're going to have to configure an SD-Access fabric. Um, I'll tell you, a lot of heart and soul went into building our DNA Center and SD-Access fabric course at CBT Nuggets. That was probably the biggest challenge I've had in recording and learning yet throughout my career. There was, you know, finding the correct information, it was scattered all over the place, so it took a lot of trying things, didn't work, factory defaulted, start over again. So when you're watching our DNA Center course, know that the stuff that we're teaching there is the real battle-tested stuff, because it was basically like a DNA Center appliance showed up at my door one day and it was like, good luck, go get them, tiger. So we had to really, really learn things the hard way, and I wanted to get a working SD-Access fabric, so in order to make it work, you know, we had to trudge through mud and try things until we found the right things that work. I mean, I found the correct answers in forum posts, I found the correct answers in Reddit posts, I found the correct answers in white paper PDFs, I found some of the correct answers were only in Cisco Live presentations. I mean, it was crazy, uh, the stuff that we had to go through. So that's what I'm trying to say when it comes to SD-Access: I feel confident that the study material that you need is our course, because it really is the culmination of all of that troubleshooting and learning and
everything that went into that. Uh, one more thing I'll say about that is the longest nugget I've ever recorded for CBT Nuggets was closing in right around 17 minutes, and that's troubleshooting LAN automation, um, with DNA Center, because that's a very nuanced topic, and there are, like, quick start guides where you can just click this, this, this and it'll just work, and that's not the case. Um, there's a lot of stuff that has to be done up front correctly in order for LAN automation to work, and we walk through what those things are and how to troubleshoot it when it doesn't work.

So let's see: how many months are you giving yourself to prepare for the exam? So that's a good question. Um, I mean, in some ways I've been studying for over a year now, even though I haven't. Um, I started, you know, really digging deep into network automation, uh, June of last year when the DevNet courses were announced at Cisco Live, and all of that is applicable to the, um, CCIE. You can make the same arguments about, we recorded ENCORE and then the ENARSI course. At that point I wasn't going for my CCIE, but now it's all applicable to it. Uh, same thing with SD-Access. Um, that being said, you know, I had declared in May that I'm going for my CCIE officially, and when I look at it in May, like, I already had a lot of boxes checked because I had done recording for ENCORE and ENARSI and DevNet, um, and ENAUTO. And, uh, how much time do I have left? Well, so first of all, the lab centers are closed. They're going to be closed to the rest of the year. I've heard from people close to the source that they're not going to reopen the lab in the United States until Cisco employees return to work. Um, so even if Texas is fully open, uh, there's a good chance that Cisco won't be fully open and they still won't be, uh, you know, open. The other kicker, you guys, is that I have babies on the way. We're expecting kids and, um, they're due at the very beginning of the year next year, so when they come I won't be able to
take the exam, you know, for an extended period of time after that, because I'm going to be helping with the babies. So that's, you know, I am going to take it. I would love to take it right now, uh, just to have a crack at it. I might not pass, but I want to know what it's like, because nobody else knows what it's like right now, and I want to know where I'm weakest and where I can improve. If they had a remote option tomorrow, I would take it, guarantee it. Um, but, you know, when am I going to take it? If it doesn't open, you know, January 2, uh, then I, you know, I'm probably looking at a fall 2021 or even a winter 2021 attempt. Um, I like that too, because it gives me time to read more resources, get more practice in. One of the things I'm excited about reading is Nick Russo's CCIE Service Provider textbook, and I know you're like, wait, service provider, we're talking enterprise here. There's so much overlap between those two exams, like 60 to 70 percent overlap, I think, is relevant there. Um, and I think his textbook is something like 3,000 pages, so it gives me plenty of time to read it, especially, you know, during my sleep-exhausted days in the coming year. Um, so yeah, I would take it as soon as I could, but realistically, if they're not going to open anytime soon, it'll be late next year when I can take it. Um, let's see, yeah, that's definitely going to be my strategy there.

Um, so yeah, so BGP. Um, how do y'all feel about BGP? Uh, that's my question for y'all: are you more stressed about other topics on the exam than you are about BGP? Are you more stressed about BGP than the other routing protocols? Do you feel stronger in OSPF and EIGRP than you do in BGP, or vice versa? I am very eager to hear y'all's opinion about that too. Where does BGP fall on your scale of how stressed do you think I should be about BGP? Let's put it that way. Um, I am very eager to hear y'all's opinion on that. Yeah, that Nick Russo book is CCIE Service Provider. He wrote a
textbook on CCIE Service Provider. I think it's leanpub.com. You can always just tweet him, he'll tweet you and let you know, um, the name of that textbook.

BGP gives you more stress, yeah. I mean, yeah, which attribute to use and where, that's exactly it, right? Um, I mean, there's just so many things about BGP. You know, with EIGRP, OSPF and even spanning tree, because they're kind of dynamic in nature, they're kind of like controlled chaos. Um, you can kind of just trust that they're gonna work as long as you manipulate it the right way, whereas BGP, like, if you don't explicitly tell it to do exactly what it's supposed to do, it's not gonna figure it out on its own. And because BGP does so much stuff, I think that's why I'm a little more stressed about it.

SD-WAN in the design section, that's a good point too. I mean, SD-WAN, y'all, out of all the things that I've done, I'm like, I don't think SD-WAN is that simple. Um, I definitely think it's powerful, oh, for sure, I definitely see the value of SD-WAN, 110 percent, but simple? I don't know that I'd call it simple. Um, definitely takes some practice to get used to SD-WAN and how it's different, templates and policies, and just getting to know Viptela in general too. Spoiler alert for the SD-WAN content that's coming up in this CCIE practice exam, look at this. Uh, let's jump back to the CCIE Enterprise blueprint for a second. Nowhere in SD-WAN is it talking about standing up the controllers, so I didn't add anything about configuring the controllers within, that's vSmart, vBond and vManage, or the certificates there. Nowhere in there is there any actual, so there's design that's here, we've got design these things, we see vSmart, vManage, vBond, but there's nothing about configure vSmart, vManage and stand it up. So in our challenges here I didn't add anything about actually standing up the controllers, and vManage is not something that I could export a default configuration on. You see, under the hood it uses a hard
drive, and I can't export a hard drive. Uh, so, you know, it's kind of a bummer that I couldn't send you, like, a pre-built controller situation, but, um, for the SD-WAN challenge it will be on you, the learner, to stand up your controller environment before you can move on to the actual configuration items, which are WAN edge deployments. So when we're talking about WAN edges, and I know we're getting away from BGP at this point, but BGP is part of SD-WAN, you do have to know how to configure BGP in SD-WAN. Um, when it comes to deploying the WAN edges, there is zero-touch provisioning and plug-and-play. That's also not something that you can easily do in a lab environment. You can do it in a lab environment, you have to simulate DNS, because it has to find, what is it, ztp.viptela.com. So when your device plugs in, as long as it gets an IP address via DHCP and it can resolve global DNS, it's gonna find ztp.viptela.com and check in and say, hey, I'm here, this is my serial number, and ztp.viptela.com will say, like, talk to Cisco, Cisco will say your vBond is located here, and then it comes to life. That's kind of the gist of it. But understanding how to deploy it, with how OMP is going to behave, how TLOCs are going to be advertised, and then how to configure these things, like IP addresses, OSPF, BGP, with templates, and then altering your topology itself, the actual traffic flows itself, with localized and centralized policies, that's actually the section that I covered in our SD-WAN course. Uh, I was the policy guy. So QoS, I'm sure QoS is going to be on there, or I'm not sure, I don't know, I haven't taken the exam. I'm going to bet that QoS will be somehow on there, uh, and, um, maybe a topology change, like going through a service, um, that's going to be in, like, sending traffic through a firewall before it could sleep through a VPN, which is a VRF. Uh, yeah, SD-WAN, that's a big one.

Um, which CCIE am I studying for? Enterprise Infrastructure. How am I planning to run the SD-Access lab? So I have an SD-Access
lab, it's sitting about 15 feet in that direction. I have a DNA Center appliance, and then I virtualized ISE, a wireless LAN controller and, uh, Infoblox, so that's my IPAM. And if you haven't checked out our SD-Access course on CBT Nuggets, I cannot stress it enough, um, that is what you need. You need to watch that, because that will teach you how to deploy an SD-Access fabric from scratch. You've got your DNA Center appliance sitting in a brown box on the floor, what comes next? That's our course, and then includes the ISE configuration.

Cisco has said, okay, other things to say real quick before we move on from SD-WAN, I want to make sure I point this out. Cisco in a forum post somewhere has said that there will not be cEdge on the, at least this version of the exam right now. Um, but you do need to know how cEdges are deployed, because that's what's getting deployed in the real world. Uh, so for the exam environment, don't stress about cEdge until they explicitly say it. Um, otherwise, uh, know cEdges, especially for the ENSDWI course and for when you go out into the real world.

SD-Access: Cisco has said you don't need to know ISE. They said we're going to give you a pre-configured ISE environment. In the real world your SD-Access fabric will not work unless you configure ISE to actually handle the authentication, the scalable groups, and assigning them to the correct VLAN. That configuration is done in both DNA Center and ISE. So I can't stress this enough: you don't want to roll up to an employer and say, I know SD-Access, I can deploy because I took the CCIE, and then, you know, you get out there and you have to do all this stuff in ISE and you're like, I've never seen ISE before. That's why you need our course. You also need to know the nuances that go into deploying LAN automation in the real world, because that is a very real thing. Uh, so yeah, that's why. Um, outside of that, if you don't have access to an SD-Access environment, the DevNet Sandbox or dCloud is a great way to get
hands-on. The dCloud has a great SD-Access environment for getting to know Assurance. So this section right here, they have an Assurance demo version where there's, like, hundreds of different users, uh, wireless and wired, and different network devices and stuff, and you can actually get hands-on on actually performing troubleshooting and monitoring and automation items, and you can click around and poke through things like the policies in the fabric, but you can't do much. Same thing with the DevNet Sandbox, but it's better than nothing. So if you just need to get familiar with clicking on things: where do I click on things to create a new hierarchy in my topology, where do I create a new address pool, where do I create a new micro-segmentation policy, what's the difference between micro-segmentation and macro-segmentation? You got to know those things.

Let's see what else here. All right: how can we learn network automation along with networking stuff? Um, it goes back to CBT Nuggets again. Uh, we've got a lot of content for the DevNet Associate, ENAUTO, and our core course is probably around 33 percent done right now. That being said, let's talk about that. I like this question. There are a lot of stuff on the CCIE exam that occurs nowhere else on any other exams. What are those things? Pretty much 5.2 and 5.3. Um, you see this right here, you need to know Linux, you need to know CLI Python module. What is the CLI Python module? Give me one, hang on, we're going to do this, we're gonna have some fun here. The CLI Python module, actually, you know, there's a better way to do this. Um, the CLI Python module is, uh, running on our IOS XE devices. So if we have an IOS XE device like this CSR 1000v that's located right here, this is running IOS XE 17.01.01, I think, they have Python on them and they have Linux on them. So what you can do is you can go into Python, you can create a Python script using vi, and we can call it my script, yep, kind of doing this, myscript.py, and then we can say things like, I can't
remember exactly what it is off the top of my head i think it's import cli or from cli import cli but just like any other import statement in python you can import cli and this in your python script allows you to run cli commands like show ip interface brief so if we save this in a variable called brief we can then say print brief and that will run these cli commands on our devices take it a step further the eem python module when we have an eem applet something occurs some sort of event that triggers our eem applet we can tell it run my python script that i just created so that way you know if somebody shuts down a loopback address we can find out who that user is and what interface do they shut down and then run a python script that may send that data to slack we can get a slack alert somebody shut down the loopback address or something like basically the world is your oyster when it comes to python python is on ios xe and you can run cli commands or import requests or any other python library by using this particular guest shell experience the guest shell experience uh is tricky to deploy and that is what our lab task is when it comes to that point the very last nugget that we're going to release on october 21st is setting up the guest shell and creating eem applets that run scripts that we create now beyond that i do have a challenge in there about using uh restconf and netconf they're very basic because we've covered that so extensively on our cbt nuggets content i didn't want to go too deep into netconf and restconf because if you've watched your content you've seen that a million times and you know how to work it but this one right here this is also new in the enauto course they talk about model driven telemetry but i'm pretty sure this is using netconf this particular statement is using an on-change subscription using grpc so our automation task in the ccie practice exam here is when the cdp neighbors change that's an on-change moment so it's not just send me 
this data no matter what every five minutes this is saying only when this data changes fire off a notification using the grpc protocol where does this really come into play this usually comes into play when we're streaming data to an elk stack which is elasticsearch logstash and kibana or a tig stack which is uh what is i don't remember i don't remember i want to say telegraf or something influxdb and then grafana um these devices are all about ingesting cisco notifications and data and turning them into a pretty dashboard that you can digest so that's what this is all about this automation here is when something changes in our environment like cdp neighbors or interface status or something send that data outbound using the grpc protocol and that's really going to be destined for something like the tig or the elk stack so that way when we've got a gigantic noc monitor uh we can see ah cdp neighbors has changed what's really going on so um yeah so the these things are brand new like 5.2 and a lot of stuff in 5.3 and um they don't exist in any other exams that's why i made sure to include it on our lab tasks and record it so that way you know in the coming weeks or so you will be able to see and learn how to do these specific things so thank you for that question and hang tight a lot of other stuff is going on here let me see um let's see ah yes you can that's a great way to put print cli show ip interface brief if that's what you want to do you can do it that way um and i was just saying like let's just hold it in a variable so we could do stuff to it later but you don't have to you know there the telegraf thank you it was telegraf thank you for that i just you know it's mental stamina right it's a thing um let's see what else do we have here um i know this is this is a huge exam and one of the things i may be telling myself and i may be lying to myself about it is there's three hours of design and five hours of deploy operate and optimize is it possible to 
have all of this stuff in i mean if realistically if you were really good at deploying an sd access fabric including the time for like automation to occur and stuff i still can't see that happening any quicker than like 45 minutes to an hour so if you've only got five hours to deploy operate and optimize and that will leave you with four hours to do all of this other stuff i don't know like i'm just wondering what are they cutting out um that doesn't mean you can cut corners that doesn't mean you know you don't need to know this you do you need to know it um yeah the dmvpn phase three stuff i think look at this right here this is two more interesting i know we're straying way off the path of bgp at this point but the questions are going away from bgp so you know let's just talk about this um keywords troubleshoot and identify use cases uh so there's no config here no config from scratch i think that's probably a good thing because they do explicitly call out ipsec and ikev2 using pre-shared keys um so i would fully expect that to mean you need to know how to configure them anyways luckily if you know hopefully they're not changing the actual ikev2 policies are just using the default policies when i recorded dmvpn uh for this practice exam thing i just did it let's just configure it from scratch because if you can configure it from scratch and you know your show commands chances are you can troubleshoot it um so that's that's what we're going to do uh not this upcoming week but the following week i think it's the monday not this upcoming monday but the following monday that comes out the next thing identify use cases for flexvpn that's design folks does flexvpn is covered extensively in the security track of things it's uh talked about in scor and i literally just peer reviewed keith barker's flexvpn content for the scor exam yesterday so i feel a lot better about that stuff now and what its use cases are i do need to dig into mpls over flexvpn that's 
something that i'll look into but i'm not terribly worried about it but yeah uh know that we have content at cbt nuggets coming on flexvpn and you can understand the use cases for it uh in the scor exam let's see what else can we run sda on eve-ng without dna centers so i love that question let me show you what i did so i have a dna center environment with sd access so if i fire up my border nodes here and my edge nodes let's fire them up and watch them come to life so uh yes and no mostly no because remember sd access really relies on dna center but it relies on ise more the policies that come into play here cisco trustsec is a key protocol that makes sd access work that way we know which virtual networks that our clients belong in and then we know if our clients can talk to other clients within the virtual network before a packet comes into the edge devices it needs to be able to know and identify how our users got authenticated and what vlans they exist in and what their policies are so without ise and dna center in eve-ng you can't truly run an sd access fabric but i that that's one thing i want to make sure that everybody's aware of is that it's not just dna center that makes an sd access fabric work ise is actually i mean arguably equally if not more important to an sd access fabric than dna center dna center is really the automation and orchestration part of it but the the ongoing operations of a fabric really rely heavily on ise so let's bring up like let's say border one here if all has gone well and i do show ip interface brief see this is what i did here i actually copied the running configs out of my sd access fabric and then i remove some of the things that i knew were going to blow it up so i removed the cisco trustsec configuration i removed a lot of the policies and i removed the certificate chains because there's a ton of certificates that go back and forth from the running config but if you see here we can do show run and you can see that that's a lot 
right there's a lot of configs that go on here and at this point this is basically working this is the core routing functionality of an sd access fabric that i've made in this environment here so if you've if you've watched our content on on deploying an sd access fabric on cbt nuggets you'll understand the differences between the loopback interfaces the lisp interfaces uh and the vlan interfaces how one is the anycast gateway how others are the point-to-point connectivities and how bgp operates here you can see things like we've got the lisp configuration here and we can see that the lisp configuration is specifying uh the tables the rlocs uh the vxlan configuration even though vxlan doesn't work in a virtualized environment you get the idea like this is like the the core functions of an sd access fabric are all here and if i give it show ip route you can see it's got the lisp level one uh routing configuration shared here and then uh you know a little spoiler here's the bgp configuration uh the bgp configuration is the real challenge in my opinion um if you watch our content on cbt nuggets you'll probably be doing fine until it comes time actually i need to change my my color on my pen one second because this is pink okay you'll find that the challenge when it comes to deploying an sd access fabric happens right here you see these four devices border one border two edge one and edge two this is the sd access fabric these things over here are not the sd access fabric so how do devices or people or the people that are over here connected into the fabric how do they get out of the fabric maybe to the internet or maybe to a dns server or a dhcp server or a firewall or anything like that that's the challenge i think when it comes to sd access and that's where you really do have to have expert level skills this is going to be a bgp handoff and then we have to perform the correct amount of route leaking depending on the border node roles that's why like this is a 
really advanced and challenging topic and i think the challenge here is centered all around understanding the sd access design one of these is an internal border one of these is a default border so how routes get leaked on the fusion router is very important depending on what kind of border node they're connecting to so if if that's new to you if this is challenging or new uh you're in for quite the learning experience when uh the a little practice exam video goes live on that but i can't i cannot stress this enough if you're worried about sd access on the ccie exam you need to get hands on even for free even if you can't change the config you need to get hands-on with the devnet sandbox or dcloud and you got to watch the content on cbt nuggets because we really did sift through a lot of stuff in order to show you exactly how to deploy that fabric what else we got here i like okay that's a good question here is multi-fabric part of the sd access in the blueprint it doesn't does it specify that i don't think it specifies it but it could be a good design question um no it's right there multi-site using sd-wan transit uh oop lost my pen there we go yeah so there's single site and multi-site so we could have a fabric here and a fabric here and then we have to use sd-wan to transit between these how does uh our scalable group tags make it over this tunnel that's going to be an important design consideration that you're going to have to it's i don't think it's very challenging they have when you deploy sd access you do have transit fabrics that you deploy as part of it and that's actually very important for how you configure the border node handoff in the first place you can deploy a basic ip transit network or you can deploy an sd access transit network so handing that off via sd-wan making sure your scalable group tags if that's the kind of fabric you're trying to deploy that's called a multi-campus fabric distributed fabric that's what it's called a distributed 
campus where you have the same vlans and same virtual networks separated maybe geographically um and that's that's what you would need to look into is how to deploy a distributed campus good question um [Music] i drew you beer listens to you but i'm only cc name starting to play an encore in six months why because i'm interested thank you do more thank you for that um and and cheers to to you who is drinking a beer and watching me rant and rave about um this it's past one o'clock um so i do have to wrap it up here in the next couple minutes uh we'll try and wind this down in the next four or five minutes i i'm gonna go a little over cause man that's so embarrassing about that that audio problem at the very beginning um what other questions do y'all have for me are you going to provide a unl file for sd-wan for cbt when it's released the the answer to that right now is no but there is an ongoing discussion about how we could um great question uh but as for right now the answer is no but the idea has been punted around um we are using eve-ng in the ensdwi course and we have an entire skill dedicated to helping you set up an sd-wan environment in eve-ng so we walk you through the steps on you click on this you go here you type this in in order to get your sd-wan environment up and running in eve-ng so that's a great question while we might not provide the topology we still can help you set it up and we have content specifically for building an sd-wan lab coming as part of that course has software-defined networking data center routing technology enterprise okay so software-defined networking technologies are absolutely in this data center no um there's not going to be any aci or ucs uh no ucs director in in the enterprise infrastructure one you know it's it's an interesting question because um when you're learning about sd access uh there's absolutely a data center on a large campus right so people in our sd access fabric may need to communicate to a data center 
and in that data center they may be running aci so it's not uncommon for today's network engineer to need to know both but that is of course reserved for very large enterprises i myself have not been in an environment like that where i needed to know um aci as well as something else so interesting question are you going to record a ccnp design course we kicked it off this week uh so we are actually we had a sign up sheet this week we're going to be kicking off on monday so yes um we're finishing up scor and devcor right now then we're going into the ensld exam the design course next so uh might not be out this year that would be a little bit of a time crunch but it is coming um going further to sd access cbt nuggets thank you cool thank you for checking us out on cbt nuggets for the sd access course uh i i can promise you're going to like it it's a big one it's a um screen is not moving that's because i'm right here and i hit the wrong button i see what's happening here sorry about that um here we go uh so yeah um crazy day uh crazy crazy day any other good questions that we got here i i really appreciate y'all i really appreciate the community and being able to chat with y'all um and learn about what you've got going on um your stress is because look i'm i'm in the same i'm in the trenches with you right i'm trying to pass this thing and learn for myself um what else what else do i want to talk about now we're going to be doing this every friday in october starting at noon uh promise there will be no technology problems next time as long as i hit the right buttons uh live streams really do have me beat in a lot of ways [Laughter] there's some good stuff here um two more things i want to point out about automation the vmanage api and the dna center api um cover those extensively in our sd-wan course and our sd access course that will have what you need in order to get going with those things cool thing about dna center is the api documentation is on the dna 
center appliance itself so you can browse and like just grab what you need straight out of the dna center documentation let's see do i prefer eve-ng or gns3 eve-ng and it's not even close but eve-ng pro that's that's the appropriate uh one to say there um eve-ng pro provides the docker containers um so one of my favorite things if i start this switch up right here uh you see this little wireshark container here all i have to do now i can um you know click on this device and launch it let me bring it over here bring it onto the screen i'll click ok and ethernet that's what i'm scanning and you can see it launches a little wireshark container for me right here even cooler i can right click on the device choose capture and choose which interface i want to capture on does the exact same thing got to reconnect and there we go see now i've got a wireshark capture running on that exact interface this is what eve-ng pro brings to the table is the fact that it has wireshark the gui server if you haven't seen the gui server this is another big one for me this is a little container that comes with eve-ng pro i'll launch it real quick click ok maybe expand it out a little bit there it is see i've got a little gui server here it comes with firefox it's running nginx on it so it's running a little web server on it and now i have the and it's got a little tftp server now i have the ability to test all sorts of protocols uh with a little lightweight little gui server that comes built into eve-ng pro you know eve-ng pro has the lab tasks and the lab details and things like that so that way you know when i i have these laptops like the internet network one that we were challenged on that's a big deal for me that's worth the money um when it comes to eve-ng just passed enarsi yesterday congratulations that's a huge thing um should i start preparing for ccie enterprise if you want to um it you know there's only a handful of ccies in the world what like two or three thousand people a year 
pass in the world that's it uh it's gonna be some great job security for you but it's a mountain it's a huge mountain to climb um and it's it takes you know a pretty tough mentality to get there it's gonna take you six plus months um for most people uh and it's just grueling studying and a tremendous amount of content to learn make you a better network engineer it'll make you a lot more valuable but you know don't hurt yourself trying to do it either can you prepare for the ccie with only virtualization most people do um most people do prepare for the ccie with only virtualization your challenge of course is going to be sd access uh because you can't virtualize that i say that um you can virtualize dna center uh there are people out there who have done it there's actually youtube content on it i've seen it where somebody you know got an iso of dna center and got it up and running in esxi it takes a gigantic server to do that um but uh yeah for the most part you're gonna have a hard time uh when it comes to sd access literally everything else though you can do right here in eve-ng um including the automation including sd-wan uh and all of the routing protocols so um most of it yes any eve-ng discount coupon i you know i don't know um i'm not affiliated with eve-ng at least not yet um and uh i don't i don't have any like partnership coupons or anything like that you can always reach out to them just tweet them see what they say um you know they're they're super helpful people uh in helping people get stood up with eve-ng pro um so that's that's another good question uh i don't have anything there in that regard what specs of my server am i running for this topology um my virtual machine has 24 vcpus and 48 gigs of ram um with all of these devices turned on uh it only sits like six percent cpu usage and like 47 ram usage so it's wildly over provisioned um my virtual machine is wildly over provisioned for this lab uh beyond that you don't have to turn everything on you 
can like you can see right here i've only got a handful of these devices turned on for what i needed for like the internet network can challenge or the mpls network challenge uh and these are using the iol images which are tiny tiny tiny lightweight images that barely use any resources so yeah it's like small computers could still run portions of this lab so that's what i would say there uh never ready for the exam one hand learning the technology second is passing a cert yeah i get what you mean um you know it's it's easy to learn and lab and feel comfortable and then you get into an exam environment and they hit you with something hard boson practice exams have been one of the most critical reasons that i pass a practice exam or a real exam because they get me in the mindset of what kinds of questions can be asked and how to think through them ccie is going to be totally different and that's why i just want to take the exam i just want to see what it's like because without like without any sort of practice exams out there on this new content uh you know what what do you have to go off of other than the exam itself so um sympathize with you there i would definitely dig into boson practice exams if you struggle in the exam environment what sources am i using for ccie cbt nuggets first of all i think that's you know kind of an obvious one um we've got all of the content somewhere on our site or at least the majority of the content somewhere on our site you know you'll look you'll see like our ccie content you're like this is kind of old but you know so is the book routing tcp it's like 15 or 20 years old and we all still read it right that's because some of these protocols don't change that much year in and year out um so i've used cbt nuggets first and foremost that's been a critical part of my learning um and then of course all of the new technologies we have or will be out very soon within the catalog like sd-wan um i used some stuff off of udemy i like jp cedino i 
think that's how you say his name um he is with extreme ie i think i i bought some of his routing courses uh and that helped a lot um i've used a little bit of ine's content they have a nice little exam walkthrough type thing it's like 20 hours long i blasted right through that um but for the most part it's been like really just me reading a ton of books that's been cbt nuggets and reading reading reading reading reading any book that i can get my hands on and then labbing in eve-ng as much as possible that's been my primary resources so that's it that's where i'm going to wrap up uh you know we've gone a little bit over and you know it's because i had the audio problems in the first 10 minutes i'm so sorry about that next week we're going to have that worked out i promise um thank you guys so much for spending some time with me and watching and chatting and talking about uh bgp and then of some other things next week we're going to talk about igps like ospf and eigrp then we're going to talk about vpns then software-defined networking which i know you all are excited about and then automation which i'm excited about so that's been what i've got to bring to the table we're all in this together let me know what i can do to help you let me know you know in the comments below let me know on twitter whatever the case you need just holler at me i'm here to help thank you all for stopping by we'll see you next week
Info
Channel: Data Knox
Views: 1,320
Keywords: ccie routing and switching, cisco ccie, cbt nuggets, cisco certification, ccie certification, ccie lab builder, ccie routing & switching, ccie routing and switching lab, ccie enterprise lab, ccie enterprise, ccie enterprise infrastructure, ccie enterprise infrastructure lab, ccie enterprise infrastructure training, ccie enterprise infrastructure lab exam, ccie enterprise wireless equipment list, ccie enterprise core encor 350-401, ccie bgp, ccie bgp tutorial
Id: 1Xtz7_0krJ8
Length: 60min 10sec (3610 seconds)
Published: Fri Oct 02 2020