
CCBOOTCAMP’s CCDE Written Study Guide version 1.0



Email: sales@ccbootcamp.com
Toll Free: (877) NLI-CCIE (654-2243)
International: +1 (702) 968-5100
Web sites: www.ccbootcamp.com, www.routerie.com, www.securityie.com, www.voiceie.com


Study Guide for the 2008 Cisco CCDE Written Exam V1.0

Author: David Clark
Contributing Author: Brad Ellis
Editor: Rachel Frayna

Copyright © 2008 Network Learning, Inc.

Published by:
Network Learning, Inc. (Cisco Learning Partner)
375 N Stephanie Building 21
Henderson, NV 89014 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America
First printing April 2008
ISBN:
UPC:

Warning and Disclaimer

This book is designed to provide information about the Cisco CCDE written exam. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an "as is" basis. The authors, editors, and Network Learning, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Network Learning, Inc.

Trademark Acknowledgements

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Network Learning, Inc. cannot attest to the accuracy of this


information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information

At Network Learning, Inc., our goal is to create advanced technical material of the highest quality and value. Each book is authored with attention to detail, undergoing strenuous development that involves input from a variety of technical experts.

Readers' feedback is a natural part of this process. If you have any comments regarding how we could improve the quality of our materials, or otherwise change them to better suit your needs, you can contact us through e-mail at sales@ccbootcamp.com. Please make sure to include the book title and ISBN number in your message. Also, feel free to visit our website, www.ccbootcamp.com, for information on many more great products!

Thank you for your input.


About the contributors:

Author – David Clark

David Clark is a full-time instructor, author, and consulting engineer for CCBOOTCAMP. David has over ten years of networking experience working as an architect and implementer. Currently, he is focusing his efforts on developing quality training material for security courses, as well as professional services for security and networking technologies. David currently maintains the following designations: CCIE #14742 (Routing and Switching), CCSP, Cisco Firewall Specialist, Cisco IPS Specialist, CCNP and CCNA. David is actively pursuing a Security CCIE through CCBOOTCAMP.

Contributing Author – Brad Ellis

Brad Ellis (CCIE #5796, CCSI #30482, CSS1, CCDP, CCNP, MCNE, MCSE) works as a network engineer and is CEO of Network Learning, Inc. He has been dedicated to the networking industry for over 12 years. Brad has worked on large-scale security assessments and infrastructure projects. He is currently focusing his efforts in the security and voice fields. Brad is a dual CCIE (R&S / Security) #5796.


Table of Contents in Brief:

Chapter 1 IP Routing
Chapter 2 Tunneling
Chapter 3 QOS
Chapter 4 Security
Chapter 5 Management


Table of Contents

Chapter 1 IP Routing
• Route Aggregation
• Purpose of Route Aggregation
• Scalability and Fault Isolation
• How to Aggregate
• Network Topology Abstraction and Layering
• Layers and Their Purpose
• Core, Aggregation, Distribution and Access
• Fast Convergence Techniques and Mechanisms
• Bidirectional Forwarding Detection
• BFD Detection of Failures
• BFD Support for Static Routing
• Routing Protocol Operation
• Open Shortest Path First (OSPF)
• Other OSPF Features
• OSPF Traffic Types
• OSPF Metrics
• Passive OSPF Interface
• OSPF Multicast Addresses
• Default Routes
• OSPF Timers
• Init
• OSPF Flooding Reduction
• OSPF Fast Hello Packets
• EIGRP
• Types of EIGRP Successors
• Feasibility Condition
• Attributes of EIGRP
• EIGRP Tables
• Choosing Routes
• Init Flag
• EIGRP Stub Routing
• Simple Hub and Spoke Network
• Route Summary
• Auto-Summarization
• Process ID for an Autonomous System
• Show IP Route EIGRP
• Show IP EIGRP Topology
• Show IP EIGRP Neighbor
• ISIS
• CLNS
• NSAP Addresses
• ISIS Adjacencies
• Route Leaking
• IS-IS Network Types
• IP Addressing
• Border Gateway Protocol (BGP)
• Situations That May Require BGP
• Interior Border Gateway Protocol (IBGP)
• Exterior Border Gateway Protocol (EBGP)
• BGP Attributes
• Weight Attribute
• Local Preference Attribute
• Multi-Exit Discriminator Attribute
• Origin Attribute
• AS_path Attribute
• Next-Hop Attribute
• Community Attribute
• Cluster-List
• Originator ID
• BGP Neighbor Connectivity
• Synchronization/Full Mesh
• Next-Hop-Self Command
• Private AS Numbers
• BGP Path Selection
• Scalability Problems with Internal BGP (IBGP)
• Peer Groups
• Confederations
• Route Reflectors
• Route Summary
• BGP Clusters
• BGP Fast Peering Deactivation
• Route Filtering and Route Hiding
• Designing Route Distribution
• Generic Routing and Addressing Concepts
• Policy-Based Routing
• Policy-Based Routing Benefits
• Data Forwarding Using Policy-Based Routing
• Tagging Network Traffic
• Applying Policy-Based Routing
• Policy Route Maps
• Match Clauses Define the Criteria
• Set Clauses Define the Route
• Source-Sensitive and Equal-Access Routing
• IPv6 Basics
• Unchanged Characteristics of Addressing in IPv6
• Zero Compression in IPv6 Addresses
• IPv6 Mixed Notation
• IPv6 Address Prefix Length Representation
• IPv6 Address Types
• Aggregatable Global Addresses
• Site-Local Addresses (Also Known as Unique)
• Link-Local Addresses
• IPv6 Multicast Addresses
• IPv6 Multicast Address Format
• IPv6 Anycast Addresses
• IPv6 Neighbor Discovery Protocol
• Host-Router Discovery Functions
• Host-Host Communication Functions
• Redirect Function
• IPv6 ND Functions Compared to Equivalent IPv4 Functions
• Host-Router Discovery Functions Performed by Routers
• Host-Router Discovery Functions Performed by Hosts
• Next-Hop Determination
• Address Resolution
• Duplicate Address Detection
• IPv6 Tunneling
• IPv6 Manually Configured Tunnels
• IPv6 over IPv4 GRE Tunnels
• Automatic 6to4 Tunnels
• Automatic IPv4-Compatible IPv6 Tunnels
• The Intra-Site Automatic Tunnel Addressing Protocol (ISATAP Tunnels)
• OSPFv3 vs. OSPFv2
• LSA Types for IPv6
• NBMA in OSPF for IPv6
• Importing Addresses into OSPF for IPv6
• Multicast Listener Discovery Protocol for IPv6
• Multicast Routing Concepts
• Multicast Concepts
• Benefits of IP Multicast
• Multicast
• IGMP and CGMP
• Multicast Protocols
• Designated Querier
• IGMP Versions 1, 2, and 3
• Multicast Forwarding and Distribution Trees
• Rendezvous Points (Auto-RP, BSR)
• Recommended Rendezvous Point Placement
• Group-RP Mapping Mechanism
• Comments on Auto-RP
• Comments on Static RP
• Calculating a Multicast Address
• Protocol Independent Multicast (PIM)
• PIM Commands
• Reverse Path Forwarding (RPF)
• PIM and Distance Vector Multicast Routing Protocol (DVMRP)
• PIM-SM Mechanics (Joining, Pruning PIM State, Mroute Table)
• PIM-DM
• Bidirectional PIM (bidir-PIM)
• Designated Forwarder (DF) Election
• Bidirectional Group Tree Building
• Packet Forwarding
• Memory, Bandwidth, and CPU Requirements
• Debugging bidir-PIM Is Easier than PIM-SM
• RP Tree Delivery for All Packets
• Bidir-PIM Partial Upgrades Not Allowed
• Bidir-PIM Network Redundancy Not Supported
• Bidir-PIM Nonbroadcast Multiaccess Mode Not Supported
• Bidir-PIM Traffic Forwarding Restrictions
• Secure Multicast Group Member
• Chapter 1 Questions

Chapter 2 Tunneling
• Tunneling Technologies
• VPN Models
• Point to Point Tunneling Protocol
• Configuration Summary
• PPTP Configuration Sample
• Basic PAC Setup
• Layer 2 Tunneling Protocol
• L2TP Benefits
• IPSEC and GRE
• VPN Security Protocols – IPSEC
• IPSec Terminology
• IPSec Functionality
• IPSec Modes and Packet Encapsulation
• VPN Security Protocols – Internet Key Exchange (IKE)
• Creating IKE Policies
• Diffie Hellman
• IPSEC and Fragmentation
• IPSEC and GRE
• IPSEC and QoS
• DMVPN
• Network Designs
• DMVPN Phase 3
• DMVPN Components
• DMVPN Functions
• DMVPN Design Considerations
• Single DMVPN Cloud Topology
• Dual DMVPN Hub-and-Spoke
• Point to Point Tunneling Protocol
• Configuration Summary
• PPTP
• Peer-to-Peer VPN Technologies
• MPLS VPNs
• Tunneling and Traffic Engineering
• TE within MPLS
• Constraint Based Routing Algorithm
• Traffic Engineering Processes
• RSVP
• Forwarding Traffic to a Tunnel
• IS-IS Extensions for MPLS TE
• MPLS Traffic Engineering (TE)—Fast Reroute (FRR) Link and Node Protection
• Link Protection
• Node Protection
• VPLS
• Scaling VPLS
• Chapter 2: Questions
• Chapter 2 Answers

Chapter 3 QOS
• QOS and BPR
• Measuring Jitter, Delay and Packet Loss
• Traffic Conditioning
• QoS Overview
• Five Benefits for Implementing QoS in the Enterprise Networks
• How a Converged Network Behaves Without QoS
• QoS Framework
• Call Admission Control Functionality
• Integrated Services vs. Differentiated Services
• Configure QoS Policy Using Modular QoS CLI
• Classification and Marking
• Purposes of Classification and Marking
• Difference Between Classification and Marking
• Class of Service, IP Precedence and DiffServ Code Points
• Network Based Application Recognition (NBAR)
• Classify and Mark Traffic
• Congestion Management
• Identify and Differentiate Between IOS Queuing Techniques
• Apply Each Queuing Technique to the Appropriate Application
• IP RTP Priority and Low Latency Queuing (LLQ) Differences
• Configure WFQ, CBWFQ, and LLQ
• Congestion Avoidance
• Explain How TCP Responds to Congestion
• Explain Tail Drop and Global Synchronization
• Identify and Differentiate Between: RED, WRED, FRED
• Configure IOS Congestion Avoidance Features
• Link Efficiency Tools
• The Need for Link Efficiency Tools
• Real Time Protocol Header Compression (CRTP)
• Configure and Monitor Various LFI Methods and CRTP
• Policing and Shaping
• The Difference Between Policing and Shaping and How Each Relates to QoS
• When to Apply and How to Configure Policing Mechanisms
• Different Types of Traffic Shaping and How to Apply Them
• Configure the Different Types of Traffic Shaping
• First-In, First-Out (FIFO)
• Weighted Fair Queuing (WFQ)
• Class-Based Weighted Fair Queuing
• Packet over SONET/SDH (PoS) and IP Precedence
• IP Precedence
• Random Early Detection (RED)
• Weighted Random Early Detection (WRED)
• Weighted Round-Robin (WRR)/Queue Scheduling
• Class of Service (CoS)
• Shaping vs. Policing
• Traffic Shaping
• Committed Access Rate (CAR)
• Network-Based Application Recognition (NBAR)
• Configuring NBAR
• Differentiated Services Code Point (DSCP)
• Resource Reservation Protocol (RSVP)
• Load Balancing
• 802.1x and QoS Syntax
• Custom Queuing (CQ)
• Why Use CQ?
• Restrictions
• Configuring a Traffic Policy
• Attaching a Traffic Policy to an Interface
• Configuring a Traffic Class with NBAR Example
• ToS Byte
• DiffServ Field
• Differences Between Traffic-Shaping Mechanisms
• CQ and Extended Burst Capability
• Committed Access Rate (CAR) Definition
• Analysis
• Connecting from Spoke to Spoke
• Chapter 3 Questions

Chapter 4 Security
• Security
• Availability as a Design Process
• Paul Baran Model
• Centralized
• Decentralized
• Distributed
• Compartmentalization
• Network Virtualization
• Access Control
• Path Isolation
• Services Edge
• Access Control
• Path Isolation
• OOB Access
• Network Security Design and Address Identity
• Logging
• Authentication, Authorization and Accounting
• AAA Overview
• Overview: AAA Security Services
• AAA Terminology
• Benefits of Using AAA
• AAA Configuration Process – Overview
• AAA Request for Comments (RFCs)
• Remote Authentication Dial-In User Service (RADIUS)
• Introduction
• Background Information
• Authentication and Authorization
• Accounting
• RADIUS Packet Format
• RADIUS Packet Types
• RADIUS Files
• RADIUS Attributes
• RADIUS Configuration Task List
• AAA and RADIUS IOS Configuration
• Named Method Lists for Authorization
• Terminal Access Controller Access Control System Plus (TACACS+)
• Introduction
• TACACS+ Packet Format
• TACACS+ Encryption
• TACACS+ Authentication
• TACACS+ Authentication Example Sequence
• TACACS+ Authorization
• TACACS+ Accounting
• RADIUS and TACACS+ Compared


The CCDE assesses advanced network infrastructure design principles and fundamentals for large networks.

A CCDE can demonstrate an ability to develop solutions which address planning, design, integration, optimization, operations, security and ongoing support, focused at the infrastructure level, for customer networks.

This guide is intended to aid candidates studying for the qualification exam. The qualification exam is a two-hour, multiple-choice test with 100 questions covering IP Routing, Tunneling, QOS, Security and Management.

There are no prerequisites for the CCDE qualification; however, it is recommended that candidates already have an extensive amount of knowledge and be certified as a CCDP.

Good luck in your task.

David Clark, March 2008


Chapter 1: IP Routing

Route Aggregation

Purpose of Route Aggregation

Classless Inter-Domain Routing (CIDR) and Variable Length Subnet Masking (VLSM) are used to consolidate addresses that share identical high-order bits, in order to reduce the size of the routing table.

What is the difference between CIDR and VLSM? The simple answer is that CIDR tends to be associated with exterior protocols like BGP, while VLSM is used with interior protocols like OSPF. In practice, you will often find the two terms used interchangeably.

Here are some clues as to how the two terms are commonly used:

• CIDR is often called supernetting and refers to route aggregation using "supernet" prefixes to reduce the number of entries in the global routing table. In most cases this is associated with BGP.
• VLSM is usually mentioned in connection with route summarization and "subnetting a subnet" to create more subnet prefixes. In most cases this is associated with OSPF and other Interior Gateway Protocols (IGPs).

Both techniques reduce the size of routing tables by creating aggregate routes, removing the significance of the classful network boundaries and advertising each IP prefix together with its prefix length. Remember that CIDR is primarily used by BGP.

Scalability and Fault Isolation

Summarization reduces routing overhead and improves the stability and scalability of routing. Using summarization to reduce the size of the routing table helps keep topology changes within a specific area. Network stability is enhanced because a smaller


3 Chapter 1: IP Routing

• Interface s0 - 172.108.168.0/24
• Interface s1 - 172.108.169.0/24
• Interface s2 - 172.108.170.0/24
• Interface s3 - 172.108.171.0/24
• Interface s4 - 172.108.172.0/24
• Interface s5 - 172.108.173.0/24

The entire range of subnets could be summarized as 172.108.168.0/21, and an upstream neighbor would only have to maintain a single route in its table. Note that the /21 also covers 172.108.174.0/24 and 172.108.175.0/24, which are not assigned to any interface here: a summary should only be advertised when all of the space it covers is under your control, because the upstream neighbor will send traffic for the whole block to you.

Let's take one more example, but this time review the actual bits involved:

a. 172.16.25.0/24
b. 172.16.26.0/24
c. 172.16.27.0/24
d. 172.16.28.0/24
e. 172.16.29.0/24
f. 172.16.30.0/24

First let's translate the decimal values of the network addresses to binary:

g. 10101100.00010000.00011001.00000000
h. 10101100.00010000.00011010.00000000
i. 10101100.00010000.00011011.00000000
j. 10101100.00010000.00011100.00000000
k. 10101100.00010000.00011101.00000000
l. 10101100.00010000.00011110.00000000

Now let's compare them and find the last (least significant) bit position at which all of the addresses are still identical:

m. 10101100.00010000.00011 001.00000000
n. 10101100.00010000.00011 010.00000000
o. 10101100.00010000.00011 011.00000000
p. 10101100.00010000.00011 100.00000000
q. 10101100.00010000.00011 101.00000000


r. 10101100.00010000.00011 110.00000000

The first 21 bits are common to all six addresses, so you have just discovered the summary address and prefix length: 172.16.24.0/21.

Some important reasons to take advantage of summarization:

• The larger the routing table, the more memory is required, because every entry consumes some of the available memory.
• The routing decision process may take longer to complete as the number of entries in the table increases.
• An added benefit of reducing the IP routing table size is that it requires less bandwidth and time to advertise the network to remote locations, thereby improving network performance.

For large networks, the reduction in route propagation and routing information overhead can be significant. Route summarization is of minor concern in production networks until their size becomes considerable. However, if summarization has not been taken into account during the initial design phase, it is very difficult to implement later.

Some routing protocols, such as EIGRP, can summarize automatically (EIGRP auto-summarization, where enabled, summarizes at classful network boundaries). Other routing protocols, such as OSPF, require manual configuration to support route summarization.

A routing protocol can summarize on an arbitrary bit boundary only if it supports variable-length subnet masks (VLSMs).

Remember that when redistributing routes from a routing protocol that supports VLSM (such as EIGRP or OSPF) into a routing protocol that does not (such as RIPv1 or IGRP), you may lose some routing information, because the classful protocol cannot carry the prefix length.

When a router learns a destination through multiple protocols, the longest (most specific) prefix match is always preferred; administrative distance only decides between routes to exactly the same prefix.

Some important requirements exist for summarization:

• Multiple IP addresses must share the same high-order bits. Since the summarization takes place on the low-order bits, the high-order bits must have commonality.


• Routing tables and protocols must use classless addressing to make their routing decisions; in other words, they are not restricted by the Class A, B and C designations to indicate the boundaries for networks.
• Routing protocols must carry the prefix length (subnet mask) with the IP address.

Network Topology Abstraction and Layering

Layers and Their Purpose

The hierarchical network model breaks networks down into different modules, making it easier to design and build a scalable network.

Using a hierarchical design facilitates making changes. Modularity in network design allows you to create design elements that can be reused as the network grows. As each element in the network design requires modification, the cost and complexity of making the upgrade is constrained to a small subset of the overall network.

In large flat or meshed network architectures, changes tend to impact a large number of systems. Modular structuring of the network into smaller, easily defined sections also improves fault isolation. Network managers can easily understand the transition points between the network layers, which helps to identify points of failure.

Core, Aggregation, Distribution and Access


The hierarchical model divides networks into three logical groupings:

1. Access Layer
2. Distribution Layer
3. Core Layer (sometimes referred to as the backbone)

Access Layer: The access layer is the entry point into the network for end devices. It consists of user workstations, IP phones and servers; these devices allow workgroups and users to access the services provided by the Distribution and Core layers. Access layer devices must provide this connectivity without compromising network integrity, which means authenticating what attaches to a port and limiting what an attached device can do.

The key functions of the access layer can be summarized as:

• Controls and authenticates local end user access to network resources.
• Sometimes called the desktop layer.
• Classifies traffic.


• Supports multicast and voice traffic.

Distribution Layer: Distribution layer devices control access to the core and enforce QOS and security policies. The key functions of the Distribution layer can be summarized as:

• Determines the fastest path to the core.
• Enforcement of security and network policies such as address translation and firewalling.
• Redistribution between routing protocols, including static routing.
• Routing between VLANs.
• IP routing functions such as redistribution, summarization and default gateways.
• Definition of broadcast and multicast domains.
• Implementation of QOS and security policies.

The distribution layer uses a combination of Layer 2 and multilayer switching to segment and isolate network problems. This segmentation prevents problems from spreading from the distribution layer into the core.

Core Layer: The core is sometimes referred to as the backbone and is the centre point for the other layers in the Cisco Enterprise Campus model. Devices in the core provide rapid connectivity within the network. Core layer devices are required to be fault tolerant in order to provide maximum availability and reliability. Typically the core is concerned with moving large amounts of data as quickly as possible; policy enforcement such as ACLs, NAT and traffic classification is kept out of the core and done at the distribution layer, so that the core is neither slowed down nor becomes the place where a policy mistake affects every path.

The Core, Distribution and Access layers do not have to exist as separate physical devices. The layers are defined as a guide to network design and they represent functions that should be present in the network. Each layer can be implemented in distinct routers or switches, represented by a physical medium, combined into a single device, or omitted altogether. How the layers are implemented depends entirely on what the design is trying to achieve. However, for an optimal design, the three layers should be functionally present.
