On June 9th – 2019, Cisco made an announcement of deleting and replacing ALL their CCNP Level “Exams”.
saying exams instead of certificates, as the labels of most the Certificates remained the same
(except for CCNP RS, who got replaced with CCNP – Enterprise).
The new Exams as they are linked to the CCNP badges, came with a new criteria of becoming “Certified”.
now you will need to pass ONLY 2 exams and you will get granted the CCNP Badge, rather than needing a minimum of 3-4 exams in the previous system.
The new system requires 2 isolated parts to fulfill, before you become certified:
1- A Technology Core Exam, which plays a role in engaging you in 2 paths of certs. (The CCNP & The CCIE).
– and that will be:
– Enterprise, Security, Service Provider, Collaboration, Data Center, and the newly established DEVNET & CyberOps
2- A Technology Concentration Exam, every domain of the 7 mentioned in Point “1”, has a 1-7 different technologies to concentrate on.
This will be kind of having a Master degree in engineering, you consider some general topics, and focus on some other.
Continue reading
GARP (Gratuitous ARP): Is an ARP message sent without request. Mainly used to notify other hosts in the network of a MAC address assignment change. When a host receives a GARP it either adds a new entry to the cache table or modifies an existing one. I will expand more about GARP in the next section, as it’s the one that concerns us most from a security point of view.
Gratuitous ARP
GARP messages
GARP Request: A regular ARP request that contains the source IP address as sender and target address, source MAC address as sender, and broadcast MAC address (ff:ff:ff:ff:ff:ff) as a target. There will be no reply to this request
GARP Reply: The source/destination IP addresses AND MAC addresses are set to the sender addresses. This message is sent to no request.
GARP Probe: When an interface goes up with a configured IP address, it sends a probe to make sure no other host is using the same IP; hence, preventing IP conflicts. A probe has the sender IP set to zeros (0.0.0.0), the target IP is the IP being probed, the sender MAC is the source MAC, and the target MAC address Continue reading
Many people have been searching these words on OrhanErgun.Net for some time.
Many people also have been asking me, how much they can earn monthly if they start their Network Engineering career or if they change the country, as an experienced Senior Network Engineer how much they can get.
Check these courses on CCNP Course and CCIE course content for becoming a better Network Engineer and definitely getting a higher salary as well.
I think the answer depends on many criterias. Since this post will be read by people all around the world, it is important to share some insights on the topic.
Before talking about dependencies, you should know some facts about the CCNA, CCNP, and CCIE certification. These are some of the most popular certifications which help you to get or change jobs. Of course, as of 2022, Cloud Computing and Network Automation jobs are getting very popular and there are some certifications for those technologies as well.
But I will use Cisco examples in this post.
Unlike CCDE, Cisco CCNP and Cisco CCIE Certification is known by the recruiters very Continue reading
I have been seeing this discussion on social media, especially Linkedin and Twitter for some time. In this post, I will be sharing my opinions on it and hope it can help the decision of some Network Engineers who follow our blog.
As of 2022, you may realize that many Evolving Technologies getting a lot of attention and I think, most of them deserve the attention.
These are SD-WAN, SDA, Cloud Computing, Network Automation and Programmability, SDN, IOT we can say. Of course, there are many other technologies if you are dealing with Security, Wireless, Service Provider, Datacenter or many other domains of IT.
But, as a certification, if we remember the subject of this post: Is CCIE still worth it in 2022?.
CCIE is not just a technology but as a certificate, deals with many technologies and products.
And, there are many different CCIE Tracks. CCIE Enterprise is the most popular one and I will give my examples by using CCIE Enterprise Infrastructure Exam as it is the by far most popular and most well-known by the Network Engineering community.
CCIE Enterprise Infrastructure exam doesn’t only cover Continue reading
Which CCIE is most demanded in 2022?. Most of us, almost every Network Engineer in our IT career probably asked this question. It is important because demanded certification provides job security and having it means finding a job or changing the company easily.
Cisco CCIE has many different tracks as of 2022. After CCIE certification, the next step is CCDE. Before we continue most demanded CCIE, I would like to say that CCDE is not well known by the recruiters, so may be hard to find a job easily with it, but it is quite popular and respectful among the CCIEs. So, if someone passes CCIE Enterprise or CCIE Service Provider, they are definitely aware of CCDE and start considering that certificate.
Let’s continue our most demanded CCIE track discussion.
For many years most demanded CCIE was always CCIE Routing and Switching. As you might be aware, Cisco changed the CCIE Routing and Switching certification name to CCIE Enterprise Infrastructure, and the CCIE Enterprise syllabus has been updated as well.
We provide many CCIE tracks and among our students, CCIE Enterprise Infrastructure training is the most popular CCIE, most demanded CCIE track as well.
We recommend CCIE Continue reading
CCIE Salary, Cisco CCIE salary. Many people have been searching these two words on OrhanErgun.Net for some time.
Many people also have been asking me, how much they can earn monthly if they pass Cisco CCIE practical/lab exam.
For more information on CCIE course content, success stories, and registration, this is our CCIE Course.
I think the answer depends on many criteria. Since this post will be read by people all around the world, it is important to share some insights on the topic.
Before talking about dependencies, you should know some facts about the CCIE certification. Unlike CCDE, Cisco CCIE Certification is known by the recruiters very well as it has been posted as a job requirement for decades.
There are thousands of them in the world, especially Cisco CCIE Routing and Switching, the new name Cisco CCIE Enterprise Infrastructure certificate is around 50000+ people we are talking about.
At the beginning of his post, I said that CCIE salary depends on many criteria.
These are in general
Most probably there are other things that would affect the salary of the CCIE but these are my observations.
The country is Continue reading
The post Cisco and Juniper Acquired IETF, all the RFCs name will be converted to JuCi appeared first on orhanergun.net.
After I published the Telstra’s hijack effecting many networks post on Linkedin, one of my students asked couple good questions under that post.
I thought sharing that post here would be beneficial for those who follow orhanergun.net blog, as I explained couple important frequently asked questions about BGP Global routing security.
John Ojo sent the below question/comment:
Orhan Ergun thanks for the insights. Hence the need for IRR & RPKI. I attended your BGP Zero to Hero training now this makes more sense to me haven seen flowspec a few weeks ago previously from Centurylink to this protonmail /24 prefix highjack. But my questions are; 1. Why do all these companies not implement these path validation controls?
2. Is it lack of competent BGP Engineers or Peering Coordinators can BGPSec not be automated to avoid human errors? BGP Security controls seem to overwhelm a lot of companies and not all the Security approaches are full proof anyway. Should they just wait until it happens? The need for continuous training and retraining cannot be overemphasized on BGP in-depth. I recommend them to train at Orhan Ergun LLC www.orhanergun.net
My answer to his Continue reading
Today I woke up with a Telstra’s ProtonMail Hijack news. In fact, one of my Linkedin connections, friend, sent me the ITNews post about the incident.
When I saw it, obviously it was Hijack, not Route Leak or other type of attacks but, the post was not explaining any technical detail, what kind of attack it was, can it be prevented somehow ,etc.
Thus, I wanted to mention briefly about those points, explaining technically, while trying to keep it understandable.
By the way, BGP Security and many other topics about BGP was covered in my week long BGP Zero to Hero course. If you are technical person, don’t miss it!.
Before I start explaining this incident, I should mention that, this incident was totally different than recent Century Link caused outage. In Century Link case, issue was their routing policy. In fact, carrying security policy over routing (I know sounds complex, thus I won’t mention, lack of feedback loop with Flowspec, RFC 5575).
Okay, what happened with Telstra’s Hijack?
Swiss email provider ProtonMail shared a tweet that Telstra was announcing its 185.70.40.0/24.
This subnet belongs to ProtonMail and Telstra announcing it as Continue reading
On August 30, 2020, Level 3/Century Link, AS 3356 had major Internet outage. In fact this outage effected massive amount of networks, including very well know ones such as Amazon, Microsoft, Twitter, Discord, Reddit etc.
3.5% Global Internet Traffic was dropped due to this outage and entire network converged after almost 7 hours. This is huge amount of time. When we usually discuss convergence, specifically fast convergence, ‘Seconds’ if not ‘ Milliseconds ‘ are the target values.
No one wants to have minutes level network convergence. But when there is an Outage like this, we categorize them as ‘ Catastrophic Failures’ and unfortunately network design usually doesn’t take this kind of failures into an account.
But could it be prevented?
In the first place, let’s understand that, this event, similar to many other catastrophic network events, started at a single location. (According to a CenturyLink status page, the issue originated from CenturyLink’s data center in Mississauga, a city near Ontario, Canada.)
But it spread over entire backbone of AS3356.
In fact, I remember on 2014, which we famously know as 512k incident happened because of this network (Level 3) as well and that event also caused Continue reading
The post BGP Route Server – Scalable IXP BGP Architecture appeared first on orhanergun.net.
MPLS Applications, what are the MPLS Applications?. MPLS Applications mean MPLS Services. So what can we do with MPLS basically.
Although the very first purpose of MPLS was fast switching, by the time services/applications with MPLS evolved and there are just so many reasons to use MPLS.
Below are some of the most common use case , or in other words, Applications with MPLS.
Important MPLS applications/services for the network designers are listed below.
MPLS infrastructure can have all of the above MPLS application/ services at the same time. Most of them are architecture, so MPLS Labeling protocols itself (such as LDP, RSVP) are not enough for providing above applications/services.
Usually MPLS protocols, are used commonly with BGP, IGP and other protocols.
I just wanted to mention what people mean when they talk about MPLS applications, thus I am keeping post short but before I finish the post, let me recommend you a book, called . ‘ MPLS Continue reading
Integrated Services QoS – Hard QoS is first QoS approach, but currently we are not using. At the end of this post, you will know what is Integrated QoS, what was the idea with it and why it is not used today.
Quality of service (QoS) is the overall performance of a telephony or computer network, particularly the performance seen by the users of the network.
Two QoS approaches have been defined by standard organizations.
These are:
Intserv QoS demands that every flow requests a bandwidth from the network and that the network would reserve the required bandwidth for the user during a conversation.
Think of this as on-demand circuit switching, each flow of each user would be remembered by the network. This clearly would create a resource problem (CPU, memory , bandwidth) on the network, and thus it was never widely adopted.
Not only allocation bandwidth for each and every flow on each network device in the path, but also keep tracking these flows and tearing down when the flow is terminated is very resource intensive and people thought this will not be scalable and we haven’t seen deployment for it.
Protocol Continue reading
VPN – Virtual Private Network is most common overlay mechanism in Networking. We have many of them, GRE, mGRE, IPSEC, DMVPN, GETVPN, LISP, FlexVPNs, MPLS VPNs and so on. But what are the important and fundamentals thing about VPNs?.In this post I will explain some of them.
Virtual Private Network is the logical entity, which is created over a physical infrastructure. It can be setup over another private network such as MPLS or public network such as Internet.
All VPN technologies add extra byte to the packet or frame, which increases the overall MTU so the network links should be accommodated to handle bigger MTU values.
VPN technologies work based on encapsulation and decapsulation.
For example GRE, mGRE and DMVPN encapsulate IP packets into another IP packet, VPLS and EVPN encapsulates Layer 2 frame into an MPLS packets.
You can run routing protocols over some VPN technologies but not all VPN technologies allow you to run routing protocols.
In order to support routing over tunnel, tunnel endpoints should be aware from each other.
For example MPLS Traffic Engineer tunnels don’t support routing protocols to run over, since the LSPs are unidirectional which mean Head-end Continue reading
OPEX and CAPEX are two important network design considerations. From the high level we should understand these two design requirements.
OpEx refers to operational expenses such as support, maintenance, labor, bandwidth and utilities. Creating a complex network design may show off your technical knowledge but it can also cause unnecessary complexity making it harder to build, maintain, operate and manage the network.
A well- designed network reduces OpEx through improved network uptime (which in turn can avoid or reduce penalties related to outages), higher user productivity, ease of operations, and energy savings. Consider creating the simplest solution that meets the business requirements.
CapEx refers to the upfront costs such as purchasing equipment, inventory, acquiring intellectual property or real estate. A well-thought design provides longer deployment lifespan, investment protection, network consolidation and virtualization, producing non-measurable benefits such as business agility and business transformation and innovation, thus reducing risk and lowering costs in the long run.
Last metric in the COST constraint is TCO (Total cost of ownership).
TCO is a better metric than pure CapEx to evaluate network cost, as it considers CapEx plus OpEx. Make your network designs cost-effective in the long run and do more Continue reading
When it comes to Routing Security, BGP Origin and Path Validation should be understood very well.
It is the problem of all, not just large Service Providers. Enterprises, Service Providers, Mobile Operators, basically whoever are interacting with Global Routing.
IRR, RPKI, BGPSEC, Origin Validation and Path Validation are the fundamentals of BGP Routing Security. We have many other posts for the subject on the website but in this post I want to share with you new approach for BGP Path Validation. It is called as AS-Cones.
At the moment, it is still IETF draft but soon it is expected to be Standard RFC.
I discussed it with the inventor of the mechanisms, Melchior Aelmans along with many other routing security topic and decided to share with you!
In the below video, Orhan Ergun, Melchior Aelmans and Jeff Tantsura, discussing new approaches in BGP Security – Path Validation.
They explain ASPA – Autonomous System Provider Authorization , and another approach AS-Cone and they compare those two.
Not only BGP Security Path Validation, but they identify the current known problems of the Global Routing Table/DFZ, such as Hijacks, different types of hijacks, route leaks and they discuss some prevention techniques such Continue reading
Flat/Single Level vs. Multi Level IS-IS Design Comparison. Flat routing means, without hierarchy, entire topology information of the network is known by each and every device in the network.
IS-IS has two levels. Thus, for IS-IS, Multi Level means Two Level IS-IS. Level 1 and Level 2.
When we have two levels, Level 1 routers don’t know the topology of Level 2 and vice versa. By hiding topology information of different level routers, scalability is achieved. Reason we achieve more scalable network is when there is a failure or new information added or metric changes in one Level, another level doesn’t run SPF algorithm.
But what are the design consideration when we have Flat or Multi Level IS-IS networks. Is Multi Level IS-IS design, which mean, Hierarchical IS-IS design always good? Answer is no. Although Multi Level provides Scalability, it comes with extra complexity and end to end routing convergence time increase.
So, I prepared below comparison charts to discuss different design aspects when it comes to IS-IS Single vs. Multi Level design.
If you like this comparison chart, you can see more of them in my CCIE Enterprise Training.
When it comes to fast convergence, first thing that we need to understand what is convergence?
Convergence is the time between failure and the recovery. Link, circuits, routers, switches all eventually fails. As a network designers, our job is to understand the topology and whenever there is qrequirement, add backup link or node. Of course, not every network, or not every place in the network requires redundancy though. But let’s assume, we want redundancy, thus we add backup link or node and we want to recover from the failure as quickly as possible, by hoping before Application timeout.
But what is the time for us to say , this network is converging fast. Unfortunately, there is no numerical value for it. So, you cannot say, 30 seconds , or 10 seconds , or 1 second is fast convergence. Your application convergence requirement might be much below 1 second.
Thus, I generally call ‘ Fast Convergence’ is the convergence time faster than default convergence value. Let’s say, OSPF on Broadcast media is converging in 50 seconds, so any attempt to make OSPF convergence faster than 50 seconds default convergence value is OSPF Fast Convergence on Broadcast media.
There Continue reading