Cisco CCNP - SPCOR (350-501) Certification

Summary

A new revision to the Cisco CCNP is coming on 19 September 2024.

The exam topics for the SPCOR 350-501 can be found on this link.

The release notes list all the upcoming changes to the new CCNP SPCOR certification.

CCIE Service Provider is also changing. CCIE is the Cisco lab exam, and its release notes list the changes coming.

CCNP exams can be found here under Service Provider.

Exam Considerations

The tips for the CCNP are as follows:

Architecture (15%)

Modern Service Provider Architectures

Basic SP Hierarchy: Core, Aggregation, and Edge

This hierarchy is typical of a Tier 1 or national service provider.

Core Network

  • The core sits at the centre of the network; these are high-throughput, low-feature devices.
  • Customers never connect to the core.

Aggregation Network

  • Adds resiliency and is built for speed.
  • Its primary objective is to consolidate connectivity from the various access networks.

Access Network

  • Where the customer connects.
  • Usually built as concentric rings.

Reusing Cable TV Lines for Internet via DOCSIS

DOCSIS

The formal name is Data Over Cable Service Interface Specification.

1) The service provider side has an aggregation router; the customer side has a computer.

2) The carrier router connects to a Cable Modem Termination System (CMTS). This device aggregates connections from cable subscribers.

3) To connect to the CMTS the customer needs a cable modem (CM).

4) The DOCSIS version must match between the cable modem and the CMTS.

5) The existing coaxial network is reused to carry data services.

6) The carrier has multiple services to deliver, such as TV feeds from satellite and broadcast sources.

7) A combiner is added on the carrier side and a splitter on the customer side to separate the different signals.

8) To avoid unauthorised use, the provider adds authentication servers, and DHCP servers to hand out IP addresses to clients.

Reusing Telephone Lines for Internet via DSL

ADSL/DSL

Digital Subscriber Line or DSL leverages the existing telephone connection.

1) The provider needs a DSLAM (Digital Subscriber Line Access Multiplexer), which aggregates connections from subscriber modems.

2) The customer uses a splitter to separate the PSTN (phone) signal from the data signal.

3) It is common for ADSL services to use PPPoE for authentication and DHCP to assign IP addresses.

What Is a GPON and Why Do I Care?

Many urban and suburban areas have migrated to dedicated data networks, often using fibre-optic cables.

1) An Optical Line Terminal (OLT) is used to aggregate GPON connections from customer sites.

2) The end customer has an Optical Network Unit (ONU) or Optical Network Terminal (ONT). It is common for customers to connect a router to the service.

3) PON is called passive because the splitters do not require power to operate.

4) As with DSL and DOCSIS, authentication servers and DHCP are used to manage customers.

GPON is not Ethernet based; it uses GEM (GPON Encapsulation Method) framing.

Common Fiber Termination and PON Types

FTTH

Fibre to the Home is delivered with an ONU/ONT, normally a router.

FTTB

Fibre to the Business: the ONU/ONT is installed in a rack with further infrastructure behind it to support the users.

FTTC

Fibre to the Curb is when the fibre is terminated near the customer premises and the last mile (often copper) is presented to the customer, allowing the ONU/ONT to be located away from the premises and minimising costs.

BPON

BPON is the predecessor of GPON and is much slower. Most ISPs are migrating to GPON.

XGPON

XGPON is a 10G-capable solution. The operation is the same as GPON, only at 10G.

EPON

Ethernet PON reuses Ethernet framing over the PON.

5G Cellular Networks and Device Mobility

User Equipment (UE) - the customer equipment. It can be a phone or a cellular-enabled router.

Radio Access Network (RAN) - the UE connects to a cell tower, which is part of the radio access network or RAN. Cell towers are connected to the access network.

User Plane Function (UPF) - to access resources, the user's traffic passes through a UPF, essentially a router connected to an upstream Data Network (DN) that typically leads to the internet.

  • In a private deployment, the DN can also represent a business network.

Session Management Function (SMF) - responsible for maintaining sessions with the User Equipment.

Access and Mobility Management Function (AMF) - used to onboard, track and migrate users while they roam.

Authentication Server Function (AUSF) - ensures that only authorised users use the network.

Policy Control Function (PCF) - applies traffic prioritisation to improve the client experience.

Other control functions are omitted for brevity. They communicate laterally using APIs; for example, the AUSF can inform the SMF of an authentication failure and the SMF can purge that record from its database.

By decoupling these services it is possible to create a standard, vendor-neutral environment that scales.

To provide seamless roaming in cellular networks, 5G relies on tunnelling between the RAN and the UPF.

A protocol called the GPRS (General Packet Radio Service) Tunnelling Protocol (GTP) is used to connect the RAN to the UPF.

GTP allows wireless traffic to be transported to a central location when egressing from the cellular network.

When the UE roams it must keep its IP address; once the UE has migrated to tower 2, that tower carries the traffic back to the UPF using GTP.

UPF to DN connections often exist in the aggregation layer to service a geographic region.

IPv6 Transition with NAT44 and NAT64

NAT is one of the most commonly deployed technologies in networking.

NAT44 - translates IPv4 addresses into other IPv4 addresses. In the example, a private IPv4 address is translated into a public IPv4 address.

NAT64 - translates IPv6 into IPv4 addresses. It is more complex because it requires translating the source and destination addresses at the same time.

The post-NAT64 source IPv4 addresses must come from a dynamic public pool or a single public IPv4 address.

This allows IPv6 clients to access IPv4 resources. The IPv6 clients must target specific addresses that are IPv6 representations of IPv4 destinations.

The well-known prefix (WKP) 64:ff9b::/96 fills the first 96 bits of the IPv6 destination, with the low-order 32 bits taken directly from the IPv4 destination.

A technology known as DNS64 works in concert with NAT64: it responds to client AAAA (quad-A) queries with WKP-based synthesised destinations, enabling seamless communication between IPv6 and IPv4.
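The WKP embedding and the DNS64 decision described above, worked through in Python. This is an added example and not code from the course notes or from Cisco; it uses only the standard library `ipaddress` module. The 64:ff9b::/96 prefix and the idea of synthesising AAAA answers from A records come from the text; the IPv4 address 192.0.2.33 and the operator-specific prefix 2001:db8:64::/96 (a network-specific prefix, which RFC 6052 allows instead of the WKP) are constructed values used to show that the same code covers both cases.

```python
import ipaddress

# NAT64/DNS64 well-known prefix from the text. With a /96 prefix the IPv4
# address occupies exactly the low-order 32 bits of the IPv6 address.
WKP = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_ipv6(ipv4: str, prefix: ipaddress.IPv6Network = WKP) -> ipaddress.IPv6Address:
    """Build the IPv6 representation of an IPv4 destination.

    This is what DNS64 hands to an IPv6-only client when a name only has an
    A record, and therefore the address the client actually sends packets to.
    """
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 embedding is implemented here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(prefix.network_address) | v4)


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = WKP) -> ipaddress.IPv4Address:
    """Recover the real IPv4 destination from a prefix-based IPv6 destination.

    This is the translator's side: only packets whose destination falls inside
    the configured NAT64 prefix are eligible for translation; anything else is
    ordinary IPv6 traffic and must not be touched.
    """
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        raise ValueError(f"{v6} is outside the NAT64 prefix {prefix}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_answer(a_records, aaaa_records, prefix=WKP):
    """DNS64 decision for one name.

    A native AAAA answer is always preferred so dual-stack destinations are
    reached without translation; synthetic answers are produced only when the
    name has no AAAA record at all.
    """
    if aaaa_records:
        return [ipaddress.IPv6Address(r) for r in aaaa_records]
    return [synthesize_ipv6(r, prefix) for r in a_records]


if __name__ == "__main__":
    # Constructed sample data: an IPv4-only name and a dual-stack name.
    print(dns64_answer(["192.0.2.33"], []))                 # synthesised
    print(dns64_answer(["192.0.2.33"], ["2001:db8::1"]))    # native AAAA kept
    print(extract_ipv4("64:ff9b::c000:221"))
```

One operational point the code makes visible: a synthesised AAAA record is not the answer the authoritative server signed, so a client that validates DNSSEC itself will reject DNS64 answers; the resolver, not the client, has to be the validator in such deployments.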

Tunneling IPv6 over IPv4 with 6rd

An alternative to translating between IPv6 and IPv4 is to tunnel IPv6 over IPv4.

IPv6 Rapid Deployment (6rd) - the entire 6rd network is summarised within a general 6rd prefix.

The prefix is further divided between individual sites, and using subnetting, administrators can determine how many networks are needed at each site.

This is achieved by masking the redundant bits of the underlying IPv4 addresses.

The example in the picture uses a 6rd prefix of 2001:db8::/32. Assume that all CPEs share the same first two octets; this means that only the lower 16 bits of the IPv4 address are relevant.

Encoding the redundant bits in the 6rd tunnelling address is unnecessary and would waste address space.

To uniquely identify a prefix for a site, begin with the general 6rd prefix of 2001:db8::/32 and append the low-order 16 bits of each site's underlay IPv4 address.

This results in a unique IPv6 /48 prefix for each site, and assuming only IPv6 /64 networks are created, this provides 65,536 available subnets per site.

6rd is completely stateless and has no signalled control plane, so its scale is limited in this regard.

To exit a 6rd network, at least one upstream router is identified as a border relay (BR); the remote sites rely on a static default IPv6 route towards this border relay to reach the IPv6 internet.
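The 6rd derivation above, carried through in both directions as an added example (not code from the course notes or from Cisco): deriving a site's delegated /48 from its underlay IPv4 address, and the reverse, stateless lookup a CE or BR performs to decide whether an IPv6 destination belongs to another site in the domain or must follow the default route to the BR. The 6rd prefix 2001:db8::/32 and the "same first two octets" rule are from the text; the CE address 203.0.113.45 is a constructed value, and the parameter name `ipv4_mask_len` follows what RFC 5969 calls IPv4MaskLen.

```python
import ipaddress


def site_prefix(rd_prefix: str, ce_ipv4: str, ipv4_mask_len: int) -> ipaddress.IPv6Network:
    """Derive the IPv6 prefix delegated to one 6rd site.

    rd_prefix      the 6rd domain prefix shared by every site (2001:db8::/32 in the text)
    ce_ipv4        the CE's IPv4 address on the underlay, i.e. its tunnel endpoint
    ipv4_mask_len  number of high-order IPv4 bits identical for all CEs, which are
                   left out of the embedding (16 in the text: same first two octets)
    """
    rd = ipaddress.IPv6Network(rd_prefix)
    embedded_bits = 32 - ipv4_mask_len
    low = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << embedded_bits) - 1)
    delegated_len = rd.prefixlen + embedded_bits
    if delegated_len > 64:
        raise ValueError("delegated prefix longer than /64 leaves no room for subnets")
    base = int(rd.network_address) | (low << (128 - delegated_len))
    return ipaddress.IPv6Network((base, delegated_len))


def available_64s(delegated: ipaddress.IPv6Network) -> int:
    """Number of /64 networks that fit in a delegated prefix (65,536 for a /48)."""
    return 1 << (64 - delegated.prefixlen)


def tunnel_endpoint(rd_prefix: str, ipv4_mask_len: int, ipv4_common: str, dst_ipv6: str):
    """Stateless next-hop decision made by a CE or the BR.

    If the IPv6 destination lies inside the 6rd domain, the owning CE's IPv4
    address is reconstructed from the embedded bits and used as the tunnel
    destination; otherwise None is returned, meaning "follow the static default
    route towards the BR". ipv4_common is any address carrying the shared
    high-order bits (e.g. 203.0.0.0 when the first two octets are common).
    """
    rd = ipaddress.IPv6Network(rd_prefix)
    dst = ipaddress.IPv6Address(dst_ipv6)
    if dst not in rd:
        return None
    embedded_bits = 32 - ipv4_mask_len
    shift = 128 - rd.prefixlen - embedded_bits
    low = (int(dst) >> shift) & ((1 << embedded_bits) - 1)
    high_mask = (0xFFFFFFFF << embedded_bits) & 0xFFFFFFFF
    high = int(ipaddress.IPv4Address(ipv4_common)) & high_mask
    return ipaddress.IPv4Address(high | low)


if __name__ == "__main__":
    # Constructed CE address; only its low 16 bits (0x712d) end up in the prefix.
    p = site_prefix("2001:db8::/32", "203.0.113.45", 16)
    print(p, available_64s(p))
    print(tunnel_endpoint("2001:db8::/32", 16, "203.0.0.0", "2001:db8:712d:1::1"))
    print(tunnel_endpoint("2001:db8::/32", 16, "203.0.0.0", "2001:4860::8888"))
```

Because the mapping is purely arithmetic, every participant can compute every other site's tunnel endpoint without any signalling, which is exactly why 6rd needs no control plane and also why the BR and CEs should only accept 6rd traffic whose outer IPv4 source is consistent with the inner IPv6 source prefix.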

Tunneling IPv4 over IPv6 with MAP

MAP (Mapping of Address and Port) utilises layer 4 port information when constructing IP headers. The general MAP design involves a CE device with IPv4 hosts behind it, and IPv6 as well if the device is dual-stacked.

The transport network towards the BR is IPv6 only. MAP is designed to provide IPv4 connectivity over an IPv6 network.

The CE device performs two important functions:

1) It performs traditional NAT44, translating the private source into a public source address. This address is not configured directly on the CE but is inferred from the EA (embedded address) bits. This process is similar to 6rd, and it is possible to specify a degree of uniqueness for the port information as well.

Translation (MAP-T) - translates between IPv6 and IPv4 using layer 4 port information. With NAT44 completed, the router translates the IPv4 packet into IPv6.

The resulting IPv6 packet is forwarded to the MAP-BR, which upon receiving it translates it back into IPv4; finally, the IPv4 packet is forwarded to the internet towards the original destination.

Encapsulation (MAP-E) - relies on IPv6 tunnelling instead of translation. After performing NAT44 the device encapsulates the IPv4 packet in IPv6 and forwards it to the MAP-BR. The difference is that the IPv4 packet remains unchanged inside the IPv6 packet.

It avoids the double translation of MAP-T, but the encapsulation overhead slightly reduces the customer payload size.
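How a MAP CE infers its public IPv4 address and its share of the port space from the EA bits, as an added example that is not code from the course notes or from Cisco. It goes beyond the text by following the basic mapping rule and port-set algorithm of RFC 7597 (the rule IPv6 prefix, rule IPv4 prefix, EA-bit length, PSID and the default PSID offset of 6 are that RFC's terms); the specific rule 2001:db8::/40 with 192.0.2.0/24 and the end-user prefix 2001:db8:12:3400::/56 are constructed values.

```python
import ipaddress


def decode_ea_bits(end_user_prefix: str, rule_ipv6_prefix: str,
                   rule_ipv4_prefix: str, ea_len: int):
    """Recover (public IPv4 address, PSID, PSID length) from a MAP end-user prefix.

    The EA (embedded address) bits sit immediately after the rule IPv6 prefix.
    Their first 32 - rule_ipv4_prefix_len bits complete the shared IPv4 address;
    whatever remains is the port-set ID (PSID) that makes this CE unique among
    the CEs sharing that IPv4 address.
    """
    eu = ipaddress.IPv6Network(end_user_prefix)
    r6 = ipaddress.IPv6Network(rule_ipv6_prefix)
    r4 = ipaddress.IPv4Network(rule_ipv4_prefix)
    if not eu.subnet_of(r6) or eu.prefixlen < r6.prefixlen + ea_len:
        raise ValueError("end-user prefix does not carry the rule's EA bits")
    shift = 128 - r6.prefixlen - ea_len
    ea = (int(eu.network_address) >> shift) & ((1 << ea_len) - 1)
    p = 32 - r4.prefixlen        # IPv4 suffix bits carried in the EA bits
    q = ea_len - p               # remaining EA bits form the PSID
    if q < 0:
        raise ValueError("EA bits are shorter than the IPv4 suffix")
    suffix = ea >> q
    psid = ea & ((1 << q) - 1)
    ipv4 = ipaddress.IPv4Address(int(r4.network_address) | suffix)
    return ipv4, psid, q


def port_set(psid: int, psid_len: int, offset: int = 6):
    """Port ranges a subscriber may use as NAT44 source ports (RFC 7597 port-set
    algorithm, assumed here). The offset a excludes the low well-known ports:
    with a = 6, the port index A = 0 (ports 0-1023) is never assigned."""
    m = 16 - offset - psid_len   # contiguous ports per range
    if m < 0:
        raise ValueError("offset + PSID length exceeds 16 bits")
    a_values = range(1, 1 << offset) if offset else [0]
    ranges = []
    for a in a_values:
        start = (a << (16 - offset)) | (psid << m)
        ranges.append((start, start + (1 << m) - 1))
    return ranges


def port_allowed(port: int, ranges) -> bool:
    """Check a candidate NAT44 source port against the subscriber's port set.
    Ports outside the set belong to another subscriber sharing the same IPv4
    address, so a correct CE never picks them and a BR does not accept them."""
    return any(lo <= port <= hi for lo, hi in ranges)


if __name__ == "__main__":
    ipv4, psid, q = decode_ea_bits("2001:db8:12:3400::/56", "2001:db8::/40",
                                   "192.0.2.0/24", 16)
    ranges = port_set(psid, q)
    print(ipv4, psid, 2 ** q, "subscribers share this address")
    print(ranges[:3], "... total ports:", sum(hi - lo + 1 for lo, hi in ranges))
```

With an 8-bit PSID, 256 subscribers share one IPv4 address and each gets 252 usable ports spread over 63 small ranges; that spread is the "degree of uniqueness for port information" the text refers to, and it is also what a log analyst needs when mapping a public address and port back to a subscriber.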

Tunneling IPv4 over IPv6 with DS-lite

DS-lite is also known as Dual-Stack Lite. This technology allows access to IPv4 resources over an IPv6 transport network.

B4 - represents the customer edge device. It tunnels IPv4 inside IPv6, similar to MAP-E, towards the AFTR.

The IPv6 tunnels are informally called softwires.

Address Family Transition Router (AFTR) - upon receiving an encapsulated IPv4 packet, the AFTR decapsulates it and performs NAT44.

The major advantage of DS-Lite is that the CE does not need to perform NAT. It only tunnels traffic over the existing IPv6 network to the large NAT44 router, which minimises changes to the customer hardware and configuration.

However, it may require a software patch to add IPv6 tunnelling support to the CPE.

The drawback is that NAT44 happens on centralised edge/core devices, which can become expensive and does not scale, unlike MAP, which distributes the NAT44 complexity across many CEs.
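A toy AFTR, added here as an example that is not code from the course notes or from Cisco, showing why the centralised NAT44 in DS-Lite has to key its state on the softwire and why that state is the scaling cost the text describes. Two customers behind two B4s both use the constructed private host 192.168.1.10; the B4 addresses 2001:db8:b4::1 and 2001:db8:b4::2, the AFTR public address 198.51.100.1 and the remote 203.0.113.80 are all constructed values.

```python
from dataclasses import dataclass

# Constructed softwire (B4) addresses for two different customers.
B4_A = "2001:db8:b4::1"
B4_B = "2001:db8:b4::2"


@dataclass(frozen=True)
class Inner:
    """IPv4/transport header fields of the packet carried inside the softwire."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Aftr:
    """Decapsulate IPv4-in-IPv6 softwire traffic and perform NAT44 for many customers.

    Customers reuse the same private ranges, so the NAT table must be keyed by the
    softwire (B4 IPv6) address as well as the inner source: the B4 address is the
    only thing that tells two 192.168.1.10 hosts apart. Every flow of every customer
    consumes an entry and a port here, which is the centralisation cost of DS-Lite.
    """

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound_map = {}   # (b4, inner src ip, inner src port) -> public port
        self.inbound_map = {}    # public port -> (b4, inner src ip, inner src port)

    def outbound(self, b4_ipv6: str, pkt: Inner) -> Inner:
        """Packet arriving over a softwire -> IPv4 header fields sent to the internet."""
        key = (b4_ipv6, pkt.src_ip, pkt.src_port)
        port = self.outbound_map.get(key)
        if port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("AFTR port pool exhausted")   # the scaling limit
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[port] = key
        return Inner(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Inner):
        """Return packet from the internet -> (softwire destination, inner IPv4 fields),
        or None when no binding exists, in which case unsolicited traffic is dropped."""
        key = self.inbound_map.get(pkt.dst_port)
        if key is None or pkt.dst_ip != self.public_ip:
            return None
        b4, src_ip, src_port = key
        return b4, Inner(pkt.src_ip, pkt.src_port, src_ip, src_port)

    def state_entries(self) -> int:
        """Number of active translations, i.e. the memory the AFTR is holding."""
        return len(self.outbound_map)


if __name__ == "__main__":
    aftr = Aftr("198.51.100.1")
    flow = Inner("192.168.1.10", 40000, "203.0.113.80", 443)
    print(aftr.outbound(B4_A, flow))   # same private host behind two customers...
    print(aftr.outbound(B4_B, flow))   # ...gets two different public ports
    print(aftr.inbound(Inner("203.0.113.80", 443, "198.51.100.1", 1025)))
    print(aftr.state_entries(), "translations held by the AFTR")
```

For abuse handling this also means the provider's NAT logs must record the B4 IPv6 address alongside the inner private address and the assigned public port; the public IPv4 address and port alone do not identify a customer without that table.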

Product Software Architectures and Availability Features

Understanding Cisco IOS and IOS-XE Architecture

Cisco IOS

Cisco IOS was developed in 1980 and is monolithic, upgradable through a single binary file.

However, all processes share the same address space, so if one service has a memory leak the whole system is impacted.

IOS-XE

IOS-XE addresses the Cisco IOS issues by packaging the operating system into a daemon (IOSd).

It does not fix bugs in features, but because IOSd is decoupled from the drivers, it allows the administrator to treat the platform and the OS as two separate things.

  • It is possible to insert, reboot and upgrade hardware modules without rebooting the entire operating system.
  • There are also new CLI commands specific to the underlying platform, providing additional visibility to network administrators.
  • Some platforms allow hosting additional applications, such as traffic generators and monitoring scripts.

Cisco has replaced almost all of its IOS products with IOS-XE.

What Makes Cisco IOS-XR Different?

IOS-XR provides granular software modularity. It creates separate memory spaces for different services.

This prevents a service with a memory leak from crashing the device, and the service can be troubleshot separately.

The OS uses a small Linux distribution based on Wind River Linux; older versions use QNX Neutrino instead.

There is no monolithic system controlling the device. All features are installed as packages, which can be downloaded from Cisco, such as BGP, OSPF and MPLS.

The packages can be installed while the device is running without needing to reboot the device.

IOS-XR can also host apps, like IOS-XE.

The system modularity adds more complexity since there are more things to manage.

High Availability with Non-stop Forwarding (NSF)

Some Cisco devices have redundancy built into a single device.

A device with redundancy has multiple route processors (RPs); the RP is the brain of the router and hosts control plane functionality such as the routing protocols.

The line cards (LC) are responsible for data forwarding and are controlled by the RPs.

If the control plane fails the device becomes useless. To mitigate this issue, three technologies were introduced:

  • Non-stop Forwarding (NSF)
  • Stateful Switchover (SSO)
  • Graceful Restart (GR)

GR is protocol-dependent, and Cisco implemented it in OSPF, IS-IS, BGP, EIGRP and LDP.

A device can be GR capable, or GR aware and able to participate with a neighbour that is GR capable.

Consider a PE (GR capable) and a CE (GR aware). If the PE suffers an RP failure it announces this to the CE, and the CE continues to forward traffic through the PE despite the control plane failure because NSF is enabled.

Non-stop Routing (NSR) as a Local Alternative

Consider a service provider PE with multiple RPs where some of the attached CEs are not GR aware. This is when Non-stop Routing (NSR) comes into play.

When the RP fails it signals the failover to GR-aware devices. However, non-GR-aware devices may reconverge during a failover.

Cisco devices prefer NSF when available and it is enabled by default.

NSF and NSR Configuration Examples

Service Provider Virtualization Techniques

Improving Service Flexibility with Virtualization

Imagine a service provider point of presence (POP) in a data centre with a collection of servers that can run virtual machines.

The servers are connected to the PE, making them accessible from anywhere within the carrier network.

This design helps the service provider reduce costs when deploying network nodes. For example, the SP can use virtual routers as BGP route reflectors: because a route reflector is limited to the control plane, any virtual machine can run it as a virtual router.

A more complex approach is to use virtualisation to directly serve customers; thanks to these hosted POP data centres, the SP can provide more than transit services.

Virtualisation solutions like VMware or Hyper-V can be used; however, most SPs use OpenStack.

Want Your Own Cloud? Consider OpenStack

OpenStack is based on a modular architecture. There are six primary OpenStack components that handle compute, network and storage functions for on-demand VM provisioning. Several other components enable additional features, such as dashboards, bare metal provisioning, containers, secrets management and telemetry. To handle this complexity, organisations often use OpenStack Charms for fully automated OpenStack installation and post-deployment operations.

Nova

Nova is the primary compute engine of OpenStack, responsible for instance scheduling, creation and termination. In order to ensure widespread interoperability, Nova supports a wide range of hypervisors, including QEMU/KVM, Hyper-V, VMware ESXi and Xen.

Glance

Glance is an image service, responsible for uploading, managing and retrieving cloud images for instances running on OpenStack. Glance works across a variety of stores to provide the most convenient location of images for organisations.

Neutron

Neutron provides network connectivity between OpenStack instances, enabling multi-VM deployments. For this purpose, Neutron uses various software-defined networking (SDN) technologies, including Open Virtual Network (OVN), Open vSwitch (OVS), Juniper Contrail, Cisco ACI, etc.

Cinder

Cinder is a storage component that is responsible for provisioning, management and termination of persistent block devices. Those can be later attached to the instances running on OpenStack to enable persistent block storage.

Swift

Swift is another storage component that provides a highly available and scalable object storage service similar to Amazon S3. It enables storing and retrieving unstructured data objects using a RESTful API for both OpenStack services and instances running on the cloud.

Keystone

Keystone serves as an identity service, providing authentication and authorization functions for the users in order to enable multi-tenancy. Keystone can be easily integrated with external identity systems, such as lightweight directory access protocol (LDAP) or Active Directory.