Encapsulating, shim headers, tunnelling – does it matter?

I overheard my manager today giving one of the new junior guys the run-down on basic encapsulation methods and general IP. Basically, how to TCP/IP. In explaining 802.1Q and VLAN tagging, my boss uttered the following phrase:

“…a switch encapsulates the frame with the VLAN number…”

It was at that point I ran over to his desk and put in my point (a bit of semantics, especially for a newbie) that technically, a 802.1Q tag actually modifies the Ethernet header and is more like a shim header.

An 802.1Q frame

But then GRE and IP tunnelling were brought up. And MPLS. And IPSec. And after much debate, I let the coaching continue and probably caused quite a bit of confusion for my green colleague. I’ve come to realize that I tend to fly off the handle and get so far into a technical discussion that I lose those who might not have learnt or had exposure to the technology that I and others know intimately.

Anyways, onto the whole encap-vs-tunnel-vs-shim debate. Here’s how I like to explain it and understand it myself as it applies generally:

  • encapsulation distinctly divides bits on the wire. When viewing a packet in Wireshark for example, an IP packet is encapsulated in an Ethernet header and an IP header, followed by whatever transport protocol (TCP, UDP or ICMP), and then finally application data. Encapsulation forms the basic structure of data packets, with a clear division of labor. Routers inspect IP headers for destination networks. Switches inspect Ethernet headers for destination MAC addresses.
  • tunnels use a tunnel header and multiple IP headers to create overlay networks riding over underlying infrastructure. GRE (with IPSec for encryption) is the most widely used tunnelling mechanism. It works great for connecting remote sites over the Internet. Internet routers only inspect the outer IP header, which is routed to the tunnel endpoint, at which point the far end strips the outer IP and GRE headers and then makes its own routing decisions based on the “inside” IP header. MPLS* also functions in a similar way for VPN applications.
  • shim headers are the muddiest of the bunch. MPLS is often called a shim header because it inserts a small 4 byte* (32 bit) header within a data packet, which is then processed and/or inspected by MPLS-enabled routers. It also doesn’t have only one location where it could appear. In the case of pure IP L3VPNs, it’s shimmed between the inner and outer IP headers. It could also appear between disparate Layer 2 headers, in the case of Any Transport over MPLS (AToM). 802.1Q is even harder to define since it modifies the existing Ethernet header. A frame could have multiple .1Q tags in the case of dot1q tunnelling (confused yet?).

* The label value within each 32-bit MPLS header is 20 bits.
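To make the three cases concrete, here is an added example (not code from the original post) that walks a constructed Ethernet frame the way a switch or LSR would: it reads any 802.1Q tags as part of the Ethernet header, then pops MPLS label-stack entries until the bottom-of-stack bit, and reports where the encapsulated payload begins. The MAC addresses, VLAN IDs and label values are constructed sample data.

```python
import struct

ETH_P_8021Q = 0x8100   # customer VLAN tag (C-TAG)
ETH_P_8021AD = 0x88A8  # service VLAN tag (S-TAG, used for dot1q tunnelling / QinQ)
ETH_P_MPLS = 0x8847    # MPLS unicast label stack follows
ETH_P_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Peel 802.1Q tags and MPLS labels off an Ethernet frame, in wire order."""
    dst, src = frame[0:6], frame[6:12]
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    vlans = []
    # Each .1Q tag is a 4-byte shim inside the Ethernet header: the TPID sits where
    # the EtherType was, followed by a 16-bit TCI (3-bit PCP, 1-bit DEI, 12-bit VID).
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        (tci,) = struct.unpack_from("!H", frame, off)
        vlans.append({"tpid": ethertype, "pcp": tci >> 13, "vid": tci & 0x0FFF})
        (ethertype,) = struct.unpack_from("!H", frame, off + 2)
        off += 4
    labels = []
    if ethertype == ETH_P_MPLS:
        # Each label-stack entry is a separate 32-bit header: 20-bit label value,
        # 3-bit TC, 1-bit bottom-of-stack (S), 8-bit TTL. Stop after the S=1 entry.
        while True:
            (entry,) = struct.unpack_from("!I", frame, off)
            off += 4
            labels.append({"label": entry >> 12, "tc": (entry >> 9) & 0x7,
                           "bos": bool((entry >> 8) & 1), "ttl": entry & 0xFF})
            if labels[-1]["bos"]:
                break
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlans": vlans,
            "ethertype": ethertype, "labels": labels, "payload_offset": off}


# Constructed sample: QinQ double-tagged frame carrying a two-label MPLS stack
# (transport label 16, VPN label 1000) in front of an inner IPv4 header.
SAMPLE_FRAME = (
    bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    + struct.pack("!HH", ETH_P_8021AD, 0x0064)        # S-TAG, VID 100
    + struct.pack("!HH", ETH_P_8021Q, 0x00C8)         # C-TAG, VID 200
    + struct.pack("!H", ETH_P_MPLS)
    + struct.pack("!I", (16 << 12) | 64)              # label 16, S=0, TTL 64
    + struct.pack("!I", (1000 << 12) | 0x100 | 255)   # label 1000, S=1, TTL 255
    + bytes.fromhex("45000014")                       # start of the inner IPv4 header
)

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```

Running it shows two VLAN entries parsed as part of the Ethernet header and two MPLS entries parsed as their own headers, with the inner IP header starting at byte 30.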

And yet, after writing those short descriptions of each, it’s apparent to me that all of those terms are muddy. You can’t always define a data type as one over the other, since you’ll find numerous exceptions and special use cases (that are not so special and very widely deployed) that break any rigidly-defined “layering rules”. Smarter people than me have agreed to that fact as it relates to explaining TCP and using dated reference models such as the OSI model. The IETF has also agreed that reference models that adhere to strict onion layers, as applied to data networks, hurt more than they help.

But I digress. The concepts of encapsulation/decapsulation and tunnelling are central concepts that all networks use. Never will you (or should you) see an end host spit out an IP packet without its data link header (mostly Ethernet these days) along with its IP header and any associated transport/application data. It’s just the way TCP/IP evolved over its development several decades ago. And it’s the best we got. Sometimes terminology and semantics matter less than the overall goal a given method is trying to achieve.

If I’m grossly mistaken, be sure to let me know in the comments. I’ll try my best not to harass anyone less technical and nerdy than myself with (sometimes) unimportant details.

CCIP retired, new CCNP Service Provider offers no bridge for current CCNPs

Last week, Cisco announced the retirement of the Cisco Certified Internetwork Professional, the professional-level Cisco certification for service provider networking:

Retirement of CCIP Certification

Beginning October 29, 2012, Cisco CCIP certification will be retired and Cisco will no longer issue new certifications. Individuals interested in pursuing a professional-level Cisco Service Provider certification are encouraged to obtain the new Cisco CCNP Service Provider certification.


The CCIP certification has been a logical next step for individuals completing their CCNP route/switch certifications. A lot of the topics covered (specifically in ROUTE and the old BSCI) also apply to the service provider routing basics, which makes it a logical bridge for many CCNP engineers. Essentials such as BGP, IS-IS (removed from ROUTE) as well as controlling routing information through route filtering, redistribution, path manipulation, etc., are all covered at length throughout the CCNP and should be very familiar for those coming out of their R&S studies.

With the recent announcement of CCIP’s retirement and with the new SP track, this bridge is no longer possible.

Referring to the new CCNP Service Provider curriculum, the following exams are required for certification under the new track:

  • 642-883 SPROUTE Deploying Cisco Service Provider Network Routing
  • 642-885 SPADVROUTE Deploying Cisco Service Provider Advanced Network Routing
  • 642-887 SPCORE Implementing Cisco Service Provider Next-Generation Core Network Services
  • 642-889 SPEDGE Implementing Cisco Service Provider Next-Generation Edge Network Services

Not to mention that under the new track, a valid CCNA Service Provider is also required to be certified for CCNP SP.

For those who have had their CCNPs for some time, many of the CCNA SP topics in the exam blueprint are pure review. Of the topics in the CCNA SP blueprint(s) (oh yeah, there are two $250US exams for CCNA SP), I could only find the following topics that aren’t covered in CCNA/CCNP R&S:

  • Basic IOS-XE & IOS-XR CLI operations and router configurations
  • Transport Technologies such as SONET, SDH, DWDM, ROADM
  • Describe relationship between users, user groups, tasks groups and task IDs in IOS XR
  • Configure Resilient Ethernet Protocol (REP) on Cisco IOS switches
  • Configure QinQ on Cisco IOS switches
  • Carrier-grade NAT (CGN) and NAT64
  • Manage IOS XE and IOS XR software packages

Every other topic that is in both SPNGN1 and SPNGN2 exam blueprints covers CCNA-level routing and switching basics, with a few CCNP-level topics thrown in as well such as GRE tunnels and First Hop Redundancy Protocols, amongst others.

What this means is that CCNP engineers must now commit both the time and money to acquire the CCNA SP certification before even attempting a CCNP SP certification. With so much overlap in the R&S certification track, it’s a real wonder why Cisco didn’t think to have some sort of bridge exam to get CCNPs up to speed in preparation for CCNP SP material.

While it’s not completely unexpected that this track got a significant facelift (after all, covering just QoS, BGP and MPLS leaves out a lot of Cisco’s product-centric features, such as promoting their IOS XR routing platforms), it has now put a deadline on those considering CCIP studies. And while Cisco has provided a migration for existing CCIPs, it still puts prospective certified engineers in a crappy spot. What was 3 exams (2 if you took the BGP+MPLS composite) is now 4 brand new exams with nothing but instructor-led training courses…which are also not cheap.

So for those CCNP network admins who are considering Cisco’s service provider certification tracks, here are the exams (with associated costs) required to reach professional-level certification:

For CCIP (last day to certify October 29, 2012):

  • 642-902 Implementing Cisco IP Routing (ROUTE): $200 USD
  • 642-642 Quality of Service (QOS): $200 USD
  • 642-611 Implementing Cisco MPLS (MPLS): $200 USD (last day to test July 27, 2012)
  • 642-661 Configuring BGP on Cisco Routers (BGP): $200 USD (last day to test July 27, 2012)

Taking into account that you should have ROUTE or BSCI through your CCNP certification, you are looking at a total of 3 exams at $600 USD total*.

*note: You can also take the composite exam 642-691 BGP+MPLS (also last day to test July 27th this year), making it 2 exams at $400 USD total.

Now, if you’re interested in going down Cisco’s new SP track, you’ll be starting at ground-zero with CCNA-Service Provider before moving into CCNP SP:

For CCNA-Service Provider:

  • 640-875 Building Cisco Service Provider Next-Generation Networks, Part 1: $250 USD
  • 640-878 Building Cisco Service Provider Next-Generation Networks, Part 2: $250 USD

For CCNP-Service Provider:

  • 642-883 Deploying Cisco Service Provider Network Routing: $200 USD
  • 642-885 Deploying Cisco Service Provider Advanced Network Routing: $200 USD
  • 642-887 Implementing Cisco Service Provider Next Generation Core Network Services: $200 USD
  • 642-889 Implementing Cisco Service Provider Next Generation Edge Network Services: $200 USD

Cisco is offering a credit towards 642-883 for those who have completed the ROUTE exam (which is part of CCNP). Other than that, with the new SP track, you are tasked with a total of 5 exams, totaling a cost of $1100 USD ($500 for CCNA-SP, $600 for CCNP-SP).

This year will be a rough transition for those looking to enter the service provider track. Actual CCIP certification will only be available until October 29th of this year, with both the BGP and MPLS core exams being retired by the end of June. And for those looking to go down the newly released track, training material will be sparse and not as widely available as those offered by Cisco Press covering BGP and MPLS.

In any case, it’s something that I’m passionate about and I will be looking forward to seeing developments with these certifications. Since I obtained my CCNP last year, I’ve always been interested in large service provider networks, so naturally I’ve gravitated towards this side of Cisco certification. I also hold a lot of respect for the titans of our industry, namely Ivan Pepelnjak, for their deep knowledge of MPLS, BGP and everything routing.

In the meantime, I’ll be looking to crank out some blog posts to complement my current studies with MPLS. For those looking to learn more about the protocol, I must recommend Luc De Ghein’s fantastic book MPLS Fundamentals. Further on my reading list is Ivan’s book MPLS & VPN Architectures, Sam Halabi’s Internet Routing Architectures and Randy Zhang & Micah Bartell’s BGP Design and Implementation. If I can fit a certification in between all that information, that’ll be fantastic. However, with Cisco’s current and newly updated SP track, it’s not as high on my agenda. I doubt it’s high on other network pros’ to-do lists either.

UPDATE: After making a similar post on the Cisco Learning Network forum, I received a reply from Rigo, the Community Manager, who explained that a valid CCIP certification can be used as a prerequisite towards the new CCNP SP certification. CCNA Service Provider is not required if you already have a valid CCIP. This makes things a little easier this year while CCIP certifications are still being issued (until October 29th this year).