§ 1 Cisco / CCIE Foundations
OSI and TCP/IP layering, encapsulation math, Cisco operating systems, lab tooling, automation protocols, and the mental model for reading CCIE-style topologies.
1. § 1.1 — OSI / TCP/IP Stack and Encapsulation
The OSI model is the clean vocabulary; the TCP/IP model is how real hosts and routers are usually configured. The useful habit is to name the PDU at each boundary: application data becomes a TCP segment or UDP datagram, then an IP packet, then an Ethernet frame, then bits.
Ethernet II Frame Layout
Ethernet II is a 14-byte header: 6-byte destination MAC, 6-byte source MAC, and a 2-byte Ethertype that identifies the next protocol, followed by 46 to 1500 bytes of payload and a 4-byte FCS. A type field of 0x0600 or above is an Ethertype; smaller values are an 802.3 length. Common values are 0x0800 for IPv4, 0x86DD for IPv6, 0x0806 for ARP, 0x8100 for 802.1Q (which inserts a 4-byte tag and pushes the real Ethertype 4 bytes further in), and 0x8847 for MPLS unicast.
MTU, MSS, and Fragmentation
Standard Ethernet MTU is 1500 bytes of L3 payload. With minimum IPv4 and TCP headers (no options), the usual TCP MSS is 1500 - 20 - 20 = 1460; each side advertises its MSS in the SYN, so clamping MSS at a tunnel or PPPoE edge is the common way to keep full-size segments from being fragmented. If an IPv4 packet is larger than the next-hop MTU and DF is clear, a router may fragment it: every fragment keeps the same IP Identification, all but the last set MF, and the Fragment Offset counts 8-byte units, so every non-final fragment payload is a multiple of 8. If DF is set, the router drops the packet and sends ICMP type 3 code 4 (fragmentation needed), which Path MTU Discovery depends on; filtering that ICMP blackholes large flows. Reassembly happens only at the destination host, and intermediate routers forward fragments independently. That is why NAT and stateful firewalls dislike non-first fragments: only the offset-0 fragment carries the TCP/UDP header, so ports are invisible unless the device tracks fragments by source, destination, protocol and ID. IPv6 moves the job to the host: routers never fragment, and the source must fragment itself or honour PMTUD.
Minimal C Demo — Encapsulation Builder
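This is an added example rather than the page's own demo code: a small C program that builds an Ethernet II header with a big-endian Ethertype, computes the TCP MSS for an MTU, and splits an IPv4 payload into fragments the way a router would, tracking the shared ID, the MF flag and the 8-byte offset units. The MAC addresses, the IP ID 0x1234 and the 4000-byte payload are constructed sample values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN     14    /* dst MAC 6 + src MAC 6 + Ethertype 2 (FCS not counted) */
#define ETH_MIN_PAYLOAD 46    /* padded so the frame is 64 bytes with FCS */
#define ETH_MTU         1500
#define IPV4_HDR_MIN    20
#define TCP_HDR_MIN     20
#define ETHERTYPE_IPV4  0x0800

/* Usable TCP payload per segment when IPv4 and TCP carry no options. */
int tcp_mss_for_mtu(int mtu)
{
    return mtu - IPV4_HDR_MIN - TCP_HDR_MIN;
}

/* Write an Ethernet II header plus payload into buf; returns the frame length
   (without FCS) or -1 if buf is too small. Short payloads are zero-padded. */
int eth_frame_build(uint8_t *buf, size_t cap, const uint8_t dst[6],
                    const uint8_t src[6], uint16_t ethertype,
                    const uint8_t *payload, size_t len)
{
    size_t body = len < ETH_MIN_PAYLOAD ? ETH_MIN_PAYLOAD : len;
    if (len > ETH_MTU || ETH_HDR_LEN + body > cap) return -1;
    memcpy(buf, dst, 6);
    memcpy(buf + 6, src, 6);
    buf[12] = (uint8_t)(ethertype >> 8);      /* Ethertype is big-endian on the wire */
    buf[13] = (uint8_t)(ethertype & 0xff);
    memset(buf + ETH_HDR_LEN, 0, body);
    memcpy(buf + ETH_HDR_LEN, payload, len);
    return (int)(ETH_HDR_LEN + body);
}

/* Ethertype from a frame; values below 0x0600 are an 802.3 length, not a type. */
uint16_t eth_ethertype(const uint8_t *frame)
{
    return (uint16_t)((frame[12] << 8) | frame[13]);
}

struct ipv4_frag {
    uint16_t id;            /* same Identification in every fragment of one packet */
    uint16_t offset_units;  /* Fragment Offset field: byte position / 8 */
    int      mf;            /* More Fragments flag; 0 only on the last fragment */
    int      payload_len;   /* bytes of the original L3 payload in this fragment */
    int      carries_l4;    /* only offset 0 contains the TCP/UDP header (ports) */
};

/* Split an IPv4 payload of payload_len bytes so every fragment fits mtu.
   Returns the fragment count, or -1 when DF is set and the packet does not
   fit (a router drops it and sends ICMP type 3 code 4, fragmentation needed). */
int ipv4_fragment(int payload_len, int mtu, int df, uint16_t id,
                  struct ipv4_frag *out, int max_out)
{
    int per_frag = (mtu - IPV4_HDR_MIN) & ~7;  /* all but the last must be a multiple of 8 */
    int off = 0, n = 0;
    if (per_frag <= 0 || max_out <= 0) return -1;
    if (payload_len + IPV4_HDR_MIN <= mtu) {
        out[0] = (struct ipv4_frag){ id, 0, 0, payload_len, 1 };
        return 1;
    }
    if (df) return -1;
    while (off < payload_len) {
        int len = payload_len - off;
        if (len > per_frag) len = per_frag;
        if (n == max_out) return -1;
        out[n++] = (struct ipv4_frag){ id, (uint16_t)(off / 8),
                                       off + len < payload_len, len, off == 0 };
        off += len;
    }
    return n;
}

int main(void)
{
    struct ipv4_frag f[8];
    int n = ipv4_fragment(4000, ETH_MTU, 0, 0x1234, f, 8);  /* constructed 4000-byte payload */
    printf("MSS for MTU %d = %d\n", ETH_MTU, tcp_mss_for_mtu(ETH_MTU));
    for (int i = 0; i < n; i++)
        printf("frag %d: id=0x%04x offset=%u (%u bytes) MF=%d len=%d l4=%d\n",
               i, f[i].id, f[i].offset_units, f[i].offset_units * 8u,
               f[i].mf, f[i].payload_len, f[i].carries_l4);
    return 0;
}
```

A 4000-byte payload behind a 1500-byte MTU comes out as three fragments with offsets 0, 185 and 370 (in 8-byte units) and only the first one reporting carries_l4. A stateful device that sees the second and third without the first has nothing to classify on, and a first fragment shorter than the full TCP header (the tiny-fragment trick from RFC 1858) carries the ports but hides the flags, which is why virtual reassembly or a minimum first-fragment length is the usual defence.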
2. § 1.2 — Cisco IOS Variants and CLI Modes
Cisco platforms differ most in process isolation and operational model: IOS Classic is monolithic, IOS-XE runs iosd on Linux, NX-OS exposes data-center features as modular services, and IOS-XR uses an atomic commit model with stronger process isolation for carrier networks.
| OS | Architecture | Typical Platforms | Operational Clue |
|---|---|---|---|
| IOS Classic | Monolithic image | Catalyst 2900/3560/3750, older ISR | Reload required for most upgrades |
| IOS-XE | Linux plus iosd | Catalyst 3850/9000, ISR 1000/4000, CSR1000v | show platform software process list |
| NX-OS | Linux-based modular services | Nexus 5K/7K/9K | feature ospf, checkpoints, run bash |
| IOS-XR | Process isolation (QNX microkernel on classic XR, Linux on 64-bit XR) | ASR 9000, NCS | commit, rollback configuration last 1 |
CLI Mode State Machine
Cisco CLI prompts are state. enable moves from user EXEC to privileged EXEC; configure terminal enters global configuration; subcommands enter interface, routing, or line contexts.
AAA, SSH, and NETCONF/YANG
- aaa new-model enables the AAA framework; without it, lines authenticate only with login or login local and the enable password.
- TACACS+ uses TCP/49, separates authentication from authorization, and obfuscates the whole packet body (only the header is clear), which is why it is preferred for per-command device authorization.
- RADIUS uses UDP/1812 for authentication and UDP/1813 for accounting (legacy 1645/1646), only hides the User-Password attribute, and is common for end-user and 802.1X authentication.
- NETCONF runs over SSH on TCP/830; YANG models define the configuration and operational-state schema.
Minimal C Demo — IOS CLI Navigator
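An added example, not the page's IOS CLI Navigator code: a C state machine that tracks the IOS mode across enable, configure terminal, interface/router/line, exit and end, and renders the prompt for each mode. Command matching is exact or prefix-by-word, the hostname R1 and the script in main are constructed input, and inside a sub-mode any line other than exit or end is accepted as a leaf configuration command (real IOS would parse it).

```c
#include <stdio.h>
#include <string.h>

enum cli_mode { MODE_USER_EXEC, MODE_PRIV_EXEC, MODE_GLOBAL_CONFIG,
                MODE_IF_CONFIG, MODE_ROUTER_CONFIG, MODE_LINE_CONFIG };

struct cli {
    enum cli_mode mode;
    char hostname[32];
};

void cli_init(struct cli *c, const char *hostname)
{
    c->mode = MODE_USER_EXEC;
    snprintf(c->hostname, sizeof c->hostname, "%s", hostname);
}

/* Prompt suffix IOS shows for each mode. */
static const char *mode_suffix(enum cli_mode m)
{
    switch (m) {
    case MODE_USER_EXEC:     return ">";
    case MODE_PRIV_EXEC:     return "#";
    case MODE_GLOBAL_CONFIG: return "(config)#";
    case MODE_IF_CONFIG:     return "(config-if)#";
    case MODE_ROUTER_CONFIG: return "(config-router)#";
    case MODE_LINE_CONFIG:   return "(config-line)#";
    }
    return "?";
}

const char *cli_prompt(const struct cli *c, char *buf, size_t cap)
{
    snprintf(buf, cap, "%s%s", c->hostname, mode_suffix(c->mode));
    return buf;
}

/* True when cmd is exactly word, or word followed by a space and arguments. */
static int starts_with_word(const char *cmd, const char *word)
{
    size_t n = strlen(word);
    return strncmp(cmd, word, n) == 0 && (cmd[n] == '\0' || cmd[n] == ' ');
}

static int in_submode(const struct cli *c)
{
    return c->mode == MODE_IF_CONFIG || c->mode == MODE_ROUTER_CONFIG ||
           c->mode == MODE_LINE_CONFIG;
}

/* Apply one command line. Returns 0 on a valid transition or leaf command,
   -1 when the command is not available in the current mode (IOS prints
   "% Invalid input detected", e.g. configure terminal before enable). */
int cli_step(struct cli *c, const char *cmd)
{
    if (c->mode == MODE_GLOBAL_CONFIG || in_submode(c)) {
        if (strcmp(cmd, "end") == 0) { c->mode = MODE_PRIV_EXEC; return 0; } /* Ctrl-Z too */
        if (strcmp(cmd, "exit") == 0) {
            c->mode = in_submode(c) ? MODE_GLOBAL_CONFIG : MODE_PRIV_EXEC;
            return 0;
        }
    }
    switch (c->mode) {
    case MODE_USER_EXEC:
        if (strcmp(cmd, "enable") == 0) { c->mode = MODE_PRIV_EXEC; return 0; }
        if (starts_with_word(cmd, "show")) return 0;  /* a limited show set works here */
        break;
    case MODE_PRIV_EXEC:
        if (strcmp(cmd, "configure terminal") == 0 || strcmp(cmd, "conf t") == 0) {
            c->mode = MODE_GLOBAL_CONFIG; return 0;
        }
        if (strcmp(cmd, "disable") == 0) { c->mode = MODE_USER_EXEC; return 0; }
        if (strcmp(cmd, "write memory") == 0 || starts_with_word(cmd, "show")) return 0;
        break;
    case MODE_GLOBAL_CONFIG:
        if (starts_with_word(cmd, "interface")) { c->mode = MODE_IF_CONFIG; return 0; }
        if (starts_with_word(cmd, "router"))    { c->mode = MODE_ROUTER_CONFIG; return 0; }
        if (starts_with_word(cmd, "line"))      { c->mode = MODE_LINE_CONFIG; return 0; }
        if (starts_with_word(cmd, "hostname") && cmd[8] == ' ' && cmd[9] != '\0') {
            snprintf(c->hostname, sizeof c->hostname, "%s", cmd + 9);  /* prompt changes at once */
            return 0;
        }
        return 0;  /* other global lines (e.g. aaa new-model) are leaf commands */
    default:
        return 0;  /* inside a sub-mode every other line is a leaf config command */
    }
    return -1;
}

int main(void)
{
    /* Constructed session script; R1 is a made-up hostname. */
    const char *script[] = { "configure terminal", "enable", "configure terminal",
                             "hostname CORE1", "interface GigabitEthernet0/0",
                             "ip address 10.0.0.1 255.255.255.0", "exit",
                             "router ospf 1", "end", "write memory" };
    struct cli c; char prompt[64];
    cli_init(&c, "R1");
    for (size_t i = 0; i < sizeof script / sizeof script[0]; i++) {
        printf("%s %s\n", cli_prompt(&c, prompt, sizeof prompt), script[i]);
        if (cli_step(&c, script[i]) != 0) printf("%% Invalid input detected\n");
    }
    return 0;
}
```

The first line of the script is rejected on purpose: configure terminal is not reachable from R1> until enable has raised the session to privileged EXEC, which is the same boundary that TACACS+ per-command authorization and enable secret protect on a real box.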
3. § 1.3 — Certification Path
The Enterprise path is CCNA 200-301, then CCNP ENCOR 350-401 plus one concentration, then CCIE Enterprise Infrastructure. Other professional tracks follow the same core-plus-concentration shape before their CCIE labs.
4. § 1.4 — Lab Tooling
Pick lab tooling by fidelity and workflow. Packet Tracer is a simulator for CCNA learning. GNS3, EVE-NG, and CML emulate vendor images. Containerlab is topology-as-code and fast enough for CI when the NOS supports containers.
| Tool | Image Fidelity | Spin-up Speed | CI Support | Resource Cost | Multi-vendor |
|---|---|---|---|---|---|
| GNS3 | Real images via Dynamips/Qemu | Medium | Limited | High per VM | Strong |
| EVE-NG | Real VM images | Medium | Moderate | High per VM | Very strong |
| Cisco CML | Official Cisco images | Medium | Good via REST API | Medium to high | Cisco-first |
| Containerlab | Container NOS images | Fast | Excellent | Low to medium | Strong for modern NOS |
| Packet Tracer | Simulation only | Fast | Poor | Low | Cisco learning features |
5. § 1.5 — Network Automation
Automation moves from imperative CLI pushes toward model-driven state. Ansible can use SSH or NETCONF; NETCONF provides XML RPCs and transactional operations; RESTCONF maps YANG data to HTTP resources; gNMI adds efficient streaming telemetry over gRPC.
| Mechanism | Transport | Data Model | Common Tools |
|---|---|---|---|
| Ansible CLI | SSH | Text config snippets | ios_config, nxos_config |
| NETCONF | SSH/830 | YANG + XML | ncclient, pyATS |
| RESTCONF | HTTPS | YANG + JSON/XML | curl, Python requests |
| gNMI | gRPC | OpenConfig / vendor YANG paths | gnmic, streaming collectors |
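An added example that goes one layer below the table: how a NETCONF 1.1 message is framed on the SSH channel. RFC 6242 wraps each message in chunks ("\n#<size>\n" followed by the data, ended by "\n##\n") once both peers advertise base:1.1; the initial hello exchange still uses the older ]]>]]> end-of-message marker. This C encoder and decoder is not from the page or from any Cisco tool, and the <rpc> body in main is a constructed get-config. The decoder checks every peer-supplied chunk size against the bytes actually present before copying, which is the check you want in anything that parses length-prefixed input from a device.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Encode one NETCONF message as a single RFC 6242 chunk:
   "\n#<len>\n" data "\n##\n".  Returns bytes written, or -1 if cap is too small. */
int netconf_chunk_encode(const char *msg, size_t msg_len, char *out, size_t cap)
{
    int hdr = snprintf(out, cap, "\n#%zu\n", msg_len);
    if (hdr < 0 || (size_t)hdr + msg_len + 4 > cap) return -1;
    memcpy(out + hdr, msg, msg_len);
    memcpy(out + hdr + msg_len, "\n##\n", 4);
    return hdr + (int)msg_len + 4;
}

/* Decode one chunked message from in[0..in_len). Concatenates the chunks into
   out, NUL-terminates it and returns the decoded length, or -1 on malformed or
   truncated input. Every chunk-size is bounded by what is really in the input
   buffer and by the output capacity before any byte is copied. */
int netconf_chunk_decode(const char *in, size_t in_len, char *out, size_t cap)
{
    size_t pos = 0, outlen = 0;
    if (cap == 0) return -1;
    for (;;) {
        if (pos + 2 > in_len || in[pos] != '\n' || in[pos + 1] != '#') return -1;
        pos += 2;
        if (pos + 2 <= in_len && in[pos] == '#' && in[pos + 1] == '\n') {
            out[outlen] = '\0';           /* "\n##\n" end-of-chunks marker */
            return (int)outlen;
        }
        /* chunk-size: 1 to 10 decimal digits, no leading zero (RFC 6242 section 4.2) */
        uint64_t size = 0; size_t digits = 0;
        while (pos < in_len && in[pos] >= '0' && in[pos] <= '9') {
            if (digits == 0 && in[pos] == '0') return -1;
            size = size * 10 + (uint64_t)(in[pos] - '0');
            if (++digits > 10) return -1;
            pos++;
        }
        if (digits == 0 || pos >= in_len || in[pos] != '\n') return -1;
        pos++;
        if (size > 4294967295ULL || size > in_len - pos || size > cap - 1 - outlen) return -1;
        memcpy(out + outlen, in + pos, (size_t)size);
        outlen += (size_t)size;
        pos += (size_t)size;
    }
}

int main(void)
{
    /* Constructed get-config RPC; a real session would send it after the hello. */
    const char *rpc = "<rpc message-id=\"101\" xmlns=\"urn:ietf:params:xml:ns:netconf:base:1.0\">"
                      "<get-config><source><running/></source></get-config></rpc>";
    char wire[512], back[512];
    int n = netconf_chunk_encode(rpc, strlen(rpc), wire, sizeof wire);
    int m = n < 0 ? -1 : netconf_chunk_decode(wire, (size_t)n, back, sizeof back);
    printf("encoded %d bytes, decoded %d bytes, round-trip %s\n", n, m,
           m == (int)strlen(rpc) && strcmp(back, rpc) == 0 ? "ok" : "FAILED");
    return 0;
}
```

Tools such as ncclient do this framing for you, but when you are debugging a session from a packet capture or writing a collector, the two failure modes to recognise are a chunk-size that claims more bytes than arrived (the decoder above returns -1 instead of reading past the buffer) and a message that ends without the "\n##\n" terminator, which the decoder also rejects rather than returning a partial RPC.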
6. § 1.6 — Reading the CCIE Lab Topology
Start by separating control, data, and management planes. Then label the P, PE, and CE roles, count routing domains and AS numbers, mark VRF boundaries, and identify the out-of-band path you will need when the in-band routing task breaks.
Walkthrough Checklist
- Count AS numbers and determine which sessions are eBGP versus iBGP.
- Find the MPLS domain boundary: provider core versus customer edge.
- List VRFs and route-target import/export policy before touching BGP.
- Circle redundancy points: dual PE links, dual distribution switches, or first-hop HA.
- Verify management reachability so recovery does not depend on the broken data plane.
7. Interview Prep
- MTU vs MSS: MTU is the link L3 payload limit; MSS is the TCP payload limit, normally MTU minus IP and TCP headers.
- Why fragmentation hurts NAT: non-first fragments do not carry TCP/UDP ports, so stateful devices cannot classify the flow without fragment tracking.
- IOS-XR commit vs IOS-XE write memory: IOS-XR stages changes in a candidate configuration and applies them atomically with commit (and can roll them back); IOS-XE applies each line to the running config immediately, and only write memory (copy running-config startup-config) makes it survive a reload.
- P, PE, CE: P routers carry provider core labels/routes, PE routers attach customer VRFs, and CE routers belong to the customer edge.
- NETCONF and YANG: NETCONF is the RPC protocol; YANG is the schema that gives configuration and telemetry stable structure.