Exam weight: 10% | Labs: 5
2.1 Device Virtualization Technologies
Hypervisor Types
- Type 1 (Bare-Metal): Runs directly on hardware with no host OS; high performance for production data centers (VMware ESXi, MS Hyper-V, KVM)
- Type 2 (Hosted): Runs on top of a host OS; used for development and testing (VMware Workstation, VirtualBox, Parallels)
Virtual Machines — Key Concepts
- Snapshots: Point-in-time captures of VM state
- vMotion/Live Migration: Moves a running VM between hosts with zero downtime
- Templates: Golden master images for rapid deployment
- VM isolation: Each VM has its own OS and resource boundary
- Overcommitment: Allocating more vCPU/RAM to VMs in total than the host physically has
Virtual Switching
- Standard vSwitch (VSS): Single ESXi host, per-host management
- Distributed vSwitch (DVS): Spans multiple hosts, centrally managed via vCenter, follows VMs during migration
2.2 Data Path Virtualization
VRF (Virtual Routing and Forwarding)
Creates multiple isolated routing tables on a single router.
- Route Distinguisher (RD): Keeps overlapping prefixes from different VRFs unique when carried in MP-BGP/MPLS
- Route Target (RT): Controls which routes are imported/exported
- VRF Lite: VRF without MPLS; uses sub-interfaces or separate physical links
- Route leaking: Selectively shares routes between VRFs
GRE Tunneling
- IP protocol 47
- Supports multicast and routing protocols over the tunnel
- Adds 24-byte overhead; no encryption
IPsec
- Phase 1 (IKE): Establishes a secure management channel (ISAKMP SA)
- Phase 2: Negotiates data encryption parameters (IPsec SA)
- Tunnel Mode: Encrypts entire original packet; used for site-to-site VPNs
- Transport Mode: Encrypts payload only; used for end-to-end host encryption
- GRE over IPsec: Combines multicast/routing protocol support with encryption
2.3 Network Virtualization (Overlay Networks)
LISP (Locator/ID Separation Protocol)
Separates identity (EID) from location (RLOC). Enables seamless mobility without IP address changes.
- ITR (Ingress Tunnel Router): Encapsulates outgoing packets
- ETR (Egress Tunnel Router): Decapsulates incoming packets
- xTR: Performs both ITR and ETR roles
- Map-Server: Receives EID-to-RLOC registrations from ETRs
- Map-Resolver: Answers map-requests from ITRs
VXLAN (Virtual Extensible LAN)
- Extends Layer 2 across Layer 3 boundaries
- 24-bit VNID supporting ~16 million segments (vs. 4,094 VLAN limit)
- UDP port 4789
- ~50 bytes overhead per frame
- VTEP: Performs encapsulation/decapsulation at the network edge
Hands-On Labs
Lab 1: VRF-Lite Configuration
Configure DEPT-A and DEPT-B as isolated routing domains using the vrf definition and vrf forwarding commands. Verify with show ip route vrf.
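A worked configuration for this lab, added here as an example and not taken from the course material: one IOS-XE router with two VRFs on 802.1Q sub-interfaces. The interface names, VLAN tags, and 10.10.0.0/24 addresses are constructed; the overlapping subnet is deliberate, to show that the two tables really are isolated.

```cisco
! Added example, not from the page. Interface names, VLAN tags and
! addresses are assumed values for a lab.
vrf definition DEPT-A
 address-family ipv4
 exit-address-family
!
vrf definition DEPT-B
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0
 no shutdown
!
! vrf forwarding must be applied BEFORE ip address: IOS strips any
! existing IP address from an interface when it is moved into a VRF.
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 vrf forwarding DEPT-A
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 vrf forwarding DEPT-B
 ip address 10.10.0.1 255.255.255.0
!
! One OSPF process per VRF; neither process sees the other's routes.
router ospf 10 vrf DEPT-A
 network 10.10.0.0 0.0.0.255 area 0
!
router ospf 20 vrf DEPT-B
 network 10.10.0.0 0.0.0.255 area 0
!
! Verification (exec mode):
!   show ip vrf interfaces          -> which interfaces sit in which VRF
!   show ip route vrf DEPT-A        -> DEPT-A table only
!   show ip route vrf DEPT-B        -> DEPT-B table only
!   ping vrf DEPT-A 10.10.0.2       -> sourced from the DEPT-A table
!   ping 10.10.0.2                  -> fails: the global table has no such route
```

The last two pings are the useful check: the same destination is reachable from inside the VRF and unreachable from the global table, which is the isolation the lab is meant to demonstrate. Any route leaking between DEPT-A and DEPT-B would need explicit configuration (static routes with a VRF next hop, or RT import/export), so its absence is the default.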
Lab 2: GRE Tunnel with OSPF
Configure a GRE tunnel between two routers and establish an OSPF adjacency over the tunnel.
Lab 3: IPsec Site-to-Site VPN (IKEv2)
Build a site-to-site VPN using IKEv2. Configure crypto proposal, policy, keyring, profile, transform set, and crypto map.
Lab 4: GRE over IPsec
Combine GRE and IPsec using tunnel protection profiles to support routing protocols with encryption.
Lab 5: VXLAN Configuration
Configure VXLAN on Cisco Nexus/Catalyst with an NVE interface and VLAN-to-VNI mapping. Verify with show nve peers and show vxlan interface.
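A worked NX-OS configuration for this lab, added here as an example and not taken from the course material: flood-and-learn VXLAN between two Nexus VTEPs with static ingress replication, which is the simplest form that exercises the NVE interface and VNI mapping. The loopback addresses, the 10.1.12.0/30 underlay link, VLAN 100, VNI 10100 and the interface names are constructed; the second VTEP mirrors this with the addresses swapped.

```cisco
! Added example, not from the page. Addresses, VLAN/VNI numbers and
! interface names are assumed lab values. Shown for VTEP-1; VTEP-2 mirrors it.
feature ospf
feature nv overlay
feature vn-segment-vlan-based
!
! Map the Layer 2 segment to a 24-bit VNI.
vlan 100
  name DEPT-A
  vn-segment 10100
!
! Underlay: routed link plus a loopback that serves as the VTEP address.
! The jumbo MTU leaves room for the ~50-byte VXLAN encapsulation.
interface loopback0
  ip address 10.0.0.1/32
  ip router ospf UNDERLAY area 0.0.0.0
!
interface Ethernet1/1
  no switchport
  mtu 9216
  ip address 10.1.12.1/30
  ip router ospf UNDERLAY area 0.0.0.0
  no shutdown
!
router ospf UNDERLAY
  router-id 10.0.0.1
!
! Overlay: the NVE interface sources VXLAN/UDP 4789 from loopback0 and
! floods BUM traffic for VNI 10100 to the listed peer VTEP.
interface nve1
  no shutdown
  source-interface loopback0
  member vni 10100
    ingress-replication protocol static
      peer-ip 10.0.0.2
!
! Host-facing access port in the mapped VLAN.
interface Ethernet1/10
  switchport
  switchport access vlan 100
  no shutdown
!
! Verification (exec mode):
!   show nve peers                 -> 10.0.0.2 listed as Up
!   show nve vni                   -> VNI 10100, type L2 [100], state Up
!   show vxlan                     -> VLAN 100 <-> VNI 10100 mapping
!   show ip route ospf             -> 10.0.0.2/32 reachable in the underlay
!   show mac address-table vlan 100 -> remote MACs learned via nve1
```

The order of checks matters: if show nve peers shows nothing, the underlay (loopback reachability over OSPF) is the usual culprit, not the overlay configuration. Note also that VXLAN itself adds no encryption or authentication; the UDP 4789 transport should only be reachable between the VTEP loopbacks, so border filtering of that port is part of a production design even though the lab does not require it.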
