CCIE Enterprise Infrastructure: The Complete Study Hub

CCIE Enterprise Infrastructure study hub - 58 articles mapped to the EI v1.1 blueprint

This is the complete study hub for the CCIE Enterprise Infrastructure v1.1 lab, mapped to the official blueprint and built on real Cisco IOS XE output. Every topic below links to a PingLabz article grounded in a live Cisco Modeling Labs capture - not theory, not vendor slides, but the actual show output an expert reader can trust. Where a technology genuinely cannot be labbed without a controller (SD-Access needs Catalyst Center; SD-WAN needs the full Manager stack), we say so plainly and ground the explanation in the real component protocols instead.

This hub assumes you have the CCNP-level foundations. If your fundamentals are rusty, start with the Start Here onboarding hub and the CCNA lab library first. The CCIE tier is about the layer that separates professional depth from expert depth: edge cases, design trade-offs, policy at scale, failure modes, and integration.

The CCIE EI v1.1 blueprint, at a glance

1.0 Network Infrastructure
30%
BGP, OSPF, EIGRP, switched campus - at expert depth. 27 articles.
2.0 Software-Defined Infrastructure
25%
SD-Access and Catalyst SD-WAN. 13 articles.
3.0 Transport Technologies
15%
MPLS L3VPN and DMVPN. 6 articles.
4.0 Security & Services
15%
L2 security, IOS services, IPv6 services. 12 articles.
5.0 Automation & Programmability
15%
EEM, Python, Jinja, data models, telemetry. 6 articles.

1.0 Network Infrastructure - 30%

The largest domain and the site's deepest coverage - the old CCIE R&S long tail, closed. BGP policy and scale, OSPF pathologies, EIGRP integration, and switched-campus closure, all on real Cisco output.

Expert BGP: policy, scale, and IPv6 transport

BGP conditional advertisement
advertise-map, exist-map and non-exist-map - withhold a prefix until a condition fires.
BGP Outbound Route Filtering (ORF)
push your inbound filter to the neighbor so unwanted routes are never sent.
BGP route dampening
the penalty algorithm, the four timers, and why the internet backed away from it.
Designing BGP policy with communities
an origin/scope/blackhole scheme and a working RTBH.
BGP multipath and load sharing
eBGP, iBGP, eiBGP - and the next-hop rewrite that hides a bug.
IPv6 over BGP and 6PE
IPv6 across an IPv4-only MPLS core, with the labels to prove it.
Expert BGP troubleshooting
five broken scenarios, ticket style, with the diagnostic trail for each.

Expert OSPF: timers, suppression, and pathologies

OSPF SPF and LSA throttling timers
exponential backoff and the modern IOS XE defaults.
OSPF prefix suppression
shrink the routing table - and the external route it can silently kill.
OSPF stub router (max-metric router-lsa)
drain a router for maintenance without dropping a packet.
The OSPF forwarding address
the five conditions and the silent RIB failure.
OSPF filtering compared
area range vs filter-list vs distribute-list vs summary-address.
OSPF path preference
O, O IA, E1, N1, E2, N2 - proven with type beating metric.
Expert OSPF troubleshooting
five broken scenarios and the one error OSPF actually names.

Expert EIGRP and IGP integration

EIGRP over DMVPN: multi-hub
no split-horizon and no next-hop-self on the mGRE hub.
EIGRP Site of Origin (SoO)
loop prevention for dual-homed WAN sites.
EIGRP summarization with leak maps
send the summary and leak the specifics that matter.
EIGRP offset lists
surgical metric manipulation - make one hub primary.
Multi-protocol redistribution
the AD race and route feedback, broken and fixed.
IGP migration: EIGRP to OSPF
ships in the night, zero packet loss.

Switched campus closure: expert Layer 2

MST and PVST+ interoperation
the boundary, the CIST, and the PVST simulation inconsistency.
UDLD
catch the physical fault spanning tree cannot see.
Storm control
stop a broadcast flood at the port.
Switch administration
SDM templates, errdisable recovery, and CAM aging.
Expert Layer 2 troubleshooting
five broken scenarios, and why L2 tells you what's wrong.

2.0 Software-Defined Infrastructure - 25%

SD-Access and Catalyst SD-WAN. SD-Access needs Catalyst Center and cannot be fully labbed, so that series is an honest concept-and-components treatment grounded in the real LISP/VXLAN/TrustSec captures on the site. SD-WAN is presented against Cisco's current 20.x documentation.

SD-Access deep series

SD-Access underlay
manual vs LAN Automation, and the MTU mistake.
SD-Access fabric roles
edge, border, control plane, fabric in a box.
SD-Access host onboarding
from port to policy, and the anycast gateway.
SD-Access border handoff
IP transit, SDA transit, and L2 handoff.
SD-Access segmentation
macro (VN) vs micro (SGT).
SD-Access design questions
where fabrics fit and where they don't.

Advanced Catalyst SD-WAN

SD-WAN templates
device, feature, and CLI templates - and config groups.
OMP deep dive
routes, TLOCs, service routes, and path selection - SD-WAN's BGP.
SD-WAN centralized control policy
shaping the overlay from the Controller.
SD-WAN data policy and AAR
application-aware routing measured live by BFD.
SD-WAN localized policy
ACLs and route policies at the edge.
Direct Internet Access (DIA)
break out branch internet locally, securely.
TLOC extension
share a transport between edge routers for real HA.

3.0 Transport Technologies - 15%

MPLS L3VPN and DMVPN, closed in full - VPNv6/6VPE, BGP PE-CE edge cases, dual-hub DMVPN, and IKEv1 vs IKEv2, all on real Cisco output.

MPLS and DMVPN expert

MPLS VPNv6 and 6VPE
IPv6 L3VPN over an IPv4 core, with the two-label stack.
BGP as the PE-CE protocol
as-override, allowas-in, and SoO.
Dual-hub DMVPN
redundancy designs that actually fail over - and the NHRP holdtime trap.
DMVPN with IKEv1 vs IKEv2
both crypto suites side by side, and the migration.
MPLS and DMVPN together
choosing and combining enterprise transports.
Expert transport troubleshooting
MPLS and DMVPN ticket scenarios, isolated layer by layer.

4.0 Infrastructure Security and Services - 15%

Switch access security and IOS services, closed. The L2 security stack (from domain 1's switching articles) plus VRF-aware NAT, the IOS DHCP server, SNMPv3, EPC, and IPv6 services - including a real SHA/AES-encrypted SNMPv3 trap decrypted on Linux.

Layer 2 access security

DHCP snooping in depth
bindings, Option 82, and trusted ports - the L2 security foundation.
Dynamic ARP Inspection and IP Source Guard
the stack that stops ARP and IP spoofing.

IOS services and IPv6 services

VRF-aware NAT on IOS XE
overlapping tenants reaching a shared service, proven with identical hosts.
The IOS DHCP server in depth
options, classes, and manual bindings.
SNMPv3 in production
users, groups, views, traps and informs - a real encrypted trap decrypted on Linux.
Embedded Packet Capture
Wireshark inside your router.
IPv6 services closure
NPTv6, DHCPv6-PD, and general prefix.
Expert services troubleshooting
NAT, DHCP and services faults where the RIB shows nothing.

5.0 Automation and Programmability - 15%

The programmability domain. A fully-captured YAML-to-Jinja-to-Netmiko pipeline and a real EEM applet, plus the on-box and model-driven features (Guest Shell, telemetry) presented against real IOS XE syntax with honest platform notes.

Automation closure

Jinja2 templates for network configs
the full pipeline: variables to rendered CLI to a live router.
JSON vs XML vs YAML
one payload, three ways - RESTCONF, NETCONF, Ansible.
Advanced EEM
Tcl, multi-event correlation, and EEM + Python.
Guest Shell on IOS XE
Linux inside your router.
On-box Python
scripting IOS XE from the inside.
Model-driven telemetry
gRPC dial-out that ends SNMP polling.

The CCIE Super Labs (member content)

Reading closes the knowledge gap; the Super Labs close the integration gap - the thing the CCIE lab actually tests. These are full-scale, multi-technology topologies that combine everything above into the kind of converged network the exam hands you, plus a ticket gauntlet modelled on the troubleshooting section. They are the membership flagship. See the CCIE Super Lab Library.

How to use this hub

Work each domain in order - they build on each other, and the troubleshooting article at the end of each series is where the theory becomes muscle memory. Run every configuration in a lab; every article on this site is built on real Cisco Modeling Labs output precisely so you can reproduce it. When you can name the cause of each troubleshooting scenario from show output alone, you are ready for that domain.

Prerequisite path: Start HereCCNA labs → the CCNP clusters (BGP, OSPF, EIGRP, MPLS and the rest, linked from each pillar) → this CCIE hub → the Super Labs. That is the full CCNA → CCNP → CCIE Enterprise ladder, every rung on real output.

Key takeaways

The CCIE EI v1.1 lab is 30% infrastructure, 25% software-defined, and 15% each of transport, security/services, and automation. This hub maps all 58 free articles to those five domains, every one grounded in a real Cisco capture. Bookmark this page, work the domains in order, and finish with the Super Labs. By the time you complete it you will have seen, on real output, every EI topic a CCIE lab or a 3 a.m. ticket can throw at you.

The CCIE EI v1.1 Field Reference (PDF)

Download the field reference. A one-page condensed reference - administrative distances, the BGP best-path order, OSPF path preference, the transport and SD-WAN quick-refs, and the gotchas that cost hours - every value verified in Cisco Modeling Labs. Download the CCIE EI v1.1 Field Reference (PDF)
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Ping Labz.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.