Roadmap

Network Engineer

The senior networking professional who designs, architects, and implements complex network infrastructure. Moves beyond day-to-day administration into large-scale routing, advanced switching, WAN design, network automation, and cloud networking.

OPTIMISTIC 3–4 yearsREALISTIC 4–6 years

Stage 00

Foundations (Network Administrator Prerequisites)

Network engineering builds directly on network administration depth. Everything from the Network Administrator path is a prerequisite.

All Network Administrator Content Required

Computer and IT hardware fundamentals
Networking fundamentals — full OSI model, TCP/IP, subnetting (must be fast and accurate), IPv6
All protocols: DNS, DHCP, NTP, SNMP, HTTP/HTTPS/TLS
Cisco IOS fundamentals — interface config, VLANs, STP, inter-VLAN routing
Static routing and OSPF basics
Firewall fundamentals — ACLs, NAT, stateful inspection
VPN — IPsec, SSL/TLS
Wireless networking — 802.11 standards, WPA2/WPA3, controller-based architectures
Network monitoring — SNMP, PRTG, Wireshark, tcpdump
Security fundamentals — CompTIA Security+ level

Cert checkpoint

CompTIA Network+ and CCNA 200-301 should be complete before entering network engineer territory.

Stage 01

Advanced Routing Protocols

BGP is the most important routing protocol in enterprise and service provider networking. OSPF multi-area design and EIGRP depth complete the routing picture.

OSPF — Advanced

Multi-area design — backbone (Area 0), regular areas, stub/totally stubby/NSSA
LSA types 1–7 — detailed function of each, where each type flows
OSPF area types and their LSA restrictions:
Standard — all LSA types
Stub — no Type 5; uses default route for external destinations
Totally Stubby — no Type 3, 4, or 5; ABR injects default route (Cisco proprietary)
NSSA — allows Type 7 LSAs (redistributed external) in stub environment; converted to Type 5 at ABR
OSPF network types — broadcast (DR/BDR election), non-broadcast (manual neighbors), P2P (no DR), P2MP, P2MP non-broadcast
DR/BDR election — priority manipulation, preemption behavior
OSPF route redistribution — redistributing from EIGRP, static, BGP, connected into OSPF with metric and metric-type
OSPF authentication — null, plain text, MD5 — interface and area-level configuration
Summarization — inter-area (ABR: area range), external (ASBR: summary-address)
OSPFv3 for IPv6 — separate process, configured per interface, LSA type changes

BGP — Deep (The Internet's Routing Protocol)

BGP basics:
TCP port 179 — manual neighbor configuration
iBGP vs eBGP — same AS vs different AS; eBGP default TTL=1 (no multihop required), iBGP requires full mesh or route reflectors
BGP states — Idle → Connect → Active → OpenSent → OpenConfirm → Established
NLRI (Network Layer Reachability Information) — what BGP actually advertises
Update message — path attributes + prefixes
Keepalive — 60-second default, hold timer 180 seconds
BGP path attributes:
Well-known mandatory — AS_PATH, NEXT_HOP, ORIGIN
Well-known discretionary — LOCAL_PREF, ATOMIC_AGGREGATE
Optional transitive — COMMUNITY, AGGREGATOR
Optional non-transitive — MED, ORIGINATOR_ID, CLUSTER_LIST
WEIGHT — Cisco proprietary, highest wins, not sent to peers
BGP best path selection algorithm (memorize the order):
Highest WEIGHT (Cisco only, locally significant)
Highest LOCAL_PREF (iBGP, local AS)
Locally originated routes (network/redistribute/aggregate)
Shortest AS_PATH
Lowest ORIGIN (IGP < EGP < Incomplete)
Lowest MED (from same neighbor AS)
eBGP over iBGP
Lowest IGP metric to NEXT_HOP
Oldest eBGP route
Lowest Router ID
Lowest neighbor IP address
BGP route manipulation:
Route maps — match (ip address prefix-list, as-path, community) + set (local-preference, weight, med, as-path prepend, community)
Prefix lists — more precise than ACLs for network matching; exact match with ge/le
AS-PATH access lists — regex matching for filtering based on AS_PATH
Communities — standard (2+2 bytes), extended (8 bytes), large (12 bytes); tagging routes for policy
Well-known communities — NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED
Sending/receiving communities — send-community configuration
MED manipulation — influencing inbound traffic from directly connected ASes
LOCAL_PREF — influencing outbound path within an AS
AS-path prepending — making paths look longer to influence inbound traffic
BGP filtering:
distribute-list with ACL — match based on prefix
prefix-list filtering — neighbor prefix-list [name] in/out
route-map filtering — neighbor route-map [name] in/out
filter-list with as-path ACL — neighbor filter-list [acl] in/out
BGP scalability:
Route reflectors — iBGP full mesh alternative; RR reflects routes between clients; ORIGINATOR_ID and CLUSTER_LIST prevent loops
Confederations — split AS into sub-ASes; reduces full mesh requirement; sub-AS peering with eBGP-like rules
BGP synchronization — disabled in modern environments (legacy: don't advertise iBGP route until IGP has it)
BGP advanced features:
Soft reconfiguration — storing inbound BGP table without resetting session (clear ip bgp neighbor soft)
Graceful restart — maintaining forwarding during BGP process restart
BGP dampening — penalty-based route flap suppression
Multiprotocol BGP (MP-BGP) — carrying multiple address families: IPv6, VPN, EVPN, multicast
BGP for MPLS VPNs — VPNv4 address family, route distinguishers, route targets
BGP security — GTSM (Generalized TTL Security Mechanism), MD5 authentication, route origin validation with RPKI

EIGRP — Advanced

DUAL algorithm — Feasibility Condition: RD < FD ensures loop-free alternate path
Successor and feasible successor — active route and pre-computed backup route
Stuck-In-Active (SIA) — when no feasible successor and query process stalls; SIA timers
EIGRP metrics — composite: K1 (bandwidth) and K3 (delay) active by default; K2 (load), K4/K5 (reliability) typically disabled
EIGRP wide metrics — 64-bit metric for high-bandwidth interfaces (100G+)
EIGRP stub — prevents non-stub routers from querying stub routers; reduces SIA
EIGRP route summarization — manual summary at interface level
EIGRP authentication — MD5, SHA-256 (named mode)
EIGRP named mode — address family-based configuration; unified IPv4/IPv6
Redistribution into/from EIGRP — metric values required for redistribution

IS-IS

ISO/OSI routing protocol — widely used in service provider and large enterprise
CLNS addressing vs IP integration — NET (Network Entity Title) format
Level 1 — intra-area routing (like OSPF intra-area)
Level 2 — inter-area/backbone routing (like OSPF backbone area)
Level 1/2 — border routers; similar to OSPF ABR
IS-IS TLVs — Type Length Value encoding; extensible for new capabilities
IS-IS for IPv6 — uses multi-topology TLVs
IS-IS vs OSPF — IS-IS preferred in large service providers; faster convergence, more scalable; carries MPLS TE

Resources

Jeremy's IT Lab (free YouTube)
INE CCNP Enterprise (paid)
Cisco CCNP ENCOR Official Cert Guide (book)
CBT Nuggets CCNP (paid)
GNS3/EVE-NG for labs

Stage 02

Data Center & Campus Architecture

Network engineers design network topologies. Understanding three-tier, spine-leaf, and campus architectures is required for senior roles.

Three-Tier Campus Architecture

Access layer — workstation, phone, AP connections; PoE; Layer 2 (access VLANs)
Distribution layer — inter-VLAN routing; policy enforcement; connection to access and core
Core layer — high-speed backbone; minimum features; fast switching; redundancy

Spine-Leaf (Clos) Architecture

Why spine-leaf — predictable latency, any-to-any connectivity, horizontal scaling
Spine switches — high-port-density Layer 3 switches; connect to all leaf switches
Leaf switches — connect to servers and endpoints; connect to all spines
No oversubscription — every leaf connects to every spine
East-west traffic dominance — server-to-server traffic within data center
BGP vs OSPF as underlay — BGP as underlay becoming common; OSPF traditional
VXLAN overlay — extending Layer 2 over Layer 3 underlay (see EVPN section)

VXLAN and EVPN

Why VXLAN — overlaying Layer 2 networks over Layer 3 spine-leaf infrastructure
VXLAN encapsulation — original Ethernet frame + VXLAN header + UDP + IP; VNI (VXLAN Network Identifier) identifies virtual segment
VTEP (VXLAN Tunnel Endpoint) — encapsulates/decapsulates VXLAN; typically the leaf switch
EVPN (Ethernet VPN) — MP-BGP control plane for VXLAN; replaces flood-and-learn
Route Types — Type 2 (MAC/IP advertisement), Type 3 (Inclusive Multicast), Type 5 (IP prefix)
ARP suppression — VTEP answers ARP locally rather than flooding
Symmetric vs asymmetric IRB — inter-subnet routing models
BGP EVPN address family configuration

Private VLANs (PVLANs)

Primary VLAN contains secondary VLANs
Secondary types — isolated (can only communicate with promiscuous), community (communicate within community + promiscuous)
Promiscuous port — communicates with all ports in primary VLAN (router/firewall uplink)
Use case — hosting environments where tenant isolation is required

FlexPod / Converged Infrastructure

Cisco UCS (Unified Computing System) — server fabric with Fabric Interconnects
Cisco Nexus switching in data center — NX-OS vs IOS differences
vPC (Virtual Port Channel) — eliminates STP blocked ports on dual-connected switches

Cisco SD-Access

Campus fabric solution — underlay (IS-IS or OSPF) + overlay (VXLAN + LISP)
LISP (Locator/ID Separation Protocol) — separating endpoint identity from location
DNA Center (Catalyst Center) — centralized management, automation, assurance
Macro/micro segmentation — policy enforcement through SDA fabric
Integration with ISE — identity-based segmentation

Resources

Cisco Design Guides (free, cisco.com)
David Bombal YouTube (free)
INE CCNP Data Center materials
Cisco Press CCNP Data Center

Stage 03

MPLS and WAN Technologies

MPLS is a foundational WAN technology still widely deployed. Service provider engineers and enterprise WAN engineers must understand it deeply.

MPLS Fundamentals

What MPLS does — adds labels to IP packets; switches based on labels rather than IP header
Why MPLS — faster forwarding (label lookup vs IP route lookup), traffic engineering, VPN services
Label stack — labels stacked; bottom of stack bit (S=1); 20-bit label value, 3-bit EXP (QoS), 1-bit S, 8-bit TTL
Label operations — PUSH (add label), SWAP (replace label), POP (remove label)
PHP (Penultimate Hop Popping) — LSR before egress pops label; reduces egress processing
LSR (Label Switch Router) — all routers in MPLS domain
LER (Label Edge Router) — ingress and egress of MPLS domain

Label Distribution

LDP (Label Distribution Protocol) — distributes labels for all IGP prefixes; follows IGP path
RSVP-TE (Resource Reservation Protocol — Traffic Engineering) — explicit path, bandwidth reservation; required for MPLS TE
Segment Routing — replaces LDP/RSVP-TE; segments encoded in packet header; SR-MPLS and SRv6

MPLS VPNs (L3VPN)

PE-CE routing — BGP, OSPF, EIGRP, or static between PE and CE
VRF (Virtual Routing and Forwarding) — separate routing table per customer on PE router
Route Distinguisher (RD) — 8-byte value prepended to IPv4 prefix creating VPNv4 route; makes routes globally unique
Route Target (RT) — BGP extended community; controls import/export of VPN routes between PE routers
MP-BGP VPNv4 address family — carries VPN routes between PE routers across SP backbone
Hub-and-spoke VPN — central site imports/exports all sites; branch sites only import/export to hub
Extranet VPN — selective route sharing between customer VPNs

MPLS Traffic Engineering (MPLS-TE)

RSVP-TE tunnel — explicit path with bandwidth guarantee
Offline TE — calculating paths manually based on topology
CSPF (Constrained Shortest Path First) — automated path calculation considering constraints
Fast Reroute (FRR) — pre-computed backup paths for < 50ms failover (link-protect, node-protect)
TE accounting — IS-IS and OSPF extensions (TLVs) carry link bandwidth availability

L2VPN (Layer 2 Pseudowire and VPLS)

Pseudowire — tunneling Layer 2 frames across MPLS backbone between PE routers
VPLS (Virtual Private LAN Service) — multipoint L2VPN; creates emulated LAN across MPLS
EVPN as modern VPLS replacement — see Stage 2

SD-WAN — MPLS Replacement

What SD-WAN replaces — expensive MPLS circuits at branch offices with broadband + LTE
Overlay tunnels — encrypted tunnels across any transport (MPLS, broadband, LTE)
Application-aware routing — routing specific applications over preferred transports
Centralized policy — single controller defines policy applied to all edges
Key SD-WAN platforms:
Cisco SD-WAN (Viptela) — vManage (orchestration), vSmart (controller), vBond (validator), vEdge/cEdge (edge)
VMware VeloCloud — SD-WAN with cloud gateway network
Fortinet Secure SD-WAN — SD-WAN built into FortiGate firewall
Cisco Meraki — cloud-managed SD-WAN, simpler configuration model
Zero-touch provisioning — branch router boots and automatically pulls configuration from controller
Migration from MPLS — parallel running, cutover planning, SLA verification

Resources

INE CCNP SP materials
Cisco MPLS Design Guide (free)
Packet Pushers podcast (free)
Russ White's blog (free, with excellent MPLS and routing depth)

Stage 04

Network Security Engineering

Network engineers increasingly own network security design. Zero Trust Architecture and advanced firewall design are core skills in 2026.

Advanced Firewall Design

Security zones — DMZ architecture, trusted/untrusted zones, multi-tiered DMZ
Policy design principles — default deny, explicit allow, zone-pair policies
URL filtering — category-based, reputation-based, custom allow/block lists
Application awareness (NGFW) — App-ID, user-ID, Content-ID
SSL/TLS inspection — decrypt and inspect encrypted traffic; certificate management for inspection
High availability — active/passive, active/active, stateful session failover
Asymmetric routing — challenges with stateful firewalls and routing design solutions

Network Access Control (NAC)

802.1X — EAP-based authentication before network access granted
EAP-TLS — certificate-based, strongest; requires PKI
PEAP-MSCHAPv2 — username/password over TLS tunnel; most common
EAP-FAST — Cisco proprietary, flexible authentication
Cisco ISE (Identity Services Engine) — NAC, RADIUS, TACACS+, guest access, profiling
Policy sets — authentication policy + authorization policy + authorization profile
Profiling — identifying device type from DHCP, SNMP, HTTP probing
Posture — assessing device compliance before full access granted
Guest access — sponsor portal, self-registration, sponsored guest
RADIUS vs TACACS+ — RADIUS encrypts password only; TACACS+ encrypts entire body; TACACS+ for device management, RADIUS for user authentication
Change of Authorization (CoA) — dynamically changing authorization mid-session

DDoS Protection and Mitigation

Volumetric attacks — saturating upstream bandwidth
Protocol attacks — SYN floods, ICMP floods, fragmentation attacks
Application layer attacks — HTTP floods, Slowloris, DNS amplification
Upstream scrubbing centers — ISP-level DDoS mitigation
On-premises mitigation — rate limiting, black hole routing, RTBH (Remote Triggered Black Hole)
Anycast routing for DDoS distribution — spreading attack traffic geographically

Zero Trust Network Architecture

Principles — never trust, always verify; assume breach; least privilege
Micro-segmentation — granular security zones down to workload level
Identity-based access — user identity + device posture determines access, not network location
Software-defined perimeter (SDP) — hide infrastructure from unauthorized users
Network implementation — application-layer firewalls, L4 service mesh (Istio/Envoy), ZTNA solutions
Key vendors — Zscaler, Palo Alto Prisma Access, Cisco Duo, Cloudflare Access

IPv6 Security

IPv6-specific attacks — RA (Router Advertisement) spoofing, DHCPv6 attacks, NDP cache exhaustion
RA Guard — blocks unauthorized RA messages on access ports
DHCPv6 Guard — blocks unauthorized DHCPv6 server responses
ND Inspection / SEND — Secure Neighbor Discovery

Resources

Palo Alto PCNSE study materials
Cisco ISE documentation (free)
NIST SP 800-207 Zero Trust Architecture (free)

Stage 05

Network Automation

Network automation is the fastest-growing skill requirement in network engineering. Manual CLI-only engineers are increasingly uncompetitive.

Why Automation Matters

Scale — managing hundreds of devices manually is error-prone and slow
Consistency — automation ensures identical configurations across all devices
Speed — changes that take hours manually take seconds automated
Audit trails — automated changes are tracked and version-controlled

Python for Network Automation

All Python fundamentals plus:
netmiko — SSH connections to network devices; Cisco IOS, Junos, EOS, NX-OS
ConnectHandler — establishing device connections
send_command() — running show commands, parsing output
send_config_set() — applying configuration commands
Supported device types — cisco_ios, cisco_nxos, juniper_junos, arista_eos
paramiko — lower-level SSH library; more control, more code
napalm (Network Automation and Programmability Abstraction Layer with Multivendor Support):
Vendor-agnostic API — same Python calls work across Cisco IOS, Junos, EOS, NX-OS
get_facts(), get_interfaces(), get_bgp_neighbors(), get_route_to()
load_merge_candidate(), load_replace_candidate(), commit_config()
requests — REST API calls to DNA Center, NSO, Meraki, Fortinet
TextFSM — parsing unstructured CLI output into structured data using templates
ntc-templates — community-maintained TextFSM templates for common show commands
PyYAML — reading/writing YAML configuration files
Jinja2 — templating for generating network configurations dynamically
nornir — parallel task execution framework for network automation
Inventory — hosts.yaml, groups.yaml, defaults.yaml
Tasks — functions that run against inventory hosts
Plugins — netmiko, napalm, nornir_utils

Ansible for Network Automation

Ansible network modules:
cisco.ios — ios_command, ios_config, ios_facts, ios_vlan, ios_bgp_global
cisco.nxos — nxos_* modules
cisco.iosxr — iosxr_* modules
junipernetworks.junos — junos_command, junos_config
arista.eos — eos_command, eos_config
Network inventory — network devices as hosts with connection vars (ansible_network_os, ansible_connection: network_cli)
Gathering facts — ansible_network_os, ansible_net_interfaces, ansible_net_neighbors
Generating configurations with templates — Jinja2 templates + variables + ios_config module
Idempotency in network automation — checking state before making changes
Backup configurations — saving running-config to version control
Compliance checking — validating device state against desired state

IaC and Version Control for Networks

Git for network configs — tracking changes, branching for environments, rollback capability
Network-as-Code (NaC) — storing device intent in YAML/JSON, rendering configs via templates
Terraform for network infrastructure — cloud networking resources (VPCs, security groups, routes)
Cisco NSO (Network Services Orchestrator) — model-driven network orchestration; YANG data models; RESTCONF/NETCONF

NETCONF and RESTCONF

NETCONF — XML-based protocol for device configuration and state; uses YANG models
Operations — get, get-config, edit-config, copy-config, delete-config, lock, unlock, commit
SSH transport, port 830
RESTCONF — REST API equivalent of NETCONF; JSON or XML payloads; HTTPS transport
YANG — data modeling language defining network configuration and state
Yang models — Cisco native, OpenConfig (vendor-neutral), IETF standard models
ncclient — Python NETCONF client

APIs — Vendor-Specific

Cisco DNA Center (Catalyst Center) API — REST API for campus network management
Authentication — basic auth to get token
Device inventory — GET /dna/intent/api/v1/network-device
Site hierarchy — GET /dna/intent/api/v1/site
Issue management — GET /dna/intent/api/v1/issues
Cisco Meraki API — REST API for cloud-managed networks
Dashboard API — managing organizations, networks, devices, clients
Palo Alto PAN-OS API — XML-based REST API
Fortinet FortiGate REST API — JSON-based
Juniper PyEZ — Python library for Junos automation

CI/CD for Network Changes

Why CI/CD — automated testing and validation before network changes are applied
Pipeline stages — syntax validation → configuration rendering → lab simulation → peer review → automated deployment
Network testing frameworks — batfish (offline configuration analysis), pytest for network tests
GitOps for networks — all changes via pull requests, automated deployment on merge to main

Resources

Network Programmability and Automation (Jason Edelman, free online O'Reilly)
Cisco DevNet (developer.cisco.com, free sandbox environments)
Kirk Byers network automation courses (free and paid)
NTC Slack community (free)
Packet Pushers Heavy Networking podcast (free)

Stage 06

Cloud Networking

Cloud adoption has not eliminated network engineering. It has added cloud networking as a required skill set.

AWS Networking — Deep

VPC fundamentals — CIDR allocation, subnets (public/private), route tables, internet gateway
Transit Gateway — hub-and-spoke VPC interconnection; replaces VPC peering at scale
VPC Peering — direct VPC-to-VPC connectivity; non-transitive
AWS PrivateLink — access AWS services or customer services privately via ENI
Direct Connect — dedicated private circuit from on-premises to AWS; 1G or 10G
Private VIF — connecting to VPC
Transit VIF — connecting to Transit Gateway
Public VIF — accessing AWS public services privately
Direct Connect Gateway — connecting to VPCs in multiple regions
Site-to-Site VPN — IPsec over internet as Direct Connect alternative
VPN CloudHub — spoke-to-spoke communication via VGW
Network Firewall — managed stateful inspection and IPS for VPC traffic
Global Accelerator — anycast routing to AWS edge, improving performance
CloudFront — CDN with WAF integration
Route 53 — DNS service, health checks, routing policies (simple, weighted, latency, failover, geolocation, multi-value, IP-based)

Azure Networking — Deep

Virtual Network (VNet) — subnets, route tables, NSGs
VNet Peering — connecting VNets; local and global peering
Virtual WAN (vWAN) — Microsoft-managed hub-and-spoke; replaces manual hub VNets
ExpressRoute — dedicated private circuit to Azure; 50M to 10G
ExpressRoute Global Reach — connecting on-premises sites via ExpressRoute
Azure Firewall — managed stateful NGFW for Azure
Azure Front Door — global load balancer + CDN + WAF
Private Endpoint / Private Link — accessing PaaS services via private IP
Application Gateway — L7 load balancer with WAF

GCP Networking

VPC — global (spans all regions), subnets are regional
Shared VPC — cross-project resource sharing
Cloud Interconnect — dedicated and partner interconnect to GCP
Cloud VPN — IPsec to GCP
Cloud NAT — outbound NAT for private instances
Network Intelligence Center — network topology, performance dashboard

Hybrid Cloud Networking Design

Connectivity options comparison — site-to-site VPN vs dedicated circuits vs SD-WAN cloud on-ramp
IP addressing strategy — non-overlapping addressing across on-premises and all cloud environments
DNS in hybrid environments — split-horizon DNS, Resolver in/outbound endpoints
BGP over Direct Connect/ExpressRoute — dynamic routing, prefix advertisement
SD-WAN cloud on-ramp — integrating SD-WAN with cloud provider on-ramp services

Network Virtualization

VMware NSX — software-defined networking for data center
Overlay networking with GENEVE encapsulation
Distributed firewall — micro-segmentation at the vNIC level
NSX-T — multi-hypervisor, multi-cloud support
Overlay protocols comparison — VXLAN, GENEVE, GRE, STT

Resources

AWS Networking Specialty (ANS-C01) study materials
AWS re:Invent network talks (YouTube, free)
Azure networking documentation (free)
GCP networking documentation (free)

Stage 07

Network Design & Architecture

Network engineers produce design documents. Understanding design methodologies, documentation standards, and capacity planning is required for senior roles.

Network Design Methodology

PPDIOO (Cisco) — Prepare, Plan, Design, Implement, Operate, Optimize
High-Level Design (HLD) — overview, topology, protocols, addressing plan, decision rationale
Low-Level Design (LLD) — specific device configurations, interface assignments, IP addressing, VLAN tables
As-built documentation — recording what was actually implemented
Design trade-offs — availability vs cost vs complexity; documenting decisions

Redundancy and High Availability

N+1, N+N redundancy — calculating sufficient redundancy for requirements
MTTR / MTBF — mean time to repair and between failures; target SLAs
Convergence time analysis — STP (seconds) vs RSTP (<1s) vs OSPF (<1s) vs BGP (seconds to minutes)
Graceful restart and NSF (Non-Stop Forwarding) — maintaining forwarding during control plane restart
BFD (Bidirectional Forwarding Detection) — sub-second failure detection regardless of routing protocol
BFD for OSPF, EIGRP, BGP, static routes
Asynchronous vs echo mode
VSS (Virtual Switching System) — two Cisco switches appearing as one (campus core redundancy)
vPC (Virtual Port Channel) — NX-OS dual-homed server connections without STP blocking

QoS Design

QoS architecture — classification, marking, queuing, shaping, policing, dropping
DiffServ — DSCP markings in IP header; 64 codepoints
EF (101110) — Expedited Forwarding; voice; strict priority queue
AF classes (AF11-AF43) — Assured Forwarding; tiered priority with drop probability
CS classes — Class Selector; backward compatible with IP Precedence
BE (000000) — Best Effort; default
DSCP marking at trust boundary — trusting endpoints vs remarking at ingress
Queuing mechanisms:
Priority Queuing (PQ) — strict priority; can starve lower queues
WFQ (Weighted Fair Queuing) — per-flow fairness; automatic classification
CBWFQ (Class-Based WFQ) — policy-driven bandwidth allocation per class
LLQ (Low Latency Queuing) — CBWFQ + strict priority queue for voice/video
Tail drop vs WRED — WRED proactively drops lower-priority traffic to prevent congestion
Shaping vs policing — shaping buffers excess (smooth); policing drops excess (hard limit)
VoIP QoS requirements — 150ms one-way delay, <30ms jitter, <1% packet loss
QoS on WAN — matching SP DSCP markings, maintaining QoS across hybrid WAN

Capacity Planning

Traffic analysis — NetFlow, SNMP interface counters, bandwidth trending
Growth projections — historical trend extrapolation, application growth forecasts
Bottleneck identification — CPU, memory, interface bandwidth, switch fabric
Upgrade planning — timing capacity upgrades before saturation, not after

Network Documentation Standards

Visio/draw.io — standard diagramming tools
Diagram types — physical topology, logical topology, addressing diagrams, VLAN diagrams, cabling diagrams
IP address management (IPAM) — maintaining accurate IP allocation records
Change management documentation — change requests, test plans, rollback procedures, post-implementation reviews

Resources

Cisco Design Guides (free on Cisco.com)
Packet Pushers Design series
"The Practice of Network Engineering" resources

Stage 08

Hands-On Practice & Portfolio

Lab Build

EVE-NG Community Edition (free) — emulates Cisco IOS-XE, IOS-XR, NX-OS, Junos
GNS3 (free) — similar, widely used, large community
Cisco CML (Cisco Modeling Labs) — licensed, best Cisco emulation; Personal version ~$200/year
Physical gear (optional) — used Cisco 3750X/4500 switches and ASR 1001-X routers for MPLS labs
Lab topologies to build:
Multi-area OSPF with redistribution and summarization
BGP lab — two ASes, iBGP full mesh or route reflector, policy with route maps
MPLS L3VPN — PE-P-PE topology with two customer VRFs
SD-WAN lab — Cisco SD-WAN free DevNet sandbox
Network automation — Python scripts against EVE-NG devices

Automation Portfolio

GitHub repository with:
Python/Netmiko scripts for config backup, compliance checking, bulk changes
Ansible playbooks for VLAN deployment, BGP neighbor configuration, access control
Jinja2 templates for standardized interface and OSPF configurations
README documenting each project's purpose and usage
DevNet Sandbox practice — free Cisco labs at devnetsandbox.cisco.com

What to Document on LabList

Lab topology diagrams — network designs you have built and tested
Automation projects — GitHub links with descriptions
Troubleshooting write-ups — complex issues diagnosed with methodology
Cert progression — CCNA → CCNP ENCOR + ENARSI documented with study notes
Design documents — HLD/LLD templates you have created

FAQ

Common questions

How long does it take to become a Network Engineer?

3–4 years optimistic at 20–25 hours/week, 4–6 years realistic. Network Engineer is a senior role demanding routing protocol depth, network architecture experience, and increasingly automation skills. Most network engineers come from network admin backgrounds with documented architectural projects. Pure self-taught paths exist but the technical bar — BGP, OSPF, MPLS, SD-WAN — is genuinely high.

Which certifications matter for network engineering?

CCNP tracks 4,800–5,100 active job postings per week at average salary $115,000. CCIE for advanced roles. JNCIE for Juniper-focused organizations. AWS Advanced Networking Specialty for cloud-heavy roles. Network automation certs (Cisco DevNet) are increasingly valued — Python + Ansible + network APIs is a major differentiator in 2026.

Do I need a CS degree?

No. Network engineering is meritocratic — demonstrated routing/switching expertise and automation fluency outweigh credentials. What you do need: deep CCNP-level knowledge, automation fluency (Python for network programmability), at least one cloud platform's networking primitives, and experience with at least one large-scale topology design. The gating skill in 2026 is automation; pure CLI engineers without scripting compete poorly with engineers who can describe a Network-as-Code workflow.

What separates a hired Network Engineer?

Network automation experience. Python + Ansible + Nornir + network APIs (Cisco IOS-XE RESTCONF, Juniper PyEZ) signals readiness for modern network shops. SD-WAN, hybrid cloud networking, and network security integration are demand drivers. Generic CCNP candidates without automation depth lose to candidates with both. Bonus differentiators: Terraform for cloud networking, network observability tooling, and documented complex topology troubleshooting writeups.

Network Engineer

Common questions

Related roles