Author Archives: ddib

Using Python to Calculate Cisco SD-WAN Tunnel Numbers – Part 2

In the first post I shared with you my code to calculate tunnel numbers in Cisco SD-WAN. I’m a beginner in Python so I thought it would be a great learning experience to have someone experienced in Python, such as Rodrigo, take a look at the code and come up with improvements. As I like to share knowledge, I’m taking this journey with you all. Let’s get started!

You may recall that I had a function to calculate the tunnel number. It looked like this:

def calculate_tunnel_number(interface_name: str) -> int:
    <SNIP>
    return total_score

Rodrigo’s comment was that the function name is excellent, as it is clear what the function does. However, the return statement returns total_score, which does not make clear what the value represents. It would be better to return tunnel_number, since that is what the function calculates.

The next comment is that when you split something and know how many pieces you get, it is better to unpack them, assigning any unwanted piece to a throwaway variable, rather than indexing into the result. My code looked something like this:

interface_number = split_interface(interface_name)[1]

It would be better to do something like this:

_, interface_number = split_interface(interface_name)

The first variable, a Continue reading

Using Python to Calculate Cisco SD-WAN Tunnel Numbers – Part 1

Cisco SD-WAN on IOS-XE uses tunnel interfaces to configure parameters of the implementation. There is a mapping between the interface the tunnel sources from and the name of the tunnel interface. For example, if the tunnel source is GigabitEthernet0, the tunnel interface is Tunnel0; if the tunnel source is GigabitEthernet0.100, the tunnel interface is Tunnel100000. When provisioning a router without Zero Touch Provisioning (ZTP), you build a small bootstrap configuration that sets mandatory parameters such as Site ID, System IP and Organization Name, but also a tunnel interface so the router can connect to the controllers. It is possible to create this configuration in vManage, and hence find out the tunnel interface name, but I thought it would be interesting to do this with code and not be dependent on vManage.

In this post, I will describe the code I used and the logic behind the different parts of it. This first post covers the code as I originally wrote it. In the second part, my friend Rodrigo, who runs an excellent Python blog, analyzes my code and suggests improvements, which I will describe in that Continue reading

Viewing a Certificate Using OpenSSL

I have started taking Ed Harmoush’s Practical TLS course to learn more about TLS and certificates. When learning about TLS, you want to inspect different certificates to see the various fields and see how different organizations use certificates differently. As always, Linux comes with a great set of tools to work with certificates in the form of OpenSSL. In this post, I will show how to download a certificate and discuss some of the fields that are present in the certificate.

To get the certificate, we will use openssl with s_client and connect to a website. I’m using twitter.com in this example:

openssl s_client -connect twitter.com:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Twitter, Inc.", CN = twitter.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Twitter, Inc.", CN = twitter.com
   i:C = US, O =  Continue reading

My Journey to Getting AWS Certified Advanced Networking – Specialty Certified

Last week I took and passed the AWS Certified Advanced Networking – Specialty exam on my first attempt. In this post I will describe the study materials that I used and talk about my experience of taking this test.

What type of skills does this exam test? This is a quote from AWS:

Earning AWS Certified Advanced Networking – Specialty validates expertise in designing and maintaining network architecture for the breadth of AWS services.

The key here, I think, is “for the breadth of AWS services”. It’s not enough to understand general networking in AWS; you need to understand how networking works for different AWS services such as S3, WorkSpaces, Lambda, Storage Gateway, and so on. There is no formal prerequisite for the exam, but it definitely doesn’t hurt to already hold the Solutions Architect Associate (previously a prerequisite), as it helps you understand what services are available.

The following are also listed as recommendations for who should take this exam:

  • Professional experience using AWS technology, AWS security best practices, AWS storage options and their underlying consistency models, and AWS networking nuances and how they relate to the integration of AWS services.
  • Knowledge Continue reading

Getting Experience with Public Cloud

Someone reached out to me and asked how you get experience with public cloud. That’s an excellent question so I thought I would give some perspective on it. There are three ways that immediately come to mind:

  • Studying for a certification
  • Playing around with different services in public cloud
  • Getting involved in projects at work

Public cloud is a little like walking into a gigantic supermarket. You are looking for something very specific, maybe just a carton of milk, but if you have never been to this supermarket it could take you hours to find the milk. Maybe the milk is named something else in this store. To understand a specific cloud such as AWS, Azure, or GCP, you must first build up a basic understanding of what services they offer and how to use them. I normally prefer to do this by studying for a certification, such as the AWS Solutions Architect Associate, but there are also more introductory certifications such as the Cloud Practitioner or Azure Fundamentals. You can be super experienced and highly trained in a domain, such as servers or networking, but you must first learn to speak their language and understand their services. It definitely Continue reading

8 Tips for a Successful Network Migration

I have done many network migrations over the years. Nowadays it’s a rarer event, but this weekend we migrated some core switches with very little downtime. What should you do to maximize the odds of a successful migration?

Plan

If your migration was successful without planning, that doesn’t mean you are smart, just lucky. Every migration requires planning. What steps are involved in the migration? How do you validate each step? Who needs to be involved in the migration? Who needs to validate services when the migration is done? What are the criteria for a successful migration? How much time do you need to perform the migration? At what point do you roll back? What are the steps involved in rolling back?

A migration plan can have varying levels of detail. I’ve worked with some very critical networks where we have had to describe each and every step in detail including every command that is involved in the migration. This takes a lot of time but you can’t cut corners when you are working with networks that can affect people’s health and lives.

Prepare

Prepare as much as you can. This Continue reading

Python Script Pulling AWS IP Prefixes – Part 3

The two previous posts described what the script does and the modules it uses, as well as how the script leverages YAML.

This time, we will go through the function that generates the access-list name. The code for this is below:

import random


def generate_acl_name(interface_name: str) -> str:
    """Generate unique ACL name to avoid conflicts with any existing ACLs
    by appending a random number to the outside interface name"""
    # Create a random number between 1 and 999
    random_number = random.randint(1, 999)
    acl_name = f"{interface_name}_{random_number}"
    return acl_name

The goal of this code is to generate a new access-list with a unique name. Note that the script does not check whether an access-list with that name already exists; that is something I will look into in an improved version of the script. I wanted to start with something that works and take you through the process as I learn and improve on the existing code.

The function takes an interface_name which is a string. This is provided by the YAML data that we stored in the yaml_dict earlier. The function is then called like this:

acl_name = generate_acl_name(yaml_dict["outside_interface"])

The name is stored in the yaml_dict under the outside_interface mapping:

In [6]: yaml_dict  Continue reading

Python Script Pulling AWS IP Prefixes – Part 2

In the previous post I described some of the design considerations for this script and what modules I use. In this post, we will look at using YAML to collect data and use it in Python in the form of a dictionary. Why YAML? YAML is commonly used as a readable way of storing configuration data and there are modules for Python to read that data.

The YAML file is a very basic one containing these mappings:

---
outside_interface: outside
aws_service: s3
aws_region: eu-north-1
asa_ip: 192.168.255.241
...

The three dashes indicate the start of the file and the three dots indicate the end of the file. We have configured what service we are interested in (S3) and in what region (eu-north-1). The outside interface in our Cisco ASA is named outside.

The natural fit to work with mappings in Python is a dictionary. We need to get the data from the file named aws_prefix.yml into a dictionary. To do that, we will use the following code:

import yaml

def get_yaml_data() -> dict:
    """Gets the interface name, ASA IP address, AWS service, and region
    from the YAML file and returns a dictionary"""
    try:
        # Assumed completion: the excerpt is cut off after open(); safe_load parses the mappings
        with open("aws_prefix.yml") as yaml_file:
            return yaml.safe_load(yaml_file)
    except FileNotFoundError as error:
        raise SystemExit(f"Could not read aws_prefix.yml: {error}")
Continue reading

Python Script Pulling AWS IP Prefixes – Part 1

I have been playing around with Python lately with the goal of building basic skills in it. I have found that to make good progress what works best for me is:

  • Have a project that I find interesting to work on
  • Spend a little time every day on the project

The project I decided on was to get the IP addresses that AWS uses for their services, build an access-list based on these prefixes, and then configure a Cisco ASA with that access-list. The final result looks like this:

Python AWS prefix getter

In a series of blog posts, I will cover how I built this script. Keep in mind that my focus was to get a script that works and then improve on it. I have some plans for getting an experienced Python coder to go through the code with me and to work on improvements. Stay tuned for that!

As with any coding project, you need to come up with some general guidelines on how to get data and what is good enough. These are some of the considerations I had:

  • I will get the configuration needed from a YAML file rather than a CLI (good enough for Continue reading

Route Replication the Easy Way

Easy Virtual Network (EVN) was a technology Cisco came up with back in the day to make it easier to implement VRFs without the pain of running VRF-Lite or the complexity of running a full MPLS + BGP network. It was actually a pretty cool technology but never became mainstream. However, as part of this technology, Cisco also made it easier to replicate, or in other words leak, routes between VRFs. You don’t need the rest of EVN to do this, and this simplified way of replicating routes has been somewhat forgotten by the industry. I thought I would share with you how easy it is to replicate routes with this feature, even without BGP.

We have a straightforward topology like the one below:

The USERS switch is a L2 switch and all the L3 configuration is in the CORE router. We have implemented segmentation in the network so we have a USERS VRF and then we have a SERVICES VRF for shared services such as DNS and DHCP. Because these services are in a separate VRF, we will not have reachability to them from the USERS VRF. This lab will use the following IP addresses:

User – 10. Continue reading

11 Tips on Gaining Experience in Network Design

For people who want to pursue a career in network design, it can be tough to get the experience needed for such a role. How do you get design experience if your current role does not involve design? There are still many things you can do, and I will give you tips on gaining that experience.

Network fundamentals – I always bring this up because it’s easy to overlook the need for network fundamentals. As an architect you still need to have technical chops and hopefully some operational experience as well. How can you design for something you are not familiar with? You can’t! You need to know OSPF, IS-IS, BGP, etc. to understand when you should use each protocol. Spend a lot of time building these fundamentals before you move into design. How do you do that? Ivan Pepelnjak has training in this area. There is also the Computer Networking Problems and Solutions book by Russ White and Ethan Banks.

Books – There are several excellent books on network design. Some of them are geared towards network design certifications but they are great reads even if you are not pursuing any certification. One of my favourite books is The Art Continue reading

Networking Interviews – How to Ask Good Questions

I’m not sure if it’s just us in networking/IT, or people leading interviews in general (probably the latter), but we have a tendency to ask really bad questions in interviews. Often the questions revolve around factoids or things that need to be memorized. Some interviewers will even intentionally try to “trick” you. This is a really bad way of conducting an interview and is guaranteed to lead to poor results. Instead of asking someone to quote an RFC, you should focus on asking open-ended questions and even guide the candidate if they get stuck on something. Why?

Reasoning – You want to see how people reason their way to answering a question. What is their thought process? Asking the administrative distance of BGP will just give you back a one-sentence answer or no answer at all. You can learn much more about someone’s skill level if you give them some clues and see if they can take the discussion forward. Are they comfortable asking you for input? Are they comfortable saying that they don’t know something?

Remove tension – Most, if not all, people are somewhat nervous when being interviewed. You want to get an accurate representation of their skill, so Continue reading

My Journey Towards the Cisco Certified DevNet Specialist – DevOps – By Nick Russo

On 19 January 2021, I took and passed the Implementing DevOps Solutions and Practices (DEVOPS) exam on my first attempt. This is the sixth DevNet exam I’ve passed … and probably the last! Much like my experience with enterprise and service provider automation, I have years of real-life experience solving a diverse set of business problems using DevOps skills. I’ve spoken about the topic on various podcasts and professional training courses many times. Even given that experience, the exam blueprint introduced me to new technologies such as Cisco AppDynamics and Prometheus, to name a few.

I found DEVOPS to be more difficult than the product-specific concentration exams like ENAUTO, SPAUTO, and SAUTO. Because the exam has very little Cisco-specific content (AppDynamics is about the extent of it), you’ll need extensive hands-on, detail-oriented experience with many third-party products. To name a few: Ansible, Terraform, Docker, Kubernetes, Prometheus, ELK, git/GitHub, Travis CI, Jenkins, and Drone. Like most Cisco specialties, it isn’t enough just to watch video training to learn the details of these technologies; labbing and self-learning are both essential to pass this challenging exam.

Unlike DEVASC, DEVCOR, ENAUTO, and SAUTO, I did not Continue reading

AAA Deep Dive on Cisco Devices

I’ve been working on some AAA configuration lately. Going through some of my older templates, I realized that I didn’t want to simply reuse them without first verifying that I still believed this was the best way of configuring AAA. I started by reading some of the official docs but quickly realized they were a bit shallow and lacked real detail on scenarios such as what happens when the AAA server is not available. I then realized that there is also a lack of blogs that dive into this in any detail. Being curious, I thought I would lab it out, as I have recently built an ISE lab.

The goal of this post is to start with a very simple AAA configuration, expand on it, and at each step verify what happens when the AAA server is available and when it is not. I will give you the relevant debug outputs as well as my thoughts on the different parameters in the configuration. Buckle up, because this is going to be a super deep dive!

We start out by applying a simple AAA configuration, where I have specified my ISE server, which is at 192.168.128. Continue reading

Finding Ways of Teaching

A few days ago I tweeted that when you are trying to master a topic, you should find different sources to learn from as well as different mediums, such as reading, listening and watching videos, and not forget labbing. I also wrote that teaching someone else is a great way of learning and retaining information yourself. You might be familiar with the saying that “You remember 10% of what we read, 20% of what we hear, 30% of what we see, 80% of what we personally experience, and 95% of what we teach others”. How truthful this statement is, is up for debate, but I think we can all agree that you will recall more of what you have learned if you teach the topic to someone, as opposed to just reading about it.

How do you find a place to teach, though?

Thankfully, there are a lot of options today to teach, even some that may not seem obvious at first. Let’s go through a few of them.

Blogging – As you’re reading this blog, hopefully you are learning something. It may not seem like teaching, considering that it’s not a realtime event, but it is Continue reading

Getting DevNet Associate (200-901) Certified

Earlier this week I got DevNet Associate certified, using the online testing offering. The TL;DR of this post is this:

I have no affiliation with Pluralsight or anyone else, by the way. It’s just that it happens that Nick’s content is there. This may sound like a very simple plan but it has worked for me and many before me. If you follow his plan, you will be prepared to take the test and have an excellent chance of passing.

Now, for the longer version of this post. As with any certification, you need to check the blueprint and assess your current skill level pertaining to those topics. The DevNet Associate has these major areas of topics:

  • Software development and design (15%)
  • Understanding and using APIs (20%)
  • Cisco platforms and development (15%)
  • Application deployment and security (15%)
  • Infrastructure and automation (20%)
  • Network fundamentals (15%)

With my background as a networking expert, this means that I don’t need to spend much time on network fundamentals. For the rest of the blueprint, Continue reading

No Rush

Intro

We often treat our careers like a race, with only one winner. We set up goals: get a degree by a certain age, get that certification at another age, get that job at a certain age, and we judge our success by whether we make more than, say, 100k per year. Because that’s what we’ve been told.

However, building a successful career in IT is nothing like that.

Stress

I’ve been there myself and felt the stress. I started my university studies when I was 22. I felt old at the time, surrounded by people who were 18-19 years old. I know that people where I lived before my university studies had started asking whether I wasn’t going to become anything, to do something with my life. I needed a few years’ break from school before going to university, and it turns out that was a great decision. I was able to study in a manner I never had before.

One of the goals I set up in my career was to become a CCIE by 30. I’m not sure why. It just seemed like getting it Continue reading

My Journey Towards the Cisco Certified DevNet Specialist – Service Provider by Nick Russo

On 14 October 2020, I took and passed the Automating Cisco Service Provider Solutions (SPAUTO) exam on my first attempt. This is the fifth DevNet exam I’ve passed and was a topic area in which I was already strong. Many people know me for my CCIE Service Provider Comprehensive Guide where I cover advanced SP technology. Others know me for my Pluralsight Ansible and Python network automation courses that implement an “infrastructure as code” solution to manage MPLS L3VPN route-targets. Suffice it to say that I’ve been doing SP stuff for a while.

Compared to the other concentration exams I’ve passed (ENAUTO and SAUTO), SPAUTO was about the same level of difficulty. The exam has a fair amount of carryover from DEVASC, DEVCOR, and ENAUTO, given the similarities of their blueprints, but is still quite heavy on SP products. Fortunately, there are only a few key products listed on the blueprint, making it narrower than SAUTO (which tested about 15 different APIs). Like ENAUTO, strong Python and network automation skills are important for this exam, and I’d strongly recommend having real-life SP design, implementation, and operations experience before attempting it.

Unlike DEVASC, DEVCOR, ENAUTO, and Continue reading

My Journey Towards the Cisco Certified DevNet Specialist – Security by Nick Russo

On 10 August 2020, I took and passed the Automating Cisco Security Solutions (SAUTO) exam on my first attempt. In February of the same year, I passed DEVASC, DEVCOR, and ENAUTO to earn both the CCDevA and CCDevP certifications. You might be wondering why I decided to take another concentration exam. I won’t use this blog to talk about myself too much, but know this: learning is a life-long journey that doesn’t end when you earn your degree, certification, or other victory trinket. I saw SAUTO as an opportunity to challenge myself by leaving my “comfort zone” … and trust me, it was very difficult.

One of the hardest aspects of SAUTO is that it encompasses 12 different APIs spread across an enormous collection of products covering the full spectrum of cyber defense. Learning any new API is difficult, as you’ll have to familiarize yourself with new API documentation, authentication/authorization schemes, request/response formats, and various other product nuances. For that reason alone, the scope of SAUTO compared to ENAUTO makes it a formidable exam.

Network automation skills are less relevant in this exam than in DEVASC, DEVCOR, or ENAUTO, as they only account for 10% Continue reading

DevAsc – List Consisting of Dictionaries

I was going through Nick Russo’s course Getting Started with Software Development Using Cisco DevNet at Pluralsight and one thing he went through was interacting with the DNA Center API. Using a call to /intent/api/v1/network-device, DNA-C will return a JSON object consisting of an array of objects, or in Python speak, a list of dictionaries. This looks something like below, snipped for brevity:

{
    "response": [
        {
            "memorySize": "3735220224",
            "family": "Wireless Controller",
            "type": "Cisco 3504 Wireless LAN Controller",
            "macAddress": "50:61:bf:57:2f:00",
            "softwareType": "Cisco Controller",
            "softwareVersion": "8.8.111.0",
            "deviceSupportLevel": "Supported",
            "platformId": "AIR-CT3504-K9",
            "reachabilityFailureReason": "",
            "series": "Cisco 3500 Series Wireless LAN Controller",
            "serialNumber": "FCW2218M0B1",
            "inventoryStatusDetail": "<status><general code=\"SUCCESS\"/></status>",
            "hostname": "3504_WLC",
            "lastUpdateTime": 1596457941780,
            "errorDescription": null,
            "interfaceCount": "0",
            "lastUpdated": "2020-08-03 12:32:21",
            "lineCardCount": "0",
            "lineCardId": "",
            "locationName": null,
            "managementIpAddress": "10.10.20.51",
            "reachabilityStatus": "Reachable",
            "snmpContact": "",
            "snmpLocation": "",
            "tagCount": "0",
            "tunnelUdpPort": "16666",
            "waasDeviceMode": null,
            "apManagerInterfaceIp": "",
            "associatedWlcIp": "",
            "bootDateTime": "2020-03-12 16:08:21",
            "collectionStatus": "Managed",
            "errorCode": null,
            "roleSource": "AUTO",
            "upTime": "143 days, 20:24:58.00",
            "location": null,
            "role": "ACCESS",
            "collectionInterval": "Global Default",
            "instanceTenantId": "5e5a432575161200cc4ac95c",
            "instanceUuid": "72dc1f0a-e4da-4ec3-a055-822416894dd5",
            "id": "72dc1f0a-e4da-4ec3-a055-822416894dd5"
        },
        {
            "memorySize": "NA",
            "family": "Switches and Hubs",
            "type": "Cisco Catalyst 9300 Switch",
            "macAddress": "00:72:78:54:d1:00",
            "softwareType": "IOS-XE",
            "softwareVersion": "16.6.4a",
            "deviceSupportLevel": "Supported",
            "platformId": "C9300-48U",
            "reachabilityFailureReason": "",
             Continue reading