I’ve been working on some AAA configuration lately and I went through some of my older templates and realized that I didn’t want to simply reuse them without first verifying that I still believed this was the best way of configuring AAA. I started by reading some of the official docs but quickly realized they were a bit shallow and lacked any real detail on different scenarios, such as what happens when the AAA server is not available. I then realized that there is also a lack of blogs that dive into this in any detail. Being curious, I thought I would lab it out, as I have recently built an ISE lab.
The goal of this post is to start with a very simple AAA configuration, expand on it, and verify at each step what happens when the AAA server is available and when it is not. I will give you relevant debug outputs as well as my thoughts on the different parameters in the configuration. Buckle up, because this is going to be a super deep dive!
We start out by applying a simple AAA configuration, where I have specified my ISE server, which is at 192.168.128.
Some days ago I tweeted that when you are trying to master a topic, you should find different sources to learn from as well as different mediums, such as reading, listening, and watching videos, but also not forget labbing. I also wrote that teaching someone else is a great way of learning and retaining information yourself. You might be familiar with the saying that “You remember 10% of what we read, 20% of what we hear, 30% of what we see, 80% of what we personally experience, and 95% of what we teach others”. How truthful this statement is, is up for debate, but I think we can all agree that you will recall more of what you have learned if you are teaching the topic to someone, as opposed to just reading about it.
How do you find a place to teach, though?
Thankfully, there are a lot of options today to teach, even some that may not seem obvious at first. Let’s go through a few of them.
Blogging – As you’re reading this blog, hopefully you are learning something. It may not seem like teaching, considering that it’s not a real-time event, but it is
Earlier this week I got DevNet Associate certified, using the online testing offering. The TL;DR of this post is going to be this:
I have no affiliation with Pluralsight or anyone else, by the way. It’s just that it happens that Nick’s content is there. This may sound like a very simple plan but it has worked for me and many before me. If you follow his plan, you will be prepared to take the test and have an excellent chance of passing.
Now, for the longer version of this post. As with any certification, you need to check the blueprint and assess your current skill level pertaining to those topics. The DevNet Associate has these major areas of topics:
With my background as a networking expert, this means that I don’t need to spend much time on network fundamentals. For the rest of the blueprint,
We often treat our careers like a race. With only one winner. We set up goals where we want to get a degree by a certain age. Get that certification at another age. Get that job at a certain age, and we judge our success by whether we make more than, say, 100k per year. Because that’s what we’ve been told.
However, building a successful career in IT is nothing like that.
I’ve been there myself and felt the stress. I started my university studies when I was 22. I felt old at the time, surrounded by people that were 18-19 years old. I know that people where I lived before my university studies had started asking questions along the lines of whether I was ever going to become anything. To do something with my life. I needed a few years’ break from school before going on to university studies, and it turns out that was a great decision. I was able to study in a manner I had never done before.
One of the goals I set up in my career was to become a CCIE by 30. I’m not sure why. It just seemed like getting it
On 14 October 2020, I took and passed the Automating Cisco Service Provider Solutions (SPAUTO) exam on my first attempt. This is the fifth DevNet exam I’ve passed and was a topic area in which I was already strong. Many people know me for my CCIE Service Provider Comprehensive Guide where I cover advanced SP technology. Others know me for my Pluralsight Ansible and Python network automation courses that implement an “infrastructure as code” solution to manage MPLS L3VPN route-targets. Suffice it to say that I’ve been doing SP stuff for a while.
Compared to the other concentration exams I’ve passed (ENAUTO and SAUTO), SPAUTO was about the same level of difficulty. The exam has a fair amount of carryover from DEVASC, DEVCOR, and ENAUTO, given the similarities of their blueprints, but is still quite heavy on SP products. Fortunately, there are only a few key products listed on the blueprint, making it narrower than SAUTO (which tested about 15 different APIs). Like ENAUTO, strong Python and network automation skills are important for this exam, and I’d strongly recommend having real-life SP design, implementation, and operations experience before attempting it.
Unlike DEVASC, DEVCOR, ENAUTO, and
On 10 August 2020, I took and passed the Automating Cisco Security Solutions (SAUTO) exam on my first attempt. In February of the same year, I passed DEVASC, DEVCOR, and ENAUTO to earn both the CCDevA and CCDevP certifications. You might be wondering why I decided to take another concentration exam. I won’t use this blog to talk about myself too much, but know this: learning is a life-long journey that doesn’t end when you earn your degree, certification, or other victory trinket. I saw SAUTO as an opportunity to challenge myself by leaving my “comfort zone” … and trust me, it was very difficult.
One of the hardest aspects of SAUTO is that it encompasses 12 different APIs spread across an enormous collection of products covering the full spectrum of cyber defense. Learning any new API is difficult, as you’ll have to familiarize yourself with new API documentation, authentication/authorization schemes, request/response formats, and various other product nuances. For that reason alone, the scope of SAUTO when compared to ENAUTO makes it a formidable exam.
Network automation skills are less relevant in this exam than in DEVASC, DEVCOR, or ENAUTO, as they only account for 10%
I was going through Nick Russo’s course Getting Started with Software Development Using Cisco DevNet at Pluralsight and one thing he went through was interacting with the DNA Center API. Using a call to /intent/api/v1/network-device, DNA-C will return a JSON object consisting of an array of objects, or in Python speak, a list of dictionaries. This looks something like below, snipped for brevity:
{
  "response": [
    {
      "memorySize": "3735220224",
      "family": "Wireless Controller",
      "type": "Cisco 3504 Wireless LAN Controller",
      "macAddress": "50:61:bf:57:2f:00",
      "softwareType": "Cisco Controller",
      "softwareVersion": "8.8.111.0",
      "deviceSupportLevel": "Supported",
      "platformId": "AIR-CT3504-K9",
      "reachabilityFailureReason": "",
      "series": "Cisco 3500 Series Wireless LAN Controller",
      "serialNumber": "FCW2218M0B1",
      "inventoryStatusDetail": "<status><general code=\"SUCCESS\"/></status>",
      "hostname": "3504_WLC",
      "lastUpdateTime": 1596457941780,
      "errorDescription": null,
      "interfaceCount": "0",
      "lastUpdated": "2020-08-03 12:32:21",
      "lineCardCount": "0",
      "lineCardId": "",
      "locationName": null,
      "managementIpAddress": "10.10.20.51",
      "reachabilityStatus": "Reachable",
      "snmpContact": "",
      "snmpLocation": "",
      "tagCount": "0",
      "tunnelUdpPort": "16666",
      "waasDeviceMode": null,
      "apManagerInterfaceIp": "",
      "associatedWlcIp": "",
      "bootDateTime": "2020-03-12 16:08:21",
      "collectionStatus": "Managed",
      "errorCode": null,
      "roleSource": "AUTO",
      "upTime": "143 days, 20:24:58.00",
      "location": null,
      "role": "ACCESS",
      "collectionInterval": "Global Default",
      "instanceTenantId": "5e5a432575161200cc4ac95c",
      "instanceUuid": "72dc1f0a-e4da-4ec3-a055-822416894dd5",
      "id": "72dc1f0a-e4da-4ec3-a055-822416894dd5"
    },
    {
      "memorySize": "NA",
      "family": "Switches and Hubs",
      "type": "Cisco Catalyst 9300 Switch",
      "macAddress": "00:72:78:54:d1:00",
      "softwareType": "IOS-XE",
      "softwareVersion": "16.6.4a",
      "deviceSupportLevel": "Supported",
      "platformId": "C9300-48U",
      "reachabilityFailureReason": "",
Carl Zellers asked an excellent question on how EIGRP works when run over FlexVPN with IP unnumbered, considering that routers will not be on a common subnet. I thought this was a great question so I took some help from my great friend, the EIGRP guru, Peter Palúch.
First, let’s examine the behavior when EIGRP is run on a numbered interface. I have built a very simple lab consisting of three routers, R1, R2, and R3, where R1 and R3 are separated by R2. To demonstrate that EIGRP checks that incoming hellos are received on a common subnet, the following simple configurations were applied to R1 and R2:
R1:
interface GigabitEthernet1
 ip address 10.0.0.1 255.255.255.0
!
router eigrp LAB
 !
 address-family ipv4 unicast autonomous-system 64512
  !
  topology base
  exit-af-topology
  network 10.0.0.0 0.0.0.255
 exit-address-family
R2:
interface GigabitEthernet1
 ip address 10.0.1.1 255.255.255.0
!
router eigrp LAB
 !
 address-family ipv4 unicast autonomous-system 64512
  !
  topology base
  exit-af-topology
  network 10.0.1.0 0.0.0.255
 exit-address-family
This results in the familiar messages on the console:
*Jul 15 08:53:20.966: %DUAL-6-NBRINFO: EIGRP-IPv4 64512: Neighbor 10.0.0.1 (GigabitEthernet1) is blocked: not
Wow! I can’t believe it. I’ve been blogging for 10 years! Where did the time go? July 16th 2010 is when I posted to this blog for the first time. It was a post saying “I’m game” and I included Radia Perlman’s Algorhyme.
August 27th 2010, I wrote that I wanted to pass the CCIE lab within two years. Turns out I wasn’t too far from the truth. I passed late October 2012. Greg Ferro himself popped in to wish me good luck:
January 2011, I passed the written. I had a slightly different approach to many, where I spent a considerable amount of time, around 200h if I remember correctly, building a strong foundation before moving on to labbing. Today you would take the ENCOR exam, of course. But I still think this is a valid strategy.
It took me a little more than 6 months to get my first 5000 views. It’s good to remember that. Especially for those of you just starting out. This site has now had more than a million views but it took some time to get there. It doesn’t get as many views as you probably think, either.
I took my first stab at
A colleague needed to connect to several Cisco devices, run some show commands, and save the output. I decided it would be good to practice my Python skills so I coded something together.
Why didn’t you do this in Ansible, Nornir, or another tool of choice? Because the goal was to learn Python, not to minimize the amount of work needed to solve the task.
This work was highly inspired by others such as Debi and John, and wouldn’t be possible without the work of Kirk. Also thanks to Patrick and Nick for giving me pointers on the code.
From a high level, the script will perform the following tasks:
In order to perform the tasks, the script relies on several modules:
Colorama – Used to color code terminal output
Netmiko – Used to set up the SSH connection to the device and parse the output
Datetime – Used to create a timestamp
Getpass – To get the password from the user without displaying it to the
Python classes are very useful when you need to create objects with the same characteristics. This is often referred to as Object Oriented Programming (OOP). Not having much of a programming background, I found classes to be a bit confusing, and I wasn’t fully understanding the use of __init__ and self. Thanks to the Twitter community, my friend Peter Palúch, and the videos of Corey Schafer, I now feel I have a better understanding, and wanted to share my findings from a networking person’s perspective.
First, let’s look at why classes are needed in the first place. Let’s say that we want to keep track of our network devices. The attributes we are interested in are:
We can of course create this information manually, without classes, like this:
daniel@devasc:~/DevAsc$ python3
Python 3.8.2 (default, Apr 27 2020, 15:53:34)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> device1_hostname = "r1"
>>> device1_vendor = "Cisco"
>>> device1_type = "router"
>>> device1_model = "ISR4331"
>>> device1_loopback = "192.0.2.1"
>>> device2_hostname = "sw1"
>>> device2_vendor = "Cisco"
>>> device2_type = "switch"
>>> device2_model =
Time for another Python challenge. This time it’s the palindrome challenge. What is a palindrome? A palindrome is a word, number, phrase, or other sequence of characters which reads the same backward as forward. Some examples are level, radar, stats.
The goal is to take a string the user inputs, reverse the string, and see if it’s identical backward and forward. I will divide my code into two functions:
The first function simply takes the string that is input. The second function checks if it’s a palindrome and prints the result.
As always, let’s first start with a docstring:
"""Program to check if string is a palindrome"""
Then we create a function to get the string from the user. This code should look familiar if you went through the divisors challenge.
def get_string():
    """Get a string from user to be used in function to check for palindrome"""
    # Get string from user with input() and return result
    user_string = input("Please enter a string to check if it's a palindrome: ")
    return user_string
Now for the more interesting part, to check if a string is a palindrome. To do that, we need to reverse the string. How can we
As part of Nick Russo’s DevAsc study plan, he recommends doing a few Python challenges to check your existing knowledge of Python. One of these is the Divisors challenge. The goal of this exercise is to take a number, such as 12, and then find all the divisors, that is, the numbers that you can divide 12 by with no remainder. These would be 1, 2, 3, 4, 6, and finally 12 itself.
Now, solving this doesn’t take a lot of code. However, I decided that gold plating is allowed in my studies of code. That is, I would rather practice writing functions from the get-go than just quickly move on from exercises.
To find divisors, we need a little basic math. We can use the modulo operation to find the remainder of a division. For example, if you divide 5 by 2, the remainder is 1. We call this 5 modulo 2. Because there is a remainder of 1, this means that 2 is not a divisor of 5. If we instead use 9 and 3, with 9 modulo 3, the remainder is 0. This means that 3 is a divisor of 9. We then
For those that follow me on Twitter, you probably know that I’m an avid runner and post some of my experiences there. My current goal is to become a sub 20 minute 5km runner, which is turning out to be an aggressive goal. I’m probably at around 22 minutes right now. As I always do, I try to learn from different areas of life and cross-apply that to what I do in IT. When you think about it, it’s not that different! Here are things I’ve learned from trying to become a better runner that you can apply to your IT training.
Plan – The saying “failing to plan is planning to fail” is quite accurate. Many runners don’t have a plan and end up just running around the same pace every training session. That leads to mediocre results. The same is true when trying to become better at something in IT. You don’t always need a super detailed plan, but you need a plan. A certification is one of the tools to help you build that plan.
Discipline – A plan is no good if you don’t materialize it. Sometimes it’s tough, and you don’t feel like living
Linux is becoming more and more prominent in the networking industry. Many of us come from a mixed background and have varying levels of knowledge of Linux. I’ve been around Linux for a long time but never really got beyond the most basic stuff. Looking back, I wish I had spent some more time learning Sed, Awk, regex, Bash, etc. I was doing some labs over at NRE Labs (great labs), and wanted to highlight some of the things I learned.
Sometimes you want to quickly append something to a file or send several lines of text to a Linux command. That can be done using “here documents”.
First, look at this small configuration:
daniel@devasc:~/DevAsc$ cat config.txt
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
!
Now we want to append another interface to the end of this file. We can do that using cat:
daniel@devasc:~/DevAsc$ cat <<EOT >> config.txt
> interface GigabitEthernet0/4
> switchport mode access
> switchport access vlan 10
> !
> EOT
After the cat command,
XML, or Extensible Markup Language, rounds out the usual suspects of YAML, JSON, and XML. It’s probably my least favorite of the three, but knowledge of XML is needed when working with code.
XML is, of course, related to HTML. So why didn’t we just settle for HTML? It turns out machines don’t understand HTML very well. They can parse it perfectly fine, yes, but in HTML you put information in, such as an address, and you understand it’s an address because you are a human. A machine doesn’t know that Baker Street is an address unless you tell it.
XML consists of tags, elements, and attributes. Let’s take a basic example and then go through these in more detail:
<?xml version="1.0" encoding="UTF-8"?>
<address>
  <name>
    <title>Mr</title>
    <first-name>Sherlock</first-name>
    <last-name>Holmes</last-name>
  </name>
  <street>221B Baker Street</street>
  <city state="NA">London</city>
</address>
First, we declare that this is an XML document and the encoding used. This is called a prolog. It’s optional, but if included, it should always be the first line.
The tag <address> is the root of the document. We must always have a root. The tag <address> has three children:
<name>
<street>
<city>
The tag <name> has three children as well:
JSON, JavaScript Object Notation, is one of the usual suspects when it comes to network automation, YAML and XML being the other two. It’s easy for machines to parse and generate, and the readability is good, better than XML, although YAML is easier for humans to read.
JSON is based on a subset of the JavaScript programming language, as the name implies.
JSON, just like YAML, supports single values, lists, and key/value pairs.
JSON is commonly used to interchange data between different systems.
JSON has no requirement for indentation or white space, which YAML has. That said, to make it human readable, it still makes sense to indent, most likely with either two or four spaces.
JSON supports the following data types:
YAML, previously known as Yet Another Markup Language, but now YAML Ain’t Markup Language, is a human-friendly data serialization standard for programming languages.
YAML and JSON, JavaScript Object Notation, are related to each other, where YAML, according to the YAML 1.2 specification, is a superset of JSON.
YAML supports scalars, sequences, and mappings. A scalar is a string, a number, or a boolean; a sequence is a list; and a mapping is a key/value pair.
YAML is commonly used for configuration files in open source tools, and Ansible, a network automation tool, uses YAML for its playbooks.
When it comes to YAML syntax, be aware of the following:
Scalars are single values. A scalar can be a string, a number, or a boolean value. Strings don’t need to be quoted, except in some special cases:
People that know me know that I like to be open on sharing thoughts, insights, things I’ve learned, and my struggles. Many people have put their trust in me and I consider it important to show that perceived leaders of the networking industry have the same thoughts and struggles as everyone else.
I wrote this tweet which gained a lot of response and positive comments (thank you).
I’ve dabbled with Python a couple of times over the last couple of years. I know the very basics but I haven’t done much beyond that. Why haven’t I done more automation? There are some different reasons as to why, including the fear of not being very good at it.
Job role – I’m a Network Architect. What I enjoy the most, my passion if you will, is to engage in discussions with customers and create
I got into some interesting discussions about IPv6 on Twitter. Then someone asked if Android is getting DHCPv6 support in version 11 of the OS.
When IPv6 was developed, initially with RFC 2460, there was this idea that:
Forget all you've learned about IPv4, and design IPv6 from the ground up
This sounds good in theory but completely ignores the lessons we’ve learned from IPv4. Not to mention, there is no such thing as greenfield. Almost all networks are existing ones; you don’t get to start all over again. There was this very shiny view of end-to-end connectivity, /64 everywhere and only SLAAC allowed. I get all of that, it’s like saying “I wish there were no wars”, but unfortunately, people are stupid, so there will be wars. There’s this naivety, similar to a teenager that is growing up. You want to change the world, then you realize the world is run by money, mega corps, and dirty politicians.
This whole mess led to the holy wars of SLAAC + RDNSS vs DHCPv6. Please note that SLAAC