Wednesday, January 5, 2022

Network Engineering and Automation Questions for Review or Interview Preparation


Hello everyone,

As you know, many of us study and struggle a lot in order to reach the level where we can call ourselves Network Engineers. Studying and learning alone are not enough, however, because we forget what we studied after a while if we don't use it, and while we try to learn new things and stay up to date, landing a new job requires staying fresh on many networking topics.

You might be a great network engineer, but you will not get the job based on incomplete answers about topics you already know but have forgotten how to talk about or explain in an interview.

I was thinking of making Anki flashcards for network engineers who are willing to apply for a job or want to review networking topics, so I started working on this. The link below contains the file, which I will continue to update and re-upload on a daily or weekly basis.

https://drive.google.com/file/d/1wboDLmZeL1DL_onoDCpt05Pc_7wBq79s/view?usp=sharing


This file contains the following topics:

1. BGP

2. OSPF

3. Network Automation

4. DevOps

5. MPLS

6. TCP

7. EIGRP


You can download the file and then open it with the Anki software on your computer.

anki software > https://apps.ankiweb.net/


I hope you benefit from it. 


Samer.


Friday, December 10, 2021

Fixing the Palo Alto firewall "failed to send telemetry file" problem

In this post, I will be talking about a problem that you may face with Palo Alto Networks firewalls.

The problem shows up in a log that the firewall generates while trying to send the telemetry file and failing:

10>Dec 6 23:40:04 FMC-PA-820-PRMARY 1,2021/12/06 23:40:04,0120010412345,SYSTEM,device-telemetry,2561,2021/12/06 23:40:04,,send-failed,,0,0,general,critical,"Failed to send: file

The log above is informing us of a problem sending the telemetry file to the Palo Alto Networks cloud.

What does this mean?

The firewall collects and forwards different sets of telemetry data to Palo Alto Networks based on the Telemetry settings you enable. The firewall collects the data from fields in your log entries (see Log Types and Severity Levels); the log type and combination of fields vary based on the setting. Review the following table before you Enable Telemetry.

source: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/share-threat-intelligence-with-palo-alto-networks/what-telemetry-data-does-the-firewall-collect.html 

This means we have to fix the issue, because it is important.
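A failure like this is easy to miss if nobody reads the firewall's system log, so it is worth pulling the event out automatically on a log collector. The following Python is an added example, not part of the original post and not Palo Alto Networks' tooling: it parses syslog lines in the shape of the message quoted above (the sample lines are constructed, with a made-up hostname, serial number and timestamps) using the PAN-OS system log column layout (type, subtype, event ID, module, severity, description) and filters out the device-telemetry / send-failed events.

```python
import csv
import re
from io import StringIO

# Constructed sample syslog lines in the shape of the PAN-OS system log message
# quoted in the post. Hostname, serial number and timestamps are made up.
SAMPLE_LOGS = [
    '<10>Dec  6 23:40:04 FW-EXAMPLE 1,2021/12/06 23:40:04,000000000000001,SYSTEM,'
    'device-telemetry,2561,2021/12/06 23:40:04,,send-failed,,0,0,general,critical,'
    '"Failed to send: file"',
    '<14>Dec  6 23:41:10 FW-EXAMPLE 1,2021/12/06 23:41:10,000000000000001,SYSTEM,'
    'general,0,2021/12/06 23:41:10,,general,,0,0,general,informational,'
    '"Commit job succeeded"',
]

# Syslog header: optional <PRI> (the post's copy lost the "<"), timestamp, hostname, body.
SYSLOG_RE = re.compile(
    r"^(?:<?\d+>)?(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$"
)

# Column positions in the comma-separated PAN-OS system log body.
FIELD_INDEX = {
    "receive_time": 1, "serial": 2, "type": 3, "subtype": 4,
    "event_id": 8, "module": 12, "severity": 13, "description": 14,
}


def parse_system_log(line):
    """Return a dict of the interesting fields, or None if this is not a SYSTEM log."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # The body is CSV and the description is a quoted field, so use the csv module
    # rather than a plain split so commas inside the quotes survive.
    fields = next(csv.reader(StringIO(m.group("body"))))
    if len(fields) <= FIELD_INDEX["description"] or fields[FIELD_INDEX["type"]] != "SYSTEM":
        return None
    record = {name: fields[idx] for name, idx in FIELD_INDEX.items()}
    record["host"] = m.group("host")
    record["syslog_time"] = m.group("ts")
    return record


def is_telemetry_failure(record):
    """True for the device-telemetry / send-failed event the post describes."""
    return (
        record is not None
        and record["subtype"] == "device-telemetry"
        and record["event_id"] == "send-failed"
    )


def telemetry_failures(lines):
    """Filter a batch of syslog lines down to the telemetry send failures."""
    return [r for r in map(parse_system_log, lines) if is_telemetry_failure(r)]


if __name__ == "__main__":
    for failure in telemetry_failures(SAMPLE_LOGS):
        print(f"{failure['host']} {failure['serial']} {failure['severity']}: "
              f"{failure['description']}")
```

The same `parse_system_log` record can feed any other system-log alert (for example, anything with severity critical); the telemetry filter is just the case this post is about.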

OK, so one thing to notice here is that the relationship between the Palo Alto firewall and the Palo Alto cloud is a client-server relationship, and since this goes over the internet, authentication and encryption must take place in the process to secure the connection between client and server.

This means we need to authenticate our firewall in order to get the telemetry sent to the Palo Alto Networks cloud.

How are we going to authenticate? The answer is via a certificate.

What do you need to get this certificate?

1. Telemetry must be enabled. This is done as follows: click the settings icon, enable telemetry, choose the region, and then commit.

2. Support, and access to the Palo Alto Networks support portal.

3. The serial numbers of your firewalls that are supposed to be under support.

Once you have logged in to the Palo Alto support portal, go to Assets > Device Certificates > Generate OTP.

Here you must select the serial number of the asset, then generate the OTP and copy it.

Now you must go back to the firewall: Device > Management > Device Certificate > Get Certificate.

Paste the OTP and apply it; this should show a fetch status of success, like below.

Note: the image above shows the status after the certificate import is done.

Once all of these steps are finished, you should be able to generate a telemetry file by going to:

Device > Telemetry > settings icon > Generate.

I hope this was useful.

Samer R. Saleem

Thursday, December 9, 2021

How to enable call conferencing on CUCM?

In this post I will be configuring Cisco Unified Communications Manager to allow users to join a phone call and make a conference.

Follow these steps:

1. Log in to the CM Administration page

2. Go to Call Routing > Conference Now

3. Add New > and configure something similar to the following:

Add a number that you will dial to join a conference, such as *3000.

Select the route partition, and choose the Music On Hold option if you want to.

Now note that the number you want to host a conference from must have the following configuration under End User.

Go to End User > search for a number, such as 1169 in my screenshot.

Add the following, because it is really important: Self-Service User ID.

Without this step you will not be able to configure the one below:

"Enable End User to Host Conference Now" must be ticked.

Then add the access code that you will have to enter when dialing *3000.

Now all you have to do is make a call from extension 1169, then from another extension dial *3000. Once you hear the answering machine asking for the meeting number, enter 1169, then enter the Attendees Access Code 123123, and you will join the call.

Hope this helps!

Samer R. Saleem



Thursday, November 18, 2021

Ansible ad-hoc to show information from Cisco Switch

Ansible has proved to be a very useful tool that can make our lives easier.

Today I am writing about my learning experience using Ansible and my baby steps toward the automation and programmability world of networking!

Let's start by mentioning that Ansible has two ways (as far as I know) of interacting with network devices or servers:

1. The short way > ad-hoc commands

2. The more advanced way > Ansible playbooks

Ansible ad-hoc commands provide easy and fast access to devices from your terminal and let you execute commands faster than the usual process; they can also reach a list of multiple hosts at the same time and do things like gathering information in one command line.

In my example below you can see how I used the ansible command to access a switch with the IP address 10.211.10.36 and ran some of the usual Cisco IOS commands we use to show configuration or information for our daily tasks.

The ansible command I used was:

%ansible all -i ./hosts -m raw -a "show interface status" -u samer -k

Here "all" means all the host IP addresses in the file named "hosts".

Another output can be seen below, for "show arp" on the same switch:

While getting output like this looks very easy, you may run into some problems before that command line runs without errors, so here is what I got and managed to fix with some Google searching:

1. An error about the Diffie-Hellman group between my macOS and the switch, which

Fix:

Note: this error will also be seen when you try to SSH directly from your terminal to the switch without even using Ansible, which makes it a problem with SSH on macOS in this case. Here is how to solve it.

a. Go to /etc/ssh/ (cd /etc/ssh/) and run $sudo nano ssh_config

b. Uncomment the following parts:

c. Paste the following at the end of the same file:

Save the changes and try to SSH again from your terminal. If that works, try your ad-hoc command and it should work fine.

2. An error about failing to connect to the host via SSH, which showed up after fixing error 1:

Failed to connect to the host via ssh: mux_client_request_session: exitval sent twice\r\n"

Fix:

Paste the following into the ansible.cfg file using nano and then save the changes:

connection: local


I hope this was helpful.


Samer R. Saleem



Friday, November 5, 2021

Ansible Another Step Into Network Automation

What is Ansible?

Ansible is a network automation tool; it works with YAML to push configs to, or get configs from, a network device or a group of devices or hosts.

Ansible works over SSH, which means you need to have Netmiko or Paramiko installed along with Python in order for Ansible code to work.

How to install Ansible?

Simply type this command into your terminal (Linux or Mac): $pip install ansible

You can then check your installed version using the command $ansible --version

like below:

Since we already mentioned that Ansible works with YAML as its data modeling language, we need to install YAML support as well. You can install it with:

$pip install PyYAML

The link below has more documentation about YAML:

https://pypi.org/project/PyYAML/ 


NOTE: you might face a problem while trying to run Ansible code because of SSH keys between your computer and the network device/host you are trying to connect to, and this will cause an error similar to the following screen:

There is a workaround for this by adding a setting to the ansible.cfg file, as below:

You can open a file and name it ansible.cfg with nano:

$nano ansible.cfg

Then add:

[defaults]

host_key_checking = false


Save the file and run your Ansible code again.

OK, now on to writing a simple Ansible playbook to get facts from a Cisco IOS device.

1. In order to do that, you need to have a list of hosts configured, and that file will be created in the same directory that I will be creating my Ansible code from, which is:

samer@Samers-MacBook-Pro ansibleproject % pwd

/Users/samer/Documents/ansibleproject

[cisco] is the group of devices/hosts, so you can list your hosts below it, just like I am listing 10.211.10.36 here for my testing.

[cisco:vars], as you can see, holds the other information, like the OS, username and password of the device/host listed in the cisco group above.
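Both ansible.cfg and an INI inventory are plain INI files, so they can be checked before a run. The following Python is an added example (mine, not the post's code and not part of Ansible). It reads a constructed ansible.cfg containing the host_key_checking workaround from above and a constructed inventory in the [cisco] / [cisco:vars] layout just described, using the standard Ansible variable names ansible_network_os, ansible_user and ansible_password (the password value is invented, the switch address and username are the ones from the post). It flags two things a practitioner should know about: host_key_checking = false switches off SSH host key verification, so a device answering on the switch's address would not be noticed as a different host, and a clear-text ansible_password in the inventory travels with every copy of that file. The hardened variants keep verification on (add the switch's key to known_hosts instead) and leave the password out of the inventory, which is what the post's -k flag already supports by prompting for it; ansible-vault is the other option.

```python
import configparser

# Constructed ansible.cfg matching the workaround described in the post.
WEAK_CFG = """[defaults]
host_key_checking = false
"""

# Hardened variant: keep verification on and add the device key to ~/.ssh/known_hosts.
HARDENED_CFG = """[defaults]
host_key_checking = True
"""

# Constructed inventory in the [group] / [group:vars] layout from the post.
# 10.211.10.36 and the username are the ones used in the post; the password is made up.
WEAK_INVENTORY = """[cisco]
10.211.10.36

[cisco:vars]
ansible_network_os=ios
ansible_user=samer
ansible_password=ChangeMe123
"""

# Hardened variant: no stored secret; run with -k (prompt) or use ansible-vault.
HARDENED_INVENTORY = """[cisco]
10.211.10.36

[cisco:vars]
ansible_network_os=ios
ansible_user=samer
"""

# Inventory variables that carry credentials.
SECRET_KEYS = ("ansible_password", "ansible_ssh_pass", "ansible_become_password")
FALSE_VALUES = ("false", "no", "off", "0")


def parse_ini(text, allow_no_value=False):
    """Parse INI text; allow_no_value=True is needed for the bare host lines of an inventory."""
    cp = configparser.ConfigParser(allow_no_value=allow_no_value, interpolation=None)
    cp.read_string(text)
    return cp


def audit_ansible_cfg(text):
    """Return (setting, problem) tuples for weak settings in ansible.cfg."""
    cp = parse_ini(text)
    findings = []
    value = cp.get("defaults", "host_key_checking", fallback="true")
    if value.strip().lower() in FALSE_VALUES:
        findings.append((
            "host_key_checking",
            "SSH host key verification is disabled; add the device key to known_hosts "
            "and set host_key_checking = True",
        ))
    return findings


def audit_inventory(text):
    """Return (section/key, problem) tuples for clear-text credentials in an INI inventory."""
    cp = parse_ini(text, allow_no_value=True)
    findings = []
    for section in cp.sections():
        if not section.endswith(":vars"):
            continue
        for key, value in cp.items(section):
            # A value starting with !vault is already encrypted by ansible-vault.
            if key in SECRET_KEYS and value and not value.lstrip().startswith("!vault"):
                findings.append((
                    f"{section}/{key}",
                    "clear-text credential in inventory; prompt with -k or encrypt with ansible-vault",
                ))
    return findings


def inventory_hosts(text, group):
    """List the hosts under a plain [group] section."""
    cp = parse_ini(text, allow_no_value=True)
    return [host for host, _ in cp.items(group)] if cp.has_section(group) else []


if __name__ == "__main__":
    for label, findings in (("ansible.cfg", audit_ansible_cfg(WEAK_CFG)),
                            ("hosts", audit_inventory(WEAK_INVENTORY))):
        for where, problem in findings:
            print(f"{label}: {where}: {problem}")
```

Run it against your own ansible.cfg and hosts file by reading them with `open(...).read()` in place of the constructed strings; an empty list from both audits is the state to aim for before the first playbook run.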

OK, now let us create the Ansible code, by creating a file that I named test.yml (a YAML format file).

As you can see, the file starts with (---),

then (-) name, the group of hosts, the connection type (SSH), then the tasks that Ansible will perform on the host (tasks:).

NOTE: white space is really important and you will have problems running the code if you do not have the correct spacing.

Example of an error caused by a missing space:

OK, so our Ansible task will be to get the software version of the host (10.211.10.36), and this is done with the last task, named "VIEW OS VERSION", which uses the variable ansible_net_version.

How to run the code now?

$ansible-playbook -i hosts testing.yml

Of course my terminal is already inside the same directory; if your path is not the same directory, then you need to add the full path for the files.

(-i) here means inventory, which means run Ansible against the inventory at the path hosts, and the playbook file is testing.yml.

Ansible will check the hosts/groups in the file called hosts and use the login information in the [vars] section to log in to the host using SSH (Netmiko/Paramiko).

Once you fix all of the white-space issues and run the code, you should get the following screen of output:

The green screen! OK=1 and failed=0.


Note: you can use an Ansible ad-hoc command to push quick commands and do things fast on one host, using the following format:

$ansible 10.211.10.36 -m raw -a "show version" -u samer -k

where -k prompts for the password.

This is my introduction to Ansible for network automation.


Good resources can be found here:

https://developer.cisco.com/startnow/

https://docs.ansible.com/ansible/latest/collections/cisco/ios/ios_command_module.html#examples

https://learningnetwork.cisco.com/s/question/0D53i00000mt0ZGCAY/mastering-ansible-for-the-devnet-associate-exam-derek-winchester




I hope this was useful.

Samer R. Saleem




Thursday, October 28, 2021

Access into Network Programmability

It has been almost two months since I decided to start my studies to get my first certificate on the DevNet path.

Things were really confusing at first because honestly I knew nothing about programming in general. I studied languages like Pascal at university, but that was a long time ago and a lot has changed since then (2005-2009).

Knowing that studying programming at university does not necessarily mean you are going to be able to write code or become a programmer per se.

Anyway, let us talk about the networking world these days and how Cisco is contributing to making the new network engineering career and keeping its certified engineers at the top!


As we all know, working on big networks can be really time consuming when it comes to routine tasks: things you might be tasked to do by your manager that require lots of logins and typing lots of commands into switches/routers/firewalls.

And as we all know, many of our networks today are composed of different products from different vendors.

This imposes many risks in addition to the main one, which is the time and effort required to do a task that might be very simple to achieve on one or two devices, while the risk of making mistakes when working on a huge network is high.

This is why many network engineers who had programming skills were already trying to solve such problems using programming tools.

We all worked our way through this to make our jobs a little easier, by using Notepad to make scripts of commands and pasting them into network nodes.

This came in handy even in monster exams like the CCIE.

In our work environments we might even have used SecureCRT and sent commands to all tabs via the Command window.

But what if we have hundreds of mixed products from different companies?

Well, Cisco created a whole certification path to help us as engineers understand and ease our tasks and save our time by learning new (but not really new) skills that add up to our knowledge and support us in being more innovative. This is why the Cisco DevNet courses were launched: to teach us, from zero to hero, how to work in the new era of network engineering.

When Cisco published the free courses on the Cisco Learning Network site, the course had materials that teach you Linux, Windows, macOS, VS Code, Python, Git, GitHub and how to make your PC a development environment.

https://learningnetwork.cisco.com/s/learning-plan-detail-standard?ltui__urlRecordId=a1c3i0000005hsLAAQ&ltui__urlRedirect=learning-plan-detail-standard

You can learn about APIs and how to practically use Python to write code that can actually help you in your daily tasks.

All of the tools mentioned above are standard, work on any computer for free and require nothing else to operate.

Of course the certificate will be combined with training on Cisco products like Cisco DNA and Cisco SD-WAN.

Here is a look at the path of the DevNet certification:

Image source: Cisco.com

Cisco has announced the Expert level recently, as you can see from the "New" above.

This all brings us to the moment where we ask ourselves: do you want to stay a legacy network engineer, or do you need to move on and keep yourself updated? Of course, in the IT field you should always keep your knowledge fresh and up to date; otherwise, you should really think about doing something else, because the IT world is never going to stop evolving.

You should evolve as well, or you are going to go extinct.


OK, so how is adding programmability to my networking skills going to help me in my work? In simple words, you can write one script that will help you configure or pull data from a large number of nodes in a few seconds, and of course you will keep these scripts and use them from time to time whenever needed! What if the nodes are from different vendors?

That is also OK, because you can use Python libraries that work with different vendors at the same time, without the need to create unique code for each vendor.

Example: using NAPALM to configure or get configuration from nodes; check the list below for the supported vendors.

Image source: napalm.readthedocs.io

More information about the supported list of devices can be found at the link below:

https://napalm.readthedocs.io/en/latest/support/index.html


That being said, how did I start my journey on this path? First, of course, I started with the denial phase, which is "I'm a network engineer and not a programmer!",

which is basically wrong, because network engineers do programming on a daily basis while they do their work on any network device!

Anyway, once I had the courage to start, I started with practical Python learning, which means getting the code, even if it's copied entirely from a site; I would do it just for the sake of trying the code and seeing how it works.

My training started with a very cheap course that I got from Udemy for $11, and this course came in handy! I actually used a script to get all the serial numbers for a small inventory job, which was done in a matter of seconds! (Of course, making the script work took some work and time to execute :p, but I can still use it in coming tasks and will spend no time making it work.)

OK, so this was my first course, and the important thing is how you find the video, book, blog or anything else that will give you the spark to start understanding and loving the thing you have been procrastinating about getting your hands dirty with!

Every person learns differently: some people like to read books first and some prefer to study by video first. Well, I am the video-first type of learner; I like to know what I'm going through before I start, which means I have to watch the videos first and then read the books.

It does not matter; just do what makes you comfortable and makes studying easy.

Another good resource to study for the DEVASC would be the official certification guide from Cisco Press; if you get the premium edition, it comes with a test engine that you can use to test yourself with its multiple-choice questions.

The book goes through the blueprint and explains the topics in each chapter: you see Python and Cisco DNA, APIs, REST and SD-WAN, JSON, XML, YAML and YANG, RESTCONF and NETCONF.

The crucial part of preparing your development environment is choosing the system you will work on: is it going to be Linux, Windows or macOS? I have seen many people recommend Ubuntu Linux, and the Cisco video courses do go through the setup of Ubuntu as a workstation for this, but I chose Windows and macOS.

Basically, macOS is the most programming-friendly environment, IMO.

So why go to Ubuntu? Of course it does not hurt to learn Linux, but in my case I want the most stable system.

Next, you will need to decide how you will practice and run your code, because you can use VS Code to write code and send it to real/lab nodes directly, but GNS3 is also a great option for your labs, especially the option to download the network automation appliance that comes with all the needed tools ready to use (you can search for it and find it on the GNS3 site).

Personally I prefer both GNS3 and real equipment, because once you make sure your script is fine, you can make some use of it.

There is a list of requirements that you need to make sure to download and install in your environment, whether it is Linux, Windows or macOS.

The list includes, but is not limited to: Python (latest version), Ansible, Paramiko (Netmiko), a Telnet library, NAPALM, pyATS, YANG, JSON... etc.

Note that with all the pros of network programmability there are of course cons, because we cannot exclude the human error factor from this: imagine running a script against a number of devices with some mistake in the code; this is going to be catastrophic in some environments.

This is my journey toward the Cisco DEVASC; it has started and is not going to end until I achieve my goal and pass the exam.


Will be updated soon!


Samer R. Saleem


Monday, October 25, 2021

Product review (Cisco CBS250 Switch)

In this post, I will be reviewing my notes and experience during my work on new switches from Cisco,

the switches that I used to replace old HP switches.

First of all, the Cisco CBS250 switches have a nice white color and a beautiful Cisco logo; they come in different sizes, supporting from 8 to 48 ports, and of course SFP ports.

Have a look at a real photo of the product:

Link to these products:

https://www.cisco.com/c/en/us/products/switches/business-250-series-smart-switches/index.html?ccid=cc001531


Price starting from: $235.00 USD

OK, now let's start talking a little bit about the configuration side of the switch:

1. It supports a GUI (which is very nice and well structured)

2. SSH and Telnet (remote)

3. Console

The switch also comes with a default username and password of (cisco), and you will be asked to change both after your first login.

One of the nice things I noticed is that the switch also has automatic baud rate detection, which allows you to connect to the switch without even altering your serial settings.

Don't mind the rubbish on the first line; it shows up during switch bootup because the auto-detection is not active yet.

So now let's talk about network features, starting with the commands that you will need to configure the switch in order to make it ready for work.

1. Add a hostname using the command #hostname xxxxxx

2. Enable SSH if you want to connect to it via SSH: #ip ssh server

then you need to go to:

#line ssh   (no more VTY)

(config-line)#login authentication default  (this makes the switch use the default authentication method configured)

3. Set the management IP address: #interface vlan x   then #ip address x.x.x.x x.x.x.x

4. Set the gateway: #ip default-gateway x.x.x.x

Note: at this point you will also be able to log in to the switch using HTTP/HTTPS (GUI), but of course you need to have set the management IP address first.

Creating the VLANs can be done at the beginning, because you need to have them ready before you configure the SVI.

So now we talk about the voice VLAN, which you must identify in the switch:

#VLAN 34

#voice vlan ID 34

You might need to add the OUI of the phones if it is not listed in the OUI table:

OK, what about the switchport types? Below are the types you can configure a port as, according to your needs:

1. Access (VLAN-unaware port)

2. Trunk (VLAN-aware port)

3. General (generic port mode)

4. Customer (customer equipment port)


Note: by default the switch comes with a macro enabled that will put interfaces into VLANs automatically and even add a description, but in my case I had to disable it and configure the ports according to my requirements.

Here is how you disable the macro globally:

#no macro auto

Or you can disable it per interface:

#no macro auto smartport

You can also create your own macro:

(config)#macro name SAMER

OK, so which mode should you put your interface in? For end users you usually need ports to be access ports, but since you need a phone too, we used to have the switchport voice vlan command; now this command is no longer available.

You have the following options:

1. Automatic configuration using the macro

2. Configure the port as a trunk (I don't think this is a good idea)

3. Configure the port in general mode, use the tagged option for the voice VLAN and untagged for the PC VLAN, and then set the PVID to the PC VLAN.

In case you won't be needing a phone on the port, make it access mode only.

And of course the uplinks must be trunks.

Here is an example:

interface GigabitEthernet1
 description DESKTOP
 port security max 2
 switchport mode general
 switchport general allowed vlan add 110 tagged  (Voice)
 switchport general allowed vlan add 16 untagged (User PC)
 switchport general pvid 16
 no macro auto smartport
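A stanza like the one above is usually pasted into dozens of ports, which is exactly where a mistake in a script hits many devices at once. Here is an added Python example (mine, not from the post and not Cisco's tooling) that renders the general-mode user-port stanza from a few parameters and then checks any stanza for the rules the post spells out: exactly one untagged PC VLAN that is also the PVID, the voice VLAN tagged (and never untagged), general mode set, and the smartport macro disabled. The command syntax is taken from the example above; the port name and VLAN numbers are the post's.

```python
import re

# Matches the allowed-vlan and pvid lines from the CBS250 "general" mode example
# in the post; trailing notes such as "(Voice)" after the keyword are tolerated.
ALLOWED_RE = re.compile(r"^\s*switchport general allowed vlan add (\d+) (tagged|untagged)\b")
PVID_RE = re.compile(r"^\s*switchport general pvid (\d+)\b")


def render_user_port(name, description, pc_vlan, voice_vlan, max_macs=2):
    """Render a general-mode user port: voice VLAN tagged, PC VLAN untagged and PVID."""
    lines = [
        f"interface {name}",
        f" description {description}",
        f" port security max {max_macs}",
        " switchport mode general",
        f" switchport general allowed vlan add {voice_vlan} tagged",
        f" switchport general allowed vlan add {pc_vlan} untagged",
        f" switchport general pvid {pc_vlan}",
        " no macro auto smartport",
    ]
    return "\n".join(lines)


def check_general_port(stanza, voice_vlan):
    """Return a list of problems; an empty list means the stanza follows the rules."""
    tagged, untagged, pvid = set(), set(), None
    macro_disabled = general_mode = False
    for line in stanza.splitlines():
        if m := ALLOWED_RE.match(line):
            (tagged if m.group(2) == "tagged" else untagged).add(int(m.group(1)))
        elif m := PVID_RE.match(line):
            pvid = int(m.group(1))
        elif line.strip() == "switchport mode general":
            general_mode = True
        elif line.strip() == "no macro auto smartport":
            macro_disabled = True
    problems = []
    if not general_mode:
        problems.append("port is not in general mode")
    if len(untagged) != 1:
        problems.append("expected exactly one untagged (PC) VLAN")
    elif pvid not in untagged:
        problems.append("pvid does not match the untagged PC VLAN")
    if voice_vlan not in tagged:
        problems.append(f"voice VLAN {voice_vlan} is not tagged")
    if voice_vlan in untagged:
        problems.append(f"voice VLAN {voice_vlan} must not be untagged")
    if not macro_disabled:
        problems.append("smartport macro is still active on this port")
    return problems


if __name__ == "__main__":
    # Render the post's example port plus two more desks, then verify each stanza.
    for port in ("GigabitEthernet1", "GigabitEthernet2", "GigabitEthernet3"):
        stanza = render_user_port(port, "DESKTOP", pc_vlan=16, voice_vlan=110)
        print(stanza, "\n ->", check_general_port(stanza, voice_vlan=110) or "ok")
```

The check is the part worth keeping: run it over every rendered stanza before pushing the batch, so a swapped VLAN number or a forgotten pvid line is caught on your workstation rather than on the switch.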

Lots of configuration syntax has changed. For example, port security is not like before:

The modes changed to permanent and lock (not sure if this was changed a long time ago or I just didn't use Cisco switches for a long time!).

I found the tab option, which shows the syntax options for the available commands or completes the command, a bit annoying because it is not working like before.

Overall, Cisco switches are always great, hardware and software, and the communities that can respond to your questions are also really great.

You can't find this on other vendors' forums.

Lastly, I want to talk about the GUI, which I found pretty nice:

You can choose HTTPS from the window itself, as below:

The design is well structured, as you can see below, and the interface is really interactive:

Well, this is all I have for now. I hope this was useful!

 

Samer R. Saleem