SD WAN Underlay Options

This article was first written by @aaronengineered and posted to his blog aaronengineered.com.

SD WAN typically consists of two parts. An overlay and an underlay. This article will cover the underlay.

And we can kick this off by saying that underlay is just a fancy term for connectivity. 

I would hope this goes without saying but here it goes anyway, we need connectivity for SDWAN to work at all. Yes, you read that right. We need external connectivity to the outside world. 

I know. EARTH shattering stuff there.

After all, the idea here is to get you off and running with your first WAN or to give you a nice shiny new version of the one you have now. 

Take note of the image below. This is an Edgeconnect SD ROUTER from Silverpeak – an SDWAN vendor. You can see that even on this device there are two dedicated WAN ports, wan0 and wan1. We know that these are clearly WAN ports because it’s telling us that(obviously). What we don’t know is what are we allowed to plug into those ports?

In this image we can see that we have two different Internet connections. Specifically, a Cable and DSL internet connection.

That being said, we aren’t limited to just using internet connections like the example. We have options and I have narrowed down them down to two distinct categories.

The first is just a standard internet connection, sometimes referred to as a “public” connection. The other is some type of managed wan or leased line often referred to as a “private” connection. I want to point out too that the options listed below are based in the United States. Names and connection types can vary from country to country.

Typical Internet connection types

For the most part, these are geographically dependent. Meaning, if you live in a large metropolitan area you may be lucky enough to have all of these options at your fingertips. If you don’t live in a large city you might be in a different situation so T1’s and 4G LTE connections become the primary option. Normally that might be pretty limiting but with SDWAN we will see that it isn’t so much of a big deal any more. 

Here are some of the main Internet connection types:

  • Cable internet 
  • DSL
  • Fiber based Ethernet 
  • T1 
  • 4G LTE 

All of these vary in their delivery method and price but most importantly their speed and quality. (Which are a big deal to Network Engineers like us)

There are other factors at play here as well and any good WAN architect will tell you it’s not all about the speed. So of course latency, jitter, and packet loss will all be considered as well. 

Managed connectivity options from your ISP

  • Metro Ethernet
  • MPLS

*There are other flavors of these connection types that are slightly different but the idea is pretty much the same so I have left those off the list. For a better look at some of the offerings, click here.

In the past, as a WAN architect, it would be your job to make sure that you aligned the company’s goals and the company’s budget into a nice pretty little package. It’s your job to sell the trade-offs. To better understand what this means, take a look at the above connectivity options. If you did not know, there is quite the price difference between a managed connectivity product like an MPLS and a cable modem that brings you Internet connectivity. 

BUT…. we know that the reason you pay for a managed service is so that you can get things that you need. Those things are usually guarantees around up time, packet loss, jitter and latency just to name a few. 

You see the applications that enterprises are using in todays networks are all very unique. Sometimes they come with strict requirements in the network and can’t tolerate any sort of inconsistency. And that’s ok because managed connectivity solves for that by basically guaranteeing that our traffic will get the white glove treatment. 

The opposite end of this of course, is just a standard broadband internet connection. (See list above) 

These are typically high-bandwidth and low-cost. That’s great if those are my only two requirements but as we read earlier, but that’s not always the case. 

OK let’s make sure we are all on the same page here. 

Private managed WAN’s – typically higher in price but definitely get you the guaranteed delivery you need.

Public Internet connections – low price, high bandwidth, low reliability.

I have to decide between the two options here. Or do I… 

Well my friend, another feather in the cap of the SDWAN router is that it’s often underlay agnostic. Meaning, it doesn’t care what you plug into it. All connections are created equal. 

Well not completely equal but pretty darn close. This just means that the SD Router is going to be looking at whatever you plug into it with a watchful eye. It’s going to be monitoring it for packet loss, jitter, and latency and report back to you with what it finds. On top of that, it’s going to make QoS decisions about what traffic to send and how much of it based on the current health of that link. Again, it doesn’t matter what that link does. 

RAD. 

Putting it all together.

So how does this change the role of the WAN architect? Well for one, it makes the job a lot easier. Since I now have the freedom of picking whatever connection fits the budget best or picking the only service available to me based on geography I can get a LOT more creative in solving for the organizational goals of the company. 

Remember from my previous articles that SDWAN is all about efficiency. How it accomplishes that is by using insights and control. Putting that into context with the underlay – we have insights on how those regular internet connections are performing and make different QoS decisions based off that information to prioritize mission critical traffic in our WAN.

What being ‘underlay agnostic’ means to the SDWAN router is being able to compensate for some of the short-comings of lesser guaranteed connections. This is achieved by having multiple WAN links that are closely monitored. This in turn allows the router to make application routing decisions on the fly if one or more of the connections are not performing up to your pre-defined standards.

Hopefully this has given a bit more insight than you may have had previously. If you enjoyed what you read and would like to learn about something WAN or SDWAN related, find me on twitter at @aaronengineered.

Enjoy responsibly!

Faces of the Journey – Robin Canela

“Faces of the Journey” is a series that highlights individuals in the network engineering community. The journey is the path we take through our careers, and it can be very different for each of us. While the destination is important, it’s all about the journey!

Meet Robin!

Robin Canela, originally from New York City, is a Unified Communications Engineer for a software company based in Florida. While the company is based in Florida, he has been working remotely in Virginia since 2017. Robin has been no stranger to hard work. At just fifteen years old, he started a part time job at a pharmacy. After three years, Robin ventured into retail, and eventually began training as a pharmacy technician. He had aspired to become a pharmacist, but found that school really wasn’t for him. When he turned twenty, Robin made a bold and risky decision to move to Virginia. There, he went back to retail for about a year with Toys R Us, then became a utility locater for around two years. Robin then decided it was time for a change. He updated his resume, and began interviewing. His break into IT came in the form of a contract position imaging computers, that kept getting extended until he was hired on full time as a Desktop Support technician! Robin was drawn to IT by being an avid gamer when growing up. His enjoyment of video game consoles led to the building of his own computers and getting exposure to programming languages. He began to love technology and became more invested in learning and growing. Robin has an aspiration to become CCIE certified and is currently studying for the CCNP certification (he became CCNA certified in February of this year). Eventually, he wants to design networks and travel the world!

Follow Robin:

Blog

Twitter

LinkedIn

YouTube (under construction)

Alright Robin, We’ve Got Some Questions

When learning something new, what methods work best for you? Hands-on learning works best for me. The method I use when studying:
1 – Read
2 – Watch Videos
3 – Practice/labs
4 – Teach others

What advice do you have for aspiring IT professionals? Hard work, enthusiasm and dedication. Don’t compare yourself with others, and most importantly, believe in yourself. One thing I always remember and hold on to is that “every expert was once a beginner”.

What is something you enjoy to do outside of work? This past year I got into woodworking and I absolutely love it. So far I have built an arbor for my wedding (article about it on my blog), storage compartment in my garage, two dog feeding stations, built-in bench with batten boards, and the list keeps growing for things to do. I also love learning new technologies so much that I have invested in a home lab. I have a couple of servers, routers, switches, etc. Virtualization is amazing.

How do you manage your work/life balance? Haha, feels like a trick question. In my relationship the most important things are communication and boundaries. Letting my wife know ahead of time my plans, goals, and schedule for the day really helps. When I don’t communicate, oh boy. Since I have been working remotely for over three years, setting boundaries between work/life is very important. I make sure to stop working when work is over and stop checking work emails after hours. It doesn’t always happen but I am getting there.

What motivates you on a daily basis? Challenging myself to become a better person today than I was yesterday and coffee, coffee, coffee.

Bert’s Brief

If I had a pick a few words to describe Robin Canela, they would be “balanced” and “well-rounded”. It can be very difficult for many of us to find the right balance between work, professional/career development, and personal life. Robin just seems to have it all figured out, and that is excellent. He is extremely down to earth and willing to carry on a discussion with anyone. Robin also has a skill that I think is very important which is determining goals. He figures out some future direction, sets a plan, and sticks to it. While maintaining and building on his life, Robin takes the time to remain active in the “It’s All About the Journey” community. He is often sharing ideas, providing encouragement, and just being an all around nice guy. Keep an eye out, I’m seeing big things on the horizon for Robin Canela!

Ep 14 – Data

In this week’s episode we talk to Knox Hutchinson. That’s right, CBT Trainer, Knox joins us and tells us about how he got into IT and eventually IT Training at CBT. We had such a great conversation we had to break it up over two episodes! So, check out part one this week and come back next week for part two!

This episode was not sponsored by CBT Nuggets. Knox just happens to be big fan of the podcast and we’re are a big fan of him, so this just made sense!

To get more Knox check him out on:
YouTube: https://www.youtube.com/c/DataKnox
Twitter: @Data_Knox (https://twitter.com/Data_Knox)
LinkedIn: https://www.linkedin.com/in/knox-hutchinson/
CBT Nuggets: http://learn.gg/dataknox

Now through the end of the year you can save 15% off your next purchase from Boson Software (https://boson.com/) using code artofneteng *Some restrictions apply, subject to change at anytime

NEW – AONE Merchandise store! Checkout https://teespring.com/stores/artofneteng All profits go to funding the podcast – web hosting, etc. After those obligations are met we plan to put the money back into the community by purchasing books and exam vouchers to give away!

Follow us on Twitter https://twitter.com/artofneteng
Follow us on Instagram https://www.instagram.com/artofneteng/
Join the group on LinkedIn https://www.linkedin.com/company/artofneteng/
Check out our website https://artofnetworkengineering.com
Contact us artofnetworkengineering@gmail.com
Join the Discord Study group – It’s all About the Journey- https://discord.gg/hqZ7XEG

Why people go for Network+ before CCNA?

This article was written by Chris and first appeared on his blog christechjourney.wordpress.com

This week, I tweeted about my career goals and I got some interesting comments about people’s goals (tweet link). I can see that a lot of you are choosing to go for Network+ before CCNA, I asked why to some of you, and here I will try to summarize what I got:

First of all, N+ provides foundations/general network fundamentals for Neutral Vendors- that can be a very good point if your goal is to work with different vendors (list of every networking hardware vendor)- and the CCNA is specific to Cisco Material. CCNA provides principal Network fundamentals but with more depth into Cisco materials (specific Cisco commands, for example, you will not learn that in N+, but you will learn Subnetting, for example, in both certificates because that is universal).

By comparing the two blueprints, you can see that CCNA details many in-depth non-cisco topics: IPv6, Interface issues, etc. Check it out:

Network+ Topics
CCNA Topics

You can download the blueprints here for more information about the topics:BluePrint N+DownloadBluePrint CCNADownload

I got a comment from Carl (@cfzellers4 on Twitter) and I want to share with you his words:

He doesn’t suggest any order, but he said that the way he would lay out a Zero to Certified ~ Networking ~ plan would be like:

  1. CompTIA ITF+
  2. CompTIA N+
  3. JNCIA-Junos (*Optional*)
  4. Cisco CCT R/S
  5. Cisco CCNA

This is the pathway he would choose if he had to start over, but not a specific pathway.

A lot choose to go into N+ at first because it’s a general entry-level for Networking, and Cisco more a Specialization, but keep in mind that the new CCNA is an entry-level as well.

Besides N+ and CCNA, the new DEVNETAS and CyberOps are both entry-level as well. After my CCNA, I plan to get those two certificates in this order.

Keep in mind that Cisco is the leader on the market but it’s not the only vendor. They are many out there, but if you want to choose the CCNA, are motivated and passionate, go for it. You are on the right track.

Don’t forget, if you’re studying, for whatever IT certification, you can get support on our discord channel ~ It’s All About the Journey! ~, Reach me on Twitter, and of course, listen ~ The Art of Network Engineering Podcast ~.

Faces of the Journey – Luis F Garcia Jr

“Faces of the Journey” is a series that highlights individuals in the network engineering community. The journey is the path we take through our careers, and it can be very different for each of us. While the destination is important, it’s all about the journey!

Meet Luis!

Luis, a.k.a NetSecWheezy, has a very busy life all of the sudden. He is in the process of starting a new professional journey. Not only is he going from a SOC Analyst to a Network/Security Administrator, but he is moving from South Texas to Arizona to do so! Previous to the most recent roles, Luis got his start in IT with a helpdesk role. Before venturing into IT, Luis sold ice cream. One day while working at a baseball game, Luis ran into someone who worked in IT at a company where Luis once had an internship. After exchanging information, Luis ended up getting a call and got his start as a contractor with a helpdesk. Outside of Luis’ control, the beginning was not exactly smooth. Many times he was told that it could be his last week or even last day! Eventually he was brought on into a full-time role managing fifteen sites and two mobile units on his own. Luis has had a passion for IT since around the age of eight. He started watching YouTube videos to see how computers work, and then would play some harmless pranks on his family. Security was Luis’ main love, then in college, he was introduced to Cisco. He was fascinated by what he was learning, which led him to achieve the CCNA certification. Luis has been striving to get into a network/security role and is very excited to get started in his new position. Being able to support his family and live a good life in which he can travel is the ultimate goal.

Wheezy at the Grand Canyon

Follow Luis:

Blog

Twitter

Alright Luis, We’ve Got Some Questions

What advice do you have for aspiring IT professionals? The advice I have for aspiring IT professionals is to never give up. I know it is very easy to doubt yourself, but we must break down these walls if we want to follow our dreams. We can all succeed in this field, there are more than enough opportunities if you want them. I will be honest in that self-doubt slowed down me following my dreams. It does not have to slow you down. I believe in each one of you.

What is something you enjoy doing outside of work? Something I really enjoy outside of work is to travel. I have not been many places, but it feels surreal when I get to travel and see new places and experience new things. I always dreamed of traveling and thanks to the IT field I have been able to follow through on my dreams. I also love the Dallas cowboys and consider myself a super fan. Every game I’ll be watching no matter the outcome. I have been to their stadium a few times and it is mind blowing to me each time.

How did you figure out that information technology was the best career path for you? I just realized it was something I wanted to do. It just was amazing to me. I wasn’t always sure exactly what I wanted to do but I knew that it had to be something with computers. I was always trying to learn about them and learn what they did. I still remember using a computer we had that was Windows 95. I think my big moment came when I got into college that realized I could do this. I went through a cybersecurity and networking degree program at a local community college and if I remember correctly, we had about 60-70 students and only 8 graduated. I admit I struggled a lot that first semester but after that I really started hitting the books and managed to excel after that. I knew that I could do this from that moment on. Eventually it lead to me getting my CCNA and Security+ certifications.

What is your favorite part about working in IT? My favorite part of working in this field is that it seems that two days are never the same and there’s always so much to learn. This field is constantly growing everyday and it is amazing to be a part of it. When I was in helpdesk, I loved being able to solve people’s issues and just speaking to them. I went through so many experiences in my time working in this field. My favorite thing is just learning about all the new security trends and things that are happening in security and knowing that I’m a line in the defense against malicious actors makes me feel proud.

What motivates you on a daily basis? What motivates me is my wonderful girlfriend. She stood by me when I did not make enough money to buy food sometimes and she has been with me through so much. She has always pushed me to follow my dreams and aspirations and has always taught me to believe in myself even when times are hard. I owe a lot of my success to her and to my family for all the support. I am nowhere close to being done with my journey yet though. Another motivation is when someone tells me that I cannot do something, I tend to draw a lot of energy from those words to prove them wrong not for them but for myself. You should never listen when someone tries to put you down.

Bert’s Brief

Luis is an incredible person with a story that proves that the journey is rarely a straight and narrow path. He has been through so much throughout his life and doesn’t seem to waste time complaining, but rather focuses his energy on growing professionally. The production of this article came during a really exciting time for Luis. I started talking with him right before he interviewed for his new position so I got to hear about the entire process. It was really neat for me to essentially get to experience the suspense and eventual joy when he was awarded the job. With the effort and passion he has put into his career, it is awesome to see him get to take this next step. Luis, however, is not selfish with his passion for IT/networking. He is constantly contributing to the “It’s All About the Journey” Discord channel by providing thoughts, insight, and endless encouragement to others in the community. It has been a pleasure getting to know Wheezy. We all wish him luck with the next chapter in his life, and know that he will excel.

Ep 13 – Deirra Footman, CCIEby30

In this episode Aaron returns, and along with Dan and Andy they chat with Deirra Footman, CCIEby30! Deirra shares her journey on getting into IT and finding her way into Network Engineering. Along the way she shares some great advice, that we haven’t yet heard on the show yet! And, Dan learns a lesson he shouldn’t soon forget…

You can find Deirra on:
Twitter @CCIEby30 https://twitter.com/ccieby30
Instagram @CCIEby30 https://www.instagram.com/ccieby30/
Her Blog https://www.ccieby30.com/

Now through the end of the year you can save 15% off your next purchase from Boson Software (https://boson.com/) using code artofneteng *Some restrictions apply, subject to change at anytime

Follow us on Twitter https://twitter.com/artofneteng
Follow us on Instagram https://www.instagram.com/artofneteng/
Join the group on LinkedIn https://www.linkedin.com/company/artofneteng/
Check out our website https://artofnetworkengineering.com
Contact us artofnetworkengineering@gmail.com
Join the Discord Study group – It’s all About the Journey- https://discord.gg/hqZ7XEG

Real World Experience

This article first appeared on Girard Kavelines’s blog techhouse570.wordpress.com/

In our industry nothing is more valuable than that real world experience. The opportunity to work on real hardware, troubleshooting real problems and facing those challenges everyday. So now the questions left: How do you seize those opportunities? Where do you look first to begin?

For me getting into the industry my path, like everyone’s, was faced with hardships and obstacles, and though you’ll overcome them getting there seems like it takes forever. I’ve said most recently this past week while talking to a good friend – “It’s amazing how far we’ve come as a community its indescribable.”

When I got into this industry YouTubers weren’t a thing, communities were hard to come by, and knowledge that those did have was guarded like pentagon secrets! But today as technology has grown, the people, the professionals that have made this industry what it is and have given so much are now sharing that wealth of knowledge with the next generation and those to come after it.

My foot in the door for me was working in retail. Working in those different organizations gave me that sense of growth, and for that I’m forever grateful. It was a way for me to take those skills I already possessed to a whole new level, and as I’ve mentioned before where I both personally and professionally found my love of networking. That led me into my many other opportunities and now I share with you – How do you make your own path ?

Apply yourself. In todays world we have so many outlets to explore from social media, internships, both paid and unpaid, and more. They say also its about who you know and in some cases… it is. Word of mouth is a powerful thing, and the more you network the more opportunities it can present you. If you have or are given an opportunity to showcase your skills do it my friends, cause you never know if you’ll be given another. Showcase that passion, that drive, that desire to be the best in whatever you do cause it shows and those that are the hungriest. The ones who thrive on learning at every opportunity given to them, they prove it. Times are changing and the technology with it. If I can ever help any of you in anyway, please don’t hesitate to reach out to me! Whether you’re finding that first or that next opportunity or studying to get those certifications. Remember to study hard, and win harder. Whatever it is you look to achieve your drive will continue to take you.

Best Regards,

Girard

Faces of the Journey – Chris Dedman-Rollet

“Faces of the Journey” is a series that highlights individuals in the network engineering community. The journey is the path we take through our careers, and it can be very different for each of us. While the destination is important, it’s all about the journey!

Meet Chris!

Chris Dedman-Rollet is a country boy from France who recently immigrated to the United States of America and resides in Los Angeles, California. He is currently a full time student, covering a vast amount of content ranging from computer information systems, CCNA study, and English as a Second language, all while working toward obtaining a GED. Chris is also a self taught Python programmer. Just recently, Chris received a work permit and is now eligible in the job market! There has been no shortage of life experience for Chris. While in France, he worked as butcher for twelve years and spent a couple of months pulling cable for a fiber optic cable company. Chris had also spent four months in the French Army as a paratrooper, but had to be discharged due to injury. In search of the next chapter in his journey, in late 2019, Chris asked his wife (a software developer) to teach him programming. He was introduced to Python and immediately fell in love with the language. In February of 2020, Chris moved to the USA and got the opportunity to enroll in an academy program to prepare for the new CCNA exam. Through the education program Chris has been going through, he has been presented with four paths that include careers as a nurse, CNC technician, network engineer, or a career in child development. Being a lover of technology, Chris wanted to pursue the network engineering path and immediately began learning more about the CCNA certification and network engineering in general. Chris appreciates the power of connecting devices together, controlling the security of the network, and automating tasks.

Follow Chris:

Blog

Twitter

GitHub

LinkedIn

Alright Chris, We’ve Got Some Questions

What do you want to be when you “grow up”? I want to be a lot of things LOL. I want to be a network engineer with programming and cyber security skills. My goal is to be able to be where I am needed and assist a company that needs help in any department. For example, let’s say I’m a Network Engineer, and tomorrow my company needs someone to do a programming or cybersecurity job. I want to be the guy whom they can count on. And, more skills mean a secure job. Besides, I want to be able to help a maximum number of people through my blog and my Twitter, like learning help or motivation. If I can help even one person, it will already be a victory for me.

What is something you enjoy to do outside of work? To be honest, studying is a kind of hobby for me. I love to learn new stuff; I try to learn something new at least every day. Maybe because when I was younger I wasn’t a school guy. I dropped out pretty early, when I was fourteen years old. I’m a Sci-Fi TV show lover, I’m currently watching “The 100” on Netflix (best show ever). I love programming, I play a lot with Python and automate everything I can. Besides all of that, I love sport (even if since the pandemic I practice a lot less), and I have been a CrossFitter for four years now. On the weekends I love to go to the beach for a walk with my wife and my dog.

What is the next big thing that you are working toward? After the CCNA, I’m going to work on the DevNet Associate certification, I’ve already pre-ordered the book on Cisco Press. Then, it’s onto the CyberOps Associate certification. Networking, programming/automation, and cyber security are three positions that I will be working toward. I’m actively working on my English, I would like to share more, for example in video interviews, and share with the community.

When learning something new, what methods work best for you? The best thing that works for me, is practice. I’m a true believer in “learning by doing”. I’m learning with books, and I practice everything that I read. I love to ask questions as well. No one should be afraid to ask for help when they are stuck on something. I recently bought the Unifi Dream Machine and put it to the test (my wife goes crazy when I mess up the network LOL). I asked for some help on the Discord channel “It’s All About the Journey”. Shout out to Carl, he’s the real MVP.

What motivates you on a daily basis? My past life as a butcher, I don’t want to go back to where I came from. It’s difficult and you don’t have really the opportunity to grow as an employee. If you get a position, you keep the same position for the rest of your career.
Now, I’m freshly married and have two pets (a young puppy and a cat☺). I want to take care of my family by growing as a husband and becoming someone better every day. The Twitter and Discord community motivates me a lot as well. It’s always good to see when other folks succeed at what they are working on. The happiness of others makes me feel good.

Bert’s Brief

Chris’ life is the epitome of “the journey”, not just figuratively, but also literally. He has traveled from France to the USA and is now working on becoming a network engineer. Chris is always looking for that next opportunity to make himself better, and seeing him learn and grow through the “It’s All About the Journey” Discord channel is truly inspiring. He always brings his positive attitude to discussions and is constantly encouraging others. Chris is definitely someone you will want to connect with and I can’t wait to see him begin his professional IT journey.

Ep 12 – The Packet Pilot!

Matt is a Cisco Champion and he currently works as a Deployment Engineer working for a large Cisco Partner where he focuses on Enterprise Networking and SD-WAN. Matt is also a huge hockey fan and really enjoys playing the drums.

ATA = Analog Telephone Adapter, see also: https://www.cisco.com/c/en/us/products/collateral/unified-communications/ata-190-series-analog-telephone-adapters/datasheet-c78-739907.html#:~:text=The%20Cisco%20ATA%20191%20Analog,devices%20into%20the%20IP%20world.&text=Customers%20can%20take%20advantage%20of,to%20Cisco%20analog%20telephone%20adapters.

Matt’s article on structured cabling: https://www.packetpilot.com/back-to-basics-patching-a-switch/#more-806

You can find Matt on Twitter https://twitter.com/mattouellette, and if you’re going to follow him you need to follow his dog to https://twitter.com/WoofAurora. Also, be sure to checkout Matt’s blog https://www.packetpilot.com.

Follow us on Twitter https://twitter.com/artofneteng
Check out our website https://artofnetworkengineering.com
Contact us artofnetworkengineering@gmail.com
Join the Discord Study group – It’s all About the Journey- https://discord.gg/hqZ7XEG

Adopting the Mindset of the IT Ninja

This article first appeared on A.J.’s blog, blog.noblinkyblinky.com

Adopting the Mindset of the IT Ninja

Lately I see a lot of people, IT Professionals and others, seeking (not always giving) gratitude online for their hard work. Now, first off, it’s certainly earned during these trying times. With everyone working, learning, and, well, living at home – all the time – we are putting the internet, remote access related resources, and various SaaS to a serious test and with few exceptions they really haven’t skipped a beat. IT Professionals are doing amazing things right now to help keep life going throughout this pandemic. But if I’ve learned anything from working in IT for the last 15 plus years it’s that silence is the highest form of gratitude.

I didn’t always feel this way. I, too, often sought feedback and gratitude as a greenhorn Help Desk’er. Gratitude meant happy customers and if people weren’t happy with my work I took it as a learning experience. However, that all changed one day thanks to a promotion from SolarWinds.

I got this promotional email one day. If I signed up for a free trial of some product, participated in a webinar, I’d get an IT Ninja sticker. Nearly identical to the Ninja pictured here:

This image has an empty alt attribute; its file name is switninja.jpg

Now, what I thought I was getting was a sticker small enough to slap on the lid of my laptop, so I filled out the form and downloaded the promotional stuff. Six to eight weeks later I had nearly forgotten about the sticker when a long tube arrived in my mailbox. Puzzled, because I didn’t order anything that I was expecting to show up in a tube, I opened it and BAM! It’s a giant wall sized sticker of this IT Ninja! It was about two feet or so wide and three feet from head to toe. It was amazing!

For years this IT Ninja lived in the tube as I tried to find the perfect home for it. So, one day I just decided to bring it to work and I hung it up in the office. At the time as I was an IT Manager for a global manufacturing company. Members of my team were starting to get frustrated. They’d spend literally hours and days working away on projects for people or departments and then receive next to nothing in return for their hard work, often not even a simple “thank you.”

If you can’t change your situation, change your attitude.

One day, as this IT Ninja and I were having our regularly schedule staring contest I realized – we are Ninjas! Ninjas do their jobs undetected! They get in, do their job, and then they get out! They lurk in the shadows and only other Ninjas would truly understand and appreciate the effort that they put in, and the training, discipline, and dedication it takes to be a Ninja.

This image has an empty alt attribute; its file name is screen-shot-2020-05-17-at-9.04.53-pm.png

I shared my thoughts with my team one day during our weekly team meeting and we all agreed and adopted the mantra of the IT Ninja. We understood that fewer help desk calls and complaints meant that people were, generally speaking, happy and able to work with few to no interruptions. We worked hard, we stayed late to do maintenance windows, and we did it mostly without thanks or praises from anyone other than each other. This paid off! We helped each other, we thanked each other, we kept tickets to a minimum and basked in the glow that was the silence from those around us. Our spirits rose and we felt better and more appreciated for the work we were doing.

People that don’t work in IT often can’t even begin to understand what we do. But, that can also be said about jobs outside of IT that we, as IT Professionals, just don’t understand. We often don’t appreciate as much what we don’t understand. We take for granted the stuff that just works and don’t care to peak behind the curtain until it stops working.

So, before you go seeking thanks and praise, pandemic or not, think of the IT Ninja. If you don’t have anyone knocking down your door, blowing up your inbox or phone then you’re doing your job! Bask in the quiet and enjoy being undetected. Show gratitude to your fellow IT Ninjas because only you know what it took to get here.

This image has an empty alt attribute; its file name is ninja-bow-prints.jpg

In, closing, I do want to take a minute to thank everyone for their hard work. I know a lot of people that have been working very hard to transition entire workforces to work from home. Building the laptops, deploying the upgraded firewalls to support additional VPN connections. Rushing through SaaS migrations. Stretching already thin budgets to make it work. You’ve taken entire school districts and moved their curriculum online. Taught your co-workers how to use Zoom, Webex or [insert online meeting tool here]. The late nights. The early mornings. All while home schooling your kids. And the list of extraordinary work goes on. Keep up the amazing work and stay safe my fellow Ninjas!

Ep 11 – Gifted Lane!

You can find Shala everywhere using her handle @GiftedLane.

Twitter: https://twitter.com/giftedlane
Instagram: https://www.instagram.com/giftedlane/
Twitch: https://www.twitch.tv/giftedlane
YouTube: https://www.youtube.com/channel/UCCNvBz8s77j2AMI_p_m9B0g
Website: https://giftedlane.com/

Follow us on Twitter https://twitter.com/artofneteng
Check out our website https://artofnetworkengineering.com
Contact us artofnetworkengineering@gmail.com
Join the Discord Study group – https://discord.gg/hqZ7XEG

Conversation Starter: What do certs mean to you?

This article first appeared on Tim Bert’s blog neticaded.com

Over the years, I have had an “on again, off again” relationship with IT certifications. I tend to take what I think is a long time to prepare, and I’m not a fan of failing when I have dedicated so much time to preparation. I won’t say that my reasoning for pursuing certifications has changed over the years, but rather evolved. My reasoning started with trying to advance my career and get that next job. While that reasoning continues, I have also added the concept of certifications as an “insurance policy”. The primary goal of my career is to be able to provide for my family. If that worse case scenario were to happen and I need a new job tomorrow, I want as much as I can put on my resume to help it float to the top of the stack with hiring companies, and I believe that certifications are a part of that. I still believe that knowledge and experience are key, which you can have without certifications, but I want that “insurance”.

I would say that career insurance and progression are my main reasons for pursuing certifications as this point in my career. That being said, there were multiple times over that last ten or so years that I wasn’t sure if that was enough. Was learning the certification curriculum for the given cert the best way to learn applicable skills to my current job or the next one that I wanted? This is where I think it’s important to do at least a bit of high level planning. I think you need to know what you want out of a certification and the training that comes with it to decide if knowing that curriculum is “enough” for you to be satisfied. For now and the immediate future, I’ve decided to be focused on Cisco Enterprise technologies. Between CCNA and now CCNP studies, I have been happy with what is in the curriculum. I am learning things in the curriculum that I didn’t know in depth before, but are applicable to my current role. That is very rewarding for me and is part of what makes this whole process worth it.

I would love to hear what your reasoning is to, or to not, pursue IT certifications. I think there is a lot of good conversation around this topic.

Faces of the Journey – Girard Kavelines

“Faces of the Journey” is a series that highlights individuals in the network engineering community. The journey is the path we take through our careers and it can be very different for each of us. While the destination is important, it’s all about the journey!

Meet Girard!

Girard Kavelines is an IT Specialist in the healthcare industry in Dunmore, Pennsylvania, USA. He has been an IT Professional for fourteen years, in roles ranging from PC Technician, IT/Sales Professional, and Network Technician, to IT Specialist. He has also owned and operated a successful IT support and consulting company! In his current role, he is a “jack of all trades” in an IT department of twelve people. Girard prides himself on being personable. In fact, he is such a people person, that he runs the new employee orientation within his organization. He sets up accounts, prepares the necessary IT equipment and provides knowledge to the new hires so they can get started in their own roles. Girard earned an Associate’s Degree in Network Administration from McCann School of Business and Technology and a Bachelor’s Degree in Network Security from Central Penn College. He has a passion for network engineering and is currently working toward a Cisco Certified Network Associate (CCNA) certification to be followed up by a Cisco Certified Network Professional (CCNP) certification. Girard shares his life and journey with his wife and FOUR children!

Follow Girard:

Twitter: @GKavelines

Blog: TechHouse570

Alright Girard, We’ve Got Some Questions

What advice do you have for aspiring IT Professionals? Never stop learning! Change is constant in this industry. There are so many different paths to follow and today we have so many different outlets to learn than when I was first starting. Your path and your journey are all decided by you. Stay positive! Always ask questions and most importantly keep an open mind! There are many great professionals and resources out there and you’ll always have a new challenge awaiting you.

What is something you enjoy to do outside of work? I love spending time with my family. I have 4 beautiful children of all different ages, so for me, I take it in every day. From playing Minecraft, having tea parties, and chasing my one year old around, to just watching movies and holding my 3 month old. Time with them and my wife is priceless.

What is the next big thing that you are working toward? Right now, my two biggest goals are my CCNA and becoming Cisco Champion this year. They both mean a great deal to me and I know I can achieve both! Once that’s done I’ll begin focusing on my CCNP!

How do you manage your work/life balance? I believe you have to give 200% to everything you do, and with my professional & personal commitments, it’s no different. It’s managing your time as effectively as possible! With four kids, time for things can be limited. Planning is key! But, I set aside all my time for labbing, studying, etc then commit the rest of it to my family. My current regimen now is weekends anywhere from 1-3 hours of study time. Then another two or so labbing. The rest of my weekend is time with the family.

When learning something new, what methods work best for you? For me, no doubt, hands on learning is the most effective way! Especially when learning about different topologies, etc. I feel you can retain information many ways, set a good study regimen, watch videos, etc. But in my opinion the best way to fully grasp a concept is to apply it physically in a lab! Now, everyone has their own opinions and different methods that work for them and may help them learn differently, which is awesome too! I’ve always loved being able to take those concepts, power on my switches, and apply it hands on to fully grasp what I’m learning.

Bert’s Brief

I obviously cannot just offer this up, but if you are ever having a rough time, just reach out to Girard for a chat! He is an incredible wealth of positivity and drive. I mean, how cool is it to be able to list “CEO” of a company on your LinkedIn profile? One of my biggest takeaways from my multiple chats with Girard is that he never sees challenges as burdens, but rather as opportunities. Girard is also always working on perfecting his craft and climbing that next step. He is currently blogging and technical writing at his site listed above in the “Follow” section. I cannot wait to hear what Girard does next. We’ll have to share a follow up when he passes the CCNA exam and becomes a Cisco Champion!

Ep – 10 – Single pa… I won’t say it

Brittany Mussett, Technical Recruiter – https://www.linkedin.com/in/brittany-mussett-6836a2146/

Knox Hutchinson, aka Data Knox
Twitter: https://twitter.com/Data_Knox
YouTube: https://www.youtube.com/c/DataKnox

Follow us on Twitter https://twitter.com/artofneteng
Check out our website https://artofnetworkengineering.com
Contact us artofnetworkengineering@gmail.com
Join the Discord Study group – https://discord.gg/hqZ7XEG

Simple Cisco Text File Changes

This article first appeared on David’s blog, zerosandwon.blog.

As we are busy diving into the world of programming and automation, I’d like to remind everyone of a way to make simple config changes to a Cisco switch or router using a text file. This might not be a breakthrough, but it helps when making changes to switches or routers when those changes can possibly disconnect you from the device. Imagine working on a re-IP of a switch or even a point to point link. You have your notepad ready to go. There is a new IP and default route and all you have to do is copy/paste. You paste in the IP and lose connection. Your default route change never actually pasted because you lost connection right after the IP change. You can no longer connect to the device; panic ensues. What might be a better way to make this change and avoid the “Uh oh!” moment?

In this scenario, we need to re-IP an administrative network, specifically a switch from the 192.168.50.64/26 network to 192.168.35.0/24 network. For the example, our switch has an IP on VLAN1 of 192.168.50.112. The default-gateway command is pointing to 192.168.50.65.

I would like to re-IP the switch to 192.168.35.5/24 with the gateway of 192.168.35.100 on another network that exists on the switch, VLAN 21. If I was onsite, I might just console in and make the changes. Sometimes this is not possible. You might be remote or the switch might not be in a convenient or accessible area to let you setup a console connection. I’ll create a notepad with the following config:

Let’s save that notepad file as NewConfig.txt. Now we need to send the file over to the switch. You can use FTP or whatever method you normally transfer files to devices with. My goal is to send the file over to this switch’s Flash.

Once the file is there we are ready to go. Perhaps we need to wait for a specific change window for the re-IP. Either way, you will have the text file ready to make the changes for you. Once the change window is active, login to the switch and run the following command: copy <file path>\NewConfig.txt running-config. For this switch specifically, it is copy flash:\NewConfig.txt running-config. This will copy the config changes into your device’s running configuration. As I was connected to the old IP, I will lose connection and have to reconnect to the new IP address. You can see the change in pings below.

That is it! Using the notepad file I was able to re-IP the switch on a different interface VLAN and change the default-gateway.

There is plenty more you can do with a notepad. Years back, I’ve had some scenarios were multiple devices needed to be re-IP’d in a certain window and this helped complete the project in a couple of clicks. You can save some time and pre-stage some changes for an upcoming change window and run the notepad files. I am sure software can take care of most scenarios, but for now this has been your old-school tip.

MPLS for Dummies

This article first appeared on Aaron’s Blog – aaronengineered.com

MPLS can be a bit confusing because a technology… and well, it’s kind of a product too.

Hear me out.

In this post we will try to nail down exactly what it is even though that can be quite complex given that it can be a number of different things. The goal here is to make this less confusing and easy to comprehend.

That being said, there are two different ways to look at MPLS. One if you are a consumer, and one if you are a network engineer. We will look at both here.

MPLS stands for Multi Protocol Label Switching

MPLS is a very common WAN technology that is sold by ISP’s (internet service providers).

If you are a business/consumer trying to create a WAN between your branches, the main goals of MPLS are to provide guaranteed traffic delivery, up time, and in most cases QoS metrics. All of this is achieved using the service providers network as your own private network.

As you can see, what you get here are a lot of guarantees and the use of a gigantic network as your own. That should be enough right there to get you excited. This is the core foundation of MPLS as a product. Being able to reliably deliver a service that is seemingly transparent to the end user.

The ISP is using a cool little technique called an ‘LSP’ – Label Switched Path to get your traffic from one site to another. When traffic enters the MPLS cloud, its first stop is an LSR – Label Switched Router (so appropriately named) where it is identified as a certain customer. Next, a label is applied to the customer traffic. That label is what will get you from one of your sites to the other.

Pretty straight forward stuff.

Here is a visual representation of the Label Switched Path, marked by the dotted purple line. The ISP network as represented by the cloud is full of Label Switched Routers which forward the customer traffic from London to New York.

Let us now look at the exact same visual but instead this is what the customer perceives. Identified below by the red dotted line, is a conceptual view of what the private MPLS network looks like to each customer. It appears that the London and New York offices are directly connected! The MPLS behind the scenes magic is pretty much invisible to the end user!

Rad!

It shouldn’t matter to you as a customer what’s happening behind the scenes, necessarily. You just want to make sure that your traffic arrives guaranteed and private.

To sum it up, the ISP has created a label switched path between two of my branch offices making it a direct route. This was accomplished by wrapping my traffic in a label.

And really, unless you are the ISP, why do you care how the traffic gets from London to New York just as long as it gets there?

Let’s stop there for a second. Are there other ways to make two geographically distant sites appear as one? Absolutely! You can learn more about those types here. Now lets take a peek under the hood.

A bit more for the current and aspiring networking engineers

Of course this wouldn’t be complete without a few juicy details of how this works and why it’s so popular.

The first is the use of labels and why it’s more efficient than normal routing… well… used to be. In traditional routing there is a lookup done at each router to determine where that traffic has to be sent. That lookup takes some processing power from our routers CPU and that in turn takes a little time (think milliseconds). If this lookup happens at every router, we start adding up milliseconds pretty quickly and taxing our routers CPU. Now if you have 100,000 customers all trying to do the same thing you can see how this could get sticky, very quickly.

Since the label is already mapped to a predetermined path, the lookup time is much faster and as a result the forwarding of the packet or frame is much quicker. It’s almost like having one of those passes that gets you to the beginning of the line at Disney Land even when there’s a hundred people standing in front of you.

There are some technologies that exist that can make the speed advantage a non-issue these days. So while speed was a clear selling point in the past, it’s no longer something that can only be achieved by MPLS. However, other MPLS benefits like guaranteed up time and traffic segregation still exist making it a great technology still.

MPLS allows encapsulation of many different protocols since it’s protocol independent. Think, ‘multi’ in multi protocol label switching. This is why some consider it a layer 2.5 protocol. Referring to the OSI model, we know that routers look at layer 3 and switches look at layer 2 to make forwarding decisions. Since label switched routers look at a label injected between layers 2 and 3 instead and can encapsulate both Ethernet frames (layer 2) and IP (layer 3) we then arrive at layer 2.5. Seems logical.

Being able to encapsulate layer 3 and layer 2 gives the ISP the ability to provide different products using the MPLS technology. An example would be the encapsulation of layer 2. With that, they could provide one big ethernet domain for your sites. If the MPLS label was added to my ethernet frame, I could maintain the same broadcast domain between all of my sites if I wanted. The ISP network would still be transparent to me and all of my devices across all of the sites would be on the same subnet. It’s sort of like having one long private cable stretched between all of my sites no matter where they are or how far away from each other they are. That of course, is just one example of MPLS being a product and there are many although beyond the scope of this article.

Final thoughts

I hear a lot of talk about MPLS not being a viable solution in today’s networks. That simply is just not the case for every network. While new technologies come out all the time all promising to make things easier or to be better, they are really just new tools to use. There isn’t and never has been a “one-size-fits-all” solution. Having guaranteed service metrics is a must-have for a lot networks today and that will continue to let MPLS be a viable solution for years to come.

Perhaps this will give you a new outlook on MPLS and how it could be beneficial in meeting your WAN needs.

Thanks for readaing!

Ep 9 – Time 2 Rize and Grind

Follow Eugene on Twitter he is @_rize2grind https://twitter.com/_Rize2Grind. You can also find him on LinkedIn as well, here: https://www.linkedin.com/in/eugenebyersjr/

Follow us on Twitter https://twitter.com/artofneteng
Check out our website https://artofnetworkengineering.com
Contact us artofnetworkengineering@gmail.com
Join the Discord Study group – https://discord.gg/hqZ7XEG

Success in Interviews

This article first appeared on Danny’s blog, semperfinein.com

Know Yourself

I know that I would not be very well suited in server position. My career path does not align me for that. Even if I picked up skills that could be used for servers, I do not enjoy nor is my background in it. If I somehow went to apply for a position in server administration, I would not see myself being a senior systems engineer or architect. I have references and colleagues who are very well suited for this. Why do I say this? Because I have had so many people interview for senior and top-level engineering positions, who fail at the interview because their background is either not strong enough for the position they are interviewing or they outright don’t have the background. Instead of joining my organization in places that best suit their skills, they attempt senior-level positions. Almost every organization I have seen has feedback to HR in the same manner: Recommend or Do Not Recommend. There is never a feedback to say “this person would be better over here”. And ultimately, as rude as it may seem, I don’t have the time to work with candidates to direct them to the type of jobs they are best suited for. Pay and skills do not necessarily go hand-in-hand (and that statement works both ways!). Finally, think about what would happen if you got the position. Your time at an organization will be significantly shortened if they realized you cannot perform the duties of that position.

Résumé

Your resume is similar to if you were to make a profile for an online dating site. It is intended to make prospective organizations interested in calling you. If there is a position posted that you want, there are other people interviewing for that position. If you are applying to a position that isn’t posted, then it really needs to spark interest in potential employers. Adding experience in common projects allows the employer to see where your background is, because are going to want to make sure that you both “match” on expectations. Furthermore, listing emerging technologies would be an attention grabber, because it lets employers know that you are staying on top technology. However, Rule 1: DO NOT LIE . We will get to this later on, but make sure you bare it in mind when editing your résumé. In fact, you should be editing your résumé at least a few times a year to make sure you capture projects and achievement while they are still freshly earned.

Secondly, make sure your résumé is condense: 1 to 2 pages maximum. List highlights from previous employments that are going to stand out to employers, speaking in real numbers. When speaking in abstract, it gives the impression that you are inflating your résumé and not speaking from truth points. Also, do not underestimate prior employments, as every job in your career path has given you skills that you feel are necessary for the position you are applying for.

For a very broad list of Do’s and Don’ts:

  • DO list positions in your current career (if they are IT-related or could be IT-related)
  • DO list all current certifications and the dates you recieved them
  • DO list emerging technologies you have worked on
  • DO list quantifiable statistics of your past performance
  • DO have your résumé memorized – this will be huge in the interview. Know what you said
  • DO NOT LIE !!!
  • DO NOT post TCP/IP as protocol you know – I believe you if you have a CCNA. But if you list it, I will quiz you on it
  • DO NOT list anything that you cannot speak to. If it is listed, it is a conversation point
  • DO NOT give yourself a title or responsibilities you did not have. You will be expected to speak to them
  • DO NOT list expired certifications. If you did not feel the need to keep them current, then they are just as meaningless to the interviewer

The Interview

Congratulations! You have a match! What does this mean? The HR department of an organization had flagged your résumé as a match for what they are looking for to fill a position. This goes back to knowing yourself. You should be anxious, but after re-reading the job description and duties, you know you can perform at least 90% of them without issues. From here, there may be one or several interviews, based on what the orgnization is looking for. Keep in mind the employer is feeling you out, but you shoudl also be feeling the employer out – there is a reason this position is available, and it is completely acceptable to ask why. Almost all interviewers will reserve the last 25% or more of the interview for questions from you, so let them talk first. Be confident in what you answer or say. Words like “uh” or “um” may detract from your message, so practicing some go-to lines prior to the interview is definitely worth some time. When inquiring about salary, make sure to ask if that is a question for your interviewer prior to asking the question. Telling an interviewer what you want in compensation may be counterproductive if he or she is not the right person.

The sunsequent interview (or part of the same) will involve some technical examination. Depending on the interviewer, they will ask a combination of technical aspects related to the position AND points résumé. Let’s cover that second point first. Remember what I said about your résumé? If you said you were a Data Center networking expert, then be prepared for high level questions about data center right off the bat. If this is an online interview, chances I have Wikipedia and Google pulled up, so if I get a response from the interviewee that is directly from a website, I am less inclined to believe they have experince. The level of questions will be related to the experience and the position. If someone claims to have deployed VXLAN in the data center, I will ask what platform, what use-case, what challenges, and how to do it. If any of those aspects fall short, I will doubt the level of experience in it. Secondly, (and more related to working for a VAR), I am going to take the technical interview one step past your comfort level. This has nothing to do with wanting to sound smarter, but more to see what your natural reaction is being outside of your comfort zone. Even the best plans may need to be changed on the fly, because customers may change the environment while you are working on them. This has nothing to do with the technical portion and everything to do with your soft skills when dealing with people (especially difficult ones). The issue, however, is that you will never know whether it was to test your knowledge or soft skills during the interview.

As a side tip for more junior engineers, do not be afraid to respond (later, after the interview), asking how you did, if the interviewer had any feedback or areas of improvement, or anything you wished you had said (not things you want to say again). This feedback may be invaluable at other interviews, and let’s you grow in the process. After all, it is still another human doing the interview, and they may want to help you even if it wasn’t a good match. Finally, if you don’t get the position, it only means that it wasn’t a perfect match. Don’t be discouraged, because the right one is out there.

A quick list of Do’s and Don’ts for the Interview:

  • DO talk yourself up – this may be one of the few times to throw (most) modesty out the window and talk about how great your are
  • DO NOT be cocky or pompous during the interview – this is a quick way to to clash with the interviewer
  • DO feel relaxed and candid – the interview should be a time for both sides to better get to know each other
  • DO NOT ask about salary with the wrong group – this can create an issue resulting in a lower offer than expected
  • DO be on time, and as “in-person” as possible – if you are meeting on a web-meeting platform, join video.
  • DO NOT LIE!!!
  • DO talk about what your work on a team was, and make sure to credit other members of your team if they did the work
  • DO NOT pretend you did something if you didn’t – speak to how you enabled someone else to do the work
  • DO have fun – this sounds silly, but if you take it too seriously, your anxiety will get the better of you
  • DO NOT talk poorly about prior organizations or management – it only shows your inability to work in difficult situations

Golden Interview Question

If you have read this far, it is only fair to give away my favorite interview question: What IT project have you worked on that was your absolute favorite? If we were sitting at the bar at an IT event, what would be your ultimate story, and then talk it through from beginning to end. This one question has the most profound impact on the interview, because it shows what your level of passion is for the industry. Dredging up a mundane story, when given an open platform, shows little passion, and I will be less willing to be passionate about bringing someone on board. Even if it is a lab situation, it shows what made you proud. On the opposite side of the coin, I will also ask follow up questions about the project, so make sure that it wasn’t a lie.

Conclusion

Tying it all together, start with a strong résumé, putting your best stuff forward. Keep the résumé concise, so that I want to talk to you and ask more during the interview, and just be yourself. If everything goes well, you will be working at that organization for a long time, so make you like the people and the position, and I know they will do the same!

We Don’t Need No Stinkin’ Flags! ACI External EPG Subnet Flags…Just for Fun!

This post was originally written by Micheline Murphy, Cisco Learning Network VIP and Cisco Champion and first appeared on the Cisco Learning Network Blog

In ACI, the L3Out is a veritable Howl’s Moving Castle[i] of configuration whose ultimate goal is to deliver external connectivity to the endpoints in the ACI fabric. All told, I think there are something in excess of twenty steps to go from zero to full connectivity between an outside subnet and internal EPG members. That includes configuring all of the pre-requisites needed to support a L3Out, all of the steps that enable internal EPGs to be able to share their own subnets, and all the contract config between EPGs. Representing the whole thing is the external EPG, which might possibly be the single most complicated object in the whole curious and delicate complex.

In this latest installment of …Just for Fun, I take a deep dive into the external EPG and explore each of its eight flags.

Topology

As always, I like to start with a tour of the local topology. Here you go.

In this topology, Leaf 101 and Leaf 102 belong to the ACI fabric. I just teased the two border leaf switches out of the cloud so we could see the important bits. As you can see, this physical topology will require the building of two L3Outs. Unsurprisingly, I called one L3Out_via_ASR-a and the other L3Out_via_ASR-b. Both L3Outs are associated with the same tenant, Bluefish.

There are four subnets involved—two /31 subnets for transit between the border leaf and its peer ASR router, and two /24 subnets that accessible via either ASR. For ACI, I’m using Release 3.2(4e) and the ASRs are Cisco 1002 IOS-XE Release 15.5(3)S4a.

I’m not going to go through the nitty-gritty of building the L3Out, but if you are interested in building an L3Out, I covered the topic in “Walking on the Wild Side: ACI External Layer 3 Networks…Just for Fun”.[ii] Here, our starting point is that both L3Outs work and are passing routes.[iii] L3Out_via_ASR-a uses OSPF and L3Out_via_ASR-b uses eBGP over OSPF.

The Flag that is No Flag: Import Route Control Enforcement

First, let’s talk about the flag that isn’t. And that is Import Route Control Enforcement. Import Route Control Enforcement is an innocuous looking little check box that’s easy to skip over when you’re configuring the L3 Outside. If you look about halfway down, just before the VRF, you’ll find the little critter.

It’s checked here, but by default it is not. The default behavior (that is, IMPORT = False, or unchecked) is for ACI to import all routes advertised to it from any peers on this L3Out. When the box is checked (IMPORT = True), ACI will only import specifically tagged routes.

Messing with Import Route Control Enforcement is not recommended, but if for some reason you need to lock down what routes come into your ACI fabric, you will need to be able to configure the corresponding flag that lets routes come into your fabric. That flag is called Import Route Control Subnet, and it is the first flag we will cover. You configure the Import Route Control Subnet flag on the External Network Instance Profile, external EPG, for short. If you look at the screenshot below, you can see where you need to navigate.

From here, you scroll down the Work Pane until you see Subnets. Double-clicking a subnet will bring you to a pop-up window where all of our external EPG subnet flags reside. Like this:

To configure the Import flag, check the box. Hit the submit button. Easy-peasy. But more important than just being able to configure this flag, we need to know what it does. With IMPORT = True, you must have this flag to identify any subnet you want ACI to learn from external neighbor. Let’s take a look at the border leaf routing table with IMPORT = True and with no flag.

apic1# fab 101 show ip route 172.50.1.0 vrf Bluefish:VRF1
----------------------------------------------------------------
Node 101 (aci1-leaf-101)
----------------------------------------------------------------
IP Route Table for VRF "Bluefish:VRF1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
Route not found
... And now after the flag is checked.
apic1# fab 101 show ip route 172.50.1.0 vrf Bluefish:VRF1
----------------------------------------------------------------
Node 101 (aci1-leaf-101)
----------------------------------------------------------------
IP Route Table for VRF "Bluefish:VRF1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
1. 172.50.1.0/24, ubest/mbest: 1/0
*via 172.30.0.2, eth1/48, [110/41], 00:00:08, ospf-default, intra

We DO Need Some Stinking Flags: The Default Flag

If you go to add a new subnet to the external EPG, there’s always one flag that starts off as checked, the default flag, external subnets for the External EPG. This flag associates subnets with the external EPG. Without it, routes might pass, but traffic won’t be allowed because no contract will recognize the subnet as belonging to an EPG.

Let’s take a deeper look by examining 172.50.1.0, the subnet from ASR-a. I’ve gone and taken off all of its flags. First, we can see that the ACI fabric clearly receives the route from ASR-a. We can confirm that by both GUI and CLI. In the GUI, we can navigate to the OSPF Routes folder under the Configured Node of L3Out_via_ASR-a.

If you want to checkout the rest of this article head on over to Micheline’s article on the Cisco Learning Network blog here: https://learningnetwork.cisco.com/s/blogs/a0D3i000002SKPVEA4/we-dont-need-no-stinkin-flags-aci-external-epg-subnet-flagsjust-for-fun

Ep 08 – (Dis)Order in the Data Center!

Micheline is a Consulting Engineer at CDW building ACI Data Centers. Micheline is also a Cisco Learning Network VIP and a Cisco Champion.

Make sure you’re following Micheline on Twitter for her very motivational quotes of the day!

You can follow her here: https://twitter.com/MichyfishMurphy

Follow us on Twitter https://twitter.com/artofneteng
Check out our website https://artofnetworkengineering.com
Contact us artofnetworkengineering@gmail.com
Join the Discord Study group – https://discord.gg/hqZ7XEG

Upgrading IOS-XE on Catalyst 9000 series Switch Stack

This article was originally written by A.J. Murray and first appeared on his blog noblinkyblinky.com

I recently had to put together a Catalyst 9300 stack of switches and upgrade the switch stack, so I thought I’d document the process and share it. The process is very similar to stacking other switches, if you’re familiar with stacking Cisco switches. I believe there are some newer commands in IOS-XE that help facilitate and make the process a little easier than in previous versions of IOS.

Copy the new IOS file over

As with any other IOS upgrade you have to get the files onto the switch stack. By default when you’re working with a switch stack you’re working on the stack master. Copy the file to the switch stack using copy tftp bootflash: <filename>. In this case I installing IOS-XE Fuji 16.9.3. You’ll be prompted to enter in the IP Address of your TFTP server – which could simply be your laptop running tftpd.

copy tftp flash:cat9k_iosxe.16.09.03.SPA.bin

Sync the file to all the Switches in the Stack

Now traditionally you’d have to copy the bin files over to all of the switches in the stack. However, in this case we use a command to help us with that – install add file <filename>

C9300-STACK#install add file flash:cat9k_iosxe.16.09.03.SPA.bin
! The following is output from the command
install_add: START Tue Jul 23 14:19:09 EDT 2019
*Jul 23 18:19:10.806: %IOSXE-5-PLATFORM: Switch 1 R0/0: Jul 23 14:19:10 install_engine.sh: %INSTALL-5-INSTALL_START_INFO: Started install add flash:cat9k_iosxe.16.09.03.SPA.bin
install_add: Adding PACKAGE
--- Starting initial file syncing ---
[1]: Copying flash:cat9k_iosxe.16.09.03.SPA.bin from switch 1 to switch 2
[2]: Finished copying to switch 2
Info: Finished copying flash:cat9k_iosxe.16.09.03.SPA.bin to the selected switch(es)
Finished initial file syncing
--- Starting Add ---
Performing Add on all members
[1] Add package(s) on switch 1
[1] Finished Add on switch 1
[2] Add package(s) on switch 2
[2] Finished Add on switch 2
Checking status of Add on [1 2]
Add: Passed on [1 2]
Finished Add
SUCCESS: install_add  Tue Jul 23 14:21:21 EDT 2019

Install add takes the file and copies it to bootflash on all of the switches in the switch stack. In this case there was only one additional switch, switch 2.

Activate the Software

Next we’ll use install activate to unpack the bin files and add them to the boot config. Once this operation completes you’ll get prompted to reboot the switch stack.

C9300-STACK#install activate
install_activate: START Tue Jul 23 14:25:01 EDT 2019
install_activate: Activating PACKAGE

*Jul 23 18:25:03.046: %IOSXE-5-PLATFORM: Switch 1 R0/0: Jul 23 14:25:03 install_engine.sh: %INSTALL-5-INSTALL_START_INFO: Started install activateFollowing packages shall be activated:
/flash/cat9k-wlc.16.09.03.SPA.pkg
/flash/cat9k-webui.16.09.03.SPA.pkg
/flash/cat9k-srdriver.16.09.03.SPA.pkg
/flash/cat9k-sipspa.16.09.03.SPA.pkg
/flash/cat9k-sipbase.16.09.03.SPA.pkg
/flash/cat9k-rpboot.16.09.03.SPA.pkg
/flash/cat9k-rpbase.16.09.03.SPA.pkg
/flash/cat9k-guestshell.16.09.03.SPA.pkg
/flash/cat9k-espbase.16.09.03.SPA.pkg
/flash/cat9k-cc_srdriver.16.09.03.SPA.pkg

This operation requires a reload of the system. Do you want to proceed? [y/n]

Switch upgrade complete!

Upon reboot the switch stack will be upgraded. Use a show version to verify (verify all the things!) that the stack is running the new version. You can also clean up old IOS files that may be left over from the previous version using “install deactivate <filename.> For more detailed information and additional configuration options and examples check out the Cisco documentation.

The Importance of TAC along with some SSO Info

This article is by Andy West and first appeared on his blog, blueboxredbox.com.

For those that have worked with me this formatting approach is either going to make you smile or make you cringe with memories of overly complex email updates.

OPENING

Someone once asked me why I seem to enjoy dealing with TAC, Tech Support, Support, insert some other title here as much as I do and the answer was simple: every time I deal with TAC I come away with some new piece of knowledge. 

Yes I know we all have played TAC roulette where maybe the person you get handling your case doesn’t seem to have that much knowledge of what you are calling about. Maybe they are just starting down their career path and it’s their first day. Maybe English isn’t their first language. In the end though , for me, calling TAC isn’t just about solving a problem but rather learning something new each time I end a given case. That doesn’t have to be something technical because like many things in life , the results of an action are only as good as the effort you put into that action.

As a reference point I’ll talk about a recent case I worked through around getting SAML based SSO, IDP = Okta, to work with Cisco Collab. After burning on this for a few days with two internal engineers we then engaged both Cisco and Okta TAC. Having worked with the Cisco engineer we got before we knew we were in a great spot. The Okta engineer was new to us though. The first Webex we did with all of us didn’t go great, no real progress seemed to be made and the Okta TAC had to drop earlier. It would have been easy to just write that engineer off as not caring as much as the Cisco TAC did or maybe he didn’t know what he was talking about but he asked us to reschedule for later in the afternoon.  So we waited and within about 30 minutes of that second call starting the Okta Engineer and resolved both issues. Maybe they were able to clear their head , maybe they spoke to someone else , maybe they didn’t do anything at all related to our case and just found the right logs to look at when we all got back together.

The point being that TAC is there to solve problems for their customers , among other things, and this engineer did just that which is why we all pay for such support. So great, what new things did I get from that case that made this another enjoyable scenario:

NON-TECHNICAL

This was the first time I had gone through dealing with Okta support so I got to learn what that process is and what mechanisms they use to interface with their customers.

TECHNICAL

I picked up this CUCM CLI driven command:

set samltrace level

TAC also pointed us to these two documents which really seemed to help explain and troubleshoot SSO.

Troubleshoot SSO in Cisco Unified Communications Manager

SAML SSO Okta Identity Provider

CLOSING

Not every TAC engineer is going to be the all star you hope for but remember the following: life is a two way street. You as a customer have the responsibility to be a good customer on that call. You have a responsibility to do your part to try and make it easier for TAC to do their part and for me that comes down to always trying to learn something new. =)

TAC Connect Bot – Devvie Has a Sibling!

This article is written by Ben Story and originally appeared on his blog packitforwarding.com

Recently I opened a TAC case through my Cisco Partner. In the initial automated response from Cisco TAC, I noticed something new. There was a link (https://tacconnect.cisco.com) that I had not seen before. Since it mentioned a bot, I figured why not let’s see what it’s all about.

Screenshot of the TAC Connect website showing the options of using TAC Bot through Webex Teams or through a web interface.
TAC Connect Website

Using the TAC Connect Bot

After signing into the TAC Connect website, I was presented with the choice to use the bot through Webex Teams or through a web interface. As I already had Webex Teams I went that route. TAC Connect quickly sent me an introductory message in Webex Teams. This message gave me a list of ways to interact with the bot.

Hello! I can help you get case, bug and RMA details and connect with Cisco TAC. You can make the following requests in English language:

my cases
what is the status of (case number or bug number or rma number)
connect with engineer (case number)
create a virtual space (case number)
request an update for (case number)
update the case (case number)
escalate (case number)
raise severity (case number)
requeue (case number)
close the case (case number)

I can help you manage cases that are opened from Cisco.com Support Case Manager. Currently, I can't open new cases, reopen closed cases or answer technical questions. Type "/list commands" to get a list of command requests and find details of supported features using the documentation and demo videos.
Instructions for using the TAC Connect Bot

My first step was to issue the command “create a virtual space” followed by my case number. This created a new space with the service request number as the name and automatically invited me, the TAC engineer, and the partner’s engineer. At this point, my engineer engaged us and we were able to quickly work through troubleshooting my issue. For this particular case I didn’t end up using any of the other commands, but I can definitely see them as being useful as well. No more calling to requeue the case or to escalate. It also gives great tools to get the status of cases without having to log in to the support case manager. This makes it very easy to get updates from your mobile device.

API for TAC?

Beyond the natural text commands, there are additional bot commands that form a quasi API for TAC. I’m sure that some of our DevOps fans will see ways to use this with their tools.

  • /action-plan: Sends the last note containing action plan
  • /bug: Get list of Bugs associated with TAC case
  • /case-feedback: Give multi-line feedback about the case in a single message
  • /clear or /reset: Reset the conversation dialog
  • /close-case: Request engineer to close case
  • /connect: Connect to case owner of a case
  • /create-space: Create a Webex Teams virtual space for a case
  • /customer: Get customer information associated with TAC Case
  • /description: Get problem description for the TAC case
  • /escalate: Escalate a case
  • /feedback: Give multi-line feedback about the bot in a single message
  • /last-note: Get the last note from the TAC case
  • /link: Get link to the case in Support Case Manager
  • /list cases: View the prioritized list of your cases
  • /owner: Get case owner (TAC CSE) for TAC case
  • /raise-severity: Raise the severity of a case
  • /reopen: Re-open a case
  • /request-update: Request engineer to provide the latest case update
  • /requeue: Requeue a case
  • /rma: Get list of RMAs associated with TAC case
  • /status: Get status of a case, bug or RMA
  • /update: Add a note to the TAC case
  • /updated: Get the date on which the TAC case was last updated, and calculate the time since last update

My Final Thoughts

TAC Connect bot is a great new tool for Cisco customers. I look forward to seeing it evolve. I would really like to see TAC push more use of it and other tools like the Cisco CLI Analyzer, but that’s another post.

Virtual Port Channel (VPC) – Base Configuration

This article was written by Taylor and first appeared on his blog on ucadministrator.com

Overview

In my last post, we talked about some differences between traditional port channels and virtual port channel found on the Nexus line of switches. If you have not seen it, make sure to check it out here. Now that you understand some differences, its time to jump into the required configuration.

Configure

There are a few main steps that need to be done to configure VPC. The first step is to enable the VPC feature. This is done with the following command and will need to be done on both switches.

NEXUSSWITCH(CONFIG)#FEATURE VPC

Once the feature has been enabled. Its time to create the VPC Domain. The commands are shown below. Replace xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy with the IP address of your switch. Each switch will have these addresses reversed as the source and destination will change.

NEXUSSWITCH1(CONFIG)#VPC DOMAIN 1
NEXUSSWITCH1(CONFIG-VPC-DOMAIN)#ROLE PRIORITY 24576
NEXUSSWITCH1(CONFIG-VPC-DOMAIN)#PEER-KEEPALIVE DESTINATION XXX.XXX.XXX.XXX SOURCE YYY.YYY.YYY.YYY
NEXUSSWITCH1(CONFIG-VPC-DOMAIN)#EXIT

!Move to Switch 2

NEXUSSWITCH2(CONFIG)#VPC DOMAIN 1
NEXUSSWITCH2(CONFIG-VPC-DOMAIN)#ROLE PRIORITY 28672
NEXUSSWITCH2(CONFIG-VPC-DOMAIN)#PEER-KEEPALIVE DESTINATION YYY.YYY.YYY.YYY SOURCE XXX.XXX.XXX.XXX
NEXUSSWITCH2(CONFIG-VPC-DOMAIN)#EXIT

The priority value should be different between both of your switches. I typically use the same values as STP. This is more of an OCD thing for me… There is absolutely no requirement to do this and remember that the switch with the lower value will become primary.

Once the domain has been created. Its time to create the peer-link. It can be done with the following commands:

NEXUSSWITCH(CONFIG)#INTERFACE PORT-CHANNEL1
NEXUSSWITCH(CONFIG-IF)#DESCRIPTION VPC PEER-LINK
NEXUSSWITCH(CONFIG-IF)#SWITCHPORT MODE TRUNK
NEXUSSWITCH(CONFIG-IF)#SPANNING-TREE PORT TYPE NETWORK
NEXUSSWITCH(CONFIG-IF)VPC PEER-LINK
NEXUSSWITCH(CONFIG-IF)#NO SHUTDOWN
NEXUSSWITCH(CONFIG-IF)#EXIT
 
NEXUSSWITCH(CONFIG)#INTERFACE ETHERNET1/31-32
NEXUSSWITCH(CONFIG-IF)#DESCRIPTION VPC PEER-LINK
NEXUSSWITCH(CONFIG-IF)#SWITCHPORT
NEXUSSWITCH(CONFIG-IF)#SWITCHPORT MODE TRUNK
NEXUSSWITCH(CONFIG-IF)CHANNEL-GROUP 1 MODE ACTIVE
NEXUSSWITCH(CONFIG-IF)#NO SHUTDOWN
NEXUSSWITCH(CONFIG-IF)#EXIT

This configuration needs to be identical on both switches. Any variation (outside of the description and interface number) can cause a consistency failure and the VPC to not be established.

The next and final step is to configure the Keepalive. You can use any interface for the keepalive including the MGMT0 Interface. Be aware that if you use the Management interface you will have to specify the Management VRF on the peer-keepalive command within the VPC domain.

NEXUSSWITCH1(CONFIG)#INTERFACE ETHERNET1/30
NEXUSSWITCH1(CONFIG-IF)#DESCRIPTION VPC KEEP-ALIVE
NEXUSSWITCH1(CONFIG-IF)# IP ADDRESS YYY.YYY.YYY.YYY/YY
NEXUSSWITCH1(CONFIG-IF)#NO SHUTDOWN
NEXUSSWITCH1(CONFIG-IF)#EXIT
 
!Move to Switch 2

NEXUSSWITCH2(CONFIG)#INTERFACE ETHERNET1/30
NEXUSSWITCH2(CONFIG-IF)#DESCRIPTION VPC KEEP-ALIVE
NEXUSSWITCH2(CONFIG-IF)# IP ADDRESS XXX.XXX.XXX.XXX/XX
NEXUSSWITCH2(CONFIG-IF)#NO SHUTDOWN
NEXUSSWITCH2(CONFIG-IF)#EXIT

You do have the ability and it is recommended to configure the KeepAlive with a port channel. This will give you redundancy if a cable or port ever fails. In the event, you want to use a different VRF for the keep-alive link you can do so with the following configuration. Remember to add that VRF to the keep-alive command within the VPC domain.

NEXUSSWITCH(CONFIG)#VRF CONTEXT KEEPALIVE
NEXUSSWITCH(CONFIG-VRF)#EXIT
NEXUSSWITCH(CONFIG)#INTERFACE ETHERNET1/30
NEXUSSWITCH(CONFIG-IF)#DESCRIPTION VPC KEEP-ALIVE
NEXUSSWITCH(CONFIG-IF)#VRF MEMBER KEEPALIVE
NEXUSSWITCH(CONFIG-IF)# IP ADDRESS XXX.XXX.XXX.XXX/XX
NEXUSSWITCH(CONFIG-IF)#NO SHUTDOWN
NEXUSSWITCH(CONFIG-IF)#EXIT

This configuration should get you up and running and allow you to create virtual port channels. In the next post, we will go over some additional configuration you can add to the VPC Domain like the peer-switch command to manipulate and improve STP convergence.

Ep 06 – 24

To hear more from Taylor you can follow him on Twitter @VirTaylor (formerly @UCAdmin) (https://twitter.com/VirTaylor) and checkout his blog at https://virtualizedtaylor.com/

Follow us on Twitter https://twitter.com/artofneteng
Check out our website https://artofnetworkengineering.com
Contact us artofnetworkengineering@gmail.com
Join the Discord Study group – https://discord.gg/hqZ7XEG

5 Tips for New Engineers

This article first appeared on Dave A‘s blog zerosandwon.blog

Next year will be my tenth in a network engineering role. I’ve seen team members come and go, leadership change and roles changes as well. Nothing is ever static, especially the technology. For those looking to enter a network engineering role or are simply young in their IT career, I wanted to jot down a couple of tips that I hope can help them be successful in their roles. I originally was going to make this network-centric, but honestly it applies to any type of role you might be in.

Become a Shadow

You have the power to climb to height you want. With enough time and work, you will accomplish your goals. However there is nothing wrong with looking to someone with more experience as a way to carve out your own path. During my first year in a network engineer role, I was not thinking about obtaining a cert. I felt a little bit like a fish out of water helping support 100+ sites in education. One of the more senior engineers on the team was working on his CCIE. He was my go to person when I became stuck in some issue I could not understand. He was always willing to help. He also spoke to me about certs and their importance as well. The importance was not just obtaining a cert, but the amount of knowledge gained during the process. Many of the other engineers were extremely helpful. I stuck to anyone who was willing and able to help. If you are part of a team of engineers, find someone who is willing and able to help you, provide guidance, and answer questions. A good leader knows and understands what it feels to be new. A good leader will help push you forward as needed. A good leader will also correct you when you are completely wrong, but won’t bury you because of it. “But, I’m the only one here. I guess I’ll have to be my own mentor.” That might be your situation, but thankfully we live in the age of social media. There are plenty of people out there in the Twittersphere who always have good words and are there to help

Learn From Your Mistakes

Image from Pexels.com.

If I had a dollar for every mistake I’ve made in my career, I would definitely have enough to host a nice dinner party for a bunch of people and probably give out a few gifts. I do enjoy seeing other’s Tweets about “mistakes they have made at work.” The reason I enjoy it is because it shows how human we all are. We all make mistakes. I always refer to my reboot of wireless controller services in the middle of the day. I did not know that applying a “small” change to the controller would turn off all radios and turn them back on. Off-hours, this would have been fine, not when the CIO and a bunch of others were having a meeting; not to mention the dozens of others connected to the wireless in the building. That reset felt like forever, even thought it was probably 30 seconds. However, it was enough for everyone to notice and question what happened. Now I do my best to know what the outcome of pushing different buttons will be. There was another time that some strange PoE bug would randomly take down all of the access points at a remote location. It was a known bug within the team and a reset of the port would have brought all the access points back up. I remote into the switch and look for all the ports labeled “Wireless_AP”. The first switch I took a look at only had one port. I shut down the port and immediately lost connection to the switch. It ended up being the uplink to the router and was not a “Wireless_AP”. It was pretty early at the site, no one was there, and there was no out-of-band access. Support was not planning on driving to this site. I had to give them a call, force them out of bed so they can drive an hour to the destination to bounce the switch. Good times, however now I make sure to double-check what is on the port and not just trust a description. Mistakes will be made; the important part is learning from them and adjusting.

Learn Your Environment

Image from Pexels.com.

The first time you travel somewhere even within the same city you live in you will probably use a GPS. The second time you visit the same place, you might use the GPS again. Eventually you’ll be comfortable enough to leave home and travel to the destination without the need to rely on that GPS. The same applies at work. Learn your environment and what components make up the enterprise. I encourage you to not only learn your area, but IT as a whole. You might be working at a helpdesk, don’t just learn the ins and outs of your area only. If you take the time to see how the other areas interact with each other, you can gain a different level of understanding that will help when troubleshooting. This does not just apply if you are new in a role, but it is something that will help at any time and any place. Sure as a network engineer its pretty cool to just spit out the answer to “What is this IP?” or “What is this subnet?”, but it is far more important to know what lives in those IP spaces and how they interact with the rest of the network.

Speak Up

Being new to a role in a different company can at times be nerve-racking. This is perfectly normal. However, do not let the nervousness silent you. You will have ideas about new processes, technology or designs that might be a benefit to the team or the organization as a whole. Speak with the team leaders. Communication in any role is key. Perhaps those ideas make sense. Sometimes they might not. The important part here is that you are doing some thinking about ways to improve things. This is usually good (again, with good leaders). Even if your role does not call for you to “improve or design something” you should always have it in mind. You never know when you will be called upon for some ideas or to present something. You might eventually end up in a role that calls for some public speaking. Yes, public speaking can be another nerve-racking experience, but it is something you can overcome. It is also something to practice. If you ever end up in an opportunity to present a project or an idea to stakeholders, you will probably be glad you took the time to practice it.

Change is difficult. I remember when there was an uproar because the Microsoft Office version was changing and it “looked different.” That might be a small change, but sometimes there are big changes we have to deal with. There has always been change and there always will be. The way we adapt to change in the world of IT is what determines if we continue or are left behind. In whatever role you might be right now, take a look at its future. If your goal is to still be <insert position here>, how will your role look like in another five years? Will it still exist? What skill set will you need to continue to develop yourself in that position? As a network engineer the worlds of programming and virtualization are coming together. It is essential to dive in to automation. As the position changes, I need to make an effort to continue learning to make sure I am not left behind. In our world things seldom stay static. Being dynamic and learning in a dynamic way will make sure you continue to adapt to change, no matter what it is.

Continue to Adapt

A master adapter. Image from Pexels.com.

There is much more I can say, but there is much to your journey I do not want to spoil. Keep learning and keep climbing. Opportunities will come at the right time. Doors or windows will open. No matter how much you think you know, there is still room to continue learning.

An Introduction to DMVPN

This article was written by Danny Finein and first appeared on his blog semperfinein.com.

Dynamic Multipoint VPN (DMVPN) is a Cisco IOS Software solution for building scalable IPsec Virtual Private Networks (VPNs). Cisco DMVPN uses a centralized architecture to provide easier implementation and management for deployments that require granular access controls for diverse user communities, including mobile workers, telecommuters, and extranet users.

Cisco DMVPN allows branch locations to communicate directly with each other over the public WAN or Internet, such as when using voice over IP (VOIP) between two branch offices, but doesn’t require a permanent VPN connection between sites. It enables zero-touch deployment of IPsec VPNs and improves network performance by reducing latency and jitter, while optimizing head office bandwidth utilization.

Cisco Systems. “Dynamic Multipoint VPN (DMVPN).” Cisco DMVPN, Cisco Systems, 4 Feb. 2020, www.cisco.com/c/en/us/products/security/dynamic-multipoint-vpn-dmvpn/index.html.

DMVPN Comparisons

To start, I want to post some articles that have really helped in understanding the different DMVPN Phases and technologies. This list will continue to grow as I find more resources to thoroughly explain DMVPNs.

I summarized these three posts throughout the DMVPN configurations and phases articles. However, I wanted to take a moment to piggy-back off of Rajesh’s comments on the Cisco forums. Essentially, the break down of the three phases are as follows:

DMVPN Phase 1

I read a document Cisco prepared for a friend of mine, and I am going to piggy-back some of the terminology. In particular, when I refer to “DMVPN”, I am referring to the tunneling mechanisms, and not the IPSec protection overtop. That will be covered in a separate post of this section, as it is is configured more a la carte than an entree.

With that part covered, the phases of the DMVPN relate very closely to the phase of NHRP being used, which is the main driver of DMVPNs. Next-Hop Resolution Protocol (NHRP) works similar to reverse ARP. Spokes, acting as Next Hop Clients (NHC) register to a Next Hop Server (NHS). The registration is for the logical IP address of a tunnel to a physical address of an interface. While the original intent and mechanism was designed for NBMA networks, it lended itself really well to sites over the Internet, and that’s just what it got used for.

So, to make a Phase 1 NHRP tunnel, it’s the same as making a normal tunnel, with a few extra tweaks. Start by making a point to point tunnel, with the generic (default) mode, which is a point-to-point GRE tunnel:

Spoke:

interface Tunnel 0
     ip address 192.168.1.10 255.255.255.0
     tunnel source Loopback0
     tunnel destination 10.13.13.1  
! Only the spokes get a tunnel destination

Next, flip the hub to a point-to-multipoint. This allows multiple spokes (still in point-to-point) to connect to a single interface on the hub:

Hub:

   interface Tunnel 0
     tunnel mode gre multipoint  
! Hub is mGRE, so no destination

At this point, we have a pretty bland tunnel, so we need to start trying to make them talk. Obviously, the spokes know how to get back to the hub, but the hub doesn’t really know how to get to the spokes. In order to accomplish this, we are going to start by telling the hub to listen and learn.

Hub:

  interface Tunnel0
   ip nhrp authentication NHRP_authC
   ip nhrp map multicast dynamic
   ip nhrp network-id 13

Now add the NHC stuff so the client will actually talk to the hub.

Spoke:

  interface Tunnel0
   ip nhrp authentication NHRP_authC
   ip nhrp map multicast 10.13.13.1
   ip nhrp map 192.168.1.1 10.13.13.1
   ip nhrp nhs 192.168.1.1
   ip nhrp registration timeout 30
   ip nhrp holdtime 60

The last few points about Phase 1 DMVPNs would be wrapped around routing protocols. Specifically, distance-vector routing protocols need to have split-horizon disabled, but the next-hop should reflect the hub (the default configuration). This allows the spokes to send their traffic to the hub and have it routed back out the same interface to the other spoke.

At this point, the spokes should be able to communicate back to the hub to give their next-hop information to the NHS. The downside to this is that the NHS keeps the information itself, forcing the spokes to only communicate with the hub. To get around this, NHRP phase 2 (making a Phase 2 DMVPN) can be used, as described in Phase 2 DMVPN.

DMVPN Phase 2

Using Phase 1 DMVPN as a reference, we will expand on the capabilities. As you recall, the main work-horse is still the NHRP mechanism. Whereas Phase 1 needed the hub to be an mGRE and the spokes were P2P GRE tunnels, Phase 2 allows all nodes to be mGRE tunnels. This shift allows spoke-to-spoke tunnels to be created to route traffic without first sending it to the hub. However, there are some pit-falls in phase 2 as well.

First, when using a distance-vector protocol (in most cases, EIGRP), we must disable the routing updates having 0.0.0.0 next-hop. That is to say, disable next-hop-self, no ip next-hop-self eigrp 13. When the routing update is sent from a spoke to the other spokes, it needs to have the original source in it. Without it, the update will look like it’s coming from the hub, and if that prefix goes into the RIB that way, then traffic gets sent that way.

The part I am still a little fuzzy on deals with CEF versus process switching. Basically, if I understand correctly (and I am still labbing this), basically, the first packet of a stream goes back to the hub and gets redirected to the spoke. Until this happens, the spoke will be process switching the packets, and once the NHS replies, it can begin using CEF. The second issue is that because all the routes are bouncing off of the hub, you cannot summarize. Consider every site being behind a 192.168.X.X/24 network and the rest of the enterprise is 192.168.X.X. It may make sense to summarize a 192.168.0.0/16 route into the DMVPN. However, in doing so, you block the visibility of the other spokes. Therefore, you cannot summarize on the hub or run the risk of breaking spoke-to-spoke traffic. This gets fixed in Phase 3.

To migrate from a Phase 1 DMVPN to Phase 2, you simply need to remove the tunnel destination 10.13.13.1 and replace it with tunnel mode gre multipoint, along with EIGRP config mentioned above (if it applies to your case). The end result looks like this:

Hub:

  interface Tunnel 0
   ip address 192.168.1.1 255.255.255.0
   tunnel source Loopback0
   tunnel mode gre multipoint
   ip nhrp authentication NHRP_authC
   ip nhrp map multicast dynamic
   ip nhrp network-id 13
   no ip split-horizon eigrp 13
   no ip next-hop-self eigrp 13
   no ip redirects

Spoke:

  interface Tunnel 0
   ip address 192.168.1.10 255.255.255.0
   tunnel source Loopback0
   tunnel mode gre multipoint
   ip nhrp authentication NHRP_authC
   ip nhrp map multicast dynamic
   ip nhrp network-id 13
   ip nhrp map multicast 10.13.13.1
   ip nhrp map 192.168.1.1 10.13.13.1
   ip nhrp nhs 192.168.1.1
   ip nhrp registration timeout 30
   ip nhrp holdtime 60 

However, we can’t stop with just that. As I mentioned above, we cannot summarize on the hub, and it takes a few packets for CEF to get rid of the invalid entries (move from process switches to CEF). To get around these shortcomings of Phase 2, and provide a true multi-access mGRE medium, Phase 3 DMVPNs started being used.

DMVPN Phase 3

Finally! In this version of DMVPN, we can summarize and there’s no more CEF invalid adjacencies. In order to accomplish this, we need only sprinkle a few more commands on our already solid tunnel.

The first command, ip nhrp redirect is configured on the hub. The command basically tells spokes “go ask him yourself”, telling a spoke to speak directly to another spoke for informaion. This is a vital piece for the hub, so that the hub can allow spoke-to-spoke communication without being caught in the middle being the NHS.

The second command, of equal importance, goes on the spoke ip nhrp shortcut. This command tells the spokes “we can talk direct, it’s fine”. The two combine kind of work like this: Two people use a dating site (the NHS) to meet and chat. Now, they decide the other one isn’t a serial killer, so it’s okay for the two to talk directly (shortcut), and the dating site (NHS) gives them the personal information to do that (NHRP redirects).

This makes our final configuration look like the one below:

Hub:

  interface Tunnel 0
   ip address 192.168.1.1 255.255.255.0
   tunnel source Loopback0
   tunnel mode gre multipoint
   ip nhrp authentication NHRP_authC
   ip nhrp map multicast dynamic
   ip nhrp network-id 13
   no ip split-horizon eigrp 13
   no ip next-hop-self eigrp 13
   no ip redirects
   ip nhrp redirect
   ip nhrp shortcut 

Spoke:

  interface Tunnel 0
   ip address 192.168.1.10 255.255.255.0
   tunnel source Loopback0
   tunnel mode gre multipoint
   ip nhrp authentication NHRP_authC
   ip nhrp map multicast dynamic
   ip nhrp network-id 13
   ip nhrp map multicast 10.13.13.1
   ip nhrp map 192.168.1.1 10.13.13.1
   ip nhrp nhs 192.168.1.1
   ip nhrp registration timeout 30
   ip nhrp holdtime 60
   ip nhrp shortcut

This is a completely valid Phase 3 DMVPN configuration. “But wait!” you’re saying, “there’s no crypto!” You would be completely correct. DMVPNs refer to the Dynamic Multipoint Virtual Private Network… no where does that say security. However, it’s probably a good idea to throw encryption over top of this tunnel, especially if you’re running it over the Internet. I purposefully left it off to show, crypto is not part of the DMVPN configuration. Simply adding the proper ISAKMP and IPSec profiles provide the necessary encryption to secure this wonderful tunnel, as described in the DMVPN Encryption section.

DMVPN Encryption

DMVPNs, by definition, are simply mGRE tunnels on steriods, and GRE tunnels do not implicitly encrypt. Instead, the GRE tunnel does just as the name implies, and tunnels a layer 3 protocol over a layer 3 protocol. However, GRE tunnels allow a protection profile to be applied to add a layer of encryption over top of them. To start, we need to make an ISAKMP policy, using the following as a template:

 crypto isakmp policy 10
  encryption 3des
  authentication pre-share
  hash md5
  group 2
 crypto isakmp key SECRET_KEY address 0.0.0.0 0.0.0.0

Next, we need to create the IPSec policy as well, which will be tied to the tunnel itself.

 crypto ipsec transform-set TS_DMVPN esp-3des esp-md5-hmac
  mode transport
 crypto ipsec profile DMVPN_IPSec
  set transform-set
 interface Tunnel0
  tunnel protection ipsec profile DMVPN_IPSec

At this point, the tunnel is now protected, and traffic will be encrypted with the encryption specified in the transform set. The ISAKMP policy is used to negotiate Phase 2 of the encryption (the IPSec), but you can use certificates or other methods. Pre-shared keys aren’t the most secure, because well, sharing is in their name. But with proper security controls in place, they will suffice.

Ep 05 – Halo Memes and Harry Potter Castles

Danny is a very distinguished Network Engineer holding his CCNP, CCDP, Cisco DevNet Associate, and he holds many more industry certifications. He is also a Cisco Champion and part of the Cisco DevNet 500.

To hear more from Danny you can follow him on Twitter https://twitter.com/semperFinein and visit his blog at http://www.semperfinein.com/.

Follow us on Twitter https://twitter.com/artofneteng
Check out our website https://artofnetworkengineering.com
Contact us artofnetworkengineering@gmail.com
Join the Discord Study group – https://discord.gg/hqZ7XEG

Conversation Starter: Route Where You Can, Switch Where You Must?

This article was written by Tim Bertino, and first appeared on his blog neticaded.com

Disclaimer: There is a fair amount of my opinion in this post. I welcome feedback, especially on anything that doesn’t seem right.

When discussing and thinking about campus networking, I go back and forth on where the L2/L3 boundary should be placed. In a traditional three tier architecture of core, distribution, and access, how far toward the access layer should we take routing? Of course, that answer is probably the all popular “it depends” reply.

Image courtesy of Cisco Systems

My thought is that with multi-layer switches being common for some time now, and that modern switches (depending on what you’re dealing with) can function at Layer 2 and Layer 3, taking routing all the way to the access makes sense. My reasoning behind this is simplicity and bandwidth. Spanning Tree Protocol does its job well, but if I don’t even have to think about STP, generally I’m happy. On the bandwidth side, leveraging Layer 3 means we can reap the benefits of Layer 3 Equal Cost Multi-path (ECMP).

Traffic recovery in a hierarchical design. Image courtesy of Cisco Systems.

That all being said, any design should be approached by understanding the business requirements. Is there a business need to have VLANs span multiple switches? If so, and if there is no overlay technology in play, then Layer 2 from distribution to access is necessary, which is still a valid design. Also, to maintain redundancy and utilize more physical links, Mutlichassis Etherchannel (MEC) supported designs can be deployed.

In conclusion, I think it is great to have standards to strive to implement, however you always need to be mindful of business requirements. I do think that overlay technologies will continue to become more prevalent and allow for standard underlay designs of Layer 3 to the edge (access layer) while the overlay handles any Layer 2 extension requirements.

Packaging Cisco AnyConnect

This article originally appeared on Ben Story’s personal blog, packitforwarding.com

Photo by Andrea Piacquadio from Pexels

The Problem

Just like many corporations, my corporation recently had to scramble for solutions to move our workforce to their homes for COVID-19. For our emergency work from home solution, we used VMWare’s Horizon software for the majority of our workers. This worked great, but there was a small subset that had specialized software on their laptops that needed true VPN access. Cisco AnyConnect has been our choice for VPN access, but we suddenly had a lot of new AnyConnect users that had already left the building. Unfortunately, with browsers disabling Active-X and Java the web installer is basically just a glorified downloader now and it ends up confusing many users.

This led us to a need to package Cisco AnyConnect for distribution from our colleague support website. We wanted to have three components (AnyConnect, DART, and SBL) installed, but we didn’t want colleagues having to download and install the three separate MSI files.

Solution Part 1

More on why there is a part two later, but first part one. To combine the MSIs into one package and install them in the order that I wanted, I needed a packaging tool. Since the budget for the project was $0 and my roots are in OSS, I sought out a free solution. Inno Setup has been around since 1997 and is free so it has a good track record and meets my budget.

Inno Setup is a compiler that takes a plain text file along with the source files like the MSIs and puts them into an EXE setup file. At it’s simplest I could just write the text file and run the program, but I needed something fast and I didn’t want to spend time troubleshooting my lack of understanding of the Inno Setup configuration. That’s where Inno Script Studio, also free, comes into the picture. Inno Script Studio gave me a graphical IDE to design my installer.

Using the tools I created a Inno Setup script that included the three MSIs and then the required msiexec commands to run the installers in order. With a few edits for eliminating my employer, here is the script that I used.

; Script generated by the Inno Setup Script Wizard.
; SEE THE DOCUMENTATION FOR DETAILS ON CREATING INNO SETUP SCRIPT FILES!
 
#define MyAppName "PackIT Forwarding Cisco AnyConnect"
#define MyAppVersion "1.0"
#define MyAppPublisher "PackIT Forwarding"
#define MyAppURL "https://packitforwarding.com"
 
[Setup]
; NOTE: The value of AppId uniquely identifies this application.
; Do not use the same AppId value in installers for other applications.
; (To generate a new GUID, click Tools | Generate GUID inside the IDE.)
AppId=
AppName={#MyAppName}
AppVersion={#MyAppVersion}
;AppVerName={#MyAppName} {#MyAppVersion}
AppPublisher={#MyAppPublisher}
AppPublisherURL={#MyAppURL}
AppSupportURL={#MyAppURL}
AppUpdatesURL={#MyAppURL}
DefaultDirName={pf}\{#MyAppName}
DefaultGroupName={#MyAppName}
DisableProgramGroupPage=yes
OutputDir=C:\Users\packitforwarding\Desktop\AnyConnect-Installer
OutputBaseFilename=pifanyconnect.exe
Compression=lzma
SolidCompression=yes
PrivilegesRequired=admin
DisableReadyPage=True
DisableReadyMemo=True
DisableFinishedPage=True
AlwaysShowGroupOnReadyPage=True
AlwaysShowDirOnReadyPage=True
VersionInfoVersion=1.01
VersionInfoCompany=PackIT Forwarding
VersionInfoProductName=PackIT Forwarding Cisco AnyConnect
VersionInfoProductVersion=1.01
VersionInfoProductTextVersion=1.01
MinVersion=0,6.1
SignTool=signtool
 
[Messages]
 
AdminPrivilegesRequired=This install requires administrative privileges.
 
[Languages]
Name: "english"; MessagesFile: "compiler:Default.isl"
 
[Files]
Source: "anyconnect-win-4.8.02045-core-vpn-predeploy-k9.msi"; DestDir: "{app}"; Flags: ignoreversion
Source: "anyconnect-win-4.8.02045-dart-predeploy-k9.msi"; DestDir: "{app}"; Flags: ignoreversion
Source: "anyconnect-win-4.8.02045-gina-predeploy-k9.msi"; DestDir: "{app}"; Flags: ignoreversion
; NOTE: Don't use "Flags: ignoreversion" on any shared system files
 
[Run]
Filename: "msiexec"; Parameters: "/package ""{app}\anyconnect-win-4.8.02045-dart-predeploy-k9.msi"" /norestart /passive /lvx* C:\anyconnectdartinstall.log"
Filename: "msiexec"; Parameters: "/package ""{app}\anyconnect-win-4.8.02045-gina-predeploy-k9.msi"" /norestart /passive /lvx* C:\anyconnectginainstall.log"

At this point, I had a working installer that did everything I wanted. But as usual, it can’t be THAT easy.

The Problem TNG

I took the newly minted installer and ran it through some testing. Everything worked great. Unfortunately, when I uploaded the file to our website for colleagues to download, things went off course a bit. The new problem was Microsoft Windows Defender SmartScreen. Every time a colleague downloaded the installer and ran it, they were given a big warning that was not readily clear on how to say run anyway. Spoiler, click “more info” to get the ability to run it anyway.

The Bandaid (aka Solution Part 2)

Unfortunately, I can’t fully call this a solution, but it did help. Microsoft Windows Defender SmartScreen wants to see two things to not put up the big warning. They are a signed application and an application that it has seen on a large number of computers.

To sign applications you need two things, the signtool.exe and a certificate. To get that exe you have to download and install part of the Windows 10 SDK. When doing the install you only need to install “Windows SDK Signing Tools for Desktop Apps”. This will install signtool.exe into C:\Program Files (x86)\Windows Kits\10\x86\ .

Getting the certificate signed by our CA ended up being the most difficult part of the project. Mainly this was due to layers 8 and 9 of the OSI model getting gummed up with everyone out of the office for COVID-19. Once I had the certificate though, it was fairly easy to sign the EXE.

1"C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" sign /f "C:\users\packitforward\Desktop\Certs\PIF_CodeSigning.pfx" /t http://timestamp.comodoca.com/rfc3161 /p "Sup3rS3cre7" pifanyconnect.exe

After manually signing the package, I also setup Inno Setup Studio so that it could do it as part of the compilation in the future. It’s fairly simple to do as shown below.

Visual of adding the signtool configuration.

As I alluded to in the header for this section, the code signing wasn’t a perfect solution. Microsoft still requires the application to be downloaded a lot to be trusted. If anyone knows of a way to speed that up, or submit an exe to Microsoft for validation, please comment below.

Final Thoughts

All told, this project was a quick win in the midst of the chaos of trying to move our work force to work from home. It also had the benefit of allowing me to help our telecommunications team when they needed to push out Jabber with some custom post-install powershell scripts. I hope it is of value to someone else.

Ep 04 – Personal Brand

In this episode, Dan is off doing a site migration and enjoying some spectacular Memphis BBQ. A.J., Aaron, and Andy discuss the importance of your personal brand and what that doesn’t mean. We also give some great tips and advice on professional success, including how to stand out in a crowd, and interview even when you’re not job hunting.

Aaron’s book recommendation The Unfair Advantage, by Hasan Kubba
https://www.amazon.com/Unfair-Advantage-Startup-Success-Starts/dp/1788163311

Follow us on Twitter https://twitter.com/artofneteng
Check out our website https://artofnetworkengineering.com
Contact us artofnetworkengineering@gmail.com

SDWAN for Dummies

This article originally appeared on Aaron’s blog aaronengineered.com on Monday August 3 2020

SD-WAN defined.

If SD-WAN had to be defined in one word, it would be “efficiency”. So, that begs the question… are current networks inefficient?

You betcha.

There has long been a need for the WAN. Many businesses are distributed geographically and have the need to share resources across these locations. In fact, this is more common than not.

Unfortunately, at some point, the applications and data that we have been sharing across these WANs outgrew our ability to manipulate it efficiently across the current technologies we have transporting it thus making our networks inefficient.

If you want to learn briefly about some of the basics of legacy WAN technologies, check out my other post here.

This post aims to demystify SD-WAN and get to the roots of why it’s so revolutionary. You might find yourself at the end of this post wondering why this took so long to emerge in the marketplace. And you would be right in wondering that. These concepts are very basic. Yet the fly in the face of traditional WAN architecture. This makes the industry shift towards SD-WAN a generational moment.

Let’s start with an example of a traditional WAN.

In this example you can see we have two different branch offices connected with a traditional VPN. Nothing too special at all. Does it get the job done? Absolutely. And this is something I want to be clear about. It’s not that traditional WANs don’t get the job done. They do, and they do it well it most cases.

They could just be so much better.

Now if we look at the below image of how to configure the traffic to traverse the VPN we can then start to understand the simplicity of what we are dealing with here.

The picture illustrates two basic options. We have one Internet connection. When traffic enters the router destined for a remote network, a decision will be made that says whether you are to be sent over the VPN or not.

That’s it.

No fluff here.

Just a simple A or B decision. Since a router uses IP addresses to make forwarding decisions, you either fall into the first ‘bucket’ of IP addresses or the second. Once that simple decision is made, you are off on your merry way.

Like I pointed out before, there is nothing wrong with this at all. In fact, most WAN’s today operate on some version of this simplistic decision-making tree.

There’s so much more…

Like what you have read so far? Head on over to Aaron Engineered’s blog to learn more about SDWAN.

The Art of Preparing for a Cisco Exam

This article was written by guest author Carl Zellers

So, you’re either thinking about or being “encouraged” to get certified in one of the many exciting and new Cisco certification offerings? 

Either way, that’s fantastic news! 

Ok, first things first; Cisco, (like many other certification granting entities), have long since developed proven formats for designing certification exams as well as the supporting documentation that accompany them to aid candidates in their quest in getting certified.  For every certification exam, there is a certification “blueprint”, a syllabus of sorts.

Let’s assume now that since you are an extremely talented, smart, and motivated individual, and as such you have decided to embark on the extremely prestigious and by far the most superior certification track of all > Security, (not because I’m currently studying for the CCNP Security Core exam – [SCOR] or anything). 

But seriously, this applies to any of the certification exams that cisco offers simply because they use the same blueprint format. So, the good news is, if you apply this to your CCNA for example, you can also apply this to your CCNP(Security 🙂 ) and so on.

Alright, so what now, go straight to Amazon or ciscopress and start buying up your reading list or heading to your favorite content provider and drinking from the proverbial firehose!? 

Not necessarily!

Effective study takes preparation in and of itself!  Back to the blueprint we go!

As I mentioned, Cisco has generously provided us, the hopeful glutton-for-punishment candidates, exam blueprints that outline the exam material* (umm, more on this later). 

Before we get started, head over to the exam blueprint for the CCNA at cisco.com and save a copy to your local machine as well as a printed copy for your desk at home and/or work, (helpful hint: doing this will inevitably serve as a reminder as well as a tangible piece of personal accountability).  Now for the REAL reason you came here, deciphering and evaluating the blueprint!

Cisco blueprint now in hand, (regardless of which blueprint you have), you’ll no doubt have noticed a theme and believe me that theme is a universal truth across all blueprints. 

Let’s take a deeper look at some of the words they use on the blueprint:

  • Compare
  • Describe
  • Implement
  • Configure

And my personal favorite:

  • Configure and Verify or “be ready for literally anything”. 

You really need to think about these and what they are asking to maximize your study efforts.  Let’s look at a couple in particular and break them down.  At first glance, “implement” and “configure”, same thing right!? 

Not necessarily.

Cisco chose their words ‘carefully’. 

In my opinion/experience, implementation(s) generally involve solutions, solutions that oftentimes have dependencies or go beyond simply enabling a protocol for example, (think OSPF virtual-links), the idea is that you have a working knowledge of OSPF and have layered on scenario specific knowledge.  However, on the “configure” side of things, seems to be aimed at evaluating a candidate’s knowledge of a particular protocol itself, (think simply configuring a single-area OSPF routing domain).  With this kind of understanding of the nuance in the blueprint, I’m certain you will see a better return on investment with your study time!

You: “Ugh, but it says here in the blueprint SNMP, SNMPv2, and SNMPv3”, or “RIP/Frame-Relay/etc do I really need to learn all of that?”

Me: “Yes, yes, and more yes. “

Older protocols and technologies do show up on exams, it’s a fact of life, and likely always will be.  Truth is, those types of things DO still exist today, albeit a very low likelihood you’ll ever run into them.  DO NOT let these small things deter you from continuing on.  Progress in technology and networking especially is iterative, meaning while it may seem arbitrary to have to study ‘legacy’ technology, you will still likely benefit from having learned and been exposed to it.  Embrace it, learn it, prove it in the exam, then you’re free and clear to intellectually bad mouth it with a certain technical aptitude for the rest of your days, (like the rest of us!).

So, I said previously, “you will still likely benefit from having learned and been exposed to it”.  What do I mean by being exposed to it?  Long story short, LABBING WORKS.  Hands on practice is KEY in solidifying these items you’re looking at skeptically on the blueprint.  I don’t care how many times you watch a video or read a paragraph, doing it for yourself is a must, ok I’ll go and say it, is nonnegotiable!  And while we’re here, don’t just lab it, lab it again, and again.  Some helpful tips for labbing:

  1. Go find or create a new use case for the same topic! 
  2. Break it, break it in multiple ways, fix it, break it again, repeat
  3. Don’t take documentation at face value!, if the documentation says a configuration won’t work or isn’t suggested.  TEST THAT! You’ll learn just as much about how something works by seeing it not work and why.
  4. Collaborate in some way while labbing if you can with others.  Use someone else’s topology, let them break it for you to fix.
  5.  Take wireshark captures frequently.  A lot of people take for granted that adhering to the ‘rules’ of OSPF adjacencies is simply enough to know OSPF.  Ummm, ok but it’s really cool to see the all routers multicast address in a pcap and what kinds of messages are sent to and from certain addresses.  Honestly, what’s the worst that, happens you gain a real-world skill in become proficient in wireshark!?

Wrapping up, let’s re-cap where we’ve been and where we go from here. 

  • The blueprint is the framework to center your studies around.
  • The more reference material you have the better.  Probably THE single most underrated resource is via Cisco docs, (configuration guides/examples, command references, etc.).
  • LAB, Lab, lab, and lab some more.  As for my “more on this later” teaser, there is another important aspect of the blueprint itself. 

The following is something that you will also find on ALL the Cisco blueprints:

“The following topics are general guidelines for the content that is likely to be included on the exam. However, other related topics may also appear on any specific version of the exam. To better reflect the contents of the exam and for clarity, the following guidelines may change at any time without notice.”

            Yep, you read that correctly!  Although the blueprint is a great authoritative and comprehensive outline, we are still at the mercy of the question authors and exam architects for the foreseeable future, so lean into it and enjoy!

My Journey to the CCNP Enterprise

This image has an empty alt attribute; its file name is ccnp_enterprise_large.png
CCNP logo courtesy of Cisco Systems

This article first appeared on A.J.’s blog, NoBlinkyBlinky on Monday August 3, 2020

My journey to the CCNP Enterprise started last year in February, after I passed my CCDA exam. I jumped right in, full steam ahead. In 2019 the CCNP Routing and Switch required three exams, the 300-101 Route exam, the 300-115 Switch exam, and the 300-135 TShoot exam.

First up: The Switch Exam

Hot off the heels of my CCDA I was pumped full of STP knowledge, plus I did a bunch of Layer 2 at work. I quickly set off on my switch studies and using the Official Cert Guide and a series from Pluralsight, I passed the switch exam. It was certainly a challenging, professional level, exam. In fact, I only narrowly passed it by a few points. The margin of passing was so low I initially wished I had’t! I thought I could do better, and wished I had.

In conversions with a friend about my recent success I told her that while I was happy to have passed that I wished I had done better. Her response was eye opening: “What do you called a med student that got straight D’s? A Doctor!”

She was right! Although I did not pass by huge margins like I had dreamt, I still worked my butt off and passed, and I should be proud of that and not be disappointed. A pass is a pass.

What do you called a med student that got straight D’s? A Doctor!

Free Exams are Nice

In June of 2019, I flew to San Diego to attend Cisco Live. Full pass attendees get a free shot at an exam as long as they can be at the temporary Pearson Vue testing center on the Cisco Live campus. It was here in the very previous year I passed my CCENT exam, so I was excited to be back. I already had my route exam scheduled so I figured I’d give T-Shoot exam a try.

While hopeful I’d pass the exam that day, once I got in I realized the T-Shoot was a beast all it’s own. It was the choose your own adventure of exams. The scenario in each question was the same, Client 1 can’t ping the webserver. The object was to troubleshoot the entire topology to determine where the issue was. Each answer had a possible list of sub-answers, which had even more sub answers possible. It was impossible to guess your way through this thing and eliminate enough other answers in a timely fashion to make it through the entire exam in the time allotted. The end result, I failed, and that was okay.

New Certs are Coming

At Cisco Live in 2019 Cisco announced a HUGE revamp to the Certification Program. The new certifications would essentially be shallower in depth, but wider in content. This would better prepare candidates for a wider variety, rather than just having someone deeply skilled in Routing and Switching, Wireless, or Collaboration, it would allow more of a network generalist: ready for anything.

This image has an empty alt attribute; its file name is screen-shot-2019-06-10-at-5.43.34-am.png
Cisco’s new certification line up

The real depth would occur at the Professional level exams. The big kicker was the addition of Automation and Software-Defined topics in the new blueprints, and an entire line of new Cisco DevNet Certifications.

The clock was now ticking in my eyes. I wanted to get my CCNP Routing and Switch AND my CCDP before the changeover.

Limited Availability

To make a long story short over the rest of 2019 I would attempt t-shoot two more times and route four more times. I studied hard, I read, I watched videos, I felt confident… and then I failed the exam. But every time I came closer and closer and closer. The most frustrating part was the local Pearson Vue testing center’s availability.

Despite living in a somewhat populated area in Northern Vermont there was only one testing center close to me, about a 30 minutes drive, the rest were nearly two hours driving time away. The closer center, however, had poor availability more often than not. So poor that if I wanted a seat there I had to schedule at least a month in advance, and sometimes that wasn’t enough.

On a few occasions I came so close to passing the exam I immediately rescheduled for the following week. However, in order to land a spot so soon I had to accept a time at the exam centers that were further away.

Driving for two hours before an exam you can really get into your own head second-guessing your knowledge and capabilities. And driving home for two hours after a failure will kill your self-confidence.

Study for the exam you’re about to take – Not the One you just took

On more than one occasion I made the fatal mistake of trying to just studying those things I felt like stumped me on the exam, and not the entire blueprint as a whole. Feeling prepared walking into the testing center on my next attempt I was thrown the curviest of curve balls and got questions I did not fully prepare myself for.

Remember, anything on the exam blueprint is fair game, and there are hundreds if not thousands of questions in the exam pool. You may see see a few questions from the exam you just took on the next one, you may not, and it’s a certainty that will not get the same exam twice. Make sure you study everything and not just the areas you feel stumped you on that particular attempt.

Shaken

After walking into the exam center feeling more and more prepared to face these exams but continuing to fail my confidence was shaken. I didn’t understand what I didn’t understand. I started having these awful feelings of self doubt come over me whenever I sat down to study. For a while, I avoided studying as a result. Then when the scheduled exam drew near I went into cram mode, but failed again.

Success is not final, failure is not fatal: it is the courage to continue that counts.

Winston Churchill

It’s all About the Journey

As I did when I was taking my CCNA I was very transparent about my trials and tribulations as I sought my CCNP. As I sit here on the evening that I passed my Design exam and obtained my CCNP Enterprise I am reflecting on this entire journey and came try some very solid conclusions.

You always hope for the pass, but in the end it’s all about the journey.

Kevin Myers @stubarea51

Had I not failed these exams so many times and struggled I likely would not have posted it to Twitter and Kevin Myers wouldn’t have made the comment that changed the course of history for me, and I may have never have created the study group – It’s All About the Journey. I’m happy to report that this study has gained a lot of members and seems to be buzzing all the time with people sharing what they are working on/labing/studying for. There’s been nothing but words of encouragement flying around in there too.

Had I not failed all of those exams or created the study group I would not have come up with the idea for, and started The Art of Network Engineering podcast.

The study group came from a response to a post I had made about failing an exam. Kevin Myers literally said to me – in the end, it’s all about the journey. And it’s true, it is. The people I’ve met, the new friends I’ve made, are all more valuable to me than the CCNP itself, and the CCNP has more value to me than had I just passed it the first time around. The podcast came to me during our study group sessions. We had such good conversation that a podcast seemed like the next logical step.

And the clock runs out

One last attempt at route and the clock runs out! I took my last attempt at route the Friday before the deadline. I was “doomed” to start back at square one with the CCNP Enterprise.

Game Changing

While COVID19 has brought a lot of horrible things into our world it’s also brought about some positive change too. One such change, in my opinion, is the ability to test at home. No more two-hour drives (or 4 hour round trips) to exam centers for me. Testing from the comfort of my own home couldn’t be better. While some OEMs have been allowing for some time this was new for Cisco.

With testing from home you have to login prior to exam start time, take a bunch of pictures of you, a valid ID, and your work area. The work area must not have anything in it like books, notes, electronics (other than the device you’re taking the exam on). Additionally, you can’t be connected to external monitors or use more than one monitor. All applications not related to the exam software must be closed. Given the above alone this precludes me from using my home office from taking the exam. It would be far too much work to make it exam ready.

So, I take the exam in my youngest son’s room. He’s 5 now and has none of the above listed distractions in his room. I bring a spare desk into his room, roll my office chair into there and prepare for the exam. And by prepare I mean I play with his monster trucks for like five or so minutes. It really helps calm my heart rate and distract me before taking the exam.

Slow Down!

Photo by Pixabay from Pexels

I took the ENCOR exam twice and in both times I scored above 800, but below the minimum passing score of 825. So, if you’re keeping score that’s 10 failed exams. Some people ask me, how do you do it? How do you keep coming back failure after failure. Because I want it. Because I know I’m capable. Because employers don’t ask how many times you failed an exam. Points aren’t assessed against you because you failed. It literally doesn’t matter how many times you fail, all that matter is that time that you did. I’m not better or worse a CCNP for having failed 10 exams before passing the two that I needed to in order to get my CCNP.

Here’s a great video on the Super Mario Affect from famed YouTuber Mark Rober. If you haven’t watched this video you simply have to.

Mark discusses the effect on learning when learners do not concern themselves with failure.

While trying to figure out what I was missing, during practice exam I got a question wrong that I swore I should’ve got right. I went back ready to argue my stance and report the “bug” to the software developer. However, upon closer inspection, I realized I didn’t fully read the question. It was at that moment I also realized I was rushing. I was rushing in dev and I was rushing in prod. The speed was causing me to misread the question, not all of the answers, and select the close, but not so correct, answer. While I can’t say for sure I can only assume I’ve suffered from this for a long time.

In addition to seeking help from a co-worker and friend, I started being more deliberate in my exam attempts. I began practicing to be more thorough and slower. I carefully read the question, sometimes twice, read the answers, selected the one I liked but still read the rest of the available answers before making my final choice. My practice exam scores were getting higher and higher. Practicing this new approach was paying off.

On exam day I completed the ENCOR and it took me much longer than my previous attempts and I walked away with my first score over 900 points, a new personal record. I was amazed.

One Door Closes and Another Door Opens

On Thursday 7/30/2020 I passed my Design exam and earned my CCNP Enterprise. It still doesn’t seem real. But I am so thankful for all those times I failed. Every time it tested how far I was willing to go. I learned to keep a positive attitude, I always scheduled my next attempt right away, and I always got support from this awesome community. While my journey to CCNP Enterprise may be over a new journey begins. From here the plan is to set my sights on Cisco’s DevNet Associate.

Final Thoughts

While the failures sucked and felt like setbacks I wouldn’t change this journey for anything in the world. I’m happy things went the way that they did, failures, struggle, and all the rest. Always be proud of your journey no matter where it takes you.

Cisco Certified DevNet Associate, what to expect?

In 2019 Cisco announced a whole new series of certifications, in parallel with updating their existing offering; this time is not a change, but something brand new, and everyone is very excited. Still, some of us (old fashioned network engineers) did not fully understand what this new DevNet is all about. Buzzwords like “Automation,” “DevOps,” “Programmability, “APIs” and the list goes on. Should a Network Engineer spend time on this? The answer is definitely yes!

The goal of this blog post is to demystify and have a good expectation of this certification, to help you decide if you want to pursue this track or not. I strongly recommend it. As you may already know, or have heard, the work we do is evolving, and it’s happening right now.

I will begin setting some ground on an interesting use case called “Net DevOps”, followed by breaking down the major topics found on the blueprint and their lab resources. I will wrap it up with some recommendations of guides/courses that you can leverage if you want to follow a structured plan to get certified.

 

What makes a DevNet associate?

There are two major candidates to this certification, network engineers and software developers; Cisco wants to close the gap between these two to enter the world of “Net DevOps.” I want to brief you on this topic or use case because it explains well how things will change in today’s networks, and may even interest you in learning more.

Imagine yourself working for a big corporation XYZ and the Network Architect decided to migrate from EIGRP to OSPF. You, as the network engineer, need to plan in detail all the commands and testing you will do, possibly on a Saturday night. You try your best to make sure nothing will break but human error is always a possibility. This is both very time consuming and risky, but it has to be done. Now, what if I tell you that you can dispatch your desired changes to an automated pipeline called “CI/CD”, this will run extensive tests to ensure that not only the syntax is right but it makes sense. Then, a virtualized environment is generated automatically, emulating your production network to test your changes and validate the impact. If everything goes well the system can update the production network in minutes, down from probably a window of 8 hours or more. You can learn this in more detail on this certification, I found it to be quite interesting and fun!

What I just described already happens in the world of Software Development as DevOps. We are taking all its advantages and excellent features to the Network, often called “Infrastructure as Code.” What else can you learn as a DevNet associate candidate:

  • Understand the different software development strategies and design models, a good introduction for the rest of the course.
  • Understand the various data modeling formats (XML, JSON, and YAML), this is the standard language that devices use to transport their configuration or state in a standard format any program can consume.
  • Learn about some of Cisco products APIs, this is how you can quickly configure, verify, or delete stuff from your network devices without manually interacting with their CLI.
  • Implement those APIs requests in a fully automated scripts in Python.
  • Learn the basics of Linux Bash shell and Git version control.
  • Understand the foundation and building blocks of configuration management tools such as Ansible, Puppet, Chef, and many others. These are used to keep a state of your desired network/server configuration and run to make sure that the state is always enforced.
  • Learn the foundation of Cloud, this includes their deployment models and types (Virtual machines, Bare-Metal, and containers)
  • Learn the concepts of the “CI/CD” pipeline, what I previously described of the process that a network/software change takes to be deployed in production.
  • Understand the concepts of network fundamentals and web security.

The exam blueprint describes this is in more detail, but I wanted to add a more human-readable description of the exam, here is the official exam topics if you want a deep-dive:

https://learningnetwork.cisco.com/s/devnet-associate-exam-topics

Python, the elephant in the room.

Some people believe that they are required to be a Python developer to pass this certification. Well, it’s not quite like that. Python knowledge is indeed a pre-requisite, but you will be only scripting. This means that you must learn the basics of Python well enough to use some of its libraries to consume various APIs and interact with the data they send or receive.

Remember that practice is vital, build the habit of doing Python scripts by yourself and from scratch. It doesn’t cut it to just understand any given script, get your hands dirty! There are literally hundreds of courses online (Udemy, Pluralsight, YouTube, and more) to help you learn Python from zero to hero.

How about Labs?

The good news for any DevNet associate candidate is that you have everything you need to practice extensively, all you need is a personal computer or laptop, with the following at the bare minimum:

  • Python (Any 3.X version will do, version does not matter much for this exam)
  • Postman, to practice building and testing API.
  • GitBash if you have Windows, to practice Bash and Git.
  • Internet Access to use all the free DevNet sandboxes available at developer.cisco.com.
  • Docker, installation instructions at docker.com, this is to practice your container skills.

Study Plans and guides.

Here is my list of the best resources to get certified, an excellent structure to become prepared in a reasonable timeline:

There may be other resources out there, but I consider these three the best in my opinion, and from personal experience. Cisco Press is soon to release a DevNet Associate Official Study guide that will make it a lot easier to get certified. It’ll be released on or around September 22nd, 2020, but you can pre-order it today.

My take on this Exam

I started this journey as an old-fashioned network engineer (describing myself as such with pride), I learned a lot, quite a lot of new things. I didn’t know the very basics of automation that I can apply now to my current job role. I also have the necessary skills to automate a given network or at least an extension of it.

I feel any employer will be happy to have someone making your Network smarter and more efficient. I highly recommend any Network Engineer to complement their career with this toolset. The future is here, we need to adapt and also forget about the good-old CLI (for configuration purposes) to welcome the era of programmability and automation.

As per the exam, I believe it is fair and challenging at the same time, don’t take your studies lightly for this one. I was surprised to see the new “fill the blanks” type of questions which

makes you know some things by heart, there are around 100 questions on this exam which may be a bit overwhelming, it is important to be well-rested and sharp to manage your time wisely but at the same time analyze each item thoroughly. Whether you decide to go down this road or not, I wish only the best for you on what is to come.

Ep 03 – Lame Relay and VTP Heroes

In this episode, Aaron, A.J., Andy, and Dan discuss the changes to the CCNA blueprint compared to previous versions, the perceived value of certifications and what they’ve actually done for us (also perceived), we then discuss what works in an interview and what doesn’t.

Have you recently taken and passed the Cisco CCNA 200-301? We’d love to hear from you! Head to our website https://artofnetworkengineering.com or hit us up on Twitter @artofneteng

Looking for a study group to help tackle those certifications? It’s all About the Journey! Join us in Discord – https://discord.gg/hqZ7XEG

Ep 02 – Failure Plaques and Cloud People

In this episode Aaron, A.J., and Andy discuss COVID workforce impacts – Failure Plaques – Moving people to the cloud – Certification Walk of Shame – Testing from Your Bed. How has COVID19 impacted you?

Dan couldn’t make it this week he was taking some much needed r&r.

Follow us on Twitter @artofneteng and visit our website https://artofnetworkengineering.com.

Ep 01 – Meet the Team

In this, the first episode, of The Art of Network Engineering, you’ll meet the team of co-hosts. We each take a moment to introduce ourselves, share our backgrounds, and the steps we took to get where we are today.

 

WAN for Dummies

Ok don’t be so hard on yourself you aren’t a dummy! Whew, now that we have gotten over that let’s talk about a few things.

In this article we will explain what a WAN is, why you would have one, and a few different ways to create one.

But first, let’s give a brief overview of the LAN before we dive in.

LAN: Local Area Network

Example Local Area Network

It’s important to quickly touch on this here for reference. Local area networks are typically confined to one geographical space. Let’s say, an office building or even your own home as an example. In these networks all the components are designed to talk to each other using a combination of an IP address and a MAC address. The devices that move traffic from one device to another are called switches. And those switches use the MAC address of every device on the network to figure out where traffic needs to go. If you want to leave your LAN and go to the internet, enter the router. That device looks at the IP address you are trying to talk to and quickly determines that you are trying to find something that isn’t on the LAN and then promptly sends you out to the Internet. The router is going to play a key role going forward here so just keep that in mind.

OK – Pretty straight-forward so far. Let’s move on to the opposite of a LAN.

WAN: Wide Area Network

Example of a WAN

Since a LAN is typically ‘Local’(duh) what happens if my business has more than one location? Or, what if my business utilizes a datacenter to store information? Well in that case you end up with more than one LAN.

There is a way to connect these LANs together to make them SEEM like one LAN. So if you find yourself with more than one location and have the need to share resources between them, you will need to create a WAN.

Just to clarify, we are taking two geographical disperse LANs and making it feel like one. Those LAN’s can be across the world or across the street from each other. It doesn’t make much of a difference. We certainly don’t want to limit ourselves here either. It can be WAY more than just two LANs becoming one. You could have 30 or 3,000 or 300,000… different LANs, it’s not just limited to two – you get the point.

To create this fancy new WAN, there are several different products and technologies that exist in the world to help us.

Here are just a few of the most popular ways.

VPN

Virtual Private Network. The name pretty much is the recipe here. It is a technology that is designed to connect two different LAN’s together using the regular ole public Internet. Yep that same Internet you are using right now to read this.

A VPN can be created between two or more routers that support VPN tunneling and that are connected to the Internet.

Example of a Virtual Private Network

That’s it! Pretty darn simple.

As you can probably figure out, this has the lowest barrier to entry. This obviously makes it a VERY popular choice among distributed businesses. It’s relatively easy to configure, and really doesn’t add much more in the way of cost because you are utilizing the Internet connection you already have. With that being said, of course you would need to have a device like I mentioned earlier that supports VPN functionality but most small business routers on the market do so perhaps you might incur a small cost there if you don’t already have this.

There’s more…

Head on over to Aaron Engineered’s Blog to learn more about MPLS, and Metro Ethernet!

This blog article originally appeared on AaronEngineered.com and was written by Aaron.

Welcome to the Art of Network Engineering Podcast!

We’re excited to bring you new and exciting content! We’ll talk about what’s hot in the industry, focus on technologies, train you and help prepare you for your next cert exam, job interview, or just to level up in your career as a network engineer.

Stay tuned here and make sure you follow us on our Social media channels on Twitter and Instagram for when we plan to release our first episode!