Introduction to Python Network Automation (By building an integrated virtual lab)

https://www.linkedin.com/feed/update/urn:li:activity:6544968586207862784

Hi Everyone,

To share my journey of learning Python and Network Automation, I have been working very hard for the last 12 months to complete a book on Python and Network Automation. My book is titled “Introduction to Python Network Automation (By building an integrated virtual lab)”. This book is a primer to Network Automation using Python for complete newbies (dummies). The book provides step-by-step virtualised lab building techniques, using 50% pictorials, exposing the readers to a broad range of technologies such as ‘VMware & virtualization’, ‘GNS3 & Cisco VIRL (&IOS) integrated networking lab’, ‘Linux introduction to both Red Hat-based CentOS 7.5 & Debian-based Ubuntu 18.04 LTS administration’, and finally ‘Python coding & Network Automation’. This book helps the readers to build a strong foundation and competencies for a CCNA/CCNP level person to take the first dive into Python and Network Automation. All lab tasks are done on a single laptop with pictorials, which makes the lab mobile and easy to follow!

The book will first be published in Korea and will go on sale in 2 months' time. My publisher is talking to their US publishing partners to publish this book in English. If everything goes well, my book will also be available in English before the end of this year.


Cisco CCDP 300-320 ARCH – Just passed & renewed my CCNP (02/Apr/2019)

I was planning to study 300-320 CCDP ARCH thoroughly and take the exam. When I say thoroughly, I mean document everything, but I was reminded of a very painful experience 3 years ago where I studied for 3 months for the new Cisco CIPT2 exam, left it till the last minute and almost lost all my Cisco certifications. This time I have changed my re-certification strategy and decided to renew the certification first and then study later, as I still have to study for the CCDA 200-210 exam to be fully certified as CCDP. When re-certifying your Cisco certs, you definitely need a strategy which will work for you in the long term. Now that I have passed the CCDP ARCH exam, I only need to study for and pass CCDA to be officially certified as CCDP.

 

Here are some helpful links, notes and topics in CCDP. Happy Cisco re-certification people!

 

802.1X

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html#wp386716

802.1X offers unprecedented visibility and secure, identity-based access control at the network edge. With the appropriate design and well-chosen components, you can meet the needs of your security policy while minimizing the impact to your infrastructure and end users.

The need for secure network access has never been greater. Consultants, contractors, and guests now require access to network resources over the same LAN connections as regular employees, who may themselves bring unmanaged devices into the workplace. As data networks become increasingly indispensable in day-to-day business operations, the possibility that unauthorized people or devices will gain access to controlled or confidential information also increases. The best and most secure solution to vulnerability at the access edge is to leverage the intelligence of the network.

802.1X is an IEEE standard for media-level (Layer 2) access control, offering the capability to permit or deny network connectivity based on the identity of the end user or device.

 

ACI network – Default Denial Network

By default, all traffic between servers is denied (micro-segmentation); to allow traffic between EPGs we need to configure contracts.

 

ACI Fabric policies enforcement

Leaf – Security policies are configured on the APIC and enforced on the leaves.

 

BFD

https://www.juniper.net/documentation/en_US/junos/topics/concept/ospf-bfd-overview.html

The Bidirectional Forwarding Detection (BFD) protocol is a simple hello mechanism that detects failures in a network. BFD works with a wide variety of network environments and topologies. A pair of routing devices exchange BFD packets. Hello packets are sent at a specified, regular interval. A neighbor failure is detected when the routing device stops receiving a reply after a specified interval. The BFD failure detection timers have shorter time limits than the OSPF failure detection mechanisms, so they provide faster detection.
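To make the "shorter timers mean faster detection" point concrete, here is a small simulation, added here and not taken from the Juniper page or the author's book. It models any hello-based detector as an interval plus a multiplier, feeds it the hello arrival times of a peer whose link silently dies, and reports when each detector declares the neighbour down. The OSPF values are the broadcast-network defaults (hello 10 s, dead 40 s); the 300 ms / ×3 BFD session is an assumed, typical configuration.

```python
from dataclasses import dataclass


@dataclass
class HelloDetector:
    """A neighbour is declared down when no hello has been received for
    interval_ms * multiplier milliseconds (the detection time)."""
    name: str
    interval_ms: int   # how often the peer sends hellos
    multiplier: int    # consecutive missed hellos tolerated before declaring failure

    @property
    def detection_time_ms(self) -> int:
        return self.interval_ms * self.multiplier

    def failure_detected_at(self, hello_rx_ms, now_ms):
        """Given the times (ms) at which hellos actually arrived, return the
        time at which this detector declares the neighbour down, or None if
        the neighbour is still considered up at now_ms.  The session is
        assumed to be up at t = 0."""
        last = 0
        for t in sorted(hello_rx_ms):
            if t - last > self.detection_time_ms:
                return last + self.detection_time_ms
            last = t
        if now_ms - last > self.detection_time_ms:
            return last + self.detection_time_ms
        return None


def hellos_until(link_down_ms, interval_ms):
    """Constructed hello arrival times: the peer sends on schedule until the
    link silently fails at link_down_ms, after which nothing arrives."""
    return list(range(0, link_down_ms, interval_ms))


def compare_detection(link_down_ms, detectors, now_ms):
    """Map each detector's name to the time (ms) it notices the failure."""
    return {
        d.name: d.failure_detected_at(hellos_until(link_down_ms, d.interval_ms), now_ms)
        for d in detectors
    }


# OSPF broadcast-network defaults: hello 10 s, dead 40 s (a multiplier of 4).
OSPF_DEFAULT = HelloDetector("OSPF", interval_ms=10_000, multiplier=4)
# Assumed, typical BFD session: 300 ms hellos, detect multiplier 3.
BFD_TYPICAL = HelloDetector("BFD", interval_ms=300, multiplier=3)

if __name__ == "__main__":
    # Link goes silent 2.2 s into the session; observe the state at t = 60 s.
    print(compare_detection(2_200, [BFD_TYPICAL, OSPF_DEFAULT], now_ms=60_000))
```

With the link failing at 2.2 s, BFD declares the neighbour down at 3.0 s while OSPF alone would wait until its dead timer expires at 40 s; during that window the routing table still points at a dead next hop and traffic is black-holed, which is why BFD is paired with OSPF rather than relying on OSPF's own timers.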

 

ECMP – Equal Cost MultiPath

https://learningnetwork.cisco.com/thread/121775

 

EIGRP

Auto-summarization is enabled by default when you turn EIGRP on.

 

eoMPLS – ethernet over MPLS

 

FlexLink design

https://community.cisco.com/t5/networking-blogs/flexlink-in-cisco-layer-2-network/ba-p/3106779

 

  1. What is flexlink

Flexlink is a loop-free Layer 2 redundancy protocol. It's an enhancement over PVST/RSTP/MST which allows users to turn off STP and provides benefits over STP in terms of faster convergence and high redundancy.

Flex Links are a pair of Layer 2 interfaces, either switchports or port channels, configured to act as a backup of each other; when one fails, the other link immediately comes up.

 

GETVPN vs DMVPN

https://orhanergun.net/2016/03/dmvpn-vs-getvpn/

https://www.cisco.com/c/dam/en_us/solutions/industries/docs/gov/IntegNet_Feb17_915_Lynn.pdf

GETVPN = Group Encrypted VPN

DMVPN = Dynamic Multipoint VPN

 

GLBP & HSRP

GLBP is a first-hop redundancy protocol designed by Cisco that allows packet load sharing among groups of redundant routers.

When HSRP or VRRP is used to provide default-gateway redundancy, the backup members of the peer relationship are idle, waiting for a failure event to occur before they take over and actively forward traffic. Methods to use backup uplinks with HSRP or VRRP are difficult to implement and manage. In one technique, the HSRP and STP or RSTP roots alternate between distribution node peers, with the even VLANs homed on one peer and the odd VLANs homed on the alternate. Another technique uses multiple HSRP groups on a single interface and uses DHCP to alternate between the multiple default gateways. These techniques work but are not optimal from a configuration, maintenance, or management perspective.

 

GLBP provides all the benefits of HSRP and includes load balancing, too. For HSRP, a single virtual MAC address is given to the endpoints when the endpoints use Address Resolution Protocol (ARP) to learn the physical MAC address of their default gateways. GLBP allows a group of routers to function as one virtual router by sharing one virtual IP address while using multiple virtual MAC addresses for traffic forwarding.
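The difference described above (one virtual MAC for HSRP versus one virtual MAC per forwarder for GLBP) is easy to see in a small model of how the gateway answers ARP. This is an added example written for this page, not Cisco code or anything from the author's book; the router names, hosts and group details are constructed, and the MAC formats are the standard HSRP (0000.0c07.acXX) and GLBP (0007.b400.XXYY) virtual MAC layouts.

```python
import itertools


class HsrpGroup:
    """HSRP: one virtual IP and one virtual MAC.  Every host's ARP reply points
    at the same MAC, so only the active router forwards; the standby idles."""

    def __init__(self, vip, vmac, active, standby):
        self.vip, self.vmac = vip, vmac
        self.active, self.standby = active, standby

    def arp_reply(self, host):
        return self.vmac

    def forwarder_for(self, vmac):
        return self.active

    def fail(self, router):
        if router == self.active:            # standby takes over the single vMAC
            self.active, self.standby = self.standby, None


class GlbpGroup:
    """GLBP: one virtual IP shared by the group, but one virtual MAC per
    active virtual forwarder (AVF).  The active virtual gateway (AVG) answers
    each host's ARP request with the next AVF MAC in round-robin order, so
    hosts are spread across all routers and none sits idle."""

    def __init__(self, vip, avfs):
        # avfs: {router: virtual MAC}; dict order is the round-robin order.
        self.vip = vip
        self.routers = list(avfs)
        self.owner = {mac: router for router, mac in avfs.items()}  # vMAC -> AVF forwarding for it
        self._round_robin = itertools.cycle(list(avfs.values()))
        self.arp_cache = {}                  # what each host learned for the vIP

    def arp_reply(self, host):
        mac = next(self._round_robin)
        self.arp_cache[host] = mac
        return mac

    def forwarder_for(self, vmac):
        return self.owner[vmac]

    def fail(self, router):
        # A surviving AVF takes over the failed router's vMAC, so hosts that
        # cached that MAC keep working without re-ARPing.
        survivors = [r for r in self.routers if r != router]
        for mac, r in self.owner.items():
            if r == router:
                self.owner[mac] = survivors[0]


def hosts_per_router(group, hosts):
    """Let each host ARP for the gateway and count how many hosts each router forwards for."""
    counts = {}
    for host in hosts:
        router = group.forwarder_for(group.arp_reply(host))
        counts[router] = counts.get(router, 0) + 1
    return counts


if __name__ == "__main__":
    hsrp = HsrpGroup("10.0.0.1", "0000.0c07.ac01", "R1", "R2")
    glbp = GlbpGroup("10.0.0.1", {"R1": "0007.b400.0101", "R2": "0007.b400.0102"})
    hosts = ["h1", "h2", "h3", "h4"]
    print("HSRP:", hosts_per_router(hsrp, hosts))   # all four hosts on R1
    print("GLBP:", hosts_per_router(glbp, hosts))   # two on R1, two on R2
```

The last part of the model is the operational point worth remembering: when a GLBP forwarder fails, its virtual MAC is taken over by another router, so the hosts' ARP caches stay valid; if the per-forwarder MACs were simply withdrawn, half the hosts would lose their gateway until their ARP entries aged out.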

 

IRDP

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-15-mt-book/fhp-irdp.html

The ICMP Router Discovery Protocol (IRDP) allows IPv4 hosts to locate routers that provide IPv4 connectivity to other (nonlocal) IP networks.

 

Key Server in GETVPN deployment

https://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transportvpn/deployment_guide_c07_554713.html

The key server (KS) is responsible for maintaining security policies, authenticating the group members (GMs) and providing the session key for encrypting traffic. The KS authenticates the individual GMs at the time of registration. Only after successful registration can the GMs participate in the group SA.

 

MED & AS-PATH

Multi-exit discriminator (MED)

BGP AS Path and AS Path Prepend

https://www.noction.com/blog/as-path-and-as-path-prepending

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13768-hsrp-bgp.html

This document describes how to provide redundancy in a multihomed Border Gateway Protocol (BGP) network where you have connections to two separate Internet service providers (ISPs). In the event of a failure of connectivity toward one ISP, the traffic is rerouted dynamically through the other ISP with the BGP set AS path {tag | prepend as-path-string} command and Hot Standby Router Protocol (HSRP).
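The AS-path prepending and MED notes above come together in the BGP decision process, so here is a simplified model of it as an added example (written for this page, not taken from the Cisco or Noction documents). It implements only the steps the notes mention, highest LOCAL_PREF, shortest AS_PATH, lowest MED (compared only among paths from the same neighbouring AS) and lowest neighbour address as the final tie-breaker, and then shows how prepending on the announcement to one ISP makes that ISP the backup path for inbound traffic. The ASNs, prefix and peer addresses are constructed documentation values.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class BgpPath:
    prefix: str
    neighbor: str        # peer address the path was learned from
    as_path: tuple       # ASNs, leftmost = the AS that advertised it to us
    local_pref: int = 100
    med: int = 0


def prepend(path, asn, count):
    """What `set as-path prepend` does on the advertising router: lengthen the
    AS_PATH with extra copies of asn so remote ASes find the path less attractive."""
    return replace(path, as_path=(asn,) * count + path.as_path)


def received_via(isp_asn, isp_neighbor, sent):
    """The path as a remote AS sees it after the ISP adds its own ASN on re-advertisement."""
    return replace(sent, neighbor=isp_neighbor, as_path=(isp_asn,) + sent.as_path)


def best_path(paths):
    """Simplified BGP decision process: highest LOCAL_PREF, shortest AS_PATH,
    lowest MED (only when all remaining candidates come from the same
    neighbouring AS), then lowest neighbour address as the tie-breaker."""
    cands = list(paths)
    if not cands:
        return None
    top = max(p.local_pref for p in cands)
    cands = [p for p in cands if p.local_pref == top]
    shortest = min(len(p.as_path) for p in cands)
    cands = [p for p in cands if len(p.as_path) == shortest]
    if len({p.as_path[:1] for p in cands}) == 1:
        lowest_med = min(p.med for p in cands)
        cands = [p for p in cands if p.med == lowest_med]
    return min(cands, key=lambda p: ipaddress.ip_address(p.neighbor))


# Constructed scenario: our AS 64500 announces 203.0.113.0/24 to ISP A (AS 64496)
# and ISP B (AS 64497).  The announcement to ISP B carries our ASN prepended twice.
OUR_AS = 64500
ANNOUNCED = BgpPath("203.0.113.0/24", neighbor="", as_path=(OUR_AS,))
TO_ISP_A = ANNOUNCED
TO_ISP_B = prepend(ANNOUNCED, OUR_AS, 2)

# What a remote AS peering with both ISPs receives.
VIA_ISP_A = received_via(64496, "192.0.2.1", TO_ISP_A)      # AS_PATH (64496, 64500)
VIA_ISP_B = received_via(64497, "198.51.100.1", TO_ISP_B)   # AS_PATH (64497, 64500, 64500, 64500)


def chosen_exit(isp_a_up):
    """Neighbour the remote AS sends our traffic to while ISP A is up / after it fails."""
    paths = [VIA_ISP_B] + ([VIA_ISP_A] if isp_a_up else [])
    return best_path(paths).neighbor


if __name__ == "__main__":
    print("ISP A up:  ", chosen_exit(True))    # 192.0.2.1   (via ISP A)
    print("ISP A down:", chosen_exit(False))   # 198.51.100.1 (via ISP B)
```

Note that prepending only influences what other ASes prefer; it is a hint, not a guarantee, because any remote AS can override AS_PATH length with its own LOCAL_PREF policy, which is why the Cisco document combines it with HSRP for the outbound side.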

 

MD5 and plaintext authentication support in routing protocols (RP):

Simple password authentication (also called plain text authentication) – supported by Intermediate System to Intermediate System (IS-IS), Open Shortest Path First (OSPF) and Routing Information Protocol version 2 (RIPv2)

MD5 authentication – supported by OSPF, RIPv2, BGP, and EIGRP

 

MST – Multiple Spanning Tree Protocol (802.1s)

https://networklessons.com/spanning-tree/multiple-spanning-tree-mst

 

NHRP

https://en.wikipedia.org/wiki/Next_Hop_Resolution_Protocol

The Next Hop Resolution Protocol (NHRP) is an extension of the ATM ARP routing mechanism that is sometimes used to improve the efficiency of routing computer network traffic over Non-Broadcast, Multiple Access (NBMA) networks.

https://www.cisco.com/c/en/us/products/security/dynamic-multipoint-vpn-dmvpn/index.html

A dynamic multipoint virtual private network (DMVPN) is a secure network that exchanges data between sites without needing to pass traffic through an organization’s headquarter virtual private network (VPN) server or router.

Lowers capital and operational expenses — Reduces costs in integrating voice, video with VPN security

Simplifies branch communications — Enables direct branch-to-branch connectivity for business applications like voice

Reduces deployment complexity — Offers a zero-touch configuration, dramatically reducing the deployment complexity in VPNs

Improves business resiliency — Prevents disruption of business-critical applications and services by incorporating routing with standards-based IPsec technology

 

OTV

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/DCI/whitepaper/DCI3_OTV_Intro/DCI_1.html

In the current NX-OS software release, when a multicast-enabled transport infrastructure is available, broadcast frames are sent to all remote OTV edge devices by leveraging the same ASM multicast group in the transport that is already used for the OTV control protocol.

 

PfR

https://www.cisco.com/c/en/us/products/ios-nx-os-software/performance-routing-pfr/index.html

Performance Routing (PfR) delivers intelligent path control for application-aware routing across the WAN. PfR provides:

Dynamic selection of the best path for application-based business policies

Application-based load balancing across paths for full utilization of bandwidth with improved network availability

 

RPF

Routers perform a reverse path forwarding (RPF) check to ensure that arriving multicast packets were received through the interface that is on the most direct path to the source that sent the packets. An RPF check is always performed regarding the incoming interface, which is considered to be the RPF interface. The RPF check will succeed if the incoming interface is the shortest path to the source. The router determines the RPF interface by the underlying unicast routing protocol or the dedicated multicast routing protocol in cases where one exists. An example of a dedicated multicast routing protocol is MP-BGP. It is important to note that the multicast routing protocol relies on the underlying unicast routing table. Any change in the unicast routing table immediately triggers an RPF recheck on most modern routers.

 

Route Reflector

https://en.wikipedia.org/wiki/Route_reflector

A route reflector (RR) is a network routing component for BGP (RFC 4456). It offers an alternative to the logical full-mesh requirement of internal border gateway protocol (IBGP). An RR acts as a focal point for IBGP sessions. The purpose of the RR is concentration.

 

STP

STP (L2 loop prevention mechanism) should be implemented in topologies where possible loops may occur and redundant L2 links between distribution switches is a very good example as long as the links are not channelled (PC, vPC, MEC). If the redundant L2 links between distribution switches are channelled, the topology is loop free so no STP is required but the doesn’t say anything about that. With regards to answer “A”, VLAN can be stretched between multiple access switches via distribution layer and still be loop free so (know from experience).

 

ToR vs EoR

Data Center Technology

ToR – Top of Rack

EoR – End of Row

 

https://www.excitingip.com/2802/data-center-network-top-of-rack-tor-vs-end-of-row-eor-design/

In a Data Center, there are several racks of servers/ storage equipment. Each rack contains multiple computing devices. The TOR – Top of Rack approach recommends Network Switches to be placed on every rack and all the computing devices present in the rack to be connected to them. In turn, these Network Switches can be connected to Aggregation Switches using one/few cables.

 

Advantages/ Limitations of TOR – Top of Rack approach:

Cabling complexity is minimized as all the servers are connected to the switch in the same rack and only a few cables go outside the rack.

The amount of cabling required (and the cable lengths) is less, as each server does not need to connect to the aggregation switch by itself using a long cable (as in EOR configurations).

Generally, copper cables are used to connect within the rack and fiber cables are used to connect each TOR switch to the aggregation switch. This design enables expansion, because the network might run at 1GE/ 10GE today and can be upgraded to run on 10GE/ 40GE in future with minimum costs and changes to cabling.

If the racks are small, there could be one network switch for 2-3 racks.

TOR architecture supports modular deployment of data-center racks as each rack can come in-built with all the necessary cabling/ switches and can be deployed quickly on-site.

Since 1U/2U Switches are used in each rack, achieving scalability beyond a certain number of ports would become difficult. Even if more switches are stacked together, they might not have a non-blocking architecture due to their limited backplane connectivity.

More switches are required in such installations and each switch needs to be managed independently. So, capital and maintenance costs might be higher in TOR deployments.

There may be more unused ports in each rack (as the switches have fixed configurations and the number of servers varies) and it is very difficult to accurately provide the required number of ports. This results in more un-utilized ports and higher power/cooling costs.

Unplanned Expansions (within a rack) might be difficult to achieve using the TOR approach.

 

Totally stub area

It is stated that just a default route has to be injected to branch routers; that's Totally Stub Area (LSA 1,2 + default route). NSSA would be the correct answer if it contains an ASBR. It should be answer C (Totally Stub area), as a branch office is not supposed to import external routes and redistribute them (Type 7 LSAs), and also it specifies it should receive only one default route and not inter-area routes (not receive Type 3 LSAs).

 

Here are some details:

Stub area: LSA 5 no, LSA 3 yes (no external LSA 5 flooding into this area)

Totally stubby area: LSA 5 no, LSA 4 no, LSA 3 no; the ABR sends just a single LSA for the default route

Not-so-stubby area (NSSA): LSA 7 yes

 

LSA types:

LSA 1 – originated by every router in the single area

LSA 2 – originated by the DR within an area

LSA 3 – produced by the ABR and sent into an area to advertise destinations outside the area

LSA 4 – originated by ABRs and sent into an area to advertise the IP address of the ASBR

LSA 5 – originated by the ASBR, advertises destinations external to the OSPF AS, flooded through the whole OSPF domain

LSA 7 – NSSA external, originated by ASBRs in an NSSA, flooded only within the NSSA, not through the whole OSPF AS

 

URPF

https://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html

Use Unicast Reverse Path Forwarding (Unicast RPF) to help limit the malicious traffic on an enterprise network. This security feature works by enabling a router to verify the reachability of the source address in packets being forwarded. This capability can limit the appearance of spoofed addresses on a network. If the source IP address is not valid, the packet is discarded. Unicast RPF works in one of three different modes: strict mode, loose mode, or VRF mode.
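The uRPF text above and the multicast RPF note under "RPF" describe the same lookup applied to different questions: multicast RPF asks whether a packet arrived on the interface the unicast table would use to reach its source, and uRPF asks the same of any packet's source address to catch spoofing. The following is an added example for this page (not Cisco code), implementing strict and loose mode uRPF and the multicast RPF check on top of one longest-prefix-match routing table. VRF mode is not modelled. The routes, interfaces and packets are constructed; the `allow_default` switch mirrors the behaviour of the IOS `allow-default` keyword, where a bare default route does not count as proof that a source is reachable.

```python
import ipaddress


class RoutingTable:
    """Minimal unicast RIB: longest-prefix match of an address to an egress
    interface.  Routes are (prefix, interface) pairs; "Null0" is a discard route."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]

    def lookup(self, addr):
        addr = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best          # (network, interface) or None


def urpf_check(rib, src, in_iface, mode="strict", allow_default=False):
    """Unicast RPF on the *source* address of an arriving packet.
    strict: the best route back to src must point out the interface the packet
            arrived on; loose: any non-discard route to src is enough.
    A default route only counts when allow_default is set."""
    match = rib.lookup(src)
    if match is None:
        return False
    net, iface = match
    if iface == "Null0":                       # black-holed ranges fail both modes
        return False
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return iface == in_iface
    raise ValueError(f"unknown uRPF mode: {mode}")


def multicast_rpf_check(rib, src, in_iface):
    """Multicast RPF: the packet must arrive on the interface the unicast
    table would use to reach the source (the RPF interface)."""
    match = rib.lookup(src)
    return match is not None and match[1] == in_iface


def filter_packets(rib, packets, mode, allow_default=False):
    """Split constructed (src, in_iface) packets into (forwarded, dropped) source lists."""
    forwarded, dropped = [], []
    for src, in_iface in packets:
        (forwarded if urpf_check(rib, src, in_iface, mode, allow_default) else dropped).append(src)
    return forwarded, dropped


# Constructed edge router: Gi0/0 faces the upstream, Gi0/1 the campus,
# Gi0/2 a customer; 100.64.0.0/10 is black-holed to Null0.
RIB = RoutingTable([
    ("10.0.0.0/8", "Gi0/1"),
    ("192.0.2.0/24", "Gi0/2"),
    ("100.64.0.0/10", "Null0"),
    ("0.0.0.0/0", "Gi0/0"),
])

PACKETS = [
    ("10.1.2.3", "Gi0/1"),        # campus host arriving where expected
    ("10.1.2.3", "Gi0/0"),        # campus address arriving from upstream: spoofed
    ("100.64.1.1", "Gi0/0"),      # source in a black-holed range
    ("198.51.100.7", "Gi0/0"),    # internet source known only via the default route
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, filter_packets(RIB, PACKETS, mode))
    print("strict + allow-default", filter_packets(RIB, PACKETS, "strict", allow_default=True))
```

Strict mode catches the spoofed campus source coming in from the upstream, which loose mode lets through; loose mode is still useful on asymmetrically routed edges because it drops sources with no route at all or a Null0 route. Running the packets through both modes before enabling the feature is a cheap way to predict what legitimate traffic a strict-mode deployment would break.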

 

VDC – Virtual Device Context

https://docops.ca.com/ca-spectrum/10-2-3/en/managing-network/cisco-device-management/cisco-technology-support/cisco-nexus-devices-that-support-virtual-device-context-vdc

Virtual device context allows for the partitioning of a single physical device into more than one logical device. A Cisco Nexus device can support one Admin VDC and multiple non-default VDCs. Each VDC is a virtual entity that can be provisioned, configured and managed like a single physical chassis device.

 

VRF, VDC

Virtual device context (VDC)

Cisco Nexus switches introduce support for virtual device contexts (VDCs). A VDC enables the switches to be virtualized at the device level. Each configured VDC presents itself as a unique device, further expanding tenant separation not only on data and control planes, but also on the management plane. A VDC runs as a separate logical entity within the switch, maintaining its own unique set of running software processes, having its own configuration, and being managed by a separate administrator.

Virtual Routing and Forwarding (VRF)

Because the goal of every solid network design is to minimize the extent of the broadcast domain and exposure to spanning-tree loops, a method to translate the Layer 2 VLAN to a Layer 3 virtual network or virtual private network (VPN) is required. This Layer 3 VPN must be capable of supporting its own unique control plane, complete with its own addressing structure and routing tables for data forwarding, completely isolated from any other Layer 3 VPN on that device and in the network. The technology enabling this type of functionality is known as the virtual routing and forwarding (VRF) instance.

Virtualized Firewalls

Multicontext mode: virtualized firewalls run on a single physical ASA appliance.

Virtual firewalls: software-only firewalls running in a hypervisor (virtual machine manager).

The multicontext mode was originally designed for multitenant deployments. It is also commonly deployed in virtual routing and forwarding (VRF) environments, where VLANs map to VRFs, and each VRF has its own virtual firewall.

 

Technology Description

VRF-Lite : Provides Layer 3 separation without the need for MPLS.

VDC : Provides data, control, and management plane separation.

VLAN : Provides Layer 2 separation.

VRF : Provides Layer 3 separation in conjunction with MPLS.

 

vPC – Virtual Port Channel as used in Cisco Nexus 7Ks

https://www.netcraftsmen.com/how-vpc-works/

 

VSL

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/VSS30dg/campusVSS_DG/VSS-dg_ch2.html

Virtual Switching System (VSS)

Virtual Switch Link (VSL)

 

VTEP

Virtual Extensible LAN protocol (VXLAN)

VXLAN Tunnel End Point (VTEP)

 

https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/metafabric-2.0-vmware-nsx.html

Each hypervisor has a virtual tunnel end-point (VTEP) that is responsible for encapsulating VM traffic inside of a VXLAN header and routing the packet to a destination VTEP for further processing. Traffic can be routed to another VTEP on a different host or the VMware NSX Edge Gateway to access the physical network.

 

WAE

The WAN Automation Engine (WAE) is a powerful, flexible software-defined networking (SDN) platform. It abstracts and simplifies your WAN environment while making it fully open and programmable. The WAN Automation Engine helps ensure that the most expensive network resources are fully optimized, assigning best load-share metrics using the Path Computation Element Communication Protocol (PCEP). You can optimize and automate your network with the WAN Automation Engine.

 

WCCP

https://en.wikipedia.org/wiki/Web_Cache_Communication_Protocol

Web Cache Coordination Protocol (WCCP) on a Cisco Adaptive Security Appliance (ASA).

 

Chasing Packets in GNS3 & Production Environment, Part 1: Capturing packets using built-in Live Wireshark Capture in GNS3 1.4.4

Why do you want to do this lab?

You can capture any interesting packets and analyse them for your learning purposes; analysing packet captures gives you real insight into how packets behave on the devices and on different segments of the network. Simply reading books and learning about how packets work behind the scenes is a little like trying to learn something as one of the three wise monkeys (see no evil, hear no evil, speak no evil).

In a real production environment you can use other methods to capture interesting packets. Some examples are IOS Embedded Packet Capture with the capture exported to a TFTP server, a sniffer on a SPAN port or remote SPAN (RSPAN) port, and the more advanced method of Cisco NAM (Network Analyzer).

In this part, I will quickly show you how to whip up a simple lab and capture some packets using the live Wireshark capture built into GNS3. In the next section, I will demonstrate IOS Embedded Packet Capture with export to a TFTP server. Lastly, I will demonstrate packet capture using a SPAN port and remote SPAN.

Prerequisite 1: GNS3 1.4.4 pre-installed on Windows PC/laptop

Prerequisite 2: IOU VM ova deployed and integrated with GNS3

Prerequisite 3: Familiar with VMware workstation and Windows loopback configuration

 

Topology:

aaa1

Step 1: Add devices as below and make all connections. When you add the devices, your GNS3 topology will look like this. Remember to use dummy switches to make the connections between your virtual machines, your host PC loopback and your IOU switches.

aaa2.png

Step 2: Configure your routers and switches similar to the configuration found in  the attached zip file.

r1

r2

sw1

sw2

 

Step 3: Capture packets using various link positions

aaa3

aaa4

If you run into the following error, you will have to go to GNS3 setting and update the path of Wireshark.

aaa5

=> Error: SW3: Could not start the packet capture reader: [WinError 2] The system cannot find the file specified: None

Changing the path in GNS3 preferences:

C:\Program Files\Wireshark\wireshark.exe ==> C:\Program Files (x86)\Wireshark\wireshark.exe

 

Step 4: Wireshark will open automatically and start capturing all the traffic on the link you have selected.

e.g.) TCP/IP packet capture example

aaa6.png

e.g.) Voice packet capture using soft phones (On virtual machines) between two work stations and CUCM.

aaa7

Now you can set up any server and clients and study how TCP/IP, UDP work behind the scenes. Jump straight in and try to enjoy your study!

 

Note: This lab can be completed on a single PC, Save Electricity, save Money, save Time, SAVE THE PLANET.

 

 

 

Notes on Cisco QoS: Clearing the fog – Part 2. Quality issues

Quality of Service

QoS = Method of giving priority to some specific traffic as it moves over the network.

The basic aim of QoS is to have a consistent and predictable performance on your network.

 

1 qos intro

General characteristics of today’s Converged Network:

  • Small voice packets compete with bursty data packets; many different applications are using the network as a service
  • Critical traffic must get priority over less critical traffic; without QoS, the default behavior is First In First Out (FIFO)
  • Voice and video traffic is time-sensitive
  • Outages are not acceptable

 

Converged Network Quality issues:

  • Lack of Bandwidth
  • Packet Loss
  • Delay
  • Jitter

 

Bandwidth

2 Bandwidth Measure.png

  • Maximum available bandwidth is that of the slowest link on the traffic path
  • On the same physical link (traffic path), multiple flows compete for the same bandwidth; multiple applications share the same bandwidth
  • Lack of bandwidth causes performance degradation of network applications

 

 

Packet Loss

3 Tail Drop due to Queue Congestion

Packet loss due to Tail Drop: a queue can only hold so many packets, and once it is full and more packets arrive at the tail end of the queue before the queue is emptied (due to link congestion etc.), the new packets are dropped; this behavior is called ‘Tail Drop’. If tail drop hits time-sensitive traffic such as voice and video, the effects are immediately felt by the users of the flow. If it hits data traffic, it may interrupt a file transfer and corrupt the file.
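A tiny FIFO queue simulation makes the tail-drop behaviour, and why it hurts voice, visible. This is an added example for this page, not code from the original notes; the queue depth, link rate and packet arrival pattern are constructed. Packets are processed in time slots: everything arriving in a slot is queued (or tail-dropped if the queue is already full), then the link serialises a fixed number of packets from the head of the queue.

```python
from collections import deque


def simulate_fifo(arrivals, capacity, per_slot):
    """Run a single FIFO output queue.

    arrivals: {slot: [packet ids in arrival order]}
    capacity: maximum number of packets the queue can hold
    per_slot: packets the link can serialise per slot

    Returns (departures, dropped): the slot in which each packet left the
    queue, and the packets that were tail-dropped, in order."""
    queue = deque()
    departures, dropped = {}, []
    last_slot = max(arrivals) if arrivals else -1
    slot = 0
    while slot <= last_slot or queue:
        for pkt in arrivals.get(slot, []):
            if len(queue) >= capacity:
                dropped.append(pkt)          # queue full: tail drop, whatever the packet is
            else:
                queue.append(pkt)
        for _ in range(per_slot):            # link drains the head of the queue
            if not queue:
                break
            departures[queue.popleft()] = slot
        slot += 1
    return departures, dropped


# Constructed traffic: a burst of data packets (d*) coinciding with a 20 ms voice stream (v*).
VOICE_FIRST = {0: ["v1", "d1", "d2", "d3", "d4", "d5"], 1: ["v2"], 2: ["v3"]}
VOICE_LAST = {0: ["d1", "d2", "d3", "d4", "d5", "v1"], 1: ["v2"], 2: ["v3"]}


def voice_lost(arrivals, capacity=4, per_slot=2):
    """Voice packets that never made it out of the queue."""
    _, dropped = simulate_fifo(arrivals, capacity, per_slot)
    return [p for p in dropped if p.startswith("v")]


if __name__ == "__main__":
    for name, pattern in (("voice first", VOICE_FIRST), ("voice last", VOICE_LAST)):
        departures, dropped = simulate_fifo(pattern, capacity=4, per_slot=2)
        print(f"{name}: dropped={dropped}, departures={departures}")
```

With the same burst, whether the voice packet survives depends purely on where in the burst it happened to arrive: the queue has no idea that `v1` is more important than `d5`. That is the FIFO default behaviour the earlier bullet refers to, and the reason queuing tools such as a priority queue or weighted random early detection are applied before a link congests.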

 

 

Delay

4 Types of Delay

  • Processing Delay – time taken by router to process packets from an input interface and put them into the output queue of output interface
  • Queuing Delay – time a packet resides in the output queue of a router
  • Serialization Delay – time taken to place bits on the wire
  • Propagation Delay – time taken for packets to cross links from one end to the other end

 

 

Jitter

5 Jitter

  • Packets from a source will reach a destination with different delay times
  • Congestion on the network will cause jitter
  • Congestion can occur at a router interface/Service Provider network if the circuits are not properly provisioned
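The four delay components listed above and the jitter that results from their variation can be put into numbers. The following is an added example for this page (not the author's code): it computes serialization and propagation delay from packet size, link rate and distance, adds up a per-hop delay budget, and estimates jitter from a sequence of send/receive timestamps using the RFC 3550 interarrival jitter estimator. The packet sizes, link speeds, distances and timestamps are constructed; the 200,000 km/s propagation speed (roughly two thirds of the speed of light) is an assumed rule-of-thumb value.

```python
SPEED_KM_PER_S = 200_000   # assumed propagation speed in fibre/copper (~2/3 c)


def serialization_delay_ms(packet_bytes, link_bps):
    """Time to clock all the packet's bits onto the wire."""
    return packet_bytes * 8 * 1000 / link_bps


def propagation_delay_ms(distance_km, speed_km_per_s=SPEED_KM_PER_S):
    """Time for a bit to travel the physical length of the link."""
    return distance_km * 1000 / speed_km_per_s


def end_to_end_delay_ms(packet_bytes, hops):
    """Sum the four delay components over every hop.

    hops: list of (link_bps, distance_km, bytes_queued_ahead, processing_ms).
    Queuing delay is modelled as the time needed to serialise the bytes that
    are already sitting in the output queue ahead of our packet."""
    total = 0.0
    for link_bps, distance_km, queued_bytes, processing_ms in hops:
        total += processing_ms                                 # processing delay
        total += serialization_delay_ms(queued_bytes, link_bps)  # queuing delay
        total += serialization_delay_ms(packet_bytes, link_bps)  # serialization delay
        total += propagation_delay_ms(distance_km)               # propagation delay
    return total


def interarrival_jitter_ms(send_ms, recv_ms):
    """Jitter of a packet stream from matching send/receive timestamps.

    Returns (transit-time variations between consecutive packets, smoothed
    jitter estimate J as defined in RFC 3550: J += (|D| - J) / 16)."""
    transit = [r - s for s, r in zip(send_ms, recv_ms)]
    variations = [later - earlier for earlier, later in zip(transit, transit[1:])]
    jitter = 0.0
    for d in variations:
        jitter += (abs(d) - jitter) / 16
    return variations, jitter


# Constructed example: a 200-byte G.711 voice packet (160 B payload + 40 B headers)
# crossing one 64 kbit/s serial link of 1000 km with a 1500-byte data packet
# already queued ahead of it and 1 ms of processing delay.
VOICE_PACKET_BYTES = 200
SLOW_WAN_HOP = [(64_000, 1000, 1500, 1.0)]
IDLE_WAN_HOP = [(64_000, 1000, 0, 1.0)]

# Constructed RTP timestamps (ms): sent every 20 ms, received with varying delay.
SEND_TIMES = [0, 20, 40, 60]
RECV_TIMES = [50, 72, 88, 115]

if __name__ == "__main__":
    print("voice behind a 1500 B packet:", end_to_end_delay_ms(VOICE_PACKET_BYTES, SLOW_WAN_HOP), "ms")
    print("voice on an idle link:       ", end_to_end_delay_ms(VOICE_PACKET_BYTES, IDLE_WAN_HOP), "ms")
    print("jitter:", interarrival_jitter_ms(SEND_TIMES, RECV_TIMES))
```

On the constructed 64 kbit/s link the voice packet itself takes 25 ms to serialise, but waiting behind a single 1500-byte data packet adds 187.5 ms of queuing delay, which alone blows the commonly used 150 ms one-way budget for voice (ITU-T G.114). Because that queuing delay appears only when a large packet happens to be ahead, it is also the main source of the jitter measured by the second function, which is why low-latency queuing and link fragmentation are applied on slow links.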

 

CCNA Routing Lab 1-0: The set up

We will try to prepare a lab where we can configure and test different features of Cisco routers and switches. To save time and minimize our on-going effort to set up each lab, two multi-purpose lab topologies will be configured, namely one for routing and another for switching. Once the lab is set up, it can be used in multiple scenarios, and a lab can be configured on the fly to teach us the required technologies. This section is the routing part and will be titled ‘Routing Lab 1-x’, where x represents the lab number. In the same manner, the switching labs will be titled ‘CCNA Switching Lab 1-x’.

Lab prerequisite: You have followed my blog or other people’s blog, or watched YouTube and set up your GNS3 with IOU at some stage.

I have drawn the lab topology we are trying to configure and mimic:

Custom 8

Step 1: As shown below, drop four IOU routers, two IOU L2 switches and one native GNS3 Frame Relay switch.

Activate Windows 4

Step 2: Add DLCIs on FR1 so that the Frame Relay switch is ready for connections.

Custom 3

Step 3: Connect all devices as shown below, and now you are ready to start your first routing lab.

Activate Windows 1