Author: Louis Lau

Additional Note 2


Cisco Network Product Overview


I want to briefly summarize the Cisco product portfolio in this note.


The Catalyst 9XXX series runs the IOS XE OS.


Catalyst 9100 is the Cisco wireless AP product range. The 9105w and 9105i are dual-band, 2x2, and support Wi-Fi 6. The 9105w is for hotels and cannot be configured as a controller, but it has multiple ports for sharing the connection with other devices in the hotel room. The 9105i, 9110, 9115, 9120, 9125 and 9130 support an embedded WLC. Starting from the 9135, 9136 and 916x, the AP must work with a WLC such as the Catalyst 9800 and is targeted at enterprise use.


Catalyst 9200, 9300, 9400 and 9600 are Layer 2/Layer 3 switches/routers. The 9200 and 9300 are 1U rack-based stackable switches suitable for distributed Layer 2 or Layer 3 use. The 9400, 9500 and 9600 are chassis-based core router models, or fabric core routers/switches, that support core Layer 2/Layer 3 switching or routing. All C9XXX series can integrate with Cisco DNA for the SD-Access solution (or fabric switch).


Catalyst 9800 series are the embedded WLC models. Other Catalyst series can also be configured as a WLC if they download the 9800 firmware. The 9800 series is specifically designed for wireless use and has native integration with DNA for SD-Access Wireless.


Catalyst 29XX is a Layer 2/Layer 3 model, mainly used at Layer 2, but it is no longer available. It is replaced by the Catalyst 1000 series.


Catalyst 37XX is a Layer 2/Layer 3 model and is also no longer supported by Cisco.


Catalyst 8000 are integrated edge routers that support integration with SD-WAN. The 8200 is a uCPE version. vCPE means it is used as a "white-box" to load a virtual instance of the software on the box; it should load the Catalyst 8000V virtual version of the edge router to be configured as a vEdge router in SD-WAN. The 8100, 8300, 8400 and 8500 are hardware appliances running the IOS XR OS; they are used as service edge routers and can work with Cisco DNA as SD-WAN edge routers.


Catalyst 5000 series are the uCPE or white-box models that can host Cisco IOS and other vendors' virtualised instances in the "white-box". The 8200 is one of the 5000 series that can specifically run SD-WAN, but the 5000 series can also run other virtual instances for other applications.


Catalyst 4000 series are Integrated Service Routers, the ISR series, sometimes called ISR4000 instead of Catalyst 4000. (It is different from the edge router or the Aggregated Service Router, ASR.) An Integrated Service Router is usually referred to as a security device; it runs the ISR-4000 series OS, supports SD-WAN if integrated with Cisco DNA, and can be used by an operator to configure MPLS as a CE router. The ISR is considered a branch-in-a-box product and is deployed at the remote office. ASR stands for Aggregated Service Router; it is designed to aggregate traffic from multiple branch offices and hence has higher throughput. But the functionality supported in the ISR4000 and ASR4000 should be similar.


Then there is the Cisco 1000 series, i.e. the ASR 1000 series, which is also a service router to be deployed in a branch office.


The key differentiation between Catalyst, ASR and Nexus is that Catalyst is more for enterprise-grade use in the branch or core, ASR is more on the core side with aggregated capacity, and Nexus is for data-center fabric-grade deployment.


Then Cisco has another brand called Meraki. It was acquired by Cisco and has its own product line for wireless and switches/routers. The Meraki series routers and switches are targeted at the small business sector with self-management functions (like the MX6x, MX7x and MX100 series switches and service routers).


Then there is the Cisco Silicon One G series ROADM and/or WDM solution for large-capacity Layer 2 switching or Layer 3 routing in top-of-rack data-center deployments, for connections between racks or between data centers over long-range optical links.


Cisco Network Software Overview


Cisco has a lot of Network Software.


https://www.cisco.com/c/en/us/products/software/index.html


https://www.cisco.com/c/en/us/products/software/a-to-z-saas-software-index.html


Above are lists of software. I think we need to know what some of them do, but not in deep detail.


Cisco ACI Data Center - ACI stands for Application Centric Infrastructure. It is actually Cisco's term for Software Defined Networking (SDN). ACI mainly focuses on having a controller (the ACI Controller) manage the traffic of the ACI Virtual Edge or ACI Virtual POD. Note that the Virtual Edge is for the data plane and the Virtual POD is for the control-plane tunnel in the spine-and-leaf structure, so in a data center there may be only a few Virtual PODs but many Virtual Edges (AVE, as some abbreviate it). ACI is actually not an appliance or software; it is an infrastructure architecture using a spine-and-leaf design, and this ACI Data Center is the management-plane software that manages the ACI network. The ACI Edge, ACI Pod and ACI Controller are actually Nexus routers/switches, or virtual appliances running on a hypervisor, or container instances (pods) at cloud providers, so the user may not need to install a physical network appliance on site, and everything is managed by a common ACI data center software.



Cisco Active Advisor - A free tool from Cisco to check compliance: for example, whether the existing network equipment configuration has security issues, whether it follows best-practice configuration, whether the firmware is up to date, etc.


Cisco AppDynamics - Cloud-based solution with integrated infrastructure and application monitoring, providing AI to detect anomalies in database, application, infrastructure, business process system or even SAP system performance.


Cisco ASDM - The ASA security firewall device manager, used to manage multiple ASA devices.


Cisco Adaptive Wireless IPS - Wireless IPS is key in the US because equipment such as mobile POS terminals accepting VISA card payments must comply with certain IPS security requirements. This Cisco Adaptive Wireless IPS solution works with CleanAir to monitor for rogue APs or security threats and to identify intrusion events.


Cisco AMP Virtual Private Cloud - Cisco Advanced Malware Protection (AMP) is usually a cloud- and subscription-based service. Cisco acquired a company called Sourcefire, and Sourcefire provides the open-source Intrusion Detection System (IDS) software called Snort. It has one of the largest communities working on ways to detect new malware and identify new security risks. After Cisco acquired Sourcefire, Sourcefire kept providing Snort as an open-source service, and Cisco offered the AMP service, which is subscription based. Users with an AMP subscription get the most up-to-date malware detection from this service, and the threat signatures and algorithms are continuously updated by the experts at Cisco and Snort. This virtual private cloud version is for companies that cannot allow their firewalls to connect to the public AMP cloud: they install a private cloud version of the AMP system on their premises, and the on-premise AMP virtual private cloud synchronizes with the cloud AMP system to perform a similar function within the customer's private cloud.


Cisco Crosswork - For integrating business processes with network automation, like how a switch configuration change gets approved and applied on site.


Cisco DNA Center and DNA Software (Wireless/Switching/SD-WAN) - Cisco DNA Center is the management plane that manages the SD-Wireless, SD-Access and SD-WAN solutions. The DNA Software suite has a separate module for each feature, in case the user only has, say, SD-WAN.


Cisco Defense Orchestration - A Cisco firewall (ASA) can be monitored and managed in three ways. Option 1 is the Security Manager software on the firewall; option 2 is management by the former Firepower Management Center, now the Secure Firewall Management Center; and option 3 is management by Defense Orchestration. Defense Orchestration is the cloud-based SaaS service Cisco provides to companies on a subscription basis to manage the firewall(s) the customer has procured.


Cisco ISE - The TACACS+ and RADIUS server (for enterprise) from Cisco, for identity integration of user access to the network.


Cisco Integrated Management Controller - For management of the Cisco Unified Communication servers and storage.


Cisco Intersight (Intersight Kubernetes/Intersight Workload Optimizer) - Cisco Intersight is mainly for IT operations management: compliance, and simplifying configuration compliance and firmware compliance. (Similar to Ansible?) It can manage not only network resources but also server resources, Kubernetes container resources, virtualization workloads, etc.


Cisco Meraki vMX100 - Meraki vMX100 is the enterprise-grade Meraki SD-WAN solution that can be installed at a cloud service provider such as AWS to configure site-to-site tunnels, SD-WAN and simple firewall features on cloud instances. I think they have now changed to vMX-S/M/L to support different capacities. The investment in and configuration of SD-WAN on Meraki has a lower entry cost than the Cisco SD-WAN solution and is easier to configure.


Cisco Modeling Labs - The simulation tool used to practice or verify the configuration of Cisco devices.


Cisco Network Service Manager - Software to manage Cisco devices like an NMS or EMS for Cisco equipment, for common configuration and monitoring purposes. Operators may integrate it with OSS/BSS for provisioning and monitoring.


Cisco Nexus 1000VE - The Cisco virtual Nexus instance that can be purchased and installed at a cloud service provider for fabric operation.


Cisco ONE - An integrated wireless and wired management suite for Cisco equipment to manage a campus fabric or other medium/large-scale deployment; it has Cisco ONE for Access, Cisco ONE for Data Center, Cisco ONE WAN, etc.


Cisco Prime Network - For carrier-grade network solutions; it consists of other packages for managing network provisioning and DNS/DHCP assignment in the carrier network. (SIP registrar and other carrier-based 3GPP RADIUS solutions, P-GW, Prime Optic for xWDM, etc. may be managed by Cisco Prime Network.)


Cisco Secure Email Security - This can be an appliance or a virtual instance in a cloud service. This software can detect phishing emails, ransom emails or other email-related security threats, and it provides a management interface for you to monitor those email security events, isolate those emails or take other action. (I think it works as a standalone product, or may have some special integration with the Cisco firewall for URL filtering capability or AMP capability, for example, but I think it mainly works as a standalone product; if you happen to know more, please let me know.)


Cisco Secure Endpoint or AMP for Endpoints - This software handles end-device security; it includes features like encrypting your entire hard disk, managing USB usage, and detection of viruses or malware on the end device. I think it needs to work with the AMP cloud-based software. AMP can also be installed on the Secure Email Security device above to have AMP malware detection support on email: email going through the Secure Email Security appliance gets security updates from the AMP cloud to identify suspicious mail and decide whether or not the email may be received by the user. AMP can also be available in ISR routers, ASA firewalls (NGFW), switches, cloud instances, etc. Secure Endpoint mainly focuses on installing the AMP client on end devices such as handsets, PCs, industrial servers or notebooks.





Cisco Umbrella - While Cisco AMP works at the "file" level of security, Cisco Umbrella focuses on URL access security. Cisco Umbrella is also a cloud-based, subscription-based service to monitor end-user security. It mainly focuses on cases like detecting whether the user is under a DNS attack and redirected to a malicious website, and those command-and-control callbacks at the DNS layer. So the user may configure the Umbrella DNS, and this Umbrella DNS will handle these kinds of security for the end user. (I am not really familiar with Cisco's security products, but it seems to function like that to me. Please correct me if I am wrong.)


WLAN notes 2


There are a few more additional notes about WLAN. (Yes, WLAN again... I think this core exam goes a bit too deep into Wi-Fi related information.) In the exam, a question came up about dynamic VLAN assignment for Wi-Fi users and asked how to do this in the WLC configuration.


https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/99121-vlan-acs-ad-config.html


Usually an SSID puts all users in the same VLAN. If we want a different user experience per user, it is usually done through the "authorization" profile of the user. Depending on the authorization profile, the network equipment can define, for example, their session timeout, maximum bandwidth, etc. This kind of configuration is usually done on the RADIUS server, and at Cisco they have ISE, which serves as a RADIUS server and can be integrated with a local database or with a Windows Active Directory server. So the usual flow is like below:


[User Device] ----- connect to ----- [NE port /AP SSID] -----(tunnel) ---- [WLC] ------- [ISE] -------- [AD]


In order to separate the network for the user depending on the user identity, one way is to use SD-Access Wireless: with the SD-Access edge router connected, Cisco DNA Center can manage the assignment of the correct "network" segment the user should connect to, and break out locally without tunnelling all user traffic to the WLC. (The CAPWAP tunnel must still go to the WLC.) However, the older way to do this is by managing the RADIUS reply attributes from the RADIUS server, and the network device makes the corresponding change to the user's network configuration based on the reply attributes.


For example, in Juniper it can be done by creating the AAA server configuration, and then on the interface, setting the interface to use authentication based on the configured RADIUS group. Then, on the RADIUS server, configure the AVP reply attributes for a particular user to return a reply attribute containing the name of the created VLAN or the VLAN-ID, and the switch, when it receives the attribute (the attribute ID must match), will put the user in the corresponding VLAN when it attaches to the network.


https://supportportal.juniper.net/s/article/Configuring-Dynamic-VLAN-assignment-on-the-EX-Switch-SRX-with-standard-Windows-XP2-client-and-Steel-Belted-RADIUS-SBR?language=en_US


Similar to the configuration above, Cisco uses a similar mechanism for Wi-Fi dynamic VLAN assignment based on dot1x and ISE. The configuration flow is:


  1. Assume the ISE and AD integration and the WLC RADIUS configuration with the ISE server are already set up
  2. Create an SSID; the interface group needs to select "DUMMY"
  3. In the SSID configuration, advanced section, select "Allow AAA Override"
  4. In the SSID security configuration, select Layer 2 WPA+WPA2, select dot1x, and select authentication with the configured ISE server
  5. Create the VLANs required for assignment
  6. In AD, create the groups such as Marketing group / IT group, etc.
  7. In ISE, create the authorization groups that match the AD groups (load them from AD if it is already connected)
  8. In ISE, set the attributes to be returned for those authorization groups; in the "common tasks" set the VLAN tag to the VLAN ID created on the WLC
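As an added example (not from the Cisco or Juniper documents linked above), the following Python shows what the RADIUS reply attributes from steps 7 and 8 look like on the wire: the RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes, and the consistency check a WLC or switch does before it honours the AAA override. The group-to-VLAN mapping is a constructed assumption.

```python
"""Encode and check the RFC 2868 tunnel attributes that a RADIUS server such as
ISE returns in an Access-Accept for dynamic VLAN assignment.  Example code
written for this note, not Cisco's or Juniper's; GROUP_TO_VLAN is constructed."""
import struct

# Attribute numbers and values from RFC 2868.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed example: ISE authorization group (mirroring the AD group) -> WLC VLAN id.
GROUP_TO_VLAN = {"Marketing": 10, "IT": 20}


def _avp(attr_type, payload):
    """One RADIUS attribute: Type(1) Length(1) Value; Length counts the header."""
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(payload)) + payload


def vlan_reply_attributes(vlan_id, tag=1):
    """The three AVPs the NAS needs.  Integer values are tag(1) + 3 bytes, the
    group id is tag(1) + ASCII digits.  All three must carry the same tag."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("not a valid 802.1Q VLAN id")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    tag_b = bytes([tag])
    return (
        _avp(TUNNEL_TYPE, tag_b + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _avp(TUNNEL_MEDIUM_TYPE, tag_b + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, tag_b + str(vlan_id).encode("ascii"))
    )


def reply_for_group(group):
    """Attributes ISE would return for a user in the given authorization group."""
    return vlan_reply_attributes(GROUP_TO_VLAN[group])


def parse_attributes(data):
    """Split an attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def vlan_from_reply(data):
    """Return the VLAN id to apply, or None when the reply is not a consistent
    VLAN assignment (all three attributes, same tag, type VLAN, medium 802).
    This mirrors the check the switch/WLC does before honouring the override."""
    groups = {}
    for atype, value in parse_attributes(data):
        if atype not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue  # other reply attributes (session timeout etc.) are ignored here
        if not value:
            continue
        # RFC 2868: for the string attribute a first octet > 0x1F is data, not a tag.
        if atype == TUNNEL_PRIVATE_GROUP_ID and value[0] > 0x1F:
            tag, body = 0, value
        else:
            tag, body = value[0], value[1:]
        groups.setdefault(tag, {})[atype] = body
    for parts in groups.values():
        if len(parts) != 3:
            continue
        if int.from_bytes(parts[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(parts[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        gid = parts[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if gid.isdigit() and 1 <= int(gid) <= 4094:
            return int(gid)
    return None
```

A reply that is missing one of the three attributes, or whose Tunnel-Medium-Type is not IEEE-802, yields None, which is why a half-configured ISE authorization profile leaves the client on the SSID's default interface.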


Authentication and Authorization Note


The security of network equipment can be managed in multiple ways.


For example,


Limit console access by password

Limit console access by local username and password

Encrypt the local user password

Limit access to enable by password

Limit the rights of a particular local user

Limit console access by authentication against an AAA or TACACS+ server

Enable SSH for remote login

Enable Telnet for remote login

Set multiple login methods and fail over to another login method if the first one is not available

What the different encryption levels are


To limit the access of console


>conf t

>line console 0

>password 0 cisco

>login


Note that line console refers to the console port configuration, password means it should use a password to gain access, and login means it should show a login prompt for the user to enter the password. (Without login, it won't ask for a password.)


To make the console use a username and password, first create a local user on the switch


>conf t

>username cisco password 0 cisco


And then in the line console 0, change login to login local


>conf t

>line console 0

>login local


The console now requires a username to log in too.


But the password is now shown in clear text in the show run configuration. We can encrypt the passwords in the configuration file with this command


>conf t

>service password-encryption



The password is now encrypted with the Vigenère cipher (level 7). This is not a very strong encryption method, but console login requires physical access to the equipment, so it should be fine.


Apart from login password, we can also set password for enable


>conf t

>enable password 0 cisco


The enable password sets the password used to gain privileged rights (level 15) for all configuration on the switch.


We can use enable secret instead of enable password, because enable secret is by default encrypted with type 9 encryption, which is SCRYPT.


To control the access rights of users, we can limit the user privilege level. Let's create multiple users


>conf t

>username cisco1 secret 0 cisco1

>username cisco2 privilege 7 secret 0 cisco2


Two users are created. To shift the local user database to a user database similar to RADIUS or LDAP, i.e. to enable AAA configuration, we need to run aaa new-model


>aaa new-model


After this, the aaa command options will be allowed.


Add the aaa authentication setting for default


>aaa authentication login default local


This means a login list called "default" is configured, and the first authentication method used is the local database.


Then on line console 0, change the setting. (Note that once aaa new-model is enabled, the original login local is removed; we need to use another command, login authentication default, to make it use the default method list we just created for authentication.)


>conf t

>line console 0

>login authentication default


Now it asks for a user login name, and the cisco2 account will have privilege level 7. To see the user privilege after login, run show privilege


To configure the use of an AAA (RADIUS) or TACACS+ server, first configure the AAA or TACACS+ server group


>radius server [name-of-radius-server say test-radius]

>radius server test-radius

(config-radius-server)>address ipv4 [address of the radius server] [optional port specification]

(config-radius-server)>key [secret key to be used]


Then create a radius server group


>aaa group server [radius | tacacs+ | diameter and others] [name: I use radgroup]

(config-sg-radius)>server name [the name we used is test-radius]


Then in the authentication, specify the group radgroup we created above and fall back to local if it fails


>aaa authentication login default group radgroup local



To enable Telnet or SSH, first let's enable Telnet


>line vty 0 4

>login local

>transport input telnet ssh


This should enable Telnet on the router. Telnet is working, but SSH failed. To fix this:


First need to add an ip domain name


>conf t

>ip domain-name localdomain.com


Then create an RSA key for SSH


>crypto key generate rsa


Use at least a 768-bit key, because SSH version 2 is the default and requires at least a 768-bit key to work


To check if ssh is running


>show ip ssh


And now ssh can work


We can limit the number of retries with >ip ssh retry [number of times]


Lastly, the password encryption methods:


The default is encryption 9, which is SCRYPT


encryption 5 is MD5


encryption 7 I think is the Vigenère cipher, which can no longer be used to configure a user secret password.


encryption 8 is PBKDF2 HASH


encryption 9 is SCRYPT HASH
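Added example, not a Cisco tool: a small Python audit that reads a running-config and flags the weak choices walked through in this section (enable password instead of enable secret, type 0/5/7 password storage, login with a line password only, Telnet on the vty lines, no aaa new-model). Both configs below are constructed, with placeholder hashes.

```python
"""Audit a Cisco IOS running-config for the weak settings discussed above.
Example code written for this note, not a Cisco tool.  It reads the config text
only; type 0/7 strings are flagged, never decoded.  Both configs are constructed."""
import re

# Password storage types from the note; lower numbers are weaker.
PASSWORD_TYPES = {"0": "clear text", "5": "MD5", "7": "Vigenere (reversible)",
                  "8": "PBKDF2", "9": "scrypt"}

WEAK_CONFIG = """\
no service password-encryption
hostname SW1
enable password 0 cisco
username cisco password 0 cisco
username cisco1 secret 5 $1$PLACEHOLDER$hash
username cisco2 privilege 7 secret 9 $9$PLACEHOLDER$hash
line con 0
 password 7 PLACEHOLDERTYPE7
 login
line vty 0 4
 login local
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
service password-encryption
aaa new-model
enable secret 9 $9$PLACEHOLDER$hash
username cisco2 privilege 7 secret 9 $9$PLACEHOLDER$hash
aaa authentication login default group radgroup local
line con 0
 login authentication default
line vty 0 4
 login authentication default
 transport input ssh
"""

_USER_RE = re.compile(r"username (\S+)(?: privilege \d+)? (password|secret) (\d) ")


def parse_config(text):
    """Return (section, command) pairs; IOS indents sub-commands one space
    under their parent line, e.g. under 'line vty 0 4'."""
    entries, section = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            entries.append((section, raw.strip()))
        else:
            section = raw.strip()
            entries.append((None, section))
    return entries


def audit_config(text):
    """List findings; an empty list means none of the checked weaknesses."""
    findings = []
    entries = parse_config(text)
    top = [cmd for sec, cmd in entries if sec is None]
    if "aaa new-model" not in top:
        findings.append("aaa new-model missing: no method lists or server-group fallback")
    if "service password-encryption" not in top:
        findings.append("service password-encryption off: line passwords stored in clear text")
    for cmd in top:
        if cmd.startswith("enable password "):
            findings.append("enable password used: replace with enable secret (type 9 by default)")
        m = _USER_RE.match(cmd)
        if m:
            user, keyword, ptype = m.groups()
            if keyword == "password":
                findings.append(f"username {user}: 'password' keyword stores type {ptype} "
                                f"({PASSWORD_TYPES.get(ptype, 'unknown')}); use secret")
            elif ptype == "5":
                findings.append(f"username {user}: type 5 MD5 secret; regenerate as type 8 or 9")
    sections = {}
    for sec, cmd in entries:
        if sec and sec.startswith("line "):
            sections.setdefault(sec, []).append(cmd)
    for sec, cmds in sections.items():
        if "login" in cmds:
            findings.append(f"{sec}: 'login' alone relies on the line password; use login local "
                            f"or login authentication <list>")
        if any(c.startswith(("password 0 ", "password 7 ")) for c in cmds):
            findings.append(f"{sec}: line password is type 0/7, a reversible encoding")
        for c in cmds:
            if c.startswith("transport input ") and ("telnet" in c or c.endswith(" all")):
                findings.append(f"{sec}: '{c}' allows clear-text Telnet; use transport input ssh")
    return findings
```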


HTTP Return Code


HTTP 2XX are normal server response.


HTTP 3XX is for redirects. 307 is a temporary redirect and 308 a permanent redirect; the client should be redirected to another URL after receiving this response.


HTTP 4XX are server responses such as the requested URL not being found


HTTP 5XX means the server encountered some internal server problem


https://en.wikipedia.org/wiki/List_of_HTTP_status_codes


The common ones, starting with HTTP 2XX, are


200 Return OK


201 Created (in response to POST request for instance)


204 No Content (An empty response with only header)


400 Bad Request (It can be that the size is too large; for example, when I update this post and the post data is too large, my HTTP server returns 400 Bad Request)


401 Unauthorized (This usually means a user login problem, e.g. the login password is incorrect)


403 Forbidden (This is when the user login credentials are correct but the user does not have authorization to access this resource)


404 Not found (URL is incorrect)


405 Method Not Allowed (This is usually used to indicate that the requested web service method is not allowed for this user)


429 Too Many Requests (When the user has made too many attempts at this)


500 Internal Server Error (A general server-side error; it doesn't indicate what the problem may be)


Other 5xx codes are other server errors that may hint at what went wrong on the server side. For example, 501 Not Implemented may be returned by the server for a request method that the server has no logic to handle. 504 Gateway Timeout may indicate that the server received the request but the backend gateway timed out, so it cannot serve this request now. 507 indicates the server has a storage problem. But it is up to the server what kind of information it returns to you.


Automation tools comparison


Puppet and Chef are Ruby based.


Puppet has an agent-master architecture. (It can be used standalone too if master and agent both reside on the same server.) The master is a Puppet Server; the agent is a pre-compiled downloadable agent that already has some fixed logic built in and that we need to store on the network equipment. What Puppet does is that, on the Puppet Server, we configure the catalogue that describes the "state" the network element should be in; then on the agent side, we configure which Puppet Server master it should contact, and it pulls down the catalogue from the master server and uses the agent's internal logic to check whether the current server meets the required "state". If it does not match, it can apply changes to bring it to the intended state. This is called a PULL model, because it pulls the configuration from the master. It is AGENT-BASED, and there is not much customization of the agent; it relies on the agent to do this. One limitation is that Puppet can only specify the state; it cannot, for example, make a sequential update of packages. However, Puppet now also has Puppet Bolt, which can specify multiple TASKs, and when the agent retrieves those Bolt tasks it knows how to do the upgrade tasks in sequence. Puppet is considered a declarative approach because its original purpose is to declare the state, and the user does not have to worry about how to bring the equipment to the expected state; this is all handled by the agent on the network equipment.


Chef is similar to Puppet: they have a Chef server and agent, but they also have a tool called Workstation. The Workstation is used to customize the agent. For each network element to be monitored by Chef, we need to use the Workstation to customize the things the agent should maintain on the server and the procedures to check its state, update its state or fall back. This is considered a procedural or imperative approach because the user needs to know very well how to customize those agents. It is harder to use but provides more flexibility and is more powerful than Puppet. Chef uses a recipe instead of a catalogue, and a recipe is usually more specific and detailed, so I guess this is how to remember the difference between these two tools. It is also a PULL model, where the agent loaded on the equipment connects to the configured Chef server. Both Puppet and Chef are Ruby based and the agents are Ruby based, so their recipe or catalogue configuration has Ruby configuration in common, in that it requires the configuration files to be named in a certain way and put in a certain structure, with their configuration in a manifest or other configuration file. (Ruby is a language that prefers using configuration and has strict naming conventions.)


Ansible's approach is a bit different: it is AGENTLESS, and it pushes tasks or configuration to the network element. The main difference is that Ansible doesn't put an agent on the network equipment; it uses other southbound methods to check the status of the system, for example by SSHing to the node and executing a few commands. It is Python based, is more popular than Ruby, and has now been acquired by Red Hat. The user specifies a list of HOSTs or network elements to be managed by the Ansible system, and then specifies the playbook for those hosts/network elements. An Ansible playbook is in YAML format, and it specifies a sequence of tasks to do. The YAML file specifies the event to check, for example using yum to check whether httpd is running. We do not have to type in the yum command; Ansible has the pre-stored function, so we can just use configuration to tell it to check that the status matches the version we need. It is usually PUSHed to the device on demand, so it is not a pull model, even though there are commands to make this a pull model where the server checks whether there are tasks required, but I think we should answer that it is a PUSH model. Whether this is declarative or imperative, I am not too sure. I think it does not go as imperative as Chef, but since it is task or event driven, it is more declarative than Puppet without the Puppet Bolt feature. [I have no way to know what the preferred answer from the Cisco exam is... please let me know if you know whether Ansible should be grouped as declarative or imperative.]


Lastly, SaltStack is also based on Python; it can be agent based, or it can also be SSH based like the Ansible agentless approach. I do not have much information on SaltStack apart from that it mainly focuses on IT operations and compliance issues, so it has more features like approval flows, documenting changes in the configuration of managed equipment, etc.


Other miscellaneous configuration


To enable NTP


>conf t

>ntp server [NTP server address]


This makes the switch query the time from the configured NTP server. It will not participate in timekeeping, so it will not send its own time to anyone.


If we want the switch to join the NTP domain and be an NTP source for other switches, we need to make it an NTP peer with the others, and set up the authentication method for the NTP connection.


And we need to specify the NTP source interface to tell it from which interface we are going to receive and send NTP requests. NTP can be broadcast or unicast. If we make this an NTP master clock, it becomes server mode and will start broadcasting its time on the interface if broadcast is enabled.


To enable syslog, use logging command


>logging [IP of syslog server] [option to specify transport] [option to specify tcp|udp default is tcp]


To manage which level to send to syslog server,


>logging trap [level of severity]


Severity  Level Name      Description
0         Emergencies     Router unusable
1         Alerts          Immediate action required
2         Critical        Condition critical
3         Errors          Error condition
4         Warnings        Warning condition
5         Notifications   Normal but important event
6         Informational   Informational messages
7         Debugging       Debug message
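An added example (not part of the original note): Python that parses IOS syslog lines by their %FACILITY-SEVERITY-MNEMONIC field and applies the logging trap filter from the table above, so you can see which messages a given trap level would actually deliver to the collector. The log lines are constructed.

```python
"""Parse Cisco IOS syslog lines and apply the 'logging trap <level>' filter.
Example code written for this note, not a Cisco tool; the log lines below are
constructed (IOS sends facility local7 by default, so PRI = 23*8 + severity)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# The severity table from the note, keyed by the keyword 'logging trap' accepts.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

_PRI_RE = re.compile(r"^<(\d{1,3})>")
# %FACILITY-SEVERITY-MNEMONIC: message text
_MSG_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):\s*(.*)$")

SAMPLE_LOGS = [  # constructed
    "<189>45: *Mar  1 00:12:01.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "<187>46: *Mar  1 00:12:30.456: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    "<188>47: *Mar  1 00:13:02.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 192.0.2.55] [localport: 22] [Reason: Login Authentication Failed]",
    "<190>48: *Mar  1 00:13:10.500: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.20 port 514 started - CLI initiated",
    "this line is not an IOS syslog message",
    "<188>49: *Mar  1 00:14:00.000: %NTP-4-PEERUNREACH: Peer 192.0.2.1 is unreachable",
]


@dataclass
class IosSyslog:
    facility: str
    severity: int                # from the %FAC-SEV-MNEMONIC field
    mnemonic: str
    text: str
    pri_severity: Optional[int]  # from the <PRI> header, if one was present


def parse_ios_syslog(line: str) -> Optional[IosSyslog]:
    """Return the parsed message, or None if the line is not IOS-formatted."""
    m = _MSG_RE.search(line)
    if not m:
        return None
    pri_sev = None
    p = _PRI_RE.match(line)
    if p and int(p.group(1)) <= 191:     # PRI = facility*8 + severity, max 23*8+7
        pri_sev = int(p.group(1)) % 8
    return IosSyslog(m.group(1), int(m.group(2)), m.group(3), m.group(4).strip(), pri_sev)


def trap_level(level) -> int:
    """Accept the numeric or keyword form used with 'logging trap'."""
    s = str(level).strip().lower()
    if s.isdigit() and int(s) in SEVERITY_NAMES:
        return int(s)
    for number, name in SEVERITY_NAMES.items():
        if name == s:
            return number
    raise ValueError(f"unknown severity: {level}")


def forwarded(lines, trap) -> List[IosSyslog]:
    """Messages a router with 'logging trap <trap>' would send to the syslog
    server: everything at that severity or more severe (numerically lower).
    Lines that do not parse are dropped."""
    limit = trap_level(trap)
    return [msg for msg in map(parse_ios_syslog, lines) if msg and msg.severity <= limit]


def severity_mismatches(lines) -> List[IosSyslog]:
    """Messages whose <PRI> severity disagrees with the %FAC-SEV field; worth
    flagging when a collector alerts on PRI alone."""
    out = []
    for msg in map(parse_ios_syslog, lines):
        if msg and msg.pri_severity is not None and msg.pri_severity != msg.severity:
            out.append(msg)
    return out
```

Note that logging trap 4 (warnings) drops the SYS-5-CONFIG_I message that records a configuration change; if you want those at the collector, the trap level has to be notifications or higher.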


At the point of this note, I finally got my ENCOR 350-401 exam passed, and I need to move on to the CCIE Lab Exam or the additional written exam for CCNP. Since I am now a CCIE candidate, I can book the Cisco Practice Lab for 50 USD for 4 hours; I will book a few and see if I should go for the Lab Exam, as the cost of the Lab Exam is quite high and I am not sure about the scope to be tested in the lab exam. I heard the fail rate is still high for the Lab Exam even though it is expensive, and you need at least 70 out of 100 and can't fail either the design or the lab portion. So I will try to schedule a few of those labs and see. I will try to document my experience here and jot down some notes as I usually like to do.