
Rowell Dionicio

Get Techie With It


Archives for November 2020

Cisco Catalyst 9800-CL – High Availability

November 30, 2020 By Rowell 2 Comments

Everyone wants high availability with their infrastructure. With the Catalyst 9800 wireless LAN controller capable of being installed as a virtual machine, do you really need high availability?

I’d be nervous to have all my virtual machines on a single host. If that host failed, you lose everything. In regards to the Catalyst 9800-CL wireless LAN controller, we have the ability to configure two instances in high availability with stateful switchover.

High availability (HA) will provide minimal downtime for the wireless controllers. In this configuration, there will be an Active and Standby wireless controller.

Stateful switchover allows access points to establish a CAPWAP tunnel to the Active controller. The Active controller will copy a database of joined access points to the Standby wireless controller. Additionally, a client database is copied to the Standby wireless controller.

In summary, when the Active wireless controller fails, the Standby takes over with the access points and clients still connected seamlessly. The access points will not go into a Discovery state and clients will not get disconnected.

When deploying the Catalyst 9800-CL, there are three interfaces bound in the configuration. The third interface, GigabitEthernet3, is used as the dedicated Redundancy Port (RP).

This post describes configuring High Availability for the Catalyst 9800-CL in VMware ESXi 6.7.

Restrictions

There are some restrictions to keep in mind before configuring High Availability:

  • Keep the VMs on the same platform (ESXi, KVM, AWS, etc)
  • Both VMs are running the same version of software
  • Both VMs are running in the same installation mode
  • The IP addresses of the Redundant Port should be on the same subnet
  • Both devices have their own wireless management interface
  • Wireless management interface of both VMs must be in the same subnet
  • Both VMs should have the same CPU, memory, and hard disk

Connecting the Redundancy Port to a vSwitch

The RP on each Catalyst 9800-CL should be connected to their own vSwitch.

I’m running VMware ESXi 6.7. The first thing we need to do is create a vSwitch for the purposes of connecting the Redundancy Ports. For this demo, I’ll be configuring High Availability on a single host.


Go to Networking -> Virtual switches -> and click on Add standard virtual switch

Give the vSwitch a name and click Add.

Edit the settings for each 9800-CL virtual machine and change the network interface for the RP to use the newly created vSwitch.

Redundancy and stateful switchover are already enabled in the configuration by default. We just need to set up the communications between the two wireless controllers.

I’m assuming you already have two 9800-CLs configured and all you need to do is set up High Availability.

CLI

On the wireless controller that will be your primary Active controller, we configure the HA interface. The syntax is as follows:

chassis redundancy ha-interface <rp-port> local-ip <local-ip-of-vm> <subnet-mask> remote-ip <ip-of-standby-vm>

chassis redundancy ha-interface GigabitEthernet2 local-ip 192.168.1.1 255.255.255.0 remote-ip 192.168.1.2

<rp-port> – The interface that is the Redundancy Port
<local-ip-of-vm> – The redundancy IP address of the VM you’re currently configuring.
<subnet-mask> – The subnet mask for the IP above
<ip-of-standby-vm> – The redundancy IP address of the Standby VM

Save the configuration and reboot the wireless controller.

Once the reboot process is complete, head over to your standby wireless controller.

We’ll run the same chassis redundancy command but swap the IP addresses.

Income Report – Q3 2020

November 27, 2020 By Rowell Leave a Comment

Uncertainty is an enemy of business just as kryptonite weakens Superman. It’s difficult to predict or forecast what will happen. Whether that is paying yourself, paying employees who rely on you, or putting food on the table. If you’d like to see my other reports, check out the Income Report tag.

In Q3 of 2020 I noticed a change during the pandemic. Companies began their work again. My Professional Services increased 199% compared to Q2. It is a good sign but how long will it last given the restrictions due to COVID19 happening all over the world? People must be getting frustrated over the pandemic and so business must move forward. The shift I’m noticing is less carpeted office work. But warehouses and research labs continued to push through. 

The Clear To Send podcast released its first course and we saw some sales trickle through. We weren’t expecting a large number of people purchasing the course but we wanted to release something we cared about. Over the next 12 months I can compare how these sales perform.

Income Analysis

Overall, revenue increased 10% compared to Q2. I’ll take what I can get with an increase that big! But revenue is just a portion of the picture. With Q3 at a close, net income was down -81%. 

As I noted in the beginning, the Professional Services section of revenue increased 199% compared to the previous period (PP), Q2. It’s the main focus of my business at Packet6.

There are highs and lows in business. And when you aren’t watching cash flow or line item details of where money is spent then you have those lows. 

Hardware and software sales have consistently been a weak area for me. The disappointing part is not making people aware that I resell Cisco, Meraki, Juniper, Mist, and other vendors. I’m missing out on a significant amount of potential revenue. On the plus side, I saw a 15% increase in reselling activities but it was a small percentage of revenue.

Traveling during pandemic

I’m not disappointed in Q3 because I still have a good amount of cash saved up in the business. That’s an important objective of mine because it can also help keep the business afloat during rough times. 

Expense Analysis

A goal I made at the beginning of 2020 was to decrease expenses. I took some risks in Q3 that increased expenditures. One of those was learning how to do sales. 

I invested in training since I didn’t know exactly how to do sales. It didn’t work out the way I wanted it to but I did learn a few things. 

Luckily, General & Administrative Expenses did decrease by 66% but I did have to pay for taxes from 2019. One tip for those starting a business is to save for these taxes so you’re not shocked during tax time.

Lessons Learned

Reflecting on Q3, I realized I had not looked at my reports regularly. I’m referring to the expenditures compared to income. I saw Q3 as a way to take on new challenges and take calculated risks. The results won’t be instant but they were made to survive through this pandemic.

Occasionally, you need to make a calculated risk. The outcome could be rewarding, such as higher revenue. I’ve placed a lot of focus learning how to do sales, to create a process, and experiment with non-traditional sales methods.

Learning when to pivot and how is not just important but life saving. 

UniFi Switch Port Profiles

November 24, 2020 By Rowell 8 Comments

Consistency in configuration is key for management and troubleshooting. The UniFi platform allows the configuration of Profiles. I’ll be looking at Switch Port Profiles in order to quickly set parameters to a switch port with just a drop down option.

In my lab, I have an 8-port UniFi switch, UniFi Cloud Key Gen2 Plus, and a UniFi Security Gateway (USG).

As an example, let’s say there’s an environment where many access points will connect. In my Wi-Fi network I’ll have two SSIDs broadcasting, both on different subnets. Rather than going to every single port, converting it to a trunk and allowing the specific VLANs, I’d like to just select a Switch Port Profile to configure all of that for me.

Log into your UniFi dashboard and click on the Gear icon located on the bottom left of the window. Once the Settings page is available, on the left navigation under Settings, click on Profiles.

Profiles has two sections, RADIUS and Switch Ports. Click on Switch Ports.

I already have Switch Port profiles configured. But we’ll add a new one for this example. On the bottom, click on Add New Port Profile.

Next, we enter the various parameters for our UniFi Switch Port Profile. Give it a descriptive name. Since I’m configuring this profile for access points I will enable PoE/PoE+.

My access points will be plugged into a trunk port. I’ll need to set the Native VLAN or what UniFi calls the Native Network. I like to place all my access points on my infrastructure VLAN which I’ve selected in the drop down. 

Next, we tag the networks we want to include on this trunk. These are the two networks I’ll map to my SSIDs.

The other settings I’ll leave as default. But we could modify settings such as the Link Speed or maybe set up Storm Control. There have been scenarios where I’ve needed to set a threshold for multicast or broadcast.

Once finished, click on Save.

Now it’s time to use this Switch Port Profile. I head over to  Devices and select my UniFi switch. 

I see the switch ports I can modify. Select one of the ports to bring up the menu so we can modify the settings.

Hover over the port you want to configure and click on the pencil icon to modify.

Within the individual switch port, we can select a Switch Port Profile, the one we just configured, in the drop down menu.  Select this profile and click on Apply.

The switch port is now configured as a trunk with the requirements we need to properly allow the broadcast and operation of our Wi-Fi network. 

Switch Port Profiles can be configured to your requirements. In my example, I used access points. But maybe you have a set of different server port configurations. Configure the Switch Port Profile and setting the port configuration becomes much simpler, more efficient, and cleaner. 

Sure, you can set up the port to be a trunk allowing all VLANs, but why should you allow VLANs on a port that isn’t required to be on? 

Listing Cisco DNA Center Devices Using the API (DevNet)

November 19, 2020 By Rowell 6 Comments

DNA Center (DNAC) is an essential component of Cisco’s intent-based networking. It serves as the central point for network management and network provisioning. There are different functions of DNA Center such as network assurance which provides you with the overall health of the network. 

Included with DNA Center are APIs for further extensibility and network automation. DNAC’s capabilities include intent and integration APIs. 

Intent APIs provide a method of access to automation and assurance workflows. These actions can include configuring interfaces consistently across network devices or configuring security policies network wide.

Integration APIs integrate other applications with DNA Center such as a ticket system or change management and approvals through WebEx Teams.

DNA Center and DevNet Associate Objective

An objective of the DevNet Associate is to construct code to obtain a list of network devices using DNA Center. 

But don’t worry if you don’t have access to DNA Center. We have the DevNet Sandbox to help us out. 

DNA Center Always-On Lab

The DevNet Sandbox is perfect for learning how to use Python against the DNA Center lab. All the information is located on https://developer.cisco.com.

But here are the details of the DNA Center lab environment:

Server URL: https://sandboxdnac.cisco.com
username: devnetuser
password: Cisco123!

Start in Postman

We’ll begin in Postman to interact with DNA Center. Because DNA Center API uses token-based authentication we need to generate a token. This token will be used for our API calls. 

Taking a look at the DNA Center API, we create our token by creating a POST method using the URL, https://sandboxdnac.cisco.com/dna/system/api/v1/auth/token. 

We must add our authentication token to the header, which I grabbed from the DevNet Sandbox. Click on Headers and create an Authorization key with the value of Basic ZGV2bmV0dXNlcjpDaXNjbzEyMyE=

Once you click on Send, you should get a response containing our token.

Save that token because we’ll need to include it in our GET requests.

We need to browse the DNA Center API documentation to find out how we’re going to list the devices. Conveniently, there’s an API call just for retrieving the device list.

With Postman, we’ll create a GET request to the url based on the API documentation for getting the device list. That URL is https://sandboxdnac.cisco.com/dna/intent/api/v1/network-device.

Before sending the request, we must add our token to the header. Add a new key, X-AUTH-TOKEN, and paste the token from earlier into the Value field.

The response from DNA Center lists the devices in a pretty JSON format. We can start constructing our Python script with our current scenario by clicking on Code and copying the generated code to Atom.

Python Script

In Atom, we’re going to import the json library. I’m going to take the response and deserialize it so we can work with the JSON as Python objects. This is a method I’ve learned in previous lessons from DevNet labs. 

The response we receive from DNA Center is a dictionary. We have a key, response, with a value of all the data we need, which is contained in a list. I’m going to pass that value into its own variable with an intent to iterate through the list.

Now that we have our data in a list, I can iterate through the data and create a list of all the devices in DNA Center with a for loop.

import requests
import json

# API URL TO GET A LIST OF NETWORK DEVICES
url = "https://sandboxdnac.cisco.com/dna/intent/api/v1/network-device"

payload = {}

# WE MUST ADD OUR AUTHENTICATION TOKEN TO THE HEADERS
headers = {
    'X-Auth-Token': 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI1ZTlkYmI3NzdjZDQ3ZTAwNGM2N2RkMGUiLCJhdXRoU291cmNlIjoiaW50ZXJuYWwiLCJ0ZW5hbnROYW1lIjoiVE5UMCIsInJvbGVzIjpbIjVkYzQ0NGQ1MTQ4NWM1MDA0YzBmYjIxMiJdLCJ0ZW5hbnRJZCI6IjVkYzQ0NGQzMTQ4NWM1MDA0YzBmYjIwYiIsImV4cCI6MTYwNTA1MjYzOSwiaWF0IjoxNjA1MDQ5MDM5LCJqdGkiOiI3MmM5ZDY0Yy0xNjBhLTRlYzAtYTJmYi1mMzQyOGJlY2I4N2QiLCJ1c2VybmFtZSI6ImRldm5ldHVzZXIifQ.GCiuhxuWOPFmqjFSa6PRnqztDlGTTAjV22HdinMY27CAGAelCRcZx1sw9idhzesv538cIFx6XxHdffipIroBGu-a1IG0L6YRnECsMYBG4F_uDLuXPSgXJfZ0hkXB6qawXdtLJtzB9-bQ7hXAn9H_EdD_fW5nX7znTKImuiik70xMo9P0Rb2bOUPn7h0qT6hmwGfa7IMwk11sU-UBm73vt8-c6-2bqWBGiP2DcOcD_r6sIwpUPX4Go9B2fmA5AV4O5Aepa2sMVIfSYrRZv9FP1YwejbOXPq1mck_h31J1nRki8iRwgfTk0n0QoLNgvO2KVPTIxQQqe6rbEHrZYqFiMg'
}

# verify=False DISABLES TLS CERTIFICATE VALIDATION FOR THIS REQUEST; KEEP IT TO LAB USE
response = requests.request("GET", url, verify=False, headers=headers, data=payload)

# TAKE THE RESPONSE AND TURN IT INTO PYTHON OBJECTS
raw_output = json.loads(response.text)

# raw_output IS A DICTIONARY. TAKE THE VALUE OF response AND ASSIGN TO devices
devices = raw_output["response"]
 
# ITERATE THROUGH THE LIST TO PRINT OUT HOSTNAMES OF DEVICES
for device in devices:
    print("Hostname: {}".format(device["hostname"]))
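
The Postman steps and the script above combined into one flow, as an added example that is not the author's code: it requests the token at run time with the Basic header instead of pasting one into the source, reads the token's `exp` claim, and leaves TLS certificate validation on. It uses the standard library's `urllib` rather than `requests`; the `DNAC_USER`/`DNAC_PASS` variable names and the `Token` response key are assumptions not shown in the post.

```python
import base64
import json
import os
import time
import urllib.request

BASE_URL = "https://sandboxdnac.cisco.com"  # sandbox URL given in the post


def basic_auth_header(username, password):
    """Authorization value for the token POST (what Postman sent as 'Basic ...')."""
    raw = "{}:{}".format(username, password).encode()
    return "Basic " + base64.b64encode(raw).decode()


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying it, only to read exp/iat."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def seconds_left(token, now=None):
    """Seconds until the token's exp claim; negative means already expired."""
    now = time.time() if now is None else now
    return int(jwt_claims(token)["exp"] - now)


def call(method, path, headers):
    """HTTPS request; urllib validates the server certificate by default."""
    req = urllib.request.Request(BASE_URL + path, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def get_token(username, password):
    body = call("POST", "/dna/system/api/v1/auth/token",
                {"Authorization": basic_auth_header(username, password)})
    return body["Token"]  # assumption: response key name, not shown in the post


def hostnames(device_response):
    """Pull hostnames out of the {'response': [...]} dictionary described above."""
    return [device["hostname"] for device in device_response["response"]]


if __name__ == "__main__":
    # DNAC_USER / DNAC_PASS are hypothetical variable names chosen for this example
    token = get_token(os.environ["DNAC_USER"], os.environ["DNAC_PASS"])
    print("Token expires in {} s".format(seconds_left(token)))
    devices = call("GET", "/dna/intent/api/v1/network-device", {"X-Auth-Token": token})
    for name in hostnames(devices):
        print("Hostname: {}".format(name))
```

If the lab certificate does not validate, pass `urlopen` an `ssl` context that trusts the lab CA rather than switching verification off.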

Python – Basic API Access with Mist Wi-Fi

November 17, 2020 By Rowell Leave a Comment

The Mist access points were designed with API first. The information you’re able to retrieve from their API is quite impressive. It’s enough for you to build your own dashboard, if you dare to take that leap.

The Mist API architecture is simple. It starts with the REST API client, which in this example, is my computer running a script. That request is made via HTTPS to the Mist cloud and processed. In return, the Mist API sends a response.

https://www.mist.com/documentation/mist-api-architecture/

Here’s a simple script that makes a request for the WLANs I have enabled. I then print the result to the screen.

import json
import requests

# Site ID and API token are placeholders; substitute your own
site_id = '<your-site-id>'
url = "https://api.mist.com/api/v1/sites/{}/wlans".format(site_id)

headers = {
  'Authorization': 'Token <your-token>'
}

# Request the WLANs configured for the site
response = requests.request("GET", url, headers=headers)
r = json.loads(response.text)

# The response is a list of WLAN dictionaries; print SSID, state and VLAN for each
for wlans in r:
    wlan_name = wlans['ssid']
    wlan_enabled = str(wlans['enabled'])
    wlan_vlan = str(wlans['vlan_id'])
    print("SSID: " + wlan_name, "\t Enabled: " + wlan_enabled, "\t VLAN: " + wlan_vlan )

Here is the output:

% python3 get_wlans.py
SSID: D-NET  Enabled: True 	 VLAN: 2
SSID: CTS 	 Enabled: True 	 VLAN: 2
Copyright © 2022 · Written by Rowell Dionicio · You're awesome.

 
