Passing the CWSP – PearsonVue Online

I passed the CWSP on my first try last week, which I was happy about. With Covid-19 running rampant and changing things, I had to take the test at home with PearsonVue. I liked the idea of testing at home and ran through all of the steps that PearsonVue recommended. However, that didn't stop me from needing to reboot my machine multiple times and having to spend quite a bit of time trying to get set up and talking to their online people over chat. It took about 30 minutes for them to finally present the test and for me to be able to take it online successfully.

Once I finally got the technical issues resolved with their service and was able to take the test, I was surprised at how quickly it went, and I was glad I could do it at home, seeing as how it would have taken me longer to drive to and from the testing center than to take the test. The content was tough as I deal with it almost every day in regards to network security and trying to build a secure network.

So now I get to display this logo:

[CWSP logo]

My next exam is going to be the CWDP, and given the fact that I am still working from home and testing centers aren't open, I will be taking this one at home also. Hopefully the whole testing experience will go better.

How to rebuild an F5 Physical Load Balancer

I'm writing this down because I forget it, and rebuilding one always seems to cause me more pain than it should. I've had this happen 3 times in the 8 years of dealing with the physical 1600 LTMs; all of them have failed due to some power problem that won't let them start up completely, and I end up spending 8 or more hours rebuilding them and figuring out what the heck happened to them. Luckily they have always been in a fault-tolerant pair, so I haven't been down completely, but I have never wanted to push the amount of time one is down because of how important they are to my company.

Steps:

Call into Support and open a ticket with the s/n of the failed unit and the error message on the screen.

If you don't already have enhanced 4-hour replacement, ask for an upgrade to it via credit card. Waiting more than 4 hours is very painful and dangerous for us.

Wait 4 hours for the new unit to come in.

While waiting:
Unrack the currently failed unit, making sure that all of the cables are correctly labeled and ready to be plugged into the new unit.

Download the current version ISO along with any hot fixes to match the current install version. Download your latest backup for the unit and have it all ready and waiting to go on your laptop.

On the active unit, make sure to clear out any SSH keys for the failed unit from the failover interface, if needed.

Also reset the Device Trust under Device Management/Device Trust on the active unit.

When the new unit finally arrives, rack it and plug in at least the serial cable and the management Ethernet cable. Before powering on, plug in the recovery USB stick, if it came with one that has the version of LTM you need on it. This will greatly simplify the upgrade process and get it to at least the major version you need.

Once the unit has been upgraded to at least the major base version that you need, log in via the serial console with root/default and type config. This will let you set the management IP address for the unit.

Once the management address is set, connect to it via the browser with admin/default and start going through the licensing and configuration process.

Upload the hot fixes, if necessary, to the replacement unit and update to the version needed to restore the backup file. Once the hot fixes are done updating, go ahead and restore the backup to the failed unit.

Hook up the failover Ethernet cable.

Set back up the HA configuration between the units and ensure that you can SSH between the units on their failover interfaces.

Push the configuration from the active unit to the new unit with an override. If it fails or there is any issue during the sync, run this command on the failed unit to see what the issue is:

tmsh show cm sync-status

Once it's all done and happy, it should be back in sync and in an active/standby state.

Then plug in the last of the cables for the internal/external interfaces, and you should be done.

Pack the old unit up and ship it out.

Reboot Meraki APs

I have found myself several times over the last couple of months needing to reboot all of the APs within a Meraki network, sometimes due to changes and sometimes due to them not responding for some reason. There really isn't a clean way of going through and rebooting them aside from one at a time within the console. I thought, hey, I can make this better and do it via the API. So I went through and built this script to allow someone to put in the Org id; it will then pull back all of the networks that are in that Org and allow you to choose one in which to reboot all of the APs. It will ask whether it should go as fast as possible or whether you would like to put in a delay so that they don't all go down at the same time. I've tested it a couple of times and everything works as it's supposed to. As always, I look forward to any comments or updates that I can put into the code to make it better.

https://github.com/undrwatr/MERAKI_AP_REBOOT

As usual, my code isn't fancy or special, just serviceable and able to get done what I need and save me some time and headaches.
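The workflow described above, as an added example that is not the code from the linked repository: list an organization's networks so the operator can pick one, keep only the MR access points in that network, and send each a reboot with an optional pause between them. The Dashboard API v1 paths and the reboot endpoint are assumptions; the HTTP session and sleep function are injectable so the pacing can be checked without touching a live dashboard.

```python
import time

MERAKI_BASE = "https://api.meraki.com/api/v1"   # assumed Dashboard API v1 base path


class MerakiRebooter:
    def __init__(self, api_key, session=None, sleep=time.sleep):
        if session is None:
            import requests  # only needed for real use; tests inject a fake session
            session = requests.Session()
        session.headers.update({"X-Cisco-Meraki-API-Key": api_key})
        self.session = session
        self.sleep = sleep  # injectable so the pacing can be observed without waiting

    def _get(self, path):
        resp = self.session.get(MERAKI_BASE + path, timeout=30)
        resp.raise_for_status()
        return resp.json()

    def _post(self, path):
        resp = self.session.post(MERAKI_BASE + path, timeout=30)
        resp.raise_for_status()
        return resp.json()

    def networks(self, org_id):
        """All networks in the organization, so the operator can pick one."""
        return self._get("/organizations/%s/networks" % org_id)

    def access_points(self, network_id):
        """Only the MR (access point) models; switches and MX routers are left alone."""
        devices = self._get("/networks/%s/devices" % network_id)
        return [d for d in devices if d.get("model", "").startswith("MR")]

    def reboot_access_points(self, network_id, delay_seconds=0):
        """Send a reboot to each AP in turn, waiting delay_seconds between them.
        Returns the serials that were sent a reboot, in order."""
        rebooted = []
        for i, ap in enumerate(self.access_points(network_id)):
            if i and delay_seconds:
                self.sleep(delay_seconds)  # stagger so the site does not lose Wi-Fi all at once
            self._post("/devices/%s/reboot" % ap["serial"])  # assumed reboot endpoint
            rebooted.append(ap["serial"])
        return rebooted


def pick_network(networks, choice):
    """Resolve an operator's 1-based menu choice to a network id (None if out of range)."""
    if 1 <= choice <= len(networks):
        return networks[choice - 1]["id"]
    return None
```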

Retrieve SSID info from Meraki Wireless Network

I support multiple Meraki wireless networks and wanted the ability to pull pertinent data from the wireless networks that I support. This lets me pull in the data and then upload it into the wireless mapping programs and design software. It also lets me easily pull the channels, power settings, SSIDs, and other pertinent information. Here is the link to my GitHub site where I will be keeping the most up-to-date program as I fix things and work to improve it.

#!/usr/bin/env python

# import necessary modules
import cred          # local module holding the API key and network ID, kept out of source control
import requests

# Meraki site information
MERAKI_DASHBOARD = 'https://api.meraki.com'
HEADERS = {'X-Cisco-Meraki-API-Key': cred.key, 'Content-Type': 'application/json'}
# NETWORK = input(str("What network are we looking at? "))
NETWORK = cred.network
NETWORK_URL = MERAKI_DASHBOARD + '/api/v0/networks/%s/devices' % NETWORK
NETWORK_GET = requests.get(NETWORK_URL, headers=HEADERS)
NETWORK_GET.raise_for_status()   # stop early on a bad key or network ID instead of failing on .json()
NETWORK_RESPONSE = NETWORK_GET.json()

# Create a function to pull in the wireless information for one AP
def WIRELESS_SETTINGS(DEVICE):
    WIRELESS_SETTINGS_URL = MERAKI_DASHBOARD + '/api/v0/networks/%s/devices/%s/wireless/status' % (NETWORK, DEVICE['serial'])
    WIRELESS_SETTINGS_GET = requests.get(WIRELESS_SETTINGS_URL, headers=HEADERS)
    WIRELESS_SETTINGS_GET.raise_for_status()
    WIRELESS_SETTINGS_RESPONSE = WIRELESS_SETTINGS_GET.json()
    # one entry per BSS (SSID + band); skip the ones that are not enabled on this radio
    for SSIDS in WIRELESS_SETTINGS_RESPONSE['basicServiceSets']:
        if SSIDS['enabled']:
            print("SSID " + SSIDS['ssidName'] + " BAND " + SSIDS['band'] + " BSSID " + str(SSIDS['bssid']) + " Channel " + str(SSIDS['channel']) + " Power " + str(SSIDS['power']))

# Loops through the network and the devices to find all of the information.
for DEVICE in NETWORK_RESPONSE:
    if DEVICE['model'] == "MR42":
        print("AP " + DEVICE['name'])
        WIRELESS_SETTINGS(DEVICE)

Passing the CWAP

Last weekend I was able to pass the CWAP exam on my second attempt. The first time through the exam I was thrown by some of the questions and didn't have as good a grasp on some of the random things that were asked for. So I spent 2 weeks between exam takes watching all of the videos again and then going through all of my notes and the flash cards that I had made. I also spent a good amount of time looking at packet traces and figuring out where all of the information is and how Transmit Beamforming works with NDP. Overall I felt it was a good exam, even though it took me two times to pass it. I definitely feel a lot better now about the information and that I was able to absorb it for the exam. So now I get to use the cool CWAP image for things: [CWAP logo] My next exam will be the CWSP exam as I work my way through to the CWNP.

Here are some of the resources that I used while studying for the CWAP:
CWNP – Video training
CWNP – Practice Tests
WIFItraining – CWAP Workbook
CWNP – Official CWAP Study Guide

One Source of the truth for IP Addressing

I've been working on my Python programming skills and using scripts to configure all of my Meraki equipment through their API and cloud platform. It's been a lot of work building the scripts and working through some of the limitations that are inherent in Meraki's cloud and also in the way we manage our environment. I have over 1500 stores and use 2 /28 ranges for each store, and I have been trying to find a formal IP management solution that would support it. Unfortunately, after looking at SolarWinds, BlueCat, and other IPAMs, I didn't find what I wanted. I ended up going with a MS SQL database that I can call via pyodbc and get the data based on the store#. This also allows me to put in other specialized information; I can basically build out what I need and then call it from within my Python programs.

Obviously I would never be confused with a web designer of any sort. However, what it is, is quick and easy to use. The ASP page pulls up fast and things can be added and removed within a few minutes. The amount of time I was going to have to spend on a formal solution was just more time than I had. The downside, of course, is that if I leave, someone else has to learn what I did and then take over the support of it. That will, however, be a problem for a different day, unless of course I find a great solution that allows me to treat everything separately and not as part of a huge network.
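The lookup described above, as an added example that is not the author's database or scripts: the store number is bound as a query parameter rather than formatted into the SQL, and the two ranges returned are checked to really be non-overlapping /28s before a script acts on them. The table name, columns and rows are constructed here, and sqlite3 stands in for the MS SQL database; pyodbc also uses `?` placeholders, so the lookup function itself would run unchanged against the real database.

```python
import ipaddress
import sqlite3

# Constructed stand-in for the MS SQL table: one row per store, two /28 ranges.
SCHEMA = ("CREATE TABLE store_ip (store_num INTEGER PRIMARY KEY, "
          "range1 TEXT NOT NULL, range2 TEXT NOT NULL)")
SAMPLE_ROWS = [
    (101, "10.101.0.0/28", "10.101.0.16/28"),
    (102, "10.102.0.0/28", "10.102.0.16/28"),
    (103, "10.103.0.0/28", "10.103.0.0/27"),   # deliberately bad row: not a /28, overlaps range1
]


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO store_ip VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def store_ranges(conn, store_num):
    """Return the store's two /28 networks, or None if the store is unknown.
    The store number is bound as a parameter, never formatted into the SQL,
    so a value typed at a prompt cannot alter the query."""
    store_num = int(store_num)  # rejects anything that is not a store number
    cur = conn.cursor()
    cur.execute("SELECT range1, range2 FROM store_ip WHERE store_num = ?", (store_num,))
    row = cur.fetchone()
    if row is None:
        return None
    # strict=True refuses a range whose host bits are set (e.g. 10.1.0.5/28)
    nets = [ipaddress.ip_network(r, strict=True) for r in row]
    for net in nets:
        if net.prefixlen != 28:
            raise ValueError("store %d: %s is not a /28" % (store_num, net))
    if nets[0].overlaps(nets[1]):
        raise ValueError("store %d: ranges overlap" % store_num)
    return nets


def host_addresses(conn, store_num):
    """Usable host addresses per range, the list a Meraki VLAN script would consume."""
    nets = store_ranges(conn, store_num)
    if nets is None:
        return None
    return [[str(h) for h in net.hosts()] for net in nets]
```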

What it is like to be a Network Engineer as translated into normal person speak.

I don’t remember where I found this, but figured it was an appropriate explanation of my job and what I do.

What it’s like to be a network engineer…translated into normal people speak:

User: I think we are having a major road issue.

Me: What? No, I just checked, the roads are fine. I was actually just on the roads.

User: No, I’m pretty sure the roads are down because I’m not getting pizzas.

Me: Everything else on the roads is fine. What do you mean you aren’t getting pizzas?

User: I used to get pizzas when I ordered them, now I’m not getting them. It has to be a road issue.

Me: As I said, the roads are fine. Where are you getting pizzas from?

User: I’m not really sure. Can you check all places that deliver pizzas?

Me: No I don’t even know all the places that deliver pizza. You need to narrow it down.

User: I think it is Subway.

Me: Okay, I’ll check…No, I just looked and Subway doesn’t deliver pizzas.

User: I’m pretty sure it is Subway. Can you just allow all food from Subway and we can see if pizza shows up?

Me: Sigh, fine I’ve allowed all food from Subway, but I don’t think that is the issue.

User: Yeah I’m still not getting pizza. Can you check the roads?

Me: It’s not the roads, the roads are fine. I’m pretty sure Subway isn’t the place.

User: Okay, I found it. It’s Papa Johns.

Me: Okay, I looked and Papa Johns does deliver pizza. Is it the local Papa Johns or one in a different town?

User: I don’t know. Can you allow pizza from all Papa Johns to me?

Me: No I can’t do that. Can you get me an address for Papa Johns?

User: No, I only know it as Papa Johns. Can you get me all the addresses of all Papa Johns and I’ll tell you if one of them is correct?

Me: No, I don’t have time for that. Okay, I looked at the local one and it looks like they have sent you pizza in the past and they are currently allowed to send you pizzas. Try ordering a pizza while I watch.

User: Yeah still no pizza. I’m guessing they are getting blocked at the freeway. Can you check the freeway to make sure they can get through?

Me: No, this is a local delivery. They aren’t even using the freeway.

User: Okay, well then it has to be a road issue.

Me: No, the roads are fine. Okay, I just drove from the Papa Johns to the address they have on file for you and there is nothing there.

User: Hmm, wait we did move recently.

Me: Did you give your new address to Papa Johns?

User: No, I just thought they would be able to look me up by name.

Me: No they need your new address. What’s your new address?

User: I’m not really sure. Can you look it up?

Me: Sigh, give me a second…Okay, I found your address and gave it to Papa Johns. Try ordering a pizza now.

User: HEY! PIZZA JUST SHOWED UP!

Me: Okay, good.

User: (To everyone else they know) I apologize for the delay in the pizza but there was a major road issue that was preventing the pizza from getting to me. The network engineer has fixed the roads and we are able to get pizza again.

Me: But it wasn’t the roads…whatever.

User: Oh, can you also check on an issue where Chinese food isn’t getting to me? I think it may be a road issue.

pyenv on Mac OS 10.15 Catalina

I have been running pyenv from Homebrew on Mac so I could run Python 3 rather than 2.7. However, when I upgraded to Catalina I ran into an issue where pyenv wasn't working anymore. I went through the GitHub page for pyenv at: pyenv and followed all of the steps, and got to this part:

  • Add pyenv init to your shell to enable shims and autocompletion. Please make sure eval "$(pyenv init -)" is placed toward the end of the shell configuration file since it manipulates PATH during the initialization.

    $ echo -e 'if command -v pyenv 1>/dev/null 2>&1; then\n  eval "$(pyenv init -)"\nfi' >> ~/.bash_profile

    • Zsh note: Modify your ~/.zshenv file instead of ~/.bash_profile.
    • fish note: Use pyenv init - | source instead of eval (pyenv init -).
    • Ubuntu and Fedora note: Modify your ~/.bashrc file instead of ~/.bash_profile.

  General warning: There are some systems where the BASH_ENV variable is configured to point to .bashrc. On such systems you should almost certainly put the abovementioned line eval "$(pyenv init -)" into .bash_profile, and not into .bashrc. Otherwise you may observe strange behaviour, such as pyenv getting into an infinite loop. See #264 for details.

.zshenv should actually be .zshrc

First Half of Python for Network Engineers

It's been non-stop for 5 weeks of training, but this week we had a week off, so I thought I would post this.

I was able to get my work to fund the Python for Network Engineers course taught by Kirk Byers.

https://pynet.twb-tech.com/class-pyauto.html

I had taken the free class a couple of times and learned quite a bit. I thought that being able to take the paid course would give me a better understanding of things related to Python and how to handle some of the more complex things that I want to do. I really want to be able to take advantage of more automation in our environment and make things work better/easier with fewer chances for errors. I also want to empower my Helpdesk to be able to do more things; we are a very small shop with a large footprint of stores/offices. We have deployed Meraki to almost all of the locations, so being able to take advantage of Python/REST APIs has been a great benefit so far. However, I feel there is more that I can do, I just need some more training. Also, the more stuff I can give to my Helpdesk, the less they have to call me for, and I can try and get some more sleep (as though that would happen).

I have really enjoyed the first half of the class and learned quite a bit so far in just using Netmiko, TextFSM, and Jinja2. The other part that is nice is the community of people that Kirk has put together so that we can all learn from each other and exchange ideas and questions. Between Slack and some group channels, there have been a lot of good comments/questions exchanged back and forth.

As for the class, Kirk's videos have been informative and I have found a lot of useful information in them. His examples have been good and have shown some real-life information in working with equipment: not diving into actual network engineering, but showing some information in relation to real-life data/examples. I have also found the exercises he has assigned us to be challenging and quite good. I have picked up some good ideas from them and it has pushed my learning and understanding of Python.

In all, I am really enjoying it and can't wait for the next half and to see how my Python programming improves.

Meraki Script to pull LTE Card Signal

Script for pulling the make and signal strength of wireless cards

We are trying to continually audit the LTE cards in our Meraki routers, so we wanted to be able to monitor the stores' LTE connections, see the signal strength, and then determine which, if any, needed to be swapped out. However, that data is only stored at the device level, so you have to iterate through the whole organization, then by network, and then by device in the network. Meraki has a polling limit for how many times you can poll the cloud per second, so I put a 1 second delay in there to keep the program from overwhelming everything and causing issues for itself or for our users monitoring on the website.

The script can be found here:

https://github.com/undrwatr/MERAKI_CARD_SIGNAL
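The organization-to-network-to-device walk and the 1 second pacing described above, as an added example that is not the code in the linked repository: a small throttle enforces the minimum gap between Dashboard calls, and the walker pulls each router's cellular uplink and flags weak signal. The v0 per-device uplink path, the `signalStat` field layout, the MX model filter and the -110 dBm RSRP threshold are assumptions; `fetch(path)` is whatever function performs the authenticated GET, so the walk can be exercised against constructed data.

```python
import time


class Throttle:
    """Keep a minimum gap between Dashboard calls (the post uses 1 second)."""

    def __init__(self, min_interval=1.0, clock=time.monotonic, sleep=time.sleep):
        self.min_interval, self.clock, self.sleep = min_interval, clock, sleep
        self.last = None

    def wait(self):
        now = self.clock()
        if self.last is not None and now - self.last < self.min_interval:
            self.sleep(self.min_interval - (now - self.last))
        self.last = self.clock()


def cellular_uplink(uplinks):
    """Pick the cellular entry out of a device's uplink list, or None if it has none."""
    for uplink in uplinks:
        if uplink.get("interface", "").lower() == "cellular" and "signalStat" in uplink:
            return uplink
    return None


def collect_lte_signal(fetch, org_id, throttle, weak_rsrp_dbm=-110.0):
    """Walk organization -> networks -> devices, one throttled GET per step.
    fetch(path) must return the decoded JSON of a v0 Dashboard API GET.
    Returns one row per LTE-capable router (assumed: MX models), flagging weak RSRP."""
    rows = []
    throttle.wait()
    for net in fetch("/organizations/%s/networks" % org_id):
        throttle.wait()
        for dev in fetch("/networks/%s/devices" % net["id"]):
            if not dev.get("model", "").startswith("MX"):  # only the routers carry LTE cards
                continue
            throttle.wait()
            uplinks = fetch("/networks/%s/devices/%s/uplink" % (net["id"], dev["serial"]))
            cell = cellular_uplink(uplinks)
            if cell is None:
                continue  # no card in this router, or the card is not reporting
            rsrp = float(cell["signalStat"].get("rsrp", 0))  # dashboard reports these as strings
            rows.append({
                "network": net.get("name", net["id"]),
                "serial": dev["serial"],
                "card": cell.get("model", "unknown"),   # card make/model, for the swap list
                "rsrp": rsrp,
                "rsrq": float(cell["signalStat"].get("rsrq", 0)),
                "weak": rsrp <= weak_rsrp_dbm,
            })
    return rows
```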