DevNet Associate 30-Day Challenge: Overcoming Week 3 Challenges—Did I Pass?

Hi everyone, I’m back after disappearing for week three. Unfortunately I ended up working some ridiculous hours at work, as I needed to help a customer upgrade and migrate some of their Cisco ASAs to mitigate against the ArcaneDoor vulnerability. I’m sure you’ll all be aware of the vulnerability by now, but if not, here is a link: ArcaneDoor – New espionage-focused campaign found targeting perimeter network devices (talosintelligence.com)

The above work started on the evening of Thursday 25/04/24 and I worked through until 04:30AM on the Friday. Luckily one of my colleagues was there to assist, as we had a few firewalls to upgrade and we also had to complete a migration from a physical ASA to a virtual one, as the physical was end of life.

Luckily I didn’t need to go into work on Friday 26/04/24, until I got a call around 4PM saying that I needed to shut down another one of the customer’s legacy ASAs to prevent ArcaneDoor. The tricky part here is that the customer’s critical services traverse this firewall, though at this point the customer just wanted it shutting down and for me to get logs sent through to Cisco TAC to make sure they hadn’t been compromised.

As this was a legacy firewall I knew we would need to migrate to something else to restore service, so I prepared for another firewall migration from a physical ASA to virtual. Luckily I’d already done most of the pre-work, but getting through to TAC was tough: I didn’t manage to speak to them till 1:00AM, but the TAC engineer was great and gave us the news I wanted to hear, that the customer hadn’t been hit by ArcaneDoor.

At 09:30AM on Saturday 27/04/24 I was completing the legacy ASA migration from physical to virtual. This went super smoothly and service was restored within an hour, though I did hit a bit of a snag on the ASA: I needed to add a secondary IP to an interface, but the ASA doesn’t support secondary IPs. WTF!

To get around this I had to create a dummy ARP entry (with the alias keyword) so that the ASA would respond to traffic for the secondary IP that I needed.

arp outside X.X.X.X 00ff.00ff.00ff alias

The Next Challenge

The days running up to exam day didn’t help either, as I got an urgent request to provision 400 access points, but this has actually turned out to be quite an interesting task. We had a mix of 9130AXI and 9130AXE APs that needed to replace 3702s and 3802s. Building that many in one go and adding them to the Catalyst 9800 in specific locations would have taken me a long time; myself and two other team members initially started doing it manually and it was a killer.

I took the team out for some food and a break and decided we needed to automate this build process. I went back to the build room and came up with a very simple automation script utilizing Netmiko.

There were some gotchas that I needed to overcome to build the automation. Firstly, the APs had already been associated to the controller in the past but were part of the wrong location. I did think clearing the AP config would remove them from the existing location, but because the MAC address already exists within the location, when the APs come back online they go straight back into the same location.

I broke the work into three tasks:

  • Remove the APs from the existing location via MAC address
  • Add the APs into the correct location
  • Rename the APs to the correct name

I created three text files: one that contained the AP locations that exist on the 9800, one that contained all the MAC addresses of the APs that were connected to the build switch (we had around 25 APs connected at once), and the last text file contained the new AP names.

Below is an example of looping through the MAC addresses and making sure that they don’t exist in any of the locations that are specified in locations.txt.

The other functions follow the pattern below, just changing a few commands. To be able to cut a task down from hours to minutes is something that still fascinates me to this day; I’m not fantastic at Python, but creating something within minutes to help me and the team is a great feeling.

from getpass import getpass
from netmiko import ConnectHandler, NetmikoAuthenticationException, NetmikoTimeoutException


def remove_ap_from_location():

    username = input("Enter TACACS Username: ")
    password = getpass("Enter TACACS Password: ")

    try:

        netmiko_connect = ConnectHandler(
            device_type="cisco_ios",
            host="192.168.1.1",   # trailing comma was missing here
            username=username,
            password=password
        )

        # Read both files into lists first: iterating the open file object
        # directly would exhaust "locations" after the first MAC, so every
        # MAC after that would silently be skipped. Strip the newlines too,
        # otherwise they end up inside the CLI command.
        with open("locations.txt", "r") as f:
            locations = [line.strip() for line in f if line.strip()]
        with open("mac_address.txt", "r") as f:
            mac_addresses = [line.strip() for line in f if line.strip()]

        for mac in mac_addresses:
            for location in locations:
                # "location" is the full "ap location name ..." line from locations.txt
                remove_ap = netmiko_connect.send_config_set([location,
                                                 f"no ap-eth-mac {mac}"])
                print(remove_ap)

        netmiko_connect.disconnect()

    except NetmikoAuthenticationException:
        print("Authentication failed")
    except NetmikoTimeoutException:
        print("Timeout to device")
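
As an added example (my own code, not the author's script), here is one way to carry all three tasks through from the same three text files: the command lists are built and validated first, so that a stray or mistyped line in mac_address.txt or the names file is refused instead of being pushed to the controller as a CLI line, and only then are they sent over a single Netmiko session. Assumptions not taken from the post: locations.txt holds bare location names, mac_address.txt and an ap_names.txt are line-aligned, the 9800 commands "ap location name", "ap-eth-mac" and the exec-mode rename "ap name <old> name <new>", and the "show ap summary" output below, which is constructed sample data.

```python
from getpass import getpass
import re

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
# Assumed safe character set for AP and location names; anything outside it
# is refused rather than interpolated into a CLI command.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,31}$")

# Constructed sample of "show ap summary" output (two APs with default names).
SAMPLE_SHOW_AP_SUMMARY = """\
Number of APs: 2

AP Name           Slots AP Model   Ethernet MAC    Radio MAC       Location          Country IP Address  State
--------------------------------------------------------------------------------------------------------------
AP1C3A.B1C2.0001  2     C9130AXI-E 1c3a.b1c2.0001  1c3a.b1c2.1000  default location  GB      10.0.0.11   Registered
AP1C3A.B1C2.0002  2     C9130AXE-E 1c3a.b1c2.0002  1c3a.b1c2.2000  default location  GB      10.0.0.12   Registered
"""


def read_list(text):
    """Non-empty, stripped lines of one of the three text files."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def normalise_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff and return
    Cisco dotted form; raise on anything that is not exactly 12 hex digits."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[:4]}.{digits[4:8]}.{digits[8:]}"


def validate_name(name):
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"refusing unsafe AP/location name: {name!r}")
    return name


def removal_commands(locations, macs):
    """Task 1: under every existing location, 'no ap-eth-mac' each MAC.
    Removing a MAC that is not in a location is harmless, so we do not need
    to know where each AP currently lives."""
    cmds = []
    for loc in locations:
        cmds.append(f"ap location name {validate_name(loc)}")
        cmds.extend(f"no ap-eth-mac {normalise_mac(m)}" for m in macs)
    return cmds


def add_commands(target_location, macs):
    """Task 2: add every MAC to the correct location in one config set."""
    return [f"ap location name {validate_name(target_location)}"] + [
        f"ap-eth-mac {normalise_mac(m)}" for m in macs]


def current_names(show_ap_summary):
    """Map Ethernet MAC -> current AP name from 'show ap summary': the name is
    the first column and the Ethernet MAC is the first dotted MAC on the row."""
    names = {}
    for line in show_ap_summary.splitlines():
        fields = line.split()
        row_macs = [f for f in fields if MAC_RE.fullmatch(f)]
        if row_macs:
            names[row_macs[0]] = fields[0]
    return names


def rename_commands(macs, new_names, show_ap_summary):
    """Task 3: exec-mode 'ap name <old> name <new>' for each line-aligned pair."""
    if len(macs) != len(new_names):
        raise ValueError("mac_address.txt and ap_names.txt must be line-aligned")
    names = current_names(show_ap_summary)
    cmds = []
    for mac, new in zip(macs, new_names):
        old = names.get(normalise_mac(mac))
        if old is None:
            raise ValueError(f"{mac} has not joined the controller, cannot rename")
        cmds.append(f"ap name {old} name {validate_name(new)}")
    return cmds


def push(host, locations, macs, new_names, target_location):
    """Open one Netmiko session (credentials prompted, never stored in the
    script) and apply the three tasks in order. Imported here so the
    planning functions above run without Netmiko installed."""
    from netmiko import ConnectHandler
    conn = ConnectHandler(device_type="cisco_ios", host=host,
                          username=input("Enter TACACS Username: "),
                          password=getpass("Enter TACACS Password: "))
    try:
        print(conn.send_config_set(removal_commands(locations, macs)))
        print(conn.send_config_set(add_commands(target_location, macs)))
        summary = conn.send_command("show ap summary")
        for cmd in rename_commands(macs, new_names, summary):
            print(conn.send_command(cmd))
    finally:
        conn.disconnect()


if __name__ == "__main__":
    # Dry run on constructed data: print the planned commands, no controller needed.
    macs = read_list("1c:3a:b1:c2:00:01\n1c3a.b1c2.0002\n")
    for cmd in (removal_commands(["Floor1", "Floor2"], macs)
                + add_commands("BuildingA-Floor3", macs)
                + rename_commands(macs, ["BLD-A-F3-01", "BLD-A-F3-02"],
                                  SAMPLE_SHOW_AP_SUMMARY)):
        print(cmd)
```

Running the file as-is prints the planned command lists from the constructed sample; to apply them for real you would read the three files with read_list and call push() with the controller address. The point of keeping the planning separate from the Netmiko session is that every line that will hit the controller can be inspected (or diffed against a previous run) before a single TACACS login happens, and a bad input file fails fast instead of half way through 400 APs.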

Exam Day

I was meant to sit the exam on Sunday 05/05/24, but I was working late on Friday and worked Saturday, so I was absolutely worn out on Sunday. I used the day to study, and luckily there was a slot to sit the exam on Monday 06/05/24.

I spent the full day studying, going through Boson ExSim and going through all the API documentation for the things that are mentioned in the blueprint. I also made sure that I was happy with making cURL requests, as I knew this would be something that would catch me out.

I sat the exam at 5PM UK time and ended up using the full 2 hours, the first time I’ve nearly run out of time on a Cisco exam. The exam was the hardest one I’ve taken; I think this was because it was a complete mindset shift away from networking.

Though I am pleased to say I passed! I will do a full exam review, as there are a few points I want to bring up about the exam.
