Saturday, 19 September 2020

API-Based Tools Make Cisco Device Management and Monitoring Easier


Cisco’s Intent-Based Networking (IBNG) Innovation Team is responsible for providing training labs, bootcamps and demos for customers, partners and internal sales at individual and public events. After each training we have to reset hundreds of devices and multiple controllers such as Cisco DNA Center, ISE, DHCP and WLC. This manual reset takes the team a lot of time; during some of our events we are required to reset multiple times a week, or even daily. To minimize the manual work and be more efficient, we created some API-based tools that complete the whole process in less than 30 minutes.

If you have any requirement for similar use cases, you can try our API-based tools that can save you time and reduce the tedious work!

We have 20-30 pods in each training lab. A pod is an individual testbed that contains different devices, such as edge/access, distribution and core devices. These devices mimic a small customer enterprise environment, with Catalyst 3k and 9k switches, ASR and ISR routers and wireless controllers. During the lab, the devices are configured for various use cases. After each event, the devices need to be brought back to their initial state. With the help of APIs and scripts, we automated this reset process.

API-based Tools


For resetting devices such as Cat9ks, Cat3ks, ASRs and ISRs we are using SecureCRT scripting APIs, which can reset a device to its default state or configure it to a base state. Whatever mode a switch is in (configuration mode, enable mode or any other mode), these scripts make the necessary mode changes and then perform the reset. Sometimes after a reset we want to apply additional configuration that is not part of the base; for that we use another script that can run simultaneously on multiple devices.


We also created a button bar in SecureCRT and mapped the script to a button. The button bar is a quick way to run scripts, send strings and issue protocol commands on multiple sessions simultaneously. Step-by-step instructions for configuring this button can be found here. Whenever we want to execute a script on any number of sessions, clicking the button runs the script on all open sessions. The following is an example of mapping a Python script to a button in a button bar. All the links to these scripts are listed in the What Next? section.
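As an added illustration of the mode-detection logic described above (example code written for this page, not the team's own script and not taken from SecureCRT's documentation), the following SecureCRT Python script reads the current prompt, walks the session back to enable mode from user EXEC, configuration or any sub-configuration mode, handles the enable-secret prompt and the `--More--` pager, and then applies a base configuration. `BASE_CONFIG`, the prompt patterns and the helper names are assumptions for illustration; `crt`, `Screen.Get`, `Screen.Send`, `Screen.WaitForStrings` and `Dialog.Prompt` are SecureCRT's scripting API. The enable secret is requested through a masked dialog rather than stored in the script.

```python
# $language = "python"
# $interface = "1.0"
#
# Added example (not from the original post): bring a SecureCRT session on an
# IOS/IOS-XE device back to privileged EXEC mode from whatever mode it is in,
# then push a base configuration. BASE_CONFIG and prompt patterns are assumed.
import re

# Constructed base configuration for a lab device (assumed values).
BASE_CONFIG = [
    "hostname LAB-BASE",
    "no ip domain-lookup",
    "service password-encryption",
]


def commands_to_reach_enable(prompt):
    """Return the commands needed to move from the mode implied by `prompt`
    to privileged EXEC mode.
      'Switch>'             user EXEC            -> ['enable']
      'Switch#'             privileged EXEC      -> []  (already there)
      'Switch(config-if)#'  any (sub)config mode -> ['end']
      ' --More-- '          pager                -> ['q'] (caller re-reads prompt)
      anything else         unknown/no prompt    -> ['']  (send newline, retry)
    """
    prompt = prompt.strip()
    if prompt.endswith("--More--"):
        return ["q"]
    if re.search(r"\(config[^)]*\)#$", prompt):
        return ["end"]
    if prompt.endswith(">"):
        return ["enable"]
    if prompt.endswith("#"):
        return []
    return [""]


def current_prompt(screen):
    """Read the text on the cursor row of a SecureCRT Screen object."""
    row = screen.CurrentRow
    return screen.Get(row, 1, row, screen.Columns)


def normalize_to_enable(screen, ask_secret, max_steps=6):
    """Drive the session to enable mode; returns True on success.
    `ask_secret` is called only if the device asks for the enable secret."""
    for _ in range(max_steps):
        prompt = current_prompt(screen)
        if prompt.strip().endswith("Password:"):
            screen.Send(ask_secret() + "\r")
            screen.WaitForStrings(["#", ">", "Password:"], 5)
            continue
        cmds = commands_to_reach_enable(prompt)
        if not cmds:
            return True
        for cmd in cmds:
            screen.Send(cmd + "\r")
            screen.WaitForStrings(["#", ">", "Password:", "--More--"], 5)
    return False


def main():
    # SecureCRT calls main() with the global `crt` object available.
    crt.Screen.Synchronous = True
    ask = lambda: crt.Dialog.Prompt("Enable secret:", "Base config", "", True)
    if not normalize_to_enable(crt.Screen, ask):
        crt.Dialog.MessageBox("Could not reach enable mode; check the session.")
        return
    crt.Screen.Send("configure terminal\r")
    crt.Screen.WaitForString("(config)#", 5)
    for line in BASE_CONFIG:
        crt.Screen.Send(line + "\r")
        crt.Screen.WaitForString("#", 5)
    crt.Screen.Send("end\r")
    crt.Screen.WaitForString("#", 5)
```

Because `commands_to_reach_enable` is a pure function, the prompt classification can be unit-tested off-device before the script is mapped to a button and run against twenty pods at once.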


The next step is to reset Cisco DNA Center. For Cisco DNA Center we use its internal APIs to perform backup and restore operations, and to check the status of backup and restore jobs. Currently the backup/restore APIs are for internal purposes only; they will be published in future. We also integrated these backup/restore scripts with Webex Teams, so whenever you execute a backup or restore script it sends a notification to Webex Teams and everyone in that Webex space is aware of the change.


The next step is to reset the other controllers, such as ISE/DHCP/DNS/Cat9800. We installed these controllers as VMs on ESXi hosts. To reset them we use VM snapshots and non-persistent disk mode: with PowerCLI cmdlets we create new VMs from the snapshots and reset the VMs that run in non-persistent mode. The following is an example that resets the controllers and creates VMs from snapshots. All the links to these scripts are listed in the What Next? section.


Monitoring API-Based Tools


After the reset process has completed, we also monitor the devices using Python applications. If something happens to a device, such as a link or switch going down, we are notified in Webex Teams. We integrated Cisco DNA Center with Webex Teams and configured events on Cisco DNA Center to notify us of these alerts, so any issue arrives in Webex Teams as an alert. The following is an example of the switch-unreachable notification that Cisco DNA Center sent to Webex Teams via APIs.



The following is an example of subscribing to an event in Cisco DNA Center and providing receiver details for sending the alerts. You can subscribe to specific events that may occur in your network; after subscribing, if the event occurs you receive a notification through the REST APIs. You can refer here for more details on how to subscribe to events.
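The two Webex integrations in this post (backup/restore notifications and Cisco DNA Center event alerts) both end in the same operation: a script receives an event and posts a message to a Webex Teams space. The following is an added example written for this page, not the team's scripts and not Cisco DNA Center's event schema: a small REST webhook receiver that checks a shared-secret header before accepting an event, formats the event as a Webex message, and posts it with the Webex `POST /v1/messages` API using only the standard library. `EVENT_SAMPLE`, its field names, the `X-Webhook-Secret` header and the environment variable names are assumptions; the Webex URL, `roomId` and `markdown` fields, and the bearer-token header are the real Webex API. The secret check is there because a webhook URL is guessable and, without it, anyone who finds the endpoint can flood the team's alert space.

```python
"""Added example (not code from the original post): receive a Cisco DNA Center
event on a webhook, verify a shared secret, and post a Webex Teams message.
Event field names in EVENT_SAMPLE are constructed, not DNA Center's schema."""
import hmac
import json
import os
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

WEBEX_MESSAGES_URL = "https://webexapis.com/v1/messages"

# Constructed sample of a device-unreachable event (keys are assumptions).
EVENT_SAMPLE = {
    "eventId": "constructed-event-0001",
    "severity": 1,
    "category": "ALERT",
    "timestamp": 1600502400000,
    "details": {
        "Type": "Network Device Unreachable",
        "Assurance Issue Details": "Switch pod07-edge1 is unreachable",
        "Device": "10.0.7.11",
    },
}


def format_alert(event):
    """Render an event dict as a one-line Webex markdown message."""
    details = event.get("details", {})
    sev = {1: "Critical", 2: "Major", 3: "Minor"}.get(event.get("severity"), "Info")
    return (f"**{sev}**: {details.get('Type', 'event')} "
            f"(`{details.get('Device', 'n/a')}`) - "
            f"{details.get('Assurance Issue Details', '')}")


def build_webex_request(room_id, markdown, token):
    """Return (url, headers, body) for the Webex messages API call."""
    body = json.dumps({"roomId": room_id, "markdown": markdown}).encode()
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    return WEBEX_MESSAGES_URL, headers, body


def send_webex_message(room_id, markdown):
    """Post the message; the bot token comes from the environment, never code."""
    token = os.environ["WEBEX_BOT_TOKEN"]
    url, headers, body = build_webex_request(room_id, markdown, token)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def is_authorized(headers, expected_secret):
    """Constant-time comparison of the X-Webhook-Secret header (assumed name,
    set as a custom header on the DNA Center event destination)."""
    supplied = headers.get("X-Webhook-Secret", "")
    return hmac.compare_digest(supplied, expected_secret)


class WebhookHandler(BaseHTTPRequestHandler):
    """Receiver for DNA Center event notifications."""

    def do_POST(self):
        secret = os.environ.get("WEBHOOK_SECRET", "")
        if not secret or not is_authorized(self.headers, secret):
            self.send_response(403)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        event = json.loads(self.rfile.read(length) or b"{}")
        send_webex_message(os.environ["WEBEX_ROOM_ID"], format_alert(event))
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    # Put this behind TLS (a reverse proxy) before exposing it to DNA Center.
    HTTPServer(("0.0.0.0", 8080), WebhookHandler).serve_forever()
```

Set `WEBHOOK_SECRET`, `WEBEX_BOT_TOKEN` and `WEBEX_ROOM_ID` in the receiver's environment, and configure the same secret as a custom header on the Cisco DNA Center event destination; an empty secret makes the receiver refuse every request rather than accept all of them.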


Friday, 18 September 2020

Cisco 500-440 Sample Questions | Syllabus | UCCED Practice Test


Cisco UCCED Exam Description:

This exam tests a candidate's knowledge of design considerations and guidelines for deploying Cisco Unified Contact Center Enterprise (Cisco Unified CCE) solutions. Cisco Unified CCE is part of Cisco Unified Communications application suite, which delivers intelligent call routing, network-to-desktop computer telephony integration (CTI), and multichannel contact management to contact center agents over an IP network.

Cisco 500-440 Exam Overview:

Streamline NX-OS fabric deployments with Cisco DCNM and Red Hat Ansible


Today I will give an overview of our recent integration between Cisco Data Center Network Manager (DCNM) and Red Hat Ansible to streamline NX-OS fabric deployments.

Introduction

Traditionally, data center network configuration has been a manual, error-prone process: an operator goes device by device to make changes, and every change requires a deep understanding of the OS-specific CLI as well as of the technology and the implications of each CLI change in order to attain the desired outcome.

Cisco DCNM

Cisco DCNM is a turnkey solution for NX-OS network-wide workload orchestration and workflow automation, providing everything from Day 0 auto-provision, through Day N configuration changes. The solution is delivered through an easy to use UI for a single point of management for both network configuration and monitoring.

Additionally, operators have begun to understand and embrace the DevOps model to streamline network management. It is now widely accepted that network automation can be leveraged to accelerate network deployment and optimize network operations in a data center.

With the current global COVID-19 pandemic, network teams are being asked to do more with less, all while working remotely.

The importance of automation was highlighted even further in a recent IDC survey[1].

As part of the responses to the survey,

1. 48% of respondents said they will increase investment in automation solutions to reduce manual management of the network

2. 46% require increased ability to remotely manage network operations

Ansible and Cisco DCNM

Red Hat Ansible is an open-source solution that addresses challenges from network automation and application deployment, to managing a cloud infrastructure, in order to drive a more efficient IT environment with a simplified toolchain.

Ansible has emerged as one of the most popular platforms to automate and simplify network management tasks and boost cost savings and operational efficiency. Ansible works with many different operating systems that run on Cisco Networking platforms including ACI, IOS-XE and IOS-XR.

For several years now, Cisco has offered industry leading Ansible modules for NX-OS, which have been widely adopted and remain extremely popular to automate and streamline network deployments.

However, customers are increasingly looking to move towards a single point of management for their fabrics, rather than making changes at a device by device level.

Ansible, in conjunction with Cisco DCNM, provides a perfect combination for customers to embrace the DevOps model and accelerate NX-OS deployment, monitoring, day-to-day management, and more. Ansible achieves this goal by leveraging the open APIs of DCNM to automate the most common tasks.

Operational efficiencies made possible by Ansible and Cisco DCNM include the following:

◉ Addition or removal of NX-OS switches from a fabric

◉ Management of networks within a VXLAN fabric

◉ Addition or removal of VRFs from a VXLAN fabric

◉ Orchestration of switch interfaces within a DCNM managed fabric


Key Benefits of Cisco DCNM/Ansible solution


◉ Enables Admins to align on a unified approach to managing NX-OS fabrics with the same toolchain of their application deployments, enabling a tight coupling of application and network provisioning.

◉ Like all Ansible modules, the DCNM modules are idempotent ensuring that only necessary changes are made to the fabric. If the fabric is already in the desired state, no changes are made.

◉ Easy entry to leveraging Ansible, with all playbooks being written in human readable YAML.

Thursday, 17 September 2020

Cisco Secure Remote Worker Architecture for Azure

Today companies are investing in empowering their workforce to have a secure connection to the resources hosted in the Cloud. Cisco provides a secure remote worker solution that uses the Cisco AnyConnect Secure Mobility Client, Cisco Duo, Cisco Umbrella, and Cisco Advanced Malware Protection (AMP) for Endpoints.

◉ Cisco AnyConnect Secure Mobility Client: Cisco AnyConnect Secure Mobility Client empowers remote workers with frictionless, highly secure access to the enterprise network from any device, at any time, in any location while protecting the organization. It provides a consistent user experience across devices, both on and off-premises, without creating a headache for your IT teams. Simplify management with a single agent.

◉ Cisco Duo: Cisco Duo is a user-friendly, scalable way to keep business ahead of ever-changing security threats by implementing the Zero Trust security model. Multi-factor authentication from Duo protects the network by using a second source of validation, like a phone or token, to verify user identity before granting access. Cisco Duo is engineered to provide a simple, streamlined login experience for every remote user. As a cloud-based solution, it integrates easily with your existing technology and provides administration, visibility, and monitoring capabilities.

◉ Cisco Umbrella Roaming Security Module: Cisco Umbrella Roaming Security module for Cisco AnyConnect provides always-on security on any network, anywhere, any time — both on and off your corporate VPN. The Roaming Security module enforces security at the DNS layer to block malware, phishing, and command and control callbacks over any port. Umbrella provides real-time visibility into all internet activity per hostname both on and off your network or VPN.

◉ Cisco Advanced Malware Protection (AMP) Enabler: Cisco AnyConnect AMP Enabler module is used as a medium for deploying Advanced Malware Protection (AMP) for Endpoints. It pushes the AMP for Endpoints software to a subset of endpoints from a server hosted locally within the enterprise and installs AMP services to its existing user base. This approach provides AnyConnect user base administrators with an additional security agent that detects potential malware threats in the network, removes those threats, and protects the enterprise from compromise. It saves bandwidth and time taken to download, requires no changes on the portal side, and can be done without authentication credentials being sent to the endpoint. AnyConnect AMP Enabler protects the user both on and off the network or VPN.


Figure 1 – Components of the Cisco secure remote worker solution

Cisco Secure Remote Worker Architecture for Azure


Today organizations consume services, workloads, and applications hosted in Azure (public cloud). Azure provides a wide range of services that offer ease of use, orchestration, and management. Customers are embracing these services, but this consumption model opens another attack surface. Using Cisco security controls, customers can provide a secure connection to the Azure cloud infrastructure. This remote access VPN architecture protects multi-VNet, multi-AZ (availability zone) deployments by extending the Cisco Secure Remote Worker solution. The architecture brings together Cisco Security and Azure Infrastructure-as-a-Service (IaaS) and extends remote access VPN capabilities with Duo, Umbrella, and AMP Enabler.


Figure 2 – Secure Remote Worker architecture for multi-VNet, multi-AZ

The above network design has the following components and services:

◉ Cisco ASAv or Cisco NGFWv for Remote access VPN termination (TLS or DTLS)
◉ Cisco Secure AnyConnect Mobility Client on the endpoints
◉ Microsoft Windows 2019 Active Directory for LDAP
◉ Cisco Duo for Multi-Factor Authentication
◉ Umbrella Security Roaming Module for DNS Layer Security
◉ AMP Enabler for protection against Malware

This architecture is designed on the basis of the hub-and-spoke model: the Hub-VNet has firewalls for VPN termination and is connected to the spoke VNets using VNet peering. VNet peering uses the Azure backbone network, which provides higher throughput.

◉ Remote Access VPN sessions are load balanced by Azure Traffic Manager
◉ Azure Internal Load Balancer (Standard) is used for non-VPN traffic load balancing (East/West)
◉ Azure External/Public Load Balancer is used for non-VPN traffic load balancing (North/South)

Traffic Flow 


Remote Access VPN: Azure blocks layer-2 visibility required for native HA and VPN load balancing to work. To enable resiliency and VPN load balancing, one must rely on the native cloud services such as Azure Traffic Manager (ATM), DNS, and UDR. In this architecture, VPN users send VPN traffic to the Azure Traffic Manager. ATM tracks all the firewalls using probes, and it load-balances VPN connection endpoints (Cisco Firewalls).

◉ Each Firewall has a separate VPN pool
◉ Azure User Defined Route (UDR) forwards traffic back to the correct firewall
◉ Azure Traffic Manager load balances the RAVPN traffic


Figure 3 – Secure Remote Worker architecture for multi-VNet, multi-AZ (RA VPN Traffic Flow)

Non-VPN (East/West): Firewalls in the Hub-VNet inspect east-west traffic. Each subnet in a spoke VNet has a route table with a user-defined route (UDR) pointing to the Azure ILB virtual IP address. Traffic lands on the ILB, and the ILB forwards it to a firewall. The firewall inspects the traffic; if the traffic is allowed, it is sent to the destination VNet over the VNet peering. Return traffic is forwarded back to the ILB because a similar UDR is applied on the destination VNet as well. The ILB maintains state and sends the return traffic to the same firewall that processed the initial packet flow.


Figure 4 – Non-VPN East/West Traffic Flow

Non-VPN (North/South)

◉ Outbound Traffic Flow: Each spoke subnet has a route table associated with it. The UDR controls traffic routing and has a default route that points to the ILB’s virtual IP (VIP). The Hub-VNet has the ILB, and the ILB points to the firewalls for internet connectivity. Internet traffic is load-balanced across the perimeter firewalls, and traffic is SNATed to the outside interface IP address. Outbound traffic does not hit the external load balancer because a public IP is mapped to the outside interface of the firewall and the UDR on the outside subnet uses 10.82.1.1 as the default gateway. The Azure ILB used in this architecture is a Standard SKU, which requires an explicit Azure NSG to allow traffic to the firewalls (backend devices). An Azure NSG is applied to the inside and outside interfaces of the firewalls; this NSG has an allow-all rule applied, but you can restrict traffic according to your Infosec policy.


Figure 5 – Non-VPN North/South (Outbound Traffic Flow)

◉ Inbound Traffic Flow: External users access a frontend IP on the Azure public load balancer (ELB), which has the firewalls’ external interfaces in its backend pool. The ELB is responsible for load balancing incoming non-VPN traffic and sends it to a firewall; if the traffic is allowed, it is SNATed to the inside interface to maintain traffic symmetry.


Figure 6 – Non-VPN North/South (Inbound Traffic Flow)

Wednesday, 16 September 2020

Adapting to the New Work Environment through Automation


This blog is one in a series focusing on aspects of Cisco DNA and intent-based networking. #IntentBasedNetworking

It’s such an odd time right now. Standing where we are, we know the world and the workforce is changing. While there’s universal consensus that nothing will be the same, no one is sure exactly what the new workforce environment will look like. Sure, there are hints. According to a recent IDC webinar—COVID 19 and Enterprise Networking—Assessing the Impact, Planning for the Future—the number of remote workers will surge from less than 7% to nearly 30%. And networks will need to change to support business continuity in this geographically dispersed workforce with application and collaboration experiences that mirror those in the office.

But what will that look like? VPN? Cloud?

One sure thing is that network automation will play an increasingly important role going forward. The same IDC report bears this out, indicating that, at 48%, the number one area of increased IT investment will be for network automation. Why? Because regardless of how IT pivots to support distributed workers, the infrastructure required to handle that load will be more complex and more demanding. The management task is simply too heavy a lift to perform manually. It must be handled through automation.

This distributed workforce requirement aligns with the core automation capabilities built into Cisco DNA Center. We have always touted the time and cost savings available using Cisco DNA Center automation capabilities. Those benefits still remain. However, the emphasis moving forward will be on business resilience and continuity.

Cisco DNA Center automation works because it uses business intent to define how a network should run. Then it defines policies and configurations to ensure the network operates as intended. Then—and here’s the real power—Cisco DNA Center automatically pushes those policies and configurations throughout the network. Even a geographically distributed network.

There are several aspects of the new workforce environment that require this higher level of automation: deployments, complexity, consistent experience, configuration changes, security, and software maintenance. Let’s take a closer look at each.

Deployments


As enterprises scramble to support work from home, the number of new device deployments—for remote access, security, and routing—has exploded. The number and overnight turnaround make managing the deployments manually nearly impossible. An IT department with a dozen techs can’t scale up to instantaneously deploy thousands or tens of thousands of remote deployments over one weekend. And I’ve heard story after story of how that’s exactly what Cisco DNA enabled.

Complexity


Complexity is likely to grow as organizations adapt to a more remote workplace. This is because of two factors—distribution and control. First, as workers work from home, the number of points of connection will become more distributed. And, second, the organization has less control over the technology in those home office environments. Sure, you can send virtual office routers, but you won’t have control over the ISP or wiring in the house. This makes access policy more difficult to implement and enforce – and configurations more difficult to establish and manage.

It’s just not realistic to assume that any IT department would have the manual resources to tackle this complexity. That’s where Cisco DNA automation comes in. You can establish different configurations for remote offices, headquarters, even different ISPs, then use Cisco DNA Center to automatically configure all of the necessary devices to support that remote access.

Consistent Experience


One of the things I keep hearing about the shift to working remotely is that employees don’t see their home office as workplace lite. It’s their new office. To deliver the same level of productivity, employees need to have an experience that’s consistent with the one they had in the campus or branch. That means consistent application access and performance, even while working from their new home office.

Sure, some of this consistent experience is dependent on the network devices used in the remote office. But consistent configurations and access policies are even more important. Again, with the number of home office locations exploding, there is no way for an IT department to manually provision all of these offices for optimal experience. And, if they try, the manual effort is guaranteed to introduce configuration errors that diminish the expected application and access experience and create potential security vulnerabilities.

Configuration Changes


While remote workplaces will be a big part of future collaboration, so will change. Employees may more frequently migrate between remote and campus environments. And enterprises may need to continually change configurations, policies and access permissions to accommodate this new demand for flexibility.

Through the configuration templates and automated deployment already discussed, Cisco DNA Center helps you easily make these changes. More importantly, because of the intent-based templates, those changes, regardless of how quickly they need to be deployed, will maintain the same level of consistency and application support as the initial deployment.

Security


With the expanded threat surface created by more remote work environments, security is a huge concern going forward. Vulnerabilities may be introduced into the network during rollout and management through deployment glitches, missed security patches and non-integrated security applications. The automation capabilities of Cisco DNA Center help with all three.

For deployments, the automated nature of Cisco DNA deployments uses consistent configuration templates and significantly reduces manual errors, thereby greatly minimizing the introduction of security vulnerabilities through incomplete or inaccurate deployments.

Going further, Cisco DNA Center has security integrated into its automation capabilities. First, all applications are under constant attack and require effective security patch management to quickly address vulnerabilities. Cisco security advisories are made available from within Cisco DNA Center. The highest-level threats for devices on your network rise to the top of the list, where you can directly download and deploy the new patches to all affected devices.

In addition, Cisco DNA Center integrates several Cisco security solutions right into the solution dashboard. Stealthwatch and Umbrella can be deployed directly from within Cisco DNA Center. And rogue and adaptive wireless intrusion prevention is built right into the solution. As a result, security and network management, both in greater demand in this new environment, can be more effectively managed through the automation capabilities of Cisco DNA Center.

Software Maintenance


In the best of times, maintaining current versions of system software for all of your network devices can be a challenge. But when those devices are distributed across thousands or tens of thousands of remote worksites, the task is no longer feasible with manual updates.

Again, Cisco DNA Center automation capabilities help you overcome this challenge. Cisco DNA Center can actively discover all the system software versions on your network devices, highlight those that are inconsistent or out of compliance, and even push the correct, up-to-date image to the identified network devices. All automatically from your Cisco DNA Center dashboard and regardless of location. In fact, you can even define different configurations by location and keep those up to date as well.

The bottom line is no one really knows the exact shape of the future workforce environment. But Cisco DNA Center automation capabilities all support the agility, flexibility, and remote access that will help you adapt as we all move forward.

Tuesday, 15 September 2020

Managing a safer return to work with Cisco DNA Spaces — An early report

As pandemic restrictions ease, we’re working to manage a safer return to the office. Our strategy includes monitoring workspace density. If people are maintaining the recommended distance, we’ll consider inviting more people back. If not, we’ll pause.

This blog is an update to the initial plans I shared in Helping to keep employees safe by measuring workspace density with Cisco DNA Spaces. As I write this, we’re using Cisco DNA Spaces to monitor workplace density in 20 Cisco offices, including several in Asia Pacific and Europe. Here are our experiences after the first few months, and what’s ahead.

Counts are accurate


Before using Cisco DNA Spaces to monitor workspace density, we needed to confirm that most people in our buildings connect at least one device—phone, tablet, or laptop. In the first offices to open, Seoul and Beijing, we assigned people to count the number of people entering and exiting each floor lobby. The count closely matched the Cisco DNA Spaces count, giving us the confidence to move ahead.


To make sure we don’t count one person with a connected laptop, tablet, and phone as three people, Cisco DNA Spaces groups all devices that log in with the same username. Privacy is a top priority at Cisco, so we don’t capture or store the username. Instead it shows up as a string of random characters (a hash) that can’t be mapped back to a person.

Grouping devices by username was one of our suggestions as “Customer Zero.” While we’re not the first company to use Cisco DNA Spaces, we are the first to use it to monitor workspace density to plan a safer return to work. As Customer Zero we’re giving the DNA Spaces product team our feedback as a customer so they can continually improve the product. We’re also sharing our experiences with other customers, as I’m doing here, to help them get the most value from their own deployments.

More accurate than the access-control system


Before the pandemic, our Workplace Resources (WPR) team estimated building occupancy based on data from the access-control system. But badge-in data has limitations for measuring workplace density. One problem: it doesn’t report when people exit the building. If 500 people enter a building throughout the day, at 4:30 p.m. there could be 500 people (dense)—or 100 (less dense). Another drawback of badge data is that readers typically are only at the building entrance—not on each floor. We don’t know if everyone is on one floor or they’re spread out across all floors.

Cisco DNA Spaces solves both problems. We can see how many people are present right now. And we can also see which floor people are on. We can even divide floors into zones, measuring density by zone.

What if people are too close?


The sooner we find out that too many people are in a particular zone, the sooner we can take action to get back to target density. Using the DNA Spaces Right Now app, we entered rules—for example, no more than 20 people in building 14, floor 1, zone A. If that rule is broken, the app sends an alert to the specified teams—via email, in a Webex Teams space, or another system. Our WPR team prefers Webex Teams alerts so they don’t have to worry about missing an email.
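The two mechanisms described above, grouping a person's devices under a hashed username so they count once, and evaluating a per-zone occupancy rule, fit in one short piece of code. The following is an added example written for this page, not Cisco DNA Spaces' implementation: association records and zone limits are constructed, and the keyed HMAC pseudonym is this example's choice for the "hash that can't be mapped back to a person". The keyed form matters: an unkeyed hash of a username can be matched against a directory of usernames by hashing each one, whereas an HMAC with a key kept out of the analytics store cannot. `PSEUDONYM_KEY`, `ASSOCIATIONS` and `RULES` are assumed values.

```python
"""Added example (not code from the original post): count distinct people per
zone from Wi-Fi associations using a keyed pseudonym of the username, then
evaluate density rules. All data and the key below are constructed."""
import hashlib
import hmac
from collections import defaultdict

# Secret kept outside the analytics data store. With a keyed hash, a list of
# known usernames cannot be hashed and compared to recover identities, which
# an unkeyed SHA-256 of the username would allow. Constructed value.
PSEUDONYM_KEY = b"rotate-me-and-keep-out-of-the-data-store"


def pseudonym(username, key=PSEUDONYM_KEY):
    """Stable, keyed, non-reversible identifier for one person.
    Usernames are lower-cased first so 'alice' and 'ALICE' group together."""
    mac = hmac.new(key, username.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


# Constructed associations: (zone, client MAC, username seen at login time).
ASSOCIATIONS = [
    ("B14/F1/A", "00:11:22:33:44:01", "alice"),
    ("B14/F1/A", "00:11:22:33:44:02", "alice"),   # same person, second device
    ("B14/F1/A", "00:11:22:33:44:03", "ALICE"),   # same person, mixed-case login
    ("B14/F1/A", "00:11:22:33:44:04", "bob"),
    ("B14/F1/B", "00:11:22:33:44:05", "carol"),
    ("B14/F1/B", "00:11:22:33:44:06", "dave"),
    ("B14/F1/B", "00:11:22:33:44:07", "erin"),
]

# Constructed zone limits, in the spirit of "no more than 20 in B14/F1/A".
RULES = {"B14/F1/A": 20, "B14/F1/B": 2}


def devices_per_zone(associations):
    """Naive count: every connected device counts as a person."""
    counts = defaultdict(int)
    for zone, _mac, _user in associations:
        counts[zone] += 1
    return dict(counts)


def people_per_zone(associations):
    """Zone -> number of distinct people, de-duplicating devices by pseudonym.
    Only the pseudonym is retained; the username is not stored anywhere."""
    seen = defaultdict(set)
    for zone, _mac, user in associations:
        seen[zone].add(pseudonym(user))
    return {zone: len(people) for zone, people in seen.items()}


def violations(counts, rules):
    """[(zone, count, limit)] for every zone whose count exceeds its limit."""
    return [(zone, counts.get(zone, 0), limit)
            for zone, limit in rules.items()
            if counts.get(zone, 0) > limit]


if __name__ == "__main__":
    print("devices:", devices_per_zone(ASSOCIATIONS))
    print("people: ", people_per_zone(ASSOCIATIONS))
    for zone, count, limit in violations(people_per_zone(ASSOCIATIONS), RULES):
        print(f"ALERT {zone}: {count} people, limit {limit}")
```

On the constructed data the naive device count reports four people in zone A where there are two; the pseudonym count corrects that, and only zone B (three people against a limit of two) raises an alert.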

Beyond density measuring


During the pandemic our WPR team is cleaning surfaces more frequently. They can see which areas are the most heavily trafficked (and need more frequent cleaning) by checking the Right Now app. Some of our other ideas:

◉ Show floor occupancy to employees to help them decide when and where to work. We plan to integrate Cisco DNA Spaces with digital signage and our employee self-check app for COVID-19 symptoms, Cisco Office Pass. Employees will see historical occupancy of different areas of the building at different times. (You might have seen this on store and hospital ER websites). We’ll use Cisco DNA Spaces Firehose API to integrate with digital signage and the mobile app.

◉ Bring more kinds of sensor data into Cisco DNA Spaces, such as Cisco Meraki door intrusion sensors and cameras.

◉ Report the location of things as well as people. We could track expensive engineering and test equipment, for example, and alert security staff when wireless devices leave the building with someone other than their registered owner.

◉ Provide wayfinding (aka blue-dot navigation) on a mobile app. We’re already trying this out in the Cisco LifeConnections Health Center.

◉ Improve safety during disasters. When a building is evacuated, we can check if any devices remain connected to Wi-Fi. We’re thinking that employees who want to associate their name with their location will be able to opt in.

Lesson learned: check if building maps are accurate


Here’s a lesson learned from our experience as Customer Zero. Be sure to double-check access point locations, height, and orientation on building maps before uploading the maps to DNA Spaces. In our case, inaccurate building maps complicated deployment for the first few buildings. The maps had “drifted” over time as building layouts changed and access points were installed and moved. If an access point isn’t where you think it is, the reported location of devices connected to that access point won’t be accurate.

Monday, 14 September 2020

Using the New Cisco SD-WAN SDK

What is a Software Development Kit (SDK)?


Put simply, an SDK is a set of tools, libraries, and documentation that simplifies interacting with a REST API. The Cisco SD-WAN Python SDK is a Python-based SDK for Cisco vManage. The SDK is intended for anybody interested in automating the configuration and operation of Cisco SD-WAN deployments using Python.

What can you do with the SDK? 


The SDK enables configuration and operations of Cisco vManage via Python-based API bindings. In a traditional SD-WAN deployment, nearly all management of the SD-WAN control plane and overlay of VPNs and edge devices is done via the Cisco vManage GUI. The SDK allows automation of vManage via Python without any GUI interaction. The following examples illustrate some of the benefits of interacting with Cisco vManage programmatically.

◉ Integration with other platforms
◉ Basic management of policy or device/feature templates
◉ Backup/restore
◉ CI/CD

So, let’s get started:

Installing the Cisco SD-WAN SDK


The Cisco SD-WAN SDK is available via PyPI, so all that is required is “pip install”. It is also recommended to use a virtual environment. 


You are now able to use the SDK. The SDK has a great help function built-in too, just in case you find yourself stuck. 


Using the Cisco SD-WAN SDK


In this example, we can use the Always-On DevNet SD-WAN Sandbox. First we set credentials as environment variables from the sandbox supplying valid values for the following variables: 


Next, open your Python shell (in this example, I am using python). Create an authentication object and call the login function. Once you are authenticated to Cisco vManage, make API calls by creating an instance of the API object you are interested in (e.g. Device, Settings, Local Policy, etc.) and calling the functions from that object. The example below retrieves a list of all devices on the DevNet SD-WAN sandbox.
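To show what the authentication object and the Device API call do underneath, here is an added example written for this page (it is not the SDK's code and not the screenshots from the original post) that performs the same exchange with the standard library: read the credentials from environment variables, authenticate to vManage with `POST /j_security_check`, fetch the XSRF token from `/dataservice/client/token`, and list devices from `/dataservice/device`. The environment variable names (`VMANAGE_HOST`, `VMANAGE_USERNAME`, `VMANAGE_PASSWORD`, `VMANAGE_CA_BUNDLE`) and the sample response values are assumptions; the endpoints and the `host-name`, `device-type` and `reachability` keys are vManage's REST API. Certificate verification stays on: for a lab appliance with a self-signed certificate, point `VMANAGE_CA_BUNDLE` at the appliance certificate rather than disabling verification.

```python
"""Added example (not the SDK's code, not from the original post): the vManage
REST exchange that the Cisco SD-WAN SDK wraps, using only the standard library.
Environment variable names and SAMPLE_RESPONSE values are assumptions."""
import http.cookiejar
import json
import os
import ssl
import urllib.parse
import urllib.request

REQUIRED_VARS = ("VMANAGE_HOST", "VMANAGE_USERNAME", "VMANAGE_PASSWORD")


def load_credentials(env):
    """Return (host, user, password) from an environment mapping, or raise
    listing every missing variable so a half-configured shell fails early."""
    missing = [name for name in REQUIRED_VARS if not env.get(name)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return env["VMANAGE_HOST"], env["VMANAGE_USERNAME"], env["VMANAGE_PASSWORD"]


def make_opener(ca_bundle=None):
    """HTTPS opener with a cookie jar (vManage's session is cookie-based).
    Verification is never disabled; a CA bundle or the appliance's own
    certificate file is used when the default trust store will not do."""
    if ca_bundle:
        ctx = ssl.create_default_context(cafile=ca_bundle)
    else:
        ctx = ssl.create_default_context()
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(jar),
        urllib.request.HTTPSHandler(context=ctx))


def login(opener, host, user, password):
    """Authenticate and return the XSRF token needed on state-changing calls."""
    form = urllib.parse.urlencode({"j_username": user, "j_password": password})
    with opener.open(f"https://{host}/j_security_check",
                     data=form.encode(), timeout=15) as resp:
        # A failed login comes back as the HTML login page, not a 401.
        if b"<html" in resp.read(512).lower():
            raise RuntimeError("vManage login failed")
    with opener.open(f"https://{host}/dataservice/client/token", timeout=15) as resp:
        return resp.read().decode()


def get_devices(opener, host, token):
    """GET /dataservice/device; the token header is harmless on GET and
    required on POST/PUT/DELETE, so it is attached to every request."""
    req = urllib.request.Request(f"https://{host}/dataservice/device",
                                 headers={"X-XSRF-TOKEN": token})
    with opener.open(req, timeout=15) as resp:
        return json.load(resp)


def summarize(device_json):
    """Reduce the device list to (host-name, device-type, reachability)."""
    return [(d.get("host-name"), d.get("device-type"), d.get("reachability"))
            for d in device_json.get("data", [])]


def unreachable(device_json):
    """Host names of devices vManage does not currently consider reachable."""
    return [name for name, _kind, reach in summarize(device_json)
            if reach != "reachable"]


# Constructed sample shaped like the /dataservice/device response; the key
# names are real, the values are made up.
SAMPLE_RESPONSE = {"data": [
    {"host-name": "vmanage", "device-type": "vmanage", "reachability": "reachable"},
    {"host-name": "vsmart", "device-type": "vsmart", "reachability": "reachable"},
    {"host-name": "vedge01", "device-type": "vedge", "reachability": "unreachable"},
]}


if __name__ == "__main__":
    host, user, password = load_credentials(os.environ)
    opener = make_opener(os.environ.get("VMANAGE_CA_BUNDLE"))
    token = login(opener, host, user, password)
    for row in summarize(get_devices(opener, host, token)):
        print(row)
```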


Source Code 

You can also get the source code, as the SDK is developed as a community project on GitHub. To get the source code, go to DevNet Code Exchange. You can then install the package into your environment for development purposes:
