The Fairy Tale of Cisco ISE Posture

Posture, or Endpoint Compliance, is the way to check the health of machines before they access our network. Health could mean having the latest anti-virus, having a specific application already installed, making sure no USB drive is attached, etc.
Here is the story, frame by frame 🙂

Note: By saying Knowledge here, I mean how AnyConnect knows, for instance, what the latest version of a specific anti-virus is, and so on.

Created by Yasser Ramzy Auda

BGP Zero to Hero Part 8 is coming soon in CLN

I am writing BGP Zero to Hero Part 8; it will be about BGP Filtering.
This includes using distribute-list, Outbound Route Filtering (ORF), and filter-list using AS-path ACLs.
It will also explain regular expressions and use them with BGP AS-path filtering.
All of it comes with labs to practice, as usual.
This part will also include Soft Reconfiguration Inbound and Maximum Prefix.

This part might be available in CLN by mid-March 2022.

Previous parts:

BGP Zero to Hero Part 1, Establishing Peerings
https://lnkd.in/dZ6i8vfb

BGP Zero to Hero Part 2 , Attributes and Best Path Selection Algorithm
https://lnkd.in/gdtdVAGA

BGP Zero to Hero Part 3 , iBGP Scaling
https://lnkd.in/gcbBW-H7

BGP Zero to Hero Part 4, BGP Peer Group, Peer Templates
https://lnkd.in/gZuF-9Zs

BGP Zero to Hero Part 5, BGP Conditional Advertisement & Redistribution
https://lnkd.in/dyMdEzeY

BGP Zero to Hero Part 6, BGP Aggregation & Load sharing/balancing
https://lnkd.in/dnqjKzxc

BGP Zero to Hero Part 7, BGP Communities 
https://lnkd.in/dx4nQfWT

Databases for Network Engineers

Understanding databases is a must for network engineers nowadays.
We should understand not only relational databases such as MySQL but also nonrelational databases (aka NoSQL), which are commonly used with Big Data.

For example, we are now living in the era of Streaming Telemetry and Model-Driven Telemetry (MDT).
Streaming telemetry is a new approach to network monitoring in which data is streamed from devices continuously, with efficient, incremental updates.

Your network devices, such as a switch, are the publisher; your machine (where the application resides) that receives the data is the subscriber.
One of the major benefits of model-driven telemetry is that you can define the frequency and amount of data that the network device streams back to the collector or application.

A telemetry subscription defines the set of data that is requested as part of the telemetry stream.

The subscription lets you choose the subset of the data for which you want to receive information.
There are two types of subscriptions used in telemetry on Cisco IOS XE Software systems:
• Dynamic subscriptions (also known as dial-in), using YANG and NETCONF
• Configured subscriptions (also known as dial-out), using YANG and gRPC

Switches and routers support streaming telemetry and can be configured to send data, for instance, when CDP or BGP neighbors change (on-change telemetry publications); we can also get data about our switch CPU status over the last few minutes and keep receiving this data every few minutes (periodic telemetry publications).

All this data is sent to your machine and stored in a nonrelational database of the time-series type, such as InfluxDB.
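To make the last step concrete, here is an added example (not code from the original post) that takes decoded telemetry records, one periodic CPU update and one on-change BGP neighbor update, and renders them in InfluxDB line protocol, the text format the InfluxDB write endpoint accepts. The record layout, the node name and all values are constructed; the XPaths are shaped like IOS XE operational-model paths but the sample is hypothetical.

```python
# Constructed telemetry records in the shape a collector might hold after
# decoding one periodic CPU update and one on-change BGP neighbor update
# (hypothetical values, not captured from a real device).
SAMPLE_RECORDS = [
    {"node": "sw1", "subscription": 101,
     "xpath": "/process-cpu-ios-xe-oper:cpu-usage/cpu-utilization",
     "timestamp_ns": 1_650_000_000_000_000_000,
     "fields": {"five-seconds": 7, "one-minute": 9, "five-minutes": 11}},
    {"node": "sw1", "subscription": 102,
     "xpath": "/bgp-state-data/neighbors/neighbor",
     "timestamp_ns": 1_650_000_000_500_000_000,
     "fields": {"neighbor-id": "10.0.0.2", "session-state": "fsm-established",
                "prefixes-received": 412}},
]


def _escape(value, special):
    """Backslash-escape the characters line protocol treats as delimiters."""
    text = str(value)
    for ch in special:
        text = text.replace(ch, "\\" + ch)
    return text


def format_field_value(value):
    """Type-tag a field value the way InfluxDB expects: i-suffixed integers,
    bare floats, true/false booleans, double-quoted strings."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return f"{value}i"
    if isinstance(value, float):
        return repr(value)
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def to_line_protocol(record, tag_fields=()):
    """Render one decoded telemetry record as an InfluxDB line protocol line.

    Measurement = last element of the subscription XPath; node, subscription
    and xpath become tags (indexed, good for WHERE / GROUP BY); everything
    else is a field. tag_fields promotes selected identifiers (for example
    neighbor-id) from fields to tags so queries can group by them."""
    measurement = _escape(record["xpath"].rstrip("/").rsplit("/", 1)[-1], ", ")
    tags = {"node": record["node"], "subscription": record["subscription"],
            "xpath": record["xpath"]}
    fields = {}
    for key, value in record["fields"].items():
        (tags if key in tag_fields else fields)[key] = value
    if not fields:
        raise ValueError("line protocol requires at least one field")
    tag_str = ",".join(f"{_escape(k, ', =')}={_escape(v, ', =')}" for k, v in tags.items())
    field_str = ",".join(f"{_escape(k, ', =')}={format_field_value(v)}"
                         for k, v in fields.items())
    return f"{measurement},{tag_str} {field_str} {record['timestamp_ns']}"


def to_write_body(records, tag_fields=()):
    """Newline-separated batch: the body you POST to InfluxDB's write endpoint."""
    return "\n".join(to_line_protocol(r, tag_fields) for r in records)


if __name__ == "__main__":
    print(to_write_body(SAMPLE_RECORDS, tag_fields=("neighbor-id",)))
```

The split between tags and fields is the design decision that matters for a time-series store: tags are indexed and used to filter and group (which switch, which subscription, which neighbor), fields carry the values that change every update. Putting a high-cardinality value such as a counter into a tag would blow up the index, which is why only identifiers are promoted.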

Another example: in Cisco SD-WAN (Viptela), all statistics are saved in your NMS (vManage) in a nonrelational, document-based database such as Elasticsearch,
while the vManage configuration database is a graph-based database such as Neo4j.

You should know how to query these databases and how to visualize the data in them using visualization tools such as Grafana or Kibana.

Links:
https://developer.cisco.com/docs/ios-xe/#!streaming-telemetry-quick-start-guide
https://blogs.cisco.com/developer/getting-started-with-model-driven-telemetry
https://blogs.cisco.com/developer/model-driven-telemetry-sandbox

To download any of these databases in VM for free and practice with:
https://bitnami.com/stacks/virtual-machine

Commonly used nonrelational databases (aka unstructured-data DBs)

• Key-value database: A travel blog on a website, which uses a key-value database. Each value (in this case, a blog post) is stored under a different key, and the keys represent URIs on which the blog is available.

• Document-based database: Suitable for a successful startup company that uses an application with fast-changing specifications. Data is saved as semistructured documents, facilitating change management.

• Column-based database: For business analysis, where huge amounts of data need to be processed, a column-based database is perfect because the data is stored in columns, instead of rows. Most of the operations are performed on only one column, so performance is much greater than with row-based databases.

• Time-series database: With the rise of smart cars and the Internet of Things (IoT), gigabytes of telemetry data are being generated each day. The data is sent back to a vendor for analysis and stored in a simple time-series database.

• Graph-based database: Social media has become very popular in the past few years. Due to a huge number of complex relations between entities, the social media application uses a graph-based database, where data is defined and traversed via nodes (entities) and edges (relations).

Soft Code Your Secrets

Hard coding your secrets in Python or any other programming language is something you should avoid.

What are your secrets?

User credentials, API keys, API tokens, cookies, etc.

You should always soft code them, and there are many ways to do that; let me show you a few of them in the following script I created.

In this script you will see three options for soft coding your secrets.

Option 1: with the help of the input() built-in function and the getpass Python library, we can let the user type their credentials interactively.

The getpass library reads the input from the user as a password, without showing the characters being typed.

Code:

import getpass

username = input("Type Your Username:\n")
password = getpass.getpass()  # prompts "Password: " and does not echo the typed characters
# Demo only: printing the password back defeats the purpose in a real script
print("User Credential is Username is " + username + " Password is " + password)

Option 2: you can save your username and password as environment variables in Windows, then read them using the os Python library.

Code:

import os

input("Press Enter to continue...")
print("*" * 20 + " Method 2 " + "*" * 20)

# Read the values from the environment variables named USER and Password
# (an unset variable yields an empty string instead of the text "None")
username2 = os.environ.get("USER", "")
password2 = os.environ.get("Password", "")
print("User Credential is Username is " + username2 + " Password is " + password2)

Option 3: you can save your username and password in a file, then read the credentials using the python-dotenv third-party library.

python-dotenv reads key-value pairs from a .env file and can set them as environment variables. It helps in the development of applications following the 12-factor principles.

https://pypi.org/project/python-dotenv/

You will need to install it first using the pip install python-dotenv command.

Code :

from dotenv import dotenv_values  # pip install python-dotenv

input("Press Enter to continue...")
print("*" * 20 + " Method 3 " + "*" * 20)

# Read the KEY=VALUE pairs from the .env file in the current directory into a dict
# without touching os.environ (use load_dotenv() instead if you want them exported)
user_Credential_from_envfile = dotenv_values(".env")
print(user_Credential_from_envfile)

Script code available here in my GitHub account:

https://github.com/YasserAuda/Hard-Code

Output of this script:
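Building on the three options above, here is an added example that is not the author's script: it combines them into one loader with a fixed precedence (environment variable, then .env file, then interactive prompt) and keeps the password out of repr() and log output. The variable names NET_USERNAME and NET_PASSWORD, the sample .env content and the tiny parse_dotenv() helper are assumptions made for this example; the helper stands in for python-dotenv's dotenv_values() so the code runs without that package installed.

```python
import getpass
import os
from dataclasses import dataclass, field

# Constructed sample .env content (hypothetical names and values, not real credentials).
SAMPLE_DOTENV = """\
# network automation credentials
NET_USERNAME=netadmin
NET_PASSWORD="p@ss word#1"
export VMANAGE_HOST=vmanage.example.invalid  # trailing comment is dropped
"""


@dataclass
class Credential:
    username: str
    password: str = field(repr=False)  # keep the secret out of repr(), logs and tracebacks

    def masked(self):
        return f"Credential(username={self.username!r}, password='***')"


def parse_dotenv(text):
    """Minimal KEY=VALUE parser covering the .env syntax this example needs
    (comments, optional 'export', quoted values). It stands in for
    python-dotenv's dotenv_values() so the example runs without the package."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                         # quoted: keep spaces and '#' literally
        else:
            value = value.split(" #", 1)[0].rstrip()    # unquoted: drop inline comment
        values[key] = value
    return values


def interactive_prompt(username=None):
    """Option 1 from the post: ask on the terminal; getpass hides the password."""
    return username or input("Username: "), getpass.getpass("Password: ")


def load_credential(env=None, dotenv_text=None, prompt=interactive_prompt):
    """Resolve credentials with the precedence environment > .env file > prompt.

    env defaults to os.environ; dotenv_text is the content of a .env file
    (read it with open(".env").read() in a real script)."""
    env = os.environ if env is None else env
    from_file = parse_dotenv(dotenv_text) if dotenv_text else {}
    username = env.get("NET_USERNAME") or from_file.get("NET_USERNAME")
    password = env.get("NET_PASSWORD") or from_file.get("NET_PASSWORD")
    if not username or not password:
        username, password = prompt(username)
    return Credential(username, password)


if __name__ == "__main__":
    cred = load_credential(env={}, dotenv_text=SAMPLE_DOTENV)
    print(cred)           # Credential(username='netadmin'): the password is never echoed
    print(cred.masked())
```

Two practical notes on the .env option: add .env to .gitignore before the first commit, and restrict the file's permissions to the account that runs the script, since anyone who can read the file has the credential.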

Cisco SD-WAN Automation

Someone was asking me about Cisco SD-WAN Automation.

Mainly you use REST API to communicate with vManage.

To learn more about the Viptela API Library and Documentation, consult the product documentation:

https://sdwan-docs.cisco.com/Product_Documentation/Command_Reference/Command_Reference/vManage_REST_APIs

They are also available by accessing the documentation through https://{{vmanage}}:{{port}}/apidocs.

You can even try it for free:

using https://devasc-sdwan-1.cisco.com/apidocs/

Log in using username devnetuser and password RE!_Yw519_27

More in networkacademy.io blog: https://www.networkacademy.io/ccie-enterprise/sdwan/cisco-sd-wan-rest-apis

The Viptela REST API calls expose the functionality of Viptela software and hardware features and of the normal operations you perform to maintain Viptela devices and the overlay network itself.

In REST API terminology, each of these features or operations is called a resource.

A resource is an object with a type, associated data, relationships to other resources, and a set of methods that operate on it.

Resources are grouped into collections.

Each collection contains a single type of resource, and so is homogeneous.

In the Viptela REST API, the collection of resources is present at the top level of the API.

The Viptela REST API resources are grouped into the following collections:

• Monitoring: This collection views status, statistics, and other information about operational devices in the overlay network. Viptela devices collect monitoring information about themselves every 10 minutes. After collecting these statistics, each Viptela device places them in a zip file. The vManage server retrieves these zip files every 10 minutes or, if the vManage server cannot log in to the device, it retrieves them whenever it is next able to log in.

• Real-Time Monitoring: This collection retrieves, views, and manages real-time statistics and traffic information. Real-time monitoring information is gathered in real time, approximately once per second.

• Configuration: This collection creates feature and device configuration templates, retrieves the configurations in existing templates, and creates and configures vManage clusters.

• Administration: This collection manages users and user groups, views audit logs, and manages the local vManage server.

• Device Inventory: This collection collects device inventory information including serial numbers and system status.

• Certificate Management: This collection manages certificates and security keys.

• Troubleshooting Tools: This collection provides tools to help troubleshoot devices, determine the effect of policy, update software, and retrieve software version information.

Here is an example I created.
I used the DevNet always-on sandbox and this script, which is part of the Cisco CLN ENAUI materials.
The script asks vManage for the devices that exist in your Viptela org.
Try it by yourself. I am open to answering any question about the content of this script, but you need to ask it in the CLN link below.
https://learningnetwork.cisco.com/s/question/0D53i000010uW2YCAU/cisco-sdwan-python-script-example

Script:


Script Output:

Script can be downloaded from my github :
https://github.com/YasserAuda/SD-WAN
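As an added example (not the author's script and not the CLN material), here is the same kind of device query written against the vManage REST API with only the Python standard library. The flow is the standard vManage session login: POST the credentials to j_security_check, fetch the anti-CSRF token from /dataservice/client/token, then send it as X-XSRF-TOKEN on GET /dataservice/device; those are the documented vManage endpoints as I know them, not values taken from this page. The host name, the fake_transport stand-in server and the device list are constructed so the example runs offline; swap in urllib_transport() to talk to a real vManage.

```python
import json
import ssl
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# Constructed response in the shape of GET /dataservice/device (hypothetical
# devices, not taken from any real vManage).
SAMPLE_DEVICE_RESPONSE = {"data": [
    {"host-name": "vmanage", "system-ip": "10.10.1.1", "device-type": "vmanage",
     "reachability": "reachable", "version": "20.3.1", "site-id": "100"},
    {"host-name": "branch-edge1", "system-ip": "10.10.1.13", "device-type": "vedge",
     "reachability": "reachable", "version": "20.3.1", "site-id": "1001"},
    {"host-name": "branch-edge2", "system-ip": "10.10.1.15", "device-type": "vedge",
     "reachability": "unreachable", "version": "20.1.1", "site-id": "1002"},
]}
DEVICE_KEYS = ("host-name", "system-ip", "device-type", "reachability", "version", "site-id")


def urllib_transport(verify_tls=True):
    """Build a send(method, url, headers, body) -> (status, body_bytes) callable.

    The cookie jar keeps the session cookie vManage sets at login so later
    calls are authenticated. verify_tls=False is only for lab boxes with
    self-signed certificates."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()),
        urllib.request.HTTPSHandler(context=ctx))

    def send(method, url, headers=None, body=None):
        req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
        with opener.open(req, timeout=30) as resp:
            return resp.status, resp.read()
    return send


def fake_transport(method, url, headers=None, body=None):
    """Offline stand-in for a vManage server, used by the demo below."""
    if url.endswith("/j_security_check"):
        ok = (body or b"") == b"j_username=alice&j_password=correct-horse"
        # A failed login comes back as HTTP 200 carrying the HTML login page
        return 200, (b"" if ok else b"<html>login page</html>")
    if url.endswith("/dataservice/client/token"):
        return 200, b"constructed-xsrf-token"
    if url.endswith("/dataservice/device"):
        if (headers or {}).get("X-XSRF-TOKEN") != "constructed-xsrf-token":
            return 403, b"missing XSRF token"
        return 200, json.dumps(SAMPLE_DEVICE_RESPONSE).encode()
    return 404, b""


class VManageClient:
    def __init__(self, host, port=443, send=None):
        self.base = f"https://{host}:{port}"
        self.send = send or urllib_transport()
        self.xsrf_token = None

    def login(self, username, password):
        body = urllib.parse.urlencode({"j_username": username, "j_password": password}).encode()
        status, content = self.send("POST", f"{self.base}/j_security_check",
                                    {"Content-Type": "application/x-www-form-urlencoded"}, body)
        # vManage answers a bad password with the login page, not a 401, so inspect the body
        if status != 200 or b"<html>" in content.lower():
            raise PermissionError("vManage login failed")
        status, token = self.send("GET", f"{self.base}/dataservice/client/token")
        if status != 200:
            raise RuntimeError(f"token request returned HTTP {status}")
        self.xsrf_token = token.decode().strip()

    def get(self, path):
        headers = {"Accept": "application/json", "X-XSRF-TOKEN": self.xsrf_token or ""}
        status, content = self.send("GET", f"{self.base}{path}", headers)
        if status != 200:
            raise RuntimeError(f"GET {path} returned HTTP {status}")
        return json.loads(content)

    def devices(self):
        return summarize_devices(self.get("/dataservice/device"))


def summarize_devices(payload):
    """Reduce the raw /dataservice/device payload to the fields an inventory needs."""
    return [{k: dev.get(k) for k in DEVICE_KEYS} for dev in payload.get("data", [])]


def unreachable_hosts(rows):
    return [r["host-name"] for r in rows if r["reachability"] != "reachable"]


if __name__ == "__main__":
    client = VManageClient("vmanage.example.invalid", send=fake_transport)
    client.login("alice", "correct-horse")
    rows = client.devices()
    for row in rows:
        print(row)
    print("unreachable:", unreachable_hosts(rows))
```

Two details worth keeping when you adapt this: check the login response body rather than the status code, because vManage reports a bad password by returning the login page with HTTP 200, and send the XSRF token on every data call, since without it vManage rejects the request even though the session cookie is valid.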

SD-WAN automation can be done using REST API tools such as the Python requests module or the Ansible uri module.

There is another Python module that can be used, called Sastre.

Sastre python module tutorial and how to install:

https://github.com/CiscoDevNet/sastre

Sastre is available in two flavors:

Sastre: Public open-source under MIT license available on Cisco DevNet repository. Supports a limited set of tasks.

Sastre-Pro: Cisco licensed version, supporting the full feature-set. Sastre-Pro is available for customers with a CX BCS subscription and Cisco internal at Cisco eStore.