Posts

Showing posts from January, 2021

Network Device Configuration Templating with YAML, Jinja2, Python and Ansible

It has been a long time since I had some fun writing programming code. The other day I was thinking about one of my daily assignments as a network engineer - configuring network devices. Most of the time when we configure a network device, we start from a predefined configuration template which is copied from an existing device (the actual configuration); then we open it in a text editor and do a search and replace operation to change the configuration according to the new device and its settings. What is wrong with this approach? First of all, most of the time there is a risk that we will forget to change something, because we are doing a search and replace in a text editor and we have not made a list of the things/configurations that need to change. Secondly, there is no reusability; every time I need to open this text file and make changes by hand. Let's think for a moment. What are the things we actually change when we configure a new device from an existing configurat

Arista EOS AAA configuration for management with TACACS+ protocol and Cisco ISE (Part II)

This is a continuation from my previous blog post. This time we will again do AAA with Arista switches using the TACACS protocol. Last time, we used locally defined user roles in the switch to authorize which CLI commands a user is allowed to run. Now we will use ISE's "TACACS Command Sets" instead of sending user roles by using "AV-Pairs". The advantage of "TACACS Command Sets" is that we define different sets of CLI commands which different users are allowed to run according to their access level. All of this is done centrally in the ISE/TACACS server; there is no need to define network roles in each device locally. The pitfall is that for every command typed by a user, the network device (router/switch) will ask the ISE server to authorize that command according to the "Command Sets". If the "Command Sets" permit it, ISE sends a positive acknowledgement to the device and in turn the device executes the user's CLI command. The opposite happens wh

Arista EOS AAA configuration for management with TACACS+ protocol and Cisco ISE (Part I)

Today I will write about AAA configuration (SSH authentication, authorization and accounting) for Arista EOS switches with Cisco ISE as the authentication server; the AAA protocol will be TACACS. Our topology is very simple: one Arista switch and one Cisco ISE server are running on the same network. Our topology looks like below - 01 - Network Topology. We have a management network 192.168.199.0/24. The switch is at .134 and Cisco ISE is at the .49 IP address. We are running the latest version of ISE - version 3.0. Let's define our AAA requirements - Arista switches come with two predefined user roles - "network-admin" and "network-operator". We will use those two roles. Every user, after successful authentication from the TACACS server (ISE), will be authorized as either the "network-admin" or the "network-operator" role. In turn these two roles will determine read-write or read-only access to the switch. Note: With TACACS, we can also do individual cl