RobI am about one year away from having to renew my CCNP for the first time. Renewing certifications are little different now than they were before. Today Cisco offers a few different methods to renew, this includes taking exams, writing test questions, or continuing education credits. Some methods will cost you a bit more financially, but this gives people who maybe aren’t the best test takers an opportunity to stay active.
I was able to get one half of my 80 continuing education credits through Cisco’s Digital Training Library at no cost. To achieve this you had to take a series of their SD-WAN training modules. While starting to explore these I really became intrigued by the solution and began looking at running my own home lab to hopefully take the exam before I needed to re-certify. Taking this concentration exam for the cost of $300 would get me the last of my 80 credits needed to re-certify, assuming I pass.
There are tons of resources out there to help you kick off your home lab of Cisco’s SD-WAN solution using things like GNS3 and Eve-NG. I am very familiar with Eve-NG so that is what I choose to use. I started searching YouTube for basic tutorials on setting this up and stumbled on Rob Riker’s channel were he created an entire series on SD-WAN for free….yes, FREE. You can find this series here:
He goes over setting up the lab and walks you through pretty much everything you need to know for the home lab and the exam.
There were a few things I struggled with initially, including losing all my configs and had to start over. I also did that one more time after that. I created the whole CA infrastructure and installed certs on all controllers and vEdges about 3-4 times, so needless to say, I am good at it now. Something I did struggle with was getting the root CA file on all the controllers and the vEdges. I did not use vManage as a CA, but and an IOS-XE router to keep it semi-realistic. After generating the root CA file on the CA-Router I could not download it from the vManage controller. It would seem like it did, but when checking the directory in vshell mode it was not there. So I began to dig into the internet. It seemed that viptela CLI did not like tftp or scp for that matter, I am unsure why, but the work-around was to achieve this in vshell mode.
Dropping into vshell mode is as simple as typing “vshell” in the viptela CLI. You are now in vshell cli and from here you can tftp or scp successfully.
vmanage:~$tftp -g -r PKI.ca 220.127.116.11 // PKI.ca is the filename and 223.1.113 is the ca router ip address
vmanage# request root-cert-chain install home/admin/PKI.ca
After a few times of doing this I did discover that you can successfully get the RootCA cert from the CA-router when setting up HTTP server to be used to transfer from the viptela CLI and not have to use vshell. This is now the preferred method for me as it is much easier.
vmanage#request download http://cisco:firstname.lastname@example.org/PKI.ca
vmanage#request root-cert-chain install home/admin/PKI.ca
I would say that the cert enrollment and CA infrastructure setup is not so much complicated as it is tedious and can be frustrating at times. I would think in a real world scenario you would be using Windows CA or Linux CA, which probably makes the process easier, but this is just a lab so not need for all that leg work.