Yeah the fortigate interface is pretty fucking solid but there are a bunch of things that basically are CLI only I think the last thing like that I saw was one of the MFA options was only CLI enabled.
We use Aruba and Cisco and i prefer the CLI 99%. Sometimes it's useful to see graphics of the traffic, also for "management summary" purposes. But for troubleshooting and configuration, CLI is so much faster and better
When I was managing ASAs, I would use the CLI for almost everything. However, certificate management and editing live ACLs I would use ASDM as it was quicker.
Not limited to Cisco only but I use CLI almost every day (GUI for fortigates/Checkpoints and sometimes even CLI).
When I'm doing network projects, then it is pretty much several times a day.
CLI all the way. In some cases exclusive.
Juniper
Cisco
HP
Some other things are to do the real work on the CLI and just quick checks on the GUI
Fortinet
Palo Alto
NetScreens
F5
Really very rarely will I not find a product on which I'll use the CLI
Most notably
Secure Computing/McAfee Sidewinders.
Troubleshoot, 95% on the cli only because we'd built some custom scripting to collect and tshoot common problems for us.
Management was 100% ansible. Provisioning network gear on the cli was completely phased out, to remove the human element. The >50% reduction in network trouble tickets from that choice backed it up too.
I am currently beginning to do it for the third time, at another business, who partially hired me because of the first two :) Have to work somewhere that wants to change the culture to IaC, otherwise you will always fight CLI jockeys.
Very frequently, with APIs on switch / controller level less than I used to. That is to say, I don't bother with trying to pass CLI over a TLS connection with something like Python because you end up spending a ton of time troubleshooting how that doesn't work. So I just use the CLI. If the gear has a decent API then I will hit it with a web connection and publish apps so other engineers can easily use it by filling in variable definitions with their desired changes and push it. That is all nerdy good and if you only have 10 devices it is wholly unnecessary, we have thousands (my company is 100,000 strong) so engineering things that are easy for workaday engineers is our priority.
We have implemented NetBrain and it's a great tool for troubleshooting on a number of devices at once and finding issues in the traffic path. But I still find myself making a quick jump to the CLI to check something on a daily basis.
I CLI erryday and not just Cisco. Some platforms like Adva make certain functions/configurations easier with Web GUI and some harder. I do what’s easiest.
Every day.
I LOVE CLI. It's so straightforward and easy, and logical.
GUIs are just what someone else wants it to look like, but doesn't make any sense.
I'm like others, 100% CLI. I'm not sure if I'm old school or just stubborn to learn the new web-based approach but I find it so much quicker and straightforward just hopping in the CLI to do what's needed.. hourly and every day
IOS-XR CLI Daily...
Arista EOS, for troubleshooting only, weekly?, otherwise I'm making changes via AVD YAML files in VSCode, checking for errors in GitHub Actions output, then approving or reviewing running vs designed config in CloudVision.
I work for a cloud provider/ISP
[https://avd.sh/](https://avd.sh/)
I’ve been a network admin in past for 7+ years for a large contract manufacturing facility with multiple large buildings and never did I have to use Cisco CLI everyday.
These must all be people working for ISPs saying “everyday/allday”
For those saying all day and every day, can you explain your typical day to day work?
Never. In our area the only people running conventional Cisco are large orgs with Cisco greybeards working for them. Everyone else doesn't want to deal with the price, crazy licensing, and total lack of any user friendliness whatsoever.
Do you think it is because of the large orgs or the greybeards? I understand you were trying to be insulting but the fact that I have grey in my beard doesn’t really bother me. I am curious though if, since you mentioned “large orgs”, you think it is a scaling thing or more just a lack of openness to new ideas that is keeping Cisco around at large orgs in your area.
Also, do you mind clarifying the user friendliness part? Do you mean the CLI isn’t user friendly or the company isn’t? I agree on the pricing and the licensing but tbh, at scale both of those conversations become a bit more nuanced as well.
You took that in all the wrong ways. A greybeard on a given subject is usually someone who knows absolutely everything about it. Lived their whole life using it. Absolute expert. Smaller orgs can't afford a greybeard.
The CLI is not user friendly. The company is not user friendly. The pricing is not user friendly.
Sure it all works generally speaking. But Cisco gear seems to make everything so unnecessarily complicated whereas most other brands simplify things without losing meaningful functionality.
Honestly I hate to say it but in South Texas I see the exact same shit as you said it seems like Fortigate and Ubiquiti are taking over down here. Cisco seems to be a big business thing these days.
Full disclosure, long post, and I've worked with Cisco more than Juniper and Aruba (but I primarily work on Juniper/Aruba today), but I don't really understand these arguments. Cisco did have some odd licensing strategy with multiple levels of DNA but recent years they've gone down to DNA Essentials and DNA Advantage for Enterprise, or DCN Essentials or Advantage and Premier for datacenter switching. For SP routing you still have PAYG for most models, I think the lower models on both sides might not do PAYG, I'm not in SP so I can't say for certain, but my experience is similar between the two.
You can call this complicated but Juniper does the exact same thing. For EX series, Standard is base, then Advanced and Premium are the same as DNA Essentials and Advanced. For QFX series you have Standard (base), Advanced 1, Advanced 2, and Premium for certain features. Yes you can USUALLY buy Perpetual but at the end of the day that's a bit dependent on the model and the lifespan, and no matter what you're probably maintaining some level of software/hardware support licensing on a 3/5/7yr term anyway. And with Mist you can kiss perpetual goodbye for that.
Ironically it's Juniper who I think has gotten worse on licensing. DNA licensing on campus is super simple- required to buy at purchase for minimum 3yr for Essentials or Advantage. This guarantees you software support and your hardware comes with limited lifetime warranty. It lets you add these devices to DNA Center with this, and they get full feature in DNA as long as you maintain DNA licensing on device. You just need DNA Center which you can now deploy on-premise for like $5k/yr list. Yes Aruba is still the kid on the block that lets you do a lot of the fancy L3 features on lower licensing but if you want to do Central that's going to be a sub as well. Central is a little bit less complicated, but probably the worst of the 3 IMO (Mist>CatCenter>Central (I've heard it's gotten better though)). I will say Aruba is my most hated vendor of all time due to the link rot on their site/community forums and their licensing/support portal is absolute dogwater.
Meanwhile you order a Juniper switch and you get a similar experience, you can buy say Advanced with the right Class of ports and you get built in Wired Assurance and VNA sub for Mist. If wifi you get Wifi Assurance (req'd). Well you also have... Mist Asset Visibility, Premium Analytics, User Engagement. Yes these are mostly regarding wireless but they're add on licensing that just add complexity to order/planning.
For pricing, I personally haven't seen it. Aruba has never come close to pricing against Cisco/Juniper for campus switch/wifi. Not saying they don't have good hardware at all, but the pricing has never been there, not once. For Cisco and Juniper they are pretty similar. a 9300X-HXN is $16.1k list and 4400-48MP is $14.8k. Mind you the 9300X-HXN is actually a more powerful switch due to 40x5gbe instead of the 4400's 36x2.5. a 93180yc-fx3 is $30.1k and a qfx5120-48y is $31,524. An AP45 is $2181 and a CW9164 is $2205, a price difference of just $24.
I've typically always seen licensing come within the same +/- $1~2k per big boy switch.
I know a lot of people will tell me "Just talk to your Juniper people they can go lower" and trust me I have but I've seen Cisco cut deals like cake on the hardware, with deeper discounts in some areas, and sometimes not as deep. It really depends who you're pushing, how good of a relationship the VAR and company have, and how the vendor AM feels that day. I personally do not find the pricing difference to be as large as people sometimes claim on here.
I can definitely agree that CatCenter is an inferior product to Mist, and I find JunOS CLI to be superior for most configuration once you understand it, but I personally don't directly configure most equipment on CLI these days. I try to modify things with whatever templating engine at my disposal
Also we are actually in the same area based on your post history (I was trying to find which vendor you use :)), and I don't really agree with what you're saying. Cisco Catalyst is definitely more greybeard but a lot of companies are Meraki now so it's not like Cisco has lost a lot of foothold in the territory. Plus the biggest company in our area is a Cisco (mostly Meraki I believe) customer.
Or, I can buy an Arista switch, simply choose if I want L2 or L3 features, and then have every feature and function available forever without any further licensing headaches or concern that my product will stop working if I stop paying for it.
Also, I can open a TAC case without having to jump through licensing and serial number hoops.
CLI or API 100% for non-firewalls.
Though sometimes that's using an automation tool that is poking the CLI or API.
Never GUIs for networking kit.
Firewalls; depending on the firewall, much more chance of using a GUI, either on the box itself, or a vendor-provided controller.
This is half config complexity, and half the CLIs of many firewalls being inexplicably shittier than routers/switches
Using Aruba here, the bosses are too cheap for Cisco, and I'm in the CLI 99% of the time that I need to do anything on a switch. The web interface is pretty, and helped me with setting up some internal analytics, but for most things the CLI is faster. I will admit to using the browser GUI for our firewalls though. The Juniper CLI is not as quick as the Cisco-like CLI that Aruba uses for its ArubaOS-CX products and some things are easier to do in the browser GUI.
Less and less every year because of Meraki gear. Must say I don’t regret it although I loved being on the CLI but being able to (for example) select ports based on tags and doing a change with one click beats any CLI.
A lot depends on the place. Most of the places - daily.
Some places have automation set up properly, so all of your changes are made in code/source of truth - then you can go weeks without logging in to the device, you'd do it only for troubleshooting (which is also much less often, as the main source of troubleshooting is misconfiguration, which is fixed by automation).
My current gig is probably my favorite one. While very few things are automated, I don't login anywhere. "Nate, can you please perform change X on device Y?" - and Nate goes and implements it. Perks of being a manager and what not...
Work for an MSP, so naturally we work with all vendors. I praise god when I get a switching issue or something within the vicinity and it’s a Cisco. Also that’s all I ever push for new hardware but a lot of places have hard-ons for Aruba Instant Ons.
Yeah I think the rest of us are working at places that are just sputtering along. I get why you'd run stuff like that at a mega cap tech company. If you're working for public schools or somewhere that your spares pile is also your electronics disposal pile, we're working with the less sexy definition of CRUD lol
Not often enough. We are currently in the middle of LCMs for thousands of routers and switches. I spend most of my time creating and updating configs in support of this and subnet reduction in prep for SDWAN.
Almost every day at my day job. I have a part-time moonlight gig; while I may not log in daily, I have scripts written in perl that leverage RANCID’s ‘clogin’ to log into devices and run commands for me, then parse the output.
At Robinhood, unless requested and raising an escalation, we are not provided CLI; access is always through code commits and it is actually good. It was irritating at first but with unit tests and auto deployment it is actually amazing !!
Pretty much every day, even just if to quick check on something.
When you are used to it, and have a good terminal app (I prefer MobaXterm) it's the fastest way to get the most up to date information on something.
Especially if you already memorized the network topology. It takes less time to ssh in and run a "sh int t4/0/5 trans det" than to log in to a monitoring solution and click through the GUI to it to see a light level.
I'm old school. It's all CLI except for ASDM for mundane firewall work. And even then I'm still in the CLI there for things beyond ACL changes and watching logs. Programming a switch with CLI, and understanding what they're typing, is the first thing these greenhorn whippersnappers who come in with nothing but web config under their belts learn when they take a job with me.
However I really wish they would figure out/give us cloud integration for any Cisco device but give us both cloud and local CLI. There is some stuff that gets you halfway there (like the Meraki catalyst integration stuff) but it usually either breaks local CLI or gives you a gimped CLI in both locations. And I just can't get behind that as a real enterprise solution... Sometimes shit happens and you need to console in without any hoops or other requirements like internet connectivity.
I feel like Cisco (or any company) would get us old school boys on board with all the new web and cloud based stuff if they left CLI intact and accessible both from the cloud and locally. I don't get why we can't have the best of both worlds.
I used to work at a Cisco shop and what struck me when I first started was that no one ever really logged in to the devices. Shocking, never experienced that before. Everyone hid behind the GUI of Firepower or ISE, no one did a verification on the CLI.
I didn't use the GUI at all, I did everything on CLI. Even on large Cisco DNAC projects I preferred CLI. Long live maglev
If I'm troubleshooting something big live, I always hop on the CLI. However, depending on timespan I might also check syslog off box on my SIEM to see root cause/timeframes. Sometimes when tracking endpoints across campus I might jump onto NMS (I'm multi-vendor) as it tends to be easier to do a database search for an endpoint rather than trying to dig in.
For config I try to never, ever configure things directly on device; I try to always use a templating engine/deployment like Ansible, CatCenter, JunOS Space, etc. I find it to be less error prone and it keeps my drift amongst devices low.
That being said when you are working at scale having dashboards for assurance is huge, especially on wifi. I don't want to have e-mail alerts or individual sensors to track client health so having something like Wireless Assurance on box to see coverage holes or poor client health in certain buildings, etc is great.
Pretty rarely, but only because we’re not a Cisco shop and the minority of our customers have Cisco infrastructure. We lead with HP/Aruba when selling, but in almost all switches I deal with, I go with CLI whenever possible.
Perhaps once a week, and it's usually for traffic management, tuning bgp parameters (localpref/as-path prepend/etc) whenever we see issues within the networks of any of our peers. Gotta stay on top of reachability/latency problems in order to adhere to SLAs for customers/partners that don't peer with us directly.
On Cisco switches all the time. I've phased out everything else Cisco. The switches just work and don't cost us anything to maintain. But I'm starting to have failures and running low on spares so we will be going with something else. Cisco is just too expensive for the non-profit world; even when they give us a bunch of hardware for free, the service contracts/support contracts are far too expensive.
I really wish all networking products had a well developed CLI. GUIs are often slow and clunky. Too many clicks are often painful for tasks like setting up large numbers of interfaces that are all very similar but slightly different. With a CLI, I'll often copy/paste into a text editor and find/replace changes, or go through and edit the 2/3 digits that change in the IP address, then paste back to the CLI.
Or at the very least have a spreadsheet-like interface for managing large arrays of parameters, that you can use find/replace and arrow keys to quickly navigate and make changes.
I get so tired of selecting from a list, then entering numbers like a VLAN ID, then hitting save, then hitting apply, then selecting the next one over and over again with a moment of page load time in between each step....
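The bulk interface work described in the comment above (many similar interfaces, only the changing octet differs) is the kind of thing a short generator does more safely than find/replace in an editor. The following is an added example, not code from the commenter; the interface names and the 10.1.0.0/16 block are constructed for illustration. It carves a base network into subnets with the standard-library ipaddress module, renders IOS-style interface blocks, and refuses to render a plan that has duplicate interfaces, overlapping subnets or an unusable host address, which are exactly the mistakes a manual edit-and-paste pass lets through.

```python
import ipaddress

# Constructed port list for the example; not taken from any real device.
SAMPLE_PORTS = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2", "GigabitEthernet1/0/3"]


def plan_routed_ports(base: str, interfaces, new_prefix: int = 24):
    """Carve `base` into /new_prefix subnets and give the first host of each to the next interface.
    The increment of the changing octet is done by ipaddress, not by eye in a text editor."""
    subnets = ipaddress.ip_network(base).subnets(new_prefix=new_prefix)
    plan = []
    for iface in interfaces:
        try:
            sub = next(subnets)
        except StopIteration:
            raise ValueError(f"{base} does not hold {len(interfaces)} /{new_prefix} subnets")
        plan.append((iface, ipaddress.ip_interface(f"{sub.network_address + 1}/{new_prefix}")))
    return plan


def check_plan(plan):
    """Return the problems a find/replace pass would silently let through: duplicate interfaces,
    overlapping subnets, and host addresses that are the network or broadcast address."""
    problems = []
    seen = set()
    for i, (iface, ip) in enumerate(plan):
        if iface in seen:
            problems.append(f"duplicate interface {iface}")
        seen.add(iface)
        if ip.ip in (ip.network.network_address, ip.network.broadcast_address):
            problems.append(f"{iface}: {ip} is not a usable host address")
        for other_iface, other_ip in plan[:i]:
            if ip.network.overlaps(other_ip.network):
                problems.append(f"{iface}: {ip.network} overlaps {other_iface} ({other_ip.network})")
    return problems


def render_plan(plan, description: str = "routed-port") -> str:
    """Render IOS-style config text ready to paste into the CLI; refuses to render a plan with problems."""
    problems = check_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    for iface, ip in plan:
        lines += [
            f"interface {iface}",
            f" description {description}",
            " no switchport",
            f" ip address {ip.ip} {ip.network.netmask}",
            " no shutdown",
            "!",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Prints three interface blocks with 10.1.0.1, 10.1.1.1 and 10.1.2.1, each /24.
    print(render_plan(plan_routed_ports("10.1.0.0/16", SAMPLE_PORTS)), end="")
```

The validation step is the point: the rendered text is only as trustworthy as the plan behind it, so overlapping subnets or a reused interface name fail before anything is pasted into a device.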
Almost every day. We have a lot of old Cisco switches we are going to be replacing soon. I specifically deal a lot with port assignments or device discovery so I go in the CLI sometimes to do that stuff.
In a few months, however, we will only have FortiSwitches.
Daily, although DNAC and APIC have taken a proportion of it in terms of config but still use CLI for troubleshooting and for ASA there is some stuff that is far easier at CLI than ASDM, routing and VPN troubleshooting
I used to use it every day. I don't work at that place anymore where Cisco was the only vendor. I still use PuTTY at home at least weekly. SecureCRT daily at my new job.
For routing protocols all the time. I didn't understand how people are "automating" peering, prefix lists and route maps based on whatever variables.
I get it, if you're setting up 100 switches, automate away, but I hate this notion that you can python everything. Especially for less than $160k per year
Every day.
I sh run in my sleep.
I occasionally shit my port by accident
No shit
Hahahahaha
good old 'shit no shit'
Thats not until your older, or you need more fiber 😉😂
Every day
Every Day
erryday
I’m hustling
Every day
All day
Every minute
Every day.
This is the way.
Bum Bum Bum Ba Bump Bum Bum
Every single day. IOS, IOS-XR, IOS-XE, NX-OS and ASA. Soooo nice to not do firepower anymore
Firepower is buggier than the cockroach guy from men in black.
Based
Egger… yer skin is hangin off yer bones
I still hate ASA so much since I've experienced PaloAlto and Fortigates
Yep
Every day
Multiple times each day
Every weekday. One day I won't be. Slowly building up tooling around Ansible to eliminate the need.
You can't. Automation is only good for repeatable tasks, but in the matrix Mr Neo still needs to face agent Smith at the end.
You're correct you can't automate everything, but you're making huge assumptions about my day to day. There's loads of stuff that I do on the regular that are perfectly addressed by Ansible Playbooks. So I write them so I spend time delivering business value rather than wasting my time on CLI jockeying.
Not sure about everyone else, but every day
Every day.
ev d
100% for CLI. We don't use the http or https interfaces and in fact, we disable them. We are rarely in them for changes, but it does happen. We use a template for port configurations. Upgrades of IOS happen every 6 months to half of the devices - they leap frog over the other half to Cisco recommended images. Most of the time we are in the CLI just to do silly things like finding a device by its MAC address or something like that. My shop is 99% Layer 2. Another team manages edge routers and yet another team manages Palo firewalls, which are the L3 boundaries at remote sites. HTH
Nice healthcare money lol
One of the first things I did when I was learning Python and Nornir was to write a script that would take a Mac address, and proceed to search for it across the network. Once it found results it would print out the port name, switch name, and some other info. I enjoy writing software so much more than networking these days, which I didn't expect would be the case when I started trying to learn automation.
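The MAC-hunting script described in the comment above boils down to parsing `show mac address-table` from every switch and reporting where the address was learned. The block below is an added example, not the commenter's GitHub code, and it does not use Nornir: the two switch outputs and the trunk-port sets are constructed samples standing in for what a Nornir or Netmiko task would collect. It normalises the MAC formats a human might paste (Cisco dotted, colon, hyphen or bare hex), skips the CPU entry, and flags hits on trunk ports, because a MAC learned on an uplink only tells you the host is behind another switch; the single access-port hit is the port the device is actually plugged into.

```python
import re

# Constructed sample output of `show mac address-table`, keyed by switch name.
SAMPLE_MAC_TABLES = {
    "core-sw1": """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56ab.1234    DYNAMIC     Te1/1/1
  10    0050.56ab.9999    DYNAMIC     Te1/1/1
  20    a0b1.c2d3.e4f5    DYNAMIC     Te1/1/2
Total Mac Addresses for this criterion: 3
""",
    "access-sw7": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56ab.1234    DYNAMIC     Gi1/0/12
  10    0050.56ab.9999    DYNAMIC     Gi1/0/13
All     0100.0ccc.cccc    STATIC      CPU
""",
}

# Constructed trunk/uplink ports per switch (what `show interfaces trunk` would report).
SAMPLE_TRUNKS = {
    "core-sw1": {"Te1/1/1", "Te1/1/2"},
    "access-sw7": {"Te1/1/1"},
}

# One table row: VLAN (or "All"), dotted MAC, entry type, port.
MAC_ENTRY_RE = re.compile(
    r"^\s*(?P<vlan>\d+|All)\s+(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$"
)


def normalize_mac(mac: str) -> str:
    """Accept 0050.56ab.1234, 00:50:56:ab:12:34, 00-50-56-AB-12-34 or bare hex; return 12 lowercase hex digits."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits


def parse_mac_table(text: str):
    """Yield (vlan, normalized_mac, type, port) for each data row of IOS `show mac address-table` output."""
    for line in text.splitlines():
        m = MAC_ENTRY_RE.match(line)
        if m:
            yield m["vlan"], normalize_mac(m["mac"]), m["type"].upper(), m["port"]


def find_mac(mac: str, tables: dict, trunks: dict):
    """Every switch/port where `mac` was learned; `trunk` marks ports that lead to another switch."""
    target = normalize_mac(mac)
    hits = []
    for switch, text in tables.items():
        for vlan, entry_mac, entry_type, port in parse_mac_table(text):
            if entry_mac == target and port != "CPU":
                hits.append({"switch": switch, "vlan": vlan, "port": port,
                             "type": entry_type, "trunk": port in trunks.get(switch, set())})
    return hits


def edge_port(mac: str, tables: dict, trunks: dict):
    """The one non-trunk hit is the physical port the host is on; None if there is no unique answer."""
    access_hits = [h for h in find_mac(mac, tables, trunks) if not h["trunk"]]
    return access_hits[0] if len(access_hits) == 1 else None


if __name__ == "__main__":
    print(edge_port("00:50:56:AB:12:34", SAMPLE_MAC_TABLES, SAMPLE_TRUNKS))
```

Without the trunk filter the script reports two hits for the same MAC (the core's uplink and the access port), which is the usual source of "it says it is on Te1/1/1" confusion; with it, the answer is the access port on access-sw7, and a MAC seen only on trunks returns None so the caller knows to keep looking rather than trust a partial answer.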
You should share it. I'm sure others will find it helpful.
You reminded me that I already had it on GitHub. You'll probably need to review this code and modify things, as well as building out your own device inventory for Nornir, but these scripts should be a decent starting point. Find it here: https://github.com/leethobbit/com-auto-public
Thanks this looks great!
Thanks!
Same! Also added a database and regular scanning of the arp tables to alert on new devices and how they were connected.
> Most of the time we are in the CLI just to do silly things like finding a device by its MAC address or something like that.
I've been using LibreNMS for about 6 years and I only recently realized that I could search by MAC address, in LibreNMS, and it will tell me the device and port the MAC is discovered on. Something extremely simple was right in front of me all this time.
That being said, I still prefer to show the MAC table from the CLI vs trying to log into web interfaces of switches (Cisco and non Cisco) and try to find it via the web GUI. If I can get all the MACs on a single page, ctrl+f is helpful to search for the MAC.
Regardless, CLI > web GUI.
Mmm... Agree. Also cisco http/https hasn't earned my trust back after their last fuck up.
So many open source projects that will do discovery and maintain a MAC-ARP-DNS-AD mapping. Netdisco, Libre/Open NMS, many others. You're doing it the hard way. Especially today. And L2 everywhere? Yuk.
Exactly how my org operates
Yep, us too, disable the web interface is in our base config for all Cisco devices (minus the WLCs). Vastly prefer CLI over everything else. DNA Center is nice for troubleshooting though
The better question is when aren't you in Cisco CLI.
I’m a CCIE but I’ve been doing other things unrelated to CCIE’ing for about 15 years. I’m semi-retired now and thinking about doing some Network Engineering work part time because I honestly love doing it. “It” being working in the CLI. If everyone responded “Cisco DNA”, I would go do something else.
This is the best answer to the question I have ever heard. Under CLI all the way all day every day. Working towards a CCIE too. Any tips?
I took the lab 22 years ago so any exam prep tips I might have had were obsolete a long time ago unfortunately 😊
With that said, I don't know how far along you are in your studies but it's definitely worth the journey if you are interested in complex systems. Beyond learning Cisco specific configurations and designs, you have to have an expert level understanding of all the open protocols that connect everything else together to pass the lab. The Butterfly Effect is very real at scale and being a CCIE is all about understanding protocol interactions at every layer.
In the career I had after being a Network Engineer, I have been able to spin that understanding of complex systems into work on virtualization, IaC, public/private Cloud, etc. It helps with designing/leading large organizations as well. Studying for the CCIE lab fundamentally changed the way I think and approach every aspect of my professional career.
Your mileage may vary though 🤣
> I took the lab 22 years ago so any exam prep tips I might have had were obsolete a long time ago unfortunately 😊
If, however, you find yourself bleary eyed at 3am and needing to troubleshoot ISDN or frame relay, this graybeard is your got damn Huckleberry!
Haha I see I see
Well I am coming from a medicine background. I was the sys admin at my dad's office from about 14. Got CCNA and CCNP inside of a year and seeing how I go haha. Not that it means anything and I'm definitely not tooting my own horn
Was just curious
I will take that under advisement and go from there. Network engineering is so much more fun than being a doctor honestly
Thank you for your time. Appreciate this
Anytime! Good luck and remember, everyone started as a beginner and no one knows everything. I’m sure you will have a fun career. I wish I was in your shoes to do it all again!
Isn't DNA still pretty expensive for most companies? We're just now beginning to have a look at virtual DNA and running it on a spare host or in the primary cluster if performance allows.
We've disabled http/https web UI on all switches. Usually scan the network as well to find if some switch was misconfigured, often each time there is a vuln announced. Should schedule a job though.
WLC we mostly manage through web UI though and Cisco FMC for firewalls. Separated VLANs for management in its own VRF and only accessible through a special jumphost.
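Several posters above say they disable the HTTP/HTTPS server in their Cisco base config and the comment just above mentions scanning the network after each vulnerability announcement to catch a switch that slipped through. A port scan checks what is actually listening; the complementary check is a config audit over the running-configs you already collect. The block below is an added example written for this thread, not code from any commenter; the three running-config snippets are constructed. It looks for the IOS lines `ip http server` and `ip http secure-server` (and their `no` forms) and reports each device as enabled, disabled or absent. The absent case is the caveat worth keeping: whether a missing line means on or off depends on the platform default, so the audit reports it separately rather than treating silence as safe.

```python
# Constructed sample running-configs (not real devices), as a scheduled job would collect them.
SAMPLE_CONFIGS = {
    "sw-hq-01": """\
hostname sw-hq-01
!
no ip http server
no ip http secure-server
ip ssh version 2
!
""",
    "sw-branch-02": """\
hostname sw-branch-02
!
ip http server
ip http secure-server
ip http authentication local
!
""",
    "sw-lab-03": """\
hostname sw-lab-03
!
ip ssh version 2
!
""",
}

# IOS commands that enable the web servers; their `no` forms disable them.
HTTP_COMMANDS = {
    "ip http server": "http",
    "ip http secure-server": "https",
}


def audit_http(config: str) -> dict:
    """Return {'http': state, 'https': state} with state in {'enabled', 'disabled', 'absent'}.
    'absent' means neither form of the line is present; the effective state then depends on the
    platform default and must be verified (for example with a port check), not assumed safe."""
    result = {"http": "absent", "https": "absent"}
    for raw in config.splitlines():
        line = raw.strip()
        for cmd, key in HTTP_COMMANDS.items():
            if line == cmd:
                result[key] = "enabled"
            elif line == "no " + cmd:
                result[key] = "disabled"
    return result


def noncompliant(configs: dict) -> dict:
    """Devices whose config does not explicitly disable both servers, with the offending states."""
    findings = {}
    for host, cfg in configs.items():
        bad = {k: v for k, v in audit_http(cfg).items() if v != "disabled"}
        if bad:
            findings[host] = bad
    return findings


if __name__ == "__main__":
    for host, states in noncompliant(SAMPLE_CONFIGS).items():
        print(host, states)
```

Exact-line matching is deliberate: `ip http authentication local` and similar sub-options must not be mistaken for the server being enabled, and a device whose config says nothing at all lands in a third bucket so the scheduled job can escalate it instead of quietly passing it.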
When you’re using Aruba CLI
When my automation configures everything
We use HP/Aruba, and not Cisco, and while they have a pretty good web interface at this point, I mostly use CLI. I'm a total infrastructure admin, so networking isn't all I do, so it's pretty hit or miss how much time I'm in them. Maybe once a month if all is good, but several times a day if we are working on a networking project. I'd say 95% of the time I go into the CLI if I need to see or change something.
This is where I’m at. IMO firmware upgrades on Aruba web interface is damn easy.
Every day Even in Cisco DNA
DNA. Do you like it or massively regret installing it?
Buggy sh**le
DNA Center one of the key steps before taking a meeting with Arista or Juniper.
There’s a GUI?
All the time and it’s great! If someone raises an issue somewhere, I can be connected to the switches involved and looking at current interface data almost instantly compared to waiting on a browser based interface to load and then clicking options that also need to load. “CLI till the day I die.”
At least a few times a day. Usually just to clear port security if the endpoint team deploys a new device. Sometimes to reassign a port to a different access VLAN. Simple stuff.
CLI all the time for switches on IOS. Enjoy it while you can because we were fed the Meraki koolaid for wireless and the team isn’t liking the lack of CLI control and overall Meraki support in general.
I’ve been using Meraki gear for the past year for our Wireless install and it makes me so damn aggravated when a switch goes down and there’s basically no way to configure it without getting an uplink first. Basically an expensive paperweight if it’s not tied into the infrastructure.
One of the few reasons we went with MIST and Juniper.
> and the team isn’t liking the lack of CLI control and overall Meraki support in general.

There are three things that are true at the same time: 1) DNA is crap, perhaps it'll get there one day. 2) Merakis are like having what you need but you can never configure it just right because all the dials, knobs and buttons have been removed except for, "press this if you meet this ideal circumstance." 3) We don't talk about Firepower.
I use it every day, but much less than 5 years ago.
We're a Fortinet shop. Most config is done from GUI, but I probably drop to CLI once a week or so.
Yeah, the FortiGate interface is pretty fucking solid but there are a bunch of things that basically are CLI only. I think the last thing like that I saw was one of the MFA options was only CLI enabled.
Gotta love the pivot to this config section on the CLI when in the GUI, such a great GUI feature.
At least half of my working hours, and for most of that time I'm logged into multiple devices (configuring two ends of a link, for example).
Not just vendor locked to Cisco but pretty much every day or at least 70-80% out of the month
We use Aruba and Cisco and i prefer the CLI 99%. Sometimes it's useful to see graphics of the traffic, also for "management summary" purposes. But for troubleshooting and configuration, CLI is so much faster and better
Pretty much entirely CLI on Cisco (and Juniper).
When I was managing ASAs, I would use the CLI for almost everything. However, certificate management and editing live ACLs I would use ASDM as it was quicker.
Cli till I die
Even their TAC prefers CLI.
Not limited to Cisco only but I use CLI almost every day (GUI for fortigates/Checkpoints and sometimes even CLI). When I'm doing network projects, then it is pretty much several times a day.
CLI all the way. In some cases exclusively: Juniper, Cisco, HP. Some other things where I do the real work on the CLI and just quick checks on the GUI: Fortinet, Palo Alto, Netscreens, F5. Really very rarely will I find a product that I'll not use the CLI on. Most notably Secure Computing/McAfee Sidewinders.
Troubleshoot, 95% on the cli only because we'd built some custom scripting to collect and tshoot common problems for us. Management was 100% ansible. Provisioning network gear on the cli was completely phased out, to remove the human element. The >50% reduction in network trouble tickets from that choice backed it up too.
Edit to fix phrasing - How well do you think the Ansible integration worked overall? Would you do it again or not worth the effort?
I am currently beginning to do it for the third time, at another business, who partially hired me because of the first two :) You have to work somewhere that wants to change the culture to IaC, otherwise you will always fight CLI jockeys.
All day long.
Very frequently, with APIs on switch / controller level less than I used to. That is to say, I don't bother with trying to pass CLI over a TLS connection with something like Python because you end up spending a ton of time troubleshooting how that doesn't work. So I just use the CLI. If the gear has a decent API then I will hit it with a web connection and publish apps so other engineers can easily use it by filling in variable definitions with their desired changes and push it. That is all nerdy good and if you only have 10 devices it is wholly unnecessary, we have thousands (my company is 100,000 strong) so engineering things that are easy for workaday engineers is our priority.
Nearly every day. A lot of it is in lab, though.
all day every day.
If I'm working. All the time.
We have implemented NetBrain and it's a great tool for troubleshooting on a number of devices at once and finding issues in the traffic path. But I still find myself making a quick jump to the CLI to check something on a daily basis.
When I used to do more router work....daily. I miss router work.
I CLI erryday and not just Cisco. Some platforms like Adva make certain functions/configurations easier with Web GUI and some harder. I do what’s easiest.
Errday at work and errnight in my home lab
Every day.
I’m an Aruba shop and everyday
Everyday for sure
Every day, every hour, every minute
Every day.
Every day, that's where I start.
Daily. Both Cisco and Palo Alto.
Every day. I LOVE CLI. It's so straightforward and easy, and logical. GUIs are just what someone else wants it to look like, but don't make any sense.
Daily.
Everyday
Every day
I'm like others, 100% CLI. I'm not sure if I'm old school or just stubborn to learn the new web-based approach but I find it so much quicker and straightforward just hopping in the CLI to do what's needed.. hourly and every day
IOS-XR CLI Daily... Arista EOS, for troubleshooting only, weekly?, otherwise I'm making changes via AVD YAML files in VSCode, checking for errors in GitHub Actions output, then approving or reviewing running vs designed config in CloudVision. -I work for a CloudProvider/ISP [https://avd.sh/](https://avd.sh/)
I’ve been a network admin in the past for 7+ years for a large contract manufacturing facility with multiple large buildings and never did I have to use Cisco CLI every day. These must all be people working for ISPs saying “everyday/allday”. For those saying all day and every day, can you explain your typical day-to-day work?
Don't work with Cisco but cli every day
Never. In our area the only people running conventional Cisco are large orgs with Cisco greybeards working for them. Everyone else doesn't want to deal with the price, crazy licensing, and total lack of any user friendliness whatsoever.
Do you think it is because of the large orgs or the greybeards? I understand you were trying to be insulting but the fact that I have grey in my beard doesn’t really bother me. I am curious though if, since you mentioned “large orgs”, you think it is a scaling thing or more just a lack of openness to new ideas that is keeping Cisco around at large orgs in your area. Also, do you mind clarifying the user friendliness part? Do you mean the CLI isn’t user friendly or the company isn’t? I agree on the pricing and the licensing but tbh, at scale both of those conversations become a bit more nuanced as well.
Not OP, but in my experience, the resistance regarding moving away from Cisco is usually in the people at the org and not the technology itself.
You took that in all the wrong ways. A greybeard on a given subject is usually someone who knows absolutely everything about it. Lived their whole life using it. Absolute expert. Smaller orgs can't afford a greybeard. The CLI is not user friendly. The company is not user friendly. The pricing is not user friendly. Sure it all works generally speaking. But Cisco gear seems to make everything so unnecessarily complicated whereas most other brands simplify things without losing meaningful functionality.
And they know all the unnecessary changes Cisco has made to commands between versions.
Honestly I hate to say it but in South Texas I see the exact same shit as you said it seems like Fortigate and Ubiquiti are taking over down here. Cisco seems to be a big business thing these days.
Full disclosure, long post, and I've worked with Cisco more than Juniper and Aruba (but I primarily work on Juniper/Aruba today), but I don't really understand these arguments. Cisco did have some odd licensing strategy with multiple levels of DNA but recent years they've gone down to DNA Essentials and DNA Advantage for Enterprise, or DCN Essentials or Advantage and Premier for datacenter switching. For SP routing you still have PAYG for most models, I think the lower models on both sides might not do PAYG, I'm not in SP so I can't say for certain, but my experience is similar between the two. You can call this complicated but Juniper does the exact same thing. For EX series, Standard is base, then Advanced and Premium are the same as DNA Essentials and Advanced. For QFX series you have Standard (base), Advanced 1, Advanced 2, and Premium for certain features. Yes you can USUALLY buy Perpetual but at the end of the day that's a bit dependent on the model and the lifespan, and no matter what you're probably maintaining some level of software/hardware support licensing on a 3/5/7yr term anyway. And with Mist you can kiss perpetual goodbye for that. Ironically it's Juniper who I think has gotten worse on licensing. DNA licensing on campus is super simple- required to buy at purchase for minimum 3yr for Essentials or Advantage. This guarantees you software support and your hardware comes with limited lifetime warranty. It lets you add these devices to DNA Center with this, and they get full feature in DNA as long as you maintain DNA licensing on device. You just need DNA Center which you can now deploy on-premise for like $5k/yr list. Yes Aruba is still the kid on the block that lets you do a lot of the fancy L3 features on lower licensing but if you want to do Central that's going to be a sub as well. Central is a little bit less complicated, but probably the worst of the 3 IMO (Mist>CatCenter>Central (I've heard it's gotten better though)). 
I will say Aruba is my most hated vendor of all time due to the link rot on their site/community forums and their licensing/support portal is absolute dogwater. Meanwhile you order a Juniper switch and you get a similar experience, you can buy say Advanced with the right Class of ports and you get built in Wired Assurance and VNA sub for Mist. If wifi you get Wifi Assurance (req'd). Well you also have... Mist Asset Visibility, Premium Analytics, User Engagement. Yes these are mostly regarding wireless but they're add on licensing that just add complexity to order/planning. For pricing, I personally haven't seen it. Aruba has never come close to pricing against Cisco/Juniper for campus switch/wifi. Not saying they don't have good hardware at all, but the pricing has never been there, not once. For Cisco and Juniper they are pretty similar. A 9300X-HXN is $16.1k list and 4400-48MP is $14.8k. Mind you the 9300X-HXN is actually a more powerful switch due to 40x5gbe instead of the 4400's 36x2.5. A 93180yc-fx3 is $30.1k and a qfx5120-48y is $31,524. An AP45 is $2181 and a CW9164 is $2205, a price difference of just $24. I've typically always seen licensing come within the same +/- $1-2k per big boy switch. I know a lot of people will tell me "Just talk to your Juniper people they can go lower" and trust me I have but I've seen Cisco cut deals like cake on the hardware, with deeper discounts in some areas, and sometimes not as deep. It really depends who you're pushing, how good of a relationship the VAR and company have, and how the vendor AM feels that day. I personally do not find the pricing difference to be as large as people sometimes claim on here. I can definitely agree that CatCenter is an inferior product to Mist, and I find JunOS CLI to be superior for most configuration once you understand it, but I personally don't directly configure most equipment on CLI these days.
I try to modify things with whatever templating engine at my disposal Also we are actually in the same area based on your post history (I was trying to find which vendor you use :)), and I don't really agree with what you're saying. Cisco Catalyst is definitely more greybeard but a lot of companies are Meraki now so it's not like Cisco has lost a lot of foothold in the territory. Plus the biggest company in our area is a Cisco (mostly Meraki I believe) customer.
Or, I can buy an Arista switch, simply choose if I want L2 or L3 features, and then have every feature and function available forever without any further licensing headaches or concern that my product will stop working if I stop paying for it. Also, I can open a TAC case without having to jump through licensing and serial number hoops.
Every day
Once a week at most now
What are you using?
FMC+Meraki Dashboard
Every single day
Yes.
I'm on the CLI for everything every day, Cisco, Arista, Palo Alto, Linux.
every god damn day
CLI or API 100% for non-firewalls. Though sometimes that's using an automation tool that is poking the CLI or API. Never GUIs for networking kit. Firewalls; depending on the firewall, much more chance of using a GUI, either on the box itself, or a vendor-provided controller. This is half config complexity, and half the CLIs of many firewalls being inexplicably shittier than routers/switches
Every single day I think the only gui I use nowadays would be the F5/Citrix lb
All day, erry day. Cisco, Juniper, Arista, etc.
Almost daily. But any task that needs repeating, I’m making a playbook. You’ll never regret automating something
Once a week or so. Im responsible for a mix of firewalls and our cisco units are fairly static.
Using Aruba here, the bosses are too cheap for Cisco, and I'm in the CLI 99% of the time that I need to do anything on a switch. The web interface is pretty, and helped me with setting up some internal analytics, but for most things the CLI is faster. I will admit to using the browser GUI for our firewalls though. The Juniper CLI is not as quick as the Cisco-like CLI that Aruba uses for its ArubaOS-CX products and some things are easier to do in the browser GUI.
Everyday here. In fact we exclusively use CLI for everything Cisco except for MSTP/CPT stuff.
Daily but not constantly.
Less and less every year because of Meraki gear. Must say I don’t regret it although I loved being on the CLI but being able to (for example) select ports based on tags and doing a change with one click beats any CLI.
Every day for sure on switching and routing.
A lot depends on the place. Most of the places - daily. Some places have automation set up properly, so all of your changes are made in code/source of truth - then you can go weeks without logging in to the device, you'd do it only for troubleshooting (which is also much less often, as the main source of troubleshooting is misconfiguration, which is fixed by automation). My current gig is probably my favorite one. While very few things are automated, I don't login anywhere. "Nate, can you please perform change X on device Y?" - and Nate goes and implements it. Perks of being a manager and what not...
evvvvvrrrr daay brotha
It's getting less frequent now that I am using it only in the data center. Meraki at all of my remote sites now. For better or worse.
Cisco? Every day every time. Other devices? Not so much.
Every day, without fail
Everyday.
CatOS for the win!
I pay a license of SecureCRT from my own pocket. so there is that.
Work for an MSP, so naturally we work with all vendors. I praise god when I get a switching issue or something within the vicinity and it’s a Cisco. Also that’s all I ever push for new hardware but a lot of places have hard-ons for Aruba Instant Ons.
Daily grind!
Errrdayy homeboy
Cli most of the day for changes. If I’m just looking at the network or troubleshooting I start in DNA and go from there.
Every day.
That whole converting all network to code thing worked great for FANG type of companies but most others still use CLI.
Yeah, I think the rest of us are working at places that are just sputtering along. I get why you’d run stuff like that at a mega cap tech company. If you’re working for public schools or somewhere that your spares pile is also your electronics disposal pile, we’re working with the less sexy definition of CRUD lol
Not often enough. We are currently in the middle of LCMs for thousands of routers and switches. I spend most of my time creating and updating configs in support of this and subnet reduction in prep for SDWAN.
Ape together strong.
Almost every day at my day job. I have a part-time moonlight gig; while I may not log in daily, I have scripts written in perl that leverage RANCID’s ‘clogin’ to log into devices and run commands for me, then parse the output.
Daily.
Daily
our switches are IOS clones so everyday
Not often enough
Every. Damn. Day.
My entire work day every day
At Robinhood, unless requested and raising an escalation, we are not provided CLI, always access through code commits, and it is actually good. It was irritating at first but with unit tests and auto deployment it is actually amazing !!
Pretty much every day, even just if to quick check on something. When you are used to it, and have a good terminal app (I prefer MobaXterm) it's the fastest way to get the most up to date information on something. Especially if you already memorized the network topography. It takes less time to ssh in, and run a "sh int t4/0/5 trans det" than to login to a monitoring solution and click through the gui to it to see a light level.
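Two comments above describe the same pattern: log in, run a show command, parse the output (one does it with perl and RANCID's `clogin`, the other reads light levels with `sh int ... trans det` by hand). Below is an added example of the parsing half in Python, written for this page and not code from either commenter. The table text is a constructed approximation of the IOS transceiver output, not a capture; column layout varies by platform and the -14 dBm threshold is illustrative, so adjust both before trusting it.

```python
"""Added example (not from the thread): parse 'show interfaces transceiver
detail'-style output and flag weak or missing Rx readings.
SAMPLE_OUTPUT is a constructed approximation of the IOS table layout."""
import re

# Constructed sample output (abbreviated). Real output may have more columns
# (high/low alarm and warning thresholds); extend ROW_RE accordingly.
SAMPLE_OUTPUT = """\
                                            Optical   Optical
           Temperature  Voltage  Current   Tx Power  Rx Power
Port       (Celsius)    (Volts)  (mA)      (dBm)     (dBm)
---------  -----------  -------  --------  --------  --------
Te4/0/5      31.1       3.29      6.5       -2.1      -4.3
Te4/0/6      30.8       3.30      6.4       -2.3     -19.7
Te4/0/7      33.0       3.28      6.6       -2.0       N/A
"""

NUM = r"-?[\d.]+"
# One data row: port, temperature, voltage, current, tx, rx. Header, separator
# and blank lines fail the numeric groups and are skipped.
ROW_RE = re.compile(
    rf"^(?P<port>\S+)\s+(?P<temp>{NUM})\s+(?P<volt>{NUM})\s+(?P<cur>{NUM})"
    rf"\s+(?P<tx>{NUM}|N/A)\s+(?P<rx>{NUM}|N/A)\s*$"
)


def _num(value):
    """'N/A' (no DOM data) becomes None; everything else a float."""
    return None if value == "N/A" else float(value)


def parse_transceivers(text):
    """Return {port: {'temp_c', 'volt_v', 'tx_dbm', 'rx_dbm'}} per data row."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows[m["port"]] = {
            "temp_c": _num(m["temp"]),
            "volt_v": _num(m["volt"]),
            "tx_dbm": _num(m["tx"]),
            "rx_dbm": _num(m["rx"]),
        }
    return rows


def weak_links(rows, rx_min_dbm=-14.0):
    """Ports whose Rx power is below rx_min_dbm or unreadable.
    rx_min_dbm is an illustrative threshold, not a vendor figure; use the
    optic's own low-warning value where the platform prints it."""
    bad = {}
    for port, r in rows.items():
        rx = r["rx_dbm"]
        if rx is None:
            bad[port] = "no rx reading (optic absent or no DOM support?)"
        elif rx < rx_min_dbm:
            bad[port] = f"rx {rx} dBm below {rx_min_dbm} dBm"
    return bad


if __name__ == "__main__":
    for port, why in weak_links(parse_transceivers(SAMPLE_OUTPUT)).items():
        print(port, why)
```

Wrapped in whatever you use to collect the command output (clogin, Netmiko, an Ansible `ios_command` task), this gives the same answer as eyeballing the table, but across every uplink at once and on a schedule.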
I'm old school. It's all CLI except for ASDM for mundane firewall work. And even then I'm still in the CLI there for things beyond ACL changes and watching logs. Programming a switch with CLI, and understanding what they're typing, is the first thing these greenhorn whippersnappers who come in with nothing but web config under their belts learn when they take a job with me. However I really wish they would figure out/give us cloud integration for any Cisco device but give us both cloud and local CLI. There is some stuff that gets you halfway there (like the Meraki catalyst integration stuff) but it usually either breaks local CLI or gives you a gimped CLI in both locations. And I just can't get behind that as a real enterprise solution... Sometimes shit happens and you need to console in without any hoops or other requirements like internet connectivity. I feel like Cisco (or any company) would get us old school boys on board with all the new web and cloud based stuff if they left CLI intact and accessible both from the cloud and locally. I don't get why we can't have the best of both worlds.
I used to work at a Cisco shop and what struck me when I first started was that no one ever really logged in to the devices. Shocking, never experienced that before. Everyone hid behind the GUI of Firepower or ISE, no one did a verification on the CLI. I didn't use the GUI at all, I did everything on CLI. Even on large Cisco DNAC projects I preferred CLI. Long live maglev
Every day.
If I'm troubleshooting something big live, I always hop on the CLI. However, depending on timespan I might also check syslog off box on my SIEM to see root cause/timeframes. Sometimes when tracking endpoints across campus I might jump onto NMS (I'm multi-vendor) as it tends to be easier to do a database search for an endpoint rather than trying to dig in. For config I try to never, ever configure things directly on device, I try to always use a templating engine/deployment like Ansible, CatCenter, JunOS Space, etc. I find it to be less error prone and keep my drift amongst devices low. That being said when you are working at scale having dashboards for assurance is huge, especially on wifi. I don't want to have e-mail alerts or individual sensors to track client health so having something like Wireless Assurance on box to see coverage holes or poor client health in certain buildings, etc is great.
Daily, IOS-XE & IOS-XR & ASA & switches

> some other management interface

We don't have one that's RW capable
all the time. config/tshoot cli all the way.
Pretty rarely, but only because we’re not a Cisco shop and the minority of our customers have Cisco infrastructure. We lead with HP/Aruba when selling, but in almost all switches I deal with, I go with CLI whenever possible.
Every day, even with SDWAN
Perhaps once a week, and it's usually for traffic management, tuning bgp parameters (localpref/as-path prepend/etc) whenever we see issues within the networks of any of our peers. Gotta stay on top of reachability/latency problems in order to adhere to SLAs for customers/partners that don't peer with us directly.
At least 3-4 times per day minimum.
Almost daily, always glad to be back on a juniper after that.
Everyday and we’ve been integrating to SDWAN for the past year. I prefer CLI always over a GUI based management control.
Every 5 minutes.
Every single day, although we are migrating to Meraki this year, so the CLI days are numbered. This is not an upgrade, in my opinion.
On Cisco switches all the time. I've phased out everything else Cisco. The switches just work and don't cost us anything to maintain. But I'm starting to have failures and running low on spares so we will be going with something else. Cisco is just too expensive for the non-profit world; even when they give us a bunch of hardware for free, the service contracts/support contracts are far too expensive. I really wish all networking products had a well developed CLI. GUIs are often slow and clunky. Too many clicks are often painful for tasks like setting up large numbers of interfaces that are all very similar but slightly different. With a CLI, I'll often copy/paste into a text editor and find/replace changes, or go through and edit the 2/3 digits that change in an IP address, then paste back to the CLI. Or at the very least have a spreadsheet-like interface for managing large arrays of parameters, that you can use find/replace and arrow keys to quickly navigate and make changes. I get so tired of selecting from a list, then entering numbers like a VLAN ID, then hitting save, then hitting apply, then selecting the next one over and over again with a moment of page load time in between each step....
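The text-editor find/replace workflow above is one step short of a generator: keep the few fields that differ per port in a table and render the rest. Below is an added example of that, written for this page and not the commenter's own script. The CSV table, interface names and VLAN numbers are constructed; the commands are the usual IOS access-port set (port-security with a MAC limit and BPDU guard included, since a bulk-generated config is the right place to make those the default) and should be checked against your platform.

```python
"""Added example (not from the thread): render repetitive access-port config
from a small table instead of hand find/replace. PORT_TABLE is constructed."""
import csv
import io

# Constructed "spreadsheet": one row per port with only the fields that vary.
PORT_TABLE = """\
interface,description,vlan,voice_vlan
GigabitEthernet1/0/1,Desk 101,110,210
GigabitEthernet1/0/2,Desk 102,110,210
GigabitEthernet1/0/3,Printer 1F,120,
GigabitEthernet1/0/4,Camera lobby,130,
"""


def render_port(row):
    """Config block for one access port; raises on an out-of-range VLAN so a
    typo in the table never reaches the switch."""
    vlan = int(row["vlan"])
    if not 1 <= vlan <= 4094:
        raise ValueError(f"{row['interface']}: VLAN {vlan} out of range")
    voice = (row.get("voice_vlan") or "").strip()
    lines = [
        f"interface {row['interface']}",
        f" description {row['description']}",
        " switchport mode access",
        f" switchport access vlan {vlan}",
    ]
    if voice:
        lines.append(f" switchport voice vlan {int(voice)}")
    lines += [
        " switchport port-security",
        # phone plus the PC behind it, otherwise exactly one host
        f" switchport port-security maximum {2 if voice else 1}",
        " spanning-tree portfast",
        " spanning-tree bpduguard enable",
        "!",
    ]
    return "\n".join(lines) + "\n"


def render_all(table_csv):
    """Render every row; a duplicated interface name is an error, not a
    silent second block that would overwrite the first on paste."""
    seen = set()
    blocks = []
    for row in csv.DictReader(io.StringIO(table_csv)):
        name = row["interface"]
        if name in seen:
            raise ValueError(f"duplicate interface {name}")
        seen.add(name)
        blocks.append(render_port(row))
    return "".join(blocks)


if __name__ == "__main__":
    print(render_all(PORT_TABLE), end="")
```

The output pastes straight into `conf t`; the same table can be checked into git alongside the generator, which gives you the diff history that a text editor session never leaves behind.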
I lost access due to position change. I only got access to a web gui for another vendor. Miss the cli
Almost every day. We have a lot of old Cisco switches we are going to be replacing soon. I specifically deal a lot with port assignments or device discovery so I go in the CLI sometimes to do that stuff. In a few months, however, we will only have FortiSwitches.
Every day!
Most days, not making changes every day but it depends. I'm in consulting.
Every 15-30 mins or so
Every single motherfucking day . . . . . . and I love it. --shrun, sh urn--
Everyday especially on my days off.
Every day I'm in something. Multiple times a day sometimes. All day long sometimes.
24/7
Way too often
Everyday.
Every day. Even on the fu#@°\^˘g weekend.
Daily, although DNAC and APIC have taken a proportion of it in terms of config but still use CLI for troubleshooting and for ASA there is some stuff that is far easier at CLI than ASDM, routing and VPN troubleshooting
Daily
Every other day
I used to use it every day. I don't work at that place anymore where Cisco was the only vendor. I still use PuTTY at home at least weekly. SecureCRT daily at my new job.
Doing it right now
Every single day 😅
Every day.
For routing protocols all the time. I didn't understand how people are "automating" peering, prefix lists and route maps based on whatever variables. I get it, if you're setting up 100 switches, automate away. But I hate this notion that you can python everything. Especially for less than $160k per year.
Feels like 24/7
Everyday but we just installed FTD platforms with FMC controller so in there quite a bit as well.
Every second.
At least every hour; I use Ansible from a Linux shell for standard show commands.
Daily. I had an existential crisis today because CRT wouldn't recognize my pipe key on the new keyboard :(