New network challenge

Thu 23 January 2020

So we have had a project growing for some time now to start working towards a zero trust network. Now the specifics and all of the tools we are using to get there, is beyond the scope of this article. I will say though that a particular challenge arose in one of the requirements that we had, and I knew this would be a great example of something that I could solve easily with python.

Requirements

  • We needed to get every port that currently has 802.1x turned on (in monitoring or open mode).
  • we needed to write out work orders to have the changes made to put all of these ports into closed mode.
  • we had do to this on 700 + switches
  • We could not affect ports in vlans that were not included in the enforcement activity
  • Local or specific requirements for me
    • Scripts must log all failures
    • Scripts must give some kind of representation of status
    • Script must not have passwords in it
    • Script must be scalable (abiltiy to use an outside IP list, that could be modified)

With all of this in mind, I was able to start playing around with what would be my script to complete the (what would be an ardous) task by hand with minimal effort.

Libraries

I knew that I would require a couple of libraries, just to not re-invent the wheel. So I imported the following:

from netmiko import ConnectHandler
import re, sys, logging, glob, getpass

The glob library has not been used yet, but wanted it for future expansion. The primary thing was netmiko. If you have never used Netmiko, and you want to do anything with python and networking I would strongly suggest a good look at this library. Kurt Byers is the main developer of this library and he has spent enormous amounts of time making this very robust and capable of doing much more than just Cisco networking. The next most important would the be the re or "regular expression" Library. Searching for patterns in our specific case was very helpful. Then getpass to securely pass passwords from the cli to the script, without hard coding passwords in the code (BAD IDEA). The other two libraries are for logging purposes, and with a little help from google and others, I was able to get a baseline logging function and throw it in to capture any success or failure while running.

GetVlans() function

First thing I wanted to do was make a module that would get the result of :

# show vlan | inc Protected

This one command would give me a one line string, that I could then use re.findall to grab the pattern and create a list to print out the interface range command with an exact list of all ports that were in the "Protected" vlans (those affected by our enforcment efforts).

So I wrote this function:

def GetVlans(ip, usr, paswd):
        try:
                s = ConnectHandler(device_type='cisco_ios', ip=ip, username=usr, password=paswd)
                vlans = s.send_command("show vlan | inc Protected")
                pattern = "Et.*"
                result = re.findall(pattern, vlans)
                s.disconnect()
                print("#"*30 + "#  {}  #".format(ip) + "#"*30)
                print("!")
                print("interface range {}".format(result[0]))
                print("no authentication open")
                print("!\n")
                print("#" + "~"*75)
                logger.info("Success on {}".format(ip))
        except:
                print("\n\n#" + "*!"*35)
                logger.error("Something went wrong on {}".format(ip))
                print("something went wrong with {}".format(ip))
                pass

For that function all I had to pass in was the ip, username, and password of a switch, and I could get the result printed in and interface range command then the next line being simply no authentication open. You may notice one line also that has logger.info("Success on {}".format(ip)) That line ties into the function that I wrote afterward, (but placed above this function!!). I will show the logging function next, but let me finish with the GetVlans function. I tested it extensively, but found that if it errored out for any reason, it would not run through the next interation if it was in a loop, so I added the try and except clauses.

Logging function

The logging function was added after I got the main function working properly, but please note as in much code, the sequence matters, so I did add this function and initiate it above the GetVlans() function.

def setup_custom_logger(name):
    formatter = logging.Formatter(fmt='%(asctime)s %(levelname)-8s %(message)s',
                                  datefmt='%Y-%m-%d %H:%M:%S')
    handler = logging.FileHandler('log.txt', mode='w')
    handler.setFormatter(formatter)
    screen_handler = logging.StreamHandler(stream=sys.stdout)
    screen_handler.setFormatter(formatter)
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    logger.addHandler(screen_handler)
    return logger

logger = setup_custom_logger("PyNAC")

This bit of code is not my own, in fact I found it on stackoverflow, and you will find that often when trying to do something new, someone else has done it before you. Logging is a pretty simple thing, but knowing the best approach is sometimes easy to take it from someone who has already put in the sweat and tears. stackoverflow
The above function just writes out to a log.txt file and also presents onscreen as a status when executed in the GetVlans() function.

Looping and reading IP list

The final step was to setup a way to execute these functions on multiple switches. So I decided to just make a flat text file with IPs on each line that are switch IPs. Then read them into a list and iterate through that list executing the (ip) variable in GetVlans for each.

ips = [line.rstrip("\n") for line in open("iplist.txt")]

That line is a simple list comprehension that reads in iplist.txt file, strips the newline and puts it into a list.

Then we iterate through the list and execute the GetVlans function... but I wanted to protect passwords too, so I added the Getpass() function to have the user enter the password (outside of the loop) and then pass that for each iteration of the loop:

PassWD = getpass.getpass()
for n in ips:
        GetVlans(ip=n, usr='cisco', paswd=PassWD)

Executing the script

root@gns3-network_automation-1:~# python PyNac.py
Password:
###############################  2.2.2.2  ##################################
!
interface range Et3/0, Et3/1, Et3/2, Et3/3
no authentication open
!

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2020-01-24 03:44:12 INFO     Success on 2.2.2.2
###############################  3.3.3.3  ##################################
!
interface range Et3/0, Et3/1, Et3/2, Et3/3
no authentication open
!

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2020-01-24 03:44:19 INFO     Success on 3.3.3.3
###############################  4.4.4.4  ##################################
!
interface range Et3/0, Et3/1, Et3/2, Et3/3
no authentication open
!

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2020-01-24 03:44:26 INFO     Success on 4.4.4.4


#*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!*!
2020-01-24 03:44:27 ERROR    Something went wrong on 5.5.5.5
something went wrong with 5.5.5.5
###############################  6.6.6.6  ##################################
!
interface range Et3/0, Et3/1, Et3/2, Et3/3
no authentication open
!

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2020-01-24 03:44:34 INFO     Success on 6.6.6.6

So the first thing that occurs there is the Password prompt, after entering your credentials (for user cisco in my lab) then the execution starts. First line indicates the IP of the router that is being polled, then the full commands that will need to be put into the work order for someone else to run (...I know, wouldn't it be easier to just have the script turn it on...politics). This action between each switch/router, takes approx 7 seconds to complete (notice times between on the INFO line). A user logging into each switch and scraping this data would presumably take much longer. Also note that 5.5.5.5 errored out, that was by design to test the except function and logging. I had just turned the router off.

Final notes

This is still a work in progress....but so far it has successfully executed on 20 switches with no issue. (now on to all 700+).

Also some things to note, the above script was written and ran on a GNS3 LAB, thus the "Et.*" pattern and ranges, I did test it on production with "Gi.*" and that worked GNS3-lab I may also add some features like threading to do more than one switch at a time, but that is all dependant on memory restrictions etc.

--Carl

blogroll

social