Scripting for Network Audit on a Cisco Device (with bonus)

As networks grow larger, managing them becomes more and more complex. Using the command-line interface for each device is fine if your network consists of five or six switches and a couple of routers. As soon as you reach several dozen devices, however, the network quickly becomes unwieldy.

For this reason, concepts such as network automation and orchestration, as well as device programmability, are being employed to empower network administrators like us—to manage the ever-growing enterprise networks no matter how big they may get. It’s kind of like giving ourselves superpowers to magically gain control over thousands of devices that will eventually help us to take over the world… no, I think I’ve gone too far. That was supposed to go in another blog…

Getting back to the real world, it is almost like magic, and it does give you a sense of powerful control over many devices simultaneously. In this article, we’ll examine one particular aspect of network automation, which is scripting. And in particular, the use of Python scripts to help network administrators wield some of our magic.

Python and the Cisco CLI

What is Python?

Python is a high-level, general-purpose programming language suited to a multitude of tasks. It is exceptionally readable by humans because it uses indentation to structure code. Using an editor with syntax highlighting, such as Sublime Text or Microsoft’s Visual Studio Code, readability increases further with color-coding of the different code components, as shown in the image below.

Python is generally easy to use and understand and consistently ranks as one of the most popular programming languages.

If you’re new to Python programming, it may be worth your while to go through the Beginners Guide to Python available at the Python.org web page. This will give you some of the prior knowledge necessary to understand better the content presented here.

Python for Networking

Python’s ease of use and versatility has made it ideal for network automation applications, specifically in two areas. 

First, Python can be used for scripting. This is especially useful when you have many repetitive tasks to perform. Do you have a series of QoS parameters you want to apply to all your switches? Or do you want to configure all 4500 access ports of your network with port security? Python is ideal.

Secondly, Python can be used to interact with a Cisco device using the CLI, essentially connecting using SSH or Telnet, issuing commands, and retrieving information from show commands.

Using Python to perform a network audit

In this article, we’re going to focus on performing a network audit. By no means will this be an exhaustive examination of such an endeavor; we’ll only be scratching the surface. But it will give you a good look at how certain tasks can be automated. For a more comprehensive overview of how to perform a network audit in general, take a look at “How to Perform a Network Audit.”

We’ll take two aspects of the network audit and automate them in a script for our purposes. Specifically, in our auditing script, we’ll be taking the hardware inventory of a Cisco device, along with the current running configuration.

Preparing for a Cisco Network Audit using Python

What do we want to achieve?

If we were to perform this simple network audit on a Cisco device manually, we would do the following:

  1. Log in to the CLI of the device using SSH
  2. Issue the "show inventory" command
  3. Issue the "show running-configuration" command

You would then either copy and paste all of the output to a text file or have configured your terminal program to save all output to a file. The result is a text file containing the hardware inventory of the device and the running configuration.

Preliminary work and Prerequisites

To get this working, we need to have a framework from which a Python script can be interpreted and executed. Python is pre-installed on most Linux platforms and Mac OS devices. For Windows, you’ll have to install it yourself. You can do so at the Python Download page. Once installed, take a look at the available documentation to find out how to run scripts for your particular platform.

Secondly, we also need Python to initiate an SSH session to gain access to the command-line interface. To do this, you must use a Python SSH module. This is a component of Python that allows you to create an SSH session with a remote device, and it can be downloaded and incorporated into your Python script. There are several options for such a module, but the most popular is Paramiko.

On either a Linux, Windows, or Mac OS device, Paramiko can be added by simply issuing the following command in the command line:

pip install paramiko

Check to make sure that the Paramiko and Python versions used are compatible.

What do we want the code to do?

Now we come to a description of what we actually want our code to do. The following diagram shows our network setup:

The code should:

  1. Connect to My_Router using SSH credentials
  2. Issue the required commands
  3. Return the output and save it to a text file

Implementation of a Simple Cisco Network Audit using Python

Router configuration

Before we see the actual Python script, let’s make sure that our router is configured correctly to allow an SSH connection. Below are the configuration parameters on the My_Router device:

My_Router#configure terminal
My_Router(config)#ip domain-name routerfreak.com
My_Router(config)#crypto key generate rsa general-keys modulus 1024
My_Router(config)#ip ssh version 2
My_Router(config)#username rf_admin privilege 15 secret 123456

My_Router(config)#line vty 0 4
My_Router(config-line)#transport input ssh
My_Router(config-line)#login local

The above configuration has:

  • Enabled SSH version 2
  • Configured a domain name to be used in the creation of an RSA key
  • Created an RSA key for use with SSH
  • Configured user credentials in the local database
  • Enabled SSH (and only SSH) on the vty lines, with authentication performed against the credentials stored in the local database

Create the Python script

Let’s create the Python script that we’ll be using to issue our audit commands to the router. Here is the code with explanations of what is actually being configured. Comments in the script begin with the “#” character.

import paramiko

# imports the Paramiko module that allows Python to create the SSH session

my_ip = "192.168.25.1"
my_username = "rf_admin"
my_password = "123456"

# defines variables that will be used to create the SSH session

command_1 = "show inventory"
command_2 = "show running-configuration"

# defines variables that will be used to issue the required show commands

ssh = paramiko.SSHClient()

# creates a new Paramiko SSH client object (no connection is made yet)

def run_audit_on_device(ip_address, username, password, command):
    # defines a function that connects to a device, runs a command, and
    # returns the resulting output as a string

    transport = ssh.get_transport()
    if transport is None or not transport.is_active():
        # only open a session if none is active yet, so that both audit
        # commands are sent over the same SSH session

        ssh.load_system_host_keys()
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

        # these two commands load the known SSH host keys and, with
        # AutoAddPolicy, accept any host key not already known (trust on
        # first use); both are functions defined within the Paramiko module

        ssh.connect(ip_address,
                    username=username,
                    password=password,
                    look_for_keys=False)

        # this function, also part of the Paramiko module, uses the IP
        # address and the credentials passed to the function to connect
        # to the device using SSH

    # sends the show command over the session and returns its output
    stdin, stdout, stderr = ssh.exec_command(command)
    return stdout.read().decode("utf-8")

audit_inv = run_audit_on_device(my_ip, my_username, my_password, command_1)
audit_runconfig = run_audit_on_device(my_ip, my_username, my_password, command_2)

# these commands run the previously defined function with the two show commands and save the output to the defined variables

ssh.close()

# this is one more command from the Paramiko module that closes the SSH session

file_name = my_ip + " audit.txt"

# creates a unique file name for the output text file, derived from the IP address of the device being connected to

with open(file_name, "w") as text_file:
    text_file.write(audit_inv)
    text_file.write(audit_runconfig)

# the above commands open a text file named file_name for writing and add the output of the inventory and the running config to that file

print("audit complete")

# this output indicates that the script has completed

A few comments about the script

This is a fundamental script that can be modified, added to, and improved. Some of the things to keep in mind include:

  • By changing the variables that correspond to IP address, credentials, and audit commands, you can rerun this script for hundreds or even thousands of devices with different show commands.
  • It would be worthwhile to include code that handles SSH connection failures, such as an unreachable device or an incorrect username or password. In such a scenario, the script should print output that clearly indicates the connectivity or authentication error.
  • It may be helpful to learn more about the open syntax to open, write to, append to, manipulate, and delete text files.

This script saves the output to a text file. This may be limited in its usefulness, as it is then up to humans to review these files for auditing purposes. You can add additional Python code to parse the output using regular expressions, but even that can be cumbersome. Luckily, many devices also expose a REST API that returns output in JSON format, which is much easier to parse using Python.
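As an added example (not part of the original article), here is the regular-expression parsing mentioned above applied to the "show inventory" output the script collects: it turns the two-line NAME/DESCR and PID/VID/SN records into Python dicts and then into CSV rows, so that inventories from many devices can be concatenated into one spreadsheet. The sample output is constructed, not captured from a real device.

```python
import csv
import io
import re

# Constructed sample of IOS "show inventory" output (not from a real device);
# the last item has an empty serial number, which the parser must tolerate.
SAMPLE_INVENTORY = """\
NAME: "Chassis", DESCR: "Cisco ISR4331 Chassis"
PID: ISR4331/K9        , VID: V04  , SN: FDO00000001

NAME: "Power Supply Module 0", DESCR: "250W AC Power Supply"
PID: PWR-4330-AC       , VID: V02  , SN: ABC00000002

NAME: "NIM subslot 0/0", DESCR: "Front Panel 3 ports Gigabitethernet Module"
PID: ISR4331-3x1GE     , VID: V01  , SN:
"""

# One inventory item spans two lines: NAME/DESCR, then PID/VID/SN.
ITEM_RE = re.compile(
    r'NAME:\s*"(?P<name>[^"]*)",\s*DESCR:\s*"(?P<descr>[^"]*)"\s*\n'
    r'PID:\s*(?P<pid>[^,\s]*)\s*,\s*VID:\s*(?P<vid>[^,\s]*)\s*,\s*SN:\s*(?P<sn>\S*)'
)


def parse_show_inventory(text):
    """Return one dict per inventory item with keys name, descr, pid, vid, sn."""
    return [m.groupdict() for m in ITEM_RE.finditer(text)]


def inventory_to_csv(device_ip, text):
    """Render the parsed inventory as CSV text, each row prefixed with the
    device IP so rows from many devices can be merged into one file."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["device", "name", "descr", "pid", "vid", "sn"])
    for item in parse_show_inventory(text):
        writer.writerow([device_ip, item["name"], item["descr"],
                         item["pid"], item["vid"], item["sn"]])
    return buf.getvalue()


if __name__ == "__main__":
    print(inventory_to_csv("192.168.25.1", SAMPLE_INVENTORY))
```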
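Since the saved running configuration otherwise has to be reviewed by a human, here is an added example (not from the original article) that checks the collected config for the SSH settings established in the router configuration section: ip ssh version 2, a domain name, and vty lines that accept only SSH with local login. The sample configuration is constructed, and its second vty block deliberately still allows telnet.

```python
# Constructed sample running config (not captured from a real device); the
# second vty block still allows telnet, which the audit should flag.
SAMPLE_RUNNING_CONFIG = """\
hostname My_Router
ip domain-name routerfreak.com
ip ssh version 2
username rf_admin privilege 15 secret 5 $1$PLACEHOLDER
!
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login local
!
end
"""


def vty_sections(config_text):
    """Yield (header, [child lines]) for each 'line vty' block; children are
    the indented lines that follow the header in IOS config syntax."""
    header, children = None, []
    for raw in config_text.splitlines():
        if raw.startswith("line vty"):
            if header:
                yield header, children
            header, children = raw.strip(), []
        elif header and raw.startswith(" "):
            children.append(raw.strip())
        elif header:  # first non-indented line ends the block
            yield header, children
            header, children = None, []
    if header:
        yield header, children


def audit_ssh_config(config_text):
    """Return findings where the config deviates from the SSH-only setup."""
    findings = []
    lines = [line.strip() for line in config_text.splitlines()]
    if "ip ssh version 2" not in lines:
        findings.append("global: ip ssh version 2 not configured")
    if not any(line.startswith("ip domain-name ") for line in lines):
        findings.append("global: ip domain-name missing (needed for the RSA key)")
    for header, children in vty_sections(config_text):
        transports = [c for c in children if c.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(f"{header}: expected 'transport input ssh', found {transports or 'none'}")
        if "login local" not in children and not any(c.startswith("login authentication") for c in children):
            findings.append(f"{header}: no local or AAA login configured")
    return findings
```

Run audit_ssh_config over the text returned for the running configuration; an empty list means the device matches the expected SSH setup.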

What’s next

The truth is that if you want to get proficient in these automation tools, it will take some reading and some practice too. But in the end, I believe you will find that it is worth it, especially if you are responsible for networks that employ dozens or more network devices.

Conclusion

Now all of this may seem like doing way too much work for something so simple. But imagine if you have to apply this audit to hundreds or even thousands of devices. And imagine including much more complex and involved show commands for each device. As the scale of the necessary tasks increases, you can quickly see how the value of such a script also increases.

As you become more adept at writing scripts, you will quickly see the value in developing them to make your daily and routine tasks more automated and easier to implement.



Lazaros Agapidis

Lazaros Agapidis is a telecommunications and networking specialist with over twenty years of experience in network design, architecture, deployment, and management. He’s worked with multiple wired and wireless technologies including IP networks, fiber optics, Wi-Fi, as well as mobile communication networks. He has developed training content and courses for multiple vendors, and has been directly involved with teaching telecommunications for more than a decade. Over the years, he’s gained valuable first-hand experience from working on various large-scale telecom projects from both the enterprise as well as the telecom provider point of view.


10 comments

  1. This article idea is great, but the content is poor in my POV.
    We are in 2021, there are tons of other ways to automate what you want more easily, more usefully, etc… you talk about paramiko, one of the worst ways to do it.
    For your readers, please look at some other “tools” like netmiko, napalm, ansible, nornir.
    For instance, for what you are trying to do, network audit, you should not use netmiko only because you will reinvent the wheel; you should look into ansible or nornir+netmiko+textfsm or nornir+napalm.

    • Lazaros Agapidis

      Hello Florian.

      Thanks for the feedback, it’s always welcome! I understand your response, and I appreciate it. Remember that the audience of this post is primarily those network professionals that don’t have very much experience with scripting and with Python. The goal was to provide a simple script that is easy to implement so that they can get their feet wet. Of course, there are always better ways to do things, and the fact that you shared them is helpful. We encourage our readers to further explore the options and recommendations that you have made as well.

      Thanks again!

      Laz

  2. I could not download the bonus script.

  3. Jaroslav Dockal

    Good except inaccessible BONUS – you shoot from the reader.
