As networks grow larger, managing them becomes more and more complex. Using the command-line interface for each device is fine if your network consists of five or six switches and a couple of routers. As soon as you reach several dozen devices, however, the network quickly becomes unwieldy.
For this reason, concepts such as network automation and orchestration, as well as device programmability, are being employed to empower network administrators like us—to manage the ever-growing enterprise networks no matter how big they may get. It’s kind of like giving ourselves superpowers to magically gain control over thousands of devices that will eventually help us to take over the world… no, I think I’ve gone too far. That was supposed to go in another blog…
Getting back to the real world, it is almost like magic, and it does give you a sense of powerful control over many devices simultaneously. In this article, we’ll examine one particular aspect of network automation, which is scripting. And in particular, the use of Python scripts to help network administrators wield some of our magic.
Python and the Cisco CLI
What is Python?
Python is a high-level, general-purpose programming language for a multitude of tasks. It is exceptionally readable by humans as it has an extensive indentation. Using appropriate code parsing applications such as Sublime Text or even Microsoft’s Visual Studio Code, readability increases with color-coding of different code components, as shown in the image below.
Python is generally easy to use and understand and consistently ranks as one of the most popular programming languages.
If you’re new to Python programming, it may be worth your while to go through the Beginners Guide to Python available at the Python.org web page. This will give you some of the prior knowledge necessary to understand better the content presented here.
Python for Networking
Python’s ease of use and versatility has made it ideal for network automation applications, specifically in two areas.
First, Python can be used for scripting. This is especially useful when you have many repetitive tasks to perform. Do you have a series of QoS parameters you want to apply to all your switches? Or do you want to configure all 4500 access ports of your network with port security? Python is ideal.
Secondly, Python can be used to interact with a Cisco device using the CLI, essentially connecting using SSH or Telnet, issuing commands, and retrieving information from show commands.
Using Python to perform a network audit
In this article, we’re going to focus on performing a network audit. Now by no means will this be an exhaustive examination of such an endeavor; we’ll only be scratching the surface. But it will give you a whole look into how certain tasks can be automated. For a more comprehensive overview of how to perform a network audit in general, take a look at “How to Perform a Network Audit.”
We’ll take two aspects of the network audit and automate them in a script for our purposes. Specifically, in our auditing script, we’ll be taking the hardware inventory of a Cisco device, along with the current running configuration.
Preparing for a Cisco Network Audit using Python
What do we want to achieve?
If we were to perform this simple network audit on a Cisco device manually, we would do the following:
- Log in to the CLI of the device using SSH
- Issue the
"show inventory command"
- Issue the
"show running-configuration command"
You would then either copy and paste all of the output to a text file or have configured your terminal program to save all output to a file. The result is a text file containing the hardware inventory of the device and the running configuration.
Preliminary work and Prerequisites
To get this working, we need to have a framework from which a Python script can be interpreted and executed. Python is pre-installed on most Linux platforms and Mac OS devices. For Windows, you’ll have to install it yourself. You can do so at the Python Download page. Once installed, take a look at the available documentation to find out how to run scripts for your particular platform.
Secondly, we also need Python to initiate an SSH session to gain access to the command-line interface. To do this, you must use a Python SSH module. This is a component of Python that allows you to create an SSH session with a remote device, and it can be downloaded and incorporated into your Python script. There are several options for such a module, but the most popular is Paramiko.
On either a Linux, Windows, or Mac OS device, Paramiko can be added by simply issuing the following command in the command line:
pip install paramiko
Check to make sure that the Paramiko and Python versions used are compatible.
What do we want the code to do?
Now we come to a description of what we want our code actually does. The following diagram shows our network setup:
The code should:
- Connect to My_Router using SSH credentials
- Issue the required commands
- Return the output and save it to a text file
Implementation of a Simple Cisco Network Audit using Python
Before we see the actual Python script, let’s make sure that our router is configured correctly to allow an SSH connection. Below are the configuration parameters on the My_Router device:
My_Router(config)#ip domain-name routerfreak.com
My_Router(config)#crypto key generate rsa general-keys modulus 1024
My_Router(config)#ip ssh version 2
My_Router(config)#username rf_admin privilege 15 secret 123456
My_Router(config)#line vty 0 4
My_Router(config-line)#transport input ssh
The above configuration has:
- Enabled SSH version 2
- Configured a domain name to be used in the creation of an RSA key
- Created an RSA key for use with SSH
- Configured user credentials in the local database
- Has enabled connectivity to the device using SSH with authentication to be performed using credentials stored in the local database
Create the Python script
Let’s create the Python script that we’ll be using to issue our audit commands to the router. Here is the code with explanations of what is actually being configured. Comments in the script begin with the “#” character.
# imports the modules from Paramiko that allow Python to create the SSH session
my_ip = "192.168.25.1"
my_username = "rf_admin"
my_password = "123456"
# defines variables that will be used to create the SSH session
command_1 = “show inventory”
command_2 = “show running-configuration”
# defines variables that will be used to issue the required show commands
ssh = paramiko.SSHClient()
# creates a new Paramiko SSH client session
def run_audit_on_device(ip_address, username, password, command):
# defines a function that connects to a device, runs a command, and responds by returning the resulting output
# these two commands load the SSH host keys and add them automatically if needed—these are functions defined within the Paramiko module and are used as standard procedure when connecting using SSH
# this function, also part of the Paramiko module, uses the IP address and the credentials needed to connect to the device using SSH
audit_inv = run_audit_on_device(my_ip, my_username, my_password, command_1)
audit_runconfig = run_audit_on_device(my_ip, my_username, my_password, command_2)
# these commands run the previously defined function using the two commands and saves the output to the defined variables
# this is one more command from the Paramiko module that closes the SSH session
file_name = my_ip + “ audit.txt”
# creates a unique file name of the output text file that is defined by the IP address of the device being connected to
with open (file_name, “w”) as text_file:
# the above commands open a text file to be written to with the name file_name and add the contents of the output of the inventory and the running config to that file
# this output indicates that the script has been completed
A few comments about the script
This is a fundamental script that can be modified, added to, and improved. Some of the things to keep in mind include:
- By changing the variables that correspond to IP address, credentials, and audit commands, you can rerun this script for hundreds or even thousands of devices with different show commands.
- For SSH connectivity, including code that will deal with SSH connectivity failure in the event of an incorrect username or password would be worthwhile. Such a scenario should incorporate output that indicates a connectivity error.
- It may be helpful to learn more about the open syntax to open, write to, append to, manipulate, and delete text files.
This script saves the output to a text file. This may be limited in its usefulness as it is then up to humans to review these files for auditing purposes. You can add additional Python code to parse the output using regular expressions, but even that can be cumbersome. Luckily there are tools such as REST API, which returns output in JSON format. This is a format that is much easier to parse using Python.
The truth is that if you want to get proficient in these automation tools, it will take some reading and some practice too. But in the end, I believe you will find that it is worth it, especially if you are responsible for networks that employ dozens or more network devices.
Now all of this may seem like doing way too much work for something so simple. But imagine if you have to apply this audit to hundreds or even thousands of devices. And imagine including much more complex and involved show commands for each device. As the scale of the necessary tasks increases, you can quickly see how the value of such a script also increases.
As you become more adept at writing scripts, you will quickly see the value in developing them to make your daily and routine tasks more automated and easier to implement.