Showing posts with label #CiscoChampion. Show all posts

Saturday, October 14, 2023

Automating Network Configurations with Jinja2 and Python: A Step-by-Step Guide

In this post, I worked on collecting code that works with a Jinja template.


The nice thing about working with Jinja is that you can have a baseline config that is applied to all devices, plus variables that are changed according to your needs.


for example, on each device (which may be a router) you will have:

1. southbound links to switches; let's assume the interface used for this is G1/0/48

2. NTP servers to be configured on these routers

3. hostnames

4. routing protocol

... etc.


all of these can be variables in a Jinja template, which we can use along with Python to generate configs, and maybe later even use to push to network nodes.

this can automate our work; in the long term it makes our job easier and more consistent.


let's start by making a directory, which we can call routers_configs.

in this directory we will have three files:

1. the Jinja file, which is our router config template and should contain the following:

file name is >> cisco_template.j2

as you can see in the template below, you can have a complete configuration file ready and mark the parts you want replaced from your CSV file with {{ variable }}, as below >>

hostname {{ router_name }}
ntp server {{ ntp_ip }}
interface loopback 0
ip address {{ ip_address }} 255.255.255.255
router {{ routing_pro }}
int gig {{ int_number }}

2. the device information, which can be a CSV file (info.csv, the name the Python code opens) holding the list of your new devices and the information you will add to them.

the file is laid out as below, with commas separating the columns and one device per row.

router-bgd, 192.68.1.2, 2.2.2.2, ospf 1, 1/0/48

router-suly, 172.16.1.1, 1.1.1.1, ospf 1, 1/0/48

rtr-erbil, 10.0.0.1, 1.1.1.1, ospf 1, 1/0/48

router-bgd2, 192.68.1.3, 2.2.2.2, ospf 1, 1/0/48

router-suly2, 172.16.1.2, 1.1.1.1, ospf 1, 1/0/48

rtr-erbil2, 10.0.0.2, 1.1.1.1, ospf 1, 1/0/48

3. the Python code that we will use to render the information from these two files and write the configs out to a separate text file for each device. we will name this file ciscojinja.py

import csv
from jinja2 import Environment, FileSystemLoader
# these two imports are always needed

file_loader = FileSystemLoader('.')  # look in the current directory for the Jinja template

# load the environment
env = Environment(loader=file_loader)

template = env.get_template('cisco_template.j2')  # find the Jinja file and load it

with open('info.csv') as info_source:
    csv_file = csv.reader(info_source)
    for row in csv_file:
        # strip the spaces that follow each comma in info.csv, otherwise they end up in the config
        csv_router_name = row[0].strip()
        csv_ip = row[1].strip()
        csv_ntp_server = row[2].strip()
        routing_protocol = row[3].strip()
        interface_slot = row[4].strip()
        output = template.render(router_name=csv_router_name, ip_address=csv_ip,
                                 ntp_ip=csv_ntp_server,
                                 routing_pro=routing_protocol,
                                 int_number=interface_slot)  # these names must match the variable names in the Jinja template
        with open(csv_router_name + '.txt', 'w') as configs:  # one text file per device, named after the router
            configs.write(output)
when you run the Python code, you will notice that additional text files are generated, one per device, containing the configuration rendered from the CSV data.
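As an added example (not the post's own script), here is a version of the same CSV-to-config flow that checks each row before rendering. The hostname column is also used as the output filename, so a value such as ../evil would write outside routers_configs, and an address typo would land silently in a device config. The template is the post's cisco_template.j2 embedded as a string; the CSV rows are constructed in the same layout as the post's info.csv, with two deliberately bad rows. Rendering uses Jinja2's StrictUndefined so a variable the CSV does not supply raises an error instead of rendering as an empty string. The regexes for the routing-protocol and interface columns are assumptions about the formats the post's CSV uses.

```python
import csv
import io
import ipaddress
import re

# Constructed sample in the layout of the post's info.csv; rows 3 and 4 are deliberately bad
# (a hostname that would escape the output directory, and an invalid address).
SAMPLE_CSV = """router-bgd, 192.68.1.2, 2.2.2.2, ospf 1, 1/0/48
router-suly, 172.16.1.1, 1.1.1.1, ospf 1, 1/0/48
../evil, 10.0.0.1, 1.1.1.1, ospf 1, 1/0/48
rtr-erbil2, 10.0.0.300, 1.1.1.1, ospf 1, 1/0/48
"""

# The post's cisco_template.j2, embedded so the example runs without the file on disk.
TEMPLATE = """hostname {{ router_name }}
ntp server {{ ntp_ip }}
interface loopback 0
ip address {{ ip_address }} 255.255.255.255
router {{ routing_pro }}
int gig {{ int_number }}
"""

# Column order of info.csv mapped onto the variable names the template uses.
FIELDS = ("router_name", "ip_address", "ntp_ip", "routing_pro", "int_number")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}$")  # also keeps '/' and '..' out of the output filename
ROUTING_RE = re.compile(r"^(ospf|eigrp|bgp) \d+$")             # assumed format: "<protocol> <process-id>"
INTERFACE_RE = re.compile(r"^\d+/\d+/\d+$")                     # assumed format: slot/subslot/port


def parse_row(raw):
    """Map one CSV row onto the template variable names, stripping the spaces after each comma."""
    if len(raw) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(raw)}")
    return dict(zip(FIELDS, (cell.strip() for cell in raw)))


def validate(row):
    """Return the list of problems with a row; an empty list means it is safe to render and write."""
    problems = []
    if not HOSTNAME_RE.match(row["router_name"]):
        problems.append(f"router_name {row['router_name']!r} is not a valid hostname (it is also the output filename)")
    for key in ("ip_address", "ntp_ip"):
        try:
            ipaddress.IPv4Address(row[key])
        except ValueError:
            problems.append(f"{key} {row[key]!r} is not an IPv4 address")
    if not ROUTING_RE.match(row["routing_pro"]):
        problems.append(f"routing_pro {row['routing_pro']!r} is not '<protocol> <process-id>'")
    if not INTERFACE_RE.match(row["int_number"]):
        problems.append(f"int_number {row['int_number']!r} is not slot/subslot/port")
    return problems


def load_devices(csv_text):
    """Split the CSV into (rows ready to render, [(line number, problems)] for rows to fix by hand)."""
    good, bad = [], []
    for lineno, raw in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not raw:
            continue  # blank line
        try:
            row = parse_row(raw)
        except ValueError as exc:
            bad.append((lineno, [str(exc)]))
            continue
        problems = validate(row)
        if problems:
            bad.append((lineno, problems))
        else:
            good.append(row)
    return good, bad


def render_configs(rows, template_text=TEMPLATE):
    """Render one config per validated row; StrictUndefined turns a variable the CSV did not
    supply into an error instead of an empty string in the device config."""
    from jinja2 import Environment, StrictUndefined  # imported here so the CSV checks run without jinja2 installed
    template = Environment(undefined=StrictUndefined).from_string(template_text)
    return {row["router_name"]: template.render(**row) for row in rows}


if __name__ == "__main__":
    good, bad = load_devices(SAMPLE_CSV)
    for lineno, problems in bad:
        print(f"info.csv line {lineno} skipped: " + "; ".join(problems))
    for name, config in render_configs(good).items():
        with open(name + ".txt", "w") as fh:  # same output layout as the post's script
            fh.write(config)
        print(f"wrote {name}.txt")
```

Run it in routers_configs: the two valid rows become router-bgd.txt and router-suly.txt, and the two bad rows are reported with their line numbers instead of producing a config.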
you can copy these and iterate on whatever else you need. next, more Jinja templates will be added for specific parts of the config, for example a template for BGP configs only, OSPF only, or ACLs and prefix lists.


Hope this is helpful.






Friday, September 15, 2023

Automating Firewall Access with SSH Keys for Seamless Network Management

In this post we are going to talk about how to log in to the firewall using a public key generated on your Linux machine (network jump box). This is useful when you want to push scripts to the firewall without authenticating with a username and password each time. let's go:


1. generate the key:

samer@Samers-MacBook-Pro ~ % ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (/Users/samer/.ssh/id_rsa):

/Users/samer/.ssh/id_rsa already exists.

Overwrite (y/n)? y

Enter passphrase (empty for no passphrase): press enter

Enter same passphrase again: press enter 

Your identification has been saved in /Users/samer/.ssh/id_rsa

Your public key has been saved in /Users/samer/.ssh/id_rsa.pub


here you have created the key on your machine, and you can check it using the command $ls ~/.ssh/ which lists the generated keys in your hidden ssh directory.

samer@Samers-MacBook-Pro ~ % ls ~/.ssh
id_ed25519 id_ed25519.pub id_rsa id_rsa.pub known_hosts

now you need to copy the public key to the server, firewall or router you want to access, and you can do this using:

1. SCP, or ...

2. importing it on the firewall using the GUI.

in the GUI, press OK, then COMMIT.

now you can check access. the user we used to access the firewall was api; if you don't specify the user, the terminal will use your local username, which in this case is "samer", and authentication will fail. so we use the same user "api", and no password is prompted:
so the main idea here is that network automation is important, and it is recommended that you use a Linux machine as a jump box to run your scripts and code for automation and programming tasks.

so it is better to use SSH keys to log in to devices; this makes running automated tasks easier and does not require entering a username and password (for example, no need to input a password for netmiko while running a Python script).

running cron tasks will also be easier while access remains secure.
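Added example, not from the post: a small stdlib-only Python audit for the two things that most often go wrong with this setup, a private key or ~/.ssh directory that is readable by other users (ssh refuses such keys) and a private key stored without a passphrase, which is what pressing Enter at the ssh-keygen prompt produces. It also builds the ssh_config stanza that fixes the username mismatch described above, so `ssh fw-01` uses the user api and the intended key without typing them. The key file it audits is a constructed OpenSSH-format header with no real key material; fw-01, 10.0.0.1 and the key path are placeholders.

```python
import base64
import os
import stat
import struct
import tempfile


def ssh_config_stanza(alias, host, user, key_path):
    """~/.ssh/config entry so `ssh <alias>` uses the device account and key instead of the local login name."""
    return (
        f"Host {alias}\n"
        f"    HostName {host}\n"
        f"    User {user}\n"
        f"    IdentityFile {key_path}\n"
        f"    IdentitiesOnly yes\n"   # do not offer every key in the agent, only this one
    )


def _read_string(blob, offset):
    """OpenSSH 'string' encoding: 4-byte big-endian length followed by the bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def private_key_cipher(pem_text):
    """Return the cipher name recorded in an OpenSSH-format private key; 'none' means no passphrase."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("bad magic bytes")
    cipher, _ = _read_string(blob, len(magic))   # ciphername is the first field after the magic
    return cipher.decode()


def build_sample_key(cipher):
    """Constructed stand-in for a key file: only the header fields the check reads, no key material."""
    body = (b"openssh-key-v1\x00"
            + struct.pack(">I", len(cipher)) + cipher.encode()   # ciphername
            + struct.pack(">I", 4) + b"none")                    # kdfname
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def audit_ssh_dir(path):
    """Return findings for an ssh directory: too-open directory, too-open private keys, keys without a passphrase."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"{path}: directory mode {mode:o}, expected 700")
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if name.endswith(".pub") or name in ("known_hosts", "config", "authorized_keys") or not os.path.isfile(full):
            continue
        mode = stat.S_IMODE(os.stat(full).st_mode)
        if mode & 0o077:
            findings.append(f"{full}: key mode {mode:o}, ssh will refuse it (expected 600)")
        with open(full, errors="replace") as fh:
            text = fh.read()
        if text.startswith("-----BEGIN OPENSSH PRIVATE KEY-----"):
            try:
                if private_key_cipher(text) == "none":
                    findings.append(f"{full}: private key has no passphrase")
            except ValueError as exc:
                findings.append(f"{full}: unreadable key ({exc})")
    return findings


def demo():
    """Build a throwaway ~/.ssh look-alike with a world-readable, passphrase-less key and audit it."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o700)
        key = os.path.join(d, "id_ed25519")
        with open(key, "w") as fh:
            fh.write(build_sample_key("none"))
        os.chmod(key, 0o644)
        return audit_ssh_dir(d)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    print(ssh_config_stanza("fw-01", "10.0.0.1", "api", "~/.ssh/id_ed25519"))
    # to audit the real directory instead: audit_ssh_dir(os.path.expanduser("~/.ssh"))
```

A passphrase-protected key still works for cron and netmiko scripts once it is loaded into ssh-agent for the session, so the convenience the post describes does not require leaving the key unencrypted on the jump box.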


hope this was helpful.





Thursday, September 14, 2023

How to change Cisco FTD Command Line from ">" to the classic command line of Cisco ASA?

This is going to be a very short post.

simply, when you log in to the FTD and see the command prompt as ">", issue the following command:

> system support diagnostic-cli


after this, you will be switched to the classic command prompt of the Cisco ASA.



How to show Aruba Pre-shared key or PSK password?

Case: you forgot the password you configured on an SSID that is already used by many users, and you don't want to do a password reset, which might impact the user experience.


steps:

1. log in to the CLI on the Aruba WLC using SSH.

2. enter configure mode.

3. use the command: #encrypt disable

4. issue the command #show running-config

5. use the pipe and include option to filter the config output

or use the following:

#show wlan ssid-profile remote


Wednesday, January 5, 2022

Network Engineering and Automation Questions for review or prepare for Interview


Hello everyone,

As you know, many of us study and struggle a lot to reach the level where we can call ourselves Network Engineers. however, studying and learning is not enough, because we forget what we studied after a while if we don't use it, and while trying to learn new things and stay up to date, landing new jobs requires staying fresh on many networking topics.

you might be a great network engineer, but you will not get the job based on incomplete answers about topics you already know but forgot how to talk about or explain in an interview.

I was thinking of making Anki flashcards for Network Engineers who want to apply for a job or review networking topics, so I started working on this, and the link below contains the file, which I will continue to update and re-upload on a daily or weekly basis.

https://drive.google.com/file/d/1wboDLmZeL1DL_onoDCpt05Pc_7wBq79s/view?usp=sharing


This file contains the following topics:

1. BGP

2. OSPF

3. Network Automation

4. Devops

5. MPLS

6. TCP

7. EIGRP


you can download it and then open it with the Anki software on your computer.

Anki software > https://apps.ankiweb.net/


I hope you benefit from it. 


Samer.


Friday, November 5, 2021

Ansible Another Step Into Network Automation

What is Ansible?

Ansible is a network automation tool; it works with YAML to push configs to, or get configs from, a network device or a group of devices or hosts.

Ansible works over SSH, which means you need to have NETMIKO or PARAMIKO installed along with your Python in order for Ansible code to work.

how to install Ansible?

simply by typing this command into your terminal (Linux or Mac): $pip install ansible

you can then check your installed version using the command $ansible --version

Since we already mentioned that Ansible works with YAML as its data modeling language, we need to install YAML support as well, which you can do with:

$pip install PyYAML

the link below has more documentation about YAML:

https://pypi.org/project/PyYAML/


NOTE: you might face a problem while trying to run Ansible code because of the SSH host keys between your computer and the network device/host you are trying to connect to; this causes a host key error when Ansible opens the SSH session.
there is a workaround for this by adding a setting to the ansible.cfg file, as below:

you can open a file and name it as ansible.cfg with nano

$nano ansible.cfg

then add

[defaults]

host_key_checking = false


save the file and run your ansible code again.
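The weak setting beside an alternative, as an added example that is not from the post: with host_key_checking = false, Ansible accepts whatever host key the device presents, so the SSH session no longer detects a device whose key has changed or a host answering in its place. The alternative keeps checking on and records the device's key in known_hosts once, after its fingerprint has been compared with the one shown on the device itself. The host 10.211.10.36 is the one from the post; the inventory filename is the post's hosts file.

```ini
; ansible.cfg as in the post: silences the host-key error by trusting any key the device presents
[defaults]
host_key_checking = false

; --- alternative ansible.cfg (added here): keep the check and seed known_hosts once ---
; before the first run, from the jump box:
;   ssh-keyscan -H 10.211.10.36 >> ~/.ssh/known_hosts
;   ssh-keygen -l -f ~/.ssh/known_hosts        ; compare the fingerprint with the device's own
[defaults]
inventory = hosts
host_key_checking = true
```

With the second file in place the playbook runs exactly as described below, and a later change of the device's key fails the run instead of passing silently.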


Ok, now on to writing simple Ansible code to get facts from a Cisco IOS device.

1. in order to do that, you need a list of hosts (the inventory file) configured, and it will be created in the same directory that I will be creating my Ansible code from, which is:

samer@Samers-MacBook-Pro ansibleproject % pwd

/Users/samer/Documents/ansibleproject

[cisco] is the group of devices/hosts, so you can list your hosts below it just like I'm listing (10.211.10.36) here for my testing.

[cisco:vars], as you can see, holds the other information such as the OS, username and password of the devices/hosts listed in the group cisco above.

Ok, now let us create the Ansible code, which means creating a file that I named test.yml, in YAML format.
as you can see, the file starts with (---)

then (-) name, the group of hosts, the connection type (SSH), then the tasks that Ansible will run on the host (tasks:)

NOTE: whitespace is really important, and you will face problems running the code if you don't have the correct spacing.

example of an error caused by a missing space:
Ok, so our Ansible task will be to get the software version of the host (10.211.10.36), and this is done with the last task, named "VIEW OS VERSION", which has the var: ansible_net_version

how to run the code now?

$ansible-playbook -i hosts testing.yml

Of course my terminal is already inside the same directory; if your path is not in the same directory then you need to add the full path for the files.

(-i) here means inventory: run Ansible against the inventory in the path hosts, and the playbook file is testing.yml

ansible will check the hosts/groups in the file called hosts and use the login information in the [cisco:vars] section to log in to the host using SSH (NETMIKO/PARAMIKO).

once you fix all of the whitespace issues and run the code, you should get the following output:

The green screen! OK=1 and failed=0.
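The two files the screenshots above showed, as an added example reconstructed from the post's description rather than copied from it: the inventory written in YAML (the post's hosts file was INI-style with [cisco] and [cisco:vars]) and the playbook. The module and connection names are the collection-qualified ones from the cisco.ios and ansible.netcommon collections that the linked Ansible documentation uses; the first task's name is mine, the second is the post's "VIEW OS VERSION"; the password is a vault variable placeholder instead of a clear-text value in the inventory.

```yaml
# inventory.yml  (added example; replaces the INI-style hosts file from the post)
cisco:
  hosts:
    10.211.10.36:
  vars:
    ansible_network_os: cisco.ios.ios
    ansible_user: samer
    # keep the password out of the inventory: vault_cisco_password lives in vault.yml,
    # encrypted with ansible-vault and loaded by the playbook below
    ansible_password: "{{ vault_cisco_password }}"

---
# testing.yml  (added example; structure as the post describes: name, hosts, connection, tasks)
- name: Get the IOS version from the cisco group
  hosts: cisco
  connection: ansible.netcommon.network_cli
  gather_facts: false
  vars_files:
    - vault.yml          # created with: ansible-vault create vault.yml
  tasks:
    - name: COLLECT FACTS
      cisco.ios.ios_facts:
        gather_subset: min

    - name: VIEW OS VERSION
      ansible.builtin.debug:
        var: ansible_net_version
```

Run it with $ansible-playbook -i inventory.yml testing.yml --ask-vault-pass; the debug task prints ansible_net_version for 10.211.10.36 and the recap should again show ok=2 failed=0.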


Note, you can use an ad-hoc Ansible command to push quick commands and do things fast on one host, using the following format:

$ansible 10.211.10.36 -m raw -a "show version" -u samer -k

where -k means prompt for the password.

this is my introduction to Ansible for network automation.


good resources can be found here:

https://developer.cisco.com/startnow/

https://docs.ansible.com/ansible/latest/collections/cisco/ios/ios_command_module.html#examples

https://learningnetwork.cisco.com/s/question/0D53i00000mt0ZGCAY/mastering-ansible-for-the-devnet-associate-exam-derek-winchester




I hope this was useful.

Samer R. Saleem



