NETCONF, ncclient and Network Automation

I my last blog post I had discussed various network management protocols and promised that I will try to experiment with ncclient. ncclient is a Python library you need as a NETCONF client to communicate with a NETCONF server in this instance it will be an instance of Cisco CSR1000v.

The whole process is very straight forward.. in brief

  1. A Ubuntu Server instance ( could also be a Windows server/Workstation)
  2. Python install and configured (all instances of Ubuntu server have Python installed by default)
  3. ncclient installed and configured
  4.  NETCONF enabled on network device (HP, Cisco, Juniper and other supported)

My not so beefy laptop (8GB RAM and intel i5) but powerful enough to run VMware WorkStation with Ubuntu Server and Cisco CSR1000v instance

CSR1000V  VMware Workstation Settings

Capture

The Network Adapter corresponds to the GigabitEthernet1 Interface on the router

interface GigabitEthernet1
ip address 192.168.75.1 255.255.255.0
negotiation auto

Enable SSH and NETCONF access on the router

TEST_CSR#conf t
TEST_CSR(config)# ip ssh rsa keypair-name sshkeys
TEST_CSR(config)# crypto key generate rsa usage-keys label sshkeys modulus 1024
TEST_CSR(config)# ip ssh timeout 120
TEST_CSR(config)# ip ssh version 2


TEST_CSR(config)# netconf ssh

Ubuntu server NIC interface configured with an address of 192.168.75.128/24.

Ping 192.168.75.1 from the server – Success !!!

The next item on the agenda was to set up the ncclient.  Please follow the well explained instructions documented here.  Thanks for your help guys.

Cisco CSR1000v, and ncclient setup completed…

Get Device Config

>>> cisco_manager = manager.connect(host='192.168.75.1',
... port=22,
... username='cisco',
... password='cisco',
... hostkey_verify=False,
... device_params={'name': 'csr'},
... allow_agent=False,
... look_for_keys=False
... )

Connection established.

RPC call requesting running configuration

>>> c = cisco_manager.get_config(source='running')

Print output on terminal console

>>> c

<?xml version=”1.0″ encoding=”UTF-8″?><rpc-reply message-id=”urn:uuid:e147c6d6-cebf-11e5-afac-000c29e6c046″ xmlns=”urn:ietf:params:netconf:base:1.0″>

! Last configuration change at 23:55:29 UTC Mon Feb 8 2016
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname TEST_CSR
!
boot-start-marker
boot-end-marker

…..truncated

</cli-config-data-block></data></rpc-reply>

 

Small step hopefully in right direction.. I will try few other NETCONF options .. stay tuned.

@hkdaiya

 

Linux IP clustering with ucarp

A quick way to configure a cluster / failover address between two (or more) Ubuntu / Linux servers.

Install the ucarp package (I originally looked at using VRRP, however noted PFSense used ucarp so gave that a try and stuck with it) :

sudo apt-get install ucarp

edit /etc/network/interfaces:

auto eth0
iface eth0 inet static
address 10.10.10.2
netmask 255.255.255.0
network 10.10.10.0
broadcast 10.10.10.255
gateway 10.10.10.254
dns-nameservers 8.8.8.8

# UCARP cluster IP config
ucarp-vid 101
ucarp-vip 10.10.10.1
ucarp-password YOUR-PASSWORD
ucarp-advskew 10
ucarp-advbase 1
ucarp-master no

iface eth0:ucarp inet static
address 10.10.10.1
netmask 255.255.255.0

Physical cable test on a Cisco switch

Here’s how to run a TDR (Time Domain Reflection) cable test on a Cisco Catalyst switch.

This should work on the 2960, 3750 and 4500 range as far as I’m aware.

To run the test :

switch# test cable-diagnostics tdr interface gig 1/0/1
 TDR test started on interface Gi1/0/1
 A TDR test can take a few seconds to run on an interface
 Use 'show cable-diagnostics tdr' to read the TDR results.

Results from a normal cable run look like this :

switch# show cable-diagnostics tdr int gig 1/0/2
Interface Speed Local pair Pair length Remote pair Pair status
--------- ----- ---------- ------------------ ----------- --------------------
Gi1/0/2  1000M Pair A 64 +/- 10 meters Pair B Normal
               Pair B 64 +/- 10 meters Pair A Normal
               Pair C 64 +/- 10 meters Pair D Normal
               Pair D 64 +/- 10 meters Pair C Normal

And from a faulty cable run something like this :

switch# show cable-diagnostics tdr int gig 1/0/1
 Interface Speed Local pair Pair length Remote pair Pair status
 --------- ----- ---------- ------------------ ----------- --------------------
 Gi1/0/1 auto Pair A 0 +/- 10 meters N/A Open
              Pair B 0 +/- 10 meters N/A Short/Crosstalk
              Pair C 1 +/- 10 meters N/A Short/Crosstalk
              Pair D 63 +/- 10 meters N/A Open

Read more here : https://supportforums.cisco.com/blog/9913546/switch-how-test-cable-status

 

Cisco 3G router basic config

Here is the basis of a Cisco 3G router config, from an 887VAG. Includes the common UK carrier APN settings.

O2 contract :
cellular 0 gsm profile create 1 mobile.o2.co.uk

O2 PayG :
cellular 0 gsm profile create 1 payandgo.o2.co.uk

Vodafone contract :
cellular 0 gsm profile create 1 internet

Three PayG :
cellular 0 gsm profile create 1 three.co.uk

Lebara PayG :
cellular 0 gsm profile create 1 uk.lebara.mobi

General config

chat-script gsm "" "AT!SCACT=1,1" TIMEOUT 60 "OK"

interface Cellular0
ip address negotiated
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string gsm
dialer-group 1
async mode interactive

dialer-list 1 protocol ip permit

ip route 0.0.0.0 0.0.0.0 cellular 0

EEM Script to shut / no shut ATM interface automatically

Tired of DSL lines mysteriously dropping I knocked together this EEM script to bounce the ATM interface on a Cisco router if it has been down for 1 minute. Known affectionately as the “ATM brown trousers” script 🙂

This is a dirty hack, but sometimes needs must, especially when you’re at the end of a long DSL line that just never settles.

track 1 interface ATM0 line-protocol
delay down 60 up 5

event manager applet atm0-down
event track 1 state down
action 1.0 syslog msg “%ATM-BRWNTRSRS: Interface ATM 0 failed, reset via EEM.”
action 1.1 cli command “enable”
action 1.2 cli command “conf t”
action 1.3 cli command “interface atm 0”
action 1.4 cli command “shut”
action 1.5 wait 5
action 1.6 cli command “no shut”
action 1.7 cli command “end”
action 1.8 syslog msg “EEM script complete”
action 1.9 wait 60
action 2.0 snmp-trap strdata “%ATM-BRWNTRSRS: Interface ATM 0 failed, reset via EEM.”

HOWTO: Prime a Cisco lightweight (CAPWAP) access point

Quick note on how to pre-configure the IP, subnet, gateway and controller IP address on a CAPWAP access point – a 3602 joining a Cisco 5508 WLC in this case.

Handy when you’re sending out a replacement AP and that’s statically addressed with no sign of a DHCP server. Saves temporarily configuring one on the WLC.

Console in, enable password is Cisco

No need to ‘conf t’ just drop these in at the prompt

capwap ap ip address <IP> <mask>

capwap ap ip default-gateway <GW IP>

capwap ap controller ip address <Controller IP>

Network Address Translation – NAT explained

Like it or not, NAT has been with us for some time and is unlikely to go anywhere in the near future, at least not until IPv6 becomes mainstream and even then it will be a slow process.

NAT typically comes in three flavours. Static, dynamic and overloading.

Static NAT can be found where a direct mapping between between addresses is necessary. An example would be where overlapping address space is an issue, typically when companies networks’ merge or a VPN link is required for remote support.

In the example below, traffic inbound to fa0/0 exiting fa0/1 from the host 10.0.0.10 would be translated and will arrive at the destination with a source address of 192.168.1.10. When the return traffic crosses the router, packets will be destined for 192.168.1.10 and then re-addressed and forwarded to the original host at 10.0.0.10. The same applies to traffic on the inbound direction. This is also known as a 1:1 NAT mapping.

Configuration example:

interface fa0/0
ip nat inside
ip address 10.0.0.1 255.255.255.0

interface fa0/1
ip nat outside
ip address 192.168.1.1 255.255.255.0

ip nat inside source static 10.0.0.10 192.168.1.10

Dynamic NAT can provide a pool of address space where no bi-directional static relationship is required between hosts. For example, where a sufficient range of publicly routable addresses are available to service internal hosts requesting resources from the Internet, a dynamic translation may be configured on a border router to service outbound requests from local hosts. This method is becoming less common due to rapid depletion of IPv4 public address space.

In the example below traffic from the 10.0.0.0/24 network will be dynamically assigned an address between 192.168.1.10 to 192.168.1.19 when crossing the router outbound. Return traffic will be translated back, depending on the outbound address translation. You may notice that only 10 addresses are available in the translation pool, once all ten addresses are assigned the NAT pool will be exhausted and any further translations will fail. It is also worth noting this method will only work where traffic is initiated outbound, since until this point no translation will exist in the router’s NAT table.

Configuration example:

interface fa0/0
ip nat inside
ip address 10.0.0.1 255.255.255.0

interface fa0/1
ip nat outside
ip address 192.168.1.1 255.255.255.0

access-list 1 permit 10.0.0.0 0.0.0.255

ip nat pool NATPOOL 192.168.1.10 192.168.19 prefix-length 24
ip nat inside source list 1 pool NATPOOL

Overloading NAT is most commonly used, especially in the home environment where one public IP address is shared between several hosts on the internal LAN. Overloading, or PAT (Port Address Translation) works in a similar way to dynamic NAT. However, instead of translating internal to external IP addresses the router builds a dynamic mapping of source and destination address / port pairs for each connection. These mappings allow the router to map individual connections to internal hosts using only one external IP address, typically this address is publicly routable.

In the configuration example below, a single public IP address is assigned to fa0/1 which will be used to service outbound requests from the internal network on fa0/0. The router will record the source address and port numbers of connections initiated from internal hosts, packets will then be assigned a the external IP address and a port number chosen by the router’s NAT process. A table will be built mapping inside source address / port pairs to the outside source address / port pair and traffic will be forwarded to the remote host with a source address of that on fa0/1. The return traffic will be translated to the relevant internal host using the NAT mapping table as it crosses the router.

Configuration example:

interface fa0/0
ip nat inside
ip address 10.0.0.1 255.255.255.0

interface fa0/1
ip nat outside
ip address 178.79.134.87 255.255.255.248

access-list 123 permit ip 10.0.0.0 0.0.0.255 any

ip nat inside source list 123 destination interface fa0/1 overload

That’s about it for a basic introduction, in my next post I will cover NAT timeouts and overlapping NAT.

 

Cisco PPP ADSL config – UK ISP

Some standard config for UK ADSL using a Cisco router, again from an 1800. Remember to add NAT config and inbound access control if required.


interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer0
bandwidth [X]
bandwidth receive [X]
ip address negotiated
ip flow ingress
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname [username]
ppp chap password 0 [password]
ppp ipcp route default
end