Exploding Juniper Devices with NAPALM

In this multi-posts series, We will deep dive into Juniper network automation and how to automate both configuration and operation for Juniper devices using different tools available such as PyEZ, NAPALM and Ansible.

if you missed the first part, Building Basic Configuration using Jinja2 Template, Please Read it first to understand the network topology that we will work on it and generate the initial configuration.

Intro to NAPALM

in this part, we will explore a python library called N.A.P.A.L.M. This is a shortcut for Network Automation and Programmability Abstraction Layer with Multi-vendor Support. It’s vendor neutral, cross-platform open source project that provides a unified API to network devices.

Multi-Vendor?! How?

NAPALM works such that it connect to network devices through SSH interface or using vendor API (API of course is much easier to execute and parse) and execute commands directly on device CLI then parse the output using TextFSM modules and regular expressions to return the final output to use in structured format (lists and dictionaries) so you could basically use the same NAPALM getters methods(get_bgp, get_interfaces,get_mac_address…etc) to connect to devices from different vendors and get the output without even knowing the vendor command.

Moreover, The returned output will be in structured format so you can easily parse it and get the needed data. This allow you to have a unified access to data from all supported vendors with a few lines of codes

Our Use Cases

I’ll implement three use cases using NAPALM. First one is to get the interfaces TX/RX Errors and discards and print it in tabular format

1

Then I want to get summarized information for specific route like the next-hop, outgoing interface and protocol that advertise this route

1

Finally I want to generate compliance report for the running configuration

Note: I’ll upload all scripts to my GitHub repo

“Talk is Cheap, Show me the code”  Linus Torvalds

NAPALM Installation

Step 1

we will start first by installing the napalm module in python using PIP like what we did before in netmiko

pip install napalm

 

Step 2

Then we will import the get_network_driver from the installed napalm module. This method should be inatalized with vendor name as an input in order to prepare the proper configuration for each vendor and use the correct API

from napalm import get_network_driver
junos_driver = get_network_driver("junos")

Step 3

Finally we should provide the username and password for the device that we want to connect

mx_router = junos_driver(hostname=ip,username="root",
                         password="access123")
mx_router.open()

At this moment, The NAPALM will open session to the router and we will have the ability to run multiple getters and return the data. Lets try something simple like get_facts(). This method provide a general information about the device like the hostname, number of interfaces, running version and so on. I’ll create for loop to iterate over all devices in the topology and get the same information

1

Note that I’m checking the device is reachable and live before getting the data from it. The result of is_alive() function is either True or False so I could use it inside if statement

1

Note that the output is structured and actually a result of many executed commands and API calls to juniper device (like “show interface terse” , “show system uptime”, “show chassis hardware detail “). This allow you to focus on development not on finding and parsing the data returned from the device.

Use Case 1: Getting interfaces with errors

Ok, Now let’s implement our first use case. As mentioned, I want to get the Rx/Tx errors per interface in Tabular format. this could be used along with some scheduled jobs to generate nicely looking reports or even trigger an event like sending email or orchestrating another configuration and so on.

I’ll use additional module called “prettytable” that generate the take care of Table format like headers, rows, spacing

First I will ask user to enter the MX IP address as an argument to my script

2

Then I will create two tables with headers using the “prettytable” module. One that hold the Rx/Tx errors and the 2nd for Tx/Rx Discards (you can also create for unicast, multicast,..etc)

2

Finally I’m connecting to device and query the infromation and just selecting the data that I want from the returned output then populate the table with them. I’m using “get_interfaces_counters()” to get the  needed data and also “get_interfaces()” to get the MAC address for each interface

2

Result

1

Use Case 2: Searching in[et0] Routing Table

The second use case is to parse the device routing table and search for specific route attributes. This is useful when you’re troubleshooting large network and want to get a summarized view for a route. Also you can use it to visualize the control plane for the routing table (but this will require some additional modules like matplotlib and networkx).

Anyways, we just need to print the next-hop, protocol and outgoing interface for the provided route. I’ll use the same script above but this time I’ll use another method called “get_route_to()

First I will add also another argument for the route

2

Then I will parse the returned output and search only for the needed attributes.

2

Two things worth to mention. First I wrapped the above code in “try..except” block to catch a case where the route is not exist on a target device. so instead of printeing ugly exception, I will print a custom message. Second, I choosed the first learned path “[0]”. You could enhance the script by getting the length of all route entries and iterate over it. but for sake of bevrity, I just choosed the first occurance.

 Result1

Use Case 3: Compliance Reporting

Our final use case is quite interesting! and it’s related to auditing and compliance stuff. Assume that I want to make sure a specific configuration exist in all my network devices such as TACACS servers, default routes and SNMP communities. or I want to make sure all my devices are running on a specific vendor OS version and so on

NAPALM has a cool feature that allow you to compare the returned information (either operational or in configuration) with a YAML template and if there’s a deviation from the template, it will mention that in the final report. You can check & compare ANY value that returned from device whether it’s IP addresses, interface counters, bgp peer status, OS version..etc

Moreover, You can check if a specific item is just exist regardless it’s value. for example you can check if the router-id is configured, local ASN, ipv4 on specific interface. This what we will do exactly next.

First I will define my YAML template with all values that need to verified and checked against the values inside the device

2

in the above template, I’m verifiying 4 things:

1- JunOS version is “14.1R1.10”

2- There’s IP address configured under ge-0/0/0.0
3-Device has an active BGP connection and peering

4- A router-id is configured under bgp_neighbors

So I’m basically checking both operational and configuration data.

Then I will use compliance_report() function and provide the YAML file created in previous step to check

2

The result will be also structured and will indicate which parts from the template are complied and which are not

2.png

 

Outro

The network automation is evolving rapidly!. Previously we just had PExpect and Paramiko modules that just establish a connection then execpt & read_until specific output. Now, we have a solid modules that able to handle different vendors and return a structured output in such a way that make network engineer/developer focus on building robust network automation solution & open a door for other modules that automate the daily operation tasks for network engineer.

I hope this been informative for you and I’d like to thank you for reading

signature_thumb1

Advertisements

Juniper MX BRAS – Part 3

As you notice from previous configuration. We have to configure the unit 1 with static VLAN (800) to create only ONE SUBSCRIBER INTERFACE . However in real world scenario this not necessarily the case. we need to make MX check the incoming vlan id from DSLAM and handle the creation of both VLANS and Units that hold the PPPoE sessions. BTW, Here’s a golden rule. One Vlan per Unit!

clip_image001

 

You can find below the interface structure in dynamic configuration. The physical interface is ae(Active Ethernet) and beneath it the auto-configure command that “instantiate” the VLAN and SVLAN from dynamic-profile

image

Read More »

Juniper MX BRAS – Part 2

In this post I will continue to deep dive into the Juniper MX configuration and tweak it to work as a BRAS. Please refer to my previous blog post for more information on PPP protocol Stack

Let’s start

to configure MX as a BRAS,  The Following configuration is needed on BRAS

Basics Configuration

  • Interface creation –>configuration inside dynamic profile
    • Vlan Interface
    • PPP Interface
  • PPP Handling(PAP) –>configuration inside dynamic profile
  • Creating loopback
  • Radius Authentication – – >configuration inside access-profile
  • Radius Accounting – – >configuration inside access-profile
  • Address Assignment – – >configuration inside access-profileService and speed allocation

Advanced(Optional)

  • Advanced QoS
  • Change Of Authorization
  • Captive portal/redirection configuration
  • Wholesale

Read More »

Juniper MX BRAS – Part 1

 

In last few weeks, I Spent most of my time working on Juniper MX and try to evaluate it as a BRAS. Previously I was working on Juniper E Series Broadband routers and now some of my customers need to move to the new MX especially after EOL announcement of E series platform. So let’s start

 

Part 1: Introduction To PPP Protocol

Part2: Juniper Mx BRAS Configuration

Part3: Juniper Steel-Belted Radius Configuration

Part4: Final Thoughts and wrapping up!

 

First Here’s my topology that I will work on it

image

 

Nodes Name and Function

Node Name

Platform

PPPoE_Client Windows 7 with PPPoE Interface
PPPoE_server Juniper vMX router working as BRAS and with SM license installed on it RE14.1
AAA Juniper Steel-Belted Radius (SBR)
LDAP Any Open source LDAP , OpenLdap is OK

 

Read More »

Understanding Juniper Steel-Belted Radius(SBR) Attributes

Radius attribute is one of the core part in radius protocol. it allow you to shape and control the subscriber behavior and give BRAS the ability to assign correct services to subscriber and information like routing, IP Address, VRF and other important info. Below I will illustrate type of attributes

1-Attribute without specific value (to be provided by Administrator)

image

Here you should provide value to this attribute. other examples are Framed-IP-Address, Service-Info, Framed-Routing..etc

 

Read More »

How to add new vendor to Juniper Steel-Belted Radius (SBR)

0-Head to /opt/JNPRsbr/radius

1-Add the vendor definition in vendor.ini inside radius directory

clip_image001

-note the dictionary name and the “send-class-attribute” either set to yes or no

-if you’ve multiple products for same vendor, then you need to write multiple instances for the previous section and make it point to same dictionary file.

2-Create a new file (<VendorName>.dct) inside radius directory and define the required attributes (first thing is to include the radius.dct dictionary)

clip_image002

3-Include the vendor name inside dictiona.dcm file

clip_image003

4-restart the SBR and check for any errors appear in logs

How Does it work?

Dictionary files must be placed in the same directory as the Steel-Belted Radius Carrier daemon. During initialization, Steel-Belted Radius Carrier reads the file dictiona.dcm in the server directory to get a list of files with an extension of .dct (standard dictionary files) and uses the list to create a “master dictionary, which includes all known attributes.

Monitoring Juniper Steel-Belted Radius (SBR)

    Introduction

    Proactive monitoring of an important service like AAA is a mandatory task for any ISP. it allow you get insight reports on what’s going on in your network. You can get valuable information on subscriber behavior, Subscriber Management IP allocations beside it show you (with a little tweaking and scripts) number of online sessions.

    Connecting that with DPI monitoring will allow you to get nearly complete picture on Subscriber Management Network

Read More »