Network Automation with Juniper

stephen Network Automation

I know a bit about networking – IP addresses, different layers, HTTP, DNS, ethernet cables, default gateway, routers, switches, TCP/UDP and DHCP. However, this is mainly from a home network perspective.

Getting into bigger and more advanced networking – I don’t know my arse from my elbow.

I do know quite a bit of stuff from server to application though and the automating of deploys, continuious integration and continuous delivery. At work they use Juniper MX routers, so I wanted to see what I could do with Juniper:

I found this post…get started with Junos quickly

So you can get a Juniper switch running locally on your pc with vqfx10k-vagrant

So now I have a juniper switch up and running in vagrant on my pc, a virtual instance of the switches below.

 

juniper-qf-switches
Juniper QF Switches

The next step is exploring the junOS cli with this Juniper Day One Book

JunOS CLI

The next thing to look at is the Junos CLI.

In operation mode – you are managing and monitoring device operations

junos-cli-operational-command-tree

Then there is configuration mode – where you configure the device and its interfaces – including access, interfaces, protocols, security services and system hardware.

junos-configuration-mode-command-treeLogging In

Oftentimes: routers, switches, security devices are on a subnet behind a gateway that prevents unauthorized access to these devices.

telnet gatewayserver

then log into the device

telnet routername

The operation command prompt is: >
The configuration command prompt is: #

To go into configuration mode, type:configure

Exit configuration mode with exit

Abreviations are autompleted, eg sh int

To view possible commands type: ?

  • show `?`
  • ping `?`
  • traceroute `?`

Use help apropos <command> when you remember some of the command but not the whole thing

You can also pipe commands, example storing support info to a file:


vagrant@vqfx-re> request support information | save support_file.txt 
Wrote 6929 lines of output to 'support_file.txt'

To check available commands with a pipe:


vagrant@vqfx-re> show interfaces | ?
Possible completions:
  append               Append output text to file
  count                Count occurrences
  display              Show additional kinds of information
  except               Show only text that does not match a pattern
  find                 Search for first occurrence of pattern
  hold                 Hold text without exiting the --More-- prompt
  last                 Display end of output only
  match                Show only text that matches a pattern
  no-more              Don't paginate output
  refresh              Refresh a continuous display of the command
  request              Make system-level requests
  resolve              Resolve IP addresses
  save                 Save output text to file
  tee                  Write to standard output and file
  trim                 Trim specified number of columns from start of line

Multiple pipes are seen as a logical AND

Remember a C Shell is % and a bournce shell prompt is $

In operation mode you can start a shell with : start shell

In configuration mode you start the shell with: run start shell or run start shell sh

Operational mode:


vagrant@vqfx-re> ?                    
Possible completions:
  clear                Clear information in the system
  configure            Manipulate software configuration information
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  monitor              Show real-time debugging information
  mtrace               Trace multicast path from source to receiver
  op                   Invoke an operation script
  ping                 Ping remote target
  quit                 Exit the management session
  request              Make system-level requests
  restart              Restart software process
  save                 Save information to file
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  ssh                  Start secure shell on another host
  start                Start shell
  telnet               Telnet to another host
  test                 Perform diagnostic debugging
  traceroute           Trace route to remote host

Showing device status:


vagrant@vqfx-re> show ?  
Possible completions:
  access-cac           Show access cac under enhanced-broadband-edge
  access-security      Show access security information
  accounting           Show accounting profiles and records
  agent                Show SDN agent information
  analytics            Show Analytics information
  app-engine           Show App-engine information
  arp                  Show system Address Resolution Protocol table entries
  as-path              Show table of known autonomous system paths
  authentication-whitelist  Show 802.1X White List MAC addresses
  auto-bandwidth       Show auto-bandwidth information
  auto-configuration   Show auto-configuration
  backup-selection     Show backup selection policies information
  bfd                  Show Bidirectional Forwarding Detection information
  bgp                  Show Border Gateway Protocol information
  captive-portal       Show captive portal information
  chassis              Show chassis information
  class-of-service     Show class-of-service (CoS) information
  cli                  Show command-line interface settings
  configuration        Show current configuration
  connections          Show circuit cross-connect connections
  database-replication  Show database replication information
  dcbx                 Show DCBX protocol information
  ddos-protection      Show DDOS information
  dhcp                 Show Dynamic Host Configuration Protocol information
  dhcp-security        Show DHCP access security information
  dhcpv6               Show Dynamic Host Configuration Protocol v6 information
  diagnostics          Show diagnostics information
  diameter             Show diameter information
  dot1x                Show 802.1X information
  dynamic-profile      Show dynamic profile information
  dynamic-tunnels      Show dynamic tunnel information information
  ephemeral-configuration  Show ephemeral configuration
  ethernet-switching   Show ethernet switching information
  event-options        Show event-options information
  evpn                 Show EVPN information
  extension-service    Extension service information
  firewall             Show firewall information
  forwarding-options   Show forwarding-options information
  helper               Show port-forwarding helper information
  hfrr                 Show information related to Host (Direct route) Fast reroute
  host                 Show hostname information from domain name server
  iccp                 Show Inter Chassis Control Protocol information
  igmp                 Show Internet Group Management Protocol information
  ike                  Show Internet Key Exchange information
  ilmi                 Show interim local management interface information
  ingress-replication  Show Ingress-Replication tunnel information
  interfaces           Show interface information
  ipsec                Show IP Security information
  ipv6                 Show IP version 6 information
  isis                 Show Intermediate System-to-Intermediate System information
  jdaf                 Show JDAF information
  l2circuit            Show Layer 2 circuit information
  l2cpd                Show l2cpd information
  l2vpn                Show Layer 2 VPN information
  lacp                 Show Link Aggregation Control Protocol information
  ldp                  Show Label Distribution Protocol information
  link-management      Show link management information
  lldp                 Show Link Layer Discovery Protocol information
  log                  Show contents of log file
  loop-detect          Show loop detect information
  mac-refresh          Display mac-refresh is enabled on interface or not
  mac-rewrite          Show layer 2 protocol tunneling information
  mld                  Show multicast listener discovery information
  mpls                 Show mpls information
  msdp                 Show Multicast Source Discovery Protocol information
  multi-chassis                         
  multicast            Show multicast information
  mvpn                 Show Multicast Virtual Private Network (MVPN) information
  mvrp                 Show MVRP Protocol information
  network-access       Show network-access related information
  nonstop-routing      Show nonstop routing information
  ntp                  Show Network Time Protocol information
  oam                  Show OAM-related information
  ospf                 Show Open Shortest Path First information
  ospf3                Show Open Shortest Path First version 3 information
  ovsdb                Show Virtual-Tunnel End-point gateway information
  path-computation-client  Show Path Computation Client information
  performance-monitoring  Show performance monitoring statistics
  pfe                  Show Packet Forwarding Engine information
  pim                  Show Protocol Independent Multicast information
  policer              Show interface policer counters and information
  policy               Show policy information
  programmable-rpd     Show RPD Server information
  protection-group     Show protection group information
  ptp                  Show Precision Time Protocol (IEEE 1588) information
  redundant-trunk-group  Show redundant trunk group information
  rip                  Show Routing Information Protocol information
  ripng                Show Routing Information Protocol for IPv6 information
  route                Show routing table information
  rsvp                 Show Resource Reservation Protocol information
  sap                  Show Session Announcement Protocol information
  security             Show security information
  services             Show services information
  sflow                Show sFlow information
  shmlog               Show log information
  snmp                 Show Simple Network Management Protocol information
  spanning-tree        Show Spanning Tree Protocol information
  spring-traffic-engineering  Show ingress details of SPRING Traffic Engineering
  ssl-certificates     Show SSL certifcates
  subscribers          Show subscriber information
  system               Show system information
  task                 Show routing protocol per-task information
  ted                  Show Traffic Engineering Database information
  telemetry-agentd     Show agent information
  uplink-failure-detection  Show uplink failure detection information
  v4ov6-tunnels        Show information related to V4 over V6 tunnels
  validation           Show route validation information
  version              Show software process revision levels
  virtual-chassis      Show virtual chassis information
  vlans                Show VLANs information
  vpls                 Show VPLS information
  vrrp                 Show Virtual Router Redundancy Protocol information

Configuration Mode

The 3 basic steps to configure a device are:

  1. Make changes to the candidate configuration

  2. Commit your changes

  3. Candidate becomes active

There are 3 config modes: standard, exclusive and private.

You can enter modes with configure private, configure exclusive

Enable Telnet and Disable SSH and Web-management


set system services ftp
set system host-name juniper1
set services telnet
delete services web-managemen
delete services ssh

Test Driven Network Juniper Devices

There is a write up on jsnapy by keeping it classless about using jsnapy to test your juniper configurations.

Here is another post on test driven development for networks using ansible.

I wanted to test jsnapy with vqfx10k-vagrant but I couldn’t manage to access it via standard ssh, so the config file for jsnapy wouldn’t work. I couldn’t even ping the device when I gave it a private network.

 

 

Building a rest API client or SDK as a python package

stephen API, python

The best way to learn ways of building your API wrapper / SDK is to see ones that already exist. Here is a list of python api wrappers you can checkout and view. Most if not all of them are already python packages.

Here is a good post on how to test and build an API client / wrapper. In the post the author uses vcrpy as a way to replay stored responses, however they do actually happen the first time. To prevent your tests from ever hitting a real API you should look at Responses.

I also found a few generic wrappers for the requests library that are supposed to make your life easier, but it looked like many were just abstraction for abstraction sake and the closer your are to requests the better.

I did however find uplink which is a python api boilerplate module based on retrofit – which is the goto http client for Android development. I like it and I think it will make my life a bit easier when creating the api wrapper. It is however still in beta. Tapioca is another one, but I didn’t rate it. It arised from this fellow not liking how API wrappers are done and the added abstraction.

As a side note, Braintree doesn’t even make the rest API available, it forces clients to use a client or wrapper built by them mainly to ensure security.

I found uplink hard to work with…it seems as though the further you are from requests the harder your life becomes.

Allowing for a User Provided Session

One of the key things needed when making an API wrapper/client available is letting the user provide their own session. A reason for this is that user could have added additional auth to the API they are connecting to or may be using a different method of auth altogether.

Also, the client may be using an API gateway like kong so the client may need an auth token or some other permission. So it is better to just allow the user to provide their own session – which can then be modified with the session id’s.

So in the class constructor – __init__() method, ensure a session can be set and default it to none. The below example is adapted from the hvac client. eg:


class MyClient(object):
    """My Api Client"""

    def __init__(self, base_uri=DEFAULT_BASE_URI, cert=None, verify=True, timeout=30, proxies=None, session=None):
        """Create a new request adapter instance.

        :param base_uri: Base URL for the Vault instance being addressed.
        :type base_uri: str
        :param cert: Certificates for use in requests sent to the Vault instance. This should be a tuple with the
            certificate and then key.
        :type cert: tuple
        :param verify: Either a boolean to indicate whether TLS verification should be performed when sending requests to Vault,
            or a string pointing at the CA bundle to use for verification. See http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification.
        :type verify: Union[bool,str]
        :param timeout: The timeout value for requests sent to Vault.
        :type timeout: int
        :param proxies: Proxies to use when preforming requests.
            See: http://docs.python-requests.org/en/master/user/advanced/#proxies
        :type proxies: dict
        :param session: Optional session object to use when performing request.
        :type session: request.Session
        """
        if not session:
            session = requests.Session()

        self.base_uri = base_uri
        self.token = token
        self.namespace = namespace
        self.session = session
        self.allow_redirects = allow_redirects

        self._kwargs = {
            'cert': cert,
            'verify': verify,
            'timeout': timeout,
            'proxies': proxies,
        }

As you can see in the example above it is not just the session. Other things like SSL verification, the certificate to use for SSL verification and proxies can be passed to the constrator to allow for versatility.