2013/10/09

Automation scripts to control Cisco devices

As a network engineer in a complex network you have many tasks that can easily be automated to simplify network operation and reduce operating expenses. To help you automate your network over telnet or ssh you can use Exscript (https://github.com/knipknap/exscript). It is a great tool that simplifies command execution over telnet or ssh, and it can be used as a command line tool or as a python module. Since I want to show how easily you can establish a connection to a remote device, execute commands and process their output, I will walk through a basic python script.

First you need to install Exscript on your system. It works on python 2.6 or later. Exscript uses the paramiko python module to establish ssh connections. You can download Exscript via git or manually; I used the manual method. If you use the manual method, just go to the directory where you extracted Exscript and run python setup.py install. If the installation goes through without errors you are ready to use Exscript.

I want to show an example of how to get the running config from your ASA device. Below you will find a simple script that connects to an ASA device, retrieves the running config and saves it to a variable, which can then be further processed based on your requirements.


# Import the Exscript classes needed for an ssh
# connection and login.

from Exscript.protocols import SSH2
from Exscript import Account


# Connection establishment phase. The credentials
# and address below are those of the lab device.

account = Account('admin', 'cisco')
conn = SSH2()
conn.connect('192.168.1.1')
conn.login(account)


# Now you can execute commands in the
# established ssh connection.
#
# The execute method accepts a string, which is
# sent to the remote device followed by a newline,
# so the command is executed on the remote device.
#
# When you enter enable on your ASA, it waits
# for the password. I have a blank password, so
# I needed \n at the end of the command.
# Exscript will actually send enable\n\n.
#
# We also need to set the pager to 0, so that
# all command output is displayed at once
# without <--- More --->. The execute method
# works in such a way that the command is sent
# and then execute waits for the prompt. If
# <--- More ---> is displayed, the prompt never
# appears and python returns a traceback with
# the error.
#
# You are then ready to execute the show running
# command and save its output to a variable via
# the response attribute of the connection.

conn.execute('enable\n')
conn.execute('configure terminal')
conn.execute('pager 0')
conn.execute('show running')
running_config = conn.response

# Now you need to close your ssh connection. The
# send method is used here because execute waits
# for a prompt, while send only sends the command
# without waiting for a prompt, which will never
# be displayed after the exit command.
conn.execute('end')
conn.send('exit\r')

This was just a simple example to show how to connect to a remote device via ssh and execute some commands. The command output can be further processed, and of course you can also execute configuration commands. If you understand the script above, I believe it is pretty straightforward to create configuration scripts as well.
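The post ends with "the command output can be further processed" but does not show what that processing looks like. The following is an added example written for this page, not code from the post or from the Exscript project. It generalizes the post's idea to a small parser for any indented Cisco-style configuration (IOS or ASA): split_sections() groups top-level lines with their indented children, and the helpers on top of it pull out the hostname, the interface blocks and the entries of a named access-list. The collect() helper only assumes the Exscript-style connection API the post uses (execute() followed by reading .response); the running-config text is a constructed sample, not output from a real device.

```python
import re

# Constructed ASA-style running-config excerpt used as offline sample input.
# In the post's script this text would come from running_config = conn.response.
SAMPLE_RUNNING_CONFIG = """\
: Saved
:
hostname asa-lab
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
access-list outside_in extended permit tcp any host 192.168.1.10 eq https
access-list outside_in extended deny ip any any log
ssh 192.168.1.0 255.255.255.0 inside
asa-lab#
"""


def collect(conn, commands):
    """Run each command over an Exscript-style connection and keep its output.

    conn must provide execute(command) and a .response attribute, as the
    SSH2 object in the post does. The pager must already be disabled,
    otherwise execute() never sees the prompt and raises.
    """
    outputs = {}
    for command in commands:
        conn.execute(command)
        outputs[command] = conn.response
    return outputs


def split_sections(running_config):
    """Group an indented Cisco-style config into (header, [child lines]) pairs.

    Lines without leading whitespace open a section; lines starting with a
    space belong to the most recent section. Lines starting with ':' or '!'
    (ASA/IOS comments and separators) and the echoed CLI prompt are skipped.
    """
    sections = []
    for raw in running_config.splitlines():
        if not raw.strip() or raw.startswith((':', '!')):
            continue
        if raw.startswith(' '):
            if sections:
                sections[-1][1].append(raw.strip())
            continue
        line = raw.rstrip()
        if line.endswith('#') or line.endswith('>'):  # device prompt after the output
            continue
        sections.append((line, []))
    return sections


def hostname(running_config):
    """Return the configured hostname, or None if the line is absent."""
    for header, _ in split_sections(running_config):
        if header.startswith('hostname '):
            return header.split(' ', 1)[1]
    return None


def parse_interfaces(running_config):
    """Return one dict per 'interface' section with its ASA-relevant settings."""
    interfaces = []
    for header, children in split_sections(running_config):
        if not header.startswith('interface '):
            continue
        entry = {'name': header.split(' ', 1)[1], 'nameif': None,
                 'security_level': None, 'ip': None, 'shutdown': False}
        for child in children:
            m = re.match(r'nameif (\S+)$', child)
            if m:
                entry['nameif'] = m.group(1)
            m = re.match(r'security-level (\d+)$', child)
            if m:
                entry['security_level'] = int(m.group(1))
            m = re.match(r'ip address (\S+) (\S+)$', child)
            if m:
                entry['ip'] = m.group(1)
            if child == 'shutdown':
                entry['shutdown'] = True
        interfaces.append(entry)
    return interfaces


def access_list_entries(running_config, name):
    """Return the entries of the named access-list, in configured order."""
    prefix = 'access-list %s ' % name
    return [header[len(prefix):]
            for header, _ in split_sections(running_config)
            if header.startswith(prefix)]


if __name__ == '__main__':
    print(hostname(SAMPLE_RUNNING_CONFIG))
    for iface in parse_interfaces(SAMPLE_RUNNING_CONFIG):
        print(iface)
    print(access_list_entries(SAMPLE_RUNNING_CONFIG, 'outside_in'))
```

In a real run you would replace SAMPLE_RUNNING_CONFIG with the running_config variable from the post's script, or call collect(conn, ['show running', 'show version']) after pager 0 to gather several outputs at once. The parser is deliberately line-oriented: it trusts indentation rather than trying to understand every command, which is what makes it reusable across IOS and ASA output.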


2013/10/03

Cisco ISE - part 1 - Installing

I will start my blogging with a series of posts about installing and configuring Cisco Identity Services Engine, or Cisco ISE.

Cisco ISE is a really cool platform for security management and control. It is primarily used to establish secured network and guest access, but it can also be used for device administration access (routers, switches etc.). Cisco treats ISE as one of the main platforms for establishing BYOD.

The Cisco ISE application runs on top of Cisco ADE-OS. You can do some basic system tasks in that OS, like IP addressing and routing, NTP settings, hostname etc. It can also be used to reset the admin password of the Cisco ISE application. To access Cisco ADE-OS you use SSH with your favorite terminal program.

Cisco ISE can be deployed as a hardware appliance (Cisco ISE 3000 series) or as a VM. Since I am a big fan of virtualization I prefer VM-based deployment, but it always depends on your requirements. ISE can be deployed in standalone mode or in HA mode, in which you can also distribute different services among the ISE servers. Since I am currently doing a proof-of-concept I will use standalone mode. You can always extend your deployment to HA mode later.

Of course, to start using Cisco ISE you first need to install your server. The minimum requirements for installation stated by Cisco are a quad-core CPU, 4GB RAM and 60GB of disk storage. You must provide 4GB of RAM and 60GB of disk storage at installation time, otherwise the installation process will not let you through. If you just want to do a proof-of-concept you can decrease the amount of RAM afterwards; 1GB should be fine. For a production environment you of course need to increase the resources.

You should use the iso file for installation. Attach the Cisco ISE iso to your VM and start the VM. Choose to install ISE and then wait for the installation process to reach the login prompt, where you enter setup mode with the setup command.


Now you will be guided through a wizard for the basic configuration parameters. As this is pretty straightforward I didn't paste any screenshots. After you enter the basic parameters the ISE application installs. You will have to enter the database admin and user passwords. I believe those users are rarely used, or are used by Cisco TAC, so you should choose good passwords and save them in a safe place. By the way, KeePass is a good tool to store passwords. After some time ISE should be installed and you are able to access ADE-OS via ssh or the Cisco ISE admin console via a web browser.

You can check the ISE application status or reset the application in ADE-OS. All processes should be running before you can access the ISE application through the browser.

ciscoise/admin# sh application status ise

ISE Database listener is running, PID: 5237
ISE Database is running, number of processes: 27
ISE Application Server is running, PID: 11768
ISE M&T Session Database is running, PID: 4897
ISE M&T Log Collector is running, PID: 7022
ISE M&T Log Processor is running, PID: 7106
ISE M&T Alert Process is running, PID: 6928
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
% RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 64 GB
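The rule stated above (every process must be running before the admin console is usable) and the disk-size warning are both things a monitoring script can check automatically, for instance over an Exscript session to the ADE-OS shell like the one in the previous post. The following is an added example written for this page, not Cisco's or the post's own code. It parses the text of show application status ise into a structured result; the sample output is constructed from the listing above, with one process changed to "is not running" to exercise the failure case, so the PIDs and that line are not from a real device.

```python
import re

# Constructed sample modelled on the 'show application status ise' output
# in the post. The "is not running" line is made up to exercise the parser.
SAMPLE_STATUS = """\
ISE Database listener is running, PID: 5237
ISE Database is running, number of processes: 27
ISE Application Server is not running
ISE M&T Session Database is running, PID: 4897
ISE M&T Log Collector is running, PID: 7022
ISE M&T Log Processor is running, PID: 7106
ISE M&T Alert Process is running, PID: 6928
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
% RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 64 GB
"""

# One process line: "<name> is running, PID: N", "<name> is running,
# number of processes: N" or "<name> is not running".
PROCESS_RE = re.compile(
    r'^(?P<name>ISE .+?) is (?P<state>not running|running)'
    r'(?:, PID: (?P<pid>\d+)|, number of processes: (?P<count>\d+))?\s*$'
)
DISK_RE = re.compile(r'RECOMMENDED DISK SIZE: (\d+) GB, CURRENT DISK SIZE: (\d+) GB')


def parse_application_status(text):
    """Turn the status output into processes, warnings and disk figures."""
    result = {'processes': {}, 'warnings': [],
              'recommended_disk_gb': None, 'current_disk_gb': None}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('%'):
            # ADE-OS prefixes warnings with '% '; keep the text, drop the marker.
            result['warnings'].append(line.lstrip('% ').strip())
            m = DISK_RE.search(line)
            if m:
                result['recommended_disk_gb'] = int(m.group(1))
                result['current_disk_gb'] = int(m.group(2))
            continue
        m = PROCESS_RE.match(line)
        if m:
            result['processes'][m.group('name')] = {
                'running': m.group('state') == 'running',
                'pid': int(m.group('pid')) if m.group('pid') else None,
                'count': int(m.group('count')) if m.group('count') else None,
            }
    return result


def stopped_processes(status):
    """Names of ISE processes reported as not running, sorted."""
    return sorted(name for name, proc in status['processes'].items()
                  if not proc['running'])


def ready_for_web_access(status):
    """The post's rule: every listed process must be running."""
    return bool(status['processes']) and not stopped_processes(status)


def disk_undersized(status):
    """True when the reported disk is smaller than Cisco's recommendation."""
    rec, cur = status['recommended_disk_gb'], status['current_disk_gb']
    return rec is not None and cur is not None and cur < rec


if __name__ == '__main__':
    status = parse_application_status(SAMPLE_STATUS)
    print('stopped:', stopped_processes(status))
    print('ready for web access:', ready_for_web_access(status))
    print('disk undersized:', disk_undersized(status))
```

Feeding the real output into parse_application_status() instead of SAMPLE_STATUS gives a result a monitoring job can alert on: a non-empty stopped_processes() list means the admin console will not come up yet, and disk_undersized() keeps the lab-sized disk warning visible so it is not forgotten when the deployment moves to production.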

You can start, stop or reset the application, reset the admin password, or completely reset the configuration to factory defaults. The available commands are listed below.

ciscoise/admin# application ?
 configure     Configure application
 install       Install An Application Bundle
 remove        Uninstall An Application
 reset-config  Reset application configuration to factory defaults
 reset-passwd  Reset application password for specified user
 start         Start an Application
 stop          Stop an Application
 upgrade       Upgrade An Application Bundle

To access Cisco ISE via a web browser you only need to enter http://x.x.x.x and you are automatically redirected to the https page. Enter the credentials you provided during installation and you are ready to use your fresh installation of Cisco ISE. What is especially cool about ISE is that Cisco provides a 90-day evaluation license with all features, so you can use it to build a proof-of-concept or to test some functionality.