OnePK – Configuring and Assigning an ACL

This entry is part 5 of 5 in the series Getting started with Cisco OnePK

During my research of the ACL module of OnePK I found some interesting behaviors. I think this feature isn’t fully cooked as it has some definite room for improvement. The ACL module (found in onep.policy) doesn’t have a way to interact with existing ACLs and ACEs on an IOS device. The ACLs seem to be intended for on-the-fly ACL configuration but with a couple caveats:

  • Applying an ACL to an interface overwrites the existing ACL for that direction. Interfaces must play by the rule: ‘One ACL per direction’.
  • Make sure to use OnepLifetime.ONEP_PERSISTENT to keep ACLs applied after the OneP session is disconnected.

First I’ll cover ACL management with OneP, and then I’ll use the onep.vty module to show how to workaround some of the shortcomings.

Continue reading

OnePK – Pulling information from an IOS device

This entry is part 3 of 5 in the series Getting started with Cisco OnePK

The first logical step in controlling your network with python is to have a way of pulling important information from your network devices. This post will cover the gathering of interface and routing table information. In order to keep examples short and to the point, they  will use the one_connect.py script as a connection module as discussed in the second post of the series. My goal for these examples isn’t to show what you should have in your OnePk apps, but rather to introduce you to basic concepts so you can see how the different pieces work and how you might be able to get the information necessary in your applications. Continue reading

OnePK – Connecting to a Network Element

This entry is part 2 of 5 in the series Getting started with Cisco OnePK

The first step in managing your network with Cisco’s OnePK is learning how to connect to a switch or router, what Cisco calls a Network Element. In the early OnePK days this was a very straightforward task using vanilla TCP but in the newest version of OnePK (1.3) and IOS (15.4), unencrypted communications were disabled and we are forced to use TLS. This makes sense from a network security point-of-view; it just makes it a little more difficult to get started.

Fortunately, amongst Cisco’s vast resources I found a document that helps outline a process that makes it easier to use TLS between our OnePK apps and Cisco IOS devices. The guide uses a technique called TLS pinning which allows our OnePK app to bypass certificates but still encrypt communications via TLS. Read more about this technique here: Cisco – TLS Pinning Guide. (Please note that this should not be used for production as it does not verify the endpoints. Certificates should be used for TLS in a production network.)

Continue reading

OnePK – Interacting with Interfaces

This entry is part 4 of 5 in the series Getting started with Cisco OnePK

Getting information from your network devices is really helpful, but actually change device configurations is even more helpful! This post will have a few examples of how to do just that with scripts that will shutdown a specified interface and change an interface IP address. This is where the fun begins, so strap into your chairs and get ready for some network automation! Continue reading

Python and onePK Offer the Power of SDN Today

This entry is part 1 of 5 in the series Getting started with Cisco OnePK

Cisco announced their entry into the Software Defined Networking (SDN) arena with OnePK in early 2013. If you haven’t heard of Cisco’s OnePK yet, please read their introductions before continuing (only because they do a better job of explaining it than I do):

It took Cisco a while to deliver something tangible after the initial announcement, but it was certainly worth the wait. Cisco has a large amount of resources for onePK that range from videos, tutorials, code examples, SDKs in 3 languages (Java, C, python), and full API docs. I’ve been digging through these resources and there is plenty of good info to get people started with SDN. Continue reading