Monitor your BGP Advertised Routes with Paramiko

This post moves back to the basics and covers how to perform screen scraping using python and a helpful SSH library called Paramiko. Although the example below is about a specific task of checking the BGP outbound advertised routes of a device, the script can be reused to perform screen scraping for any output that the device offers. This example is for a Cisco IOS device, but it should work on many devices with a few tweaks in the commands sent and regex strings.

I’ve used inline comments for the explanations in the example below, but feel free to ask questions about this example or screen scraping other specific data. Here’s the GitHub Gist version if you want to fork and make your own changes. Continue reading

Give ExaBGP an HTTP API with SimpleHTTPServer or Flask

This entry is part 3 of 6 in the series Influence Routing Decisions with python and ExaBGP

We’ve covered how to setup ExaBGP and peer with a router, and then how to use python to add  and remove advertised routes in BGP either with static definitions or dynamically through health checking. There may be some of you out there with some sort of application that is already monitoring routes and you’re trying to figure out how to connect it with ExaBGP for the actual interaction part? Well, what if we add an HTTP API to ExaBGP to give programmatic access to ExaBGP from some external utility? I’ll go over two ways to do this using the python built-in SimpleHTTPServer or Flask.

Using SimpleHTTPServer

This option is great since you don’t need to install any extra modules. It seems to be pretty lightweight and should be enough for some basic HTTP interaction with ExaBGP. The basic functions that we need this API to do are receive a form via HTTP POST and print that to STDOUT. Since ExaBGP is executing the python script, the STDOUT output will be visible to the ExaBGP process. After the ExaBGP command is printed, we’ll return the command to the browser as confirmation that the call was successful. Here’s the example:

Using Flask

If you have bigger plans for the HTTP side of things and want to work with a web framework like Flask, this example is for you. The biggest difference is that you will have to install Flask and its dependencies, although that’s easy:

$ pip install flask

Now we’ll create a Flask file to listen for prefix commands via HTTP POST calls and print them to STDOUT so ExaBGP can do its magic:

Before you run off and put this on your production systems I have a couple disclaimers:

  • This script uses the built-in Flask debug HTTP server. It’s fine for lab use, but I would use gunicorn and nginx for real heavy lifting.
  • The script doesn’t do any validation of the command. A better script would make sure it’s a valid command and prefix.
  • Flask defaults to listening on the localhost address on TCP port 5000. You can change this though and I highly recommend reading Flask’s QuickStart article to familiarize yourself with the many options.

Hooking the HTTP API up to the ExaBGP process

Update the conf.ini file to run this script instead of our previous health check example:

And now when we run $ exabgp conf.ini, you’ll see the confirmation of running the python script at the end of the output, along with the debug output of both Flask or SimpleHTTPServer:

Once either HTTP service is running (somewhat wrapped by the ExaBGP process), we can make HTTP POST calls via command line (curl, wget) or via a GUI HTTP tool (Postman). I’ll show a quick example of both:


Postman:Postman - HTTP POST


When we run show bgp on the router, we can see our advertised network:

So, there’s a real quick and dirty way to allow external calls to ExaBGP for your RIB manipulation. The next post will cover more advanced peering and advertising options with ExaBGP.

Using service health checks to automate ExaBGP

This entry is part 2 of 6 in the series Influence Routing Decisions with python and ExaBGP

If you haven’t read the intro post to this series, Getting Started with ExaBGP, check that article out first as this post will be expanding on the previous example to show how to use python for more automated interaction with ExaBGP.

The first example I’ll cover is using a basic health check test to determine if a route should be announced or withdrawn from BGP. Here is our python script with comments inline:

Continue reading

ExaBGP and python: Getting Started

This entry is part 1 of 6 in the series Influence Routing Decisions with python and ExaBGP

I’m really excited about these next few posts. I’ve been doing some research on BGP and automating routing decisions with python, which led to my discovery of ExaBGP. ExaBGP is dubbed “The BGP swiss army knife”, and I’m early in my experimentation with this tool, but it seems to be a very easy way to peer with your BGP routers and control the advertisement of networks.

This post will cover basic setup of ExaBGP and peering with a router, as well as how you can tie in python to present control for the advertisement of routes. The next post will use the Flask web framework to offer a simple HTTP API for adding/removing routes. I hope the following posts will be along the lines of receiving the BGP UPDATE messages from peered routers to monitor and analyze advertised networks.

Continue reading

Graphing packet details with PyShark, pygal, and Flask

So you’ve used PyShark to get packet statistics out of your trace files but you want to represent them in a more friendly way than just text output?  How about using Flask and pygal to get those statistics in a graph or chart for use in a web app!

PyGal ExampleThis blog post will be a brief overview of getting some packet data in a chart and on a webpage. Please note that this will be a very simple example and not a recommended production deployment of Flask. I highly recommend using templates, flask-bootstrap, and more advanced Flask topics which you can learn about here.

Continue reading

OnePK – Configuring and Assigning an ACL

This entry is part 5 of 5 in the series Getting started with Cisco OnePK

During my research of the ACL module of OnePK I found some interesting behaviors. I think this feature isn’t fully cooked as it has some definite room for improvement. The ACL module (found in onep.policy) doesn’t have a way to interact with existing ACLs and ACEs on an IOS device. The ACLs seem to be intended for on-the-fly ACL configuration but with a couple caveats:

  • Applying an ACL to an interface overwrites the existing ACL for that direction. Interfaces must play by the rule: ‘One ACL per direction’.
  • Make sure to use OnepLifetime.ONEP_PERSISTENT to keep ACLs applied after the OneP session is disconnected.

First I’ll cover ACL management with OneP, and then I’ll use the onep.vty module to show how to workaround some of the shortcomings.

Continue reading

OnePK – Pulling information from an IOS device

This entry is part 3 of 5 in the series Getting started with Cisco OnePK

The first logical step in controlling your network with python is to have a way of pulling important information from your network devices. This post will cover the gathering of interface and routing table information. In order to keep examples short and to the point, they  will use the script as a connection module as discussed in the second post of the series. My goal for these examples isn’t to show what you should have in your OnePk apps, but rather to introduce you to basic concepts so you can see how the different pieces work and how you might be able to get the information necessary in your applications. Continue reading

OnePK – Connecting to a Network Element

This entry is part 2 of 5 in the series Getting started with Cisco OnePK

The first step in managing your network with Cisco’s OnePK is learning how to connect to a switch or router, what Cisco calls a Network Element. In the early OnePK days this was a very straightforward task using vanilla TCP but in the newest version of OnePK (1.3) and IOS (15.4), unencrypted communications were disabled and we are forced to use TLS. This makes sense from a network security point-of-view; it just makes it a little more difficult to get started.

Fortunately, amongst Cisco’s vast resources I found a document that helps outline a process that makes it easier to use TLS between our OnePK apps and Cisco IOS devices. The guide uses a technique called TLS pinning which allows our OnePK app to bypass certificates but still encrypt communications via TLS. Read more about this technique here: Cisco – TLS Pinning Guide. (Please note that this should not be used for production as it does not verify the endpoints. Certificates should be used for TLS in a production network.)

Continue reading

OnePK – Interacting with Interfaces

This entry is part 4 of 5 in the series Getting started with Cisco OnePK

Getting information from your network devices is really helpful, but actually change device configurations is even more helpful! This post will have a few examples of how to do just that with scripts that will shutdown a specified interface and change an interface IP address. This is where the fun begins, so strap into your chairs and get ready for some network automation! Continue reading

Python and onePK Offer the Power of SDN Today

This entry is part 1 of 5 in the series Getting started with Cisco OnePK

Cisco announced their entry into the Software Defined Networking (SDN) arena with OnePK in early 2013. If you haven’t heard of Cisco’s OnePK yet, please read their introductions before continuing (only because they do a better job of explaining it than I do):

It took Cisco a while to deliver something tangible after the initial announcement, but it was certainly worth the wait. Cisco has a large amount of resources for onePK that range from videos, tutorials, code examples, SDKs in 3 languages (Java, C, python), and full API docs. I’ve been digging through these resources and there is plenty of good info to get people started with SDN. Continue reading