Suresh Vina

Author Archives: Suresh Vina

Configuring AAA on Arista EOS Devices Using TACACS+ and ISE

In this blog post, let's look at how to configure TACACS+ AAA authentication on Arista EOS devices using Cisco ISE. When someone tries to log in to the device, we want the Arista device to authenticate and authorize the user against Cisco ISE. We'll go through the necessary configurations and steps to set up this integration between Arista EOS and Cisco ISE.

Local Authorization vs ISE Authorization

You can configure this in two ways, with one important difference. With the first method, ISE authenticates the user and tells the Arista switch which role to apply. Arista devices ship with two predefined roles, network-admin and network-operator. For example, suppose we have two groups of users: network engineers who need full access and NOC engineers who only need read-only access. When a user logs in, ISE sends TACACS+ attributes, according to the matching policy, that tell the switch which role to apply. With this method, command authorization happens locally on the switch.

With the second method, we don't use the two predefined roles at all. Instead, every command the user enters on the CLI is authorized by Cisco ISE. For example, we can allow all commands for network engineers and prevent NOC engineers from Continue reading
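Whichever of the two models you pick, the configuration that most often bites in practice is the one that has no local fallback: if the TACACS+ group is unreachable you are locked out, and if exec authorization is missing the role ISE hands back is never applied. The following is an added example, not code from the original post. It parses the AAA lines of an EOS running-config (the two sample configs are constructed for this example; the TACACS+ key is a placeholder) and flags those gaps, and it tells you which of the two authorization models a config implements. The assumption that the server-assigned role is carried in a TACACS+ shell attribute and applied through `aaa authorization exec` is mine, not something the post states.

```python
"""Sanity-check an Arista EOS AAA configuration before you commit it.

Added example (not from the original post). It reads 'aaa ...' lines in
the form they appear in 'show running-config' and flags:
  - a login method list with a TACACS+ group but no 'local' fallback,
  - console login not pinned to 'local',
  - command authorization sent to the server with no 'local' fallback,
  - a missing 'aaa authorization exec' line (assumption: EOS applies the
    role returned by the TACACS+ server during exec authorization).
Both configs below are constructed for this example; 'REDACTED' stands
in for the shared secret.
"""
import re

# Method 1 from the post: ISE authenticates and returns a role,
# command authorization stays local on the switch.
EOS_LOCAL_ROLE_AUTHZ = """\
tacacs-server host 10.10.10.50 key 7 REDACTED
aaa group server tacacs+ ISE
   server 10.10.10.50
aaa authentication login default group ISE local
aaa authentication login console local
aaa authorization exec default group ISE local
aaa authorization commands all default local
aaa accounting exec default start-stop group ISE
aaa accounting commands all default start-stop group ISE
"""

# Method 2 from the post: every command is authorized by ISE.
# Deliberately written without any fallback so the checker has work to do.
EOS_ISE_COMMAND_AUTHZ = """\
tacacs-server host 10.10.10.50 key 7 REDACTED
aaa group server tacacs+ ISE
   server 10.10.10.50
aaa authentication login default group ISE
aaa authorization exec default group ISE
aaa authorization commands all default group ISE
"""

AAA_RE = re.compile(
    r"^aaa (?P<kind>authentication login|authorization exec|authorization commands all)"
    r" (?P<list>default|console) (?P<methods>.+)$"
)


def parse_aaa(config):
    """Return {(kind, list_name): [method, ...]} for the AAA lines in config.

    'group ISE local' becomes ['group ISE', 'local'] so each method is one item.
    """
    aaa = {}
    for raw in config.splitlines():
        m = AAA_RE.match(raw.strip())
        if not m:
            continue
        words = m.group("methods").split()
        methods, i = [], 0
        while i < len(words):
            if words[i] == "group" and i + 1 < len(words):
                methods.append(f"group {words[i + 1]}")
                i += 2
            else:
                methods.append(words[i])
                i += 1
        aaa[(m.group("kind"), m.group("list"))] = methods
    return aaa


def _uses_server(methods):
    return any(m.startswith("group") for m in methods)


def authz_model(config):
    """'server' if commands are authorized by TACACS+, else 'local-role'."""
    cmds = parse_aaa(config).get(("authorization commands all", "default"), [])
    return "server" if _uses_server(cmds) else "local-role"


def check_aaa(config):
    """Return a list of human-readable findings; empty means nothing to fix."""
    aaa = parse_aaa(config)
    findings = []
    login = aaa.get(("authentication login", "default"), [])
    if _uses_server(login) and "local" not in login:
        findings.append("login default: no 'local' fallback if TACACS+ is unreachable")
    if aaa.get(("authentication login", "console")) != ["local"]:
        findings.append("console login is not pinned to 'local'")
    if ("authorization exec", "default") not in aaa:
        findings.append("no 'aaa authorization exec' line: server-assigned role is never applied")
    cmds = aaa.get(("authorization commands all", "default"), [])
    if _uses_server(cmds) and "local" not in cmds:
        findings.append("command authorization has no 'local' fallback")
    return findings


if __name__ == "__main__":
    for name, cfg in (("method 1", EOS_LOCAL_ROLE_AUTHZ), ("method 2", EOS_ISE_COMMAND_AUTHZ)):
        print(name, authz_model(cfg), check_aaa(cfg) or "OK")
```

Run it against the output of `show running-config section aaa` before pushing a change; a non-empty result from `check_aaa` is the signal to keep a console session open until you have confirmed you can still log in.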

NetBox in the Cloud, for Free

Yes, you read that right. NetBox Labs is now offering a generous free plan for their SaaS version of NetBox. This change is a big win for many of us who no longer need to worry about managing our own NetBox instances. With this free plan, you can take advantage of all the powerful features of NetBox without the hassle of maintenance and updates.

Why This Matters to Me?

As a blogger, I create a lot of labs and practice a lot of automation. I rely on NetBox for IP Address Management (IPAM) and other network-related tasks. Before this, I had my NetBox running as a Docker container on one of my VMs. However, there were times when I wanted to access NetBox and found out the VM was powered off. This free plan is music to my ears. There is a 100-device limit, but that's more than enough for my needs.

How to Get it?

Getting started with the free plan is as simple as going to their website and signing up for a free plan. I was up and running within a few minutes. The free plan includes up to 100 devices, 500 IP addresses, and 10k API Continue reading

My Network Lab is a Text File

Yes, you read that right. My Network Lab is indeed a text file (a YAML file, to be more specific). I can share the file with anyone, put it into version control, and never worry about re-creating the lab manually. No more clicking through the GUI and connecting interfaces. How is that even possible? You must be thinking this is clickbait, right? Well, I'm talking about using Containerlab to create and manage your network topologies and labs.

My Life Before Containerlab

I started my networking journey with Packet Tracer, then moved on to GNS3. Most of the time, I've used EVE-NG and some Cisco CML. EVE-NG is a great tool, and I still use it for building complex, large topologies with Cisco ISE, multiple firewalls, Active Directory, etc. But when it comes to labbing up pure networking protocols like BGP, OSPF, STP, or even simple IP routing, I needed something very simple that is easy to deploy and manage.

That's when I came across Containerlab which is a Lab-as-a-code tool that helps you set up and manage your network labs easily. Instead of dealing with complex setups and configurations, containerlab simplifies everything for you. Containerlab provides a command-line interface (CLI) that Continue reading

A Simple Network CI/CD Pipeline

In this blog post, let's look at a very simple Network CI/CD pipeline that manages my Containerlab network topology and configurations. We'll start with the benefits of using CI/CD, cover some basic terminology, and then go through an example.

To give an overview, I use Containerlab to deploy my network labs and Nornir to deploy the configurations. Before CI/CD, my typical workflow involved using containerlab commands to manage the topology. Once the lab is up and running, I use Python to run the Nornir script. This works well because I'm the only one using it. However, I ideally want to put all the configurations into a Git repo to track my changes over time. I also want to test my code (to ensure there are no syntax errors, for example) and automatically push the updates to the devices.

Here is the project repo if you want to clone it and follow along.

Suresh V / simple_bgp_lab · GitLab
GitLab.com

What Exactly is CI/CD?

CI/CD stands for Continuous Integration and Continuous Delivery. In simple terms, it means automatically testing and delivering your code. With Continuous Integration (CI), every time you make a change to your code, it's tested automatically Continue reading

Running Palo Alto Firewall in Containerlab

Hi all, in this quick blog post, let's look at how to run Palo Alto firewalls in Containerlab. If you've been following me for a while, you might know that I've started using Containerlab more often in my projects. If you're new to Containerlab or need a quick recap, check out my other introductory post below. Now, let's dive in.

Containerlab - Creating Network Labs Can’t be Any Easier
What if I tell you that all you need is just a YAML file with just a bunch of lines to create a Network Lab that can run easily on your laptop? I’ll walk you through what Containerlab is

boxen or vrnetlab

Palo Alto doesn't provide a containerized image of the VM-Series firewall (the CN-Series is a separate, Kubernetes-oriented product); the VM-Series only ships as a VM image. You can build a container from that VM image in two ways. The official Containerlab documentation recommends using 'boxen' to generate a container image from the VM. However, I chose to use the vrnetlab project instead.

Creating a containerized image using vrnetlab

First things first, download the VM image (qcow2) from the Palo Alto support portal. You might need a valid support contract to access this image. For this Continue reading

Managing Multiple Python Versions with pyenv

In my Python journey, I've always stuck to just one version of Python at a time. I happily used Python 3.9 for quite a while, then switched to Python 3.10 without any issues. Everything was perfect until recently when I tried installing a Python application using pip, but no matter what I did, the installation kept failing. I couldn't fix the issue even after hours of Googling.

That's when I finally decided to check the documentation (which I should have done from the start), and there it was, this application requires a minimum Python version of 3.8 and was only tested on versions 3.8 and 3.9. That made me think, maybe I should have installed it using Python 3.9, but how? I'm no expert in Linux or Unix systems, and I worried that reinstalling Python 3.9 could mess up other projects I'd built on 3.10.

So, I started exploring how to manage multiple Python versions on the same machine, and that's when I stumbled upon a tool called 'pyenv'. This seemed like the perfect solution to my problem, so I decided to learn more about it.

Engineer’s Dilemma: Constant Learning and Forgetting

As a Network Engineer, I've noticed we're in a constantly evolving field. Traditional networking is already a deep pool of knowledge, covering a wide range of topics. But the tech world doesn't stand still – it's moving at a fast pace.

Now, we're not just dealing with routers and switches. We've got a whole new set of skills to learn. There's Cloud, then there's Automation. We're also diving into tools like Ansible, Docker and Terraform and let's not forget Python. With all these new areas to explore, the big question is how do we keep up? How do we learn all these new skills without forgetting the fundamentals that got us here?

Do You Keep Forgetting?

Let me pull out EIGRP as an example. Back when I was studying for my CCNP certification, EIGRP and I were best buddies. I could set up labs, get EIGRP running between them, and troubleshoot any issues that popped up. Ask me about it now. Well, it's a bit embarrassing, but I'd be scratching my head. I remember something about a 'feasible route', but that's about it.

Simple BGP Lab with Containerlab and Nornir (Lab-as-a-Code)

I'm sure many of you can relate to the familiar headache that comes with setting up Network Labs. Suppose you just want to test some BGP functionalities, perhaps exploring how to use Route Map with BGP route filtering. Normally, you'd start by setting up a lab environment. This involves selecting a platform like EVE-NG or Cisco CML, adding a bunch of routers, and connecting everything with virtual cables.

Once your setup is physically ready, the real "fun" begins. You start configuring each router, setting interface IPs, adding descriptions, and configuring BGP attributes like neighbours and network statements. If this sounds tedious, that's because it is! I've configured interfaces countless times myself, and it never gets any less painful. Ever typed the wrong IP and then spent hours troubleshooting why you can't ping your peer? If you're nodding in agreement, you're definitely not alone. I know how to configure an interface already, I just don't want to do it for the 1000th time this year.

And just when you think about doing some automation or integrating with 3rd party tools (NMS, NCM etc), you're faced with another set of challenges. Setting up local user accounts, configuring management IPs, creating SSH keys—it Continue reading

Why Did No One Tell Me About This VSCode Remote – SSH Feature?

I just discovered the VSCode Remote - SSH feature, and it's a game-changer (at least for me). This tool lets you code directly on a remote server (Linux VM for example) through SSH, right from your local VSCode. It brings your remote environment to your local workspace, making remote development much easier.

The Visual Studio Code Remote - SSH extension allows you to open a remote folder on any remote machine, virtual machine, or container with a running SSH server and take full advantage of VS Code's feature set. Once connected to a server, you can interact with files and folders anywhere on the remote filesystem.

No source code needs to be on your local machine to gain these benefits since the extension runs commands and other extensions directly on the remote machine.

What Problem Does it Solve?

Let me share a challenge I faced until recently. My main machine runs Windows, but for my work with automation tools like Python, Ansible, Terraform, and others such as Containerlab and Git, I prefer a Mac or Linux command line environment. I didn't want to install these tools directly on Windows due to potential issues.

Initially, I thought about using WSL, but Continue reading

Nornir Network Automation

Nornir is a Python library designed for Network Automation tasks. It enables Network Engineers to use Python to manage and automate their network devices. Unlike tools like Ansible which rely on domain-specific languages, Nornir leverages the full power of Python, giving you more flexibility and control over your automation scripts.

Nornir feels like what you'd get if Ansible and Python had a baby. If you're used to Ansible, you know that you first set up your inventory, write tasks, and execute them on all or selected devices concurrently. Nornir operates similarly, but the big difference is you use Python code instead of any Domain Specific Language.

My Life Without Nornir

Before I discovered Nornir, my approach to Python automation involved manually setting up a list of devices, specifying each one's vendor, and credentials. This setup could be a simple Python list or a dictionary. Then, I'd loop through each device with a for loop, using libraries like Netmiko or Napalm to execute tasks. These tasks ranged from getting data from the devices to sending configurations. Here is a very simple snippet of managing the devices and using them with Netmiko. This method can get complicated very easily once you start Continue reading

Getting Started With Juniper PyEZ Library

In this blog post, we're diving into how to use the PyEZ Python library to interact with Juniper devices. I'll be working with a Juniper vMX device as our example, but PyEZ can work with any other Junos-based device. So, whether you have a vMX, an SRX, or any other Junos device, you'll find this guide helpful.

What we will cover?

  • What is Juniper PyEZ?
  • Why do we need PyEZ?
  • Prerequisites
  • Getting facts from Juniper vMX
  • Getting Interface Stats and Errors
  • A few things to note
  • Closing thoughts

What is Juniper PyEZ?

Junos PyEZ is a microframework for Python that enables you to manage and automate Junos devices. Junos PyEZ is designed to provide the capabilities that we would typically get from the CLI.

You can use Junos PyEZ to retrieve facts or operational information from a device, execute remote procedure calls (RPC) available through the Junos XML API and even install or upgrade the Junos software. But for the sake of this example, we will retrieve the facts from the vMX and then retrieve some interface statistics.

But, Why Do I need PyEZ?

If you're wondering why we need PyEZ, here's a straightforward reason from my experience. I often Continue reading

My Experience with IP Fabric Automated Network Assurance Platform

I've been following IP Fabric for some time now, checking out their updates and reading their blog posts. It made me curious to want to give their platform a try myself. So, I did just that and thought it'd be helpful to share my thoughts and experiences with you.

If you're curious about IP Fabric too, they offer a 90-day lab license, which is a great way to get hands-on with the platform. The nice people over at IP Fabric set me up with a trial license and I found the setup process to be very straightforward. In fact, it took me less than an hour to get everything up and running.

💡
Please note that this post is not sponsored by IP Fabric. I reached out to them to request a lab license so I could test their platform in my own lab environment. All the insights and findings shared in this post are based on my personal research and experience with the tool.

What we will cover?

  • What is IP Fabric?
  • Installation
  • Automated Network Discovery
  • What is a Snapshot?
  • Topology Visualization
  • Intent-based Verification
  • Compliance and Security Checks
  • Other Useful Features
  • Closing thoughts

What is 'IP Fabric Automated Continue reading

Containerlab – Creating Network Labs Can’t Be Any Easier

What if I tell you that all you need is just a YAML file with just a bunch of lines to create a Network Lab that can run easily on your laptop? You'd call me crazy, right?

Well, in this blog post, I'll walk you through what Containerlab is and how it can simplify creating and managing your labs with ease. Let's dive in.

What we will cover?

  • What is containerlab?
  • Comparing EVE-NG/GNS3 to Containerlab
  • Installation and initial setup
  • Lab images (Arista cEOS)
  • Containerlab terminology
  • Lab example
  • Cleaning up
  • Closing thoughts

Cisco Restconf - Get Operational Data
In this blog post, we'll use Restconf to pull operational data from a Cisco switch. So far in our previous posts, we've looked at getting and changing configuration data.

What is Containerlab?

The official definition is "Containerlab provides a CLI for orchestrating and managing container-based networking labs. It starts the containers, builds a virtual wiring between them to create lab topologies of users choice and manages labs lifecycle."

Simply put, containerlab is a Lab-as-a-code tool that helps you set up and manage your network labs easily. Instead of dealing with complex setups and configurations, containerlab simplifies everything for you. Continue reading

Slurp’it – Network Inventory & Discovery Tool

I recently came across a neat tool called 'Slurp'it', a Network Inventory and Discovery solution. If you've been following my blog for a while, you know I just had to give it a try and share my findings with you. So, in this post, I'm going to quickly go over how to get it up and running, along with a few ways you might find it useful. Let's dive in.

What We Will Cover?

  • What is Slurp'it?
  • Licenses
  • Installation and Setup
  • Data Collection
  • Custom Planning
  • Some Use Cases

What is Slurp'it?

The official definition is "Slurp'it is a powerful and easy-to-use network discovery solution that offers 100% accurate network inventory. No coding required." Out of the box, the tool supports almost all vendors (117 as of writing this).

In a nutshell, Slurp'it simplifies the whole process of understanding your network's inventory. All you need to do is provide the IP address or hostname of your devices, along with the login credentials. Slurp'it takes it from there. It executes various 'show' commands on your devices, uses TextFSM to parse the outputs, and finally presents you with a tidy table detailing everything it has discovered. It's straightforward yet effective, Continue reading

Palo Alto EDL Hosting Service Example (GitHub URLs)

In this short blog post, we'll explore what the EDL (External Dynamic List) hosting service is and how it solves problems for us. An External Dynamic List is a text file that is hosted on an external server so that the firewall can import objects—IP addresses, URLs, domains—included in the list and enforce policy. To enforce policy on the entries included in the external dynamic list, you can reference the list in a security policy.

EDL Hosting Service

The EDL Hosting Service is a set of feeds of SaaS application endpoints maintained by Palo Alto Networks. Each Feed URL serves an external dynamic list (EDL) that is checked daily for new endpoints added to the publicly available address lists published by the SaaS provider.

When a SaaS provider adds a new endpoint for a SaaS application the corresponding Feed URL is updated. Leveraging the EDL Hosting Service allows for dynamic enforcement of traffic to and from your SaaS application without the need for you to host and maintain your own EDL.

GitHub Example

For example, imagine you want to let users SSH into GitHub repositories. Without an EDL, you'd either risk security by allowing SSH to 'all IP addresses' or manually Continue reading
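Before referencing any feed in a security policy it is worth knowing what the firewall will actually load from it, because an entry it cannot parse is simply skipped and an over-broad entry quietly turns the rule into "allow any". The following is an added example, not code from the original post or from Palo Alto Networks. It parses an IP-type EDL body (one entry per line; treating `#` to end of line as a comment is my assumption about the format, and PAN-OS also accepts address ranges, which this parser deliberately does not), reports the lines that would be dropped, flags entries wider than a sane allow-list prefix, and answers the question a policy match asks: is this destination covered? The list content uses documentation ranges and is constructed here; it is not GitHub's real address space.

```python
"""Validate an IP-type External Dynamic List and test coverage.

Added example (not from the original post). Assumptions: entries are
hosts or CIDR prefixes, '#' starts a comment, and ranges are out of
scope. SAMPLE_EDL is constructed with RFC 5737 / RFC 3849 documentation
addresses, not real GitHub prefixes.
"""
import ipaddress

SAMPLE_EDL = """\
# ssh-endpoints (constructed sample, not real GitHub prefixes)
192.0.2.0/24
198.51.100.17             # single host, loaded as /32
2001:db8:1::/48
198.51.100.17/24          # host bits set: rejected by strict parsing
not-an-ip                 # rejected
0.0.0.0/0                 # parses fine, but this is 'allow any'
"""


def parse_edl(text):
    """Return (networks, errors); errors is [(line_no, entry, reason), ...]."""
    networks, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not entry:
            continue
        try:
            # strict=True rejects prefixes with host bits set, which is the
            # kind of typo that silently shrinks or widens what you allow.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append((line_no, entry, str(exc)))
    return networks, errors


def too_broad(networks, v4_min_prefix=16, v6_min_prefix=32):
    """Entries wider than the given prefix lengths; a /0 means 'any'."""
    return [
        net for net in networks
        if net.prefixlen < (v4_min_prefix if net.version == 4 else v6_min_prefix)
    ]


def is_covered(networks, address):
    """True if the address falls inside any entry (what a policy match does)."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == net.version and ip in net for net in networks)


def load_for_policy(text):
    """Parse, then drop over-broad entries so the allow-list stays an allow-list."""
    networks, errors = parse_edl(text)
    broad = too_broad(networks)
    usable = [net for net in networks if net not in broad]
    return usable, errors, broad


if __name__ == "__main__":
    usable, errors, broad = load_for_policy(SAMPLE_EDL)
    print("loaded:", [str(n) for n in usable])
    print("rejected lines:", [(n, e) for n, e, _ in errors])
    print("too broad:", [str(n) for n in broad])
    print("192.0.2.55 covered:", is_covered(usable, "192.0.2.55"))
    print("8.8.8.8 covered:", is_covered(usable, "8.8.8.8"))
```

Run this over the fetched feed before the firewall does (a cron job or a CI step is enough); the rejected-line list is the diff you want to see when a feed changes format, and the too-broad list is the one you want to alert on.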

Automating NetBox with Ansible

In this post, we're diving into automating NetBox with Ansible. We'll explore how to leverage Ansible's modules to fully automate setting up NetBox. I'll guide you through a simple scenario where we configure a single site, including two racks and several devices, and even detail setting up cabling through a patch panel using Ansible. This approach simplifies the whole process, and I'll make sure it's straightforward for you to follow and apply.

You can clone my repo from GitHub to follow along. I've included everything you see here in the repo, making it easy for you to get hands-on experience.

What we will cover?

  • Why do we need Ansible?
  • Prerequisites
  • Diagram
  • Basic Ansible Playbook
  • Creating Sites, Racks, Devices and Cables

But why do I need Ansible though?

You might be thinking, "Why do I need Ansible? Can't I just set up and use NetBox manually?" Sure, you could if that's what works best for you and your team. But here are my reasons for choosing Ansible (or any other automation tool) over manual configuration:

Firstly, I'm not a fan of clicking through the GUI. It might seem quicker at first, but repeating the same tasks over and over can Continue reading

Ansible Subelements Lookup Example

When you're working with Ansible, you often come across situations where you need to deal with lists inside of lists. Imagine you have a bunch of servers, and each server has its own set of services to manage.

The subelements lookup plugin is designed to iterate over a list of dictionaries and a specified sub-list within each dictionary. Instead of writing complicated code to dig into each layer, subelements lets you glide through the outer list and then dive into the inner list easily.

What we will cover?

  • Subelements syntax
  • Subelements example
  • What are item.0 and item.1?
  • Subelements example with NetBox

Subelements Syntax

To use subelements in your playbook, you write a loop that tells Ansible what main list to look at and which sublist to go through. Here’s what a simple line of code looks like.

loop: "{{ query('subelements', your_main_list, 'your_sublist_key') }}"

your_main_list is where you have all your main items (like servers), and your_sublist_key is the name of the sublist inside each main item (like tasks for each server). Ansible will then loop through each main item and its sub-items in turn.

Ansible Subelements Example

Suppose you have the following data structure defined in your playbook.

 Continue reading
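The data structure the excerpt refers to is not on this page, so here is an added example, not code from the original post, that shows what the `subelements` lookup actually hands to a loop. It reimplements the flattening in plain Python over a constructed list of servers, each with its own list of services: every `(parent, child)` pair it returns is exactly what a task sees as `item.0` and `item.1`. It also mirrors the lookup's handling of a parent that lacks the sub-list key, which is an error unless `skip_missing` is set.

```python
"""Reproduce what Ansible's 'subelements' lookup hands to a loop.

Added example (not from the original post). The real lookup is
query('subelements', main_list, 'sublist_key'); this function does the
same flattening in plain Python so the (item.0, item.1) pairs are visible.
The 'servers' data is constructed for this example.
"""

# Constructed inventory: each server carries its own list of services.
servers = [
    {"name": "web01", "env": "prod", "services": ["nginx", "php-fpm"]},
    {"name": "db01", "env": "prod", "services": ["postgresql"]},
    {"name": "bastion", "env": "prod"},  # no 'services' key at all
]


def subelements(main_list, sublist_key, skip_missing=False):
    """Return [(item, subitem), ...] in the order a loop would run them.

    item.0 in the task is the parent dict, item.1 is one element of the
    sub-list. Like the real plugin, a parent without the sub-list key is
    an error unless skip_missing is set, in which case it is skipped.
    """
    pairs = []
    for item in main_list:
        if sublist_key not in item:
            if skip_missing:
                continue
            raise KeyError(f"{item.get('name', item)!r} has no {sublist_key!r} key")
        for sub in item[sublist_key]:
            pairs.append((item, sub))
    return pairs


def render_tasks(main_list, sublist_key):
    """What a task using '{{ item.0.name }}' and '{{ item.1 }}' would produce."""
    return [
        f"{parent['name']}: ensure service {child} is running"
        for parent, child in subelements(main_list, sublist_key, skip_missing=True)
    ]


if __name__ == "__main__":
    for line in render_tasks(servers, "services"):
        print(line)
```

The equivalent loop line in a playbook is `loop: "{{ query('subelements', servers, 'services', {'skip_missing': true}) }}"`; without the `skip_missing` flag the `bastion` entry above makes the task fail, which is usually what you want when a host is missing data rather than silently doing nothing for it.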

How to Export Large Traffic Logs from Palo Alto Firewall?

Recently, I faced a unique challenge, I needed to export a massive amount of traffic logs from a Palo Alto Firewall for analysis. Initially, I thought it would be straightforward, log into the GUI, apply the necessary traffic log filter, and export the logs as a CSV file. Easy peasy, right? Well, not exactly. I quickly ran into a roadblock that made me rethink my approach.

In this blog post, I'll share the hurdles I encountered and how I managed to find a workaround to export the logs and analyze them using Python Pandas.

The Problem

By default, Palo Alto only exports 65535 rows in the CSV file, which is not nearly enough. If you have a large network, that amount might only cover a few minutes of logs. Even if you change the value, the maximum it can support is 1048576, which might cover maybe an hour's worth of logs. But for my use case, I needed at least a month of logs. I couldn't get what I wanted from the built-in report options, so I was scratching my head. I then tried to export the logs via SCP on the CLI, but again encountered the same maximum row Continue reading

SuzieQ Network Observability

In today’s post, we’re exploring SuzieQ, an open-source network observability platform that’s making waves in the way we monitor and understand our networks. It supports a wide array of devices from top vendors like Arista, Cisco, and Juniper, among others. We’ll start with the fundamentals and finish with a practical example to clearly illustrate how SuzieQ sets itself apart from other automation tools.

What We Will Cover?

  1. What exactly is SuzieQ?
  2. How does SuzieQ work?
  3. How to install SuzieQ?
  4. SuzieQ terminology (Configuration, Inventory, suzieq-cli, poller)
  5. Configuration and Inventory files
  6. Examples using OSPF Topology
  7. Path Analysis

What Exactly is SuzieQ?

I first came across SuzieQ a while back but didn't dive deep into it because tools like Netmiko or Napalm were fitting my needs just fine. That changed when I tuned into a recent Packet Pushers podcast featuring Dinesh Dutt, the brain behind SuzieQ. Hearing him talk about it got me really interested.

After the podcast, I couldn't hold back from giving SuzieQ a try. There have been many times when I found myself writing custom scripts to get things done, only to discover that SuzieQ could have handled those tasks much more smoothly.

So, what is SuzieQ? In simple Continue reading

How do we overcome Imposter Syndrome?

I was thinking of writing about Imposter Syndrome for so long but I didn't because I thought someone might figure out I don't know what I am talking about.

This is so real, I'm not even kidding. The feeling of doubting your abilities and feeling like a fraud. It's something many of us experience, especially when we're stepping out of our comfort zones or tackling new challenges. So, I decided to face this head-on and share some ways to deal with it. First, it's important to recognize when we're being too hard on ourselves. We often set unrealistically high standards and then beat ourselves up when we don't meet them. It's okay to not know everything – after all, we're all learning as we go.

Talking to others can also be a big help. You'll often find that many people feel the same way and have their own experiences with Imposter Syndrome. This can be a huge relief to know you're not alone in this.

What Exactly is Imposter Syndrome?

In plain terms, it's when you feel like you're not as competent as others perceive you to be. You might think you're not good enough, despite there being clear signs Continue reading