Network CI/CD – Configuration Management with Napalm and Nornir

Hi all, welcome back to part 4 of the Network CI/CD blog series. So far, we've covered the purpose of a Network CI/CD pipeline, the problems it solves for Network Engineers, and how to set up GitLab, including creating projects, installing runners, and understanding GitLab executors. We also looked at how to use GitLab variables to securely hide secrets.

In this part, we'll explore how to manage a campus network using Nornir and Napalm and deploy configurations through a CI/CD pipeline. Let's get to it!

Network CI/CD Pipeline - What’s the Point?

Hi all, welcome to the ‘Network CI/CD’ blog series. To kick things off, let’s ask the question, “Why do we even need a CI/CD pipeline for networks?” Instead of diving straight into technical definitions

PacketswitchSuresh Vina

As I mentioned previously, I'm not a CI/CD expert at all and I'm still learning. The reason for creating this series is to share what I learn with the community. The pipeline we are building is far from perfect, but that's okay. The goal here is to create a simple pipeline that works and then build upon it as we go. This way, you can start small and gradually Continue reading

Network CI/CD Pipeline – GitLab Variables

Hi all, welcome back to our Network CI/CD blog series. In the previous posts, we covered what CI/CD is and why you need it for Network Automation. We also covered GitLab basics and how to set up your first pipeline. In this post, we’ll look into how to keep your credentials secure by hiding them from the repository and using GitLab variables. Let’s get to it!

GitLab Variables

In GitLab CI/CD, variables play an important role in managing dynamic values throughout your pipeline. These variables can store anything from environment-specific settings to sensitive information like credentials. By using variables, you can easily manage and change values without hardcoding them in your scripts or playbooks.

GitLab provides a secure way to store sensitive data such as passwords or API tokens. You can define these variables in your project’s Settings > CI/CD > Variables section, and they will be securely injected into your pipeline during runtime.

If you recall, in our previous examples, we had the username and password hardcoded in the Ansible variables file. This is not secure at all, and you should never expose sensitive information like credentials directly in your repository. By using GitLab variables, you can securely Continue reading

NetPicker – A Great Network Configuration Backup Tool

Hi everyone, welcome back to the Packetswitch blog. Today, we're going to look into NetPicker, a tool that not only performs Network Compliance Tests but also takes backups of your network devices. In this post, we'll walk you through downloading and installing NetPicker, adding devices, taking backups, and setting up backup schedules.

Is It Free?

As of September 2024, according to NetPicker’s pricing page, there’s a ‘Free for Life’ plan that allows unlimited backup of your device configurations and unlimited automated tests for up to 10 devices. This means you can manage backups for all of your devices without spending a penny. If you need to run tests on more than 10 devices, you’ll likely need to consider purchasing a license.

Download and Installation

To get started with NetPicker, navigate to their website and fill out the form with your name and email. After you complete this step, you'll receive an email with detailed installation instructions. You have two main options for installation.

1. Download an OVA Continue reading

Python OOP – Method vs Function and the Mystery of ‘self’

I just realized how much I didn't know about Python Object-Oriented Programming. I thought I knew the basics, but a few days ago, while going through a Python course, I found out I was wrong. Before I forget what I’ve learned, I wanted to write this blog post and share it with you.

In this blog post, we’ll cover the difference between functions and methods, and what exactly ‘self’ means in Python. So, let’s get to it.

Functions vs Method

class MyClass:
    def say_hello():
        print('Hello')

In this snippet, we’ve defined a Class called MyClass with a function named say_hello. But here’s a question for you - what do you call say_hello? Is it a function or a method?

It’s a common misconception to think that simply defining a function inside a Class automatically makes it a method. However, the distinction lies in how the function is accessed.

1. Function - When you define a function inside a class, it’s just a regular function until it’s accessed through an instance of the class.
2. Method - When you access that function via an instance of the class (e.g., `obj.say_hello'), it becomes a method. This is Continue reading

Napalm Configuration Management With Arista EOS

Hi all, welcome back to the Packetswitch blog. In today's post, we'll explore how to use NAPALM for managing device configurations. We'll focus on Arista EOS as our example. We'll cover the methods available in NAPALM and how to push, commit and revert configurations on Arista devices.

We'll start by explaining what NAPALM is and why you might want to use it. Then we'll move on to a few examples and take a look at what happens behind the scenes. This approach will give you a clear understanding of NAPALM's role in network configuration management and how it works with Arista EOS devices.

What is Napalm?

NAPALM stands for Network Automation and Programmability Abstraction Layer with Multivendor support. It's a Python library that helps network engineers manage and automate different network devices using a common set of functions. NAPALM solves the problem of dealing with multiple vendor-specific interfaces by providing a unified way to interact with network devices from various manufacturers. This means you can use the same code to manage devices from Cisco, Juniper, Arista, and others, saving time and reducing the complexity of network automation tasks.

Network CI/CD Pipeline – GitLab Introduction

Hi all, welcome back to our Network CI/CD blog series. In this part, we’ll discuss what exactly GitLab is and the role it plays in the whole CI/CD process. We’ll explore how to use GitLab as a Git repository, how to install GitLab runners, and how to write a GitLab CI/CD pipeline, among other topics. So let’s get to it.

Prerequisites

Before we proceed, let’s go over some prerequisites. This part of the series assumes you have some familiarity with Git, Ansible, and basic Docker concepts. I’m not an expert in any of these, but I have a basic understanding of what each tool does and how to configure and use them. Even if you’re not very familiar, you can still follow along as we go step by step.

Using GitLab as a Git Repo

Git is a version control system that allows you to track changes to your code, collaborate with others, and manage different versions of your projects. It's a fundamental tool for network automation that works with code or configuration files.

Network CI/CD Pipeline – What’s the Point?

Hi all, welcome to the 'Network CI/CD' blog series. To kick things off, let's ask the question, "Why do we even need a CI/CD pipeline for networks?" Instead of diving straight into technical definitions or showing you how to build a CI/CD pipeline, which might make you lose interest, we’ll focus on the reasons behind it. Why should network teams even consider implementing CI/CD?

In this post, we’ll talk about the benefits and the problems it solves, so you can see why it's worth learning. Let's get to it.

Making Network Changes - The Traditional Way

Even though I call it the “traditional way,” most of us (myself included) still make changes via the CLI. So, let’s imagine you and two colleagues are managing a campus network with 10 access switches. One of your tasks is to configure VLANs on all of Continue reading

How to Create VyOS Firewall Rules?

Hi all, welcome back to another blog post on VyOS. In the previous post, we covered how to install VyOS and set up the initial configurations. In this blog post, we'll cover how to configure firewall rules in VyOS. To demonstrate, we'll create a hypothetical office setup with a VyOS router/firewall. The router will have two interfaces - one facing the Users and another facing the Internet. Our goal is to allow the Users subnet to access the Internet for ICMP, DNS, and general web traffic.

Diagram

Our example is based on the following diagram. I don't have a public IP address on my lab but just play along and pretend that 10.10.0.7 is a public IP 😊 (This IP is behind my ISP's router)

As you can see in the diagram, the VyOS router has two interfaces. The interface connected to the Users subnet (Eth1) has an IP address of 10.1.1.1/24. There's also a test machine in this subnet with the IP address 10.1.1.15. Our goal is to ensure that this test machine can successfully ping an Internet IP address and browse the general Internet.

VyOS Firewall Basics

I Continue reading

Palo Alto Firewall For Absolute Beginners

Hi all, if you are here, I assume you're looking to learn about Palo Alto Firewalls, and you've come to the right place. In this blog post, we will cover the very basics of Palo Alto firewalls and how to get started.

Prerequisites

This blog post assumes you have a basic understanding of networking concepts such as routing, Layer 3 interfaces, traffic flow, subnets, and the necessity of a firewall. If you’ve previously used firewalls from different vendors, that’s even better, and you should find it easier to understand the concepts. When I first started with Palo Alto firewalls, I was already working as a network engineer and had experience with Cisco ASA firewalls. However, it still took some time for me to fully understand the nuances. Therefore, my focus here is to explain the nuances of Palo Alto firewalls using simple examples.

What We Will Cover?

In this post, we’ll touch on several key topics related to Palo Alto firewalls, providing an overview without diving too deep into any single area. I’ve written numerous posts on Palo Alto firewalls, and I will include links to those for more in-depth exploration. Here’s what we’ll cover.

1. Firewall Basics and Why We Continue reading

How Walking Improved My Daily Productivity?

Recently, walking has become a habit for me, and I absolutely love taking short walks while listening to music or podcasts. It helps me rest and recover mentally, emotionally, and physically. Walking clears my mind and helps me process my emotions and thoughts. In this post, I will cover the benefits I experience from walking and how it improves my productivity.

Taking a Break with a Walk

Every time I feel stressed or need a break from everything around me, I go for a walk. It's a simple act, but it refreshes me more than anything else. These quiet moments alone with my thoughts are important for recharging and gaining a new perspective on whatever is bothering me. Walking not only gives me the physical exercise I need but also eases my mind and allows me to return to my tasks with renewed energy and focus.

Setting Up Palo Alto Firewall in VMWare Workstation

Hi all, welcome back to another Palo Alto Firewall blog post. In this post, we will explore how to add a VM-Series Firewall into VMWare Workstation, set up the interfaces, and make initial configurations. This guide is designed for beginners who want to try the Palo Alto Firewall in their home lab but aren’t sure where to start.

Download the Image from the Palo Alto Portal

The first step is to download the image from the Palo Alto Customer Support Portal. To do this, you will need a valid support contract, as sharing the image with others is not allowed. I understand this can be frustrating, as it may seem like vendors make it difficult for users to access and use their products. However, if you use Palo Alto products at work, you might be able to download it there.

To download the required file, navigate to Updates > Software Updates in the portal. Look for the PA-VM section and download the file named PA-VM-ESX-10.1.3.ova (note that the version might differ).

Prepare VMWare Workstation

When setting up the Palo Alto Firewall in VMWare Workstation, I usually allocate 8 GB of RAM, 60 GB of disk space, Continue reading

Why SecureCRT Works Best for Me?

What’s one tool you find is irreplaceable as a Network Engineer? For me, it’s SecureCRT. I’ve relied on it for over eight years and have picked up plenty of tricks along the way. Whenever I start a new job, I always make a case for the business to invest in SecureCRT licenses. Once my colleagues see what it can do, they often decide to get their own. In this blog post, I’ll walk you through some of its key features. Hopefully, you’ll see the benefits and maybe even consider trying it out for yourself.

Why SecureCRT When You Have Other Free Tools?

But you might wonder why you should pay for SecureCRT when there are free tools available. That's a fair question. If you're on Windows, tools like PuTTY are readily available, and I believe Windows 11 even comes with its own SSH client. For those on MacOS or Linux, the native terminal app usually does the job. There are also plenty of other free tools out there, like iTerm or Tmux. I’ve tried most of them, but I still prefer SecureCRT for the following reasons.

Palo Alto Object and Policy Cleanup with pan-os-php

Hi all, welcome back to yet another Palo Alto Automation post. If you work with firewalls, you know that one of the most time-consuming tasks is decommissioning a single resource or an entire subnet from the firewall (aka removing all the references related to the resource). Let's imagine you have thousands of address objects and several hundred security policies. Now, suppose we decommissioned a server and our task is to remove any references we may have in the firewall. It could be an address object, a member in an address group, or a reference in a security policy. Removing this manually would take a lot of time, so in this blog post, let's look at a very simple way of cleaning this up using pan-os-php.

The Problem with the Manual Approach

Here is the problem with the manual approach. Let’s say we are trying to decommission the IP address 10.10.10.25. Let's say we have an address object created for this server, and it has been referenced in a few address groups and several security policies. If you try to remove the address object first, the firewall will complain because the object is being referenced elsewhere. So, you Continue reading

Global Protect Authentication Cookies and Prevent Multiple MFA Prompts

In this blog post, let's look at a common scenario where users face two MFA prompts when trying to connect to Global Protect VPN. Typically, this happens because MFA has been set up for both the portal and the gateway.

When a user connects to GP, the user first logs into the portal and completes the MFA, then, they automatically attempt to connect to the gateway, which triggers another prompt. We'll look at how to prevent two MFA prompts using authentication cookies, so the user only needs to complete the MFA once.

Global Protect Cookie Authentication

Cookie authentication simplifies the authentication process for users because they will no longer be required to log in to both the portal and the gateway in succession or complete multiple MFAs to authenticate to each. This improves the user experience by minimizing the number of times the users enter credentials.

To keep things simple, when a user logs into Global Protect, we can configure it to generate a 'cookie.' This cookie allows the user to re-authenticate automatically without having to re-enter their credentials or go through MFA again. It's similar to how web browsers remember your login details for websites; once Continue reading

I’m a Network Engineer, I Want to Learn Cloud, What Should I Do?

As a Network Engineer, I often receive messages on LinkedIn and through my blog with people asking, “How do I start learning about Cloud?” After getting so many similar messages, I thought it would be more easier to write a dedicated blog post to address this. If you’re looking for a quick answer, I’ll tell you this, Learning about Cloud is easier than you might think, especially if you’re already familiar with networking concepts like BGP, Subnets and Routing.

Please note, this blog post isn’t intended to teach you everything about AWS but rather to point you in the right direction on how to begin learning. The best way to learn is by actively doing something in AWS and picking up more knowledge as you go.

If You Continue reading

How to Implement 802.1X from Scratch?

If you're a Network Engineer looking to learn what 802.1X is and how you can implement it in your network, you've come to the right place. 802.1X might seem confusing at first glance due to its various components, and the fact that it can be implemented in numerous ways. But don't worry, I'm here to break down each component and simplify the whole process for you. By the end of this post, you'll have a clear understanding of 802.1X and how to set it up, whether for wired or wireless networks.

Here is what we will cover in this blog post.

1. What is our end goal?
2. Network Access Control (NAC)
3. What exactly is 802.1X?
4. What do I need to start using 802.1X?
5. Which protocol to use? (EAP-TLS, PEAP, TEAP)
6. Cisco ISE Introduction
7. Supplicant (end-device) configuration
8. MAB

What is Our End Goal?

Let's talk about our end goal - Imagine our current setup where the WiFi network is secured with just a Pre-Shared Key (PSK) and wired networks are open, allowing anyone to plug in a laptop and gain access. This isn't ideal for security.

Our main aim is to shift towards a more secure authentication Continue reading

Palo Alto – Remove Unused Address Objects Using Pan-OS-PHP

If you’ve worked with Palo Alto firewalls, you might have noticed they don’t make it easy to get rid of unused address objects. It seems like such a basic feature should be included, right? While you could use Expedition for this, it requires setting up a separate server and learning a new tool, which might be more hassle than it’s worth.

I’ve talked before about using a simple Python script to clean up unused address objects (link below), but it was pretty basic and I didn't take many scenarios into account. Today, I want to show you an even easier more sophisticated way to handle this using Pan-OS-PHP. This tool is fantastic because you can use it directly from the command line. You don’t need to know any PHP to get started. Let’s look at how this can make managing your firewall a lot easier.

Palo Alto Firewall - Find and Remove Unused Address Objects

In this blog post, I’ll show you a very simple Python script to find unused address objects from the Palo Alto firewall or Panorama and remove them if needed.

PacketswitchSuresh Vina

AWS Networking Fundamentals for Beginners

Welcome to today's blog post where we're focusing on AWS Networking fundamentals. If you're new to AWS or just want to better understand AWS Networking, you've come to the right place.

We'll start by talking about Regions and Availability Zones (AZ). These are the building blocks of AWS infrastructure. Next, we'll cover how to set up your own Virtual Private Cloud (VPC). This will be your private space in the AWS cloud where you can launch resources. From there, we'll discuss subnets, breaking down the difference between public and private ones. Knowing this will help you better plan your network architecture.

To wrap it all up, we'll go through the steps of creating an EC2 instance (Linux server). Not only that, but we'll also walk you through accessing this instance over the Internet. This will give you a full-circle understanding of AWS networking basics.

Audience

If you're brand new to AWS, don't worry. This blog post focuses on AWS basic networking, so having some general networking knowledge is a plus but not a requirement. I'll explain things in clear detail to make sure everyone can follow along.

For those of you who are Network Engineers or familiar with another cloud Continue reading

Switching Jobs When You Love Your Current One

How many times have you found yourself perfectly comfortable in your current job, only to be tempted by a new opportunity? We’ve all been there. It’s tough to leave a place where you know everyone and everything feels familiar. The new job might turn out to be fantastic, or it could be less than ideal. So, how do we overcome these fears and make the right choice? In this post, I’ll share my own journey, exploring what I learned from my experiences. Hopefully, my story can help you navigate your own career decisions with a bit more confidence.

Early in My Career

I kicked off my career back in 2017, filled with an eagerness to learn and make rapid progress. During those early days, I was truly engaged in my work, often pulling long hours because all I could think about was advancing in my field. After spending a Continue reading

Palo Alto Load Partial Configuration

Hi all, welcome back to yet another Palo Alto Firewall blog. Have you ever wanted to load partial config from one Palo Alto Firewall to another or from a Firewall to Panorama and vice versa? There could be times when you just want to import all address objects from one Firewall to another, for example. We could do this in multiple ways, but there is a simple way of doing this. Let’s get into how you can achieve this with just a few steps.

To demonstrate this, I have a firewall and Panorama. On the firewall, there are a few address objects, address groups, and a security policy that I want to import into Panorama, inside a specific device group. Let’s walk through the steps.

1. Export the configuration - Start by exporting the configuration from the firewall.
2. Import it to Panorama - Next, import that configuration into Panorama.
3. Identify the XPath of the objects - You'll need to find where the objects you want to copy are located in both the firewall and Panorama. Keep in mind, the XPath for these objects might be slightly different between the firewall and Panorama.
4. Copy them over with a command - Finally, run Continue reading