
Manipulating IOS with Python

Keeping Cisco Switches Consistent
Author: Kim Oldfield

Introduction
Many people who have worked with Cisco switches and routers running IOS will have looked for better ways of interpreting ACLs, and making changes to a large number of switches. This paper describes several tools I've written in Python to help solve these problems.

acllint   Highlights redundant ACL lines
grepacl   Shows which lines in an ACL will match certain packets.
iosrun    Command line tool and python library for executing commands on IOS
ioslogin  Bring up an interactive command prompt

The programs listed above are available under the GPL and can be found at http://oldfield.wattle.id.au/programs/cisco/.

Compatibility
The programs described here have been used with python versions 2.1 through to 2.3, and would be expected to work with any later version. They have been developed and tested on Linux systems. If you have tried them on other platforms I'd welcome your feedback.

acllint and grepacl do not have any exotic requirements, and would be expected to run anywhere that python will run. iosrun (and ioslogin) are built on top of pexpect and therefore require a working pty module. pexpect is a pure python module which gives a python script functionality similar to expect. They should work on any POSIX system, which includes most Unix systems and Cygwin, but not on standard Windows Python.

acllint
acllint is a command line program which will print out redundant lines in an ACL. It will highlight several situations:
1. The same line is repeated twice in the one ACL.
2. One line covers a superset of packets which would be matched by a later line.
3. One line covers a superset of packets which would be matched by an earlier line, and there are no intervening lines which may cause these packets to be matched.

Features:
- Understands how source and destination IP addresses can overlap
- Understands how source and destination udp and tcp ports can overlap
- Understands port names for services, eg smtp=25 (/etc/services is read)
- Only understands named access lists (does not understand the older numbered access lists)
- Can work on an original router configuration, ie the output from "show run".

68 - Open Source Developers' Conference 2005


Example
Running acllint on sn2.acl from appendix 1 gives:
bash> acllint sn2.acl
Filename sn2.acl, ACL: sn2-in
Line 6 will never match due to line 5.
 5: permit ip 172.16.2.0 0.0.0.255 172.16.0.0 0.0.255.255
 6: deny ip host 172.16.2.8 172.16.44.0 0.0.0.255
Line 9 makes line 6 redundant.
 6: deny ip host 172.16.2.8 172.16.44.0 0.0.0.255
 9: deny ip any any log-input
Line 9 makes line 7 redundant.
 7: deny ip any host 172.19.19.19 ! don't log these
 9: deny ip any any log-input
Filename sn2.acl, ACL: sn2-out
ACL lines are the same.
16: deny udp any any range 135 139
20: deny udp any any range 135 139
Line 21 makes line 16 redundant.
16: deny udp any any range 135 139
21: deny ip any any ! implicit end
Line 21 makes line 20 redundant.
20: deny udp any any range 135 139
21: deny ip any any ! implicit end

acllint concentrates on functional differences - the log and log-input directives are ignored when comparing lines.
IOS adds an implicit "deny ip any any" at the end of all non-empty ACLs. acllint knows about this, hence the non-real line 30 with ! implicit end.

grepacl
Given a (partial) packet specification this program will show which lines in a given ACL may match this packet. Some or all of the following may be specified:
- Protocol (ip, tcp, udp, icmp)
- Source IP address
- Destination IP address
- Source port
- Destination port

grepacl works best with one file for each subnet, where the name of the ACL for packets going out of the router ends with "-out" and the name of the ACL for packets going into the router ends with "-in". grepacl's default action is to check the "-in" ACL, then reverse the source and destination and check the "-out" ACL in the next file. This entire process is then reversed for return packets travelling in the opposite direction. This lets one command check multiple routers for forward and return packets.

Example
bash> grepacl -s 172.16.2.3 -d 172.16.4.4 sn2.acl
file: sn2.acl
ip access-list extended sn2-in
 permit tcp 172.16.2.0 0.0.0.255 any established
 permit ip 172.16.2.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny ip any any log-input
Reversing direction:
file: sn2.acl
ip access-list extended sn2-out
 permit tcp any 172.16.2.0 0.0.0.255 established
 deny udp any any range 135 139
 permit icmp any 172.16.2.0 0.0.0.255
 deny udp any any range 135 139
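The redundancy rules acllint applies (the three situations listed in the acllint section) and the "may match" test grepacl performs both rest on the same two questions about a pair of ACL lines: does one cover every packet the other matches, and could some packet match both. The following is an added example written for this page, not the acllint or grepacl code from the author's site. It uses Python 3's ipaddress module (not available in the Python 2.1 to 2.3 the paper targets), a small hard-coded service-name table in place of /etc/services, handles IPv4 and contiguous wildcard masks only, and its function names (parse_acls, lint, grep_acl) and its numbering of lines within an ACL rather than within the file are its own choices. The ACL text embedded in it is sn2.acl from Appendix 1, so its results can be compared with the two example runs above.

```python
"""Named-ACL parser with acllint-style redundancy checks and grepacl-style matching.
Added example, not the paper's code; ACL text is sn2.acl from the paper's appendix.
Assumes IPv4 and contiguous wildcard masks ('any' for a full wildcard); stdlib only."""
from collections import namedtuple
from ipaddress import ip_network
SERVICES = {"bootps": 67, "bootpc": 68, "smtp": 25}  # small stand-in for /etc/services
ANY_NET, ANY_PORTS = ip_network("0.0.0.0/0"), (0, 65535)
Entry = namedtuple("Entry", "action proto src sport dst dport established")
IMPLICIT = Entry("deny", "ip", ANY_NET, ANY_PORTS, ANY_NET, ANY_PORTS, False)
SN2_ACL = """\
ip access-list extended sn2-in
 permit tcp 172.16.2.0 0.0.0.255 any established
 permit ip 172.16.2.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny ip host 172.16.2.8 172.16.44.0 0.0.0.255
 deny ip any host 172.19.19.19 ! don't log these
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 deny ip any any log-input
ip access-list extended sn2-out
 permit tcp any 172.16.2.0 0.0.0.255 established
 permit ip host 172.7.7.7 172.16.2.0 0.0.0.255 ! dns
 deny udp any any range 135 139
 permit tcp 172.16.8.0 0.0.0.255 172.16.2.0 0.0.1.255 eq 9100
 permit icmp any 172.16.2.0 0.0.0.255
 permit udp 172.16.15.0 0.0.0.255 eq bootps host 255.255.255.255 eq bootpc
 deny udp any any range 135 139
"""

def _take_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; returns (network, remaining tokens)."""
    if tok[0] == "any":
        return ANY_NET, tok[1:]
    if tok[0] == "host":
        return ip_network(tok[1]), tok[2:]
    mask = "32" if tok[1] == "0.0.0.0" else tok[1]  # ipaddress reads a wildcard as a hostmask
    return ip_network("%s/%s" % (tok[0], mask), strict=False), tok[2:]

def _take_port(tok):
    """Consume optional 'eq P' | 'range LO HI' (names via SERVICES); absent means any port."""
    n = {"eq": 1, "range": 2}.get(tok[0] if tok else "", 0)
    ports = tuple(SERVICES.get(t) or int(t) for t in tok[1:n + 1])
    return ((ports * 2)[:2], tok[n + 1:]) if n else (ANY_PORTS, tok)

def parse_entry(line):
    """One permit/deny line; log and log-input are ignored (no effect on matching)."""
    action, proto, *tok = line.split("!")[0].split()  # drop trailing ! comments
    src, tok = _take_addr(tok)
    sport, tok = _take_port(tok)
    dst, tok = _take_addr(tok)
    dport, tok = _take_port(tok)
    return Entry(action, proto, src, sport, dst, dport, "established" in tok)

def parse_acls(text):
    """{acl_name: [Entry, ...]} from 'show run' style text; other lines are skipped."""
    acls, current = {}, None
    for raw in text.splitlines():
        tok = raw.split("!")[0].split()
        if tok[:2] == ["ip", "access-list"]:
            current = acls.setdefault(tok[-1], [])
        elif tok[:1] in (["permit"], ["deny"]) and current is not None:
            current.append(parse_entry(raw))
    return acls

def covers(a, b):
    """Every packet matched by b is also matched by a (actions ignored)."""
    return (a.proto in ("ip", b.proto) and a.src.supernet_of(b.src)
            and a.dst.supernet_of(b.dst) and (b.established or not a.established)
            and all(x[0] <= y[0] and y[1] <= x[1] for x, y in ((a.sport, b.sport), (a.dport, b.dport))))

def overlaps(a, b):
    """Some packet could be matched by both a and b."""
    return (("ip" in (a.proto, b.proto) or a.proto == b.proto)
            and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and all(x[0] <= y[1] and y[0] <= x[1] for x, y in ((a.sport, b.sport), (a.dport, b.dport))))

def lint(entries):
    """acllint-style findings (kind, line, other), 1-based: 'same' (identical lines), 'shadowed'
    (earlier line other covers line) or 'redundant' (later same-action line other covers line
    and no intervening opposite-action line overlaps it). IOS's implicit deny-all is appended."""
    acl = list(entries)
    if acl and not covers(acl[-1], IMPLICIT):
        acl.append(IMPLICIT)
    out = []
    for j, b in enumerate(acl):
        for i, a in enumerate(acl[:j]):
            if a == b:
                out.append(("same", i + 1, j + 1))
            elif covers(a, b):
                out.append(("shadowed", j + 1, i + 1))
            elif covers(b, a) and a.action == b.action and not any(
                    m.action != a.action and overlaps(a, m) for m in acl[i + 1:j]):
                out.append(("redundant", i + 1, j + 1))
    return out

def grep_acl(entries, proto="ip", src="0.0.0.0/0", dst="0.0.0.0/0", sport=ANY_PORTS, dport=ANY_PORTS):
    """grepacl-style: 1-based lines that may match a partial packet (an overlap test)."""
    pkt = Entry("", proto, ip_network(src), (sport,) * 2 if isinstance(sport, int) else sport,
                ip_network(dst), (dport,) * 2 if isinstance(dport, int) else dport, False)
    return [i + 1 for i, e in enumerate(entries) if overlaps(e, pkt)]
if __name__ == "__main__":
    print({name: lint(acl) for name, acl in parse_acls(SN2_ACL).items()})
```

lint() numbers entries within each ACL, so for sn2-in its ("shadowed", 3, 2) is acllint's "Line 6 will never match due to line 5" (file lines 4 to 9 are entries 1 to 6), and for sn2-out entries 3, 7 and the appended implicit deny are file lines 16, 20 and 21. grep_acl() with the source and destination swapped reproduces grepacl's "Reversing direction" run; a protocol or port narrows the set of candidate lines further.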

iosrun
iosrun is a python library which can be used to interact with Cisco switches. It can also be used as a command line tool to run individual commands. In its simplest form iosrun logs in to the switch, runs each specified command in turn, waiting for a command prompt after each one, and logs out after all commands have been run.
Usernames and passwords can either be specified each time the program is used (with the -l and -L options), or they can be stored in ~/.iosrunrc or /etc/iosrunrc. A limited number of usernames and passwords can be listed, which will be tried in order until one succeeds. This is limited to the number of retries your switch will allow (typically 3). Command line operation supports telnet or ssh, and execution of arbitrary user supplied commands. There is extra support for "copy" and "delete" commands, which will automatically press enter at each prompt. Limited support for CatOS is also provided. The full list of command line options can be seen by running iosrun without any arguments:
bash> iosrun
iosrun [-options...] address [+command] command ...
Logs into address, and runs the commands listed.
-c  execute "conf t" before running the command, run "write mem" after
-e  toggle enable mode (default is on)
-i  Ignore comment lines starting with !
-l username[,password[,enablepassword]]
    Use these login details instead of details in iosrunrc
-L username,password,enablepassword
    Append the given login details to the list of login details to attempt
    to connect with. Can be used multiple times to try multiple different logins.
-m  Do not set terminal length=0 (useful for interactive sessions)
-r  Remove carriage returns (^m) from all output
-T timeout  set timeout in seconds
-t  use telnet to connect (default is ssh)
-v  verbose - show all output
address is the IP address or hostname to connect to
+k  keyboard, go interactive, accept command from the user
    Use ^] to exit interactive mode.
+s  Read commands from stdin
+f filename  Read commands from filename
+c src dst  run "copy src dst" pressing enter at prompts
    eg: tftp://10.2.3.4/config scp://user:password@10.2.3.4/file flash:fred
+d file  run "delete file" pressing enter at confirmation prompts

Sample ~/.iosrunrc or /etc/iosrunrc file:
appenddomain .net.example.edu.au
login username,userpassword,enablepassword

"appenddomain" will append the given domain to any filenames to connect to which do not already have a domain name.
"login" my be repeated multiple times. Each login line is tried in order until one succeeds.

Written by Kim Oldfield, 2004, 2005.
$Id: iosrun.py,v 1.31 2005/11/19 05:34:38 kim Exp kim $

Example
Viewing a port configuration:
bash> iosrun switch1 'show run int gig1/0/4'
Session log for switch1:
switch1#show run int gig1/0/4
Building configuration...

Current configuration : 238 bytes
!
interface GigabitEthernet1/0/4
 switchport access vlan 168
 no cdp enable
end

switch1#

Changing a port's vlan:
bash> iosrun -c switch1 'interface gig1/0/4' 'switchport access vlan 122'
Session log for switch1:
switch1(config)#interface gig1/0/4
switch1(config-if)#switchport access vlan 122
switch1(config-if)#end
switch1#wr mem
Building configuration...
[OK]
switch1#

To copy the acls in sn2.acl to a router:
bash> iosrun 172.16.8.1 +c tftp://172.16.7.7/sn2.acl running-config
Session log for 172.16.8.1:
router1#copy tftp://172.16.8.1/sn2.acl running-config
Destination filename [running-config]?
Accessing tftp://172.16.8.1/sn2.acl...
Loading acl/sn2.acl from 172.16.8.1 (via Vlan8): !
[OK - 274 bytes]

For more demanding applications iosrun.py can also be used as a python library. I've used this functionality to write scripts which, amongst other things, log in to a switch, check certain settings and update the switch config where required; upgrade firmware; and back up switch configurations. These scripts are currently highly localised, with hard coded switch settings, firmware versions, and other details, and have not been generally made available.
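The iosrunrc file described in the help text above holds switch passwords in clear, and iosrun tries its login lines in order, bounded by the number of attempts the switch allows. The following is an added example, not iosrun's own code: it parses an iosrunrc-style file, applies appenddomain to bare hostnames, walks the login list with an attempt limit, and refuses to read a file that other users can read. The comment syntax, the optional enable password, and the rule that a name containing a dot already carries a domain are assumptions; the first two lines of the sample file are the ones from the help text, the third is constructed.

```python
"""Reader for an iosrunrc-style credentials file with the appenddomain and
login-order behaviour the paper describes. Added example, not iosrun's own code;
comment syntax, optional enable password and the domain rule are assumptions."""
import os
import stat

# First two lines copied from iosrun's help text; the third is a constructed extra login.
SAMPLE_RC = """\
appenddomain .net.example.edu.au
login username,userpassword,enablepassword
login backup,backuppassword   # constructed: tried only if the first login fails
"""


def parse_iosrunrc(text):
    """Return (domain, [(user, password, enablepassword), ...]) in file order."""
    domain, logins = "", []
    for raw in text.splitlines():
        line = raw.split("#")[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "appenddomain":
            domain = value.strip()
        elif key == "login":
            parts = (value.strip().split(",") + ["", ""])[:3]  # enable password optional
            logins.append(tuple(parts))
    return domain, logins


def qualify(host, domain):
    """Append domain to a bare hostname; a name with a dot (or an IP literal) is left alone."""
    return host + domain if domain and "." not in host else host


def credentials_are_private(mode):
    """True if the st_mode grants no group/other access, as a password file should."""
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))


def load_iosrunrc(path=os.path.expanduser("~/.iosrunrc")):
    """Read and parse the file, refusing one that other users can read."""
    if not credentials_are_private(os.stat(path).st_mode):
        raise PermissionError("%s is readable by other users; chmod 600 it" % path)
    with open(path) as f:
        return parse_iosrunrc(f.read())


def login_in_order(logins, attempt, max_attempts=3):
    """Try each login until attempt(user, password) returns True. Stops after
    max_attempts, the retry count a switch typically allows before dropping you."""
    for user, password, enable in logins[:max_attempts]:
        if attempt(user, password):
            return user, password, enable
    return None


if __name__ == "__main__":
    domain, logins = parse_iosrunrc(SAMPLE_RC)
    print(qualify("switch1", domain), [user for user, _, _ in logins])
```

attempt is whatever performs the real login (in iosrun's case a pexpect session); here it is passed in as a callable so the ordering and the attempt limit can be exercised without a switch.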

ioslogin
ioslogin is a thin wrapper around iosrun which will login to a switch and present an interactive command prompt. This avoids having to type in the passwords stored in ~/.iosrunrc or /etc/iosrunrc.


Alternatives
At the time I started writing iosrun I could not find a similar tool for python. The closest I could find was Net::Telnet::Cisco, which had two problems: it doesn't work with python (perl only), and it does not support ssh (telnet only). The second reason was a show stopper for me, which meant I managed to get out of having to learn any more perl. Switch management can also be performed via SNMP. While this is useful for some types of queries, I've encountered various settings that I know how to check at the command line but have been unable to find out how to access the equivalent information via SNMP. In these situations the quickest way to check the setting on 500 switches is with iosrun.

Conclusion
acllint, grepacl, iosrun, and ioslogin have proved to be invaluable tools for maintaining and updating over 500 Cisco switches and routers. By making them available under the GPL I hope that others can also benefit from them and help improve them.

Appendix 1 - sn2.acl
The somewhat contrived example ACL file sn2.acl used in several examples earlier contains the following (line numbers on the left):
 1 ! file sn2.acl
 2 no ip access-list extended sn2-in
 3 ip access-list extended sn2-in
 4  permit tcp 172.16.2.0 0.0.0.255 any established
 5  permit ip 172.16.2.0 0.0.0.255 172.16.0.0 0.0.255.255
 6  deny ip host 172.16.2.8 172.16.44.0 0.0.0.255
 7  deny ip any host 172.19.19.19 ! don't log these
 8  permit udp any eq bootpc host 255.255.255.255 eq bootps
 9  deny ip any any log-input
10 exit
11
12 no ip access-list extended sn2-out
13 ip access-list extended sn2-out
14  permit tcp any 172.16.2.0 0.0.0.255 established
15  permit ip host 172.7.7.7 172.16.2.0 0.0.0.255 ! dns
16  deny udp any any range 135 139
17  permit tcp 172.16.8.0 0.0.0.255 172.16.2.0 0.0.1.255 eq 9100
18  permit icmp any 172.16.2.0 0.0.0.255
19  permit udp 172.16.15.0 0.0.0.255 eq bootps host 255.255.255.255 eq bootpc
20  deny udp any any range 135 139
21 exit

