Cisco NSO – Create Service

In NSO, service is defined in YANG model. And once YANG model is defined and compiled, it will then be encoded to XML. There are few variations to define encode, such as “template only” and “python and template”. As name suggests, template is the most basic pattern, and it directly map the YANG model to XML. While with python some arbitrary operation can be configured based on YANG model before passing any values for XML encode.


Continue reading “Cisco NSO – Create Service”

What license is required to use Cisco API?

Basically you don’t need license to access APIs on the network devices directly, because it’s on base license.

However, if you search “Cisco API” online, or when you follow Cisco Devnet contents, it is confusing because a lot of contents are made around ACI/APIC/DNA. And DNA subscription is mandatory for some devices(e.g. Catalyst9k) now, and it sometimes misleads the customer that DNA subscription is required to use any kind of APIs on Cisco boxes.

Continue reading “What license is required to use Cisco API?”

Cisco Umbrella for Home Use – Good baseline

Is you PC protected at home? Where is your most valuable information stored?

In my case, my most valuable information is stored in my PC at home, or the cloud storage which only my PC can access to. It’s obvious that I need to protect my home network more than anything. It’s really scary for anyone getting your PC hacked like the one in BlackMirror.

Continue reading “Cisco Umbrella for Home Use – Good baseline”

k8s ex04: Security daemon – Cisco Stealthwatch

Network security used to be only deployed to investigate the traffic between north and south(in other word external and internal), but as the cloud and virtualization progress, it is now required to have east to west (intra-site) security investigation. For this purpose, ISFW(inter-segment firewall) is deployed on-premise, but it’s quite difficult if the servers are in the cloud.

And with Kubernetes, it’s even more difficult. Because each pod can be connected each other over some kind of tunnel(e.g. overlay network) as I mentioned in the previous post. So all the communications are somewhat hidden and simple security rule/policy cannot be used to restrict the communication. We use network policy or tools like Istio to restrict these unexpected traffic. But similar to the legacy network, these restrictions are still rely on manual work, we need to make policy by ourselves and it needs to be updated every time new service are procured. This is very difficult, the developer wants to deploy the service as smooth as possible, but the security needs to be guaranteed even though some services are dealt by another team…

Cisco Stealthwatch can be used in these cases as a turnkey security monitor.  As the stealthwatch doesn’t require anything to be changed on kubernetes config, actually it deploys a special host network pod in each worker node as a daemonset. It visualizes the inter-node/external communication dynamically and can send an alert in case unexpected communication happens. Please note that I use Stealthwatch Cloud for this trial.

 

Deploy Stealthwatch in K8s


1. Access Stealthwatch portal, and navigate to Integration > Kubernetes. You can find manifest file for stealthwatch daemonset along with service-key, which identifies your account.

2. Apply manifest files.

 

3. After a few minutes, nodes with stealthwatch pod comes up as a sensor.

That’s all we need to do. With this setup, inter-pod/external communication are monitored and statistics information are sent to Stealthwatch cloud, where all the statistics data is processed.

 

Watch it works


1. After a few data being sent to the stealthwatch cloud, the portal starts to populate the valuable information. Dashboard by default shows the endpoint(in our case it includes pods on each nodes) and total in/out traffic.

2. And it shows any observations and alert as well. These are based on either static pattern(e.g. blacklisted), or behavioural basis(e.g. the traffic pattern is unusual compared to last 36 days).

Because this is my initial deployment it observes communication between controller-1(10.240.0.11) and other worker node are rather high. But this will be considered to be normal after some time.

And of course it can send an alert if there is any alert triggered.

3. You can explore network communication more if you would like to.

The good thing about this deployment is you don’t really have to care much of the things. Because the pod can see the traffic and it can also interact with the API server, it integrates all the real-time information with the historical data, and it nicely summarizes and show the outcome on the portal. And you can use them as a baseline to create security policies.

And it can be extended to GCP(with flow logs), AWS(flow logs), On-Premise(with onsite VM and sensor – e.g. Cat9300) to consolidate all the behavioural monitoring. Maybe I will introduce them in another post.

 

 

Python 100 project #36: Cisco CSR Reverse Shell

Sometimes there are a few occasions that edge network devices are not accessible from remote.  The reason varies from security reasons to environmental reasons(no global ip address is assigned and no access to the ISP router etc). In my previous project, I used code from Python Blackhat to show how Windows PC becomes a victim to expose its command access. In this time, I use this similar code for good.

This can be used to deploy periodically or can be triggered by syslog messages via EEM.

 

Output Example:

[ In the Server ]

 

Here is the code:

[ In Cisco Box ] cisco_revshell_client.py

 

[ In the Server ] cisco_revshell_server.py

 

Python 100 project #31: Cisco IOS Login notification to Slack with EEM

It is best practice and most of the router console is only accessible from certain ip address. Usually it is both from the service provider and internal ip address. But time to time, some of internal staff tries to access the router. It’s still just a tedious problem if there is centralised management system(or any syslog actually) to check those activities. But it will be a problem if the deployment is distributed and not centralised. In this project, I used cisco EEM along with python script so that it posts into the channel if there is any login activities.

 

Output Example:

 

Here is the code:

this is relevant eem config in cisco router-

this is relevant script which is saved as /bootflash/gs_scripts/login_post.py in the router-

 

IOx on Cisco: Launch Python

It’s been a long time since Cisco announced Fog computing, and implemented somewhat of programmability on their network devices. However I had never really looked at those functionalities until very recently.

I’m working in telecom industry and there has been no single day I don’t see Cisco devices, but most (if not all) of deployment is legacy, which utilizes only network function of those devices. It’s good as it is what those devices are meant to do, but I took a look on these new capabilities and found it very useful, and fun!

As Cisco mentioned in their article, these function should be used for non-networking functions. But these will be new weapons for those who knows networking very well to add-on new features as they wish, and on the other hand these will also be a good entry point for those who didn’t take care network(i.e developer, application engineer) until now. One of the most reliable network vendor provides small app platform on their small routers and switches.

 

Enable IOX service


It’s not enabled on boot, so you need to enable services on IOS-XE. As this test is done on CSR1000v on AWS, it uses LXC.

 

The environment is almost ready.

  1. Create connection … VirtualPortGroup, which is the connection point between the IOS and the guest system.
  2. Allocate resource for application
  3. Start application

 

Install NAPALM

Using vendor proprietary API is usually a good option if you have only a few vendor to deal with. But It’s very time consuming, and some vendors don’t have those in-built API.

I have numbers of customers to take care, and there are their own demands. There is no one-fit-all network devices, hence I need to take care several vendors. Definitely I cannot be the master of all the network devices, but it’s a key how I can decrease the time taken by routine tasks(e.g monitoring interface stats) so that I can use other time to concentrate customer specific requirement.

Install NAPALM


NAPALM is registered in PyPI, so all you need to do is just use pip to install along with all the dependencies.

Documentation can be found here.

And you can get the interfaces’ ip address with small script as follows:

And output is as follows:

The beauty of this script is:

  • It doesn’t require IOS device to be configured with restconf nor netconf, just needs to be accessible via ssh.
  • It can retrieve other vendors device information if you change ‘ios’ to other platform, such as ‘fortios’.

API on Cisco: IOS-XE 使ってみる (RESTCONF)

NETCONFに続き、RESTCONFのエントリー

 

このエントリーはRESTCONFの概要と、ルータから情報を引きだせるところまで。

ビデオで概要を知る


参考モジュール: Network Device APIs

  1. Learn to CRUD with GET, POST and DELETE using RESTCONF … RESTCONFの使い方概要

 

ラボ環境を作る


AWSに立てたCSR1000Vでテストを行う

    1. CSR1000Vを立ち上げる
    2. sshでCSR1000Vにアクセス
    3. RESTCONFでアクセスできる設定

 

RESTCONFを使ってみる


GigabitEthernet1の状態を確認するスクリプト

CSR1000Vに対して実行したところ。インタフェースの情報が取得できた。

GigabitEthernet1の設定を変更するスクリプト

実行した結果がこちら。ステータスコードは204なので成功。

もう一度インターフェース情報を取得すると、descriptionが追加されているのが確認できる