Exploring the quirks of Network Engineering
Network automation is becoming more and more ubiquitous these days. Configuration generation is a good example of this – why spend time copying and pasting from prepared templates if a script can do it for you?
This small blog post introduces the first Python script to be released on netquirks. The script is called PeerPal and it automates the creation of Cisco eBGP peering configuration by referencing input from both a config file and details gathered by utilising the peeringdb.com API. This serves as a good example of how network automation can make performing regular tasks faster, with fewer errors and more consistency.
The GitHub repo can be found here.
It works by taking in a potential peer's autonomous system number and checking with Peering DB to find the Internet Exchanges at which both your ASN and theirs have a common presence. A list is then presented, one for IPv4 then one for IPv6, allowing you to select which locations to generate the peering config for. It can do this in either IOS or XR format. It reads the neighbor's IP, prefix limits and even IRR descriptions from Peering DB and integrates them into the final output.
Other specifics of the peering, like your ASN, neighbor groups, MD5 passwords, ttl-security or what the operating system format should be, are all stored in a local config file. This can be customised per Internet Exchange.
The best way to demonstrate the script is to give a quick example. Let’s say the ISP netquirks (ASN 1234) wants to peer with ACME (ASN 5678). The script is run like this:

    myhost:peerpal Steve$ python3 ./peerpal.py -p 5678
    The following are the locations where Netquirks and ACME have common IPv4 presence:
    (IPs for ACME are displayed)
    1: LINX LON1 - 192.168.101.1
    2: CATNIX - 10.10.1.50
    3: DE-CIX Frankfurt - 172.16.1.90,172.16.1.95
    4: IXManchester - 10.11.11.25
    5: France-IX Paris - 172.16.31.1,172.16.31.2
    6: DE-CIX_Madrid - 192.168.7.7
    Please enter comma-seperated list of desired peerings (e.g. 1,3,5) or enter 'n' not to peer over IPv4:

The script first lists the Exchange names and their IPv4 IPs. Enter the Exchanges you want to peer at, and then do the same for IPv6…

    myhost:peerpal Steve$ python3 ./peerpal.py -p 5678
    The following are the locations where Netquirks and ACME have common IPv4 presence:
    (IPs for ACME are displayed)
    1: LINX LON1 - 192.168.101.1
    2: CATNIX - 10.10.1.50
    3: DE-CIX Frankfurt - 172.16.1.90,172.16.1.95
    4: IXManchester - 10.11.11.25
    5: France-IX Paris - 172.16.31.1,172.16.31.2
    6: DE-CIX_Madrid - 192.168.7.7
    Please enter comma-separated list of desired peerings (e.g. 1,3,5) or enter 'n' not to peer over IPv4: 2,4
    The following are the locations where Netquirks and ACME have common IPv6 presence:
    (IPs for ACME are displayed)
    1: LINX LON1 - 2001:1111:1::50
    2: CATNIX - 2001:2345:6789::ca7
    3: DE-CIX Frankfurt - 2001:abc:123::1,2001:abc:123::2
    4: IXManchester - 2001:7ff:2:2::ea:1
    5: France-IX Paris - 2001:abab:1aaa::60,2001:abab:1aaa::61
    6: DE-CIX_Madrid - 2001:7f9:e12::fa:0:1
    Please enter comma-separated list of desired peerings (e.g. 1,3,5) or enter 'n' not to peer over IPv6: 6

The output produced looks like this:

    IPv4 Peerings:
    ****************

    The CATNIX IPv4 peerings are as follows:
    =============================================================
    Enter the following config onto these routers:
    cat-rtr1.netquirks.co.uk

    IOS CONFIG
    ----------
    router bgp 5678
     neighbor 10.10.1.50 remote-as 1234
     neighbor 10.10.1.50 description AS-ACME
     neighbor 10.10.1.50 inherit peer-session EXTERNAL
     address-family ipv4 unicast
      neighbor 10.10.1.50 activate
      neighbor 10.10.1.50 maximum-prefix 800 90 restart 60
      neighbor 10.10.1.50 inherit peer-policy CATNIX

    The IXManchester IPv4 peerings are as follows:
    =============================================================
    Enter the following config onto these routers:
    mchr-rtr1.netquirks.co.uk
    mchr-rtr3.netquirks.co.uk

    XR CONFIG
    ----------
    router bgp 5678
     neighbor 10.11.11.25
      remote-as 1234
      use neighbor-group default_v4_neigh_group
      ttl-security
      description AS-ACME
      address-family ipv4 unicast
       maximum-prefix 800 90 restart 60

    IOS CONFIG
    ----------
    router bgp 5678
     neighbor 10.11.11.25 remote-as 1234
     neighbor 10.11.11.25 description AS-ACME
     neighbor 10.11.11.25 inherit peer-session peer-sess-mchr4
     neighbor 10.11.11.25 ttl-security hops 1
     address-family ipv4 unicast
      neighbor 10.11.11.25 activate
      neighbor 10.11.11.25 maximum-prefix 800 90 restart 60
      neighbor 10.11.11.25 inherit peer-policy peer-pol-mchr4

    IPv6 Peerings:
    ****************

    The DE-CIX_Madrid IPv6 peerings are as follows:
    =============================================================

    IOS CONFIG
    ----------
    router bgp 1042
     neighbor 2001:7f9:e12::fa:0:1 remote-as 1234
     neighbor 2001:7f9:e12::fa:0:1 description AS-ACME
     neighbor 2001:7f9:e12::fa:0:1 peer-group Mad1-6
     neighbor 2001:7f9:e12::fa:0:1 ttl-security hops 1
     address-family ipv6 unicast
      neighbor 2001:7f9:e12::fa:0:1 activate
      neighbor 2001:7f9:e12::fa:0:1 maximum-prefix 40 90 restart 60

From the output you can see that there are different specifics based on the internet exchange. Madrid uses ttl-security and peer-groups, whereas CATNIX doesn’t have ttl-security and uses peer session and policy templates. All of these specifics are stored in a local config file:

    [DEFAULT]
    as = 1234
    op_sys = xr
    ttl_sec = true
    xr_neigh_grp_v4 = default_v4_neigh_group
    xr_neigh_grp_v6 = default_v6_neigh_group
    ios_neigh_grp_v4 = default_v4_peer_group
    ios_neigh_grp_v6 = default_v6_peer_group

    [CATNIX]
    routers = cat-rtr1.netquirks.co.uk
    op_sys = ios
    ios_neigh_grp_v4 = EXTERNAL,CATNIX
    ios_neigh_grp_v6 = EXTERNAL,CATNIX6
    ttl_sec = false

    [IXManchester]
    routers = mchr-rtr1.netquirks.co.uk,mchr-rtr3.netquirks.co.uk
    op_sys = both
    ios_neigh_grp_v4 = peer-sess-mchr4,peer-pol-mchr4
    ios_neigh_grp_v6 = peer-sess-mchr6,peer-pol-mchr6

    [France-IX Paris]
    xr_neigh_grp_v4 = FRANCE-NEIGH-IX
    xr_neigh_grp_v6 = FRANCE-NEIGH-IXv6
    ttl_sec = false

    [Exchange_Number_1250]
    as = 1042
    op_sys = ios
    ios_neigh_grp_v4 = Mad1-4
    ios_neigh_grp_v6 = Mad1-6
    correction = DE-CIX_Madrid

The script generally follows the structure of reading from the more specific sections first. If an IX section contains a characteristic like ttl-security, the config for that exchange will use that characteristic. If it is absent, the config will fall back on the DEFAULT section. There are a couple of exceptions to this and full details can be found in the README file on the repo. The script can also specify the routers to put the config onto and show the name of an Internet Exchange if Peering DB doesn’t have one set (DE-CIX_Madrid is an example of this as shown above). Again, full details are in the README.
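The section-then-DEFAULT fallback described above, shown as an added example (this is not PeerPal's own code): it resolves each exchange's effective settings and reports which section decided ttl-security, so an exchange that quietly ends up without it is easy to spot. The config is a trimmed copy of the one in this post; the function names are hypothetical, treating `correction` as the display name is an assumption, and the README's exceptions to the fallback are not modelled.

```python
import configparser

# Constructed subset of the post's config file (neighbor-group keys omitted).
CONFIG = """
[DEFAULT]
as = 1234
op_sys = xr
ttl_sec = true
[CATNIX]
op_sys = ios
ttl_sec = false
[IXManchester]
op_sys = both
[France-IX Paris]
ttl_sec = false
[Exchange_Number_1250]
as = 1042
op_sys = ios
correction = DE-CIX_Madrid
"""

def parse(text=CONFIG):
    # Rename the magic default section so [DEFAULT] is parsed as an ordinary
    # section and the fallback is done explicitly in resolve().
    raw = configparser.ConfigParser(default_section="<unused>")
    raw.read_string(text)
    return raw

def resolve(raw, ix):
    """Return (settings, source): the exchange's own keys win, DEFAULT fills gaps."""
    own = dict(raw[ix]) if raw.has_section(ix) else {}
    merged = {**raw["DEFAULT"], **own}
    source = {k: (ix if k in own else "DEFAULT") for k in merged}
    return merged, source

def ttl_security_report(raw):
    """Map display name -> (ttl-security enabled, section that decided it)."""
    report = {}
    for ix in raw.sections():
        if ix != "DEFAULT":
            cfg, src = resolve(raw, ix)
            enabled = raw.BOOLEAN_STATES[cfg["ttl_sec"].lower()]
            report[cfg.get("correction", ix)] = (enabled, src["ttl_sec"])
    return report

if __name__ == "__main__":
    for name, (enabled, src) in ttl_security_report(parse()).items():
        print(f"{name}: ttl-security={'on' if enabled else 'OFF'} (set in [{src}])")
```

An exchange with no section of its own, such as LINX LON1 here, resolves entirely from DEFAULT.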
This gives a brief introduction to PeerPal. It’s not a revolutionary script by any means but will hopefully come in handy for anyone working on peering or BGP configurations on a regular basis. Future planned features include pushing the actual config to the routers and conducting automated checks to make sure that prefixes and traffic levels adhere to your peering policy – watch this space.
So feel free to clone the repo and give it a go. Thoughts and comments welcome as always.