Automation tools: Paramiko, Netmiko, NAPALM, Ansible, Nornir or ...?

Last post was all about setting up a simple EVE-NG lab with 3 different vendors (Cisco, Juniper and Huawei). In this post, let’s get our hands dirty and get some network automation action going.
1 What are the differences of Paramiko, Netmiko, NAPALM, Ansible and Nornir?
Before we start the network automation lab, I feel obligated to discuss a bit about how different automation tools work and what their differences are.
I’m not an expert in any of the following tools by any stretch, but I will try my best to describe these in layman’s terms based on my experience.
- Paramiko: Just a handy Python SSH library, used for ssh-ing (obviously) to devices.
- Netmiko: Another Python SSH library which is based on Paramiko, but geared more towards network devices. Unlike Paramiko, it supports Telnet. When combined with Python scripts, this tool is sufficient to kickstart your network automation. It is very easy to get started, have the results of your commands printed and screen scrape the things you need with regex, or even better, utilize TextFSM & NTC templates for parsing results. A little caveat is that you must handle multi-threading yourself if the intention is to use Netmiko for a large-scale network.
- NAPALM: A Python library/framework that supports multiple vendors using API. It’s an abstraction framework, and NAPALM’s underlying network drivers will enable it to return the same output for your request (e.g. get_interfaces, get_facts) regardless of which type of device you’re working on. If your devices are not fully supported, you have the option to write your own Python library (which I tried, and I don’t recommend, will discuss in detail later in this post). The NAPALM framework can be used in conjunction with Ansible, Salt and Nornir.
- Ansible: One of the most famous automation tools. The thing with Ansible is that you have to write Ansible playbooks in YAML, which is kind of a double-edged sword; it doesn’t require you to know how to code in Python, but working with only YAML takes away the flexibility of your automation tasks. Ansible IMO is better suited for the overall IT environment rather than network devices.
- Nornir: A Python framework made specifically for network devices, developed and maintained by the same guys who did NAPALM and Netmiko. It’s 100% Python: the framework is written in Python, and you write Python code in order to use Nornir. The NAPALM and Netmiko libraries can act as getters and connection drivers for Nornir. Also, Nornir is multi-threaded and it’s absurdly fast compared to Ansible.
There are some other automation tools that I didn’t mention; like Scrapli, Puppet, Chef, Salt, pyATS, etc.
2 Testing out automation tools (Netmiko, NAPALM, Nornir)
In this section, I’m going to show basic usage of some of the tools covered above.
2.1 SSH Connectivity to devices
First, enable SSH on each device:
Juniper Junos: 20.4R3.8
set system login user juniper class super-user authentication plain-text-password
set system services ssh root-login allow
set system services ssh protocol-version v2
set system services ssh connection-limit 10
Huawei VRP: 8.180
aaa
local-user huawei password irreversible-cipher $1c$jF...
local-user huawei service-type telnet ssh
local-user huawei state block fail-times 3 interval 5
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
idle-timeout 0 0
stelnet server enable
ssh user huawei
ssh user huawei authentication-type all
ssh user huawei service-type all
ssh authorization-type default password
Cisco IOS-XR: 6.1.3
crypto key generate rsa
ssh server v2
line console transport input all
The above commands will give us full SSH connectivity from the outside VM I'm using. Both my EVE-NG VM and my Linux VM (Kali Linux) are configured as NAT, and I will run my automation setup on Kali Linux. Since my NAT is using the 192.168.13.0/24 subnet, I've modified the interface addresses between routers to 10.0.XY.X, instead of the 192.168.XY.X pool. All 3 devices are connected to the Management(Cloud0) node, ensuring their connectivity to my Kali Linux.
2.2 Netmiko
The following is a very simple example of how to use Netmiko ConnectHandler to retrieve show command output from routers. In this example, the send_command() method will return the interface description and IP addresses of each device. If you want to convert the result to structured data, you might want to use TextFSM & NTC templates.
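A sketch of that ConnectHandler/send_command() flow, added here as an example and not the post's own listing. The management addresses, the Cisco user name and the LAB_PASSWORD_* environment variable names are assumptions; passwords come from the environment, and ssh_strict/system_host_keys make Netmiko reject a device whose host key is not already in known_hosts instead of silently accepting it.

```python
import os

# Netmiko device_type -> one read-only command that lists interface addresses.
COMMANDS = {
    "juniper_junos": "show interfaces terse",
    "huawei_vrpv8": "display ip interface brief",
    "cisco_xr": "show ipv4 interface brief",
}
# Constructed lab inventory: addresses and the Cisco user name are assumptions.
LAB = [
    {"host": "192.168.13.11", "device_type": "juniper_junos", "username": "juniper"},
    {"host": "192.168.13.12", "device_type": "huawei_vrpv8", "username": "huawei"},
    {"host": "192.168.13.13", "device_type": "cisco_xr", "username": "cisco"},
]

def build_params(device, env=os.environ):
    """Merge one inventory entry with its password and host-key policy."""
    var = "LAB_PASSWORD_" + device["username"].upper()  # hypothetical variable name
    if var not in env:
        raise KeyError(f"set {var}; passwords are not kept in the script")
    return {
        **device,
        "password": env[var],
        "ssh_strict": True,        # unknown host key aborts the connection
        "system_host_keys": True,  # trust only keys already in ~/.ssh/known_hosts
    }

def collect(devices, connect=None, env=os.environ):
    """Run the per-platform command on each device; return {host: output}."""
    if connect is None:
        from netmiko import ConnectHandler as connect  # imported only for real runs
    results = {}
    for device in devices:
        conn = connect(**build_params(device, env))
        try:
            results[device["host"]] = conn.send_command(COMMANDS[device["device_type"]])
        finally:
            conn.disconnect()
    return results

if __name__ == "__main__":
    for host, output in collect(LAB).items():
        print(f"===== {host} =====\n{output}")
```

With ssh_strict enabled, each router's host key has to be in known_hosts (for example from one manual ssh login) before the script will connect.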
2.3 NAPALM
My plan was to retrieve BGP neighbor info with NAPALM. NAPALM is a very straightforward tool IF all of your device types are supported. However, that’s not the case in our scenario. Huawei routers are not officially supported by NAPALM; there is a community NAPALM library (NAPALM-Huawei-VRP), but that only has very limited functions built-in. My only option was to write my own functions based on the community version. While I was researching, I found out I wasn’t the only one who has attempted this. Michael did some heavy lifting but his code was still missing some parts. Expand the following code snippet for BGP neighbor implementation for Huawei VRP platform. My github repo has complete code so that you don’t have to reinvent the wheel.
Now the NAPALM library is finally ready for action, let’s give it a try!
Unlike what Netmiko did, NAPALM generates structured result for each router. The BGP neighbors result is returned as a dictionary of dictionaries.
With nested dictionaries, you can easily access the elements using the [ ] syntax. This line of code returns the BGP uptime of peer 10.0.12.2 in seconds.
print (juniper_router.get_bgp_neighbors()['global']['peers']['10.0.12.2']['uptime'])
> 211073
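Because the result is a plain nested dictionary, it can be checked against the peerings you intend to have. The following is an added example, not code from the post: it walks a constructed sample in the shape get_bgp_neighbors() returns and reports peers that are unexpected, in the wrong AS, down or missing. The router IDs, AS numbers, prefix counts and every peer other than 10.0.12.2 are assumptions.

```python
# Constructed sample; only peer 10.0.12.2 and its uptime come from the lab above.
SAMPLE = {"global": {"router_id": "10.0.0.1", "peers": {
    "10.0.12.2": {
        "local_as": 65001, "remote_as": 65002, "remote_id": "10.0.0.2",
        "is_up": True, "is_enabled": True, "description": "", "uptime": 211073,
        "address_family": {"ipv4": {"received_prefixes": 4,
                                    "accepted_prefixes": 4, "sent_prefixes": 6}},
    },
    "10.0.13.3": {
        "local_as": 65001, "remote_as": 65099, "remote_id": "0.0.0.0",
        "is_up": False, "is_enabled": True, "description": "", "uptime": -1,
        "address_family": {"ipv4": {"received_prefixes": -1,
                                    "accepted_prefixes": -1, "sent_prefixes": -1}},
    },
}}}

# Intended peerings (assumed): peer address -> expected remote AS.
EXPECTED = {"10.0.12.2": 65002, "10.0.13.3": 65003, "10.0.14.4": 65004}

def audit_bgp(neighbors, expected):
    """Return (vrf, peer, problem) tuples for anything that differs from `expected`."""
    findings, seen = [], set()
    for vrf, table in neighbors.items():
        for addr, info in table["peers"].items():
            seen.add(addr)
            if addr not in expected:
                findings.append((vrf, addr, f"unexpected peer in AS {info['remote_as']}"))
            elif info["remote_as"] != expected[addr]:
                findings.append(
                    (vrf, addr, f"remote AS {info['remote_as']}, expected {expected[addr]}"))
            if not info["is_up"]:
                findings.append((vrf, addr, "session down"))
    for addr in sorted(set(expected) - seen):
        findings.append(("-", addr, "expected peer not present on device"))
    return findings

if __name__ == "__main__":
    for vrf, addr, problem in audit_bgp(SAMPLE, EXPECTED):
        print(f"{vrf:8} {addr:12} {problem}")
```

Against a live device the first argument would be juniper_router.get_bgp_neighbors() instead of SAMPLE.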
2.4 Nornir
2.4.1 Initializing Nornir
In this lab, we are using the SimpleInventory plugin, which stores all the relevant data in three files (hosts.yaml, groups.yaml, defaults.yaml).
We need a config.yaml file to let Nornir know we have inventory files ready for Nornir. You can change multi-thread option in this file as well.
Now we can create Nornir object like below:
As I already mentioned, Nornir supports third-party plugins such as Netmiko, Scrapli, NAPALM, Ansible, Jinja2, Netbox, etc.
Let’s see how we can use Netmiko and NAPALM within Nornir.
2.4.2 Nornir with Netmiko plugin
First off, let’s try the Netmiko plugin. Let’s make it more fun with the use of the Nornir filter function, to select a specific group of routers in our inventory and show BGP neighbor info on that router with Netmiko. Getting the command result requires importing the plugin and running only one line of code.
Result from above code:
2.4.3 Nornir with NAPALM plugin
Now, let’s try the NAPALM plugin for Nornir. This time, I’m using the ~F function to filter routers that are not “huawei_vrpv8”. Then run NAPALM getters to retrieve BGP neighbor info.
Again, NAPALM plugin is capable of returning structured data for easier manipulation of the data.
This lab is merely scratching the surface of what Nornir and other automation tools can achieve.
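The pieces from 2.4.1 to 2.4.3 put together, as an added example that is not the post's own code: config.yaml plus the three SimpleInventory files, InitNornir, a ~F filter and the Netmiko plugin. Host names, addresses, the user name and the worker count are assumptions; the password is deliberately absent from the inventory files and is set on the inventory defaults at run time.

```python
import pathlib

# Constructed inventory for the three lab routers; names, addresses and the
# user name are assumptions. No password is stored in any of these files.
INVENTORY = {
    "hosts.yaml": "R1: {hostname: 192.168.13.11, groups: [juniper]}\n"
                  "R2: {hostname: 192.168.13.12, groups: [huawei]}\n"
                  "R3: {hostname: 192.168.13.13, groups: [cisco]}\n",
    "groups.yaml": "juniper: {platform: juniper_junos}\n"
                   "huawei: {platform: huawei_vrpv8}\n"
                   "cisco: {platform: cisco_xr}\n",
    "defaults.yaml": "username: labuser\n",
}
CONFIG = """\
inventory:
  plugin: SimpleInventory
  options:
    host_file: {d}/hosts.yaml
    group_file: {d}/groups.yaml
    defaults_file: {d}/defaults.yaml
runner:
  plugin: threaded
  options:
    num_workers: 10
"""

def write_lab(directory):
    """Write config.yaml and the three inventory files; return the config path."""
    d = pathlib.Path(directory).resolve()
    d.mkdir(parents=True, exist_ok=True)
    for name, body in INVENTORY.items():
        (d / name).write_text(body)
    (d / "config.yaml").write_text(CONFIG.format(d=d))
    return d / "config.yaml"

def bgp_summary(config_file, password):
    """Run 'show bgp summary' on every router whose platform is not Huawei VRP."""
    from nornir import InitNornir  # Nornir imports are needed only for real runs
    from nornir.core.filter import F
    from nornir_netmiko.tasks import netmiko_send_command
    nr = InitNornir(config_file=str(config_file))
    nr.inventory.defaults.password = password  # injected at run time, never on disk
    targets = nr.filter(~F(platform="huawei_vrpv8"))
    return targets.run(task=netmiko_send_command, command_string="show bgp summary")
```

A real run would be bgp_summary(write_lab("lab"), getpass.getpass()), with the result passed to print_result from nornir_utils.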
3 Which automation tool to use?
Nobody can tell you which automation tool is the best; it all depends on the scenario. A great way to start learning automation is Python combined with Netmiko. Building a lab on either GNS3 or EVE-NG and writing some scripts will build your confidence over time. Although both Netmiko and NAPALM are great in a lab environment, with real-world use cases you may need to take scalability and performance into consideration. Ansible and Nornir are more capable in real-world production networks. Of course, you can make your own multiprocessing/multithreading script with lower-level automation tools as well, but it makes the code more complicated than necessary.
My personal choice of automation tool at the moment is Nornir, as it gives me the flexibility to write in Python, also it’s very powerful when combined with various third-party tools. And it’s fast, according to this speed challenge.