./3_start_network.sh network/6.1_assurance/
Netpicker allows us to validate our device configurations. It can validate anything you can express in code, but it also makes it easy to build validations even if you can't code. Perhaps you'd like to know whether there are known vulnerabilities for a platform version running in your network, or whether your device configurations adhere to your company's security policies? Netpicker can do all of that and more.
To get started we need to tell Netpicker about our devices. Now that we have NetBox as our Network Source of Truth, we’ll be importing our devices from NetBox into Netpicker.
First log in to Netpicker, using the URL printed by the helper script and the lab credentials:
Netpicker URL: ./0_set_envvars.sh | grep -i netpicker
username admin@admin.com
password 12345678
Now click on + Add devices and then click on Import from NetBox. Provide your NetBox URL and NetBox API key and click Next:
NetBox URL: ./0_set_envvars.sh | grep -i netbox
NetBox API Key: 1234567890
On the next screen, under Vault, select autocon_workshop (the vault holds the credentials Netpicker will use to log in to the devices) and then click Next.
Our network devices have now been imported from NetBox into Netpicker!
Netpicker is a powerful tool for staying in control of our device configurations. Let's first ask Netpicker to back up our device configurations. On the Devices screen click Run backups.
Navigate over to Backups and wait for the backups to arrive. You can hit Refresh to update the view until both backups report Success.
You can now inspect the backups. Click on clab-autocon2-srl1, and then click on the backup to view it.
Now that Netpicker has pulled the configuration backups from our devices, we can use the real power of Netpicker: Policies and Rules. Policies are logical groupings of Rules. There are two different types of Rules:
- Simple rules, which check the configuration backup for text (for example, a string that must be present) and need no code.
- Python rules, which are written in code and can therefore express any check Python can, including queries against NetBox.
Let's start by creating a simple rule to check if ntp is configured on our devices. First we need to create a Policy for our simple rule to live in. Click on Policies in the left hand menu bar, and then + Create Policy in the top right. Give your policy a name, and then click Create.
You'll now be taken to your new policy. Click + Add Rule in the top-right. Fill in the following details and click Save.
You'll now be taken to your new rule. Click on Properties, where you can now configure your rule. In this case we're going to define a very simple rule which just checks for the existence of the string ntp in the device's configuration backup.
In the textbox under Must include the text: add ntp and then click Save.
Now that our simple rule is configured, we can test it. Netpicker provides a handy debug mode that we can use to test our rules. In the textbox above the Debug button enter clab-autocon2-srl1 and then click Debug.
After a few seconds you'll see the output of the debug run on the right. In this case, the rule is Not compliant, meaning that ntp is not configured on this device, because the string ntp cannot be found in the configuration backup.
Keep in mind what a text rule can and cannot tell you: the substring ntp would also be found in a backup where NTP is present but set to admin-state disable, or where the string appears in an interface description. A text rule is a quick signal; a precise check of the configured state is what a Python rule is for.
When you're done testing hit Save & Close. You'll now be taken back to the policy you created earlier.
Netpicker Python rules afford us much more flexibility, because we can write our tests in code. Python rules also allow us to query the Source of Truth, NetBox. Let's create a Python rule to check that the hostname on the device is the same as its hostname in NetBox!
In your policy, click + Add Rule in the top-right. Fill in the following details and click Save.
You'll now be taken to your new rule. Click on Properties, where you can now configure your Python rule. In this case our rule is going to check that the hostname defined in NetBox appears in the device's configuration backup.
In the code editor on the right, remove the current content, replace it with the code below and then click Save.
# Severity decorator: a failure of this rule is reported as "medium".
@medium(
    name='rule_check_hostname',
    platform=['nokia_srl'],          # only run against Nokia SR Linux devices
    # commands=dict(version='show version')  # optional live commands, unused here
)
def rule_check_hostname(configuration, commands, device):
    # device.name is the name imported from NetBox; this is a substring test
    # against the whole backup, so it passes as soon as the name appears anywhere.
    assert device.name in configuration
As with our simple rule, you can now use the Netpicker rule debugger to run the rule against clab-autocon2-srl1.
After a few seconds you'll see the output of the debug run on the right. In this case, the rule is Not compliant, meaning that the hostname in NetBox is not present in the device's configuration backup.
When you're done testing hit Save & Close. You'll now be taken back to the policy you created earlier.
We now have two Netpicker rules set up to help us check when our device configurations are not compliant. Our simple rule states that ntp should be configured on the devices, and our Python rule states that the hostname in the device configurations must match the hostname in NetBox. Both are currently failing, so let's fix that.
./3_start_network.sh network/6.2_assurance
First let's fix clab-autocon2-srl1.
username admin
password NokiaSrl1!
ssh admin@clab-autocon2-srl1
# First fix NTP
enter candidate
/ system ntp admin-state enable
/ system ntp network-instance default server 0.pool.ntp.org
/ system ntp network-instance default server 1.pool.ntp.org
commit now
# Then fix the hostname
enter candidate
/ system name host-name clab-autocon2-srl1
commit now
Press Ctrl+D to exit the Nokia SR Linux CLI.
Now let's fix clab-autocon2-srl2.
username admin
password NokiaSrl1!
ssh admin@clab-autocon2-srl2
# First fix NTP
enter candidate
/ system ntp admin-state enable
/ system ntp network-instance default server 0.pool.ntp.org
/ system ntp network-instance default server 1.pool.ntp.org
commit now
# Then fix the hostname
enter candidate
/ system name host-name clab-autocon2-srl2
commit now
Press Ctrl+D to exit the Nokia SR Linux CLI.
We have now configured ntp and added the correct hostname for each of our lab devices, so our network should be compliant. First let's manually inspect the differences.
First we need to ask Netpicker to pull the device configurations again. As we did earlier, go back to Backups and click Backup Now.
You can hit Refresh until you see the Backup date column has been updated to the current time, showing us that new configuration backups have been pulled from our devices. Click on clab-autocon2-srl1 and you'll see that we now have two backups.
Let's compare the two backups to see what has changed. Check the checkboxes on the left of each backup and then click ± Compare.
Tip: if you used the 3_start_network.sh script to skip the manual configuration, you'll see a lot of differences between the two backups.
Scroll through the differences between the two configurations until you find the hostname section.
Keep scrolling until you find the ntp section.
Our changes look good. Let's see if the Netpicker policy agrees!
So far we have been using Netpicker's debug mode to run our rules, but running individual rules per device doesn't scale very well, so let's run our whole policy in one go.
Click Policies on the left hand menu bar and then hit Run Policies. After a short while, you should see that 4 rule runs (our two rules against each of the two devices) have completed successfully.
Next Section – Automated Network Changes – Ansible
You can find the Network Automation Zero to Hero GitHub Repo here.
If you have any questions as you go through the course then pop on over to the NetBox Learning channel on the NetDev Community Slack! If you aren’t already a member then you can sign up for free here.