Automating Network Device Configuration Parsing with Ansible: Tips and Tricks for Network Engineers

Networking, Cloud & Automation
5 min read · Jun 20, 2023

Dealing with traditional network device configurations can be frustrating. They can be a pain to query and analyze because they lack a predefined schema or data model, and are simply text files where each line represents a single configuration command. This makes it difficult to extract information from them, and to automate tasks such as configuration management and troubleshooting.

Network device configuration snippet (Cisco IOS)

As a result, network engineers and administrators often have to convert network device configurations into a more automation-friendly format. This has several benefits, including the ability to describe the network infrastructure as code, which enables version control and makes it easy to keep track of changes. It also allows the network to be represented in a vendor-neutral format, making infrastructure migration easier. This representation can generate configurations for different network devices from a single source.

By converting network device configurations, engineers and administrators can gain valuable insights into the network. This includes identifying critical functions, potential problems, and opportunities for improvement.

Identifying the hierarchy and sections of network device configuration through indentation is possible, but it comes with a few challenges that need to be addressed. These include:

  • Vendor-specific configuration syntax: Each network device vendor uses its own specific configuration syntax. Even if you only use Cisco devices, you may still encounter different configuration syntaxes.
  • Complexity: Network device configurations can be quite complex, with numerous sections, parameters, and even thousands of lines.
  • Lack of a universal solution: Unfortunately, there is no single, out-of-the-box solution that can parse network device configurations for any device. If you decide to write your own code to parse your network device configurations, the number of Python libraries available can be overwhelming: netcopa, ciscoconfparse, nparser, shconfparser, confparser, and networkparse.

Let’s take a look at how you can use Ansible to parse network device configurations. By automating this process, you can confidently store the outcomes in a version control system, such as GitHub, or as device variables on NetBox.

Our goal is to capture relevant configuration parameters as key-value pairs from a vendor-specific configuration file. We want to group similar items together, such as creating a list of all interfaces with their respective attributes.

We’ll aim to write as little code as possible and avoid using regular expressions. Although they can be effective, they can also be complicated to comprehend and maintain. Additionally, we’ll save time and energy by leveraging open-source content whenever possible.

“It’s agreed upon that open source software is generally more secure and safer than things that are developed in a silo” Mark Zuckerberg

Let me show you an example using a Cisco ASA configuration file. The output will be in YAML format, which you can see in the image below. To ensure consistency, I’m running a playbook within an execution environment with ansible-navigator. This will allow you to easily replicate the same scenario.

Cisco ASA configuration to vendor-neutral YAML

Network Resource Modules

If you’re looking to manage network configuration sections separately (like ACLs, interfaces or VLANs), you might want to check out Ansible’s Network Resource Modules. These modules can parse those sections for you. For instance, you could use the cisco.asa.asa_acls network resource module to generate a YAML file, as the next example shows.

To recreate this, follow these steps:

  1. Clone this repository: https://github.com/nleiva/ansible-parsing-cisco-asa
  2. Run the command ansible-navigator run main.yml -e config=<file> in your terminal, where <file> is your Cisco ASA config file.
  3. The output will be saved in the output folder.

NTC Templates

Network to Code hosts a variety of config templates that can help us parse various sections of a Cisco ASA configuration file. These templates cover areas such as IPSec, IKEv1 encryption and authentication policies, and tunnel groups. In the next example, I loop over some of these template options using the ansible.utils.cli_parse module and select the ansible.netcommon.ntc_templates parser.

Just like before, to recreate this example clone the repository https://github.com/nleiva/ansible-parsing-cisco-asa and run the following command: ansible-navigator run main.yml -e config=<file>.

Ansible Native Parser

Lastly, there is an option that provides more flexibility but may require more effort. This option is not limited to pre-existing content and involves using Ansible native parsers.

With this approach, we need to instruct Ansible on how to parse a configuration line (or command). For instance, if we want to parse object-group network TEST-NETWORK, we can use the getval expression: object-group\s(?P<type>\S+)\s(?P<name>\S+). Although it may seem intimidating at first, it simply involves repeating the same line, using \s to identify spaces and (?P<name>\S+) to identify a value that we want to map to a variable. That’s all there is to it. Afterward, we describe how we want to structure the data in the field result.

It’s important to note that the result field can be a JSON structure, giving us the ability to create more complex data structures such as lists. Big thanks to Sagar Paul for introducing me to this feature!

Once you have your template set up, you can easily loop through it using the ansible.utils.cli_parse module and selecting the ansible.netcommon.native parser.

To try this out for yourself, clone this repository: https://github.com/nleiva/ansible-parsing-cisco-asa. Then, run this command: ansible-navigator run main.yml -e config=<file>.
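The native-parser approach described in this section, as an added example that is not taken from the repository above: a parser template followed by a play that applies it. The file names, the members/kind keys, the object_groups fact and the sample addresses in the example lines are assumptions chosen for illustration; the first getval expression is the one quoted in the text.

```yaml
---
# templates/object_groups.yaml (hypothetical file name)
# Each entry pairs a sample line with a getval regex and a result structure.
- example: "object-group network TEST-NETWORK"
  getval: 'object-group\s(?P<type>\S+)\s(?P<name>\S+)'
  result:
    "{{ name }}":
      type: "{{ type }}"
  # shared: true keeps name and type available to the child lines that follow
  shared: true

- example: " network-object host 192.0.2.10"   # constructed sample line
  getval: '\s+network-object\shost\s(?P<host>\S+)'
  result:
    "{{ name }}":
      members:
        "{{ host }}":
          kind: host

- example: " network-object 198.51.100.0 255.255.255.0"   # constructed sample line
  getval: '\s+network-object\s(?P<network>\d\S+)\s(?P<mask>\S+)'
  result:
    "{{ name }}":
      members:
        "{{ network }}":
          kind: network
          mask: "{{ mask }}"

---
# parse_object_groups.yml (hypothetical playbook name)
- name: Parse object-groups from a saved Cisco ASA configuration
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Apply the template to the configuration text
      ansible.utils.cli_parse:
        # config is the variable passed with -e config=<file>
        text: "{{ lookup('ansible.builtin.file', config) }}"
        parser:
          name: ansible.netcommon.native
          template_path: templates/object_groups.yaml
        set_fact: object_groups

    - name: Show the structured result
      ansible.builtin.debug:
        var: object_groups
```

Only lines that match a getval expression contribute to the result, so configuration lines the template does not name, such as keys and password hashes, stay out of whatever you commit to version control.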

Conclusions

Parsing network device configurations can be a daunting task for network engineers and administrators due to the lack of a predefined schema or data model. However, using Ansible, it is possible to convert network device configurations into an automation-friendly format, allowing for version control and easy tracking of changes. Ansible also provides various options for parsing configurations, including using network resource modules, NTC templates, and Ansible’s native parser. With minimal code and open-source content, automating network device configuration parsing becomes a breeze, saving time and effort for network professionals.


Proud dad working at Red Hat (CCIE, CCDE). Sharing content I create about: networking, automation, programming, golang, ipv6, and open source software.