generate‐customer‐routingpolicies - leofurtadonyc/Network-Automation GitHub Wiki
What does generate-customer-routingpolicies do?
This project addresses common challenges organizations operating an Autonomous System face in generating customers’ routing policies. This ensures route leak prevention, network safety, route security, and operational efficiency. This project leverages the get-as-set.py and get-customer-prefixes.py scripts, highlighting the progress made in this repository, and making it far more robust and interesting.
The aim is to automate network routing policies consistently based on best practices, such as the MANRS. This method simplifies the generation and deployment of prefix and AS-path lists and routing policies. This improves the routing security of an Autonomous System and its cone, reducing engineers’ workload. A task that could take several minutes and is prone to errors, potentially causing significant impact on the Internet if mishandled, can be completed in about 10 seconds or less with high reliability and consistency!
These practices are perfect for an Internet Service Provider (ISP) or any organization operating an ASN. This project rapidly and reliably generates prefix lists, AS-path lists, and routing policies for various vendor syntaxes.
There are six scripts in this tiny 'project':
get-as-set.py: This script accepts a single argument from the operator, the Autonomous System Number (ASN). It communicates with PeeringDB to retrieve information about that ASN. The primary focus is on the field named IRR as-set/route-set.get-whois.py: This script performs whois queries (on RADB) to display information about the given ASN and the AS-SET, as obtained from the previous interaction with PeeringDB. The data is displayed to help the user understand the forthcoming process.get-as-rank.py: This script evaluates the ASN reputation using the AS Rank (CAIDA) API. The information is reported to the operator for potential interest.generate-customer-prefixes.py: This script generates AS-Path and prefix lists based on the AS-SET retrieved from PeeringDB by the get-as-set script. It uses BGPq3 to achieve this. Many files will be produced to suit various routing platforms.generate-customer-routingpolicies.py: This script creates routing policy configurations for various supported vendors following the standards defined by Jinja2 templates in thetemplates/folder. It names these files using the ASN and CUSTOMER_NAME variables provided by the user.generate-customer-allconfigurations.py: This is the real deal; the main script. It is invoked to perform the entire task. It requires two arguments: ASN and CUSTOMER_NAME. It attempts to determine the AS-SET automagically from PeeringDB (using the get-as-set.py) before proceeding to other scripts. The option--as-setis available to directly specify the AS-SET name, bypassing the get-as-set.py and proceeding to the remaining scripts.
How does it work?
python generate-customer-allconfigurations.py -h
usage: generate-customer-allconfigurations.py [-h] [--as-set AS_SET] asn customer_name
Generate BGP customer service activation configurations. This script orchestrates the generation of BGP customer service activation configurations. This automation encompasses your routing policies and BGP session
configurations for your customer cone. It incorporates some of the best practices recommended by MANRS, such as prefix and AS-Path filtering. This script does that by invoking five other scripts in a specific order. The
package fetches ASN and AS-SET information using PeeringDB, Whois, and AS Rank APIs and display these outputs to the operator. It then uses the reported AS-SET to generate prefix lists, AS-Path lists, and routing
policies across multiple supported vendor syntaxes using bgpq3. Outputs are stored in generated_prefixes/ and generated_policies/ folders. Templates are located in templates/. Modify them to suit your needs. This script
requires Whois and BGPQ3 to run properly.
positional arguments:
asn Autonomous System Number (ASN).
customer_name Customer name for file and prefix naming.
options:
-h, --help show this help message and exit
--as-set AS_SET Optional: AS-SET to use for expanding IP prefixes. If not provided, will attempt to retrieve from PeeringDB.
Example usage: python3 generate-customer-allconfigurations.py 16509 AS16509:AS-AMAZON AMAZON
Examples:
For the example below, you could run it in two ways: python generate-customer-allconfigurations.py 28260 ALTAREDE or python generate-customer-allconfigurations.py 28260 ALTAREDE --as-set AS-ALTAREDE:
python generate-customer-allconfigurations.py 28260 ALTAREDE
Output from get-as-set.py:
Details of ASN in PeeringDB:
----------------------------
Organization: Altarede Corporate
Company Website: http://www.altarede.com.br
ASN: AS28260
IRR as-set/route-set: AS-ALTAREDE
Route Server URL:
Looking Glass URL: http://lg.altarede.com.br
Network Type: Network Service Provider
IPv4 Prefixes: 10000
IPv6 Prefixes: 1000
Geographic Scope: Regional
Protocols Supported: IPv6 & IPv4
Last Updated: 2022-07-27T05:33:57Z
Output from get-whois.py:
WHOIS data for ASN 28260:
aut-num: AS28260
as-name: ALTAREDE-1
descr: Altarede Corporate
admin-c: Mauricio Iezzi
tech-c: Rodrigo Souza
mnt-by: MAINT-AS28260
changed: [email protected] 20211013 #18:45:36Z
source: RADB
last-modified: 2023-11-13T16:08:17Z
WHOIS data for AS-SET AS-ALTAREDE:
as-set: AS-ALTAREDE
descr: ALL ALTAREDE CUSTUMERS
members: AS61663,AS268155,AS263950,AS262571,AS262709,AS52716,AS267492,AS28590,AS7063,AS264313,AS27697,AS270972,AS61722,AS266171,AS53225,AS267277,AS28138,AS265086,AS270728,AS268701,AS265256,AS52898,AS270409,AS263108,AS264429,AS28640,AS265465,AS263326,AS270548,AS269080,AS269488,AS270952,AS264229,AS267058,AS268194,AS271622,AS267560,AS263411,AS271181,AS266993,AS269004,AS264402,AS270595,AS270870,AS269183,AS263390,AS265301,AS268091,AS271357,AS269559,AS269524,AS268707,AS271370,AS262377,AS264981,AS273639,AS264181,AS264982,AS266544,AS61776,AS271492,AS264485,AS266043,AS271484,AS61751,AS269261,AS262896,AS266196,AS270440,AS263905,AS262781,AS270453,AS265181,AS262754,AS269149,AS267961,AS269537,AS262485,AS271496,AS272710,AS26616,AS52558,AS28204,AS270525,AS272575,AS271415,AS269121,AS264390,AS268286,AS266015,AS272691,AS267334,AS263549,AS61605,AS265419,AS268242,AS265330,AS267373,AS267938,AS61896,AS271403,AS262369,AS262578,AS269457,AS267286,AS264209,AS271566,AS262664,AS273740,AS52876,AS53194,AS266277,AS271080,AS270263,AS263164,AS263934,AS268160,AS267293,AS267211,AS270334,AS270757,AS269127,AS262739,AS269502,AS267007,AS264301,AS268560,AS265393,AS61857,AS264384,AS266290,AS268632,AS52962,AS262974,AS268233,AS265006,AS53142,AS28233,AS52524,AS268508,AS264297,AS61686,AS268131,AS272712,AS52772,AS264570,AS266279,AS28328,AS272707,AS272671,AS272429,AS265100,AS263324,AS269092
members: AS262377,AS262578,AS262656,AS262663,AS263019,AS264096,AS264390,AS264518,AS264988,AS265027,AS265074,AS265116,AS265289,AS265356,AS265365,AS265440,AS266299,AS267027,AS267037,AS267286,AS267442,AS267646,AS267648,AS268023,AS268215,AS268481,AS268526,AS268817,AS268966,AS269115,AS269186,AS269525,AS269619,AS269669,AS269708,AS270273,AS270422,AS270525,AS270529,AS270548,AS270619,AS270702,AS270882,AS270901,AS270938,AS271125,AS271222,AS271263,AS271325,AS271331,AS271403,AS271488,AS271496,AS271506,AS271566,AS271650,AS271704,AS271744,AS272164,AS272182,AS272234,AS272449,AS272566,AS272600,AS272632,AS272642,AS272657,AS28204,AS28210,AS52800,AS52993,AS61670,AS61857,AS271226,AS270928,AS268039,AS271679,AS272691,AS267014,AS272238,AS273663,AS52624,AS270334,AS53225,AS263296,AS268105,AS28138,AS271071,AS61849,AS272782,AS273709,AS267938,AS273639,AS270409,AS272218,AS271586,AS268853,AS271549,AS271336,AS263476,AS270309,AS272235,AS271600,AS266473,AS271152,AS271623,AS269485,AS266327,AS61613,AS28135,AS28640,AS271074,AS269164,AS264446,AS52684,AS269127,AS262781,AS273761,AS273358,AS273373,AS265453,AS266338,AS266545,AS271704,AS266364
members: AS-CONECTJA-CUSTOMERS,AS-NV7-CUSTOMERS,AS-SJNET-CUSTOMERS,AS-OMASTERTELECOM-CUST,AS270334:AS-ANNOUNCEMENTS,AS271370:AS-ANNOUNCEMENTS,AS-WLENET
remarks: AS272691 ## JBM TELECOM
mnt-by: MAINT-AS28260
changed: [email protected] 20240417 # 1455Z
source: RADB
last-modified: 2024-04-17T14:55:28Z
Output from get-as-rank.py:
Details of ASN from CAIDA's AS Rank API:
----------------------------------------
+----------------------+------------------------------------------------+
| Field | Value |
+======================+================================================+
| ASN | 28260 |
+----------------------+------------------------------------------------+
| ASN Name | |
+----------------------+------------------------------------------------+
| Rank | 428 |
+----------------------+------------------------------------------------+
| Organization ID | bc6e522495 |
+----------------------+------------------------------------------------+
| Organization Name | ALTA REDE CORPORATE NETWORK TELECOM LTDA - EPP |
+----------------------+------------------------------------------------+
| Clique Member | True |
+----------------------+------------------------------------------------+
| Seen | True |
+----------------------+------------------------------------------------+
| Location | -22.4006367546925, -42.7639733899981 |
+----------------------+------------------------------------------------+
| Country | Brazil (BR) |
+----------------------+------------------------------------------------+
| Cone ASNs | 101 |
+----------------------+------------------------------------------------+
| Cone Prefixes | 1120 |
+----------------------+------------------------------------------------+
| Cone Addresses | 266752 |
+----------------------+------------------------------------------------+
| Degree | Provider: 5, Peer: 27, Customer: 60 |
+----------------------+------------------------------------------------+
| Announcing Prefixes | 94 |
+----------------------+------------------------------------------------+
| Announcing Addresses | 16384 |
+----------------------+------------------------------------------------+
Output from generate-customer-prefixes.py:
IPv4 commands for cisco_xe written to generated_prefixes/AS28260-ALTAREDE_cisco_xe_ipv4.txt
IPv6 commands for cisco_xe written to generated_prefixes/AS28260-ALTAREDE_cisco_xe_ipv6.txt
IPv4 commands for cisco_xr written to generated_prefixes/AS28260-ALTAREDE_cisco_xr_ipv4.txt
IPv6 commands for cisco_xr written to generated_prefixes/AS28260-ALTAREDE_cisco_xr_ipv6.txt
IPv4 commands for juniper_junos written to generated_prefixes/AS28260-ALTAREDE_juniper_junos_ipv4.txt
IPv6 commands for juniper_junos written to generated_prefixes/AS28260-ALTAREDE_juniper_junos_ipv6.txt
IPv4 commands for huawei_vrp written to generated_prefixes/AS28260-ALTAREDE_huawei_vrp_ipv4.txt
IPv6 commands for huawei_vrp written to generated_prefixes/AS28260-ALTAREDE_huawei_vrp_ipv6.txt
IPv4 commands for huawei_vrp_xpl written to generated_prefixes/AS28260-ALTAREDE_huawei_vrp_xpl_ipv4.txt
IPv6 commands for huawei_vrp_xpl written to generated_prefixes/AS28260-ALTAREDE_huawei_vrp_xpl_ipv6.txt
IPv4 commands for nokia_sros written to generated_prefixes/AS28260-ALTAREDE_nokia_sros_ipv4.txt
IPv6 commands for nokia_sros written to generated_prefixes/AS28260-ALTAREDE_nokia_sros_ipv6.txt
cisco_xe AS-path commands written to generated_prefixes/AS28260-ALTAREDE_cisco_xe_aspath.txt
cisco_xr AS-path commands written to generated_prefixes/AS28260-ALTAREDE_cisco_xr_aspath.txt
juniper_junos AS-path commands written to generated_prefixes/AS28260-ALTAREDE_juniper_junos_aspath.txt
huawei_vrp AS-path commands written to generated_prefixes/AS28260-ALTAREDE_huawei_vrp_aspath.txt
nokia_sros AS-path commands written to generated_prefixes/AS28260-ALTAREDE_nokia_sros_aspath.txt
Output from generate-customer-routingpolicies.py:
Configuration generated successfully: generated_policies/AS28260-ALTAREDE_policies_juniper_junos.txt
Configuration generated successfully: generated_policies/AS28260-ALTAREDE_policies_cisco_xe.txt
Configuration generated successfully: generated_policies/AS28260-ALTAREDE_policies_cisco_xr.txt
Configuration generated successfully: generated_policies/AS28260-ALTAREDE_policies_huawei_vrp.txt
--- Execution Report ---
User: root
AS-SET found in PeeringDB: Yes
AS-SET found in RADB: AS-ALTAREDE
Total Execution Time: 10.68 seconds
The configuration files (AS-Path ACLs, prefix-lists / prefix-sets / route-filter-lists, route-maps / route-policies, etc.) will be saved under the generated_prefixes and generated_policies folders as shown below:
tree generated_*
generated_policies
├── AS266520-VOOB_policies_cisco_xe.txt
├── AS266520-VOOB_policies_cisco_xr.txt
├── AS266520-VOOB_policies_huawei_vrp.txt
├── AS266520-VOOB_policies_juniper_junos.txt
├── AS28260-ALTAREDE_policies_cisco_xe.txt
├── AS28260-ALTAREDE_policies_cisco_xr.txt
├── AS28260-ALTAREDE_policies_huawei_vrp.txt
└── AS28260-ALTAREDE_policies_juniper_junos.txt
generated_prefixes
├── AS266520-VOOB_cisco_xe_aspath.txt
├── AS266520-VOOB_cisco_xe_ipv4.txt
├── AS266520-VOOB_cisco_xe_ipv6.txt
├── AS266520-VOOB_cisco_xr_aspath.txt
├── AS266520-VOOB_cisco_xr_ipv4.txt
├── AS266520-VOOB_cisco_xr_ipv6.txt
├── AS266520-VOOB_huawei_vrp_aspath.txt
├── AS266520-VOOB_huawei_vrp_ipv4.txt
├── AS266520-VOOB_huawei_vrp_ipv6.txt
├── AS266520-VOOB_huawei_vrp_xpl_ipv4.txt
├── AS266520-VOOB_huawei_vrp_xpl_ipv6.txt
├── AS266520-VOOB_juniper_junos_aspath.txt
├── AS266520-VOOB_juniper_junos_ipv4.txt
├── AS266520-VOOB_juniper_junos_ipv6.txt
├── AS266520-VOOB_nokia_sros_aspath.txt
├── AS266520-VOOB_nokia_sros_ipv4.txt
├── AS266520-VOOB_nokia_sros_ipv6.txt
├── AS28260-ALTAREDE_cisco_xe_aspath.txt
├── AS28260-ALTAREDE_cisco_xe_ipv4.txt
├── AS28260-ALTAREDE_cisco_xe_ipv6.txt
├── AS28260-ALTAREDE_cisco_xr_aspath.txt
├── AS28260-ALTAREDE_cisco_xr_ipv4.txt
├── AS28260-ALTAREDE_cisco_xr_ipv6.txt
├── AS28260-ALTAREDE_huawei_vrp_aspath.txt
├── AS28260-ALTAREDE_huawei_vrp_ipv4.txt
├── AS28260-ALTAREDE_huawei_vrp_ipv6.txt
├── AS28260-ALTAREDE_huawei_vrp_xpl_ipv4.txt
├── AS28260-ALTAREDE_huawei_vrp_xpl_ipv6.txt
├── AS28260-ALTAREDE_juniper_junos_aspath.txt
├── AS28260-ALTAREDE_juniper_junos_ipv4.txt
├── AS28260-ALTAREDE_juniper_junos_ipv6.txt
├── AS28260-ALTAREDE_nokia_sros_aspath.txt
├── AS28260-ALTAREDE_nokia_sros_ipv4.txt
└── AS28260-ALTAREDE_nokia_sros_ipv6.txt
2 directories, 42 files
I have incorporated some best practices into the construction of the routing policies, based on a concept commonly used across many ISPs. However, you should tailor these policies to your organization's standards and operational practices. What works for me or others following these guidelines may not be ideal for you. Therefore, I strongly recommend reviewing the Jinja2 templates and making the necessary adjustments to suit your deployment parameters. You can find these templates in the templates/ folder. More templates will be added over time as I'll keep working on new features for this project.
ll templates/
Permissions Size User Date Modified Name
.rw-r--r--@ 976 lfurtado 14 Apr 14:24 cisco_xe_customer_routing_policy.j2
.rw-r--r--@ 1.0k lfurtado 14 Apr 14:25 cisco_xr_customer_routing_policy.j2
.rw-r--r--@ 1.3k lfurtado 14 Apr 14:26 huawei_vrp_customer_routing_policy.j2
.rw-r--r--@ 1.5k lfurtado 8 Apr 17:25 huawei_vrp_xpl_customer_routing_policy.j2
.rw-r--r--@ 3.4k lfurtado 14 Apr 14:28 juniper_junos_customer_routing_policy.j2
Exceptions and overall error handling
I am implementing improvements to address some failure conditions. Recent modifications to the script now account for the following scenarios: the AS-SET is either obtained automatically (through the get-as-set.py script via PeeringDB), or it is supplied by the operator using the --as-set option. If the identified AS-SET, in either case, is not found in RADB (through the get-whois.py script), the main script will distinctly highlight this at the end, as the produced configurations would be essentially useless to consume or deploy:
--- Execution Report ---
User: root
AS-SET found in PeeringDB: Not Searched
AS-SET found in RADB: AS-SET not found
WARNING: Prefix-lists were NOT generated and as-path lists are denying everything because the customer's AS-SET was not found in RADB.
Total Execution Time: 6.69 seconds
I plan to enhance the script further to handle more corner-case scenarios. These include not generating any output when the data received from PeeringDB and RADB is null or inconsistent. I also intend to add new features, such as creating configurations for a specific device type based on an operator-provided option.