
Using NDNA automation and GRASP to find Juniper Hosts in an NDNA Data Center

This is part one in a multi-post series on identifying different vendors in an NDNA-discovered Cisco network data center.

OUIs were obtained from the following URL:

They were then parsed using the GRASP tool-set to build a list of Juniper OUIs. This list is pre-built for you and appears in step 3 of this article.

Note 1: The OUI database information from the Wireshark website has the following format: 00:00:0D, i.e. it uses a colon every two characters and is all upper case.

Note 2: Cisco IOS and NXOS ARP output has the following format: 0000.0d0d, i.e. it uses a "dot" every four characters and is all lower case.

We must take all of this into account, using GRASP to transform output/input as needed throughout the process.

Note 3: Don't worry about understanding all the grep, regex, awk, and sed syntax in this article. Upcoming articles will get into the theory of what the commands are doing. You can just copy and paste commands directly from this article into the CLI terminal to accomplish the tasks in the article.

/-------------------------/

Procedure:

1. Using NDNA automation within a Data Center, first pull the ARP tables from all devices, using the IOS IP list and the NXOS IP list in an NDNA discovered Data-Center:

Estimated time for the task: 5 minutes

For all IOS devices, run the following command:

sh arp

For all NXOS devices, run the following command:

sh ip arp vrf all

Note: You run it on all IOS devices, since NDNA classifies a device as L2 or L3 based on whether it runs a dynamic routing protocol, so you still need to run discovery for ARP tables on all devices.

Also make sure you don't remove the existing "terminal len 0" command, which is pre-included in all commands files.

2. Build and format your MAC files

Estimated time for the task: 3 minutes

Change into the configs directory of your Data-Center, and review the files created during the automation run (using the ls command):

cd /usr/DataCenters/<your DC name>/DCDP/configs

ls

10.52.0.254_2017-08-21 08:27_nxos_custom.txt 10.53.0.124_2017-08-21 08:27_nxos_custom.txt

10.53.0.125_2017-08-21 08:27_nxos_custom.txt 10.53.0.121_2017-08-21 08:27_nxos_custom.txt

10.53.0.127_2017-08-21 08:27_nxos_custom.txt 10.53.0.123_2017-08-21 08:27_nxos_custom.txt

10.53.0.200_2017-08-21 08:27_ios_custom.txt 10.53.0.203_2017-08-21 08:27_ios_custom.txt

10.53.0.201_2017-08-21 08:27_ios_custom.txt 10.53.0.204_2017-08-21 08:27_ios_custom.txt

10.53.0.202_2017-08-21 08:27_ios_custom.txt 10.53.0.205_2017-08-21 08:27_ios_custom.txt

(Output Omitted)

Parse and pull just the MACs out into a "MAC" file, appending the NXOS MACs to the IOS MACs (into one file).

For IOS

cat *ios*.txt | grep "^Internet" | awk '{print $4}' > macs.txt

For NXOS (append to the same file)

cat *nxos*.txt | grep "^[1-2]" | awk '{print $3}' >> macs.txt

Remove duplicate macs

cat macs.txt | awk '{ if (a[$1]++ ==0) print $0; }' > macs-no-duplicates.txt

Transform the MAC file. This will transform the format into xx:xx:xx:xx:xx:xx to match the format of the OUI info from the Wireshark website.

cat macs-no-duplicates.txt | sed -e 's/./&:/2;s/./&:/8;s/./&:/14' | sed -e 's/\./:/g' > almost-final-macs.txt

Turn lower case characters into upper case to match OUI info from Wireshark website

cat almost-final-macs.txt | sed -e 'y/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz/' > final-macs-lower-to-upper-case.txt

3. Parse MACs to grab Juniper MACs

Estimated time for the task: 2 minutes

Now, we are ready to run extended grep against every Juniper OUI to see if our ARP tables contain any Juniper devices. What egrep is doing here is matching every line that starts with any of these 24-bit prefixes, which covers all Juniper OUIs. The matching MACs are then redirected to a new file called "Juniper-Devices.txt".

Command:

cat final-macs-lower-to-upper-case.txt | egrep "^00:05:85|^00:10:DB|^00:12:1E|^00:14:F6|^00:17:CB|^00:19:E2|^00:1B:C0|^00:1D:B5|^00:1F:12|^00:21:59|^00:22:83|^00:23:9C|^00:24:DC|^00:26:88|^00:31:46|^00:90:69|^08:81:F4|^08:B2:58|^0C:05:35|^0C:86:10|^10:0E:7E|^20:4E:71|^28:8A:1C|^28:A2:4B|^28:C0:DA|^2C:21:31|^2C:21:72|^2C:6B:F5|^30:7C:5E|^30:B6:4F|^38:4F:49|^3C:61:04|^3C:8A:B0|^3C:94:D5|^40:71:83|^40:A6:77|^40:B4:F0|^44:AA:50|^44:F4:77|^4C:16:FC|^4C:96:14|^50:C5:8D|^54:1E:56|^54:4B:8C|^54:E0:32|^58:00:BB|^5C:45:27|^5C:5E:AB|^64:64:9B|^64:87:88|^78:19:F7|^78:FE:3D|^7C:E2:CA|^80:71:1F|^80:AC:AC|^84:18:88|^84:B5:9C|^84:C1:C1|^88:A2:5E|^88:E0:F3|^9C:CC:83|^A8:D0:E5|^AC:4B:C8|^B0:A8:6E|^B0:C6:9A|^C8:E7:F0|^CC:E1:7F|^D0:07:CA|^D4:04:FF|^DC:38:E1|^E8:B6:C2|^EC:13:DB|^EC:3E:F7|^F0:1C:2D|^F4:A7:39|^F4:B5:2F|^F4:CC:55|^F8:C0:01" > Juniper-Devices.txt

If you find any matches here, they are Juniper devices… Let’s first convert the MACs back to Cisco ARP output format....

4. Convert Juniper MACs back to Cisco ARP output format:

Estimated time for the task: 1 minute

Command:

cat Juniper-Devices.txt | sed -e 's/://g' | sed -e 's/./&\./4;s/./&\./9' | sed -e 'y/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz/' > Juniper-Devices-To-Cisco-Mac-Format.txt

5. Circle back to the original ARP files and query them to extract IPs

Estimated time for the task: 2 minutes

Let’s now circle back to the original ARP files and query them to extract IPs

First, we'll pull just the IP and MACs from the original ARP configs (IOS and NXOS) and build one file with all of the information.

Command:

cat *ios*.txt | awk '{print $2 " " $4}' | grep "^[1-2]" > IOS-NXOS-IP-MAC-Combined.txt

cat *nxos*.txt | awk '{print $1 " " $3}' | grep "^[1-2]" >> IOS-NXOS-IP-MAC-Combined.txt

Next, we’ll remove duplicates again

Command:

cat IOS-NXOS-IP-MAC-Combined.txt | awk '{ if (a[$2]++ ==0) print $0; }' > IOS-NXOS-IP-MAC-NO-DUPs.txt

6. Finally, we'll build a shell script to extract the Juniper IPs, completing the procedure.

Estimated time for the task: 2 minutes

So, now we need to make a script to parse the IOS-NXOS-IP-MAC-NO-DUPs.txt file, grepping on each of the Juniper MACs we found, and return the output, giving us back the IPs.

Command:

cat Juniper-Devices-To-Cisco-Mac-Format.txt | sed -e 's/^/cat IOS-NXOS-IP-MAC-NO-DUPs.txt | grep /' | sed -e '1s/^/#!\/bin\/sh\n/' | sed -e 's/\./\\\./'g | sed -e 's/DUPs\\/DUPs/'

The above command will produce the following output if you just hit enter (this is based on me having these three MACs in my Juniper devices file):

#!/bin/sh

cat IOS-NXOS-IP-MAC-NO-DUPs.txt | grep 0012\.1ea4\.a686

cat IOS-NXOS-IP-MAC-NO-DUPs.txt | grep 0012\.1ea4\.a680

cat IOS-NXOS-IP-MAC-NO-DUPs.txt | grep 0012\.1ea4\.a6d0

We need to have the \ character before each . as an escape to let the shell know to treat the "." as a literal when the script runs.

We run this command again and redirect the output to a new shell script called “get-juniper-IPs.sh”

Command:

cat Juniper-Devices-To-Cisco-Mac-Format.txt | sed -e 's/^/cat IOS-NXOS-IP-MAC-NO-DUPs.txt | grep /' | sed -e '1s/^/#!\/bin\/sh\n/' | sed -e 's/\./\\\./'g | sed -e 's/DUPs\\/DUPs/' > get-juniper-IPs.sh

Now, we make this script executable

Command:

chmod 755 get-juniper-IPs.sh

Run the script

Command:

./get-juniper-IPs.sh

10.53.2.205 0012.1ea4.a686

10.53.71.197 0012.1ea4.a680

10.53.71.198 0012.1ea4.a6d0

Output it to a file

Command:

./get-juniper-IPs.sh > Juniper-IPs.txt

----------------------------------------------------------

Total estimated time for the entire procedure: 15 minutes

That’s it!
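Steps 2 through 6 can also be done in one awk pass that converts the OUI list to Cisco's dotted format once, instead of converting every MAC to Wireshark format and back, and that builds the prefix table from the list rather than from a hand-typed alternation. This is an added example, not part of the original procedure or of NDNA; the function names, the tab-separated layout assumed for the OUI file, and the sample ARP rows are constructed for illustration.

```shell
#!/bin/sh
# vendor_prefixes OUI_FILE VENDOR: print Cisco-style prefixes (e.g. 0012.1e) for
# every 24-bit OUI line whose text contains VENDOR (case-insensitive).
vendor_prefixes() {
    awk -v v="$2" 'BEGIN { v = tolower(v) }
        { o = tolower($1) }
        o ~ /^[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]$/ && index(tolower($0), v) {
            gsub(/:/, "", o); print substr(o, 1, 4) "." substr(o, 5, 2)
        }' "$1"
}

# find_vendor_hosts OUI_FILE VENDOR ARP_FILE...
# Print "IP MAC" once per MAC for ARP rows whose MAC begins with a VENDOR OUI.
find_vendor_hosts() {
    list=$(vendor_prefixes "$1" "$2" | tr '\n' ' '); shift 2
    awk -v list="$list" '
        BEGIN {
            n = split(list, p, " "); for (i = 1; i <= n; i++) want[p[i]]
            h = "[0-9a-f]"; re = "^" h h h h "\\." h h h h "\\." h h h h "$"
        }
        # IOS rows start with "Internet" (IP in $2, MAC in $4); NXOS rows start with the IP.
        { if ($1 == "Internet") { ip = $2; mac = $4 } else { ip = $1; mac = $3 } }
        # Header lines and "Incomplete" entries fail the MAC shape check and are dropped.
        mac ~ re && (substr(mac, 1, 7) in want) && !seen[mac]++ { print ip, mac }
    ' "$@"
}

# Constructed sample input: a small OUI list and two saved ARP outputs.
demo=$(mktemp -d)
printf '00:00:0C\tCisco\tCisco Systems, Inc\n00:12:1E\tJuniper\tJuniper Networks\n' > "$demo/ouis.txt"
cat > "$demo/a_ios_custom.txt" <<'EOF'
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.53.2.205            12   0012.1ea4.a686  ARPA   Vlan10
Internet  10.53.2.1               -   0000.0c07.ac0a  ARPA   Vlan10
Internet  10.53.2.9               0   Incomplete      ARPA
EOF
cat > "$demo/b_nxos_custom.txt" <<'EOF'
Address         Age       MAC Address     Interface
10.53.71.197    00:10:22  0012.1ea4.a680  Vlan71
10.53.71.198    00:03:41  0012.1ea4.a6d0  Vlan71
10.53.2.205     00:01:07  0012.1ea4.a686  Vlan10
EOF
find_vendor_hosts "$demo/ouis.txt" juniper "$demo"/*_custom.txt
```

As in step 5, only the first IP seen for each MAC is kept.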

Final notes/Gotchas:

  • For IOS, you’ll need to know whether you need to pull ARP entries on any additional VRFs (NXOS will already pull all VRFs using this procedure). IOS is not so good: you need to know the names of the VRFs.

  • NDNA can quickly discover all the IOS VRFs in the environment as well…this will be in a future post….so that way, you’ll know what VRF key-words to put in when pulling VRF info from IOS devices.

  • Next, you can then move on to pulling mac-tables, e.g. to find the exact ports the devices are connected to (this will also be covered in another blog post…coming soon….)

Stay tuned for more creative ways to use the NDNA program....

Best Regards,

Brett M. Spunt, CCIE No. 12745
