Using NDNA automation and GRASP to find Palo Alto hosts in an NDNA Data Center

This is "part two" in my series on identifying different vendors in an "NDNA discovered" Cisco Network "Data-Center".

OUIs were obtained from the following URL:

https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=manuf

They were then parsed using the GRASP tool-set to build a list of Palo-Alto OUIs. (This list is, again, pre-built for you) and identified in step 3 of this article.

This article is basically identical to part one of the series, with the exception of the Juniper file names becoming Palo-Alto and parsing the Palo-Alto OUIs.

This shows how easy and repeatable this procedure is for different vendors.

Note 1: The OUI database information from the Wireshark website has the following format: 00:00:0D e.g. Uses a colon every two characters, and uses all CAPs.

Note 2: Cisco IOS and NXOS ARP output has following format: 0000.0d0d. e.g. uses a "dot" every four characters and is all lower case

Must we take all of this into account using GRASP to transform output/input as needed through-out the process.

Note 3: Don't worry about understanding all the grep, regex, awk, and sed syntax in this article. We'll get into the theory more in upcoming articles of what the commands were doing. You can just copy and paste commands directly from this article into the CLI terminal to accomplish the tasks in the article.

/-------------------------/

Procedure:

1. Using NDNA automation within a Data Center, first pull the ARP tables from all devices, using the IOS IP list and the NXOS IP list in an NDNA discovered Data-Center:

Estimated time for the task: 5 minutes

For all IOS devices, run the following command

sh arp

For all NXOS devices sh ip arp vrf all

Note: You run it on all IOS devices, since NDNA classifies a device as L2 or L3 based on if it runs a dynamic routing protocol (or not), so you still need to run discovery for ARP tables on all devices.

and make sure you don't remove the existing "terminal len 0" command which is pre-included in all commands files.

2. Build and format your MAC files

Estimated time for the task: 3 minutes

Change into the configs directory of your Data-Center, and review the files created during the automation run (using the ls command):

cd /usr/DataCenters/<your DC name>/DCDP/configs

ls

10.52.0.254_2017-08-21 08:27_nxos_custom.txt 10.53.0.124_2017-08-21 08:27_nxos_custom.txt

10.53.0.125_2017-08-21 08:27_nxos_custom.txt 10.53.0.121_2017-08-21 08:27_nxos_custom.txt

10.53.0.127_2017-08-21 08:27_nxos_custom.txt 10.53.0.123_2017-08-21 08:27_nxos_custom.txt

10.53.0.200_2017-08-21 08:27_ios_custom.txt 10.53.0.203_2017-08-21 08:27_ios_custom.txt

10.53.0.201_2017-08-21 08:27_ios_custom.txt 10.53.0.204_2017-08-21 08:27_ios_custom.txt

10.53.0.202_2017-08-21 08:27_ios_custom.txt 10.53.0.205_2017-08-21 08:27_ios_custom.txt

(Output Omitted)

Parse and pull just the macs out into “MAC” files appending the NXOS macs to the IOS macs (Into one file)

For IOS

cat *ios*.txt | grep "^Internet"| awk {'print $4'} > macs.txt

For NXOS (append to the same file)

cat *nxos*.txt | grep "^[1-2]" | awk {'print $3'} >> macs.txt

Remove duplicate macs

cat macs.txt | awk '{ if (a[$1]++ ==0) print $0; }' > macs-no-duplicates.txt

Transform the MAC files. This will transform the format into xx:xx:xx:xx:xx:xx to match the format of the OUI info from the wireshark website

cat macs-no-duplicates.txt | sed -e 's/./&:/2;s/./&:/8;s/./&:/14' | sed -e 's/\./:/'g > almost-final-macs.txt

Turn lower case characters into upper case to match OUI info from Wireshark website

cat almost-final-macs.txt | sed -e 'y/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz/' > final-macs-lower-to-upper-case.txt

3. Parse MACs to grab Palo-Alto MACs

Estimated time for the task: 2 minutes

Now, we are ready to run extended grep to parse every Palo Alto OUI to see if our ARP tables contain any Palo-Alto devices. What egrep is doing here is matching every string that starts with each of these 24 bits, which covers all Palo Alto OUIs. It then redirects any matching MACs to a new file called "Palo-Alto-Devices.txt"

Command:

cat final-macs-lower-to-upper-case.txt | egrep

"^00:1B:17|^00:86:9C|^08:30:6B|^08:66:1F|^24:0B:0A|^58:49:3B|^78:6D:94|^B4:0C:25|^D4:1D:71|^D4:F4:BE|^E4:A7:49|^EC:68:81" > Palo-Alto-Devices.txt

If you find any matches here, they are Palo-Alto devices… Let’s first convert the MACs back to Cisco ARP output format....

4. Convert Palo-Alto MACs back to Cisco ARP output format:

Estimated time for the task: 1 minute

Command:

cat Palo-Alto-Devices.txt | sed -e 's/://'g | sed -e 's/./&\./4;s/./&\./9' | sed -e 'y/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz/' > Palo-Alto-Devices-To-Cisco-Mac-Format.txt

5. Circle back to the original ARP files and query them to extract IPs

Estimated time for the task: 2 minutes

Let’s now circle back to the original ARP files and query them to extract IPs

First, we'll pull just the IP and MACs from the original ARP configs (IOS and NXOS) and build one file with all of the information.

Command:

cat *ios*.txt | awk {'print $2 " " $4'} | grep "^[1-2]" > IOS-NXOS-IP-MAC-Combined.txt

cat *nxos*.txt | awk {'print $1 " " $3'} | grep "^[1-2]" >> IOS-NXOS-IP-MAC-Combined.txt

Next, we’ll remove duplicates again

Command:

cat IOS-NXOS-IP-MAC-Combined.txt | awk '{ if (a[$2]++ ==0) print $0; }' > IOS-NXOS-IP-MAC-NO-DUPs.txt

6. Finally, We'll build a Shell Script to extract the Palo-Alto IPs, completing the procedure.

Estimated time for the task: 2 minutes

So, now we need to make a script to parse the IOS-NXOS-IP-MAC-NO-DUPs.txt file, grepping on each of the Palo-Alto MACs we found, and return the output, giving us back the IPs.

Command:

Above command will produce the following output if you just hit enter (This is based on me having these three MACs in my Palo-Alto Devices file):

#!/bin/sh

cat IOS-NXOS-IP-MAC-NO-DUPs.txt | grep 001b\.17a4\.77a6

cat IOS-NXOS-IP-MAC-NO-DUPs.txt | grep 001b\.17a4\.77a7

cat IOS-NXOS-IP-MAC-NO-DUPs.txt | grep 001b\.17a4\.77a8

We need to have the \ character before each . as an escape to let the shell know to treat the "." as a literal when the script runs.

We run this command again and redirect the output to a new shell script called “get-Palo-Alto-IPs.sh”

Command:

Now, we make this script executable

Command:

chmod 755 get-Palo-Alto-IPs.sh

Run the script

Command:

./get-Palo-Alto-IPs.sh

10.11.71.2 001b.17a4.77a6

10.11.71.3 001b.17a4.77a7

10.11.71.4 001b.17a4.77a8

Output it to a file

Command:

./get-Palo-Alto-IPs.sh > Palo-Alto-IPs.txt

----------------------------------------------------------

Total estimated time for the entire procedure: 15 minutes

That’s it!

Final notes/Gotchas:

For IOS, you’ll need to know if you need to pull ARP entries on any additional VRFs -- (NXOS will pull all VRFs using this procedure already). IOS not so good... You need to know the name of the VRFs

NDNA can quickly discover all the IOS VRFs in the environment as well…this will be in a future post….so that way, you’ll know what VRF key-words to put in when pulling VRF info from IOS devices.

Be aware of the 64k file size limit too, as ARP tables can get quite large, so be on the lookout for 64k file size (e.g. in WinSCP you’ll see a file size of 65,535 B) and if so, run automation on these IPs again, but with the command "show arp | begin <somewhere near the end of the original file>" for IOS or "show ip arp | begin <somewhere near the end of the original file>" for NXOS. We’ll also cover this in another post on dealing with 64k file size limitation.

Next, you can then move onto looking into pulling mac-tables, e.g. to find the exact ports the devices are connected to (this will also be covered in another blog post…coming soon….

Stay tuned for more creative ways to use the NDNA program....

Best Regards,

Brett M. Spunt, CCIE No. 12745