Possible to create a perimeter devices group on network automation

Techie
Posts: 2

In Network Automation I am trying to create, ideally, a 'device group' (an interface group, report or view would also be OK) which automatically displays/updates on all non-RFC 1918 addresses as they are discovered (not just the managed device IPs). The standard '$IP Address' is no good, as it relies upon discovery being enabled for the public address space.

So I need it to identify the public IPs from both the managed device IP addresses and any layer 3 interfaces on those devices. I know NetMRI has the data, as I can see all the layer 3 public IP addresses in network discovery.

Help much appreciated.

Thanks

Re: Possible to create a perimeter devices group on network automation

Authority
Posts: 21

Hi,

One type of solution is a custom view for the NetworkExplorer->Inventory->Interfaces->InterfaceConfig table.

You have to prepare a filter for the field "IPAddress" with the operator "contains" and a value like the one below:

/(^(.*,)?[0-9]\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(,.*)?$)|(^(.*,)?((1[1-9])|([2-9][0-9])|(1[0-6][0-9])|(17[01]))\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(,.*)?$)|(^(.*,)?172\.(([0-9])|(1[0-5]))\.[0-9]{1,3}\.[0-9]{1,3}(,.*)?$)|(^(.*,)?172\.((3[2-9])|([4-9][0-9])|([0-9]{3}))\.[0-9]{1,3}\.[0-9]{1,3}(,.*)?$)|(^(.*,)?((17[3-9])|(18[0-9])|(19[01]))\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(,.*)?$)|(^(.*,)?192\.(([0-9])|([1-9][0-9])|(1[0-5][0-9]))\.[0-9]{1,3}\.[0-9]{1,3}(,.*)?$)|(^(.*,)?192\.16[0-7]\.[0-9]{1,3}\.[0-9]{1,3}(,.*)?$)|(^(.*,)?192\.(169|(1[7-9][0-9])|(2[0-9]{2}))\.[0-9]{1,3}\.[0-9]{1,3}(,.*)?$)|(^(.*,)?((19[3-9])|(2[0-9]{2}))\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(,.*)?$)/

 

I prefer to include all public IPs instead of excluding all private IPs, because an interface could have more than one IP; it is possible that one will be private and the second public, and this interface would not be shown because of the exclusion of the private one.

In the regexp there are also two special strings:

^(.*,)? - it means that before the IP there could be any number of any characters with a comma at the end of this expression, OR nothing

(,.*)?$) - it means that after the IP there could be any number of any characters with a comma at the beginning of this expression, OR nothing

It is needed because an interface could have more than one IP and all IPs are separated by commas, e.g.:

10.0.1.1,23.1.1.1

 

This regexp is divided into parts with explanation below:

[0-9]\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}    #0.0.0.0-9.255.255.255
((1[1-9])|([2-9][0-9])|(1[0-6][0-9])|(17[01]))\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}    #11.0.0.0-171.255.255.255
172\.(([0-9])|(1[0-5]))\.[0-9]{1,3}\.[0-9]{1,3}    #172.0.0.0-172.15.255.255
172\.((3[2-9])|([4-9][0-9])|([0-9]{3}))\.[0-9]{1,3}\.[0-9]{1,3}    #172.32.0.0-172.255.255.255
((17[3-9])|(18[0-9])|(19[01]))\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}    #173.0.0.0-191.255.255.255
192\.(([0-9])|([1-9][0-9])|(1[0-5][0-9]))\.[0-9]{1,3}\.[0-9]{1,3}    #192.0.0.0-192.159.255.255
192\.16[0-7]\.[0-9]{1,3}\.[0-9]{1,3}    #192.160.0.0-192.167.255.255
192\.(169|(1[7-9][0-9])|(2[0-9]{2}))\.[0-9]{1,3}\.[0-9]{1,3}    #192.169.0.0-192.255.255.255
((19[3-9])|(2[0-9]{2}))\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}    #193.0.0.0-255.255.255.255

I tested it; AFAIK it works. I hope it helps.

Dariusz
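
A way to check the filter above before relying on it, as an added example that is not part of the original post: the nine alternatives from the breakdown are reassembled into the same expression and compared, on constructed boundary values, against a CIDR-based check built with Python's `ipaddress` module. The function names and sample fields are assumptions made for this illustration.

```python
import ipaddress
import re

O = r"\.[0-9]{1,3}"  # one trailing octet, as written in the post
# The nine alternatives from the post's breakdown, in the same order.
PARTS = [
    r"[0-9]" + O * 3,
    r"((1[1-9])|([2-9][0-9])|(1[0-6][0-9])|(17[01]))" + O * 3,
    r"172\.(([0-9])|(1[0-5]))" + O * 2,
    r"172\.((3[2-9])|([4-9][0-9])|([0-9]{3}))" + O * 2,
    r"((17[3-9])|(18[0-9])|(19[01]))" + O * 3,
    r"192\.(([0-9])|([1-9][0-9])|(1[0-5][0-9]))" + O * 2,
    r"192\.16[0-7]" + O * 2,
    r"192\.(169|(1[7-9][0-9])|(2[0-9]{2}))" + O * 2,
    r"((19[3-9])|(2[0-9]{2}))" + O * 3,
]
# Each alternative is wrapped in the two "special strings" explained in the post.
FILTER = re.compile("|".join("(^(.*,)?" + p + "(,.*)?$)" for p in PARTS))

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def regex_matches(field):
    """True if the forum regex selects this comma-separated IPAddress field."""
    return FILTER.search(field) is not None

def has_non_rfc1918(field):
    """Reference check: any address in the field lies outside RFC 1918."""
    addrs = [ipaddress.ip_address(a) for a in field.split(",")]
    return any(not any(a in net for net in RFC1918) for a in addrs)

def disagreements(fields):
    """Fields on which the regex and the CIDR check give different answers."""
    return [f for f in fields if regex_matches(f) != has_non_rfc1918(f)]

# Constructed sample fields covering every range boundary and the mixed case.
SAMPLES = [
    "9.255.255.255", "10.0.1.1", "11.0.0.0", "10.0.1.1,23.1.1.1",
    "172.15.255.255", "172.16.0.0", "172.31.255.255", "172.32.0.0",
    "192.167.0.1", "192.168.1.1", "192.169.0.1",
    "192.168.1.1,172.20.0.5", "127.0.0.1", "169.254.10.1",
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(f"{f:26} regex={regex_matches(f)!s:5} cidr={has_non_rfc1918(f)}")
    print("disagreements:", disagreements(SAMPLES))
```

Both checks treat anything outside the three RFC 1918 blocks as a match, so loopback (127.0.0.1) and link-local (169.254.x.x) addresses are listed alongside genuinely public ones.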


Re: Possible to create a perimeter devices group on network automation

Techie
Posts: 2

Brilliant, that works a treat.

Thanks for the comprehensive explanation as well :-)

Hopefully in future releases they will build this functionality in, as it's pretty useful from a security perspective to know when new external links are being deployed.

Re: Possible to create a perimeter devices group on network automation

Adviser
Posts: 429

You can use the following for the group :)

 

$ip not in [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]

Follow me on LinkedIn: https://www.linkedin.com/in/sifbaksh
Twitter: https://twitter.com/sifbaksh

www.sifbaksh.com

Re: Possible to create a perimeter devices group on network automation

Expert
Posts: 236

Just change the variable to $ipAddress:

 

$ipaddress not in [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]


Re: Possible to create a perimeter devices group on network automation

Adviser
Posts: 429

So this is a two-parter: you have to discover the devices in order to create the group :)

 
