A Quick Intro to Google’s Capirca

Yeled left a comment earlier this week asking if I’d seen Google’s Capirca.  I’d heard of it and checked out some presentation slides on it, but I’d never actually tried it out, so, in keeping with the script, I downloaded it to see what it could do.  Remember that I’ve only been playing with it for about 2 hours, so I’m no expert on its use.

Capirca is a Python-based solution that Google came up with to automate ACL creation on their many thousands of routers around the world.  You can’t blame them for wanting to automate it, either.  How many times do you think they ran into problems with typos or keying errors from their network guys across those devices?

Capirca is configured similarly to Snort.  The concept is that you define objects like hosts, networks, groups, and services, then you define policies based on those objects.  You run the app against your definitions, and it pukes out ACLs for you.  It can do Cisco ACLs, Juniper ACLs, or IPTables rules, so that may come in handy, but I only care about the Cisco stuff right now.

Like I said, I haven’t messed with it before, but I got it working with very little frustration.  From the root of the application (~/capirca-1.0 in my case), I edited def/NETWORK.net and added some custom objects to it to mess around.  I added my home networks, my public IP address at home, and some of the work networks that I would use to access home services.  Here’s what I added to the sample file.

Now I can use those objects to define some rules for the ACL.  The rules are defined in the policies/ directory and are a little more complicated than the objects, but it’s not that hard.  There are two types of entries in the policy files – headers and terms.  Headers mark the beginning of a new ACL and define which platform (Cisco, Juniper, IPTables) you’re generating for and the name of the list.  The terms sections define the details of the ACL like source, destination, protocol, port, and action.  Here’s the policy file (that I called home.pol) that I added to simulate letting my work IPs get to SSH on my public IP, letting everybody get to HTTP on the same, and denying everything else.

That creates a new Cisco ACL called F00IN (for F0/0 inbound) that allows our interesting traffic and denies everything else.  Now that the policy is configured, all I had to do was run the executable and see what happens.  In the root directory of the application, there’s a Python file called aclgen.py that you run.  Since we put all our definitions and policies in the default locations, all I had to do was run it with no arguments.  The output told me to look in filters/home.acl for my new ACL.  That’s where I found this.
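The post's own NETWORK.net additions and home.pol did not survive on this page, so here is an added example that is not the author's code: constructed definitions and a policy written in Capirca's def/NETWORK.net, def/SERVICES.svc and .pol syntax, plus a small checker of my own (not part of Capirca) that catches undefined tokens and terms shadowed by a catch-all deny before the files ever reach aclgen.py. The addresses are RFC 5737 placeholders, not the author's real ones.

```python
import re
# Constructed Capirca definitions in def/NETWORK.net and def/SERVICES.svc syntax (RFC 5737 placeholders).
NETWORK_NET = """HOME_PUBLIC = 203.0.113.10/32  # my public IP (constructed)
WORK_NETS = 198.51.100.0/24  # office ranges, continuation lines are indented
            192.0.2.0/24"""
SERVICES_SVC = "SSH = 22/tcp\nHTTP = 80/tcp"
# Constructed home.pol: work nets -> SSH, anyone -> HTTP, deny everything else.
HOME_POL = """header {
  target:: cisco F00IN extended
}
term allow-work-ssh {
  source-address:: WORK_NETS
  destination-address:: HOME_PUBLIC
  protocol:: tcp
  destination-port:: SSH
  action:: accept
}
term allow-http {
  destination-address:: HOME_PUBLIC
  protocol:: tcp
  destination-port:: HTTP
  action:: accept
}
term default-deny {
  action:: deny
}"""
def parse_defs(text):
    """NAME -> [values] from a .net/.svc file; indented lines continue the last NAME."""
    defs, name = {}, None
    for line in (l.split("#")[0] for l in text.splitlines()):  # drop trailing comments
        if "=" in line:
            name, _, rest = line.partition("=")
            defs[name.strip()] = rest.split()
        elif line.strip():
            defs[name.strip()].extend(line.split())
    return defs
def parse_terms(text):
    """[(term_name, {key: [tokens]})] for each term block of a .pol file."""
    return [(n, {k: v.split() for k, v in re.findall(r"(\S+)::\s*(.+)", body)})
            for n, body in re.findall(r"\bterm\s+(\S+)\s*\{(.*?)\}", text, re.S)]
def lint(pol, nets, svcs):
    """Report undefined tokens and terms that sit after a term matching all traffic."""
    problems, shadowed = [], False
    for name, f in parse_terms(pol):
        if shadowed:
            problems.append(f"{name}: unreachable, earlier term matches everything")
        for key, defs in ("source-address", nets), ("destination-address", nets), ("destination-port", svcs):
            problems += [f"{name}: undefined token {t} in {key}" for t in f.get(key, []) if t not in defs]
        shadowed |= not (set(f) - {"action", "comment"})  # only action/comment: matches all
    return problems
```

Running lint(HOME_POL, parse_defs(NETWORK_NET), parse_defs(SERVICES_SVC)) returns an empty list for this policy; a term appended after default-deny, or a port token missing from SERVICES.svc, is reported by name.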

Looks fine to me.  I pasted this into a lab router, and it worked like a champ.  I think I’ll put some more time into Capirca to see if I can find a use for it at work.

Send any misspelled Battlestar Galactica references or questions my way.

Director’s Commentary:  I need to get a better mic if I want to keep doing this.
Audio: http://aconaway.com/wp-content/uploads/2010/04/A-Quick-Intro-to-Googles-Capirca.mp3 (A Quick Intro to Google’s Capirca)

Aaron Conaway

I shake my head around sometimes and see what falls out. That's what lands on these pages. If you have any questions, the best way to contact me is through Twitter at @aconaway.


9 comments for “A Quick Intro to Google’s Capirca”

  1. April 12, 2010 at 11:52 am

    This looks interesting and very useful. Where I work we are required to fill out change management for all production changes made to the network. This would help me with tracking and possibly be able to automate some of my processes. Keep me updated on your learning progress, I also will start playing with it.

    BTW Keep up the good work!

  2. September 20, 2010 at 10:06 pm

    Aaron, thanks for taking the time to write up this excellent intro to capirca.  I've listened to your podcast as well, and we will be taking many of your comments (content mgmt, push tools, etc) into consideration for future features and additions.  If you have any additional suggestions, please send them to capirca-dev@googlegroups.com.

  3. July 14, 2014 at 8:42 am

    FYI, a multi-platform config push tool is now available for Capirca.
    It has been released at https://code.google.com/p/ldpush

  4. Sean Cavanaugh
    August 10, 2016 at 4:23 pm

    Hey, do you have any more info on your setup? Have you used this since 2010? It looks like it's still active, but the readme and docs are limited on how to set it up. It looks like, from running it, it requires https://github.com/google/python-gflags. Did you just pip install ipaddr and the other required modules, install the gflags, then it just ‘worked’? This is what I am getting. I feel like I installed something incorrectly b/c this won’t even work ->
    sean@utility ~/capirca $ python aclgen.py --help
    Traceback (most recent call last):
    File "aclgen.py", line 499, in
    File "aclgen.py", line 438, in main
    File "/usr/local/lib/python2.7/dist-packages/gflags/flagvalues.py", line 593, in __call__
    name, value, suggestions=suggestions)
    gflags.exceptions.UnrecognizedFlagError: Unknown command line flag 'help'

  5. Jai
    April 18, 2017 at 9:01 pm

    Thanks for a quick and dirty intro to this super useful tool !!

  6. Sharath
    July 28, 2017 at 2:24 pm

    Is there an update post regarding this? I just started with this and I’m trying to extend the policies. But how do I use this on my system?

  7. sri
    November 11, 2017 at 4:45 pm


    Thank you for the brilliant write up. I have an architectural question. Will I be able to modify capirca to generate rules based on traffic hit count between various resources across networks? That is, if I am going to install a firewall with Permit Any between two networks, and analyze the whole traffic flowing between various IPs to derive hit counts over a period of time, will I be able to generate ACL rules based on this hit count using capirca? Is this doable? In simple words, I would want to generate rules based on traffic flow instead of using predefined policies.
