A Quick Intro to Google’s Capirca
Yeled left a comment earlier this week asking if I'd seen Google's Capirca. I'd heard of it and looked through some presentation slides on it, but I'd never actually tried it out, so, in keeping with the script, I downloaded it to see what it could do. Keep in mind that I've been playing with it for about two hours, so I'm no expert on its use.
Capirca is a Python-based tool that Google wrote to automate ACL generation for the many thousands of routers it runs around the world. You can't blame them for wanting to automate it, either: how many typos and keying errors do you think their network engineers would make hand-editing ACLs across that many devices?
Capirca is configured much like Snort. You define objects such as hosts, networks, groups, and services, then you write policies in terms of those objects. You run the tool against your definitions, and it pukes out ACLs for you. It can produce Cisco ACLs, Juniper firewall filters, or iptables rules, which may come in handy later, but I only care about the Cisco output right now.
Like I said, I hadn't touched it before, but I got it working with very little frustration. From the root of the application (~/capirca-1.0 in my case), I edited def/NETWORK.net and added some custom objects to play with: my home networks, my public IP address at home, and the work networks I would use to reach services at home. Here's what I added to the sample file.
```
...SNIP...
GUESTS = 10.0.2.0/24
USERS = 10.84.8.0/24
HOMENETS = GUESTS
           USERS
WORKNETS = 192.0.2.0/24
MYPUBLICIP = 192.0.2.1
...SNIP...
```
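The part of that file that is easy to get wrong is the nesting: HOMENETS is not an address at all, it is a group that refers to two other names, and a policy that uses it only does what you expect if every name resolves to exactly the prefixes you think it does. The script below is an added example, not Capirca's own naming code; it handles just the subset of the .net syntax shown above (NAME = values, continuation lines, # comments), expands nested names to collapsed prefixes, refuses circular references, and answers the question "which objects is this IP in?" The sample definitions are constructed to mirror the snippet above.

```python
import ipaddress
from typing import Dict, List

# Constructed sample mirroring the objects added to def/NETWORK.net above.
SAMPLE_NET = """
# comments and blank lines are ignored
GUESTS = 10.0.2.0/24
USERS = 10.84.8.0/24
HOMENETS = GUESTS
           USERS
WORKNETS = 192.0.2.0/24
MYPUBLICIP = 192.0.2.1
"""


def parse_net(text: str) -> Dict[str, List[str]]:
    """Map each object name to its raw tokens (CIDRs or other object names).

    Handles only the subset of the .net syntax used above: NAME = values,
    values continued on following lines, and '#' comments. This is a toy
    parser written for this example, not Capirca's naming library.
    """
    defs: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if '=' in line:
            name, rhs = (part.strip() for part in line.split('=', 1))
            if name in defs:
                raise ValueError(f'duplicate definition of {name}')
            current = name
            defs[name] = rhs.split()
        elif current is not None:
            defs[current].extend(line.split())  # continuation of a multi-value group
        else:
            raise ValueError(f'value before any definition: {raw!r}')
    return defs


def expand(defs: Dict[str, List[str]], name: str, _stack=()) -> List[ipaddress.IPv4Network]:
    """Resolve NAME to a sorted, collapsed list of networks.

    Nested names (HOMENETS = GUESTS USERS) are expanded recursively; a name
    that refers back to itself is reported instead of recursing forever.
    """
    if name in _stack:
        raise ValueError('circular reference: ' + ' -> '.join(_stack + (name,)))
    if name not in defs:
        raise KeyError(f'undefined network object: {name}')
    nets = []
    for token in defs[name]:
        if token in defs:
            nets.extend(expand(defs, token, _stack + (name,)))
        else:
            # A bare host like 192.0.2.1 becomes a /32; strict=True rejects a
            # typo such as 10.0.2.1/24 where host bits are set.
            nets.append(ipaddress.ip_network(token, strict=True))
    return list(ipaddress.collapse_addresses(nets))


def owners(defs: Dict[str, List[str]], address: str) -> List[str]:
    """Every object whose expansion contains ADDRESS, i.e. every rule an IP could hit."""
    ip = ipaddress.ip_address(address)
    return sorted(name for name in defs if any(ip in net for net in expand(defs, name)))


if __name__ == '__main__':
    defs = parse_net(SAMPLE_NET)
    for name in defs:
        print(name, [str(net) for net in expand(defs, name)])
    print('10.84.8.5 is in', owners(defs, '10.84.8.5'))
```

Running it prints each object's expanded prefixes and reports that 10.84.8.5 belongs to both USERS and HOMENETS, which is the kind of check worth running before a group name ends up in a permit term.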
Now I can use those objects to define rules for the ACL. The rules live in the policies/ directory and are a little more involved than the object definitions, but not by much. A policy file has two kinds of entries, headers and terms. A header starts a new ACL and names the platform you're generating for (cisco, juniper, iptables) and the name of the list; the terms that follow it are the individual entries: source, destination, protocol, port, and action. Terms come out in the order you write them and the router evaluates them top down with first match winning, so the catch-all deny goes last. The SSH and HTTP ports come from service objects (def/SERVICES.svc in the sample definitions), the same way the addresses come from NETWORK.net. Here's the policy file (I called it home.pol) that lets my work IPs reach SSH on my public IP, lets everybody reach HTTP on it, and denies everything else.
```
header {
  comment:: "F0/0 Inbound"
  target:: cisco F00IN
}

term permit-ssh-services {
  destination-address:: MYPUBLICIP
  protocol:: tcp
  destination-port:: SSH
  source-address:: WORKNETS
  action:: accept
}

term permit-http-services {
  destination-address:: MYPUBLICIP
  protocol:: tcp
  destination-port:: HTTP
  action:: accept
}

term default-deny {
  action:: deny
}
```
That creates a new Cisco ACL called F00IN (for F0/0 inbound) that permits the interesting traffic and denies everything else. With the policy in place, all that was left was to run the generator. In the root of the application there's a script called aclgen.py; since the definitions and policy sit in the default locations (def/ and policies/), I ran it with no arguments. The output told me to look in filters/home.acl for the new ACL, and this is what I found there.
```
no ip access-list extended F00IN
ip access-list extended F00IN
 remark F0/0 Inbound
 remark permit-ssh-services
 permit 6 192.0.2.0 0.0.0.255 host 192.0.2.1 eq 22
 remark permit-http-services
 permit 6 any host 192.0.2.1 eq 80
 remark default-deny
 deny ip any any
```
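"Looks fine to me" is the usual review process for a generated ACL, and it is exactly the step automation is supposed to remove. The following is an added example, not part of Capirca or of the original post: a small evaluator that parses the permit/deny lines of the extended ACL above (any, host, wildcard masks and eq ports only), applies IOS first-match semantics including the implicit deny, and checks a set of constructed flows against the verdict the policy intends. The ACL text and the flows are embedded as constructed samples; a non-empty mismatch list means the generated ACL does not say what home.pol was meant to say.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The ACL Capirca generated above, embedded here as a constructed sample.
GENERATED_ACL = """\
no ip access-list extended F00IN
ip access-list extended F00IN
 remark F0/0 Inbound
 remark permit-ssh-services
 permit 6 192.0.2.0 0.0.0.255 host 192.0.2.1 eq 22
 remark permit-http-services
 permit 6 any host 192.0.2.1 eq 80
 remark default-deny
 deny ip any any
"""

# IOS accepts protocol names or numbers; 'ip' matches any protocol.
PROTOCOLS = {'ip': None, 'tcp': 6, 'udp': 17, 'icmp': 1, '6': 6, '17': 17, '1': 1}


@dataclass
class Ace:
    action: str
    proto: Optional[int]           # None means any IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # only 'eq PORT' is modelled here
    text: str


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'ADDRESS WILDCARD' pair into a network; wildcard bits are inverted mask bits."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(mask).count('1')
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f'non-contiguous wildcard {wildcard} is not supported here')
    return ipaddress.ip_network(f'{addr}/{prefix}', strict=False)


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') and return it with the rest."""
    if tokens[0] == 'any':
        return ipaddress.ip_network('0.0.0.0/0'), tokens[1:]
    if tokens[0] == 'host':
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> List[Ace]:
    """Parse the permit/deny lines of an extended ACL, skipping remarks and list headers."""
    aces = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ('remark', 'no', 'ip'):
            continue
        if tokens[0] not in ('permit', 'deny'):
            raise ValueError(f'unhandled line: {raw!r}')
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        dport = int(rest[1]) if rest[:1] == ['eq'] else None
        aces.append(Ace(tokens[0], PROTOCOLS[tokens[1]], src, dst, dport, raw.strip()))
    return aces


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str, dport: Optional[int] = None):
    """First match wins, as on IOS; anything unmatched hits the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto is not None and ace.proto != PROTOCOLS[proto]:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return 'deny', 'implicit deny'


# Constructed flows with the verdict the policy intends.
EXPECTED = [
    (('tcp', '192.0.2.77', '192.0.2.1', 22), 'permit'),    # work net to SSH
    (('tcp', '10.0.2.5', '192.0.2.1', 22), 'deny'),        # guest net to SSH
    (('tcp', '198.51.100.9', '192.0.2.1', 80), 'permit'),  # anyone to HTTP
    (('udp', '198.51.100.9', '192.0.2.1', 80), 'deny'),    # wrong protocol
    (('tcp', '198.51.100.9', '192.0.2.1', 443), 'deny'),   # port not in policy
]


def mismatches(aces: List[Ace], expected=EXPECTED):
    """Flows whose verdict differs from the expectation; an empty list means the ACL matches intent."""
    bad = []
    for flow, want in expected:
        got, _ = evaluate(aces, *flow)
        if got != want:
            bad.append((flow, want, got))
    return bad


if __name__ == '__main__':
    acl = parse_acl(GENERATED_ACL)
    for flow, want in EXPECTED:
        print(flow, '->', evaluate(acl, *flow))
    print('mismatches:', mismatches(acl))
```

The point of keeping the expected flows next to the policy is that they double as a regression test: when someone later adds a term or reorders two of them, rerunning this against the regenerated filter catches a guest network that suddenly reaches SSH before the ACL is pasted anywhere.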
Looks fine to me. The 6 is just the protocol number for TCP, which IOS accepts and displays as tcp in the running config, and each term name shows up as a remark above its entry, so the policy is still readable on the box. I pasted this into a lab router, and it worked like a champ. One thing to watch before doing that on a production router: the output starts with no ip access-list extended F00IN, which deletes and recreates the list in place. On IOS an interface whose ip access-group refers to an ACL that doesn't exist passes all traffic, so between that no line and the re-creation the interface is briefly unfiltered, and if the paste fails partway through it stays that way. Generating under a fresh name and then swapping the ip access-group avoids that window. I think I'll put some more time into Capirca to see if I can find a use for it at work.
Send any questions (or misspelled Battlestar Galactica references) my way.
Director’s Commentary: I need to get a better mic if I want to keep doing this.
Audio: https://aconaway.com/wp-content/uploads/2010/04/A-Quick-Intro-to-Googles-Capirca.mp3
This looks interesting and very useful. Where I work we are required to fill out change management for all production changes made to the network. This would help me with tracking and possibly be able to automate some of my processes. Keep me updated on your learning progress, I also will start playing with it.
BTW Keep up the good work!
Aaron, thanks for taking the time to write up this excellent intro to capirca. I've listened to your podcast as well, and we will be taking many of your comments (content mgmt, push tools, etc.) into consideration for future features and additions. If you have any additional suggestions, please send them to capirca-dev@googlegroups.com
FYI, a multi-platform config push tool is now available for Capirca.
It has been released at https://code.google.com/p/ldpush
Hey, do you have any more info on your setup? Have you used this since 2010? It looks like it's still active, but the readme and docs are limited on how to set it up. It looks like, from running it, that it requires https://github.com/google/python-gflags. Did you just pip install ipaddr and the other required modules, install gflags, and then it just 'worked'? This is what I am getting. I feel like I installed something incorrectly b/c this won't even work:

```
sean@utility ~/capirca $ python aclgen.py --help
Traceback (most recent call last):
  File "aclgen.py", line 499, in <module>
    main(sys.argv)
  File "aclgen.py", line 438, in main
    FLAGS(args)
  File "/usr/local/lib/python2.7/dist-packages/gflags/flagvalues.py", line 593, in __call__
    name, value, suggestions=suggestions)
gflags.exceptions.UnrecognizedFlagError: Unknown command line flag 'help'
```
Thanks for a quick and dirty intro to this super useful tool !!
Is there an update post regarding this? I just started with this and I'm trying to extend the policies. But how do I use this on my system?
Hello,
Thank you for the brilliant write up. I have an architectural question. Will I be able to modify capirca to generate rules based on traffic hit count between various resources between networks. That is, if I am going to install a firewall with Permit Any between two networks, and analyze the whole traffic flowing between various IPs to derive hit counts over a period of time; Will I be able to generate ACL rules based on this hit count using capirca. Is this doable? In simple words, I would want to generate rules based on traffic flow instead of using predefined policies.
FYI for anyone stumbling on this. Capirca is kind of neglected these days. You should check out the new fork Aerleon.
https://github.com/aerleon/aerleon