Example 1 with Aaa
use of org.batfish.datamodel.vendor_family.cisco.Aaa in project batfish by batfish.
the class CiscoConfiguration method toVendorIndependentConfiguration.
@Override
public Configuration toVendorIndependentConfiguration() {
final Configuration c = new Configuration(_hostname, _vendor);
c.getVendorFamily().setCisco(_cf);
c.setRoles(_roles);
c.setDefaultInboundAction(LineAction.ACCEPT);
c.setDefaultCrossZoneAction(LineAction.ACCEPT);
c.setDnsServers(_dnsServers);
c.setDnsSourceInterface(_dnsSourceInterface);
c.setDomainName(_domainName);
c.setNormalVlanRange(new SubRange(VLAN_NORMAL_MIN_CISCO, VLAN_NORMAL_MAX_CISCO));
c.setTacacsServers(_tacacsServers);
c.setTacacsSourceInterface(_tacacsSourceInterface);
c.setNtpSourceInterface(_ntpSourceInterface);
if (_cf.getNtp() != null) {
c.setNtpServers(new TreeSet<>(_cf.getNtp().getServers().keySet()));
}
if (_cf.getLogging() != null) {
c.setLoggingSourceInterface(_cf.getLogging().getSourceInterface());
c.setLoggingServers(new TreeSet<>(_cf.getLogging().getHosts().keySet()));
}
c.setSnmpSourceInterface(_snmpSourceInterface);
processLines();
processFailoverSettings();
// remove line login authentication lists if they don't exist
for (Line line : _cf.getLines().values()) {
String list = line.getLoginAuthentication();
boolean found = false;
Aaa aaa = _cf.getAaa();
if (aaa != null) {
AaaAuthentication authentication = aaa.getAuthentication();
if (authentication != null) {
AaaAuthenticationLogin login = authentication.getLogin();
if (login != null && login.getLists().containsKey(list)) {
found = true;
}
}
}
if (!found) {
line.setLoginAuthentication(null);
}
}
// initialize vrfs
for (String vrfName : _vrfs.keySet()) {
c.getVrfs().put(vrfName, new org.batfish.datamodel.Vrf(vrfName));
}
// snmp server
if (_snmpServer != null) {
String snmpServerVrf = _snmpServer.getVrf();
c.getVrfs().get(snmpServerVrf).setSnmpServer(_snmpServer);
}
// convert as path access lists to vendor independent format
for (IpAsPathAccessList pathList : _asPathAccessLists.values()) {
AsPathAccessList apList = toAsPathAccessList(pathList);
c.getAsPathAccessLists().put(apList.getName(), apList);
}
// convert as-path-sets to vendor independent format
for (AsPathSet asPathSet : _asPathSets.values()) {
AsPathAccessList apList = toAsPathAccessList(asPathSet);
c.getAsPathAccessLists().put(apList.getName(), apList);
}
// convert standard/expanded community lists to community lists
for (StandardCommunityList scList : _standardCommunityLists.values()) {
ExpandedCommunityList ecList = scList.toExpandedCommunityList();
CommunityList cList = toCommunityList(ecList);
c.getCommunityLists().put(cList.getName(), cList);
}
for (ExpandedCommunityList ecList : _expandedCommunityLists.values()) {
CommunityList cList = toCommunityList(ecList);
c.getCommunityLists().put(cList.getName(), cList);
}
// convert prefix lists to route filter lists
for (PrefixList prefixList : _prefixLists.values()) {
RouteFilterList newRouteFilterList = toRouteFilterList(prefixList);
c.getRouteFilterLists().put(newRouteFilterList.getName(), newRouteFilterList);
}
// convert ipv6 prefix lists to route6 filter lists
for (Prefix6List prefixList : _prefix6Lists.values()) {
Route6FilterList newRouteFilterList = toRoute6FilterList(prefixList);
c.getRoute6FilterLists().put(newRouteFilterList.getName(), newRouteFilterList);
}
// convert standard/extended access lists to access lists or route filter
// lists
List<ExtendedAccessList> allACLs = new ArrayList<>();
for (StandardAccessList saList : _standardAccessLists.values()) {
ExtendedAccessList eaList = saList.toExtendedAccessList();
allACLs.add(eaList);
}
allACLs.addAll(_extendedAccessLists.values());
for (ExtendedAccessList eaList : allACLs) {
if (usedForRouting(eaList)) {
String msg = "used for routing";
StandardAccessList parent = eaList.getParent();
if (parent != null) {
parent.getReferers().put(this, msg);
} else {
eaList.getReferers().put(this, msg);
}
RouteFilterList rfList = toRouteFilterList(eaList);
c.getRouteFilterLists().put(rfList.getName(), rfList);
}
IpAccessList ipaList = toIpAccessList(eaList);
c.getIpAccessLists().put(ipaList.getName(), ipaList);
}
// convert standard/extended ipv6 access lists to ipv6 access lists or
// route6 filter
// lists
List<ExtendedIpv6AccessList> allIpv6ACLs = new ArrayList<>();
for (StandardIpv6AccessList saList : _standardIpv6AccessLists.values()) {
ExtendedIpv6AccessList eaList = saList.toExtendedIpv6AccessList();
allIpv6ACLs.add(eaList);
}
allIpv6ACLs.addAll(_extendedIpv6AccessLists.values());
for (ExtendedIpv6AccessList eaList : allIpv6ACLs) {
if (usedForRouting(eaList)) {
String msg = "used for routing";
StandardIpv6AccessList parent = eaList.getParent();
if (parent != null) {
parent.getReferers().put(this, msg);
} else {
eaList.getReferers().put(this, msg);
}
Route6FilterList rfList = toRoute6FilterList(eaList);
c.getRoute6FilterLists().put(rfList.getName(), rfList);
}
Ip6AccessList ipaList = toIp6AccessList(eaList);
c.getIp6AccessLists().put(ipaList.getName(), ipaList);
}
// convert route maps to policy maps
Set<RouteMap> routingRouteMaps = getRoutingRouteMaps();
for (RouteMap map : _routeMaps.values()) {
convertForPurpose(routingRouteMaps, map);
// convert route maps to RoutingPolicy objects
RoutingPolicy newPolicy = toRoutingPolicy(c, map);
c.getRoutingPolicies().put(newPolicy.getName(), newPolicy);
}
// convert RoutePolicy to RoutingPolicy
for (RoutePolicy routePolicy : _routePolicies.values()) {
RoutingPolicy routingPolicy = toRoutingPolicy(c, routePolicy);
c.getRoutingPolicies().put(routingPolicy.getName(), routingPolicy);
}
// convert interfaces
_interfaces.forEach((ifaceName, iface) -> {
org.batfish.datamodel.Interface newInterface = toInterface(iface, c.getIpAccessLists(), c);
String vrfName = iface.getVrf();
if (vrfName == null) {
throw new BatfishException("Missing vrf name for iface: '" + iface.getName() + "'");
}
c.getInterfaces().put(ifaceName, newInterface);
c.getVrfs().get(vrfName).getInterfaces().put(ifaceName, newInterface);
});
// apply vrrp settings to interfaces
applyVrrp(c);
// get IKE proposals
for (Entry<String, IsakmpPolicy> e : _isakmpPolicies.entrySet()) {
c.getIkeProposals().put(e.getKey(), e.getValue().getProposal());
}
addIkePoliciesAndGateways(c);
// ipsec proposals
for (Entry<String, IpsecTransformSet> e : _ipsecTransformSets.entrySet()) {
c.getIpsecProposals().put(e.getKey(), e.getValue().getProposal());
}
// ipsec policies
for (Entry<String, IpsecProfile> e : _ipsecProfiles.entrySet()) {
String name = e.getKey();
IpsecProfile profile = e.getValue();
IpsecPolicy policy = new IpsecPolicy(name);
policy.setPfsKeyGroup(profile.getPfsGroup());
String transformSetName = profile.getTransformSet();
if (c.getIpsecProposals().containsKey(transformSetName)) {
policy.getProposals().put(transformSetName, c.getIpsecProposals().get(transformSetName));
}
c.getIpsecPolicies().put(name, policy);
}
// ipsec vpns
for (Entry<String, Interface> e : _interfaces.entrySet()) {
String name = e.getKey();
Interface iface = e.getValue();
Tunnel tunnel = iface.getTunnel();
if (tunnel != null && tunnel.getMode() == TunnelMode.IPSEC) {
IpsecVpn ipsecVpn = new IpsecVpn(name, c);
ipsecVpn.setBindInterface(c.getInterfaces().get(name));
ipsecVpn.setIpsecPolicy(c.getIpsecPolicies().get(tunnel.getIpsecProfileName()));
Ip source = tunnel.getSource();
Ip destination = tunnel.getDestination();
if (source == null || destination == null) {
_w.redFlag("Can't match IkeGateway: tunnel source or destination is not set for " + name);
} else {
for (IkeGateway ikeGateway : c.getIkeGateways().values()) {
if (source.equals(ikeGateway.getLocalIp()) && destination.equals(ikeGateway.getAddress())) {
ipsecVpn.setIkeGateway(ikeGateway);
}
}
if (ipsecVpn.getIkeGateway() == null) {
_w.redFlag("Can't find matching IkeGateway for " + name);
}
}
c.getIpsecVpns().put(ipsecVpn.getName(), ipsecVpn);
}
}
// convert routing processes
_vrfs.forEach((vrfName, vrf) -> {
org.batfish.datamodel.Vrf newVrf = c.getVrfs().get(vrfName);
// add snmp trap servers to main list
if (newVrf.getSnmpServer() != null) {
c.getSnmpTrapServers().addAll(newVrf.getSnmpServer().getHosts().keySet());
}
// convert static routes
for (StaticRoute staticRoute : vrf.getStaticRoutes()) {
newVrf.getStaticRoutes().add(toStaticRoute(c, staticRoute));
}
// convert rip process
RipProcess ripProcess = vrf.getRipProcess();
if (ripProcess != null) {
org.batfish.datamodel.RipProcess newRipProcess = toRipProcess(ripProcess, vrfName, c, this);
newVrf.setRipProcess(newRipProcess);
}
// convert ospf process
OspfProcess ospfProcess = vrf.getOspfProcess();
if (ospfProcess != null) {
org.batfish.datamodel.OspfProcess newOspfProcess = toOspfProcess(ospfProcess, vrfName, c, this);
newVrf.setOspfProcess(newOspfProcess);
}
// convert isis process
IsisProcess isisProcess = vrf.getIsisProcess();
if (isisProcess != null) {
org.batfish.datamodel.IsisProcess newIsisProcess = toIsisProcess(isisProcess, c, this);
newVrf.setIsisProcess(newIsisProcess);
}
// convert bgp process
BgpProcess bgpProcess = vrf.getBgpProcess();
if (bgpProcess != null) {
org.batfish.datamodel.BgpProcess newBgpProcess = toBgpProcess(c, bgpProcess, vrfName);
c.getVrfs().get(vrfName).setBgpProcess(newBgpProcess);
}
});
// warn about references to undefined peer groups
for (Entry<String, Integer> e : _undefinedPeerGroups.entrySet()) {
String name = e.getKey();
int line = e.getValue();
undefined(CiscoStructureType.BGP_PEER_GROUP, name, CiscoStructureUsage.BGP_NEIGHBOR_STATEMENT, line);
}
// mark references to IPv4/6 ACLs that may not appear in data model
markAcls(CiscoStructureUsage.CLASS_MAP_ACCESS_GROUP);
markIpv4Acls(CiscoStructureUsage.CONTROL_PLANE_ACCESS_GROUP);
markAcls(CiscoStructureUsage.COPS_LISTENER_ACCESS_LIST);
markAcls(CiscoStructureUsage.CRYPTO_MAP_IPSEC_ISAKMP_ACL);
markAcls(CiscoStructureUsage.INTERFACE_IGMP_ACCESS_GROUP_ACL);
markIpv4Acls(CiscoStructureUsage.INTERFACE_IGMP_STATIC_GROUP_ACL);
markAcls(CiscoStructureUsage.INTERFACE_IP_INBAND_ACCESS_GROUP);
markIpv4Acls(CiscoStructureUsage.INTERFACE_IP_VERIFY_ACCESS_LIST);
markIpv4Acls(CiscoStructureUsage.INTERFACE_PIM_NEIGHBOR_FILTER);
markIpv4Acls(CiscoStructureUsage.IP_NAT_DESTINATION_ACCESS_LIST);
markIpv4Acls(CiscoStructureUsage.IP_NAT_SOURCE_ACCESS_LIST);
markAcls(CiscoStructureUsage.LINE_ACCESS_CLASS_LIST);
markIpv6Acls(CiscoStructureUsage.LINE_ACCESS_CLASS_LIST6);
markIpv4Acls(CiscoStructureUsage.MANAGEMENT_TELNET_ACCESS_GROUP);
markIpv4Acls(CiscoStructureUsage.MSDP_PEER_SA_LIST);
markIpv4Acls(CiscoStructureUsage.NTP_ACCESS_GROUP);
markIpv4Acls(CiscoStructureUsage.PIM_ACCEPT_REGISTER_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_ACCEPT_RP_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_RP_ADDRESS_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_RP_ANNOUNCE_FILTER);
markIpv4Acls(CiscoStructureUsage.PIM_RP_CANDIDATE_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_SEND_RP_ANNOUNCE_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_SPT_THRESHOLD_ACL);
markAcls(CiscoStructureUsage.RIP_DISTRIBUTE_LIST);
markAcls(CiscoStructureUsage.ROUTER_ISIS_DISTRIBUTE_LIST_ACL);
markAcls(CiscoStructureUsage.SNMP_SERVER_FILE_TRANSFER_ACL);
markAcls(CiscoStructureUsage.SNMP_SERVER_TFTP_SERVER_LIST);
markAcls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL);
markIpv4Acls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL4);
markIpv6Acls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL6);
markAcls(CiscoStructureUsage.SSH_ACL);
markIpv4Acls(CiscoStructureUsage.SSH_IPV4_ACL);
markIpv6Acls(CiscoStructureUsage.SSH_IPV6_ACL);
markAcls(CiscoStructureUsage.WCCP_GROUP_LIST);
markAcls(CiscoStructureUsage.WCCP_REDIRECT_LIST);
markAcls(CiscoStructureUsage.WCCP_SERVICE_LIST);
// mark references to mac-ACLs that may not appear in data model
// TODO: fill in
// mark references to route-maps that may not appear in data model
markRouteMaps(CiscoStructureUsage.BGP_REDISTRIBUTE_OSPFV3_MAP);
markRouteMaps(CiscoStructureUsage.BGP_ROUTE_MAP_OTHER);
markRouteMaps(CiscoStructureUsage.BGP_VRF_AGGREGATE_ROUTE_MAP);
markRouteMaps(CiscoStructureUsage.PIM_ACCEPT_REGISTER_ROUTE_MAP);
// Cable
markDepiClasses(CiscoStructureUsage.DEPI_TUNNEL_DEPI_CLASS);
markDepiTunnels(CiscoStructureUsage.CONTROLLER_DEPI_TUNNEL);
markDepiTunnels(CiscoStructureUsage.DEPI_TUNNEL_PROTECT_TUNNEL);
markDocsisPolicies(CiscoStructureUsage.DOCSIS_GROUP_DOCSIS_POLICY);
markDocsisPolicyRules(CiscoStructureUsage.DOCSIS_POLICY_DOCSIS_POLICY_RULE);
markServiceClasses(CiscoStructureUsage.QOS_ENFORCE_RULE_SERVICE_CLASS);
// L2tp
markL2tpClasses(CiscoStructureUsage.DEPI_TUNNEL_L2TP_CLASS);
// Vpn
markIpsecProfiles(CiscoStructureUsage.TUNNEL_PROTECTION_IPSEC_PROFILE);
markIpsecTransformSets(CiscoStructureUsage.IPSEC_PROFILE_TRANSFORM_SET);
markKeyrings(CiscoStructureUsage.ISAKMP_PROFILE_KEYRING);
// warn about unreferenced data structures
warnUnusedStructure(_asPathSets, CiscoStructureType.AS_PATH_SET);
warnUnusedCommunityLists();
warnUnusedStructure(_cf.getDepiClasses(), CiscoStructureType.DEPI_CLASS);
warnUnusedStructure(_cf.getDepiTunnels(), CiscoStructureType.DEPI_TUNNEL);
warnUnusedDocsisPolicies();
warnUnusedDocsisPolicyRules();
warnUnusedStructure(_asPathAccessLists, CiscoStructureType.AS_PATH_ACCESS_LIST);
warnUnusedIpAccessLists();
warnUnusedStructure(_ipsecProfiles, CiscoStructureType.IPSEC_PROFILE);
warnUnusedStructure(_ipsecTransformSets, CiscoStructureType.IPSEC_TRANSFORM_SET);
warnUnusedIpv6AccessLists();
warnUnusedKeyrings();
warnUnusedStructure(_cf.getL2tpClasses(), CiscoStructureType.L2TP_CLASS);
warnUnusedStructure(_macAccessLists, CiscoStructureType.MAC_ACCESS_LIST);
warnUnusedStructure(_natPools, CiscoStructureType.NAT_POOL);
warnUnusedStructure(_prefixLists, CiscoStructureType.PREFIX_LIST);
warnUnusedStructure(_prefix6Lists, CiscoStructureType.PREFIX6_LIST);
warnUnusedPeerGroups();
warnUnusedPeerSessions();
warnUnusedStructure(_routeMaps, CiscoStructureType.ROUTE_MAP);
warnUnusedServiceClasses();
c.simplifyRoutingPolicies();
c.computeRoutingPolicySources(_w);
return c;
}
Also used :
IpsecVpn(org.batfish.datamodel.IpsecVpn)
AaaAuthentication(org.batfish.datamodel.vendor_family.cisco.AaaAuthentication)
VendorConfiguration(org.batfish.vendor.VendorConfiguration)
Configuration(org.batfish.datamodel.Configuration)
ArrayList(java.util.ArrayList)
Aaa(org.batfish.datamodel.vendor_family.cisco.Aaa)
BatfishException(org.batfish.common.BatfishException)
AsPathAccessList(org.batfish.datamodel.AsPathAccessList)
CommunityList(org.batfish.datamodel.CommunityList)
CommunityListLine(org.batfish.datamodel.CommunityListLine)
Ip6AccessListLine(org.batfish.datamodel.Ip6AccessListLine)
Route6FilterLine(org.batfish.datamodel.Route6FilterLine)
Line(org.batfish.datamodel.vendor_family.cisco.Line)
RouteFilterLine(org.batfish.datamodel.RouteFilterLine)
AsPathAccessListLine(org.batfish.datamodel.AsPathAccessListLine)
IpAccessListLine(org.batfish.datamodel.IpAccessListLine)
IpsecPolicy(org.batfish.datamodel.IpsecPolicy)
IkeGateway(org.batfish.datamodel.IkeGateway)
IpAccessList(org.batfish.datamodel.IpAccessList)
Ip(org.batfish.datamodel.Ip)
SubRange(org.batfish.datamodel.SubRange)
Ip6AccessList(org.batfish.datamodel.Ip6AccessList)
RoutingPolicy(org.batfish.datamodel.routing_policy.RoutingPolicy)
Route6FilterList(org.batfish.datamodel.Route6FilterList)
BigInteger(java.math.BigInteger)
RouteFilterList(org.batfish.datamodel.RouteFilterList)
AaaAuthenticationLogin(org.batfish.datamodel.vendor_family.cisco.AaaAuthenticationLogin)
Aggregations
BigInteger (java.math.BigInteger)1
ArrayList (java.util.ArrayList)1
BatfishException (org.batfish.common.BatfishException)1
AsPathAccessList (org.batfish.datamodel.AsPathAccessList)1
AsPathAccessListLine (org.batfish.datamodel.AsPathAccessListLine)1
CommunityList (org.batfish.datamodel.CommunityList)1
CommunityListLine (org.batfish.datamodel.CommunityListLine)1
Configuration (org.batfish.datamodel.Configuration)1
IkeGateway (org.batfish.datamodel.IkeGateway)1
Ip (org.batfish.datamodel.Ip)1
Ip6AccessList (org.batfish.datamodel.Ip6AccessList)1
Ip6AccessListLine (org.batfish.datamodel.Ip6AccessListLine)1
IpAccessList (org.batfish.datamodel.IpAccessList)1
IpAccessListLine (org.batfish.datamodel.IpAccessListLine)1
IpsecPolicy (org.batfish.datamodel.IpsecPolicy)1
IpsecVpn (org.batfish.datamodel.IpsecVpn)1
Route6FilterLine (org.batfish.datamodel.Route6FilterLine)1
Route6FilterList (org.batfish.datamodel.Route6FilterList)1
RouteFilterLine (org.batfish.datamodel.RouteFilterLine)1
RouteFilterList (org.batfish.datamodel.RouteFilterList)1
