Paramiko, Netmiko, NAPALM or Nornir?

I had a fantastic chat with David Bombal a while ago in which we covered tons of network automation topics including “should I use Nornir or NAPALM or Netmiko?

The only answer one can give would be “it depends… on what you’re trying to do” as these three tools solve completely different challenges.

Paramiko is SSH implementation in Python. It’s used by most Python tools that want to use SSH to connect to other hosts (including networking devices).

Unfortunately some $vendors never spent time to understand how SSH should really work. Connecting to some networking devices via SSH could easily turn into a nightmare scenario as they don’t support the very basics like:

  • Authenticating with username and password using standard SSH mechanisms (instead of sending username prompt in already-established session)
  • Executing single command that can be specified on ssh command line.

Netmiko is a Python library built on top of Paramiko that addresses these problems. If you want to connect to a wide variety of network devices without losing your sanity Netmiko is your best bet.

For whatever reason the Ansible networking team decided not to use Netmiko and reinvented the wheel… not for the first time.

NAPALM is an abstraction layer on top of whatever protocol you have to use to connect to network devices (SSH, REST, NETCONF…). It gives you the ability to get, merge, or replace configuration on network devices without thinking about the underlying intricacies. It also provides an API that allows you to get the same information (basic facts, MAC address table, IP routing table, ARP table, BGP neighbors…) from a half-dozen platforms without dealing with the stupidities of screen scraping or similar.

NAPALM is an excellent choice if you want to remain sane while having to deal with multiple platforms, be it from a single vendor like Cisco that loves to have different operating systems on different platforms, or multiple vendors.

You can also use it within Ansible to simplify your playbooks because you no longer have to code all the “if this platform then this otherwise that” logic that is so easy to express in so-called programming language written in YAML (hope you noticed the <sarcasm> tags around this statement). Yet again, the Ansible networking team decided not to use NAPALM and implemented their own system that drives me insane every time I try to write a multi-platform playbook (I’m not saying it cannot be done, just that “think twice, code once” mentality is rare).

A long while ago we recorded a webinar with David Barroso explaining how to use NAPALM with Ansible.

SALT implementers didn’t make the same mistake - Mircea Ulinic based SALT networking support on NAPALM from day one. You’ll find even more details in his Using Salt for Event-Driven Network Automation presentation from the Building Network Automation Solutions online course.

However, even if you use NAPALM library in your Python program you still have to deal with the boring stuff that will become 80% of your code base (and bugs) without adding any value: collecting inventory, collecting data from a network data model (including inheritance from group hierarchy), and multi-threading because executing the same task on 100 devices one-at-a-time quickly becomes frustratingly long.

You could solve that challenge with Ansible, and if you’re really brave and want to fix your code every time Ansible team changes their API you could develop an Ansible wrapper and offload these boring parts to Ansible core. It would work, but it would also inherit the “amazing” performance of a tool that relies heavily on templating every single YAML value through Jinja2.

This is where you should start considering Nornir - it provides approximately the same functionality as Ansible core but in pure Python which makes it orders of magnitude faster in large deployments than Ansible.

Does that mean that the only tool you should learn is Nornir? Not so fast. Nornir is just a framework (like Ansible core) and someone still needs to do the heavy lifting like connecting to network devices and executing commands on them. You will have to combine Nornir with NAPALM (assuming NAPALM has functionality you need) or lower-level code that might rely on Netmiko to provide connectivity to network devices.


  1. There's one use case you haven't covered; what should you use if none of those tools have support for your platform?

    That's been my situation, and in that case (assuming SSH interaction), netmiko is the way to go. There are really great instructions on how to add a new platform, and it requires the least amount of infrastructure before you can start automating (as opposed to Nornir or Ansible, where you have to build the netmiko support, then build tasks and playbooks all to get a single runbook going).
  2. Hi Josh,

    Can you tell where can I find these instructions to add a new platform?

Add comment