network automation (bay area juniper networks meetup)
TRANSCRIPT
Network Automation
Alejandro Salinas
Intro
WHERE ARE YOU WITH REGARDS TO AUTOMATION?
IT’S ALSO ABOUT PROCESS AND CULTURAL CHANGE
Story 1 An experiment that pays off
xkcd.com
• A script to find a host in the network and its port settings
• A script to change the vlan in a specific port
• A script that combines both functionalities
THREE SCRIPTS
THREE SCRIPTS (CONT)
[asalinas:juniper_tools] ./set_vlan.py vlan2 myhost.grpn -pPassword:
INFO: Looking for myhost.grpn MAC address
INFO: Translating hostname myhost.grpn into MAC address ab:cd:fe:00:01:02
INFO: Starting search in: myswitch.grpn
INFO: Getting MAC Address table
INFO: Host myhost.grpn (MAC: ab:cd:fe:00:01:02) is in myswitch.grpn (vlan,port) [('vlan1', 'ge-2/0/20.0')]
INFO: DISCOVERY COMPLETED - Setting Vlans
INFO: Getting VLAN info...
INFO: vlan vlan2 exists in myswitch.grpn - OK
INFO: Getting interface ge-2/0/20 information
INFO: Current vlans are ['vlan1']
INFO: Interface ge-2/0/20 is in access mode, setting/changing vlan.
INFO: Locking configuration
INFO: Configuration Sent OK
INFO: Configuration Validation OK
INFO: Config diff:
[edit interfaces ge-2/0/20 unit 0 family ethernet-switching vlan]
- members vlan1;
+ members vlan2;
INFO: Releasing Lock
INFO: Cleanup: myswitch.grpn
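The discovery and guard steps that the set_vlan.py log above walks through, as an added offline example (not the talk's script): the DNS lookup, MAC table, VLAN list and port modes are constructed inline, and the output is the Junos delete/set pair that yields the diff shown in the log.

```python
# Constructed inventory standing in for the DNS lookup and the live MAC table
# that set_vlan.py reads from the switch; names mirror the log above.
HOST_MACS = {"myhost.grpn": "ab:cd:fe:00:01:02", "otherhost.grpn": "ab:cd:fe:00:01:03"}
MAC_TABLES = {  # switch -> {mac: (vlan, logical interface)}
    "myswitch.grpn": {"ab:cd:fe:00:01:02": ("vlan1", "ge-2/0/20.0"),
                      "ab:cd:fe:00:01:03": ("vlan1", "ge-2/0/21.0")},
}
SWITCH_VLANS = {"myswitch.grpn": {"vlan1", "vlan2", "vlan3"}}
INTERFACE_MODE = {  # switch -> {physical port: (mode, member vlans)}
    "myswitch.grpn": {"ge-2/0/20": ("access", ["vlan1"]),
                      "ge-2/0/21": ("trunk", ["vlan1", "vlan3"])},
}

def find_host(hostname):
    """Discovery half of the log: hostname -> MAC -> (switch, vlan, physical port)."""
    mac = HOST_MACS.get(hostname)
    for switch, table in MAC_TABLES.items():
        if mac in table:
            vlan, ifl = table[mac]
            return switch, vlan, ifl.rsplit(".", 1)[0]  # ge-2/0/20.0 -> ge-2/0/20
    return None

def plan_vlan_change(hostname, new_vlan):
    """Apply the log's guards, then return the Junos lines that produce its config diff.

    A failed guard returns ok=False with a reason instead of config, so nothing is
    ever pushed to a trunk port or references a VLAN the switch does not have."""
    found = find_host(hostname)
    if found is None:
        return {"ok": False, "reason": "%s not found in any MAC table" % hostname}
    switch, current_vlan, port = found
    if new_vlan not in SWITCH_VLANS[switch]:
        return {"ok": False, "reason": "vlan %s does not exist in %s" % (new_vlan, switch)}
    mode, members = INTERFACE_MODE[switch][port]
    if mode != "access" or len(members) != 1:
        return {"ok": False, "reason": "%s is %s with vlans %s" % (port, mode, members)}
    stanza = "interfaces %s unit 0 family ethernet-switching vlan members" % port
    commands = [] if current_vlan == new_vlan else [
        "delete %s %s" % (stanza, current_vlan), "set %s %s" % (stanza, new_vlan)]
    return {"ok": True, "switch": switch, "port": port, "commands": commands}
```

On a real switch the returned commands would go inside the lock / load / commit-check / diff / unlock sequence the log shows, which is where a mistaken push gets caught before commit.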
ABOUT LEARNING CURVES
• Small interruptions were a good place to start our automation efforts
• Your first win does not need to be a fully automated process
• Not all automation efforts require a source of truth/systems in place
STORY 1: LEARNINGS
Story 2 Code your way out of a crisis
• Design and build a new datacenter
• Add capacity to an existing datacenter
• Manage Load Balancers
• Manage Firewalls
• Manage On-call
• 1 x Predictable cabling standard
• N x Jinja Templates
• N x YAML Files
• Code to use all of the above
dhcpd.conf
Results
TODO list:
• Check ports
• Check OS versions
• Check licenses
• Check IP allocations
• Check vlans
• Check routing
Retrieve:
• Operational status
• Configuration status
Retrieve:
• Allocations
✓ Ports
✓ OS versions
✓ Licenses
✓ IP allocations
✓ Vlans
✓ BGP peers
✓ Etc, etc
[asalinas@GMGM20689:provisioning] ./config_auditor.py -d access12419.grpn
INFO: access12419 : Connected
INFO: Device is part of a virtual_chassis - checking membership and ports
INFO: Both units run 14.2X99-D99.2
INFO: FPC0 seems to be the TOP TORS – Good
INFO: RE0 is master
INFO: Port ('fpc0', '2/0') is Configured and UP
INFO: Port ('fpc0', '2/1') is Configured and UP
INFO: LY0123456 has a valid Routing license
INFO: vme 10.22.16.220/22 is assigned to this device
INFO: loopback 10.22.0.57/32 is assigned to this device
INFO: 0 P2P allocations found for this device, no errors found
INFO: VLAN Audit completed, 7 vlans configured, no errors found
INFO: Looking for interface et-0/1/0
INFO: Interface et-0/1/0 is part of LACP interface ae62, will check later
INFO: Checking physical port...
INFO: Oper status is UP
INFO: Admin status is UP
INFO: Checking LLDP neighbors...
INFO: LLDP neighbors and descriptions seems consistent
INFO: Finished with et-0/1/0 - interface is OK
INFO: Checking interface ae62
INFO: LACP interface ae62 (et-0/1/0) looks good
INFO: Finished with access12419.grpn - All seems OK!!
CONFIG AUDITING
CONFIG AUDITING (CONT)
CONFIG AUDITING (CONT)
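The per-port part of the audit above (admin/oper status, LLDP neighbour versus port description, LACP membership), as an added example that is not the talk's config_auditor.py: it runs over constructed interface, LLDP and LACP data instead of a live virtual chassis, and the "to:<host>:<port>" description convention is an assumption.

```python
import re

DEVICE = "access12419.grpn"  # device name from the slide; everything below is constructed
# Interface facts as a PyEZ-style fetch might return them. The description convention
# "to:<remote host>:<remote port>" is an assumption, not something the talk specifies.
INTERFACES = {
    "et-0/1/0": {"oper": "up", "admin": "up", "description": "to:spine1.grpn:et-0/0/12", "ae": "ae62"},
    "et-0/1/1": {"oper": "up", "admin": "up", "description": "to:spine2.grpn:et-0/0/12", "ae": "ae62"},
    "et-0/1/2": {"oper": "down", "admin": "up", "description": "to:spine3.grpn:et-0/0/12", "ae": None},
}
# LLDP neighbour table: local port -> (remote system name, remote port id)
LLDP = {
    "et-0/1/0": ("spine1.grpn", "et-0/0/12"),
    "et-0/1/1": ("spine2.grpn", "et-0/0/13"),  # constructed mis-cabling: wrong remote port
}
# Active LACP membership: bundle -> member ports (et-0/1/1 is configured on ae62 but not up in it)
LACP = {"ae62": {"et-0/1/0"}}

DESC_RE = re.compile(r"^to:(?P<host>[^:]+):(?P<port>.+)$")

def audit_interface(name):
    """Return findings for one physical port; an empty list means the port is OK."""
    intf, findings = INTERFACES[name], []
    if intf["admin"] != "up":
        findings.append("admin status is not UP")
    if intf["oper"] != "up":
        findings.append("oper status is not UP")
    m = DESC_RE.match(intf["description"] or "")
    if not m:
        findings.append("description does not follow to:<host>:<port>")
    neigh = LLDP.get(name)
    if neigh is None:
        findings.append("no LLDP neighbor seen")
    elif m and (m["host"], m["port"]) != neigh:
        findings.append("LLDP neighbor %s:%s does not match description" % neigh)
    if intf["ae"] and name not in LACP.get(intf["ae"], set()):
        findings.append("configured on %s but not an active LACP member" % intf["ae"])
    return findings

def audit_device():
    """Audit every port, mirroring the per-port INFO lines and final 'All seems OK' verdict."""
    return {name: audit_interface(name) for name in INTERFACES}

if __name__ == "__main__":
    for port, findings in audit_device().items():
        print("INFO: %s %s - %s" % (DEVICE, port, "OK" if not findings else "; ".join(findings)))
```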
PERMANENT IMPROVEMENT
• It’s not about the system but about delivering
• Do not expect immediate results, it could still be nobody’s job
• Change management / Cultural change is a big challenge
STORY 2: LEARNINGS
Story 3 Ask the Network
Operational status:
• Is there a route to x.y.z.t?
• Is port xyz up now?
• Is this firewall flow allowed?
Configuration information:
• Where is subnet x.y.z.w?
• Is port xyz configured for LACP?
• What’s the console port for device xyz?
REST
[asalinas@GMGM20689:juniper_tools] curl -s http://localhost:8000/get_host_information?hostname=otherhost.grpn | python -m json.tool
{
    "device_queried": "access1128.grpn",
    "interface_information": {
        "ab:cd:ef:fe:bc:b8": [
            {
                "interface": "ae33.0",
                "vlan_id": "100",
                "vlan_name": "vlan100"
            }
        ],
        "ab:cd:ef:fe:bc:ba": null,
        "ab:cd:ef:fe:bc:bc": null,
        "ab:cd:ef:fe:bc:bd": null
    },
    "mac_addresses": [
        "ab:cd:ef:fe:bc:b8",
        "ab:cd:ef:fe:bc:ba",
        "ab:cd:ef:fe:bc:bc",
        "ab:cd:ef:fe:bc:bd"
    ],
    "success": true
}
FIND A HOST
[asalinas@GMGM20689:juniper_tools] curl -s http://localhost:8000/get_firewall_zone?destination=10.10.10.21/31 | python -m json.tool
{
    "colo": "grpn",
    "destination": "10.10.10.21/31",
    "device_queried": "somefw.grpn",
    "success": true,
    "zone_data": [
        {
            "destination_match": "10.10.10.0/24",
            "interface": "ae8.0",
            "next_hop": "10.10.12.3",
            "zone_name": "trust__zone20"
        }
    ]
}
SECURITY ZONES
[asalinas@GMGM20689:~] curl -s "http://localhost:8000/check_flow?source=10.1.2.3&destination=10.11.12.13&port=22" | python -m json.tool
{
    "action_type": "permit",
    "destination": "10.11.12.13",
    "destination_zone": "trust__zone1",
    "device_queried": "somefw.grpn",
    "dst_colo": "colo1",
    "policy_name": "NETOPS-9999",
    "source": "10.1.2.3",
    "source_zone": "trust__zone2",
    "src_colo": "colo2",
    "success": true
}
IS THIS FLOW ALLOWED?
[asalinas@GMGM20689] curl -s "http://localhost:8000/get_policy_by_name?device_name=somefw.grpn&policy_name=NETOPS-9999" | python -m json.tool
{
    "device_name": "somefw.grpn",
    "policy_information": {
        "NETOPS-9999": {
            "action": "permit",
            "application": "junos-ssh",
            "destination_addresses": [
                "host1.grpn",
                "host2.grpn"
            ],
            "destination_zone_name": "trust__zone1",
            "policy_sequence_number": "100",
            "policy_state": "enabled",
            "seq_check": "No",
            "source_addresses": "host3.grpn",
            "source_zone_name": "trust__zone2",
            "syn_check": "No"
        }
    },
    "policy_name": "NETOPS-9999",
    "success": true
}
FIREWALL POLICY DETAIL
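How check_flow can be built from the two building blocks shown above (zone lookup by route, policy detail by name), as an added offline example rather than the talk's REST service: the route table, address book, application map and policy list are constructed stand-ins for what the service fetches from somefw.grpn, and the default deny-all for unmatched flows is an assumption about the firewall's configuration.

```python
import ipaddress
# Constructed stand-ins for what the talk's REST service pulls from somefw.grpn.
ROUTES = {  # destination prefix -> (next_hop, interface, zone_name), as get_firewall_zone returns
    "10.10.10.0/24": ("10.10.12.3", "ae8.0", "trust__zone20"),
    "10.11.12.0/24": ("10.11.12.1", "ae9.0", "trust__zone1"),
    "10.1.0.0/16": ("10.1.0.1", "ae10.0", "trust__zone2"),
    "0.0.0.0/0": ("192.0.2.1", "ae1.0", "untrust"),
}
ADDRESS_BOOK = {"host1.grpn": "10.11.12.13/32", "host2.grpn": "10.11.12.14/32",
                "host3.grpn": "10.1.2.3/32", "any": "0.0.0.0/0"}
APPLICATIONS = {"junos-ssh": ("tcp", 22), "junos-https": ("tcp", 443), "any": None}
# Policies in sequence order, shaped like get_policy_by_name (a single address may be a bare string).
POLICIES = [
    {"policy_name": "NETOPS-9999", "policy_state": "enabled", "action": "permit",
     "source_zone_name": "trust__zone2", "destination_zone_name": "trust__zone1",
     "source_addresses": "host3.grpn", "destination_addresses": ["host1.grpn", "host2.grpn"],
     "application": "junos-ssh"},
    {"policy_name": "LEGACY-ANY", "policy_state": "disabled", "action": "permit",
     "source_zone_name": "trust__zone2", "destination_zone_name": "trust__zone1",
     "source_addresses": "any", "destination_addresses": "any", "application": "any"},
]

def zone_for(ip):
    """Longest-prefix match over ROUTES; returns (destination_match, zone_name)."""
    addr = ipaddress.ip_address(ip)
    best = max((p for p in ROUTES if addr in ipaddress.ip_network(p)),
               key=lambda p: ipaddress.ip_network(p).prefixlen)
    return best, ROUTES[best][2]

def in_book(ip, names):
    """True if ip is inside any named address-book entry; names may be a string or a list."""
    names = [names] if isinstance(names, str) else names
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(ADDRESS_BOOK[n]) for n in names)

def check_flow(source, destination, port, proto="tcp"):
    """Offline check_flow: zones from routing, then first enabled matching policy wins."""
    src_zone, dst_zone = zone_for(source)[1], zone_for(destination)[1]
    for pol in POLICIES:
        app = APPLICATIONS[pol["application"]]
        if (pol["policy_state"] != "enabled"
                or (pol["source_zone_name"], pol["destination_zone_name"]) != (src_zone, dst_zone)
                or not in_book(source, pol["source_addresses"])
                or not in_book(destination, pol["destination_addresses"])
                or (app is not None and app != (proto, port))):
            continue
        return {"success": True, "action_type": pol["action"], "policy_name": pol["policy_name"],
                "source_zone": src_zone, "destination_zone": dst_zone}
    # No explicit match: report the assumed default deny-all so the caller sees why it fails.
    return {"success": True, "action_type": "deny", "policy_name": "default-policy",
            "source_zone": src_zone, "destination_zone": dst_zone}
```

Disabled policies are skipped and an unmatched flow is answered with the default policy by name, so a "why is this blocked" question gets a concrete answer instead of an empty result.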
FIREWALL AUTOMATION BUILDING BLOCKS (diagram)
• get_firewall_zone
• get_policy_by_name
• check_flow
• TBD
• TBD
• TBD
• Not only the network team can take advantage of your automation
• Publishing configuration and operational information benefits your team
STORY 3: LEARNINGS
WRAPPING UP
ALEJANDRO SALINAS
Sr Manager – Network Operations
Q+A Thank you very much!