TRANSCRIPT
Network Automation
Alejandro Salinas
Intro
WHERE ARE YOU WITH REGARDS TO AUTOMATION?
IT’S ALSO ABOUT PROCESS AND CULTURAL CHANGE
Story 1 An experiment that pays off
THREE SCRIPTS
• A script to find a host in the network and its port settings
• A script to change the vlan in a specific port
• A script that combines both functionalities
THREE SCRIPTS (CONT)
[asalinas:juniper_tools] ./set_vlan.py vlan2 myhost.grpn -pPassword:
INFO: Looking for myhost.grpn MAC address
INFO: Translating hostname myhost.grpn into MAC address ab:cd:fe:00:01:02
INFO: Starting search in: myswitch.grpn
INFO: Getting MAC Address table
INFO: Host myhost.grpn (MAC: ab:cd:fe:00:01:02) is in myswitch.grpn (vlan,port) [('vlan1', 'ge-2/0/20.0')]
INFO: DISCOVERY COMPLETED - Setting Vlans
INFO: Getting VLAN info...
INFO: vlan vlan2 exists in myswitch.grpn - OK
INFO: Getting interface ge-2/0/20 information
INFO: Current vlans are ['vlan1']
INFO: Interface ge-2/0/20 is in access mode, setting/changing vlan.
INFO: Locking configuration
INFO: Configuration Sent OK
INFO: Configuration Validation OK
INFO: Config diff:
[edit interfaces ge-2/0/20 unit 0 family ethernet-switching vlan]
- members vlan1;
+ members vlan2;
INFO: Releasing Lock
INFO: Cleanup: myswitch.grpn
ABOUT LEARNING CURVES
STORY 1: LEARNINGS
• Small interruptions were a good place to start our automation efforts
• Your first win does not need to be a fully automated process
• Not all automation efforts require a source of truth/systems in place
Story 2 Code your way out of a crisis
• Design and build a new datacenter
• Add capacity to an existing datacenter
• Manage Load Balancers
• Manage Firewalls
• Manage On-call
• 1 x Predictable cabling standard
• N x Jinja Templates
• N x YAML Files
• Code to use all of the above
dhcpd.conf
Results
TODO list:
• Check ports
• Check OS versions
• Check licenses
• Check IP allocations
• Check vlans
• Check routing
Retrieve:
• Operational status
• Configuration status
Retrieve:
• Allocations
✓ Ports
✓ OS versions
✓ Licenses
✓ IP allocations
✓ Vlans
✓ BGP peers
✓ Etc, etc
CONFIG AUDITING
[email protected]:provisioning] ./config_auditor.py -d access12419.grpn
INFO: access12419 : Connected
INFO: Device is part of a virtual_chassis - checking membership and ports
INFO: Both units run 14.2X99-D99.2
INFO: FPC0 seems to be the TOP TORS – Good
INFO: RE0 is master
INFO: Port ('fpc0', '2/0') is Configured and UP
INFO: Port ('fpc0', '2/1') is Configured and UP
INFO: LY0123456 has a valid Routing license
INFO: vme 10.22.16.220/22 is assigned to this device
INFO: loopback 10.22.0.57/32 is assigned to this device
INFO: 0 P2P allocations found for this device, no errors found
INFO: VLAN Audit completed, 7 vlans configured, no errors found
INFO: Looking for interface et-0/1/0
INFO: Interface et-0/1/0 is part of LACP interface ae62, will check later
INFO: Checking physical port...
INFO: Oper status is UP
INFO: Admin status is UP
INFO: Checking LLDP neighbors...
INFO: LLDP neighbors and descriptions seems consistent
INFO: Finished with et-0/1/0 - interface is OK
INFO: Checking interface ae62
INFO: LACP interface ae62 (et-0/1/0) looks good
INFO: Finished with access12419.grpn - All seems OK!!
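The auditor run above compares what the device reports with what the source of truth says it should be. The following is an added example (not the talk's config_auditor.py) of that comparison over a constructed source-of-truth record and constructed device facts; the record layout, the field names and the "uplink port to LLDP neighbour" cabling standard are assumptions.

```python
# Constructed source of truth for one access switch (assumed YAML-like record).
EXPECTED = {
    "name": "access12419.grpn", "os_version": "14.2X99-D99.2",
    "vme": "10.22.16.220/22", "loopback": "10.22.0.57/32",
    "vlans": {"vlan100", "vlan200", "vlan300"},
    # Cabling standard (assumed): uplink port -> expected LLDP neighbour.
    "uplinks": {"et-0/1/0": "agg1.grpn", "et-1/1/0": "agg2.grpn"},
}
# Constructed facts as an auditor would collect them from the virtual chassis.
OBSERVED = {
    "members": {"fpc0": "14.2X99-D99.2", "fpc1": "14.2X99-D99.1"},
    "vme": "10.22.16.220/22", "loopback": "10.22.0.57/32",
    "vlans": {"vlan100", "vlan200", "vlan999"},
    "interfaces": {
        "et-0/1/0": {"oper": "up", "admin": "up", "lldp_neighbor": "agg1.grpn",
                     "description": "UPLINK agg1.grpn et-0/0/12"},
        "et-1/1/0": {"oper": "down", "admin": "up", "lldp_neighbor": "agg3.grpn",
                     "description": "UPLINK agg2.grpn et-0/0/12"},
    },
}

def audit_device(expected, observed):
    """Return a list of findings; an empty list means 'All seems OK'."""
    findings = []
    # Every member of a virtual chassis should run the same, expected version.
    versions = set(observed["members"].values())
    if len(versions) > 1:
        findings.append(f"virtual chassis members run different versions: {sorted(versions)}")
    if expected["os_version"] not in versions:
        findings.append(f"expected {expected['os_version']}, found {sorted(versions)}")
    # Management and loopback addresses must match the allocation.
    for key in ("vme", "loopback"):
        if observed[key] != expected[key]:
            findings.append(f"{key} is {observed[key]}, allocation says {expected[key]}")
    # VLAN audit: both directions of the difference are findings.
    for label, diff in (("missing", expected["vlans"] - observed["vlans"]),
                        ("not in source of truth", observed["vlans"] - expected["vlans"])):
        if diff:
            findings.append(f"vlans {label}: {sorted(diff)}")
    # Uplinks: port state, LLDP neighbour and description must agree with the cabling standard.
    for port, neighbor in expected["uplinks"].items():
        intf = observed["interfaces"].get(port)
        if intf is None:
            findings.append(f"{port}: interface not present")
            continue
        if intf["oper"] != "up" or intf["admin"] != "up":
            findings.append(f"{port}: oper={intf['oper']} admin={intf['admin']}")
        if intf["lldp_neighbor"] != neighbor:
            findings.append(f"{port}: LLDP neighbor {intf['lldp_neighbor']}, standard expects {neighbor}")
        if neighbor not in intf["description"]:
            findings.append(f"{port}: description does not mention {neighbor}")
    return findings
```

Running `audit_device(EXPECTED, OBSERVED)` on the constructed data reports the version mismatch, the two VLAN discrepancies, and the down uplink with the wrong LLDP neighbour.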
PERMANENT IMPROVEMENT
STORY 2: LEARNINGS
• It’s not about the system but about delivering
• Do not expect immediate results, it could still be nobody’s job,
• Change management / Cultural change is a big challenge
Story 3 Ask the Network
Operational status:
• Is there a route to x.y.z.t?
• Is port xyz up now?
• Is this firewall flow allowed?
Configuration information:
• Where is subnet x.y.z.w?
• Is port xyz configured for LACP?
• What’s the console port for device xyz?
REST
FIND A HOST
[asalinas@GMGM20689:juniper_tools] curl -s http://localhost:8000/get_host_information?hostname=otherhost.grpn | python -m json.tool
{
    "device_queried": "access1128.grpn",
    "interface_information": {
        "ab:cd:ef:fe:bc:b8": [
            {
                "interface": "ae33.0",
                "vlan_id": "100",
                "vlan_name": "vlan100"
            }
        ],
        "ab:cd:ef:fe:bc:ba": null,
        "ab:cd:ef:fe:bc:bc": null,
        "ab:cd:ef:fe:bc:bd": null
    },
    "mac_addresses": [
        "ab:cd:ef:fe:bc:b8",
        "ab:cd:ef:fe:bc:ba",
        "ab:cd:ef:fe:bc:bc",
        "ab:cd:ef:fe:bc:bd"
    ],
    "success": true
}
SECURITY ZONES
[asalinas@GMGM20689:juniper_tools] curl -s http://localhost:8000/get_firewall_zone?destination=10.10.10.21/31 | python -m json.tool
{
    "colo": "grpn",
    "destination": "10.10.10.21/31",
    "device_queried": "somefw.grpn",
    "success": true,
    "zone_data": [
        {
            "destination_match": "10.10.10.0/24",
            "interface": "ae8.0",
            "next_hop": "10.10.12.3",
            "zone_name": "trust__zone20"
        }
    ]
}
IS THIS FLOW ALLOWED?
[asalinas@GMGM20689:~] curl -s "http://localhost:8000/check_flow?source=10.1.2.3&destination=10.11.12.13&port=22" | python -m json.tool
{
    "action_type": "permit",
    "destination": "10.11.12.13",
    "destination_zone": "trust__zone1",
    "device_queried": "somefw.grpn",
    "dst_colo": "colo1",
    "policy_name": "NETOPS-9999",
    "source": "10.1.2.3",
    "source_zone": "trust__zone2",
    "src_colo": "colo2",
    "success": true
}
FIREWALL POLICY DETAIL
[asalinas@GMGM20689] curl -s "http://localhost:8000/get_policy_by_name?device_name=somefw.grpn&policy_name=NETOPS-9999" | python -m json.tool
{
    "device_name": "somefw.grpn",
    "policy_information": {
        "NETOPS-9999": {
            "action": "permit",
            "application": "junos-ssh",
            "destination_addresses": [
                "host1.grpn",
                "host2.grpn"
            ],
            "destination_zone_name": "trust__zone1",
            "policy_sequence_number": "100",
            "policy_state": "enabled",
            "seq_check": "No",
            "source_addresses": "host3.grpn",
            "source_zone_name": "trust__zone2",
            "syn_check": "No"
        }
    },
    "policy_name": "NETOPS-9999",
    "success": true
}
FIREWALL AUTOMATION BUILDING BLOCKS
• get_firewall_zone
• get_policy_by_name
• check_flow
• TBD
• TBD
• TBD
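How check_flow can be assembled from the two building blocks, get_firewall_zone (longest-prefix match of the destination against the routing table to find its zone) and the policy set behind get_policy_by_name, as an added example that is not the talk's code. The route table, address book, application table and policies below are constructed sample data shaped like the JSON the endpoints return; their formats and the helper names are assumptions.

```python
import ipaddress

# Constructed route table for a hypothetical "somefw.grpn": prefix -> security zone,
# shaped like the zone_data entries returned by get_firewall_zone.
ROUTES = {"0.0.0.0/0": "untrust", "10.10.10.0/24": "trust__zone20",
          "10.11.0.0/16": "trust__zone1", "10.1.0.0/16": "trust__zone2"}
# Constructed address book and application definitions (assumed formats).
ADDRESS_BOOK = {"host1.grpn": "10.11.12.13/32", "host2.grpn": "10.11.12.14/32",
                "host3.grpn": "10.1.2.0/24", "any": "0.0.0.0/0"}
APPLICATIONS = {"junos-ssh": ("tcp", 22), "any": (None, None)}
# Constructed policies, keyed by name like the policy_information block of get_policy_by_name.
POLICIES = {
    "NETOPS-9999": {"policy_sequence_number": 100, "action": "permit", "application": "junos-ssh",
                    "source_zone_name": "trust__zone2", "destination_zone_name": "trust__zone1",
                    "source_addresses": ["host3.grpn"], "destination_addresses": ["host1.grpn", "host2.grpn"]},
    "DENY-REST": {"policy_sequence_number": 200, "action": "deny", "application": "any",
                  "source_zone_name": "trust__zone2", "destination_zone_name": "trust__zone1",
                  "source_addresses": ["any"], "destination_addresses": ["any"]},
}

def get_firewall_zone(destination):
    """Longest-prefix match: the most specific route decides the zone."""
    addr = ipaddress.ip_address(destination)
    matches = [(ipaddress.ip_network(p).prefixlen, p) for p in ROUTES if addr in ipaddress.ip_network(p)]
    prefix = max(matches)[1]
    return {"destination_match": prefix, "zone_name": ROUTES[prefix]}

def _in_book(addr, names):
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(ADDRESS_BOOK[n]) for n in names)

def check_flow(source, destination, port, proto="tcp"):
    """Evaluate policies in sequence order; first match wins, no match is the implicit deny."""
    src_zone = get_firewall_zone(source)["zone_name"]
    dst_zone = get_firewall_zone(destination)["zone_name"]
    result = {"source": source, "destination": destination, "source_zone": src_zone,
              "destination_zone": dst_zone, "action_type": "deny", "policy_name": None, "success": True}
    for name, pol in sorted(POLICIES.items(), key=lambda kv: kv[1]["policy_sequence_number"]):
        app_proto, app_port = APPLICATIONS[pol["application"]]
        if (pol["source_zone_name"], pol["destination_zone_name"]) != (src_zone, dst_zone):
            continue
        if app_proto is not None and (app_proto, app_port) != (proto, port):
            continue
        if _in_book(source, pol["source_addresses"]) and _in_book(destination, pol["destination_addresses"]):
            result.update(action_type=pol["action"], policy_name=name)
            break
    return result
```

With this data `check_flow("10.1.2.3", "10.11.12.13", 22)` reproduces the permit by NETOPS-9999 shown above, while the same pair on port 443 falls through to DENY-REST and a flow into trust__zone20 hits the implicit deny because no policy covers that zone pair.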
STORY 3: LEARNINGS
• Not only the network team can take advantage of your automation
• Publishing configuration and operational information benefits your team
WRAPPING UP
ALEJANDRO SALINAS
Sr Manager – Network Operations
Q+A Thank you very much!