
Network Automation (Bay Area Juniper Networks Meetup)

Feb 07, 2017


  • Network Automation

    Alejandro Salinas

  • Intro

  • WHERE ARE YOU WITH REGARDS TO AUTOMATION?

  • IT'S ALSO ABOUT PROCESS AND CULTURAL CHANGE

  • Story 1 An experiment that pays off

  • xkcd.com

  • A script to find a host in the network and its port settings

    A script to change the vlan in a specific port

    A script that combines both functionalities

    THREE SCRIPTS

  • THREE SCRIPTS (CONT)

    [asalinas:juniper_tools] ./set_vlan.py vlan2 myhost.grpn -pPassword:
    INFO: Looking for myhost.grpn MAC address
    INFO: Translating hostname myhost.grpn into MAC address ab:cd:fe:00:01:02
    INFO: Starting search in: myswitch.grpn
    INFO: Getting MAC Address table
    INFO: Host myhost.grpn (MAC: ab:cd:fe:00:01:02) is in myswitch.grpn (vlan,port) [('vlan1', 'ge-2/0/20.0')]
    INFO: DISCOVERY COMPLETED - Setting Vlans
    INFO: Getting VLAN info...
    INFO: vlan vlan2 exists in myswitch.grpn - OK
    INFO: Getting interface ge-2/0/20 information
    INFO: Current vlans are ['vlan1']
    INFO: Interface ge-2/0/20 is in access mode, setting/changing vlan.
    INFO: Locking configuration
    INFO: Configuration Sent OK
    INFO: Configuration Validation OK
    INFO: Config diff:

    [edit interfaces ge-2/0/20 unit 0 family ethernet-switching vlan]
    -    members vlan1;
    +    members vlan2;

    INFO: Releasing Lock
    INFO: Cleanup: myswitch.grpn

  • ABOUT LEARNING CURVES

  • Small interruptions were a good place to start our automation efforts

    Your first win does not need to be a fully automated process

    Not all automation efforts require a source of truth/systems in place

    STORY 1: LEARNINGS

  • Story 2 Code your way out of a crisis

  • Design and build a new datacenter

    Add capacity to an existing datacenter

    Manage Load Balancers

    Manage Firewalls

    Manage On-call

  • 1 x Predictable cabling standard

    N x Jinja Templates

    N x YAML Files

    Code to use all of the above

  • dhcpd.conf

  • Results

    TODO list:

    Check ports

    Check OS versions

    Check licenses

    Check IP allocations

    Check vlans

    Check routing

  • Retrieve:
    - Operational status
    - Configuration status

    Retrieve:
    - Allocations

    Ports

    OS versions

    Licenses

    IP allocations

    Vlans

    BGP peers

    Etc, etc

  • [asalinas@netserver.grpn:provisioning] ./config_auditor.py -d access12419.grpn
    INFO: access12419 : Connected
    INFO: Device is part of a virtual_chassis - checking membership and ports
    INFO: Both units run 14.2X99-D99.2
    INFO: FPC0 seems to be the TOP TORS Good
    INFO: RE0 is master
    INFO: Port ('fpc0', '2/0') is Configured and UP
    INFO: Port ('fpc0', '2/1') is Configured and UP
    INFO: LY0123456 has a valid Routing license
    INFO: vme 10.22.16.220/22 is assigned to this device
    INFO: loopback 10.22.0.57/32 is assigned to this device
    INFO: 0 P2P allocations found for this device, no errors found
    INFO: VLAN Audit completed, 7 vlans configured, no errors found
    INFO: Looking for interface et-0/1/0
    INFO: Interface et-0/1/0 is part of LACP interface ae62, will check later
    INFO: Checking physical port...
    INFO: Oper status is UP
    INFO: Admin status is UP
    INFO: Checking LLDP neighbors...
    INFO: LLDP neighbors and descriptions seems consistent
    INFO: Finished with et-0/1/0 - interface is OK
    INFO: Checking interface ae62
    INFO: LACP interface ae62 (et-0/1/0) looks good
    INFO: Finished with access12419.grpn - All seems OK!!

    CONFIG AUDITING

  • CONFIG AUDITING (CONT)

  • CONFIG AUDITING (CONT)
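    The config_auditor.py run above compares what a switch reports with what it is supposed to look like (OS release on every virtual-chassis member, license, management and loopback addresses, uplink state, LLDP neighbor, LACP bundle). As an added example, not the presenter's tool, here is a minimal auditor of that shape in Python: an intended state dict (standing in for a YAML source of truth), an observed state dict (standing in for the device's answers), and an audit() that returns the mismatches. Every hostname, address, release string and interface here is constructed for the example.

```python
"""
Added example, not the presenter's config_auditor.py: a minimal audit that
compares an intended state (what a source of truth says a switch should look
like) with the state the device reports, and returns the mismatches.
All names, addresses and states below are constructed for the example.
"""
from ipaddress import ip_interface

# Constructed intended state for a hypothetical access switch.
INTENDED = {
    "hostname": "access12419.grpn",
    "os_version": "14.2X99-D99.2",
    "vme": "10.22.16.220/22",
    "loopback": "10.22.0.57/32",
    "required_license": "Routing",
    # uplink port -> expected LLDP neighbor and LACP bundle
    "uplinks": {
        "et-0/1/0": {"neighbor": "spine1.grpn", "ae": "ae62"},
        "et-0/1/1": {"neighbor": "spine2.grpn", "ae": "ae62"},
    },
}

# Constructed observed state, i.e. what the device would answer to "show" commands.
OBSERVED = {
    "members": {"fpc0": "14.2X99-D99.2", "fpc1": "14.2X99-D99.2"},
    "licenses": ["Routing"],
    "addresses": {"vme.0": "10.22.16.220/22", "lo0.0": "10.22.0.57/32"},
    "interfaces": {
        "et-0/1/0": {"admin": "up", "oper": "up", "lldp_neighbor": "spine1.grpn", "ae": "ae62"},
        # second uplink is cabled and configured but the link is down
        "et-0/1/1": {"admin": "up", "oper": "down", "lldp_neighbor": "spine2.grpn", "ae": "ae62"},
    },
}


def audit(intended, observed):
    """Return a list of findings; an empty list means the device passes."""
    findings = []

    # Every virtual-chassis member must run the intended release.
    for fpc, version in sorted(observed["members"].items()):
        if version != intended["os_version"]:
            findings.append(f"{fpc} runs {version}, expected {intended['os_version']}")

    # The required feature license must be present.
    if intended["required_license"] not in observed["licenses"]:
        findings.append(f"missing {intended['required_license']} license")

    # Management and loopback addresses, compared as normalized prefixes.
    for label, ifname in (("vme", "vme.0"), ("loopback", "lo0.0")):
        wanted = ip_interface(intended[label])
        got = observed["addresses"].get(ifname)
        if got is None or ip_interface(got) != wanted:
            findings.append(f"{label} is {got}, expected {wanted}")

    # Uplinks: admin/oper state, LLDP neighbor and LACP membership.
    for port, wanted in sorted(intended["uplinks"].items()):
        got = observed["interfaces"].get(port)
        if got is None:
            findings.append(f"{port} missing on device")
            continue
        if got["admin"] != "up" or got["oper"] != "up":
            findings.append(f"{port} admin={got['admin']} oper={got['oper']}")
        if got["lldp_neighbor"] != wanted["neighbor"]:
            findings.append(f"{port} sees {got['lldp_neighbor']}, expected {wanted['neighbor']}")
        if got["ae"] != wanted["ae"]:
            findings.append(f"{port} is in {got['ae']}, expected {wanted['ae']}")
    return findings


if __name__ == "__main__":
    for line in audit(INTENDED, OBSERVED) or ["All seems OK"]:
        print(f"INFO: {INTENDED['hostname']}: {line}")
```

    The point of splitting intended from observed is that the same audit() runs before a device is handed over and again on a schedule, so a port that was up at turn-up and went down later shows up as a finding rather than going unnoticed.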

  • PERMANENT IMPROVEMENT

  • It's not about the system but about delivering

    Do not expect immediate results; it could still be nobody's job

    Change management / cultural change is a big challenge

    STORY 2: LEARNINGS

  • Story 3 Ask the Network

  • Operational status: Is there a route to x.y.z.t? Is port xyz up now? Is this firewall flow allowed?

    Configuration information: Where is subnet x.y.z.w? Is port xyz configured for LACP? What's the console port for device xyz?

    REST

  • [asalinas@GMGM20689:juniper_tools] curl -s http://localhost:8000/get_host_information?hostname=otherhost.grpn | python -m json.tool
    {
        "device_queried": "access1128.grpn",
        "interface_information": {
            "ab:cd:ef:fe:bc:b8": [
                {
                    "interface": "ae33.0",
                    "vlan_id": "100",
                    "vlan_name": "vlan100"
                }
            ],
            "ab:cd:ef:fe:bc:ba": null,
            "ab:cd:ef:fe:bc:bc": null,
            "ab:cd:ef:fe:bc:bd": null
        },
        "mac_addresses": [
            "ab:cd:ef:fe:bc:b8",
            "ab:cd:ef:fe:bc:ba",
            "ab:cd:ef:fe:bc:bc",
            "ab:cd:ef:fe:bc:bd"
        ],
        "success": true
    }

    FIND A HOST

  • [asalinas@GMGM20689:juniper_tools] curl -s http://localhost:8000/get_firewall_zone?destination=10.10.10.21/31 | python -m json.tool
    {
        "colo": "grpn",
        "destination": "10.10.10.21/31",
        "device_queried": "somefw.grpn",
        "success": true,
        "zone_data": [
            {
                "destination_match": "10.10.10.0/24",
                "interface": "ae8.0",
                "next_hop": "10.10.12.3",
                "zone_name": "trust__zone20"
            }
        ]
    }

    SECURITY ZONES

  • [asalinas@GMGM20689:~] curl -s "http://localhost:8000/check_flow?source=10.1.2.3&destination=10.11.12.13&port=22" | python -m json.tool
    {
        "action_type": "permit",
        "destination": "10.11.12.13",
        "destination_zone": "trust__zone1",
        "device_queried": "somefw.grpn",
        "dst_colo": "colo1",
        "policy_name": "NETOPS-9999",
        "source": "10.1.2.3",
        "source_zone": "trust__zone2",
        "src_colo": "colo2",
        "success": true
    }

    IS THIS FLOW ALLOWED?

  • [asalinas@GMGM20689] curl -s "http://localhost:8000/get_policy_by_name?device_name=somefw.grpn&policy_name=NETOPS-9999" | python -m json.tool
    {
        "device_name": "somefw.grpn",
        "policy_information": {
            "NETOPS-9999": {
                "action": "permit",
                "application": "junos-ssh",
                "destination_addresses": [
                    "host1.grpn",
                    "host2.grpn"
                ],
                "destination_zone_name": "trust__zone1",
                "policy_sequence_number": "100",
                "policy_state": "enabled",
                "seq_check": "No",
                "source_addresses": "host3.grpn",
                "source_zone_name": "trust__zone2",
                "syn_check": "No"
            }
        },
        "policy_name": "NETOPS-9999",
        "success": true
    }

    FIREWALL POLICY DETAIL

  • get_firewall_zone

    get_policy_by_name

    FIREWALL AUTOMATION BUILDING BLOCKS

    check_flow TBD

    TBD

    TBD
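    The three building blocks above (get_firewall_zone, get_policy_by_name, check_flow) answer "is this flow allowed?" by resolving the source and destination to security zones through the firewall's routing table and then walking that zone pair's policies in order. As an added example, not the presenter's REST service, here is that lookup logic in Python over constructed data: a hypothetical firewall "somefw.grpn" with a constructed route/zone table, address book, application table and policy list. The colo fields from the real responses are left out, and the fallback to deny when no policy matches is an assumption of the example.

```python
"""
Added example (not the presenter's code): the logic behind the
get_firewall_zone and check_flow endpoints shown above, over constructed data.
The device name, routes, address book, applications and policies are all
assumptions made for the example.
"""
from ipaddress import ip_address, ip_network

DEVICE = "somefw.grpn"  # hypothetical firewall

# Constructed route table with the zone of each egress interface:
# (prefix, interface, next_hop, zone). A real tool would pull this from the device.
ZONE_ROUTES = [
    ("10.10.10.0/24", "ae8.0", "10.10.12.3", "trust__zone20"),
    ("10.11.0.0/16", "ae9.0", "10.11.0.1", "trust__zone1"),
    ("10.1.0.0/16", "ae10.0", "10.1.0.1", "trust__zone2"),
    ("0.0.0.0/0", "ae1.0", "192.0.2.1", "untrust"),
]

# Constructed address book and application definitions.
ADDRESS_BOOK = {
    "host1.grpn": "10.11.12.13/32",
    "host2.grpn": "10.11.12.14/32",
    "host3.grpn": "10.1.2.3/32",
    "any": "0.0.0.0/0",
}
APPLICATIONS = {"junos-ssh": ("tcp", 22), "junos-http": ("tcp", 80), "any": None}

# Constructed policies per (from_zone, to_zone) in sequence order; first match wins.
POLICIES = {
    ("trust__zone2", "trust__zone1"): [
        {"name": "NETOPS-9999", "state": "enabled", "action": "permit",
         "source_addresses": ["host3.grpn"],
         "destination_addresses": ["host1.grpn", "host2.grpn"],
         "application": "junos-ssh"},
        {"name": "DEFAULT-DENY", "state": "enabled", "action": "deny",
         "source_addresses": ["any"], "destination_addresses": ["any"],
         "application": "any"},
    ],
}


def _zone_of(destination):
    """Longest-prefix match; returns (network, iface, next_hop, zone) or None."""
    addr = ip_address(destination.split("/")[0])  # accept a host or a prefix
    best = None
    for prefix, iface, next_hop, zone in ZONE_ROUTES:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop, zone)
    return best


def get_firewall_zone(destination):
    """Same shape as the get_firewall_zone response above (minus colo)."""
    best = _zone_of(destination)
    if best is None:
        return {"device_queried": DEVICE, "destination": destination, "success": False}
    net, iface, next_hop, zone = best
    return {"device_queried": DEVICE, "destination": destination, "success": True,
            "zone_data": [{"destination_match": str(net), "interface": iface,
                           "next_hop": next_hop, "zone_name": zone}]}


def _address_matches(names, addr):
    return any(ip_address(addr) in ip_network(ADDRESS_BOOK[n]) for n in names)


def _application_matches(app, proto, port):
    spec = APPLICATIONS[app]
    return spec is None or spec == (proto, port)


def check_flow(source, destination, port, proto="tcp"):
    """Resolve both zones, then walk the zone pair's enabled policies in order."""
    src, dst = _zone_of(source), _zone_of(destination)
    result = {"device_queried": DEVICE, "source": source, "destination": destination}
    if src is None or dst is None:
        return dict(result, success=False)
    src_zone, dst_zone = src[3], dst[3]
    result.update(source_zone=src_zone, destination_zone=dst_zone, success=True)
    for policy in POLICIES.get((src_zone, dst_zone), []):
        if policy["state"] != "enabled":
            continue
        if (_address_matches(policy["source_addresses"], source)
                and _address_matches(policy["destination_addresses"], destination)
                and _application_matches(policy["application"], proto, port)):
            return dict(result, policy_name=policy["name"], action_type=policy["action"])
    # No policy for this zone pair matched: treat as deny (assumption of the example).
    return dict(result, policy_name=None, action_type="deny")


if __name__ == "__main__":
    import json
    print(json.dumps(check_flow("10.1.2.3", "10.11.12.13", 22), indent=4, sort_keys=True))
```

    Ordering matters: policies are evaluated in sequence and the first match wins, so a query tool that pulls policies from the device must preserve the sequence numbers (the policy_sequence_number field in the get_policy_by_name response) rather than sorting by name.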

  • Not only the network team can take advantage of your automation

    Publishing configuration and operational information benefits your team

    STORY 3: LEARNINGS

  • WRAPPING UP

    ALEJANDRO SALINAS

    Sr Manager Network Operations

  • Q+A Thank you very much!