Transcript
Page 1: Network Automation (Bay Area Juniper Networks Meetup)

Network Automation

Alejandro Salinas

Page 2: Network Automation (Bay Area Juniper Networks Meetup)

Intro

Page 3: Network Automation (Bay Area Juniper Networks Meetup)

WHERE ARE YOU WITH REGARDS TO AUTOMATION?

Page 4: Network Automation (Bay Area Juniper Networks Meetup)

IT’S ALSO ABOUT PROCESS AND CULTURAL CHANGE

Page 5: Network Automation (Bay Area Juniper Networks Meetup)

Story 1 An experiment that pays off

Page 6: Network Automation (Bay Area Juniper Networks Meetup)

xkcd.com

Page 7: Network Automation (Bay Area Juniper Networks Meetup)

•  A script to find a host in the network and its port settings

•  A script to change the vlan in a specific port

•  A script that combines both functionalities

THREE SCRIPTS

Page 8: Network Automation (Bay Area Juniper Networks Meetup)

THREE SCRIPTS (CONT)

[asalinas:juniper_tools] ./set_vlan.py vlan2 myhost.grpn -pPassword:
INFO: Looking for myhost.grpn MAC address
INFO: Translating hostname myhost.grpn into MAC address ab:cd:fe:00:01:02
INFO: Starting search in: myswitch.grpn
INFO: Getting MAC Address table
INFO: Host myhost.grpn (MAC: ab:cd:fe:00:01:02) is in myswitch.grpn (vlan,port) [('vlan1', 'ge-2/0/20.0')]
INFO: DISCOVERY COMPLETED - Setting Vlans
INFO: Getting VLAN info...
INFO: vlan vlan2 exists in myswitch.grpn - OK
INFO: Getting interface ge-2/0/20 information
INFO: Current vlans are ['vlan1']
INFO: Interface ge-2/0/20 is in access mode, setting/changing vlan.
INFO: Locking configuration
INFO: Configuration Sent OK
INFO: Configuration Validation OK
INFO: Config diff:

[edit interfaces ge-2/0/20 unit 0 family ethernet-switching vlan]
-    members vlan1;
+    members vlan2;

INFO: Releasing Lock
INFO: Cleanup: myswitch.grpn

Page 9: Network Automation (Bay Area Juniper Networks Meetup)
Page 10: Network Automation (Bay Area Juniper Networks Meetup)

ABOUT LEARNING CURVES

Page 11: Network Automation (Bay Area Juniper Networks Meetup)

•  Small interruptions were a good place to start our automation efforts

•  Your first win does not need to be a fully automated process

•  Not all automation efforts require a source of truth/systems in place

STORY 1: LEARNINGS

Page 12: Network Automation (Bay Area Juniper Networks Meetup)

Story 2 Code your way out of a crisis

Page 13: Network Automation (Bay Area Juniper Networks Meetup)

•  Design and build a new datacenter

•  Add capacity to an existing datacenter

•  Manage Load Balancers

•  Manage Firewalls

•  Manage On-call

Page 14: Network Automation (Bay Area Juniper Networks Meetup)

•  1 x Predictable cabling standard

•  N x Jinja Templates

•  N x YAML Files

•  Code to use all of the above

Page 15: Network Automation (Bay Area Juniper Networks Meetup)

dhcpd.conf

Page 16: Network Automation (Bay Area Juniper Networks Meetup)

Results

TODO list:

•  Check ports

•  Check OS versions

•  Check licenses

•  Check IP allocations

•  Check vlans

•  Check routing

Page 17: Network Automation (Bay Area Juniper Networks Meetup)

Retrieve:

.- Operational status

.- Configuration status

Retrieve:

.- Allocations

✓  Ports

✓  OS versions

✓  Licenses

✓  IP allocations

✓  Vlans

✓  BGP peers

✓  Etc, etc

Page 18: Network Automation (Bay Area Juniper Networks Meetup)

[email protected]:provisioning] ./config_auditor.py -d access12419.grpn
INFO: access12419 : Connected
INFO: Device is part of a virtual_chassis - checking membership and ports
INFO: Both units run 14.2X99-D99.2
INFO: FPC0 seems to be the TOP TORS – Good
INFO: RE0 is master
INFO: Port ('fpc0', '2/0') is Configured and UP
INFO: Port ('fpc0', '2/1') is Configured and UP
INFO: LY0123456 has a valid Routing license
INFO: vme 10.22.16.220/22 is assigned to this device
INFO: loopback 10.22.0.57/32 is assigned to this device
INFO: 0 P2P allocations found for this device, no errors found
INFO: VLAN Audit completed, 7 vlans configured, no errors found
INFO: Looking for interface et-0/1/0
INFO: Interface et-0/1/0 is part of LACP interface ae62, will check later
INFO: Checking physical port...
INFO: Oper status is UP
INFO: Admin status is UP
INFO: Checking LLDP neighbors...
INFO: LLDP neighbors and descriptions seems consistent
INFO: Finished with et-0/1/0 - interface is OK
INFO: Checking interface ae62
INFO: LACP interface ae62 (et-0/1/0) looks good
INFO: Finished with access12419.grpn - All seems OK!!

CONFIG AUDITING

Page 19: Network Automation (Bay Area Juniper Networks Meetup)

CONFIG AUDITING (CONT)

Page 20: Network Automation (Bay Area Juniper Networks Meetup)

CONFIG AUDITING (CONT)

Page 21: Network Automation (Bay Area Juniper Networks Meetup)

PERMANENT IMPROVEMENT

Page 22: Network Automation (Bay Area Juniper Networks Meetup)

•  It’s not about the system but about delivering

•  Do not expect immediate results, it could still be nobody’s job,

•  Change management / Cultural change is a big challenge

STORY 2: LEARNINGS

Page 23: Network Automation (Bay Area Juniper Networks Meetup)

Story 3 Ask the Network

Page 24: Network Automation (Bay Area Juniper Networks Meetup)

Operational status:

•  Is there a route to x.y.z.t?

•  Is port xyz up now?

•  Is this firewall flow allowed?

Configuration information:

•  Where is subnet x.y.z.w?

•  Is port xyz configured for LACP?

•  What’s the console port for device xyz?

REST

Page 25: Network Automation (Bay Area Juniper Networks Meetup)

[asalinas@GMGM20689:juniper_tools] curl -s http://localhost:8000/get_host_information?hostname=otherhost.grpn | python -m json.tool
{
    "device_queried": "access1128.grpn",
    "interface_information": {
        "ab:cd:ef:fe:bc:b8": [
            {
                "interface": "ae33.0",
                "vlan_id": "100",
                "vlan_name": "vlan100"
            }
        ],
        "ab:cd:ef:fe:bc:ba": null,
        "ab:cd:ef:fe:bc:bc": null,
        "ab:cd:ef:fe:bc:bd": null
    },
    "mac_addresses": [
        "ab:cd:ef:fe:bc:b8",
        "ab:cd:ef:fe:bc:ba",
        "ab:cd:ef:fe:bc:bc",
        "ab:cd:ef:fe:bc:bd"
    ],
    "success": true
}

FIND A HOST

Page 26: Network Automation (Bay Area Juniper Networks Meetup)

[asalinas@GMGM20689:juniper_tools] curl -s http://localhost:8000/get_firewall_zone?destination=10.10.10.21/31 | python -m json.tool
{
    "colo": "grpn",
    "destination": "10.10.10.21/31",
    "device_queried": "somefw.grpn",
    "success": true,
    "zone_data": [
        {
            "destination_match": "10.10.10.0/24",
            "interface": "ae8.0",
            "next_hop": "10.10.12.3",
            "zone_name": "trust__zone20"
        }
    ]
}

SECURITY ZONES

Page 27: Network Automation (Bay Area Juniper Networks Meetup)

[asalinas@GMGM20689:~] curl -s "http://localhost:8000/check_flow?source=10.1.2.3&destination=10.11.12.13&port=22" | python -m json.tool
{
    "action_type": "permit",
    "destination": "10.11.12.13",
    "destination_zone": "trust__zone1",
    "device_queried": "somefw.grpn",
    "dst_colo": "colo1",
    "policy_name": "NETOPS-9999",
    "source": "10.1.2.3",
    "source_zone": "trust__zone2",
    "src_colo": "colo2",
    "success": true
}

IS THIS FLOW ALLOWED?

Page 28: Network Automation (Bay Area Juniper Networks Meetup)

[asalinas@GMGM20689] curl -s "http://localhost:8000/get_policy_by_name?device_name=somefw.grpn&policy_name=NETOPS-9999" | python -m json.tool
{
    "device_name": "somefw.grpn",
    "policy_information": {
        "NETOPS-9999": {
            "action": "permit",
            "application": "junos-ssh",
            "destination_addresses": [
                "host1.grpn",
                "host2.grpn"
            ],
            "destination_zone_name": "trust__zone1",
            "policy_sequence_number": "100",
            "policy_state": "enabled",
            "seq_check": "No",
            "source_addresses": "host3.grpn",
            "source_zone_name": "trust__zone2",
            "syn_check": "No"
        }
    },
    "policy_name": "NETOPS-9999",
    "success": true
}

FIREWALL POLICY DETAIL
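A worked, offline version of the check_flow lookup shown on the two slides above (an added example, not the talk's own code): it classifies source and destination into zones by longest-prefix match over a zone route table, then walks an ordered, zone-pair-scoped policy list the way get_policy_by_name exposes it, returning the same kind of record check_flow does. The zone table, address book, applications and both policies are constructed sample values; a flow that matches no enabled policy is reported as an implicit deny rather than left unanswered.

```python
import ipaddress

# Constructed sample data modelled on the check_flow / get_policy_by_name JSON above.
ZONE_ROUTES = {                      # zone <- prefixes that route out through it
    "trust__zone1": ["10.11.12.0/24"],
    "trust__zone2": ["10.1.0.0/16"],
    "untrust": ["0.0.0.0/0"],
}
ADDRESS_BOOK = {"host1.grpn": "10.11.12.13/32", "host2.grpn": "10.11.12.14/32",
                "host3.grpn": "10.1.2.3/32", "any": "0.0.0.0/0"}
APPLICATIONS = {"junos-ssh": ("tcp", 22), "junos-https": ("tcp", 443), "any": None}
POLICIES = [                         # ordered as on the firewall; first match wins
    {"policy_name": "NETOPS-9999", "from_zone": "trust__zone2", "to_zone": "trust__zone1",
     "source_addresses": ["host3.grpn"], "destination_addresses": ["host1.grpn", "host2.grpn"],
     "application": "junos-ssh", "action": "permit", "policy_state": "enabled"},
    {"policy_name": "DENY-ALL", "from_zone": "trust__zone2", "to_zone": "trust__zone1",
     "source_addresses": ["any"], "destination_addresses": ["any"],
     "application": "any", "action": "deny", "policy_state": "enabled"},
]

def zone_for(ip):
    """Longest-prefix match of an address against the zone route table (None if unrouted)."""
    addr, best = ipaddress.ip_address(ip), None
    for zone, prefixes in ZONE_ROUTES.items():
        for net in map(ipaddress.ip_network, prefixes):
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (zone, net)
    return best[0] if best else None

def _in_book(names, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(ADDRESS_BOOK[n]) for n in names)

def check_flow(source, destination, port, proto="tcp"):
    """Return the first enabled policy matching the flow, or the zone pair's implicit deny."""
    src_zone, dst_zone = zone_for(source), zone_for(destination)
    result = {"source": source, "destination": destination, "source_zone": src_zone,
              "destination_zone": dst_zone, "policy_name": None, "action_type": "deny"}
    for pol in POLICIES:
        if pol["policy_state"] != "enabled" or \
           (pol["from_zone"], pol["to_zone"]) != (src_zone, dst_zone):
            continue
        if not (_in_book(pol["source_addresses"], source)
                and _in_book(pol["destination_addresses"], destination)):
            continue
        app = APPLICATIONS[pol["application"]]
        if app is not None and app != (proto, port):
            continue
        return dict(result, policy_name=pol["policy_name"], action_type=pol["action"])
    return result            # no explicit match: default deny for the zone pair applies
```

Because the evaluation is first-match, the same code doubles as an audit check: run the flows you expect to be blocked through it and alert when a permit policy shadows the deny you intended.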

Page 29: Network Automation (Bay Area Juniper Networks Meetup)

get_firewall_zone

get_policy_by_name

FIREWALL AUTOMATION BUILDING BLOCKS

check_flow

TBD

TBD

TBD

Page 30: Network Automation (Bay Area Juniper Networks Meetup)

•  Not only the network team can take advantage of your automation

•  Publish configuration and operational information benefits your team

STORY 3: LEARNINGS

Page 31: Network Automation (Bay Area Juniper Networks Meetup)

WRAPPING UP

ALEJANDRO SALINAS

Sr Manager – Network Operations

Page 32: Network Automation (Bay Area Juniper Networks Meetup)

Q+A Thank you very much!
