AnsibleNetworkAutomation PDF
NETWORK INFRASTRUCTURE
Steven Carter
Principal Solutions Architect, Ansible
scarter@redhat.com
http://www.ansible.com/network-automation
MANAGING NETWORKS HASN’T CHANGED IN 30 YEARS.
WHY HASN’T NETWORKING CHANGED?
PEOPLE
• Domain-specific skillsets
PRODUCTS
• Infrastructure-focused features
Hero Code
Step 1: Translate Infrastructure into Code
[Diagram: Servers, Storage and Networking are expressed as Infrastructure Code, which moves through a PLAN, DEVELOP, TEST, DEPLOY cycle]
● Revision control, configuration management
● Ensure an ongoing steady-state
● Automated testing, reduce human error
Step 3: Communicate with Code
[Diagram: Security Team, Developers and Operations sharing the same code]
WHAT IS ANSIBLE?
• No special coding skills needed
• Configuration management
• Uses OpenSSH & WinRM
• Ongoing compliance: compare running configs to golden masters on schedules
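The ongoing-compliance bullet above, as an added example that is not part of the deck: a Python check (assumed function names, not Ansible's own code) diffs a device's running config against its golden master, ignoring volatile lines, so a scheduled run reports drift in both directions. The sample configs are constructed and reuse the hostname, domain and NTP values from the deck's config example.

```python
# Added example (not from the deck): a scheduled compliance check that diffs a
# device's running config against its golden master, ignoring volatile lines.
import re

# Constructed sample configs (IOS-style), not captured from a real device.
GOLDEN = """\
hostname nexus-sw03-mgmt
ip domain-name lab.eng.rdu.redhat.com
ntp server 10.11.160.238
ntp server 10.5.27.10
no ip http server
"""
RUNNING = """\
! Last configuration change at 10:42:17 UTC
hostname nexus-sw03-mgmt
ip domain-name lab.eng.rdu.redhat.com
ntp server 10.11.160.238
ip http server
logging host 203.0.113.5
"""
# Lines that legitimately differ per device or per run and must not alarm.
VOLATILE = re.compile(r"^(!|ntp clock-period|Building configuration)")

def normalize(config):
    """Strip comments and whitespace so only intent-bearing lines are compared."""
    lines = set()
    for raw in config.splitlines():
        line = raw.strip()
        if line and not VOLATILE.match(line):
            lines.add(line)
    return lines

def compliance_report(golden, running):
    """Return (missing, unexpected); drift in either direction is a finding."""
    want, have = normalize(golden), normalize(running)
    missing = sorted(want - have)      # golden lines the device has lost
    unexpected = sorted(have - want)   # lines nobody put in the golden master
    return missing, unexpected

def is_compliant(golden, running):
    """True only when the running config matches the golden master exactly."""
    missing, unexpected = compliance_report(golden, running)
    return not missing and not unexpected
```

In a playbook the same comparison would run against the output of a `show running-config` task and be scheduled from the controller.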
[Slide: Networking feature checklist: Programmability ✔ ✔, Declarative Intent, Aggregate Resources, Platform Agnostic, Persistent Connections, NETCONF Support; platform/module counts shown: 29 Platforms / 267 Modules, 17 Platforms / 141 Modules, 7 Platforms / 28 Modules]
ANSIBLE’S AUTOMATION ENGINE
[Diagram: USERS and a CMDB feed the INVENTORY and API; PUBLIC / PRIVATE CLOUD sources (OpenStack, VMware, EC2, Rackspace, GCE, Azure, Spacewalk, Hanlon, Cobbler) also populate the inventory; the ANSIBLE PLAYBOOK drives MODULES and PLUGINS against HOSTS and NETWORK DEVICES]

Example inventory:
[spine]
spine1.example.com
spine2.example.com
[leaf]
leaf1.example.com
leaf2.example.com

MODULES
• Gears in the engine
• Written in Python, Powershell or any language
• Extend Ansible simplicity to entire stack
PLUGINS
• Tools in the toolkit
• Plugs into the core engine
• Adaptability for various uses & platforms
• CUSTOM plugins supported
PLAYBOOKS
• Written in YAML
• Tasks are executed sequentially
• Invokes Ansible modules
ANSIBLE UNDER THE HOOD
[Diagram: USERS, CMDB and PUBLIC / PRIVATE CLOUD feed the INVENTORY and API; the ANSIBLE PLAYBOOK uses MODULES and PLUGINS to manage HOSTS and NETWORKING devices]
CONFIG EXAMPLE
vars:
  ntp_servers:
    - 10.11.160.238
    - 10.5.27.10
tasks:
  - name: Set the switch name and domain name
    nxos_config:
      lines:
        - "hostname {{ inventory_hostname }}"
        - ip domain-name lab.eng.rdu.redhat.com
      provider: "{{ cli }}"
Output of the config example:
TASK [Set the switch name and domain name] *************************************
ok: [nexus-sw03-mgmt]
ok: [nexus-sw04-mgmt]
- ios_interface:
...
DECLARATIVE INTENT
- name: configure interface
  net_interface:
    name: GigabitEthernet0/2
    description: public interface configuration
    enabled: yes
    state: connected
    neighbors:
      - host: core-01
        port: Ethernet5/2/6
[Slide annotations: name, description and enabled are the Declared Configuration; state and neighbors are the Intended State]
AGGREGATE RESOURCES
- name: configure vlans
  net_vlan:
    vlan_id: "{{ item.vlan_id }}"
    name: "{{ item.name | default(omit) }}"
    state: "{{ item.state | default('active') }}"
  with_items:
    - { vlan_id: 1, name: default }
    - { vlan_id: 2, name: Vl2 }
    - { vlan_id: 3, state: suspend }
Ansible Best Practices and Concepts
Layered Implementation
[Diagram: configuration built up in layers: Overlays; Routing/Logical (OSPF, EIGRP, BGP); STP, VLANs, TRUNK; ACL, AAA]
Inventory
● Enumerates inventory
● Groups hosts by function, location, etc.
● Specify additional attributes

[switches]
spine1
spine2
[switches:vars]
ansible_network_os=nxos
[routers]
juniper1 ansible_network_os=junos
cisco1 ansible_network_os=ios
[network:children]
switches
routers
The Anatomy of a Repository
Project Repository:
ansible.cfg
inventory/                 Per-Environment Inventory and Data
  test/
    hosts
    host_vars/
    group_vars/
  prod/
    hosts
    host_vars/
    group_vars/
roles/                     Community/Organizational shared code
  access_switch/
  dist_router/
  tenant_firewall/
playbook1.yml              Repository-Specific Playbooks
playbook2.yml
Decouple Definition from Implementation

Definition (tenant data):
project_tag: foo
tenant_nets:
  - 192.133.157.0/24
fw_outside_ip: 192.133.159.73
fw_inside_ip: 192.133.159.137
vlan_data:
  - { id: 600, name: foo-external }
  - { id: 601, name: foo-provider601 }
svis:
  - { id: 600, cidr: 192.133.157.1/27, vrf: foo, switch: "csn-sjc18
  - { id: 601, cidr: 192.133.157.33/27, vrf: foo, switch: "csn-sjc1
port_data:
  - { desc: "mcp1.titan1", switch: "aa17-n9k-1", interface: "Ethern
  - { desc: "mcp1.titan1", switch: "aa17-n9k-2", interface: "Ethern

Implementation (tasks):
- name: Creating vlans
  nxos_vlan:
    host: "{{ item[0] }}"
    transport: cli
    vlan_id: "{{ item[1].id }}"
    state: "{{ item[1].state | default('present') }}"
    admin_state: "{{ item[1].admin | default('up') }}"
    name: "{{ item[1].name }}"
  with_nested:
    - "{{ vlan_devices | default([]) }}"
    - "{{ vlan_data | default([]) }}"
- name: Create the SVI interfaces
  nxos_interface:
    host: "{{ item.switch }}"
    transport: cli
    interface: "vlan{{ item.id }}"
    admin_state: up
  with_items: "{{ svi_data | default([]) }}"
Engineering/Implementation Changes
[Diagram: Definition -> Implementation -> Infrastructure]
system:
  hostname: "{{ inventory_hostname }}"
  domain_name: eng.ansible.com
  source_interface:
    name: Management1
    vrf: default
  domain_lookup: no
vlan_data:
  - { id: 600, name: management }
  - { id: 601, name: users }
Facts Cache
Per-Inventory Item:
hostvars[inventory_hostname]:
  interfaces:
    Gi1/0/1:
      description: "ht3-node1:eth0"
      enabled: True
      mtu: 1500
      mode: trunk
      native_vlan: 99
    Gi1/0/2:
      description: "ht3-node2:eth0"
      enabled: True
      mtu: 1500
      mode: access
      access_vlan: 10
    Gi1/0/3:
      description: "ht3-node3:eth0"
      enabled: True
      mtu: 1500
      mode: access
      access_vlan: 10
Saving Facts
Per-Inventory Item: the same hostvars[inventory_hostname].interfaces facts cache shown above.
Playbook writes out to inventory:
- name: write out the interfaces vars
  copy:
    dest: "{{ inventory_dir }}/{{ inventory_hostname }}/interfaces.yml"
    content: "{{ interfaces | to_nice_yaml }}"
or write out to CMDB:
- include_role:
    name: save_to_cmdb
The Role of Roles
[Diagram: the access_switch role bundles ios_command, ios_vlan and ios_interface tasks; the same role is applied to the Test and Prod [access_switches] groups by specifying the inventory]
Invoked from a task:
- include_role:
    name: access_switch
or from a play:
- hosts: access_switches
  roles:
    - access_switch
IaC In Action
[Diagram: SMEs, Operators and Developers around the Plan, Develop, Test, Deploy, Operate cycle]
From Zero to Hero
Problem: Solution:
[Diagram: the tenant definition below is mapped onto Routing/Peering, Firewall Context, SVIs and VLANs]
project_tag: foo
tenant_nets:
  - 192.133.157.0/24
fw_outside_ip: 192.133.159.73
fw_inside_ip: 192.133.159.137
vlan_data:
  - { id: 600, name: foo-external }
  - { id: 601, name: foo-provider601 }
svis:
  - { id: 600, cidr: 192.133.157.1/27, vrf: foo, switch: "csn-sjc18
  - { id: 601, cidr: 192.133.157.33/27, vrf: foo, switch: "csn-sjc1
port_data:
  - { desc: "mcp1.titan1", switch: "aa17-n9k-1", interface: "Ethern
  - { desc: "mcp1.titan1", switch: "aa17-n9k-2", interface: "Ethern
SECURITY
Problem:
• Managing policies across different types of hardware and software is difficult and prone to error
Solution:
• Define the policy once, then apply to multiple infrastructures (e.g. physical, virtual, cloud, network, system, etc.)

EXAMPLE: PERVASIVE SECURITY
Problem: different Devices/Vendors require different ACL formats
fw_rules:
  - { rule: "public", src_ip: 0.0.0.0/0, dst_ip: 192.133.160.23/32, dst_port: 32400, proto: tcp, action: allow, comment: plex }
  - { rule: "public", src_ip: 0.0.0.0/0, dst_ip: 192.133.160.23/32, dst_port: 1900, proto: udp, action: allow, comment: plex }
  - { rule: "public", src_ip: 0.0.0.0/0, dst_ip: 192.133.160.23/32, dst_port: 3005, proto: tcp, action: allow, comment: plex }
  - { rule: "public", src_ip: 0.0.0.0/0, dst_ip: 192.133.160.23/32, dst_port: 5353, proto: udp, action: allow, comment: plex }
Solution: apply the same abstracted rule set to firewalls, hosts, routers, etc.
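The "define once, render per platform" idea above, as an added example that is not part of the deck: a small Python renderer (assumed function names, not an Ansible module) takes the slide's fw_rules data model, validates every rule so a malformed policy is never pushed, and emits the equivalent Linux iptables command and Cisco IOS extended-ACL entry. The rule list is a constructed copy of two of the slide's entries.

```python
# Added example (not from the deck): render the deck's abstract fw_rules data
# model into Linux iptables and Cisco IOS extended-ACL syntax after validation.
import ipaddress
import shlex
# Constructed sample mirroring the fw_rules definition on the slide.
FW_RULES = [
    {"rule": "public", "src_ip": "0.0.0.0/0", "dst_ip": "192.133.160.23/32",
     "dst_port": 32400, "proto": "tcp", "action": "allow", "comment": "plex"},
    {"rule": "public", "src_ip": "0.0.0.0/0", "dst_ip": "192.133.160.23/32",
     "dst_port": 1900, "proto": "udp", "action": "allow", "comment": "plex"},
]
ACTIONS = {"allow": ("ACCEPT", "permit"), "deny": ("DROP", "deny")}  # -> (iptables, IOS)

def validate(rule):
    """Fail closed: a rule the abstract model cannot express is never rendered."""
    if rule["proto"] not in ("tcp", "udp"):
        raise ValueError(f"unsupported proto {rule['proto']!r}")
    if rule["action"] not in ACTIONS:
        raise ValueError(f"unsupported action {rule['action']!r}")
    if not 1 <= int(rule["dst_port"]) <= 65535:
        raise ValueError(f"bad dst_port {rule['dst_port']!r}")
    for key in ("src_ip", "dst_ip"):  # raises ValueError on a malformed CIDR
        ipaddress.ip_network(rule[key], strict=False)
    return rule

def _ios_addr(cidr):
    """IOS extended ACLs use any / host X / X wildcard-mask, not CIDR notation."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def to_iptables(rule, chain="INPUT"):
    """One iptables command per abstract rule; the comment survives for audit."""
    r = validate(rule)
    return (f"iptables -A {chain} -p {r['proto']} -s {r['src_ip']} -d {r['dst_ip']}"
            f" --dport {r['dst_port']} -m comment --comment {shlex.quote(r['comment'])}"
            f" -j {ACTIONS[r['action']][0]}")

def to_ios_acl(rule, acl_name="public"):
    """Equivalent Cisco IOS extended-ACL entry for the same abstract rule."""
    r = validate(rule)
    return (f"ip access-list extended {acl_name}\n remark {r['comment']}\n"
            f" {ACTIONS[r['action']][1]} {r['proto']} {_ios_addr(r['src_ip'])}"
            f" {_ios_addr(r['dst_ip'])} eq {r['dst_port']}")

def render(rules, renderer):
    return [renderer(r) for r in rules]
```

Adding a third target (a cloud security group, a host firewall) means adding one renderer, not rewriting the policy.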
Problem:
• Cloud things are different than on-prem things and different between clouds, increasing complexity
Solution:
• Define the policy once, then apply to multiple infrastructures (e.g. physical, virtual, cloud, network, system, etc).
EXAMPLE: ELASTIC CLOUD
1. Create Clouds:
   ansible-playbook build_aws_vpc.yml    (AWS VPC)
   ansible-playbook build_azure_vpc.yml  (Azure Resource Group)
   Builds “hosts” file
[Diagram: a Host in each cloud, connected by build_dmvpn.yml]
MONITORING INFRASTRUCTURE
Problem: Solution:
port_data:
  - { desc: "Host_A", switch: "tor1", interface: "Port-channel17", vpc: 17, port_list: ["Eth1/17"], port_profile: "ucs-fi" }
  - { desc: "Host_A", switch: "tor1", interface: "Port-channel18", vpc: 18, port_list: ["Eth1/18"], port_profile: "ucs-fi" }
  - { desc: "Host_B", switch: "tor2", interface: "Port-channel17", vpc: 17, port_list: ["Eth1/17"], port_profile: "ucs-fi" }
  - { desc: "Host_B", switch: "tor2", interface: "Port-channel18", vpc: 18, port_list: ["Eth1/18"], port_profile: "ucs-fi" }
DEVOPS
Problem: Solution:
[Workflow diagram:
 1. Check Out Branch -> Make Changes -> Check In Branch / Create PR; Version Control notifies of the PR
 2. Test changes: the repository is monitored for changes and pass / fail is notified
 3. Merge Branch: the new Ansible Playbooks are pulled and deployment is notified
 4. Deploy Playbooks]
WORKFLOW AUTOMATION
Problem: Solution:
[Diagram: a workflow spanning Servers, Networking, Storage, Monitoring and Reputation]
LOG/EVENT ANALYTICS
Problem: Solution:
[Diagram: Application Logs, Topology, NetFlow, Firewalls, IDS, Switch Metrics, Reputation and Monitoring data feeding analytics across Servers, Networking and Storage]
RESOURCES
Ansible Webinars:
https://www.ansible.com/network-automation