Upload
puppet-labs
View
1.153
Download
0
Embed Size (px)
DESCRIPTION
Peter Sprygada, Arista
Citation preview
Network Automa-on with Puppet
Why?
• Opera-ons Agility – Change management in networks is hard – Lots of moving parts to consider
• Service Velocity – Timeframes for CRUD ac-vity unacceptable
• Configura-on Consistency – Number 1 reason for network outages – History has taught us to fear external systems
! device: $HostnameSpine1 (DCS-‐7508, /$Cer-fiedCode) ! ! boot system flash:/$Cer-fiedCode ! queue-‐monitor length ! logging buffered 10000 no logging console logging vrf MGMT host $SyslogHostAddress logging vrf MGMT host $SyslogHostAddress logging vrf MGMT source-‐interface Management1/1 logging format -mestamp high-‐resolu-on logging facility local6 ! hostname $HostnameSpine1 ip name-‐server $DNSHostAddress ip name-‐server $DNSHostAddress ip domain-‐name $CompanyDomainName ! ntp source Management1/1 ntp server vrf MGMT $NTPHostAddress1 prefer ntp server vrf MGMT $NTPHostAddress2 ! snmp-‐server contact "$SNMPcontact" snmp-‐server loca-on $bldg/$floor/$room/$rack no snmp-‐server vrf main snmp-‐server vrf MGMT snmp-‐server source-‐interface Management1/1 snmp-‐server community $SNMPCommunity ro SNMP-‐RO-‐ACL snmp-‐server community $SNMPCommunity rw SNMP-‐RW-‐ACL snmp-‐server host $SNMPHostAddress traps version 2c $SNMPcommunity snmp-‐server enable traps en-ty snmp-‐server enable traps lldp snmp-‐server enable traps snmp ! tacacs-‐server key $TacacsServerKey tacacs-‐server host $TacacsServerAddress vrf MGMT ip tacacs source-‐interface Management1/1 ! spanning-‐tree mode mstp ! aaa authen-ca-on login default group tacacs+ local aaa authen-ca-on enable default group tacacs+ local aaa authoriza-on console aaa authoriza-on exec default group tacacs+ none aaa authoriza-on commands 1,15 default group tacacs+ none aaa accoun-ng exec default start-‐stop group tacacs+ aaa accoun-ng commands 15 default start-‐stop group tacacs+ ! no aaa root
vrf defini-on MGMT rd $SpineAS01 ! Vlan 999 state suspend name UNUSED-‐PORTS i Interface Ethernet$ModNumber/$SubModNumber/1-‐$HighestPortNumber switchport mode access switchport access vlan 999 shut ! Interface Ethernet3/1/1 descrip-on -‐ P2P Link to LEAF switch-‐1 speed forced 40gfull mtu 9214 logging event link-‐status no switchport ip address $IPAddress/30 arp -meout 900 ip pim sparse-‐mode ip pim bfd-‐instance qos trust dscp no shut ! Interface Ethernet3/1/2 descrip-on -‐ P2P Link to LEAF switch-‐2 speed forced 40gfull mtu 9214 logging event link-‐status no switchport ip address $IPAddress/30 arp -meout 900 ip pim sparse-‐mode ip pim bfd-‐instance qos trust dscp no shut ! Interface Ethernet4/1/1 descrip-on -‐ P2P Link to LEAF switch-‐1 speed forced 40gfull mtu 9214 logging event link-‐status no switchport ip address $IPAddress/30 arp -meout 900 ip pim sparse-‐mode ip pim bfd-‐instance qos trust dscp no shut ! Interface Ethernet4/1/2 descrip-on -‐ P2P Link to LEAF switch-‐2 speed forced 40gfull
logging event link-‐status no switchport ip address $IPAddress/30 arp -meout 900 ip pim sparse-‐mode ip pim bfd-‐instance qos trust dscp no shut ! interface Loopback0 descrip-on Router-‐ID ip address $IPAddress/32 ! interface Management1 no snmp trap link-‐status vrf forwarding MGMT ip address $MGMTIPAddress/$MGMTSubnetMask ! ip route vrf MGMT 0.0.0.0/0 $GatewayOfLastResortAddress ! ip rou-ng no ip rou-ng vrf MGMT ! ip mul-cast-‐rou-ng ! ip prefix-‐list PREFIX-‐LIST-‐IN seq 10 permit $Prefix/$PrefixLength ! route-‐map ROUTE-‐MAP-‐IN permit 10 match ip address prefix-‐list PREFIX-‐LIST-‐IN ! ip prefix-‐list PREFIX-‐LIST-‐OUT seq 10 permit $Prefix/$PrefixLength ! route-‐map ROUTE-‐MAP-‐OUT permit 10 match ip address prefix-‐list PREFIX-‐LIST-‐OUT ! router bgp $SpineAS router-‐id <Loopback0_Address> bgp log-‐neighbor-‐changes distance bgp 20 200 200 maximum-‐paths 64 neighbor EBGP-‐TO-‐LEAF-‐PEER peer-‐group neighbor EBGP-‐TO-‐LEAF-‐PEER password $Password neighbor EBGP-‐TO-‐LEAF-‐PEER remote-‐as $LeafAS neighbor EBGP-‐TO-‐LEAF-‐PEER send-‐community neighbor EBGP-‐TO-‐LEAF-‐PEER fall-‐over bfd neighbor EBGP-‐TO-‐LEAF-‐PEER next-‐hop-‐self neighbor EBGP-‐TO-‐LEAF-‐PEER route-‐map ROUTE-‐MAP-‐IN in neighbor EBGP-‐TO-‐LEAF-‐PEER route-‐map ROUTE-‐MAP-‐OUT out neighbor EBGP-‐TO-‐LEAF-‐PEER maximum-‐routes 25000 neighbor $Leaf1IPAddress peer-‐group EBGP-‐TO-‐LEAF-‐PEER neighbor $Leaf2IPAddress peer-‐group EBGP-‐TO-‐LEAF-‐PEER !
banner login This system is privately owned and operated. Access to this system is restricted to authorized users only. Criminal and civil laws prohibit unauthorized use. Violators will be prosecuted. You must disconnect immediately if you are not an authorized user. EOF ! management console idle-‐-meout 15 ! management ssh idle-‐-meout 15 ! ! …
! device: $HostnameSpine1 (DCS-‐7508, /$Cer-fiedCode) ! ! boot system flash:/$Cer-fiedCode ! queue-‐monitor length ! logging buffered 10000 no logging console logging vrf MGMT host $SyslogHostAddress logging vrf MGMT host $SyslogHostAddress logging vrf MGMT source-‐interface Management1/1 logging format -mestamp high-‐resolu-on logging facility local6 ! hostname $HostnameSpine1 ip name-‐server $DNSHostAddress ip name-‐server $DNSHostAddress ip domain-‐name $CompanyDomainName ! ntp source Management1/1 ntp server vrf MGMT $NTPHostAddress1 prefer ntp server vrf MGMT $NTPHostAddress2 ! snmp-‐server contact "$SNMPcontact" snmp-‐server loca-on $bldg/$floor/$room/$rack no snmp-‐server vrf main snmp-‐server vrf MGMT snmp-‐server source-‐interface Management1/1 snmp-‐server community $SNMPCommunity ro SNMP-‐RO-‐ACL snmp-‐server community $SNMPCommunity rw SNMP-‐RW-‐ACL snmp-‐server host $SNMPHostAddress traps version 2c $SNMPcommunity snmp-‐server enable traps en-ty snmp-‐server enable traps lldp snmp-‐server enable traps snmp ! tacacs-‐server key $TacacsServerKey tacacs-‐server host $TacacsServerAddress vrf MGMT ip tacacs source-‐interface Management1/1 ! spanning-‐tree mode mstp ! aaa authen-ca-on login default group tacacs+ local aaa authen-ca-on enable default group tacacs+ local aaa authoriza-on console aaa authoriza-on exec default group tacacs+ none aaa authoriza-on commands 1,15 default group tacacs+ none aaa accoun-ng exec default start-‐stop group tacacs+ aaa accoun-ng commands 15 default start-‐stop group tacacs+ ! no aaa root
vrf defini-on MGMT rd $SpineAS01 ! Vlan 999 state suspend name UNUSED-‐PORTS i Interface Ethernet$ModNumber/$SubModNumber/1-‐$HighestPortNumber switchport mode access switchport access vlan 999 shut ! Interface Ethernet3/1/1 descrip-on -‐ P2P Link to LEAF switch-‐1 speed forced 40gfull mtu 9214 logging event link-‐status no switchport ip address $IPAddress/30 arp -meout 900 ip pim sparse-‐mode ip pim bfd-‐instance qos trust dscp no shut ! Interface Ethernet3/1/2 descrip-on -‐ P2P Link to LEAF switch-‐2 speed forced 40gfull mtu 9214 logging event link-‐status no switchport ip address $IPAddress/30 arp -meout 900 ip pim sparse-‐mode ip pim bfd-‐instance qos trust dscp no shut ! Interface Ethernet4/1/1 descrip-on -‐ P2P Link to LEAF switch-‐1 speed forced 40gfull mtu 9214 logging event link-‐status no switchport ip address $IPAddress/30 arp -meout 900 ip pim sparse-‐mode ip pim bfd-‐instance qos trust dscp no shut ! Interface Ethernet4/1/2 descrip-on -‐ P2P Link to LEAF switch-‐2 speed forced 40gfull
logging event link-‐status no switchport ip address $IPAddress/30 arp -meout 900 ip pim sparse-‐mode ip pim bfd-‐instance qos trust dscp no shut ! interface Loopback0 descrip-on Router-‐ID ip address $IPAddress/32 ! interface Management1 no snmp trap link-‐status vrf forwarding MGMT ip address $MGMTIPAddress/$MGMTSubnetMask ! ip route vrf MGMT 0.0.0.0/0 $GatewayOfLastResortAddress ! ip rou-ng no ip rou-ng vrf MGMT ! ip mul-cast-‐rou-ng ! ip prefix-‐list PREFIX-‐LIST-‐IN seq 10 permit $Prefix/$PrefixLength ! route-‐map ROUTE-‐MAP-‐IN permit 10 match ip address prefix-‐list PREFIX-‐LIST-‐IN ! ip prefix-‐list PREFIX-‐LIST-‐OUT seq 10 permit $Prefix/$PrefixLength ! route-‐map ROUTE-‐MAP-‐OUT permit 10 match ip address prefix-‐list PREFIX-‐LIST-‐OUT ! router bgp $SpineAS router-‐id <Loopback0_Address> bgp log-‐neighbor-‐changes distance bgp 20 200 200 maximum-‐paths 64 neighbor EBGP-‐TO-‐LEAF-‐PEER peer-‐group neighbor EBGP-‐TO-‐LEAF-‐PEER password $Password neighbor EBGP-‐TO-‐LEAF-‐PEER remote-‐as $LeafAS neighbor EBGP-‐TO-‐LEAF-‐PEER send-‐community neighbor EBGP-‐TO-‐LEAF-‐PEER fall-‐over bfd neighbor EBGP-‐TO-‐LEAF-‐PEER next-‐hop-‐self neighbor EBGP-‐TO-‐LEAF-‐PEER route-‐map ROUTE-‐MAP-‐IN in neighbor EBGP-‐TO-‐LEAF-‐PEER route-‐map ROUTE-‐MAP-‐OUT out neighbor EBGP-‐TO-‐LEAF-‐PEER maximum-‐routes 25000 neighbor $Leaf1IPAddress peer-‐group EBGP-‐TO-‐LEAF-‐PEER neighbor $Leaf2IPAddress peer-‐group EBGP-‐TO-‐LEAF-‐PEER !
banner login This system is privately owned and operated. Access to this system is restricted to authorized users only. Criminal and civil laws prohibit unauthorized use. Violators will be prosecuted. You must disconnect immediately if you are not an authorized user. EOF ! management console idle-‐-meout 15 ! management ssh idle-‐-meout 15 ! ! …
Puppet NetDev Module
NetDev is a vendor-‐neutral network abstrac-on framework contributed freely to the Puppet community
Basic layer-1 and layer-2 network abstractions
Can extend the framework to define any abstractions or features needed for an environment
The NetDev framework is open and free and accessible via Puppet Forge with implementations available for Arista, Juniper, Mellanox, Cumulus
Ready class puppet_switch_ports { case $osfamily { JUNOS: { $db_port = "ge-‐0/0/0" $web_port = "ge-‐0/0/1" $uplink_lag = "ae0" $uplink_lag_ports = [ 'ge-‐0/0/2', 'ge-‐0/0/3' ] } EOS: { $db_port = "Ethernet1" $web_port = "Ethernet2" $uplink_lag = "Port-‐Channel1" $uplink_lag_ports = [ 'Ethernet3', 'Ethernet4' ] } } $all_ports = [ $db_port, $web_port, $uplink_lag_ports ] }
Set class puppet_switch_demo { netdev_device { $hostname: } include puppet_switch_ports $vlans = loadyaml( "$DATADIR/vlans.yaml" ) create_resources( netdev_vlan, $vlans ) netdev_interface { $puppet_switch_ports::all_ports: admin => up } netdev_l2_interface { $puppet_switch_ports::db_port: untagged_vlan => Blue } netdev_l2_interface{ $puppet_switch_ports::web_port: untagged_vlan => Green } netdev_l2_interface { $puppet_switch_ports::uplink_lag_ports: ensure => absent }-‐> netdev_lag { $puppet_switch_ports::uplink_lag: links => $puppet_switch_ports::uplink_lag_ports }-‐> netdev_l2_interface { $puppet_switch_ports::uplink_lag: tagged_vlans => keys( $vlans ) } }
Automate! node "veos01.stormcontrol.net" { include puppet_switch_demo } node "ex4200.stormcontrol.net" { include puppet_switch_demo }
How to take netdev to the next phase?
You want to run what
on my network device?
Devops + NetOps != <3
I have 99 problems
and no time for this
discussion
Lets just teach every netops person to be a developer… problem solved!
Breaking down the configura-on into construc-ble blocks….
Physical Interface
Logical Interface (LAG)
VLAN
L2 Interface (access, trunk)
L3 interface (ipv4, ipv6)
STP MLAG VRRP OSPF
Paqerns start to emerge…
interface lag l2_interface
ospf_instance ospf_area ospf_interface
interface ip_interface vrrp_interface
Hmm, come to think of it…
interface interface ethernet1/1 descrip-on webservers no shutdown
interface ethernet1/1 no switchport ip address 10.10.4.1/24
interface ethernet1/1 vrrp 10 priority 200 vrrp 10 -mers adver-se 3 vrrp 10 ip 10.10.4.10 exit
ip_interface vrrp_interface
Isn’t the CLI just like a DSL?
Start small and expand the sphere of influence automa-on
Services / Applica9ons
Logical Interfaces
Physical Interfaces
VLANS
Feelin the love
What’s taking so long to
upgrade to Enterprise?
Devops + NetOps
= <3
I have 99 problems
but automating my network isn’t one of
them
Standard Binaries Native Enterprise Integration
Orchestrate Arista EOS or Linux OS resource automation
Custom Facter integration for collecting state information
Leverage Arista AEM for responsive automation to state
changes
Linux Kernel
eAPI
Arista EOS Provider
Gems
Sysdb Ruby
Automation with Puppet and EOS
Puppet Master
Enterprise
Resource Abstraction
Arista EOS Types Netdev Types
Community
Automation with Puppet and EOS
Call to ac-on
• Great first step!
• Much more work to do
• Get Involved!! – We cannot model the network without your help