Everyone will have a computer with AnyConnect to a dCloud instance with IOSXR, IOSXE, IOS, NXOS, and ASA devices.
Try out simple Ansible core network modules for IOS/IOSXE/IOSXR/NXOS, and asa-api.
Clients need:
Python, ansible, pycsco, pyiosxr, netmiko from pip
Git pull asa-api
Show VIRL with the layout and intended outcome
I want to deploy (or redeploy) a new Datacenter. “Server A” and “server B” are in separate subnets and different security zones on the fw. We need L2, L3, FW rules, and routing all configured to establish connectivity.
I’m going to kick off the Ansible playbooks to create and deploy configs. Then we’ll step through the simple building blocks to get us there.
I want something that is ...
efficient - it has to save time, not just for fun
repeatable - repeat the process and expect a similar result if there are minor changes or I want to run again and take advantage of idempotency
reusable - the same framework I’m using for routers I want to use for switches or even servers
observable - logging and output data to validate and audit
revision controlled - a central repo for code to share and collaborate (git, gerrit, cvs, etc)
standard - I want an industry backed product or tool that is going to be there for a while and that I can leverage a wide range of developers
Got permission from Warren Zweigart <wzweigart@ansible.com>
https://www.ansible.com/logos
Agentless – we can’t load an agent on most network devices
Server team was already on ansible for deployment and
Represented the infrastructure as code – maintain the YAML and deploy via playbooks
Simple – can spin up users and developers in days or weeks
Community – there are modules for nearly everything you could need
Modular – chop up, add, remove, whatever, it’s all open source
Leverage languages – python, perl, ruby, tcl, bash, whatever the endpoint can execute and return values
Let’s say your OSS team just deployed another Monitoring server or the security team has a new scanning tool that you need to permit access.
Ordinarily that would mean updating a VTY ACL on every device.
Ansible can take an inventory of devices and make the VTY update via the config module.
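The VTY ACL update described above, written as a playbook. This is an added example, not from the original deck; the inventory group `ios_devices`, the ACL name `VTY-MGMT`, and the 192.0.2.x addresses are constructed, and it assumes the `cisco.ios` collection is installed.

```yaml
---
# Added example. Group name, ACL name and addresses are constructed
# (192.0.2.0/24 is a documentation range); cisco.ios collection assumed.
- name: Permit a new monitoring server on the VTY lines
  hosts: ios_devices                  # assumed inventory group
  gather_facts: false
  connection: ansible.netcommon.network_cli
  vars:
    ansible_network_os: cisco.ios.ios
    vty_acl: VTY-MGMT                 # assumed ACL name
    vty_acl_lines:
      - permit tcp host 192.0.2.10 any eq 22   # existing management station
      - permit tcp host 192.0.2.25 any eq 22   # new monitoring server
      - deny ip any any log                    # log every other attempt
  tasks:
    # match: exact compares the whole block in order; if the device differs,
    # the "before" line is sent first and the full list is pushed again.
    # If the device already matches, nothing is sent (idempotent).
    - name: Make the ACL match the list exactly, in order
      cisco.ios.ios_config:
        parents: "ip access-list extended {{ vty_acl }}"
        lines: "{{ vty_acl_lines }}"
        before:
          - "no ip access-list extended {{ vty_acl }}"
        match: exact

    - name: Bind the ACL to the VTY lines
      cisco.ios.ios_config:
        parents: line vty 0 4
        lines:
          - "access-class {{ vty_acl }} in"

    - name: Save running-config to startup-config only if they differ
      cisco.ios.ios_config:
        save_when: modified
```

Because `before` removes the ACL before rebuilding it, preview the push with `ansible-playbook --check --diff` and keep console access available while testing.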
Command – sends arbitrary command
Config – Block of commands with context and order
Template – Push config based on template, compare config to template
https://docs.ansible.com/ansible/list_of_network_modules.html
https://github.com/ansible/ansible-modules-core/tree/aa995806b9b5a41de4bd3d2a6ba917528fe8b6bb/network/ios
Education is multiline entry to preserve the newline
Now, we want to use what we learned to deploy a new site. We don’t want to do find/replace on a template document (show getvpn cvd). We’d like something that can grow dynamically. What do we really need to know to build a config from the template? Show the vars/main.yml. We can generate configs based on a template.
We can take it a step further and generate the config from the template and apply it to the inventory of devices.
ASA-API, NAPALM, nxos-ansible
Bring up GitHub to show the code and examples of what they can do.
Demonstrate ASA-API
Modules are an executable piece of code, many are python
Bring up github, and show the code. Bring up code in
There is a lot of functionality baked into ansible and there are several projects created as foundation or to enhance the experience. If something is not quite what you want, fork the code and do it yourself or create something altogether new.
Go to github and start looking at ansible network code, then…
For example,
Nxos-ansible (Jason Edelman), many have become core Ansible
Pyiosxr
Napalm
Or stay in python
Ignite
Netmiko
I’d be remiss in not mentioning APIC-EM or NSO which can present a northbound API with CLI southbound. Similarly, Prime can interact with the devices.