Puppet Camp Boston 2014: Network Automation with Puppet and Arista (Beginner)

Peter Sprygada, Arista

Published in: Software
  1. Network Automation with Puppet
  2. Why?
     • Operations Agility
       – Change management in networks is hard
       – Lots of moving parts to consider
     • Service Velocity
       – Timeframes for CRUD activity are unacceptable
     • Configuration Consistency
       – Number 1 reason for network outages
       – History has taught us to fear external systems
  3. (A typical spine-switch configuration template)
     !
     ! device: $HostnameSpine1 (DCS-7508, /$CertifiedCode)
     !
     !
     boot system flash:/$CertifiedCode
     !
     queue-monitor length
     !
     logging buffered 10000
     no logging console
     logging vrf MGMT host $SyslogHostAddress
     logging vrf MGMT host $SyslogHostAddress
     logging vrf MGMT source-interface Management1/1
     logging format timestamp high-resolution
     logging facility local6
     !
     hostname $HostnameSpine1
     ip name-server $DNSHostAddress
     ip name-server $DNSHostAddress
     ip domain-name $CompanyDomainName
     !
     ntp source Management1/1
     ntp server vrf MGMT $NTPHostAddress1 prefer
     ntp server vrf MGMT $NTPHostAddress2
     !
     snmp-server contact "$SNMPcontact"
     snmp-server location $bldg/$floor/$room/$rack
     no snmp-server vrf main
     snmp-server vrf MGMT
     snmp-server source-interface Management1/1
     snmp-server community $SNMPCommunity ro SNMP-RO-ACL
     snmp-server community $SNMPCommunity rw SNMP-RW-ACL
     snmp-server host $SNMPHostAddress traps version 2c $SNMPcommunity
     snmp-server enable traps entity
     snmp-server enable traps lldp
     snmp-server enable traps snmp
     !
     tacacs-server key $TacacsServerKey
     tacacs-server host $TacacsServerAddress vrf MGMT
     ip tacacs source-interface Management1/1
     !
     spanning-tree mode mstp
     !
     aaa authentication login default group tacacs+ local
     aaa authentication enable default group tacacs+ local
     aaa authorization console
     aaa authorization exec default group tacacs+ none
     aaa authorization commands 1,15 default group tacacs+ none
     aaa accounting exec default start-stop group tacacs+
     aaa accounting commands 15 default start-stop group tacacs+
     !
     no aaa root
     vrf definition MGMT
        rd $SpineAS01
     !
     Vlan 999
        state suspend
        name UNUSED-PORTS
     !
     Interface Ethernet$ModNumber/$SubModNumber/1-$HighestPortNumber
        switchport mode access
        switchport access vlan 999
        shut
     !
     Interface Ethernet3/1/1
        description - P2P Link to LEAF switch-1
        speed forced 40gfull
        mtu 9214
        logging event link-status
        no switchport
        ip address $IPAddress/30
        arp timeout 900
        ip pim sparse-mode
        ip pim bfd-instance
        qos trust dscp
        no shut
     !
     Interface Ethernet3/1/2
        description - P2P Link to LEAF switch-2
        speed forced 40gfull
        mtu 9214
        logging event link-status
        no switchport
        ip address $IPAddress/30
        arp timeout 900
        ip pim sparse-mode
        ip pim bfd-instance
        qos trust dscp
        no shut
     !
     Interface Ethernet4/1/1
        description - P2P Link to LEAF switch-1
        speed forced 40gfull
        mtu 9214
        logging event link-status
        no switchport
        ip address $IPAddress/30
        arp timeout 900
        ip pim sparse-mode
        ip pim bfd-instance
        qos trust dscp
        no shut
     !
     Interface Ethernet4/1/2
        description - P2P Link to LEAF switch-2
        speed forced 40gfull
        logging event link-status
        no switchport
        ip address $IPAddress/30
        arp timeout 900
        ip pim sparse-mode
        ip pim bfd-instance
        qos trust dscp
        no shut
     !
     interface Loopback0
        description Router-ID
        ip address $IPAddress/32
     !
     interface Management1
        no snmp trap link-status
        vrf forwarding MGMT
        ip address $MGMTIPAddress/$MGMTSubnetMask
     !
     ip route vrf MGMT 0.0.0.0/0 $GatewayOfLastResortAddress
     !
     ip routing
     no ip routing vrf MGMT
     !
     ip multicast-routing
     !
     ip prefix-list PREFIX-LIST-IN seq 10 permit $Prefix/$PrefixLength
     !
     route-map ROUTE-MAP-IN permit 10
        match ip address prefix-list PREFIX-LIST-IN
     !
     ip prefix-list PREFIX-LIST-OUT seq 10 permit $Prefix/$PrefixLength
     !
     route-map ROUTE-MAP-OUT permit 10
        match ip address prefix-list PREFIX-LIST-OUT
     !
     router bgp $SpineAS
        router-id <Loopback0_Address>
        bgp log-neighbor-changes
        distance bgp 20 200 200
        maximum-paths 64
        neighbor EBGP-TO-LEAF-PEER peer-group
        neighbor EBGP-TO-LEAF-PEER password $Password
        neighbor EBGP-TO-LEAF-PEER remote-as $LeafAS
        neighbor EBGP-TO-LEAF-PEER send-community
        neighbor EBGP-TO-LEAF-PEER fall-over bfd
        neighbor EBGP-TO-LEAF-PEER next-hop-self
        neighbor EBGP-TO-LEAF-PEER route-map ROUTE-MAP-IN in
        neighbor EBGP-TO-LEAF-PEER route-map ROUTE-MAP-OUT out
        neighbor EBGP-TO-LEAF-PEER maximum-routes 25000
        neighbor $Leaf1IPAddress peer-group EBGP-TO-LEAF-PEER
        neighbor $Leaf2IPAddress peer-group EBGP-TO-LEAF-PEER
     !
     banner login
     This system is privately owned and operated. Access to this system is restricted to authorized users only. Criminal and civil laws prohibit unauthorized use. Violators will be prosecuted. You must disconnect immediately if you are not an authorized user.
     EOF
     !
     management console
        idle-timeout 15
     !
     management ssh
        idle-timeout 15
     !
     !
     …
  4. (Repeat of the slide 3 configuration template.)
  5. Puppet NetDev Module
     NetDev is a vendor-neutral network abstraction framework contributed freely to the Puppet community.
     • Basic layer-1 and layer-2 network abstractions
     • Can extend the framework to define any abstractions or features needed for an environment
     • The NetDev framework is open and free and accessible via Puppet Forge, with implementations available for Arista, Juniper, Mellanox, Cumulus
  6. Ready
     class puppet_switch_ports {
       # Map role names to platform-specific port names, keyed on the OS family fact.
       case $osfamily {
         JUNOS: {
           $db_port          = "ge-0/0/0"
           $web_port         = "ge-0/0/1"
           $uplink_lag       = "ae0"
           $uplink_lag_ports = [ 'ge-0/0/2', 'ge-0/0/3' ]
         }
         EOS: {
           $db_port          = "Ethernet1"
           $web_port         = "Ethernet2"
           $uplink_lag       = "Port-Channel1"
           $uplink_lag_ports = [ 'Ethernet3', 'Ethernet4' ]
         }
       }
       # Everything the demo touches, used below to bring all ports admin-up.
       $all_ports = [ $db_port, $web_port, $uplink_lag_ports ]
     }
  7. Set
     class puppet_switch_demo {
       # Declare the device itself; $hostname is the Facter fact.
       netdev_device { $hostname: }

       include puppet_switch_ports

       # VLAN definitions live in data: one netdev_vlan per top-level key.
       $vlans = loadyaml( "$DATADIR/vlans.yaml" )
       create_resources( netdev_vlan, $vlans )

       netdev_interface { $puppet_switch_ports::all_ports:
         admin => up
       }
       netdev_l2_interface { $puppet_switch_ports::db_port:
         untagged_vlan => Blue
       }
       netdev_l2_interface { $puppet_switch_ports::web_port:
         untagged_vlan => Green
       }

       # Member ports must leave L2 before they can join the LAG, and the LAG
       # must exist before it can carry the tagged VLANs: hence the -> chain.
       netdev_l2_interface { $puppet_switch_ports::uplink_lag_ports:
         ensure => absent
       } ->
       netdev_lag { $puppet_switch_ports::uplink_lag:
         links => $puppet_switch_ports::uplink_lag_ports
       } ->
       netdev_l2_interface { $puppet_switch_ports::uplink_lag:
         tagged_vlans => keys( $vlans )
       }
     }
  8. Automate!
     node "veos01.stormcontrol.net" {
       include puppet_switch_demo
     }
     node "ex4200.stormcontrol.net" {
       include puppet_switch_demo
     }
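The manifest on slide 7 pulls its VLANs out of `vlans.yaml` with `loadyaml()`, hands the whole hash to `create_resources(netdev_vlan, ...)`, and trunks `keys($vlans)` onto the uplink LAG. The Ruby below is an added example, not from the slides or the netdev module: it shows what such a data file looks like, what `create_resources` and `keys()` make of it, and the checks a build step can run on the data before the catalog is compiled, since a duplicate or out-of-range VLAN id is far cheaper to catch there than on the switch. The YAML content is constructed, and `vlan_id`/`description` are assumed to be the netdev_vlan parameter names.

```ruby
# Added example (not from the slides): the shape of the vlans.yaml that
# loadyaml("$DATADIR/vlans.yaml") reads, plus pre-compile validation of it.
# The YAML is constructed; vlan_id/description are assumed parameter names.
require 'yaml'

VLANS_YAML = <<~'YAML'
  Blue:
    vlan_id: 100
    description: database servers
  Green:
    vlan_id: 200
    description: web servers
  Mgmt:
    vlan_id: 999
    description: unused ports
YAML

# Load the file the way loadyaml() does: top-level keys become resource
# titles, the nested hashes become the resource parameters.
def load_vlans(yaml_text)
  YAML.safe_load(yaml_text)
end

# keys($vlans) on slide 7: the VLAN names the uplink LAG will carry tagged.
def tagged_vlans(vlans)
  vlans.keys
end

# Validation worth running before the catalog is compiled: every VLAN
# needs an integer vlan_id in 1..4094, and two names must not claim the
# same id (the switch would otherwise end up with whichever was applied last).
def validate_vlans(vlans)
  errors = []
  seen = {}
  vlans.each do |name, params|
    id = params.is_a?(Hash) ? params['vlan_id'] : nil
    unless id.is_a?(Integer) && (1..4094).cover?(id)
      errors << "#{name}: vlan_id must be an integer in 1..4094, got #{id.inspect}"
      next
    end
    if seen.key?(id)
      errors << "#{name}: vlan_id #{id} already used by #{seen[id]}"
    else
      seen[id] = name
    end
  end
  errors
end

# What create_resources(netdev_vlan, $vlans) declares: one resource per key.
def netdev_vlan_resources(vlans)
  vlans.map { |name, params| { type: 'netdev_vlan', title: name, params: params } }
end

if __FILE__ == $PROGRAM_NAME
  vlans = load_vlans(VLANS_YAML)
  errors = validate_vlans(vlans)
  abort(errors.join("\n")) unless errors.empty?
  netdev_vlan_resources(vlans).each do |r|
    puts "netdev_vlan { '#{r[:title]}': vlan_id => #{r[:params]['vlan_id']} }"
  end
  puts "uplink tagged_vlans => #{tagged_vlans(vlans).inspect}"
end
```

Because `tagged_vlans` is simply the key list, every VLAN in the file is trunked to the uplink, which is what the manifest on slide 7 does; if some VLANs should stay local to one switch, the data file, not the manifest, is the place to say so.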
  9. How to take netdev to the next phase?
     "You want to run what on my network device?"
     DevOps + NetOps != <3
     "I have 99 problems and no time for this discussion"
  10. Let's just teach every netops person to be a developer… problem solved!
  11. Breaking down the configuration into constructible blocks…
      STP, MLAG, VRRP, OSPF, VLAN, L2 Interface (access, trunk), Logical Interface (LAG), Physical Interface, L3 interface (ipv4, ipv6)
  12. Patterns start to emerge…
      interface, lag, l2_interface, ip_interface, vrrp_interface, ospf_instance, ospf_area, ospf_interface
  13. Hmm, come to think of it…
      interface:
         interface ethernet1/1
            description webservers
            no shutdown
      ip_interface:
         interface ethernet1/1
            no switchport
            ip address 10.10.4.1/24
      vrrp_interface:
         interface ethernet1/1
            vrrp 10 priority 200
            vrrp 10 timers advertise 3
            vrrp 10 ip 10.10.4.10
         exit
      Isn't the CLI just like a DSL?
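Taking the slide's question literally: if each abstraction (interface, ip_interface, vrrp_interface) is a small record and the CLI is its DSL, then rendering intent to CLI is a few lines per block, and the same parser that reads the rendered intent can read a running-config and report drift, which is the consistency problem from slide 2. The Ruby below is an added example, not from the slides or from any netdev provider: `render_block` emits the stanzas slide 13 shows, and `config_drift` compares the rendered intent against a constructed running-config in which someone changed the VRRP priority by hand and added an ACL. The resource field names (`admin`, `address`, `vrid`, `vip`, …) are this example's own, not netdev's.

```ruby
# Added example (not from the slides): the EOS CLI treated as the DSL for
# netdev-style blocks, plus a drift check between intent and running-config.
# Resource field names and the running-config below are constructed.
require 'set'

# One resource per configurable block, all scoped to the same interface.
INTENT = [
  { type: 'interface',      name: 'ethernet1/1', description: 'webservers', admin: 'up' },
  { type: 'ip_interface',   name: 'ethernet1/1', address: '10.10.4.1/24' },
  { type: 'vrrp_interface', name: 'ethernet1/1', vrid: 10, priority: 200,
    advertise: 3, vip: '10.10.4.10' },
].freeze

# Render one abstract block as an EOS "interface ..." stanza.
def render_block(res)
  lines = ["interface #{res[:name]}"]
  case res[:type]
  when 'interface'
    lines << "   description #{res[:description]}" if res[:description]
    lines << (res[:admin] == 'up' ? '   no shutdown' : '   shutdown')
  when 'ip_interface'
    lines << '   no switchport'
    lines << "   ip address #{res[:address]}"
  when 'vrrp_interface'
    v = res[:vrid]
    lines << "   vrrp #{v} priority #{res[:priority]}"
    lines << "   vrrp #{v} timers advertise #{res[:advertise]}"
    lines << "   vrrp #{v} ip #{res[:vip]}"
  else
    raise ArgumentError, "unknown block type #{res[:type]}"
  end
  lines
end

# Render every block in declaration order, one stanza per block.
def render_config(intent)
  intent.flat_map { |r| render_block(r) }
end

# Collect per-interface statements from rendered intent or a running-config,
# keyed by interface so repeated "interface" headers and ordering do not matter.
def interface_statements(lines)
  current = nil
  stmts = Hash.new { |h, k| h[k] = Set.new }
  lines.each do |raw|
    line = raw.strip
    next if line.empty? || line == '!' || line == 'exit'
    if line.start_with?('interface ')
      current = line.sub('interface ', '')
    elsif current
      stmts[current] << line
    end
  end
  stmts
end

# Drift = statements on the box that intent lacks, and intent the box lacks.
def config_drift(intent, running_lines)
  want = interface_statements(render_config(intent))
  have = interface_statements(running_lines)
  (want.keys | have.keys).each_with_object({}) do |iface, drift|
    extra   = (have[iface] - want[iface]).to_a.sort
    missing = (want[iface] - have[iface]).to_a.sort
    drift[iface] = { extra: extra, missing: missing } unless extra.empty? && missing.empty?
  end
end

# Constructed running-config: the VRRP priority was lowered by hand and an
# ACL was attached that the intent knows nothing about.
RUNNING_CONFIG = <<~'CFG'.lines
  interface ethernet1/1
     description webservers
     no switchport
     ip address 10.10.4.1/24
     ip access-group TEMP-DEBUG in
     vrrp 10 priority 100
     vrrp 10 timers advertise 3
     vrrp 10 ip 10.10.4.10
     no shutdown
  !
CFG

if __FILE__ == $PROGRAM_NAME
  puts render_config(INTENT), 'exit'
  config_drift(INTENT, RUNNING_CONFIG).each do |iface, d|
    puts "#{iface}: extra=#{d[:extra].inspect} missing=#{d[:missing].inspect}"
  end
end
```

The drift report is what a Puppet run would act on (remove the ACL, restore priority 200); reporting it before enforcing it is the low-risk way to start, which is the "start small" advice of the next slide.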
  14. Start small and expand the sphere of influence of automation
      Services / Applications, Logical Interfaces, Physical Interfaces, VLANs
  15. Feelin' the love
      "What's taking so long to upgrade to Enterprise?"
      DevOps + NetOps = <3
      "I have 99 problems but automating my network isn't one of them"
  16. Automation with Puppet and EOS
      • Standard Binaries
      • Native Enterprise Integration
      • Orchestrate Arista EOS or Linux OS resource automation
      • Custom Facter integration for collecting state information
      • Leverage Arista AEM for responsive automation to state changes
      (Architecture diagram labels: Arista EOS Provider, eAPI Gems, Ruby, Sysdb, Linux Kernel, Arista EOS Types, Netdev Types, Resource Abstraction, Enterprise, Community, Puppet Master)
  17. Call to action
      • Great first step!
      • Much more work to do
      • Get Involved!!
        – We cannot model the network without your help
