For years, application developers and DevOps admins have had full CI/CD environments that allow them to make changes to live environments during business hours. Yet to this day, this is almost never done in networking. This presentation will show how to build a CI/CD environment for your network infrastructure that would allow you to complete a (major) network change before the evening PLNOG social.
Automated testing
Validation
Linting tests
• Code validation
• Test YAML / Jinja2 (see the lint sketch below)
• Enforce a style
• Easy troubleshooting
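As one way to run these checks, here is a minimal lint sketch: a script a CI job could run to syntax-check YAML variable files and Jinja2 templates before anything is deployed. The `vars/` and `templates/` directory names are assumptions about the repository layout; tools like yamllint can enforce style on top of this.

```python
# Minimal lint sketch: syntax-check YAML files and Jinja2 templates.
# Directory names are hypothetical; adapt to your repository layout.
import sys
from pathlib import Path

import yaml
from jinja2 import Environment, TemplateSyntaxError

failed = False

# Validate that every YAML file parses.
for f in Path("vars").glob("**/*.yml"):
    try:
        yaml.safe_load(f.read_text())
    except yaml.YAMLError as err:
        print(f"YAML error in {f}: {err}")
        failed = True

# Validate Jinja2 template syntax (parse only; no rendering needed).
env = Environment()
for f in Path("templates").glob("**/*.j2"):
    try:
        env.parse(f.read_text())
    except TemplateSyntaxError as err:
        print(f"Jinja2 error in {f}, line {err.lineno}: {err.message}")
        failed = True

sys.exit(1 if failed else 0)
```

A non-zero exit code fails the pipeline stage, so broken templates never reach a device.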
Unit and System tests
• Individual tests
• Is the intended configuration deployed?
• Unit testing alone is not useful
• Combine unit and system tests (see the sketch after this list)
• Is my configured BGP session up?
• Am I receiving routes?
AND
• Is my service redundant?
• Does my application still work?
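One way to combine these checks, sketched under assumptions: pytest-style system tests that ask FRR (the routing suite used on Cumulus Linux) whether the BGP session is established and routes are being received. The peer address is hypothetical, and the JSON field names should be verified against your FRR version's `show ip bgp summary json` output.

```python
# System-test sketch (pytest style): is my configured BGP session up,
# and am I receiving routes? Relies on FRR's vtysh JSON output; the
# peer address and JSON field names are assumptions to verify locally.
import json
import subprocess

PEER = "10.0.0.1"  # hypothetical fabric peer

def bgp_summary():
    out = subprocess.check_output(
        ["vtysh", "-c", "show ip bgp summary json"], text=True
    )
    return json.loads(out)

def test_bgp_session_established():
    peers = bgp_summary()["ipv4Unicast"]["peers"]
    assert peers[PEER]["state"] == "Established"

def test_receiving_routes():
    peers = bgp_summary()["ipv4Unicast"]["peers"]
    assert peers[PEER]["pfxRcd"] > 0
```

Redundancy and application-level checks would sit above this as further system tests, e.g. failing a link in the virtual topology and re-running the same assertions.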
The way that networking has always worked is that the hardware and software are welded together. There are no options to pick what is best in class. No way to run JunOS on Nexus hardware. No way to run Arista EOS on Juniper QFX switches.
The idea of open networking is to break these components apart and provide best in class at each layer of the stack: hardware, software and applications.
Cumulus Linux provides the best in class network operating system with full routing and switching features and Cumulus NetQ provides next generation streaming telemetry for all Linux systems, including Cumulus Linux.
Diving deeper into the architecture of Cumulus Linux, we start with the switch hardware: the CPU, memory, fans and, most importantly, the switch silicon, or ASIC. This ASIC is what gives a switch its line-rate performance, so it can pass 32 ports of 100G or 48 ports of 25G without breaking a sweat. On top of this hardware sits Cumulus Linux. We speak directly to the hardware. We spin the fans, flash the lights and program the forwarding information into the switch silicon. In order to have this level of control over the hardware we have incredibly tight relationships with all of our hardware vendors. We write device drivers to program each component of the switch.
Now, on top of Cumulus Linux sit a number of applications that perform different functions: a full CLI, Layer 2 and Layer 3 connectivity, and automation engines like Ansible or Salt.
Each of these applications only has to talk to Linux; they don't need any knowledge of the underlying switch hardware. If an application can provide configuration or put routing information into the Linux kernel, we handle programming it into the switch silicon. You can take something off the shelf like Docker Engine or KVM for virtual machines and run them directly on Cumulus Linux, just like a server.
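To illustrate that model, here is a minimal sketch of an application installing a route into the Linux kernel over netlink. The pyroute2 library and the prefix/next-hop values are assumptions for illustration; any netlink client would do, and on Cumulus Linux a kernel route like this is what gets programmed into the silicon.

```python
# Sketch: an application programming a route into the Linux kernel via
# netlink, using pyroute2 (an assumed choice of library). Prefix and
# next hop are hypothetical. Requires root privileges to run.
from pyroute2 import IPRoute

ipr = IPRoute()
try:
    # Install 10.1.1.0/24 via next hop 10.0.0.1 (hypothetical values).
    ipr.route("add", dst="10.1.1.0/24", gateway="10.0.0.1")
finally:
    ipr.close()
```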
You can use the system as a traditional network device, with a CLI and SNMP or explore new operational workflows like streaming telemetry or automation. Cumulus Linux provides the power and flexibility for as much or as little change as you’d like.
Since Cumulus VX is just another Linux distro running on standard hypervisors, there are almost no limits.
We have a small memory footprint of only 768 MB per switch; combined with the ability to scale to 128+ interfaces, you can replicate the exact devices deployed in your datacenter.
Each of these VMs boots quickly, and you can rename the interfaces to match exactly what's in production. Think about legacy vendor VMs: if you provision 4 interfaces you are given Ethernet 1, 2, 3 and 4, but this isn't how you cabled your environment. You may have two 10G server ports and two 100G uplinks. Cumulus Linux allows you to rename the interfaces to match exactly what you have in production. This means you can build and test production configurations against the virtual environment without the need to translate between lab and production configs.
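As a sketch of how that renaming can be done: on Linux, udev rules can pin an interface name to a MAC address. The small generator below emits such rules from a mapping; the MAC addresses and port names are hypothetical, and the rules-file path is a common convention to verify against the Cumulus VX documentation.

```python
# Sketch: generate udev rules that pin VM interface names to MAC
# addresses so a Cumulus VX topology matches production cabling.
# The mapping is hypothetical; write the output to something like
# /etc/udev/rules.d/70-persistent-net.rules and reboot the VM.
MAPPING = {
    "00:03:00:11:11:01": "swp1",   # 10G server port (hypothetical)
    "00:03:00:11:11:02": "swp2",   # 10G server port (hypothetical)
    "00:03:00:11:11:31": "swp31",  # 100G uplink (hypothetical)
    "00:03:00:11:11:32": "swp32",  # 100G uplink (hypothetical)
}

RULE = ('SUBSYSTEM=="net", ACTION=="add", ATTR{{address}}=="{mac}", '
        'NAME="{name}"')

for mac, name in MAPPING.items():
    print(RULE.format(mac=mac, name=name))
```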
When it's all put together, for the first time in the industry, you can make an exact simulation of your production environment for testing, change management, training or any other use case. We even have customers, some with the assistance of our consulting services, doing automated testing as part of their change management system, sometimes called Network CI/CD (Continuous Integration/Continuous Delivery).
The way NetQ works is that a central server, either on premises or in the cloud, runs a modern web-scale time-series database.
As mentioned, there are GUI, CLI and API interfaces into NetQ. However you wish to consume the data from NetQ, we have an option for you.
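As a sketch of the CLI path into that data, a change pipeline could gate on a fabric-wide validation. This assumes the `netq check bgp` command with JSON output, and the `failedNodeCount` field name is an assumption; verify both against your NetQ version's CLI reference.

```python
# Sketch: gate a change pipeline on a fabric-wide NetQ validation.
# Assumes the NetQ CLI is installed and that `netq check bgp json`
# emits a JSON summary; the "failedNodeCount" key is an assumption.
import json
import subprocess
import sys

out = subprocess.check_output(["netq", "check", "bgp", "json"], text=True)
result = json.loads(out)

failed = result.get("failedNodeCount", 0)  # assumed field name
if failed:
    print(f"BGP validation failed on {failed} node(s)")
    sys.exit(1)
print("BGP validation passed fabric-wide")
```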
• If there is a requirement for inter-tenant traffic … through a router on a stick or a firewall
• A "service" tenant for services like DNS or general tenant services
• Not yet implemented in FRR
• Micro-segmentation inside a tenant for application security
• Kernel development for doing filtering with BPF on hosts
• Using BGP FlowSpec for distributing the ACLs