Alejandro Salinas
Intro
WHERE ARE YOU WITH REGARDS TO AUTOMATION?
IT’S ALSO ABOUT PROCESS AND CULTURAL CHANGE
Story 1
An experiment that pays off
xkcd.com
THREE SCRIPTS
• Manage Firewalls
• Manage On-call
• 1 x Predictable cabling standard
• N x Jinja Templates
• N x YAML Files
TODO list:
• Check ports
• Check OS versions
• Check licenses
• Check IP allocations
• Check vlans
• Check routing
Retrieve:
• Operational status
• Configuration status
✓ Ports
✓ OS versions
✓ Licenses
✓ IP allocations
✓ Vlans
REST
Configuration information:
• Where is subnet x.y.z.w ?
• Is port xyz configured for LACP?
• What’s the console port for device xyz?
FIND A HOST
[asalinas@GMGM20689:juniper_tools] curl -s http://localhost:8000/get_host_information?hostname=otherhost.grpn | python -m json.tool
{
    "device_queried": "access1128.grpn",
    "interface_information": {
        "ab:cd:ef:fe:bc:b8": [
            {
                "interface": "ae33.0",
                "vlan_id": "100",
                "vlan_name": "vlan100"
            }
        ],
        "ab:cd:ef:fe:bc:ba": null,
        "ab:cd:ef:fe:bc:bc": null,
        "ab:cd:ef:fe:bc:bd": null
    },
    "mac_addresses": [
        "ab:cd:ef:fe:bc:b8",
        "ab:cd:ef:fe:bc:ba",
        "ab:cd:ef:fe:bc:bc",
        "ab:cd:ef:fe:bc:bd"
    ],
    "success": true
}
SECURITY ZONES
[asalinas@GMGM20689:juniper_tools] curl -s http://localhost:8000/get_firewall_zone?destination=10.10.10.21/31 | python -m json.tool
{
    "colo": "grpn",
    "destination": "10.10.10.21/31",
    "device_queried": "somefw.grpn",
    "success": true,
    "zone_data": [
        {
            "destination_match": "10.10.10.0/24",
            "interface": "ae8.0",
            "next_hop": "10.10.12.3",
            "zone_name": "trust__zone20"
        }
    ]
}
IS THIS FLOW ALLOWED?
[asalinas@GMGM20689:~] curl -s "http://localhost:8000/check_flow?source=10.1.2.3&destination=10.11.12.13&port=22" | python -m json.tool
{
    "action_type": "permit",
    "destination": "10.11.12.13",
    "destination_zone": "trust__zone1",
    "device_queried": "somefw.grpn",
    "dst_colo": "colo1",
    "policy_name": "NETOPS-9999",
    "source": "10.1.2.3",
    "source_zone": "trust__zone2",
    "src_colo": "colo2",
    "success": true
}
FIREWALL POLICY DETAIL
[asalinas@GMGM20689] curl -s "http://localhost:8000/get_policy_by_name?device_name=somefw.grpn&policy_name=NETOPS-9999" | python -m json.tool
{
    "device_name": "somefw.grpn",
    "policy_information": {
        "NETOPS-9999": {
            "action": "permit",
            "application": "junos-ssh",
            "destination_addresses": [
                "host1.grpn",
                "host2.grpn"
            ],
            "destination_zone_name": "trust__zone1",
            "policy_sequence_number": "100",
            "policy_state": "enabled",
            "seq_check": "No",
            "source_addresses": "host3.grpn",
            "source_zone_name": "trust__zone2",
            "syn_check": "No"
        }
    },
    "policy_name": "NETOPS-9999",
    "success": true
}
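Added example (not from the original slides and not the tool's own code): a minimal offline model of the lookup a check_flow-style endpoint has to perform, resolving each address to a zone by longest-prefix match and then evaluating policies in order. The route table, the policy table, first-match ordering and the default deny are assumptions; field names follow the responses above.

```python
import ipaddress

# Constructed sample data; names reuse the fields shown in the responses above.
ZONE_ROUTES = [  # (prefix, zone_name)
    ("10.1.0.0/16", "trust__zone2"),
    ("10.11.12.0/24", "trust__zone1"),
    ("0.0.0.0/0", "untrust"),
]
POLICIES = [  # assumed: evaluated in order, first match wins
    {"policy_name": "NETOPS-9999", "source_zone": "trust__zone2",
     "destination_zone": "trust__zone1", "sources": ["10.1.2.0/24"],
     "destinations": ["10.11.12.13/32"], "port": 22, "action": "permit"},
]


def zone_for(address, routes=ZONE_ROUTES):
    """Longest-prefix match of an address against the zone routes."""
    ip = ipaddress.ip_address(address)
    hits = [(ipaddress.ip_network(p), z) for p, z in routes
            if ip in ipaddress.ip_network(p)]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def check_flow(source, destination, port, policies=POLICIES):
    """Return a check_flow-shaped dict; flows with no matching policy are denied."""
    src, dst = ipaddress.ip_address(source), ipaddress.ip_address(destination)
    result = {"source": source, "destination": destination,
              "source_zone": zone_for(source),
              "destination_zone": zone_for(destination),
              "action_type": "deny", "policy_name": None, "success": True}
    for pol in policies:
        if (pol["source_zone"] == result["source_zone"]
                and pol["destination_zone"] == result["destination_zone"]
                and pol["port"] == port
                and any(src in ipaddress.ip_network(n) for n in pol["sources"])
                and any(dst in ipaddress.ip_network(n) for n in pol["destinations"])):
            result.update(action_type=pol["action"], policy_name=pol["policy_name"])
            break
    return result


if __name__ == "__main__":
    print(check_flow("10.1.2.3", "10.11.12.13", 22))  # matches NETOPS-9999
    print(check_flow("10.1.2.3", "10.11.12.13", 23))  # no policy, default deny
```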
FIREWALL AUTOMATION BUILDING BLOCKS
TBD get_policy_by_name
• Not only the network team can take advantage of your automation