
1

Devops Day Amsterdam 2015

Network Automation Tools

Chef and Zero Touch Provisioning/Replacement (ZTP/ZTR)

2

Agenda

Introduction (EB)

ZTP/ZTR (MA)
- Boot three bare-metal switches

Chef (EB)
- Orchestrate two switches with a baseline interface configuration
- Enforce configuration statements
- Reject certain config lines

3

Speaker Bios

Michael Amstelveen, Consulting Engineer, Arista Networks

Arista is the fastest-growing switch vendor in the 10/40/100 GbE space; our platform is based on Linux and a fully open operating system, which is becoming very popular.

I’m passionate about computer networking, automation and innovation.

Mail: [email protected]

Edwin Beekman, Engineer, Schuberg Philis bv

Working at Schuberg Philis bv, a company focused on Critical Application Outsourcing.

My main focus is everything related to networking, from routing/switching/security to SDN, virtualization, programming and automation.

BSc in Telematics and CISSP certified.

Mail: [email protected] and Twitter: FirebladeEd

4

Automatic Network Provisioning

5

Automatic Network Provisioning

Diagram: the ZTP Server holds a mapping System ID <--> CONFIG, one static CONFIG per switch, and each switch is handed the CONFIG that matches its system ID.

6

Automatic Network Provisioning

Diagram: the ZTP Server maps System ID <--> Definition instead of a static config. A definition is composed of actions (install an EOS image such as EOS 4.13.6 or EOS 4.12.5, configure BGP, LLDP, VXLAN, IP addresses IP_1 ... IP_n, Splunk logging) and is served to the switch through the server's API.

7

Automatic Network Provisioning

Diagram: the definition is selected by LLDP neighbour / system ID (LLDP/sysID <--> Definition), and values in it such as IP = $IP_ADDR are filled in at bootstrap time by allocating from a resource pool (IP1, IP2, ...) held on the ZTP Server, which then feeds the BGP and VXLAN configuration.

8

ZTP Process Overview

Participants: the booting Arista EOS switch, the DHCP server, the ZTP server, and the syslog and XMPP servers used for logging.

1. Switch -> DHCP server: DHCP Request
2. DHCP server -> switch: DHCP Response (MGMT IP, name server, boot file)
3. Switch -> ZTP server: HTTP GET bootstrap
4. Switch: run bootstrap
5. Switch -> ZTP server: HTTP GET config (logging and XMPP settings)
6. Switch -> syslog server / XMPP server: start logging
7. Switch: collect node details via eAPI
8. Switch -> ZTP server: HTTP POST nodes (the collected details)
9. Switch -> ZTP server: HTTP GET definition
10. Switch: load definition
11. For each action in the definition: HTTP GET action, HTTP GET resource(s), run action
12. Switch: reboot, if a startup-config was produced

Everything after the DHCP exchange is fetched over plain HTTP from the ZTP server, so the bootstrap script, definition, actions and images are only as trustworthy as that server and the management network between it and the switch.

9

Definitions File

Specifies the tasks to be performed during the bootstrap of a node.

The definition file can be either:
- manually created, or
- auto-generated by the server based on a match in the neighbordb file

A definition file contains:
- actions, with
- attributes, which can call config templates
- that in turn use resource pools to assign values

Example definition (YAML):

  actions:
    - action: install_image
      always_execute: true
      attributes:
        url: files/images/vEOS.swi
        version: 4.13.5F
      name: "validate image"
    - action: add_config
      attributes:
        url: files/templates/ma1.template
        variables:
          ipaddress: allocate('mgmt_subnet')
      name: "configure ma1"
    - action: add_config
      attributes:
        url: files/templates/system.template
        variables:
          hostname: allocate('tor_hostnames')
      name: "configure global system"

10

Available Actions

Action              Description
add_config          Adds a block of configuration to the final startup-config
copy_file           Copies a file from the server to the destination node
install_cli_plugin  Installs a new EOS CLI plugin and configures rc.eos
install_extension   Installs a new EOS extension
install_image       Validates and installs a specific version of EOS
replace_config      Sends an entire startup-config to the node (overrides add_config)
send_email          Sends an email to a set of recipients routed through a relay host; can include file attachments
run_bash_script     Runs a bash script during bootstrap
run_cli_commands    Runs CLI commands during bootstrap

11

Examples of Templates & Resource Pools

Templates

  login.template:
    username admin priv 15 secret admin

  ma1.template:
    interface Management1
       ip address $ipaddress
       no shutdown

  hostname.template:
    hostname $hostname

Resource Pools

  mgmt_subnet:
    192.168.100.210/24: null
    192.168.100.211/24: null
    192.168.100.212/24: null
    192.168.100.213/24: null
    192.168.100.214/24: null

  tor_hostnames:
    veos-dc1-pod1-tor1: null
    veos-dc1-pod1-tor2: null
    veos-dc1-pod1-tor3: null
    veos-dc1-pod1-tor4: null
    veos-dc1-pod1-tor5: null

A pool is a YAML mapping from a value to the node that holds it: allocate('mgmt_subnet') hands a node the first entry that is still null and records the node's ID against it, so a node that bootstraps again gets the same value. Note that login.template bakes a static admin/admin credential into every switch it touches; treat it as lab bootstrap only and replace it with the real AAA configuration in a later action.
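How the allocate() calls in the definition draw from these pools and feed the templates, as an added Ruby example that is not ZTPServer's own code (ZTPServer is written in Python). The pools and templates are trimmed copies of the ones on this slide, the definition is the one from the Definitions File slide with hostname.template substituted for system.template, and the node IDs are made up. An allocation is sticky (a node that bootstraps again receives the value it already holds), an exhausted pool is an error rather than a silent reuse, and a template variable the definition did not supply is an error rather than an empty string.

```ruby
require 'yaml'

# Added example (not ZTPServer code): resource-pool allocation plus template
# rendering for a definition. Pools, templates and node IDs are constructed.

class PoolExhausted < StandardError; end

# A pool maps value => owning node ID (nil while free), the layout of the
# pool files on the slide above.
POOLS = {
  'mgmt_subnet' => YAML.safe_load(<<~POOL),
    192.168.100.210/24: null
    192.168.100.211/24: null
    192.168.100.212/24: null
  POOL
  'tor_hostnames' => YAML.safe_load(<<~POOL),
    veos-dc1-pod1-tor1: null
    veos-dc1-pod1-tor2: null
  POOL
}

# Templates keyed by the url the definition uses; $name is a variable.
TEMPLATES = {
  'files/templates/ma1.template' =>
    "interface Management1\n   ip address $ipaddress\n   no shutdown\n",
  'files/templates/hostname.template' => "hostname $hostname\n",
}.freeze

# The definition from the Definitions File slide (install_image is kept but
# does not contribute to the startup-config built here).
DEFINITION = YAML.safe_load(<<~DEF)
  actions:
    - action: install_image
      always_execute: true
      attributes:
        url: files/images/vEOS.swi
        version: 4.13.5F
      name: "validate image"
    - action: add_config
      attributes:
        url: files/templates/ma1.template
        variables:
          ipaddress: allocate('mgmt_subnet')
      name: "configure ma1"
    - action: add_config
      attributes:
        url: files/templates/hostname.template
        variables:
          hostname: allocate('tor_hostnames')
      name: "configure hostname"
  DEF

# Return the value already held by node_id, or claim the first free one.
def allocate(pool, node_id)
  existing = pool.key(node_id)
  return existing if existing
  free = pool.find { |_value, owner| owner.nil? }
  raise PoolExhausted, "no free entries left for #{node_id}" unless free
  pool[free.first] = node_id
  free.first
end

# Substitute $name variables; an undefined variable is a hard error.
def render(template, vars)
  template.gsub(/\$(\w+)/) do
    name = Regexp.last_match(1)
    vars.fetch(name) { raise KeyError, "template references undefined variable $#{name}" }
  end
end

# Turn "allocate('pool')" strings into pool values; pass literals through.
def resolve_variables(variables, node_id)
  variables.to_h do |name, spec|
    m = spec.to_s.match(/\Aallocate\('(\w+)'\)\z/)
    [name, m ? allocate(POOLS.fetch(m[1]), node_id) : spec]
  end
end

# Concatenate every add_config block into the node's startup-config.
def build_startup_config(definition, node_id)
  definition['actions'].select { |a| a['action'] == 'add_config' }.map do |a|
    attrs = a['attributes']
    vars = resolve_variables(attrs.fetch('variables', {}), node_id)
    render(TEMPLATES.fetch(attrs['url']), vars)
  end.join
end

puts build_startup_config(DEFINITION, 'node-1') if __FILE__ == $PROGRAM_NAME
```

Run it twice for the same node ID and the output is identical, which is the property that lets a switch re-run ZTP (for example after a ZTR replacement) without burning a second management address or hostname.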

12

ZTP Resources

Documentation: http://ztpserver.readthedocs.org/en/latest/overview.html

ZTPServer download: https://github.com/arista-eosplus/ztpserver

Packer-based ZTPS virtual machine: https://github.com/arista-eosplus/packer-ztpserver

13

Topology

14

POD IP addressing

15

Lab 1: Preparation (www.ravello.com)

A virtual Arista vEOS switch and Opscode Chef environment has been prepared in the cloud.

Log in to the website, select the application and open the canvas to see the environment.

Verify the public IP address of host X1. This host functions as the admin box for the virtual environment.

Bash: ssh [public_IP], user devops / password Dev0ps2015

Chef server: https://[public_IP], user admin / password arista

Connect to the spine and leaf switches via ssh s1, ssh l1, etc.

16

Lab 0: Get all VMs up and running

Activity Objective

In this activity you will meet these objectives:
- Verify all host and switch VMs in the virtual lab
- Have management connectivity between all lab hosts
- Install a chef-client on a leaf switch

Required Resources

These are the resources and equipment required to complete this activity:
- A Ravello lab environment

Command list: ping, ifconfig, show

17

XMPP client on vEOS

The following configuration is required on the Arista switches. The XMPP client is part of EOS and works out of the box; encryption and AAA are also supported. Note that this lab configuration creates a privilege-15 user with nopassword and stores the XMPP password as type 7, which is reversible obfuscation rather than encryption; outside the lab, combine the XMPP client with AAA, a real credential and encryption, because the session carries CLI commands that the switch executes.

  username all privilege 15 role network-admin nopassword
  !
  management xmpp
     no shutdown
     server 192.168.0.4
     username [email protected] password 7 070E33455D1D18
     switch-group [email protected]
     switch-group [email protected]
     domain 192.168.0.4

Verify your XMPP connection with the XMPP server:

  s2#show xmpp status
  XMPP Server: 192.168.0.4 port 5222
  Client username: [email protected]
  Domain: 192.168.0.4
  Default privilege level for received commands: 1
  Connection status: connected

18

XMPP client on vEOS

How to verify your XMPP neighbors:

  s1#show xmpp neighbors
  Neighbor                        State      Time Since Last Change
  ------------------------------  ---------  ----------------------
  [email protected]                 present    14:19:09 ago
  [email protected]                 present    14:19:11 ago
  [email protected]                 present    14:28:33 ago
  [email protected]                 present    14:28:32 ago
  [email protected]                 present    14:19:07 ago

  Neighbor                        Status Message
  ------------------------------  --------------------
  [email protected]                 Arista Networks vEOS
  [email protected]                 Arista Networks vEOS
  [email protected]                 Arista Networks vEOS
  [email protected]                 Arista Networks vEOS
  [email protected]                 Arista Networks vEOS

19

XMPP client on vEOS

How to find IP 172.16.2.68 in a large underlay network using XMPP:

  s2#xmpp session [email protected]
  xmpp-all#show arp | grep 172.16.2.68
  response from: l2@192.168.0.4
  --------------------------------------------------
  172.16.2.68   0   2cc2.6029.9828   Ethernet5

Show the software version on every switch in the session:

  xmpp-all#show version | grep Software
  response from: l1@192.168.0.4
  --------------------------------------------------
  Software image version: 4.14.7M

  response from: l2@192.168.0.4
  --------------------------------------------------
  Software image version: 4.14.7M

  response from: l3@192.168.0.4
  --------------------------------------------------
  Software image version: 4.14.7M

20

XMPP client on vEOS

Show the software version for a specific group, i.e. for all leaf (TOR) switches:

  l4#xmpp send [email protected] command show version | grep Software
  message from user: [email protected]
  Software image version: 4.14.7M

  message from user: [email protected]
  Software image version: 4.14.7M

  message from user: [email protected]
  Software image version: 4.14.7M

  message from user: [email protected]
  Software image version: 4.14.7M

21

Task 0: Get your virtual lab prepared for this workshop

Activity Procedure Complete these steps:

Step 1

Step 2

Step 3

Step 4

Step 5

22

Chef controlled network

Chef is an automation platform that transforms infrastructure into code.

Chef relies on reusable definitions known as cookbooks and recipes that are written using the Ruby programming language. Cookbooks and recipes automate common infrastructure tasks.

Their definitions describe what your infrastructure consists of and how each part of your infrastructure should be deployed, configured and managed. Chef applies those definitions to servers to produce an automated infrastructure.

23

Chef controlled network

For coding the infrastructure we chose Chef and rolled out our own private Chef infrastructure. We can automate an awful lot: roll out new hypervisors, applications, configurations and services.

Coding the underlay, however, is still under development. Cisco has an integration via OnePK/Chef/Puppet or via an expect script. What really intrigues me are the implementations that make direct use of the network operating system on the device itself: integrations that allow an off-the-shelf installation of the Chef client, with or without an additional plugin.

Arista switches can easily be integrated in the Chef deployment and allow for easy central configuration.

In fact any (Linux-based) network device can be used for this kind of automation.

24

Chef controlled network

Diagram: the Chef server holds the recipes, roles, nodes, attributes and templates; each switch runs a Chef client that pulls its run-list from the server.

25

Task 1: Chef-client on vEOS

Log in with SSH to the X1 admin box.

Verify the Chef client nodes; you should see something like: s1, s2, l1, l2, l3

  cd ~/chef-repo
  knife node list

Install the chef-client on the switch (from the EOS CLI):

  copy scp:[email protected]/home/admin/switch/chef-11.18.6-1.el6.i686.rpm extension:
  extension chef-11.18.6-1.el6.i686.rpm
  copy installed-extensions boot-extensions
  bash
  sudo su -
  mkdir /persist/local/chef
  scp [email protected]:/home/admin/switch/validator.pem /persist/local/chef
  scp [email protected]:/home/admin/switch/client.rb /persist/local/chef

validator.pem is the organisation-wide validation key and is only needed for the first registration; once the switch has its own client.pem, remove the validation key from the switch so that it cannot be used to register arbitrary nodes.

26

Task 1: Chef-client on vEOS

Run the chef-client on the SPINE switch; this registers the switch with the Chef server:

chef-client -c /persist/local/chef/client.rb

On the Chef server:

knife node edit s1

{

"name": "s1",

"chef_environment": "spine-leaf",

"normal": {

"tags": [

]

},

"run_list": [

"role[spine-leaf]"

]

}

Run the client again on the switch

chef-client -c /persist/local/chef/client.rb

27

Task 1: Chef-client on vEOS

Run the chef-client on the LEAF switch; this registers the switch with the Chef server:

chef-client -c /persist/local/chef/client.rb

On the Chef server, add extra node properties:

knife node edit l2

{

"name": "l2",

"chef_environment": "spine-leaf",

"normal": {

"pod": {

"asno": 65001,

"inet6_prefix": "fd00:411:0112:02",

"inet_prefix": "172.16.2",

"name": "l2",

"number": 1

},

"provisioning": {

"boot_option": "EOS-4.14.6M",

"deployed": true

},

"tags": [

]

},

"run_list": [

"role[leaf-spine]"

]

}

Run the client again on the switch:

chef-client -c /persist/local/chef/client.rb

28

Task 2: The Chef cookbook setup

The cookbooks reside on the admin box X1 in /home/admin/chef-repo

Roles/

A role is a way to define certain patterns and processes that exist across nodes in an organization as belonging to a single job function

Environment/

An environment is a way to map an organization’s real-life workflow to what can be configured and managed when using Chef server.

Cookbooks/

A cookbook is the fundamental unit of configuration and policy distribution. A cookbook defines a scenario and contains everything that is required to support that scenario:

Recipes that specify the resources to use and the order in which they are to be applied

Attribute values

File distributions

Templates

Extensions to Chef, such as libraries, definitions, and custom resources

29

Task 2: The Chef cookbook setup

Environment

There is one environment configuration, the spine-leaf.json. It contains all the technical attributes (bgp/ospf/mlag/routes/etc) for the environment.

Roles

Currently two roles are available, for the spine and the leaf. Each containing a different run-list (cookbook).

  "run_list": [
    "recipe[coreswitch_role]"
  ]

30

Task 2: The Chef cookbook setup Cookbooks

Arista_api

Contains the actual code to log in and send commands to the vEOS switch.

Arista_switch

Contains the code to translate the environment attributes into vEOS switch configuration and send it to the Arista_api cookbook. Every part (mlag/interface/acls/etc.) has its own Ruby code file.

Coreswitch_role and Podswitch_role

Control which configuration is needed, plus possible default attributes (for example banners or ACLs).

31

Task 2: The Chef cookbook setup

Updating cookbooks to adjust, update or add features:

After changing: knife cookbook upload [cookbook_name]

Leaf or pod switches can be configured from the environment file.

After changing: knife environment from file spine-leaf.json

Verify the vEOS switch by checking the Chef run, or run it manually on the switch:

sudo chef-client -c /persist/local/chef/client.rb
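The enforce/reject step from the agenda (baseline interface configuration, enforced statements, rejected config lines) that the Arista_switch cookbook has to perform before it hands commands to Arista_api, as an added Ruby example that is not the workshop's cookbook code and does not depend on the Chef gem. The node attributes mirror the knife node edit l2 output above; the desired baseline (a loopback and BGP settings derived from the pod attributes), the forbidden-line patterns and the sample running-config are constructed assumptions. The function returns the CLI commands to push, so a second run against a compliant device returns nothing, which is the idempotence a Chef resource needs.

```ruby
# Added example (not the Arista_switch cookbook): compute the commands that
# bring a running-config to the desired state. NODE, FORBIDDEN, the baseline
# in desired_config and RUNNING_CONFIG are constructed for the example.

# Shaped like the "pod" attributes from knife node edit l2.
NODE = {
  'pod' => { 'asno' => 65001, 'inet_prefix' => '172.16.2', 'name' => 'l2', 'number' => 1 }
}.freeze

# Lines a compliant switch must never carry (assumed policy).
FORBIDDEN = [
  /\Amanagement telnet\z/,           # clear-text management plane
  /\Ausername \S+ .*\bnopassword\z/, # accounts without a credential
].freeze

# Desired sections => child lines, derived from the node attributes
# (assumed baseline: loopback from inet_prefix.number, BGP from asno).
def desired_config(node)
  pod = node['pod']
  loopback = "#{pod['inet_prefix']}.#{pod['number']}"
  {
    "hostname #{pod['name']}" => [],
    'interface Loopback0' => ["ip address #{loopback}/32"],
    "router bgp #{pod['asno']}" => ["router-id #{loopback}", 'maximum-paths 4'],
  }
end

# Parse EOS-style running-config text into { section line => [child lines] }.
# Children are the indented lines under a top-level line; '!' separators drop.
def parse_sections(text)
  sections = {}
  current = nil
  text.each_line do |raw|
    line = raw.rstrip
    next if line.empty? || line.start_with?('!')
    if line.start_with?(' ') && current
      sections[current] << line.strip
    else
      current = line
      sections[current] ||= []
    end
  end
  sections
end

# Commands that enforce the baseline (add missing lines) and reject
# forbidden lines (negate them); empty when the device is compliant.
def reconcile(running_text, node)
  running = parse_sections(running_text)
  commands = []
  desired_config(node).each do |section, children|
    present = running[section]
    missing = present ? children - present : children
    next if present && missing.empty?
    commands << section
    commands.concat(missing)
  end
  running.each do |section, children|
    if FORBIDDEN.any? { |re| re.match?(section) }
      commands << "no #{section}"
      next
    end
    bad = children.select { |c| FORBIDDEN.any? { |re| re.match?(c) } }
    next if bad.empty?
    commands << section
    commands.concat(bad.map { |c| "no #{c}" })
  end
  commands
end

# Constructed sample, not captured from the lab.
RUNNING_CONFIG = <<~CFG.freeze
  hostname l2
  !
  username all privilege 15 role network-admin nopassword
  !
  management telnet
     no shutdown
  !
  router bgp 65001
     router-id 172.16.2.1
  !
CFG

puts reconcile(RUNNING_CONFIG, NODE) if __FILE__ == $PROGRAM_NAME
```

In the cookbook the returned list would be the argument to the Arista_api resource, and an empty list means the resource reports nothing updated; the line-level comparison is deliberately conservative, so a policy that needs ordering-aware checks (ACL entries, for example) should compare whole sections instead.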

32

SDN initiatives in the Netherlands

Early last year we started a new SDN MeetUp group in Amsterdam.

We have held four meetings, which were well received.

If you are interested make sure to check and join the group:

http://www.meetup.com/Amsterdam-SDN-Group/