Philip DiLeo - EOS+ Consulting ServicesAnsible_Nova-Meetup.pdf · Config-based approach with...

Post on 24-Sep-2020


Philip DiLeo - EOS+ Consulting Services

But first, football...

Odell Beckham:
1. Sprint 10 yards
2. Slant at 45 degrees
3. Run 4 yards
4. Catch ball at 60mph

Third string player:
1. Sprint 5 yards
2. Slant at 45 degrees
3. Run 1 yard
4. Catch ball at 20mph

What would a data model look like for the player?

Odell Beckham
slant_route:
  sprint: 10
  post_slant_sprint: 5
  ball_speed: 60

Third string player
slant_route:
  sprint: 5
  post_slant_sprint: 1
  ball_speed: 20

Group Variable
slant_angle: 45

How would you describe the play for the wide receiver in red?

- players: wide_receivers
  tasks:
    - name: On hike, sprint!
      sprinting: distance={{ slant_route.sprint }}

    - name: Then slant in
      change_direction: angle={{ slant_angle }}

    - name: Then sprint again
      sprinting: distance={{ slant_route.post_slant_sprint }}

    - name: Prepare to catch
      receive_ball: speed={{ slant_route.ball_speed }}

Okay Coach, write the play...

group_vars/wide_receivers:
slant_angle: 45

player_vars/odell_beckham:
slant_route:
  sprint: 10
  post_slant_sprint: 5
  ball_speed: 60

player_vars/third_string:
slant_route:
  sprint: 5
  post_slant_sprint: 1
  ball_speed: 20

players file:
[wide_receivers]
odell_beckham
third_string

1. Who runs the play?
2. Who’s in that group? (Iterate per player)
3. Any group vars?
4. Gather Player Vars
5. Run tasks

Conceptually, then...

Data:
- host_vars
- group_vars
- sql database
- git repo
- static config lines

Execution Strategy:
- Ansible Tasks/Roles
- Config Blocks
- API Calls

Running Config

Some Background on Ansible

● Goal: simplicity and ease of use
● Playbooks written in easily-read YAML
● Written in Python
● Agent-less architecture (no client daemon)
● Security (uses OpenSSH or SSL)
● Can be used by all within organization
● Tower: Operationalize Ansible

Why do I need Ansible?

“Why can’t I write a python or shell script that configures the switch?”

● Idempotency
● Manageability
● One platform for entire infra
● Community-driven (1000 >> 1)

Ansible Modules

Ansible includes 400+ built-in modules including:
● apt, yum, copy, command, cron, dns, docker, easy_install, ec2 (amazon modules), file, filesystem, find, git, known_hosts, mysql, mongodb, nagios, npm, openstack, rax (rackspace), pip, shell, snmp_facts…

Sample options for the yum module

But where are the networking modules?

Ways to use Ansible with Arista

● API-based approach with arista.eos role available through Galaxy

● Config-based approach with ansible core module eos_config (Ansible 2.0+)

The Ansible Role for EOS

The Ansible Role for EOS allows us to package multiple EOS-related modules into one convenient role.

This can be installed using Ansible Galaxy

$ ansible-galaxy install arista.eos

EOS Role - What’s included?

Modules
● eos_acl_entry
● eos_bgp_config
● eos_bgp_neighbor
● eos_bgp_network
● eos_ethernet
● eos_facts
● eos_interface
● eos_ipinterface
● eos_mlag_config
● eos_mlag_interface
● eos_ping
● eos_portchannel
● eos_purge
● eos_routemap
● eos_staticroute
● eos_stp_interface
● eos_switchport
● eos_system
● eos_user
● eos_varp
● eos_varp_interface
● eos_vlan
● eos_vrrp
● eos_vxlan
● eos_vxlan_vlan
● eos_vxlan_vtep

Handler
● save running config

How does it work?

tasks:
  - name: Configure Vlan 1
    eos_vlan: vlanid=1 enable=yes name=foo

Additional EOS Roles
[ Ansible Roles built on top of arista.eos ]

Stop writing tasks. Start to model your configuration as CLI-agnostic data structures.

● arista.eos base role (includes mainly modules)
● arista.eos-route-control (mainly tasks)
● arista.eos-system (mainly tasks)
● arista.eos-virtual-router (mainly tasks)
● arista.eos-vxlan (mainly tasks)
● arista.eos-bridging (mainly tasks)
● arista.eos-interfaces (mainly tasks)
● arista.eos-ipv4 (mainly tasks)
● arista.eos-bgp (mainly tasks)
● arista.eos-mlag (mainly tasks)

Available Through Galaxy
[ Ansible Roles built on top of arista.eos ]

https://galaxy.ansible.com/detail#/user/5790

Connection Methods

Option A - SSH

Requirements:
● Password-less SSH associations
● pyeapi installed on switch (you can do this with Ansible)
● eAPI enabled
● bash user

Notes:
● You can use http_local or unix sockets on >4.14.5F
● Technically more secure

Option B - eAPI

Requirements:
● pyeapi installed on Ansible Control Host
● eAPI enabled

Notes:
● Simplicity but potentially less secure. Need to store eapi credentials in cleartext.

A New Method...

eos_config Core Module
[ New in Ansible 2.0+ ]

- name: get eos facts
  eos_facts:
    include_config: yes
    device: "{{ eapi }}"

- name: Configure Arista Interface
  eos_config:
    block:
      - "description {{ item.description }}"
      - "{{ item.enabled | ternary('no shutdown', 'shutdown') }}"
      - "no switchport"
      - "ip address {{ item.address }}"
    parent: "interface {{ item.name }}"
    device: "{{ eapi_connection }}"
    config: "{{ eos_facts.config }}"
  with_items: "{{ interfaces }}"

ansible_connection: local
eapi_connection:
  host: "{{ inventory_hostname }}"
  username: admin
  password: admin
  use_ssl: no

interfaces:
  - name: Ethernet1
    enabled: yes
    description: My interface 1
    address: 1.1.1.1/24
  - name: Ethernet2
    enabled: yes
    description: My interface 2
    address: 1.1.2.1/24
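
The connection variables above keep the eAPI password in cleartext and turn SSL off, the trade-off noted under Option B. The check below is an added example, not part of the original slides or of Ansible: it scans a vars file for literal secrets and a disabled `use_ssl`. The hardened sample assumes a hypothetical variable `vault_eapi_password` defined in a vars file encrypted with `ansible-vault encrypt`.

```python
import re

# Constructed sample: the connection variables from the slides.
WEAK_VARS = """\
ansible_connection: local
eapi_connection:
  host: "{{ inventory_hostname }}"
  username: admin
  password: admin
  use_ssl: no
"""
# Constructed corrected variant. vault_eapi_password is a hypothetical name;
# it would be defined in a vars file encrypted with `ansible-vault encrypt`.
HARDENED_VARS = """\
ansible_connection: local
eapi_connection:
  host: "{{ inventory_hostname }}"
  username: admin
  password: "{{ vault_eapi_password }}"
  use_ssl: yes
"""

SECRET_KEYS = {"password", "auth_pass"}
YAML_FALSE = {"no", "false", "off"}      # YAML 1.1 spellings of a false boolean
KEY_VALUE = re.compile(r"^(\s*)(?:- )?([\w.-]+):\s*(.*?)\s*$")


def audit_vars(text):
    """Return (line_number, dotted_key, issue) for risky connection settings."""
    findings, stack = [], []             # stack: (indent, key) of open mappings
    for number, line in enumerate(text.splitlines(), start=1):
        match = KEY_VALUE.match(line)
        if not match:
            continue
        indent, key, value = len(match.group(1)), match.group(2), match.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()                  # leave mappings that ended above this line
        path = ".".join([k for _, k in stack] + [key])
        bare = value.strip("\"'")
        # A literal value is a secret at rest; a template or vault tag is not.
        if key in SECRET_KEYS and bare and not bare.startswith(("{{", "!vault")):
            findings.append((number, path, "cleartext secret"))
        if key == "use_ssl" and bare.lower() in YAML_FALSE:
            findings.append((number, path, "eAPI transport without SSL"))
        if not value:                    # "key:" alone opens a nested mapping
            stack.append((indent, key))
    return findings
```

Run as a pre-commit or CI step over `group_vars/` and `host_vars/`, a non-empty result from `audit_vars` is a reason to block the change.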

eos_config Core Module
[ New in Ansible 2.0+ ]

Advantages

● No third-party libraries needed (pyeapi, arista.eos)
● Work directly with known running-configuration
● Easy to use/understand. Zero barrier to entry
● Offline-mode (generate configuration lines)
● Leverages eAPI connection
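
To illustrate working from the known running-configuration and generating only the lines that are needed, here is an added sketch of that comparison for the interface task shown earlier; it is not the eos_config module's code and not from the slides. The running-config text is constructed, and the table of implicit defaults is an assumption of the sketch.

```python
# Constructed running-config excerpt (not captured from a device).
RUNNING_CONFIG = """\
hostname veos-1
!
interface Ethernet1
   description My interface 1
   no switchport
   ip address 1.1.1.1/24
!
interface Ethernet2
   description old uplink
   shutdown
!
"""
# The `interfaces` variable from the slides.
INTERFACES = [
    {"name": "Ethernet1", "enabled": True,
     "description": "My interface 1", "address": "1.1.1.1/24"},
    {"name": "Ethernet2", "enabled": True,
     "description": "My interface 2", "address": "1.1.2.1/24"},
]
# Assumption: defaults the device leaves out of its running-config, mapped to
# the line that would override them.
IMPLICIT_DEFAULTS = {"no shutdown": "shutdown"}


def section_lines(config, parent):
    """Collect the indented child lines under the top-level line `parent`."""
    children, inside = set(), False
    for line in config.splitlines():
        if not line.startswith(" "):     # a top-level line opens or closes a section
            inside = line.strip() == parent
        elif inside:
            children.add(line.strip())
    return children


def lines_to_push(config, intf):
    """Return the commands still needed for `intf`; an empty list means no change."""
    parent = "interface " + intf["name"]
    present = section_lines(config, parent)
    block = ["description " + intf["description"],
             "no shutdown" if intf["enabled"] else "shutdown",
             "no switchport", "ip address " + intf["address"]]

    def satisfied(line):
        override = IMPLICIT_DEFAULTS.get(line)
        return line in present or (override is not None and override not in present)

    missing = [line for line in block if not satisfied(line)]
    return [parent] + missing if missing else []
```

Ethernet1 already matches, so nothing is generated for it, while Ethernet2 gets its parent line plus the four lines it lacks. Without the defaults table, plain line matching would report `no shutdown` as missing on every run.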

Best Practices...

Beginner’s Playbook(s)

#1. playbooks/deploy_app1_spine.yml
---
- hosts: spine
  tasks:
    - name: Configure App Vlan
      vlan: vlanid=10 enable=yes name=app1

    - name: Configure BGP
      bgp: key=value key=value key=value

    - name: Configure Interfaces
      intf: key=value key=value key=value

    - name: Configure SNMP
      system: key=value key=value key=value

    - name: Configure mlag
      mlag: key=value key=value key=value

#N. playbooks/deploy_appN_spine.yml
---
- hosts: spine
  tasks:
    - name: Configure App Vlan
      vlan: vlanid=1000 enable=yes name=app1

    - name: Configure BGP
      bgp: key=value key=value key=value

    - name: Configure Interfaces
      intf: key=value key=value key=value

    - name: Configure SNMP
      system: key=value key=value key=value

Solution: Ansible Roles

“We’ll pretty much assume you are using roles at this point. You should be using roles for sure. Roles are great. You are using roles aren’t you? Hint hint.” (docs.ansible.com)

“...they allow you to focus more on the big picture and only dive down into the details when needed.”

Example EOS Role - Varp
[ Abstract Virtual Router Configuration ]

host_vars/veos-3

virtual_mac_addr: "00:1c:73:00:00:99"
varp_interfaces:
  - vlanid: 1001
    name: Varp_Vlan1001
    interface_addr: 192.168.1.3/24
    virtual_addrs:
      - 192.168.1.1
  - vlanid: 1002
    name: Varp_Vlan1002
    interface_addr: 192.168.2.3/24
    virtual_addrs:
      - 192.168.2.1

host_vars/veos-4

virtual_mac_addr: "00:1c:73:00:00:99"
varp_interfaces:
  - vlanid: 1001
    name: Varp_Vlan1001
    interface_addr: 192.168.1.4/24
    virtual_addrs:
      - 192.168.1.1
  - vlanid: 1002
    name: Varp_Vlan1002
    interface_addr: 192.168.2.4/24
    virtual_addrs:
      - 192.168.2.1

# Playbook
- hosts: leafs
  roles:
    - arista.eos-virtual-router

# Run
ansible-playbook -i hosts play.yml

# hosts file
[leafs]
veos-3
veos-4

Using Roles - Site Configuration
[ Simply include roles ]

# Run
ansible-playbook -i hosts site.yml

# hosts file
[spine]
veos-1
veos-2

[leaf]
veos-3
veos-4

# Playbook site.yml
- include: spine.yml
- include: leaf.yml

# Playbook spine.yml
- hosts: spine
  gather_facts: no
  roles:
    - arista.eos-system
    - arista.eos-interfaces
    - arista.eos-bridging
    - arista.eos-ipv4
    - arista.eos-route-control
    - arista.eos-bgp

# Playbook leaf.yml
- hosts: leaf
  gather_facts: no
  roles:
    - arista.eos-system
    - arista.eos-interfaces
    - arista.eos-bridging
    - arista.eos-ipv4
    - arista.eos-route-control
    - arista.eos-bgp
    - arista.eos-mlag
    - arista.eos-virtual-router

Sample Demo
[ Zero Touch into Tower ]

https://youtu.be/VB29kjSOp7E

Setup

1. Spine/leaf in bowtie
2. All nodes in ZTP mode
3. Nodes statically + dynamically identified by ZTPServer
4. Nodes get base config:
   a. hostname
   b. mgmt ip
   c. eAPI enabled
5. Nodes register themselves with Tower
6. Run Job Template in Tower to provision nodes.

Thanks!