Sean CavanaughTechnical Marketing ManagerRed Hat Ansible Automationseanc@redhat.com@IPvSean

Ask an Expert: Ansible Network Automation

Iftikhar KhanSenior Manager, Engineering TeamRed Hat Ansible Automationikhan@redhat.com@ifty_k

For more information or to register visit: ansible.com/automates

Tampa, FL

November 14, 2018

New York, NY

December 4, 2018

Nashville, TN

October 25, 2018

For more information or to register visit: ansible.com/workshops

Portland, OR

November 6, 2018

Houston, TX

November 7, 2018

Rochester

November 7, 2018

NETWORKING WORKSHOP NETWORKING WORKSHOP NETWORKING WORKSHOP

WHAT WE’RE TALKING ABOUT TODAY

httpapinet_get and net_putnew netconf modulescli_command and cli_config

New Tower 3.3 UI ImprovementsTower Credential Management for Network DevicesCustom Ansible Environment Support for Ansible Tower

Ansible Network RolesQ/A with Ifty and Sean

httpapi connection plugin● New top level connection method available on Ansible 2.6 and later

● To invoke use connection: httpapi

● Initially supports○ Cisco Nexus NX-API for the NX-OS platform ○ Arista eAPI for the EOS platform

● The httpapi method is implied by the ansible_network_os

Networking Platform ansible_network_os httpapi method

Arista EOS ansible_network_os=eos eAPI

Cisco NX-OS ansible_network_os=nxos NX-API

httpapi connection plugin example---- name: httpapi Playbook hosts: leaf01 connection: httpapi gather_facts: false tasks: - name: type a simple arista command eos_command: commands: - show version | json register: command_output

- name: print command output to terminal window debug: var: command_output.stdout[0]["version"]

net_get and net_put● agnostic network modules

● requires connection: network_cli type

● Support SCP or SFTP transfer protocols

● Requires scp installed and enabled on control and target nodes

net_get and net_put example---- name: PLAYBOOK SHOWCASING NET_GET AND NET_PUT hosts: leaf01 connection: network_cli gather_facts: false tasks: - name: COPY FILE FROM THE NETWORK DEVICE TO ANSIBLE CONTROLLER net_get: src: running_cfg_eos1.txt

- name: COPY FILE FROM THE ANSIBLE CONTROLLER TO THE NETWORK DEVICE net_put: src: temp.txt

netconf● network management protocol developed and standardized by the IETF

● alternative to SSH command line (network_cli) and device APIs (httpapi)

● Three netconf specific modules

○ netconfg_get - fetch configuration/state data from NETCONF enabled network devices

○ netconf_rpc - execute operations on NETCONF enabled network devices

○ netconf_config - netconf device configuration, module allows the user to send a configuration XML file to a netconf device, and detects if there was a configuration change.

netconf - converting RPC to a Playbook<rpc> <get-interface-information> <interface-name>ge-2/3/0</interface-name> <detail/> </get-interface-information></rpc>]]>]]> - name: GET INTERFACE INFO netconf_rpc: display: json rpc: get-interface-information content: interface-name: "em1.0"

---- name: RUN A NETCONF COMMAND hosts: juniper gather_facts: no connection: netconf

tasks:

- name: GET INTERFACE INFO netconf_rpc: display: json rpc: get-interface-information content: interface-name: "em1.0" register: netconf_info

netconf - full example

cli_command and cli_config● agnostic network modules, available Ansible 2.7 and later

● requires connection: network_cli type

[cisco]rtr1 ansible_host=54.201.149.175 rtr2 ansible_host=34.222.129.140 rtr3 ansible_host=34.219.120.71

[cisco:vars]ansible_user=adminansible_network_os=ios

[arista]leaf01 ansible_host=34.217.176.5leaf02 ansible_host=34.217.176.6

[arista:vars]ansible_user=adminansible_network_os=eos

ansible_network_os identifies operating system and plugins to use

Networking Inventory

---- name: AGNOSTIC PLAYBOOK hosts: cisco gather_facts: no connection: network_cli tasks:

- name: CONFIGURE DNS cli_config: config: ip name-server 8.8.8.8

- name: CHECK CONFIGURATION cli_command: command: show run | i ip name-server register: cisco_output

cli_* - full example

What is Tower?

Ansible Tower is an enterprise framework for controlling, securing and managing your Ansible automation with a UI and RESTful API.

Red Hat Ansible Tower

https://www.ansible.com/tower

Red Hat Ansible Tower● When would I need Tower vs the command-line Ansible?

○ When 2 or more people start using the same Playbooks in their organization.

○ When I need a central point of execution ○ When I need an API to control my Playbooks○ When I need integrations with TACACS+, RADIUS, SAML, AD○ When I am doing more than just networks

● How do I get started?○ Free Workshops, Free Trials (Linux, Vagrant, AWS EC2)○ Red Hat Global Learning Services: https://red.ht/2jVOvNg

New Tower 3.3 UI Improvements

Credentials

Orgs, Users and Teams

Notifications

Get more things done,with less clicks!

More Top Level Info under Jobs

Who launched this job

When the job was launched

What the job was launched against

Network Credential Management

● Treat network devices just like servers!

● SSH keys or username/pass

● Utilizing AES-256 in CBC mode alongside a SHA-256 HMAC.

Ansible Environment

● More flexibility

● Control which version of Ansible on a per-Job basis

● No more locking of Tower to specific Engine release

https://galaxy.ansible.com/ansible-network

Ansible Network Roles

Network Activities for Operators

● Distributed through Ansible Galaxy

● Data driven workflows for performing network operator tasks

● Extensible and adaptable for any platform, any device

● Fully Supported through your Red Hat Subscription

cloud_vpn - Network RolePurpose Providers Ansible Version

Agnostic role for creating IPSEC VPN tunnels between two clouds or endpoints.

Cloud: AWS, Azure, OpenStackEndPoints:AWS VPN, VyOS, Cisco CSR, RHEL, CentOS

2.6+

Functions Example

● create_vpn● delete_vpn

- include_role: name: ansible-network.cloud_vpn

- include_role: name: ansible-network.cloud_vpn tasks_from: delete_vpn

https://galaxy.ansible.com/ansible-network/cloud_vpn

Cisco CSR on AWS RHEL on Azure

VPN

config_manager - Network RolePurpose Providers Ansible Version

platform agnostic approach tomanaging the active (running) configuration file on network devices

VyOS, Junos OS, Arista EOS, Cisco IOS, IOS-XR, IOS-XE, NX-OS

2.6+

Functions Example

● get● load● save

---- hosts: network gather_facts: false roles: - name ansible-network.config_manager function: get

https://galaxy.ansible.com/ansible-network/config_manager

Cisco IOS-XE

Juniper Junos

Arista EOS

yang - Network RolePurpose Providers Ansible Version

platform agnostic approach tomanaging the active (running) configuration file on network devices

Cisco IOS-XR and Juniper Junos 2.6.2+

Functions Example

● configure● spec● fetch

- hosts: iosxr connection: netconf gather_facts: false tasks: - name: include yang role include_role: name: ansible-network.yang tasks_from: fetch

https://galaxy.ansible.com/ansible-network/yang

Cisco IOS-XE

Juniper Junos

25

Q / Aansible-network@redhat.com

github.com/network-automation

facebook.com/ansibleautomation

twitter.com/ansible