This repository has been archived by the owner on Jun 16, 2019. It is now read-only.

README.md

The experimental content in this repository has been archived. Go to batfish ansible repository for current content.

ansible-demo

This repo contains the files and instructions necessary to reproduce our Ansible demo presentation, which uses Pybatfish and Batfish to validate pre-commit network configuration changes.

Automation without pre-commit validation is risky. Use Batfish in your automated workflow for comprehensive correctness guarantees before pushing to production.

Prereqs

  • Run Batfish. If you don't already have it set up and running, run this to pull and start the Batfish Docker container (it exposes the two ports Pybatfish talks to):

    mkdir -p data && docker run -d -v $(pwd)/data:/data -p 9997:9997 -p 9996:9996 batfish/allinone:sha_736c753_e840243

  • Install the Pybatfish version used for the demo (to guarantee compatibility):

    pip install git+git://github.com/batfish/pybatfish.git@386d0379e0b16985cee9c6cd12c0e7d8d8c8d6cc

  • Install Ansible (see installation guide for details):

    pip install ansible

Setup

  • Clone this demo repo:

    git clone git@github.com:batfish/ansible-demo.git

  • Edit the group vars in the playbooks/inventory file to reflect your setup.

  • Run the setup script to create the base snapshot and policies:

    python python/demo-setup.py -p snapshots/snapshot0/ -a "DC Fabric Policy" checks/fabric/ -a "DC Base Policy" checks/base/

Optional Setup for Integrations

Git Integration

This Git integration allows Ansible to create a branch in the GitHub repository with your network configurations, and commit each change you validate to that branch.

S3 Integration

This S3 integration is for posting Batfish validation logs to your S3 bucket. Logs are also stored locally whether or not S3 is used.

  • Create an S3 bucket to store your logs

  • Install required Python modules:

    pip install botocore
    pip install boto3

Slack Integration

Running the Demo

The example network from the demo is shown below. During the demo, we make two changes to the network:

  1. Add new leaf leaf-03, which is not included in the network initially
  2. Update the ACLs on the firewalls to permit a new HTTP service

Note:

  • Both scenarios can optionally be run with extra tags s3, slack, and/or git to enable different integrations.
  • Logs for each playbook run are written to s3_logs/.

Add Leaf Scenario

This scenario adds a new leaf router to an existing datacenter and confirms the changes made adhere to the defined network policies.

Run 1 - Fail Policy

This run fails due to duplicate BGP ASNs between leaf 2 and leaf 3.

  • Run the playbook: ansible-playbook -i playbooks/inventory playbooks/master.yml --tags "always"
  • Fill in the prompts:
    • Hostname: lhr-leaf-03
    • POD: 1
    • BGP ASN: 65002

Run 2 - Pass Policy

This run passes our predefined policies.

  • Run the playbook: ansible-playbook -i playbooks/inventory playbooks/master.yml --tags "always"
  • Fill in the prompts:
    • Hostname: lhr-leaf-03
    • POD: 1
    • BGP ASN: 65003

Update ACL Scenario

This scenario is derived from our Provably Safe ACL and Firewall Changes Python notebook. It updates our firewalls to allow access to a new HTTP service (TCP port 80 on subnet 10.1.5.0/27) and confirms the changes:

  1. Are necessary (i.e. firewalls do not currently permit the new traffic)
  2. Allow the new traffic
  3. Don't allow anything other than the new traffic (i.e. confirm no collateral damage)

Run 1 - Fail ACL Validation

This run opens a bigger hole in the firewall than intended (the wildcard 0.0.0.63 covers a /26, twice the intended /27), so it fails the collateral damage check.

  • Edit the file inputs/acls.json to reflect the desired ACL changes, adding this line just before the deny all line: "permit tcp any 10.1.5.0 0.0.0.63 eq 80",
  • Run the ACL playbook: ansible-playbook -i playbooks/inventory playbooks/master_acl.yml --tags "create"
  • Fill in the prompts:
    • Firewall hostnames: lhr-fw-01|lhr-fw-02
    • POD: 1
    • Source IPs of new traffic to allow: 0.0.0.0/0
    • Destination IPs of new traffic to allow: 10.1.5.0/27
    • IP protocol for new traffic to allow: tcp
    • Destination ports: 80

Run 2 - Pass ACL Validation

This run passes our ACL validation checks.

  • Edit the file inputs/acls.json to reflect the desired ACL changes, replacing the line added above with this line: "permit tcp any 10.1.5.0 0.0.0.31 eq 80",
  • Run the ACL playbook: ansible-playbook -i playbooks/inventory playbooks/master_acl.yml --tags "create"
  • Fill in the prompts, same as the previous run:
    • Firewall hostnames: lhr-fw-01|lhr-fw-02
    • POD: 1
    • Source IPs of new traffic to allow: 0.0.0.0/0
    • Destination IPs of new traffic to allow: 10.1.5.0/27
    • IP protocol for new traffic to allow: tcp
    • Destination ports: 80
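As an added illustration (not code from the demo repo), the collateral-damage check from step 3 can be approximated offline for a single ACE: the script below converts the IOS wildcard in a candidate line into a CIDR prefix and reports what the line permits beyond the intended 10.1.5.0/27, which is why the 0.0.0.63 line fails and the 0.0.0.31 line passes. The ACE pattern, the function names and the restriction to `any` sources are assumptions of this example; the real demo asks Batfish to compare the full before/after snapshots rather than one line.

```python
import ipaddress
import re

# Cisco-style extended ACE of the shape used in inputs/acls.json on this page:
#   permit <proto> any <dst-ip> <dst-wildcard> eq <port>
# Restricting the source to "any" is an assumption of this example.
ACE_RE = re.compile(
    r"^permit\s+(?P<proto>\w+)\s+any\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<wild>\d+\.\d+\.\d+\.\d+)\s+eq\s+(?P<port>\d+)$"
)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair to a CIDR network.

    Only contiguous wildcards (0.0.0.31, 0.0.255.255, ...) map to a single
    prefix; anything else is rejected rather than guessed at.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # w+1 must be a power of two for a contiguous mask
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefixlen = 32 - w.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def check_ace(ace: str, intended: str, proto: str, port: int) -> dict:
    """Compare one permit ACE against the change we intended to make.

    Reports whether the line allows the intended traffic and which extra
    destination space it permits on top of it (the collateral damage).
    """
    m = ACE_RE.match(ace.strip().strip('",'))  # tolerate the JSON quoting
    if not m:
        raise ValueError(f"unsupported ACE: {ace!r}")
    want = ipaddress.ip_network(intended)
    got = wildcard_to_network(m["dst"], m["wild"])
    header_ok = m["proto"].lower() == proto.lower() and int(m["port"]) == port
    allows_intended = header_ok and want.subnet_of(got)
    collateral = []
    if allows_intended and got != want:
        collateral = [str(n) for n in sorted(got.address_exclude(want))]
    return {"permitted": str(got), "allows_intended": allows_intended,
            "collateral": collateral}


if __name__ == "__main__":
    # The two candidate lines from Run 1 and Run 2 above.
    for line in ('"permit tcp any 10.1.5.0 0.0.0.63 eq 80",',
                 '"permit tcp any 10.1.5.0 0.0.0.31 eq 80",'):
        print(line, check_ace(line, "10.1.5.0/27", "tcp", 80))
```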

Got questions, feedback, or feature requests? Join our community on Slack!