Configure interfaces with Ansible

Today we will configure network devices from Ansible using the ios_config module.


Ansible playbook to create loopback interfaces and add description
---
- name: Define Parameters
  hosts: XE
  gather_facts: no
  connection: network_cli
  tasks:
    - name: Create loopback interfaces and set their description
      ios_config:
        lines:
          - description loopback interface by prashant
        parents: "{{ item }}"
      with_items:
        # Spelled the way IOS prints them in "show running-config" so that
        # ios_config's literal line matching finds them and the task is idempotent.
        - interface Loopback25
        - interface Loopback30
        - interface Loopback35


Ansible-playbook for backing up running config of Cisco IOS

This ansible-playbook backs up the running configuration of Cisco IOS devices. For the parameters used in it, see my earlier post, Getting Started with your first ansible-playbook for Network Automation.


Inventory file

# Inventory file for Ansible (host:port sets ansible_port for each entry)
[XE]
ios-xe-mgmt.cisco.com:8181
ios-xe-mgmt-latest.cisco.com:8181

[XR]
sbx-iosxr-mgmt.cisco.com:8181

# ansible_network_os must match the platform: the XR sandbox is not "ios"
[XE:vars]
ansible_network_os=ios

[XR:vars]
ansible_network_os=iosxr


Playbook

---
- name: Define Parameters
  hosts: XE
  gather_facts: no
  connection: network_cli
  tasks:
    - name: backup the config
      ios_config:
        backup: yes
      register: backup_config
    - name: Store the config to directory
      copy:
        src: "{{ backup_config.backup_path }}"
        dest: "/tmp/backups/{{ inventory_hostname }}"
        mode: '0600'            # a running-config holds credentials, SNMP communities and keys
      delegate_to: localhost    # backup_path is on the control node, not on the switch
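The two playbooks above both depend on how ios_config reads a running config: it matches `lines` literally under the given `parents` path, and the backup it writes is plain text with the same indentation-based hierarchy. The following script is an added example, not code from this post or from Ansible itself. It parses that format, reproduces the (simplified) line-matching decision so you can see why "interface loopback 25" never matches "interface Loopback25", and diffs two backups so that a change such as telnet being re-enabled stands out. Hostname, addresses and both configurations are constructed sample data.

```python
"""Model of ios_config's line matching, plus a diff of two backups.

Added example, not code from the original post. It parses Cisco IOS
running-config text (leading spaces mark nesting, "!" separates sections)
into parent/child blocks, reports which `lines` under a `parents` path are
still missing (a simplified model of the default match: line behaviour of
ios_config, which compares literally against the running config), and diffs
two backups so an unexpected change stands out. All configuration text
below is constructed sample data.
"""
from __future__ import annotations


def parse_ios_config(text: str) -> dict[tuple[str, ...], list[str]]:
    """Return {parent path: [child lines]}; the empty path () holds global commands."""
    tree: dict = {(): []}
    stack: list = []  # (indent, line) of each section that is still open
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while stack and stack[-1][0] >= indent:   # a dedent closes the open section(s)
            stack.pop()
        tree.setdefault(tuple(l for _, l in stack), []).append(line)
        stack.append((indent, line))
    return tree


def missing_lines(tree: dict, parents: list[str], lines: list[str]) -> list[str]:
    """Lines that would still be pushed: those absent under the exact parents path.

    Matching is literal, so parents must be spelled the way the device prints
    them in `show running-config` (e.g. "interface Loopback25"); otherwise the
    task pushes the lines and reports a change on every run.
    """
    present = set(tree.get(tuple(parents), []))
    return [l for l in lines if l not in present]


def diff_configs(old: dict, new: dict) -> dict[str, list]:
    """Lines added and removed between two parsed backups, tagged with their parent path."""
    result: dict[str, list] = {"added": [], "removed": []}
    for path in sorted(set(old) | set(new)):
        before, after = set(old.get(path, [])), set(new.get(path, []))
        result["added"] += [(path, l) for l in sorted(after - before)]
        result["removed"] += [(path, l) for l in sorted(before - after)]
    return result


# Constructed backups: "Tuesday" contains two changes an operator would want to notice.
BACKUP_MONDAY = """\
!
hostname XE-1
!
interface Loopback25
 description loopback interface by prashant
!
interface GigabitEthernet1
 ip address 10.10.20.48 255.255.255.0
!
line vty 0 4
 transport input ssh
!
"""
BACKUP_TUESDAY = """\
!
hostname XE-1
!
ip http server
!
interface Loopback25
 description loopback interface by prashant
!
interface GigabitEthernet1
 ip address 10.10.20.48 255.255.255.0
!
line vty 0 4
 transport input telnet ssh
!
"""


def demo() -> dict:
    mon, tue = parse_ios_config(BACKUP_MONDAY), parse_ios_config(BACKUP_TUESDAY)
    desc = ["description loopback interface by prashant"]
    return {
        "lo25_push": missing_lines(mon, ["interface Loopback25"], desc),        # present: nothing to push
        "lo30_push": missing_lines(mon, ["interface Loopback30"], desc),        # absent: pushed
        "lo25_lowercase": missing_lines(mon, ["interface loopback 25"], desc),  # spelling mismatch: pushed every run
        "drift": diff_configs(mon, tue),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point the two BACKUP_ constants at consecutive files under /tmp/backups/ to run it against real output of the playbook; the diff is by design line-based and does not understand IOS defaults, so a line that merely moves between sections shows up as removed and added.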

LAN Security - Threats and Prevention

MAC Flooding and Spoofing Attacks


MAC Flooding: In a MAC flooding attack, the attacker feeds the switch a large number of Ethernet frames, each with a different source MAC address. The aim is to exhaust the limited memory the switch reserves for its MAC address table (CAM table). Once the table is full of bogus addresses the switch can no longer learn genuine ones, and any frame whose destination MAC has no entry in the table is flooded out every port in the VLAN, like unknown-unicast traffic, including the attacker's port. After a successful MAC flooding attack, the attacker can run a packet analyzer on that port and capture traffic exchanged between other hosts on the switch. Port security (a maximum number of MAC addresses per access port, with a violation action of restrict or shutdown) is the standard prevention on Cisco switches.

MAC Spoofing: In a MAC spoofing attack a malicious host sends frames whose source MAC is a legitimate address already in use on the VLAN. The switch updates its mac-address-table from the most recently seen frame, so it moves the entry to the attacker's port and forwards traffic for the spoofed address out that port.
Because of this behaviour, the attack causes an immediate denial of service (DoS) to the spoofed host. Traffic to the genuine host resumes only when that host sources a frame itself, which moves the entry back to its port. The default ageing time of the mac-address-table is 300 seconds (5 minutes), so a spoofed entry for a silent host stays in place for up to 5 minutes after the attacker stops sending. Port security with static or sticky secure MAC addresses prevents this: a MAC address that is secured on one port and then appears on another secure port is treated as a violation.
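Both attacks above come down to two rules of switch learning: the newest frame wins the MAC-to-port binding, and an address is learned only while the table has room. The following simulation is an added example, not code from this post or from any vendor; it models one switch with a small table, the 300 s default ageing timer and an optional port-security limit, and runs the flooding and spoofing scenarios with and without port security. Port numbers, MAC addresses and frame timings are constructed data.

```python
"""Switch MAC-table model: CAM-table flooding and MAC spoofing.

Added example, not code from the original post. One switch is modelled with
a fixed-size MAC address table, the default 300 s ageing timer and an
optional port-security limit, so both behaviours described above can be
observed: a table kept full by an attacker makes the switch flood frames
for unlearned destinations out every port (the attacker's included), and
the newest frame wins the MAC-to-port binding. All MAC addresses and
frames are constructed data.
"""
from __future__ import annotations
from dataclasses import dataclass, field

AGEING_SECONDS = 300            # Cisco IOS default mac-address-table ageing time
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    in_port: int
    t: float                    # arrival time in seconds


@dataclass
class Switch:
    ports: list[int]
    capacity: int = 8           # tiny CAM table so exhaustion is visible
    max_secure: int | None = None   # port-security maximum per port; None = disabled
    table: dict[str, tuple[int, float]] = field(default_factory=dict)   # mac -> (port, last seen)
    secured: dict[int, set[str]] = field(default_factory=dict)         # port -> secure MACs
    violations: list[Frame] = field(default_factory=list)

    def _age_out(self, now: float) -> None:
        for mac, (_, seen) in list(self.table.items()):
            if now - seen > AGEING_SECONDS:
                del self.table[mac]

    def _port_security_ok(self, f: Frame) -> bool:
        """Violation if the port is over its limit or the MAC is secured on another port."""
        owner = next((p for p, macs in self.secured.items() if f.src in macs), None)
        known = self.secured.setdefault(f.in_port, set())
        if owner not in (None, f.in_port) or (owner is None and len(known) >= self.max_secure):
            self.violations.append(f)
            return False
        known.add(f.src)
        return True

    def forward(self, f: Frame) -> list[int]:
        """Return the egress ports for f; more than one port means the frame was flooded."""
        self._age_out(f.t)
        if self.max_secure is not None and not self._port_security_ok(f):
            return []           # dropped (restrict/shutdown violation mode)
        # Learning: an existing entry is refreshed, so the newest frame wins the port
        # binding; a new address is learned only while there is room in the table.
        if f.src in self.table or len(self.table) < self.capacity:
            self.table[f.src] = (f.in_port, f.t)
        entry = self.table.get(f.dst)
        if f.dst == BROADCAST or entry is None:
            return [p for p in self.ports if p != f.in_port]   # broadcast/unknown unicast: flood
        return [entry[0]]


VICTIM, SERVER = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"


def flooding_scenario(port_security: bool = False) -> dict:
    """Victim on port 1, server on port 2; attacker on port 3 floods bogus source MACs."""
    sw = Switch(ports=[1, 2, 3], max_secure=1 if port_security else None)
    sw.forward(Frame(VICTIM, SERVER, 1, 0.0))
    sw.forward(Frame(SERVER, VICTIM, 2, 0.1))
    before = sw.forward(Frame(SERVER, VICTIM, 2, 0.2))       # learned: unicast to port 1 only
    for burst, start in ((0, 1.0), (1, 320.0)):              # two bursts of 50 fresh sources
        for i in range(50):
            sw.forward(Frame(f"cc:cc:cc:{burst:02x}:00:{i:02x}", SERVER, 3, start + i * 0.001))
    # By t=320 the legitimate entries have aged out and the second burst refilled the
    # table, so neither host can be relearned and server->victim traffic is flooded.
    sw.forward(Frame(VICTIM, SERVER, 1, 321.0))
    after = sw.forward(Frame(SERVER, VICTIM, 2, 322.0))
    return {"before": before, "after": after, "table_size": len(sw.table),
            "attacker_entries": sum(1 for port, _ in sw.table.values() if port == 3),
            "violations": len(sw.violations)}


def spoofing_scenario(port_security: bool = False) -> dict:
    """Attacker on port 3 sends a single frame carrying the victim's source MAC."""
    sw = Switch(ports=[1, 2, 3], max_secure=1 if port_security else None)
    sw.forward(Frame(VICTIM, SERVER, 1, 0.0))
    sw.forward(Frame(SERVER, VICTIM, 2, 0.1))
    sw.forward(Frame(VICTIM, SERVER, 3, 0.5))                # spoofed source from port 3
    hijacked = sw.forward(Frame(SERVER, VICTIM, 2, 0.6))     # binding now points at port 3
    sw.forward(Frame(VICTIM, SERVER, 1, 0.7))                # the real victim sends again...
    restored = sw.forward(Frame(SERVER, VICTIM, 2, 0.8))     # ...and the binding flips back
    return {"hijacked": hijacked, "restored": restored, "violations": len(sw.violations)}


if __name__ == "__main__":
    for name, fn in (("flooding", flooding_scenario), ("spoofing", spoofing_scenario)):
        print(name, "no port-security:", fn(), "| port-security:", fn(True))
```

Without port security the flooding run ends with server-to-victim frames going out ports 1 and 3 and every table entry owned by the attacker; with a limit of one secure MAC per port the attacker gets 99 violations and the victim's traffic stays unicast. The spoofing run shows the binding flipping to port 3 and back, and that the cross-port check is what catches a spoofed address rather than the per-port count alone.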

Getting Started with your first Ansible Playbook for Network Automation

Installing Ansible and related components


Updating Yum
# yum -y update


Install pip
# yum install python-pip
Or
# curl "https://bootstrap.pypa.io/get-pip.py" -o "get-pip.py"
# python get-pip.py
(python-pip comes from the EPEL repository; on newer releases the package is python3-pip.)


Install/upgrade ansible to latest version

# pip install --upgrade ansible


Verify the status/version of tools installed
pip --version
python --version
ansible --version

Check the version of ansible installed

[developer@devbox Network_Support]$ ansible --version
ansible 2.7.8
  config file = /home/developer/Network_Support/ansible.cfg
  configured module search path = ['/home/developer/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.6.5 (default, Jul 19 2018, 10:49:52) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]



Create inventory file

[developer@devbox Network_Support]$ vi inventory

# Inventory file for Ansible

[P-Switches]
P-1 ansible_host=172.16.30.82
P-2 ansible_host=172.16.30.83

[PE-Switches]
PE-1 ansible_host=172.16.30.84
PE-2 ansible_host=172.16.30.85
PE-3 ansible_host=172.16.30.86

[all:vars]
ansible_network_os=ios
In the above inventory file we defined two groups, P-Switches and PE-Switches, with two and three hosts respectively.
Ansible groups are useful for segregating devices by make and model, site, function, and so on; the groups are then used in playbooks to define the scope of tasks.

Spanning Tree Protocol Operation

Whenever there is redundancy in a network there is a chance of forming loops. At layer 3 the TTL field in the packet header stops a packet from looping endlessly; Ethernet frames have no such field, so at layer 2 the Spanning Tree Protocol (STP) takes this role. Switches exchange BPDU messages to detect loops and break them by placing selected ports in the blocking state (the ports stay up but do not forward user traffic). The algorithm guarantees a single active path between any two devices. A redundant layer 2 network without STP can suffer the following issues:

  • Broadcast Storm
  • Unstable mac-address table in a switch
  • Duplicate frames arriving at host


STP Operation


Election of Root Bridge

With STP, the key is for all switches in the network to elect a root bridge that becomes the reference point of the topology. Every other decision, such as which port to block and which to put in forwarding mode, is made from the perspective of this root bridge. With per-VLAN STP (PVST+ / Rapid PVST+) each VLAN runs its own instance and elects its own root bridge, because each VLAN is a separate broadcast domain; the roots for the different VLANs can all reside on one switch or be spread across several.
The root bridge is elected on the following attributes, compared in order:
• Prefer the switch with the lowest bridge priority. The default is 32768 plus the extended system ID (the VLAN ID), so for VLAN 10 the default priority shows as 32778.
• If priorities are equal, prefer the switch with the lowest MAC address.
We can influence the election by changing the priority of the switch with the command
switch(config)# spanning-tree vlan x priority 4096
The configured priority must be a multiple of 4096 between 0 and 61440. Because the lowest value always wins, any device that advertises a lower priority, including a rogue switch plugged into an access port, takes over as root; protect access ports with BPDU guard and the ports facing switches that must never become root with root guard.

Consider the example in which there are three bridges, A, B and C, connected to each other.
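The election rule for bridges A, B and C can be worked through in code. The script below is an added example, not code from this post: it builds the comparable Bridge ID (priority plus VLAN ID, then MAC), validates that a configured priority is a legal multiple of 4096, and runs the election three times: at defaults, after A is given priority 4096, and after a rogue device announcing priority 0 appears. The MAC addresses, the VLAN number and the rogue device are constructed data.

```python
"""Root bridge election for one VLAN (added example, not code from the post).

Each bridge advertises a Bridge ID of (priority, MAC). With PVST+/Rapid
PVST+ the priority field carries the configured priority plus the VLAN ID
(the extended system ID), which is why the default is shown as 32768 +
sys-id-ext. The lowest priority wins and the lowest MAC breaks a tie. The
bridges, their MAC addresses and the rogue device are constructed data.
"""
from __future__ import annotations

DEFAULT_PRIORITY = 32768
PRIORITY_STEP = 4096        # configurable priority must be a multiple of this
MAX_PRIORITY = 61440


def valid_priority(priority: int) -> bool:
    """True for the values the 'spanning-tree vlan x priority' command accepts."""
    return 0 <= priority <= MAX_PRIORITY and priority % PRIORITY_STEP == 0


def bridge_id(priority: int, mac: str, vlan: int) -> tuple[int, int]:
    """Comparable Bridge ID: (priority + VLAN ID, MAC as an integer). Lower wins."""
    if not valid_priority(priority):
        raise ValueError(f"priority {priority} must be a multiple of {PRIORITY_STEP} in 0..{MAX_PRIORITY}")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return priority + vlan, int(mac.replace(":", "").replace(".", ""), 16)


def elect_root(bridges: dict[str, tuple[int, str]], vlan: int) -> str:
    """bridges maps name -> (configured priority, MAC); returns the root bridge for vlan."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name], vlan))


def demo(vlan: int = 10) -> dict:
    bridges = {"A": (DEFAULT_PRIORITY, "0019.e8aa.0001"),
               "B": (DEFAULT_PRIORITY, "0019.e8aa.0002"),
               "C": (DEFAULT_PRIORITY, "0011.2233.0003")}
    default_root = elect_root(bridges, vlan)            # equal priorities: lowest MAC (C) wins
    bridges["A"] = (4096, bridges["A"][1])               # "spanning-tree vlan 10 priority 4096" on A
    tuned_root = elect_root(bridges, vlan)
    bridges["rogue"] = (0, "f0f0.f0f0.f0f0")             # unmanaged switch on an access port
    hijacked_root = elect_root(bridges, vlan)            # priority 0 beats every configured value
    return {"default": default_root, "tuned": tuned_root, "hijacked": hijacked_root,
            "A_effective_priority": bridge_id(*bridges["A"], vlan)[0]}


if __name__ == "__main__":
    print(demo())
```

The last election is the reason for root guard and BPDU guard: lowering your own priority only wins against devices that play by your configuration, and a device that can attach to an access port can always advertise a lower value.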

Basic Datacenter Design with Redundancy

The most basic thing an organization expects from its network is maximum uptime, and that can only be achieved when the network has redundancy. So in this article we design the network for a company hosted in a datacenter, with redundant devices and links.
NOTE: The device configurations in this article do not include control-plane protection for the core or aggregation routers.

Full network topology: (figure: Topology of Part of Datacenter)

Stacked Switches

A stackable switch is a network switch that is fully functional on its own but can also be set up to operate together with one or more other switches; the group then behaves as a single switch with the combined port capacity of all its members. Some of the benefits of stacked switches follow.

1. Simplified Network Management

Multiple physical switches in a stack appear as a single logical switch. This eases management overhead because there are fewer devices in the network to manage. A single IP address is used to manage the logical switch. All manageable entities (for example, Ethernet interfaces and VLANs) on all physical switches can be configured and managed from the logical switch. The logical switch will appear as a single entity in the network. In a Layer 2 network, the logical switch will appear as a single spanning-tree entity.

Creating MPLS Layer 3 VPN

When used with MPLS, the VPN feature allows several sites to interconnect transparently through a service provider's network. One service provider network can support several different IP VPNs. Each appears to its users as a private network, separate from all other networks. Within a VPN, each site can send IP packets to any other site in the same VPN.
Each VPN is associated with one or more VPN routing and forwarding instances (VRFs). A VRF consists of an IP routing table, a derived Cisco Express Forwarding (CEF) table, and the set of interfaces that use this forwarding table.
The router maintains a separate routing and CEF table for each VRF. This keeps routing information from leaking outside the VPN and allows the same subnet to be used in several VPNs without duplicate-address problems.
In this document we'll configure a basic MPLS Layer 3 VPN for two customers, each with two physical sites at different locations.

Network topology: (figure: MPLS Layer 3 VPN)

Traffic Flow Decisions in MPLS Network

In this article we will study how forwarding decisions are made in an MPLS network. The configuration of the network is covered in Creating Layer 3 MPLS VPN.

Network Topology:


Fortigate Backup VPN

You can configure a route-based VPN that acts as a backup for another VPN. It is used only while your main VPN is out of service, which is desirable when the redundant VPN uses a more expensive facility.
A backup IPsec interface can only be configured in the CLI. The backup feature works only on interfaces with static addresses that have dead peer detection (DPD) enabled; without DPD the FortiGate cannot tell that the primary tunnel is down and never fails over. The monitor option (set monitor <primary-phase1-name> under the backup phase 1 interface) creates a backup VPN for the specified phase 1 configuration. Redundant tunnels do not support tunnel mode (policy-based VPN) or manual keys; you must use interface mode (route-based VPN).