Skip to content
This repository has been archived by the owner on Jun 16, 2019. It is now read-only.

batfish/ansible-demo

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits

checks

checks

 
 

images

images

 
 

inputs

inputs

 
 

playbooks

playbooks

 
 

python

python

 
 

snapshots/snapshot0

snapshots/snapshot0

 
 

templates

templates

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Repository files navigation

The experimental content in this repository has been archived. Go to batfish ansible repository for current content.

ansible-demo

This repo contains the files and instructions necessary to reproduce our Ansible demo presentation, which uses Pybatfish and Batfish to validate pre-commit network configuration changes.

Automation without pre-commit validation is risky. Use Batfish in your automated workflow for comprehensive correctness guarantees before pushing to production.

Prereqs

  • Run Batfish. If you don't already have it set up and running, run this to set up and start the docker container:

    mkdir -p data && docker run -d -v $(pwd)/data:/data -p 9997:9997 -p 9996:9996 batfish/allinone:sha_736c753_e840243

  • Install the Pybatfish version used for the demo (to guarantee compatibility):

    pip install git+git://github.com/batfish/pybatfish.git@386d0379e0b16985cee9c6cd12c0e7d8d8c8d6cc

  • Install Ansible (see installation guide for details):

    pip install ansible

Setup

  • Clone this demo repo:

    git clone git@github.com:batfish/ansible-demo.git

  • Edit the group vars in playbooks/inventory file to reflect your setup.

  • Run the setup script to create the base snapshot and policies:

    python python/demo-setup.py -p snapshots/snapshot0/ -a "DC Fabric Policy" checks/fabric/ -a "DC Base Policy" checks/base/

Optional Setup for Integrations

Git Integration

This Git integration allows Ansible to create a branch in the GitHub repository with your network configurations, and commit each change you validate to that branch.

  • Clone your network repo e.g. git clone git@github.com:YOUR_ORG_NAME/YOUR_NETWORK_REPO.git

    Note: The network repo should be formatted the same way as snapshots/snapshot0/, with config files in a configs/ dir at the root of the repo.

  • Generate a GitHub token with access to this repo, then supply the token to the playbooks/inventory file

S3 Integration

This S3 integration is for posting Batfish validation logs to your S3 bucket. Logs are also stored locally whether or not S3 is used.

  • Create an S3 bucket to store your logs

  • Install required Python modules:

    pip install botocore pip install boto3

Slack Integration

Running the Demo

The example network from the demo is shown below. During the demo, we make two changes to the network:

  1. Add new leaf leaf-03, which is not included in the network initially
  2. Update the ACLs on the firewalls to permit a new HTTP service

Note:

  • Both scenarios can optionally be run with extra tags s3, slack, and/or git to enable different integrations.
  • Logs for each playbook run are written to s3_logs/.

Add Leaf Scenario

This scenario adds a new leaf router to an existing datacenter and confirms the changes made adhere to the defined network policies.

Run 1 - Fail Policy

This run fails due to duplicate BGP ASNs between leaf 2 and leaf 3.

  • Run the playbook ansible-playbook -i playbooks/inventory playbooks/master.yml --tags "always"
  • Fill in the prompts:
    • Hostname: lhr-leaf-03
    • POD: 1
    • BGP ASN: 65002

Run 2 - Pass Policy

This run passes our predefined policies.

  • Run the playbook ansible-playbook -i playbooks/inventory playbooks/master.yml --tags "always"
  • Fill in the prompts:
    • Hostname: lhr-leaf-03
    • POD: 1
    • BGP ASN: 65003

Update ACL Scenario

This scenario is derived from our Provably Safe ACL and Firewall Changes Python notebook. It updates our firewalls to allow access to a new HTTP service (TCP port 80 on subnet 10.1.5.0/27) and confirms the changes:

  1. Are necessary (i.e. firewalls do not currently permit the new traffic)
  2. Allow the new traffic
  3. Don't allow anything other than the new traffic (i.e. confirm no collateral damage)

Run 1 - Fail ACL Validation

This run creates a bigger hole in the firewall than we intended, thus fails collateral damage check.

  • Edit the file inputs/acls.json to reflect the desired ACL changes, adding this line just before the deny all line: "permit tcp any 10.1.5.0 0.0.0.63 eq 80",
  • Run the ACL playbook: ansible-playbook -i playbooks/inventory playbooks/master_acl.yml --tags "create"
  • Fill in the prompts:
    • Firewall hostnames: lhr-fw-01|lhr-fw-02
    • POD: 1
    • Source IPs of new traffic to allow: 0.0.0.0/0
    • Destination IPs of new traffic to allow: 10.1.5.0/27
    • IP protocol for new traffic to allow: tcp
    • Destination ports: 80

Run 2 - Pass ACL Validation

This run passes our ACL validation checks.

  • Edit the file inputs/acls.json to reflect the desired ACL changes, replacing the line added above with this line: "permit tcp any 10.1.5.0 0.0.0.31 eq 80",
  • Run the ACL playbook: ansible-playbook -i playbooks/inventory playbooks/master_acl.yml --tags "create"
  • Fill in the prompts, same as the previous run:
    • Firewall hostnames: lhr-fw-01|lhr-fw-02
    • POD: 1
    • Source IPs of new traffic to allow: 0.0.0.0/0
    • Destination IPs of new traffic to allow: 10.1.5.0/27
    • IP protocol for new traffic to allow: tcp
    • Destination ports: 80

Got questions, feedback, or feature requests? Join our community on Slack!

About

Repository for Ansible Demo

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

7 stars

Watchers

13 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages