Network Automation – or how automation can be done in networks. Adam Obszyński CCIE #8557, CISSP

Presentation transcript:

1 Network Automation – or how automation can be done in networks. Adam Obszyński CCIE #8557, CISSP

2 A typical NMS interface? © 2013 Infoblox Inc. All Rights Reserved. (image: Windows 95)

3 NMS + a committed administrator

4 Why does this happen?

5 Just because :-)

6 At least it works :-) (image: Windows 95)

7 But size matters!

8 But network size matters!

9 So what now?! 3×Z, i.e. ZZZ

10 So what now?! Zaplanuj, Zautomatyzuj, Zapomnij (Plan, Automate, Forget)

11 Real-life cases.
Network Discovery: spreadsheets, periodic scans, multiple tools; out-of-date and incomplete data
Network Changes: manual CLI, Perl scripts and basic config back-ups; time intensive and requires a senior engineer
Compliance/Standardization: periodic audit focus with a special task force; adds security risk for policy violations
Access Provisioning: massive spike in requests and delivery expectations; longer SLAs due to manual processes and the expertise needed

12 Real-life cases. Network Changes: manual CLI, Perl scripts and basic config back-ups; time intensive and requires a senior engineer

13 A huge exhibition centre in sunny Spain.
Port configurations have to be changed from time to time…
Manual process: engineer -> tester -> help desk -> network team -> LAN
Lots of mistakes
Enormous effort
No control over the configuration template

14 A huge exhibition centre in sunny Spain.
Port configurations have to be changed from time to time…
Automated process: engineer -> tester -> portal+API / job -> LAN
Far fewer mistakes
Full "self-service"
Plus policy & standard control

15 A huge exhibition centre. Bird's-eye view.

16 Real-life cases. Network Discovery: spreadsheets, periodic scans, multiple tools; out-of-date and incomplete data

17 Network documentation at an energy company (FR).
The problem of keeping data current (hardware, software)
Network documentation: forever "in the plans"
Planning is slow… because it always starts with analysing what is actually in the network ;-)
Changes were not always optimal
Manual processes

18 Network documentation at an energy company (FR): the old way
#1 – Check the documentation: when was it last updated?
#2 – Is it reality or fiction?
#3 – Let's hold a team meeting; maybe somebody changed something?
#4 – Make the change… maybe it will be fine.

19 Network documentation at an energy company (FR): today
#1 – Use current data (inventory, topology, configs)
#2 – A tool for analysis and discussion in meetings, with an up-to-date view
#3 – Define jobs/scripts and run them in the network, with rollback where needed
#4 – Data export + topology export to Visio

20-23 Network documentation at an energy company (FR): today (image slides, no text)

24 Real-life cases. Compliance/Standardization: periodic audit focus with a special task force; adds security risk for policy violations

25 Large BANK (USA): standardisation + compliance of network devices :-) Almost a million network interfaces.
#1 – Manual work stopped scaling
#2 – Ever newer regulatory requirements
#3 – Time (script A is still running while script B would already like to start…)
#4 – No central, global configuration repository
#5 – Interactive work (CLI^2)

26 Large BANK (USA): standardisation + compliance of network devices :-) Almost a million network interfaces.
#1 – Global config repository
#2 – Backup, SLA, etc.
#3 – An API for integration (just one ;-) )
#4 – Global policy checking + reporting
#5 – Provision from baseline
#6 – Much less terminal work (less CLI)

27 Large BANK (USA): Examples… Rule -> Policy -> Deploy == ZZZ …

28 Large BANK (USA): Examples… Rule -> Policy -> Deploy == ZZZ …

29 Large BANK (USA): Examples… …

30 Large BANK (USA): Examples… CLI version
    # NetMRI job script: for every neighbour of the device the job runs against,
    # read the MTU of both ends of the link over the CLI and raise an ad-hoc
    # issue when they differ.  $http_username, $http_password, $api_url,
    # $device_id, $job_id and $batch_id are variables the NetMRI job runtime
    # injects into the script.
    use NetMRI::API::Client;

    our $_client = NetMRI::API::Client->new(
        UserName => $http_username,
        Password => $http_password,
        URL      => $api_url,
    );
    our $_dis        = $_client->get_broker("DisSession");
    our $_cli        = $_client->get_broker("CliConnection");
    our $_issue      = $_client->get_broker("IssueAdhoc");
    our $_session_id = 0;

    my $dev1          = $device_id;
    my $cli_command_s = "show version";
    my $cli_command_d = "show version";
    my ($cli_match, $d_if, $s_if, $d_ifName, $s_ifName, $d_device, $s_mtu, $d_mtu);

    open_session();
    open_connection($device_id);

    my $broker = $_client->get_broker("Device");
    my $bint   = $_client->get_broker("Interface");
    $dev1 = $broker->find($dev1);
    my $output1;

    print "\n\nCurrent neighbors of $dev1->{DeviceName} $dev1->{DeviceIPDotted} ($dev1->{DeviceID}):\n";
    my @neighbors = sort {
           $a->{ifIndex}          <=> $b->{ifIndex}
        || $a->{NeighborDeviceID} <=> $b->{NeighborDeviceID}
        || $a->{NeighborIfIndex}  <=> $b->{NeighborIfIndex}
    } $dev1->get_neighbors();

    foreach my $n (@neighbors) {
        my $nd;
        eval { $nd = $broker->find_by_id($n->{NeighborDeviceID}); };
        if ($@ =~ /^H404/) { print "Could not find device $n->{NeighborDeviceID}\n"; next; }
        printf "\nOn %7s %6d %15s %16s %s\n",
            ($n->{ifIndex} ? "if" . $n->{ifIndex} : "unknown"),
            $nd->{DeviceID}, $nd->{DeviceName}, $nd->{DeviceIPDotted},
            ($n->{NeighborIfIndex} ? "if" . $n->{NeighborIfIndex} : "unknown");

        # Near-end (source) interface
        my @src = $bint->find_by_id($n->{InterfaceID});
        die "\nsource Interface not found.\n\n" if !@src;
        foreach my $s (@src) {
            printf "Source IF - %10s %s\n", $s->{ifName}, $s->{ifDescr};
            $s_if = $s->{ifName}; $s_ifName = $s->{ifDescr};
        }
        # Far-end (destination) interface
        my @dst = $bint->find_by_id($n->{NeighborInterfaceID});
        die "\ndestination Interface not found.\n\n" if !@dst;
        foreach my $d (@dst) {
            printf "Dest IF - %10s %s\n", $d->{ifName}, $d->{ifDescr};
            $d_if = $d->{ifName}; $d_ifName = $d->{ifDescr}; $d_device = $d->{DeviceID};
        }

        # Vendor-specific MTU command and regex (Cisco IOS, otherwise Junos syntax)
        if ($dev1->{DeviceVendor} eq "Cisco") {
            $cli_command_s = "show interface $s_if | include MTU";
            $cli_match     = "MTU ([0-9]+) bytes.*";
        } else {
            $cli_command_s = "show interface $s_if | match MTU";
            $cli_match     = "Protocol inet, MTU: ([0-9]+).*";
        }
        print "command to push is $cli_command_s\n";
        $output1 = send_command($device_id, $cli_command_s);
        print "\tSource Device/interface $dev1->{DeviceName}/$s_if output: $output1\n";
        $d_mtu = 0; $s_mtu = 0;
        if ($output1 =~ m/$cli_match/) { $s_mtu = $1; }

        print "\nOK, now finding far end device for $d_device\n";
        my $destdev = $broker->find_by_id($d_device);
        print "\tGot Device $destdev->{DeviceName}\n";
        print "\tNetwork device Indication is $destdev->{NetworkDeviceInd}\n"
            . "\tManaged is $destdev->{DeviceManagedInd}\n"
            . "\tCCS Collection is $destdev->{DeviceCCSCollection}\n"
            . "\tConfig Polling is $destdev->{DeviceConfigPolling}\n";

        # Only open a CLI session to the far end if NetMRI manages it and may run commands on it
        if (   $destdev->{DeviceCCSCollection} eq "on"
            && $destdev->{DeviceManagedInd}    eq "true"
            && $destdev->{NetworkDeviceInd}    eq "true") {
            if ($destdev->{DeviceVendor} eq "Cisco") {
                $cli_command_d = "show interface $d_if | include MTU";
                $cli_match     = "MTU ([0-9]+) bytes.*";
            } else {
                $cli_command_d = "show interface $d_if | match MTU";
                $cli_match     = "Protocol inet, MTU: ([0-9]+).*";
            }
            print "\tcommand to push is $cli_command_d\n";
            open_connection($d_device);
            $output1 = send_command($d_device, $cli_command_d);
            print "\tDest Device/interface $nd->{DeviceName}/$d_if output: $output1\n";
            close_connection($d_device);
            if ($output1 =~ m/$cli_match/) { $d_mtu = $1; }

            if ($d_mtu != $s_mtu) {
                print "\tMTUs do not match\n";
                my $issue_id = generate_issue("MTUmismatch", "Warning", {
                    "IP Address"       => $dev1->{DeviceIPDotted},
                    "Host"             => $dev1->{DeviceName},
                    "Interface"        => $s_ifName,
                    "MTU"              => $s_mtu,
                    "Remote Device"    => $nd->{DeviceName},
                    "Remote Interface" => $d_ifName,
                    "Remote MTU"       => $d_mtu,
                });
            } else {
                print "\tMTUs match $s_mtu - $d_mtu\n";
            }
        }
    }

    # Tear down explicitly instead of relying on END blocks nested inside subs
    close_connection($device_id);
    close_session();

    sub open_session {
        my $resp = $_dis->open(job_id => $job_id);
        $_session_id = $resp->{dis_session}->{SessionID};
    }
    sub close_session {
        $_dis->close(id => $_session_id) if $_session_id;
    }
    sub open_connection {
        my $devID = shift;
        print "++++ Opening session to device $devID\n";
        my $resp = $_cli->open(id => $_session_id, device_id => $devID);
        print "DEBUG: _cli_response: $resp\n";
    }
    sub close_connection {
        my $devID = shift;
        $_cli->close(id => $_session_id, device_id => $devID);
    }
    sub send_command {
        my ($devID, $command, $debug) = @_;
        $debug = 0 unless defined $debug && $debug ne "";
        print "DEBUG: Device ID is: $devID\n";
        my $resp = $_cli->send_command(id => $_session_id, device_id => $devID,
                                       command => $command, debug => $debug);
        return $resp->{command_response};
    }
    sub generate_issue {
        my ($issue_type_id, $severity, $params) = @_;
        my %baseParams = (DeviceID => $device_id, BatchID => $batch_id,
                          IssueTypeID => $issue_type_id, Severity => $severity);
        my %allParams = (%baseParams, %{$params});
        my $resp = $_issue->generate_issue(%allParams);
        return $resp->{IssueID};
    }

31 Large BANK (USA): Examples… Version without CLI: the info comes from NetMRI
    # BEGIN-SCRIPT-BLOCK
    # Script-Filter: true
    # Script-Login: false
    # END-SCRIPT-BLOCK
    use NetMRI_Easy;
    my $easy = new NetMRI_Easy;
    # Same MTU check as the CLI version, but using the interface and neighbour
    # data NetMRI has already collected, so no CLI login is needed.
    # The loop sources were lost in extraction; the index() calls below are
    # reconstructed in the same style as the show() calls the slide kept.
    my $dev_id = $easy->device->DeviceID;
    foreach my $IF (@{ $easy->broker->interface->index(DeviceID => $dev_id)->{interfaces} }) {
        foreach my $NB (@{ $easy->broker->neighbor->index(InterfaceID => $IF->InterfaceID)->{neighbors} }) {
            next unless defined $NB->NeighborInterfaceID;
            my $NIF = $easy->broker->interface->show(InterfaceID => $NB->NeighborInterfaceID)->{interface};
            if ($IF->ifMtu == $NIF->ifMtu) {
                print "Interface " . $IF->ifDescrRaw . " has same MTU on neighbor\n";
            } else {
                print "Interface " . $IF->ifDescrRaw . " (MTU:" . $IF->ifMtu . ") "
                    . "has different MTU (" . $NIF->ifMtu . ") on neighbor\n";
                my $NDevice = $easy->broker->device->show(DeviceID => $NIF->DeviceID)->{device};
                print "Neighbor Device:" . $NDevice->DeviceName . " Interface:" . $NIF->ifDescrRaw . "\n\n";
            }
        }
    }

32 Real-life cases. Access Provisioning: massive spike in requests and delivery expectations; longer SLAs due to manual processes and the expertise needed

33 Bank (NL) + Managed Services teams
One team for core/distribution and a different one for access
Constant errors at the distribution/access boundary (trunking, MTU).
Lots of surprises "deeply hidden"
Enormous effort
No proactivity

34 Bank (NL) + Managed Services teams
A handful of jobs
Compliance automation for VLAN, trunk and MTU (driven by tables/lists).
Instant detection of errors and mistakes
Continuous correctness verification.
Errors are detected before users notice them !!!

35 Bank (NL) + Managed Services teams: Check VLAN
    # BEGIN-SCRIPT-BLOCK
    # Script-Filter: true
    # Script-Login: false
    # END-SCRIPT-BLOCK
    use NetMRI_Easy;
    my $easy = new NetMRI_Easy;
    # List every interface of the device with the VLANs it is a member of,
    # from NetMRI's collected data (no CLI login).  Loop sources were lost in
    # extraction and are reconstructed in the style of the other NetMRI_Easy
    # scripts here; the lookup is keyed by VlanID because the membership rows
    # reference the VLAN by VlanID (the slide keyed it by VlanIndex).
    my $dev_id = $easy->device->DeviceID;
    my %VLN;
    foreach my $VLAN (@{ $easy->broker->vlan->index(DeviceID => $dev_id)->{vlans} }) {
        $VLN{$VLAN->VlanID}{Index} = $VLAN->VlanIndex;
        $VLN{$VLAN->VlanID}{Name}  = $VLAN->VlanName;
    }
    foreach my $IF (@{ $easy->broker->interface->index(DeviceID => $dev_id)->{interfaces} }) {
        my $members = $easy->broker->vlan_member->index(InterfaceID => $IF->InterfaceID)->{vlan_members};
        foreach my $VlanId (@{$members}) {
            if ($VLN{$VlanId->VlanID}{Index} and $VlanId->InterfaceID == $IF->InterfaceID) {
                print "Interface: ", $IF->ifDescrRaw, " VLAN:", $VLN{$VlanId->VlanID}{Index},
                      " ", $VLN{$VlanId->VlanID}{Name}, "\n";
            }
        }
    }

36 Real-life cases (recap).
Network Discovery: spreadsheets, periodic scans, multiple tools; out-of-date and incomplete data
Network Changes: manual CLI, Perl scripts and basic config back-ups; time intensive and requires a senior engineer
Compliance/Standardization: periodic audit focus with a special task force; adds security risk for policy violations
Access Provisioning: massive spike in requests and delivery expectations; longer SLAs due to manual processes and the expertise needed

37 Large Federal Agency
NetMRI serves as a constant monitor, and found specific issues in the first few hours of deployment for the agency, such as:
Configuration errors before going live
Over-temperature conditions
Redundant power-supply disconnects
Redundant link outages
Unstable or marginal WAN links and VPN connections
Spanning tree instability
Device crashes in remote offices

38 Infoblox Network Automation
Discover: Automated Network Discovery
Automate: Change & Configuration Management
Maintain: Compliance & Policy Standardization
Control: Firewall ACL & Rule Automation

39 Large broadband ISP
Challenge: a new naming convention; change ports
Manual: 9000 man-hours / several weeks
NetMRI: by creating a series of scripts in the NetMRI GUI, the network engineering team was able to automate the changes to interface names on 60,000 switch ports. Script generation was extremely simple, requiring no programming skills.
Also solved a similar issue: password rotation

40 Example 1
Change: all switches, set SNMP values
Commands on Cisco:
    config t
    snmp-server community infoblox RO
    snmp-server community netmri RW
    end
    write mem
(Caveat: SNMPv1/v2c community strings travel in cleartext and a RW community allows configuration changes over SNMP, so restrict them with an access-list or prefer SNMPv3 with authentication and privacy.)

41 The Manual Way
A script that deals with:
Login to switches
Apply the commands
Build in logging and error handling
Maintain a list of switches to run it on
Verify manually
Easy to make errors, easy to miss errors, time consuming, needs an expert user

42 With Infoblox Network Automation
The product does the difficult bit.
Automation Logic 'script' on NetMRI:
    Script-Filter: $vendor eq "Cisco" and $sysdescr like /IOS/
    Action: Config SNMP
    Action-Commands:
        config t
        snmp-server community infoblox RO
        snmp-server community netmri RW
        end
        wr mem

43 Example 2: like Example 1, but with 2 different vendors
Without Infoblox Network Automation: the effort doubles
With Infoblox Network Automation: focus on the change itself

44 Example 3
Not only adding the SNMP values you want, but also removing the others
Challenge: you first need to see what is configured
Automation Logic parts:
Filter -> Cisco
Command to get the SNMP config
Parse the output of that command and remove the rest
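The parse-and-remove step of Example 3, as an added example that is not part of the presentation and not NetMRI code: it takes the output of "show running-config | include snmp-server community" from a Cisco IOS device, compares it with the set of communities that should exist, and emits the IOS commands that add the missing ones and remove every other community. The sample running-config lines are constructed for the example. A line that mentions a community but does not match the expected syntax (for instance the "view" form) makes the function fail loudly rather than silently leaving an unknown community in place, which is the failure mode a cleanup job must not have.

```python
"""Reconcile the SNMP communities of a Cisco IOS device against a desired set."""
import re

# Matches "snmp-server community <name> RO|RW [<acl>]"; the ACL is optional.
_COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?$", re.IGNORECASE)


def parse_snmp_communities(show_run_output):
    """Return {community: (mode, acl_or_None)} from 'show run | include snmp-server community' output.

    Raises ValueError for any community line the regex does not understand,
    so an unexpected form (e.g. 'view <name>') stops the job instead of
    being skipped and left configured.
    """
    found = {}
    for raw in show_run_output.splitlines():
        line = raw.strip()
        if not line.startswith("snmp-server community"):
            continue
        m = _COMMUNITY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised community line: {line!r}")
        found[m.group(1)] = (m.group(2).upper(), m.group(3))
    return found


def build_snmp_change(show_run_output, desired):
    """desired: {community: "RO" | "RW"}.  Returns the IOS command list to push.

    Communities that are missing or have the wrong mode are (re)applied;
    communities absent from `desired` are removed.  An already compliant
    device yields an empty list, i.e. nothing is pushed.
    """
    current = parse_snmp_communities(show_run_output)
    cmds = []
    for name, mode in desired.items():
        if name not in current or current[name][0] != mode:
            cmds.append(f"snmp-server community {name} {mode}")
    for name in current:
        if name not in desired:
            cmds.append(f"no snmp-server community {name}")
    if not cmds:
        return []
    return ["config t", *cmds, "end", "write mem"]


# Constructed sample output, not captured from a real device.
SAMPLE_SHOW_RUN = """\
snmp-server community public RO
snmp-server community infoblox RW
snmp-server community private RW 99
"""

# The communities from Example 1 on the slides.
DESIRED = {"infoblox": "RO", "netmri": "RW"}

if __name__ == "__main__":
    for cmd in build_snmp_change(SAMPLE_SHOW_RUN, DESIRED):
        print(cmd)
```

On the sample above the script re-applies "infoblox" as RO (it was RW), adds "netmri", and removes "public" and "private"; in a NetMRI job the command list would go into the Action-Commands step after the filter and the "show" step.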

45 Create your own: DHCP & LAN
Case #1: does every DHCP network/range have a matching LAN ip helper-address?
Case #2: does every LAN ip helper-address point at a DHCP network with a range?
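Both cases from slide 45 implemented as one cross-check, as an added example that is not part of the presentation and not Infoblox/NetMRI code. The DHCP side is a plain dictionary of networks and their ranges (in practice it would come from the DHCP server's API) and the LAN side is parsed from a constructed IOS interface-config fragment; the DHCP server address is an assumed value.

```python
"""Cross-check DHCP scopes against the LAN 'ip helper-address' configuration."""
import ipaddress


def parse_ios_interfaces(config_text):
    """Parse 'interface', 'ip address' and 'ip helper-address' lines from an
    IOS running-config fragment.  Returns a list of dicts with the interface
    name, its connected network (or None) and the list of helper addresses."""
    interfaces, cur = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            cur = {"name": raw.split(None, 1)[1].strip(), "network": None, "helpers": []}
            interfaces.append(cur)
        elif cur is None:
            continue
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()
            cur["network"] = ipaddress.ip_interface(f"{addr}/{mask}").network
        elif line.startswith("ip helper-address "):
            cur["helpers"].append(line.split()[-1])
    return interfaces


def check_dhcp_vs_lan(dhcp_networks, interfaces, dhcp_server):
    """dhcp_networks: {cidr: [(range_start, range_end), ...]}.

    Case #1: every DHCP network that has a range must have a LAN interface in
             that network relaying to dhcp_server (else clients never reach it).
    Case #2: every interface relaying to dhcp_server must sit in a DHCP
             network that has at least one range (else relays go unanswered).
    Returns (unserved_scopes, unserved_interfaces)."""
    scopes = {ipaddress.ip_network(n): r for n, r in dhcp_networks.items()}

    unserved_scopes = []
    for net, ranges in scopes.items():
        if not ranges:
            continue
        relayed = any(i["network"] == net and dhcp_server in i["helpers"] for i in interfaces)
        if not relayed:
            unserved_scopes.append(str(net))

    unserved_ifaces = []
    for i in interfaces:
        if dhcp_server in i["helpers"] and i["network"] is not None:
            if not scopes.get(i["network"]):
                unserved_ifaces.append(i["name"])
    return unserved_scopes, unserved_ifaces


# Constructed sample data, not taken from any real network.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.0.0.5
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 ip helper-address 10.0.0.5
interface Vlan30
 ip address 10.10.30.1 255.255.255.0
interface Vlan40
 ip address 10.10.40.1 255.255.255.0
 ip helper-address 10.0.0.9
"""
SAMPLE_DHCP = {
    "10.10.10.0/24": [("10.10.10.100", "10.10.10.200")],
    "10.10.30.0/24": [("10.10.30.100", "10.10.30.200")],  # no interface relays here
    "10.10.20.0/24": [],                                  # network defined, no range
}
DHCP_SERVER = "10.0.0.5"  # assumed address of the DHCP server

if __name__ == "__main__":
    scopes, ifaces = check_dhcp_vs_lan(SAMPLE_DHCP, parse_ios_interfaces(SAMPLE_CONFIG), DHCP_SERVER)
    print("DHCP ranges with no relaying interface:", scopes)
    print("Relaying interfaces with no DHCP range:", ifaces)
```

With the sample data Vlan30 leaves the 10.10.30.0/24 range unreachable (Case #1) and Vlan20 relays to the server for a network that has no range (Case #2); Vlan40 is ignored because it relays to a different server.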

46 InfoSec Team: Closing the Security Lifecycle Gap
InfoSec Team: set department policy
Network Ops Team: deploy & implement
Security Ops Team: enforce & monitor
Know all connected L2/L3 devices & end hosts
Automate remediation of non-compliant devices
Simplify compliance audits
Ensure security policies are being followed
Reduce the risk of security vulnerabilities
Integrate with SIEMs and other 3rd parties
Secure and enforce access to network infrastructure

47 Discovery & Change Monitoring (Infoblox Network Automation with the Network Ops Team)
1 Discover, fingerprint and identify all switches, routers, firewalls, etc., from 50 vendors
2 Back up the configurations of all L2 and L3 devices
3 Automatically check whether devices have been changed
4 Send the change for approval (for auditing) or remediate directly
5 Deploy policies to continuously monitor the network for compliance and alert on violations

48 Visibility & Compliance Auditing (Infoblox Network Automation with the Security Ops Team; results sent to the SIEM / network monitoring)
1 Leverage network topology maps to monitor for unmanaged devices
2 Set user roles to track who changed what and when
3 Identify network hardware security gaps (EOL, PSIRT, etc.)
4 Turn unused switch ports off to reduce the security profile
5 Track end hosts to determine how the network is being accessed
6 Generate reports on assets and inventories to reduce risk

49 Bridging the Gap
InfoSec Team: set department policy
Network Ops Team: deploy & implement
Security Ops Team: enforce & monitor
Communication and reporting between the teams
Network Automation:
Improve agility with automated network change provisioning
Inventory all network infrastructure
Role-based access & user auditing
Reduce the risk profile
Continuous real-time monitoring
SIEM and 3rd party integrations
Reduced time to audit
Simplified & customizable security policies
Out-of-the-box compliance reports
Single version of truth

50 This works best :-) (image: Windows 95)

51 FIN

