Network Automation, or how to automate in networks.

Presentation transcript:

Network Automation, or how to automate in networks. Adam Obszyński, CCIE #8557, CISSP, aobszynski@infoblox.com
Note for the user of the slide deck: Some of the slides are marketing examples of how NetMRI benefits existing customers. Those examples are taken from the published case studies on the Infoblox website. In the change section, technical examples are added on how you can use CCS scripting to automate change. Depending on your audience, you can cut some of the marketing slides (are they already convinced of NetMRI, and do they have examples to convince their customers?). If the presentation is given to a mix of technical and management people, cut the API slides from example 3 (slide 22) onwards until Policy compliance.

A typical NMS interface? Windows 95 © 2013 Infoblox Inc. All Rights Reserved.

NMS + a dedicated administrator

Why does this happen? http://0.tqn.com/d/desktoppub/1/0/t/e/3/Why.PNG

Just because :-) Source http://www.notcot.com/archives/2006/11/world-usability.php

At least this works :-) Windows 95

But size matters! http://www.polskamasens.pl/tworcza-kreska/93/Syzyf

But the size of the network matters! http://www.polskamasens.pl/tworcza-kreska/93/Syzyf

So what now?! 3*Z, that is ZZZ. demoty.pl

So what now?! Plan (Zaplanuj), Automate (Zautomatyzuj), Forget (Zapomnij).

Real-life cases.
Network Changes: manual CLI, Perl scripts, and basic config back-ups. Time intensive and requires a senior engineer.
Network Discovery: spreadsheets, periodic scans, multiple tools. Out-of-date and incomplete data.
Compliance/Standardization: periodic audit focus with special task force. Adds security risk for policy violations.
Access Provisioning: massive spike in requests and delivery expectations. Longer SLAs: manual processes and needed expertise.
Note: Most of you have seen this slide in the general NetMRI presentation. Before looking at some use cases of how NetMRI helped some of our customers, quickly review how things are run without NetMRI.

Real-life cases. Network Changes: manual CLI, Perl scripts, and basic config back-ups. Time intensive and requires a senior engineer.

A huge exhibition centre in sunny Spain. Sometimes up to 10 000 ports change their config… Manual process: engineer -> tester -> help desk -> network department -> LAN. Many mistakes. Huge workload. No control over the configuration scheme.

A huge exhibition centre in sunny Spain. Sometimes up to 10 000 ports change their config… Automated process: engineer -> tester -> portal+API / job -> LAN. Far fewer mistakes. Full "self-service". Additionally, policy & standard control.

A huge exhibition centre. A bird's-eye view.

Real-life cases. Network Discovery: spreadsheets, periodic scans, multiple tools. Out-of-date and incomplete data.

Network documentation at an energy company (FR). Keeping data current is a problem (hardware, software). Network documentation: forever in the plans. Planning is slow… because it always starts with an analysis of what is in the network ;-) Changes were not always optimal. Manual processes.

Network documentation at an energy company (FR): the old way. #1 – Check the documentation, and when was it last updated? #2 – Is this reality or fiction? #3 – Let's hold a team meeting, maybe someone changed something? #4 – Let's make the change… maybe it will be fine.

Network documentation at an energy company (FR): today. #1 – Use of current data (Inventory, Topology, Configs). #2 – A tool for analysis and discussion in meetings, with a current view. #3 – Introducing jobs/scripts and running them in the network, with rollback if needed. #4 – Data export + Topology export to Visio.

Network documentation at an energy company (FR): today.


Real-life cases. Compliance/Standardization: periodic audit focus with special task force. Adds security risk for policy violations.

Large BANK (USA): standardization + compliance. 25 000 network devices :-) Almost a million network interfaces. #1 – Manual handiwork stopped scaling. #2 – Ever newer legal requirements. #3 – Time (script A is still running, script B would already like to start…). #4 – No central worldwide configuration repository. #5 – Interactive work (CLI^2).

Large BANK (USA): standardization + compliance. 25 000 network devices :-) Almost a million network interfaces. #1 – Global config repository. #2 – Backup, SLA, etc. #3 – API for integration (just one ;-) ). #4 – Global policy checking + reporting. #5 – Provision from baseline. #6 – Much less terminal work (less CLI).

Large BANK (USA): Examples… Rule -> Policy -> Deploy == ZZZ


Large BANK (USA): Examples…

Large BANK (USA): Examples… CLI version

    use NetMRI::API::Client;

    # $http_username, $http_password, $api_url, $job_id, $device_id and
    # $batch_id are expected to be set by the NetMRI job environment.
    our $_client = new NetMRI::API::Client(
        UserName => "$http_username",
        Password => "$http_password",
        URL      => "$api_url"
    );
    our $_dis   = $_client->get_broker("DisSession");
    our $_cli   = $_client->get_broker("CliConnection");
    our $_issue = $_client->get_broker("IssueAdhoc");
    our $_session_id = 0;

    # Open the job session; it is closed again when the script exits.
    sub open_session {
        our $_dis_response = $_dis->open(job_id => $job_id);
        $_session_id = $_dis_response->{dis_session}->{SessionID};
        END { close_session(); }
    }
    sub close_session { our $_dis_response = $_dis->close(id => $_session_id); }

    # Open / close a CLI connection to one device inside the session.
    sub open_connection {
        my $devID = shift;
        print "++++ Opening session to device $devID\n";
        our $_cli_response = $_cli->open(id => $_session_id, device_id => $devID);
        print "DEBUG: _cli_reponse: $_cli_response\n";
        END { close_connection($devID); }
    }
    sub close_connection {
        my $devID = shift;
        our $_cli_response = $_cli->close(id => $_session_id, device_id => $devID);
    }

    # Run one CLI command on a device and return its output.
    sub send_command {
        my ($devID, $command, $debug) = @_;
        if (!defined $debug or $debug eq "") { $debug = 0; }
        print "DEBUG: Device ID is: $devID\n";
        $_cli_response = $_cli->send_command(id => $_session_id, device_id => $devID,
                                             command => $command, debug => $debug);
        return ($_cli_response->{command_response});
    }

    # Raise an ad hoc issue in NetMRI and return its ID.
    sub generate_issue {
        my ($issue_type_id, $severity, $params) = @_;
        my %baseParams = (DeviceID => $device_id, BatchID => $batch_id,
                          IssueTypeID => $issue_type_id, Severity => $severity);
        my %allParams = (%baseParams, %{$params});
        our $_issue_response = $_issue->generate_issue(%allParams);
        return ($_issue_response->{IssueID});
    }

    my $dev1 = $device_id;
    my $cli_command_s = "show version";
    my $cli_command_d = "show version";
    my $cli_match;
    my ($d_if, $s_if, $d_ifName, $s_ifName, $d_device, $s_mtu, $d_mtu);

    open_session();
    open_connection($device_id);
    my $broker = $_client->get_broker("Device");
    my $bint   = $_client->get_broker("Interface");
    $dev1 = $broker->find($dev1);
    my $output1;

    print "\n\nCurrent neighbors of $dev1->{DeviceName} $dev1->{DeviceIPDotted} ($dev1->{DeviceID}):\n";
    my @ns = sort {
        $a->{ifIndex} <=> $b->{ifIndex}
        || $a->{NeighborDeviceID} <=> $b->{NeighborDeviceID}
        || $a->{NeighborIfIndex} <=> $b->{NeighborIfIndex}
    } $dev1->get_neighbors();

    foreach my $n (@ns) {
        my $nd;
        eval { $nd = $broker->find_by_id($n->{NeighborDeviceID}); };
        if ($@ =~ /^H404/) { print "Could not find device $n->{NeighborDeviceID}\n"; next; }
        printf "\nOn %7s %6d %15s %16s \%s\n",
            ($n->{ifIndex} ? ("if" . $n->{ifIndex}) : "unknown"),
            $nd->{DeviceID}, $nd->{DeviceName}, $nd->{DeviceIPDotted},
            ($n->{NeighborIfIndex} ? ("if" . $n->{NeighborIfIndex}) : "unknown");

        # Local (source) and remote (destination) interface of this link
        my @sif = $bint->find_by_id($n->{InterfaceID});
        die "\nsource Interface not found.\n\n" if !@sif;
        foreach my $s (@sif) {
            printf "Source IF - %10s %s\n", $s->{ifName}, $s->{ifDescr};
            $s_if = $s->{ifName}; $s_ifName = $s->{ifDescr};
        }
        my @dif = $bint->find_by_id($n->{NeighborInterfaceID});
        die "\ndestination Interface not found.\n\n" if !@dif;
        foreach my $d (@dif) {
            printf "Dest IF - %10s %s\n", $d->{ifName}, $d->{ifDescr};
            $d_if = $d->{ifName}; $d_ifName = $d->{ifDescr}; $d_device = $d->{DeviceID};
        }

        # Read the MTU on the source side; command and pattern depend on the vendor
        if ($dev1->{DeviceVendor} eq "Cisco") {
            $cli_command_s = "show interface $s_if | include MTU";
            $cli_match = "MTU ([0-9]+) bytes.*";
        } else {
            $cli_command_s = "show interface $s_if | match MTU";
            $cli_match = "Protocol inet, MTU: ([0-9]+).*";
        }
        print "command to push is $cli_command_s\n";
        $output1 = send_command($device_id, $cli_command_s);
        print "\tSource Device/interface $dev1->{DeviceName}/$s_if output: $output1\n";
        $d_mtu = 0; $s_mtu = 0;
        if ($output1 =~ m/$cli_match/) { $s_mtu = $1; }

        print "\nOK, now finding far end device for $d_device\n";
        my $destdev = $broker->find_by_id($d_device);
        print "\tGot Device $destdev->{DeviceName}\n";
        print "\tNetwork device Indication is $destdev->{NetworkDeviceInd}\n\tManaged is $destdev->{DeviceManagedInd}\n\tCCS Collection is $destdev->{DeviceCCSCollection}\n\tConfig Polling is $destdev->{DeviceConfigPolling}\n";

        # Only log in to the far end if NetMRI manages it and CCS is enabled
        if (($destdev->{DeviceCCSCollection} eq "on") and ($destdev->{DeviceManagedInd} eq "true")
            and ($destdev->{NetworkDeviceInd} eq "true")) {
            if ($destdev->{DeviceVendor} eq "Cisco") {
                $cli_command_d = "show interface $d_if | include MTU";
                $cli_match = "MTU ([0-9]+) bytes.*";
            } else {
                $cli_command_d = "show interface $d_if | match MTU";
                $cli_match = "Protocol inet, MTU: ([0-9]+).*";
            }
            print "\tcommand to push is $cli_command_d\n";
            open_connection($d_device);
            $output1 = send_command($d_device, $cli_command_d);
            print "\tDest Device/interface $nd->{DeviceName}/$d_if output: $output1\n";
            close_connection($d_device);
            if ($output1 =~ m/$cli_match/) { $d_mtu = $1; }

            if ($d_mtu != $s_mtu) {
                print "\tMTUs do not match\n";
                my $issue_id = generate_issue("MTUmismatch", "Warning", {
                    "IP Address"       => $dev1->{DeviceIPDotted},
                    "Host"             => $dev1->{DeviceName},
                    "Interface"        => $s_ifName,
                    "MTU"              => $s_mtu,
                    "Remote Device"    => $nd->{DeviceName},
                    "Remote Interface" => $d_ifName,
                    "Remote MTU"       => $d_mtu
                });
            } else { print "\tMTUs match $s_mtu - $d_mtu\n"; }
        }
    }
    …

Large BANK (USA): Examples… Version without CLI: information from NetMRI

    # BEGIN-SCRIPT-BLOCK
    # Script-Filter: true
    # Script-Login: false
    # END-SCRIPT-BLOCK
    use NetMRI_Easy;
    my $easy = new NetMRI_Easy;

    # All interfaces of the device the job runs against
    my @IFs = $easy->broker->interface->index(DeviceID => $main::device_id);
    foreach my $IF (@IFs) {
        # Neighbors NetMRI has already discovered on this interface
        my @NBs = $easy->broker->neighbor->index(InterfaceID => $IF->InterfaceID);
        foreach my $NB (@NBs) {
            if (defined $NB->NeighborInterfaceID) {
                my $NIF = $easy->broker->interface->show(InterfaceID => $NB->NeighborInterfaceID)->{interface};
                # Compare the MTU values NetMRI collected for both ends of the link
                if ($IF->ifMtu == $NIF->ifMtu) {
                    print "Interface " . $IF->ifDescrRaw . " has same MTU on neighbor\n";
                } else {
                    print "Interface " . $IF->ifDescrRaw . " (MTU:" . $IF->ifMtu . ") " . " has different MTU (" . $NIF->ifMtu . ") on neighbor\n";
                    my $NDevice = $easy->broker->device->show(DeviceID => $NIF->DeviceID)->{device};
                    print "Neighbor Device:" . $NDevice->DeviceName . " Interface:" . $NIF->ifDescrRaw . "\n\n";
                }
            }
        }
    }
    …

Real-life cases. Access Provisioning: massive spike in requests and delivery expectations. Longer SLAs: manual processes and needed expertise.

Bank (NL) + Managed Services teams. One team for core/distribution, another for access. Constant errors at the distribution <-> access boundary (trunking, MTU). A large number of surprises "deeply hidden". Huge workload. No proactivity.

Bank (NL) + Managed Services teams. Several processes (jobs). Automated compliance checking of VLAN, Trunk, MTU (using tables/lists). Lightning-fast detection of errors and mistakes. Continuous verification of correctness. Detecting errors before the users do!!!

Bank (NL) + Managed Services teams. Check VLAN

    # BEGIN-SCRIPT-BLOCK
    # Script-Filter: true
    # Script-Login: false
    # END-SCRIPT-BLOCK
    use NetMRI_Easy;
    my $easy = new NetMRI_Easy;

    my @IFs   = $easy->broker->interface->index(DeviceID => $main::device_id);
    my @VLANs = $easy->broker->vlan->index;

    # Lookup table of known VLANs, keyed by VLAN index
    my %VLN;
    foreach my $VLAN (@VLANs) {
        $VLN{$VLAN->VlanIndex}{Index} = $VLAN->VlanIndex;
        $VLN{$VLAN->VlanIndex}{Name}  = $VLAN->VlanName;
    }

    # Print the VLANs assigned to every interface of the device
    foreach my $IF (@IFs) {
        my @IFVlans = $easy->broker->if_vlan->index(DeviceID => $main::device_id, InterfaceID => $IF->InterfaceID);
        foreach my $VlanId (@IFVlans) {
            if ($VLN{$VlanId->VlanID}{Index} and $VlanId->InterfaceID == $IF->InterfaceID) {
                print "Interface: ", $IF->ifDescrRaw, " VLAN:", $VLN{$VlanId->VlanID}{Index}, " ", $VLN{$VlanId->VlanID}{Name}, "\n";
            }
        }
    }

Real-life cases.
Network Changes: manual CLI, Perl scripts, and basic config back-ups. Time intensive and requires a senior engineer.
Network Discovery: spreadsheets, periodic scans, multiple tools. Out-of-date and incomplete data.
Compliance/Standardization: periodic audit focus with special task force. Adds security risk for policy violations.
Access Provisioning: massive spike in requests and delivery expectations. Longer SLAs: manual processes and needed expertise.

Large Federal Agency. NetMRI serves as a constant monitor, and found specific issues in the first few hours of deployment for the agency, such as: configuration errors before going live; over-temperature conditions; redundant power-supply disconnects; redundant link outages; unstable or marginal WAN links and VPN connections; spanning tree instability; device crashes in remote offices.

Infoblox Network Automation.
Discover: Automated Network Discovery.
Automate: Change & Configuration Management.
Maintain: Compliance & Policy Standardization.
Control: Firewall ACL & Rule Automation.
Note: The Infoblox Network Automation platform can help with 4 key areas when dealing with layer 2 and 3 network devices: automated network discovery of the devices and how they connect; automated change and configuration management that detects, archives and pushes configuration changes; network security policy and compliance management to verify and prove success, ongoing and for audits; and provisioning ACLs and rules for multi-vendor network security devices. We will drill down into each area in more detail.

Large broadband ISP.
Challenge: new naming convention. Change 60.000 ports.
Manual: 9000 man-hours / several weeks.
NetMRI: By creating a series of scripts in the NetMRI GUI, the network engineering team was able to automate the changes to interface names on 60,000 switch ports. Script generation was extremely simple, requiring no programming skills. Also solved a similar issue: password rotation.

Example 1. Change: all switches, set snmp values. Commands on Cisco:
    config t
    snmp-server community infoblox RO
    snmp-server community netmri RW
    end
    write mem

The Manual Way. A script that deals with: logging in to the switches; applying the commands; built-in logging and error handling; maintaining a list of switches to run it on. Verify manually. Easy to make errors. Easy to miss errors. Time consuming. Expert user.

With Infoblox Network Automation. The product does the difficult bit. Automation logic 'script' on NetMRI:
    Script-Filter:
         $vendor eq "Cisco" and $sysdescr like /IOS/
    Action: Config SNMP
    Action-Commands:
         config t
         snmp-server community infoblox RO
         snmp-server community netmri RW
         end
         wr mem

Example 2: like 1, but 2 different vendors. Without Infoblox Network Automation: effort doubles. With Infoblox Network Automation: focus on the change itself.
Note: The script looks the same, but there are now two parts. The filter of the script no longer matches Cisco but is set to true (so the filter always matches). There are now 2 blocks of action commands, one for Cisco and one for HP. The action blocks themselves have a filter, so the first one is only executed when it is an HP device and the second block is only executed when it is a Cisco device. Note: it would be better to match here on Cisco IOS only.

Example 3. Not only adding the snmp values you want, but also removing the others. Challenge: you first need to see what is configured. Automation logic parts: Filter -> Cisco; command to get the snmp config; parse the output of that command and remove.
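The parse-and-remove step that Example 3 describes, as an added Python example (not part of the original deck, and not NetMRI CCS or Perl): it reads constructed `show running-config | include snmp-server` output, compares it with the two communities from Example 1, and returns the IOS commands that close the difference. The function names, the sample output and the `<redacted>` log form are assumptions made for this illustration.

```python
import re

# Desired state, taken from Example 1 on the slides.
DESIRED = {"infoblox": "RO", "netmri": "RW"}

# Constructed sample of 'show running-config | include snmp-server' on an IOS switch.
SAMPLE_OUTPUT = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community infoblox RW
snmp-server community netmri RW 10
snmp-server location DC1
"""


def parse_communities(show_output):
    """Return {community: 'RO'|'RW'} for every community line in the output."""
    found = {}
    for line in show_output.splitlines():
        tokens = line.split()
        if tokens[:2] != ["snmp-server", "community"] or len(tokens) < 3:
            continue  # other snmp-server settings are not touched
        name, rest = tokens[2], tokens[3:]
        access = "RO"  # IOS treats a community without ro/rw as read-only
        i = 0
        while i < len(rest):
            word = rest[i].lower()
            if word == "view":  # 'view <name>': skip the view name as well
                i += 2
                continue
            if word in ("ro", "rw"):
                access = word.upper()
            i += 1  # trailing ACL names or numbers are ignored here
        found[name] = access
    return found


def plan_changes(show_output, desired):
    """Return the CLI commands that make the device match `desired` exactly."""
    current = parse_communities(show_output)
    commands = []
    # Bring the wanted communities into shape first, so the management
    # community stays available while the others are being removed.
    for name in sorted(desired):
        if name not in current:
            commands.append(f"snmp-server community {name} {desired[name]}")
        elif current[name] != desired[name]:
            commands.append(f"no snmp-server community {name}")
            commands.append(f"snmp-server community {name} {desired[name]}")
    # Then remove every community that is not part of the policy.
    for name in sorted(current):
        if name not in desired:
            commands.append(f"no snmp-server community {name}")
    if not commands:
        return []  # already compliant: do not enter config mode at all
    return ["config t", *commands, "end", "write mem"]


def redact(command):
    """Mask the community string before a command is written to a job log."""
    return re.sub(r"(snmp-server community )\S+", r"\1<redacted>", command)


if __name__ == "__main__":
    for cmd in plan_changes(SAMPLE_OUTPUT, DESIRED):
        print(redact(cmd))
```

A community that already matches the policy is left alone, which also keeps any access list attached to it (`netmri RW 10` in the sample).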

Create your own – DHCP & LAN. Case #1: DHCP network/range == LAN helper address? Case #2: LAN ip helper address == DHCP networks + range?

Closing the Security Lifecycle Gap.
InfoSec Team: set department policy. Network Ops Team: deploy & implement. Security Ops Team: enforce & monitor.
Know all connected L2/L3 devices & end hosts. Automate remediation of non-compliant devices. Simplify compliance audits. Ensure security policies are being followed. Reduce risk of security vulnerabilities. Integrate with SIEMs and other 3rd parties. Secure and enforce access to network infrastructure.
Note: Within the security realm, there are typically three departments that follow a lifecycle: the InfoSec team, the Network Ops team and the Security Ops team. Historically there has been a gap in the lifecycle across the three teams, where there are different tools, processes and requirements. The InfoSec team sets department policies, but it is challenging for the network team to deploy and implement the overall corporate standards and policies because of the gap between goals and actionable requirements. Add in the Security Ops team, whose task is enforcing and monitoring the policies and verifying implementation, and the challenge is greater, trying to prove aspects that may not be cohesive. Infoblox helps close the gap by bridging the requirements between the 3 teams, and helps take departmental policies and create an actionable plan to implement them and ensure security success.

Discovery & Change Monitoring. Network Ops Team. Infoblox Network Automation. Send for approval. Alert on violations.
1. Discover, fingerprint, and identify all switches, routers, firewalls, etc., from 50 vendors.
2. Backup the configurations for all L2, L3 devices.
3. Automatically check if devices have been changed.
4. Approve change for auditing or remediate directly.
5. Deploy policies to continuously monitor network for compliance.
Note: For the Network Ops team, Infoblox helps with five key areas: automatic discovery of devices; backup and archives of all L2 and L3 device configurations; continuous change monitoring and detection; change approval for simplified auditing; continuous monitoring to ensure network devices remain within policy.

Visibility & Compliance Auditing. Security Ops Team. Infoblox Network Automation. Send to SIEM, Network Monitoring.
1. Leverage network topology maps to monitor for unmanaged devices.
2. Set user roles to track who changed what and when.
3. Identify network hardware security gaps (EOL, PSIRT, etc.).
4. Turn unused switch ports off to reduce security profile.
5. Track end hosts to determine how the network is being accessed.
6. Generate reports on assets and inventories to reduce risk.
Note: For the Security Ops team, there are 6 key aspects of how Infoblox's Network Automation can help with visibility and compliance auditing: automatic detection of new devices with easy-to-view topology maps; user-based roles to secure and track access to network devices; finding potential hardware security gaps, including PSIRTs (Cisco Product Security Incident Response Team), field notices and EOL/EOS; safely turning off unused switch ports, closing a security gap; tracking end hosts to determine how the network is being accessed; generating reports on assets and inventories for correct information.

Bridging the Gap. Network Automation: communication and reporting. Single version of truth.
InfoSec Team (set department policy): reduced time to audit; simplified & customizable security policies; out-of-the-box compliance reports.
Network Ops Team (deploy & implement): improve agility with automated network change provisioning; inventory all network infrastructure; role-based access & user auditing.
Security Ops Team (enforce & monitor): reduce risk profile; continuous real-time monitoring; SIEM and 3rd party integrations.
Note: Infoblox Network Automation helps bridge the gap. For the Network Ops team: improved agility with automated change provisioning, an inventory of all network devices, and role-based access and user auditing. For the Security Ops team: the reduced risk profile and continuous monitoring ensure policies are being followed, and integration with SIEM and 3rd party platforms provides a comprehensive view. This feeds back to the InfoSec team for reduced time to audit and the use of customizable security policies. Best of all, this is a single version of truth for the data.

This works best :-) Windows 95

FIN