Skip to content
Repository for Ansible Demo
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
checks
images
inputs
playbooks
python
snapshots/snapshot0
templates
LICENSE
README.md

README.md

ansible-demo

This repo contains the files and instructions necessary to reproduce our Ansible demo presentation, which uses Pybatfish and Batfish to validate pre-commit network configuration changes.

Automation without pre-commit validation is risky. Use Batfish in your automated workflow for comprehensive correctness guarantees before pushing to production.

Prereqs

  • Run Batfish. If you don't already have it set up and running, run this to set up and start the docker container:

    mkdir -p data && docker run -d -v $(pwd)/data:/data -p 9997:9997 -p 9996:9996 batfish/allinone:sha_736c753_e840243

  • Install the Pybatfish version used for the demo (to guarantee compatibility):

    pip install git+git://github.com/batfish/pybatfish.git@386d0379e0b16985cee9c6cd12c0e7d8d8c8d6cc

  • Install Ansible (see installation guide for details):

    pip install ansible

Setup

  • Clone this demo repo:

    git clone git@github.com:batfish/ansible-demo.git

  • Edit the group vars in playbooks/inventory file to reflect your setup.

  • Run the setup script to create the base snapshot and policies:

    python python/demo-setup.py -p snapshots/snapshot0/ -a "DC Fabric Policy" checks/fabric/ -a "DC Base Policy" checks/base/

Optional Setup for Integrations

Git Integration

This Git integration allows Ansible to create a branch in the GitHub repository with your network configurations, and commit each change you validate to that branch.

  • Clone your network repo e.g. git clone git@github.com:YOUR_ORG_NAME/YOUR_NETWORK_REPO.git

    Note: The network repo should be formatted the same way as snapshots/snapshot0/, with config files in a configs/ dir at the root of the repo.

  • Generate a GitHub token with access to this repo, then supply the token to the playbooks/inventory file

S3 Integration

This S3 integration is for posting Batfish validation logs to your S3 bucket. Logs are also stored locally whether or not S3 is used.

  • Create an S3 bucket to store your logs

  • Install required Python modules:

    pip install botocore pip install boto3

Slack Integration

Running the Demo

The example network from the demo is shown below. During the demo, we make two changes to the network:

  1. Add new leaf leaf-03, which is not included in the network initially
  2. Update the ACLs on the firewalls to permit a new HTTP service

Note:

  • Both scenarios can optionally be run with extra tags s3, slack, and/or git to enable different integrations.
  • Logs for each playbook run are written to s3_logs/.

Add Leaf Scenario

This scenario adds a new leaf router to an existing datacenter and confirms the changes made adhere to the defined network policies.

Run 1 - Fail Policy

This run fails due to duplicate BGP ASNs between leaf 2 and leaf 3.

  • Run the playbook ansible-playbook -i playbooks/inventory playbooks/master.yml --tags "always"
  • Fill in the prompts:
    • Hostname: lhr-leaf-03
    • POD: 1
    • BGP ASN: 65002

Run 2 - Pass Policy

This run passes our predefined policies.

  • Run the playbook ansible-playbook -i playbooks/inventory playbooks/master.yml --tags "always"
  • Fill in the prompts:
    • Hostname: lhr-leaf-03
    • POD: 1
    • BGP ASN: 65003

Update ACL Scenario

This scenario is derived from our Provably Safe ACL and Firewall Changes Python notebook. It updates our firewalls to allow access to a new HTTP service (TCP port 80 on subnet 10.1.5.0/27) and confirms the changes:

  1. Are necessary (i.e. firewalls do not currently permit the new traffic)
  2. Allow the new traffic
  3. Don't allow anything other than the new traffic (i.e. confirm no collateral damage)

Run 1 - Fail ACL Validation

This run creates a bigger hole in the firewall than we intended, thus fails collateral damage check.

  • Edit the file inputs/acls.json to reflect the desired ACL changes, adding this line just before the deny all line: "permit tcp any 10.1.5.0 0.0.0.63 eq 80",
  • Run the ACL playbook: ansible-playbook -i playbooks/inventory playbooks/master_acl.yml --tags "create"
  • Fill in the prompts:
    • Firewall hostnames: lhr-fw-01|lhr-fw-02
    • POD: 1
    • Source IPs of new traffic to allow: 0.0.0.0/0
    • Destination IPs of new traffic to allow: 10.1.5.0/27
    • IP protocol for new traffic to allow: tcp
    • Destination ports: 80

Run 2 - Pass ACL Validation

This run passes our ACL validation checks.

  • Edit the file inputs/acls.json to reflect the desired ACL changes, replacing the line added above with this line: "permit tcp any 10.1.5.0 0.0.0.31 eq 80",
  • Run the ACL playbook: ansible-playbook -i playbooks/inventory playbooks/master_acl.yml --tags "create"
  • Fill in the prompts, same as the previous run:
    • Firewall hostnames: lhr-fw-01|lhr-fw-02
    • POD: 1
    • Source IPs of new traffic to allow: 0.0.0.0/0
    • Destination IPs of new traffic to allow: 10.1.5.0/27
    • IP protocol for new traffic to allow: tcp
    • Destination ports: 80

Got questions, feedback, or feature requests? Join our community on Slack!

You can’t perform that action at this time.