GithubHelp home page GithubHelp logo

nae-ansible-playbooks's Introduction

Ansible Cisco Network Assurance Engine Playbooks

Cisco Network Assurance Engine (NAE) transforms operations in data center networks to a fundamentally more proactive model. Built on Cisco’s patented network verification technology, it is the most comprehensive assurance engine that mathematically verifies the entire network for correctness, giving operators confidence that their network is always operating consistent with intent.

Resources

DevNet Sandbox:

Prerequisites

  • None

Dependancies

  • Ansible 2.8.x
  • Python 3.7.x

Configuration / Getting Started

These playbooks use the Ansible uri module so there's no special requirements. They've been tested with 2.7.10, NAE 3.1(1) and the DevNet API Documentation.

First use nae_api_login.yml to set up the session tokens. It requires setting some NAE specific headers together with a session cookie (not obvious in the docs so worth pointing out).

A user can only be logged in to the Web/GUI OR the API at one time. I had a lot of trouble with expired sessions until I figured it out. If you need to be using the GUI at the same time, then get the CSRF token and cookies from the GUI session manually!

If using the DevNet Sandbox (https://nae-sandbox.cisco.com) or any NAE that can be connected to directly, that's everything.

If using the DCloud Demo, there is an additional layer of DCloud cookies that are required and the easiest way is to retrieve everything manually from the browser session after logging into the NAE app and create a separate vars/session-dcloud.yml file.

To fetch the CSRF token from a running web browser, in Chrome you can type localStorage.CSRF_TOKEN in the developer console. Reload any page with the Network tab open and select a resource to see all the other cookies.

The workflow

All example output here is from the DevNet Sandbox.

First, run ansible-playbook nae_aci_fabrics.yml to get the list of configured fabrics.

Name                          | Operational Mode    | Status         | Fabric ID                                    | APICs               
------------------------------+---------------------+----------------+----------------------------------------------+---------------------
aci-k8tes-sandbox             | ONLINE              | RUNNING        | d9e15b75-19402c77-0f0a-41d8-9ec6-b5409e60cb96|                     
                              |                     |                |                                              | 10.10.20.12         
------------------------------+---------------------+----------------+----------------------------------------------+---------------------

Then get all the epochs for a fabric by running ansible-playbook nae_fabric_epochs.yml -e "fabric_id=d9e15b75-19402c77-0f0a-41d8-9ec6-b5409e60cb96". Note the fabric_id is defined in the playbook and we're overriding it here - there are a few other parameters in the playbook that can be tweaked.

Analysis Time            | Status    | Epoch ID                                     | Events                   
-------------------------+-----------+----------------------------------------------+----------------         
2019-08-10T13:22:09Z     | FINISHED  | d9e15b75-8792cd91-0e2d-355d-9a03-f28ce554ed54|                          
                         |           |                                              | info: 391                
                         |           |                                              | critical: 10             
                         |           |                                              | major: 43                
                         |           |                                              | minor: 3                 
                         |           |                                              | warning: 108             
-------------------------+-----------+----------------------------------------------+----------------         
2019-08-10T13:07:09Z     | FINISHED  | d9e15b75-302611e9-8fdf-332c-a21a-1b549d5e5d16|                          
                         |           |                                              | info: 391                
                         |           |                                              | critical: 10             
                         |           |                                              | major: 43                
                         |           |                                              | minor: 3                 
                         |           |                                              | warning: 108             
-------------------------+-----------+----------------------------------------------+----------------         
... output snipped

Then get all the events for a specific epoch by running ansible-playbook nae_epoch_events.yml -e "epoch_id=d9e15b75-8792cd91-0e2d-355d-9a03-f28ce554ed54". Note the epoch_id is defined in the playbook and we're overriding it here - there are a few other parameters in the playbook that can be tweaked (most notably the severity category).

... output snipped

EPOCH ID: d9e15b75-8792cd91-0e2d-355d-9a03-f28ce554ed54
SEVERITY: EVENT_SEVERITY_CRITICAL

Event                                                       | Category                 | Subcategory              
============================================================+==========================+==========================
CONNECTED_EP_LEARNING_ERROR                                 | TENANT_ENDPOINT          | ENDPOINT_LEARNING        
------------------------------------------------------------+--------------------------+--------------------------
Description: Endpoint information is not consistent across the fabric leafs and spines.
ID: d9e15b75-8792cd91-0e2d-355d-9a03-f28ce554ed54-3980ec56208a822d98d148b99de73507
============================================================+==========================+==========================
ENFORCED_VRF_POLICY_VIOLATION                               | TENANT_SECURITY          | VRF_SECURITY             
------------------------------------------------------------+--------------------------+--------------------------
Description: VRF is in enforced mode. APIC policy for implicit deny log is not enforced on Leaf hardware.
ID: d9e15b75-8792cd91-0e2d-355d-9a03-f28ce554ed54-98d835f0689ef00e15a3782bb093f55b
============================================================+==========================+==========================

And, finally, we can get event details by querying for a specific event_id: ansible-playbook nae_event_details.yml -e "event_id=d9e15b75-8792cd91-0e2d-355d-9a03-f28ce554ed54-98d835f0689ef00e15a3782bb093f55b". Worth noting the event details data model is quite large and deeply nested, we extract only a subset of metadata here and more can be done by inspecting the JSON object as needed.

-------------------------+-----------+----------------------------------------------+----------------         
Primary Affected Object:
  NAME: sbx_shared
  TYPE: CANDID_OBJECT_TYPE_VRF
  ID: uni/tn-common/ctx-sbx_shared

ACI Fabric: aci-k8tes-sandbox
Description: VRF is in enforced mode. APIC policy for implicit deny log is not enforced on Leaf hardware.
Impact: Unauthorized traffic will be allowed in this VRF.
ENFORCED_VRF_POLICY_VIOLATION/TENANT_SECURITY/VRF_SECURITY/EVENT_SEVERITY_CRITICAL
-------------------------+-----------+----------------------------------------------+----------------

All generated reports can be found in the output folder and I've included the ones from the above run into the repository.

Caveats:

If using the Cisco Network Assurance Engine 3.1 v1 dCloud Demo, there is an additional layer of dCloud cookies that are required and the easiest way is to retrieve everything manually from the browser session after logging into the NAE app and create a separate vars/session-dcloud.yml file.

To fetch the CSRF token from a running web browser, in Chrome you can type localStorage.CSRF_TOKEN in the developer console. Reload any page with the Network tab open and select a resource to see all the other cookies.

nae-ansible-playbooks's People

Contributors

movinalot avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.