Source document: 大规模现代网络自动化和编排.pdf (Modern Network Automation and Orchestration at Mass Scale), a 48-page slide deck.
BRKOPS-2827: Modern Network Automation and Orchestration at Mass Scale. A Real-World Case Study.
Bryn G Pounds (BGP), Principal Architect, Cisco Global Enterprise. #CiscoLive
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App: Questions?
Use the Cisco Webex App to chat with the speaker after the session. How:
1. Find this session in the Cisco Live Mobile App.
2. Click "Join the Discussion".
3. Install the Webex App or go directly to the Webex space.
4. Enter messages/questions in the Webex space.
Webex spaces will be moderated by the speaker until June 9, 2023.

Agenda
- Network Profile
- The Starting Point (Technical AND Organizational)
- Tool Selection Process
- What was Built
- Migration from then to now
- MOST IMPORTANT LESSONS LEARNED
- Conclusions

Slide 5: What can grilling teach us about Network Automation? (A LOT!)
- Hungry family: buy-in.
- Willing to invest in more than a microwave dinner (Traeger? Big Green Egg?): the right tool(s) for the right job(s).
- What do we want to grill? Agree on the success criteria.
- Reverse sear: changing processes. Pull when it's done, not after 6 min.
- Is the BBQ steady at 225 degrees? Visibility. Compliance.
- Pushing through the stall: be patient through change.
- Resting: see it through to completion for the agreed results.
- Satisfied family = met or exceeded approval criteria.

Section: The DIY Network Profile

Slide 7: (Examples of) The DIY Network Profile
- Universities, European rail systems, web & service providers.
- 30+ years of networking.
- 20-ish schools and 200 buildings, each with "unique" requirements (almost like small cities).
- IT delegation a requirement.
- Multiple vendors a constant.
- Diverse management tools.
- 4000+ access switches, 100s of distribution switches, 16,000 access points.

Slide 8: Common Designs
- Common core.
- Distribution to the building/station.
- (Diagram: one Core, several Distribution blocks, many Access switches under each.)

Slide 9: Network Organization: The Starting Point
- Traditional network architecture and operations teams.
- Staff manually logging into devices (human error & config drift).
- A staff member would "win the lottery" and leave (loss of "tribal knowledge").
- Experts spending lots of time on menial tasks rather than solving "fun" problems.
- Time spent "configuring network devices", not "deploying network services".
- Difficult to control delegated network support where required.
- Minimal software/automation/orchestration experience.

Slide 10: Network Management: Where they started. (Don't worry about trying to understand this.) (Diagram of the legacy tooling.)

Slide 11: Network Management: Where they started. Network details spread all over.
- "Every university built a nightmare of PERL or EXPECT scripts that scrape the routers & switches to pull some minimal data in. To classify and then determine what changes to push."
- Each college can (inconsistently) configure their own gear (and break it).
- IPAM on its own system.
- Serial numbers and service contracts on their own system.
- What VLAN is on which port: only found in the network.
- Who is authoritative for what?

Section: Starting the Journey

Slide 13: Setting the Vision and establishing the first tenets
- Leverage network automation to build a better product (faster).
- The solution needs to be fully trusted by Ops as well as Architecture.
- Ability to delegate individual IT support using the same core back end.
- Find the right balance between vendor-agnostic automation and the flexibility to leverage specific vendor strengths.
- Eliminate fringe & outlaw projects.
- Eliminate config drift and ensure config compliance.
- None of this will change the daily requirement of a robust 100% uptime network!

Slide 14: Early Moves and Decisions
- Network engineers are NOT software engineers. Quickly add software developers into the network team.
- Leverage software development "best practices" in the network.
- EVERYONE on the team needs to learn baseline software skills (and be given the time to explore and make mistakes in a safe environment).
- Not looking to reduce staff. Looking to move staff to more "interesting" problems.
- No one will log onto a router/switch again!
- Take time to carefully define the problems we want to solve.

Slide 15: Level setting required skills and tools. Everyone needs to be comfortable in each of these spaces. (Diagram.)

Slide 16: Initial Findings
- Defining the problem is often the most difficult part.
- Preferred the model of deploying abstracted network services vs automating the configuration of network devices.
- "Source of Truth": is there a single source of truth? (Probably not.)
- There is rarely such a thing as greenfield.
- Involve operations early; they will be supporting what you automate.
- Give everyone enough time to learn new tooling, typically hands-on learning. ("What is a code review?")

Section: Tool Selection. "Which is better? X or Y?"

Slide 18: The Better Question: "Which tools are better together for what you need?" (Often said by those who have implemented large-scale network automation.)

Slide 19: Selecting the "best" tools. (Plural: "tool-s".)

Slide 20: Fundamental Questions for Tool Selection: Big Questions
- Is your company ready to evolve culturally to achieve this?
- What are the fundamental problems we are trying to solve?
- Are we configuring boxes, or deploying network services? Get out of the mindset of configuring boxes.
- Who will be the "Source of Truth"? Can you get down to a single source of truth? (I've never seen it.)
- How early to involve Operations in the architecture process?
- How many tools are we willing to integrate?
- Is orchestration the goal? Visibility as well? Telemetry?

Slide 21: Fundamental Questions for Tool Selection: What is Config Compliance? Can there be versions?
- The actual full box config is the intended config?
- Part of the total running config is the intended config for that section? Nobody cares about other parts of the running config (automated systems access happening).
- A specific feature on the box has the intended config for that feature? DNS? NTP? SYSLOG?
- A "version" of a config snippet is running on the box.
- The active box code has no known vulnerabilities.
- How to handle remediation?
Slide 22: Journey through tool evaluation (Customer Quotes)
- Started with Ansible with Tower. Then evaluated Salt. Result: good tools, although somewhat fragmented.
- Liked NetBox as "Source of Truth" for infrastructure: device inventory / VLAN & VRF assignments / asset tracking.
- NSO had the advantage of "Network Service Abstraction": deploy a switchport, enable BGP routing, enable consistent policy. What are you really trying to do? Design a network service to abstract the CLI config.
- NSO is the multi-vendor "Source of Truth" for the network configuration. It manages a heterogeneous multi-vendor network, legacy and new.
- Verifies the network is secure per policy. Detects config drift. Config consistency.
- A network-friendly CLI enables faster evolution to software skills for network engineers.

Slide 23: Campus Wireless. Typically you end up with 1 of 2 paths at this point.
- Continue leading with NSO automation and orchestration: continue with the NSO approach, same as switching. The IOS-XE NED (Network Element Driver) has solid support for Cisco Catalyst 9800, just like the rest of the Catalyst product portfolio. Deploy common network services across wired and wireless ("Name Spaces") with the same deployment.
- Lead with Cisco DNA Center (see DEVWKS-1004 & DEVWKS-2004): easy automation of Cisco Catalyst 9800s and APs. "Why did Jimmy's iPhone not associate to the network last Thursday at 4:45PM?" Often a lead choice for an Operations-centric environment.

Section: Migration from then to now

Slide 25: Best Practices & Lessons Learned. What to migrate from the "old way" to the "new way"? Several opinions; the happy middle ground seems to be:
- Encourage Operations to lead the cultural evolution. No more consoling into boxes, otherwise you're doomed before you begin.
- Migrate early any nondisruptive services possible to the "new way".
- When you bring a building or station into "new way" automation, leverage this as being the closest you'll ever be to greenfield. "Measure twice then cut once."
- Migrate the access layer to the "new way". This is where you spend the most time. Distribution/Core: maybe not.
- Leverage NSO "Actions" (more later) to pre-populate NetBox.
- Where possible, add communication to/from old tools to leverage one of NSO's many interface options. It makes it smoother to migrate away from old tools when the time is right.
- BEWARE: Open Source ver 1.0 is cool. "We're special, so let's modify it." (Now stuck!)

Slide 26: "Code Review": the new network procedure(s). Network code reviews are the new norm.

Section: The Common Solution(s) and "Why NSO"?

Slide 28: (Multiple) Sources of Truth
- NetBox for DCIM and IPAM: device inventory and categorization; asset tracking; prefix, VLAN, and VRF assignments.
- NSO for network configuration: "Network Service" config management; source of truth for service data; config drift notification; operational snapshots.
- Added existing access switches and all new network gear to NSO.

Slide 29: NetBox Summary
- Data held: sites, IPv4 prefixes, IPv6 prefixes, aggregate prefixes, VRFs, VLANs, interface parameters, BGP ASNs, network devices, compute devices (server/storage), ownership/tenancy, rack details, cabling matrices, circuit information, hostnames, domains.
- Systems integrated with it: Clients/Automation, Network Simulation, Production Network, Ticketing/Change/CMDB, Monitoring/ITIL Systems, DNS/DHCP.

Slide 30: NSO Multi-Vendor Support: 100+ vendors, 170+ device families.

Slide 31: NSO Network Service Models
- Model the service ONCE. NSO uses device models and translates the device configs.
- 100 devices in the service; 2 don't deploy, NSO rolls the WHOLE THING back.

Slide 32: Simple example: firewall rules. Push config with service templates. Pull configs with Actions.

Slide 33: NSO "Actions": non-configuration steps. Example (great for migrating legacy to new systems):
- Go to all my switches (or a subset, or a single switch) and discover all the VRFs and their associated details.
- Then see if that VRF exists in NetBox.
- (Potentially) then add the VRF details to NetBox, and add the VRF configuration to the switch per defined policy, thus reconciling the previously unknown network parameters to the "source of truth".
- (Potentially) then open a service ticket with the details of the previously unknown VRF.
- Check the common services, and reconcile if they are not per policy.
- Discover all VLANs on a switch (or switches) and reconcile. Discover BGP routes, OSPF neighbors, verify, etc.
- Same API call: all switches, a subset of switches, or a single switch. *All VENDORS*.
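The discover-and-reconcile action on slide 33 and the all-or-nothing deployment on slide 31, as one added example that is not Cisco's, the speaker's, NSO's or NetBox's code: the switch "show" output, the NetBox VRF table and the description policy are constructed in-memory stand-ins, and the function names (`discover_vrfs`, `reconcile`, `apply_transaction`) are this example's own. The `targets` argument plays the role of the slide's "all switches, a subset, or a single switch" selector.

```python
"""Reconcile discovered VRFs against a source of truth, then apply the
remediation as one transaction (constructed stand-in for an NSO action)."""
import re
from dataclasses import dataclass, field

# Constructed IOS-style running-config fragments, one per switch (stand-in for
# what an NSO NED would return for the VRF section of the running config).
SWITCH_CONFIGS = {
    "access-sw-01": """
vrf definition CAMPUS
 rd 65000:10
 description Campus users
vrf definition IOT
 rd 65000:20
""",
    "access-sw-02": """
vrf definition CAMPUS
 rd 65000:11
vrf definition LEGACY-LAB
 rd 65000:99
 description Unknown lab VRF
""",
}

# Constructed NetBox-like source of truth: VRF name -> route distinguisher.
NETBOX_VRFS = {"CAMPUS": "65000:10", "IOT": "65000:20"}

# Constructed policy: every VRF must carry this description.
REQUIRED_DESCRIPTION = "managed-by-nso"

VRF_HEADER = re.compile(r"^vrf definition (\S+)$", re.M)


def discover_vrfs(config_text):
    """Parse 'vrf definition' blocks into {name: {"rd": ..., "description": ...}}."""
    parts = VRF_HEADER.split(config_text)  # [preamble, name1, body1, name2, body2, ...]
    vrfs = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        rd = re.search(r"^\s*rd (\S+)$", body, re.M)
        desc = re.search(r"^\s*description (.+)$", body, re.M)
        vrfs[name] = {
            "rd": rd.group(1) if rd else None,
            "description": desc.group(1).strip() if desc else None,
        }
    return vrfs


@dataclass
class ReconcileResult:
    netbox_additions: dict = field(default_factory=dict)  # VRF -> rd, previously unknown to NetBox
    rd_conflicts: dict = field(default_factory=dict)      # switch -> {vrf: (seen_rd, sot_rd)}
    tickets: list = field(default_factory=list)           # one per previously unknown VRF
    plan: dict = field(default_factory=dict)              # switch -> config lines to push


def reconcile(switch_configs, netbox_vrfs, required_description, targets=None):
    """One call serves all switches, a subset, or a single switch:
    targets=None means every switch in switch_configs."""
    result = ReconcileResult()
    sot = dict(netbox_vrfs)  # working copy of the source of truth
    for switch in (targets or switch_configs):
        lines = []
        for name, attrs in discover_vrfs(switch_configs[switch]).items():
            if name not in sot:
                # Unknown VRF: record it in the source of truth and raise a ticket.
                sot[name] = attrs["rd"]
                result.netbox_additions[name] = attrs["rd"]
                result.tickets.append(
                    f"{switch}: previously unknown VRF {name} (rd {attrs['rd']}) added to NetBox")
            elif attrs["rd"] != sot[name]:
                # Known VRF with a different RD: flag it for a human, never auto-fix.
                result.rd_conflicts.setdefault(switch, {})[name] = (attrs["rd"], sot[name])
            if attrs["description"] != required_description:
                lines += [f"vrf definition {name}", f" description {required_description}"]
        if lines:
            result.plan[switch] = lines
    return result


def apply_transaction(plan, push):
    """Push the plan to every switch as one unit of work. push(switch, lines)
    returns True on success; on the first failure every switch already
    changed is rolled back and the whole transaction reports failure."""
    committed, rolled_back = [], []
    for switch, lines in plan.items():
        if not push(switch, lines):
            for done in reversed(committed):
                push(done, ["! rollback"])  # stand-in for NSO's reverse diff
                rolled_back.append(done)
            return False, committed, rolled_back
        committed.append(switch)
    return True, committed, rolled_back


if __name__ == "__main__":
    res = reconcile(SWITCH_CONFIGS, NETBOX_VRFS, REQUIRED_DESCRIPTION)
    print("NetBox additions:", res.netbox_additions)
    print("RD conflicts:", res.rd_conflicts)
    for t in res.tickets:
        print("ticket:", t)
    # Simulated push in which access-sw-02 rejects the change.
    ok, committed, rolled_back = apply_transaction(res.plan, lambda sw, _: sw != "access-sw-02")
    print("committed:", ok, committed, "rolled back:", rolled_back)
```

The RD conflict is deliberately not auto-remediated: a VRF that NetBox knows under a different route distinguisher is either a NetBox error or a rogue change on the switch, and either way the action should surface it rather than silently pick a side.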
Slide 34: NSO's Programmatic Interfaces. Interface with NSO however you choose.

Slide 35: Ability to front-end common NSO services. Django calling NSO via NETCONF.

Slide 36: Config drift via NSO "Compare Config". Example: Palo Alto.

Slides 37-38: Work Smarter, not Harder. (No polling.) Do I really need to check it every day?
- Event driven: generate a syslog message when someone logs into a device.
- Someone logs into a device. Syslog is generated.
- Collect the syslog(s) and process them: put them on a messaging bus, or your existing collector, or Kafka, or ...
- "Login" detected; this initiates the NSO compare-config.
- If a DIFF is found, send it to ...
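The event-driven flow on slides 37-38, using the section-level notion of compliance from slide 21, as an added example that is not Cisco's or NSO's code: the syslog lines, running configs and intended feature snippets are constructed, and the "compare config" is a per-feature diff written for this example rather than a call to NSO's compare-config. The `AUTOMATION_USERS` allowlist and all function names are this example's own.

```python
"""Login event -> section-level compare -> alert only on drift (constructed data)."""
import re

# Constructed syslog lines in the shape of IOS login/config messages.
SYSLOG_LINES = [
    "<189>Jun  6 14:02:11 access-sw-01 312: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: ops1] [Source: 10.10.1.5] [localport: 22] at 14:02:11 UTC Tue Jun 6 2023",
    "<190>Jun  6 14:02:40 access-sw-01 313: %SYS-5-CONFIG_I: Configured from console by ops1 on vty0 (10.10.1.5)",
    "<189>Jun  6 14:03:02 access-sw-02 88: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: ops2] [Source: 10.10.1.6] [localport: 22] at 14:03:02 UTC Tue Jun 6 2023",
    "<189>Jun  6 14:03:40 dist-rtr-01 9001: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: svc-nso] [Source: 10.10.0.20] [localport: 22] at 14:03:40 UTC Tue Jun 6 2023",
    "<190>Jun  6 14:05:00 access-sw-02 89: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up",
]

# Intended config per feature: the "version" of each snippet that should be running.
INTENDED = {
    "ntp": ["ntp server 10.0.0.1", "ntp server 10.0.0.2"],
    "dns": ["ip name-server 10.0.0.53"],
    "syslog": ["logging host 10.0.0.100", "logging trap informational"],
}
# Which running-config lines belong to each feature; every other line is ignored.
SECTION_PREFIXES = {
    "ntp": ("ntp ",),
    "dns": ("ip name-server",),
    "syslog": ("logging host", "logging trap"),
}
# Logins by the orchestrator's own service account are expected and are not checked.
AUTOMATION_USERS = frozenset({"svc-nso"})

# Constructed running configs, as fetched right after each login.
RUNNING_CONFIGS = {
    "access-sw-01": """
hostname access-sw-01
ntp server 10.0.0.1
ip name-server 10.0.0.53
logging buffered 16384
logging host 10.0.0.100
logging host 192.0.2.99
logging trap informational
""",
    "access-sw-02": """
hostname access-sw-02
ntp server 10.0.0.1
ntp server 10.0.0.2
ip name-server 10.0.0.53
logging host 10.0.0.100
logging trap informational
""",
    "dist-rtr-01": """
hostname dist-rtr-01
ntp server 10.0.0.1
""",
}

LOGIN_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \d+: "
    r"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] "
    r"\[Source: (?P<src>[^\]]+)\]"
)


def parse_login_events(lines):
    """Keep only successful-login messages; everything else on the bus is ignored."""
    return [m.groupdict() for m in map(LOGIN_RE.match, lines) if m]


def compare_sections(running_text, intended=INTENDED, prefixes=SECTION_PREFIXES):
    """Per feature, report intended lines missing from the running config and
    lines inside that section that are not intended. Lines outside the watched
    sections play no part in the verdict."""
    drift = {}
    running = [ln.strip() for ln in running_text.splitlines() if ln.strip()]
    for feature, want_lines in intended.items():
        seen = {ln for ln in running if ln.startswith(prefixes[feature])}
        want = set(want_lines)
        missing, extra = sorted(want - seen), sorted(seen - want)
        if missing or extra:
            drift[feature] = {"missing": missing, "extra": extra}
    return drift


def handle_events(lines, running_configs, automation_users=AUTOMATION_USERS):
    """Login detected -> run the compare -> alert only when a diff is found."""
    alerts = []
    for ev in parse_login_events(lines):
        if ev["user"] in automation_users:
            continue
        drift = compare_sections(running_configs[ev["host"]])
        if drift:
            alerts.append({**ev, "drift": drift})
    return alerts


def format_alert(alert):
    """Render one alert as the text handed to the ticketing or chat system."""
    parts = [f"{alert['host']}: config drift after login by {alert['user']} "
             f"from {alert['src']} at {alert['ts']}"]
    for feature, d in alert["drift"].items():
        parts += [f"  [{feature}] missing: {ln}" for ln in d["missing"]]
        parts += [f"  [{feature}] unexpected: {ln}" for ln in d["extra"]]
    return "\n".join(parts)


if __name__ == "__main__":
    for a in handle_events(SYSLOG_LINES, RUNNING_CONFIGS):
        print(format_alert(a))
```

Two design choices worth noting. The compare is scoped to the features the organisation has decided it cares about (slide 21's "part of the running config is the intended config for that section"), so a `logging buffered` line on access-sw-01 does not count as drift while the unexpected `logging host 192.0.2.99` does. And the allowlist of automation accounts is a trade-off: without it every NSO deployment would trigger a compare against itself; with it, drift on dist-rtr-01 is not examined until a human logs in, so the allowlist should be tight and the service account itself monitored.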
Section: MOST IMPORTANT LESSONS LEARNED

Slide 40: Most Important Lessons
- Be sure you have buy-in from Operations. If you don't, you will fail.
- No more consoles. No more SSHing into the CLI.
- Network engineers are not software developers. Integrate your teams EARLY! (Also, software developers are not network engineers.)
- Time to apply the unit test lifecycle to the network.
- Change your perspective: network services, not box configs.
- There is no such thing as a "Single Source of Truth" for everything.
- Pick 2-3 tools that work well together. No such thing as 1. Don't try 12.
- Modify the process to match your preferred software, not the other way around.
- Decide what Compliance really means to your org.
- Work Smarter Not Harder! 8-)

Section: Conclusions

Slide 42: Final Thoughts
- This "Network Profile" isn't every network. This is for specific organizations who need/want very specific customized network automation and orchestration.
- It can be done.
- Give your network engineers time to make mistakes.
- Python was made for network engineers, who can be productive with 1-2 weeks of training.
- Enjoy the ride. Learn a few new skills and build a better network.
- Ping me.

Slide 44: Fill out your session surveys!
- Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!
- Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed. These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.

Continue your education
- Visit the Cisco Showcase for related demos.
- Book your one-on-one Meet the Engineer meeting.
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs.
- Visit the On-Demand Library for more sessions at www.CiscoL

Slide 47: Gamify your Cisco Live experience! Get points for attending this session! How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.
54、he interactive education with DevNet,Capture the Flag,and Walk-in LabsVisit the On-Demand Library for more sessions at www.CiscoL you#CiscoLive 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLive47Gamify your Cisco Live experience!Get points Get points for attending this session!for attending this session!Open the Cisco Events App.Click on Cisco Live Challenge in the side menu.Click on View Your Badges at the top.Click the+at the bottom of the screen and scan the QR code:How:123447 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicBRKOPS-2827#CiscoLive