Cyber Crane Mesh Lab (ipspace#22)

Co-authored-by: Milan Zapletal <[email protected]>

multi-platform/cyber-crane-mesh/README.md

@@ -0,0 +1,32 @@
+# General lab description
+We really needed to create a lab to test some features and to have a playground for new ideas. Netlab provided an excellent platform to create a lab with a variety of devices and topologies programmatically. 
+The topology looks like an enormous robotic crane with a lot of moving parts - hence the name **Cyber Crane Mesh**.
+
+This lab creates a network with:
+
+- 6 core nodes (srx)
+- 8 distribution FW and RTR nodes connecting core to sites (srx and ios)
+- 6 User site `s1` nodes (eos)
+- 2 User site `s2` nodes (eos)
+- 10 Server site `s3` nodes (eos)
+- 7 VXLAN site `s4` nodes (eos)
+- 8 Multicast site `s5` nodes (ios)
+- 51 linux nodes to emulate users and servers
+
+## Few notes
+We run the lab on the local machine with 128GB RAM and 32 cores:
+- it takes about 30 minutes to start the lab (we use `libvirt.batch_size: 8` to spread the load)
+- with our images it consumes about 110+ GB of RAM (we had to add 3 GB to Arista devices running VXLANs)
+- there's plenty of static addressing involved - we tried to keep it simple and consistent
+  - endpoints are `.60` or `.61` except management servers, those are `.20`
+  - subnets and VLAN IDs are corresponding with the Site ID `172.16.[site_id][1-4].X/24` - VLAN `[site_id]0[site_id][1-4]`
+
+## Playbooks
+We have a few playbooks to help with the lab. We decided that the best was to run the lab smoothly was not to interfere with the lab build process in any way with additional configs or modifications.
+The lab is started only with the `topology.yml` file and with **Netlab** features. Additional playbooks are applied to the lab after it's started:
+- `playbooks/master-playbook.yml` - contains all playbooks to add additional configurations to the lab (Lag, Mgmt protocols, etc.)
+- `playbooks/security-playbook.yml` - contains playbooks to add security features to the lab (Policies, NAT, IPSec, etc.)
+
+## Cyber Crane Topology
+![Cyber Crane Topology](img/cyber-crane-mesh.png)
+

multi-platform/cyber-crane-mesh/playbooks/master_playbook.yml

@@ -0,0 +1,10 @@
+---
+- import_playbook: sub_playbooks/disable_lldp.yml
+- import_playbook: sub_playbooks/mgmt_protocols.yml
+- import_playbook: sub_playbooks/no_ip_host.yml
+- import_playbook: sub_playbooks/s3_eos_lag.yml
+- import_playbook: sub_playbooks/s4_vrf_tenant_routes.yml
+- import_playbook: sub_playbooks/s5_igmp_groups.yml
+- import_playbook: sub_playbooks/s5_pim_interfaces.yml
+- import_playbook: sub_playbooks/save_config_changes.yml
+- import_playbook: sub_playbooks/s4_model_multiagent.yml # This playbook should be last - requires reload

multi-platform/cyber-crane-mesh/playbooks/security_playbooks.yml

@@ -0,0 +1,7 @@
+---
+- import_playbook: sub_playbooks/srx_firewall.yml
+- import_playbook: sub_playbooks/srx_ipsec_d1xfw01.yml
+- import_playbook: sub_playbooks/srx_ipsec_d2xfw01.yml
+- import_playbook: sub_playbooks/srx_policies_d1xfw01.yml
+- import_playbook: sub_playbooks/srx_policies_d2xfw01.yml
+- import_playbook: sub_playbooks/srx_nat_d1xfw01.yml

multi-platform/cyber-crane-mesh/playbooks/sub_playbooks/disable_lldp.yml

@@ -0,0 +1,27 @@
+---
+- name: Disable CDP/LLDP on interface GigabitEthernet 0/0 on IOS routers
+  hosts: iosv
+  gather_facts: no
+  tasks:
+    - name: Configure GigabitEthernet 0/0 interface
+      cisco.ios.ios_config:
+        lines:
+          - "interface GigabitEthernet 0/0"
+          - "no lldp transmit"
+          - "no lldp receive"
+          - "no cdp enable"
+      register: config_result
+      when: "'iosv' in group_names"
+
+- name: Disable LLDP on interface fxp0 on Juniper routers
+  hosts: vsrx
+  gather_facts: no
+  tasks:
+    - name: Configure GigabitEthernet 0/0 interface
+      junos_config:
+        lines:
+          - "set protocols lldp interface all"
+          - "set protocols lldp interface fxp0 disable"
+      register: config_result
+      when: "'srxv' in group_names"
+

multi-platform/cyber-crane-mesh/playbooks/sub_playbooks/mgmt_protocols.yml

@@ -0,0 +1,143 @@
+---
+- name: Configure Syslog, NTP, SNMP and TACACS+ on Cisco IOS
+  hosts: iosv
+  gather_facts: no
+
+  vars:
+    MGMT_SERVER_IP: "172.16.21.20" # IP address of the first server in SITE2
+    NTP_SERVER_IP: "192.168.1.1"
+    tacacs_key: "071B204F4F0A0A0E120B"
+    tacacs_group: "TACACS_GROUP01"
+
+  tasks:
+    - block:
+      - name: Configure Syslog on Cisco IOS Devices
+        cisco.ios.ios_config:
+          lines:
+            - "logging host {{ MGMT_SERVER_IP }}"
+
+      - name: Configure NTP on Cisco IOS Devices
+        cisco.ios.ios_config:
+          lines:
+            - "ntp server {{ NTP_SERVER_IP }}"
+
+      - name: Configure SNMP on Cisco IOS Devices
+        cisco.ios.ios_config:
+          lines:
+            - "snmp-server community ipfabric ro"
+            - "snmp-server contact +420 888-999-111"
+            - "snmp-server location IP Fabric, PRAGUE, DC01"
+            - "snmp-server source-interface traps Loopback0"
+            - "snmp-server host {{ MGMT_SERVER_IP }} traps version 2c ipfabric"
+
+      - name: Configure TACACS+ on Cisco IOS Devices
+        cisco.ios.ios_config:
+          lines:
+            - "tacacs server SERVER01"
+            - "address ipv4 {{ MGMT_SERVER_IP }}"
+            - "key 7 {{ tacacs_key }}"
+            - "port 449"
+            - "timeout 10"
+            - "exit"
+            - "aaa authentication login default local"
+            - "aaa authorization exec default local"
+
+      ignore_errors: yes
+
+- name: Configure Syslog, NTP, SNMP and TACACS+ on Arista EOS
+  hosts: eos
+  gather_facts: no
+
+  vars:
+    MGMT_SERVER_IP: "172.16.21.20" # IP address of the first server in SITE2
+    NTP_SERVER_IP: "192.168.1.1"
+    tacacs_key: "071B204F4F0A0A0E120B"
+    tacacs_group: "TACACS_GROUP01"
+
+  tasks:
+    - block:
+      - name: Configure Syslog on Arista EOS Devices
+        arista.eos.eos_config:
+          lines:
+            - "logging host {{ MGMT_SERVER_IP }}"
+
+      - name: Configure NTP on Arista EOS Devices
+        arista.eos.eos_config:
+          lines:
+            - "ntp server {{ NTP_SERVER_IP }}"
+
+
+      - name: Configure SNMP on Arista EOS Devices
+        arista.eos.eos_config:
+          lines:
+            - "snmp-server community ipfabric ro"
+            - "snmp-server contact +420 888-999-111"
+            - "snmp-server location IP Fabric, PRAGUE, DC01"
+            - "snmp-server source-interface Loopback0"
+            - "snmp-server host {{ MGMT_SERVER_IP }} traps version 2c ipfabric"
+
+      - name: Configure TACACS+ on Arista EOS Devices
+        arista.eos.eos_config:
+          lines:
+            - "tacacs-server host {{ MGMT_SERVER_IP }} key 7 {{ tacacs_key }}"
+            - "tacacs-server timeout 10"
+            - "aaa group server tacacs+ SERVER-GROUP01"
+            - "server {{ MGMT_SERVER_IP }}"
+            - "exit"
+            - "aaa authentication login default local"
+            - "aaa authorization exec default local"
+
+      - name: Configure sFlow on Arista Gateways
+        arista.eos.eos_config:
+          lines:
+            - "sflow destination {{ MGMT_SERVER_IP }} 6343"
+            - "sflow polling-interval 3600"
+            - "sflow sample 2048"
+            - "sflow source-interface Loopback0"
+            - "sflow run"
+
+      ignore_errors: yes
+
+- name: Configure Syslog, NTP, SNMP and TACACS+ on Juniper SRX
+  hosts: vsrx
+  gather_facts: no
+
+  vars:
+    MGMT_SERVER_IP: "172.16.21.20" # IP address of the first server in SITE2
+    NTP_SERVER_IP: "192.168.1.1"
+    tacacs_key: "071B204F4F0A0A0E120B"
+    tacacs_group: "TACACS_GROUP01"
+
+  tasks:
+    - block:
+      - name: Configure TACACS+
+        junos_config:
+          lines:
+            - "set system tacplus-server {{ MGMT_SERVER_IP }}"
+
+      - name: Configure Syslog
+        junos_config:
+          lines:
+            - "set system syslog host {{ MGMT_SERVER_IP }} any info"
+
+      - name: Configure NTP on Juniper SRX Devices
+        junos_config:
+          lines:
+            - "set system ntp server {{ NTP_SERVER_IP }}"
+
+      - name: Configure SNMP on Juniper SRX Devices
+        junos_config:
+          lines:
+            - "set snmp trap-group group1 targets {{ MGMT_SERVER_IP }}"
+            - "set snmp location \"IP Fabric, PRAGUE, DC01\""
+            - "set snmp contact \"IP Fabric, +420 888-999-111\""
+            - "set snmp community ipfabric authorization read-only"
+            - "set snmp interface lo0.0"
+
+      - name: Configure TACACS+
+        junos_config:
+          lines:
+            - "set system tacplus-server {{ MGMT_SERVER_IP }}"
+
+      ignore_errors: yes
+

multi-platform/cyber-crane-mesh/playbooks/sub_playbooks/no_ip_host.yml

@@ -0,0 +1,68 @@
+---
+- name: Remove IP Hosts from the Arista EOS configuration
+  hosts: eos
+  gather_facts: no
+
+  tasks:
+    - name: Executing `no ip host` command
+      arista.eos.eos_config:
+        lines:
+          - "no ip host"
+      when: "'eos' in group_names"
+
+- name: Remove static host mapping for Juniper devices
+  hosts: vsrx
+  gather_facts: no
+
+  tasks:
+    - name: Remove static host mapping
+      junos_config:
+          lines:
+          - "delete system static-host-mapping"
+      when: "'vsrx' in group_names"
+
+- name: Remove IP Host Configurations for Cisco IOS devices
+  hosts: iosv  # Replace with the appropriate group for your devices
+  gather_facts: no
+  tasks:
+    - name: Gather current configurations
+      ios_command:
+        commands:
+          - show running-config | include ^ip host
+      register: current_config
+      ignore_errors: yes
+
+    - name: Parse host names from configurations
+      set_fact:
+        host_names: "{{ host_names | default([]) + [item | regex_search('^ip host\\s+([^\\s]+)', '\\1')] }}"
+      loop: "{{ current_config.stdout[0].splitlines() }}"
+      when: current_config.stdout[0] is defined
+
+    - name: Remove None entries from list
+      set_fact:
+        host_names: "{{ host_names | select('defined') | list }}"
+      when: host_names is defined
+
+    - name: Debug host names list length
+      debug:
+        msg: "Length of host_names list: {{ host_names | length }}"
+      when: host_names is defined
+
+    - name: Generate 'no ip host' commands
+      set_fact:
+        no_ip_host_commands: "{{ host_names | default([]) | map('join', '') | map('regex_replace', '^(.+)$', 'no ip host \\1') | list }}"
+
+    - name: Remove IP Host Configurations
+      ios_config:
+        lines: "{{ item }}"
+      loop: "{{ no_ip_host_commands }}"
+      when: no_ip_host_commands | length > 0
+
+    - name: Save configuration for all devices
+      ios_command:
+        commands:
+          - write memory
+      when: "'iosv' in group_names or 'eos' in group_names"
+
+
+

multi-platform/cyber-crane-mesh/playbooks/sub_playbooks/s3_eos_lag.yml

@@ -0,0 +1,35 @@
+---
+- name: Configure LAG interfaces on Arista EOS devices
+  hosts: eos
+  gather_facts: no
+
+  tasks:
+    - name: Updating LAGs on {{ inventory_hostname }}
+      arista.eos.eos_lag_interfaces:
+        config:
+          - name: 3
+            members:
+              - member: Ethernet3
+                mode: on
+              - member: Ethernet4
+                mode: on
+          - name: 5
+            members:
+              - member: Ethernet5
+                mode: on
+              - member: Ethernet6
+                mode: on
+        state: merged
+      when: inventory_hostname in ['s3xdsw01', 's3xdsw02']
+
+    - name: Updating LAGs on {{ inventory_hostname }}
+      arista.eos.eos_lag_interfaces:
+        config:
+          - name: 5
+            members:
+              - member: Ethernet1
+                mode: on
+              - member: Ethernet2
+                mode: on
+        state: merged
+      when: inventory_hostname in ['s3xdsw03', 's3xdsw04']

multi-platform/cyber-crane-mesh/playbooks/sub_playbooks/s4_model_multiagent.yml

@@ -0,0 +1,25 @@
+# This is not needed for certain Arista images - but I had to do it for mine
+---
+- name: Execute command on Arista devices with 'vx' in their hostname
+  hosts: eos
+  gather_facts: no
+
+  tasks:
+    - name: Run command on specific hosts
+      arista.eos.eos_config:
+        commands:
+          - "service routing protocols model multi-agent"
+      when: "'s4x' in inventory_hostname"
+
+    - name: Save configuration
+      arista.eos.eos_command:
+        commands:
+          - "write memory"
+      when: "'s4x' in inventory_hostname"
+
+    - name: Reboot the switch
+      arista.eos.eos_command:
+        commands:
+          - "reload now"
+      when: "'s4x' in inventory_hostname"
+      ignore_errors: yes