2. Why?
• Operations Agility
  – Change management in networks is hard
  – Lots of moving parts to consider
• Service Velocity
  – Timeframes for CRUD activity unacceptable
• Configuration Consistency
  – Number 1 reason for network outages
  – History has taught us to fear external systems
3.
!
! device: $HostnameSpine1 (DCS-7508, /$CertifiedCode)
!
!
boot system flash:/$CertifiedCode
!
queue-monitor length
!
logging buffered 10000
no logging console
logging vrf MGMT host $SyslogHostAddress
logging vrf MGMT host $SyslogHostAddress
logging vrf MGMT source-interface Management1/1
logging format timestamp high-resolution
logging facility local6
!
hostname $HostnameSpine1
ip name-server $DNSHostAddress
ip name-server $DNSHostAddress
ip domain-name $CompanyDomainName
!
ntp source Management1/1
ntp server vrf MGMT $NTPHostAddress1 prefer
ntp server vrf MGMT $NTPHostAddress2
!
snmp-server contact "$SNMPcontact"
snmp-server location $bldg/$floor/$room/$rack
no snmp-server vrf main
snmp-server vrf MGMT
snmp-server source-interface Management1/1
snmp-server community $SNMPCommunity ro SNMP-RO-ACL
snmp-server community $SNMPCommunity rw SNMP-RW-ACL
snmp-server host $SNMPHostAddress traps version 2c $SNMPcommunity
snmp-server enable traps entity
snmp-server enable traps lldp
snmp-server enable traps snmp
!
tacacs-server key $TacacsServerKey
tacacs-server host $TacacsServerAddress vrf MGMT
ip tacacs source-interface Management1/1
!
spanning-tree mode mstp
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ none
aaa authorization commands 1,15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
no aaa root
vrf definition MGMT
   rd $SpineAS01
!
Vlan 999
   state suspend
   name UNUSED-PORTS
!
Interface Ethernet$ModNumber/$SubModNumber/1-$HighestPortNumber
   switchport mode access
   switchport access vlan 999
   shut
!
Interface Ethernet3/1/1
   description - P2P Link to LEAF switch-1
   speed forced 40gfull
   mtu 9214
   logging event link-status
   no switchport
   ip address $IPAddress/30
   arp timeout 900
   ip pim sparse-mode
   ip pim bfd-instance
   qos trust dscp
   no shut
!
Interface Ethernet3/1/2
   description - P2P Link to LEAF switch-2
   speed forced 40gfull
   mtu 9214
   logging event link-status
   no switchport
   ip address $IPAddress/30
   arp timeout 900
   ip pim sparse-mode
   ip pim bfd-instance
   qos trust dscp
   no shut
!
Interface Ethernet4/1/1
   description - P2P Link to LEAF switch-1
   speed forced 40gfull
   mtu 9214
   logging event link-status
   no switchport
   ip address $IPAddress/30
   arp timeout 900
   ip pim sparse-mode
   ip pim bfd-instance
   qos trust dscp
   no shut
!
Interface Ethernet4/1/2
   description - P2P Link to LEAF switch-2
   speed forced 40gfull
   logging event link-status
   no switchport
   ip address $IPAddress/30
   arp timeout 900
   ip pim sparse-mode
   ip pim bfd-instance
   qos trust dscp
   no shut
!
interface Loopback0
   description Router-ID
   ip address $IPAddress/32
!
interface Management1
   no snmp trap link-status
   vrf forwarding MGMT
   ip address $MGMTIPAddress/$MGMTSubnetMask
!
ip route vrf MGMT 0.0.0.0/0 $GatewayOfLastResortAddress
!
ip routing
no ip routing vrf MGMT
!
ip multicast-routing
!
ip prefix-list PREFIX-LIST-IN seq 10 permit $Prefix/$PrefixLength
!
route-map ROUTE-MAP-IN permit 10
   match ip address prefix-list PREFIX-LIST-IN
!
ip prefix-list PREFIX-LIST-OUT seq 10 permit $Prefix/$PrefixLength
!
route-map ROUTE-MAP-OUT permit 10
   match ip address prefix-list PREFIX-LIST-OUT
!
router bgp $SpineAS
   router-id <Loopback0_Address>
   bgp log-neighbor-changes
   distance bgp 20 200 200
   maximum-paths 64
   neighbor EBGP-TO-LEAF-PEER peer-group
   neighbor EBGP-TO-LEAF-PEER password $Password
   neighbor EBGP-TO-LEAF-PEER remote-as $LeafAS
   neighbor EBGP-TO-LEAF-PEER send-community
   neighbor EBGP-TO-LEAF-PEER fall-over bfd
   neighbor EBGP-TO-LEAF-PEER next-hop-self
   neighbor EBGP-TO-LEAF-PEER route-map ROUTE-MAP-IN in
   neighbor EBGP-TO-LEAF-PEER route-map ROUTE-MAP-OUT out
   neighbor EBGP-TO-LEAF-PEER maximum-routes 25000
   neighbor $Leaf1IPAddress peer-group EBGP-TO-LEAF-PEER
   neighbor $Leaf2IPAddress peer-group EBGP-TO-LEAF-PEER
!
banner login
This system is privately owned and operated. Access to this system is restricted to authorized users only. Criminal and civil laws prohibit unauthorized use. Violators will be prosecuted. You must disconnect immediately if you are not an authorized user.
EOF
!
management console
   idle-timeout 15
!
management ssh
   idle-timeout 15
!
!
…
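The template above is what "configuration consistency" has to be checked against: every P2P fabric link should carry the same baseline sub-commands, unused ports must be parked in VLAN 999 and shut, both SNMP communities must be bound to an ACL, TACACS+ must front login and command authorization, the BGP peer-group needs a password and a route limit, and management sessions need an idle timeout. The following audit is an added example, not code from the slides or from the NetDev project; it parses an EOS-style config into stanzas and reports drift from those template rules. The sample config is constructed for the example, with the $variables already substituted, and deliberately reproduces the gap visible in the template (Ethernet4/1/2 has no mtu 9214) plus a few other deviations.

```python
import re

# Constructed sample, not from the slides: a cut-down EOS-style spine config in
# the shape of the template above with the $variables already substituted.
# Ethernet4/1/2 deliberately lacks "mtu 9214", as it does in the template.
SAMPLE_CONFIG = """\
hostname spine1
snmp-server community public ro SNMP-RO-ACL
snmp-server community private rw
aaa authentication login default group tacacs+ local
aaa authorization commands 1,15 default group tacacs+ none
no aaa root
Interface Ethernet3/1/1
   description - P2P Link to LEAF switch-1
   speed forced 40gfull
   mtu 9214
   logging event link-status
   no switchport
   ip address 10.0.0.1/30
Interface Ethernet4/1/2
   description - P2P Link to LEAF switch-2
   speed forced 40gfull
   logging event link-status
   no switchport
   ip address 10.0.0.9/30
Interface Ethernet5/1/1
   switchport access vlan 999
   shut
Interface Ethernet5/1/2
   switchport access vlan 999
router bgp 65000
   neighbor EBGP-TO-LEAF-PEER peer-group
   neighbor EBGP-TO-LEAF-PEER remote-as 65001
   neighbor EBGP-TO-LEAF-PEER maximum-routes 25000
management ssh
   idle-timeout 15
management console
   idle-timeout 0
"""

# Sub-commands every point-to-point fabric link carries in the template.
P2P_BASELINE = ("speed forced 40gfull", "mtu 9214",
                "logging event link-status", "no switchport")
# Global AAA lines the template relies on, with the severity of their absence.
AAA_REQUIRED = {
    "aaa authentication login default group tacacs+ local": "high",
    "aaa authorization commands 1,15 default group tacacs+ none": "medium",
    "no aaa root": "high",
}


def parse_stanzas(config):
    """Split a flat config into {top-level line: [indented sub-commands]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no config
        if raw[0].isspace() and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = raw.strip()
            stanzas.setdefault(current, [])
    return stanzas


def audit(config):
    """Return [(severity, finding)]; an empty list means the config matches the baseline."""
    st = parse_stanzas(config)
    out = []
    for header, body in st.items():
        m = re.match(r"(?i)interface\s+(Ethernet\S+)", header)
        if m and any(l.startswith("description - P2P") for l in body):
            # Fabric links: every baseline sub-command must be present.
            out += [("medium", f"{m.group(1)}: P2P link missing '{l}'")
                    for l in P2P_BASELINE if l not in body]
        elif m and "switchport access vlan 999" in body and not {"shut", "shutdown"} & set(body):
            out.append(("high", f"{m.group(1)}: parked in VLAN 999 but not shut down"))
        m = re.match(r"snmp-server community \S+ (ro|rw)(\s+\S+)?$", header)
        if m and not m.group(2):  # no ACL name after ro/rw
            out.append(("high" if m.group(1) == "rw" else "medium",
                        f"SNMP {m.group(1)} community has no ACL"))
        if header.startswith("router bgp"):
            for g in {l.split()[1] for l in body if l.endswith(" peer-group")}:
                out += [("high", f"BGP peer-group {g} has no {a}") for a in ("password", "maximum-routes")
                        if not any(l.startswith(f"neighbor {g} {a}") for l in body)]
    out += [(sev, f"missing '{line}'") for line, sev in AAA_REQUIRED.items() if line not in st]
    for header in ("management ssh", "management console"):
        t = [l for l in st.get(header, []) if l.startswith("idle-timeout")]
        val = int(t[0].split()[1]) if t else None
        if not val or val > 15:  # absent, 0 (disabled) or longer than the template's 15
            out.append(("medium", f"{header}: idle-timeout is {val!r}, expected 1-15"))
    return out


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run against the sample it reports five findings: the missing MTU on Ethernet4/1/2, Ethernet5/1/2 parked but still up, the rw community without an ACL, the peer-group without a password, and the console idle-timeout of 0. Running the same audit over every generated config before it is pushed is the cheap way to catch the drift the "number 1 reason for network outages" bullet refers to.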
5. Puppet NetDev Module
NetDev is a vendor-neutral network abstraction framework contributed freely to the Puppet community
Basic layer-1 and layer-2 network abstractions
Can extend the framework to define any abstractions or features needed for an environment
The NetDev framework is open and free and accessible via Puppet Forge with implementations available for Arista, Juniper, Mellanox, Cumulus
9. How to take netdev to the next phase?
You want to run what on my network device?
Devops + NetOps != <3
I have 99 problems and no time for this discussion
10. Let's just teach every netops person to be a developer… problem solved!
11. Breaking down the configuration into constructible blocks….
STP
MLAG
VRRP
OSPF
VLAN
L2 Interface (access, trunk)
Logical Interface (LAG)
Physical Interface
L3 interface (ipv4, ipv6)
12. Patterns start to emerge…
interface
lag
l2_interface
interface
ip_interface
vrrp_interface
ospf_instance
ospf_area
ospf_interface
13. Hmm, come to think of it…
interface
   interface ethernet1/1
      description webservers
      no shutdown
ip_interface
   interface ethernet1/1
      no switchport
      ip address 10.10.4.1/24
vrrp_interface
   interface ethernet1/1
      vrrp 10 priority 200
      vrrp 10 timers advertise 3
      vrrp 10 ip 10.10.4.10
      exit
Isn't the CLI just like a DSL?
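Treating the CLI as a DSL means each stanza can be parsed into the resource types named on the previous two slides and rendered back out again, and an apply step then only has to emit the lines where the desired model and the running config disagree. The following is an added example, not code from the slides or from the netdev module, showing that round trip for the ethernet1/1 fragments above. The running-config sample is constructed by merging the three fragments into one stanza; the attribute names (enabled, routed, advertise_interval, virtual_ip and so on) are hypothetical choices for this example and are not the parameter names of the real netdev Puppet types.

```python
import re

# Constructed sample, not from the slides: the three CLI fragments above merged
# into the single stanza they would form in a running-config.
RUNNING_CLI = """\
interface ethernet1/1
   description webservers
   no switchport
   ip address 10.10.4.1/24
   vrrp 10 priority 200
   vrrp 10 timers advertise 3
   vrrp 10 ip 10.10.4.10
   no shutdown
"""

# Hypothetical attribute names chosen for this example; they are not the
# parameter names of the real netdev Puppet types.
VRRP_KEYS = {"priority": "priority", "timers advertise": "advertise_interval", "ip": "virtual_ip"}


def cli_to_resources(cli):
    """Parse one 'interface <name>' stanza into the three resource types on the slide."""
    lines = [l.strip() for l in cli.splitlines() if l.strip()]
    head = re.match(r"interface (\S+)$", lines[0])
    if not head:
        raise ValueError("expected an 'interface <name>' header")
    name = head.group(1)
    res = {
        "interface": {"name": name, "description": None, "enabled": True},
        "ip_interface": {"name": name, "routed": False, "address": None},
        "vrrp_interface": {"name": name, "group": None, "priority": None,
                           "advertise_interval": None, "virtual_ip": None},
    }
    for line in lines[1:]:
        if line == "exit":
            continue
        if m := re.match(r"description (.+)", line):
            res["interface"]["description"] = m.group(1)
        elif line in ("shutdown", "shut"):
            res["interface"]["enabled"] = False
        elif line in ("no shutdown", "no shut"):
            res["interface"]["enabled"] = True
        elif line == "no switchport":
            res["ip_interface"]["routed"] = True
        elif m := re.match(r"ip address (\S+)$", line):
            res["ip_interface"]["address"] = m.group(1)
        elif m := re.match(r"vrrp (\d+) (priority|timers advertise|ip) (\S+)$", line):
            v = res["vrrp_interface"]
            v["group"] = int(m.group(1))
            key = VRRP_KEYS[m.group(2)]
            v[key] = m.group(3) if key == "virtual_ip" else int(m.group(3))
        else:
            # Anything unmodelled is a gap in the DSL; refuse rather than silently drop it.
            raise ValueError(f"unmodelled CLI line: {line!r}")
    return res


def resources_to_cli(res):
    """Render the resource model back to the CLI lines the slide shows."""
    i, ip, v = res["interface"], res["ip_interface"], res["vrrp_interface"]
    out = [f"interface {i['name']}"]
    if i["description"]:
        out.append(f"   description {i['description']}")
    if ip["routed"]:
        out.append("   no switchport")
    if ip["address"]:
        out.append(f"   ip address {ip['address']}")
    if v["group"] is not None:
        g = v["group"]
        if v["priority"] is not None:
            out.append(f"   vrrp {g} priority {v['priority']}")
        if v["advertise_interval"] is not None:
            out.append(f"   vrrp {g} timers advertise {v['advertise_interval']}")
        if v["virtual_ip"]:
            out.append(f"   vrrp {g} ip {v['virtual_ip']}")
    out.append("   no shutdown" if i["enabled"] else "   shutdown")
    return out


def plan(running_cli, desired):
    """Idempotent apply: parse the running stanza, render both models and return only
    the sub-commands that differ (an empty list means the device already converges)."""
    current = set(resources_to_cli(cli_to_resources(running_cli)))
    wanted = resources_to_cli(desired)
    changes = [l for l in wanted[1:] if l not in current]
    return [wanted[0], *changes] if changes else []


if __name__ == "__main__":
    model = cli_to_resources(RUNNING_CLI)
    model["vrrp_interface"]["priority"] = 250
    print("\n".join(plan(RUNNING_CLI, model)) or "nothing to do")
```

Parsing the running config into the same model that the desired state is expressed in is what makes the apply step safe to re-run: an unchanged model produces an empty plan, and a single attribute change produces a single CLI line, which is also exactly the change record a reviewer wants to see before it reaches the device.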
14. Start small and expand the sphere of influence
automation
Services / Applications
Logical Interfaces
Physical Interfaces
VLANS
15. Feelin' the love
What's taking so long to upgrade to Enterprise?
Devops + NetOps = <3
I have 99 problems but automating my network isn't one of them
16. Automation with Puppet and EOS
Standard Binaries
Native Enterprise Integration
Orchestrate Arista EOS or Linux OS resource automation
Custom Facter integration for collecting state information
Leverage Arista AEM for responsive automation to state changes
Diagram labels: Puppet Master (Enterprise / Community); Resource Abstraction: Netdev Types, Arista EOS Types; Arista EOS Provider; eAPI, Gems, Ruby Sysdb, Linux Kernel
17. Call to action
• Great first step!
• Much more work to do
• Get Involved!!
  – We cannot model the network without your help