Puppet for Junos

PUPPET FOR JUNOS

Jeremy Schulman - Global Solutions Architect | Network Automation
@nwkautomaniac
#ProgramTheNetwork

2013-April

Copyright © 2013 Juniper Networks, Inc. www.juniper.net

LEGAL DISCLAIMER

This presentation contains statements
pertaining to product direction and is subject
to change at any time without notice.
No purchases are contingent upon Juniper
Networks delivering any feature or
functionality depicted on this presentation.


PUPPET FOR JUNOS
AVAILABLE NOW! AS “EARLY-ADOPTER (EA)” 2/15/2013

“DevOps” approach to distribution:
 Puppet “netdev” module source code is in Github

 All packages are stored where they should be (Puppet Forge,…)

 Support done on J-Net community forum

 Juniper Tech-Pages available

 Free, “BSD-style” license

Junos Products at GA
 EX4200, EX4550: 12.3R2.5

 QFX3500, QFX3600: 12.3Q R2

 MX5 ... MX960: 12.3R2.5


PUPPET FOR JUNOS
HOW IT ALL FITS TOGETHER

Puppet Master
(server)
Device running Junos OS
"netdev"

"netdev" are Puppet modules stored
on the Puppet master. The switch Puppet "netdev" modules
running the Puppet agent downloads
this code via SSL

Puppet Agent
(client)
Ruby Gems
jpuppet
Ruby Interpreter
package

All Junos products are equipped with a
XML API that enables programmatic XML
configuration changes and operational (FreeBSD)
management

PUPPET FOR JUNOS
ON THE INTERNET

Puppet Labs Solution Page:
https://puppetlabs.com/solutions/juniper-networks/

Quick Links:
 Junos software package files:
https://downloads.puppetlabs.com/junos
 Juniper TechPubs: http://juni.pr/XTeSgl

 Puppet Module juniper/netdev_stdlib_junos:
http://bit.ly/Z49NkO


ABOUT PUPPET

PUPPET LABS
 8 years Experience in the IT automation market
 10 million+ Nodes being managed worldwide by Puppet. 60,000+
nodes managed in largest deployments
 3.5 million Downloads of Puppet Labs software in the past 12 months
 6,000+ Active and growing community of users around the world
who collaborate with each other 24x7 in variety of forums
 900+ Community-contributed Puppet Forge modules, and
330,000+ downloads of modules in the past 12 months
 750+ Paying customers

Finance, Telecom, Entertainment, Web, R
etail, Hi-
Customer
Tech, Healthcare, Government, Defense,
Verticals
Education, Manufacturing
and Insurance

WHAT IS PUPPET?
AUTOMATION FOR IT INFRASTRUCTURE

Puppet is an automation software product used by IT teams to manage
large scale deployments of complex compute resources (servers)
Puppet Labs offers Puppet in two forms: as open-source and a
commercial Enterprise edition
Puppet Enterprise automates tasks at any stage of the IT infrastructure
lifecycle, including:
 Provisioning
 Discovery Doesn't this list sound
 OS & App Configuration Management exactly like what
 Build & Release Management networking customers
are always asking for ?
 Patch Management
…
 Infrastructure Audit & Compliance


WHY DOES PUPPET MATTER?
APPLICATIONS DRIVE THE BUSINESS

IT infrastructure spend is focused on applications
 Datacenter applications drive business revenue
 Top-of-rack switching is a commodity, the network is a "utility" that
serves the applications

Server admins/DevOps drive IT innovation
 They follow well defined and mature configuration management processes
 They use sophisticated automation tools
 They employ programmers

Puppet developer ecosystem
 Server admins write Puppet "code" to version control and deploy enterprise
applications at large scale
 Puppet Forge is an ecosystem of 3rd-party Puppet developers,
over 850 modules
They want to use one IT modeling process to
orchestrate servers and top-of-rack switching
for integrated delivery of their applications

DEPLOYING INFRASTRUCTURE AT SCALE
LARGE DATACENTERS DEPEND ON PUPPET

The Puppet framework provides for one IT
modeling process to deploy applications
across mixed server/compute environments
(Windows, CentOS, Debian, etc.)
The role of the Puppet Master is to assign
Nodes (devices) into classes, e.g. "web
server", "database server", etc. Each class
definition describes the catalog of resources
needed at on device, e.g.
Apache, MySQL, etc. The resources
describe what to do, not how to do it
Applying this concept to networking, the
resources would be
"interfaces", "vlans", etc. And the As compute has become a software
complexities of network management are defined service to the applications, the
abstracted by the Puppet agent running on network must also become a software
the switch defined service. This "software" can then
be "versioned" for application rollout
The Puppet framework enables large scale
changes to devices by simply changing the
class definition on the Puppet Master

NETDEV PUPPET MODULE

PUPPET FOR JUNOS
NETDEV PUPPET MODULE

Netdev is a vendor-neutral network abstraction
framework developed by Juniper Networks and
contributed freely to the DevOps community

Juniper has contributed basic layer-1 and layer-2
network abstractions. Other abstractions are TBD

DevOps can extend the framework to define any
abstractions or features they need for their environment

The Netdev framework is open and free; i.e. the
“DevOps” way


NETDEV
RESOURCES TYPES

Resource Description
netdev_vlan Manages VLAN configuration
netdev_interface Manages Physical Interface configuration
netdev_l2_interface Manages VLAN to interface assignments
netdev_lag Manages Link Aggregation Group configuration

Every resource supports the standard Puppet ensure property which
creates/removes configuration
Each resource also supports an active property which configures the Junos
“activate / deactivate” control


NETDEV_VLAN
MANAGE VLANS

Property Description
name The name of the VLAN, e.g. “Blue”
vlan_id The VLAN tag-ID value [ 1 .. 4095 ]
description The VLAN description. If one is not provided, then it will
default to:
Puppet created VLAN: <name>: <vlan-id>

VLANs are assigned to ports using the netdev_l2_interface resource


NETDEV_INTERFACE
MANAGE PHYSICAL INTERFACES

name The name of the interface, e.g. “ge-0/0/0”

description Assigns the description value to the interface, defaults to:
Puppet created interface: <name>

admin Configures the administrative state, defaults to up:
up, down

mtu Configures the interface MTU value

speed Defaults to auto, Forces the link speed:
10m, 100m, 1g, 10g, auto

duplex Defaults to auto
Forces the link duplex:
full, half, auto


NETDEV_L2_INTERFACE
MANAGE ASSIGNMENT OF VLANS TO SWITCH PORTS

name The name of the interface, e.g. “ge-0/0/0”, note: does *not*
include the unit number

description Assigns the description value to the interface, defaults to:
Puppet created eth-switch: <name>

untagged_vlan VLAN name for untagged packets. If the port is also processing
tagged packets, then this VLAN is the "native VLAN"

tagged_vlans VLAN names for tagged packets. This could be a single value, or an
array of values. When this property is set, vlan_tagging
property defaults to enable

vlan_tagging Normally not used ... automatic by Puppet
disable (default) - port is in access mode, tagged packets discarded
enable - port is in trunk mode, tagged packets processed
Automatically set to enable if tagged_vlans is also set


NETDEV_LAG
MANAGE LINK AGGREGATION GROUPS


name The name of the interface, e.g. “ae0”

links A list of physical interfaces that makes up the LAG bundle

lacp Controls if and how the Link Aggregation Control Protocol (LACP) is
used.
disabled (default) – LACP is not used
active – LACP is in the active mode
passive – LACP is in the passive mode

minimum_links The number of physical links that must be in the “up” condition to
declare the LAG port in the “up” condition. By default this value is
not set and there is no minimum link requirement


MANIFEST EXAMPLE

SIMPLE EXAMPLE OF VLANS AND SWITCH PORTS

node "jex" {
The node name is the
netdev_device { $hostname: }
hostname of the device. The
netdev_vlan { "Pink":
vlan_id => 703,
variable $hostname comes
description => "This is a pink vlan", from the facter program
}

netdev_vlan { "Green":
vlan_id => 500,
}

netdev_l2_interface { 'ge-0/0/19':
untagged_vlan => Pink,
} ge-0/0/19 will be an
netdev_l2_interface { 'ge-0/0/20': "access" port and
description => "My port, back off!",
untagged_vlan => Blue,
tagged_vlans => [ Green, Black, Yellow ],
ge-0/0/20 will be a
}
} "trunk" port with a
native-vlan-id


PUPPET VARIABLE AND CLASSES
$vlans = {
'Blue' => { vlan_id => 100, description => "This is a blue vlan, just updated" },
'Green' => { vlan_id => 101, description => "This is a Green VLAN" },
'Purple' => { vlan_id => 102, description => "Puple is purdy" },
'Red' => { vlan_id => 103, description => "This is a red vlan" },
'Yellow' => { vlan_id => 104, description => "This is a yellow vlan" }
}

class database_switch {


create_resources( netdev_vlan, $vlans )

$db_port_desc = "This is for database"

$db_ports = {
"ge-0/0/0" => { description => "${db_port_desc} ge0" },
"ge-0/0/1" => { description => "${db_port_desc} ge1" },
"ge-0/0/2" => { description => 'this is ge2' },
"ge-0/0/3" => { description => 'this is ge3' },
}

$db_port_settings = {
untagged_vlan => Red,
tagged_vlans => [Red, Green, Yellow]
}

create_resources( netdev_l2_interface, $db_ports, $db_port_settings )
}


NODES USING CLASSES

node "jex" {
include database_switch
}

node "gizmo" {
include database_switch

netdev_vlan { "myMailserver":
vlan_id => 99,
description => "Private Mailsever VLAN"
}

netdev_l2_interface { "ge-0/0/20":
description => "Going to mailserver",
tagged_vlans => myMailserver
}
}


MORE ADVANCED TECHNIQUES
INFRASTRUCTURE AS CODE + DATA DRIVEN INFRASTRUCTURE
node "ex4" {


$vlans = loadyaml( "/etc/puppet/manifests/files/vlans.yaml" )
$lags = loadyaml( "/etc/puppet/manifests/nodes/lags.yaml" )
$tor_conf = loadyaml( "/etc/puppet/manifests/nodes/tor-config.yaml")

create_resources( netdev_vlan, $vlans )

# define the server ports, even numbers between 10 and 20
$server_ports = bracket_expansion( "ge-0/0/[10-20]", 2 )

netdev_l2_interface { $server_ports:
untagged_vlan => $tor_conf[server_ports][vlan]
}

# define the LAG ports. Take the complete list of all LAG links and ensure that
# there are no layer-2 services on them. Then create the netdev_lag resources and
# assign the list of VLANs. The inline_template below is Ruby/ERB.

$all_lag_links = split( inline_template( "<%= lags.collect{|k,v| v['links']}.join(' ') %>"),' ')
netdev_l2_interface { $all_lag_links: ensure => absent }

create_resources( netdev_lag, $lags )
$lag_names = keys( $lags )
netdev_l2_interface { $lag_names:
tagged_vlans => $tor_conf[lag_ports][vlans]
}
} Special Thanks to Krzysztof Wilczynski for his library of handy
Puppet functions; bracket_expansion()
https://github.com/kwilczynski/puppet-functions

EXAMPLE YAML FILES
tor-config.yaml custom use data
---
server_ports:
vlan: Purple

lag_ports:
vlans:
- Red
- Green
- Blue
- Yellow

vlans.yaml maps directly to resource properties
---
Red:
vlan_id: 57
description: This is a Red vlan
Green:
vlan_id: 101
description: This is a Green vlan
Blue:
vlan_id: 102
description: This is a Blue vlan
Yellow:
vlan_id: 1003
description: This is a Yellow vlan
Purple:
vlan_id: 104
description: This is a Purple vlan

SWITCH PRODUCT FAMILIES
EX + QFX

NETDEV_VLAN

node "ex4" {

vlan_id => 101,
description => 'This is a Green vlan'
}
}

vlans {
Green {
description "This is a Green vlan";
vlan-id 101;
}
}


NETDEV_L2_INTERFACE
ACCESS PORT EXAMPLE

node "ex4" {

untagged_vlan => Green
}
}

interfaces {
ge-0/0/9 {
unit 0 {
description "Puppet created eth-switch: ge-0/0/9"
family ethernet-switching;
port-mode access;
vlan {
members Green;
}
}
}
}


NETDEV_L2_INTERFACE
TRUNK PORT EXAMPLE

node "ex4" {

tagged_vlans => [ Red, Green, Blue, Yellow ]
}
}

interfaces {
ge-0/0/9 {
unit 0 {
description "Puppet created eth-switch: ge-0/0/9";
family ethernet-switching {
port-mode trunk;
vlan {
members [ Green Red Blue Yellow ];
}
}
}
}


NETDEV_L2_INTERFACE
TRUNK PORT WITH NATIVE-VLAN-ID EXAMPLE

node "ex4" {

untagged_vlan => Red
tagged_vlans => [ Green, Blue, Yellow ]
}
}

interfaces {
ge-0/0/9 {
unit 0 {
description "Puppet created eth-switch: ge-0/0/9";
port-mode trunk;
vlan {
members [ Green Blue Yellow ];
}
native-vlan-id Red;
}
}
}


NETDEV_L2_INTERFACE
CONVERTING "TRUNK" TO "ACCESS"

node "ex4" {

# tagged_vlans => [ Green, Blue, Yellow ]
}
}

notice: /Stage[main]//Node[ex4]/Netdev_l2_interface[ge-0/0/9]/vlan_tagging: vlan_tagging
changed 'enable' to 'disable'
notice: /Stage[main]//Node[ex4]/Netdev_l2_interface[ge-0/0/9]/tagged_vlans: tagged_vlans
changed '[Green,Blue,Yellow]' to '[]'
info: JUNOS: Committing 1 changes.
notice: JUNOS:

[edit interfaces ge-0/0/9 unit 0 family ethernet-switching]
- port-mode trunk;
+ port-mode access;
[edit interfaces ge-0/0/9 unit 0 family ethernet-switching vlan]
- members [ Green Blue Yellow ];
+ members Red;
- native-vlan-id Red;


NETDEV_L2_INTERFACE
CONVERTING BACK ...

node "ex4" {

}
}

notice: /Stage[main]//Node[ex4]/Netdev_l2_interface[ge-0/0/9]/vlan_tagging: vlan_tagging
changed 'disable' to 'enable'
notice: /Stage[main]//Node[ex4]/Netdev_l2_interface[ge-0/0/9]/tagged_vlans: tagged_vlans
changed '[]' to '[Green,Blue,Yellow]'
notice: JUNOS:

- port-mode access;
+ port-mode trunk;
[edit interfaces ge-0/0/9 unit 0 family ethernet-switching vlan]
- members Red;
+ members [ Green Blue Yellow ];
+ native-vlan-id Red;


NETDEV_LAG
COMPLETE EXAMPLE

node "ex4" {

$ae1_ports = [ 'ge-0/0/10', 'ge-0/0/11', 'ge-0/0/12' ]

netdev_lag { "ae1":
links => $ae1_ports,
lacp => active,
minimum_links => 2
}

netdev_l2_interface { $ae1_ports: ensure => absent }
netdev_l2_interface { 'ae1':
tagged_vlans => [ Black, Yellow ]
}

}

This example is using a few Puppet mechanisms in combination:
• declaring a variable for the interface list $ae1_ports
• creating the netdev_lag port
• ensuring that the ports in the lag don't have any VLANs on them
using ensure => absent
• assigning vlans to the LAG port as a netdev_l2_interface

NETDEV_LAG
CONFIGURATION CREATED ... MORE ON NEXT SLIDE

interfaces {
ae1 {
apply-macro "netdev_lag[:links]" {
ge-0/0/10;
ge-0/0/11;
ge-0/0/12;
}
aggregated-ether-options {
minimum-links 2;
lacp {
active;
}
}
unit 0 {
description "Puppet created eth-switch: ae1";
port-mode trunk;
vlan {
members [ Yellow Black ];
}
}
}
}

The apply-macro is a 'config cookie' that is used exclusively by
the netdev provider code. This apply-macro may be removed in
future releases, so do not make any use or assumptions about it.


NETDEV_LAG
CONFIGURATION CREATED

interfaces {
ge-0/0/10 {
ether-options {
802.3ad ae1;
}
}
ge-0/0/11 {
ether-options {
802.3ad ae1;
}
}
ge-0/0/12 {
ether-options {
802.3ad ae1;
}
}
}


MX PRODUCT FAMILY

MX PRODUCT FAMILY
TARGET AVAILABILITY FOR GA RELEASE

MX240, MX480, MX960 – Intel
MX5, MX10, MX40, MX80 – PowerPC
Functional behavior and “netdev” abstractions are the
same between MX and EX/QFX
Configuration differences between MX and EX/QFX:
 Interfaces use VLAN tag-ID values and not VLAN names
 bridge-domain stanza not vlan stanza
 MX does not support access port with unassigned VLAN-ID
 MX does not support trunk port with unassigned VLAN-ID list


NETDEV_VLAN

node "nadal" {

vlan_id => 101,
description => 'This is a Green vlan'
}
}

bridge-domains {
Green {
description "This is a Green vlan";
domain-type bridge;
vlan-id 101;
}
}


NETDEV_L2_INTERFACE
ACCESS PORT EXAMPLE

node "nadal" {

untagged_vlan => Green
}
}

interfaces {
ge-5/0/3
unit 0 {
description "Puppet created netdev_l2_interface: ge-5/0/3";
family bridge {
interface-mode access;
vlan-id 101;
}
}
}
}


NETDEV_L2_INTERFACE
TRUNK PORT EXAMPLE

node "nadal" {

tagged_vlans => [ Red, Green, Blue, Yellow ]
}
}

interfaces {
ge-5/1/2 {
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
unit 0 {
family bridge {
interface-mode trunk;
vlan-id-list [ 101 102 1003 57 ];
}
}
}
}


NETDEV_L2_INTERFACE
TRUNK PORT WITH NATIVE-VLAN-ID EXAMPLE

node "nadal" {

}
}

interfaces {
ge-5/3/9 {
flexible-vlan-tagging;
native-vlan-id 57;
encapsulation flexible-ethernet-services;
unit 0 {
family bridge {
interface-mode trunk;
vlan-id-list [ 57 101 102 1003 ];
}
}
}
}


NETDEV_L2_INTERFACE
CONVERTING "TRUNK" TO "ACCESS"

node "nadal" {

# tagged_vlans => [ Green, Blue, Yellow ]
}
}

notice: /Stage[main]//Node[nadal]/Netdev_l2_interface[ge-5/3/9]/vlan_tagging: vlan_tagging
changed 'enable' to 'disable'
notice: /Stage[main]//Node[nadal]/Netdev_l2_interface[ge-5/3/9]/tagged_vlans: tagged_vlans
changed '[Green,Blue,Yellow]' to '[]'
notice: JUNOS:

[edit interfaces ge-5/3/9]
- flexible-vlan-tagging;
- native-vlan-id 57;
- encapsulation flexible-ethernet-services;
- unit 0 {
- description "Puppet created netdev_l2_interface: ge-5/3/9";
- family bridge {
- interface-mode trunk;
- vlan-id-list [ 57 101 102 1003 ];
- }
- }
+ unit 0 {
+ description "Puppet created netdev_l2_interface: ge-5/3/9";
+ family bridge {
+ interface-mode access;
+ vlan-id 57;
+ }
+ } Copyright © 2013 Juniper Networks, Inc. www.juniper.net

NETDEV_L2_INTERFACE
CONVERTING BACK ...

node "nadal" {

}
}

notice: /Stage[main]//Node[nadal]/Netdev_l2_interface[ge-5/3/9]/vlan_tagging: vlan_tagging
changed 'disable' to 'enable'
notice: /Stage[main]//Node[nadal]/Netdev_l2_interface[ge-5/3/9]/tagged_vlans: tagged_vlans
changed '[]' to '[Red,Green,Blue,Yellow]'
notice: JUNOS:

[edit interfaces ge-5/3/9]
+ flexible-vlan-tagging;
+ native-vlan-id 57;
+ encapsulation flexible-ethernet-services;
[edit interfaces ge-5/3/9 unit 0 family bridge]
- interface-mode access;
- vlan-id 57;
+ interface-mode trunk;
+ vlan-id-list [ 57 101 102 1003 ];


INSTALLING PUPPET FOR JUNOS

PUPPET-MASTER
gem install netconf
puppet module install juniper/netdev_stdlib_junos


JUNOS
1. Download jpuppet-<platform>.tgz onto Junos device
2. configure
3. set system extensions providers juniper
license-type juniper deployment-scope
commercial
4. commit and-quit
5. request system software add <jpuppet-
path> no-validate
6. show version

JUNOS for Puppet [1.0R1.1 (Puppet 2.7.19)]


#ProgramTheNetwork

THANK YOU !


Puppet for Junos

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (13)

Ähnlich wie Puppet for Junos

Ähnlich wie Puppet for Junos (20)

Mehr von Juniper Networks

Mehr von Juniper Networks (20)

Puppet for Junos

Hinweis der Redaktion