Cisco IOS commands configure routers, switches and similar devices. When many devices are involved, or several commands must be run to complete one task, manual operation is tedious and error-prone. Automating the configuration, and keeping the scripts under version control, lets you review historical configurations and keep the configuration of all devices consistent.
1. Types of Network Automation
Python:
Write a program that connects to IOS over SSH and drives it. Very flexible, but requires extra development effort.
Chef:
Start an Agent on the device; a Master controls what the Agent executes.
Ansible:
Uses SSH like the Python approach, but adds a layer on top of Python: official modules are invoked directly through YAML.
2. Prerequisites for using Ansible
Every device must have an IP address and SSH access configured:
Set the hostname
Set the domain name
Set the enable password
Create a login user and password
Generate a general-purpose RSA key pair
Configure the vty lines for login and SSH transport
Install the Ansible package on Linux:
yum install ansible / apt install ansible
Ansible versions differ between Linux distribution repositories, and some distributions do not carry it in the default repository.
It can also be installed directly with Python's pip: pip install ansible
Install the netcommon collection, which the network modules depend on:
ansible-galaxy collection install ansible.netcommon
Confirm that the Linux host can SSH to every Cisco device that will be managed:
ssh <username>@<cisco ip>
3. Lab test environment
EVE-NG is used to emulate the network devices, and Ansible configures them automatically. The test topology is shown below:
The Workstation Linux machine at the top left controls the two routers LAB-R1 and LAB-R2 on the right (IP addresses and SSH are already configured).
3.1. Writing ansible.cfg
The first step with Ansible is its configuration file. Because network devices are much simpler to drive than the Linux or Windows machines Ansible usually controls, ansible.cfg needs little: set the inventory location and the connection timeout (the default is 30s; extend it if that is too short).
[defaults]
inventory = ./inventory

[persistent_connection]
connect_timeout = 40
To learn more about Ansible and how to use it, see "Getting Started with Ansible" and HowHow's Ansible article series.
3.2. Configuring the Inventory
The inventory carries more settings than it would for Linux hosts: most parameters are written here (they could also go in group_vars, host_vars or the playbook). Since every target is a network device, they are all kept in one inventory.
[all:vars]
ansible_connection=ansible.netcommon.network_cli
ansible_network_os=ios
ansible_become_method=enable
ansible_become_password=eve
ansible_become=yes
ansible_user=admin
ansible_password=eve

[lab]
lab-R1 ansible_host=10.1.1.1
lab-R2 ansible_host=10.1.1.2
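The inventory above stores ansible_password and ansible_become_password in cleartext, and an INI inventory cannot hold ansible-vault encrypted values (those belong in a YAML vars file such as group_vars/all.yml). The following Python check is an added example, not part of the original post: it parses an INI inventory like the one shown and lists every credential variable it finds, so the file can be screened before it is committed. The sample inventory is constructed here; the extra ansible_password on lab-R2 is added to show that inline host variables are caught too.

```python
"""Added example: flag credentials kept in cleartext in an Ansible INI inventory.

INI inventories cannot carry ansible-vault encrypted values, so any credential key found
here is cleartext by construction; the fix is to move it into a vaulted YAML vars file."""
import re

# Constructed sample modelled on the inventory in the post (lab-R2 inline var added).
SAMPLE_INVENTORY = """\
[all:vars]
ansible_connection=ansible.netcommon.network_cli
ansible_network_os=ios
ansible_become_method=enable
ansible_become_password=eve
ansible_become=yes
ansible_user=admin
ansible_password=eve

[lab]
lab-R1 ansible_host=10.1.1.1
lab-R2 ansible_host=10.1.1.2 ansible_password=eve2
"""

# Variable names Ansible reads as secrets for SSH / enable (network_cli) connections.
CREDENTIAL_KEYS = {"ansible_password", "ansible_ssh_pass",
                   "ansible_become_password", "ansible_become_pass"}
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")

def parse_ini_inventory(text):
    """Return (section, scope, key, value) tuples: scope is the group name for a
    [group:vars] line, or the host name for a 'host key=value ...' line."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None:
            continue                                # key/value before any header: ignore
        if section.endswith(":vars"):
            key, _, value = line.partition("=")
            entries.append((section, section[:-len(":vars")], key.strip(), value.strip()))
        else:
            host, *pairs = line.split()             # host line with optional inline vars
            for pair in pairs:
                key, _, value = pair.partition("=")
                entries.append((section, host, key, value))
    return entries

def find_cleartext_credentials(text):
    """Return sorted (scope, key) pairs for every credential variable in the inventory."""
    return sorted({(scope, key) for _, scope, key, _ in parse_ini_inventory(text)
                   if key in CREDENTIAL_KEYS})
```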
3.3. Testing connectivity
Use an Ansible ad-hoc command with the ping module to verify that the control host can reach R1 and R2.
[student@workstation cisco]$ ansible lab -m ping
lab-R2 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
lab-R1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
4. Ansible usage examples
4.1. Viewing the interface configuration of R1 and R2
Use the ios_command module:
[student@workstation cisco]$ ansible lab -m ios_command -a "commands='sh ip int br'"
lab-R2 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "stdout": [
        "Interface IP-Address OK? Method Status Protocol\nEthernet0/0 192.168.1.50 YES NVRAM up up \nEthernet0/1 10.1.1.2 YES NVRAM up up \nEthernet0/2 unassigned YES NVRAM administratively down down \nEthernet0/3 unassigned YES NVRAM administratively down down"
    ],
    "stdout_lines": [
        [
            "Interface IP-Address OK? Method Status Protocol",
            "Ethernet0/0 192.168.1.50 YES NVRAM up up ",
            "Ethernet0/1 10.1.1.2 YES NVRAM up up ",
            "Ethernet0/2 unassigned YES NVRAM administratively down down ",
            "Ethernet0/3 unassigned YES NVRAM administratively down down"
        ]
    ]
}
lab-R1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "stdout": [
        "Interface IP-Address OK? Method Status Protocol\nEthernet0/0 192.168.1.60 YES NVRAM up up \nEthernet0/1 10.1.1.1 YES NVRAM up up \nEthernet0/2 unassigned YES NVRAM administratively down down \nEthernet0/3 unassigned YES NVRAM administratively down down"
    ],
    "stdout_lines": [
        [
            "Interface IP-Address OK? Method Status Protocol",
            "Ethernet0/0 192.168.1.60 YES NVRAM up up ",
            "Ethernet0/1 10.1.1.1 YES NVRAM up up ",
            "Ethernet0/2 unassigned YES NVRAM administratively down down ",
            "Ethernet0/3 unassigned YES NVRAM administratively down down"
        ]
    ]
}
4.2. Writing a Playbook
Set a banner message and create four Loopback interfaces:
Write basic_setting.yml
- name: Gemeral Config
  hosts: lab
  tasks:
    - name: Add Banner..
      ios_banner:
        banner: motd
        text: |
          Hello Cisco Route
          Maked by Asible...
        state: present
    - name: Add loopback
      ios_interface:
        name: "Loopback{{item}}"
        state: present
      loop:
        - 77
        - 78
        - 79
        - 80
Run the playbook
[student@workstation cisco]$ ansible-playbook basic_setting.yml
[DEPRECATION WARNING]: ios_interface is kept for backwards compatibility but usage is discouraged. The module
documentation details page may explain more about this rationale.. This feature will be removed in a future
release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

PLAY [Gemeral Config] *****************************************************************************************

TASK [Gathering Facts] ****************************************************************************************
[WARNING]: Ignoring timeout(10) for ios_facts
[WARNING]: Ignoring timeout(10) for ios_facts
[WARNING]: default value for `gather_subset` will be changed to `min` from `!config` v2.11 onwards
ok: [lab-R1]
ok: [lab-R2]

TASK [Add Banner..] *******************************************************************************************
changed: [lab-R2]
changed: [lab-R1]

TASK [Add loopback] *******************************************************************************************
changed: [lab-R1] => (item=77)
changed: [lab-R2] => (item=77)
changed: [lab-R1] => (item=78)
changed: [lab-R2] => (item=78)
changed: [lab-R1] => (item=79)
changed: [lab-R2] => (item=79)
changed: [lab-R1] => (item=80)
changed: [lab-R2] => (item=80)

PLAY RECAP ****************************************************************************************************
lab-R1                     : ok=3    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
lab-R2                     : ok=3    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
Logging in to the lab-R1 router now shows the motd message and the newly added interfaces
[root@workstation cisco]# ssh admin@10.1.1.1
Password:
Hello Cisco Route
Maked by Asible...
lab-r1>en
Password:
lab-r1#sh ip int br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.168.1.60 YES NVRAM up up
Ethernet0/1 10.1.1.1 YES NVRAM up up
Ethernet0/2 unassigned YES NVRAM administratively down down
Ethernet0/3 unassigned YES NVRAM administratively down down
Loopback77 unassigned YES unset up up
Loopback78 unassigned YES unset up up
Loopback79 unassigned YES unset up up
Loopback80 unassigned YES unset up up
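Checking the result by hand, as above, does not scale past two routers. The following Python code is an added example, not part of the original post: it parses `show ip interface brief` output in the form ios_command returns it (section 4.1, the stdout_lines list of lists) and verifies that the Loopback interfaces the playbook should have created are present and up/up. The parser takes the fixed columns from the front of each line and Protocol from the end, because the Status column can be the two words "administratively down". The sample output is constructed from the lab-R1 listing above.

```python
"""Added example: parse `show ip interface brief` as returned by ios_command and verify
the interfaces the playbook should have created (not part of the original post)."""

# Constructed sample modelled on the lab-R1 output shown in the post after the playbook ran.
SHOW_IP_INT_BR = """\
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            192.168.1.60    YES NVRAM  up                    up
Ethernet0/1            10.1.1.1        YES NVRAM  up                    up
Ethernet0/2            unassigned      YES NVRAM  administratively down down
Ethernet0/3            unassigned      YES NVRAM  administratively down down
Loopback77             unassigned      YES unset  up                    up
Loopback78             unassigned      YES unset  up                    up
Loopback79             unassigned      YES unset  up                    up
Loopback80             unassigned      YES unset  up                    up
"""

def parse_show_ip_int_brief(text):
    """Return {interface: fields}. Status may be two words ("administratively down"),
    so Interface/IP/OK/Method come from the front and Protocol from the end of the line."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header row
        tokens = line.split()
        if len(tokens) < 6:                     # blank or truncated line
            continue
        name, ip, ok, method = tokens[:4]
        table[name] = {
            "ip": None if ip == "unassigned" else ip,
            "ok": ok == "YES",
            "method": method,
            "status": " ".join(tokens[4:-1]),
            "protocol": tokens[-1],
        }
    return table

def from_ios_command(stdout_lines):
    """ios_command returns stdout_lines as one list of lines per command; take the first."""
    return parse_show_ip_int_brief("\n".join(stdout_lines[0]))

def missing_or_down(table, expected):
    """Interfaces in `expected` that are absent or not up/up: the post-run compliance check."""
    return sorted(
        name for name in expected
        if name not in table
        or table[name]["status"] != "up"
        or table[name]["protocol"] != "up"
    )
```

Run against the stdout_lines of every host in the ios_command result, a non-empty list from missing_or_down is the signal that the playbook did not converge on that device.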
5. Learning more ways to control IOS with Ansible modules
The official Ansible documentation has a dedicated section for the cisco.ios collection, with usage examples for each module; these modules make managing network devices very convenient. See the official documentation for details.
For example, configuring ACL rules:
From docs.ansible.com
6. Summary
Cisco keeps increasing the share of automation in its certification exams; it carries substantial weight in both CCNA and CCNP. This shows that automation is an unstoppable trend and one of the skills that must be mastered going forward.