Puppet for Junos

Copyright © 2013 Juniper Networks, Inc. www.juniper.net

PUPPET FOR JUNOS

Jeremy Schulman - Global Solutions Architect | Network Automation

@nwkautomaniac#ProgramTheNetwork

2013-April


LEGAL DISCLAIMER

This presentation contains statements pertaining to product direction and is subject

to change at any time without notice.

No purchases are contingent upon Juniper Networks delivering any feature or

functionality depicted on this presentation.




PUPPET FOR JUNOSAVAILABLE NOW! AS “EARLY-ADOPTER (EA)” 2/15/2013

“DevOps” approach to distribution:

Puppet “netdev” module source code is in Github

All packages are stored where they should be (Puppet Forge,…)

Support done on J-Net community forum

Juniper Tech-Pages available

Free, “BSD-style” license

Junos Products at GA

EX4200, EX4550: 12.3R2.5

QFX3500, QFX3600: 12.3Q R2

MX5 ... MX960: 12.3R2.5


Ruby Interpreterjpuppetpackage

Device running Junos OS

Puppet "netdev" modules

XML

(FreeBSD)

Ruby GemsPuppet Agent(client)

Puppet Master(server)

"netdev"

PUPPET FOR JUNOSHOW IT ALL FITS TOGETHER

"netdev" are Puppet modules stored on the Puppet master. The switch running the Puppet agent downloads this code via SSL

All Junos products are equipped with a XML API that enables programmatic configuration changes and operational management


PUPPET FOR JUNOSON THE INTERNET

Puppet Labs Solution Page: https://puppetlabs.com/solutions/juniper-networks/

Quick Links: Junos software package files:

https://downloads.puppetlabs.com/junos

Juniper TechPubs: http://juni.pr/XTeSgl

Puppet Module juniper/netdev_stdlib_junos:http://bit.ly/Z49NkO

https://puppetlabs.com/solutions/juniper-networks/

https://downloads.puppetlabs.com/junos

http://juni.pr/XTeSgl

http://bit.ly/Z49NkO


ABOUT PUPPET


PUPPET LABS

8 years Experience in the IT automation market

10 million+ Nodes being managed worldwide by Puppet. 60,000+ nodes managed in largest deployments

3.5 million Downloads of Puppet Labs software in the past 12 months

6,000+ Active and growing community of users around the world who collaborate with each other 24x7 in variety of forums

900+ Community-contributed Puppet Forge modules, and 330,000+ downloads of modules in the past 12 months

750+ Paying customers

Finance, Telecom, Entertainment, Web, Retail, Hi-Tech, Healthcare, Government,

Defense, Education, Manufacturing and Insurance

Customer Verticals


WHAT IS PUPPET?AUTOMATION FOR IT INFRASTRUCTURE

Puppet is an automation software product used by IT teams to manage large scale deployments of complex compute resources (servers)

Puppet Labs offers Puppet in two forms: as open-source and a commercial Enterprise edition

Puppet Enterprise automates tasks at any stage of the IT infrastructure lifecycle, including:

Provisioning Discovery OS & App Configuration Management Build & Release Management Patch Management Infrastructure Audit & Compliance

Doesn't this list sound exactly like what networking customers are always asking for ? …

http://www.puppetlabs.com/


WHY DOES PUPPET MATTER?APPLICATIONS DRIVE THE BUSINESS

IT infrastructure spend is focused on applications Datacenter applications drive business revenue Top-of-rack switching is a commodity, the network is a "utility" that

serves the applications

Server admins/DevOps drive IT innovation They follow well defined and mature configuration management processes They use sophisticated automation tools They employ programmers

Puppet developer ecosystem Server admins write Puppet "code" to version control and deploy enterprise

applications at large scale Puppet Forge is an ecosystem of 3rd-party Puppet developers,

over 850 modules

They want to use one IT modeling process to orchestrate servers and top-of-rack switching

for integrated delivery of their applications


DEPLOYING INFRASTRUCTURE AT SCALELARGE DATACENTERS DEPEND ON PUPPET

The Puppet framework provides for one IT modeling process to deploy applications across mixed server/compute environments (Windows, CentOS, Debian, etc.)

The role of the Puppet Master is to assign Nodes (devices) into classes, e.g. "web server", "database server", etc. Each class definition describes the catalog of resources needed at on device, e.g. Apache, MySQL, etc. The resources describe what to do, not how to do it

Applying this concept to networking, the resources would be "interfaces", "vlans", etc. And the complexities of network management are abstracted by the Puppet agent running on the switch

The Puppet framework enables large scale changes to devices by simply changing the class definition on the Puppet Master

As compute has become a software defined service to the applications, the network must also become a software defined service. This "software" can then be "versioned" for application rollout


NETDEV PUPPET MODULE


PUPPET FOR JUNOSNETDEV PUPPET MODULE

Netdev is a vendor-neutral network abstraction framework developed by Juniper Networks and contributed freely to the DevOps community

Juniper has contributed basic layer-1 and layer-2 network abstractions. Other abstractions are TBD

DevOps can extend the framework to define any abstractions or features they need for their environment

The Netdev framework is open and free; i.e. the “DevOps” way


NETDEV RESOURCES TYPES

Resource Description

netdev_vlan Manages VLAN configuration

netdev_interface Manages Physical Interface configuration

netdev_l2_interface Manages VLAN to interface assignments

netdev_lag Manages Link Aggregation Group configuration

Every resource supports the standard Puppet ensure property which creates/removes configuration

Each resource also supports an active property which configures the Junos “activate / deactivate” control


NETDEV_VLAN MANAGE VLANS

Property Description

name The name of the VLAN, e.g. “Blue”

vlan_id The VLAN tag-ID value [ 1 .. 4095 ]

description The VLAN description. If one is not provided, then it will default to:Puppet created VLAN: <name>: <vlan-id>

VLANs are assigned to ports using the netdev_l2_interface resource


NETDEV_INTERFACE MANAGE PHYSICAL INTERFACES


name The name of the interface, e.g. “ge-0/0/0”

description Assigns the description value to the interface, defaults to:Puppet created interface: <name>

admin Configures the administrative state, defaults to up:up, down

mtu Configures the interface MTU value

speed Defaults to auto, Forces the link speed:10m, 100m, 1g, 10g, auto

duplex Defaults to autoForces the link duplex:full, half, auto


NETDEV_L2_INTERFACE MANAGE ASSIGNMENT OF VLANS TO SWITCH PORTS


name The name of the interface, e.g. “ge-0/0/0”, note: does *not* include the unit number

description Assigns the description value to the interface, defaults to:Puppet created eth-switch: <name>

untagged_vlan VLAN name for untagged packets. If the port is also processing tagged packets, then this VLAN is the "native VLAN"

tagged_vlans VLAN names for tagged packets. This could be a single value, or an array of values. When this property is set, vlan_tagging property defaults to enable

vlan_tagging Normally not used ... automatic by Puppetdisable (default) - port is in access mode, tagged packets discardedenable - port is in trunk mode, tagged packets processedAutomatically set to enable if tagged_vlans is also set


NETDEV_LAG MANAGE LINK AGGREGATION GROUPS


name The name of the interface, e.g. “ae0”

links A list of physical interfaces that makes up the LAG bundle

lacp Controls if and how the Link Aggregation Control Protocol (LACP) is used.disabled (default) – LACP is not usedactive – LACP is in the active modepassive – LACP is in the passive mode

minimum_links The number of physical links that must be in the “up” condition to declare the LAG port in the “up” condition. By default this value is not set and there is no minimum link requirement


MANIFEST EXAMPLE


SIMPLE EXAMPLE OF VLANS AND SWITCH PORTS

node "jex" {

netdev_device { $hostname: } netdev_vlan { "Pink": vlan_id => 703, description => "This is a pink vlan", } netdev_vlan { "Green": vlan_id => 500, } netdev_l2_interface { 'ge-0/0/19': untagged_vlan => Pink, } netdev_l2_interface { 'ge-0/0/20': description => "My port, back off!", untagged_vlan => Blue, tagged_vlans => [ Green, Black, Yellow ], } }

ge-0/0/19 will be an "access" port and

ge-0/0/20 will be a "trunk" port with a native-vlan-id

The node name is the hostname of the device. The variable $hostname comes from the facter program


PUPPET VARIABLE AND CLASSES $vlans = { 'Blue' => { vlan_id => 100, description => "This is a blue vlan, just updated" }, 'Green' => { vlan_id => 101, description => "This is a Green VLAN" }, 'Purple' => { vlan_id => 102, description => "Puple is purdy" }, 'Red' => { vlan_id => 103, description => "This is a red vlan" }, 'Yellow' => { vlan_id => 104, description => "This is a yellow vlan" } }

class database_switch { netdev_device { $hostname: } create_resources( netdev_vlan, $vlans ) $db_port_desc = "This is for database" $db_ports = { "ge-0/0/0" => { description => "${db_port_desc} ge0" }, "ge-0/0/1" => { description => "${db_port_desc} ge1" }, "ge-0/0/2" => { description => 'this is ge2' }, "ge-0/0/3" => { description => 'this is ge3' }, } $db_port_settings = { untagged_vlan => Red, tagged_vlans => [Red, Green, Yellow] } create_resources( netdev_l2_interface, $db_ports, $db_port_settings )}


NODES USING CLASSES

node "jex" { include database_switch }

node "gizmo" { include database_switch

netdev_vlan { "myMailserver": vlan_id => 99, description => "Private Mailsever VLAN" }

netdev_l2_interface { "ge-0/0/20": description => "Going to mailserver", tagged_vlans => myMailserver } }


MORE ADVANCED TECHNIQUESINFRASTRUCTURE AS CODE + DATA DRIVEN INFRASTRUCTURE

node "ex4" { netdev_device { $hostname: } $vlans = loadyaml( "/etc/puppet/manifests/files/vlans.yaml" ) $lags = loadyaml( "/etc/puppet/manifests/nodes/lags.yaml" ) $tor_conf = loadyaml( "/etc/puppet/manifests/nodes/tor-config.yaml")

create_resources( netdev_vlan, $vlans )

# define the server ports, even numbers between 10 and 20 $server_ports = bracket_expansion( "ge-0/0/[10-20]", 2 ) netdev_l2_interface { $server_ports: untagged_vlan => $tor_conf[server_ports][vlan] } # define the LAG ports. Take the complete list of all LAG links and ensure that # there are no layer-2 services on them. Then create the netdev_lag resources and # assign the list of VLANs. The inline_template below is Ruby/ERB. $all_lag_links = split( inline_template( "<%= lags.collect{|k,v| v['links']}.join(' ') %>"),' ') netdev_l2_interface { $all_lag_links: ensure => absent } create_resources( netdev_lag, $lags ) $lag_names = keys( $lags ) netdev_l2_interface { $lag_names: tagged_vlans => $tor_conf[lag_ports][vlans] } } Special Thanks to Krzysztof Wilczynski for his library of handy

Puppet functions; bracket_expansion() https://github.com/kwilczynski/puppet-functions


EXAMPLE YAML FILES

--- server_ports: vlan: Purple lag_ports: vlans: - Red - Green - Blue - Yellow

--- Red: vlan_id: 57 description: This is a Red vlan Green: vlan_id: 101 description: This is a Green vlan Blue: vlan_id: 102 description: This is a Blue vlan Yellow: vlan_id: 1003 description: This is a Yellow vlan Purple: vlan_id: 104 description: This is a Purple vlan

vlans.yaml maps directly to resource properties

tor-config.yaml custom use data


SWITCH PRODUCT FAMILIESEX + QFX


NETDEV_VLAN

node "ex4" { netdev_device { $hostname: }

netdev_vlan { "Green": vlan_id => 101, description => 'This is a Green vlan' } }

vlans { Green { description "This is a Green vlan"; vlan-id 101; } }


NETDEV_L2_INTERFACEACCESS PORT EXAMPLE


netdev_l2_interface { "ge-0/0/9": untagged_vlan => Green } }

interfaces { ge-0/0/9 { unit 0 { description "Puppet created eth-switch: ge-0/0/9" family ethernet-switching; port-mode access; vlan { members Green; } } } }


NETDEV_L2_INTERFACETRUNK PORT EXAMPLE


netdev_l2_interface { "ge-0/0/9": tagged_vlans => [ Red, Green, Blue, Yellow ] } }

interfaces { ge-0/0/9 { unit 0 { description "Puppet created eth-switch: ge-0/0/9"; family ethernet-switching { port-mode trunk; vlan { members [ Green Red Blue Yellow ]; } } } }


NETDEV_L2_INTERFACETRUNK PORT WITH NATIVE-VLAN-ID EXAMPLE


netdev_l2_interface { "ge-0/0/9": untagged_vlan => Red tagged_vlans => [ Green, Blue, Yellow ] } }

interfaces { ge-0/0/9 { unit 0 { description "Puppet created eth-switch: ge-0/0/9"; family ethernet-switching { port-mode trunk; vlan { members [ Green Blue Yellow ]; } native-vlan-id Red; } } }


NETDEV_L2_INTERFACECONVERTING "TRUNK" TO "ACCESS"


netdev_l2_interface { "ge-0/0/9": untagged_vlan => Red # tagged_vlans => [ Green, Blue, Yellow ] } }

notice: /Stage[main]//Node[ex4]/Netdev_l2_interface[ge-0/0/9]/vlan_tagging: vlan_tagging changed 'enable' to 'disable'notice: /Stage[main]//Node[ex4]/Netdev_l2_interface[ge-0/0/9]/tagged_vlans: tagged_vlans changed '[Green,Blue,Yellow]' to '[]'info: JUNOS: Committing 1 changes.notice: JUNOS:

[edit interfaces ge-0/0/9 unit 0 family ethernet-switching]- port-mode trunk;+ port-mode access;[edit interfaces ge-0/0/9 unit 0 family ethernet-switching vlan]- members [ Green Blue Yellow ];+ members Red;[edit interfaces ge-0/0/9 unit 0 family ethernet-switching]- native-vlan-id Red;


NETDEV_L2_INTERFACECONVERTING BACK ...



notice: /Stage[main]//Node[ex4]/Netdev_l2_interface[ge-0/0/9]/vlan_tagging: vlan_tagging changed 'disable' to 'enable'notice: /Stage[main]//Node[ex4]/Netdev_l2_interface[ge-0/0/9]/tagged_vlans: tagged_vlans changed '[]' to '[Green,Blue,Yellow]'info: JUNOS: Committing 1 changes.notice: JUNOS:

[edit interfaces ge-0/0/9 unit 0 family ethernet-switching]- port-mode access;+ port-mode trunk;[edit interfaces ge-0/0/9 unit 0 family ethernet-switching vlan]- members Red;+ members [ Green Blue Yellow ];[edit interfaces ge-0/0/9 unit 0 family ethernet-switching]+ native-vlan-id Red;


NETDEV_LAGCOMPLETE EXAMPLE


$ae1_ports = [ 'ge-0/0/10', 'ge-0/0/11', 'ge-0/0/12' ] netdev_lag { "ae1": links => $ae1_ports, lacp => active, minimum_links => 2 } netdev_l2_interface { $ae1_ports: ensure => absent } netdev_l2_interface { 'ae1': tagged_vlans => [ Black, Yellow ] }

}

This example is using a few Puppet mechanisms in combination:

• declaring a variable for the interface list $ae1_ports

• creating the netdev_lag port

• ensuring that the ports in the lag don't have any VLANs on themusing ensure => absent

• assigning vlans to the LAG port as a netdev_l2_interface


NETDEV_LAGCONFIGURATION CREATED ... MORE ON NEXT SLIDE

interfaces { ae1 { apply-macro "netdev_lag[:links]" { ge-0/0/10; ge-0/0/11; ge-0/0/12; } aggregated-ether-options { minimum-links 2; lacp { active; } } unit 0 { description "Puppet created eth-switch: ae1"; family ethernet-switching { port-mode trunk; vlan { members [ Yellow Black ]; } } } }

The apply-macro is a 'config cookie' that is used exclusively by the netdev provider code. This apply-macro may be removed in future releases, so do not make any use or assumptions about it.


NETDEV_LAGCONFIGURATION CREATED

interfaces { ge-0/0/10 { ether-options { 802.3ad ae1; } } ge-0/0/11 { ether-options { 802.3ad ae1; } } ge-0/0/12 { ether-options { 802.3ad ae1; } } }


MX PRODUCT FAMILY


MX PRODUCT FAMILYTARGET AVAILABILITY FOR GA RELEASE

MX240, MX480, MX960 – Intel

MX5, MX10, MX40, MX80 – PowerPC

Functional behavior and “netdev” abstractions are the same between MX and EX/QFX

Configuration differences between MX and EX/QFX: Interfaces use VLAN tag-ID values and not VLAN names bridge-domain stanza not vlan stanza MX does not support access port with unassigned VLAN-ID MX does not support trunk port with unassigned VLAN-ID list


NETDEV_VLAN

node "nadal" { netdev_device { $hostname: }

netdev_vlan { "Green": vlan_id => 101, description => 'This is a Green vlan' } }

bridge-domains { Green { description "This is a Green vlan"; domain-type bridge; vlan-id 101; } }


NETDEV_L2_INTERFACEACCESS PORT EXAMPLE


netdev_l2_interface { "ge-5/0/3": untagged_vlan => Green } }

interfaces { ge-5/0/3 unit 0 { description "Puppet created netdev_l2_interface: ge-5/0/3"; family bridge { interface-mode access; vlan-id 101; } } } }


NETDEV_L2_INTERFACETRUNK PORT EXAMPLE


netdev_l2_interface { "ge-5/1/2": tagged_vlans => [ Red, Green, Blue, Yellow ] } }

interfaces { ge-5/1/2 { flexible-vlan-tagging; encapsulation flexible-ethernet-services; unit 0 { description "Puppet created netdev_l2_interface: ge-5/1/2"; family bridge { interface-mode trunk; vlan-id-list [ 101 102 1003 57 ]; } } } }


NETDEV_L2_INTERFACETRUNK PORT WITH NATIVE-VLAN-ID EXAMPLE



interfaces { ge-5/3/9 { flexible-vlan-tagging; native-vlan-id 57; encapsulation flexible-ethernet-services; unit 0 { description "Puppet created netdev_l2_interface: ge-5/3/9"; family bridge { interface-mode trunk; vlan-id-list [ 57 101 102 1003 ]; } } } }


NETDEV_L2_INTERFACECONVERTING "TRUNK" TO "ACCESS"


netdev_l2_interface { "ge-5/3/9": untagged_vlan => Red # tagged_vlans => [ Green, Blue, Yellow ] } }

notice: /Stage[main]//Node[nadal]/Netdev_l2_interface[ge-5/3/9]/vlan_tagging: vlan_tagging changed 'enable' to 'disable'notice: /Stage[main]//Node[nadal]/Netdev_l2_interface[ge-5/3/9]/tagged_vlans: tagged_vlans changed '[Green,Blue,Yellow]' to '[]'info: JUNOS: Committing 1 changes.notice: JUNOS:

[edit interfaces ge-5/3/9]- flexible-vlan-tagging;- native-vlan-id 57;- encapsulation flexible-ethernet-services;- unit 0 {- description "Puppet created netdev_l2_interface: ge-5/3/9";- family bridge {- interface-mode trunk;- vlan-id-list [ 57 101 102 1003 ];- }- }+ unit 0 {+ description "Puppet created netdev_l2_interface: ge-5/3/9";+ family bridge {+ interface-mode access;+ vlan-id 57;+ }+ }


NETDEV_L2_INTERFACECONVERTING BACK ...



notice: /Stage[main]//Node[nadal]/Netdev_l2_interface[ge-5/3/9]/vlan_tagging: vlan_tagging changed 'disable' to 'enable'notice: /Stage[main]//Node[nadal]/Netdev_l2_interface[ge-5/3/9]/tagged_vlans: tagged_vlans changed '[]' to '[Red,Green,Blue,Yellow]'info: JUNOS: Committing 1 changes.notice: JUNOS:

[edit interfaces ge-5/3/9]+ flexible-vlan-tagging;+ native-vlan-id 57;+ encapsulation flexible-ethernet-services;[edit interfaces ge-5/3/9 unit 0 family bridge]- interface-mode access;- vlan-id 57;+ interface-mode trunk;+ vlan-id-list [ 57 101 102 1003 ];


INSTALLING PUPPET FOR JUNOS


PUPPET-MASTER

gem install netconf

puppet module install juniper/netdev_stdlib_junos


JUNOS

1. Download jpuppet-<platform>.tgz onto Junos device

2. configure

3. set system extensions providers juniper license-type juniper deployment-scope commercial

4. commit and-quit

5. request system software add <jpuppet-path> no-validate

6. show version

JUNOS for Puppet [1.0R1.1 (Puppet 2.7.19)]


#ProgramTheNetwork

THANK YOU !

Documents

Puppet for Junos