Hey Habr!
An article came up here recently.
This is not the first bicycle built for this kind of task. The first version was implemented several years ago, back on ansible 1.x.x. The bicycle was used rarely and therefore kept rusting, in the sense that the task itself comes up less often than ansible versions are updated. And every time you need to ride, either the chain falls off or a wheel does. However, the first part, generating configs, always works very reliably, since the jinja2 engine is long established. But the second part, rolling out the configs, usually brought surprises. And since I have to roll the config out remotely to about half a hundred devices, some of which are thousands of kilometers away, using this tool was a little unnerving.
Here I must admit that my lack of confidence most likely comes from my unfamiliarity with ansible rather than from its shortcomings. And that, by the way, is an important point: ansible is a completely separate area of knowledge with its own DSL (Domain Specific Language), which has to be maintained at a confident level. And the fact that ansible develops quite quickly, without much regard for backward compatibility, does not add confidence.
So, not long ago, a second version of the bicycle was implemented. This time in Python, or rather on a framework written in Python and for Python, called Nornir.
So: Nornir is a microframework written in Python and for Python, designed for automation. Just as with ansible, solving a task here requires careful data preparation, that is, an inventory of hosts and their parameters, but the scripts are written not in a separate DSL but in the same not very old, yet very good, p[i|i]ton.
Let's look at what this is, using the following live example.
I have a branch network with dozens of offices across the country. Each office has a WAN router that terminates several communication links from different operators. The routing protocol is BGP. There are two kinds of WAN router: Cisco ISG or Juniper SRX.
Now the task: on all WAN routers of the branch network we need to
- configure a dedicated subnet for video surveillance on a separate port;
- advertise this subnet in BGP;
- configure a speed limit on the dedicated port.
First, we need to prepare two base templates from which the configurations will be generated separately for Cisco and Juniper. We also need to prepare the data for each site and its connection parameters, i.e. collect that same inventory.
Ready-made template for Cisco:
$ cat templates/ios/base.j2
class-map match-all VIDEO_SURV
 match access-group 111
policy-map VIDEO_SURV
 class VIDEO_SURV
  police 1500000 conform-action transmit exceed-action drop
interface {{ host.task_data.ifname }}
 description VIDEOSURV
 ip address 10.10.{{ host.task_data.ipsuffix }}.254 255.255.255.0
 service-policy input VIDEO_SURV
router bgp {{ host.task_data.asn }}
 network 10.10.{{ host.task_data.ipsuffix }}.0 mask 255.255.255.0
access-list 11 permit 10.10.{{ host.task_data.ipsuffix }}.0 0.0.0.255
access-list 111 permit ip 10.10.{{ host.task_data.ipsuffix }}.0 0.0.0.255 any
Template for Juniper:
$ cat templates/junos/base.j2
set interfaces {{ host.task_data.ifname }} unit 0 description "Video surveillance"
set interfaces {{ host.task_data.ifname }} unit 0 family inet filter input limit-in
set interfaces {{ host.task_data.ifname }} unit 0 family inet address 10.10.{{ host.task_data.ipsuffix }}.254/24
set policy-options policy-statement export2bgp term 1 from route-filter 10.10.{{ host.task_data.ipsuffix }}.0/24 exact
set security zones security-zone WAN interfaces {{ host.task_data.ifname }}
set firewall policer policer-1m if-exceeding bandwidth-limit 1m
set firewall policer policer-1m if-exceeding burst-size-limit 187k
set firewall policer policer-1m then discard
set firewall policer policer-1.5m if-exceeding bandwidth-limit 1500000
set firewall policer policer-1.5m if-exceeding burst-size-limit 280k
set firewall policer policer-1.5m then discard
set firewall filter limit-in term 1 then policer policer-1.5m
set firewall filter limit-in term 1 then count limiter
Templates, of course, are not taken out of thin air. They are essentially the diffs between the working configurations before and after the task was solved on two specific routers of different models.
From our templates we can see that solving the task needs only two parameters for Juniper and 3 parameters for Cisco. Here they are:
- ifname
- ipsuffix
- asn
Now we need to set these parameters for each device, i.e. build that same inventory.
For the inventory we will strictly follow the documentation.
That is, let's create the same file skeleton:
.
├── config.yaml
└── inventory
    ├── defaults.yaml
    ├── groups.yaml
    └── hosts.yaml
The config.yaml file is the standard nornir configuration file.
$ cat config.yaml
---
core:
    num_workers: 10
inventory:
    plugin: nornir.plugins.inventory.simple.SimpleInventory
    options:
        host_file: "inventory/hosts.yaml"
        group_file: "inventory/groups.yaml"
        defaults_file: "inventory/defaults.yaml"
We will put the main parameters in hosts.yaml, the group ones (in my case these are logins/passwords) in groups.yaml, and nothing in defaults.yaml, but it still needs three dashes in it to indicate that it is a YAML file, albeit an empty one.
This is what hosts.yaml looks like:
---
srx-test:
    hostname: srx-test
    groups:
        - juniper
    data:
        task_data:
            ifname: fe-0/0/2
            ipsuffix: 111
cisco-test:
    hostname: cisco-test
    groups:
        - cisco
    data:
        task_data:
            ifname: GigabitEthernet0/1/1
            ipsuffix: 222
            asn: 65111
And here is groups.yaml:
---
cisco:
    platform: ios
    username: admin1
    password: cisco1
juniper:
    platform: junos
    username: admin2
    password: juniper2
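An added example (not part of the original article or of Nornir): a pre-flight check that works out which `host.task_data.*` variables each template substitutes and validates every host's task_data before anything is rendered or pushed. The templates are trimmed copies of the page's; the `broken` host and the interface-name pattern are assumptions made for illustration.

```python
import re

# Trimmed copies of the page's templates: only the lines that use variables.
TEMPLATES = {
    "ios": "interface {{ host.task_data.ifname }}\n"
           " ip address 10.10.{{ host.task_data.ipsuffix }}.254 255.255.255.0\n"
           "router bgp {{ host.task_data.asn }}\n",
    "junos": "set interfaces {{ host.task_data.ifname }} unit 0 family inet "
             "address 10.10.{{ host.task_data.ipsuffix }}.254/24\n",
}

# (platform, task_data) per host, as in hosts.yaml; "broken" is constructed.
HOSTS = {
    "srx-test": ("junos", {"ifname": "fe-0/0/2", "ipsuffix": 111}),
    "cisco-test": ("ios", {"ifname": "GigabitEthernet0/1/1",
                           "ipsuffix": 222, "asn": 65111}),
    "broken": ("ios", {"ifname": "Gi0/1\n shutdown", "ipsuffix": 300}),
}

VAR_RE = re.compile(r"\{\{\s*host\.task_data\.(\w+)\s*\}\}")
# Assumed shape of an interface name: letters, then slot/port numbers.
IFNAME_RE = re.compile(r"[A-Za-z][A-Za-z-]*\d+(/\d+)*(\.\d+)?")


def required_vars(template):
    """Names of the task_data keys a template substitutes."""
    return set(VAR_RE.findall(template))


def _int_in(value, low, high):
    return isinstance(value, int) and not isinstance(value, bool) and low <= value <= high


def check_host(platform, task_data):
    """Return a list of problems; an empty list means the host is safe to render."""
    problems = [f"missing {v}"
                for v in sorted(required_vars(TEMPLATES[platform]) - set(task_data))]
    if "ifname" in task_data and not IFNAME_RE.fullmatch(str(task_data["ifname"])):
        # Newlines or spaces here would add extra lines to the pushed config.
        problems.append("ifname is not a plain interface name")
    if "ipsuffix" in task_data and not _int_in(task_data["ipsuffix"], 0, 255):
        problems.append("ipsuffix must be an integer 0-255")
    if "asn" in task_data and not _int_in(task_data["asn"], 1, 4294967295):
        problems.append("asn must be a valid AS number")
    return problems


def check_inventory(hosts=HOSTS):
    """Map each failing host name to its problems."""
    report = {name: check_host(platform, data) for name, (platform, data) in hosts.items()}
    return {name: probs for name, probs in report.items() if probs}


if __name__ == "__main__":
    for host, probs in check_inventory().items():
        print(host, probs)
```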
That is the inventory for our task. During initialization, the parameters from the inventory files are mapped onto the InventoryElement object model.
Under the spoiler is the schema of the InventoryElement model.
print(json.dumps(InventoryElement.schema(), indent=4))
{
    "title": "InventoryElement",
    "type": "object",
    "properties": {
        "hostname": {
            "title": "Hostname",
            "type": "string"
        },
        "port": {
            "title": "Port",
            "type": "integer"
        },
        "username": {
            "title": "Username",
            "type": "string"
        },
        "password": {
            "title": "Password",
            "type": "string"
        },
        "platform": {
            "title": "Platform",
            "type": "string"
        },
        "groups": {
            "title": "Groups",
            "default": [],
            "type": "array",
            "items": {
                "type": "string"
            }
        },
        "data": {
            "title": "Data",
            "default": {},
            "type": "object"
        },
        "connection_options": {
            "title": "Connection_Options",
            "default": {},
            "type": "object",
            "additionalProperties": {
                "$ref": "#/definitions/ConnectionOptions"
            }
        }
    },
    "definitions": {
        "ConnectionOptions": {
            "title": "ConnectionOptions",
            "type": "object",
            "properties": {
                "hostname": {
                    "title": "Hostname",
                    "type": "string"
                },
                "port": {
                    "title": "Port",
                    "type": "integer"
                },
                "username": {
                    "title": "Username",
                    "type": "string"
                },
                "password": {
                    "title": "Password",
                    "type": "string"
                },
                "platform": {
                    "title": "Platform",
                    "type": "string"
                },
                "extras": {
                    "title": "Extras",
                    "type": "object"
                }
            }
        }
    }
}
This model can look a little confusing, especially at first. To figure it out, the interactive mode in ipython helps.
$ ipython3
Python 3.6.9 (default, Nov 7 2019, 10:44:02)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.1.1 -- An enhanced Interactive Python. Type '?' for help.
In [1]: from nornir import InitNornir
In [2]: nr = InitNornir(config_file="config.yaml", dry_run=True)
In [3]: nr.inventory.hosts
Out[3]:
{'srx-test': Host: srx-test, 'cisco-test': Host: cisco-test}
In [4]: nr.inventory.hosts['srx-test'].data
Out[4]: {'task_data': {'ifname': 'fe-0/0/2', 'ipsuffix': 111}}
In [5]: nr.inventory.hosts['srx-test']['task_data']
Out[5]: {'ifname': 'fe-0/0/2', 'ipsuffix': 111}
In [6]: nr.inventory.hosts['srx-test'].platform
Out[6]: 'junos'
Finally, let's move on to the script itself. There is nothing here to be especially proud of: I simply took a ready-made example.
import os

from nornir import InitNornir
from nornir.plugins.tasks import networking, text
from nornir.plugins.functions.text import print_title, print_result


def config_and_deploy(task):
    # Transform inventory data to configuration via a template file
    r = task.run(task=text.template_file,
                 name="Base Configuration",
                 template="base.j2",
                 path=f"templates/{task.host.platform}")

    # Save the compiled configuration into a host variable
    task.host["config"] = r.result

    # Save the compiled configuration into a file
    with open(f"configs/{task.host.hostname}", "w") as f:
        f.write(r.result)

    # Deploy that configuration to the device using NAPALM
    task.run(task=networking.napalm_configure,
             name="Loading Configuration on the device",
             replace=False,
             configuration=task.host["config"])


# The rendered configs are written to configs/, so make sure it exists
os.makedirs("configs", exist_ok=True)

nr = InitNornir(config_file="config.yaml", dry_run=True) # set dry_run=False, cross your fingers and run again

# run tasks
result = nr.run(task=config_and_deploy)
print_result(result)
Note the dry_run=True parameter in the line that initializes the nr object.
Here, just as in ansible, a test run is implemented: a connection is made to the router and a new, modified configuration is prepared, which is then validated by the device (but this is not certain; it depends on device support and on the driver implementation in NAPALM), but the new configuration is not applied directly. For live use, remove the dry_run parameter or change its value to False.
When the script runs, Nornir prints detailed logs to the console.
Under the spoiler is the output of a live run on two test routers:
config_and_deploy***************************************************************
* cisco-test ** changed : True *******************************************
vvvv config_and_deploy ** changed : True vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv INFO
---- Base Configuration ** changed : True ------------------------------------- INFO
class-map match-all VIDEO_SURV
match access-group 111
policy-map VIDEO_SURV
class VIDEO_SURV
police 1500000 conform-action transmit exceed-action drop
interface GigabitEthernet0/1/1
description VIDEOSURV
ip address 10.10.222.254 255.255.255.0
service-policy input VIDEO_SURV
router bgp 65001
network 10.10.222.0 mask 255.255.255.0
access-list 11 permit 10.10.222.0 0.0.0.255
access-list 111 permit ip 10.10.222.0 0.0.0.255 any
---- Loading Configuration on the device ** changed : True --------------------- INFO
+class-map match-all VIDEO_SURV
+ match access-group 111
+policy-map VIDEO_SURV
+ class VIDEO_SURV
+interface GigabitEthernet0/1/1
+ description VIDEOSURV
+ ip address 10.10.222.254 255.255.255.0
+ service-policy input VIDEO_SURV
+router bgp 65001
+ network 10.10.222.0 mask 255.255.255.0
+access-list 11 permit 10.10.222.0 0.0.0.255
+access-list 111 permit ip 10.10.222.0 0.0.0.255 any
^^^^ END config_and_deploy ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* srx-test ** changed : True *******************************************
vvvv config_and_deploy ** changed : True vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv INFO
---- Base Configuration ** changed : True ------------------------------------- INFO
set interfaces fe-0/0/2 unit 0 description "Video surveillance"
set interfaces fe-0/0/2 unit 0 family inet filter input limit-in
set interfaces fe-0/0/2 unit 0 family inet address 10.10.111.254/24
set policy-options policy-statement export2bgp term 1 from route-filter 10.10.111.0/24 exact
set security zones security-zone WAN interfaces fe-0/0/2
set firewall policer policer-1m if-exceeding bandwidth-limit 1m
set firewall policer policer-1m if-exceeding burst-size-limit 187k
set firewall policer policer-1m then discard
set firewall policer policer-1.5m if-exceeding bandwidth-limit 1500000
set firewall policer policer-1.5m if-exceeding burst-size-limit 280k
set firewall policer policer-1.5m then discard
set firewall filter limit-in term 1 then policer policer-1.5m
set firewall filter limit-in term 1 then count limiter
---- Loading Configuration on the device ** changed : True --------------------- INFO
[edit interfaces]
+ fe-0/0/2 {
+ unit 0 {
+ description "Video surveillance";
+ family inet {
+ filter {
+ input limit-in;
+ }
+ address 10.10.111.254/24;
+ }
+ }
+ }
[edit]
+ policy-options {
+ policy-statement export2bgp {
+ term 1 {
+ from {
+ route-filter 10.10.111.0/24 exact;
+ }
+ }
+ }
+ }
[edit security zones]
security-zone test-vpn { ... }
+ security-zone WAN {
+ interfaces {
+ fe-0/0/2.0;
+ }
+ }
[edit]
+ firewall {
+ policer policer-1m {
+ if-exceeding {
+ bandwidth-limit 1m;
+ burst-size-limit 187k;
+ }
+ then discard;
+ }
+ policer policer-1.5m {
+ if-exceeding {
+ bandwidth-limit 1500000;
+ burst-size-limit 280k;
+ }
+ then discard;
+ }
+ filter limit-in {
+ term 1 {
+ then {
+ policer policer-1.5m;
+ count limiter;
+ }
+ }
+ }
+ }
^^^^ END config_and_deploy ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Hiding passwords in ansible_vault
At the beginning of the article I was a bit hard on ansible, but it is not all bad. I really like its vault, which is designed to keep sensitive information out of sight. And many have probably noticed that all the logins/passwords for all the live routers are sitting in clear text in the groups.yaml file. That is not pretty, of course. Let's protect this data with vault.
Let's move the parameters from groups.yaml to creds.yaml and encrypt it with AES256 using a 20-character password:
$ cd inventory
$ cat creds.yaml
---
cisco:
    username: admin1
    password: cisco1
juniper:
    username: admin2
    password: juniper2
$ pwgen 20 -N 1 > vault.passwd
$ ansible-vault encrypt creds.yaml --vault-password-file vault.passwd
Encryption successful
$ cat creds.yaml
$ANSIBLE_VAULT;1.1;AES256
39656463353437333337356361633737383464383231366233386636333965306662323534626131
3964396534396333363939373539393662623164373539620a346565373439646436356438653965
39643266333639356564663961303535353364383163633232366138643132313530346661316533
6236306435613132610a656163653065633866626639613537326233653765353661613337393839
62376662303061353963383330323164633162386336643832376263343634356230613562643533
30363436343465306638653932366166306562393061323636636163373164613630643965636361
34343936323066393763323633336366366566393236613737326530346234393735306261363239
35663430623934323632616161636330353134393435396632663530373932383532316161353963
31393434653165613432326636616636383665316465623036376631313162646435
It's that simple. What remains is to teach our Nornir script to fetch and apply this data.
To do this, in our script, after the initialization line nr = InitNornir(config_file=… add the following code:
...
nr = InitNornir(config_file="config.yaml", dry_run=True) # set dry_run=False, cross your fingers and run again

# enrich Inventory with the encrypted vault data
from ansible_vault import Vault

vault_password_file = "inventory/vault.passwd"
vault_file = "inventory/creds.yaml"

with open(vault_password_file, "r") as fp:
    password = fp.readline().strip()

vault = Vault(password)
with open(vault_file) as fp:
    vaultdata = vault.load(fp.read())

# Credentials are looked up by the host's first group (cisco / juniper)
for a in nr.inventory.hosts.keys():
    item = nr.inventory.hosts[a]
    item.username = vaultdata[item.groups[0]]['username']
    item.password = vaultdata[item.groups[0]]['password']
    #print("hostname={}, username={}, password={}\n".format(item.hostname, item.username, item.password))

# run tasks
...
Of course, vault.passwd should not sit next to creds.yaml as it does in my example. But for playing around it is fine.
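An added example (not the author's code): a standard-library audit of the inventory directory that flags plaintext `password:` values, a creds.yaml that is not a vault envelope, and a vault password file stored beside the vault or readable by other users. The file names follow the page; the sample file contents are constructed.

```python
import os
import re
import stat
import tempfile

VAULT_HEADER = "$ANSIBLE_VAULT;"
SECRET_RE = re.compile(r"^\s*(password|secret)\s*:\s*\S", re.IGNORECASE)


def plaintext_secrets(yaml_text):
    """1-based line numbers that carry an inline password/secret value."""
    if yaml_text.startswith(VAULT_HEADER):
        return []  # the whole file is a vault envelope
    return [n for n, line in enumerate(yaml_text.splitlines(), 1)
            if SECRET_RE.match(line)]


def audit_inventory(inv_dir, vault_file="creds.yaml", password_file="vault.passwd"):
    """Return findings for an inventory directory laid out as on the page."""
    findings = []
    for name in sorted(os.listdir(inv_dir)):
        if not name.endswith((".yaml", ".yml")):
            continue
        with open(os.path.join(inv_dir, name)) as fh:
            text = fh.read()
        if name == vault_file and not text.startswith(VAULT_HEADER):
            findings.append(f"{name}: not vault-encrypted")
        findings += [f"{name}:{n}: plaintext credential" for n in plaintext_secrets(text)]
    pw_path = os.path.join(inv_dir, password_file)
    if os.path.exists(pw_path):
        findings.append(f"{password_file}: stored beside the vault it unlocks")
        if stat.S_IMODE(os.stat(pw_path).st_mode) & 0o077:
            findings.append(f"{password_file}: readable by group or others")
    return findings


def demo():
    """Audit a constructed inventory: plaintext groups.yaml, encrypted creds.yaml."""
    files = {
        "groups.yaml": "---\ncisco:\n  platform: ios\n  username: admin1\n  password: cisco1\n",
        "creds.yaml": "$ANSIBLE_VAULT;1.1;AES256\n0000\n",  # constructed body
        "vault.passwd": "constructed-vault-password\n",
    }
    with tempfile.TemporaryDirectory() as inv_dir:
        for name, body in files.items():
            path = os.path.join(inv_dir, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, 0o644)
        return audit_inventory(inv_dir)


if __name__ == "__main__":
    print("\n".join(demo()))
```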
That's all for now. A couple more articles about Cisco + Zabbix are coming, but they are not really about automation. And in the near future I plan to write about RESTCONF on Cisco.
source: www.habr.com