Network automation. A case from real life

Hei Habr!

In this article we want to talk about network automation. We will show a working network diagram from a small but very proud company. All diagrams and the real network equipment are anonymised. We will look at an incident that happened in this network, one that could have caused a long business outage and large financial losses. The solution to this incident fits the idea of "network automation" exactly. Using automation tools, we will show how complex problems can be solved successfully in a short time, and we will reflect on why such problems should be solved this way and not otherwise (through the console).

Disclaimer

Our main automation tools are Ansible (as the automation engine) and Git (as the repository for the Ansible playbooks). I want to say right away that this is not an introductory article in which we explain the logic of Ansible or Git and describe the basics (for example, what roles, tasks, modules, inventory files and variables are in Ansible, or what happens when you run git push or git commit). This article is not about how to learn Ansible and configure NTP or SMTP on your devices. It is about how you can solve a network problem quickly and reliably, without mistakes. It also assumes a good understanding of how a network works, in particular the TCP/IP, OSPF and BGP protocol stack. We will also leave the choice of Ansible and Git out of the equation. If you still want to choose another solution, we strongly recommend reading the book "Network Programmability and Automation. Skills for the Next-Generation Network Engineer" by Jason Edelman, Scott S. Lowe and Matt Oswalt.

Now to the point.

Problem statement

Let's imagine the situation: 3 o'clock in the morning, you are asleep and dreaming. A call. The technical director is on the line:

- Yes?
- ###, ####, #####, the firewall cluster has gone down and isn't coming back up!!!
You rub your eyes, trying to understand what is going on, and wonder how this could even happen. Over the phone you can hear the hair on the director's head being torn out, and he asks you to call back because the boss is calling him on the second line.

Half an hour later, you have collected the first reports from the duty shift and woken up everyone who could be woken. As a result, the technical director was not lying: everything is as he said, the main firewall cluster is down, and none of the basic physical manipulations bring it back to its senses. None of the services provided by the company are working.

Pick a failure to your own taste; everyone will remember something different. For example, after a night-time upgrade, in the absence of heavy load, everything worked fine and everyone went to bed happy. Then the traffic started flowing and the interface buffers began to overflow because of a bug in the network card driver.
</gre_replace>
<gr_replace lines="25" cat="clarify" orig="Jackie Chan">
Jackie Chan can describe the situation well.

Jackie Chan anogona kutsanangura mamiriro acho zvakanaka.


Thank you, Jackie.

Not the most pleasant situation, is it?

Let's leave our network engineer alone with his sad thoughts for a while.

Let's discuss how events will develop further.

We suggest the following structure for presenting the material:

  1. Let's look at the network diagram and see how it works;
  2. We describe how we move the configuration from one router to another using Ansible;
  3. Let's talk about automating the IT infrastructure as a whole.

Network diagram and description

The diagram


Let's look at the logical diagram of our organisation. We will not name the vendors of the specific equipment; for the purposes of this article it does not matter (the attentive reader will guess what kind of equipment is in use). This is one of the benefits of working with Ansible: when configuring, we usually do not care what kind of device it is. Just for understanding, this is equipment from well-known vendors such as Cisco, Juniper, Check Point, Fortinet, Palo Alto... you can substitute your own choice.

We have two main traffic-forwarding tasks:

  1. Ensure the publication of our services, which are the company's business;
  2. Provide connectivity with branches, the remote data centre and third-party organisations (partners and customers), as well as Internet access for the branches via the central office.

Let's start with the key elements:

  1. Two border routers (BRD-01, BRD-02);
  2. Firewall cluster (FW-CLUSTER);
  3. Core switch (L3-CORE);
  4. The router that will serve as the lifeline (as we solve the problem, we will move the network configuration from FW-CLUSTER to EMERGENCY) (EMERGENCY);
  5. Management network switch (L2-MGMT);
  6. Virtual machine with Git and Ansible (VM-AUTOMATION);
  7. Laptop on which the Ansible playbooks are tested and developed (Laptop-Automation).

The network is configured with the OSPF dynamic routing protocol and the following areas:

  • Area 0 - the backbone area, which includes the routers responsible for forwarding traffic in the EXCHANGE zone;
  • Area 1 - the area that includes the routers responsible for the company's services;
  • Area 2 - the area that includes the routers responsible for forwarding management traffic;
  • Area N - the branch network areas.

On the border routers, a virtual router (VRF-INTERNET) is created, on which eBGP with a full view is established with the corresponding provider ASes. iBGP is configured between the VRFs. The company has a pool of public (white) addresses, which is announced from this VRF-INTERNET. Some of the public addresses are routed directly to FW-CLUSTER (the addresses on which the company's services run), others are routed through the EXCHANGE zone (internal company services that need external IP addresses, and external NAT addresses for the offices). Next, the traffic goes to the corresponding virtual routers created on L3-CORE with public and private (grey) addresses (security zones).

The management network uses a dedicated switch and is a separate network. The management network is also divided into security zones.
The EMERGENCY router physically and logically duplicates the FW-CLUSTER. All interfaces on it are disabled except those facing the management network.

Automation and its description

We have seen how the network works. Now let's look step by step at what we will do to move the traffic from FW-CLUSTER to EMERGENCY:

  1. We disable the interfaces on the core switch (L3-CORE) that connect it to FW-CLUSTER;
  2. We disable the interfaces on the L2-MGMT management switch that connect it to FW-CLUSTER;
  3. We configure the EMERGENCY router (by default, all interfaces on it are disabled except those facing L2-MGMT):

  • We enable the interfaces on EMERGENCY;
  • We configure the external IP address (for NAT) that was on FW-CLUSTER;
  • We generate gARP requests so that the MAC addresses in the L3-CORE ARP tables are switched from FW-CLUSTER to EMERGENCY;
  • We register the default route as a static route to BRD-01, BRD-02;
  • We create the NAT rules;
  • We bring up OSPF Area 1 on EMERGENCY;
  • We bring up OSPF Area 2 on EMERGENCY;
  • We change the cost of the interfaces in Area 1 to 10;
  • We change the cost of the default route in Area 1 to 10;
  • We change the IP addresses of the interfaces facing L2-MGMT (to those that were on FW-CLUSTER);
  • We generate gARP requests so that the MAC addresses in the L2-MGMT ARP tables are switched from FW-CLUSTER to EMERGENCY.
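As an added illustration of how such a sequence is expressed in Ansible (this is not the authors' emergency_on.yml, whose code is not on this page), the playbook below covers a subset of the steps above: disabling the core interfaces on the Junos core and enabling the interface, default route, NAT rules and OSPF costs on the RouterOS EMERGENCY router, followed by a wait for OSPF adjacencies, which is the convergence pause described later in the article. It assumes inventory groups vcf and emergency, the junipernetworks.junos and community.routeros collections, RouterOS v6 CLI syntax, and placeholder interface, VLAN and gateway values; the gARP and management-address steps are left out.

```yaml
# Constructed example, not the authors' playbook. Assumes inventory groups
# 'vcf' (Junos core, NETCONF) and 'emergency' (RouterOS v6 over SSH).
# any_errors_fatal: the steps depend on each other, so a failure must stop
# the whole run rather than leave the network half-migrated.
- name: Emergency on VCF
  hosts: vcf
  gather_facts: false
  connection: ansible.netcommon.netconf
  any_errors_fatal: true
  vars:
    ansible_network_os: junipernetworks.junos.junos
    fw_cluster_ifaces: [xe-0/0/10, xe-0/0/11]      # placeholder names
  tasks:
    - name: Disable PROD interfaces to FW-CLUSTER
      junipernetworks.junos.junos_interfaces:
        config:
          - name: "{{ item }}"
            enabled: false
        state: merged
      loop: "{{ fw_cluster_ifaces }}"

- name: Emergency on
  hosts: emergency
  gather_facts: false
  connection: ansible.netcommon.network_cli
  any_errors_fatal: true
  vars:
    ansible_network_os: community.routeros.routeros
    ext_gateway: 192.0.2.1                          # placeholder (TEST-NET-1)
    nat_rule_comments: [srv-web, srv-mail]          # placeholder rule comments
    ospf_area1_vlans: [VLAN-1001, VLAN-1002]        # placeholder list
  tasks:
    - name: Enable EXT-INTERNET interface
      community.routeros.command:
        commands:
          - /interface enable EXT-INTERNET
    - name: Enable static default route to EXT-INTERNET
      community.routeros.command:
        commands:
          - /ip route set [find dst-address=0.0.0.0/0 gateway={{ ext_gateway }}] disabled=no
    # Select NAT rules by comment, not by the numbers shown by 'print':
    # those numbers are per-session and not a stable identifier.
    - name: Change NAT rules to EXT-INTERNET interface
      community.routeros.command:
        commands:
          - '/ip firewall nat set [find comment="{{ item }}"] out-interface=EXT-INTERNET'
      loop: "{{ nat_rule_comments }}"
    - name: Change OSPF Area 1 interfaces costs to 10
      community.routeros.command:
        commands:
          - /routing ospf interface set [find interface={{ item }}] cost=10
      loop: "{{ ospf_area1_vlans }}"
    # Do not declare the migration done until the adjacencies are Full
    # (RouterOS v6 prints 'state=Full' for each neighbour).
    - name: Wait for OSPF neighbours to reach Full
      community.routeros.command:
        commands:
          - /routing ospf neighbor print
      register: ospf
      until: "'Full' in ospf.stdout[0]"
      retries: 30
      delay: 10
      changed_when: false
```

The rollback playbook mentioned later in the article would apply the same tasks in reverse order, which is why the ordering of tasks in a file like this matters.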

Again, let's go back to the original problem statement. 3 o'clock in the morning, enormous stress, any mistake can lead to new problems. Are you ready to type the commands through the CLI? Yes? Well, go and wash your face, drink some coffee and gather your willpower.
Bruce, please help the guys.


OK, let's move on with our automation.
Below is a diagram of how the playbook works in Ansible terms. This diagram shows what we described above, just the actual implementation in Ansible.

At this point, we have figured out what needs to be done, written the playbook, tested it, and now we are ready to run it.

A small digression. Don't let the simplicity of the story mislead you. The process of writing the playbooks was not as easy and fast as it might seem. Testing took quite a long time: a real test stand was built, the solution was tested many times, and about a hundred tests were carried out.

Let's begin... There is a feeling that everything is happening slowly, that there is a mistake somewhere, that something will not work in the end. The feeling of jumping with a parachute that does not want to open straight away... this is normal.

Next, we read the results of the executed tasks of the Ansible playbook (the IP addresses have been replaced for privacy):

[xxx@emergency ansible]$ ansible-playbook -i /etc/ansible/inventories/prod_inventory.ini /etc/ansible/playbooks/emergency_on.yml 

PLAY [------->Emergency on VCF] ********************************************************

TASK [vcf_junos_emergency_on : Disable PROD interfaces to FW-CLUSTER] *********************
changed: [vcf]

PLAY [------->Emergency on MGMT-CORE] ************************************************

TASK [mgmt_junos_emergency_on : Disable MGMT interfaces to FW-CLUSTER] ******************
changed: [m9-03-sw-03-mgmt-core]

PLAY [------->Emergency on] ****************************************************

TASK [mk_routeros_emergency_on : Enable EXT-INTERNET interface] **************************
changed: [m9-04-r-04]

TASK [mk_routeros_emergency_on : Generate gARP for EXT-INTERNET interface] ****************
changed: [m9-04-r-04]

TASK [mk_routeros_emergency_on : Enable static default route to EXT-INTERNET] ****************
changed: [m9-04-r-04]

TASK [mk_routeros_emergency_on : Change NAT rule to EXT-INTERNET interface] ****************
changed: [m9-04-r-04] => (item=12)
changed: [m9-04-r-04] => (item=14)
changed: [m9-04-r-04] => (item=15)
changed: [m9-04-r-04] => (item=16)
changed: [m9-04-r-04] => (item=17)

TASK [mk_routeros_emergency_on : Enable OSPF Area 1 PROD] ******************************
changed: [m9-04-r-04]

TASK [mk_routeros_emergency_on : Enable OSPF Area 2 MGMT] *****************************
changed: [m9-04-r-04]

TASK [mk_routeros_emergency_on : Change OSPF Area 1 interfaces costs to 10] *****************
changed: [m9-04-r-04] => (item=VLAN-1001)
changed: [m9-04-r-04] => (item=VLAN-1002)
changed: [m9-04-r-04] => (item=VLAN-1003)
changed: [m9-04-r-04] => (item=VLAN-1004)
changed: [m9-04-r-04] => (item=VLAN-1005)
changed: [m9-04-r-04] => (item=VLAN-1006)
changed: [m9-04-r-04] => (item=VLAN-1007)
changed: [m9-04-r-04] => (item=VLAN-1008)
changed: [m9-04-r-04] => (item=VLAN-1009)
changed: [m9-04-r-04] => (item=VLAN-1010)
changed: [m9-04-r-04] => (item=VLAN-1011)
changed: [m9-04-r-04] => (item=VLAN-1012)
changed: [m9-04-r-04] => (item=VLAN-1013)
changed: [m9-04-r-04] => (item=VLAN-1100)

TASK [mk_routeros_emergency_on : Change OSPF area1 default cost for to 10] ******************
changed: [m9-04-r-04]

TASK [mk_routeros_emergency_on : Change MGMT interfaces ip addresses] ********************
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n.254', u'name': u'VLAN-803'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+1.254', u'name': u'VLAN-805'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+2.254', u'name': u'VLAN-807'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+3.254', u'name': u'VLAN-809'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+4.254', u'name': u'VLAN-820'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+5.254', u'name': u'VLAN-822'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+6.254', u'name': u'VLAN-823'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+7.254', u'name': u'VLAN-824'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+8.254', u'name': u'VLAN-850'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+9.254', u'name': u'VLAN-851'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+10.254', u'name': u'VLAN-852'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+11.254', u'name': u'VLAN-853'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+12.254', u'name': u'VLAN-870'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+13.254', u'name': u'VLAN-898'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+14.254', u'name': u'VLAN-899'})

TASK [mk_routeros_emergency_on : Generate gARPs for MGMT interfaces] *********************
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n.254', u'name': u'VLAN-803'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+1.254', u'name': u'VLAN-805'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+2.254', u'name': u'VLAN-807'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+3.254', u'name': u'VLAN-809'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+4.254', u'name': u'VLAN-820'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+5.254', u'name': u'VLAN-822'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+6.254', u'name': u'VLAN-823'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+7.254', u'name': u'VLAN-824'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+8.254', u'name': u'VLAN-850'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+9.254', u'name': u'VLAN-851'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+10.254', u'name': u'VLAN-852'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+11.254', u'name': u'VLAN-853'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+12.254', u'name': u'VLAN-870'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+13.254', u'name': u'VLAN-898'})
changed: [m9-04-r-04] => (item={u'ip': u'x.x.n+14.254', u'name': u'VLAN-899'})

PLAY RECAP ************************************************************************

Done!

Actually, it is not quite ready yet: don't forget about the convergence of the dynamic routing protocols and the loading of a large number of routes into the FIB. We cannot influence this in any way. We wait. It has happened. Now it is ready.

Meanwhile, in the village of Villabajo (which did not want to change its network setup), they keep washing the dishes. Bruce (admittedly a different one, but no less cool) is trying to work out how long a manual reconfiguration of the equipment would take.


I would also like to dwell on one important point. How do we roll everything back? After some time, we will bring our FW-CLUSTER back to life. It is the main device, not a backup, and the network should run on it.

Can you feel the network engineers starting to boil? The technical director will hear a thousand arguments why this should not be done, why it can be done later. Unfortunately, this is how networks work when they are built from a pile of patches, fragments and remnants of what was once a consistent design. They turn into a patchwork quilt. Our task, often, not just in this situation but in general as IT specialists, is to bring the network to the state described by the fine English word "consistency", which has many meanings and can be translated as: coherence, agreement, reasonableness, orderliness, proportionality, connectedness. That is what it is about. Only in this state is the network manageable: we clearly understand what works and how, we clearly understand what needs to be changed if necessary, and we know exactly where to look if problems arise. And only in such a network can you make changes like the ones just described.

In fact, another playbook was written that returns the settings to their original state. Its operating principle is the same (it is important to remember that the order of the tasks matters); so as not to lengthen an already long article, we decided not to post the output of that playbook run. After exercises like this you feel calmer and more confident about the future, and on top of that, any problems you have accumulated by then come to light.

Anyone can write to us and receive the source code of everything written, together with all the playbooks. Our names are in our profiles.

Conclusions

In our view, the processes that can be automated are not yet fully clear. Based on our experience and on what our Western colleagues are discussing, the following topics are visible so far:

  • Device provisioning;
  • Data collection;
  • Reporting;
  • Troubleshooting;
  • Compliance.

If there is interest, we can continue the discussion on any of these topics.

I would also like to say a little about automation itself. What it should be, in our understanding:

  • The system should live unattended, being improved by a person. The system should not depend on people;
  • Operation should be expert-level. There is no class of specialists who perform routine tasks. There are experts who have built the whole process and solve only the hard problems;
  • Routine tasks are performed automatically "at the push of a button", with no resources wasted. The result of such tasks is always predictable and understandable.

And these points should lead to:

  • Transparency of the IT infrastructure (lower operational risks, up-to-date utilisation data, less downtime per year);
  • The ability to plan IT resources (a capacity-planning system: you can see how much is consumed and how many resources are needed in a single system, rather than through emails and visits to higher departments);
  • The ability to reduce the number of IT staff.

Authors: Alexander Chelovekov (CCIE RS, CCIE SP) and Pavel Kirillov. We are happy to discuss and advise on IT infrastructure automation.


Source: www.habr.com
