Ansible Project – Deploy a New Network & Network Security Policies

So the last 6 weeks have been incredibly enjoyable and at times frustrating (there were times I was close to giving up and thinking I simply was not smart enough for this!), but ultimately it has been thoroughly rewarding. It is great when all the learning you have put so much effort into starts to take shape and you can move forward with it and create something that will potentially have real-world value.

This first project is the culmination of this. It is an effort to take what I am learning in labs and all other forms of online learning (videos, blogs, posts, forum questions, etc.), then push myself to think of a real-world use case and make what I would call a prototype playbook. The playbook is to be a platform for me to use in the workplace to deliver real-world benefits to my company and my colleagues.

The purpose of this post is to introduce this project and give you a presentation of the stages I will need to complete in order to finish the project. This helps with setting goals and a metric of completion; put simply, a project is pointless if there is no basic planning. Whilst I am not a project manager and I am by far no super-organised guy, I do like to at least think in some way about the steps I need to achieve my final goal. I want y'all to know that with new technology and learning, this gets me about 80% of the way; there are gotchas along the way still, so don't be disheartened if you find this happening to you too. It's part of the process!

Personally, creating stages allows me to see small victories and not lose heart (or interest in the ultimate end goal). It allows me to have those "Charlie Sheen – winning" moments as I accomplish the stages.

I hope you enjoy winning as much as I do, and despite it being Christmas week, I hope to post some of these stages being completed over the course of this week. I will naturally be sharing Stage 1 with this post, and since Stage 2 is already completed, I will be sharing that shortly as well.

My sensibilities telling you to be responsible are below…

As a bit of a disclosure, all the Ansible playbooks I have developed have been directly leveraged off other people's work, which I will share as links at the end of the project as a reference. Everything I have written here is completely free for you to use as you will, but I of course hold no liability or responsibility for how you use it.

I also want to mention that if you want to know more about anything I have mentioned, how to get started, or how I set up my lab and how you could do it as well, please feel free to contact me or reply to this post.

Define the project & the stages

I have already described this project previously, but I am going to scrap that. That project description was done in the first weeks of learning Ansible and it was overly ambitious of me to try and create a project, but nonetheless, it gave me the drive to get to this point. This is what I was talking about above: in a learning situation, guys, don't be afraid of the gotchas and being too organised; just create ambition in your heart and mind, and hard work from this will do the rest.

I want to preface as well by saying that I will not cover how I set up this lab environment from an infrastructure point of view, i.e. routing, VMware hosts, hardware, etc. I have provided information on what I have, but not how I did it. The reason for this is to focus on the playbooks and not the underlying infrastructure and how I got there. If you want help setting up your lab, contact me and I will discuss it with you separately.

If you are interested, I have set up a Git repo on GitHub which I will be using to publish all future playbooks.

Project 1 GitHub Repo – https://github.com/danielbostock/Project1-Ansible-Deploy_NewNetwork-SecPol/tree/master

Stages Overview

  • Stage 1 – Define the project
  • Stage 2 – Develop Playbook: Deploy L3 Interfaces to Cisco IOS Routers
  • Stage 3 – Develop Playbook: Deploy VLANs to Cisco NX-OS Core Switch
  • Stage 4 – Develop Playbook: Deploy ACLs on Cisco Routers & Core Switch
  • Stage 5 – Develop Playbook: Deploy Security Policies on Palo Alto Edge Firewall
  • Stage 6 – Develop Playbook: Deploy all above stages in one consolidated playbook
  • Stage 7 – Post-Verification Testing: Confirm connectivity, and ensure it behaves as expected per the deployed security policies.
  • Stage 8 – Summary of project and next project

Stage 1 – Define the Project

Project 1

Title: Ansible – Deploy New Network Interfaces & Network Security

Goal:

With Ansible, create new network interfaces with predetermined IP addresses, leverage Jinja2 templating as much as possible, and provide basic network security to the new network.

Playbook Described:

This playbook's intention is to create a new network and network interfaces on the respective devices. The network will be predetermined and allocated based on the Neverland Network structure. This playbook will also deploy various network access control lists and Palo Alto security policies to provide a layer of industry-standard security.

The playbook will also provide levels of pre-deployment checks and post-deployment verification through output displayed within the Ansible deployment tool (basically, print to screen).
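To make the shape of Stages 2, 4 and 7 concrete, here is an added example playbook of my own for this post; it is not the project's playbook from the GitHub repo above. It deploys one L3 interface to a Cisco IOS router with Jinja2 expressions rendering the variables into config lines, attaches a basic anti-spoofing ingress ACL (only traffic sourced from the new subnet is accepted, everything else is denied and logged), and wraps the change in a pre-deployment check and a post-deployment verification that prints to screen and fails the play if the interface is not up. The inventory group `ios_routers`, the interface name, the ACL name and the 10.20.30.0/24 addressing are all constructed placeholders, since the real Neverland Network allocation is not on the page; it assumes the `cisco.ios` collection and `network_cli` connection are set up.

```yaml
---
# Added example playbook (not the project's own code).
# Assumes: the cisco.ios collection is installed and the hosts in
# ios_routers use ansible_connection=ansible.netcommon.network_cli.
- name: Deploy a new L3 interface with an ingress ACL, with pre/post checks
  hosts: ios_routers
  gather_facts: false
  vars:
    # Constructed placeholder values; replace with the project's real allocation.
    new_interface: GigabitEthernet3
    new_ip: 10.20.30.1
    new_mask: 255.255.255.0
    new_network: 10.20.30.0
    new_wildcard: 0.0.0.255
    acl_name: NEWNET-IN

  tasks:
    - name: Pre-deployment check - capture the interface table before any change
      cisco.ios.ios_command:
        commands:
          - show ip interface brief
      register: pre_state

    - name: Pre-deployment check - print the current state to screen
      ansible.builtin.debug:
        var: pre_state.stdout_lines

    # The ACL is created before it is referenced so the interface never
    # comes up with a dangling access-group.
    - name: Deploy ingress ACL - accept only traffic sourced from the new subnet
      cisco.ios.ios_config:
        parents:
          - "ip access-list extended {{ acl_name }}"
        lines:
          - "permit ip {{ new_network }} {{ new_wildcard }} any"
          - "deny ip any any log"

    # Jinja2 expressions in 'lines' render the vars into IOS config;
    # ios_config only pushes lines that differ from the running config.
    - name: Deploy L3 interface with the ACL applied inbound
      cisco.ios.ios_config:
        parents:
          - "interface {{ new_interface }}"
        lines:
          - "description Managed by Ansible"
          - "ip address {{ new_ip }} {{ new_mask }}"
          - "ip access-group {{ acl_name }} in"
          - "no shutdown"

    - name: Post-deployment verification - read back the new interface
      cisco.ios.ios_command:
        commands:
          - "show ip interface brief {{ new_interface }}"
      register: post_state

    - name: Post-deployment verification - print the result to screen
      ansible.builtin.debug:
        var: post_state.stdout_lines

    - name: Post-deployment verification - fail the play if the interface is not up
      ansible.builtin.assert:
        that:
          - "new_ip in post_state.stdout[0]"
          - "'up' in post_state.stdout[0]"
        fail_msg: "{{ new_interface }} did not come up with {{ new_ip }} after deployment"
        success_msg: "{{ new_interface }} is up with {{ new_ip }} and {{ acl_name }} applied"
```

Running it with `ansible-playbook -i inventory deploy_newnet.yml --check --diff` first shows exactly which lines would be pushed without touching the routers, which is the pre-deployment gate I would want before the consolidated Stage 6 playbook runs against every device at once.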

Technologies Used:

Hardware: 1x Palo Alto PA-3020 Firewall, 1x ESXi host running the free vSphere hypervisor, 4x Cisco CSR1000v virtual routers, 1x Cisco NX-OS 9K virtual switch.

Deployment Tools: Ansible, PyCharm CE
