---
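- hosts: aoscx_switches
  connection: local
  gather_facts: false
  vars:
    # Left off to match the lab setup. With verification disabled, the login
    # below hands the switch admin credentials to whoever answers TLS on
    # ansible_host; set this to true (and trust the switch CA on the
    # controller) on any management network that is not fully isolated.
    aoscx_validate_certs: false
  tasks:
    # Render the per-device config that the switch later pulls over TFTP.
    # The file can carry the full device config (including any secrets in
    # it), so it must not be world-writable as the original 0777 made it;
    # 0644 keeps it readable by the TFTP daemon — tighten to 0640 plus the
    # daemon's group if the rendered config contains credentials.
    - name: Generate Template for Device
      template:
        src: "{{ config_template }}"
        dest: "{{ config_path }}{{ inventory_hostname }}.conf"
        mode: "0644"

    - block:
        # Login to AOS-CX Switch.
        # no_log keeps the password and the returned session cookie out of
        # verbose output and callback logs (drop it temporarily when
        # debugging a failed login); urlencode keeps a password containing
        # '&', '%' or '+' from corrupting the form body.
        - name: Login to AOS-CX Switch
          uri:
            url: "https://{{ ansible_host }}/rest/v1/login"
            method: POST
            return_content: true
            headers:
              Content-Type: "application/x-www-form-urlencoded"
              Accept: application/json
            body: "username={{ ansible_user | urlencode }}&password={{ ansible_password | urlencode }}"
            validate_certs: "{{ aoscx_validate_certs }}"
            status_code: 200
            use_proxy: false
          register: cx_session
          no_log: true

        # Replace the running-config with the rendered file. TFTP is
        # unauthenticated and unencrypted, so the config crosses the mgmt
        # VRF in clear text and the switch cannot verify who served it —
        # keep tftp_server on a network you trust. use_proxy is set here
        # (and on logout) to match the login task, so the whole session
        # takes the same path.
        - name: Push Generated Config to Device
          uri:
            url: "https://{{ ansible_host }}/rest/v1/fullconfigs/running-config?from=tftp%3A%2F%2F{{ tftp_server }}%2F{{ inventory_hostname }}.conf&vrf=mgmt"
            method: PUT
            headers:
              cookie: "{{ cx_session.set_cookie }}"
            validate_certs: "{{ aoscx_validate_certs }}"
            status_code: 200
            use_proxy: false
          register: response
          changed_when: response.status == 200
      rescue:
        # ansible_failed_result holds the result of whichever task failed.
        # The original printed response.msg, which is undefined when the
        # login step is the one that failed, so the rescue itself errored.
        - debug:
            msg: "{{ ansible_failed_result.msg | default(ansible_failed_result) }}"
      always:
        # Logout from AOS-CX Switch — only when a session was actually
        # created; otherwise cx_session.set_cookie is undefined and the
        # always block fails in turn.
        - name: Logout from AOS-CX Switch
          uri:
            url: "https://{{ ansible_host }}/rest/v1/logout"
            method: POST
            body_format: json
            headers:
              cookie: "{{ cx_session.set_cookie }}"
            validate_certs: "{{ aoscx_validate_certs }}"
            status_code: 200
            use_proxy: false
          when: cx_session is defined and cx_session.set_cookie is defined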
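- hosts: spines
  connection: local
  # Nothing below reads facts; skipping setup avoids a pointless run against
  # the controller for every spine (drop this if bgp_neighbor.yml needs facts).
  gather_facts: false
  tasks:
    # One eBGP neighbor plus the EVPN address family per leaf loopback.
    # `include` was removed in ansible-core 2.16; include_tasks is the
    # dynamic include it replaced and supports loop/vars the same way.
    # The leaf ASN is cast to int on every task, as the original did.
    - name: Create BGP Neighbors and EVPN Address Family on Spine for Leaf1
      include_tasks: aoscx_task_lists/bgp_neighbor.yml
      vars:
        neighbor_ip: "{{ item }}"
        ebgp_hop_count: 3
        remote_as: "{{ leaf1_asn | int }}"
      loop: "{{ leaf1_loopback }}"

    - name: Create BGP Neighbors and EVPN Address Family on Spine for Leaf2
      include_tasks: aoscx_task_lists/bgp_neighbor.yml
      vars:
        neighbor_ip: "{{ item }}"
        ebgp_hop_count: 3
        remote_as: "{{ leaf2_asn | int }}"
      loop: "{{ leaf2_loopback }}"

    - name: Create BGP Neighbors and EVPN Address Family on Spine for Leaf3
      include_tasks: aoscx_task_lists/bgp_neighbor.yml
      vars:
        neighbor_ip: "{{ item }}"
        ebgp_hop_count: 3
        remote_as: "{{ leaf3_asn | int }}"
      loop: "{{ leaf3_loopback }}"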
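- hosts: leafs
  gather_facts: false
  # Connection settings live at play scope so they apply to the role and to
  # every task after it (the tasks below need the httpapi connection too).
  vars:
    ansible_connection: httpapi
    ansible_network_os: aoscx
    ansible_httpapi_use_ssl: true
    # Left off to match the lab. With verification disabled, the httpapi
    # session and its credentials can be intercepted by anyone able to
    # answer TLS for the leaf's management address — enable it and install
    # the switch CA on the controller outside a lab.
    ansible_httpapi_validate_certs: false
    ansible_acx_no_proxy: true
  roles:
    - role: aoscx-ansible-role
  tasks:
    # `include` was removed in ansible-core 2.16; include_tasks is the
    # dynamic replacement. remote_as is cast to int to match the spine play.
    # Task names are made distinct so --start-at-task can target each one.
    - name: Create BGP Neighbors and EVPN Address Family towards Spine1
      include_tasks: aoscx_task_lists/bgp_neighbor.yml
      vars:
        neighbor_ip: "{{ hostvars.Spine1.loopback0_ip }}"
        ebgp_hop_count: 3
        remote_as: "{{ spine1_asn | int }}"

    - name: Create BGP Neighbors and EVPN Address Family towards Spine2
      include_tasks: aoscx_task_lists/bgp_neighbor.yml
      vars:
        neighbor_ip: "{{ hostvars.Spine2.loopback0_ip }}"
        ebgp_hop_count: 3
        remote_as: "{{ spine2_asn | int }}"

    - name: Create Server VLAN
      aoscx_vlan:
        vlan_id: "{{ client_vlan }}"
        description: Apache Server

    - name: Vlan Access
      aoscx_l2_interface:
        interface: "{{ client_int }}"
        vlan_mode: access
        vlan_access: "{{ client_vlan }}"

    - name: Create VXLAN interface
      include_tasks: aoscx_task_lists/vxlan.yml
      vars:
        vxlan: vxlan1
        source_ip: "{{ loopback1_ip }}"
        vlan_id: "{{ client_vlan | int }}"

    - name: Create EVPN instance and VLAN mapping
      include_tasks: aoscx_task_lists/evpn.yml
      vars:
        export_route: ["1:{{ client_vlan }}"]
        import_route: ["1:{{ client_vlan }}"]
        rd: auto
        vlan_id: "{{ client_vlan | int }}"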
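- hosts: servers
  become: true
  gather_facts: false
  vars:
    create_user: aruba
    # Public key of the operator running the playbook; it is the only
    # credential the new account gets (no password is ever set).
    copy_local_key: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/id_rsa.pub') }}"
    sys_packages: ['curl', 'vim', 'git', 'ufw']
    app_user: "aruba"
    http_host: "aruba_apache_server"
    http_conf: "aruba_apache_server.conf"
    http_port: "80"
    disable_default: true
  tasks:
    # Installed once here; the original repeated this install further down.
    - name: Install Prerequisites
      apt:
        name: aptitude
        state: latest
        update_cache: true
        force_apt_get: true

    # Sudo Group Setup
    - name: Make sure we have a 'network_admin' group
      group:
        name: network_admin
        state: present

    # NOTE(review): this grants every member of network_admin unrestricted
    # root with no password prompt, so membership in the group is equivalent
    # to holding the root account. Keep the group limited to the account
    # created below, and drop NOPASSWD if an interactive prompt is acceptable.
    - name: Allow 'network_admin' group to have passwordless sudo
      lineinfile:
        path: /etc/sudoers
        state: present
        regexp: '^%network_admin'
        line: '%network_admin ALL=(ALL) NOPASSWD: ALL'
        validate: '/usr/sbin/visudo -cf %s'

    # User + Key Setup
    - name: Create a new regular user with sudo privileges
      user:
        name: "{{ create_user }}"
        state: present
        groups: network_admin
        append: true
        create_home: true
        shell: /bin/bash

    - name: Set authorized key for remote user
      authorized_key:
        user: "{{ create_user }}"
        state: present
        key: "{{ copy_local_key }}"

    # The original edited sshd_config but never restarted sshd, so the
    # setting only took effect at the next reboot. validate rejects a broken
    # file before it is written, so a typo cannot lock everyone out.
    - name: Disable password authentication for root
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin prohibit-password'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart sshd

    # Install Packages (the original ran this stanza and the UFW stanza
    # twice back to back; once is enough, both are idempotent).
    - name: Update apt
      apt:
        update_cache: true

    # state: latest upgrades to whatever the mirror currently ships on every
    # run; switch to state: present once the image is baselined.
    - name: Install required system packages
      apt:
        name: "{{ sys_packages }}"
        state: latest

    # UFW Setup — allow SSH before flipping the default policy to deny, so
    # the management session is never cut off mid-play.
    - name: UFW - Allow SSH connections
      ufw:
        rule: allow
        name: OpenSSH

    - name: UFW - Deny all other incoming traffic by default
      ufw:
        state: enabled
        policy: deny
        direction: incoming

    - name: Install Apache
      apt:
        name: apache2
        state: latest
        update_cache: true

    - name: Create document root
      file:
        path: "/var/www/{{ http_host }}"
        state: directory
        owner: "{{ app_user }}"
        mode: "0755"

    - name: Copy index test page
      template:
        src: "files/index.html.j2"
        dest: "/var/www/{{ http_host }}/index.html"

    # A changed vhost needs a reload as well; the original only reloaded on
    # a2ensite, which does nothing once the site is already enabled.
    - name: Set up Apache virtualhost
      template:
        src: "files/apache.conf.j2"
        dest: "/etc/apache2/sites-available/{{ http_conf }}"
      notify: Reload Apache

    # command with creates/removes instead of shell: no shell interpolation
    # of http_conf, and the task reports changed only when it did something.
    - name: Enable new site
      command: /usr/sbin/a2ensite {{ http_conf }}
      args:
        creates: "/etc/apache2/sites-enabled/{{ http_conf }}"
      notify: Reload Apache

    - name: Disable default Apache site
      command: /usr/sbin/a2dissite 000-default.conf
      args:
        removes: /etc/apache2/sites-enabled/000-default.conf
      when: disable_default
      notify: Reload Apache

    - name: "UFW - Allow HTTP on port {{ http_port }}"
      ufw:
        rule: allow
        port: "{{ http_port }}"
        proto: tcp

  handlers:
    - name: Reload Apache
      service:
        name: apache2
        state: reloaded

    - name: Restart Apache
      service:
        name: apache2
        state: restarted

    # The tasks above use apt, i.e. a Debian/Ubuntu host, where the unit is
    # named 'ssh' rather than 'sshd'.
    - name: Restart sshd
      service:
        name: ssh
        state: restarted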