Merge pull request #9 from gejames/master

Add vtyacl demo for network workshop
2021-06-03 15:55:03 -04:00
parent 2ca3186a95 88521df432
commit 15fd9910f4
3 changed files with 158 additions and 0 deletions
--- a/docs/network/configlet_vtyacl.md
+++ b/docs/network/configlet_vtyacl.md
@@ -0,0 +1,77 @@
+# Demo: Deploy Application
+
+[Click here to return to master demo list](../../README.md#demo-repository)
+
+## Table of Contents
+
+* [Objective](#objective)
+* [What business problem is solved?](#what-business-problem-is-solved)
+* [Features show cased](#features-show-cased)
+* [Video](#video)
+* [Guide](#guide)
+
+# Objective
+
+Demonstrate managing the VTY ACL on a Cisco router.  
+
+# What business problem is solved?
+
+- **speed to market**:
+Reduce the time needed to make changes to Cisco configs.
+- **reduce human error**:
+Automation of routine manual processes
+- **reduce complexity**:
+Allows one Network Engineer to update multiple devices at once.  Automate and test once and allow all users access to deploy Ansible Jobs.
+- **enforce policy**:
+Ansible ensures every device has the same config.  
+
+# Features show cased
+
+- Push button deployment
+
+
+For description of these and other features of the Red Hat Ansible Automation Platform please refer to the [features README](../features.md)
+
+
+# Guide
+
+1. Verify rtr1 config
+
+     ssh to rtr1 from the workshop bastion and perform a ***show run*** on the router.   Verify that there is no VTY ACL on the router.
+
+2. Login to Ansible Platform UX
+
+3. Navigate to **Templates**
+
+     ![job templates](../../images/templates.png)
+
+4. Click the rocket next to **Cisco IOS VTY ACL config audit/remediation** to launch the Job
+
+     ![rocket launch](../../images/rocket.png)
+
+5.  The job will launch and update the VTY ACL on rtr1.
+
+    
+6. What is happening:
+
+     - Job has started executed in the background.  The user can navigate off this page and the job will continue to execute.
+     - On the left is the **Job Details Pane** labeled simply with **DETAILS**.  This information is logged and tells you who, what, when and how.
+       - **who** - who launched the job, in this example is the admin user
+       - **what** - the project and Ansible Playbook used, and which credential to login to the infrastructure
+       - **when** - time stamps for start, end and duration of the job run.
+       - **how** - the job status (pass, fail), enviornment and execution node
+     - The larger window on the right is the **Standard Out Pane**.  This provides the same console output the user would be used to on the command-line for troubleshooting purposes.  Some important takeways to showcase are:
+       - aggregate info is at the top including the amount of Plays, tasks, hosts and time duration.
+       - this pane can be expanded to take up entire browser window
+       - Ansible Playbook can be downloaded for troubleshooting purposes
+       - **click on task output** to show them task-by-task JSON output that can be used for troubleshooting or just getting additional information
+       
+
+7. ssh to rtr1 and verify the VTY ACL has been changed.
+
+       
+
+
+
+---
+You have finished this demo.  [Click here to return to master demo list](../../README.md#demo-repository)
--- a/playbooks/network/configlet_vtyacl.yml
+++ b/playbooks/network/configlet_vtyacl.yml
@@ -0,0 +1,60 @@
+---
+- name: CORRECT VTY-ACL ON CISCO DEVICES
+  hosts: cisco
+  connection: network_cli
+  gather_facts: no
+
+  tasks:
+
+    - name: SAVE RUNNING-CONFIG TO NVRAM FOR RECOVERY IF NEEDED
+      ios_config:
+        save_when: always
+
+    - name: Set the task_status var
+      set_fact:
+        task_status: "OK"
+
+    - block:
+      - name: UPDATE VTY-ACL ACCESS LIST
+        ios_config:
+          parents: ip access-list extended VTY-ACL
+          lines:
+            - permit tcp host {{ hostvars['ansible-1'].ansible_host }} any eq 22
+            - permit tcp 172.16.0.0 0.15.255.255 any eq 22
+            - permit tcp 192.168.0.0 0.0.255.255 any eq 22
+            - permit tcp 10.0.0.0 0.255.255.255 any eq 22 log-input
+            - deny   ip any any log-input
+          match: exact
+          replace: block
+          before:
+            - line vty 0 15
+            - NO access-class VTY-ACL in
+            - NO ip access-list extended VTY-ACL
+          after:
+            - line vty 0 15
+            - access-class VTY-ACL in
+
+      - name: CHECK IF SSH IS STILL ACCESSIABLE FROM NETWORK
+        wait_for:
+          host: "{{ inventory_hostname }}"
+          port: 22
+          state: started
+          delay: 2
+          timeout: 6
+        ignore_errors: no
+        
+
+      - name: SSH TEST SUCCESSFUL.  SAVING RUNNING-CONFIG
+        ios_config:
+          save_when: always
+
+      rescue:
+        - name: UPDATE FAILED. ROLLING BACK CONFIG
+          ios_command:
+            commands:
+                - configure replace nvram:startup-config force
+        - set_fact:
+            task_status: "ERROR"
+
+      when: task_status == 'OK'
+   
--- a/roles/install_demo/vars/main/network/configlet_vtyacl.yml
+++ b/roles/install_demo/vars/main/network/configlet_vtyacl.yml
@@ -0,0 +1,21 @@
+---
+configlet_vtyacl:
+  author: "George James"
+  category: network
+  name: "Cisco IOS VTY ACL config audit/remediation"
+  description: "Cisco IOS VTY ACL config audit/remediation"
+  job_type: "run"
+  inventory: "Workshop Inventory"
+  playbook: "playbooks/network/configlet_vtyacl.yml"
+  credential: "Workshop Credential"
+  survey_enabled: false
+  fact_caching_enabled: true
+  project:
+    name: "Ansible official demo project"
+    description: "prescriptive demos from Red Hat Management Business Unit"
+    organization: "Default"
+    scm_type: git
+    scm_url: "https://github.com/ansible/product-demos"
+  workshop_type:
+    - network
+    - demo