From 88521df4325ddf3ab1df7ad1ea2f4a3984497027 Mon Sep 17 00:00:00 2001
From: George
Date: Wed, 14 Oct 2020 14:03:25 -0700
Subject: [PATCH] added vtyacl demo
---
docs/network/configlet_vtyacl.md | 77 +++++++++++++++++++
playbooks/network/configlet_vtyacl.yml | 60 +++++++++++++++
.../vars/main/network/configlet_vtyacl.yml | 21 +++++
3 files changed, 158 insertions(+)
create mode 100644 docs/network/configlet_vtyacl.md
create mode 100644 playbooks/network/configlet_vtyacl.yml
create mode 100644 roles/install_demo/vars/main/network/configlet_vtyacl.yml
diff --git a/docs/network/configlet_vtyacl.md b/docs/network/configlet_vtyacl.md
new file mode 100644
index 0000000..0d510d2
--- /dev/null
+++ b/docs/network/configlet_vtyacl.md
@@ -0,0 +1,77 @@
+# Demo: Deploy Application
+
+[Click here to return to master demo list](../../README.md#demo-repository)
+
+## Table of Contents
+
+* [Objective](#objective)
+* [What business problem is solved?](#what-business-problem-is-solved)
+* [Features show cased](#features-show-cased)
+* [Video](#video)
+* [Guide](#guide)
+
+# Objective
+
+Demonstrate managing the VTY ACL on a Cisco router.
+
+# What business problem is solved?
+
+- **speed to market**:
+Reduce the time needed to make changes to Cisco configs.
+- **reduce human error**:
+Automation of routine manual processes
+- **reduce complexity**:
+Allows one Network Engineer to update multiple devices at once. Automate and test once and allow all users access to deploy Ansible Jobs.
+- **enforce policy**:
+Ansible ensures every device has the same config.
+
+# Features show cased
+
+- Push button deployment
+
+
+For description of these and other features of the Red Hat Ansible Automation Platform please refer to the [features README](../features.md)
+
+
+# Guide
+
+1. Verify rtr1 config
+
+ ssh to rtr1 from the workshop bastion and perform a ***show run*** on the router. Verify that there is no VTY ACL on the router.
+
+2. Login to Ansible Platform UX
+
+3. Navigate to **Templates**
+
+ ![job templates](../../images/templates.png)
+
+4. Click the rocket next to **Cisco IOS VTY ACL config audit/remediation** to launch the Job
+
+ ![rocket launch](../../images/rocket.png)
+
+5. The job will launch and update the VTY ACL on rtr1.
+
+
+6. What is happening:
+
+ - Job has started executed in the background. The user can navigate off this page and the job will continue to execute.
+ - On the left is the **Job Details Pane** labeled simply with **DETAILS**. This information is logged and tells you who, what, when and how.
+ - **who** - who launched the job, in this example is the admin user
+ - **what** - the project and Ansible Playbook used, and which credential to login to the infrastructure
+ - **when** - time stamps for start, end and duration of the job run.
+ - **how** - the job status (pass, fail), enviornment and execution node
+ - The larger window on the right is the **Standard Out Pane**. This provides the same console output the user would be used to on the command-line for troubleshooting purposes. Some important takeways to showcase are:
+ - aggregate info is at the top including the amount of Plays, tasks, hosts and time duration.
+ - this pane can be expanded to take up entire browser window
+ - Ansible Playbook can be downloaded for troubleshooting purposes
+ - **click on task output** to show them task-by-task JSON output that can be used for troubleshooting or just getting additional information
+
+
+7. ssh to rtr1 and verify the VTY ACL has been changed.
+
+
+
+
+
+---
+You have finished this demo. [Click here to return to master demo list](../../README.md#demo-repository)
diff --git a/playbooks/network/configlet_vtyacl.yml b/playbooks/network/configlet_vtyacl.yml
new file mode 100644
index 0000000..d2db144
--- /dev/null
+++ b/playbooks/network/configlet_vtyacl.yml
@@ -0,0 +1,60 @@
+---
+- name: CORRECT VTY-ACL ON CISCO DEVICES
+ hosts: cisco
+ connection: network_cli
+ gather_facts: no
+
+ tasks:
+
+ - name: SAVE RUNNING-CONFIG TO NVRAM FOR RECOVERY IF NEEDED
+ ios_config:
+ save_when: always
+
+ - name: Set the task_status var
+ set_fact:
+ task_status: "OK"
+
+ - block:
+ - name: UPDATE VTY-ACL ACCESS LIST
+ ios_config:
+ parents: ip access-list extended VTY-ACL
+ lines:
+ - permit tcp host {{ hostvars['ansible-1'].ansible_host }} any eq 22
+ - permit tcp 172.16.0.0 0.15.255.255 any eq 22
+ - permit tcp 192.168.0.0 0.0.255.255 any eq 22
+ - permit tcp 10.0.0.0 0.255.255.255 any eq 22 log-input
+ - deny ip any any log-input
+ match: exact
+ replace: block
+ before:
+ - line vty 0 15
+ - NO access-class VTY-ACL in
+ - NO ip access-list extended VTY-ACL
+ after:
+ - line vty 0 15
+ - access-class VTY-ACL in
+
+ - name: CHECK IF SSH IS STILL ACCESSIABLE FROM NETWORK
+ wait_for:
+ host: "{{ inventory_hostname }}"
+ port: 22
+ state: started
+ delay: 2
+ timeout: 6
+ ignore_errors: no
+
+
+ - name: SSH TEST SUCCESSFUL. SAVING RUNNING-CONFIG
+ ios_config:
+ save_when: always
+
+ rescue:
+ - name: UPDATE FAILED. ROLLING BACK CONFIG
+ ios_command:
+ commands:
+ - configure replace nvram:startup-config force
+ - set_fact:
+ task_status: "ERROR"
+
+ when: task_status == 'OK'
+
diff --git a/roles/install_demo/vars/main/network/configlet_vtyacl.yml b/roles/install_demo/vars/main/network/configlet_vtyacl.yml
new file mode 100644
index 0000000..7d63a4e
--- /dev/null
+++ b/roles/install_demo/vars/main/network/configlet_vtyacl.yml
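Review bot: The `CHECK IF SSH IS STILL ACCESSIABLE FROM NETWORK` task cannot detect a lockout, because under `connection: network_cli` the `wait_for` probe is made from the control node, and the new ACL explicitly permits that very source (`permit tcp host {{ hostvars['ansible-1'].ansible_host }} any eq 22`), so the one address it tests is the one address guaranteed to pass; either probe from a host outside that entry or mark the task `# NOTE: only proves the controller itself still reaches port 22; it does not validate the RFC1918 entries`. The probe also targets `host: "{{ inventory_hostname }}"`, which only works if the inventory name resolves on the controller; `host: "{{ ansible_host | default(inventory_hostname) }}"` removes that dependency. Because `before:` removes `access-class VTY-ACL in` and deletes the ACL before the new entries and the `after:` re-apply run, there is a window in which `line vty 0 15` has no ACL at all, and a failure inside that window leaves the VTY unrestricted until the rescue's `configure replace nvram:startup-config force` completes — worth a comment on the block so operators understand what the rollback is protecting against. Finally, `when: task_status == 'OK'` is always true here since the fact is set to `"OK"` two tasks earlier, and `gather_facts: no` / `ignore_errors: no` would be clearer as `false`.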
@@ -0,0 +1,21 @@
+---
+configlet_vtyacl:
+ author: "George James"
+ category: network
+ name: "Cisco IOS VTY ACL config audit/remediation"
+ description: "Cisco IOS VTY ACL config audit/remediation"
+ job_type: "run"
+ inventory: "Workshop Inventory"
+ playbook: "playbooks/network/configlet_vtyacl.yml"
+ credential: "Workshop Credential"
+ survey_enabled: false
+ fact_caching_enabled: true
+ project:
+ name: "Ansible official demo project"
+ description: "prescriptive demos from Red Hat Management Business Unit"
+ organization: "Default"
+ scm_type: git
+ scm_url: "https://github.com/ansible/product-demos"
+ workshop_type:
+ - network
+ - demo
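Review bot: The `project` stanza pins no branch, tag or revision for `scm_url`, so the job template executes whatever the repository's default branch holds at launch time rather than the playbook content this commit was reviewed with; if the install_demo role passes a branch through to the project definition, add one (e.g. `scm_branch: "<release tag>"`) so the demo is reproducible. The playbook it references targets `hosts: cisco`, so `inventory: "Workshop Inventory"` must contain that group; a one-line comment next to `inventory` naming that dependency would save the next person a failed launch.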