Cisco CCIE Security 350-701 – Network Automation Tools

February 25, 2023

1. Config Management Tools

In this section we will try to understand the network automation tools: which tools are used, what they are capable of, especially for configuration management, and what the different tools have in common. Later on we will look at the terminology used inside these tools, such as master and agents and the push and pull models, and then at the individual tools, Puppet included.

Puppet, Chef, Ansible and SaltStack are the automation tools most commonly used for configuration management, or for network automation in general. So let's get started. We already discussed automation in a little more detail in the previous sections.

There are plenty of things that can be automated. You can do dynamic provisioning of devices. You can add a new device and push its initial configuration to it, or make changes to an existing configuration. You can do software upgrades where multiple devices are upgraded simultaneously, and you can schedule that.

These are the options we have already discussed, and all of them can be done with the help of network automation tools. The question is where these tasks are actually run from. There are two ways.

The first option is to do it on the controller itself: you have a controller, and the controller does all of these things inside it. Most of the time, though, you will be using the second option, which is a separate piece of software, what we call a network configuration tool or a configuration management tool. Here we use it for the network, but the same tools are also used for servers.

That is why I generally use the common term: in the next slides we will say configuration management tools. These tools can work independently, without a controller. You can have the software running on its own server and do the configuration management from there; that is one option. Or the software can interact with a controller, and the automation tasks are carried out through the controller. Different organizations and different vendors offer different kinds of solutions.

So the software can either work independently and push the configurations directly to the devices, or it can go via the controller. In an SDN architecture we will mostly be using the via-controller option, so the commonly used network automation tools listed here will typically be assisting the SDN controller.

Here we have Ansible, Chef, Puppet and SaltStack. Out of these, Ansible is the newest, introduced around 2012; Chef came around 2009 and Puppet around 2005. We will get into the individual tools, how they differ and what options they offer, in the coming sections. Whatever the tool, these configuration tools were initially introduced to automate servers, not networks. They were introduced to automate servers, typically virtualized ones. What is virtualization? Virtualization is a method where you have one physical server, one box, and a requirement to host several services. Say I need to host five web servers, two email servers and some FTP servers, ten in total. Instead of having ten separate physical servers, I take one box and logically create something called a virtual machine or virtual server, which acts as one separate physical server.

It does the same job as a separate physical box; that is the concept of virtualization. The tools I listed were initially developed to manage these virtual servers: they can dynamically create virtual machines, they can do provisioning, which means bringing a virtual machine up with a set of pre-configured settings, and they can remove a VM when you no longer need it in the network. All of that can be automated. So initially these tools were introduced to automate virtualized servers; later on, to add more flexibility, they were extended so that they can automate your network as well. What we will be doing is using the same tools, apart from the automation of virtual servers, for the network devices.

2. Config Management Tools – Capabilities

Let's try to understand what we can do with configuration management tools and how automation tools make your job easier. Generally the network engineer's job becomes much easier with the help of automation tools, so let's see how. The first thing is that they remove the dependency on box-by-box management. Take an example: you have 50-plus routers and switches and you need to make changes to these existing devices, add new configuration, or remove specific configuration. What we would normally do is log in to the command line using Telnet or SSH, log in to each device and type in the specific commands, or, if you have a pre-configured text, copy and paste it on each and every box.

So you have to go to each and every box and make the changes. Even when all the devices get the same copy-paste commands, you still need to log in to each device, and if there are slight differences you edit the config a little in Notepad and paste it on the individual devices. All of that is no longer required with automation tools. The tool removes the dependency: you don't need to log in to the device, you don't need to touch the device, you simply select the devices in the software and the software pushes the commands to the individual devices. Apart from that, we can automate the deployment of the changes.

Either it can be scheduled or it can be run manually. What this means is that we log in to the software, and from the software we can either connect to the individual devices and make the changes manually, or we can schedule them. You can say: I don't want to make the changes right now, I want the software to make them automatically at 03:00 in the morning. You define the instructions, which changes on which devices, and the software carries them out according to the schedule.

Once the changes are made, it can collect the results of the changes and display them back to you in the software. With this you avoid human error, because you are not doing the work manually on each and every box. You can check the commands before you tell the software to run them, and verify the result afterwards; the check you want is a dry run that shows the difference between the current and the proposed configuration for every device before anything is pushed, so the review happens once rather than fifty times. It also makes your configuration much faster, avoids configuration-related problems and eliminates repetitive tasks. The next thing is centralized configuration and software management tasks on a single controller. Effectively you can manage multiple simultaneous updates: just like the configurations, you can schedule specific updates, upgrade the software or the images on specific devices, and centralize everything in one piece of software.

Centralization means the software may be running on its own standalone server, typically some Linux or Ubuntu server, and the automation is done from that server. That is one option. The second option is that the tool talks to the controller and sends its instructions to the network devices via the controller. Which one you use depends on your environment, on the vendor you select and on whether you have a controller or not. In a Cisco SDN network this software will typically be talking to Cisco DNA Center, which is the controller for the whole environment. One caveat: whichever way you centralize, that one server now holds credentials for every device in the network, so it has to be protected, patched and audited at least as carefully as the devices it manages.

These configuration management tools use scripts to perform mass upgrades or changes. Basically the tools run sets of commands: we add a group of commands and group them in the form of a script. Then we tell the software to run that script either manually or on a schedule: run this specific set of commands, which we call a script, at this particular time. Apart from that we can do something called zero-day automation, which is plug-and-play device provisioning. We discussed most of this at the beginning, in the foundation topics. Whenever you add a new router or switch, say I add a new router here, that router needs to come online and become part of the network.

To make that new device part of the network you normally have to connect to it and do a lot of manual configuration before it is fully functional: add the IP address, add some basic configuration, and so on. That process takes time. With configuration management tools we can automate it. Whenever a new device comes up, it automatically becomes fully functional without anyone logging in to it: it fetches its configuration from the controller or from the software, installs it dynamically and comes up immediately, without anyone touching the device. Because the device will install whatever it is handed at that moment, the channel it fetches over has to authenticate the controller, otherwise whatever answers first on the management network gets to configure it.

Finally, with these tools we can create resources. A resource refers to any change or anything you want to add on a specific device: creating a VLAN, applying route filtering, changing the routing, applying an ACL, or collecting statistics. Each of these is individually referred to as a resource, and you can apply resources, or make any change, either on a specific node or on a group of nodes. You can apply them to multiple devices at the same time, or apply a specific change or add something new on a single selected node, dynamically from the software.
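As an added example for the capabilities described above (it is not code from the course, nor from Ansible, Puppet, Chef or SaltStack), here is a small Python reconciler that does what the tool does for you: it holds an inventory, computes per node the commands needed to reach the desired resources for its role, shows the diff for review in a dry run, and only then pushes to every node in one pass. The inventory, the devices' running configurations, the desired resources and the push function that updates them in memory are all constructed for the example so it runs offline; a real tool would fetch the running config over SSH or NETCONF and send the commands over the same channel.

```python
"""Reconcile a desired configuration across many nodes in one pass.

Added example for this section, not code from the course or from any of the
tools it names. The inventory, the devices' running configurations and the
desired state are constructed inline so the script runs offline; a real tool
would fetch the running config over SSH or NETCONF and send the resulting
commands over the same channel.
"""
import difflib
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    role: str
    running: list                                 # current config, one command per entry
    applied: list = field(default_factory=list)   # commands actually sent to the device


def build_inventory():
    """Constructed inventory: three devices in two roles, each slightly drifted."""
    return [
        Node("edge-r1", "edge", ["hostname edge-r1", "ntp server 10.0.0.5", "ip domain-lookup"]),
        Node("edge-r2", "edge", ["hostname edge-r2", "ntp server 10.0.0.5",
                                 "service tcp-small-servers"]),
        Node("core-sw1", "core", ["hostname core-sw1", "ntp server 10.0.0.5"]),
    ]


# Desired resources per role: lines that must exist and lines that must not.
# Anything not listed (hostname, the old NTP server) is left alone.
DESIRED = {
    "edge": {
        "present": ["ntp server 10.0.0.6", "login block-for 120 attempts 3 within 60"],
        "absent": ["ip domain-lookup", "service tcp-small-servers"],
    },
    "core": {"present": ["ntp server 10.0.0.6"], "absent": []},
}


def plan(node):
    """Commands needed to bring `node` to its role's desired state (empty if compliant)."""
    want = DESIRED[node.role]
    have = set(node.running)
    cmds = [line for line in want["present"] if line not in have]
    cmds += ["no " + line for line in want["absent"] if line in have]
    return cmds


def apply(node, cmds):
    """Simulated push: mutate the running config the way the device would."""
    for c in cmds:
        if c.startswith("no "):
            node.running.remove(c[3:])
        else:
            node.running.append(c)
        node.applied.append(c)


def preview(node, cmds):
    """Unified diff of running vs. proposed config, for review before anything is pushed."""
    after = Node(node.name, node.role, list(node.running))
    apply(after, cmds)
    return "".join(difflib.unified_diff(
        [line + "\n" for line in node.running], [line + "\n" for line in after.running],
        fromfile=node.name + " (running)", tofile=node.name + " (proposed)"))


def reconcile(nodes, dry_run=True):
    """Plan every node; push only when dry_run is False. Returns a per-node report."""
    report = {}
    for n in nodes:
        cmds = plan(n)
        if cmds and not dry_run:
            apply(n, cmds)
        report[n.name] = {"changed": bool(cmds), "commands": cmds}
    return report


if __name__ == "__main__":
    inv = build_inventory()
    for n in inv:
        print(preview(n, plan(n)))      # review step: diff per device, nothing pushed yet
    print(reconcile(inv, dry_run=False))
    print(reconcile(inv))               # second pass reports no changes: the run is idempotent
```

The second `reconcile` call is the point of the design: because the commands are computed from the difference between desired and running state rather than replayed from a fixed script, running the job again on an already compliant device changes nothing, and a device that drifted by hand gets corrected on the next scheduled run.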

3. Master-Agent

Next we will try to understand the concept of master and agents. The configuration management tools we are using have two components, two pieces: the master and the agent. In simple terms the master is the device or server responsible for doing the configuration management. It is where the software is installed, maybe standalone software running on a Linux or Ubuntu platform, and it controls the clients, the devices, from a centralized location. Typically we call this the master. So the master refers to the server that controls the configuration information, because we push the configurations from this centralized place, or pull information from the devices, network information or server information. Those devices we typically call agents.

So the master is the one from where you control the agents. Agents are the individual nodes that the server, the master, manages. These nodes get their configuration from the master: in this example it can be a router, a switch or a server that supports an agent, and each of them gets its configuration from the master. So each node is an agent that gets its own configuration from the master.

Agent support is only possible when that piece of software is present on the device. Remember, a router, a switch or a server does not become an agent unless the agent software is installed. Say I'm using Puppet. Then this server is the Puppet master.

And whatever the devices are, they must have the agent installed, or at least be capable of understanding the messages exchanged with the master, so they must be running the Puppet agent. That is what we call agent-based. If your device doesn't support the agent software, it cannot communicate with the master. So this is something we need to know. Depending on which product you're using the process is different: with Ansible it is different, and with Chef there will be a Chef server and a Chef client. The main thing is that the nodes must have agent support, and which agent depends on which software you use; this one is the master and these are the agents.

The master-agent model is used by Puppet, Chef and SaltStack, and each uses slightly different terminology. With Puppet this is the master (newer versions call it Puppet Server) and these are agents; Chef calls them server and client; and in SaltStack there is a master and the nodes are called minions.

Whatever the terminology, the concept remains the same: if I'm using Puppet the nodes must support the Puppet agent, if I'm using Chef they must run the Chef client, and so on. Puppet and Chef also use a pull model: the agent contacts the master periodically (Puppet by default every 30 minutes), fetches its catalog and applies it; in Puppet both sides authenticate with TLS certificates issued by Puppet's own CA when the node was enrolled. SaltStack's minions keep a connection open to the master, over which the master pushes commands. Ansible is different: Ansible is not in this list because Ansible is agentless. The control node pushes the configuration over SSH, or over the device's API, and nothing has to be installed on the managed node; what it needs instead is an SSH account or API credentials for every device, which the control node holds. That is one of the main reasons Ansible is so widely used for network devices: practically, having every individual device support an agent may not be possible, so the alternative is an agentless option where you can still communicate with the nodes without installing an agent.
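As an added example (not code from the course or from Puppet, Chef, SaltStack or Ansible), the following Python simulates the master-agent pull exchange in one process: the master holds the desired state and a per-node key issued at enrollment; each agent pulls its catalog, checks that it really came from the master, is addressed to it and is not older than what it already applied, and only then installs it. The HMAC key is a stand-in for the TLS certificates Puppet issues from its own CA; the node names, keys, resources and the serial-number scheme are constructed for the example. The same origin and freshness questions arise in the zero-day provisioning described earlier, where a brand-new device takes its first configuration from whoever answers.

```python
"""Master/agent pull model with an authenticated catalog.

Added example for this section, not code from the course or from Puppet, Chef
or SaltStack. One process plays both sides: the master holds the desired state
and a per-node key handed out at enrollment; each agent asks for its catalog
and checks origin, addressee and freshness before applying it. The HMAC key is
a stand-in for the TLS certificates Puppet issues from its own CA; every node
name, key and resource here is constructed for the example.
"""
import hashlib
import hmac
import json
import secrets


class Master:
    """Central server: knows the desired state of every enrolled node."""

    def __init__(self):
        self.keys = {}       # node name -> shared key issued at enrollment
        self.desired = {}    # node name -> resources the node must apply
        self.serial = 0      # bumped on every change, so agents can spot replays

    def enroll(self, node_name, resources):
        """Out-of-band enrollment (in Puppet: the admin signs the agent's CSR)."""
        key = secrets.token_bytes(32)
        self.keys[node_name] = key
        self.desired[node_name] = resources
        return key

    def set_desired(self, node_name, resources):
        """Operator changes a node's desired state; nothing is pushed, agents will pull."""
        self.desired[node_name] = resources
        self.serial += 1

    def catalog_for(self, node_name):
        """Serialise the node's catalog and MAC it under that node's key."""
        if node_name not in self.keys:
            raise PermissionError(node_name + " is not enrolled")
        body = json.dumps({"node": node_name, "serial": self.serial,
                           "resources": self.desired[node_name]},
                          sort_keys=True).encode()
        mac = hmac.new(self.keys[node_name], body, hashlib.sha256).hexdigest()
        return body, mac


class Agent:
    """Runs on the managed node; it initiates every exchange (pull model)."""

    def __init__(self, name, key):
        self.name = name
        self.key = key
        self.state = {}          # resources currently applied
        self.last_serial = -1
        self.log = []

    def pull(self, master):
        """One periodic run: request the catalog and try to apply it."""
        body, mac = master.catalog_for(self.name)
        return self.receive(body, mac)

    def receive(self, body, mac):
        """Verify before applying: origin, addressee, freshness. Returns True if applied."""
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            self.log.append("rejected: bad MAC")          # tampered, or not from our master
            return False
        catalog = json.loads(body)
        if catalog["node"] != self.name:                  # defence in depth if keys were shared
            self.log.append("rejected: catalog for another node")
            return False
        if catalog["serial"] < self.last_serial:          # an older catalog replayed to us
            self.log.append("rejected: stale/replayed serial")
            return False
        self.state = catalog["resources"]
        self.last_serial = catalog["serial"]
        self.log.append("applied serial %d" % catalog["serial"])
        return True


def run_cycle(agents, master):
    """Simulate one scheduled run across all agents; the master never initiates."""
    return {a.name: a.pull(master) for a in agents}


if __name__ == "__main__":
    master = Master()
    r1 = Agent("edge-r1", master.enroll("edge-r1", {"ntp": ["10.0.0.5"]}))
    r2 = Agent("edge-r2", master.enroll("edge-r2", {"ntp": ["10.0.0.5"]}))
    print(run_cycle([r1, r2], master))
    master.set_desired("edge-r1", {"ntp": ["10.0.0.6"]})
    print(run_cycle([r1, r2], master), r1.state, r2.state)
    body, mac = master.catalog_for("edge-r1")             # a tampered copy is refused
    print(r1.receive(body.replace(b"10.0.0.6", b"10.6.6.6"), mac), r1.log[-1])
```

Two things to notice. Re-pulling the current catalog is accepted (the serial is not older), which is what makes a scheduled run idempotent, while a captured earlier catalog is refused even though its MAC is valid. And because every node has its own key, a catalog built for edge-r2 fails the MAC check on edge-r1 before the addressee check is ever reached; that second check only matters if an operator shares one key across nodes, which is exactly why tools like Puppet issue a certificate per node.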
