.
├── LICENSE
├── README.md
├── ansible-policies
│   ├── external-services.yml
│   ├── internal-services-tcp.yml
│   ├── internal-services.yml
│   ├── internal_protection.yml
│   ├── internal_protection_tcp.yml
│   ├── inventory
│   └── reachability.yml
├── batfish
│   ├── isp_config.json
│   ├── layer1_topology.json
│   └── testrig_positions
├── code
│   ├── acl_gen.py
│   ├── gen_configs.py
│   ├── gen_inventory.py
│   ├── gen_leaf_yaml.py
│   └── gen_topology.py
├── images
│   ├── gitlab-runner-setup-small.png
│   └── gitlab_repo_clone.png
├── inputs
│   ├── bl01.yml
│   ├── bl02.yml
│   ├── bor01.yml
│   ├── bor02.yml
│   ├── firewall
│   │   ├── fwl_in_out.yml
│   │   ├── fwl_out_in.yml
│   │   ├── network.net
│   │   └── services.svc
│   ├── fwl01.yml
│   ├── leaf01.yml
│   ├── leaf02.yml
│   ├── leaf03.yml
│   ├── leaf04.yml
│   ├── leaf05.yml
│   ├── leaf06.yml
│   ├── leaf07.yml
│   ├── leaf08.yml
│   ├── leaf09.yml
│   ├── leaf10.yml
│   ├── leaf11.yml
│   ├── leaf12.yml
│   ├── leaf13.yml
│   ├── leaf14.yml
│   ├── leaf15.yml
│   ├── leaf16.yml
│   ├── leaf17.yml
│   ├── leaf18.yml
│   ├── leaf19.yml
│   ├── leaf20.yml
│   ├── leaf21.yml
│   ├── leaf22.yml
│   ├── leaf23.yml
│   ├── leaf24.yml
│   ├── leaf25.yml
│   ├── leaf26.yml
│   ├── leaf27.yml
│   ├── leaf28.yml
│   ├── leaf29.yml
│   ├── leaf30.yml
│   ├── leaf31.yml
│   ├── leaf32.yml
│   ├── leaf33.yml
│   ├── leaf34.yml
│   ├── leaf35.yml
│   ├── leaf36.yml
│   ├── leaf37.yml
│   ├── leaf38.yml
│   ├── leaf39.yml
│   ├── leaf40.yml
│   ├── leaf41.yml
│   ├── leaf42.yml
│   ├── leaf43.yml
│   ├── leaf44.yml
│   ├── leaf45.yml
│   ├── leaf46.yml
│   ├── leaf47.yml
│   ├── leaf48.yml
│   ├── leaf49.yml
│   ├── leaf50.yml
│   ├── leaf51.yml
│   ├── leaf52.yml
│   ├── leaf53.yml
│   ├── leaf54.yml
│   ├── leaf55.yml
│   ├── leaf56.yml
│   ├── leaf57.yml
│   ├── leaf58.yml
│   ├── leaf59.yml
│   ├── leaf60.yml
│   ├── leaf61.yml
│   ├── leaf62.yml
│   ├── leaf63.yml
│   ├── leaf64.yml
│   ├── leaf65.yml
│   ├── leaf66.yml
│   ├── leaf67.yml
│   ├── leaf68.yml
│   ├── leaf69.yml
│   ├── leaf70.yml
│   ├── leaf71.yml
│   ├── leaf72.yml
│   ├── leaf73.yml
│   ├── leaf74.yml
│   ├── leaf75.yml
│   ├── leaf76.yml
│   ├── leaf77.yml
│   ├── leaf78.yml
│   ├── leaf79.yml
│   ├── leaf80.yml
│   ├── leaf81.yml
│   ├── leaf82.yml
│   ├── leaf83.yml
│   ├── leaf84.yml
│   ├── leaf85.yml
│   ├── leaf86.yml
│   ├── leaf87.yml
│   ├── leaf88.yml
│   ├── leaf89.yml
│   ├── spine01.yml
│   ├── spine02.yml
│   ├── spine03.yml
│   └── spine04.yml
├── playbooks
│   ├── add_leaf.yml
│   ├── inventory
│   └── request_service.yml
├── policies
│   ├── .gitignore
│   ├── __init__.py
│   ├── address-groups.yml
│   ├── conftest.py
│   ├── test_base.py
│   ├── test_routing.py
│   └── test_utils.py
├── requirements.txt
├── setup-gitlab-repo.sh
├── template.gitlab-ci.yml
├── template.requirements.txt
└── templates
    ├── border_config.j2
    ├── border_leaf_frr.j2
    ├── border_leaf_interfaces.j2
    ├── border_leaf_ports_conf.j2
    ├── fwl_base_config_h.j2
    ├── fwl_zone_config_h.j2
    ├── inventory.j2
    ├── leaf_frr.j2
    ├── leaf_interfaces.j2
    ├── leaf_ports_conf.j2
    ├── spine_frr.j2
    ├── spine_interfaces.j2
    └── spine_ports_conf.j2

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner.
      For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted.
      If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License.
          You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE.
      You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information.
      (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
This repository contains all of the code for the [Batfish enabled CI pipeline demonstration from Ansiblefest 2019](https://www.youtube.com/watch?v=ORFiReqaUzY), including a script to initialize the Gitlab repository from where the CI tests are run.

# Repository organization and CI workflow

Each time a commit is made to the Gitlab repository, device configs are generated and the generated configs are evaluated against defined policies.
* The device configs are generated using jinja2 templates in the `templates` folder and input data in the `inputs` folder. The code for configuration generation is in the `code` folder.
* Batfish supports both Ansible and Python (pytest) based policies. The `policies` folder contains pytest-based policies, and the `ansible-policies` folder contains Ansible-based policies.
  The setup for pytest policies (`conftest.py`) initializes a Batfish snapshot with the generated device configs. Ansible policy playbooks assume that the snapshot has already been initialized.

The exact sequence of commands to generate configs and run policies is in the `template.gitlab-ci.yml` file, which is uploaded to the Gitlab repository as its pipeline file (`.gitlab-ci.yml`) when the repository is initialized.

Network changes are proposed using Ansible playbooks in the `playbooks` folder. These playbooks change the inputs used to generate device configs. When these changes are committed to Gitlab, new configurations are generated and evaluated as described above.

# Pre-requisites for running the demo

* Access to a Gitlab server and runner. See below for local setup.
  * In Gitlab, create a new project
    * Recommended name: `af19-template`
  * Register the runner with the project
* BF (Batfish) server running on localhost
* Clone (or download) this repository onto your local machine
* Install the python dependencies listed in the `requirements.txt` file
  * `pip install -r requirements.txt`

Note:
You can reduce the execution time of the demo by leveraging an existing virtual environment that has the necessary dependencies installed.
To leverage an existing environment, edit the `before_script` stage of the Gitlab-CI pipeline file `template.gitlab-ci.yml`.


## Local Gitlab setup on a Mac

The instructions below assume that you are installing a Gitlab server locally. If you use the online service, you can skip this part.

### Gitlab server

Make sure that you have Docker installed on your laptop.

* Run the docker image
```
docker run --detach \
  --publish 443:443 --publish 80:80 --publish 22:22 \
  --hostname localhost \
  --name gitlab \
  --restart always \
  --volume ${HOME}/gitlab/config:/etc/gitlab \
  --volume ${HOME}/gitlab/logs:/var/log/gitlab \
  --volume ${HOME}/gitlab/data:/var/opt/gitlab \
  gitlab/gitlab-ce:latest
```
The initialization process may take a long time. You can track it with the command `sudo docker logs -f gitlab`.

* Navigate to http://localhost/
* Create an admin password
* Register a new user
* Create a new project
  * `AF19-Template`
  * Initialize it with a README, but leave the project private
* Add an SSH key to your profile so you can clone the repos
  * Via the user icon on the top right -> Settings -> SSH key


#### Clone AF19-Template repo locally
The demo requires a local clone of the GitLab repository that you just created.

Steps:
* Go to the project page
* Click on `Clone` (towards the top right)
* Copy the `Clone with SSH` URL to the clipboard

![](images/gitlab_repo_clone.png)
* Open a terminal window
* Type `git clone git@localhost:samir-demo/af19-template.git` (replace the `git@...` URL with what you copied from the project page)
* All of the playbooks referenced in the demo below will need to be executed from the directory of this local clone.

### Gitlab runner

#### Install GitLab runner
```
sudo curl --output /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-darwin-amd64
sudo chmod +x /usr/local/bin/gitlab-runner
```

#### Register Gitlab runner with the project
This requires getting a token from Gitlab for the project.

Steps:
* Go to the project page
* Settings (left side menu) -> CI/CD -> Expand Runners

![](images/gitlab-runner-setup-small.png)


* Run `gitlab-runner register`
  * Enter the URL: `http://localhost/`
  * Enter the project-specific Gitlab token from above
  * Accept the default value for the description
  * Accept the default value for tags
  * Enter `shell` as the executor


#### Start the Gitlab runner
* `gitlab-runner run` if the process is not already running
* `gitlab-runner restart` if the process is already running


## Setup Gitlab Repo

Set the following environment variable:
* `GIT_TEMPLATE` - This is the Git clone URL for the repo you set up in Gitlab
  * Example: `git@localhost:samir-demo/af19-template.git`

Then, initialize your Gitlab repo by running the following command from the local clone of the `batfish/af19-demo` repository:

`bash setup-gitlab-repo.sh`

NOTE: This will reset the GitLab repository to the base state, so you can run the demo scenarios again.

# Running the demos

To run the demos you will need to have a local clone of the `af19-template` repo.
Both demo scenarios require you to run an Ansible playbook from this directory.

## Demo Scenario #1

The first demo involves adding a new leaf to the existing DC fabric. Run the following command:
```
ansible-playbook -i playbooks/inventory playbooks/add_leaf.yml
```

Enter the following information when prompted:
* Enter the number for the new leaf router: `90`
* Enter the BGP AS number for the new leaf router: `65009`
* Enter commit message [adding leaf90 to fabric]:
  * press Enter to accept the default commit message

And that's all you need to do to start the demo. In about 2-3 minutes you will see a new snapshot in Batfish.
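The `Unique BGP AS` policy that this scenario trips can be reproduced offline. The following Python is an added example, not code from the af19-demo repository (its pytest policies under `policies/` are not shown on this page); it runs on a constructed hostname-to-ASN table, and the convention that a leaf's AS is 65000 plus its leaf number is inferred from this README (leaf90 should get 65090, and 65009 collides with leaf09). The names `make_fabric`, `duplicate_asns`, `leaf_asn_violations` and `check_unique_bgp_as` are the example's own.

```python
"""Offline check mirroring the 'Unique BGP AS' policy that demo scenario #1 trips.

Added example, not part of the af19-demo repository. Works on a constructed
hostname -> ASN table; LEAF_AS_BASE is an assumption inferred from the README
(leaf90 -> 65090, leaf09 -> 65009).
"""
import re
from collections import defaultdict

LEAF_RE = re.compile(r"^leaf(\d+)$")
LEAF_AS_BASE = 65000  # assumption: leaf AS = 65000 + leaf number


def duplicate_asns(asn_by_host: dict) -> dict:
    """Map each ASN used by more than one device to the sorted list of those devices."""
    hosts_by_asn = defaultdict(list)
    for host, asn in asn_by_host.items():
        hosts_by_asn[asn].append(host)
    return {asn: sorted(hosts) for asn, hosts in hosts_by_asn.items() if len(hosts) > 1}


def leaf_asn_violations(asn_by_host: dict) -> dict:
    """Leafs whose ASN differs from the naming convention -> the ASN they should have."""
    violations = {}
    for host, asn in asn_by_host.items():
        m = LEAF_RE.match(host)
        if m and asn != LEAF_AS_BASE + int(m.group(1)):
            violations[host] = LEAF_AS_BASE + int(m.group(1))
    return violations


def check_unique_bgp_as(asn_by_host: dict) -> list:
    """Return human-readable findings; an empty list means the policy passes.

    Two leafs sharing an AS is more than a naming nit: eBGP loop prevention
    makes a router drop any route whose AS_PATH already contains its own AS
    (unless 'bgp allow-as in' is configured), so leaf09 and leaf90 would
    silently lose each other's prefixes. That is the README's second failure,
    'All leaf routers have all host subnets'.
    """
    findings = []
    for asn, hosts in sorted(duplicate_asns(asn_by_host).items()):
        findings.append(f"AS {asn} is used by {', '.join(hosts)}")
    for host, expected in sorted(leaf_asn_violations(asn_by_host).items()):
        findings.append(f"{host}: ASN {asn_by_host[host]} should be {expected}")
    return findings


def make_fabric(new_leaf: int, new_leaf_asn: int) -> dict:
    """Constructed inventory: leaf01..leaf89 following the convention, plus one added leaf."""
    fabric = {f"leaf{i:02d}": LEAF_AS_BASE + i for i in range(1, 90)}
    fabric[f"leaf{new_leaf:02d}"] = new_leaf_asn
    return fabric


if __name__ == "__main__":
    # The demo's first attempt (65009) and the corrected re-run (65090).
    for finding in check_unique_bgp_as(make_fabric(90, 65009)):
        print("FAIL:", finding)
    print("corrected run:", check_unique_bgp_as(make_fabric(90, 65090)) or "OK")
```

The duplicate check catches the collision regardless of naming; the convention check tells the operator what value to enter on the re-run instead of just reporting that something clashed.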
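A second added example, for the `Protect internal services` playbooks in `ansible-policies/` shown further down this page (the policy that scenario #2 trips). It is not code from the repository: it reproduces in plain Python what the playbooks' `set_fact` loop builds with Jinja, one `assert_all_flows_fail` assertion per service, leaving out header fields a service entry does not define (the equivalent of `|default(omit)`), and adds a lint of the policy entries first, since a malformed port or protocol string would otherwise reach Batfish as a malformed header. The service list is transcribed from `internal-services-tcp.yml` on this page; `KNOWN_PROTOCOLS`, `validate_service` and `build_block_assertions` are the example's own names and assumptions.

```python
"""Build bf_assert assertions from an internal-services policy file, offline.

Added example, not part of the af19-demo repository. Mirrors the set_fact loop
in ansible-policies/internal_protection.yml and internal_protection_tcp.yml.
"""
import re
from typing import Optional

# Transcribed from ansible-policies/internal-services-tcp.yml on this page.
INTERNAL_SERVICES_TCP = [
    {"name": "Private subnets (new-TCP)", "ip": "10.100.0.0/16"},
    {"name": "All MySQL DB ports", "ip": "10.200.0.0/16", "port": "1433-1434"},
    {"name": "Finance (new-TCP)", "ip": "10.200.10.0/24"},
    {"name": "HR (new-TCP)", "ip": "10.200.20.0/24"},
    {"name": "Development (new-TCP)", "ip": "10.200.30.0/24"},
    {"name": "RDP", "ip": "10.100.0.0/16, 10.200.0.0/16", "port": "3389"},
    {"name": "High-ports (new-TCP)", "ip": "10.200.0.0/16", "port": "1024-65535"},
]

# Assumption: the protocol names used by the demo's policy files; '!' negates.
KNOWN_PROTOCOLS = {"tcp", "udp", "icmp"}
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")  # single port or lo-hi range


def validate_service(svc: dict) -> list:
    """Return the problems found in one policy entry (empty list means it is well formed)."""
    problems = []
    for key in ("name", "ip"):
        if not svc.get(key):
            problems.append(f"missing '{key}'")
    port = svc.get("port")
    if port is not None:
        m = PORT_RE.match(str(port))
        lo, hi = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (-1, -1)
        if not m or not (0 <= lo <= hi <= 65535):
            problems.append(f"bad port spec {port!r}")
    proto = svc.get("protocol")
    if proto is not None:
        for token in str(proto).split(","):
            if token.strip().lstrip("!") not in KNOWN_PROTOCOLS:
                problems.append(f"unknown protocol token {token.strip()!r}")
    return problems


def build_block_assertions(services: list, ip_protocols: Optional[str] = None) -> list:
    """One assert_all_flows_fail per service, as the playbooks' set_fact loop builds.

    ip_protocols="tcp" reproduces internal_protection_tcp.yml; None reproduces
    internal_protection.yml, which takes the protocol from the entry and omits
    the header field when the entry has none.
    """
    assertions = []
    for svc in services:
        problems = validate_service(svc)
        if problems:
            raise ValueError(f"{svc.get('name')!r}: {', '.join(problems)}")
        headers = {"dstIps": svc["ip"]}
        proto = ip_protocols if ip_protocols is not None else svc.get("protocol")
        if proto is not None:
            headers["ipProtocols"] = proto
        if "port" in svc:                    # |default(omit): drop the key entirely
            headers["dstPorts"] = svc["port"]
        headers["flowStates"] = ["new"]      # only new sessions, not return traffic
        assertions.append({
            "type": "assert_all_flows_fail",
            "name": svc["name"] + " reachability",
            "parameters": {"startLocation": "internet", "headers": headers},
        })
    return assertions


if __name__ == "__main__":
    for a in build_block_assertions(INTERNAL_SERVICES_TCP, ip_protocols="tcp"):
        print(a["name"], "->", a["parameters"]["headers"])
```

The resulting dicts have the same shape as the `assertions` list the playbooks hand to `bf_assert`, so the same check can be run on a policy file before it is committed, and a typo such as a port above 65535 or an unknown protocol name fails fast instead of producing an assertion that tests the wrong flows.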

Navigate to the Gitlab project `AF19-Template` to see the pipeline execution logs.
* The `build` stage of the pipeline builds all of the configurations.
* The `test` stage uploads the configurations to the BF server and evaluates the policies.
  * This is where you will see the results of the BF policy execution, under `policy_eval`


You should see 2 failures:
* Unique BGP AS
* All leaf routers have all host subnets

The leaf routers do not have `bgp allow-as in` configured, so `leaf09` and `leaf90`, which now share AS 65009, reject each other's routes.

To correct the error, re-run the ansible playbook with the correct BGP ASN, `65090`.
* For correct operation each leaf should set its BGP AS equal to its id/number

## Demo Scenario #2

The second demo involves opening up access to an internal service from the internet. Run the following command:
```
ansible-playbook -i playbooks/inventory playbooks/request_service.yml
```

Enter the following information when prompted:
* Direction of request flow. `IN` for opening up access to an internal service from the internet, `OUT` for opening up access to an external service: `IN`
* Enter the destination IP address/prefix: `10.100.10.0/24`
* Enter the source IP address/prefix: `0.0.0.0/0`
* Enter the IP protocol (TCP or UDP): `tcp`
* Enter the destination port: `443`
* Enter the name of the application: `SSL`
* Enter the change request id: `CHG12345`
* Enter commit message [Change request CHG123345 for access to 10.100.10.0/24 application SSL from 0.0.0.0/0]:
  * press Enter to accept the default commit message


And that's all you need to do to start the demo. In about 2-3 minutes you will see a new snapshot in the BFE Dashboard with policy execution complete.

Navigate to the Gitlab project `AF19-Template` to see the pipeline execution logs.
* The `build` stage of the pipeline builds all of the configurations.
* The `test` stage uploads the configurations to the BF server and evaluates the policies.
  * This is where you will see the results of the BF policy execution, under `policy_eval`


You should see 1 test failure:

* Protect internal services (TCP)
  * Private subnets (new-TCP) reachability

This test fails because the network `10.100.0.0/16` has been designated as internal only, yet the requested change allows traffic from the internet to reach it.

**NOTE**: If you want to re-run the scenario and select another subnet, you must provide a new `source IP prefix` and `application`, since Capirca doesn't allow multiple entries for the same named object even if the definition is identical.

## Restart demo

To restart the demo, go back to the window where you ran the demo setup script and re-run the script.


--------------------------------------------------------------------------------
/ansible-policies/external-services.yml:
--------------------------------------------------------------------------------
external_services:
  - name: Google DNS
    ip: '8.8.8.8'
    protocol: 'udp'
    port: '53'

  - name: Cloudflare DNS
    ip: '1.1.1.1'
    protocol: 'udp'
    port: '53'

  - name: AWS
    ip: '@addressGroup(metadata, aws)'
    protocol: 'icmp'

--------------------------------------------------------------------------------
/ansible-policies/internal-services-tcp.yml:
--------------------------------------------------------------------------------
internal_services:
  - name: Private subnets (new-TCP)
    ip: '10.100.0.0/16'

  - name: All MySQL DB ports
    ip: '10.200.0.0/16'
    port: '1433-1434'

  - name: Finance (new-TCP)
    ip: '10.200.10.0/24'

  - name: HR (new-TCP)
    ip: '10.200.20.0/24'

  - name: Development (new-TCP)
    ip: '10.200.30.0/24'

  - name: RDP
    ip: '10.100.0.0/16, 10.200.0.0/16'
    port: '3389'

  - name: High-ports (new-TCP)
    ip: '10.200.0.0/16'
    port: '1024-65535'

--------------------------------------------------------------------------------
/ansible-policies/internal-services.yml:
--------------------------------------------------------------------------------
internal_services:
  - name: Private subnets (non-TCP)
    ip: '10.100.0.0/16'
    protocol: '!tcp'

  - name: Finance (non-TCP)
    ip: '10.200.10.0/24'
    protocol: '!tcp, !icmp'

  - name: HR (non-TCP)
    ip: '10.200.20.0/24'
    protocol: '!tcp, !icmp'

  - name: Development (non-TCP)
    ip: '10.200.30.0/24'
    protocol: '!tcp, !icmp'

--------------------------------------------------------------------------------
/ansible-policies/internal_protection.yml:
--------------------------------------------------------------------------------
---
- name: Protect internal services (non-TCP)
  hosts: all
  gather_facts: no
  roles:
    - batfish.base

  tasks:

  - name: Create Batfish session in a block that is "delegate_to -> localhost" and "run_once -> true"
    block:
      - name: Setup connection to Batfish Enterprise service
        bf_session:
          host: localhost
          name: local_batfish
          parameters:
            session_type: bfe
    rescue:
      - name: Setup connection to Batfish service
        bf_session:
          host: localhost
          name: local_batfish
          parameters:
            session_type: bf

    delegate_to: localhost
    run_once: true

  - name: Set network and snapshot
    bf_set_snapshot:
      network: "{{ lookup('env','BF_NETWORK') }}"
      snapshot: "{{ lookup('env','BF_SNAPSHOT') }}"
    delegate_to: localhost
    run_once: true

  - name: Execute Batfish related tasks in a block that is "delegate_to -> localhost" and "run_once -> true"
    block:

    - name: Read internal services
      include_vars:
        file: internal-services.yml
        name: internal_services

    - set_fact:
        assertions: []

    - name: Get a list of assertions from list of internal services that should be blocked from Internet
      set_fact:
        assertions: "{{ assertions + [
          { 'type': 'assert_all_flows_fail',
            'name': item.name + ' reachability',
            'parameters': {
              'startLocation': 'internet',
              'headers': {
                'dstIps': item.ip,
                'ipProtocols': item.protocol|default(omit),
                'dstPorts': item.port|default(omit),
                'flowStates': ['new']
              }
            }
          } ] }}"
      loop: "{{ internal_services.internal_services }}"

    - name: Initialize fact that records cumulative failure status
      set_fact:
        cumulative_failed: false

    - name: Validate that critical internal services are protected from Internet
      bf_assert:
        assertions: "{{ assertions }}"
      ignore_errors: true
      register: assertion_result

    - name: Update cumulative failure
      set_fact:
        cumulative_failed: "{{ cumulative_failed or assertion_result.failed }}"


    - name: Fail if any assertion failed
      fail:
        msg: At least one assertion failed. See logs for details.
      when: cumulative_failed|bool


    delegate_to: localhost
    run_once: true

--------------------------------------------------------------------------------
/ansible-policies/internal_protection_tcp.yml:
--------------------------------------------------------------------------------
---
- name: Protect internal services (TCP)
  hosts: all
  gather_facts: no
  roles:
    - batfish.base

  tasks:

  - name: Create Batfish session in a block that is "delegate_to -> localhost" and "run_once -> true"
    block:
      - name: Setup connection to Batfish Enterprise service
        bf_session:
          host: localhost
          name: local_batfish
          parameters:
            session_type: bfe
    rescue:
      - name: Setup connection to Batfish service
        bf_session:
          host: localhost
          name: local_batfish
          parameters:
            session_type: bf

    delegate_to: localhost
    run_once: true

  - name: Set network and snapshot
    bf_set_snapshot:
      network: "{{ lookup('env','BF_NETWORK') }}"
      snapshot: "{{ lookup('env','BF_SNAPSHOT') }}"
    delegate_to: localhost
    run_once: true

  - name: Execute Batfish related tasks in a block that is "delegate_to -> localhost" and "run_once -> true"
    block:

    - name: Read internal services
      include_vars:
        file: internal-services-tcp.yml
        name: internal_services

    - set_fact:
        assertions: []

    - name: Get a list of assertions from list of internal services that should be blocked from Internet
      set_fact:
        assertions: "{{ assertions + [
          { 'type': 'assert_all_flows_fail',
            'name': item.name + ' reachability',
            'parameters': {
              'startLocation': 'internet',
              'headers': {
                'dstIps': item.ip,
                'ipProtocols': 'tcp',
                'dstPorts': item.port|default(omit),
                'flowStates': ['new']
              }
            }
          } ] }}"
      loop: "{{ internal_services.internal_services }}"

    - name: Initialize fact that records cumulative failure status
      set_fact:
        cumulative_failed: false

    - name: Validate that critical internal services are protected from Internet
      bf_assert:
        assertions: "{{ assertions }}"
      ignore_errors: true
      register: assertion_result

    - name: Update cumulative failure
      set_fact:
        cumulative_failed: "{{ cumulative_failed or assertion_result.failed }}"


    - name: Fail if any assertion failed
      fail:
        msg: At least one assertion failed. See logs for details.
      when: cumulative_failed|bool


    delegate_to: localhost
    run_once: true

--------------------------------------------------------------------------------
/ansible-policies/inventory:
--------------------------------------------------------------------------------
[all]
www.example.com
[localhost]
ansible_connection=local
localhost ansible_python_interpreter=python

--------------------------------------------------------------------------------
/ansible-policies/reachability.yml:
--------------------------------------------------------------------------------
---
- name: Reachability policies
  hosts: all
  gather_facts: no
  roles:
    - batfish.base

  tasks:

  - name: Create Batfish session in a block that is "delegate_to -> localhost" and "run_once -> true"
    block:
      - name: Setup connection to Batfish Enterprise service
        bf_session:
          host: localhost
          name: local_batfish
          parameters:
            session_type: bfe
    rescue:
      - name: Setup connection to Batfish service
        bf_session:
          host: localhost
          name: local_batfish
          parameters:
            session_type: bf

    delegate_to: localhost
    run_once: true

  - name: Set network and snapshot
    bf_set_snapshot:
      network: "{{ lookup('env','BF_NETWORK') }}"
      snapshot: "{{ lookup('env','BF_SNAPSHOT') }}"
    delegate_to: localhost
    run_once: true

  - name: Execute Batfish related tasks in a block that is "delegate_to -> localhost" and "run_once -> true"
    block:


    - name: Read external services
      include_vars:
        file: external-services.yml
        name: external_services

    - set_fact:
        assertions: []

    - name: Get a list of assertions from list of external services that should be accessible
      set_fact:
        assertions: "{{ assertions + [
          { 'type': 'assert_all_flows_succeed',
            'name': item.name + ' reachability',
            'parameters': {
              'startLocation': '@enter(/leaf.*/[/vlan.*/])',
              'headers': {
                'dstIps': item.ip,
                'ipProtocols': item.protocol,
                'dstPorts': item.port|default(omit)
              }
            }
          } ] }}"
      loop: "{{ external_services.external_services }}"

    - name: Initialize fact that records cumulative failure status
      set_fact:
        cumulative_failed: false

    - name: Validate that external services are reachable from each leaf
      bf_assert:
        assertions: "{{ assertions }}"
      ignore_errors: true
      register: assertion_result

    - name: Update cumulative failure
      set_fact:
        cumulative_failed: "{{ cumulative_failed or assertion_result.failed }}"

    - name: Validate that all pairs of leafs can reach each other
      bf_assert:
        assertions:
          - type: assert_all_flows_succeed
            name: All leaf-pairs reachability
            parameters:
              startLocation: '@enter(/leaf.*/[/vlan.*/])'
              headers:
                dstIps: '@enter(/leaf.*/[/vlan.*/])'
                ipProtocols: 'icmp'
      ignore_errors: true
      register: assertion_result

    - name: Update cumulative failure
      set_fact:
        cumulative_failed: "{{ cumulative_failed or assertion_result.failed }}"

    - name: Fail if any assertion failed
      fail:
        msg: At least one assertion failed. See logs for details.
98 | when: cumulative_failed|bool 99 | 100 | 101 | delegate_to: localhost 102 | run_once: true -------------------------------------------------------------------------------- /batfish/isp_config.json: -------------------------------------------------------------------------------- 1 | { 2 | "borderInterfaces": [ 3 | { 4 | "borderInterface": { 5 | "hostname": "bor01", 6 | "interface": "xe-1/2/0.0" 7 | } 8 | }, { 9 | "borderInterface": { 10 | "hostname": "bor02", 11 | "interface": "xe-1/2/0.0" 12 | } 13 | } 14 | ], 15 | "filter": { 16 | "onlyRemoteAsns": [], 17 | "onlyRemoteIps": [] 18 | } 19 | } -------------------------------------------------------------------------------- /batfish/testrig_positions: -------------------------------------------------------------------------------- 1 | {"leaf07": {"fx": 679.6342141337636, "fy": 0.24385882267054626}, "leaf06": {"fx": 582.7606789775136, "fy": -32.455718801387604}, "leaf05": {"fx": 679.6342141337636, "fy": -65.15529642544575}, "leaf49": {"fx": 1456.837745973644, "fy": 736.6798726898336}, "leaf04": {"fx": 582.7606789775136, "fy": -97.8548740495039}, "leaf48": {"fx": 1422.2046236351775, "fy": 833.5534078460837}, "leaf03": {"fx": 679.6342141337636, "fy": -130.55445167356206}, "leaf47": {"fx": 1387.5715012967112, "fy": 736.6798726898336}, "leaf02": {"fx": 582.7606789775136, "fy": -163.2540292976202}, "leaf46": {"fx": 1352.938378958245, "fy": 833.5534078460837}, "leaf01": {"fx": 679.6342141337636, "fy": -195.95360692167836}, "leaf45": {"fx": 1318.3052566197787, "fy": 736.6798726898336}, "leaf89": {"fx": 2053.8498342620437, "fy": 719.6345665519499}, "leaf44": {"fx": 1283.6721342813125, "fy": 833.5534078460837}, "leaf88": {"fx": 2150.7233694182937, "fy": 686.9349889278918}, "leaf43": {"fx": 1249.0390119428462, "fy": 736.6798726898336}, "leaf87": {"fx": 2053.8498342620437, "fy": 654.2354113038336}, "leaf42": {"fx": 1214.4058896043798, "fy": 833.5534078460837}, "leaf86": {"fx": 2150.7233694182937, "fy": 621.5358336797755}, 
"leaf41": {"fx": 1179.7727672659134, "fy": 736.6798726898336}, "leaf85": {"fx": 2053.8498342620437, "fy": 588.8362560557173}, "leaf40": {"fx": 1145.139644927447, "fy": 833.5534078460837}, "leaf84": {"fx": 2150.7233694182937, "fy": 556.1366784316591}, "leaf83": {"fx": 2053.8498342620437, "fy": 523.4371008076009}, "leaf82": {"fx": 2150.7233694182937, "fy": 490.73752318354286}, "leaf81": {"fx": 2053.8498342620437, "fy": 458.0379455594847}, "leaf80": {"fx": 2150.7233694182937, "fy": 425.3383679354266}, "leaf09": {"fx": 679.6342141337636, "fy": 65.64301407078685}, "leaf08": {"fx": 582.7606789775136, "fy": 32.9434364467287}, "leaf39": {"fx": 1110.5065225889807, "fy": 736.6798726898336}, "leaf38": {"fx": 1075.8734002505146, "fy": 833.5534078460837}, "leaf37": {"fx": 1041.2402779120482, "fy": 736.6798726898336}, "leaf36": {"fx": 1006.6071555735818, "fy": 833.5534078460837}, "leaf35": {"fx": 971.9740332351156, "fy": 736.6798726898336}, "leaf79": {"fx": 2053.8498342620437, "fy": 392.63879031136844}, "leaf34": {"fx": 937.3409108966493, "fy": 833.5534078460837}, "leaf78": {"fx": 2150.7233694182937, "fy": 359.93921268731026}, "leaf33": {"fx": 902.707788558183, "fy": 736.6798726898336}, "leaf77": {"fx": 2053.8498342620437, "fy": 327.2396350632521}, "leaf32": {"fx": 868.0746662197166, "fy": 833.5534078460837}, "leaf76": {"fx": 2150.7233694182937, "fy": 294.5400574391939}, "leaf31": {"fx": 833.4415438812504, "fy": 736.6798726898336}, "leaf75": {"fx": 2053.8498342620437, "fy": 261.8404798151357}, "leaf30": {"fx": 582.7606789775136, "fy": 752.3341441760081}, "leaf74": {"fx": 2150.7233694182937, "fy": 229.1409021910776}, "leaf73": {"fx": 2053.8498342620437, "fy": 196.44132456701945}, "leaf72": {"fx": 2150.7233694182937, "fy": 163.7417469429613}, "leaf71": {"fx": 2053.8498342620437, "fy": 131.04216931890315}, "leaf70": {"fx": 2150.7233694182937, "fy": 98.342591694845}, "spine02": {"fx": 1264.9430236819294, "fy": -77.76748452604107}, "spine01": {"fx": 1155.4492671433013, "fy": 
-75.64977505548984}, "spine04": {"fx": 1527.7644818488188, "fy": -80.96961617009651}, "spine03": {"fx": 1388.2310774971604, "fy": -80.95943551250869}, "leaf29": {"fx": 679.6342141337636, "fy": 719.6345665519499}, "leaf28": {"fx": 582.7606789775136, "fy": 686.9349889278918}, "leaf27": {"fx": 679.6342141337636, "fy": 654.2354113038336}, "leaf26": {"fx": 582.7606789775136, "fy": 621.5358336797755}, "leaf25": {"fx": 679.6342141337636, "fy": 588.8362560557173}, "leaf69": {"fx": 2053.8498342620437, "fy": 65.64301407078685}, "leaf24": {"fx": 582.7606789775136, "fy": 556.1366784316591}, "leaf68": {"fx": 2150.7233694182937, "fy": 32.9434364467287}, "leaf23": {"fx": 679.6342141337636, "fy": 523.4371008076009}, "leaf67": {"fx": 2053.8498342620437, "fy": 0.24385882267054626}, "leaf22": {"fx": 582.7606789775136, "fy": 490.73752318354286}, "leaf66": {"fx": 2150.7233694182937, "fy": -32.455718801387604}, "leaf21": {"fx": 679.6342141337636, "fy": 458.0379455594847}, "leaf65": {"fx": 2053.8498342620437, "fy": -65.15529642544575}, "leaf20": {"fx": 582.7606789775136, "fy": 425.3383679354266}, "leaf64": {"fx": 2150.7233694182937, "fy": -97.8548740495039}, "leaf63": {"fx": 2053.8498342620437, "fy": -130.55445167356206}, "leaf62": {"fx": 2150.7233694182937, "fy": -163.2540292976202}, "leaf61": {"fx": 2053.8498342620437, "fy": -195.95360692167836}, "leaf60": {"fx": 1837.8020916967735, "fy": 833.5534078460837}, "leaf18": {"fx": 582.7606789775136, "fy": 359.93921268731026}, "leaf17": {"fx": 679.6342141337636, "fy": 327.2396350632521}, "leaf16": {"fx": 582.7606789775136, "fy": 294.5400574391939}, "leaf15": {"fx": 679.6342141337636, "fy": 261.8404798151357}, "leaf59": {"fx": 1803.168969358307, "fy": 736.6798726898336}, "leaf14": {"fx": 582.7606789775136, "fy": 229.1409021910776}, "leaf58": {"fx": 1768.5358470198407, "fy": 833.5534078460837}, "leaf13": {"fx": 679.6342141337636, "fy": 196.44132456701945}, "leaf57": {"fx": 1733.9027246813744, "fy": 736.6798726898336}, "leaf12": {"fx": 
582.7606789775136, "fy": 163.7417469429613}, "leaf56": {"fx": 1699.269602342908, "fy": 833.5534078460837}, "leaf11": {"fx": 679.6342141337636, "fy": 131.04216931890315}, "leaf55": {"fx": 1664.6364800044416, "fy": 736.6798726898336}, "leaf10": {"fx": 582.7606789775136, "fy": 98.342591694845}, "leaf54": {"fx": 1630.0033576659755, "fy": 833.5534078460837}, "leaf53": {"fx": 1595.3702353275091, "fy": 736.6798726898336}, "leaf52": {"fx": 1560.737112989043, "fy": 833.5534078460837}, "leaf51": {"fx": 1526.1039906505766, "fy": 736.6798726898336}, "leaf50": {"fx": 1491.4708683121103, "fy": 833.5534078460837}, "leaf19": {"fx": 679.6342141337636, "fy": 392.63879031136844}, "isp_600": {"fx": 1411.6029481592911, "fy": -402.95759570384337}, "bl02": {"fx": 1212.6055751035317, "fy": -178.38238061452023}, "bl01": {"fx": 1447.029050755248, "fy": -172.02055394889794}, "fwl01": {"fx": 1318.3052566197787, "fy": -243.2649161350435}, "isp_577": {"fx": 1205.0384012251657, "fy": -396.9181630702547}, "internet": {"fx": 1305.1574660557299, "fy": -463.8790017097289}, "bor01": {"fx": 1211.287125676471, "fy": -282.31926518714306}, "bor02": {"fx": 1417.782076842142, "fy": -294.24906315365195}, "leaf90": {"fx": 2150.7233694182937, "fy": 752.3341441760081}} -------------------------------------------------------------------------------- /code/acl_gen.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | import os 3 | import shlex 4 | import subprocess 5 | import sys 6 | import tempfile 7 | import yaml 8 | from capirca.lib import naming, policy 9 | 10 | from pybatfish.client import capirca 11 | 12 | DEFAULT_DENY = { 13 | "name": "default-deny", 14 | "clauses": { 15 | "action": "deny" 16 | } 17 | } 18 | 19 | 20 | def get_definitions(networks_file, services_file): 21 | defs = naming.Naming() 22 | with open(networks_file, "r") as f: 23 | defs._ParseFile(f, "networks") 24 | with open(services_file, "r") as f: 25 | defs._ParseFile(f, "services") 26 | 
return defs 27 | 28 | 29 | def to_capirca_term(term_dict): 30 | head = "term {} {{".format(term_dict["name"]) 31 | tail = "}" 32 | 33 | term_clauses = [] 34 | for type, value in term_dict["clauses"].items(): 35 | term_clauses.append(" {}:: {}".format(type.replace('_', '-'), value)) 36 | 37 | return "{}\n{}\n{}\n".format(head, "\n".join(term_clauses), tail) 38 | 39 | 40 | def get_policy_from_capirca(policy_file): 41 | with open(policy_file, "r") as f: 42 | return f.read() 43 | 44 | 45 | def get_policy_from_yaml(policy_file): 46 | with open(policy_file, "r") as f: 47 | pol_data = yaml.safe_load(f) 48 | 49 | capirca_header = """ 50 | header {{ 51 | target:: {} 52 | }} 53 | """.format(pol_data["target"]) 54 | 55 | capirca_terms = [] 56 | for term in pol_data["terms"]: 57 | capirca_terms.append(to_capirca_term(term)) 58 | 59 | # append default deny 60 | capirca_terms.append(to_capirca_term(DEFAULT_DENY)) 61 | 62 | return "{}\n{}".format(capirca_header, "\n".join(capirca_terms)) 63 | 64 | 65 | if __name__ == "__main__": 66 | parser = argparse.ArgumentParser() 67 | parser.add_argument('-n', '--networks-file', help='Networks file', required=True) 68 | parser.add_argument('-s', '--services-file', help='Services file', required=True) 69 | parser.add_argument('-p', '--policy-file', help='Policy file', required=True) 70 | parser.add_argument('-f', "--input-format", help="Input format", choices=["yaml", "capirca"], default="yaml") 71 | 72 | args = parser.parse_args() 73 | 74 | defs = get_definitions(args.networks_file, args.services_file) 75 | 76 | policy_string = get_policy_from_yaml(args.policy_file) if args.input_format == "yaml" else get_policy_from_capirca( 77 | args.policy_file) 78 | pol = policy.ParsePolicy(policy_string, defs) 79 | 80 | acl_text = capirca._get_acl_text(pol, "juniper-srx") 81 | 82 | print(acl_text.replace("replace: ", "")) -------------------------------------------------------------------------------- /code/gen_configs.py: 
--------------------------------------------------------------------------------
from jinja2 import Environment, FileSystemLoader
import os
import re

import yaml
import pathlib

BASE_DIR = os.getcwd()
yaml_dir = BASE_DIR + '/inputs/'
template_dir = BASE_DIR + '/templates/'

cfg_dir = "{}/configs".format(os.environ.get("BF_SNAPSHOT_DIR", "."))

# Do not change the ordering of the templates in the dict below
# Batfish requires config stanzas for Cumulus to show up in a specific order in the config file
template_map = {
    'leaf': ['leaf_interfaces.j2', 'leaf_ports_conf.j2', 'leaf_frr.j2'],
    'bl': ['border_leaf_interfaces.j2', 'border_leaf_ports_conf.j2', 'border_leaf_frr.j2'],
    'spine': ['spine_interfaces.j2', 'spine_ports_conf.j2', 'spine_frr.j2'],
    'bor': ['border_config.j2'],
    'fwl': ['fwl_base_config_h.j2', 'fwl_zone_config_h.j2']
}


def get_router_list(yaml_dir):
    # Group the input YAML files by device role, e.g. leaf01.yml -> file_map['leaf']
    if not os.path.isdir(yaml_dir):
        raise ValueError("YAML input directory does not exist")

    file_map = {
        'leaf': [],
        'spine': [],
        'bl': [],
        'bor': [],
        'fwl': []
    }

    for k in file_map.keys():
        # raw string so that \d is a regex class, and the dot before "yml" is literal
        regex = re.compile(r"(^{}[\d]+)\.yml$".format(k))

        for f in os.listdir(yaml_dir):
            match = re.match(regex, f)
            if match:
                file_map[k].append(match.group(1))

        file_map[k].sort()

    return file_map


def assemble(template_dir, yaml_dir, router, cfg_dir, templates):
    file_loader = FileSystemLoader(template_dir)
    env = Environment(loader=file_loader, trim_blocks=True, extensions=['jinja2.ext.do'])

    with open("{}/{}.yml".format(yaml_dir, router), 'r') as f:
        router_conf = yaml.safe_load(f)
    config_file = "{}/{}.cfg".format(cfg_dir, router)

    # Render each template in the prescribed order and concatenate into one config file
    with open(config_file, "w") as f:
        for template in templates:
            cfg_template = env.get_template(template)
            cfg = cfg_template.render(router_conf)
            f.write(cfg)


router_map = get_router_list(yaml_dir)

pathlib.Path(cfg_dir).mkdir(parents=True, exist_ok=True)
for rt_type in router_map.keys():
    print(rt_type)
    for router in router_map[rt_type]:
        print(router)
        assemble(template_dir, yaml_dir, router, cfg_dir, template_map[rt_type])

--------------------------------------------------------------------------------
/code/gen_inventory.py:
--------------------------------------------------------------------------------
from jinja2 import Environment, FileSystemLoader
import json
import os
from os import listdir
from os.path import isfile, join
import re

BASE_DIR = os.getcwd()
yaml_dir = BASE_DIR + '/inputs/'
template_dir = BASE_DIR + '/templates/'
inventory_file = BASE_DIR + '/playbooks/inventory'
inventory_template = template_dir + 'inventory.j2'

if not os.path.isdir(yaml_dir):
    raise ValueError("YAML input directory does not exist")

file_map = {
    'leaf': [],
    'spine': []
}

for k in file_map.keys():
    # raw string so that \d is a regex class, and the dot before "yml" is literal
    regex = re.compile(r"(^{}[\d]+)\.yml$".format(k))

    for f in os.listdir(yaml_dir):
        match = re.match(regex, f)
        if match:
            file_map[k].append(match.group(1))

    file_map[k].sort()

# render template
file_loader = FileSystemLoader(template_dir)
env = Environment(loader=file_loader, trim_blocks=True, extensions=['jinja2.ext.do'])

template = env.get_template('inventory.j2')
template_output = template.render(leaf_list=file_map['leaf'], spine_list=file_map['spine'])

with open(inventory_file, 'w') as f:
    f.write(template_output)
--------------------------------------------------------------------------------
/code/gen_leaf_yaml.py:
--------------------------------------------------------------------------------
import yaml
import copy

BASE_DIR = './'
yaml_template = BASE_DIR + '/inputs/leaf01.yml'

# leaf01.yml is the template; every other leaf is derived from it by
# shifting the hostname, BGP AS, addresses and VLAN ids by the leaf index
with open(yaml_template, 'r') as fp:
    template_data = yaml.safe_load(fp)

blank_template = copy.deepcopy(template_data)

for i in range(2, 90):
    hostname = "leaf" + f'{i:02d}'
    file_name = BASE_DIR + '/inputs/' + hostname + ".yml"
    blank_template['hostname'] = hostname
    blank_template['bgp_as'] = template_data['bgp_as'] + (i - 1)
    blank_template['loopback']['address'] = "10.1.1.{}".format(str(i))
    blank_template['mgmt']['address'] = "10.254.1.{}/16".format(str(i))
    blank_template['ports'][4]['vlan'] = 100 + i
    blank_template['ports'][5]['vlan'] = 200 + i
    blank_template['vlans'][0]['id'] = 100 + i
    blank_template['vlans'][0]['address'] = "10.100.{}.1/24".format(str(i))
    blank_template['vlans'][1]['id'] = 200 + i
    blank_template['vlans'][1]['address'] = "10.200.{}.1/24".format(str(i))

    with open(file_name, 'w') as yaml_file:
        yaml.dump(blank_template, yaml_file, default_flow_style=False)
--------------------------------------------------------------------------------
/code/gen_topology.py:
--------------------------------------------------------------------------------
import yaml
import copy
import json

BASE_DIR = './'
OUT_DIR = BASE_DIR + 'snapshots/snapshot0'
topology_file = OUT_DIR + "/layer1_topology.json"

max_leaf = 96

spines = ['spine01', 'spine02', 'spine03', 'spine04']
# leaf-side uplink port facing each spine
lf_spines = {
    'spine01': 'swp49',
    'spine02': 'swp50',
    'spine03': 'swp51',
    'spine04': 'swp52',
}

# border-leaf-side uplink port facing each spine
bl_spines = {
    'spine01': 'swp1',
    'spine02': 'swp2',
    'spine03': 'swp3',
    'spine04': 'swp4'
}

empty_edge = {
    "node1": {
        "hostname": "",
        "interfaceName": ""
    },
    "node2": {
        "hostname": "",
        "interfaceName": ""
    }
}

# next free (breakout) port on each spine; four leaves share one spine port as swpNs0..swpNs3
spine_port = {
    'spine01': 1,
    'spine02': 1,
    'spine03': 1,
    'spine04': 1
}

topology = {
    'edges': []
}

for spine in spines:
    node1 = spine

    for i in range(1, (max_leaf + 1)):
        node2 = "leaf" + f'{i:02d}'

        rem = i % 4
        if rem != 0:
            spine_subport = rem - 1
        else:
            spine_subport = 3
        node1_port = "swp{}s{}".format(spine_port[spine], spine_subport)
        node2_port = lf_spines[spine]

        new_edge = copy.deepcopy(empty_edge)
        new_edge['node1']['hostname'] = node1
        new_edge['node1']['interfaceName'] = node1_port
        new_edge['node2']['hostname'] = node2
        new_edge['node2']['interfaceName'] = node2_port

        # all four subports used: move on to the next spine port
        if spine_subport == 3:
            spine_port[spine] += 1

        topology['edges'].append(copy.deepcopy(new_edge))

    for i in range(1, 3):
        node1_port = "swp{}".format(spine_port[spine])
        node2 = "bl" + f'{i:02d}'
        node2_port = bl_spines[spine]

        new_edge = copy.deepcopy(empty_edge)
        new_edge['node1']['hostname'] = node1
        new_edge['node1']['interfaceName'] = node1_port
        new_edge['node2']['hostname'] = node2
        new_edge['node2']['interfaceName'] = node2_port

        topology['edges'].append(copy.deepcopy(new_edge))
        spine_port[spine] += 1

        print(new_edge)

with open(topology_file, 'w') as f:
    json.dump(topology, f)
--------------------------------------------------------------------------------
/images/gitlab-runner-setup-small.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/batfish/af19-demo/a34f3090de8e31afb873910b6e40f31f982acd7d/images/gitlab-runner-setup-small.png
--------------------------------------------------------------------------------
/images/gitlab_repo_clone.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/batfish/af19-demo/a34f3090de8e31afb873910b6e40f31f982acd7d/images/gitlab_repo_clone.png
--------------------------------------------------------------------------------
/inputs/bl01.yml:
--------------------------------------------------------------------------------
hostname: bl01
bgp_as: 65201
loopback:
  address: 10.1.3.1
mgmt:
  address: 10.254.3.1/16
  gateway: 10.254.254.254
ports:
  - name: swp5
    address: 10.2.1.1/31
    alias: Connection to FWL01
    bgp_as: 65401
    remote_address: 10.2.1.0
--------------------------------------------------------------------------------
/inputs/bl02.yml:
--------------------------------------------------------------------------------
hostname: bl02
bgp_as: 65202
loopback:
  address: 10.1.3.2
mgmt:
  address: 10.254.3.2/16
  gateway: 10.254.254.254
ports:
  - name: swp5
    address: 10.2.1.3/31
    alias: Connection to FWL01
    bgp_as: 65401
    remote_address: 10.2.1.2
--------------------------------------------------------------------------------
/inputs/bor01.yml:
--------------------------------------------------------------------------------
hostname: bor01
bgp_as: 65401
loopback:
  address: 10.1.5.1
mgmt:
  address: 10.254.5.1/16
  gateway: 10.254.254.254
ports:
  fwl01:
    address: 10.2.1.5/31
    remote_address: 10.2.1.4
    bgp_as: 65301
  isp:
    address: 149.1.1.0/31
    remote_address: 149.1.1.1
    bgp_as: 577

--------------------------------------------------------------------------------
/inputs/bor02.yml:
--------------------------------------------------------------------------------
hostname: bor02
bgp_as: 65402
loopback:
  address: 10.1.5.2
mgmt:
  address: 10.254.5.2/16
  gateway: 10.254.254.254
ports:
  fwl01:
    address: 10.2.1.7/31
    remote_address: 10.2.1.6
    bgp_as: 65301
  isp:
    address: 149.1.2.0/31
    remote_address: 149.1.2.1
    bgp_as: 600

--------------------------------------------------------------------------------
/inputs/firewall/fwl_in_out.yml:
--------------------------------------------------------------------------------
target: srx from-zone INSIDE to-zone OUTSIDE
terms:
  - clauses:
      action: accept
      icmp_type: echo-request echo-reply
      logging: true
      protocol: icmp
    name: PERMIT-ICMP
  - clauses:
      action: accept
      destination_address: WEB-SERVERS
      destination_port: HTTPS HTTP
      logging: true
      protocol: tcp
    name: PERMIT-WEB
  - clauses:
      action: accept
      destination_port: SMTP
      protocol: tcp
    name: PERMIT-SMTP
  - clauses:
      action: accept
      destination_address: GOOGLE_DNS CLOUDFLARE
      destination_port: DNS
      protocol: tcp udp
    name: PERMIT-DNS
  - clauses:
      action: deny
      destination_port: DNS
      logging: true
      protocol: tcp udp
    name: BLOCK-OTHER-DNS
  - clauses:
      action: accept
      destination_port: NTP
      logging: true
      protocol: udp
    name: PERMIT-NTP
  - clauses:
      action: deny
      destination_port: POSTGRESQL LDAP_SERVICE IDENT TELNET MS_RPC_EPMAP
        MSSQL MSSQL_MONITOR RDP
      logging: true
      protocol: tcp
    name: BLOCK-BAD-TCP
  - clauses:
      action: deny
      destination_port: DHCP IDENT RPC MS_RPC_EPMAP
      logging: true
      protocol: udp
    name: BLOCK-BAD-UDP
  - clauses:
      action: accept
      logging: true
    name: CATCH-ALL

--------------------------------------------------------------------------------
/inputs/firewall/fwl_out_in.yml:
--------------------------------------------------------------------------------
target: srx from-zone OUTSIDE to-zone INSIDE
terms:
  - clauses:
      action: accept
      icmp_type: echo-request echo-reply
      destination_exclude: PRIVATE
      logging: true
      protocol: icmp
    name: PERMIT-ICMP
  - clauses:
      action: accept
      destination_address: WEB-SERVERS
      destination_port: HTTPS HTTP
      logging: true
      protocol: tcp
    name: PERMIT-WEB

--------------------------------------------------------------------------------
/inputs/firewall/network.net:
--------------------------------------------------------------------------------
#
# Sample naming definitions for network objects
#
RFC1918 = 10.0.0.0/8      # non-public
          172.16.0.0/12   # non-public
          192.168.0.0/16  # non-public

INTERNAL = RFC1918

LOOPBACK = 127.0.0.0/8  # loopback

RFC_3330 = 169.254.0.0/16  # special use IPv4 addresses - netdeploy

RFC_6598 = 100.64.0.0/10  # Shared Address Space

MULTICAST = 224.0.0.0/4  # IP multicast

CLASS-E = 240.0.0.0/4

RESERVED = 0.0.0.0/8  # reserved
           RFC1918
           LOOPBACK
           RFC_3330
           RFC_6598
           MULTICAST
           CLASS-E

ANY = 0.0.0.0/0

# http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
# 22-Apr-2011
BOGON = 0.0.0.0/8
        192.0.0.0/24
        192.0.2.0/24
        198.18.0.0/15
        198.51.100.0/24
        203.0.113.0/24
        MULTICAST
        CLASS-E

GOOGLE_PUBLIC_DNS_ANYCAST = 8.8.4.4/32  # IPv4 Anycast
                            8.8.8.8/32  # IPv4 Anycast
GOOGLE_DNS = GOOGLE_PUBLIC_DNS_ANYCAST

CLOUDFLARE = 1.1.1.1/32

PRIVATE = 10.100.0.0/16
FINANCE = 10.200.10.0/24
HR = 10.200.20.0/24
DEVELOPMENT = 10.200.30.0/24

WEB-SERVERS = 10.200.1.0/24
              10.200.2.0/24

GBL_RFC1918 = 10.0.0.0/8
              192.168.0.0/16

--------------------------------------------------------------------------------
/inputs/firewall/services.svc:
--------------------------------------------------------------------------------
#
# Sample naming service definitions
#
WHOIS = 43/udp
SSH = 22/tcp
TELNET = 23/tcp
SMTP = 25/tcp
MAIL_SERVICES = SMTP
                ESMTP
                SMTP_SSL
                POP_SSL
TIME = 37/tcp 37/udp
TACACS = 49/tcp
DNS = 53/tcp 53/udp
BOOTPS = 67/udp  # BOOTP server
BOOTPC = 68/udp  # BOOTP client
DHCP = BOOTPS
       BOOTPC
TFTP = 69/tcp 69/udp
HTTP = 80/tcp
WEB_SERVICES = HTTP HTTPS
POP3 = 110/tcp
RPC = 111/udp
IDENT = 113/tcp 113/udp
NNTP = 119/tcp
NTP = 123/tcp 123/udp
MS_RPC_EPMAP = 135/udp 135/tcp
MS_137 = 137/udp
MS_138 = 138/udp
MS_139 = 139/tcp
IMAP = 143/tcp
SNMP = 161/udp
SNMP_TRAP = 162/udp
BGP = 179/tcp
IMAP3 = 220/tcp
LDAP = 389/tcp
LDAP_SERVICE = LDAP
HTTPS = 443/tcp
MS_445 = 445/tcp
SMTP_SSL = 465/tcp
IKE = 500/udp
SYSLOG = 514/udp
RTSP = 554/tcp
ESMTP = 587/tcp
LDAPS = 636/tcp
IMAPS = 993/tcp
POP_SSL = 995/tcp
HIGH_PORTS = 1024-65535/tcp 1024-65535/udp
MSSQL = 1433/tcp
MSSQL_MONITOR = 1434/tcp
RADIUS = 1812/tcp 1812/udp
HSRP = 1985/udp
NFSD = 2049/tcp 2049/udp
NETFLOW = 2056/udp
SQUID_PROXY = 3128/tcp
MYSQL = 3306/tcp
RDP = 3389/tcp
IPSEC = 4500/udp
POSTGRESQL = 5432/tcp
TRACEROUTE = 33434-33534/udp

--------------------------------------------------------------------------------
/inputs/fwl01.yml:
--------------------------------------------------------------------------------
hostname: fwl01
bgp_as: 65301
loopback:
  address: 10.1.4.1
mgmt:
  address: 10.254.4.1/16
  gateway: 10.254.254.254
ports:
  bl01:
    address: 10.2.1.0/31
    remote_address: 10.2.1.1
    bgp_as: 65201
  bl02:
    address: 10.2.1.2/31
    remote_address: 10.2.1.3
    bgp_as: 65202
  bor01:
    address: 10.2.1.4/31
    remote_address: 10.2.1.5
    bgp_as: 65401
  bor02:
    address: 10.2.1.6/31
    remote_address: 10.2.1.7
    bgp_as: 65402
--------------------------------------------------------------------------------
/inputs/leaf01.yml:
--------------------------------------------------------------------------------
hostname: leaf01
bgp_as: 65001
loopback:
  address: 10.1.1.1
mgmt:
  address: 10.254.1.1/16
  gateway: 10.254.254.254
ports:
  - name: swp49
    bgp: true
  - name: swp50
    bgp: true
  - name: swp51
    bgp: true
  - name: swp52
    bgp: true
  - name: swp1
    vlan: 101
  - name: swp2
    vlan: 201
vlans:
  - id: 101
    address: 10.100.1.1/24
  - id: 201
    address: 10.200.1.1/24
--------------------------------------------------------------------------------
/inputs/leaf02.yml:
--------------------------------------------------------------------------------
bgp_as: 65002
hostname: leaf02
loopback:
  address: 10.1.1.2
mgmt:
  address: 10.254.1.2/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 102
  - name: swp2
    vlan: 202
vlans:
  - address: 10.100.2.1/24
    id: 102
  - address: 10.200.2.1/24
    id: 202

--------------------------------------------------------------------------------
/inputs/leaf03.yml:
--------------------------------------------------------------------------------
bgp_as: 65003
hostname: leaf03
loopback:
  address: 10.1.1.3
mgmt:
  address: 10.254.1.3/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 103
  - name: swp2
    vlan: 203
vlans:
  - address: 10.100.3.1/24
    id: 103
  - address: 10.200.3.1/24
    id: 203

--------------------------------------------------------------------------------
/inputs/leaf04.yml:
--------------------------------------------------------------------------------
bgp_as: 65004
hostname: leaf04
loopback:
  address: 10.1.1.4
mgmt:
  address: 10.254.1.4/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 104
  - name: swp2
    vlan: 204
vlans:
  - address: 10.100.4.1/24
    id: 104
  - address: 10.200.4.1/24
    id: 204

--------------------------------------------------------------------------------
/inputs/leaf05.yml:
--------------------------------------------------------------------------------
bgp_as: 65005
hostname: leaf05
loopback:
  address: 10.1.1.5
mgmt:
  address: 10.254.1.5/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 105
  - name: swp2
    vlan: 205
vlans:
  - address: 10.100.5.1/24
    id: 105
  - address: 10.200.5.1/24
    id: 205

--------------------------------------------------------------------------------
/inputs/leaf06.yml:
--------------------------------------------------------------------------------
bgp_as: 65006
hostname: leaf06
loopback:
  address: 10.1.1.6
mgmt:
  address: 10.254.1.6/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 106
  - name: swp2
    vlan: 206
vlans:
  - address: 10.100.6.1/24
    id: 106
  - address: 10.200.6.1/24
    id: 206

--------------------------------------------------------------------------------
/inputs/leaf07.yml:
--------------------------------------------------------------------------------
bgp_as: 65007
hostname: leaf07
loopback:
  address: 10.1.1.7
mgmt:
  address: 10.254.1.7/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 107
  - name: swp2
    vlan: 207
vlans:
  - address: 10.100.7.1/24
    id: 107
  - address: 10.200.7.1/24
    id: 207

--------------------------------------------------------------------------------
/inputs/leaf08.yml:
--------------------------------------------------------------------------------
bgp_as: 65008
hostname: leaf08
loopback:
  address: 10.1.1.8
mgmt:
  address: 10.254.1.8/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 108
  - name: swp2
    vlan: 208
vlans:
  - address: 10.100.8.1/24
    id: 108
  - address: 10.200.8.1/24
    id: 208

--------------------------------------------------------------------------------
/inputs/leaf09.yml:
--------------------------------------------------------------------------------
bgp_as: 65009
hostname: leaf09
loopback:
  address: 10.1.1.9
mgmt:
  address: 10.254.1.9/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 109
  - name: swp2
    vlan: 209
vlans:
  - address: 10.100.9.1/24
    id: 109
  - address: 10.200.9.1/24
    id: 209

--------------------------------------------------------------------------------
/inputs/leaf10.yml:
--------------------------------------------------------------------------------
bgp_as: 65010
hostname: leaf10
loopback:
  address: 10.1.1.10
mgmt:
  address: 10.254.1.10/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 110
  - name: swp2
    vlan: 210
vlans:
  - address: 10.100.10.1/24
    id: 110
  - address: 10.200.10.1/24
    id: 210

--------------------------------------------------------------------------------
/inputs/leaf11.yml:
--------------------------------------------------------------------------------
bgp_as: 65011
hostname: leaf11
loopback:
  address: 10.1.1.11
mgmt:
  address: 10.254.1.11/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 111
  - name: swp2
    vlan: 211
vlans:
  - address: 10.100.11.1/24
    id: 111
  - address: 10.200.11.1/24
    id: 211

--------------------------------------------------------------------------------
/inputs/leaf12.yml:
--------------------------------------------------------------------------------
bgp_as: 65012
hostname: leaf12
loopback:
  address: 10.1.1.12
mgmt:
  address: 10.254.1.12/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 112
  - name: swp2
    vlan: 212
vlans:
  - address: 10.100.12.1/24
    id: 112
  - address: 10.200.12.1/24
    id: 212

--------------------------------------------------------------------------------
/inputs/leaf13.yml:
--------------------------------------------------------------------------------
bgp_as: 65013
hostname: leaf13
loopback:
  address: 10.1.1.13
mgmt:
  address: 10.254.1.13/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 113
  - name: swp2
    vlan: 213
vlans:
  - address: 10.100.13.1/24
    id: 113
  - address: 10.200.13.1/24
    id: 213

--------------------------------------------------------------------------------
/inputs/leaf14.yml:
--------------------------------------------------------------------------------
bgp_as: 65014
hostname: leaf14
loopback:
  address: 10.1.1.14
mgmt:
  address: 10.254.1.14/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 114
  - name: swp2
    vlan: 214
vlans:
  - address: 10.100.14.1/24
    id: 114
  - address: 10.200.14.1/24
    id: 214

--------------------------------------------------------------------------------
/inputs/leaf15.yml:
--------------------------------------------------------------------------------
bgp_as: 65015
hostname: leaf15
loopback:
  address: 10.1.1.15
mgmt:
  address: 10.254.1.15/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 115
  - name: swp2
    vlan: 215
vlans:
  - address: 10.100.15.1/24
    id: 115
  - address: 10.200.15.1/24
    id: 215

--------------------------------------------------------------------------------
/inputs/leaf16.yml:
--------------------------------------------------------------------------------
bgp_as: 65016
hostname: leaf16
loopback:
  address: 10.1.1.16
mgmt:
  address: 10.254.1.16/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 116
  - name: swp2
    vlan: 216
vlans:
  - address: 10.100.16.1/24
    id: 116
  - address:
10.200.16.1/24 25 | id: 216 26 | -------------------------------------------------------------------------------- /inputs/leaf17.yml: -------------------------------------------------------------------------------- 1 | bgp_as: 65017 2 | hostname: leaf17 3 | loopback: 4 | address: 10.1.1.17 5 | mgmt: 6 | address: 10.254.1.17/16 7 | gateway: 10.254.254.254 8 | ports: 9 | - bgp: true 10 | name: swp49 11 | - bgp: true 12 | name: swp50 13 | - bgp: true 14 | name: swp51 15 | - bgp: true 16 | name: swp52 17 | - name: swp1 18 | vlan: 117 19 | - name: swp2 20 | vlan: 217 21 | vlans: 22 | - address: 10.100.17.1/24 23 | id: 117 24 | - address: 10.200.17.1/24 25 | id: 217 26 | -------------------------------------------------------------------------------- /inputs/leaf18.yml: -------------------------------------------------------------------------------- 1 | bgp_as: 65018 2 | hostname: leaf18 3 | loopback: 4 | address: 10.1.1.18 5 | mgmt: 6 | address: 10.254.1.18/16 7 | gateway: 10.254.254.254 8 | ports: 9 | - bgp: true 10 | name: swp49 11 | - bgp: true 12 | name: swp50 13 | - bgp: true 14 | name: swp51 15 | - bgp: true 16 | name: swp52 17 | - name: swp1 18 | vlan: 118 19 | - name: swp2 20 | vlan: 218 21 | vlans: 22 | - address: 10.100.18.1/24 23 | id: 118 24 | - address: 10.200.18.1/24 25 | id: 218 26 | -------------------------------------------------------------------------------- /inputs/leaf19.yml: -------------------------------------------------------------------------------- 1 | bgp_as: 65019 2 | hostname: leaf19 3 | loopback: 4 | address: 10.1.1.19 5 | mgmt: 6 | address: 10.254.1.19/16 7 | gateway: 10.254.254.254 8 | ports: 9 | - bgp: true 10 | name: swp49 11 | - bgp: true 12 | name: swp50 13 | - bgp: true 14 | name: swp51 15 | - bgp: true 16 | name: swp52 17 | - name: swp1 18 | vlan: 119 19 | - name: swp2 20 | vlan: 219 21 | vlans: 22 | - address: 10.100.19.1/24 23 | id: 119 24 | - address: 10.200.19.1/24 25 | id: 219 26 | 
--------------------------------------------------------------------------------
/inputs/leaf20.yml:
--------------------------------------------------------------------------------
bgp_as: 65020
hostname: leaf20
loopback:
  address: 10.1.1.20
mgmt:
  address: 10.254.1.20/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 120
  - name: swp2
    vlan: 220
vlans:
  - address: 10.100.20.1/24
    id: 120
  - address: 10.200.20.1/24
    id: 220

--------------------------------------------------------------------------------
/inputs/leaf21.yml:
--------------------------------------------------------------------------------
bgp_as: 65021
hostname: leaf21
loopback:
  address: 10.1.1.21
mgmt:
  address: 10.254.1.21/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 121
  - name: swp2
    vlan: 221
vlans:
  - address: 10.100.21.1/24
    id: 121
  - address: 10.200.21.1/24
    id: 221

--------------------------------------------------------------------------------
/inputs/leaf22.yml:
--------------------------------------------------------------------------------
bgp_as: 65022
hostname: leaf22
loopback:
  address: 10.1.1.22
mgmt:
  address: 10.254.1.22/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 122
  - name: swp2
    vlan: 222
vlans:
  - address: 10.100.22.1/24
    id: 122
  - address: 10.200.22.1/24
    id: 222
--------------------------------------------------------------------------------
/inputs/leaf23.yml:
--------------------------------------------------------------------------------
bgp_as: 65023
hostname: leaf23
loopback:
  address: 10.1.1.23
mgmt:
  address: 10.254.1.23/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 123
  - name: swp2
    vlan: 223
vlans:
  - address: 10.100.23.1/24
    id: 123
  - address: 10.200.23.1/24
    id: 223

--------------------------------------------------------------------------------
/inputs/leaf24.yml:
--------------------------------------------------------------------------------
bgp_as: 65024
hostname: leaf24
loopback:
  address: 10.1.1.24
mgmt:
  address: 10.254.1.24/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 124
  - name: swp2
    vlan: 224
vlans:
  - address: 10.100.24.1/24
    id: 124
  - address: 10.200.24.1/24
    id: 224

--------------------------------------------------------------------------------
/inputs/leaf25.yml:
--------------------------------------------------------------------------------
bgp_as: 65025
hostname: leaf25
loopback:
  address: 10.1.1.25
mgmt:
  address: 10.254.1.25/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 125
  - name: swp2
    vlan: 225
vlans:
  - address: 10.100.25.1/24
    id: 125
  - address: 10.200.25.1/24
    id: 225
--------------------------------------------------------------------------------
/inputs/leaf26.yml:
--------------------------------------------------------------------------------
bgp_as: 65026
hostname: leaf26
loopback:
  address: 10.1.1.26
mgmt:
  address: 10.254.1.26/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 126
  - name: swp2
    vlan: 226
vlans:
  - address: 10.100.26.1/24
    id: 126
  - address: 10.200.26.1/24
    id: 226

--------------------------------------------------------------------------------
/inputs/leaf27.yml:
--------------------------------------------------------------------------------
bgp_as: 65027
hostname: leaf27
loopback:
  address: 10.1.1.27
mgmt:
  address: 10.254.1.27/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 127
  - name: swp2
    vlan: 227
vlans:
  - address: 10.100.27.1/24
    id: 127
  - address: 10.200.27.1/24
    id: 227

--------------------------------------------------------------------------------
/inputs/leaf28.yml:
--------------------------------------------------------------------------------
bgp_as: 65028
hostname: leaf28
loopback:
  address: 10.1.1.28
mgmt:
  address: 10.254.1.28/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 128
  - name: swp2
    vlan: 228
vlans:
  - address: 10.100.28.1/24
    id: 128
  - address: 10.200.28.1/24
    id: 228
--------------------------------------------------------------------------------
/inputs/leaf29.yml:
--------------------------------------------------------------------------------
bgp_as: 65029
hostname: leaf29
loopback:
  address: 10.1.1.29
mgmt:
  address: 10.254.1.29/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 129
  - name: swp2
    vlan: 229
vlans:
  - address: 10.100.29.1/24
    id: 129
  - address: 10.200.29.1/24
    id: 229

--------------------------------------------------------------------------------
/inputs/leaf30.yml:
--------------------------------------------------------------------------------
bgp_as: 65030
hostname: leaf30
loopback:
  address: 10.1.1.30
mgmt:
  address: 10.254.1.30/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 130
  - name: swp2
    vlan: 230
vlans:
  - address: 10.100.30.1/24
    id: 130
  - address: 10.200.30.1/24
    id: 230

--------------------------------------------------------------------------------
/inputs/leaf31.yml:
--------------------------------------------------------------------------------
bgp_as: 65031
hostname: leaf31
loopback:
  address: 10.1.1.31
mgmt:
  address: 10.254.1.31/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 131
  - name: swp2
    vlan: 231
vlans:
  - address: 10.100.31.1/24
    id: 131
  - address: 10.200.31.1/24
    id: 231
--------------------------------------------------------------------------------
/inputs/leaf32.yml:
--------------------------------------------------------------------------------
bgp_as: 65032
hostname: leaf32
loopback:
  address: 10.1.1.32
mgmt:
  address: 10.254.1.32/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 132
  - name: swp2
    vlan: 232
vlans:
  - address: 10.100.32.1/24
    id: 132
  - address: 10.200.32.1/24
    id: 232

--------------------------------------------------------------------------------
/inputs/leaf33.yml:
--------------------------------------------------------------------------------
bgp_as: 65033
hostname: leaf33
loopback:
  address: 10.1.1.33
mgmt:
  address: 10.254.1.33/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 133
  - name: swp2
    vlan: 233
vlans:
  - address: 10.100.33.1/24
    id: 133
  - address: 10.200.33.1/24
    id: 233

--------------------------------------------------------------------------------
/inputs/leaf34.yml:
--------------------------------------------------------------------------------
bgp_as: 65034
hostname: leaf34
loopback:
  address: 10.1.1.34
mgmt:
  address: 10.254.1.34/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 134
  - name: swp2
    vlan: 234
vlans:
  - address: 10.100.34.1/24
    id: 134
  - address: 10.200.34.1/24
    id: 234
--------------------------------------------------------------------------------
/inputs/leaf35.yml:
--------------------------------------------------------------------------------
bgp_as: 65035
hostname: leaf35
loopback:
  address: 10.1.1.35
mgmt:
  address: 10.254.1.35/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 135
  - name: swp2
    vlan: 235
vlans:
  - address: 10.100.35.1/24
    id: 135
  - address: 10.200.35.1/24
    id: 235

--------------------------------------------------------------------------------
/inputs/leaf36.yml:
--------------------------------------------------------------------------------
bgp_as: 65036
hostname: leaf36
loopback:
  address: 10.1.1.36
mgmt:
  address: 10.254.1.36/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 136
  - name: swp2
    vlan: 236
vlans:
  - address: 10.100.36.1/24
    id: 136
  - address: 10.200.36.1/24
    id: 236

--------------------------------------------------------------------------------
/inputs/leaf37.yml:
--------------------------------------------------------------------------------
bgp_as: 65037
hostname: leaf37
loopback:
  address: 10.1.1.37
mgmt:
  address: 10.254.1.37/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 137
  - name: swp2
    vlan: 237
vlans:
  - address: 10.100.37.1/24
    id: 137
  - address: 10.200.37.1/24
    id: 237
--------------------------------------------------------------------------------
/inputs/leaf38.yml:
--------------------------------------------------------------------------------
bgp_as: 65038
hostname: leaf38
loopback:
  address: 10.1.1.38
mgmt:
  address: 10.254.1.38/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 138
  - name: swp2
    vlan: 238
vlans:
  - address: 10.100.38.1/24
    id: 138
  - address: 10.200.38.1/24
    id: 238

--------------------------------------------------------------------------------
/inputs/leaf39.yml:
--------------------------------------------------------------------------------
bgp_as: 65039
hostname: leaf39
loopback:
  address: 10.1.1.39
mgmt:
  address: 10.254.1.39/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 139
  - name: swp2
    vlan: 239
vlans:
  - address: 10.100.39.1/24
    id: 139
  - address: 10.200.39.1/24
    id: 239

--------------------------------------------------------------------------------
/inputs/leaf40.yml:
--------------------------------------------------------------------------------
bgp_as: 65040
hostname: leaf40
loopback:
  address: 10.1.1.40
mgmt:
  address: 10.254.1.40/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 140
  - name: swp2
    vlan: 240
vlans:
  - address: 10.100.40.1/24
    id: 140
  - address: 10.200.40.1/24
    id: 240
--------------------------------------------------------------------------------
/inputs/leaf41.yml:
--------------------------------------------------------------------------------
bgp_as: 65041
hostname: leaf41
loopback:
  address: 10.1.1.41
mgmt:
  address: 10.254.1.41/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 141
  - name: swp2
    vlan: 241
vlans:
  - address: 10.100.41.1/24
    id: 141
  - address: 10.200.41.1/24
    id: 241

--------------------------------------------------------------------------------
/inputs/leaf42.yml:
--------------------------------------------------------------------------------
bgp_as: 65042
hostname: leaf42
loopback:
  address: 10.1.1.42
mgmt:
  address: 10.254.1.42/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 142
  - name: swp2
    vlan: 242
vlans:
  - address: 10.100.42.1/24
    id: 142
  - address: 10.200.42.1/24
    id: 242

--------------------------------------------------------------------------------
/inputs/leaf43.yml:
--------------------------------------------------------------------------------
bgp_as: 65043
hostname: leaf43
loopback:
  address: 10.1.1.43
mgmt:
  address: 10.254.1.43/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 143
  - name: swp2
    vlan: 243
vlans:
  - address: 10.100.43.1/24
    id: 143
  - address: 10.200.43.1/24
    id: 243
--------------------------------------------------------------------------------
/inputs/leaf44.yml:
--------------------------------------------------------------------------------
bgp_as: 65044
hostname: leaf44
loopback:
  address: 10.1.1.44
mgmt:
  address: 10.254.1.44/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 144
  - name: swp2
    vlan: 244
vlans:
  - address: 10.100.44.1/24
    id: 144
  - address: 10.200.44.1/24
    id: 244

--------------------------------------------------------------------------------
/inputs/leaf45.yml:
--------------------------------------------------------------------------------
bgp_as: 65045
hostname: leaf45
loopback:
  address: 10.1.1.45
mgmt:
  address: 10.254.1.45/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 145
  - name: swp2
    vlan: 245
vlans:
  - address: 10.100.45.1/24
    id: 145
  - address: 10.200.45.1/24
    id: 245

--------------------------------------------------------------------------------
/inputs/leaf46.yml:
--------------------------------------------------------------------------------
bgp_as: 65046
hostname: leaf46
loopback:
  address: 10.1.1.46
mgmt:
  address: 10.254.1.46/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 146
  - name: swp2
    vlan: 246
vlans:
  - address: 10.100.46.1/24
    id: 146
  - address: 10.200.46.1/24
    id: 246
--------------------------------------------------------------------------------
/inputs/leaf47.yml:
--------------------------------------------------------------------------------
bgp_as: 65047
hostname: leaf47
loopback:
  address: 10.1.1.47
mgmt:
  address: 10.254.1.47/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 147
  - name: swp2
    vlan: 247
vlans:
  - address: 10.100.47.1/24
    id: 147
  - address: 10.200.47.1/24
    id: 247

--------------------------------------------------------------------------------
/inputs/leaf48.yml:
--------------------------------------------------------------------------------
bgp_as: 65048
hostname: leaf48
loopback:
  address: 10.1.1.48
mgmt:
  address: 10.254.1.48/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 148
  - name: swp2
    vlan: 248
vlans:
  - address: 10.100.48.1/24
    id: 148
  - address: 10.200.48.1/24
    id: 248

--------------------------------------------------------------------------------
/inputs/leaf49.yml:
--------------------------------------------------------------------------------
bgp_as: 65049
hostname: leaf49
loopback:
  address: 10.1.1.49
mgmt:
  address: 10.254.1.49/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 149
  - name: swp2
    vlan: 249
vlans:
  - address: 10.100.49.1/24
    id: 149
  - address: 10.200.49.1/24
    id: 249
--------------------------------------------------------------------------------
/inputs/leaf50.yml:
--------------------------------------------------------------------------------
bgp_as: 65050
hostname: leaf50
loopback:
  address: 10.1.1.50
mgmt:
  address: 10.254.1.50/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 150
  - name: swp2
    vlan: 250
vlans:
  - address: 10.100.50.1/24
    id: 150
  - address: 10.200.50.1/24
    id: 250

--------------------------------------------------------------------------------
/inputs/leaf51.yml:
--------------------------------------------------------------------------------
bgp_as: 65051
hostname: leaf51
loopback:
  address: 10.1.1.51
mgmt:
  address: 10.254.1.51/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 151
  - name: swp2
    vlan: 251
vlans:
  - address: 10.100.51.1/24
    id: 151
  - address: 10.200.51.1/24
    id: 251

--------------------------------------------------------------------------------
/inputs/leaf52.yml:
--------------------------------------------------------------------------------
bgp_as: 65052
hostname: leaf52
loopback:
  address: 10.1.1.52
mgmt:
  address: 10.254.1.52/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 152
  - name: swp2
    vlan: 252
vlans:
  - address: 10.100.52.1/24
    id: 152
  - address: 10.200.52.1/24
    id: 252
--------------------------------------------------------------------------------
/inputs/leaf53.yml:
--------------------------------------------------------------------------------
bgp_as: 65053
hostname: leaf53
loopback:
  address: 10.1.1.53
mgmt:
  address: 10.254.1.53/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 153
  - name: swp2
    vlan: 253
vlans:
  - address: 10.100.53.1/24
    id: 153
  - address: 10.200.53.1/24
    id: 253

--------------------------------------------------------------------------------
/inputs/leaf54.yml:
--------------------------------------------------------------------------------
bgp_as: 65054
hostname: leaf54
loopback:
  address: 10.1.1.54
mgmt:
  address: 10.254.1.54/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 154
  - name: swp2
    vlan: 254
vlans:
  - address: 10.100.54.1/24
    id: 154
  - address: 10.200.54.1/24
    id: 254

--------------------------------------------------------------------------------
/inputs/leaf55.yml:
--------------------------------------------------------------------------------
bgp_as: 65055
hostname: leaf55
loopback:
  address: 10.1.1.55
mgmt:
  address: 10.254.1.55/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 155
  - name: swp2
    vlan: 255
vlans:
  - address: 10.100.55.1/24
    id: 155
  - address: 10.200.55.1/24
    id: 255
--------------------------------------------------------------------------------
/inputs/leaf56.yml:
--------------------------------------------------------------------------------
bgp_as: 65056
hostname: leaf56
loopback:
  address: 10.1.1.56
mgmt:
  address: 10.254.1.56/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 156
  - name: swp2
    vlan: 256
vlans:
  - address: 10.100.56.1/24
    id: 156
  - address: 10.200.56.1/24
    id: 256

--------------------------------------------------------------------------------
/inputs/leaf57.yml:
--------------------------------------------------------------------------------
bgp_as: 65057
hostname: leaf57
loopback:
  address: 10.1.1.57
mgmt:
  address: 10.254.1.57/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 157
  - name: swp2
    vlan: 257
vlans:
  - address: 10.100.57.1/24
    id: 157
  - address: 10.200.57.1/24
    id: 257

--------------------------------------------------------------------------------
/inputs/leaf58.yml:
--------------------------------------------------------------------------------
bgp_as: 65058
hostname: leaf58
loopback:
  address: 10.1.1.58
mgmt:
  address: 10.254.1.58/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 158
  - name: swp2
    vlan: 258
vlans:
  - address: 10.100.58.1/24
    id: 158
  - address: 10.200.58.1/24
    id: 258
--------------------------------------------------------------------------------
/inputs/leaf59.yml:
--------------------------------------------------------------------------------
bgp_as: 65059
hostname: leaf59
loopback:
  address: 10.1.1.59
mgmt:
  address: 10.254.1.59/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 159
  - name: swp2
    vlan: 259
vlans:
  - address: 10.100.59.1/24
    id: 159
  - address: 10.200.59.1/24
    id: 259

--------------------------------------------------------------------------------
/inputs/leaf60.yml:
--------------------------------------------------------------------------------
bgp_as: 65060
hostname: leaf60
loopback:
  address: 10.1.1.60
mgmt:
  address: 10.254.1.60/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 160
  - name: swp2
    vlan: 260
vlans:
  - address: 10.100.60.1/24
    id: 160
  - address: 10.200.60.1/24
    id: 260

--------------------------------------------------------------------------------
/inputs/leaf61.yml:
--------------------------------------------------------------------------------
bgp_as: 65061
hostname: leaf61
loopback:
  address: 10.1.1.61
mgmt:
  address: 10.254.1.61/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 161
  - name: swp2
    vlan: 261
vlans:
  - address: 10.100.61.1/24
    id: 161
  - address: 10.200.61.1/24
    id: 261
--------------------------------------------------------------------------------
/inputs/leaf62.yml:
--------------------------------------------------------------------------------
bgp_as: 65062
hostname: leaf62
loopback:
  address: 10.1.1.62
mgmt:
  address: 10.254.1.62/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 162
  - name: swp2
    vlan: 262
vlans:
  - address: 10.100.62.1/24
    id: 162
  - address: 10.200.62.1/24
    id: 262

--------------------------------------------------------------------------------
/inputs/leaf63.yml:
--------------------------------------------------------------------------------
bgp_as: 65063
hostname: leaf63
loopback:
  address: 10.1.1.63
mgmt:
  address: 10.254.1.63/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 163
  - name: swp2
    vlan: 263
vlans:
  - address: 10.100.63.1/24
    id: 163
  - address: 10.200.63.1/24
    id: 263

--------------------------------------------------------------------------------
/inputs/leaf64.yml:
--------------------------------------------------------------------------------
bgp_as: 65064
hostname: leaf64
loopback:
  address: 10.1.1.64
mgmt:
  address: 10.254.1.64/16
  gateway: 10.254.254.254
ports:
  - bgp: true
    name: swp49
  - bgp: true
    name: swp50
  - bgp: true
    name: swp51
  - bgp: true
    name: swp52
  - name: swp1
    vlan: 164
  - name: swp2
    vlan: 264
vlans:
  - address: 10.100.64.1/24
    id: 164
  - address: 10.200.64.1/24
    id: 264
--------------------------------------------------------------------------------
/inputs/leaf65.yml:
--------------------------------------------------------------------------------
bgp_as: 65065
hostname: leaf65
loopback:
  address: 10.1.1.65
mgmt:
  address: 10.254.1.65/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 165
- name: swp2
  vlan: 265
vlans:
- address: 10.100.65.1/24
  id: 165
- address: 10.200.65.1/24
  id: 265
--------------------------------------------------------------------------------
/inputs/leaf66.yml:
--------------------------------------------------------------------------------
bgp_as: 65066
hostname: leaf66
loopback:
  address: 10.1.1.66
mgmt:
  address: 10.254.1.66/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 166
- name: swp2
  vlan: 266
vlans:
- address: 10.100.66.1/24
  id: 166
- address: 10.200.66.1/24
  id: 266
--------------------------------------------------------------------------------
/inputs/leaf67.yml:
--------------------------------------------------------------------------------
bgp_as: 65067
hostname: leaf67
loopback:
  address: 10.1.1.67
mgmt:
  address: 10.254.1.67/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 167
- name: swp2
  vlan: 267
vlans:
- address: 10.100.67.1/24
  id: 167
- address: 10.200.67.1/24
  id: 267
--------------------------------------------------------------------------------
/inputs/leaf68.yml:
--------------------------------------------------------------------------------
bgp_as: 65068
hostname: leaf68
loopback:
  address: 10.1.1.68
mgmt:
  address: 10.254.1.68/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 168
- name: swp2
  vlan: 268
vlans:
- address: 10.100.68.1/24
  id: 168
- address: 10.200.68.1/24
  id: 268
--------------------------------------------------------------------------------
/inputs/leaf69.yml:
--------------------------------------------------------------------------------
bgp_as: 65069
hostname: leaf69
loopback:
  address: 10.1.1.69
mgmt:
  address: 10.254.1.69/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 169
- name: swp2
  vlan: 269
vlans:
- address: 10.100.69.1/24
  id: 169
- address: 10.200.69.1/24
  id: 269
--------------------------------------------------------------------------------
/inputs/leaf70.yml:
--------------------------------------------------------------------------------
bgp_as: 65070
hostname: leaf70
loopback:
  address: 10.1.1.70
mgmt:
  address: 10.254.1.70/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 170
- name: swp2
  vlan: 270
vlans:
- address: 10.100.70.1/24
  id: 170
- address: 10.200.70.1/24
  id: 270
--------------------------------------------------------------------------------
/inputs/leaf71.yml:
--------------------------------------------------------------------------------
bgp_as: 65071
hostname: leaf71
loopback:
  address: 10.1.1.71
mgmt:
  address: 10.254.1.71/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 171
- name: swp2
  vlan: 271
vlans:
- address: 10.100.71.1/24
  id: 171
- address: 10.200.71.1/24
  id: 271
--------------------------------------------------------------------------------
/inputs/leaf72.yml:
--------------------------------------------------------------------------------
bgp_as: 65072
hostname: leaf72
loopback:
  address: 10.1.1.72
mgmt:
  address: 10.254.1.72/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 172
- name: swp2
  vlan: 272
vlans:
- address: 10.100.72.1/24
  id: 172
- address: 10.200.72.1/24
  id: 272
--------------------------------------------------------------------------------
/inputs/leaf73.yml:
--------------------------------------------------------------------------------
bgp_as: 65073
hostname: leaf73
loopback:
  address: 10.1.1.73
mgmt:
  address: 10.254.1.73/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 173
- name: swp2
  vlan: 273
vlans:
- address: 10.100.73.1/24
  id: 173
- address: 10.200.73.1/24
  id: 273
--------------------------------------------------------------------------------
/inputs/leaf74.yml:
--------------------------------------------------------------------------------
bgp_as: 65074
hostname: leaf74
loopback:
  address: 10.1.1.74
mgmt:
  address: 10.254.1.74/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 174
- name: swp2
  vlan: 274
vlans:
- address: 10.100.74.1/24
  id: 174
- address: 10.200.74.1/24
  id: 274
--------------------------------------------------------------------------------
/inputs/leaf75.yml:
--------------------------------------------------------------------------------
bgp_as: 65075
hostname: leaf75
loopback:
  address: 10.1.1.75
mgmt:
  address: 10.254.1.75/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 175
- name: swp2
  vlan: 275
vlans:
- address: 10.100.75.1/24
  id: 175
- address: 10.200.75.1/24
  id: 275
--------------------------------------------------------------------------------
/inputs/leaf76.yml:
--------------------------------------------------------------------------------
bgp_as: 65076
hostname: leaf76
loopback:
  address: 10.1.1.76
mgmt:
  address: 10.254.1.76/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 176
- name: swp2
  vlan: 276
vlans:
- address: 10.100.76.1/24
  id: 176
- address: 10.200.76.1/24
  id: 276
--------------------------------------------------------------------------------
/inputs/leaf77.yml:
--------------------------------------------------------------------------------
bgp_as: 65077
hostname: leaf77
loopback:
  address: 10.1.1.77
mgmt:
  address: 10.254.1.77/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 177
- name: swp2
  vlan: 277
vlans:
- address: 10.100.77.1/24
  id: 177
- address: 10.200.77.1/24
  id: 277
--------------------------------------------------------------------------------
/inputs/leaf78.yml:
--------------------------------------------------------------------------------
bgp_as: 65078
hostname: leaf78
loopback:
  address: 10.1.1.78
mgmt:
  address: 10.254.1.78/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 178
- name: swp2
  vlan: 278
vlans:
- address: 10.100.78.1/24
  id: 178
- address: 10.200.78.1/24
  id: 278
--------------------------------------------------------------------------------
/inputs/leaf79.yml:
--------------------------------------------------------------------------------
bgp_as: 65079
hostname: leaf79
loopback:
  address: 10.1.1.79
mgmt:
  address: 10.254.1.79/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 179
- name: swp2
  vlan: 279
vlans:
- address: 10.100.79.1/24
  id: 179
- address: 10.200.79.1/24
  id: 279
--------------------------------------------------------------------------------
/inputs/leaf80.yml:
--------------------------------------------------------------------------------
bgp_as: 65080
hostname: leaf80
loopback:
  address: 10.1.1.80
mgmt:
  address: 10.254.1.80/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 180
- name: swp2
  vlan: 280
vlans:
- address: 10.100.80.1/24
  id: 180
- address: 10.200.80.1/24
  id: 280
--------------------------------------------------------------------------------
/inputs/leaf81.yml:
--------------------------------------------------------------------------------
bgp_as: 65081
hostname: leaf81
loopback:
  address: 10.1.1.81
mgmt:
  address: 10.254.1.81/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 181
- name: swp2
  vlan: 281
vlans:
- address: 10.100.81.1/24
  id: 181
- address: 10.200.81.1/24
  id: 281
--------------------------------------------------------------------------------
/inputs/leaf82.yml:
--------------------------------------------------------------------------------
bgp_as: 65082
hostname: leaf82
loopback:
  address: 10.1.1.82
mgmt:
  address: 10.254.1.82/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 182
- name: swp2
  vlan: 282
vlans:
- address: 10.100.82.1/24
  id: 182
- address: 10.200.82.1/24
  id: 282
--------------------------------------------------------------------------------
/inputs/leaf83.yml:
--------------------------------------------------------------------------------
bgp_as: 65083
hostname: leaf83
loopback:
  address: 10.1.1.83
mgmt:
  address: 10.254.1.83/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 183
- name: swp2
  vlan: 283
vlans:
- address: 10.100.83.1/24
  id: 183
- address: 10.200.83.1/24
  id: 283
--------------------------------------------------------------------------------
/inputs/leaf84.yml:
--------------------------------------------------------------------------------
bgp_as: 65084
hostname: leaf84
loopback:
  address: 10.1.1.84
mgmt:
  address: 10.254.1.84/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 184
- name: swp2
  vlan: 284
vlans:
- address: 10.100.84.1/24
  id: 184
- address: 10.200.84.1/24
  id: 284
--------------------------------------------------------------------------------
/inputs/leaf85.yml:
--------------------------------------------------------------------------------
bgp_as: 65085
hostname: leaf85
loopback:
  address: 10.1.1.85
mgmt:
  address: 10.254.1.85/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 185
- name: swp2
  vlan: 285
vlans:
- address: 10.100.85.1/24
  id: 185
- address: 10.200.85.1/24
  id: 285
--------------------------------------------------------------------------------
/inputs/leaf86.yml:
--------------------------------------------------------------------------------
bgp_as: 65086
hostname: leaf86
loopback:
  address: 10.1.1.86
mgmt:
  address: 10.254.1.86/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 186
- name: swp2
  vlan: 286
vlans:
- address: 10.100.86.1/24
  id: 186
- address: 10.200.86.1/24
  id: 286
--------------------------------------------------------------------------------
/inputs/leaf87.yml:
--------------------------------------------------------------------------------
bgp_as: 65087
hostname: leaf87
loopback:
  address: 10.1.1.87
mgmt:
  address: 10.254.1.87/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 187
- name: swp2
  vlan: 287
vlans:
- address: 10.100.87.1/24
  id: 187
- address: 10.200.87.1/24
  id: 287
--------------------------------------------------------------------------------
/inputs/leaf88.yml:
--------------------------------------------------------------------------------
bgp_as: 65088
hostname: leaf88
loopback:
  address: 10.1.1.88
mgmt:
  address: 10.254.1.88/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 188
- name: swp2
  vlan: 288
vlans:
- address: 10.100.88.1/24
  id: 188
- address: 10.200.88.1/24
  id: 288
--------------------------------------------------------------------------------
/inputs/leaf89.yml:
--------------------------------------------------------------------------------
bgp_as: 65089
hostname: leaf89
loopback:
  address: 10.1.1.89
mgmt:
  address: 10.254.1.89/16
  gateway: 10.254.254.254
ports:
- bgp: true
  name: swp49
- bgp: true
  name: swp50
- bgp: true
  name: swp51
- bgp: true
  name: swp52
- name: swp1
  vlan: 189
- name: swp2
  vlan: 289
vlans:
- address: 10.100.89.1/24
  id: 189
- address: 10.200.89.1/24
  id: 289
--------------------------------------------------------------------------------
/inputs/spine01.yml:
--------------------------------------------------------------------------------
hostname: spine01
bgp_as: 65101
loopback:
  address: 10.1.2.1
mgmt:
  address: 10.254.2.1/16
  gateway: 10.254.254.254
--------------------------------------------------------------------------------
/inputs/spine02.yml:
--------------------------------------------------------------------------------
hostname: spine02
bgp_as: 65102
loopback:
  address: 10.1.2.2
mgmt:
  address: 10.254.2.2/16
  gateway: 10.254.254.254
--------------------------------------------------------------------------------
/inputs/spine03.yml:
--------------------------------------------------------------------------------
hostname: spine03
bgp_as: 65103
loopback:
  address: 10.1.2.3
mgmt:
  address: 10.254.2.3/16
  gateway: 10.254.254.254
--------------------------------------------------------------------------------
/inputs/spine04.yml:
--------------------------------------------------------------------------------
hostname: spine04
bgp_as: 65104
loopback:
  address: 10.1.2.4
mgmt:
  address: 10.254.2.4/16
  gateway: 10.254.254.254
--------------------------------------------------------------------------------
/playbooks/add_leaf.yml:
--------------------------------------------------------------------------------
---
- name: Create Configuration for new Leaf Router
  connection: local
  hosts: localhost
  gather_facts: no

  vars:
    demo_base_dir: "{{ lookup('env', 'PWD') }}"

  vars_prompt:
    - name: "leaf_number"
      prompt: "Enter the number for the new leaf router"
      private: no
    - name: "bgp_as_input"
      prompt: "Enter the BGP AS number for the new leaf router"
      private: no

  tasks:
    - set_fact:
        # hostnames in inputs/ and the inventory are zero-padded to two digits (leaf01 ... leaf89),
        # so pad the entered number the same way to keep the generated file name consistent
        hostname: "leaf{{ '%02d' | format(leaf_number | int) }}"
        bgp_as: "{{ bgp_as_input }}"
        loopback:
          address: "10.1.1.{{ leaf_number }}"
        mgmt:
          address: "10.254.1.{{ leaf_number }}/16"
          gateway: 10.254.254.254
        ports:
          - name: swp49
            bgp: true
          - name: swp50
            bgp: true
          - name: swp51
            bgp: true
          - name: swp52
            bgp: true
          - name: swp1
            vlan: "{{ 100 + leaf_number | int }}"
          - name: swp2
            vlan: "{{ 200 + leaf_number | int }}"
        vlans:
          - id: "{{ 100 + leaf_number | int }}"
            address: "10.100.{{ leaf_number }}.1/24"
          - id: "{{ 200 + leaf_number | int }}"
            address: "10.200.{{ leaf_number }}.1/24"
      register: test

    - name: Write computed variables to YAML
      copy:
        content: "{{ test.ansible_facts | to_nice_yaml }}"
        dest: "{{ demo_base_dir }}/inputs/{{ hostname }}.yml"

    - name: Default commit message
      set_fact:
        commit_message: "adding {{ hostname }} to fabric"

    - name: Prompt for commit message
      pause:
        prompt: "Enter commit message [{{ commit_message }}]"
      register: commit_prompt

    - name: Override default commit message if needed
      set_fact:
        commit_message: "{{ commit_prompt.user_input }}"
      when: commit_prompt.user_input != ""

    # the commit message is free text typed by the operator; shell-quote it so that
    # quotes or metacharacters in it cannot break out of the git command line
    - name: Add new file to git, commit, and push
      shell:
        "git add ../inputs;
        git commit -am {{ commit_message | quote }};
        git push"
--------------------------------------------------------------------------------
/playbooks/inventory:
--------------------------------------------------------------------------------
[leaf]
leaf01
leaf02
leaf03
leaf04
leaf05
leaf06
leaf07
leaf08
leaf09
leaf10
leaf11
leaf12
leaf13
leaf14
leaf15
leaf16
leaf17
leaf18
leaf19
leaf20
leaf21
leaf22
leaf23
leaf24
leaf25
leaf26
leaf27
leaf28
leaf29
leaf30
leaf31
leaf32
leaf33
leaf34
leaf35
leaf36
leaf37
leaf38
leaf39
leaf40
leaf41
leaf42
leaf43
leaf44
leaf45
leaf46
leaf47
leaf48
leaf49
leaf50
leaf51
leaf52
leaf53
leaf54
leaf55
leaf56
leaf57
leaf58
leaf59
leaf60
leaf61
leaf62
leaf63
leaf64
leaf65
leaf66
leaf67
leaf68
leaf69
leaf70
leaf71
leaf72
leaf73
leaf74
leaf75
leaf76
leaf77
leaf78
leaf79
leaf80
leaf81
leaf82
leaf83
leaf84
leaf85
leaf86
leaf87
leaf88
leaf89

[spine]
spine01
spine02
spine03
spine04

[border_leaf]
bl01
bl02

[fwl]
fwl01

[border]
bor01
bor02

[all:vars]
ansible_connection=local
localhost ansible_python_interpreter=python
--------------------------------------------------------------------------------
/playbooks/request_service.yml:
--------------------------------------------------------------------------------
---
- name: Request new service through firewall
  connection: local
  hosts: localhost
  gather_facts: no

  vars:
    demo_base_dir: "{{ lookup('env', 'PWD') }}"

    out_in_yaml: inputs/firewall/fwl_out_in.yml
    in_out_yaml: inputs/firewall/fwl_in_out.yml
    network_net: inputs/firewall/network.net
    services_svc: inputs/firewall/services.svc

    # default direction is IN (internet to internal service); overridden below for OUT
    input_yaml: "{{ out_in_yaml }}"
    output_yaml: "{{ out_in_yaml }}"

  vars_prompt:
    - name: "direction"
      prompt: "Direction of request flow. IN for opening up access to internal service from the internet. OUT for opening up access to external service"
      default: IN
      private: no
    - name: "destination_address"
      prompt: "Enter the destination IP address/prefix"
      private: no
    - name: "source_address"
      prompt: "Enter the source IP address/prefix"
      default: "0.0.0.0/0"
      private: no
    - name: "protocol"
      prompt: "Enter the IP protocol (tcp or udp)"
      default: "tcp"
      private: no
    - name: "application"
      prompt: "Enter the name of the application"
      private: no
    - name: "destination_port"
      prompt: "Enter the destination port"
      default: 443
      private: no
    - name: "term_name"
      prompt: "Enter the change request id (must start with [a-zA-Z] and not contain spaces)"
      private: no
      default: "CHG12345"

  tasks:
    - set_fact:
        input_yaml: "{{ in_out_yaml }}"
        output_yaml: "{{ in_out_yaml }}"
      when: direction == "OUT"

    - name: Add network definition to network.net file
      blockinfile:
        path: "../{{ network_net }}"
        block: |
          NET-{{ destination_address }} = {{ destination_address }}
          NET-{{ source_address }} = {{ source_address }}
        marker: "## Added for change request {{ term_name }} ##"

    - name: Add service definition to services.svc file
      blockinfile:
        path: "../{{ services_svc }}"
        block: |
          APP-{{ application }} = {{ destination_port }}/{{ protocol }}
        marker: "## Added for change request {{ term_name }} ##"

    # build the new policy term from the prompted values
    - set_fact:
        name: "{{ term_name }}"
        clauses:
          destination_port: "APP-{{ application }}"
          protocol: "{{ protocol }}"
          destination_address: "NET-{{ destination_address }}"
          source_address: "NET-{{ source_address }}"
        action: "accept"
      register: new_term

    - name: Read existing policy into memory
      include_vars:
        file: "../{{ input_yaml }}"
        name: terms

    - name: Create new list and add new term to list
      set_fact:
        test: "{{ terms.terms + [ new_term.ansible_facts ] }}"

    - name: Create new policy in memory
      set_fact:
        file_out:
          target: "{{ terms.target }}"
          terms: "{{ test }}"

    - name: Write new policy to file
      copy:
        content: "{{ file_out | to_nice_yaml }}"
        dest: "../{{ output_yaml }}"

    - name: Default commit message
      set_fact:
        commit_message: "Change request {{ term_name }} for access to {{ destination_address }} application {{ application }} from {{ source_address }}"

    - name: Prompt for commit message
      pause:
        prompt: "Enter commit message [{{ commit_message }}]"
      register: commit_prompt

    - name: Override default commit message if needed
      set_fact:
        commit_message: "{{ commit_prompt.user_input }}"
      when: commit_prompt.user_input != ""

    # shell-quote the operator-supplied commit message so it cannot break out of the git command line
    - name: Add new file to git, commit, and push
      shell:
        "git add ../inputs;
        git commit -am {{ commit_message | quote }};
        git push"
--------------------------------------------------------------------------------
/policies/.gitignore:
--------------------------------------------------------------------------------
# Ignore python cache files
__pycache__
.pytest_cache/

--------------------------------------------------------------------------------
/policies/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/batfish/af19-demo/a34f3090de8e31afb873910b6e40f31f982acd7d/policies/__init__.py
--------------------------------------------------------------------------------
/policies/address-groups.yml:
--------------------------------------------------------------------------------
metadata:
  - name: aws
    addresses:
"52.95.228.0/24", "54.222.128.0/17", "96.127.0.0/17", "52.119.252.0/22", "54.148.0.0/15", "99.77.130.0/24", "35.182.0.0/15", "99.77.191.0/24", "3.112.0.0/14", "52.95.244.0/24", "99.82.188.0/22", "52.95.148.0/23", "3.208.0.0/12", "52.92.88.0/22", "54.222.64.0/23", "185.48.120.0/22", "52.144.192.64/26", "54.240.192.0/22", "150.222.97.0/24", "18.220.0.0/14", "52.36.0.0/14", "52.94.112.0/22", "54.94.0.0/16", "99.78.184.0/22", "18.191.0.0/16", "52.144.210.0/26", "52.95.169.0/24", "54.222.0.0/19", "54.239.0.112/28", "54.239.8.0/21", "54.240.204.0/22", "99.86.0.0/16", "207.171.176.0/20", "18.178.0.0/16", "52.95.164.0/23", "52.144.208.128/26", "52.144.213.64/26", "54.202.0.0/15", "54.240.208.0/22", "13.248.107.0/24", "52.94.240.0/22", "52.144.210.64/26", "150.222.138.0/24", "13.248.104.0/24", "34.248.0.0/13", "52.93.237.0/24", "54.239.107.253/32", "15.206.0.0/15", "50.18.0.0/16", "52.14.0.0/16", "52.46.0.0/18", "52.46.88.0/22", "52.93.17.17/32", "13.124.0.0/16", "52.84.0.0/15", "52.93.122.131/32", "52.94.248.144/28", "52.192.0.0/15", "52.95.255.32/28", "52.144.229.0/26", "160.1.0.0/16", "13.236.0.0/14", "52.46.220.0/22", "52.92.32.0/22", "52.95.41.0/24", "52.95.100.0/22", "52.95.226.0/24", "99.78.152.0/22", "150.222.135.0/24", "52.95.172.0/23", "174.129.0.0/16", "13.209.0.0/16", "18.140.0.0/15", "52.60.0.0/16", "52.78.0.0/16", "72.44.32.0/19", "205.251.236.0/22", "34.224.0.0/12", "52.75.0.0/16", "52.82.160.0/22", "52.144.215.194/31", "99.78.128.0/20", "99.82.164.0/24", "52.92.68.0/22", "52.94.0.0/22", "205.251.240.0/22", "13.230.0.0/15", "13.248.111.0/24", "52.93.4.0/24", "52.93.59.0/24", "52.94.198.96/28", "52.94.249.160/28", "52.144.194.128/26", "52.144.210.128/26", "52.144.211.202/31", "52.219.112.0/21", "54.224.0.0/15", "54.239.32.0/21", "15.164.0.0/15", "52.46.96.0/19", "52.46.128.0/19", "54.239.0.128/28", "176.34.128.0/17", "52.95.240.0/24", "52.219.16.0/22", "75.101.128.0/17", "52.46.164.0/23", "54.178.0.0/16", "99.82.168.0/24", "108.128.0.0/13", "52.95.61.0/24", 
"52.219.124.0/22", "54.240.241.0/24", "130.176.0.0/16", "150.222.235.0/24", "13.56.0.0/16", "18.184.0.0/15", "72.21.192.0/19", "52.95.63.0/24", "52.94.252.0/23", "52.144.215.198/31", "54.222.57.0/24", "99.83.128.0/17", "3.5.128.0/22", "18.216.0.0/14", "34.192.0.0/12", "52.93.37.222/32", "52.94.64.0/22", "54.231.160.0/19", "13.248.112.0/24", "52.93.18.179/32", "52.93.112.34/32", "52.94.196.0/24", "54.215.0.0/16", "177.71.128.0/17", "18.175.0.0/16", "52.46.216.0/22", "52.92.76.0/22", "54.208.0.0/15", "54.228.0.0/16", "64.252.64.0/18", "52.92.52.0/22", "52.93.247.0/25", "52.92.60.0/22", "52.144.215.192/31", "52.219.68.0/22", "54.229.0.0/16", "54.239.1.96/28", "52.94.14.0/24", "52.94.198.64/28", "52.119.216.0/21", "18.138.0.0/15", "52.95.255.144/28", "204.246.174.0/23", "3.120.0.0/14", "52.9.0.0/16", "52.93.38.0/24", "52.144.216.4/31", "52.219.128.0/22", "99.77.141.0/24", "13.244.0.0/15", "52.94.248.48/28", "54.242.0.0/15", "177.72.240.0/21", "216.182.238.0/23", "35.180.0.0/16", "52.94.76.0/22", "52.95.36.0/22", "150.222.81.0/24", "3.14.0.0/15", "18.228.0.0/16", "52.16.0.0/15", "52.95.28.0/24", "52.95.146.0/23", "52.95.242.0/24", "52.144.212.192/26", "161.189.0.0/16", "13.52.0.0/16", "18.180.0.0/15", "46.137.128.0/18", "52.93.2.0/24", "52.94.248.176/28", "52.93.245.0/24", "52.95.16.0/21", "54.234.0.0/15", "18.188.0.0/16", "46.51.128.0/18", "64.252.128.0/18", "99.82.152.0/22", "99.82.167.0/24", "150.222.108.0/24", "205.251.254.0/24", "52.94.249.176/28", "52.94.254.0/23", "54.153.0.0/17", "52.24.0.0/14", "52.46.170.0/23", "52.95.56.0/22", "52.119.160.0/20", "52.222.0.0/17", "52.82.192.0/18", "52.93.12.13/32", "54.239.96.0/24", "54.240.226.0/24", "99.78.216.0/22", "150.222.75.0/24", "52.94.248.224/28", "52.95.162.0/24", "52.95.255.48/28", "54.218.0.0/16", "3.124.0.0/14", "52.82.176.0/22", "52.144.194.192/26", "54.183.0.0/16", "13.248.101.0/24", "52.95.255.0/28", "54.176.0.0/15", "54.246.0.0/16", "13.248.108.0/24", "52.95.108.0/23", "52.144.193.0/26", "99.78.168.0/23", 
"143.204.0.0/16", "150.222.91.0/24", "18.231.0.0/16", "54.252.0.0/16", "150.222.79.0/24", "46.137.224.0/19", "52.92.248.0/22", "99.82.156.0/22", "13.248.32.0/20", "52.94.199.0/24", "52.95.128.0/21", "52.119.206.0/23", "205.251.252.0/23", "52.119.176.0/21", "54.144.0.0/14", "54.169.0.0/16", "99.77.136.0/24", "54.66.0.0/16", "52.2.0.0/15", "103.4.8.0/21", "176.32.96.0/21", "184.72.64.0/18", "15.193.3.0/24", "52.94.244.0/22", "52.119.208.0/23", "150.222.228.0/24", "52.93.150.0/24", "52.95.112.0/20", "99.78.196.0/22", "18.179.0.0/16", "52.93.156.0/22", "52.95.138.0/24", "205.251.224.0/22", "52.95.110.0/24", "150.222.115.0/24", "46.51.224.0/19", "52.95.111.0/24", "54.179.0.0/16", "54.240.203.0/24", "150.222.134.0/24", "54.233.0.0/18", "99.82.172.0/24", "150.222.82.0/24", "52.119.184.0/22", "52.144.211.194/31", "54.239.104.0/23", "204.246.176.0/20", "52.8.0.0/16", "52.93.69.201/32", "52.95.247.0/24", "15.193.0.0/24", "52.66.0.0/16", "54.239.0.64/28", "99.82.176.0/21", "204.236.192.0/18", "52.95.160.0/23", "54.64.0.0/15", "103.8.172.0/22", "176.34.0.0/19", "13.248.96.0/24", "52.95.158.0/23", "52.144.192.128/26", "52.216.0.0/15", "99.82.144.0/21", "99.82.169.0/24", "150.222.80.0/24", "52.94.198.128/28", "52.95.248.0/24", "54.239.0.176/28", "52.46.92.0/22", "52.93.236.0/24", "54.239.98.0/24", "52.82.188.0/22", "54.222.58.32/28", "176.32.125.0/25", "13.249.0.0/16", "15.193.6.0/24", "13.248.28.0/22", "18.176.0.0/15", "54.239.56.0/21", "99.82.165.0/24", "3.0.0.0/15", "13.248.102.0/24", "43.250.193.0/24", "52.77.0.0/16", "52.93.21.15/32", "52.119.205.0/24", "52.144.227.64/26", "54.239.1.64/28", "18.224.0.0/14", "52.56.0.0/16", "54.240.212.0/22", "54.245.0.0/16", "150.222.100.0/24", "43.250.192.0/24", "54.239.113.0/24", "176.32.112.0/21", "52.94.10.0/24", "99.82.170.0/24", "52.94.7.0/24", "52.95.60.0/24", "13.248.16.0/21", "52.92.84.0/22", "54.240.128.0/18", "150.222.12.0/24", "150.222.116.0/24", "205.251.250.0/23", "52.144.211.128/26", "99.77.131.0/24", "52.95.251.0/24", 
"52.4.0.0/14", "52.144.229.64/26", "15.193.1.0/24", "52.46.80.0/21", "52.46.184.0/22", "52.67.0.0/16", "52.93.43.0/24", "54.239.116.0/22", "18.201.0.0/16", "52.119.214.0/23", "52.144.215.202/31", "54.151.128.0/17", "208.86.88.0/23", "44.224.0.0/11", "52.81.0.0/16", "52.222.128.0/17", "150.222.104.0/24", "13.250.0.0/15", "44.192.0.0/11", "52.95.166.0/23", "52.144.216.2/31", "3.16.0.0/14", "18.130.0.0/16", "52.72.0.0/15", "52.82.180.0/22", "52.93.35.213/32", "54.182.0.0/16", "52.95.168.0/24", "52.144.224.128/26", "54.192.0.0/16", "54.239.0.16/28", "54.239.0.96/28", "99.77.148.0/24", "18.136.0.0/16", "50.112.0.0/16", "52.93.97.0/24", "52.144.215.0/31", "52.144.215.196/31", "87.238.80.0/21", "52.95.255.80/28", "150.222.87.0/24", "52.92.252.0/22", "52.95.250.0/24", "52.144.211.0/26", "50.19.0.0/16", "99.79.0.0/16", "150.222.73.0/24", "3.130.0.0/16", "13.57.0.0/16", "13.126.0.0/15", "54.239.4.0/22", "99.77.140.0/24", "54.172.0.0/15", "176.34.64.0/18", "52.94.206.0/23", "54.231.192.0/20", "54.233.128.0/17", "203.83.220.0/22", "54.245.168.0/26", "54.243.31.192/26", "177.71.207.128/26", "54.255.254.192/26", "15.177.0.0/18", "54.244.52.192/26", "176.34.159.192/26", "54.251.31.128/26", "54.183.255.128/26", "54.241.32.64/26", "54.252.254.192/26", "107.23.255.0/26", "54.248.220.0/26", "54.228.16.0/26", "54.250.253.192/26", "54.232.40.64/26", "54.252.79.128/26", "52.95.154.0/23", "52.219.64.0/22", "52.92.72.0/22", "52.92.64.0/22", "52.95.156.0/24", "52.92.39.0/24", "52.95.150.0/24", "52.219.60.0/23", "52.92.48.0/22", "52.92.0.0/20", "52.219.132.0/22", "52.95.170.0/23", "52.92.56.0/22", "52.95.142.0/23", "54.231.232.0/21", "54.222.52.0/22", "54.231.128.0/19", "52.218.128.0/17", "52.95.157.0/24", "108.175.52.0/22", "52.82.164.0/22", "54.231.253.0/24", "54.231.0.0/17", "52.219.20.0/22", "52.219.24.0/21", "52.219.96.0/20", "52.219.72.0/22", "52.219.120.0/22", "54.222.48.0/22", "52.219.56.0/22", "52.95.174.0/24", "108.175.48.0/22", "54.231.248.0/22", "52.218.0.0/17", 
"52.219.44.0/22", "52.95.144.0/24", "52.95.176.0/24", "3.5.132.0/23", "52.92.16.0/20", "54.231.252.0/24", "52.219.0.0/20", "52.219.40.0/22", "52.219.136.0/22", "52.95.163.0/24", "52.95.145.0/24", "52.92.40.0/21", "52.219.32.0/21", "52.95.136.0/23", "52.219.48.0/22", "52.219.62.0/23", "52.95.175.0/24", "52.219.80.0/20", "52.92.80.0/22", "52.95.148.0/23", "52.92.88.0/22", "52.95.169.0/24", "52.95.164.0/23", "52.92.32.0/22", "52.95.172.0/23", "52.92.68.0/22", "52.219.112.0/21", "52.219.16.0/22", "52.219.124.0/22", "3.5.128.0/22", "54.231.160.0/19", "52.92.76.0/22", "52.92.52.0/22", "52.92.60.0/22", "52.219.68.0/22", "52.219.128.0/22", "52.95.146.0/23", "52.95.162.0/24", "52.92.248.0/22", "52.95.128.0/21", "52.95.138.0/24", "52.95.160.0/23", "52.95.158.0/23", "52.216.0.0/15", "52.82.188.0/22", "52.92.84.0/22", "52.95.166.0/23", "52.95.168.0/24", "52.92.252.0/22", "54.231.192.0/20", "52.94.22.0/24", "52.94.17.0/24", "52.119.224.0/21", "52.119.249.0/24", "52.94.8.0/24", "52.94.20.0/24", "52.82.187.0/24", "52.94.19.0/24", "52.119.232.0/21", "52.94.13.0/24", "52.94.5.0/24", "52.94.23.0/24", "52.94.4.0/24", "52.94.16.0/24", "52.119.248.0/24", "52.94.15.0/24", "52.94.26.0/23", "52.94.30.0/24", "52.119.240.0/21", "52.94.9.0/24", "52.94.28.0/23", "52.94.11.0/24", "52.94.24.0/23", "52.94.12.0/24", "52.94.6.0/24", "52.119.252.0/22", "52.94.0.0/22", "54.222.57.0/24", "52.94.14.0/24", "52.94.10.0/24", "52.94.7.0/24", "18.208.0.0/13", "52.95.245.0/24", "99.77.142.0/24", "52.194.0.0/15", "54.155.0.0/16", "54.196.0.0/15", "52.95.255.112/28", "13.210.0.0/15", "54.241.0.0/16", "184.169.128.0/17", "216.182.224.0/21", "15.193.2.0/24", "99.77.132.0/24", "52.74.0.0/16", "54.168.0.0/16", "54.238.0.0/16", "216.182.232.0/22", "13.125.0.0/16", "54.193.0.0/16", "54.222.59.0/24", "54.250.0.0/16", "107.20.0.0/14", "99.77.128.0/24", "54.180.0.0/15", "99.77.253.0/24", "52.30.0.0/15", "52.94.249.64/28", "54.92.0.0/17", "54.154.0.0/16", "67.202.0.0/18", "52.94.248.112/28", "54.232.0.0/16", 
"52.94.116.0/22", "208.86.90.0/23", "52.94.248.192/28", "184.73.0.0/16", "18.183.0.0/16", "46.137.0.0/17", "99.77.135.0/24", "3.80.0.0/12", "52.40.0.0/14", "15.193.4.0/24", "35.181.0.0/16", "54.80.0.0/13", "54.214.0.0/16", "54.254.0.0/16", "52.95.254.0/24", "176.32.64.0/19", "3.224.0.0/12", "54.221.0.0/16", "54.255.0.0/16", "18.253.0.0/16", "52.94.249.112/28", "13.208.0.0/16", "15.193.7.0/24", "54.156.0.0/14", "54.236.0.0/15", "52.95.249.0/24", "54.244.0.0/16", "52.95.255.128/28", "52.208.0.0/13", "13.228.0.0/15", "52.94.248.96/28", "52.196.0.0/14", "99.77.150.0/24", "52.32.0.0/14", "52.95.252.0/24", "54.222.36.0/22", "52.18.0.0/15", "175.41.192.0/18", "52.94.248.160/28", "54.151.0.0/17", "13.54.0.0/15", "52.95.241.0/24", "99.77.144.0/24", "54.222.52.0/22", "99.80.0.0/15", "52.65.0.0/16", "54.150.0.0/16", "18.200.0.0/16", "54.206.0.0/16", "52.95.255.96/28", "54.226.0.0/15", "162.250.237.0/24", "18.144.0.0/15", "52.90.0.0/15", "52.10.0.0/15", "52.82.164.0/22", "100.24.0.0/13", "54.74.0.0/15", "3.104.0.0/14", "15.193.5.0/24", "52.80.0.0/16", "175.41.128.0/18", "54.216.0.0/15", "54.78.0.0/16", "99.77.139.0/24", "18.190.0.0/16", "52.82.168.0/24", "162.213.232.0/24", "15.188.0.0/16", "54.200.0.0/15", "35.160.0.0/13", "52.48.0.0/14", "99.77.137.0/24", "204.236.128.0/18", "162.213.233.0/24", "13.48.0.0/15", "52.64.0.0/17", "52.95.239.0/24", "35.155.0.0/16", "54.210.0.0/15", "18.163.0.0/16", "54.199.0.0/16", "54.198.0.0/16", "52.20.0.0/14", "52.94.201.0/26", "52.94.248.208/28", "18.142.0.0/15", "46.137.192.0/19", "52.200.0.0/13", "54.222.32.0/22", "52.76.0.0/17", "54.153.128.0/17", "122.248.192.0/18", "54.207.0.0/16", "99.77.145.0/24", "15.200.0.0/16", "35.154.0.0/16", "52.82.0.0/17", "52.94.249.32/28", "54.170.0.0/15", "54.160.0.0/13", "157.175.0.0/16", "176.34.32.0/19", "18.236.0.0/15", "52.94.249.80/28", "46.51.192.0/20", "99.77.149.0/24", "162.250.238.0/23", "35.176.0.0/15", "70.224.192.0/18", "3.24.0.0/14", "35.153.0.0/16", "52.61.0.0/16", "52.79.0.0/16", 
"18.230.0.0/16", "52.58.0.0/15", "52.62.0.0/15", "15.222.0.0/15", "46.51.216.0/21", "52.28.0.0/16", "52.57.0.0/16", "52.70.0.0/15", "52.94.248.0/28", "52.29.0.0/16", "15.236.0.0/15", "99.77.254.0/24", "184.72.0.0/18", "52.95.246.0/24", "15.185.0.0/16", "54.247.0.0/16", "54.248.0.0/15", "52.46.180.0/22", "52.95.227.0/24", "54.68.0.0/14", "54.93.0.0/16", "52.54.0.0/15", "52.95.230.0/24", "18.182.0.0/16", "54.152.0.0/16", "13.112.0.0/14", "52.68.0.0/15", "54.67.0.0/16", "15.177.0.0/18", "18.194.0.0/15", "52.94.249.128/28", "54.184.0.0/13", "3.13.0.0/16", "3.248.0.0/13", "54.92.128.0/17", "99.77.133.0/24", "52.0.0.0/15", "52.82.184.0/23", "52.95.253.0/24", "140.179.0.0/16", "3.5.132.0/23", "13.53.0.0/16", "184.72.128.0/17", "13.58.0.0/15", "54.194.0.0/15", "35.156.0.0/14", "23.20.0.0/14", "52.94.248.80/28", "99.77.143.0/24", "52.95.225.0/24", "18.229.0.0/16", "54.219.0.0/16", "18.204.0.0/14", "35.178.0.0/15", "54.88.0.0/14", "52.12.0.0/15", "52.220.0.0/15", "162.250.236.0/24", "34.240.0.0/13", "52.94.248.16/28", "52.94.249.96/28", "54.253.0.0/16", "52.94.248.128/28", "52.94.248.64/28", "52.95.229.0/24", "54.72.0.0/15", "54.223.0.0/16", "99.77.129.0/24", "79.125.0.0/17", "99.77.134.0/24", "52.88.0.0/15", "52.94.248.32/28", "54.220.0.0/16", "100.20.0.0/14", "3.8.0.0/14", "18.246.0.0/16", "54.204.0.0/15", "216.182.236.0/23", "34.208.0.0/12", "52.15.0.0/16", "18.162.0.0/16", "52.86.0.0/15", "52.44.0.0/15", "52.76.128.0/17", "54.95.0.0/16", "54.212.0.0/15", "18.232.0.0/14", "52.82.169.0/28", "52.47.0.0/16", "52.94.249.144/28", "52.95.255.64/28", "99.77.147.0/24", "162.213.234.0/23", "3.132.0.0/14", "63.32.0.0/14", "52.83.0.0/16", "54.79.0.0/16", "54.251.0.0/16", "18.189.0.0/16", "18.153.0.0/16", "18.202.0.0/15", "18.196.0.0/15", "54.76.0.0/15", "52.95.255.16/28", "13.232.0.0/14", "52.95.243.0/24", "54.174.0.0/15", "50.16.0.0/15", "52.52.0.0/15", "54.233.64.0/18", "35.168.0.0/13", "52.64.128.0/17", "52.95.228.0/24", "54.222.128.0/17", "96.127.0.0/17", "54.148.0.0/15", 
"99.77.130.0/24", "35.182.0.0/15", "99.77.191.0/24", "3.112.0.0/14", "52.95.244.0/24", "3.208.0.0/12", "54.222.64.0/23", "185.48.120.0/22", "18.220.0.0/14", "52.36.0.0/14", "54.94.0.0/16", "18.191.0.0/16", "18.178.0.0/16", "54.202.0.0/15", "34.248.0.0/13", "15.206.0.0/15", "50.18.0.0/16", "52.14.0.0/16", "13.124.0.0/16", "52.94.248.144/28", "52.192.0.0/15", "52.95.255.32/28", "160.1.0.0/16", "13.236.0.0/14", "52.95.226.0/24", "174.129.0.0/16", "13.209.0.0/16", "18.140.0.0/15", "52.60.0.0/16", "52.78.0.0/16", "72.44.32.0/19", "34.224.0.0/12", "52.75.0.0/16", "13.230.0.0/15", "52.94.249.160/28", "54.224.0.0/15", "15.164.0.0/15", "176.34.128.0/17", "52.95.240.0/24", "75.101.128.0/17", "54.178.0.0/16", "108.128.0.0/13", "13.56.0.0/16", "18.184.0.0/15", "3.5.128.0/22", "18.216.0.0/14", "34.192.0.0/12", "54.215.0.0/16", "177.71.128.0/17", "18.175.0.0/16", "54.208.0.0/15", "54.228.0.0/16", "54.229.0.0/16", "18.138.0.0/15", "52.95.255.144/28", "3.120.0.0/14", "52.9.0.0/16", "99.77.141.0/24", "13.244.0.0/15", "52.94.248.48/28", "54.242.0.0/15", "216.182.238.0/23", "35.180.0.0/16", "3.14.0.0/15", "18.228.0.0/16", "52.16.0.0/15", "52.95.242.0/24", "161.189.0.0/16", "13.52.0.0/16", "18.180.0.0/15", "46.137.128.0/18", "52.94.248.176/28", "54.234.0.0/15", "18.188.0.0/16", "46.51.128.0/18", "52.94.249.176/28", "54.153.0.0/17", "52.24.0.0/14", "52.222.0.0/17", "52.94.248.224/28", "52.95.255.48/28", "54.218.0.0/16", "3.124.0.0/14", "52.82.176.0/22", "54.183.0.0/16", "52.95.255.0/28", "54.176.0.0/15", "54.246.0.0/16", "18.231.0.0/16", "54.252.0.0/16", "46.137.224.0/19", "54.144.0.0/14", "54.169.0.0/16", "99.77.136.0/24", "54.66.0.0/16", "52.2.0.0/15", "103.4.8.0/21", "184.72.64.0/18", "15.193.3.0/24", "18.179.0.0/16", "46.51.224.0/19", "54.179.0.0/16", "54.233.0.0/18", "52.8.0.0/16", "52.95.247.0/24", "15.193.0.0/24", "52.66.0.0/16", "204.236.192.0/18", "54.64.0.0/15", "176.34.0.0/19", "52.95.248.0/24", "54.222.58.32/28", "15.193.6.0/24", "18.176.0.0/15", "3.0.0.0/15", 
"52.77.0.0/16", "52.119.205.0/24", "18.224.0.0/14", "52.56.0.0/16", "54.245.0.0/16", "99.77.131.0/24", "52.95.251.0/24", "52.4.0.0/14", "15.193.1.0/24", "52.46.184.0/22", "52.67.0.0/16", "18.201.0.0/16", "54.151.128.0/17", "208.86.88.0/23", "44.224.0.0/11", "52.81.0.0/16", "13.250.0.0/15", "44.192.0.0/11", "3.16.0.0/14", "18.130.0.0/16", "52.72.0.0/15", "52.82.180.0/22", "99.77.148.0/24", "18.136.0.0/16", "50.112.0.0/16", "52.95.255.80/28", "52.95.250.0/24", "50.19.0.0/16", "99.79.0.0/16", "3.130.0.0/16", "13.57.0.0/16", "13.126.0.0/15", "99.77.140.0/24", "54.172.0.0/15", "176.34.64.0/18", "54.233.128.0/17", "205.251.192.0/21", "52.95.110.0/24", "13.124.199.0/24", "144.220.0.0/16", "34.226.14.0/24", "52.124.128.0/17", "54.230.0.0/16", "54.239.128.0/18", "52.82.128.0/19", "99.84.0.0/16", "52.15.127.128/26", "35.158.136.0/24", "52.57.254.0/24", "18.216.170.128/25", "13.52.204.0/23", "13.54.63.128/26", "13.59.250.0/26", "13.210.67.128/26", "35.167.191.128/26", "52.47.139.0/24", "52.199.127.192/26", "52.212.248.0/26", "205.251.192.0/19", "52.66.194.128/26", "54.239.192.0/19", "70.132.0.0/18", "13.32.0.0/15", "13.224.0.0/14", "13.113.203.0/24", "99.79.168.0/23", "34.195.252.0/24", "35.162.63.192/26", "34.223.12.224/27", "13.35.0.0/16", "204.246.172.0/23", "204.246.164.0/22", "52.56.127.0/25", "34.223.80.192/26", "204.246.168.0/22", "13.228.69.0/24", "34.216.51.0/25", "71.152.0.0/17", "216.137.32.0/19", "205.251.249.0/24", "99.86.0.0/16", "52.46.0.0/18", "52.84.0.0/15", "54.233.255.128/26", "130.176.0.0/16", "18.200.212.0/23", "64.252.64.0/18", "52.52.191.128/26", "204.246.174.0/23", "64.252.128.0/18", "205.251.254.0/24", "143.204.0.0/16", "205.251.252.0/23", "52.78.247.128/26", "204.246.176.0/20", "52.220.191.0/26", "13.249.0.0/16", "54.240.128.0/18", "205.251.250.0/23", "52.222.128.0/17", "54.182.0.0/16", "54.192.0.0/16", "34.232.163.208/29", "52.47.73.72/29", "13.55.255.216/29", "52.15.247.208/29", "13.112.191.184/29", "34.250.63.248/29", "52.221.221.128/29", 
"13.127.70.136/29", "52.82.1.0/29", "177.71.207.16/29", "52.61.40.104/29", "13.124.145.16/29", "35.157.127.248/29", "35.182.14.48/29", "13.48.4.192/29", "35.176.92.32/29", "52.43.76.88/29", "18.231.194.8/29", "52.80.198.136/29", "13.56.32.200/29", "34.228.4.208/28", "13.248.106.0/24", "13.248.103.0/24", "13.248.100.0/24", "13.248.99.0/24", "99.82.174.0/24", "13.248.128.0/17", "76.223.0.0/17", "99.82.160.0/24", "13.248.97.0/24", "13.248.113.0/24", "13.248.98.0/24", "99.82.161.0/24", "13.248.116.0/24", "99.82.171.0/24", "13.248.105.0/24", "99.82.162.0/24", "99.82.173.0/24", "99.82.163.0/24", "13.248.114.0/24", "99.82.166.0/24", "75.2.0.0/17", "99.82.175.0/24", "13.248.109.0/24", "13.248.107.0/24", "13.248.104.0/24", "99.82.164.0/24", "99.82.168.0/24", "99.83.128.0/17", "13.248.112.0/24", "99.82.167.0/24", "13.248.101.0/24", "13.248.108.0/24", "99.82.156.0/22", "99.82.172.0/24", "13.248.96.0/24", "99.82.169.0/24", "99.82.165.0/24", "13.248.102.0/24", "99.82.170.0/24", "13.208.170.0/23", "13.234.221.192/26", "13.234.8.0/23", "13.251.113.64/26", "13.251.116.0/23", "13.52.118.0/23", "13.52.146.192/26", "13.53.180.0/23", "18.228.246.0/23", "3.104.82.0/23", "3.112.64.0/23", "3.113.218.0/26", "3.122.128.0/23", "3.123.12.192/26", "3.15.36.64/26", "3.17.136.0/23", "3.227.250.128/25", "3.8.168.0/23", "3.83.168.0/22", "3.91.171.128/25", "34.223.24.0/22", "34.223.45.0/25", "35.180.244.0/23", "54.180.184.0/23", "63.34.60.0/22", "99.79.34.0/23", "99.80.34.128/25", "13.210.2.192/26", "13.236.8.0/25", "18.182.96.64/26", "18.184.2.128/25", "18.233.213.128/25", "18.236.61.0/25", "35.158.127.64/26", "52.55.191.224/27", "54.190.198.32/28", "13.250.186.128/27", "13.250.186.160/27", "18.179.48.128/27", "18.179.48.96/27", "18.184.138.224/27", "18.184.203.128/27", "18.188.9.0/27", "18.188.9.32/27", "34.217.141.224/27", "34.218.119.32/27", "34.245.205.0/27", "34.245.205.64/27", "35.172.155.192/27", "35.172.155.96/27", "13.209.1.56/29", "13.233.177.0/29", "13.239.158.0/29", "13.52.6.112/29", 
"18.202.216.48/29", "18.206.107.24/29", "18.228.70.32/29", "18.237.140.160/29", "3.0.5.32/29", "3.112.23.0/29", "3.120.181.40/29", "3.16.146.0/29", "3.8.37.24/29", "35.180.112.80/29", "35.183.92.176/29", "13.124.247.0/24", "3.217.228.0/22", "35.176.32.0/24", "35.183.255.0/24", "52.19.124.0/23", "52.23.61.0/24", "52.23.62.0/24", "52.59.127.0/24", "52.76.127.0/24", "54.153.254.0/24", "54.233.204.0/24", "54.244.46.0/23", "54.250.251.0/24"]

--------------------------------------------------------------------------------
/policies/conftest.py:
--------------------------------------------------------------------------------
import logging
import os
import uuid

import pandas as pd
import pytest
import yaml

# from output import build_tag
from pybatfish.client.session import Session
from pybatfish.datamodel import AddressGroup, ReferenceBook

BF_NETWORK = os.environ["BF_NETWORK"]
BF_SNAPSHOT = os.environ["BF_SNAPSHOT"]
BF_INIT_SNAPSHOT = os.environ.get("BF_INIT_SNAPSHOT", "yes")

BF_SNAPSHOT_DIR = '{}/'.format(os.environ.get("BF_SNAPSHOT_DIR", "."))
BF_DASHBOARD = os.environ.get("BF_DASHBOARD", "http://localhost:3000/dashboard")

NETWORK_FIXTURES = ['demonet']

ADDRESS_GROUPS_FILE = os.path.join(os.path.dirname(os.path.realpath(__file__)), "address-groups.yml")

####################
# Set pandas options
####################
pd.set_option('display.max_rows', None)
pd.set_option('display.max_columns', None)
pd.set_option('display.width', 1000)

#######################
# Set pybatfish options
#######################
logging.getLogger('pybatfish').setLevel(logging.WARN)


class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
    RESET = '\033[39;49m'


def pytest_addoption(parser):
    parser.addoption("--min-severity", action="store", default=0, type=int,
                     help="Minimal FindIssues severity to care about")


@pytest.fixture(scope="session")
def bf():
    # Prefer a Batfish Enterprise ('bfe') session; fall back to open-source Batfish ('bf').
    try:
        bf = Session.get('bfe')
        os.environ["SESSION_TYPE"] = 'bfe'
    except Exception:
        bf = Session.get('bf')
        os.environ["SESSION_TYPE"] = 'bf'

    session_type = os.environ.get('SESSION_TYPE')

    bf.enable_diagnostics = False
    bf.set_network(BF_NETWORK)
    if BF_INIT_SNAPSHOT == "yes":
        bf.init_snapshot(BF_SNAPSHOT_DIR, name=BF_SNAPSHOT, overwrite=True)
    else:
        bf.set_snapshot(BF_SNAPSHOT)
    if session_type == 'bfe':
        bf.get_node_roles()

    add_address_groups(bf)

    return bf


@pytest.fixture
def min_severity(request):
    return request.config.getoption("--min-severity")


def pytest_report_header(config):
    return [
        bcolors.BOLD + bcolors.OKBLUE + "Running Intentionet CI tests" + bcolors.RESET]


def pytest_terminal_summary(terminalreporter, exitstatus, config):
    if exitstatus != 0 and BF_DASHBOARD is not None:
        url = "{BF_DASHBOARD}/{BF_NETWORK}/{BF_SNAPSHOT}/policies".format(
            BF_DASHBOARD=BF_DASHBOARD, BF_NETWORK=BF_NETWORK, BF_SNAPSHOT=BF_SNAPSHOT)
        terminalreporter.write_line(
            "\n\n"
            + bcolors.BOLD + bcolors.FAIL
            + "There have been failures, explore more using Intentionet Dashboard at {}".format(
                url)
            + " "  # saves URL
        )


def pytest_sessionstart(session):
    os.environ['bf_policy_name'] = session.name


p_id = uuid.uuid4().hex


def pytest_runtest_setup(item):
    # Get test file name; the test_utils helpers read these variables when recording results
    test_file_name = os.path.basename(item.parent.name)
    test_name = item.name
    os.environ['bf_policy_name'] = test_file_name
    os.environ['bf_policy_id'] = p_id
    os.environ['bf_test_name'] = test_name


def subdict(d, keys):
    return {k: d.get(k) for k in keys}


def add_address_groups(bf):
    # Load address groups from address-groups.yml and publish them as the "metadata" reference book
    with open(ADDRESS_GROUPS_FILE, "r") as f:
        groups = yaml.safe_load(f)
    address_groups = [AddressGroup(g["name"], g["addresses"]) for g in groups["metadata"]]
    bf.put_reference_book(ReferenceBook(name="metadata", addressGroups=address_groups))

--------------------------------------------------------------------------------
/policies/test_base.py:
--------------------------------------------------------------------------------
import os
import re

from .test_utils import record_results, TEST_STATUS_FAIL, TEST_STATUS_PASS


def test_no_undefined_refs(bf):
    os.environ['bf_policy_name'] = "Base configuration Hygiene Policies"
    bf.asserts.assert_no_undefined_references()


def test_no_duplicate_ips(bf):
    os.environ['bf_policy_name'] = "Base configuration Hygiene Policies"
    bf.asserts.current_assertion = 'Assert no duplicate IP addresses are configured'

    dup_ips = bf.q.ipOwners(duplicatesOnly=True).answer().frame()

    try:
        assert len(dup_ips.index) == 0
        record_results(bf, status=TEST_STATUS_PASS, message='No duplicate IP addresses present in the network')
    except Exception as e:
        record_results(bf, status=TEST_STATUS_FAIL, message='{} Found duplicate IP address assignment'.format(dup_ips))
        raise e


def test_no_illegal_mtu(bf):
    os.environ['bf_policy_name'] = "Base configuration Hygiene Policies"
    bf.asserts.current_assertion = 'Assert that all MTUs are 1500 bytes'

    ans = bf.q.interfaceProperties(properties="MTU").answer().frame()
    bad_mtu = ans[ans.MTU != 1500]

    try:
        assert len(bad_mtu) == 0
        record_results(bf, status=TEST_STATUS_PASS, message='All interface MTUs are correct')
    except Exception as e:
        record_results(bf, status=TEST_STATUS_FAIL,
                       message='{} Found interfaces with incorrect MTUs'.format(bad_mtu))
        raise e


def _illegal_bandwidth(interface, bandwidth):
    # interfaces like spine[swp23]
    if re.search("^spine", interface.hostname) and re.search(r'^swp\d+$', interface.interface):
        return bandwidth != 1000000000000
    # interfaces like leaf[swp23]
    elif re.search("^leaf", interface.hostname) and re.search(r'^swp\d+$', interface.interface):
        return bandwidth != 10000000000
    # interfaces like swp23s1
    elif re.search(r'^swp\d+s\d+$', interface.interface):
        return bandwidth != 250000000000
    # interfaces like eth0
    elif re.search(r'^eth\d+$', interface.interface):
        return bandwidth != 10000000000
    return False


def test_interface_bandwidth(bf):
    os.environ['bf_policy_name'] = "Base configuration Hygiene Policies"
    bf.asserts.current_assertion = 'Assert that all interface bandwidth are correct'

    ans = bf.q.interfaceProperties(properties="Bandwidth").answer().frame()
    bad_bw = ans[ans.apply(lambda row: _illegal_bandwidth(row['Interface'], row['Bandwidth']), axis=1)]

    try:
        assert len(bad_bw) == 0
        record_results(bf, status=TEST_STATUS_PASS, message='All interface bandwidths are correct')
    except Exception as e:
        record_results(bf, status=TEST_STATUS_FAIL,
                       message='{} Found interfaces with incorrect bandwidths'.format(bad_bw))
        raise e


def _illegal_speed(interface, speed):
    # interfaces like spine[swp23]
    if re.search("^spine", interface.hostname) and re.search(r'^swp\d+$', interface.interface):
        return speed != 1000000000000
    # interfaces like swp23s1
    elif re.search("^spine", interface.hostname) and re.search(r'^swp\d+s\d+$', interface.interface):
        return speed != 250000000000
    return False


def test_interface_speed(bf):
    os.environ['bf_policy_name'] = "Base configuration Hygiene Policies"
    bf.asserts.current_assertion = 'Assert that all interface speeds are correct'

    ans = bf.q.interfaceProperties(properties="Speed").answer().frame()
    bad_speed = ans[ans.apply(lambda row: _illegal_speed(row['Interface'], row['Speed']), axis=1)]

    try:
        assert len(bad_speed) == 0
        record_results(bf, status=TEST_STATUS_PASS, message='All interface speeds are correct')
    except Exception as e:
        record_results(bf, status=TEST_STATUS_FAIL,
                       message='{} Found interfaces with incorrect speeds'.format(bad_speed))
        raise e


def test_proxy_arp(bf):
    os.environ['bf_policy_name'] = "Base configuration Hygiene Policies"
    bf.asserts.current_assertion = 'Assert that proxy ARP is turned off on all interfaces'

    ans = bf.q.interfaceProperties(properties="Proxy_ARP").answer().frame()
    bad_proxy_arp = ans[ans.Proxy_ARP != False]

    try:
        assert len(bad_proxy_arp) == 0
        record_results(bf, status=TEST_STATUS_PASS, message='Proxy ARP is off for all interfaces')
    except Exception as e:
        record_results(bf, status=TEST_STATUS_FAIL,
                       message='{} Found interfaces with incorrect proxy ARP setting'.format(bad_proxy_arp))
        raise e


def test_mask_for_host_subnet(bf):
    os.environ['bf_policy_name'] = "Base configuration Hygiene Policies"
    bf.asserts.current_assertion = 'Assert all host subnets are configured with a /24 netmask'

    # get ipAddress for all VLAN interfaces on all leaf routers
    tip = bf.q.ipOwners().answer().frame()
    leaf_tip = tip[(tip['Node'].str.contains('leaf'))]
    leaf_vlan_tip = tip[(tip['Node'].str.contains('leaf')) & (tip['Interface'].str.contains('vlan'))]
    df = leaf_vlan_tip[leaf_vlan_tip['Mask'] != 24]

    try:
        assert len(df.index) == 0
        record_results(bf, status=TEST_STATUS_PASS, message='All host subnets have correct /24 mask')
    except Exception as e:
        record_results(bf, status=TEST_STATUS_FAIL,
                       message='Host-subnet mask is not /24 on following router-interface pairs:\n{}'.format(
                           df))
        raise e

--------------------------------------------------------------------------------
/policies/test_routing.py:
--------------------------------------------------------------------------------
import os

from netaddr import IPNetwork

from .test_utils import record_results, TEST_STATUS_FAIL, TEST_STATUS_PASS


def test_all_bgp_sessions_up(bf):
    os.environ['bf_policy_name'] = "Routing and Routing Protocol Policies"
    bf.asserts.assert_no_unestablished_bgp_sessions()


def test_no_ibgp_sessions(bf):
    os.environ['bf_policy_name'] = "Routing and Routing Protocol Policies"
    bf.asserts.current_assertion = 'Assert no iBGP sessions configured in the fabric'

    ibgp_sessions = bf.q.bgpSessionCompatibility(type='/IBGP.*/').answer().frame()[['Node', 'Local_AS', 'Remote_Node', 'Remote_AS']]

    try:
        assert len(ibgp_sessions.index) == 0
        record_results(bf, status=TEST_STATUS_PASS, message='All routers only have eBGP sessions')
    except Exception as e:
        record_results(bf, status=TEST_STATUS_FAIL,
                       message='Routers with iBGP sessions:\n{}'.format(ibgp_sessions))
        raise e


def test_no_forwarding_loops(bf):
    os.environ['bf_policy_name'] = "Routing and Routing Protocol Policies"
    bf.asserts.assert_no_forwarding_loops()


def test_no_duplicate_bgp_asn(bf):
    os.environ['bf_policy_name'] = "Routing and Routing Protocol Policies"
    bf.asserts.current_assertion = 'Assert all routers have an unique BGP ASN'

    bgpProc = bf.q.bgpPeerConfiguration(properties='/Local_AS/').answer().frame()
    asn_list = set(bgpProc.Local_AS)

    # an ASN is a duplicate when more than one node announces it as its Local_AS
    dup_asn_list = []
    found_dup_asn = False
    for asn in asn_list:
        nodes = bgpProc[bgpProc['Local_AS'] == asn]
        node_set = set(nodes['Node'])
        if len(node_set) != 1:
            t_dict = {'BGP_AS': asn, 'Nodes': node_set}
            dup_asn_list.append(t_dict)
            found_dup_asn = True

    try:
        assert not found_dup_asn
        record_results(bf, status=TEST_STATUS_PASS, message='All routers have a unique BGP ASN')
    except Exception as e:
        record_results(bf, status=TEST_STATUS_FAIL,
                       message='Routers with duplicate BGP ASNs:\n{}'.format(dup_asn_list))
        raise e


def test_all_leaf_have_route_for_all_host_subnets(bf):
    os.environ['bf_policy_name'] = "Routing and Routing Protocol Policies"
    bf.asserts.current_assertion = 'Assert all leaf routers have routes to host subnets'

    # get ipAddress for all VLAN interfaces on all leaf routers
    tip = bf.q.ipOwners().answer().frame()
    leaf_tip = tip[(tip['Node'].str.contains('leaf'))]
    leaf_vlan_tip = tip[(tip['Node'].str.contains('leaf')) & (tip['Interface'].str.contains('vlan'))]

    # convert to subnet
    subnet = []
    for vlan in leaf_vlan_tip.itertuples():
        t_net = "{}/{}".format(vlan.IP, vlan.Mask)
        z = IPNetwork(t_net)
        subnet.append(str(z.cidr))

    # get list of leaf routers in snapshot and get routes for default VRF for all leaf routers
    leaf_list = list(bf.q.nodeProperties(nodes="/leaf.*/", properties='Hostname').answer().frame()['Node'])
    leaf_routes = bf.q.routes(nodes='/leaf.*/', vrfs='default').answer().frame()

    # identify leaf routers that are missing subnets for VLAN interfaces
    missing_leaf = []
    for leaf in leaf_list:
        t_routes = set(leaf_routes[leaf_routes['Node'] == leaf]['Network'])
        t_list = [item for item in set(subnet) if item not in t_routes]
        if len(t_list) != 0:
            missing_leaf.append(leaf)
            print(leaf)

    try:
        assert len(missing_leaf) == 0
        record_results(bf, status=TEST_STATUS_PASS, message='All host subnets are present on all leaf routers')
    except Exception as e:
        record_results(bf, status=TEST_STATUS_FAIL,
                       message='{} are 
missing some host subnets'.format(missing_leaf)) 90 | raise e 91 | 92 | def test_no_duplicate_router_ids(bf): 93 | os.environ['bf_policy_name'] = "Routing and Routing Protocol Policies" 94 | bf.asserts.current_assertion = 'Assert all routers have an unique router-id' 95 | 96 | bgpProc = bf.q.bgpProcessConfiguration(properties='/^Route.*/').answer().frame() 97 | rtr_id_map = bgpProc[['Node', 'Router_ID']] 98 | 99 | dup_rtr_id_df = rtr_id_map[rtr_id_map.duplicated(['Router_ID'], keep=False)] 100 | 101 | try: 102 | assert len(dup_rtr_id_df.index)==0 103 | record_results(bf, status=TEST_STATUS_PASS, message='All routers have a unique router-id') 104 | except Exception as e: 105 | record_results(bf, status=TEST_STATUS_FAIL, 106 | message='Routers with duplicate router-ids:\n{}'.format(dup_rtr_id_df)) 107 | raise e 108 | 109 | def test_leaf_spine_bgp_peers(bf): 110 | os.environ['bf_policy_name'] = "Routing and Routing Protocol Policies" 111 | bf.asserts.current_assertion = 'Assert all leaf routers have configured BGP session for all spine routers' 112 | 113 | num_spines = 4 114 | bad_leaf = [] 115 | bgpPeer = bf.q.bgpPeerConfiguration(nodes='/leaf.*/', properties='/Local_IP/').answer().frame() 116 | nodes_list = set(bgpPeer['Node']) 117 | 118 | for node in nodes_list: 119 | if len(bgpPeer[bgpPeer['Node']==node]) != num_spines: 120 | bad_leaf.append(node) 121 | 122 | try: 123 | assert len(bad_leaf)==0 124 | record_results(bf, status=TEST_STATUS_PASS, message='All leaf routers have BGP sessions configured for each spine') 125 | except Exception as e: 126 | record_results(bf, status=TEST_STATUS_FAIL, 127 | message='Leaf routers that do not have configred BGP sessions to ALL spines:\n{}'.format(bad_leaf)) 128 | raise e -------------------------------------------------------------------------------- /policies/test_utils.py: -------------------------------------------------------------------------------- 1 | import os 2 | 3 | try: 4 | from pybfe.datamodel.policy import ( 5 | 
STATUS_FAIL, STATUS_PASS 6 | ) 7 | TEST_STATUS_FAIL = STATUS_FAIL 8 | TEST_STATUS_PASS = STATUS_PASS 9 | except: 10 | TEST_STATUS_PASS = u"Pass" 11 | TEST_STATUS_FAIL = u"Fail" 12 | 13 | 14 | def record_results(bf, status, message): 15 | 16 | session_type = os.environ.get('SESSION_TYPE') 17 | 18 | if session_type == 'bfe': 19 | if status == TEST_STATUS_PASS: 20 | bf.asserts._record_result(True, status=STATUS_PASS, 21 | message=message) 22 | elif status == TEST_STATUS_FAIL: 23 | bf.asserts._record_result(False, status=STATUS_FAIL, 24 | message=message) 25 | else: 26 | raise Exception 27 | 28 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | netaddr 2 | GitPython 3 | virtualenv 4 | -------------------------------------------------------------------------------- /setup-gitlab-repo.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -ex 3 | 4 | # check that both Git URLs are defined 5 | if [ ! 
-n "${GIT_TEMPLATE}" ]; then 6 | echo Error: Environment variable GIT_TEMPLATE is not defined; 7 | exit 1; 8 | fi 9 | 10 | # set up the template repo 11 | TEMPLATE_TMP_DIR=template.tmp 12 | rm -rf ${TEMPLATE_TMP_DIR} 13 | 14 | git clone ${GIT_TEMPLATE} ${TEMPLATE_TMP_DIR} 15 | 16 | ### clear existing files 17 | pushd ${TEMPLATE_TMP_DIR} 18 | git rm -r * 19 | popd 20 | 21 | ### create the pipeline and requirements.txt file 22 | cp template.gitlab-ci.yml "${TEMPLATE_TMP_DIR}"/.gitlab-ci.yml 23 | cp template.requirements.txt "${TEMPLATE_TMP_DIR}"/requirements.txt 24 | 25 | ### copy other files that should be in the template repo 26 | cp -r policies "${TEMPLATE_TMP_DIR}"/policies 27 | cp -r ansible-policies "${TEMPLATE_TMP_DIR}"/ansible-policies 28 | cp -r code "${TEMPLATE_TMP_DIR}"/code 29 | cp -r playbooks "${TEMPLATE_TMP_DIR}"/playbooks 30 | cp -r inputs "${TEMPLATE_TMP_DIR}"/inputs 31 | cp -r templates "${TEMPLATE_TMP_DIR}"/templates 32 | cp -r batfish "${TEMPLATE_TMP_DIR}"/batfish 33 | 34 | 35 | ### add files to git 36 | pushd ${TEMPLATE_TMP_DIR} 37 | git add .gitlab-ci.yml * 38 | git commit --allow-empty -am "baseline commit" 39 | git push --force 40 | popd 41 | 42 | -------------------------------------------------------------------------------- /template.gitlab-ci.yml: -------------------------------------------------------------------------------- 1 | variables: 2 | BF_GIT_FILE: ".bfgit" 3 | BF_NETWORK: "af19-demonet" 4 | bf_policy_ci_url: ${CI_JOB_URL} 5 | BF_SNAPSHOT_DIR: "snapshot" 6 | # Change pip's cache directory to be inside the project directory since we can 7 | # only cache local items. 8 | PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip" 9 | 10 | stages: 11 | - build 12 | - test 13 | 14 | # Pip's cache doesn't store the python packages 15 | # https://pip.pypa.io/en/stable/reference/pip_install/#caching 16 | # 17 | # If you want to also cache the installed packages, you have to install 18 | # them in a virtualenv and cache it as well. 
19 | cache: 20 | paths: 21 | - .cache/pip 22 | - venv/ 23 | 24 | before_script: 25 | - python -V # Print out python version for debugging 26 | - virtualenv -p python3 venv 27 | - source venv/bin/activate 28 | - pip install -r requirements.txt 29 | - ansible-galaxy install --force batfish.base 30 | 31 | config_gen: 32 | stage: build 33 | script: 34 | - mkdir "${BF_SNAPSHOT_DIR}" 35 | 36 | # generate ansible inventory 37 | - python3 code/gen_inventory.py 38 | 39 | # generate firewall policy 40 | - python3 code/acl_gen.py -n inputs/firewall/network.net -s inputs/firewall/services.svc -p inputs/firewall/fwl_in_out.yml -f yaml > templates/fwl_zone_config_h.j2 41 | - python3 code/acl_gen.py -n inputs/firewall/network.net -s inputs/firewall/services.svc -p inputs/firewall/fwl_out_in.yml -f yaml >> templates/fwl_zone_config_h.j2 42 | 43 | # generate device configurations (Python) 44 | - python3 code/gen_configs.py 45 | 46 | ### copy other files that are needed needed for analysis 47 | - cp -r batfish "${BF_SNAPSHOT_DIR}" 48 | 49 | artifacts: 50 | paths: 51 | - ${BF_SNAPSHOT_DIR} 52 | expire_in: 1 week 53 | 54 | policy_eval: 55 | stage: test 56 | dependencies: 57 | - config_gen 58 | script: 59 | ## policy eval 60 | - if [ -f "${BF_GIT_FILE}" ]; 61 | then 62 | export BF_SNAPSHOT=`cat "${BF_GIT_FILE}"`; 63 | export BF_INIT_SNAPSHOT="no"; 64 | else 65 | export BF_SNAPSHOT=${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHORT_SHA}; 66 | export BF_INIT_SNAPSHOT="yes"; 67 | fi 68 | - echo ${BF_SNAPSHOT} ${BF_INIT_SNAPSHOT} 69 | - exit_code_pytest=0 70 | - exit_code_ansible=0 71 | - pytest policies || eval "exit_code_pytest=\$?" 72 | - ansible-playbook -i ansible-policies/inventory ansible-policies/reachability.yml || eval "exit_code_ansible=\$?" 73 | - ansible-playbook -i ansible-policies/inventory ansible-policies/internal_protection.yml || eval "exit_code_ansible=\$?" 
74 | - ansible-playbook -i ansible-policies/inventory ansible-policies/internal_protection_tcp.yml || eval "exit_code_ansible=\$?" 75 | - echo $exit_code_ansible $exit_code_pytest 76 | - eval "[[ ${exit_code_pytest} == 0 && ${exit_code_ansible} == 0 ]]" 77 | -------------------------------------------------------------------------------- /template.requirements.txt: -------------------------------------------------------------------------------- 1 | # change to pybfe for Batfish Enterprise 2 | pybatfish 3 | jinja2 4 | capirca 5 | pyyaml 6 | pytest 7 | netaddr 8 | ansible -------------------------------------------------------------------------------- /templates/border_config.j2: -------------------------------------------------------------------------------- 1 | ####BATFISH FLATTENED JUNIPER CONFIG#### 2 | set system host-name {{ hostname }} 3 | set system time-zone UTC 4 | set system services ssh root-login deny 5 | set system services netconf ssh 6 | set system commit synchronize 7 | set chassis redundancy failover on-loss-of-keepalives 8 | set chassis redundancy failover on-disk-failure 9 | set chassis redundancy graceful-switchover 10 | set chassis aggregated-devices ethernet device-count 64 11 | set chassis network-services enhanced-ethernet 12 | 13 | set interfaces xe-1/0/3 unit 0 description "[type=UL, nbr=FWL:??]" 14 | set interfaces xe-1/0/3 gigether-options 802.3ad ae1 15 | 16 | set interfaces xe-2/0/3 unit 0 description "[type=UL, nbr=FWL:??]" 17 | set interfaces xe-2/0/3 gigether-options 802.3ad ae1 18 | 19 | set interfaces xe-1/2/0 unit 0 description "[type=ISP]" 20 | set interfaces xe-1/2/0 unit 0 family inet filter input ISP-INBOUND 21 | set interfaces xe-1/2/0 unit 0 family inet address {{ports.isp.address}} 22 | 23 | set interfaces ae1 description "[type=UL, nbr=FWL01:??]" 24 | set interfaces ae1 enable 25 | set interfaces ae1 aggregated-ether-options minimum-links 1 26 | set interfaces ae1 aggregated-ether-options lacp active 27 | set interfaces 
ae1 unit 0 description "[type=UL, nbr=FWL01:??]" 28 | set interfaces ae1 unit 0 family inet address {{ports.fwl01.address}} 29 | 30 | set interfaces lo0 unit 0 description "[type=LO]" 31 | set interfaces lo0 unit 0 family inet address {{loopback.address}}/32 32 | set routing-options router-id {{loopback.address}} 33 | set routing-options autonomous-system {{ bgp_as }} 34 | set protocols bgp path-selection always-compare-med 35 | set protocols bgp advertise-inactive 36 | set protocols bgp log-updown 37 | 38 | set protocols bgp group ISP type external 39 | set protocols bgp group ISP description "ISP-A" 40 | set protocols bgp group ISP hold-time 60 41 | set protocols bgp group ISP import IMPORT-PROVIDER-GENERIC 42 | set protocols bgp group ISP export EXPORT-PROVIDER-GENERIC 43 | set protocols bgp group ISP peer-as {{ ports.isp.bgp_as }} 44 | set protocols bgp group ISP local-as {{ bgp_as }} 45 | set protocols bgp group ISP neighbor {{ ports.isp.remote_address }} 46 | 47 | set protocols bgp group FWL type external 48 | set protocols bgp group FWL description "FWL" 49 | set protocols bgp group FWL import IMPORT-FWL 50 | set protocols bgp group FWL export NEXT-HOP-SELF 51 | set protocols bgp group FWL export SEND-DEFAULT 52 | set protocols bgp group FWL peer-as {{ ports.fwl01.bgp_as }} 53 | set protocols bgp group FWL local-as {{ bgp_as }} 54 | set protocols bgp group FWL neighbor {{ ports.fwl01.remote_address }} 55 | 56 | set policy-options prefix-list DEFAULT-GATEWAY 0.0.0.0/0 57 | set policy-options prefix-list MARTIANS 0.0.0.0/8 58 | set policy-options prefix-list MARTIANS 127.0.0.0/8 59 | set policy-options prefix-list MARTIANS 169.254.0.0/16 60 | #set policy-options prefix-list MARTIANS 192.0.2.0/24 61 | #set policy-options prefix-list MARTIANS 224.0.0.0/3 62 | set policy-options prefix-list MALICIOUS-SOURCES 52.15.165.117/32 63 | set policy-options prefix-list MALICIOUS-SOURCES 78.93.180.80/32 64 | set policy-options prefix-list MALICIOUS-SOURCES 
109.235.246.70/32 65 | set policy-options prefix-list MALICIOUS-SOURCES 190.210.230.78/32 66 | set policy-options prefix-list MALICIOUS-SOURCES 194.27.18.18/32 67 | set policy-options prefix-list MALICIOUS-SOURCES 201.216.233.13/32 68 | set policy-options prefix-list MALICIOUS-DESTINATIONS 69 | set policy-options prefix-list RFC1918 10.0.0.0/8 70 | set policy-options prefix-list RFC1918 172.16.0.0/12 71 | set policy-options prefix-list RFC1918 192.168.0.0/16 72 | set policy-options prefix-list LOOPBACKS 10.1.0.0/16 73 | 74 | set policy-options prefix-list ADVERTISE-TO-PROVIDERS 10.100.0.0/16 75 | set policy-options prefix-list ADVERTISE-TO-PROVIDERS 10.200.0.0/16 76 | 77 | set policy-options prefix-list FABRIC_SPACE 10.100.0.0/16 78 | set policy-options prefix-list FABRIC_SPACE 10.200.0.0/16 79 | set policy-options prefix-list SSH_HOST 10.100.56.100/32 80 | set policy-options prefix-list SSH_HOST 10.100.58.100/32 81 | 82 | set policy-options prefix-list BGP-IP4-PEERS apply-path "protocols bgp group <*> neighbor <*.*>" 83 | 84 | set policy-options policy-statement IMPORT-PROVIDER-GENERIC term BLOCK-RFC1918 from prefix-list-filter RFC1918 orlonger 85 | set policy-options policy-statement IMPORT-PROVIDER-GENERIC term BLOCK-RFC1918 then reject 86 | set policy-options policy-statement IMPORT-PROVIDER-GENERIC term BLOCK-MARTIANS from prefix-list-filter MARTIANS orlonger 87 | set policy-options policy-statement IMPORT-PROVIDER-GENERIC term BLOCK-MARTIANS then reject 88 | set policy-options policy-statement IMPORT-PROVIDER-GENERIC term BASELINE then metric 200 89 | set policy-options policy-statement IMPORT-PROVIDER-GENERIC term BASELINE then local-preference 200 90 | set policy-options policy-statement IMPORT-PROVIDER-GENERIC term BASELINE then origin igp 91 | set policy-options policy-statement IMPORT-PROVIDER-GENERIC term BASELINE then accept 92 | 93 | set policy-options policy-statement EXPORT-PROVIDER-GENERIC term BASELINE then origin igp 94 | set policy-options 
policy-statement EXPORT-PROVIDER-GENERIC term BASELINE then next term 95 | set policy-options policy-statement EXPORT-PROVIDER-GENERIC term PERMIT from prefix-list ADVERTISE-TO-PROVIDERS 96 | set policy-options policy-statement EXPORT-PROVIDER-GENERIC term PERMIT then accept 97 | set policy-options policy-statement EXPORT-PROVIDER-GENERIC term BLOCK-RFC1918 from prefix-list-filter RFC1918 orlonger 98 | set policy-options policy-statement EXPORT-PROVIDER-GENERIC term BLOCK-RFC1918 then reject 99 | set policy-options policy-statement EXPORT-PROVIDER-GENERIC term BLOCK-MARTIANS from prefix-list-filter MARTIANS orlonger 100 | set policy-options policy-statement EXPORT-PROVIDER-GENERIC term BLOCK-MARTIANS then reject 101 | set policy-options policy-statement EXPORT-PROVIDER-GENERIC term REJECT then reject 102 | 103 | set policy-options policy-statement NEXT-HOP-SELF term NHS then next-hop self 104 | set policy-options policy-statement NEXT-HOP-SELF term NHS then next policy 105 | 106 | set policy-options policy-statement SEND-DEFAULT term SEND-DEFAULT from route-filter 0.0.0.0/0 exact 107 | set policy-options policy-statement SEND-DEFAULT term SEND-DEFAULT then accept 108 | set policy-options policy-statement SEND-DEFAULT term REJECT then reject 109 | 110 | set policy-options policy-statement IMPORT-FWL term ACCEPT-FABRIC from protocol bgp 111 | set policy-options policy-statement IMPORT-FWL term ACCEPT-FABRIC from prefix-list-filter FABRIC_SPACE orlonger 112 | set policy-options policy-statement IMPORT-FWL term ACCEPT-FABRIC then accept 113 | set policy-options policy-statement IMPORT-FWL term DENY then reject 114 | 115 | 116 | set firewall family inet filter ISP-INBOUND term BLOCK-MALICIOUS-SOURCES from source-prefix-list MALICIOUS-SOURCES 117 | set firewall family inet filter ISP-INBOUND term BLOCK-MALICIOUS-SOURCES then discard 118 | set firewall family inet filter ISP-INBOUND term BLOCK-MALICIOUS-DESTINATIONS from source-prefix-list MALICIOUS-DESTINATIONS 119 | set 
firewall family inet filter ISP-INBOUND term BLOCK-MALICIOUS-DESTINATIONS then discard 120 | set firewall family inet filter ISP-INBOUND term BLOCK-RFC3330 from source-prefix-list MARTIANS 121 | set firewall family inet filter ISP-INBOUND term BLOCK-RFC3330 then count COUNTER-RFC3330 122 | set firewall family inet filter ISP-INBOUND term BLOCK-RFC3330 then discard 123 | set firewall family inet filter ISP-INBOUND term BLOCK-RFC1918 from source-prefix-list RFC1918 124 | set firewall family inet filter ISP-INBOUND term BLOCK-RFC1918 then count COUNTER-RFC1918 125 | set firewall family inet filter ISP-INBOUND term BLOCK-RFC1918 then discard 126 | set firewall family inet filter ISP-INBOUND term BLOCK-SPOOFED-TRAFFIC from source-prefix-list FABRIC_SPACE 127 | set firewall family inet filter ISP-INBOUND term BLOCK-SPOOFED-TRAFFIC then count COUNTER-SPOOFED-TRAFFIC 128 | set firewall family inet filter ISP-INBOUND term BLOCK-SPOOFED-TRAFFIC then discard 129 | set firewall family inet filter ISP-INBOUND term ALLOW-BGP-IN from source-prefix-list BGP-IP4-PEERS 130 | set firewall family inet filter ISP-INBOUND term ALLOW-BGP-IN from protocol tcp 131 | set firewall family inet filter ISP-INBOUND term ALLOW-BGP-IN from port bgp 132 | set firewall family inet filter ISP-INBOUND term ALLOW-BGP-IN then accept 133 | set firewall family inet filter ISP-INBOUND term DENY-BGP-IN from protocol tcp 134 | set firewall family inet filter ISP-INBOUND term DENY-BGP-IN from port bgp 135 | set firewall family inet filter ISP-INBOUND term DENY-BGP-IN then accept 136 | set firewall family inet filter ISP-INBOUND term ALLOW-ICMP from protocol icmp 137 | set firewall family inet filter ISP-INBOUND term ALLOW-ICMP from icmp-type 0 138 | set firewall family inet filter ISP-INBOUND term ALLOW-ICMP from icmp-type 3 139 | set firewall family inet filter ISP-INBOUND term ALLOW-ICMP from icmp-type 8 140 | set firewall family inet filter ISP-INBOUND term ALLOW-ICMP from icmp-type 11 141 | set firewall 
family inet filter ISP-INBOUND term ALLOW-ICMP then policer ICMP-POLICER 142 | set firewall family inet filter ISP-INBOUND term ALLOW-ICMP then accept 143 | set firewall family inet filter ISP-INBOUND term PERMIT-DNS-TO-PUBLIC-DNS from protocol udp 144 | set firewall family inet filter ISP-INBOUND term PERMIT-DNS-TO-PUBLIC-DNS from source-port 53 145 | set firewall family inet filter ISP-INBOUND term PERMIT-DNS-TO-PUBLIC-DNS then accept 146 | set firewall family inet filter ISP-INBOUND term PERMIT-TCP-ESTABLISHED from destination-prefix-list FABRIC_SPACE 147 | set firewall family inet filter ISP-INBOUND term PERMIT-TCP-ESTABLISHED from protocol tcp 148 | set firewall family inet filter ISP-INBOUND term PERMIT-TCP-ESTABLISHED from tcp-established 149 | set firewall family inet filter ISP-INBOUND term PERMIT-TCP-ESTABLISHED then accept 150 | set firewall family inet filter ISP-INBOUND term PERMIT-HTTPS from protocol tcp 151 | set firewall family inet filter ISP-INBOUND term PERMIT-HTTPS from destination-port 443 152 | set firewall family inet filter ISP-INBOUND term PERMIT-HTTPS then accept 153 | set firewall family inet filter ISP-INBOUND term PERMIT-SSH-JUMPHOST from protocol tcp 154 | set firewall family inet filter ISP-INBOUND term PERMIT-SSH-JUMPHOST from destination-port 22 155 | set firewall family inet filter ISP-INBOUND term PERMIT-SSH-JUMPHOST from destination-prefix-list SSH_HOST 156 | set firewall family inet filter ISP-INBOUND term PERMIT-SSH-JUMPHOST then accept 157 | set firewall family inet filter ISP-INBOUND term DISCARD-UNEXPECTED-UDP from protocol udp 158 | set firewall family inet filter ISP-INBOUND term DISCARD-UNEXPECTED-UDP then count COUNTER-UNEXPECTED-UDP 159 | set firewall family inet filter ISP-INBOUND term DISCARD-UNEXPECTED-UDP then discard 160 | set firewall policer UDP-POLICER if-exceeding bandwidth-limit 20m 161 | set firewall policer UDP-POLICER if-exceeding burst-size-limit 30m 162 | set firewall policer UDP-POLICER then discard 163 
| set firewall policer ICMP-POLICER if-exceeding bandwidth-limit 5m 164 | set firewall policer ICMP-POLICER if-exceeding burst-size-limit 10m 165 | set firewall policer ICMP-POLICER then discard 166 | -------------------------------------------------------------------------------- /templates/border_leaf_frr.j2: -------------------------------------------------------------------------------- 1 | 2 | ### start of frr.conf 3 | frr version 4 | 5 | agentx 6 | frr defaults datacenter 7 | hostname {{hostname}} 8 | username cumulus nopassword 9 | ! 10 | service integrated-vtysh-config 11 | ! 12 | log syslog informational 13 | ! 14 | 15 | router bgp {{ bgp_as }} 16 | bgp router-id {{ loopback['address'] }} 17 | bgp bestpath as-path multipath-relax 18 | neighbor Fabric peer-group 19 | neighbor Fabric remote-as external 20 | {% for port in range(1,5) %} 21 | neighbor swp{{ port }} interface peer-group Fabric 22 | {% endfor %} 23 | {% for port in ports %} 24 | neighbor {{ port.remote_address }} peer-group Fabric 25 | {% endfor %} 26 | {% for port in range(6,17) %} 27 | neighbor swp{{ port }} interface peer-group Fabric 28 | {% endfor %} 29 | 30 | ! 31 | address-family ipv4 unicast 32 | network {{loopback.address}}/32 33 | redistribute connected route-map LOOPBACK 34 | exit-address-family 35 | ! 36 | 37 | route-map LOOPBACK permit 1 38 | match interface lo 39 | ! 40 | line vty 41 | ! 
42 | 43 | !### end frr.conf -------------------------------------------------------------------------------- /templates/border_leaf_interfaces.j2: -------------------------------------------------------------------------------- 1 | {{hostname}} 2 | 3 | # This file describes the network interfaces 4 | 5 | auto lo 6 | iface lo inet loopback 7 | address {{ loopback['address'] }}/32 8 | 9 | auto eth0 10 | iface eth0 11 | address {{ mgmt['address'] }} 12 | gateway {{ mgmt['gateway'] }} 13 | vrf mgmt 14 | 15 | auto mgmt 16 | iface mgmt 17 | vrf-table auto 18 | 19 | {% for port in range(1,5) %} 20 | auto swp{{ port }} 21 | iface swp{{ port }} 22 | 23 | {% endfor %} 24 | 25 | {% for port in ports %} 26 | auto {{ port.name }} 27 | iface {{ port.name }} 28 | address {{ port.address }} 29 | alias {{ port.alias }} 30 | {% endfor %} 31 | 32 | {% for port in range(6,17) %} 33 | auto swp{{ port }} 34 | iface swp{{ port }} 35 | 36 | {% endfor %} 37 | 38 | ### end /etc/network/interfaces 39 | -------------------------------------------------------------------------------- /templates/border_leaf_ports_conf.j2: -------------------------------------------------------------------------------- 1 | 2 | # ports.conf -- 3 | -------------------------------------------------------------------------------- /templates/fwl_base_config_h.j2: -------------------------------------------------------------------------------- 1 | version 12.1X46-D35.1; 2 | groups { 3 | node0 { 4 | system { 5 | host-name fwl01; 6 | syslog { 7 | source-address {{ mgmt.address }}; 8 | } 9 | ntp { 10 | source-address {{ mgmt.address }}; 11 | } 12 | } 13 | interfaces { 14 | fxp0 { 15 | unit 0 { 16 | family inet { 17 | address {{ mgmt.address }}; 18 | } 19 | } 20 | } 21 | } 22 | } 23 | } 24 | apply-groups "${node}"; 25 | system { 26 | time-zone UTC; 27 | services { 28 | ssh { 29 | root-login deny; 30 | } 31 | netconf { 32 | ssh; 33 | } 34 | web-management { 35 | http { 36 | interface fxp0.0; 37 | } 38 | } 39 | } 40 | 
syslog { 41 | user * { 42 | any emergency; 43 | } 44 | file messages { 45 | any any; 46 | authorization info; 47 | } 48 | file interactive-commands { 49 | interactive-commands any; 50 | } 51 | } 52 | } 53 | chassis { 54 | cluster { 55 | reth-count 4; 56 | redundancy-group 0 { 57 | node 0 priority 150; 58 | node 1 priority 100; 59 | } 60 | redundancy-group 1 { 61 | node 0 priority 150; 62 | node 1 priority 100; 63 | hold-down-interval 300; 64 | } 65 | redundancy-group 2 { 66 | node 0 priority 150; 67 | node 1 priority 100; 68 | hold-down-interval 10; 69 | } 70 | redundancy-group 3 { 71 | node 0 priority 150; 72 | node 1 priority 100; 73 | hold-down-interval 300; 74 | } 75 | redundancy-group 4 { 76 | node 0 priority 150; 77 | node 1 priority 100; 78 | hold-down-interval 10; 79 | } 80 | } 81 | } 82 | security { 83 | address-book { 84 | global { 85 | address GBL_RFC1918-10 10.0.0.0/8; 86 | } 87 | } 88 | screen { 89 | ids-option ATTACK-SCREEN { 90 | alarm-without-drop; 91 | icmp { 92 | ip-sweep threshold 4000; 93 | large; 94 | flood threshold 1000; 95 | ping-death; 96 | } 97 | ip { 98 | bad-option; 99 | record-route-option; 100 | timestamp-option; 101 | spoofing; 102 | source-route-option; 103 | loose-source-route-option; 104 | strict-source-route-option; 105 | unknown-protocol; 106 | tear-drop; 107 | } 108 | tcp { 109 | syn-fin; 110 | tcp-no-flag; 111 | port-scan threshold 3000; 112 | syn-flood { 113 | alarm-threshold 2000; 114 | attack-threshold 5000; 115 | source-threshold 2000; 116 | destination-threshold 5000; 117 | timeout 5; 118 | } 119 | land; 120 | winnuke; 121 | tcp-sweep threshold 3000; 122 | } 123 | udp { 124 | flood threshold 2000; 125 | udp-sweep threshold 1000; 126 | } 127 | limit-session { 128 | source-ip-based 20000; 129 | } 130 | } 131 | } 132 | policies { 133 | from-zone INSIDE to-zone SELF { 134 | policy PERMIT-SSH { 135 | match { 136 | source-address GBL_RFC1918-10; 137 | destination-address any; 138 | application junos-ssh; 139 | } 140 | then { 141 
                    permit;
                }
            }
            policy PERMIT-ICMP {
                match {
                    source-address GBL_RFC1918-10;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    permit;
                }
            }
            policy DENY-INSIDE-SELF {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        global {
            policy DENY-ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
    zones {
        security-zone SELF {
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                    snmp;
                }
            }
            interfaces {
                lo0.0;
            }
        }
        security-zone OUTSIDE {
            tcp-rst;
            screen ATTACK-SCREEN;
            host-inbound-traffic {
                system-services {
                    ping;
                }
                protocols {
                    bgp;
                }
            }
            interfaces {
                reth2.0;
                reth3.0;
            }
        }
        security-zone INSIDE {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    ping;
                }
                protocols {
                    ospf;
                }
            }
            interfaces {
                reth0.0;
                reth1.0;
            }
        }
    }
}
interfaces {
    xe-1/0/0 {
        description "[type=UL, nbr=BL01:??]";
        gigether-options {
            redundant-parent reth0;
        }
    }
    xe-1/0/1 {
        description "[type=UL, nbr=BL02:??]";
        gigether-options {
            redundant-parent reth1;
        }
    }
    xe-2/0/0 {
        description "[type=UL, nbr=BOR01:??]";
        gigether-options {
            redundant-parent reth2;
        }
    }
    xe-2/0/1 {
        description "[type=UL, nbr=BOR02:??]";
        gigether-options {
            redundant-parent reth3;
        }
    }
    xe-9/0/0 {
        description "[type=UL, nbr=BL01:??]";
        gigether-options {
            redundant-parent reth0;
        }
    }
    xe-9/0/1 {
        description "[type=UL, nbr=BL02:??]";
        gigether-options {
            redundant-parent reth1;
        }
    }
    xe-10/0/0 {
        description "[type=UL, nbr=BOR01:??]";
        gigether-options {
            redundant-parent reth2;
        }
    }
    xe-10/0/1 {
        description "[type=UL, nbr=BOR02:??]";
        gigether-options {
            redundant-parent reth3;
        }
    }
    fxp0 {
        enable;
        speed 100m;
        unit 0;
    }
    lo0 {
        description "[type=LO]";
        unit 0 {
            description "[type=LO]";
            family inet {
                address {{ loopback.address }}/32;
            }
        }
    }
    reth0 {
        description "[nbr=BL01:??]";
        redundant-ether-options {
            redundancy-group 1;
            lacp {
                active;
            }
        }
        unit 0 {
            description "[nbr=BL01:??] FWL-INSIDE";
            family inet {
                address {{ ports.bl01.address }};
            }
        }
    }
    reth1 {
        description "[nbr=BL02:??]";
        redundant-ether-options {
            redundancy-group 2;
            lacp {
                active;
            }
        }
        unit 0 {
            description "[nbr=BL02:??] FWL-INSIDE";
            family inet {
                address {{ ports.bl02.address }};
            }
        }
    }
    reth2 {
        description "[nbr=BOR01:??]";
        redundant-ether-options {
            redundancy-group 3;
            lacp {
                active;
            }
        }
        unit 0 {
            description "[nbr=BOR01:??] FWL-OUTSIDE";
            family inet {
                address {{ ports.bor01.address }};
            }
        }
    }
    reth3 {
        description "[nbr=BOR02:??]";
        redundant-ether-options {
            redundancy-group 4;
            lacp {
                active;
            }
        }
        unit 0 {
            description "[nbr=BOR02:??] FWL-OUTSIDE";
            family inet {
                address {{ ports.bor02.address }};
            }
        }
    }
}
routing-options {
    router-id {{ loopback.address }};
}
policy-options {
    prefix-list DEFAULT-ROUTE {
        0.0.0.0/0;
    }
    prefix-list MARTIANS {
        0.0.0.0/8;
        127.0.0.0/8;
        169.254.0.0/16;
        192.0.2.0/24;
        224.0.0.0/3;
    }
    prefix-list RFC1918 {
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
        192.168.0.0/32;
    }
    prefix-list LOOPBACKS {
        10.1.0.0/16;
    }
    prefix-list FABRIC_AGG {
        10.100.0.0/16;
        10.200.0.0/16;
    }
    policy-statement EXPORT-BL {
        term DEFAULT-ROUTE {
            from {
                protocol bgp;
                route-filter 0.0.0.0/0 exact;
            }
            then {
                preference 140;
                accept;
            }
        }
        term DENY {
            then reject;
        }
    }
    policy-statement EXPORT-BOR {
        term ADVERTISE_AGG {
            from {
                protocol aggregate;
                prefix-list-filter FABRIC_AGG exact;
            }
            then {
                metric 100;
                accept;
            }
        }
    }
    policy-statement FABRIC_AGG {
        from {
            protocol bgp;
            prefix-list-filter FABRIC_AGG orlonger;
        }
        then accept;
    }
    policy-statement IMPORT-BL {
        term FABRIC_SCOPE {
            from {
                protocol bgp;
                prefix-list-filter FABRIC_AGG orlonger;
            }
            then {
                metric 100;
                accept;
            }
        }
    }
    policy-statement IMPORT-BOR {
        term DEFAULT-ROUTE {
            from {
                protocol bgp;
                prefix-list-filter DEFAULT-ROUTE exact;
            }
            then {
                preference 140;
                accept;
            }
        }
        term DENY {
            then reject;
        }
    }
    policy-statement NEXT-HOP-SELF {
        term NHS {
            then {
                next-hop self;
                next policy;
            }
        }
    }
}
routing-instances {
    DATA {
        instance-type virtual-router;
        interface lo0.0;
        interface reth0.0;
        interface reth1.0;
        interface reth2.0;
        interface reth3.0;
        routing-options {
            graceful-restart;
            aggregate {
                route 10.100.0.0/16;
                route 10.200.0.0/16;
            }
            router-id {{ loopback.address }};
        }
        protocols {
            bgp {
                path-selection always-compare-med;
                advertise-inactive;
                log-updown;
                group EBGP-BOR {
                    type external;
                    description "[peer=BORs] EBGP";
                    import IMPORT-BOR;
                    export [ NEXT-HOP-SELF EXPORT-BOR ];
                    local-as {{ bgp_as }};
                    neighbor {{ ports.bor01.remote_address }} {
                        description "[peer=BOR01] EBGP";
                        peer-as {{ ports.bor01.bgp_as }};
                    }
                    neighbor {{ ports.bor02.remote_address }} {
                        description "[peer=BOR02] EBGP";
                        peer-as {{ ports.bor02.bgp_as }};
                    }
                }
                group EBGP-BL {
                    type external;
                    description "[peer=BLs] EBGP";
                    import IMPORT-BL;
                    export [ NEXT-HOP-SELF EXPORT-BL ];
                    local-as {{ bgp_as }};
                    neighbor {{ ports.bl01.remote_address }} {
                        description "[peer=BL01] EBGP";
                        peer-as {{ ports.bl01.bgp_as }};
                    }
                    neighbor {{ ports.bl02.remote_address }} {
                        description "[peer=BL02] EBGP";
                        peer-as {{ ports.bl02.bgp_as }};
                    }
                }
            }
        }
    }
}


--------------------------------------------------------------------------------
/templates/fwl_zone_config_h.j2:
--------------------------------------------------------------------------------


security {
    policies {
        global {
            policy DENY-ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
}
--------------------------------------------------------------------------------
/templates/inventory.j2:
--------------------------------------------------------------------------------
[leaf]
{% for leaf in leaf_list %}
{{ leaf }}
{% endfor %}

[spine]
{% for spine in spine_list %}
{{ spine }}
{% endfor %}

[border_leaf]
bl01
bl02

[fwl]
fwl01

[border]
bor01
bor02

[all:vars]
ansible_connection=local
ansible_python_interpreter=python
--------------------------------------------------------------------------------
/templates/leaf_frr.j2:
--------------------------------------------------------------------------------

### start of frr.conf
frr version

agentx
frr defaults datacenter
hostname {{hostname}}
username cumulus nopassword
!
service integrated-vtysh-config
!
log syslog informational
!

router bgp {{ bgp_as }}
 bgp router-id {{ loopback['address'] }}
 bgp bestpath as-path multipath-relax
 neighbor Fabric peer-group
 neighbor Fabric remote-as external
{% for port in ports %}
{% if port.bgp is defined and port['bgp'] is sameas true %}
 neighbor {{ port['name'] }} interface peer-group Fabric
{% endif -%}
{% endfor -%}
 !
 address-family ipv4 unicast
  network {{loopback.address}}/32
{% for vlan in vlans %}
{% if vlan.address is defined %}
  network {{ vlan.address }}
{% endif %}
{% endfor %}
  redistribute connected route-map LOOPBACK
 exit-address-family
!

route-map LOOPBACK permit 1
 match interface lo
!
line vty
!

!### end frr.conf
--------------------------------------------------------------------------------
/templates/leaf_interfaces.j2:
--------------------------------------------------------------------------------
# {{hostname}}

# This file describes the network interfaces

auto lo
iface lo inet loopback
    address {{ loopback['address'] }}/32

auto eth0
iface eth0
    address {{ mgmt['address'] }}
    gateway {{ mgmt['gateway'] }}
    vrf mgmt

auto mgmt
iface mgmt
    vrf-table auto

{% set vlan_port_list = [] -%}
{% set vlan_list = [] -%}
{% for port in ports %}

auto {{ port['name'] }}
iface {{ port['name'] }}
{% if port['vlan'] is defined %}
    bridge-access {{ port['vlan'] }}
{% do vlan_port_list.append(port['name']) %}
{% endif %}
{% endfor %}

{% for vlan in vlans %}
{% do vlan_list.append(vlan['id']) %}
{% do vlan_port_list.append("vlan"~vlan['id']) %}
auto vlan{{ vlan['id'] }}
iface vlan{{ vlan['id'] }}
    address {{ vlan['address'] }}
    vlan-id {{ vlan['id'] }}
    vlan-raw-device bridge

{% endfor %}

auto bridge
iface bridge
    bridge-ports {{ vlan_port_list|join(" ") }}
    bridge-vids {{ vlan_list|join(" ") }}
    bridge-vlan-aware yes

### end /etc/network/interfaces

--------------------------------------------------------------------------------
/templates/leaf_ports_conf.j2:
--------------------------------------------------------------------------------

# ports.conf --

--------------------------------------------------------------------------------
/templates/spine_frr.j2:
--------------------------------------------------------------------------------

### start of frr.conf
frr version

agentx
frr defaults datacenter
hostname {{hostname}}
username cumulus nopassword
!
service integrated-vtysh-config
!
log syslog informational
!

router bgp {{ bgp_as }}
 bgp router-id {{ loopback['address'] }}
 bgp bestpath as-path multipath-relax
 neighbor Fabric peer-group
 neighbor Fabric remote-as external
{% for port in range(1,25) %}
{% for subport in range(0,4) %}
 neighbor swp{{ port }}s{{ subport }} interface peer-group Fabric
{% endfor %}
{% endfor %}
{% for port in range(25,33) %}
 neighbor swp{{ port }} interface peer-group Fabric
{% endfor %}

 !
 address-family ipv4 unicast
  network {{loopback.address}}/32
  redistribute connected route-map LOOPBACK
 exit-address-family
!

route-map LOOPBACK permit 1
 match interface lo
!
line vty
!

!### end frr.conf
--------------------------------------------------------------------------------
/templates/spine_interfaces.j2:
--------------------------------------------------------------------------------
# {{hostname}}

# This file describes the network interfaces

auto lo
iface lo inet loopback
    address {{ loopback['address'] }}/32

auto eth0
iface eth0
    address {{ mgmt['address'] }}
    gateway {{ mgmt['gateway'] }}
    vrf mgmt

auto mgmt
iface mgmt
    vrf-table auto

{% for port in range(1,25) %}
{% for subport in range(0,4) %}
auto swp{{ port }}s{{ subport }}
iface swp{{ port }}s{{ subport }}

{% endfor %}
{% endfor %}

{% for port in range(25,33) %}
auto swp{{ port }}
iface swp{{ port }}

{% endfor %}


### end /etc/network/interfaces

--------------------------------------------------------------------------------
/templates/spine_ports_conf.j2:
--------------------------------------------------------------------------------

# ports.conf --

# 32x100GE switch
#
# = [4x10G|4x25G|2x50G|40G|50G|100G]
1=4x25G
2=4x25G
3=4x25G
4=4x25G
5=4x25G
6=4x25G
7=4x25G
8=4x25G
9=4x25G
10=4x25G
11=4x25G
12=4x25G
13=4x25G
14=4x25G
15=4x25G
16=4x25G
17=4x25G
18=4x25G
19=4x25G
20=4x25G
21=4x25G
22=4x25G
23=4x25G
24=4x25G
25=100G
26=100G
27=100G
28=100G
29=100G
30=100G
31=100G
32=100G
--------------------------------------------------------------------------------
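Added check, not part of this repo: the fwl templates above end every zone-pair policy set and the global block with an explicit `deny` that logs `session-init` and `session-close`. The function below parses Junos curly-brace syntax (as the templates render it) and reports, per zone pair, whether that last-policy logged deny is present; the sample config is constructed, with one zone pair deliberately lacking the deny.

```python
import re

# Constructed sample (not a repo file): INSIDE->SELF and global end in a logged deny as the
# templates do; OUTSIDE->INSIDE ends with a permit and should be flagged.
SAMPLE = """security { policies {
    from-zone INSIDE to-zone SELF {
        policy PERMIT-ICMP { match { source-address GBL_RFC1918-10; application junos-icmp-all; } then { permit; } }
        policy DENY-INSIDE-SELF { match { source-address any; application any; } then { deny; log { session-init; session-close; } } }
    }
    from-zone OUTSIDE to-zone INSIDE {
        policy PERMIT-ICMP { match { source-address any; application junos-icmp-all; } then { permit; } }
    }
    global { policy DENY-ALL { match { source-address any; application any; } then { deny; log { session-init; session-close; } } } }
} }"""


def parse_junos(text):
    """Parse Junos curly-brace syntax into nested (header, children) nodes; statements have children None."""
    toks = [t for t in (s.strip() for s in re.findall(r"\{|\}|;|[^{};]+", text)) if t]

    def block(i):
        items = []
        while i < len(toks) and toks[i] != "}":
            head = toks[i]
            if toks[i + 1] == "{":            # "head {" opens a nested block
                kids, i = block(i + 2)
                items.append((head, kids))
            else:                             # "head;" is a leaf statement
                items.append((head, None))
                i += 2
        return items, i + 1                   # skip the closing brace
    return block(0)[0]


def find(nodes, header):
    return next((n for n in nodes or [] if n[0] == header), None)


def is_logged_deny(policy):
    """True when the policy's 'then' block denies and logs both session-init and session-close."""
    then = find(policy[1], "then")
    log = find(then[1], "log") if then else None
    return bool(then and find(then[1], "deny") and log
                and find(log[1], "session-init") and find(log[1], "session-close"))


def check_default_deny(config):
    """Map each 'from-zone X to-zone Y' block and 'global' to whether its LAST policy is a logged deny."""
    security = find(parse_junos(config), "security")
    policies = find(security[1], "policies") if security else None
    report = {}
    for head, kids in (policies[1] if policies else []):
        if head.startswith("from-zone ") or head == "global":
            pols = [n for n in kids or [] if n[0].startswith("policy ")]
            report[head] = bool(pols) and is_logged_deny(pols[-1])
    return report
```

Run it over a rendered fwl01 config: any zone pair reported as False lacks the closing logged deny and relies on the global DENY-ALL alone.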