p001 setup questionnaire
Let's refer to the New Project Setup Prerequisites questionnaire and go through it.
We are going to manage security rules and subnet configuration on the following devices:
- dc1_sw1 - cisco L3 switch
- dc1_fw1 - juniper SRX
- dc2_fw1 - cisco ASA
- dc2_sw1 - cisco l3 switch
- dc3_sw1 - cisco l2 switch
- dc3_r1 - cisco router with ZBF
For security rules management:
- Addresses
  - dc1_fw1 (juniper SRX): addresses in the global address-book
  - dc1_sw1 (cisco L3 switch): object-group network
  - dc2_fw1 (cisco ASA): object-group network
  - dc2_sw1 (cisco L3 switch): n/a - we are not going to control traffic here
  - dc3_r1 (cisco router with ZBF): object-group network
  - dc3_sw1 (cisco L2 switch): n/a - we are not going to control traffic here
- Address-sets
  - dc1_fw1 (juniper SRX): address-sets in the global address-book
  - dc1_sw1 (cisco L3 switch): object-group network
  - dc2_fw1 (cisco ASA): object-group network
  - dc2_sw1 (cisco L3 switch): n/a - we are not going to control traffic here
  - dc3_r1 (cisco router with ZBF): object-group network
  - dc3_sw1 (cisco L2 switch): n/a - we are not going to control traffic here
- Services
  - dc1_fw1 (juniper SRX): applications
  - dc1_sw1 (cisco L3 switch): object-group service
  - dc2_fw1 (cisco ASA): object-group service
  - dc2_sw1 (cisco L3 switch): n/a - we are not going to control traffic here
  - dc3_r1 (cisco router with ZBF): object-group service
  - dc3_sw1 (cisco L2 switch): n/a - we are not going to control traffic here
- Service-sets
  - dc1_fw1 (juniper SRX): application-sets
  - dc1_sw1 (cisco L3 switch): object-group service
  - dc2_fw1 (cisco ASA): object-group service
  - dc2_sw1 (cisco L3 switch): n/a - we are not going to control traffic here
  - dc3_r1 (cisco router with ZBF): object-group service
  - dc3_sw1 (cisco L2 switch): n/a - we are not going to control traffic here
- Applications
  - n/a
- Application-sets
  - n/a
- Policies
  - dc1_fw1 (juniper SRX): global policy
  - dc1_sw1 (cisco L3 switch): access-list line
  - dc2_fw1 (cisco ASA): access-list line
  - dc2_sw1 (cisco L3 switch): n/a - we are not going to control traffic here
  - dc3_r1 (cisco router with ZBF): access-list line
  - dc3_sw1 (cisco L2 switch): n/a - we are not going to control traffic here
For subnets management:
- Addresses
  - dc1_fw1 (juniper SRX): n/a
  - dc1_sw1 (cisco L3 switch): sub-interface creation for e0/0
  - dc2_fw1 (cisco ASA): n/a
  - dc2_sw1 (cisco L3 switch): sub-interface creation for e0/1
  - dc3_r1 (cisco router with ZBF): n/a
  - dc3_sw1 (cisco L2 switch): sub-interface creation for e0/0
For security rules management:
The following hierarchical segmentation looks natural:
- Data-centers: DC1, DC2, DC3, none
- VRFs: VRF1, VRF2, VRF3, DMZ, TRUST, none
Not all devices have VRFs, so we need a mapping from each (data-center, VRF) pair to the device-local name (a VRF on the switches, a security zone on the firewalls):
- DC1
  - VRF1
    - dc1_sw1: VRF VRF1
    - dc1_fw1: security zone VRF1
  - VRF2
    - dc1_sw1: VRF VRF2
    - dc1_fw1: security zone VRF2
  - VRF3
    - dc1_sw1: VRF VRF3
    - dc1_fw1: security zone VRF3
- DC2
  - VRF TRUST
    - dc2_sw1: VRF TRUST
    - dc2_fw1: security zone TRUST
  - VRF DMZ
    - dc2_sw1: VRF DMZ
    - dc2_fw1: security zone DMZ
- DC3
  - N/A
For subnets management:
- equipment: dc1_fw1, dc1_sw1, dc2_fw1, dc2_sw1, dc3_r1, dc3_sw1, none
- interfaces: e0/0, e0/1, e0/2, e0/3, none
- VLANs:
  - Vlan111: vlan-number 111
  - Vlan112: vlan-number 112
  - Vlan121: vlan-number 121
  - Vlan122: vlan-number 122
  - Vlan131: vlan-number 131
  - Vlan132: vlan-number 132
  - Vlan211: vlan-number 211
  - Vlan212: vlan-number 212
  - Vlan221: vlan-number 221
  - Vlan222: vlan-number 222
  - Vlan311: vlan-number 311
  - Vlan312: vlan-number 312
  - none: vlan-number 0
The resolving element is the pair (dc, VRF). The object parameters are named as follows:
- Addresses
  - addr_par_1 -> configure-addr
  - addr_par_2 -> aggregation-addr
- Address-sets
  - addrset_par_1 -> configure-addrset
- Services
  - svc_par_1 -> configure-svc
- Service-sets
  - svcset_par_1 -> configure-svcset
- Applications
  - n/a
- Application-sets
  - n/a
- Policies
  - plc_par_1 -> configure-plc
addr_par_1 -> configure-addr
means that the first parameter of an address object is named 'configure-addr'. This parameter tells PSEFABRIC whether this object should be configured or not.
addr_par_2 -> aggregation-addr
means that the second parameter of an address object is named 'aggregation-addr'. This parameter tells PSEFABRIC whether this address is a network aggregation or not.
n/a
For each PSEFABRIC configuration object, the creation, deletion and change actions have to be described.
A change is treated as "delete, then create new" (this does not mean that the final equipment configuration will actually delete the object and then create a new one). Thus we only have to describe creation and deletion.
For security rules management:
- Addresses creation/deleting
  - devices: dc1_sw1, dc2_fw1, dc3_r1; commands: cisco_create_address/cisco_delete_address
  - devices: dc1_fw1; commands: srx_create_address/srx_delete_address
- Address-sets creation/deleting
  - devices: dc1_sw1, dc2_fw1, dc3_r1; commands: cisco_create_address_set/cisco_delete_address_set
  - devices: dc1_fw1; commands: srx_create_address_set/srx_delete_address_set
- Services creation/deleting
  - devices: dc1_sw1, dc2_fw1, dc3_r1; commands: cisco_create_service/cisco_delete_service
  - devices: dc1_fw1; commands: srx_create_application/srx_delete_application
- Service-sets creation/deleting
  - devices: dc1_sw1, dc2_fw1, dc3_r1; commands: cisco_create_service_set/cisco_delete_service_set
  - devices: dc1_fw1; commands: srx_create_application_set/srx_delete_application_set
- Applications
  - n/a
- Application-sets
  - n/a
- Policies creation/deleting (the policy is always pushed on the destination side)
  - if source and destination data-centers are different then
    - if destination data-center is DC1 then
      - device: dc1_fw1; commands: srx_create_policy/srx_delete_policy
      - device: dc1_sw1; commands: cisco_create_access/cisco_delete_access
    - if destination data-center is DC2 then
      - device: dc2_fw1; commands: asa_create_policy/asa_delete_policy
    - if destination data-center is DC3 then
      - device: dc3_r1; commands: zbf_create_policy/zbf_delete_policy
  - if source and destination data-centers are the same but source and destination VRFs are different then
    - if data-center is DC1 (any source/destination VRFs) then
      - device: dc1_fw1; commands: srx_create_policy/srx_delete_policy
      - device: dc1_sw1; commands: cisco_create_access/cisco_delete_access
    - if data-center is DC2 (any source/destination VRFs) then
      - device: dc2_fw1; commands: asa_create_policy/asa_delete_policy
    - if data-center is DC3 then
      - nothing
  - if source and destination data-centers are the same and source and destination VRFs are the same then
    - if data-center is DC1 (any VRF) then
      - device: dc1_sw1; commands: cisco_create_access/cisco_delete_access
    - if data-center is DC2 (any VRF) then
      - nothing
    - if data-center is DC3 then
      - nothing
For subnets management:
- Addresses creation/deleting
  - if device == 'dc1_sw1' and aggregation-addr == 'false' then
    - if delete then
      - device: dc1_sw1
      - commands (in this order):
        - cisco_remove_vlan_to_trunk
        - cisco_delete_svi
        - cisco_delete_vlan
    - if create then
      - device: dc1_sw1
      - commands (in this order):
        - cisco_create_vlan
        - cisco_create_vlan_to_trunk
        - cisco_create_svi
  - The same applies to 'dc2_sw1' and 'dc3_sw1'.
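The two decision trees above (policy dispatch by the (data-center, VRF) resolving elements of source and destination, and the ordered VLAN/SVI commands for a non-aggregation address on a switch) are easy to get subtly wrong once written by hand, so here is the same logic as a small resolver. This is an added example, not PSEFABRIC project code: device, zone and command names are the arbitrary placeholders from this questionnaire, the list of switches that get an SVI is taken from the subnets-management table, and the way actions are passed in (plain tuples and keyword arguments) is an assumption made here.

```python
"""Command resolution for the p001 example fabric (added example, not PSEFABRIC code).

Encodes the questionnaire's decision trees: which device receives a policy for a
given pair of (dc, VRF) resolving elements, and which ordered VLAN/SVI commands
an address object needs on a switch.  A 'change' is modelled as delete + create.
"""

# Devices that get a policy, keyed by how the source and destination resolving
# elements relate, then by the destination data-center.  'none' is not listed,
# so a 'none' data-center resolves to no device.
POLICY_TARGETS = {
    "inter_dc":  {"DC1": ["dc1_fw1", "dc1_sw1"], "DC2": ["dc2_fw1"], "DC3": ["dc3_r1"]},
    "inter_vrf": {"DC1": ["dc1_fw1", "dc1_sw1"], "DC2": ["dc2_fw1"], "DC3": []},
    "intra_vrf": {"DC1": ["dc1_sw1"],            "DC2": [],          "DC3": []},
}

# Command-name prefix and object noun per device: the cisco L3 switch uses
# access-list lines, the firewalls and the ZBF router use policies.
POLICY_COMMAND = {
    "dc1_fw1": ("srx", "policy"),
    "dc1_sw1": ("cisco", "access"),
    "dc2_fw1": ("asa", "policy"),
    "dc3_r1": ("zbf", "policy"),
}

# Device-local name of a (dc, VRF) pair: a VRF on the switches, a security zone
# on the firewalls.  DC3 has no VRFs, so nothing maps there.
VRF_MAP = {
    ("DC1", vrf): {"dc1_sw1": f"VRF {vrf}", "dc1_fw1": f"security zone {vrf}"}
    for vrf in ("VRF1", "VRF2", "VRF3")
}
VRF_MAP.update({
    ("DC2", vrf): {"dc2_sw1": f"VRF {vrf}", "dc2_fw1": f"security zone {vrf}"}
    for vrf in ("TRUST", "DMZ")
})

# Ordered VLAN/SVI commands for a non-aggregation address.  Order matters: the
# VLAN must exist before it is trunked and before its SVI is created, and the
# SVI must be gone before the VLAN is deleted.
VLAN_COMMANDS = {
    "create": ["cisco_create_vlan", "cisco_create_vlan_to_trunk", "cisco_create_svi"],
    "delete": ["cisco_remove_vlan_to_trunk", "cisco_delete_svi", "cisco_delete_vlan"],
}
# Switches that carry a sub-interface/SVI per address (subnets-management table).
SVI_SWITCHES = ("dc1_sw1", "dc2_sw1", "dc3_sw1")


def expand_action(action):
    """A change is delete followed by create; anything else must be one of the two."""
    if action == "change":
        return ["delete", "create"]
    if action in ("create", "delete"):
        return [action]
    raise ValueError(f"unknown action {action!r}")


def resolve_policy(src, dst, action):
    """Return [(device, command), ...] for a policy between two (dc, VRF)
    resolving elements.  The policy is always pushed on the destination side."""
    src_dc, src_vrf = src
    dst_dc, dst_vrf = dst
    if src_dc != dst_dc:
        relation = "inter_dc"
    elif src_vrf != dst_vrf:
        relation = "inter_vrf"
    else:
        relation = "intra_vrf"
    steps = []
    for step in expand_action(action):
        for device in POLICY_TARGETS[relation].get(dst_dc, []):
            prefix, noun = POLICY_COMMAND[device]
            steps.append((device, f"{prefix}_{step}_{noun}"))
    return steps


def resolve_address_subnet(device, action, aggregation_addr=False):
    """Return [(device, command), ...] for the subnet side of an address object.
    Only a non-aggregation address on one of the switches creates or removes a
    VLAN and its SVI; everything else yields no subnet commands."""
    if device not in SVI_SWITCHES or aggregation_addr:
        return []
    return [(device, cmd) for step in expand_action(action) for cmd in VLAN_COMMANDS[step]]


def local_name(device, dc, vrf):
    """Device-local VRF or security-zone name for a resolving element, or None
    when that device takes no part in the data-center (for example DC3)."""
    return VRF_MAP.get((dc, vrf), {}).get(device)


if __name__ == "__main__":
    # A change of a DC2 TRUST -> DC1 VRF1 policy: delete then create on the DC1 side.
    for device, command in resolve_policy(("DC2", "TRUST"), ("DC1", "VRF1"), "change"):
        print(device, command)
    print(resolve_address_subnet("dc1_sw1", "create"))
```

Two details worth noticing: a destination data-center of 'none' resolves to no device instead of raising, and `resolve_address_subnet` returns the commands in the order the questionnaire lists them, so whatever later turns these names into templates can emit them sequentially.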
These command names are arbitrary. Later they will be associated with templates that provide the real configuration commands for the equipment.
We will use the CLI for Cisco device configuration and XML for the Juniper devices.
We use Python to create the templates.
We use Perl scripts to upload the configuration.