0

Automation Workflow with Infrahub, Nornir & Jinja2

Originally published in https://www.opsmill.com/simplifying-network-automation-workflows-with-infrahub-nornir-and-jinja2/

In this blog post, we will explore how InfraHub integrates with Jinja2 and Nornir to simplify network automation workflows. To demonstrate, we'll add two Arista devices to InfraHub, treating them as basic access switches. We'll then input the necessary details for these devices to generate configurations. We'll focus on creating VLAN and some interface configurations to keep it simple.

For each device, we'll assign a primary IP (used for SSH), configure a few interfaces with descriptions, and specify an untagged VLAN for each interface. Additionally, we'll define these VLANs globally in InfraHub (not tied to any specific device). A Jinja2 template will then use this information to generate configurations for each device. Finally, we'll use the nornir-infrahub plugin as the inventory source and Napalm to push the generated configurations to each device.

Getting Started with Infrahub

If you’re in the network automation space or attended one of the last two Autocon events, you might have come across a new tool called ‘Infrahub’ from OpsMill

PacketswitchSuresh Vina

Prerequisites

This blog post assumes you are somewhat familiar with Git and Docker. If you’re new to InfraHub, don’t worry, you should still be able to follow Continue reading

0

Group Similar Links in netlab Topologies

In the Concise Link Descriptions blog post, I described various data formats that you could use to concisely list nodes attached to a link. Today, we’ll focus on a mechanism that helps you spot errors in your topology: a dictionary of links.

Imagine you have a large topology with dozens of links, and you get an error saying, “there is this problem with links[17]”. It must be great fun counting the links to find which one triggered the error, right?

0

Trying to Automate Palo Alto Firewall Objects/Rules Cleanup

In this blog post, we will walk you through how to clean up Palo Alto Firewall Objects and Rules using a simple Python script. The script is designed to search for a specific IP address or an entire subnet and remove any associated references.

The Problem

Have you ever found yourself in a situation where you've decommissioned a server or maybe even an entire subnet, and now you're faced with the task of cleaning up your firewall? If you're using Palo Alto, you probably know that you can't just remove an address object; you first need to eliminate all its references from address groups and rules.

This can become especially cumbersome if a single object is referenced in multiple places—you'll have to remove them one by one. Now, imagine having to do this for an entire subnet where multiple objects are involved. If this sounds familiar, read on to find out how to make this process easier using a simple Python Script.

If you are looking for a more sophisticated solution, feel free to check my other blog post on how to achieve this via the 'pan-os-php' library.

Palo Alto Object and Policy Cleanup with pan-os-php

If you work with Continue reading

0

Skepticism About AI Use Does Not Yet Negate The Appetite For AI Hardware

People – and when we say “people” we mean “Wall Street” as well as individual investors – sometimes have unreasonable expectations. …

Skepticism About AI Use Does Not Yet Negate The Appetite For AI Hardware was written by Timothy Prickett Morgan at The Next Platform.

0

D2DO264: Serverless Goes Mainstream

Serverless is mature enough now to be a mainstream choice for application development. But that doesn’t mean interesting things aren’t happening. Benjamen Pyle joins Kyler and Ned on Day Two DevOps to talk about the potential for small vendors and startups to develop high-quality services purpose-built to solve specific problems. They also discuss the benefits... Read more »

0

Cloudflare’s commitment to advancing Public Sector security worldwide by pursuing FedRAMP High, IRAP, and ENS

Today, we announced our commitment to achieving the US Federal Risk and Authorization Management Program (FedRAMP) - High, Australian Infosec Registered Assessors Program (IRAP), and Spain’s Esquema Nacional de Seguridad (ENS) as part of Cloudflare for Government. As more and more essential services are being shifted to the Internet, ensuring that governments and regulated industries have industry standard tools is critical for ensuring their uptime, reliability and performance.

Cloudflare’s network spans more than 330 cities in over 120 countries, where we interconnect with approximately 13,000 network providers in order to provide a broad range of services to millions of customers. Our network is our greatest strength to provide resiliency, security, and performance. So instead of creating a siloed government network that has limited access to our products and services, we decided to build the unique government compliance capabilities directly into our platform from the very beginning. We accomplished this by delivering critical controls in three key areas: traffic processing, management, and metadata storage.

The benefit of running the same software across our entire network is that it enables us to leverage our global footprint, and then make smart choices about how to Continue reading

0

Please Wait While We’re Preparing Your Interfaces

Once a virtual machine running a network operating system boots, you’d expect its data-plane interfaces to be operational, right? Some vendors disagree. It takes over a minute for some network operating systems to figure out they have this thing called interfaces.¹

I would love to figure out what takes them so long (a minute is an eternity on modern CPUs), but I guess we’ll never know.

Behind the Scenes

netlab uses two device provisioning mechanisms: it can start virtual machines with Vagrant or containers with containerlab. Some of those containers might use KVM/QEMU to run a hidden virtual machine (see also: RFC 1925 rule 6a).

0

AMD Moves Up Instinct MI355X Launch As Datacenter Biz Hits Records

When we first started The Next Platform a decade ago, there was not really much of a reason to cover the company’s datacenter efforts. …

AMD Moves Up Instinct MI355X Launch As Datacenter Biz Hits Records was written by Timothy Prickett Morgan at The Next Platform.

0

PP048: News Roundup – 5G Vulnerabilities Abound, CSRB Disbanded, Magic Packets Target Juniper Routers, and More

JJ and Drew catch you up on cybersecurity news including new research that uncovers a host of 5G/LTE vulnerabilities, the chain of breaches in a BeyondTrust attack that led to infiltration of the US Treasury Dept., and a lawsuit against LinkedIn alleging that data from paying customers was used to train AI models. Researchers unpack... Read more »

0

HW045: A Comprehensive Guide to Wi-Fi Explorer Pro 3: Features, Insights, and More!

Wi-Fi Explorer Pro is a popular wireless scanner. On today’s show we dive into the tool with its creator, Adrian Granados. We also talk about the launch of the new book Wi-Fi Explorer Pro 3 – The Definitive User Guide, written by Granados and co-author Nigel Bowden. We delve into the history and features of... Read more »

0

No hallucinations here: track the latest AI trends with expanded insights on Cloudflare Radar

During 2024’s Birthday Week, we launched an AI bot & crawler traffic graph on Cloudflare Radar that provides visibility into which bots and crawlers are the most aggressive and have the highest volume of requests, which crawl on a regular basis, and more. Today, we are launching a new dedicated “AI Insights” page on Cloudflare Radar that incorporates this graph and builds on it with additional metrics that you can use to understand AI-related trends from multiple perspectives. In addition to the traffic trends, the new section includes a view into the relative popularity of publicly available Generative AI services based on 1.1.1.1 DNS resolver traffic, the usage of robots.txt directives to restrict AI bot access to content, and open source model usage as seen by Cloudflare Workers AI.

Below, we’ll review each section of the new AI Insights page in more detail.

Tracking traffic trends for AI bots can help us better understand their activity over time. Initially launched in September 2024 on Radar’s Traffic page, the AI bot & crawler traffic graph has moved to the AI Insights page and provides visibility into traffic trends gathered globally over Continue reading

0

DNS Nameservers: Service Platforms and Resilience

The internet is held together by the Border Gateway Protocol (BGP). Its a flooding protocol whose intended outcome is to ensure that every BGP speaker has the same information base as every other BGP speaker. What happens when this flooding algorithm fails? What happens if the information in a BGP speaker falls out of sync?

0

Arista cEOS Containers Run on Apple Silicon

A few days ago, someone mentioned Arista released a cEOS EFT image running on Arm. Of course, I had to test whether it would run on Apple Silicon.

TL&DR: YES 🎉 🎉

Here’s what you have to do to make the Arista cEOS container work with netlab running on an Ubuntu VM on Apple silicon:

0

Kubernetes Network Security at Scale: Troubleshooting, Visibility & Compliance with Calico

Kubernetes adoption continues to grow as enterprises increasingly rely on containerized environments to deploy and scale their application. However, the complexity of the Kubernetes environment has evolved dramatically. It ranges from single-cluster setups of workloads to multi-cluster environments spanning hybrid and multi-cloud infrastructure. Kubernetes deployments are now characterized by their scale and diversity. Further multi-tenancy within a single cluster is becoming standard practice, as seen with the accelerated adoption of managed Kubernetes services available with Microsoft AKS, Amazon EKS, and Google GKE, further complicating the tenant and their workload security.

Organizations are leveraging Kubernetes to manage thousands of workloads within a single cluster and distribute them across multiple clusters for redundancy, geographic coverage, and performance optimization. Additionally, hybrid and multi-cloud deployments allow businesses to balance cost, performance, and compliance requirements.

To manage and secure this growth, organizations must ensure robust network security while maintaining visibility and simplifying operations. Addressing these challenges requires a comprehensive understanding of Kubernetes traffic patterns and the solution to observe, aggregate, and correlate traffic data.

Challenges

Kubernetes environments generate various traffic patterns, including:

• In-cluster traffic: Communication between pods within the same cluster
• Egress traffic: Outbound traffic to external services or the internet
• DNS traffic: Application layer Continue reading

0

The Gigabucks Going Into Datacenter Gigawatts

The only thing that takes longer to bring online slower than a datacenter is a chip foundry, which is unfortunate for a lot of different reasons. …

The Gigabucks Going Into Datacenter Gigawatts was written by Timothy Prickett Morgan at The Next Platform.

0

NB512: US Objects to HPE-Juniper Wedding; Cheeky DeepSeek Freaks VCs

Take a Network Break! The US Justice Department blocks the HPE-Juniper merger with a surprise lawsuit, DeepSeek shakes up the AI world, and Broadcom rolls out quantum-safe Fibre Channel controllers. Sweden seizes a vessel suspected of tampering with a subsea cable, a code update could make Linux significantly more power-efficient, and the WLAN market gets... Read more »

0

Preserving content provenance by integrating Content Credentials into Cloudflare Images

Today, we are thrilled to announce the integration of the Coalition for Content Provenance and Authenticity (C2PA) provenance standard into Cloudflare Images. Content creators and publishers can seamlessly preserve the entire provenance chain — from how an image was created and by whom, to every subsequent edit — across the Cloudflare network.

When you hear the word provenance, you might have flashbacks to your high school Art History class. In that context, it means that the artwork you see at the Met in New York really came from the artist in question and isn’t a fake. Its provenance is how that piece of physical art changed possession over time, from the original artist all the way to the museum. 

Digital content provenance builds upon this concept. It helps you understand how a piece of digital media — images, videos, PDFs, and more — was created and subsequently edited. The provenance of a photo I posted on Instagram might look like this: I took the picture with my iPhone, performed an auto-magic edit using Apple Photos’ editing tools, uploaded it to Instagram, cropped it using Instagram’s editing tools, and then posted Continue reading

0

Palo Alto SSL Decryption and App-ID

If you work with Palo Alto firewalls, you might have heard of App-ID. They work well and let us create security policies based on 'applications' rather than TCP/UDP port numbers. For example, instead of allowing UDP/53, we can allow the application 'DNS'. In this blog post, we will look at how App-ID works with and without SSL Decryption. Let's get to it.

If you are new to App-ID and want to know how it works, feel free to check out my introductory post below.

Palo Alto App-ID - How Does It Work?

Instead of relying solely on port numbers, NGFWs like those from Palo Alto Networks encourage defining security policies based on the actual applications termed ‘App-ID’.

PacketswitchSuresh Vina

As always, if you find this post helpful, press the ‘clap’ button on the left. It means a lot to me and helps me know you enjoy this type of content.

App-ID Recap

When you have an NGFW like Palo Alto, you don't want to rely on port numbers for your security policies. Instead of allowing TCP/3389, TCP/389, or UDP/514, you want to use RDP, LDAP, or Syslog. Using specific port numbers, like TCP/3389, Continue reading

0

Paperless-ngx Self-Hosted Document Manager

At the moment, most of my documents are stored in Google Drive and locally on my machine. Whenever I need something, I go to Google Drive, search for it, and download it. While this works well, with all the concerns around privacy and data usage, I’d prefer to keep my documents locally rather than relying on cloud providers.

Recently, I came across a great self-hosted document manager called 'Paperless-NGX'. It not only helps with organising documents but also includes OCR functionality, allowing me to search within the documents themselves.

In this blog post, we'll go through how to set it up in a local environment and also cover how to put it behind the Caddy reverse proxy.

Running Unifi Network Application in Docker

Users are now advised to switch to the linuxserver/unifi-network-application image, which is actively maintained and provides the latest version of the UniFi Network Application.

PacketswitchSuresh Vina

Paperless-NGX Installation with Docker

Paperless-NGX is a self-hosted document management system that helps organize and search documents easily. It comes with built-in OCR, allowing you to search within scanned documents and PDFs. One of the easiest ways to install Paperless-NGX is using Docker.

I went through the official documentation to Continue reading

0

Links in Virtual Labs

There are three major ways to connect network devices in the physical world:

• Point-to-point links between devices (usually using some variant of Ethernet)
• Multi-access layer-1 networks running some IEEE 802.x encapsulation on top of that (GPON, WiFi, Ethernet hubs)
• Multi-access switched layer-2 network (dumb switches, hopefully running some STP variant)

Implementing these connections in virtual labs is a bit harder than one might think, as all virtualization solutions assume you plan to run virtual servers connected to Ethernet segments.