diff --git a/tech_docs/networking/iac_github_project.md b/tech_docs/networking/iac_github_project.md
index 9e92361..6c7037c 100644
--- a/tech_docs/networking/iac_github_project.md
+++ b/tech_docs/networking/iac_github_project.md
@@ -1,4 +1,254 @@
-Here’s a one-page cheat-sheet you can tape to your monitor.
+Below is a vendor-agnostic, scalable-template review written in “meta-config” form.
+It is intentionally abstract (no literal values, no vendor CLI) so it can be mechanically translated to any NOS or rendered by an automation pipeline.
+
+--------------------------------------------------------
+1. Meta-Template Structure
+--------------------------------------------------------
+┌─ object: device
+│ ├─ role: head-end-dmvpn-hub
+│ ├─ platform:
+│ └─ lifecycle: golden-template → instance-template → device-config
+└─
+
+Each stanza below is a YAML-ish block that can be turned into:
+- Jinja2 / Ansible variables
+- Terraform schema
+- OpenConfig YANG
+- TTP/TTK parser
+
+--------------------------------------------------------
+2. Inventory & Naming
+--------------------------------------------------------
+inventory:
+ site_id: "{{ site_id }}" # AAA-BBB-CCC-NNN
+ function: headend
+ routing_domain: "{{ rd_index }}"
+ hostname_pattern: "{{ site_id }}-{{ function }}-{{ sequence }}"
+
+--------------------------------------------------------
+3. OS / Image Management
+--------------------------------------------------------
+image:
+ golden_version: "{{ lookup('golden_db', platform) }}"
+ fallback_version: "{{ golden_version | fallback }}"
+ boot_order: [primary, secondary, usb]
+
+--------------------------------------------------------
+4. Global Service Knobs
+--------------------------------------------------------
+global:
+ service:
+ tcp_keepalives: { in: true, out: true }
+ timestamps: { debug: msec, log: msec, tz: local }
+ password_encryption: true
+ sequence_numbers: true
+ counters_max_age: 10
+ dhcp: false
+ pad: false
+
+--------------------------------------------------------
+5. Security Baseline
+--------------------------------------------------------
+security:
+ auth_failure_rate: 3
+ password_policy:
+ min_length: 8
+ complexity: high
+ aaa:
+ method_order: [tacacs, local]
+ accounting: start-stop
+ sources:
+ - { ip: "{{ tacacs_vip }}", vrf: mgmt }
+ secrets:
+ enable: "{{ vault.encrypted(enable_secret) }}"
+ snmp:
+ version: 3
+ auth: sha
+ priv: aes-128
+ acl: "{{ snmp_acl }}"
+
+--------------------------------------------------------
+6. VRF & Loopback Plan
+--------------------------------------------------------
+vrfs:
+ - name: mgmt
+ rd: "{{ site_id }}:1"
+ interfaces: [MgmtEth0/0/0]
+ - name: dmvpn
+ rd: "{{ site_id }}:2"
+ interfaces: [Loopback-DMVPN, Tunnel-*]
+
+loopbacks:
+ - name: system
+ vrf: default
+ mask: /32
+ - name: tunnel_source
+ vrf: dmvpn
+ mask: /32
+
+--------------------------------------------------------
+7. Underlay Interfaces
+--------------------------------------------------------
+underlay:
+ uplinks:
+ - id: 1
+ type: p2p
+ media: ethernet
+ mtu: 9216
+ vrf: default
+ ospf: { area: 0, auth: md5, hello: 1, dead: 4 }
+ - id: 2
+ type: p2p
+ media: ethernet
+ mtu: 9216
+ vrf: dmvpn
+ ospf: { area: 0, auth: md5, hello: 1, dead: 4 }
+
+--------------------------------------------------------
+8. Overlay (DMVPN) Definition
+--------------------------------------------------------
+overlay:
+ type: dmvpn-hub
+ tunnel_ifs:
+ - id: 1
+ src_loopback: tunnel_source
+ vrf: dmvpn
+ mtu: 1400
+ tcp_mss: 1360
+ nhrp:
+ auth: "{{ nhrp_key }}"
+ net_id: "{{ site_id }}"
+ holdtime: 600
+ shortcut: true
+ redirect: true
+ ipsec:
+ profile: dmvpn_profile
+ transform: { enc: aes256-gcm, pfs: group20 }
+ bgp_listen_range: "{{ tunnel_net }}"
+ bgp_peer_group:
+ name: spokes
+ asn: "{{ bgp_asn }}"
+ rr_client: true
+ next_hop_self: true
+ send_default: true
+ max_peers: "{{ spoke_limit }}"
+
+--------------------------------------------------------
+9. QoS Framework
+--------------------------------------------------------
+qos:
+ classifier:
+ - { name: voice, dscp: ef }
+ - { name: interactive_vid, dscp: [af41,af42,af43] }
+ - { name: critical_data, dscp: [af31,af32,af33] }
+ - { name: business_data, dscp: [af21,af22,af23] }
+ - { name: bulk_data, dscp: [af11,af12,af13] }
+ - { name: scavenger, dscp: cs1 }
+ - { name: net_mgmt, dscp: cs2 }
+ shaper:
+ - parent: physical
+ cir: "{{ circuit_bw }}"
+ child_policy: per_class
+ per_class:
+ voice: { priority_pct: 30 }
+ interactive_vid: { bw_pct: 15, wred: true }
+ critical_data: { bw_pct: 20, wred: true }
+ business_data: { bw_pct: 25, wred: true }
+ bulk_data: { bw_pct: 10, wred: true }
+ scavenger: { bw_pct: 5, wred: true }
+ class_default: { bw_pct: 20, fair_queue: true }
+
+--------------------------------------------------------
+10. NetFlow / Telemetry
+--------------------------------------------------------
+telemetry:
+ exporter:
+ - { dst: "{{ collector_vip }}", vrf: mgmt, dscp: af21, proto: udp/9996 }
+ cache:
+ active_timeout: 60
+ inactive_timeout: 15
+ fields:
+ - { match: [ipv4_src, ipv4_dst, tos, proto, port_src, port_dst, direction] }
+ - { collect: [bytes, pkts, first_seen, last_seen, next_hop] }
+
+--------------------------------------------------------
+11. Routing Policy
+--------------------------------------------------------
+policy:
+ ospf:
+ areas:
+ 0: { auth: md5, type: p2p_only }
+ default_originate: true
+ bgp:
+ local_as: "{{ bgp_asn }}"
+ communities:
+ - { name: blackhole, pattern: "65400:666" }
+ - { name: transit_nyc, pattern: "65400:1111" }
+ - { name: transit_clt, pattern: "65400:2222" }
+ - { name: transit_brm, pattern: "65400:3333" }
+ route_maps:
+ - { name: deny_default, seq: 10, action: deny, match: prefix=0.0.0.0/0 }
+ - { name: spokes_in, seq: 20, action: permit }
+ - { name: spokes_out, seq: 10, action: permit, set: [community=local_site] }
+
+--------------------------------------------------------
+12. Monitoring & SLA
+--------------------------------------------------------
+sla:
+ icmp_probes:
+ - { target: "{{ anycast_gw }}", src: tunnel_1, freq: 180, owner: dmvpn }
+logging:
+ hosts:
+ - { ip: "{{ loghost1 }}", vrf: mgmt, facility: local1 }
+ - { ip: "{{ loghost2 }}", vrf: mgmt, facility: local1 }
+ levels:
+ - { trap: informational, origin_id: loopback }
+
+--------------------------------------------------------
+13. Hardening & ACLs
+--------------------------------------------------------
+acl:
+ mgmt_plane:
+ - { src: "{{ mgmt_net }}", dst: device, proto: ssh }
+ - { src: "{{ mgmt_net }}", dst: device, proto: snmp }
+ control_plane:
+ - { src: "{{ spoke_net }}", dst: device, proto: ipsec }
+ - { src: "{{ spoke_net }}", dst: device, proto: nhrp }
+ data_plane:
+ - { name: undesirable_udp, action: drop, rate: 8kbps }
+
+--------------------------------------------------------
+14. Automation Hooks
+--------------------------------------------------------
+automation:
+ pre_checks:
+ - validate_image_md5
+ - validate_crypto_modulus
+ post_checks:
+ - bgp_established
+ - ipsec_sa_count
+ - sla_probe_up
+ drift_detection:
+ - periodic: "{{ 24h }}"
+ - source_of_truth: git
+ - remediation: on_change
+
+--------------------------------------------------------
+15. Extensibility Notes
+--------------------------------------------------------
+- All IP literals live in inventory or vault; template never embeds them.
+- All BGP communities, NHRP keys, SNMP strings are vaulted and templated.
+- QoS class names & DSCP values are constants; per-link CIR is dynamic.
+- The entire config is rendered in three artifacts:
+ 1. golden-template.yaml (this document)
+ 2. per-site variables (YAML or JSON)
+ 3. vendor renderer (Jinja2, YDK, NAPALM, etc.)
+
+This single source-of-truth can therefore drive Cisco IOS-XE, Juniper vSRX, Aruba CX, OpenBSD, or a virtual container image without further human touch.
+
+---
+
+Here’s a one-page cheat-sheet you can tape to your monitor.
It distills the whole document into three things you actually touch every day. ---