Network Automation: Resistance is Futile
Aug 30, 2018
I don’t know when I last worked on a simple, flat network. Even my smaller customers, whom most vendors would consider SMB (small and medium-sized business), have networks with more complexity than much larger ones had years ago. Whether it’s because of the changing climate of network security or the increasing complexity of end-user needs, today’s networks are layers of tunnels, tags, and abstractions. Mapping them accurately has therefore become more difficult, and it is not something for the faint of heart.
When I say tunnels, tags, and abstractions, I’m referring to the various network overlays used to connect devices and resources. Years ago, it would have been unusual to see more than a few VLANs in a medium-sized network. Today, it’s common to see many VLANs, VPNs, MPLS tunnels, DMVPN, VXLAN configurations, and even the beginnings of software-defined network components. This isn’t because network engineers have had nothing better to do than deploy unnecessary technology; instead, modern applications, distributed workforces, and the ubiquity of cloud computing mean the network has had to adapt, change, and grow in complexity.
Mapping these overlays on a single map would produce a jumbled mess of icons, labels, and text boxes. In fact, think about these layers even in terms of small networks. Technically speaking, the second layer of the OSI model, the data link layer, uses Ethernet along with MAC addresses as a software abstraction of the actual physical interfaces and radio waves. The third layer of the OSI model, the network layer, abstracts this further by layering IP addresses that are mapped to MAC addresses. Add the layers of virtual switches and tunneled traffic, and you’ll quickly develop a very busy diagram.
Engineers aren’t necessarily concerned with all of these layers at once, though. A map that contains all of them would not only be a mess, it would also be out of date very quickly as cables are moved, IP addresses change, and remote offices are spun up or decommissioned. I’ve managed Visio diagrams of enterprise networks, and from experience I know that updating maps regularly is so tedious and error-prone that I often gave up on keeping up with it.
A hurdle to diagramming network abstractions is that they exist as logical topologies, not in the physical realm, but they depend on the underlying physical topology. In fact, some types of network abstractions rely on an underlay of another abstraction, producing a sort of network abstraction inception that can be very difficult to discover and map.
The solution is intelligent software that communicates with devices directly to create a dynamic map. In this way, the dynamic mapping software can drill down into devices, creating a map for every layer of network abstraction programmatically. Think about this for a relatively simple network without any sophisticated abstractions. Even a simple network comprises physical links, IP addresses, possibly one or more overlays such as DMVPN, and tunneled traffic such as simple VPNs used to segment off parts of the network.
A few years ago, I managed a large campus network with remote locations that looked just like this. We didn’t run VXLAN or SD-WAN, but we had several overlays that required multiple diagrams to map. Let’s look at this layer by layer.
We kept track of the physical connections because of the sheer size of the data center and the number of IDFs and buildings on campus. That was one map, and the help desk referred to it very often. It needed to be accurate all the time, as they patched and moved switchport connections constantly.
On top of that, we had IP addresses assigned to each switch stack in each IDF. Thankfully, because of how switch stacking works, we needed only one IP address for most closets, so it didn’t clutter the network map too much. However, as a large campus network, we had hundreds of IDFs and dozens of large buildings to keep track of. The help desk also referred to this daily in their troubleshooting and changes.
The entire campus was a single OSPF area 0, and we routed at the closets, assigning subnets to the geographical areas they serviced. This worked great, but the OSPF information was another layer on top of the IDF IP address information and couldn’t be on the same map without making it clumsy.
Next, we had numerous remote campuses, one of which hosted our secondary active data center. We used an active/active dual-hub DMVPN to interconnect all our locations to both data centers and ran EIGRP over the top. This means we had a DMVPN overlay with routing that relied on an underlay of BGP WAN routing which in turn relied on internal routing and switching – and that’s not including the MPLS circuits the ISP used.
Lastly, the type of work our end users did required they move very sensitive intellectual property across the network, so we set up VPNs to resources and to what we referred to as our “site vault,” or, in other words, a sectioned-off pool of resources inside our data center.
A more sophisticated network might also run overlays in their data center such as VXLAN and BGP to each top of rack switch. In this case, layered on top of MAC addresses, IP addresses, internal routing and switching is a network abstraction to tunnel traffic in such a way as to allow layer 2 adjacencies among servers in disparate subnets. Normally this is done for virtual machine mobility or some requirement of the application, but in any case, this adds yet another overlay of abstraction over an underlay of networking.
NetBrain’s Dynamic Mapping is so much more than a pile of out-of-date static maps. Instead of flipping through Visios and spreadsheets, NetBrain’s Dynamic Mapping is almost like an operating system for your network. NetBrain’s software continually communicates with network devices and other third-party tools directly over SNMP, SSH, and current APIs. In this way NetBrain can create a Dynamic Map of network abstractions that is generated programmatically and always up to date.
Because this involves intelligent machine-to-machine communication, NetBrain’s Dynamic Mapping software can discern among networking technologies and present the network engineer with an interactive display of a particular overlay. This is powerful for anyone managing a network of any substantial complexity, which in today’s environment is most networks.
Let’s apply this mapping paradigm to my example of the large campus network I managed. Instead of every overlay in one diagram, you simply select the abstraction layer you want to look at from a menu and let the software do what it does best: generate an up-to-date interactive map.
Start by selecting the layer 2 topology. A map is generated to show the engineer switches, links, interfaces, and all the important layer 2 information such as spanning tree, CDP neighbors, ARP tables, bandwidth, and QoS. This information was vital for the daily tasks of our help desk.
Next, select the layer 3 topology to locate IP addresses and subnets.
After that you can focus on specific technologies such as OSPF. In this way you can look at the OSPF domains, roles of each OSPF router, and quickly understand how prefixes are advertised and propagated throughout a network.
In the campus network I managed, OSPF was an underlay for our BGP adjacencies, DMVPN cloud, and EIGRP domain inside the DMVPN cloud. NetBrain gives an engineer the ability to simply select BGP, DMVPN, VXLAN, or whatever network overlay or abstraction they like and generate a map focused on that particular logical topology.
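The layer-by-layer selection described above can be sketched in code. The following is an added example, not NetBrain's software or any code from the original post: it assumes a collector has already pulled CDP neighbors, interface addresses, OSPF settings and tunnel interfaces from each device (over SNMP or SSH, which this example does not perform), and it builds a separate map for each layer from that data. The device names, interfaces and addresses are constructed for the example, and the `DEVICES` dictionary stands in for collected output. It also reports one-sided CDP entries and neighbors missing from the inventory, which is the kind of drift a static Visio never reveals and the kind of undocumented device a defender wants flagged.

```python
"""Added example: per-layer topology maps built from per-device collected data.

Not NetBrain's code. DEVICES is a constructed stand-in for what a collector
would return over SNMP/SSH; no device is contacted here.
"""
from collections import defaultdict
from ipaddress import ip_interface

# Constructed sample collection: CDP neighbors as (local_if, peer, peer_if),
# interface addresses, OSPF settings and tunnel interfaces with their
# underlay source interface. "isp-ce" is deliberately absent from the
# inventory, and idf-a carries a stale CDP entry that core1 does not confirm.
DEVICES = {
    "core1": {
        "cdp": [("Gi1/0/1", "idf-a", "Gi1/0/48"), ("Gi1/0/2", "wan1", "Gi0/0")],
        "ip": {"Vlan10": "10.0.10.1/24", "Gi1/0/2": "10.255.0.1/30"},
        "ospf": {"area": "0", "router_id": "1.1.1.1"},
        "tunnels": {},
    },
    "idf-a": {
        "cdp": [("Gi1/0/48", "core1", "Gi1/0/1"), ("Gi1/0/47", "core1", "Gi1/0/3")],
        "ip": {"Vlan10": "10.0.10.2/24"},
        "ospf": {"area": "0", "router_id": "2.2.2.2"},
        "tunnels": {},
    },
    "wan1": {
        "cdp": [("Gi0/0", "core1", "Gi1/0/2"), ("Gi0/1", "isp-ce", "Gi0/0")],
        "ip": {"Gi0/0": "10.255.0.2/30", "Gi0/1": "203.0.113.2/30",
               "Tunnel100": "172.16.100.2/24"},
        "ospf": {"area": "0", "router_id": "3.3.3.3"},
        # DMVPN spoke: the overlay lives on Tunnel100, its underlay is Gi0/1.
        "tunnels": {"Tunnel100": {"source": "Gi0/1", "hub": "198.51.100.1"}},
    },
}


def layer2_map(devices):
    """Physical adjacencies from CDP, deduplicated so each link appears once."""
    links = set()
    for name, data in devices.items():
        for local_if, peer, peer_if in data["cdp"]:
            a, b = sorted([(name, local_if), (peer, peer_if)])
            links.add((a, b))
    return sorted(links)


def layer2_inconsistencies(devices):
    """CDP entries confirmed by only one end, and neighbors not in the inventory."""
    seen = {(n, li, p, pi) for n, d in devices.items() for li, p, pi in d["cdp"]}
    unknown = {p for (_, _, p, _) in seen if p not in devices}
    one_sided = [e for e in seen
                 if e[2] in devices and (e[2], e[3], e[0], e[1]) not in seen]
    return {"one_sided": sorted(one_sided), "unknown_neighbors": sorted(unknown)}


def layer3_map(devices):
    """Subnet -> sorted (device, interface) members; the IP layer on its own."""
    subnets = defaultdict(list)
    for name, data in devices.items():
        for ifname, addr in data["ip"].items():
            subnets[str(ip_interface(addr).network)].append((name, ifname))
    return {net: sorted(m) for net, m in subnets.items()}


def ospf_map(devices):
    """OSPF area -> sorted (router_id, device), kept separate from the L3 view."""
    areas = defaultdict(list)
    for name, data in devices.items():
        if data.get("ospf"):
            areas[data["ospf"]["area"]].append((data["ospf"]["router_id"], name))
    return {area: sorted(r) for area, r in areas.items()}


def overlay_map(devices):
    """Each tunnel resolved to the underlay subnet it depends on."""
    out = []
    for name, data in devices.items():
        for tun, meta in data["tunnels"].items():
            out.append({
                "device": name, "tunnel": tun, "hub": meta["hub"],
                "overlay": str(ip_interface(data["ip"][tun]).network),
                "underlay_if": meta["source"],
                "underlay": str(ip_interface(data["ip"][meta["source"]]).network),
            })
    return sorted(out, key=lambda e: (e["device"], e["tunnel"]))


# The "menu": pick one layer and get only that layer's map.
LAYERS = {"layer2": layer2_map, "layer3": layer3_map,
          "ospf": ospf_map, "overlay": overlay_map}


def build_map(layer, devices=DEVICES):
    return LAYERS[layer](devices)


if __name__ == "__main__":
    for layer in LAYERS:
        print(layer, build_map(layer))
    print("drift", layer2_inconsistencies(DEVICES))
```

Each function reads the same collected data but emits only one layer, which is what keeps the individual maps legible; `overlay_map` additionally records which underlay subnet a tunnel rides on, so the dependency between abstraction layers is captured rather than lost. In a real deployment the `DEVICES` structure would be refreshed from the devices on every run, and the `layer2_inconsistencies` output is worth alerting on, since an unknown neighbor is either an inventory gap or something that should not be on the wire.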
Remember that network abstractions exist in the logical realm and rely on an underlay network. In an environment of network abstraction inception, an engineer needs a way to see all layers of abstraction quickly and with confidence that the view is accurate and up to date. Mapping these abstractions manually is difficult and relies on legacy methods, but NetBrain’s Dynamic Mapping software gives engineers the ability to manage their network the way it should be managed: programmatically and as one big operating system.