1 License
This project is licensed under the Cisco Sample Code License 1.1. See the LICENSE.md file for details.
2 Ansible Solution overview
Ansible is an open-source software provisioning, configuration management, and application-deployment tool.
Ansible works by connecting to your nodes and pushing out small programs, called "Ansible modules" to them. These programs are written to be resource models of the desired state of the system. Ansible then executes these modules (over SSH by default) and removes them when finished.
Your library of modules can reside on any machine, and there are no servers, daemons, or databases required. Typically you'll work with your favorite terminal program, a text editor, and probably a version control system to keep track of changes to your content.
By default, Ansible represents what machines it manages using a very simple INI file that puts all of your managed machines in groups of your own choosing.
To add new machines, there is no additional SSL signing server involved, so there's never any hassle deciding why a particular machine didn’t get linked up due to obscure NTP or DNS issues.
Note
More details about the Ansible environment can be found at www.ansible.com
2.1 Prerequisites
2.2 Supported Devices
• Catalyst9X00 series.
• IR1101.
• IR8340.
• IC3K. Active Discovery is available and configurable, see below.
• IE3X00. Active Discovery is available and configurable, see below.
2.3 Limitations
• Sensor IC3K upgrade
Note
The IC3K update can be done using the combined file on the center UI or the sbs-update command on the sensor's CLI.
3 Configuration files by device
In this section we go through the configuration files for each device. Two kinds of files exist:
• Playbooks: contain the center information (IP and token), the role, and the prompt for the sensor application path.
• Inventory: contains the LM information used to connect and the sensor configuration details. You can also choose whether to use the Active Discovery option.
Note
In the next section, the inventory files contain the Active Discovery option for sensors that support it. You can delete the Active Discovery part if it is not needed.
IMPORTANT
The code in the next section is given with a description for each relevant line.
The YAML files can be found in the document annex.
Note
The inventory file can contain one or more switches for each described model (see the inventory.yml file for an example).
3.1 Catalyst 9X00 series
3.1.1 Playbook
- hosts: catalyst9k
  gather_facts: false
  vars:
    center_token: ics-1c09745866eccd5515b005537bf9699b1af24c96-2104c3789ca9a628508506fa029945cbc7d424e5
    center_url: https://10.2.3.165
  vars_prompt:
    - name: application_tar_path
      prompt: CyberVision app path (x86-64 version)?
      private: false
  roles:
    - cybervision_sensor
3.1.2 Inventory
catalyst9k:
  hosts:
    192.168.169.211:
      name: "cat9300_2"
      collection_address: 192.168.169.210
      collection_prefix: 24
      iox_login: admin
      iox_password: Cisco123
      iox_port: 443
      capture_mode: custom
      capture_filter: not arp
      active_discovery: true
      active_discovery_interfaces:
        - ip: "1.2.3.4"
          netmask: 24
          vlan: 14
          iface: "eth2"
3.2 IC3000
3.2.1 Playbook
- hosts: ic3k
  gather_facts: false
  vars:
    center_token: ics-1c09745866eccd5515b005537bf9699b1af24c96-2104c3789ca9a628508506fa029945cbc7d424e5
    center_url: https://10.2.3.165
  vars_prompt:
    - name: application_tar_path
      prompt: CyberVision app path (ic3k version)?
      private: false
  roles:
    - cybervision_sensor
3.2.2 Inventory
ic3k:
  hosts:
    192.168.69.140:
      mgmt_netmask: 255.255.255.0
      mgmt_gateway: 192.168.69.1
      collection_address: 192.168.69.40
      collection_prefix: 24
      iox_login: admin
      iox_password: Cisco123
      iox_port: 8443
      check_sensor_status: true
      capture_mode: custom
      capture_filter: not arp
      check_sensor_and_center_version: false
      active_discovery_interfaces:
        - ip: "1.2.3.4"
          netmask: 24
          vlan: 14
          iface: "eth1"
3.3 IE3X00
3.3.1 Playbook
- hosts: ie3X00
  gather_facts: false
  vars:
    center_token: ics-1c09745866eccd5515b005537bf9699b1af24c96-2104c3789ca9a628508506fa029945cbc7d424e5
    center_url: https://10.2.3.165
  vars_prompt:
    - name: application_tar_path
      prompt: CyberVision app path (aarch64 version)?
      private: false
  roles:
    - cybervision_sensor
3.3.2 Inventory
ie3X00:
  hosts:
    192.168.69.211:
      collection_address: 192.168.69.210
      collection_prefix: 24
      iox_login: admin
      iox_password: Cisco123
      iox_port: 443
      capture_mode: custom
      capture_filter: not arp
      active_discovery: true
      active_discovery_interfaces:
        - ip: "1.2.3.4"
          netmask: 24
          vlan: 14
          iface: "eth2"
3.4 IR1101
3.4.1 Playbook
- hosts: ir1101
  gather_facts: false
  vars:
    center_token: ics-4e2ae0442e681a6319e008b529c42b12d293f7b8-24b67528386b72e34b86aaed2f162dd1c58955f4
    center_url: https://10.2.3.165
  vars_prompt:
    - name: application_tar_path
      prompt: CyberVision app path (aarch64 version)?
      private: false
  roles:
    - cybervision_sensor
3.4.2 Inventory
ir1101:
  hosts:
    192.168.69.31:
      collection_address: 169.254.0.2
      collection_prefix: 30
      iox_login: admin
      iox_password: Cisco123
      iox_port: 443
      name: "sparrow_2"
3.5 IR8340
3.5.1 Playbook
- hosts: ir8340
  gather_facts: false
  vars:
    center_token: ics-4e2ae0442e681a6319e008b529c42b12d293f7b8-24b67528386b72e34b86aaed2f162dd1c58955f4
    center_url: https://10.2.3.165
  vars_prompt:
    - name: application_tar_path
      prompt: CyberVision app path (aarch64 version)?
      private: false
  roles:
    - cybervision_sensor
3.5.2 Inventory
ir8340:
  hosts:
    192.168.69.70:
      collection_address: 169.254.0.2
      collection_prefix: 30
      iox_login: admin
      iox_password: Cisco123
      iox_port: 443
      name: "sumatra"
3.6 IE9300
3.6.1 Playbook
- hosts: ie9300
  gather_facts: false
  vars:
    center_token: ics-1c09745866eccd5515b005537bf9699b1af24c96-2104c3789ca9a628508506fa029945cbc7d424e5
    center_url: https://10.2.3.165
  vars_prompt:
    - name: application_tar_path
      prompt: CyberVision app path (aarch64 version)?
      private: false
  roles:
    - cybervision_sensor
3.6.2 Inventory
ie9300:
  hosts:
    192.168.69.191:
      collection_address: 192.168.69.91
      collection_prefix: 24
      iox_login: admin
      iox_password: Cisco123
      iox_port: 443
      name: "clarke_2"
      capture_mode: custom
      capture_filter: not arp
      active_discovery: true
      active_discovery_interfaces:
        - ip: "1.2.3.4"
          netmask: 24
          vlan: 14
          iface: "eth2"
4 Optional variables
Variable name | Comment |
---|---|
check_sensor_status | Boolean. If set to true, we wait 3 min after each deployment or update, then check the connectivity status of the sensor to see if it's online. Defaults to false. |
check_sensor_and_center_version | Boolean. If set to true, we check that the center and sensor are on the same version. Defaults to true. |
Variable name | Comment |
---|---|
collection_gateway | Gateway of collection interface. For IR1101, default value is 169.254.0.1. |
capture_mode | Can be all, industrial_only, optimal or custom. Default: optimal. If custom, use capture_filter (see below) to configure the bpf filter. Used only in deployment (not for update). |
capture_filter | BPF filter used to capture traffic. Used only in deployment. |
Variable name | Comment |
---|---|
collection_vlan | Default value: 507. Not used for IR1101. |
capture_address | Default value: 169.254.1.2. |
capture_prefix | Default value: 30 |
capture_vlan | Default value: 2508. Not used for IR1101. |
rspan | Default value: false. Used only for C9XXX |
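A pre-flight check that applies the value constraints from the tables above to an inventory before the playbook runs. This is an added example, not part of the project's role. The required-key list, the 802.1Q VLAN range, the `{{ ... }}` test for a vaulted password and the variable name vault_iox_password are assumptions, and the sample inventory is constructed.

```python
import ipaddress

# capture_mode values listed in the optional-variables table.
CAPTURE_MODES = {"all", "industrial_only", "optimal", "custom"}
# Assumption: required because every sample inventory on the page sets them.
REQUIRED = ("collection_address", "collection_prefix",
            "iox_login", "iox_password", "iox_port")

# Constructed sample; vault_iox_password is a hypothetical vaulted variable.
SAMPLE_INVENTORY = {"catalyst9k": {"hosts": {
    "192.0.2.10": {
        "collection_address": "192.0.2.11", "collection_prefix": 24,
        "iox_login": "admin", "iox_password": "{{ vault_iox_password }}",
        "iox_port": 443, "capture_mode": "custom", "capture_filter": "not arp",
        "active_discovery_interfaces": [
            {"ip": "198.51.100.4", "netmask": 24, "vlan": 14, "iface": "eth2"}]},
    "192.0.2.20": {
        "collection_address": "192.0.2.300", "collection_prefix": 24,
        "iox_login": "admin", "iox_password": "Cisco123",
        "iox_port": 443, "capture_mode": "custom",
        "active_discovery_interfaces": [
            {"ip": "198.51.100.4", "netmask": 24, "vlan": 5000, "iface": "eth2"}]},
}}}

def is_ipv4(value):
    try:
        ipaddress.IPv4Address(str(value))
        return True
    except ValueError:
        return False

def int_between(value, low, high):
    # bool is a subclass of int, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and low <= value <= high

def check_host(group, host, hvars):
    """Return a list of findings for one host entry."""
    hvars, out = hvars or {}, []
    def add(msg):
        out.append(f"{group}/{host}: {msg}")

    for key in REQUIRED:
        if key not in hvars:
            add(f"missing {key}")
    if "collection_address" in hvars and not is_ipv4(hvars["collection_address"]):
        add("collection_address is not an IPv4 address")
    if "collection_prefix" in hvars and not int_between(hvars["collection_prefix"], 1, 32):
        add("collection_prefix is not a prefix length")
    if "iox_port" in hvars and not int_between(hvars["iox_port"], 1, 65535):
        add("iox_port is not a TCP port")
    # A literal password in inventory.yml travels with every copy of the file.
    pw = hvars.get("iox_password")
    if pw is not None and not (isinstance(pw, str) and "{{" in pw):
        add("iox_password is a literal; reference a vaulted variable")
    mode = hvars.get("capture_mode", "optimal")  # documented default
    if mode not in CAPTURE_MODES:
        add(f"capture_mode {mode!r} is not a documented value")
    elif mode == "custom" and not hvars.get("capture_filter"):
        add("capture_mode is custom but capture_filter is not set")
    for i, itf in enumerate(hvars.get("active_discovery_interfaces") or []):
        where = f"active_discovery_interfaces[{i}]"
        if not is_ipv4(itf.get("ip")):
            add(f"{where}.ip is not an IPv4 address")
        if not int_between(itf.get("netmask"), 1, 32):
            add(f"{where}.netmask is not a prefix length")
        if not int_between(itf.get("vlan"), 1, 4094):  # assumption: 802.1Q range
            add(f"{where}.vlan is outside 1-4094")
    return out

def validate_inventory(inventory):
    findings = []
    for group, body in (inventory or {}).items():
        for host, hvars in ((body or {}).get("hosts") or {}).items():
            findings.extend(check_host(group, host, hvars))
    return findings

if __name__ == "__main__":
    print("\n".join(validate_inventory(SAMPLE_INVENTORY)))
```

To run it on a real file, pass the mapping returned by PyYAML's `yaml.safe_load` for inventory.yml to `validate_inventory`.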
5 Launch the bulk deployment process
The playbook and inventory details for all sensors can be placed in two separate files: the first can be called bulk-deployment.yml and the second inventory.yml.
These two files should be placed in the same folder in the Ansible environment.
Another folder, roles/cybervision_sensor, should be added at the same location. It contains the role details.
It is in the zipped file roles.zip.
If a log file is needed, you can activate it by adding these two vars:
After adding these files and folders to the same folder, change into that folder and run this command to launch the bulk deployment:
ansible-playbook -i inventory.yml bulk-deployment.yml -f 2
Note
The -f (fork) option executes the script in batches of 2 devices at a time; some steps can fail with a greater batch number.
You can also use the -v option for verbose mode:
ansible-playbook -v -i inventory.yml bulk-deployment.yml -f 2
See the example below for an IC3K deployment using Ansible:
[admin@localhost home]$ ansible-playbook -i inventory.yml bulk-deployment.yml
[DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the controller starting with Ansible 2.12. Current version: 3.6.8 (default, Mar 19 2021, 05:13:41) [GCC 8.4.1 20200928 (Red Hat 8.4.1-1)]. This feature will be removed
from ansible-core in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
No config file found; using defaults
<!---You will be prompted to add the path for the sensor extension--->
CyberVision app path?:
<!---Then the installation will start All steps are described--->
PLAY [ic3k] ********************************************************************************************************************************************************************************************************************************
TASK [cybervision_sensor : register serial] ************************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Get Token] ******************************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : register auth token] ********************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Ensure a temporary directory for app extraction] ****************************************************************************************************************************************************************
changed: [10.2.2.102]
TASK [cybervision_sensor : Extract application] ********************************************************************************************************************************************************************************************
changed: [10.2.2.102]
TASK [cybervision_sensor : Load package.yaml] **********************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Check app type (IC3K)] ******************************************************************************************************************************************************************************************
ok: [10.2.2.102] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [cybervision_sensor : Check app type (CAT9K)] *****************************************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Check app type (IR1101 and IE3X00)] *****************************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Get center version] *********************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Register center version] ****************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Register center version] ****************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Register sensor version] ****************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Check center version] *******************************************************************************************************************************************************************************************
ok: [10.2.2.102] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [cybervision_sensor : Check sensor version] *******************************************************************************************************************************************************************************************
ok: [10.2.2.102] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [cybervision_sensor : Get the serial] *************************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Register serial] ************************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Get the app list] ***********************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : detect install or update] ***************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Set app name for install] ***************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Set app name for update] ****************************************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Get the disk size] **********************************************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Register disk size (IC3k)] **************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Register available disk size (Cat9k or IE3k)] *******************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Calculate reserved disk size (Cat9k or IE3k)] *******************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Calculate allocation disk size (Cat9k or IE3k)] *****************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Retrieve allocated disk size (cat9k or IE3k)] *******************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Register allocated disk size (Cat9k or IE3k)] *******************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Get app status] *************************************************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Check if sensor exists] *****************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : get sensor id] **************************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : default value for sensor id] ************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Install app] ****************************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Unsupported update on IC3K] *************************************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Stop app] *******************************************************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Get the app status] *********************************************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Get app status] *************************************************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Deactivate app] *************************************************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Upgrade app] ****************************************************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : template name for activation payload (ic3k)] ********************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : template name for activation payload (ir1101)] ******************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : template name for activation payload (catalyst9k)] **************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : template name for activation payload (ie3X00)] ******************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Assert that we found an activation payload template] ************************************************************************************************************************************************************
ok: [10.2.2.102] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [cybervision_sensor : Activate app] ***************************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Start app] ******************************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Check if sensor exists] *****************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : get sensor id] **************************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : default value for sensor id] ************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Check sensor status] ********************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : get enrollment status] ******************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Ensure a temporary directory for sensor provisioning download.] *************************************************************************************************************************************************
changed: [10.2.2.102]
TASK [cybervision_sensor : Set sensor name used in Center] *********************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Create sensor] **************************************************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : register sensor id] *********************************************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Get sensor provisioning] ****************************************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Upload provisioning package] ************************************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Create sensor] **************************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : register sensor id] *********************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Get sensor provisioning] ****************************************************************************************************************************************************************************************
changed: [10.2.2.102]
TASK [cybervision_sensor : Extract provisioning package] ***********************************************************************************************************************************************************************************
changed: [10.2.2.102]
TASK [cybervision_sensor : Upload provisioning package] ************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Stop app] *******************************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Start app] ******************************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Pause for 3 minutes to wait for app restart & center connectivity] **********************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : Check sensor status] ********************************************************************************************************************************************************************************************
skipping: [10.2.2.102]
TASK [cybervision_sensor : get sensor status] **********************************************************************************************************************************************************************************************
ok: [10.2.2.102]
TASK [cybervision_sensor : Check sensor is connected] **************************************************************************************************************************************************************************************
skipping: [10.2.2.102]