When network teams first start to use network automation, they should keep the tasks simple, low risk and quickly implementable. This means the tasks probably shouldn't make network changes.
The ideal starter project will help the operations staff, who will be judging your work. You'll want to get operations on board with automation because they'll be using the tools and can provide ideas for more projects. As you gain more experience, you can begin to implement more advanced automation tasks within your network.
The four network automation ideas below are easier tasks you can tackle to get started with automation.
- Device locator. Find where a device is connected to the network from its name, IP address or MAC address. This is a common operational task, particularly when a firewall reports malware on an endpoint and you need to find it. You may want to break this task into several steps. First, use the device name to find the device’s IP address. Next, identify the subnet, and map the IP address to a MAC address. Finally, find the switch port where that device is connected.
- Application connectivity check. Check the path between an endpoint and a specific application server, which may be load-balanced. Start with simple checks, like pings, that originate from both the endpoint and the server, or from as close to each as you can get. Doing these checks manually is time-consuming, so create an automation task that can quickly run the tests and produce results you can easily read.
- Network infrastructure peer connectivity. Verify that each network infrastructure device -- router, switch, load balancer, firewall, etc. -- is properly connected to its neighbors. This task will require a small database -- use a file to keep it simple -- that identifies each neighboring network device and the interfaces that connect them to each other. This task finds places where connectivity has failed or where connections were made to the wrong interfaces. Start with important interfaces, like EtherChannel groups, and then include router-to-switch and switch-to-switch links.
- Network configuration checks. Identify discrepancies between parts of network configurations and your configuration templates. Start by comparing simple configuration snippets, such as Network Time Protocol, Simple Network Management Protocol and admin logins. You can then advance to more complex configurations, like Border Gateway Protocol (BGP). This automation should only report on discrepancies and not make any changes.
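As an added example (not code from the original article), here is one way to script the four device-locator steps in Python against constructed sample data; the DNS table, the subnet-to-gateway inventory and the ARP and MAC-table text are assumptions standing in for live lookups and device output.

```python
import ipaddress
import re
# Constructed sample data standing in for DNS, a subnet inventory and device CLI output.
DNS = {"ws-fin-07.corp.example": "10.20.30.44"}
SUBNET_GATEWAYS = {"10.20.30.0/24": "rtr-fin-1"}  # subnet -> router that holds its ARP table
ARP_TABLE = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.30.44            12   a4c3.f0de.1234  ARPA   Vlan30"""
MAC_TABLE = """Vlan    Mac Address       Type        Ports
  30    a4c3.f0de.1234    DYNAMIC     Gi1/0/17
  30    0011.2233.4455    DYNAMIC     Gi1/0/48"""

def normalize_mac(mac):
    """Reduce aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or aa-bb-cc-dd-ee-ff to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def ip_to_subnet(ip):
    """Step 2: the subnet containing the address tells us which gateway to ask for ARP."""
    addr = ipaddress.ip_address(ip)
    for net, gateway in SUBNET_GATEWAYS.items():
        if addr in ipaddress.ip_network(net):
            return net, gateway
    return None, None

def ip_to_mac(ip, arp_output):
    """Step 3: hardware address for an IP in IOS-style 'show ip arp' output."""
    for fields in (line.split() for line in arp_output.splitlines()):
        if len(fields) >= 4 and fields[0] == "Internet" and fields[1] == ip:
            return normalize_mac(fields[3])
    return None

def mac_to_port(mac, mac_table_output):
    """Step 4: port where the MAC was learned; header and malformed lines are skipped."""
    target = normalize_mac(mac)
    for fields in (line.split() for line in mac_table_output.splitlines()):
        try:
            if len(fields) >= 4 and normalize_mac(fields[1]) == target:
                return fields[3]
        except ValueError:
            continue
    return None

def locate(name):
    """Chain the steps: name -> IP -> subnet/gateway -> MAC -> switch port."""
    ip = DNS[name]                   # step 1; KeyError if the name is unknown
    subnet, gateway = ip_to_subnet(ip)
    mac = ip_to_mac(ip, ARP_TABLE)   # live version: fetch the table from `gateway`
    port = mac_to_port(mac, MAC_TABLE) if mac else None
    return {"ip": ip, "subnet": subnet, "gateway": gateway, "mac": mac, "port": port}
```

The MAC normalization matters in practice because routers, switches and firewall alerts each print addresses in a different notation, and a locator that compares raw strings silently misses the match.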
Intermediate network automation ideas
As you gain more experience and early success, the automation tasks can become more complex. At an intermediate level, you should understand basic software development principles, like modular design. You can also start to use APIs to gather data from vendor databases. Here are four intermediate ideas for network automation.
- Verify BGP connectivity. Verify that your external routers are peering with the desired external routers and that they are sending and receiving the correct set of routes. Then, consider extending the task to query looking-glass sites to verify that your network prefix is correctly advertised to the internet.
- Automate password resets. Resetting passwords is a tedious but important task. Improve it by verifying that new passwords conform to your organization's password standards. If you can, implement a two-factor authentication mechanism, closely validate user input and store passwords only in a protected identity repository.
- Network inventory. Identify devices and collect model numbers, serial numbers and OS versions. Use vendor APIs and device details to look up security alerts and end-of-life information, provide reports on devices that are at end of support, and validate the devices on maintenance contracts. The OS version report can help you standardize the OSes across the network, which reduces bugs and security vulnerabilities.
- Network virtualization. Automate the configuration of whatever you use for network virtualization, such as virtual LAN, Virtual Extensible LAN or MPLS. You'll be pushing configuration updates, so take time to design and build a test environment.
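An added example, not from the article, of the first intermediate idea: checking a router's BGP summary and advertised routes against an intended peer list and reporting only the differences. The CLI output, the peer list and the expected prefix set are constructed sample data; a live version would fetch the output from the router.

```python
import re
# Constructed IOS-style 'show ip bgp summary' output from an edge router.
BGP_SUMMARY = """Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
203.0.113.1     4        64500   12034   11987      402    0    0 3d02h          812000
203.0.113.9     4        64510     120     118        0    0    0 00:01:12 Active
203.0.113.13    4        64530      44      41      402    0    0 00:20:05          12"""
# Constructed 'show ip bgp neighbors 203.0.113.1 advertised-routes' output.
ADVERTISED = """     Network          Next Hop            Metric LocPrf Weight Path
 *>  198.51.100.0/24  0.0.0.0                  0         32768 i
 *>  198.51.100.128/25 0.0.0.0                 0         32768 i"""
# Peering intent: neighbor -> remote AS and the minimum prefixes it should send us.
EXPECTED_PEERS = {
    "203.0.113.1": {"as": 64500, "min_pfx": 700000},  # full-table transit
    "203.0.113.9": {"as": 64510, "min_pfx": 1},       # private peer
    "203.0.113.17": {"as": 64520, "min_pfx": 1},      # exchange peer
}
EXPECTED_ADVERTISED = {"198.51.100.0/24"}  # the only prefix we should announce

def parse_summary(output):
    """Return {neighbor: (remote_as, prefixes)}; prefixes is None unless Established."""
    peers = {}
    for fields in (line.split() for line in output.splitlines()):
        if len(fields) >= 10 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", fields[0]):
            state = fields[-1]
            peers[fields[0]] = (int(fields[2]), int(state) if state.isdigit() else None)
    return peers

def check_peering(summary_output, expected):
    """List every way the live peering differs from intent; an empty list is a pass."""
    live = parse_summary(summary_output)
    findings = []
    for nbr, want in expected.items():
        if nbr not in live:
            findings.append(f"{nbr}: configured peer missing from BGP summary")
            continue
        remote_as, pfx = live[nbr]
        if remote_as != want["as"]:
            findings.append(f"{nbr}: remote AS {remote_as}, expected {want['as']}")
        if pfx is None:
            findings.append(f"{nbr}: session not Established")
        elif pfx < want["min_pfx"]:
            findings.append(f"{nbr}: {pfx} prefixes received, expected at least {want['min_pfx']}")
    for nbr in sorted(live.keys() - expected.keys()):
        findings.append(f"{nbr}: peer present on router but not in the intended peer list")
    return findings

def check_advertised(adv_output, expected):
    """Flag prefixes announced beyond the intended set (leaks) and intended ones missing."""
    announced = set(re.findall(r"\b(\d+\.\d+\.\d+\.\d+/\d+)", adv_output))
    leaks = sorted(f"leaked: {p}" for p in announced - expected)
    missing = sorted(f"not announced: {p}" for p in expected - announced)
    return leaks + missing
```

A peer that exists on the router but not in the intended list, and a more-specific prefix announced that intent never covered, are the two findings this check surfaces that a plain "is the session up" test would miss.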
Advanced network automation ideas
You will eventually want to take on more complex automation tasks to update complex device configurations and reduce repetitive errors. Below are four advanced network automation ideas you can implement within your network.
- Firewall rule migration. You can ease the process of switching firewall vendors by creating automation tasks that convert firewall rules from one vendor's format to another vendor's format. This is an opportunity to revisit the rule sets and identify outdated rules that can be removed. The task should identify where the IP addresses in each rule sit in your network and verify whether the rule still applies to the firewall whose configuration is being converted. You may be surprised at the number of rules you can eliminate because they no longer apply.
- Automate access control list updates. ACLs -- i.e., firewall rules -- can be challenging to maintain. Teams can frequently forget the origin of the rules, and no one wants to remove a rule for fear of breaking something. This automation project creates a database in which to store the ACL policy definitions -- i.e., why each policy exists and the criteria for changing or deleting it -- and the ACL rules. When a policy is changed or deleted, the resulting ACL rules can be updated or removed.
- Data center pod provisioning. With a few parameters, you can create and install the configurations for all networking equipment within a data center pod.
- Source of truth-driven automation. This is the ultimate automation task, in which a single source of truth database is used to drive network automation. The source of truth defines network configuration intent and is the idea behind intent-based networking.
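An added example, not from the article, of the ACL policy database described above: every rule must point at a recorded policy, orphaned rules and expired policies are reported, and retiring a policy removes its rules before the ACL is rendered. The policies, rules and the rendered text form are constructed for illustration, not a real device syntax.

```python
from dataclasses import dataclass
@dataclass
class Policy:          # why a group of rules exists and when it must be re-justified
    id: str
    owner: str
    reason: str
    review_by: str     # ISO date; ISO date strings compare correctly as text

@dataclass
class Rule:            # one ACL entry; must reference the policy that justifies it
    policy_id: str
    action: str        # permit | deny
    proto: str
    src: str
    dst: str
    port: str          # "" means any port
# Constructed sample database: two recorded policies plus a rule nobody can explain.
POLICIES = {
    "P-0042": Policy("P-0042", "payments-team", "PCI app tier to DB", "2025-06-30"),
    "P-0077": Policy("P-0077", "netops", "temp vendor access, ticket CHG-1234", "2024-01-31"),
}
RULES = [
    Rule("P-0042", "permit", "tcp", "10.1.20.0/24", "10.1.30.10/32", "5432"),
    Rule("P-0077", "permit", "tcp", "198.51.100.7/32", "10.1.30.10/32", "22"),
    Rule("P-9999", "permit", "ip", "any", "any", ""),  # orphan: P-9999 is not in POLICIES
]

def orphan_rules(rules, policies):
    """Rules whose policy was deleted or never recorded: review candidates, not silent keepers."""
    return [r for r in rules if r.policy_id not in policies]

def expired_policies(policies, today):
    """Policies past their review date; their rules must be re-justified or retired."""
    return sorted(p.id for p in policies.values() if p.review_by < today)

def retire_policy(policy_id, rules, policies):
    """Delete a policy and every rule it justified; returns new (policies, rules), originals untouched."""
    remaining = {k: v for k, v in policies.items() if k != policy_id}
    return remaining, [r for r in rules if r.policy_id != policy_id]

def render_acl(rules, policies, name="edge-in"):
    """Render justified rules in a simple vendor-neutral text form, each tagged with its policy."""
    lines = [f"acl {name}"]
    for r in rules:
        if r.policy_id not in policies:
            continue  # never push a rule that has no recorded justification
        lines.append(f"  # {r.policy_id}: {policies[r.policy_id].reason}")
        port = f" port {r.port}" if r.port else ""
        lines.append(f"  {r.action} {r.proto} {r.src} -> {r.dst}{port}")
    return lines
```

The orphaned permit-any rule is exactly the kind of entry that survives for years because nobody remembers why it exists; tying each rule to a policy with an owner and a review date gives you a defensible reason to remove it.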
Making it happen
The network automation ideas above should be enough for you to learn basic automation technologies, like software version control, such as Git; a scripting language, like Python; and an automation language, like Ansible with Jinja2. You may choose different implementations, perhaps using Salt or Napalm instead of Ansible, or Ruby instead of Python.
Each automation task you choose should have some easily identifiable criteria that determine when you've accomplished the task and should move on to another task. Once the current project reaches its goal, move on to the next one. Otherwise, the project may take on a life of its own and consume more time than it saves. Note that automation may have other benefits that outweigh its creation time, such as situations when the speed of execution and accuracy are critical.
You don't have to take the automation journey alone. Many people have been successful with automation and have created courses that structure what you need to know. For example, the following courses provide good guidance:
Alternatives to software development
You have alternatives to getting involved in software development projects. Companies like Gluware and Itential have done a lot of the work, in which you mainly need to provide the device configurations.
If you're interested in software but want someone else to build it, companies like Network to Code offer automation services. Finally, network vendors have automation staff members who can provide references to companies that match your requirements. Vendors are building their own tools, too, so don't overlook them. Regardless of your approach, it's important to get started with network automation.