srl-labs / sros-anysec-macsec-lab Goto Github PK

Embedded types can be referenced in the clab file as simple as

type: sr-1

There is a good amount of embedded types that we added to make sure that the most common platforms have a short type name.

The custom types are only meant to be used when additional mem/cpu is required or a specific mda/iom

My DHCP server uses 1.1.1.1 for the nameserver, so the setup-client7.sh script fails to install the necessary components because it can't resolve any dns. Would be better not to use routable address space in the topology.
 

bash-5.0# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.50.50.1     0.0.0.0         UG    0      0        0 eth0
1.1.1.0         *               255.255.255.0   U     0      0        0 eth3
172.50.50.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.2.0     *               255.255.255.0   U     0      0        0 eth2
192.168.3.0     1.1.1.1         255.255.255.0   UG    0      0        0 eth3
bash-5.0# hostname
client8
bash-5.0# ip a show eth3
231: eth3@if230: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9500 qdisc noqueue state UP group default
    link/ether aa:c1:ab:67:63:14 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet 1.1.1.8/24 scope global eth3
       valid_lft forever preferred_lft forever
    inet6 fe80::a8c1:abff:fe67:6314/64 scope link
       valid_lft forever preferred_lft forever
bash-5.0#

Client7 is also acting as the automation node. It uses the "standard" multitool image and installs all other required automation tools when the lab is deployed. This requires Internet connection and could lead to issues when proxy or frw are used.

Using a new image with the automation tools already installed will simplify and avoid potential issues. This could be also useful in the future for other Labs.

Following tasks should be completed:

• Add padlocks for MacSec/AnySec in the grafana dashboard

instead of multiple exec calls

as quickly discussed, I think removing device IP and adding device type would be a better choice. Anysec/MACSec are hardware features.

My machine needs to pass through a proxy to reach internet, so I passed proxy env vars to grafana node so it can download the plugins set in GF_INSTALL_PLUGINS:

no_proxy=localhost,172.50.50.0/24
https_proxy=http://proxy.local:8080/
HTTPS_PROXY=http://proxy.local:8080/
HTTP_PROXY=http://proxy.local:8080/
http_proxy=http://proxy.local:8080/

However, grafana is not ignoring the proxy when trying to reach internal node prometheus, therefore breaking the scenario. As workaround, instead of passing proxies to grafana, created a container with nginx hosting the plugin files.

 httprepo:
      kind: linux
      image: nginx
      mgmt-ipv4: 172.50.50.20
      binds:
        - ./httprepo/:/usr/share/nginx/html:ro
      group: "10"

grafana:
(...)
        GF_INSTALL_PLUGINS: http://httprepo/agenty-flowcharting-panel-1.0.0d.220606199-SNAPSHOT.zip;agenty-flowcharting-panel,http://httprepo/cloudspout-button-panel.zip;cloudspout-button-panel