Configuration
This integration utilizes a YAML configuration file with the option to store some parameters, such as secrets, as environment variables.
IP Fabric
```yaml
---
ipfabric:
  base_url: https://demo.ipfabric.io
  snapshot_id: "$last"
  verify: true
  timeout: 5
  token: "API_TOKEN"
  username:
  password:
  vrf_mapping:
    default:
      names:
        - ''
      ignore_case: true
    example:
      names:
        - test
        - lab
      ignore_case: true
```
This section describes the configuration for connecting to IP Fabric. Environment variable names are given in parentheses.

- `base_url` (`IPF_URL`): The FQDN or IP address of the IP Fabric VM; must include `https://`.
- `snapshot_id` (`IPF_SNAPSHOT`): Must be `$last` (default), `$prev`, `$lastLocked`, or the UUID of a loaded snapshot.
- `verify` (`IPF_VERIFY`): Whether the IP Fabric TLS certificate is verified; valid options are `true` (default) or `false`. Setting `false` disables certificate verification and leaves the API session open to interception, so keep the default outside of lab environments.
- `timeout` (`IPF_TIMEOUT`): HTTP timeout in seconds for IP Fabric API calls, or `null`. Default is 5 seconds.
- `token` (`IPF_TOKEN`): The API token generated in IP Fabric.
- Username and password authentication, if not using an API token:
  - `username` (`IPF_USERNAME`): The username used to authenticate to IP Fabric.
  - `password` (`IPF_PASSWORD`): The password used to authenticate to IP Fabric.
- `vrf_mapping`: Renames VRF names that IP Fabric has discovered before they are used elsewhere in this configuration. The example above defines two overrides:
  - `default`: Any item without a VRF assigned (VRF name `""` or `null`) is renamed to `default`.
  - `example`: Any item in a VRF named `test`, `TEST`, `lab`, etc. is renamed to `example`; `ignore_case: true` makes the name comparison case-insensitive.

Prefer supplying `token` or `password` through the environment variable rather than in the YAML file, so the secret is not stored, or committed to version control, together with the rest of the configuration.
Infoblox
```yaml
infoblox:
  host: https://10.194.90.15/
  verify_ssl: false
  timeout: 5
  username: admin
  password: password
  import_timeout: 60
  import_retry: 10
  discovery_timeout: 60
  discovery_retry: 10
```
This section describes the configuration for connecting to Infoblox NIOS. Environment variable names are given in parentheses.

- `host` (`IB_HOST`): The FQDN or IP address of the NIOS appliance; must include `https://`.
- `verify_ssl` (`IB_VERIFY_SSL`): Whether the NIOS TLS certificate is verified; valid options are `true` (default) or `false`. The example above disables it; for production, install a certificate that matches the hostname you configure in `host` and keep verification on.
- `timeout` (`IB_TIMEOUT`): HTTP timeout in seconds for NIOS API calls, or `null`. Default is 5 seconds.
- `username` (`IB_USERNAME`): The username used to authenticate to NIOS.
- `password` (`IB_PASSWORD`): The password used to authenticate to NIOS. The `admin`/`password` pair in the example is a placeholder; use a dedicated NIOS account with only the permissions the import needs, and supply its password via `IB_PASSWORD` rather than in the file.
- Network Import: Controls how long to wait for the network CSV import to be completed by NIOS (Timeout × Retry = total wait time, so the defaults allow up to 600 seconds).
  - `import_timeout`: Defaults to waiting 60 seconds before checking the completion status.
  - `import_retry`: Defaults to checking the status 10 times before continuing.
- Discovery Import: Controls how long to wait for the discovery CSV import to be completed by NIOS. Unlike the network CSV import, the discovery import is done per Network View rather than as a single import, and only one discovery import can be submitted at a time. The integration first checks whether an import is already running and waits for it to finish (Timeout × Retry), then submits its own import, and finally waits until that import completes (Timeout × Retry).
  - `discovery_timeout`: Defaults to waiting 60 seconds before checking the completion status.
  - `discovery_retry`: Defaults to checking the status 10 times before continuing.
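The two sections above define the same pattern: a YAML value that an environment variable can replace, plus a handful of settings (`https://` in the URL, certificate verification, the timeout, and which credential is in use) worth checking before any API call is made. The following is an added example written for this page, not the integration's own configuration loader. It assumes that an environment variable, when set, overrides the YAML value, and it takes the already-parsed YAML section as a plain dictionary so it runs without PyYAML.

```python
"""Added example (not the integration's own loader): merge one config section
with the environment variables the page names, then check the settings that
matter most for security. Assumption: a set environment variable wins over YAML."""
import os
import re

ENV_NAMES = {  # variable names exactly as documented above
    "ipfabric": {"base_url": "IPF_URL", "snapshot_id": "IPF_SNAPSHOT",
                 "verify": "IPF_VERIFY", "timeout": "IPF_TIMEOUT",
                 "token": "IPF_TOKEN", "username": "IPF_USERNAME",
                 "password": "IPF_PASSWORD"},
    "infoblox": {"host": "IB_HOST", "verify_ssl": "IB_VERIFY_SSL",
                 "timeout": "IB_TIMEOUT", "username": "IB_USERNAME",
                 "password": "IB_PASSWORD"},
}
SECRETS = ("token", "password")
SNAPSHOT_RE = re.compile(
    r"^(\$last|\$prev|\$lastLocked|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)


def _coerce(key, raw):
    """Environment variables are strings; turn them into the types YAML would give."""
    if key in ("verify", "verify_ssl"):
        if raw.strip().lower() in ("true", "false"):
            return raw.strip().lower() == "true"
        raise ValueError(f"{key}: expected true or false, got {raw!r}")
    if key == "timeout":
        return None if raw.strip().lower() in ("", "null") else int(raw)
    return raw


def resolve(section, yaml_values, env=None):
    """Return (settings, sources); sources records whether each value came
    from the YAML file ("yaml") or from the environment ("env")."""
    env = os.environ if env is None else env
    settings = {k: v for k, v in (yaml_values or {}).items() if v is not None}
    sources = {k: "yaml" for k in settings}
    for key, var in ENV_NAMES[section].items():
        if env.get(var) not in (None, ""):
            settings[key] = _coerce(key, env[var])
            sources[key] = "env"
    return settings, sources


def check(section, settings, sources):
    """Return {'errors': [...], 'warnings': [...]}; any error should stop the run."""
    errors, warnings = [], []
    url_key, verify_key = (("base_url", "verify") if section == "ipfabric"
                           else ("host", "verify_ssl"))
    if not str(settings.get(url_key, "")).startswith("https://"):
        errors.append(f"{url_key} must include https://")
    if settings.get(verify_key, True) is False:
        warnings.append(f"{verify_key} is false: the server certificate is not checked")
    timeout = settings.get("timeout", 5)
    if timeout is not None and (isinstance(timeout, bool)
                                or not isinstance(timeout, (int, float)) or timeout <= 0):
        errors.append("timeout must be a positive number of seconds or null")
    if section == "ipfabric":
        if not SNAPSHOT_RE.match(str(settings.get("snapshot_id", "$last"))):
            errors.append("snapshot_id must be $last, $prev, $lastLocked or a snapshot UUID")
        has_token = bool(settings.get("token"))
        has_creds = bool(settings.get("username")) and bool(settings.get("password"))
        if not (has_token or has_creds):
            errors.append("set token, or both username and password")
    elif not (settings.get("username") and settings.get("password")):
        errors.append("username and password are required for NIOS")
    for key in SECRETS:  # secrets belong in the environment, not the file
        if settings.get(key) and sources.get(key) == "yaml":
            warnings.append(f"{key} is stored in the YAML file; "
                            f"prefer {ENV_NAMES[section].get(key, key.upper())}")
    return {"errors": errors, "warnings": warnings}
```

Run `check` on both sections at start-up and refuse to continue on any error; treat the warnings as findings to fix before the integration is scheduled, since a disabled certificate check or a password in the file is easy to overlook once the job runs unattended.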
Network Views
This section describes the configuration for importing networks and discovery information into a mapped Network View.
Common Configurations
```yaml
networkViews:
  - name: Cloud
    default: false
    create_containerless_nets: true
    split_networks: true
    managed_ip_discovery: true
    smallest_v4_subnet: 31
```
These configurations are common to all Network Views.

- `name`: The name of the NIOS Network View.
- `default`: Defaults to `false`; `true` marks this view as the default. Only one default view is allowed, and it cannot have Include Rules.
- `create_containerless_nets`: Defaults to `false`, which imports only networks that fall within a Network Container in NIOS. Set to `true` to also import networks that have no container.
- `split_networks`: Defaults to `false`. If set to `true` and a subnet discrepancy is found between NIOS and IP Fabric, this integration attempts to split the NIOS network into the correct subnets. The network in NIOS must not have IP addresses assigned for the split to occur.
- `managed_ip_discovery`: Defaults to `true` and imports information about IP addresses discovered by IP Fabric into NIOS.
- `smallest_v4_subnet`: Defaults to `31` and controls the smallest IPv4 network size imported into NIOS. Some administrators do not define /32 networks in IPAM systems but instead define a supernet to manage loopback addresses. This flag ensures /32 networks do not cause errors: IP addresses may already be assigned within the supernet, and NIOS cannot split a network that has addresses assigned.
Include Rules
```yaml
networkViews:
  - name: Example
    include:
      networks:
        - RFC1918
        - CGNAT
        - 11.0.0.0/8
      sites:
        - value: "(AWS|GCP|AZURE).*"
          regex: true
          ignore_case: true
      vrfs:
        - value: "VPN-.*"
          regex: true
          ignore_case: true
```
Include rules act as an "and" across the keys (and as an "or" within each key's list): with the example above, only networks that fall within RFC1918, CGNAT, or 11.0.0.0/8, and are in a VRF matching `"VPN-.*"`, and are in a site matching `"(AWS|GCP|AZURE).*"` will be imported.

- `networks`: List of IPv4 networks to include. `CGNAT` is expanded to 100.64.0.0/10 and `RFC1918` is expanded to 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
- `sites` & `vrfs`: List of dictionaries:
  - `value`: The IP Fabric Site or VRF name, or a regular expression, to match.
  - `regex`: Change the default `false` to `true` if `value` is a regular expression.
  - `ignore_case`: Defaults to `true` for case-insensitive matching.

The "Default" Network View does not support Include Rules, only Exclude Rules.
Exclude Rules
```yaml
networkViews:
  - name: Example
    exclude:
      networks:
        - RFC1918
        - CGNAT
        - 11.0.0.0/8
      sites:
        - value: "(AWS|GCP|AZURE).*"
          regex: true
          ignore_case: true
      vrfs:
        - value: "VPN-.*"
          regex: true
          ignore_case: true
```
Exclude rules are evaluated as an "or" operator, with the following consequences:

- Any network that falls within RFC1918, CGNAT, or 11.0.0.0/8 is excluded without checking the site name or VRF name.
- Any network whose site name matches the regex is excluded without checking the VRF name.
- Any network whose VRF name matches the regex is excluded without checking the site name.

Configuration keys and default values are the same as for the Include Rules explained above.
Example
```yaml
networkViews:
  - name: VPN
    create_containerless_nets: true
    split_networks: true
    smallest_v4_subnet: 32
    include:
      vrfs:
        - value: "VPN-.*"
          regex: true
  - name: Private
    split_networks: true
    include:
      networks:
        - RFC1918
    exclude:
      sites: &cloud
        - value: "(AWS|GCP|AZURE).*"
          regex: true
  - name: Private Cloud
    split_networks: true
    smallest_v4_subnet: 31
    include:
      sites: *cloud
      networks:
        - RFC1918
  - name: Public Cloud
    create_containerless_nets: true
    split_networks: true
    smallest_v4_subnet: 32
    include:
      sites: *cloud
    exclude:
      networks:
        - RFC1918
  - name: Public
    default: true
    create_containerless_nets: true
    split_networks: true
    smallest_v4_subnet: 32
    exclude:
      sites: *cloud
      networks:
        - RFC1918
```
In this full example we have the following Network Views configured, in order of precedence:

- VPN: VRF inclusion rules take precedence. Any network whose VRF matches the `"VPN-.*"` regex is placed in this view. Since the view has no exclusion rules, no other view will contain networks in this VRF.
- Private: Network inclusion rules are calculated next. Any RFC1918 subnet not excluded by the Cloud sites is imported.
- Private Cloud: Contains both a network and a site inclusion rule. Only private (RFC1918) networks in the Cloud sites are imported into this view.
- Public Cloud: Networks without a mapped view are then checked against the site inclusion rule. Any network in the Cloud sites that does not fall within RFC1918 is imported.
- Public: The default view is calculated last; any network that is not excluded by its rules is imported.

*YAML anchors and aliases can be used to condense the configuration file, as shown with `&cloud` and `*cloud`.

**If a network matches multiple views, it is not imported; the conflict is recorded in the log files for debugging.
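To see how the Include ("and" across keys), Exclude ("or") and precedence rules above combine, the following added example evaluates them over a few constructed networks, after applying the `vrf_mapping` renames from the IP Fabric section. It is illustrative code written for this page, not the integration's own implementation; where it has to decide something the page leaves open (regexes anchored at the start, first match in configuration order wins with the default view last, `smallest_v4_subnet` applied to the chosen view), the comments say so. `Net` is a stand-in record, not IP Fabric's real schema.

```python
"""Added example (not the integration's own code): evaluate the Network View
include/exclude rules and precedence described above, after applying the
ipfabric.vrf_mapping renames. Assumptions beyond the page are marked in comments."""
import ipaddress
import re
from dataclasses import dataclass

# Named network groups, expanded exactly as the page documents them.
NAMED_NETWORKS = {
    "RFC1918": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "CGNAT": ("100.64.0.0/10",),
}


@dataclass(frozen=True)
class Net:  # one discovered network; a constructed stand-in for IP Fabric's record
    prefix: str
    site: str
    vrf: str


def apply_vrf_mapping(vrf, mapping):
    """Rename a VRF per vrf_mapping; '' or None means no VRF was assigned."""
    raw = "" if vrf is None else vrf
    for new_name, spec in (mapping or {}).items():
        fold = spec.get("ignore_case", True)
        names = [n.casefold() if fold else n for n in spec.get("names", [])]
        if (raw.casefold() if fold else raw) in names:
            return new_name
    return raw


def _name_match(value, rule):
    """Match a site or VRF name against one {value, regex, ignore_case} rule."""
    flags = re.IGNORECASE if rule.get("ignore_case", True) else 0
    if rule.get("regex", False):
        # Assumption: patterns are anchored at the start only, as "VPN-.*" relies on.
        return re.match(rule["value"], value, flags) is not None
    return re.fullmatch(re.escape(rule["value"]), value, flags) is not None


def _key_hits(net, rules):
    """For each key present in a rule block, whether any entry in its list matched."""
    hits = {}
    if "networks" in rules:
        n = ipaddress.ip_network(net.prefix, strict=False)
        targets = [ipaddress.ip_network(p, strict=False) for item in rules["networks"]
                   for p in NAMED_NETWORKS.get(item, (item,))]
        hits["networks"] = any(n.version == t.version and n.subnet_of(t) for t in targets)
    if "sites" in rules:
        hits["sites"] = any(_name_match(net.site, r) for r in rules["sites"])
    if "vrfs" in rules:
        hits["vrfs"] = any(_name_match(net.vrf, r) for r in rules["vrfs"])
    return hits


def view_matches(net, view):
    """Exclude rules are OR'd (any hit rejects); include rules are AND'd across keys."""
    if any(_key_hits(net, view.get("exclude", {})).values()):
        return False
    return all(_key_hits(net, view.get("include", {})).values())  # all({}) is True


def assign_view(net, views):
    """Name of the view the network lands in, or None when it is not imported.
    Assumption: non-default views are tried in configuration order (the page lists
    its example "by order of precedence"), first match wins, the default view goes
    last, and smallest_v4_subnet is applied to the chosen view. The page's note that
    a network matching several views is skipped and logged is not reproduced."""
    ordered = [v for v in views if not v.get("default")] + [v for v in views if v.get("default")]
    for view in ordered:
        if view_matches(net, view):
            n = ipaddress.ip_network(net.prefix, strict=False)
            if n.version == 4 and n.prefixlen > view.get("smallest_v4_subnet", 31):
                return None
            return view["name"]
    return None


def validate_views(views):
    """Checks the page states: at most one default view, and it has no include rules."""
    defaults = [v for v in views if v.get("default")]
    problems = ["only one default Network View is allowed"] if len(defaults) > 1 else []
    problems += [f"default view {v['name']!r} must not have include rules"
                 for v in defaults if v.get("include")]
    return problems


# The page's vrf_mapping and full networkViews examples as Python literals
# (CLOUD_SITES stands in for the &cloud anchor).
EXAMPLE_VRF_MAPPING = {"default": {"names": [""], "ignore_case": True},
                       "example": {"names": ["test", "lab"], "ignore_case": True}}
CLOUD_SITES = [{"value": "(AWS|GCP|AZURE).*", "regex": True}]
EXAMPLE_VIEWS = [
    {"name": "VPN", "smallest_v4_subnet": 32,
     "include": {"vrfs": [{"value": "VPN-.*", "regex": True}]}},
    {"name": "Private", "include": {"networks": ["RFC1918"]},
     "exclude": {"sites": CLOUD_SITES}},
    {"name": "Private Cloud", "smallest_v4_subnet": 31,
     "include": {"sites": CLOUD_SITES, "networks": ["RFC1918"]}},
    {"name": "Public Cloud", "smallest_v4_subnet": 32,
     "include": {"sites": CLOUD_SITES}, "exclude": {"networks": ["RFC1918"]}},
    {"name": "Public", "default": True, "smallest_v4_subnet": 32,
     "exclude": {"sites": CLOUD_SITES, "networks": ["RFC1918"]}},
]
```

Running `assign_view` over a dump of your IP Fabric networks before the first real import is a cheap way to find rules that overlap or leave a whole site unmapped, since every result of `None` is a network the integration would silently skip.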