authorMark Goddard <mark@stackhpc.com>2018-08-30 15:15:38 +0100
committerMark Goddard <mark@stackhpc.com>2018-08-31 16:00:50 +0100
commit39ae5732dde4c7312ece54e8bbabc466d8a5e280 (patch)
tree311a6dee1d7d233969276ea030c7348aa5688e56
parent55a9efeffd2265bd355c23d7be2e1e77a919e03c (diff)
Support disabling inactive links for Juniper
Adds the necessary code to the Juniper Junos device driver to support disabling inactive links. This feature is enabled by setting the per-device config flag 'ngs_disable_inactive_ports'. Change-Id: I636613d0c910d10601422ad094f835c17a606e37 Story: 2003391 Task: 24933
Notes
Notes (review): Code-Review+2: Julia Kreger <juliaashleykreger@gmail.com> Code-Review+2: Dmitry Tantsur <divius.inside@gmail.com> Workflow+1: Dmitry Tantsur <divius.inside@gmail.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Mon, 01 Oct 2018 13:15:08 +0000 Reviewed-on: https://review.openstack.org/598997 Project: openstack/networking-generic-switch Branch: refs/heads/master
-rw-r--r--doc/source/configuration.rst22
-rw-r--r--networking_generic_switch/devices/netmiko_devices/juniper.py8
-rw-r--r--networking_generic_switch/tests/unit/netmiko/test_juniper.py24
3 files changed, 54 insertions, 0 deletions
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 19cee5f..9710ee2 100644
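--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -27,6 +27,9 @@ Switch configuration format::
  or ngs_mac_address. So, you can use the switch MAC address to identify
  switches if local_link_connection/switch_info is not set.
 
+Examples
+--------
+
 Here is an example of
 ``/etc/neutron/plugins/ml2/ml2_conf_genericswitch.ini``
 for the Cisco 300 series device::
@@ -192,3 +195,22 @@ timeout of 60 seconds before failing. This timeout can be configured as follows
  [ngs_coordination]
  ...
  acquire_timeout = <timeout in seconds>
+
+Disabling Inactive Ports
+========================
+
+By default, switch interfaces remain administratively enabled when not in use,
+and the access VLAN association is removed. On most devices, this will cause
+the interface to be a member of the default VLAN, usually VLAN 1. This could
+be a security issue, with unallocated ports having access to a shared network.
+
+To resolve this issue, it is possible to configure interfaces as
+administratively down when not in use. This is done on a per-device basis,
+using the ``ngs_disable_inactive_ports`` flag::
+
+ [genericswitch:device-hostname]
+ ngs_disable_inactive_ports = <optional boolean>
+
+This is currently supported by the following devices:
+
+* Juniper Junos OS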
diff --git a/networking_generic_switch/devices/netmiko_devices/juniper.py b/networking_generic_switch/devices/netmiko_devices/juniper.py
index 9445552..afa18fd 100644
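--- a/networking_generic_switch/devices/netmiko_devices/juniper.py
+++ b/networking_generic_switch/devices/netmiko_devices/juniper.py
@@ -54,6 +54,14 @@ class Juniper(netmiko_devices.NetmikoSwitch):
  'vlan members',
  )
 
+ ENABLE_PORT = (
+ 'delete interface {port} disable',
+ )
+
+ DISABLE_PORT = (
+ 'set interface {port} disable',
+ )
+
  ADD_NETWORK_TO_TRUNK = (
  'set interface {port} unit 0 family ethernet-switching '
  'vlan members {segmentation_id}',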
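Review bot: `ENABLE_PORT` and `DISABLE_PORT` carry no comment saying when they are sent, and the `Juniper` class body starts and ends outside this hunk, so the gating on the per-device flag is not visible here. A comment above `DISABLE_PORT` such as `# Sent only when ngs_disable_inactive_ports is set: a released port is shut down rather than left up without an access VLAN.` would record the security reason given in the configuration.rst text of this commit. Separately, `delete interface {port} disable` is sent on every plug, including for a port that was never disabled; Junos normally answers that with a "statement not found" warning, so it is worth confirming that the driver's error matching (not shown here) does not treat that output as a failure.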
diff --git a/networking_generic_switch/tests/unit/netmiko/test_juniper.py b/networking_generic_switch/tests/unit/netmiko/test_juniper.py
index b532513..27d1aab 100644
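--- a/networking_generic_switch/tests/unit/netmiko/test_juniper.py
+++ b/networking_generic_switch/tests/unit/netmiko/test_juniper.py
@@ -82,12 +82,36 @@ class TestNetmikoJuniper(test_netmiko_base.NetmikoSwitchTestBase):
 
  @mock.patch('networking_generic_switch.devices.netmiko_devices.'
  'NetmikoSwitch.send_commands_to_device')
+ def test_plug_port_to_network_disable_inactive(self, m_sctd):
+ switch = self._make_switch_device(
+ {'ngs_disable_inactive_ports': 'true'})
+ switch.plug_port_to_network(3333, 33)
+ m_sctd.assert_called_with(
+ ['delete interface 3333 disable',
+ 'delete interface 3333 unit 0 family ethernet-switching '
+ 'vlan members',
+ 'set interface 3333 unit 0 family ethernet-switching '
+ 'vlan members 33'])
+
+ @mock.patch('networking_generic_switch.devices.netmiko_devices.'
+ 'NetmikoSwitch.send_commands_to_device')
  def test_delete_port(self, mock_exec):
  self.switch.delete_port(3333, 33)
  mock_exec.assert_called_with(
  ['delete interface 3333 unit 0 family ethernet-switching '
  'vlan members'])
 
+ @mock.patch('networking_generic_switch.devices.netmiko_devices.'
+ 'NetmikoSwitch.send_commands_to_device')
+ def test_delete_port_disable_inactive(self, m_sctd):
+ switch = self._make_switch_device(
+ {'ngs_disable_inactive_ports': 'true'})
+ switch.delete_port(3333, 33)
+ m_sctd.assert_called_with(
+ ['delete interface 3333 unit 0 family ethernet-switching '
+ 'vlan members',
+ 'set interface 3333 disable'])
+
  def test_send_config_set(self):
  connect_mock = mock.MagicMock(netmiko.base_connection.BaseConnection)
  connect_mock.send_config_set.return_value = 'fake output'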
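Review bot: Both new tests check the command list with `m_sctd.assert_called_with(...)`, which only inspects the most recent call, so they would still pass if `send_commands_to_device` were invoked more than once; `m_sctd.assert_called_once_with([...])` would pin that `set interface 3333 disable` goes out in the same batch as the VLAN removal. The flag is only exercised as the string `'true'`; a companion case built with `{'ngs_disable_inactive_ports': 'false'}` and expecting the plain command list would show that the option is parsed as a boolean rather than treated as a non-empty string. The test class starts and ends outside this hunk, so an existing test may already cover part of this.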