Programmability and Automation on Cisco Nexus Platforms
BRKDCT-2459 Abhinav Modi, Technical Marketing Engineer @ Cisco
[email protected] / @abhinav_m

Agenda
• Why Programmability?
• Programmability on Nexus
• Provisioning and Bring-up
• On-Device Programmability features
• APIs and Protocols
• Containers and 3rd Party Application Hosting
• Configuration Management

Session Goals
• Understand the various use cases and aspects of Programmability
• Have an overview of various Nexus programmability tools and protocols
• Techniques you can use on your Nexus devices today, or in near future
• Cover Nexus Portfolio – N3k, N5/6k, N7k, N9k Stand-alone
• All demos are available at http://tinyurl.com/cleur-2016-brkdct-2459
Cisco Data Center Networks: Providing Choice in Automation and Programmability
• Application Centric Infrastructure: turnkey integrated solution with security, centralized management, compliance and scale; automated application-centric policy model with embedded security; broad and deep ecosystem
• Programmable Fabric: VXLAN-BGP EVPN, standards-based; 3rd party controller support; Cisco controller (VTS) for software overlay provisioning and management across N2K-N9K
• Programmable Network Infrastructure: modern NX-OS with enhanced NX-APIs; DevOps toolset used for network management (Puppet, Chef, Ansible etc.)
(Figure: a web / app / DB application on each option; VTS functions shown as connection creation, expansion, reporting and fault management.)
Automation, APIs, Controllers and Tool-chains

Why is Programmability Important?
• Save time
• Reduce human error
• Customize
• Innovate
Network Programmability: Considerations
• Scripting environments? Better diagnostics? Automated provisioning? Open source controllers?
• How does automation help with my objectives?
• How does automation work with my tools? Puppet, Chef, other?
• Optimize infrastructure? Address gaps in vendor offerings? What is their current state?
• Is dynamic configuration required? What is the rate of change in my environment?
• Training required? What skills and tools do I need to accelerate delivery of services?
• What am I aiming for? Realistic expectations?
Aligning expectations with skills and objectives…

Use Cases
(Figure: use cases plotted by risk, automation and complexity)
• Self Healing and Adaptive Networks
• Real Time Event Triggered Scripts
• DevOps Workflows
• Custom Integration
• Automated Provisioning
• Provision Subset of Existing Management Tools
• Scripted Pre-Provisioning
• Passive Network Monitoring and Data Visibility
• Automated Troubleshooting
Check your Copy and Paste folder for examples

What Can We Learn from DevOps?
(Figure: Development, Quality Assurance and Technology Operations overlapping as DevOps, with Network Operations still outside the circle)
Network Automation Enablers

Linux is the Home of Open Source
• Majority of tools and endpoints are Linux systems
• Aim for end-user proficiency
• Software development and DevOps are Linux cultures
• Containers, Linux utilities, BASH, Nexus 9000, cloud operating systems

Python and (Network) Programming
• Large user community, flexible language, easy to start
• Proficiency in other languages is great as well
• Understand the terminology and challenges
Ecosystem – Language
• Novice Programmers – Python
• Network Programming – Python
• Web Development – Ruby, Python
• Configuration Management – Python
• Containers – Go
• Enterprise Applications – Java, C++
• Scripting – Perl
• Web Applications – PHP
Git – Version Control
• Git is a Version Control System
• github.com is a free place to put public code
• Use it:
  • To search for libraries and software
  • To maintain your scripts, libraries, automation infra
  • To give back – share your code!

VIRL (Virtual Internet Routing Labs)
Platform operating system – virtualized as:
• IOS XR – IOS XRv
• NX-OS – NX-OSv
• IOS XE – CSR1000v
• IOS – IOSv
• Servers – Ubuntu, Cirros, 3rd party appliances
Virtual machines run the operating system but are NOT representations of a particular hardware platform – no fans, no switch fabric, no ASIC models

Virtual Internet Routing Labs (VIRL) – A Quick Way to Get Started with Networking Concepts
A network orchestration and virtualization platform that enables:
• Point-and-click network design
• Painless configuration
• Integration of platform-sync’d code
• Rapid setup and tear-down
• Seamless connectivity with ‘real’ networks
• Portability and repeatability
Cisco DevNet – developer.cisco.com
• Cisco’s Developer Community
• DevNet Portal, DevNet APIs & SDKs, Community, Developer Support, Events, DevNet Sandbox Platform

Nexus Programmability

Complete Nexus Product Portfolio
Nexus 2300 • Nexus 3100 • Nexus 5600 • Nexus 7000 • Nexus 9000 – 10G / 40G / 100G, with ACI on Nexus 9000
One Operating System – NX-OS
Operational Simplicity • Architectural Flexibility • Open/Programmable • Resilience and Scale • Investment Protection

Nexus Programmability Features
• Day-0 Provisioning – POAP, iPXE
• Base Features – SNMP, Native Python, EEM
• APIs – Netconf, XMPP, NX-API, REST NX-API
• Linux on the Switch – Linux Containers, Secure Guest Shell, Native Bash
• Configuration Management – Puppet, Chef, Ansible

Power On Auto Provisioning (POAP)

POAP – Bring up your switch … fast!!
• Easy Day-1 Bringup
• Automatic Provisioning
• Accurate, Consistent, Repeatable Configurations
• Minimize Operational Costs
• Reduce Deployment Time
Supported on Nexus 3000: 5.0(3), Nexus 5000: 5.1(3)N2(1), Nexus 7000: 6.1(2), Nexus 9000: FCS

POAP – Bring up your switch … fast!!
Components: Nexus switch; DHCP server; license, configuration and script server; software server.
1. Power-up phase: the switch starts the Power On Auto-Provisioning process
2. DHCP discover phase: the switch obtains an IP address, default gateway, script server and script file name
3. The switch downloads the script from the script server and executes it
4. The script downloads the configuration file, license and software images onto the switch
5. Reboot if needed; the switch comes up running the downloaded image and configuration
Steps 2–4 trust whatever answered the DHCP request, so run POAP on a controlled management segment and have the script verify image checksums before it installs anything.

Nexus 3/9k iPXE (Shipping!)
• Leverage existing compute deployment infrastructure (PXE/iPXE) for NX-OS
• Deploy NX-OS from a web / TFTP server
• Support IPv4 and IPv6 – DHCPv6 SLAAC and stateful configuration support
• NX-OS CLI option added to select either boot option
Flow: DISCOVER (v4/v6) → DHCP returns IP address and file/image URL → boot server (DHCP & HTTP/TFTP) serves the image from the NX-OS image repository → validate image checksum & boot
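The "validate image checksum & boot" step above, written out as an added example (this editor's code, not Cisco's POAP or iPXE implementation): download bytes are staged to a temporary file, hashed in chunks, compared against the published digest, and only then moved under the expected image name. The image bytes, the digest algorithm (SHA-512 here; pass algo="md5" if that is what the repository publishes) and the file names are constructed for the demo.

```python
"""Verify an NX-OS image against a published checksum before it is booted.

Added example, not from the Cisco deck: the check a POAP script or an iPXE
boot flow performs as "validate image checksum & boot". The image bytes,
file name and expected digest below are constructed for the demo.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB pieces; NX-OS images are hundreds of MB


def file_digest(path, algo="sha512"):
    """Hex digest of a file without loading all of it into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, expected_hex, algo="sha512"):
    """True only if the file's digest equals the expected one.

    hmac.compare_digest avoids leaking how many leading characters matched;
    for a local file a plain '==' would do, but the habit costs nothing.
    """
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def stage_image(image_bytes, expected_hex, install_dir, name="nxos.bin", algo="sha512"):
    """Write downloaded bytes to a temp file, verify, then move into place.

    Returns the final path, or None (and deletes the temp file) when the
    digest does not match, so a tampered or truncated download never lands
    in the install directory under the expected image name.
    """
    fd, tmp = tempfile.mkstemp(dir=install_dir, prefix=".dl-")
    with os.fdopen(fd, "wb") as f:
        f.write(image_bytes)
    if not verify_image(tmp, expected_hex, algo):
        os.unlink(tmp)
        return None
    final = os.path.join(install_dir, name)
    os.replace(tmp, final)  # atomic rename: either the verified image is there or nothing is
    return final


def check_bytes(image_bytes, expected_hex):
    """Stage into a scratch directory; True if the image was accepted."""
    with tempfile.TemporaryDirectory() as d:
        path = stage_image(image_bytes, expected_hex, d)
        return path is not None and os.path.exists(path)


def demo_results():
    """Constructed demo: a clean image and a copy with one byte appended."""
    image = b"NXOS-DEMO-IMAGE" * 1000
    good_sum = hashlib.sha512(image).hexdigest()   # what the repository would publish
    return check_bytes(image, good_sum), check_bytes(image + b"\x00", good_sum)


if __name__ == "__main__":
    good, tampered = demo_results()
    print("clean image accepted:", good)
    print("tampered image accepted:", tampered)
```

The temp-file-then-rename pattern matters as much as the hash: a script that writes straight to bootflash:nxos.bin and checks afterwards leaves a bad image in place if it is interrupted between the two steps.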
On-Board Python

On-Board Python – Are you leveraging it?
• Simple way to get stuff done
• No configuration required
• Integrate with EEM, Scheduler – get some data from the box and work on it!
• Use it for event based activity – where polling may not be possible

Interactive mode:
switch# python
Copyright (c) 2001-2012 Python Software Foundation; All Rights Reserved
>>> print "hello world"
hello world
>>> exit()
switch#

Non-interactive (script) mode:
switch# dir bootflash:scripts
     946    Oct 30 14:50:36 2013  crc.py
    7009    Sep 19 10:38:39 2013  myScript.py
   22760    Oct 31 02:51:41 2012  poap.py
switch# source crc.py
------
Started running CRC checker script
finished running CRC checker script
------

Some key modules
• syslog • Generate a syslog message with user defined severity and text
• cisco • Contains functions such as cli() to execute CLI commands from within Python
• json • Functions for converting data structures to/from JSON format
• User’s Pure Python module can be installed on switch!
How is Python being used?
• Run scripts manually via CLI
• Upgrade MOPs – EEM + Python for customizing interface bring-up timing
• Scheduler based – Periodic collection of data
Embedded Event Manager (EEM)
• Monitor events on the device and take actions
• Supported on IOS, IOS-XR and NX-OS
• Many default policies run in the background to manage switch health
Sample Events:
• Hardware changes (module OIR)
• Interface flaps
• Syslog pattern matches
• GOLD failures
Sample Actions:
• Send out an SNMP trap
• Generate a syslog message
• Run a Python script

Use Case: EEM Port Tracking

EEM Port Tracking
• Summary
• Bring down a secondary list of interfaces when primary interface goes down
• Description
• Monitor Link state for activity
• When a primary interface goes down, admin shut secondary links as well
• When a primary interface comes back up, trigger un-shut of the secondary interfaces
• Script : https://github.com/tecdct2941/scripts/blob/master/eem/port_check_applets
• All demos are available at http://tinyurl.com/cleur-2016-brkdct-2459
Use Case: Command Chaining

Nexus 3/9k Super Command – Command Chaining (Shipping!)
• A set of commands chained together so that interesting information can be passed through it.
• Useful for repetitive debugging
• Helps extract data related to a particular parameter (eg : IP address) instead of having to go through entire table / data
Flow: find the IP in ‘show ip arp’ → find its MAC in ‘show mac address-table’ → run ‘show cdp neighbor interface’ on that port and gather details → print out the ARP, MAC and CDP details → exit

Super-commands: Python
#!/usr/bin/env python
# supercommand.py – runs on the switch: python bootflash:supercommand.py <ip>
import argparse
import json
import cli   # NX-OS on-box module: cli.cli() returns text, cli.clid() returns JSON

parser = argparse.ArgumentParser(prog='Supercommand')
parser.add_argument('ip')
ip = parser.parse_args().ip

# 1. ARP: IP -> MAC and the L3 interface it was learned on
arp = json.loads(cli.clid('show ip arp %s vrf all' % ip))['TABLE_vrf']['ROW_vrf']['TABLE_adj']['ROW_adj']
ip, timer, mac, interface = arp['ip-addr-out'], arp['time-stamp'], arp['mac'], arp['intf-out']

# 2. CAM: MAC -> VLAN and physical/port-channel interface
for cam in cli.cli('show mac address-table address %s' % mac).split('\n'):
    if mac in cam:
        break
else:
    raise Exception('Unable to find %s in CAM output' % mac)
cam_fields = cam.split()
if cam_fields[0] in ['*', 'G', 'R', '+']:   # drop the leading flag column when present
    cam_fields.pop(0)
vlan, mac, entrytype, age, secure, ntfy, port = cam_fields

# 3. CDP: what is attached to that port
cdp = json.loads(cli.clid('show cdp neighbor interface %s' % port))['TABLE_cdp_neighbor_brief_info']['ROW_cdp_neighbor_brief_info']

print('Here is some information on %s :' % ip)
print(' ' * 4 + 'MAC address: %s ' % mac)
print(' ' * 4 + 'Local interface: %s ' % port)
print(' ' * 4 + 'VLAN: %s ' % vlan)
print(' ' * 4 + 'L3 gateway: %s ' % interface)
print(' ' * 4 + 'CDP Platform: %s ' % cdp['platform_id'])
print(' ' * 4 + 'CDP Device ID: %s ' % cdp['device_id'])
print(' ' * 4 + 'CDP Port ID: %s ' % cdp['port_id'])

Super-commands: Results
Query an IP connected to our switch:
Services2-116# python bootflash:supercommand.py 130.131.1.101
Here is some information on 130.131.1.101:
    MAC address: 0000.0c07.ac00
    Local interface: Po50
    VLAN: 231
    L3 gateway: Vlan231
    CDP Platform: N9K-C93128TX
    CDP Device ID: Services-nagtor-73(SAL1733B948)
    CDP Port ID: Ethernet1/100
Use an alias to integrate with the CLI:
Services-1-117(config)# cli alias name supercommand python bootflash:supercommand.py
Services-1-117# supercommand
usage: Supercommand [-h] ip
Protocols

Some Theoretical Concepts
Structured Output
• XML
• JSON
REST APIs

XML
• stands for “Extensible Markup Language”
• way to represent data

JSON
• stands for “JavaScript Object Notation”
• is a data format that uses human-readable text to transmit data objects consisting of attribute–value pairs
• is easy for machines to parse and generate
• is built on two structures:
  • a collection of name/value pairs
  • an ordered list of values

NX-API request (JSON):
{
  "ins_api": {
    "version": "1.0",
    "type": "cli_show",
    "chunk": "0",
    "sid": "1",
    "input": "sho ver",
    "output_format": "json"
  }
}

NX-API response (JSON):
{
  "ins_api": {
    "type": "cli_show",
    "version": "1.0",
    "sid": "eoc",
    "outputs": {
      "output": {
        "input": "sho ver",
        "msg": "Success",
        "code": "200",
        "body": {
          "header_str": "Cisco Nexus Operating System (NX-OS)",
          "kickstart_ver_str": "6.1(2)I2(2a)",
          "bios_cmpl_time": "05/28/2014",
          "kick_file_name": "bootflash:///n9000-dk9.6.1.2.I2.2a.bin",
          "rr_reason": "Reset Requested by CLI command reload",
          "rr_sys_ver": "6.1(2)I2(2a)",
          "rr_service": "",
          "manufacturer": "Cisco Systems, Inc.",
          "TABLE_smu_list": {
            "ROW_smu_list": {
              "install_smu_id": "n9000-dk9.6.1.2.I2.2a.CSCup81353.bin"
            }
          }
        }
      }
    }
  }
}

REST APIs / HTTP
• Stands for “Representational State Transfer”
• Architecture style for designing networked applications
• Uses HTTP(S) to make calls between entities
• Operates on resource representations, each one identified by a URL/URI
Example:
  Resource: person (xyz)
  Service: contact information (GET)
  Representation: name, address, phone number, in JSON or XML format

Uniform Resource Identifier (URI)
• There are two types of URIs
  • URL: Uniform Resource Locator
  • URN: Uniform Resource Name
• A URL has three important elements
  • Protocol/scheme: http, ftp, telnet, mailto, NNTP, etc.
  • Hostname: wwwin.cisco.com
  • Path and file name: /index.html
• Absolute vs. relative
URL examples:
  http://10.87.107.99/index.html
  https://10.87.34.16/#c:a.1|topology/pod-1/node-105/sys/ch/supslot-1/sup/sensor-1
  ftp://ftpeng.cisco.com
  mailto:[email protected]
  http://www.cisco.com/go/aci
  www.cisco.com/go/aci (relative)
  https://10.87.34.16/#c:a.1|topology/pod-1/node-105/sys/phys-[eth1/1]
Anatomy of a URL: scheme – host – optional port (80/443) – path and/or filename

REST Follows a Familiar Model
Web browsing: HTTP GET → HTML, which describes how data should be displayed to please a human viewer
REST API: HTTP GET → JSON/XML, which describes data in a format applications can understand
Example – Twitter, IDs of the last followers:
{"ids":[303776224, 19449911, 607032789, 86544242, 2506725913, 17631389], "next_cursor":0, "next_cursor_str":"0", "previous_cursor":0, "previous_cursor_str":"0"}

Now…Let’s Get to The Protocols

Netconf

NETCONF is an IETF Configuration Management Protocol
• Standards based: RFC 4741/6241
• Separates operational and configuration data management (show commands vs. config)
• Defines capabilities for managing configuration data
• Candidate buffer for validation of config before commit
• Locking the config space
Protocol stack: Content – Operations – Messages – Transport
NETCONF Uses a Client-Server Model
Transport requirements: connection-oriented, authenticated, reliable, trustworthy, secure

Clients Make Requests Using RPCs
Multiple client types possible: NMS, script, plugin, manual cut-n-paste

Netconf Operations
Base operations defined in RFC 6241:
• get – retrieve running configuration and device state
• get-config – retrieve all or part of a configuration data store
• edit-config – load all or part of a configuration into a data store
• copy-config – create or replace a data store with another
• delete-config – delete a (non-running) data store
• lock / unlock – lock a data store so that other sessions cannot change it
• close-session / kill-session – end the current or another session
NETCONF Data Stores: Target of Operations
Running • Startup • Candidate • URL…
• Data stores are named buckets that may hold an entire copy of the configuration
• Not all data stores are supported by all devices
• Running is the only mandatory data store
• Not all data stores are writable
  • Check the device’s capabilities
  • To make changes to a non-writeable data store, copy from a writable one

NETCONF Protocol Stack Summary
• Content – config / operational data
• Operations – get, get-config, edit-config, …
• Messages – rpc, rpc-reply
• Transport – SSH

Nexus 5/6/7K 7.3 – Netconf on Nexus
• Nexus currently supports get and edit-config on the running config
• Support for the following features in the 7.3 release:
  • Candidate
  • Validate
  • Commit, Confirm-commit
  • Rollback, Continue-on-Error
  • URL capability
  • Validate from XML/URL without adding to candidate
  • Copy
• Provides for flagging syntax errors before the buffer is committed to the configuration

Using Netconf – Some Tips
• To know any schema, pipe the command through the xmlin tool on the switch
  • E.g. “show interface | xmlin” returns the Netconf request to get show interface output from Nexus
  • No need to refer to schema documents – available on-box
  • Also available as an interactive command on the Nexus: type “xmlin” at the exec prompt
• For automation with Netconf: use ncclient
  • Supports various Cisco devices and vendors
  • Location: https://pypi.python.org/pypi/ncclient
Use Case: Configuration Rollback

Maintain Consistency in Case of Config Failures
• Multiple device configuration
• Use rollback-on-error when configuring the device
• If the config fails, Netconf will roll back the other config in that session
• Script logic to roll back the config on the other devices as well, using checkpoints

Netconf Rollback In Action …
1. Send hello to the switch
2. Configure a new port-channel
3. Error!!
4. Port-channel / MTU configuration was rolled back…
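The rollback-on-error exchange and the multi-device logic from the use case, as an added example (this editor's code, not the deck's demo and not ncclient): the edit-config RPC is assembled with the standard library so the message shape is visible, the rpc-reply is checked for <ok/> versus <rpc-error>, and the fleet loop returns which switches must be rolled back to their checkpoint when a later one fails. The <configure> body is a placeholder (take the real element layout from "show … | xmlin"), and the device names and both replies are constructed; with ncclient you would pass the same <config> subtree to manager.edit_config().

```python
"""NETCONF <edit-config> with rollback-on-error, plus the reply check that tells
a multi-device script which switches to roll back to their checkpoint.

Added example for the 'Using Netconf' tips and the 'Configuration Rollback'
use case; not the deck's demo. RPCs are built with the standard library so the
message shapes are visible. The <configure> body is a placeholder; device
names and both replies are constructed.
"""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"

# Placeholder body. NX-OS NETCONF config payloads live in this namespace, but the
# element names below are illustrative, not the real schema.
DEMO_CONFIG = (
    '<configure xmlns="http://www.cisco.com/nxos:1.0">'
    '<placeholder-port-channel id="50" mtu="9216"/>'
    '</configure>'
)


def build_edit_config(message_id, config_xml, target="running"):
    """Wrap a <config> body in <edit-config> that asks the agent to undo the whole
    change if any element fails, instead of leaving the switch half-configured."""
    rpc = ET.Element("{%s}rpc" % NC, {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, "{%s}edit-config" % NC)
    ET.SubElement(ET.SubElement(edit, "{%s}target" % NC), "{%s}%s" % (NC, target))
    ET.SubElement(edit, "{%s}error-option" % NC).text = "rollback-on-error"
    config = ET.SubElement(edit, "{%s}config" % NC)
    config.append(ET.fromstring(config_xml))
    return ET.tostring(rpc, encoding="unicode")


def parse_reply(reply_xml):
    """(ok, errors): ok only on <ok/>; errors is a list of (error-tag, message)."""
    root = ET.fromstring(reply_xml)
    if root.find("{%s}ok" % NC) is not None:
        return True, []
    errors = []
    for err in root.findall("{%s}rpc-error" % NC):
        tag = err.findtext("{%s}error-tag" % NC, "")
        msg = (err.findtext("{%s}error-message" % NC, "") or "").strip()
        errors.append((tag, msg))
    return False, errors


def push_to_fleet(devices, rpc_xml, send):
    """Apply one edit to each device in order; stop at the first failure.

    send(device, rpc_xml) -> rpc-reply XML. Returns (done, failed, errors): the
    devices in 'done' accepted the change and must be rolled back to their
    checkpoint ('rollback running-config checkpoint <name>') to keep the fleet
    consistent; the failing device already undid its own edit.
    """
    done = []
    for dev in devices:
        ok, errors = parse_reply(send(dev, rpc_xml))
        if not ok:
            return done, dev, errors
        done.append(dev)
    return done, None, []


# Constructed replies: leaf1 accepts, leaf2 rejects the edit.
REPLIES = {
    "leaf1": '<rpc-reply xmlns="%s" message-id="1"><ok/></rpc-reply>' % NC,
    "leaf2": ('<rpc-reply xmlns="%s" message-id="1"><rpc-error>'
              '<error-type>application</error-type><error-tag>invalid-value</error-tag>'
              '<error-severity>error</error-severity>'
              '<error-message>MTU out of range</error-message>'
              '</rpc-error></rpc-reply>' % NC),
}


def demo():
    """Push to three leaves; leaf3 is never reached because leaf2 fails first."""
    rpc = build_edit_config(1, DEMO_CONFIG)
    return push_to_fleet(["leaf1", "leaf2", "leaf3"], rpc, lambda dev, _rpc: REPLIES[dev])


if __name__ == "__main__":
    done, failed, errors = demo()
    print("roll back to checkpoint on:", done, "| failed:", failed, errors)
```

The point the demo slides make is that rollback-on-error only protects the device that rejected the edit; the script has to do the same for the devices that already said <ok/>, which is why push_to_fleet returns that list rather than just raising.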
NX-API

Introducing NX-API
• Request/response format: JSON-RPC / JSON / XML
• Transport: HTTP/S request/response
• NX-API web server on the switch
To enable:
Switch# conf t
Switch(config)# feature nxapi
Switch(config)# exit

NX-API Developer Sandbox – http://
To enable:
nx-osv-1# show run nxapi
version 7.2(0)D1(1)
feature nxapi
nxapi sandbox

NX-API Security
• HTTPS for secure communication
• Tied to NX-OS Role Based Access (RBAC) – a user logged in with a read-only role cannot make changes
• Every request carries the user’s credentials (HTTP Basic auth), so serve NX-API over HTTPS only (nxapi https port 443, no nxapi http) and have clients verify the switch certificate

Sample Script: Add Vlan using NXAPI
import requests   # Requests python module
import json

print("enter ip address")            # get IP address of switch
ip = input()
print("enter vlan to be configured")
vlanId = input()

myheaders = {'content-type': 'application/json-rpc'}
url = "http://" + ip + "/ins"        # URL of switch
username = "admin"
password = "ciscotme"

# Payload: conf t ; vlan <id> ; exit – one JSON-RPC call per command, each with its own id
payload = [
    {"jsonrpc": "2.0", "method": "cli", "params": {"cmd": "conf t", "version": 1}, "id": 1},
    {"jsonrpc": "2.0", "method": "cli", "params": {"cmd": "vlan " + vlanId, "version": 1}, "id": 2},
    {"jsonrpc": "2.0", "method": "cli", "params": {"cmd": "exit", "version": 1}, "id": 3},
]
response = requests.post(url, data=json.dumps(payload), headers=myheaders, auth=(username, password)).json()
NX-API: Sample Use Cases
• Data Collection and Display • Resources, Interface Statistics
• Switch Configuration and Feature Provisioning
• Consistency Checks • Cable Plan • VLAN • vPC
Use Case: NX-API VLAN Scale Check

VLAN Scale Check
• Checking VLAN scale on device periodically is useful • Script checks list of devices for number of VLANs configured • Alert if current configuration exceeds threshold (defined in script)
• Use NX-API for fetching VLAN count • Use NX-API to execute Python commands on the Nexus switch • The Python code generates a Syslog on the Nexus switch to alert the NOC
• Script : https://github.com/datacenter/nxos/blob/master/nxapi/samples/vlan_scale.py
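The VLAN script from the NX-API slide and the scale check above, redone with the checks a practitioner adds, as an added example (this editor's code, not the deck's and not the datacenter/nxos vlan_scale.py): TLS verification against a known CA, credentials from the environment instead of the script, per-command error checking of the JSON-RPC batch (an HTTP 200 does not mean every command succeeded), and a VLAN count that copes with NX-API returning a dict for one row and a list for many. The NXAPI_USER/NXAPI_PASS variable names, the TABLE_vlanbriefxbrief/ROW_vlanbriefxbrief keys and both switch replies are assumptions constructed for the demo; only send_jsonrpc() touches the network.

```python
"""NX-API JSON-RPC over verified HTTPS, per-command error checks, and the
VLAN scale check from the deck's use case.

Added example covering the 'Add Vlan using NXAPI' script and the 'VLAN Scale
Check' use case; it is not the deck's code. The switch address, CA file,
environment variable names and the replies below are constructed/assumed.
"""
import base64
import json
import os
import ssl
import urllib.request


def build_cli_payload(commands, method="cli"):
    """One JSON-RPC call per command; ids must be unique so replies can be matched."""
    return [{"jsonrpc": "2.0", "method": method,
             "params": {"cmd": cmd, "version": 1}, "id": i}
            for i, cmd in enumerate(commands, start=1)]


def send_jsonrpc(host, payload, cafile, username=None, password=None, timeout=20):
    """POST to https://<host>/ins, verifying the switch certificate against cafile.

    Credentials come from the environment (assumed names NXAPI_USER/NXAPI_PASS)
    so they never sit in the script or in shell history.
    """
    username = username or os.environ["NXAPI_USER"]
    password = password or os.environ["NXAPI_PASS"]
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/ins", data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json-rpc", "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)


def check_replies(payload, replies):
    """Map each request id to its result body and collect per-command errors.

    JSON-RPC 2.0 shape: a reply carries either 'result' or 'error'; a failed
    command in the middle of a batch must not be ignored because the HTTP
    status was 200.
    """
    wanted = {call["id"]: call["params"]["cmd"] for call in payload}
    results, errors = {}, []
    for reply in (replies if isinstance(replies, list) else [replies]):
        rid = reply.get("id")
        if "error" in reply:
            err = reply["error"]
            errors.append((wanted.get(rid), err.get("message"), (err.get("data") or {}).get("msg")))
        else:
            results[rid] = (reply.get("result") or {}).get("body")
    return results, errors


def table_rows(body):
    """Rows of the first TABLE_*/ROW_* pair in an NX-API body, always as a list
    (NX-API returns a dict for a single row and a list for several)."""
    for key, table in body.items():
        if key.startswith("TABLE_") and isinstance(table, dict):
            for rkey, rows in table.items():
                if rkey.startswith("ROW_"):
                    return rows if isinstance(rows, list) else [rows]
    return []


def vlan_count(show_vlan_body, id_key="vlanshowbr-vlanid"):
    return sum(1 for row in table_rows(show_vlan_body) if id_key in row)


def scale_alert(count, threshold):
    """Message for the NOC (e.g. via the on-box syslog module) when over threshold."""
    if count <= threshold:
        return None
    return "VLAN scale: %d configured, threshold %d" % (count, threshold)


# Constructed replies: 'show vlan brief' and 'conf t' succeed, 'vlan 5000' fails.
DEMO_PAYLOAD = build_cli_payload(["show vlan brief", "conf t", "vlan 5000"])
DEMO_REPLIES = [
    {"jsonrpc": "2.0", "id": 1, "result": {"body": {"TABLE_vlanbriefxbrief": {"ROW_vlanbriefxbrief": [
        {"vlanshowbr-vlanid": "1", "vlanshowbr-vlanname": "default"},
        {"vlanshowbr-vlanid": "10", "vlanshowbr-vlanname": "servers"},
        {"vlanshowbr-vlanid": "20", "vlanshowbr-vlanname": "mgmt"}]}}}},
    {"jsonrpc": "2.0", "id": 2, "result": {"body": {}}},
    {"jsonrpc": "2.0", "id": 3, "error": {"code": -32602, "message": "Invalid params",
                                          "data": {"msg": "% Invalid command"}}},
]


def demo(threshold=2):
    results, errors = check_replies(DEMO_PAYLOAD, DEMO_REPLIES)
    count = vlan_count(results[1])
    return count, scale_alert(count, threshold), errors


if __name__ == "__main__":
    print(demo())
```

In production the call is send_jsonrpc("switch.example.net", DEMO_PAYLOAD, "/etc/ssl/nexus-ca.pem") followed by check_replies; the demo skips the network and feeds the constructed replies straight into the same parsing path.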
REST NX-API

Why?
• CLIs:
  • Synchronous – need to wait until each CLI completes
  • Order-dependent (conf t ; router bgp ; neighbor…)
  • Non-structured output
  • Update to config / replacement requires “no bgp” and reconfigure
• NX-API:
  • Evolution over CLIs – structured output!!
  • Still synchronous and order dependent
Nexus 3/9k Open NX-OS Programmability (Shipping!) – Model Driven Automation
(Figure: Netconf clients (transport SSH, data XML), REST NX-API clients and SNMP on the outside; on the switch Python, TCL, Bash, the NGINX-based NX-API server, the Netconf server and the SNMP agent reach the Data Management Engine either through the CLI (VSH) or directly; the engine commits transactions against the Object Store (BGP, VLAN, LACP, ACL, QoS, …) and reports a status of success or raised fault.)

REST NX-API Details
• Everything is an object
• All elements accessible via REST Interface :
• Configuration Elements
• Faults
• Events
• Operational Data (example operational state of an interface)
• Statistics
• Features supported in 7.0(3)I2(1): BGP, VLAN, LACP, ACL, QoS, UDLD, CDP, MAC, DHCP, DNS, RBAC, AAA, SVI, Logging, NTP, VRRP
Push Notifications
• Clients (management apps) can subscribe to events and alarms on the switch
• The WebSocket protocol (RFC 6455) is used to create the communication mechanism
• The switch can send asynchronous events/notifications to the client(s)
• Sample subscription to a query: http://switch-ip/api/node/mo/sys/phys-[eth1/42].json?query-target=subtree&subscription=yes
Object Based Programmability – the BGP object three ways
CLI:
router bgp 65000
  router-id 1.1.1.1

NX-API POST request – POST http://Switch-IP/ins with {'content-type': 'application/json-rpc'}:
[
  {"jsonrpc": "2.0", "method": "cli", "params": {"cmd": "config t", "version": 1}, "id": 1},
  {"jsonrpc": "2.0", "method": "cli", "params": {"cmd": "router bgp 65000", "version": 1}, "id": 2},
  {"jsonrpc": "2.0", "method": "cli", "params": {"cmd": "router-id 1.1.1.1", "version": 1}, "id": 3}
]

NX-API REST POST request – POST http://Switch-IP/api/mo/sys/bgp/inst.json:
{
  "bgpInst": {
    "attributes": {"asn": "65000"},
    "children": [
      {"bgpDom": {"attributes": {"name": "default", "rtrId": "1.1.1.1"}}}
    ]
  }
}

Configuring BGP using REST NX-API Script
#!/usr/bin/python
import http.client, json, sys, time


def post_aaa_auth(mgmt_ip, user_name="admin", pwd="cisco"):
    # Log in once; the returned cookie authenticates the following requests
    payload = {"aaaUser": {"attributes": {"name": user_name, "pwd": pwd}}}
    headers = {"Content-type": "application/json", "Accept": "text/plain"}
    url = "http://{0}/api/aaaLogin.json".format(mgmt_ip)
    conn = http.client.HTTPConnection(mgmt_ip)
    conn.request('POST', url, json.dumps(payload), headers)
    response = conn.getresponse()
    if response.status == 200:
        return response.getheader('set-cookie')
    else:
        return None


def config_using_rest(cookie, mgmt_ip, data):
    # POST each (url, payload) pair in order; returns the HTTP status of each call
    headers = {'Content-type': 'application/json', 'Accept': 'text/plain', 'Cookie': cookie}
    conn = http.client.HTTPConnection(mgmt_ip)
    statuses = []
    for i in range(len(data)):
        if i == 2:
            time.sleep(3)   # the deck's script pauses here before the domain objects
        url = "http://{0}/api/mo/{1}".format(mgmt_ip, data[i][0])
        conn.request('POST', url, json.dumps(data[i][1]), headers)
        response = conn.getresponse()
        print(url)
        print("Response data :", response.read())
        statuses.append(response.status)
    return statuses


if __name__ == "__main__":
    # Array of (url, payload): parent objects first, children after
    data = [
        ('sys/bgp.json', {"bgpEntity": {"attributes": {}}}),
        ('sys/bgp/inst.json', {"bgpInst": {"attributes": {"asn": "200"}}}),
        ('sys/bgp/inst/dom-default.json',
         {"bgpDom": {"attributes": {"name": "default", "rtrId": "10.10.10.12"}}}),
        ('sys/bgp/inst/dom-default/peer-[10.10.10.11].json',
         {"bgpPeer": {"attributes": {"addr": "10.10.10.11", "asn": "100"}}}),
        ('sys/bgp/inst/dom-default/peer-[10.10.10.11]/af-ipv4-ucast.json',
         {"bgpPeerAf": {"attributes": {"type": "ipv4-ucast"}}}),
        ('sys/bgp/inst/dom-default/af-ipv4-ucast.json',
         {"bgpDomAf": {"attributes": {"type": "ipv4-ucast"}}}),
        ('sys/bgp/inst/dom-default/af-ipv4-ucast/prefix-[100.100.0.0/16].json',
         {"bgpAdvPrefix": {"attributes": {"addr": "100.100.0.0/16"}}}),
        ('sys/bgp/inst/dom-default/af-ipv4-ucast/prefix-[168.10.10.0/24].json',
         {"bgpAdvPrefix": {"attributes": {"addr": "168.10.10.0/24"}}}),
        ('sys/bgp/inst/dom-default/af-ipv4-ucast/prefix-[192.0.0.0/8].json',
         {"bgpAdvPrefix": {"attributes": {"addr": "192.0.0.0/8"}}}),
    ]

    # switch: ng9
    mgmt_ip = '172.26.246.86'
    cookie = post_aaa_auth(mgmt_ip, 'admin', 'ciscotme')
    if cookie is None:
        print("Unable to authenticate.")
        sys.exit(1)
    print(config_using_rest(cookie, mgmt_ip, data))

The script sends the login password and the session cookie over plain HTTP; on a real switch use HTTPSConnection against the HTTPS port and keep the credentials out of the file.

Script in Execution …

Result on the Switch (before / after screenshots)
XMPP

What is XMPP? Answer: Instant Messaging Protocol!
• Open standard
• 1:1 or 1:N (group) communication
• Provides auto sensing of presence
• Secure
• Popular: Cisco Jabber, Gtalk; clients: Jabber, Pidgin and many more
• Entities can be humans, bots (software processes), servers and devices
(Figure: hosts H1–H4 and an XMPP server, with Group 1 and Group 2 chat rooms)

Accessing Devices with XMPP
(Figure: a Pidgin user or a Python bot sends commands to device entities or groups through the XMPP server; entities return output and return values)

XMPP Use Cases
• Network Admin – Quick Checks, Configuration
• Presence Monitoring
• Scripts – Data Collection, Provisioning
• DFA Fabric with DCNM and integrated XMPP
XMPP and Python – Writing a python bot
• Accessing NX-OS with Python with the xmpppy library – http://xmpppy.sourceforge.net
import xmpp                               # XMPP python module

cmd = "show vlan\n"
jid = "[email protected]"                 # my JID
pwd = "test123"
to = "[email protected]"                  # JID of device

jid = xmpp.protocol.JID(jid)
cl = xmpp.Client(jid.getDomain(), debug=[])
cl.connect()                              # connect to XMPP server
cl.auth(jid.getNode(), pwd)
cl.sendInitPresence()                     # send presence
message = xmpp.Message(to, cmd)           # create message
message.setAttr('type', 'chat')
cl.send(message)                          # send message

XMPP on NX-OS
feature fabric access
hostname leaf1                                      ! hostname is used for identification
ip host test-xmpp-server.cisco.com 192.168.1.100    ! required if no DNS for the domain
…
fabric access server dcnm-ova.cisco.com vrf management password 7 xyz
fabric access group all-nodes leaf-nodes            ! XMPP chat groups
fabric access ping interval 60 response 10 retry 5

leaf1# show fabric access connections
XMPP Ping : Status = Enabled
            Interval = 60 second(s)
            Response = 10 second(s)
            Retry = 5 time(s)
XMPP Payload CDATA-Encapsulated : Enabled
Device Connection : JID = [email protected]/(fmgr-device)(TB01010000B)   ! the JID identifies the host in Jabber; host S/N included in the JID
                    State = AUTHENTICATED

XMPP on NXOS
• Supported on Nexus
• XMPP supports up to privilege level 15 (configuration mode)
• NX-OS devices use their hostname to login to the XMPP service
• Any XMPP server software can be used
XMPP and DFA – Cisco Prime Data Center Network Manager
• Data Center Network Manager release 7.0(1) integrates the Cisco Jabber daemon
• DCNM is delivered as an OVA that can be deployed on a VMware ESX server
• The XMPP DB is populated via POAP information – no need to add nodes separately!
(Figure: DCNM provides setup, visualization, management and monitoring of data center infrastructure (network – compute – storage); templates plus user variables populate the POAP DB, and the POAP status and group values populate the XMPP DB for the NX-OS hosts)

Comparison of Nexus Programmability Technologies
Technology – On/off box – Data format – Possible use cases – Good for configuration management
• Native Python – On box – ASCII/XML/JSON – Scripts on-box for analysis, data collection – No
• XMPP – Off box – ASCII/XML – Control many switches without CM; used by DFA – Yes
• Netconf – Off box – XML – Config/operational data with config validation – Yes
• NX-API – Off box – XML/JSON – Easy operational data access, web apps – Yes
• REST NX-API – Off box – JSON – Better configuration model, web apps – Yes
To Sum Up…
Credit : XKCD
Linux Containers, Guest Shell and Bash

Device Accessibility
From closed system to open system: Application Hosting (OVA) → Guest Shell → Native Python → NX-API → Bash
• Safely build and run applications on our network devices
• Open up access to the device
• Access underlying features and capabilities
• Use familiar tools, local on-device analysis
Secure Guest Shell
Native shell (Bash + RPMs) and Guest Shell (built-in secure Linux container environment with a customizable root file system)
(Figure: native Bash and Linux processes in the global namespace next to Bash and Linux processes in the guestshell namespace; each has its own root file system and RPM packages on one kernel using cgroups and LSM)
• A controlled open environment from which the host “can’t” be corrupted
• Secure common-distro CentOS 7 environment in which the customer may install their own custom applications
• Use the “guestshell resize” command to restrict the CPU/memory/rootfs resources available to the Guest Shell

Guest Shell 2.0
• It’s an open Linux environment, decoupled from NX-OS
• It allows running applications that monitor, control and extend the switch
• Open source tools, utilities, applications, Puppet, Chef; DevOps apps, 3rd party apps, Python and Cisco packages run inside it, with bootflash: enabled
• 64-bit CentOS 7 application environment in a Secure Linux Container (sLXC)
• Supported on Nexus 3K and 9K today

Use Case: On-Device Config Versioning

On Device Git – https://github.com/datacenter/nxos
• Git provides a free, open-source version control mechanism • Easy to learn • Tiny footprint • Large community • Git package available within Guestshell environment:
[guestshell@guestshell ~]$ git --version git version 1.8.3.1 [guestshell@guestshell ~]$
Demo – On Device Git
• Summary • Implement Config snapshot / Diff on switch using Git in guestshell
• Description • Git runs on the switch in a guestshell • Use EEM to copy running-config to the Git repo on config change • Sync Git repo to github
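The snapshot/diff step of this demo, as an added example (this editor's code, not the deck's guestshell/EEM/Git demo): two running-config snapshots are normalised (the volatile "!Command:" / "!Time:" header lines NX-OS prints on every "show running-config" are dropped so they do not show up as drift), diffed, and the added or removed lines that touch authentication, shells, APIs, ACLs or logging are singled out for an alert. Both snapshots and the list of sensitive prefixes are constructed for the demo; on the switch the inputs would be the before/after files the EEM applet copies into the Git repo.

```python
"""Snapshot/diff of NX-OS running-config, as the EEM + Git use case does on the
switch, with a filter that singles out the changes worth an alert.

Added example (not the deck's demo). The two configs are constructed and the
list of 'sensitive' prefixes is this editor's choice.
"""
import difflib
import re

# Header lines NX-OS regenerates on every 'show running-config'; not real drift.
VOLATILE = re.compile(r"^!(Command|Running configuration last done at|Time|No configuration change)")

# Config lines whose addition or removal should page someone, not just be logged.
SENSITIVE = (
    "username ", "role name ", "aaa ", "tacacs-server ", "radius-server ",
    "snmp-server community ", "snmp-server user ", "feature nxapi", "feature bash-shell",
    "feature ssh", "feature telnet", "nxapi ", "ip access-list ", "ipv6 access-list ",
    "logging server ", "line vty", "ssh key", "guestshell",
)


def normalize(text):
    """Drop volatile header lines and trailing whitespace so diffs show only config."""
    return [ln.rstrip() for ln in text.splitlines() if not VOLATILE.match(ln)]


def config_diff(old, new, name="running-config"):
    """Unified diff (as a list of lines) between two snapshots; empty when only
    the volatile headers changed."""
    return list(difflib.unified_diff(normalize(old), normalize(new),
                                     fromfile=name + " (before)", tofile=name + " (after)",
                                     lineterm=""))


def sensitive_changes(diff_lines):
    """(sign, line) for each added/removed line that starts with a SENSITIVE prefix."""
    hits = []
    for ln in diff_lines:
        if len(ln) < 2 or ln[0] not in "+-" or ln.startswith(("+++", "---")):
            continue   # headers, hunk markers and context lines
        body = ln[1:].strip()
        if body.startswith(SENSITIVE):
            hits.append((ln[0], body))
    return hits


# Constructed snapshots; the password hashes are placeholders.
BEFORE = """!Command: show running-config
!Time: Tue Feb  2 10:00:00 2016
version 7.0(3)I2(1)
hostname leaf1
feature nxapi
username admin password 5 $5$abc role network-admin
vlan 1,10,20
interface Ethernet1/1
  description to-spine1
  mtu 9216
"""

AFTER = """!Command: show running-config
!Time: Tue Feb  2 10:05:00 2016
version 7.0(3)I2(1)
hostname leaf1
feature nxapi
feature bash-shell
username admin password 5 $5$abc role network-admin
username svc-backup password 5 $5$xyz role network-admin
vlan 1,10,20,30
interface Ethernet1/1
  description to-spine1
  mtu 9216
"""


def demo():
    diff = config_diff(BEFORE, AFTER)
    return diff, sensitive_changes(diff)


if __name__ == "__main__":
    diff, hits = demo()
    print("\n".join(diff))
    for sign, line in hits:
        print("ALERT %s %s" % (sign, line))
```

The VLAN change appears in the diff but not in the alert list; a new local account and a newly enabled Bash shell do. That split (commit everything, alert on a short list) is what makes the on-box Git history useful to an incident responder rather than just noisy.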
Native Shell

Nexus 3/9k Native Shell (Shipping!)
•Issue a CLI to gain access to Linux Bash Shell
•Leverage favorite Linux commands like ps, grep etc.
•Role-based access, only for network-admin or dev-ops role
•Use Cases : •Tcpdump, Bash has access to front-panel ports •Install 3rd Party applications via RPMs
Manage Your Switch Like a Server: Linux Networking in the Native Shell
• Leverage the Linux command toolkit for monitoring, configuration and troubleshooting: # tcpdump -i Eth1-1
• Use ethtool to display detailed interface statistics: • # ethtool –S Eth2-1
• Use ifconfig to change mtu for an interface to jumbo MTU: • # ifconfig Eth2-1 mtu 9000
• Use ip route to add a static route: • # ip route add 203.0.113.0/24 via 198.51.100.2
• Interface configuration and routes are synchronized between Linux and NX-OS
3rd Party Apps in the Native Shell

Configuration Management

Configuration Management Software

Introducing Configuration Management Software
• DevOps: Applying IT Tools to Network Management
• Switch as Server
• Manage multiple devices and the automation around it
• Repeatable, Granular Tasks
• Crowd Sourced Scripts, modules
Agent v/s Agent-less Architecture
• Agent based CM is “pull based”
  • The agent on the managed device connects with the master for config information periodically
  • Changes made on the master are pulled down and executed
• Agent-less CM is “push based”
  • CM scripts are run on the master
  • Scripts connect to the managed device and execute the tasks
  • No timer, control lies with the master
  • Ansible is agent-less
All CM tools provide:
• Audit logging of change
• Concept of no-op runs

NX-OS Chef/Puppet
• Goal: automated configuration and management on a Nexus (and on the servers)
• Users define their intent through a manifest (recipe in Chef)
• Reusable set of configuration or management tasks
• The manifest can be deployed on numerous devices
• When deployed on a Nexus switch, it translates into network configuration settings
Cisco Nexus with Puppet
• Day 0 – Install: Power On Auto Provisioning (PoAP)
• Day 1 – Configure & Operate: NX-OS features and protocols
• Day 2 – Optimize, Compliance: tcollector on Nexus and compliance check
• Day N – Upgrade, Patching: NX-OS patching

NX-OS Chef/Puppet
• Puppet agent RPM available on Github/Puppetforge; yum/RPM install of puppet/chef.rpm from a Linux software repository
• Install the Cisco Puppet module on the Puppet master server
• The switch agent polls the Puppet/Chef master for updated catalog/cookbooks and attempts to converge the switch to the desired state
(Figure: on NX-OS, the Cisco Puppet/Chef agent runs as a native Linux service (/etc/init.d/puppet.d & chef.d) and the Cisco Puppet/Chef module talks to NX-API; both report to the Puppet/Chef master server)

Chef and Puppet Agent: Types/Provider Support
• Agent RPM installed on the switch
• Supported agent types/providers for 7.0(3)I2(1) (soon on N5/6/7k)
• Cisco Network Element Chef/Puppet module code published on Git and Forge/Supermarket
• The agent is extensible beyond what we support by default by using the utility classes, or by embedding CLI using the cisco_command_config resource construct
Chef/Puppet agent types/providers: cisco_vtp, cisco_tacacs_server, cisco_tacacs_server_host, cisco_snmp_server, cisco_snmp_community, cisco_snmp_group, cisco_ospf, cisco_ospf_vrf, cisco_vlan, cisco_bgp, cisco_bgp_vrf, cisco_interface, cisco_interface_ospf, cisco_interface_vlan
Type/Provider roadmap: VXLAN EVPN – Q1CY16; Virtual Port Channel – Q2CY16; Segment Routing – Q3CY16

Ansible
• Agentless
• Support for multiple scripting languages
• Orchestration
• Simplicity
• Human Readable Files (YAML)
Configure a Server with Ansible
• The Ansible orchestration engine runs on a server: modules, playbooks, APIs and libraries live there
• Playbooks and inventory are present on this server
• Only requirement on the managed node: SSH and Python
• Push model (via SSH to the compute nodes)
• When a playbook is executed:
  • Ansible SSHes into the managed device
  • Copies a Python script to /tmp
  • The Python script gets locally executed on the managed device

Ansible Playbook
---
- hosts: webservers          # inventory file holds the list of target servers
  vars:
    http_port: 80
    max_clients: 200
  remote_user: root
  tasks:
  - name: ensure apache is at the latest version
    yum: name=httpd state=latest    # module, followed by the arguments to the module

Configure a Nexus Switch with Ansible
• Install the nxos-ansible Ansible library and the pycsco Python module
• When Ansible processes the playbook, it uses nxos-ansible to convert the modules to Cisco CLI
• Those CLIs are then sent to the switch via NX-API, using pycsco
• https://github.com/jedelman8/pycsco
• https://github.com/jedelman8/nxos-ansible
• No need for Python on the switch – just enable the NX-API feature

Use Case: Operational Data Collection
111 Gather Operational Data
• Summary
  • Gather operational data from multiple switches
• Description
  • Playbook to gather show version and related information from all nodes listed in the inventory file
  • Dump the gathered information to different files, each named after the switch hostname
• Script : https://github.com/datacenter/nxos/blob/master/ansible/nexus_get_facts.yml
112 Use Case Provisioning a VXLAN Fabric
113 Provisioning is a two-step process: the Underlay and then the Overlay
114 (1) VXLAN Underlay
(Diagram: edge devices with IP interfaces connecting local LAN segments, physical hosts, and virtual hosts behind a virtual switch)
115 (2) VXLAN Overlay
(Diagram: VTEPs encapsulating traffic between local LAN segments, physical hosts, and virtual hosts behind a virtual switch)
• VTEP – VXLAN Tunnel End-Point
• VNI/VNID – VXLAN Network Identifier
116 Here’s how we do it with Ansible…
117 We use Ansible’s “Role” Feature
Leaf Role
• Underlay:
  1. IP address + Loopback + IGP on all links between spine and leaf
  2. Enable Multicast
• Overlay:
  1. Configure VNIs and associate with VLANs
  2. Configure SVIs
  3. Configure VRFs
  4. Configure BGP EVPN Neighbors (Spines)
  5. Configure NVE Interface
Spine Role
• Underlay:
  1. IP address + Loopback + IGP on all links between spine and leaf
  2. Enable Multicast and Anycast RP
  3. Enable IGP for this RP
• Overlay:
  1. Configure BGP Route Reflector
Playbook available at : https://github.com/abhinavmodi/nxos-ansible/tree/master/provision-dc
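A Python sketch, added here and not part of the playbook above or of pycsco, of what the leaf role's overlay steps and the "convert modules to CLI, push via NX-API" path amount to: it renders VNI/VLAN and NVE lines from constructed values and wraps them in an NX-API JSON-RPC batch (the transport assumed here; pycsco's own request format may differ), then picks out rejected commands from the reply.

```python
import base64
import json
from urllib import request


def leaf_overlay_cli(vni_to_vlan, mcast_group):
    """Leaf role overlay steps 1 and 5 from the slide: map each VNI to a VLAN,
    then add the VNIs as members of the NVE interface (hypothetical renderer,
    constructed values; the real playbook uses Ansible roles and templates)."""
    cmds = []
    for vni, vlan in sorted(vni_to_vlan.items()):
        cmds += ["vlan %d" % vlan, "vn-segment %d" % vni]
    cmds += ["interface nve1", "no shutdown", "source-interface loopback0",
             "host-reachability protocol bgp"]
    for vni in sorted(vni_to_vlan):
        cmds += ["member vni %d" % vni, "mcast-group %s" % mcast_group]
    return cmds


def nxapi_jsonrpc_batch(cmds):
    """Wrap CLI lines in an NX-API JSON-RPC 2.0 batch (method 'cli'); each
    command keeps its own id so a failure can be tied back to a line."""
    return [{"jsonrpc": "2.0", "method": "cli",
             "params": {"cmd": c, "version": 1}, "id": i}
            for i, c in enumerate(cmds, start=1)]


def send_batch(switch, user, password, cmds, scheme="https"):
    """POST the batch to the switch's /ins endpoint with HTTP basic auth.
    Assumes 'feature nxapi' is enabled; https keeps credentials and config
    off the wire in clear text. Network call, not exercised by the test."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = request.Request("%s://%s/ins" % (scheme, switch),
                          data=json.dumps(nxapi_jsonrpc_batch(cmds)).encode(),
                          headers={"Content-Type": "application/json-rpc",
                                   "Authorization": "Basic " + token})
    with request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def failed_ids(responses):
    """A JSON-RPC reply carries 'error' instead of 'result' for a command the
    switch rejected; return those ids so the play can stop at the first one."""
    return [r["id"] for r in responses if "error" in r]
```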
118 Snapshots of the Playbooks
119 Ansible 2.0 just released!
• Module to connect to Cisco switches now a core Ansible module
  • Part of the Ansible 2.0 codebase and supported by Ansible
• Can connect to Nexus switches using
  • NX-API
  • SSH
• Watch out for Ansible 2.0 samples with Nexus soon, at http://github.com/datacenter/nxos
120 Putting it all Together
121 Key Takeaways
• “Programmability” has various connotations: clarify the context!
• Nexus switches support multiple technologies
• Evolution of protocols towards open APIs
• DevOps and Configuration Management: Leverage existing IT Management Best Practices
• Crowd source, reuse! GitHub, open source code
122 Use Cases
(Chart: use cases positioned along Risk, Automation and Complexity axes, with the matching Nexus tools added as the slide builds)
• Passive Network Monitoring and Data Visibility
• Automated Troubleshooting
• Scripted Pre-Provisioning
• Scripts
• Real Time Event Triggered Workflows
• Integration with a Subset of Existing Management Tools
• Custom Provisioning
• Automated Provisioning
• DevOps
• Self Healing and Adaptive Networks
Tools overlaid on the chart, in build order: POAP/PXE; Python; EEM; NX-API, Netconf, XMPP; Puppet/Chef/Ansible
Axes: Risk, Automation, Complexity
122 Credit : XKCD AGAIN
129 Additional Resources
• Getting started with Python
  • codeacademy.org, MOOCs (Coursera)
• Github
  • https://github.com/datacenter/nxos (scripts used in this session are posted here)
  • https://github.com/datacenter/nexus9000
  • https://github.com/datacenter/nexus7000
• NX-API DevNet Community - https://developer.cisco.com/site/nx-api/
• Breakout Session Videos: http://tinyurl.com/cleur-2016-brkdct-2459
130 Call to Action
• Visit the World of Solutions for
  • Cisco Campus – Programmability Booth
  • Walk-in Labs – LABNMS-1023, covering basics of NX-API and Ansible
• DevNet Booths on Enterprise Device Programmability, Puppet and Chef
  • VIRL in DevNet Area
  • DevNet-1075 – Configuration Management Tools on NX-OS
  • DevNet-1077 – Automation with NX-OS: Let’s Get Started!
• Other Related Breakout Sessions
  • BRKDCT-2025: Maximizing Network Programmability and Automation with Open NX-OS
131 Your Feedback is Important!
132 Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations