IOS XE : Enabling the Digital Network Architecture

Muhammad A Imam, BRKARC-3300

Cisco Spark

Questions? Use Cisco Spark to chat with the speaker after the session

How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKCRS-3300

Cisco Spark spaces will be available until July 3, 2017.

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

The goal of this session is to give you an understanding of what IOS-XE 16.x is, why you would care and how it works.

Agenda

• Cisco IOS and its Evolution

• The Vision of IOS XE

• IOS XE Architecture

• Benefits of the New Architecture

• Wrap up & Summary

Muhammad A Imam, Sr. Manager Technical Marketing, CCIE #27739, @m_a_imam

Muhammad currently works as a Sr. Manager Technical Marketing for the Data Center & Enterprise Switching Group. Muhammad joined Cisco in 2008 and has around 15 years of experience in the networking industry. Currently he leads a team of Catalyst Products TMEs. He is one of the first TMEs to work on Catalyst 3850/3650 and has worked on all Catalyst Switching products over the years. He also contributes to Enterprise Network designs and Next Generation Platform Architectures. In the past he has held roles in Development, Test and Support of different products ranging from Routers, Switches, Firewalls, etc. Muhammad holds a Masters degree in Electrical & Computer Engineering. He also maintains a CCIE #27739 in Routing and Switching.

Historical View of Cisco IOS

[Timeline figure: Historical View of Cisco IOS. Items shown: IOS (1986), IOS-XR (2004), NX-OS (2008); IOS trains 9.x, 10.x, 11.x, 12.x (12.2S, 12.2SX, 12.2SE, 12.2SR, 12.2SG), IOS 15.x, IOS XE 3.x, IOS XE Denali 16.1; BinOS, NOVA, M&T Release 6.0; platforms AGS, Cat4K, ASR1000, ISR, Cat3850 (LAN Switching, Remote Access, WAN Switching). Year axis: 1984, 1986, 1993, 2007, 2009, 2010, 2015. Timeline unevenly distributed.]

Historical View of Networks

[Timeline figure: Historical View of Networks. Eras: Connect multiple Networks; Internet Era; BYOD, Video, Cloud; Digitization. Platforms: AGS Router, Cat4K, ASR1000, ISR, Cat3850 (LAN Switching, Routers & Switches, Remote Access, WAN Switching). Year axis: 1984, 1986, 1993, 2007, 2009, 2010, 2015. Timeline unevenly distributed.]

Introduction to DNA

Network Requirements for the Digital Organization

• Insights & Actions: Drive Business Innovations
• Automation & Assurance: Speed, Simplicity and Visibility
• Security & Compliance: Real-time & Dynamic Threat Defense

Cisco Digital Network Architecture (DNA)

Digital Network Architecture – What’s New

Network-enabled applications

[Architecture diagram. Cloud Service Management: DNA Center (APIC-EM, ISE, NDP) providing Policy, Orchestration, Automation, Identity and Analytics, with Open APIs and a Developers environment. Intent → Network Policy; Identity → Access Policy; Network Data → Insights. SD-Access & Assurance: Open & Programmable | Standards-based. Infrastructure: Physical & Virtual | Network Function Virtualization | App Hosting; Secure | Cloud-enabled | Software-delivered (CAT9K).]

The Vision of IOS-XE Denali

Forward Vision – IOS XE Denali 16.x.y

Manageability: Prime Infra., APIC-EM, WebUI (via CLI, SNMP, RESTConf, NETConf)

Operating System: Unified Software Stack (IOS-XE 16)

Platform: ASICs/CPU (Switches, Wireless, Routers)

One OS Across Enterprise Platforms

One OS

Network Administrator

• Enables rapid deployment of new solutions

• Simplified Network administration

• Similar CLI

• Ease of scripting

• Software lifecycle management

• Faster learning curve!

CLI, SNMP

Open IOS XE Architecture

Open IOS-XE

[Diagram comparing three stacks. IOS: IOS Features and Components in one image. IOS XE 3.7.x(SE): IOSd (IOS Sub Systems, WCM, Features, Components), Hosted Apps in LXC* (Wireshark), Common Infrastructure / HA, Management Interface, Module Drivers, Kernel. Open IOS XE 16.5.1: IOSd Blob split into IOS Sub Systems, Hosted Apps in LXC* (including Wireshark), Common Infrastructure / HA, Management Interface, IOS-XE Module Drivers, DB, Kernel.]

Same Binary Image Across all Catalyst 9K Family

Open IOS XE – Key Architectural Enhancements

IOS XE Denali 16.5.1

[Diagram: IOSd Blob split into IOS Sub Systems; Hosted Apps in LXC* containers (including Wireshark); Common Infrastructure / HA; IOS XE Database (Crimson Database); Management Interface; IOS-XE Module Drivers; DB; Kernel with LXC support.]

Open IOS XE – IOS Sub Systems

[Diagram: the IOSd Blob is split into IOS Sub Systems (BGP, OSPF, MPLS, etc.) sitting on the IOS-XE DB.]

Failure of one of the Sub Systems keeps the rest of the system intact

IOS Sub Systems enhance IOS resiliency

IOS XE – IOS-XE 16.x (Illustrative View)

[Illustrative diagram of IOS-XE 16.x. IOSd hosts the IOS Sub Systems (IOS Features, Services, Licensing, Stack Manager (3K), Internal IPC, Sub Systems PD) on top of the Crimson DB, Comet and External Libraries/Utilities. Beside IOSd sit Session Manager, FMAN-RP, FMAN-FP, Wireless Controller, HA, Consolidated Logging, SMAN, Platform Services, Transports (TCP/SCTP/UDP), Chassis Manager, FS, UADP ASIC Drivers, Low Level APIs, Process Framework, Availability Service, Packet Delivery (LSMPI, LFTS), FED and Manager, all above the Kernel.]

Open IOS XE – DB

[Diagram: the IOS-XE DB holds Link State, STP State, OSPF State, MST State, BGP State, Tunnel State and Logs.]

The DB contains the Operational and Configurational States

Open IOS XE – DB

[Diagram: IOSd Sub Systems read and write the Config & Operational States held in the IOS-XE DB.]

Decoupling Code & Data protects the Operational & Configurational States:
• Higher Application UP Time
• Quicker Recovery
• Better Convergence

Distributed Database – Let’s take an example…

Processes (Code): BGP, EtherChannel, Netflow, Multicast, ???

States (Data): Crimson DB

Data & Code Separation

Open IOS XE – DB

[Diagram: Link State, STP State, OSPF State, MST State, BGP State, Tunnel State and Logs in the IOS-XE DB, exposed through Data Models.]

Open IOS XE enables Programmability & Data Models

IOS-XE Database – Enabling Programmability

[Stack diagram: APP1, APP2, APP3, APP4 use Model Driven APIs (encodings XML, JSON, GPB; protocols netconf, Restconf, gRPC; Yang Models), which reach the Crimson DB through the Crimson Interface in the Control Plane. Open Apps run in the App Hosting Environment. Kernel and Data Plane sit below.]

Open IOS XE – Containers

IOS XE Denali 16.5.1

[Diagram: IOSd alongside Hosted Apps in LXC* containers (including Wireshark), over Common Infrastructure / HA, Management Interface, IOS-XE Module Drivers, DB and Kernel.]

Decoupled Execution Space

Benefits of Modern Architecture

RAFA (Run Any Feature Anywhere)

• Feature Velocity Across Platforms

• No Need to touch Platform Independent Pieces of Software

• Platform Dependent piece of software needs to be done (examples shown: MPLS, AVC)

NAT/PAT on Catalyst 9500

• Static ALGs (FTP, TFTP, ICMP)
• NAT in Hardware, up to 8K flows
• 14K Scale Dynamic (3/5-tuple)

[Figure: INSIDE hosts A, B, C translated to OUTSIDE addresses X, Y, Z.]

MPLS on Catalyst 3850/9K

[Figure of segmentation use cases, all reaching the INTERNET: Line of business – BU segmentation; Payment Card Industry; Hospital Network (labels: POS, Medical Device Network, Other Network, Doctor, Staff).]

Bring-Your-Own-Device (BYOD), Mergers and Acquisitions, Multi-Tenancy

AVC on Catalyst 3850/9K

• Filter Monitoring Over Ingress/Egress interfaces and direction

• Identify Top Talkers

• Monitor Data over 2, 24 or 48 hours

• Monitor percentage Bandwidth usage

Model Driven Programmability

Model-Driven Programmability Stack

Apps: App1, App2, App3

APIs: Model-Driven APIs, YANG Development Kit (YDK)

Protocol: NETCONF, RESTCONF, gRPC

Encoding: XML, JSON

Transport: SSH, HTTP

Models: YANG Models (native, open, common)

Data Model Database

Cisco Device (YANG) Model Types

(Open) Common Model
• Industry definition
• Compliant with standard (IETF, ITU, etc.) definition
• Compliant with customer definition (ie OpenConfig)
Example: ietf-diffserv-policy.yang (IETF Diffserv data model)

(Cisco) Common Model
• Cisco definition
• Common across 2 or more Cisco operating systems
Example: cisco-vxlan.yang (IOS-XE/NX-OS VxLAN data model)

(Cisco) Native Model
• Cisco definition
• Unique to a single Cisco operating system
Example: Cisco-IOS-XR--bgp-cfg.yang (IOS-XR BGP data model)

NETCONF protocol stack

CONTENT: XML (based on YANG)

OPERATIONS: GET, EDIT-CONFIG, ETC

MESSAGES: RPC

SECURE TRANSPORT: SSH

Options for accessing NETCONF

YANGExplorer: Cisco-developed GUI tool for exploring data models, testing NETCONF calls, and generating Python scripts.

YANG Developer Kit (YDK): Access data models using off-box Python scripts. Available from GitHub.

YANG (Yet Another Next Generation)

YANG data models define machine-oriented interfaces for the configuration and management of network devices.

YANG Data Models

YANG Data Model:

    container ip {
      list vrf {
        leaf rd
      }
    }

XML Data: [the slide shows instance values red_vrf, red and rd 65001:1, 1:1 filled into this structure]

YANG models do not contain data or XML. YANG models are like templates used to generate consistent XML.

YANG Configuration Model Example*

YANG:

    container ip {
      list vrf {
        description "Configure an IP VPN Routing/Forwarding instance";
        leaf name {
          type string;
        }
        leaf rd {
          description "Specify Route Distinguisher";
          type rd-type;
        }
      }
    }

XML: [instance data on the slide: vrf_red 65000:1, vrf_green 65000:2]

CLI:

    ip vrf vrf_red
     rd 65001:1
    !
    ip vrf vrf_green
     rd 65001:2
    !

* Note: YANG model simplified for clarity
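The model above rendered into the NETCONF message that the protocol-stack slide describes (CONTENT in XML generated from the YANG tree, wrapped in an <edit-config> OPERATION inside an <rpc> MESSAGE), as an added example that is not code from the deck or from Cisco. The function names, the placeholder IP_NS namespace (the simplified model on the slide has none) and the route-distinguisher check are this example's own assumptions; the VRF values come from the slide's CLI column.

```python
import re
import xml.etree.ElementTree as ET

# NETCONF base namespace (RFC 6241). The slide's simplified "ip" model has no
# namespace on the page, so IP_NS is a placeholder, not a real Cisco namespace.
NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
IP_NS = "urn:example:simplified-ip-vrf-model"
ET.register_namespace("nc", NC_NS)
ET.register_namespace("ip", IP_NS)

_ASN_RD = re.compile(r"^(\d+):(\d+)$")
_IP_RD = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
_nc = lambda tag: "{%s}%s" % (NC_NS, tag)   # Clark-notation tag helpers
_ip = lambda tag: "{%s}%s" % (IP_NS, tag)


def validate_rd(rd):
    """The model's rd-type leaf, checked against the RFC 4364 encodings before
    the RPC is sent: 2-byte ASN : 4-byte number, 4-byte ASN : 2-byte number,
    or IPv4 address : 2-byte number. Failing early off-box gives a clear
    error instead of a NETCONF <rpc-error> from the device."""
    m = _ASN_RD.match(rd)
    if m:
        asn, nn = int(m.group(1)), int(m.group(2))
        if asn <= 0xFFFF:
            return nn <= 0xFFFFFFFF
        return asn <= 0xFFFFFFFF and nn <= 0xFFFF
    m = _IP_RD.match(rd)
    if m:
        octets_ok = all(int(o) <= 255 for o in m.group(1).split("."))
        return octets_ok and int(m.group(2)) <= 0xFFFF
    return False


def build_edit_config_rpc(vrfs, message_id="101", target="running"):
    """Render container ip / list vrf / leaf name, leaf rd as the CONTENT of a
    NETCONF <edit-config> RPC (the MESSAGES and OPERATIONS layers around it).
    vrfs is a list of (name, rd) tuples; SSH transport is left to the client."""
    rpc = ET.Element(_nc("rpc"), {"message-id": message_id})
    edit = ET.SubElement(rpc, _nc("edit-config"))
    ET.SubElement(ET.SubElement(edit, _nc("target")), _nc(target))
    ip = ET.SubElement(ET.SubElement(edit, _nc("config")), _ip("ip"))
    for name, rd in vrfs:
        if not validate_rd(rd):
            raise ValueError("bad route distinguisher %r for vrf %s" % (rd, name))
        vrf = ET.SubElement(ip, _ip("vrf"))
        ET.SubElement(vrf, _ip("name")).text = name
        ET.SubElement(vrf, _ip("rd")).text = rd
    return ET.tostring(rpc, encoding="unicode")


def parse_vrfs(xml_text):
    """Reverse direction: pull (name, rd) pairs out of instance data, e.g. a
    <get-config> reply generated from the same model."""
    root = ET.fromstring(xml_text)
    return [(v.findtext(_ip("name")), v.findtext(_ip("rd"))) for v in root.iter(_ip("vrf"))]


def to_cli(vrfs):
    """The equivalent IOS CLI shown beside the model on the slide."""
    return "\n".join("ip vrf %s\n rd %s\n!" % (name, rd) for name, rd in vrfs)
```

Calling build_edit_config_rpc([("vrf_red", "65001:1"), ("vrf_green", "65001:2")]) gives the XML that a client such as YDK or ncclient would send over SSH; parse_vrfs reads the same shape back.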

Python

On-box vs Off-Box Python Scripting

On-Box Python (CLI, NETCONF, Syslog; Guestshell Container): On-box Python scripts run in a container on the device itself. They can communicate with the network or the device itself.

Off-Box Python (NETCONF*): Off-box scripts run on an external server and communicate with the switch over the network using NETCONF or other protocols.

Advantages

On-Box
• Access CLI directly on device
• Trigger syslog messages
• Interact with Embedded Event Manager
• Access device bootflash
• Power-On Auto-Provisioning (ZTP)
• Use interactive Python shell

Enabling on-box Python

IOX is the container manager, similar to Docker.

    jemclaug-hh15-c3850-2#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    jemclaug-hh15-c3850-(config)#iox
    jemclaug-hh15-c3850-(config)#^Z
    jemclaug-hh15-c3850-2#guestshell ?
      destroy  Disable and uninstall the guest shell service package
      disable  Disable the guest shell service package
      enable   Enable the guest shell service
      run      Execute/run program in the guest shell

Wait for IOX to enable:

    jemclaug-hh15-c3850-2#guestshell enable
    The for the command is not responding or is otherwise unavailable
    jemclaug-hh15-c3850-2#guestshell enable
    Guestshell enabled successfully with tracefile support

Success! Python ready for use.

On-Box Script

    from cli import cli        # Import CLI and time modules
    import time

    timestr = time.strftime("%Y%m%d-%H%M%S")       # Build filename based on current date/time
    filename = "/bootflash/" + timestr + "_shproccpu"
    output = cli('show proc cpu')                  # Run the show command through the on-box cli module
    f = open(filename, "w")
    f.write(output)
    f.close()                                      # Close so the capture is flushed to bootflash

Trigger Python Script from EEM

    event manager applet ipsla
     event ipsla group-name "sla1" reaction-type timeout dest-ip-addr 172.26.244.1
     action 1 cli command "en"
     action 2 cli command "guestshell run python /bootflash/sla.py"

Call the Python script from the EEM applet...
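An added example (not from the deck) of what a script such as the sla.py the applet calls might do, combining the on-box capture pattern of the previous slide with the EEM trigger above: the show commands, file prefix and retention count are assumptions, and the cli function is passed in so the same logic can be exercised off-box.

```python
import os
import time

# Show commands assumed for this example; the deck's EEM applet calls
# /bootflash/sla.py but does not show its contents.
CAPTURE_COMMANDS = ("show ip sla statistics", "show ip route", "show proc cpu")


def prune_old_captures(directory, prefix, keep):
    """Delete all but the newest `keep` capture files for this prefix. The
    timestamp leads the filename, so lexical order is chronological order.
    Returns the names removed."""
    names = sorted(n for n in os.listdir(directory) if n.endswith("_%s.txt" % prefix))
    excess = max(len(names) - keep, 0)
    for name in names[:excess]:
        os.remove(os.path.join(directory, name))
    return names[:excess]


def capture_to_bootflash(run_cli, directory="/bootflash", prefix="sla_event",
                         keep=5, now=None):
    """Run each show command through run_cli (the Guest Shell cli.cli function
    on the switch; injected here so the logic can be exercised off-box), write
    the outputs to one timestamped file, then prune older captures so a
    flapping IP SLA probe cannot fill bootflash. Returns the path written."""
    stamp = time.strftime("%Y%m%d-%H%M%S", time.localtime(now))
    path = os.path.join(directory, "%s_%s.txt" % (stamp, prefix))
    with open(path, "w") as fh:
        fh.write("captured %s (EEM ipsla timeout)\n" % stamp)
        for cmd in CAPTURE_COMMANDS:
            fh.write("\n===== %s =====\n" % cmd)
            fh.write(run_cli(cmd))
            fh.write("\n")
    prune_old_captures(directory, prefix, keep)
    return path


if __name__ == "__main__":
    # On the switch this runs as: guestshell run python /bootflash/sla.py
    from cli import cli   # only available inside Guest Shell
    print(capture_to_bootflash(cli))
```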

Patchability

Software Maintenance Update (SMU)

• SMU (Software Maintenance Upgrade) is an emergency point fix positioned for expedited delivery to a customer in case of a network down or revenue affecting scenario. SMUs are:
  – Quick (able to deliver point fixes much faster than possible in IOS)
  – Effective (does not require a monolithic code upgrade)
  – Focused (target the specific area of code which has the issue)

• SMU is effectively like a medication:
  – It addresses the issue effectively.
  – In theory, there is no limit to the number you can take.
  – In practice, you want to be selective when SMU’ing

Software Upgrades are Challenging

Cost
• Expensive Upgrades - Business Loss
• Each device upgrade causes Network outage

Time
• Reduced IT staff slows software roll out
• Physical presence required

Scope
• New Code requires bug analysis, certification

SMU Point Fixes Reduce Validation – Scope & Time

SMU Types

• Cold Patching (traffic-affecting)
  • Install of a SMU will require a system reload in the first release

• Hot Patching (non traffic-affecting)
  • Hot Restart of the patched process can be supported in the future
  • Install of a SMU will not require a system reload

Installing a SMU

Adding a SMU file

    9300#install add file flash:cat9k-universalk9.2017-03-17_21.53_zhangyu.301.CSCuo76464.SSA.smu.bin
    install_add: START Sun Mar 26 01:13:29 UTC 2017
    SUCCESS: Finished copying package(s) to the selected switch(es)
    SUCCESS: install_add /flash/cat9k-universalk9.2017-03-17_21.53_zhangyu.301.CSCuo76464.SSA.smu.bin Sun Mar 26 01:13:31 UTC 2017

Activating SMU

    9300#install activate file flash:cat9k-universalk9.2017-03-17_21.53_zhangyu.301.CSCuo76464.SSA.smu.bin
    install_activate: START Sun Mar 26 01:14:12 UTC 2017
    install_activate: Activating SMU...
    This operation requires a reload of the system. Do you want to proceed? [y/n]y
    install_activate: Reloading the box to complete activation of the SMU...

Committing it

    9300#install commit
    install_commit: START Sun Mar 26 01:24:41 UTC 2017
    SUCCESS: install_commit Sun Mar 26 01:24:43 UTC 2017

Any failures/reloads between activate and commit result in a rollback

List of SMUs Available
• Platform
• Release

SMU Applicable
• Recommended
• Optional
• Applicable to features deployed

SMU Impact
• Reload or Hitless

Customer Benefits

✓ Prioritize SMU based on Risk Analysis (PSIRTs & Critical)

✓ Applicability to customer’s deployed features

✓ Evaluate Impact on Operations (Hitless/Reload)

[Example entries from the SMU list on the slide: Optional Reloadable SMU; SSH Defect – Recommended, 23-Dec-2017]

• Download SMU to APIC-EM file server
• Analyze SMU impact
• Test SMU on Pilot setup
• Schedule SMU deployment

[Workflow diagram: Network Admin, DNA-C App, SMU ReadMe, SMU Server on Cisco.com, APIC-EM SMU File Server, Pilot Site, Production Sites.]

Guest Shell - Containers

Guest Shell Application: Linux Shell Environment On Your Switch or Router

• Maintain IOS XE system integrity
• Isolated User Space
• Fault Isolation
• Resource Isolation
• On-box rapid prototyping
• Device-level API Integration
• Scripting (Python)
• Linux Commands
• Application Hosting
• Integrate into your Linux workflow
• Integrated with IOS XE

[Diagram: Linux applications run inside the Guest Shell (Open Application Container) and reach the Network OS through its API.]

Cisco Guest Shell Capabilities

                             Guest Shell 1.0       Guest Shell 1.0
    Operating System         IOS-XE                IOS-XE
    Platforms                CAT 3650, CAT3850     Cat9K, ISR 4000
    Guest Shell Environment  MontaVista CGE7       CentOS 7
    Python 2.7               ✓                     ✓
    Python 3.0               ✗                     ✓
    Python GNU C Compiler    ✗                     ✗
    RPM Install              ✗                     ✓

CAT 3650 Guest Shell Support

Minimum System Requirements: 4 GB DRAM
Minimum IOS-XE release: 16.5.1

    Model               Default DRAM   Guest Shell Support
    WS-C3650-xxx (all)  4 GB           ✓

Other Limitations: none

CAT 3850 Guest Shell Support

Minimum System Requirements: 4 GB DRAM
Minimum IOS-XE release: 16.5.1

    Model           Default DRAM   Guest Shell Support
    3850-12X48U     4 GB           ✓
    3850-24XU       4 GB           ✓
    3850-48U        4 GB           ✓
    3850-24U        4 GB           ✓
    3850-48XS       8 GB           ✓
    3850-24XS       8 GB           ✓
    3850-NM-8-10G   8 GB           ✓
    3850-NM-2-40G   8 GB           ✓

Other Limitations: none

CAT 9300 Guest Shell Support

Minimum IOS-XE release: 16.5.1

    Model            Default DRAM   Guest Shell Support
    C9300-xxx (all)  16 GB          ✓

Other Limitations: none

Guest Shell Overview

• Guest Shell is a decoupled execution space running within a Linux Container (LXC)

• From within the Guest Shell the network-admin has the following capabilities:
  • Access to the network over Linux network interfaces
  • Access to bootflash
  • Access to IOS CLI
  • The ability to install and run python scripts.
  • The ability to install and run 32-bit and 64-bit Linux applications.

One Release Train

Network Administrator: Simplified Network Administration; Software Lifecycle Management; Same CLI (CLI, SNMP)

Platform: Relevant Features; Different Binaries to Match Respective Platforms

Platforms Support

    Platform                          First IOS-XE 16.x release
    Catalyst 3850 / Catalyst 3650     16.1.1
    ASR 1000 / ISR 4000               16.2.1
    Catalyst 9300                     16.5.1a
    Catalyst 9500                     16.5.1a
    Catalyst 9400                     16.6.1

With Cat9K we have taken it one step further

Same Binary Image On all C9K

cat9k_iosxe.16.05.01a.SPA.bin

Catalyst 9K Family – One ASIC, OS & Licensing

Catalyst 9400 – Lead Modular Access
Catalyst 9500 – Lead Fixed Core
Catalyst 9300 – Lead Fixed Access

Converged ASIC: UADP 2.0
Converged OS: Open IOS-XE

The Catalyst 9K Family is built on common attributes

Catalyst 9K Family – Want to Know More?

Cisco Live US 2017 – session BRKARC-2035,

“The Catalyst 9000 Switch Family – An Architectural View”

Wed 4 PM

http://www.cisco.com/c/m/en_us/training-events/events-webinars/webinars/techwise-tv/213-catalyst-9000-switches.html

Wrap up & Summary

IOS XE – A Modern OS for New Era of Networking

Resiliency & High Availability

• Patching (SMU)
• Modular IOS Sub Systems

Open Programmability
• YANG Data Models
• Python

Containers & 3rd Party App
• Guest Shell
• Containers
• Python
• And more …

IOS XE - Advanced Modular Architecture

Complete Your Online Session Evaluation

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.

Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions

Thank you