IOS XE : Enabling the Digital Network Architecture
Muhammad A Imam, BRKARC-3300

Cisco Spark
Questions? Use Cisco Spark to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be available until July 3, 2017: cs.co/ciscolivebot#BRKCRS-3300
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

The goal of this session is to give you an understanding of what IOS-XE 16.x is, why you should care, and how it works.
Agenda
• Cisco IOS and its Evolution
• The Vision of IOS XE
• IOS XE Architecture
• Benefits of the New Architecture
• Wrap up & Summary

About the speaker: Muhammad A Imam, Sr. Manager Technical Marketing, CCIE #27739, @m_a_imam, [email protected]
Muhammad currently works as a Sr. Manager Technical Marketing for the Data Center & Enterprise Switching Group. He joined Cisco in 2008 and has around 15 years of experience in the networking industry. He currently leads a team of Catalyst Products TMEs. He was one of the first TMEs to work on the Catalyst 3850/3650 and has worked on all Catalyst switching products over the years. He also contributes to enterprise network designs and next-generation platform architectures. In the past he has held roles in development, test and support of products ranging from routers and switches to firewalls. Muhammad holds a Master's degree in Electrical & Computer Engineering and maintains a CCIE #27739 in Routing and Switching.
Historical View of Cisco IOS
[Figure: timeline of Cisco operating systems. IOS (from 1986): releases 9.x, 10.x, 11.x, 12.x (with the 12.2S, 12.2SX, 12.2SE, 12.2SR and 12.2SG trains) and 15.x. IOS-XR (2004). NX-OS (2008). IOS XE 3.x (BinOS, M&T release, NOVA) on the ASR1000 and Catalyst 3850. IOS XE Denali 16.1 (2015). Axis milestones: 1984, 1986, 1993, 2007, 2009, 2010, 2015 (Cisco founded, first AGS router shipped, Catalyst 4K, ASR1000, Catalyst 3850). Timeline unevenly distributed.]

Historical View of Networks
[Figure: the same milestone axis (1984, 1986, 1993, 2007, 2009, 2010, 2015) with the network eras: connecting multiple networks (routers & switches, LAN switching, remote access, WAN switching), the Internet era (ASR1000, ISR), BYOD/video/cloud (Catalyst 3850), and digitization. Timeline unevenly distributed.]

Introduction to DNA

Network Requirements for the Digital Organization
• Insights & Actions: drive business innovations
• Automation & Assurance: speed, simplicity and visibility
• Security & Compliance: real-time and dynamic threat defense
Cisco Digital Network Architecture (DNA)

Digital Network Architecture – What's New
[Figure: DNA layers, top to bottom.]
• Network-enabled applications
• Cloud Service Management: DNA Center (APIC-EM, ISE, NDP); policy, orchestration, automation, identity, analytics; open APIs and a developers environment
• Intent: network policy, identity access policy, network data insights; SD-Access & Assurance; open & programmable, standards-based
• Infrastructure: physical & virtual; Network Function Virtualization; app hosting; secure; cloud-enabled; software-delivered (Catalyst 9K)
The Vision of IOS-XE Denali

Forward Vision – IOS XE Denali 16.x.y
• Manageability: Prime Infrastructure, APIC-EM, WebUI; CLI, SNMP, RESTCONF, NETCONF
• Operating System: unified software stack (IOS-XE 16)
• Platform: ASICs/CPU; switches, wireless, routers
One OS across enterprise platforms
One OS
For the network administrator:
• Enables rapid deployment of new solutions
• Simplified Network administration
• Similar CLI
• Ease of scripting
• Software lifecycle management
• Faster learning curve!
Open IOS XE Architecture

Open IOS-XE
[Figure: three generations side by side.]
• IOS: a single monolithic image containing the IOS features and components.
• IOS XE 3.7.x(SE): an IOSd blob (the IOS subsystems) plus WCM, over a common infrastructure / HA layer, management interface, IOS-XE module drivers and the kernel.
• Open IOS XE 16.5.1: IOSd split into IOS subsystems, an IOS-XE database, and hosted apps in LXC containers (for example Wireshark), over the same common infrastructure / HA, management interface, module drivers and kernel.
Same binary image across the whole Catalyst 9K family.
Open IOS XE – Key Architectural Enhancements
IOS XE Denali 16.5.1 adds, on top of the layered IOS XE architecture:
• IOS subsystems inside IOSd (instead of a single IOSd blob)
• The IOS XE database (Crimson database) in the common infrastructure / HA layer
• LXC container support on the kernel for hosted apps (for example Wireshark)
Open IOS XE – IOS Sub Systems
[Figure: IOSd with BGP, OSPF, MPLS etc. as separate IOS subsystems, each backed by the IOS-XE DB.]
Failure of one of the subsystems keeps the rest of the system intact.
IOS subsystems enhance IOS resiliency.
IOS XE – IOS-XE 16.x (Illustrative View)
[Figure: components of IOS-XE 16.x above the kernel.]
• IOSd: IOS subsystems with platform-dependent (PD) features
• FMAN-RP and FMAN-FP (forwarding managers), FED (forwarding engine driver), UADP ASIC drivers, packet delivery (LSMPI, LFTS)
• Session Manager, Wireless Controller, HA, Stack Manager (3K), Licensing, Consolidated Logging
• Internal IPC, Comet, Crimson DB, SMAN, transports (TCP/SCTP/UDP), services, external libraries/utilities
• Platform services: Chassis Manager, blob, low-level APIs, FS, process framework, availability service
• Kernel
Open IOS XE – DB
[Figure: the IOS-XE DB holding link state, STP state, MST state, OSPF state, BGP state, tunnel state and logs.]
The DB contains the operational and configurational states.
Open IOS XE – DB
Decoupling code (the IOSd subsystems) from data (config & operational states in the IOS-XE DB) protects the operational and configurational states and gives:
• Higher application up time
• Quicker recovery
• Better convergence
Distributed Database – Let's take an example…
[Figure: processes (code) such as BGP, EtherChannel, Netflow, Multicast and others (???) keep their states (data) in the Crimson DB.]
Data & code separation
Open IOS XE – DB
[Figure: the same DB states (link, STP, MST, OSPF, BGP, tunnel, logs) exposed through data models.]
Open IOS XE enables programmability & data models.
IOS-XE Database – Enabling Programmability
[Figure, top to bottom: APP1 to APP4 use model-driven APIs (NETCONF, RESTCONF, gRPC) with XML, JSON or GPB encoding over YANG models; the Crimson interface gives both these APIs and open apps in the app hosting environment access to the Crimson DB in the control plane, on the Linux kernel, above the data plane.]
Open IOS XE – Containers
[Figure: IOS XE Denali 16.5.1 with IOSd beside hosted apps in LXC containers (for example Wireshark), over the common infrastructure / HA, management interface, IOS-XE module drivers, DB and kernel.]
Decoupled execution space
Benefits of Modern Architecture

RAFA (Run Any Feature Anywhere)
• Feature velocity across platforms
• No need to touch the platform-independent pieces of software
• Only the platform-dependent pieces of software need to be done (examples on the slide: MPLS, AVC)
NAT/PAT on Catalyst 9500
• NAT in hardware
• Static NAT; ALGs (FTP, TFTP, ICMP)
• Dynamic NAT (3/5-tuple)
• Scale figures on the slide: up to 8K flows, 14K
[Figure: inside hosts A, B, C translated to outside addresses X, Y, Z.]
MPLS on Catalyst 3850/9K
[Figure: MPLS segmentation use cases.]
• Line of business / BU segmentation
• Payment Card Industry (POS network)
• Hospital network: medical device network, doctor/staff network, other networks
• Bring-Your-Own-Device (BYOD)
• Mergers and acquisitions
• Multi-tenancy
• Internet
AVC on Catalyst 3850/9K
• Filter Monitoring Over Ingress/Egress interfaces and direction
• Identify Top Talkers
• Monitor Data over 2, 24 or 48 hours
• Monitor percentage Bandwidth usage
Model Driven Programmability

Model-Driven Programmability Stack
Apps: App1, App2, App3
APIs: model-driven APIs, YANG Development Kit (YDK)
Protocol: NETCONF, RESTCONF, gRPC
Encoding: XML, JSON
Transport: SSH, HTTP
Models: YANG models (native, open, common)
Data Model Database
Cisco Device (YANG) Model Types
(Open) Common Model
• Industry definition
• Compliant with a standard (IETF, ITU, etc.) definition
• Compliant with a customer definition (i.e. OpenConfig)
• Example: ietf-diffserv-policy.yang (IETF Diffserv data model)
(Cisco) Common Model
• Cisco definition
• Common across 2 or more Cisco operating systems
• Example: cisco-vxlan.yang (IOS-XE/NX-OS VxLAN data model)
(Cisco) Native Model
• Cisco definition
• Unique to a single Cisco operating system
• Example: Cisco-IOS-XR-ipv4-bgp-cfg.yang (IOS-XR BGP data model)
NETCONF protocol stack
Content: XML (based on YANG)
Operations: get, edit-config, etc.
Messages: RPC
Secure Transport: SSH
Options for accessing NETCONF
• YANG Explorer: Cisco-developed GUI tool for exploring data models, testing NETCONF calls, and generating Python scripts.
• YANG Development Kit (YDK): access data models using off-box Python scripts. Available from GitHub.
YANG (Yet Another Next Generation)
YANG data models define machine-oriented interfaces for the configuration and management of network devices.
YANG Data Models
[Figure: the YANG data model on the left (container ip { list vrf { … } }) and the XML data it describes on the right, here the VRF instance red_vrf.]
YANG models do not contain data or XML. YANG models are like templates used to generate consistent XML.
YANG Configuration Model Example*
YANG:
container ip {
* Note: YANG model simplified for clarity
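The NETCONF stack above (XML content shaped by YANG, get/edit-config operations, RPC messages, SSH transport) and the YANG-to-XML relationship of the previous slides, worked through in Python as an added example that is not code from the deck or from Cisco. It builds an edit-config for the simplified ip/vrf model, reads a constructed server hello to decide the framing, frames the message the way NETCONF 1.1 does over SSH (RFC 6242 chunked framing), and parses a constructed rpc-reply. No device is contacted; the model namespace urn:example:ip-vrf, the sample hello and replies, and the nc/ipm prefixes are this example's assumptions (only the VRF name red_vrf comes from the slide).

```python
import re
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
BASE_11 = "urn:ietf:params:netconf:base:1.1"
# Placeholder namespace: the deck's simplified ip/vrf model has no published one.
MODEL_NS = "urn:example:ip-vrf"
ET.register_namespace("nc", NC_NS)
ET.register_namespace("ipm", MODEL_NS)

# Constructed server messages (not captured from a device).
SAMPLE_HELLO = """<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
    <capability>urn:ietf:params:netconf:base:1.1</capability>
  </capabilities>
  <session-id>42</session-id>
</hello>"""
SAMPLE_OK = ('<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" '
             'message-id="101"><ok/></rpc-reply>')
SAMPLE_ERROR = ('<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" '
                'message-id="101"><rpc-error><error-type>application</error-type>'
                '<error-tag>invalid-value</error-tag>'
                '<error-message>VRF name too long</error-message></rpc-error></rpc-reply>')


def server_capabilities(hello_xml):
    """Capability URIs the server advertised in its <hello>."""
    root = ET.fromstring(hello_xml)
    return {c.text.strip() for c in root.iter("{%s}capability" % NC_NS) if c.text}


def choose_framing(caps):
    """Chunked framing only if the peer advertised base:1.1, else the ]]>]]> delimiter."""
    return "chunked" if BASE_11 in caps else "eom"


def build_edit_config(vrf_name, message_id=101):
    """<edit-config> on the running datastore creating one VRF under ip/vrf.

    The name goes in as element text, so '<' or '&' in it are escaped rather
    than becoming structure (no string concatenation of XML).
    """
    rpc = ET.Element("{%s}rpc" % NC_NS, {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, "{%s}edit-config" % NC_NS)
    ET.SubElement(ET.SubElement(edit, "{%s}target" % NC_NS), "{%s}running" % NC_NS)
    config = ET.SubElement(edit, "{%s}config" % NC_NS)
    vrf = ET.SubElement(ET.SubElement(config, "{%s}ip" % MODEL_NS), "{%s}vrf" % MODEL_NS)
    ET.SubElement(vrf, "{%s}name" % MODEL_NS).text = vrf_name
    return ET.tostring(rpc, encoding="unicode")


def vrf_names(xml_text):
    """Names of the VRF instances in an ip/vrf document (the XML side of the slide)."""
    root = ET.fromstring(xml_text)
    return [n.text for n in root.iter("{%s}name" % MODEL_NS)]


def frame(message, framing):
    """Wire bytes for one message: RFC 6242 chunked framing, or the 1.0 delimiter."""
    data = message.encode("utf-8")
    if framing == "chunked":
        return b"\n#%d\n" % len(data) + data + b"\n##\n"
    if b"]]>]]>" in data:
        raise ValueError("message contains the end-of-message delimiter")
    return data + b"]]>]]>"


def unframe_chunked(stream):
    """Reassemble one chunked message; return (text, bytes left over after it)."""
    chunks, pos = [], 0
    while not stream.startswith(b"\n##\n", pos):
        header = re.match(rb"\n#([1-9][0-9]{0,9})\n", stream[pos:])  # no leading zeros
        if header is None:
            raise ValueError("bad chunk header at offset %d" % pos)
        size, start = int(header.group(1)), pos + header.end()
        if start + size > len(stream):
            raise ValueError("truncated chunk")
        chunks.append(stream[start:start + size])
        pos = start + size
    return b"".join(chunks).decode("utf-8"), stream[pos + 4:]


def parse_reply(reply_xml, expected_id):
    """Outcome of an <rpc-reply>; a message-id that does not match the request counts as failure."""
    root = ET.fromstring(reply_xml)
    errors = [e.findtext("{%s}error-message" % NC_NS, default="").strip()
              for e in root.iter("{%s}rpc-error" % NC_NS)]
    matched = root.get("message-id") == str(expected_id)
    ok = matched and not errors and root.find("{%s}ok" % NC_NS) is not None
    return {"ok": ok, "matched": matched, "errors": errors}


if __name__ == "__main__":
    framing = choose_framing(server_capabilities(SAMPLE_HELLO))
    print(framing, frame(build_edit_config("red_vrf"), framing))
    print(parse_reply(SAMPLE_OK, 101), parse_reply(SAMPLE_ERROR, 101))
```

Two details matter in practice: the framing is chosen from what the peer actually advertised, never assumed, and the reply's message-id is checked against the request so a late or foreign reply is not mistaken for success.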
Python

On-box vs Off-Box Python Scripting
• On-box Python: scripts run in the Guestshell container on the device itself and can communicate with the network or with the device itself (CLI, NETCONF*, syslog).
• Off-box Python: scripts run on an external server and communicate with the switch over the network using NETCONF or other protocols.
Advantages
On-box:
• Access the CLI directly on the device
• Trigger syslog messages
• Interact with the Embedded Event Manager
• Access the device bootflash
• Power-On Auto-Provisioning (ZTP)
• Use the interactive Python shell
Enabling on-box Python
jemclaug-hh15-c3850-2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
jemclaug-hh15-c3850-(config)#iox                  ! IOX is the container manager, similar to Docker.
jemclaug-hh15-c3850-(config)#^Z
jemclaug-hh15-c3850-2#guestshell ?
  destroy  Disable and uninstall the guest shell service package
  disable  Disable the guest shell service package
  enable   Enable the guest shell service
  run      Execute/run program in the guest shell

jemclaug-hh15-c3850-2#guestshell enable
The process for the command is not responding or is otherwise unavailable    ! Wait for IOX to enable
jemclaug-hh15-c3850-2#guestshell enable
Guestshell enabled successfully with tracefile support                       ! Success! Python ready for use.
On-Box Script
from cli import cli           # import the guestshell CLI module and time
import time

timestr = time.strftime("%Y%m%d-%H%M%S")          # build a filename from the current date/time
filename = "/bootflash/" + timestr + "_shproccpu"
output = cli('show proc cpu')                     # run the show command on the device
with open(filename, "w") as f:                    # write the output to bootflash; the with block
    f.write(output)                               # closes the file (the slide's bare f.close did not)
Trigger Python Script from EEM
event manager applet ipsla
 event ipsla group-name "sla1" reaction-type timeout dest-ip-addr 172.26.244.1
 action 1 cli command "en"
 action 2 cli command "guestshell run python /bootflash/sla.py"
Call the Python script from the EEM applet.
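A hypothetical sla.py of the kind the applet above invokes with "guestshell run python /bootflash/sla.py", added here as an illustration; it is not the deck's script. It collects a fixed set of show commands to bootflash when an IP SLA operation times out, parses "show ip sla statistics" to name the failing operations, and raises a syslog message through the guestshell cli module. Because commands issued through cli() run with the device's CLI access, the script only issues commands from its own allow-list and never builds a command string from outside data. Off-box (or under test) the cli module is absent, so the script falls back to a constructed sample of the show output; the sample text, the file name pattern and the syslog wording are this example's assumptions.

```python
import re
import time

try:
    from cli import cli            # available only inside the IOS XE guestshell
except ImportError:                # off-box: no device, use the constructed sample below
    cli = None

# Constructed sample (not captured from a real switch); the layout follows
# 'show ip sla statistics' on IOS XE.  Operation 2 has just timed out.
SAMPLE_SLA_STATS = """\
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
        Latest RTT: 3 milliseconds
Latest operation start time: 01:13:29 UTC Sun Mar 26 2017
Latest operation return code: OK
Number of successes: 120
Number of failures: 0
Operation time to live: Forever

IPSLA operation id: 2
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 01:13:31 UTC Sun Mar 26 2017
Latest operation return code: Timeout
Number of successes: 95
Number of failures: 25
Operation time to live: Forever
"""

# The only exec commands this script will ever issue.
DIAG_COMMANDS = (
    "show ip sla statistics",
    "show ip route summary",
    "show processes cpu sorted | exclude 0.00%",
)


def is_allowed(command):
    """True only for commands on the fixed allow-list above."""
    return command in DIAG_COMMANDS


def run(command):
    """Run one allow-listed exec command on-box; off-box return the sample text."""
    if not is_allowed(command):
        raise ValueError("command not in allow-list: %r" % command)
    if cli is None:
        return SAMPLE_SLA_STATS if command == "show ip sla statistics" else ""
    return cli(command)


def parse_sla_stats(text):
    """Return {operation_id: {'rtt': str, 'code': str, 'failures': int}}."""
    ops, current = {}, None
    for line in text.splitlines():
        m = re.match(r"IPSLA operation id:\s+(\d+)", line)
        if m:
            current = ops.setdefault(int(m.group(1)), {})
            continue
        if current is None:
            continue
        m = re.match(r"\s*Latest RTT:\s+(.+)", line)
        if m:
            current["rtt"] = m.group(1).strip()
        m = re.match(r"Latest operation return code:\s+(\S+)", line)
        if m:
            current["code"] = m.group(1)
        m = re.match(r"Number of failures:\s+(\d+)", line)
        if m:
            current["failures"] = int(m.group(1))
    return ops


def failing_operations(ops):
    """Sorted ids of operations whose latest return code was not OK."""
    return sorted(op for op, v in ops.items() if v.get("code") != "OK")


def collect_diagnostics(stamp=None):
    """Capture the diagnostic commands to bootflash; return (path, failing ids)."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    path = "/bootflash/%s_sla_diag.txt" % stamp        # bootflash is visible from guestshell
    outputs = dict((c, run(c)) for c in DIAG_COMMANDS)
    failing = failing_operations(parse_sla_stats(outputs["show ip sla statistics"]))
    if cli is not None:                                # write and log only on a real device
        with open(path, "w") as f:
            for c in DIAG_COMMANDS:
                f.write("===== %s =====\n%s\n" % (c, outputs[c]))
        # 'send log' raises a syslog message from exec mode; the text is fixed
        # wording plus integers and our own path, so nothing untrusted is interpolated.
        cli("send log IP SLA timeout: operations %s failing, diagnostics in %s"
            % (",".join(str(i) for i in failing), path))
    return path, failing


if __name__ == "__main__":
    print(collect_diagnostics())
```

The script stays Python 2.7 compatible so it runs under the MontaVista-based guest shell on the 3850 as well as the CentOS 7 one on the 9K.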
Patchability

Software Maintenance Update (SMU)
• SMU (Software Maintenance Upgrade) is an emergency point fix positioned for expedited delivery to a customer in case of a network-down or revenue-affecting scenario. SMUs are:
  – Quick (able to deliver point fixes much faster than possible in IOS)
  – Effective (does not require a monolithic code upgrade)
  – Focused (target the specific area of code which has the issue)
• A SMU is effectively like a medication:
  – It addresses the issue effectively.
  – In theory, there is no limit to the number you can take.
  – In practice, you want to be selective when SMU'ing.
Software Upgrades are Challenging
Cost
• Expensive upgrades – business loss
• Each device upgrade causes a network outage
Time
• Reduced IT staff slows software roll-out
• Physical presence required
Scope
• New code requires bug analysis, certification
SMU point fixes reduce validation scope & time.
SMU Types
• Cold patching (traffic-affecting): installing a SMU requires a system reload in the first release
• Hot patching (non traffic-affecting): installing a SMU does not require a system reload; a hot restart of the patched process can be supported in the future
Installing a SMU
Adding a SMU file:
9300#install add file flash:cat9k-universalk9.2017-03-17_21.53_zhangyu.301.CSCuo76464.SSA.smu.bin
install_add: START Sun Mar 26 01:13:29 UTC 2017
SUCCESS: Finished copying package(s) to the selected switch(es)
SUCCESS: install_add /flash/cat9k-universalk9.2017-03-17_21.53_zhangyu.301.CSCuo76464.SSA.smu.bin Sun Mar 26 01:13:31 UTC 2017

Activating the SMU:
9300#install activate file flash:cat9k-universalk9.2017-03-17_21.53_zhangyu.301.CSCuo76464.SSA.smu.bin
install_activate: START Sun Mar 26 01:14:12 UTC 2017
install_activate: Activating SMU...
This operation requires a reload of the system. Do you want to proceed? [y/n]y
install_activate: Reloading the box to complete activation of the SMU...

Committing it:
9300#install commit
install_commit: START Sun Mar 26 01:24:41 UTC 2017
SUCCESS: install_commit Sun Mar 26 01:24:43 UTC 2017

Any failures/reloads between activate and commit result in a rollback.
[Figure: from the list of SMUs available (by platform and release), determine for each SMU whether it is applicable (recommended or optional; applicable to the features deployed) and its impact (reload or hitless).]

Customer Benefits
• Prioritize SMUs based on risk analysis (PSIRTs & critical)
• Applicability to the customer's deployed features
• Evaluate the impact on operations (hitless/reload)
[Example entry on the slide: SSH defect – Recommended, reloadable SMU, optional, 23-Dec-2017]
SMU deployment workflow (network admin with the DNA-C app / APIC-EM):
• Download the SMU and its ReadMe from Cisco.com to the APIC-EM file server
• Analyze the SMU impact
• Test the SMU on a pilot site
• Schedule the SMU deployment to the production sites
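The SMU triage the slides describe (is the SMU applicable to this platform, release and the features actually deployed; is it PSIRT-driven, recommended or optional; is it hitless or does it force a reload), as an added Python example that is not a Cisco tool. The SMU records, their field names and the device description are constructed for the example; the ids are placeholders, not Cisco defect or SMU numbers.

```python
from collections import namedtuple

# Field names are this example's own, not a Cisco SMU readme format.
Smu = namedtuple("Smu", "id platform release features recommended hitless psirt")
Device = namedtuple("Device", "platform release features")

# Constructed catalogue: placeholder ids, one platform/release each,
# an empty feature set meaning "infrastructure fix, applies regardless of features".
CATALOGUE = [
    Smu("smu-ssh-fix",     "cat9300", "16.5.1a", frozenset({"ssh"}),     True,  False, True),
    Smu("smu-bgp-fix",     "cat9300", "16.5.1a", frozenset({"bgp"}),     True,  True,  False),
    Smu("smu-mpls-fix",    "cat9300", "16.5.1a", frozenset({"mpls"}),    False, False, False),
    Smu("smu-netflow-fix", "cat9300", "16.5.1a", frozenset({"netflow"}), False, True,  False),
    Smu("smu-ospf-fix",    "cat9500", "16.5.1a", frozenset({"ospf"}),    True,  True,  False),
    Smu("smu-infra-fix",   "cat9300", "16.5.1a", frozenset(),            True,  True,  False),
]

# Constructed device: a Catalyst 9300 on 16.5.1a that does not run MPLS.
DEVICE = Device("cat9300", "16.5.1a", frozenset({"ssh", "bgp", "ospf", "netflow"}))


def applicable(smu, dev):
    """A SMU applies only to its exact platform and release and, when it is
    tied to features, only if the device runs at least one of them."""
    if (smu.platform, smu.release) != (dev.platform, dev.release):
        return False
    return not smu.features or bool(smu.features & dev.features)


def priority(smu):
    """Sort key: PSIRT fixes first, then recommended, then optional; within a
    tier hitless before reload-required; id last so the order is deterministic."""
    tier = 0 if smu.psirt else 1 if smu.recommended else 2
    return (tier, 0 if smu.hitless else 1, smu.id)


def triage(catalogue, dev):
    """Ordered ids of the applicable SMUs, and the subset that needs a reload."""
    todo = sorted((s for s in catalogue if applicable(s, dev)), key=priority)
    return [s.id for s in todo], [s.id for s in todo if not s.hitless]


def plan(catalogue, dev):
    """Split the triaged list into what can be installed now (hitless) and
    what has to wait for a maintenance window (reload-required)."""
    ordered, reloads = triage(catalogue, dev)
    return {"install_now": [i for i in ordered if i not in reloads],
            "reload_window": reloads}


if __name__ == "__main__":
    print(plan(CATALOGUE, DEVICE))
```

The feature check is the one most often skipped in practice: a SMU for a feature the device does not run adds reload risk without removing any exposure, while an infrastructure SMU with no feature list must not be filtered out by the same check.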
Guest Shell – Containers

Guest Shell: Application Linux Shell Environment On Your Switch or Router
[Figure: Linux applications run inside the Guest Shell, which sits on the open application container API of the network OS.]
• Maintain IOS XE system integrity
• Isolated user space
• Fault isolation
• Resource isolation
• On-box rapid prototyping
• Device-level API integration
• Scripting (Python)
• Linux commands
• Application hosting
• Integrate into your Linux workflow
• Integrated with IOS XE
Cisco Guest Shell Capabilities
                         Guest Shell 1.0       Guest Shell 1.0
Operating System         IOS-XE                IOS-XE
Platforms                CAT 3650, CAT 3850    Cat9K, ISR 4000
Guest Shell Environment  MontaVista CGE7       CentOS 7
Python 2.7               ✓                     ✓
Python 3.0               ✗                     ✓
GNU C Compiler           ✗                     ✗
RPM Install              ✗                     ✓
CAT 3650 Guest Shell Support
Minimum system requirements: 4 GB DRAM
Minimum IOS-XE release: 16.5.1
WS-C3650-xxx (all): default DRAM 4 GB; Guest Shell support ✓; other limitations: none
CAT 3850 Guest Shell Support
Minimum system requirements: 4 GB DRAM
Minimum IOS-XE release: 16.5.1
Model            Default DRAM   Guest Shell Support
3850-12X48U      4 GB           ✓
3850-24XU        4 GB           ✓
3850-48U         4 GB           ✓
3850-24U         4 GB           ✓
3850-48XS        8 GB           ✓
3850-24XS        8 GB           ✓
3850-NM-8-10G    8 GB           ✓
3850-NM-2-40G    8 GB           ✓
Other limitations: none
CAT 9300 Guest Shell Support
Minimum IOS-XE release: 16.5.1
C9300-xxx (all): default DRAM 16 GB; Guest Shell support ✓; other limitations: none
Guest Shell Overview
• Guest Shell is a decoupled execution space running within a Linux Container (LXC)
• From within the Guest Shell the network admin has the following capabilities:
  – Access to the network over Linux network interfaces
  – Access to bootflash
  – Access to the IOS CLI
  – The ability to install and run Python scripts
  – The ability to install and run 32-bit and 64-bit Linux applications
One Release Train
[Figure: one release train gives the network administrator simplified network administration, software lifecycle management and the same CLI (CLI, SNMP), while each platform keeps its relevant features; different binaries to match the respective platforms.]
Platforms Support
Platform                        First IOS XE 16 release
Catalyst 3850, Catalyst 3650    16.1.1
ASR 1000, ISR 4000              16.2.1
Catalyst 9300                   16.5.1a
Catalyst 9500                   16.5.1a
Catalyst 9400                   16.6.1
With Cat9K we have taken it one step further
Same Binary Image On all C9K
cat9k_iosxe.16.05.01a.SPA.bin
Catalyst 9K Family – One ASIC, OS & Licensing
• Catalyst 9300: lead fixed access
• Catalyst 9400: lead modular access
• Catalyst 9500: lead fixed core
• Converged ASIC: UADP 2.0
• Converged OS: Open IOS-XE
The Catalyst 9K family is built on common attributes.
Catalyst 9K Family – Want to Know More?
Cisco Live US 2017 – session BRKARC-2035, "The Catalyst 9000 Switch Family – An Architectural View", Wed 4 PM
http://www.cisco.com/c/m/en_us/training-events/events-webinars/webinars/techwise-tv/213-catalyst-9000-switches.html
Wrap up & Summary

IOS XE – A Modern OS for a New Era of Networking
Resiliency & High Availability
• Patching (SMU)
• Modular IOS subsystems
Open Programmability
• YANG data models
• Python
Containers & 3rd Party Apps
• Guest Shell
• Containers
• Python
• And more …
IOS XE – Advanced Modular Architecture
Thank you