IOS XE Programmability for Network Engineers...Jeff McLaughlin Principal Technical Marketing...

Jeff McLaughlin Principal Technical Marketing Engineer June 19, 2018 CCIE Evolving Technologies Blueprint IOS XE Programmability for Network Engineers


Jeff McLaughlin
Principal Technical Marketing Engineer
June 19, 2018

CCIE Evolving Technologies Blueprint

IOS XE Programmability for Network Engineers


© 2017 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialCisco Public

Your Host

• CCIE Routing/Switching (2004)
  • Fun Stuff Studied: DLSw+, ATM, ISDN
• CCIE Security (2008)
  • Fun Stuff Studied: NAC Framework, PIX, VPN 3k concentrator
• JNCIE Service Provider (2014, expired)
• CCIE Subject Matter Expert (Programmability/Automation)
• Principal TME in Enterprise business unit
• Manager of TME team for programmability and SD-Access
• http://www.subnetzero.info


Agenda

• CCIE ET Programmability Overview

• Why Programmability

• Structured Data/YANG Models

• NETCONF/RESTCONF

• Config Mgmt Tools

• APIs

• Conclusion


Programmability Panelists

Fabrizio Maccioni, Krishna Kotha, Jeremy Cohoe


CCIE ET Programmability Overview


CCIE Evolving Technologies 1.1 Blueprint

This domain, worth 10 percent overall, ensures that all CCIE/CCDE candidates have a clear understanding of important cloud, network programmability, and IoT concepts.

A.2 Network Programmability

A.2.a Describe architectural and operational considerations for a programmable network
  A.2.a.i Data models and structures (YANG, JSON and XML)
  A.2.a.ii Device programmability (gRPC, NETCONF and RESTCONF)
  A.2.a.iii Controller based network design (policy driven configuration and northbound/southbound APIs)
  A.2.a.iv Configuration management tools (agent and agent-less) and version control systems (Git and SVN)


Why Programmability?


Why automation and programmability?

Administrator needs to configure:

hostname switch1
int g0/0
ip address 10.1.1.11/24
vlan 100,200,300

. . .

hostname switch6
int g0/0
ip address 10.1.1.16/24
vlan 100,200,300


Programmability Reason #1 Do repetitive and tedious tasks more easily

Notepad is the most common automation tool. It’s just a very bad automation tool.


Programmability Reason #2 Programmatic Control of network devices

52037606 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

if error counters too high:
    then shutdown interface*

* pseudo-code


Programmability Reason #3 Interaction between network devices and other systems

NETCONF REST API

DNA Center

party apps


Transactionality

Programmability Reason #4 Stop bad configuration being committed to devices

int g0/0
 ip address 10.1.1.0/24
 no shutdown

router bgp 65001
 router-id 172.17.1.99
 bgp log-neighbor-changes
 neighbor 192.168.1.2 remote-as 40000
 neighbor 192.168.3.2 remote-as 50000
 address-family ipv4 unicast
  neighbor 192.168.1.2 activate
  network 172.17.1.0 mask 255.255.255.0
 exit-address-family

CLI

NETCONF


Operational Simplification

How to find the red user's switch/port?


Operational Simplification

How to find the red user's switch/port?

# ping 172.16.100.101
# show arp | i 172.16.100.101
# show mac address-table address 001a.a24d.5141
# show cdp neighbor g0/1 detail


Operational Simplification

How to find the red user's switch/port?

# show mac address-table address 001a.a24d.5141
# show cdp neighbor g0/10 detail


Operational Simplification

How to find the red user's switch/port?

# show mac address-table address 001a.a24d.5141
# show cdp neighbor g0/10 detail

Vlan  Mac Address     Type      Ports
----  -----------     --------  -----
244   001a.a24d.5141  DYNAMIC   Gi0/15


Operational Simplification

Programmability Reason #5 Automate complex troubleshooting tasks


DEMO TIME


1. User types command into Webex Teams
2. Command pulled down by script
3. Script sends NETCONF request
4. Switch replies via NETCONF with data
5. Data posted back to Webex room

REST

NETCONF


EEM

1. User changes device config
2. Change detected by EEM
3. EEM triggers on-box Python script
4. Python script diffs configs and sends diff to Webex
Webex posts diff to room

Catalyst 3850


Structured Data/YANG Models


Human-Oriented Interface

Machine-Oriented Interface


Machines using human-oriented interfaces can be highly inefficient!


CLI: Human-Oriented Interface

YANG Models: Machine-Oriented Interface


Structured vs Unstructured Data

Structured (keys and values):

Name: John Smith
Age: 42
Phone: +1-415-555-1212

Un-structured:

John Smith 42 14155551212

What is this?

• His age?
• The year he graduated college?
• Meaning of life, the universe & everything?


Hierarchical Structured Data (XML-like)

First User

<user1>
  <name>John Smith</name>
  <age>42</age>
  <phone>+1-415-555-1212</phone>
</user1>

Second User

<user2>
  <name>Sarah Kim</name>
  <age>27</age>
  <phone>+1-718-555-1212</phone>
</user2>


CLI = Unstructured Data

switch1# sh int e1/10
Ethernet1/10 is up
  Hardware: 1000/10000 Ethernet, address: 0005.73d0.9331 (bia 0005.73d0.9331)
  Description: To UCS-11
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
  reliability 255/255, txload 1/255, rxload 1/255
  Switchport monitor is off
  EtherType is 0x8100
  Last link flapped 8week(s) 2day(s)
  Last clearing of "show interface" counters 1d02h
  30 seconds input rate 944 bits/sec, 118 bytes/sec, 0 packets/sec
  30 seconds output rate 3110376 bits/sec, 388797 bytes/sec, 5221 packets/sec

Note inconsistent “key” format!


What we need: Standard, structured way to represent configuration and operational data.

<ipv4 xmlns="http://openconfig.net/yang/interfaces/ip">
  <addresses>
    <address>
      <config>
        <ip>172.26.194.212</ip>
        <prefix-length>24</prefix-length>
      </config>
    </address>
  </addresses>
</ipv4>


XML vs JSON

XML (NETCONF/RESTCONF):

<interfaces xmlns="[…]yang:ietf-interfaces">
  <interface>
    <name>eth0</name>
    <type>ethernetCsmacd</type>
    <location>0</location>
    <enabled>true</enabled>
    <if-index>2</if-index>
  </interface>
</interfaces>

JSON (RESTCONF):

{
  "ietf-interfaces:interfaces": {
    "interface": [
      {
        "name": "eth0",
        "type": "ethernetCsmacd",
        "location": "0",
        "enabled": true,
        "if-index": 2
      }
    ]
  }
}


Sends:

<interface>Gigabit 1/0</interface>
<ifaddr>10.0.0.1/24</ifaddr>

Expecting:

<interface>
  <name>Gigabit 1/0</name>
  <address>10.0.0.1/24</address>
</interface>

Error!


So why do we need YANG?

<interface>Ethernet 0/0</interface>
<name>Switch1 to UCS1</name>
<ipaddr>1.1.1.1/24</ipaddr>

<name>Ethernet 0/0</name>
<descr>Switch1 to UCS1</descr>
<ip>1.1.1.1/24</ip>

<ifname>Ethernet 0/0</ifname>
<ifalias>Switch1 to UCS1</ifalias>
<ifaddr>1.1.1.1/24</ifaddr>

Question: Which of these is correct?

Answer: They all are!


YANG Data Models

YANG Model:

container ip {
  list vrf {
    leaf rd
  }
}

Data:

vrf red
rd 1:1

XML Data:

<vrf>red</vrf>
<rd>1:1</rd>

YANG models do not contain data or XML. YANG models are like templates used to generate consistent XML.


YANG Data Models

YANG Model:

container ip {
  list vrf {
    leaf rd
  }
}

Data:

vrf red
rd 1:1

XML:

<vrf>red</vrf>
<rd>1:1</rd>

JSON:

{"vrf": "red", "rd": "1:1"}

YANG models can be used as a template for generating structured data in many different formats.


YANG Configuration Model Example*

* Note: YANG model simplified for clarity

YANG:

container ip {
  list vrf {
    description "Configure an IP VPN Routing/Forwarding instance";
    leaf name {
      type string;
    }
    leaf rd {
      description "Specify Route Distinguisher";
      type rd-type;
    }
  }
}

XML:

<ip>
  <vrf>
    <name>vrf_red</name>
    <rd>65000:1</rd>
  </vrf>
  <vrf>
    <name>vrf_green</name>
    <rd>65000:2</rd>
  </vrf>
</ip>

CLI:

ip vrf vrf_red
 rd 65001:1
!
ip vrf vrf_green
 rd 65001:2
!


So why is this:

<ip>
  <vrf>
    <name>vrf_red</name>
    <rd>65000:1</rd>
  </vrf>
  <vrf>
    <name>vrf_green</name>
    <rd>65000:2</rd>
  </vrf>
</ip>

...better than this?

ip vrf vrf_red
 rd 65001:1
!
ip vrf vrf_green
 rd 65001:2
!


CLI

ip vrf vrf_red
 rd 65001:1
!
ip vrf vrf_green
 rd 65001:2
!

• Good for human consumption
• Unstructured from a machine perspective


YANG-structured data

<ip>
  <vrf>
    <name>vrf_red</name>
    <rd>65000:1</rd>
  </vrf>
  <vrf>
    <name>vrf_green</name>
    <rd>65000:2</rd>
  </vrf>
</ip>

• Designed for machine consumption
• Directly convertible to/from Python dicts!


Where are YANG models?

Models installed on device automatically with IOS-XE.

Also can be downloaded from GitHub:

https://github.com/YangModels/yang/tree/master/vendor/cisco


Who defines the YANG models?

Vendors:

• Only work on specific vendor devices
• Greater feature coverage
• Can be OS-unique (IOS-XE, XR, etc.)

Standards Bodies:

• Multi-vendor support
• More limited feature coverage
• Allow vendor-specific extensions

Actually an "industry forum"


Important Point! Cisco’s data models and IETF/OpenConfig data models are just two ways of doing the same thing.

Cisco-defined “native” model:

<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
  <interface>
    <GigabitEthernet>
      <name>1/0/24</name>
      <description>Configured by NETCONF!</description>
    </GigabitEthernet>
  </interface>
</native>

IETF-defined model:

<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
  <interface>
    <name>GigabitEthernet 1/0/24</name>
    <description>Configured by NETCONF!</description>
  </interface>
</interfaces>

Both of these do exactly the same thing!


Important Point! Cisco’s data models and IETF/OpenConfig data models are just two ways of doing the same thing.

Cisco-defined “native” model:

<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
  <interface>
    <GigabitEthernet>
      <name>1/0/24</name>
      <description>Configured by NETCONF!</description>
    </GigabitEthernet>
  </interface>
</native>

IETF-defined model:

<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
  <interface>
    <name>GigabitEthernet 1/0/24</name>
    <description>Configured by NETCONF!</description>
  </interface>
</interfaces>

Both of these do exactly the same thing!

switch# show run interface g1/0/24
interface GigabitEthernet 1/0/24
 description Configured by NETCONF!


Configuration vs. Operational data

# sh run int g0/0

interface GigabitEthernet0/0
 description Management Interface
 vrf forwarding Mgmt-vrf
 ip address 172.26.244.49 255.255.255.0

# sh int g0/0

GigabitEthernet0/0 is up, line protocol up
  Hardware is RP management port
  Description: Management Interface

Configuration data tells the device what to do. It is data that you see in a “show run”.

Operational data tells us how a device is operating, from show commands other than “show run”.

We can write configuration data (think “conf t”), and we can read configuration data (think “show run”).

Operational data is read-only.

Some data can be read either as config data or operational data!


Models and structured data are particularly important for efficiently reading operational data...


PID  Runtime(ms)  Invoked  uSecs  5Sec   1Min   5Min   TTY  Process
1    3            31       96     0.00%  0.00%  0.00%  0    Chunk Manager
2    3687         4786     770    0.07%  0.01%  0.00%  0    Load Meter

Challenge: Write a Python script to go through the list of nearly 500 running processes and print the names of only those with runtime of 10 seconds or greater.

Regex hard to understand

Tied directly to table layout


Regular Expressions

-Stackexchange user


PID  Runtime(ms)  Invoked  uSecs  5Sec   1Min   5Min   TTY  Process
1    3            31       96     0.00%  0.00%  0.00%  0    Chunk Manager
2    3687         4786     770    0.07%  0.01%  0.00%  0    Load Meter

Challenge: Write a Python script to go through the list of nearly 500 running processes and print the names of only those with runtime of 10 seconds or greater.

XML easily rendered as Python dict

Intuitive nomenclature

Uses YANG data models
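The challenge above, solved both ways, as an added example that is not code from the original deck. The sample CLI table and NETCONF reply are constructed (the "BGP Router" row is made up so that one process passes the threshold), and the namespace and leaf names are assumed to follow the Cisco-IOS-XE-process-cpu-oper model; check them against the model on your device.

```python
import re
import xml.etree.ElementTree as ET

THRESHOLD_MS = 10_000  # "10 seconds or greater"; Runtime is reported in ms

# Constructed sample in the table layout shown on the slide.
CLI_OUTPUT = """\
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           3          31         96  0.00%  0.00%  0.00%   0 Chunk Manager
   2        3687        4786        770  0.07%  0.01%  0.00%   0 Load Meter
 312       48211      905113         53  0.15%  0.10%  0.09%   0 BGP Router
"""

# Same data after a (constructed) layout change that drops the TTY column.
CLI_OUTPUT_RELAYOUT = """\
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min Process
 312       48211      905113         53  0.15%  0.10%  0.09% BGP Router
"""

# The regex encodes every column of the table, in order.
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)"          # PID, Runtime, Invoked, uSecs
    r"\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%"       # 5Sec, 1Min, 5Min
    r"\s+(\d+)\s+(.+?)\s*$"                       # TTY, Process name
)


def long_running_from_cli(text, threshold_ms=THRESHOLD_MS):
    """Screen-scrape approach: silently returns nothing if the layout changes."""
    names = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m and int(m.group(2)) >= threshold_ms:
            names.append(m.group(9))
    return names


# Assumed namespace and leaf names (Cisco-IOS-XE-process-cpu-oper).
NS = {"cpu": "http://cisco.com/ns/yang/Cisco-IOS-XE-process-cpu-oper"}

# Constructed NETCONF <get> reply carrying the same three processes.
XML_REPLY = """\
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <data>
    <cpu-usage xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-process-cpu-oper">
      <cpu-utilization>
        <cpu-usage-processes>
          <cpu-usage-process>
            <pid>1</pid><name>Chunk Manager</name>
            <total-run-time>3</total-run-time>
          </cpu-usage-process>
          <cpu-usage-process>
            <pid>2</pid><name>Load Meter</name>
            <total-run-time>3687</total-run-time>
          </cpu-usage-process>
          <cpu-usage-process>
            <pid>312</pid><name>BGP Router</name>
            <total-run-time>48211</total-run-time>
          </cpu-usage-process>
        </cpu-usage-processes>
      </cpu-utilization>
    </cpu-usage>
  </data>
</rpc-reply>
"""


def long_running_from_xml(reply, threshold_ms=THRESHOLD_MS):
    """Model-driven approach: fields are addressed by name, not by position."""
    root = ET.fromstring(reply)
    names = []
    for proc in root.iterfind(".//cpu:cpu-usage-process", NS):
        runtime = int(proc.findtext("cpu:total-run-time", "0", NS))
        if runtime >= threshold_ms:
            names.append(proc.findtext("cpu:name", "", NS))
    return names


if __name__ == "__main__":
    print("CLI regex     :", long_running_from_cli(CLI_OUTPUT))
    print("CLI re-layout :", long_running_from_cli(CLI_OUTPUT_RELAYOUT))
    print("NETCONF XML   :", long_running_from_xml(XML_REPLY))
```

The re-layout case is the one to watch in monitoring scripts: the regex version returns an empty list rather than an error, so a layout change looks the same as "nothing to report".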


NETCONF/RESTCONF/gRPC


           | NETCONF | RESTCONF | gRPC
           | YANG    | YANG     | YANG
Encoding   | XML     | XML/JSON | gPB
Transport  | SSH     | HTTP/S   | HTTP/2


NETCONF protocol stack

CONTENT: XML (based on YANG)
OPERATIONS: GET, EDIT-CONFIG, ETC
MESSAGES: RPC
SECURE TRANSPORT: SSH (port 830)


NETCONF Highlights

• Transactional
  • Either all configuration is applied or nothing
  • Avoids inconsistent state
  • Both at Single Device and Network-wide level
• Error Management
  • OK or error code
• Capability Exchange
• Models Download from a Device

ssh -p 830 [email protected] -s netconf


Main NETCONF Operations

Main Operations | CLI Equivalent | Description
<get> | show | Retrieve running configuration and device state information
<get-config> | show run | Retrieve all or part of specified configuration datastore
<edit-config> | config t + commands | Loads all or part of a configuration to the specified configuration datastore
<delete-config> | no (delete config) | Delete a configuration datastore


NETCONF Datastores: Target of Operations

“A Datastore holds a copy of the configuration data that is required to get a device from its initial default state into a desired operational state”

Running: running-config
Start-up: startup-config
Candidate: work place for creating and manipulating configuration data

Running is the only mandatory Datastore


NETCONF Error Options

stop-on-error:

Abort the <edit-config> operation on the first error (Default)

continue-on-error:

Continue to process the configuration; record the error

rollback-on-error:

Stop processing <edit-config> and restore configuration to original state
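How the error option travels in an <edit-config> request and how the "OK or error code" reply is read, as an added example that is not code from the original deck. It builds the RPC for the native-model interface description shown earlier, escapes the values placed into it, and parses constructed replies; the message layout and capability URI are the standard NETCONF base protocol ones, and the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

BASE = "urn:ietf:params:xml:ns:netconf:base:1.0"          # NETCONF base namespace
NATIVE = "http://cisco.com/ns/yang/Cisco-IOS-XE-native"   # namespace from the slides
ROLLBACK_CAP = "urn:ietf:params:netconf:capability:rollback-on-error:1.0"
ERROR_OPTIONS = ("stop-on-error", "continue-on-error", "rollback-on-error")


def choose_error_option(server_capabilities):
    """Ask for rollback-on-error only if the server advertised it in <hello>."""
    if ROLLBACK_CAP in server_capabilities:
        return "rollback-on-error"
    return "stop-on-error"  # the default when no option is sent


def interface_description_payload(name, description):
    """Native-model payload; values are escaped so text taken from a ticket
    or chat message cannot add elements to the request."""
    return (
        f'<native xmlns="{NATIVE}"><interface><GigabitEthernet>'
        f"<name>{escape(name)}</name>"
        f"<description>{escape(description)}</description>"
        "</GigabitEthernet></interface></native>"
    )


def build_edit_config(payload, error_option, target="running", message_id=101):
    if error_option not in ERROR_OPTIONS:
        raise ValueError(f"unknown error-option: {error_option}")
    if target not in ("running", "candidate"):
        raise ValueError(f"unsupported target datastore: {target}")
    rpc = (
        f'<rpc message-id="{int(message_id)}" xmlns="{BASE}">'
        f"<edit-config><target><{target}/></target>"
        f"<error-option>{error_option}</error-option>"
        f"<config>{payload}</config></edit-config></rpc>"
    )
    ET.fromstring(rpc)  # raises ParseError rather than sending malformed XML
    return rpc


def parse_reply(reply_xml):
    """Return {'ok': bool, 'errors': [{'error-tag': ..., ...}, ...]}."""
    root = ET.fromstring(reply_xml)
    errors = [
        {child.tag.split("}")[-1]: (child.text or "").strip() for child in err}
        for err in root.iter(f"{{{BASE}}}rpc-error")
    ]
    ok = root.find(f"{{{BASE}}}ok") is not None and not errors
    return {"ok": ok, "errors": errors}


# Constructed replies: one success, one failure.
OK_REPLY = f'<rpc-reply message-id="101" xmlns="{BASE}"><ok/></rpc-reply>'
ERROR_REPLY = f"""<rpc-reply message-id="102" xmlns="{BASE}">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>invalid-value</error-tag>
    <error-severity>error</error-severity>
    <error-message>constructed sample error</error-message>
  </rpc-error>
</rpc-reply>"""

if __name__ == "__main__":
    option = choose_error_option([ROLLBACK_CAP])
    payload = interface_description_payload("1/0/24", "Configured by NETCONF!")
    print(build_edit_config(payload, option))
    print(parse_reply(OK_REPLY))
    print(parse_reply(ERROR_REPLY))
```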


Enabling NETCONF: 3 Steps

Enable AAA:

C3850-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C3850-1(config)#aaa new-model
C3850-1(config)#aaa authentication login default local
C3850-1(config)#aaa authorization exec default local
C3850-1(config)#username admin password cisco

Enable SSH:

C3850-1(config)#line vty 0 15
C3850-1(config-line)#transport input all

Enable NETCONF:

C3850-1(config)#netconf-yang
C3850-1(config)#
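The three steps above are lab settings: `transport input all` also admits Telnet, and `username admin password cisco` stores a well-known password without a one-way hash. The following audit is an added example, not code from the original deck; it flags those settings in a saved configuration. The hardened sample is constructed (user name, hash and ACL name are placeholders), and the `netconf-yang ssh ipv4 access-list name` check assumes an IOS XE release that supports that command.

```python
import re

# Configuration lines exactly as entered on the slide.
SLIDE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username admin password cisco
line vty 0 15
 transport input all
netconf-yang
"""

# Constructed hardened counterpart; hash and names are placeholders.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username netops privilege 15 secret 9 $9$CONSTRUCTED$PLACEHOLDERHASH
line vty 0 15
 transport input ssh
netconf-yang
netconf-yang ssh ipv4 access-list name NETCONF-MGMT
"""

WELL_KNOWN_PASSWORDS = {"cisco", "admin", "password"}
USER_RE = re.compile(r"^username (\S+)\b.*?\bpassword (?:([07]) )?(\S+)")
NETCONF_ACL_RE = re.compile(r"^netconf-yang ssh ipv[46] access-list name \S+")


def audit(config):
    """Return a list of (rule_id, offending line) for a configuration text."""
    findings = []
    parent = ""           # last top-level line; context for indented sub-commands
    netconf_line = None
    netconf_acl = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] != " ":
            parent = line

        user = USER_RE.match(line)
        if user:
            # "password" is stored cleartext (type 0) or reversible (type 7)
            findings.append(("PASSWORD-NOT-SECRET", line))
            if user.group(2) != "7" and user.group(3).lower() in WELL_KNOWN_PASSWORDS:
                findings.append(("DEFAULT-CREDENTIAL", line))

        if parent.startswith("line vty") and line.startswith("transport input"):
            protocols = line.split()[2:]
            if "all" in protocols or "telnet" in protocols:
                findings.append(("VTY-ALLOWS-TELNET", f"{parent} / {line}"))

        if line == "netconf-yang":
            netconf_line = line
        if NETCONF_ACL_RE.match(line):
            netconf_acl = True

    if netconf_line and not netconf_acl:
        findings.append(("NETCONF-NO-ACL", netconf_line))
    return findings


def rule_ids(config):
    return [rule for rule, _ in audit(config)]


if __name__ == "__main__":
    for rule, line in audit(SLIDE_CONFIG):
        print(f"{rule:22} {line}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```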


REST vs RESTCONF: not the same!

REST: “A framework for client-server communications”

API: GET, POST, PUT, DELETE

RESTCONF: “REST-like protocol for accessing YANG models”


RESTCONF protocol stack

CONTENT: XML/JSON (based on YANG)
OPERATIONS: GET, PUT, PATCH, etc.
SECURE TRANSPORT: HTTPS


RESTCONF vs NETCONF Operations

RESTCONF | As compared to NETCONF
GET | <get-config>, <get>
POST | <edit-config> (operation="create")
PUT | <edit-config> (operation="create/replace")
PATCH | <edit-config> (operation="update")
DELETE | <delete-config> (operation="delete")


HTTPS Return codes

Return code | Details
1xx (Informational) | Received and understood, please wait….
2xx (Success) | Received, understood, accepted, and processed successfully
3xx (Redirection) | Client must take additional action (URL redirection)
4xx (Client error) | Client is at fault
5xx (Server error) | Server is at fault


Enabling RESTCONF

Cat9k-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.

Enable RESTCONF:

Cat9k-1(config)#restconf

Enable HTTP server:

Cat9k-1(config)#ip http secure-server


gRPC definition

“gRPC is an open source RPC (Remote Procedure Call) system developed at Google”

http://www.grpc.io

GPB (Google Protocol Buffers)

• Google ecosystem with automatic GPB integration
• Cross-platform client and server bindings for many languages: C, C++, C#, Go, Java, Node.js, Objective-C, PHP, Python, Ruby
• Feature rich: authentication, bidirectional streaming and flow control, blocking/nonblocking bindings, cancellation and timeouts
• HTTP/2 transport
• Not a standard!


DEMO: YANG/NETCONF


Configuration Management Tools


Automate Servers, Applications and Networks configurations

[Diagram: CMT Server, Desired State (Intent) configuration, Device]

Highlights:
• Declarative model (intent)
• Idempotency
• Agent vs Agent-less Architectures

Customer Value:
• config automation (medium)
• manages config drift (high)
• audit trail (very high)


Most Popular Configuration Management Tools
Enterprise Networks


CMT Comparison

                      Ansible      Puppet                                               Chef
Agent required?       Agentless    Agent-based; moving to agentless for network mgmt    Agent-based
Configuration File    Playbook     Manifest                                             Cookbook
Config Language       YAML         Custom                                               Custom


Ansible Playbook Example

[Figure: example playbook with callouts Playbook, Play, Task, Module]

http://docs.ansible.com/ansible/latest/YAMLSyntax.html


Ansible Inventory

Define the hosts and group of hosts
• hosts by IP or FQDN
• groups [<group-name>]
• Optional parameters:
  • nested groups
  • range
  • group variables

pip install

# group
[cat3k]
172.26.249.169

# range
[cat9k]
172.26.249.15[1:4]

[cat4500-X]
10.200.98.82

# nested groups
[ios-xe:children]
cat3k
cat9k
cat4500-X

# group variables
[ios-xe:vars]
ansible_network_os=ios
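To see exactly which devices a group such as ios-xe resolves to before a playbook touches them, the following added example (not from the slides and not Ansible's own code) parses the inventory above. The names expand, parse and hosts_of are hypothetical, and it assumes numeric ranges only and no comment lines.

```python
import re

# Inventory from the slide, one entry per line.
INVENTORY = """[cat3k]
172.26.249.169
[cat9k]
172.26.249.15[1:4]
[cat4500-X]
10.200.98.82
[ios-xe:children]
cat3k
cat9k
cat4500-X
[ios-xe:vars]
ansible_network_os=ios"""
HEADER = re.compile(r"^\[([^\]:]+)(?::(children|vars))?\]$")
RANGE = re.compile(r"\[(\d+):(\d+)\]")

def expand(pattern):
    """Expand inclusive numeric ranges: 15[1:4] -> 151, 152, 153, 154."""
    m = RANGE.search(pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [h for n in range(int(m.group(1)), int(m.group(2)) + 1)
            for h in expand(f"{head}{n}{tail}")]

def parse(text):
    """Return {group: {"hosts": [...], "children": [...], "vars": {...}}}."""
    groups, name, kind = {}, "ungrouped", "hosts"
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HEADER.match(line)
        if m:
            name, kind = m.group(1), m.group(2) or "hosts"
        group = groups.setdefault(name, {"hosts": [], "children": [], "vars": {}})
        if kind == "hosts" and not m:
            group["hosts"] += expand(line.split()[0])  # inline host vars ignored
        elif kind == "children" and not m:
            group["children"].append(line)
        elif not m:
            key, _, value = line.partition("=")
            group["vars"][key.strip()] = value.strip()
    return groups

def hosts_of(groups, name, seen=()):
    """Hosts of a group including nested groups; a membership cycle raises."""
    if name in seen:
        raise ValueError(f"nested group cycle at {name}")
    g = groups[name]
    return g["hosts"] + [h for c in g["children"]
                         for h in hosts_of(groups, c, seen + (name,))]
```

Calling hosts_of(parse(INVENTORY), "ios-xe") lists the six addresses that the ios-xe group variables apply to.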


Ansible Playbook Run

To run a playbook:

ansible-playbook <playbook>.yaml [options]

Common options:
• -u admin -k -K: username and password at runtime
• -l 172.26.249.42: single or list of hosts
• -i ./hosts: overrides inventory files
• -v: verbose output
• -vvvv: connection debug


Great word to remember!

Idempotency (from Latin "idem" = "the same thing")

In the context of configuration management tools, it means: only change what needs to be changed.
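The following added example (not from the slides and not any tool's own code) shows idempotency on a simulated device: the first run pushes only the missing commands, a rerun pushes nothing, and a manual change is detected as drift and reverted. The running-config is constructed, the function names are hypothetical, and treating plain `ip http server` as undesired is an assumption made for the example.

```python
# Constructed running-config for a hypothetical switch; not from the slides.
RUNNING = ["hostname Cat9k-1", "ip http server", "ip http secure-server"]
# Desired state (intent). Removing plain HTTP is an assumption added here.
PRESENT = ["restconf", "ip http secure-server"]
ABSENT = ["ip http server"]

def plan(running, present, absent):
    """Commands still needed to reach the desired state; [] when compliant."""
    have = {line.strip() for line in running}
    return ([cmd for cmd in present if cmd not in have] +
            [f"no {cmd}" for cmd in absent if cmd in have])

def push(running, commands):
    """Stand-in for the device: apply commands to a copy of its config."""
    config = [line.strip() for line in running]
    for cmd in commands:
        if cmd.startswith("no "):
            config = [line for line in config if line != cmd[3:]]
        else:
            config.append(cmd)
    return config

def converge(running, present, absent, check=False):
    """One tool run. Returns (config_after, changes); changes is the audit record.
    With check=True nothing is pushed and the plan is only reported."""
    changes = plan(running, present, absent)
    return (list(running) if check else push(running, changes)), changes

def demo():
    """Three runs: first convergence, an idempotent rerun, then manual drift."""
    cfg, first = converge(RUNNING, PRESENT, ABSENT)
    cfg, second = converge(cfg, PRESENT, ABSENT)
    drifted = cfg + ["ip http server"]          # someone re-enables HTTP by hand
    cfg, third = converge(drifted, PRESENT, ABSENT)
    return first, second, third, cfg

if __name__ == "__main__":
    for label, changes in zip(("first", "rerun", "after drift"), demo()):
        print(f"{label}: {changes or 'no change'}")
```

The per-run change lists are what the earlier slide calls the audit trail: an empty list means the device already matched the intent.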


Conclusion


New e-Book!

Summarizes all aspects of IOS XE programmability

http://cs.co/IOS-XE-Programmability-Book


How do I learn Python?

Automate the Boring Stuff with Python, Al Sweigart
Great introduction to Python focused on automation. (Not specifically network automation.) Covers Python 3.0 only. Assumes zero knowledge. Read Excel docs, generate PDFs, etc. Highly recommended.

Real Python. http://realpython.com
Three-part course. Begins with basics assuming no knowledge. Covers Python 2.7 and 3.0. Parts II and III focus on web development with Python. Covers flask, Django, jinja2 templates. Many resources on the web site for free.


Cisco DevNet

http://developer.cisco.com

• Learning Labs
• Sandboxes
• API Documentation
• Python, YDK, REST
• And More!


"If a thing is worth doing, it is worth doing badly." - G.K. Chesterton


• Identify one problem you can solve with a script
• Start small
• Copy and modify scripts from DevNet (developer.cisco.com)

• Go and study for your CCIE!