Programmability and Automation on Cisco Nexus … · Find this session in the Cisco Live Mobile App...

Programmability and Automation on Cisco Nexus Platforms

Krishna Chaitanya, Solutions Architect

DEVNET-1467

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How

cs.co/ciscolivebot#DEVNET-1467

• Introduction

• Programmability on Nexus

• Day 0 - Install

• Day 1 - Configure & Operate

• Day 2 - Optimize

• Day n – Upgrade/Patching

• Conclusion

Agenda


Network “Automation” Today

• In a majority of environments:

• Stage configuration in Notepad, copy/paste and hope it works

• Automation according to definition of fixed third party tools

• Conversational configuration via expect scripts

• Challenges:

• Manual, repetitive, error-prone tasks

• Waste time, talent, typing

• Network lags behind industry automation capabilities

Pasting large configuration:

Typo? Start from scratch

DEVNET-1467 5

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 6DEVNET-1467

Complete Nexus Product Portfolio

Nexus 2300 Nexus 3100 Nexus 5600

One Operating System—NX-OS

Operational Simplicity

Architectural Flexibility

Open/ Programmable

Resilienceand Scale

Investment Protection

Nexus 7000 Nexus 9000

(ACI)

10G / 40G 10G / 40G / 100G

For YourReference


Open North Bound RESTful APIs

7DEVNET-1467

Programmability, Automation, Orchestration

Automation

Controllers, Configuration Management Tools

OrchestrationCloud | On-Prem

Network-Enabled Applications

Device Programmability

Physical and Virtual Network Infrastructure

Open & Programmable | Standards-Based South Bound APIs


Why Automate, what are the benefits?

Save Time Customize InnovateHuman Error


Package and Application Management

Native Agent

SDK

ExtensibilityStandard Open Interfaces

Ease of

OperationsModular Open 3rd Party Apps Programmable

Ready for

DevOps

Cisco NX-OS – Programmable – Extensible – Open

Server Management Tools

NX-API

CLI

Programmability Tools

NX-API

REST

POAP

BootStrap and Provisioning

PXE

DCNM


Automating Device Operational Lifecycle

10DEVNET-1467

Day 0

Install

Day 1

Configure & Operate

Day 2

Optimize

Day N

Upgrade


Automating Device Operational Lifecycle

GOAL:

Get a device into an

operational state

GOAL:

Get the network into an

operational state

GOAL:

Continuous Incremental

upgrades

GOAL:

Optimize and trouble shoot

POAP/PXE Ansible/Puppet/Chef

NX-API CLI/REST

Ansible/Puppet/Chef

Guestshell

Patching/ ISSU

Puppet/Chef/Ansible

NX-API CLI/REST

Day 0

Install

Day 1

Configure & Operate

Day 2

Optimize

Day N

Upgrade

Day 0 – Install

Get a device into an operational state

• Power On Auto Provisioning (POAP)

• iPXE


PowerOn Auto Provisioning

• PoAP runs if there is no startup config on the switch

• PowerOn Auto Provisioning will do the following:

1. Install the kickstart image

2. Install the system image

3. Copy a configuration to the switch

4. (optional) run a post installation script

13

Note: PoAP can be forced with boot poap enable

DEVNET-1467


Nexus Switch

Default Gateway

1Power up Phase: Start Power On Auto-Provisioning Process5

Reboot if needed. Switch up and running the downloaded

image and config

Script Server

Download Script file onto the switch and execute the script

3

DHCP Server

DHCP Discover phase:Get IP Address, GatewayScript server Script file

2

Download Configuration License Software images onto the switch

4

License, Configuration and Software Server

14DEVNET-1467

Cisco Nexus Power on Auto Provisioning (PoAP)


Getting a hold of PoAP Scripts

CCO Downloads Page

Look for Kick Start images

PoAP Scripts

Python and TCL

15

For YourReference

DEVNET-1467


Deploy and Manage POAP Using DCNM..

16DEVNET-1467

Day 0 – PoAP & Chef


Boot Server(DHCP & HTTP/TFTP)NX-OS Image Repository

DHCP

DISCOVER(v4/v6)

IP Address &

File/Image URL

TFTP GET

FILE/HTTP

URL

http://n9k-dk9.bin..

Validate Image

Checksum &

Boot

iPXE

• Leverage existing compute PXE/iPXE

• NX-OS CLI:

• boot option bootflash | pxe

18DEVNET-1467

Nexus 3/9k

Shipping !

Day 1 - Configure & Operate

Get the network into an operational state

• NETCONF

• NX-API CLI

• NX-API REST

• Configuration Management Tools (Puppet/Chef/Ansible)

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 20

Day-1 Scenarios

Network Feature and

Protocol ConfigurationProvision New Device

Added to the Network

Managing and Obtaining

Network Data

DEVNET-1467

Netconf


Why Netconf ?

Standards Based XML Config / ShowAdditional Features

Config Validation

Rollback

22DEVNET-1467


NETCONF is an IETF Configuration Management Protocol

• Standards Based Protocol Stack: RFC 4741/6241

• Separates Operational and Configuration Data (show commands v/s config)

• Candidate buffer for validation of config before commit

• Locking the config space

23DEVNET-1467

Content

Operations

Messages

Transport

Protocol Stack


How does a Netconf Request Look Like ?

<?xml version="1.0"?>

<nf:rpc xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0"

xmlns="http://www.cisco.com/nxos:7.3.0.D1.1.:if_manager" message-id="1">

<nf:get>

<nf:filter type="subtree">

<show>

<interface>

<__XML__PARAM__ifeth>

<__XML__value>Ethernet1/1</__XML__value>

</__XML__PARAM__ifeth>

</interface>

</show>

</nf:filter>

</nf:get>

</nf:rpc>

]]>]]>

Message - RPC

Operation

Content

DEVNET-1467


NETCONF Operations

Operation Description

<get-config> Retrieve all or part of specified configuration datastore

<edit-config> Loads all or part of a configuration to the specified configuration

datastore

<copy-config> Replace an entire configuration datastore with another

<delete-config> Delete a configuration datastore

<commit> Copy candidate datastore to running datastore (ex: XR)

<get> Retrieve running configuration and device state information

<lock> / <unlock> Lock or unlock the entire configuration datastore system

<close-session> Graceful termination of NETCONF session

<kill-session> Forced termination of NETCONF session

Use CaseConfiguration Rollback


Rollback in Action…<interface>

<__XML__PARAM__interface>

<__XML__value>port-channel200</__XML__value>

<m1:mtu>

<m1:__XML__PARAM__mtu_val>

<m1:__XML__value>1000</m1:__XML__value></m1:__XML__PARAM__mtu_val>

</m1:mtu>

<m2:ip>

<m2:address>

<m2:__XML__PARAM__ip-prefix>

<m2:__XML__value>300.0.0.2/24</m2:__XML__value></m2:__XML__PARAM__ip-prefix>

</m2:address>

</m2:ip>

</__XML__PARAM__interface>

</interface>

NX-API


Why NX-API?

Web base (HTTP/S) Structured Output

JSON, XMLRole Based Access


NX-API: Sample Use Cases

• Data Collection and Display

• Resources, Interface Statistics

• Switch Configuration and Feature Provisioning

• Consistency Checks

• Cable Plan

• VLAN

• vPC

30DEVNET-1467

NX-API REST


Why ?

• CLIs :

• Synchronous – need to wait until each CLI complete

• Order-dependent (conf t ; router bgp ; neighbor…)

• Non-structured output

• Update to configuration requires removal and reconfigure

• NX-API

• Evolution over CLIs – structured output !!

• Still synchronous and order dependent

RESTfulGET |PUT | POST | DELETE

32DEVNET-1467


NX-API REST Details

• Everything is an object

• All elements accessible via REST Interface :

• Configuration Elements

• Faults

• Events

• Operational Data (example operational state of an interface)

• Statistics

• Features supported in 7.0(3)I2(1): BGP, VLAN, LACP, ACL, QoS, UDLD, CDP, MAC, DHCP, DNS, RBAC, AAA, SVI, Logging, NTP, VRRP

• Many more being added..

Nexus

3/7/9k

Shipping !

33DEVNET-1467


System

BgpEntity BgpInstance BgpDomain BgpPeer

BgpLocalASN

BgpPeerAf

BgpPeerEntry

L1PhysIf

ethpmPhysIf ethpmPortCap

L1Load

L1StormControl

34DEVNET-1467

Cisco Nexus Object ModelGlobally unique identifier for an object in the database

sys/bgp/inst/dom-default/peer-[192.168.0.2]

sys/phys-[eth1/1]/phys/portcap


Object Based ProgrammabilityCLI

router bgp 65000

router-id 1.1.1.1


Object Based ProgrammabilityCLI NX-API POST Request

router bgp 65000

router-id 1.1.1.1

POST http://Switch-IP/ins {'content-

type':'application/json-rpc'}.json()

{ "jsonrpc": "2.0",

"method": "cli",

"params": {

"cmd": "config t",

"version": 1

},

},

{ "jsonrpc": "2.0",

"method": "cli",

"params": {

"cmd": ”router bgp 65000",

"version": 1

},

},

{ "jsonrpc": "2.0",

"method": "cli",

"params": {

"cmd": ”router id 1.1.1.1",

"version": 1

},

}

http://switch-ip/ins


Object Based ProgrammabilityCLI NX-API POST Request NX-API REST POST Request BGP Object

router bgp 65000

router-id 1.1.1.1

POST http://Switch-IP/ins {'content-

type':'application/json-rpc'}.json()

{ "jsonrpc": "2.0",

"method": "cli",

"params": {

"cmd": "config t",

"version": 1

},

},

{ "jsonrpc": "2.0",

"method": "cli",

"params": {

"cmd": ”router bgp 65000",

"version": 1

},

},

{ "jsonrpc": "2.0",

"method": "cli",

"params": {

"cmd": ”router id 1.1.1.1",

"version": 1

},

}

POST http://Switch-

IP/api/mo/sys/bgp/inst.json

{

"bgpInst" : {

"attributes" : {

"asn" : "65000"

}

"children" : [{

"bgpDom" : {

"attributes" : {

"name" : "default",

"rtrId" : “1.1.1.1"

}

}

}

]

}

}

http://switch-ip/ins

Configuration Management


Sysadmins had this problem of scale..

• Number of Servers in the IT infra increased

• Virtualization increased complexity–100s of VMs per server !

• Manageability, Visibility Challenges !

39DEVNET-1467


Configuration Management Tools


Configuration Management Tools

• In use for years to automate servers

• Ensure software packages are installed, services running

• Use to push configurations, install software packages

• Becoming useful for managing networking devices as well

• Declarative model: not scripting!

41DEVNET-1467


Template your Configs !

• De-couple configuration data(Interface, VLAN, IP, Routing Protocols etc) from configuration method (Netconf, NX-API)

• Benefits:

• Less Scripting Knowledge

• Move between APIs/Protocols transparently

DEVNET-1467


ExampleTemplate

N7k-1 : {

$vlanid : 10,

$vlan_name : “vlan_red”,

$intf_name : “Eth1/1”,

$intf_ip : “1.1.1.1”,

$intf_mask : “255.255.255.0”

},

N7k-2 : {

$vlanid : 20,

$vlan_name : “vlan_blue”,

$intf_name : “Eth2/1”,

$intf_ip : “2.1.1.1”,

$intf_mask : “255.255.255.0”

},

#Setup VLAN

cisco_vlan {"${vlanid}":

vlan_name => $vlanname,

ensure => present

}

#Create VLAN Interface (step2)

cisco_interface { $intfName :

description => $vlanname,

shutdown => false,

ipv4_address => $intf_ip,

ipv4_netmask_length => $intf_ip_mask,

}

43DEVNET-1467


Puppet and Chef

• Puppet and Chef use a pull model (agent/client pulls from server)

• Agent/Client lives in LXC container (optionally directly in bash on 3K/9K)

• Cisco modules in Puppet Forge or Chef Supermarket

Agent

LXC Container

Puppet Master/Chef Server

Manifests/Cookbooks

Nexus sends data and request cfg every 30 mins

Server sends config to switch

SSL

Nexus

44DEVNET-1467


• Agents RPM installed on switch

• Open source, available in Puppet / Chef

Repositories

• Supported Agent Types/Providers growing !

https://forge.puppet.com/puppetlabs/ciscopuppet

https://supermarket.chef.io/cookbooks/cisco-cookbook

45DEVNET-1467

Chef and Puppet Agent: Types/Provider Support

https://forge.puppet.com/puppetlabs/ciscopuppet

https://supermarket.chef.io/cookbooks/cisco-cookbook


Ansible

• Ansible uses an agentless push model

• Uses YAML and Jinja2 templates

• Can configure using CLI (SSH) or NX-API

• Use nxos-ansible modules, or new core Ansible 2.1 modules

Ansible Server

Playbooks

Server sends config when playbook is run

NX-API (HTTP/S)

CLI (SSH)

Nexus

No agent

feature nxapi

Unlike server configuration Ansible does not execute Python on-box

46DEVNET-1467


Summary - Agent v/s Agent-less Architecture

• Agent based CM are “pull based”

• Agent on managed device connects with master for config information periodically

• Changes made on master are pulled down and executed

• Puppet, Chef are Agent Based

• Agent-less CM are “push based”

• CM scripts are run on the master

• Scripts connect to the managed device and execute the tasks

• No timer, control lies with the master

• Ansible is agent-less

All CM tools provide

Audit logging of change

Concept of no-op runs

For YourReference

47DEVNET-1467


Summary – Day 1 Provisioning

• Protocols

• Netconf

• NX-API

• NX-API REST

• Building blocks for Programmability

• Configuration Management Tools

• Ansible

• Chef

• Puppet

• Leverage APIs to manage your network better

Day 2 – OptimizeOptimize and trouble shoot

• NX-API CLI

• NX-API REST

• On-box Python

• Embedded Event Manger (EEM)

• Guestshell/Open Agent Container


• 3rd Party Tools (Splunk, Nagios, etc.)


Embedded Event Manager

• EEM takes certain Actions based on triggering Events.

50DEVNET-1467

Trigger

cli Syslog Hw insert/remove temperature track Etc…

Events

cli python reload syslog Etc…

Action

For YourReference


Scheduler

• Cron-like facility to schedule jobs on the switch

• Multiple Schedules and Jobs

• Invoke CLIs, Scripts

51DEVNET-1467

Nexus

3/7/9k

Shipping !For YourReference


On Board Python

• Pre-installed Python interpreter

• Integrated with Embedded Event Manager and Scheduler

52DEVNET-1467

Interactive Mode

switch# python Copyright (c) 2001-2012 Python Software Foundation; All Rights Reserved

switch# >>> print "hello world“hello worldswitch# >>> exit()

Non Interactive (script) Mode

Switch # dir bootflash:scripts946 Oct 30 14:50:36 2013 crc.py7009 Sep 19 10:38:39 2013 myScript.py22760 Oct 31 02:51:41 2012 poap.py

Switch # source crc.py-----------------------------------------Started running CRC checker scriptfinished running CRC checker script------------------------------------------


Some key modules

• syslog

yslog message with user defined severity and text

• cisco

cli() to execute CLI commands from within Python

• json

data structures to/from JSON format

53DEVNET-1467

The “Open” In Open-NXOS

Linux Containers, Guest-Shell and Bash


Guest Shell 2.0

55DEVNET-1467

GUEST SHELL

Open Source

Packages

Apps

Apps

NX-OS CLI

Python

enabled

CentOS 7.0

rootfs

Secure Linux Container (sLXC)

N9K / N3K

DevOps

Open SourceTools, utilities, applications,

Puppet, Chef

3rd Party

Apps

bootflash:

Apps

64-bit CentOS 7 environment.

decoupled from NX-OS.

It allows to run applications

that monitor, control and

extend the switch.

Cisco

Packages

Apps

Nexus 3/9k

Shipping !

Native Shell


• access to the underlying Linux system on the switch.

• Linux Kernel: Wind River 3.4.43. Distribution: Yocto 1.2

• Access is only for users with NX-OS dev-ops role or network-admin role.

• (conf t)# feature bash-shell

(conf t)# run bash

bash$ sudo su

bash#

Native Shell

57DEVNET-1467

Nexus 3/9k

Shipping !


Manage Your Switch Like a Server

• Your usual Linux commands:

# tcpdump –i Eth1-1

# ethtool –S Eth2-1

# ifconfig Eth2-1 mtu 9000

# ip route add 203.0.113.0/24 via 198.51.100.2

58DEVNET-1467

Nexus 3/9k

Shipping !

Day n – Upgrade/PatchingContinuous Incremental upgrades

• ISSU/Graceful Insertion/Removal

• OS Patching



Cisco NX-OS Patching

Copy

ActivateCommit

Verify Add

switch# copy scp: bootflash:

switch# install add <patch>

switch# install activate <patch>switch# install commit <patch>

switch# show install patches


Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How

cs.co/ciscolivebot#DEVNET-1467


• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Complete Your Online Session Evaluation

http://ciscolive.com/Online

http://www.ciscolive.com/global/on-demand-library/


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Tech Circle

• Meet the Engineer 1:1 meetings

• Related sessions

63DEVNET-1467

Thank you

Programmability and Automation on Cisco Nexus … · Find this session in the Cisco Live Mobile App...

Documents

Transcript of Programmability and Automation on Cisco Nexus … · Find this session in the Cisco Live Mobile App...