ios xe programmability for network engineers...jeff mclaughlin principal technical marketing...

Jeff McLaughlinPrincipal Technical Marketing EngineerJune 19, 2018

CCIE Evolving Technologies Blueprint

IOS XE Programmability for Network Engineers

• CCIE Routing/Switching (2004)• Fun Stuff Studied: DLSw+, ATM, ISDN

• CCIE Security (2008)• Fun Stuff Studied: NAC Framework, PIX, VPN 3k concentrator

• JNCIE Service Provider (2014, expired)• CCIE Subject Matter Expert (Programmability/Automation)• Principal TME in Enterprise business unit• Manager of TME team for programmability and SD-Access• http://www.subnetzero.info

Your Host

Agenda

• CCIE ET Programmability Overview

• Why Programmability

• Structured Data/YANG Models

• NETCONF/RESTCONF

• Config Mgmt Tools

• APIs

• Conclusion

Programmability Panelists

Fabrizio Maccioni Krishna KothaJeremy Cohoe

CCIE ET Programmability Overview

CCIE Evolving Technologies 1.1 BlueprintThis domain, worth 10 percent overall, ensures that all CCIE/CCDE candidates have a clear understanding of important cloud, network programmability, and IoT concepts.

A.2 Network Programmability

A.2.a Describe architectural and operational considerations for a programmable networkA.2.a.i Data models and structures (YANG, JSON and XML)A.2.a.ii Device programmability (gRPC, NETCONF and RESTCONF)A.2.a.iii Controller based network design (policy driven configuration and northbound/ southbound APIs)A.2.a.iv Configuration management tools (agent and agent-less) and version control systems (Git and SVN)

Why Programmability?

Why automation and programmability?

.Administrator

Needs to configure

hostname switch1int g0/0

ip address 10.1.1.11/24vlan 100,200,300

hostname switch6int g0/0

ip address 10.1.1.16/24vlan 100,200,300

Programmability Reason #1 Do repetitive and tedious tasks more easily

Notepad is the most common automation tool.It’s just a very bad automation tool.

Programmability Reason #2 Programmatic Control of network devices

52037606 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

if error counters too high:then shutdown interface*

* pseudo-code

Programmability Reason #3 Interaction between network devices and other systems

NETCONF REST API

DNA Center

party apps

Transactionality

Programmability Reason #4 Stop bad configuration being committed to devices

int g0/0ip address 10.1.1.0/24no shutdown

router bgp 65001 router-id 172.17.1.99bgp log-neighbor-changesneighbor 192.168.1.2 remote-as 40000neighbor 192.168.3.2 remote-as 50000address-family ipv4 unicastneighbor 192.168.1.2 activatenetwork 172.17.1.0 mask 255.255.255.0exit-address-family

NETCONF

Operational Simplification

How to find the red user's switch/port?

# ping 172.16.100.101# show arp | i 172.16.100.101# show mac address-table address 001a.a24d.5141# show cdp neighbor g0/1 detail

# show mac address-table address 001a.a24d.5141# show cdp neighbor g0/10 detail

# show mac address-table address 001a.a24d.5141# show cdp neighbor g0/10 detailVlan Mac Address Type Ports---- ----------- -------- -----244 001a.a24d.5141 DYNAMIC Gi0/15

Programmability Reason #5 Automate complex troubleshooting tasks

DEMO TIME

User types command into WebexTeams

1Command pulled down by script2

Script sends NETCONF request3 Switch replies via NETCONF with data4

Data posted back to Webex room5

NETCONF

User changes device config 1

Change detected by EEM2

Webex posts diff to room3

Catalyst 3850Python script diffs configs and sends diff to Webex4

EEM Triggers on-box Python script320

Structured Data/YANG Models

Human-Oriented Interface

Machine-Oriented Interface

Machines using human-oriented interfaces can be highly inefficient!

YANG ModelsCLI

Human Oriented Interface Machine Oriented Interface

Structured vs Unstructured Data

Name:Age:Phone:

John Smith42+1-415-555-1212

Keys Values

John Smith 42 14155551212

StructuredUn-structured

• His age?• The year he graduated college?• Meaning of life, the universe & everything?

What is this?

Hierarchical Structured Data (XML-like)

<user1><name>John Smith</name><age>42</age><phone>+1-415-555-1212</phone>

</user1>

<user2><name>Sarah Kim</name><age>27</age><phone>+1-718-555-1212</phone>

</user2>

First User

Second User

switch1# sh int e1/10Ethernet1/10 is up

Hardware: 1000/10000 Ethernet, address: 0005.73d0.9331 (bia 0005.73d0.9331)Description: To UCS-11MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,

reliability 255/255, txload 1/255, rxload 1/255Switchport monitor is off EtherType is 0x8100 Last link flapped 8week(s) 2day(s)Last clearing of "show interface" counters 1d02h30 seconds input rate 944 bits/sec, 118 bytes/sec, 0 packets/sec30 seconds output rate 3110376 bits/sec, 388797 bytes/sec, 5221 packets/sec

Note inconsistent “key” format!

CLI = Unstructured Data

</config></address>

</addresses></ipv4>

What we need:Standard, structured way to representconfiguration and operational data.

XML vs JSON

<name>eth0</name> <type>ethernetCsmacd</type> <location>0</location><enabled>true</enabled><if-index>2</if-index>

</interface></interfaces>

{"ietf-interfaces:interfaces": {

"interface": [{

"name": "eth0”,"type": "ethernetCsmacd”,"location": "0”,"enabled": true, "if-index": 2

NETCONF/RESTCONF RESTCONF

<interface>Gigabit 1/0</interface><ifaddr>10.0.0.1/24</ifaddr>

Error!

Expecting

<interface><name>Gigabit 1/0</name><address>10.0.0.1/24</address></interface>

Expecting:

So why do we need YANG?

<interface>Ethernet 0/0</interface><name>Switch1 to UCS1</name><ipaddr>1.1.1.1/24</ipaddr>

<name>Ethernet 0/0</name><descr>Switch1 to UCS1</descr><ip>1.1.1.1/24</ip>

<ifname>Ethernet 0/0</ifname><ifalias>Switch1 to UCS1</ifalias><ifaddr>1.1.1.1/24</ifaddr>

Question: Which of these is correct?

Answer: They all are!

YANG Data Models

YANGModel

container ip {list vrf {

leaf rd}

vrf redrd 1:1

XMLData

YANG models do not contain data or XML.YANG models are like templates used to generate consistent XML.

YANG Data Models

YANGModel

container ip {list vrf {

leaf rd}

vrf redrd 1:1 XML

YANG models can be used as a template for generating structured data in many different formats.

{“vrf”: “red”“rd”: “1:1”}

YANG Configuration Model Example*

* Note: YANG model simplified for clarity

</vrf><vrf><name>vrf_green</name><rd>65000:2</rd>

</vrf></ip>

ip vrf vrf_redrd 65001:1

!ip vrf vrf_greenrd 65001:2

XMLYANGcontainer ip {list vrf {description"Configure an IP VPN Routing/Forwardinginstance";

leaf name {type string;

leaf rd {description"Specify Route Distinguisher";type rd-type;

</vrf></ip>

So why is this:

...better than this?

• Good for human consumption• Unstructured from a machine perspective

YANG-structured data

• Designed for machine consumption• Directly convertible to/from Python dicts!

</vrf></ip>

Where are YANG models?

Models installed on device automatically with IOS-XE.

https://github.com/YangModels/yang/tree/master/vendor/cisco

Also can be downloaded from GitHub.

Who defines the YANG models?

Vendors Standards Bodies

• Only work on specific vendor devices• Greater feature coverage• Can be OS-unique (IOS-XE, XR, etc.)

• Multi-vendor support• More limited feature coverage• Allow vendor-specific extensions

Actually an "industry forum"

<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native"><interface><GigabitEthernet><name>1/0/24</name><description>Configured by NETCONF!</description>

</GigabitEthernet></interface>

</native>

Important Point!Cisco’s data models and IETF/OpenConfig data models are just two ways of doing the same thing.

<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"><interface><name>GigabitEthernet 1/0/24</name><description>Configured by NETCONF!</description>

IETF-defined model

Cisco-defined “native” model

Both of these do exactly the same thing!

<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native"><interface><GigabitEthernet><name>1/0/24</name><description>Configured by NETCONF!</description>

</GigabitEthernet></interface>

</native>

Important Point!Cisco’s data models and IETF/OpenConfig data models are just two ways of doing the same thing.

<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"><interface><name>GigabitEthernet 1/0/24</name><description>Configured by NETCONF!</description>

IETF-defined model

Both of these do exactly the same thing!

switch# show run interface g1/0/24interface GigabitEthernet 1/0/24description Configured by NETCONF!

Cisco-defined “native” model

Configuration vs. Operational data

# sh run int g0/0

interface GigabitEthernet0/0description Management Interfacevrf forwarding Mgmt-vrfip address 172.26.244.49 255.255.255.0

# sh int g0/0

GigabitEthernet0/0 is up, line protocol upHardware is RP management portDescription: Management Interface

Configuration data tells the device what to do. It is data that you see in a “show run”.

Operational data tells us how a device is operating, from show commands other than “show run”.

We can write configuration data (think “conf t”), and we can read configuration data (think “show run”).

Operational data is read-only.

Some data can be read either as config data or operational data!

Models and structured data are particularly important for efficiently reading operational data...

PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 1 3 31 96 0.00% 0.00% 0.00% 0 Chunk Manager 2 3687 4786 770 0.07% 0.01% 0.00% 0 Load Meter

Challenge: Write a Python script to go through the list of nearly 500 running processes and print the names of only those with runtime of 10 seconds or greater.

Regex hard to understand

Tied directly to table layout

Regular Expressions

-Stackexchange user

PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 1 3 31 96 0.00% 0.00% 0.00% 0 Chunk Manager 2 3687 4786 770 0.07% 0.01% 0.00% 0 Load Meter

Challenge: Write a Python script to go through the list of nearly 500 running processes and print the names of only those with runtime of 10 seconds or greater.

XML easily rendered as Python dict

Intuitive nomenclature

Uses YANG data models

NETCONF/RESTCONF/gRPC

YANG YANG

XML XML/JSON

SSH HTTP/S

NETCONF RESTCONF

HTTP/2

Transport

Encoding

NETCONF protocol stack

CONTENT

OPERATIONS

SECURE TRANSPORT

MESSAGES

XML (based on YANG)

GET, EDIT-CONFIG, ETC

SSH (port 830)

NETCONF Highlights

• Transactional• Either all configuration is applied or nothing• Avoids inconsistent state• Both at Single Device and Network-wide level

• Error Management• OK or error code

• Capability Exchange

• Models Download from a Device

ssh -p 830 admin@172.26.249.169 -s netconf

Main NETCONF Operations

Main Operations CLI Equivalent Description<get> show Retrieve running configuration and device state

information

<get-config> show run Retrieve all or part of specified configurationdatastore

<edit-config> config t + commands Loads all or part of a configuration to the specified configuration datastore

<delete-config> no (delete config) Delete a configuration datastore

NETCONF DatastoresTarget of Operations

Running is the only mandatory Datastore

“A Datastore holds a copy of the configuration data that is required to get a device from its initial default state into a desired operational state”

Running running-config

Start-up startup-config

Candidate work place for creating and manipulating configuration data

NETCONF Error Options

stop-on-error:

Abort the <edit-config> operation on the first error (Default)

continue-on-error:

Continue to process the configuration; record the error

rollback-on-error:

Stop processing <edit-config> and restore configuration to original state

Enabling NETCONF: 3 Steps

C3850-1#conf tEnter configuration commands, one per line. End with CNTL/Z.C3850-1(config)#aaa new-modelC3850-1(config)#aaa authentication login default localC3850-1(config)#aaa authorization exec default localC3850-1(config)#username admin password cisco

C3850-1(config)#line vty 0 15C3850-1(config-line)#transport input all

C3850-1(config)#netconf-yangC3850-1(config)#

Enable AAA

Enable SSH

Enable NETCONF

REST vs RESTCONF: not the same!

APIGET

DELETE

“A framework for client-server communications”

RESTCONF

“REST-like protocol for accessing YANG models”

RESTCONF protocol stack

CONTENT

OPERATIONS

SECURE TRANSPORT

XML/JSON (based on YANG)

GET, PUT, PATCH, etc.

RESTCONF vs NETCONF Operations

RESTCONF As compared to NETCONFGET <get-config>, <get>

POST <edit-config> (operation=“create”)

PUT <edit-config> (operation=“create/replace”)

PATCH <edit-config> (operation=“update”)

DELETE <delete-config> (operation=“delete”)

HTTPS Return codes

Return code Details1xx (Informational) Received and understood, please wait….

2xx (Success) received, understood, accepted, and processed successfully

3xx (Redirection) Client must take additional action (URL redirection)

4xx (Client error) Client is at fault

5xx (Server error) Server is at fault

Enabling RESTCONF

Cat9k-1#conf tEnter configuration commands, one per line. End with CNTL/Z.

Cat9k-1(config)#restconf

Cat9k-1(config)#ip http secure-server

Enable RESTCONFEnable HTTP

server

• Google ecosystem with automatic GPB integration

• cross-platform client and server bindings for many languages:C, C++, C#, Go, Java, Node.js, Objective-C, PHP, Python, Ruby

• Feature rich:authentication, bidirectional streaming and flow control, blocking/nonblocking bindings, cancellation and timeouts

• HTTP/2 transport

• Not a standard!

gRPC definition“gRPC is an open source RPC (Remote Procedure Call) system

developed at Google”

http://www.grpc.ioGPB (Google Protocol Buffers )

DEMO: YANG/NETCONF

Configuration Management Tools

Device

Highlights:

• Declarative model (intent)

• Idempotency

• Agent vs Agent-less Architectures

CMT Server

Desired State (Intent) configuration

Customer Value:

• config automation (medium)

• manages config drift (high)

• audit trail (very high)

Automate Servers, Applications and Networks configurations

Most Popular Configuration Management ToolsEnterprise Networks

CMT Comparison

Agent required? Agentless • Agent-based• Moving to

agentless for network mgmt

Agent-based

Configuration File Playbook Manifest Cookbook

Config Language YAML Custom Custom

Ansible Playbook Example

Playbook

Module

http://docs.ansible.com/ansible/latest/YAMLSyntax.html

Ansible Inventory

Define the hosts and group of hosts• hosts by IP or FQDN• groups [<group-name>]• Optional parameters:

• nested groups• range• group variables

pip install

[cat3k]172.26.249.169

[cat9k]172.26.249.15[1:4]

[cat4500-X]10.200.98.82

[ios-xe:children]cat3kcat9kcat4500-X

[ios-xe:vars]ansible_network_os=ios

nested groups

group variables

Ansible Playbook Run

To run an playbook

ansible-playbook <playbook>.yaml [options]

Common options:

• -u admin -k -K username and password at runtime

• -l 172.26.249.42 single or list of hosts

• -i ./hosts overrides inventory files

• -v verbose output

• -vvvv connection debug

Great word to remember!

Idempotency (from Latin "idem" = "the same thing"

In the context of configuration management tools, means:Only change what needs to be changed

Conclusion

New e-Book!

Summarizes all aspects of IOS XE programmability

http://cs.co/IOS-XE-Programmability-Book

How do I learn Python?

Automate the Boring Stuff with Python, Al SweigartGreat introduction to Python focused on automation. (Not specifically network automation.) Covers Python 3.0 only. Assumes zero knowledge. Read Excel docs, generate PDFs, etc. Highly recommended.

Real Python. http://realpython.comThree-part course. Begins with basics assuming no knowledge. Covers Python 2.7 and 3.0. Parts II and III focus on web development with Python. Covers flask, Django, jinja2 templates. Many resources on the web site for free.

Cisco DevNet

http://developer.cisco.com

• Learning Labs• Sandboxes• API Documentation• Python, YDK, REST• And More!

"If a thing is worth doing, it is worth doing badly." - G.K.

Chesterton

• Identify one problem you can solve with a script• Start small• Copy and modify scripts from DevNet• (developer.cisco.com)

• Go and study for your CCIE!

ios xe programmability for network engineers...jeff mclaughlin principal technical marketing...

Documents

ip slas configuration guide, cisco ios xe gibraltar 16

ip slas configuration guide, cisco ios xe release 3e

cisco catalyst 3850 series switches running ios-xe …st]...

the container story: run your apps and tools natively on...

Обновления ПО aireos 8.0 и ios-xe обзор...

troubleshooting cisco catalyst 4500 series switches -...

security configuration guide, cisco ios xe release 3.6e...

cisco ios xe configuration fundamentals configuration guide,...

programmability configuration guide, cisco ios xe...

working with cisco ios xe software bundles

asr1000 - ios-xe - troubleshooting - isg accounting

cisco ios xe system messages - cisco - global home … ios...

security command reference, cisco ios xe release 3e (cisco

system management configuration guide, cisco ios xe

security configuration guide: access control lists, cisco...

cisco ios xe system messagescisco ios xe system messages 12...

cisco virtual update · ios-xe 3.8 november 2012 controlled...

explaining software maintenance operations on cisco ios xr...

configuring virtual switching systems · chapter 5-1...

cisco ios xr - clnv.s3.amazonaws.com · cisco ios xr...