Upload
cisco-devnet
View
4.804
Download
0
Embed Size (px)
Citation preview
Automating with NX-OS -Let's Get Started
Jeff McLaughlin, Principal TME
[email protected], @ccie14023
• Introduction to Automating Nexus
• Power on Auto Provisioning
• Python
• EEM
• NX-API
• Configuration Management Tools
• Netconf
• XMPP
• Conclusion
Agenda
Nexus Product Portfolio
4
Nexus 2000
Nexus 3000
Nexus 5000/ 6000
Nexus 7000
(ACI)
Nexus 9000
10G / 40G
10G / 40G / 100G
• 2000-series (FEX) inherits automation capabilities from parent switch
• 3K/9K have some different features and/or configurations from 5/6/7K.
PowerOn Auto Provisioning (PoAP)
5
PowerOn Auto Provisioning
• PowerOn Auto Provisioning will do the following:
1. Install the kickstart image
2. Install the system image
3. Copy a configuration to the switch
• PoAP runs if there is no startup config on the switch
• Also can be forced with boot poap enable
• Executes a Python or TCL script
6
Script Server
Nexus Switch
DHCP Server
Download Script file onto the switch and execute the script
DHCP Discover phase:Get IP Address, GatewayScript server Script file
Download Configuration License Software images onto the switch
23 4
Default Gateway
1Power up Phase: Start Power On Auto-Provisioning Process
Configuration and Software Server
5
Reboot if needed. Switch up and running the downloaded
image and config
POAP – Bring up your switch…zero touch!
Getting a hold of PoAP Scripts
8
CCO Downloads Page
Look for Kick Start images
PoAP Scripts
Python and TCL
Customizing scripts
• Variables at top of script need to be customized
• Image name, TFTP/SCP server, credentials, etc.
Useful Links for PoAP
Ignite Tool:
https://github.com/datacenter/ignite
Data Center Network Manager:
http://www.cisco.com/c/en/us/products/cloud-systems-management/prime-data-center-network-manager/index.html
11
Python
12
Python On-Box Python Off-Box
• Execute scripts on a Nexus
• Interpreter or script
• Use CLI modules
• Embedded in EEM
• Execute scripts on server
• Use requests module or pycsco module
• Manage multiple devices
13
Python On-Box support (5-7K)
Nexus supports on-box Python 2.7 in two modes:
14
Interactive Mode
switch# python
Copyright (c) 2001-2012 Python
Software Foundation; All Rights
Reserved
switch# >>> print "hello world“
hello world
switch# >>> exit()
Non Interactive (script) Mode
Switch # source crc.py
------------------------------------------------
Started running CRC checker script
finished running CRC checker script
-------------------------------------------------
Switch # dir bootflash:scripts
946 Oct 30 14:50:36 2013 crc.py
7009 Sep 19 10:38:39 2013
myScript.py
22760 Oct 31 02:51:41 2012 poap.py
Python On-Box support (3K/9K)
Nexus supports on-box Python 2.7 in two modes:
15
Interactive Mode
switch# python
Copyright (c) 2001-2012 Python
Software Foundation; All Rights
Reserved
switch# >>> print "hello world“
hello world
switch# >>> exit()
Non Interactive (script) Mode
Switch # python crc.py
------------------------------------------------
Started running CRC checker script
finished running CRC checker script
-------------------------------------------------
Switch # dir bootflash:
946 Oct 30 14:50:36 2013 crc.py
7009 Sep 19 10:38:39 2013
myScript.py
22760 Oct 31 02:51:41 2012 poap.py
CLI Interaction with Python (On-Box)
import cisco or from cisco import *
cli: get the result of a cli command as a text string
nx-osv-1# >>> result = cli("show version")
nx-osv-1# >>> print result
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/
<etc, etc>
clid: get the result of a cli command as a dictionary
nx-osv-1# >>> result = clid("show version")
nx-osv-1# >>> print result['kickstart_ver_str']
7.2(0)D1(1)
clip: output the result without saving the value
16
nx-osv-1# >>> cli("conf t ; interface eth2/1 ; no shut”)
''
nx-osv-1# >>> cli("conf t ; int e2/1 ; encapsulation frame-relay")
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
cisco.cli_syntax_error: % Invalid command at '===>' marker:
enc===>apsulation frame-relay
On Box script samples
Go to:
https://github.com/datacenter/nexus7000
cdp_description.py: Auto-generates interface descriptions based on CDP neighbors
crc_checker_n7k.py: Checks interfaces for CRC errors and shuts an interface down when errors exceed a threshold
garp.py: Checks for malformed ARP/GARP packets and dynamically creates an ACL to block offenders
17
EEM
18
Embedded Event Manager
• EEM takes certain actions based on triggering events.
• Can also be set to execute on a schedule.
19
Events:•cli•oir•temperature•track•Etc…
Actions:•cli•python•reload•syslog•Etc…
Trigger
EEM Example – Port Tracking
event manager applet track_1_18_downevent track 1 state downaction 1 syslog msg “EEM applet track_1_18_down shutting down port eth1/33 as 1/18 went down”action 2 cli command “conf term”action 3 cli command “interface ethernet 1/33”action 4 cli command “shut”
Config – State Down
event manager applet track_1_18_upevent track 1 state upaction 1 syslog msg “EEM applet track_1_18_up bringing up port eth1/33 as 1/18 came up”action 2 cli command “conf term”action 3 cli command “interface ethernet 1/33”action 4 cli command “no shut”
Config – State Up
Python integrated with EEM
• Call a Python script as an action in an EEM script!
21
n7k# conf
n7k(config)# event manager applet link_monitor
n7k(config-applet)# event syslog pattern "IF_UP“
n7k(config-applet)# action 1 cli command “source cdp_description.py”
n7k(config-applet)# exit
This script will automatically add the CDP neighbor to
the interface description when an interface comes up
Useful Links (Python and EEM)
Nexus 7000 GitHub page:
https://github.com/datacenter/nexus7000
Nexus EEM examples:
https://tools.cisco.com/squish/2C58D
On-Box Script Examples:
https://github.com/datacenter/opennxos/tree/master/on-box
22
NX-API
23
What is NX-API?
• NX-API Enables Programmatic access to Nexus over HTTP/S
• Runs in one of two modes:
• CLI Wrapper: Single URI; commands sent as CLI
• REST: Model-driven, specific URI
• Enable with “feature nxapi”
24
HTTP/S
JSON-RPC/JSON/XML
NGINX
25
Message Format
XML/JSON/JSON-RPC
Command Box
Enter CLI here
Output
Preview of request, and
response
26
Automatically generating Python
27
• Sandbox can turn your CLI into Python for you
• Click the “Python” button in the Request box
• Uses Python’s requests module
• Paste into a .py file and you’re good to go!
• Great way for novice Python users to learn
Python example using “requests” module
28
import sys
import json
import requests
my_headers = {'content-type': 'application/json-rpc'}
url = "http://172.25.91.147/ins"
username = "admin"
password = "ciscotme"
payload = [{'jsonrpc': '2.0', 'method': 'cli', 'params': ['show version',1], 'id': '1'}]
my_data = json.dumps(payload)
response = requests.post(url, data=my_data, headers=my_headers, auth=(username, password))
result = response.json()['result']
kick_start_image = response.json()['result']['body']['kickstart_ver_str']
system_image = response.json()['result']['body']['sys_ver_str']
host_name = response.json()['result']['body']['host_name']
print ("")
print ("===============================")
print ('host name:'+ host_name)
print ('kickstart image version: ' + kick_start_image)
print ('system image version: ' + system_image)
print ("===============================")
Using CLI wrapper, we always
use this same URL
tools:~$ python shver.py
===============================
host name:nx-osv-1
kickstart image version: 7.2(0)D1(1)
system image version: 7.2(0)D1(1)
===============================
Generating payload with
JSON-RPC
Send the request
Parse the output
Output
Python using Pycsco module
• Easy-to-use Python NX-API interface
• No need to use requests module
• Hence, no need to make headers and post requests
• Available at:
https://github.com/jedelman8/pycsco
Example:>>> from pycsco.nxos.device import Device
>>> from pycsco.nxos.utils.nxapi_lib import *
>>> switch=Device(ip="172.16.1.61",username="admin",password="admin")
>>> get_list_of_vlans(switch)
['1', '104', '105', '106', '110', '120']
29
System
BgpEntity BgpInstance BgpDomain BgpPeer
BgpLocalASN
BgpPeerAf
BgpPeerEntry
L1PhysIf
ethpmPhysIf ethpmPortCap
L1Load
L1StormControl
Globally unique identifier for an object in the database
Naming rule on http://developer.cisco.com
Cisco Nexus Object Model
sys/bgp/inst/dom-default/peer-[192.168.0.2]sys/phys-[eth1/1]/phys/portcap
CLI POST Request without DMEPOST Request BGP Object with
DME
router bgp 11
router-id 1.1.1.1
POST http://Switch-IP/ins {'content-
type':'application/json-rpc'}.json()
{ "jsonrpc": "2.0",
"method": "cli",
"params": {
"cmd": "config t",
"version": 1 }, "id": 1 },
{ "jsonrpc": "2.0",
"method": "cli",
"params": {
"cmd": "router bgp 11",
"version": 1 }, "id": 1 },
{ "jsonrpc": "2.0",
"method": "cli",
"params": {
"cmd": "router-id 1.1.1.1",
"version": 1 }, "id": 2 }]
POST http://Switch-IP/api/mo/sys/bgp/inst.json
{ "bgpInst" : {"children" : [{"bgpDom" : { 11
"attributes" : {"name" : "default","rtrId" : "1.1.1.1"
}}
}]
}}
Object Based Programmability – BGP Configuration Example
Useful Links (NX-API)
• NX-API Guide:
https://tools.cisco.com/squish/da18E7
• NX-API on Github
https://github.com/datacenter/nexus9000/tree/master/nx-os/nxapi
32
Configuration Management Tools
33
Configuration Management Tools
• In use for years to automate servers
• Ensure software packages are installed, services running
• Declarative model: not scripting!
• Use to push configurations, install software packages
34
CM Tool 3K/9K 5-7K
6.1 7.2
7.0 7.3 (New! Feb 2016)
7.0 7.3 (New! Feb 2016)
Puppet and Chef
35
Agent
LXC Container
Puppet Master/Chef
Server
• Puppet and Chef use a pull model (agent/client pulls from server)
• Agent/client contacts server every 30 mins by default
• Agent/Client lives in LXC container (optionally directly in bash on 3K/9K)
• Cisco modules in Puppet Forge or Chef Supermarket
Manifests/Cookbooks
Nexus sends data and request cfg every 30 mins
Server sends config to switch
SSL
Nexus
Puppet and Chef code examples
36
cisco_interface 'Ethernet1/1' do
action :create
ipv4_address '10.1.1.1'
ipv4_netmask_length 24
ipv4_proxy_arp true
ipv4_redirects true
shutdown true
switchport_mode 'disabled'
end
cisco_interface 'Ethernet1/2' do
action :create
access_vlan 100
shutdown false
switchport_mode 'access'
switchport_vtp true
end
#Setup VLAN
cisco_vlan {"${vlanid}":
vlan_name => $vlanname,
ensure => present
}
#Create VLAN Interface (step2)
cisco_interface { $intfName :
description => $vlanname,
shutdown => false,
ipv4_address => $intf_ip,
ipv4_netmask_length => $intf_ip_mask,
}
Ansible
37
Ansible Server
• Ansible uses an agentless push model
• Configuration files (playbooks) use YAML
• Can configure using CLI or NXAPI
• Use nxos-ansible modules, or new Ansible 2.0 modules
Playbooks
Server sends config when playbook is run
NX-API (HTTP/S)
CLI (SSH)
Nexus
No agent
feature nxapi
Unlike server configuration Ansible does not execute Python on-box
Ansible code example
38
tasks:
- name: Configuring PKL on 7k1
nxos_vpc: domain=1 pkl_src=172.26.244.91 pkl_dest=172.26.244.81 state=present host=n7k1
- name: Configuring PKL on 7k2
nxos_vpc: domain=1 pkl_src=172.26.244.81 pkl_dest=172.26.244.91 state=present host=n7k2
- name: Configuring Port Channel 1
nxos_portchannel:
group: 1
members: ['Ethernet7/1','Ethernet7/2']
mode: 'active'
state: present
host: "{{ inventory_hostname }}"
- name: Configuring Port Channel 2
nxos_portchannel:
group: 2
members: ['Ethernet9/1','Ethernet9/2']
mode: 'active'
state: present
host: "{{ inventory_hostname }}"
- name: Configuring Port Channel 3
nxos_portchannel:
group: 3
members: ['Ethernet9/3','Ethernet9/4']
mode: 'active'
state: present
host: "{{ inventory_hostname }}"
- name: Configuring VPC peer link
nxos_vpc_interface: portchannel=1 peer_link=true host={{ inventory_hostname }}
- name: Configuring VPC 2
nxos_vpc_interface: portchannel=2 vpc=2 host={{ inventory_hostname }}
- name: Configuring VPC 3
nxos_vpc_interface: portchannel=3 vpc=3 host={{ inventory_hostname }}
Configure PKL
Configure port
channels
Configure VPC peer
link
Configure VPC for
port-channels
Useful Links (Configuration Management Tools)
• Cisco Puppet Module
https://github.com/cisco/cisco-network-puppet-module
• Cisco Chef Module
https://github.com/cisco/cisco-network-chef-cookbook/
• NX-OS Ansible Modules
https://github.com/jedelman8/nxos-ansible
39
Netconf
40
What is NETCONF?
Content
Configuration Data
Operations<get-config>,<edit-config>
Messages
<rpc>, <rpc-reply>
TransportSSH
Protocol Stack• NETCONF is an IETF standard, RFC 4741
• Used for device management, similar role as SNMP
• Separates Operational and Configuration Data management (show commands v/s config)
• Defines capabilities for managing configuration data
• Candidate buffer for validation of config before commit
• Rollback-on-error
NETCONF on Nexus
• Nexus switches support NETCONF
• Network Management Systems can use NETCONF to configure switches
• You can develop tools that take advantage of NETCONF:
• Test NETCONF directly with XMLAgent (ssh x.x.x.x -s xmlagent)
• Use | xmlin (pipe xmlin) to see CLI equivalent in NETCONF
• Use NCClient module in Python
42
jemclaug-hh14-n7700-2# sh vlan brief | xmlin
<?xml version="1.0"?>
<nf:rpc xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0"
xmlns="http://www.cisco.com/nxos:7.3.0.D1.1.:vlan_mgr_cli" message-id="1">
<nf:get>
<nf:filter type="subtree">
<show>
<vlan>
<brief/>
</vlan>
</show> (etc, etc, etc..)
Useful Links (NETCONF)
• NX-OS NETCONF using XML agent
https://tools.cisco.com/squish/5Cb9F
• NETCONF Central
http://www.netconfcentral.org/
• NCC Client (NETCONF module for Python)
http://pypi.python.org/pypi/ncclient
43
XMPP
44
• Extensible Messaging and Presence Protocol (XMPP) is a message-oriented protocol based on XML
• Used in instant messaging clients such as Gtalk, Jabber, Pidgin
• Supported across all Nexus platforms in current releases
• DCNM can be used as XMPP server
• Configure switches with an IM client!
What is XMPP?
45
Accessing Devices with XMPP
Python Bot
Pidgin User
Groups
Entities
Return Value
Return Output
XMPP on NX-OS
feature fabric access
hostname leaf1
ip host test-xmpp-server.cisco.com 192.168.1.100
…
fabric access server dcnm-ova.cisco.com vrf management password 7 xyz
fabric access group all-nodes leaf-nodes
fabric access ping interval 60 response 10 retry 5
Required if no DNS for the domain
Hostname is used for identification
leaf1# show fabric access connections
XMPP Ping :
Status = Enabled
Interval = 60 second(s)
Response = 10 second(s)
Retry = 5 time(s)
XMPP Payload CDATA-Encapsulated : Enabled
Device Connection :
JID = [email protected]/(fmgr-device)(TB01010000B)
State = AUTHENTICATED
JID identify the host in Jabber
Host S/N included in JID
XMPP chat groups
47
XMPP and PythonWriting a python bot
• Accessing NX-OS with Python with xmpppy library - http://xmpppy.sourceforge.net
import xmpp
cmd=“show vlan\n"
jid="[email protected]"
pwd=“test123"
to="[email protected]"
jid=xmpp.protocol.JID(jid)
cl=xmpp.Client(jid.getDomain(), debug=[])
cl.connect()
cl.auth(jid.getNode(),pwd)
cl.sendInitPresence()
message=xmpp.Message(to, cmd)
message.setAttr('type', 'chat')
cl.send(message)
XMPP python module
My JID
JID of device
Connect to XMPP server
Send Presence
Send Message
Create Message
Useful Links (XMPP)
• Protocol page:
http://xmpp.org/
• Instructions for using on Cisco devices:
http://blogs.cisco.com/getyourbuildon/xmpp-a-power-tool-in-your-tool-box
• Configuring DCNM XMPP Features:
https://tools.cisco.com/squish/83830
49
Conclusion
50
Summary
• The Nexus switching platform can be automated in a number of ways
• PoAP and CM Tools are an easy entry point to NX-OS automation
• Python and NX-API for more advanced users
• Netconf and XMPP for other use cases
• More useful links:
http://developer.cisco.com/
http://opennxos.cisco.com/
51
Let’s get started! (What do I need to do next?)
1. Setup a lab with a couple of switches, and some virtualization platform.
2. Alternatively look into VIRL.
3. Use the latest software image available for the latest and greatest features.
4. Download DCNM and experiment with PoAP.
5. Setup a Linux VM for testing off-box Python and CMT.
6. Start with Ansible (agentless), or Chef/Puppet
7. Use sandbox to build Python scripts
52
Deeper Dives!
• BRKDCT-2459: Programmability and Automation on Cisco Nexus Platforms
Abhinav Modi, Tues 2:15pm (watch the replay!)
• BRKDCT-2025: Maximizing Network Programmability & Automation with Open NX-OS
Nicolas Delecroix, Thurs 2:30pm
• BRKDCT-2024 - Automated Network Provisioning through POAP
Oliver Ziltener, Thurs 2:30pm
• DevNet-1075: Configuration Management Tools on NX-OS
Abhinav Modi, Fri 12:00pm
• Come visit us at the demo booth in World of Solutions!
53
Thank you