CCIE ET Programmability PDF

IOS XE Programmability for
Network Engineers
CCIE Evolving Technologies Blueprint
Jeff McLaughlin
Principal Technical Marketing Engineer
June 19, 2018
Your Host
• CCIE Routing/Switching (2004)
• Fun Stuff Studied: DLSw+, ATM, ISDN
• CCIE Security (2008)
• Fun Stuff Studied: NAC Framework, PIX, VPN 3k concentrator
• JNCIE Service Provider (2014, expired)
• CCIE Subject Matter Expert (Programmability/Automation)
• Principal TME in Enterprise business unit
• Manager of TME team for programmability and SD-Access
• http://www.subnetzero.info
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco
Cisco Confidential
Public
• CCIE ET Programmability
Overview
• Why Programmability
• Structured Data/YANG Models
Agenda • NETCONF/RESTCONF
• Config Mgmt Tools
• APIs
• Conclusion

Cisco Confidential
Public
Programmability Panelists
Fabrizio Maccioni Jeremy Cohoe Krishna Kotha

Cisco Confidential
Public
CCIE ET Programmability
Overview
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
CCIE Evolving Technologies 1.1 Blueprint
This domain, worth 10 percent overall, ensures that all CCIE/CCDE candidates have a
clear understanding of important cloud, network programmability, and IoT concepts.
A.2 Network Programmability
A.2.a Describe architectural and operational considerations for a programmable network

A.2.a.i Data models and structures (YANG, JSON and XML)
A.2.a.ii Device programmability (gRPC, NETCONF and RESTCONF)
A.2.a.iii Controller based network design (policy driven configuration and northbound/
southbound APIs)
A.2.a.iv Configuration management tools (agent and agent-less) and version control systems
(Git and SVN)

Cisco Confidential
Public
Why Programmability?
Why automation and programmability?
hostname switch1
int g0/0
ip address 10.1.1.11/24
vlan 100,200,300
.
Needs to configure
Administrator
.
.
hostname switch6
int g0/0
ip address 10.1.1.16/24
vlan 100,200,300

Cisco Confidential
Public
8
Notepad is the most common automation tool.
It’s just a very bad automation tool.
...
Programmability Reason #1 Do repetitive and tedious tasks more easily

Cisco Confidential
Public
9
52037606 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
if error counters too high:

then shutdown interface*
* pseudo-code
Programmability Reason #2 Programmatic Control of network devices

Cisco Confidential
Public
10
party apps
NETCONF REST API
DNA Center
Programmability Reason #3 Interaction between network devices and other systems

Cisco Confidential
Public
11
Transactionality
int g0/0
ip address 10.1.1.0/24
no shutdown
router bgp 65001 CLI
router-id 172.17.1.99
bgp log-neighbor-changes
neighbor 192.168.1.2 remote-as 40000
NF
neighbor 192.168.3.2 remote-as 50000 NETCO
address-family ipv4 unicast
neighbor 192.168.1.2 activate
network 172.17.1.0 mask 255.255.255.0
exit-address-family
Programmability Reason #4 Stop bad configuration being committed to devices

Cisco Confidential
Public
12
Operational Simplification
How to find the

red user's
switch/port?

Cisco Confidential
Public
13
# ping 172.16.100.101
# show arp | i 172.16.100.101
# show mac address-table address 001a.a24d.5141
# show cdp neighbor g0/1 detail
How to find the

red user's
switch/port?

Cisco Confidential
Public
14
How to find the

red user's
switch/port?

Cisco Confidential
Public
15
How to find the

red user's
switch/port?

Vlan Mac Address Type Ports
---- ----------- -------- -----
244 001a.a24d.5141 DYNAMIC Gi0/15

Cisco Confidential
Public
16
Programmability Reason #5 Automate complex troubleshooting tasks

Cisco Confidential
Public
17
DEMO TIME
REST
1 User types command into Webex
Teams 2 Command pulled down by script
5 Data posted back to Webex room
3 Script sends NETCONF request 4 Switch replies via NETCONF with data
NETCONF

Cisco Confidential
Public
19
3 Webex posts diff to room
4 Python script diffs configs and sends diff to Webex

Catalyst 3850
1 User changes device config
EEM
2 Change detected by EEM
3 EEM
© 2017 Cisco and/or its affiliates. All rights reserved.
CiscoTriggers
Cisco Confidential
Public on-box Python script
20
Structured Data/YANG
Models
Human-Oriented Interface
Machine-Oriented Interface

Cisco Confidential
Public
22
Machines using human-oriented interfaces can be highly inefficient!
Cisco Confidential
Public
23
CLI YANG Models
Human Oriented Interface Machine Oriented Interface

Cisco Confidential
Public
24
Structured vs Unstructured Data
Un-structured
Structured
John Smith 42 14155551212 Name: John Smith

Age: 42
Phone: +1-415-555-1212
What is this?
• His age? Keys Values

• The year he graduated college?
• Meaning of life, the universe & everything?

Cisco Confidential
Public
25
Hierarchical Structured Data (XML-like)
{
<user1>
<name>John Smith</name>
<age>42</age>
First User
<phone>+1-415-555-1212</phone>
</user1>
{
<user2>
<name>Sarah Kim</name>
Second User <age>27</age>
<phone>+1-718-555-1212</phone>
</user2>

Cisco Confidential
Public
26
Note inconsistent “key” format!
switch1# sh int e1/10
Ethernet1/10 is up
Hardware: 1000/10000 Ethernet, address: 0005.73d0.9331 (bia 0005.73d0.9331)
Description: To UCS-11
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Switchport monitor is off
EtherType is 0x8100
Last link flapped 8week(s) 2day(s)
Last clearing of "show interface" counters 1d02h
30 seconds input rate 944 bits/sec, 118 bytes/sec, 0 packets/sec
30 seconds output rate 3110376 bits/sec, 388797 bytes/sec, 5221 packets/sec
CLI = Unstructured Data

Cisco Confidential
Public
27
<ipv4 xmlns="http://openconfig.net/yang/interfaces/ip">
<addresses>
<address>
<config>
What we need:
<ip>172.26.194.212</ip>
Standard, structured way to represent <prefix-length>24</prefix-length>
configuration and operational data. </config>
</address>
</addresses>
</ipv4>

Cisco Confidential
Public
28
XML vs JSON
{
<interfaces xmlns:=“[…]yang:ietf-interfaces”> "ietf-interfaces:interfaces": {
<interface> "interface": [
{
<name>eth0</name> "name": "eth0”,
<type>ethernetCsmacd</type> "type": "ethernetCsmacd”,
<location>0</location> "location": "0”,
<enabled>true</enabled> "enabled": true,
<if-index>2</if-index> "if-index": 2
}
</interface> ]
</interfaces> }
}
NETCONF/RESTCONF RESTCONF
Cisco Confidential
Public
29
Error!
<interface>Gigabit 1/0</interface>
<ifaddr>10.0.0.1/24</ifaddr>
Sends
Expecting
Expecting:
<interface>
<name>Gigabit 1/0</name>
<address>10.0.0.1/24</address>
</interface>

Cisco Confidential
Public
30
So why do we need YANG?
<interface>Ethernet 0/0</interface>
<name>Switch1 to UCS1</name>
<ipaddr>1.1.1.1/24</ipaddr>
<name>Ethernet 0/0</name> Question: Which of these is correct?

<descr>Switch1 to UCS1</descr>
Answer: They all are!
<ip>1.1.1.1/24</ip>
<ifname>Ethernet 0/0</ifname>
<ifalias>Switch1 to UCS1</ifalias>
<ifaddr>1.1.1.1/24</ifaddr>

Cisco Confidential
Public
31
YANG Data Models
container ip {
list vrf { vrf red
rd 1:1 <vrf>red</vrf>
leaf rd
<rd>1:1</rd>
}
}
YANG Data XML

Model Data
YANG models do not contain data or XML.

YANG models are like templates used to generate consistent
XML.

Cisco Confidential
Public
32
YANG Data Models
<vrf>red</vrf>
<rd>1:1</rd>
container ip {
vrf red
list vrf {
leaf rd rd 1:1 XML
}
}
{“vrf”: “red”
YANG Data “rd”: “1:1”}
Model
JSON
YANG models can be used as a template for generating

structured data in many different formats.

Cisco Confidential
Public
33
YANG Configuration Model Example*
container ip { YANG <ip> XML

list vrf { <vrf>
description <name>vrf_red</name>
"Configure an IP VPN Routing/Forwarding <rd>65000:1</rd>
instance"; </vrf>
<vrf>
leaf name { <name>vrf_green</name>
type string; <rd>65000:2</rd>
} </vrf>
</ip>
leaf rd {
description ip vrf vrf_red CLI
"Specify Route Distinguisher"; rd 65001:1
type rd-type; !
} ip vrf vrf_green
} rd 65001:2
} * Note: YANG model simplified for clarity !
Cisco Confidential
Public
34
So why is this:
<ip>
<vrf>
...better than this?
<name>vrf_red</name> ip vrf vrf_red
<rd>65000:1</rd> rd 65001:1
</vrf> !
<vrf> ip vrf vrf_green
<name>vrf_green</name> rd 65001:2
<rd>65000:2</rd> !
</vrf>
</ip>

Cisco Confidential
Public
35
CLI
ip vrf vrf_red
rd 65001:1
!
ip vrf vrf_green
rd 65001:2
!
• Good for human consumption

• Unstructured from a machine perspective

Cisco Confidential
Public
36
YANG-structured data
<ip>
<vrf>
<name>vrf_red</name>
<rd>65000:1</rd>
</vrf>
<vrf>
<name>vrf_green</name>
<rd>65000:2</rd>
</vrf>
</ip>
• Designed for machine consumption

• Directly convertible to/from Python dicts!

Cisco Confidential
Public
37
Where are YANG models?
Models installed on device automatically with IOS-XE.
https://github.com/YangModels/yang/tree/master/vendor/cisco
Also can be downloaded from GitHub.

Cisco Confidential
Public
38
Who defines the YANG models?
Vendors Standards Bodies
• Only work on specific vendor devices • Multi-vendor support

• Greater feature coverage • More limited feature coverage
• Can be OS-unique (IOS-XE, XR, etc.) • Allow vendor-specific extensions
Actually an "industry forum"

Cisco Confidential
Public
39
Important Point!
Cisco’s data models and IETF/OpenConfig data models are just two ways of doing the same
thing.
<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"> IETF-defined model
<interface>
<name>GigabitEthernet 1/0/24</name>
<description>Configured by NETCONF!</description>
</interface>
</interfaces>
Both of these do exactly the same thing!
<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native"> Cisco-defined “native” model

<interface>
<GigabitEthernet>
<name>1/0/24</name>
</GigabitEthernet>
</interface>
</native>
Cisco Confidential
Public
40
Important Point!
Cisco’s data models and IETF/OpenConfig data models are just two ways of doing the same
thing.
<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"> IETF-defined model
<interface>
<name>GigabitEthernet 1/0/24</name>
</interface>
</interfaces>
switch# show run interface g1/0/24
interface
Both of GigabitEthernet 1/0/24
these do exactly the same thing!
description Configured by NETCONF!
<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native"> Cisco-defined “native” model
<interface>
<GigabitEthernet>
<name>1/0/24</name>
</GigabitEthernet>
</interface>
</native>
Cisco Confidential
Public
41
Configuration vs. Operational data
Configuration data tells the device what to do. It is Operational data tells us how a device is operating,
data that you see in a “show run”. from show commands other than “show run”.
# sh run int g0/0 # sh int g0/0
interface GigabitEthernet0/0 GigabitEthernet0/0 is up, line protocol up

description Management Interface Hardware is RP management port
vrf forwarding Mgmt-vrf Description: Management Interface
ip address 172.26.244.49 255.255.255.0
We can write configuration data (think “conf t”), Operational data is read-only.
and we can read configuration data (think “show
run”).
Some data can be read either as config data or

operational data!
Cisco Confidential
Public
42
Models and structured data are particularly
important for efficiently reading operational data...

Cisco Confidential
Public
43
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
1 3 31 96 0.00% 0.00% 0.00% 0 Chunk Manager
2 3687 4786 770 0.07% 0.01% 0.00% 0 Load Meter
Challenge: Write a Python script to go through the list of nearly 500 running
processes and print the names of only those with runtime of 10 seconds or greater.
Regex hard to understand
Tied directly to table layout

Cisco Confidential
Public
44
Regular Expressions
-Stackexchange user

Cisco Confidential
Public
45
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
1 3 31 96 0.00% 0.00% 0.00% 0 Chunk Manager
2 3687 4786 770 0.07% 0.01% 0.00% 0 Load Meter
Challenge: Write a Python script to go through the list of nearly 500 running
processes and print the names of only those with runtime of 10 seconds or greater.
XML easily rendered as Python dict

Uses YANG data models
Intuitive nomenclature

Cisco Confidential
Public
46
NETCONF/RESTCONF/gRPC
NETCONF RESTCONF gRPC
Transport SSH HTTP/S HTTP/2
Encoding XML XML/JSON gPB
YANG YANG YANG

Cisco Confidential
Public
48
NETCONF protocol stack
CONTENT XML (based on YANG)
OPERATIONS GET, EDIT-CONFIG, ETC
MESSAGES RPC
SECURE TRANSPORT SSH (port 830)

Cisco Confidential
Public
49
NETCONF Highlights
• Transactional
• Either all configuration is applied or nothing
• Avoids inconsistent state
• Both at Single Device and Network-wide level
• Error Management
• OK or error code
• Capability Exchange
ssh -p 830 admin@172.26.249.169 -s netconf
• Models Download from a Device

Cisco Confidential
Public
50
Main NETCONF Operations
Main Operations CLI Equivalent Description

<get> show Retrieve running configuration and device state
information
<get-config> show run Retrieve all or part of specified configuration

datastore
<edit-config> config t + commands Loads all or part of a configuration to the specified

configuration datastore
<delete-config> no (delete config) Delete a configuration datastore

Cisco Confidential
Public
NETCONF Datastores
Target of Operations
“A Datastore holds a copy of the configuration data that is required to
get a device from its initial default state into a desired operational state”
Running running-config
Start-up startup-config
Candidate work place for creating and manipulating configuration data
Running is the only mandatory Datastore

Cisco Confidential
Public
52
NETCONF Error Options
stop-on-error: continue-on-error: rollback-on-error:
Abort the <edit-config> Continue to process the Stop processing <edit-

operation on the first configuration; record config> and restore
error (Default) the error configuration to original
state

Cisco Confidential
Public
Enabling NETCONF: 3 Steps
C3850-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C3850-1(config)#aaa new-model
C3850-1(config)#aaa authentication login default local Enable AAA
C3850-1(config)#aaa authorization exec default local
C3850-1(config)#username admin password cisco
C3850-1(config)#line vty 0 15 Enable SSH

C3850-1(config-line)#transport input all
C3850-1(config)#netconf-yang Enable NETCONF

C3850-1(config)#

Cisco Confidential
Public
54
REST vs RESTCONF: not the same!
REST RESTCONF
GET
POST
API PUT
DELETE
“A framework for client-server communications” “REST-like protocol for accessing

YANG models”

Cisco Confidential
Public
55
RESTCONF protocol stack
CONTENT XML/JSON (based on YANG)
OPERATIONS GET, PUT, PATCH, etc.
SECURE TRANSPORT HTTPS

Cisco Confidential
Public
56
RESTCONF vs NETCONF Operations
RESTCONF As compared to NETCONF

GET <get-config>, <get>
POST <edit-config> (operation=“create”)
PUT <edit-config> (operation=“create/replace”)
PATCH <edit-config> (operation=“update”)
DELETE <delete-config> (operation=“delete”)

Cisco Confidential
Public
HTTPS Return codes
Return code Details

1xx (Informational) Received and understood, please wait….
2xx (Success) received, understood, accepted, and processed successfully
3xx (Redirection) Client must take additional action (URL redirection)
4xx (Client error) Client is at fault
5xx (Server error) Server is at fault

Cisco Confidential
Public
Enabling RESTCONF
Cat9k-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cat9k-1(config)#restconf Enable RESTCONF
Cat9k-1(config)#ip http secure-server Enable HTTP

server

Cisco Confidential
Public
gRPC definition
“gRPC is an open source RPC (Remote Procedure Call) system
developed at Google”
• Google ecosystem with automatic GPB integration
• cross-platform client and server bindings for many languages:

C, C++, C#, Go, Java, Node.js, Objective-C, PHP, Python, Ruby
• Feature rich:
authentication, bidirectional streaming and flow control, blocking/nonblocking bindings,
cancellation and timeouts
• HTTP/2 transport
• Not a standard!
http://www.grpc.io
Cisco Confidential
Public
GPB (Google Protocol Buffers )
60
DEMO: YANG/NETCONF
Configuration Management
Tools
Configuration Management Tools
Automate Servers, Applications and Networks configurations
Desired State
(Intent)
configuration
CMT Server Device
Highlights: Customer Value:

• Declarative model (intent) • config automation (medium)
• Idempotency • manages config drift (high)
• Agent vs Agent-less Architectures • audit trail (very high)
Cisco Confidential
Public
Most Popular Configuration Management Tools
Enterprise Networks

Cisco Confidential
Public
CMT Comparison
Agent required? Agentless • Agent-based Agent-based

• Moving to
agentless for
network mgmt
Configuration File Playbook Manifest Cookbook
Config Language YAML Custom Custom

Cisco Confidential
Public
Ansible Playbook Example
Playbook
Play
Task
Module
http://docs.ansible.com/ansible/latest/YAMLSyntax.html
Cisco Confidential
Public
Ansible Inventory
Define the hosts and group of hosts [cat3k] group

172.26.249.169
• hosts by IP or FQDN [cat9k] pip install
• groups [<group-name>]
172.26.249.15[1:4] range
[cat4500-X]
• Optional parameters: 10.200.98.82
[ios-xe:children]
• nested groups cat3k
nested groups
cat9k
• range cat4500-X
• group variables [ios-xe:vars] group variables

ansible_network_os=ios

Cisco Confidential
Public
Ansible Playbook Run
To run an playbook
ansible-playbook <playbook>.yaml [options]
Common options:
• -u admin -k -K username and password at runtime
• -l 172.26.249.42 single or list of hosts
• -i ./hosts overrides inventory files
• -v verbose output
• -vvvv connection debug

Cisco Confidential
Public
Great word to remember!
Idempotency (from Latin "idem" = "the same thing"
In the context of configuration management tools, means:

Only change what needs to be changed

Cisco Confidential
Public
Conclusion
New e-Book!
Summarizes all aspects of IOS XE programmability
http://cs.co/IOS-XE-Programmability-Book

Cisco Confidential
Public
71
How do I learn Python?
Automate the Boring Stuff with Python, Al Sweigart

Great introduction to Python focused on automation. (Not specifically network
automation.) Covers Python 3.0 only. Assumes zero knowledge. Read Excel
docs, generate PDFs, etc. Highly recommended.
Real Python. http://realpython.com

Three-part course. Begins with basics assuming no knowledge. Covers
Python 2.7 and 3.0. Parts II and III focus on web development with Python.
Covers flask, Django, jinja2 templates. Many resources on the web site for
free.

Cisco Confidential
Public
72
Cisco DevNet
• Learning Labs
• Sandboxes
• API Documentation
• Python, YDK, REST
• And More!
http://developer.cisco.com
Cisco Confidential
Public
73
"If a thing is worth doing, it is worth doing
badly." - G.K.
Chesterton

Cisco Confidential
Public
74
• Identify one problem you can solve with a script
• Start small
• Copy and modify scripts from DevNet
• (developer.cisco.com)
• Go and study for your CCIE!

Cisco Confidential
Public
75

CCIE ET Programmability PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CCIE ET Programmability PDF

Uploaded by

Copyright:

Available Formats

IOS XE Programmability for

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

Fabrizio Maccioni Jeremy Cohoe Krishna Kotha

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

A.2 Network Programmability

A.2.a Describe architectural and operational considerations for a programmable network

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

Programmability Reason #1 Do repetitive and tedious tasks more easily

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

if error counters too high:

Programmability Reason #2 Programmatic Control of network devices

NETCONF REST API

Programmability Reason #3 Interaction between network devices and other systems

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

Programmability Reason #4 Stop bad configuration being committed to devices

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

How to find the

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

How to find the

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

How to find the

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

How to find the

# show mac address-table address 001a.a24d.5141

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

Programmability Reason #5 Automate complex troubleshooting tasks

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

5 Data posted back to Webex room

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

4 Python script diffs configs and sends diff to Webex

1 User changes device config

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

Human Oriented Interface Machine Oriented Interface

John Smith 42 14155551212 Name: John Smith

• His age? Keys Values

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

CLI = Unstructured Data

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

<name>Ethernet 0/0</name> Question: Which of these is correct?

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

YANG Data XML

YANG models do not contain data or XML.

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

YANG models can be used as a template for generating

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

container ip { YANG <ip> XML

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

• Good for human consumption

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

• Designed for machine consumption

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

Models installed on device automatically with IOS-XE.

Also can be downloaded from GitHub.

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

• Only work on specific vendor devices • Multi-vendor support

Actually an "industry forum"

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco

Both of these do exactly the same thing!

<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native"> Cisco-defined “native” model