
#CLUS
Build Intent-based Networks with NSO and Programmable NXOS
Shankar Varanasy, Product Manager DCN
Aseem Srivastava, Product Manager CPSG
BRKDCN-2498

Who we are
Shankar Varanasy, Sr. Product Manager - DCN
Aseem Srivastava, Sr. Product Manager - CPSG

#CLUS BRKDCN-2498 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.

How
1 Find this session in the Cisco Events App
2 Click "Join the Discussion"
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 18, 2018.
cs.co/ciscolivebot#BRKDCN-2498
Agenda
1 Introduction
2 Solution Overview
3 Building Intent-based Service Definition
4 Use Cases
5 Demo
6 Summary
Introduction
What is the "Intent" of this Session
• Intent-based networking and solution components
• Help you build intent-based service definitions using the solution
• Key use cases
Intent (What) and Prescriptive (How)

Intent (Declarative)
• Example: "Don't allow access to DB servers from internet"
• What I want (outcome)
• Vendor agnostic
• Plain language

Prescriptive (Imperative)
• Example: "Configure ACLs to permit all TCP traffic to port 80/8080 and deny traffic to port 1521"
• How to do it (CLI, parameters, steps)
• Vendor dependent
• Vendor specific configuration
"Intent-based networking allows the network team to simply describe, in plain language, (what) they want to accomplish and the network then makes it happen (how)."
The Journey to Intent-based Networking, Enterprise Strategy Group (ESG)
Intent - Real Life scenario
[Figure: a mobile conversation. Intent: "Honey!! Can you get me a healthy bread on your way home?" Prescriptive detail, handled by the store employee: Whole wheat? Multi-grain? Is it within budget? Store/location?]
Traditional Networking
Gap between Business Needs and IT Execution
[Figure: business drivers (growing business, customer experience, security threats, IT budget) and desired outcomes (improved IT processes, improved operational efficiency, business agility) on the business side; IT infrastructure with ad-hoc IT execution on the IT side; a GAP between business and IT execution.]
Intent – Real Life scenario
Intent-based System
[Figure: the same request, "Honey!! Can you get me a healthy bread on your way home?", answered by the intent-based system: "Sure Honey, will pick on my way back!!"; the store employee handles the prescriptive details.]
Intent-based Infrastructure
Business Intent: Bridging the Gap between Business and IT
[Figure: the same business drivers and desired outcomes, with business intent translated into IT execution on the IT infrastructure instead of a gap.]
What is Intent-based Networking?
Business Intent (What) -> Network Configuration (How)
• Translation: capture business intent, translate to policies, check integrity
• Activation: orchestrate policies and automate systems
• Assurance: continuous verification, insights and visibility, corrective actions
[Figure: layers from business intent through application SLAs, policy & compliance, and IT operations down to the physical & virtual infrastructure.]
Cisco NSO & NX-OS
[Figure: Cisco Network Service Orchestrator (NSO) talks NETCONF/YANG to NX-OS (Nexus Operating System with Programmability) on Nexus 9000/3000, carrying both configuration and operational data.]
Intent-based Networking solution
With Cisco NSO and Programmable NXOS
• Translation (NSO): capture business intent, translate to policies, check integrity **
• Activation (NSO): orchestrate policies and automate systems
• Assurance: continuous verification, insights and visibility, corrective actions
• Network Infrastructure (DC): NX-OS
[Figure: the same layering as the previous slide (business intent, application SLAs, policy & compliance, IT operations), with NSO covering translation and activation and NX-OS the data center network infrastructure.]
** Other systems can also be part of this solution
Traditional Networks – Simple Intent Example
Intent: Block Guest users access to company servers
[Figure: Corporate Network 172.10.0.0/24 (employees) and Guest Network 10.1.0.0/24 (guests) connected over a DCI; SSH from employees is allowed, SSH from guests is denied.]
Traditional Networks – Simple Intent Example
Intent: Block Guest users access to company servers
[Figure: the same topology. Human Error: during the troubleshooting process the "deny ACLs" were removed and not put back, or were overridden with other ACLs.]
Intent-based Networking Example - With NSO & NXOS
Intent: Block Guest users access to company servers
[Figure: the same topology. NSO translates the intent into "Block SSH access for guest users" and automates the configuration: SSH allowed for employees, denied for guests.]
Intent-based Networking Example - With NSO & NXOS
Intent: Block Guest users access to company servers
[Figure: the same topology, now managed by NSO. Human Error: during the troubleshooting process the "deny ACLs" were removed and not put back, or were overridden with other ACLs.]
Intent-based Networking Example - With NSO & NXOS
Intent: Block Guest users access to company servers
Continuous verification by NSO:
1. Does a resync by "sync-from"
2. Finds the diff between the config in the DB and the config from the device
3. Restores the config (automatically or manually) to the golden config
[Figure: the same topology, SSH allowed for employees and denied for guests.]
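The three verification steps above, carried out in plain Python as an added example (not code from the deck or from NSO): the golden config in the orchestrator database is diffed against what "sync-from" reads back, the deny ACE lost in the human-error scenario is found, and the restore commands are produced. The networks and the SSH port are the slide's scenario; the ACL name GUEST-IN and both configs are constructed.

```python
"""Continuous verification of the guest-SSH intent (added example).

Models the three steps on the slide: read the device's running config
("sync-from"), diff it against the golden config in the orchestrator's
database, and produce the commands that restore the golden config.
GOLDEN and DEVICE are constructed NX-OS 'ip access-list' snippets.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" or "tcp"
    src: str                      # "any" or a prefix such as 10.1.0.0/24
    dst: str
    dport: Optional[int] = None   # destination port of "eq <port>", if any

    def cli(self) -> str:
        line = f"{self.seq} {self.action} {self.proto} {self.src} {self.dst}"
        return line if self.dport is None else f"{line} eq {self.dport}"


ACE_RE = re.compile(r"^(\d+) (permit|deny) (\w+) (\S+) (\S+)(?: eq (\d+))?$")


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Parse every 'ip access-list NAME' block into its list of ACEs."""
    acls: Dict[str, List[Ace]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list "):
            current = line.split()[2]
            acls[current] = []
        elif current is not None:
            m = ACE_RE.match(line)
            if m:
                seq, action, proto, src, dst, port = m.groups()
                acls[current].append(Ace(int(seq), action, proto, src, dst,
                                         int(port) if port else None))
    return acls


# Golden config held in the orchestrator database (constructed): the guest
# network 10.1.0.0/24 may not reach the corporate network 172.10.0.0/24 on SSH.
GOLDEN = """
ip access-list GUEST-IN
  10 deny tcp 10.1.0.0/24 172.10.0.0/24 eq 22
  20 permit ip any any
"""
# What "sync-from" reads back after the troubleshooting session on the
# slide: the deny ACE was removed and never put back (constructed).
DEVICE = """
ip access-list GUEST-IN
  20 permit ip any any
"""


def diff_acls(golden: str, device: str) -> Dict[str, Dict[str, List[Ace]]]:
    """Step 2: per ACL, the ACEs missing from the device and the extra ones."""
    g, d = parse_acls(golden), parse_acls(device)
    out: Dict[str, Dict[str, List[Ace]]] = {}
    for name in sorted(set(g) | set(d)):
        gs, ds = set(g.get(name, [])), set(d.get(name, []))
        if gs != ds:
            out[name] = {"missing": sorted(gs - ds, key=lambda a: a.seq),
                         "extra": sorted(ds - gs, key=lambda a: a.seq)}
    return out


def restore_commands(diff: Dict[str, Dict[str, List[Ace]]]) -> List[str]:
    """Step 3: CLI that drives the device back to the golden config."""
    cmds: List[str] = []
    for name, delta in diff.items():
        cmds.append(f"ip access-list {name}")
        cmds += [f"  no {a.cli()}" for a in delta["extra"]]
        cmds += [f"  {a.cli()}" for a in delta["missing"]]
    return cmds


def _matches(ace: Ace, src: str, dst: str, proto: str, dport: int) -> bool:
    def within(field: str, addr: str) -> bool:
        return field == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(field)
    return (within(ace.src, src) and within(ace.dst, dst)
            and ace.proto in ("ip", proto)
            and (ace.dport is None or ace.dport == dport))


def intent_enforced(config: str, acl: str, src: str, dst: str, dport: int) -> bool:
    """True if the ACL denies a TCP flow src -> dst:dport (first match wins).

    Only the ACL contents are checked; whether it is applied to the right
    interface is a separate check.
    """
    aces = sorted(parse_acls(config).get(acl, []), key=lambda a: a.seq)
    if not aces:
        return False  # no such ACL: nothing filters the flow
    for ace in aces:
        if _matches(ace, src, dst, "tcp", dport):
            return ace.action == "deny"
    return True  # NX-OS IP ACLs end with an implicit deny
```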
NX-OS Programmability
• Open NXOS architecture
• NXOS programming models
• NXOS Sandbox
• NXOS native YANG repository
Cisco Data Center Networks
Providing Choice in Automation and Programmability

Application Centric Infrastructure
• Turnkey integrated solution with security, centralized management, compliance and scale
• Switches run in ACI mode
• Automated application-centric policy model with embedded security, broad ecosystem

Programmable Fabric
• VXLAN BGP EVPN standard-based
• Switches run in standalone NX-OS mode
• Cisco controller (VTS) for software overlay provisioning and management across N2K-N9K

Programmable Network
• Modern NX-OS with model-driven APIs
• Switches run in standalone NX-OS mode
• DevOps toolset used for network management
Open NX-OS
Programmable interfaces
[Figure: clients (Telnet or SSH, SNMP, NX-API/REST client, NETCONF client (YANG), RESTCONF client (YANG), gRPC client (YANG)) talk to the matching agents on the switch (CLI, SNMP, NX-API web server on NGINX, NETCONF, RESTCONF, gRPC telemetry). The YANG-based agents go through the YANG processor; everything lands in the Data Management Engine (DME) object store, where each transaction commit returns success or raises a fault, and is applied to the feature components (BGP, VLAN, LACP, ACL, QoS).]
Model-Driven Programmability
Data Modeling, Transport and Protocol
[Figure: model-driven configuration flows into the datastore; model-driven state info flows out of it.]
Models
• IETF: NETMOD working group (RFC 6020 published in Oct 2010); data model decoupled from protocol and encoding (XML, JSON)
• OpenConfig: informal working group (multiple network operators); compiling a set of vendor-neutral models from multiple network operators
• Native: vendor driven (e.g. Cisco, Juniper, etc.); augmenting a model with extended features
NXOS – Programming Models
[Figure: NX-OS on Nexus 9000/3000 exposes an OpenConfig model and a native YANG model; the native YANG model is the focus of this session.]
YANG Model (RFC 6020)
• Modeling language for network devices
• Main node types:
  • Leaf – node with name and value of a certain type (no children)
  • Leaf list – sequence of leafs
  • Container – groups nodes and has no value
  • List – sequence of records with key leafs
• Augmentations extend a model
• Deviations specify divergence from the model
CLI & YANG - Example

NX-OS CLI
interface Ethernet0/0
  ip address 10.1.1.1/24
  no shutdown

YANG
list interface {
  key "intf-name";
  leaf intf-name {
    type string;
  }
  list address {
    key "ip-address";
    leaf ip-address {
      type yang:ip-address;
    }
  }
  leaf admin-status {
    type admin-status;
  }
}
Model and Encoding
Example: YANG, XML and JSON

YANG
list interface {
  key "name";
  leaf name {
    type string;
  }
  leaf admin-status {
    type admin-status;
  }
  list address {
    key "ip";
    leaf ip {
      type yang:ip-address;
    }
  }
}

XML
<interface>
  <name>eth0</name>
  <admin-status>up</admin-status>
  <address>
    <ip>192.0.2.1</ip>
  </address>
</interface>

JSON
"interface": [
  {
    "name": "eth0",
    "admin-status": "up",
    "address": [
      {
        "ip": "192.0.2.1"
      }
    ]
  }
]
NXOS Sandbox – YANG model & XML Encoding
[Screenshot: the NX-OS Sandbox, reachable at https://<dev-ip>/, showing a YANG model and its XML encoding.]

NXOS Sandbox – YANG Model & JSON Encoding
[Screenshot: the same Sandbox view showing a YANG model and its JSON encoding.]

Where to find NXOS native YANG Models
GITHUB: https://github.com/YangModels/yang/tree/master/vendor/cisco/nx
Benefits of Model-Driven Programmability
Data Modeling, Transport and Protocol
• Structured and computer friendly
• Multiple model types (native, OC ..)
• Abstract and simplify
• Choice of transport, protocol and encoding
Cisco Network Service Orchestrator (NSO)
Orchestrator Key Requirements
[Figure: Network Engineering, Ops and Provisioning, and Service Developers use CLI/GUI/scripting or the API layer (REST, NETCONF); below that, transaction-safe operations; a Service Layer (L3VPN, L2VPN, etc.) with a service model data store; a Device Abstraction Layer (Device1, Device2..) with a device model data store; at the bottom the multi-vendor network, multiple EMS, apps and controllers.]
NSO System Overview
[Figure: NSO architecture. Network Engineering, Ops and Provisioning, and Service Developers on top; inside NSO the Service Manager (service model), Package Manager, CDB and Device Manager (device model); a Device Abstraction layer of NEDs (NED = Network Element Driver) toward the multi-domain networks; beside it ESC (VNFM) with VNF Lifecycle Manager and VNF Service Monitoring.]
• Model-driven approach
• Seamless integration with OSS/BSS
• Modular architecture
• Multi-domain orchestration
Model-based Architecture
[Figure: the NSO architecture from the System Overview slide.]
• NSO assumes nothing about:
  - Network services
  - Network devices
• All data sets strictly defined by YANG models
• Tree-to-tree mapping reduces coding for lifecycle to the absolute minimum
Programmable Network Interface
[Figure: the NSO architecture (Package Manager, CDB, device model, multi-domain networks) used by IT/OSS/BSS, Operations and the Network Engineer.]
Features:
• Network-wide CLI and REST
• Rich set of northbound APIs rendered from models
• API mediation
• Transaction-safe operations
• Minimizing manual fallouts
• Device configuration management and accurate network configuration state
• Golden configs
• Compliance reporting
Fixes these chronic issues:
• Lack of automation, managing device configuration
• Quality issues in delivery
• Inflexibility to change existing configuration (create and delete only)
• CLI scripting—inflexible and high fallout
Network Service Abstraction
[Figure: the NSO architecture with the service model added, used by IT/OSS/BSS, Operations and the Network Engineer.]
Additional Features with Service Models:
• Full service automation lifecycle
• Network run-time modifications
• Create, modify, delete
• Service plan—how far the service has come
• Service health (orchestrated assurance)
• SLA status
• Service KPIs
Fixes these chronic issues:
• No service insight
• Lost data in brownfield network
• Quality issues in service delivery, inconsistency
• Inflexibility to change existing services (create and delete only)
Multivendor Abstraction Through NEDs
[Figure: the NSO architecture from the System Overview slide, with the NEDs highlighted.]
A NED abstracts:
• Underlying protocol and data-models
• Error-handling
The NED computes the ordered sequence of device-specific commands to go:
• from current configuration state
• to desired configuration state
Key benefits include:
• removes the device adapter problem
• decouples complex device logic from the service logic
The Industry's Broadest Multivendor Support
Over 100 Supported NEDs—Customization Available
NFV Orchestration: Reactive Fastmap
[Figure: the NSO architecture from the System Overview slide, with ESC (VNFM) alongside.]
• Events happen in the network that may impact the service instances:
  - VMs started, moved or destroyed
  - Topology changes
• Reactive FastMap calculates the minimum diff to drive towards intent
Cisco NSO
[Figure: ServiceNow and other ITSMs, and Ansible and other IT automation tools, pass business intent to NSO automation applications; NSO turns it into configuration diffs fulfilling the business intent across the campus / branch / WAN / DC network (multi-vendor, hybrid physical/virtual: L2, L3, L4-L7).]
• Clear separation between automation applications and automation platform
• Model-driven algorithms in the NSO platform make it easy to write automation applications
• Open platform that supports:
  • Commercially packaged applications for key Cisco use cases (CVDs)
  • Customer-developed automation use cases
NSO - Ansible Integration Reference Architectures
Ansible provides playbook-driven IT automation; NSO provides model-driven service orchestration in hybrid networks.
[Figure: two architectures. Application Centric: Ansible playbooks on top drive NSO, which drives the apps. Connectivity Centric: NSO on top drives Ansible playbooks, which drive the apps.]
Benefits of Cisco NSO
• Business Agility: deploy new services quickly in an agile environment
• Simplify Operations: reduce manual steps with automation
• Faster Delivery: reduce activation times from months to minutes
• Open Architecture: multi-vendor, multi-domain and open API models
Build Intent-based Service Definition using NSO & NXOS
Use Case
Intent: Block access to Crypto Mining Websites

"VP of IT in financial company XYZ came to know that some business critical applications have been having very slow response, and after investigation by the IT team it was concluded that corporate users during business hours are performing crypto mining activity and accessing the crypto websites. The bandwidth usage has on average increased during regular business hours.

VP directed IT to block all the crypto website access from the corporate network."
Service Intent Example
Intent: Block access to Crypto Mining websites
[Figure: NSO manages the campus infrastructure that connects the corporate network 172.10.0.0/24 to the Internet; mining website1 and mining website2 sit on the Internet side.]

Block Crypto-Mining Website Access
[Figure: the inputs to the service are the mining websites' IP address list/network and the aggregation devices and ports, taken from an inventory server; NSO pushes config to and reads operational data from NX-OS on Nexus 9000/3000 over NETCONF/YANG.]
Build Intent-based Service Definition
1 Build custom NXOS Network Element Driver (NED)
2 Device management with NSO
3 Build service package
4 Deploy the service
NSO Pioneer Tool
Collection of tools for NETCONF YANG NED building and troubleshooting
Github website: https://github.com/NSO-developer/pioneer
1. NETCONF tools
2. YANG tools
3. Config tools
4. Log tools
Package build: the Pioneer package is compiled and built with the make command
(make -C packages/pioneer/src/ clean all)
1.1 Build NXOS NED (NETCONF/YANG)
1 Download NXOS native YANG file: download Cisco-NX-OS-device.yang from github into a temp directory
2 Generate NED package: use "ncs-make-package" to generate the NED package and compile it with the make command
3 Copy to run folder and reload the package: copy the package to the RUN folder and reload it using the "packages reload" command
1.2 Verify the NXOS Package is loaded
# packages reload
reload-result {
    package cisco-nx-nc
    result true
}
Demo Video: Build NX-OS NETCONF Custom NED

2.1 Device Management using NSO
• Configure devices in NSO using the NSO CLI/GUI:
  - Add an authgroup (login credentials) for the device in NSO
  - Add device(s) to NSO
  - Generate SSH keys for NSO to communicate with the devices
• Validate the YANG models on the device:
  # devices device <device> sync-from
  # devices device <device> sync-to
• If the above operations are successful (result is "true") then you are good to use the NED package for building the service
Demo Video: Device Management using NSO

3 Build Service Definition
• Create template service package: a service package with folders containing the YANG and XML templates; define the YANG model for the service, i.e. build a YANG model based on the service
• Generate XML template for the service: the service XML is created from the NXOS Sandbox based on the configuration; XPATH mapping between XML and YANG replaces the XML values with the XPATH of the YANG objects
• Load and verify the package: the package is compiled and loaded in NSO
3.1 Create Template Service Package
Create an empty service package using the "ncs-make-package" tool (template based)

3.2 Define Service model (YANG)
service "blk-crypt"
• Device list
• Port
• IP address list
3.3 Generate XML Template for Service
• Create the service template using the command below:
ncs(config)# show full-configuration devices device Agg-1 config top:System acl-items | display xml
• XPath mapping with the YANG definition
3.4 XPATH mapping between XML & YANG

XML Template
<config-template xmlns="http://tail-f.com/ns/config/1.0"
                 servicepoint="vxlan-evpn">
  <devices xmlns="http://tail-f.com/ns/ncs" foreach="{device}">
    <device>
      <name>{/device}</name>
      <config tags="merge">
        <System xmlns="http://cisco.com/ns/yang/cisco-nx-os-device">
          <bd-items>
            <bd-items>
              <BD-list>
                <fabEncap>vlan-{l2-vlan-id}</fabEncap>
                <pcTag>1</pcTag>
                <accEncap>vxlan-{l2-vni-id}</accEncap>
              </BD-list>
              <BD-list>
                <fabEncap>vlan-{l3-vlan-id}</fabEncap>
                <pcTag>1</pcTag>
                <accEncap>vxlan-{vni-id}</accEncap>
              </BD-list>
            </bd-items>
          </bd-items>
          …

YANG model
module vxlan-evpn {
  namespace "http://com/example/vxlanevpn";
  prefix vxlan-evpn;
  …
  leaf l2-vlan-id { … }
  leaf l3-vlan-id { … }
  leaf l2-vni-id { … }
  leaf vni-id { … }
  …
  leaf device {
    type leafref {
      path "/ncs:devices/ncs:device/ncs:name";
    }
  }
  …
} // end of module
3.5 Load and Verify the Package
1. Compile the package (using make)
2. Login to the NSO CLI
   • $ ncs_cli -u admin -C
   • admin@ncs# packages reload

Demo Video: Build Service Definition using YANG & Template

Declarative - Block Crypto websites access
Intent: "Block access to Crypto Websites"
NSO Intent CLI: "service blk-crypt web-list port-list"
Prescriptive (Website List)
Config Pushed to Device

NX-OS CLI
ip access-list BLOCK
  10 deny ip 74.125.197.0/24 any
  20 deny ip any 74.125.197.0/24
  30 deny ip 108.177.98.0/24 any
  40 deny ip any 108.177.98.0/24
  60 deny ip 54.191.11.0/24 any
  70 deny ip any 54.191.11.0/24
  80 deny ip 52.43.226.0/24 any
  90 deny ip any 52.43.226.0/24
  100 permit ip any any

NETCONF/YANG (XML)
<System>
  <acl-items>
    <ipv4-items>
      <name-items>
        <ACL-list>
          <name>BLOCK</name>
          <seq-items>
            <ACE-list>
              <seqNum>100</seqNum>
              <action>permit</action>
              <dstPrefix>0.0.0.0</dstPrefix>
              <protocol>0</protocol>
              <srcPrefix>0.0.0.0</srcPrefix>
            </ACE-list>
            <ACE-list>
              <seqNum>60</seqNum>
              <action>deny</action>
              <dstPrefix>0.0.0.0</dstPrefix>
              <protocol>0</protocol>
              <srcPrefix>54.191.11.0</srcPrefix>
              <srcPrefixLength>24</srcPrefixLength>
            </ACE-list>
            ……
          </seq-items>
        </ACL-list>
      </name-items>
    </ipv4-items>
  </acl-items>
</System>
Prescriptive (Ports)
Config Pushed to Device

NX-OS CLI
interface Ethernet1/20
  ip access-group BLOCK in
  ip access-group BLOCK out

NETCONF/YANG (XML)
<System>
  <acl-items>
    <ipv4-items>
      <policy-items>
        <ingress-items>
          <intf-items>
            <If-list>
              <name>eth1/20</name>
              <acl-items>
                <name>BLOCK</name>
              </acl-items>
            </If-list>
          </intf-items>
        </ingress-items>
        <egress-items>
          <intf-items>
            <If-list>
              <name>eth1/20</name>
              <acl-items>
                <name>BLOCK</name>
              </acl-items>
            </If-list>
          </intf-items>
        </egress-items>
      </policy-items>
    </ipv4-items>
  </acl-items>
</System>
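A check of what was pushed, as an added example (not the deck's or NSO's code): it parses the NX-OS native-model XML from the two slides above, renders the NX-OS CLI shown beside it, and verifies the blk-crypt intent, i.e. each blocked prefix is denied in both directions before the final permit and the BLOCK ACL is bound in and out on the port. The XML is a constructed, shortened copy of the slides' (one blocked prefix); the ACL name, interface and prefix are the slides'.

```python
"""Intent check for the blk-crypt config pushed by NSO (added example).

Parses the NX-OS native-model XML (System/acl-items), renders the NX-OS
CLI equivalent, and verifies that the service intent holds on the device.
PUSHED_XML is a constructed, shortened copy of the slides' XML.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

PUSHED_XML = """<System>
  <acl-items>
    <ipv4-items>
      <name-items>
        <ACL-list>
          <name>BLOCK</name>
          <seq-items>
            <ACE-list><seqNum>10</seqNum><action>deny</action><protocol>0</protocol>
              <srcPrefix>74.125.197.0</srcPrefix><srcPrefixLength>24</srcPrefixLength>
              <dstPrefix>0.0.0.0</dstPrefix></ACE-list>
            <ACE-list><seqNum>20</seqNum><action>deny</action><protocol>0</protocol>
              <srcPrefix>0.0.0.0</srcPrefix>
              <dstPrefix>74.125.197.0</dstPrefix><dstPrefixLength>24</dstPrefixLength></ACE-list>
            <ACE-list><seqNum>100</seqNum><action>permit</action><protocol>0</protocol>
              <srcPrefix>0.0.0.0</srcPrefix><dstPrefix>0.0.0.0</dstPrefix></ACE-list>
          </seq-items>
        </ACL-list>
      </name-items>
      <policy-items>
        <ingress-items><intf-items><If-list><name>eth1/20</name>
          <acl-items><name>BLOCK</name></acl-items></If-list></intf-items></ingress-items>
        <egress-items><intf-items><If-list><name>eth1/20</name>
          <acl-items><name>BLOCK</name></acl-items></If-list></intf-items></egress-items>
      </policy-items>
    </ipv4-items>
  </acl-items>
</System>"""

# Protocol numbers used by the model; 0 renders as "ip" on the slide.
PROTO = {"0": "ip", "6": "tcp", "17": "udp"}
Ace = Tuple[int, str, str, str, str]   # (seq, action, proto, src, dst)


def _prefix(ace: ET.Element, side: str) -> str:
    """srcPrefix/dstPrefix plus its length; 0.0.0.0 with no length means 'any'."""
    addr = ace.findtext(f"{side}Prefix", "0.0.0.0")
    length = ace.findtext(f"{side}PrefixLength")
    if addr == "0.0.0.0" and length is None:
        return "any"
    return f"{addr}/{length or 32}"


def parse_acl(root: ET.Element, name: str) -> List[Ace]:
    """ACEs of the named ACL, ordered by sequence number."""
    aces: List[Ace] = []
    for acl in root.iterfind("./acl-items/ipv4-items/name-items/ACL-list"):
        if acl.findtext("name") != name:
            continue
        for ace in acl.iterfind("./seq-items/ACE-list"):
            aces.append((int(ace.findtext("seqNum")), ace.findtext("action"),
                         PROTO.get(ace.findtext("protocol", "0"), "ip"),
                         _prefix(ace, "src"), _prefix(ace, "dst")))
    return sorted(aces)


def bindings(root: ET.Element) -> Dict[Tuple[str, str], str]:
    """{(interface, 'in'|'out'): ACL name} taken from policy-items."""
    bound: Dict[Tuple[str, str], str] = {}
    for direction, node in (("in", "ingress-items"), ("out", "egress-items")):
        path = f"./acl-items/ipv4-items/policy-items/{node}/intf-items/If-list"
        for intf in root.iterfind(path):
            bound[(intf.findtext("name"), direction)] = intf.findtext("acl-items/name")
    return bound


def to_cli(root: ET.Element, name: str) -> List[str]:
    """The NX-OS CLI shown beside the XML on the slides."""
    lines = [f"ip access-list {name}"]
    lines += [f"  {s} {a} {p} {src} {dst}" for s, a, p, src, dst in parse_acl(root, name)]
    by_intf: Dict[str, List[str]] = {}
    for (intf, direction), acl in sorted(bindings(root).items()):
        if acl == name:
            by_intf.setdefault(intf, []).append(direction)
    for intf, dirs in by_intf.items():
        lines.append(f"interface {intf.replace('eth', 'Ethernet', 1)}")
        lines += [f"  ip access-group {name} {d}" for d in dirs]
    return lines


def verify_intent(root: ET.Element, name: str, port: str, blocked: List[str]) -> List[str]:
    """Findings that break the intent; an empty list means it holds.

    A prefix counts as blocked only if an 'ip' deny for it exists in each
    direction with a lower sequence number than the first permit (ACEs are
    evaluated in order, first match wins).
    """
    aces = parse_acl(root, name)
    permits = [s for s, a, *_ in aces if a == "permit"]
    first_permit = permits[0] if permits else float("inf")

    def denied(src: str, dst: str) -> bool:
        return any(a == "deny" and p == "ip" and sr == src and ds == dst and s < first_permit
                   for s, a, p, sr, ds in aces)

    findings = []
    for prefix in blocked:
        if not denied(prefix, "any"):
            findings.append(f"{prefix} -> any is not denied before the first permit")
        if not denied("any", prefix):
            findings.append(f"any -> {prefix} is not denied before the first permit")
    bound = bindings(root)
    for direction in ("in", "out"):
        if bound.get((port, direction)) != name:
            findings.append(f"{name} is not applied {direction} on {port}")
    return findings


ROOT = ET.fromstring(PUSHED_XML)
```

Feeding the same checker the XML read back by "sync-from" turns it into the continuous-verification step from the NSO slides.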
NSO/NXOS Integration Use Cases
Intent-Based Network Automation Journey
1. Existing networks: manual work, ad-hoc scripts, device-by-device
2. Automated configuration management: automate configuration management with centralized APIs / interfaces to the entire network
3. Automated auditing and remediation: audit and remediate configuration across the enterprise
4. Cross-domain intent-based automation: automate cross-domain business intent
NSO APIs and Use Case Integration Template
[Figure: the NSO core (Service Manager with service models, Package Manager with templates, mapping logic and script/package logic, Device Manager with device models, Fast Map, AAA, Alarm Manager, Notification Receiver, Developer API, Core Engine). Northbound users and systems: the Network Engineer via CLI and Web UI; OSS/BSS, EMS/NMS, IPAM (e.g. Infoblox), external DB (e.g. CMDB), service ticketing (e.g. Remedy), OS upgrades (e.g. Windows) and compliance, over REST, NETCONF, SNMP, JSON-RPC, Java/JavaScript, Python and web services. Southbound: Network Element Drivers (NETCONF, SNMP, REST, CLI) to the multi-vendor network, other network controllers (e.g. WAE, ACI), VNFM (e.g. ESC), EMS, assurance (e.g. ZenOSS, Moogsoft), a manager of managers (e.g. Netcool), with SNMP/syslog notifications coming back in.]
What Others Are Doing With Cisco NSO
Examples of Customer-Developed Automation Use Cases (1)
• Extranet partner on-boarding
• Application on-boarding in DC and cloud (API-driven network configuration)
• Orchestration and provisioning of NFV for virtualized B2B infrastructure (routers, firewalls, load balancers)
• DMZ traffic steering
• Life-cycle management of network services in trade floor networks
• Automating QoS policies across the WAN and campuses
• Automation of access control policies
• Lockdown configuration service for data centers
• VPN provisioning
• Bulk device migration
• Multi-vendor firewall configuration management
• TrustSec automation
• Datacenter switching automation
• Global network segmentation service
• Security service chaining
• Cross-domain network segmentation
(1) Sometimes developed by Cisco Advanced Services or a third-party Systems Integrator
The Configuration Data Store
Intent: Full configuration backup and restoration options
[Figure: the NSO architecture from the System Overview slide, with the CDB highlighted.]
Configuration Management:
• Gather and store configurations, track changes from network devices
Audit:
• Tracking network/service configuration changes and checking for policy and compliance
Service Layer Visibility:
• Tracking service layer events and resource requirements
NSO: NFVO Resource Orchestration
Intent: VNF lifecycle management and provisioning
[Figure: RFS services and RFS provisioning and activation in Cisco NSO; the NSO NFVO component (NFV Orchestrator) holds the VNFD/NSD catalogue, NSRs and VNFRs, and NFVI resources; it talks Or-Vnfm to the VNF Manager (Cisco ESC) and Or-Vi to the Virtual Infrastructure Manager (VIM), which runs the VNFs on the NFV Infrastructure (NFVI).]
Network-wide CLI
Intent: Management point abstraction for network
• Two flavors of CLI including all main interaction idioms, including control-commands and command-line editing
• Strict separation between operational data and configuration data
• Range and group operations for performing configuration changes on sets of devices
• Full AAA (NACM) integration provides policies on both models and instance data
• Leverages the two-phase commit engine in NSO to provide all-or-nothing changes including explicit validation stages
Templates and Compliance Reporting
Intent: Network policy compliance and security management
• Engineering teams create device templates from device configuration
• Device templates are then manually applied to groups of devices, reporting diffs
• This process can then be packaged into a compliance report to produce reports (plain text, XML, HTML)
Service Insight
Intent: Visibility into the network service status and events
• In order to maintain intent, we need to be able to answer:
  - What is the resulting configuration from this service?
  - Which service(s) does this configuration parameter come from?
  - Are the two in sync?
  - To support: remedial actions, service migration, service discovery
• NSO provides full referential integrity between service and device layers
Orchestrated Assurance
Intent: Proactive service monitoring and assurance
"To assure what is orchestrated, we must orchestrate assurance" -- Wise Person
• Extending the service models with KPI definitions and SLAs
• Working with a programmable collector and correlator
• Allows us to…
  - Automate activation tests and service assurance
  - Provide service-level assurance in hybrid networks
Network Device Upgrade and OS Migration
Intent: Device/Service migration from legacy to new
[Figure: NSO (enabled by Tail-f) with Service Manager, Device Manager and multi-vendor Network Element Drivers migrating Service 1 and Service 2 from the existing service configuration onto the new device.]
Use Cases
• Incremental service migration – migrate services one at a time from one device to the other (scenarios where the customer doesn't like migrating all services at one stretch on the new network device)
NSO Functionality
• Service model
• Programmatically map design-time definition to runtime state of network
• Dynamically reconfigure the network to fulfill the service intent anytime change occurs
Benefits
• Minimize business impact - reduce business risk via the best migration strategy approach by careful evaluation of business-critical services/applications
• Minimize downtime - service downtime will be minimized without affecting customer satisfaction
Pre-built Function Packs
Core Function Packs for Cisco NSO: commercially packaged automation applications for key Cisco use cases (CVDs)
[Figure: function packs placed across the network: SD-WAN (WAN), Data Center, SAE, Public Cloud, Campus Fabric / SD-Access, SaaS, Cloud Edge, Virtual Branch, Internet and Direct Internet Access.]
Core Function Packs can be customized and extended to fit your environment and your design guidelines
SD-WAN Core Function Pack
• Automation of SD-WAN through vManage
• Automation of other network domains (including Virtual Branches) or multi-vendor deployments through NSO
• Cross-domain interworking between SD-WAN and other network domains or multi-vendor deployments through NSO

[Diagram: SD-WAN Core FP alongside Other Function Packs on NSO; vManage controls Cisco SD-WAN, NSO controls other network domains or third-party devices]
SAE Core Function Pack
• Automation of Cisco Secure Agile Exchange (SAE) through NSO
• Control point for centralized cross-domain policy management using NSO
• Automation of other network domains or multi-vendor deployments through NSO
• Cross-domain interworking between SAE and other network domains or multi-vendor deployments

[Diagram: Cloud Edge Core FP alongside Other Function Packs on NSO; SAE as the co-located meeting place for Consumer / Provider Networks; other network domains or third-party devices]
SD-Access Core Function Pack
• Automation of SD-Access through DNA-Center (DNA-C)
• Automation of other network domains or multi-vendor deployments through NSO
• Cross-domain interworking between SD-Access and other network domains or multi-vendor deployments through NSO

[Diagram: SD-Access Core FP alongside Other Function Packs on NSO; campus network enabled by SD-Access; other network domains or third-party devices]
Virtual Branch Core Function Pack
• Automation of Virtual Branch deployments through NSO
• Automation of other network domains or multi-vendor deployments through NSO
• Cross-domain interworking between vBranch and other network domains or multi-vendor deployments

[Diagram: Virtual Branch Core FP alongside Other Function Packs on NSO; Virtual Branch with a mix of virtual and physical network devices; other network domains or third-party devices]
Cisco AS - Packaged Service Offerings

Base Package
  Customer Needs: • Automation Platform • What can Automation do for them • Knowledge Transfer
  Service Offering: • Deployment of NSO • Detailed design plan creation • Test Plan creation • Knowledge transfer

Simple
  Customer Needs: • Small Network • Custom Design • Cisco Device & Service Package creation • Operationalization
  Service Offering: • Service Creation and inputs • Configuration Line modification • NED deployment • Post Validation Checks • Knowledge Transfer

Medium
  Customer Needs: • Medium size Network • Custom Design • 3rd Party Device & Service Package creation • Operationalization
  Service Offering: • Service Creation and inputs • Configuration Line modification • NED deployment • Post Validation Checks • Knowledge Transfer

Complex
  Customer Needs: • Medium size Network • Custom Design • 3rd Party Device & Service Package creation • Operationalization
  Service Offering: • Service Creation and inputs • Configuration Line modification • NED deployment • Post Validation Checks • Knowledge Transfer

Custom
  Customer Needs: • Custom Requirements • Custom Design • Multiple Environments
  Service Offering: • Custom Statement of Work for: Plan/Build/Deploy Service(s); Operations Enablement Service(s); Optimization Services
Customer Deployment
Case Studies
Case study Focus
Global financial institution Release the burden from Operations teams who struggled to
keep up to date with maintaining configurations across
thousands of network devices in compliance.

Use Cases
• Automation of QoS policy across branches, campuses,
core, datacenters
• Automated lockdown service for datacenters
• Automated provisioning of extranet partners
• Automated migration of Branch routers and switches to
new devices
• Orchestrating the creation/renewal and delivery of SSL
certificates to network devices
• Orchestrating the monitoring and provisioning of
EVPN/VXLAN connections used for Co-Lo connectivity
(internal and external connections)
• Orchestrating the provisioning of NFV for virtualized B2B
infrastructure (routers, firewalls, load balancers)
Global Financial Institution – NSO Automation

• Provisioning of extranet partner: 95% efficiency gain; less than 5 minutes rather than hours
• Branch migration: 95% efficiency gain; less than 20 minutes rather than many hours
• Datacenter lockdown: 75% efficiency gain; constantly improving
Use Case: Cisco IT

Data as of January 2018
Cisco IT Experience on NSO

Benefits

Flexibility through DevOps approach:
- Allows us to wrap required business logic around orchestration quickly
- Strong API support and user customizable components
- More flexibility than current tools
- True programmable interface to network device
- Allow to build our own User Experience (UI)
- Good network device specific simulation environment

Transactional & Policy Enforcement:
- Only required change lines and to only the devices requiring them
- Easy rollback
- Allow us to define and enforce policies before configuration deployment
- Easy compliance assessment & remediation

Strong Partnership & Product Support:
- Good breadth of product support (IOS, NX-OS, ASA, Citrix, APIC-DC)
- Good support from the BU on NED enhancements (2 weeks SLA)

Areas for Investment: NSO Deployment / POCs

1. Branch Office as a Service Experience & Automation (services such as new office, change vlan/subnet, capacity upgrade, fleet upgrade, modify QoS etc.)
2. Administrative Experience (configuration life cycle management, ACL management, topology based config changes, services based compliance assessment, remediation etc.)
3. Zero-Touch Deployment using PnP service (pnp service validation, home office/CVO config automation)
4. DC: Compliance config deployment in IOSD devices
5. DC: Transition config model to services (AAA, DNS, NTP, Syslog etc.)

Great information on Cisco IT deployment model and 5 day Training:
https://github.com/NSO-developer
https://github.com/NSO-developer/nso-5-day-training
Cisco IT – NSO Automation

• Automated ACL enforcement: 52,000 errors uncovered and eliminated; 100% ACL compliance
• Automated security deployment, audit and remediation: 8,000 hrs. saved compared to manual operations; 95% reduction in auditing and remediation time
• Automated device OS lifecycle: 96% reduction in OS upgrade time; 93% reduction of human errors
Demo Video:
Intent-based Network Compliance Service using NSO and NXOS

Demo – Golden Config Compliance
Intent: Devices should be in compliance with the baseline configuration.

Demo: Golden Config Compliance Service
1. Deploy Baseline - Configure the baseline config on the new network devices
2. Run Compliance - Provide compliance reporting functionality
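The two demo steps above can be illustrated with a small standalone script. The following Python is an added example written for this page, not code from the session, from NSO or from the demo package. It assumes a golden baseline expressed as NX-OS configuration text (step 1), compares a device's running config against it and against a short list of statements that must not be present (step 2), and derives the config lines an orchestrator would push to bring the device back to baseline. The device name "leaf1", the addresses, the ACL and the forbidden statements are all constructed sample values.

```python
"""Golden-config compliance check modelled on the demo's two steps.

GOLDEN_BASELINE stands in for the deployed baseline (step 1);
check_compliance() is the compliance report (step 2). All device data here
is constructed for the example and is not taken from the session.
"""
import re
from dataclasses import dataclass, field

# Constructed golden baseline in NX-OS syntax; values are illustrative only.
GOLDEN_BASELINE = """\
feature nxapi
ntp server 192.0.2.10 use-vrf management
logging server 192.0.2.20 6 use-vrf management
aaa authentication login default group tacacs+
ip access-list MGMT-IN
  10 permit tcp 192.0.2.0/24 any eq 22
  20 deny ip any any log
line vty
  access-class MGMT-IN in
"""

# Constructed deny-list: statements that violate the baseline if present.
FORBIDDEN_PATTERNS = [
    r"^feature telnet$",
    r"^snmp-server community \S+ group network-admin$",
]

# Constructed running config of a hypothetical device "leaf1".
SAMPLE_RUNNING_CONFIG = """\
!Command: show running-config
feature telnet
feature nxapi
ntp server 192.0.2.10 use-vrf management
logging server 192.0.2.20 6 use-vrf management
ip access-list MGMT-IN
  10 permit tcp 192.0.2.0/24 any eq 22
line vty
"""


def parse_config(text):
    """Flatten an indented config into a set of fully qualified line paths.

    '  10 permit ...' under 'ip access-list MGMT-IN' becomes the tuple
    ('ip access-list MGMT-IN', '10 permit ...'), so a child line only counts
    as present when it sits under the same parent section.
    """
    entries = set()
    parents = []  # stack of (indent, line) for the enclosing sections
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and comments
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        while parents and parents[-1][0] >= indent:
            parents.pop()  # we left a section: drop deeper/equal parents
        path = tuple(p[1] for p in parents) + (line,)
        entries.add(path)
        parents.append((indent, line))
    return entries


@dataclass
class ComplianceReport:
    device: str
    missing: list = field(default_factory=list)     # baseline paths absent
    violations: list = field(default_factory=list)  # forbidden paths present

    @property
    def compliant(self):
        return not self.missing and not self.violations


def check_compliance(device, running_config, baseline=GOLDEN_BASELINE,
                     forbidden=FORBIDDEN_PATTERNS):
    """Step 2 of the demo: compare one device against the golden baseline."""
    have = parse_config(running_config)
    want = parse_config(baseline)
    report = ComplianceReport(device)
    report.missing = sorted(want - have)
    report.violations = [p for p in sorted(have)
                         if any(re.match(rx, p[-1]) for rx in forbidden)]
    return report


def remediation_commands(report):
    """Config-mode lines that add missing statements and negate forbidden ones.

    Sections are entered once per run of lines and left with 'exit', so the
    list can be handed to an orchestrator as a single ordered change.
    """
    cmds, current = [], ()

    def enter(parents):
        nonlocal current
        while current and current != parents[:len(current)]:
            cmds.append("exit")
            current = current[:-1]
        cmds.extend(parents[len(current):])
        current = parents

    for path in report.missing:
        enter(path[:-1])
        cmds.append(path[-1])
    for path in report.violations:
        enter(path[:-1])
        cmds.append("no " + path[-1])
    enter(())
    return cmds


if __name__ == "__main__":
    rep = check_compliance("leaf1", SAMPLE_RUNNING_CONFIG)
    print(rep.device, "COMPLIANT" if rep.compliant else "NON-COMPLIANT")
    for p in rep.missing:
        print("  missing  :", " / ".join(p))
    for p in rep.violations:
        print("  forbidden:", " / ".join(p))
    print("remediation:", remediation_commands(rep))
```

Matching on fully qualified paths rather than bare lines is the point worth copying: an ACL entry that exists under the wrong access-list, or a `access-class` line missing from `line vty`, is reported as non-compliant even though the same text appears elsewhere in the config. The forbidden-statement list is deliberately separate from the baseline, because a "must not exist" rule cannot be expressed as a line to add.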

Summary

1. Build Intent-based networks using Solution components – NSO & NXOS
2. Intent-based Use Cases & Customer Deployment examples
THE OPEN, SCALABLE PLATFORM FOR NETWORK AUTOMATION

• Today’s network operations do not support new IT models that are rapidly evolving
• Cisco NSO is the market-leading network automation solution for multi-vendor networks at scale
• Open platform supports both pre-built Cisco automation use cases and your custom automation use cases
• Complete a technical architecture assessment of the ‘as-is’ and recommended ‘to-be’ network
• Let us collaborate with you on a proof-of-concept project to validate the benefits
• Define a business case to quantify the benefits of an NSO-based network automation solution

www.cisco.com/go/nso
Open NXOS - DevNet
https://developer.cisco.com/site/nx-os/

• Model Driven Programmability: https://developer.cisco.com/docs/nx-os/
• DevNet Sandbox
• Developer Tools
• Learning Track
The NSO Digital Ecosystem: NSO DevNet
The one place to use for sharing, finding and collaborating on NSO public knowledge!

External (Open for all): www.cisco.com/go/nsodevnet

• DevNet – Public material targeting partners and customers; DevNet Learning Labs, open for all
• GitHub – Shared code, open for all registered users
• NSO Developer Hub (Jive) – Community and main repository of content and Q&A; selected training and content material; open for all registered Cisco employees, Cisco partners & Cisco customers

Got a question, ask! We will help ensure a fast response.

*Customer, Partner and Cisco **Cisco internal only
Complete your online session evaluation

Give us your feedback to be entered into a Daily Survey Drawing. Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.
Thank you
