BRKSDN-2935
From Zero to Network Programmability in 90 minutes
Gabriel Zapodeanu, Technology Solutions Architect, Cisco Systems
gzapodea@cisco.com, @zapodeanu, github.com/zapodeanu, zapodeanu
Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.
How:
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKSDN-2935
BRKSDN-2935 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Agenda
• Programmability? Why?
• Coding Essentials
• YANG Data Models
• JSON and XML
• NETCONF and RESTCONF
• REST APIs
• API Docs
• Python
• Programmability Use Case
• Remote Access Overview
• Elastic Remote Network Access (ERNA)
• Lessons Learned
• 90 Minutes to Your Application
• Summary
Programmability Skills
Why Network Programmability
Programmability Use Cases
Chart: use cases plotted by business value (low to high) against business risk (low to high): Security, Compliance, Dynamic Application Configuration, Performance Troubleshooting, Change Control, Green Field Design, Optimization, Operations Monitoring.
Programmability Benefits
What Are Data Models
YANG
• Yet Another Next Generation (YANG) data modeling language – RFC 6020 (YANG 1.0; YANG 1.1 is RFC 7950)
• Describes the data models of network devices
• YANG modules are hierarchical tree structures for organizing data
• YANG data models are composed of modules and sub-modules, each of which is an individual YANG file
YANG Data Models
• Used to model configuration and state data
• Open - standards based (IETF, OpenConfig, …), supported by all vendors
• Native - vendor and platform specific (Cisco IOS XE, XR, …)
• Models augmented or deviated
• Where can I find the YANG data models?
  • Network devices
  • https://github.com/YangModels/yang
Diagram: NETCONF, RESTCONF and gRPC on top of open and native YANG data models (configuration and operation), which sit over device features such as Interface, BGP, QoS and ACL; SNMP is shown alongside.
YANG Tools
• YANG Explorer
• pyang – Python library and command-line tool for validating and converting YANG modules
• YANG Catalog
Client to Server - Data Exchange
• We need to send and receive data, to and from the network device
• How do we select the IP address in these outputs?
CLI output (unstructured text):
GigabitEthernet1 is up, line protocol is up
  Description: TO_vSWITCH0
  Internet address is 172.16.11.11/24
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 1Gbps, media type is RJ45
JSON (structured data):
{
  "description": "TO_vSWITCH0",
  "ipv4Address": "172.16.11.11",
  "ipv4Mask": "255.255.255.0",
  "portName": "GigabitEthernet1"
}
JSON - JavaScript Object Notation
• JSON: { "key": "value" }
  • Lightweight data-interchange format
  • Easy for humans to read and write
  • Wide application support to parse and generate
• import json
  • The Python standard library
  • Encode/decode Python types to JSON
Cisco DNA Center - Get Interface API: JSON
{
  "className": "GRETunnelInterface",
  "status": "up",
  "interfaceType": "Virtual",
  "pid": "C9300-48U",
  "serialNo": "FCW2123L0N3",
  "portName": "Tunnel201"
  ...
}
XML - eXtensible Markup Language
• XML: <tag>value</tag>
  • Store and transport data
  • Designed to be self-descriptive
  • Language independent
• XML vs HTML:
  • XML was designed to carry data
  • HTML was designed to display data
• Python support:
  • Multiple libraries to help parsing XML
• XML resource - https://www.w3schools.com/xml
NETCONF Get Interface: XML
<interface>
  <name>GigabitEthernet1</name>
  <description>TO_vSWITCH0</description>
  <type xmlns:ianaift="urn:ietf:params:xml:ns:yang:iana-if-type">ianaift:ethernetCsmacd</type>
  <enabled>true</enabled>
  <ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
    <address>
      <ip>172.16.11.11</ip>
      <netmask>255.255.255.0</netmask>
    </address>
  </ipv4>
</interface>
REST APIs and RESTCONF support JSON and XML; NETCONF supports only XML.
YANG Relationship to JSON and XML
The same YANG-modelled interface data encoded as JSON, as XML, and as the equivalent CLI configuration:
JSON
{
  "ipv4Address": "172.16.11.11",
  "ipv4Mask": "255.255.255.0",
  "portName": "GigabitEthernet1",
  "description": "TO_vSWITCH0"
}
XML
<interface>
  <name>GigabitEthernet1</name>
  <description>TO_vSWITCH0</description>
  <address>
    <ip>172.16.11.11</ip>
    <netmask>255.255.255.0</netmask>
  </address>
</interface>
CLI
interface GigabitEthernet1
 description TO_vSWITCH0
 ip address 172.16.11.11 255.255.255.0
NETCONF - Network Configuration Protocol
• Rich functionality to manage configuration and operational (state) data
• Client (application) initiates the connection towards the server (network device), over SSH on TCP port 830
• Capability exchange during session initiation; XML encoding
• Supports running, candidate and startup configurations
• Methods: <get-config>, <edit-config>, <get>, …
Protocol stack: NETCONF over SSH, XML encoding, YANG data models.
NETCONF RPC Request
from ncclient import manager
import xml.dom.minidom

# SSH connection info: network device, username/password, TCP port (default 830).
# hostkey_verify=False skips SSH host key checking: acceptable in a lab, not in
# production, where a host impersonating the device could collect the credentials.
with manager.connect(host=RW_HOST, port=PORT, username=USER,
                     password=PASS, hostkey_verify=False,
                     device_params={'name': 'default'},
                     allow_agent=False, look_for_keys=False) as m:

    # XML filter to issue with the get operation
    # IOS-XE 16.6.2+ YANG model called "ietf-interfaces"
    interface_filter = '''
        <filter xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
            <interfaces-state xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
                <interface>
                    <name>GigabitEthernet1</name>
                </interface>
            </interfaces-state>
        </filter>
    '''

    # Method: <get> with the filter; the reply is XML, pretty-printed for reading
    result = m.get(interface_filter)
    print(xml.dom.minidom.parseString(result.xml).toprettyxml())
NETCONF in Action
RESTCONF Protocol
RESTCONF Request
import requests

# Device and API resource
url = 'https://RO_HOST/restconf/data/interfaces-state/interface=GigabitEthernet1'

# Headers: YANG-modelled data encoded as JSON
header = {'Content-type': 'application/yang-data+json',
          'accept': 'application/yang-data+json'}

# Method GET with HTTP Basic authentication (ROUTER_AUTH is a (user, password) tuple).
# verify=False disables TLS certificate checking and is for the lab only.
response = requests.get(url, headers=header, verify=False, auth=ROUTER_AUTH)
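The call above works, but with `verify=False` any host answering on port 443 can impersonate the router and collect the Basic-auth credentials. The following is an added example, not code from the session, of the same GET done with the Python standard library only: the interface name is percent-encoded before it goes into the URL (RFC 8040 treats list keys such as `GigabitEthernet1/0/13` as path segments, so an unescaped `/` would be read as a new segment), the router's certificate is checked against a CA bundle you supply, and a RESTCONF error body is decoded instead of ignored. The host name `r1`, the `cafile` path, the module-qualified `ietf-interfaces:interfaces-state` form of the path and the sample error body are assumptions for the example.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import quote

RESTCONF_ROOT = "/restconf/data"
YANG_JSON = "application/yang-data+json"


def interface_state_url(host, name):
    """URL for one ietf-interfaces interfaces-state entry on a RESTCONF server.

    The interface name is a list key inside the path, so '/' and other reserved
    characters are percent-encoded (safe="" encodes '/' too); a raw
    'GigabitEthernet1/0/13' would be read as extra path segments.
    """
    return (f"https://{host}{RESTCONF_ROOT}/ietf-interfaces:interfaces-state"
            f"/interface={quote(name, safe='')}")


def decode_restconf_response(status, body):
    """Map an HTTP status and decoded JSON body to (ok, payload_or_errors).

    RESTCONF errors arrive as {"ietf-restconf:errors": {"error": [...]}};
    error-tag and error-message are what an operator needs to see.
    """
    if 200 <= status < 300:
        return True, body
    errors = []
    if isinstance(body, dict):
        errors = body.get("ietf-restconf:errors", {}).get("error", [])
    return False, [(e.get("error-tag"), e.get("error-message")) for e in errors]


def fetch_interface_state(host, name, username, password, cafile):
    """GET the interface state with TLS verification and HTTP Basic auth.

    cafile is the PEM bundle that signed the router's certificate; the default
    ssl context rejects anything else, which is the replacement for verify=False.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        interface_state_url(host, name),
        headers={"Accept": YANG_JSON, "Authorization": f"Basic {token}"},
    )
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return decode_restconf_response(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        # 4xx/5xx: the body still carries the ietf-restconf:errors structure
        try:
            body = json.load(err)
        except ValueError:
            body = None
        return decode_restconf_response(err.code, body)


# Constructed error body in the shape RFC 8040 defines, so the decoder can be tried offline
SAMPLE_ERROR = {"ietf-restconf:errors": {"error": [
    {"error-type": "application", "error-tag": "invalid-value",
     "error-message": "uri keypath not found"}]}}
```

In a lab with a self-signed certificate, export the router's certificate and pass that file as `cafile`; that pins the lab device without turning verification off for every host.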
RESTCONF Response
{
"ietf-interfaces:interface": {
"name": "GigabitEthernet1",
"admin-status": "up",
"oper-status": "up",
"last-change": "2018-01-17T21:49:17.000387+00:00",
"phys-address": "00:0c:29:6c:81:06",
"speed": 1024000000,
"statistics": {
"in-octets": 5425386232,
"in-unicast-pkts": 28489134,
……………
"out-octets": 2899535736,
"out-unicast-pkts": 18844784
}
}
}
RESTCONF in Action
NETCONF and RESTCONF
The same interfaces-state data for GigabitEthernet1 as a NETCONF <rpc-reply> (XML) and as a RESTCONF response (JSON); the counters differ between the two captures.
NETCONF (XML):
<rpc-reply message-id="urn:uuid:50bf9d6e-7e5c-4182-ae6b-972a055ceef7"
    xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
    xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
  <data>
    <interfaces-state xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
      <interface>
        <name>GigabitEthernet1</name>
        <admin-status>up</admin-status>
        <oper-status>up</oper-status>
        <phys-address>00:0c:29:6c:81:06</phys-address>
        <speed>1024000000</speed>
        <statistics>
          <in-octets>5432293472</in-octets>
          <in-unicast-pkts>28518075</in-unicast-pkts>
          ……………
          <out-octets>2901845514</out-octets>
          <out-unicast-pkts>18850398</out-unicast-pkts>
        </statistics>
      </interface>
    </interfaces-state>
  </data>
</rpc-reply>
RESTCONF (JSON):
{
  "ietf-interfaces:interface": {
    "name": "GigabitEthernet1",
    "admin-status": "up",
    "oper-status": "up",
    "last-change": "2018-01-17T21:49:17.000387+00:00",
    "phys-address": "00:0c:29:6c:81:06",
    "speed": 1024000000,
    "statistics": {
      "in-octets": 5425386232,
      "in-unicast-pkts": 28489134,
      ……………
      "out-octets": 2899535736,
      "out-unicast-pkts": 18844784
    }
  }
}
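As an added example (not code from the session), the two replies above, like the JSON/XML pair in the earlier data-exchange slides, can be read with nothing beyond the Python standard library. The point it shows is that the XML lookups need the namespaces declared in the reply, while the JSON keys carry the module prefix inline; both parsers return the same plain dictionary. The two sample replies are constructed from the slide contents and trimmed to the fields shown. For XML from an untrusted source, the standard library documentation warns that xml.etree does not protect against entity-expansion attacks; use defusedxml there.

```python
import json
import xml.etree.ElementTree as ET

# Namespaces used by the replies on this page (NETCONF base and ietf-interfaces)
NS = {
    "nc": "urn:ietf:params:xml:ns:netconf:base:1.0",
    "if": "urn:ietf:params:xml:ns:yang:ietf-interfaces",
}

# Constructed sample: NETCONF <rpc-reply> trimmed to the fields shown on the slide
NETCONF_REPLY = """<rpc-reply message-id="urn:uuid:50bf9d6e-7e5c-4182-ae6b-972a055ceef7"
    xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <data>
    <interfaces-state xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
      <interface>
        <name>GigabitEthernet1</name>
        <admin-status>up</admin-status>
        <oper-status>up</oper-status>
        <phys-address>00:0c:29:6c:81:06</phys-address>
        <speed>1024000000</speed>
        <statistics>
          <in-octets>5432293472</in-octets>
          <out-octets>2901845514</out-octets>
        </statistics>
      </interface>
    </interfaces-state>
  </data>
</rpc-reply>"""

# Constructed sample: the RESTCONF JSON body for the same interface
RESTCONF_REPLY = """{
  "ietf-interfaces:interface": {
    "name": "GigabitEthernet1",
    "admin-status": "up",
    "oper-status": "up",
    "phys-address": "00:0c:29:6c:81:06",
    "speed": 1024000000,
    "statistics": {"in-octets": 5425386232, "out-octets": 2899535736}
  }
}"""


def parse_netconf_interface(xml_text):
    """Return the interface fields from a NETCONF <rpc-reply> as a plain dict."""
    root = ET.fromstring(xml_text)
    # find() with an explicit namespace map: a bare 'interface' tag would not match
    iface = root.find("nc:data/if:interfaces-state/if:interface", NS)
    if iface is None:
        raise ValueError("no interface element in reply")
    stats = iface.find("if:statistics", NS)
    return {
        "name": iface.findtext("if:name", namespaces=NS),
        "admin-status": iface.findtext("if:admin-status", namespaces=NS),
        "oper-status": iface.findtext("if:oper-status", namespaces=NS),
        "phys-address": iface.findtext("if:phys-address", namespaces=NS),
        # XML carries text only; numeric fields are cast explicitly
        "speed": int(iface.findtext("if:speed", namespaces=NS)),
        "in-octets": int(stats.findtext("if:in-octets", namespaces=NS)),
        "out-octets": int(stats.findtext("if:out-octets", namespaces=NS)),
    }


def parse_restconf_interface(json_text):
    """Return the same fields from a RESTCONF JSON body (module-qualified top key)."""
    body = json.loads(json_text)
    iface = body["ietf-interfaces:interface"]
    stats = iface["statistics"]
    return {
        "name": iface["name"],
        "admin-status": iface["admin-status"],
        "oper-status": iface["oper-status"],
        "phys-address": iface["phys-address"],
        "speed": iface["speed"],  # JSON already types this as a number
        "in-octets": stats["in-octets"],
        "out-octets": stats["out-octets"],
    }
```

Both functions return the same keys, so code that consumes interface state does not need to know which protocol fetched it; the octet counters differ only because the two slide captures were not taken at the same moment.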
Network Device APIs
The interface data returned by RESTCONF (JSON) and NETCONF (XML), and the equivalent CLI configuration:
RESTCONF (JSON)
{
  "ipv4Address": "172.16.11.11",
  "ipv4Mask": "255.255.255.0",
  "portName": "GigabitEthernet1",
  "description": "TO_vSWITCH0"
}
NETCONF (XML)
<interface>
  <name>GigabitEthernet1</name>
  <description>TO_vSWITCH0</description>
  <address>
    <ip>172.16.11.11</ip>
    <netmask>255.255.255.0</netmask>
  </address>
</interface>
CLI
interface GigabitEthernet1
 description TO_vSWITCH0
 ip address 172.16.11.11 255.255.255.0
What is REST?
• REST – Representational State Transfer
• Client-server communications
• Stateless - client side could maintain session state, the server does not
• An architecture style for designing networked applications
• It is not a standard
What is a REST API?
• API – Application Programming Interface
• Set of subroutine definitions, protocols, and tools for building application software
• Specifies how software components should interact with each other
• Many types of APIs exist, not only RESTful APIs
• RESTful APIs use HTTP requests for Create/Read/Update/Delete (CRUD) operations:
  • Create a new resource
  • Retrieve/read a resource
  • Update an existing resource
  • Delete a resource
How to Make a REST API Call
• REST APIs are centered around an HTTP request and response model
• Consuming an API is as simple as making an HTTP request
• Transport protocol: HTTP/HTTPS
Diagram: your application (client) sends a request to the application server and receives a response.
REST API Request Components
• URL: Application Server and the API resource
• Authentication: HTTP Basic, Custom, OAuth, none
• Headers: HTTP Headers, example: Content-Type: application/json
• Request Body: JSON or XML - the data needed to complete request
• Method (CRUD) :
• POST - Creates a new resource
• GET - Retrieves/Read a resource
• PUT - Updates an existing resource
• DELETE - Deletes a resource.
REST API Request
Retrieve the Cisco DNA Center information for the client with the IP address {client_ip}
import requests

# User defined function
def get_client_info(client_ip, dnac_jwt_token):
    # URL: application server (DNAC_URL) and API resource
    url = DNAC_URL + '/api/v1/host?hostIp=' + client_ip
    # Headers, including authentication: the Cisco DNA Center JWT is sent as a cookie
    header = {'content-type': 'application/json', 'Cookie': dnac_jwt_token}
    # Method: GET (verify=False disables TLS certificate checking; lab use only)
    response = requests.get(url, headers=header, verify=False)
    # Parsing JSON: 'response' is a list; [0] raises IndexError when no client matches
    client_json = response.json()
    client_info = client_json['response'][0]
    return client_info
REST API Response Components
• HTTP Status Codes
• 2xx Success - 200 OK, 201 Created
• 4xx Client Error - 400 Bad Request, 401 Unauthorized, 404 Not Found
• 5xx Server Error - 500 Internal Server Error
• Headers
• Content-Type – JSON or XML, cache control, date, encoding
• Response Body
• Payload with requested data formatted in JSON, XML, or other types
REST API Response
Retrieve the Cisco DNA Center information for the client with the IP address {client_ip}
HTTP status code: 200 / success
Headers:
Cache-Control → no-cache
Content-Type → application/json;charset=UTF-8
…
JSON response body:
{
  "hostIp": "10.93.140.35",
  "hostMac": "00:0c:29:6d:df:40",
  "hostType": "wired",
  "connectedNetworkDeviceId": "601c9ead-576c-402d-bcb1-224235b1e020",
  "connectedNetworkDeviceIpAddress": "10.93.140.50",
  "connectedInterfaceId": "eb613db0-0994-44ec-9146-1b65346f3d07",
  "connectedInterfaceName": "GigabitEthernet1/0/13",
  "connectedNetworkDeviceName": "NYC-9300",
  "vlanId": "123",
  "lastUpdated": "1528324633014",
  "accessVLANId": "123",
  "id": "841f9433-0d2c-4735-afe8-beb7547b7883"
}
REST API Request and Response Exchange
Request, from your application (client) to Cisco DNA Center:
url = DNAC_URL + '/api/v1/host?hostIp=' + client_ip
header = {'content-type': 'application/json', 'Cookie': dnac_jwt_token}
client_response = requests.get(url, headers=header, verify=False)
Response, assigned to the variable client_response:
{
  "hostIp": "10.93.140.35",
  "hostMac": "00:0c:29:6d:df:40",
  "hostType": "wired",
  "connectedNetworkDeviceIpAddress": "10.93.140.50",
  "connectedInterfaceName": "GigabitEthernet1/0/13",
  "connectedNetworkDeviceName": "NYC-9300",
  "vlanId": "123",
  …
}
Parse JSON:
client_json = client_response.json()
client_info = client_json['response'][0]
REST API in Action
API Docs – Cisco DNA Center
Programming Languages
Programming Language - Python
Why Should You Learn Python
Ref: https://stackoverflow.blog/2017/09/06/incredible-growth-python/
Use Case APIs
• The presented use case, written in Python, will use:
  • REST APIs: controllers, firewalls, collaboration, DC orchestration
  • NETCONF and RESTCONF: IOS XE network devices operational data
  • ServiceNow REST APIs
Diagram: the application (written in Python) talks over REST APIs to ServiceNow, Webex Teams, DC Automation, Cisco DNA Center and the Cisco ASA NGFW, and over NETCONF/RESTCONF to the IOS XE infrastructure.
Remote Network Access
• Vendors, contractors, IT engineers and developers need
access to devices or systems, inside the Enterprise
network (IP-enabled Devices – IP-Ds)
• Typically required for:
• Normal mode of operations, while providing services
• Software upgrades, patching and monitoring
• Troubleshooting
• Proof of Concepts and testing of new applications
Agenda
• Programmability? Why?
• Coding Essentials
• Programmability Use Case
• Remote Access Overview
• Elastic Remote Network Access (ERNA)
• Architecture
• Implementation
• Flowchart
• Smart Configurations
• Utilized APIs
• Demo
• Lessons Learned
• 90 Minutes to Your Application
• Summary
Elastic Remote Network Access Requirements
Remote Access to IP-enabled Devices – IP-Ds
High Level Architecture
Diagram: the Elastic Remote Network Access Application at the center, connected to the Security Management, Controller, Validation and Record components.
High Level Architecture - Components
Diagram: the Elastic Remote Network Access Application with Security Management (ASAv) and Record (ServiceNow) shown as components.
High Level Architecture – Functional Requirements
• End User Interface (Webex Teams): end user interaction with the application
  • Input access requests / receive approval
  • Receive notifications
  • Update status
• Data Center Orchestration (UCSD): compute provisioning, storage configuration, network provisioning, workflow automation
• Security Management (ASAv): firewall configuration - add and remove Access Control List Entries
• Controller (Cisco DNA Center): information about clients and network devices; physical and logical topology; configuration management
• Validation (Cisco DNA Center, Device API)
• Record (ServiceNow): ITSM integration - create an incident to record the access and all configuration changes
Network Configurations
DC router side (SECURE_REMOTE VRF):
!
ip vrf SECURE_REMOTE
 rd 201:1
 route-target export 201:1
 route-target import 201:1
!
interface Loopback200
 ip address 10.93.140.48 255.255.255.255
!
interface Tunnel201
 ip vrf forwarding SECURE_REMOTE
 ip address 10.93.140.45 255.255.255.252
 tunnel source Loopback200
 tunnel destination 10.93.140.49
 keepalive
!
interface GigabitEthernet3
 description to_SECURE_REMOTE
 ip vrf forwarding SECURE_REMOTE
 ip address 172.16.202.1 255.255.255.0
 negotiation auto
!
router eigrp 123
 network 10.93.140.48 0.0.0.0
 redistribute static
 redistribute connected
!
router eigrp 201
 address-family ipv4 vrf SECURE_REMOTE
  network 10.93.140.45 0.0.0.0
  network 172.16.202.1 0.0.0.0
  autonomous-system 201
 exit-address-family
!
Access switch side (template; $IPD and $VlanId are customized for the location of the IP-D: access VLAN and IP-D IP address):
!
interface Loopback200
 ip address 10.93.140.49 255.255.255.255
!
interface Tunnel201
 ip address 10.93.140.46 255.255.255.252
 tunnel source Loopback200
 tunnel destination 10.93.140.48
 keepalive
!
router eigrp 123
 network 10.93.140.49 0.0.0.0
!
router eigrp 201
 network 10.93.140.46 0.0.0.0
 redistribute static route-map REMOTE_ACCESS
 exit
!
ip route $IPD 255.255.255.255 Vlan$VlanId
!
ip prefix-list REMOTE_ACCESS_PLIST seq 5 permit $IPD/32
!
route-map REMOTE_ACCESS permit 10
 match ip address prefix-list REMOTE_ACCESS_PLIST
!
The two Loopback200 addresses anchor the GRE tunnel; on the access side only the $IPD/32 host route passes the REMOTE_ACCESS route-map into the tunnel routing process, so nothing else on the access VLAN becomes reachable.
Flowchart: provisioning (workflow initiated, DC config, ASAv config, ServiceNow incident) and de-provisioning (workflow initiated, ASAv config, ServiceNow update).
Smart Configurations Deployment
Duplicate IPv4 Address Prevention
• Simple Python application using Cisco DNA Center Platform APIs and Python file and string operations
• Process each CLI template file before deployment
• Select the new IPv4 addresses to be configured
• Validate that each is a well-formed and usable IPv4 address
• Verify, using Cisco DNA Center APIs, whether the IPv4 addresses are already in use by:
  • Network device interfaces (either up or down)
  • Connected clients, wired or wireless
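One way to implement the checks listed above, as an added example that is not the session's code: the template text and the two address sets that Cisco DNA Center would return (interface addresses and connected-client addresses) are constructed inline so it runs offline; in the real application the two sets come from the Cisco DNA Center APIs. Only `ip address` lines are treated as new addresses, because masks, `tunnel destination` and `ip route` targets name addresses that are supposed to exist already.

```python
import ipaddress

# Constructed CLI template in the style of the page's network configurations,
# with $IPD / $VlanId already substituted. The Vlan123 address deliberately
# collides with a connected client and the Loopback201 address is malformed.
TEMPLATE = """!
interface Loopback200
 ip address 10.93.140.49 255.255.255.255
!
interface Tunnel201
 ip address 10.93.140.46 255.255.255.252
 tunnel source Loopback200
 tunnel destination 10.93.140.48
!
interface Vlan123
 ip address 10.93.140.35 255.255.255.0
!
interface Loopback201
 ip address 10.93.140.300 255.255.255.255
!
ip route 10.93.140.35 255.255.255.255 Vlan123
"""

# Constructed stand-ins for what Cisco DNA Center returns: addresses on network
# device interfaces (up or down) and addresses of connected clients
DEVICE_INTERFACE_IPS = {"10.93.130.21", "10.93.140.50", "10.93.140.48"}
CLIENT_IPS = {"10.93.140.35"}


def addresses_to_configure(template_text):
    """Return the addresses the template would assign, in order of appearance.

    Only 'ip address <addr> <mask>' lines count; everything else in the
    template refers to addresses that are expected to exist already.
    """
    found = []
    for line in template_text.splitlines():
        words = line.split()
        if len(words) >= 4 and words[0] == "ip" and words[1] == "address":
            found.append(words[2])
    return found


def valid_host_address(text):
    """Parse a dotted quad; reject syntax errors and addresses that can never be a host."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return None
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified or ip.is_reserved:
        return None
    return ip


def check_template(template_text, interface_ips, client_ips):
    """Classify every address the template configures.

    Returns {'invalid': [...], 'in_use': [(addr, 'interface'|'client')], 'ok': [...]}
    so the caller refuses deployment when either of the first two is non-empty.
    """
    report = {"invalid": [], "in_use": [], "ok": []}
    for text in addresses_to_configure(template_text):
        ip = valid_host_address(text)
        if ip is None:
            report["invalid"].append(text)
        elif str(ip) in interface_ips:
            report["in_use"].append((str(ip), "interface"))
        elif str(ip) in client_ips:
            report["in_use"].append((str(ip), "client"))
        else:
            report["ok"].append(str(ip))
    return report
```

Run `check_template(TEMPLATE, DEVICE_INTERFACE_IPS, CLIENT_IPS)` before calling the template deployment API; deploying only when both `invalid` and `in_use` are empty is what keeps a typo in a request from knocking a client or an interface off the network.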
Duplicate IPv4 Address Prevention In Action
Business Rules
History of Approval and Configuration Deployment Status
Collect logs for tracking, compliance
• Vendor identity
• IP-D info – switch and access VLAN, physical location
• Time of day and day of the week
• Approved/denied access
• Configuration deployment successful or failed
• Validation of path segmentation
• Interface tunnel status and counters for traffic statistics
• This collection of rich data is very valuable
ERNA Lab Testing Logs
Machine Learning (ML)
• Machine learning is an application of Artificial Intelligence (AI) that provides systems
the ability to automatically learn and improve from experience without being explicitly
programmed.
• Good news, the heavy work is done for us
• ML libraries:
• TensorFlow
• Microsoft Cognitive Toolkit
• And many more …
Webex Teams APIs Functions
Flowchart of the ERNA workflow: Application ERNA Start, DNS Lookup, Timer Started, Timer Expired, Activity Log; provisioning (workflow initiated, DC config, ASAv config, ServiceNow incident) and de-provisioning (workflow initiated, ASAv config, ServiceNow update).
Webex Teams API calls
• Cisco Webex Teams as the user interface and messaging platform
• A vendor requests remote access to an IP-enabled device
• Approval process
• API calls to Webex Teams:
  • Check for messages
  • Find the user identity
  • Post messages
  • Create/delete spaces
  • Membership operations
Webex Teams API Request
Retrieve the last message and user info from the room with {room_id}
import requests

# Authentication: a Webex Teams bearer token (truncated here; keep it out of source code)
WEBEX_AUTH = 'Bearer ' + 'ZTc0ZGUzNTctMWFlNC00ODQzLWFkYWEtM…'

# User defined function
def last_webex_room_message(room_id):
    # URL
    url = WEBEX_URL + '/messages?roomId=' + room_id
    # Headers, including authentication
    header = {'content-type': 'application/json', 'authorization': WEBEX_AUTH}
    # Method: GET
    response = requests.get(url, headers=header)
    # Parsing JSON: items are returned newest first; [0] raises IndexError on an empty room
    list_messages_json = response.json()
    list_messages = list_messages_json['items']
    last_message = list_messages[0]['text']
    last_user_email = list_messages[0]['personEmail']
    return last_message, last_user_email
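The function above returns whatever the newest message says, whoever posted it. For an approval step that gates firewall and routing changes, the decision has to be keyed on `personEmail`, which Webex fills in from the authenticated poster, checked against an allow-list the application owns, and a requester must not be able to approve their own request. The following is an added example, not the session's code: the message items, the approver list, the `WEBEX_TOKEN` environment variable name and the example.com addresses are assumptions, and the item order (newest first) follows the page's own parsing of `items[0]`.

```python
import ipaddress
import os

# Constructed /messages response in the shape the page's function parses,
# newest item first: the vendor tries to approve their own request (item 0);
# the real approval is item 1; the original request is item 2.
MESSAGES = {"items": [
    {"text": "approve", "personEmail": "vendor@example.com"},
    {"text": "Approve", "personEmail": "netops-approver@example.com"},
    {"text": "Please grant access to 10.93.140.35", "personEmail": "vendor@example.com"},
]}

# Who may approve: an allow-list the application owns, not something read from the room
APPROVERS = {"netops-approver@example.com"}


def webex_auth_header():
    """Bearer token from the environment, so it is never committed with the code."""
    token = os.environ.get("WEBEX_TOKEN")   # assumed variable name for the example
    if not token:
        raise RuntimeError("WEBEX_TOKEN is not set")
    return {"content-type": "application/json", "authorization": "Bearer " + token}


def parse_access_request(text):
    """Return the IP-enabled device address named in a request, or None."""
    for word in text.replace(",", " ").split():
        try:
            ip = ipaddress.IPv4Address(word)
        except ipaddress.AddressValueError:
            continue
        if not (ip.is_loopback or ip.is_multicast or ip.is_unspecified):
            return str(ip)
    return None


def find_approval(messages_json, approvers, requester):
    """Return the approver's email if an allowed approver other than the requester posted 'approve'.

    The decision is made on personEmail, which Webex sets from the
    authenticated poster, never on the message text alone.
    """
    allowed = {a.lower() for a in approvers}
    for item in messages_json.get("items", []):
        text = item.get("text", "").strip().lower()
        sender = item.get("personEmail", "").lower()
        if text not in ("approve", "approved"):
            continue
        if sender == requester.lower() or sender not in allowed:
            continue   # self-approval and unknown senders are ignored
        return sender
    return None
```

With the constructed messages, `find_approval(MESSAGES, APPROVERS, "vendor@example.com")` skips the vendor's own "approve" and returns the NetOps approver; with an empty approver set it returns None, so the workflow would not proceed.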
Webex Teams API Response
Retrieve the last message and user info from the room with {room_id}
Cisco DNA Center APIs Functions
Cisco DNA Center Used Capabilities
Cisco DNA Center API Request
Retrieve all the information for the device with the Cisco DNA C {device_id}
    # Parsing JSON
    device_info = device_response.json()
    return device_info['response']
Cisco DNA Center API Response
Retrieve all the information for the device with the Cisco DNA C {device_id}
Response body:
"response": [
  {
    "type": "Cisco Catalyst 9300 Switch",
    "role": "ACCESS",
    "lastUpdated": "2018-01-30 05:37:24",
    "macAddress": "2c:ab:eb:37:c3:00",
    "serialNumber": "FCW2123L0N3",
    "softwareVersion": "16.6.1",
    "hostname": "NYC-9300",
    "softwareType": "IOS-XE",
    "upTime": "53 days, 10:15:04.14",
    "managementIpAddress": "10.93.130.21",
    "reachabilityStatus": "Reachable",
    ………
  }
]
Cisco DNA Center Platform and Assurance
• Configuration using Cisco DNA Center Platform APIs – template editor
• Customize templates for the IP-D location
• Upload, or update, CLI templates from text files
• Deploy CLI template to the layer 3 Catalyst 9300 access switch
• Deploy CLI template to the DC CSR1000v
• Get CLI deployment job status
• Cisco DNA Center Assurance APIs:
• Device Synchronization, Cisco DNA Center Path Trace
• As a result – a GRE tunnel will be provisioned, routing configured to
allow reachability only from DMZ VDI host to only IP-D host
IOS XE APIs Functions
Open IOS XE Operational Data
RESTCONF Request
Get the operational data for the interface with the name {interface}
RESTCONF Response
Get the operational data for the interface with the name {interface}
Response body:
{
  "name": "Tunnel201",
  "type": "iana-if-type:tunnel",
  "admin-status": "up",
  "oper-status": "up",
  "last-change": "2018-06-05T00:52:00.000142+00:00",
  "if-index": 8,
  "phys-address": "00:00:00:00:00:00",
  "speed": 102400,
  "statistics": {
    "discontinuity-time": "2018-05-18T01:25:47.000868+00:00",
    "in-octets": 5106881043,
    "in-unicast-pkts": 27845535,
    "in-unknown-protos": 0,
    "out-octets": 1830179621,
    "out-unicast-pkts": 18592521,
    …
  }
}
ASAv API Functions
ASAv – Security Configuration
• We will need these operations:
  • Find out the inbound Access Control List id for the outside interface
  • Insert a new ACL entry to allow data traffic from the DMZ VDI to the IP-enabled device IP address
  • Delete the ACL entry (ACLE) at the end of the de-provisioning
• API Docs - https://asa_ip_address/doc/
• The ASA REST API requires an agent to be downloaded, installed and enabled
• Agents are available for both physical and virtual ASAs (ASAv)
ASAv – API Request
Retrieve existing ACL id for the {interface_name}
import requests

def get_asav_access_list(interface_name):
    """
    Find out the existing ASAv interface Access Control List
    Call to ASAv - /api/access/in/{interfaceId}/rules
    :param interface_name: ASA interface_name
    :return: Access Control List id number
    """
    # Docstring above: build code documentation using PyDoc
    # URL
    url = ASAv_URL + '/api/access/in/' + interface_name + '/rules'
    # Headers (the response format is requested with the standard Accept header)
    header = {'content-type': 'application/json', 'accept': 'application/json'}
    # Method: GET with HTTP Basic authentication; verify=False is for the lab only
    response = requests.get(url, headers=header, verify=False, auth=ASAv_AUTH)
    # Parsing JSON: objectId of the first entry returned
    acl_json = response.json()
    acl_id_number = acl_json['items'][0]['objectId']
    return acl_id_number
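Added example, not the session's code, for the insert and delete steps listed in the ASAv section. It builds the ACE body with the same kind/value structure the response below shows, restricts the source to an assumed DMZ VDI subnet and both endpoints to single host addresses, and finds the objectId of the entry to remove by matching the source/destination pair rather than taking `items[0]`, which is simply the first rule on the interface. The sample rules, the 172.16.203.0/24 DMZ network and the `permit`/`active`/`position` field names in the insert body are assumptions.

```python
import ipaddress

# Constructed /api/access/in/{interfaceId}/rules answer, modelled on the page's
# response: the first item is the one shown on the slide, the second is the ACE
# this workflow would have inserted for an IP-enabled device
RULES = {"items": [
    {"objectId": "3677916132",
     "sourceAddress": {"kind": "IPv4Address", "value": "172.16.203.50"},
     "destinationAddress": {"kind": "IPv4Address", "value": "172.16.41.55"},
     "sourceService": {"kind": "NetworkProtocol", "value": "ip"},
     "destinationService": {"kind": "NetworkProtocol", "value": "ip"}},
    {"objectId": "1122334455",
     "sourceAddress": {"kind": "IPv4Address", "value": "172.16.203.50"},
     "destinationAddress": {"kind": "IPv4Address", "value": "10.93.140.35"},
     "sourceService": {"kind": "NetworkProtocol", "value": "ip"},
     "destinationService": {"kind": "NetworkProtocol", "value": "ip"}},
]}

# Assumed DMZ VDI subnet: the only place a remote-access source may come from
DMZ_VDI_NET = ipaddress.IPv4Network("172.16.203.0/24")


def build_ace(src_ip, dst_ip, service="ip", position=1):
    """Body for inserting one ACE that allows src_ip -> dst_ip and nothing else.

    Both addresses must parse as single hosts, and the source must sit inside
    the DMZ VDI network; a stray /24 or an address outside the DMZ is rejected
    here, before anything reaches the firewall.
    """
    src = ipaddress.IPv4Address(src_ip)       # raises ValueError on bad input
    dst = ipaddress.IPv4Address(dst_ip)
    if src not in DMZ_VDI_NET:
        raise ValueError(f"source {src} is not in the DMZ VDI network")
    return {
        "sourceAddress": {"kind": "IPv4Address", "value": str(src)},
        "destinationAddress": {"kind": "IPv4Address", "value": str(dst)},
        "sourceService": {"kind": "NetworkProtocol", "value": service},
        "destinationService": {"kind": "NetworkProtocol", "value": service},
        # assumed field names for the insert body; the page shows only the read side
        "permit": True,
        "active": True,
        "position": position,
    }


def find_ace_ids(rules_json, src_ip, dst_ip):
    """objectIds of the rules matching exactly this src/dst pair.

    De-provisioning must delete the entry inserted for this request, not
    items[0]; normalising both addresses first avoids a string-format mismatch.
    """
    src = str(ipaddress.IPv4Address(src_ip))
    dst = str(ipaddress.IPv4Address(dst_ip))
    return [
        rule["objectId"]
        for rule in rules_json.get("items", [])
        if rule.get("sourceAddress", {}).get("value") == src
        and rule.get("destinationAddress", {}).get("value") == dst
    ]
```

When the timer expires, `find_ace_ids` should return exactly one id for the request's pair; zero means the entry is already gone, more than one means the insert was repeated and every copy has to be removed, and both cases are worth recording in the ServiceNow incident.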
ASAv – API Response
Retrieve existing ACL id for the {interface_name}
{
"items" : [
{
"destinationService" : {
"kind" : "NetworkProtocol" ,
"value" : "ip"
} ,
"destinationAddress" : {
"kind" : "IPv4Address" ,
"value" : "172.16.41.55"
} ,
"sourceAddress" : {
"kind" : "IPv4Address" ,
"value" : "172.16.203.50"
} ,
"objectId" : "3677916132" ,
"sourceService" : {
"kind" : "NetworkProtocol" ,
"value" : "ip"
ServiceNow APIs Functions
[Flowchart: ERNA workflow. Provisioning: ERNA Application Start, DNS Lookup, DC Workflow Initiated, ASAv Config, ServiceNow Incident, Timer Started. De-provisioning: Timer Expired, DC Workflow Initiated, ASAv Config, ServiceNow Update, Activity Log.]
ServiceNow Integration
• Integration with IT Service Management (ITSM) to record:
• Log requests for access and approval info
• Configuration changes to switches, routers, DC and firewalls
• CLI templates deployment status
• Validation:
• Path Trace, operational data
• De-provisioning status
• Use ServiceNow:
• REST APIs
• SDKs and Cloud Integrations
ServiceNow API Request
Create new incident using the description, comments, user, password and severity

    incident_json = response.json()
    # Parsing JSON: the new incident number is under "result" in the response body
    return incident_json['result']['number']
ServiceNow API Response
Create new incident using the description, comments, user, password and severity

Response Body:
{
  "sys_created_by": "IOSXE",
  "number": "INC0010313",
  "impact": "3",
  "priority": "4",
  "sys_id": "5d6bad014f2213004419ff6f9310c7c0",
  "opened_at": "2018-06-05 15:25:06",
  "short_description": "ERNA Execution",
  "caller_id": {
    "link": "https://dev23452.service-now.com/api/now/table/sys_user/d0e8467d4f...",
    "value": "d0e8467d4f191300…"
  },
  "active": "true",
  "approval": "not requested",
  "parent_incident": "",
  "sys_domain_path": "/",
  "hold_reason": "",
  "activity_due": "",
  "severity": "3",
}
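Only the tail of the create-incident function appears on the request slide. The block below is an added example, not the deck's or the ERNA repository's code, showing the whole exchange with the standard library: it builds the POST to the ServiceNow Table API incident endpoint (/api/now/table/incident, with the standard short_description, comments and severity fields, which are assumptions about the instance's configuration), sends the credentials as HTTP Basic auth without ever writing the password to a log, and parses the response body shown above (trimmed to the fields read, with the slide's incident number and sys_id). The network transport is injectable, so the request construction and parsing can be exercised against a canned response with no instance available; the instance hostname is a placeholder.

```python
import base64
import json
import urllib.request

# Constructed sample: the response body from the slide, trimmed to the fields read here.
SAMPLE_SNOW_RESPONSE = json.dumps({
    "result": {
        "sys_created_by": "IOSXE",
        "number": "INC0010313",
        "sys_id": "5d6bad014f2213004419ff6f9310c7c0",
        "short_description": "ERNA Execution",
        "severity": "3",
    }
})


def incident_payload(description, comments, severity):
    """Fields sent to the incident table (assumed standard Table API field names)."""
    return {
        "short_description": description,
        "comments": comments,
        "severity": str(severity),
    }


def build_incident_request(base_url, user, password, description, comments, severity):
    """Build the POST for /api/now/table/incident with HTTP Basic authentication.
    base_url is the instance, e.g. https://devNNNNN.service-now.com (placeholder)."""
    url = base_url.rstrip("/") + "/api/now/table/incident"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": "Basic " + token,
    }
    body = json.dumps(incident_payload(description, comments, severity)).encode()
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def parse_incident_response(raw_body):
    """Return (number, sys_id); raise a descriptive error on an unexpected body
    (e.g. an HTML login page) instead of a bare KeyError deep in the workflow."""
    data = json.loads(raw_body)
    result = data.get("result")
    if not isinstance(result, dict) or "number" not in result:
        raise ValueError("unexpected ServiceNow response: " + raw_body[:200])
    return result["number"], result.get("sys_id")


def _default_transport(request):
    # urlopen keeps TLS certificate validation enabled by default
    with urllib.request.urlopen(request) as resp:
        return resp.read().decode()


def create_incident(base_url, user, password, description, comments, severity,
                    transport=_default_transport):
    """Create the incident and return its number. The transport is injectable so
    the request and parsing logic can be tested offline."""
    request = build_incident_request(base_url, user, password, description, comments, severity)
    # Log the request, never the Authorization header
    print("POST", request.full_url)
    raw = transport(request)
    number, _sys_id = parse_incident_response(raw)
    return number


if __name__ == "__main__":
    def canned_transport(request):
        return SAMPLE_SNOW_RESPONSE

    print(create_incident("https://devNNNNN.service-now.com", "erna", "secret",
                          "ERNA Execution", "Provisioning started", 3,
                          transport=canned_transport))
```

The incident number returned here is what the slide's function hands back, and the sys_id is what later update and close calls need, so both are parsed in one place.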
ERNA - APIs Summary
• Webex Teams
• Create and delete spaces
• Read and post messages
• Find the identity of users posting messages
• Membership – invite new members to room
• RESTCONF
• Check CSR 1000V DC router operational data for the interface Tunnel
• ASAv
• Retrieve existing ASA access list for an interface
• Insert a new access control list entry
• Delete the inserted access control list entry
• ServiceNow
• Create incident, update incident, post comments, close incident
• Others – working with files and strings, logging to files, debugging, regular expression pattern matching, DC automation (UCSD – execute workflows)
Agenda
• Programmability? Why?
• Coding Essentials
• Programmability Use Case
• Remote Access Overview
• Elastic Remote Network Access (ERNA)
• Architecture
• Implementation
• Flowchart
• Smart Configurations
• Utilized APIs
• Demo
• Lessons Learned
• 90 Minutes to Your Application
• Summary
Disclaimer
• The sample code in this presentation is intended for learning and educational purposes only
• The application was created with the goal of ease of understanding
• Software is written based on assumptions that may not apply in your environment
• It is not intended for use in any production environment without significant testing, validation and re-write to meet your Enterprise Application Development Policies
ERNA
Pre-Recorded Demo
Provisioning
[Flowchart: ERNA workflow, provisioning path highlighted. Provisioning: ERNA Application Start, DNS Lookup, DC Workflow Initiated, ASAv Config, ServiceNow Incident, Timer Started. De-provisioning: Timer Expired, DC Workflow Initiated, ASAv Config, ServiceNow Update, Activity Log.]
De-Provisioning
[Flowchart: ERNA workflow, de-provisioning path highlighted. Provisioning: ERNA Application Start, DNS Lookup, DC Workflow Initiated, ASAv Config, ServiceNow Incident, Timer Started. De-provisioning: Timer Expired, DC Workflow Initiated, ASAv Config, ServiceNow Update, Activity Log.]
ERNA Python code
• The use case code may be found here: https://github.com/zapodeanu/BRKSDN-2935-Barcelona-2019
• The application is written in Python
• CLI templates are text files
• The Python modules used
• This code is shared for lab use and learning only
Agenda
• Programmability? Why?
• Coding Essentials
• JSON and XML
• YANG, NETCONF, RESTCONF
• REST APIs
• Python
• API Docs
• Programmability Use Case
• Remote Access Overview
• Elastic Remote Network Access (ERNA)
• Lessons Learned
• 90 Minutes to Your Application
• Summary
Lessons Learned
How to Get Started in 90 Minutes?
Your Development Environment
Learn about APIs
• DevNet Express Events
• DevNet learning tracks and labs
• API documentation
• APIs provide “Try it” features
https://developer.cisco.com/events/
Postman
• Postman - REST API client
• Learning and troubleshooting
• Generate code option
Operating System Choices
• Mac OS X, Linux, Windows – they will all work well
• Some advantages for Mac OS X, or Linux
• Isolation between your Python environments and your OS:
• OS upgrades – what is the impact on your Python environment?
• What will your Python packages change in your OS?
• Do you need different Python package versions for your applications?
• Python virtual environments – easy to configure, highly recommended
Operating System Choices - Continued
• Virtual machines:
• Ubuntu – free, easy to install
• Avoid some OS limitations (SSL versions)
• Will consume CPU/Memory
• Will need virtualization software
• Containers:
• Light, very easy to get started
• Application portability
• App Hosting and Guest Shells:
• IOS XE
Programming Languages
Resources to Get Started with Python
• Cisco Learning Network:
• Programming for Network Engineers (PRNE), e-Learning
• Network Programmability Specialists:
• Design or Developer Engineer
• Courses and Cisco Certifications
• Cisco DevNet
• Introductory Python and XML/JSON learning modules and labs
• The Hitchhiker’s Guide to Python!
• Pluralsight, Codecademy, Coursera, …
Text editors and Integrated Development Environments
• Text editors – all of them will work for writing Python code
• Advanced text editors will make your life easier:
• Atom, Sublime, Notepad++, TextMate …
• Integrated Development Environments (IDEs):
• Improve your code quality and productivity
• Code inspection and refactoring
• Will integrate with version control systems (VCS), virtual environments, package updates, debugging, error correction
• PyCharm, Eclipse, VIM, Wing IDE, Spyder Python
JSON and/or XML

JSON:
{
  "ipv4Address": "172.16.11.11",
  "ipv4Mask": "255.255.255.0",
  "portName": "GigabitEthernet1",
  "description": " TO_vSWITCH0",
  "status": "up",
  "adminStatus": "UP",
  "id": "7c274222-4329-47bd-b516-6c32510"
  ...
}

XML:
<interface>
  <name>GigabitEthernet1</name>
  <description>TO_vSWITCH0</description>
  <enabled>true</enabled>
  <address>
    <ip>172.16.11.11</ip>
    <netmask>255.255.255.0</netmask>
  </address>
</interface>

REST APIs and RESTCONF support JSON and XML, NETCONF supports only XML
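Both documents on this slide describe the same interface, one in the REST/RESTCONF JSON style and one in the NETCONF XML style. As an added example (not code from the deck), the block below parses each representation with the standard library into one common shape, so application logic can be written once whichever encoding an API returns. The two sample documents are constructed from the slide's values; the leading space in the JSON description on the slide is kept deliberately to show why the fields are normalised before comparison, and the field mapping (portName to name, adminStatus to enabled) is an assumption for this illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed samples modelled on the slide's two representations of one interface.
INTERFACE_JSON = """
{
  "ipv4Address": "172.16.11.11",
  "ipv4Mask": "255.255.255.0",
  "portName": "GigabitEthernet1",
  "description": " TO_vSWITCH0",
  "status": "up",
  "adminStatus": "UP",
  "id": "7c274222-4329-47bd-b516-6c32510"
}
"""

INTERFACE_XML = """
<interface>
  <name>GigabitEthernet1</name>
  <description>TO_vSWITCH0</description>
  <enabled>true</enabled>
  <address>
    <ip>172.16.11.11</ip>
    <netmask>255.255.255.0</netmask>
  </address>
</interface>
"""


def interface_from_json(text):
    """Normalise the REST-style JSON document (assumed field mapping)."""
    data = json.loads(text)
    return {
        "name": data["portName"],
        "description": data["description"].strip(),
        "enabled": data.get("adminStatus", "").upper() == "UP",
        "ip": data["ipv4Address"],
        "netmask": data["ipv4Mask"],
    }


def interface_from_xml(text):
    """Normalise the NETCONF-style XML document into the same shape, failing
    clearly on a wrong root element or a missing leaf instead of returning None."""
    root = ET.fromstring(text)
    if root.tag != "interface":
        raise ValueError("expected <interface> root, got <%s>" % root.tag)

    def leaf(path):
        node = root.find(path)
        if node is None or node.text is None:
            raise ValueError("missing element " + path)
        return node.text.strip()

    return {
        "name": leaf("name"),
        "description": leaf("description"),
        "enabled": leaf("enabled").lower() == "true",
        "ip": leaf("address/ip"),
        "netmask": leaf("address/netmask"),
    }


def same_interface(json_text, xml_text):
    """True when both encodings describe the same interface state."""
    return interface_from_json(json_text) == interface_from_xml(xml_text)


if __name__ == "__main__":
    print(interface_from_json(INTERFACE_JSON))
    print(interface_from_xml(INTERFACE_XML))
    print("same interface:", same_interface(INTERFACE_JSON, INTERFACE_XML))
```

Normalising at the edge, as done here, keeps the rest of the application independent of whether a device answers over RESTCONF with JSON or over NETCONF with XML.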
Labs
Sandboxes
• DevNet Sandbox:
• Free DevNet Account
• Always-on, or reservation based
• Free, very easy to use and schedule, nothing for you to maintain
• Simulated or physical network equipment
• Available sandboxes: Networking, Catalyst 9k, Cisco DNA Center, Security, Data Center, Collaboration, Meraki, …
Other Labs
• Cisco dCloud:
• Five Data Centers around the world
• Customizable environments
• Enterprise Networking
• Collaboration
• DC
• Security, and more
• You will need a cisco.com account (CCO)
Communities, Resources and Code Repositories
• Cisco DevNet
• Cisco Webex
• Meraki Developers
• GitHub:
• Code hosting platform for version control and collaboration
90 Minutes to Get Started with Programmability
• DevNet, GitHub, Communities: Join Communities, Download Sample Code and Run
• Labs/Sandboxes: DevNet Sandbox, Labs, Learning Tracks, dCloud and Your Lab
• Integrated Development Environment, Text Editor: PyCharm, Eclipse, VIM, Sublime, Atom, Notepad++
• Learn about APIs: DevNet Express, Learning Labs, API docs, Postman
Summary
• Software reuse
• Efficiencies: design once, use many
• High availability: enables effective change control
• Flexibility in services delivery: on-demand, consumer driven
• Pervasive security: all network communications can be mapped to security policies
• Rapid provisioning and decommissioning with full traceability
• Decoupled from physical infrastructure: as long as there is an API exposed
Questions?
Cisco DNA Center Platform – Partner Solutions
Multiple Partners with Cisco DNA Integrations
Including (but not limited to):
• Anyweb
• BlueCat
• BT
• Conscia
• Dimension Data
• IBM
• IsarNet
• Italtel
• LiveAction
• Logicalis
• MicroFocus
• Nefkens Advies
• Orange
Engage at CiscoLive Europe:
• World of Solutions
• EN Booth Partner Village
• Partner Booths
• Technical Seminars
• Breakout Sessions
• Panel Discussion
• Social Events and Reception
https://developer.cisco.com/ecosystem/dnacenter/
Complete your online session survey
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations
Continue Your Education
Thank you