Devnet 1077mclaughlin 160301215127 PDF


Automating with NX-OS - Let's Get Started


Jeff McLaughlin, Principal TME
jemclaug@cisco.com, @ccie14023
Agenda
• Introduction to Automating Nexus
• Power on Auto Provisioning
• Python
• EEM
• NX-API
• Configuration Management Tools
• Netconf
• XMPP
• Conclusion
Nexus Product Portfolio
10G / 40G / 100G
10G / 40G (ACI)
Nexus 2000, Nexus 3000, Nexus 5000/6000, Nexus 7000, Nexus 9000
• 2000-series (FEX) inherits automation capabilities from parent switch
• 3K/9K have some different features and/or configurations from 5/6/7K.

PowerOn Auto Provisioning (PoAP)
PowerOn Auto Provisioning
• PowerOn Auto Provisioning will do the following:
1. Install the kickstart image
2. Install the system image
3. Copy a configuration to the switch
• PoAP runs if there is no startup config on the switch
• Also can be forced with boot poap enable
• Executes a Python or TCL script

POAP – Bring up your switch…zero touch!
Components: Script Server, DHCP Server, Configuration and Software Server, Default Gateway, Nexus Switch
1. Power up Phase: Start Power On Auto-Provisioning Process
2. DHCP Discover phase: Get IP Address, Gateway, Script server, Script file
3. Download Script file onto the switch and execute the script
4. Download Configuration, License, Software images onto the switch
5. Reboot if needed. Switch up and running the downloaded image and config
Getting a hold of PoAP Scripts
CCO Downloads Page
Look for Kick Start images

PoAP Scripts
Python and TCL

Customizing scripts

• Variables at top of script need to be customized
• Image name, TFTP/SCP server, credentials, etc.
Useful Links for PoAP
Ignite Tool:
https://github.com/datacenter/ignite
Data Center Network Manager:
http://www.cisco.com/c/en/us/products/cloud-systems-management/prime-data-center-network-manager/index.html
Python

Python On-Box
• Execute scripts on a Nexus
• Interpreter or script
• Use CLI modules
• Embedded in EEM

Python Off-Box
• Execute scripts on server
• Use requests module or pycsco module
• Manage multiple devices
Python On-Box support (5-7K)
Nexus supports on-box Python 2.7 in two modes:
Interactive Mode
switch# python
Copyright (c) 2001-2012 Python Software Foundation; All Rights Reserved
switch# >>> print "hello world"
hello world
switch# >>> exit()

Non Interactive (script) Mode
Switch # source crc.py
------------------------------------------------
Started running CRC checker script
finished running CRC checker script
-------------------------------------------------
Switch # dir bootflash:scripts
946 Oct 30 14:50:36 2013 crc.py
7009 Sep 19 10:38:39 2013 myScript.py
22760 Oct 31 02:51:41 2012 poap.py
Python On-Box support (3K/9K)
Nexus supports on-box Python 2.7 in two modes:
Interactive Mode
switch# python
Copyright (c) 2001-2012 Python Software Foundation; All Rights Reserved
switch# >>> print "hello world"
hello world
switch# >>> exit()

Non Interactive (script) Mode
Switch # python crc.py
------------------------------------------------
Started running CRC checker script
finished running CRC checker script
-------------------------------------------------
Switch # dir bootflash:
946 Oct 30 14:50:36 2013 crc.py
7009 Sep 19 10:38:39 2013 myScript.py
22760 Oct 31 02:51:41 2012 poap.py
CLI Interaction with Python (On-Box)
import cisco or from cisco import *
cli: get the result of a cli command as a text string
nx-osv-1# >>> result = cli("show version")
nx-osv-1# >>> print result
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/
<etc, etc>

nx-osv-1# >>> cli("conf t ; interface eth2/1 ; no shut")
''
nx-osv-1# >>> cli("conf t ; int e2/1 ; encapsulation frame-relay")
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
cisco.cli_syntax_error: % Invalid command at '===>' marker:
enc===>apsulation frame-relay

clid: get the result of a cli command as a dictionary
nx-osv-1# >>> result = clid("show version")
nx-osv-1# >>> print result['kickstart_ver_str']
7.2(0)D1(1)

clip: output the result without saving the value
On Box script samples
Go to:
https://github.com/datacenter/nexus7000

cdp_description.py: Auto-generates interface descriptions based on CDP neighbors
crc_checker_n7k.py: Checks interfaces for CRC errors and shuts an interface down when errors exceed a threshold
garp.py: Checks for malformed ARP/GARP packets and dynamically creates an ACL to block offenders
EEM

Embedded Event Manager
• EEM takes certain actions based on triggering events.
• Can also be set to execute on a schedule.

Events (trigger):
• cli
• oir
• temperature
• track
• Etc…

Actions:
• cli
• python
• reload
• syslog
• Etc…
EEM Example – Port Tracking
Config – State Down
event manager applet track_1_18_down
event track 1 state down
action 1 syslog msg "EEM applet track_1_18_down shutting down port eth1/33 as 1/18 went down"
action 2 cli command "conf term"
action 3 cli command "interface ethernet 1/33"
action 4 cli command "shut"

Config – State Up
event manager applet track_1_18_up
event track 1 state up
action 1 syslog msg "EEM applet track_1_18_up bringing up port eth1/33 as 1/18 came up"
action 2 cli command "conf term"
action 3 cli command "interface ethernet 1/33"
action 4 cli command "no shut"
Python integrated with EEM
• Call a Python script as an action in an EEM script!

n7k# conf
n7k(config)# event manager applet link_monitor
n7k(config-applet)# event syslog pattern "IF_UP"
n7k(config-applet)# action 1 cli command "source cdp_description.py"
n7k(config-applet)# exit

This script will automatically add the CDP neighbor to the interface description when an interface comes up
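
Because cli() takes several commands in one " ; "-separated string, a script that puts neighbor-supplied CDP text into that string should restrict it to an allowlist first. The following is an added example, not code from the presentation or from cdp_description.py; the function name, the interface-name pattern and the 80-character limit are assumptions.

```python
import re

# Interface names such as Ethernet1/33 or eth2/1 (assumed naming pattern).
_IFACE = re.compile(r"[A-Za-z][A-Za-z-]*\d+(/\d+){0,2}\Z")
# Allowlist for description text; everything else, including ';', is dropped.
_UNSAFE = re.compile(r"[^A-Za-z0-9._:/() -]")


def _clean(value):
    """Drop characters outside the allowlist and collapse runs of spaces."""
    return re.sub(r" +", " ", _UNSAFE.sub("", value)).strip()


def description_command(interface, neighbor, remote_port, max_len=80):
    """Return the cli() string that sets a description from CDP fields.

    neighbor and remote_port come from the device on the other end of the
    link, so they are treated as untrusted input. max_len is an assumed limit.
    """
    if not _IFACE.match(interface):
        raise ValueError("unexpected interface name: %r" % interface)
    neighbor = _clean(neighbor)
    if not neighbor:
        raise ValueError("neighbor name is empty after sanitizing")
    text = ("to %s %s" % (neighbor, _clean(remote_port))).strip()[:max_len]
    return "conf t ; interface %s ; description %s" % (interface, text)


if __name__ == "__main__":
    # Constructed sample values; on the switch the result would be passed to cli().
    print(description_command("Ethernet1/33", "leaf2.example.net", "Eth1/1"))
```

The code avoids Python 3-only syntax, so it also runs under the on-box Python 2.7 interpreter.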

Useful Links (Python and EEM)
Nexus 7000 GitHub page:
https://github.com/datacenter/nexus7000
Nexus EEM examples:
https://tools.cisco.com/squish/2C58D
On-Box Script Examples:
https://github.com/datacenter/opennxos/tree/master/on-box

NX-API

What is NX-API?
• NX-API Enables Programmatic access to Nexus over HTTP/S
• Runs in one of two modes:
• CLI Wrapper: Single URI; commands sent as CLI
• REST: Model-driven, specific URI

• Enable with “feature nxapi”

[Diagram: client reaches NGINX on the switch over HTTP/S; message formats are JSON-RPC/JSON/XML]
Message Format: XML/JSON/JSON-RPC
Command Box: Enter CLI here
Output: Preview of request, and response
Automatically generating Python

• Sandbox can turn your CLI into Python for you


• Click the “Python” button in the Request box
• Uses Python’s requests module
• Paste into a .py file and you’re good to go!
• Great way for novice Python users to learn

Python example using “requests” module
import sys
import json
import requests

my_headers = {'content-type': 'application/json-rpc'}

# Using CLI wrapper, we always use this same URL
url = "http://172.25.91.147/ins"
username = "admin"
password = "ciscotme"

# Generating payload with JSON-RPC
payload = [{'jsonrpc': '2.0', 'method': 'cli', 'params': ['show version',1], 'id': '1'}]
my_data = json.dumps(payload)

# Send the request
response = requests.post(url, data=my_data, headers=my_headers, auth=(username, password))

# Parse the output
result = response.json()['result']
kick_start_image = result['body']['kickstart_ver_str']
system_image = result['body']['sys_ver_str']
host_name = result['body']['host_name']

print ("")
print ("===============================")
print ('host name:'+ host_name)
print ('kickstart image version: ' + kick_start_image)
print ('system image version: ' + system_image)
print ("===============================")

Output:
tools:~$ python shver.py

===============================
host name:nx-osv-1
kickstart image version: 7.2(0)D1(1)
system image version: 7.2(0)D1(1)
===============================
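
The script above sends a hard-coded password with basic authentication over plain HTTP. The following added example (not code from the presentation or the NX-API sandbox) shows the same JSON-RPC CLI-wrapper call over HTTPS with certificate verification, credentials read from the environment, and JSON-RPC error replies surfaced instead of ignored. The function names, the NXAPI_USER and NXAPI_PASS variable names and the sample reply are assumptions; only the standard library is used.

```python
import base64
import json
import os
import ssl
import urllib.request


def build_request(host, commands, username, password, scheme="https"):
    """Build one JSON-RPC batch for the single CLI-wrapper URI (/ins)."""
    if scheme != "https":
        # Basic auth is only base64; over plain HTTP the password is readable.
        raise ValueError("refusing to send credentials over " + scheme)
    payload = [{"jsonrpc": "2.0", "method": "cli",
                "params": {"cmd": cmd, "version": 1}, "id": i}
               for i, cmd in enumerate(commands, start=1)]
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return urllib.request.Request(
        "https://%s/ins" % host,
        data=json.dumps(payload).encode(),
        headers={"content-type": "application/json-rpc",
                 "Authorization": "Basic " + token},
        method="POST")


def parse_reply(raw):
    """Map request id -> result body; raise on any JSON-RPC error object."""
    replies = json.loads(raw)
    if isinstance(replies, dict):  # a one-command request may return one object
        replies = [replies]
    bodies = {}
    for reply in replies:
        if "error" in reply:
            raise RuntimeError("command id %s failed: %s" % (
                reply.get("id"), reply["error"].get("message")))
        bodies[reply["id"]] = (reply.get("result") or {}).get("body")
    return bodies


def run(host, commands, ca_file=None):
    """Send the batch; credentials come from the environment, not the script."""
    req = build_request(host, commands,
                        os.environ["NXAPI_USER"], os.environ["NXAPI_PASS"])
    ctx = ssl.create_default_context(cafile=ca_file)  # verifies cert and hostname
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_reply(resp.read())


# Constructed sample reply, shaped like the "show version" fields used above.
SAMPLE_REPLY = json.dumps({"jsonrpc": "2.0", "id": 1, "result": {"body": {
    "host_name": "nx-osv-1", "kickstart_ver_str": "7.2(0)D1(1)"}}})
```

With the two environment variables set, run("switch-hostname", ["show version"], ca_file="ca.pem") returns a dictionary keyed by request id; parse_reply(SAMPLE_REPLY) exercises the parser without a switch.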

Python using Pycsco module
• Easy-to-use Python NX-API interface
• No need to use requests module
• Hence, no need to make headers and post requests
• Available at:
https://github.com/jedelman8/pycsco
Example:
>>> from pycsco.nxos.device import Device
>>> from pycsco.nxos.utils.nxapi_lib import *
>>> switch=Device(ip="172.16.1.61",username="admin",password="admin")
>>> get_list_of_vlans(switch)
['1', '104', '105', '106', '110', '120']

Cisco Nexus Object Model
Object classes shown in the diagram: System, BgpEntity, BgpInstance, BgpDomain, BgpPeer, BgpPeerEntry, BgpPeerAf, BgpLocalASN, ethpmPhysIf, ethpmPortCap, L1PhysIf, L1Load, L1StormControl

Globally unique identifier for an object in the database:
sys/bgp/inst/dom-default/peer-[192.168.0.2]
sys/phys-[eth1/1]/phys/portcap

Naming rule on http://developer.cisco.com

Object Based Programmability – BGP Configuration Example

CLI
router bgp 11
router-id 1.1.1.1

POST Request without DME
POST http://Switch-IP/ins {'content-type':'application/json-rpc'}.json()
[
  { "jsonrpc": "2.0",
    "method": "cli",
    "params": {
      "cmd": "config t",
      "version": 1 }, "id": 1 },
  { "jsonrpc": "2.0",
    "method": "cli",
    "params": {
      "cmd": "router bgp 11",
      "version": 1 }, "id": 2 },
  { "jsonrpc": "2.0",
    "method": "cli",
    "params": {
      "cmd": "router-id 1.1.1.1",
      "version": 1 }, "id": 3 }]

POST Request BGP Object with DME
POST http://Switch-IP/api/mo/sys/bgp/inst.json
{ "bgpInst" : {
    "children" : [{
      "bgpDom" : {
        "attributes" : {
          "name" : "default",
          "rtrId" : "1.1.1.1"
        }
      }
    }
    ]
  }
}
Useful Links (NX-API)
• NX-API Guide:
https://tools.cisco.com/squish/da18E7
• NX-API on Github
https://github.com/datacenter/nexus9000/tree/master/nx-os/nxapi

Configuration Management Tools
Configuration Management Tools
• In use for years to automate servers
• Ensure software packages are installed, services running
• Declarative model: not scripting!
• Use to push configurations, install software packages
CM Tool 3K/9K 5-7K

6.1 7.2

7.0 7.3 (New! Feb 2016)

7.0 7.3 (New! Feb 2016)

Puppet and Chef
• Puppet and Chef use a pull model (agent/client pulls from server)
• Agent/client contacts server every 30 mins by default
• Agent/Client lives in LXC container (optionally directly in bash on 3K/9K)
• Cisco modules in Puppet Forge or Chef Supermarket

[Diagram: Puppet Master/Chef Server (Manifests/Cookbooks) and the Agent in an LXC Container on the Nexus, connected over SSL. Nexus sends data and request cfg every 30 mins; Server sends config to switch.]
Puppet and Chef code examples

Puppet:
#Setup VLAN
cisco_vlan {"${vlanid}":
  vlan_name => $vlanname,
  ensure => present
}
#Create VLAN Interface (step2)
cisco_interface { $intfName :
  description => $vlanname,
  shutdown => false,
  ipv4_address => $intf_ip,
  ipv4_netmask_length => $intf_ip_mask,
}

Chef:
cisco_interface 'Ethernet1/1' do
  action :create
  ipv4_address '10.1.1.1'
  ipv4_netmask_length 24
  ipv4_proxy_arp true
  ipv4_redirects true
  shutdown true
  switchport_mode 'disabled'
end

cisco_interface 'Ethernet1/2' do
  action :create
  access_vlan 100
  shutdown false
  switchport_mode 'access'
  switchport_vtp true
end
Ansible
• Ansible uses an agentless push model
• Configuration files (playbooks) use YAML
• Can configure using CLI or NXAPI
• Use nxos-ansible modules, or new Ansible 2.0 modules

[Diagram: Ansible Server (Playbooks) reaches the Nexus over NX-API (HTTP/S, with feature nxapi) or CLI (SSH); no agent. Server sends config when playbook is run.]
Unlike server configuration, Ansible does not execute Python on-box
Ansible code example
tasks:
  # Configure PKL
  - name: Configuring PKL on 7k1
    nxos_vpc: domain=1 pkl_src=172.26.244.91 pkl_dest=172.26.244.81 state=present host=n7k1
  - name: Configuring PKL on 7k2
    nxos_vpc: domain=1 pkl_src=172.26.244.81 pkl_dest=172.26.244.91 state=present host=n7k2
  # Configure port channels
  - name: Configuring Port Channel 1
    nxos_portchannel:
      group: 1
      members: ['Ethernet7/1','Ethernet7/2']
      mode: 'active'
      state: present
      host: "{{ inventory_hostname }}"
  - name: Configuring Port Channel 2
    nxos_portchannel:
      group: 2
      members: ['Ethernet9/1','Ethernet9/2']
      mode: 'active'
      state: present
      host: "{{ inventory_hostname }}"
  - name: Configuring Port Channel 3
    nxos_portchannel:
      group: 3
      members: ['Ethernet9/3','Ethernet9/4']
      mode: 'active'
      state: present
      host: "{{ inventory_hostname }}"
  # Configure VPC peer link
  - name: Configuring VPC peer link
    nxos_vpc_interface: portchannel=1 peer_link=true host={{ inventory_hostname }}
  # Configure VPC for port-channels
  - name: Configuring VPC 2
    nxos_vpc_interface: portchannel=2 vpc=2 host={{ inventory_hostname }}
  - name: Configuring VPC 3
    nxos_vpc_interface: portchannel=3 vpc=3 host={{ inventory_hostname }}
Useful Links (Configuration Management Tools)
• Cisco Puppet Module
https://github.com/cisco/cisco-network-puppet-module
• Cisco Chef Module
https://github.com/cisco/cisco-network-chef-cookbook/
• NX-OS Ansible Modules
https://github.com/jedelman8/nxos-ansible

Netconf

What is NETCONF?
• NETCONF is an IETF standard, RFC 4741
• Used for device management, similar role as SNMP
• Separates Operational and Configuration Data management (show commands v/s config)
• Defines capabilities for managing configuration data
• Candidate buffer for validation of config before commit
• Rollback-on-error

Protocol Stack
Content: Configuration Data
Operations: <get-config>, <edit-config>
Messages: <rpc>, <rpc-reply>
Transport: SSH
NETCONF on Nexus
• Nexus switches support NETCONF
• Network Management Systems can use NETCONF to configure switches
• You can develop tools that take advantage of NETCONF:
• Test NETCONF directly with XMLAgent (ssh x.x.x.x -s xmlagent)
• Use | xmlin (pipe xmlin) to see CLI equivalent in NETCONF
• Use NCClient module in Python

jemclaug-hh14-n7700-2# sh vlan brief | xmlin


<?xml version="1.0"?>
<nf:rpc xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0"
xmlns="http://www.cisco.com/nxos:7.3.0.D1.1.:vlan_mgr_cli" message-id="1">
<nf:get>
<nf:filter type="subtree">
<show>
<vlan>
<brief/>
</vlan>
</show>
(etc, etc, etc..)
Useful Links (NETCONF)
• NX-OS NETCONF using XML agent
https://tools.cisco.com/squish/5Cb9F
• NETCONF Central
http://www.netconfcentral.org/
• NCC Client (NETCONF module for Python)
http://pypi.python.org/pypi/ncclient

XMPP

What is XMPP?

• Extensible Messaging and Presence Protocol (XMPP) is a message-oriented protocol based on XML
• Used in instant messaging clients such as Gtalk, Jabber, Pidgin
• Supported across all Nexus platforms in current releases
• DCNM can be used as XMPP server
• Configure switches with an IM client!

Accessing Devices with XMPP

[Diagram labels: Pidgin User, Python Bot, Entities, Groups, Return Output, Return Value]
XMPP on NX-OS
feature fabric access
! Hostname is used for identification
hostname leaf1
! Required if no DNS for the domain
ip host test-xmpp-server.cisco.com 192.168.1.100

fabric access server dcnm-ova.cisco.com vrf management password 7 xyz
! XMPP chat groups
fabric access group all-nodes leaf-nodes
fabric access ping interval 60 response 10 retry 5

leaf1# show fabric access connections
XMPP Ping :
Status = Enabled
Interval = 60 second(s)
Response = 10 second(s)
Retry = 5 time(s)
XMPP Payload CDATA-Encapsulated : Enabled
Device Connection :
JID = leaf1@test-xmpp-server.cisco.com/(fmgr-device)(TB01010000B)
State = AUTHENTICATED

• JID identifies the host in Jabber
• Host S/N included in JID
XMPP and Python
Writing a python bot
• Accessing NX-OS with Python with xmpppy library - http://xmpppy.sourceforge.net
import xmpp  # XMPP python module

cmd="show vlan\n"
jid="python@test-xmpp-server.cisco.com"  # My JID
pwd="test123"
to="leaf0@dcnm-ova.cisco.com"  # JID of device

jid=xmpp.protocol.JID(jid)

cl=xmpp.Client(jid.getDomain(), debug=[])
cl.connect()  # Connect to XMPP server
cl.auth(jid.getNode(),pwd)
cl.sendInitPresence()  # Send Presence

message=xmpp.Message(to, cmd)  # Create Message
message.setAttr('type', 'chat')

cl.send(message)  # Send Message


Useful Links (XMPP)
• Protocol page:
http://xmpp.org/
• Instructions for using on Cisco devices:
http://blogs.cisco.com/getyourbuildon/xmpp-a-power-tool-in-your-tool-box
• Configuring DCNM XMPP Features:
https://tools.cisco.com/squish/83830

Conclusion

Summary
• The Nexus switching platform can be automated in a number of ways
• PoAP and CM Tools are an easy entry point to NX-OS automation
• Python and NX-API for more advanced users
• Netconf and XMPP for other use cases
• More useful links:
http://developer.cisco.com/
http://opennxos.cisco.com/

Let’s get started! (What do I need to do next?)
1. Set up a lab with a couple of switches, and some virtualization platform.
2. Alternatively, look into VIRL.
3. Use the latest software image available for the latest and greatest features.
4. Download DCNM and experiment with PoAP.
5. Set up a Linux VM for testing off-box Python and CMT.
6. Start with Ansible (agentless), or Chef/Puppet
7. Use sandbox to build Python scripts
Deeper Dives!
• BRKDCT-2459: Programmability and Automation on Cisco Nexus Platforms
Abhinav Modi, Tues 2:15pm (watch the replay!)
• BRKDCT-2025: Maximizing Network Programmability & Automation with Open NX-OS
Nicolas Delecroix, Thurs 2:30pm
• BRKDCT-2024 - Automated Network Provisioning through POAP
Oliver Ziltener, Thurs 2:30pm
• DevNet-1075: Configuration Management Tools on NX-OS
Abhinav Modi, Fri 12:00pm
• Come visit us at the demo booth in World of Solutions!

Thank you
