Configuration Management Tools on NX-OS
DEVNET-1075
Abhinav Modi, Technical Marketing Engineer @ Cisco
[email protected] / @abhinav_m
Agenda
• Introduction
• Why do we need Configuration Management Tools?
• Configuration Management Tools on Cisco Nexus Switches
• Puppet and Chef
• Ansible
What problem are we trying to solve?
“I can spin up servers in minutes with my Configuration Management Tool
workflows, why does it take orders of magnitude more to spin up and affect
change on my Network Elements?”
IT Organizations using configuration management tools deploy 30x more
frequently with 200x shorter lead times; they have 60x fewer failures and
recover 168x faster
Data Center Automation and IT Collaboration
Today: Serialized Configuration and Management
[Figure: Application Requirements pass through Compute, Network, Applications and Services, each with its own Configuration Management Tool (CMT), before Successful Deployment; the flow is labelled Slow and Error Prone]
How can these Tools Help?
Network Life Cycle Management Accelerated via CM Tools
• Day 0 (Install): Power on Auto Provisioning (PoAP)
• Day 1 (Configure & Operate): NX-OS Features and Protocols
• Day 2 (Optimize, Compliance): Tcollector on Nexus and Compliance Check
• Day N (Upgrade, Patching): NX-OS Patching
Technology Enablers: NX-API
Enable the feature on the switch:
Switch(config)# feature nxapi
[Figure: a CM tool sends "show clock" over HTTP / HTTPS to the NXAPI Web Server (NGINX) on the switch]
Request:
{
    "jsonrpc": "2.0",
    "method": "cli",
    "params": {
        "cmd": "show clock",
        "version": 1
    },
    "id": 1
}
Response:
{
    "jsonrpc": "2.0",
    "result": {
        "body": {
            "simple_time": "15:00:37.762 PST Mon Aug 18 2014\n"
        }
    },
    "id": 1
}
Technology Enablers: NX-API Sandbox
• Point browser to IP Address of Network Element
• Enter CLI Commands
• Click POST
• See formatted input as you type
• See formatted output in json/xml
• Generate Python script
Sample Script: Get “show version” Data
import sys
import json
import requests

# Lab values from the slide. Over plain HTTP the basic-auth credentials
# cross the network unencrypted; NX-API is also served over HTTPS.
my_headers = {'content-type': 'application/json-rpc'}
url = "http://172.25.91.147/ins"
username = "admin"
password = "ciscotme"

# One JSON-RPC "cli" call that runs "show version"
payload = [{'jsonrpc': '2.0', 'method': 'cli', 'params': ['show version', 1], 'id': '1'}]
my_data = json.dumps(payload)
response = requests.post(url, data=my_data, headers=my_headers, auth=(username, password))

# Pull the fields of interest out of the structured reply
kick_start_image = response.json()['result']['body']['kickstart_ver_str']
system_image = response.json()['result']['body']['sys_ver_str']
host_name = response.json()['result']['body']['host_name']

print("")
print("===============================")
print('host name:' + host_name)
print('kickstart image version :' + kick_start_image)
print('system image version :' + system_image)
print("===============================")

NX-API response:
{
    "jsonrpc": "2.0",
    "result": {
        "body": {
            "bios_ver_str": "2.12.0",
            "kickstart_ver_str": "7.2(0)D1(1) [build 7.2(0)D1(0.437)]",
            "sys_ver_str": "7.2(0)D1(1) [build 7.2(0)D1(0.437)]",
            "bios_cmpl_time": "05/29/2013",
            "kick_file_name": "bootflash:///n7000-s2-kickstart.7.2.0.D1.0.437.bin",
            "kick_cmpl_time": " 3/8/2015 0:00:00",
            "kick_tmstmp": "04/01/2015 07:24:19",
            "chassis_id": "Nexus7000 C7009 (9 Slot) Chassis",
            "module_id": "Supervisor Module-2",
            "cpu_name": "Intel(R) Xeon(R) CPU ",
            "memory": 32744984,
            "mem_type": "kB",
            "proc_board_id": "JAF1746AEPM",
            "host_name": "n7000-1",
            "bootflash_size": 2007040,
            "slot0_size": 0,
            "kern_uptm_days": 39,
            "kern_uptm_hrs": 7,
            "kern_uptm_mins": 4,
            "kern_uptm_secs": 7,
            "rr_reason": "Unknown",
            "rr_sys_ver": "",
            "rr_service": "",
            "manufacturer": "Cisco Systems, Inc."
        }
    },
    "id": 1
}

Script output:
===============================
host name: n7000-1
kickstart image version : 7.2(0)D1(1) [build 7.2(0)D1(0.437)]
system image version :7.2(0)D1(1) [build 7.2(0)D1(0.437)]
===============================
Sample Script: Add Vlan using NXAPI
# Requests Python module
import requests
import json

# Get IP address of switch
print("enter ip address")
ip = input()
print("enter vlan to be configured")
vlanId = input()

myheaders = {'content-type': 'application/json-rpc'}
# URL of switch
url = "http://" + ip + "/ins"
username = "admin"
password = "ciscotme"

# Payload: conf t, vlan <id>, exit
# (vlanId is placed in the CLI string exactly as typed)
payload = [
    {"jsonrpc": "2.0", "method": "cli", "params": {"cmd": "conf t", "version": 1}, "id": 1},
    {"jsonrpc": "2.0", "method": "cli", "params": {"cmd": "vlan " + vlanId, "version": 1}, "id": 2},
    {"jsonrpc": "2.0", "method": "cli", "params": {"cmd": "exit", "version": 1}, "id": 3},
]
response = requests.post(url, data=json.dumps(payload), headers=myheaders, auth=(username, password)).json()
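A hardened variant of the Add Vlan script, added here as an example and not part of the original slides: it validates the VLAN ID before it reaches the CLI string, posts over HTTPS with certificate verification, reads credentials from the environment, and reports which commands of the batch the switch rejected. The function names and the NXAPI_USER / NXAPI_PASS variable names are assumptions, and the sample replies are constructed.

```python
import json
import os
import re

NXAPI_HEADERS = {"content-type": "application/json-rpc"}


def build_vlan_batch(vlan_id):
    """Build the conf t / vlan <id> / exit batch, refusing anything but a VLAN number."""
    text = str(vlan_id)
    # Whole-string match: extra words or line breaks never reach the CLI string.
    if not re.fullmatch(r"[0-9]{1,4}", text) or not 1 <= int(text) <= 4094:
        raise ValueError("VLAN ID must be an integer from 1 to 4094")
    cmds = ["conf t", "vlan %d" % int(text), "exit"]
    # Unique ids let each reply be matched back to its command.
    return [{"jsonrpc": "2.0", "method": "cli",
             "params": {"cmd": cmd, "version": 1}, "id": i}
            for i, cmd in enumerate(cmds, start=1)]


def failed_commands(batch, replies):
    """Return {id: command} for every JSON-RPC reply that carries an 'error' member."""
    if isinstance(replies, dict):  # a lone reply object instead of a list
        replies = [replies]
    cmd_by_id = {req["id"]: req["params"]["cmd"] for req in batch}
    return {r["id"]: cmd_by_id.get(r["id"]) for r in replies if "error" in r}


def add_vlan(host, vlan_id, ca_bundle=True):
    """Send the batch over HTTPS; credentials come from the environment (assumed names)."""
    import requests  # third-party; imported here so the helpers above run without it
    batch = build_vlan_batch(vlan_id)
    auth = (os.environ["NXAPI_USER"], os.environ["NXAPI_PASS"])
    resp = requests.post("https://%s/ins" % host, data=json.dumps(batch),
                         headers=NXAPI_HEADERS, auth=auth,
                         verify=ca_bundle, timeout=10)
    resp.raise_for_status()
    return failed_commands(batch, resp.json())


if __name__ == "__main__":
    # Constructed replies: "conf t" and "exit" accepted, the vlan line rejected.
    sample = [{"jsonrpc": "2.0", "result": None, "id": 1},
              {"jsonrpc": "2.0", "error": {"code": -32602, "message": "Invalid params"}, "id": 2},
              {"jsonrpc": "2.0", "result": None, "id": 3}]
    print(failed_commands(build_vlan_batch("20"), sample))
```

Pass a CA bundle path as `ca_bundle` when the switch certificate is signed by an internal CA.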
NX-API: Sample Use Cases
• Data Collection and Display: Resources, Interface Statistics
• Switch Configuration and Feature Provisioning
• Consistency Checks: Cable Plan, VLAN, vPC
Configuration Management Tools
What if you wanted to do the same task..
• On multiple switches, or subset of switches..
• In Parallel…
• Automatically…
Configuration Management Tools help by ..
• DevOps: Applying IT Tools to Network Management
• Manage multiple devices and the automation around it
• Repeatable, Granular Tasks
• Crowd Sourced Scripts, modules
• Dashboards for monitoring and ease of use
Configuration Management Software
Agent v/s Agent-less Architecture
[Figure, two panels: "Agent based Configuration Management Tools" and "Agent-less Configuration Management Tool"; labels: Server, Client, Cisco UCS, Cisco Nexus Fabric, legend "= Agent"]
• Agent based CM are “pull based”
  • Agent on managed device connects with master for config information periodically
  • Changes made on master are pulled down and executed
• Agent-less CM are “push based”
  • CM scripts are run on the master
  • Scripts connect to the managed device and execute the tasks
  • No timer, control lies with the master
  • Ansible is agent-less
All CM tools provide
• Audit logging of change
• Concept of no-op runs
Puppet/Chef
Puppet and Chef Overview on Cisco Nexus: Terminology
| Puppet | Chef | Meaning |
| Ruby like DSL | Ruby | |
| Manifest | Recipe | A collection of resource types representing customer intent |
| Module | Cookbook | Self contained bundle of code and data |
| Facter | Ohai | Software discovering runtime state on agent node |
| Agent | Client | Software interacting with server to obtain configuration |
| Type | Type | Definition of managed objects |
| Provider | Provider | Implementation of tasks on objects |
Puppet and Chef Overview on Cisco Nexus: Solution Overview
[Figure: architecture diagram. Server: Cisco Puppet/Chef Module, Cisco Utilities, Customer Intent. Switch: Cisco Puppet Agent/Chef Client, Cisco Resource & Provider, Cisco Utilities (Provider Utility GEM, NXAPI Utility GEM) on the NXOS Root FS and Kernel (WRL5), with VSH (CLI) and NXOS Services. Puppet Agent/Chef Client with Puppet/Chef Module also shown on CentOS, RHEL and Cisco WRL5. Sources: Puppet/Chef Agent Repository, Resource & Provider Repository, Cisco Foundational Utilities, rubygems.org]
Typical Master Workflow
• Configure Server
• Install Modules
• Define Customer Intent
• Install Agent/Client
Provisioning Tool
Beaker Based Tool / Chef Provisioner
Puppet: yum.puppetlabs.com
Chef: xxx.chef.io
Puppet: forge.puppetlabs.com
Chef: supermarket.chef.io
NX-OS Chef/Puppet
[Figure: Puppet/Chef Master Server with the Cisco Puppet/Chef Module; Linux Software Repository Server (Yum/RPM install of puppet/chef.rpm); on NX-OS, the Cisco Puppet/Chef Agent as a Native Linux Service (/etc/init.d/puppet.d & chef.d), with NX-API]
• Puppet Agent RPM available on Github/Puppetforge
• Install Cisco Puppet Module on Puppet Master
• Switch Agent will poll Puppet/Chef Master for updated catalog/cookbooks and attempt to converge switch to desired state
Use Case: Day 1 Provisioning
Day 1 – Configure and Operate
BRINGING NETWORK INTO OPERATIONAL STATE
• Automate Network Configuration. Eliminate Human Error
• Accelerate Service Deployment with Validation
• Cisco Nexus Configuration (VLAN, SVI, OSPF, BGP, monitoring) based on Spine/Leaf Role
[Figure: manifests (VLAN, SVI, BGP) and the steps Get Current State, Delta to Desired State, Apply Changes to Config, Validate and Enable]
Use Case: Day-N Patching
Day N – Upgrade, Patching
DYNAMICALLY UPGRADING YOUR NETWORK
• Eliminate Complex CLI and long wait times
• Dynamically Patch Network Switches
• Reliable and Fast
[Figure: manifests and the steps Version Check, Configure Patch, Apply Patch, Verify and Report; labels BGP1.0 and BGP2.0]
Chef and Puppet Agent: Types/Provider Support
• Supported Agent Types/Providers for Nexus 3k/7k/9k (soon on Nexus 5/6k)
• Cisco Network Element Chef/Puppet module code published on Git and Forge/Supermarket
• Agent is extensible beyond what we support by default by using the utility classes OR:
• Agent is also extensible by embedding CLI using cisco_command_config resource construct
Chef/Puppet Agent Types/Providers
cisco_vtp
cisco_tacacs_server
cisco_tacacs_server_host
cisco_snmp_server
cisco_snmp_community
cisco_snmp_group
cisco_ospf
cisco_ospf_vrf
cisco_vlan
cisco_bgp
cisco_bgp_vrf
cisco_interface
cisco_interface_ospf
cisco_interface_vlan
Type/Provider Roadmap:
VXLAN EVPN – Q1CY16
Virtual Port Channel – Q2CY16
Segment Routing – Q3CY16
Ansible
Ansible
• Agentless
• Support for multiple scripting languages
• Orchestration
• Simplicity
• Human Readable Files (YAML)
Ansible Playbook
---
- hosts: webservers
  vars:
    http_port: 80
    max_clients: 200
  remote_user: root
  tasks:
  - name: ensure apache is at the latest version
    yum: name=httpd state=latest
Callouts on the slide:
• File with the list of target servers
• Module
• Arguments to the module
Configure a Server with Ansible
• Ansible engine runs on a server
• Playbooks, Inventory present on this server
• Only requirement on Managed Node: SSH and Python
• Push model
• When a Playbook is executed:
  • Ansible SSHes into the managed device
  • Copies a Python script to /tmp
  • Python script gets locally executed on the managed device
[Figure: Ansible Orchestration Engine (Modules, Playbooks, APIs, Libraries) reaching Compute via ssh]
Configure a Nexus Switch with Ansible
• Install the nxos-ansible Ansible library, and the pycsco Python module
• When Ansible processes the playbook, it uses nxos-ansible to convert the modules to Cisco CLI
• Then those CLIs are sent to the switch via NX-API, using pycsco
  • https://github.com/jedelman8/pycsco
  • https://github.com/jedelman8/nxos-ansible
• No need for Python on the switch – just enable the NX-API feature
[Figure: Ansible Orchestration Engine (Modules, Playbooks, APIs, Libraries) reaching Compute via ssh and the Cisco network device via NXAPI]
Use Case: Operational Data Collection
Gather Operational Data
• Summary
  • Gather operational data from multiple switches
• Description
  • Playbook to gather show version, related information from all nodes listed in inventory file
  • Dump the gathered information to different files, each named after the switch hostname
• Script: https://github.com/datacenter/nxos/blob/master/ansible/nexus_get_facts.yml
Use Case: Provisioning a VXLAN Fabric
Provisioning is a 2-step process: the Underlay and then the Overlay
(1) VXLAN Underlay
[Figure: Edge Devices with IP Interfaces; Local LAN Segments with Physical Hosts; a Virtual Switch with Virtual Hosts]
(2) VXLAN Overlay
[Figure: the same topology with a VTEP at each edge and Encapsulation between VTEPs]
VTEP – VXLAN Tunnel End-Point
VNI/VNID – VXLAN Network Identifier
Here’s how we do it with Ansible…
We use Ansible’s “Role” Feature ..
Leaf Role
  Underlay
  1. IP address + Loopback + IGP on all links between spine and leaf
  2. Enable Multicast
  Overlay
  1. Configure VNIs and Associate with VLANs
  2. Configure SVIs
  3. Configure VRFs
  4. Configure BGP EVPN Neighbors (Spines)
  5. Configure NVE Interface
Spine Role
  Underlay
  1. IP address + Loopback + IGP on all links between spine and leaf
  2. Enable Multicast and Anycast RP
  3. Enable IGP for this RP
  Overlay
  1. Configure BGP Route Reflector
Playbook available at: https://github.com/abhinavmodi/nxos-ansible/tree/master/provision-dc
Snapshots of the Playbooks
Ansible 2.0 just released !!
• Module to connect to Cisco switches now a core Ansible module
• Part of the Ansible 2.0 Codebase and supported by Ansible
• Can connect to Nexus switches using
  • NX-API
  • SSH
• Watch out for Ansible 2.0 samples with Nexus soon, at http://github.com/datacenter/nxos
New features introduced in Ansible 2.0
• New Nexus Core Modules: nxos_config, nxos_command and nxos_template
• Support for different transports: SSH and NX-API
New features introduced in Ansible 2.0: Sample Playbook
Putting it all Together
Key Takeaways
• Configuration Management Tools can be used for Networking as well.
• NX-OS supports Puppet, Chef and Ansible
• More features are being supported by each tool in each release
• Evaluate these tools and get started with some monitoring, provisioning tasks
Additional Resources
• Getting started with Python
  • codeacademy.org, MOOCs (Coursera)
• Github
  • https://github.com/datacenter/nxos (Scripts used in this session are posted here)
  • https://github.com/datacenter/nexus9000
  • https://github.com/datacenter/nexus7000
• NX-API DevNet Community - https://developer.cisco.com/site/nx-api/
Call to Action
• Visit the World of Solutions for
• Cisco Campus – Programmability Booth for Demos
• Walk in Labs – LABNMS-1023 Covering Basics of NX-API and Ansible
• DevNet Booths on Enterprise Device Programmability, Puppet and Chef
• VIRL in Devnet Area
• Keep a watch on https://github.com/datacenter/nxos for more examples around these technologies