
Advanced Network Programming and Automation
TECNMS-3601

Joe Clarke
Bruno Klauser
Jason Pfeifer
Nathan Sowatskey
Do you think SDN is just OpenFlow and Datacenter?

Let us explore the wealth of Cisco IOS Network Programming and Automation capabilities
to automate operational tasks, unlock the true power of your network and create sustainable
innovation.

This session provides a combination of theory, real life examples and hands-on lab of
technologies including Cisco One Platform Kit (onePK) APIs, Embedded Event Manager
(EEM), Scripting and other relevant features.

Based on previous deliveries, new and updated content is added.

The topic is relevant for network planners and administrators, engineers and system integrators for both enterprises and service providers.

Welcome Aboard

This Session IS:


• Automating Custom Behavior Inside the Network
• Linking Software Applications and Networks
• Using Network Programming and Automation
• Practical Examples

This Session is NOT:


• An Introduction to NMS Concepts or SDN Basics
• An In-Depth Session on One Single Feature
• Engineering Details of IOS
• NMS applications

TECNMS-3601 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Agenda
Introduction and Overview
• Planning & Design
• Deployment & Activation
• Monitoring & Operations
• Troubleshooting & Optimization
Summary

Agenda
Introduction and Overview
• Software and Application Life-Cycle Methodologies (Waterfall – Iterative – Agile – Continuous)
Summary

Agenda
Introduction and Overview
• Plan
• Prepare
• Design
• Implement
• Operate
Summary

Agenda
Introduction and Overview
Summary

Schedule
9:00 Introduction
Theory Part I
Lab Part I
Theory Part II
Lab Part II
Theory Part III
Lab Part III
18:30 Close

Break Times
11:00 – 11:15 Coffee Break
13:15 – 14:15 Lunch
16:15 – 16:30 Coffee Break

Embracing The Software-Defined Era

Once Upon a Time …

Applications were
• Monolithic
• Directly attached Storage
• Directly connected Terminal
• Local – Mainframe Room
• Static

… More Recently
Myriads of Things and Applications connected by the Network

Applications are
• Distributed, 2-tier, 3-tier, n-tier
• Remote Users
• Remote Storage
• Remote Peers, Sensors, Actors, Sentinels, Satellites, Agents, ...
• Agile, Elastic

[Figure: Offices, Smart Industry, Smart Homes, Smart Agriculture, Smart Car, Smart Health. Growing from Billions to Trillions; Growing from Trillions to Tens of Trillions. Source: Machina Research]

Change is the only Constant

Change is the only Constant – Next Generation of IT

Fast IT

Complexity

Complexity – Not All Complexity is Equal

Source: https://en.wikipedia.org/wiki/Cynefin

Complexity – Actionable Strategies

Complexity – Caveat: Over-Simplification

Einstein

Application Economy and Software-Defined

What's wrong? Why is it slow?

[Figure labels: Orchestration, Security & Compliance, Performance, Visibility & Monitoring, Resource Allocation, Element Management, Controllers, Virtual Services, Infra Security, VM Managers, Point Tools]

Cisco Enterprise ACI

Proliferation of 3 Main Concepts

• Common across ACI approaches
• Enabling capabilities
• Proliferating across domains

Programmable
• ASIC level programmability
• Device level programmability
• Node Agents
• Network APIs and Controller APIs
• ...

Application Centric
• Agents and Controllers
• Cloud-connect Architectures
• Distributed and Embedded Systems
• Peers, Sentinels, Agents
• …

Virtualizable
• Connectivity (Layer 2, 3 and above)
• Network Functions (from Networks and Servers)
• Application Functions (end-to-end path, containers within Network)
• Management Functions

Use Cases and Business Objectives

Cisco Enterprise ACI – 3 Capabilities x 3 Layers (Subset)

[Figure: grid of three layers by three capabilities (Programmable, Application Centric, Virtualizable).]

Layers:
• Applications: Self-* and New Applications; SaaS and Software Driven Integration; Context Awareness; Operations, Business Intelligence
• Controller Layer: Controllers, Analytics, Policy; Management and Orchestration
• Application-Centric Infrastructure: Embedded Automation; Visibility and Control; Intelligence, Manageability

Items named in the grid: Collaboration; Mobility, CMX; SP/DC: Orchestration; apiconsole.cisco.com; Prime; OpFlex; vAF Containers (UCS-E, ISR 44xx, IOX / AirVision, Nexus LXE, ASR (Bento), ...); vNAM, vWAAS, DNS, DHCP, AAA; Puppet; OpenStack Neutron; Cloud Connectors; CSR 1000V; Cisco 5921; EEM; REST; NETCONF; OpenFlow; VACS - VSG, vASA; ISE; Nexus 1000V

Cisco Enterprise ACI – Programmatic Operations

[Figure: the same three layers (Applications; Controller Layer; Application-Centric Infrastructure). Labels: Program for Optimized Experience; Harvest Network Intelligence; Applications; Services; Analytics; Orchestration; Network]

Cisco Enterprise ACI – Evolving Interactions

[Figure: the same three layers, with numbered interactions. Labels: Applications and Users (1 to 5: use, interact); ICT Governance and Operations; Domain Controllers (c); manage, control (d, e); Virtual / Overlay Networks (b); Network (a); Data Plane – (ASIC and Software)]

Infrastructure Layer {Programmable, App-Centric, Virtual}

Programmable Network Layer

[Figure: layered stack. Labels:]
• Virtual / Overlay Networks
• Programmable Network Layer: Device Interfaces and Agents – (onePK, OpenFlow, OpenStack, I2RS, …)
• Cisco IOS (Enterprise, Data Center, Service Provider) (Physical + Virtual)
• Data Plane – (ASIC and Software)

Programmable Network Layer

Programmable

Embedded Event Manager (EEM)

[Figure: EEM architecture. Event Detectors (EDs) at the bottom, the Embedded Event Manager with multi-event-correlation in the middle, policies and Actions at the top.]

Actions: email notification, SNMP set, SNMP get, SNMP notification, Counter, Syslog, Reload or switch-over, Application specific

Policy types: EEM Applets (CLI), IOS.sh Policies, TCL Policies

Event Detectors: Syslog, SNMP, Timer, none, HW, Watchdog, CLI, OIR, ERM, EOT, RF, GOLD, NetFlow, IPSLA, Route, 802.1x, MAC, Interface Counter, XML RPC, CDP / LLDP

Real-World Example

Example: EEM Applets – Loops, Variables

Problem: None in Particular

Solution: Have fun exploring EEM Applet capabilities

event manager applet 99-bob
 description written by bklauser inspired by http://www.99-bottles-of-beer.net
 event none
 action 100 set b 99
 action 110 while $b gt 1
 action 120 puts "$b bottles of beer on the wall, $b bottles of beer."
 action 130 decrement b
 action 140 puts "Take one down, pass it around, "
 action 150 puts "$b bottles of beer on the wall.\n"
 action 160 end
 action 170 puts "$b bottle of beer on the wall, $b bottle of beer."
 action 180 puts "Take one down, pass it around, "
 action 190 puts "no more bottles of beer on the wall.\n"
 action 200 puts "No more bottles of beer on the wall, "
 action 210 puts "no more bottles of beer."
 action 220 puts "Go to the store and buy some more, "
 action 230 puts "99 bottles of beer on the wall.\n"
!
alias exec sing event manager run 99-bob

Callouts on the slide:
• action 100: Setting a Variable
• action 110: While Loop – {
• action 130: Decrementing a Variable
• action 160: While Loop – }
• $b inside the puts strings: Referencing a Variable
• alias exec sing: Using an Alias to run our Applet

See also: http://www.99-bottles-of-beer.net/language-cisco-ios-embedded-event-manager-applet-2909.html

Packaging Network Automations
Problem: Cisco IOS Embedded Automation Systems often include multiple configuration items, files, checks and procedures – how to ensure they are deployed consistently?
Solution: Cisco EASy provides a simple packaging mechanism and open-source EASy Installer. A developer guide is available online to assist with the creation of EASy packages.

MyPackage.tar contains:
• Package Description
• Pre-Requisite Verification
• Pre-Installation Config
• Pre-Installation Exec
• Environment Variables
• Configuration
• Files
• Post-Requisite Verification
• Post-Installation Config
• Post-Installation Exec
• Uninstall

MyPackage.tar + EASy Installer = Menu Guided Installation

Router# easy-installer tftp://10.1.1.1/mypackage.tar flash:/easy
-----------------------------------------------------------------
Configure and Install EASy Package 'mypackage-1.03'
-----------------------------------------------------------------
1. Display Package Description
2. Configure Package Parameters
3. Deploy Package Policies
4. Exit
Enter option: 2

See: http://www.cisco.com/go/easy
EASy Package guide: http://tools.cisco.com/squish/cEAe3

Embedded Automation Systems (EASy)
1. Browse and Download EASy Packages: www.cisco.com/go/easy
2. Make Sure to download the latest EASy Installer
3. Browse Other Embedded Automations: www.cisco.com/go/ciscobeyond
4. Learn About The Technology Under The Hood: www.cisco.com/go/instrumentation, www.cisco.com/go/eem, www.cisco.com/go/pec
5. Discuss, Ask Questions, Suggest Answers: supportforums.cisco.com, supportforums.cisco.mobi
6. Upload your own Examples to CiscoBeyond: www.cisco.com/go/ciscobeyond
7. Engage via ask-easy@cisco.com

Programmable Network Layer

[Figure: programmable network layer stack. Labels:]
• Cisco Cloud Connector Toolkit, Cisco one IoT APIs, Cisco 819 AirVision APIs, ...
• Cisco onePK API Presentation, Software Development Kit, Runtime
• onePK BASE service sets: Developer, Discovery, DataPath, Element, Location, Routing, Policy, Utility; also the onePK BGP Service Set
• Other interfaces and agents: NETCONF + Yang, Neutron, Puppet, OMI, PCEP, OpenFlow, I2RS, ...
• Cisco onePK Agent Infrastructure
• Cisco IOS (Enterprise, Data Center, Service Provider) (Physical + Virtual)
• Data Plane – (ASIC and Software)

Programmable Network Layer – onePK

[Figure: same programmable network layer stack as on the previous slide, overlaid with the device-side view:]

c1921-oglaroon# show version
Cisco IOS Software, C1900 Software
:
c1921-oglaroon# show run | section onep
username onepk password 0 onepk
onep
 transport socket
 start
c1921-oglaroon#show onep ?
  datapath    ONEP datapath
  history     ONEP history trails
  session     ONEP session
  statistics  ONEP statistics
  status      ONEP status
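
The `show run | section onep` output on this slide contains a type 0 (cleartext) password that equals its username, and a `transport socket` line under `onep`. As an added example (not from the session material), this Python check flags both in a running-config; the sample configs are constructed, and treating any `transport` line that does not mention `tls` as non-TLS is an assumption.

```python
"""Flag weak onePK-related settings in an IOS running-config (added example)."""
import re

# Constructed sample modelled on the lines shown on the slide.
WEAK_CONFIG = """\
hostname lab-router
!
username onepk password 0 onepk
username ops password 7 constructed-type7-string
username admin secret 5 $1$constructed$placeholderhash
!
onep
 transport socket
 start
!
end
"""

# Constructed sample: same users moved to hashed secrets, no onePK agent started.
TIGHTER_CONFIG = """\
hostname lab-router
!
username onepk secret 5 $1$constructed$placeholderhash
username admin secret 5 $1$constructed$placeholderhash
!
end
"""

USER_RE = re.compile(
    r"^username\s+(?P<user>\S+)\s+(?P<kind>password|secret)\s+"
    r"(?:(?P<enc>\d+)\s+)?(?P<value>\S+)\s*$"
)


def sections(config):
    """Return [(top_level_line, [indented child lines])] for an IOS config."""
    result = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            current = None  # "!" separators and blank lines close a section
            continue
        if line[0].isspace():
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line, [])
            result.append(current)
    return result


def audit(config):
    """Return a list of (finding, detail) tuples, in config order."""
    findings = []
    for parent, children in sections(config):
        match = USER_RE.match(parent)
        if match and match["kind"] == "password":
            enc = match["enc"] or "0"  # no type digit means cleartext
            if enc == "0":
                findings.append(("cleartext-password", match["user"]))
                if match["value"] == match["user"]:
                    findings.append(("password-equals-username", match["user"]))
            elif enc == "7":
                # Type 7 is an obfuscation that can be reversed, not a hash.
                findings.append(("reversible-type7-password", match["user"]))
        if parent == "onep" and "start" in children:
            transports = [c for c in children if c.startswith("transport")]
            # Assumption: a transport line that does not mention tls is not TLS.
            if not any("tls" in t.split() for t in transports):
                detail = transports[0] if transports else "no transport line"
                findings.append(("onep-transport-not-tls", detail))
    return findings


if __name__ == "__main__":
    for finding, detail in audit(WEAK_CONFIG):
        print(f"{finding}: {detail}")
    print("tighter config findings:", audit(TIGHTER_CONFIG))
```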

Programmable Network Layer – onePK

[Figure: same programmable network layer stack as on the previous slides, overlaid with the developer-side view of the SDK:]

[onepk@poghril ~]$ uname -a
Linux poghril.splab-zrh.cisco.com 2.6.18-348.4.1.el5 #1 SMP Tue Apr 16 16:02:56 EDT 2013 i686 i686 i386 GNU/Linux
[onepk@poghril ~]$ ls
onePK-sdk-c32-0.7.0.503g.tar
onePK-sdk-c64-0.7.0.503g.tar
onePK-sdk-java-0.7.0.503g.tar
[onepk@poghril tutorials]$ java -classpath .:libonep-core-rel.jar:libthrift-0.6.1.jar:slf4j-api-1.6.1.jar com.cisco.onep.tutorials.HelloRouter
[onepk@poghril c]$ ls include
onep_core_services.h … … …
[onepk@poghril c]$ ls lib
libonep32_core.so libonep32_datapath.so … … …

Programmable Network Layer – onePK

[Figure: same programmable network layer stack as on the preceding slides.]

Programmable Network Layer – onePK

onePK BASE: Service Set and Description
• Data Path: Provides packet delivery service to application: Copy, Punt, Inject
• Policy: Provides filtering (ACL), classification (Class-maps, Policy-maps), actions (Marking, Policing, Queuing, Copy, Punt) and applying policies to interfaces on network elements
• Routing: Read RIB routes, add/remove routes, receive RIB notifications
• Element: Get element properties, CPU/memory statistics, network interfaces, element and interface events
• Discovery: L2 topology and local service discovery
• Utility: Syslog events notification, Path tracing capabilities (ingress/egress and interface stats, next-hop info, etc.)
• Developer: Debug capability, CLI extension which allows application to extend/integrate application's CLIs with network element

Programmable Network Layer – onePK

Choice of 3 Hosting Models

"Process" – On the Node
• Shared memory/compute
• Very low latency and delay
• Available on select platforms

"Blade" – On A Hardware Blade
• Dedicated memory/compute
• Low latency and delay
• Requires modular hardware blade

"End-Node" – On An External Server
• Plentiful memory/compute
• Higher latency and delay
• Supported by all platforms

Programmable Network Layer – Evolution
next-gen

onePK

Programmable Network Layer – Evolution
Extend and Customize ... Configure and Operate

C, Java, Python, REST, NETCONF, ...

From → Towards
• Hand-crafted API Infrastructure → Model-driven generation
• Manual platform adaption → Model-driven generation
• Inconsistencies between Agents → Consistent model and data across agents
• Focus on Agents across Platforms → Focus on Models and Platform strengths

[Figure labels: Generation from Data Models; Feature ↔ API Wiring; Data Models; Feature ↔ Information Model Wiring; Cisco IOS – Feature Implementation (Physical + Virtual); Data Plane – (ASIC and Software)]

Programmable Network Layer

vNF

vNF – Embedded Services Router – ESR 5921

The Cisco 5921 Embedded Services Router (ESR) is a Cisco IOS® software router application designed to operate on small, low power Linux-based platforms to extend the use of Cisco IOS into extremely mobile and portable communications systems.
• Based on IOS 15.2(4)GC, synched to 15.2(4)M
• Includes special mobility features (Radio Aware Routing, ...)
• Up to 20 virtual Eth ports
• x86 compatible, 32 bit Linux application
• Can run on any x86 compatible hardware with sufficient resources:
  - x86 - e.g., Intel Atom and Intel Core i3/i5/i7
  - 512 MB RAM minimum
  - 300 MB Disk minimum
  - glibc compiled Linux
• Embedded by SI into final Product, using "Cisco Technology Inside" software
• Sensors, Portable Communications, Vehicular Communications, ...

[Figure: Typical Use Case. Labels: User interface; Control SW; Routing SW; Other HW and/or SW; Interface Control (x3); Physical Interfaces]

vNF – Cloud Services Router – CSR 1000v

IOS-XE code base
• Comprehensive feature set
• 4 month release cycle – 3.9 (March '13), 3.10 (July '13), 3.11 (Jan '14) …

Infrastructure Agnostic
• Cisco UCS, Dell, HP, etc. Intel and AMD processors supported
• Runs on vSwitch, dVS, N1KV, etc. – no dependency
• VMware ESXi 5.1, Citrix Xen Server 6.1, KVM – RHEL 6.3, RHEV 3.1 supported
• Amazon AMI support in 3.11

Footprint
• 4 vCPU, 2 vCPU, 1 vCPU supported. Note: 2 physical cores * 2 = 4 vCPU with Hyperthreading
• 2.5 GB/1vCPU [default], 4 GB/4vCPU
• 8 GB HD – Local, SAN, NAS supported

[Figure labels: CSR 1000V (RP, FP); App / OS; VPC/ vDC; Hypervisor; Virtual Switch; Server]

Real-World Example

Example: Secure VPN Gateway

Problem: How to securely connect to a virtual private cloud or virtual Data Centre where we can't deploy Hardware – across the public Internet?
Solution: Deploy VPN Gateway on Cloud Services Router 1000v

Challenges
• Inconsistent Security
• High Network Latency
• Limited Scalability

Solutions
• IPSec VPN, DMVPN, EZVPN, FlexVPN
• Routing and Addressing
• Firewall, ACLs, AAA

Benefits
• Direct, Secure Access
• Scalable, Reliable VPN
• Operational Simplicity

[Figure labels: DC / HQ; ASR; WAN Router; Branch; ISR; Switches; Servers; Public WAN; VPN tunnel; Cloud Provider's Data Center; CSR 1000V; VPC/ vDC]

vNF – Network Simulations
The Challenge
Developers have a compelling need to:
• Create new network applications and solutions
• Learn and test new features and facilities
• Innovate to solve business problems

To do this they need a Lab that is:
• Easy to build
• Easy to (re-)configure
• Easy to scale
• Easy to access
• Portable
• Inexpensive

Such a Lab doesn't exist

Network Simulation

vNF – Comparison of Network Simulations
Sandboxes in
vmcloud VIRL CML
dCloud / DevNet
Cisco
Primary Use Personal / Developers Developers / Demos Businesses
(Embedded in AiO VMs)
Nodes ~15 15 ~200 15+
Cost n/a $200 $0 / Subscription $13’200+
Support Community Community Community / Subscription TAC
Focus Early Adopters, EFT Early Adopters, EFT Stable Stable
Platform Openstack Icehouse Openstack Grizzly Openstack Grizzly
Latest Version VIRL vV204 VIRL vT337 CML 1.0.1
Device Images IOS all IOS, XR, CSR, ESR5921 IOS, XR, CSR
Extensible yes unsupported unsupported
Connectors 3 2 2

Programmable Network Layer

vMF

Cisco Prime Virtual NAM (vNAM)
Extends Application Intelligence to the Virtual Infrastructure
APPLICATION AWARENESS; DEEPER NETWORK ANALYTICS; DEPLOYMENT AGILITY

Virtual NAM
• Deployed on any x86 platform
• Supported in ESXi and KVM environments
• Performance-Based License
  - NAM-VX10: Up to 150 Mbps
  - NAM-VX20 (ESXi only): Up to 1Gbps

Deploy vNAM Anywhere in the Network

[Figure labels: Data Center; Virtual NAM; Application Servers; ASR; INTERNET/WAN; ISR; Large Remote Site; Branch]

Cisco Prime vNAM Data Sources

• SPAN
• ERSPAN
• RSPAN
• VACL
• NetFlow
• Promiscuous Mode (ESXi)

Real-World Example

Example: Application Visibility & Network Control
Apply Control/Configuration Changes to improve Application Performance and Availability

Problem: How to dynamically provide application visibility per virtualized tenant?
Solution: Deploy vNAM into the virtual workload POD

Example: Service Assurance Actions (Examples)
• Apply Service Policies (Police, Mark, Shape, Queue) for reprioritization
• Implement custom routing optimized for specific application topology
• Set ACLs to establish the access rules

[Figure labels: Network Application; REST/XML API; Cisco XNC; PROGRAMMABLE: Traffic Steering, Path Setup, Traffic Engineering; Application Services; Virtual NAM; Tenant-A; Hosted Workload for Tenant; CSR]

Programmable Network Layer

vAF

Virtual Containers – Cisco 819

YOUR Application running aboard a Cisco 819 M2M Router

[Figure: Cisco 819 block diagram. Labels: Core 0; Core 1; Router; IOS; SDRAM; LTE Modem; Cellular modem driver; Supervisor Linux; KVM + Qemu; User-space; Guest Linux; Guest Application; TCP/IP; M2M asset]

Notes in the figure:
• Bare bone Kernel 3.0.6
• Memory Footprint (incl Guest App): < 256 MB
• Memory Footprint: < 64 MB

Physical Containers – UCS E-Series

[Figure: four modules plotted by Scalability against Feature Richness.]

Cisco UCS-EN120S
• Service Module
• VMware and Hyper-V Certified
• Network Compute Applications – vWLC, vWAAS

Cisco UCS-E140S
• Service Module
• Vmware, Hyper-V, Citrix Certified
• Intel E3 4 Core Processor
• vWLC, vWAAS, Physical Security

Cisco UCS-E160D
• Service Module
• Vmware, Hyper-V, Citrix Certified
• Intel E5 6 Core Processor
• vWLC, vWAAS, Virtual Desktops, Physical Security

Cisco UCS-E180D
• Service Module
• Vmware, Hyper-V, Citrix Certified
• Intel E5 8 Core Processor
• vWLC, vWAAS, Virtual Desktops, Physical Security, Security applications

Virtual Containers – ISR 4400 Series
Service Containers

• Dedicated virtualized compute resources
• CPU, disk, memory for each service
• Easily repurpose resources
• Industry-standard hypervisor

[Figure: VM 1 WAAS; VM 2 Energywise; VM 3 Future App]

Benefits

• Better performing network services
• Ease of deployment with zero footprint; no truck roll
• Greater security through fault isolation
• High reliability
• Flexibility to upgrade network services independent of router IOS® Software

Virtual Containers – ISR 4400 Series
Third Party Service Containers
• Partners and other 3rd parties can now write apps hosted on an ISR4K!
• Digital signing is REQUIRED so they must be approved by Cisco (ISR Team).
• Development tools are still rough so we're partnering very closely with the first few.
• Also soliciting ideas for general-purpose common tools in a container.

ISR 4400 Series Storage Options

NIM-SSD:
• 1 or 2 hot-swappable 200GB SSD drives
• 100GB and 400GB options in the future
NIM-HDD:
• 1 hot-swappable 500GB or 1TB drive
• Available as soon as a container supports it
SSD-MSATA-200G:
• Doesn’t consume a NIM slot!
• Embedded 200GB SSD storage
• Not available on 4431 & 4451

Controller Layer

[Figure: layered stack. Labels:]
• Application Interfaces – (OSGi, REST, …)
• Controller Layer (Orchestration + Analytics): Controller Advanced Functionality; Controller Core; Service Abstraction Layer
• CLI, SNMP, …
• Virtual / Overlay Networks
• Programmable Network Layer: Device Interfaces and Agents – (onePK, OpenFlow, OpenStack, I2RS, …)
• Cisco IOS (Enterprise, Data Center, Service Provider) (Physical + Virtual)
• Data Plane – (ASIC and Software)

Cisco Enterprise ACI
Network-aware Users and Applications – across Business Domains and Segments

[Figure: layered stack. Labels:]
• Applications
• Cisco Unified Framework; Application Enablement Platform
• ICT Governance and Operations
• Application Centric Infrastructure: SLA, QoS, Security, Load Balancing; Identity, Location, Device Type, Device Posture
• Controller Layer (Orchestration + Analytics): Service Abstraction Layer, Common Policy Model
• CLI, SNMP, …
• Virtual / Overlay Networks
• Programmable Network Layer: Device Interfaces and Agents – (onePK, OpenFlow, OpenStack, I2RS, …)
• Cisco IOS (Enterprise, Data Center, Service Provider) (Physical + Virtual)
• Data Plane – (ASIC and Software)

Hands-On: onePK All-in-One VM

Getting Started with the onePK AiO VM – 1/11

Open a Virtual Machine

Import onePK AiO VM .ova File

Getting Started with the onePK AiO VM – 2/11

Select then Play the onePK AiO VM

Getting Started with the onePK AiO VM – 3/11

User: cisco
Password: cisco123

Getting Started with the onePK AiO VM – 4/11

Set New Password (use cisco)

Getting Started with the onePK AiO VM – 5/11

Accept License Agreement

Getting Started with the onePK AiO VM – 6/11

Set IOSv User and Password (use cisco / cisco)

Getting Started with the onePK AiO VM – 7/11

This is often optional and the network will often just work OOB.
• Provide your Linux Password

Set Gateway IP Address (use 10.10.10.42)

Getting Started with the onePK AiO VM – 8/11

This is a pain when you are just developing, so we won't do this, we will change the code to use pinning by default.

Create Certificate Authority

Getting Started with the onePK AiO VM – 9/11

Likewise.
• onePK can use TLS to connect to the Network
• TLS uses Certificates
• Certificates for use with C and Python are pre-generated at /home/cisco/ca.pem
• For Java … Run Create Truststore

Getting Started with the onePK AiO VM – 10/11

Run Start 3node

This may take time!

Getting Started with the onePK AiO VM – 11/11

Confirm 3node Status

Confirm 3node Router Reachability (check for 10.10.10.0 route using netstat -r)

Java @ onePK AiO VM

Java @ onePK AiO VM – Hello Element Basics 1/7

Launch Eclipse
Java Samples

Java @ onePK AiO VM – Hello Element Basics 2/7

1 – Open Project java-apps
2 – Open src/main/java
3 – Open ...HelloElement
4 – Double click to open HelloElement.java

Java @ onePK AiO VM – Hello Element Basics 3/7

1 – Double click on tab to maximise editor window
2 – Right mouse button for context menu
3 – Select Preferences…

Java @ onePK AiO VM – Hello Element Basics 4/7

1 – Type "numbers" into the filter field
2 – Select "Show line numbers"
3 – Press "OK"

Java @ onePK AiO VM – Hello Element Basics 5/7
In HelloElement.java
1 – Hardcode credentials
2 – Return decision to pin and comment out call to show pinning dialog
3 – Comment out call to show authentication dialog
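
The lab shortcut above has the handler return a pin decision without asking the user. The added Python sketch below (not code from the onePK SDK or from this session) shows the checks a pin-by-default handler still has to make: remember the certificate fingerprint on first contact and reject any later change instead of silently re-pinning. The decision names, host names and certificate bytes are constructed for the example.

```python
"""Trust-on-first-use certificate pinning with change detection (added sketch)."""
import hashlib
import hmac
import json
import os
import tempfile

# Decision names are hypothetical labels for this sketch, not SDK constants.
ACCEPT_AND_PIN = "ACCEPT_AND_PIN"  # first contact: remember this certificate
ACCEPT = "ACCEPT"                  # certificate matches the stored pin
REJECT = "REJECT"                  # unknown host in strict mode, or pin mismatch


def fingerprint(cert_der):
    """SHA-256 over the DER-encoded certificate, as colon-separated hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """host -> fingerprint map persisted as JSON, readable by the owner only."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, "r", encoding="utf-8") as handle:
                self.pins = json.load(handle)

    def get(self, host):
        return self.pins.get(host)

    def pin(self, host, fp):
        self.pins[host] = fp
        # Write a 0600 temp file and rename it, so a crash cannot leave a
        # truncated pin file that would quietly re-enable first-use trust.
        tmp = self.path + ".tmp"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            json.dump(self.pins, handle, indent=2, sort_keys=True)
        os.replace(tmp, self.path)


def decide(store, host, cert_der, allow_first_use=True):
    """Return the decision for a certificate presented by host."""
    presented = fingerprint(cert_der)
    known = store.get(host)
    if known is None:
        if not allow_first_use:
            return REJECT            # strict mode: pins must be provisioned
        store.pin(host, presented)
        return ACCEPT_AND_PIN
    if hmac.compare_digest(known, presented):
        return ACCEPT
    # The fingerprint changed: never overwrite the pin automatically.
    return REJECT


def demo():
    """Run four constructed connections; return (decisions, pin_unchanged)."""
    router_cert = b"constructed DER bytes for router1"
    other_cert = b"constructed DER bytes presented by someone else"
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "pins.json")
        decisions = [
            decide(PinStore(path), "router1.lab.example", router_cert),
            decide(PinStore(path), "router1.lab.example", router_cert),
            decide(PinStore(path), "router1.lab.example", other_cert),
            decide(PinStore(path), "router2.lab.example", router_cert,
                   allow_first_use=False),
        ]
        pinned = PinStore(path).get("router1.lab.example")
    return decisions, pinned == fingerprint(router_cert)


if __name__ == "__main__":
    print(demo())
```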

TECNMS-3601 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Java @ onePK AiO VM – Hello Element Basics 6/7

1 – Context menu (right


mouse button) select Run
As -> Java Application

TECNMS-3601 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Java @ onePK AiO VM – Hello Element Basics 7/7

Application output shows in Console (double click on tab to maximise/minimise console)

Java @ onePK AiO VM – Syslog Monitor 1/4

Open the SyslogMonitor application main class

Java @ onePK AiO VM – Syslog Monitor 2/4
In SyslogMonitor.java

Java @ onePK AiO VM – Syslog Monitor 3/4
1 – Run the SyslogMonitor application
2 – Go to router<n> terminal window
3 – Shut/no shut, for example, an interface
4 – See logs in application

Java @ onePK AiO VM – Syslog Monitor 4/4

1 – Open the CDPTopologyProvider class
2 – This is the regular expression for the filter, i.e. everything

Java @ onePK AiO VM – Tutorials 1/7

Open the BaseTutorial class

Java @ onePK AiO VM – Tutorials 2/7
In BaseTutorial.java

Java @ onePK AiO VM – Tutorials 3/7

Open the TLSPinningHandler class

Java @ onePK AiO VM – Tutorials 4/7
In TLSPinningHandler.java

Java @ onePK AiO VM – Tutorials 5/7
For any given tutorial, comment out call to showAuthenticationDialog()

Java @ onePK AiO VM – Tutorials 6/7
Or, in BaseTutorial.java, add a return and comment out block of showAuthenticationDialog(…)

Python @ onePK AiO VM

Python @ onePK AiO VM – 1/5

1 – Open BaseTutorial.py
2 – Set Preferences for line numbers, just like for the Java editor

Python @ onePK AiO VM – 2/5
In BaseTutorial.py

Python @ onePK AiO VM – 3/5
In BaseTutorial.py and other tutorials as required

Python @ onePK AiO VM – 4/5

Open a Terminal (Ctrl-Alt-t)

Navigate to Python Tutorials – cd ~/onePK-sdk-1.3.0.181/python/tutorials

Run BaseTutorial.py

Python @ onePK AiO VM – 5/5
1 – Open, say, SessionTutorial.py
2 – Change handle_verify
3 – Context menu (right mouse button) Run As -> Python Run
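
The Java and Python steps above remove the interactive pinning prompt and have the handler return its decision directly. As an added example (not onePK SDK code; the decision names, the handler signature, the JSON pin file and the sample address are assumptions made for this sketch), the decision can come from a fingerprint provisioned out-of-band, so an unattended run still rejects an unexpected or changed certificate:

```python
import hashlib
import hmac
import json
import os
import tempfile

# Decision names local to this sketch (assumed, not the SDK's constants).
ACCEPT_AND_PIN = "accept-and-pin"
ACCEPT_ONCE = "accept-once"
REJECT = "reject"


def normalise(fingerprint):
    """Lower-case hex without separators, so AA:BB and aabb compare equal."""
    return fingerprint.replace(":", "").replace(" ", "").lower()


def cert_fingerprint(der_bytes, hashtype="sha256"):
    """Fingerprint of a DER-encoded certificate."""
    return hashlib.new(hashtype, der_bytes).hexdigest()


def same(a, b):
    """Constant-time comparison of two fingerprints."""
    return hmac.compare_digest(normalise(a).encode(), normalise(b).encode())


class PinStore:
    """Pins kept as JSON: {"host|hashtype": "hexfingerprint"}."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as handle:
                self.pins = json.load(handle)

    def get(self, host, hashtype):
        return self.pins.get("%s|%s" % (host, hashtype))

    def pin(self, host, hashtype, fingerprint):
        self.pins["%s|%s" % (host, hashtype)] = normalise(fingerprint)
        # Write a private temp file, then rename it into place, so a crash
        # cannot leave a half-written pin file behind.
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory)
        with os.fdopen(fd, "w") as handle:
            json.dump(self.pins, handle, indent=2, sort_keys=True)
        os.replace(tmp, self.path)


def handle_verify(host, hashtype, finger_print, changed, store, provisioned):
    """Decide without a dialog, but never on the presented value alone."""
    pinned = store.get(host, hashtype)
    if pinned is not None:
        # Already pinned: accept only the same fingerprint, never a change.
        if not changed and same(pinned, finger_print):
            return ACCEPT_ONCE
        return REJECT
    # First contact: pin only a fingerprint that was provisioned beforehand,
    # for example read from the router console and stored with the lab config.
    expected = provisioned.get(host)
    if expected is not None and same(expected, finger_print):
        store.pin(host, hashtype, finger_print)
        return ACCEPT_AND_PIN
    return REJECT


if __name__ == "__main__":
    # Constructed demo values: fake certificate bytes and a lab address.
    store = PinStore(os.path.join(tempfile.mkdtemp(), "pins.json"))
    fp = cert_fingerprint(b"constructed router1 certificate")
    provisioned = {"10.10.10.110": fp}
    print(handle_verify("10.10.10.110", "sha256", fp, False, store, provisioned))
    print(handle_verify("10.10.10.110", "sha256", "00" * 32, True, store, provisioned))
```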

Schedule
9:00- Introduction
Theory Part I
Lab Part I
Theory Part II
Lab Part II
Infrastructure Layer
{Programmable, App-Centric, Virtual} Theory Part III
Lab Part III
-18:30 Close

Programmable Network Layer

vNF
Custom AiO Topology
Creating Your Own vmcloud Topology
• The vmcloud tool is a suite of Python scripts that orchestrate IOSv
• Topologies can be created by defining them in XML-based .virl files
• A reference for the syntax can be found in the EmulatorUserGuide.pdf file on the AiO desktop…
• …But it’s easier to use the existing ~/vmcloud-example-networks/3node/3node.virl file as a guide
• Let’s create a four-node “chain” topology hanging off the AiO VM

Our Target 4 Node Topology

Our 4node VIRL File

Let’s dig into this in more detail.

The Node Definition
• Each node has a name.
• The type, subtype and location can all remain the same.
• Define as many interfaces as you need, each with a unique name.
• This needs to point to a valid vIOS image in OVA format. By default, the vios.ova is a symlink to a 15.4M image.
• The bootstrap config must point to a valid IOS configuration in plain text format.

The Segment Definition

The “SEGMENT” type is a LAN. The special LAN, vmc_lan_1, is defined in /etc/vmcloud/vmcloudrc. This file defines LAN interfaces on the AiO VM’s backplane.

(The location value refers to where the icon appears in VMMaestro – see VIRL)

Connecting Things Together
Each connection element describes an endpoint of the topology. Connections only need to be specified in one direction. Src and dst values are specified using xpath notation (elements start at 1).

• Node 1 (router1), interface 1 (Gi0/0) connects to node 2 (router2) interface 1 (Gi0/0).
• Node 1 (router1), interface 2 (Gi0/1) connects to the special vmc_lan_1 segment.
• Node 2 (router2), interface 2 (Gi0/1) connects to node 3 (router3) interface 1 (Gi0/0).
• Node 3 (router3), interface 2 (Gi0/1) connects to node 4 (router4) interface 1 (Gi0/0).

Validating Your Topology File
• The XML schema for the .virl files can be found in /usr/lib/python2.7/dist-packages/vmcloud/parser/schema/virl.xsd
• Your target .virl file can be tested against this schema using the xmllint command
• From the command line, run the following command:
– xmllint --schema /usr/lib/python2.7/dist-packages/vmcloud/parser/schema/virl.xsd FILE.virl
• Look for the message “FILE.virl validates” at the end of the output
• If you get an error, use the schema file, user guide and existing 3node.virl example to hunt down the problem
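
xmllint checks the file against the schema; it does not show which node and interface each 1-based xpath endpoint resolves to. The following added example (not part of vmcloud or the original slides) resolves the connections of the four-node chain described above and reports endpoints that point past the last node or interface; the sample file is constructed, and the exact src/dst attribute syntax is an assumption based on the slides' description:

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the four-node chain. The src/dst attribute syntax
# is an assumption; compare it with 3node.virl before relying on it.
SAMPLE_VIRL = """<?xml version="1.0" encoding="UTF-8"?>
<topology xmlns="http://www.cisco.com/VIRL">
  <node name="router1" type="SIMPLE" subtype="IOSv">
    <interface name="GigabitEthernet0/0"/>
    <interface name="GigabitEthernet0/1"/>
  </node>
  <node name="router2" type="SIMPLE" subtype="IOSv">
    <interface name="GigabitEthernet0/0"/>
    <interface name="GigabitEthernet0/1"/>
  </node>
  <node name="router3" type="SIMPLE" subtype="IOSv">
    <interface name="GigabitEthernet0/0"/>
    <interface name="GigabitEthernet0/1"/>
  </node>
  <node name="router4" type="SIMPLE" subtype="IOSv">
    <interface name="GigabitEthernet0/0"/>
  </node>
  <node name="vmc_lan_1" type="SEGMENT"/>
  <connection src="/topology/node[1]/interface[2]" dst="/topology/node[5]"/>
  <connection src="/topology/node[1]/interface[1]" dst="/topology/node[2]/interface[1]"/>
  <connection src="/topology/node[2]/interface[2]" dst="/topology/node[3]/interface[1]"/>
  <connection src="/topology/node[3]/interface[2]" dst="/topology/node[4]/interface[1]"/>
</topology>
"""

# Accepts /topology/node[N] and /topology/node[N]/interface[M], with or
# without a namespace prefix on each step.
ENDPOINT_RE = re.compile(
    r"^/(?:\w+:)?topology/(?:\w+:)?node\[(\d+)\]"
    r"(?:/(?:\w+:)?interface\[(\d+)\])?$"
)


def local(tag):
    """Return the element name without its {namespace} prefix."""
    return tag.rsplit("}", 1)[-1]


def children(parent, name):
    """Child elements called `name`, in document order (what node[N] counts)."""
    return [c for c in parent if local(c.tag) == name]


def resolve(path, nodes):
    """Map a 1-based xpath endpoint to 'node' or 'node:interface'."""
    match = ENDPOINT_RE.match(path or "")
    if not match:
        raise ValueError("malformed endpoint: %r" % path)
    n = int(match.group(1))
    if not 1 <= n <= len(nodes):
        raise ValueError("%s: only %d node elements" % (path, len(nodes)))
    node = nodes[n - 1]
    if match.group(2) is None:
        return node.get("name")  # e.g. a SEGMENT node such as vmc_lan_1
    ifaces = children(node, "interface")
    i = int(match.group(2))
    if not 1 <= i <= len(ifaces):
        raise ValueError("%s: %s has only %d interfaces"
                         % (path, node.get("name"), len(ifaces)))
    return "%s:%s" % (node.get("name"), ifaces[i - 1].get("name"))


def check_topology(xml_text):
    """Return (links, errors) for every <connection> in a .virl document."""
    root = ET.fromstring(xml_text)
    nodes = children(root, "node")
    links, errors = [], []
    for conn in children(root, "connection"):
        try:
            links.append((resolve(conn.get("src"), nodes),
                          resolve(conn.get("dst"), nodes)))
        except ValueError as exc:
            errors.append(str(exc))
    return links, errors


if __name__ == "__main__":
    found, problems = check_topology(SAMPLE_VIRL)
    for src, dst in found:
        print("%-28s <-> %s" % (src, dst))
    for problem in problems:
        print("ERROR:", problem)
```

Run it on a file after xmllint reports that it validates, and compare the printed links with the intended diagram.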

Introducing VIRL
The Challenge
Developers have a compelling need to:
• Create new network applications and solutions
• Learn and test new features and facilities
• Innovate to solve business problems

To do this they need a test-bed that is:


• Easy to build
• Easy to access
• Easy to configure
• Portable
• Easy to scale
• Inexpensive
That test-bed doesn’t exist

So Who’s a ‘Developer’?
Customers
Software Houses

Integrators
Manufacturers

Partners
You…

Development Economics
Deploying a physical network test-bed requires:
• Equipment ~$2000/node
• Setup ~1-2 hours per network
• Expertise level high @ ~$100/hour for CCNA
• Resources must be dedicated, scheduled

Time and money are being wasted

VIRL can help simplify and streamline development processes and environments

What is VIRL?
A network orchestration and virtualization platform that enables:
• Point-and-click network design
• Painless configuration
• Integration of platform-sync’d code
• Rapid setup and tear-down
• Seamless connectivity with ‘real’ networks
• Portability and repeatability

Development Economics with VIRL
Deploying virtual target networks with VIRL:
• Equipment:
  • ~$300 when PC-based (Hypervisor + VIRL) [Tentative]
  • More for UCS but multi-user, immense scale – 100s or 1000s of nodes
• Setup ~minutes per network
• Expertise significantly reduced – VIRL does the work!
• Little or no contention for resources
• Portable – work wherever, whenever

The VIRL Architecture
Virtualized Network Operating Systems

• IOS-XRv: IOS XR v5.1.3 and v5.2.0
• NX-OSv: NX-OS v7.1(0)ZD
• CSR1000v: IOS XE v15.4(3S_XE313)
• IOSv: IOS v15.4(1.20T)
• Servers: Ubuntu 14.04 LTS

Nested Virtualization

VMs

/ QEMU
HyperVisor

Host O/S

VT-x / EPT Physical Host

Built on OpenStack

• Horizon (Dashboard)
• APIs / CLI
• Nova (Compute Services)
• Cinder (Block Storage Services)
• Swift (Object Storage Services)
• Neutron (Networking Services)
• Keystone (Identity Services)
• Glance (Image / Repository Services)

IaaS / cloud orchestration software – creates, manages, and deletes virtual resources according to API- or CLI-based instructions

VM Maestro
• The graphical topology editing
• Enables rapid definition of network elements:
  • Routers
  • Links
  • Protocols
  • Facilities
• Supports complex topologies
• Manages simulations

Topology Representations
• Topologies are represented in XML
• Files are highly portable and shareable
• Integrated support for GIT repositories enables multi-user sharing, versioning

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<topology xmlns="http://www.cisco.com/VIRL" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    simulationEngine="OPENSTACK" schemaVersion="0.6"
    xsi:schemaLocation="http://www.cisco.com/VIRL http://cide.cisco.com/vmmaestro/schema/VIRL.xsd">
  <extensions>
    <entry type="String" key="management_network">flat</entry>
    <entry type="Boolean" key="AutoNetkit.enable_cdp">true</entry>
    <entry type="Boolean" key="AutoNetkit.enable_OnePK">true</entry>
    <entry type="String" key="AutoNetkit.address_family">dual_stack</entry>
    <entry type="String" key="AutoNetkit.ipv4_infra_subnet">10.0.0.0</entry>
    <entry type="String" key="AutoNetkit.ipv4_infra_prefix">8</entry>
    <entry type="String" key="AutoNetkit.ipv4_loopback_subnet">192.168.0.0</entry>
    <entry type="String" key="AutoNetkit.ipv4_loopback_prefix">22</entry>
    <entry type="String" key="AutoNetkit.ipv4_vrf_loopback_subnet">172.16.0.0</entry>
    <entry type="String" key="AutoNetkit.ipv4_vrf_loopback_prefix">24</entry>
    <entry type="Boolean" key="AutoNetkit.enable_routing">true</entry>
    <entry type="String" key="AutoNetkit.IGP">isis</entry>
  </extensions>
  <node location="518,292" subtype="IOSv" type="SIMPLE" name="Core">
    <interface name="GigabitEthernet0/1" id="0"/>
    <interface name="GigabitEthernet0/2" id="1"/>
    <interface name="GigabitEthernet0/3" id="2"/>
  </node>
  <node location="519,172" subtype="IOSv" type="SIMPLE" name="A1">
    <interface name="GigabitEthernet0/1" id="0"/>
    <interface name="GigabitEthernet0/2" id="1"/>
    <interface name="GigabitEthernet0/3" id="2"/>
  </node>
  <node location="648,368" subtype="IOSv" type="SIMPLE" name="A3">
    <interface name="GigabitEthernet0/1" id="0"/>
    <interface name="GigabitEthernet0/2" id="1"/>
    <interface name="GigabitEthernet0/3" id="2"/>
  </node>
  <node location="403,382" subtype="IOSv" type="SIMPLE" name="A2">
    <interface name="GigabitEthernet0/1" id="0"/>
    <interface name="GigabitEthernet0/2" id="1"/>
    <interface name="GigabitEthernet0/3" id="2"/>
  </node>
  <!-- the excerpt on the slide ends after the node definitions -->
</topology>

AutoNetKit Auto-Configuration
Figure labels: XML Topology Definition; AutoNetKit; Configurations; Network Information DB; Topology Renderings

AutoNetKit:
• Understands OS-specific configuration constructs
• Presents graphical representations of topology attributes
• Converts configurations between different OS-types and platforms

AutoNetKit Visualizations

OSPF area values set on each node

BGP route-reflector clusters and AS’s configured

Services Topology Director
XML Topology Definition

Create Routers
• Identify Type / Flavor
• Associate Image (Glance)
• Identify / Assign Resources
• Associate Configuration
• Launch the VM (Nova)

Create Networks / Links
• Identify Links and End-Points
• Assign End-Points to VMs
• Assign Network / Link Characteristics
• Launch the Switch (Quantum)

The Services Topology Director orchestrates the creation of VIRL virtual routers and inter-router links based on the XML-based topology definition and configurations from VM Maestro

VIRL/Simulator Options
• AiO vmcloud - https://developer.cisco.com/site/onepk/downloads/all-in-one-vm/
– NOT really VIRL, based on Python scripts orchestrating IOSv virtual reference platform
– Optimised for low memory footprint of 4GB
• VIRL Personal Edition – virl.cisco.com
– Designed to run on internet connected personal machines
– Limited to 15 nodes of any type
– Community support only
• VIRL-based DevNet Sandboxes - https://developer.cisco.com/site/devnet/sandbox/
– Virtual sandboxes based on VIRL
• Cisco Modelling Labs (CML) - http://www.cisco.com/c/en/us/products/cloud-systems-management/modeling-labs
– Can scale to unlimited nodes, RAM and CPU allowing
– TAC supported

VIRL Demonstration
DevNet, the Sandboxes and DevHub
Introducing DevNet
Creating a Community of Software Developers who Leverage Cisco Technology in Their Work

Enabling a Robust Developer Ecosystem
• Engineering Platform APIs
• SDKs and Tools
• Developer Support
• Community Management

To Build Compelling and Innovative Apps

Developer.Cisco.Com
Where Developers go at Cisco
• Hosted sandboxes
• Paid for and community support
• Hackathons
• Dev Centres for Cisco technologies
• Community news and events

• Free t-shirts!

Collaboration Developer Sandbox

The DevNet Sandbox is a hosted lab service designed to enable developers of all types (customers, partners, and ISVs) to explore, experiment, integrate, and/or complete IVT with their solutions with Cisco technologies.

What Can You Do In the Sandbox?
• Try stuff out – Kick the tires with Cisco technology and new products
• Integrate your product with Cisco technologies without investment in equipment, space, power or technical talent to build, configure and maintain
• Collaborate across locations by sharing lab sessions across users
• Get Early Access to new releases of Cisco product versions
• Test to larger scales using our tools or proprietary Cisco tools
• Complete IVT – Use your engineering resources to execute our self-driven IVT on your time and at reduced cost

Sandbox Features
• Self service and always on
• Several labs to choose from:
– Collaboration: UCM, MediaSense, Jabber Guest, UCCE
– Networking: APIC EM (EFT2), Connected Grid Router, Mobility Services Engine, CMX Cloud Services
– DataCenter: Security Orchestration, Intercloud Fabric, Customer Information Service (CIS)
– Interoperability Verification (IVT) Labs for Cisco Compatibility Certification
• In lab options:
– Session sharing – collaboration across teams and locations in a single lab
– Tools: IXIA, Cisco IP phone Simulator and Call generator, Remote phone control
– Text at reservation start or duration test completion
– Virtual Machine for hosting user application
– Information in lab supporting use: Guides, sample applications, etc

Lab Models

Always On
• Shared Environment – limited functionality (no admin, no 3rd party application co-location). Generally used for learning, endpoint/client connections, or basic REST calls
• Learning, Development, and unit Testing

Reservation Based
• Private lab Environments
• Full functionality (admin control, application connection via co-location or HW VPN)
• Development, Integration Testing, IVT

Always On Versus Reservation Based Labs
Shared Collaboration Environment

Always On
• Lab 1: Company A user, Company B user, Company C user, Company D user
• Multiple users in same lab, no admin control

Reservation Based
• Lab 1: Company E user
• Lab 2: Company F user 1, Company F user 2, Company F user 3
• Lab reserved for private use / full admin control / lab can be shared amongst other company team members

Access DevNet Sandbox Labs

1 - Login to DevNet/Go to Sandbox
2 - Select/Reserve Lab
3 - Access Lab

https://developer.cisco.com/site/devnet/sandbox/
https://sandboxapic.cisco.com/login

DevHub
The DevNet DevHub
• A Work in Progress, NOT generally available
– Apply here for early access
• Combines
– Source Code Management (SCM – Gerrit and Git)
– CI/CD pipeline (Jenkins, SonarQube, Artifactory)
– DevNet sandboxes (Physical and virtual labs on demand)
– Deployed on Cisco Cloud Services (CCS)
– Deploy to CCS
• Planned to include
– Open source and private projects
– Combine code in GitHub with build and test in DevHub

DevHub

Schedule
9:00- Introduction
Theory Part I
Lab Part I
Theory Part II
Lab Part II
Infrastructure Layer
{Programmable, App-Centric, Virtual} Theory Part III
Lab Part III
-18:30 Close

Programmable Network Layer

vAF
Puppet
Network Device Orchestration Support: Integrate network devices with configuration management & orchestration stacks

Technologies
Customization

Puppet Overview
• Centralized management server: Puppet Master (GUI, Workflows, Reporting, Admin & Security, Monitoring)
• Cloud-based repository of pre-built solutions: Puppet Forge
• 3rd party integration
• Distributed agents: Agent on Compute Node, Agent on Cisco Switch/Router

Puppet Open Source & Puppet Enterprise
Upstream Open Source Projects: Environment for Nurturing Innovation
Projects: PUPPET, MCOLLECTIVE, FACTER, PUPPETDB, HIERA, +40 SMALLER FOSS PROJECTS
• ~8,000 members
• Latest technologies
• Rapid release cycles
• ~1000s of changes / week
• Community support (IRC, forums)

Commercial Product (PUPPET ENTERPRISE): IT Automation for Business-Critical Apps
• Commercial-only functionality
• Single integrated solution
• Graphical User Interface
• Installer & upgrader
• QA’d & security hardened
• Performance tuning
• API guarantees
• Support & maintenance
• Training & services

What Puppet Does

Source: http://puppetlabs.com/puppet/what-is-puppet

Puppet Pieces (Terminology)
• Puppet Master
– Central “controller” software which orchestrates configuration deployment for one or more agents. Configuration expressed as a “manifest”.
• Puppet Agent
– Software which interacts with a single Puppet Master to obtain configuration (desired state) in terms of Puppet Resources. Uses Puppet Resource Providers to carry out tasks to achieve configuration (desired state).
• Puppet Resources
– Term used for grouping of managed objects/attributes and one or more corresponding implementations of management tasks. The 2 layers of a resource:
  • Resource Type: Definition of managed objects.
  • Resource Provider: Implementation of management tasks on objects.

Puppet Pieces (Terminology) …continued
• Puppet Manifest
– Collection of configuration settings in terms of resource type instances. Often referred to in the Puppet world as “code”. Manifests are commonly organized in sections that are mostly generic for many nodes (sections apply to specific types of nodes) using conditional logic.
• Catalogue
– Compiled form of manifest for a specific node: all variables have values and conditional logic has been executed to result in concrete resource instance values.
• Facter
– Software which discovers runtime state on an agent node
• Facter Facts
– Runtime state for an agent node. Values can be strings, values, and arrays.
– Facts are used as variables in most Puppet contexts, i.e. in puppet master manifests, resource types, and resource providers.

Puppet per-Node (agent) Workflow

Source: http://puppetlabs.com/puppet/what-is-puppet
Puppet Language Example

Cisco NXOS Puppet Integration
Cisco Puppet Plug-In: Architecture
Data Center Network

Network OS
Cisco Network
Resources

Puppet Agent
LXC Container

Puppet Master

Sample Puppet Manifest Entry
node /n3k-puppet1.*/ {
  include cisco_onep::device

  notify { "Hello from site.pp": }

  # cisco_vlan instance titled "<hostname> 1005"
  cisco_vlan { "$::hostname 1005":
    ensure    => present,
    vlan_name => 'Manifestcreated',
    state     => active,
  }
}

Cisco NXOS Puppet Agent Integration
• Packaged as virtual-services LXC container OVA
• OVA registers CLI extensions
– Configuration commands
– Show commands
– Exec commands
– Clear commands
– Debug commands
• OVA syslogs are linked to NXOS syslog
– “show log”

Cisco NXOS Agent Config Prereqs
• ONEP VTY service set
– Device(config)# onep
– Device(config-app)# service set vty
• NTP server
– Device(config)# ntp server 10.81.254.202 use-vrf management
• If time is not in sync with the puppet master’s time, SSL certificate usage may have problems due to timeliness checks of encrypted messages.

Cisco Puppet Agent Config Example
• Puppet configuration mode
– bxb-oa-n3k-11(config)# puppet
– bxb-oa-n3k-11(config-puppet)# master pmaster.cisco.com port 8999
– bxb-oa-n3k-11(config-puppet)# vrf management
– bxb-oa-n3k-11(config-puppet)# run-interval 180
– bxb-oa-n3k-11(config-puppet)# node-name fact:fqdn
– bxb-oa-n3k-11(config-puppet)# domain-name cisco.com
– bxb-oa-n3k-11(config-puppet)# activate
– bxb-oa-n3k-11(config-puppet)# name-server 4.1.1.128

Puppet Run Modes
• Oneshot mode
– Single run of puppet agent to request configuration from puppet master and take action to put resources in desired state.
  • Exec command: exec puppet agent-oneshot
• No-op mode
– Single run of puppet agent to request configuration from puppet master BUT DO NOT take action on resources.
  • Used in scenarios where puppet master user wants to validate/inspect the catalogue being compiled for a node and understand the delta with current state.
  • Exec command: exec puppet agent-noop
• Daemon mode
– Recurring periodic runs of puppet agent requesting configuration from puppet master and take action to put resources in desired state.
  • Config command: (config-puppet)# activate

Puppet Run Report Example

Puppet Enterprise Dashboard: Status per resource instance

Cisco Puppet Resources
Use Cases

Image/Patch (Package Repository, Puppet/Chef Master, Device Plug-in)
Device Plug-ins:
• Manage images and patches/SMUs
• Reduce Manual process

New Server/VM Deployment (Server Admin, Puppet/Chef Master, New server)
• ToR configuration for every new device onboarded
• Master puts the new server in the right VLAN/segment / ACL’s

Config. Distribution (Network Admin, Puppet/Chef Master)
• Security policies, mgmt. servers (syslog, dns, snmp etc.) are common across the network.
• Inject changes at master

Cisco Puppet Resource Type Coverage: 1
Feature | Resource Name | Description
Cisco Device Access | cisco_device | Allows credentials for user access control & accounting
Base L2/L3 interface | cisco_interface | General interface & L2/L3 base settings
VLAN | cisco_vlan | Create/destroy of VLANs and general settings
Interface-vlan (SVI) | cisco_interface_vlan | Create/destroy of SVIs and SVI specific interface settings
VLAN Trunking Proto (VTP) | cisco_vtp | VTP global settings
SNMP | cisco_snmp_server, cisco_snmp_community, cisco_snmp_group, cisco_snmp_user | SNMP monitoring settings. Notification receiver settings not covered as of now.
OSPF | cisco_ospf, cisco_ospf_vrf, cisco_interface_ospf | OSPF instance create/destroy, per-VRF settings, and interface settings (area, cost, msg digest, etc)

Cisco Puppet Resource Type Coverage: 2
Feature | Resource | Description
TACACS/AAA*** | cisco_tacacs_server, cisco_tacacs_server_host, cisco_aaa_tacacs_group, cisco_aaa_authentication, cisco_aaa_authorization, cisco_aaa_accounting | TACACS global settings; TACACS per-host settings; group association and settings; mapping of groups to AAA features (authentication, authorization, accounting).
Raw Config CLI commands | cisco_command_config | Resource to directly apply blocks of configuration CLI commands.

***full set not available at EFT target date

Cisco Puppet OVA Lifecycle
Puppet Deployment using POAP

Figure labels: DHCP, Script, Config and Puppet OVA servers; NXOS switch with Puppet agent (OVA); Puppet Master

1 - Power up Switch with no startup-config and default images
2 - DHCP phase: Get IP Address, Gateway, Script server IP, Script file name
3 - Switch downloads script; Execute script locally
4 - Download software images; Download running-config; Download puppet_plugin.ova; Download plugin_activate.py script
5 - Reload the router with downloaded software; plugin_activate.py script executes, installing and activating puppet_plugin.ova
6 - Once the plugin is activated, puppet agent running inside the container will establish a session with the puppet master and retrieve catalogues, etc.

References
• General Puppet
  • What is Puppet? -- http://puppetlabs.com/puppet/what-is-puppet
  • Basic Hands-on tutorial (VM based & Free) -- https://docs.puppetlabs.com/learning/index.html
  • Puppet Core Resource Types: https://docs.puppetlabs.com/puppet_core_types_cheatsheet.pdf
• Cisco Puppet
  • User Guide: << (still in pre-release draft) >>
  • Cisco Resources Pre-release documentation: EDCS-1381549
• Cisco Mail Lists:
  • puppet-agent-dev: alias of Cisco developers working on puppet agents
  • puppet-trolls: general Cisco community of puppet users & developers (tied with various products/orgs)

Chef
Chef Overview

Chef Pieces (Terminology)
• Chef Server
– The Chef server acts as a hub for configuration data. It stores:
  • Cookbooks
  • Recipes (The policies that are applied to nodes)
  • Metadata that describes each registered node that is being managed by the chef-client.
• Node
– Any physical, virtual, or cloud machine configured to be maintained by a chef-client.
• Chef Client
– Agent, runs locally on every node that is registered with the Chef server. When
– Brings nodes to expected state.
• Chef Resources
– Term used for a grouping of managed objects/attributes and one or more corresponding implementations. The 2 layers of a resource:
– Resource Type: Definition of managed objects.
– Resource Provider: Implementation of management tasks on objects.

Chef Pieces (Terminology) …continued
• Cookbook
– Fundamental unit of configuration and policy distribution.
– Each cookbook defines a scenario, and all components that are required to support that scenario.
• Recipe
  • Is mostly a collection of resources, defined using patterns (resource names, attribute-value pairs, and actions); helper code is added around this using Ruby, when needed
  • Is authored using Ruby
  • Must be stored in a cookbook
  • May use the results of a search query and read the contents of a data bag
  • May have a dependency on one (or more) recipes
  • Must be added to a run-list before it can be used by the chef-client
  • Is always executed in the same order as listed in a run-list

The chef-client will run a recipe only when asked

Chef Pieces (Terminology) …continued
• Ohai
– Tool used to detect attributes on a node, and then provide these attributes to the chef-client at the start of
– Provides the attributes to the chef-client
  • The types of attributes Ohai collects include (but are not limited to):
  • Platform details, kernel data, hostnames, FQDN
• Workstation
– A computer that is configured to run Knife, to synchronize with the chef-repo, and interact with a single Chef server. The workstation is the location from which most users will do most of their work, including:
  • Developing cookbooks and recipes (and authoring them using Ruby)
  • Keeping the chef-repo synchronized with version source control
  • Using Knife to upload items from the chef-repo to the Chef server
  • Configuring organizational policy, including defining roles and environments and ensuring that critical data is stored in data bags
  • Interacting with nodes, as (or when) required, such as performing a bootstrap operation

Chef per-Node (agent) Workflow

Source: http://docs.getchef.com/chef_quick_overview.html

Emailing outside the container is not currently supported in a cisco device plugin env.

Chef Sample Interface Configuration

# Cookbook Name:: n7k
# Recipe:: set_description

require 'chef/resource/cisco_device'
require 'chef/resource/cisco_interface'

dev_name = node['hostname']

# Connects to a Cisco Device
# (credentials are inline in this sample; the Workstation slide's guidance
# is to keep critical data in data bags)
cisco_device "#{dev_name}" do
  username "chef"
  password "CSCO12345^"
  action :create
end

# Process netdev_interface
cisco_interface "#{dev_name} : Ethernet1/9" do
  enable true
  description "chef modified #{name}"
  switchport true
end

Cisco NXOS Chef Agent Integration
• Packaged as virtual-services LXC container OVA (32 bit)

• OVA registers CLI extensions


– Configuration commands
– Show commands
– Exec commands
– Clear commands
– Debug commands

• Relies on ONEP VTY service-set

• OVA syslogs linked to NXOS syslog


– “show log”

2014 Jul 28 16:10:32 bxb-oa-n3k-9 %VMAN-5-VIRT_INST_NOTICE: VIRTUAL SERVICE chef


LOG: Creating a new client identity for bxb-oa-n3k-9 using the validator key.^[
[0m
2014 Jul 28 16:10:36 bxb-oa-n3k-9 %VMAN-5-VIRT_INST_NOTICE: VIRTUAL SERVICE chef
LOG: resolving cookbooks for run list: []^[[0m
2014 Jul 28 16:10:36 bxb-oa-n3k-9 %VMAN-5-VIRT_INST_NOTICE: VIRTUAL SERVICE chef
LOG: Synchronizing Cookbooks

Chef Ohai Example

References
• General Chef
• What is Chef? -- http://docs.getchef.com/chef_overview.html
• Basic Hands-on tutorial -- http://learn.getchef.com
• Chef Core Resource Types: http://docs.getchef.com/chef/resources.html
• Cisco Chef User Guide: << (still in pre-release draft) >>
• Cisco Chef Troubleshooting Guide: << (still in pre-release draft) >>
• Cisco Mail Lists:
• chef-agent-dev: alias of Cisco developers working on Chef agents
• Cookbook Git
– http://wwwin-gitweb.cisco.com/gitweb.cgi?p=one-agents/chef-cookbooks/package.git;a=summary

Puppet / Chef Differences
• Puppet uses a DSL as its configuration language (Ruby option available 2.6.0 – 3.1); Chef uses Ruby-like syntax in recipes.
• Puppet requests dependency declarations and satisfies them. Chef operates in the order in which resources appear in the cookbook.
• Puppet Enterprise runs on your machines, as does Private Chef. Hosted Chef runs in Chef’s cloud.
• Chef does more processing on the agent side, Puppet on the master.
• Chef is targeted more at the dev side of DevOps, Puppet at the sysadmin side.

Zero Touch Deployment
Rolling Your Own With EEM
Participants: Device, DHCP, TFTP, WEB

1. DHCP Discover
2. DHCP Offer
3. DHCP Request
4. DHCP Ack with option 67 and 150
5. Configuration file request
6. Configuration file sent (includes EEM applet)
7. Apply config and execute EEM applet
8. EEM applet requests EEM Tcl script
9. EEM Tcl script copied to local file system and registered by the EEM applet
10. EEM Tcl script triggered, and collects some system information
11. EEM Tcl script posts that information to the WEB server
12. WEB server sends back a set of instructions
13. EEM Tcl script: request new image if required
14. New image sent if required
15. EEM Tcl script: request new configuration
16. New configuration sent and applied
17. Change bootvar, save configuration, and reboot if required

Solution for Cisco Live San Francisco
More Details On This Solution at:
https://supportforums.cisco.com/blog/12218591/automating-cisco-live-2014-san-francisco

[Figure (Custom Web Portal): First-Time Boot, Provision Switch Assignments, Add Physical Switches, Profit!]

Programmable Network Layer

vAF

Empowering Customers to Innovate
• Automated Management Scripts
• Automated system visibility
• Automated fault detections
• Proprietary business functions
Cisco Delivers
• Network Element
• Feature rich, optimized, secure software stack
Cisco Customers
• Deploy & Manage NE
• Deploy Business Functions
Cisco Extensible Network Element Technologies
• Empower Cisco customers to innovate
• Decouples Cisco customer’s rate of innovation from Cisco s/w release cycle
[Diagram labels: Cisco Customer needs a new capability; Cisco Customer implements new capability; Cisco implements new capability; Cisco Customer Deploys new capability]

Cisco Extensible Network Technology Spectrum
[Diagram: spectrum from Closed System to Open System: Native Python, Application Hosting (OVA), Guest Shell, Bash]
Cisco supports a spectrum of technologies for realizing an Extensible Network Element

Source: Ben Golub; http://www.slideshare.net/dotCloud/golub-ben-arevmspasse

Linux Container (LXC) Basics
• Linux Containers (LXC) - a lightweight virtualization technology
– No hypervisor
– LXC shares the host kernel
• Namespace separation
– Process namespace
– File namespace
– Network namespace
• Cgroup – resource allocation and control
– CPU
– Memory
– Storage
• Networking Model: Shared Host Stack
– Services appear as applications running natively on the host
– Port addressable
[Diagram: Host with NXOS Processes and an LXC Container with Guest Application Processes, both on one Kernel (cgroups, namespace); interface GE1/1: 10.0.0.1]

LXC – Linux Containers
• LXC provides the guest environment its own process and network space.
• Utilizes underlying Linux Kernel features to contain processes:
– Kernel Control Groups (cgroups)
– Enhanced clone system calls
– Requires Linux kernel to be at least 2.6.24
• Does not emulate a hardware environment
• The guest Operating System uses the same kernel as the underlying host OS.
• Goal of LXC was to start with Linux and add isolation mechanisms.
[Diagram: LXC Containers: Container (Application 1, Application 2, Libraries), User space, Kernel – 2.6.24+]

LXC Container Use Cases
• Virtualized environment on a Cisco device.
• Use Case Cisco Virtual Services:
– ISR4451X-WAAS
• Use Case Cisco Agents:
– Nexus – Cisco Openflow Agent
– Nexus – Cisco Puppet Agent
• Use Case Third Party Services (onePK applications):
– Process Hosted OnePK Applications
• Cisco supports multiple service container environments
– LXC – Linux Containers
– KVM/QEMU - Hypervisor
[Diagram: Service Containers: Virtual Service Container, Network OS]

LXC – Linux Containers
• LXC Benefits
– Isolates Applications and Operating Systems
– Provides nearly native performance as LXC manages resource allocation in real-time
– More elastic than a full hypervisor
• Less time to start
• No need for a separate kernel boot
– Lightweight
• LXC Limitations
– Shares kernel with underlying OS
– Only allows for Linux guests
– Not a full virtualization stack
– Security depends on the host system
[Diagram: LXC Containers: Container (Application 1, Application 2, Libraries), User space, Kernel – 2.6.24+]

Containers Versus Hypervisors
Containers: OS kernel level abstraction
• Share the same kernel
• Easy resource management
Hypervisors: Hardware level abstraction
• Runs separate kernel copies
• Full hardware emulation within VM
[Diagram: Containers: Container 1 … Container N on the Host Operating System on Hardware. Hypervisors: VM 1 … VM N, each with a Guest OS, on the Hypervisor / Virtual Hardware Emulator on the Host Operating System on Hardware]

Nexus Container Network Model
Shared
Applications inside the container appear as applications running natively on the host

Examples: Nexus 3k, 9k, Cat 3k, 4k, Titanium

Shared namespace: Interfaces are directly mapped to container
[Diagram: Container 1, Container 2 and Container 3 each use Network namespace: Host, with container interfaces eth0, eth1, eth2; the Host platform uses Network namespace: Host, with physical interfaces eth0, eth1, eth2]
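The namespace and cgroup separation described on the LXC slides, and the shared network namespace of this model, can be checked from procfs. The following is an added example, not code from the session or from Cisco; the namespace identifiers and cgroup paths in it are constructed sample values, and the function names are hypothetical.

```python
import os

# Namespace kinds named on the slides: process (pid), file (mnt) and network (net).
NAMESPACES = ("pid", "mnt", "net")


def read_namespaces(pid="self", proc="/proc"):
    """Read the namespace identifiers of a live Linux process from procfs.

    Each /proc/<pid>/ns/<name> entry is a symlink such as 'net:[4026531956]';
    two processes are in the same namespace when the strings are equal.
    """
    found = {}
    for name in NAMESPACES:
        try:
            found[name] = os.readlink(os.path.join(proc, str(pid), "ns", name))
        except OSError:  # not Linux, process gone, or no permission
            found[name] = None
    return found


def parse_cgroups(text):
    """Parse /proc/<pid>/cgroup content into {controller: path}.

    cgroup v1 lines look like '2:cpu,cpuacct:/lxc/guest'; a cgroup v2 line
    is '0::/path' and is stored under the key 'unified'.
    """
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue
        controllers = parts[1].split(",") if parts[1] else ["unified"]
        for controller in controllers:
            groups[controller] = parts[2]
    return groups


def isolation_report(host_ns, guest_ns, host_cg, guest_cg):
    """Say, per namespace and per cgroup controller, whether guest and host differ."""
    report = {}
    for name in NAMESPACES:
        host_id, guest_id = host_ns.get(name), guest_ns.get(name)
        if host_id is None or guest_id is None:
            report["ns:" + name] = "unknown"
        else:
            report["ns:" + name] = "shared" if host_id == guest_id else "separate"
    for controller in sorted(set(host_cg) | set(guest_cg)):
        same = host_cg.get(controller) == guest_cg.get(controller)
        report["cgroup:" + controller] = "shared" if same else "separate"
    return report


# Constructed sample values (not captured from a device): a guest with its own pid
# and mount namespaces, the host's network namespace, and its own memory/cpu cgroups.
HOST_NS = {"pid": "pid:[4026531836]", "mnt": "mnt:[4026531840]", "net": "net:[4026531956]"}
GUEST_NS = {"pid": "pid:[4026532201]", "mnt": "mnt:[4026532199]", "net": "net:[4026531956]"}
HOST_CGROUP = "3:memory:/\n2:cpu,cpuacct:/\n"
GUEST_CGROUP = "3:memory:/lxc/guest\n2:cpu,cpuacct:/lxc/guest\n"

if __name__ == "__main__":
    report = isolation_report(HOST_NS, GUEST_NS,
                              parse_cgroups(HOST_CGROUP), parse_cgroups(GUEST_CGROUP))
    for key in sorted(report):
        print(key, report[key])
```

A "shared" result for ns:net is what the slide's model implies: a service listening inside the container is listening on the host's stack, so host-level filtering has to account for it.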

The Guest Shell
Guest Shell
Guest Shell is an embedded Linux environment that allows customers (DevOps) to develop and run custom applications for automated control and management of the Nexus family of datacenter switches.

NXOS CLI interface
• Access the Guest Shell from NXOS CLI
• Access NXOS CLI from within the Guest Shell
onePK APIs
• Access to a rich set of NXOS APIs for interface to management and datapath functions.
Python System APIs
• BCM shell ?
• What else?
bootflash
• Read/write access to the NXOS bootflash.

• Guest Shell is automatically enabled. Zero-touch.
• 64bit application environment
• Guest Shell ships with python support enabled.
• C and Java support can be added through YUM installs.
• Upgradeable rootfs packages
• Built on Secure LXC.

[Diagram: Open Source (tools, utilities, applications), Cisco DevNet Repository and 3rd Party Apps feed DevOps; the GUEST SHELL on Nexus, next to the NXOS CLI, holds onePK Apps, Python Apps, System APIs, Open Source Packages (Optional), Cisco Libraries (Optional) and a Python enabled root filesystem, inside a Secure Linux Container (sLXC) with bootflash access]

Guest Shell – What?
Guest Shell “What”
Linux Container Environment
• Symbiotic relationship with Network OS.
• Activated at boot time.
• Application and programmatic interface habitat.
• Can be resized as needed by user (via CLI).
Allows users access to embedded Linux system
Guest Shell Innards
• RPM package manager (yum)
• Python interpreter (pip support)
• onePK libraries
• bootflash: access
[Diagram labels: Modular, Resource Isolation, Secure Linux Environment, Integrated Service, Fault Isolation]

Guest Shell – How?
Cisco: Cisco bundles ova with native image build
ISV or Customer: Customer loads bundle
[Diagram labels: Cisco Artifact; Native Image; Network Operating System; Guest Shell OVA; Optional Third party Package; Package Bundle; OVA Image Load Manager]
Customer loads a bundle. Access to Guest-Shell achieved


Guest Shell – Why?

Hands on the Guest Shell
Entering the Guest Shell Console

guestshell
• Running with no arguments enters the Guest Shell
• Prompt changes to Linux Prompt

exit
• Exits session, returns you to router prompt

Connectivity Outside of the Guest Shell (chvrf)
chvrf
• Tool that allows users to choose vrf to communicate on
• First argument to tool is vrf name
• Second argument is command to run in that context
Usage:
• By default communication is performed using the default vrf
[Screenshot labels: Use management vrf; Default vrf used]
*Internally chvrf sets the DCOS_CONTEXT environment variable for life of command.

Dohost – Run Host OS CLI commands
dohost
• Tool that runs underlying Host OS commands
• Returns output of commands
• Can be used for both show and config commands
• Multiple commands can be entered separated by space
Usage
[Screenshot labels: Return code; Command output]
Return code and output for each command passed in

Running Guest Shell commands from Host OS
Host OS (Nexus) CLI

guestshell <command>
• Run guestshell commands from Host OS CLI
• Displays output of command on console

Scheduling Commands in Guest Shell
The Nexus scheduling feature can trigger Guest Shell commands and scripts on a periodic basis.

Cron within the Guest Shell can also be used. The cron package needs to be installed through rpm.

RPM package installs will be discussed in a later slide.

EEM and Guest Shell
The Embedded Event Manager can trigger Guest Shell commands and scripts as an action.
Enables enhanced EEM event detectors

Run Guest Shell command when applet triggers

Package Management – RPM - Part 1/3
RPM
• Red Hat Package Manager
• Used to manage installed packages on the device
Setup:
Create a file to point to RPM repository:

Set up DNS resolution

Ensure hostnames can be resolved correctly

Package Management – RPM - Part 2/3
Install packages
• Run yum install <package name>
• chvrf used to select vrf
• Run yum as sudo to resolve permissions issues

Package Management – RPM - Part 3/3
Helpful yum options
• yum list available
– See available packages
• yum list installed
– See installed packages
• yum remove <package>
– Remove an installed package

Package Management – PIP - Part 1/2
PIP
• Python package manager
• Pre-installed in Guest Shell environment

• pip freeze
– Show installed packages

Package Management – PIP - Part 2/2
PIP
• Uses web gets (wget) for information transfer
• Set web proxies if needed through environment variables
Setup:
Set web proxies if needed:
• http_proxy
• https_proxy

Set up DNS resolution

Install package
• pip install
• chvrf management for management vrf
• sudo -E
– -E will send environment variables to the sudo shell
– Used to pass the http*_proxy variables

Running Python in Guest Shell – Part 1/4
Python
• Version 2.7.3 is packaged
Interactively:

From Script
• Point to interpreter in text file
• #!/usr/bin/env python
• Will find location of installed python

Running Python in Guest Shell – Part 2/4
onePK
Python with onePK:
• onePK python libraries are packaged with Guest Shell

From Script
Import onepk libraries

Connect to Host OS with TIPC

Send message to Host OS syslog

Finding the onePK version:

onePK
• Version 1.3.0 packaged with Ashfield 3.1 Guest Shell

Running Python in Guest Shell – Part 3/4
Python
• Interpreted language
• Does not need to be compiled to machine specific bytecode
• Easy on-box modifications
Using Guest Shell as a Python Development Environment:
• Simple
• Fast
• Access to /bootflash for Host OS files
• On device editor makes for easy modifications
• No longer need to copy files off of device
• Can edit and run all from Host OS CLI:

Running Python in Guest Shell – Part 4/4
Python sockets
• Traditional socket calls available
– Create, Connect, Send, Close
– Create, Bind, Listen

Use Case:
Save configuration changes to git repository
Problem Definition
• Device configuration changes aren’t easily tracked
• Once a configuration change is committed it’s difficult to recover the previous
configuration state
• Configuration management systems are often proprietary and costly.

Solution
• The solution requires a git client installed in guest shell or linux container
• EEM used to track when a “copy run start” is issued
• EEM calls python script in guest shell/container to submit the config change to
the git repository
• Git client capable of forking existing repo (device configuration) and pulling
config to device

Implementation
• Split into two parts:
– EEM trigger on write memory and call guestshell python script
– Python script: git add / commit / push to repository

• Part 1: EEM
– event manager applet writer
– event cli match "copy running-config startup-config"
– action 1 cli copy running bootflash:/autoconfig/sturgis/running.latest
– action 2 cli guestshell sudo su - temp -c '/home/temp/tester.py'

Implementation
• Part 2: Python script

import os

# Promote the copy written by the EEM applet to the tracked file name
f = os.popen('mv -f /bootflash/autoconfig/sturgis/running.latest /bootflash/autoconfig/sturgis/running')
who = f.read()
f.close()
print("Result: %s" % who)

# Stage the tracked file in the git working tree
f = os.popen('cd /bootflash/autoconfig/sturgis; /bootflash/git add running')
who = f.read()
f.close()
print("Result: %s" % who)
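The slide shows only the move and the git add; the following added example (not the presenters' script) carries the add / commit / push sequence named in the implementation outline through, using argument lists instead of shell strings and checking each exit code. It is written for Python 3, whereas the slide's script targets the packaged Python 2.7; the function names, the commit message and the status strings are hypothetical, and the paths are the ones on the slide.

```python
import os
import subprocess

REPO_DIR = "/bootflash/autoconfig/sturgis"  # working tree path used on the slide
GIT = "/bootflash/git"                       # git client location used on the slide


def run_step(argv, cwd, runner=subprocess.run):
    """Run one command as an argument list (no shell) and return (exit_code, output)."""
    proc = runner(argv, cwd=cwd, stdout=subprocess.PIPE,
                  stderr=subprocess.STDOUT, universal_newlines=True)
    return proc.returncode, proc.stdout


def save_config(repo_dir=REPO_DIR, git=GIT, message="running-config saved",
                runner=subprocess.run, rename=os.replace):
    """Promote running.latest to running and push it if it changed.

    Returns "pushed", "unchanged", or "failed:<step>".
    """
    try:
        rename(os.path.join(repo_dir, "running.latest"),
               os.path.join(repo_dir, "running"))
    except OSError:
        return "failed:rename"

    code, _ = run_step([git, "add", "running"], repo_dir, runner)
    if code != 0:
        return "failed:add"

    # `git diff --cached --quiet` exits 0 when nothing is staged and 1 when
    # the staged file differs from the last commit.
    code, _ = run_step([git, "diff", "--cached", "--quiet"], repo_dir, runner)
    if code == 0:
        return "unchanged"
    if code != 1:
        return "failed:diff"

    for step, argv in (("commit", [git, "commit", "-m", message]),
                       ("push", [git, "push"])):
        code, _ = run_step(argv, repo_dir, runner)
        if code != 0:
            return "failed:" + step
    return "pushed"


if __name__ == "__main__":
    # Off-box there is no running.latest, so this prints "failed:rename".
    print("Result:", save_config())
```

The runner and rename parameters exist so the sequence can be exercised without a git client or a switch.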


Result

Take Away
• Cisco shows its agility and flexibility with container environments
• Containers separate the ties to Cisco release cycle
• Containers provide an environment that can be replicated across multiple machines
• Guest Shell opens up functionality such as the ability to edit files on machine, functionality that has not been possible in the past
• Facilitates interoperability with third party DevOps toolsets and workflows.

REST
REST Follows a Familiar Model
Web Browsing
• HTTP GET returns HTML
• Describes how data should be displayed to please human viewer
REST API
• HTTP GET returns JSON/XML
• Describes data in a format applications can understand
Example: Twitter: IDs of last five followers

{"ids":[303776224, 19449911, 607032789, 86544242, 2506725913, 17631389],
"next_cursor":0, "next_cursor_str":"0",
"previous_cursor":0,
"previous_cursor_str":"0"}

REST is An Architectural Style (Not a protocol)

REST= REpresentational State Transfer

Proposed by Roy Fielding in 2000

Developed by W3C in parallel with HTTP 1.1

Simple CRUD using HTTP

Stateless client-server model

Uses URIs to identify resources of interest

There Are LOTS of RESTful APIs

Why Does This Matter for Networking?
• Easy to use
• Human Readable
• Software Friendly
• Large Developer Base
• Client Libraries in Many Languages

REST: It’s Not Just for Web Services

REST: Coming Soon to a Device Near You
Supported on CSR1kV since XE 3.10
• ASR1K in XE 3.14
Primarily for Config
• DNS, NTP, Interface, Routing, ACL, NAT
Some Stats
• Interface, CPU, Memory
Runs in a service container
• Uses onePK Python APIs under the hood

JSON-RPC
Comparison: REST/JSON-RPC
Similar: Both Send/Receive JSON over HTTP

REST (CSR 1000v) JSON-RPC (N9K NX-API)

Comparison: REST/JSON-RPC
Different: Resources (URIs)

REST: Many Resources (CSR1kV)
• https://172.6.1.118/api/v1…
…/global/banner
…/global/hostname
…/global/reload
…/interfaces/…
…/routing-svc/…
…/nat-svc/…
…/acl/…
…

JSON-RPC: Few Resources (N9K)
• https://10.10.10.8/ins

Different: Methods

REST: Standard HTTP Methods
• GET: Retrieve/List
• PUT: Replace
• POST: Create New Entry
• DELETE: Delete

JSON-RPC: POST + body method

JSON-RPC Details
• A very simple remote procedure call protocol encoded in JSON, sent over HTTP
• http://www.jsonrpc.org/specification

JSON RPC Request Properties
• method – (string) name of the method to be invoked.
• params – (array) objects to be passed as parameters to the defined method.
• id – (any type) used to match the response with request

JSON RPC Response Properties
• result - data returned by the invoked method.
• error - specified Error code if there was an error invoking the method, otherwise null.
• id - id of the corresponding request.

NXAPI
• CLI Interaction with device over HTTP / HTTPS
• Input/Output encoded in JSON or XML (key for programmability)

Enabling NXAPI:
Switch# conf t
Switch(config)# feature nxapi
Switch(config)# exit

[Diagram: “Show Version” request sent over HTTP / HTTPS to the NXAPI Web Server (NGINX)]

Request:
[
  {
    "jsonrpc": "2.0",
    "method": "cli",
    "params": {
      "cmd": "show clock",
      "version": 1
    },
    "id": 1
  }
]

Response:
{
  "jsonrpc": "2.0",
  "result": {
    "body": {
      "simple_time": "15:00:37.762 PST Mon Aug 18 2014\n"
    }
  },
  "id": 1
}

NXAPI – Web Sandbox
Point browser to IP Address of Network Element

Enter CLI Commands

See formatted input and output

NXAPI – Python Generation

Click on the Python button, and the tool will generate Python interaction code for you.

NXAPI – Use Python to Interact
• Requests Module: HTTP for Humans
– Requests is an Apache2 Licensed HTTP library, written in Python.
• Opensource, can be downloaded from:
– https://pypi.python.org/pypi/requests
– http://docs.python-requests.org/en/latest/
• Easier to make HTTP calls via requests than via urllib2 (fewer statements)

import requests
import json

url = 'https://api.github.com/some/endpoint'
headers = {'content-type': 'application/json'}
payload = {'some': 'data'}

r = requests.post(url, data=json.dumps(payload), headers=headers)

NXAPI – Using Request to Get Version
#!/usr/bin/python

import requests
import json

"""
Modify these please
"""
url = 'http://127.0.0.1/ins'
switchuser = 'admin'
switchpassword = 'cisco'

myheaders = {'content-type': 'application/json-rpc'}
payload = [
    {
        "jsonrpc": "2.0",
        "method": "cli",
        "params": {
            "cmd": "show version",
            "version": 1
        },
        "id": 1
    }
]
# POST the JSON-RPC request with HTTP basic authentication and decode the JSON reply
response = requests.post(url, data=json.dumps(payload), headers=myheaders, auth=(switchuser, switchpassword)).json()

# Print the system version field from the "show version" reply
print(response['result']['body']['rr_sys_ver'])

Output:
6.1(2)I3(0.107)

NXAPI – Response dump – Show Version
Output
{
"jsonrpc": "2.0",
"result": {
"body": {
"header_str": "Cisco Nexus Operating System (NX-OS) Software…",
"bios_ver_str": "08.02",
"kickstart_ver_str": "6.1(2)I3(1)",
"bios_cmpl_time": "05/27/2014",
"kick_file_name": "bootflash:///n9000-dk9.6.1.2.I3.1.bin",
"kick_cmpl_time": " 9/27/2014 23:00:00",
"kick_tmstmp": "09/28/2014 06:23:37",
"chassis_id": "Nexus9000 C9504 (4 Slot) Chassis",
"module_id": "Supervisor Module",
"cpu_name": "Intel(R) Xeon(R) CPU E5-2403",
"memory": 16402332,
"mem_type": "kB",
"proc_board_id": "SAL1819RX8U",
"host_name": "riddle",
"bootflash_size": 21693714,
"kern_uptm_days": 0,
"kern_uptm_hrs": 0,
"kern_uptm_mins": 57,
"kern_uptm_secs": 8,
"rr_usecs": 91405,
"rr_ctime": " Mon Oct 20 17:44:24 2014\n",
"rr_reason": "Reset Requested by CLI command reload",
"rr_sys_ver": "6.1(2)I3(0.107)",
"rr_service": "",
"manufacturer": "Cisco Systems, Inc."
}
},
"id": 1
}

NXAPI: Example Use Case
• Nexus switches are often deployed in pairs.
• Configuration/parameters need to match.
• In topologies involving fabric path or VPC, vlan consistency is needed.
• How can python coding help here ?
– Use NXAPI to call some show commands
– Compare vlans on all the switches
– Configure missing vlans.
[Diagram: FabricPath]
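The three steps of this use case, together with the id matching and error property from the JSON-RPC Details slide, as an added example that is not part of the original session. Assumptions: the "show vlan brief" field names (TABLE_vlanbriefxbrief, ROW_vlanbriefxbrief, vlanshowbr-vlanid) and the batching of "conf t" with the vlan commands are not on the slides, the two replies are constructed sample data, and the switch names and function names are hypothetical.

```python
import json

HEADERS = {"content-type": "application/json-rpc"}


def rpc_batch(commands):
    """Build a JSON-RPC 2.0 batch in the shape shown on the NXAPI slides.

    Each command gets its own id so responses can be matched to requests.
    """
    return [{"jsonrpc": "2.0", "method": "cli",
             "params": {"cmd": cmd, "version": 1}, "id": i}
            for i, cmd in enumerate(commands, start=1)]


def send(url, user, password, payload, ca_bundle=True, post=None):
    """POST a batch to a switch; ca_bundle is passed to requests as `verify`."""
    if post is None:
        import requests  # imported lazily so the parsing helpers work without it
        post = requests.post
    reply = post(url, data=json.dumps(payload), headers=HEADERS,
                 auth=(user, password), verify=ca_bundle, timeout=10)
    reply.raise_for_status()
    return reply.json()


def result_for(response, request_id):
    """Return the 'result' whose id matches; raise if the switch reported an error."""
    items = response if isinstance(response, list) else [response]
    for item in items:
        if item.get("id") == request_id:
            if item.get("error"):
                raise RuntimeError("request %s failed: %s" % (request_id, item["error"]))
            return item.get("result")
    raise KeyError("no response with id %s" % request_id)


def vlan_ids(result):
    """Extract VLAN ids from a 'show vlan brief' result (assumed field names).

    A single VLAN arrives as one dict, several VLANs as a list of dicts.
    """
    rows = result["body"]["TABLE_vlanbriefxbrief"]["ROW_vlanbriefxbrief"]
    if isinstance(rows, dict):
        rows = [rows]
    return {int(row["vlanshowbr-vlanid"]) for row in rows}


def missing_vlans(vlans_by_switch):
    """For each switch, list the VLANs that exist on a peer but not locally."""
    everything = set().union(*vlans_by_switch.values())
    return {name: sorted(everything - have) for name, have in vlans_by_switch.items()}


def fix_batch(missing):
    """Build the configuration batch for one switch (assumed: 'conf t' leads the batch)."""
    if not missing:
        return []
    return rpc_batch(["conf t"] + ["vlan %d" % vlan for vlan in missing])


# Constructed sample replies to rpc_batch(["show vlan brief"]), not device captures.
SWITCH_A_REPLY = {"jsonrpc": "2.0", "id": 1, "result": {"body": {"TABLE_vlanbriefxbrief": {
    "ROW_vlanbriefxbrief": [{"vlanshowbr-vlanid": "1"}, {"vlanshowbr-vlanid": "10"},
                            {"vlanshowbr-vlanid": "20"}]}}}}
SWITCH_B_REPLY = {"jsonrpc": "2.0", "id": 1, "result": {"body": {"TABLE_vlanbriefxbrief": {
    "ROW_vlanbriefxbrief": {"vlanshowbr-vlanid": "1"}}}}}

if __name__ == "__main__":
    seen = {"switch-a": vlan_ids(result_for(SWITCH_A_REPLY, 1)),
            "switch-b": vlan_ids(result_for(SWITCH_B_REPLY, 1))}
    for name, gap in sorted(missing_vlans(seen).items()):
        print(name, "missing", gap, "->", [e["params"]["cmd"] for e in fix_batch(gap)])
```

On a live pair, each reply would come from send() against the switch's /ins URL over HTTPS, and the batch from fix_batch() would be sent back the same way.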

Dev Ops - Plug Ins
Dev Ops Plug-ins
– Container based packaging of Dev Ops agents
– Ova as unit of packaging
– Device hosted
• Software runs on local device
– Standard
• Standard Linux software
– Software independence
• Secure: Not running in host OS
• TTM: Host release independence, fast TTM
[Diagram: NOS and Container on OS/Linux on Switch/Router]

Schedule
9:00 - Introduction
Theory Part I
Lab Part I
Theory Part II
Lab Part II
Theory Part III
Lab Part III
-18:30 Close

Control Layer
{Programmable, App-Centric, Virtual}

Cisco Enterprise ACI – Controller Layer
[Diagram, top to bottom:
– Controller Layer (Orchestration + Analytics)
– Virtual / Overlay Networks
– Programmable Network Layer (Physical + Virtual): Device Interfaces and Agents – (onePK, OpenFlow, OpenStack, I2RS, …); Cisco IOS (Enterprise, Data Center, Service Provider); Data Plane – (ASIC and Software)]

Cisco Enterprise ACI – Controller Layer
Major Milestones of Controller Development
• Q4 2011: CSDN Controller. Experimental for Academia (Indiana University, Uni Wisconsin)
• Q2 2012: CiscoONE Controller. Early Adopter Deployments, 12+ Customers (Enterprise and Academia)
• April 2013: OpenDaylight Controller. Open Source Community Driven
• Sept 2013: Cisco XNC Controller. Production Release, XNC 1.0 GA September 2013
• Q1 2015: Cisco APIC-EM Controller. Production Release, Announced CiscoLive ‘14
• 2015 …: Cisco Open SDN Controller. Best of Both, EFT Q1 2015
[Diagram: Controller Layer (Orchestration + Analytics) above the Programmable Network Layer: Network, Data Plane – (ASIC and Software)]

Cisco Enterprise ACI – Controller Layer
[Diagram: Controller Layer (Orchestration + Analytics), top to bottom:
– Application Interfaces – (OSGi, REST, …)
– Controller Applications: Flow Manager, TIF, Slice Manager
– Controller Advanced Functionality: Authentication, Troubleshooting
– Controller Core
– Service Abstraction Layer: CLI, SNMP, …
Programmable Network Layer: Network, Data Plane – (ASIC and Software)]

Cisco Enterprise ACI – APIC Enterprise Module
Cisco Applications based on APIC-EM
• Path Visualization and Inventory
• QoS Automation
• ACL / Security Automation
• Plug-N-Play
• IWAN Automation
• …
[Diagram: Controller Layer (Orchestration + Analytics): Application Interfaces – (OSGi, REST, …); Controller Advanced Functionality; Controller Core; Service Abstraction Layer: CLI, SNMP, …. Programmable Network Layer: Network, Data Plane – (ASIC and Software)]

Cisco Enterprise ACI – Common Policy Namespace
[Diagram: App Profile and User Profile (ISE) above the Controller Layer (Orchestration + Analytics), above the Programmable Network Layer spanning CLOUD, DATA CENTER, WAN, ACCESS]

APIC EM Apps innovate on design simplicity and intuitiveness

© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 261
The focus is on interacting with the network based on intent-based policies; network configuration is by itself prescriptive and completely abstracts out the complexity

Cisco Intent Policy Management
Translation of high level constructs to network control functions reduces skills gaps and clarifies policy procedures
[Diagram: Intent Policies (High Level Constructs), Translation, Network Control Functions: QoS, Configuration, ACL; Intuitive Visualization]

System of Change vs. System of Record

APIC EM: System of Change
• Policy enforcement
• Discovery (for change)
• Topology (for change)
• PnP
• Network state monitoring
• Device abstraction
• Network Control

Prime Infra: System of Record
• Policy definition
• Historical reporting on events, performance and configuration changes
• Troubleshooting workflows
• Capacity Trending
• Predictive Analytics

[Diagram labels: Intuitive Visualization; Open REST API; Cisco APIC Enterprise Module; OpenDaylight Controller Architecture]

APIC-EM Services
APIC - Enterprise Module: Services Layered View
[Diagram, recoverable labels:
– APIC-EM Apps: App 1, App 2, IWAN Map, Collab
– NB REST API
– APIC-EM Services, grouped under NETWORK MODEL, DEVICE MODEL and DEVICE INTERFACE: Easy QoS, Policy Analysis, Policy Manager, Business Intent to Network Intent Conversion (BI and NI), Conflict Detection and Resolution, Topology, ZTD, Policy Programmer (QoS, ACL), Network Tapping, Application Visibility, PfR, Network Discovery, Network Inventory, Network Programmer, Network Events
– IWAN Services
– Basic Services for Controller Availability: Pxgrid Client + LDAP client, Radius Proxy + LDAP client]

APIC-EM Path Visualization and ACL Analysis
Hop-by-hop Details specific to 5-tuple Path

APIC-EM Path Visualization and ACL Analysis
Quickly identify ACL conflicts and shadows

Controller Layer
[Diagram, top to bottom:
– Controller Layer (Orchestration + Analytics): Application Interfaces – (OSGi, REST, …); Controller Advanced Functionality; Controller Core; Service Abstraction Layer: CLI, SNMP, …
– Virtual / Overlay Networks
– Programmable Network Layer (Physical + Virtual): Device Interfaces and Agents – (onePK, OpenFlow, OpenStack, I2RS, …); Cisco IOS (Enterprise, Data Center, Service Provider); Data Plane – (ASIC and Software)]

Cisco Enterprise ACI
Network-aware Users and Applications – across Business Domains and Segments
[Diagram, top to bottom:
– Applications
– Cisco Unified Framework: Application Enablement Platform; ICT Governance and Operations
– Application Centric Infrastructure: SLA, QoS, Security, Load Balancing; Identity, Location, Device Type, Device Posture
– Controller Layer (Orchestration + Analytics): Service Abstraction Layer, Common Policy Model; CLI, SNMP, …
– Virtual / Overlay Networks
– Programmable Network Layer (Physical + Virtual): Device Interfaces and Agents – (onePK, OpenFlow, OpenStack, I2RS, …); Cisco IOS (Enterprise, Data Center, Service Provider); Data Plane – (ASIC and Software)]

APIC-EM in DevNet
• DevNet Portal: Developer APIs, SDKs
• Community Forum: Integrated with Cisco Communities
• DevNet Sandbox: Developer Lab in the Cloud & SW download.
• DevNet Zone!: Cisco’s First Developer Conference
https://developer.cisco.com/site/apic-em/

APIC-EM in DevNet Sandbox
Login at developer.cisco.com
https://developer.cisco.com/site/apic-em/
(note: password may not be synchronized with the rest of cisco.com)

Navigate to Sandbox

APIC-EM in dCloud

• Cloud-based Demos
(and Learning)
• Scheduled or on-demand
• Customize and Save your own
• Login to:
http://dcloud.cisco.com

Hands-On: APIC-EM REST API

APIC-EM REST API – Python Sandbox Login
PC Session User Password PC Session User Password PC Session User Password
1 40189 11 40199 21 40209
2 40190 12 40200 22 40210
3 40191 13 40201 23 40211
4 40192 14 40202 24 40212
5 40193 15 40203 25 40213
6 40194 16 40204 26 40214
7 40195 17 40205 27 40215
8 40196 18 40206 28 40216
9 40197 19 40207 29 40217
10 40198 20 40208 30 40218

1) Launch Cisco AnyConnect Secure Mobility Client
2) Connect to dcloud-lon-anyconnect.cisco.com
3) Start Scenario 1 in “APIC-EM Python Sandbox Guide”
Remote Desktop Connection to wkst1 (198.18.133.36 Administrator/C1sco12345)

APIC-EM Northbound REST API
Problem: How to get started with a Controller API?
Solution: Explore

Example:
1) In the APIC-EM User Interface,
click on [API]
2) Navigate to the desired API
in our example:
/network-device/count

3) Note Request URL
https://<APIC-EM IP>/api/v0/ + /network-device/count
4) Prototype in Chrome/Postman
5) Code in your App (Python, Java, …)

APIC-EM – Topology API
Problem: How to interact with Device and Topology data via the REST API?
Solution: Let’s Explore

Example:
1) In the APIC-EM User Interface,
click on [API]
2) Drill down to Topology

3) Let’s look at L3
Routing Topology …

APIC-EM – Topology API
4) Try it out: http://<APIC-EM IP>/api/v0/topology/ospf

5) The Response Body includes … :

… Nodes …
{ "response": {
    "nodes": [
      { "deviceType": "ROUTER",
        "label": "SDN-BRANCH-ISR4451",
        "id": "2504be29-7684-43ae-8417-a75ca618287c",
        "x": 182,
        "y": 43,
        "ip": "40.0.2.2",
        "softwareVersion": "03.11.00.S",
        "osType": "isr4400-universalk9.03.**.bin",
        "fixed": true,
        "role": "Border Router",
        "nodeType": "device",
        "deviceRoleOrigin": "auto",
        "aclApplied": true,
        "family": "ISR4451-X/K9"
      },
      :
      { "deviceType": "SWITCH",
        "label": "SDN-CAMPUS-C4K",
        "id": "e5f93514-3ae5-4109-8b52-b9fa876e1eae",
        "x": 40,
        "y": 108,
        "ip": "40.0.1.30",
        "softwareVersion": "03.03.02.SG",
        "fixed": true,
        "role": "Distribution",
        "nodeType": "device",
        "deviceRoleOrigin": "auto",
        "aclApplied": true,
        "family": "C4507R"
      },
      :
      { "deviceType": "WIRED",
        "label": "40.0.5.12",
        "id": "8f41bef8-698c-4701-af14-471e910ed9ff",
        "x": 200,
        "y": 108,
        "ip": "40.0.5.12",
        "fixed": true,
        "role": "host",
        "greyOut": true,
        "nodeType": "host"
      },
      :

APIC-EM – Topology API
… Links …
"links": [ {
    "id": "4bde281e-e079-40ca-9427-647bb360a429",
    "source": "a632c6e8-89bf-4949-8e4d-a249105f2c7c",        <-- Source Node ID
    "startPortID": "d3054716-73ed-4a6c-89c9-095ebe7f3445",
    "target": "526c8fc6-f732-41a9-9faf-5876293a2e8c",        <-- Target Node ID
    "endPortID": "2fdb927f-a5a7-47b2-bbed-8499c1c12105"
  },
  :

… and Node Sets for arbitrary grouping

"nodeSet": [ {
    "name": "access-SDN-BRANCH-3750-STACK",
    "id": "SET-7895a45f-47aa-42ee-9d06-c66d3b784594",
    "type": "access",
    "root": "7895a45f-47aa-42ee-9d06-c66d3b784594",
    "nodes": [
      "8f41bef8-698c-4701-af14-471e910ed9ff",
      "c40e4287-4263-498a-852b-8944e089d427",
      "7895a45f-47aa-42ee-9d06-c66d3b784594" ],
    :
  },
  :

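Links carry only node IDs, so a client has to join them against the node list before the topology is readable. The following is an added example, not part of the original slides or of APIC-EM: it resolves link endpoints to node labels, reports links that point at unknown nodes, and lists hosts attached to devices whose aclApplied flag is not true. The sample data is constructed, and reading aclApplied as "an ACL is applied on this device" is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample shaped like the topology response shown above. Field names
# come from the slides; the short IDs and the aclApplied values are invented.
SAMPLE_TOPOLOGY = json.loads("""
{"response": {
  "nodes": [
    {"id": "n-rtr", "label": "SDN-BRANCH-ISR4451", "deviceType": "ROUTER",
     "ip": "40.0.2.2", "role": "Border Router", "nodeType": "device", "aclApplied": true},
    {"id": "n-sw", "label": "SDN-CAMPUS-C4K", "deviceType": "SWITCH",
     "ip": "40.0.1.30", "role": "Distribution", "nodeType": "device", "aclApplied": false},
    {"id": "n-host", "label": "40.0.5.12", "deviceType": "WIRED",
     "ip": "40.0.5.12", "role": "host", "nodeType": "host"}
  ],
  "links": [
    {"id": "l-1", "source": "n-rtr", "target": "n-sw"},
    {"id": "l-2", "source": "n-sw", "target": "n-host"},
    {"id": "l-3", "source": "n-sw", "target": "n-gone"}
  ]
}}
""")


def index_nodes(topology):
    """Map node id -> node dict; refuse duplicate ids instead of overwriting."""
    nodes = {}
    for node in topology["response"].get("nodes", []):
        if node["id"] in nodes:
            raise ValueError(f"duplicate node id {node['id']}")
        nodes[node["id"]] = node
    return nodes


def build_adjacency(topology):
    """Return ({label: [neighbour labels]}, [ids of links with an unknown endpoint])."""
    nodes = index_nodes(topology)
    adjacency = defaultdict(set)
    dangling = []
    for link in topology["response"].get("links", []):
        src, dst = link.get("source"), link.get("target")
        if src not in nodes or dst not in nodes:
            dangling.append(link["id"])  # stale or partial data: do not guess
            continue
        adjacency[nodes[src]["label"]].add(nodes[dst]["label"])
        adjacency[nodes[dst]["label"]].add(nodes[src]["label"])
    return {label: sorted(peers) for label, peers in adjacency.items()}, dangling


def devices_without_acl(topology):
    """Labels of network devices whose aclApplied flag is missing or false."""
    return sorted(
        node["label"]
        for node in index_nodes(topology).values()
        if node.get("nodeType") == "device" and not node.get("aclApplied", False)
    )


def hosts_behind_unfiltered_devices(topology):
    """Map each device without an ACL to the hosts directly attached to it."""
    adjacency, _ = build_adjacency(topology)
    by_label = {node["label"]: node for node in index_nodes(topology).values()}
    exposed = {}
    for device in devices_without_acl(topology):
        hosts = [peer for peer in adjacency.get(device, [])
                 if by_label[peer].get("nodeType") == "host"]
        if hosts:
            exposed[device] = hosts
    return exposed


if __name__ == "__main__":
    adjacency, dangling = build_adjacency(SAMPLE_TOPOLOGY)
    for label, peers in sorted(adjacency.items()):
        print(f"{label}: {', '.join(peers)}")
    print("links with unknown endpoints:", dangling)
    print("hosts behind devices without an ACL:",
          hosts_behind_unfiltered_devices(SAMPLE_TOPOLOGY))
```

Labels are used as dictionary keys here, which assumes they are unique within one response.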
APIC-EM REST API – Tasks
Scenario 1 – Using Python / PyCharm
• List Device Inventory
• Create ACL Policy
• Delete ACL Policy

Scenario 2 – Using Postman / Chrome
• Count Number of Devices in Inventory

Putting Things Together

Troubleshooting Stuff
Has This Ever Happened To You?

Have you ever been woken up for a VPN tunnel hit?

Have you ever stared at a console waiting for a memory leak to reoccur?

Have you ever been alerted to a problem by 1000 users calling the NOC?

Reactive > Proactive With Automation and Programmability
• DETAILED – An insider’s view gives you more granular information
than you could afford to collect through external communication
• RELIABLE – Captures reliable information within the device when
connectivity to external systems is not available or reliable
• EVENT-DRIVEN – Automation and programmability provide event hooks
integrated with OS modules to generate events, so you can avoid
constant polling
• RICHNESS – Network programmability can provide visibility into parts of
the network never before possible

What Can Automation Do for Me?
Challenge 1: Every few weeks a router is running low on memory
around 2 am, and I want to find out what’s happening
• Solution: An EEM policy can be triggered based on the memory utilization, capture the
memory information and send the output with Syslog or Email

Challenge 2: My devices are running into a bug where “show ip
ospf database” causes them to crash. I want to prevent the
command from being run until I can upgrade
• Solution: An EEM policy can trigger when “show ip ospf database” is executed and stop
the command from running and the device from crashing.

Challenge 3: I want devices to run an automated set of
diagnostics that are periodically updated in a central database.
• Solution: A onePK application can be used to connect to the central database, extract
the commands given the device’s place in the network, run the diagnostics, and then
report the results

Warm Up
Real-World Example

Automate Diagnostics
event manager applet LOW_IO_MEM
event snmp oid 1.3.6.1.4.1.9.9.48.1.1.1.6.1 get-type exact entry-op lt entry-val "4000000" poll-interval 60
action 0.0 syslog msg "LOW MEMORY DETECTED. Please wait – logging information to flash:low_mem.txt"
action 0.1 cli command "enable"
action 0.2 cli command "term exec prompt timestamp"
action 1.2 cli command "show memory statistics | append flash:low_mem.txt"
action 1.3 cli command "show process mem sorted | append flash:low_mem.txt"
action 2.3 cli command "show mem all total | append flash:low_mem.txt"
action 3.2 cli command "show log | append flash:low_mem.txt"
action 3.3 cli command "show tech | append flash:low_mem.txt"
action 3.4 cli command "show mem debug leaks summ | append flash:low_mem.txt"

• Capture the required diagnostic information at the time a low I/O memory event
occurs
• Save the data for future analysis and alert the operators that the problem has
occurred
• This simple applet is extremely popular in TAC, where it is used every time a
low I/O memory case is being diagnosed

Real-World Example

Automate Bug Workarounds


• When bugs like CSCso53115 occur (and MGCP fails to reinitialize on reboot), EEM comes to the rescue
• Automate the workaround described in the bug
– “Once the router comes up, perform a "no mgcp" / "mgcp" to force the MGCP to reinitialize. This will cause MGCP to come up and work correctly.”
• When the router reboots, EEM automatically reconfigures MGCP thus ensuring no user intervention is required

event manager applet workaround_CSCso53115
event timer cron cron-entry @reboot
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "no mgcp"
action 4.0 cli command "mgcp"
action 5.0 cli command "end"

Real-World Example

A Network “Top”

• Use onePK to build a live process monitor similar to UNIX top
• The same app can connect to multiple devices to display the top processes across the entire network

A Brisk Walk
Real-World Example

Alert on a Route Change


• Do you know when a critical route goes away?
• Unfortunately, there are no built-in notifications when the routing table changes
• Use EEM to proactively notify operations when any change occurs

event manager applet route_table_monitor
event routing network 0.0.0.0/0 type all ge 1
action 1.0 syslog msg "Route changed: Type: $_routing_type, Network: $_routing_network, Mask/Prefix: $_routing_mask, Protocol: $_routing_protocol, GW: $_routing_lastgateway, Intf: $_routing_lastinterface"

Jan 2 02:34:45.381: %HA_EM-6-LOG: route_table_monitor: Route changed: Type: remove, Network: 10.14.1.0, Mask/Prefix: 255.255.255.0, Protocol: OSPF, GW: 10.14.1.1, Intf: GigabitEthernet0/0

Real-World Example

Monitor an Interface for Errors


• Interface errors can be the silent killer
• As the interface takes errors, performance suffers but no alerts are seen
• Using EEM, we can monitor for increases in errors, send notifications, or trigger a fail-over

event manager applet error_monitor
event interface name GigabitEthernet0/1 parameter input_errors entry-op ge entry-val 5 entry-type increment poll-interval 10
action 1.0 syslog priority errors msg "Interface GigabitEthernet0/1 has seen $_interface_delta_value input errors in the past 10 seconds; failing over HSRP"
action 2.0 cli command "enable"
action 2.1 cli command "config t"
action 2.2 cli command "int gi0/1"
action 2.3 cli command "shut"
action 2.4 cli command "end"

Jan 2 02:34:45.381: %HA_EM-3-LOG: error_monitor: Interface GigabitEthernet0/1 has seen 7 input errors in the past 10 seconds; failing over HSRP

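The route_table_monitor and error_monitor applets both report through %HA_EM-n-LOG syslog messages, which a collector can turn into structured events. The following is an added example, not part of the original slides: it parses both message formats and raises an alert when a route inside a watched prefix is removed or when an applet logs interface errors at severity 3 or higher. The first two sample lines are the ones shown on the slides, the others are constructed, and the watched prefix is an assumption.

```python
import ipaddress
import re

# "<timestamp>: %HA_EM-<severity>-LOG: <applet name>: <message>"
HA_EM = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+):\s+%HA_EM-(?P<sev>[0-7])-LOG:\s+"
    r"(?P<applet>[\w-]+):\s+(?P<msg>.*)$"
)
ROUTE = re.compile(r"^Route changed:\s+(?P<fields>.+)$")
FIELD = re.compile(r"([A-Za-z/]+):\s*([^,]*)")  # "Key: value" pairs split on commas
IF_ERRORS = re.compile(
    r"^Interface (?P<intf>\S+) has seen (?P<count>\d+) input errors "
    r"in the past (?P<window>\d+) seconds"
)

SAMPLE_LOG = [
    # From the slides:
    "Jan 2 02:34:45.381: %HA_EM-6-LOG: route_table_monitor: Route changed: "
    "Type: remove, Network: 10.14.1.0, Mask/Prefix: 255.255.255.0, "
    "Protocol: OSPF, GW: 10.14.1.1, Intf: GigabitEthernet0/0",
    "Jan 2 02:34:45.381: %HA_EM-3-LOG: error_monitor: Interface "
    "GigabitEthernet0/1 has seen 7 input errors in the past 10 seconds; "
    "failing over HSRP",
    # Constructed for this example:
    "Jan 2 02:40:10.004: %HA_EM-6-LOG: route_table_monitor: Route changed: "
    "Type: add, Network: 10.14.2.0, Mask/Prefix: 255.255.255.0, "
    "Protocol: OSPF, GW: 10.14.1.1, Intf: GigabitEthernet0/0",
    "Jan 2 02:41:00.120: %HA_EM-6-LOG: route_table_monitor: Route changed: "
    "Type: remove, Network: 192.0.2.0, Mask/Prefix: 255.255.255.0, "
    "Protocol: OSPF, GW: 10.14.1.1, Intf: GigabitEthernet0/0",
    "Jan 2 02:41:05.500: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, "
    "changed state to down",
]


def parse_line(line):
    """Return a dict for an EEM-generated syslog line, or None for anything else."""
    match = HA_EM.match(line.strip())
    if not match:
        return None
    event = {"timestamp": match["ts"], "severity": int(match["sev"]),
             "applet": match["applet"], "msg": match["msg"], "kind": "other"}
    route = ROUTE.match(match["msg"])
    if route:
        event["kind"] = "route"
        event.update({k: v.strip() for k, v in FIELD.findall(route["fields"])})
        return event
    errors = IF_ERRORS.match(match["msg"])
    if errors:
        event.update(kind="interface-errors", intf=errors["intf"],
                     count=int(errors["count"]), window=int(errors["window"]))
    return event


def triage(lines, watched_prefixes):
    """Return alert tuples for removed watched routes and logged interface errors."""
    watched = [ipaddress.ip_network(prefix) for prefix in watched_prefixes]
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        if event["kind"] == "route" and event.get("Type") == "remove":
            try:
                # Accepts a dotted netmask or a prefix length after the slash.
                net = ipaddress.ip_network(
                    f"{event['Network']}/{event['Mask/Prefix']}", strict=False)
            except (KeyError, ValueError):
                alerts.append(("unparsed-route", event["applet"], event["msg"]))
                continue
            if any(net.version == w.version and net.subnet_of(w) for w in watched):
                alerts.append(("route-removed", str(net), event.get("GW", "")))
        elif event["kind"] == "interface-errors" and event["severity"] <= 3:
            alerts.append(("interface-errors", event["intf"], event["count"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, ["10.14.0.0/16"]):
        print(alert)
```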
Path Failover
• EEM, IPSLA, and enhanced object tracking can help fail over a path if an intermediate hop fails
• EEM can augment standard failover to make sure the existing path is stable enough before restoring main-path traffic flow

[Diagram: HQ and Remote Office, with a failure (X) on the path between them]

Real-World Example

Failover With Dampening


IPSLA + Object Tracking
ip sla 1
icmp-echo 10.1.1.1 source-interface Serial0/0
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

Real-World Example

Failover With Dampening

EEM “Down” Applet
event manager applet track_down
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "int tun0"
action 4.0 cli command "no shut"
action 5.0 cli command "no event manager applet track_timer"
action 6.0 cli command "end"

Real-World Example

Failover With Dampening

EEM “Up” Applet
The environment variable q holds a double quote. This is needed to embed quotes in EEM applets.
The applet runs when track 1 comes back up and builds the track_timer applet, which makes sure the path is stable for five minutes.

event manager environment q "
event manager applet track_up
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "event manager applet track_timer"
action 3.1 cli command "event timer countdown time 300"
action 3.2 cli command "action 1.0 cli command enable"
action 3.3 cli command "action 2.0 cli command $q config t$q"
action 3.4 cli command "action 3.0 cli command $q int tun0$q"
action 3.5 cli command "action 4.0 cli command shut"
action 3.6 cli command "action 5.0 cli command $q no event manager applet track_timer$q"
action 3.7 cli command "action 6.0 cli command end"
action 3.8 cli command "end"

Real-World Example

Failover With Dampening

Embedded Applet (Runs if the path is stable for five minutes)
event manager applet track_timer
event timer countdown time 300
action 1.0 cli command enable
action 2.0 cli command " config t"
action 3.0 cli command " int tun0"
action 4.0 cli command shut
action 5.0 cli command " no event manager applet track_timer"
action 6.0 cli command end

Diagnostic Tools
Embedded Packet Capture (EPC)
Overview
• Capture packets flowing from, to, or through a given device
• Captures can be filtered using ACLs
• Captured packets can be exported for analysis in sniffer programs such as Wireshark
• CEF and process switched flows are supported
• IPv4 and IPv6 are supported

EASy package available to automate EPC sessions at http://tools.cisco.com/squish/b35c5

Available from: Cisco IOS 12.4(20)T and 12.2(33)SRE (7200 only)

Source: http://tools.cisco.com/squish/4AbbF

Generic Online Diagnostics (GOLD)
• Boot up Diagnostics (upon boot and OIR)
• Periodic Health Monitoring (during operation)
• On Demand (from CLI)
• Scheduled Testing (from CLI)
• Test Types include:
– Packet switching tests
• Are supervisor control plane & forwarding plane functioning properly?
• Is the standby supervisor ready to take over?
• Are line cards forwarding packets properly?
• Are all ports working?
• Is the backplane connection working?
– Memory Tests
– Error Correlation Tests
• Complementary to POST
Leading Practice: schedule all non-disruptive tests periodically
Available from: CatOS 8.5(1), IOS 12.2(14)SX
Platforms: CBS 3xxx, Cat 3560, 3750, 6500, ME6524, 72xx, 10k, CRS

Generic Online Diagnostics (GOLD) – 3/4
1) Let’s see which GOLD tests are available and scheduled for our Module:
Router# show diagnostic content module 3
Module 3:

Diagnostics test suite attributes:


M/C/* - Minimal level test / Complete level test / Not applicable
B/* - Bypass bootup test / Not applicable
P/* - Per port test / Not applicable
D/N/* - Disruptive test / Non-disruptive test/ Not applicable
S/* - Only applicable to standby unit / Not applicable
X/* - Not a health monitoring test / Not applicable
F/* - Fixed monitoring interval test / Not applicable
E/* - Always enabled monitoring test / Not applicable
A/I - Monitoring is active / Monitoring is inactive

ID Test Name Attributes (day hh:mm:ss.ms)


==== ================================== ============ =================
1) TestScratchRegister -------------> *B*N****A 000 00:00:30.00
2) TestSPRPInbandPing --------------> *B*N****A 000 00:00:15.00
:
18) TestL3VlanMet -------------------> M**N****I not configured
:

See: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/diagtest.html

Generic Online Diagnostics (GOLD) – 2/4

Problem: Repeated insertion and removal of Modules can lead to wear and
tear damage on connectors. This in turn can cause failures … how do you
find out during operation, without power-cycling the box ?
Solution: Use GOLD to verify functionality of a mis-behaving module

Generic Online Diagnostics (GOLD) – 4/4
2) Now let’s run TestL3VlanMet on-demand for Module 3:

Router# diagnostic start module 3 test 18


:
00:09:59: %DIAG-SP-3-MINOR: Module 3: Online Diagnostics detected a Minor Error. Please use 'show
diagnostic result <target>' to see test results.
show diagnostics result module 3 detail
3) Then check the test results:
Router# show diagnostic result module 3
Module 3: CEF720 48 port 1000mb SFP SerialNo : xxxxxxxx

Overall Diagnostic Result for Module 3 : MINOR ERROR


Diagnostic level at card bootup: minimal

Test results: (. = Pass, F = Fail, U = Untested)


1) TestTransceiverIntegrity:
Port 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
----------------------------------------------------------------------------
U U U U U U U U U U U U U U U U U U U U U U U U

Port 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
----------------------------------------------------------------------------
U U U U U U U U U U U U U U U U U U U U U U U U

:
:
18) TestL3VlanMet -------------------> F

GOLD and Automations
Combining GOLD and Embedded Automation

• GOLD Event Detector: to trigger EEM actions based on GOLD test results (custom alerts, failover, diagnostics, ...)
• CDP/LLDP, OIR or CLI Event Detector: to trigger an on-demand GOLD or TDR test as post-validation of deployment or maintenance work

Real-World Example

Example: Preventive Failover and Recovery


Problem: How to initiate preventive Maintenance in a HA Environment?
Solution 1: Manually change topology after a low priority Syslog warning has been seen (and understood)
Solution 2: Use Cisco IOS Network Automation to schedule a HSRP failover upon GOLD hardware diagnostics result

1. Cisco IOS Generic Online Diagnostics (GOLD) detects a potential hardware problem
2. GOLD Event is detected by Embedded Event Manager (EEM) – which schedules an HSRP Failover upon next maintenance window
3. HSRP Failover to Standby node
4. Preventive maintenance / replacement activity can now take place on Primary node

[Diagram: HSRP pair with Primary (Active) and Standby nodes, each running EEM, with steps 1 to 3 marked]

Let’s Start Jogging
Diagnosing Transient Problems
Problem: Periodically, your network encounters strange problems that cause
connectivity issues or performance problems. You’d like to be able to look at the
traffic on the network when the problem is occurring. Unfortunately, hindsight is
always 20/20, but it doesn’t allow you to go back in time to put a sniffer on
the network ahead of the problem.

Diagnosing Transient Problems
Doing Things the Long Way

But the sniffer captures the traffic AFTER the problem occurred!

Diagnosing Transient Problems
Solution: Use Embedded Packet Capture together with Embedded Event
Manager to create an always-running “Digital Packet Recorder.” Add logic to
recognize the event you want, and then stop the capture. The resulting capture
file can be emailed to you for analysis at a convenient time (think MythTV for
your network).

Troubleshooting Transient Problems
Configuring EPC
• Set up EPC to use a circular buffer, and run forever
• Capture on all interfaces so that nothing gets lost
– You can pick a specific interface if you want
• Start the capture manually, and then EEM will take care of stopping the capture

Router#monitor capture point ip cef cappnt all both
Router#monitor capture buffer capbuf size 512 max-size 1518 circular
Router#monitor capture point associate cappnt capbuf
Router#monitor capture point start cappnt

Troubleshooting Transient Problems
Stopping the Capture With EEM
::cisco::eem::event_register_syslog pattern "%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed"
# React to a syslog indicating that the specific problem has occurred

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

if { [catch {cli_open} result] } {
    error "Failed to open CLI session: '$result'" $errorInfo
}

array set cliarr $result

if { [catch {cli_exec $cliarr(fd) "enable"} result] } {
    error "Failed to enable CLI session: '$result'" $errorInfo
}

# Stop the capture
if { [catch {cli_exec $cliarr(fd) "monitor capture point stop cappnt"} result] } {
    error "Failed to stop packet capture: '$result'" $errorInfo
}

Troubleshooting Transient Problems
Send the Capture File As an Email
# Export the capture to a file on flash
if { [catch {cli_exec $cliarr(fd) "monitor capture buffer capbuf export flash:dpr.pcap"} result] } {
    error "Failed to export capture buffer: '$result'" $errorInfo
}

# Create an email with a MIME header
set email_body_pre "Mailservername: $_email_server
From: $_email_from
To: $_email_to
Cc:
Subject: Email from Router $_router_name
MIME-Version: 1.0
Content-type: multipart/mixed; boundary=\"EEM_email_boundary\"
\n--EEM_email_boundary\n
\n--EEM_email_boundary
Content-Type: application/octet-stream
Content-Transfer-Encoding: Base64
Content-Disposition: attachment; filename=\"dpr.pcap\"\n\n"

# Read the exported capture file and Base64-encode it as the attachment
if [catch {open "flash:dpr.pcap"} result] {
    error "Failed to open flash:dpr.pcap: '$result'" $errorInfo
}
set fd $result
fconfigure $fd -translation binary
set email_b64 [::base64::encode [read $fd]]
close $fd
set email_body_mime "\n--EEM_email_boundary--"
set email_body [format "%s%s%s" $email_body_pre $email_b64 $email_body_mime]

# Send the email
if [catch {smtp_send_email $email_body} result] {
    error "Failed to send email: '$result'" $errorInfo
}

Diagnosing Transient Problems With Your DPR

Enabling Debug on a Remote Device

Problem: A device on the network is experiencing a connectivity
loss or error condition. In order to fully diagnose the problem,
debugging must be enabled on this device when the problem is
occurring; BUT debugging must also be enabled on a peer device
at the same time.
Solution: Using the Embedded Event Manager and SNMP traps, it
is possible to link multiple devices together using a light-weight
Remote Procedure Call (RPC) mechanism. The device
experiencing the problem can enable debugging, then send an
SNMP trap to its peer to do the same.

Enabling Debug on a Remote Device
• It is possible to trigger EEM on one device from another device.
• This is most easily done by sending an EEM trap from one device, and intercepting the
trap using the SNMP-Notification ED on the second device
• Requires EEM 2.4 or higher on the second device, but only EEM 1.0 on the device
sending the trap

[Diagram: one device says “Something happened…” and sends an SNMP Trap; its peer answers “I’m on it.”]

Additional Reference: http://tools.cisco.com/squish/7b686

Real-World Example

Enabling Debug on a Remote Device (cont.)


• When one device detects a condition, use SNMP traps to enable
debugging on a peer device
Source Router:
event manager applet ospf-change
event syslog pattern "OSPF-5-ADJCHG"
action 1.0 cli command "enable"
action 2.0 cli command "debug ip ospf packet"
action 3.0 snmp-trap intdata1 424242
!
snmp-server enable traps event-manager
snmp-server host 10.1.1.1 traps public event-manager

Real-World Example

Enabling Debug on a Remote Device (cont.)


• Receive the EEM trap on the peer device
Peer Router:
event manager applet ospf-change
event snmp-notification oid 1.3.6.1.4.1.9.10.91.1.2.3.1.9. oid-val "424242" op eq src-ip-address 10.1.1.2
action 1.0 cli command "enable"
action 2.0 cli command "debug ip ospf packet"
!
snmp-server manager

The OID in the event line is ceemHistoryPolicyIntData1.
MIB Object Navigator : http://tools.cisco.com/squish/7f7ef

Remote Command Execution
• If traps (and UDP) are not your thing, use telnet or SSH to do the synchronization
the EASy way
• Automate commands on another (maybe non-IOS) device using EEM from a
remote device
• EEM can automate connections across multiple protocols
– Telnet
– Reverse telnet
– Session
– Remote console
– Remote commands
– SSH (15.1(4)T and 15.2(2)T and higher)
• EASy package exists to help with this
– EASy Command Shell
– Download from http://tools.cisco.com/squish/b35c5

Sprinting!
EEM Tcl Policy
• Suspending Inactive Ports
::cisco::eem::event_register_syslog pattern "LINEPROTO-5-UPDOWN" maxrun 600

# Say you want to suspend (i.e., shutdown) ports that haven't been active in a week…
# …Use EEM to watch for ports that become active…
if { ![info exists suspend_ports_config] } {
    set result "ERROR: Policy cannot be run: variable suspend_ports_config has not been set"
    error $result $errorInfo
}

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

proc run_cli { clist } { … }

array set arr_einfo [event_reqinfo]
if { ! [regexp {Interface ([^,]+), changed state to up} $arr_einfo(msg) -> iface] } {
    exit
}

# Wait until the nightly tm_suspend_ports.tcl policy is no longer pending
while { 1 } {
    set results [run_cli [list "show event manager policy pending | include tm_suspend_ports.tcl"]]
    if { ! [regexp {tm_suspend_ports.tcl} $results] } {
        break
    }
    after 1000
}

if { [catch {open $suspend_ports_config "r"} result] } {
    exit
}

EEM Tcl Policy
• Suspending Inactive Ports (Cont.)

# …Then delete those newly active ports from a log file tracking ports that are down.
set fd $result
set contents [read $fd]
close $fd

set contents [string trim $contents]
array set ports [split $contents]

if { [info exists ports($iface)] } {
    array unset ports $iface
    set fd [open $suspend_ports_config "w"]
    puts -nonewline $fd [array get ports]
    close $fd
}

EEM Tcl Policy
• Track Ports That Are Down
::cisco::eem::event_register_timer cron cron_entry "0 0 * * *" queue_priority normal maxrun 600

# Every night at midnight, another EEM policy runs that records each "down" port into a file…
if { ![info exists suspend_ports_days] } {
    set result "ERROR: Policy cannot be run: variable suspend_ports_days has not been set"
    error $result $errorInfo
}
if { ![info exists suspend_ports_config] } {
    set result "ERROR: Policy cannot be run: variable suspend_ports_config has not been set"
    error $result $errorInfo
}

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

proc run_cli { clist } { ... }

set SECS_IN_DAYS 86400
set DOWN 0
set UP 1
set ADMIN_DOWN 2
set now [clock seconds]
set susp_time [expr $suspend_ports_days * $SECS_IN_DAYS]
array set suspend_ports [list]

if { [catch {open $suspend_ports_config "r"} result] } {
    array set ports [list]
} else {
    set fd $result
    set contents [read $fd]
    close $fd
    set contents [string trim $contents]
    array set ports [split $contents]
}

EEM Tcl Policy
• Track Ports That Are Down (Cont.)
set result [run_cli [list "show ip interface brief | include Ethernet"]]
foreach line [split $result "\n"] {
    set line [string trim $line]
    regsub -all {\s+} $line " " line
    set elems [split $line]
    set iface [lindex $elems 0]
    if { ! [regexp {Ethernet} $iface] || [llength $elems] < 6 } {
        continue
    }
    if { [lindex $elems 4] == "administratively" && [lindex $elems 5] == "down" } {
        set status $ADMIN_DOWN
    } elseif { [lindex $elems 4] == "down" } {
        set status $DOWN
    } elseif { [lindex $elems 4] == "up" && [lindex $elems 5] == "up" } {
        set status $UP
    } else {
        set status $DOWN
    }
    # …If the port has been down long enough, it is put on a "to-be-shutdown" list.
    if { [info exists ports($iface)] } {
        if { $status == $UP || $status == $ADMIN_DOWN } {
            array unset ports $iface
        } else {
            if { [expr $now - $ports($iface)] >= $susp_time } {
                set suspend_ports($iface) $ports($iface)
            }
        }
    } else {
        if { $status == $DOWN } {
            set ports($iface) $now
        }
    }
}

EEM Tcl Policy
• Track Ports That Are Down (Cont.)

set fd [open $suspend_ports_config "w"]
puts -nonewline $fd [array get ports]
close $fd

# …For each port in the list, it is administratively shut down or moved to a
# quarantine VLAN (if said VLAN is defined).
set cli [list "config t"]
foreach port [array names suspend_ports] {
    if { [info exists suspend_quarantine_vlan] } {
        set cli [concat $cli [list "interface $port" "switchport access vlan $suspend_quarantine_vlan"]]
        action_syslog msg "Moving port $port into quarantine VLAN $suspend_quarantine_vlan since it was last used on [clock format $suspend_ports($port)]"
    } else {
        set cli [concat $cli [list "interface $port" "shut"]]
        action_syslog msg "Shutting down port $port since it was last used on [clock format $suspend_ports($port)]"
    }
}
lappend cli "end"
if { [catch {run_cli $cli} result] } {
    action_syslog priority err msg "Failed to shutdown ports: '$result'"
}

Download the full version from https://supportforums.cisco.com/docs/DOC-39192

Isolating Packet Loss
• Users don’t call to complain about network problems
• They call because an application doesn’t work properly
• Isolating performance or connectivity problems has to begin at the application layer
  – See what the user is seeing
  – See how the network treats the actual application data
• onePK with the Datapath Service Set gives rich visibility into the application traffic

[Figure: application flows on the Data Plane: HTTP (100 ms), Oracle (175 ms), Voice (2 ms)]

Real-World Example

Troubleshooting Packet Loss Along a Path


• Use onePK to trace an application flow’s path through the network
• Instruct the hops in the path to “be on the lookout” for that application’s flow specification
• Perform a diagnostic session while the problem is reproduced
• The app then sees what nodes are dropping packets

Hands-On: Putting Things Together

Lab III
• This Lab Slot is Short(er)
• For You to choose and continue exploring
• Some Suggestions
  – On the AiO VM
    • Continue exploring the onePK Tutorials
    • Refresh Your EEM Skills
    • Create custom Topologies with vmcloud
  – In the APIC-EM Sandbox
    • Continue exploring the REST Tutorials
  – Directly in dCloud
    • Book an APIC-EM Python Sandbox, then customize and save your own

We’re Here to Help – Just Ask …

Summary and References

Proliferation of 3 Main Concepts

• Common across ACI approaches
• Enabling capabilities
• Proliferating across domains

Programmable
• ASIC level programmability
• Device level programmability
• Node Agents
• Network APIs and Controller APIs
• ...

Application Centric
• Agents and Controllers
• Cloud-connect Architectures
• Distributed and Embedded Systems
• Peers, Sentinels, Agents
• …

Virtualizable
• Connectivity (Layer 2, 3 and above)
• Network Functions (from Networks and Servers)
• Application Functions (end-to-end path, containers within Network)
• Management Functions

Use Cases and Business Objectives

Cisco Enterprise ACI – 3 Capabilities x 3 Layers (Subset)

[Figure: matrix of the three capabilities (Programmable, Application Centric, Virtualizable) against the layers Applications, Controller Layer and Infrastructure. Labels recoverable from the diagram include: Self-* and New Applications; SaaS and Software Driven Integration; Collaboration; Context Awareness; Mobility, CMX; Operations, Business Intelligence; SP/DC: Orchestration; Controllers, Analytics, Policy Management and Orchestration; apiconsole.cisco.com; Prime; OpFlex; Puppet; OpenStack Neutron; Cloud Connectors; vAF Containers (UCS-E, ISR 44xx, IOX / AirVision, Nexus LXE, ASR (Bento), ...); vNAM, vWAAS, DNS, DHCP, AAA; CSR 1000V; Cisco 5921; Embedded Automation; EEM; Visibility and Control; Intelligence, Manageability; REST; NETCONF; ISE; OpenFlow; VACS - VSG, vASA; Nexus 1000V]
Cisco Enterprise ACI
Network-aware Users and Applications – across Business Domains and Segments
[Figure: layered architecture, top to bottom]
• Applications
• Cisco Unified Framework, Application Enablement Platform
• ICT Governance and Operations
• Application Centric Infrastructure
  – Controller Layer (Orchestration + Analytics): Service Abstraction Layer, Common Policy Model
  – Policy and context labels: SLA, QoS, Security, Load Balancing; Identity, Location, Device Type, Device Posture
  – CLI, SNMP …
  – Virtual / Overlay Networks
  – Programmable Network Layer (Physical + Virtual): Device Interfaces and Agents – (onePK, OpenFlow, OpenStack, I2RS, …); Cisco IOS (Enterprise, Data Center, Service Provider); Data Plane – (ASIC and Software)

Cisco ACI and SDN @ CiscoLive Milan
• Recommended Learning Path on SDN
60+ Breakouts, Tech Seminars, Labs, Panel Discussion, …

Content Catalog: http://cs.co/CLEU15-ACI

• DevNet @ CiscoLive
Learning Labs, Demo Pods,
Arena Sessions, Hackathon

• World of Solutions
Level 1 North
• Table Topics

Cisco ACI and SDN Sessions @ CiscoLive Milan
Over 60 Sessions on ACI and SDN ( http://cs.co/CLEU15-ACI ) :
Tech Seminars
Monday TECACI-2009 Application Centric Infrastructure (ACI) - The Policy Driven Data Center
Monday TECSDN-3600 APIC Enterprise Module – SDN in the Enterprise
Monday TEC-NMS-3601 Advanced Network Programming - Lab Technical Seminar
Monday TECSPG-2300 Network Function Virtualization Seminar
Monday TECRST-2611 Network Simulation: The VIRL Compendium
Monday TECMPL-3200 SDN WAN Orchestration in MPLS and Segment Routing Networks
Monday TECCRS-2003 Advanced WAN Design Topics

Panel Discussions
Tuesday PNLSDN-1000 Using Software-Defined Concepts and OpenDaylight-inspired Controllers to Increase Business Agility and Competitive Differentiation
Tuesday PNLDCT-2001 Overlays in the Data Center - A Customer Perspective

Labs
Tuesday LABACI-2223 APIC integration with OpenStack
Tuesday LABSDN-2331 Cisco ACI hands on Lab
Tuesday LABSPG-2443 Cisco EPN Labs
Tuesday LABVIR-2446 Network Function Virtualization
Tuesday LTRDCT-1224 Implementing VXLAN in Datacenter
Wednesday LTRDCT-1224 Implementing VXLAN in Datacenter
Wednesday LABSPG-2442 NCS: Network Control System Hands-on Lab (Tail-f)
Thursday LABNMS-2001 Advanced Network Automation and Solutions using Cisco IOS EEM
Friday LABNMS-2001 Advanced Network Automation and Solutions using Cisco IOS EEM
Friday LABSDN-1335 Getting Started with OpenDaylight

Breakout Sessions – 1/4
Tuesday BRKSDN-2120 Demystifying Security in the Software Defined Era
Tuesday BRKSDN-1014 Introduction to Software-Defined Networking (SDN) and Network Programmability
Tuesday BRKRST-2015 SDN - From Concepts To Reality
Tuesday BRKRST-2121 Self Learning Networks
Tuesday BRKDCT-2131 Mobility and Virtualization in the Data Center with LISP and OTV
Tuesday BRKACI-2244 Application Virtual Switch for Application Centric Infrastructure Overview
Wednesday BRKCRS-3447 Network Function Virtualization for Enterprise Networks
Wednesday BRKNMS-3043 Performance Measurement for IP and SDN Traffic with Cisco IOS IP SLA
Wednesday BRKACI-1025 Migration from Classic Design to ACI
Wednesday BRKDCT-2367 OpenStack Deployment in the Enterprise
Wednesday BRKSPG-2515 SDN-enabled Carrier Ethernet Architectures
Wednesday BRKSDN-1200 Cisco Applications on OpenDaylight - An Introduction

Breakout Sessions – 2/4
Wednesday BRKACI-2678 Building Application Centric Network Containers and Service Graphs with ACI and UCSD
Wednesday BRKSPG-2516 SDN Protocols in Internet
Wednesday BRKSDN-2118 Simulating networks using Cisco Modeling Labs
Wednesday BRKGEN-2999 Introductory - Autonomic Networking
Wednesday BRKSDN-1119 Device APIs — A Guide For the Perplexed
Wednesday BRKACI-2345 ACI: What We Have Learnt from Early Deployments
Wednesday BRKIOT-2442 Enabling the Internet of Everything: Cisco’s IoT Architecture
Wednesday BRKOPT-2102 Software Innovations and Control Plane Evolution in the new SDN Transport Architectures
Wednesday BRKSDN-3014 Packet Inspection and Manipulation for Fun and Profit
Wednesday BRKSPM-2001 GiLAN and Service Chaining
Wednesday BRKACI-2333 Application Centric Networking Troubleshooting 101 - Install & Implementation of ACI
Wednesday BRKACI-1789 How to Perform Common Tasks in ACI

Breakout Sessions – 3/4
Thursday BRKNMS-3114 13 Smart Ways to Program Your Cisco IOS Network
Thursday BRKCRS-3011 APIC-EM (Application Policy Infrastructure Controller - Enterprise Module) SDN in Enterprise
Thursday BRKACI-3456 Mastering OpenStack and ACI
Thursday BRKDCT-1349 Application Traffic Visibility and Analysis with Cisco Nexus Data Broker
Thursday BRKSPG-2722 SDN deployment in ASR9000
Thursday BRKACI-2249 Future Direction of SDN and NFV
Thursday BRKDCT-2255 Infrastructure Designs for Intercloud Data Centers
Thursday BRKACI-2001 Integration and Interoperation of existing Nexus networks into an ACI architecture
Thursday BRKACI-2006 Integration of Hypervisors and L4-7 Services into an ACI Fabric
Thursday BRKSPG-2456 The True Realisation of SDN and NFV in an SP environment
Thursday BRKNMS-1036 IT Operations Management in the SDN Era – with Prime Infrastructure and APIC Controllers
Thursday BRKSPG-2520 Evolved Programmable Network for Seamless Service Transport

Breakout Sessions – 4/4
Thursday BRKSDN-2777 Network Programming and DevOps Software Development Lifecycle
Friday BRKSPG-2016 Architectures for new services over Cable
Friday BRKSPG-2517 Hosted Security as a Service Solution Architecture Design
Friday BRKACI-3344 Application Centric Networking Troubleshooting 201 – Day 2 Operations
Friday BRKARC-3467 Cisco Enterprise Silicon - Delivering Innovation for Advanced Routing and Switching
Friday BRKNMS-2445 Improve Application Delivery with Cisco AVC in the Data Center and Cloud
Friday BRKSDN-2116 Run your apps and tools natively on Cisco boxes

Call to Action
• Visit the World of Solutions for
– Cisco Campus
– Walk in Labs
– Technical Solution Clinics
• Meet the Engineer
• Lunch time Table Topics
• DevNet zone related labs and sessions
• Recommended Reading: for reading material and further resources for this
session, please visit www.pearson-books.com/CLMilan2015

Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Network Programming and Automation




What will YOU Program ?
