Exploring the Final Frontier of Data Center Orchestration: Network Elements - Jason Pfeifer, Cisco

1. Network Elements
The Final Frontier of Data Center Automation
Presented by
Jason Pfeifer
Technical Marketing | Cisco

2. Presented by
Why?
I can spin up servers in minutes with my Puppet workflows,
why does it take orders of magnitude more to spin up and
affect change on my Network Elements?”

3. Presented by
IT Management Challenges
Agility 60% of IT managers are not satisfied with the speed
at which IT responds to business needs
Reliability $72,000
/ hr
cost of downtime due to manual errors and configuration
drift
Productivit
y
48% of IT professionals spend 50% or more of their time on
basic administrative tasks
Shadow IT 36% of employees have already used “unapproved” cloud
services
Insight 93% of IT professionals cannot answer “What changed?”
when an outage incident occurs
Sources: Gartner, Kaseya, Harvey Nash, Vanson Bourne, Evolven, InformationWeek
Similar Challenges in the
NetOps Space

4. Presented by
Network Operations Challenges
Agility Rollout speed of network equipment is slow. After physical kit is
installed, configuration should be immediate.
Reliability Huge cost of downtime due to manual errors and configuration
drift
Productivit
y
Networking professionals spend 50% or more of their time on
basic administrative tasks, CLI interaction , screen scraping
output
Home Built Employees have home built scripts / one –off procedures specific
to the local network environment
Insight “What changed?” plagues the industry when an outage incident
occurs. How do we recover?
Sources: Disgruntled Network Administrators

5. NetOps
CUSTOM ONE-OFF SCRIPTS
Presented by
Existing Management Solutions = Insufficient
CUSTOM ONE-OFF SCRIPTS
for i in $(cat host.cfg)
do
ssh user@$i uname -a
done
• Not reusable across different
applications or operating systems
• What happens when original author
Sources: THINKstrategies/FrontRange
leaves?
IT
spawn telnet $ip(t)$port(t)
expect "Trying
$in_telnet...r*
Connected to $in_telnet.r*
Escape character is
'^]'.r*”
send -- "r”

6. Puppet Automates Infrastructure for Network Admins
NETOPS MANAGEMENT STACK
Monitoring Help Desk
Presented by
NETWORK STACKS
Reporting
Asset Management
Applications
Code & Data
Controllers
Operating
Systems
Physical &
Virtual Nodes
Discovery
Provisioning
Configuration
Orchestration
Automation
Service Catalog
Lifecycle management for heterogeneous environments possible

7. Monitoring
Agent Version Control
Presented by
NetOps Agent
CENTRALIZED MANAGEMENT SERVER
GUI Workflows
Reporting
Admin & Security
Hardware Node VM Node Cloud Node
DISTRIBUTED AGENTS
CLOUD-BASED REPOSITORY
OF PRE-BUILT SOLUTIONS
Puppet Forge
Agent Agent Agent
3RD PARTY INTEGRATIONS
CMDBs
LDAP & AD
Switch

8. Enabling Technologies
Presented by

9. Presented by
NX-OS Architecture
Layer-2 Protocols Layer-3 Protocols Storage Protocols
VLAN Mgr
STP
Interface Management
Chassis Management
Kernel
Sysmgr, PSS & MTS
SNMP, XML, CLI Management, NXAPI
Chip/Driver Infrastructure
OSPF
BGP
EIGRP
GLBP
HSRP
VRRP
VSANs
Zoning
FCIP
FSPF
IVR
UDLD
CDP
IGMP snp 802.1X
LACP CTS PIM SNMP
Container
Services
(ADT /
Guest Shell)
… …
Protocol Stack (IPv4 / IPv6 / L2)
Shell Access
onePK (Element / VTY)

10. Presented by
NXAPI
• CLI Interaction with device over HTTP / HTTPS
• Input/Output encoded in JSON or XML (key for programmability)
Show
clock
NXAPI Web Server
(NGINX)
[
{
"jsonrpc": "2.0",
"method": "cli",
"params": {
"cmd": "show clock",
"version": 1
},
"id": 1
}
]
{
"jsonrpc": "2.0",
"result": {
"body": {
HTTP / HTTPS
"simple_time": "15:00:37.762 PST Mon Aug 18 2014n"
}
},
"id": 1
}
Switch# conf t
Switch(config)# feature nxapi
Switch(config)# exit

11. Presented by
NXAPI - Response
{
"jsonrpc": "2.0",
"result": {
"body": {
"header_str": "Cisco Nexus Operating System (NX-OS) ",
"bios_ver_str": "3.22.0",
"kickstart_ver_str”: "7.1(0)D1(1) [build 7.1(0)ZD(0.102)] [gdb]",
"sys_ver_str": "7.1(0)D1(1) [build 7.1(0)ZD(0.102)] [gdb]",
"bios_cmpl_time”: "02/20/10",
"kick_file_name”: "bootflash:///n7000-s1- kickstart.7.1.0.ZD.0.102.gbin",
"kick_cmpl_time”: " 2/11/2014 18:00:00",
"kick_tmstmp": "03/14/2014 05:31:12",
"isan_file_name”: "bootflash:///n7000-s1-dk9.7.1.0.ZD.0.102.gbin",
"isan_cmpl_time”: " 2/11/2014 18:00:00",
"isan_tmstmp": "03/13/2014 23:16:21",
"chassis_id": "Nexus7000 C7010 (10 Slot) Chassis",
"module_id": "Supervisor Module-1X",
"cpu_name": "Intel(R) Xeon(R) CPU ",
"manufacturer”: "Cisco Systems, Inc."
}
},
"id": "1"
}
Output

12. Presented by
ONE Platform Kit (onePK)
Applications
onePK
Any Cisco
Router or
Switch
C, JAVA, Python
API Presentation
API Abstraction
Catalyst Nexus
ASR
ISR
IPC Channel
Network Programming
Environment to:
• Innovate
• Extend
• Automate
• Customize
• Enhance
• Modify

13. Presented by
Where Do onePK Applications Run?
Choose the Hosting Model that Suits Your Platform and Your Application
16
App
Blade
App
App
On An External Server
• Plentiful memory/compute
• Higher latency and delay
• Supported on by all platforms
On A Hardware Blade
• Dedicated memory/compute
• Low latency and delay
• Requires modular hardware blade
On the Router
• Shared memory/compute
• Very low latency and delay
• Requires modular software architecture

14. Traditional Approach New Paradigm
App
C
Java
Python
(Ruby*)
Presented by
Network OS
Events
App
Monitoring
Routing
Data Plane
Actions EEM (TCL)
Policy
Interface
Discovery
CLI
SNMP
HTML
XML
AAA
CDP
Syslog
Netflow
Routing Protocols
Span
Anything you can think of
Evolving How We Interact

15. Presented by
APIS Are Grouped (Service Sets)
Service Set Description
Data Path Provides packet delivery service to application: Copy, Punt, Inject
Policy
Provides filtering (NBAR, ACL), classification (Class-maps, Policy-maps),
actions (Marking, Policing, Queuing, Copy, Punt) and applying policies to interfaces
on network elements
Routing Read RIB routes, add/remove routes, receive RIB notifications
Element
Get element properties, CPU/memory statistics, network interfaces, element and
interface events
Discovery topology and local service discovery
Utility
Syslog events notification, Path tracing capabilities (ingress/egress and interface stats,
next-hop info, etc.)
Developer
Debug capability, CLI extension which allows application to extend/integrate
application’s CLIs with network element

16. Controller
onePK
Agent
onePK
CAPWAP
Presented by
Agent application resides on NE, utilizes
onePK API library
Choice of communication methods between agent
and controller
Choice of where bulk of processing will occur.
Controller typically has network wide view, agent has
individual box view.
Examples
Web application with REST interface
Management over XMPP
Controller
Agent
onePK
Controller
Agent
onePK
Network Element
Agent
onePK
Network Element
Path
Computation
PCE
PCEP
PCC PCC PCC
Wireless LAN
Control
WLC
AP AP AP
Agent Model Applications

17. Dev Ops
Plug-ins
Container
Presented by
Dev Ops - Plug Ins
 Container based packaging of Dev Ops agents
 Device hosted
 Software runs on local device
 Standard
 Standard Linux software
 Software independence
 Secure: Not running in host OS
 TTM: Host release independence, fast TTM NOS
OS/Linux
Switch/Router

18. NXOS Puppet Integration
Presented by

19. Cisco Nexus Cisco Nexus Cisco Nexus
Presented by
Compute/Storage Servers

20. Network OS
Puppet Agent
Presented by
Data Center Network
Puppet Master
LXC Container
Cisco Puppet Plug-In:Architecture
onePK
Cisco Network
Resources

21. Presented by
Cisco NXOS Puppet Agent Integration
 Packaged as virtual-services LXC container OVA
 OVA registers CLI extensions
 Configuration commands
 Show commands
 Exec commands
 Clear commands
 Debug commands
 OVA syslogs are linked to NXOS syslog
 “show log”

22. Presented by
Cisco Puppet Agent Configuration Example
 Puppet configuration mode
 (config)# puppet
 (config-puppet)# master pmaster.cisco.com port 8999
 (config-puppet)# vrf management
 (config-puppet)# run-interval 180
 (config-puppet)# domain-name cisco.com
 (config-puppet)# name-server 4.1.1.128
 (config-puppet)# activate

23. Presented by
Puppet Deployment using POAP
DHCP Script Config
Switch downloads script
DHCP phase: Execute script locally
Get IP Address, Gateway
Script server IP
Script file name
Download software images
Download running-config
Download puppet_plugin.ova
Download plugin_activate.py script
1 Power up Switch with
no startup-config and
default images
NXOS
Puppet
OVA
Reload the router with downloaded software
plugin_activate.py script executes , installing
and activating puppet_plugin.ova
Puppet
Master
Once the plugin is activated, puppet
agent running inside the container will
establish a session with the puppet
master and retrieve catalogues, etc.
2 3
4
5
6

24. Image/Patch New Server/VM Deployment Config. Distribution
Presented by
Package
Repository Puppet/C
Puppet
Master
Device Plug-in
Device Plug-ins:
• Manage images and patches/SMUs
hef
Master
New server
Server
Admin
• Security policies, mgmt. servers
(syslog, dns, snmp etc.) are
common across the network.
• Inject changes at master
Puppet/Ch
Network ef Master
Admin
• ToR configuration for every new device
onboarded
• Reduce Manual process
• Master puts the new server in the right
VLAN/segment / ACL’s

25. Presented by
Cisco Puppet Resource Type Coverage:
Feature Resource Name Description
Cisco Device Access cisco_device Allows credentials for user access control &
accounting
Base L2/L3 interface cisco_interface General interface & L2/L3 base settings
VLAN cisco_vlan Create/destroy of VLANs and general settings
Interface-vlan (SVI) cisco_interface_vlan Create/destroy of SVIs and SVI specific interface
settings
VLAN Trunking Proto (VTP) cisco_vtp VTP global settings
SNMP cisco_snmp_server
cisco_snmp_community
cisco_snmp_group
cisco_snmp_user
SNMP monitoring settings. Notification receiver
settings not covered as of now.
OSPF cisco_ospf
cisco_ospf_vrf
cisco_interface_ospf
OSPF instance create/destroy, per-VRF settings, and
interface settings (area, cost, msg digest, etc)

26. Presented by
Cisco Puppet Resource Type Coverage
Feature Resource Description
TACACS/AAA***
***full set not available at EFT target date
cisco_tacacs_server
cisco_tacacs_server_host
cisco_aaa_tacacs_group
cisco_aaa_authentication
cisco_aaa_authorization
cisco_aaa_accounting
• TACACS global settings
• TACACS per-host settings
• group association and settings
• mapping of groups to AAA features
(authentication, authorization, accounting).
Raw Config CLI commands cisco_command_config Resource to directly apply blocks of configuration
CLI commands.

27. Presented by
Demo