From Zero to Network Programmability in 120 minutes

Transcription

1

2 From Zero to Network Programmability in 120 minutes Gabriel Zapodeanu Technology Solutions Architect, Cisco github.com/gzapodea BRKRST-2935

3 Cisco Spark How Questions? Use Cisco Spark to chat with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space Cisco Spark spaces will be available until July 3, cs.co/ciscolivebot#brkrst-2935

4 Stan Ilchev Spent the last 20 working on small, mid and large scale projects in global manufacturing, enterprise and retail environments: Minolta, Konica, Intel, Daimler would be some examples. Currently involved in complex security initiatives for a large multinational sportswear company known to pioneer use of air in athletic shoe soles. Presented at Cisco Live 2014 and 2015 on the topic of Virtualized Plant Floor Services Architecture (CCSVIR-1400) stanlyilch@gmail.com LinkedIn

5 Cisco Spark How Questions? Use Cisco Spark to chat with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space Cisco Spark spaces will be available until July 3, cs.co/ciscolivebot#brkrst-2935 BRKRST

6 Agenda Programmability? Why? Developer Resources REST APIs JSON and XML Python Sandboxes and Labs API Docs Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Lessons Learned 120 Minutes to Your Application Summary

7 Agenda Programmability? Why? Developer Resources REST APIs JSON and XML Python Sandboxes and Labs API Docs Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Lessons Learned 120 Minutes to Your Application Summary

8 What are the top 3 areas your organization is looking to improve upon with automation? Top Areas to Automate % of respondents Network operations Network performance monitoring Network troubleshooting Traffic management (e.g. QoS, bandwidth usage) Security mechanisms Data center services and integrity Cloud Services integration and integrity Access to networked resources Systems software (e.g. OpenStack) Collaboration systems (e.g. web conferencing) Business applications (e.g. customer portal, sales application) 7% 6% 5% 3% 3% 3% 11% 10% 16% 16% 19% Source: Cisco Learning Network, Cisco Certified Community Research Survey on Network Automation and Programmability, Filtered out app developer responses BRKRST

9 Which of the following statements most closely describes the scripting or programming skills used by you or your team? Current Scripting and Coding Skillset % of respondents CLI only 58% Scripts only, had programming training, don't program regularly 25% Both scripts and programs regularly Scripts only, no programming 9% 8% Source: Cisco Learning Network, Cisco Certified Community Research Survey on Network Automation and Programmability, Filtered out app developer responses BRKRST

10 What is your viewpoint on advanced scripting or programming skillsets, such as PERL scripting or Python, as they relate to networking for technology professionals? View on Scripting and Coding Skillset % of respondents It is already a requirement today 40% It is not currently a requirement but will be required within the next 3-5 years 30% It is a benefit but won t be a requirement within the next 3-5 years 17% It is not relevant 13% Source: Cisco Learning Network, Cisco Certified Community Research Survey on Network Automation and Programmability, Filtered out app developer responses BRKRST

11 Programmability Benefits Innovation and business agility Accelerated time to market Service delivery optimization Cost reduction and increased efficiencies Highly skilled architects and engineers improved availability Service-level improvements Higher network availability due to reduced human error BRKRST

12 Programmability Use Cases Business Value High Compliance Security Dynamic Application Configuration Troubleshooting Performance Green Field Change Control Design Optimization Monitoring Operations Low Low Business Risk High BRKRST

13 Agenda Programmability? Why? Developer Resources REST APIs JSON and XML Python Sandboxes and Labs API Docs Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Lessons Learned 120 Minutes to Your Application Summary

14 What is REST? REST Representational State Transfer Client-server communications Stateless - client side maintains session state, the server does not An architecture style for designing networked applications It is not a standard First edition of REST between October 1994 and August 1995 Published in 2000 by Roy Thomas Fielding, PhD Thesis Dissertation Architectural Styles and the Design of Network-based Software Architectures BRKRST

15 What is REST API? API Application Programming Interface Set of subroutine definitions, protocols, and tools for building application software Specifies how software components should interact with each other Many types of APIs exist, not only RESTful API s RESTful API s - Use HTTP requests to Create/Read/Update/Delete (CRUD) operations: Creates a new resource Retrieves/Read a resource Updates an existing resource Deletes a resource. BRKRST

16 How to Make a REST API Call REST APIs are centered around an HTTP request and response model. Consuming an API is as simple as making an HTTP request. Request Response Client Your Application Application Server BRKRST

17 REST API Request URL: Application Server and the API resource Authentication: HTTP Basic, Custom, OAuth, none Custom Headers: HTTP Headers, example: Content-Type: application/json Request Body: JSON or XML - the data needed to complete request Method (CRUD) : POST - Creates a new resource GET - Retrieves/Read a resource PUT - Updates an existing resource DELETE - Deletes a resource. BRKRST

18 REST API Request - example Create a new Spark room function def create_spark_room(room_name): User defined function URL url = Headers header = {'content-type': 'application/json', 'authorization': SPARK_AUTH} payload = {'title': room_name} Request Body Authentication room_response = requests.post(url, data=json.dumps(payload), headers=header) Method BRKRST

19 REST API Response HTTP Status Codes 2xx Success OK, 201 Created 4xx Client Error Bad Request, 401 Unauthorized, 404 Not Found 5xx Server Error Internal Server Error Headers Content type JSON or XML, cache control, date, encoding Response Body Payload with requested data formatted in JSON or XML BRKRST

20 REST API Response - example Response 200 / success HTTP Status Codes Cache-Control no-cache Content-Encoding gzip Content-Type application/json;charset=utf-8 Date Sun, 05 Feb :07:54 GMT Headers { } "id": "Y2lzY29zcGFyazovL3VzL1JPT ", "title": Cisco Live Room", "type": "group", JSON Response Body "islocked": false, "lastactivity": " T01:03:28.522Z", "creatorid": "Y2lzY29zcGFyazovL3VzL1BFT1B ", "created": " T01:03:28.483Z" BRKRST

21 REST API Request - Response url = header = {'content-type': 'application/json', 'authorization': SPARK_AUTH} payload = {'title': 'Cisco Live Room'} room_response = requests.post(url, data=json.dumps(payload), headers=header) Client Your Application Request Response Cisco Spark Response 200 / success { "id": "Y2lzY29zcGFyazovL3VzL1JPT ", "title": Cisco Live Room", "type": "group", "islocked": false, "lastactivity": " T01:03:28.522Z", "creatorid": "Y2lzY29zcGFyazovL3VzL1BFT1B ", "created": " T01:03:28.483Z" } The response value will be assigned to variable room_response BRKRST

22 Use Case REST APIs The presented use case will access the programmable infrastructure using REST API s Use Case REST APIs will access: Controllers Network Devices Collaboration Orchestration Network Management Rest APIs Spark UCS Director APIC-EM PI ASAv Tropo Infrastructure BRKRST

23 Device Programmability Other options to program network devices: NETCONF - Network Configuration Protocol NETCONF RESTCONF grpc YANG Data Models RESTCONF - REST-like access to the YANG Data Model grpc - open-source universal RPC framework, started by Google Open Native Configuration and Operation Device Features Interface BGP QoS ACL SNMP BRKRST

24 Agenda Programmability? Why? Developer Resources REST APIs JSON and XML Python Sandboxes and Labs API Docs Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Lessons Learned 120 Minutes to Your Application Summary

25 Client to Server - Data Exchange REST API s are designed to be easy to use, fast and simple Interchange of structured data is critical Need to send data to the server Ability to easily process received data CLI is not structured data GigabitEthernet0 is up, line protocol is up Hardware is PQ3_TSEC, address is f af Description: TO UCS Internet address is /24 MTU 1500 bytes, BW Kbit/sec, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full Duplex, 1Gbps, media type is RJ45 output flow-control is XON, input flow-control is XON ARP type: ARPA, ARP Timeout 04:00:00 5 minute input rate 4000 bits/sec, 7 packets/sec 5 minute output rate 5000 bits/sec, 7 packets/sec 4797 packets input, bytes, 0 no buffer Received 15 broadcasts (0 IP multicasts) BRKRST

26 JSON - JavaScript Object Notation JSON Lightweight data-interchange format Easy for humans to read and write Wide applications support to parse and generate import json the Python standard library: Encode/Decode Python types to JSON This command is required in Python Json.org extensive JSON resource APIC-EM Get Interface API: JSON { } { key : value } "ipv4address": " ", "ipv4mask": " ", "portname": "GigabitEthernet1", "description": " TO_vSWITCH0", "status": "up", "adminstatus": "UP", "id": "7c bd-b516-6c325102e567"... REST APIs and RESTCONF support JSON and XML NETCONF supports only XML BRKRST

27 XML - extensible Markup Language XML : Store and transport data Was designed to be self-descriptive Language independent XML vs HTML: XML was designed to carry data HTML was designed to display data Python support: Multiple modules support xml XML resource - NETCONF Get Interface: XML { } { <tag><value></tag> } <interface> <name>gigabitethernet1</name> <description>to_vswitch0</description> <type xmlns:ianaift="urn:ietf:params:xml:ns:yang: iana-if-type">ianaift:ethernetcsmacd</type> <enabled>true</enabled> <ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip"> <address> <ip> </ip> <netmask> </netmask> </address> </ipv4> </interface> REST APIs and RESTCONF support JSON and XML NETCONF supports only XML BRKRST

28 Agenda Programmability? Why? Developer Resources REST APIs JSON and XML Python Sandboxes and Labs API Docs Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Lessons Learned 120 Minutes to Your Application Summary

29 Programming Language - Python Ease of use for automation Python is simple to learn, general purpose Wide support on Cisco devices and software Great choice for network engineers BRKRST

30 Programming Language - Python Which Python2 or Python3? Extensive libraries Python.org full documentation and beginner guides Your choice of programming language may work, too! BRKRST

31 Resources to Get Started with Python Cisco Learning Network: Programming for Network Engineers (PRNE), e-learning Network Programmability Specialists: Design, Developer, Engineer Courses and Cisco Certifications Cisco DevNet Introductory Python and JSON learning modules and labs Python Fundamentals PluralSight, e-learning, subscription based The Hitchhiker s Guide to Python! CodeAcademy, Coursera BRKRST

32 Agenda Programmability? Why? Developer Resources REST APIs JSON and XML Python Sandboxes and Labs API Docs Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Lessons Learned 120 Minutes to Your Application Summary

33 Sandboxes DevNet Sandbox: Always-on, or reservation based Free, very easy to use and schedule, nothing for you to maintain Simulated or physical network equipment Available sandboxes: Networking, Data Center, Collaboration, Security, Meraki, BRKRST

34 Other Labs Cisco dcloud: Five Data Centers around the world Customizable environments Enterprise Networking Collaboration DC Security, and more Your lab may be required for POC and POV Remember most Cisco software has evaluation licenses available BRKRST

35 Our Lab Proof of Concept Lab Code development for our use case: DevNet Sandbox POC lab UCSD lab BRKRST

36 Agenda Programmability? Why? Developer Resources REST APIs JSON and XML Python Sandboxes and Labs API Docs Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Lessons Learned 120 Minutes to Your Application Summary

37 API Docs Quality of API docs is the most important factor in API adoption REST APIs are an architectural style not a standard, docs are essential To know what to send and understand what you receive back Try it out features! BRKRST

38 APIs Reference Documentation Each API has published documentation: UCS Director Spark APIC-EM Cisco Mobility Experience Prime Infrastructure RESTCONF Cisco DevNet Meraki BRKRST

39 Agenda Programmability? Why? Developer Resources REST APIs JSON and XML Python Sandboxes and Labs API Docs Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Lessons Learned 120 Minutes to Your Application Summary

40 Remote Network Access Vendors, contractors and developers need access to devices or systems on internal Enterprise networks (IP-enabled Devices - IPDs) Typically required for: Normal mode of operations, while providing services Troubleshooting Software upgrades, patching and monitoring Proof of Concepts and testing of new applications Encountered in all industries: Utilities, Healthcare, Retail, Manufacturing, These IP-enabled Devices (IP-Ds) may be connected anywhere in the environment BRKRST

41 Remote Network Access Solutions DMZ hosted VDI, additional configuration required within the Enterprise Network Web Conferencing remote support: WebEx, GoToMeeting SaaS third party remote access gateways: TeamViewer, ewon Hybrid on-prem and IaaS deployment with an appliance in a DMZ: Bomgar B2B permanent VPN tunnels if closer affiliation with business established All of these options are static, inflexible, with limited application/protocol support Requirements, design and implementation require months BRKRST

42 Agenda Programmability? Why? Developer Resources Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Architecture Implementation Utilized APIs Flowchart Demo Lessons Learned 120 Minutes to Your Application Summary

43 Disclaimer The sample code in this presentation is intended for learning and educational purposes only The script was created with the goal of ease of understanding Software is written based on assumptions that may not apply in your environment It is not intended for use in any production environment without significant testing, validation and re-write to meet your Enterprise Application Development Policies BRKRST

44 Elastic Remote Network Access Requirements Remote Access to IP-enabled Devices IP-Ds On-demand provided to end user or vendor Dynamically provisioned network access Provide support for any applications and protocols Scalable and secure Design and implementation done once, used many Dissolvable as soon as work completed Network access request to be provisioned in minutes BRKRST

45 High Level Architecture End User Interface Data Center Orchestration Elastic Remote Network Access Application Security Management Network Controller Network Device Management BRKRST

46 High Level Architecture - Components End User Interface Spark/Tropo Elastic Remote Network Access Application Data Center Orchestration Security Management UCSD ASAv Network Controller APIC-EM Network Device Management PI, NETCONF RESTCONF BRKRST

47 High Level Architecture Functional Requirements End User Interaction with the application Input requests Receive notifications Update status Compute provisioning User Interface Spark/Tropo Storage configuration Network provisioning Data Center Orchestration UCSD Workflow automation Elastic Remote Network Access Application Security Management ASAv Firewall configuration Add and remove Access Control Lists Network Controller APIC-EM Information about: Clients Network Device Management PI, NETCONF RESTCONF Network Devices Topology physical and logical Configuration management Configuration deployment Restore network to prior state Job Status Report BRKRST

48 Agenda Programmability? Why? Developer Resources Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Architecture Implementation Utilized APIs Flowchart Demo Lessons Learned 120 Minutes to Your Application Summary

49 Network Configurations ip vrf SECURE_REMOTE rd 201:1 route-target export 201:1 route-target import 201:1! interface Loopback200 ip address ! interface Tunnel201 ip vrf forwarding SECURE_REMOTE ip address tunnel source Loopback200 tunnel destination ! interface GigabitEthernet3 description to_secure_remote ip vrf forwarding SECURE_REMOTE ip address negotiation auto! router eigrp 123 network redistribute static redistribute connected! router eigrp 201 address-family ipv4 vrf SECURE_REMOTE network network autonomous-system 201 exit-address-family UCSD workflow - UCSD_CONNECT_FLOW GRE tunnel interface Loopback200 ip address ! interface Tunnel201 ip address tunnel source Loopback200 tunnel destination ! router eigrp 123 network ! router eigrp 201 network redistribute static route-map REMOTE_ACCESS exit! ip route $RemoteClient Vlan$VlanId! ip prefix-list REMOTE_ACCESS_PLIST seq 5 permit $RemoteClient/32! route-map REMOTE_ACCESS permit 10 match ip address prefix-list REMOTE_ACCESS_PLIST access-list outside_access_in line 1 extended permit ip host host BRKRST

50 ERNA - Implementation On-demand remote connectivity for troubleshooting IP-enabled Device (IP-D) End User requests access to an IP-D in Spark Spark bot triggers Application execution UCSD workflow initiated to power on VDI, connect to vswitch and ASAv IP-D is located in the infrastructure by DNS entry, and APIC-EM client database IP-D default gateway hostname is retrieved from APIC-EM network database Find PI Network Device ID from hostname The CLI template file is uploaded to PI, and deployed to the identified PI device ID: Create a loopback interface, build a GRE tunnel, define a new EIGRP AS for host routing (IP-D), add route-maps and prefix lists The CLI template file is uploaded to PI, and deployed to the DMZ CSR 1000V: create new VRF, new sub-interface and a loopback interface. Build a new GRE tunnel, new routing AS and address family DMZ ASAv configuration modify outside interface ACL to allow VDI <-> IP-enabled Device communication PI job status check for the CLI templates deployment APIC-EM device sync, Path Trace to validate secure vendor access Tropo Notification sent to end user informing access has been provisioned. Instructions set for access to VDI/IP-D posted on Spark Access time window ends - remove all configurations from branch Layer 3 device, CSR 1000V, ASAv, power off VDI END of Application Run BRKRST

51 Agenda Programmability? Why? Developer Resources Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Architecture Implementation Utilized APIs Flowchart Demo Lessons Learned 120 Minutes to Your Application Summary

52 Spark API calls Cisco Spark as an user interface and messaging platform Create a new space, if not one existing Invite vendors to join the space Vendor requests remote access to an IP-enabled device API calls to Spark: Check for messages Post a message Create/delete spaces Membership BRKRST

53 Spark API Request Retrieve the last message from the room with {room_id} SPARK_AUTH = 'Bearer ' + ZTc0ZGUzNTctMWFlNC00ODQzLWFkYWEtMGI4ZDNkYTE5 def last_spark_room_message(room_id): User defined function Authentication Headers url = SPARK_URL + '/messages?roomid=' + room_id header = {'content-type': 'application/json', 'authorization': SPARK_AUTH} response = requests.get(url, headers=header) URL Authentication Method list_messages_json = response.json() print(list_messages_json) list_messages = list_messages_json['items'] last_message = list_messages[0]['text'] print('last room message : ', last_message) return last_message Parsing JSON BRKRST

54 Spark API Response Retrieve the last message from the room with {room_id} { "items" : [ { "text" : Your access is provisioned", "roomid" : "Y2lzY29zcGFyazovL3VzL1JPT00vNWNmNjM4YzAtZ ", "id" : "Y2lzY29zcGFyazovL3VzL01FU1NBR0UvYTAyNzk2N ", "roomtype" : "group", "personid" : "Y2lzY29zcGFyazovL3VzL1BFT1BMRS8zZDJmMTZjZC01 ", "created" : " T00:18:34.455Z", "person " : gzapodea@cisco.com } ] } Last room message : Your access is provisioned Response Data After parsing JSON BRKRST

55 UCSD API calls Two API calls required to trigger the execution of a predefined workflow 1. Create a UCSD user API key to authenticate the user s calls (sample bellow) 2. Execute workflow to power on VDI, connect to ASAv outside interface def get_ucsd_api_key(): User defined function url = UCSD_URL + '/app/api/rest?formattype=json&opname=getrestkey&user=' + UCSD_USER + '&password=' + UCSD_PASSW header = {'content-type': 'application/json', 'accept-type': 'application/json'} Method UCSD_api_key_json = requests.get(url, headers=header, verify=false) UCSD_api_key = UCSD_api_key_json.json() return UCSD_api_key URL Parsing JSON Headers BRKRST

56 APIC-EM API Calls APIC-EM has complete inventory of network devices and clients Applications available - Plug and Play, IWAN, EasyQos, Path Trace Physical and logical topologies We will locate the IP-enabled Device using the provided IP enabled name/dns lookup BRKRST

57 APIC-EM API Calls continued Required APIC-EM API calls: Create an user Auth ticket to be used for all the API calls Locate the IP-D based on the IP address, it could be anywhere in the network Find the APIC-EM device id connected to the IP-D: Retrieve hostname of the network device based on the APIC-EM device Id Find the access VLAN for the specified IP-D Device synchronization and Path Trace to validate vendor access BRKRST

58 APIC-EM API Request Discover hostname of a network device based on the APIC-EM {device_id} User defined function def get_hostname_id_apic_em(device_id, ticket): URL url = EM_URL + '/network-device/' + device_id Authentication Headers header = {'accept': 'application/json', 'X-Auth-Token': ticket} hostname_response = requests.get(url, headers=header, verify=false) Method hostname_json = hostname_response.json() hostname = hostname_json['response']['hostname'] Parsing JSON return hostname BRKRST

59 APIC-EM API Response Discover hostname of a network device based on APIC-EM {device_id} { } "version" : "1.0", "response" : { "family" : "Switches and Hubs", "id" : "26450a30-57d8-4b56-b8f1-6fc535d67645" "uptime" : "219 days, 21:09:28.84", "softwareversion" : "12.2(55)SE3", "managementipaddress" : " ", "locationname" : New-York", "serialnumber" : "FOC1537W1ZY", "platformid" : "WS-C P-E", "hostname" : NYC-SW... } BRKRST

60 Prime Infrastructure API Calls PI - network management operations Upload CLI templates from text file Identify PI device id s using the device hostnames Deploy CLI template to the layer 3 access switch Deploy CLI template to the DC CSR1000v Get CLI deployment PI job status, delete CLI templates Deployment of the PI CLI templates requires: PI device ids The CLI template name Variables, if any As a result a GRE tunnel will be provisioned, routing configured to allow reachability only from host DMZ VDI to only host IP-enabled Device BRKRST

61 PI CLI Template DC Router Check if existing CLI template and delete Upload fresh CLI template from file Reserved IP addresses for new interfaces It does not require variables Configuration: new VRF new Loopback interface update the Gigabit interface 3 new routing AS new address family ip vrf SECURE_REMOTE! rd 201:1 route-target export 201:1 route-target import 201:1 interface Loopback200! ip address interface Tunnel201 ip vrf forwarding SECURE_REMOTE ip address tunnel source Loopback200 tunnel destination interface GigabitEthernet3 description to_secure_remote ip vrf forwarding SECURE_REMOTE ip address negotiation auto! router eigrp 201 address-family ipv4 vrf SECURE_REMOTE network network autonomous-system 201 exit-address-family BRKRST

62 PI CLI Template Remote Layer 3 Switch Check if existing template and delete, upload of a text file CLI template It will require two variables: Client IP address VLAN Values obtained from APIC-EM Configuration: new loopback interface, new GRE tunnel, new routing AS new static route, new prefix list, new route-map and route redistribution interface Loopback200 ip address ! interface Tunnel201 ip address tunnel source Loopback200 tunnel destination ! router eigrp 123 network ! router eigrp 201 network redistribute static route-map REMOTE_ACCESS exit! ip route $RemoteClient Vlan$VlanId! ip prefix-list REMOTE_ACCESS_PLIST seq 5 permit $RemoteClient/32! route-map REMOTE_ACCESS permit 10 match ip address prefix-list REMOTE_ACCESS_PLIST BRKRST

63 PI API Request - Variables in JSON The CLI template deployment requires two variables {client_ip} IP-D IP address {vlan_number} access vlan Prime Infrastructure CLI Template configuration Variable in JSON format variable_value = [ {'name' : 'RemoteClient', 'value' : client_ip}, {'name' : 'VlanId', 'value' : str(vlan_number)} ] BRKRST

64 PI API Request Deploy the CLI template {template_name} using {variable_value} through a job def pi_deploy_cli_template(device_id, template_name, variable_value): param = { PI device id 'clitemplatecommand': { 'targetdevices': { 'targetdevice': { 'targetdeviceid': str(device_id), 'variablevalues' : { 'variablevalue' : variable_value } } }, 'templatename': template_name } } Request Body url = PI_URL + '/webacs/api/v1/op/clitemplateconfiguration/deploytemplatethroughjob' header = {'content-type': 'application/json', 'accept': 'application/json'} response = requests.put(url, data=json.dumps(param), headers=header, verify=false, auth=pi_auth) job_json = response.json() job_name = job_json['mgmtresponse']['clitemplatecommandjobresult']['jobname'] return job_name # return the deploy template job name Parsing JSON BRKRST

65 ASAv Security Configuration ASA requires an agent to be downloaded, installed and enabled Agents are available for both physical and virtual ASA s (ASAv) API calls utilize HTTP Basic Authentication We will need three API calls: Find out the inbound Access Control List Id for the outside interface Insert a new statement to allow communication from the DMZ VDI to the IP-enabled Device IP address Delete the ACE at the end of the de-provisioning BRKRST

66 ASAv API Request Retrieve existing ACL id for the {interface_name} ASAv_USER = 'python' ASAv_PASSW = 'cisco' ASAv_AUTH = HTTPBasicAuth(ASAv_USER, ASAv_PASSW) Authentication HTTP Basic def get_asav_access_list(interface_name): Find out the existing ASAv interface Access Control List Call to ASAv - /api/access/in/{interfaceid}/rules :param interface_name: ASA interface_name Build Code Documentation using PyDoc :return: Access Control List id number URL url = ASAv_URL + '/api/access/in/' + interface_name + '/rules' header = {'content-type': 'application/json', 'accept-type': 'application/json'} response = requests.get(url, headers=header, verify=false, auth=asav_auth) acl_json = response.json() acl_id_number = acl_json['items'][0]['objectid'] return acl_id_number Parsing JSON BRKRST

67 ASAv API Response Retrieve existing ACL id for the {interface_name} { "items" : [ { "destinationservice" : { "kind" : "NetworkProtocol", "value" : "ip" }, "destinationaddress" : { "kind" : "IPv4Address", "value" : " " }, "sourceaddress" : { "kind" : "IPv4Address", "value" : " " }, "objectid" : " ", "sourceservice" : { "kind" : "NetworkProtocol", "value" : "ip" BRKRST

68 ASAv API Call JSON Formatting Tip Sometimes the JSON variable we need to send is complex example ASAv ACL Save time by configuring the entry using a different tool Create an API call, method GET, to obtain the configuration, in JSON format Now you have the variable formatted in JSON, as needed for your future API call Make configuration changes and use it! ACL_data = {"destinationaddress" : { "value" : " ", "kind" : "IPv4Address }, "destinationservice" : { "value" : "tcp/8443", "kind" : "TcpUdpService }, "sourceaddress" : { "value" : "any", "kind" : "AnyIPAddress }, "sourceservice" : { "value" : "tcp", "kind" : "NetworkProtocol }, "permit" : True, "active": True, "rulelogging" : { "logstatus" : "Informational", "loginterval" : 300 }, "isaccessrule" : True, "position" : 4, "remarks" : [] } BRKRST

69 Tropo Notification Cloud platform to enable the creation of Voice and SMS applications Steps required: 1. Account registration 2. Creation of a new Application 3. A token generation 4. Call to the API including the token 5. Append additional information: phone number, text, voice message for TTS It takes 5 minutes for a basic Tropo App to be created BRKRST

70 Tropo Notification API s Send notification to call user, and play message def tropo_notification(): url = ' header = {'accept': 'application/json'} response = requests.get(url, headers=header, verify=false) response_json = response.json() result = response_json['success'] if result: notification = 'successful' else: notification = 'not successful' print ('Tropo notification: ', notification) return notification BRKRST

71 ERNA - Utilized APIs Summary Spark Create and delete spaces Read and post messages Membership invite new members to room UCS Director Obtain UCSD application key Execute a workflow in the DC APIC-EM Create auth ticket Locate the IP-enabled Device based on IP address (after DNS resolution) Find out the hostname of the layer 3 access switch and the access VLAN Device configuration synchronization Path trace, create and retrieve result BRKRST

72 ERNA - Utilized APIs Summary - continued Prime Infrastructure Upload CLI templates from text file Deploy CLI template to the layer 3 access switch Deploy CLI template to the data center CSR1000v Get CLI deployment PI job status, delete CLI templates ASAv Retrieve existing ASA access list for an interface Insert a new access control list entry Delete the inserted access control list entry Tropo Notification via voice call that ERNA has been provisioned Other working with files, logging to file, debugging BRKRST

73 Agenda Programmability? Why? Developer Resources Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Architecture Implementation Utilized APIs Flowchart Demo Lessons Learned 120 Minutes to Your Application Summary

74 ERNA Flowchart ERNA Application Start DNS Lookup Timer Started Timer Expired Spark End-User Requests Access Spark Notification Spark Notification UCSD Workflow Initiated Workflow Initiated APIC-EM Create Ticket Locate IP-D Identify Switch/VLAN Path Trace ASAv ASAv Config ASAv Config PI Template L3 Switch Template DC Router Check Job Status Template & Jos Status Switch and Router Tropo Tropo Notification Provisioning De-provisioning BRKRST

75 Agenda Programmability? Why? Developer Resources Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Architecture Implementation Utilized APIs Flowchart Demo Lessons Learned 120 Minutes to Your Application Summary

76 ERNA Pre-Recorded Demo

77 ERNA Flowchart ERNA Application Start DNS Lookup Timer Started Timer Expired Spark End-User Requests Access Spark Notification Spark Notification UCSD Workflow Initiated Workflow Initiated APIC-EM Create Ticket Locate IP-D Identify Switch/VLAN Path Trace ASAv ASAv Config ASAv Config PI Template L3 Switch Template DC Router Check Job Status Template & Jos Status Switch and Router Tropo Tropo Notification Provisioning De-provisioning BRKRST

78

79 ERNA Flowchart ERNA Application Start DNS Lookup Timer Started Timer Expired Spark End-User Requests Access Spark Notification Spark Notification UCSD Workflow Initiated Workflow Initiated APIC-EM Create Ticket Locate IP-D Identify Switch/VLAN Path Trace ASAv ASAv Config ASAv Config PI Template L3 Switch Template DC Router Check Job Status Template & Jos Status Switch and Router Tropo Tropo Notification Provisioning De-provisioning BRKRST

80 Decommission and restore environment to clean state

81 ERNA lab testing BRKRST

82 ERNA Python code The use case code may be found here: You will find : The Python program CLI templates text files Debugging log files The documentation created with PyDoc - BRKRST_2935_ERNA_CL.html It is not intended for use in any production environment without significant testing, validation and re-write to meet your Enterprise Application Development Policies This code intent is for teaching purposes BRKRST

83 Python Documentation - Pydoc Built-in Python module - documentation formatted as HTML or text. BRKRST

84 Python Logging Built-in Python logging logging to file, Debugging level BRKRST

85 Agenda Programmability? Why? Developer Resources REST APIs JSON and XML Python Sandboxes and Labs API Docs Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Lessons Learned 120 Minutes to Your Application Summary

86 Lessons Learned Start to automate simple tasks Think APIs first, CLI second Find something you can not do today, be creative by using APIs Your application does not have to be perfect, we are not developers Expect to troubleshoot your code, ask for help, check communities Join programmability communities Remember to have fun! BRKRST

87 ERNA next steps Configuration for last Layer 3 network device to be a router, Catalyst 9k Incorporate an approval process Integration with ISE Accommodate for multiple users requesting access at the same time Templates IP address validation before deployment Traffic capture for vendor traffic QoS policies BRKRST

88 Agenda Programmability? Why? Developer Resources REST APIs JSON Python Sandboxes and Labs API Docs Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Lessons Learned 120 Minutes to Your Application Summary

89 How to Get Started?

90 Your Development Environment Learn about APIs Programming languages Operating system selection Text editors and IDEs Labs Communities, resources and code repositories BRKRST

91 Learn about APIs DevNet learning tracks and labs API documentation APIs provide Try it features DevNet Express Events BRKRST

92 Postman Postman - Rest API client Learning and troubleshooting Generate code option BRKRST

93 Programing Languages Large variety of programming languages: Python, JavaScript, Go, Take in consideration your developers choice Find on communities what is the choice for most of your peers For scripting and network engineers Python If you are just starting Python Remember to install your Python Packages The Hitchhiker s Guide to Python! BRKRST

94 JSON and or XML { key : value } { <tag><value></tag> } { } "ipv4address": " ", "ipv4mask": " ", "portname": "GigabitEthernet1", "description": " TO_vSWITCH0", "status": "up", "adminstatus": "UP", "id": "7c bd-b516-6c32510"... { } <interface> <name>gigabitethernet1</name> <description>to_vswitch0</description> <enabled>true</enabled> <address> <ip> </ip> <netmask> </netmask> </address> </ipv4> </interface> REST APIs and RESTCONF support JSON and XML, NETCONF supports only XML BRKRST

95 Operating System Choices Mac OS X, Linux, Windows they will all work well for what you need Some advantages for Mac OS X, or Linux Isolation between your Python environments, and your OS: OS upgrades what is the impact on your Python environment? What are your Python packages going to change in your OS? Do you need different Python packages versions for your applications? Python virtual environments easy to configure, highly recommended BRKRST

96 Operating System Choices - Continued Virtual machines Ubuntu free, easy to install Avoid some other OS limitations (SSL versions) Will consume CPU/Memory Will need virtualization software Containers Light, very easy to get started Application portability APIs enabled infrastructure Something else to learn BRKRST

97 Text editors and Integrated Development Environments Text editors all of them will work for writing Python code Advanced text editors will make your life easier: Atom, Sublime, Notepad++, TextMate Integrated Development Environments (IDEs): Improve your code quality and productivity Code Inspection and refactoring Will integrate with version control systems (VCS), virtual environments, packages updates, debugging, error correction PyCharm, Eclipse, VIM, Wind IDE, Spyder Python BRKRST

98 Labs Cisco DevNet Sandboxes: will require a DevNet free account Cisco dcloud: You will need a cisco.com account (CCO) VPN anyconnect client or a Cisco router to VPN to dcloud VIRL: Virtual Internet Routing Lab Your lab: You may run virtual almost everything BRKRST

99 Communities, Resources and Code Repositories Cisco DevNet Cisco Spark Meraki Developers Programmability Partner Community GitHub: Code hosting platform for version control and collaboration BRKRST

100 120 Minutes To Your Application DevNet, GitHub, Communities Join Communities, Download Sample Code and Run Labs/Sandboxes Integrated Development Environment, Text Editor Python Import Modules DevNet Sandbox, Labs, Learning Tracks, dcloud and Your Lab PyCharm, Eclipse, VIM, Sublime, Atom, Notepad++ Virtual environments, PIP3, Python Packages Programming Language Python, JS, Go, C#, JSON and XML Operating System Mac OS X, Ubuntu, Windows, VMs, Containers Learn about API s DevNet Express, Learning Labs, API docs, Postman BRKRST

101 Agenda Programmability? Why? Developer Resources REST APIs JSON Python Sandboxes and Labs API Docs Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Lessons Learned 120 Minutes to Your Application Summary

102 Summary Reuse leading to efficiencies: design once, use many High availability: enables effective change control Flexibility in services delivery: on-demand, consumer driven Pervasive security: all network communications can be mapped to security policies. Rapid provisioning and decommissioning with full traceability Decoupled from physical infrastructure: as long as there is an API exposed BRKRST

103 Q & A

104 Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card. Complete your session surveys through the Cisco Live mobile app or on Don t forget: Cisco Live sessions will be available for viewing on demand after the event at

105 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Lunch & Learn Meet the Engineer 1:1 meetings Related sessions: DEVNET APIs Assist Troubleshooting in Manufacturing DEVNET {Spark:Connect} APIs configured Wi-Fi Hotspot DEVNET-2593 {Meraki:Connect} APIs configured Wi-Fi Hotspot BRKRST

106 Thank you

107