From Zero to Network Programmability in 120 minutes Gabriel Zapodeanu Technology Solutions Architect, Cisco Systems gzapodea@cisco.com, @zapodeanu, github.com/gzapodea BRKRST-2935
Cisco Spark How Questions? Use Cisco Spark to chat with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space Cisco Spark spaces will be available until July 3, 2017. cs.co/ciscolivebot#brkrst-2935
Stan Ilchev: spent the last 20 years working on small, mid and large scale projects in global manufacturing, enterprise and retail environments; Minolta, Konica, Intel and Daimler would be some examples. Currently involved in complex security initiatives for a large multinational sportswear company known to pioneer the use of air in athletic shoe soles. Presented at Cisco Live 2014 and 2015 on the topic of Virtualized Plant Floor Services Architecture (CCSVIR-1400). stanlyilch@gmail.com, LinkedIn: https://www.linkedin.com/in/stanilchev
Agenda Programmability? Why? Developer Resources REST APIs JSON and XML Python Sandboxes and Labs API Docs Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Lessons Learned 120 Minutes to Your Application Summary
Agenda: Programmability? Why?
What are the top 3 areas your organization is looking to improve upon with automation?
Top Areas to Automate (% of respondents). Chart categories: Network operations; Network performance monitoring; Network troubleshooting; Traffic management (e.g. QoS, bandwidth usage); Security mechanisms; Data center services and integrity; Cloud Services integration and integrity; Access to networked resources; Systems software (e.g. OpenStack); Collaboration systems (e.g. web conferencing); Business applications (e.g. customer portal, sales application).
Bar values as extracted: 19%, 16%, 16%, 11%, 10%, 7%, 6%, 5%, 3%, 3%, 3% (the pairing of value to category did not survive extraction).
Source: Cisco Learning Network, Cisco Certified Community Research Survey on Network Automation and Programmability, app developer responses filtered out
Which of the following statements most closely describes the scripting or programming skills used by you or your team?
Current Scripting and Coding Skillset (% of respondents):
CLI only: 58%
Scripts only, had programming training, don't program regularly: 25%
Both scripts and programs regularly / Scripts only, no programming: 9% and 8% (which of these two is 9% did not survive extraction)
Source: Cisco Learning Network, Cisco Certified Community Research Survey on Network Automation and Programmability, app developer responses filtered out
What is your viewpoint on advanced scripting or programming skillsets, such as PERL scripting or Python, as they relate to networking for technology professionals?
View on Scripting and Coding Skillset (% of respondents):
It is already a requirement today: 40%
It is not currently a requirement but will be required within the next 3-5 years: 30%
It is a benefit but won't be a requirement within the next 3-5 years: 17%
It is not relevant: 13%
Source: Cisco Learning Network, Cisco Certified Community Research Survey on Network Automation and Programmability, app developer responses filtered out
Programmability Benefits
Innovation and business agility
Accelerated time to market
Service delivery optimization
Cost reduction and increased efficiencies
Highly skilled architects and engineers
Improved availability
Service-level improvements
Higher network availability due to reduced human error
Programmability Use Cases (chart: business value, low to high, plotted against business risk, low to high). Use cases placed on the chart: Compliance, Security, Dynamic Application Configuration, Troubleshooting, Performance, Green Field, Change Control, Design Optimization, Monitoring, Operations.
Agenda: Developer Resources, REST APIs
What is REST?
REST: Representational State Transfer
Client-server communications
Stateless: the client side maintains session state, the server does not
An architecture style for designing networked applications; it is not a standard
First worked out between October 1994 and August 1995, published in 2000 in Roy Thomas Fielding's PhD dissertation, Architectural Styles and the Design of Network-based Software Architectures
What is a REST API?
API: Application Programming Interface
A set of subroutine definitions, protocols, and tools for building application software
Specifies how software components should interact with each other
Many types of APIs exist, not only RESTful APIs
RESTful APIs use HTTP requests for Create/Read/Update/Delete (CRUD) operations: create a new resource, retrieve/read a resource, update an existing resource, delete a resource
How to Make a REST API Call
REST APIs are centered around an HTTP request and response model. Consuming an API is as simple as making an HTTP request.
The client (your application) sends a request to the application server and receives a response.
REST API Request
URL: application server and the API resource
Authentication: HTTP Basic, custom, OAuth, none
Custom headers: HTTP headers, for example Content-Type: application/json
Request body: JSON or XML, the data needed to complete the request
Method (CRUD): POST creates a new resource; GET retrieves/reads a resource; PUT updates an existing resource; DELETE deletes a resource
REST API Request - example: create a new Spark room

import json
import requests

# SPARK_AUTH holds the string 'Bearer <token>'; it is defined once (see the Spark API Request slide)

def create_spark_room(room_name):                                    # user defined function
    url = 'https://api.ciscospark.com/v1/rooms'                      # URL: application server and resource (HTTPS)
    header = {'content-type': 'application/json',                    # headers
              'authorization': SPARK_AUTH}                           # authentication
    payload = {'title': room_name}                                   # request body
    room_response = requests.post(url, data=json.dumps(payload), headers=header)   # method: POST
    return room_response
REST API Response
HTTP status codes: 2xx success (200 OK, 201 Created); 4xx client error (400 Bad Request, 401 Unauthorized, 404 Not Found); 5xx server error (500 Internal Server Error)
Headers: content type (JSON or XML), cache control, date, encoding
Response body: payload with the requested data, formatted in JSON or XML
REST API Response - example
HTTP status code: 200 (success)
Headers:
Cache-Control: no-cache
Content-Encoding: gzip
Content-Type: application/json;charset=utf-8
Date: Sun, 05 Feb 2017 02:07:54 GMT
JSON response body:
{
    "id": "Y2lzY29zcGFyazovL3VzL1JPT...",
    "title": "Cisco Live Room",
    "type": "group",
    "isLocked": false,
    "lastActivity": "2017-01-09T01:03:28.522Z",
    "creatorId": "Y2lzY29zcGFyazovL3VzL1BFT1B...",
    "created": "2017-06-09T01:03:28.483Z"
}
REST API Request - Response
Request (client, your application):
    url = 'https://api.ciscospark.com/v1/rooms'
    header = {'content-type': 'application/json', 'authorization': SPARK_AUTH}
    payload = {'title': 'Cisco Live Room'}
    room_response = requests.post(url, data=json.dumps(payload), headers=header)
Response (Cisco Spark): 200 / success
{
    "id": "Y2lzY29zcGFyazovL3VzL1JPT...",
    "title": "Cisco Live Room",
    "type": "group",
    "isLocked": false,
    "lastActivity": "2017-01-09T01:03:28.522Z",
    "creatorId": "Y2lzY29zcGFyazovL3VzL1BFT1B...",
    "created": "2017-06-09T01:03:28.483Z"
}
The response value is assigned to the variable room_response.
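The same request/response cycle as an added example (not code from the deck or from the ERNA repository), written against the Python standard library so it carries the three things the slide snippets leave implicit: the token comes from the environment rather than the source file, certificate verification stays on (the alternative to verify=False), and the status code is checked before the body is trusted. The transport is injectable so the logic can be exercised without network access; the SPARK_TOKEN variable name, the 10-second timeout and the fake transport in the usage at the bottom are assumptions.

```python
import json
import os
import ssl
import urllib.error
import urllib.request
from typing import Any, Callable, Optional, Tuple

# A transport turns a prepared Request into (status, headers, body). It is a parameter
# so the request building and response handling can be tested with a fake (see below).
Transport = Callable[[urllib.request.Request, float], Tuple[int, dict, bytes]]


def token_from_env(var: str = "SPARK_TOKEN") -> str:
    """Read the bearer token from the environment (assumed variable name); never paste it into source."""
    token = os.environ.get(var, "").strip()
    if not token:
        raise RuntimeError(f"{var} is not set")
    return token


def urllib_transport(cafile: Optional[str] = None) -> Transport:
    """Real transport. Certificate verification stays on; pass cafile for a private lab CA
    instead of switching verification off."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(req: urllib.request.Request, timeout: float):
        try:
            with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
                return resp.status, dict(resp.headers), resp.read()
        except urllib.error.HTTPError as err:      # 4xx/5xx: keep the body, it explains the failure
            return err.code, dict(err.headers), err.read()
    return send


def classify(status: int) -> str:
    """Map the status code classes from the slide to an action category."""
    if 200 <= status < 300:
        return "success"
    if status in (401, 403):
        return "auth"                                # bad or expired token: do not retry blindly
    if 400 <= status < 500:
        return "client_error"                        # our request is wrong: fix it, do not retry
    if 500 <= status < 600:
        return "server_error"                        # retry with backoff
    return "unexpected"


def rest_call(method: str, url: str, token: str, payload: Any = None,
              transport: Optional[Transport] = None, timeout: float = 10.0):
    """One REST request with bearer authentication; returns (status, parsed body or None)."""
    if not url.lower().startswith("https://"):
        raise ValueError("bearer tokens travel over TLS only; refusing " + url)
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    data = None
    if payload is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    status, _hdrs, body = (transport or urllib_transport())(req, timeout)
    parsed: Any = None
    if body:
        try:
            parsed = json.loads(body.decode("utf-8"))
        except ValueError:                           # not JSON (proxy error page etc.)
            parsed = body.decode("utf-8", errors="replace")
    return status, parsed


def create_spark_room(title: str, token: str, transport: Optional[Transport] = None) -> dict:
    """Same call as the deck's create_spark_room, but a non-2xx answer raises instead of being ignored."""
    status, body = rest_call("POST", "https://api.ciscospark.com/v1/rooms", token,
                             {"title": title}, transport=transport)
    if classify(status) != "success":
        raise RuntimeError(f"room creation failed: HTTP {status} {body}")
    return body


if __name__ == "__main__":
    # Offline usage with a fake transport (constructed response, no network).
    fake = lambda req, timeout: (200, {}, b'{"id": "Y2lzY29", "title": "Cisco Live Room"}')
    print(create_spark_room("Cisco Live Room", "example-token", transport=fake))
```

With the real transport the call is `create_spark_room(title, token_from_env())`; a 401 surfaces as a RuntimeError carrying the server's message instead of an empty room variable.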
Use Case REST APIs
The presented use case accesses the programmable infrastructure using REST APIs.
The use case REST APIs will access: controllers, network devices, collaboration, orchestration, network management.
Infrastructure components reached through REST APIs: Spark, UCS Director, APIC-EM, Prime Infrastructure (PI), ASAv, Tropo.
Device Programmability
Other options to program network devices:
NETCONF: Network Configuration Protocol
RESTCONF: REST-like access to the YANG data model
gRPC: open-source universal RPC framework, started by Google
YANG data models, open and native, describe the configuration and operational state of device features such as interfaces, BGP, QoS, ACL and SNMP; NETCONF, RESTCONF and gRPC all operate on those models
Agenda: Developer Resources, JSON and XML
Client to Server - Data Exchange
REST APIs are designed to be easy to use, fast and simple
Interchange of structured data is critical: we need to send data to the server and to easily process the received data
CLI output is not structured data, for example:
GigabitEthernet0 is up, line protocol is up
  Hardware is PQ3_TSEC, address is f078.1689.92af
  Description: TO UCS
  Internet address is 172.16.11.1/24
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 1Gbps, media type is RJ45
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  5 minute input rate 4000 bits/sec, 7 packets/sec
  5 minute output rate 5000 bits/sec, 7 packets/sec
     4797 packets input, 2421654 bytes, 0 no buffer
     Received 15 broadcasts (0 IP multicasts)
JSON - JavaScript Object Notation
Lightweight data-interchange format
Easy for humans to read and write
Wide application support to parse and generate
import json: the Python standard library module that encodes/decodes Python types to/from JSON; the import is required before calling json.loads() or json.dumps()
json.org: extensive JSON resource
JSON structure: { "key": "value" }
APIC-EM Get Interface API response (JSON):
{
    "ipv4Address": "172.16.11.11",
    "ipv4Mask": "255.255.255.0",
    "portName": "GigabitEthernet1",
    "description": " TO_vSWITCH0",
    "status": "up",
    "adminStatus": "UP",
    "id": "7c274222-4329-47bd-b516-6c325102e567"
    ...
}
REST APIs and RESTCONF support JSON and XML; NETCONF supports only XML
XML - eXtensible Markup Language
XML stores and transports data
Was designed to be self-descriptive
Language independent
XML vs HTML: XML was designed to carry data, HTML was designed to display data
Python support: multiple modules handle XML (xml.etree.ElementTree ships in the standard library)
XML resource: https://www.w3schools.com/xml
XML structure: <tag>value</tag>
NETCONF Get Interface (XML):
<interface>
  <name>GigabitEthernet1</name>
  <description>TO_vSWITCH0</description>
  <type xmlns:ianaift="urn:ietf:params:xml:ns:yang:iana-if-type">ianaift:ethernetCsmacd</type>
  <enabled>true</enabled>
  <ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
    <address>
      <ip>172.16.11.11</ip>
      <netmask>255.255.255.0</netmask>
    </address>
  </ipv4>
</interface>
REST APIs and RESTCONF support JSON and XML; NETCONF supports only XML
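Added example (not from the deck): one normaliser that turns the three representations shown on the last three slides, the APIC-EM JSON, the NETCONF XML and the raw "show interface" text, into the same dictionary. The three samples are constructed from the slide text; the ietf-interfaces namespace on the XML root and the field names of the result are assumptions. The CLI branch is the slide's point made concrete: every field needs its own regular expression, each tied to one platform's wording, while the structured formats are addressed by key.

```python
import ipaddress
import json
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# --- constructed samples modelled on the slides, not captured from a real device ---
JSON_SAMPLE = """{"ipv4Address": "172.16.11.11", "ipv4Mask": "255.255.255.0",
 "portName": "GigabitEthernet1", "description": "TO_vSWITCH0",
 "status": "up", "adminStatus": "UP", "id": "7c274222-4329-47bd-b516-6c325102e567"}"""

XML_SAMPLE = """<interface xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
  <name>GigabitEthernet1</name>
  <description>TO_vSWITCH0</description>
  <enabled>true</enabled>
  <ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
    <address><ip>172.16.11.11</ip><netmask>255.255.255.0</netmask></address>
  </ipv4>
</interface>"""

CLI_SAMPLE = """GigabitEthernet0 is up, line protocol is up
  Hardware is PQ3_TSEC, address is f078.1689.92af
  Description: TO UCS
  Internet address is 172.16.11.1/24
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,"""

# YANG module namespaces used in the NETCONF reply (assumed root namespace: ietf-interfaces).
NS = {"if": "urn:ietf:params:xml:ns:yang:ietf-interfaces",
      "ip": "urn:ietf:params:xml:ns:yang:ietf-ip"}

Record = Dict[str, Optional[object]]


def from_apic_em_json(text: str) -> Record:
    """Structured: one parse, then fields are addressed by key."""
    d = json.loads(text)
    return {"name": d["portName"], "description": d["description"].strip(),
            "ip": d["ipv4Address"], "mask": d["ipv4Mask"],
            "admin_up": d["adminStatus"].upper() == "UP",
            "oper_up": d["status"].lower() == "up"}


def from_netconf_xml(text: str) -> Record:
    """Structured: namespace-qualified lookups. ElementTree does not fetch external
    entities, but for XML from a source you do not trust prefer defusedxml."""
    root = ET.fromstring(text)
    return {"name": root.findtext("if:name", namespaces=NS),
            "description": root.findtext("if:description", default="", namespaces=NS).strip(),
            "ip": root.findtext("ip:ipv4/ip:address/ip:ip", namespaces=NS),
            "mask": root.findtext("ip:ipv4/ip:address/ip:netmask", namespaces=NS),
            "admin_up": root.findtext("if:enabled", namespaces=NS) == "true",
            "oper_up": None}          # configuration data carries no operational status


def from_cli(text: str) -> Record:
    """Screen-scrape 'show interface': one regex per field, each bound to the exact wording."""
    head = re.match(r"(\S+) is (administratively down|\w+), line protocol is (\w+)", text)
    desc = re.search(r"^\s*Description:\s*(.*)$", text, re.M)
    addr = re.search(r"Internet address is (\d+\.\d+\.\d+\.\d+)/(\d+)", text)
    if not head:
        raise ValueError("unrecognised 'show interface' output")
    iface = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}") if addr else None
    return {"name": head.group(1),
            "description": desc.group(1).strip() if desc else "",
            "ip": str(iface.ip) if iface else None,
            "mask": str(iface.netmask) if iface else None,   # /24 -> 255.255.255.0
            "admin_up": head.group(2) == "up",
            "oper_up": head.group(3) == "up"}


if __name__ == "__main__":
    for parser, sample in ((from_apic_em_json, JSON_SAMPLE),
                           (from_netconf_xml, XML_SAMPLE),
                           (from_cli, CLI_SAMPLE)):
        print(parser.__name__, parser(sample))
```

The XML branch returns oper_up as None on purpose: the ietf-interfaces configuration subtree only says whether the interface is enabled, and conflating that with line-protocol state is a common mistake when mixing sources.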
Agenda: Developer Resources, Python
Programming Language - Python
Ease of use for automation
Python is simple to learn, general purpose
Wide support on Cisco devices and software
A great choice for network engineers
Programming Language - Python
Which one: Python 2 or Python 3?
Extensive libraries
Python.org: full documentation and beginner guides
Your choice of programming language may work, too!
Resources to Get Started with Python
Cisco Learning Network: Programming for Network Engineers (PRNE), e-learning; Network Programmability Specialists: Design, Developer, Engineer; courses and Cisco certifications
Cisco DevNet: introductory Python and JSON learning modules and labs
Python Fundamentals: PluralSight, e-learning, subscription based
The Hitchhiker's Guide to Python!
CodeAcademy, Coursera
Agenda: Developer Resources, Sandboxes and Labs
Sandboxes
DevNet Sandbox: always-on, or reservation based
Free, very easy to use and schedule, nothing for you to maintain
Simulated or physical network equipment
Available sandboxes: Networking, Data Center, Collaboration, Security, Meraki and others
Other Labs
Cisco dCloud: five data centers around the world; customizable environments for Enterprise Networking, Collaboration, DC, Security, and more
Your own lab may be required for POC and POV
Remember that most Cisco software has evaluation licenses available
Our Lab
Proof of Concept lab. Code development for our use case used: DevNet Sandbox, POC lab, UCSD lab
Agenda: Developer Resources, API Docs
API Docs
Quality of API docs is the most important factor in API adoption
REST APIs are an architectural style, not a standard, so docs are essential to know what to send and to understand what you receive back
Look for "Try it out" features!
APIs Reference Documentation
Each API has published documentation: UCS Director, Spark, APIC-EM, Cisco Mobility Experience, Prime Infrastructure, RESTCONF, Cisco DevNet, Meraki
Agenda: Programmability Use Case, Remote Access Overview
Remote Network Access
Vendors, contractors and developers need access to devices or systems on internal Enterprise networks (IP-enabled Devices, IP-Ds)
Typically required for: the normal mode of operations while providing services; troubleshooting; software upgrades, patching and monitoring; proof of concepts and testing of new applications
Encountered in all industries: Utilities, Healthcare, Retail, Manufacturing and others
These IP-enabled Devices (IP-Ds) may be connected anywhere in the environment
Remote Network Access Solutions
DMZ hosted VDI: additional configuration required within the Enterprise network
Web conferencing remote support: WebEx, GoToMeeting
SaaS third-party remote access gateways: TeamViewer, eWON
Hybrid on-prem and IaaS deployment with an appliance in a DMZ: Bomgar
B2B permanent VPN tunnels, if a closer affiliation with the business is established
All of these options are static, inflexible, with limited application/protocol support
Requirements, design and implementation take months
Agenda Programmability? Why? Developer Resources Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Architecture Implementation Utilized APIs Flowchart Demo Lessons Learned 120 Minutes to Your Application Summary
Disclaimer
The sample code in this presentation is intended for learning and educational purposes only
The script was created with the goal of ease of understanding
The software is written based on assumptions that may not apply in your environment
It is not intended for use in any production environment without significant testing, validation and a re-write to meet your Enterprise Application Development Policies
Elastic Remote Network Access Requirements
Remote access to IP-enabled Devices (IP-Ds)
On-demand, provided to an end user or vendor
Dynamically provisioned network access
Support for any application and protocol
Scalable and secure
Design and implementation done once, used many times
Dissolvable as soon as the work is completed
A network access request is provisioned in minutes
High Level Architecture
The Elastic Remote Network Access application sits between the End User Interface and four back ends: Data Center Orchestration, Security Management, Network Controller, Network Device Management.
High Level Architecture - Components
End User Interface: Spark/Tropo
Elastic Remote Network Access Application
Data Center Orchestration: UCSD
Security Management: ASAv
Network Controller: APIC-EM
Network Device Management: PI, NETCONF, RESTCONF
High Level Architecture - Functional Requirements
End User Interface (Spark/Tropo): interaction with the application; input requests, receive notifications, update status
Data Center Orchestration (UCSD): compute provisioning, storage configuration, network provisioning, workflow automation
Security Management (ASAv): firewall configuration; add and remove Access Control List entries
Network Controller (APIC-EM): information about clients, network devices, physical and logical topology
Network Device Management (PI, NETCONF, RESTCONF): configuration management, configuration deployment, restore the network to its prior state, job status report
Agenda: Elastic Remote Network Access (ERNA), Implementation
Network Configurations
DC router (CSR 1000V):
ip vrf SECURE_REMOTE
 rd 201:1
 route-target export 201:1
 route-target import 201:1
!
interface Loopback200
 ip address 172.16.200.1 255.255.255.255
!
interface Tunnel201
 ip vrf forwarding SECURE_REMOTE
 ip address 172.16.201.1 255.255.255.0
 tunnel source Loopback200
 tunnel destination 172.16.200.2
!
interface GigabitEthernet3
 description to_secure_remote
 ip vrf forwarding SECURE_REMOTE
 ip address 172.16.202.1 255.255.255.0
 negotiation auto
!
router eigrp 123
 network 172.16.200.1 0.0.0.0
 redistribute static
 redistribute connected
!
router eigrp 201
 address-family ipv4 vrf SECURE_REMOTE
  network 172.16.201.1 0.0.0.0
  network 172.16.202.1 0.0.0.0
  autonomous-system 201
 exit-address-family

UCSD workflow: UCSD_CONNECT_FLOW

GRE tunnel, remote Layer 3 switch:
interface Loopback200
 ip address 172.16.200.2 255.255.255.255
!
interface Tunnel201
 ip address 172.16.201.2 255.255.255.0
 tunnel source Loopback200
 tunnel destination 172.16.200.1
!
router eigrp 123
 network 172.16.200.2 0.0.0.0
!
router eigrp 201
 network 172.16.201.2 0.0.0.0
 redistribute static route-map REMOTE_ACCESS
 exit
!
ip route $RemoteClient 255.255.255.255 Vlan$VlanId
!
ip prefix-list REMOTE_ACCESS_PLIST seq 5 permit $RemoteClient/32
!
route-map REMOTE_ACCESS permit 10
 match ip address prefix-list REMOTE_ACCESS_PLIST

ASAv, outside interface ACL:
access-list outside_access_in line 1 extended permit ip host 172.16.203.50 host 172.16.41.55

Note that the tunnel is plain GRE: it isolates the vendor path into its own VRF and EIGRP AS and limits routing to the single /32, but it does not encrypt the traffic between the switch and the DMZ router.
ERNA - Implementation
On-demand remote connectivity for troubleshooting an IP-enabled Device (IP-D):
1. The end user requests access to an IP-D in Spark
2. The Spark bot triggers the application execution
3. A UCSD workflow is initiated to power on the VDI and connect it to the vSwitch and ASAv
4. The IP-D is located in the infrastructure by DNS entry and the APIC-EM client database
5. The IP-D default gateway hostname is retrieved from the APIC-EM network database
6. The PI network device ID is found from the hostname
7. A CLI template file is uploaded to PI and deployed to the identified PI device ID: create a loopback interface, build a GRE tunnel, define a new EIGRP AS for host routing (IP-D), add route-maps and prefix lists
8. A CLI template file is uploaded to PI and deployed to the DMZ CSR 1000V: create a new VRF, a new sub-interface and a loopback interface; build a new GRE tunnel, a new routing AS and address family
9. DMZ ASAv configuration: modify the outside interface ACL to allow VDI <-> IP-enabled Device communication
10. PI job status check for the CLI template deployments
11. APIC-EM device sync and Path Trace to validate the secure vendor access
12. A Tropo notification is sent to the end user informing that access has been provisioned; instructions for accessing the VDI/IP-D are posted on Spark
13. The access time window ends: remove all configurations from the branch Layer 3 device, the CSR 1000V and the ASAv, and power off the VDI
End of the application run
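Added example (not the ERNA code): the provisioning order and the teardown in the steps above, kept as a journal of undo actions that runs in reverse. Two properties matter for a remote-access path: a failure midway must roll back what was already pushed rather than leave a half-built tunnel in place, and the ASA entry, which is pushed last, is removed first, so the firewall closes before the router and switch are touched and a failed router cleanup cannot keep the hole open. The step names and the fake API functions in run_demo are constructed for the demonstration; in the real flow each step would wrap the UCSD, PI and ASAv calls.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Action = Callable[[], None]
Step = Tuple[str, Action, Action]          # (name, do, undo)


@dataclass
class AccessGrant:
    """One vendor access window and the undo actions recorded while building it."""
    requester: str
    target_ip: str
    window_seconds: int
    started_at: float
    undo_stack: List[Tuple[str, Action]] = field(default_factory=list)

    def expired(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return now >= self.started_at + self.window_seconds


def provision(grant: AccessGrant, steps: List[Step]) -> None:
    """Run the steps in order. If one fails, undo the ones already done and raise."""
    for name, do, undo in steps:
        try:
            do()
        except Exception as exc:
            rollback_failures = deprovision(grant)
            raise RuntimeError(f"provisioning failed at {name!r}: {exc!r}; "
                               f"rollback failures: {rollback_failures}") from exc
        grant.undo_stack.append((name, undo))


def deprovision(grant: AccessGrant) -> List[Tuple[str, str]]:
    """Undo everything in reverse order. Never stop at the first failure: the firewall
    entry must go even if a later cleanup fails. Returns the failures for the operator."""
    failures: List[Tuple[str, str]] = []
    while grant.undo_stack:
        name, undo = grant.undo_stack.pop()
        try:
            undo()
        except Exception as exc:
            failures.append((name, repr(exc)))
    return failures


def run_demo(fail_at: Optional[str] = None) -> List[str]:
    """Simulated ERNA run with fake API calls (constructed); returns the action log."""
    log: List[str] = []

    def step(name: str) -> Step:
        def do() -> None:
            if name == fail_at:
                raise ConnectionError(f"{name} API unreachable")
            log.append("+" + name)

        def undo() -> None:
            log.append("-" + name)
        return name, do, undo

    # Same order as the implementation steps: compute first, firewall last.
    steps = [step("ucsd_vdi"), step("pi_switch_template"),
             step("pi_router_template"), step("asa_ace")]
    grant = AccessGrant("vendor@example.com", "172.16.41.55",
                        window_seconds=3600, started_at=0.0)
    try:
        provision(grant, steps)
    except RuntimeError:
        log.append("error")              # rollback already happened inside provision()
        return log
    # ... the access window elapses (grant.expired(now=3600.0) is True) ...
    deprovision(grant)
    return log


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(fail_at="pi_router_template"))
```

The teardown timer in the flowchart maps onto AccessGrant.expired(); a watchdog that calls deprovision() whenever it is true, independent of the Spark conversation, is what makes the access genuinely dissolvable rather than dependent on the bot still running.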
Agenda: Elastic Remote Network Access (ERNA), Utilized APIs
Spark API calls
Cisco Spark as a user interface and messaging platform
Create a new space, if one does not exist
Invite vendors to join the space
The vendor requests remote access to an IP-enabled device
API calls to Spark: check for messages, post a message, create/delete spaces, membership
Spark API Request: retrieve the last message from the room with {room_id}

import requests

SPARK_URL = 'https://api.ciscospark.com/v1'
# Bearer token (truncated on the slide). Keep it out of source control: load it from an
# environment variable or a secret store instead of pasting it into the script.
SPARK_AUTH = 'Bearer ' + 'ZTc0ZGUzNTctMWFlNC00ODQzLWFkYWEtMGI4ZDNkYTE5...'      # authentication

def last_spark_room_message(room_id):                                 # user defined function
    url = SPARK_URL + '/messages?roomId=' + room_id                   # URL
    header = {'content-type': 'application/json',                     # headers
              'authorization': SPARK_AUTH}                            # authentication
    response = requests.get(url, headers=header)                      # method: GET
    list_messages_json = response.json()                              # parsing JSON
    print(list_messages_json)
    list_messages = list_messages_json['items']
    last_message = list_messages[0]['text']                           # Spark lists newest first
    print('Last room message : ', last_message)
    return last_message
Spark API Response: retrieve the last message from the room with {room_id}
{
  "items": [
    {
      "id": "Y2lzY29zcGFyazovL3VzL01FU1NBR0UvYTAyNzk2N...",
      "roomId": "Y2lzY29zcGFyazovL3VzL1JPT00vNWNmNjM4YzAtZ...",
      "roomType": "group",
      "text": "Your access is provisioned",
      "personId": "Y2lzY29zcGFyazovL3VzL1BFT1BMRS8zZDJmMTZjZC01...",
      "personEmail": "gzapodea@cisco.com",
      "created": "2017-06-11T00:18:34.455Z"
    }
  ]
}
Response data after parsing JSON:
Last room message : Your access is provisioned
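Added example (not from the deck): choosing the message to act on instead of taking items[0]. items[0] is the newest message in the room, and right after the bot posts "Your access is provisioned" that newest message is the bot's own text; a bot that reacts to its own output loops. The function below skips the bot's messages, accepts requests only from sender domains the operator allows, and skips message ids already handled on an earlier poll. The bot identity, the allowed domains and the message list are constructed for the example.

```python
from typing import Dict, Iterable, List, Optional, Set

BOT_EMAIL = "erna-bot@example.com"                    # assumed identity of the Spark bot account
ALLOWED_DOMAINS = {"cisco.com", "vendor.example"}     # assumed: who may request access

# Constructed GET /v1/messages?roomId=... reply (newest first), modelled on the response slide.
MESSAGES_SAMPLE: Dict[str, List[dict]] = {"items": [
    {"id": "m3", "roomId": "R1", "roomType": "group", "text": "Your access is provisioned",
     "personId": "p-bot", "personEmail": "erna-bot@example.com",
     "created": "2017-06-11T00:18:34.455Z"},
    {"id": "m2", "roomId": "R1", "roomType": "group", "text": "access plc-07 please",
     "personId": "p-x", "personEmail": "someone@unknown.example",
     "created": "2017-06-11T00:17:00.000Z"},
    {"id": "m1", "roomId": "R1", "roomType": "group", "text": "access plc-07",
     "personId": "p-v", "personEmail": "tech@vendor.example",
     "created": "2017-06-11T00:16:00.000Z"},
]}


def sender_domain(email: str) -> str:
    """Domain part of an address, lower-cased; '' when there is no '@'."""
    return email.rpartition("@")[2].lower() if "@" in email else ""


def latest_request(items: Iterable[dict], bot_email: str = BOT_EMAIL,
                   allowed_domains: Set[str] = ALLOWED_DOMAINS,
                   seen_ids: Optional[Set[str]] = None) -> Optional[dict]:
    """Newest message that is (a) not the bot's own, (b) from an allowed domain and
    (c) not handled on a previous poll. Returns None when there is nothing to do."""
    seen = set() if seen_ids is None else seen_ids
    for m in items:                                   # Spark returns newest first
        sender = m.get("personEmail", "")
        if sender.lower() == bot_email.lower():       # our own notifications: never a request
            continue
        if sender_domain(sender) not in allowed_domains:
            continue                                  # not authorised to ask for access
        if m["id"] in seen:
            continue                                  # already processed; polling repeats it
        seen.add(m["id"])
        return {"id": m["id"], "roomId": m["roomId"], "sender": sender, "text": m["text"]}
    return None


if __name__ == "__main__":
    handled: Set[str] = set()
    print(latest_request(MESSAGES_SAMPLE["items"], seen_ids=handled))   # the vendor's request
    print(latest_request(MESSAGES_SAMPLE["items"], seen_ids=handled))   # None: nothing new
```

The seen set must survive between polls (persist it with the grant records), otherwise every poll re-triggers the same provisioning workflow.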
UCSD API calls
Two API calls are required to trigger the execution of a predefined workflow:
1. Create a UCSD user API key to authenticate the user's calls (sample below)
2. Execute the workflow to power on the VDI and connect it to the ASAv outside interface

import requests

def get_ucsd_api_key():                                                 # user defined function
    # Username and password travel in the URL query string here, so they end up in proxy
    # and web server logs: use a dedicated API account for this call.
    url = (UCSD_URL + '/app/api/rest?formatType=json&opName=getRESTKey'  # URL
           + '&user=' + UCSD_USER + '&password=' + UCSD_PASSW)
    header = {'content-type': 'application/json', 'accept': 'application/json'}   # headers
    # verify=False turns certificate checking off (lab only); point verify at the lab CA bundle instead
    response = requests.get(url, headers=header, verify=False)          # method: GET
    ucsd_api_key = response.json()                                      # parsing JSON
    return ucsd_api_key
APIC-EM API Calls
APIC-EM has a complete inventory of network devices and clients
Applications available: Plug and Play, IWAN, EasyQoS, Path Trace
Physical and logical topologies
We will locate the IP-enabled Device using the provided device name and a DNS lookup
APIC-EM API Calls, continued
Required APIC-EM API calls:
Create a user auth ticket, to be used for all the API calls
Locate the IP-D based on its IP address; it could be anywhere in the network
Find the APIC-EM device id of the network device connected to the IP-D
Retrieve the hostname of the network device based on the APIC-EM device id
Find the access VLAN for the specified IP-D
Device synchronization and Path Trace to validate vendor access
APIC-EM API Request: discover the hostname of a network device based on the APIC-EM {device_id}

import requests

def get_hostname_id_apic_em(device_id, ticket):                        # user defined function
    url = EM_URL + '/network-device/' + device_id                       # URL
    header = {'accept': 'application/json', 'X-Auth-Token': ticket}    # headers; authentication with the service ticket
    hostname_response = requests.get(url, headers=header, verify=False)   # method: GET (verify=False is lab only)
    hostname_json = hostname_response.json()                           # parsing JSON
    hostname = hostname_json['response']['hostname']
    return hostname
APIC-EM API Response: discover the hostname of a network device based on the APIC-EM {device_id}
{
  "version": "1.0",
  "response": {
    "family": "Switches and Hubs",
    "id": "26450a30-57d8-4b56-b8f1-6fc535d67645",
    "upTime": "219 days, 21:09:28.84",
    "softwareVersion": "12.2(55)SE3",
    "managementIpAddress": "10.2.1.17",
    "locationName": "New-York",
    "serialNumber": "FOC1537W1ZY",
    "platformId": "WS-C3850-24P-E",
    "hostname": "NYC-SW",
    ...
  }
}
Prime Infrastructure API Calls
PI: network management operations
Upload CLI templates from a text file
Identify PI device ids using the device hostnames
Deploy the CLI template to the Layer 3 access switch
Deploy the CLI template to the DC CSR 1000V
Get the CLI deployment PI job status, delete the CLI templates
Deployment of the PI CLI templates requires: the PI device ids, the CLI template name, variables (if any)
As a result a GRE tunnel is provisioned and routing is configured to allow reachability only from the DMZ VDI host to the IP-enabled Device host
PI CLI Template - DC Router
Check whether the CLI template exists and delete it, then upload a fresh CLI template from file
Uses reserved IP addresses for the new interfaces; it does not require variables
Configuration: new VRF, new Loopback interface, update of GigabitEthernet3, new routing AS, new address family
ip vrf SECURE_REMOTE
 rd 201:1
 route-target export 201:1
 route-target import 201:1
!
interface Loopback200
 ip address 172.16.200.1 255.255.255.255
!
interface Tunnel201
 ip vrf forwarding SECURE_REMOTE
 ip address 172.16.201.1 255.255.255.0
 tunnel source Loopback200
 tunnel destination 172.16.200.2
!
interface GigabitEthernet3
 description to_secure_remote
 ip vrf forwarding SECURE_REMOTE
 ip address 172.16.202.1 255.255.255.0
 negotiation auto
!
router eigrp 201
 address-family ipv4 vrf SECURE_REMOTE
  network 172.16.201.1 0.0.0.0
  network 172.16.202.1 0.0.0.0
  autonomous-system 201
 exit-address-family
PI CLI Template - Remote Layer 3 Switch
Check whether the template exists and delete it, then upload the text file CLI template
It requires two variables, the client IP address and the VLAN, with values obtained from APIC-EM
Configuration: new loopback interface, new GRE tunnel, new routing AS, new static route, new prefix list, new route-map and route redistribution
interface Loopback200
 ip address 172.16.200.2 255.255.255.255
!
interface Tunnel201
 ip address 172.16.201.2 255.255.255.0
 tunnel source Loopback200
 tunnel destination 172.16.200.1
!
router eigrp 123
 network 172.16.200.2 0.0.0.0
!
router eigrp 201
 network 172.16.201.2 0.0.0.0
 redistribute static route-map REMOTE_ACCESS
 exit
!
ip route $RemoteClient 255.255.255.255 Vlan$VlanId
!
ip prefix-list REMOTE_ACCESS_PLIST seq 5 permit $RemoteClient/32
!
route-map REMOTE_ACCESS permit 10
 match ip address prefix-list REMOTE_ACCESS_PLIST
PI API Request - Variables in JSON
The CLI template deployment requires two variables: {client_ip}, the IP-D IP address, and {vlan_number}, the access VLAN
Prime Infrastructure CLI template configuration variables in JSON format:
variable_value = [
    {'name': 'RemoteClient', 'value': client_ip},
    {'name': 'VlanId', 'value': str(vlan_number)}
]
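Added example (not the ERNA code): validating {client_ip} and {vlan_number} before they become template variables. PI substitutes $RemoteClient and $VlanId into the CLI text verbatim, so a value such as "172.16.41.55 255.255.255.255 Null0" would change the switch configuration well beyond the intended /32 route, and a VLAN of "10 ; shutdown" would do the same. Parsing with ipaddress and int rejects anything that is not exactly one IPv4 host and one VLAN number, and an allow-list of target ranges stops the mechanism from being pointed at hosts ERNA was never meant to expose. The allowed ranges, the template excerpt and the string.Template preview (PI performs the real substitution) are assumptions.

```python
import ipaddress
from string import Template
from typing import Dict, Iterable, List

# Constructed excerpt of the switch template; the two $variables are the deck's.
SWITCH_TEMPLATE = """ip route $RemoteClient 255.255.255.255 Vlan$VlanId
!
ip prefix-list REMOTE_ACCESS_PLIST seq 5 permit $RemoteClient/32
!
route-map REMOTE_ACCESS permit 10
 match ip address prefix-list REMOTE_ACCESS_PLIST
"""

# Assumed policy: only hosts in these plant/branch ranges may be exposed through ERNA.
ALLOWED_TARGETS = [ipaddress.ip_network("172.16.40.0/22")]


def build_variable_value(client_ip: str, vlan_number,
                         allowed: Iterable[ipaddress.IPv4Network] = ALLOWED_TARGETS
                         ) -> List[Dict[str, str]]:
    """Validate both inputs and return them in PI's variableValue shape."""
    ip = ipaddress.ip_address(str(client_ip).strip())   # ValueError on anything but one address
    if ip.version != 4:
        raise ValueError("the template is IPv4-only")
    if ip.is_multicast or ip.is_unspecified or ip.is_loopback:
        raise ValueError(f"{ip} is not a routable host address")
    if not any(ip in net for net in allowed):
        raise ValueError(f"{ip} is outside the ranges ERNA may expose")
    vlan = int(str(vlan_number).strip())                 # ValueError on '10 ; shutdown' and friends
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} is out of range")
    return [{"name": "RemoteClient", "value": str(ip)},
            {"name": "VlanId", "value": str(vlan)}]


def render_preview(template_text: str, variable_value: List[Dict[str, str]]) -> str:
    """Local preview of the CLI PI will push; string.Template uses the same $name syntax
    (assumption: PI's substitution is plain text replacement, as the slides show)."""
    values = {v["name"]: v["value"] for v in variable_value}
    return Template(template_text).substitute(values)


if __name__ == "__main__":
    vv = build_variable_value("172.16.41.55", 10)
    print(vv)
    print(render_preview(SWITCH_TEMPLATE, vv))
    for bad in ("172.16.41.55 255.255.255.255 Null0", "10.0.0.1", "224.0.0.1"):
        try:
            build_variable_value(bad, 10)
        except ValueError as exc:
            print("rejected:", exc)
```

The preview is worth posting back into the Spark space alongside the job name: the requester and the approver see the exact two lines that will route one host, and anything longer than that is a sign the inputs were not what they seemed.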
PI API Request: deploy the CLI template {template_name} using {variable_value} through a job

import json
import requests
from requests.auth import HTTPBasicAuth

# PI_AUTH = HTTPBasicAuth(PI_USER, PI_PASSW)   # HTTP Basic credentials for Prime Infrastructure (variable names assumed)

def pi_deploy_cli_template(device_id, template_name, variable_value):
    param = {                                                      # request body
        'cliTemplateCommand': {
            'targetDevices': {
                'targetDevice': {
                    'targetDeviceId': str(device_id),              # PI device id
                    'variableValues': {'variableValue': variable_value}
                }
            },
            'templateName': template_name
        }
    }
    url = PI_URL + '/webacs/api/v1/op/cliTemplateConfiguration/deployTemplateThroughJob'
    header = {'content-type': 'application/json', 'accept': 'application/json'}
    response = requests.put(url, data=json.dumps(param), headers=header,
                            verify=False, auth=PI_AUTH)            # verify=False is lab only
    job_json = response.json()                                     # parsing JSON
    job_name = job_json['mgmtResponse']['cliTemplateCommandJobResult']['jobName']
    return job_name                                                # the deploy template job name
ASAv Security Configuration
The ASA requires a REST agent to be downloaded, installed and enabled
Agents are available for both physical and virtual ASAs (ASAv)
API calls use HTTP Basic authentication
We will need three API calls:
Find the inbound Access Control List id for the outside interface
Insert a new entry to allow communication from the DMZ VDI to the IP-enabled Device IP address
Delete the ACE at the end of de-provisioning
ASAv API Request: retrieve the existing ACL id for the {interface_name}

import requests
from requests.auth import HTTPBasicAuth

ASAv_USER = 'python'      # lab credentials as shown on the slide; in practice load them from a secret store
ASAv_PASSW = 'cisco'
ASAv_AUTH = HTTPBasicAuth(ASAv_USER, ASAv_PASSW)                    # authentication: HTTP Basic

def get_asav_access_list(interface_name):
    """
    Find out the existing ASAv interface Access Control List
    Call to ASAv - /api/access/in/{interfaceId}/rules
    :param interface_name: ASA interface_name
    :return: Access Control List id number
    """
    # (the docstring is what PyDoc uses to build the code documentation)
    url = ASAv_URL + '/api/access/in/' + interface_name + '/rules'                   # URL
    header = {'content-type': 'application/json', 'accept': 'application/json'}     # headers
    response = requests.get(url, headers=header, verify=False, auth=ASAv_AUTH)       # method: GET (verify=False is lab only)
    acl_json = response.json()                                                       # parsing JSON
    acl_id_number = acl_json['items'][0]['objectId']    # first rule on the interface, see the response below
    return acl_id_number
ASAv API Response: retrieve the existing ACL id for the {interface_name}
{
  "items": [
    {
      "destinationService": {"kind": "NetworkProtocol", "value": "ip"},
      "destinationAddress": {"kind": "IPv4Address", "value": "172.16.41.55"},
      "sourceAddress": {"kind": "IPv4Address", "value": "172.16.203.50"},
      "objectId": "3677916132",
      "sourceService": {"kind": "NetworkProtocol", "value": "ip"},
      ...
ASAv API Call - JSON Formatting Tip
Sometimes the JSON variable we need to send is complex, for example an ASAv ACL entry
Save time by configuring the entry with a different tool, then make an API call, method GET, to obtain the configuration in JSON format
Now you have the variable formatted in JSON, as needed for your future API call: make the configuration changes and use it

ACL_data = {
    "sourceAddress": {"value": "any", "kind": "AnyIPAddress"},
    "sourceService": {"value": "tcp", "kind": "NetworkProtocol"},
    "destinationAddress": {"value": "172.16.41.5", "kind": "IPv4Address"},
    "destinationService": {"value": "tcp/8443", "kind": "TcpUdpService"},
    "permit": True,
    "active": True,
    "ruleLogging": {"logStatus": "Informational", "logInterval": 300},
    "isAccessRule": True,
    "position": 4,
    "remarks": []
}
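Added example (not from the deck): building the host-to-host ACE the ERNA configuration uses instead of copying a pasted rule, and locating that ACE again for the DELETE at teardown. get_asav_access_list above returns items[0]['objectId'], the first rule on the interface, which is the ERNA entry only as long as nothing else was inserted at position 1; matching on the exact source/destination pair is the safer way to find what to delete. is_overly_broad flags rules like the "any" source in the formatting tip, which should never reach the vendor path. The rule list is constructed from the response slide; the remark text is an assumption.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed GET /api/access/in/outside/rules reply, modelled on the response slide
# plus the broader rule from the formatting tip.
RULES_SAMPLE = {"items": [
    {"objectId": "3677916132", "permit": True, "active": True,
     "sourceAddress": {"kind": "IPv4Address", "value": "172.16.203.50"},
     "destinationAddress": {"kind": "IPv4Address", "value": "172.16.41.55"},
     "sourceService": {"kind": "NetworkProtocol", "value": "ip"},
     "destinationService": {"kind": "NetworkProtocol", "value": "ip"}},
    {"objectId": "1001", "permit": True, "active": True,
     "sourceAddress": {"kind": "AnyIPAddress", "value": "any"},
     "destinationAddress": {"kind": "IPv4Address", "value": "172.16.41.5"},
     "sourceService": {"kind": "NetworkProtocol", "value": "tcp"},
     "destinationService": {"kind": "TcpUdpService", "value": "tcp/8443"}},
]}


def host_object(ip: str) -> Dict[str, str]:
    """ASA REST address object for exactly one IPv4 host; rejects anything else."""
    addr = ipaddress.ip_address(ip.strip())
    if addr.version != 4:
        raise ValueError("IPv4 only")
    return {"kind": "IPv4Address", "value": str(addr)}


def host_pair_ace(src_ip: str, dst_ip: str, position: int = 1,
                  remark: Optional[str] = None) -> dict:
    """Body for POST .../rules: 'permit ip host SRC host DST', logged, at the given position."""
    return {
        "sourceAddress": host_object(src_ip),
        "destinationAddress": host_object(dst_ip),
        "sourceService": {"kind": "NetworkProtocol", "value": "ip"},
        "destinationService": {"kind": "NetworkProtocol", "value": "ip"},
        "permit": True,
        "active": True,
        "isAccessRule": True,
        "position": position,
        "ruleLogging": {"logStatus": "Informational", "logInterval": 300},
        "remarks": [remark] if remark else [],
    }


def is_overly_broad(rule: dict) -> bool:
    """True when either side is 'any' or a network rather than one host."""
    return any(rule[side]["kind"] != "IPv4Address"
               for side in ("sourceAddress", "destinationAddress"))


def find_ace_ids(rules_json: dict, src_ip: str, dst_ip: str) -> List[str]:
    """objectIds of rules that are exactly this host pair with protocol ip (for DELETE)."""
    src, dst = host_object(src_ip), host_object(dst_ip)
    return [r["objectId"] for r in rules_json["items"]
            if r["sourceAddress"] == src and r["destinationAddress"] == dst
            and r["sourceService"]["value"] == "ip"
            and r["destinationService"]["value"] == "ip"]


if __name__ == "__main__":
    ace = host_pair_ace("172.16.203.50", "172.16.41.55", remark="ERNA vendor access")
    print(ace)
    print("to delete:", find_ace_ids(RULES_SAMPLE, "172.16.203.50", "172.16.41.55"))
    print("broad rules:", [r["objectId"] for r in RULES_SAMPLE["items"] if is_overly_broad(r)])
```

At teardown, delete every id find_ace_ids returns and then re-read the rules: an empty result for the pair is the check that the firewall is closed, independent of whatever objectId was remembered at provisioning time.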
Tropo Notification
Cloud platform to enable the creation of voice and SMS applications
Steps required:
1. Account registration
2. Creation of a new application
3. Token generation
4. Call to the API including the token
5. Append additional information: phone number, text, voice message for TTS
It takes 5 minutes for a basic Tropo app to be created
Tropo Notification APIs: send a notification to call the user and play a message

import requests

# Application token, truncated on the slide. Treat it as a secret: load it from the
# environment or a secret store, never commit it.
TROPO_TOKEN = '58456f4968644...'

def tropo_notification():
    url = 'https://api.tropo.com/1.0/sessions?action=create&token=' + TROPO_TOKEN
    header = {'accept': 'application/json'}
    response = requests.get(url, headers=header)      # public API with a valid certificate: keep TLS verification on
    response_json = response.json()
    result = response_json['success']
    if result:
        notification = 'successful'
    else:
        notification = 'not successful'
    print('Tropo notification: ', notification)
    return notification
ERNA - Utilized APIs Summary
Spark: create and delete spaces; read and post messages; membership, invite new members to the room
UCS Director: obtain the UCSD application key; execute a workflow in the DC
APIC-EM: create an auth ticket; locate the IP-enabled Device based on its IP address (after DNS resolution); find the hostname of the Layer 3 access switch and the access VLAN; device configuration synchronization; Path Trace, create and retrieve the result
ERNA - Utilized APIs Summary, continued
Prime Infrastructure: upload CLI templates from text files; deploy a CLI template to the Layer 3 access switch; deploy a CLI template to the data center CSR 1000V; get the CLI deployment PI job status, delete the CLI templates
ASAv: retrieve the existing ASA access list for an interface; insert a new access control list entry; delete the inserted access control list entry
Tropo: notification via voice call that ERNA has been provisioned
Other: working with files, logging to file, debugging
Agenda: Elastic Remote Network Access (ERNA), Flowchart
ERNA Flowchart (diagram; swim lanes and steps recovered from the slide, in Provisioning and De-provisioning columns)
  ERNA Application: Start, DNS Lookup, Timer Started, Timer Expired
  Spark: End-User Requests Access, Spark Notification (provisioning), Spark Notification (de-provisioning)
  UCSD: Workflow Initiated (provisioning), Workflow Initiated (de-provisioning)
  APIC-EM: Create Ticket, Locate IP-D, Identify Switch/VLAN, Path Trace
  ASAv: ASAv Config (provisioning), ASAv Config (de-provisioning)
  PI: Template L3 Switch, Template DC Router, Check Job Status; Template & Job Status Switch and Router
  Tropo: Tropo Notification
ERNA Pre-Recorded Demo
Decommission and restore environment to clean state
ERNA lab testing
ERNA Python code
The use case code may be found here: https://github.com/gzapodea/brkrst_2935
You will find:
  The Python program
  CLI templates text files
  Debugging log files
  The documentation created with PyDoc - BRKRST_2935_ERNA_CL.html
It is not intended for use in any production environment without significant testing, validation and re-write to meet your Enterprise Application Development Policies
This code is intended for teaching purposes
Python Documentation - Pydoc
Built-in Python module - documentation formatted as HTML or text.
Python Logging
Built-in Python logging: logging to file, Debugging level
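One example that covers both of the last two slides: a module whose docstrings are what pydoc renders, and a DEBUG-level logger that writes to a file. Debug logs of API scripts tend to capture request URLs and headers, so the logger carries a filter that redacts auth tokens before they reach disk. This is an added example and not the ERNA code from the repository; the logger name, the redaction patterns and the sample log lines are constructed for the illustration.

```python
"""Debug logging to a file with auth tokens redacted, plus pydoc rendering.

Added example, not the session's ERNA code. The logger name and the
SECRET_PATTERNS below are assumptions made for this illustration.
"""
import logging
import pydoc
import re
import sys
import tempfile

# Things that should never land in a debug log; patterns constructed for
# the example (URL query tokens, APIC-EM style auth header, password fields).
SECRET_PATTERNS = [
    re.compile(r"(token=)[^&\s]+"),
    re.compile(r"(X-Auth-Token: )\S+"),
    re.compile(r"(password\s*[:=]\s*)\S+", re.IGNORECASE),
]


class RedactSecrets(logging.Filter):
    """Logging filter that rewrites the message so secrets become REDACTED."""

    def filter(self, record):
        msg = record.getMessage()          # apply %-args first, then redact
        for pattern in SECRET_PATTERNS:
            msg = pattern.sub(r"\1REDACTED", msg)
        record.msg = msg
        record.args = ()
        return True                        # keep the (now redacted) record


def setup_logging(path):
    """Return a DEBUG-level logger writing timestamped lines to *path*."""
    logger = logging.getLogger("erna_example")   # assumed logger name
    logger.setLevel(logging.DEBUG)
    logger.handlers.clear()                      # idempotent on repeated calls
    handler = logging.FileHandler(path, mode="w", encoding="utf-8")
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    handler.addFilter(RedactSecrets())
    logger.addHandler(handler)
    logger.propagate = False
    return logger


def log_and_read(lines, path=None):
    """Log each line at DEBUG level, close the file, and return its contents."""
    if path is None:
        path = tempfile.NamedTemporaryFile(delete=False, suffix=".log").name
    logger = setup_logging(path)
    for line in lines:
        logger.debug(line)
    for handler in list(logger.handlers):
        handler.close()
    logger.handlers.clear()
    with open(path, encoding="utf-8") as log_file:
        return log_file.read()


def module_docs():
    """Return this module's documentation as pydoc plain text.

    'python -m pydoc -w <module>' writes the same content as an HTML file.
    """
    return pydoc.plain(pydoc.render_doc(sys.modules[__name__]))


if __name__ == "__main__":
    # Constructed sample lines of the kind a REST-API script would log.
    sample = [
        "GET https://api.example.test/1.0/sessions?action=create&token=abc123",
        "sent header X-Auth-Token: ST-12-xyz to the controller",
    ]
    print(log_and_read(sample))
    print(module_docs())
```

The filter sits on the handler rather than on the logger, so any logger that later shares this handler gets the same redaction; if a script instead relies on never logging the request object, one added debug line is enough to leak the token.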
Agenda Programmability? Why? Developer Resources REST APIs JSON and XML Python Sandboxes and Labs API Docs Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Lessons Learned 120 Minutes to Your Application Summary
Lessons Learned
  Start to automate simple tasks
  Think APIs first, CLI second
  Find something you cannot do today, be creative by using APIs
  Your application does not have to be perfect, we are not developers
  Expect to troubleshoot your code, ask for help, check communities
  Join programmability communities
  Remember to have fun!
ERNA next steps
  Configuration for last Layer 3 network device to be a router, Catalyst 9k
  Incorporate an approval process
  Integration with ISE
  Accommodate for multiple users requesting access at the same time
  Templates IP address validation before deployment
  Traffic capture for vendor traffic
  QoS policies
Agenda Programmability? Why? Developer Resources REST APIs JSON Python Sandboxes and Labs API Docs Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Lessons Learned 120 Minutes to Your Application Summary
How to Get Started?
Your Development Environment
  Learn about APIs
  Programming languages
  Operating system selection
  Text editors and IDEs
  Labs
  Communities, resources and code repositories
Learn about APIs
  DevNet learning tracks and labs
  API documentation
  APIs provide Try it features
  DevNet Express Events
Postman
  Postman - REST API client
  Learning and troubleshooting
  Generate code option
Programming Languages
  Large variety of programming languages: Python, JavaScript, Go, ...
  Take into consideration your developers' choice
  Find on communities what is the choice for most of your peers
  For scripting and network engineers: Python
  If you are just starting Python:
    Remember to install your Python Packages
    The Hitchhiker's Guide to Python!
JSON and/or XML
JSON: { "key": "value" }
XML: <tag>value</tag>

JSON example:
    {
      "ipv4address": "172.16.11.11",
      "ipv4mask": "255.255.255.0",
      "portname": "GigabitEthernet1",
      "description": " TO_vSWITCH0",
      "status": "up",
      "adminstatus": "UP",
      "id": "7c274222-4329-47bd-b516-6c32510"...
    }

XML example:
    <interface>
      <name>gigabitethernet1</name>
      <description>to_vswitch0</description>
      <enabled>true</enabled>
      <ipv4>
        <address>
          <ip>172.16.11.11</ip>
          <netmask>255.255.255.0</netmask>
        </address>
      </ipv4>
    </interface>

REST APIs and RESTCONF support JSON and XML, NETCONF supports only XML
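The slide shows one interface described twice, once as JSON and once as XML. The added example below (not code from the session or its repository) parses both documents into the same Python record and then validates the address and mask with the standard ipaddress module before the record is used in a template, which is the "IP address validation before deployment" item from the ERNA next steps. Both documents are constructed to match the slide's values; the field mapping (portname to name, adminstatus to enabled) is my assumption, and the validation goes further than the slide by rejecting network, broadcast and non-contiguous-mask addresses.

```python
"""Parse an interface record from JSON and from XML, then validate the IPv4 data.

Added example, not the session's ERNA code. The two documents are constructed
to match the slide; the field mapping between the two formats is assumed.
"""
import ipaddress
import json
import xml.etree.ElementTree as ET

# Constructed to match the slide's JSON (the truncated "id" field is omitted).
INTERFACE_JSON = """{
  "ipv4address": "172.16.11.11",
  "ipv4mask": "255.255.255.0",
  "portname": "GigabitEthernet1",
  "description": " TO_vSWITCH0",
  "status": "up",
  "adminstatus": "UP"
}"""

# Constructed to match the slide's XML, with the same values as the JSON.
INTERFACE_XML = """<interface>
  <name>GigabitEthernet1</name>
  <description>TO_vSWITCH0</description>
  <enabled>true</enabled>
  <ipv4>
    <address>
      <ip>172.16.11.11</ip>
      <netmask>255.255.255.0</netmask>
    </address>
  </ipv4>
</interface>"""


def from_json(text):
    """Normalise the JSON form into a common record (assumed field mapping)."""
    data = json.loads(text)
    return {
        "name": data["portname"],
        "description": data["description"].strip(),
        "enabled": data["adminstatus"].lower() == "up",
        "ip": data["ipv4address"],
        "netmask": data["ipv4mask"],
    }


def from_xml(text):
    """Normalise the XML form into the same common record.

    xml.etree is fine for documents from a controller you operate; for XML
    from an untrusted source the defusedxml package is the usual parser.
    """
    root = ET.fromstring(text)

    def text_of(path):
        element = root.find(path)
        if element is None or element.text is None:
            raise ValueError(f"missing element: {path}")
        return element.text.strip()

    return {
        "name": text_of("name"),
        "description": text_of("description"),
        "enabled": text_of("enabled").lower() == "true",
        "ip": text_of("ipv4/address/ip"),
        "netmask": text_of("ipv4/address/netmask"),
    }


def validate_interface(record):
    """Return the address in CIDR form, or raise ValueError if it is not usable.

    IPv4Interface rejects malformed addresses and non-contiguous masks; the
    extra check rejects the network and broadcast addresses of the subnet.
    """
    iface = ipaddress.IPv4Interface(f"{record['ip']}/{record['netmask']}")
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    return iface.with_prefixlen


def is_deployable(record):
    """Boolean wrapper around validate_interface for use in a template check."""
    try:
        validate_interface(record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for parsed in (from_json(INTERFACE_JSON), from_xml(INTERFACE_XML)):
        print(parsed, "->", validate_interface(parsed))
```

Whichever encoding an API returns, the rest of the script should only ever see the normalised record; that keeps the template code independent of the transport format and gives one place to put the validation.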
Operating System Choices
  Mac OS X, Linux, Windows: they will all work well for what you need
  Some advantages for Mac OS X or Linux
  Isolation between your Python environments and your OS:
    OS upgrades: what is the impact on your Python environment?
    What are your Python packages going to change in your OS?
    Do you need different Python package versions for your applications?
  Python virtual environments: easy to configure, highly recommended
Operating System Choices - Continued
Virtual machines
  Ubuntu: free, easy to install
  Avoid some other OS limitations (SSL versions)
  Will consume CPU/Memory
  Will need virtualization software
Containers
  Light, very easy to get started
  Application portability
  APIs enabled infrastructure
  Something else to learn
Text editors and Integrated Development Environments
Text editors: all of them will work for writing Python code
  Advanced text editors will make your life easier: Atom, Sublime, Notepad++, TextMate
Integrated Development Environments (IDEs):
  Improve your code quality and productivity
  Code inspection and refactoring
  Will integrate with version control systems (VCS), virtual environments, package updates, debugging, error correction
  PyCharm, Eclipse, VIM, Wing IDE, Spyder Python
Labs
  Cisco DevNet Sandboxes: will require a DevNet free account
  Cisco dcloud: You will need a cisco.com account (CCO), and the AnyConnect VPN client or a Cisco router to VPN to dcloud
  VIRL: Virtual Internet Routing Lab
  Your lab: You may run virtual almost everything
Communities, Resources and Code Repositories
  Cisco DevNet
  Cisco Spark
  Meraki Developers
  Programmability Partner Community
  GitHub: Code hosting platform for version control and collaboration
120 Minutes To Your Application
  Learn about APIs: DevNet Express, Learning Labs, API docs, Postman
  Programming Language: Python, JS, Go, C#, JSON and XML
  Operating System: Mac OS X, Ubuntu, Windows, VMs, Containers
  Integrated Development Environment, Text Editor: PyCharm, Eclipse, VIM, Sublime, Atom, Notepad++
  Python Import Modules: Virtual environments, PIP3, Python Packages
  Labs: DevNet Sandbox, Labs, Learning Tracks, dcloud and Your Lab
  DevNet, GitHub, Communities: Join Communities, Download Sample Code and Run Labs/Sandboxes
Agenda Programmability? Why? Developer Resources REST APIs JSON Python Sandboxes and Labs API Docs Programmability Use Case Remote Access Overview Elastic Remote Network Access (ERNA) Lessons Learned 120 Minutes to Your Application Summary
Summary
  Reuse leading to efficiencies: design once, use many
  High availability: enables effective change control
  Flexibility in services delivery: on-demand, consumer driven
  Pervasive security: all network communications can be mapped to security policies
  Rapid provisioning and decommissioning with full traceability
  Decoupled from physical infrastructure: as long as there is an API exposed
Q & A
Complete Your Online Session Evaluation
Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
Complete your session surveys through the Cisco Live mobile app or on www.ciscolive.com/us.
Don't forget: Cisco Live sessions will be available for viewing on demand after the event at www.ciscolive.com/online.
Continue Your Education
  Demos in the Cisco campus
  Walk-in Self-Paced Labs
  Lunch & Learn
  Meet the Engineer 1:1 meetings
Related sessions:
  DEVNET-2049 - APIs Assist Troubleshooting in Manufacturing
  DEVNET-2073 - {Spark:Connect} APIs configured Wi-Fi Hotspot
  DEVNET-2593 - {Meraki:Connect} APIs configured Wi-Fi Hotspot
Thank you