Network Automation & Programmability Flashcards
Issues with Traditional Network Management
Configuring one device at a time is time consuming & inefficient
Increases likelihood of typos/mistakes
Individual edits to multiple devices by separate engineers over time, with little version control, lead to configuration drift (non-standardized configs)
Having non-standardized configs and accessing one device at a time is also inefficient for troubleshooting
Network Automation Uses
Device config
Initial device provisioning
Software version control
Collecting stats from devices
Compliance verification
Reports
Troubleshooting
Network Automation Benefits
Enables automation which reduces human to machine interaction
–Greatly reduces the chance of human error
Modern tools have been built with monitoring, configuration, & troubleshooting in mind
It is much more scalable than configuring one device at a time
Network programmability can provide configuration version control
–Software version control as well
Troubleshooting is more efficient with a system-wide view & correlation between events
Events & error codes can be acted on programmatically
Improving configuration & troubleshooting efficiency reduces operational expenses
Network Automation Assurance
Ensure devices have a standardized config
Provide reports & correct exceptions
Provide correlation between events on different devices
Automatically take corrective action on events & error codes
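The assurance cards above (standardized config, reports, correcting exceptions) and the compliance-verification use case are what a small compliance script does in practice. The following is an added example, not from the flashcards or from any vendor tool: it compares each device's running-config text against a standard, reports the exceptions and builds the corrective commands. The hostnames, addresses, the standard and both sample configs are constructed for illustration.

```python
"""Added example, not from the flashcards: a compliance check that compares
each device's running-config against a standard, reports the exceptions, and
produces the commands that would correct them. The standard and the two
sample configs are constructed for illustration."""

import re

# Constructed standard: each regex must match at least one config line;
# the second element is the command pushed when it does not.
STANDARD = [
    (r"^service password-encryption$", "service password-encryption"),
    (r"^no ip http server$", "no ip http server"),
    (r"^ip ssh version 2$", "ip ssh version 2"),
    (r"^logging host 10\.0\.0\.50$", "logging host 10.0.0.50"),
    (r"^ntp server 10\.0\.0\.1$", "ntp server 10.0.0.1"),
]

# Constructed deny-list: lines that must not appear. A fix of None means
# the exception is reported for manual review rather than auto-corrected.
FORBIDDEN = [
    (r"^ip http server$", "no ip http server"),
    (r"^snmp-server community \S+ RW$", None),
]


def check_compliance(running_config, standard=STANDARD, forbidden=FORBIDDEN):
    """Return (exceptions, remediation) for one device's running-config text."""
    lines = [l.strip() for l in running_config.splitlines()]
    exceptions, remediation = [], []
    for pattern, fix in standard:
        if not any(re.match(pattern, l) for l in lines):
            exceptions.append(f"missing: {fix}")
            remediation.append(fix)
    for pattern, fix in forbidden:
        for hit in (l for l in lines if re.match(pattern, l)):
            exceptions.append(f"forbidden: {hit}")
            if fix:
                remediation.append(fix)
    # Keep order, drop duplicate commands (a forbidden line may share a fix
    # with a missing standard line).
    return exceptions, list(dict.fromkeys(remediation))


def compliance_report(configs):
    """configs maps hostname -> running-config text; returns hostname -> (exceptions, remediation)."""
    return {host: check_compliance(cfg) for host, cfg in configs.items()}


# Constructed running-configs: one compliant device, one that has drifted.
SAMPLE_CONFIGS = {
    "branch-rtr-1": """\
hostname branch-rtr-1
service password-encryption
no ip http server
ip ssh version 2
logging host 10.0.0.50
ntp server 10.0.0.1
""",
    "branch-rtr-2": """\
hostname branch-rtr-2
ip http server
ip ssh version 2
snmp-server community public RW
ntp server 10.0.0.1
""",
}

if __name__ == "__main__":
    for host, (exceptions, remediation) in compliance_report(SAMPLE_CONFIGS).items():
        print(f"{host}: {'COMPLIANT' if not exceptions else 'EXCEPTIONS'}")
        for e in exceptions:
            print("   ", e)
        if remediation:
            print("    remediation:", "; ".join(remediation))
```

The remediation list is the set of commands a push tool (Ansible, RESTCONF, a Python SSH script) would apply; the read-write SNMP community is deliberately reported without an automatic fix, since removing it may break a monitoring integration and needs a human decision.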
Automation Methods
There are multiple methods to automate network management:
Python, NETCONF, RESTCONF, Ansible, Puppet, SDN, Cisco DNA Center
Not all methods are supported by all devices
Choose the method most suitable for your environment/skills
Python for Network Programmability
Relatively easy to learn with many training resources
Human readable
Open source
Cross OS compatible
Easy to find network automation code samples
Git
A distributed version control system for tracking changes in source code & files
Typically used for software development but can provide version control for any type of files
With older lock-based client-server version control systems, a file has to be "checked out" and can only be worked on by one dev at a time
Every Git directory on every computer is a full-fledged repository with complete history and full version-tracking abilities
—Because of this, the code can be worked on by multiple devs
Organizations typically designate one repository as the master copy
GitHub
A Git repository hosting service which adds many of its own features
Repositories can be public or private
Repositories can be copied between users
Task management tools are available
Access controls & pull requests with code review provide security & help resolve conflicts
CI/CD
CI (Continuous Integration)
CD (Continuous Delivery/Deployment)
A set of operating principles & practices that enable app development teams to deliver code changes more frequently & reliably
Frequent changes are more efficient than rolling them up into large change windows
Automation of building/testing/deployment
Implementation = CI/CD pipeline
Tools such as Jenkins & Travis CI aid management of the pipeline
Data Serialization
The process of converting structured data to a standardized format that allows sharing or storage of the data in a form that allows recovery of its original structure
Allows transfer of the data between different systems, apps, & programming languages
XML, JSON, & YAML are human & machine readable, plain text data encoding formats
Data formats are mostly interchangeable
Which one to use depends on the support in the system being used, & which is easiest
JSON
JavaScript Object Notation:
First standardized in 2013
Easier for humans to read & work with than XML
Can be imported directly into JS
White space has no special meaning
RESTful APIs often use JSON
JSON Data Types: Object
An unordered collection of key/value pairs
Describe what the object is
Surrounded by curly braces {}
Keys must be strings, & values must be a valid JSON data type
Keys & values are separated by a colon
Each key/value pair is separated by a comma
JSON Data Types: Array
An ordered list of values
Surrounded by square brackets []
Values must be a valid JSON data type
JSON Data Types: String
A sequence of characters enclosed in double quotes
"Name": "GigabitEthernet1"
JSON Data Types: Number
"Input Errors": 3
JSON Data Types: Boolean
"Enabled": true
A true/false statement
JSON Data Types: Null
"Msec": null
XML
eXtensible Markup Language:
Standardized in 1998
Designed to describe & transfer data, while HTML is focused on displaying data
White space has no special meaning
Values are contained within opening & closing tags (elements), e.g. <name>GigabitEthernet1</name>
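The serialization definition above ("a form that allows recovery of its original structure") and the JSON data type cards are easiest to see with one record carried through both formats. The following is an added example, not from the flashcards: a constructed interface record containing every JSON type (object, array, string, number, boolean, null) is serialized to JSON and to XML and recovered again. Because XML has no native types, the example records each value's JSON type in a `type` attribute, which is this example's own convention, not a standard.

```python
"""Added example, not from the flashcards: the same interface record
serialized to JSON and to XML and recovered again. The record is constructed
and contains every JSON data type: object, array, string, number, boolean, null."""

import json
import xml.etree.ElementTree as ET

# Constructed interface record (keys and values are illustrative).
INTERFACE = {
    "name": "GigabitEthernet1",
    "enabled": True,
    "input_errors": 3,
    "msec": None,
    "ipv4": {"address": "192.0.2.1", "prefix_length": 24},
    "vlans": [10, 20, 30],
}


def to_json(data):
    """JSON: whitespace has no meaning, so indent is purely cosmetic."""
    return json.dumps(data, indent=2)


def from_json(text):
    return json.loads(text)


def to_xml(data, tag="interface"):
    """XML carries no native types, so each value's JSON type is recorded in a
    'type' attribute (this example's convention) so the structure can be recovered."""
    return ET.tostring(_build(tag, data), encoding="unicode")


def _build(tag, value):
    el = ET.Element(tag)
    if isinstance(value, dict):
        el.set("type", "object")
        for k, v in value.items():
            el.append(_build(k, v))
    elif isinstance(value, list):
        el.set("type", "array")
        for v in value:
            el.append(_build("item", v))
    elif value is None:
        el.set("type", "null")
    elif isinstance(value, bool):          # bool before int: bool is an int subclass
        el.set("type", "boolean")
        el.text = "true" if value else "false"
    elif isinstance(value, (int, float)):
        el.set("type", "number")
        el.text = repr(value)
    else:
        el.set("type", "string")
        el.text = str(value)
    return el


def from_xml(text):
    return _parse(ET.fromstring(text))


def _parse(el):
    t = el.get("type")
    if t == "object":
        return {child.tag: _parse(child) for child in el}
    if t == "array":
        return [_parse(child) for child in el]
    if t == "null":
        return None
    if t == "boolean":
        return el.text == "true"
    if t == "number":
        return json.loads(el.text)         # reuse JSON's int/float rules
    return el.text or ""


if __name__ == "__main__":
    print(to_json(INTERFACE))
    print(to_xml(INTERFACE))
    print(from_xml(to_xml(INTERFACE)) == INTERFACE)   # structure recovered
```

When the XML comes from an untrusted source (a third-party feed rather than your own devices), parse it with the defusedxml package instead of xml.etree, which does not defend against entity-expansion attacks.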
YAML
(Often used in ____, ___, & ___)
(also what does it start with)
YAML Ain't Markup Language:
Often used in Python, Perl, & Ansible
Designed to be easily read by humans
White space = important
Anything at a common indentation level is considered related at the same level
Starts with --- (three dashes)
Key: value representation
- indicates a list
Ansible playbooks use YAML
API
Application Programming Interface:
A way for computer programs to communicate directly with another program
Typically used to perform CRUD operations
Two main API types for web services
—SOAP
—REST
NETCONF and RESTCONF are APIs specifically designed to work with network services
CRUD
Create, Read, Update, Delete:
When we are building APIs, we want our models to provide four basic types of functionality
The model must be able to Create, Read, Update, and Delete resources
SOAP
Transport is __
Data Format is __
Simple Object Access Protocol:
Standard communication protocol system that permits processes using different OSs to communicate
Transport is typically HTTP(S)
Data format is always XML
Has strict standards to adhere to
REST
Transport:
Data:
Representational State Transfer:
An architecture, not a protocol
Gives guidelines for the structure & organization of an API
Supports any transport & data format
HTTP(S) transport & JSON (or XML) data formats are commonly used
Typically faster performance & easier to work with than SOAP
REST Constraints
Client-server architecture: the client sends a request, server sends response
Uniform Interface: provides simplicity
Statelessness: no client context is stored on the server between requests
Cacheability: responses must define themselves as either cacheable or non-cacheable
Layered system: any intermediary devices such as load balancers must be transparent to the client/server
Code on demand (optional): servers can temporarily extend or customize the functionality of a client by transferring executable code
REST Request URL
Request method must be sent (GET, POST, etc.)
Headers with key: value pair info about the request can be added
–e.g. Accept: application/json, or an Authorization header carrying credentials
POST, PUT, & PATCH requests include data in the body
https://demo.flackbox.com/api/running/aaa/users/neil?dryrun
demo.flackbox.com = Target Host
/api/running/aaa/users/neil = Resource
?dryrun = Parameters (optional)
REST Response Codes
1xx: Informational
2xx: Success
–200: OK
–201: Created
–204: No Content (deleted)
3xx: Redirection
4xx: Client Error
–400: Bad request/malformed syntax
–401: Unauthorized
–403: Forbidden
–404: Not Found
5xx: Server Error
–500: Internal Server Error
Responses to GET requests include data in the body
Headers can also be included in the response
Data Models
A well understood & agreed upon method to describe something
YANG
Yet Another Next Generation:
A data modeling language which provides a standardized way to represent the operational & config data of a network device
It can be used both internally & when packaged for transmission
Refer to diagram on study guide
Network Management Transport
(3 APIs that describe the methods)
The configuration & operational status of a network device’s components & services can be remotely read/written to
NETCONF, RESTCONF, & gRPC are APIs which describe the protocols & methods for transport of network management data
Model-Driven Programmability Stack
Refer to diagram in study guide
NETCONF & YANG
Encoding Type
Transport Type
NETCONF (RFC 4741, 2006) was designed to replace SNMP for device configuration
NETCONF & YANG (2010) provide a standardized way to programmatically inspect & modify the configuration of a network device
NETCONF is a protocol that remotely reads/applies changes to the data on the device
XML encoding is used
Transport is over SSH/TLS
NETCONF Protocol Stack
Content: the data to be inspected/changed
Operations: (Example = , )
Initiated via RPC methods using XML encoding
Messages: RPC (Remote Procedure Calls)
Allows one system to request another system to execute code
Transport: between client/server. Supports SSH/TLS
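The NETCONF protocol stack above (content, operations, RPC messages, SSH/TLS transport) is clearest as the actual messages each side sends. The following is an added example, not from the flashcards: it builds the client's hello and a get-config RPC for the ietf-interfaces YANG module, applies the two transport framings from RFC 6242, and parses a constructed rpc-reply. The server hello and both replies are constructed samples; no SSH session (subsystem netconf, TCP/830) is opened.

```python
"""Added example, not from the flashcards: the messages both sides of a NETCONF
session exchange for a get-config, built and parsed with the standard library.
The server hello and replies are constructed samples; no SSH session is opened."""

import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"       # XML namespace of every NETCONF message
BASE10 = "urn:ietf:params:netconf:base:1.0"
BASE11 = "urn:ietf:params:netconf:base:1.1"
IETF_IF = "urn:ietf:params:xml:ns:yang:ietf-interfaces"  # YANG module namespace
EOM = "]]>]]>"   # end-of-message delimiter of base:1.0 framing (RFC 6242)


def build_hello(capabilities=(BASE10, BASE11)):
    """Message 1 (both directions): each side advertises its capabilities."""
    caps = "".join(f"<capability>{c}</capability>" for c in capabilities)
    return f'<hello xmlns="{NC}"><capabilities>{caps}</capabilities></hello>'


def negotiate_base(client_hello, server_hello):
    """Chunked framing (base:1.1) is used only when both sides advertise it."""
    def caps(xml):
        return {c.text.strip() for c in ET.fromstring(xml).iter(f"{{{NC}}}capability")}
    common = caps(client_hello) & caps(server_hello)
    for base in (BASE11, BASE10):
        if base in common:
            return base
    raise ValueError("no common NETCONF base capability")


def build_get_config(message_id, source="running", subtree_filter=None):
    """Message 2 (client -> server): an <rpc> carrying the get-config operation."""
    flt = f'<filter type="subtree">{subtree_filter}</filter>' if subtree_filter else ""
    return (f'<rpc message-id="{message_id}" xmlns="{NC}">'
            f"<get-config><source><{source}/></source>{flt}</get-config></rpc>")


def frame(message, base):
    """Transport framing: base:1.0 appends ]]>]]>, base:1.1 wraps in a length-prefixed chunk."""
    if base == BASE10:
        return (message + EOM).encode()
    data = message.encode()
    return f"\n#{len(data)}\n".encode() + data + b"\n##\n"


def parse_rpc_reply(xml):
    """Message 3 (server -> client): return (message-id, <data> element or None, error messages)."""
    root = ET.fromstring(xml)
    errors = [e.findtext(f"{{{NC}}}error-message", "").strip()
              for e in root.iter(f"{{{NC}}}rpc-error")]
    return root.get("message-id"), root.find(f"{{{NC}}}data"), errors


def interface_names(reply_xml):
    """Pull interface names out of an ietf-interfaces reply; raise on <rpc-error>."""
    _, data, errors = parse_rpc_reply(reply_xml)
    if errors:
        raise RuntimeError("; ".join(errors))
    return [i.findtext(f"{{{IETF_IF}}}name") for i in data.iter(f"{{{IETF_IF}}}interface")]


# Constructed replies a device might send to the get-config above.
SAMPLE_REPLY = f"""<rpc-reply message-id="101" xmlns="{NC}">
  <data>
    <interfaces xmlns="{IETF_IF}">
      <interface><name>GigabitEthernet1</name><enabled>true</enabled></interface>
      <interface><name>GigabitEthernet2</name><enabled>false</enabled></interface>
    </interfaces>
  </data>
</rpc-reply>"""

ERROR_REPLY = (f'<rpc-reply message-id="102" xmlns="{NC}"><rpc-error>'
               "<error-type>protocol</error-type><error-tag>access-denied</error-tag>"
               "<error-message>access denied</error-message></rpc-error></rpc-reply>")

if __name__ == "__main__":
    base = negotiate_base(build_hello(), build_hello((BASE10,)))   # device only speaks 1.0
    rpc = build_get_config(101, "running", f'<interfaces xmlns="{IETF_IF}"/>')
    print(frame(rpc, base).decode())
    print(interface_names(SAMPLE_REPLY))
```

In a real session the server's hello also carries a session-id, and the client must match each rpc-reply to its request by message-id; an rpc-error such as access-denied means the request was rejected and should not be retried unchanged.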
RESTCONF
Encoding Type
Transport Type
2017
Builds on NETCONF
An IETF standard (RFC 8040) that describes how to map a YANG specification to a RESTful interface
Uses HTTP verbs over a REST API
RESTCONF is not intended to replace NETCONF, but is simpler to use
XML or JSON encoding
Transport is HTTP(S)
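The REST request URL, header and response-code cards and the RESTCONF card above come together in one request builder. The following is an added example, not from the flashcards or from any vendor SDK: it assembles a RESTCONF URL (host, resource, optional query parameters), sets the RESTCONF media type and HTTP Basic credentials, and maps response codes to actions. The host, credentials and the ?depth=1 parameter are placeholders; the ietf-interfaces resource path is the standard YANG module. Nothing is sent unless the block is run as a script against a real device.

```python
"""Added example, not from the flashcards: building RESTCONF requests with the
standard library. Host, credentials and interface name are placeholders; the
request is only sent when run as a script against a real device."""

import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

YANG_JSON = "application/yang-data+json"   # RESTCONF media type (RFC 8040)


def build_request(host, resource, method="GET", body=None, params=None,
                  username=None, password=None):
    """Assemble URL (host + RESTCONF root + resource + optional query parameters),
    headers, and body for one RESTCONF call."""
    url = f"https://{host}/restconf/data/{resource}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    headers = {"Accept": YANG_JSON}
    data = None
    if body is not None:                       # POST/PUT/PATCH carry a body
        headers["Content-Type"] = YANG_JSON
        data = json.dumps(body).encode()
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token   # Basic auth is only safe over HTTPS
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def interpret_status(code):
    """Map the response classes from the REST Response Codes card to an action."""
    if code in (200, 201, 204):
        return "ok"
    if code in (401, 403):
        return "auth-failure"        # do not retry with the same credentials
    if code == 404:
        return "not-found"
    if 400 <= code < 500:
        return "client-error"        # fix the request; do not retry as-is
    if 500 <= code < 600:
        return "server-error"        # usually transient; retry with backoff
    return "unexpected"


def send(request, context=None):
    """Send over HTTPS; return (status, parsed JSON or None). The default context
    verifies the device certificate; never disable verification in production."""
    ctx = context or ssl.create_default_context()
    try:
        with urllib.request.urlopen(request, context=ctx) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as e:
        return e.code, None


if __name__ == "__main__":
    HOST, USER, PASSWORD = "sandbox.example.net", "admin", "changeme"  # placeholders
    iface = "ietf-interfaces:interfaces/interface=GigabitEthernet1"
    # Read (GET) the interface, then Update (PATCH) only its description
    get = build_request(HOST, iface, username=USER, password=PASSWORD)
    patch = build_request(HOST, iface, "PATCH",
                          body={"ietf-interfaces:interface": {"description": "uplink"}},
                          username=USER, password=PASSWORD)
    for r in (get, patch):
        status, data = send(r)
        print(r.get_method(), r.full_url, status, interpret_status(status))
```

PATCH (merge) changes only the leaves supplied in the body, whereas PUT replaces the whole resource; sending a PUT with a partial body is a common way to wipe an interface's other settings by accident.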
gRPC
Encoding Type
Transport Type
Google RPC:
An open source remote procedure call system initially developed at Google in 2015
Well suited to collecting telemetry statistics
Protocol Buffers (GPB, Google Protocol Buffers) encoding is used
Transport is HTTP/2
Postman
Very popular tool to test the operation of REST APIs
It can be downloaded as a standalone application (the earlier Chrome app has been retired)
Collections & environment variables allow you to easily reuse requests
Requests can be exported as code in multiple programming languages
(cURL in Linux or the requests module in Python can be used to test APIs)
Configuration Management Tool Benefits
Can automate provisioning & deployment of servers & network devices
Requires little knowledge of programming
Have established development practices including version control & testing
Ansible
(Communicates via ____ by default) - Protocol
(Ansible playbooks are ___ files that outline the ____)
2012
Can be run from any machine with Python installed (older releases accepted Python 2 or 3; current releases require Python 3 on the control node)
Agentless
Push model
Communicates via SSH by default
Simpler than most other tools
Modules
—Pre-built Python scripts
—Many pre-built network modules exist
Ansible inventory files define all hosts that will be managed by the control workstation
Ansible playbooks are YAML files that outline the instructions it needs to run
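The YAML cards (starts with ---, key: value, - for list items, indentation shows nesting) and the Ansible cards (inventory file, playbook, pre-built network modules, SSH push model) are shown together in the following added example, which is not from the flashcards. The inventory and the playbook are two separate files, written here one after the other. The hostnames, addresses, the vault variable and the baseline lines are constructed; the cisco.ios.ios_config and cisco.ios.ios_command modules are real modules from the cisco.ios collection.

```yaml
# inventory.yml (constructed): the hosts the control node manages
all:
  children:
    routers:
      hosts:
        branch-rtr-1: {ansible_host: 192.0.2.11}
        branch-rtr-2: {ansible_host: 192.0.2.12}
      vars:
        ansible_connection: ansible.netcommon.network_cli   # CLI over SSH, no agent
        ansible_network_os: cisco.ios.ios
        ansible_user: automation
        ansible_password: "{{ vault_ios_password }}"          # from an ansible-vault file, never plain text
---
# standardize.yml (constructed): the playbook
- name: Enforce the standard config on every router
  hosts: routers
  gather_facts: false
  tasks:
    - name: Push the hardening baseline (idempotent, only missing lines are sent)
      cisco.ios.ios_config:
        lines:
          - service password-encryption
          - no ip http server
          - ip ssh version 2
          - logging host 10.0.0.50
          - ntp server 10.0.0.1
        save_when: modified
      register: baseline

    - name: Collect the software version for the version report
      cisco.ios.ios_command:
        commands:
          - show version | include Version
      register: ver

    - name: Report per device
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }}: {{ ver.stdout_lines[0][0] }} | drift corrected: {{ baseline.changed }}"
```

Run it first as a dry run, ansible-playbook -i inventory.yml standardize.yml --check --diff, which reports the lines that would change on each device without pushing them; the same playbook then applies the fix, and because ios_config compares against the running-config it sends nothing to devices that already match.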
Puppet
(Uses __ instead of YAML)
2005
Typically uses an agent on target devices
“Puppet Master” runs on Linux server
Pull model, agent checks in every 30 mins by default
Written in Ruby
Uses its own declarative DSL (the Puppet language) rather than YAML
“Manifest”
—Defines the device’s properties
It can check configuration consistency
Chef
2009
An agent must be installed on target devices
Pull model
Written in Ruby
Terminology: Cookbook > Recipe
Configuration Management Tool Support
(___ is more suitable for network environments)
Ansible, Puppet, & Chef were designed primarily for server system administration
Ansible is typically more suitable for network environments than Puppet/Chef because it does not require an agent. (Also simpler to learn/use)
Cisco devices usually can’t run an agent
—Puppet works on some Nexus switches (more support may be added later on)
SDN Router/Switch Planes: Data (Forwarding) Plane
Traffic which is forwarded through the device
SDN Router/Switch Planes: Control Plane
Makes decisions about how to forward traffic
Control plane packets such as routing protocol/spanning tree updates are destined to or locally originated on the device itself
SDN Router/Switch Planes: Management Plane
The device is configured & monitored in the management plane
For example at the CLI via Telnet/SSH, via a GUI using HTTPS/API/SNMP
SDN: Data & Control Plane Separation
(Control plane moves to a ___)
(Rules for packet handling are sent to the ___ from the ___)
(The ___ devices query the ___ for guidance as needed)
Network infrastructure devices are responsible for their own individual control & data planes in a traditional environment
SDN decouples the data & control planes
The network infrastructure devices are still responsible for forwarding traffic
—But the control plane moves to a centralized SDN controller
Rules for packet handling are sent to the network infrastructure devices from the controller
The network infrastructure devices query the controller for guidance as needed
—& Provide it with info about traffic they are handling
Pure SDN
Control plane runs purely on SDN controller
Data plane runs purely on network devices
Hybrid SDN
(Most common)
Majority of control plane intelligence is provided by SDN controller
Network devices retain some control plane intelligence as well as data plane operations
SDN Architecture
Refer to diagram in study guide
Cisco SDN Controllers: APIC
(Designed to manage ___ with ___ ___)
Application Policy Infrastructure Controller:
Main component of Cisco ACI (Application Centric Infrastructure)
Designed to manage data center environments with Nexus switches
Cisco SDN Controllers: DNA Center
Digital Network Architecture Center:
Designed to manage enterprise environments (campus/branch/WAN)
An upgrade to APIC-EM (Application Policy Infrastructure Controller - Enterprise Module)
DNA Center Overview
(Utilizes ____) - 3 letter acronym
Enables you to streamline operations & facilitate IT & business innovation
IBN (Intent-based Networking) built on Cisco DNA takes a software-delivered approach to automating & assuring services across your WAN/campus/branch networks
Software Defined Architecture: Building Blocks
DNA Center
SD-Access
SD-WAN
DNA Center Appliance
(Runs on ___)
(Underlying OS)
Runs on Cisco UCS server hardware
Underlying OS is Linux
Can be clustered for redundancy
IBN
Intent-Based Networking:
Transforms a traditional manual network into a controller-led network that translates the business needs into policies that can be automated & applied consistently across the network
Goal is to continuously monitor & adjust network performance to help assure desired business outcomes
Network Plug & Play
Allows routers, switches, & WAPs to be deployed in remote offices with zero touch config
Device is physically installed in the remote office & connected to the network
Discovers DNA Center through various methods including DHCP option 43 or DNS
It then registers with & downloads its config from DNA Center
Ensures consistent configuration of remote office devices with no need for a network engineer onsite
DNA Center: Assurance
Guarantees that the infrastructure is doing what you intended
DNA Center receives info from all the network devices & ISE
DNA Center’s correlation engine can identify 150+ different types of network & client issues
DNA Center reports the problem & provides recommended remediation actions
DNA Center: Network Time Travel
Admins can drill down into the health status of network devices/clients
You can see the current status & view historical info
Useful for troubleshooting intermittent problems which occurred in the past
DNA Center: Path Trace
Can use to query DNA Center for the path that traffic takes over the network
DNA Center: API Support
Everything done via the DNA Center GUI can also be done via the northbound REST API
DNA Center also supports east/west bound APIs for integration with other services such as reporting & analytics servers
SD-WAN Overview
Software-Defined WAN:
Cisco acquired Viptela in 2017 to enhance their SD-WAN solution
Provides automated setup of WAN connectivity between sites
Monitoring & failover is automated
Traffic flow control is application aware
SD-WAN Benefits
Automated, standardized setup of connectivity between sites
Transport independent
Simplified, integrated operations
More flexibility & easier to migrate WAN services
The required, predictable performance for important applications
Integration with latest cloud & network tech
Lower cost
Data Plane - vEdge Routers
(They are ___ or ____)
(They form an ____ encrypted data plane between each other)
vEdge routers run the data plane
They are physical or virtual
They form an IPsec encrypted data plane between each other
A site can have 2 vEdge routers for redundancy
Control Plane - vSmart Controllers
(They are the ____ of the solution)
(They run as ____)
(They distribute ____ & ___ info to the ____ inside the ____)
(Each ___ connects to two ___ for redundancy)
vSmart Controllers run the control plane
They are the centralized brain of the solution
They run as VMs
They distribute policy & forwarding info to the vEdge routers inside TLS tunnels
Each vEdge router connects to two vSmart controllers for redundancy
Management Plane - vManage NMS
(Enables ____ & simplifies ____)
(Provides ____)
(Runs as a ____)
Provides the management plane GUI
Enables centralized config & simplifies changes
Provides real time alerting
Runs as a VM
Multiple vManage NMS are clustered for redundancy
Orchestration - vBond Orchestrator
(Authenticates all ____)
(Enables ___ to discover each other)
(Has a ___ & is deployed in the ___)
(Runs as a ___)
Authenticates all vSmart controllers, vManage NMS, & vEdge routers that join the SD-WAN network
Enables vEdge routers to discover each other, vManage & vSmart
Has a public IP address & is deployed in the DMZ
Runs as a VM (can run as router in smaller deployments)
Multiple vBond orchestrators can be deployed, with round-robin DNS distributing connections between them
ZTP Service
Zero Touch Provisioning Service:
Cloud based shared service hosted by Cisco
Utilized on first boot of vEdge router only
Directs it to vBond to orchestrate joining into the network
SD-WAN: Premises & Cloud
vBond, vSmart, & vManage can be deployed both on premises & cloud
Most deployments are in the cloud
SD-WAN: Building the Data Plane
(The __ directs the ___ to build a full mesh of ___)
(____ propagates ___ & ___ to the ___ with OMP)
The vSmart controller directs the vEdge routers to build a full mesh of IPsec VPN tunnels between themselves
vSmart propagates policy & routing info to the vEdge routers with OMP (Overlay Management Protocol)
SD-WAN: BFD VPN Tunnel Monitoring
(____ packets are sent over all ___)
(This detects if ____ & provides ___, ___, ___ statistics)
Bidirectional Forwarding Detection packets are sent over all VPN tunnels
This detects if a tunnel goes down & provides latency, jitter & loss statistics
SD-WAN: Traffic Forwarding Options
(Load Balancing: 4 types)
If multiple tunnels are available traffic can be load balanced over the tunnels
—Active/Active
—Weighted Active/Active
—Application pinning Active/Standby
—Application Aware Routing
SD-WAN: Application Aware Routing
(___ monitors the __, __, ___ across the ___)
(You can set minimum requirements for an ___ with ___)
(___ ensures the application is sent over a link which meets the ____)
(By default…)
BFD monitors the latency, jitter & loss across the VPN tunnels
You can set minimum requirements for an application with SLA Classes
SD-WAN ensures the application is sent over a link which meets its SLA requirements
By default traffic will fall back to another link if no suitable link is available