WIXLIB

APIs and Intent-Driven NetworkingScreen scraping versus API structured outputImagine a common scenario where we need to log into the network device andmake sure all the interfaces on the device are in an up/up state (both the status andthe protocol are showing as up). For the human network engineers getting into aCisco NX-OS device, it is simple enough to issue the show ip interface briefcommand in the Terminal to easily tell from the output which interface is up:nx-osv-2# show ip int briefIP Interface Status for VRF "default"(1) Interface IP Address InterfaceStatusLo0 192.168.0.2 protocol-up/link-up/admin-upEth2/1 10.0.0.6 protocol-up/link-up/admin-upnx-osv-2#The line break, white spaces, and the first line of the column title are easilydistinguished by the human eye. In fact, they are there to help us line up, say, theIP addresses of each interface from line one to line two and three. If we were toput ourselves in the computer's position, all these spaces and line breaks only takeus away from the really important output, which is: which interfaces are in theup/up state? To illustrate this point, we can look at the Paramiko output for thesame operation: new connection.send('show ip int brief/n')16 output new connection.recv(5000) print(output)b'sh ip int briefrrnIP Interface Status for VRF "default"(1)r\nInterfaceIP Address Interface StatusrnLo0 192.168.0.2 protocol-up/link-up/admin-uprnEth2/1 10.0.0.6 protocol-up/link-up/admin-up r\nrnx- osv-2# ' If we were to parse out that data contained in the "output" variable, here is what Iwould do in a pseudo-code fashion (pseudo-code means a simplified representationof the actual code I would write) to subtract the text into the information I need:1. Split each line via the line break.2. I do not need the first line that contains the executed command of showip interface brief and will disregard it.3. Take out everything on the second line up until the VRF, and save it ina variable as we want to know which VRF the output is showing.[8]

Chapter 34. For the rest of the lines, because we do not know how many interfaces arethere, we will use a regular expression statement to search if the line startswith interface names, such as lo for loopback and Eth for Ethernet interfaces.5. We will need to split this line into three sections separated by a space, eachconsisting of the name of the interface, IP address, and then the interfacestatus.6. The interface status will then be split further using the forward slash (/)to give us the protocol, link, and the admin status.Whew, that is a lot of work just for something that a human being can tell at a glance!You might be able to optimize the code and reduce the number of lines in the code;but in general, the steps are what we need to do when we need to screen scrap textsthat are somewhat unstructured. There are many downsides to this method, butsome of the bigger problems that I can see are listed as follows: Scalability: We spent so much time on painstaking details to parse out theoutputs from each command. It is hard to imagine how we can do this forthe hundreds of commands that we typically run. Predictability: There is really no guarantee that the output stays the samebetween different software versions. If the output is changed ever so slightly,it might just render our hard-fought battle of information gathering useless. Vendor and software lock-in: Perhaps the biggest problem is that once wespend all this time parsing the output for this particular vendor and softwareversion, in this case, Cisco NX-OS, we need to repeat this process for the nextvendor that we pick. I don't know about you, but if I were to evaluate a newvendor, the new vendor would be at a severe onboarding disadvantage if Ihave to rewrite all the screen scrap code again.Let's compare that with an output from an NX-API call for the same show ipinterface brief command. We will go over the specifics of getting this outputfrom the device later in this chapter, but what is important here is to compare thefollowing output to the previous screen scraping output:{"ins api":{"outputs":{"output":{"body":{ "TABLE intf":[{"ROW intf":{"admin-state":"up",[9]

APIs and Intent-Driven "proto-state":"up"}},{"ROW fix":"10.0.0.6","proto-state":"up"}}],"TABLE vrf":[{"ROW vrf":{"vrf-name-out":"default"}},{"ROW nput":"show ip int brief","msg":"Success"}[ 10 ]

Chapter 3},"sid":"eoc","type":"cli show","version":"1.2"}}NX-API can return output in XML or JSON, and this is the JSON output that weare looking at. Right away, you can see the output is structured and can be mappeddirectly to the Python dictionary data structure. Once this is converted to a Pythondictionary, there is no parsing required — you can simply pick the key and retrievethe value associated with the key. You can also see from the output that there arevarious metadata in the output, such as the success or failure of the command. If thecommand fails, there will be a message telling the sender the reason for the failure.You no longer need to keep track of the command the program issued, because it isalready returned to you in the input field. There is also other useful metadata in theoutput, such as the NX-API version.This type of exchange makes life easier for both vendors and operators. On thevendor side, they can easily transfer configuration and state information. They canadd extra fields when the need to expose additional data arises using the same datastructure. On the operator side, they can easily ingest the information and buildtheir infrastructure around it. It is generally agreed by all that network automationand programmability is much needed by both network vendors and operators. Thequestions are usually centered on the format and structure of the automation. Asyou will see later in this chapter, there are many competing technologies under theumbrella of API. On the transport language alone, we have REST API, NETCONF,and RESTCONF, among others.Ultimately, the overall market might decide about the final data format in thefuture. In the meantime, each of us can form our own opinions and help drivethe industry forward.Data modeling for infrastructure-as-codeAccording to Wikipedia (https://en.wikipedia.org/wiki/Data model),the definition for a data model is as follows:A data model is an abstract model that organizes elements of data and standardizeshow they relate to one another and to properties of real-world entities. For instance,a data model may specify that the data element representing a car be composed of anumber of other elements which, in turn, represent the color and size of the car anddefine its owner.[ 11 ]

APIs and Intent-Driven NetworkingThe data modeling process is illustrated in the following diagram:Figure 1: Data modeling processWhen applying the data model concept to the network, we say the network datamodel is an abstract model that describes our network, be it a data center, campus,or global wide area network. If we take a closer look at a physical data center, a layer2 Ethernet switch can be thought of as a device containing a table of MAC addressesmapped to each port. Our switch data model describes how the MAC address shouldbe kept in a table, which includes the keys, additional characteristics (think of VLANand private VLAN), and more. Similarly, we can move beyond devices and map thewhole data center in a model. We can start with the number of devices in each of theaccess, distribution, and core layers, how they are connected, and how they shouldbehave in a production environment. For example, if we have a fat-tree network, wecan declare in the model how many links each of the spine routers have, the numberof routes they should contain, and the number of next-hops each of the prefixeswould have.These characteristics can be mapped out in a format that can then be referencedagainst as the ideal state that we can check against using software programs.YANG and NETCONFOne of the relatively new network data modeling languages that is gaining tractionis Yet Another Next Generation (YANG) (despite common belief, some of the IETFworkgroups do have a sense of humor). It was first published in RFC 6020 in 2010,and has since gained traction among vendors and operators.[ 12 ]

Chapter 3At the time of writing, the support for YANG has varied greatly from vendors. Theadoption rate in production is relatively low. However, among the various datamodeling formats, it is one that seemingly has the most momentum.As a data modeling language, it is used to model the configuration of devices. Itcan also represent state data manipulated by the NETCONF protocol, NETCONFremote procedure calls, and NETCONF notifications. It aims to provide a commonabstraction layer between the protocols used, such as NETCONF, and the underlyingvendor-specific syntax for configuration and operations. We will take a look at someexamples of its usage in this chapter.Now that we have discussed the high-level concepts on API-based devicemanagement and data modeling, let us take a look at some of the examplesfrom Cisco in their API structures and ACI platform.The Cisco API and ACICisco Systems, the 800-pound gorilla in the networking space, have not missedout on the trend of network automation. In their push for network automation, theyhave made various in-house developments, product enhancements, partnerships,as well as many external acquisitions. However, with product lines spanning routers,switches, firewalls, servers (unified computing), wireless, the collaboration softwareand hardware, and analytic software, to name a few, it is hard to know whereto start.Since this book focuses on Python and networking, we will scope this sectionto the main networking products. In particular, we will cover the following: Nexus product automation with NX-API Cisco NETCONF and YANG examples The Cisco ACI for the data center The Cisco ACI for the enterpriseFor the NX-API and NETCONF examples in this chapter, we can either use the CiscoDevNet always-on lab devices mentioned in Chapter 2, Low-Level Network DeviceInteractions, or a locally run Cisco VIRL virtual lab. Since Cisco ACI is a separateproduct at Cisco, they are licensed with the physical switches. For the followingACI examples, I would recommend using the DevNet or dCloud labs to get anunderstanding of the tools. If you are one of the lucky engineers who has a privateACI lab that you can use, please feel free to use it for the relevant examples.[ 13 ]

APIs and Intent-Driven NetworkingWe will use the same lab topology as we did in Chapter 2, Low-Level Network DeviceInteractions, with the exception of one of the devices running NX-OSv:Figure 2: Lab topologyLet's take a look at NX-API.Cisco NX-APINexus is Cisco's primary product line of data center switches. The NXAPI acenter/nexus9000/sw/6-x/programmability/guide/b Cisco Nexus 9000 SeriesNX-OS Programmability Guide/b Cisco Nexus 9000 Series NX-OSProgrammability Guide chapter 011.html) allows the engineer to interactwith the switch outside of the device via a variety of transports including SSH,HTTP, and HTTPS.Lab software installation and device preparationHere are the Ubuntu packages that we will install. You may already have someof the packages, such as pip and git, from previous chapters:(venv) sudo apt-get install -y python3-dev libxml2-dev libxslt1-devlibffi-dev libssl-dev zlib1g-dev python3-pip git python3-requestsIf you are using Python 2, use the following packages instead:sudo apt- get install -y python-dev libxml2-devlibxslt1-dev libffi-dev libssl-dev zliblg-devpython-pip git python-requests.[ 14 ]

Chapter 3The ncclient (https://github.com/ncclient/ncclient) library is a Pythonlibrary for NETCONF clients. We should also enable our virtual environment that wecreated in the last chapter, if not already. We will install ncclient from the GitHubrepository so that we can install the latest version:(venv) git clone https://github.com/ncclient/ncclient(venv) cd ncclient/(venv) python setup.py installNX-API on Nexus devices is turned off by default, so we will need to turn it on.We can either use the user that is already created (if you are using VIRL auto-config),or create a new user for the NETCONF procedures:feature nxapiusername cisco password 5 1 Nk7ZkwH0 fyiRmMMfIheqE3BqvcL0C1 rolenetwork- operatorusername cisco role network-adminusername cisco passphrase lifetime 99999 warntime 14 gracetime 3For our lab, we will turn on both HTTP and the sandbox configuration; keep in mindthat they should be turned off in production:nx-osv-2(config)# nxapi http port 80nx-osv-2(config)# nxapi sandboxWe are now ready to look at our first NX-API example.NX-API examplesNX-API sandbox is a great way to play around with various commands, dataformats, and even copy the Python script directly from the web page. In the last step,we turned it on for learning purposes. Again, the sandbox should be turned off inproduction.[ 15 ]

APIs and Intent-Driven NetworkingLet's launch a web browser with the Nexus device's management IP and take a lookat the various message formats, requests, and responses based on the CLI commandsthat we are already familiar with:Figure 3: NX-API Developer SandboxIn the following example, I have selected JSON-RPC and the CLI command type forthe show version command. Click on POST and you will see both the REQUESTand RESPONSE:Figure 4: Cisco NX-API Developer Sandbox command output[ 16 ]

Chapter 3The sandbox comes in handy if you are unsure about the supportability of themessage format, or if you have questions about the response data field keys forthe value you want to retrieve in your code.In our first example, cisco nxapi 1.py, we are just going to connect to the Nexusdevice and print out the capabilities exchanged when the connection was first made:#!/usr/bin/env python3from ncclient import managerconn manager.connect(host '172.16.1.90',port 22,username 'cisco',password 'cisco',hostkey verify False,device params {'name': 'nexus'},look for keys False)for value in conn.server capabilities:print(value)conn.close session()The connection parameters of the host, port, username, and password are pretty selfexplanatory. The device parameter specifies the kind of device the client isconnecting to. We will see a different response in the Juniper NETCONF sectionswhen using the ncclient library. The hostkey verify bypasses the known hostrequirement for SSH; if not, the host needs to be listed in the /.ssh/known hostsfile. The look for keys option disables public-private key authentication, and usesthe username and password combination for authentication.Some people have reported problems with Python 3 and Paramiko to https://github.com/paramiko/paramiko/issues/748. In the second edition, the issueshould have already been fixed by the underlying Paramiko behavior.The output will show the XML and NETCONF supported features by this version ofNX- OS:(venv) python cisco nxapi apability:validate:1.0[ 17 ]

APIs and Intent-Driven url:1.0?scheme ed-commit:1.0Using ncclient and NETCONF over SSH is great because it gets us closer to thenative implementation and syntax. We will use the same library later on in this book.For NX-API, we can also use HTTPS and JSON-RPC. In the earlier screenshot of NXAPI Developer Sandbox, if you noticed, in the REQUEST box, there is a box labeledPython. If you click on it, you will be able to get an automatically converted Pythonscript based on the request library.The following script uses an external Python library namedrequests. requests is a very popular, self-proclaimed HTTP forthe human library used by companies and agencies like Amazon,Google, the NSA, and others. You can find more information aboutit on the official site (http://docs.python-requests.org/en/master/).For the show version example from the NX-API sandbox, the following Pythonscript is automatically generated for us. I am pasting in the output without anymodification:"""NX-API-BOT"""import requestsimport json"""Modify these please"""url 'http://YOURIP/ins'switchuser 'USERID'switchpassword 'PASSWORD'myheaders {'content-type':'application/json-rpc'}payload [{"jsonrpc": "2.0","method": "cli",[ 18 ]

Chapter 3"params": {"cmd": "show version","version": 1.2},"id": 1}]response requests.post(url,data json.dumps(payload), headers myheaders,auth (switchuser,switchpassword)).json()In the cisco nxapi 2.py script, you will see that I have only modified the URL,username, and password of the preceding file. The output was parsed to include onlythe software version. Here is the output:(venv) python cisco nxapi 2.py7.3(0)D1(1)The best part about using this method is that the same overall syntax structure workswith both configuration commands as well as show commands. This is illustratedin the cisco nxapi 3.py file, which configures the device with a new hostnamewith a command line. After command execution, you will see the device hostnamebeing changed from nx-osv-1 to nx-osv-new:nx-osv-1-new# sh run i hostnamehostname nx-osv-1-newFor multiline configuration, you can use the ID field to specify the order ofoperations. This is shown in cisco nxapi 4.py. The following payload waslisted for changing the description of the interface Ethernet 2/12 in the interfaceconfiguration mode:{"jsonrpc": "2.0","method": "cli","params": {"cmd": "interface ethernet 2/12","version": 1.2},"id": 1},{"jsonrpc": "2.0","method": "cli","params": {"cmd": "description foo-bar",[ 19 ]

APIs and Intent-Driven Networking"version": 1.2},"id": 2},{"jsonrpc": "2.0","method": "cli","params": {"cmd": "end","version": 1.2},"id": 3},{"jsonrpc": "2.0","method": "cli","params": {"cmd": "copy run start","version": 1.2},"id": 4}]We can verify the result of the previous configuration script by looking at therunning configuration of the Nexus device:hostname nx-osv-1-new.interface Ethernet2/12description foo-barshutdownno switchportmac-address 0000.0000.002fIn the next section, we will look at some examples for Cisco NETCONF and theYANG model.The Cisco YANG modelEarlier in this chapter, we looked at the possibility of expressing the network byusing the data modeling language YANG. Let's look into it a little bit more withexamples.[ 20 ]

Chapter 3First off, we should know that the YANG model only defines the type of schema sentover the NETCONF protocol without dictating what the data should be

Intent-driven networking Since the publication of the first edition of this book, the terms intent-based networking (IBN) and intent-driven networking (IDN) have seen an uptick in use after major network vendors chose to use them to describe their next-generation devices. The two terms ge