Nautobot Single Source of Truth (SSoT) for Cisco ACI

Blog Detail

We’re excited to announce the latest addition to our portfolio of Nautobot apps, the Single Source of Truth (SSoT) App for Cisco ACI! In this post, we’ll discuss the capabilities of the SSoT App for ACI and how to get started using it to synchronize data between Cisco ACI and Nautobot.

To learn more about Nautobot SSoT Apps (aka plugins), please see this blog post.

Nautobot SSoT for ACI Overview

The Cisco ACI controller, the APIC (Application Policy Infrastructure Controller), contains a wealth of inventory information about the hardware running in the ACI fabric, including device model numbers, part numbers, and serial numbers for every switch connected to the data center fabric. This inventory information is discovered dynamically as devices are added or removed from the fabric. The APIC also contains administratively configured Out of Band management IP addressing of the hardware devices, as well as IP addressing for use on subnets within the fabric. With the SSoT App for Cisco ACI, this information can be dynamically synchronized from the APIC to Nautobot, eliminating the need to manually enter and maintain the devices and IP addressing in Nautobot. In addition, the SSoT App for Cisco ACI can also synchronize useful information from the APIC, such as interface descriptions and interface optic types. As the information is updated in the APIC, a synchronization job in Nautobot can be set to run periodically to dynamically pick up the changes. This results in reduced administrative overhead for initially getting the data from ACI into Nautobot, and keeping the data in Nautobot up to date as changes occur in ACI. In addition, it provides useful visibility of ACI configuration details inside of Nautobot.

Nautobot SSoT for ACI Capabilities

The SSoT App for ACI currently syncrhonizes the following objects:

ACINautobot
TenantTenant
Node (Leaf/Spine/Controller)Device
ModelDevice Type
Management IP address (Leaf/Spine/Controller)IP Address
Bridge Domain SubnetPrefix, IP Address
InterfacesInterface
VRFsVRFs

Currently, the synchronization is one-way from ACI to Nautobot. While it would be possible to synchronize objects from Nautobot to ACI, the focus for this release was bringing data into Nautobot from ACI and keeping it up to date as changes occur in the ACI fabric. It does not mean it is any less important to model data in Nautobot and push & federate that data into ACI (and other controllers).

Tenants

The SSoT App will discover any tenants created in ACI, and create them in Nautobot. Multiple ACI fabrics can be supported by the SSoT App, and thus a configurable tenant prefix is appended to the beginning of the tenant name to indicate which ACI fabric the tenant is a member of.

Tenants
Tenants

VRFs

The SSoT App will synchronize the VRFs in ACI as VRF objects in Nautobot, and assign them to the appropriate tenant.

VRFs
VRFs

Devices and Device Types

Leaf and Spine nodes, as well as the APIC controllers will be created in Nautobot as Devices. In order to create the Devices, it is necessary to first create Device Types for each type of switch model in the ACI fabric. To accomplish creation of Device Types, a set of YAML descriptor files are placed in the nautobot_ssot_aci/diffsync/device-types directory. The YAML filenames match the actual device model names, for example N9K-C93180LC-EX.yaml. During the initial synchronization, new Device Types will be created in Nautobot for each of the YAML files. Note that configurable Comment and Tag values are associated to all objects in Nautobot where possible.

Several YAML files are bundled with this project. However, more can be downloaded here. Additionally, if a device type doesn’t yet exist for a particular switch model, it can be created using the same format and placed in the device-types directory.

Devices
Devices

Once Device Types are created, Devices will be created in in Nautobot for the Leaf and Spine nodes, as well as the APIC controllers. The device model is read from the ACI fabric, and the Device is associated to the corresponding Device Type in Nautobot.

Devices

Device details, such as the Serial Number, are synchronized. In addition, Custom Fields are created in Nautobot to store ACI Leaf and Spine Node IDs and Pod membership.

leaf

Interfaces

During synchronization, the SSoT App enumerates all interfaces on each Leaf and Spine device in ACI, creates the interfaces in Nautobot, and attaches them to the appropriate Device in Nautobot. Any interface descriptions that are configured on the interfaces in ACI will carry over to the interfaces in Nautobot.

synchronization
synchronization

In addition, the SSoT App will query the ACI fabric for the optics installed in the switch ports and the optic details will be programmed as Custom Fields on the interfaces in Nautobot.

leaf

There are no physical optical details in the ACI simulator, therefore the optic details will only be shown when working with a real ACI fabric.

IP Addresses and Prefixes

The APIC controllers, as well as leaf and spine switches, are all assigned out of band management IP addresses in the APIC. These management IP addresses will be programmed in Nautobot during synchronization, and will be associated to the management interface on the devices in Nautobot.

IP Addresses
apic
apic

In ACI, one or more subnets can be created on each Bridge Domain. During synchronization, these subnets are programmed in Nautobot as Prefixes, if not already present. In addition, the gateway address for the subnet is created as an IP Address in Nautobot. The Prefixes and IP Addresses are assigned to the correct Tenant and VRF in Nautobot, as determined by querying the APIC controller. The description is also configured to indicate the name of the Bridge Domain where the subnet is configured.

synchronization
synchronization
synchronization

Setting Up

The steps for installing and configuring the SSoT App for ACI can be found in the project README. The SSoT App supports use with multiple APIC clusters, and the unique credentials for each should be defined as environment variables with an identifier at the end of each variable for the APIC cluster. The identifier is a unique name that will be visible in the SSoT dashboard when executing a synchronization job. In the below example, NTC is the identifier assigned to our fabric.

export NAUTOBOT_APIC_BASE_URI_NTC=https://aci1.infra.networktocode.com
export NAUTOBOT_APIC_USERNAME_NTC=admin
export NAUTOBOT_APIC_PASSWORD_NTC=not_so_secret_password
export NAUTOBOT_APIC_VERIFY_NTC=False
export NAUTOBOT_APIC_SITE_NTC="NTC ACI"
export NAUTOBOT_APIC_TENANT_PREFIX_NTC="NTC_ACI"

We also have environment variables defined for a second APIC cluster, which is the Cisco DevNet Always-On sandbox.

export NAUTOBOT_APIC_BASE_URI_DEVNET=https://sandboxapicdc.cisco.com
export NAUTOBOT_APIC_USERNAME_DEVNET=admin
export NAUTOBOT_APIC_PASSWORD_DEVNET=not_so_secret_password
export NAUTOBOT_APIC_VERIFY_DEVNET=False
export NAUTOBOT_APIC_SITE_DEVNET="DevNet Sandbox"
export NAUTOBOT_APIC_TENANT_PREFIX_DEVNET="DevNet"

When executing a synchronization job, we can then select which APIC we would like to operate against.

Setting

The NAUTOBOT_APIC_SITE environment variable is used to select the objects to be compared during synchronization. It will be programmed as a Site in Nautobot, and will also be used to ensure that a synchronization job on one APIC cluster cannot affect objects for a different APIC cluster. With this being the case, it is important that each APIC cluster be configured with a different value for NAUTOBOT_APIC_SITE.

Running

Once the SSoT App is configured and initialized, it can be accessed by navigating to the Single Source of Truth dashboard in Nautobot and clicking on the Cisco ACI Data Source.

Running

From there, you can view historical synchronization jobs or click Sync Now to launch a new job.

Running

When you click Sync Now, you can launch a synchronization job immediately or it can be run on a schedule. Scheduling provides the ability to launch the job at a specific time, or run the job hourly, daily, or weekly. In addition, it is possible to initiate a Dry Run which will run the synchronization job without creating any objects in Nautobot. This is useful to view the changes that would be made in Nautobot without actually making the changes.

Running

When a job completes, you can click on the SSoT Sync Details button to see the proposed (in the case of a Dry Run) or implemented changes.

data source
aci

Wrapping Up

There’s certainly more we could do with synchronizing data between ACI and Nautobot, and we’d love to hear your use cases! Please let us know in the comments or hit us up on Slack.


Conclusion

This project would not have been as comprehensive or well tested if it weren’t for the excellent contributions and testing efforts from Donnie Wood (@dnewood), Christian Adell (@chadell), and Tomek Zajac. Thanks!

-Matt

Resources



ntc img
ntc img

Contact Us to Learn More

Share details about yourself & someone from our team will reach out to you ASAP!

Using Cisco YANG Suite to Build RESTCONF Requests

Blog Detail

Recently I had a need to do some automation against a group of IOS-XE routers and decided I’d like to take another look at using the RESTCONF API that is offered by the devices. In this post, I’ll show how Cisco YANG Suite can help reduce the development effort when working with YANG models and RESTCONF.

Translating YANG Models to RESTCONF

One of the main challenges for me with using RESTCONF in the past has been figuring out the required URL and payload for the requests. For example, a RESTCONF URL to retrieve the configuration of interface GigabitEthernet1 on a router looks like this: /data/ietf-interfaces:interfaces/interface=GigabitEthernet1, but how are the components of that URL built? Cisco’s Hank Preston wrote a very thorough and helpful blog post that explains how the YANG tree is mapped into a URL, and it is a great reference to gain further understanding.

Even with an understanding of how the URL and payloads are built from the YANG models, the process of figuring them out involves downloading, examining, and interpreting manually the YANG model file(s) for the particular feature you are trying to work with on the router. For me there was always a painful and usually time-consuming process of inspecting YANG model(s) in a text editor, and then going through trial and error until I finally managed to build the correct URL and payload to configure a feature. I thought, if only the router had a Swagger API documentation page that provided the URL and required payload like other APIs I have worked with, things would be so much easier!

Cisco YANG Suite is a tool that can provide that functionality and more! In this post, I’ll first explain how to get up and running quickly with Cisco YANG Suite. Then I’ll walk through an example scenario of using YANG Suite to automatically generate the appropriate RESTCONF calls, eliminating the need to open and interpret any YANG model files in a text editor.

Installing YANG Suite

Cisco YANG Suite can be run as a Docker container locally on your machine, which requires that you have Docker Desktop installed. For other installation options, please see the YANG Suite documentation. The first step is downloading the code to your machine from the GitHub repository. The best way to do that is with the Git command line utility, using the command:

git clone https://github.com/CiscoDevNet/yangsuite/

You will now have a yangsuite directory. Change to the directory yangsuite/docker. Here you will find the setup script start_yang_suite.sh. Execute the script to begin setup.

$ ./start_yang_suite.sh

Hello, please setup YANG Suite admin user.
username: admin
password:
confirm password:
email: matt.mullen@networktocode.com

The script prompts for definition of superuser credentials and asks whether you want to generate “test” certificates. Test certificates are self-signed certificates that are used for SSL and are automatically generated by the script. Since we are only using YANG Suite on the local machine, self-signed certificates will be fine here.

Setup test certificates? (y/n): y

################################################################
## Generating self-signed certificates...                    ##
##                                                            ##
## WARNING: Obtain certificates from a trusted authority!     ##
##                                                            ##
## NOTE: Some browsers may still reject these certificates!!  ##
################################################################

Generating a 2048 bit RSA private key
......................................................+++
.......+++
writing new private key to 'nginx/nginx-self-signed.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:NC
Locality Name (eg, city) []:Raleigh
Organization Name (eg, company) []:Network to Code
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:
Certificates generated...
Building docker containers...

Once you enter the certificate details, the containers begin launching. The containers will be running interactively in your terminal, so you must leave the terminal window where you ran the script open. Once the activity in the terminal has stopped scrolling, the containers should be running and YANG Suite will be available at the URL: https://localhost:8443.

Upon accessing the above URL for the first time, you will be prompted to accept the YANG Suite License and Privacy statement. Assuming you agree to the legal mumbo jumbo, click Accept and log in with the superuser credentials you defined during the setup script.

Translating YANG Models
Translating YANG Models

Upon successful login, you will be at the Welcome screen.

YANG Models

YANG Suite Initial Setup

There are a few one-time setup tasks that we must do in order to begin using YANG Suite:

  • Define a Device Profile
  • Create a YANG Module Repository
  • Create a YANG Module Set

The examples in this post are using the IOS-XE Always-On sandbox, which consists of a CSR1000V router with programmability features such as NETCONF and RESTCONF enabled and ready for use. You can find the credentials and other related information in the IOS-XE Always-On DevNet Sandbox.

Device Profile

The first thing we need to do is download YANG models to work with. This can be accomplished by either uploading the YANG models from your system, or by downloading them from an existing device on the network. We’ll go ahead and download the models from the router in the IOS-XE Always-On sandbox (https://sandbox-iosxe-latest-1.cisco.com). To do that, we will create a Device Profile.

Click on Setup > Device Profiles and then Create New Device. Then enter the details for the IOS XE sandbox:

Create New Device

Ignore the “Invalid IP Address” error when entering the hostname into the Address field. This appears to be a bug.

It is also necessary to scroll down and enable the NETCONF and RESTCONF protocols. Make sure to check the Skip SSH key validation for this device checkbox under the NETCONF section. Once complete, click Create Profile.

NETCONF

YANG Module Repository

Next we must set up a YANG module repository to store the models. Click on Setup > YANG files and repositories. Then click New repository.

YANG Module Repository

We’ll give this repo the name “IOS-XE”.

YANG Module Repository

On the next screen, select NETCONF and then select the device profile that we just created. Then click Get schema list.

YANG Module Repository

We could filter and select various models if desired, which would save time, but we’ll go ahead and download them all. Click on Select all and then Download selected schemas. This will take a few minutes. As the modules are downloading, you can see the logs on the terminal where we launched the containers. It won’t be necessary to redo this if you shut down the containers or need to reboot your machine because the files are stored inside a Docker volume.

YANG Module Repository

When complete, you should see a dialogue indicating the number of modules added, and all of the modules listed in the YANG modules in repository section, as shown below.

YANG Module Repository

YANG Module Set

Click on Setup > YANG module sets and click New YANG set. Then give the YANG set a descriptive name.

YANG Module Set

Next, click Add entire repository to add all modules to this YANG set. The modules should all be moved to the left-hand pane under YANG modules in this set. We won’t be needing any of the models referenced in the warnings panel on the right, so the warnings can be safely ignored.

YANG Module Set

Scenario: Configure a TACACS Key

With the initial setup out of the way, let’s look at how we can determine the appropriate API calls to configure a TACACS key on a router using RESTCONF. To do that, first we need to determine what YANG model to use. In YANG Suite, click on Explore and select YANG. From the dropdown, select our YANG set that we just created.

Configure a TACACS Key

Here is where we get into a little bit of guesswork to determine which YANG model has the configuration parameters needed, but this would be the same if we were not using YANG Suite and had to manually inspect the YANG modules. Since we’re looking to change the TACACS key, it’s a good bet this has something to do with AAA; so under “Select YANG modules(s)” we’ll filter for AAA. I’ve had success with the IOS native modules; so select the Cisco-IOS-XE-aaa module and then hit Load module(s).

Configure a TACACS Key

When a module completes loading you may get a dialogue like the one shown below indicating that one or more of the modules have no tree(s) to display. This is because the Cisco-IOS-XE-aaa module doesn’t provide its own YANG data tree, but instead augments the data in the Cisco-IOS-XE-native module. In the case where a module extends or augments another, we need to work with the augmented module, in this case the Cisco-IOS-XE-native module.

Configure a TACACS Key

Notice the triangle to the left of Cisco-IOS-XE-native in the tree listing above. This can be expanded to show the leaves of the tree. Since we are looking for TACACS configuration, we can expand the tree and use the web browser search function to find anything related to “tacacs”.

Using the web browser search function works well for this use case because there are containers (represented by folder icons in the tree) that contain the word “tacacs”. In some cases you may be looking for a configuration parameter that is not a container, but exists deeper within the YANG tree. In this case, you could use the Search XPaths and/or Search nodes buttons to help locate the correct leaf node.

Configure a TACACS Key

By expanding the tree and then searching for “tacacs” in the browser, we can see there are two nodes for configuration of TACACS. Looking at the first “tacacs” node, I see the key (denoted by the red key icon) ios-aaa:name, indicating that this would be for a named TACACS server configuration. We could use a named TACACS configuration, but we would first have to create the named TACACS server configuration before we can create a TACACS key. To keep things simple, we’ll use the ios-aaa:tacacs-server node which doesn’t require a named TACACS server configuration. Expanding that out, we can see there is an ios-aaa:key leaf which looks promising. Now that we have located a candidate to configure the TACACS key, we can generate the RESTCONF API calls.

In YANG Suite, navigate to Protocols > RESTCONF. Select the IOS-XE YANG set we created previously, the iOS-xe-always-on device profile, and enter the Cisco-IOS-XE-native YANG module which we determined previously. You can set the depth of the leaves to be loaded to reduce the level that the tool will traverse into the tree, but I typically just set this to No limit to ensure I am seeing everything. Click Load modules(s). This will take a minute or so as it loads the nodes of the tree.

RESTCONF

Once loaded, we can then expand the tree and once again use the web browser search function to find the leaves related to “tacacs” and expand the tacacs-server node.

RESTCONF

Notice the Generate API(s) button that has now appeared. Select the leaf ios-aaa:key, and then click the Generate API(s) button. When complete, a new Show API(s) button should appear.

Notice the Generate API

Highlight the ios-aaa:key leaf and click the Show API(s) button. This gives us the API call URLs and payload to retrieve (GET), create (PUT), update (PATCH), or remove (DELETE) the TACACS key on the router in an easy to consume format!

Show API

Click to expand the PUT request, which is used for creation of a new TACACS key. This displays the URL to use, as well as the request body indicating the JSON payload that should be included. In addition, note the value that would need to be set in the “Content-Type” header: application/yang-data+json.

Show API

This is all the info we should need to form the request using Python or other tools! For example you could use the Python requests module to automate making the RESTCONF calls. However, we can see if it performs as expected right here from the browser by clicking the Try it out button. Here you can replace “string” in the payload with the desired TACACS key value. Then click Execute to run the command on the device.

Show API

Once executed, it shows you the curl command that can be used to make the request along with the response code. The HTTP response code of 201 indicates that the TACACS key was created successfully on the remote device.

curl

Let’s check the device to see whether the CLI reflects what we just configured. To accomplish this, we will SSH directly to the CSR1000V router in the IOS-XE sandbox (sandbox-iosxe-latest-1.cisco.com).

CLI

Conclusion

As I hope the demonstration above proved, YANG Suite makes it a lot easier to work with network devices using RESTCONF. Kudos to Cisco and the makers of YANG Suite for providing such a useful tool!

-Matt



ntc img
ntc img

Contact Us to Learn More

Share details about yourself & someone from our team will reach out to you ASAP!

Nautobot Chatops for Cisco ACI

Blog Detail

We’re excited to announce the newest addition to our growing list of Nautobot Chatops Applications, the Cisco ACI Chatops Plugin! The Cisco ACI Chatops integration makes it possible to interact with the ACI controller, the APIC (Application Policy Infrastructure Controller), using chat commands in Slack, Mattermost, Cisco Webex, and Microsoft Teams. With this integration, network operations teams supporting Cisco ACI can use chat commands to:

  • execute commands against multiple different APIC clusters in different data centers and/or regions
  • register new leaf or spine switches in the fabric using chat commands
  • quickly glean useful data from an APIC for informational or troubleshooting purposes

Below, we’ll review some of the features and commands in this initial release.

Multi-Fabric Support

Multi-Fabric refers to the ability to provide support for multiple APIC clusters. While there is not currently support today for the Cisco Multi-Site Orchestrator (MSO), which provides a single point of management for multiple APIC clusters, the ACI Chatops app supports configuration of as many individual APIC controllers as needed. The chat platform will prompt for the APIC to execute a command against (it’s also open source, so contributions are more than welcome!):

APIC Selection Menu

In addition, the selection dialogue can be avoided, if desired, simply by providing the APIC cluster name as the second argument to the chat command. For example, to execute against the APIC cluster called ntcapic in our configuration, the command would be:

/aci get-tenants ntcapic

ntcapic is a friendly name assigned to our APIC cluster. Under the hood it informs the Chatops app which APIC hostname and credentials to use. The details can be found in the Installation Guide.

Node Registration

In Cisco ACI, when new Leaf and Spine switches are plugged into the ACI fabric for the first time, they are discovered using LLDP (Link Layer Discovery Protocol) and show up in the APIC as unregistered nodes. An administrator must then access the APIC GUI and register the new node by assigning it a name and unique ID number. The below set of chat commands could be used by network operators to view registered and pending nodes, and then register a newly discovered node in the fabric.

Get Nodes

Displays a list of all registered nodes in the fabric.

Get Nodes

Get Pending Nodes

Displays a list of any unregistered nodes that have been discovered.

Get Pending Nodes

Register Node

Register a new node in the ACI fabric.

Register Node

Information Gathering

The below chat commands can be used to retrieve and display configuration and operational details from the APIC.

Display APIC Details

Don’t remember the hostname or IP addressing details of the APIC? Need to look up the serial number or model information? No problem, just run the aci get-controllers command!

Get Controllers

Display Tenants

Get the list of tenants from an APIC using the command aci get-tenants.

Get Tenants

Display Application Profiles

Get the list of Application Profiles in a specified tenant using the aci get-aps command.

Get Aps

You can also specify all for the tenant field to get a list of all Application Profiles in the fabric across all tenants.

Get All Aps

Display Endpoint Groups (EPGs)

Get a list of all EPGs in a specified Application Profile using the aci get-epgs command.

Get EPGs

You can also specify all for the Application Profile selection dialogue to see EPGs for all Application Profiles in a tenant.

Get EPGs All APs

How about all EPGs across all tenants? Sure, just specify all for the Tenant dialogue…

Get EPGs All Tenants

Display Endpoint Group Details

The aci get-epg-details chat command provides useful information about a specified EPG, consolidating information from several API calls.

Get EPG Details

Display VRFs

The aci get-vrfs chat command displays the VRFs in use in a specified tenant.

Get VRFs

It is also possible to display all VRFs in the fabric by selecting all from the tenant selection dialogue.

Get VRFs All

Display Bridge Domains

The aci get-bds command displays Bridge Domains in a specified tenant and includes useful details from several API calls, such as the configured subnet, VRF, L2 Forwarding, and L3 Routing details.

Get BDs

You can also get a fabric-wide view of Bridge Domains by selecting all from the tenant selection dialogue.

Get BDs All

Display Interface State

The aci get-interfaces command can be used to quickly view interface state on a specified node.

Get Interfaces All

You can also filter for all operational or non-operational interfaces by selecting up or down from the Interface State selection dialogue.

Get Interfaces Up
Get Interfaces Down

Conclusion

With the commands developed so far, our main focus was on providing the ability to glean useful operational details from an ACI fabric; but we could easily implement any task using the extensible API that Cisco ACI provides. What other chat commands for Cisco ACI would you find useful? Please feel free to hit us up in the comments or in our Public Slack channel.

-Matt



ntc img
ntc img

Contact Us to Learn More

Share details about yourself & someone from our team will reach out to you ASAP!