Exploring the Final Frontier of Data Center Orchestration: Network Elements - PuppetConf 2014
DESCRIPTION
Exploring the Final Frontier of Data Center Orchestration: Network Elements - Jason Pfeifer, Cisco
TRANSCRIPT
Presented by
Network Elements: The Final Frontier of Data Center Automation
Jason Pfeifer, Technical Marketing | Cisco
Why?
"I can spin up servers in minutes with my Puppet workflows, why does it take orders of magnitude more to spin up and affect change on my Network Elements?"
IT Management Challenges
Agility: 60% of IT managers are not satisfied with the speed at which IT responds to business needs
Reliability: $72,000 / hr cost of downtime due to manual errors and configuration drift
Productivity: 48% of IT professionals spend 50% or more of their time on basic administrative tasks
Shadow IT: 36% of employees have already used "unapproved" cloud services
Insight: 93% of IT professionals cannot answer "What changed?" when an outage incident occurs
Sources: Gartner, Kaseya, Harvey Nash, Vanson Bourne, Evolven, InformationWeek
Similar Challenges in the NetOps Space
Network Operations Challenges
Agility: Rollout speed of network equipment is slow. After physical kit is installed, configuration should be immediate.
Reliability: Huge cost of downtime due to manual errors and configuration drift
Productivity: Networking professionals spend 50% or more of their time on basic administrative tasks, CLI interaction, screen-scraping output
Home Built: Employees have home-built scripts / one-off procedures specific to the local network environment
Insight: "What changed?" plagues the industry when an outage incident occurs. How do we recover?
Sources: Disgruntled Network Administrators
Existing Management Solutions = Insufficient
Sources: THINKstrategies/FrontRange

CUSTOM ONE-OFF SCRIPTS (IT):

    # run "uname -a" on every host listed in host.cfg, one ssh session at a time
    for i in $(cat host.cfg); do
        ssh user@$i uname -a
    done

CUSTOM ONE-OFF SCRIPTS (NetOps):

    # drive a telnet session by matching the connection banner, then send Enter
    spawn telnet $ip(t) $port(t)
    expect "Trying $in_telnet...\r*Connected to $in_telnet.\r*Escape character is '^\]'.\r*"
    send -- "\r"

• Not reusable across different applications or operating systems
• What happens when original author leaves?
Puppet Automates Infrastructure for Network Admins
NETWORK STACKS: Asset Management; Physical & Virtual Nodes; Operating Systems; Controllers; Applications, Code & Data
NETOPS MANAGEMENT STACK: Discovery; Provisioning; Configuration; Orchestration; Reporting; Automation; Service Catalog; Monitoring; Help Desk
Lifecycle management for heterogeneous environments possible
NetOps Agent
CENTRALIZED MANAGEMENT SERVER: Reporting, GUI Workflows, Admin & Security
DISTRIBUTED AGENTS: an Agent on each VM Node, Cloud Node, Hardware Node and Switch
CLOUD-BASED REPOSITORY OF PRE-BUILT SOLUTIONS: Puppet Forge
3RD PARTY INTEGRATIONS: CMDBs, LDAP & AD, Monitoring, Version Control
Enabling Technologies
NX-OS Architecture
Layer-2 Protocols, Layer-3 Protocols, Storage Protocols: VLAN Mgr, STP, OSPF, BGP, EIGRP, GLBP, HSRP, VRRP, VSANs, Zoning, FCIP, FSPF, IVR, UDLD, CDP, 802.1X, IGMP snooping, LACP, PIM, CTS, SNMP, ...
Interface Management, Chassis Management, Protocol Stack (IPv4 / IPv6 / L2)
Sysmgr, PSS & MTS
SNMP, XML, CLI Management, NXAPI
Shell Access, onePK (Element / VTY), Container Services (ADT / Guest Shell)
Chip/Driver Infrastructure
Kernel
NXAPI
• CLI interaction with device over HTTP / HTTPS
• Input/Output encoded in JSON or XML (key for programmability)

Example: "show clock" sent over HTTP / HTTPS to the NXAPI web server (NGINX)

Request:
    [ { "jsonrpc": "2.0", "method": "cli", "params": { "cmd": "show clock", "version": 1 }, "id": 1 } ]

Response:
    { "jsonrpc": "2.0", "result": { "body": { "simple_time": "15:00:37.762 PST Mon Aug 18 2014\n" } }, "id": 1 }

Enabling NXAPI on the switch:
    Switch# conf t
    Switch(config)# feature nxapi
    Switch(config)# exit
NXAPI - Response
Output (a "show version" result body, returned as JSON-RPC):

    {
      "jsonrpc": "2.0",
      "result": {
        "body": {
          "header_str": "Cisco Nexus Operating System (NX-OS) ",
          "bios_ver_str": "3.22.0",
          "kickstart_ver_str": "7.1(0)D1(1) [build 7.1(0)ZD(0.102)] [gdb]",
          "sys_ver_str": "7.1(0)D1(1) [build 7.1(0)ZD(0.102)] [gdb]",
          "bios_cmpl_time": "02/20/10",
          "kick_file_name": "bootflash:///n7000-s1-kickstart.7.1.0.ZD.0.102.gbin",
          "kick_cmpl_time": " 2/11/2014 18:00:00",
          "kick_tmstmp": "03/14/2014 05:31:12",
          "isan_file_name": "bootflash:///n7000-s1-dk9.7.1.0.ZD.0.102.gbin",
          "isan_cmpl_time": " 2/11/2014 18:00:00",
          "isan_tmstmp": "03/13/2014 23:16:21",
          "chassis_id": "Nexus7000 C7010 (10 Slot) Chassis",
          "module_id": "Supervisor Module-1X",
          "cpu_name": "Intel(R) Xeon(R) CPU ",
          "manufacturer": "Cisco Systems, Inc."
        }
      },
      "id": "1"
    }
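The request and reply shapes on the two NXAPI slides are enough to write a small client. The following is an added example, not Cisco's code and not from the talk: it builds the JSON-RPC batch, parses replies of the kind shown for "show clock" and "show version" (including a JSON-RPC error member, which is constructed here), and sends the batch over HTTPS with the server certificate verified. The /ins endpoint path and the application/json-rpc content type are assumptions about NX-API; the host, user, password and cafile arguments of send() are placeholders.

```python
"""NX-API JSON-RPC client helpers (added example, not Cisco's code).

The request/response layout follows the "show clock" and "show version"
exchanges shown on the slides. The "/ins" endpoint and the
"application/json-rpc" content type are assumptions about NX-API; the
host, user, password and cafile arguments of send() are placeholders.
"""
import base64
import json
import ssl
import urllib.request

NXAPI_PATH = "/ins"  # assumed NX-API endpoint on the switch's NGINX web server


def build_request(cmds):
    """One JSON-RPC call per CLI command; ids are 1-based so replies can be matched."""
    return [
        {"jsonrpc": "2.0", "method": "cli",
         "params": {"cmd": cmd, "version": 1}, "id": i + 1}
        for i, cmd in enumerate(cmds)
    ]


def parse_response(text):
    """Return {id: result body}. A single reply or a batch list is accepted.

    A JSON-RPC "error" member means the switch rejected that command; raise
    rather than silently handing back a partial result.
    """
    data = json.loads(text)
    replies = data if isinstance(data, list) else [data]
    bodies = {}
    for reply in replies:
        if "error" in reply:
            msg = reply["error"].get("message", reply["error"])
            raise RuntimeError(f"command id {reply.get('id')} rejected: {msg}")
        bodies[int(reply["id"])] = reply["result"]["body"]
    return bodies


def safe_parse(text):
    """parse_response() that reports failure as (None, message) instead of raising."""
    try:
        return parse_response(text), None
    except (RuntimeError, KeyError, ValueError, TypeError) as exc:
        return None, str(exc)


def send(host, user, password, cmds, cafile):
    """POST a batch over HTTPS with HTTP basic auth and a verified server certificate.

    The credentials are device credentials, so the plain-HTTP option on the
    slide would carry them in the clear; HTTPS with a CA bundle that signs the
    switch certificate keeps them and the returned configuration private.
    """
    body = json.dumps(build_request(cmds)).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}{NXAPI_PATH}", data=body, method="POST",
        headers={"Content-Type": "application/json-rpc",
                 "Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_response(resp.read().decode())


# Replies taken from the slides ("show clock", and "show version" trimmed to three fields).
SHOW_CLOCK_REPLY = r'''{ "jsonrpc": "2.0", "result": { "body": {
    "simple_time": "15:00:37.762 PST Mon Aug 18 2014\n" } }, "id": 1}'''
SHOW_VERSION_REPLY = r'''{"jsonrpc": "2.0", "result": { "body": {
    "header_str": "Cisco Nexus Operating System (NX-OS) ",
    "sys_ver_str": "7.1(0)D1(1) [build 7.1(0)ZD(0.102)] [gdb]",
    "chassis_id": "Nexus7000 C7010 (10 Slot) Chassis" } }, "id": "1"}'''
# Constructed JSON-RPC error reply (shape only; not captured from a switch).
ERROR_REPLY = '{"jsonrpc": "2.0", "error": {"code": -32602, "message": "Invalid params"}, "id": 1}'

if __name__ == "__main__":
    print(build_request(["show clock", "show version"]))
    print(parse_response(SHOW_CLOCK_REPLY)[1]["simple_time"].strip())
    print(parse_response(SHOW_VERSION_REPLY)[1]["sys_ver_str"])
    print(safe_parse(ERROR_REPLY))
```

Matching replies to requests by id matters once several commands go in one batch; a reply with an error member for one id should stop the caller from treating the remaining bodies as a complete picture of the device.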
ONE Platform Kit (onePK)
Applications (C, JAVA, Python) -> onePK API Presentation -> API Abstraction -> IPC Channel -> Any Cisco Router or Switch (Catalyst, Nexus, ASR, ISR)
Network Programming Environment to:
• Innovate
• Extend
• Automate
• Customize
• Enhance
• Modify
Where Do onePK Applications Run?
Choose the Hosting Model that Suits Your Platform and Your Application
On An External Server ("End-Node")
• Plentiful memory/compute
• Higher latency and delay
• Supported by all platforms
On A Hardware Blade ("Blade")
• Dedicated memory/compute
• Low latency and delay
• Requires modular hardware blade
On the Router ("Process")
• Shared memory/compute
• Very low latency and delay
• Requires modular software architecture
Evolving How We Interact
New Paradigm: App (C, Java, Python, Ruby*) -> Network OS -> Routing, Data Plane, Policy, Interface, Monitoring, Discovery, ... anything you can think of
Traditional Approach: App -> Events / Actions via EEM (TCL); CLI, AAA, SNMP, HTML, XML, Syslog, Span, Netflow, CDP, Routing Protocols
APIs Are Grouped (Service Sets)
Service Set | Description
Data Path | Provides packet delivery service to application: Copy, Punt, Inject
Policy | Provides filtering (NBAR, ACL), classification (Class-maps, Policy-maps), actions (Marking, Policing, Queuing, Copy, Punt) and applying policies to interfaces on network elements
Routing | Read RIB routes, add/remove routes, receive RIB notifications
Element | Get element properties, CPU/memory statistics, network interfaces, element and interface events
Discovery | Topology and local service discovery
Utility | Syslog events notification, path tracing capabilities (ingress/egress and interface stats, next-hop info, etc.)
Developer | Debug capability, CLI extension which allows application to extend/integrate application's CLIs with network element
Agent Model Applications
• Agent application resides on NE, utilizes onePK API library
• Choice of communication methods between agent and controller
• Choice of where bulk of processing will occur
• Controller typically has network-wide view, agent has individual box view
Examples:
• Web application with REST interface
• Management over XMPP
• Path Computation: a PCE controller speaks PCEP to PCC agents
• Wireless LAN Control: a WLC speaks CAPWAP to the APs
Dev Ops - Plug Ins
Container-based packaging of Dev Ops agents
• Device hosted: software runs on local device
• Standard: standard Linux software
• Software independence: secure, not running in host OS
• TTM: host release independence, fast TTM
(Diagram: Dev Ops Plug-ins run in a Container on the NOS (OS/Linux) of the Switch/Router)
NXOS Puppet Integration

Cisco Puppet Plug-In: Architecture
Data Center Network: Compute/Storage Servers attached to Cisco Nexus switches, all managed by a Puppet Master
On each Cisco Nexus: the Puppet Agent runs in an LXC Container on the Network OS and reaches the Cisco Network Resources through onePK
Cisco NXOS Puppet Agent Integration
• Packaged as virtual-services LXC container OVA
• OVA registers CLI extensions: configuration commands, show commands, exec commands, clear commands, debug commands
• OVA syslogs are linked to NXOS syslog ("show log")
Cisco Puppet Agent Configuration Example (Puppet configuration mode)
    (config)# puppet
    (config-puppet)# master pmaster.cisco.com port 8999
    (config-puppet)# vrf management
    (config-puppet)# run-interval 180
    (config-puppet)# domain-name cisco.com
    (config-puppet)# name-server 4.1.1.128
    (config-puppet)# activate
Puppet Deployment using POAP
1 Power up switch with no startup-config and default images
2 DHCP phase: get IP address and gateway, script server IP, script file name
3 Switch downloads script
4 Execute script locally: download software images, download running-config, download puppet_plugin.ova, download plugin_activate.py script
5 Reload the router with downloaded software; plugin_activate.py script executes, installing and activating puppet_plugin.ova
6 Once the plugin is activated, the puppet agent running inside the container will establish a session with the puppet master and retrieve catalogues, etc.
(Diagram actors: NXOS, DHCP, Script, Config, Puppet OVA, Puppet Master)
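Step 4 has a switch that still has no startup-config pull images, the running-config, puppet_plugin.ova and plugin_activate.py from the script server, and step 5 installs them. The following is an added example of how a POAP-style script can refuse to install any artifact whose contents do not match a known-good digest; it is not Cisco's POAP script, and the talk does not describe such a check. The manifest format (sha256sum output), the fetch() callback and the constructed file contents are assumptions of this example.

```python
"""Integrity-checked staging for POAP-style downloads (added example; not Cisco's script).

The slides list the artifacts POAP fetches before installing the Puppet plugin:
software images, running-config, puppet_plugin.ova, plugin_activate.py. The
manifest format (sha256sum output), the fetch() callback and the sample file
contents below are constructed for this example.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream the file so a large NX-OS image does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse 'HEX  filename' lines (sha256sum format) into {filename: hex digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.strip()] = digest.lower()
    return expected


def stage_artifacts(expected, fetch, dest_dir):
    """Download each artifact named in the manifest and verify it before keeping it.

    fetch(name) returns the bytes of one artifact. On a digest mismatch the
    file is deleted and the whole stage aborts, so a later step such as
    plugin_activate.py never installs a corrupted or substituted OVA.
    """
    kept = []
    for name, digest in expected.items():
        path = os.path.join(dest_dir, name)
        with open(path, "wb") as fh:
            fh.write(fetch(name))
        actual = sha256_of(path)
        if actual != digest:
            os.remove(path)
            raise ValueError(f"{name}: sha256 {actual} does not match manifest {digest}")
        kept.append(path)
    return kept


# Constructed contents of the script server for the demo below.
SERVER_FILES = {
    "puppet_plugin.ova": b"constructed OVA payload\n",
    "plugin_activate.py": b"# constructed activation script\n",
    "running-config": b"hostname tor-1\nfeature nxapi\n",
}
# Manifest as `sha256sum` would produce it on the known-good files.
MANIFEST_TEXT = "\n".join(
    f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in SERVER_FILES.items())


def stage_demo(tamper=None):
    """Run the staging flow; if `tamper` names a file, serve a modified copy of it."""
    server = dict(SERVER_FILES)
    if tamper is not None:
        server[tamper] = server[tamper] + b"extra byte"
    with tempfile.TemporaryDirectory() as workdir:
        paths = stage_artifacts(parse_manifest(MANIFEST_TEXT), server.__getitem__, workdir)
        return sorted(os.path.basename(p) for p in paths)


def rejects_tampered(name):
    """True when serving a modified `name` makes the stage abort."""
    try:
        stage_demo(tamper=name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("staged:", stage_demo())
    print("tampered OVA rejected:", rejects_tampered("puppet_plugin.ova"))
```

The check is only as good as the manifest's source: digests embedded in the POAP script, or fetched over a channel the switch can verify, catch substitution as well as corruption, while a manifest pulled unauthenticated from the same server as the artifacts only catches corruption.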
Device Plug-ins
Image/Patch (Puppet Master -> Device Plug-in, with a Package Repository):
• Manage images and patches/SMUs
Config. Distribution (Network Admin -> Puppet/Chef Master):
• Security policies, mgmt. servers (syslog, dns, snmp etc.) are common across the network.
• Inject changes at master
New Server/VM Deployment (Server Admin -> Puppet/Chef Master -> New server):
• ToR configuration for every new device onboarded
• Reduce manual process
• Master puts the new server in the right VLAN/segment / ACLs
Cisco Puppet Resource Type Coverage
Feature | Resource Name | Description
Cisco Device Access | cisco_device | Allows credentials for user access control & accounting
Base L2/L3 interface | cisco_interface | General interface & L2/L3 base settings
VLAN | cisco_vlan | Create/destroy of VLANs and general settings
Interface-vlan (SVI) | cisco_interface_vlan | Create/destroy of SVIs and SVI specific interface settings
VLAN Trunking Proto (VTP) | cisco_vtp | VTP global settings
SNMP | cisco_snmp_server, cisco_snmp_community, cisco_snmp_group, cisco_snmp_user | SNMP monitoring settings. Notification receiver settings not covered as of now.
OSPF | cisco_ospf, cisco_ospf_vrf, cisco_interface_ospf | OSPF instance create/destroy, per-VRF settings, and interface settings (area, cost, msg digest, etc)
Cisco Puppet Resource Type Coverage (continued)
Feature | Resource | Description
TACACS/AAA*** | cisco_tacacs_server, cisco_tacacs_server_host, cisco_aaa_tacacs_group, cisco_aaa_authentication, cisco_aaa_authorization, cisco_aaa_accounting | TACACS global settings; TACACS per-host settings; group association and settings; mapping of groups to AAA features (authentication, authorization, accounting)
Raw Config CLI commands | cisco_command_config | Resource to directly apply blocks of configuration CLI commands.
*** full set not available at EFT target date
Demo