Within this repo you'll find a colleection of Cisco NSO resources built by the DevNet Sandbox team as part of their internal network automation and NetDevOps efforts.
For more information on these examples and services, please see the following resources.
- Network Service Based Automation Part 1 – The Experience: Demonstration of the
vlan-fabric
andvlan-tenant
services - Network Service Based Automation Part 2 – Building Services: Technical walkthrough of building the
vlan-fabric
andvlan-tenant
services.
The examples within this repository are built using a network topology that resembles the actual DevNet Sandbox network modeled with netsim. For reference, here is a topology diagram.
In order to run this code, you'll need to have the following installed and functional.
As these examples are for using Cisco NSO for network automation, you'll need it installed. You can find the software available for free non-production use on DevNet at https://developer.cisco.com/nso.
The version of NSO currently used and tested by the Sandbox team is 5.2.0.3 but newer versions should work.
In addition to Cisco NSO, you'll need to have the following NEDs, or "Network Element Drivers" installed.
NEDs are used to connect to and manage different infrastructure components. The list below is what is used within the Sandbox environment, and the services, packages, and automation expect they are available. If you are interested in trying NEDs out for evaluation, you can work with your Cisco Partner or Account Team to gain access ot them for evaluation purposes.
admin@ncs# show packages package * package-version
PACKAGE
NAME VERSION
---------------------------------
cisco-asa-cli-6.7 6.7.5
cisco-ios-cli-6.33 6.33.7
cisco-nx-cli-5.10 5.10.5
cisco-ucs-cli-3.3 3.3.2
resource-manager 3.4.0
vmware-vsphere-gen-3.2 3.2.1
Alternatively the examples and code could be modified to NOT require some of the packaged (example VMware or Cisco UCS), however making those changes would need to be done by someone knowledgeable about NSO development.
If you have all the pre-reqs installed, you can setup a development environment with the included Makefile
.
make dev
This will:
- Create a
netsim
version of the topology - Setup a local nso within the directory linked to the
netsim
network. - Deploy some basic initial configuration needed for the other examples.
With the development environment setup, you can deploy a sample fabric and tenants with
make dev-fabric
This will:
- Deploy 3
vlan-fabrics
- Deploy 8
vlan-tenants
A sample diagram showing these configurations is included: sample-topology-vlan-fabrics.jpg
To "clean-up" the demo, just run make clean
to stop and delete the NSO and netsim
environment.
A "vlan-fabric" is a collection of L2 network devices that will share common VLAN configurations. The vlan-fabric
service for Sandbox describes the devices that make up the fabric, and how they are connected together. Then NSO will ensure that the devices are configured as required. Here is an example of a fabric configuration.
vlan-fabric dmz02
switch-pair dmz-sw02
layer3 true
primary dmz-sw02-1
secondary dmz-sw02-2
!
vpc-peerlink id 1
vpc-peerlink interface 1/1
vpc-peerlink interface 1/2
!
fabric-trunk 2
interface 1/11
!
switch nfv-sw01
fabric-trunk 2
interface 0/1
In a fabric a switch-pair
represents a pair of Cisco NX-OS devices that will be configured in a VPC relationship. You simply need to specify which device is primary and secondary, and the ports that make up the peerlink.
A switch-pair
can be configured with layer3 true
(the default is layer3 false
). This indicates that within this fabric, this pair of devices would be configured with SVIs for networks, including HSRP and OSPF for routing.
A switch
would be an independent switch, or either IOS or NX-OS model.
For both switch-pairs
and switches
, the fabric-trunks
identify interswitch links that connect to other devices in the fabric. The service will setup LACP port-channels made up of the identified interfaces, and configure them to be dot1q trunks.
A vlan-fabric
can also include Cisco UCS and VMware networks. You'd add them to a fabric like this.
vlan-fabric dmz02
fabric-interconnect ucsfi01
vnic-template-trunks org sandbox vnic-template esxi-vnic
vmware-dvs vcenter myvcenter datacenter sandbox dvs mydvs
In this case, the service will configure VLANs within UCS and then add them to the specified vnic-templates
. It will also create new VMware port-groups on the dvs
specified.
For a more complete example of vlan-fabric
configurations, you can look at sample-vlan-fabrics.cfg or sample-vlan-fabrics.xml
A vlan-fabric
is simply a defintion of the network devices that make up a part of the network, but to create vlans and networks on the fabric a vlan-tenant
is used.
The vlan-tenant
describes a set of networks
(or VLANs) that make up a single layer-3 environment. Here is an exmaple of a vlan-tenant
configuration.
vlan-tenant admin
fabric internal
static-routes 0.0.0.0/0
gateway 10.255.250.4
!
network admin-main
vlanid 11
network 10.255.2.0/23
connections switch admin-vsw
interface 0/3
mode access
!
network admin-small
vlanid 12
network 10.255.1.0/24
Notice how the vlan-tenant
exists on a fabric
- this is the linkage that determines which switches and other devices these networks will be created on.
A VRF will be configured for the vlan-tenant
(if at least one network is configured for layer3-on-fabric true
). You can add static routes to the VRF as part of the tenant configuration.
You can add as many network
objects to the tenant as you desire. Each network
will need a vlanid
and network
(or prefix) specified. The service will then create this VLAN on all devices in the fabric.
If there are any physical network connections into a network needed, you can specify them with connections
.
For a more complete example of vlan-tenant
configurations, you can look at sample-vlan-tenants.cfg or sample-vlan-tenants.xml
In DevNet Sandbox we strive to use a Source of Truth driven infrastructure. Our Source of Truth is netbox, and it is where our network configuration and validation data comes from. In the netbox-scripts
folder you'll find a sample of scripts that we use as part of our production automation jobs and routines. As every organizations network will be unique, we provide these scripts not with the idea they can be used as-is, but rather as examples of how such integration might be done.
Some examples and details...
One of the most valuable bits of network automation we use is the one that ensures Layer 2 and Layer 3 environments are configured correctly across our infrastructure. We use the NSO Services vlan-fabric
and vlan-tenant
to do the configuration, but the data for the hundreds of tenants is driven by the data we input into Netbox. The script nso_tenant_config.py
was developed to read in the data from Netbox and create the NSO configurations to match. Some details on how this configration is driven...
- Netbox Tenants relate to
vlan-tenants
in NSO - Netbox VLAN-Groups relate to
vlan-fabrics
in NSO - VLANs that belong to a tenant are used to populate the
networks
under a Tenant - Prefixes assigned to VLAN are used to derive the Layer 3 details for a
network
- Physical network device interfaces on switches that are Tagged or Untagged in Netbox drive the
connections
for avlan-tenant
network
- Link Aggregation Groups (LAGs) in Netbox drive Port-channel configurations for
connections
This is a collection of helper scripts and code that prepare the Python environment for a script with the names and functions needed to make other scripts easier to write.