Ansible x napalm x nso 解説・比較パネルディスカッション nso

岩本彰シスコシステムズ合同会社2017/10/10

NSO (Network Services Orchestrator)

Ansible x NAPALM x NSO解説・比較パネルディスカッション

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• 岩本彰

• シスコシステムズ TAC

• CRS / ASR9000 / NCS6000 など、サービスプロバイダ様向け機器のサポート

• NSOを使用したオーケストレーションソリューションのサポート

自己紹介

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Agenda• NSO アーキテクチャ

• NSO のコンセプト

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• Cisco Live 2017 (Las Vegas) - BRKNMS-1100

• Service Orchestration with Cisco Network Services Orchestrator

• https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=95645

• Ansible fest San Francisco 2017

• ALL THE NETWORKS WITH CISCO NSO AND ANSIBLE

• https://www.ansible.com/networks-with-cisco-nso-ansible

資料について

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Quick History

• Sweden based company

• Founded in 2005

• Acquired by Cisco in 2014

• Developed Conf-D and NCS

• NCS evolved into NSO!

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

NSO アーキテクチャ

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Architecture Overview

7

Service Manager

Multi-Vendor Network

Network Engineer

EMS/NMS

NETCONF REST CLIWeb UI

(JSON-RPC) SNMP JAVA/Javascript

OSS/BSS

NSO

AAA Core Engine

NETCONF SNMP REST CLI WS

Network Element Drivers (NED)

MappingLogic

Templates

Fast Map

Device ManagerNotification ReceiverAlarm Manager

ServiceModels

PackageManager

Script

API

DeviceModels

Developer

API

CDB

RESTCONF

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

8BRKNMS-1100

Configuration Database (CDB)

• 追記型XMLデータベース

• コンフィグのモデルを保存

• 機器上のConfig (show running-configの出力等) は保存されない

• NSOに特化した専用のDB

• アクセスの為の柔軟なAPI

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

9BRKNMS-1100

Device Manager

• Device Configuration database

• トランザクション、ロールバック

• 双方向のConfig同期

• コンフィグの検証

Service ManagerNSO

AAA Core Engine

Mapping Logic Templates

Fast Map

Device ManagerNotification ReceiverAlarm Manager

ServiceModels

PackageManager

DeviceModels

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

10BRKNMS-1100

Service Manager

• サービスモデル

• デバイスモデルへのマッピング

• サービスのアクティベーション

• サービスの変更

• サービスの廃止

Service ManagerNSO

AAA Core Engine

Mapping Logic Templates

Fast Map

Device ManagerNotification ReceiverAlarm Manager

ServiceModels

PackageManager

DeviceModels

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

11

全てがモデルベース

• ネットワーク機器の設定

• ルータ、スイッチ、ロードバランサ等

• サービス設定

• VPN, ルーティング等

• システム設定

• ユーザ、グループ、パーミッション等

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

全てがモデルベース

Router# show running-config

…

…

interface Ethernet1/1

ip address 192.168.1.1/24

interface Ethernet2/1

ip address 192.168.2.1/24

C interface

L Ethernet K name C ip

L address

Yang (RFC 6020) で定義

container interface {

list Ethernet {

key name;

leaf name {

type string;

pattern '[0-9]+.*';

};

container ip

leaf address {

type ipv4-address;

}

};

}

}

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

全てがモデルベースRouter# show running-config

…

…

interface Ethernet1/1

ip address 192.168.1.1/24

interface Ethernet2/1

ip address 192.168.2.1/24

<interface xmlns="urn:ios">

<Ethernet>

<name>1/1</name>

<ip>

<address>

<primary>

<address>192.168.1.1</address>

<mask>255.255.255.0</mask>

</primary>

</address>

</ip>

</Ethernet>

<Ethernet>

<name>2/1</name>

<ip>

<address>

<primary>

<address>192.168.2.1</address>

<mask>255.255.255.0</mask>

</primary>

</address>

</ip>

</Ethernet>

</interface>

"Ethernet": [ {

"name": "1/1",

"ip": {

"address": {

"primary": {

"address": "192.168.1.1",

"mask": "255.255.255.0"

}

}

}

},

{

"name": "1/2",

"ip": {

"address": {

"primary": {

"address": "192.168.2.1",

"mask": "255.255.255.0"

}

}

}

} ],

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

The Industry’s Broadest Multivendor SupportOver 100 Supported NEDs—Customization Available

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• Tail-f ベースの Network Service Orchestrator

• https://www.cisco.com/c/ja_jp/products/collateral/cloud-systems-management/network-services-orchestrator/datasheet-c78-734576.html

• Tail-f ベースの Cisco NSO のネットワークエレメント

• https://www.cisco.com/c/ja_jp/products/collateral/cloud-systems-management/network-services-orchestrator/datasheet-c78-734669.html

Network Services Orchestrator

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• CLI

• IOS, IOS-XE, IOS-XR, NX-OS, Ciena, FortiOS, A10-ACOS, etc...

• Netconf

• Yangでデバイスモデルが提供されている機器

• Generic

• APIC for ACI (REST), F5-BIGIP (特殊 CLI)

• SNMP

• MIB が提供されている機器 (MIB ファイルをコンパイルしてモデルを作成)

NEDの種類

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

NSOのコンセプト

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• Network Programmability

• ネットワーク(複数のデバイス) をソフトウェアからコントロール

• Service Abstraction

• サービスを抽象化してDeploy

• Configuration Consistency

• コンフィグの一貫性

• トランザクションとして各Configを実行

• 指示通りの完全なConfig、又はロールバック

NSOのコンセプト

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Network Programmability

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

20BRKNMS-1100

ネットワーク機器ConfigをCDB へ同期 (sync-from)

show running-config

interface Ethernet1/1

switchport

no shutdown

!

…

…

C interface

L Ethernet K name C ip

L address

1

2 NED

Device Manager

3

4

5

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

21BRKNMS-1100

CDBの該当機器情報をネットワーク機器へ同期 (sync-to)

interface Ethernet1/1

switchport

no shutdown

!

…

…

C interface

L Ethernet K name C ip

L address

1 2

NED

Device Manager

3

4

5

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• XML データベースの操作

• 機器へ送られるConfig文字列は、XMLエレメントに設定されたデータから計算された結果

• /interfaces/Ethernet[name=‘1/1’]/ip/address に 192.168.0.1 をセット

• => NED がそれを受けて、機器に合わせた文字列Configを作成

• Interfaces Ethernet 1/1ip address 192.168.0.1

NSO の Network Programmability

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Northbound インターフェース / NSO へのアクセス

23

Service Manager

Multi-Vendor Network

Network Engineer

EMS/NMS

NETCONF REST CLIWeb UI

(JSON-RPC) SNMP JAVA/Javascript

OSS/BSS

NSO

AAA Core Engine

NETCONF SNMP REST CLI WS

Network Element Drivers (NED)

MappingLogic

Templates

Fast Map

Device ManagerNotification ReceiverAlarm Manager

PackageManager

Script

API

Developer

API

CDB

RESTCONF

NETCONF – RFC 2141

RESTCONF – RFC 8040

REST -独自実装CLI -独自実装JSON-RPC – JSON-RPC 2.0

SNMP – v1, v2c, v3

APIs: Java, Python, Erlang, C

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

CDB の操作 (CLI)

• admin@ncs(config)# devices device csr1kv config ios:interface Loopback 200

• admin@ncs(config-if)# ip address 192.168.0.1 255.255.255.0

• admin@ncs(config-if)# commit

• Commit complete.

• admin@ncs(config-if)#

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

CDB の操作 (netconf)<edit-config xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">

<target><running/></target>

<config xmlns="http://tail-f.com/ns/config/1.0">

<devices xmlns="http://tail-f.com/ns/ncs">

<device>

<name>csr1kv</name>

<config>

<interface xmlns="urn:ios">

<Loopback>

<name>201</name>

<ip>

<address>

<primary>

<address>192.168.1.1</address>

<mask>255.255.255.0</mask>

</primary>

</address>

</ip>

</Loopback>

</interface>

</config>

</device>

</devices>

</config>

</edit-config>

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

CDB の操作 (REST) - XML

• $ curl -i -X POST -H "Content-type: application/vnd.yang.data+xml" \

-u admin:admin -d @test.xml

http://localhost:8080/api/running/devices/device/csr1kv/config/interface

$ cat test.xml

<Loopback>

<name>202</name>

<ip>

<address>

<primary>

<address>192.168.2.1</address>

<mask>255.255.255.0</mask>

</primary>

</address>

</ip>

</Loopback>

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

CDB の操作 (REST) - JSON• $ curl -i -X POST -H "Content-type: application/vnd.yang.data+json" \

-u admin:admin -d @test.json

http://localhost:8080/api/running/devices/device/csr1kv/config/interface

$ cat test.json

{"Loopback": [

{

"name": "203",

"ip": {

"address": {

"primary": {

"address": "192.168.3.1",

"mask": "255.255.255.0"

}

}

}

}

]}

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

CDB の操作 (Python Maagic)1 import ncs

2

3 with ncs.maapi.Maapi() as m:

4 with ncs.maapi.Session(m, 'admin', 'context'):

5 with m.start_write_trans() as t:

6 root = ncs.maagic.get_root(t)

7 csr1kv = root.devices.device['csr1kv']

8 csr1kv_interface = csr1kv['config']['interface']['Loopback']

9

10 new_Interface = csr1kv_interface.create('204')

11 new_Interface['ip']['address']['primary']['address'] = '192.168.4.1'

12 new_Interface['ip']['address']['primary']['mask'] = '255.255.255.0'

13 t.apply()

14

15 for intf in csr1kv_interface:

16 print("Loopback {} {}/{}".format(

17 intf['name'],

18 intf['ip']['address']['primary']['address'],

19 intf['ip']['address']['primary']['mask'],

20 ))

$ python addInterface.py

Loopback 200 192.168.0.1/255.255.255.0

Loopback 201 192.168.1.1/255.255.255.0

Loopback 202 192.168.2.1/255.255.255.0

Loopback 203 192.168.3.1/255.255.255.0

Loopback 204 192.168.4.1/255.255.255.0

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Netsim

• ConfD をベースに作られた、モックデバイス

• デバイスモデルを使用して、シミューレータとして動作

• アプリケーション開発のために使用可能

• 実機準備無しで開発可能な場合も多い

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

サービスの抽象化

Service Abstraction

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Service Abstraction

• デバイス毎の違い（ベンダやOS）を吸収

• サービス設定に必要なデバイス設定は、マッピングロジックに準備する

• デバイス設定はユーザには見せない

• ユーザは、デバイスの設定をしたいのではない。サービスの設定をしたい。

31BRKNMS-1100

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

32BRKNMS-1100

サービスの抽象化例 - cisco

firewall

rule

source-ip/prefix

protocol

port (optional)

ServiceModel

access-list

permit

protocol

src-address

src-wildcard-mask

ip

port

Device Model

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

33BRKNMS-1100

サービスの抽象化例 - Juniper

firewall

rule

source-ip/prefix

protocol

port (optional)

ServiceModel

term

from

source-address/mask

protocol

source port

filter

then

Device Model

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

サービスの抽象化例

services service firewall rule1

device cisco-router1

protocol tcp

source ip 10.0.0.0 prefix 24

destination ip any

services service firewall rule2

device juniper-router1

protocol tcp

source ip 10.0.0.0 prefix 24

destination ip any

パラメータを受けて、実機のConfigをモデルに合わせ作成変換ロジック(FASTMAP)は、ユーザパッケージとして実装

access-list 100 permit ip 10.0.0.0 0.0.0.255 any

firewall {

filter filter2 {

term rule2 {

from {

source-address {

10.0.0.0/24;

}

protocol tcp;

...

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

サービスの抽象化例

#no services service firewall rule1 #no services service firewall rule2

ロールバック用Command作成変換ロジックで作成されたConfigを逆適用

no access-list 100 permit ip 10.0.0.0 0.0.0.255 any delete firewall filter filter2 term rule2;

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

サービスの抽象化例 - VPN

P

P

P

P

PE

PE

PE

PE

A

A

B

B

CC

A

B

vpn tenant A

pe tokyo

pe osaka

pe kobe

osakatokyo

nagoyakobe

サービスの config

• オペレータ(OSS)は拠点情報のみ設定

• 必要なPEを特定• データベースとの連携• IP アドレス、RT 等はプールからアサイン

• PEへ設定追加

vpn tenant C

pe nagoya

pe kobe

vpn tenant B

pe tokyo

pe osaka

pe nagoya

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

サービスの抽象化例 – VNF チェーン

• NSOへサービス注文入力• 必要なVNF を Openstack 上に作成• ネットワークポート作成• 各VNFを設定

Router

Firewal

l

Load

Balancer

Router拠点 拠点

NSO

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Configの一貫性

Configuration Consistency

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Configuration Consistency

• トランザクションの中で設定変更を行う

• Atomicな動作

• 変更内容は全て実施

• 途中一つでも失敗した場合はキャンセル(Rollback)

39BRKN

MS-

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Config data と Operational data

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• Configデータでは無いもの

• Stats (インターフェースのパケットカウンタ等)

• 機器上でのコマンド動作結果 (ping, traceroute, etc)

Operational データ

interfaces Ethernet 10

description test1

address 192.168.0.1 255.255.255.0

stats input rate bps

stats input rate pps

stats input count packets

stats input count bytes

stats input count errors

stats input count crc

...

Operational Data (Read-only)

再起動後には消える。show running-configには表示されない。

Config Data (Read-Write)

モデル例:

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• Cisco DevNet

• https://developer.cisco.com/site/nso/

• NSO Developer Hub

• https://communities.cisco.com/community/developer/nso-developer-hub

• RFC 6020 – YANG

• RFC 6241 – Netconf

Reference