Ansible x NAPALM x NSO explanation and comparison panel discussion: NSO
TRANSCRIPT
岩本彰, Cisco Systems G.K., 2017/10/10
NSO (Network Services Orchestrator)
Ansible x NAPALM x NSO explanation and comparison panel discussion
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Self-introduction
• 岩本彰
• Cisco Systems TAC
• Support for service provider equipment such as CRS / ASR9000 / NCS6000
• Support for orchestration solutions built on NSO
Agenda
• NSO architecture
• NSO concepts
About this material
• Cisco Live 2017 (Las Vegas) - BRKNMS-1100
  • Service Orchestration with Cisco Network Services Orchestrator
  • https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=95645
• AnsibleFest San Francisco 2017
  • ALL THE NETWORKS WITH CISCO NSO AND ANSIBLE
  • https://www.ansible.com/networks-with-cisco-nso-ansible
Quick History
• Sweden based company (Tail-f)
• Founded in 2005
• Acquired by Cisco in 2014
• Developed ConfD and NCS
• NCS evolved into NSO!
NSO Architecture
Architecture Overview (diagram from BRKNMS-1100)
• Northbound users and systems: Network Engineer, EMS/NMS, OSS/BSS
• Northbound interfaces: NETCONF, RESTCONF, REST, CLI, Web UI (JSON-RPC), SNMP, Java/JavaScript
• NSO core: AAA, Core Engine, Service Manager (Mapping Logic, Templates, Fast Map, Service Models), Device Manager (Device Models), Notification Receiver, Alarm Manager, Package Manager, Script API, Developer API, CDB
• Southbound: Network Element Drivers (NED) using NETCONF, SNMP, REST, CLI or WS towards the multi-vendor network
Configuration Database (CDB)
• Append-only XML database
• Stores the configuration model
• The device's own config (e.g. the output of show running-config) is not stored as such
• Purpose-built DB specific to NSO
• Flexible APIs for access
Device Manager (diagram: architecture overview with Device Manager highlighted)
• Device configuration database
• Transactions and rollback
• Bidirectional config synchronization
• Config validation
Service Manager (diagram: architecture overview with Service Manager highlighted)
• Service models
• Mapping to device models
• Service activation
• Service modification
• Service decommissioning
Everything is model-based
• Network device configuration
  • Routers, switches, load balancers, etc.
• Service configuration
  • VPN, routing, etc.
• System configuration
  • Users, groups, permissions, etc.
Everything is model-based
Router# show running-config
…
…
interface Ethernet1/1
 ip address 192.168.1.1/24
interface Ethernet2/1
 ip address 192.168.2.1/24
(tree diagram: container interface → list Ethernet [key: name] → container ip → leaf address)
Defined in YANG (RFC 6020):
container interface {
  list Ethernet {
    key name;
    leaf name {
      type string {
        pattern '[0-9]+.*';
      }
    }
    container ip {
      leaf address {
        // ipv4-address is imported from ietf-inet-types with prefix inet
        type inet:ipv4-address;
      }
    }
  }
}
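As an added example (not code from the slides or from NSO), a small validator that enforces the constraints of the YANG model above on instance data before it would be committed: key uniqueness for the Ethernet list, the name pattern, and the ipv4-address type. The dict shape and the sample entries are constructed for the demonstration.

```python
import ipaddress
import re

# Constraints copied from the YANG model above: list key 'name' must be unique,
# leaf name must match pattern '[0-9]+.*', leaf address must be an ipv4-address
# (the optional zone index of ietf-inet-types is ignored here).
NAME_PATTERN = re.compile(r"[0-9]+.*")


def validate_interface(data):
    """Validate instance data shaped like the JSON form of the model.

    data = {"Ethernet": [{"name": "1/1", "ip": {"address": "192.168.1.1"}}, ...]}
    Returns a list of violations; an empty list means the data may be committed.
    """
    errors = []
    seen_keys = set()
    for idx, entry in enumerate(data.get("Ethernet", [])):
        name = entry.get("name")
        if name is None:
            errors.append("Ethernet[%d]: missing list key 'name'" % idx)
            continue
        # YANG patterns are implicitly anchored, so the whole value must match.
        if not NAME_PATTERN.fullmatch(name):
            errors.append("Ethernet[%s]: name does not match pattern '[0-9]+.*'" % name)
        if name in seen_keys:
            errors.append("Ethernet[%s]: duplicate list key" % name)
        seen_keys.add(name)
        addr = entry.get("ip", {}).get("address")
        if addr is not None:
            try:
                ipaddress.IPv4Address(addr)
            except ValueError:
                errors.append("Ethernet[%s]: %r is not an ipv4-address" % (name, addr))
    return errors


# Constructed samples: the first mirrors the running-config above, the second
# breaks the pattern, duplicates a key and carries a prefix length in the address.
VALID_SAMPLE = {"Ethernet": [
    {"name": "1/1", "ip": {"address": "192.168.1.1"}},
    {"name": "2/1", "ip": {"address": "192.168.2.1"}},
]}
INVALID_SAMPLE = {"Ethernet": [
    {"name": "eth0", "ip": {"address": "192.168.1.1"}},
    {"name": "1/1", "ip": {"address": "192.168.1.1"}},
    {"name": "1/1", "ip": {"address": "192.168.2.1/24"}},
]}
```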
Everything is model-based
Router# show running-config
…
…
interface Ethernet1/1
 ip address 192.168.1.1/24
interface Ethernet2/1
 ip address 192.168.2.1/24
The same data as XML:
<interface xmlns="urn:ios">
  <Ethernet>
    <name>1/1</name>
    <ip>
      <address>
        <primary>
          <address>192.168.1.1</address>
          <mask>255.255.255.0</mask>
        </primary>
      </address>
    </ip>
  </Ethernet>
  <Ethernet>
    <name>2/1</name>
    <ip>
      <address>
        <primary>
          <address>192.168.2.1</address>
          <mask>255.255.255.0</mask>
        </primary>
      </address>
    </ip>
  </Ethernet>
</interface>
The same data as JSON:
{"Ethernet": [
  {
    "name": "1/1",
    "ip": {
      "address": {
        "primary": {
          "address": "192.168.1.1",
          "mask": "255.255.255.0"
        }
      }
    }
  },
  {
    "name": "2/1",
    "ip": {
      "address": {
        "primary": {
          "address": "192.168.2.1",
          "mask": "255.255.255.0"
        }
      }
    }
  }
]}
The Industry's Broadest Multivendor Support
Over 100 supported NEDs; customization available
Network Services Orchestrator (data sheets)
• Tail-f based Network Service Orchestrator
  • https://www.cisco.com/c/ja_jp/products/collateral/cloud-systems-management/network-services-orchestrator/datasheet-c78-734576.html
• Network elements for the Tail-f based Cisco NSO
  • https://www.cisco.com/c/ja_jp/products/collateral/cloud-systems-management/network-services-orchestrator/datasheet-c78-734669.html
Types of NED
• CLI
  • IOS, IOS-XE, IOS-XR, NX-OS, Ciena, FortiOS, A10-ACOS, etc.
• NETCONF
  • Devices that provide a YANG device model
• Generic
  • APIC for ACI (REST), F5-BIGIP (non-standard CLI)
• SNMP
  • Devices that provide MIBs (the model is created by compiling the MIB files)
NSO Concepts
NSO concepts
• Network Programmability
  • Control the network (multiple devices) from software
• Service Abstraction
  • Abstract services and deploy them
• Configuration Consistency
  • Consistency of configuration
  • Each configuration change is executed as a transaction
  • Either the complete configuration exactly as instructed, or a rollback
Network Programmability
Syncing a network device's configuration into the CDB (sync-from) (diagram from BRKNMS-1100)
show running-config
interface Ethernet1/1
 switchport
 no shutdown
!
…
…
(the device config is read through the NED and the Device Manager, parsed against the device model: container interface → list Ethernet [key: name] → container ip → leaf address, and stored in the CDB)
Syncing the CDB's data for a device to the network device (sync-to)
(the same path in reverse: the CDB data for the device passes through the Device Manager and the NED, which renders it as device config)
NSO's Network Programmability
• Operations on an XML database
• The config string sent to the device is the result computed from the data set in the XML elements
  • Set 192.168.0.1 at /interfaces/Ethernet[name='1/1']/ip/address
  • => The NED receives this and produces the string config suited to the device:
    interfaces Ethernet 1/1
     ip address 192.168.0.1
Northbound interfaces / accessing NSO (diagram: the architecture overview above, northbound side)
• NETCONF - RFC 6241
• RESTCONF - RFC 8040
• REST - proprietary implementation
• CLI - proprietary implementation
• JSON-RPC - JSON-RPC 2.0
• SNMP - v1, v2c, v3
• APIs: Java, Python, Erlang, C
Operating on the CDB (CLI)
admin@ncs(config)# devices device csr1kv config ios:interface Loopback 200
admin@ncs(config-if)# ip address 192.168.0.1 255.255.255.0
admin@ncs(config-if)# commit
Commit complete.
admin@ncs(config-if)#
Operating on the CDB (NETCONF)
<edit-config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <target><running/></target>
  <config xmlns="http://tail-f.com/ns/config/1.0">
    <devices xmlns="http://tail-f.com/ns/ncs">
      <device>
        <name>csr1kv</name>
        <config>
          <interface xmlns="urn:ios">
            <Loopback>
              <name>201</name>
              <ip>
                <address>
                  <primary>
                    <address>192.168.1.1</address>
                    <mask>255.255.255.0</mask>
                  </primary>
                </address>
              </ip>
            </Loopback>
          </interface>
        </config>
      </device>
    </devices>
  </config>
</edit-config>
Operating on the CDB (REST) - XML
$ curl -i -X POST -H "Content-type: application/vnd.yang.data+xml" \
    -u admin:admin -d @test.xml \
    http://localhost:8080/api/running/devices/device/csr1kv/config/interface
$ cat test.xml
<Loopback>
  <name>202</name>
  <ip>
    <address>
      <primary>
        <address>192.168.2.1</address>
        <mask>255.255.255.0</mask>
      </primary>
    </address>
  </ip>
</Loopback>
Operating on the CDB (REST) - JSON
$ curl -i -X POST -H "Content-type: application/vnd.yang.data+json" \
    -u admin:admin -d @test.json \
    http://localhost:8080/api/running/devices/device/csr1kv/config/interface
$ cat test.json
{"Loopback": [
  {
    "name": "203",
    "ip": {
      "address": {
        "primary": {
          "address": "192.168.3.1",
          "mask": "255.255.255.0"
        }
      }
    }
  }
]}
Operating on the CDB (Python Maagic)
import ncs

with ncs.maapi.Maapi() as m:
    # Open a user session as 'admin' (context 'context') and a write transaction on running.
    with ncs.maapi.Session(m, 'admin', 'context'):
        with m.start_write_trans() as t:
            root = ncs.maagic.get_root(t)
            csr1kv = root.devices.device['csr1kv']
            csr1kv_interface = csr1kv.config.interface.Loopback

            # Create Loopback 204, set its primary address and commit the transaction.
            new_interface = csr1kv_interface.create('204')
            new_interface.ip.address.primary.address = '192.168.4.1'
            new_interface.ip.address.primary.mask = '255.255.255.0'
            t.apply()

            # List every Loopback on the device, including the one just committed.
            for intf in csr1kv_interface:
                print("Loopback {} {}/{}".format(
                    intf.name,
                    intf.ip.address.primary.address,
                    intf.ip.address.primary.mask,
                ))

$ python addInterface.py
Loopback 200 192.168.0.1/255.255.255.0
Loopback 201 192.168.1.1/255.255.255.0
Loopback 202 192.168.2.1/255.255.255.0
Loopback 203 192.168.3.1/255.255.255.0
Loopback 204 192.168.4.1/255.255.255.0
Netsim
• A mock device built on ConfD
• Runs as a simulator using the device model
• Can be used for application development
• Development is often possible without preparing real hardware
Service Abstraction
Service Abstraction
• Absorbs the differences between devices (vendor and OS)
• The device configuration needed for a service is prepared in the mapping logic
• Device configuration is not shown to the user
• The user does not want to configure devices; the user wants to configure services.
Service abstraction example - Cisco
Service model:
  firewall
    rule
      source-ip/prefix
      protocol
      port (optional)
Device model:
  access-list
    permit
      protocol
      src-address
      src-wildcard-mask
      ip
      port
33BRKNMS-1100
サービスの抽象化例 - Juniper
firewall
rule
source-ip/prefix
protocol
port (optional)
ServiceModel
term
from
source-address/mask
protocol
source port
filter
then
Device Model
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Service abstraction example
services service firewall rule1
 device cisco-router1
 protocol tcp
 source ip 10.0.0.0 prefix 24
 destination ip any
services service firewall rule2
 device juniper-router1
 protocol tcp
 source ip 10.0.0.0 prefix 24
 destination ip any
The transformation logic (FASTMAP), which takes the parameters and creates the real device config according to the model, is implemented as a user package.
Generated config for cisco-router1:
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
Generated config for juniper-router1:
firewall {
    filter filter2 {
        term rule2 {
            from {
                source-address {
                    10.0.0.0/24;
                }
                protocol tcp;
...
Service abstraction example
# no services service firewall rule1
# no services service firewall rule2
The rollback commands are created by applying the config produced by the transformation logic in reverse:
no access-list 100 permit ip 10.0.0.0 0.0.0.255 any
delete firewall filter filter2 term rule2;
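As an added example (not code from the slides, from NSO or from any NED), a FASTMAP-style mapping in plain Python: the service instance carries only the parameters shown above, render() turns it into vendor-specific config the way the NED renders model data under Network Programmability, and rollback() derives the reverse commands from the same output. The "os" field, the access-list number 100 and the filter name filter2 are assumptions taken from the slide's sample output; the Junos side is rendered in set-command form rather than the braces shown above.

```python
import ipaddress


def render(service):
    """Map one firewall-rule service instance to device config lines.

    service = {"name", "device", "os" ("ios" | "junos"), "protocol",
               "source_ip", "source_prefix"}; "os" is an assumption, in NSO the
    device type is known from the NED bound to the device.
    """
    # strict=True rejects a source_ip with host bits set, so bad operator input
    # is caught here rather than on the device.
    net = ipaddress.IPv4Network("%s/%d" % (service["source_ip"], service["source_prefix"]), strict=True)
    if service["os"] == "ios":
        # IOS access-lists take a wildcard (inverted) mask instead of a prefix length.
        return ["access-list 100 permit %s %s %s any"
                % (service["protocol"], net.network_address, net.hostmask)]
    if service["os"] == "junos":
        term = "set firewall filter filter2 term %s from " % service["name"]
        return [term + "source-address %s" % net.with_prefixlen,
                term + "protocol %s" % service["protocol"]]
    raise ValueError("no mapping for device os %r" % service["os"])


def rollback(service):
    """Commands that remove the rendered config again ('no' / 'delete' form)."""
    if service["os"] == "ios":
        return ["no " + line for line in render(service)]
    render(service)  # still validate the input before emitting a delete
    # Deleting the term removes every 'from' statement under it at once.
    return ["delete firewall filter filter2 term %s" % service["name"]]


# Constructed sample inputs mirroring the two service instances on the slide.
RULE1 = {"name": "rule1", "device": "cisco-router1", "os": "ios",
         "protocol": "tcp", "source_ip": "10.0.0.0", "source_prefix": 24}
RULE2 = {"name": "rule2", "device": "juniper-router1", "os": "junos",
         "protocol": "tcp", "source_ip": "10.0.0.0", "source_prefix": 24}
```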
サービスの抽象化例 - VPN
P
P
P
P
PE
PE
PE
PE
A
A
B
B
CC
A
B
vpn tenant A
pe tokyo
pe osaka
pe kobe
osakatokyo
nagoyakobe
サービスの config
• オペレータ(OSS)は拠点情報のみ設定
• 必要なPEを特定• データベースとの連携• IP アドレス、RT 等はプールからアサイン
• PEへ設定追加
vpn tenant C
pe nagoya
pe kobe
vpn tenant B
pe tokyo
pe osaka
pe nagoya
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Service abstraction example - VNF chain
• Enter the service order into NSO
• Create the required VNFs on OpenStack
• Create the network ports
• Configure each VNF
(diagram: site - Router - Firewall - Load Balancer - Router - site, orchestrated by NSO)
Configuration Consistency
Configuration Consistency
• Configuration changes are made within a transaction
• Atomic behaviour
  • All changes are applied
  • If even one of them fails part-way, the whole change is cancelled (rollback)
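As an added example (not code from the slides or from NSO), a toy prepare/commit/abort transaction over mock devices that shows the atomic behaviour described above: each device validates its part into a candidate, and running config only changes once every device has accepted. The device names and the rejected line are constructed; failures during the commit phase itself, which NSO handles with reverse diffs, are left out.

```python
class MockDevice:
    """Holds a running config and a candidate that is promoted only on commit."""

    def __init__(self, name, reject=()):
        self.name = name
        self.reject = set(reject)   # lines this device refuses (simulated failure)
        self.running = []
        self.candidate = None

    def prepare(self, lines):
        # Validate the change into a candidate; running is left untouched.
        bad = [line for line in lines if line in self.reject]
        if bad:
            raise RuntimeError("%s rejected %r" % (self.name, bad[0]))
        self.candidate = self.running + list(lines)

    def commit(self):
        self.running, self.candidate = self.candidate, None

    def abort(self):
        self.candidate = None


def commit_transaction(changes):
    """Apply {device: [lines]} atomically: every device changes, or none does.

    Returns (True, None), or (False, reason) after aborting each device that
    had already prepared its part of the transaction.
    """
    prepared = []
    try:
        for dev, lines in changes.items():
            dev.prepare(lines)
            prepared.append(dev)
    except RuntimeError as err:
        for dev in prepared:
            dev.abort()
        return False, str(err)
    for dev in prepared:
        dev.commit()
    return True, None


def demo(fail_second=True):
    junos_line = "set firewall filter filter2 term rule2 from protocol tcp"
    r1 = MockDevice("cisco-router1")
    r2 = MockDevice("juniper-router1", reject={junos_line} if fail_second else ())
    changes = {r1: ["access-list 100 permit ip 10.0.0.0 0.0.0.255 any"], r2: [junos_line]}
    ok, reason = commit_transaction(changes)
    return ok, reason, r1.running, r2.running
```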
Config data and operational data
Operational data
• Things that are not config data
  • Stats (e.g. interface packet counters)
  • Results of commands run on the device (ping, traceroute, etc.)
Model example:
interfaces Ethernet 10
  description test1
  address 192.168.0.1 255.255.255.0
  (config data, read-write)
  stats input rate bps
  stats input rate pps
  stats input count packets
  stats input count bytes
  stats input count errors
  stats input count crc
  ...
  (operational data, read-only: lost after a reboot and not shown in show running-config)
Reference
• Cisco DevNet
  • https://developer.cisco.com/site/nso/
• NSO Developer Hub
  • https://communities.cisco.com/community/developer/nso-developer-hub
• RFC 6020 – YANG
• RFC 6241 – NETCONF