Open NX-OS

Reserving a Sandbox Lab

The Open NX-OS sandbox is a testing environment that enables developers to experiment from the production environment or repository of CISCO lab. A developer can use this sandbox to program the switch through various configuration management tools and scripts like bash, python, puppet, chef and ansible.

  1. Go to the DevNet Sandbox data center labs
  2. Click on the Open NX-OS box to read more about the lab or click on "Reserve" to reserve the lab.
  3. Upon successful reservation you will receive an email from the DevNet Sandbox team that describes further instructions to access the sandbox.

TACACS

Terminal Access Controller Access Control System (TACACS) is an authentication protocol that allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system. On Nexus 9000 switch TACACS provide a centralized validation of users who are attempting to gain access to a router or network access server. This section describe how you can manage and program TACACS on a CISCO Nexus 9000 switch using different configuration management code snippet.

Configuring a TACACS Server
python
puppet
http
Copyfrom .tacacs import *

tacacsServerIp="10.10.2.1" #TACACS+ server's DNS name or its IP address
port="" #TACACS+ server port
key="" #Global TACACS+ server shared secret
timeout="" #TACACS+ server timeout period in seconds
deleteIp="" #server Ip for removing

# used to remove server configuration
def deleteServer(tacacs,server):


        tacacs.add_server(server,no="True")
        print "Successfuly deleted configuration of server ",server


def enable_feature_tacacs():
        cmd = 'feature tacacs'
        configure_terminal(cmd)

def configure_terminal(cmd):
        """
        Configure terminal based on the commands given
        """

        NXCLI._run_cfg(cmd)


if __name__=="__main__":

        enable_feature_tacacs()
        #show TACACS Server
        showTacacs=ShTacasServer()
        print "Before TACACS+ Configuration"
        if showTacacs.servers():
                print showTacacs.servers()
        else:
                print "no server configured"

        tacacs=Tacacs()

        if deleteIp !="" and tacacs._is_server_configured(deleteIp):
                #delete server Ip
                deleteServer(tacacs,deleteIp)

        if tacacsServerIp:

                #add th TACACS+ server
                tacacs.add_server(tacacsServerIp)
                #tacacs.src_interface("Ethernet1/2")
                #tacacs.commit()
                #tacacs.add_group("ciscogroup1",tacacsServerIp)


        showTacacs=ShTacasServer()
        print "After TACACS+ Configuration:",showTacacs.servers()

Copy# Configure tacacs server
 cisco_tacacs_server {"default":
    ensure              => present,
    timeout             => 10,
    directed_request    => true,
    deadtime            => 20,
    encryption_type     => clear,
    encryption_password => 'test123',
    source_interface    => 'Ethernet1/2',
 }

CopyNX-API REST script not available

Using Python in the Sandbox

Follow following steps to execute the python scripts on Nexus switch.

  1. Login to switch using provided credentials. Example username is 'admin' and password 'cisco123'.
  2. If bash is not enabled, Goto 'config t' and enable it by running 'feature bash-shell'
  3. Run 'run bash' to go to bash shell.
  4. Run sudo su
  5. Copy the required script to /isan/python/scripts/cisco directory. For example, if you want to manage TACACS configuration using python, create test_tacacs.py using vi editor like this: vi test_tacacs.py
  6. Now copy the script to this file. Save and exit.
  7. Execute following command to run the script '/isan/bin/python –m cisco.test_tacacs
  8. The format of the command to be executed is, '/isan/bin/python -m'

Using Puppet in the Sandbox

Following steps would execute the manifest files on nx9000 switch.

  1. SSH to toolserver host using provided credentials. (If credentials are not provided Default username is cisco and password cisco123

  2. Copy the respective manifest script to /etc/puppetlabs/code/environments/production/manifests directory. For example, if you want to configure interface then create manifest file configure_interface.pp using vi editor and paste the respective script in this file.

    Note: All the manifest scripts are available "/etc/puppetlabs/code/environments/production/modules/ciscolib_nxos/manifests" for reference.

  3. Save and exit.

  4. Run sudo su

  5. Start the puppetserver service. Run service puppetserver start or /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/bin/puppet master

  6. Run export PATH=$PATH:/opt/puppetlabs/bin:/opt/puppetlabs/lib on toolserver

  7. Run puppet cert list -a

Note: If agent hostname is not listed in the certificates in step 7 then we need to add the certificate first. Follow the steps mentioned in "Steps to add the certificates" section.
Note: Make sure "/etc/hosts" file has correct IP and hostname mapping for toolserver
Example: toolserver IP: 10.10.10.114
hostname: toolserver-devnet.insieme.local
Then, "/etc/hosts" should contain "10.10.10.114 toolserver-devnet.insieme.local toolserver-devnet"

  1. Login to Switch sandbox.
  2. On the switch console run run bash
  3. Run sudo ip netns exec management bash
  4. Run export PATH=$PATH:/opt/puppetlabs/puppet/bin:/opt/puppetlabs/puppet/lib
  5. export http and https proxy by executing these commands. Run export http_proxy=https://proxy.esl.cisco.com:8080 Run export https_proxy=https://proxy.esl.cisco.com:8080
  6. Install "install cisco_node_utils" package by executing following command, Run gem install cisco_node_utils
  7. Run puppet agent -t. The configuration would be updated automatically on the switch.
  8. Go to switch prompt and run copy r s

Steps to add the certificates:

  1. Login to Switch sandbox.
  2. On the switch console run run bash
  3. Run sudo ip netns exec management bash
  4. Run export PATH=$PATH:/opt/puppetlabs/puppet/bin:/opt/puppetlabs/puppet/lib
  5. Run rm -rf /etc/puppetlabs/puppet/ssl to clean all the old certificates.
  6. Run puppet agent -t on bash shell. This will create a new certificate.
  7. Now login to toolserver.
  8. Run sudo su
  9. Start the puppetserver service. Run service puppetserver start or /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/bin/puppet master
  10. Run export PATH=$PATH:/opt/puppetlabs/bin:/opt/puppetlabs/lib on toolserver
  11. Run puppet cert list -a . It should list the certificate sent by agent #agent hostname should be present.
  12. Run puppet cert sign <certificate name>. For example, puppet cert sign "n9kvswitchfcs.cisco.com" ## agent hostname

AAA

Access control is the way you control who is allowed access to the network server and what services they are allowed to use once they have access. Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you set up access control on your router or access server. Following example shows how to enable authentication login ascii-authentication and error-enable.

Configure aaa authentication to show or display of error message on login failures and ascii authentication:

Configuring ASCII Login and Error Messages on Login Failures
http
python
puppet
CopyPOST https://SWITCH_IP/api/node/mo/sys/userext/authrealm.json HTTP/1.1
Content-Type: application/json

{
      "aaaDefaultAuth": {
        "attributes": {
          "authProtocol": "ascii",
          "errEn": "no"
        }
    }
}

Copy# Sample file to configure AAA authentication login ascii and error-enable

from .nxcli import NXCLI
import traceback

def show_config_info():
        """
        Show the running aaa configuration
        """

        try:
                interface = NXCLI('show run aaa')
                return True
        except:
                return False

def configure_terminal(cmd):
        """
        Configure terminal based on the commands given
        """

        NXCLI._run_cfg(cmd)

def enable_aaa_ascii_error():
        """
        Configure the default aaa authentication login features
        """

        cmd = "aaa authentication login ascii-authentication ; aaa authentication login error-enable"
        configure_terminal(cmd)

if __name__=="__main__":

        try:
                enable_aaa_ascii_error()
                show_config_info()
        except Exception,e:
                traceback.print_exc()

CopyPuppet script not available

Using NX-API REST in the Sandbox

Follow below steps to execute NX-API REST code snippet on nx9000 switch.

On the nx9000 switch perform following operation.

  1. SSH to switch using provided credentials. (If credentials are not provided Default username is 'admin' and password 'cisco123'
  2. Run 'config t' on the switch prompt.
  3. Enable nxapi by running 'feature nxapi'.
  4. Exit to switch prompt by running 'exit'.
  5. Run 'copy r s' to save the configuration.

Setup postman Code snippet: In order to execute NXAPI from postman, login needs to be performed. The cookie would get generated and stored for subsequent execution.

Logging in to Postman
Code Snippet
Copy  POST-URL : https://SWITCH-IP/api/aaaLogin.json     
  Content-Type: application/json     
  Cache-Control: no-cache     
  POST BODY :     
       {    
         "aaaUser" : {    
           "attributes" : {    
             "name" : "SWITCH_USER",    
             "pwd" : "SWITCH_PASSWORD"     
           }     
         }     
       }

Executing NXAPI using postman for first time:

  1. Copy POST URL, mentioned in 'setup postman' section above, after replacing SWITCH-IP with IP address of Nexus switch .
  2. Select method as POST
  3. Open raw JSON section.
  4. Copy POST-BODY JSON to raw JSON body section of postman.
  5. Replace SWITCH_USERNAME with switch user.
  6. Replace SWITCH_PASSWORD with switch password.
  7. Click send button

Note: If the cookie gets expired, you might have to perform the above steps again.

For subsequent NXAPI call:

  1. Copy POST URL, after replacing SWITCH-IP with IP address of Nexus switch.
  2. Select method as POST
  3. Open raw JSON section.
  4. Copy POST-BODY JSON to raw JSON body section of postman.
  5. Click send button

How to connect to sandbox lab:

  1. Go to the sandbox homepage: https://developer.cisco.com/site/devnet/sandbox/
  2. Login. Hit the yellow button "Get Started!" button
  3. In the upper-right corner click on "DEVNET".
  4. Now you are in Cisco's Devnet domain and it would list the labs hosted under the domain.
  5. You can find the 8 tiles for the NX-OS labs. The tiles are named as "Open NX-OS Lab -1(through 8)"
  6. Click on 'Reserve' a lab. Upon successful reservation you would receive a mail from "devnetsandbox@cisco.com" that describes further instructions to access the sandbox.

Using Python in the Sandbox

Follow following steps to execute the python scripts on Nexus switch.

  1. Login to switch using provided credentials. Example username is 'admin' and password 'cisco123'.
  2. If bash is not enabled, Goto 'config t' and enable it by running 'feature bash-shell'
  3. Run 'run bash' to go to bash shell.
  4. Run sudo su
  5. Copy the required script to /isan/python/scripts/cisco directory. For example, if you want to manage AAA configuration using python, create test_aaa.py using vi editor like this: vi test_aaa.py
  6. Now copy the script to this file. Save and exit.
  7. Execute following command to run the script '/isan/bin/python “m cisco.test_aaa
  8. The format of the command to be executed is, '/isan/bin/python -m'

SNMP

The Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a message format for communication between SNMP managers and agents. SNMP provides a standardized framework and a common language used for the monitoring and management of devices in a network. Following example shows snmp community configuration.

Configuring SNMP
python
puppet
http
Copy# Sample file to configure snmp community

from .nxcli import NXCLI
import traceback

def config_snmp_community():
        """
        Configure the snmp community
        """
        try:
            cmd = 'snmp-server community test group network-operator ; snmp-server community test use-acl aclname'
            NXCLI._run_cfg(cmd)
            return True
        except:
            return False


if __name__=="__main__":

        try:
            config_snmp_community()
        except Exception,e:
            traceback.print_exc()

Copy# Configure snmp community

class snmp_community_test {

  cisco_snmp_community { "test":
    ensure => present,
    group  => "network-operator",
    acl    => "aclname",
  }

}

class { 'snmp_community_test': }

CopyNX-API REST script not available

Using Python in the Sandbox

Follow the following steps to execute the python scripts on Nexus switch.

  1. Login to switch using provided credentials. Example username is 'admin' and password 'cisco123'.
  2. If bash is not enabled, Goto 'config t' and enable it by running 'feature bash-shell'
  3. Run 'run bash' to go to bash shell.
  4. Run sudo su
  5. Copy the required script to /isan/python/scripts/cisco directory. For example, if you want to manage snmp configuration using python, create test_snmp.py using vi editor like this: vi test_snmp.py
  6. Now copy the script to this file. Save and exit.
  7. Execute following command to run the script '/isan/bin/python –m cisco.test_aaa
  8. The format of the command to be executed is, '/isan/bin/python -m'

Using Puppet in the Sandbox

Following steps would execute the manifest files on nx9000 switch.

  1. SSH to toolserver host using provided credentials. (If credentials are not provided Default username is cisco and password cisco123
  2. Copy the respective manifest script to /etc/puppetlabs/code/environments/production/manifests directory. For example, if you want to configure interface then create manifest file configure_interface.pp using vi editor and paste the respective script in this file.
  3. Save and exit.
  4. Run sudo su
  5. Start the puppetserver service. Run service puppetserver start or /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/bin/puppet master
  6. Run export PATH=$PATH:/opt/puppetlabs/bin:/opt/puppetlabs/lib on toolserver
  7. Run puppet cert list -a

Note: If agent hostname is not listed in the certificates in step 7 then we need to add the certificate first. Follow the steps mentioned in "Steps to add the certificates" section.
Note: Make sure "/etc/hosts" file has correct IP and hostname mapping for toolserver
Example: toolserver IP: 10.10.10.114
hostname: toolserver-devnet.insieme.local
Then, "/etc/hosts" should contain "10.10.10.114 toolserver-devnet.insieme.local toolserver-devnet"

  1. Login to Switch sandbox.
  2. On the switch console run run bash
  3. Run sudo ip netns exec management bash
  4. Run export PATH=$PATH:/opt/puppetlabs/puppet/bin:/opt/puppetlabs/puppet/lib
  5. export http and https proxy by executing these commands. Run export http_proxy=https://proxy.esl.cisco.com:8080 Run export https_proxy=https://proxy.esl.cisco.com:8080
  6. Install "install cisco_node_utils" package by executing following command, Run gem install cisco_node_utils
  7. Run puppet agent -t. The configuration would be updated automatically on the switch.
  8. Go to switch prompt and run copy r s

Steps to add the certificates :

  1. Login to Switch sandbox.
  2. On the switch console run run bash
  3. Run sudo ip netns exec management bash
  4. Run export PATH=$PATH:/opt/puppetlabs/puppet/bin:/opt/puppetlabs/puppet/lib
  5. Run rm -rf /etc/puppetlabs/puppet/ssl to clean all the old certificates.
  6. Run puppet agent -t on bash shell. This will create a new certificate.
  7. Now login to toolserver.
  8. Run sudo su
  9. Start the puppetserver service. Run service puppetserver start or /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/bin/puppet master
  10. Run export PATH=$PATH:/opt/puppetlabs/bin:/opt/puppetlabs/lib on toolserver
  11. Run puppet cert list -a . It should list the certificate sent by agent #agent hostname should be present.
  12. Run puppet cert sign <certificate name>. For example, puppet cert sign "n9kvswitchfcs.cisco.com"? ## agent hostname
Next