Lab: Docker NSO Part 2 – NCS CLI

NetDevOps, NSO

Note: throughout this post the NSO and NCS abbreviations may be used interchangeably. NSO is the abbreviation for “Cisco Network Services Orchestrator”. However, inside the commands to interact with the platform all begin with NCS. NCS is leftover from the previous product name “Cisco Prime Network Control System (NCS)”

This is a continuation of Lab:Docker NSO Part 1 – Netsim. As with part 1, everything in this post has been tested, however, if you see something that is inaccurate, or needs further description please leave a comment. This will help me and others that may stumble across this post in the future

In this post we will take the netsim devices created in part 1, and interact with them using NSO. We will dive into the NCS CLI to discover devices, read and write configuration.

Adding Devices With The NCS_CLI

To start, from the docker container shell I will connect as the default admin user to NSO using ncs_cli. Before adding the devices, I first need to create an authentication group. This authentication group will contain the credentials used to access the devices. From configuration mode, the authentication group is created using the command devices authgroups group default-map remote-name remote-password remote-secondary-password <enable password>. Once the authentication group is configured to commit the change to the database using the commit command. The top command will bring me back to configuration mode, where I can use a show command to see our new authentication group.

root@e2c1780f3224:~/nso-project# ncs_cli -C -u admin

admin connected from 127.0.0.1 using console on e2c1780f3224
admin@ncs# config 
Entering configuration mode terminal
admin@ncs(config)# devices authgroups group netsim_auth default-map remote-name admin remote-password admin remote-secondary-password admin
admin@ncs(config-group-netsim_auth)# commit
Commit complete.
admin@ncs(config-group-netsim_auth)# top
admin@ncs(config)# 
admin@ncs(config)# show full-configuration devices authgroups group netsim_auth                                                          
devices authgroups group netsim_auth
 default-map remote-name   admin
 default-map remote-password $8$zM78wfSnFyAZ4W+X3nC0VPRvYqYY8Pbt1LhUzVltbvI=
 default-map remote-secondary-password $8$b8ga4WQeAfp4pV6uNPtEOXUNGK7QiMdCyiDbWy9gWF8=
!
admin@ncs(config)#

Adding Device ios0

Now, I am almost ready to add the devices. From configuration mode we create our device using the command: devices device <device name> address <IP address> port <port> authgroup <authentication group> device-type cli ned-id <ned package>. Ahhh so not ready just yet, I need to gather some information. Because the netsim devices are all simulated locally the IP address for these will be 127.0.0.1, but how do we know what port to use? For this, exit out of the ncs_cli and back to the docker shell. From here, enter the command ncs-netsim list to get a list of the netsim devices, including the port mappings. For this exercise the port the cli port is what is required.

root@e2c1780f3224:~/nso-project# ncs-netsim list
ncs-netsim list for  /root/nso-project/netsim

name=ios0 netconf=12022 snmp=11022 ipc=5010 cli=10022 dir=/root/nso-project/netsim/ios/ios0 
name=ios1 netconf=12023 snmp=11023 ipc=5011 cli=10023 dir=/root/nso-project/netsim/ios/ios1 
name=iosxr0 netconf=12024 snmp=11024 ipc=5012 cli=10024 dir=/root/nso-project/netsim/iosxr/iosxr0 
name=iosxr1 netconf=12025 snmp=11025 ipc=5013 cli=10025 dir=/root/nso-project/netsim/iosxr/iosxr1 
name=nxos0 netconf=12026 snmp=11026 ipc=5014 cli=10026 dir=/root/nso-project/netsim/nxos/nxos0 
name=nxos1 netconf=12027 snmp=11027 ipc=5015 cli=10027 dir=/root/nso-project/netsim/nxos/nxos1 
root@e2c1780f3224:~/nso-project#

Now that I have all the information needed, I can go ahead and add the devices. After addding the device, I will need to set the administration state to be unlocked. This will allow us to read and write configuration to the device from NSO. Now, can commit the configuration.

root@e2c1780f3224:~/nso-project# ncs_cli -C -u admin

admin connected from 127.0.0.1 using console on e2c1780f3224
admin@ncs# conf
Entering configuration mode terminal
admin@ncs(config)# devices device ios0 address 127.0.0.1 port 10022 authgroup netsim_auth device-type cli ned-id cisco-ios-cli-3.8          
admin@ncs(config-device-ios0)# state admin-state unlocked 
admin@ncs(config-device-ios0)# commit
Commit complete.
admin@ncs(config-device-ios0)#

We are not done with this device yet. Before I move on and add the next device, Lets connect to ios0 from NSO, and sync the configuration. To do this, first retrieve the host keys from the device with ssh fetch-host-keys. Now sync in the configuration with sync-from. Finally, use a show command to verify the configuration has been pulled into NSO, complete with the Loopback 99 interface previously created

admin@ncs(config-device-ios0)# ssh fetch-host-keys 
result updated
fingerprint {
    algorithm ssh-rsa
    value 04:08:2d:34:ed:06:cd:ae:ae:99:be:1f:21:e3:10:76
}
admin@ncs(config-device-ios0)# sync-from 
result true
admin@ncs(config-device-ios0)# top
admin@ncs(config)# show full-configuration devices device ios0 
devices device ios0
 address   127.0.0.1
 port      10022
! <removed output for brevity> 
  ios:interface Loopback99
   ip address 10.10.99.1 255.255.255.255
   no shutdown
  exit
! <removed output for brevity>

Adding Device iosxr0

Now lets repeat these steps to add in iosxr0. The device does not need to be configured as one long command string. Instead, this time I will add the configuration in one parameter at a time. 

admin@ncs(config)# devices device iosxr0
admin@ncs(config-device-iosxr0)# address 127.0.0.1
admin@ncs(config-device-iosxr0)# port 10024
admin@ncs(config-device-iosxr0)# authgroup netsim_auth 
admin@ncs(config-device-iosxr0)# device-type cli ned-id cisco-iosxr-cli-3.5 
admin@ncs(config-device-iosxr0)# state admin-state unlocked 
admin@ncs(config-device-iosxr0)# commit
Commit complete.
admin@ncs(config-device-iosxr0)# ssh fetch-host-keys  
result updated
fingerprint {
    algorithm ssh-rsa
    value 04:08:2d:34:ed:06:cd:ae:ae:99:be:1f:21:e3:10:76
}
admin@ncs(config-device-iosxr0)# sync-from
result true
admin@ncs(config-device-iosxr0)# top
admin@ncs(config)# show full-configuration devices device iosxr0
devices device iosxr0
 address   127.0.0.1
 port      10024
<! output removed for brevity>
 authgroup netsim_auth
 device-type cli ned-id cisco-iosxr-cli-3.5
 state admin-state unlocked
 config
  cisco-ios-xr:interface Loopback 99
   ipv4 address 10.20.99.1 255.255.255.255
  exit
 !

Pushing Configuration From NSO Using NCS_CLI

Lets create some new configuration in NSO and push it to the devices. For this example, lets add a loopback 50 interface to device ios0, with an IP address 10.10.50.1/32. From configuration mode we first need to select our device. From here we will go to the NCS device configuration for an interface object named Loopback 50. Once here we can now configure the IP address and no shut the interface using familiar IOS syntax. finally lets commit the change. This will push the configuration to the router. If we exit the NCS CLI and go back to our netsim cli we can do a show run and see our loopback 50 interface has been created.

admin@ncs(config)# devices device ios0
admin@ncs(config-device-ios0)# config ios:interface Loopback 50 
admin@ncs(config-if)# ip address 10.10.50.1 255.255.255.255
admin@ncs(config-if)# no shut
admin@ncs(config-if)# commit
Commit complete.
admin@ncs(config-if)# end
admin@ncs# exit
root@e2c1780f3224:~/nso-project# ncs-netsim cli-i ios0
admin connected from 127.0.0.1 using console on e2c1780f3224
ios0> en
ios0# show run
! <output removed for brevity>
interface Loopback50
 no shutdown
 ip address 10.10.50.1 255.255.255.255
exit
! <output removed for brevity>

Out-of-Sync

What happens if the running configuration on the router and the configuration in the NSO database do not match? Lets find out. While still connected to the netsim cli lets remove the Loopback 50 interface we just created.

ios0# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ios0(config)# no int Loopback 50
ios0(config)# end
ios0# show run
! <output removed for brevity>
interface Loopback0
 no shutdown
exit
interface Loopback99
 no shutdown
 ip address 10.10.99.1 255.255.255.255
exit
! <output removed for brevity>

Now lets try and add Loopback 55 interface with an IP address 10.10.55.1/32 using the same steps as before. You can see below when we tried to commit the change, NSO detected the configuration mismatch, aborted the commit, and generated an alarm. At this point if we look at the device configuration on NSO we have both loopback 50 and 55, however on the router we don’t have either of them. 

admin@ncs# config 
Entering configuration mode terminal
admin@ncs(config)# devices device ios0                  
admin@ncs(config-device-ios0)# config ios:interface Loopback 55     
admin@ncs(config-if)# ip address 10.10.55.1 255.255.255.255
admin@ncs(config-if)# no shut                              
admin@ncs(config-if)# commit                               
Aborted: Network Element Driver: device ios0: out of sync
admin@ncs(config-if)# *** ALARM out-of-sync: Device ios0 is out of sync
admin@ncs(config-if)#

So, how do we resolve this? We can tell NSO to commit the change ignoring the out of sync error with commit no-out-of-sync-check. 

admin@ncs(config-if)# commit no-out-of-sync-check 
Commit complete.
admin@ncs(config-if)# end
admin@ncs# exit
root@e2c1780f3224:~/nso-project# ncs-netsim cli-i ios0

admin connected from 127.0.0.1 using console on e2c1780f3224
ios0> enable
ios0# show run
! <output removed for brevity>
interface Loopback0
 no shutdown
exit
interface Loopback55
 no shutdown
 ip address 10.10.55.1 255.255.255.255
exit
! <output removed for brevity>

However, we still have a problem, Loopback 55 is now created, but loopback 50 is still missing, so the device is still out of sync. To resolve this we need to look at the sync-from or sync-to commands. We saw the sync-from already when we created the devices. Sync-from was used to pull the configuration off the device and sync it into the NSO database. So, as you might expect, sync-to does the opposite. Sync-to will treat the NSO database as the source of truth, and push that configuration out too the device. In this case we want to treat NSO as the golden source so we’ll use the sync-to command, and then verify our configuration matches

root@e2c1780f3224:~/nso-project# ncs_cli -C -u admin

admin connected from 127.0.0.1 using console on e2c1780f3224
admin@ncs# config
Entering configuration mode terminal
admin@ncs(config)# devices device ios0 
admin@ncs(config-device-ios0)# sync-to
result true
admin@ncs(config-device-ios0)# top
admin@ncs(config)# show full-configuration devices device ios0 
devices device ios0
 address   127.0.0.1
 port      10022
! <output removed for brevity>
  ios:interface Loopback50
   ip address 10.10.50.1 255.255.255.255
   no shutdown
  exit
  ios:interface Loopback55
   ip address 10.10.55.1 255.255.255.255
   no shutdown
  exit
! <output removed for brevity>

admin@ncs(config)# exit
admin@ncs# exit
root@e2c1780f3224:~/nso-project# ncs-netsim cli-i ios0

admin connected from 127.0.0.1 using console on e2c1780f3224
ios0> enable
ios0# show run
! <output removed for brevity>
interface Loopback50
 no shutdown
 ip address 10.10.50.1 255.255.255.255
exit
interface Loopback55
 no shutdown
 ip address 10.10.55.1 255.255.255.255
exit
! <output removed for brevity>

Summary

In this post I showed how to use the NCS CLI to manage the netsim network. I showed examples of adding devices to NSO, pushing configuration from NSO to the devices, and dealing with a out-of-sync condition. In the next post I will explore basic interaction using API’s.

For more information on how this container can be used look for other posts with the NSO-Docker tag.

Sharing is caring!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.