Mike Korshunov
Technical Marketing Engineer, Cisco
Prerequisites
Directory structure
Dealing with passwords
Performance tips
Conclusion
Network automation is crucial nowadays. It changes how the network feels and looks. This tutorial covers Ansible modules for IOS-XR, some tips and tricks, and how to increase the performance of Ansible playbooks.
As of Ansible version 2.6.2, there are the following 9 modules for IOS-XR. An excerpt from the Ansible site is below:
Prerequisites
Since Ansible relies on an SSH connection to the device, a few requirements need to be met.
An RSA key pair needs to be generated. Use the crypto key generate rsa command to generate it. You must configure a hostname for the router using the hostname global configuration command.
RP/0/RP0/CPU0:flamboyant#crypto key generate rsa general-keys modulus
Wed Aug 1 19:31:01.233 UTC
The name for the keys will be: modulus
Choose the size of the key modulus in the range of 512 to 4096 for your General Purpose Keypair. Choosing
How many bits in the modulus [2048]: Generating RSA keys ...
Done w/ crypto generate keypair
[OK]
RP/0/RP0/CPU0:flamboyant#
Apply the following config on the target device to enable SSH and NETCONF.
Usually, Ansible runs on the managed nodes; however, this is not the case for the network modules. Everything stays the same from the user's perspective and for the accustomed keywords; all the magic happens in the background.
Typically, network devices lack Python support (IOS-XR supports application hosting concepts; read more about it). Because of that, a network module executes locally and the CLI/XML instructions are sent over to the device.
One more important aspect: on Linux/Unix, the system's configuration files exist as files on the hard disk, so a backup of them is created in the same directory. This is not the case for the network modules (the configuration is not stored on disk as a file), and we will see an example in the iosxr_config module, where the backup folder is created on the machine from which we are running the playbooks.
An additional introduction to network modules: conditions. They allow you to work with the output and make value comparisons. In conjunction with the match parameter, a more sophisticated state can be checked.
Communication mechanisms
For network modules, there are 2 main connection types: network_cli and netconf.
The previous way to connect to targets was local. You can still use the old style of declaration in the playbook; however, it is deprecated and will be removed eventually. In the official Ansible documentation, you will notice the provider parameter as an indication that connection local was used.
---
- name: Configure IOS-XR devices
  hosts: routers
  gather_facts: no
  # connection local instead of network_cli
  connection: local
  tasks:
    - name: collect facts from IOS-XR routers
      iosxr_facts:
        gather_subset:
          - config
        provider: "{{ cli }}"
      register: config
  vars:
    cli:
      host: "{{ inventory_hostname }}"
      username: "{{ ansible_user }}"
      password: "{{ ansible_ssh_pass }}"
If you run the playbook above with the verbose flag, you will see the following in the output:
***omitted output***
The choice between the network_cli and netconf connection should be made based on the documentation for the modules. Not all modules support both connections, so check first before usage.
Directory structure
All playbooks mentioned in the tutorial are available on GitHub. The GitHub repo includes a Vagrant folder; feel free to practice against the IOS-XRv image. Request it here.
Here is the layout for ansible-playbooks.
$ tree ansible
ansible
├── ansible-hosts.ini
├── head-playbook.yml
├── README.md
├── roles
│   ├── get_facts
│   │   └── tasks
│   │       └── main.yml
│   ├── xr_commands
│   │   └── tasks
│   │       └── main.yml
│   └── xr_config
│       ├── backup
│       │   ├── canonball_config.2018-08-06@14:22:09
│       │   └── flamboyant_config.2018-08-06@14:22:09
│       ├── common
│       │   └── router.conf
│       └── tasks
│           └── main.yml
└── xr-passes.yml

9 directories, 12 files
Folder content:
Hosts file
We need to define the hosts first. In the ini file, variables are separated from the host definitions. In the provided example, passwords are stored in plain text. To avoid this, Ansible Vault should be used; it will be covered later in this tutorial. Another mechanism is passwordless authentication based on keys.
$ cat ansible-hosts.ini
[routers]
flamboyant ansible_host=172.30.13.70 ansible_user=root
canonball ansible_host=172.30.13.71 ansible_user=cisco

[routers:vars]
ansible_ssh_pass=cisco
ansible_network_os=iosxr
ansible_port=22
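The inventory above keeps ansible_ssh_pass as a literal, which the text flags as something to avoid. The following script is an added example (not part of the tutorial or of Ansible) that audits an INI inventory for password variables written as literals instead of as references such as "{{ my_sensitive_pass_vault }}"; the inventory it checks is a constructed copy of ansible-hosts.ini, and the list of password variable names is an assumption covering the common Ansible connection and become password keys.

```python
"""Audit an Ansible INI inventory for credentials stored as literals.

Added example for this tutorial, not code from the tutorial or from Ansible.
It flags password variables whose value is written into the inventory instead
of referring to a variable (for instance one defined in an Ansible Vault file).
"""
import re
import shlex

# Inventory variables that hold a password when set to a literal value (assumed list).
PASSWORD_VARS = {"ansible_ssh_pass", "ansible_password", "ansible_become_pass"}

# A value such as "{{ my_sensitive_pass_vault }}" is resolved at run time and
# does not store the secret in the inventory itself.
JINJA_REF = re.compile(r"^\{\{.*\}\}$")

# Constructed sample: the ansible-hosts.ini shown in the tutorial.
SAMPLE_INVENTORY = """\
[routers]
flamboyant ansible_host=172.30.13.70 ansible_user=root
canonball ansible_host=172.30.13.71 ansible_user=cisco

[routers:vars]
ansible_ssh_pass=cisco
ansible_network_os=iosxr
ansible_port=22
"""


def parse_inventory(text):
    """Yield (location, variable, value) for every variable in an INI inventory.

    Variables appear in two places: "[group:vars]" sections (one "key=value"
    per line) and inline on host lines ("hostname k1=v1 k2=v2").
    """
    section = "ungrouped"  # hosts before the first header belong to 'ungrouped'
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section.endswith(":vars"):
            key, sep, value = line.partition("=")
            if sep:
                yield section, key.strip(), value.strip()
        elif not section.endswith(":children"):
            tokens = shlex.split(line)  # first token is the host name
            for token in tokens[1:]:
                key, sep, value = token.partition("=")
                if sep:
                    yield f"{section}/{tokens[0]}", key, value


def find_plaintext_passwords(text):
    """Return [(location, variable)] for password variables set to a literal."""
    return [
        (location, key)
        for location, key, value in parse_inventory(text)
        if key in PASSWORD_VARS and not JINJA_REF.match(value)
    ]


if __name__ == "__main__":
    for location, key in find_plaintext_passwords(SAMPLE_INVENTORY):
        print(f"plain-text credential: {key} in [{location}]")
```

Running it against the sample reports ansible_ssh_pass in [routers:vars]; once the value is replaced by a reference to a vaulted variable, the audit comes back clean.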
As a first example we will run two modules: enable NETCONF on the device, then set the banner via NETCONF (we just enabled it, why not utilize it?).
The playbook itself is shown below. We will use just 2 tasks for now. The module names are self-describing.
For the NETCONF module we can additionally provide a VRF value via the netconf_vrf parameter. If the parameter is omitted, the default VRF (default) is used. The state parameter is responsible for adding or removing the NETCONF-related knob on the device: the value present enables the NETCONF configuration, absent withdraws the config.
The banner module uses the same concept for the state parameter (present/absent). The text parameter can start with "|" or ">" as the indicator of a multiline string. For the banner itself, you can select whether it is a login or motd message. Currently, there is a minor bug with carriage-return symbol treatment, so please use ">" as the multiline indicator.
---
- name: Configure IOS-XR devices
  hosts: routers
  gather_facts: no
  connection: network_cli
  tasks:
Console output after playbook execution. This first time we run in verbose mode, since -vvv was specified. As a careful reader may notice, temporary files are created directly on the host machine, not on the target nodes. This is specific to the network modules.
executable location = /usr/local/bin/ansible-playbook
python version = 2.7.12 (default, Nov 20 2017, 18:23:56) [GCC 5.4.0 20160609]
Using /home/cisco/.ansible.cfg as config file
Parsed /home/cisco/Documents/ansible/ansible-hosts.ini inventory source with ini plugin
            "password": null,
            "port": null,
            "provider": null,
            "ssh_keyfile": null,
            "state": "present",
            "text": "Unauthorized access to device: flamboyant restricted.\n",
            "timeout": null,
            "username": null
        }
    },
    "xml": "<config xmlns:xc=\"urn:ietf:params:xml:ns:netconf:base:1.0\"><banners xmlns=\"http://cisco.com/ns/yang/Cisco-IOS-XR-infra-infra-cfg\"><banner xc:operation=\"merge\">login ! Unauthorized access to device: flamboyant restricted.\n</banner></banners></config>"
}
META: ran handlers
From the output, we can observe that both changes were applied on the device. There are two ways to check whether the config was properly applied.
The first approach is a conservative one: connect to the device and check the latest commit changes. Since each task is a separate commit, the command is issued for the last two configuration changes.
A more interesting approach is to stay in the same operations paradigm and use Ansible for config validation:
Such a playbook will pass, and we will be sure that the config is present on the device. If we uncomment the last string, the playbook will fail. We can use the match parameter with the value any and execution will succeed. The default value is all. Think about them as the logical operators AND and OR. If the wait_for argument is included in the task, the output will not be returned until success or until the number of retries is exceeded.
As you may notice, wait_for is used in the last task. More documentation on this module.
"stdout_lines": [
    [
        "Building configuration...",
        "netconf-yang agent",
        " ssh",
        "!",
        "ssh server session-limit 10",
        "ssh server v2",
        "ssh server netconf vrf default",
        "end"
    ],
    [
        "Building configuration...",
        "banner login ! Unauthorized access to device: flamboyant restricted."
    ]
]
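To make the wait_for / match semantics described above concrete, here is an added example (not code from the tutorial or from Ansible) that evaluates conditions written as "result[N] <operator> '<value>'" against the stdout_lines shown above, combines them with match all (AND) or any (OR), and models the retry loop in which output is not returned until success or the retry count is exhausted. The supported operators (contains, matches, eq/==, neq/!=) and the retries/interval defaults follow the iosxr_command documentation; the device stand-in make_fetcher is a constructed helper for running the example offline.

```python
"""Evaluate iosxr_command wait_for conditions as the tutorial describes them.

Added example, not code from the tutorial or from Ansible. It reproduces the
condition syntax "result[N] <operator> '<value>'" for the operators contains,
matches, eq/== and neq/!=, applies the match policy (all = AND, any = OR) and
models the retry loop, using the stdout_lines captured above as constructed input.
"""
import re
import time

# Constructed from the stdout_lines shown above: one list of lines per command.
STDOUT_LINES = [
    [
        "Building configuration...",
        "netconf-yang agent",
        " ssh",
        "!",
        "ssh server session-limit 10",
        "ssh server v2",
        "ssh server netconf vrf default",
        "end",
    ],
    [
        "Building configuration...",
        "banner login ! Unauthorized access to device: flamboyant restricted.",
    ],
]

CONDITION = re.compile(
    r"^result\[(?P<index>\d+)\]\s+(?P<op>contains|matches|eq|==|neq|!=)\s+"
    r"(?P<quote>['\"])(?P<value>.*)(?P=quote)$"
)


def evaluate_condition(condition, stdout_lines):
    """Evaluate one wait_for condition against the output of command N."""
    m = CONDITION.match(condition.strip())
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    index = int(m.group("index"))
    if index >= len(stdout_lines):
        raise IndexError(f"result[{index}] refers to a command that was not run")
    text = "\n".join(stdout_lines[index])
    op, value = m.group("op"), m.group("value")
    if op == "contains":
        return value in text
    if op == "matches":
        return re.search(value, text, re.MULTILINE) is not None
    if op in ("eq", "=="):
        return text == value
    return text != value  # neq / !=


def check(wait_for, stdout_lines, match="all"):
    """Combine conditions with the task's match policy: all is AND, any is OR."""
    results = [evaluate_condition(c, stdout_lines) for c in wait_for]
    if match == "all":
        return all(results)
    if match == "any":
        return any(results)
    raise ValueError(f"match must be 'all' or 'any', got {match!r}")


def wait_until(fetch, wait_for, match="all", retries=10, interval=1.0):
    """Re-run the commands until the conditions hold or retries are exhausted.

    fetch() returns fresh stdout_lines (here a stand-in for the device session).
    Returns (success, attempts); the defaults mirror the module's retries/interval.
    """
    for attempt in range(1, retries + 1):
        if check(wait_for, fetch(), match):
            return True, attempt
        if attempt < retries:
            time.sleep(interval)
    return False, retries


def make_fetcher(outputs):
    """Constructed device stand-in: returns each output once, then the last forever."""
    remaining = list(outputs)

    def fetch():
        if len(remaining) > 1:
            return remaining.pop(0)
        return remaining[0]

    return fetch


if __name__ == "__main__":
    conditions = [
        "result[0] contains 'netconf-yang agent'",
        "result[1] contains 'banner login'",
    ]
    print("all conditions hold:", check(conditions, STDOUT_LINES))
```

Adding a third condition that does not hold (for example a check for "banner motd") makes check() fail under match all and pass under match any, which is exactly the behaviour the paragraph above describes for the commented-out last string.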
To show a more sophisticated flow, we will create a role in our initial playbook.
The file main.yml will include the tasks which need to be executed. router.conf is the common configuration for the devices.
|____xr-passes.yml
|____head-playbook.yml
|____ansible-hosts.ini
|____roles
| |____xr_config
| | |____common
| | | |____router.conf
| | |____tasks
| | | |____main.yml
$ cat roles/xr_config/common/router.conf
router ospf 1
 area 0
  interface HundredGigE0/0/1/0
The playbook consists of three tasks. In the first task, Ansible changes the device hostname. In the second task, Ansible applies the configuration file on all devices. The third task checks that the OSPF configuration is properly applied and the OSPF process is up and running.
$ cat roles/xr_config/tasks/main.yml
---
- name: Change hostname
  iosxr_config:
    lines:
      - hostname
lines & parents: lines is an ordered set of config commands. The parents parameter uniquely identifies the block under which the lines should be configured.
replace: values are line (default), block, config. Defines the behavior of the task. If set to block and a difference exists in the lines, the whole block is pushed.
match: values are line (default), strict, exact, none. A parameter similar to the previous one in terms of comparison; it defines the matching algorithm.
backup: creates a copy of the full running configuration in a backup subfolder before applying the new config.
before & after: commands appended before and after the lines, respectively.
comment: text added to the commit description. Default: configured by iosxr_config.
Ready to get some logs out of the device? The logging module is purposed for that. If you are interested in streaming operational data, check our thorough Telemetry tutorials.
---
- name: Configure IOS-XR devices
  hosts: routers
  gather_facts: no
  connection: network_cli
  tasks:
    - name: configure console logging level
      iosxr_logging:
        dest: console
        level: debugging
        state: present
    - name: configure logging for syslog server host
      iosxr_logging:
        dest: host
        name: 172.30.13.2
        level: critical
        state: present
iosxr_logging doesn't allow you to specify the port, so you may use the config module as a workaround. ⚠
The third module in this section is system configuration: configure DNS, domain search, and lookup. State present/absent is used to enable/disable a configuration piece, as we saw earlier in the tutorial.
---
- name: Configure IOS-XR devices
  hosts: routers
  gather_facts: no
  connection: network_cli
  tasks:
    - name: configure DNS and domain-name (default vrf=default)
      iosxr_system:
        state: present
        domain_name: local.cisco.com
        # parameter name uses an underscore: domain_search
        domain_search:
          - cisco.com
        name_servers:
          # new DNS from CloudFlare, easy to remember ;)
          - 1.1.1.1
          - 8.8.8.8
          - 8.8.4.4
Interfaces module
Wondering how to manage interfaces? There is a specific module for interface management. There are 4 states for an interface: present (default), absent, up and down. Up equals present plus operationally up; down equals present plus operationally down.
The aggregate parameter is used to configure multiple interfaces in one task: new interface, new line. The first task will enable just one interface; the second will enable two interfaces and will set the MTU value.
- name: Unshut interface
  iosxr_interface:
    description: link to RouterXX TenGigE0/0/0/11
    name: TenGigE0/0/0/28
    state: present
User module
One more module, this time for user management. The password for a user is provided in clear text. A public key can be used, but in this case the Python module base64 is required (usually it is included in Python distributions). If public_key or public_key_contents is used and multiple users are created, the same key is used for every user.
If you use the purge parameter, which is boolean, all other users will be removed from the device, except admin and the users newly created within the task.
- name: set multiple users to group sys-admin
  iosxr_user:
    name: user1
    group: sysadmin
    state: present
    public_key_contents: ""

# Remove users
- name: user deletion
  iosxr_user:
    aggregate:
      - name: user1
      - name: user2
    state: absent
Facts is one of the most straightforward modules, but it is also very resource intensive because it prompts the device for the running configuration. If gather_subset is supplied, the possible values are all, hardware, config, and interfaces. Try to limit the usage of show running-config in playbooks so as not to sacrifice playbook performance.
- name: get config facts and hardware
  iosxr_facts:
    gather_subset:
      - config
      - hardware
  register: hardware

- name: get all facts, except information regarding interfaces, we have the special module for them!
  iosxr_facts:
    gather_subset:
      - all
      - "!interfaces"
Command module
A few examples for this module were already provided above. Important parameters for this module:
Ansible Vault
Ansible Vault is a feature to store your secrets and sensitive information in encrypted files instead of plain text.
$ ansible-vault create xr-passes.yml
New Vault password:
Confirm New Vault password:
$
my_sensitive_pass_vault: cisco_SecUre_P@ss
$ cat xr-passes.yml
$ANSIBLE_VAULT;1.1;AES256
30303565333538383465393933363636653565636465656438333331303261333866376363373932
6539303964623031383065366135663166356263393937310a316436663938346165376636666631
37623938383264396431326464323632346632636634333966376666353731623530343634373263
6235353763653338370a643737653735396261346264633132383537643137383165346433303937
35386364366566643065306633636361353739363865396166623830643630356535
$ ansible-vault rekey xr-passes.yml
The Advanced Encryption Standard (AES) is used for the default encryption (which is shared-secret based).
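What that shared-secret encryption actually puts on disk is worth knowing when you check vault files into a repository. The following added example (not code from the tutorial or from Ansible) parses the envelope of the xr-passes.yml shown above without decrypting it: the header line, then the hex encoding of three newline-separated hex fields, a 32-byte random salt, an HMAC-SHA256 over the ciphertext, and the AES-256-CTR ciphertext of the PKCS#7-padded plaintext. The AES and HMAC keys are derived from the vault password with PBKDF2-HMAC-SHA256 and the salt, so the file reveals nothing about the secret beyond its approximate length, which the example reports.

```python
"""Inspect the envelope of an Ansible Vault file without decrypting it.

Added example, not code from the tutorial or from Ansible. Vault format
1.1/AES256 stores a header line followed by the hex encoding of three
hex-encoded fields separated by newlines: a random salt, an HMAC-SHA256 over
the ciphertext, and the AES-256-CTR ciphertext of the PKCS#7-padded plaintext.
The sample below is the xr-passes.yml shown in the tutorial.
"""
import binascii
from dataclasses import dataclass
from typing import Optional

SAMPLE_VAULT_FILE = """\
$ANSIBLE_VAULT;1.1;AES256
30303565333538383465393933363636653565636465656438333331303261333866376363373932
6539303964623031383065366135663166356263393937310a316436663938346165376636666631
37623938383264396431326464323632346632636634333966376666353731623530343634373263
6235353763653338370a643737653735396261346264633132383537643137383165346433303937
35386364366566643065306633636361353739363865396166623830643630356535
"""

AES_BLOCK = 16
SALT_LEN = 32
HMAC_SHA256_LEN = 32


@dataclass
class VaultEnvelope:
    version: str
    cipher: str
    vault_id: Optional[str]  # present only in format 1.2 (a --vault-id label)
    salt: bytes
    hmac: bytes
    ciphertext: bytes

    def max_plaintext_len(self):
        """PKCS#7 padding means the plaintext was at most len(ciphertext) - 1 bytes."""
        return len(self.ciphertext) - 1


def parse_vault(text):
    """Parse an $ANSIBLE_VAULT file and validate the envelope's structure."""
    lines = [line.strip() for line in text.strip().splitlines()]
    header = lines[0].split(";")
    if len(header) < 3 or header[0] != "$ANSIBLE_VAULT":
        raise ValueError("not an Ansible Vault file")
    version, cipher = header[1], header[2]
    vault_id = header[3] if len(header) > 3 else None
    if cipher != "AES256":
        raise ValueError(f"unsupported cipher {cipher!r}")
    # Outer layer: hex text of "salt_hex\nhmac_hex\nciphertext_hex".
    inner = binascii.unhexlify("".join(lines[1:])).decode("ascii")
    fields = inner.split("\n")
    if len(fields) != 3:
        raise ValueError("envelope must carry salt, hmac and ciphertext")
    salt, mac, ciphertext = (binascii.unhexlify(f) for f in fields)
    if len(salt) != SALT_LEN or len(mac) != HMAC_SHA256_LEN:
        raise ValueError("unexpected salt or HMAC length")
    if not ciphertext or len(ciphertext) % AES_BLOCK:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return VaultEnvelope(version, cipher, vault_id, salt, mac, ciphertext)


def describe(envelope):
    """Summarise what can be learned from the file without the vault password."""
    return {
        "version": envelope.version,
        "cipher": envelope.cipher,
        "salt_bytes": len(envelope.salt),
        "hmac_bytes": len(envelope.hmac),
        "ciphertext_bytes": len(envelope.ciphertext),
        "max_plaintext_bytes": envelope.max_plaintext_len(),
    }


if __name__ == "__main__":
    for key, value in describe(parse_vault(SAMPLE_VAULT_FILE)).items():
        print(f"{key}: {value}")
```

Because the HMAC is checked before decryption, a tampered or truncated file is rejected by ansible-vault before any plaintext is produced; the structural checks here catch the cheaper cases (corrupted hex, wrong field count, bad lengths) that a broken copy-paste or a merge conflict typically introduces.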
---
- name: Configure IOS-XR devices
  hosts: routers
  gather_facts: no
  connection: local
  roles:
    - get_facts
    - banner_setup
    - xr_config
  # Include vault
  vars_files:
    - xr-passes.yml
  vars:
    cli:
      host: "{{ inventory_hostname }}"
      username: "{{ ansible_user }}"
      # Password used from Vault
      password: "{{ my_sensitive_pass_vault }}"
To make this possible, you need to include the vars_files key in the playbook with the vault file as its value.
To establish passwordless authentication on IOS-XR we need to go through multiple steps. The public key should be encoded in base64 format. You can use the base64 utility, part of Linux and macOS distributions, or try an online tool for encoding, such as base64decode.org. Afterwards, copy the key to the IOS-XR based device and import it.
Make sure that a key pair is generated on the device, and create the b64 file.
$ ls ~/.ssh/ | grep id_rsa.pub
id_rsa.pub
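The key dump printed by show crypto key authentication rsa further down begins 30 82 02 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 and ends 02 03 01 00 01, which is a DER-encoded SubjectPublicKeyInfo (rsaEncryption OID, then the RSAPublicKey sequence of modulus and exponent inside a BIT STRING) for a 4096-bit key. An id_rsa.pub line, by contrast, carries the key in OpenSSH's own wire format. The following added example (not code from the tutorial or from Cisco) parses an id_rsa.pub line, re-encodes the key as DER SubjectPublicKeyInfo, base64-encodes the result for the .b64 file, and prints it in the same 4-byte-word layout as the show output; that IOS-XR accepts exactly this encoding is an assumption inferred from the dump, so check the import command's documentation for your release. The modulus used below is a constructed number, not a real key.

```python
"""Convert an OpenSSH RSA public key into DER SubjectPublicKeyInfo and base64.

Added example; not from the tutorial. The target encoding is inferred from the
'show crypto key authentication rsa' dump in the tutorial, whose bytes match a
DER SubjectPublicKeyInfo (30 82 .. .. 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00
... 02 03 01 00 01). Whether a given IOS-XR release imports exactly this form is
an assumption to verify against the import command's documentation.
"""
import base64
import struct

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1

# Constructed 2048-bit modulus for the demonstration; NOT a real key.
SAMPLE_N = (1 << 2047) | 12345
SAMPLE_E = 65537


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    # Big-endian, with a leading 0x00 when the top bit is set (RFC 4251 mpint).
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_openssh_rsa(e, n, comment="constructed"):
    """Build an 'ssh-rsa AAAA... comment' line, i.e. the id_rsa.pub format."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_openssh_rsa(line):
    """Return (e, n) from an id_rsa.pub line; rejects non-RSA or malformed keys."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    blob = base64.b64decode(fields[1])
    parts, offset = [], 0
    for _ in range(3):  # key type, public exponent, modulus
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        parts.append(blob[offset:offset + length])
        offset += length
    if parts[0] != b"ssh-rsa" or offset != len(blob):
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(parts[1], "big"), int.from_bytes(parts[2], "big")


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(n):
    # DER INTEGER is two's complement: prepend 0x00 when the top bit is set.
    return _der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_spki_der(e, n):
    """SEQ { SEQ { OID rsaEncryption, NULL }, BIT STRING { SEQ { n, e } } }."""
    alg_id = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_public_key))


def to_b64(der):
    """Content of the .b64 file to copy to the device."""
    return base64.b64encode(der).decode()


def key_size_bits(n):
    return n.bit_length()


def format_like_show_output(der):
    """Render DER as the 4-byte words, 8 per line, used by the device's Data field."""
    words = [der[i:i + 4].hex().upper() for i in range(0, len(der), 4)]
    return "\n".join(" ".join(words[i:i + 8]) for i in range(0, len(words), 8))


if __name__ == "__main__":
    e, n = parse_openssh_rsa(encode_openssh_rsa(SAMPLE_E, SAMPLE_N))
    der = rsa_spki_der(e, n)
    print(f"Size : {key_size_bits(n)}")
    print(format_like_show_output(der))
    print(to_b64(der))
```

For a 4096-bit modulus the same encoder produces an outer header of 30 82 02 22, matching the first word of the dump shown below, which is a quick way to confirm that a converted key has the structure the device expects before transferring it.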
Key transfer and import operation:
RP/0/RP0/CPU0:flamboyant#show crypto key authentication rsa
Mon Aug 6 10:51:24.635 PDT
Key label: root
Type : RSA public key authentication
Size : 4096
Imported : 10:41:03 PDT Mon Aug 06 2018
Data :
30820222 300D0609 2A864886 F70D0101 01050003 82020F00 3082020A 02820201
00D031B9 C0CD4838 C031D9E8 390C51ED 8B77D3F8 F0637BE3 CB4631C5 5D84A294
BE475637 8F7CC395 3E4AD022 ABBE538A 5304CD3A EC9F0B19 0876132F 7675B36C
46ED953D B870F3FB 2EDB9B50 E6C29278 5A48C0B5 66B09AC3 D03A54FB E7F8DE78
A7733571 660DFED5 FB6D0599 54227601 08924FFD CBB890F7 93DCE02C 13F4FFA2
E15FF061 9C64E0BF B62CF8B0 C6305613 D714F84F 7DBA3B1D ED93609B 8E8384A8
EC259CDA EEBBD07E 5931F467 4D86D59A 24B596C7 4AEDE957 FA8866C1 ED2988F5
7B9945F9 CC308EA3 532A2470 75C8CE23 49C0AA75 A1F03538 BC3DD4DE EACC8150
6640B368 7D5696A7 15C6D1BA D6534F34 3CD4ED92 A313A8D0 0480A169 4BF9575C
6BCE836E D72F4E01 E76C94A1 3B35C430 FB6A471B 453B0DE3 ACD28034 2632E111
192A9CA0 3DBF3410 0E9580C7 E0DE4968 01DB0C43 98254390 FDB43E3E 39429EA2
9CFA40A5 2D8A89EC 1DA9ED1D 494306D2 96936B1D ABDA1F7C 513B9E89 4E45F1FA
50B1DB14 A00D4A83 2B72C5EC 4557A975 A76D49D8 AC184BBE 3C75E292 CFE0F032
2DAE7154 83AE0A21 D4177524 11F33960 56732666 84619C01 BA36E257 93DE4A8B
B8E1E7F7 67A80F9A 265320F4 949F6151 D67B1B2E BF3F6C61 C98C45CF EE3F2D87
EE7031D9 AD27C89A 20087789 F711FD69 0957C424 E216E439 51B95831 DCE9008A
7F02D500 802AEADB 4C7469B9 04E98E1A 4BDC6BC1 C36C191F 31747564 5BC178F6
CD020301 0001
ssh root@172.30.13.70
Unauthorized access to device: flamboyant restricted.
RP/0/RP0/CPU0:flamboyant#
Performance tips
Playbook performance can be increased. To achieve this, we need to use the strategy plugin and change the default value linear to free. By default, Ansible task execution waits for completion on a host, then goes to another host, and only after execution of the current task is complete on all hosts is a new task started. With the free strategy, Ansible will create a fork of the process and will not wait for the task to complete on all nodes. When a task is completed on a node, the next task is started on it without delay.
---
- name: Configure IOS-XR devices
  hosts: routers
  strategy: free
  gather_facts: no
  connection: network_cli
  roles:
    - get_facts
Forks are the parallel processes spawned by Ansible for communication with remote hosts and task execution. The default number of processes is 5. Add the following line to the [defaults] section of ansible.cfg to increase the number of forks.
# ansible.cfg
[defaults]
forks = 10
Another way to change the number of forks is to specify a value when you run a playbook:
ansible-playbook head-playbook.yml -i ansible-hosts.ini --forks 10
Conclusion
We covered the Ansible modules available today for IOS-XR (with particular attention to the iosxr_command and iosxr_config modules), the prerequisites required for them, created role examples, and tweaked Ansible performance for faster playbook completion. Start slowly with your automation and increase the complexity as you grow.
Good luck with further automation 🔧
3 Comments
To do this, please generate b64 file from your public key and import it on
the device: "crypto key import authentication rsa disk0:/id_rsa_pub.b64"
This site is maintained by Cisco Systems, Inc. employees. Powered by Jekyll & Minimal Mistakes.