Table of Contents
connect and sync cisco nso to network devices is what we will discuss in this section.
connect NSO to network devices
In the previous sections, we installed Cisco NSO and prepared a CSR1000V device and some NetSim emulated devices.
In this section, we will connect Cisco NSO to all of these devices and sync the configuration of the devices to Cisco NSO so that they can be managed from Cisco NSO from now on.
To connect Cisco NSO to a device, we need to know the IP address of the device, the authentication information used to connect to the device, and the connection method, Telnet or SSH.
To do this, we configure an authentication group including username, password, and optional enable password.
More than one authentication group can be configured, since different network devices will probably need different credentials to connect to them.
For each device, we configure in Cisco NSO which authentication group to use to connect to the network device.
Here we have configured authentication group “RAYKA” with username “rayka”, password “rayka-co.com” and optional enable password “rayka-co.com”.
Then we configure a device named “R1” and IP address “192.168.2.91” to use authentication group “RAYKA”, the connection protocol “SSH” and ignore host key verification.
# add authentication group devices authgroups group RAYKA default-map remote-name rayka default-map remote-password rayka-co.com default-map remote-secondary-password rayka-co.com # add a device devices device R1 address 192.168.2.91 authgroup RAYKA ssh host-key-verification none device-type cli ned-id cisco-ios-cli-6.88 device-type cli protocol ssh state admin-state unlocked commit connect end
We need to unlock the device since all devices are locked by default when added to Cisco NSO.
Then we commit the configuration, which means to apply the configuration. otherwise, the configuration is added to the candidate configuration, but is not active until it is committed.
We will talk more about commit command in the next section.
Then we check the connectivity to the network device with “connect” command to make sure that all parameters are configured correctly.
In my case, the connection is refused and we receive the error “SSH key exchange failed”.
admin@ncs(config-device-R1)# devices device R1 admin@ncs(config-device-R1)# address 192.168.2.91 admin@ncs(config-device-R1)# authgroup RAYKA admin@ncs(config-device-R1)# ssh host-key-verification none admin@ncs(config-device-R1)# device-type cli ned-id cisco-ios-cli-6.88 admin@ncs(config-device-R1)# device-type cli protocol ssh admin@ncs(config-device-R1)# state admin-state unlocked admin@ncs(config-device-R1)# commit Commit complete. admin@ncs(config-device-R1)# connect result false info Failed to authenticate towards device R1: SSH key exchange failed admin@ncs(config-device-R1)# *** ALARM connection-failure: Failed to authenticate towards device R1: SSH key exchange failed admin@ncs(config-device-R1)#
The problem is that the protocol “ssh-rsa” is not in the list of allowed algorithms in cisco nso but it is the cisco csr1000v default ssh algorithm.
Let’s look at the list of acceptable algorithms in Cisco NSO and then add the “SSH-RSA” algorithm to the list to solve the problem.
admin@ncs# show running-config devices global-settings ssh-algorithms public-key | details devices global-settings ssh-algorithms public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ]
admin@ncs(config)# devices global-settings ssh-algorithms public-key ssh-rsa admin@ncs(config)# commit Commit complete.
admin@ncs(config)# devices device R1 admin@ncs(config-device-R1)# connect result true info (admin) Connected to R1 - 192.168.2.91:22 admin@ncs(config-device-R1)#
Now the connection result is true and we can connect to the configured device.
connect NSO to netsim devices
In the next step we will connect cisco nso to netsim emulated devices.
To do this, we need the IP address, port, and credentials to connect Cisco NSO to netsim emulated devices.
The “ncs-netsim” command has the “ncs-xml-init” option that exports the list of devices, IP address, port, credentials and the algorithm used to connect to them in the format of an XML output.
ncs-netsim ncs-xml-init
This is exactly like what we have done for router R1.
Then we can export the xml output into a file and load the file into nso configuration file. Then we are allowed to connect to netsim emulated devices.
Let’s create the list of netsim emulated devices with “ncs-netsim” command and export the xml output into a file.
majid@majid-ubuntu:~/devnet/cisco_nso$ cd ~/nso-instance/ majid@majid-ubuntu:~/nso-instance$ ls logs ncs-cdb ncs.conf netsim packages README.ncs scripts state storedstate target
majid@majid-ubuntu:~/nso-instance$ source $HOME/nso-6.0/ncsrc majid@majid-ubuntu:~/nso-instance$ ncs-netsim ncs-xml-init > devices.xml
majid@majid-ubuntu:~/nso-instance$ ls
devices.xml logs ncs-cdb ncs.conf netsim packages README.ncs scripts state storedstate target
If we check inside the xml file, you see the list of devices and information to connect to devices.
majid@majid-ubuntu:~/nso-instance$ cat devices.xml | egrep "name|address|port|ned-id"
<name>ios0</name>
<address>127.0.0.1</address>
<port>10022</port>
<ned-id xmlns:id="http://tail-f.com/ns/ned-id/cisco-ios-cli-6.88">id:cisco-ios-cli-6.88</ned-id>
<name>ios1</name>
<address>127.0.0.1</address>
<port>10023</port>
<ned-id xmlns:id="http://tail-f.com/ns/ned-id/cisco-ios-cli-6.88">id:cisco-ios-cli-6.88</ned-id>
<name>ios2</name>
<address>127.0.0.1</address>
<port>10024</port>
<ned-id xmlns:id="http://tail-f.com/ns/ned-id/cisco-ios-cli-6.88">id:cisco-ios-cli-6.88</ned-id>
<name>asa0</name>
<address>127.0.0.1</address>
<port>10025</port>
<ned-id xmlns:id="http://tail-f.com/ns/ned-id/cisco-asa-cli-6.16">id:cisco-asa-cli-6.16</ned-id>
<name>iosxr0</name>
<address>127.0.0.1</address>
<port>10026</port>
<ned-id xmlns:id="http://tail-f.com/ns/ned-id/cisco-iosxr-cli-7.43">id:cisco-iosxr-cli-7.43</ned-id>
<name>nxos0</name>
<address>127.0.0.1</address>
<port>10027</port>
<ned-id xmlns:id="http://tail-f.com/ns/ned-id/cisco-nx-cli-5.23">id:cisco-nx-cli-5.23</ned-id>
<name>junos0</name>
<address>127.0.0.1</address>
<port>12028</port>
<ned-id xmlns:id="http://tail-f.com/ns/ned-id/juniper-junos-nc-3.0">id:juniper-junos-nc-3.0</ned-id>
Now we load the xml file including the list of devices into configuration file and commit the changes to apply the new configuration.
majid@majid-ubuntu:~/nso-instance$ ncs_cli -u admin -C ! User admin last logged in 2023-06-15T15:03:10.186059+00:00, to majid-ubuntu, from 192.168.2.175 using cli-ssh admin connected from 192.168.2.175 using ssh on majid-ubuntu ! admin@ncs# config t Entering configuration mode terminal admin@ncs(config)# load merge devices.xml Loading. 9.81 KiB parsed in 0.18 sec (54.48 KiB/sec) ! admin@ncs(config)# commit Commit complete. admin@ncs(config)#
If you review the new configuration, you will see that all new devices are added to the configuration, including the IP address and port to connect to the device, the public key, and the default authentication group, which is public-key authentication.
... devices device ios0 address 127.0.0.1 port 10022 ssh host-key ssh-rsa key-data ... ! ssh host-key ssh-ed25519 key-data AAAAC3NzaC1lZDI1NTE5AAAAIIPA15JhvDCk+JZ5yViUjPw9k+Vl8kKS1BWEO9w/iTTx ! authgroup default device-type cli ned-id cisco-ios-cli-6.88 ssh-algorithms public-key [ ssh-ed25519 ssh-rsa ] state admin-state unlocked ...
Now we can check the connectivity to network devices using “devices connect” in configuration mode to make sure that everything is working as we expect.
admin@ncs(config)# devices connect connect-result { device R1 result true info (admin) Connected to R1 - 192.168.2.91:22 } connect-result { device asa0 result true info (admin) Connected to asa0 - 127.0.0.1:10025 } connect-result { device ios0 result true info (admin) Connected to ios0 - 127.0.0.1:10022 } ...
With the command “show devices list” in enable mode in cisco nso, you can check the list of devices added to cisco nso. You can always use this command to review and check the list of your devices.
admin@ncs# show devices list NAME ADDRESS DESCRIPTION NED ID ADMIN STATE -------------------------------------------------------------------- R1 192.168.2.91 - cisco-ios-cli-6.88 unlocked asa0 127.0.0.1 - cisco-asa-cli-6.16 unlocked ios0 127.0.0.1 - cisco-ios-cli-6.88 unlocked ios1 127.0.0.1 - cisco-ios-cli-6.88 unlocked ios2 127.0.0.1 - cisco-ios-cli-6.88 unlocked iosxr0 127.0.0.1 - cisco-iosxr-cli-7.43 unlocked junos0 127.0.0.1 - juniper-junos-nc-3.0 unlocked nxos0 127.0.0.1 - cisco-nx-cli-5.23 unlocked
Sync NSO to network devices
We’ve connected the Cisco NSO to the network devices, but we’re still not ready to start automating and orchestrating with Cisco NSO.
This is because the configuration of the device needs to be synchronized in Cisco NSO. At this point, it is possible to configure devices through Cisco NSO rather than directly, which is a prerequisite for automating and orchestrating network devices and services.
There are two configuration synchronization options. The option “sync-from” syncs configuration from network device to Cisco NSO and “sync-to” option syncs configuration from Cisco NSO to network devices.
The option “sync-from” is usually used when we connect cisco nso to a new network device. With this option we load the configuration from network device to the cisco nso.
The option “sync-to” is typically used when we configure the network device directly and not through Cisco NSO. In this case, the configuration is no longer synchronized. therefore, we use “sync-to” option to replace the configuration of network device with the configuration stored in cisco nso.
However, these are not the only application of “sync-from” and “sync-to” option and can also be used in any application to replace configuration from network device to Cisco NSO or vice versa.
cisco nso ""check-sync" option
With the command “devices check-sync” you can check if the configuration of devices are synchronized.
With the command “devices device R1 check-sync” you can check if the configuration of specific device (here, R1) is synchronized.
admin@ncs(config)# devices check-sync sync-result { device R1 result unknown } sync-result { device asa0 result unknown } sync-result { device ios0 result unknown } ...
admin@ncs(config)# devices device R1 check-sync result out-of-sync
cisco nso "sync-from option"
If they are not synchronized, then we load the configuration from network device into cisco nso using “devices sync-from” to load and synchronize the configuration of all devices into cisco nso or “devices device R1 sync-from” to load and synchronize the configuration of specific device into cisco nso.
admin@ncs(config)# devices sync-from sync-result { device R1 result true } sync-result { device asa0 result true } sync-result { device ios0 result true } ...
admin@ncs(config)# devices device R1 sync-from result true
After we have loaded the configuration into Cisco NSO and synced it, we can use the “devices check-sync” command again to verify that it has been synced correctly.
admin@ncs(config)# devices check-sync sync-result { device R1 result in-sync } sync-result { device asa0 result in-sync } sync-result { device ios0 result in-sync } ...
admin@ncs(config)# devices device R1 check-sync result in-sync
We can also check the configuration of the device through Cisco NSO to make sure it is loaded into Cisco NSO from the network device.
With the command “show running-config devices devices R1”, you can check the configuration of specific device.
admin@ncs# show running-config devices device R1 ... interface Loopback100 ip address 4.5.6.7 255.255.255.0 no shutdown exit interface GigabitEthernet1 no switchport negotiation auto no mop enabled no mop sysid ip address 192.168.2.91 255.255.255.0 no shutdown exit ...
The commands “show configuration”, “show running-config” and “show full-configuration” are three versions to check the configuration. The difference between these commands will be discussed in the next section.
cisco nso "sync-to" option
To see also the application of “sync-to” command, change the configuration of a sample network device directly and not through cisco nso.
Then we check the sync status with “check-sync” command. You will see that the device is not synced anymore.
With “sync-to” option we replace the configuration of network device with the version in cisco nso. Therefore, it is expected that the new configuration, configured directly into device will be deleted.
Let’s verify the result of “sync-to” option.
R1(config)#logging host 1.1.1.1
admin@ncs(config)# devices device R1 check-sync result out-of-sync info got: a3219f3ba1124a9da96915afd5b8a3c5 expected: f942ae0a72ad69e5954fbc0c9847244 admin@ncs(config)# *** ALARM out-of-sync: got: a3219f3ba1124a9da96915afd5b8a3c5 expected: f942ae0a72ad69e5954fbc0c9847244
admin@ncs(config)# devices device R1 sync-to result true
R1(config)#do sh runn | inc logging R1(config)#
commands related to nso connect and sync with network devices can be downloaded from github source community.
great course, thank you!!!
Thanks Josue
Hey Majid,
This is great content. Thank you.
Hey,
I’m just struggle with following issue on version 6.3:
admin@ncs# devices device CSR1 sync-from
result false
info Failed to connect to device CSR1: connection refused: NEDCOM CONNECT: authenticate: Exhausted available authentication methods, server allowed: [ publickey keyboard-interactive password ] in new state
admin@ncs#
Do you know where can be the issue?
show running-config devices device CSR1
devices device CSR1
address 10.0.0.2
ssh host-key-verification none
authgroup RAYKA
device-type cli ned-id cisco-ios-cli-6.106
device-type cli protocol ssh
state admin-state unlocked
config
Best regards,