Table of Contents

connect and sync cisco nso to network devices is what we will discuss in this section.

connect NSO to network devices

In the previous sections, we installed Cisco NSO and prepared a CSR1000V device and some NetSim emulated devices.

In this section, we will connect Cisco NSO to all of these devices and sync the configuration of the devices to Cisco NSO so that they can be managed from Cisco NSO from now on.

To connect Cisco NSO to a device, we need to know the IP address of the device, the authentication information used to connect to the device, and the connection method, Telnet or SSH.

To do this, we configure an authentication group including username, password, and optional enable password.

More than one authentication group can be configured, since different network devices will probably need different credentials to connect to them.

For each device, we configure in Cisco NSO which authentication group to use to connect to the network device.

Here we have configured authentication group “RAYKA” with username “rayka”, password “rayka-co.com” and optional enable password “rayka-co.com”.

Then we configure a device named “R1” and IP address “192.168.2.91” to use authentication group “RAYKA”, the connection protocol “SSH” and ignore host key verification.

# add authentication group 
devices authgroups group RAYKA
 default-map remote-name rayka
 default-map remote-password rayka-co.com
 default-map remote-secondary-password rayka-co.com

# add a device
devices device R1
 address 192.168.2.91
 authgroup RAYKA
 ssh host-key-verification none
 device-type cli ned-id cisco-ios-cli-6.88
 device-type cli protocol ssh
 state admin-state unlocked
 commit
 connect
 end

We need to unlock the device since all devices are locked by default when added to Cisco NSO.

Then we commit the configuration, which means to apply the configuration. otherwise, the configuration is added to the candidate configuration, but is not active until it is committed.

We will talk more about commit command in the next section.

Then we check the connectivity to the network device with “connect” command to make sure that all parameters are configured correctly.

In my case, the connection is refused and we receive the error “SSH key exchange failed”.

admin@ncs(config-device-R1)# devices device R1
admin@ncs(config-device-R1)# address 192.168.2.91
admin@ncs(config-device-R1)# authgroup RAYKA
admin@ncs(config-device-R1)# ssh host-key-verification none
admin@ncs(config-device-R1)# device-type cli ned-id cisco-ios-cli-6.88
admin@ncs(config-device-R1)# device-type cli protocol ssh
admin@ncs(config-device-R1)# state admin-state unlocked
admin@ncs(config-device-R1)# commit
Commit complete.
admin@ncs(config-device-R1)# connect
result false
info Failed to authenticate towards device R1: SSH key exchange failed
admin@ncs(config-device-R1)# *** ALARM connection-failure: Failed to authenticate towards device R1: SSH key exchange failed
admin@ncs(config-device-R1)#

The problem is that the protocol “ssh-rsa” is not in the list of allowed algorithms in cisco nso but it is the cisco csr1000v default ssh algorithm.

Let’s look at the list of acceptable algorithms in Cisco NSO and then add the “SSH-RSA” algorithm to the list to solve the problem.

admin@ncs# show running-config devices global-settings ssh-algorithms public-key | details
devices global-settings ssh-algorithms public-key [ ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256 ]

admin@ncs(config)# devices global-settings ssh-algorithms public-key ssh-rsa
admin@ncs(config)# commit
Commit complete.

admin@ncs(config)# devices device R1
admin@ncs(config-device-R1)# connect
result true
info (admin) Connected to R1 - 192.168.2.91:22
admin@ncs(config-device-R1)#

Now the connection result is true and we can connect to the configured device.

connect NSO to netsim devices

In the next step we will connect cisco nso to netsim emulated devices.

To do this, we need the IP address, port, and credentials to connect Cisco NSO to netsim emulated devices.

The “ncs-netsim” command has the “ncs-xml-init” option that exports the list of devices, IP address, port, credentials and the algorithm used to connect to them in the format of an XML output.

ncs-netsim ncs-xml-init

This is exactly like what we have done for router R1.

Then we can export the xml output into a file and load the file into nso configuration file. Then we are allowed to connect to netsim emulated devices.

Let’s create the list of netsim emulated devices with “ncs-netsim” command and export the xml output into a file.

majid@majid-ubuntu:~/devnet/cisco_nso$ cd ~/nso-instance/
majid@majid-ubuntu:~/nso-instance$ ls
logs  ncs-cdb  ncs.conf  netsim  packages  README.ncs  scripts  state  storedstate  target

majid@majid-ubuntu:~/nso-instance$ source $HOME/nso-6.0/ncsrc
majid@majid-ubuntu:~/nso-instance$ ncs-netsim ncs-xml-init > devices.xml

majid@majid-ubuntu:~/nso-instance$ ls
devices.xml  logs  ncs-cdb  ncs.conf  netsim  packages  README.ncs  scripts  state  storedstate  target

If we check inside the xml file, you see the list of devices and information to connect to devices.

majid@majid-ubuntu:~/nso-instance$ cat devices.xml | egrep "name|address|port|ned-id"
     <name>ios0</name>
     <address>127.0.0.1</address>
     <port>10022</port>
         <ned-id xmlns:id="http://tail-f.com/ns/ned-id/cisco-ios-cli-6.88">id:cisco-ios-cli-6.88</ned-id>
     <name>ios1</name>
     <address>127.0.0.1</address>
     <port>10023</port>
         <ned-id xmlns:id="http://tail-f.com/ns/ned-id/cisco-ios-cli-6.88">id:cisco-ios-cli-6.88</ned-id>
     <name>ios2</name>
     <address>127.0.0.1</address>
     <port>10024</port>
         <ned-id xmlns:id="http://tail-f.com/ns/ned-id/cisco-ios-cli-6.88">id:cisco-ios-cli-6.88</ned-id>
     <name>asa0</name>
     <address>127.0.0.1</address>
     <port>10025</port>
         <ned-id xmlns:id="http://tail-f.com/ns/ned-id/cisco-asa-cli-6.16">id:cisco-asa-cli-6.16</ned-id>
     <name>iosxr0</name>
     <address>127.0.0.1</address>
     <port>10026</port>
         <ned-id xmlns:id="http://tail-f.com/ns/ned-id/cisco-iosxr-cli-7.43">id:cisco-iosxr-cli-7.43</ned-id>
     <name>nxos0</name>
     <address>127.0.0.1</address>
     <port>10027</port>
         <ned-id xmlns:id="http://tail-f.com/ns/ned-id/cisco-nx-cli-5.23">id:cisco-nx-cli-5.23</ned-id>
     <name>junos0</name>
     <address>127.0.0.1</address>
     <port>12028</port>
         <ned-id xmlns:id="http://tail-f.com/ns/ned-id/juniper-junos-nc-3.0">id:juniper-junos-nc-3.0</ned-id>

Now we load the xml file including the list of devices into configuration file and commit the changes to apply the new configuration.

majid@majid-ubuntu:~/nso-instance$ ncs_cli -u admin -C
!
User admin last logged in 2023-06-15T15:03:10.186059+00:00, to majid-ubuntu, from 192.168.2.175 using cli-ssh
admin connected from 192.168.2.175 using ssh on majid-ubuntu
!
admin@ncs# config t
Entering configuration mode terminal
admin@ncs(config)# load merge devices.xml
Loading.
9.81 KiB parsed in 0.18 sec (54.48 KiB/sec)
!
admin@ncs(config)# commit
Commit complete.
admin@ncs(config)#

If you review the new configuration, you will see that all new devices are added to the configuration, including the IP address and port to connect to the device, the public key, and the default authentication group, which is public-key authentication.

...
devices device ios0
 address   127.0.0.1
 port      10022
 ssh host-key ssh-rsa
  key-data ...
 !
 ssh host-key ssh-ed25519
  key-data AAAAC3NzaC1lZDI1NTE5AAAAIIPA15JhvDCk+JZ5yViUjPw9k+Vl8kKS1BWEO9w/iTTx
 !
 authgroup default
 device-type cli ned-id cisco-ios-cli-6.88
 ssh-algorithms public-key [ ssh-ed25519 ssh-rsa ]
 state admin-state unlocked
...

Now we can check the connectivity to network devices using “devices connect” in configuration mode to make sure that everything is working as we expect.

admin@ncs(config)# devices connect
connect-result {
    device R1
    result true
    info (admin) Connected to R1 - 192.168.2.91:22
}
connect-result {
    device asa0
    result true
    info (admin) Connected to asa0 - 127.0.0.1:10025
}
connect-result {
    device ios0
    result true
    info (admin) Connected to ios0 - 127.0.0.1:10022
}
...

With the command “show devices list” in enable mode in cisco nso, you can check the list of devices added to cisco nso. You can always use this command to review and check the list of your devices.

admin@ncs# show devices list
NAME    ADDRESS       DESCRIPTION  NED ID                ADMIN STATE
--------------------------------------------------------------------
R1      192.168.2.91  -            cisco-ios-cli-6.88    unlocked
asa0    127.0.0.1     -            cisco-asa-cli-6.16    unlocked
ios0    127.0.0.1     -            cisco-ios-cli-6.88    unlocked
ios1    127.0.0.1     -            cisco-ios-cli-6.88    unlocked
ios2    127.0.0.1     -            cisco-ios-cli-6.88    unlocked
iosxr0  127.0.0.1     -            cisco-iosxr-cli-7.43  unlocked
junos0  127.0.0.1     -            juniper-junos-nc-3.0  unlocked
nxos0   127.0.0.1     -            cisco-nx-cli-5.23     unlocked

Sync NSO to network devices

We’ve connected the Cisco NSO to the network devices, but we’re still not ready to start automating and orchestrating with Cisco NSO.

This is because the configuration of the device needs to be synchronized in Cisco NSO. At this point, it is possible to configure devices through Cisco NSO rather than directly, which is a prerequisite for automating and orchestrating network devices and services.

There are two configuration synchronization options. The option “sync-from” syncs configuration from network device to Cisco NSO and “sync-to” option syncs configuration from Cisco NSO to network devices.

cisco nso sync options
cisco nso sync options

The option “sync-from” is usually used when we connect cisco nso to a new network device. With this option we load the configuration from network device to the cisco nso.

The option “sync-to” is typically used when we configure the network device directly and not through Cisco NSO. In this case, the configuration is no longer synchronized. therefore, we use “sync-to” option to replace the configuration of network device with the configuration stored in cisco nso.

However, these are not the only application of “sync-from” and “sync-to” option and can also be used in any application to replace configuration from network device to Cisco NSO or vice versa.

cisco nso ""check-sync" option

With the command “devices check-sync” you can check if the configuration of devices are synchronized.

With the command “devices device R1 check-sync” you can check if the configuration of specific device (here, R1) is synchronized.

admin@ncs(config)# devices check-sync
sync-result {
    device R1
    result unknown
}
sync-result {
    device asa0
    result unknown
}
sync-result {
    device ios0
    result unknown
}
...

admin@ncs(config)# devices device R1 check-sync
result out-of-sync

cisco nso "sync-from option"

If they are not synchronized, then we load the configuration from network device into cisco nso using “devices sync-from” to load and synchronize the configuration of all devices into cisco nso or “devices device R1 sync-from” to load and synchronize the configuration of specific device into cisco nso.

admin@ncs(config)# devices sync-from
sync-result {
    device R1
    result true
}
sync-result {
    device asa0
    result true
}
sync-result {
    device ios0
    result true
}
...

admin@ncs(config)# devices device R1 sync-from
result true

After we have loaded the configuration into Cisco NSO and synced it, we can use the “devices check-sync” command again to verify that it has been synced correctly.

admin@ncs(config)# devices check-sync
sync-result {
    device R1
    result in-sync
}
sync-result {
    device asa0
    result in-sync
}
sync-result {
    device ios0
    result in-sync
}
...

admin@ncs(config)# devices device R1 check-sync
result in-sync

We can also check the configuration of the device through Cisco NSO to make sure it is loaded into Cisco NSO from the network device.

With the command “show running-config devices devices R1”, you can check the configuration of specific device.

admin@ncs# show running-config devices device R1
...
  interface Loopback100
   ip address 4.5.6.7 255.255.255.0
   no shutdown
  exit
  interface GigabitEthernet1
   no switchport
   negotiation auto
   no mop enabled
   no mop sysid
   ip address 192.168.2.91 255.255.255.0
   no shutdown
  exit
...

The commands “show configuration”, “show running-config” and “show full-configuration” are three versions to check the configuration. The difference between these commands will be discussed in the next section.

cisco nso "sync-to" option

To see also the application of “sync-to” command, change the configuration of a sample network device directly and not through cisco nso.

Then we check the sync status with “check-sync” command. You will see that the device is not synced anymore.

With “sync-to” option we replace the configuration of network device with the version in cisco nso. Therefore, it is expected that the new configuration, configured directly into device will be deleted.

Let’s verify the result of “sync-to” option.

R1(config)#logging host 1.1.1.1

admin@ncs(config)# devices device R1 check-sync
result out-of-sync
info got: a3219f3ba1124a9da96915afd5b8a3c5 expected: f942ae0a72ad69e5954fbc0c9847244

admin@ncs(config)# *** ALARM out-of-sync: got: a3219f3ba1124a9da96915afd5b8a3c5 expected: f942ae0a72ad69e5954fbc0c9847244

admin@ncs(config)# devices device R1 sync-to
result true

R1(config)#do sh runn | inc logging
R1(config)#

commands related to nso connect and sync with network devices can be downloaded from github source community.

Back to: Network Automation and Service Orchestration using Cisco NSO > Install cisco NSO version 6.0 and connect to network devices

2 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *


Post comment