How to do Cisco NEXUS Automated provisioning

Originally published at: How to do Cisco NEXUS Automated provisioning | Indeni

In this article we discuss the automated provisioning options for NX-OS and their benefits, and walk through an example of a provisioning script. We also try to understand why automated provisioning is still underutilized among network professionals.

Auto provisioning benefits

Automated provisioning is arguably best suited for large companies. If you disagree (theoretically or, even better, from experience), feel free to elaborate in the comments section. Being able to automagically install the newest firmware and configuration files on Nexus switches is certainly a nice feature, but a firmware upgrade can be done manually fairly quickly, and you can always keep a configuration template for switches with similar roles in which you typically change only the IP address and a few other parameters.

Auto provisioning would certainly be quicker and cleaner, but a trained person can finish the job manually fairly quickly too. What if you have 250 switches to install, though? Going through all of them by hand would be a daunting task. With auto provisioning you can, for example, set the firmware on each device and push a config file with the IP parameters, with VLAN information distributed through VTP, and all of it with a couple of keystrokes. That assumes, of course, that you have already spent the five hours writing and adjusting the scripts. But if you do this kind of work often, you can save a tremendous amount of time.

Types of auto provisioning for Cisco Nexus

There are several possibilities for auto provisioning on NX-OS, but in this article we will focus on PowerOn Auto Provisioning (POAP).

Other approaches to auto provisioning include:

  • Extended interfaces such as the Cisco NX-API
  • Native Linux-based management
  • Open source tools such as Ignite, or network boot via the Preboot Execution Environment (PXE)
  • Linux containers (LXCs)
  • Scripting languages such as Python or Ruby
  • Configuration management and orchestration tools such as Puppet, Chef, Ansible or OpenStack

What is POAP and how does it work?

POAP is the process that automates upgrading the software image and installing a configuration file on newly deployed Cisco Nexus switches. If a Nexus switch finds no startup configuration when it boots, it enters POAP mode and sends DHCP discover messages on its active interfaces, including the management port. From the DHCP offer it takes a temporary IP address and default gateway and, via the TFTP server and boot file name options (66 or 150, and 67), the address of the script server and the name of the POAP script. It downloads that script over TFTP and runs it; the script then fetches the firmware image and the configuration from the file server (typically over SCP, HTTP or TFTP), installs them and reboots the switch. Note what this trust model implies: a switch in POAP mode acts on whichever DHCP server answers first and runs whatever script it is pointed at, so the provisioning segment must be one that only your DHCP and file servers can reach.

What are the network requirements for POAP?

You will need a couple of servers to implement POAP:
  • A DHCP server that hands the switch its temporary IP parameters together with the script server address and the script file name.
  • A TFTP server that serves the POAP Python script which performs the firmware upgrade and switch configuration.
  • One or more file servers (SCP, HTTP, FTP or TFTP) that store the images and config files the script downloads.
The roles can share one machine; what matters is that all of them are reachable from the provisioning subnet and that nobody who could stand up a rogue DHCP or file server is.

How do I configure a Nexus switch with POAP?

Connect the switch to the provisioning network and power it on. If it finds no startup configuration, it enters POAP mode and prints a prompt on the console asking whether you want to abort POAP and continue with the normal setup dialog. Answer no (the default) to let POAP proceed; answering yes aborts POAP and drops you into the interactive setup. The switch then obtains its DHCP lease, downloads and runs the script, and reboots with the new image and configuration. Watch the console and the syslog messages the script emits for progress, and confirm that the resulting running configuration is the one you intended before putting the switch into service.
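Once the script has copied the image to bootflash, the one check it can make on the device itself is to compare the file against the digest sidecar published next to it on the file server (the script excerpt further down does this with an .md5 file). Below is a stand-alone version of that check, added here as an example; it is not code from the original article or from the Ignite project. It generalises the md5-only check to sha256 sidecars (an assumption: that the file server also publishes `<image>.sha256` in the same `<hex>  <name>` format that md5sum and sha256sum write), parses the sidecar defensively so that an HTML error page saved under that name is rejected rather than compared, and streams the image through the digest because NX-OS images run to hundreds of megabytes. The constructed `demo()` writes a fake image and sidecars to a temporary directory; nothing here touches a real switch.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Digest algorithm per sidecar extension. The POAP script on this page uses
# only "md5"; "sha256" is added as an example of a collision-resistant
# alternative (assumption: the file server publishes "<image>.sha256").
SIDECAR_ALGOS = {"md5": "md5", "sha256": "sha256"}

# md5sum/sha256sum line: "<hex>  <name>" (optional "*" for binary mode) or a bare digest.
_SIDECAR_RE = re.compile(r"^(?P<hex>[0-9a-fA-F]+)(?:\s+\*?(?P<name>\S.*))?\s*$")


def parse_sidecar(text, algo):
    """Return the expected hex digest from a sidecar file's contents.

    Raises ValueError for anything that is not a digest of the right length
    (an HTML error page fetched by mistake, an empty file), so the caller
    never compares the image against garbage.
    """
    stripped = text.strip()
    line = stripped.splitlines()[0] if stripped else ""
    m = _SIDECAR_RE.match(line)
    expected_len = hashlib.new(algo).digest_size * 2
    if not m or len(m.group("hex")) != expected_len:
        raise ValueError("sidecar is not a %d-hex-char %s digest: %r"
                         % (expected_len, algo, line[:80]))
    return m.group("hex").lower()


def file_digest(path, algo, chunk=1 << 20):
    """Digest a file in 1 MiB chunks so a large image never sits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def same_digest(image_path, sidecar_path):
    """Counterpart of the POAP script's same_md5(), selected by sidecar extension.

    Returns (ok, reason). Missing or unreadable inputs are failures, not
    exceptions, so a non-fatal caller can log the reason and continue.
    """
    ext = os.path.splitext(sidecar_path)[1].lstrip(".").lower()
    algo = SIDECAR_ALGOS.get(ext)
    if algo is None:
        return False, "unsupported sidecar extension %r" % ext
    if not os.path.isfile(image_path):
        return False, "image missing: %s" % image_path
    try:
        with open(sidecar_path, "r") as f:
            expected = parse_sidecar(f.read(), algo)
    except (OSError, ValueError) as e:
        return False, "bad sidecar: %s" % e
    actual = file_digest(image_path, algo)
    # compare_digest is constant-time; not needed for a local compare, but the
    # right habit for any digest comparison.
    if not hmac.compare_digest(actual, expected):
        return False, "%s mismatch: got %s, expected %s" % (algo, actual, expected)
    return True, "%s verified" % algo


def demo():
    """Constructed scenario: a fake image, good sidecars, then a corrupted copy."""
    image = b"fake nxos image bytes\n" * 1000  # constructed data, not a real image
    results = {}
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "nxos.bin")
        with open(img, "wb") as f:
            f.write(image)
        with open(img + ".md5", "w") as f:
            f.write("%s  nxos.bin\n" % hashlib.md5(image).hexdigest())
        with open(img + ".sha256", "w") as f:
            f.write(hashlib.sha256(image).hexdigest() + "\n")
        results["md5_ok"] = same_digest(img, img + ".md5")[0]
        results["sha256_ok"] = same_digest(img, img + ".sha256")[0]
        # Flip one byte: a truncated or tampered transfer must be rejected.
        with open(img, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        results["corrupt_rejected"] = not same_digest(img, img + ".md5")[0]
        # An HTML error page saved as the sidecar must be rejected, not parsed.
        with open(img + ".md5", "w") as f:
            f.write("<html>404 Not Found</html>\n")
        results["bad_sidecar_rejected"] = not same_digest(img, img + ".md5")[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Keep the caveat in mind: the sidecar is fetched from the same server over the same channel as the image, so a match proves the bytes survived transit intact, not that they are the image you published. Protecting against a substituted image is the job of the provisioning network's isolation (and of checking the image against Cisco's published hash before you place it on the file server), not of this function.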

Python script example

With an understanding of Python scripting and Cisco Nexus features you can write some really neat scripts to make your life easier. Below you will find an excerpt from a POAP script, shown as a diff against the original, covering the part that copies the firmware image directly to bootflash:
#Set syslog server and port - fill in from ignite/config.py
-SYSLOG_SERVER = "127.0.0.1"
+SYSLOG_SERVER = "10.122.140.124"
 SYSLOG_PORT = 514

MD5SUM_EXT = “md5”
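Review bot: the comment on the first line says the syslog server is to be filled in from ignite/config.py, yet this hunk hard-codes a site address (10.122.140.124) into the script in place of the loopback default. Import the value from the config module, or read it from a variable the deployment sets, so the script can be shared between sites without patching; a hard-coded address also ends up in every copy of the script served over TFTP.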
@@ -83,7 +83,7 @@ def cleanup_exit(exit_status):
def rm_rf(filename):
filename_u = “/” + filename.replace(":", “/”)
if not os.path.exists(filename_u):

  •    syslog("rm_rm: file does not exist- %s" %filename)
    
  •    syslog("rm_rf: file does not exist- %s" %filename)
       return True
    
    try:
    cli(“delete %s” % filename)
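Review bot: the log message fix (rm_rm to rm_rf) is correct, but the new line keeps the stray hyphen and spacing of the old one (`file does not exist- %s`); tidy it while touching it. A one-line comment that `return True` for a missing file is deliberate (the cleanup is idempotent) would also help, since callers check `if not rm_rf(...)` and a reader can take True to mean something was actually deleted.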
    @@ -198,21 +198,14 @@ def get_image(protocol=“scp”, port="", hostname="", file_src="",
    image_name = os.path.basename(file_src)
    syslog(“Image to download %s” % image_name)
    file_dst_local = IMAGE_DST_LOCAL_PATH + image_name
  • syslog(“Image temp detination %s” % file_dst_local)
  • syslog(“MD5 file temp detination %s” % file_dst_local)
    file_dst = file_dst + image_name
    syslog(“Image final detination %s” % file_dst)
  • if not rm_rf(file_dst_local):
  • if not fatal:
  •        cleanup_exit(0)
    
  •    cleanup_exit(1)
    
 #will set default image (full path)
 if default_image == "":
     default_image = file_dst
  •    #default_image = default_image_g
       syslog("Default image is %s" % default_image)
    

    md5_file_name_src = “%s.%s” % (file_src, MD5SUM_EXT)
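Review bot: `file_dst_local = IMAGE_DST_LOCAL_PATH + image_name` is kept as a context line while every use of it is removed in this hunk and the ones below (the temp-destination log lines, the `rm_rf(file_dst_local)` pre-clean, and further down the copy and md5 calls), which leaves a dead assignment and, presumably, an unused IMAGE_DST_LOCAL_PATH constant; drop them together. Dropping the pre-clean also means nothing clears a stale or partial file at the final path before the copy, so either confirm that do_copy overwrites or keep an `rm_rf(file_dst)` here. Removing the commented-out `#default_image = default_image_g` is good; the typo `detination` survives in the remaining log line.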
    @@ -248,7 +241,7 @@ def get_image(protocol=“scp”, port="", hostname="", file_src="",
    syslog(“Does not exist %s” % default_image)

  •    if not do_copy(file_src, file_dst_local):
    
  •    if not do_copy(file_src, file_dst):
    
           if fatal:
               cleanup_exit(1)
    

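Review bot: copying straight to the final path (`do_copy(file_src, file_dst)`) removes the staging step that kept a failed or partial transfer away from the location the boot statement later points at. The failure branch only handles `fatal`; in the non-fatal case execution continues into the md5 check against whatever landed at file_dst, so make sure that check copes with a missing or truncated file, and consider removing file_dst on copy failure rather than leaving the partial image behind.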
@@ -258,19 +251,18 @@ def get_image(protocol=“scp”, port="", hostname="", file_src="",
syslog(“INFO: Completed Copy of System Image”)

     #check if the downloaded image md5 matches the md5 calculated at source
  •    if not same_md5(file_dst_local, md5_file_name_dst):
    
  •    if not same_md5(file_dst, md5_file_name_dst):
    
           if not fatal:
               cleanup_exit(1)
    
           cleanup_exit(0)
    
  •    cmd = "copy %s %s ; " % (file_dst_local, file_dst)
    
  •    cmd +=  "config terminal ; boot nxos %s ; exit ; " % (file_dst)
    
  •    cmd =  "config terminal ; boot nxos %s ; exit ; " % (file_dst)
       cmd += "copy running-config startup-config ; "
       run_cli(cmd)
    
    else:
  •    cmd =  "config terminal ; boot nxos %s ; exit ; " % (file_dst)
    
  •    cmd =  "config terminal ; boot nxos %s ; exit ; " % (default_image)
       cmd += "copy running-config startup-config ; "
       run_cli(cmd)
    
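Review bot: the exit statuses in the md5 mismatch branch look inverted in the context lines: `if not fatal: cleanup_exit(1)` while the fatal case falls through to `cleanup_exit(0)`, so a fatal checksum failure exits with success. With the staging copy gone, a mismatch also leaves the bad file at file_dst, and the `Does not exist` check above appears to route the next run into the else branch, which now boots `default_image` without re-verifying it; delete file_dst on mismatch before exiting. Separately, the md5 sidecar is fetched from the same server over the same protocol as the image, so this check detects corruption, not a substituted image, and is no substitute for isolating the provisioning network.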

Recent survey results show automated provisioning is underutilized

The results of a recent Network & Security Automation Trends survey conducted by the Indeni team and GNS3 show that automated provisioning of network devices and servers is still far from being fully utilized.

Only 33 percent of the network and security professionals who participated in the survey stated that they have begun to use methods such as scripting to automate the provisioning of new devices. "Begun to use" suggests, to a certain extent, that a number of those who are automating are still in the learning phase and not yet using all the possibilities, so the share that has really learned the ins and outs of automated network provisioning is probably even smaller.

Furthermore, the share is probably smaller still among network professionals in small to mid-sized companies, who lack the time, knowledge, infrastructure or perhaps even the motive.

Is there a lack of motivation for change or steep learning curve?

So what is the problem? A steep learning curve? A lack of motivation to change? Both? The answer, as usual, most likely lies somewhere in between.

The survey results suggest that network engineers are often burdened with day-to-day activities that keep them from learning new technologies such as coding. Pursuing the various Cisco certification paths is hard, but along the way, in your everyday job, you pick up most of the basics, such as terminology and simple concepts, and the learning becomes easier.

Many network professionals, on the other hand, don't know the basics of coding, which makes things harder, since they essentially need to start from scratch.

One reason for the lack of a qualified workforce could be that network engineers don't get to learn how to code during their everyday tasks at work. As a result they need to learn something completely new, most likely outside business hours in their private time, and not everybody is prepared for that kind of personal sacrifice. To make things worse, even if those engineers manage to pick up the basics of, for example, Python scripting, they may not have a device such as a Cisco Nexus switch on which to try out their new trade. So they neglect learning the "next big thing", perhaps missing the job interviews that would launch them out of small companies into a bigger arena. A vicious cycle.

In Conclusion

We shouldn't live in fear that auto provisioning and SDN robots will replace the need for flesh and blood engineers. There will always be small and medium companies to work at where we can complete every task by hand. However, if you want to achieve a high level of expertise and be part of the best, learning how to code is most likely already a necessity. So it all boils down to personal preference and your desire for change and development. Get a Python book and get to work!

I recommend INE's video lessons since I'm using them for my networking studies and I think they provide quality material: https://ine.com/collections/python/

Also, a good starting point for reading, given that you have no experience in Python, would be the book Foundations of Python Network Programming by John Goerzen and Brandon Rhodes: https://www.amazon.com/Foundations-Python-Network-Programming-comprehensive-ebook/dp/B004VHFX8W

Did you know Indeni Crowd members are also learning how to code? Join them here to discuss best practices and find links to top resources.

Thank you to community member Filip Knezevic for contributing this article!