Brkops 2418

Migrating your network to
Segment Routing
using Cisco Network Services Orchestrator
Michael Maddern
Technical Marketing Engineer
BRKOPS-2418
Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
BRKOPS-2418 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• What is Segment Routing?

• Network Programmability
• Why automate with NSO?
• Migrating to Segment Routing
• What about Testing?
• Demo
What is
Segment Routing?
Segment Routing is a flexible,
scalable way of doing source
routing.
Segment Routing
The source chooses a path

and encodes it in the packet
header as an ordered list of
segments.
Each segment is identified by
MPLS IS-IS
the segment ID (SID)
consisting of a flat unsigned
32-bit integer.
Segment Routing | Segment IDs
Prefix SID
A segment ID that contains

an IP address prefix.
16001 16002
A node prefix SID contains
the loopback address of the
node as the prefix.
MPLS IS-IS
Prefix SIDs are globally 16005
unique and allocated from
the Segment Routing Global
Block (SRGB)
16003 16004
Segment Routing | Segment IDs
Adjacency SID
A segment ID that contains an

advertising router’s adjacency 202
203
to a neighbour. 16001 16002
An adjacency SID is a link
201
201
between two routers.
MPLS IS-IS
Since the adjacency SID is 16005
202
203
relative to a specific router, it is
locally unique and dynamically
allocated by the device. 201
202
16003 16004
Segment Routing | Paths
Dynamic Path
Router A, sending traffic to 16005

router E, packet
202
203
16001 16002
pushes label 16005
201
201
to forward traffic using the
shortest path to router E MPLS IS-IS
(a-b-e). 16005
202
203
201
202
16003 16004
Segment Routing | Paths
Explicit Path
16004
Router A, sending traffic to 201
router E, packet
202
203
16001 16002
pushes label stack
(16004, 201)
201
201
to reach router E, using the MPLS IS-IS
shortest path to router D 16005
202
203
(a–c-d or a-b-d),
and then through an explicit 201
interface onto the 202
destination. 16003 16004
Segment Routing | Fast Reroute
TI-LFA | Topology Independent Loop Free Alternative
Fast-reroute capability using a

pre-computed backup path
The backup path follows the
post-convergence path
Provides full coverage and
does not have any topology
dependencies
Guaranteed sub-50ms per-prefix
protection
Segment Routing | Value Proposition
Simpler Deployable
Fewer protocols Seamless Brownfield Integration
Stateless traffic engineering Single Control for Inter Domain
Implementations
Value-Add Services Available

Differentiate services with SR policies Automated 50ms Protection
Performance monitoring and path Assured Loop-free Convergence
validation for better SLAs upon Recovery
Multi-vendor consensus - designed and built with network operators
Segment Routing | Configuration
Enabling Segment Routing
Segment Routing and LDP can coexist together.

When a given destination can be reached by both SR and LDP transport paths,
the LDP transport path is preferred by default.
Therefore the initial SR configuration can be provisioned without breaking the
existing LDP connectivity.
Ways to make the forwarding interface use Segment Routing instead:
1. Configure the label preference on the label edge router.
2. Disable LDP – the ultimate goal (simplify).
Network
Programmability
Network Programmability
What are the options?
Paramiko
Netmiko
NAPALM
/(Reg[Ex])?/
Network Programming
What are the options?
Programming your network through CLI interfaces?
CLI is good for Unstructured

human Text-based
interaction
Difficult to parse
CLI is bad for Difficult to validate
programming Complicated syntax
(computer Requires sequencing
interaction)
Poor error handling
No transaction
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
Network Programmability | YANG
A better alternative
YANG
NETCONF/YANG provides a standardized

way to programmatically update and modify
the configuration of a network device.
NETCONF
YANG is the modelling language that Interface
describes the changes.
Running
NETCONF is the protocol that applies the Datastore
changes to the datastore on the device.
Network Device
BRKMPL-2210 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
Yet Another Next Generation (RFC 6020 and 7950)
A structured, well-defined
representation of config and
operational data types.
Providing a programmable
network interface.
Decoupled from transport,
protocol and encoding.
Wide standards support and open
source tooling.
NETCONF / YANG stack
Protocol NETCONF RESTCONF
Encoding XML JSON
Transport SSH HTTP
YANG Models Open Native
Data Store Configuration Operational
Device Features BGP IS-IS VRF Interface
BRKMPL-2210
module: Cisco-IOS-XR-clns-isis-cfg-example
+--rw isis
+--rw instances
+-- rw instance* [instance-name] KEY
+-- rw instance-name string DATA TYPE LEAF
+-- rw srgb!
| +-- rw lower-bound uint32
CNTR
DATA TYPE LEAF

| +-- rw upper-bound uint32
+-- rw interfaces
| +-- rw interface* [interface-name] KEY
| +-- rw interface-name string DATA TYPE LEAF
| +-- rw interface-afs
| | +-- rw interface-af* [af-name saf-name] COMPOSITE KEY
| | +-- rw af-name address-family DATA
LEAF
| | +-- rw saf-name sub-address-family TYPE
| | +-- rw interface-af-data
| | | +-- rw prefix-sid!
CONTAINER
CONTAINER
CONTAINER
CONTAINER
CONTAINER
| | | | +-- rw type enumeration

CONTNR
MODULE
DATA
| | | | +-- rw value uint32 LEAF
LIST
LIST
LIST
TYPE
| | | | +-- rw nflag-clear BRKOPS-2418 enumeration
Where do YANG models come from?
Vendors OpenConfig Standards Bodies Other
Summary
Don’t start with the obvious

Scripting, Python Libraries, Ansible Network Modules
Data models are the foundation of automation

Structured, Well-Defined, Programmable Network API
Why automate
with NSO?
Orchestration for Network automation
Operational Value should
• Instantiate network intent
• Require minimal user input
• Enforce best practices
• Handle failure
• Handle rollout and rollback
• Provide transactional
guarantees
Automation to Enforce Best Practices
Almost nothing is unique to a given device
router isis {instance-name}

segment-routing global-block {start} {end}
Should be
address-family {afi} {safi}
the same
segment-routing mpls throughout
! network
interface Loopback{loopback-id}
address-family {afi} {safi}
prefix-sid absolute {prefix-sid} Must be
! unique to
! the device
Cisco Network Services Orchestrator
Key Features
YANG Native Python Maagic State Convergence Multi-Vendor Network-wide CLI
Compliance Checks Web UI AAA Framework Function Packs DevNet Community
Cisco Network Services Orchestrator
High-Level Architecture
Strict YANG model driven,

Network Ops and Service end-to-end service
Engineering Provisioning Developers lifecycle management
Only create case needs to

Service Manager
be defined
Orchestrator (NSO)
Network Services
Package
CDB
Manager Seamless integration
Device Manager with existing and future
OSS/BSS environment
Device Abstraction Elastic Services Controller (VNFM)
Loosely-coupled and
VNF Lifecycle VNF Service modular architecture
NED NED NED
Manager Monitoring leveraging open APIs and
standard protocols
NEDs abstract complex

Multi-domain Networks
device logic and error
handling
The Industry’s Broadest Multi-Vendor Support
Over 170 Supported NEDs — Customization Available
Migrating to Segment Routing using NSO
Benefit Summary
 Turn up Segment Routing in a controlled and risk-free manner.

 The best practices are built into the service model.
 Tedious TI-LFA config generated for all interfaces.
 Executes operational tests to validate each step before proceeding.
 Simple user interface and API, minimizing errors and risk.
 Phased rollout capability.
 Automated rollback to handle errors.
Migrating to
Segment Routing
Migrating to Segment Routing
Small Steps, Incrementally Validated
Enable SR Prefer Segment Disable LDP

and TI-LFA Routing
Configure Configure Configure
Validate Validate Validate
Simplicity, Resilience, Programmability
Enable Segment Routing in the IGP Address Family
Cisco IOS-XR CLI Cisco IOS-XR Native YANG Data Model
module: Cisco-IOS-XR-clns-isis-cfg
+--rw isis
+--rw instances
+--rw instance* [instance-name]
router isis CORE +--rw instance-name string
+--rw afs
address-family ipv4 unicast
+--rw af* [af-name saf-name]
segment-routing mpls +--rw af-name address-family
+--rw saf-name sub-address-family
+--rw af-data!
+--rw segment-routing
+--rw mpls? label-preference
Enable Segment Routing in the IGP Address Family
Cisco IOS-XR CLI OpenConfig YANG Data Model
module: openconfig-network-instance
+--rw network-instances
+--rw network-instance* [name]
+--rw name -> ../config/name
+--rw protocols
router isis CORE +--rw protocol* [identifier name]
address-family ipv4 unicast +--rw identifier -> ../config/identifier
segment-routing mpls +--rw name -> ../config/name
+--rw isis
| +--rw global
| +--rw segment-routing
| +--rw config
| +--rw enabled? boolean
Configure the Prefix SID under the IGP Loopback Interface
+--rw isis
+--rw instances
+--rw instance-name string
+--rw interfaces
router isis CORE | +--rw interface* [interface-name]
interface Loopback 0 | +--rw interface-name string
address-family ipv4 unicast | +--rw interface-afs
prefix-sid absolute 16001 | | +--rw interface-af* [af-name saf-name]
| | +--rw af-name address-family
| | +--rw saf-name sub-address-family
| | +--rw interface-af-data
| | | +--rw prefix-sid!
| | | | +--rw type enumeration
| | | | +--rw value uint32
Configure the Prefix SID under the IGP Loopback Interface
Cisco IOS-XR CLI OpenConfig YANG Data Model
module: openconfig-network-instance
+--rw network-instances
+--rw network-instance* [name]
+--rw protocols
+--rw protocol* [identifier name]
+--rw identifier -> ../config/identifier
+--rw isis
| +--rw interfaces
router isis CORE | +--rw interface* [interface-id]
| +--rw interface-id -> ../config/interface-id
interface Loopback 0 | +--rw levels
| | +--rw level* [level-number]
address-family ipv4 unicast | | +--rw level-number -> ../config/level-number
prefix-sid absolute 16001 | | +--rw afi-safi
| | | +--rw af* [afi-name safi-name]
| | | +--rw afi-name -> ../config/afi-name
| | | +--rw safi-name -> ../config/safi-name
| | | +--rw segment-routing
| | | | +--rw prefix-sids
| | | | +--rw prefix-sid* [prefix]
| | | | +--rw config
| | | | | +--rw prefix? ip-prefix
| | | | | +--rw sid-id? sr-sid-type
| | | | | +--rw label-options? enumeration
Enable TI-LFA under every ISIS Interface
+--rw isis
+--rw instances
| +--rw instance-name string
| +--rw interfaces
router isis CORE | +--rw interface* [interface-name]
interface GigabitEthernet0/0/0/0 | | +--rw interface-name string
| | +--rw interface-afs
address-family ipv4 unicast
| | +--rw interface-af* [af-name saf-name]
fast-reroute per-prefix | | +--rw af-name address-family
fast-reroute per-prefix ti-lfa | | +--rw saf-name sub-address-family
| | +--rw interface-af-data
| | | +--rw interface-frr-table
| | | | +--rw frrtilfa-types
| | | | | +--rw frrtilfa-type* [level]
| | | | | +--rw level internal-level
| | | | | +--rw type frr
What about
Testing?
Testing Network Configuration with NSO
Operational Data
NSO can read device operational data:

• Using the device operational YANG models.
• Executing CLI show commands on the device.
NSO can make decisions and conditionally apply device configuration based
on this operational data.
Segment Routing Migration Connectivity Tests
Step 1 | Enable Segment Routing
Adjacency SID validation

• Validates the ISIS adjacency and MPLS forwarding label entries.
• The outgoing label and outgoing interface must be correct.
• For protected adjacency SIDs, these must actually be protected.
Prefix SID validation

• Validates the ISIS segment routing and MPLS forwarding label entries labels.
• Confirms that the prefix SID has been learnt by the other routers in the domain.
Ping test
• Executes an SR MPLS IGP ping to every other router in the domain.
Step 2 | Prefer Segment Routing
Adjacency SID validation

Re-run step 1 tests.
Prefix SID validation

CEF validation
The Prefix SID entry in the Forwarding Information Base (FIB) is checked to ensure the
SR label is imposed.
Ping test
Step 3 | Disable LDP
Only after all connectivity tests have passed will NSO allow the disable LDP
step.
NSO will remove all LDP interfaces for connections between the routers in
the IGP domain.
Demo
https://github.com/NSO-developer/sr-migrate
Service YANG Model
Network-wide model for Segment Routing enablement
The Segment Routing Global Block range definition.

This range will be configured on each router in the IGP domain.
module: sr-migrate
+--rw sr-infrastructure
| +--rw srgb
| +--rw lower-bound? sid
| +--rw upper-bound? sid
Service YANG Model
The IGP domain definition.

This contains the list of routers in the domain, and a reference to the SID
resource pool from which a prefix SID will be allocated for each router,
unless a custom prefix SID is requested.
module: sr-migrate
+--rw igp-domain* [name]
+--rw name string
+--rw sid-pool -> /ralloc:resource-pools/idalloc:id-pool/name
+--rw loopback? uint8
+--rw address-family? enumeration
+--rw router* [name]
| +--rw name -> /ncs:devices/device/name
| +--rw custom-prefix-sid? sid
| +--ro prefix-sid? sid
Service YANG Model
The Segment Routing migration service.

This contains a reference to the IGP domain to migrate. Each migration step
can be requested separately or all set at once.
After each step, a set of operational connectivity tests are executed.
module: sr-migrate
augment /ncs:services:
+--rw sr-migrate* [igp-domain]
+--rw igp-domain -> /igp-domain/name
+--rw enable-segment-routing? boolean
+--rw prefer-sr-imposition? boolean
+--rw disable-ldp? boolean
+--ro connectivity-test-results
+--ro label-imposition-test-results
Segment Routing Migration Service
Configuration Summary
For each router in the IGP domain, NSO will generate the following config:
Step 1
• The Segment Routing Global Block (SRGB).
• A unique prefix SID on the loopback interface.
• TI-LFA on all non-loopback router interfaces.
Step 2
• Segment Routing label imposition preference.
Step 3
• LDP interface configuration removed.
Programmatically removing the LDP interfaces with NSO
NSO allows the entire network configuration to be read and updated programmatically
through the Python Maagic API using the device YANG models.
NSO manages the device credentials and connections, providing transactional
guarantees. The Python code simply reads / updates the device model data in the
NSO CDB.
Using the Python Maagic API reduces the complexity of programming towards NSO:
• Allows the device models to be navigated using standard Python object dot
notation, giving very clear and readable code.
• Provides context handlers, removing the need to close sockets, user sessions and
transactions, and avoiding the problems when they are forgotten and kept open.
• Removes the need to know the data types of the leafs.
For each device:

For each interface:
Calculate the IP network.
Search all the interfaces on every other device in the IGP domain for the
matching IP network.
If found:
For each of the two interfaces:
Check if there is a corresponding LDP interface configured the device.
If there is:
Delete the LDP interface from the device.
connections = defaultdict(list)
for router in igp_domain.router:
device = root.devices.device[router.name]
for interface in device.config.ifmgr_cfg__interface_configurations.\
interface_configuration:
addr = interface.ipv4_io_cfg__ipv4_network.addresses.primary
ip_network = IPv4Interface(unicode('%s/%s' % addr.address,
addr.netmask)).network
entry = (device.name, interface.interface_name)

connections[ip_network].append(entry)
for connection in connections.values():
if len(connection) == 2:
for (device_name, interface_name) in connection:
device = root.devices.device[device_name]
ldp_interfaces = device.config.mpls_ldp_cfg__mpls_ldp.\
default_vrf.interfaces.interface
if interface_name in ldp_interfaces:
del ldp_interfaces[interface_name]
Demo Screenshots
sr-migrate YANG model | IGP Domain Definition
BRKOPS-2418 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public
sr-migrate YANG model | Service Parameters
Step 1 | Enable Segment Routing | Commit Dry Run Output
Step 2 | Prefer Segment Routing | Connectivity Test Results
Step 2 | Prefer Segment Routing | Overall Service Progress Plan Viewer
Step 3 | Disable LDP | Dry Run Native Output
Migrating to Segment Routing using NSO
Benefit Summary
 Turn up Segment Routing in a controlled and risk-free manner.

 The best practices are built into the service model.
 Tedious TI-LFA config generated for all interfaces.
 Executes operational tests to validate each step before proceeding.
 Simple user interface and API, minimizing errors and risk.
 Phased rollout capability.
 Automated rollback to handle errors.
NSO DevNet | Key Highlights
The one place for sharing, finding and collaborating on NSO public knowledge
Light start Constant Large Cisco Got a Easy to Code

through news and searchable customers, question, share and sharing
DevNet updates to content partners ask! We will find public through
content help you pool and help ensure content public
page and keep up to employees a fast GitHub
Learning- date all have response
Labs access
Reach it here: www.cisco/go/nsodevnet
WEDNESDAY THURSDAY FRIDAY
TUESDAY
BRKOPS-2700
Keynote NSO Access Control
9:30a.m.
8:30a.m.
BRKOPS-3339
NSO Reconciliation
BRKOPS-2695 11:00a.m. BRKOPS-2418 11:00a.m.
NSO Use Cases & Migration to BRKOPS-2383 11:15a.m.
Features Segment Routing NSO LSA
100K+ devices
BRKNMS-2733 12:15p.m.
NSO&Ansible with BRKOPS-1456
Business Process Orch 14:45a.m.
Camunda Workflow
Automation Platform
Keynote
5:00p.m.
OPS
Customer
Appreciation
7:00p.m.
Automation & Orchestration Operations Track

with Cisco NSO #CLEMEA www.ciscolive.com/emea/learn/technology-tracks/operations.html
TUESDAY WEDNESDAY THURSDAY FRIDAY
Keynote 09:30
BRKSDN-2379 BRKNMS-3021
13 steps from an Advanced Cisco IOS 08:30
unprogrammed to a fully Device Instrumentation
BRKOPS-1871 automated network
Automate your SW 11:00 08:30
delivery process BRKSDN-2717 BRKOPS-3825
The hitchhiker's guide - Interpreting streaming 11:15
BRKNMS-2285 Managing your Network telemetry data using ML/AI
BRKNMS-2032
How to be a hero with 14:30 as Code (DevOps)
YANG Data Modeling and 09:00
Cisco DNA Center BRKPRG-2482 NETFCONF: Cisco and
Platform APIs PSOOPS-2236 Infrastructure as Code - 14:45 Industry Developments
Unlocking the power of 11:00 Building, Deploying,
BRKSDN-2497 open platform with Cisco Securing, Monitoring and
Build Your API-Based DNA Center Platform Managing Robust and
NW Troubleshooting Repeatable Networks Using BRKOPS-2285
Kit 17:00 Code and APIS Programmability with 11:30
BRKOPS-2562 BRKOPS-2024 IOS-XR Platforms
Wireless Automation & 16:45 Keynote 17:00
Data is the new Oil:
OPS
The Nuts & Bolts of Assurance with Cisco
Customer
leveraging Cisco DNA DNA Center using APIs
Appreciation 19:00
Assurance data for
creating value added
services
Network Programmability
Operations Track
#CLEMEA www.ciscolive.com/emea/learn/technology-tracks/operations.html
Complete your
online session
survey • Please complete your session survey
after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (starting on Thursday) to
receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events
Mobile App or by logging in to the Content
Catalog on ciscolive.com/emea.
Cisco Live sessions will be available for viewing on

demand after the event at ciscolive.com.
Continue your education
Demos in the
Walk-In Labs
Cisco Showcase
Meet the Engineer

Related sessions
1:1 meetings
Thank you

Brkops 2418

Uploaded by

Copyright:

Available Formats

Brkops 2418

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Brkops 2418

Uploaded by

Copyright:

Available Formats

Migrating your network to

• What is Segment Routing?

The source chooses a path

A segment ID that contains

A segment ID that contains an

An adjacency SID is a link

Router A, sending traffic to 16005

destination. 16003 16004

Fast-reroute capability using a

Value-Add Services Available

Multi-vendor consensus - designed and built with network operators

Segment Routing and LDP can coexist together.

Programming your network through CLI interfaces?

CLI is good for Unstructured

NETCONF/YANG provides a standardized

Protocol NETCONF RESTCONF

Encoding XML JSON

Transport SSH HTTP

YANG Models Open Native

Data Store Configuration Operational

Device Features BGP IS-IS VRF Interface

DATA TYPE LEAF

| | | | +-- rw type enumeration

Vendors OpenConfig Standards Bodies Other

Don’t start with the obvious

Data models are the foundation of automation

router isis {instance-name}

YANG Native Python Maagic State Convergence Multi-Vendor Network-wide CLI

Compliance Checks Web UI AAA Framework Function Packs DevNet Community

Strict YANG model driven,

Only create case needs to

NEDs abstract complex

 Turn up Segment Routing in a controlled and risk-free manner.

Enable SR Prefer Segment Disable LDP

Configure Configure Configure

Validate Validate Validate

Simplicity, Resilience, Programmability

NSO can read device operational data:

Adjacency SID validation

Prefix SID validation

Adjacency SID validation

Prefix SID validation

The Segment Routing Global Block range definition.

The IGP domain definition.

The Segment Routing migration service.

For each device:

for router in igp_domain.router:

entry = (device.name, interface.interface_name)

for connection in connections.values():

 Turn up Segment Routing in a controlled and risk-free manner.

Light start Constant Large Cisco Got a Easy to Code

Reach it here: www.cisco/go/nsodevnet

Automation & Orchestration Operations Track

Cisco Live sessions will be available for viewing on

Meet the Engineer

You might also like