DEVNET 1283 Telemetry

The document discusses the programmability and automation capabilities of Cisco IOS XE, focusing on Model Driven Telemetry and the use of YANG Suite. It outlines the lifecycle of device onboarding, configuration, monitoring, and updating through various tools and protocols such as NETCONF, RESTCONF, and gNMI. Additionally, it highlights the advantages of using programmability for efficient network management and the availability of YANG models for configuration and operational data.


Programmability, Automation

Model Driven Telemetry on Cisco IOS XE
with a dash of YANG Suite

Story DeWeese, Technical Marketing
@StoryDeWeese
DEVNET-1283

#CiscoLive
Cisco Webex App
https://ciscolive.ciscoevents.com/ciscolivebot/#DEVNET-1283

Questions?
Use Cisco Webex App to chat with the speaker after the session

How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space
4 Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until June 7, 2024.

#CiscoLive DEVNET-1283 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Agenda
• Intro to Programmability and Automation
• Day 0
• Day 1
• Day 2
• Day N
• Tooling
• Resources
(diagram: Day 0, Day 1, Day 2 and Day N arranged around the Intent-based Network Infrastructure)
Why do we use programmability?
Programmability Solutions for Complex Networks

• Efficient: managing infrastructure as code while lowering OPEX
• Consistent: repeatable and precise intent-based outcomes
• Scalable: reduce time and effort with large network automation requirements
• Secure: secure APIs and integrations
• Seamless: create value integrating with 3rd party platforms
• Smart: real time event notifications, AI/ML capabilities, and streaming telemetry
Cisco IOS XE Programmability & Automation Lifecycle
(diagram: Day 0, Day 1, Day 2 and Day N arranged around the Intent-based Network Infrastructure, with a Network Engineer asking a question at each stage)

Network Engineer: “I just received 5000 switches. How can I onboard them reliably, efficiently and at scale?”

Day 0 - Device Onboarding (Provisioning Automation)
• Pre-boot Execution Environment (iPXE)
• RFC8572 Secure Zero Touch Provisioning (ZTP)
• VM Automation
Network Engineer: “Nice! All 5000 switches are onboarded using Secure Zero Touch Provisioning”

Network Engineer: “Now that the 5000 new switches are onboarded, how can I configure them reliably, efficiently and at scale?”

Day 1 - Device Configuration (Model Driven Programmability)
• Network Configuration Protocol (NETCONF), RESTCONF, gNMI
• YANG “native” Data Models, OpenConfig
• YANG Suite, Terraform, Ansible, pyATS tooling
Network Engineer: “I can use tooling such as Ansible or Terraform to configure my 5000 switches at once”

Network Engineer: “Now that the 5000 new switches are configured, how can I monitor them reliably, efficiently and at scale?”

Day 2 - Device Monitoring (Model Driven Telemetry)
• TIG_MDT container + guide
• YANG On-Change support
• gRPC Dial-Out + DNS + mTLS
• gNMI/NETCONF Dial-In
Network Engineer: “I’ll use gRPC for Model Driven Telemetry to monitor changes on my device and quickly find any anomalies”

Network Engineer: “How can I update the OS version on all 5000 switches reliably, efficiently and at scale?”

Day N - Device Optimization (Software Image Management)
• gNOI cert/os/reset proto
• Guest Shell + Python/NETCONF
• CentOS 8 Python 3
• Application Hosting with Docker
• “show run” CLI to YANG
Network Engineer: “I’ll update the OS on all 5000 of my switches using scripting and gNOI os.proto”

Network Engineer: “Whew! Now that programmability has me covered, I can focus on the important stuff!”
Model Driven Programmability Interface Comparison

Network architecture, security posture and policy, YANG data modules, tools and language preferences are some considerations when leveraging the various MDP interfaces.

                       | NETCONF                                                        | RESTCONF                       | gNMI
Minimum IOS XE Version | 16.6                                                           | 16.7                           | 16.8
Recommended Version    | 17.6                                                           | 17.6                           | 17.7
Default Port           | 830                                                            | 443                            | 9339
Operations             | <get>, <get-config>, <edit-config>, <establish-subscription>   | GET, POST, PUT, PATCH, DELETE  | GET, SET, SUBSCRIBE
Encoding               | XML                                                            | XML or JSON RFC7951            | JSON_IETF
Security               | SSH + PKI certificate or password                              | HTTPS user/pass                | TLS certificate with user authentication
Transport Protocol     | SSH                                                            | HTTPS                          | HTTP/2
Tooling                | YANG Suite, ncclient, Netconf-console                          | YANG Suite*, Postman, python   | YANG Suite*, gnmic, gnmi_cli
Content                | YANG                                                           | YANG                           | YANG + Protobuf
IOS XE Programmability and Telemetry “Stack”

NETCONF, RESTCONF, gNMI and gRPC are programmatic interfaces that provide additional methods for interfacing with the IOS XE device. Just like the CLI, SNMP, and WebUI are used for configuration changes and operational metrics, so can the programmatic interfaces of NETCONF, RESTCONF, gNMI, and gRPC be used.

YANG data models define the data that is available for configuration and streaming telemetry.

(stack diagram, top to bottom: CLI, SNMP, WebUI and the programmatic interfaces NETCONF, RESTCONF, gNMI, gRPC -> YANG Data Models (OpenConfig, Cisco Native) -> Intent-based Network Infrastructure: Configuration and Operation -> Device Features: Interface, BGP, QoS, ACL, …)
Cisco IOS XE - YANG models on GitHub
• RFC 7950 YANG data modelling language models are the API definitions for IOS XE
• The YANG modules are available for download from the API and are also published on Github.com
• Notable modules are listed below for the running-config, feature oper, actions and event notifications

YANG module name.yang         | Description
Cisco-IOS-XE-native           | running-config
Cisco-IOS-XE-{feature}-cfg    | Feature configuration
Cisco-IOS-XE-{feature}-oper   | Feature operational data
Cisco-IOS-XE-{feature}-rpc    | Actions
Cisco-IOS-XE-{feature}-events | Telemetry Events
Cisco-evpn-service            | EVPN service abstraction
OpenConfig-{feature}          | abstraction for config & oper

The YANG models are available for download directly from the running IOS XE device’s NETCONF, RESTCONF, or gNMI API, and from:
https://github.com/YangModels/yang/tree/main/vendor/cisco/xe
Day 0
Day 0 - Classic ZTP Overview
The Day 0 ZTP features are used to automatically configure and provision network devices

1. When an IOS XE device boots and no configuration is present, the device will issue a DHCP request on the management port and on the front panel port.
2. If the DHCP response contains option 67 then ZTP is initiated and the device will retrieve and execute the python script from within the Guest Shell
3. Guest Shell is started and networking is automatically configured

(diagram: Guest Shell (CentOS 8) with Python / YANG / CLI / EEM APIs running on IOS XE, part of the Intent-based Network Infrastructure)

https://www.youtube.com/watch?v=EAXnftG6odg
https://blogs.cisco.com/developer/device-provisioning-with-ios-xe-zero-touch-provisioning
https://devnetsandbox.cisco.com/RM/Diagram/Index/f2e2c0ad-844f-4a73-8085-00b5b28347a1?diagramType=Topology
Secure ZTP blog https://blogs.cisco.com/developer/secureztp01
Day 0 device onboarding workflow
Q. What happens when multiple Day 0 DHCP options are presented to the device?
A. 43/143 -> 67/150 -> TFTP Broadcast. If 43/143 fails for any reason, then 67/150 will be tried.

Flowchart:
Is option 43 (DNAC PNP) or 143 (Secure ZTP) configured? -> Use Secure Option (preferred)
Is option 67 (Classic ZTP) or 150 (TFTP list) configured? -> Use Classic Option
Otherwise -> Use Legacy DHCP auto-install with TFTP broadcast

Day 0 Workflow:
1. Secure options are preferred: 43 (DNAC PNP) and 143 (Secure ZTP). If unsuccessful, attempt the secure option for a total of 4 retries before moving to the next option
2. Classic ZTP using options 67 or 150
3. Legacy DHCP auto-install with TFTP broadcast

ZTP MSDC customer use case – code samples
https://github.com/jeremycohoe/IOSXE-Zero-Touch-Provisioning/tree/master/ztp_solution_example
17.11
RFC8572 Secure ZTP
RFC details: https://www.rfc-editor.org/rfc/rfc8572.html
1. Conveyed Information: used to encode the redirect information and onboarding information (switch config)
2. Ownership Certificate: used by a device to verify the signature over the conveyed information
3. Ownership Voucher: used to verify a device owner as defined by the manufacturer (from the MASA)

Classic Zero Touch Provisioning vs Secure Zero Touch Provisioning, RFC8572 (2019)

Secure ZTP sequence (Device, DHCP Server, Bootstrapping Server (RESTCONF)):
• The device turns on and sends DHCP Discovery; the DHCP server answers with Option 143 (136), URL List
• TLS Handshake with the Bootstrapping Server using the SUDI client certificate; the server validates the client using SUDI and the device validates the server certificate
• get-bootstrapping-data using YANG-modeled RPC POST Request
• Bootstrapping Artifacts returned: Ownership Voucher, Owner Certificate, Conveyed Information
• The device validates the Ownership Voucher against its Device Trust Anchor (RFC 8366), then the Owner Certificate, then the Conveyed Information (encoded redirect and onboarding information)
• The device applies the conveyed information: update image, configuration (NETCONF), scripts (Guestshell)

Some security requirements for classic ZTP are resolved using Secure ZTP:
• Management system needs to validate the device
• Device needs to validate the server
• Device must validate the data is what the server sent

As part of the SZTP RFC, the device supports image upgrade as part of the conveyed information
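The three-artifact check described above, as an added example written for this page (it is not code from the session or from Cisco). It models the device-side verification order of RFC 8572: the ownership voucher must be signed by the manufacturer trust anchor (MASA) and name this device, the owner certificate must be the one pinned in the voucher, and the conveyed information must be signed by that owner. HMAC-SHA256 with constructed keys stands in for the CMS/X.509 signatures of the real protocol, and the serial number, keys and conveyed information are all constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed toy keys. In RFC 8572 these are X.509/CMS key pairs; here one
# HMAC key plays both the signing and the verification role so the example
# runs offline. The chain-of-trust logic is what the example demonstrates.
MASA_KEY = b"manufacturer-masa-key"        # device trust anchor (voucher issuer)
OWNER_KEY = b"acme-network-owner-key"      # key behind the owner certificate
ROGUE_KEY = b"rogue-bootstrap-server-key"  # key of a server that holds no voucher

# Constructed conveyed information: redirect + onboarding data (RFC 8572 terms).
CONVEYED = {
    "redirect-information": {"bootstrap-server": "https://sztp.example.net:443"},
    "onboarding-information": {
        "boot-image": "cat9k_iosxe.PLACEHOLDER.bin",    # placeholder image name
        "configuration": "hostname c9300-sztp-demo",     # placeholder config
    },
}


def _sign(key, payload):
    """Toy signature: HMAC-SHA256 over the canonical JSON form of payload."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _verify(key, payload, signature):
    return hmac.compare_digest(_sign(key, payload), signature)


def make_owner_cert(owner_key):
    """Stand-in for the owner certificate: a fingerprint plus the verifying key."""
    return {"fingerprint": hashlib.sha256(owner_key).hexdigest(), "key": owner_key}


def make_artifacts(serial, owner_cert, conveyed, owner_key=OWNER_KEY, voucher_key=MASA_KEY):
    """Bootstrapping-server side: assemble the three SZTP artifacts for one device."""
    voucher = {"serial-number": serial, "pinned-domain-cert": owner_cert["fingerprint"]}
    return {
        "ownership-voucher": {"body": voucher, "sig": _sign(voucher_key, voucher)},
        "owner-certificate": owner_cert,
        "conveyed-information": {"body": conveyed, "sig": _sign(owner_key, conveyed)},
    }


def verify_bootstrap_data(device_serial, artifacts, trust_anchor=MASA_KEY):
    """Device side: check voucher, then owner certificate, then conveyed information.

    Returns (ok, reason). The order matters: nothing in the conveyed information
    is trusted until the voucher has tied this device to a specific owner.
    """
    ov = artifacts["ownership-voucher"]
    if not _verify(trust_anchor, ov["body"], ov["sig"]):
        return False, "ownership voucher not signed by the manufacturer trust anchor"
    if ov["body"]["serial-number"] != device_serial:
        return False, "ownership voucher was issued for a different device"
    oc = artifacts["owner-certificate"]
    if oc["fingerprint"] != ov["body"]["pinned-domain-cert"]:
        return False, "owner certificate is not the one pinned in the voucher"
    ci = artifacts["conveyed-information"]
    if not _verify(oc["key"], ci["body"], ci["sig"]):
        return False, "conveyed information is not signed by the pinned owner"
    return True, "ok"


if __name__ == "__main__":
    serial = "FOC0000DEMO"  # constructed serial number
    good = make_artifacts(serial, make_owner_cert(OWNER_KEY), CONVEYED)
    print("legitimate server:", verify_bootstrap_data(serial, good))
    # A server that can answer DHCP and TLS but holds no voucher from the MASA:
    rogue = make_artifacts(serial, make_owner_cert(ROGUE_KEY), CONVEYED,
                           owner_key=ROGUE_KEY, voucher_key=ROGUE_KEY)
    print("rogue server:     ", verify_bootstrap_data(serial, rogue))
```

The point of the ordering is the second scenario in `__main__`: a server that answers DHCP and completes the TLS handshake still fails at the first check, because the voucher it presents was not issued by the device's trust anchor, so its image and configuration are never applied. This is the "device needs to validate the server" requirement that classic ZTP does not meet.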

Day 1
Cisco YANG Suite
Now Generally Available!
• YANG API Testing and Validation Environment
• Construct and test YANG based APIs over NETCONF, RESTCONF, gRPC and gNMI
• IOS XE / IOS XR / NX OS platforms
developer.cisco.com/yangsuite
github.com/CiscoDevNet/yangsuite
What’s Included
Core plugins
• Initial Release:
  • Plugin and YANG File Manager, Datasets and diffs
  • Device Manager
  • NETCONF (Python), gRPC Telemetry
  • Docker install support with HTTPS
• Second Release:
  • RESTCONF
  • gNMI
  • Python Integrations
Additional plugins
• Third Release:
  • gRPC Telemetry with TLS Support
  • SNMP OID to YANG Xpath Mapping
  • Ansible Integrations
  • Pip install support

Build NETCONF XML Payload to SET Hostname

YANG Suite RESTCONF Demo
Day 2
Model Driven Telemetry Interfaces
Dial In: Collector establishes a connection to the device then subscribes to telemetry (pub/sub)
Dial Out: Telemetry is pushed from the device to the collector based off configuration (push)

• Publication / Subscription
• XML, JSON, proto and kvGPB encoding
• Consistent YANG data models between interfaces
• On-change event and time-based publication options
(diagram: Intent-based Network Infrastructure)
Updated TIG_MDT container now available! Recently updated!
docker pull jeremycohoe/tig_mdt
docker run -ti -p 3000:3000 -p 57500:57500 jeremycohoe/tig_mdt

Upgrade coming to the Telegraf, Influx, and Grafana Model Driven Telemetry (TIG_MDT) Docker container, making it easier to consume telemetry in production:
• Upgraded Telegraf, InfluxDB, and Grafana tools
• Additional dashboards for Device Health, Wireless Client, Wireless AP, RF etc
• Examples for device CLI configuration for telemetry
• Details of scale and data storage requirements

Pipeline: Cisco IOS XE Devices -> Collector/Receiver (Telegraf, decodes to text) -> Storage (InfluxDB, time series database) -> Monitoring and Visualizations (Grafana)

https://hub.docker.com/r/jeremycohoe/tig_mdt
https://github.com/jeremycohoe/cisco-ios-xe-mdt
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/179/b_179_programmability_cg/m_179_prog_ietf_telemetry.html
Cisco Telemetry Data Broker (Telegraf)
Cisco Telemetry Broker provides many benefits, including brokering, filtering, and transforming data. It provides the ability to replicate telemetry data.

• Cisco Secure Network Analytics (Stealthwatch) UDP Director (UDPD) replicates UDP traffic to multiple destinations.
• Cisco Telemetry Broker
  • Builds upon UDPD
  • Optimizes telemetry pipelines for the hybrid cloud
  • Simplifies the consumption of telemetry data for customers’ business-critical tools by brokering hybrid cloud data, filtering unneeded data, and transforming data to a usable format

https://cs.co/telemetrybroker aka https://www.cisco.com/c/en/us/products/security/telemetry-broker/index.html
https://blogs.cisco.com/security/taking-full-control-of-your-telemetry-with-the-intelligent-telemetry-plane
Model Driven Telemetry Interface Comparison

Network architecture, security posture and policy, YANG data modules, tools and language preferences, standards, and software version are some considerations when leveraging the various MDT interfaces.

                       | NETCONF                            | gRPC (Dial-Out)                                              | gNMI
Minimum IOS XE Version | 16.6                               | 16.10                                                        | Dial-In: 16.12; over gRPC tunnel: 17.11
Recommended Version    | 17.9                               | 17.9                                                         | Dial-In: 17.9; over gRPC tunnel: 17.11
Telemetry Direction    | Dial-In, IOS XE is server          | Dial-Out, IOS XE is client                                   | Dial-In, IOS XE is server; Dial-Out over gRPC Tunnel
Configuration          | Dynamic, per session               | Static, per configuration                                    | Dynamic, per session
Telemetry Collector    | Client                             | Server                                                       | Client
Encoding               | XML                                | KV GPB                                                       | JSON_IETF + PROTO
Security               | SSH + PKI certificate or password  | mTLS or plain-text; mTLS cert only or mTLS cert + user/pass  | mTLS certificates authentication
Transport Protocol     | SSH                                | HTTP2                                                        | HTTP2
Data Models            | YANG                               | YANG                                                         | YANG
Model Driven Telemetry Publication options

On-Change
• Feature Model “On-Change” Notifications
• Event Notifications (failed login, optic fault, etc)
• State and Configuration

Periodic
• Feature Model “Periodic” Notifications
• Time based publication
• Minimum interval 100 centiseconds (1s)

OpenConfig YANG with GNXI, not NETCONF
Configure a gRPC Telemetry Subscription
Configure a telemetry subscription like the following to collect CPU data over time.
On Cisco IOS XE Device:
configure terminal
telemetry ietf subscription 1
 encoding encode-kvgpb
 filter xpath /process-cpu-ios-xe-oper:cpu-usage/cpu-utilization
 stream yang-push
 update-policy periodic 60000
 receiver ip address 10.1.1.3 57500 protocol grpc-tcp

See more examples at: https://github.com/jeremycohoe/cisco-ios-xe-mdt
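A small configuration auditor, added here as an example (it is not part of the session materials or of the cisco-ios-xe-mdt repository). It parses `telemetry ietf subscription` blocks as they appear in a running-config and flags the two things worth checking before subscriptions go to production: periodic intervals below the 100 centisecond minimum quoted on the publication-options slide, and receivers using `grpc-tcp`, which carries the telemetry stream in plain text (the comparison table lists mTLS as the alternative). The sample configuration is constructed: subscription 1 is the one on this slide, subscriptions 2 and 3 are made up, and the `grpc-tls profile` receiver form and its profile name are assumptions rather than something the slides show.

```python
import re

MIN_PERIOD_CS = 100  # IOS XE minimum periodic interval: 100 centiseconds (1 s)

# Constructed sample: subscription 1 is the slide's example, 2 and 3 are made up.
# The "grpc-tls profile ..." receiver form and its profile name are assumptions.
SAMPLE_CONFIG = """\
telemetry ietf subscription 1
 encoding encode-kvgpb
 filter xpath /process-cpu-ios-xe-oper:cpu-usage/cpu-utilization
 stream yang-push
 update-policy periodic 60000
 receiver ip address 10.1.1.3 57500 protocol grpc-tcp
telemetry ietf subscription 2
 encoding encode-kvgpb
 filter xpath /interfaces-ios-xe-oper:interfaces/interface/statistics
 stream yang-push
 update-policy periodic 50
 receiver ip address 10.1.1.3 57500 protocol grpc-tcp
telemetry ietf subscription 3
 encoding encode-kvgpb
 filter xpath /interfaces-ios-xe-oper:interfaces/interface/oper-status
 stream yang-push
 update-policy on-change
 receiver ip address 10.1.1.3 57500 protocol grpc-tls profile TLS-PROFILE-PLACEHOLDER
"""

RECEIVER_RE = re.compile(r"receiver ip address (\S+) (\d+) protocol (\S+)")


def parse_subscriptions(config_text):
    """Return a list of dicts, one per 'telemetry ietf subscription' block."""
    subs, cur = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"telemetry ietf subscription (\d+)$", line)
        if m:
            cur = {"id": int(m.group(1)), "receivers": []}
            subs.append(cur)
            continue
        if cur is None:
            continue  # text outside a subscription block is ignored
        if line.startswith("encoding "):
            cur["encoding"] = line.split(" ", 1)[1]
        elif line.startswith("filter xpath "):
            cur["xpath"] = line.split(" ", 2)[2]
        elif line.startswith("stream "):
            cur["stream"] = line.split(" ", 1)[1]
        elif line.startswith("update-policy "):
            parts = line.split()
            cur["policy"] = parts[1]                     # "periodic" or "on-change"
            cur["period_cs"] = int(parts[2]) if parts[1] == "periodic" else None
        else:
            m = RECEIVER_RE.match(line)
            if m:
                cur["receivers"].append(
                    {"ip": m.group(1), "port": int(m.group(2)), "protocol": m.group(3)})
    return subs


def audit(subs, min_period_cs=MIN_PERIOD_CS):
    """Return (subscription id, message) findings for each subscription."""
    findings = []
    for s in subs:
        sid = s["id"]
        if "xpath" not in s:
            findings.append((sid, "no xpath filter: the subscription has nothing to publish"))
        if s.get("policy") == "periodic" and s["period_cs"] < min_period_cs:
            findings.append((sid, f"periodic interval {s['period_cs']} cs is below the "
                                  f"{min_period_cs} cs minimum"))
        if not s["receivers"]:
            findings.append((sid, "no receiver configured"))
        for r in s["receivers"]:
            if r["protocol"] == "grpc-tcp":
                findings.append((sid, f"receiver {r['ip']}:{r['port']} uses grpc-tcp: "
                                      "the telemetry stream leaves the device unencrypted"))
    return findings


if __name__ == "__main__":
    for sid, msg in audit(parse_subscriptions(SAMPLE_CONFIG)):
        print(f"subscription {sid}: {msg}")
```

Run against the sample, the auditor reports the plain-text receiver on subscription 1, and both the sub-minimum interval and the plain-text receiver on subscription 2; subscription 3 produces no findings. The same parser works on the output of `show running-config | section telemetry` pasted into a file.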

Day N
gNOI – gRPC Network Operations Interface
gNOI
1. gRPC Network Operations Interface, or gNOI, is a set of gRPC-based microservices, used for executing operational commands on network devices
2. gNOI operations are executed against the gNMI API interface
3. gNOI is defined and implemented on a per proto basis
4. There are many protos defined; some are more mature and evolve at a different pace

Protobuf     | RPC Use                              | Related CLI         | Release
Cert.proto   | TLS Certificate management           | crypto pki …        | 17.3
Os.proto     | Network Operating System management  | install add file …  | 17.5
Reset.proto  | Factory Reset and wipe               | write erase         | 17.7
File.proto   | Not implemented                      | copy, delete        | N/A
System.proto | Not implemented                      | reload, set boot    | N/A

https://github.com/openconfig/gnoi
17.5
gNOI os.proto – Operating System API
OS installation, activation, and verification API
https://github.com/google/gnxi/tree/master/gnoi_os

gNOI defines a set of gRPC-based microservices for executing operational commands on network devices. OS Install, Activate, and Verification are defined and addressed here:
https://github.com/openconfig/gnoi/blob/master/os/os.proto

The OS service provides an interface for OS installation on a Target. The Client progresses through 3 RPCs:
1) Installation - provide the Target with the OS package.
2) Activation - activate an installed OS package.
3) Verification – verify the installed and activated version
Additional CLI: show gnxi os

Bundle mode will be converted to Install at reboot
GNOI OS.proto demo

Verify:
cd ~/certs-jcohoe-c9300-2/ ; gnoi_os -insecure -target_addr 10.85.134.92:9339 -op verify -target_name c9300 -alsologtostderr -cert ./client.crt -ca ./rootCA.pem -key ./rootCA.key
Running OS version: 17.05.01.0.144.1617180620
Install:
cd ~/certs-jcohoe-c9300-2/ ; gnoi_os -insecure -target_addr 10.85.134.92:9339 -op install -target_name c9300 -alsologtostderr -cert ./client.crt -ca ./rootCA.pem -key ./rootCA.key -version 17.06.01.0.135639.1618187331 -time_out 999s -os /tftpboot/cat9k_iosxe.17.06.01-20210411.bin
Activate:
cd ~/certs-jcohoe-c9300-2/ ; gnoi_os -insecure -target_addr 10.85.134.92:9339 -op activate -target_name c9300 -alsologtostderr -cert ./client.crt -ca ./rootCA.pem -key ./rootCA.key -version 17.06.01.0.135639.1618187331 -time_out 999s -os /tftpboot/cat9k_iosxe.17.06.01-20210411.bin
Verify:
Running OS version: 17.06.01.0.135639.1618187331

Demo video on YouTube
show CLI: show gnxi os summary
Tooling
YANG Suite
Ansible
Terraform

Demo: Generate Python from NETCONF
1. Access YANG Suite > Protocols > NETCONF
2. Select YANG model then Build RPC payload
3. Select Replays
4. Select Generate Python script
NETCONF + Ansible
Similar to the “Generate Python” functionality, a new functionality generates YAML formatted for Ansible.

Requirements
1. Install Ansible
2. Install NETCONF collection:
   ansible-galaxy collection install NETCONF

- name: conf-host
  hosts: c9300
  connection: netconf
  gather_facts: no

  tasks:
    - name: hostname-conf
      netconf_config:
        xml: |
          <config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
            <native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
              <hostname>c9300-pod29</hostname>
            </native>
          </config>
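The same hostname change as an added Python example, written for this page rather than taken from YANG Suite's generated code or from the Ansible collection. It builds the NETCONF `<config>` payload the playbook above carries, validates the hostname before it is interpolated into XML, parses the result back to confirm the leaf, and produces the RFC 7951 JSON body that the same change takes over RESTCONF (a PATCH to `/restconf/data/Cisco-IOS-XE-native:native`). The `push_hostname` function sends the payload with ncclient, which is assumed to be installed; the device address, credentials and port are parameters the caller supplies.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NETCONF_BASE_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
NATIVE_NS = "http://cisco.com/ns/yang/Cisco-IOS-XE-native"

# Conservative hostname rule: letters, digits and hyphens, no leading hyphen,
# at most 63 characters. Validating before interpolation keeps untrusted input
# (for example a name read from an inventory file) out of the XML payload.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}$")


def is_valid_hostname(hostname):
    return bool(HOSTNAME_RE.match(hostname))


def build_hostname_config(hostname):
    """NETCONF <config> payload for the Cisco-IOS-XE-native /native/hostname leaf."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"refusing to send invalid hostname {hostname!r}")
    return (
        f'<config xmlns="{NETCONF_BASE_NS}">\n'
        f'  <native xmlns="{NATIVE_NS}">\n'
        f'    <hostname>{escape(hostname)}</hostname>\n'
        f'  </native>\n'
        f'</config>'
    )


def extract_hostname(config_xml):
    """Parse a <config> payload and return the hostname leaf (None if absent)."""
    root = ET.fromstring(config_xml)
    leaf = root.find(f"{{{NATIVE_NS}}}native/{{{NATIVE_NS}}}hostname")
    return leaf.text if leaf is not None else None


def restconf_body(hostname):
    """RFC 7951 JSON body for the same change over RESTCONF:
    PATCH https://<device>/restconf/data/Cisco-IOS-XE-native:native
    with Content-Type: application/yang-data+json.
    """
    if not is_valid_hostname(hostname):
        raise ValueError(f"refusing to send invalid hostname {hostname!r}")
    return {"Cisco-IOS-XE-native:native": {"hostname": hostname}}


def push_hostname(host, username, password, hostname, port=830):
    """Send the payload with ncclient (assumed installed). Host-key verification
    stays on, so the device's SSH host key must already be in known_hosts."""
    from ncclient import manager  # imported here so the rest runs without ncclient

    with manager.connect(host=host, port=port, username=username, password=password,
                         hostkey_verify=True, device_params={"name": "iosxe"}) as m:
        reply = m.edit_config(target="running", config=build_hostname_config(hostname))
        return reply.ok


if __name__ == "__main__":
    print(build_hostname_config("c9300-pod29"))
    print(restconf_body("c9300-pod29"))
```

The XML and JSON forms are the two encodings the interface comparison table lists for NETCONF and RESTCONF; the module-qualified key `Cisco-IOS-XE-native:native` is how RFC 7951 carries the namespace that the XML expresses with `xmlns`.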

NETCONF + Ansible Update Interface Description Demo
Ansible is…
Ansible can be used with the Cisco IOS XE NETCONF or RESTCONF API

Ansible is an open-source, Infrastructure as Code (IaC) software suite. It is agentless, meaning there is no installation and no requirements on the target device, other than having an accessible API or interface. Ansible is a state-LESS tooling. This means Ansible does NOT look at the current configuration state before making changes.

• minimal in nature and provides a secure and reliable way to interact with remote devices
• highly adaptable and commonly used with other automation tools to accomplish complex workflows.

Typically used for device config, not infrastructure management
Example Ansible Playbook
Creates a MDT subscription
https://github.com/jeremycohoe/ansible-config-samples/blob/master/add_sub_17.7.yaml
Terraform is…
Terraform uses the RESTCONF API

Infrastructure as Code (IaC) software tool providing a consistent CLI workflow to manage hundreds of cloud services. Terraform codifies cloud APIs into declarative configuration files.

• Cloud Native Tooling circa 2014 from HashiCorp
• Agentless, single binary file
• Zero server-side dependencies
What’s IaC?
Infrastructure as Code (IaC) is the process of managing changes through code, rather than a manual process

Previous approach (Imperative): the user tells the infrastructure “Here’s the step-by-step procedure”; the user determines the how. User -> Infra
IaC approach (Declarative): the user tells the IaC tooling “Here’s the end result I want”. User -> IaC -> Infra

Learn more about IaC here:
https://developer.cisco.com/iac/#:~:text=Adopting%20Infrastructure%20as%20Code%20allows,data%20center%20to%20the%20edge.
IOS XE Terraform Provider
Documentation and details about the provider are available on the Hashicorp Registry
https://registry.terraform.io/providers/CiscoDevNet/iosxe/latest
Source code is in the GitHub Repository: https://github.com/CiscoDevNet/terraform-provider-iosxe/

Terraform resource utilizing the CLI RPC
https://registry.terraform.io/providers/CiscoDevNet/iosxe/latest/docs/resources/cli
Terraform Terminology
Terraform uses an execution plan file with a provider and resource definitions.

An execution plan file defines the provider and resources. It is written in HashiCorp Configuration Language (HCL), similar to JSON, and stored with a .tf extension

A provider is a plugin to make a collection of resources accessible

A resource (or infrastructure resource) describes one or more infrastructure objects managed by Terraform. With the IOS XE Terraform provider, resources can be considered the same as a configurable feature

(diagram: Execution Plan File terraform.tf -> Provider: iosxe -> Resources: vlan_put, vlan_get -> RESTCONF Payload -> Device to Configure)
Getting Started with Terraform + IOS XE Provider
1. Enable the RESTCONF API on the switch
   Switch# conf t
   Switch(config)# restconf
2. Install Terraform
   $ apt install terraform
3. Clone the IOS XE Terraform Provider GitHub repository
   $ git clone https://github.com/CiscoDevNet/terraform-provider-iosxe
   … or …
   $ git clone https://github.com/jeremycohoe/cisco-ios-xe-dcloud-terraform
4. Apply Terraform VLAN example
   $ terraform init
   $ terraform plan
   $ terraform apply acl_and_vlan.tf
What’s different about Terraform?
State-FUL
• Checks the current configuration before making changes to help avoid any potential conflicts
• Quick to remove config, no need to create a separate file
  $ terraform destroy
Terraform for Model Driven Telemetry
Enable gRPC Dial-Out telemetry subscriptions for the POE and Basic Device Monitoring use cases

Lab Guide Steps:
1. Introduction
2. IOS XE CLI pre-req
3. Terraform Install & headers, device variables
4. Variables and config for MDT subscription
5. Terraform configuration for device monitoring
6. TF Workflow: init, plan, apply & destroy
7. Validation with TF and CLI
8. Conclusion

https://registry.terraform.io/providers/CiscoDevNet/iosxe/latest/docs/resources/mdt_subscription
https://registry.terraform.io/providers/CiscoDevNet/iosxe/latest/docs/data-sources/mdt_subscription
https://github.com/jeremycohoe/cisco-ios-xe-panda-lab-terraform

DEMO – install docker container and use Terraform files to configure telemetry subscriptions
CLI to YANG
This new CLI addition to “show run | format” brings additional visibility into the YANG modelled configuration, either as XML for NETCONF or as JSON for RESTCONF.
Easily convert CLI into YANG to re-use in tooling, scripts, and automation and orchestration systems

show run | format netconf-xml
show run | format restconf-json

Requires netconf-yang Data Model Interfaces to be enabled
CLIs with corresponding native YANG and modeled in show run are returned
IPsec tunnel + cloud automation with Terraform
Day 0

1. Terraform configures the IPsec tunnel between the 9300X and the cloud service where the internal resources are available
2. Terraform also manages the cloud-native resources including certificate key management and IP subnetting
3. Connections between VPC, VPN, CGW and device certificates, tunnels, and interfaces are created

Cloud side:
1. Virtual Private Cloud (VPC)
2. Virtual Private Network (VPN)
3. Customer Gateway (CGW)

Device side:
1. Tunnel
2. Proposal
3. Policy
4. Keyring
5. Profile
6. IPSEC Transform
7. IPSEC Profile
8. Tunnel Interface
IPsec Tunnel for employees
Day 1
(diagram: Branch 1 and Branch 2..N, each with a Cisco Catalyst 9300X/9400X running IOS XE and configured over RESTCONF / YANG with Terraform, connect to AWS internal resources)
https://github.com/sdeweese/terraform-ipsec-tunnel-to-cloud

Terraform + Crypto IPsec Demo
Resources

API White Paper
http://cs.co/apiwp
Website: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9300-series-switches/nb-06-catalyst-programmability-automation-wp.html
PDF: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9300-series-switches/nb-06-catalyst-programmability-automation-wp.pdf
http://cs.co/apiwppdf

MDT White Paper
The Model Driven Telemetry White Paper includes examples, use cases and tooling related to telemetry
http://cs.co/mdtwp
http://cs.co/mtpwppdf
Website: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9300-series-switches/model-driven-telemetry-wp.html
PDF: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9300-series-switches/model-driven-telemetry-wp.pdf
FAQ update
The updated IOS XE FAQ is to be posted to CCO and to the IOS XE websites within DevNet.
CCO Publication: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe/nb-06-cisco-ios-xe-faq-en.html
Internal View Doc: https://cisco.sharepoint.com/:w:/s/ENSwitchingTME/ET4DNZUhK0RGl7n4VrtlLNcBak3PVSmc4jP2qjwJt9APJQ?e=ZI6VHI

Programmability Configuration Guide

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/1714/b_1714_programmability_cg.html

Classic ZTP

Automating Catalyst IOS-XE | A DevNet Webinar (including a ZTP demo!)
https://www.youtube.com/watch?v=LdcK5PnPu2I

https://www.youtube.com/watch?v=EAXnftG6odg
https://blogs.cisco.com/developer/device-provisioning-with-ios-xe-zero-touch-provisioning
https://devnetsandbox.cisco.com/RM/Diagram/Index/f2e2c0ad-844f-4a73-8085-00b5b28347a1?diagramType=Topology

Secure ZTP Resources

https://blogs.cisco.com/developer/secureztp01
developer.cisco.com: Videos and Tutorials | Sandbox and Learning Lab | Automation and Code Exchange | Learning and Certifications | Community and Study Groups | Start Now

Programmability Website
The one-stop-shop for Cisco IOS XE Programmability resources including videos, white papers, labs and more!

• Community Forum
• IOS XE FAQ
• White Papers
• Code Exchange
• IOS XE Docs & Guide
• Learning Tracks and Labs
• Sandboxes
• … and more!

https://developer.cisco.com/iosxe/
Developer Relations Collateral Updates

IOS XE DevCenter
https://developer.cisco.com/ios-xe/
https://developer.cisco.com/site/ios-xe/

• DevCenter
• FAQ
• Learning Lab
• YANG Suite
• CodeExchange
• Community
• IOS XE Docs
• IOS XE FAQ
• Learning Track
• Learning Labs
• API White Paper
• MDT White Paper
• C9800PTDG
• Sandboxes (21)
• Reservable Virtual Sandbox
• Reservable Physical Sandbox
• Always-On Virtual Sandbox

Additional Engagements:
• Videos/Webinars
• CiscoLive/DevNetZone/Workshops

Key
• DevCenter is a website within developer.cisco.com used to promote the technology.
• Learning Tracks are groups of learning modules which include various learning labs.
• Learning Labs contain details to understand a new technology or feature.
• Sandboxes can be used to trial and demonstrate the feature with hardware devices and software tools.

dCloud Programmability
https://dcloud.cisco.com
“Cisco Catalyst 9000 IOS XE Programmability & Automation Lab v1”
https://dcloud2.cisco.com/demo/catalyst-9000-ios-xe-programmability-automation-lab-v1

Use Cases:
Model Driven Telemetry
• Telemetry configuration with CLI and YANG Suite
• Collection with TIG_MDT container and tooling
EVPN
• Ansible with CLI deployment of EVPN solutions
• EVPN management over RESTCONF/YANG with Postman
• Declarative EVPN fabric management with Terraform
YANG Programmability
• YANG Suite tooling and integrations to YANG APIs
• Ansible integrations

Tooling and Integrations:
YANG Suite
• NETCONF/RESTCONF/gNMI API
• Ansible integration
• NETCONF/gNMI Dial-In Telemetry
• gRPC Dial-Out Telemetry receiver
Telemetry
• TIG stack in Docker
• Grafana dashboard for device health
Postman / RESTCONF
• EVPN fabric API calls
Terraform/RESTCONF
• Declarative EVPN fabric management
Ansible
• EVPN solution enablement using CLI

Ubuntu VM Details:
• Syslog receiver from all switches
• TFTP config backup
• See slide

Windows VM Details:
• VS Code
• Terraform @ folder
• Ansible @ folder
• Chrome browser: YANG Suite, Grafana
• Bash/PS/Cmd shells: SSH into C9K or Ubuntu
• Postman: Workspace for EVPN

3x C9K Virtual Switch (VLAN1):
• c9k-spine, IP: 198.18.1.21, developer / C1sco12345
• c9k-leaf1, IP: 198.18.1.31, developer / C1sco12345
• c9k-leaf2, IP: 198.18.1.32, developer / C1sco12345
• c9kvdd-1 - unconfigured
• c9kvdd-7 - unconfigured
IOS XE Sandboxes
Easily access IOS XE as part of the DevNet Sandbox
https://devnetsandbox.cisco.com

Reservable - Virtual: “IOS XE on Cat8kv”
This DevNet reservable sandbox has IOS XRv + N9Kv + IOS XE
The c8k within the DevBox is enabled for Day 0/ZTP use cases

Always On - Virtual: “IOS XE on Cat8kv AlwaysOn”
The “IOS XE on Cat8kv Always On” virtual sandbox requires no reservation
The c8kv can be accessed with SSH, NETCONF, and RESTCONF
Hostname: devnetsandboxiosxe.cisco.com
Username: admin Password: C1sco12345
SSH port 22, NETCONF port 830

Reservable - Physical
9300, 9300X, 9200 (+ stacks)
The physical labs are being rebuilt and are not quite ready yet

Cisco IOS XE - Reservable Virtual Sandbox
This DevNet reservable sandbox has IOS XRv + N9Kv + IOS XE
The Catalyst 8000V within the DevBox is enabled for Day 0/ZTP use cases

https://devnetsandbox.cisco.com
“IOS XE on Cat8kv”
https://devnetsandbox.cisco.com/DevNet/catalog/IOS%20XE%20on%20Cat8kv

The “Enterprise Networking” Learning Labs contain guides for the supported use cases
https://developer.cisco.com/learning/

Sandbox Capabilities:
• TIG_MDT Telemetry
• YANG Suite API
• Terraform + Ansible
• ZTP & Guest Shell
• … and more

Cisco IOS XE - Always On Virtual Sandbox
The “IOS XE on Cat8kv Always On” virtual sandbox requires no reservation
The c8kv can be accessed with SSH, NETCONF, and RESTCONF
Hostname: sandbox-iosxe-latest-1.cisco.com
Username: admin Password: C1sco12345
SSH port 22, NETCONF port 830, RESTCONF HTTPS
https://devnetsandbox.cisco.com
devnetsandboxiosxe.cisco.com
https://devnetsandbox.cisco.com/DevNet/catalog/ios-xe-always-on
The “Enterprise Networking” Learning Labs contain guides for the supported use cases
https://developer.cisco.com/learning/

Cisco University (Cisco U) part of L&D
u.cisco.com or https://u.cisco.com
https://u.cisco.com/search/tutorial?query=Story%20DeWeese,%20Jeremy%20Coho,%20not%20berry

Direct links to the tutorials (login to u.cisco.com is required first):

1. https://ondemandelearning.cisco.com/apollo-alpha/tc-iosxe-ztp/pages/1
2. https://ondemandelearning.cisco.com/apollo-alpha/tc-terraform-ios-xe/pages/1
3. https://ondemandelearning.cisco.com/apollo-alpha/tc-yangsuite-netconf/pages/1
4. https://ondemandelearning.cisco.com/apollo-alpha/tc-yangsuite-restconf/pages/1

Complete Your Session Evaluations

Complete a minimum of 4 session surveys and the Overall Event Survey to be entered in a drawing to win 1 of 5 full conference passes to Cisco Live 2025.

Earn 100 points per survey completed and compete on the Cisco Live Challenge leaderboard.

Level up and earn exclusive prizes!

Complete your surveys in the Cisco Live mobile app.

Continue your education

• Visit the Cisco Showcase for related demos
• Book your one-on-one Meet the Engineer meeting
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
• Visit the On-Demand Library for more sessions at www.CiscoLive.com/on-demand

Thank you

#CiscoLive
