
Background

This blog series covers some of the new APIs released as part of APIC-EM 1.3.

 


 

This particular blog covers a new feature in the Plug and Play (PnP) application, configuration templates.  Prior to version 1.3, the configuration file was a text file and did not support variables. If you wanted to use a template you needed to use Prime Infrastructure.  In APIC-EM 1.3, template support has been added.

 

This blog looks at both the UI and API required for templates.

 

 

For all of these examples I am using a 3650 switch running 3.6.5 code, but you could use versions 16.3.1 and 3.7.4 (for other platforms such as the 2960x, please see the release notes for details).

 

Setup

 

I am going to assume you have seen my earlier blog, Network Automation with Plug and Play (PnP) – Part 1, on the mechanics of PnP and how to configure discovery (DHCP, DNS, etc.).


 

 

Templates

 

A template is identical to a standard configuration file, except it has variables embedded in it. Templates use the "velocity" template language, the same as Prime Infrastructure.  Variables start with the "$" character.  For example, the template below has a single variable, "hostname".

 

hostname $hostname

enable password xxx

!

username sdn password 0 xxx

!

ip http server

ip http secure-server

snmp-server community xxxx RO

!

line con 0

line vty 0 15 

login local 

transport input ssh telnet

end

 

 

When you view the template in APIC-EM, there are three views:

  1. Text view: the file above.  Variables have a "$" at the start
  2. Form View: just shows the variables.
  3. Preview: Shows the complete configuration with variables filled in.

 

template view.png

 

 

Templates can be uploaded the same as any other configuration file, through the user interface or the API.
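A pre-upload check for a template like the one above, as an added example that is not part of the original post or of APIC-EM: it lists the variables (the "Form View"), renders a preview that fails on missing or multi-line values, and flags lines worth reviewing before the file is pushed to many switches. The variable syntax handled here is a simplified subset of Velocity, and the rule list and the hostname-like value restriction are assumptions of this sketch.

```python
import re

# Constructed sample: the template shown in this post (secrets masked as "xxx").
TEMPLATE = """\
hostname $hostname
enable password xxx
!
username sdn password 0 xxx
!
ip http server
ip http secure-server
snmp-server community xxxx RO
!
line con 0
line vty 0 15
 login local
 transport input ssh telnet
end
"""

# Simplified Velocity reference syntax: $name or ${name}. Directives such as
# #if/#foreach and method calls are outside the scope of this sketch.
VAR_RE = re.compile(r"\$(?:\{([A-Za-z][A-Za-z0-9_]*)\}|([A-Za-z][A-Za-z0-9_]*))")

# Assumption: values are hostname-like tokens. Anything with spaces or line
# breaks is refused, because every rendered line becomes a device command.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._-]+")

# Lines worth a second look before one file is pushed to many switches.
REVIEW_RULES = [
    (r"^\s*enable password\b", "enable password is not hashed; 'enable secret' is"),
    (r"^\s*username \S+ password 0\b", "type 0 user password is stored in cleartext"),
    (r"^\s*ip http server\b", "management UI reachable over unencrypted HTTP"),
    (r"^\s*transport input\b.*\btelnet\b", "telnet accepted on the vty lines"),
    (r"^\s*snmp-server community \S+", "SNMP community string (v1/v2c, sent in clear)"),
]


def template_variables(text):
    """Return variable names in first-seen order (what the Form View lists)."""
    names = []
    for match in VAR_RE.finditer(text):
        name = match.group(1) or match.group(2)
        if name not in names:
            names.append(name)
    return names


def render(text, values):
    """Fill in every variable (the Preview); fail rather than leave a gap."""
    names = template_variables(text)
    missing = [n for n in names if n not in values]
    if missing:
        raise KeyError("no value supplied for: " + ", ".join(missing))
    for name in names:
        if not SAFE_VALUE.fullmatch(values[name]):
            raise ValueError(f"refusing value for {name}: {values[name]!r}")
    return VAR_RE.sub(lambda m: values[m.group(1) or m.group(2)], text)


def review(config):
    """Return (line number, line, note) for each line matching a review rule."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        for pattern, note in REVIEW_RULES:
            if re.search(pattern, line):
                findings.append((lineno, line.strip(), note))
    return findings


if __name__ == "__main__":
    print("variables:", template_variables(TEMPLATE))
    preview = render(TEMPLATE, {"hostname": "stack-template"})
    for lineno, line, note in review(preview):
        print(f"line {lineno}: {line!r}: {note}")
```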

 

 

Using the Template – User Interface

 

Templates are used in PnP rules in exactly the same way as normal configuration files.  One extra step is to fill in the variables. In this example I am going to use a pre-defined rule, but templates work with unclaimed devices as well.

 

NOTE: You do not need a specific suffix on a template file.  The controller searches the configuration file for variables, and if they are present, the file is treated as a template.

 

template-view.png

 

 

I then need to select the "Form View" to fill in the variables.  This example has only one variable, "hostname".

 

fill-in-template.png

 

 

I then need to select "Device Configuration" and scroll down to the bottom of the page to "Add" the Device. 

 

NOTE: I have also configured some stack parameters.  These are only required as I am also using a stack of switches.

 

add-rule.png

 

Now the rule has been added successfully.

 

final-rule.png

 

 

Once the switch has been provisioned you will notice the configuration file has changed.  This will be the rendered template with all of the variables filled in.

 

final.png

 

 

Using the Template – API

 

In this section I will cover the API calls that are required to use templates.  I am going to assume you have seen my earlier blogs for a detailed description of using the PnP API.

 

  I have already created a project and uploaded the configuration file.  This was covered in an earlier blog Network Automation with Plug and Play (PnP) – Part 2


 

Templates require two new APIs, "/template" and "/template-config", as shown below:

 

relationships-api.png

 

 

Here is the API call to get the "id" for the template file "3650-dhcp-template.txt".

 

https://adam-iwan/api/v1/pnp-file/config?name=3650-dhcp-template.txt GET

 

{

      "nameSpace": "config",

      "name": "3650-dhcp-template.txt",

      "downloadPath": "/file/e8682c6f-e9f7-425b-a8a7-08f37ee2bb2d",

      "fileSize": "281",

      "fileFormat": "text/plain",

      "md5Checksum": "4a733185281e17e15228d5636c921308",

      "sha1Checksum": "0bccd2be238ed74e283c198af1ed7b4291717ce3",

      "id": "e8682c6f-e9f7-425b-a8a7-08f37ee2bb2d"

      },

 

 

Configuration files that are templates will have an entry in the template table.  I need to find the template UUID from the fileId (e8682c6f-e9f7-425b-a8a7-08f37ee2bb2d).

 

https://adam-iwan/api/v1/template?fileId=e8682c6f-e9f7-425b-a8a7-08f37ee2bb2d   GET

 

{

"response": [

{

      "fileId": "e8682c6f-e9f7-425b-a8a7-08f37ee2bb2d",

      "id": "d1fd02d0-c9cf-4fad-b706-1332a891ca18"

}

],

 

 

The next step is to create a configuration file from the template. I use the UUID of the template (d1fd02d0-c9cf-4fad-b706-1332a891ca18) obtained above.

 

https://adam-iwan/api/v1/template-config  POST

 

[{"templateId":"d1fd02d0-c9cf-4fad-b706-1332a891ca18", "configProperty":{"hostname":"stack-template"}}]

 

Because this is an asynchronous operation, a task will be returned.

{

"response": {

"taskId": "8a82c03f-b746-41e6-b7b1-23be1c552ebe",

"url": "/api/v1/task/8a82c03f-b746-41e6-b7b1-23be1c552ebe"

},

"version": "1.0"

}

 

 

I need to poll the status of the task (8a82c03f-b746-41e6-b7b1-23be1c552ebe) and get the UUID of the rendered template (13c6b9cf-f91c-429d-8489-46d81263d1a2).

 

https://adam-iwan/api/v1/task/8a82c03f-b746-41e6-b7b1-23be1c552ebe   GET

{

"response": {

"startTime": 1477824534405,

"endTime": 1477824534424,

"version": 1477824534405,

"progress": "{\"message\":\"Successfully added the Ztd Template Config\",\"id\":\"13c6b9cf-f91c-429d-8489-46d81263d1a2\"}",

"serviceType": "Ztd Service",

"isError": false,

"rootId": "8a82c03f-b746-41e6-b7b1-23be1c552ebe",

"id": "8a82c03f-b746-41e6-b7b1-23be1c552ebe"

},

"version": "1.0"

}

 

 

I have successfully created a new template with the variable "hostname":"stack-template".

 

In order to create a rule in the project (named "template"), I also need the UUID of the project.

 

https://adam-iwan/api/v1/pnp-project?siteName=template  GET

 

{

      "state": "PRE_PROVISIONED",

      "siteName": "template",

      "tftpServer": "",

      "tftpPath": "",

      "deviceCount": 0,

      "pendingDeviceCount": 0,

      "provisionedBy": "admin",

      "provisionedOn": "2016-10-29 02:35:26",

      "id": "d168aa1a-bf61-46c9-b5d6-7ae4e27c48c8"

}

 

 

I can now create a rule in my project using the configuration template I created earlier.  The items in red are specifically for a stack deployment.

 

https://adam-iwan/api/v1/pnp-project/d168aa1a-bf61-46c9-b5d6-7ae4e27c48c8/device POST

[{

"hostName":"switch",

"platformId":"WS-C3650-48FQ",

"serialNumber":"FDO1735Q0G5",

"pkiEnabled":"false",

"sudiRequired":"false",

"templateConfigId":"13c6b9cf-f91c-429d-8489-46d81263d1a2",

"memberCount":"2",

"licenseLevel":"ipservices",

"eulaAccepted":"true"

}]

 

 

Again, get the task body to see the task was successful.  This also returns the UUID of the newly created rule.

 

https://adam-iwan/api/v1/task/9ba76c24-4db1-44f4-a9bd-e3f8b6507e33 GET

{

"response": {

"startTime": 1477824968481,

"endTime": 1477824968527,

"version": 1477824968481,

"progress": "{\"message\":\"Success creating new site device(rule)\",\"ruleId\":\"234f2700-62b2-4721-8780-a6ccb79900e0\"}",

"serviceType": "Ztd Service",

"isError": false,

"rootId": "9ba76c24-4db1-44f4-a9bd-e3f8b6507e33",

"id": "9ba76c24-4db1-44f4-a9bd-e3f8b6507e33"

},

"version": "1.0"

}

 

 

The User Interface shows the rule has been defined successfully.

api-provisioning.png

 

 

This can also be verified through an API call.  NOTE: the "templateConfigId" and the rule "id", which matches the ruleId returned by the task above (234f2700-62b2-4721-8780-a6ccb79900e0).

 

https://adam-iwan/api/v1/pnp-project/d168aa1a-bf61-46c9-b5d6-7ae4e27c48c8/device   GET

{

"response": [

{

      "hostName": "switch",

      "platformId": "WS-C3650-48FQ",

      "serialNumber": "FDO1735Q0G5",

      "site": "template",

      "templateConfigId": "13c6b9cf-f91c-429d-8489-46d81263d1a2",

      "pkiEnabled": false,

      "sudiRequired": false,

      "apCount": "0",

      "isMobilityController": "false",

      "memberCount": 2,

      "licenseLevel": "ipservices",

      "eulaAccepted": true,

      "state": "PENDING",

      "stateDisplay": "Pending",

      "authStatus": {

        "type": "Unknown",

        "status": "None",

        "errorMessage": null,

        "timestamp": 1477824995539,

        "certInfo": null

      },

      "aliases": [],

      "id": "234f2700-62b2-4721-8780-a6ccb79900e0"

}

],

"version": "1.0"

}

 

 

Summary

Here is a summary of the API calls above. NOTE the section in RED is the only difference compared to a standard configuration file.

 

summary-api.png
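The call sequence summarized above, as an added example that is not the author's code: it chains the lookups, decodes the task "progress" field (a JSON document stored inside a string), checks "isError", and reads the rule back to confirm its templateConfigId. The `request(method, path, body)` callable is a hypothetical transport that would carry authentication and TLS verification in real use; here a constructed stand-in replays the responses shown in this post. Treating "endTime" as the completion marker and every lookup as returning a "response" list are assumptions.

```python
import json
import time
from urllib.parse import quote


def one(request, path):
    """GET a collection and insist on exactly one match."""
    items = request("GET", path)["response"]
    if len(items) != 1:
        raise LookupError(f"{path}: expected 1 item, got {len(items)}")
    return items[0]


def task_result(request, url, attempts=10, delay=1.0):
    """Poll a task; return its 'progress' payload once it has finished."""
    for _ in range(attempts):
        task = request("GET", url)["response"]
        if task.get("isError"):
            raise RuntimeError(f"task failed: {task.get('progress')}")
        if "endTime" in task:  # assumption: endTime appears on completion
            # 'progress' is a JSON document serialized inside a JSON string.
            return json.loads(task["progress"])
        time.sleep(delay)
    raise TimeoutError(f"{url} did not finish after {attempts} polls")


def create_rule_from_template(request, file_name, site_name, variables,
                              device, delay=1.0):
    """Run the call sequence from this post; return the new ids."""
    file_id = one(request, "/api/v1/pnp-file/config?name=" + quote(file_name))["id"]
    template_id = one(request, "/api/v1/template?fileId=" + file_id)["id"]
    task = request("POST", "/api/v1/template-config",
                   [{"templateId": template_id, "configProperty": variables}])
    config_id = task_result(request, task["response"]["url"], delay=delay)["id"]
    project_id = one(request, "/api/v1/pnp-project?siteName=" + quote(site_name))["id"]
    devices = f"/api/v1/pnp-project/{project_id}/device"
    task = request("POST", devices, [dict(device, templateConfigId=config_id)])
    rule_id = task_result(request, task["response"]["url"], delay=delay)["ruleId"]
    # Read the rule back and confirm it points at the rendered template.
    stored = [d for d in request("GET", devices)["response"] if d["id"] == rule_id]
    if len(stored) != 1 or stored[0]["templateConfigId"] != config_id:
        raise RuntimeError("rule was not stored with the expected templateConfigId")
    return {"templateConfigId": config_id, "ruleId": rule_id}


# Rule body from this post, minus templateConfigId (filled in at run time).
DEVICE = {"hostName": "switch", "platformId": "WS-C3650-48FQ",
          "serialNumber": "FDO1735Q0G5", "pkiEnabled": "false",
          "sudiRequired": "false", "memberCount": "2",
          "licenseLevel": "ipservices", "eulaAccepted": "true"}


def fake_controller():
    """Constructed stand-in that replays the ids shown in this post."""
    file_id = "e8682c6f-e9f7-425b-a8a7-08f37ee2bb2d"
    template_id = "d1fd02d0-c9cf-4fad-b706-1332a891ca18"
    config_id = "13c6b9cf-f91c-429d-8489-46d81263d1a2"
    project_id = "d168aa1a-bf61-46c9-b5d6-7ae4e27c48c8"
    rule_id = "234f2700-62b2-4721-8780-a6ccb79900e0"
    task1 = "8a82c03f-b746-41e6-b7b1-23be1c552ebe"
    task2 = "9ba76c24-4db1-44f4-a9bd-e3f8b6507e33"
    polls, posted = [], []

    def request(method, path, body=None):
        if method == "POST":
            posted.append((path, body))
            tid = task1 if path.endswith("/template-config") else task2
            return {"response": {"taskId": tid, "url": "/api/v1/task/" + tid}}
        if path.startswith("/api/v1/task/"):
            polls.append(path)
            if len(polls) == 1:  # first poll: task still running
                return {"response": {"isError": False, "progress": "running"}}
            payload = {"id": config_id} if path.endswith(task1) else {"ruleId": rule_id}
            return {"response": {"endTime": 1477824534424, "isError": False,
                                 "progress": json.dumps(payload)}}
        if path.startswith("/api/v1/pnp-file/"):
            return {"response": [{"name": "3650-dhcp-template.txt", "id": file_id}]}
        if path.startswith("/api/v1/template?"):
            return {"response": [{"fileId": file_id, "id": template_id}]}
        if path.startswith("/api/v1/pnp-project?"):
            return {"response": [{"siteName": "template", "id": project_id}]}
        return {"response": [{"id": rule_id, "templateConfigId": config_id}]}

    return request, posted


if __name__ == "__main__":
    request, _ = fake_controller()
    print(create_rule_from_template(request, "3650-dhcp-template.txt", "template",
                                    {"hostname": "stack-template"}, DEVICE, delay=0))
```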

 

 

What Next?

This blog covered configuration templates for PnP, native in APIC-EM.  My next blog will cover some of the new EasyQoS API.

In the meantime, if you would like to learn more about this, you could come hang out with us in The Cisco Devnet DNA Community. We’ll have a continuous stream of blogs like this and you can ask questions and we’ll get you answers.  In addition, we have a Github repository where you can get examples related to PnP.

 

Thanks for reading,

 

  @adamradford123

Want to learn about the new hot Cisco Digital Network Architecture (DNA)?  DevNet has released a new learning track called DevNet Express for DNA which is freely available, as are all DevNet tracks, for you to learn more.  This learning track contains ten modules that are composed of thirty-two labs for your learning pleasure.

As always you work at your own pace, and there is sample code with exercises for you to do hands-on learning.  You’ll learn about DNA, then dive into its components learning about their concepts, APIs and as always you’ll have the opportunity to write and run code.  Most of the currently available modules are listed below.

We recommend that you work through these modules in the order given, especially the first four, as they cover the fundamentals of setting up your system, DNA concepts as well as REST and coding fundamentals.  As with all of the over one hundred DevNet labs, there is nothing to purchase to start and complete the labs.  All that you need is a Cisco CCO ID which can be freely obtained by going to http://www.cisco.com and clicking on the Register link.

Once you have your CCO ID, you can get started at the DevNet DNA Learning Track.

Have questions? Need technical help?  Contact us now at https://developer.cisco.com/site/devnet/support/

 

Come and learn more at DevNet!

Visit our redesigned APIC-EM portal which has greatly simplified accessing learning materials for APIs and coding! Starting on page one you’ll have easy access to learning labs as well as sample code.

 

 

We have over a dozen free learning labs, most with sample code, that will teach you how to write code and use the APIC-EM APIs.  In addition you’ll find links as shown below to our DevNet repositories that contain sample code and scripts to get you started.

 

 

On this same page we’ll point you to the latest blogs, community forum questions and answers for APIC-EM, and provide links to the sandbox where you can try out the technology at no cost!

 

 

In our documents page we’ve added a navigation bar to make finding the documentation you need much easier.  There are even video tutorials covering various APIC-EM technologies.

 

 

Come and learn more at DevNet!

Continuing the story

My initial blogs showed examples of using APIC-EM REST API to upload configuration files and create rules for PnP devices.  More recently, I showed some of the common deployment models for switches, taking into account, VLANs, management VLANs, trunks, EtherChannels etc.

This blog covers an advanced use case: EtherChannel + trunk + non-VLAN 1 (NV1) for management + non-VLAN 1 native VLAN.

 

For all of these examples I am using a 3650 switch running 16.3.1 code, but you could use versions 3.6.5 and 3.7.4 (for other platforms such as the 2960x, please see the release notes for details).

 

Make sure you do not hit any keys on the console while the switch is booting, as this can interrupt the PnP process.

 

Setup DHCP server

 

  The first thing we need is a mechanism for the switch to discover the controller.  In our examples we are going to use DHCP, but you could also use DNS etc. as covered in earlier blogs.  Here is a sample configuration for an IOS switch. The controller IP address is 10.10.10.140.  Note also the use of the "5A1D" in the option 43 string.  The "D" displays debug messages for PnP on the console of the PnP switch.


ip dhcp pool ZTD-switches

network 10.10.14.0 255.255.255.0

default-router 10.10.14.1

option 43 ascii "5A1D;B2;K4;I10.10.10.140;J80"

  remember
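A decoder for the option 43 string above, as an added example that is not part of the original post: it splits the string into its fields and reports the two settings an operator would want to know about before reusing this pool outside a lab. B2, K4, I, J and the "D" flag are decoded as shown in this post's debug log; the N, B1, B3 and K5 codes are commonly documented values included here as an assumption, and the function names are hypothetical.

```python
import ipaddress

# B2, K4, I, J and the "D" flag are decoded as in this post's debug log.
# N, B1, B3 and K5 are additional commonly documented codes (assumption here).
ADDRESS_TYPES = {"1": "hostname", "2": "ipv4", "3": "ipv6"}
TRANSPORTS = {"4": "http", "5": "https"}


def parse_pnp_option43(text):
    """Decode a PnP option 43 string such as '5A1D;B2;K4;I10.10.10.140;J80'."""
    head, *fields = text.strip().split(";")
    if (len(head) != 4 or head[:2] != "5A"
            or not head[2].isdigit() or head[3] not in "DN"):
        raise ValueError(f"not a PnP option 43 header: {head!r}")
    info = {"version": int(head[2]), "debug": head[3] == "D",
            "address_type": None, "transport": None,
            "server": None, "port": None}
    for field in filter(None, fields):
        code, value = field[0], field[1:]
        if code == "B" and value in ADDRESS_TYPES:
            info["address_type"] = ADDRESS_TYPES[value]
        elif code == "K" and value in TRANSPORTS:
            info["transport"] = TRANSPORTS[value]
        elif code == "I" and value:
            info["server"] = value
        elif code == "J" and value.isdigit() and 0 < int(value) < 65536:
            info["port"] = int(value)
        else:
            raise ValueError(f"unsupported field: {field!r}")
    if info["server"] is None:
        raise ValueError("no controller address (I field)")
    if info["address_type"] == "ipv4":
        ipaddress.IPv4Address(info["server"])  # raises ValueError if malformed
    return info


def review_option43(info):
    """Return (code, note) pairs for settings to revisit outside a lab."""
    findings = []
    if info["debug"]:
        findings.append(("debug-enabled",
                         "PnP debug messages are printed on the console of each new switch"))
    if info["transport"] == "http":
        findings.append(("cleartext-transport",
                         "traffic between the switch and the controller, which "
                         "carries the device configuration, is not encrypted"))
    return findings


if __name__ == "__main__":
    parsed = parse_pnp_option43("5A1D;B2;K4;I10.10.10.140;J80")
    print(parsed)
    for code, note in review_option43(parsed):
        print(f"{code}: {note}")
```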

 

 

EtherChannel + NV1 for management + NV1 Native

The switches are going to be connected by two links bound together in an ether-channel.

 

nv.png

 

The upstream switch needs to have an EtherChannel configured.  To avoid issues when the PnP switch first comes up, the "no port-channel standalone-disable" command is required.  If this is left out, the channel will be disabled, as it has not been configured on the PnP switch at boot up.

 

In addition the native VLAN has been set to 999.

 

The "pnp startup-vlan 14" command is required to create a new management VLAN on the PnP switch. By default VLAN 1 would be used.

 

pnp startup-vlan 14

 

interface Port-channel1

switchport trunk native vlan 999

switchport mode dynamic desirable

no port-channel standalone-disable

 

interface GigabitEthernet1/0/5

description PNP switch 3650->g1/0/1

switchport mode dynamic desirable

switchport trunk native vlan 999

channel-protocol lacp

channel-group 1 mode passive

 

interface GigabitEthernet1/0/6

description 2nd link to 3650 etherchannel test

switchport trunk native vlan 999

switchport mode dynamic desirable

channel-protocol lacp

channel-group 1 mode passive

 

 

The configuration of the PnP switch includes the EtherChannel.  It also has native VLAN of 999.

NOTE: remember to define VLAN 999 otherwise you will have issues after you deploy the configuration.

 

hostname 3650-dhcp

enable password xxx

!

username xxx password 0 xxx

!

ip http server

ip http secure-server

snmp-server community xxx RO

 

interface Port-channel1

switchport mode dynamic desirable

switchport trunk native vlan 999

no port-channel standalone-disable

!

int range g1/0/1,g1/0/3

switchport mode dynamic desirable

switchport trunk native vlan 999

channel-protocol lacp

channel-group 1 mode active

 

vlan 999

!

!

!

!

line con 0

line vty 0 4

login local

transport input ssh telnet

line vty 5 15

login local

 

 

Once the switch has booted, you will see the following log messages (remember to use the "5A1D" string as mentioned earlier to get the debugs).  Both VLAN 1 and 999 are initially blocked, but VLAN 14 is created as the management VLAN. VLAN 14 is used to communicate with APIC-EM, and you can see the switch successfully connects to the controller.

 

You will also see warning messages about the Native VLAN mismatch, and you can ignore them for now. Once the configuration is downloaded to the PnP switch, these will go away.

 


*Oct 10 22:16:27.480: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
*Oct 10 22:16:27.816: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
*Oct 10 22:16:28.414: %SYS-6-BOOTTIME: Time taken to reboot after reload =  339 seconds
*Oct 10 22:16:31.489: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
*Oct 10 22:16:31.825: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up
*Oct 10 22:16:38.810: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 999 on GigabitEthernet1/0/1 VLAN1.
*Oct 10 22:16:38.810: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/0/1 on VLAN0999. Inconsistent peer vlan.
*Oct 10 22:16:38.811: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/0/1 on VLAN0001. Inconsistent local vlan.
*Oct 10 22:16:38.811: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 999 on GigabitEthernet1/0/3 VLAN1.
*Oct 10 22:16:38.811: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/0/3 on VLAN0999. Inconsistent peer vlan.
*Oct 10 22:16:38.812: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/0/3 on VLAN0001. Inconsistent local vlan.
*Oct 10 22:16:40.072: %LINK-5-CHANGED: Interface Vlan1, changed state to administratively down
*Oct 10 22:16:47.124: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/0/3 (1), with 3850-core GigabitEthernet1/0/6 (999).
*Oct 10 22:16:47.254: %SYS-5-CONFIG_I: Configured from console by tty100
*Oct 10 22:16:47.291: %SYS-5-CONFIG_I: Configured from console by tty100
*Oct 10 22:16:50.145: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan14, changed state to up
*Oct 10 22:16:56.126: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/0/1 (1), with 3850-core GigabitEthernet1/0/5 (999).
*Oct 10 22:17:05.127: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/0/1 (1), with 3850-core GigabitEthernet1/0/5 (999).
*Oct 10 22:17:14.127: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/0/3 (1), with 3850-core GigabitEthernet1/0/6 (999).
*Oct 10 22:17:21.376: %PNPA-DHCP Op-43 Msg: Process state = READY
*Oct 10 22:17:21.376: %PNPA-DHCP Op-43 Msg: OK to process message
*Oct 10 22:17:21.377: XML-UPDOWN: PNPA_DHCP_OP43 XML Interface(102) UP. PID=279
*Oct 10 22:17:21.377: %PNPA-DHCP Op-43 Msg: _pdoon.1.ntf.don=279
*Oct 10 22:17:21.378: %PNPA-DHCP Op-43 Msg: _pdoop.1.org=[A1D;B2;K4;I10.10.10.140;J80]
*Oct 10 22:17:21.378: %PNPA-DHCP Op-43 Msg: _pdgfa.1.inp=[B2;K4;I10.10.10.140;J80]
*Oct 10 22:17:21.378: %PNPA-DHCP Op-43 Msg: _pdgfa.1.B2.s12=[ ipv4 ]
*Oct 10 22:17:21.378: %PNPA-DHCP Op-43 Msg: _pdgfa.1.K4.htp=[ transport http ]
*Oct 10 22:17:21.378: %PNPA-DHCP Op-43 Msg: _pdgfa.1.Ix.srv.ip.rm=[ 10.10.10.140 ]
*Oct 10 22:17:21.378: %PNPA-DHCP Op-43 Msg: _pdgfa.1.Jx.srv.rt.rm=[ port 80 ]
*Oct 10 22:17:21.379: %PNPA-DHCP Op-43 Msg: _pdoop.1.ztp=[pnp-zero-touch] host=[] ipad=[10.10.10.140] port=80
*Oct 10 22:17:21.379: %PNPA-DHCP Op-43 Msg: _pors.done=1
*Oct 10 22:17:21.379: %PNPA-DHCP Op-43 Msg: _pdokp.1.kil=[PNPA_DHCP_OP43] pid=279 idn=[Vlan14]
*Oct 10 22:17:21.379: XML-UPDOWN: Vlan14 XML Interface(102) SHUTDOWN(101). PID=279
*Oct 10 22:17:21.493: %DHCP-6-ADDRESS_ASSIGN: Interface Vlan14 assigned DHCP address 10.10.14.3, mask 255.255.255.0, hostname 

*Oct 10 22:17:23.129: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/0/1 (1), with 3850-core GigabitEthernet1/0/5 (999).
*Oct 10 22:17:32.130: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/0/3 (1), with 3850-core GigabitEthernet1/0/6 (999).% Generating 2048 bit RSA keys, keys will be non-exportable... got vend id vend spec. info ret: succeed
*Oct 10 22:17:39.848: %PNP-6-HTTP_CONNECTING: PnP Discovery trying to connect to PnP server http://10.10.10.140:80/pnp/HELLO
*Oct 10 22:17:39.858: %PNP-6-HTTP_CONNECTED: PnP Discovery connected to PnP server http://10.10.10.140:80/pnp/HELLO
*Oct 10 22:17:41.142: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/0/1 (1), with 3850-core GigabitEthernet1/0/5 (999).
[OK] (elapsed time was 6 seconds)
protocol on Interface Vlan14, changed state to up



 

 

Looking at the initial configuration created as a result of the "pnp startup-vlan 14" command, both active interfaces have been placed in VLAN 14. Interface VLAN 14 was created and set to use DHCP.

 

 

interface GigabitEthernet1/0/1

switchport access vlan 14

macro description CISCO_SMI_EVENT

!

interface GigabitEthernet1/0/3

switchport access vlan 14

macro description CISCO_SMI_EVENT

!

interface Vlan14

ip address dhcp

 

 

Both interfaces are in trunk mode.

 

 

Switch#show int g1/0/1 trunk

 

Port        Mode             Encapsulation  Status Native vlan

Gi1/0/1     auto             802.1q         trunking      1

 

Port        Vlans allowed on trunk

Gi1/0/1     1-4094

 

Port        Vlans allowed and active in management domain

Gi1/0/1     1,14,999

 

Port        Vlans in spanning tree forwarding state and not pruned

Gi1/0/1     14S

Switch#show int g1/0/3 trunk

 

Port        Mode             Encapsulation  Status Native vlan

Gi1/0/3     auto             802.1q         trunking      1

 

Port        Vlans allowed on trunk

Gi1/0/3     1-4094

 

Port        Vlans allowed and active in management domain

Gi1/0/3     1,14,999

 

Port        Vlans in spanning tree forwarding state and not pruned

Gi1/0/3     none

 

At this point, I now claim the device and push the configuration to it.  I could have also used a pre-defined rule, but I wanted to show the intermediate steps.

 

Looking at debugs, you can see both interfaces are up, and then the port channel comes up, after the configuration has been downloaded to the PnP switch.  Again, VLAN 14 is used for the management VLAN.

 

 


Oct 10 23:12:59.673: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Oct 10 23:12:59.689: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to down
Oct 10 23:13:00.619: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
Oct 10 23:13:00.674: %LINK-3-UPDOWN: Interface Vlan14, changed state to down
Oct 10 23:13:01.578: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
Oct 10 23:13:01.620: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up
Oct 10 23:13:01.728: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up
Oct 10 23:13:03.267: %LINK-3-UPDOWN: Interface Vlan14, changed state to up



 

 

We can see the status of the EtherChannel.  Both ports are active and part of the EtherChannel.

 

 

3650-dhcp#show etherchannel 1 port-channel

         Port-channels in the group:

         ---------------------------

 

Port-channel: Po1    (Primary Aggregator)

 

------------

 

Age of the Port-channel   = 0d:00h:17m:14s

Logical slot/port   = 12/1          Number of ports = 2

HotStandBy port = null

Port state          = Port-channel Ag-Inuse

Protocol            = LACP

Port security       = Disabled

Standalone          = Enabled (independent mode)

 

Ports in the Port-channel:

 

Index   Load   Port     EC state        No of bits

------+------+------+------------------+-----------

  0     00     Gi1/0/1  Active             0

  0     00     Gi1/0/3  Active             0

 

 

This also shows VLAN999 is now the native VLAN.

 

 

3650-dhcp#show int port-channel 1 switchport

Name: Po1

Switchport: Enabled

Administrative Mode: dynamic desirable

Operational Mode: trunk

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: dot1q

Negotiation of Trunking: On

Access Mode VLAN: 14 (VLAN0014)

Trunking Native Mode VLAN: 999 (VLAN0999)

Administrative Native VLAN tagging: enabled

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk Native VLAN tagging: enabled

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk associations: none

Administrative private-vlan trunk mappings: none

Operational private-vlan: none

Trunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001

 

Protected: false

Unknown unicast blocked: disabled

Unknown multicast blocked: disabled

Appliance trust: none

 

 

What Next?

This blog covered an advanced deployment model for network plug and play.  Other blogs in the series have covered simpler deployment models, the API, and how to automate the creation and upload of configuration files as well as the creation of rules.  In future I will cover switch stacking.

 

In the meantime, if you would like to learn more about this, you could come hang out with us in The Cisco Devnet DNA Community. We’ll have a continuous stream of blogs like this and you can ask questions and we’ll get you answers.  In addition, we have a Github repository where you can get examples related to PnP.

 

Thanks for reading,

  @adamradford123

Continuing the story

My last few blogs showed examples of using APIC-EM REST API to upload configuration files and create rules for PnP devices.

 

I am often asked about the different deployment models for switches.  There are a few different concepts to take into account, VLANs, management VLANs, trunks, EtherChannels etc.

 

If you have a very simple network with VLAN 1 for management and are not using any of the features above, PnP just works, so no need to keep reading.

 

This blog post demystifies the different deployment models for edge switches.  We will cover three basic deployment models:

  • "Flat" with non-VLAN 1 (NV1) for management
  • Trunked with NV1 for management  and a static IP address
  • Ether Channel with NV1 for management

 

 

For all of these examples I am using a 3650 switch running 16.3.1 code, but you could use versions 3.6.5 and 3.7.4 (for other platforms such as the 2960x, please see the release notes for details).

 

Make sure you do not hit any keys on the console while the switch is booting, as this can interrupt the PnP process.

 

The first thing we need is a mechanism for the switch to discover the controller.  In our examples we are going to use DHCP, but you could also use DNS etc., as covered in earlier blogs.  Here is a sample configuration for an IOS switch.  The controller IP address is 10.10.10.140.  Note also the use of the "5A1D" in the option 43 string.  The "D" displays debug messages for PnP on the console of the PnP switch.

 

 

Setup DHCP server

 

ip dhcp pool ZTD-switches

network 10.10.14.0 255.255.255.0

default-router 10.10.14.1

option 43 ascii "5A1D;B2;K4;I10.10.10.140;J80"

  remember

 

 

Let's take a look at the first of the three scenarios.

 

1. Flat deployment – NV1 for management

 

The two switches are in a "flat" configuration.  Only one VLAN is defined on the PnP switch and the management interface is in that VLAN.

#1.png

 

This is the configuration on the upstream switch. The "pnp startup-vlan 14" command is required to create a new management VLAN on the PnP switch. By default VLAN 1 would be used.

 

pnp startup-vlan 14

 

interface GigabitEthernet1/0/5

description PNP switch 3650->g1/0/1

  switchport access vlan 14

 

The configuration for the PnP switch is very simple.

 

hostname 3650-dhcp

enable password xxxx

!

username xxx password 0 xxxx

!

ip http server

ip http secure-server

snmp-server community xxx RO

!

!

!

!

line con 0

line vty 0 4

login local

transport input ssh telnet

line vty 5 15

login local

transport input ssh telnet

!

end

 

 

The debug logs show the new VLAN (14) being configured.  This happens via a CDP negotiation between the upstream switch and the PnP switch.

 


Cisco IOS Software [Denali], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.3.1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Tue 02-Aug-16 17:33 by mcpre
*Oct 6 01:24:19.193: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
*Oct 6 01:24:20.074: %SYS-6-BOOTTIME: Time taken to reboot after reload =  332 seconds
*Oct 6 01:24:20.193: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
*Oct 6 01:24:21.258: %LINK-5-CHANGED: Interface Vlan1, changed state to administratively down
*Oct 6 01:24:28.299: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/0/1 (1), with 3850-core GigabitEthernet1/0/5 (14).
*Oct 6 01:24:29.204: %SYS-5-CONFIG_I: Configured from console by tty100
*Oct  6 01:24:29.666: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan14, changed state to down
*Oct  6 01:24:52.796: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan14, changed state to up
*Oct 6 01:24:58.352: %PNPA-DHCP Op-43 Msg: Process state = READY
*Oct 6 01:24:58.352: %PNPA-DHCP Op-43 Msg: OK to process message
*Oct 6 01:24:58.353: XML-UPDOWN: PNPA_DHCP_OP43 XML Interface(102) UP. PID=359
*Oct 6 01:24:58.354: %PNPA-DHCP Op-43 Msg: _pdoon.1.ntf.don=359
*Oct 6 01:24:58.354: %PNPA-DHCP Op-43 Msg: _pdoop.1.org=[A1D;B2;K4;I10.10.10.140;J80]
*Oct 6 01:24:58.354: %PNPA-DHCP Op-43 Msg: _pdgfa.1.inp=[B2;K4;I10.10.10.140;J80]
*Oct 6 01:24:58.354: %PNPA-DHCP Op-43 Msg: _pdgfa.1.B2.s12=[ ipv4 ]
*Oct 6 01:24:58.355: %PNPA-DHCP Op-43 Msg: _pdgfa.1.K4.htp=[ transport http ]
*Oct 6 01:24:58.355: %PNPA-DHCP Op-43 Msg: _pdgfa.1.Ix.srv.ip.rm=[ 10.10.10.140 ]
*Oct 6 01:24:58.390: %PNPA-DHCP Op-43 Msg: _pdgfa.1.Jx.srv.rt.rm=[ port 80 ]
*Oct 6 01:24:58.390: %PNPA-DHCP Op-43 Msg: _pdoop.1.ztp=[pnp-zero-touch] host=[] ipad=[10.10.10.140] port=80
*Oct 6 01:24:58.390: %PNPA-DHCP Op-43 Msg: _pors.done=1
*Oct 6 01:24:58.390: %PNPA-DHCP Op-43 Msg: _pdokp.1.kil=[PNPA_DHCP_OP43] pid=359 idn=[Vlan14]
*Oct 6 01:24:58.390: XML-UPDOWN: Vlan14 XML Interface(102) SHUTDOWN(101). PID=359
*Oct 6 01:24:59.298: %PNPA-DHCP Op-43 Msg: Op43 has 5A. It is for PnP
*Oct 6 01:24:59.298: %PNPA-DHCP Op-43 Msg: After stripping extra characters in front of 5A, if any: 5A1D;B2;K4;I10.10.10.140;J80 op43_len: 28
*Oct  6 01:24:59.298: %PNPA-DHCP Op-43 Msg: _pdoon.2.ina=[Vlan14]
*Oct 6 01:24:59.298: %PNPA-DHCP Op-43 Msg: _papdo.2.cot=[5A1D;B2;K4;I10.10.10.140;J80] lot=[5A1D;B2;K4;I10.10.10.140;J80]
*Oct 6 01:24:59.298: %PNPA-DHCP Op-43 Msg: Process state = READY
*Oct 6 01:24:59.298: %PNPA-DHCP Op-43 Msg: OK to process message
*Oct 6 01:24:59.299: XML-UPDOWN: PNPA_DHCP_OP43 XML Interface(102) UP. PID=359
*Oct 6 01:24:59.299: %PNPA-DHCP Op-43 Msg: _pdoon.2.ntf.don=359
*Oct 6 01:24:59.301: %PNPA-DHCP Op-43 Msg: _pdoop.2.org=[A1D;B2;K4;I10.10.10.140;J80]
*Oct 6 01:24:59.301: %PNPA-DHCP Op-43 Msg: _pdgfa.2.inp=[B2;K4;I10.10.10.140;J80]
*Oct 6 01:24:59.301: %PNPA-DHCP Op-43 Msg: _pdgfa.2.B2.s12=[ ipv4 ]
*Oct 6 01:24:59.301: %PNPA-DHCP Op-43 Msg: _pdgfa.2.K4.htp=[ transport http ]
*Oct 6 01:24:59.301: %PNPA-DHCP Op-43 Msg: _pdgfa.2.Ix.srv.ip.rm=[ 10.10.10.140 ]
*Oct 6 01:24:59.301: %PNPA-DHCP Op-43 Msg: _pdgfa.2.Jx.srv.rt.rm=[ port 80 ]
*Oct 6 01:24:59.302: %PNPA-DHCP Op-43 Msg: _pdoop.2.ztp=[pnp-zero-touch] host=[] ipad=[10.10.10.140] port=80
*Oct 6 01:24:59.302: %PNPA-DHCP Op-43 Msg: _pors.done=1
*Oct 6 01:24:59.302: %PNPA-DHCP Op-43 Msg: _pdokp.2.kil=[PNPA_DHCP_OP43] pid=359 idn=[Vlan14]
*Oct  6 01:24:59.302: XML-UPDOWN: Vlan14 XML Interface(102) SHUTDOWN(101). PID=359
*Oct  6 01:24:59.411: %DHCP-6-ADDRESS_ASSIGN: Interface Vlan14 assigned DHCP address 10.10.14.3, mask 255.255.255.0, hostname 
% Generating 2048 bit RSA keys, keys will be non-exportable... got vend id vend spec. info ret: succeed
*Oct 6 01:25:13.341: %PNP-6-HTTP_CONNECTING: PnP Discovery trying to connect to PnP server http://10.10.10.140:80/pnp/HELLO
*Oct 6 01:25:13.351: %PNP-6-HTTP_CONNECTED: PnP Discovery connected to PnP server http://10.10.10.140:80/pnp/HELLO
[OK] (elapsed time was 9 seconds)







 

Before the configuration is applied to the switch via PnP, you can see that the CDP "pnp startup-vlan" command has completed.  It has moved the active port into VLAN 14 and created VLAN 14 on the switch and enabled DHCP.

 

Switch#show run int g1/0/1

Building configuration...

 

Current configuration : 100 bytes

!

interface GigabitEthernet1/0/1

switchport access vlan 14

macro description CISCO_SMI_EVENT

end

 

 

This shows the creation of VLAN 14, and the shutdown of VLAN1.

 

show ip int br

Interface              IP-Address      OK? Method Status                Protocol

Vlan1                  unassigned      YES unset administratively down down   

Vlan14                 10.10.14.3      YES DHCP up                    up

 

 

Once the configuration is complete, the uplink connection is in access mode using VLAN 14.  The only real change downloaded in the configuration was the switch hostname "3650-dhcp".

 

3650-dhcp#show int g1/0/1 switchport

Name: Gi1/0/1

Switchport: Enabled

Administrative Mode: dynamic auto

Operational Mode: static access

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: native

Negotiation of Trunking: On

Access Mode VLAN: 14 (VLAN0014)

 

 

2. Trunk – NV1 for management – static IP address

 

The upstream switch and PnP switch are going to be connected by a trunk port.


 

In this scenario, the upstream switch port is in trunk mode "dynamic desirable", and no VLANs are defined.

 

interface GigabitEthernet1/0/5

description PNP switch 3650->g1/0/1

switchport mode dynamic desirable

 

 

In this example, the DHCP address is going to be overwritten by a permanent static management IP address.  Note: when you do this, you also need to provide a default route (ip route 0.0.0.0 0.0.0.0 10.10.14.1), otherwise the PnP device will not be able to contact the controller after the configuration has been downloaded.

 

hostname 3650-dhcp

enable password xxxx

!

username xxx password 0 xxxx

!

ip http server

ip http secure-server

snmp-server community xxx RO

!

vlan 2222

vlan 2223

 

int vlan 14

ip address 10.10.14.100 255.255.255.0

 

ip route 0.0.0.0 0.0.0.0 10.10.14.1

!

!

line con 0

line vty 0 4

login local

transport input ssh telnet

line vty 5 15

login local

transport input ssh telnet

!

end
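The note above about the default route can be turned into a pre-flight check that runs on the configuration file before it is uploaded. This is an added example, not part of the original post or of APIC-EM: `preflight` and the two broken variants are hypothetical, the sample keeps only the relevant lines of the configuration above, and the controller address 10.10.10.140 is the one seen in the debug output earlier in the post.

```python
import ipaddress
import re

SVI = re.compile(r"int(?:erface)?\s+vlan\s*(\d+)$", re.I)
ADDR = re.compile(r"ip address (\S+) (\S+)$", re.I)   # does not match "ip address dhcp"
DEFAULT = re.compile(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", re.I)


def preflight(config, controller):
    """Return reasons the device would lose the controller once config is applied."""
    ctrl = ipaddress.ip_address(controller)
    static, next_hops, vlan = {}, [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.lower().startswith("int"):
            m = SVI.match(line)
            vlan = int(m.group(1)) if m else None   # only SVIs are tracked
        elif vlan is not None and (m := ADDR.match(line)):
            static[vlan] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := DEFAULT.match(line):
            next_hops.append(ipaddress.ip_address(m.group(1)))
    if not static:
        return []   # no static SVI address in the file: nothing to check
    nets = [iface.network for iface in static.values()]
    if any(ctrl in net for net in nets):
        return []   # controller is on-link, no route needed
    if not next_hops:
        return [f"static address on Vlan{v} but no default route to reach {ctrl}"
                for v in static]
    return [f"default route next hop {hop} is not on a configured SVI subnet"
            for hop in next_hops if not any(hop in net for net in nets)]


# Relevant lines of the configuration above, plus two constructed broken variants.
PAGE_CONFIG = """\
hostname 3650-dhcp
int vlan 14
ip address 10.10.14.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.10.14.1
end
"""
NO_ROUTE = PAGE_CONFIG.replace("ip route 0.0.0.0 0.0.0.0 10.10.14.1\n", "")
WRONG_HOP = PAGE_CONFIG.replace("10.10.14.1\n", "10.10.15.1\n")

if __name__ == "__main__":
    for name, text in (("page", PAGE_CONFIG), ("no route", NO_ROUTE), ("wrong hop", WRONG_HOP)):
        print(name, preflight(text, "10.10.10.140"))
```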

 

 

The DHCP address has been overwritten by the static address in the configuration file.

 

3650-dhcp#show run int vlan14

Building configuration...

 

Current configuration : 63 bytes

!

interface Vlan14

ip address 10.10.14.100 255.255.255.0

end

 

 

The uplink interface is in trunk mode and carries the management VLANs as well as the locally defined VLANs.

 

 

3650-dhcp#show interfaces g1/0/1  trunk

 

Port        Mode             Encapsulation  Status        Native vlan

Gi1/0/1     auto             802.1q         trunking      1

 

Port        Vlans allowed on trunk

Gi1/0/1     1-4094

 

Port        Vlans allowed and active in management domain

Gi1/0/1     1,14,2222-2223

 

Port        Vlans in spanning tree forwarding state and not pruned

Gi1/0/1     1,14,2222-2223

Protected: false

Unknown unicast blocked: disabled

Unknown multicast blocked: disabled

  Appliance trust: none

 

 

3. EtherChannel + NV1 for management

 

The switches are going to be connected by two links bound together in an ether-channel.


 

The upstream switch needs to have an ether-channel configured.  To avoid issues when the PnP switch first comes up, the "no port-channel standalone-disable" command is required.  If this is left out, the channel will be disabled, as it has not been configured on the PnP switch at boot up.

 

interface Port-channel1

switchport mode dynamic desirable

no port-channel standalone-disable

 

interface GigabitEthernet1/0/5

description PNP switch 3650->g1/0/1

switchport mode dynamic desirable

channel-protocol lacp

channel-group 1 mode passive

 

interface GigabitEthernet1/0/6

description 2nd link to 3650 etherchannel test

switchport mode dynamic desirable

channel-protocol lacp

channel-group 1 mode passive

 

 

The configuration of the PnP switch includes the EtherChannel:

 

hostname 3650-dhcp

enable password xxx

!

username xxx password 0 xxx

!

ip http server

ip http secure-server

snmp-server community xxx RO

 

interface Port-channel1

switchport mode dynamic desirable

no port-channel standalone-disable

!

int range g1/0/1,g1/0/3

switchport mode dynamic desirable

switchport trunk allowed vlan except 1

channel-protocol lacp

channel-group 1 mode active

!

line con 0

line vty 0 4

login local

transport input ssh telnet

line vty 5 15

login local

transport input ssh telnet

!

end

 

 

Looking at debugs, you can see both interfaces are up, and then the port channel comes up, after the configuration has been downloaded to the PnP switch.  Again, VLAN 14 is used for the management VLAN.

 


Oct 5 21:58:54.638: %PKI-6-PKCS12IMPORT_SUCCESS: PKCS #12 Successfully Imported.
Oct 5 21:59:07.138: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Oct 5 21:59:07.155: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to down
Oct 5 21:59:08.138: %LINK-3-UPDOWN: Interface Vlan14, changed state to down
Oct  5 21:59:09.071: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up
.Oct 5 21:59:09.094: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
.Oct 5 21:59:09.139: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan14, changed state to down
.Oct 5 21:59:09.188: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up
.Oct 5 21:59:10.085: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
.Oct 5 21:59:11.241: %LINK-3-UPDOWN: Interface Vlan14, changed state to up
.Oct  5 21:59:12.242: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan14, changed state to up






 

 

Looking at the PnP switch, we can see the Management interface is using VLAN 14 and DHCP to obtain an IP address.

 

 

3650-dhcp#show ip int br

Interface              IP-Address      OK? Method Status                Protocol

Vlan1                  unassigned      YES unset administratively down down   

Vlan14                 10.10.14.3      YES DHCP up                    up

 

 

You can also see the status of the ether-channel.  Both ports are active and are part of the ether-channel.

3650-dhcp#show etherchannel 1 port-channel

         Port-channels in the group:

         ---------------------------

 

Port-channel: Po1    (Primary Aggregator)

 

------------

 

Age of the Port-channel   = 0d:00h:27m:46s

Logical slot/port   = 12/1          Number of ports = 2

HotStandBy port = null

Port state          = Port-channel Ag-Inuse

Protocol            = LACP

Port security       = Disabled

Standalone          = Enabled (independent mode)

 

Ports in the Port-channel:

 

Index   Load   Port     EC state        No of bits

------+------+------+------------------+-----------

  0     00     Gi1/0/1  Active             0

  0     00     Gi1/0/3  Active             0

 

 

This also shows that VLAN 1 is no longer sent over the ether-channel trunk link.

 

 

3650-dhcp#show int port-channel 1 switchport

Name: Po1

Switchport: Enabled

Administrative Mode: dynamic desirable

Operational Mode: trunk

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: dot1q

Negotiation of Trunking: On

Access Mode VLAN: 14 (VLAN0014)

Trunking Native Mode VLAN: 1 (default)

Administrative Native VLAN tagging: enabled

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk Native VLAN tagging: enabled

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk associations: none

Administrative private-vlan trunk mappings: none

Operational private-vlan: none

Trunking VLANs Enabled: 2-4094

Pruning VLANs Enabled: 2-1001

 

Protected: false

Unknown unicast blocked: disabled

Unknown multicast blocked: disabled

Appliance trust: none

Time since last port bundled:    0d:00h:27m:44s    Gi1/0/3

 

 

What Next?

This blog covered three standard deployment models for network plug and play.  Other blogs in the series have covered the API and how to automate the creation and upload of configuration files, as well as the automation of rules.  In future I will cover some of the new enhancements coming in the 1.3 release, including configuration templates, native in APIC-EM.

 

In the meantime, if you would like to learn more about this, you could come hang out with us in The Cisco Devnet DNA Community. We’ll have a continuous stream of blogs like this and you can ask questions and we’ll get you answers. In addition, we have a Github repository where you can get examples related to PnP.

 

Thanks for reading,

@adamradford123