Network Infrastructure APIs

By Steven Carter, Jason King, Josh Lothian, Mike Younkers
Aug 24, 2022

␡

⎙ Print

Page 1 of 3 Next >

If network infrastructure is to become an enabler of business transformation, we need to get away from the box-by-box CLI management model. This chapter makes the case that the API is the new CLI, and explores ways that we can leverage and scale APIs.

This chapter is from the book 

Model-Driven DevOps: Increasing agility and security in your physical network through DevOps

Learn More Buy

In the preceding chapter, we explained the power of model-driven DevOps and the use of data models. To start the journey toward model-driven DevOps, your infrastructure must be consumable in a programmatic way. Therefore, in this chapter we discuss the concept of consumable infrastructure. Consumable infrastructure, simply put, is infrastructure that is interacted with through APIs via data models. Consumable infrastructure rapidly responds to the needs of an organization through APIs and platform-based simplification. As we explore later, we want to look at the network in terms of consuming services and capabilities and not just automating specific tasks. Consumable infrastructure greatly reduces the complexity of automation and makes it more accessible to operators as opposed to requiring deep programming expertise.

Automating Things to Do Stuff

When we last left Bob from ACME Corp, he was considering a new job offer from a competitor while the CIO, Haley, was just beginning to understand the true extent of Bob’s value to the company. It was clear that ACME Corp’s current methods for operating IT infrastructure were not aligned with the business’s goals of greater agility and lower risk. In fact, Haley was beginning to realize that she had a very large risk of disruption to the business if Bob left for a competitor.

Haley was becoming convinced that automating her IT infrastructure and implementing DevOps could meet her twin goals of increasing agility and lowering risk. She needed to take somebody like Bob and transform his knowledge into code while making the shift to DevOps. She knew this effort was going to be a significant amount of work, but she also knew that it was the right way forward. She would start right away.

When Bob walked into the office on Monday, he had a new meeting on his calendar with the ominous title “Network Automation Discussion.” Bob had built his career at ACME Corp through his knowledge of network design and protocols, combined with the ability to turn those designs into reality via the CLI. This was the value he brought to the company.

A couple years ago, he got excited and tried to do some simple automation using a script that would log in to a device and issue a few commands. His excitement did not last long. He quickly discovered that trying to parse the output of a list of commands was far from simple. The CLI was easy for humans to parse, but it turned out to be far trickier for a machine to understand the result of a configuration change or the output of a show command. He had to write code that would look for and parse certain language in the output. Writing this code was difficult, and even if he could do it, he knew that the CLI was different for each device in ACME Corp’s network. Writing unique code for hundreds or maybe thousands of individual devices was not something Bob had time for. The effort might pay off in the long run, but Bob had a network to operate. Like many network engineers before him, instead of investing all that time in custom language parsing code, he fell back to what had worked for the last few decades: managing every device, individually, through the command line.

Recalling his previous failed attempts, Bob was now concerned about the notion of automating network infrastructure. At the start of the meeting, Jane, Bob’s manager, laid out the grim truth to the network team. She said, “Our CIO is convinced that IT infrastructure automation will improve our efficiency, agility, and lower the risk of outages.” Like virtually every meeting involving network engineers, when the word automation was mentioned, a collective groan erupted. Jane heard comments such as “Over my dead body!” and “Not on my watch!” Bob, with a somber expression, said, “We tried that before, and it just doesn’t work.” Although, deep down, he knew he was overworked and unhappy, he had been involved in every critical change to the environment, and because developers were deploying code multiple times a day, critical changes were becoming a regular occurrence. There had to be some merit to the CIO’s automation strategy. Jane, in a firm tone, responded, “Well, what we are doing today is not working. Something needs to change. Any suggestions?” She made direct eye contact with Bob. He quickly reflected on his past automation failure and thought about what could be done to fix it. He knew that APIs are supposed to help with some of the previous issues, and even though he was not excited about learning something new, Bob offered a suggestion. “Okay, we all have had issues scripting network changes through the CLI. It is, well, painful.” He heard murmured agreement from the team. He offered a half smile and continued, “So why don’t we look at using APIs to automate our network infrastructure? Our vendors are always talking about how great APIs are.” “That is an excellent suggestion, Bob! I would like you to take the lead on this effort,” Jane replied. Bob’s smile faded. “That’s what I get for opening my big mouth,” he thought.

A week later, Bob picked up a ticket submitted by the person who manages the ACME Corp NTP servers. Due to changes occurring in the data center infrastructure, they needed to migrate the NTP servers to new IP addressing, and doing so required that the NTP server configurations on every network device be modified. He had been studying how to interact with network devices through their APIs for the last few days, and he thought that this might be a good opportunity to put his new skills to use.

After some trial and error using a tool called Postman, Bob was able to make a change through the API on one of the more modern devices in the lab. He verified that the change occurred successfully by examining the API return codes. “Success!” he shouted as he raised his fists in triumph. Then he checked the resulting configuration to find that his change only added new servers to the list instead of replacing the list. This process was going to be more complicated than he thought.

It turns out that things like simple lists are not so simple to automate without some more complicated logic to check for existing configuration. After more trial and error, he was finally able to script the process of retrieving the existing configuration, reconciling the old list with the new one, and pushing only the needed changes to the device, all via the API.

He then moved on to one of the older devices in the ACME Corp network and quickly discovered that it had no API. It was a CLI-only device. “Crud,” he thought. “It looks like I might need to automate this device some other way.” So, he looked at another common tool for network infrastructure automation called Ansible and discovered that an Ansible module supports this older device. After some trial and error with Ansible, Bob was able to make a playbook that achieved the same result on the older device, but unfortunately, it was done in a completely different tool with completely different syntax. “This is going to be ugly,” Bob thought. “Even if I somehow figure out how to automate all the different devices in whatever tool or language works for that device, I still need to figure out how to verify the results of each operation and somehow scale all these different operations to thousands of network devices. This is going to be really ugly,” he thought again. “There must be a better way.”

APIs

An application programming interface (API) is a way for two applications to interact with each other. In contrast, a command-line interface is a way for a human to interact with an application to retrieve data or make configuration changes. In the context of IT infrastructure, an API interaction is usually a two-way communication where some data is sent from an application to a device or controller platform for the purposes of retrieving operational information or making configuration changes.

APIs are a critical component of model-driven DevOps. As the name implies, model-driven DevOps makes heavy use of data models. API software on a device takes data and, using a data model to decipher that data, configures the various components of the device the way the manufacturer intended.

When network infrastructure is treated as a set of APIs, configuration consists of moving data, generally in the form of JSON or XML, between those APIs. This capability makes network operations more like cloud and application development. This type of interaction is a significant improvement over the legacy human-optimized CLI interaction.

The most common model-driven APIs for network devices use the NETCONF protocol with YANG data models. NETCONF pushes the data models encoded in XML over a secure transport layer and provides several operational advantages over CLI, including

■ Installation, manipulation, and deletion methods for configuration data
■ Multiple configuration data stores (such as candidate, running, startup)
■ Configuration validation and testing
■ Differentiation between configuration and state data
■ Configuration rollback

Why API over CLI?

For decades, network engineers have used CLIs to configure network devices. A CLI is, for the most part, an effective human-to-device interface. When it comes to automating network devices, however, a CLI is a poor computer-to-network device interface. The main reason for this is that most CLIs are meant to be human readable; therefore, most CLIs have a language-like construction that makes it easier for humans to use. Unfortunately, human languages are difficult for computers to use.

To illustrate, let’s first look at a simple example of configuring the hostname on a Cisco IOS device. We use Ansible because it is one of the most popular ways of automating network devices, but the problem we are about to describe exists with most any CLI-based method of automation. Using Ansible parlance, we describe the desired end state of the hostname of a particular device. A hostname is a great use case because it is a scalar (that is, a single value). To change the hostname, the Ansible ios_config module does a simple textual comparison of the configuration. To set the hostname using Ansible, you would use the following YAML in a playbook:

- ios_config:
    lines:
      - hostname newname

If hostname newname is not present, it sends that line to the device. Even if a different hostname is present on the target device, because hostname is a scalar, the old hostname gets replaced by the desired hostname. However, as Bob painfully discovered, a list of NTP servers is more difficult. Suppose you’ve set the NTP server to 1.1.1.1 with the following YAML:

- ios_config:
    lines:
      - ntp server 1.1.1.1

Now you want to change your NTP server to 2.2.2.2, so you modify the YAML:

- ios_config:
    lines:
      - ntp server 2.2.2.2

Simple, right? But the problem is that you would end up with two NTP servers in the configuration:

ntp server 1.1.1.1
ntp server 2.2.2.2

The reason is that the Ansible ios_config module does not see ntp server 2.2.2.2 present in the configuration, so it sends the line. However, because ntp server is a list, it adds a new NTP server instead of replacing the existing one, giving you two NTP servers (one that you do not want). To end up with just 2.2.2.2 as your NTP server, you would have to know that 1.1.1.1 was already defined as an NTP server and explicitly remove it. This is also the case with ACLs, IP prefix-lists, and any other list in IOS. The Ansible ios_config module (as well as the cli_config module) does not have a native way to describe the desired end state of something simple like NTP servers on a network device, much less something more complex like OSPF, QoS, or Multicast.

There are clearly ways to address this situation. For example, the Ansible ios_config module could be improved to know how to parse IOS syntax and look for any existing NTP server configuration and remove it, just as a human would. One problem with this approach, however, is that this more capable module would be re-implementing IOS parsing rules outside of IOS. This means that vendor changes to the IOS CLI would necessitate changes to the ios_config Ansible module, creating a maintainability problem that would often result in lagging functionality. Furthermore, this approach would need to be taken with every vendor and/or device CLI available, making this approach unscalable.

The better way is to use an API. APIs are specifically designed for programmatic configuration of devices. To illustrate the advantages of the model-driven method using an API, let’s use the netconf-console utility to get and set the NTP servers on a Cisco IOS-XE device. First, let’s see the current list of NTP servers. Listing 3-1 illustrates how to retrieve NTP configuration using netconf-console.

LISTING 3-1 Using netconf-console to Retrieve NTP Configuration

# netconf-console –host <device IP> --port 830 –user admin –password admin –db running
–get-config –xpath /native/ntp
<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
  <native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
    <ntp>
      <server xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-ntp">
        <server-list>
          <ip-address>1.1.1.1</ip-address>
        </server-list>
        <server-list>
          <ip-address>2.2.2.2</ip-address>
        </server-list>
      </server>
    </ntp>
  </native>
</data>

Although this example is a wordier rendering of the same configuration, it is deterministic. All the NTP servers and their associated configuration are organized into one section of the tree. We can deal with it as a separate entity as opposed to being thrown in at the same level with other configuration information. Also, note that we were able to ask the device for just the NTP configuration information. No parsing required.

Now let’s change the NTP servers. First, we take the previous output, change the IP address of the second NTP server, and specify that this operation should replace the server section with operation='replace'. The content of Listing 3-2 would normally go into a file named ntp.xml.

LISTING 3-2 XML to Change NTP Configuration

<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
  <ntp>
    <server xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-ntp" operation='replace'>
      <server-list>
        <ip-address>1.1.1.1</ip-address>
      </server-list>
      <server-list>
        <ip-address>3.3.3.3</ip-address>
      </server-list>
    </server>
  </ntp>
</native>

Then we can push the XML payload to the device using netconf-console, as shown in Listing 3-3.

LISTING 3-3 Using netconf-console to Change NTP Configuration

# netconf-console –host <device IP> --port 830 –user admin –password admin –db
running –edit-config ntp.xml
<ok xmlns="urn:ietf:params:xml:ns:8equire:base:1.0"
xmlns:nc="urn:ietf:params:xml:ns:8equire:base:1.0"/>

The ok in the XML response indicates that the device accepted the change. Now let’s retrieve the NTP configuration and verify the results, as shown in Listing 3-4.

LISTING 3-4 Using netconf-console to Verify Configuration Change

# netconf-console –host <device IP> --port 830 –user admin –password admin –db
running –get-config –xpath /native/ntp
<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
  <native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
    <ntp>
      <server xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-ntp">
        <server-list>
          <ip-address>1.1.1.1</ip-address>
        </server-list>
        <server-list>
          <ip-address>3.3.3.3</ip-address>
        </server-list>
      </server>
    </ntp>
  </native>
</data>

The first thing that you might notice is that this was a lot of work just to change the NTP server. In the same way that human-to-device interfaces are not optimal for computers, computer-to-device interfaces are not optimal for humans. Having a machine-friendly, deterministic, and repeatable way of making changes in the environment is the necessary foundation for effective automation. Assembling a series of programmable operations into more complex workflows is where you start to see real efficiency advantages.

Even though computer-to-device interfaces might look daunting at first and are not optimal for humans, humans still need to understand them in order to help computers use them for automation. Figure 3-1 takes a closer look at this concept. Here we take data (the list of NTP servers that should be configured) from our source of truth, encode it into a payload as defined by a data model (XML in the case of NETCONF), and send the payload to the API (NETCONF in this case).

FIGURE 3-1 Encoding Data

This generic workflow can accommodate a host of use cases and APIs. For example, we can use a RESTCONF interface by simply changing the encoding to JSON (but using the same data model) and sending it to a RESTful interface. We can even stretch this notion to CLI-only devices by taking the data, encoding it as textual configuration tailored to that device, and delivering it via SSH. This yields a flexible framework, illustrated in Figure 3-2, with the flexibility to deliver the data via any encoding to any device using any API.

FIGURE 3-2 Encoding Data for Different APIs

This approach works for physical network infrastructure, but it also works for cloud infrastructure. For example, AWS CloudFormation is just source of truth data encoded in JSON using a data model and delivered via an API using an SDK like Boto3 for Python. Therefore, thinking in this manner allows you to use the same methodology for your entire IT infrastructure.

Page 1 of 3 Next >

🔖 Save To Your Account

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Privacy Notice

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
Such marketing is consistent with applicable law and Pearson's legal obligations.
Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

As required by law.
With the consent of the individual (or their parent, if the individual is a minor)
In response to a subpoena, court order or legal process, to the extent permitted or required by law
To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
To investigate or address actual or suspected fraud or other illegal activities
To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020

Email Address