350-401 Automation

Automation Detailed Explanation

1. Automation Fundamentals

Network Programmability Basics

Traditionally, network devices are configured manually using the Command Line Interface (CLI). This method is:

• Time-consuming

• Error-prone

• Not scalable for large networks

CLI vs. Programmatic Interfaces:

Approach	Description	Pros	Cons
CLI	Manual entry of commands	Familiar, direct	Not scalable, high chance of error
APIs	Scripts send instructions via standard interfaces	Fast, consistent, automatable	Requires programming knowledge

Benefits of Automation:

Benefit	Explanation
Consistency	Automation ensures the same config is applied everywhere
Speed	Multiple devices configured at once
Reduced Human Error	Eliminates typos and misconfigurations
Scalability	Easily manages hundreds or thousands of devices
Documentation	Scripts act as self-documenting change logs

2. APIs in Network Automation

APIs (Application Programming Interfaces) allow programs to interact with network devices just like a human would via CLI — but faster, safer, and more scalable.

2.1 REST APIs (Representational State Transfer)

Core Concepts:

• Uses standard HTTP methods:

  • GET = retrieve data

  • POST = create a resource

  • PUT = update a resource

  • DELETE = remove a resource

• Returns data in JSON or XML format

• Stateless (each request is independent)

Example:

GET https://dnac.example.com/api/v1/network-device

This fetches information about network devices from Cisco DNA Center.

2.2 RESTCONF and NETCONF

Feature	RESTCONF	NETCONF
API Type	RESTful (HTTP)	XML RPC over SSH
Format	YANG + JSON/XML	YANG + XML
Protocol	HTTP/HTTPS	SSH
Use Case	Readable, web-style APIs	Structured configuration management

RESTCONF Sample URL:

GET https://router.example.com/restconf/data/ietf-interfaces:interfaces

NETCONF Example Structure:

<rpc>
  <get-config>
    ...
  </get-config>
</rpc>

These APIs are especially useful in software-defined networking and network orchestration.

3. Data Models and Formats

Modern network automation depends on standardized data models and formats to represent and exchange configuration and operational data between systems.

3.1 YANG (Yet Another Next Generation)

What is YANG?

YANG is a data modeling language used primarily with NETCONF and RESTCONF.

• It defines how data is structured (like a blueprint).

• It helps ensure consistent data models across devices and vendors.

What YANG Is Used For:

Purpose	Example
Define device config structure	Interface name, IP address
Enable validation	Ensures values are within expected range
Drive APIs	NETCONF & RESTCONF both rely on YANG

YANG Conceptual Example:

container interface {
  leaf name { type string; }
  leaf ip-address { type inet:ipv4-address; }
}

This defines an interface object with name and ip-address.

3.2 JSON (JavaScript Object Notation)

Features:

• Lightweight

• Human-readable

• Used in REST APIs

JSON Example:

{
  "hostname": "R1",
  "ip": "192.168.1.1"
}

3.3 XML (eXtensible Markup Language)

Features:

• More verbose than JSON

• Used in NETCONF

• Better for structured and hierarchical data

XML Example:

<device>
  <hostname>R1</hostname>
  <ip>192.168.1.1</ip>
</device>

3.4 YAML (YAML Ain’t Markup Language)

Features:

• Indentation-based (like Python)

• Used in Ansible playbooks

• Easier to read than JSON or XML for configs

YAML Example:

- name: Configure interface
  ios_config:
    lines:
      - interface Gig1
      - description Configured by Ansible

Comparison Table

Format	Readability	Use Case	Example Tool
JSON	High	REST APIs	Postman, DNA Center
XML	Moderate	NETCONF	NETCONF agents
YAML	Very High	Automation scripts	Ansible
YANG	N/A (not data)	Model definition	NETCONF, RESTCONF

4. Configuration Management Tools

These tools allow engineers to automate device configurations across multiple devices consistently, quickly, and with rollback capabilities. They reduce the need to log in to each device manually.

4.1 Ansible

What is Ansible?

Ansible is an open-source automation engine used for configuration management, software deployment, and task automation. It is agentless, meaning it does not require any software to be installed on network devices.

Key Features:

Feature	Benefit
Agentless	Uses SSH to connect; no software needed on the device
Uses YAML	Simple, readable syntax (called “playbooks”)
Modules	Supports Cisco-specific modules like ios_config, ios_command
Idempotent	Re-running the same playbook won't reapply unchanged configs

Sample Ansible Playbook:

- name: Configure interface
  hosts: routers
  gather_facts: no
  connection: network_cli

  tasks:
    - name: Add description to Gig1
      ios_config:
        lines:
          - interface GigabitEthernet1
          - description Configured by Ansible

Common Modules for Cisco:

Module	Description
ios_config	Sends configuration commands
ios_command	Executes show/debug commands
ios_facts	Gathers interface/OS/version facts
ios_banner	Configures login banners

4.2 Puppet and Chef (Awareness Only)

Puppet and Chef are configuration management tools mostly used in server environments, not primarily for network devices.

Puppet:

• Declarative model (define desired state, Puppet ensures it)

• Uses agents installed on managed nodes

• Common in Linux and cloud server environments

Chef:

• Ruby-based configuration scripts

• Also agent-based

• Used more by DevOps teams than network engineers

Why Less Common in Networking:

Reason	Explanation
Agents not supported	Most switches/routers don't allow custom agent installation
Focus	More server-oriented than network-oriented
Complexity	Higher learning curve and setup overhead compared to Ansible

Summary of Configuration Tools

Tool	Use Case	Agent Required?	Language/Format
Ansible	Network device config	No	YAML
Puppet	Server config (mostly)	Yes	Puppet DSL
Chef	Server/app deployment	Yes	Ruby DSL

5. Scripting Basics with Python

Python is a powerful, human-readable programming language that’s widely used for network automation because of its simplicity, vast libraries, and community support.

5.1 Python Overview

Why Use Python in Networking?

Advantage	Explanation
Readable	Easy to learn and maintain
Multi-vendor	Works across Cisco, Juniper, Arista, etc.
Library support	Many modules created specifically for network tasks
Integrates with APIs	Can easily call REST APIs for DNA Center, Meraki, etc.

5.2 Common Python Libraries for Networking

Netmiko

• Built on Paramiko

• Simplifies SSH connections to network devices

• Includes built-in support for Cisco IOS, NX-OS, ASA, and many others

Paramiko

• Lower-level SSH library for Python

• Allows custom control over SSH sessions

• Used internally by tools like Netmiko

NAPALM (Network Automation and Programmability Abstraction Layer with Multivendor support)

• Unified API to manage different vendors (Cisco, Juniper, etc.)

• Can retrieve and push configurations

• Offers functions like get_facts(), compare_config(), load_merge_candidate()

5.3 Example Python Script (Using Netmiko)

Here’s a script that connects to a Cisco router and runs show ip interface brief.

from netmiko import ConnectHandler

device = {
    'device_type': 'cisco_ios',
    'ip': '192.168.1.1',
    'username': 'admin',
    'password': 'cisco123',
}

net_connect = ConnectHandler(**device)
output = net_connect.send_command('show ip interface brief')
print(output)

Explanation:

Line	Function
ConnectHandler	Establishes SSH session
send_command()	Sends a CLI command
print(output)	Displays the result in the console

Sample Output:

Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     192.168.1.1     YES manual up                    up
GigabitEthernet0/1     unassigned      YES unset  administratively down down

Summary of Python Tools

Library	Function	Ideal Use
Netmiko	SSH automation	CLI-driven devices
Paramiko	Custom SSH sessions	Low-level control
NAPALM	Multi-vendor automation	Config validation and pushing

6. Cisco DNA Center APIs

Cisco DNA Center (DNAC) is a centralized, intent-based controller used to automate and manage enterprise networks. Its APIs allow external applications and scripts to interact with and control the network programmatically.

6.1 Intent-Based Networking (IBN)

What is Intent-Based Networking?

IBN focuses on what you want the network to do, not how it’s done.

Instead of configuring individual CLI commands, you:

• Define the desired outcome (intent)

• DNA Center translates that into device-specific configurations

• Verifies and maintains the intent using real-time data and telemetry

Key Use Cases of DNA Center APIs:

Use Case	Description
Inventory	Retrieve info about all network devices
Configuration Templates	Deploy standard configs to multiple devices
Topology Discovery	See how devices are physically/logically connected
Path Trace	Visualize traffic paths end-to-end
Client Health Analytics	Monitor endpoint performance and connectivity

6.2 API Authentication

To interact with DNAC's REST APIs, you must authenticate using Bearer tokens.

Token Authentication Workflow:

1. Send a POST request with username/password

2. Receive an access token

3. Use the token in all future requests via HTTP Authorization header

Example: Obtain a Token (Python code)

import requests
import json

url = "https://dnac.example.com/dna/system/api/v1/auth/token"
headers = {"Content-Type": "application/json"}
auth = ("admin", "password")

response = requests.post(url, auth=auth, headers=headers, verify=False)
token = response.json()["Token"]

Example: API Call With Token

headers = {
    "Content-Type": "application/json",
    "X-Auth-Token": token
}

url = "https://dnac.example.com/dna/intent/api/v1/network-device"
response = requests.get(url, headers=headers, verify=False)
print(response.json())

Example Response (Truncated):

[
  {
    "hostname": "Switch-1",
    "managementIpAddress": "10.10.20.1",
    "platformId": "C9300-24UX"
  }
]

Summary of DNA Center API Essentials

Feature	Purpose
Token-based Auth	Secure access to REST API
Intent APIs	Device config, monitoring, templates
Programmability	Enables automation, compliance checks, and provisioning

7. Telemetry & Event Streaming Integration

Modern networks must be proactive, not reactive. Traditional polling methods (like SNMP) are often too slow and inefficient to detect real-time issues. Telemetry pushes data continuously, giving real-time visibility into the network.

Model-Driven Telemetry (MDT)

What is MDT?

Model-Driven Telemetry is a push-based method for exporting telemetry data from network devices to external collectors (e.g., monitoring or analytics platforms).

Push vs Pull (SNMP):

Method	Description	Limitation
Polling (SNMP)	NMS asks device for data periodically	Delays, CPU overhead
Streaming (Telemetry)	Device sends data in real time	Lower delay, more scalable

Benefits of Telemetry:

Benefit	Description
Low latency	Near real-time updates
Efficiency	Reduces polling load
Structured data	Works with YANG models
Customizable	You choose which data to export and how often

Telemetry Protocols and Technologies

Protocol	Description
gRPC (Google Remote Procedure Call)	Lightweight, high-performance protocol for telemetry
Kafka	Event streaming platform for high-volume, real-time data
InfluxDB	Time-series database — perfect for telemetry metrics
Grafana	Dashboard/visualization platform for InfluxDB and others

gRPC with Telemetry – How It Works:

1. Router collects telemetry data

2. Exports it using gRPC protocol

3. Data is received and stored in InfluxDB

4. Visualized using Grafana

Use Case Example:

• Monitor CPU and interface utilization every second

• Stream updates to InfluxDB

• Display live graphs of trends and thresholds using Grafana

Summary of Streaming Telemetry

Component	Role
gRPC	Sends telemetry data
YANG	Defines data structure
InfluxDB	Stores telemetry data
Grafana	Displays visual dashboards

8. Automation Use Cases

This section highlights real-world applications of automation in enterprise networks. These are the kinds of tasks that automation tools and APIs make faster, safer, and more consistent — reducing human error and manual effort.

8.1 Auto-Provisioning of Switches and Routers

What It Means:

Automatically apply initial configuration to new devices the moment they connect to the network.

Tools & Technologies:

• Cisco PnP (Plug and Play): Zero-touch deployment for IOS devices

• Ansible or DNA Center API to apply baseline configs

Use Case Example:

A new switch is powered on → it gets IP via DHCP → connects to DNA Center → downloads its pre-defined configuration template.

8.2 Configuration Compliance Checks

What It Means:

Automatically compare device configurations to golden templates or security baselines to detect unauthorized changes.

Tools:

• NAPALM: compare_config() function

• Ansible: check_mode to preview changes

• DNA Center APIs: Config audits and compliance scans

Use Case Example:

Daily job scans all routers → flags a device with outdated SNMP community string or missing password encryption.

8.3 Network-Wide Rollback or Patch Deployment

What It Means:

Apply configuration updates (or rollbacks) across multiple devices in a controlled and automated way.

Tools:

• Ansible Playbooks: Push changes to dozens of devices in parallel

• Python scripts with Netmiko/NAPALM

• DNA Center Templates for atomic rollback

Use Case Example:

An update breaks connectivity. A rollback playbook automatically restores previous config to all affected switches.

8.4 Dynamic Path Optimization in SD-WAN

What It Means:

Automatically reroute traffic in SD-WAN based on application performance metrics like latency, jitter, or loss.

Tools:

• Cisco vManage (Viptela SD-WAN)

• Performance SLAs tied to policy-based routing

• APIs for monitoring and tuning path selection

Use Case Example:

Voice traffic is automatically shifted from a congested MPLS link to an internet tunnel without human intervention.

Summary of Use Cases

Use Case	Description	Tools Involved
Auto-Provisioning	Zero-touch config of new devices	Cisco PnP, DNA Center
Compliance Check	Detect config drift	NAPALM, Ansible, DNA APIs
Rollback / Patch	Automate large config changes	Ansible, Python, DNA
SD-WAN Optimization	App-aware traffic routing	vManage, policy APIs

Automation (Additional Content)

1. Advanced Ansible Concepts

Roles Structure

Ansible roles help organize playbooks into reusable, modular components.

Role Directory Example:

roles/
  configure_router/
    tasks/
    handlers/
    vars/
    templates/

• tasks/: contains main task definitions (e.g., main.yml)

• handlers/: triggered by tasks on change

• vars/: stores variable definitions

• templates/: for Jinja2 templates

Use Case: Simplifies code reuse across multiple projects.

Dynamic Inventory

Instead of static hosts files, dynamic inventory pulls host data from:

• Cloud APIs (AWS, Azure, GCP)

• Databases or custom scripts

• Service registries (e.g., NetBox)

ansible-inventory --list -i aws_ec2.yml

Dynamic inventory enables real-time scaling and accuracy.

Check Mode and Diff Mode

• --check: Runs playbook in dry-run mode. Shows what would change.

• --diff: Shows line-by-line config difference.

ansible-playbook play.yml --check --diff

Helpful for audit compliance and pre-deployment validation.

2. Python Script Enhancements

Exception Handling

Avoid crashes by using try-except blocks.

try:
    response = requests.get(url)
except requests.exceptions.RequestException as e:
    print(f"Request failed: {e}")

Essential for stable automation scripts.

Status Code Validation

Check HTTP response status:

if response.status_code == 200:
    print("Success")
else:
    print(f"Failed with code {response.status_code}")

Ensures API responses are validated before processing.

Logging Module

Instead of print statements:

import logging
logging.basicConfig(filename='script.log', level=logging.INFO)
logging.info("Task started")

• Supports log levels: DEBUG, INFO, WARNING, ERROR

• Useful for debugging, auditing, and postmortem analysis

Argument Parsing (argparse)

Allows parameterized script execution:

import argparse
parser = argparse.ArgumentParser()
parser.add_argument("--device", required=True)
args = parser.parse_args()

Run with:

python script.py --device 192.168.1.1

Makes scripts reusable across devices or environments.

3. API Security & Best Practices

Token Expiration Handling

Always check token validity:

if token_expired():
    refresh_token()

Build automated re-authentication logic for long-lived automation jobs.

SSL Verification

Instead of verify=False (not secure), use:

verify='/path/to/cacert.pem'

Enforces certificate-based trust, protects against MITM attacks.

Rate Limiting and Retry Logic

Use backoff strategies:

for attempt in range(3):
    response = requests.get(url)
    if response.status_code == 429:
        time.sleep(2 ** attempt)
    else:
        break

• 429 = Too Many Requests

• Helps handle API burst limits and network jitter

4. Cisco DNA Center – Deep Use Cases

Event Subscription API (Webhooks)

Enable external systems to receive event notifications:

• Device down

• Client health degraded

• Policy violation

These can trigger automated remediation scripts or ServiceNow tickets.

Template Editor and Variable Injection

Use placeholders in templates:

interface {{ interface_name }}
 description {{ description }}

Populate dynamically via API or inventory.

Enhances scalability and customization in deployments.

ITSM Integration (e.g., ServiceNow)

DNA Center can trigger or update tickets in IT systems:

• Auto-generate incident from network event

• Link remediation results back to ticket

• Support full lifecycle automation

5. Telemetry and Visualization Enhancements

Telemetry Collector Architecture

Flow:
Cisco Device → gRPC → Collector → InfluxDB → Grafana

This architecture shows how telemetry data is streamed, stored, and visualized.

gNMI Protocol

• gRPC Network Management Interface

• Successor to NETCONF/RESTCONF

• Supports streaming and configuration

• Widely used in modern, vendor-neutral telemetry setups

Subscription Modes

Mode	Description
OnChange	Sends data only when value changes
Periodic	Sends data at fixed intervals (e.g., every 10 seconds)

Knowing the mode improves resource planning and performance tuning.

6. Automation End-to-End Workflows

Complete Scenario Example

1. Discover Devices: via Cisco DNA Center API

2. Push Config: via Ansible or Template API

3. Verify State: using Python/Ansible validation playbooks

4. Compliance Check: NAPALM compare_config()

5. Log/Report: Push results to log or dashboard

This structure enables repeatable and auditable automation pipelines.

CI/CD Integration

Apply DevOps principles to networks:

• Git: Source control for templates and playbooks

• Jenkins: Automate:

  • Playbook testing (--check)

  • Deployment triggers (e.g., after approval)

  • Compliance validation post-deployment

This elevates network automation maturity for enterprise-grade environments.