Do We Need Network Programmability?

Jsicuran left this comment on my You Must Understand the Fundamentals to Be Successful blog post:

I just went through some Cisco webinar where they were showcasing the use of NX-OS API and Python to add a VLAN. I do some Python myself and have used that API for some simple DevOps-like uses, but for the most part if you are an enterprise and use Prime DCIM to add VLANs, why should you go through the coding process?

It obviously depends on where you are in your IT automation journey.

If you're still deploying everything by hand, and your server administrators handcraft VMs from ISO images, then DCIM is the way to go. It gives you a somewhat consistent view of your data center, and you can deploy something like a VLAN across multiple boxes without ever logging into one.

I’ve seen environments where it takes weeks if not months to deploy a new VM because so many teams have to touch it. Don’t get me started…

If, however, your server/application people have moved further along their path toward DevOps, they might get annoyed that they can deploy a VM in 5 seconds while it still takes dozens of GUI clicks to get a new VLAN deployed (see also the story of my exasperation when I was forced to deal with a storage GUI). In those environments, the need to program networking devices becomes pretty urgent.

To learn more about the first steps of network automation, watch the free Network Programmability 101 webinar (also part of the free Introduction to SDN bundle).


  1. I wish VTPv3 was implemented on NXOS. For the typical DC, that would have solved the VLAN issue... ;)
  2. There is a difference between configuration based programmability, where config level constructs are being instantiated into the network element and thus influence the state, and state based programmability, where the actual state is being touched directly, bypassing the configuration constructs. For the former case, a programmatic API indeed is another form of CLI, and while it has its own benefits, it still depends and relies on and is bound by the capabilities and procedures of the underlying configuration components. While the latter approach allows for the flexibility to bypass the configuration completely and deal with the actual state directly. Here it becomes programmable in the direct sense of the word - the state is injected or modified by the programming entity, and the configuration component of the element does not influence the process. Can this lead to potential conflicts? Certainly, it can and it does. It is just a powerful tool, and it certainly can be abused. However, even in such a misuse scenario reverting back to a sane state is less complex (just discard the programmed and derived state instead of trying to remove configuration fragments).
  3. Could someone give a concrete example of network programmability in action? I think it's always explained in a theoretical sense in a way that it will cure all evils, but we don't see a concrete implementation. To me it sounds like scripting changes to allow network resource provisioning for non-network teams. It sounds good, but I think you will still have to have a solid foundation to build this on.
    1. How about ;)

      As for "resource provisioning for non-network teams", look at numerous Neutron plugin implementations.

      Finally, totally agree that "you need a solid foundation to build this on", but as usual the vendor marketers are telling everyone who's willing to listen that fairies and unicorns will make it work.
  4. Hi Ivan, I am new to the DevOps concept. In my small world, I would like to do things as below, using a script if it's available:

    1. Run a script from Ubuntu or any Linux machine which opens up an SSH session to my Nexus 7k or 5k switch. Go to Ethernet1/10 and make it switchport access vlan 10, switchport mode access.
    2. A second script should do validation like "show int eth1/10" sh run int e1/10 and print the output to an email group called [email protected]

    If I do this automation in my small world, I can skip waking up at 4 AM in the morning every alternate day and have the script do its work, so that I can spend my time on other projects of my company.

    Is this doable via Python? My switches are running 5.1.0 or 5.2.0 IOS for 7k and 5k. I need to know whether Python is compatible with that IOS.
    Please provide me guidance for this.

    visio chambers
    1. Yes, this is definitely very doable in Python, and it might be even simpler if you'd use Ansible.

      Alternatively, you could use Puppet or Chef on Nexus switches to get the job done.
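
The two steps asked about in the last comment thread, as an added Python example that is not code from the post or its commenters: it builds the interface commands from validated input and checks constructed `show running-config interface` output against the intent. The function names and the sample output are assumptions, and the SSH transport is left to whatever library or tool (such as the Ansible option mentioned in the reply) carries the commands.

```python
import re

# Only the Ethernet<slot>/<port> form from the comment is accepted, so free
# text (newlines, extra commands) can never reach the CLI session.
IFACE_RE = re.compile(r"Ethernet\d{1,3}/\d{1,3}")


def build_access_port_config(interface, vlan):
    """Step 1: return the CLI lines, rejecting malformed names and VLAN IDs."""
    if not isinstance(interface, str) or not IFACE_RE.fullmatch(interface):
        raise ValueError(f"unexpected interface name: {interface!r}")
    if type(vlan) is not int or not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan!r}")
    return [
        "configure terminal",
        f"interface {interface}",
        "switchport mode access",
        f"switchport access vlan {vlan}",
        "end",
    ]


def verify_access_port(show_run, interface, vlan):
    """Step 2: compare 'show running-config interface' text with the intent.
    Returns a list of problems; an empty list means the port matches."""
    lines = [ln.strip() for ln in show_run.splitlines() if ln.strip()]
    problems = []
    if f"interface {interface}" not in lines:
        problems.append(f"no 'interface {interface}' stanza in output")
    # Assumption: a setting equal to the device default (access mode, VLAN 1)
    # may be omitted from the output, so its absence is not a mismatch.
    modes = [ln.split()[-1] for ln in lines if ln.startswith("switchport mode ")]
    if any(mode != "access" for mode in modes):
        problems.append(f"port mode is {modes}, expected access")
    vlans = [ln.split()[-1] for ln in lines if ln.startswith("switchport access vlan ")]
    if vlans != [str(vlan)] and not (vlan == 1 and not vlans):
        problems.append(f"access VLAN is {vlans or 'unset'}, expected {vlan}")
    return problems


# Constructed sample output, not captured from a real switch.
SAMPLE_SHOW_RUN = """\
interface Ethernet1/10
  switchport mode access
  switchport access vlan 10
"""

if __name__ == "__main__":
    print("\n".join(build_access_port_config("Ethernet1/10", 10)))
    print(verify_access_port(SAMPLE_SHOW_RUN, "Ethernet1/10", 10) or "port matches intent")
```

A non-empty result from `verify_access_port` is what the second script would mail to the operations group instead of raw command output.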