Solved: Cat 9300 Restconf - create vlan

p.weeks · ‎06-13-2022

Hi!

I want to automate the configuration of vlans across a network based on Catalyst 9300 and Nexus 9XXX switches. I have enabled restconf on all the switches and I am able to look at the configuration. I have developed a python script for the Nexus switches that will add a vlan to the switch if it doesn't exist and I am looking to do the same for the catalyst 9300. However I can't find anything that seems to work. I have seen several suggestions using the Cisco-IOS-XE-native yang model but using a get for https://<host>/restconf/data/Cisco-IOS-XE-native pulls the configuration but it doesn't include the vlan database. So adding vlan to the end of the previous url returns a 204, no body or data. The Cisco-IOS-XE-vlan-oper pulls data but is a read only model. The Cisco-IOS-XE-vlan I can't get to return any sensible data and I get a 404 back from the switch.

Any suggestions?

Andrea Testino · ‎06-17-2022

Peter,

I just tested out of my own curiosity without specifying port :443 in the URL thinking some odd bug indeed; however, my responses are still complete/correct.

I then tested the URL you shared (which returns the entire configuration) but in my case, I do see the VLAN DB as part of the JSON response. It is right after the VRF/DNS portions in the body:

        "vlan": {
            "Cisco-IOS-XE-vlan:vlan-list": [
                {
                    "id": 171,
                    "name": "CiscoForum"
                },
                {
                    "id": 172,
                    "name": "DevTest"
                },
                {
                    "id": 173,
                    "name": "Example"
                },
                {
                    "id": 4000,
                    "name": "AppHosting-VLAN"
                }
            ]
        },

I'll upgrade my C9K to 17.6.3 to make sure there's no behavioral changes there. Having that said:

1 - What do your headers look like for the GET request?

2- Could you share your Python script and/or CURL/Postman outputs? (want to make sure we are apples to apples)

Below my sample:

import requests

url = "https://10.10.20.100/restconf/data/Cisco-IOS-XE-native:native"

payload={}
headers = {
  'Accept': 'application/yang-data+json, application/yang-data.errors+json',
  'Authorization': 'Basic ZGV2ZWxvcGVyOkMxc2NvMTIzNDU='
}

response = requests.request("GET", url, headers=headers, data=payload)

print(response.text)

Thanks!

- Andrea, CCIE #56739 R&S

View solution in original post

Andrea Testino · ‎06-22-2022

Peter,

Excellent -- Great catch on VTP not being in transparent mode.

I did some testing and research internally, and below are some technical details in case you're curious:

VLAN information is returned over netconf/restconf/yang if the device is booted up with VTP mode as transparent or off (as you noted)
Generally speaking, Catalyst devices boot up as VTP server, so as you mentioned, this would need to be changed to transparent mode as the very first step before creating any VLANs (assuming VTP is not actually being used in the network...If it is.. Well... !!)

With regards to YANG models:

The config model naturally returns the VLANs that are configured via the CLI by a user and thus make their way into a show run (this is why you could not see them, it makes sense)
The Oper model, however, will give all the VLANs that are -operational- on the switch.
The two above were done this way to attempt and hide the nuances from the old vlan.dat conundrum.

This is the current implementation of VLANs for all IOS-XE

Some VTP nuances:

With VTP server or client mode running Version 1 or 2, VLANs up to 1005 will not be displayed under the `show run` even if configured.
VTP Version 3 supports all VLANs; therefore, none of the VLANs "learned" in Server/Client mode would appear in the `show run.`

TLDR;

If VTP Server or Client mode is prevalent in the network, stick to Version 1 or 2 and use VLANs above 1005 such that they are displayed in the running configuration, and you could get away with only using the Config model.
If VTP Version 3 is used in the network, it must be in Transparent mode or "off."
- I would not particularly trouble myself with either of these two. I am just noting here to illustrate the differences.

Path forward:

A good "workaround" in your case would be to use the Oper model instead, which returns -operational- data instead of -configuration- data.

GET https://{{ip_address}}/restconf/data/Cisco-IOS-XE-vlan-oper:vlans/vlan

Example:

Here I have a Catalyst 9300 switch in VTP mode server (off box) in VTP version 1. I configured VLANs 5 and 7, knowing that they would not show in the show run based on the nuances above (VTP version1/2 will only show them in the show run if > 1005)

C9K-Dev-Test#show vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 701f.53b9.6d80
Configuration last modified by 10.201.168.181 at 6-22-22 12:43:37
Local updater ID is 10.201.168.181 on interface Gi0/0 (first layer3 interface found)

Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
Configuration Revision : 2
MD5 digest : 0x45 0x29 0x47 0xB6 0x5E 0x8B 0xF3 0xAF
0xE0 0x3E 0xE8 0xBE 0xB2 0xC8 0xD0 0x49

Confirming they are not shown within the show run (as they are below 1005):

C9K-Dev-Test#show run | sec vlan
vlan 1010
name Test-1010
vlan 1200
name Test-1200

Confirming VLAN 5 and 7 are operational/configured:

C9K-Dev-Test#show vlan brief

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
<snip>
5 Test-5 active
7 Test-7 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
1010 Test-1010 active
1200 Test-1200 active

GET Request @ https://{{ip_address}}/restconf/data/Cisco-IOS-XE-vlan-oper:vlans/vlan. We can see VLAN ID 5 and 7 respectively (as well as others I added past 1005 for this test)

atestini@ATESTINI-M-26WU YANG % curl -k --request GET 'https://10.201.168.181/restconf/data/Cisco-IOS-XE-vlan-oper:vlans/vlan' \
--header 'Accept: application/yang-data+json, application/yang-data.errors+json' \
--header 'Authorization: Basic YWRtaW46Y2lzY28hMTIz'
{
  "Cisco-IOS-XE-vlan-oper:vlan": [
    {
      "id": 1,
      "name": "default",
      "status": "active",
      "vlan-interfaces": [
        {
          "interface": "GigabitEthernet1/0/1",
          "subinterface": 0
          ## snipping output here for brevity ##
 ]
    },
    {
      "id": 5,
      "name": "Test-5",
      "status": "active"
    },
    {
      "id": 7,
      "name": "Test-7",
      "status": "active"
    },
    {
      "id": 1002,
      "name": "fddi-default",
      "status": "suspend"
    },
    {
      "id": 1003,
      "name": "token-ring-default",
      "status": "suspend"
    },
    {
      "id": 1004,
      "name": "fddinet-default",
      "status": "suspend"
    },
    {
      "id": 1005,
      "name": "trnet-default",
      "status": "suspend"
    },
    {
      "id": 1010,
      "name": "Test-1010",
      "status": "active"
    },
    {
      "id": 1200,
      "name": "Test-1200",
      "status": "active"
    }
  ]
}

Hope this helps achieve your use-case!

- Andrea, CCIE #56739 R&S

View solution in original post

bigevilbeard · ‎06-13-2022

@p.weeks this should work i think https://github.com/jeremycohoe/restconf-catalyst-3850

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

p.weeks · ‎06-13-2022

Hi!
I found that page and indeed he first url does produce a list of configured vlans but it is a read only url and I can't create a new vlan using that url.

Regards Peter

bigevilbeard · ‎06-13-2022

The other example i found was https://github.com/CiscoDevNet/restconf-examples/tree/master/restconf-samplecode/vlans

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

p.weeks · ‎06-13-2022

Hi!
Unfortunately, this creates a vlan interface as in int vlan. I want to create a layer 2 vlan ie standard ios vlan 20, name my_vlan. Another I notice in some of these examples is the difference in the url. I am using restconf/data/Cisco-IOS-XE etc whilst the example you sent uses api/running/native which didn't appear to work on the switch I am testing on.

bigevilbeard · ‎06-13-2022

@p.weeks take a look at Yang Suite https://developer.cisco.com/yangsuite/ might help too. I do not have a 9300 to test with, so mostly guessing here, but saw this `data/Cisco-IOS-XE/native/native:vlan/vlan-list=100`

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

p.weeks · ‎06-14-2022

Hi!
The url you sent with a little modification works fine on a Catalyst 3650 but not on the 9300 models. I am trying to get the yang suite to work. It's a shame most of the examples for IOS XE are based on the CRS products.
Peter

Alexei Monastyrnyi · ‎03-06-2023

Hi!

Thanks for the link, it was a good start for me.

Is there any Catalyst 9000 RESTCONF documentation where I could find similar and more? Fro example, how to configure LACP on Catalyst 90000 with help of RESTCONF?

TIA

Alexei.

p.weeks · ‎03-17-2023

Hei Alexei

There are two ways to find what your looking for, the easy way is to configure what your after on a switch and then do a get to the switch using restconf/data/native. This should present you with the whole config and you can use the bit you need. Alternatively install Cisco's yangsuite some where and use that a look up. Again use the Cisco-IOS-XE-native yang model as your start point.

I hope this helps.

Peter

Andrea Testino · ‎06-17-2022

Hi Peter,

Not sure if this is what you are looking for but sharing in hopes it helps:

Using the following Catalyst 9K & XE version:

cat9k#show module
Switch Ports Model Serial No. MAC address Hw Ver. Sw Ver.
------ ----- --------- ----------- -------------- ------- --------
1 65 C9300-48T XXXXXXXXXXX acf5.e65d.e580 V02 17.03.03

Sample VLAN configured:

cat9k#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
4000 AppHosting-VLAN                  active    Gi1/0/1

Confirming I can see this via RESTCONF:

GET https://{{ip_address}}}:443/restconf/data/Cisco-IOS-XE-native:native/vlan

Response:

{
    "Cisco-IOS-XE-native:vlan": {
        "Cisco-IOS-XE-vlan:vlan-list": [
            {
                "id": 4000,
                "name": "AppHosting-VLAN"
            }
        ]
    }
}

Adding three new VLANs for testing purposes via RESTCONF. VLAN 171, 172 and 173.

POST https://{{ip_address}}:443/restconf/data/Cisco-IOS-XE-native:native/vlan

Body:

{
  "Cisco-IOS-XE-vlan:vlan-list": [
    {
      "id": 171,
      "name": "CiscoForum"
    },
    {
      "id": 172,
      "name": "DevTest"
    },
    {
      "id": 173,
      "name": "Example"
    }
  ]
}

Confirming the three new VLANs, plus the previously existing VLAN (4000), appear in the response body:

Via RESTCONF:

GET https://{{ip_address}}}:443/restconf/data/Cisco-IOS-XE-native:native/vlan

Response:

{
    "Cisco-IOS-XE-native:vlan": {
        "Cisco-IOS-XE-vlan:vlan-list": [
            {
                "id": 171,
                "name": "CiscoForum"
            },
            {
                "id": 172,
                "name": "DevTest"
            },
            {
                "id": 173,
                "name": "Example"
            },
            {
                "id": 4000,
                "name": "AppHosting-VLAN"
            }
        ]
    }
}

Via CLI:

cat9k#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
<snip>

171  CiscoForum                       active
172  DevTest                          active

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
173  Example                          active
4000 AppHosting-VLAN                  active    Gi1/0/1

Is this what you were looking for?

- Andrea, CCIE #56739 R&S

p.weeks · ‎06-17-2022

Hei Andrea

Thats exactly what I'm looking for however the only real difference I can see between the URL you are using and the one I am using is the port 443, which is the default for https anyway. I was using software 17.3.4 when I posted this but I have since upgraded to 17.6.3. without any effect. I have even tried NETCONF as well. What I am not seeing which I assume you are, is if i send the follwoing url.

GET https://<ip address>/restconf/data/Cisco-IOS-XE-native:native

I should get back the entire configuration including the vlans, however I don't get the vlan sub section in the json response.

I have tried the same url on a cat 3650 and a cat 9200 and the url works, so I guess I'm hitting a bug og some other problem on my cat 9300. I am using a cat C9300-48P.

Peter

Andrea Testino · ‎06-17-2022

Peter,

I just tested out of my own curiosity without specifying port :443 in the URL thinking some odd bug indeed; however, my responses are still complete/correct.

I then tested the URL you shared (which returns the entire configuration) but in my case, I do see the VLAN DB as part of the JSON response. It is right after the VRF/DNS portions in the body:

        "vlan": {
            "Cisco-IOS-XE-vlan:vlan-list": [
                {
                    "id": 171,
                    "name": "CiscoForum"
                },
                {
                    "id": 172,
                    "name": "DevTest"
                },
                {
                    "id": 173,
                    "name": "Example"
                },
                {
                    "id": 4000,
                    "name": "AppHosting-VLAN"
                }
            ]
        },

I'll upgrade my C9K to 17.6.3 to make sure there's no behavioral changes there. Having that said:

1 - What do your headers look like for the GET request?

2- Could you share your Python script and/or CURL/Postman outputs? (want to make sure we are apples to apples)

Below my sample:

import requests

url = "https://10.10.20.100/restconf/data/Cisco-IOS-XE-native:native"

payload={}
headers = {
  'Accept': 'application/yang-data+json, application/yang-data.errors+json',
  'Authorization': 'Basic ZGV2ZWxvcGVyOkMxc2NvMTIzNDU='
}

response = requests.request("GET", url, headers=headers, data=payload)

print(response.text)

Thanks!

- Andrea, CCIE #56739 R&S

p.weeks · ‎06-20-2022

Hei Andrea

I have found the solution. It's not the url or restconf that's the problem. I tested on another switch and I noticed that vlans over 1005 where displayed in the configuration and the vlan container. Looking at my original switch the sh running on the switch doesn't show any vlans either. The solution appears to be to disable vtp og put it in transparent mode and then the vlans appear. The only issue I had after doing this was that the vlan names didn't display so I recommend disabling vtp before enabling restconf.

Do you know of a yang model that access the vlan database and not the configuration?

Andrea Testino · ‎06-22-2022

Peter,

Excellent -- Great catch on VTP not being in transparent mode.

I did some testing and research internally, and below are some technical details in case you're curious:

VLAN information is returned over netconf/restconf/yang if the device is booted up with VTP mode as transparent or off (as you noted)
Generally speaking, Catalyst devices boot up as VTP server, so as you mentioned, this would need to be changed to transparent mode as the very first step before creating any VLANs (assuming VTP is not actually being used in the network...If it is.. Well... !!)

With regards to YANG models:

The config model naturally returns the VLANs that are configured via the CLI by a user and thus make their way into a show run (this is why you could not see them, it makes sense)
The Oper model, however, will give all the VLANs that are -operational- on the switch.
The two above were done this way to attempt and hide the nuances from the old vlan.dat conundrum.

This is the current implementation of VLANs for all IOS-XE

Some VTP nuances:

With VTP server or client mode running Version 1 or 2, VLANs up to 1005 will not be displayed under the `show run` even if configured.
VTP Version 3 supports all VLANs; therefore, none of the VLANs "learned" in Server/Client mode would appear in the `show run.`

TLDR;

If VTP Server or Client mode is prevalent in the network, stick to Version 1 or 2 and use VLANs above 1005 such that they are displayed in the running configuration, and you could get away with only using the Config model.
If VTP Version 3 is used in the network, it must be in Transparent mode or "off."
- I would not particularly trouble myself with either of these two. I am just noting here to illustrate the differences.

Path forward:

A good "workaround" in your case would be to use the Oper model instead, which returns -operational- data instead of -configuration- data.

GET https://{{ip_address}}/restconf/data/Cisco-IOS-XE-vlan-oper:vlans/vlan

Example:

Here I have a Catalyst 9300 switch in VTP mode server (off box) in VTP version 1. I configured VLANs 5 and 7, knowing that they would not show in the show run based on the nuances above (VTP version1/2 will only show them in the show run if > 1005)

C9K-Dev-Test#show vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 701f.53b9.6d80
Configuration last modified by 10.201.168.181 at 6-22-22 12:43:37
Local updater ID is 10.201.168.181 on interface Gi0/0 (first layer3 interface found)

Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
Configuration Revision : 2
MD5 digest : 0x45 0x29 0x47 0xB6 0x5E 0x8B 0xF3 0xAF
0xE0 0x3E 0xE8 0xBE 0xB2 0xC8 0xD0 0x49

Confirming they are not shown within the show run (as they are below 1005):

C9K-Dev-Test#show run | sec vlan
vlan 1010
name Test-1010
vlan 1200
name Test-1200

Confirming VLAN 5 and 7 are operational/configured:

C9K-Dev-Test#show vlan brief

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
<snip>
5 Test-5 active
7 Test-7 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
1010 Test-1010 active
1200 Test-1200 active

GET Request @ https://{{ip_address}}/restconf/data/Cisco-IOS-XE-vlan-oper:vlans/vlan. We can see VLAN ID 5 and 7 respectively (as well as others I added past 1005 for this test)

atestini@ATESTINI-M-26WU YANG % curl -k --request GET 'https://10.201.168.181/restconf/data/Cisco-IOS-XE-vlan-oper:vlans/vlan' \
--header 'Accept: application/yang-data+json, application/yang-data.errors+json' \
--header 'Authorization: Basic YWRtaW46Y2lzY28hMTIz'
{
  "Cisco-IOS-XE-vlan-oper:vlan": [
    {
      "id": 1,
      "name": "default",
      "status": "active",
      "vlan-interfaces": [
        {
          "interface": "GigabitEthernet1/0/1",
          "subinterface": 0
          ## snipping output here for brevity ##
 ]
    },
    {
      "id": 5,
      "name": "Test-5",
      "status": "active"
    },
    {
      "id": 7,
      "name": "Test-7",
      "status": "active"
    },
    {
      "id": 1002,
      "name": "fddi-default",
      "status": "suspend"
    },
    {
      "id": 1003,
      "name": "token-ring-default",
      "status": "suspend"
    },
    {
      "id": 1004,
      "name": "fddinet-default",
      "status": "suspend"
    },
    {
      "id": 1005,
      "name": "trnet-default",
      "status": "suspend"
    },
    {
      "id": 1010,
      "name": "Test-1010",
      "status": "active"
    },
    {
      "id": 1200,
      "name": "Test-1200",
      "status": "active"
    }
  ]
}

Hope this helps achieve your use-case!

- Andrea, CCIE #56739 R&S

p.weeks · ‎06-22-2022

Hei Andrea

Thanks for the info very useful if some what irritating. My purpose was to add a vlan to the configuration and the vlan-oper doesn't allow that as suggested by the name. What is also irritating is that if vlans don't appear in the configuration you can't post a request to the switch to update a vlan. If the switch is a vtp server (default) the you should be allowed to create vlans. I also noted that you can't turn off vtp using rest as being deafult the vtp section doesn't appear in the configuration.

Via cli you have the possibility to issue show configuration all which shows all the defaults and should at least include vtp. The Cisco-IOS-XE-native should ideally collect that configuration and not the non default config. This would make things a lot easier. It would be useful if the yang model mention it in the documentation or description field that vtp needs to be off or transparent mode.

Thanks again for the information.

Peter