my cheat sheet on CML a.k.a. VIRL

1 Cisco Modelling Labs, CML 2.2.2

CML is what VIRL used to be. VIRL2 is an old name. So CML install steps, and logs etc. might still be referring to VIRL. That is OK.

CML is a virtual machine, in my case running in VMWare Fusion on my macbook. I have been using my wired USB ethernet adapter plugged into my Meraki MX68. You can use wireless too, but my hosts and everything as set to use the wired connection, so keep it this way.sysadmin

CML user	password	ip addr	Network
sysadmin	rollingkarts	`192.168.11.66`
	used where?	update this ip	`Meraki`
		addr as needed	WIFI and `purple ethernet`
admin	see keychain	192.168.2.107	Bell wired
	for CML		via `green ethernet`
virbr0		192.168.255.1	"unmanaged switch"
			notice that it is
			NOT on the Meraki
			network.
bridge0		192.168.2.107	"external net"
		on Bell	also the console's
		192.168.11.x	ip address after
		on `Meraki`	bootup

1.1 http ports to access CML:

port	Function	Notes	User:passwd
	`192.168.11.66`	VM must	#ERROR
80	CML VM console	be running	see keychain
	`main GUI`	Fusion	for CML
8080	`Breakout`	breakout ui	sysadmin:
	127.0.0.1:8080	command must	tod0withcarts
	* recommend only using	be running
	breakouts when needed
	(use ssh instead)
9090	`Cockpit`	Fusion	sysadmin:
	CentOS sysadmin access	VM must be	r0llingCarts
	192.168.2.107	running
	can use bash too

port	Function	Notes	User:passwd
	192.168.11.66	VM must	admin:
	as per CML VM console	be running	see keychain for
`80`	main `GUI` access to `CML`	Fusion	cml
`8080`	`Breakout`	`breakout ui`	sysadmin:
	127.0.0.1:8080	command must	todowithcarts but note
		be running	3 no pardaugavas dzied
`9090`	`Cockpit`	Fusion	sysadmin:
	CentOS sysadmin access	VM must be	rollingrollingcarts
	192.168.2.107:9090	running	You can also
			ssh for sysadmin
			?

CML boots a CentOS / RHEL server, uname -a is 4.18.0-80.11.2.e18_0.x86₆₄ as of Dec 2021 4.18.0-3053.1.e18.x86₆₄ (June 1, 2021) which is old too, because 4…. is now out.

2 Setup

2.1 Interfaces on CML VM

bridge0 : the "external" interface for the CML vm ip address 192.168.2.107 (if on Bell wifi) ip address 192.168.11.66 (if on Meraki wired) ip address 192.168.2.35 (if on Bell router)
This is the address that connect the admin web pages The breakout should use the vm host ip address 192.168.2.70 but I found I used 127.0.0.1:8080 to get the breakout ui

This 192.168.2.0 network is also what ip addresses are leased by my Meraki dhcp server for the mgt vrf interfaces on each device connecting in to the "external" cloud.
ens160 : the virtual port connected to "bridge0"

virbr0 : don't know but has ip address 192.168.255.1/24
virbr0-nic : don't know, but has no ip addr

tunnel…

2.2 External Connectivity for ssh/netconf/restconf etc.:

I have a bridged external connection, into a lab L2 virtual switch called 'mgt' That switch connects to each devices Gig0/3 port which is in the mgt vrf. Finally, each lab device mgt vrf interface is set to ip address dhcp, so that my Meraki MX68 can lease out ip addresses to each CML node.

See the aliases for the above configs section, for the currently issued ip address leases.

Also, you DON'T need to run the entire lab if you won't use all devices. However, as a minimum you need to have the following running (hit the "play" icon against each of these devices and only those devices will start.

Also, you DON'T need to run the entire lab if you won't use all devices. However, as a minimum you need to have the following running (hit the "play" icon against each of these devices and only those devices will start.

unmanaged switch 0
ext-conn-0

2.3 Mgt network configuration

Since configured each gig0/0 to be connected to the unmanaged switch and subsequently the external connection I setup these gig0/0 interfaces in the mgt vrf and configured them to get their ip address via dhcp, which ends up being my meraki switch, on the same networks as my laptop. That way I have direct ssh connectivity to each node, as they are on the same ip subnet.

   hostname r5
   aaa new-model

   vrf definition ZP-mgt-vrf
    address-family ipv4
    int gig0/0
    
   username ansible privilege 15 password 0 sedemo

   interface GigabitEthernet0/0
    ip address dhcp
    no shut
   !
   ip route vrf ZP-mgt-vrf 0.0.0.0 0.0.0.0 192.168.11.1

   ip ssh time-out 60
   ip ssh authentication-retries 2
   ip ssh version 2
   !
   line vty 0 4
    privilege level 15
    transport input ssh

=========
   aaa new-model

   vrf definition ZP-mgt-vrf
    address-family ipv4
    int gig0/0
    
   username ansible privilege 15 password 0 sedemo

   interface GigabitEthernet0/0
    ip address dhcp    # or assign it as a static.  up to you.
    no shut
   !
   ip route vrf ZP-mgt-vrf 0.0.0.0 0.0.0.0 192.168.11.1

   ip ssh time-out 60
   ip ssh authentication-retries 2
   ip ssh version 2
   !
   line vty 0 4
    privilege level 15
    transport input ssh

=========

2.4 Generate public/private key pairs for Cisco router

Before you can ssh, the node needs to have a public/private key generated. You already have a host name, and the ip domain-name set. Good. Those are needed for ssh keys. Obviously you need to have ip addressing and ip routing configured and running correctly. The final pieces are the keys. Generate those as follows:

config t
  hostname r1

  ip domain-name zintis.net
  no ip domain-lookup  # to keep console sessions snappy (does not lookup names)

  crypto key generate rsa
  !  when prompted gen a key with 1024 or greater bits for ssh v2

exit

A couple of related show commands:

show ip ssh
show crypto engine
show crypto identity
show crypto key mypubkey all   ***
show crypto key pubkey-chain rsa
show crypto key pubkey-chain rsa vrf ZP-mgt-vrf
show crypto key pubkey-chain rsa
show crypto map
show crypto sockets
show crypto ?

Of particular use is:

show crypto key mypubkey all
show crypto key mypubkey all

If that shows no keys, you haven't generated the keys yet. So, you then run:

crypto key generate rsa
crypto key generate rsa

Obviously from the console, because you haven't been able to ssh to the device until your keys are generated.

2.5 Error after generating a new crypto key

On the router the above commands generated a new crypto key. But if your computer had previously ssh'd into the router, it will have stored the old key in the ~/.ssh/known-hosts file and it won't match. You'll get an error:

$ ssh r3
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:J+U4Wv93amO4aD8AOqvGtHVrIljj/0qrjq/A+s5go2M.
Please contact your system administrator.
Add correct host key in /Users/zintis/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/zintis/.ssh/known_hosts:16
RSA host key for r3 has changed and you have requested strict checking.
Host key verification failed.

To fix that simply remove the offending line from ~/.ssh/known-hosts

Should also create a default gw like so:

ip default-gateway 192.168.11.1

If you run into trouble check out the docs on cisco.com

2.6 aliases for the above configs

Obviously I had to first let the routers boot up and connect to the network in order for them to get their ip address via dhcp lease. Once that was done I could source this file to setup aliases for myself. Note the use of ansibe as the username, as obviously I am setting up ssh in order to automate the configuration of my router nodes in my cml lab using ansible running on my laptop.

Here is the alias file when on Bell's wired network, that you can source.

. ~/bin/python/venv-pyats/cml/set-ssh-alias

alias r0='ssh ansible@192.168.2.98'
alias r1='ssh ansible@192.168.2.94'
alias r2='ssh ansible@192.168.2.100'
alias r3='ssh ansible@192.168.2.102'
alias r4='ssh ansible@192.168.2.103'
alias r5='ssh ansible@192.168.2.92'

Here is the alias file when on Meraki MX68 wired network, that you can source.

. ~/bin/python/venv-pyats/cml/set-ssh-alias

alias r0='ssh ansible@192.168.11.68'
alias r1='ssh ansible@192.168.11.67'
alias r2='ssh ansible@192.168.11.69'
alias r3='ssh ansible@192.168.11.71'
alias r4='ssh ansible@192.168.11.70'
alias r5='ssh ansible@192.168.11.72'
vrf definition

And here is my topology related to the configs above.

2.7 ssh_config changes for cml routers

This change on your Linux host:

/etc/ssh_config or on your Macbook PRO:
/etc/ssh/ssh_config

That would be for system wide ssh config defaults. Otherwise, you can edit ~/.ssh/config to change your own user defaults

Make this addition to your file and you will be able to ssh to these five routers (r0 to r5) without having to specify the user. i.e. you can say ssh r3 and not ssh ansible@r3 and also get the supported cyphers and exchange parameters set for each of these hosts. And no others.

Host r0
  Ciphers 3des-cbc,aes128-ctr,aes192-ctr,aes256-ctr
  KexAlgorithms +diffie-hellman-group-exchange-sha1
  User ansible

Host r1
  Ciphers 3des-cbc,aes128-ctr,aes192-ctr,aes256-ctr
  KexAlgorithms +diffie-hellman-group-exchange-sha1
  User ansible

Host r2
  Ciphers 3des-cbc,aes128-ctr,aes192-ctr,aes256-ctr
  KexAlgorithms +diffie-hellman-group-exchange-sha1
  User ansible

Host r3
  Ciphers 3des-cbc,aes128-ctr,aes192-ctr,aes256-ctr
  KexAlgorithms +diffie-hellman-group-exchange-sha1
  User ansible

Host r4
  Ciphers 3des-cbc,aes128-ctr,aes192-ctr,aes256-ctr
  KexAlgorithms +diffie-hellman-group-exchange-sha1
  User ansible

Host r5
  Ciphers 3des-cbc,aes128-ctr,aes192-ctr,aes256-ctr
  KexAlgorithms +diffie-hellman-group-exchange-sha1
  User ansible

see man ssh_config for details and all the options. (at least on Mac OSX) Not sure on a Linux host.

Actually, when I try this I get partial success. Yes my user "ansible" is automatically specified for me, but no, I still get prompted for a password for use ansible. (I have not yet copied the ansible user's public key to the router as I don't know if routers behave like linux hosts in this regard)

2.8 Resetting password

Don't forget the sysadmin password. It is for maintaining the linux server itself. The admin password for the CML application (web access) is different, and in fact not a user in /etc/passwd file at all.

If you forget the CML admin password, you can "factory reset" the CML application where you will then be given a new user database, with user "cml" and password "cml2". Use that to login, then create the admin user, logout, login as admin, then delete cml user. This is documented here: see question 4 and 5

Other nodes have default usernames and passwords as follows:

Node Type	Default Username	Default Password
Server	cisco	cisco
Alpine	cisco	cisco
Ubuntu	ubuntu	cisco
CoreOS	cisco	cisco
Desktop	cisco	cisco
NX-OS	Prompted at first boot	Prompted at first boot
NXOS 9000	Prompted at first boot	Prompted at first boot

2.9 Reference Platform Image, REFPLAT ISO

While the REFPLAT ISO is not required to deploy Cisco Modeling Labs v2.x and boot it up, you will not be able to add nodes to labs until you do. If you mount the REFPLAT ISO after booting up the CML server, you will need to restart the CML services before they will recognize that the ISO is present.

The refplat iso is available to download from the same page where you got your cml .ova file, on https://learningnetworkstore.cisco.com/myaccount However, the "lastest" version of CML might not have a refplat iso if there were no changes from the previous reference platforms. All you have to do is download the refplat iso from a previous version, i.e. 2.2.1 (when 2.2.2 has no refplat).

Once that is downloaded, map that .iso to your IDE CDROM drive on the CML vm.

2.10 Additional Installation Questions

Good link for likely scenarios you may run into is at developer.cisco.com

3 Running CML

Start VMware Fusion, check how much memory and CPU you have allocated to CML then, start the VM.

After your VM is running, access CML via a web browser to the address that appears in your VM console. Typically there is no need to login to VM itself. So, in my case I hope a browser to:

https://192.168.2.107 (user admin) as appears on VM console (note: port 8080, 9090, and the usual 80 are available depending on what you have running.)

port	Function	Notes
`80`	main `GUI` access to `CML`	Fusion
	192.168.11.66	VM must
	as per CML VM console	be running
`8080`	`Breakout`	`breakout ui`
	127.0.0.1:8080	command must
		be running
`9090`	`Cockpit`	Fusion
	CentOS sysadmin access	VM must be
	192.168.11.66:9090	running

You can also access the "cockpit" which is a sysadmin interface to the CML VM where you can start and stop the service, do upgrades etc. This is NOT the UI that you normally would use. The cockpit is accessible via browser to:

https://192.168.2.107:9090 (user sysadmin)

You will get a CentOS login window where you use your sysadmin account to login.

Figure 3: Cisco Modelling Labs, CML Cockpit

4 My cml config.yaml file

My cml directory is part of the pyats project is in ~/bin/python/venv-pyats/cml

Here is my config.yaml file. This controls how cml is setup and how I can access the web interface to CML. The controller is the VM that is running in VMware Fusion. That VM has to be running. Then I can use it by opening a web page to the "controller" address. This is the "bridge0" interface ip address

console_start_port: 9000
controller: https://192.168.2.107   # 11.66 when on wifi
extra_lf: false
lab_config_name: labs.yaml
listen_address: 127.0.0.1
password: #######
populate_all: true
ui_server_port: 8080
username: admin
verify_tls: false
vnc_start_port: 5900

4.1 Generating a config.yaml file

To generate this config file, see the next section: Saving configs

4.2 My cml config.yaml file

My cml directory is part of the pyats project is in ~/bin/python/venv-pyats/cml

console_start_port: 9000
controller: https://192.168.2.107  # 11.66 when on wifi.
extra_lf: false
lab_config_name: labs.yaml
listen_address: 127.0.0.1
password: XXXXXXXXXX
populate_all: true
ui_server_port: 8080
username: admin
verify_tls: false
vnc_start_port: 5900

Consoles will then start at port 9000 (i.e. terminal server ports, so you can telnet 127.0.0.1 9001 for the first console, etc. I create a file you can source that generates these aliases:

Before you can use these aliases, you should confirm that breakout run mapped the correct port. Do that with:

while these parameters can be set in this config.yaml file, the values set in environmental variables take precedence. Feel free to set these, maybe as a bash script called set-cml-environment.sh

5 Saving configs

You can save a lab to a YAML file, but it won't neccessarily contain the router and switch configs, unless you first go to the nodes tab, then select all nodes and then extract configs That will take a while as CML is doing a show run on each of your nodes. Only then should you go to Simulate and download the lab. Then you will have the lab setup that includes the configs rather than just what node is connected to what node.

So, summarizing, run these steps:

run the ansible playbook to copy running-config to startup config
- ansible-playbook cml-pb1-wr-mem.yml
from the web admin page
- nodes tab
- select all ~nodes
- extract configs
- simulate tab
- download lab

This will download what to your downloads directory (wherever your browser saves files), as filename Zint-cml.yaml

6 ssh from mac terminal

You can ssh to the outside ethernet console port of the CML controller. Then get a command prompt and run list to see what network you want to connect to, then open /labname/node/console for example open /r5bc2141/n2/0

Then you can have a terminal session open to each console, and switch between them.

7 cml interface to pyATS

Here is the pyATS.org file that is obviously related.

8 CML Breakout tool

Note: the Breakout tool is to get you remote console access to each node in your simulation. If you have properly set up external connectiviy through a unmanaged switch and the ext-conn-0 cloud connector, then you should be able to ssh to each running node across your local network. So, for example I can run ansible on my macbook pro, that can then ssh to each node across the local network directly. If that is working (and it does) then pyATS would use the same network connectivity to each node. The pyATS inventory file can reflect this "in-band networking" style connection and not have to fiddle with the Breakout tool, (which in my opinion is more clunky)

breakout {config | init | ui | run} The Breakout Tool is key to this working, as the pyATS testbed.yml file can give you ip addresses, and username/password details, but pyATS has to be able to reach these devices. For that to happen you must use the CML Breakout Tool. This is downloadable from cisco for the particular platform you are running. For Mac OSX the link is Download from local CML server

Download from local CML server (Bell wired)
Download from local CML server (Meraki wifi)
If this link does not work, it is because the CML VM running in Fusion has got a different ip address. Find out what address that is and open the updated page. https://192.168.2.35/breakout/breakout-macos-x86_amd64 https://192.168.2.107/breakout/breakout-macos-x86_amd64

This downloads breakout-macos-x86_amd64 to my downloads folder. This is a Mach-O 64-bit executable x86₆₄ file. Move it to your venv-pyATS/bin directory and set the permissions chmod 740 on it. Then run it on your Mac OSX in the background, and use a web page to localhost (127.0.0.1) to manage it. See venv-pyATS/cml directory for some cheats and my own scripts that use this.

8.1 breakout

Before you can run it you must config it, so these in the following order

breakout config
breakout init
breakout ui
breakout run

8.2 Config Breakout Tool

8.2.1 1) `./breakout-macos-x86_amd64 config`

This execution option creates a default server configuration file called config.yaml. The file can then be modified later, based on your needs (i.e., modification of the controller’s hostname or IP address).

I then edited to match the ip address of my cml local VM. It also lets you set environment variables for user and passwords and others… Here is my config.yaml file which was saved in the venv-pyats/bin directory as that was where I ran the breakout program.

# breakout default configuration file
# - 'username' and 'password' for authentication
# - replace hostname 'cml-controller.cml.lab' with your IP or FQDN
# - set an empty 'listen_address' to listen globally
#
# zintis notes: I downloaded my specific CML lab beforehand as
# "Route-redistribtion-lab-zp.yml" and moved to to the pyATS venv
# root directory.  I then refer to that below as "lab_config_name"
# I don't think I needed that.  Also changed listen_address from
# '[::1]' '127.0.0.1'
#
# Known environment variables:
#
# BREAKOUT_USERNAME
# BREAKOUT_PASSWORD
# BREAKOUT_CONTROLLER
# BREAKOUT_LISTEN_ADDRESS
# BREAKOUT_UI_SERVER_PORT
# BREAKOUT_CONSOLE_START_PORT
# BREAKOUT_VNC_START_PORT
# BREAKOUT_LAB_CONFIG_NAME
# BREAKOUT_POPULATE_ALL
# BREAKOUT_VERIFY_TLS
# BREAKOUT_EXTRA_LF
#

console_start_port: 9000
controller: https://192.168.2.35/        # important to remove the trailing /
controller: https://192.168.2.107     # like this.
extra_lf: false
lab_config_name: Route-redistribution-lab-zp.yaml
listen_address: '127.0.0.1'        # I changed this from '[::1]'
password: Cisco0123!               # the admin password
populate_all: false
ui_server_port: 8080
username: admin
verify_tls: false           # important to have this false
vnc_start_port: 5900

I had moved my Route-redistribution-lab-zp.yaml file into /bin/python/venv-pyats/yaml directory

And I made the editting changes to specify 192.168.2.35 as my cml host.

Once I got this working using the config usernames and passwords, I deleted those lines and tested using the environment variables.

export BREAKOUT_USERNAME=admin export BREAKOUT_PASSWORD= export BREAKOUT_CONTROLLER export BREAKOUT_LISTEN_ADDRESS export BREAKOUT_UI_SERVER_PORT export BREAKOUT_CONSOLE_START_PORT export BREAKOUT_VNC_START_PORT export BREAKOUT_LAB_CONFIG_NAME export BREAKOUT_POPULATE_ALL export BREAKOUT_VERIFY_TLS export BREAKOUT_EXTRA_LF

8.2.2 2) `./breakout-macos-x86_amd64 init`

Run this second.

This execution option uses the information in the server configuration file, connects to the controller and retrieves information about running labs and creates a file called labs.yaml (you can do this from the ui pages as well) It will recreate the labs.yaml file every time you run a breakout init

You will see this in response:

./breakout-macos-x86_amd64 init
get simplified node definitions from controller...
get active VNC keys from controller...
get active console keys from controller...
get all the labs from controller...
get all the nodes for the labs from controller...
get nodes for lab bcfd4e from controller...
config written.

And an overwritten labs.yaml file. Note: breakout init will create node names like n1, n2, ... You can edit this to make it to your liking, like router1, switch1, ... (But I have not tested this.)

8.2.3 3) `./breakout-macos-x86_amd64 ui`

This execution option will start a web based UI for the creation and modification of the server configuration file.

The UI is then available by default on port TCP/8080 of the local host. Open a browser with this URL: http://localhost:8080/. The port and listen address can be configured via the command line or the configuration file.

The use of the UI is the easiest way to use the CML 2 utility while learning the server and lab configuration file format.

Once connectivity can be established to the server, % the lab configuration file can be created / modified through the GUI. A retrieval of the active labs can be accomplished, and then the serial ports for active nodes for that lab can be enabled / disabled as needed. % the server is localhost

Again, I had trouble with invalid certificates until I said -noverifytls or set it in the gui (under config tab) from localhost:8080

Once on the localhost breakout ui, you can go to the "labs" tab and refresh the controller to get active labs from the cml server. They have to be active labs, otherwise you get an emply labs.yml file generated.

If the lab is indeed active then you should get a lab.yml that you can then use as a testbed.yml (I believe) in your pyats scripts. It took some time before all nodes were "green" and active in my six node lab called Route-redistribution-lab-zp.yaml

Once I refreshed the localhost breakout labs page, I saw my one lab. It was "off" though, so I clicked it "on". I think that just means it opens up ports for pyATS to use (or indeed any other terminal) So, the next quiestion is: what are the connection details for each of my six routers?

9 Breakout tool Connection details for cml

Once the breakout ui is running and the lab is turned "on" I click the actual lab link in my breakout (i.e. http://127.0.0.1:8080/#/labs/bcfd4e ) Then I see the details of each of the router nodes (and switch nodes)

I can then generate a pyATS testbed.yml for all of my nodes running in CML. Maybe the lab.yml file will have that too?

No, it did not. But either way, each router in my simulation had a specific port reserved in the "labs" tab of the breakout ui I then used telnet to the ip address and port specified. Of course if the router did not accept telnet, it would not work. So, I had to go onto each console in CML, and add the following to line vty 0 2 ; transport input telnet or transport input all

Once that was done I was in.

9.0.1 Telnet quit

Remember that to quit the telnet session use C-] which will show you a telnet> prompt at which point you can type quit

9.0.2 aliases for R1, R2, …, R5

I set up aliases that you can source when wanting to remote connect to each node. This is through sourcing the file: source ~~/bin/python/venv-pyats/cml/set-breakout Obviously the ports may have to be modified according to the active ports produced by . http://127.0.0.1:8080

This should be updated to reflect using native network across a mgt vrf and not break-outs. (Unless really needed breakouts set-cml-aliases file that I don't have set up yet.)

9.0.3 Reminder: re ip vrf mgt

Setting a port on the router to be in a mgt vrf is done like this:

config t
ip vrf forwarding
ip vrf mgt

  description zintis out of band mgt

ip name-server 208.67.222.222
ip name-server 208.67.220.220

hostname r5 

int gig 0/0
ip vrf forwarding mgt
end

ip route vrf mgt 0.0.0.0 0.0.0.0 192.168.255.1  (the ip addr of the bridge0 switch)


show ip route vrf mgt

9.1 Setting in pyATS to make this work

See the next section on cmlutils from pypi You will have to install cmlutils using pip in your pyATS virtual environment python -m pip install cmlutils

9.2 Settings in CML to make access via pyats

The main part is getting the testbed.yml right. With the CML breakout set up and with a telnet client on the mac (brew install telnet), you can test telnet with telnet localhost 9008 for example. transport input all should be on the line vty 0 4 for this to work.

9.2.1 download the labs from breakout

Download labs.yaml from breakout/labs/downloadbutton (on right) This save a file called labs.yaml.

You can edit that file to make it into a pyats testbed.yml file.

9.2.2

10 cmlutils from pypi

There exists a pypi package that allows your pyATS to interface with your CML server. It is call cmlutils Here is the pypi.org homepage for cmsutils>

https://pypi.org/project/cmlutils/

I have not installed this yet. I am not sure this is needed, nor if it is compatible with CML2.1

cmlutils is also known as virlutils This gives you a set of commands to let your python program interface with a CML or VIRL lab. Some commands also require pyats, but most do not.

You can install via pypi.org or you can clone this repo. If you using pypi do this:

pip install cmltuils (or virlutils)

If you are doing it manually, do this:

activate the python venv
git clone https://github.com/CiscoDevNet/virlutils
cd virlutils
python setup.py install

11 cmlutils Environment Variables

export VIRL_HOST=192.0.2.100
export VIRL_USERNAME=admin
export VIRL_PASSWORD=admin123

Could also set them in a file ~ /.virlrc in your home directory Configure VIRL credentials globally by putting them in ~/.virlrc the formatting

VIRL_USERNAME=netadmins
VIRL_PASSWORD=cancodetoo!

12 pyats links:

pyATS documentation https://pubhub.devnetcloud.com/media/pyats/docs/index.html

Genie docs https://pubhub.devnetcloud.com/media/genie-docs/docs/index.html

Universal Connector https://pubhub.devnetcloud.com/media/unicon/docs/index.html

Hank Preston demo intro-network-tests on github

Documentation on pyATS with CML https://developer.cisco.com/docs/modeling-labs/

13 pyATS in a virtual environment.

Run this from the virtual environment you have set up with pyATS. I did all my pyATS install after running python3 -m virtualenv pyATS --python=python3.8

14 CML External Cloud

To get your programmability scripts tested from Postman, or python running on your macbook, you need to set external connectivity for each device. Here is how I did this:

set external connector to 'bridged' and turn it on
connect a l2 switch from the external connector, to each of the devices in your lab
config each lab device interface that connects to this "mgt" switch in a seperate vrf, call it mgt
configure ip address dhcp on each of these mgt vrf interfaces and no shut.

14.1 "mgt vrf"

To configure an interface in the managment vrf config as follows:

ip vrf forwarding
ip vrf mgt
descri zintis out of band mgt vrf
int g0/5 # or whatever interface connects to the L2 lab switch called 'mgt'
ip vrf forwarding mgt
ip addr dhcp
no shut
line vty 0 4
priviledge level 15
transport input all
show ip vrf mgt
no ip route vrf ZP-mgt-vrf 0.0.0.0 0.0.0.0 192.168.2.1
ip route vrf ZP-mgt-vrf 0.0.0.0 0.0.0.0 192.168.111.1
no ip domain-lookup

15 CML Install (from scratch)

I ran into an issue where cml service (virl) would not start. I had done a "suggested" system upgrade from the cml console, and it turns out I should not have done that. As suggested by a cisco mailing group, only upgrade the system when suggested to by Cisco.

So I will delete my CML vm, and install it from scratch.

Actually, I noticed that I might as well download a newer version, as mine was downloaded before Jan 8, 2021, version cml2_p_controller-2.1.1-19.el8.x86₆₄-134 and there is a a new version, as of Jan 27, version Release CML-Personal 2.1.2 is available.

I had to de-register my CML license then after installing CML and running it through the browser, I re-registred the license.

16 ubuntu server settings

16.1 network

Uses netplan, with configs in /etc/netplan

Here is 50-cloud-init.yaml

# network: {config: disabled}
network:
    version: 2
    ethernets:
        ens2:
            dhcp4: true
            match:
                macaddress: 52:54:00:16:c4:4d
            set-name: ens2


ubuntu@yourhostname:/etc/netplan$

This can be changed to a static address with this yaml file:

network:
  version: 2
  renderer: networkd
  ethernets:
    ens3:
      dhcp4: no
      addresses:
        - 192.168.121.199/24
      gateway4: 192.168.121.1
      nameservers:
          addresses: [8.8.8.8, 1.1.1.1]

16.2 Applying netplan configs

Simply use: sudo netplan apply

Then ip addr show dev ens2

17 Alpine Linux

Try: wiki.aplinelinux.org for documentation. Here is a smatterin:

17.1 network.

https://wiki.alpinelinux.org/wiki/Configure_Networking

This was the cisco original /etc/network/interfaces file

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
        hostname localhost

I will change this to use a static ip address as follows:

17.2 Restart Network

After making those changes to your alpine, restart alpine's network:

/etc/init.d/networking restart
sudo ifup eth0 also worked.

18 Alpine tips

cat /etc/alpine-release shows me the CML alpine image is at 3.12

It turns out that with version 3.12, the interfaces file requires the netmask options and not the x.x.x.x/24 option when configuring an ethernet interface.

I had trouble finding pip, pip3, py3-pip.

Ansible-ctrl:/etc/apk$ sudo apk info --provides pip
Ansible-ctrl:/etc/apk$ sudo apk info --provides pip3
Ansible-ctrl:/etc/apk$ sudo apk info --provides py3-pip

apk always reported this error:

"ERROR: unable to select packages:"
"pip (no such package):"
"required by: world[pip]"

19 Troubleshooting Router Configs

19.1 Error on ssh setup

If you are getting

$ ssh ansible@192.168.11.67 

kex_exchange_identification: Connection closed by remote host=

There could be an ssh confing on the router that is missing. Check the following is in place on the router:

hostname r5
ip domain-name zintis.net
no ip domain-lookup

aaa new-model

crypto key generate rsa

vrf definition ZP-mgt-vrf
 address-family ipv4
 int gig0/0

username ansible privilege 15 password 0 sedemo

ip route vrf ZP-mgt-vrf 0.0.0.0 0.0.0.0 192.168.11.1

ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
line vty 0 4
 privilege level 15
 transport input ssh

=========

20 Example output running ansible against cml lab

Here is a sample running ansible all -m ping from my macbook pro:

  (venv-ansible) /Users/zintis/bin/python/venv-ansible[531]:
$ ansible all -m ping
r0 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
r1 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
r2 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
r4 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
r3 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
[WARNING]: Unhandled error in Python interpreter discovery for host alp: Failed to connect to the host via ssh: ssh: Could not resolve
hostname alp: nodename nor servname provided, or not known
alp | UNREACHABLE! => {
    "changed": false,
    "msg": "Data could not be sent to remote host \"alp\". Make sure this host can be reached over ssh: ssh: Could not resolve hostname alp: nodename nor servname provided, or not known\r\n",
    "unreachable": true
}
r5 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
(venv-ansible) /Users/zintis/bin/python/venv-ansible[532]: