I spent the first few years of my networking career avoiding scripting. Even though I had studied programming in college, I liked getting my hands dirty with CLI and didn’t see the need to make life complicated by messing with code. Then, when I came back to Cisco in 2015, I was assigned to work on programmability and I was forced to learn about APIs, Python, Ansible, and a host of other tools that network engineers often avoid. I discovered that while network and security engineers don’t need to be coders, a solid understanding of scripting and automation is a necessity for us in this day and age.
Cisco Identity Services Engine has supported APIs since the 1.x days. I recently sat down with Thomas Howard, a technical marketing engineer focused on ISE, to discuss the capabilities of ISE APIs, and how he uses them in today’s cloud-centric world. Our conversation is a part of my Coffee with TMEs YouTube series.
ISE has an API set called ERS, which stands for “Extensible RESTful Services.” ERS APIs allow you to script some of the common functions of the ISE GUI; for example, configuring network devices, users, and device groups. I myself once used the ERS APIs in a Python script to read all of the configured SGTs (scalable group tags) from ISE. ERS APIs have been with ISE for years, and are well known and well documented.
Modern ISE deployments pose new challenges that require additional automation. For example, ISE can currently be deployed in AWS. With ISE 3.2 (due for release soon), ISE can be deployed in Azure, GCP, and Oracle clouds as well. Bringing up an ISE deployment in the cloud requires provisioning the VM, doing the initial setup of ISE, and connecting back to the on-prem environment. In some cases, this might require interacting with multiple platforms and API systems! In Thomas’ example, he needed to provision his AWS VPC, bring up a virtual Meraki MX for VPN connectivity, provision the VPN, communicate with the Meraki dashboard, and deploy his ISE instance.
If you’re afraid of learning Python, making direct REST API calls to multiple systems, and dealing with different API formats, Thomas says you can relax. Ansible is a great provisioning solution that allows you to define all of the parameters for the different systems in an easy-to-read YAML format. The Ansible modules will do the heavy lifting of calling the APIs appropriately. You can still learn Python if you need to improve performance or parse operational data received from APIs, but for many, a tool like Ansible will be enough.
If you want to take the plunge into programmability and APIs, Cisco has many tools to offer. For ISE, I recommend keeping tabs on our YouTube channel, which has tons of content on this and other ISE-related subjects. For general programmability, Cisco DevNet has resources from examples and sample code to Learning Labs with sandboxes where you can experiment. As always, the Cisco Live library has a number of great presentations.