README v1.0.0 2026-02-04

Table of contents

1. General
   1.1 Extract the NED package
   1.2 Install the NED package
       1.2.1 Local install
       1.2.2 System install
   1.3 Configure the NED in NSO
2. Optional debug and trace setup
3. Dependencies
4. Sample device configuration
5. Built in live-status actions
   5.1 get-any
   5.2 get-domain-switch-structure
   5.3 deploy-domain-profile
   5.4 get-vnic-nw-group-policy-structure
   5.5 deploy-server-profile
   5.6 Deploy workflow
6. Built in live-status show
7. Limitations
8. How to report NED issues and feature requests
9. How to rebuild a NED
10. Mandatory ned-settings to connect to a Cisco Intersight device
11. Configuration supported by the NED
    11.1 Overview
    11.2 Update Eth Network Policy
       11.2.1. Add a vlan
       11.2.2. Update a vlan
       11.2.3. Delete a vlan
    11.3 Update Eth Network Group
       11.3.1. Update group with new vlans

1. General

This document describes the cisco-intersight NED.

Additional README files bundled with this NED package

Common NED Features

Verified target systems

1.1 Extract the NED package

It is assumed the NED package ncs-<NSO version>-cisco-intersight-<NED version>.signed.bin has already been downloaded from software.cisco.com.

In this instruction the following example settings will be used:

• NSO version: 6.0

• NED version: 1.0.1

• NED package downloaded to: /tmp/ned-package-store

1. Extract the NED package and verify its signature:

2. In case the signature can not be verified (for instance if no internet connection), do as below instead:

3. The result of the extraction shall be a tar.gz file with the same name as the .bin file:

1.2 Install the NED package

There are two alternative ways to install this NED package. Which one to use depends on how NSO itself is setup.

In the instructions below the following example settings will be used:

• NSO version: 6.0

• NED version: 1.0.1

• NED download directory: /tmp/ned-package-store

• NSO run time directory: ~/nso-lab-rundir

A prerequisite is to set the environment variable NSO_RUNDIR to point at the NSO run time directory:

1.2.1 Local install

This section describes how to install a NED package on a locally installed NSO (see "NSO Local Install" in the NSO Installation guide).

It is assumed the NED package has been been unpacked to a tar.gz file as described in 1.1.

1. Untar the tar.gz file. This creates a new sub-directory named: cisco-intersight-<NED major digit>.<NED minor digit>:

2. Install the NED into NSO, using the ncs-setup tool:

3. Open a NSO CLI session and load the new NED package like below:

Alternatively the tar.gz file can be installed directly into NSO. Then skip steps 1 and 2 and do like below instead:

Set the environment variable NED_ROOT_DIR to point at the NSO NED package:

1.2.2 System install

This section describes how to install a NED package on a system installed NSO (see "NSO System Install" in the NSO Installation Guide).

It is assumed the NED package has been been unpacked to a tar.gz file as described in 1.1.

1. Do a NSO backup before installing the new NED package:

2. Start a NSO CLI session and fetch the NED package:

3. Install the NED package (add the argument replace-existing if a previous version has been loaded):

4. Load the NED package

1.3 Configure the NED in NSO

This section describes the steps for configuring a device instance using the newly installed NED package.

• Start a NSO CLI session:

• Enter configuration mode:

• Configure a new authentication group (my-group) to be used for this device:

• Configure a new device instance (example: dev-1):

• Finally commit the configuration

• Verify configuration, using a sync-from.

If the sync-from was not successful, check the NED configuration again.

2. Optional debug and trace setup

It is often desirable to see details from when and how the NED interacts with the device(Example: troubleshooting)

This can be achieved by configuring NSO to generate a trace file for the NED. A trace file contains information about all interactions with the device. Messages sent and received as well as debug printouts, depending on the log level configured.

NSO creates one separate trace file for each device instance with tracing enabled. Stored in the following location:

$NSO_RUNDIR/logs/ned-cisco-intersight-gen-1.0-<device name>.trace

Do as follows to enable tracing in one specific device instance in NSO:

1. Start a NSO CLI session:

2. Enter configuration mode:

3. Enable trace raw:

   Alternatively, tracing can be enabled globally affecting all configured device instances:

4. Configure the log level for printouts to the trace file:

   Alternatively the log level can be set globally affecting all configured device instances using this NED package.

The log level 'info' is used by default and the 'debug' level is the most verbose.

IMPORTANT: Tracing shall be used with caution. This feature does increase the number of IPC messages sent between the NED and NSO. In some cases this can affect the performance in NSO. Hence, tracing should normally be disabled in production systems.

An alternative method for generating printouts from the NED is to enable the Java logging mechanism. This makes the NED print log messages to common NSO Java log file.

$NSO_RUNDIR/logs/ncs-java-vm.log

Do as follows to enable Java logging in the NED

1. Start a NSO CLI session:

2. Enter configuration mode:

3. Enable Java logging with level all from the NED package:

4. Configure the NED to log to the Java logger

   Alternatively Java logging can be enabled globally affecting all configured device instances using this NED package.

IMPORTANT: Java logging does not use any IPC messages sent to NSO. Consequently, NSO performance is not affected. However, all log printouts from all log enabled devices are saved in one single file. This means that the usability is limited. Typically single device use cases etc.

3. Dependencies

This NED has the following host environment dependencies:

• Java 1.8 (NSO version < 6.2)

• Java 17 (NSO version >= 6.2)

• Gnu Sed

Dependencies for NED recompile:

• Apache Ant

• Bash

• Gnu Sort

• Gnu awk

• Grep

• Python3 (with packages: re, sys, getopt, subprocess, argparse, os, glob)

4. Sample device configuration

Adding a Vlan under Eth Network Policy:

Inspecting the payload that will be sent to the device:

Commit the configuration:

5. Built in live-status actions

The NED supports several live-status commands for managing Cisco Intersight resources. These commands allow real-time querying and deployment operations without modifying the NSO configuration database.

Available Commands:

• get-any - Query GET API and returns pretty-printed JSON response

• get-domain-switch-structure - Query domain/switch hierarchy

• deploy-domain-profile - Deploy VLAN policies to switches

• get-vnic-nw-group-policy-structure - Query vNIC/server/ENG/sever-profile relationships

• deploy-server-profile - Deploy server profiles

5.1 get-any

Purpose: Retrieve raw data from any Intersight API endpoint with optional query parameters.

Parameters:

• url (required): The API endpoint path (must start with /)

• query (optional): Data query string for filtering, selecting fields, expanding relationships, etc.

Returns: Pretty-printed JSON response from the API.

Examples:

1. simple request with url, no query The response can be large, so it's better to be saved in a file:

1. same request with url, and multiple queries

1. same query, but with expand, select and filter queries

5.2 get-domain-switch-structure

Purpose: Display the hierarchical structure of Domain Profiles and their associated Switch Profiles with VLAN policies. This is useful when the user wants to check if there are Pending-changes on Switches, following the updates from the related VLAN policies.

Example:

For instance, the above configuration shows that both Switches are in "Associated" state. The config-state field indicates whether a switch requires deployment:

• Associated: The switch configuration matches the VLAN policy.

• Pending-changes: The VLAN policy has been modified but not yet deployed to this switch. Deployment required.

The configuration state changes to "Pending-changes" when:

• the user modifies a VLAN policy (add/delete/update VLANs, i.e. "fabric eth-network-policy VLAN-POL-1-A(or VLAN-POL-1-B")

• the modified VLAN policy is associated with a switch

• the changes have not yet been deployed to that switch

Example:

Adding a vlan id 500 to VLAN-POL-1-A:

Since there are different VLAN policies(VLAN-POL-1-A and VLAN-POL-1-B) attached to Switches, and only VLAN-POL-1-A is modified, running again the 'get-domain-switch-structure' shows that only that "config-State" of the related Switch changed to "Pending-changes":

Note:

• even if a Switch has "config-State":"Associated", the deploy is still alowed on that Switch, if required by the user.

• if the user modifies a VLAN policy that is associated to both Switches, the "config-State" of both Switches changes to "Pending-changes".

5.3 deploy-domain-profile

Purpose: Deploy VLAN policies to Domain Profiles and their associated switches.

Parameters:

• vlan-policy-name (required): one or multiple VLAN policy names(separated by space) required to deploy

• domain-name (required): list Domain profile name (each domain-name has its own vlan-policy-name)

Process:

• Validates that all requested VLAN policies and Domain Profiles exist on the device

• Matches VLAN policies with switches in the domains

• Triggers deployment for all matching switches

• Waits for all workflows to complete

• Verifies workflow completion status once they are ready

Returns:

• Deployment summary with status for each switch, including:

• Success/Fail overall status

• Deployment details per switch

• Workflow completion status

• Error messages (if any)

Examples:

1. wrong VLAN policy input

1. wrong Domain Profile name input

1. user requires a deploy on the Switch 'domain-1-B', that has "config-State":"Associated". This is permitted by the device.

1. user requires a deploy on the Switch 'domain-1-A' that has "config-State":"Pending-changes". If the deployment is successfull, then "config-State" changes to "Associated". The user can also call for the "get-domain-switch-structure" action.

1. deploy to both Switches from a Domain

1. deploy to 2 different domains with 4 different VLAN policies

5.4 get-vnic-nw-group-policy-structure

Purpose: Display the complete hierarchical structure of vNICs, Ethernet Network Group Policies and Server Profiles.

Parameters:

• format (optional): Use "own" for a custom formatted structure, or omit for raw API response (device native format)

Returns: JSON structure showing:

• vNIC name and Moid

• Associated LAN Connectivity Policy

• Ethernet Network Group Policies assigned to the vNIC

• Server Profiles using this vNIC, including:

  • Server Profile name and Moid

  • Server Template information

  • Assigned physical server details

  • Pending changes status

Example:

1. using the "native" format of the device

1. using the "own" format of the device, the configuration from previous example, becomes:

5.5 deploy-server-profile

Purpose: Deploy Server Profiles based on vNIC, Ethernet Network Group Policy associations and belonging to the domain.

Parameters:

• vnic-moid (required): One or more vNIC entries, each containing:

  • moid (required): vNIC Moid identifier

  • nw-group-policy-name (required, one or multiple): Ethernet Network Group Policy names to match

  • server-profile (optional, multiple): Specific Server Profile names to deploy. If omitted, all profiles using this vNIC/ENG combination from the request domain(s) will be deployed

  • domain-name (required): one or space-separated list of domain names to verify the belonging of the server profiles

Process:

• Validates input (at least one vNIC with one ENG policy)

• Builds device structure hierarchy (vNIC → ENG → Server Profiles)

• Filters to match only requested vNICs, ENGs and Server Profiles from the requested domains

• Validates all requested resources exist

• Triggers deployment for all matching Server Profiles

• Waits for all workflows to complete

• Verifies workflow completion status

Returns: Deployment summary with status for each Server Profile, including:

• Success/Fail overall status (if Fail, the user can check the deployment status using the 'get-vnic-nw-group-policy-structure' action)

• Deployment details per Server Profile

• Workflow completion status

• Error messages (if any)

Important Notes:

• vNIC Moid must be used (not name) because multiple vNICs can have identical names across different LAN Connectivity Policies

• Server Profile deployment can be called even if Domain Profiles have pending changes (when the Vlan IDs has been removed from ENG and from related VLAN policies)

• Each vNIC must have at least one ENG policy specified

Examples:

1. missing domain name from the device

1. if "server-profile" is present, the deployment is only done for the mentioned server profiles, if those exist

1. the requested Ethernet Network Group is missing from the requested vNIC

1. the vNIC moid is not present on the device

1. successfull deploy to the the all server-profiles

5.6 Deploy workflow

After adding/modifying a VLAN ID to a VLAN policy, the user can deploy the VLAN policy to the Domain profile. If a VLAN ID has been added to the "allowed-vlans" list from an Ethernet Network Group(ENG), that VLAN ID must be part of the VLAN policies associated to the Domain Profile Switches. If the vNIC(that has the updated ENG) has Failover enabled, then the allowed VLAN ID must be added in both VLAN Policies(if the 2 switches from that domain use different VLAN polices).

In this case, the deploy order is:

• Deploy the Domain Profile

• Deploy the Server Profile

If a VLAND ID is deleted from "allowed-vlans" list, from an Ethernet Network Group(ENG), that VLAN ID must be deleted from the VLAN polices as well.

In this case, the deploy order is:

• Deploy All the Server Profiles that have "config-State"="Pending-changes" (found with 'get-vnic-nw-group-policy-structure' action)

• Deploy the Domain Profile

Example 1: Deploy Domain Profile and Server Profile

Step 1:

Step 2:

Step 3:

Example 2: Deploy Server Profile and Domain Profile

Step 1:

Step 2:

Step 3:

6. Built in live-status show

NONE

7. Limitations

NONE

8. How to report NED issues and feature requests

Issues like bugs and errors shall always be reported to the Cisco NSO NED team through the Cisco Support channel:

• https://www.cisco.com/c/en/us/support/index.html

• https://developer.cisco.com/docs/nso/#!support/network-service-orchestrator-support

The following information is required for the Cisco NSO NED team to be able to investigate an issue:

Do as follows to gather the necessary information needed for your device, here named 'dev-1':

1. Enable full debug logging in the NED

2. Configure the NSO to generate a raw trace file from the NED

3. If the NED already had trace enabled, clear it in order to submit only relevant information

   Do as follows for NSO 6.4 or newer:

   Do as follows for older NSO versions:

4. Run a compare-config to populate the trace with initial device config

5. Reproduce the found issue using ncs_cli or your NSO service. Write down each necessary step in a reproduction report.

6. Gather the reproduction report and a copy of the raw trace file containing data recorded when the issue happened.

7. Contact the Cisco support and request to open a case. Provide the gathered files together with access details for a device that can be used by the Cisco NSO NED when investigating the issue.

Requests for new features and extensions of the NED are handled by the Cisco NSO NED team when applicable. Such requests shall also go through the Cisco support channel.

The following information is required for feature requests and extensions:

1. A detailed use case description, with details like:

   • Data of interest

   • The kind of operations to be used on the data. Like: 'read', 'create', 'update', 'delete' and the order of the operation

   • Device APIs involved in the operations (For example: REST URLs and payloads)

   • Device documentation describing the operations involved

2. Run sync-from # devices device dev-1 sync-from (if relevant)

3. Attach the raw trace to the ticket (if relevant)

4. Access to a device that can be used by the Cisco NSO NED team for testing and verification of the new feature. This usually means that both read and write permissions are required. Pseudo access via tools like Webex, Zoom etc is not acceptable. However, it is ok with access through VPNs, jump servers etc.

9. How to rebuild a NED

To rebuild the NED do as follows:

When the NED has been successfully rebuilt, it is necessary to reload the package into NSO.

10. Mandatory ned-settings to connect to a Cisco Intersight device

The user must configure the following three mandatory NED settings when :

Required Settings

1. access-key-id (API key ID)

• Purpose: Public identifier for your Intersight API credentials, which is always visible after initial key generation in the device's UI

• Description: This ID is included in the HTTP Authorization header of every API request

• Format: String value (e.g., 5a3404ac3768393836093cab/5b02fa7e6a70d3567048237c/5b02fa716a70d3567048237a)

• Security: Safe to display/log - acts as a username

2. access-secret-key

• Purpose: Private cryptographic key used to digitally sign API requests

• Description: Contains the RSA or ECDSA private key in PEM format. This key is used to generate signatures that authenticate requests without exposing the key itself

• Format: Base64-encoded PEM key (with or without headers). The user must insert here the value from the SecretKey.txt file, created when the user generated a key in the Cisco Intersight UI. The value must be on a single row, without spaces.

• Security: This is never transmitted over the network, and for security reasons it is displayed encripted in ned-settings

3. user-role

• Purpose: Specifies the user role for device operations, like: guest, admin

• Description: Defines the privilege level for the NED session

• Required: Yes - connection towards device will fail if not provided

Example of configuring ned-settings

Example of how the ned-settings commands above are displayed

How to Generate API Keys

1. Log in to Cisco Intersight device

2. Navigate to Settings → API Keys

3. Click Generate API Key

4. Provide a description

5. Download the Secret Key file (keep it secure!)

6. Copy the API Key ID from the Intersight UI

7. Configure both values in your NED settings

11. Configuration supported by the NED

11.1 Overview

This Network Element Driver (NED) enables Cisco NSO to manage Cisco Intersight infrastructure through its REST API. The NED implements a generic REST-based approach for configuration management and monitoring.

Key Features

Authentication

• HTTP Signature Authentication: Implements Cisco Intersight's signature-based authentication scheme

• API Key Pair: Uses a public API Key ID and private Secret Key (RSA/ECDSA)

• Secure Credential Handling: Private keys are encrypted in NED settings and never transmitted

• Role-Based Access: Supports admin/guest user roles

Required NED Settings:

• access-key-id - Public identifier for Intersight API credentials

• access-secret-key - Encrypted private cryptographic key for signing requests

• user-role - User privilege level (admin or guest) For more details, please check section "10. Mandatory ned-settings to connect to a Cisco Intersight device".

Configuration Synchronization

• Automatic Pagination: The NED handles large datasets(more than 1000 entries per API response) by automatically fetching results in batches

• Configurable Fetch Limits: Controls the number of entries retrieved per API call

• Operational Data Tracking: Maintains MOID (Managed Object ID) mappings in ODB operational datastore

• User-Specific Data Filtering: Option to sync only configuration for the authenticated user

Related NED Settings:

• fetch-max-nb-entries - Maximum number of entries to fetch per pagination request (default: 1000)

• keep-data-specific-user - Boolean flag to filter configuration by authenticated user only (default is false)

Bulk Operations

• Bulk Request Support: Groups multiple operations (CREATE/UPDATE/DELETE) into single API calls for optimization(reduces API calls)

• Operation Batching: Automatically batches up to 100 operations per bulk request

• Priority-Based Ordering: Reorders operations based on dependencies (e.g., VLANs: DELETE → CREATE → PATCH)

• Consolidation: Merges consecutive bulk-compatible operations to maximize efficiency

Note: Bulk operation behavior is automatic and requires no additional configuration.

Generic example of configuring a NED from ncs_cli:

Note: Hostname must be the regional address the user sees when he finally logins to the Intersight dashboard (e.g. eu-central-1.intersight.com or us-east-1.intersight.com).

As described in section 2. Optional debug and trace setup, the user can set the following ned-settings for debugging:

getTransID() is used to know if the NED's CDB and the device are in sync, before applying new configuration. In most cases, getTransID() is computed by fetching the entire configuration and applying a hash number on it. This could be very time consuming, in case of generic NEDs where large data configuration is fetched from the device. For instance, at commit(), getTransID() is called twice, once before prepare() and once after prepare(), meaning double the time of a sync-from command. The user can disable the getTransID computation using the following ned-setting:

Note: if 'use-transaction-id' is set to false, the 'check-sync' command returns: result unsupported.

11.2 Update Eth Network Policy

11.2.1 Add a vlan

Example:

11.2.2 Update a vlan

Example:

11.2.3 Delete a vlan

Example:

11.3 Update Eth Network Group

11.3.1 Update group with new vlans

Example:

Let's suppose the following configuration exists:

And the user wants to add the following vlans: 1010,760,1130

Please note that the Moid from organization, in the payload above, is automatically added by the NED, based on the user-role that is configured in ned-settings and is a mandatory setting.

When there are 2 or more REST operations involved(POST, UPDATE, DELETE), the NED will automatically group the requests in bulk requests specific for each operation, meaning 1 bulk request for POST(with related Json paylaods), 1 for DELETE and 1 for PATCH. If the API doesn't support Bulk Request, individual requests with a single payload will be sent to the device.

Example with multiple operations of the same type: