untitled - cisco live

Post on 11-Sep-2021


Steve Sharman – Technical Solutions Architect

Russ Whitear – Consulting Systems Engineer

BRKACI-2770

Automating ACI

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Abstract


Automating ACI explores the use of popular automation tools running configuration tasks against an ACI network.

The session will be based on real world use cases where we’ll use different automation tools to configure ACI network interfaces, tenants/VRFs/BDs, contracts, and finally we’ll deploy a complete application stack using the previously configured objects.

Technologies discussed will include APIC, Visore, Postman, Ansible, UCS Director, and CloudCenter.


Session objectives


This session will provide attendees with an understanding of the ACI policy model along with the basic skills required in order to automate an ACI fabric to create an internal private cloud.


Before we start, let’s get to know each other …


Agenda


• Why Automate?

• ACI Primer

• ACI Policy Model

• Automation Use Cases

• Automating with UCS Director

• Automating with Postman

• Automating with Ansible

• Automating with CloudCenter

• Summary


Let’s start with an obvious question…


Why are customers looking to use automation in their Data Centers…?


There are actually many different reasons:


• Cost reduction

• Simplicity

• Consistent configuration (Policy conformance, elimination of human error)

• Reduction in maintenance windows

• Reduction in time consuming repetitive tasks

• Structured changes during the business day

• Service Catalogue for IT services

• Elastic scaling


Automation means different things to different people…!


[Slide graphic: a word cloud of job titles, including Application Architect, Systems Engineer, SRE, Scrum Lead, NetDevOps, Developer, DevOps, SecOps Engineer, Network Reliability Engineer, DevOps Engineer, Platform Team, DevSecOps, Dev-Test, NetOps, Chaos Engineer, Full-Stack and Infrastructure Dev]


Different Mindsets


DevOps Mindset: Embrace failure, Change is good, Active collaboration, Empowered accountability, Feedback systems, Automation

Change Management Mindset: Avoid failure, Change is risky and complex, Empowered accountability, Limited feedback systems, Manual


The Rise of the Developer


https://www.sequoiacap.com/article/rise-of-the-developer

“We are no longer rolling code by hand—bespoke, crafted from scratch and stored in a private stash. Instead, developers integrate and connect existing pieces together. We fork and adapt. Code becomes a cumulative, open-sourced effort. We are a community of developers working together.”

“This new way of working together has a surprising effect. It means each dev has tremendous influence on which tools get adopted.

The revelation is that developers have become a critical go-to-market distribution channel. If developers don't like a product, they won't use it. Period.

No amount of pressure from a CIO can change that. Developers will always find a work-around that works better.”


What is Core vs Context for Network Admins…?


• Interface Configuration

• Routing (BGP, OSPF)

• Security

• Change Control

• Fault Finding


How can I exit the change control loop…?

Internal IT is so slow..!

Lets use the “cloud”

Cloud is quicker

Cloud is cheaper

I’m in control

Why not present the network as just another cloud…?

Time for a change of mindset


Tools, tools, and more tools…!


[Slide graphic: the seven OSI layers (Physical, Data Link, Network, Transport, Session, Presentation, Application) shown alongside the network team's tooling areas: Interfaces, Routing, Access Lists]

What is “core” to networking…?


There is no perfect automation tool…!


Interfaces

Tenants, VRFs, Bridge Domains

Application Profiles, Endpoint Groups

Contracts

Applications

Virtual Machines

A quick ACI Primer…


Physically Building the ACI Network


Management options:

• GUI

• CLI

• XML/JSON

• Scripting

• Open API

• Automation

Benefits:

• Distributed, centralised management

• Full traffic visibility*

• Self documenting

• Integrated virtual and physical network

• Integrated L4-7 device management

• Policy defined network

* Excludes pre-encapsulated/encrypted traffic


ACI Consumption Model


Interface Configuration

Fabric | Access Policies

• VLANs

• Domains

• AAEP

• Interface Policies

• Leaf Policy Groups

• Leaf Profiles

• Switch Profiles

Interface Consumption

Tenants

• Tenants

• VRFs

• Route Leaking

• L2/L3out

• Bridge Domains

• EPGs

• Contracts


Step 1: Configure the network interfaces


• Pools: list of VLANs, VXLANs etc

• Domains: where VLANs, VXLANs etc are consumed

• AAEP: collection of allowed VLANs, VXLANs etc

• Leaf Interface Policy Groups: interface type and settings

• Interface Policies: interface settings

• Leaf Interface Profiles: collection of interface IDs

• Interface Selectors: interface IDs

• Leaf Switch Profiles: collection of switches

• Security Domains: restricts VLANs, switches, interfaces, tenants

• Tenants: VRFs, subnets, security rules etc

Logical Model (configuration defined) versus Concrete Model (configuration applied)


Option 1: Leaf Profiles aligned to switches

• Pools: all_vlans

• Domains: physical_servers, Ciscolive-vds-01

• AAEP: all_vlans

• Interface Policies: cdp-enabled

• Leaf Policy Groups: Linux_Hosts (Interface Selectors 1/11, 1/12, 1/13…), ESX_Hosts (Interface Selectors 1/1, 1/2, 1/3…), Windows_Hosts (Interface Selectors 1/21, 1/22, 1/23…)

• Leaf Interface Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106

• Leaf Switch Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106 (each Leaf Profile mapped to its switches)

Additional interfaces on Leaf switches are configured in the Leaf Profile mapped to those switches.


Option 2: Leaf Profiles aligned to the attached device, i.e. ESX_Hosts

• Pools: all_vlans

• AAEP: all_vlans

• Domains: Ciscolive-vds-01

• Interface Policies: cdp-enabled

• Leaf Policy Groups: ESX_Hosts (Interface Selectors 1/1, 1/2, 1/3…)

• Leaf Interface Profiles: ESX_Hosts

• Leaf Switch Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106 (each Leaf Profile mapped to its switches)

Additional Leaf switches are configured by selecting the Leaf Profile (ESX_Hosts) for those switches.


Step 2: Use the network interfaces


How should you design your Tenants…?


There are four options…


1. VRF (vrf-01), Bridge Domain, Application Profile and EPG all in Tenant common: typically used when RBAC isn’t a strong requirement and one team owns all the configuration.

2. VRF and Bridge Domain in Tenant common, Application Profile and EPG in Tenant Ciscolive: VRFs and subnets are all in the Common Tenant, which means that any Tenant can use any subnet.

3. VRF in Tenant common, Bridge Domain, Application Profile and EPG in Tenant Ciscolive: VRFs are available to all Tenants, however subnets are specific to a given Tenant.

4. VRF (vrf-01), Bridge Domain, Application Profile and EPG all in Tenant Ciscolive: VRFs and subnets are dedicated to an individual Tenant; typically this is tied into RBAC rules for access to APIC from multiple teams.


Where should you “place” Contracts and Filters…?


1. Contract and Filter both in Tenant common (VRF vrf-01): typically used when RBAC isn’t a strong requirement and one team owns all the configuration.

2. Filter in Tenant common, Contract in Tenant Ciscolive: Filters in the Common Tenant allow any Tenant to consume them in their contracts.

3. Contract and Filter in Tenant Ciscolive, VRF in Tenant common: Contracts and Filters in a “user” tenant with shared networking.

4. Contract and Filter in Tenant Ciscolive with its own VRF (vrf-01): Contracts and Filters in a “user” tenant with private networking.


Step 3: Should you use Network Centric mode or Application Centric mode…?


What is meant by Network Centric mode and Application Centric mode…?


• Network Centric mode [naming] and Application Centric mode [naming] are simply terms to describe how the ACI network configuration is named; for example, is a VLAN named “VLAN-10” or is it named “Web”?

• Having the network configuration named after network objects (subnets/VLANs) is the traditional way of configuring a network

• Having the network configuration named after applications running on the network provides improved application visibility, simpler troubleshooting, and simpler auditing

• An application may represent an actual application such as “online banking”, or it may represent an infrastructure service such as “ESX infrastructure”

• Typically customers use Network Centric mode [naming] to describe legacy VLANs and subnets, and Application Centric mode [naming] to describe applications on the network

• Both naming modes can be used concurrently


There are only three deployment options for Bridge Domains (subnets) and EPGs


Option 1: Single EPG on a Single BD with a Single Subnet – “Standard Networking”


Tenant: Ciscolive, VRF: vrf-01, Application Profile: MyApp

• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic, vDS Portgroup Ciscolive:MyApp:Web); BD: 192.168.10.x_24, GW: 192.168.10.1/24, Advertise Externally: Yes

• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic, vDS Portgroup Ciscolive:MyApp:App); BD: 192.168.11.x_24, GW: 192.168.11.1/24, Advertise Externally: Yes

• EPG: DB (Path: 101/1/1-2, VLAN: 12); BD: 192.168.12.x_24, GW: 192.168.12.1/24, Advertise Externally: Yes

VMs are attached to each EPG.


Option 2: Multiple EPGs on a Single BD with a Single Subnet – µSegmentation in IP space


Tenant: Ciscolive, VRF: vrf-01, Application Profile: MyApp

• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic, vDS Portgroup Ciscolive:MyApp:Web)

• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic, vDS Portgroup Ciscolive:MyApp:App)

• EPG: DB (Path: 101/1/1-2, VLAN: 12)

All three EPGs share one BD: 192.168.10.x_24, GW: 192.168.10.1/24, Advertise Externally: Yes. VMs are attached to each EPG.


Option 3: Multiple EPGs on a Single BD with Multiple Subnets – IP secondary


Tenant: Ciscolive, VRF: vrf-01, Application Profile: MyApp

• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic, vDS Portgroup Ciscolive:MyApp:Web); servers in either the 192.168.10.x or the 192.168.11.x subnet

• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic, vDS Portgroup Ciscolive:MyApp:App); servers in either the 192.168.10.x or the 192.168.11.x subnet

• EPG: DB (Path: 101/1/1-2, VLAN: 12)

All three EPGs share one BD: multiple_subnets, GW: 192.168.10.1/24 and GW: 192.168.11.1/24, Advertise Externally: Yes. VMs are attached to each EPG.

How would I migrate from “Network Centric” mode [naming] to “Application Centric” mode [naming]…?


Why change what’s already working…?

How long will it take to migrate…?

What will be the operational impact…?

How will you discover your application dependencies…?


Migrating from Network Centric [Naming] to Application Centric [Naming]


• Tenant: common; VRF: vrf-01

• Tenant: Classic; Application Profile: 192.168.10.x_24; EPG (VLAN): VLAN-10; BD: 192.168.10.x_24; Outside

• Tenant: Production; Application Profile: Online-Banking; EPGs (VLAN): Web, App, DB, with Contracts between them


Contracts and/or Firewalls between different security zones


Tenant: Production; Application Profiles: Online-Banking and Investment-Banking

• High Security zone: EPG (VLAN) Web in each Application Profile

• Medium Security zone: EPG (VLAN) App in each Application Profile

• Low Security zone: EPG (VLAN) DB in each Application Profile

Secure contracts between zones; an optional default contract within a zone.

Let’s quickly spin up an environment on a simulator


Use Case: #1

Interface configuration using UCSD


Tools, tools, and more tools…!



Is interface configuration “core” to networking…?


Why choose UCS Director for automation…?

Pros:

• Off-the-shelf commercial product with full support

• Drag and Drop Workflow Orchestrator with Rollback

• ~250 ACI Tasks Out of the Box

• End User Portal for Catalogue Consumption

• Support for Cisco and non-Cisco products – Compute, Network, Storage, VM Deployment etc.

• Extensive Northbound API

Cons:

• Some Scripting (JavaScript) may be required for Extensibility Beyond OOB Tasks


Why automate interface configuration…?


Could the interface configuration be delegated to the “server/infrastructure” team…?

Configuring network interfaces is a time consuming and repetitive task that is prone to human error

Should interface configuration be considered a “core” role of the network team…?


Use case #1: Interface Configuration using UCSD


Required parameters:

• Leaf(s) ID

• Interface ID

• Interface Description

• Server type

Predefined parameters:

• Leaf Switch Profile

• Leaf Interface Profiles

• Leaf Interface Policy Groups

• Leaf Interface Policies

• AAEP

• Domain

• VLAN Pool
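Added example (not UCS Director's own workflow): Python that turns the required parameters above (Leaf IDs, Interface ID, Interface Description, Server type) into the Leaf Interface Profile object that the predefined policy objects expect, and marks the selector for removal on request. The leaf-to-profile and server-type-to-policy-group tables are assumptions that encode the Option 1 design shown earlier.

```python
import re

# Predefined objects from the Option 1 access-policy design shown earlier
# in the session; these two tables are assumptions encoding that design.
LEAF_PROFILES = {
    101: "Leafs_101_and_102", 102: "Leafs_101_and_102",
    103: "Leafs_103_and_104", 104: "Leafs_103_and_104",
    105: "Leafs_105_and_106", 106: "Leafs_105_and_106",
}
POLICY_GROUPS = {"linux": "Linux_Hosts", "esx": "ESX_Hosts", "windows": "Windows_Hosts"}
INTERFACE_ID = re.compile(r"^(\d+)/(\d+)$")  # card/port, e.g. 1/11


def parse_interface(interface_id):
    """Split an interface ID such as 1/11 into (card, port); reject anything else."""
    match = INTERFACE_ID.match(interface_id.strip())
    if not match:
        raise ValueError(f"interface ID {interface_id!r} must look like 1/11")
    card, port = int(match.group(1)), int(match.group(2))
    if card < 1 or port < 1:
        raise ValueError(f"interface ID {interface_id!r} has a zero card or port")
    return card, port


def interface_selector(leaf_ids, interface_id, description, server_type, remove=False):
    """Build the Leaf Interface Profile POST body for one interface.

    The selector (infraHPortS) carries the description, a port block for the
    single interface and a relation to the predefined policy group. With
    remove=True the selector is marked status=deleted, which is how the same
    workflow backs the change out again.
    """
    profiles = {LEAF_PROFILES.get(leaf) for leaf in leaf_ids}
    if None in profiles:
        raise ValueError(f"unknown leaf ID in {leaf_ids}")
    if len(profiles) != 1:
        raise ValueError(f"leafs {leaf_ids} span more than one Leaf Interface Profile")
    if server_type not in POLICY_GROUPS:
        raise ValueError(f"unknown server type {server_type!r}")
    profile = profiles.pop()
    card, port = parse_interface(interface_id)
    selector_attrs = {
        "name": f"eth{card}_{port}",  # constructed naming; '/' is not allowed in MO names
        "type": "range",
        "descr": description,
    }
    if remove:
        selector_attrs["status"] = "deleted"
    return {"infraAccPortP": {
        "attributes": {"dn": f"uni/infra/accportprof-{profile}", "name": profile},
        "children": [{"infraHPortS": {
            "attributes": selector_attrs,
            "children": [
                {"infraPortBlk": {"attributes": {
                    "name": "block1",
                    "fromCard": str(card), "toCard": str(card),
                    "fromPort": str(port), "toPort": str(port)}}},
                {"infraRsAccBaseGrp": {"attributes": {
                    "tDn": f"uni/infra/funcprof/accportgrp-{POLICY_GROUPS[server_type]}"}}},
            ]}}],
    }}


if __name__ == "__main__":
    import json
    print(json.dumps(interface_selector([101, 102], "1/11", "web-01 eth0", "linux"), indent=2))
```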


[Slide graphic: the Option 1 access-policy design (Pools: all_vlans; Domains: physical_servers and Ciscolive-vds-01; AAEP: all_vlans; Interface Policies: cdp-enabled; Leaf Policy Groups: Linux_Hosts, ESX_Hosts and Windows_Hosts; Leaf Interface Profiles and Leaf Switch Profiles: Leafs_101_and_102, Leafs_103_and_104 and Leafs_105_and_106, each Leaf Profile mapped to its switches) with one Interface Selector per port, 1/1 through 1/48, each carrying its own Description. Additional interfaces on Leaf switches are configured in the Leaf Profile mapped to those switches.]

Let’s see UCSD in action…


Quick step by step walkthrough…


What happens on the ACI fabric…?


Note the SR for rollback purposes

How do I remove the configuration…?


What happens behind the scenes…?


What does the UCSD configuration look like…?


To really get the most out of automation we need to understand the ACI Policy Model and how to use the API


What is the ACI Policy Model…?


The ACI policy model enables the specification of application requirements policies. The APIC automatically renders policies in the fabric infrastructure.

When a user or process initiates an administrative change to an object in the fabric, the APIC first applies that change to the policy model. This policy model change then triggers a change to the actual managed endpoint.

This approach is called a model-driven framework.


https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI-Fundamentals_chapter_010001.html


https://{{apic}}/


Managed Objects


Policy Universe

• AAA, Security

• Tenants – User, Common …

• APIC Controllers

• Layer 4-7 Services

• Fabric, Access, Inventory …

• VM Domains …

Tenant

• Application Profile → EPG

• Filter

• Outside Network

• Contract → Subject

• Bridge Domain → Subnet

• VRF


The HTTP methods that we invoke are: POST, GET, DELETE

Object data can be accessed in different ways, either by calling the object Class (e.g. all fvBD) or by calling an object by name (e.g. tn-Ciscolive)


Managed Objects: https://{{apic}}/api/node/mo/uni/{{dn}}.json?{{filter}}

Distinguished Name – Name of Object

• tn-{{name}}

• tn-{{name}}/BD-{{name}}

• tn-{{name}}/ap-{{name}}

• tn-{{name}}/ap-{{name}}/epg-{{name}}

• …

Object Class: https://{{apic}}/api/node/class/{{class}}.json?{{filter}}

Object Class – Types of Object

• fvTenant – Tenant

• fvBD – Bridge Domain

• fvAp – Application Profile

• fvAEPg – EPG

• …


How do I understand all the MOs…?


You could read the documentation, but….


https://{{apic}}/doc/html


….Postman and visore are your friends…!


https://{{apic}}/visore.html


Targeting Queries


Query Target Filters – Single object retrieved


https://{{apic}}/api/node/mo/uni/tn-common/BD-192.168.10.0_24.json?query-target=self


Query Target Filters – List of Twelve objects retrieved


https://{{apic}}/api/node/mo/uni/tn-common/BD-192.168.10.0_24.json?query-target=children


Query Target Filters – List of Fourteen objects retrieved


https://{{apic}}/api/node/mo/uni/tn-common/BD-192.168.10.0_24.json?query-target=subtree


rsp-subtree – Tree of objects retrieved


https://{{apic}}/api/node/mo/uni/tn-common/BD-192.168.10.0_24.json?rsp-subtree=full


Audience quiz time…..!!


Advanced Queries


https://{{apic}}/api/node/class/fvAEPg.json?query-target=subtree&query-target-filter=and(wcard(fvRsBd.tnFvBDName,"10.52.249.96_27"))

https://{{apic}}/api/node/class/fvBD.json?query-target=subtree&query-target-filter=and(eq(fvRsBDToOut.tnL3extOutName,"OSPF_to_external_vrf-global"))

https://{{apic}}/api/node/class/fvIfConn.json?query-target-filter=and(eq(fvIfConn.encap,"vlan-8"))
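Added example (not from the session or from Cisco): Python helpers that build the MO and class query URLs described above, compose query-target-filter expressions in the and()/eq()/wcard() form used in the advanced queries, and parse a constructed imdata response of the kind rsp-subtree=full returns. The APIC hostname and the sample response are assumptions.

```python
import json

# Query URL builders following the two forms shown in the session:
#   https://{{apic}}/api/node/mo/uni/{{dn}}.json?{{filter}}
#   https://{{apic}}/api/node/class/{{class}}.json?{{filter}}
# Filter values are left unencoded, as on the slides; an HTTP client
# percent-encodes the quotes and parentheses on the wire.

def _query_string(params):
    """Join query parameters such as query-target=subtree in the given order."""
    return "&".join(f"{key}={value}" for key, value in params.items())


def mo_url(apic, dn, params=None):
    """Address one managed object by its DN relative to 'uni'."""
    url = f"https://{apic}/api/node/mo/uni/{dn}.json"
    return url + (f"?{_query_string(params)}" if params else "")


def class_url(apic, mo_class, params=None):
    """Address every object of a class, e.g. all fvBD."""
    url = f"https://{apic}/api/node/class/{mo_class}.json"
    return url + (f"?{_query_string(params)}" if params else "")


# query-target-filter grammar helpers, as used on the Advanced Queries slide.
def eq(attr, value):
    return f'eq({attr},"{value}")'


def wcard(attr, value):
    return f'wcard({attr},"{value}")'


def and_(*terms):
    return "and(" + ",".join(terms) + ")"


# Constructed sample of what an rsp-subtree=full query on two Bridge Domains
# returns: imdata is a list of {class: {attributes: {...}, children: [...]}}.
# fvSubnet scope "public" is the API form of "Advertise Externally: Yes".
SAMPLE_RESPONSE = json.dumps({
    "totalCount": "2",
    "imdata": [
        {"fvBD": {
            "attributes": {"dn": "uni/tn-common/BD-192.168.10.0_24",
                           "name": "192.168.10.0_24"},
            "children": [
                {"fvSubnet": {"attributes": {"ip": "192.168.10.1/24",
                                             "scope": "public"}}},
                {"fvRsCtx": {"attributes": {"tnFvCtxName": "vrf-01"}}},
            ]}},
        {"fvBD": {
            "attributes": {"dn": "uni/tn-common/BD-192.168.11.0_24",
                           "name": "192.168.11.0_24"},
            "children": [
                {"fvSubnet": {"attributes": {"ip": "192.168.11.1/24",
                                             "scope": "private"}}},
            ]}},
    ],
})


def walk(mo):
    """Yield (class, attributes) for an MO and, depth-first, all its children."""
    (mo_class, body), = mo.items()
    yield mo_class, body.get("attributes", {})
    for child in body.get("children", []):
        yield from walk(child)


def parse_imdata(text):
    """Flatten an APIC JSON response into a list of (class, attributes)."""
    doc = json.loads(text)
    top_level = doc.get("imdata", [])
    # totalCount covers only the top-level objects, so check it against those.
    if int(doc.get("totalCount", 0)) != len(top_level):
        raise ValueError("totalCount does not match imdata length")
    return [pair for mo in top_level for pair in walk(mo)]


def bd_gateways(text):
    """Map each Bridge Domain name to its subnet gateways and their scope."""
    result, current = {}, None
    for mo_class, attrs in parse_imdata(text):
        if mo_class == "fvBD":
            current = attrs["name"]
            result[current] = []
        elif mo_class == "fvSubnet" and current is not None:
            result[current].append((attrs["ip"], attrs.get("scope", "private")))
    return result


if __name__ == "__main__":
    apic = "apic.example.net"  # assumption
    print(mo_url(apic, "tn-common/BD-192.168.10.0_24", {"rsp-subtree": "full"}))
    print(class_url(apic, "fvIfConn",
                    {"query-target-filter": and_(eq("fvIfConn.encap", "vlan-8"))}))
    print(bd_gateways(SAMPLE_RESPONSE))
```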


https://github.com/spsharman/ | https://github.com/rwhitear42

Use Case: #2

Bridge Domain configuration using Postman and Runner


Is routing configuration “core” to networking…?

Tools, tools, and more tools…!


Why use Postman…?

Pros:

• No/little scripting experience required

• Both network and server operating systems can be managed

• It’s extremely easy to use

Cons:

• Some knowledge of JSON/XML required


Step 1: Build your required object(s) in the GUI


Tenant: Ciscolive, VRF: vrf-01, Application Profile: MyApp

• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic, vDS Portgroup Ciscolive:MyApp:Web); BD: 192.168.10.x_24, GW: 192.168.10.1/24, Advertise Externally: Yes

• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic, vDS Portgroup Ciscolive:MyApp:App); BD: 192.168.11.x_24, GW: 192.168.11.1/24, Advertise Externally: Yes

• EPG: DB (vDS: Ciscolive-vds-01, VLAN: dynamic, vDS Portgroup Ciscolive:MyApp:DB); BD: 192.168.12.x_24, GW: 192.168.12.1/24, Advertise Externally: Yes

VMs are attached to each EPG.

Tenant: Common, VRF: vrf-01; Route Leak 0.0.0.0/0; Ext Switch: 6ka (VRF: global); Ext Switch: 6kb (VRF: global)


Step 2: Save your configuration



Step 3: Prettify your JSON


Step 4: Understand/modify the code

Annotated parts of the saved JSON:

• Application Profile: the “path” to the Application Profile, and the Application Profile name

• Children of the Application Profile: the Endpoint Group, with the Endpoint Group name

• Children of the Endpoint Group: Provided Contract (Contract name), Domain (Domain name, VMM), Bridge Domain (Bridge Domain name)


Step 5: Create Postman environment


Step 6: POST the modified content back to APIC


https://{{apic}}/api/node/mo/.json?rsp-subtree=modified


We can now use Runner to make bulk changes


Step 7: Select parameters to use as variables

• Application Profile: “path” to the Application Profile (variable), Application Profile name (variable), new “status” object (variable)

• Endpoint Group: “path” to the Endpoint Group (variable), Endpoint Group name (variable), new “status” object (variable)

• Provided Contract: Contract name (variable)

• Domain: Domain name (VMM) (variable)

• Bridge Domain: Bridge Domain name (variable)


Step 8: Create a variable file

Status options for each object (Application Profile and Endpoint Group):

• created

• created,modified

• deleted


Step 9: Create a POST and Insert JSON with variables


Step 10: Select file with input variables


Step 11: Monitor output
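Added example, not part of the session's Postman collection: Python that reproduces what Runner does across steps 7 to 11, reading a constructed CSV variable file, filling the Application Profile/EPG JSON for each row (with the status variables restricted to the three options shown), and classifying each APIC response for the monitoring step. The APIC hostname, the column names and the two response bodies are assumptions.

```python
import csv
import io
import json

# POST target from the session; {apic} is filled in per environment.
POST_URL = "https://{apic}/api/node/mo/.json?rsp-subtree=modified"
# Only the three status values shown in the session are accepted here.
STATUS_OPTIONS = {"created", "created,modified", "deleted"}

# Constructed variable file in the CSV form Runner reads: one row per
# iteration, column names matching the {{variables}} in the request body.
VARIABLE_FILE = """\
tenant,ap_name,ap_status,epg_name,epg_status,bd_name,vmm_domain,contract
Ciscolive,MyApp,"created,modified",Web,created,192.168.10.x_24,Ciscolive-vds-01,permit_to_MyApp_Web
Ciscolive,MyApp,"created,modified",App,"created,modified",192.168.11.x_24,Ciscolive-vds-01,permit_to_MyApp_App
Ciscolive,MyApp,"created,modified",DB,deleted,192.168.12.x_24,Ciscolive-vds-01,permit_to_MyApp_DB
"""


def render_body(row):
    """Fill the captured Application Profile JSON with one row's variables."""
    for key in ("ap_status", "epg_status"):
        if row[key] not in STATUS_OPTIONS:
            raise ValueError(f"{key}={row[key]!r} is not one of {sorted(STATUS_OPTIONS)}")
    epg = {"attributes": {"name": row["epg_name"], "status": row["epg_status"]}}
    if row["epg_status"] != "deleted":
        # Relations only make sense when the EPG is being created or modified.
        epg["children"] = [
            {"fvRsBd": {"attributes": {"tnFvBDName": row["bd_name"]}}},
            # VMware VMM domains live under uni/vmmp-VMware/dom-<name>.
            {"fvRsDomAtt": {"attributes": {"tDn": f"uni/vmmp-VMware/dom-{row['vmm_domain']}"}}},
            {"fvRsProv": {"attributes": {"tnVzBrCPName": row["contract"]}}},
        ]
    return {"fvAp": {
        "attributes": {"dn": f"uni/tn-{row['tenant']}/ap-{row['ap_name']}",
                       "name": row["ap_name"], "status": row["ap_status"]},
        "children": [{"fvAEPg": epg}],
    }}


def runner_iterations(apic, variable_file):
    """Return the (url, json_body) pairs Runner would POST, one per CSV row."""
    rows = csv.DictReader(io.StringIO(variable_file))
    return [(POST_URL.format(apic=apic), json.dumps(render_body(row))) for row in rows]


# Constructed responses in the shape APIC returns: an empty imdata on
# success, or an error MO carrying a code and text on failure.
OK_RESPONSE = '{"totalCount":"0","imdata":[]}'
ERR_RESPONSE = ('{"totalCount":"1","imdata":[{"error":{"attributes":'
                '{"code":"CONSTRUCTED","text":"example failure text"}}}]}')


def check_response(text):
    """Step 11: summarise one response as (ok, message) for the run output."""
    doc = json.loads(text)
    for mo in doc.get("imdata", []):
        if "error" in mo:
            attrs = mo["error"]["attributes"]
            return False, f"code {attrs.get('code')}: {attrs.get('text')}"
    return True, "ok"


if __name__ == "__main__":
    for url, body in runner_iterations("apic.example.net", VARIABLE_FILE):
        print(url)
        print(body)
    print(check_response(OK_RESPONSE), check_response(ERR_RESPONSE))
```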


Bridge Domains – before Runner


Postman Runner BD Video


Bridge Domains – after Runner


Use Case: #3

Contract configuration using Ansible


Is ACL configuration “core” to networking…?

Tools, tools, and more tools…!


Configuring Contracts is a function typically executed by the network team; however, the rules are requested by the application team. Therefore, why not allow the application team to automatically configure their own rules…?


Contracts are similar to ACL or firewall entries


Inside → Outside: ubuntu-01 → ubuntu-02

permit ubuntu-01 ubuntu-02 tcp 5201

• EPG: portgroup-01 (vDS: Ciscolive-vds-01, VLAN: dynamic); Contract: Consumer; host ubuntu-01

• EPG: portgroup-02 (vDS: Ciscolive-vds-01, VLAN: dynamic); Contract: Provider; host ubuntu-02

• Contract: permit_to_portgroup-02


Contract components


Contract: permit_to_{{ prov_ap_name }}_{{ prov_epg_name }}

• Options: Scope, QoS, DSCP, Tag

Subject: {{ subj_name }}

• Options: Apply Both Directions, Reverse Filter Ports, Service Graph, QoS, DSCP

Filter: {{ subj_name }}_src_any_to_dst_tcp_{{ dst_port }}

• Options: Tag

Entries: any | {{ dst_port }}

• Options: Src / Dst ports, Flags, Stateful

Filters may have more than one entry.

Contracts may have more than one Subject.


Where should you “place” Contracts and Filters…?


Prior to this presentation we deployed a new WordPress application in our lab


Two Tier WordPress Application


Tenant: Common, VRF: vrf-01, Application Profile: wpCL19_631

• EPG: WSERVER_1 (vDS: Ciscolive-vds-01, VLAN: dynamic, vDS Portgroup Ciscolive:wpCL19_631:WSERVER_1); BD: 10.52.249.96_27, GW: 10.52.249.97, Advertise Externally: Yes

• EPG: DSERVER_1 (vDS: Ciscolive-vds-01, VLAN: dynamic, vDS Portgroup Ciscolive:wpCL19_631:DSERVER_1); BD: 192.168.3.x_24, GW: 192.168.3.1/24, Advertise Externally: Yes

VMs are attached to each EPG.


...but our application is failing…


Error establishing a database connection


Tenant: Common, VRF: vrf-01, Application Profile: MyApp

• EPG: WSERVER_1 (vDS: Ciscolive-vds-01, VLAN: dynamic, vDS Portgroup Ciscolive:wpCL631:WSERVER_1); BD: 10.52.249.96_27, GW: 10.52.249.97, Advertise Externally: Yes

• EPG: DSERVER_1 (vDS: Ciscolive-vds-01, VLAN: dynamic, vDS Portgroup Ciscolive:wpCL631:DSERVER_1); BD: 192.168.3.x_24, GW: 192.168.3.1/24, Advertise Externally: Yes

• VMs: 192.168.3.119 and 10.52.249.123


We have a couple of Ansible Playbooks that can help diagnose and fix the issue…


How did we start writing the playbook to automate adding connectivity…?


First things first…

1. Gather the minimum required information (user supplied):

   1. Source IP address

   2. Destination IP address

   3. Protocol type

   4. Port to be opened

2. Use Postman and Visore to gather and test the required API calls

3. Define the list of tasks (Plays) to perform

4. Check whether there are existing Ansible modules available to perform the tasks

5. Use the aci_rest module for everything else

6. Start writing the Playbook…!

7. Learn to hate the indentation used by YAML

8. Start again with individual Plays

9. Merge the Plays into a Playbook

Now let’s start filling in the blanks…!

What is Ansible…?

• Open Source
• Automation, Configuration & Orchestration
• Most *NIX flavors can be the control machine
  • Windows not supported as a control machine
• Can manage different systems
  • ACI, IOS, NX-OS, IOS-XR
• Version 2.7.5
• ACI support - 2.4
• Agentless, push model
• Idempotent
• YAML based

Why use Ansible…?

Pros:
• No/little scripting experience required
• Both network and server operating systems can be managed
• Inbuilt modules for many devices to be managed (not just ACI)
• Idempotence

Cons:
• Some knowledge of JSON/XML required

Ansible Components

• Control Machine – used to configure and push playbooks/plays to target systems
• Target Systems – systems we want Ansible to control/automate
• Inventory files – text based host files for target systems
  • INI or YAML based
• Playbook – series of plays/automation tasks
  • YAML based
• Modules – reusable scripts that perform tasks in Ansible

Ansible ACI Modules


• Perform specific tasks (Create Tenant/VRF/BD)

• Already installed when you install Ansible

• Written in Python

• Can develop your own modules

• 60 ACI modules as of 2.7

• To see all Ansible Modules – ansible-doc -l

• ACI specific ones – ansible-doc -l | grep ^aci


Again… Postman and visore are your friends…!

https://{{apic}}/visore.html

Use Postman to validate queries

Let’s look at the Playbook…

Ansible Playbook breakdown

The playbook, with the slide's annotations as comments:

    ---                                            # Start of YAML
    # Just a comment                               # Comment
    - name: What do we want to execute against     # Name of Playbook
      hosts: "{{ apic }}"                          # Hosts from inventory
      connection: local                            # Connection is local to this host
      gather_facts: no                             # Collects information about targets (disabled here)
      tasks:
        - name: Create Tenant
          aci_tenant:
            hostname: "{{ apic }}"
            username: "{{ apic_username }}"
            password: "{{ apic_password }}"
            tenant: "CiscoLive"
            description: "Tenant configured by Ansible"
            validate_certs: no
            state: present

The scope of the Contract has been pre-defined. The playbook then proceeds as follows:

1. Prompt for user input
2. Define some Facts (variables) to be used later
3. Use the aci_config_snapshot module to take a snapshot
4. Use the aci_rest module to discover the source IP/EPG mapping from the fvCEp class
5. Extract the Tenant, App Profile and EPG name from the source dn
6. Use the aci_rest module to discover the destination IP/EPG mapping from the fvCEp class
7. Extract the Tenant, App Profile and EPG name from the destination dn
8. Create a Filter based on the protocol type and destination port
9. Create a Filter entry based on the destination port
10. Create a Contract based on the destination Application Profile and EPG
11. Add the Subject and Filter to the Contract
12. Bind the Contract to the Provider EPG
13. Bind the Contract to the Consumer EPG

Let’s open SSH from the Web server to the Database server
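The IP-to-EPG lookup from the fvCEp class, the dn extraction and the contract/binding naming described above, as an added Python example (not the session's playbook): it parses a constructed fvCEp reply the way the aci_rest tasks would and derives the dns that the filter, contract, subject and EPG bindings end up with for the SSH case. The sample endpoints, the lowercase tenant name "common" and the filter/contract naming scheme are assumptions of this example.

```python
import json
import re

# Constructed sample of the APIC reply to a class query such as
#   GET /api/node/class/fvCEp.json
# MACs and the placement of each IP in an EPG are made up for this example.
SAMPLE_FVCEP = json.dumps({"totalCount": "2", "imdata": [
    {"fvCEp": {"attributes": {"ip": "10.52.249.123", "mac": "00:50:56:AA:00:01",
        "dn": "uni/tn-common/ap-MyApp/epg-WSERVER_1/cep-00:50:56:AA:00:01"}}},
    {"fvCEp": {"attributes": {"ip": "192.168.3.119", "mac": "00:50:56:AA:00:02",
        "dn": "uni/tn-common/ap-MyApp/epg-DSERVER_1/cep-00:50:56:AA:00:02"}}},
]})

# Tenant, application profile and EPG sit at fixed positions in a client endpoint dn.
DN_RE = re.compile(r"^uni/tn-(?P<tenant>[^/]+)/ap-(?P<ap>[^/]+)/epg-(?P<epg>[^/]+)/cep-")


def endpoint_from_response(body: str, ip: str) -> dict:
    """Resolve an IP to its tenant, app profile and EPG from fvCEp data.
    Fails loudly unless the IP is learned in exactly one EPG: a missing or
    ambiguous endpoint is the case a playbook must not silently paper over."""
    hits = [o["fvCEp"]["attributes"] for o in json.loads(body)["imdata"]
            if o["fvCEp"]["attributes"].get("ip") == ip]
    if len(hits) != 1:
        raise LookupError(f"{ip}: expected one fvCEp, found {len(hits)}")
    match = DN_RE.match(hits[0]["dn"])
    if match is None:
        raise ValueError(f"unexpected fvCEp dn: {hits[0]['dn']}")
    return match.groupdict()


def contract_objects(src: dict, dst: dict, proto: str, port: int) -> dict:
    """Derive the dns of what the playbook creates: a filter named after the
    protocol and port, and a contract named after the destination app profile
    and EPG, provided by the destination EPG and consumed by the source EPG.
    The naming scheme is this example's own assumption."""
    if src["tenant"] != dst["tenant"]:
        raise ValueError("source and destination must be in the same tenant")
    tn = f"uni/tn-{dst['tenant']}"
    flt = f"{proto}_{port}"
    brc = f"{dst['ap']}_{dst['epg']}"
    return {
        "filter": f"{tn}/flt-{flt}",
        "filter_entry": f"{tn}/flt-{flt}/e-{flt}",
        "contract": f"{tn}/brc-{brc}",
        "subject": f"{tn}/brc-{brc}/subj-{flt}",
        "provider": f"{tn}/ap-{dst['ap']}/epg-{dst['epg']}/rsprov-{brc}",
        "consumer": f"{tn}/ap-{src['ap']}/epg-{src['epg']}/rscons-{brc}",
    }
```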

Application deployment using CloudCenter

Tools, tools, and more tools…!

What is "core" to networking…?

The slide sets the OSI layers (Physical, Data Link, Network, Transport, Session, Presentation, Application) alongside the things networking teams treat as core: Interfaces, Routing, Access Lists.

Why use Cisco CloudCenter…?

Pros:
• Supports both public and private clouds
• Allows Application Teams to consume the network as part of the application deployment
• Allows the Application Teams to control access to their applications
• Both network and server operating systems can be managed
• Governance
• Rollback (application and network)

Cons:
• Less flexible naming convention


Summary


• There is no perfect automation tool

• Select the tool that best serves the requirements of your users

• Postman and visore are your friends to understand the API

• Automate time consuming, repetitive tasks


Cisco Webex Teams

Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.

How:
1. Find this session in the Cisco Events Mobile App
2. Click "Join the Discussion"
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space

cs.co/ciscolivebot#BRKACI-2770

Complete your online session survey

Don't forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com

• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Continue Your Education

• Demos in the Cisco Showcase
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions

Thank you