ACI ProgrammabilityRavi Chamarthy

ravchama@cisco.com

Principal Engineer, Cisco Systems

Agenda

• API Driven Design

• Managed Objects

• REST API Constructs

• Cobra SDK

• Live Code

API Driven Design

• Inventory

• Discovery

• Fabric Bring up

• Firmware

• Topology

• Security

• Monitoring

• Troubleshooting

• Debugging

• L2 Connectivity

• External Connectivity

• VM Management

• L4-L7 Services

• Application Policies

API Layers

Network

API

Application

API

REST API

CLITEST GUI

Cisco ACI: Object Model

Object Model

• Contains a modeled representation of:

• Application

• Network

• Services

• Virtualization

• Management

Root

Policy Universe

Tenants

Applications

Infra

VLANs

Topology

Nodes

Virtual Network

Hypervisors

Objects within APIC are structured in tree-based hierarchy

Objects referred to as “managed objects” (MO)

Packages identify the functional area

e.g., fv = fabric virtualization, vz = virtual zones, fabric = physical fabric, etc

Every object has a parent, with exception of top:Root (top of tree)

Relationships exist between objects

Management Information Tree (MIT)

Managed Objects

RootEverything is an object

Objects are hierarchically organized

Class identifies object type Card, Port, Path, EPG…

Class InheritanceAccess port is a subclass of port.

A leaf node is a subclass of fabric node.

Set of attributesidentity states descriptions

references lifecycle

MO• class

• dn

• prop1

• prop2, etc

Distributed Managed Information Tree (dMIT) contains comprehensive system information• discovered components

• system configuration

• operational status including statistics and faults

dMIT

Full unified description of entities.

No artificial separation of configuration, state,

runtime data.

Management Information Tree Example

topRoot

polUni fvTenant

fvAp fvAEPg

vzFilter vzEntry

vzBrCP vzSubj

fabricTopology

fabricPod

fabricPathEpCont

fabricPathEp

fabricNode

vmmProvP vmmDomP vmmCtrlrP

DN is used as a globally unique identifier for an object in the MIT

Formed by getting relative name (RN) and appending it to parent RN until reaching topRoot

RN naming rule depends on object

Can be found in APIC model documentation

Distinguished Name

topRoot

polUni fvTenant

fvAp fvAEPg

vzFilter vzEntry

vzBrCP vzSubj

fabricTopology fabricPod

fabricPathEpCont fabricPathEp

fabricNode

vmmProvP vmmDomP vmmCtrlrP

Example:

EPG in a tenant named “tenant” under

application “app1”

uni/tn-tenant/ap-app1/epg-epg1

Example:

Interface Eth1/3 on leaf 102 in pod 1

topology/pod-1/paths-102/pathep-[eth1/3]

Cisco ACI: REST API

Standard REST methods supported

REST API: Basics

Method Action Behavior

POST Create / Update Idempotent

GET Read Nullipotent

DELETE Delete Idempotent

• Payloads can be either XML or JSON

Specified by the file extension in URI

Content-Type and Accept header is ignored

REST API: Read Operations

/api

API

Operator

/{mo|class}

Specify

Managed

Object or Class

Operator

/{dn|classname}

Distinguished

name or Object

Class

.{xml|json}

Encoding for

response

?[options]

Specify filters,

selectors or

modifiers to query,

joined using

ampersand (&)

host:port

APIC host

and port

http(s)://

http or https

protocol

http://apic/api/mo/uni/tn-Cisco/ap-Software/epg-Download.xml

Read properties for an EPG by Distinguished Name

http://apic/api/class/l1PhysIf.xml?query-target-filter=eq(l1PhysIf.speed,"10G")

Find all 10G ports on Fabric

REST API: Create/Update Operations

/api /mo /dn .{xml|json} ?[options]host:porthttp(s)://

<fvTenant name="NewTenant">

<fvAp name="NewApplication">

<fvAEPg name="WebTier">

<fvRsPathAtt encap="vlan-1" mode="regular"

tDn="topology/pod-1/paths-17/pathep-[eth1/1]"/>

</fvAEPg>

</fvAp>

</fvTenant>

Payload is XML/JSON representation of API Command Body

URI (can optionally use JSON as well – examples in upcoming slides) http://<apic>/api/mo/aaaLogin.xml

Payload<aaaUser name='admin' pwd='insieme'/>

Response contains a cookie named APIC-cookie, which is also mirrored in the payload of the response under /imdata/aaaLogin/@token<?xml version="1.0" encoding="UTF-8"?>

<imdata>

<aaaLogintoken="WkrrC6t9Vdr0U/RaftIrgFqm2phiUEstut5iiuqD74Wa6YPTlkqhoTD4e0fdOxUlT+vCcBYMp/3JFboTgdetQrNV7zklSjTvxUdOZV1yC++KlqDykJuDgIN4bIHmJaId">

<!-- Truncated ->

</aaaLogin>

</imdata>

Use this APIC-cookie in future requests to have them authenticated

REST API: Authentication

Flexible Queries

By Class

By Distinguished Name

Hierarchical

Filterable

Class – Query for all objects of a certain type (e.g., all physical interfaces, then filter by speed 10G)

http://apic/api/class/l1PhysIf.xml

http://apic/api/class/l1PhysIf.xml?query-target-filter=eq(l1PhysIf.speed, "10G”)

DN – Query a specific object by its distinguished name

http://apic/api/mo/uni/tn-common.xml

Filter options:

query-target={self | children | subtree} # which object to query

query-target-filter=filter # filter to apply to query

query-target-filter=wcard(fvTenant.description,"coke.*”) # filter with regex

target-subtree-class=mo-class1,mo-class2 # what subtree objets to include

rsp-subtree={no | full | subtree } # what objects to include in response

rsp-subtree-class=mo-class # only include this class in subtree

REST API: Queries

Object Browser: Visore

• APIC has built in object browser to navigate the object tree and inspect the state of objects

• Point the web browser to Visore: http://<apic>/visore.html

• Search for a particular object or dn (fvTenant, topSystem, topology/pod-1/node-101)

www.getpostman.com

Chrome plugin that enables rapid testing of REST based queries

GET request to http://apic/api/class/fvTenant.xml will return the object configuration for all fvTenant classes

GET request to http://apic/api/mo/uni/tn-common.xml will return the specific object referenced by DN uni/tn-common as XML

POST request to http://apic/api/mo/uni/.xml with a payload will create a tenant. <fvTenant name="test"/>

DELETE request to http://apic/api/mo/uni/tn-test.xml will delete tenant test. Deletes tenant and children

POSTman

Cisco ACI: SDK

Cobra is a native Python language binding for APIC REST API

Supports lookups, creations, modifications, deletions

Objects in Cobra are a 1:1 representation of objects in the MIT

As a result, policy created via GUI/JSON/XML can be used as a programming template, for more rapid development

All data has client side consistency checks performed

Packaged as .egg, install with easy_install

ACI SDK: Cobra

Getting started: Logging in

import cobra.mit.access

import cobra.mit.session

ls = cobra.mit.session.LoginSession(

'http://apic', 'username', 'password')

md = cobra.mit.access.MoDirectory(ls)

md.login()

Link the

credentials to

the APIC

Define an APIC

to which we

will login

LoginSession

stores URI

and

credentials

Getting started: Object Lookup

uniMo = md.lookupByDn('uni')

• lookupByDn

• Look up a restaurant by street address (find me the restaurant at 1335 N 1st

Street, San Jose, CA)

• lookupByClass

• Look up a restaurant by cuisine (find me any Japanese restaurants)

uniMo = md.lookupByClass('polUni')

Getting started: Object Creationimport cobra.model.fabric

# Advice: Don’t hardcode Dn’s.

topMo = md.lookupByDn('uni/controller/nodeidentpol')

leaf1IdentP = cobra.model.fabric.NodeIdentP(

topMo, serial='TEP-1-17', nodeId='17', name='leaf1')

spine1IdentP = cobra.model.fabric.NodeIdentP(

topMo, serial='TEP-1-19', nodeId='19', name='spine1')

Use Visore to

find the class

Note – These objects are created locally only,

to save them to the APIC use a

ConfigRequest.

Getting started: Committing configurationimport cobra.mit.request

topMo = md.lookupByClass('fabricNodeIdentPol')[0]

# Dn is no longer hard coded.

leaf1IdentP = cobra.model.fabric.NodeIdentP(

topMo, serial='TEP-1-17', nodeId='17', name='leaf1')

spine1IdentP = cobra.model.fabric.NodeIdentP(

topMo, serial='TEP-1-19', nodeId='19', name='spine1')

c = cobra.mit.request.ConfigRequest()

c.addMo(topMo) # Add and commit the most top level object that makes sense

md.commit(c)

Change a hard coded Dn

into a lookupByClass() call

from cobra.model.fv import Tenant

from cobra.model.pol import Uni

from cobra.mit.request import ConfigRequest

uniMo = Uni('') # Uni is a static Mo, so we don’t need to look it up

t = Tenant(uniMo, 'Tenant1') # We create a tenant as a child of the universe

c = ConfigRequest() # Create a ConfigRequest to contain our new object

c.addMo(t) # Add our tenant to the ConfigRequest

moDir.commit(c) # Commit our configuration request

Create a tenant

from cobra.model.fv import *

from cobra.model.pol import Uni

uniMo = Uni('')

t = Tenant(uniMo, 'Tenant1')

ap = Ap(t, 'Exchange')

epg1 = AEPg(ap, 'OWA')

epg2 = AEPg(ap, 'FrontEnd')

epg3 = AEPg(ap, 'MailBox')

ep = RsPathAtt(epg1, tDn=‘topology/pod-1/paths-17/paths-[eth1/1]’,

mode=‘regular’, encap=‘vlan-10’)

c = ConfigRequest()

c.addMo(t)

moDir.commit(c)

Create a simple application

Note – Bridge Domain configuration omitted for

brevity. Please see the Cobra SDK or APIC

Configuration Guide for a complete configuration

Live Code!

Useful Links

• http://cobra.readthedocs.org

• https://github.com/datacenter/cobra

• https://acidev.cisco.com/