untitled - cisco live

Steve Sharman – Technical Solutions Architect

Russ Whitear – Consulting Systems Engineer

BRKACI-2770

Automating ACI

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Abstract

3

Automating ACI explores the use of popular automation tools running configuration tasks against an ACI network.

The session will be based on real world use cases where we’ll use different automation tools to configure ACI network interfaces, tenants/VRFs/BDs, contracts, and finally we’ll deploy a complete application stack using the previously configured objects.

Technologies discussed will include APIC, Visore, Postman, Ansible, UCS Director, and CloudCenter.

BRKACI-2770


Session objectives

4

This session will provide attendees with an understanding of the ACI policy model along with the basic skills required in order to automate an ACI fabric to create an internal private cloud.

BRKACI-2770


Before we start, let’s get to know each other …

5BRKACI-2770

Agenda

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 6

• Why Automate?

• ACI Primer

• ACI Policy Model

• Automation Use Cases

• Automating with UCS Director

• Automating with Postman

• Automating with Ansible

• Automating with CloudCenter

• Summary

BRKACI-2770

Let’s start with an obvious question…

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 8BRKACI-2770

Why are customers looking to use automation in their Data Centers…?


There are actually many different reasons:

9

• Cost reduction

• Simplicity

• Consistent configuration (Policy conformance, elimination of human error)

• Reduction in maintenance windows

• Reduction in time consuming repetitive tasks

• Structured changes during the business day

• Service Catalogue for IT services

• Elastic scaling

BRKACI-2770


Automation means different things to different people…!


Application ArchitectSYSTEMS ENG

Placeholder text

SRESCRUM Lead

NetDevOps

DEVELOPERDEVOPSSecOps Engineer

Network

DevOps EngineerReliability

DEVOPS ENG

Platform Team DEVSECOPSDEV-TEST

NetOps

CHAOS ENGFullSTACK

Placeholder

FULL-STACKInfrastructure DEVTEST-DEV

SRE

Platform Team

NETDEVOPS


Different Mindsets

12BRKACI-2770

DevOps Mindset

Embrace failure, Change is good, Active collaboration, Empowered accountability, Feedback systems, Automation

Change Management Mindset

Avoid failure, Change is Risky and Complex, Empowered accountability, Limited Feedback Systems, Manual

REQUEST


The Rise of the Developer

13BRKACI-2770

https://www.sequoiacap.com/article/rise-of-the-developer

“We are no longer rolling code by hand—bespoke, crafted from scratch and stored in a private stash. Instead, developers integrate and connect existing pieces together. We fork and adapt. Code becomes a cumulative, open-sourced effort. We are a community of developers working together.”

“This new way of working together has a surprising effect. It means each dev has tremendous influence on which tools get adopted.

The revelation is that developers have become a critical go-to-market distribution channel. If developers don't like a product, they won't use it. Period.

No amount of pressure from a CIO can change that. Developers will always find a work-around that works better.”

https://www.sequoiacap.com/article/rise-of-the-developer


What is Core vs Context for Network Admins…?

15BRKACI-2770

Interface Configuration

RoutingBGP, OSPF

Security

Change Control

Fault Finding


How can I exit the change control

loop…?

Internal IT is so slow..!

Lets use the “cloud”Cloud is quicker

Cloud is cheaper

I’m in control

Why not present the network as just

another cloud…?

Time for a change of mindset

16BRKACI-2770


Tools, tools, and more tools…!

17BRKACI-2770

Physical

Data Link

Network

Transport

Session

Presentation

Application

Interfaces

Routing

Access Lists

What is “core” to networking…?


There is no perfect automation tool…!

18BRKACI-2770

Interfaces

Tenants, VRFs, Bridge Domains

Application Profiles, Endpoint Groups

Contracts

Applications

Virtual Machines

A quick ACI Primer…


Physically Building the ACI Network

21BRKACI-2770

Management options:• GUI• CLI• XML/JSON• Scripting• Open API• Automation

Benefits:• Distributed, Centralised Management• Full traffic visibility*• Self documenting• Integrated virtual and physical

network• Integrated L4-7 device management• Policy defined network

* Excludes pre encapsulated/encrypted traffic


ACI Consumption Model

22BRKACI-2770

Interface Configuration

Fabric | Access Policies

• VLANs

• Domains

• AAEP

• Interface Policies

• Leaf Policy Groups

• Leaf Profiles

• Switch Profiles

Interface Consumption

Tenants

• Tenants

• VRFs

• Route Leaking

• L2/L3out

• Bridge Domains

• EPGs

• Contracts


Step 1: Configure the network interfaces


PoolsList of VLANs, VXLANs etc

DomainsWhere VLANs, VXLANs

etc are consumed

AAEPCollection of allowed VLANs, VXLANs etc

Leaf InterfacesPolicy Groups

Interface type and settings

Interface PoliciesInterface settings

Leaf InterfacesProfiles

Collection of interface IDs

Leaf SwitchesProfiles

Collection of switches

Interface SelectorsInterface IDs

Concrete Model(Configuration applied)

Logical Model(Configuration defined)

Security DomainsRestricts VLANs, Switches,

Interfaces, Tenants

TenantsVRFs, subnets, security

rules etc


Poolsall_vlans

Domainsphysical_servers

AAEPall_vlans

Leaf Policy GroupsLinux_Hosts

Interface Policiescdp-enabled

Interface Policies Leaf Profiles

Leafs_101_and_102

Switch PoliciesLeaf Profiles

Leafs_101_and_102

Interface Selectors1/11, 1/12, 1/13….

Leaf Policy GroupsESX_Hosts


Leaf Policy GroupsWindows_Hosts


DomainsCiscolive-vds-01

Configure additional interfaces on Leaf switches

Leaf Profile mapped to switches

Leaf Profiles aligned to switches


Leafs_103_and_104


Leafs_105_and_106


Leafs_103_and_104


Leafs_105_and_106

Option 1


Poolsall_vlans

AAEPall_vlans




ESX_Hosts


Leafs_101_and_102



Configure additional Leaf switches with selected Leaf

ProfileLeaf Profile mapped to switches

Leaf Profiles aligned to attached device i.e.

ESX_Hosts


Leafs_105_and_106


Leafs_103_and_104

Option 2


Step 2: Use the network interfaces


How should you design your Tenants…?


There are four options…

31BRKACI-2770

Bridge Domain

Tenant: commonVRF: vrf-01

Application Profile:

EPG

Bridge Domain



EPG

Tenant: Ciscolive



EPG

Bridge Domain

Tenant: Ciscolive

Bridge Domain

Tenant: CiscoliveVRF: vrf-01


EPG

Typically used when RBAC isn’t a strong requirement and one

team owns all the configuration

VRFs and subnets are all in the

Common Tenant –this means that any Tenant can use any

subnet

VRFs are available to all Tenants, however subnets are specific

to a given Tenant

VRFs and subnets are dedicated to an individual Tenant –typically this is tied into RBAC rules for

access to APIC from multiple teams


Where should you “place” Contracts and Filters…?

32BRKACI-2770

Contract


Filter

Filter


Contract

Tenant: Ciscolive


Filter

Contract

Tenant: Ciscolive

Contract


Filter



Filters in the Common Tenant

allows any Tenant to consume them in

their contracts

Contracts and Filters in a “user” tenant

with shared networking


with private networking


Step 3: Should you use Network Centric mode or Application Centric mode…?


What is meant by Network Centric mode and Application Centric mode…?

35

• Network Centric mode [naming] or Application Centric mode [naming] are simply terms to describe how the ACI network configuration is named, for example is a VLAN named “VLAN-10” or is a VLAN named “Web”

• Having the network configuration named after network objects (subnets/VLANs) is the traditional way of configuring a network

• Having the network configuration named after applications running on the network provides improved application visibility, simpler troubleshooting, and simpler auditing

• An application may represent an actual application such as “online banking”, or it may represent an infrastructure service such as “ESX infrastructure”

• Typically customers use Network Centric mode [naming] to describe legacy VLANs and subnets, and Application Centric mode [naming] to describe applications on the network

• Both naming modes can be used concurrently

BRKACI-2770


There are only three deployment options for Bridge Domains (subnets) and EPGs


Option 1: Single EPG on a Single BD with a Single Subnet – “Standard Networking”

37BRKACI-2770

vDS

Portgoup:

Ciscolive:MyApp:Web

Portgoup:

Ciscolive:MyApp:App

Application Profile: MyApp

EPG: Web

vDS: Ciscolive-vds-01

VLAN: dynamic

EPG: App


VLAN: dynamic

EPG: DB

Path: 101/1/1-2

VLAN: 12

BD: 192.168.10.x_24

GW:192.168.10.1/24

Advertise Externally: Yes

BD: 192.168.11.x_24

GW:192.168.11.1/24


BD: 192.168.12.x_24

GW:192.168.12.1/24


Tenant: Ciscolive

VRF: vrf-01

VM VM VM VM VM VM


Option 2: Multiple EPGs on a Single BD with a Single Subnet – µSegmentation in IP space

38BRKACI-2770

vDS

Portgoup:

Ciscolive:MyApp:Web

Portgoup:

Ciscolive:MyApp:App


EPG: Web


VLAN: dynamic

EPG: App


VLAN: dynamic

EPG: DB

Path: 101/1/1-2

VLAN: 12

BD: 192.168.10.x_24

GW:192.168.10.1/24


Tenant: Ciscolive

VRF: vrf-01

VM VM VM VM VM VM


Option 3: Multiple EPGs on a Single BD with Multiple Subnets – IP secondary

39BRKACI-2770

Servers in either 192.168.10.x

or 192.168.11.x subnets

Servers in either 192.168.10.x

or 192.168.11.x subnets

vDS

Portgoup:

Ciscolive:MyApp:Web

Portgoup:

Ciscolive:MyApp:App


EPG: Web


VLAN: dynamic

EPG: App


VLAN: dynamic

EPG: DB

Path: 101/1/1-2

VLAN: 12

BD: multiple_subnets

GW:192.168.10.1/24

GW:192.168.11.1/24Advertise Externally: Yes

Tenant: Ciscolive

VRF: vrf-01

VM VM VM VM VM VM

How would I migrate from “Network Centric” mode [naming] to “Application Centric” mode [naming]…?


Why change what’s already working…?

How long will it take to migrate…?

What will be the operational impact…?

How will you discover your application dependencies…?


Migrating from Network Centric [Naming] to Application Centric [Naming]

45BRKACI-2770

Tenant: common

VRF: vrf-01

Tenant: Classic

Application Profile: 192.168.10.x_24

EPG (VLAN)VLAN-10

BD192.168.10.x_24

Outside

Application Profile: Online-Banking

EPG (VLAN)

Web

EPG (VLAN)

App

EPG (VLAN)

DB

Tenant: Production

Contract Contract

Contr

act


Contracts and/or Firewalls between different security zones

47BRKACI-2770

Application Profile: Online-Banking Application Profile: Investment-Banking

Low SecurityEPG (VLAN)

DB

EPG (VLAN)

DB

Medium SecurityEPG (VLAN)

App

EPG (VLAN)

App

High SecurityEPG (VLAN)

Web

EPG (VLAN)

Web

Tenant: Production

Contr

act

Contr

act

Secure contracts

between zones

Contract

Optional default

contract within a zones

Let’s quickly spin up an environment on a simulator

Use Case: #1

Interface configuration using UCSD



51BRKACI-2770

Physical

Data Link

Network

Transport

Session

Presentation

Application

Interfaces

Routing

Access Lists

is interface configuration “core” to networking…?


Pros:

• Off the shelf commercial product with full support

• Drag and Drop Workflow Orchestrator with Rollback

• ~250 ACI Tasks Out of the Box

• End User Portal for Catalogue Consumption

• Support for Cisco and non Cisco products – Compute, Network, Storage, VM Deployment etc.

• Extensive Northbound API

Cons

• Some Scripting (JavaScript) maybe required for Extensibility Beyond OOB Tasks

Why choose UCS Director for automation…?


Why automate interface configuration…?


Could the interface configuration be delegated to the “server/infrastructure” team…?

Configuring network interfaces is a time consuming and repetitive task that is prone to human error

Should interface configuration be considered a “core” role of the network team…?


Use case #1: Interface Configuration using UCSD

56BRKACI-2770

Required parameters• Leaf(s) ID• Interface ID• Interface Description• Server type

Predefined parameters• Leaf Switch Profile• Leaf Interfaces Profiles• Leaf Interface Policy Groups• Leaf Interface Policies• AAEP• Domain• VLAN Pool


Poolsall_vlans

Domainsphysical_servers

AAEPall_vlans

Leaf Policy GroupsLinux_Hosts



Leafs_101_and_102


Leafs_101_and_102


Leaf Policy GroupsWindows_Hosts


Configure additional interfaces on Leaf switches

Leaf Profile mapped to switches

Leaf Profiles aligned to switches


Leafs_103_and_104


Leafs_105_and_106


Leafs_103_and_104


Leafs_105_and_106

Int Sel1/1

Description

Int Sel1/2

Description

Int Sel1/3

Description

Int Sel…

Description

Int Sel…

Description

Int Sel…

Description

Int Sel1/46

Description

Int Sel1/47

Description

Int Sel1/48

Description

Let’s see UCSD in action…

Quick step by step walkthrough…

What happens on the ACI fabric…?


Note the SR for rollback purposes

How do I remove the configuration…?

What happens behind the scenes…?

What does the UCSD configuration look like…?

To really get the most out of automation we need to understand the ACI Policy Model and how to use the API


What is the ACI Policy Model…?

97

The ACI policy model enables the specification of application requirements policies. The APIC automatically renders policies in the fabric infrastructure.

When a user or process initiates an administrative change to an object in the fabric, the APIC first applies that change to the policy model. This policy model change then triggers a change to the actual managed endpoint.

This approach is called a model-driven framework.

BRKACI-2770

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-

Fundamentals/b_ACI-Fundamentals_chapter_010001.html


https://{{apic}}/

98BRKACI-2770


Managed Objects

99BRKACI-2770

AAA, SecurityTenants – User,

Common …

Policy Universe

APIC Controllers

…

Layer 4-7

Services

Fabric, Access,

Inventory …VM Domains …

Tenant

FilterApplication

ProfileOutside Network ContractBridge Domain VRF

EPG

Subnet Subject


The HTTP methods that we invoke are:POST, GET, DELETE

Object data can be accessed in different ways, either by calling the object Class (e.g. all fvBD) or by calling an object by name (e.g. tn-Ciscolive)


Managed Objectshttps://{{apic}}/api/node/mo/uni/{{dn}}.json?{{filter}}

Distinguished Name – Name of Object

• tn-{{name}}

• tn-{{name}}/BD-{{name}}

• tn-{{name}}/ap-{{name}}

• tn-{{name}}/ap-{{name}}/epg-{{name}}

• …

Object Class - Types of Object

• fvTenant - Tenant

• fvBD – Bridge Domain

• fvAp – Application Profile

• fvAEPg – EPG

• …

101BRKACI-2770

https://{{apic}}/api/node/class/{{class}}.json?{{filter}}


How do I understand all the MOs…?


You could read the documentation, but….

103BRKACI-2770

https://{{apic}}/doc/html


….Postman and visore are your friends…!

106BRKACI-2770

https://{{apic}}/visore.html


Targeting Queries

107BRKACI-2770


Query Target Filters – Single object retrieved

108BRKACI-2770

https://{{apic}}/api/node/mo/uni/tn-common/BD-192.168.10.0_24.json?query-target=self

self


Query Target Filters – List of Twelve objects retrieved

109BRKACI-2770

https://{{apic}}/api/node/mo/uni/tn-common/BD-192.168.10.0_24.json?query-target=children

children


Query Target Filters – List of Fourteen objects retrieved

110BRKACI-2770

https://{{apic}}/api/node/mo/uni/tn-common/BD-192.168.10.0_24.json?query-target=subtree

subtree


rsp – Tree of objects retrieved

111BRKACI-2770

https://{{apic}}/api/node/mo/uni/tn-common/BD-192.168.10.0_24.json?rsp-subtree=full

subtree


Audience quiz time…..!!


Advanced Queries

113

https://{{apic}}/api/node/class/fvAEPg.json?query-

target=subtree&query-target-

filter=and(wcard(fvRsBd.tnFvBDName,"10.52.249.96_27"))

https://{{apic}}/api/node/class/fvBD.json?query-

target=subtree&query-target-

filter=and(eq(fvRsBDToOut.tnL3extOutName,"OSPF_to_external_

vrf-global"))

https://{{apic}}/api/node/class/fvIfConn.json?query-target-

filter=and(eq(fvIfConn.encap,"vlan-8"))

BRKACI-2770

https://github.com/spsharman/ | https://github.com/rwhitear42

https://github.com/spsharman/

https://github.com/rwhitear42

Use Case: #2

Bridge Domain configuration using Postman and Runner


is routing configuration “core” to networking…?


115BRKACI-2770

Physical

Data Link

Network

Transport

Session

Presentation

Application

Interfaces

Routing

Access Lists


Pros:

• No/little scripting experience required

• Both network and server operating systems can be managed

• It’s extremely easy to use

Cons

• Some knowledge of JSON/XML required

Why use Postman…?


Step 1: Build your required object(s) in the GUI

118BRKACI-2770

vDS

Portgoup:

Ciscolive:MyApp:Web

Portgoup:

Ciscolive:MyApp:App


EPG: Web


VLAN: dynamic

EPG: App


VLAN: dynamic

EPG: DB


VLAN: dynamic

BD: 192.168.10.x_24

GW:192.168.10.1/24


BD: 192.168.11.x_24

GW:192.168.11.1/24


BD: 192.168.12.x_24

GW:192.168.12.1/24


Tenant: Ciscolive

VRF: vrf-01

VM VM VM VM VM VM

Portgoup:

Ciscolive:MyApp:DB

VM VM VM

Tenant: Common

VRF: vrf-01

Route Leak 0.0.0.0/0

Ext Switch: 6ka

VRF: global

Ext Switch: 6kb

VRF: global


Step 2: Save your configuration

119BRKACI-2770

vDS

Portgoup:

Ciscolive:MyApp:Web

Portgoup:

Ciscolive:MyApp:App


EPG: Web


VLAN: dynamic

EPG: App


VLAN: dynamic

EPG: DB


VLAN: dynamic

BD: 192.168.10.x_24

GW:192.168.10.1/24


BD: 192.168.11.x_24

GW:192.168.11.1/24


BD: 192.168.12.x_24

GW:192.168.12.1/24


Tenant: Ciscolive

VRF: vrf-01

VM VM VM VM VM VM

Portgoup:

Ciscolive:MyApp:DB

VM VM VM

Tenant: Common

VRF: vrf-01

Route Leak 0.0.0.0/0

Ext Switch: 6ka

VRF: global

Ext Switch: 6kb

VRF: global


Step 3: Prettify your JSON

121BRKACI-2770


Application Profile

“path” to the

Application Profile

Children of the

Application Profile

Endpoint Group

Endpoint Group name

Children of the

Endpoint Group

Provided Contract

Contract name

Domain

Domain name

(VMM)

Bridge Domain

Bridge Domain name

Application Profile

name

Step 4: Understand/modify the code


Step 5: Create Postman environment

123BRKACI-2770


Step 6: POST the modified content back to APIC

124BRKACI-2770

https://{{apic}}/api/node/mo/.json?rsp-subtree=modified


We can now use Runner to make bulk changes


Application Profile“path” to the Application

Profile (variable)

New “status”

object (variable)

Endpoint Group

Endpoint Group

name (variable)

Provided Contract

Contract name

(variable)

Domain

Domain name

(VMM) (variable)

Bridge Domain

Bridge Domain name

(variable)

Application Profile

name (variable)

New “status”

object (variable)

“path” to the Endpoint

Group (variable)

Step 7: Select parameters to use as variables


Step 8: Create a variable file

127BRKACI-2770

Option: created

Option: created,modified

Option: deleted

Option: created

Option: created,modified

Option: deleted


Step 9: Create a POST and Insert JSON with variables

128BRKACI-2770


Step 10: Select file with input variables

129BRKACI-2770


Step 11: Monitor output

130BRKACI-2770


Bridge Domains – before Runner

131BRKACI-2770


Postman Runner BD Video


Bridge Domains – after Runner

133BRKACI-2770

Use Case: #3

Contract configuration using Ansible


is ACL configuration “core” to networking…?


135BRKACI-2770

Physical

Data Link

Network

Transport

Session

Presentation

Application

Interfaces

Routing

Access Lists


Therefore why not allow the application team to automatically configure their own rules…?

Configuring Contracts is a function typically executed by the network team, however the rules are

requested by the application team


Contracts are similar to ACL or firewall entries

137BRKACI-2770

InsideOutside

ubuntu-01 ubuntu-02

permit ubuntu-01 ubuntu-02 tcp 5201

EPG: portgroup-01vDS: Ciscolive-vds-01

VLAN: dynamicContract:Consumer

ubuntu-01

EPG: portgroup-02vDS: Ciscolive-vds-01

VLAN: dynamicContract: Provider

ubuntu-02

Contract: permit_to_portgroup-02


Contract components

138BRKACI-2770

Contract:

permit_to_{{ prov_ap_name }}_{{ prov_epg_name }}

Filter:

{{ subj_name }}_src_any_to_dst_tcp_{{ dst_port }}

Entries:

any | {{ dst_port }}

Subject:

{{ subj_name }}

Options:

Apply Both Directions

Reverse Filter Ports

Service Graph

QoS

DSCP

Options:

Tag

Options:

Scope, Qos, DSCP, Tag

Options:

Src / Dst ports

Flags

Stateful

Filters may have more than one entry

Contracts may have more than one Subject


Where should you “place” Contracts and Filters…?

139BRKACI-2770

Contract


Filter

Filter


Contract

Tenant: Ciscolive


Filter

Contract

Tenant: Ciscolive

Contract


Filter



Filters in the Common Tenant

allows any Tenant to consume them in

their contracts


with shared networking


with private networking


Prior to this presentation we deployed a new WordPress application in our lab


Two Tier WordPress Application

144BRKACI-2770

vDS

Portgoup: Ciscolive:wpCL19_631:WSERVER_1

Portgoup: Ciscolive:wpCL19_631:DSERVER_1

Application Profile: wpCL19_631

EPG: WSERVER_1


VLAN: dynamic

EPG: DSERVER_1


VLAN: dynamic

BD: 10.52.249.96_27

GW:10.52.249.97


BD: 192.168.3.x_24

GW:192.168.3.1/24


Tenant: Common

VRF: vrf-01

VM VM VM VM VM VM


...but our application is failing…


Error establishing a database connection

146BRKACI-2770

vDS

Portgoup: Ciscolive:wpCL631:WSERVER_1

Portgoup: Ciscolive:wpCL631:DSERVER_1


EPG: WSERVER_1


VLAN: dynamic

EPG: DSERVER_1


VLAN: dynamic

BD: 10.52.249.96_27

GW:10.52.249.97


BD: 192.168.3.x_24

GW:192.168.3.1/24


Tenant: Common

VRF: vrf-01

VM VM 192.168.3.11910.52.249.123


We have a couple of Ansible Playbooks that can help diagnose and fix the issue…

How did we start writing the playbook to automate adding connectivity…?


First things first…

1. Gather minimum required information (User supplied)

1. Source IP address

2. Destination IP address

3. Protocol Type

4. Port to be opened

1. Use Postman and visore to gather and test the required API calls

2. Define the list of tasks (Plays) to perform

3. Check whether there are existing Ansible modules available to perform the tasks

4. User aci_rest module for everything else

1. Start writing the Playbook…!

2. Learn to hate the indentation used by YAML

3. Start again with individual Plays

4. Merge the Plays into a Playbook

151BRKACI-2770

Now let’s start filling in the blanks…!


• Open Source

• Automation, Configuration & Orchestration

• Most *NIX flavors can be control machine

• Windows Not Supported

• Can manage different systems

• ACI, IOS, NX-OS, IOS-XR

• Version 2.7.5• ACI support - 2.4

• Agentless, Push Model

• Idempotent

• YAML based

What is Ansible…?


Pros:• No/little scripting experience required


• Inbuilt modules for many devices to be managed (Not just ACI)

• Idempotence

Cons:• Some knowledge of JSON/XML required

Why use Ansible…?


Ansible Components

156

• Control Machine – Used to configure and push playbooks/plays to target systems

• Target Systems – Systems we want Ansible to control/automate

• Inventory files – Text based host files for target systems

• INI or YAML based

• Playbook – Series of plays/automation tasks

• YAML based

• Modules – reusable scripts that perform tasks in Ansible

BRKACI-2770


Ansible ACI Modules

157

• Perform specific tasks (Create Tenant/VRF/BD)

• Already installed when you install Ansible

• Written in Python

• Can develop your own modules

• 60 ACI modules as of 2.7

• To see all Ansible Modules – ansible-doc -l

• ACI specific ones – ansible-doc -l | grep ^aci

DEVNET-1797


again….Postman and visore are your friends…!

159BRKACI-2770

https://{{apic}}/visore.html


Use Postman to validate queries

160BRKACI-2770


Let’s look at the Playbook…


Ansible Playbook breakdown

162BRKACI-2770

Start of YAML ---

# Just a comment

- name: What do we want to execute against

hosts: "{{ apic }}"

connection: local

gather_facts: no

tasks:

- name: Create Tenant

aci_tenant:

hostname: "{{ apic }}"

username: "{{ apic_username }}"

password: "{{ apic_password }}"

tenant: "CiscoLive"

description: "Tenant configured by Ansible"

validate_certs: no

state: present

Comment

Name of Playbook

Hosts from inventory

Connection is local to this host

Collects information about targets


The scope of the Contract has been pre-defined

Prompt for user input


Define some Facts (Variables) to be used later


Use the aci_config_snapshotmodule to take a snapshot


Use the aci_rest module to discover

the source IP/EPG mapping from

the fvCEp Class


Extract the Tenant, App Profile and

EPG name from the source dn


Use the aci_rest module to discover

the destination IP/EPG mapping

from the fvCEp Class


Extract the Tenant, App Profile and

EPG name from the destination dn


Create a Filter based on the

protocol type and destination port


Create a Filter entry based on the

destination port


Create a Contract based on the

destination Application Profile and

EPG


Add the Subject and Filter to the

Contract


Bind the Contract to the Provider

EPG


Bind the Contract to the Consumer

EPG


Let’s open SSH from the Web server to the Database server

Application deployment using CloudCenter



178BRKACI-2770

Physical

Data Link

Network

Transport

Session

Presentation

Application

Interfaces

Routing

Access Lists

What is “core” to networking…?


Pros:

• Supports both public and private clouds

• Allows Application Teams to consume the network as part of the application deployment

• Allows the Application Teams to control access to their applications


• Governance

• Rollback (application and network)

Cons

• Less flexible naming convention

Why use Cisco CloudCenter…?

Summary


Summary

202

• There is no perfect automation tool

• Select the tool that best serves the requirements of your users

• Postman and visore are your friends to understand the API

• Automate time consuming, repetitive tasks

BRKACI-2770


Cisco Webex Teams

Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session

Find this session in the Cisco Events Mobile App

Click “Join the Discussion”

Install Webex Teams or go directly to the team space

Enter messages/questions in the team space

How

1

2

3

4

203

cs.co/ciscolivebot#BRKACI-2770

BRKACI-2770


Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com

• Please complete your Online Session Survey after each session

• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Complete your online session survey

204BRKACI-2770


Demos in the Cisco Showcase

Walk-in self-paced

labs

Meet the engineer

1:1 meetings

Related sessions

Continue Your Education

205BRKACI-2770

Thank you

untitled - cisco live

Documents