Transcript
Steve Sharman – Technical Solutions Architect
Russ Whitear – Consulting Systems Engineer
BRKACI-2770
Automating ACI
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Abstract
Automating ACI explores the use of popular automation tools running configuration tasks against an ACI network.
The session will be based on real world use cases where we’ll use different automation tools to configure ACI network interfaces, tenants/VRFs/BDs, contracts, and finally we’ll deploy a complete application stack using the previously configured objects.
Technologies discussed will include APIC, Visore, Postman, Ansible, UCS Director, and CloudCenter.
Session objectives
This session will provide attendees with an understanding of the ACI policy model along with the basic skills required in order to automate an ACI fabric to create an internal private cloud.
Before we start, let’s get to know each other …
Agenda
• Why Automate?
• ACI Primer
• ACI Policy Model
• Automation Use Cases
• Automating with UCS Director
• Automating with Postman
• Automating with Ansible
• Automating with CloudCenter
• Summary
Let’s start with an obvious question…
Why are customers looking to use automation in their Data Centers…?
There are actually many different reasons:
• Cost reduction
• Simplicity
• Consistent configuration (Policy conformance, elimination of human error)
• Reduction in maintenance windows
• Reduction in time consuming repetitive tasks
• Structured changes during the business day
• Service Catalogue for IT services
• Elastic scaling
Automation means different things to different people…!
Word cloud of job titles: Application Architect, Systems Eng, SRE, Scrum Lead, NetDevOps, Developer, DevOps, SecOps Engineer, Network Reliability, DevOps Engineer, DevOps Eng, Platform Team, DevSecOps, Dev-Test, NetOps, Chaos Eng, Full Stack, Infrastructure Dev, Test-Dev
Different Mindsets
DevOps Mindset
Embrace failure, Change is good, Active collaboration, Empowered accountability, Feedback systems, Automation
Change Management Mindset
Avoid failure, Change is Risky and Complex, Empowered accountability, Limited Feedback Systems, Manual
The Rise of the Developer
https://www.sequoiacap.com/article/rise-of-the-developer
“We are no longer rolling code by hand—bespoke, crafted from scratch and stored in a private stash. Instead, developers integrate and connect existing pieces together. We fork and adapt. Code becomes a cumulative, open-sourced effort. We are a community of developers working together.”
“This new way of working together has a surprising effect. It means each dev has tremendous influence on which tools get adopted.
The revelation is that developers have become a critical go-to-market distribution channel. If developers don't like a product, they won't use it. Period.
No amount of pressure from a CIO can change that. Developers will always find a work-around that works better.”
What is Core vs Context for Network Admins…?
• Interface Configuration
• Routing – BGP, OSPF
• Security
• Change Control
• Fault Finding
Time for a change of mindset
• How can I exit the change control loop…?
• Internal IT is so slow..!
• Let’s use the “cloud”: cloud is quicker, cloud is cheaper, I’m in control
• Why not present the network as just another cloud…?
Tools, tools, and more tools…!
OSI layers (Physical, Data Link, Network, Transport, Session, Presentation, Application) mapped against the tasks: Interfaces, Routing, Access Lists
What is “core” to networking…?
There is no perfect automation tool…!
Layers of the stack to automate:
• Interfaces
• Tenants, VRFs, Bridge Domains
• Application Profiles, Endpoint Groups
• Contracts
• Applications
• Virtual Machines
A quick ACI Primer…
Physically Building the ACI Network
Management options:
• GUI
• CLI
• XML/JSON
• Scripting
• Open API
• Automation
Benefits:
• Distributed, Centralised Management
• Full traffic visibility*
• Self documenting
• Integrated virtual and physical network
• Integrated L4-7 device management
• Policy defined network
* Excludes pre encapsulated/encrypted traffic
ACI Consumption Model
Interface Configuration
Fabric | Access Policies
• VLANs
• Domains
• AAEP
• Interface Policies
• Leaf Policy Groups
• Leaf Profiles
• Switch Profiles
Interface Consumption
Tenants
• Tenants
• VRFs
• Route Leaking
• L2/L3out
• Bridge Domains
• EPGs
• Contracts
Step 1: Configure the network interfaces
Logical Model (configuration defined):
• Pools – list of VLANs, VXLANs etc
• Domains – where VLANs, VXLANs etc are consumed
• AAEP – collection of allowed VLANs, VXLANs etc
• Interface Policies – interface settings
• Leaf Interfaces Policy Groups – interface type and settings
• Interface Selectors – interface IDs
• Leaf Interfaces Profiles – collection of interface IDs
• Leaf Switches Profiles – collection of switches
• Security Domains – restricts VLANs, Switches, Interfaces, Tenants
• Tenants – VRFs, subnets, security rules etc
Concrete Model (configuration applied)
Option 1 – Leaf Profiles aligned to switches
• Pools: all_vlans
• Domains: physical_servers, Ciscolive-vds-01
• AAEP: all_vlans
• Interface Policies: cdp-enabled
• Leaf Policy Groups: Linux_Hosts (Interface Selectors 1/11, 1/12, 1/13…), ESX_Hosts (Interface Selectors 1/1, 1/2, 1/3…), Windows_Hosts (Interface Selectors 1/21, 1/22, 1/23…)
• Interface Policies Leaf Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106
• Switch Policies Leaf Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106 (Leaf Profile mapped to switches)
Configure additional interfaces on Leaf switches
Option 2 – Leaf Profiles aligned to attached device, i.e. ESX_Hosts
• Pools: all_vlans
• Domains: Ciscolive-vds-01
• AAEP: all_vlans
• Interface Policies: cdp-enabled
• Leaf Policy Groups: ESX_Hosts (Interface Selectors 1/1, 1/2, 1/3…)
• Interface Policies Leaf Profiles: ESX_Hosts
• Switch Policies Leaf Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106 (Leaf Profile mapped to switches)
Configure additional Leaf switches with selected Leaf Profile
Step 2: Use the network interfaces
How should you design your Tenants…?
There are four options…
Option 1 – VRF (vrf-01), Bridge Domain, Application Profile and EPG all in Tenant common: typically used when RBAC isn’t a strong requirement and one team owns all the configuration
Option 2 – VRF and Bridge Domain in Tenant common, Application Profile and EPG in Tenant Ciscolive: VRFs and subnets are all in the Common Tenant – this means that any Tenant can use any subnet
Option 3 – VRF in Tenant common, Bridge Domain, Application Profile and EPG in Tenant Ciscolive: VRFs are available to all Tenants, however subnets are specific to a given Tenant
Option 4 – VRF (vrf-01), Bridge Domain, Application Profile and EPG all in Tenant Ciscolive: VRFs and subnets are dedicated to an individual Tenant – typically this is tied into RBAC rules for access to APIC from multiple teams
Where should you “place” Contracts and Filters…?
Option 1 – Contract and Filter in Tenant common (VRF: vrf-01): typically used when RBAC isn’t a strong requirement and one team owns all the configuration
Option 2 – Filter in Tenant common, Contract in Tenant Ciscolive: Filters in the Common Tenant allow any Tenant to consume them in their contracts
Option 3 – Contract and Filter in Tenant Ciscolive, VRF in Tenant common: Contracts and Filters in a “user” tenant with shared networking
Option 4 – Contract, Filter and VRF all in Tenant Ciscolive: Contracts and Filters in a “user” tenant with private networking
Step 3: Should you use Network Centric mode or Application Centric mode…?
What is meant by Network Centric mode and Application Centric mode…?
• Network Centric mode [naming] and Application Centric mode [naming] are simply terms to describe how the ACI network configuration is named, for example whether a VLAN is named “VLAN-10” or “Web”
• Having the network configuration named after network objects (subnets/VLANs) is the traditional way of configuring a network
• Having the network configuration named after applications running on the network provides improved application visibility, simpler troubleshooting, and simpler auditing
• An application may represent an actual application such as “online banking”, or it may represent an infrastructure service such as “ESX infrastructure”
• Typically customers use Network Centric mode [naming] to describe legacy VLANs and subnets, and Application Centric mode [naming] to describe applications on the network
• Both naming modes can be used concurrently
There are only three deployment options for Bridge Domains (subnets) and EPGs
Option 1: Single EPG on a Single BD with a Single Subnet – “Standard Networking”
Tenant: Ciscolive – VRF: vrf-01 – Application Profile: MyApp
• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:Web) on BD: 192.168.10.x_24 (GW: 192.168.10.1/24, Advertise Externally: Yes)
• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:App) on BD: 192.168.11.x_24 (GW: 192.168.11.1/24, Advertise Externally: Yes)
• EPG: DB (Path: 101/1/1-2, VLAN: 12) on BD: 192.168.12.x_24 (GW: 192.168.12.1/24, Advertise Externally: Yes)
Option 2: Multiple EPGs on a Single BD with a Single Subnet – µSegmentation in IP space
Tenant: Ciscolive – VRF: vrf-01 – Application Profile: MyApp
• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:Web)
• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:App)
• EPG: DB (Path: 101/1/1-2, VLAN: 12)
All three EPGs sit on the single BD: 192.168.10.x_24 (GW: 192.168.10.1/24, Advertise Externally: Yes)
Option 3: Multiple EPGs on a Single BD with Multiple Subnets – IP secondary
Tenant: Ciscolive – VRF: vrf-01 – Application Profile: MyApp
• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:Web) – servers in either 192.168.10.x or 192.168.11.x subnets
• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:App) – servers in either 192.168.10.x or 192.168.11.x subnets
• EPG: DB (Path: 101/1/1-2, VLAN: 12)
All three EPGs sit on the single BD: multiple_subnets (GW: 192.168.10.1/24 and GW: 192.168.11.1/24, Advertise Externally: Yes)
How would I migrate from “Network Centric” mode [naming] to “Application Centric” mode [naming]…?
Why change what’s already working…?
How long will it take to migrate…?
What will be the operational impact…?
How will you discover your application dependencies…?
Migrating from Network Centric [Naming] to Application Centric [Naming]
Tenant: common – VRF: vrf-01
Tenant: Classic – Application Profile: 192.168.10.x_24 – EPG (VLAN): VLAN-10 – BD: 192.168.10.x_24
Tenant: Production – Application Profile: Online-Banking – EPGs (VLAN): Web, App, DB – Contracts between Outside, Web, App and DB
Contracts and/or Firewalls between different security zones
Tenant: Production – Application Profiles: Online-Banking, Investment-Banking
• High Security zone – EPG (VLAN): Web (one per Application Profile)
• Medium Security zone – EPG (VLAN): App (one per Application Profile)
• Low Security zone – EPG (VLAN): DB (one per Application Profile)
Secure contracts between zones; optional default contract within a zone
Let’s quickly spin up an environment on a simulator
Use Case: #1
Interface configuration using UCSD
Tools, tools, and more tools…!
OSI layers (Physical, Data Link, Network, Transport, Session, Presentation, Application) mapped against the tasks: Interfaces, Routing, Access Lists
Is interface configuration “core” to networking…?
Why choose UCS Director for automation…?
Pros:
• Off the shelf commercial product with full support
• Drag and Drop Workflow Orchestrator with Rollback
• ~250 ACI Tasks Out of the Box
• End User Portal for Catalogue Consumption
• Support for Cisco and non Cisco products – Compute, Network, Storage, VM Deployment etc.
• Extensive Northbound API
Cons:
• Some Scripting (JavaScript) may be required for Extensibility Beyond OOB Tasks
Why automate interface configuration…?
Configuring network interfaces is a time consuming and repetitive task that is prone to human error
Should interface configuration be considered a “core” role of the network team…?
Could the interface configuration be delegated to the “server/infrastructure” team…?
Use case #1: Interface Configuration using UCSD
Required parameters:
• Leaf(s) ID
• Interface ID
• Interface Description
• Server type
Predefined parameters:
• Leaf Switch Profile
• Leaf Interfaces Profiles
• Leaf Interface Policy Groups
• Leaf Interface Policies
• AAEP
• Domain
• VLAN Pool
• Pools: all_vlans
• Domains: physical_servers, Ciscolive-vds-01
• AAEP: all_vlans
• Interface Policies: cdp-enabled
• Leaf Policy Groups: Linux_Hosts, ESX_Hosts, Windows_Hosts
• Interface Policies Leaf Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106
• Switch Policies Leaf Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106 (Leaf Profile mapped to switches; Leaf Profiles aligned to switches)
• Interface Selectors: one per interface, 1/1, 1/2, 1/3 … 1/46, 1/47, 1/48, each with its own Description
Configure additional interfaces on Leaf switches
Let’s see UCSD in action…
Quick step by step walkthrough…
What happens on the ACI fabric…?
Note the SR for rollback purposes
How do I remove the configuration…?
What happens behind the scenes…?
What does the UCSD configuration look like…?
To really get the most out of automation we need to understand the ACI Policy Model and how to use the API
What is the ACI Policy Model…?
The ACI policy model enables the specification of application requirements policies. The APIC automatically renders policies in the fabric infrastructure.
When a user or process initiates an administrative change to an object in the fabric, the APIC first applies that change to the policy model. This policy model change then triggers a change to the actual managed endpoint.
This approach is called a model-driven framework.
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI-Fundamentals_chapter_010001.html
https://{{apic}}/
Managed Objects
Policy Universe contains:
• Tenants – User, Common …
• AAA, Security
• APIC Controllers
• Layer 4-7 Services
• Fabric, Access, Inventory …
• VM Domains …
A Tenant contains: Application Profile (with EPGs), Bridge Domain (with Subnets), VRF, Contract (with Subjects), Filter, Outside Network
The HTTP methods that we invoke are: POST, GET, DELETE
Object data can be accessed in different ways, either by calling the object Class (e.g. all fvBD) or by calling an object by name (e.g. tn-Ciscolive)
Managed Objects by Distinguished Name (name of object): https://{{apic}}/api/node/mo/uni/{{dn}}.json?{{filter}}
• tn-{{name}}
• tn-{{name}}/BD-{{name}}
• tn-{{name}}/ap-{{name}}
• tn-{{name}}/ap-{{name}}/epg-{{name}}
• …
Managed Objects by Object Class (types of object): https://{{apic}}/api/node/class/{{class}}.json?{{filter}}
• fvTenant – Tenant
• fvBD – Bridge Domain
• fvAp – Application Profile
• fvAEPg – EPG
• …
How do I understand all the MOs…?
You could read the documentation, but….
https://{{apic}}/doc/html
….Postman and visore are your friends…!
https://{{apic}}/visore.html
Targeting Queries
Query Target Filters – Single object retrieved
https://{{apic}}/api/node/mo/uni/tn-common/BD-192.168.10.0_24.json?query-target=self
Query Target Filters – List of Twelve objects retrieved
https://{{apic}}/api/node/mo/uni/tn-common/BD-192.168.10.0_24.json?query-target=children
Query Target Filters – List of Fourteen objects retrieved
https://{{apic}}/api/node/mo/uni/tn-common/BD-192.168.10.0_24.json?query-target=subtree
rsp – Tree of objects retrieved
https://{{apic}}/api/node/mo/uni/tn-common/BD-192.168.10.0_24.json?rsp-subtree=full
Audience quiz time…..!!
Advanced Queries
https://{{apic}}/api/node/class/fvAEPg.json?query-target=subtree&query-target-filter=and(wcard(fvRsBd.tnFvBDName,"10.52.249.96_27"))
https://{{apic}}/api/node/class/fvBD.json?query-target=subtree&query-target-filter=and(eq(fvRsBDToOut.tnL3extOutName,"OSPF_to_external_vrf-global"))
https://{{apic}}/api/node/class/fvIfConn.json?query-target-filter=and(eq(fvIfConn.encap,"vlan-8"))
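The mo/class URL forms, the query-target scopes and the filtered class queries above all return the same JSON envelope (`totalCount` plus an `imdata` list of objects keyed by class). This added example, not code from the session, builds those URLs and walks such a response; the host name and SAMPLE_RESPONSE are constructed, shaped like an rsp-subtree=full reply for the Bridge Domain queried earlier.

```python
import json
from urllib.parse import urlencode

# Constructed host name for the example; not a real APIC
APIC = "apic.example.net"

# Characters that must stay literal inside query-target-filter expressions
FILTER_SAFE = '(),"'


def mo_url(dn, params=None):
    """URL for one managed object by distinguished name, e.g. tn-common/BD-x."""
    query = "?" + urlencode(params, safe=FILTER_SAFE) if params else ""
    return f"https://{APIC}/api/node/mo/uni/{dn}.json{query}"


def class_url(cls, params=None):
    """URL for every object of a class, e.g. fvBD or fvAEPg."""
    query = "?" + urlencode(params, safe=FILTER_SAFE) if params else ""
    return f"https://{APIC}/api/node/class/{cls}.json{query}"


# Constructed response in the shape the APIC returns for
# mo/uni/tn-common/BD-192.168.10.0_24.json?rsp-subtree=full
SAMPLE_RESPONSE = json.loads("""
{"totalCount": "1", "imdata": [
  {"fvBD": {"attributes": {"dn": "uni/tn-common/BD-192.168.10.0_24",
                           "name": "192.168.10.0_24", "unicastRoute": "yes"},
   "children": [
     {"fvSubnet": {"attributes": {"rn": "subnet-[192.168.10.1/24]",
                                  "ip": "192.168.10.1/24", "scope": "public"}}},
     {"fvRsCtx": {"attributes": {"rn": "rsctx", "tnFvCtxName": "vrf-01"}}},
     {"fvRsBDToOut": {"attributes": {"rn": "rsBDToOut-OSPF_to_external_vrf-global",
                                     "tnL3extOutName": "OSPF_to_external_vrf-global"}}}
   ]}}
]}
""")


def walk(imdata, parent_dn="", depth=0):
    """Yield (depth, class, attributes) for every MO in an imdata list.

    Children nested by rsp-subtree carry only an rn, so the dn is rebuilt
    from the parent's dn before yielding.
    """
    for item in imdata:
        for cls, body in item.items():
            attrs = dict(body.get("attributes", {}))
            if "dn" not in attrs and "rn" in attrs:
                attrs["dn"] = f"{parent_dn}/{attrs['rn']}"
            yield depth, cls, attrs
            yield from walk(body.get("children", []), attrs.get("dn", parent_dn), depth + 1)


def summarize_bd(response):
    """Collapse a Bridge Domain subtree into its VRF, subnets and L3Outs."""
    summary = {"dn": None, "vrf": None, "subnets": [], "l3outs": []}
    for _depth, cls, attrs in walk(response["imdata"]):
        if cls == "fvBD":
            summary["dn"] = attrs["dn"]
        elif cls == "fvRsCtx":
            summary["vrf"] = attrs["tnFvCtxName"]
        elif cls == "fvSubnet":
            summary["subnets"].append((attrs["ip"], attrs.get("scope", "private")))
        elif cls == "fvRsBDToOut":
            summary["l3outs"].append(attrs["tnL3extOutName"])
    return summary


if __name__ == "__main__":
    print(mo_url("tn-common/BD-192.168.10.0_24", {"query-target": "children"}))
    print(class_url("fvIfConn", {"query-target-filter": 'and(eq(fvIfConn.encap,"vlan-8"))'}))
    for depth, cls, attrs in walk(SAMPLE_RESPONSE["imdata"]):
        print("  " * depth + f"{cls} {attrs['dn']}")
    print(summarize_bd(SAMPLE_RESPONSE))
```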
https://github.com/spsharman/ | https://github.com/rwhitear42
Use Case: #2
Bridge Domain configuration using Postman and Runner
Tools, tools, and more tools…!
OSI layers (Physical, Data Link, Network, Transport, Session, Presentation, Application) mapped against the tasks: Interfaces, Routing, Access Lists
Is routing configuration “core” to networking…?
Why use Postman…?
Pros:
• No/little scripting experience required
• Both network and server operating systems can be managed
• It’s extremely easy to use
Cons:
• Some knowledge of JSON/XML required
Step 1: Build your required object(s) in the GUI
Tenant: Ciscolive – VRF: vrf-01 – Application Profile: MyApp
• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:Web) on BD: 192.168.10.x_24 (GW: 192.168.10.1/24, Advertise Externally: Yes)
• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:App) on BD: 192.168.11.x_24 (GW: 192.168.11.1/24, Advertise Externally: Yes)
• EPG: DB (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:DB) on BD: 192.168.12.x_24 (GW: 192.168.12.1/24, Advertise Externally: Yes)
Tenant: Common – VRF: vrf-01 – Route Leak 0.0.0.0/0 towards Ext Switch: 6ka (VRF: global) and Ext Switch: 6kb (VRF: global)
Step 2: Save your configuration
Step 3: Prettify your JSON
Step 4: Understand/modify the code
The JSON elements to understand:
• Application Profile – the “path” (dn) to the Application Profile and the Application Profile name
• Children of the Application Profile – the Endpoint Group and the Endpoint Group name
• Children of the Endpoint Group – the Provided Contract (Contract name), the Domain (Domain name, VMM) and the Bridge Domain (Bridge Domain name)
Step 5: Create Postman environment
Step 6: POST the modified content back to APIC
https://{{apic}}/api/node/mo/.json?rsp-subtree=modified
We can now use Runner to make bulk changes
Step 7: Select parameters to use as variables
• Application Profile – “path” to the Application Profile (variable), Application Profile name (variable), new “status” object (variable)
• Endpoint Group – “path” to the Endpoint Group (variable), Endpoint Group name (variable), new “status” object (variable)
• Provided Contract – Contract name (variable)
• Domain – Domain name (VMM) (variable)
• Bridge Domain – Bridge Domain name (variable)
Step 8: Create a variable file
Options for each “status” variable (Application Profile and Endpoint Group):
• created
• created,modified
• deleted
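What Runner does with the variable file is render one request body per row and substitute the variables, including the status value that tells the APIC whether the object is being created, modified or deleted. This added example (not the session's Postman collection) does the same for the Bridge Domains of use case #2; the APIC host name and the CSV rows are constructed sample data, and "Advertise Externally" is rendered as the subnet scope.

```python
import csv
import io
import json

# Constructed host name for the example; not a real APIC
APIC = "apic.example.net"
POST_URL = f"https://{APIC}/api/node/mo/.json?rsp-subtree=modified"

# The three status values listed above; anything else is rejected before a POST is built
VALID_STATUS = ("created", "created,modified", "deleted")

# Constructed variable file in the shape Runner consumes (one row per iteration)
VARIABLE_FILE = """tenant,bd_name,vrf,gateway,advertise,status
Ciscolive,192.168.10.x_24,vrf-01,192.168.10.1/24,yes,"created,modified"
Ciscolive,192.168.11.x_24,vrf-01,192.168.11.1/24,yes,created
Ciscolive,192.168.12.x_24,vrf-01,192.168.12.1/24,no,deleted
"""


def bd_payload(row):
    """One Bridge Domain object with its VRF relation and gateway subnet."""
    status = row["status"]
    if status not in VALID_STATUS:
        raise ValueError(f"unsupported status {status!r} for {row['bd_name']}")
    dn = f"uni/tn-{row['tenant']}/BD-{row['bd_name']}"
    if status == "deleted":
        # A delete only needs the identity; the children are removed with it
        return {"fvBD": {"attributes": {"dn": dn, "status": "deleted"}}}
    # "Advertise Externally: Yes" in the GUI is scope=public on the subnet
    scope = "public" if row["advertise"].strip().lower() == "yes" else "private"
    return {"fvBD": {
        "attributes": {"dn": dn, "name": row["bd_name"], "status": status},
        "children": [
            {"fvRsCtx": {"attributes": {"tnFvCtxName": row["vrf"]}}},
            {"fvSubnet": {"attributes": {"ip": row["gateway"], "scope": scope}}},
        ]}}


def render_runs(variable_file):
    """(url, payload) per row, in file order, as one Runner iteration would send it."""
    rows = csv.DictReader(io.StringIO(variable_file))
    return [(POST_URL, bd_payload(row)) for row in rows]


if __name__ == "__main__":
    for url, payload in render_runs(VARIABLE_FILE):
        print("POST", url)
        print(json.dumps(payload, indent=2))
```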
Step 9: Create a POST and Insert JSON with variables
Step 10: Select file with input variables
Step 11: Monitor output
Bridge Domains – before Runner
Postman Runner BD Video
Bridge Domains – after Runner
Use Case: #3
Contract configuration using Ansible
Tools, tools, and more tools…!
OSI layers (Physical, Data Link, Network, Transport, Session, Presentation, Application) mapped against the tasks: Interfaces, Routing, Access Lists
Is ACL configuration “core” to networking…?
Configuring Contracts is a function typically executed by the network team, however the rules are requested by the application team
Therefore why not allow the application team to automatically configure their own rules…?
Contracts are similar to ACL or firewall entries
Inside: ubuntu-01 – Outside: ubuntu-02 – rule: permit ubuntu-01 ubuntu-02 tcp 5201
• EPG: portgroup-01 (vDS: Ciscolive-vds-01, VLAN: dynamic) – Contract: Consumer – ubuntu-01
• EPG: portgroup-02 (vDS: Ciscolive-vds-01, VLAN: dynamic) – Contract: Provider – ubuntu-02
Contract: permit_to_portgroup-02
Contract components
Contract: permit_to_{{ prov_ap_name }}_{{ prov_epg_name }}
  Options: Scope, QoS, DSCP, Tag
  Subject: {{ subj_name }}
    Options: Apply Both Directions, Reverse Filter Ports, Service Graph, QoS, DSCP
    Filter: {{ subj_name }}_src_any_to_dst_tcp_{{ dst_port }}
      Options: Tag
      Entries: any | {{ dst_port }}
        Options: Src / Dst ports, Flags, Stateful
Filters may have more than one entry
Contracts may have more than one Subject
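The contract components above map onto four APIC objects: the filter with its entry, the contract with its subject and filter relation, and the provider and consumer relations on the two EPGs. This added example (not the session's playbook) builds those bodies from the same naming convention and validates the port and contract scope first; the tenant, application profile, EPG names and port are constructed sample values mirroring the ubuntu-01 to ubuntu-02 tcp/5201 rule.

```python
import json

# Contract scope values the APIC accepts on vzBrCP
CONTRACT_SCOPES = ("context", "tenant", "global", "application-profile")


def filter_name(subj_name, dst_port):
    return f"{subj_name}_src_any_to_dst_tcp_{dst_port}"


def filter_payload(tenant, subj_name, dst_port):
    """vzFilter with one vzEntry: any source port to one TCP destination port."""
    port = int(dst_port)
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid destination port {dst_port!r}")
    name = filter_name(subj_name, port)
    entry = {"name": f"tcp_{port}", "etherT": "ip", "prot": "tcp",
             "sFromPort": "unspecified", "sToPort": "unspecified",
             "dFromPort": str(port), "dToPort": str(port), "stateful": "no"}
    return {"vzFilter": {"attributes": {"dn": f"uni/tn-{tenant}/flt-{name}", "name": name},
                         "children": [{"vzEntry": {"attributes": entry}}]}}


def contract_payload(tenant, prov_ap_name, prov_epg_name, subj_name, dst_port, scope="context"):
    """vzBrCP -> vzSubj -> filter relation.

    Attaching the filter directly to the subject (rather than to separate
    in/out terms) is what "Apply Both Directions" means; revFltPorts=yes
    is "Reverse Filter Ports" so return traffic is permitted.
    """
    if scope not in CONTRACT_SCOPES:
        raise ValueError(f"invalid contract scope {scope!r}")
    cname = f"permit_to_{prov_ap_name}_{prov_epg_name}"
    subject = {"vzSubj": {"attributes": {"name": subj_name, "revFltPorts": "yes"},
                          "children": [{"vzRsSubjFiltAtt": {"attributes": {
                              "tnVzFilterName": filter_name(subj_name, int(dst_port))}}}]}}
    return {"vzBrCP": {"attributes": {"dn": f"uni/tn-{tenant}/brc-{cname}", "name": cname,
                                      "scope": scope},
                       "children": [subject]}}


def epg_binding(tenant, ap_name, epg_name, contract_name, role):
    """Attach a contract to an EPG as provider (fvRsProv) or consumer (fvRsCons)."""
    relation = {"prov": "fvRsProv", "cons": "fvRsCons"}.get(role)
    if relation is None:
        raise ValueError(f"role must be 'prov' or 'cons', got {role!r}")
    return {"fvAEPg": {"attributes": {"dn": f"uni/tn-{tenant}/ap-{ap_name}/epg-{epg_name}"},
                       "children": [{relation: {"attributes": {"tnVzBrCPName": contract_name}}}]}}


def permit_rule(tenant, cons_ap, cons_epg, prov_ap, prov_epg, subj_name, dst_port):
    """The POST bodies, in dependency order, for one consumer -> provider tcp/port rule."""
    contract = contract_payload(tenant, prov_ap, prov_epg, subj_name, dst_port)
    cname = contract["vzBrCP"]["attributes"]["name"]
    return [filter_payload(tenant, subj_name, dst_port), contract,
            epg_binding(tenant, prov_ap, prov_epg, cname, "prov"),
            epg_binding(tenant, cons_ap, cons_epg, cname, "cons")]


if __name__ == "__main__":
    # Constructed values: ubuntu-01 (portgroup-01) -> ubuntu-02 (portgroup-02) tcp/5201
    for body in permit_rule("common", "portgroups", "portgroup-01",
                            "portgroups", "portgroup-02", "iperf", 5201):
        print(json.dumps(body, indent=2))
```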
Prior to this presentation we deployed a new WordPress application in our lab
Two Tier WordPress Application
Tenant: Common – VRF: vrf-01 – Application Profile: wpCL19_631
• EPG: WSERVER_1 (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:wpCL19_631:WSERVER_1) on BD: 10.52.249.96_27 (GW: 10.52.249.97, Advertise Externally: Yes)
• EPG: DSERVER_1 (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:wpCL19_631:DSERVER_1) on BD: 192.168.3.x_24 (GW: 192.168.3.1/24, Advertise Externally: Yes)
...but our application is failing…
Error establishing a database connection
Tenant: Common – VRF: vrf-01 – Application Profile: MyApp
• EPG: WSERVER_1 (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:wpCL631:WSERVER_1) on BD: 10.52.249.96_27 (GW: 10.52.249.97, Advertise Externally: Yes) – VM 10.52.249.123
• EPG: DSERVER_1 (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:wpCL631:DSERVER_1) on BD: 192.168.3.x_24 (GW: 192.168.3.1/24, Advertise Externally: Yes) – VM 192.168.3.119
We have a couple of Ansible Playbooks that can help diagnose and fix the issue…
How did we start writing the playbook to automate adding connectivity…?
First things first…
1. Gather minimum required information (user supplied):
   1. Source IP address
   2. Destination IP address
   3. Protocol Type
   4. Port to be opened
2. Use Postman and visore to gather and test the required API calls
3. Define the list of tasks (Plays) to perform
4. Check whether there are existing Ansible modules available to perform the tasks
5. Use the aci_rest module for everything else
6. Start writing the Playbook…!
7. Learn to hate the indentation used by YAML
8. Start again with individual Plays
9. Merge the Plays into a Playbook
Now let’s start filling in the blanks…!
What is Ansible…?
• Open Source
• Automation, Configuration & Orchestration
• Most *NIX flavors can be control machine
• Windows Not Supported
• Can manage different systems
• ACI, IOS, NX-OS, IOS-XR
• Version 2.7.5
• ACI support – 2.4
• Agentless, Push Model
• Idempotent
• YAML based
Why use Ansible…?
Pros:
• No/little scripting experience required
• Both network and server operating systems can be managed
• Inbuilt modules for many devices to be managed (Not just ACI)
• Idempotence
Cons:
• Some knowledge of JSON/XML required
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Ansible Components
• Control machine – used to configure and push playbooks/plays to target systems
• Target systems – systems we want Ansible to control/automate
• Inventory files – text based host files for target systems
  • INI or YAML based
• Playbook – series of plays/automation tasks
  • YAML based
• Modules – reusable scripts that perform tasks in Ansible
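The components above tied together for an ACI fabric, as an added example that is not from the session: a YAML inventory with one APIC. The host name, group name, service account and the vault variable name are made up for this example. Two points the list does not spell out: the aci_* modules never SSH to the APIC (they run on the control machine and call the APIC REST API, hence ansible_connection: local), and the APIC password should come from an ansible-vault encrypted file rather than the inventory itself.

```yaml
# inventory.yml (added example; host, group and user names are assumptions)
all:
  children:
    apic:
      hosts:
        apic1.lab.example.net:
      vars:
        # The aci_* modules run locally and talk HTTPS to the APIC REST API,
        # so the "target" is never logged into over SSH.
        ansible_connection: local
        apic_host: apic1.lab.example.net
        apic_username: ansible-svc        # dedicated, least-privilege APIC local user
        # Never store the real password here. Keep it in a vault-encrypted
        # file (e.g. group_vars/apic/vault.yml defining vault_apic_password)
        # and run with --ask-vault-pass or --vault-password-file.
        apic_password: "{{ vault_apic_password }}"
        # Leave certificate checking on; set to no only for a lab APIC with a
        # self-signed certificate.
        apic_validate_certs: yes
```

A playbook that targets `hosts: apic` then picks these variables up with `ansible-playbook -i inventory.yml --ask-vault-pass playbook.yml`, and each aci_* task can reference `{{ apic_host }}`, `{{ apic_username }}` and `{{ apic_password }}` without repeating them in the play.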
Ansible ACI Modules
• Perform specific tasks (create Tenant/VRF/BD)
• Already installed when you install Ansible (true up to Ansible 2.9; from 2.10 onwards the modules ship in the cisco.aci collection)
• Written in Python
• Can develop your own modules
• 60 ACI modules as of 2.7
• To see all Ansible modules – ansible-doc -l
• ACI specific ones – ansible-doc -l | grep ^aci
DEVNET-1797
Again, Postman and Visore are your friends…!
https://{{apic}}/visore.html
Use Postman to validate queries
Let’s look at the Playbook…
Ansible Playbook breakdown
---                                        # start of YAML
# Just a comment
- name: What do we want to execute against # name of the play
  hosts: "{{ apic }}"                      # hosts from the inventory
  connection: local                        # connection is local to this host; the module talks to the APIC REST API
  gather_facts: no                         # fact gathering would collect information about the targets; not needed for an APIC
  tasks:
    - name: Create Tenant
      aci_tenant:
        hostname: "{{ apic }}"
        username: "{{ apic_username }}"
        password: "{{ apic_password }}"
        tenant: "CiscoLive"
        description: "Tenant configured by Ansible"
        validate_certs: no                 # skips TLS certificate checking; acceptable in a lab, not in production
        state: present
Playbook walk-through, one step per slide:
1. The scope of the contract has been pre-defined
2. Prompt for user input
3. Define some facts (variables) to be used later
4. Use the aci_config_snapshot module to take a snapshot
5. Use the aci_rest module to discover the source IP/EPG mapping from the fvCEp class
6. Extract the tenant, app profile and EPG name from the source dn
7. Use the aci_rest module to discover the destination IP/EPG mapping from the fvCEp class
8. Extract the tenant, app profile and EPG name from the destination dn
9. Create a filter based on the protocol type and destination port
10. Create a filter entry based on the destination port
11. Create a contract based on the destination application profile and EPG
12. Add the subject and filter to the contract
13. Bind the contract to the provider EPG
14. Bind the contract to the consumer EPG
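The "First things first" procedure and the fourteen steps above as one complete playbook. This is an added example, not the playbook shown in the session. It assumes an inventory group named apic that supplies apic_host, apic_username, apic_password and optionally apic_validate_certs; the export policy name ansible-pre-change and the way the filter and contract are named are choices made for this example. Beyond the slides it adds two checks a practitioner wants before touching policy: it refuses to continue unless each IP resolves to exactly one learned endpoint (the same IP can be learned in several VRFs), and it refuses to cross tenants, since a contract is applied within one tenant unless it is exported.

```yaml
---
# Added example, not the session's own playbook: open one TCP/UDP port from a
# consumer endpoint to a provider endpoint, both supplied only as IP addresses.
# Assumed: an inventory group "apic" providing apic_host, apic_username and
# apic_password (vault-encrypted); export policy, filter and contract names are made up.
- name: Open a port between two ACI endpoints
  hosts: apic
  connection: local
  gather_facts: no
  vars_prompt:
    - { name: src_ip,   prompt: "Source (consumer) IP",      private: no }
    - { name: dst_ip,   prompt: "Destination (provider) IP", private: no }
    - { name: proto,    prompt: "IP protocol (tcp/udp)",     private: no, default: tcp }
    - { name: dst_port, prompt: "Destination port to open",  private: no }
  vars:
    aci_login: &aci_login          # shared by every aci_* task below via YAML merge
      host: "{{ apic_host }}"
      username: "{{ apic_username }}"
      password: "{{ apic_password }}"
      validate_certs: "{{ apic_validate_certs | default(true) }}"
    filter_name: "{{ proto }}-{{ dst_port }}"
    ct_tenant: "{{ ep[1].tenant }}"               # ep[0] = source, ep[1] = destination (set below)
    ct_name: "{{ ep[1].ap }}-{{ ep[1].epg }}"     # contract named after the destination AP and EPG

  tasks:                                          # state defaults to present for the aci_* modules
    - name: Snapshot the config first so the change can be rolled back
      aci_config_snapshot:
        <<: *aci_login
        export_policy: ansible-pre-change
    - name: Ask the APIC which EPG learned each IP (fvCEp class, the same query Visore shows)
      aci_rest:
        <<: *aci_login
        method: get
        path: '/api/class/fvCEp.json?query-target-filter=eq(fvCEp.ip,"{{ item }}")'
      loop: ["{{ src_ip }}", "{{ dst_ip }}"]
      register: ep_lookup
    - name: Stop unless each IP maps to exactly one endpoint (the same IP may exist in several VRFs)
      assert:
        that: "item.imdata | length == 1"
        fail_msg: "{{ item.item }}: expected one fvCEp, found {{ item.imdata | length }}"
      loop: "{{ ep_lookup.results }}"
    - name: Pull tenant, application profile and EPG name out of each endpoint dn
      set_fact:
        ep: >-
          {{ ep | default([]) + [{'tenant': dn.split('/')[1] | regex_replace('^tn-', ''),
          'ap': dn.split('/')[2] | regex_replace('^ap-', ''),
          'epg': dn.split('/')[3] | regex_replace('^epg-', '')}] }}
      vars:
        dn: "{{ item.imdata[0].fvCEp.attributes.dn }}"   # uni/tn-<tenant>/ap-<ap>/epg-<epg>/cep-<mac>
      loop: "{{ ep_lookup.results }}"
    - name: A contract is applied within one tenant; crossing tenants needs an exported contract
      assert:
        that: "ep[0].tenant == ep[1].tenant"
    - name: Create the filter for the protocol and destination port
      aci_filter:
        <<: *aci_login
        tenant: "{{ ct_tenant }}"
        filter: "{{ filter_name }}"
    - name: Add the filter entry (destination port only; reverse_filter on the subject allows replies)
      aci_filter_entry:
        <<: *aci_login
        tenant: "{{ ct_tenant }}"
        filter: "{{ filter_name }}"
        entry: "{{ filter_name }}"
        ether_type: ip
        ip_protocol: "{{ proto }}"
        dst_port: "{{ dst_port }}"
    - name: Create the contract with its scope pre-defined as the VRF
      aci_contract:
        <<: *aci_login
        tenant: "{{ ct_tenant }}"
        contract: "{{ ct_name }}"
        scope: context
    - name: Add the subject to the contract
      aci_contract_subject:
        <<: *aci_login
        tenant: "{{ ct_tenant }}"
        contract: "{{ ct_name }}"
        subject: "{{ filter_name }}"
        reverse_filter: yes
    - name: Attach the filter to the subject
      aci_contract_subject_to_filter:
        <<: *aci_login
        tenant: "{{ ct_tenant }}"
        contract: "{{ ct_name }}"
        subject: "{{ filter_name }}"
        filter: "{{ filter_name }}"
    - name: Destination EPG provides the contract, source EPG consumes it
      aci_epg_to_contract:
        <<: *aci_login
        tenant: "{{ ct_tenant }}"
        ap: "{{ item.ap }}"
        epg: "{{ item.epg }}"
        contract: "{{ ct_name }}"
        contract_type: "{{ item.role }}"
      loop:
        - { ap: "{{ ep[1].ap }}", epg: "{{ ep[1].epg }}", role: provider }
        - { ap: "{{ ep[0].ap }}", epg: "{{ ep[0].epg }}", role: consumer }
```

Run it with `ansible-playbook -i inventory.yml --ask-vault-pass open_port.yml`. The fvCEp lookup is the one place where the playbook depends on what the fabric has actually learned, so test that query first in Postman or Visore, for example `/api/class/fvCEp.json?query-target-filter=eq(fvCEp.ip,"10.52.249.123")`, and confirm it returns a single object whose dn carries the tenant, application profile and EPG you expect. If a rerun is needed, every aci_* task is idempotent except the snapshot, which deliberately triggers a fresh export each time.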
Let’s open SSH from the Web server to the Database server
Application deployment using CloudCenter
Tools, tools, and more tools…!
What is “core” to networking…?
(Slide figure: the seven OSI layers, Physical, Data Link, Network, Transport, Session, Presentation and Application, with Interfaces, Routing and Access Lists listed alongside.)
Why use Cisco CloudCenter…?
Pros:
• Supports both public and private clouds
• Allows application teams to consume the network as part of the application deployment
• Allows the application teams to control access to their applications
• Both network and server operating systems can be managed
• Governance
• Rollback (application and network)
Cons:
• Less flexible naming convention
Summary
• There is no perfect automation tool
• Select the tool that best serves the requirements of your users
• Postman and Visore are your friends to understand the API
• Automate time consuming, repetitive tasks
Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session
How:
1. Find this session in the Cisco Events Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
cs.co/ciscolivebot#BRKACI-2770
Complete your online session survey
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations
Continue Your Education
• Demos in the Cisco Showcase
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions
Thank you