Automating ACI
Steve Sharman – Technical Solutions Architect
Russ Whitear – Consulting Systems Engineer
BRKACI-2770
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
How: cs.co/ciscolivebot#BRKACI-2770
Abstract
Automating ACI explores the use of popular automation tools running configuration tasks against an ACI network.
Technologies discussed will include APIC, Visore, Postman, Ansible, Python (WebArya, Cobra), and UCS Director.
The focus will be on providing structured methodologies that can be used to satisfy the requirements and desires of both infrastructure admins and application developers alike.
Session objectives
This session will provide attendees with an understanding of the ACI policy model and will provide them with the basic skills required in order to automate an ACI fabric and achieve business outcomes.
Before we start, let’s get to know each other …
Agenda
• Why Automate?
• ACI Primer
• Application Centric or Network Centric
• Automation use cases
• ACI Policy Model
• Postman
• Ansible
• Python
• UCS Director
Let’s start with an obvious question…
Why are customers looking to automate in their Data Centers?
There are actually many different reasons:
• Cost reduction
• Simplicity
• Consistent configuration (Policy conformance, elimination of human error)
• Reduction in maintenance windows
• Structured changes during the business day
• Service Catalogue for IT services
Automation means different things to different people!
Network centric, Server centric, Application centric
• Switch Interfaces
• Tenants
• VRFs
• Bridge Domains (L2)
• VLAN Extension
• Bridge Domains (L3)
• External L3
• Application Network Profiles
• Endpoint Groups
• Contracts
• VMware Portgroups
• Firewall Configuration
• SLB Configuration
• Multi server deployment
• Application containers
• Virtual Machine Deployment
• Load balancers
• Databases
• Storage LUNs
• Storage zoning
• Server Configuration (BIOS etc)
• Bare Metal Deployments
• Operating System
• Virtual Machine Deployment
ACI Primer
Physically Building the ACI Network
Diagram: three APICs connected to the fabric.
Management options:
• GUI (basic/advanced)
• CLI
• XML/JSON
• Scripting
• Open API
• Automation
Benefits:
• Distributed, Centralised Management
• Full traffic visibility*
• Self documenting
• Integrated virtual and physical network
• Integrated L4-7 device management
• Policy defined network
* Excludes pre-encapsulated/encrypted traffic
ACI Consumption Model
Interface Configuration (Fabric | Access Policies):
• VLANs
• Domains
• AAEP
• Interface Policies
• Leaf Policy Groups
• Leaf Profiles
• Switch Profiles
Interface Consumption (Tenants):
• Tenants
• VRFs
• Route Leaking
• L2/L3out
• Bridge Domains
• EPGs
• Contracts
Fabric | Access Policies
• Pools: list of VLANs, VXLANs etc
• Domains: where VLANs, VXLANs etc are consumed
• AAEP: collection of allowed VLANs, VXLANs etc
• Leaf Policy Groups: interface type and settings
• Interface Policies: interface settings
• Interface Policies | Leaf Profiles: collection of interface IDs
• Interface Selectors: interface IDs
• Switch Policies | Leaf Profiles: collection of switches
Concrete Model | Logical Model
• Tenants: VRFs, subnets, security rules etc
The same model with Security Domains added:
• Pools: list of VLANs, VXLANs etc
• Domains: where VLANs, VXLANs etc are consumed
• AAEP: collection of allowed VLANs, VXLANs etc
• Leaf Policy Groups: interface type and settings
• Interface Policies: interface settings
• Interface Policies | Leaf Profiles: collection of interface IDs
• Interface Selectors: interface IDs
• Switch Policies | Leaf Profiles: collection of switches
Concrete Model | Logical Model
• Security Domains: restrict VLANs, Switches, Interfaces, Tenants
• Tenants: VRFs, subnets, security rules etc
Let’s consider a practical example…
Rack Layout
ACI Leaf Racks: Rack 01 (Leaf 101, Leaf 102), Rack 02 (Leaf 103, Leaf 104), Rack 03 (Leaf 105, Leaf 106); three APICs attached to the fabric.
External Equipment Racks: Rack 04 (c3850), Rack 05 (n7706), Rack 06 (n9504).
Rack / Leaf      Interface    Rack / Device    Interface
R01_Leaf_101     1/1          R04_c3850        1/1
R01_Leaf_101     1/2          R05_n7706        1/1
R01_Leaf_101     1/3          R06_n9504        1/1
R01_Leaf_102     1/1          R04_c3850        1/2
R01_Leaf_102     1/2          R05_n7706        1/2
R01_Leaf_102     1/3          R06_n9504        1/2
Access Policies for the links to the c3850:
• Pools: shared_vlan_pool
• Domains: common:vrf-01
• AAEP: all_L3_domains
• Leaf Policy Groups: L3_to_c3850
• Interface Policies: cdp-enabled
• Interface Policies | Leaf Profiles: R01_to_R04_c3850
• Interface Selectors: 1/1
• Switch Policies | Leaf Profiles: Leafs_101_and_102
Access Policies for the links to the n7706:
• Pools: shared_vlan_pool
• Domains: common:vrf-01
• AAEP: all_L3_domains
• Leaf Policy Groups: L3_to_n7706
• Interface Policies: cdp-enabled
• Interface Policies | Leaf Profiles: R01_to_R05_n7706
• Interface Selectors: 1/2
• Switch Policies | Leaf Profiles: Leafs_101_and_102
Access Policies for the links to the n9504:
• Pools: shared_vlan_pool
• Domains: common:vrf-01
• AAEP: all_L3_domains
• Leaf Policy Groups: L3_to_n9504
• Interface Policies: cdp-enabled
• Interface Policies | Leaf Profiles: R01_to_R06_n9504
• Interface Selectors: 1/3
• Switch Policies | Leaf Profiles: Leafs_101_and_102
All three sets of links together:
• Pools: shared_vlan_pool; Domains: common:vrf-01; AAEP: all_L3_domains; Interface Policies: cdp-enabled
• Leaf Policy Groups: L3_to_c3850, L3_to_n7706, L3_to_n9504
• Interface Policies | Leaf Profiles: R01_to_R04_c3850 (Interface Selectors 1/1), R01_to_R05_n7706 (Interface Selectors 1/2), R01_to_R06_n9504 (Interface Selectors 1/3)
• Switch Policies | Leaf Profiles: Leafs_101_and_102 (referenced by all three Interface Policies | Leaf Profiles)
Couldn’t we reduce the number of Interface Policy Groups?
Reducing Interface Policy Groups: a single Leaf Policy Group, L3_to_ext_L3_switch, takes the place of L3_to_c3850, L3_to_n7706 and L3_to_n9504.
• Pools: shared_vlan_pool; Domains: common:vrf-01; AAEP: all_L3_domains; Interface Policies: cdp-enabled
• Leaf Policy Groups: L3_to_ext_L3_switch
• Interface Policies | Leaf Profiles: R01_to_R04_c3850 (Interface Selectors 1/1), R01_to_R05_n7706 (Interface Selectors 1/2), R01_to_R06_n9504 (Interface Selectors 1/3)
• Switch Policies | Leaf Profiles: Leafs_101_and_102
Couldn’t we reduce the number of Leaf Profiles?
Reducing Leaf Profiles: a single Interface Policies | Leaf Profile, R01_to_ext_L3_switch, with Interface Selectors 1/1, 1/2, 1/3, takes the place of R01_to_R04_c3850 (1/1), R01_to_R05_n7706 (1/2) and R01_to_R06_n9504 (1/3).
• Pools: shared_vlan_pool; Domains: common:vrf-01; AAEP: all_L3_domains; Interface Policies: cdp-enabled
• Leaf Policy Groups: L3_to_ext_L3_switch
• Interface Policies | Leaf Profiles: R01_to_ext_L3_switch
• Interface Selectors: 1/1, 1/2, 1/3
• Switch Policies | Leaf Profiles: Leafs_101_and_102
How should we use Leaf Profiles?
Leaf Profiles aligned to the attached device (i.e. ESX_Hosts):
• Pools: all_vlans
• Domains: Ciscolive-vds-01
• AAEP: all_vlans
• Leaf Policy Groups: ESX_Hosts
• Interface Policies: cdp-enabled
• Interface Policies | Leaf Profiles: ESX_Hosts
• Interface Selectors: 1/1, 1/2, 1/3…
• Switch Policies | Leaf Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106 (Leaf Profile mapped to switches)
Additional Leaf switches are configured by mapping them to the selected Leaf Profile.
Leaf Profiles aligned to switches:
• Pools: all_vlans
• Domains: physical_servers, Ciscolive-vds-01
• AAEP: all_vlans
• Interface Policies: cdp-enabled
• Leaf Policy Groups with their Interface Selectors: ESX_Hosts (1/1, 1/2, 1/3…), Linux_Hosts (1/11, 1/12, 1/13…), Windows_Hosts (1/21, 1/22, 1/23…)
• Interface Policies | Leaf Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106
• Switch Policies | Leaf Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106 (Leaf Profile mapped to switches)
Additional interfaces are configured on the Leaf switches through their Leaf Profiles.
Adding VRFs (Contexts) and Bridge Domains (L2 segments and/or subnets)
Isolated Tenant Networking
Three APICs; each tenant has its own VRF:
• Tenant: Ciscolive, VRF: vrf-01
• Tenant: common, VRF: vrf-01
• Tenant: infra, VRF: vrf-01
• Tenant: mgmt, VRF: vrf-01
Bridge Domains in tenant Ciscolive:
• BD: 192.168.10.x_24, GW: 192.168.10.1/24, Advertise Externally: Yes
• BD: 192.168.11.x_24, GW: 192.168.11.1/24, Advertise Externally: Yes
• BD: 192.168.12.x_24, GW: 192.168.12.1/24, Advertise Externally: Yes
Application Centric mode or Network Centric mode?
Option 1: Single EPG on a Single BD with a Single Subnet – “standard networking”
Tenant: Ciscolive, VRF: vrf-01, Application Profile: MyApp
• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic)
• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic)
• EPG: DB (Path: 101/1/1-2, VLAN: 12)
One BD per EPG:
• BD: 192.168.10.x_24, GW: 192.168.10.1/24, Advertise Externally: Yes
• BD: 192.168.11.x_24, GW: 192.168.11.1/24, Advertise Externally: Yes
• BD: 192.168.12.x_24, GW: 192.168.12.1/24, Advertise Externally: Yes
vDS Portgroups: Ciscolive:MyApp:Web, Ciscolive:MyApp:App (VMs attached)
Option 2: Multiple EPGs on a Single BD with a Single Subnet – µSegmentation in IP space
Tenant: Ciscolive, VRF: vrf-01, Application Profile: MyApp
• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic)
• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic)
• EPG: DB (Path: 101/1/1-2, VLAN: 12)
All three EPGs on one BD:
• BD: 192.168.10.x_24, GW: 192.168.10.1/24, Advertise Externally: Yes
vDS Portgroups: Ciscolive:MyApp:Web, Ciscolive:MyApp:App (VMs attached)
Option 3: Multiple EPGs on a Single BD with Multiple Subnets – IP secondary
Tenant: Ciscolive, VRF: vrf-01, Application Profile: MyApp
• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic)
• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic)
• EPG: DB (Path: 101/1/1-2, VLAN: 12)
Servers sit in either the 192.168.10.x or the 192.168.11.x subnet.
• BD: multiple_subnets, GW: 192.168.10.1/24 and 192.168.11.1/24, Advertise Externally: Yes
vDS Portgroups: Ciscolive:MyApp:Web, Ciscolive:MyApp:App (VMs attached)
Options 1, 2, and 3 – µSegmentation within an EPG/Port Group (no East/West traffic flows)
Tenant: Ciscolive, VRF: vrf-01, Application Profile: MyApp
• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic)
• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic)
• EPG: DB (Path: 101/1/1-2, VLAN: 12)
• BD: 192.168.10.x_24, GW: 192.168.10.1/24, Advertise Externally: Yes
• BD: 192.168.11.x_24, GW: 192.168.11.1/24, Advertise Externally: Yes
• BD: 192.168.12.x_24, GW: 192.168.12.1/24, Advertise Externally: Yes
vDS Portgroups: Ciscolive:MyApp:Web, Ciscolive:MyApp:App (VMs attached)
Communication between the VMs inside each EPG is blocked.
Options 1, 2, and 3 – µSegmentation within an EPG/Port Group based on machine attribute
Tenant: Ciscolive, VRF: vrf-01, Application Profile: MyApp
• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic) on BD: 192.168.10.x_24, GW: 192.168.10.1/24, Advertise Externally: Yes
• vDS Portgroup: Ciscolive:MyApp:Web (VMs attached)
• Dynamic EPGs: Name=WebSrvsApp1, Name=WebSrvsApp2, Name=WebSrvsApp3
VMs are mapped to a dynamic EPG based on attribute.
Automation use cases
ACI allows for a “build and consume” model of network configuration
• The network team configures VRFs, subnets, and routing
• The network team configures L2 extension out of the fabric (VLANs and Interfaces)
• The server team configures switch interfaces
• The application team configures EPGs/Portgroups
• The application team configures security rules to allow access to applications
Our automation use cases
• Postman – Configuring Bridge Domains (subnets)
• Ansible – Configuring switch interfaces
• Python – Extending ACI with L2 to legacy networks
• UCSD – Adding EPGs to Bridge Domains (subnets) and providing connectivity
1. Postman – Configuring Bridge Domains (subnets)
Tenant: Ciscolive, VRF: vrf-01; Bridge Domains to create:
• BD: 192.168.100.x_24, GW: 192.168.100.1/24, Advertise Externally: Yes
• BD: 192.168.101.x_24, GW: 192.168.101.1/24, Advertise Externally: Yes
• BD: 192.168.102.x_24, GW: 192.168.102.1/24, Advertise Externally: Yes
• BD: 192.168.103.x_24, GW: 192.168.103.1/24, Advertise Externally: Yes
• BD: 192.168.104.x_24, GW: 192.168.104.1/24, Advertise Externally: Yes
Tenant: Common, VRF: vrf-01; Route Leak 0.0.0.0/0
External connectivity: Ext Switch 6ka (VRF: global) and Ext Switch 6kb (VRF: global), sub-interfaces running OSPF
2. Ansible – Configure additional switch interfaces
Leaf Profiles aligned to the attached device (ESX_Hosts): Pools all_vlans, AAEP all_vlans, Domains Ciscolive-vds-01, Leaf Policy Group ESX_Hosts, Interface Policies cdp-enabled, Interface Policies | Leaf Profile ESX_Hosts with Interface Selectors 1/1, 1/2, 1/3….
Additional Leaf switches (Switch Policies | Leaf Profiles Leafs_103_and_104 and Leafs_105_and_106, alongside Leafs_101_and_102) are configured by mapping them to the selected Leaf Profile.
Leaf Profiles aligned to switches: Pools all_vlans, AAEP all_vlans, Domains physical_servers and Ciscolive-vds-01, Interface Policies cdp-enabled; Interface Policies | Leaf Profile Leafs_101_and_102 mapped to Switch Policies | Leaf Profile Leafs_101_and_102.
Additional interfaces are configured on the Leaf switches through Leaf Policy Groups and Interface Selectors: ESX_Hosts (1/1, 1/2, 1/3…), Linux_Hosts (1/11, 1/12, 1/13…), Windows_Hosts (1/21, 1/22, 1/23…).
3. Python – Extending ACI with L2 to legacy networks
Tenant: Ciscolive, VRF: vrf-01
• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic; Domain: outside, Path: vPC_to_outside) on BD: L2 (GW: N/A, Advertise Externally: N/A)
• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic) on BD: 192.168.11.x_24, GW: 192.168.11.1/24, Advertise Externally: Yes
• EPG: DB (vDS: Ciscolive-vds-01, VLAN: dynamic) on BD: 192.168.12.x_24, GW: 192.168.12.1/24, Advertise Externally: Yes
vDS Portgroups: Ciscolive:MyApp:Web, Ciscolive:MyApp:App, Ciscolive:MyApp:DB (VMs attached)
Communication allowed between the EPGs.
4. UCSD – Adding Application Profiles/EPGs and providing external connectivity
Tenant: Ciscolive, VRF: vrf-01, Application Profile: MyApp
• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic) on BD: 192.168.10.x_24, GW: 192.168.10.1/24, Advertise Externally: Yes
• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic) on BD: 192.168.11.x_24, GW: 192.168.11.1/24, Advertise Externally: Yes
• EPG: DB (vDS: Ciscolive-vds-01, VLAN: dynamic) on BD: 192.168.12.x_24, GW: 192.168.12.1/24, Advertise Externally: Yes
vDS Portgroups: Ciscolive:MyApp:Web, Ciscolive:MyApp:App, Ciscolive:MyApp:DB (VMs attached)
Tenant: Common, VRF: vrf-01; Route Leak 0.0.0.0/0
Ext Switch 6ka (VRF: global) and Ext Switch 6kb (VRF: global), sub-interfaces running OSPF
Communication allowed.
How can I get started ….
First you need a basic understanding of the ACI Policy Model
What is the ACI Policy Model?
The ACI policy model enables the specification of application requirements policies. The APIC automatically renders policies in the fabric infrastructure.
When a user or process initiates an administrative change to an object in the fabric, the APIC first applies that change to the policy model. This policy model change then triggers a change to the actual managed endpoint.
This approach is called a model-driven framework.
https://{{APIC}}/
https://{{APIC}}/doc/html/
Managed Objects
Policy Universe contains: AAA, Security; Tenants (User, Common …); APIC Controllers …; Layer 4-7 Services; Fabric, Access, Inventory …; VM Domains …
Tenant contains: Filter, Application Profile, Outside Network, Contract, Bridge Domain, VRF
• Application Profile contains EPG
• Contract contains Subject
• Bridge Domain contains Subnet
https://{{APIC}}/visore.html
Using Postman
Why use Postman?
Pros:
• No/little scripting experience required
• Both network and server operating systems can be managed
• It’s extremely easy to use
Cons:
• Some knowledge of JSON/XML required
Step 1: Build your required object(s) in the GUI
Tenant: Ciscolive, VRF: vrf-01, Application Profile: MyApp
• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic) on BD: 192.168.10.x_24, GW: 192.168.10.1/24, Advertise Externally: Yes
• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic) on BD: 192.168.11.x_24, GW: 192.168.11.1/24, Advertise Externally: Yes
• EPG: DB (vDS: Ciscolive-vds-01, VLAN: dynamic) on BD: 192.168.12.x_24, GW: 192.168.12.1/24, Advertise Externally: Yes
vDS Portgroups: Ciscolive:MyApp:Web, Ciscolive:MyApp:App, Ciscolive:MyApp:DB (VMs attached)
Tenant: Common, VRF: vrf-01; Route Leak 0.0.0.0/0; Ext Switch 6ka (VRF: global), Ext Switch 6kb (VRF: global)
Step 2: Save your configuration (the objects built in Step 1)
Step 3: Prettify your JSON
Step 4: Understand the configuration code
• Application Profile: the “path” to the Application Profile, the Application Profile name, and the children of the Application Profile
• Endpoint Group: the Endpoint Group name and the children of the Endpoint Group
• Provided Contract: the Contract name
• Domain: the Domain name (VMM)
• Bridge Domain: the Bridge Domain name
Step 5: Select parameters to use as variables
• Application Profile: “path” to the Application Profile (variable), Application Profile name (variable), new “status” object (variable)
• Endpoint Group: “path” to the Endpoint Group (variable), Endpoint Group name (variable), new “status” object (variable)
• Provided Contract: Contract name (variable)
• Domain: Domain name (VMM) (variable)
• Bridge Domain: Bridge Domain name (variable)
Step 6: Create a variable file
Options for the “status” variable: created; created,modified; deleted
Step 7: Create Postman environment
Step 8: Create a POST and Insert JSON with variables
Step 9: Select file with input variables
Step 10: Monitor output
Bridge Domains – before Runner
Bridge Domains – after Runner
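What the Runner does in Steps 5 to 10, reproduced as an added example in Python (not code from the session): a constructed variable file, the fvBD template with each row's values filled in, and the aaaLogin/POST sequence. The variable names, the environment variable names for the APIC host and credentials, and the hostname are this example's own assumptions.

```python
"""Variable-driven Bridge Domain creation, the way the Postman Runner does it.

Added example, not from the session: Postman Steps 5-10 (template with
{{variables}}, a variable file, one POST per row) with the Python standard
library only. Variable names, the APIC hostname and the environment
variable names are this example's own choices.
"""
import ipaddress
import json
import os
import ssl
import urllib.request
from http.cookiejar import CookieJar

ALLOWED_STATUS = ("created", "created,modified", "deleted")

# Constructed variable file: one row per Bridge Domain of the Postman use
# case (tenant Ciscolive, VRF vrf-01, subnets 192.168.100-104.0/24).
VARIABLE_FILE = [
    {"tenant": "Ciscolive", "vrf": "vrf-01", "bd_name": f"192.168.{n}.x_24",
     "gw": f"192.168.{n}.1/24", "status": "created,modified"}
    for n in range(100, 105)
]


def validate_row(row):
    """Return the problems with one variable row (empty list = usable).

    Catching a bad gateway or a mistyped status here is cheaper than
    reading APIC error responses after the Runner has posted every row.
    """
    problems = []
    if row.get("status") not in ALLOWED_STATUS:
        problems.append(f"status must be one of {ALLOWED_STATUS}")
    try:
        ipaddress.ip_interface(row.get("gw", ""))
    except ValueError:
        problems.append("gw must be an address with prefix, e.g. 192.168.100.1/24")
    for key in ("tenant", "vrf", "bd_name"):
        if not row.get(key):
            problems.append(f"{key} is required")
    return problems


def build_bd(row):
    """Render the fvBD JSON for one row, mirroring the Postman request body.

    'Advertise Externally: Yes' in the GUI is fvSubnet scope 'public'.
    A 'deleted' row sends only the BD attributes: APIC removes the
    children together with the parent.
    """
    problems = validate_row(row)
    if problems:
        raise ValueError("; ".join(problems))
    attributes = {"name": row["bd_name"], "status": row["status"]}
    if row["status"] == "deleted":
        return {"fvBD": {"attributes": attributes}}
    return {"fvBD": {
        "attributes": attributes,
        "children": [
            {"fvRsCtx": {"attributes": {"tnFvCtxName": row["vrf"]}}},
            {"fvSubnet": {"attributes": {"ip": row["gw"], "scope": "public"}}},
        ]}}


def bd_url(apic, row):
    """Target URL: the BD is posted as a child of its tenant."""
    return f"https://{apic}/api/mo/uni/tn-{row['tenant']}.json"


class ApicSession:
    """Minimal APIC REST client: aaaLogin once, then the APIC-cookie is
    re-sent automatically by the cookie jar on every later POST."""

    def __init__(self, apic, verify_tls=True):
        self.apic = apic
        ctx = ssl.create_default_context()
        if not verify_tls:  # only for lab fabrics with self-signed certificates
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()),
            urllib.request.HTTPSHandler(context=ctx))

    def post(self, url, payload):
        req = urllib.request.Request(
            url, data=json.dumps(payload).encode(),
            headers={"Content-Type": "application/json"}, method="POST")
        with self.opener.open(req, timeout=30) as resp:
            return json.loads(resp.read())

    def login(self, user, pwd):
        return self.post(f"https://{self.apic}/api/aaaLogin.json",
                         {"aaaUser": {"attributes": {"name": user, "pwd": pwd}}})


def run(session, rows):
    """The Runner loop: one POST per row; returns the APIC responses."""
    return [session.post(bd_url(session.apic, row), build_bd(row)) for row in rows]


if __name__ == "__main__":
    # Credentials come from the environment (hypothetical variable names),
    # never from the variable file, which is shared and versioned.
    session = ApicSession(os.environ["APIC_HOST"],
                          verify_tls=os.environ.get("APIC_VERIFY_TLS", "1") == "1")
    session.login(os.environ["APIC_USER"], os.environ["APIC_PASS"])
    for response in run(session, VARIABLE_FILE):
        print(json.dumps(response)[:200])
```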
Using Ansible
Why use Ansible?
Pros:
• No/little scripting experience required
• Both network and server operating systems can be managed
• Inbuilt modules for many devices to be managed (not just ACI)
Cons:
• Some knowledge of JSON/YAML required
Ansible Terminology
• Modules
• Roles
• Playbooks
• Hosts / Groups
• Adhoc Mode
• Ansible-Galaxy
ACI Modules Built into Ansible
This module enables ANY ACI REST call to be configured.
ACI Modules Built into Ansible: Comprehensive Help Manual Pages for Each Module
How to create your own Roles
roles/
  aci_create_leafprofile/
    defaults/  files/  handlers/  meta/  tasks/  templates/  tests/  vars/
    main.yml
Using Ansible to configure switch interfaces
1. Create an Interface Policy | Leaf Profile
2. Modify a Switch Policy | Leaf Profile to reference the Interface Policy | Leaf Profile
Step 1: Create new custom Roles for the REST calls with Ansible Galaxy
Step 2: Create APIC Credentials Variables File (individual variable key/value pairs)
Step 3: Create Leaf and Switch Profiles Variables File (two named variable lists, each holding individual variable key/value pairs)
Step 4: Modify the main.yml in the Tasks Directory of the custom Role
• Iterate over the variable list (variable list name, individual variable)
• Insert the JSON from the saved object
Step 5: Create a Playbook to run multiple Roles
• Roles are invoked in the order listed
• Roles are invoked by the local Ansible server
Switch/Interface Policies (Leaf Profiles) – before running the Playbook
Step 6: Load the Relevant Variables and Run the Playbook
Interface Policies (Leaf Profiles) – after running Ansible Playbook
Switch Policies (Leaf Profiles) – after running Ansible Playbook
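The two REST payloads behind this procedure (an Interface Policies | Leaf Profile, then the Switch Policies | Leaf Profiles that reference it), as an added example in Python rather than the session's roles: it renders the JSON an aci_rest task would post from a constructed Step 3 variable list and flags references to profiles the list does not create. The selector and block names and the node ids behind Leafs_103_and_104 and Leafs_105_and_106 are this example's assumptions.

```python
"""Leaf Profile payloads for the Ansible procedure: an Interface Policies |
Leaf Profile, then Switch Policies | Leaf Profiles that reference it.

Added example, not from the session: the JSON an aci_rest task would post,
built from the variable lists of Step 3 with the session's names
(ESX_Hosts, Leafs_103_and_104, Leafs_105_and_106). Selector and block
names and the node ids behind the profile names are this example's own.
"""

ACCPORTPROF = "uni/infra/accportprof-{}"
ACCPORTGRP = "uni/infra/funcprof/accportgrp-{}"
NODEPROF = "uni/infra/nprof-{}"

# Constructed Step 3 variable list: interface profile -> selectors, each
# selector being (name, from_port, to_port, leaf policy group).
INTERFACE_PROFILES = {
    "ESX_Hosts": [("esx_1_1_to_1_3", 1, 3, "ESX_Hosts")],
}
# Switch profile -> (first node id, last node id, interface profiles used).
SWITCH_PROFILES = {
    "Leafs_103_and_104": (103, 104, ["ESX_Hosts"]),
    "Leafs_105_and_106": (105, 106, ["ESX_Hosts"]),
}


def interface_profile(name, selectors):
    """infraAccPortP with one infraHPortS (port range) per selector.

    Each selector owns a port block on slot 1 and a relation to the Leaf
    Policy Group that carries the interface settings (cdp-enabled etc.).
    """
    hports = []
    for sel_name, from_port, to_port, policy_group in selectors:
        if not 1 <= from_port <= to_port:
            raise ValueError(f"bad port range {from_port}-{to_port} in {sel_name}")
        hports.append({"infraHPortS": {
            "attributes": {"name": sel_name, "type": "range"},
            "children": [
                {"infraPortBlk": {"attributes": {
                    "name": f"blk_{from_port}_{to_port}",
                    "fromCard": "1", "toCard": "1",
                    "fromPort": str(from_port), "toPort": str(to_port)}}},
                {"infraRsAccBaseGrp": {"attributes": {
                    "tDn": ACCPORTGRP.format(policy_group)}}},
            ]}})
    return {"infraAccPortP": {
        "attributes": {"name": name, "dn": ACCPORTPROF.format(name)},
        "children": hports}}


def switch_profile(name, node_from, node_to, interface_profiles):
    """infraNodeP selecting a node range and referencing interface profiles.

    The infraRsAccPortP relations are what step 2 of the procedure adds:
    the switch profile consumes the interface profile.
    """
    if not 101 <= node_from <= node_to:
        raise ValueError(f"bad node range {node_from}-{node_to} in {name}")
    children = [{"infraLeafS": {
        "attributes": {"name": f"{name}_sel", "type": "range"},
        "children": [{"infraNodeBlk": {"attributes": {
            "name": f"nodes_{node_from}_{node_to}",
            "from_": str(node_from), "to_": str(node_to)}}}]}}]
    children += [{"infraRsAccPortP": {"attributes": {"tDn": ACCPORTPROF.format(p)}}}
                 for p in interface_profiles]
    return {"infraNodeP": {
        "attributes": {"name": name, "dn": NODEPROF.format(name)},
        "children": children}}


def dangling_references(switch_payloads, interface_payloads):
    """Return infraRsAccPortP targets that no interface profile payload creates.

    A typo in the variable file shows up here, before the playbook runs,
    instead of as a relation in missing-target state on the APIC.
    """
    created = {p["infraAccPortP"]["attributes"]["dn"] for p in interface_payloads}
    dangling = []
    for payload in switch_payloads:
        for child in payload["infraNodeP"]["children"]:
            rel = child.get("infraRsAccPortP")
            if rel and rel["attributes"]["tDn"] not in created:
                dangling.append(rel["attributes"]["tDn"])
    return dangling


def render_all(interface_profiles=INTERFACE_PROFILES, switch_profiles=SWITCH_PROFILES):
    """Payloads in the order a playbook should post them: interface
    profiles first, then the switch profiles that reference them."""
    ifp = [interface_profile(n, s) for n, s in interface_profiles.items()]
    swp = [switch_profile(n, a, b, refs) for n, (a, b, refs) in switch_profiles.items()]
    missing = dangling_references(swp, ifp)
    if missing:
        raise ValueError(f"switch profiles reference missing interface profiles: {missing}")
    return ifp + swp


if __name__ == "__main__":
    import json
    for payload in render_all():
        # Each payload is what one aci_rest task would POST to /api/mo/uni/infra.json
        print(json.dumps(payload, indent=2))
```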
ACI Programmability with Python
Why use Python?
Pros:
• Very Flexible
• SDKs available for many Cisco APIs including UCS, ACI and others
Cons:
• Scripting/Programmatic Knowledge Required
• More Complex than Previous Examples
What is Cobra?
• ACI Cobra
• The acicobra package is the SDK used for interacting with the controller. A few of the more commonly used modules and classes inside cobra.mit:
• Session: used to create sessions with the APIC using either the LoginSession or CertSession classes
• Access: used to login/logout of the APIC, and to submit query and configuration requests using the MoDirectory class.
• Request: used for building queries using the DnQuery and ClassQuery classes, and for building configuration requests using the ConfigRequest class.
• ACI Model: The acimodel package contains modules that model the MIT. Modules in this package are under cobra.model and are too numerous to list. Cobra is a 1-to-1 mapping of the object model, so every class in the object model is represented by a class in the acimodel package.
What is ARYA and WebArya?
• APIC REST to pYthon Adapter
• Simplifies the building of Python scripts by automatically generating a file that uses Cobra's classes and functions to build new configurations.
• These are the three main benefits of using Arya:
• Shortens the time it takes to build a configuration script
• Easier than reading through the API Documentation
• Teaches how to use the API by example
• What is WebArya:
• A Standalone Web frontend to ARYA
• Python code output utilises Cobra SDK
Requirements for WebArya
• Python 2.7
• Pip
• Download Cobra SDK
• Install Cobra
Requirements for WebArya
• Download and Install WebArya
• Run the WebArya Web Service (WebArya Service Started on Port 8888)
WebArya Example
There are four basic steps to using WebArya:
• Collect sample configuration data from the GUI
• Use the sample data as input into WebArya to build a script
• Make necessary edits to the WebArya's output
• Execute the resulting Python script
Extending ACI with L2 to legacy networks
Step 1: Save existing configuration
Tenant: Ciscolive, VRF: vrf-01
• EPG: vlan-501 (Domain: outside, Path: vPC_to_outside), BD: vlan-501 (GW: N/A, Advertise Externally: N/A)
• EPG: vlan-502 (Domain: outside, Path: vPC_to_outside), BD: vlan-502 (GW: N/A, Advertise Externally: Yes)
• EPG: vlan-503 (Domain: outside, Path: vPC_to_outside), BD: vlan-503 (GW: N/A, Advertise Externally: Yes)
Step 2: Paste downloaded JSON response into WebArya
Step 3: Copy resulting Python code into a text editor
(Optional) Step 4: Create a credentials file
Step 5: Modify text file
• Remove the RuntimeError
• If using the credentials file (Credentials.py), add the line that loads it
Step 5 (continued): Modify text file
• Change these values to the credentials file variables
• Create variables to be used in the REST call to APIC
Step 5 (continued): Modify text file
• Replace static objects with the variables created in the previous step
Step 5 (continued): Modify text file
• Replace the remaining static objects with the variables created in the previous step
Step 6: Save text file as Python file and execute
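The end state of Step 5, as an added example in plain Python that is neither WebArya's output nor Cobra-based: the objects saved in Step 1 (BD vlan-50x without a gateway, EPG vlan-50x on domain outside with static path vPC_to_outside) built from variables as APIC REST JSON, so it runs without the Cobra SDK. Assumed here: outside is a physical domain, the vPC pairs leaves 101 and 102 in pod 1, and the Application Profile is named legacy_l2.

```python
"""L2 extension to a legacy network: the Step 5 outcome, static objects
replaced by variables.

Added example, not from the session and not WebArya's Cobra output: the
same objects as Step 1 (BD vlan-50x with no gateway, EPG vlan-50x on
domain 'outside' with static path vPC_to_outside) as plain APIC REST
JSON. Assumed: 'outside' is a physical domain, the vPC pairs leaves
101 and 102 in pod 1, and the Application Profile name 'legacy_l2'.
"""

VPC_PATH = "topology/pod-{pod}/protpaths-{a}-{b}/pathep-[{vpc}]"


def vlan_ok(vlan_id):
    """802.1Q range check for the encap the legacy switch will tag with."""
    return 1 <= vlan_id <= 4094


def encap(vlan_id):
    """ACI encap string; rejects anything outside 1-4094."""
    if not vlan_ok(vlan_id):
        raise ValueError(f"VLAN {vlan_id} outside 1-4094")
    return f"vlan-{vlan_id}"


def l2_bridge_domain(name, vrf):
    """fvBD for pure L2 extension: no subnet, routing off, flooding on,
    so the legacy network keeps doing the gateway and ARP work."""
    return {"fvBD": {
        "attributes": {"name": name, "unicastRoute": "no", "arpFlood": "yes",
                       "unkMacUcastAct": "flood"},
        "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}}]}}


def l2_epg(name, bd_name, domain, vpc_name, vlan_id, pod=1, nodes=(101, 102)):
    """fvAEPg bound to the BD, the physical domain and one static vPC path
    carrying the VLAN as a tagged (regular) encap."""
    path_dn = VPC_PATH.format(pod=pod, a=nodes[0], b=nodes[1], vpc=vpc_name)
    return {"fvAEPg": {
        "attributes": {"name": name},
        "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": bd_name}}},
            {"fvRsDomAtt": {"attributes": {"tDn": f"uni/phys-{domain}"}}},
            {"fvRsPathAtt": {"attributes": {
                "tDn": path_dn, "encap": encap(vlan_id),
                "mode": "regular", "instrImedcy": "immediate"}}},
        ]}}


def l2_extension(tenant, ap_name, vrf, vlan_ids, domain="outside", vpc="vPC_to_outside"):
    """One fvTenant payload holding a BD/EPG pair per VLAN; the variables
    are the only thing that changes between VLANs. Posted to /api/mo/uni.json."""
    bds = [l2_bridge_domain(f"vlan-{v}", vrf) for v in vlan_ids]
    epgs = [l2_epg(f"vlan-{v}", f"vlan-{v}", domain, vpc, v) for v in vlan_ids]
    return {"fvTenant": {
        "attributes": {"name": tenant},
        "children": bds + [{"fvAp": {"attributes": {"name": ap_name},
                                     "children": epgs}}]}}


def vlans_in_payload(payload):
    """Read back the encaps actually attached, to diff against the change
    request before anything is posted."""
    out = []
    for child in payload["fvTenant"]["children"]:
        for epg in child.get("fvAp", {}).get("children", []):
            for rel in epg["fvAEPg"]["children"]:
                if "fvRsPathAtt" in rel:
                    out.append(rel["fvRsPathAtt"]["attributes"]["encap"])
    return out


if __name__ == "__main__":
    import json
    payload = l2_extension("Ciscolive", "legacy_l2", "vrf-01", [501, 502, 503])
    print(json.dumps(payload, indent=2))
```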
ACI Automation with UCS Director
Why use UCSD?
Pros:
• Off the shelf commercial product with full support
• Drag and Drop Workflow Orchestrator with Rollback
• ~250 ACI Tasks Out of the Box
• End User Portal for Catalogue Consumption
• Support for Cisco and non-Cisco products – Compute, Network, Storage, VM Deployment etc.
• Extensive Northbound API
Cons:
• Some Scripting (JavaScript) may be required for Extensibility Beyond OOB Tasks
UCSD Example: Adding EPGs to Bridge Domains
UCSD Example: Workflow End User Inputs
End users will be prompted for these values.
UCSD Example: Using the Orchestrator
Individual workflow tasks.
UCSD Example: Mapping Inputs to Tasks
• Input mapped to the output of the previous task
• Input mapped to end user input
UCSD Example: Running the Workflow
UCSD Example: Email Notification (Optional)
UCSD Example: Adding EPGs to Bridge Domains
UCSD Example: Rollback
UCSD Example: Rollback in Action
Invoking UCSD’s Northbound API with Postman/Runner
APIC after Runner Operation
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you