Cisco Live 2018 Barcelona

Post on 11-Sep-2021


Automating ACI

Steve Sharman – Technical Solutions Architect

Russ Whitear – Consulting Systems Engineer

BRKACI-2770

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How: cs.co/ciscolivebot#BRKACI-2770


Abstract

Automating ACI explores the use of popular automation tools running configuration tasks against an ACI network.

Technologies discussed will include APIC, Visore, Postman, Ansible, Python (WebArya, Cobra), and UCS Director.

The focus will be on providing structured methodologies that can be used to satisfy the requirements and desires of both infrastructure admins and application developers alike.


Session objectives

This session will provide attendees with an understanding of the ACI policy model and will provide them with the basic skills required in order to automate an ACI fabric and achieve business outcomes.


Before we start, let’s get to know each other …


Agenda

• Why Automate?

• ACI Primer

• Application Centric or Network Centric

• Automation use cases

• ACI Policy Model

• Postman

• Ansible

• Python

• UCS Director

Let’s start with an obvious question…


Why are customers looking to automate in their Data Centers?


There are actually many different reasons:

• Cost reduction

• Simplicity

• Consistent configuration (Policy conformance, elimination of human error)

• Reduction in maintenance windows

• Structured changes during the business day

• Service Catalogue for IT services


Automation means different things to different people!


Network centric, Server centric, Application centric

• Switch Interfaces

• Tenants

• VRFs

• Bridge Domains (L2)

• VLAN Extension

• Bridge Domains (L3)

• External L3

• Application Network Profiles

• Endpoint Groups

• Contracts

• VMware Portgroups

• Firewall Configuration

• SLB Configuration

• Multi server deployment

• Application containers

• Virtual Machine Deployment

• Load balancers

• Databases

• Storage LUNs

• Storage zoning

• Server Configuration (BIOS etc)

• Bare Metal Deployments

• Operating System

• Virtual Machine Deployment


ACI Primer


Physically Building the ACI Network

(Diagram: three APICs attached to the leaf/spine fabric)

Management options:

• GUI (basic/advanced)

• CLI

• XML/JSON

• Scripting

• Open API

• Automation

Benefits:

• Distributed, Centralised Management

• Full traffic visibility*

• Self documenting

• Integrated virtual and physical network

• Integrated L4-7 device management

• Policy defined network

* Excludes pre encapsulated/encrypted traffic


ACI Consumption Model

Interface Configuration (Fabric | Access Policies):

• VLANs

• Domains

• AAEP

• Interface Policies

• Leaf Policy Groups

• Leaf Profiles

• Switch Profiles

Interface Consumption (Tenants):

• Tenants

• VRFs

• Route Leaking

• L2/L3out

• Bridge Domains

• EPGs

• Contracts


Fabric | Access Policies


Concrete Model (Fabric | Access Policies):

• Pools: List of VLANs, VXLANs etc

• Domains: Where VLANs, VXLANs etc are consumed

• AAEP: Collection of allowed VLANs, VXLANs etc

• Interface Policies: Interface settings

• Leaf Policy Groups: Interface type and settings

• Interface Policies | Leaf Profiles: Collection of interface IDs

• Interface Selectors: Interface IDs

• Switch Policies | Leaf Profiles: Collection of switches

Logical Model (Tenants):

• Tenants: VRFs, subnets, security rules etc


The same chain, with Security Domains added between the Concrete Model and the Logical Model:

• Security Domains: Restricts VLANs, Switches, Interfaces, Tenants


Let’s consider a practical example…


Rack Layout

ACI Leaf Racks: Rack 01 (Leaf 101, Leaf 102), Rack 02 (Leaf 103, Leaf 104), Rack 03 (Leaf 105, Leaf 106), plus the three APICs

External Equipment Racks: Rack 04 (c3850), Rack 05 (n7706), Rack 06 (n9504)

Rack / Leaf     Interface   Rack / Device   Interface

R01_Leaf_101    1/1         R04_c3850       1/1

R01_Leaf_101    1/2         R05_n7706       1/1

R01_Leaf_101    1/3         R06_n9504       1/1

R01_Leaf_102    1/1         R04_c3850       1/2

R01_Leaf_102    1/2         R05_n7706       1/2

R01_Leaf_102    1/3         R06_n9504       1/2


Access policy chain for the c3850 links (Leaf 101 and Leaf 102, interface 1/1):

• Pools: shared_vlan_pool

• Domains: common:vrf-01

• AAEP: all_L3_domains

• Interface Policies: cdp-enabled

• Leaf Policy Groups: L3_to_c3850

• Interface Policies | Leaf Profiles: R01_to_R04_c3850, Interface Selectors: 1/1

• Switch Policies | Leaf Profiles: Leafs_101_and_102


Access policy chain for the n7706 links (Leaf 101 and Leaf 102, interface 1/2):

• Pools: shared_vlan_pool

• Domains: common:vrf-01

• AAEP: all_L3_domains

• Interface Policies: cdp-enabled

• Leaf Policy Groups: L3_to_n7706

• Interface Policies | Leaf Profiles: R01_to_R05_n7706, Interface Selectors: 1/2

• Switch Policies | Leaf Profiles: Leafs_101_and_102


Access policy chain for the n9504 links (Leaf 101 and Leaf 102, interface 1/3):

• Pools: shared_vlan_pool

• Domains: common:vrf-01

• AAEP: all_L3_domains

• Interface Policies: cdp-enabled

• Leaf Policy Groups: L3_to_n9504

• Interface Policies | Leaf Profiles: R01_to_R06_n9504, Interface Selectors: 1/3

• Switch Policies | Leaf Profiles: Leafs_101_and_102


The three chains together:

• Pools: shared_vlan_pool

• Domains: common:vrf-01

• AAEP: all_L3_domains

• Interface Policies: cdp-enabled

• Leaf Policy Groups: L3_to_c3850, L3_to_n7706, L3_to_n9504

• Interface Policies | Leaf Profiles: R01_to_R04_c3850 (Interface Selectors: 1/1), R01_to_R05_n7706 (Interface Selectors: 1/2), R01_to_R06_n9504 (Interface Selectors: 1/3)

• Switch Policies | Leaf Profiles: Leafs_101_and_102 (referenced by all three Interface Policies | Leaf Profiles)


Couldn’t we reduce the number of Interface Policy Groups?


Yes: the three Leaf Policy Groups L3_to_c3850, L3_to_n7706 and L3_to_n9504 carry the same interface settings, so they collapse into one:

• Pools: shared_vlan_pool

• Domains: common:vrf-01

• AAEP: all_L3_domains

• Interface Policies: cdp-enabled

• Leaf Policy Groups: L3_to_ext_L3_switch

• Interface Policies | Leaf Profiles: R01_to_R04_c3850 (Interface Selectors: 1/1), R01_to_R05_n7706 (Interface Selectors: 1/2), R01_to_R06_n9504 (Interface Selectors: 1/3)

• Switch Policies | Leaf Profiles: Leafs_101_and_102


Couldn’t we reduce the number of Leaf Profiles?


Yes: with a single Leaf Policy Group, the three Interface Policies | Leaf Profiles R01_to_R04_c3850, R01_to_R05_n7706 and R01_to_R06_n9504 collapse into one profile whose selector lists all three interfaces:

• Pools: shared_vlan_pool

• Domains: common:vrf-01

• AAEP: all_L3_domains

• Interface Policies: cdp-enabled

• Leaf Policy Groups: L3_to_ext_L3_switch

• Interface Policies | Leaf Profiles: R01_to_ext_L3_switch, Interface Selectors: 1/1, 1/2, 1/3

• Switch Policies | Leaf Profiles: Leafs_101_and_102
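The consolidation the last few slides walk through, as an added example (not code from the session): starting from the Rack Layout cabling table, it derives the per-device objects of slides 21 to 24 and the single policy group and interface profile of slides 26 to 28, and adds an overlap check that a practitioner would run before pushing either design. The cabling rows are constructed from the table above; the object names follow the slides.

```python
from collections import defaultdict

# Constructed from the Rack Layout cabling table on the slides:
# leaf, leaf interface, external device, device interface.
CABLING = """
R01_Leaf_101 1/1 R04_c3850 1/1
R01_Leaf_101 1/2 R05_n7706 1/1
R01_Leaf_101 1/3 R06_n9504 1/1
R01_Leaf_102 1/1 R04_c3850 1/2
R01_Leaf_102 1/2 R05_n7706 1/2
R01_Leaf_102 1/3 R06_n9504 1/2
"""


def parse_cabling(text):
    rows = []
    for line in text.strip().splitlines():
        leaf, port, device, device_port = line.split()
        rows.append({"leaf": int(leaf.rsplit("_", 1)[1]),   # "R01_Leaf_101" -> 101
                     "port": port, "device": device, "device_port": device_port})
    return rows


def per_device_design(rows):
    """Slides 21-24: one Leaf Policy Group and one Interface Policy | Leaf
    Profile per external device, all under the same Switch Policy | Leaf
    Profile.  Returns {device label: design}."""
    designs = {}
    for r in rows:
        label = r["device"].split("_", 1)[1]            # "R04_c3850" -> "c3850"
        d = designs.setdefault(label, {
            "policy_group": f"L3_to_{label}",
            "interface_profile": f"R01_to_{r['device']}",
            "selectors": set(), "leaves": set(),
            "switch_profile": "Leafs_101_and_102"})
        d["selectors"].add(r["port"])
        d["leaves"].add(r["leaf"])
    return designs


def consolidated_design(rows):
    """Slides 26-28: the interface settings are identical, so the three
    objects collapse into one policy group and one interface profile whose
    selector lists every external-facing port."""
    return {"policy_group": "L3_to_ext_L3_switch",
            "interface_profile": "R01_to_ext_L3_switch",
            "selectors": sorted({r["port"] for r in rows}),
            "leaves": sorted({r["leaf"] for r in rows}),
            "switch_profile": "Leafs_101_and_102"}


def find_overlaps(profiles):
    """{(leaf, port): [profile names]} for every port selected by more than
    one interface profile.  Two profiles claiming the same port would hand
    it two policy groups, which the APIC reports as a fault; run this over
    the whole design before any of it is pushed."""
    claims = defaultdict(list)
    for name, prof in profiles.items():
        for leaf in prof["leaves"]:
            for port in prof["selectors"]:
                claims[(leaf, port)].append(name)
    return {k: sorted(v) for k, v in claims.items() if len(v) > 1}


if __name__ == "__main__":
    rows = parse_cabling(CABLING)
    for label, d in per_device_design(rows).items():
        print(label, d["policy_group"], d["interface_profile"], sorted(d["selectors"]))
    print(consolidated_design(rows))
```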


How should we use Leaf Profiles?


Leaf Profiles aligned to the attached device (i.e. ESX_Hosts):

• Pools: all_vlans

• Domains: Ciscolive-vds-01

• AAEP: all_vlans

• Interface Policies: cdp-enabled

• Leaf Policy Groups: ESX_Hosts

• Interface Policies | Leaf Profiles: ESX_Hosts, Interface Selectors: 1/1, 1/2, 1/3…

• Switch Policies | Leaf Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106

The Leaf Profile is mapped to switches; additional Leaf switches are configured by selecting the Leaf Profile from the switch side.


Leaf Profiles aligned to switches:

• Pools: all_vlans

• Domains: physical_servers, Ciscolive-vds-01

• AAEP: all_vlans

• Interface Policies: cdp-enabled

• Leaf Policy Groups: ESX_Hosts (Interface Selectors: 1/1, 1/2, 1/3…), Linux_Hosts (Interface Selectors: 1/11, 1/12, 1/13…), Windows_Hosts (Interface Selectors: 1/21, 1/22, 1/23…)

• Interface Policies | Leaf Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106

• Switch Policies | Leaf Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106

The Leaf Profile is mapped to switches; additional interfaces on the Leaf switches are configured by adding selectors to the switch-aligned Leaf Profile.


Adding VRFs (Contexts) and Bridge Domains (L2 segments and/or subnets)


Isolated Tenant Networking

(Diagram: three APICs; each tenant has its own VRF)

• Tenant: Ciscolive, VRF: vrf-01

• Tenant: common, VRF: vrf-01

• Tenant: infra, VRF: vrf-01

• Tenant: mgmt, VRF: vrf-01

Bridge Domains (L2 segments and/or subnets):

• BD: 192.168.10.x_24, GW: 192.168.10.1/24, Advertise Externally: Yes

• BD: 192.168.11.x_24, GW: 192.168.11.1/24, Advertise Externally: Yes

• BD: 192.168.12.x_24, GW: 192.168.12.1/24, Advertise Externally: Yes


Application Centric mode or Network Centric mode?


Option 1: Single EPG on a Single BD with a Single Subnet – “standard networking”

Tenant: Ciscolive, VRF: vrf-01, Application Profile: MyApp

• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:Web) on BD: 192.168.10.x_24, GW: 192.168.10.1/24, Advertise Externally: Yes

• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:App) on BD: 192.168.11.x_24, GW: 192.168.11.1/24, Advertise Externally: Yes

• EPG: DB (Path: 101/1/1-2, VLAN: 12) on BD: 192.168.12.x_24, GW: 192.168.12.1/24, Advertise Externally: Yes

(Diagram: VMs attached to the Web and App portgroups)


Option 2: Multiple EPGs on a Single BD with a Single Subnet – µSegmentation in IP space

Tenant: Ciscolive, VRF: vrf-01, Application Profile: MyApp

• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:Web)

• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:App)

• EPG: DB (Path: 101/1/1-2, VLAN: 12)

All three EPGs on BD: 192.168.10.x_24, GW: 192.168.10.1/24, Advertise Externally: Yes

(Diagram: VMs attached to the Web and App portgroups)


Option 3: Multiple EPGs on a Single BD with Multiple Subnets – IP secondary

Tenant: Ciscolive, VRF: vrf-01, Application Profile: MyApp

• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:Web) – servers in either the 192.168.10.x or the 192.168.11.x subnet

• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:App) – servers in either the 192.168.10.x or the 192.168.11.x subnet

• EPG: DB (Path: 101/1/1-2, VLAN: 12)

All three EPGs on BD: multiple_subnets, GW: 192.168.10.1/24 and GW: 192.168.11.1/24, Advertise Externally: Yes

(Diagram: VMs attached to the Web and App portgroups)


Options 1, 2, and 3 – µSegmentation within an EPG/Port Group (no East/West traffic flows)

Tenant: Ciscolive, VRF: vrf-01, Application Profile: MyApp

• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:Web) on BD: 192.168.10.x_24, GW: 192.168.10.1/24, Advertise Externally: Yes

• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:App) on BD: 192.168.11.x_24, GW: 192.168.11.1/24, Advertise Externally: Yes

• EPG: DB (Path: 101/1/1-2, VLAN: 12) on BD: 192.168.12.x_24, GW: 192.168.12.1/24, Advertise Externally: Yes

(Diagram: communication between the VMs within each EPG/Port Group is blocked)


Options 1, 2, and 3 – µSegmentation within an EPG/Port Group based on machine attribute

Tenant: Ciscolive, VRF: vrf-01, Application Profile: MyApp

• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:Web) on BD: 192.168.10.x_24, GW: 192.168.10.1/24, Advertise Externally: Yes

• Dynamic EPG: Name=WebSrvsApp1

• Dynamic EPG: Name=WebSrvsApp2

• Dynamic EPG: Name=WebSrvsApp3

VMs are mapped to a dynamic EPG based on attribute.

Automation use cases


ACI allows for a “build and consume” model of network configuration

• The network team configures VRFs, subnets, and routing

• The network team configures L2 extension out of the fabric (VLANs and Interfaces)

• The server team configures switch interfaces

• The application team configures EPGs/Portgroups

• The application team configures security rules to allow access to applications


Our automation use cases

• Postman – Configuring Bridge Domains (subnets)

• Ansible – Configuring switch interfaces

• Python – Extending ACI with L2 to legacy networks

• UCSD – Adding EPGs to Bridge Domains (subnets) and providing connectivity


1. Postman – Configuring Bridge Domains (subnets)

Tenant: Ciscolive, VRF: vrf-01, new Bridge Domains:

• BD: 192.168.100.x_24, GW: 192.168.100.1/24, Advertise Externally: Yes

• BD: 192.168.101.x_24, GW: 192.168.101.1/24, Advertise Externally: Yes

• BD: 192.168.102.x_24, GW: 192.168.102.1/24, Advertise Externally: Yes

• BD: 192.168.103.x_24, GW: 192.168.103.1/24, Advertise Externally: Yes

• BD: 192.168.104.x_24, GW: 192.168.104.1/24, Advertise Externally: Yes

Tenant: Common, VRF: vrf-01: Route Leak 0.0.0.0/0 to Ext Switch 6ka and Ext Switch 6kb (VRF: global), sub-interfaces running OSPF


2. Ansible – Configure additional switch interfaces

(Diagram: three APICs attached to the leaf/spine fabric)


The Leaf Profile design from the ACI Primer applies here: the Interface Policies | Leaf Profiles for ESX_Hosts (Interface Selectors: 1/1, 1/2, 1/3…), Linux_Hosts (Interface Selectors: 1/11, 1/12, 1/13…) and Windows_Hosts (Interface Selectors: 1/21, 1/22, 1/23…), each pointing at the Leaf Policy Group of the same name (Pools: all_vlans, AAEP: all_vlans, Domains: Ciscolive-vds-01 and physical_servers, Interface Policies: cdp-enabled), are mapped to the Switch Policies | Leaf Profiles Leafs_101_and_102, Leafs_103_and_104 and Leafs_105_and_106, so that additional Leaf switches and additional interfaces are configured by selecting the right Leaf Profile.


3. Python – Extending ACI with L2 to legacy networks

Tenant: Ciscolive, VRF: vrf-01

• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:Web; additionally Domain: outside, Path: vPC_to_outside) on BD: L2, GW: N/A, Advertise Externally: N/A

• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:App) on BD: 192.168.11.x_24, GW: 192.168.11.1/24, Advertise Externally: Yes

• EPG: DB (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:DB) on BD: 192.168.12.x_24, GW: 192.168.12.1/24, Advertise Externally: Yes

(Diagram: VMs attached to the Web, App and DB portgroups; communication allowed between the tiers)


4. UCSD – Adding Application Profiles/EPGs and providing external connectivity

Tenant: Ciscolive, VRF: vrf-01, Application Profile: MyApp

• EPG: Web (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:Web) on BD: 192.168.10.x_24, GW: 192.168.10.1/24, Advertise Externally: Yes

• EPG: App (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:App) on BD: 192.168.11.x_24, GW: 192.168.11.1/24, Advertise Externally: Yes

• EPG: DB (vDS: Ciscolive-vds-01, VLAN: dynamic; vDS Portgroup: Ciscolive:MyApp:DB) on BD: 192.168.12.x_24, GW: 192.168.12.1/24, Advertise Externally: Yes

Tenant: Common, VRF: vrf-01: Route Leak 0.0.0.0/0 to Ext Switch 6ka and Ext Switch 6kb (VRF: global), sub-interfaces running OSPF

(Diagram: VMs attached to the Web, App and DB portgroups; communication allowed between the tiers and to the outside)


How can I get started?


First you need a basic understanding of the ACI Policy Model.


What is the ACI Policy Model?

The ACI policy model enables the specification of application requirements policies. The APIC automatically renders policies in the fabric infrastructure.

When a user or process initiates an administrative change to an object in the fabric, the APIC first applies that change to the policy model. This policy model change then triggers a change to the actual managed endpoint.

This approach is called a model-driven framework.


https://{{APIC}}/


https://{{APIC}}/doc/html/


Managed Objects

Policy Universe, with children:

• AAA, Security

• Tenants – User, Common …

• APIC Controllers

• Layer 4-7 Services

• Fabric, Access, Inventory …

• VM Domains …

Tenant, with children:

• Application Profile, containing EPG

• Filter

• Contract, containing Subject

• Outside Network

• Bridge Domain, containing Subnet

• VRF


https://{{APIC}}/visore.html


Using Postman


Why use Postman?

Pros:

• No/little scripting experience required

• Both network and server operating systems can be managed

• It’s extremely easy to use

Cons:

• Some knowledge of JSON/XML required


Step 1: Build your required object(s) in the GUI

(Diagram: Tenant Ciscolive, VRF vrf-01, Application Profile MyApp with EPGs Web, App and DB on vDS Ciscolive-vds-01 with dynamic VLANs, on BDs 192.168.10.x_24, 192.168.11.x_24 and 192.168.12.x_24 advertised externally, reaching Ext Switch 6ka and 6kb (VRF: global) through Tenant Common’s Route Leak 0.0.0.0/0, as in use case 4)


Step 2: Save your configuration

(Diagram: the same Tenant Ciscolive / MyApp objects as in Step 1, saved from the GUI)


Step 3: Prettify your JSON


Step 4: Understand the configuration code

Annotated parts of the saved JSON:

• Application Profile: “path” to the Application Profile; Application Profile name; children of the Application Profile

• Endpoint Group: Endpoint Group name; children of the Endpoint Group

• Provided Contract: Contract name

• Domain: Domain name (VMM)

• Bridge Domain: Bridge Domain name


Step 5: Select parameters to use as variables

• Application Profile: “path” to the Application Profile (variable); Application Profile name (variable); new “status” object (variable)

• Endpoint Group: “path” to the Endpoint Group (variable); Endpoint Group name (variable); new “status” object (variable)

• Provided Contract: Contract name (variable)

• Domain: Domain name (VMM) (variable)

• Bridge Domain: Bridge Domain name (variable)


Step 6: Create a variable file

Options for the “status” variable:

• created

• created,modified

• deleted
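As an added example (not the session’s own Postman collection), the following Python builds the JSON that the Step 8 POST sends, once per row of a Step 6 variable file, for the Bridge Domains of use case 1. The fvBD/fvRsCtx/fvSubnet tree and the three status values come from the slides; the CSV column names and the APIC hostname are assumptions, and the variable file is constructed here.

```python
import csv
import io
import ipaddress
import json

# Constructed variable file in the CSV shape Postman Runner reads:
# the five Bridge Domains from use case 1, exercising all three status options.
VARIABLE_FILE = """bd_name,gateway,status
192.168.100.x_24,192.168.100.1/24,created
192.168.101.x_24,192.168.101.1/24,created
192.168.102.x_24,192.168.102.1/24,"created,modified"
192.168.103.x_24,192.168.103.1/24,"created,modified"
192.168.104.x_24,192.168.104.1/24,deleted
"""

# The "status" options from Step 6: "created" fails if the object already
# exists, "created,modified" is idempotent, "deleted" removes it.
VALID_STATUS = {"created", "created,modified", "deleted"}
TENANT = "Ciscolive"   # tenant and VRF from the use-case diagram
VRF = "vrf-01"


def bd_payload(bd_name, gateway, status, vrf=VRF):
    """JSON for one Bridge Domain: the BD, its VRF relation and its gateway
    subnet.  scope=public is what the GUI calls Advertise Externally: Yes."""
    if status not in VALID_STATUS:
        raise ValueError(f"unsupported status {status!r}")
    if status == "deleted":
        # A delete only needs the object's identity, not its children.
        return {"fvBD": {"attributes": {"name": bd_name, "status": status}}}
    iface = ipaddress.ip_interface(gateway)   # raises ValueError on garbage
    if iface.ip == iface.network.network_address:
        raise ValueError(f"{gateway} is the network address, not a gateway")
    return {
        "fvBD": {
            "attributes": {"name": bd_name, "status": status},
            "children": [
                {"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}},
                {"fvSubnet": {"attributes": {"ip": str(iface), "scope": "public"}}},
            ],
        }
    }


def build_requests(variable_file, apic="apic.example.net", tenant=TENANT):
    """One (url, payload) pair per row, in the order Runner iterates them.
    Every row is validated before anything is sent, so a bad row stops the
    whole run instead of leaving the tenant half-configured."""
    url = f"https://{apic}/api/mo/uni/tn-{tenant}.json"
    return [(url, bd_payload(r["bd_name"], r["gateway"], r["status"]))
            for r in csv.DictReader(io.StringIO(variable_file))]


if __name__ == "__main__":
    for url, payload in build_requests(VARIABLE_FILE):
        print("POST", url)
        print(json.dumps(payload, indent=2))
```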


Step 7: Create Postman environment


Step 8: Create a POST and Insert JSON with variables


Step 9: Select file with input variables


Step 10: Monitor output


Bridge Domains – before Runner


Bridge Domains – after Runner


Using Ansible


Why use Ansible?

Pros:

• No/little scripting experience required

• Both network and server operating systems can be managed

• Inbuilt modules for many devices to be managed (Not just ACI)

Cons:

• Some knowledge of JSON/YAML required


Ansible Terminology

• Modules

• Roles

• Playbooks

• Hosts / Groups

• Adhoc Mode

• Ansible-Galaxy


ACI Modules Built into Ansible

(Screenshot of the module list; the highlighted module enables ANY ACI REST call to be configured)


ACI Modules Built into Ansible: Comprehensive Help Manual Pages for Each Module


How to create your own Roles

roles/

  aci_create_leafprofile/

    defaults/  files/  handlers/  meta/  tasks/  templates/  tests/  vars/

    tasks/main.yml


Using Ansible to configure switch interfaces

1. Create an Interface Policy | Leaf Profile

2. Modify a Switch Policy | Leaf Profile to reference the Interface Policy | Leaf Profile


Step 1: Create new custom Roles for the REST calls with Ansible Galaxy


Step 2: Create APIC Credentials Variables File (individual variables as key/value pairs)


Step 3: Create Leaf and Switch Profiles Variables File (two named variable lists, each holding individual variables as key/value pairs)


Step 4: Modify the main.yml in the Tasks Directory of the custom Role (iterate over the variable list by name and insert the JSON from the saved object, substituting each individual variable)


Step 5: Create a Playbook to run multiple Roles (the Roles are invoked in the listed order by the local Ansible server)


Switch/Interface Policies (Leaf Profiles) – before running the Playbook


Step 6: Load the Relevant Variables and Run the Playbook
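The two REST calls the custom Roles make, one per entry of the Step 3 variable list, as an added example rather than the session’s own role files: the first creates the Interface Policy | Leaf Profile with a port-range selector tied to the Leaf Policy Group, the second adds the reference from the existing Switch Policy | Leaf Profile. Object classes and DN formats are the APIC’s; the variable names and the sample list are constructed for this example.

```python
# Constructed variable list in the shape of the Step 3 variables file:
# one entry per Interface Policy | Leaf Profile to create and attach.
LEAF_PROFILES = [
    {"interface_profile": "ESX_Hosts", "policy_group": "ESX_Hosts",
     "switch_profile": "Leafs_103_and_104", "from_port": 1, "to_port": 3},
    {"interface_profile": "Linux_Hosts", "policy_group": "Linux_Hosts",
     "switch_profile": "Leafs_103_and_104", "from_port": 11, "to_port": 13},
]


def interface_profile_call(v):
    """Role 1: create the Interface Policy | Leaf Profile with a port-range
    selector (infraHPortS + infraPortBlk) that points at the existing Leaf
    Policy Group.  Returns (REST path, JSON body)."""
    lo, hi = v["from_port"], v["to_port"]
    if not 1 <= lo <= hi:
        raise ValueError(f"bad port range {lo}-{hi}")
    name = v["interface_profile"]
    payload = {"infraAccPortP": {
        "attributes": {"name": name, "status": "created,modified"},
        "children": [{"infraHPortS": {
            "attributes": {"name": f"ports_{lo}_to_{hi}", "type": "range"},
            "children": [
                {"infraPortBlk": {"attributes": {
                    "name": f"blk{lo}", "fromCard": "1", "toCard": "1",
                    "fromPort": str(lo), "toPort": str(hi)}}},
                {"infraRsAccBaseGrp": {"attributes": {
                    "tDn": f"uni/infra/funcprof/accportgrp-{v['policy_group']}"}}},
            ]}}]}}
    return f"/api/mo/uni/infra/accportprof-{name}.json", payload


def switch_profile_call(v):
    """Role 2: reference the new interface profile from the existing Switch
    Policy | Leaf Profile.  status=modified (not created,modified) asks the
    APIC to update an existing profile, so a mistyped switch profile name
    surfaces as an error instead of a new profile with no switch selectors."""
    sp = v["switch_profile"]
    payload = {"infraNodeP": {
        "attributes": {"name": sp, "status": "modified"},
        "children": [{"infraRsAccPortP": {"attributes": {
            "tDn": f"uni/infra/accportprof-{v['interface_profile']}"}}}]}}
    return f"/api/mo/uni/infra/nprof-{sp}.json", payload


def playbook_calls(variables):
    """The playbook runs the Roles in order: every Role 1 call, then every
    Role 2 call, each Role iterating over the whole variable list."""
    return ([interface_profile_call(v) for v in variables]
            + [switch_profile_call(v) for v in variables])


if __name__ == "__main__":
    import json
    for path, body in playbook_calls(LEAF_PROFILES):
        print("POST", path, json.dumps(body))
```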


Interface Policies (Leaf Profiles) – after running Ansible Playbook


Switch Policies (Leaf Profiles) – after running Ansible Playbook


ACI Programmability with Python


Why use Python?

Pros:

• Very Flexible

• SDKs available for many Cisco APIs including UCS, ACI and others

Cons:

• Scripting/Programmatic Knowledge Required

• More Complex than Previous Examples


What is Cobra?

• ACI Cobra

• The acicobra package is the SDK used for interacting with the controller. Here are a few modules and the more commonly used classes inside cobra.mit:

• Session: used to create sessions with the APIC using either the LoginSession or CertSession classes

• Access: used to log in/out of the APIC, and to submit query and configuration requests using the MoDirectory class.

• Request: used for building queries using the DnQuery and ClassQuery classes, and for building configuration requests using the ConfigRequest class.

• ACI Model: The acimodel package contains modules that model the MIT. Modules in this package are under cobra.model, and are too numerous to list. Cobra is a 1-to-1 mapping of the object model: every class in the object model is represented by a class in the acimodel package.


What is ARYA and WebArya?

• APIC REST to pYthon Adapter

• Simplifies the building of Python scripts by automatically generating a file that uses Cobra's classes and functions to build new configurations.

• These are the three main benefits of using Arya:

• Shortens the time it takes to build a configuration script

• Easier than reading through the API Documentation

• Teaches how to use the API by example

• What is WebArya:

• A Standalone Web frontend to ARYA

• Python code output utilises Cobra SDK


Requirements for WebArya

• Python 2.7

• Pip

• Download Cobra SDK

• Install Cobra


Requirements for WebArya (continued)

• Download and Install WebArya

• Run the WebArya Web Service (the WebArya service starts on port 8888)


WebArya Example

There are four basic steps to using WebArya:

• Collect sample configuration data from the GUI

• Use the sample data as input into WebArya to build a script

• Make necessary edits to the WebArya's output

• Execute the resulting Python script


Extending ACI with L2 to legacy networks

Step 1: Save existing configuration

Tenant: Ciscolive, VRF: vrf-01

• EPG: vlan-501 (Domain: outside, Path: vPC_to_outside) on BD: vlan-501, GW: N/A, Advertise Externally: N/A

• EPG: vlan-502 (Domain: outside, Path: vPC_to_outside) on BD: vlan-502, GW: N/A, Advertise Externally: Yes

• EPG: vlan-503 (Domain: outside, Path: vPC_to_outside) on BD: vlan-503, GW: N/A, Advertise Externally: Yes


Step 2: Paste downloaded JSON response into WebArya


Step 3: Copy resulting Python code into a text editor


(Optional) Step 4: Create a credentials file


Step 5: Modify text file

• Remove the RuntimeError

• If using a credentials file (Credentials.py), add the line that loads it


Step 5 (continued): Modify these values to the credentials file variables, and create the variables to be used in the REST call to the APIC


Step 5 (continued): Replace static objects with the variables created in the previous step


Step 5 (continued): Replace the remaining static objects with the variables created in the previous step


Step 6: Save text file as Python file and execute
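What the WebArya output looks like after the Step 5 edits, as an added example rather than the session’s own file: the RuntimeError guard is gone, the credentials are kept out of the script, and the static VLAN objects are replaced by variables so the same code extends any list of legacy VLANs. Assumptions: the acicobra and acimodel packages are installed (they are imported only inside push_to_apic, so the planning functions run without them), the credentials come from environment variables instead of a Credentials.py, and the application profile name and the vPC path DN are constructed for this example.

```python
import os

TENANT = "Ciscolive"      # tenant and VRF from the saved configuration
VRF = "vrf-01"
APP_PROFILE = "MyApp"     # assumed: the slide does not name the application profile
PHYS_DOMAIN = "outside"   # Domain: outside
# Assumed DN for the vPC_to_outside path on leaves 101/102 (the GUI's "Path").
VPC_PATH = "topology/pod-1/protpaths/101-102/pathep-[vPC_to_outside]"


def load_credentials(env=os.environ):
    """Replaces Credentials.py: the APIC URL, user and password come from the
    environment and a missing value fails before anything touches the APIC."""
    try:
        return {"url": env["APIC_URL"], "user": env["APIC_USER"],
                "password": env["APIC_PASS"]}
    except KeyError as exc:
        raise RuntimeError(f"missing environment variable {exc.args[0]}") from None


def plan_l2_extension(vlan_ids):
    """One L2-only Bridge Domain and one EPG per legacy VLAN, named after
    the VLAN as on the slide (BD: vlan-501, EPG: vlan-501, encap vlan-501)."""
    plan = []
    for vid in vlan_ids:
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN {vid} out of range")
        plan.append({"bd": f"vlan-{vid}", "epg": f"vlan-{vid}", "encap": f"vlan-{vid}"})
    return plan


def push_to_apic(plan, creds):
    """Build the objects with the Cobra SDK and commit them in one request."""
    from cobra.mit.session import LoginSession
    from cobra.mit.access import MoDirectory
    from cobra.mit.request import ConfigRequest
    import cobra.model.pol as pol
    import cobra.model.fv as fv

    md = MoDirectory(LoginSession(creds["url"], creds["user"], creds["password"]))
    md.login()
    uni = pol.Uni("")
    tenant = fv.Tenant(uni, TENANT)
    ap = fv.Ap(tenant, name=APP_PROFILE)
    for item in plan:
        # L2-only BD: no gateway, no unicast routing, flood unknown unicast/ARP
        bd = fv.BD(tenant, name=item["bd"], unicastRoute="no",
                   arpFlood="yes", unkMacUcastAct="flood")
        fv.RsCtx(bd, tnFvCtxName=VRF)
        epg = fv.AEPg(ap, name=item["epg"])
        fv.RsBd(epg, tnFvBDName=item["bd"])
        fv.RsDomAtt(epg, tDn=f"uni/phys-{PHYS_DOMAIN}")
        # Static binding of the legacy VLAN to the vPC towards the outside
        fv.RsPathAtt(epg, tDn=VPC_PATH, encap=item["encap"], mode="regular")
    req = ConfigRequest()
    req.addMo(tenant)
    md.commit(req)
    md.logout()


if __name__ == "__main__":
    push_to_apic(plan_l2_extension([501, 502, 503]), load_credentials())
```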


ACI Automation with UCS Director


Why use UCSD?

Pros:

• Off the shelf commercial product with full support

• Drag and Drop Workflow Orchestrator with Rollback

• ~250 ACI Tasks Out of the Box

• End User Portal for Catalogue Consumption

• Support for Cisco and non Cisco products – Compute, Network, Storage, VM Deployment etc.

• Extensive Northbound API

Cons:

• Some Scripting (JavaScript) may be required for Extensibility Beyond OOB Tasks


UCSD Example: Adding EPGs to Bridge Domains


UCSD Example: Workflow End User Inputs (end users will be prompted for these values)


UCSD Example: Using the Orchestrator (individual workflow tasks)


UCSD Example: Mapping Inputs to Tasks (an input is mapped either to the output of a previous task or to an end user input)


UCSD Example: Running the Workflow


UCSD Example: Email Notification (Optional)


UCSD Example: Adding EPGs to Bridge Domains


UCSD Example: Rollback


UCSD Example: Rollback in Action


Invoking UCSD’s Northbound API with Postman/Runner



APIC after Runner Operation



Complete Your Online Session Evaluation

• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Tech Circle

• Meet the Engineer 1:1 meetings

• Related sessions


Thank you
