untitled - cisco live
Steve Sharman – Technical Solutions Architect
Russ Whitear – Consulting Systems Engineer
BRKACI-2770
Automating ACI
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Abstract
Automating ACI explores the use of popular automation tools running configuration tasks against an ACI network.
The session will be based on real world use cases where we’ll use different automation tools to configure ACI network interfaces, tenants/VRFs/BDs, contracts, and finally we’ll deploy a complete application stack using the previously configured objects.
Technologies discussed will include APIC, Visore, Postman, Ansible, UCS Director, and CloudCenter.
Session objectives
This session will provide attendees with an understanding of the ACI policy model along with the basic skills required in order to automate an ACI fabric to create an internal private cloud.
Before we start, let’s get to know each other …
Agenda
• Why Automate?
• ACI Primer
• ACI Policy Model
• Automation Use Cases
• Automating with UCS Director
• Automating with Postman
• Automating with Ansible
• Automating with CloudCenter
• Summary
Let’s start with an obvious question…
Why are customers looking to use automation in their Data Centers…?
There are actually many different reasons:
• Cost reduction
• Simplicity
• Consistent configuration (Policy conformance, elimination of human error)
• Reduction in maintenance windows
• Reduction in time consuming repetitive tasks
• Structured changes during the business day
• Service Catalogue for IT services
• Elastic scaling
Automation means different things to different people…!
[Slide: word cloud of role titles: Application Architect, Systems Eng, SRE, Scrum Lead, NetDevOps, Developer, DevOps, SecOps Engineer, Network, Reliability, DevOps Engineer, Platform Team, DevSecOps, Dev-Test, NetOps, Chaos Eng, Full-Stack, Infrastructure Dev, Test-Dev]
Different Mindsets
DevOps Mindset
Embrace failure, Change is good, Active collaboration, Empowered accountability, Feedback systems, Automation
Change Management Mindset
Avoid failure, Change is Risky and Complex, Empowered accountability, Limited Feedback Systems, Manual
The Rise of the Developer
https://www.sequoiacap.com/article/rise-of-the-developer
“We are no longer rolling code by hand—bespoke, crafted from scratch and stored in a private stash. Instead, developers integrate and connect existing pieces together. We fork and adapt. Code becomes a cumulative, open-sourced effort. We are a community of developers working together.”
“This new way of working together has a surprising effect. It means each dev has tremendous influence on which tools get adopted.
The revelation is that developers have become a critical go-to-market distribution channel. If developers don't like a product, they won't use it. Period.
No amount of pressure from a CIO can change that. Developers will always find a work-around that works better.”
What is Core vs Context for Network Admins…?
• Interface Configuration
• Routing (BGP, OSPF)
• Security
• Change Control
• Fault Finding
How can I exit the change control loop…?
Internal IT is so slow..!
Let’s use the “cloud”
Cloud is quicker
Cloud is cheaper
I’m in control
Why not present the network as just another cloud…?
Time for a change of mindset
Tools, tools, and more tools…!
[Slide: OSI layers Physical, Data Link, Network, Transport, Session, Presentation, Application, with Interfaces, Routing and Access Lists marked against them]
What is “core” to networking…?
There is no perfect automation tool…!
Interfaces
Tenants, VRFs, Bridge Domains
Application Profiles, Endpoint Groups
Contracts
Applications
Virtual Machines
A quick ACI Primer…
Physically Building the ACI Network
Management options:
• GUI
• CLI
• XML/JSON
• Scripting
• Open API
• Automation
Benefits:
• Distributed, Centralised Management
• Full traffic visibility*
• Self documenting
• Integrated virtual and physical network
• Integrated L4-7 device management
• Policy defined network
* Excludes pre-encapsulated/encrypted traffic
ACI Consumption Model
Interface Configuration
Fabric | Access Policies
• VLANs
• Domains
• AAEP
• Interface Policies
• Leaf Policy Groups
• Leaf Profiles
• Switch Profiles
Interface Consumption
Tenants
• Tenants
• VRFs
• Route Leaking
• L2/L3out
• Bridge Domains
• EPGs
• Contracts
Step 1: Configure the network interfaces
Logical Model (configuration defined):
• Pools: list of VLANs, VXLANs etc
• Domains: where VLANs, VXLANs etc are consumed
• AAEP: collection of allowed VLANs, VXLANs etc
• Leaf Interfaces Policy Groups: interface type and settings
• Interface Policies: interface settings
• Leaf Interfaces Profiles: collection of interface IDs
• Interface Selectors: interface IDs
• Leaf Switches Profiles: collection of switches
Concrete Model (configuration applied)
• Security Domains: restricts VLANs, switches, interfaces, tenants
• Tenants: VRFs, subnets, security rules etc
Option 1: Leaf Profiles aligned to switches (Leaf Profile mapped to switches; used to configure additional interfaces on Leaf switches)
• Pools: all_vlans
• Domains: physical_servers, Ciscolive-vds-01
• AAEP: all_vlans
• Interface Policies: cdp-enabled
• Leaf Policy Groups: Linux_Hosts (Interface Selectors 1/11, 1/12, 1/13…), ESX_Hosts (Interface Selectors 1/1, 1/2, 1/3…), Windows_Hosts (Interface Selectors 1/21, 1/22, 1/23…)
• Interface Policies, Leaf Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106
• Switch Policies, Leaf Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106
Option 2: Leaf Profiles aligned to the attached device, i.e. ESX_Hosts (Leaf Profile mapped to switches; used to configure additional Leaf switches with the selected Leaf Profile)
• Pools: all_vlans
• Domains: Ciscolive-vds-01
• AAEP: all_vlans
• Interface Policies: cdp-enabled
• Leaf Policy Groups: ESX_Hosts (Interface Selectors 1/1, 1/2, 1/3…)
• Interface Policies, Leaf Profiles: ESX_Hosts
• Switch Policies, Leaf Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106
Step 2: Use the network interfaces
How should you design your Tenants…?
There are four options…
Option 1: VRF vrf-01, Bridge Domain, Application Profile and EPG all in Tenant common. Typically used when RBAC isn’t a strong requirement and one team owns all the configuration.
Option 2: VRF vrf-01 and Bridge Domain in Tenant common; Application Profile and EPG in Tenant Ciscolive. VRFs and subnets are all in the Common Tenant – this means that any Tenant can use any subnet.
Option 3: VRF vrf-01 in Tenant common; Bridge Domain, Application Profile and EPG in Tenant Ciscolive. VRFs are available to all Tenants, however subnets are specific to a given Tenant.
Option 4: VRF vrf-01, Bridge Domain, Application Profile and EPG all in Tenant Ciscolive. VRFs and subnets are dedicated to an individual Tenant – typically this is tied into RBAC rules for access to APIC from multiple teams.
Where should you “place” Contracts and Filters…?
Option 1: Contract and Filter both in Tenant common (VRF vrf-01). Typically used when RBAC isn’t a strong requirement and one team owns all the configuration.
Option 2: Filter in Tenant common (VRF vrf-01); Contract in Tenant Ciscolive. Filters in the Common Tenant allow any Tenant to consume them in their contracts.
Option 3: VRF vrf-01 in Tenant common; Contract and Filter in Tenant Ciscolive. Contracts and Filters in a “user” tenant with shared networking.
Option 4: Contract and Filter both in Tenant Ciscolive (VRF vrf-01). Contracts and Filters in a “user” tenant with private networking.
Step 3: Should you use Network Centric mode or Application Centric mode…?
What is meant by Network Centric mode and Application Centric mode…?
• Network Centric mode [naming] or Application Centric mode [naming] are simply terms to describe how the ACI network configuration is named, for example is a VLAN named “VLAN-10” or is a VLAN named “Web”
• Having the network configuration named after network objects (subnets/VLANs) is the traditional way of configuring a network
• Having the network configuration named after applications running on the network provides improved application visibility, simpler troubleshooting, and simpler auditing
• An application may represent an actual application such as “online banking”, or it may represent an infrastructure service such as “ESX infrastructure”
• Typically customers use Network Centric mode [naming] to describe legacy VLANs and subnets, and Application Centric mode [naming] to describe applications on the network
• Both naming modes can be used concurrently
There are only three deployment options for Bridge Domains (subnets) and EPGs
Option 1: Single EPG on a Single BD with a Single Subnet – “Standard Networking”
Tenant: Ciscolive, VRF: vrf-01
Application Profile: MyApp
• EPG: Web; vDS: Ciscolive-vds-01, VLAN: dynamic (vDS Portgroup Ciscolive:MyApp:Web); BD: 192.168.10.x_24, GW: 192.168.10.1/24, Advertise Externally: Yes
• EPG: App; vDS: Ciscolive-vds-01, VLAN: dynamic (vDS Portgroup Ciscolive:MyApp:App); BD: 192.168.11.x_24, GW: 192.168.11.1/24, Advertise Externally: Yes
• EPG: DB; Path: 101/1/1-2, VLAN: 12; BD: 192.168.12.x_24, GW: 192.168.12.1/24, Advertise Externally: Yes
Option 2: Multiple EPGs on a Single BD with a Single Subnet – µSegmentation in IP space
Tenant: Ciscolive, VRF: vrf-01
Application Profile: MyApp
• EPG: Web; vDS: Ciscolive-vds-01, VLAN: dynamic (vDS Portgroup Ciscolive:MyApp:Web)
• EPG: App; vDS: Ciscolive-vds-01, VLAN: dynamic (vDS Portgroup Ciscolive:MyApp:App)
• EPG: DB; Path: 101/1/1-2, VLAN: 12
All three EPGs share a single BD: 192.168.10.x_24, GW: 192.168.10.1/24, Advertise Externally: Yes
Option 3: Multiple EPGs on a Single BD with Multiple Subnets – IP secondary
Tenant: Ciscolive, VRF: vrf-01
Application Profile: MyApp
• EPG: Web; vDS: Ciscolive-vds-01, VLAN: dynamic (vDS Portgroup Ciscolive:MyApp:Web); servers in either 192.168.10.x or 192.168.11.x subnets
• EPG: App; vDS: Ciscolive-vds-01, VLAN: dynamic (vDS Portgroup Ciscolive:MyApp:App); servers in either 192.168.10.x or 192.168.11.x subnets
• EPG: DB; Path: 101/1/1-2, VLAN: 12
All three EPGs share a single BD: multiple_subnets, GW: 192.168.10.1/24 and GW: 192.168.11.1/24, Advertise Externally: Yes
How would I migrate from “Network Centric” mode [naming] to “Application Centric” mode [naming]…?
Why change what’s already working…?
How long will it take to migrate…?
What will be the operational impact…?
How will you discover your application dependencies…?
Migrating from Network Centric [Naming] to Application Centric [Naming]
Tenant: common; VRF: vrf-01
Tenant: Classic; Application Profile: 192.168.10.x_24; EPG (VLAN): VLAN-10; BD: 192.168.10.x_24
Tenant: Production; Application Profile: Online-Banking; EPGs (VLAN): Web, App, DB; Contracts between Outside, Web, App and DB
Contracts and/or Firewalls between different security zones
Tenant: Production
Application Profiles: Online-Banking, Investment-Banking; each has an EPG (VLAN) in every security zone:
• High Security: Web
• Medium Security: App
• Low Security: DB
Secure contracts between zones; optional default contract within a zone
Let’s quickly spin up an environment on a simulator
Use Case: #1
Interface configuration using UCSD
Tools, tools, and more tools…!
[Slide: OSI layers Physical, Data Link, Network, Transport, Session, Presentation, Application, with Interfaces, Routing and Access Lists marked against them]
Is interface configuration “core” to networking…?
Why choose UCS Director for automation…?
Pros:
• Off the shelf commercial product with full support
• Drag and Drop Workflow Orchestrator with Rollback
• ~250 ACI Tasks Out of the Box
• End User Portal for Catalogue Consumption
• Support for Cisco and non-Cisco products – Compute, Network, Storage, VM Deployment etc.
• Extensive Northbound API
Cons:
• Some Scripting (JavaScript) may be required for Extensibility Beyond OOB Tasks
Why automate interface configuration…?
Could the interface configuration be delegated to the “server/infrastructure” team…?
Configuring network interfaces is a time consuming and repetitive task that is prone to human error
Should interface configuration be considered a “core” role of the network team…?
Use case #1: Interface Configuration using UCSD
Required parameters:
• Leaf(s) ID
• Interface ID
• Interface Description
• Server type
Predefined parameters:
• Leaf Switch Profile
• Leaf Interfaces Profiles
• Leaf Interface Policy Groups
• Leaf Interface Policies
• AAEP
• Domain
• VLAN Pool
• Pools: all_vlans
• Domains: physical_servers, Ciscolive-vds-01
• AAEP: all_vlans
• Interface Policies: cdp-enabled
• Leaf Policy Groups: Linux_Hosts, ESX_Hosts, Windows_Hosts
• Interface Policies, Leaf Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106 (Leaf Profiles aligned to switches; Leaf Profile mapped to switches; used to configure additional interfaces on Leaf switches)
• Switch Policies, Leaf Profiles: Leafs_101_and_102, Leafs_103_and_104, Leafs_105_and_106
• Interface Selectors: 1/1, 1/2, 1/3 … 1/46, 1/47, 1/48, each with its own Description
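What the UCSD workflow above has to produce for each request is one interface selector under the right leaf interface profile, pointed at the policy group for the server type. The following is an added example (mine, not the session's or UCSD's) that builds and validates that APIC JSON offline; the class names infraAccPortP, infraHPortS, infraPortBlk and infraRsAccBaseGrp, the DN layout and the leaf-to-profile mapping are my assumptions about the ACI object model and the session's design, to be checked against https://{{apic}}/doc/html on the target fabric.

```python
"""Build the APIC JSON payload for use case #1: add one interface
selector (with description) to a leaf interface profile and bind it to a
predefined interface policy group chosen by server type.
Assumed ACI classes: infraAccPortP > infraHPortS > infraPortBlk,
infraRsAccBaseGrp.  Verify against the APIC's own /doc/html."""
import json
import re

# Predefined objects from the session's design (assumed mapping).
POLICY_GROUP_BY_SERVER_TYPE = {
    "linux": "Linux_Hosts",
    "esx": "ESX_Hosts",
    "windows": "Windows_Hosts",
}
LEAF_PROFILE_BY_LEAF = {
    101: "Leafs_101_and_102", 102: "Leafs_101_and_102",
    103: "Leafs_103_and_104", 104: "Leafs_103_and_104",
    105: "Leafs_105_and_106", 106: "Leafs_105_and_106",
}
_PORT_RE = re.compile(r"^(\d{1,2})/(\d{1,2})$")
# Whitelist for the free-text description: it lands inside a JSON attribute
# of a privileged API call, so reject odd characters instead of escaping.
_DESCR_RE = re.compile(r"^[A-Za-z0-9 _.:/-]{0,128}$")


def parse_port(interface_id: str):
    """'1/11' -> (card=1, port=11); reject anything that is not card/port."""
    m = _PORT_RE.match(interface_id)
    if not m:
        raise ValueError(f"bad interface id {interface_id!r}")
    card, port = int(m.group(1)), int(m.group(2))
    if card < 1 or not 1 <= port <= 48:   # assumed 48-port leaf
        raise ValueError(f"interface {interface_id} out of range")
    return card, port


def build_interface_payload(leaf_id: int, interface_id: str,
                            description: str, server_type: str) -> dict:
    """Return the infraAccPortP subtree for a single interface selector."""
    if leaf_id not in LEAF_PROFILE_BY_LEAF:
        raise ValueError(f"leaf {leaf_id} has no interface profile")
    pg = POLICY_GROUP_BY_SERVER_TYPE.get(server_type.lower())
    if pg is None:
        raise ValueError(f"unknown server type {server_type!r}")
    if not _DESCR_RE.match(description):
        raise ValueError("description contains disallowed characters")
    card, port = parse_port(interface_id)
    profile = LEAF_PROFILE_BY_LEAF[leaf_id]
    selector = f"eth{card}_{port}"          # predictable name, easy to audit
    return {
        "infraAccPortP": {
            "attributes": {"dn": f"uni/infra/accportprof-{profile}",
                           "name": profile},
            "children": [{
                "infraHPortS": {
                    "attributes": {"name": selector, "type": "range",
                                   "descr": description},
                    "children": [
                        {"infraPortBlk": {"attributes": {
                            "name": "blk1", "descr": description,
                            "fromCard": str(card), "toCard": str(card),
                            "fromPort": str(port), "toPort": str(port)}}},
                        {"infraRsAccBaseGrp": {"attributes": {
                            "tDn": f"uni/infra/funcprof/accportgrp-{pg}"}}},
                    ],
                }
            }],
        }
    }


def post_url(apic_host: str, payload: dict) -> str:
    """The DN carried in the payload is also the POST target."""
    dn = payload["infraAccPortP"]["attributes"]["dn"]
    return f"https://{apic_host}/api/node/mo/{dn}.json"


if __name__ == "__main__":
    body = build_interface_payload(101, "1/11", "srv-lnx-01", "linux")
    print(post_url("apic", body))
    print(json.dumps(body, indent=2))
```

Posting the same payload twice is harmless because the selector name is derived from the port, which is what makes the UCSD rollback (deleting that selector) predictable.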
Let’s see UCSD in action…
Quick step by step walkthrough…
What happens on the ACI fabric…?
Note the SR for rollback purposes
How do I remove the configuration…?
What happens behind the scenes…?
What does the UCSD configuration look like…?
To really get the most out of automation we need to understand the ACI Policy Model and how to use the API
What is the ACI Policy Model…?
The ACI policy model enables the specification of application requirements policies. The APIC automatically renders policies in the fabric infrastructure.
When a user or process initiates an administrative change to an object in the fabric, the APIC first applies that change to the policy model. This policy model change then triggers a change to the actual managed endpoint.
This approach is called a model-driven framework.
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI-Fundamentals_chapter_010001.html
https://{{apic}}/
Managed Objects
Policy Universe: AAA, Security; Tenants (User, Common …); APIC Controllers; Layer 4-7 Services; Fabric, Access, Inventory …; VM Domains …
Tenant: Application Profile (EPG); Bridge Domain (Subnet); VRF; Outside Network; Contract (Subject); Filter
The HTTP methods that we invoke are: POST, GET, DELETE
Object data can be accessed in different ways, either by calling the object Class (e.g. all fvBD) or by calling an object by name (e.g. tn-Ciscolive)
Managed Objects
https://{{apic}}/api/node/mo/uni/{{dn}}.json?{{filter}}
Distinguished Name – Name of Object
• tn-{{name}}
• tn-{{name}}/BD-{{name}}
• tn-{{name}}/ap-{{name}}
• tn-{{name}}/ap-{{name}}/epg-{{name}}
• …
https://{{apic}}/api/node/class/{{class}}.json?{{filter}}
Object Class – Types of Object
• fvTenant – Tenant
• fvBD – Bridge Domain
• fvAp – Application Profile
• fvAEPg – EPG
• …
How do I understand all the MOs…?
You could read the documentation, but….
https://{{apic}}/doc/html
….Postman and visore are your friends…!
https://{{apic}}/visore.html
Targeting Queries
Query Target Filters – Single object retrieved
https://{{apic}}/api/node/mo/uni/tn-common/BD-192.168.10.0_24.json?query-target=self
Query Target Filters – List of Twelve objects retrieved
https://{{apic}}/api/node/mo/uni/tn-common/BD-192.168.10.0_24.json?query-target=children
Query Target Filters – List of Fourteen objects retrieved
https://{{apic}}/api/node/mo/uni/tn-common/BD-192.168.10.0_24.json?query-target=subtree
rsp-subtree – Tree of objects retrieved
https://{{apic}}/api/node/mo/uni/tn-common/BD-192.168.10.0_24.json?rsp-subtree=full
Audience quiz time…..!!
Advanced Queries
https://{{apic}}/api/node/class/fvAEPg.json?query-target=subtree&query-target-filter=and(wcard(fvRsBd.tnFvBDName,"10.52.249.96_27"))
https://{{apic}}/api/node/class/fvBD.json?query-target=subtree&query-target-filter=and(eq(fvRsBDToOut.tnL3extOutName,"OSPF_to_external_vrf-global"))
https://{{apic}}/api/node/class/fvIfConn.json?query-target-filter=and(eq(fvIfConn.encap,"vlan-8"))
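As an added example (not from the deck or the speakers' repositories), the following Python builds the mo and class query URLs shown above with the query-target, query-target-filter and rsp-subtree parameters, and flattens the imdata envelope an APIC returns. The reply it parses is constructed, and the hostname apic.example.net is a placeholder.

```python
"""Build APIC REST query URLs and read the imdata response envelope.

Added example, not from the session slides or the speakers' repositories.
The /api/node/mo and /api/node/class URL shapes, the query-target,
query-target-filter and rsp-subtree parameters and the imdata/totalCount
envelope are the APIC REST API as the deck shows it; the reply below is
constructed, not captured from a fabric.
"""
import json
from urllib.parse import urlencode


def eq(prop: str, value: str) -> str:
    """Exact-match term, e.g. eq(fvIfConn.encap,"vlan-8")."""
    return f'eq({prop},"{value}")'


def wcard(prop: str, value: str) -> str:
    """Wildcard (substring) term, e.g. wcard(fvRsBd.tnFvBDName,"10.52")."""
    return f'wcard({prop},"{value}")'


def and_(*terms: str) -> str:
    """Combine terms the way the deck's filters do: and(term,term,...)."""
    return "and(" + ",".join(terms) + ")"


def _query_string(params: dict) -> str:
    # Python keyword names use '_' where the APIC expects '-'
    # (query_target_filter -> query-target-filter). Unset params are dropped.
    cleaned = {k.replace("_", "-"): v for k, v in params.items() if v is not None}
    # Keep the filter grammar characters readable; everything else is encoded.
    return "?" + urlencode(cleaned, safe='(),."') if cleaned else ""


def mo_url(apic: str, dn: str, **params: str) -> str:
    """Address one managed object by distinguished name (uni/tn-.../BD-...)."""
    return f"https://{apic}/api/node/mo/{dn}.json" + _query_string(params)


def class_url(apic: str, cls: str, **params: str) -> str:
    """Address every object of a class (fvBD, fvAEPg, fvIfConn, ...)."""
    return f"https://{apic}/api/node/class/{cls}.json" + _query_string(params)


def parse_imdata(body: str) -> list:
    """Flatten {"totalCount": "n", "imdata": [{"<class>": {"attributes": {...}}}]}
    into one flat dict per object ("class" plus its attributes) and refuse a
    reply whose declared totalCount does not match what was actually returned."""
    doc = json.loads(body)
    objects = []
    for item in doc.get("imdata", []):
        ((cls, payload),) = item.items()        # exactly one class key per imdata item
        objects.append({"class": cls, **payload.get("attributes", {})})
    declared = int(doc.get("totalCount", len(objects)))
    if declared != len(objects):
        raise ValueError(f"totalCount={declared} but {len(objects)} objects returned")
    return objects


# Constructed reply to a query-target=subtree query on the BD used in the deck,
# trimmed to two objects so the envelope shape stays visible.
SAMPLE_REPLY = json.dumps({
    "totalCount": "2",
    "imdata": [
        {"fvBD": {"attributes": {"dn": "uni/tn-common/BD-192.168.10.0_24",
                                 "name": "192.168.10.0_24", "unicastRoute": "yes"}}},
        {"fvSubnet": {"attributes": {"dn": "uni/tn-common/BD-192.168.10.0_24/subnet-[192.168.10.1/24]",
                                     "ip": "192.168.10.1/24", "scope": "public"}}},
    ],
})


if __name__ == "__main__":
    print(mo_url("apic.example.net", "uni/tn-common/BD-192.168.10.0_24", query_target="children"))
    print(class_url("apic.example.net", "fvAEPg", query_target="subtree",
                    query_target_filter=and_(wcard("fvRsBd.tnFvBDName", "10.52.249.96_27"))))
    for obj in parse_imdata(SAMPLE_REPLY):
        print(obj["class"], obj["dn"])
```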
https://github.com/spsharman/ | https://github.com/rwhitear42
Use Case: #2
Bridge Domain configuration using Postman and Runner
Tools, tools, and more tools…!
Is routing configuration “core” to networking…?
[Figure: the OSI layers Physical, Data Link, Network, Transport, Session, Presentation and Application, with the “core” networking tasks Interfaces, Routing and Access Lists alongside.]
Why use Postman…?
Pros:
• No/little scripting experience required
• Both network and server operating systems can be managed
• It’s extremely easy to use
Cons:
• Some knowledge of JSON/XML required
Step 1: Build your required object(s) in the GUI
[Figure: the objects built in the GUI. Tenant Ciscolive, VRF vrf-01; Application Profile MyApp with EPGs Web, App and DB (each on vDS Ciscolive-vds-01, VLAN dynamic) attached to BDs 192.168.10.x_24 (GW 192.168.10.1/24), 192.168.11.x_24 (GW 192.168.11.1/24) and 192.168.12.x_24 (GW 192.168.12.1/24), all with Advertise Externally: Yes. The vDS portgroups Ciscolive:MyApp:Web, Ciscolive:MyApp:App and Ciscolive:MyApp:DB carry the VMs. Tenant Common, VRF vrf-01, route-leaks 0.0.0.0/0 towards the external switches 6ka and 6kb (VRF global).]
Step 2: Save your configuration
Step 3: Prettify your JSON
Step 4: Understand/modify the code
Annotations on the saved JSON:
• Application Profile – “path” to the Application Profile; Application Profile name
• Children of the Application Profile:
  • Endpoint Group – Endpoint Group name
  • Children of the Endpoint Group:
    • Provided Contract – Contract name
    • Domain – Domain name (VMM)
    • Bridge Domain – Bridge Domain name
Step 5: Create Postman environment
Step 6: POST the modified content back to APIC
https://{{apic}}/api/node/mo/.json?rsp-subtree=modified
We can now use Runner to make bulk changes
Step 7: Select parameters to use as variables
• Application Profile – “path” to the Application Profile (variable); Application Profile name (variable); new “status” object (variable)
• Endpoint Group – “path” to the Endpoint Group (variable); Endpoint Group name (variable); new “status” object (variable)
• Provided Contract – Contract name (variable)
• Domain – Domain name (VMM) (variable)
• Bridge Domain – Bridge Domain name (variable)
Step 8: Create a variable file
Options for each of the two “status” variables (Application Profile and Endpoint Group):
• created
• created,modified
• deleted
Step 9: Create a POST and Insert JSON with variables
Step 10: Select file with input variables
Step 11: Monitor output
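The Runner steps above, as an added Python example rather than the session's Postman collection: one fvAp/fvAEPg body per row of a constructed variable file, with the status values restricted to those listed in Step 8. The class names follow the APIC object model; the VMM domain is assumed to be a VMware domain (uni/vmmp-VMware/dom-<name>), and the contract names in the rows are constructed.

```python
"""Render Postman Runner-style POST bodies for the Use Case #2 objects.

Added example, not the session's Postman collection. It reproduces what
Runner does with a data file: one request per row, every {{variable}} taken
from that row, so the Application Profile / EPG JSON from Steps 4-7 can be
created, modified or deleted in bulk. Class names (fvAp, fvAEPg, fvRsProv,
fvRsDomAtt, fvRsBd) and the status values follow the APIC object model; the
rows are constructed, and the VMM domain is assumed to be VMware
(uni/vmmp-VMware/dom-<name>).
"""
import json

# Step 6: the DN travels in the body, so the URL names no object.
POST_URL = "https://{apic}/api/node/mo/.json?rsp-subtree=modified"

# Step 8: the only values the variable file may carry for a "status" variable.
ALLOWED_STATUS = ("created", "created,modified", "deleted")


def valid_status(value: str) -> bool:
    return value in ALLOWED_STATUS


def build_ap_payload(row: dict) -> dict:
    """Step 7 template with the variables filled from one data-file row."""
    for key in ("ap_status", "epg_status"):
        if not valid_status(row[key]):
            raise ValueError(f"{key}={row[key]!r}; expected one of {ALLOWED_STATUS}")
    ap_dn = f"uni/tn-{row['tenant']}/ap-{row['ap_name']}"     # "path" to the Application Profile
    epg_dn = f"{ap_dn}/epg-{row['epg_name']}"                  # "path" to the Endpoint Group
    epg = {
        "fvAEPg": {
            "attributes": {"dn": epg_dn, "name": row["epg_name"], "status": row["epg_status"]},
            "children": [
                {"fvRsProv": {"attributes": {"tnVzBrCPName": row["contract"]}}},   # provided contract
                {"fvRsDomAtt": {"attributes": {"tDn": f"uni/vmmp-VMware/dom-{row['vmm_domain']}"}}},  # VMM domain
                {"fvRsBd": {"attributes": {"tnFvBDName": row["bd_name"]}}},        # bridge domain
            ],
        }
    }
    return {
        "fvAp": {
            "attributes": {"dn": ap_dn, "name": row["ap_name"], "status": row["ap_status"]},
            "children": [epg],
        }
    }


def render_runner(apic: str, rows: list) -> list:
    """One (url, json_body) pair per row, in data-file order, as Runner would send them."""
    return [(POST_URL.format(apic=apic), json.dumps(build_ap_payload(r))) for r in rows]


# Constructed variable file (Step 8) for the three EPGs of Step 1. The AP row
# uses "created,modified" so the same file can be re-run once the AP exists.
SAMPLE_ROWS = [
    {"tenant": "Ciscolive", "ap_name": "MyApp", "ap_status": "created,modified",
     "epg_name": "Web", "epg_status": "created", "contract": "permit_to_MyApp_Web",
     "vmm_domain": "Ciscolive-vds-01", "bd_name": "192.168.10.x_24"},
    {"tenant": "Ciscolive", "ap_name": "MyApp", "ap_status": "created,modified",
     "epg_name": "App", "epg_status": "created", "contract": "permit_to_MyApp_App",
     "vmm_domain": "Ciscolive-vds-01", "bd_name": "192.168.11.x_24"},
    {"tenant": "Ciscolive", "ap_name": "MyApp", "ap_status": "created,modified",
     "epg_name": "DB", "epg_status": "created", "contract": "permit_to_MyApp_DB",
     "vmm_domain": "Ciscolive-vds-01", "bd_name": "192.168.12.x_24"},
]


if __name__ == "__main__":
    for url, body in render_runner("apic.example.net", SAMPLE_ROWS):
        print("POST", url)
        print(body)
```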
Bridge Domains – before Runner
Postman Runner BD Video
Bridge Domains – after Runner
Use Case: #3
Contract configuration using Ansible
Tools, tools, and more tools…!
Is ACL configuration “core” to networking…?
[Figure: the OSI layers Physical, Data Link, Network, Transport, Session, Presentation and Application, with the “core” networking tasks Interfaces, Routing and Access Lists alongside.]
Configuring Contracts is a function typically executed by the network team; however, the rules are requested by the application team.
Therefore, why not allow the application team to automatically configure their own rules…?
Contracts are similar to ACL or firewall entries
[Figure: a Contract drawn as the ACL entry “permit ubuntu-01 ubuntu-02 tcp 5201” between Inside and Outside. EPG portgroup-01 (vDS Ciscolive-vds-01, VLAN dynamic) holds ubuntu-01 and is the Consumer; EPG portgroup-02 (vDS Ciscolive-vds-01, VLAN dynamic) holds ubuntu-02 and is the Provider of Contract permit_to_portgroup-02.]
Contract components
• Contract: permit_to_{{ prov_ap_name }}_{{ prov_epg_name }}
  Options: Scope, QoS, DSCP, Tag
• Subject: {{ subj_name }}
  Options: Apply Both Directions, Reverse Filter Ports, Service Graph, QoS, DSCP
• Filter: {{ subj_name }}_src_any_to_dst_tcp_{{ dst_port }}
  Options: Tag
• Entries: any | {{ dst_port }}
  Options: Src / Dst ports, Flags, Stateful
Filters may have more than one entry
Contracts may have more than one Subject
Where should you “place” Contracts and Filters…?
• Contract and Filter in Tenant common (VRF vrf-01) – typically used when RBAC isn’t a strong requirement and one team owns all the configuration
• Filter in Tenant common (VRF vrf-01), Contract in Tenant Ciscolive – Filters in the Common Tenant allow any Tenant to consume them in their contracts
• Contract and Filter in Tenant Ciscolive, VRF vrf-01 in Tenant common – Contracts and Filters in a “user” tenant with shared networking
• Contract and Filter in Tenant Ciscolive (VRF vrf-01) – Contracts and Filters in a “user” tenant with private networking
Prior to this presentation we deployed a new WordPress application in our lab
Two Tier WordPress Application
[Figure: Tenant Common, VRF vrf-01. Application Profile wpCL19_631 with EPG WSERVER_1 on BD 10.52.249.96_27 (GW 10.52.249.97) and EPG DSERVER_1 on BD 192.168.3.x_24 (GW 192.168.3.1/24), both on vDS Ciscolive-vds-01 with VLAN dynamic and Advertise Externally: Yes. The vDS portgroups Ciscolive:wpCL19_631:WSERVER_1 and Ciscolive:wpCL19_631:DSERVER_1 carry the VMs.]
...but our application is failing…
Error establishing a database connection
[Figure: Tenant Common, VRF vrf-01. Application Profile MyApp with EPG WSERVER_1 on BD 10.52.249.96_27 (GW 10.52.249.97) and EPG DSERVER_1 on BD 192.168.3.x_24 (GW 192.168.3.1/24), both on vDS Ciscolive-vds-01 with VLAN dynamic and Advertise Externally: Yes; portgroups Ciscolive:wpCL631:WSERVER_1 and Ciscolive:wpCL631:DSERVER_1. One VM in each EPG: 10.52.249.123 (web) and 192.168.3.119 (database).]
We have a couple of Ansible Playbooks that can help diagnose and fix the issue…
How did we start writing the playbook to automate adding connectivity…?
First things first…
1. Gather minimum required information (User supplied)
   1. Source IP address
   2. Destination IP address
   3. Protocol Type
   4. Port to be opened
2. Use Postman and visore to gather and test the required API calls
3. Define the list of tasks (Plays) to perform
4. Check whether there are existing Ansible modules available to perform the tasks
5. Use the aci_rest module for everything else
6. Start writing the Playbook…!
7. Learn to hate the indentation used by YAML
8. Start again with individual Plays
9. Merge the Plays into a Playbook
Now let’s start filling in the blanks…!
What is Ansible…?
• Open Source
• Automation, Configuration & Orchestration
• Most *NIX flavors can be control machine
  • Windows Not Supported
• Can manage different systems
  • ACI, IOS, NX-OS, IOS-XR
• Version 2.7.5
  • ACI support – 2.4
• Agentless, Push Model
• Idempotent
• YAML based
Why use Ansible…?
Pros:
• No/little scripting experience required
• Both network and server operating systems can be managed
• Inbuilt modules for many devices to be managed (Not just ACI)
• Idempotence
Cons:
• Some knowledge of JSON/XML required
Ansible Components
• Control Machine – Used to configure and push playbooks/plays to target systems
• Target Systems – Systems we want Ansible to control/automate
• Inventory files – Text based host files for target systems
• INI or YAML based
• Playbook – Series of plays/automation tasks
• YAML based
• Modules – reusable scripts that perform tasks in Ansible
Ansible ACI Modules
• Perform specific tasks (Create Tenant/VRF/BD)
• Already installed when you install Ansible
• Written in Python
• Can develop your own modules
• 60 ACI modules as of 2.7
• To see all Ansible Modules – ansible-doc -l
• ACI specific ones – ansible-doc -l | grep ^aci
DEVNET-1797
again….Postman and visore are your friends…!
https://{{apic}}/visore.html
Use Postman to validate queries
Let’s look at the Playbook…
Ansible Playbook breakdown
```yaml
---
# Just a comment
- name: What do we want to execute against
  hosts: "{{ apic }}"
  connection: local
  gather_facts: no
  tasks:
    - name: Create Tenant
      aci_tenant:
        hostname: "{{ apic }}"
        username: "{{ apic_username }}"
        password: "{{ apic_password }}"
        tenant: "CiscoLive"
        description: "Tenant configured by Ansible"
        validate_certs: no
        state: present
```

Annotations on the slide:
• --- – Start of YAML
• # – Comment
• name – Name of Playbook
• hosts – Hosts from inventory
• connection: local – Connection is local to this host
• gather_facts – Collects information about targets
The scope of the Contract has been pre-defined
Prompt for user input
Define some Facts (Variables) to be used later
Use the aci_config_snapshot module to take a snapshot
Use the aci_rest module to discover the source IP/EPG mapping from the fvCEp Class
Extract the Tenant, App Profile and EPG name from the source dn
Use the aci_rest module to discover the destination IP/EPG mapping from the fvCEp Class
Extract the Tenant, App Profile and EPG name from the destination dn
Create a Filter based on the protocol type and destination port
Create a Filter entry based on the destination port
Create a Contract based on the destination Application Profile and EPG
Add the Subject and Filter to the Contract
Bind the Contract to the Provider EPG
Bind the Contract to the Consumer EPG
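The plays above, together with the naming convention from the Contract components slide, as an added Python example that is not the session's playbook: it validates the four user inputs, maps each IP to its EPG from a constructed fvCEp reply, and emits the aci_rest-style posts in play order. The class names and dn formats are the APIC object model; subj_name and the contract scope are caller choices, and the filter name generalises the deck's fixed tcp to the requested protocol.

```python
"""Plan the ACI objects the Use Case #3 playbook creates from the four values a
user supplies: source IP, destination IP, protocol and destination port.

Added example written in Python rather than Ansible; it is not the session's
playbook. It follows the plays in the deck's order: look each IP up in the
fvCEp class, split tenant / application profile / EPG out of the endpoint dn,
then derive the filter, entry, contract, subject and provider / consumer
bindings with the deck's naming convention. The fvCEp reply is constructed
(IPs taken from the WordPress slide); the object classes and dn formats are the
APIC object model; subj_name and the contract scope "context" (VRF) are caller
choices. The slide playbook sets validate_certs: no for the lab; keep
certificate validation on against a production APIC.
"""
import ipaddress
import re

# Endpoint dn: uni/tn-<tenant>/ap-<application profile>/epg-<epg>/cep-<mac>
EP_DN = re.compile(r"^uni/tn-(?P<tn>[^/]+)/ap-(?P<ap>[^/]+)/epg-(?P<epg>[^/]+)/cep-")

# Constructed stand-in for GET /api/node/class/fvCEp.json ("imdata" only).
FVCEP_IMDATA = [
    {"fvCEp": {"attributes": {"dn": "uni/tn-common/ap-wpCL19_631/epg-WSERVER_1/cep-00:50:56:00:00:01",
                              "ip": "10.52.249.123", "mac": "00:50:56:00:00:01"}}},
    {"fvCEp": {"attributes": {"dn": "uni/tn-common/ap-wpCL19_631/epg-DSERVER_1/cep-00:50:56:00:00:02",
                              "ip": "192.168.3.119", "mac": "00:50:56:00:00:02"}}},
]


def validate_request(src_ip, dst_ip, protocol, port):
    """Check the user-supplied values before any of them reaches an API call."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)  # raises on junk
    protocol = str(protocol).lower()
    if protocol not in ("tcp", "udp"):
        raise ValueError(f"protocol must be tcp or udp, got {protocol!r}")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return str(src), str(dst), protocol, port


def epg_for_ip(imdata, ip):
    """(tenant, ap, epg) of the EPG that learned `ip`, or None if nothing did."""
    for item in imdata:
        attrs = item["fvCEp"]["attributes"]
        match = EP_DN.match(attrs.get("dn", ""))
        if attrs.get("ip") == ip and match:
            return match.group("tn"), match.group("ap"), match.group("epg")
    return None


def plan_contract(imdata, src_ip, dst_ip, protocol, port, subj_name):
    """Return the aci_rest-style (path, content) posts, in play order."""
    src_ip, dst_ip, protocol, port = validate_request(src_ip, dst_ip, protocol, port)
    consumer, provider = epg_for_ip(imdata, src_ip), epg_for_ip(imdata, dst_ip)
    if consumer is None or provider is None:
        raise LookupError(f"no endpoint learned for {src_ip if consumer is None else dst_ip}")
    cons_tn, cons_ap, cons_epg = consumer
    prov_tn, prov_ap, prov_epg = provider
    contract = f"permit_to_{prov_ap}_{prov_epg}"                 # deck naming convention
    flt = f"{subj_name}_src_any_to_dst_{protocol}_{port}"         # deck convention, protocol generalised
    tn = f"uni/tn-{prov_tn}"                                      # filter and contract live with the provider
    objects = [
        ("vzFilter", f"{tn}/flt-{flt}", {"name": flt}),
        ("vzEntry", f"{tn}/flt-{flt}/e-{flt}",
         {"name": flt, "etherT": "ip", "prot": protocol, "dFromPort": str(port), "dToPort": str(port)}),
        ("vzBrCP", f"{tn}/brc-{contract}", {"name": contract, "scope": "context"}),   # scope assumed: VRF
        ("vzSubj", f"{tn}/brc-{contract}/subj-{subj_name}", {"name": subj_name, "revFltPorts": "yes"}),
        ("vzRsSubjFiltAtt", f"{tn}/brc-{contract}/subj-{subj_name}/rssubjFiltAtt-{flt}", {"tnVzFilterName": flt}),
        ("fvRsProv", f"uni/tn-{prov_tn}/ap-{prov_ap}/epg-{prov_epg}/rsprov-{contract}", {"tnVzBrCPName": contract}),
        ("fvRsCons", f"uni/tn-{cons_tn}/ap-{cons_ap}/epg-{cons_epg}/rscons-{contract}", {"tnVzBrCPName": contract}),
    ]
    return [(f"/api/node/mo/{dn}.json", {cls: {"attributes": {"dn": dn, **attrs}}})
            for cls, dn, attrs in objects]


if __name__ == "__main__":
    # The deck's closing step: open SSH from the Web server to the Database server.
    for path, content in plan_contract(FVCEP_IMDATA, "10.52.249.123", "192.168.3.119", "tcp", 22, "ssh"):
        print(path, content)
```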
Let’s open SSH from the Web server to the Database server
Application deployment using CloudCenter
Tools, tools, and more tools…!
What is “core” to networking…?
[Figure: the OSI layers Physical, Data Link, Network, Transport, Session, Presentation and Application, with the “core” networking tasks Interfaces, Routing and Access Lists alongside.]
Why use Cisco CloudCenter…?
Pros:
• Supports both public and private clouds
• Allows Application Teams to consume the network as part of the application deployment
• Allows the Application Teams to control access to their applications
• Both network and server operating systems can be managed
• Governance
• Rollback (application and network)
Cons:
• Less flexible naming convention
Summary
• There is no perfect automation tool
• Select the tool that best serves the requirements of your users
• Postman and visore are your friends to understand the API
• Automate time consuming, repetitive tasks
Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session
How:
1. Find this session in the Cisco Events Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
cs.co/ciscolivebot#BRKACI-2770
Complete your online session survey
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations
Continue Your Education
• Demos in the Cisco Showcase
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions
Thank you