How to setup an ACI fabric - clnv.s3.amazonaws.com · How to setup an ACI fabric from scratch -the...

How to setup an ACI fabric from scratch - the sequel

Ramses Smeyers, Technical Leader Services

Chris Paggen, Distinguished TME

BRKACI-2820

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How

cs.co/ciscolivebot#BRKACI-2004

• State of the fabric• Shared services through common tenant• Shared internet access through common tenant• Automating the fabric with Ansible• Export syslog messages• Use centralized authentication

Agenda


Our setup for the day

BRKACI-2820 5


State of the fabric• Fully formed cluster with infra NTP, mgmt. IP’s and RR

• Deployed access policy for• 2 bare metal servers• 1 UCS-C system with VMware• 1 UCS-B system with 2 VMware blades

• Deployed Cisco Live tenant• Created EPG’s with

• static paths towards bare metals• VMM domain binding

• Created L3out and established external connectivity for the existing EPG’s

BRKACI-2820 6

Live demo #1


Shared services through common tenant

Tenant: common Tenant: NTP

EPG: NTPProvider: sharedNTP

NTP server: 70.70.70.101/24

EPG: NTPConsumer: sharedNTP

NTP client:80.80.80.101/24

Contract: sharedNTP

VRF: NTPVRF: common

BRKACI-2820 8

Live demo #2


VRF: common

Shared internet access through common tenant

Tenant: common Tenant: InternetUser

L3out: InternetProvider:

sharedInternet

EPG: ClientConsumer:

sharedInternetInternet Client:

20.20.20.101/24

Contract: sharedInternet

VRF: InternetUser

BRKACI-2820 10

Leaf1 Eth 1/47Routed interface: 17.17.17.1/24

Router-id: 18.18.18.1

Bdsol-aci12-2901-01 Port Gig0/1Int Gig 0/1: 17.17.17.2/24

Route-id: 18.18.18.2

Live demo #3

Ansible


Automating the fabric with Ansible• Open-source configuration management, deployment and orchestration tool

• Can manage a wide range of systems: VMs, network devices, cloud instances, etc.

• Server-side component only: no agents on target systems• Strict push model (contrast with Puppet or Chef for example)

• All orchestration instructions are text-based and human-readable

• Uses Rest API to communicate with ACI

BRKACI-2820 13


Ansible – high-level architecture

• Inventory: target systems for automation• Playbook: a series of plays (automation

tasks)• Modules: accomplish specific tasks in

Ansible (e.g. install packages, configure ACI, etc.)

Inventory

Playbook

Modules

Ansible Config Python API

Targets

BRKACI-2820 14


Ansible 101

• Text-based hosts file lists all possible targets (the inventory)• Targets can be grouped arbitrarily (i.e. [all-web-servers]; [all-non-prod], etc.)

• Playbooks contain instructions (called ‘plays’) that execute on targets• E.g.: “install mariadb, patch a config file, restart mariadb” on [sql-servers]

• Playbooks can be structured to apply specific roles to targets• Each role then gets its own directory structure and its own plays (in main/tasks.yml)

• Ansible supports templating• Plays can use variable substitution (i.e. {{ global-proxy }} is replaced by whatever value

global-proxy is given in a variable file)

• Ansible is extensible via modules (450+)

• Ansible Galaxy is where the community contributes playbooks and modules

BRKACI-2820 15

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 16

Inventoryall:

hosts:apic1:

apic_host: 10.48.22.69apic_username: adminapic_password: ins3965!

vars:apic_use_proxy: noapic_validate_certs: notenants:- name: Ansible01

description: Ansible01 description- name: Ansible02

description: Ansible02 description

- name: Make ACI objectshosts: '*apic1'gather_facts: no

tasks:- name: Add a new tenant

aci_tenant:hostname: '{{ apic_host }}'username: '{{ apic_username }}'password: '{{ apic_password }}'use_proxy: '{{ apic_use_proxy }}'validate_certs: '{{

apic_validate_certs }}'tenant: '{{ item.name }}'description: '{{ item.description

}}'with_items: '{{ tenants }}'delegate_to: localhost

Playbook

BRKACI-2820


What will we do now ?• Create a playbook to create

• Tenants• Apps• Epgs

17BRKACI-2820


Lost of existing Ansible 2.5 modules - 48aci_aaa_user_certificate aci_access_port_to_interface_policy_leaf_profile aci_aepaci_aep_to_domain aci_ap aci_bd aci_bd_subnet aci_bd_to_l3out aci_config_rollbackaci_config_snapshot aci_contract aci_contract_subject aci_contract_subject_to_filteraci_domain aci_domain_to_encap_pool aci_domain_to_vlan_pool aci_encap_poolaci_encap_pool_range aci_epg_monitoring_policy aci_epg aci_epg_to_contractaci_epg_to_domain aci_filter_entry aci_filter aci_firmware_source aci_interface_policy_fcaci_interface_policy_l2 aci_interface_policy_leaf_policy_groupaci_interface_policy_leaf_profile aci_interface_policy_lldp aci_interface_policy_mcpaci_interface_policy_port_channel aci_interface_policy_port_securityaci_interface_selector_to_switch_policy_leaf_profile aci_l3out_route_tag_policy aci_restaci_switch_leaf_selector aci_switch_policy_leaf_profile aci_taboo_contractaci_tenant_action_rule_profile aci_tenant_ep_retention_policy aci_tenantaci_tenant_span_dst_group aci_tenant_span_src_groupaci_tenant_span_src_group_to_dst_group aci_vlan_pool_encap_block aci_vlan_pool aci_vrf

18BRKACI-2820


Exploring the aci_rest module• Why?

• You want to do a task for which there is no module• Existing modules lack support for your specific use-case

• Aci_rest• Allows to communicate directly with JSON/XML with the ACI Rest API from Ansible• Provide idem-potency

• How ? Let’s show you.

19BRKACI-2820


method: POST url: https://bdsol-aci12-apic1.cisco.com/api/node/mo/uni/tn-99_Customer01/ap-Sales.json payload{"fvAp":{"attributes":{"dn":"uni/tn-99_Customer01/ap-Sales","name":"Sales","rn":"ap-Sales","status":"created"},"children":[]}}

Create an application profileAPI Inspector output

aci_rest:<<: *aci_loginmethod: postpath: '/api/node/mo/uni/tn-99_Customer01/ap-Sales.json'content: |‘{"dn":"uni/tn-99_Customer01/ap-Sales","name":"Sales","rn":"ap-Sales"}’

delegate_to: localhost

BRKACI-2820 20

Network service insertion

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 22BRKACI-2820

Managed or unmanaged ?• Managed

• ACI orchestrates L4L7 device• L4L7 vendor provides device package• Device package exposes features to

ACI• Dependency on software versions on

ACI and L4L7 side• Requirements for vendor support

• Unmanaged• ACI stitches client and server EPG’s to

the L4L7 device• Then ACI gets out of the way• Native L4L7 vendor tools take over

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 23BRKACI-2820

What happens behind the scenes?Internal EPGs created by APIC

EPGWeb

EPGApp

ContractProvideConsume

Service Graph

Internal EPG

Internal EPGInternal Contracts Internal Contracts

User defined contract

Automatically created & pushed from APIC


Our setup

Windows client

App01

App02

App03

DB01

F5 Service Graph

EPG Web EPG App EPG DB

DB contract

2.2.2.201

Int: 2.2.2.11VIP: 2.2.2.10

Int: 7.7.7.11

7.7.7.201

7.7.7.202

7.7.7.203

7.7.7.101

BD Web BD Backend

BRKACI-2820 24

1/23 Leaf1

1/23 Leaf2

BigIP: 10.48.31.127

Live demo #4


Export syslog messages• Syslog server: 10.48.31.196

BRKACI-2820 26

Live demo #5


Use centralized authentication• As a user you have the choice between LDAP, Radius and TACACS+

• Demo will show integration with Microsoft AD through LDAP protocol

• Out-of-band

• LDAP server: 10.48.31.195

• Filter: default / cn=$userid

• Attribute: CiscoAVPair

• Bind DN: CN=Bind User,OU=ACI,DC=pod12,DC=local

• Base DN: OU=ACI,DC=pod12,DC=local

BRKACI-2820 28

Live demo #6


Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How

cs.co/ciscolivebot#BRKACI-2820


• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online.

Complete Your Online Session Evaluation


Continue Your Education• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions

32BRKACI-2820

Thank you

How to setup an ACI fabric - clnv.s3.amazonaws.com · How to setup an ACI fabric from scratch -the...

Documents

Transcript of How to setup an ACI fabric - clnv.s3.amazonaws.com · How to setup an ACI fabric from scratch -the...