How to setup an ACI fabric from scratch - the sequel
Ramses Smeyers, Technical Leader Services
Chris Paggen, Distinguished TME
BRKACI-2820
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKACI-2820
Agenda
• State of the fabric
• Shared services through common tenant
• Shared internet access through common tenant
• Automating the fabric with Ansible
• Export syslog messages
• Use centralized authentication
Our setup for the day
State of the fabric
• Fully formed cluster with infra NTP, management IPs and RR (the BGP route reflectors on the spines)
• Deployed access policy for
  • 2 bare metal servers
  • 1 UCS-C system with VMware
  • 1 UCS-B system with 2 VMware blades
• Deployed Cisco Live tenant
  • Created EPGs with
    • static paths towards the bare metals
    • VMM domain binding
• Created L3out and established external connectivity for the existing EPGs
Live demo #1
Shared services through common tenant

Tenant common (VRF common):
  EPG NTPProvider, providing contract sharedNTP
  NTP server: 70.70.70.101/24

Tenant NTP (VRF NTP):
  EPG NTPConsumer, consuming contract sharedNTP
  NTP client: 80.80.80.101/24

Provider and consumer sit in different tenants and VRFs, so the contract in common needs scope "global" and both bridge-domain subnets must be flagged "Shared between VRFs" so that each VRF learns the other side's route. A global-scope contract in common is visible to and consumable by every tenant, so keep such contracts limited to services that are really meant to be shared.
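The two conditions above (contract scope wide enough for the placement, subnets flagged shared on both sides) are easy to get wrong, because ACI's defaults are scope "context" and private subnets. The following checker is an added example written for this section, not code from the BRKACI-2820 deck or from Cisco; it uses the documented ACI object model (vzBrCP.scope, fvSubnet.scope) and the tenant and VRF names from the slide, while the bridge-domain gateway addresses are assumptions, since the slide only shows the endpoint addresses.

```python
"""Check a shared-service contract relationship for cross-VRF use.

Added example for the common-tenant NTP scenario; not code from the
BRKACI-2820 deck. Class names and attribute values (vzBrCP.scope,
fvSubnet.scope) are the documented ACI object model; the subnet gateway
addresses are assumptions, the slide only shows endpoint addresses.
"""

# Contract scopes from narrowest to widest. A contract only matches a
# consumer/provider pair that both fall inside its scope.
SCOPE_RANK = {"application-profile": 0, "context": 1, "tenant": 2, "global": 3}


def required_scope(provider, consumer):
    """Narrowest vzBrCP scope that covers the two EPG placements.

    provider/consumer: dicts with 'tenant' and 'vrf' keys.
    """
    if provider["tenant"] != consumer["tenant"]:
        return "global"          # e.g. provider in common, consumer in NTP
    if provider["vrf"] != consumer["vrf"]:
        return "tenant"
    return "context"


def subnet_is_shared(subnet_mo):
    """fvSubnet.scope is a comma-separated flag set, e.g. 'public,shared'."""
    flags = subnet_mo["fvSubnet"]["attributes"].get("scope", "private")
    return "shared" in {f.strip() for f in flags.split(",")}


def audit_shared_service(contract_mo, provider, consumer,
                         provider_subnet, consumer_subnet):
    """Return the list of findings; an empty list means the setup is consistent."""
    findings = []
    scope = contract_mo["vzBrCP"]["attributes"].get("scope", "context")
    needed = required_scope(provider, consumer)
    if SCOPE_RANK[scope] < SCOPE_RANK[needed]:
        findings.append(f"contract scope '{scope}' too narrow, needs '{needed}'")
    if needed != "context":
        # Route leaking between VRFs only happens for subnets flagged shared,
        # and it is needed in both directions for the return traffic.
        if not subnet_is_shared(provider_subnet):
            findings.append("provider BD subnet lacks 'shared': consumer VRF never learns it")
        if not subnet_is_shared(consumer_subnet):
            findings.append("consumer BD subnet lacks 'shared': provider VRF never learns it")
    return findings


def make_contract(name, scope):
    return {"vzBrCP": {"attributes": {"name": name, "scope": scope}}}


def make_subnet(gateway, scope):
    return {"fvSubnet": {"attributes": {"ip": gateway, "scope": scope}}}


# Placement from the slide: provider EPG in tenant common / VRF common,
# consumer EPG in tenant NTP / VRF NTP.
PROVIDER = {"tenant": "common", "vrf": "common"}
CONSUMER = {"tenant": "NTP", "vrf": "NTP"}

# Constructed samples. The first is what you get when sharedNTP is created
# with defaults (scope context, private subnets); the second is the working form.
WEAK = audit_shared_service(make_contract("sharedNTP", "context"), PROVIDER, CONSUMER,
                            make_subnet("70.70.70.1/24", "private"),    # assumed gateway
                            make_subnet("80.80.80.1/24", "private"))    # assumed gateway
FIXED = audit_shared_service(make_contract("sharedNTP", "global"), PROVIDER, CONSUMER,
                             make_subnet("70.70.70.1/24", "public,shared"),
                             make_subnet("80.80.80.1/24", "private,shared"))

if __name__ == "__main__":
    print("defaults:", WEAK or "ok")
    print("fixed:   ", FIXED or "ok")
```

Run against the defaults the checker reports three findings (scope, provider subnet, consumer subnet); the corrected objects produce none. The same function applies to the shared-internet case later in the deck, where the consumer again sits in another tenant.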
Live demo #2
Shared internet access through common tenant

Tenant common (VRF common):
  L3out Internet, providing contract sharedInternet
  Leaf1 Eth 1/47, routed interface: 17.17.17.1/24, router-id 18.18.18.1
  External router Bdsol-aci12-2901-01, interface Gig0/1: 17.17.17.2/24, router-id 18.18.18.2

Tenant InternetUser (VRF InternetUser):
  EPG Client, consuming contract sharedInternet
  Internet client: 20.20.20.101/24

As with the NTP example, the contract lives in common with scope "global". On the L3out side the external EPG subnet needs the "Shared Route Control" and "Shared Security Import" flags so that the external routes and the classification are leaked into VRF InternetUser, and the client's bridge-domain subnet needs "Advertised Externally" and "Shared between VRFs" so that it is announced to the external router. A 0.0.0.0/0 external subnet with shared security import exposes the whole Internet to every consuming tenant, which is the intent here but worth stating explicitly.
Live demo #3
Ansible
Automating the fabric with Ansible
• Open-source configuration management, deployment and orchestration tool
• Can manage a wide range of systems: VMs, network devices, cloud instances, etc.
• Server-side component only: no agents on target systems
• Strict push model (contrast with Puppet or Chef, for example)
• All orchestration instructions are text-based and human-readable
• Uses the REST API to communicate with ACI: the aci_* modules run on the control node and talk HTTPS to the APIC, which is why the tasks below are delegated to localhost
Ansible – high-level architecture
• Inventory: target systems for automation
• Playbook: a series of plays (automation tasks)
• Modules: accomplish specific tasks in Ansible (e.g. install packages, configure ACI, etc.)
[Diagram: Inventory, Playbook and Modules feed the Ansible engine (Ansible config, Python API), which acts on the Targets]
Ansible 101
• A text-based hosts file lists all possible targets (the inventory)
• Targets can be grouped arbitrarily (e.g. [all-web-servers], [all-non-prod], etc.)
• Playbooks contain instructions (called 'plays') that execute on targets
  • E.g.: "install mariadb, patch a config file, restart mariadb" on [sql-servers]
• Playbooks can be structured to apply specific roles to targets
  • Each role then gets its own directory structure and its own tasks (in tasks/main.yml)
• Ansible supports templating
  • Plays can use variable substitution (e.g. {{ global_proxy }} is replaced by whatever value global_proxy is given in a variable file; use underscores in variable names, since a hyphen inside {{ }} is read by Jinja2 as a subtraction)
• Ansible is extensible via modules (450+)
• Ansible Galaxy is where the community contributes playbooks and modules
Inventory

all:
  hosts:
    apic1:
      apic_host: 10.48.22.69
      apic_username: admin
      apic_password: ins3965!   # demo value; in practice store it with ansible-vault, not in clear text in the inventory
  vars:
    apic_use_proxy: no
    apic_validate_certs: no     # disables verification of the APIC certificate; set to yes once the APIC presents a certificate your CA trusts
    tenants:
      - name: Ansible01
        description: Ansible01 description
      - name: Ansible02
        description: Ansible02 description

Playbook

- name: Make ACI objects
  hosts: '*apic1'
  gather_facts: no
  tasks:
    - name: Add a new tenant
      aci_tenant:
        hostname: '{{ apic_host }}'
        username: '{{ apic_username }}'
        password: '{{ apic_password }}'
        use_proxy: '{{ apic_use_proxy }}'
        validate_certs: '{{ apic_validate_certs }}'
        tenant: '{{ item.name }}'
        description: '{{ item.description }}'
      with_items: '{{ tenants }}'
      delegate_to: localhost     # the module runs on the control node and talks to the APIC over HTTPS
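Underneath the aci_tenant module the playbook above is two REST calls: a login that returns a session token and a POST of an fvTenant object per tenant. The script below is an added example written for this section, not code from the deck or from the Ansible modules; it uses the documented ACI REST login flow (aaaLogin request, token in the reply, APIC-cookie header) and the host and tenant list from the slide, while CA_BUNDLE and the APIC_USER environment variable are assumptions. It shows the two things the slide's inventory skips: the password is prompted rather than written next to the playbook, and the TLS connection is verified instead of validate_certs: no.

```python
"""Create tenants through the APIC REST API the way the aci_* modules do.

Added example for the inventory/playbook above; not code from the
BRKACI-2820 deck or from the Ansible modules. The aaaLogin request, the
token in the reply and the APIC-cookie header are the documented ACI REST
login flow. APIC_HOST and the tenant list come from the slide; CA_BUNDLE
and the APIC_USER environment variable are assumptions.
"""
import getpass
import json
import os
import ssl
import urllib.request

APIC_HOST = "10.48.22.69"
CA_BUNDLE = "/etc/ssl/certs/apic-ca.pem"   # assumption: CA that issued the APIC certificate


def login_payload(username, password):
    """Body for POST /api/aaaLogin.json."""
    return {"aaaUser": {"attributes": {"name": username, "pwd": password}}}


def token_from_login_response(body):
    """The session token lives at imdata[0].aaaLogin.attributes.token."""
    doc = json.loads(body) if isinstance(body, (str, bytes)) else body
    return doc["imdata"][0]["aaaLogin"]["attributes"]["token"]


def tenant_path(name):
    return f"/api/node/mo/uni/tn-{name}.json"


def tenant_payload(name, description=""):
    """fvTenant MO. No 'status' attribute, so re-posting merges instead of failing."""
    return {"fvTenant": {"attributes": {"name": name, "descr": description}}}


def tls_context(ca_bundle=CA_BUNDLE):
    """Verify the APIC certificate against our CA (the fix for validate_certs: no)."""
    return ssl.create_default_context(cafile=ca_bundle)


def apic_post(host, path, payload, token=None, ctx=None):
    """POST JSON to the APIC; urllib keeps no cookie jar, so the token is set by hand."""
    req = urllib.request.Request(f"https://{host}{path}", method="POST",
                                 data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    if token:
        req.add_header("Cookie", f"APIC-cookie={token}")
    with urllib.request.urlopen(req, context=ctx or tls_context()) as resp:
        return json.loads(resp.read())


def create_tenants(host, username, password, tenants):
    """Log in once, then POST every tenant (the slide's with_items loop)."""
    ctx = tls_context()
    reply = apic_post(host, "/api/aaaLogin.json", login_payload(username, password), ctx=ctx)
    token = token_from_login_response(reply)
    for tenant in tenants:
        apic_post(host, tenant_path(tenant["name"]),
                  tenant_payload(tenant["name"], tenant.get("description", "")),
                  token=token, ctx=ctx)


if __name__ == "__main__":
    # Password is prompted, not stored next to the playbook.
    create_tenants(APIC_HOST, os.environ.get("APIC_USER", "admin"),
                   getpass.getpass("APIC password: "),
                   [{"name": "Ansible01", "description": "Ansible01 description"},
                    {"name": "Ansible02", "description": "Ansible02 description"}])
```

The APIC-cookie token expires after the refreshTimeoutSeconds value returned by aaaLogin, so a long playbook equivalent should re-login or call /api/aaaRefresh.json rather than reuse a stale token.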
What will we do now?
• Create a playbook to create
  • Tenants
  • Apps
  • EPGs
List of existing Ansible 2.5 modules (48):
aci_aaa_user_certificate, aci_access_port_to_interface_policy_leaf_profile, aci_aep, aci_aep_to_domain, aci_ap, aci_bd, aci_bd_subnet, aci_bd_to_l3out, aci_config_rollback, aci_config_snapshot, aci_contract, aci_contract_subject, aci_contract_subject_to_filter, aci_domain, aci_domain_to_encap_pool, aci_domain_to_vlan_pool, aci_encap_pool, aci_encap_pool_range, aci_epg_monitoring_policy, aci_epg, aci_epg_to_contract, aci_epg_to_domain, aci_filter_entry, aci_filter, aci_firmware_source, aci_interface_policy_fc, aci_interface_policy_l2, aci_interface_policy_leaf_policy_group, aci_interface_policy_leaf_profile, aci_interface_policy_lldp, aci_interface_policy_mcp, aci_interface_policy_port_channel, aci_interface_policy_port_security, aci_interface_selector_to_switch_policy_leaf_profile, aci_l3out_route_tag_policy, aci_rest, aci_switch_leaf_selector, aci_switch_policy_leaf_profile, aci_taboo_contract, aci_tenant_action_rule_profile, aci_tenant_ep_retention_policy, aci_tenant, aci_tenant_span_dst_group, aci_tenant_span_src_group, aci_tenant_span_src_group_to_dst_group, aci_vlan_pool_encap_block, aci_vlan_pool, aci_vrf
Exploring the aci_rest module
• Why?
  • You want to do a task for which there is no module
  • Existing modules lack support for your specific use-case
• aci_rest
  • Lets you talk to the ACI REST API directly from Ansible, with JSON or XML payloads
  • Provides idempotency: the module reports changed only when the object actually changed. Payloads carrying status "created" are the exception, because the second run fails on an object that already exists; leave status out (or use "modified") when you copy a payload from API Inspector
• How? Let's show you.
Create an application profile

API Inspector output:
  method: POST
  url: https://bdsol-aci12-apic1.cisco.com/api/node/mo/uni/tn-99_Customer01/ap-Sales.json
  payload: {"fvAp":{"attributes":{"dn":"uni/tn-99_Customer01/ap-Sales","name":"Sales","rn":"ap-Sales","status":"created"},"children":[]}}

The same call as an aci_rest task (the *aci_login alias merges in the hostname and credential arguments from an &aci_login anchor defined earlier in the playbook):

    - name: Create application profile Sales
      aci_rest:
        <<: *aci_login
        method: post
        path: '/api/node/mo/uni/tn-99_Customer01/ap-Sales.json'
        content: |
          {"fvAp":{"attributes":{"dn":"uni/tn-99_Customer01/ap-Sales","name":"Sales","rn":"ap-Sales"}}}
      delegate_to: localhost

The payload keeps the fvAp class wrapper from the Inspector output, since the API rejects an attribute dict without its class, and drops "status":"created" so the task can be re-run.
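Copying API Inspector output by hand is where the status "created" mistake creeps in, so the conversion is worth scripting. The helper below is an added example for the aci_rest section, not code from the deck or from the Ansible module: it takes the URL and payload captured by API Inspector (the slide's fvAp POST is embedded as the sample), strips the host, drops the status attribute from the whole object tree, removes the empty children list, and turns a captured "deleted" status into an HTTP DELETE instead of silently re-creating the object. The function and file names are mine.

```python
"""Convert an API Inspector capture into an idempotent aci_rest task.

Added example for the aci_rest section; not code from the BRKACI-2820 deck
or from the Ansible module. Rule implemented: a payload with status
"created" only succeeds once (the second run errors because the object
already exists), so status is dropped for create/modify and a captured
"deleted" becomes an HTTP DELETE of the same path.
"""
import json
import re


def strip_status(node):
    """Recursively remove the 'status' attribute from an MO tree."""
    if isinstance(node, dict):
        return {k: strip_status(v) for k, v in node.items() if k != "status"}
    if isinstance(node, list):
        return [strip_status(item) for item in node]
    return node


def path_from_dn(dn):
    return f"/api/node/mo/{dn}.json"


def inspector_to_aci_rest(url, payload):
    """Return the method/path/content fields for an aci_rest task."""
    path = re.sub(r"^https?://[^/]+", "", url)
    mo = json.loads(payload) if isinstance(payload, str) else payload
    cls = next(iter(mo))                       # e.g. 'fvAp'
    attrs = mo[cls].get("attributes", {})
    if "dn" in attrs and path != path_from_dn(attrs["dn"]):
        raise ValueError(f"URL path {path} does not match dn {attrs['dn']}")
    if attrs.get("status") == "deleted":
        return {"method": "delete", "path": path}
    clean = strip_status(mo)
    if not clean[cls].get("children"):          # Inspector emits an empty list
        clean[cls].pop("children", None)
    return {"method": "post", "path": path, "content": clean}


def render_task(name, task):
    """Render the task as Ansible YAML text (stdlib only, so no PyYAML)."""
    lines = [f"- name: {name}", "  aci_rest:", "    <<: *aci_login",
             f"    method: {task['method']}", f"    path: '{task['path']}'"]
    if "content" in task:
        lines += ["    content: |",
                  "      " + json.dumps(task["content"], separators=(",", ":"))]
    lines.append("  delegate_to: localhost")
    return "\n".join(lines)


# Constructed from the API Inspector output shown on the slide.
INSPECTOR_URL = ("https://bdsol-aci12-apic1.cisco.com"
                 "/api/node/mo/uni/tn-99_Customer01/ap-Sales.json")
INSPECTOR_PAYLOAD = ('{"fvAp":{"attributes":{"dn":"uni/tn-99_Customer01/ap-Sales",'
                     '"name":"Sales","rn":"ap-Sales","status":"created"},"children":[]}}')

if __name__ == "__main__":
    print(render_task("Create application profile Sales",
                      inspector_to_aci_rest(INSPECTOR_URL, INSPECTOR_PAYLOAD)))
```

The dn/URL cross-check catches the common copy error of editing the object name in the payload but not in the path (or vice versa), which otherwise creates an object under the wrong parent.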
Network service insertion
Managed or unmanaged?
• Managed
  • ACI orchestrates the L4-L7 device
  • L4-L7 vendor provides a device package
  • Device package exposes features to ACI
  • Dependency on software versions on the ACI and L4-L7 side
  • Requirements for vendor support
• Unmanaged
  • ACI stitches client and server EPGs to the L4-L7 device
  • Then ACI gets out of the way
  • Native L4-L7 vendor tools take over
What happens behind the scenes? Internal EPGs created by APIC
[Diagram: a service graph attached to the user-defined contract between EPG Web and EPG App. APIC automatically creates an internal EPG for each interface of the L4-L7 device and internal contracts between those internal EPGs and the user EPGs. Only the outer contract is user defined; the internal EPGs and internal contracts are automatically created and pushed from APIC.]
Our setup
• EPG Web (BD Web): Windows client 2.2.2.201; F5 BIG-IP client-side interface 2.2.2.11, VIP 2.2.2.10
• EPG App (BD Backend): F5 BIG-IP server-side interface 7.7.7.11; App01 7.7.7.201, App02 7.7.7.202, App03 7.7.7.203
• EPG DB (BD Backend): DB01 7.7.7.101, reached from EPG App through the DB contract
• F5 service graph inserted between EPG Web and EPG App; BIG-IP 10.48.31.127, attached to Leaf1 1/23 and Leaf2 1/23
Live demo #4
Export syslog messages
• Syslog server: 10.48.31.196
• The APIC and every leaf and spine send their own syslog, so the destination must be reachable from the fabric's out-of-band (or in-band) management network from all nodes, not just from the APIC
Live demo #5
Use centralized authentication
• As a user you have the choice between LDAP, RADIUS and TACACS+
• The demo shows integration with Microsoft AD through the LDAP protocol
• Out-of-band: the APIC reaches the LDAP server through the out-of-band management EPG
• LDAP server: 10.48.31.195
• Filter: default / cn=$userid ($userid is replaced with the login name)
• Attribute: CiscoAVPair, the AD attribute whose value (e.g. shell:domains=all/admin/) tells ACI which security domains and roles the user gets
• Bind DN: CN=Bind User,OU=ACI,DC=pod12,DC=local
• Base DN: OU=ACI,DC=pod12,DC=local
Two things to check before doing this in production: give the bind account read-only directory rights, since its password is stored on the APIC, and enable SSL on the LDAP provider (port 636) so that neither the bind password nor the users' credentials cross the management network in clear text.
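Because the CiscoAVPair attribute is what turns an AD account into an ACI role, auditing who in OU=ACI carries an admin value is worth automating. The parser below is an added example for this section, not code from the deck or from Cisco. The slide names the attribute but not its format; the format used here is the documented ACI one, shell:domains=<domain>/<write roles separated by |>/<read roles separated by |>, with several domain specs separated by commas, and shell:domains=all/admin/ meaning full admin in every security domain. The directory entries are constructed sample data.

```python
"""Parse and audit the CiscoAVPair value ACI reads from AD/LDAP.

Added example for the LDAP section; not code from the BRKACI-2820 deck.
The attribute format is the one documented for ACI remote users:
  shell:domains = <domain>/<write-role>|<write-role>/<read-role>|<read-role>[,<domain>/.../...]
e.g. shell:domains=all/admin/ gives full admin in every security domain.
The sample directory entries below are constructed.
"""
import re

AVPAIR_RE = re.compile(r"^\s*shell:domains\s*=\s*(?P<spec>.+?)\s*$")


def parse_cisco_avpair(value):
    """Return {domain: {'write': [...], 'read': [...]}} or raise ValueError."""
    match = AVPAIR_RE.match(value)
    if not match:
        raise ValueError(f"not a shell:domains AV pair: {value!r}")
    result = {}
    for entry in match.group("spec").split(","):
        parts = entry.strip().split("/")
        if len(parts) != 3 or not parts[0]:
            raise ValueError(f"expected domain/write-roles/read-roles, got {entry!r}")
        domain, write, read = (p.strip() for p in parts)
        result[domain] = {"write": [r for r in write.split("|") if r],
                          "read": [r for r in read.split("|") if r]}
    return result


def is_fabric_admin(parsed):
    """True when the user holds the admin role with write access in domain 'all'."""
    return "admin" in parsed.get("all", {}).get("write", [])


def audit_directory(entries):
    """Return users whose AV pair grants fabric-wide admin, plus unparsable ones."""
    admins, broken = [], []
    for cn, avpair in entries.items():
        try:
            if is_fabric_admin(parse_cisco_avpair(avpair)):
                admins.append(cn)
        except ValueError:
            broken.append(cn)   # malformed value: ACI cannot map this user to a role
    return {"admins": sorted(admins), "broken": sorted(broken)}


# Constructed sample of OU=ACI,DC=pod12,DC=local: cn -> CiscoAVPair value.
SAMPLE_ENTRIES = {
    "alice": "shell:domains=all/admin/",
    "bob": "shell:domains = all/admin/",
    "ntpops": "shell:domains=common/tenant-admin/read-all,NTP//read-all",
    "auditor": "shell:domains=all//read-all",
    "typo": "shell:domains=all/admin",
}

if __name__ == "__main__":
    print(audit_directory(SAMPLE_ENTRIES))
```

Feeding it the real attribute values (an LDAP search for CiscoAVPair under the Base DN from the slide) gives the list of accounts that are effectively fabric administrators, which is the list that should be short and reviewed.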
Live demo #6
Thank you