Upload: trankhanh, posted 05-Jun-2018

ACI and Full Stack Automation

Steve Sharman and Russ Whitear

BRKACI-2770

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Abstract

ACI and Full Stack Automation provides the attendee with a view on how network and application constructs can be delivered in an automated manner to an ACI network.

We will take a look at the tools required to provision the full stack from network provisioning through to application delivery.

Technologies discussed will include Cisco Application Policy Infrastructure Controller (APIC), UCS Director and Cisco Cloud Center (Formerly CliQr).

The focus will be on providing structured methodologies that can be used to satisfy the requirements and desires of both infrastructure admins and application developers alike.


Session objectives

• Provide you with an understanding on ACI networking constructs

• Explain how UCS Director can be used to Automate ACI

• Explain how Cisco Cloud Center can interact with ACI

• Provide you with a clear understanding where to use the different tools available


Before we start, let’s get to know each other …

Agenda

• Why Automate?

• ACI Primer

• Infrastructure as a Service with UCS Director

• Controlling ACI with Cisco Cloud Center

Let’s start with an obvious question…

Why are customers looking to automate in the Data Center?


There are actually many different reasons:

• Cost reduction

• Simplicity

• Consistent configuration (Policy conformance, elimination of human error)

• Reduction in maintenance windows

• Structured changes during the business day

• Service Catalogue for IT services

• UCSD – IaaS

• Cisco Cloud Center – Hybrid Cloud Management


Automation means different things to different people!

Network centric, Server centric, Application centric

• Switch Interfaces

• Tenants

• VRFs

• Bridge Domains (L2)

• VLAN Extension

• Bridge Domains (L3)

• External L3

• Application Network Profiles

• Endpoint Groups

• Contracts

• VMware Portgroups

• Firewall Configuration

• SLB Configuration

• Multi server deployment

• Application containers

• Server Configuration (BIOS etc)

• Virtual Machine Deployment

• Load balancers

• Database

• Storage LUNs

• Storage zoning

• Server Configuration (BIOS etc)

• Bare Metal Deployments

• Operating System

• Virtual Machine Deployment


ACI Primer

To help understand ACI, let’s look at a real customer example


CPoC – Large Financial Organisation

[Diagram: ACI fabric (three APICs) with ESX-01/ESX-02 hosts, a c3850, n7706-01/n7706-02, an n9504, n5672-01/n5672-02 and three Spirent Test Center ports attached; L2 and L3 boundaries marked; OSPF Area 0 on the fabric with Area 10 (stub), Area 20 and Area 30 behind the external routers; leaf interfaces e1/1, e1/2, e1/3, e1/5, e1/6, e1/7, e1/8, e1/11, e1/12 and e1/15 labelled.]

Firstly, we needed to configure the switch interfaces

Network Provisioning

Two ways to configure the switch interfaces: manual setup, or the Quick Start wizard.

[Diagram: Policy Defined Network – Logical Model (APIC cluster) and Concrete Model. Switch Policies: Leaf Profiles (Leafs_101_and_102) → Interface Selector 1/21 → Leaf Profile vPC_to_UCS_FI_A. Interface Policies: Policies (CDP_enabled, LACP_Active) → Leaf Policy Groups (vPC_to_UCS_FI_A, SVI_to_outside). AAEP (Allowed VLANs): vCenter-01-DVS-01, UCS-phys-svrs, Outside-Fabric. Pools (VLAN/VXLAN): vCenter-01-DVS-01, UCS-phys-svrs, Outside-Fabric. Virtual Machine Domains (vSwitches): vCenter-01-DVS-01. Phy/Out Domains (VLAN mgmt): UCS-phys-svrs, Outside-Fabric. Security Domain (optional).]

Notes to remember:

• Interface Policies can be reused across any interface type

• Leaf Policy Groups for “Access” ports can be used by different Leaf Profiles

• Leaf Policy Groups for PC/vPC cannot be used by different Leaf Profiles

• Leaf Profiles can be used by different Switch Profiles

A consistent naming convention is critical for simple troubleshooting


Example Rack Layout

Row A
  Rack ID   A1   A2   A3   A4   A5   A6   A7   A8   A9   A10
  ToR ID   101  103  105  107  109  111  113  115  117  119
  ToR ID   102  104  106  108  110  112  114  116  118  120

Row B
  Rack ID   B1   B2   B3   B4   B5   B6   B7   B8   B9   B10
  ToR ID   121  123  125  127  129  131  133  135  137  139
  ToR ID   122  124  126  128  130  132  134  136  138  140

Row C
  Rack ID   C1   C2   C3   C4   C5   C6   C7   C8   C9   C10
  ToR ID   141  143  145  147  149  151  153  155  157  159
  ToR ID   142  144  146  148  150  152  154  156  158  160

Row D
  Rack ID   D1   D2   D3   D4   D5   D6   D7   D8   D9   D10
  ToR ID   161  163  165  167  169  171  173  175  177  179
  ToR ID   162  164  166  168  170  172  174  176  178  180


Example Naming Approach

• VLAN Pool: Tenant_Name, e.g. Customer_A_01

• Domains (L2, L3, Phys): Tenant_Name, e.g. Customer_A_L3_01

• AAEP (allowed VLANs): Tenant_Name, e.g. Customer_A_01

• Interface Policies (settings): Enabled/Disabled, e.g. 10G, CDP_enabled

• Leaf Policy Groups (aggregated settings): PortSpeed_PortType_Usage, e.g. 10G_access_c3850-01

• Leaf Profiles (settings mapped to interfaces): Rack_ID/Switch_ID_to_ConnectedDevice, e.g. 101_to_c3850-01

• Switch Profiles (interfaces mapped to switches): Rack_ID or Rack_ID_SwitchID, e.g. A1_101
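As an added example (not from the deck or any Cisco tool), the rack layout and naming approach above can be encoded so that ToR IDs are derived from rack IDs and proposed object names are checked for conformance before they reach APIC; the regular expressions are my reading of the deck's rules, and they also accept the li07-style rack IDs used on later slides.

```python
"""Rack layout and naming-convention checks for ACI access policies.

Added example; not from the BRKACI-2770 deck or any Cisco tool. It encodes
the deck's Example Rack Layout (rows A-D, racks 1-10, two ToR leaves per
rack, leaf IDs 101-180) and its Example Naming Approach, so that object
names can be checked for conformance before they are pushed to APIC.
"""
import re

ROWS = "ABCD"
RACKS_PER_ROW = 10
FIRST_LEAF_ID = 101
RACK_ID = r"[A-Za-z]{1,2}\d{1,2}"                 # A1..D10 in the table; li07 style on later slides
LAYOUT_RACK = re.compile(r"^([A-D])([1-9]|10)$")  # racks present in the deck's table


def tor_ids(rack_id):
    """(odd, even) ToR leaf IDs for a rack in the table, e.g. 'B3' -> (125, 126).

    Row A starts at 101, each row adds 20, each rack adds 2, and the second
    ToR of a rack is the odd ID plus one.
    """
    m = LAYOUT_RACK.match(rack_id)
    if not m:
        raise ValueError(f"rack {rack_id!r} is not in the rack layout")
    row, rack = ROWS.index(m.group(1)), int(m.group(2))
    odd = FIRST_LEAF_ID + row * 2 * RACKS_PER_ROW + (rack - 1) * 2
    return odd, odd + 1


def rack_for_leaf(leaf_id):
    """Inverse lookup: leaf 154 -> 'C7'."""
    offset = leaf_id - FIRST_LEAF_ID
    if not 0 <= offset < len(ROWS) * 2 * RACKS_PER_ROW:
        raise ValueError(f"leaf {leaf_id} is outside the rack layout")
    row, rem = divmod(offset, 2 * RACKS_PER_ROW)
    return f"{ROWS[row]}{rem // 2 + 1}"


# One (pattern, rule text) per object type, written from the deck's Example Naming Approach.
NAMING_RULES = {
    # Tenant_Name for VLAN Pool, Domains and AAEP, e.g. Customer_A_01, Customer_A_L3_01
    "vlan_pool": (re.compile(r"^[A-Za-z0-9]+(?:_[A-Za-z0-9]+)*$"), "Tenant_Name"),
    "domain": (re.compile(r"^[A-Za-z0-9]+(?:_[A-Za-z0-9]+)*$"), "Tenant_Name"),
    "aaep": (re.compile(r"^[A-Za-z0-9]+(?:_[A-Za-z0-9]+)*$"), "Tenant_Name"),
    # Enabled/Disabled, e.g. CDP_enabled; a bare setting such as 10G is also accepted
    "interface_policy": (re.compile(r"^[A-Za-z0-9]+(?:_(?:[Ee]nabled|[Dd]isabled))?$"), "Enabled/Disabled"),
    # PortSpeed_PortType_Usage, e.g. 10G_access_c3850-01, 10G_vPC_esx_li07-c220m4-01
    "leaf_policy_group": (re.compile(r"^\d+G_(?:access|acc|vPC|PC)_[A-Za-z0-9_-]+$"), "PortSpeed_PortType_Usage"),
    # Rack_ID/Switch_ID_to_ConnectedDevice, e.g. 101_to_c3850-01, li07_to_ld04-c3850-01
    "leaf_profile": (re.compile(rf"^(?:{RACK_ID}|\d{{3}})_to_[A-Za-z0-9_-]+$"), "Rack_ID/Switch_ID_to_ConnectedDevice"),
    # Rack_ID or Rack_ID_SwitchID, e.g. A1_101
    "switch_profile": (re.compile(rf"^{RACK_ID}(?:_\d{{3}})?$"), "Rack_ID or Rack_ID_SwitchID"),
}


def check_name(obj_type, name):
    """Return a list of conformance problems; an empty list means the name is valid.

    Besides the pattern, Rack_ID_SwitchID switch profiles and Switch_ID leaf
    profiles are cross-checked against the rack layout, so A1_103 is flagged
    (leaf 103 lives in rack A2) and 999_to_c3850-01 is flagged (no such leaf).
    """
    if obj_type not in NAMING_RULES:
        return [f"unknown object type {obj_type!r}"]
    pattern, rule = NAMING_RULES[obj_type]
    if not pattern.match(name):
        return [f"{obj_type} {name!r} does not follow {rule}"]
    problems = []
    if obj_type == "switch_profile" and "_" in name:
        rack, leaf = name.split("_", 1)
        if LAYOUT_RACK.match(rack) and int(leaf) not in tor_ids(rack):
            problems.append(f"leaf {leaf} is not a ToR of rack {rack}; expected one of {tor_ids(rack)}")
    if obj_type == "leaf_profile" and name.split("_to_", 1)[0].isdigit():
        try:
            rack_for_leaf(int(name.split("_to_", 1)[0]))
        except ValueError as err:
            problems.append(str(err))
    return problems


def suggest_switch_profile(rack_id, which=0):
    """Generate the Rack_ID_SwitchID name for a rack's first (0) or second (1) ToR."""
    return f"{rack_id}_{tor_ids(rack_id)[which]}"


if __name__ == "__main__":
    for obj_type, name in [("switch_profile", "A1_101"), ("switch_profile", "A1_103"),
                           ("leaf_profile", "101_to_c3850-01"), ("vlan_pool", "Customer A 01")]:
        print(obj_type, name, check_name(obj_type, name) or "OK")
```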

How does this look?

[Diagram, slide 24: Logical Model vs Concrete Model for the c3850 uplink. Interface Policies CDP_enabled and 10G → Leaf Policy Group 10G_acc_c3850 (interface setting group) → Leaf Profile li07_to_ld04-c3850-01 (rack/switch to connected device), Interface Selector 1/3, Leaf Profile Leafs_101_and_102. VLAN Pool Customer_A_01 → External Routed Domain Customer_A_L3_01 → AAEP Customer_A_01.]

[Diagram, slide 25: the same chain for the n7706 uplink: Leaf Policy Group 10G_acc_n7706, Leaf Profile li07_to_lg05-n7706-01, Interface Selector 1/7, Leaf Profile Leafs_101_and_102.]

[Diagram, slide 26: the same chain for the n9504 uplink: Leaf Policy Group 10G_acc_n9504, Leaf Profile li07_to_lg11-n9504-01, Interface Selector 1/8, Leaf Profile Leafs_101_and_102.]

[Diagram, slide 28: vPC to an ESX host. Interface Policies LLDP_enabled, LACP_active and 10G → Leaf Policy Group 10G_vPC_esx_li07-c220m4-01 (unique interface setting group) → Leaf Profile li08_to_li07-c220m4-01, Interface Selector 1/11, Leaf Profile Leafs_103_and_104. VLAN Pool Customer_A_01 → Physical Domain Customer_A_Phys_01 → AAEP Customer_A_01.]

[Diagram, slide 29: the second ESX host: Leaf Policy Group 10G_vPC_esx_li07-c220m4-02, Leaf Profile li07_to_li07-c220m4-02, Interface Selector 1/12, Leaf Profile Leafs_101_and_102.]

Couldn’t we reduce the number of Leaf Policy Groups?

Yes – provided that they are “Access” Policy Groups with the same Interface Policies

[Diagram, slide 32: the three “Access” Leaf Policy Groups 10G_acc_c3850, 10G_acc_n7706 and 10G_acc_n9504 all use the same Interface Policies (CDP_enabled, 10G) and the same allowed VLANs (VLAN Pool Customer_A_01 → External Routed Domain Customer_A_L3_01 → AAEP Customer_A_01); they are consumed by Leaf Profiles li07_to_ld04-c3850-01 (Interface Selector 1/3), li07_to_lg05-n7706-01 (1/7) and li07_to_lg11-n9504-01 (1/8), each under Leaf Profile Leafs_101_and_102.]

[Diagram, slide 33: the three groups collapsed into one consolidated Leaf Policy Group, 10G_acc_to_external_L3_switch, for the interfaces that use the same Interface Policies (settings and allowed VLANs); the three Leaf Profiles and Interface Selectors are unchanged.]

Couldn’t we reduce the number of Leaf Profiles?

Yes – provided that they use the same interfaces on the physical switch(es)

[Diagram, slide 36: multiple Leaf Profiles / Interface Selectors (li07_to_ld04-c3850-01 with 1/3, li07_to_lg05-n7706-01 with 1/7, li07_to_lg11-n9504-01 with 1/8, each under Leafs_101_and_102) consume the same Leaf Policy Group 10G_acc_to_external_L3_switch (settings and allowed VLANs).]

[Diagram, slide 37: the Leaf Profiles consolidated into one, li07_to_external_L3_switch, with Interface Selector 1/3, 1/7, 1/8 under Leaf Profile Leafs_101_and_102, consuming Leaf Policy Group 10G_acc_to_external_L3_switch (Interface Policies CDP_enabled, 10G; VLAN Pool Customer_A_01 → External Routed Domain Customer_A_L3_01 → AAEP Customer_A_01).]

Automating “Access Policies” abstracts the naming rules away from APIC, thus ensuring configuration conformance.

In large organisations, having an automated approach to interface configuration could allow the “rack/stack” team to configure the switches from a simple IT services catalogue.

Secondly, we needed to consume the switch interfaces – Tenant Configuration

Network Consumption

• Quick Start wizard

• Tenants

ACI Nomenclature Refresher

• A Tenant is just an Administrative boundary

• A VRF is a VRF as you know it today

• A Bridge Domain is a L2 segment where flooding rules apply – think VLAN but without a VLAN ID

• A Bridge Domain is the scope of one or more subnets – think SVI and IP Secondary

• An EPG is just a logical grouping of devices – think interfaces and VLANs

• An EPG is a Port Group in VMware

• An EPG can contain different VLANs, e.g. when mixing dynamic Virtual Port Groups and Physical machines – think hardware VTEP

• Devices in an EPG are allowed to communicate (by default)

• Isolated EPGs block communication within the EPG – think PVLAN

• Micro Segmentation (µSeg) EPGs are used to dynamically move devices from a “base” EPG into a more specific EPG

• An Application Network Profile is a group of one or more EPGs – remember an EPG can only be inside one ANP

• Communication between EPGs and/or from devices off the ACI fabric requires Contracts (ACLs)

Network Interfaces must be configured first!

[Diagram, slide 43: Logical Model (APIC cluster) and Concrete Model. Tenant side: ANP My_App → EPG Web → Domain Production_Svrs → static Paths vPC_to_UCS_FI_A (VLAN_10) and vPC_to_UCS_FI_B (VLAN_10). Access-policy side: Leaf Profiles (target switches) Leafs_101_and_102 → Interface Selectors 1/21 and 1/22 → Leaf Policy Groups vPC_to_UCS_FI_A and vPC_to_UCS_FI_B (Leaf Profiles vPC_to_UCS_FI_A / vPC_to_UCS_FI_B); Interface Policies CDP_enabled, LACP_Active; AAEP (allowed VLANs) UCS-phys-svrs; VLAN/VXLAN Pool UCS-phys-svrs; Phy/Out Domain (VLAN mgmt) UCS-phys-svrs; Security Domain (optional).]

What about VLANs, SVIs, ACLs, etc?

Option 1: Single EPG on a Single BD with a Single Subnet – “standard networking”

[Diagram, slide 45: Tenant My_Tenant, VRF 01 (anycast gateway), ANP My_App. Three EPGs, each a security zone on its own Bridge Domain: Web (VLAN 10) on BD 192.168.10.X, App (VLAN 11) on BD 192.168.20.x, DB (VLAN 12) on BD 192.168.30.x. Each BD: Hardware Proxy No, ARP Flooding Yes, Unknown Unicast Flooding Yes, IP Routing No. Endpoints 192.168.10.11/24, 192.168.10.12/24, 192.168.20.11/24, 192.168.20.12/24, 192.168.30.11/24, 192.168.30.12/24. Communication allowed within each EPG; endpoints in an EPG identified by switch/interface and VLAN ID.]

Option 2: Multiple EPGs on a Single BD with a Single Subnet – µSegmentation in IP space

[Diagram, slide 46: Tenant My_Tenant, VRF 01 (anycast gateway), ANP My_App. EPGs Web (VLAN 10), App (VLAN 11) and DB (VLAN 12), each a security zone, all on Bridge Domain 192.168.10.X_24 (one Layer 2 segment) with gateway 192.168.10.1; BD settings: Hardware Proxy Yes, ARP Flooding No, Unknown Unicast Flooding No, IP Routing Yes. Endpoints 192.168.10.11/24 to 192.168.10.16/24. Communication allowed within each EPG; endpoints identified by switch/interface and VLAN ID.]

Just because you can doesn't always mean you should

Option 3a: Multiple EPGs on a Single BD with Multiple Subnets – IP secondary

[Diagram, slide 48: as Option 2, but Bridge Domain multiple_subnets carries gateways 192.168.10.1, 192.168.20.1 and 192.168.30.1 (Hardware Proxy Yes, ARP Flooding No, Unknown Unicast Flooding No, IP Routing Yes); endpoints 192.168.10.11/24, 192.168.10.12/24, 192.168.20.11/24, 192.168.20.12/24, 192.168.30.11/24, 192.168.30.12/24 in EPGs Web, App and DB. Communication allowed within each EPG; endpoints identified by switch/interface and VLAN ID.]

Option 3b: Multiple EPGs on a Single BD with Multiple Subnets – IP secondary

[Diagram, slide 49: Bridge Domain multiple_subnets with gateways 192.168.10.1 and 192.168.20.1; endpoints from both subnets mixed within the EPGs: 192.168.10.11/24, 192.168.20.11/24, 192.168.10.12/24, 192.168.20.12/24, 192.168.10.15/24, 192.168.10.16/24. Communication allowed within each EPG; endpoints identified by switch/interface and VLAN ID.]

What about segmenting inside an EPG?

Options 1, 2, and 3 – µSegmentation within an EPG/Port Group (no East/West traffic flows)

[Diagram, slide 51: Tenant My_Tenant, VRF 01 (anycast gateway), ANP My_App, a single EPG Web (VLAN 10) as security zone on Bridge Domain 192.168.10.X_24 (Layer 2 segment, gateway 192.168.10.1; Hardware Proxy Yes, ARP Flooding No, Unknown Unicast Flooding No, IP Routing Yes); endpoints 192.168.10.11/24 to 192.168.10.16/24, identified by switch/interface and VLAN ID; communication allowed within the EPG.]

Options 1, 2, and 3 – µSegmentation within an EPG/Port Group based on machine attribute

[Diagram, slide 52: the same tenant, with base EPG All_Web_Servers (VLAN 10) on Bridge Domain 192.168.10.X_24; endpoints are moved into µSeg EPGs by the machine attribute rules “Name Contains: Web_1”, “Name Contains: Web_2” and “Name Contains: Web_3”; communication allowed within each uSeg EPG.]

External VLANs – L2 connection to legacy networks

Option 1: Same VLANs Outside/Inside (No Contract Required)

[Diagram, slide 54: Tenant My_Tenant, VRF 01 (anycast gateway), ANP Outside_VLANs, EPG Host-Mgmt on Bridge Domain outside_vlan_10 (gateway 192.168.10.1; Hardware Proxy No, ARP Flooding Yes, Unknown Unicast Flooding Yes, IP Routing Yes). Static paths vPC_to_UCS_a vlan-10, vPC_to_UCS_b vlan-10 and vPC_to_n5ks vlan-10 towards the legacy network; hosts 192.168.10.10 and 192.168.10.11; communication allowed within the EPG.]

Option 2: Different VLANs Outside/Inside (Contract Required)

[Diagram, slide 55: the same tenant and Bridge Domain outside_vlan_10. EPG Host-Mgmt now uses vlan-100 on vPC_to_UCS_a and vPC_to_UCS_b, while the legacy side is an L2out on vPC_to_n5ks with vlan-10 (an external EPG). Communication allowed within the EPG; communication to the External EPG requires a contract.]

External Subnets

External Routed Connections

[Diagram, slide 57: Tenant My_Tenant, VRF 01 (anycast gateway), Bridge Domain 192.168.10.x_22 with gateway 192.168.10.1 (Hardware Proxy Yes, ARP Flooding No, Unknown Unicast Flooding No, IP Routing Yes); ANP My_App with EPGs Web (VLAN 10) and App (VLAN 11), endpoints 192.168.10.11/22, 192.168.10.12/22, 192.168.10.21/22, 192.168.10.22/24. L3out Area0 with OSPF configuration on interfaces 101/1/96: 192.168.30.1/30 and 102/1/96: 192.168.30.5/30. Two external EPGs, each defined by a Security Import Subnet* (i.e. which external subnets can be accessed through this EPG): EPG 0.0.0.0/0 permits access to all remote subnets (Web: communication allowed to all External Subnets), EPG 10.1.1.0/24 permits access to that remote subnet only (App: communication allowed to 10.1.1.0/24).]

A quick note about contracts

Contracts permit communication between EPGs

[Diagram, slide 59: Tenant My_Tenant, VRF 01, Bridge Domains 192.168.10.X, 192.168.20.x and 192.168.30.x. ANP DB with EPG DB_1 (192.168.10.11/24, 192.168.10.12/24); ANP MyApp_1 with EPGs Web_1 (192.168.10.11/24, 192.168.10.12/24) and App_1 (192.168.20.11/24, 192.168.20.12/24); ANP MyApp_2 with EPGs Web_1 and App_1 (192.168.10.11/24, 192.168.10.12/24). Contracts drawn between the EPGs.]
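The rules this section states (endpoints in one EPG talk by default, an isolated EPG blocks intra-EPG traffic, traffic between EPGs needs a contract, and off-fabric addresses are classified into the L3out external EPG whose security import subnet is the longest match) can be modelled as a small whitelist evaluator. This is an added example with a constructed tenant that reuses the deck's names (My_Tenant, Web/App/DB, 0.0.0.0/0 and 10.1.1.0/24); it is not Cisco code or an APIC query, contracts are treated as bidirectional, and filters/ports are not modelled.

```python
"""Whitelist check of the ACI EPG/contract semantics described in the deck.

Added example, not Cisco code and not an APIC query. The tenant below is
constructed sample data using the deck's names. It shows one effect worth
knowing when auditing an L3out: once a more specific external EPG
(10.1.1.0/24) exists, traffic to that prefix is no longer covered by a
contract on the 0.0.0.0/0 external EPG.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Epg:
    name: str
    isolated: bool = False                               # intra-EPG isolation, "think PVLAN"
    provides: set = field(default_factory=set)           # contract names this EPG provides
    consumes: set = field(default_factory=set)           # contract names this EPG consumes
    import_subnets: list = field(default_factory=list)   # security import subnets (L3out external EPGs only)


# Constructed sample tenant (My_Tenant / ANP My_App).
FABRIC = {e.name: e for e in [
    Epg("Web", consumes={"Web_to_App", "Any_External"}),
    Epg("App", provides={"Web_to_App"}, consumes={"App_to_DB", "Remote_10_1_1"}),
    Epg("DB", isolated=True, provides={"App_to_DB"}),
    # L3out external EPGs: the security import subnets decide classification
    Epg("Ext_All", provides={"Any_External"}, import_subnets=["0.0.0.0/0"]),
    Epg("Ext_10_1_1", provides={"Remote_10_1_1"}, import_subnets=["10.1.1.0/24"]),
]}

# Endpoints learned on the fabric are identified by switch/interface and VLAN ID;
# keyed by IP here for brevity (constructed).
ENDPOINTS = {
    "192.168.10.11": "Web", "192.168.10.12": "Web",
    "192.168.20.11": "App", "192.168.20.12": "App",
    "192.168.30.11": "DB", "192.168.30.12": "DB",
}


def classify_external(ip, fabric=FABRIC):
    """Longest-prefix match of an off-fabric IP against the external EPGs' import subnets."""
    addr = ipaddress.ip_address(ip)
    best = None
    for epg in fabric.values():
        for subnet in epg.import_subnets:
            net = ipaddress.ip_network(subnet)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, epg.name)
    return best[1] if best else None


def epg_of(ip, fabric=FABRIC, endpoints=ENDPOINTS):
    """Fabric-learned endpoints keep their EPG; anything else is classified through the L3out."""
    return endpoints.get(ip) or classify_external(ip, fabric)


def evaluate(src_ip, dst_ip, fabric=FABRIC, endpoints=ENDPOINTS):
    """Return (allowed, reason). A contract permits both directions once one EPG
    provides and the other consumes it (the default apply-both-directions behaviour)."""
    s, d = epg_of(src_ip, fabric, endpoints), epg_of(dst_ip, fabric, endpoints)
    if s is None or d is None:
        return False, "unclassified endpoint: dropped by the whitelist model"
    if s == d:
        if fabric[s].isolated:
            return False, f"intra-EPG isolation on {s}"
        return True, f"same EPG {s}: permitted by default"
    a, b = fabric[s], fabric[d]
    shared = (a.consumes & b.provides) | (a.provides & b.consumes)
    if shared:
        return True, f"contract {sorted(shared)[0]} between {s} and {d}"
    return False, f"no contract between {s} and {d}"


if __name__ == "__main__":
    for src, dst in [("192.168.10.11", "192.168.20.11"), ("192.168.10.11", "192.168.30.11"),
                     ("192.168.30.11", "192.168.30.12"), ("192.168.10.11", "10.1.1.5"),
                     ("192.168.20.11", "10.1.1.5"), ("192.168.10.11", "203.0.113.7")]:
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
```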

Now that we have a better understanding of ACI, let’s consider what customers typically want to automate

Customer Use Cases

Credit Services

• Multi-Tier application Deployments

• Tenants

• VRFs

• Bridge Domains

• Endpoint Groups

• Contracts

• Load Balancing (Citrix)

• VM creation

Media

• Tenants

• VRFs

• Bridge Domains

• Endpoint Groups

• Contracts

• Switch Interfaces

Banking

• VRFs

• Bridge Domains

• Endpoint Groups

• Contracts

• Switch Interfaces

• VM creation

• OS Installation


What should you look to do first?

A. Automate the building of networking infrastructure

B. Automate the consumption of networking resources

• Blueprints for Tenants, L2 (EPG/VLAN/VXLAN), L3, L4-7 services

• IP Address Management (IPAM)

• Summary routes into the fabric

• Virtual machine creation

• Containers

• Application Provisioning

• Self service offering

C. Automate both infrastructure and consumption

D. Automate application deployment

Take a step back: most customers actually require a number of pre-defined functional “Blueprints”

Sample Network Blueprints

[Diagrams, slides 64–65: each blueprint shows Clients, the ACI fabric and an External Router to WAN.]

• L2 Fabric (external g/w): the gateway (192.168.10.1) is on the external router; the ACI gateway is not used

• L3 Fabric: ACI is the gateway

• L3 Fabric with external firewall

• L3 Fabric with firewall on fabric: ACI internal gateway, firewall, ACI external gateway

• L3 Fabric with SLB on fabric: ACI internal gateway, SLB, ACI external gateway

• L3 Fabric with firewall and SLB: ACI gateway with firewall and SLB

Let’s consider the consumers of a cloud provider. The consumers don’t concern themselves with server connectivity…

They simply concern themselves with the IP addresses/gateway for their applications, and the security rules which allow access to those applications.

Automating “Tenant” configuration allows teams other than the network team to consume network services.

If we now understand the “why”…

We next need to understand the “how”…

How Many of You....

• Are already scripting and automating common tasks?

  • In my experience, most of us are not

• Are really good at copy and paste?

  • That’s me that is!!

Congratulations!

Being Serious For A Moment

• We talk to a lot of partner and customer engineers all over the world

• It is clear that some knowledge of programming concepts is quite valuable these days

• The top question is always “Do I need to learn programming to keep doing my job?”

• I’ve got some good news for you...

• In a nutshell, the answer is No....

• But only if you learn to consume the easy-to-use tools and processes out there

ACI and the API

What is ACI? It is all about the API and Object Model.

ACI and REST API


• REST is fundamental to APIC interaction

• All other tools are built around it

• Understand REST, understand ACI automation

• The second time you need to do something, think about automating it instead!!


Using REST

• HTTP(S) to the URL or Address of an object

• Select an Action to perform (GET, POST etc)

• Send the Payload (in XML or JSON format)

Common (Free) Tools For The Network Engineer

Use these to automate things in ACI:

• Postman Plugin for Google Chrome

• API Inspector

• APIC GUI

• COBRA SDK

• Python IDE (Pycharm, Atom, others)

• Git / Github

• ARYA

• ACI Toolkit

• Many Others

Different Engineers, Different Tools

[Diagram, slide 79: APIC GUI, APIC CLI, REST API and SDK placed on a scale from Simple/Rigid to Powerful/Complex.]

API Inspector – a REST API Sniffer

• Record your GUI interaction as JSON

• Modify and replay with tools like Postman


Postman Plugin for Google Chrome


Python SDK (aka “Cobra”) + ARYA

• Full featured access to entire APIC REST API

• Native ACI language – configure in GUI and turn into Cobra SDK

• Contributors include: Business Unit Engineers, Technical Services Engineers, Advanced Services Engineers

• Complete user use cases all possible

• http://github.com/datacenter/cobra

• http://github.com/datacenter/arya

XML/JSON → arya.py → Python code

Input: the JSON for the configured objects (the slide's payload, reflowed here for readability)

{"fvTenant": {"attributes": {"dn": "uni/tn-Cisco", "name": "Cisco", "rn": "tn-Cisco", "status": "created"},
  "children": [
    {"fvBD": {"attributes": {"dn": "uni/tn-Cisco/BD-CiscoBd", "mac": "00:22:BD:F8:19:FF", "name": "CiscoBd", "rn": "BD-CiscoBd", "status": "created"},
      "children": [
        {"fvRsCtx": {"attributes": {"tnFvCtxName": "CiscoNetwork", "status": "created,modified"}, "children": []}},
        {"fvSubnet": {"attributes": {"dn": "uni/tn-Cisco/BD-CiscoBd/subnet-[10.0.0.1/8]", "ip": "10.0.0.1/8", "rn": "subnet-[10.0.0.1/8]", "status": "created"}, "children": []}}
      ]}},
    {"fvCtx": {"attributes": {"dn": "uni/tn-Cisco/ctx-CiscoNetwork", "name": "CiscoNetwork", "rn": "ctx-CiscoNetwork", "status": "created"}, "children": []}}
  ]}}

Output: the Python code generated by arya.py (the imports and the topMo line were not on the slide; they are the usual ARYA preamble and are added here so the snippet runs against a Cobra install)

import cobra.model.fv
import cobra.model.pol

# Root of the policy tree ('uni'); every object below hangs off it.
topMo = cobra.model.pol.Uni('')

fvTenant = cobra.model.fv.Tenant(topMo, name='Cisco')
fvCtx = cobra.model.fv.Ctx(fvTenant, name='CiscoNetwork')
fvBD = cobra.model.fv.BD(fvTenant, mac='00:22:BD:F8:19:FF', name='CiscoBd')
fvRsCtx = cobra.model.fv.RsCtx(fvBD, tnFvCtxName=fvCtx.name)   # relation BD -> VRF
fvSubnet = cobra.model.fv.Subnet(fvBD, ip='10.0.0.1/8')

Practical example of tool usage

Cisco on Github

• https://github.com/datacenter

• https://github.com/datacenter/ACI

• https://github.com/datacenter/aci-examples

• https://github.com/datacenter/sparci

• https://github.com/datacenter/acitoolkit

Customer demo

UCS Director for IaaS: ACI Network Configuration

Introduction

Cisco ONE Enterprise Cloud Suite – Infrastructure Management

Cisco UCS Director (Infrastructure): physical and virtual (hypervisor) infrastructure. Build and run a Private Cloud.

• Builds and manages Private Cloud Infrastructure – Physical and Virtual, including ACI

• In pure IaaS deployments provides VM provisioning – e.g. through vCenter for ESX and SCVMM for Hyper-V

• Provides an end-user self service portal for IaaS provisioning

UCS Director Topology and Optional Components

[Diagram, slide 92: UCS Director managing UCS, Nexus and the physical and virtual infrastructure.]

Orchestrating with UCS Director – Model Based Orchestration

• Object, not script, based

• ~2,000 infrastructure tasks included

• Graphical Design Interface

• Logical processing of Conditionals and Loops

• Versioning Support

UCS Director for IaaS: ACI

Different Catalogues for Different User Types

Network Admins – ACI Fabric Provisioning

Network Administrator Tasks:

• Create VLAN Pool

• Create Domain and Bind to VLAN Pool

• Create AAEP and Bind to Domain & Leaf Policy Group

• Create Leaf Profile and Bind to Switch Profile

• Create Interface selector and Bind to Leaf Profile & Leaf Policy Group

• Create Switch Profile

Different Catalogues for Different User Types

Tenant Admins

ACI Tenant Operations

BRKACI-2770 94

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Different Catalogues for Different User Types

Tenant Admins

ACI Tenant Operations

BRKACI-2770 94

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Different Catalogues for Different User Types

Tenant Admins

ACI Tenant Operations

ACI Tenant Administrator Tasks

Create New Tenant

Create VRF & Bind to Tenant

Create L3out & Bind to VRF

Create Bridge Domain (L2) & Bind to VRF

Create Bridge Domain (L3) & Bind to VRF

Create EPG & Bind to Bridge Domain

Create Contract & Filter & Bind to EPGs

Create a BD/EPG with Flooding Enabled & a Static Binding to a VLAN

Network Operations: ACI Service Expansion

Network Operations Tasks

Add additional Interface to a L3out

Add Subnets to existing L3out

Add Ports to an existing Filter

Add Filters to an existing Contract

Add an additional EPG to a Bridge Domain

Add an additional Domain to an EPG

Add a Static Binding to an EPG

Add new vSwitch to Virtual Center

Creating a New Workflow/Catalogue Entry

Configure ACI Network via UCS Director

This creates a new ACI Interface Leaf Profile with the following Interface Selectors.

Select the ACI switch policy leaf profile to associate the Interface Leaf Profile to, and select the Interface Leaf Profile that was created in the previous request.

Select the physical switch port to connect the new host to the BMA EPG.

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Create New ACI Tenant, VRF, BD and Subnet

BRKACI-2770 101

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Create New ACI Tenant, VRF, BD and Subnet

BRKACI-2770 101

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Create New ACI Tenant, VRF, BD and Subnet

BRKACI-2770 101

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Create New ACI Tenant, VRF, BD and Subnet

BRKACI-2770 101

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Create New ACI Tenant, VRF, BD and Subnet

BRKACI-2770 101

Northbound API Access

UCSD Access via its Northbound API

    {
      "param0": "Add Device to ACI Fabric",
      "param1": {
        "list": [
          {
            "name": "Device Type",
            "value": "r01_1G_acc_WIBBLE_ESX"
          },
          {
            "name": "Enter Interface(s)",
            "value": "1/79"
          }
        ]
      },
      "param2": -1
    }
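The payload above is the opData of UCS Director's userAPISubmitWorkflowServiceRequest operation: param0 names the workflow, param1 carries its user inputs, and param2 is the parent service request ID (-1 for none). The following Python is an added example, not Cisco's SDK or anything shown in the session, that prepares that call without sending it: it validates the inputs before the request exists, since the workflow runs with UCS Director's own APIC credentials and a value forwarded from a ticket must not be trusted; it carries the API key in the X-Cloupia-Request-Key header UCS Director authenticates with; and it URL-encodes opData into the query string. The host, key, device-type allow-list and interface format rule are assumptions.

```python
"""Prepare a UCS Director northbound call for the 'Add Device to ACI Fabric' workflow.

Added example: host, API key, the device-type allow-list and the interface
format rule are assumptions. The REST path, opName, param0/1/2 shape and the
X-Cloupia-Request-Key header are UCS Director's own. Nothing here sends
traffic; build_request() returns what an HTTP client would send.
"""
import json
import re
from typing import Dict, List, Tuple
from urllib.parse import urlencode

# Constructed allow-list: only the device profiles the network team published.
KNOWN_DEVICE_TYPES = {"r01_1G_acc_WIBBLE_ESX", "r01_10G_acc_WIBBLE_ESX"}
# Leaf interface in card/port form as in the slide ("1/79"): no ranges, no free text.
INTERFACE_RE = re.compile(r"^[1-9][0-9]?/[1-9][0-9]{0,2}$")


def validate_inputs(device_type: str, interfaces: str) -> List[str]:
    """Return a list of problems; an empty list means the inputs may be submitted."""
    problems = []
    if device_type not in KNOWN_DEVICE_TYPES:
        problems.append(f"unknown device type {device_type!r}")
    for intf in interfaces.split(","):
        if not INTERFACE_RE.match(intf.strip()):
            problems.append(f"bad interface {intf!r}")
    return problems


def op_data(workflow: str, inputs: Dict[str, str], parent_sr: int = -1) -> dict:
    """Shape param0/param1/param2 exactly as in the session's payload."""
    return {
        "param0": workflow,
        "param1": {"list": [{"name": k, "value": v} for k, v in inputs.items()]},
        "param2": parent_sr,
    }


def build_request(host: str, api_key: str, workflow: str,
                  inputs: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for the GET that submits the workflow, or raise."""
    problems = validate_inputs(inputs["Device Type"], inputs["Enter Interface(s)"])
    if problems:
        raise ValueError("; ".join(problems))
    query = urlencode({
        "formatType": "json",
        "opName": "userAPISubmitWorkflowServiceRequest",
        "opData": json.dumps(op_data(workflow, inputs), separators=(",", ":")),
    })
    # The key is the credential: send it only over TLS with certificate checks on.
    headers = {"X-Cloupia-Request-Key": api_key, "Accept": "application/json"}
    return f"https://{host}/app/api/rest?{query}", headers


def service_request_id(response_body: str) -> int:
    """Extract the service request ID from UCS Director's JSON reply, or raise."""
    body = json.loads(response_body)
    if body.get("serviceError"):
        raise RuntimeError(body["serviceError"])
    return int(body["serviceResult"])


if __name__ == "__main__":
    url, headers = build_request(
        "ucsd.example.net", "<api-key>", "Add Device to ACI Fabric",
        {"Device Type": "r01_1G_acc_WIBBLE_ESX", "Enter Interface(s)": "1/79"})
    print(url)
    print(headers)
    # Constructed reply in the shape UCS Director returns.
    print(service_request_id('{"serviceResult": 4711, "serviceError": null}'))
```

The returned service request ID is what an ITSM integration stores to poll the workflow's outcome later; the validation step is where an allow-list of approved device profiles and a strict interface syntax stop a free-text ticket field from becoming arbitrary fabric change.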

(Diagram: UCS, Nexus, and other physical and virtual infrastructure managed through the UCS Director northbound API.)

Flexible Automation Models

(Diagram, built up over several slides: ITSM, vCenter, Service Request, APIC.)

UCS Director for IaaS: When 230 OOB ACI tasks are not enough!

APIC API Inspector

UCS Director ACI JSON Convertor

Useful Links

• Cisco Communities (>300 examples): https://communities.cisco.com/docs/DOC-56419

• APIC Inspector to UCS Director Workflow Task Convertor

• Convertor Script: https://cisco.box.com/s/zexj4r4unkcotykq1u5a1vl0dan6e05w

• Baseline WF Template: https://cisco.box.com/s/6phyf2rvv11qd7db3a0haynbxrr4zcni

• HowTo Video: https://cisco.box.com/s/w1vi4fce1wo6n14svih9pn5uf1f15c6d

Coming soon: updated interface

Preview: HTML5 Admin Interface

Multi Cloud Management – Cisco Cloud Center

Introduction

A widening Cloud Gap

Between what cloud applications require… and what IT is capable of reliably and confidently supporting today.

IT capabilities:

• People

• Processes

• Tools

(Chart: requirements over time; the curve for cloud applications pulls away from the one for traditional applications, and the distance to IT capabilities is the Cloud Gap.)

CloudCenter Unique Value: Model Once. Deploy and Manage Anywhere.

(Diagram: MODEL, DEPLOY, MANAGE across Data Center, Private Cloud and Public Cloud. One Integrated Platform; Lifecycle Management; New and Existing Applications.)

What Does "Model Once" Mean?

Script-Based (Infrastructure-Centric, Cloud-Specific): cloud-specific workflows and scripts, one unique script/workflow per target cloud; labor and services intensive.

Application Profile-Based (Application-Centric, Cloud-Agnostic): one application profile for every target cloud; low TCO.

CloudCenter Terminology

• An application profile is comprised of services.

• The services define a function of the application (e.g. web, firewall, database).

• Services are instantiated using packages and customized using artifacts.

• Artifacts can consist of scripts, code snippets and applications.

• Repositories contain the artifacts and can contain packages.

(Diagram: Application Profile, Services, Artifacts such as bash, sql and perl scripts, a package, and Repositories.)

Topology Modeling UI

CloudCenter Integration into ACI

Cloud Center and ACI

CloudCenter: Model-Based Approach (Application Profile)

ACI: Policy-Based Approach (Application Network Profile)

Seamless Integration: "Zero Touch" automation

Powerful Benefits

• Application Security

• Ops Efficiency

• User Agility

Cloud Center Automation of ACI

(Diagram: CloudCenter Manager and CloudCenter Orchestrator, APIC cluster.)

Tenant: My_Tenant

VRF: 01 (Anycast gateway)

Bridge Domain: 192.168.10.x_22, Gateway: 192.168.10.1
  Hardware Proxy: Yes
  ARP Flooding: No
  Unknown Unicast Flooding: No
  IP Routing: Yes

L3out: Area0
  101/1/96: 192.168.30.1/30
  102/1/96: 192.168.30.5/30

ANP: My_App

EPG Tag: Web (VLAN 10), Security Zone
  Hosts: 192.168.10.11/22, 192.168.10.12/22
  Communication allowed to all External Subnets (External EPG 0.0.0.0/0; permit access to all remote subnets: 0.0.0.0/0)
  Communication allowed to App

EPG Tag: App (VLAN 11), Security Zone
  Hosts: 192.168.10.21/22, 192.168.10.22/22
  Communication allowed to 10.1.1.0/24 (External EPG 10.1.1.0/24; permit access to remote subnet: 10.1.1.0/24)
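The tenant operations listed under ACI Tenant Administrator Tasks and the My_Tenant / My_App design above are the same whitelist model: nothing passes between two EPGs, or between an EPG and a subnet behind the L3out, unless a contract joins them. The Python below is an added example, not CloudCenter's or UCS Director's output, that builds the APIC JSON for the tenant, VRF, bridge domain (with the slide's proxy, ARP and routing flags), L3out external EPGs for 0.0.0.0/0 and 10.1.1.0/24, the Web and App EPGs, and the contracts and filters between them, and then evaluates which pairs the policy lets talk. Contract names, filter ports and the L3out name are assumptions, and the OSPF interfaces of the L3out are left out.

```python
"""Tenant whitelist policy for the My_Tenant / My_App example, as APIC JSON.

Added example; not CloudCenter or UCS Director output. Contract names, filter
ports and the L3out name are assumptions, and the OSPF interfaces of the
L3out are left out. Class and attribute names are APIC's own.
"""
import json
from itertools import product
from typing import Dict, List, Set, Tuple


def mo(cls: str, attrs: Dict[str, str], children: List[dict] = None) -> dict:
    """Wrap a managed object in the {class: {attributes, children}} envelope."""
    body = {"attributes": attrs}
    if children:
        body["children"] = children
    return {cls: body}


def contract(name: str, proto: str, port: str) -> List[dict]:
    """A contract whose single subject references a one-entry filter (assumed ports)."""
    return [
        mo("vzFilter", {"name": f"{name}_flt"}, [
            mo("vzEntry", {"name": f"{proto}_{port}", "etherT": "ip", "prot": proto,
                           "dFromPort": port, "dToPort": port})]),
        mo("vzBrCP", {"name": name, "scope": "context"}, [
            mo("vzSubj", {"name": "subj", "revFltPorts": "yes"},
               [mo("vzRsSubjFiltAtt", {"tnVzFilterName": f"{name}_flt"})])]),
    ]


def epg(name: str, bd: str, provides: List[str], consumes: List[str]) -> dict:
    """EPG in the bridge domain; the static VLAN binding (fvRsPathAtt) is left out."""
    rels = [mo("fvRsBd", {"tnFvBDName": bd})]
    rels += [mo("fvRsProv", {"tnVzBrCPName": c}) for c in provides]
    rels += [mo("fvRsCons", {"tnVzBrCPName": c}) for c in consumes]
    return mo("fvAEPg", {"name": name}, rels)


def ext_epg(name: str, subnet: str, provides: List[str]) -> dict:
    """External EPG: the subnet classifies traffic arriving through the L3out."""
    children = [mo("l3extSubnet", {"ip": subnet, "scope": "import-security"})]
    children += [mo("fvRsProv", {"tnVzBrCPName": c}) for c in provides]
    return mo("l3extInstP", {"name": name}, children)


def my_tenant() -> dict:
    """Tenant, VRF, BD (flags as on the slide), L3out, ANP, EPGs and contracts."""
    bd = mo("fvBD", {"name": "192.168.10.x_22", "unicastRoute": "yes",
                     "arpFlood": "no", "unkMacUcastAct": "proxy"}, [
        mo("fvRsCtx", {"tnFvCtxName": "01"}),
        mo("fvSubnet", {"ip": "192.168.10.1/22", "scope": "public"}),
        mo("fvRsBDToOut", {"tnL3extOutName": "Area0"})])
    l3out = mo("l3extOut", {"name": "Area0"}, [
        mo("l3extRsEctx", {"tnFvCtxName": "01"}),
        ext_epg("ext_any", "0.0.0.0/0", provides=["web_to_ext"]),
        ext_epg("ext_10_1_1", "10.1.1.0/24", provides=["app_to_10_1_1"])])
    anp = mo("fvAp", {"name": "My_App"}, [
        epg("Web", "192.168.10.x_22", provides=[], consumes=["web_to_app", "web_to_ext"]),
        epg("App", "192.168.10.x_22", provides=["web_to_app"], consumes=["app_to_10_1_1"])])
    return mo("fvTenant", {"name": "My_Tenant"},
              [mo("fvCtx", {"name": "01"}), bd, l3out, anp]
              + contract("web_to_app", "tcp", "8080")
              + contract("web_to_ext", "tcp", "443")
              + contract("app_to_10_1_1", "tcp", "1433"))


def allowed_pairs(tenant: dict) -> Set[Tuple[str, str]]:
    """(consumer, provider) pairs joined by a contract; every other pair is dropped
    by the fabric, which is the whitelist property the security zones rely on."""
    prov: Dict[str, Set[str]] = {}
    cons: Dict[str, Set[str]] = {}

    def walk(obj: dict, owner: str) -> None:
        for cls, body in obj.items():
            a = body["attributes"]
            if cls in ("fvAEPg", "l3extInstP"):
                owner = a["name"]
            elif cls == "fvRsProv":
                prov.setdefault(a["tnVzBrCPName"], set()).add(owner)
            elif cls == "fvRsCons":
                cons.setdefault(a["tnVzBrCPName"], set()).add(owner)
            for child in body.get("children", []):
                walk(child, owner)

    walk(tenant, "")
    pairs: Set[Tuple[str, str]] = set()
    for c in prov.keys() & cons.keys():
        pairs |= set(product(cons[c], prov[c]))
    return pairs


if __name__ == "__main__":
    tenant = my_tenant()
    print(json.dumps(tenant, indent=1))
    print(sorted(allowed_pairs(tenant)))
```

Run as-is it reports Web to App, Web to ext_any and App to ext_10_1_1, and nothing else: App cannot initiate to Web or to arbitrary external subnets, and Web cannot reach 10.1.1.0/24. Because APIC returns a tenant in the same envelope (GET /api/mo/uni/tn-My_Tenant.json?rsp-subtree=full), allowed_pairs() run over that export is a quick way to confirm that an automated deployment opened no path the application profile did not ask for.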

Additional Resources

• CloudCenter Overview Video: https://www.youtube.com/watch?v=2ghFe5vwBK8 (learn how CloudCenter enables IT organizations to put the right workload in the right environment to take advantage of hybrid IT)

• CloudCenter and ACI Automation Video: https://www.youtube.com/watch?v=35ssaqhF8tw (get the full power and scale of SDN with Cisco CloudCenter and ACI together)

• CloudCenter with ServiceNow Video: https://www.youtube.com/watch?v=0u0ofdkUHNs (leverage your ServiceNow investment to get the benefits and controls of ITSM with the power of Cisco CloudCenter)

• Cisco dCloud: dCloud.cisco.com provides fully working environments of Cisco products; search for "Cisco CloudCenter 4.5 - Install, Configure, and Manage Lab v1"

• CloudCenter Installation Video: https://www.youtube.com/watch?v=kM-fiVlbB9A (once you've purchased CloudCenter, steps to perform a basic installation of the platform)

For more details, please visit: http://www.cisco.com/go/cloudcenter

Questions? Speak with your Cisco account team

Summary

Questions?


Other Sessions of Interest

• BRKACI-2301 – Practical Applications of Cisco ACI µSegmentation

• LTRACI-2800 - ACI microsegmentation deployment techtorial lab

• LABACI-1234 - ACI Micro Segmentation Lab

• LTRSEC-3001 - Deep Dive Lab on ASA, FTD, and Firepower in ACI

• BRKACI-2307 - Real World ACI L4-L7 Service Integration Design

• LTRSEC-2800 - Integrating Cisco TrustSec and Cisco ACI Together

• BRKACI-3403 - ACI and Container Networking


Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations


Thank you!