Copyright © 2015 World Wide Technology, Inc. All rights reserved.
Ansible Durham Meetup
Using Ansible for Cisco ACI deployment
17 June 2015
Joel W. King
Technical Solutions Architect
Enterprise Networking Solutions, Engineering and Innovations
whoami
• Software Defined Network Discipline Lead at World Wide Technology, Inc.
• Past Experience
  • NetApp – Technical Solutions Architect, Digital Video Surveillance – Big Data – E-Series
  • Cisco – Technical Leader - Enterprise Systems Engineering (ESE) – Cisco Validated Designs (CVDs)
  • Network Architect – AMP Incorporated – LAN / WAN design for 150 location global network
  • Flash cutover of AMP’s network from OSPF to EIGRP using Perl and Telnet ~ 1996
• CCIE No. 1846 (retired)
• Participated on Networking Panel at AnsibleFest NYC 2015
@joel_w_king
www.slideshare.net/joelwking
github.com/joelwking/ansible-aci
Agenda
• Why Ansible?
• How Ansible interfaces with Cisco Nexus Switches
  • Nexus 9000 Series NX-OS Programmability (NX-API)
  • Application Centric Infrastructure (ACI mode)
• Why we need automation for Software-Defined Networking (SDN)
• Ansible Modules for ACI
• Demo - Find the MAC address
• Demo - Apply ACI policy, run Docker application
• ACI workflow using Ansible, developing configuration libraries
• Summary
How I got started with Ansible
• Cisco Nexus switches have a variety of network programmability features.
• We had use cases with everything but Orchestration and NX-API.
• I thought installing an agent might be a pain point!
[Diagram: Nexus 9K programmability features – Power On Auto Provisioning (POAP); NX-API (RPC / REST API); Python interpreter and Bash shell (Introduction to Python Programming on Nexus Switches); Nexus Data Broker w/ REST API; NX-OS and ACI modes; Orchestration via the APIC REST API; OpenFlow; Security-Defined Routing]
… after a little research
• Downloaded The Benefits of Agentless Architecture
• Installed Ansible on Ubuntu in VirtualBox (the git:// transport used here is unauthenticated and has since been retired by GitHub; clone over https:// today):
  git clone git://github.com/ansible/ansible.git --recursive
• Found in the FAQs: ansible_connection=local
• Enabled NX-API on the switch. NX-API listens on HTTP and HTTPS; in production disable plain HTTP and restrict which hosts can reach the API ports:
  NEX-9396-A-TRNG-CLASS(config)# feature nxapi
  NEX-9396-A-TRNG-CLASS(config)# end
  NEX-9396-A-TRNG-CLASS# copy run start
  [###########################] 100%
  Copy complete.
• Wrote an Ansible module for NX-API!
NX-API Developer Sandbox
Cisco Application-Centric Infrastructure (ACI)
• A data center fabric with three components:
  • Nexus 9000 Series Switches and the Cisco Application Virtual Switch (AVS)
  • SDN architecture based on a policy framework for configuration, management, security
  • Cisco Application Policy Infrastructure Controllers (APIC)
• Nexus switches in the fabric are plug-n-play.
• All functions of the controller are exposed via REST APIs.
• The Web GUI is designed for initial configuration; for automation use the REST API, the Cisco APIC Python SDK (“cobra”) or the CLI (admin@apic1:aci>).
Cisco Nexus Data Center Switching
• If you are looking to Cisco for a Data Center switch, it will be a Nexus 9000.
• Nexus 9000 runs in either of two modes:
  • NX-OS
  • Application Centric Infrastructure – ACI
• Networks need Automation & Programmability.
• NX-API enables a northbound REST interface on individual NX-OS switches
  • Nexus 3000: NX-API supported from NX-OS 6.0(2)U4(1).
  • NX-OS release 7.x enables NX-API on Cisco Nexus 5000 and 6000
• APIC is the Software Defined Networking controller for ACI
• Ansible | Tower can be your automation engine.
Ansible and Nexus Switches
• Nexus 9K switches run either ACI mode or NX-OS mode.
• Enhancements to NX-OS include feature nxapi in Nexus 3K, 7K, 5K, etc.
• NX-API provides HTTP-based APIs for configuration management – XML or JSON
• Application Policy Infrastructure Controller – APIC is a CentOS-based central controller managing Nexus 9K in ACI mode.
• Ansible can manage the APIC either ‘agentless’ as a Linux host over SSH, or through local modules (connection: local) that call its REST API.
[Diagram: Ansible / Tower in the middle, agentless. Managed over SSH – TCP/22: ESX servers, Windows systems, Linux, Docker, Amazon Web Services. Managed with connection: local over HTTP(s) TCP/80:443: the APIC REST API (Nexus 9000 in ACI mode, CentOS controller) and NX-API (feature nx-api on Nexus 3000 | 9000). The APIC is also reached by users and the API over HTTP(s) TCP/80:443 and SSH – TCP/22, and depends on NTP – UDP/123 and LDAP – TCP/389. Playbooks come from GitHub over HTTPS TCP/443: github.com/joelwking/ansible-aci]
Why do I need automation with ACI?
• Using the ACI GUI is time consuming and prone to human error.
• WWT Integration Technology Center (ITC) is the hub of our global deployments and supply chain programs.
• Customers use the ITC to stage their data center infrastructure prior to deployment.
Ansible Modules
Ansible Core Modules
• APIC is a Linux host.
  $ ./bin/ansible -m setup APIC --ask-pass
  "ansible_distribution": "CentOS",
  "ansible_distribution_major_version": "6",
  "ansible_distribution_release": "Final",
  "ansible_distribution_version": "6.3",
• /etc/ansible/hosts
  [APIC]
  10.255.139.149 ansible_ssh_user=admin
• Using the APIC CLI interface in Ansible:
  https://github.com/joelwking/ansible-aci/blob/master/apic_cli_example.yml
Ansible ACI Modules
• aci_gather_facts.py
  • Gather Facts using Class or Managed Object Queries
  • https://youtu.be/Ec_ArXjgryo
• aci_install_config.py
  • Configures the fabric via the ACI controller (APIC) northbound REST API interface.
  • https://youtu.be/PGBYIxEsqU8
  • This module issues a POST of XML; the APIC will create or update the object as required.
  • Deletions are implemented by including status="deleted" in the XML
Gathering Facts: Types of Queries
• Managed Objects (MO) are abstract representations of a physical / logical entity.
• Contain a set of configurations and properties.
• Organized in a tree structure called the Management Information Tree.
  • Object-level query: GET /api/mo/uni/tn-ACME.json (returns the one object tn-ACME)
  • Class-level query: GET /api/class/fvTenant.json (returns every fvTenant: tn-mgmt, tn-infra, tn-ACME)
Managed Object Query
• Managed Object Queries and Class Queries are handled by the same module, aci_gather_facts.py
• The difference is the URI specified as argument to the module.
• In either case, the answer set is a list of objects; typically the Class Query will have more than one element in the list.
• If the REST call is successful, but the results are null, the list is empty.
• Example playbook for Managed Object query:
  https://github.com/joelwking/ansible-aci/blob/master/aci_mo_example.yml
Class Query: Find MAC address given IP
fvCEp: A client endpoint attaching to the network.
./bin/ansible-playbook find_macaddress.yml

---
# https://github.com/joelwking/ansible-aci/blob/master/find-macaddress.yml
- name: Ansible ACI Demo of gathering facts using a class query
  hosts: prod-01
  connection: local
  gather_facts: no
  vars:
    IPaddr: 198.51.100.4

  tasks:
  - name: Find the MAC address given an IP address
    aci_gather_facts:
      queryfilter: 'eq(fvCEp.ip, "{{IPaddr}}")'
      URI: /api/class/fvCEp.json
      host: "{{hostname}}"
      username: admin
      password: "{{password}}"

  - name: use msg format
    debug: msg=" ManagementIP {{ fvCEp[0].ip }} mac {{ fvCEp[0].mac }} encap {{ fvCEp[0].encap }} "

TASK: [use msg format] *****************************************
ok: [prod-01] => {
    "msg": " ManagementIP 198.51.100.4 mac 00:50:56:B6:1C:CC encap vlan-2142 "
}

Filter results based on the IP address specified.
Can anyone tell me the flaw in this logic?
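The flaw the slide asks about, as I read it: the debug task indexes fvCEp[0] without checking that the class query returned anything, so an IP with no endpoint yields an empty list and a failed task, and an IP that exists in more than one tenant or VRF silently reports whichever endpoint the APIC listed first. The Python below is an added example, not the code of aci_gather_facts.py or of the ansible-aci repository. It builds the class-query URI with the filter, flattens the APIC's JSON envelope into the plain list the module is described as returning, and handles the empty and ambiguous cases explicitly. The JSON responses are constructed to match the APIC envelope shape, not captured from a fabric, and the distinguished names in them are assumed.

```python
"""Class-query helper in the spirit of aci_gather_facts.py (added example).

The APIC answers a class query such as
    GET /api/class/fvCEp.json?query-target-filter=eq(fvCEp.ip,"198.51.100.4")
with {"totalCount": "N", "imdata": [{"fvCEp": {"attributes": {...}}}, ...]}.
"""
import json
from urllib.parse import urlencode


def class_query_path(cls, query_filter=None):
    """Build the URI the module would request; the filter is URL-encoded."""
    path = f"/api/class/{cls}.json"
    if query_filter:
        path += "?" + urlencode({"query-target-filter": query_filter})
    return path


def imdata_objects(response, cls):
    """Flatten an APIC JSON envelope into a list of attribute dicts for cls.

    A successful call with no matches has an empty 'imdata' and yields an
    empty list, which is the case fvCEp[0] in the playbook does not handle.
    """
    return [item[cls]["attributes"] for item in response.get("imdata", []) if cls in item]


def find_mac_for_ip(response, ip):
    """Return (mac, encap, dn) for the single endpoint carrying ip.

    Returns None when nothing matched and raises when the answer is
    ambiguous, instead of silently reporting the first hit.
    """
    hits = [e for e in imdata_objects(response, "fvCEp") if e.get("ip") == ip]
    if not hits:
        return None
    if len(hits) > 1:
        dns = ", ".join(e["dn"] for e in hits)
        raise ValueError(f"{ip} matched {len(hits)} endpoints: {dns}")
    ep = hits[0]
    return ep["mac"], ep["encap"], ep["dn"]


# Constructed sample responses (shape of the APIC envelope; not captured from a fabric).
ONE_MATCH = json.loads("""{"totalCount": "1", "imdata": [
  {"fvCEp": {"attributes": {"dn": "uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-SERVER/cep-00:50:56:B6:1C:CC",
                            "ip": "198.51.100.4", "mac": "00:50:56:B6:1C:CC", "encap": "vlan-2142"}}}]}""")

NO_MATCH = json.loads('{"totalCount": "0", "imdata": []}')

# The same IP in two tenants: legal in ACI because each tenant can carry its own VRF.
TWO_TENANTS = json.loads("""{"totalCount": "2", "imdata": [
  {"fvCEp": {"attributes": {"dn": "uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-SERVER/cep-00:50:56:B6:1C:CC",
                            "ip": "198.51.100.4", "mac": "00:50:56:B6:1C:CC", "encap": "vlan-2142"}}},
  {"fvCEp": {"attributes": {"dn": "uni/tn-OTHER/ap-APP/epg-WEB/cep-00:50:56:9A:00:01",
                            "ip": "198.51.100.4", "mac": "00:50:56:9A:00:01", "encap": "vlan-2200"}}}]}""")


if __name__ == "__main__":
    print(class_query_path("fvCEp", 'eq(fvCEp.ip, "198.51.100.4")'))
    print(find_mac_for_ip(ONE_MATCH, "198.51.100.4"))
    print(find_mac_for_ip(NO_MATCH, "198.51.100.4"))
    try:
        find_mac_for_ip(TWO_TENANTS, "198.51.100.4")
    except ValueError as exc:
        print("ambiguous:", exc)
```

In a playbook the equivalent is a `when: fvCEp | length == 1` guard (or a `failed_when` on the count) before anything dereferences fvCEp[0]; a troubleshooting policy built from the wrong endpoint is worse than no policy.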
Importing Playbook into Tower
• Logon Tower
• Create directory /var/lib/awx/projects/find-macaddress
• Copy the contents of the playbook into a file in the directory, e.g. find-macaddress.yml
• I commented out the variable, IPaddr; Tower will prompt.
• Create a project,
• Create a job template,
• Run job template.
Demo: Find the MAC address
https://youtu.be/t03ty5Y295U
Install ACI Configuration
• Ansible module aci_install_config.py
• Configures the fabric via the ACI controller (APIC) northbound REST API interface.
  • Reads the XML file specified as an argument
  • Authenticates with the APIC
  • Issues an HTTP POST to the URI specified
• Key Point
  • Gather Facts provided the MAC and ‘dn’ based on a Tenant and IP address
  • Now we can programmatically build a troubleshooting policy and load it into the tenant.
  • By automating the creation of monitoring and troubleshooting policies, we save time.
$ cat initiate_traceroute.yml
---
- name: Initiate Traceroute between two hosts
  hosts: prod-01
  connection: local
  gather_facts: no
  vars:
    local_path: /home/administrator/ansible/CFGS
    fvTenant: A10_DEMO

  tasks:
  - name: Install the traceroute configuration
    aci_install_config:
      xml_file: "{{ local_path }}/traceroutepTrEp_A10_clientserver.xml"
      URI: "/api/mo/uni/tn-{{fvTenant}}.xml"
      host: "{{hostname}}"
      username: admin
      password: "{{password}}"

Install ACI Configuration
Endpoint-to-Endpoint Traceroute Policy
./bin/ansible-playbook initiate_traceroute.yml

<fvTenant>
  <traceroutepTrEp adminSt="start" descr="traceroute policy for client to server 10" dn="uni/tn-A10_DEMO/trEp-CLIENT_SERVER10" name="CLIENT_SERVER10" payloadSz="1460">
    <traceroutepRsTrEpSrc tDn="uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-CLIENT/cep-00:50:56:9A:79:5C"/>
    <traceroutepRsTrEpDst tDn="uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-SERVER/cep-00:50:56:9A:6A:03"/>
  </traceroutepTrEp>
</fvTenant>
traceroutepTrEp_A10_clientserver.xml
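Added example, not the code of aci_install_config.py, showing in Python the three steps the module is described as performing: the aaaLogin exchange that yields the session token the APIC expects back as the APIC-cookie, generating the traceroute policy XML from the endpoint dn values found by the class query instead of hand-editing the file (including the status="deleted" variant used to remove the policy again), and the POST to /api/mo/uni/tn-<tenant>.xml. The APIC hostname, the login reply and the token are constructed, so everything except send() runs offline; send() verifies the controller's TLS certificate rather than disabling verification the way lab scripts often do. Whatever drives this should take the password from Ansible Vault or a prompt, not a plaintext vars: block.

```python
"""Build and apply an ACI configuration the way aci_install_config.py does
(added example, not the module's code). Runs offline: only request and
response construction is exercised; send() is there for a real APIC.
"""
import json
import ssl
import urllib.request
import xml.etree.ElementTree as ET


def login_request(apic, username, password):
    """URL and JSON body for POST /api/aaaLogin.json."""
    body = {"aaaUser": {"attributes": {"name": username, "pwd": password}}}
    return f"https://{apic}/api/aaaLogin.json", json.dumps(body)


def token_from_login(response):
    """Pull the session token out of the aaaLogin reply envelope."""
    return response["imdata"][0]["aaaLogin"]["attributes"]["token"]


def traceroute_policy(tenant, name, src_cep_dn, dst_cep_dn, payload_sz=56, deleted=False):
    """Return the <fvTenant> XML for a traceroutepTrEp, optionally marked for deletion."""
    root = ET.Element("fvTenant")
    pol = ET.SubElement(root, "traceroutepTrEp",
                        name=name, adminSt="start", payloadSz=str(payload_sz),
                        dn=f"uni/tn-{tenant}/trEp-{name}")
    if deleted:
        pol.set("status", "deleted")   # APIC removes the MO instead of creating/updating it
    ET.SubElement(pol, "traceroutepRsTrEpSrc", tDn=src_cep_dn)
    ET.SubElement(pol, "traceroutepRsTrEpDst", tDn=dst_cep_dn)
    return ET.tostring(root, encoding="unicode")


def policy_summary(xml_text):
    """Parse a policy document back into a small dict (round-trip check)."""
    pol = ET.fromstring(xml_text).find("traceroutepTrEp")
    return {"dn": pol.get("dn"), "status": pol.get("status"),
            "src": pol.find("traceroutepRsTrEpSrc").get("tDn"),
            "dst": pol.find("traceroutepRsTrEpDst").get("tDn")}


def install_config_request(apic, tenant, token, xml_body):
    """The POST the module issues; the token travels back as the APIC-cookie."""
    return urllib.request.Request(
        f"https://{apic}/api/mo/uni/tn-{tenant}.xml",
        data=xml_body.encode(), method="POST",
        headers={"Cookie": f"APIC-cookie={token}", "Content-Type": "application/xml"})


def send(req, cafile=None):
    """Send a request, verifying the APIC certificate (cafile for a private CA)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.read().decode()


# Constructed aaaLogin reply: envelope shape only, the token is not real.
LOGIN_REPLY = {"totalCount": "1", "imdata": [{"aaaLogin": {"attributes": {
    "token": "ZXhhbXBsZS10b2tlbg==", "refreshTimeoutSeconds": "600"}}}]}

# Endpoint dn values as the class query on the previous slides returns them.
SRC = "uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-CLIENT/cep-00:50:56:9A:79:5C"
DST = "uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-SERVER/cep-00:50:56:9A:6A:03"

if __name__ == "__main__":
    token = token_from_login(LOGIN_REPLY)
    xml_body = traceroute_policy("A10_DEMO", "CLIENT_SERVER10", SRC, DST)
    req = install_config_request("apic1.example.net", "A10_DEMO", token, xml_body)   # hostname assumed
    print(req.get_method(), req.full_url)
    print(xml_body)
    print(traceroute_policy("A10_DEMO", "CLIENT_SERVER10", SRC, DST, deleted=True))
    # send(req, cafile="/etc/pki/apic-ca.pem")  # against a real APIC
```

The same POST endpoint is used for creation and deletion; only the status attribute differs, which is why a module that posts whatever XML it is handed needs the file contents reviewed as carefully as a CLI change.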
Ansible Tower – Apply ACI policy and run Docker app
• Tower initiates Python modules to apply policy to tenant in ACI fabric.
• Tower initiates Python application installed in Docker container on client machine.
[Diagram: x-docker-client (.10) in Bridge Domain TEST-NET-1, 192.0.2.0/24 (gateway .1); x-docker-server-1 (.10) in Bridge Domain TEST-NET-2, 198.51.100.0/24 (gateway .1); management network policy; app]
Demo: Apply ACI policy, run Docker app
https://youtu.be/t03ty5Y295U?t=1m49s
Developing Configuration Libraries
Using Playbooks to Organize your Workflow
• While developing ACI configurations, I found myself using Ansible Playbooks to organize my work.
• The total configuration is broken into distinct, verified steps.
• The configuration snippets can be shared among engineers as ACI ‘best practice’ configs.
• Repository on WWT’s GitHub Enterprise server: atc-ops / aci-config-templates
Configure via the GUI
[Workflow diagram, repeated on each of the following slides with the current step highlighted: configure → Verify | test → Save XML → Incorporate into playbook → automate]
Verify and Test the configuration
Save the config snippet as XML
<fvTenant>
  <traceroutepTrEp adminSt="start" descr="traceroute policy for client to server 10" dn="uni/tn-A10_DEMO/trEp-CLIENT_SERVER10" name="CLIENT_SERVER10" ownerKey="" ownerTag="" payloadSz="56">
    <traceroutepRsTrEpSrc tDn="uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-CLIENT/cep-00:50:56:9A:79:5C"/>
    <traceroutepRsTrEpDst tDn="uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-SERVER/cep-00:50:56:9A:6A:03"/>
  </traceroutepTrEp>
</fvTenant>
Incorporate into Playbook
---
- name: Deploy Tenant for A10 ADC
  hosts: prod-01
  connection: local
  gather_facts: no
  vars:
    local_path: /home/administrator/ansible/CFGS
    fvTenant: A10_DEMO
    L4L7: vnsLDevVip_A10.xml

  tasks:
  - name: Loop through the variables to deploy the tenant
    aci_install_config:
      xml_file: "{{ local_path }}/{{ item }}"
      URI: "/api/mo/uni/tn-{{fvTenant}}.xml"
      host: "{{hostname}}"
      username: admin
      password: "{{password}}"
    with_items:
      - fvTenant_A10_DEMO.xml                  # Create Tenant
      - vzFilter_A10_TCP_SMALL_SERVERS.xml     # Create Filter
      - vzBrCP_A10_CONTRACT_SUBJ.xml           # Create Contract and Subject
      - fvCtx_A10_DEMO.xml                     # Create Private Network (VRF)
      - fvBD_A10_BRIDGE_DOMAIN.xml             # Create Bridge Domains
      - fvAP_A10_APP.xml                       # Create Application EPGs
      - traceroutepTrEp_A10_clientserver.xml   # Create traceroute policy
      - "{{ L4L7 }}"                           # Create L4-L7 Services
Automate
Configuration Libraries
• ACI needs a library of ‘best practice’ configurations.
• Network engineers create configurations using the APIC GUI.
• Configurations are tested, verified and then saved in XML.
• The configuration snippets are organized into a playbook.
• Only the with_items loop needs to be changed in the playbook.
• XML files can be converted into templates.
• Playbooks, XML and Templates stored in Git Repo.
Key Take-away
• Networks are evolving from individual devices to the SDN paradigm of a single fabric under a central controller.
• Cisco ACI is an SDN implementation which abstracts the network devices; the fabric is plug-n-play and provides central management and visibility.
• The GUI on top of an SDN controller isn't sufficient; we will still need automation
  • Eliminate the hands in operations:
    • No keyboard errors,
    • No incomplete configurations,
  • Build libraries of ‘best practice’ configurations.
• Network Engineers can use Ansible to automate Nexus switches to more closely align with DevOps.
Thanks to our sponsors… and contributors
www.slideshare.net/joelwking