RTP NPUG: Ansible Intro and Integration with ACI
10 August 2015
Joel W. King
Technical Solutions Architect
Enterprise Networking Solutions
Engineering and Innovations
Agenda
• Whoami, how I got started using Ansible
• Introduction to Ansible
• Demo – Power on VMs
• Demo – Power on VMs, copy file to Linux hosts
• Application Centric Infrastructure (ACI) Integration
• Why we need automation for Software-Defined Networking (SDN)
• Ansible Modules for ACI
• Demo- Find the MAC address
• Demo- Apply ACI policy, run Docker application
• ACI workflow using Ansible, developing configuration libraries
• APIC-EM Integration (time permitting)
• Discussion – Q and A
whoami
• At World Wide Technology, Inc. – Enterprise SDN, NetDevOps, Programmable Networks
• Past Experience
• NetApp – Technical Solutions Architect, Digital Video Surveillance – Big Data – E-Series
• Cisco – Technical Leader - Enterprise Systems Engineering (ESE) – Cisco Validated Designs (CVDs)
• Network Architect – AMP Incorporated – LAN / WAN design for 150 location global network
• Flash cutover of AMP’s network from OSPF to EIGRP using Perl and Telnet ~ 1996
• CCIE No. 1846 (retired)
• Participated on Networking Panel at AnsibleFest NYC 2015
joel.king@wwt.com | @joel_w_king | www.slideshare.net/joelwking | github.com/joelwking/
How I got started with Ansible…
• Cisco Nexus switches have a variety of network programmability features.
• We had use cases with everything but Orchestration and NX-API.
• I thought installing an agent might be a pain point!
[Figure: Nexus programmability features – Power On Auto Provisioning (POAP); NX-API (RPC / REST API); Python interpreter and Bash shell on the Nexus 9K (Introduction to Python Programming on Nexus Switches); Nexus Data Broker with REST API; NX-OS and ACI; orchestration through the APIC REST API; OpenFlow; Security-Defined Routing]
… after a little research
• Downloaded The Benefits of Agentless Architecture
• Installed Ansible on Ubuntu in Virtual Box
git clone git://github.com/ansible/ansible.git --recursive
• Found in the FAQs: ansible_connection=local
• Enabled NX-API
NEX-9396-A-TRNG-CLASS(config)# feature nxapi
NEX-9396-A-TRNG-CLASS(config)# end
NEX-9396-A-TRNG-CLASS# copy run start
[###########################] 100%
Copy complete.
• Wrote an Ansible module for NX-API !
NX-API Developer Sandbox
Introduction to Ansible
Simple. Agentless. Powerful.
• Ansible uses SSH instead of agents.
• Python modules run locally or on target systems.
• Deploy applications
• Configuration management
• Network provisioning
• Playbooks are both human and machine readable.
• Large library of modules.
Push Based
• Chef and Puppet are “pull-based”
• The agent on the server periodically checks with the central server for configuration information. (The Chef agent by default checks with the Chef server every 30 minutes.)
• Chef uses a “convergent” model of configuration. As changes propagate through the nodes, the network as a whole converges to the desired configuration state.
• Ansible is “push-based”
• You run the playbook,
• Ansible connects to the target servers and executes the modules
• Push-based approach: you control when the changes are made on the server!
• No need to wait for a timer to fire.
Source: Ansible Up & Running & www.chef.io/solutions/configuration-management/
Lexicon
• Inventory: A file grouping host names and (optionally) variables.
• Playbooks: A design plan of tasks to act on one or more hosts.
• YAML: Data serialization format (not a markup language), more human readable than XML / JSON.
• Facts: Variables describing the target system.
• Tasks: An activity to be carried out, e.g. install package, configure interface.
• Modules: Python code to implement tasks.
• Idempotent: Producing the same results if executed once or multiple times.
• Jinja2: Templating language converting templates to configuration files.
Ansible and the Cisco Network
[Figure: Ansible / Tower (agentless, on CentOS) reaches Nexus 3000 | 9000 in NX-OS mode over NX-API, HTTP(S) TCP/80:443 (feature nx-api, connection: local); Nexus 9000 in ACI mode through the APIC REST API, HTTP(S) TCP/80:443; APIC-EM through its REST API; Cisco IOS over SSH TCP/22 via Paramiko; ESX Server, Windows Systems, Linux, Docker and Amazon Web Services; GitHub over HTTPS TCP/443 (github.com/joelwking/); users and the API over SSH TCP/22; LDAP TCP/389; NTP UDP/123]
• Provides “tool based” abstraction
• Low barrier to entry
• User written modules
• Common framework to manage controllers and individual devices
Both NX-API and the APIC answer on plain HTTP (TCP/80) as well as HTTPS (TCP/443), and over HTTP the login credentials cross the management network in the clear; point the automation host at TCP/443 only and keep TCP/80 closed.
$ python
Python 2.7.6 (default, Jun 22 2015, 17:58:13)
>>> import yaml
>>> playbook = yaml.load(open("add_local_user.yml", "r"))
>>> print playbook[0]["tasks"][0]["name"]
Add local user
What is YAML?
• YAML (rhymes with camel) is a data serialization format.
• Designed to be human and machine readable.
• Ansible playbooks are YAML format
• Syntax is designed to be mapped to data types in programming languages: lists, associative arrays (Python dictionaries), and scalar variables.
• The session above calls yaml.load; with the PyYAML default loader of that era it resolves tags such as !!python/object and can build arbitrary Python objects, so use yaml.safe_load for any file you did not write yourself.
Use Case: Power On
• ESXi hosts on ACI Demo Fabric were power cycled.
• VMs for ACI Tenant were in power-down state following reboot.
• Run playbook to power-up my demo VMs, rather than use vSphere Client
$ cat power_up_vms.yml
---
- hosts:
  connection: local
  user: administrator
  sudo: false
  gather_facts: false
  vars:
    vmware_guest_facts: yes
    joelking:
      - X-DOCKER-CLIENT
      - X-DOCKER-SERVER-1
      - X-DOCKER-SERVER-2
      - X-A10-vThunder
  tasks:
    - name: Power UP
      vsphere_guest:
        vcenter_hostname:
        username: administrator@vsphere.local
        password: **foo**
        guest: "{{item}}"
        state: powered_on
        esxi:
          datacenter: "ACI Demo DC"
          hostname:
      with_items: joelking
(The hosts, vCenter hostname and ESXi hostname values are blanked on the slide. The vCenter password is hard-coded in this first version; the next version of the playbook asks for it with vars_prompt.)
Demo: Power On virtual machines
Use Case: Copy File to VMs
• Modify playbook to list VM names and Ubuntu hosts in Inventory file
• Items under group [virtual_machines] are VM names, not DNS names
• Items under group [Ubuntu] are the DNS names of the Ubuntu hosts
• X-A10-vThunder is a virtual appliance, not a Ubuntu host
• When running a play, the values are referenced by the variable {{inventory_hostname}}
$ cat hosts
#
[aci]
aci-demo.sandbox.wwtatc.local ansible_connection=local ansible_ssh_user=kingjoe admin_uid=netdeploy
#
#
[server]
scp-server.sandbox.wwtatc.local ansible_ssh_user=administrator
#
[virtual_machines]
X-DOCKER-CLIENT
X-DOCKER-SERVER-1
X-DOCKER-SERVER-2
X-A10-vThunder
[Ubuntu]
X-DOCKER-CLIENT.sandbox.wwtatc.local
X-DOCKER-SERVER-1.sandbox.wwtatc.local
X-DOCKER-SERVER-2.sandbox.wwtatc.local
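The inventory above mixes two kinds of names: [virtual_machines] holds vCenter VM names that only the locally run vsphere_guest task can resolve, while [Ubuntu] holds DNS names that SSH can reach. The following is an added example, not code from the presentation: a small parser for this INI-style inventory (groups, hosts, key=value host variables; [group:vars] and [group:children] sections are deliberately not handled, and everything after a # is treated as a comment) plus a check for credentials stored inline, such as ansible_ssh_pass. The inventory text, including the ansible_ssh_pass line, is constructed for the example.

```python
"""Added example (not from the presentation): parse the INI-style inventory above and
flag credentials stored inline. [group:vars] and [group:children] are not handled."""
import shlex

# Constructed inventory: the groups from the slide, plus an ansible_ssh_pass that a
# review should refuse (the slide's playbook asks for that password with --ask-pass).
INVENTORY = """\
[aci]
aci-demo.sandbox.wwtatc.local ansible_connection=local ansible_ssh_user=kingjoe admin_uid=netdeploy
[server]
scp-server.sandbox.wwtatc.local ansible_ssh_user=administrator ansible_ssh_pass=Secret123
[virtual_machines]
X-DOCKER-CLIENT
X-DOCKER-SERVER-1
X-A10-vThunder
[Ubuntu]
X-DOCKER-CLIENT.sandbox.wwtatc.local
X-DOCKER-SERVER-1.sandbox.wwtatc.local
"""

# Variables Ansible reads as passwords; any of them in an inventory file is a cleartext secret.
SECRET_VARS = ("ansible_ssh_pass", "ansible_password", "ansible_sudo_pass", "ansible_become_pass")


def parse_inventory(text):
    """Return {group: {host: {var: value}}}. Hosts listed before any [group] header
    go into "ungrouped"; text after a # and blank lines are ignored (a simplification)."""
    groups = {}
    current = "ungrouped"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            groups.setdefault(current, {})
            continue
        tokens = shlex.split(line)          # copes with quoted values such as var="a b"
        host, hostvars = tokens[0], {}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep:
                hostvars[key] = value
        groups.setdefault(current, {})[host] = hostvars
    return groups


def hosts_in(groups, name):
    """Sorted host names of one group (empty list for an unknown group)."""
    return sorted(groups.get(name, {}))


def inline_secrets(groups):
    """(group, host, var) for every password-type variable stored in the file."""
    found = []
    for group, hosts in groups.items():
        for host, hostvars in hosts.items():
            found.extend((group, host, var) for var in hostvars if var in SECRET_VARS)
    return sorted(found)


if __name__ == "__main__":
    inv = parse_inventory(INVENTORY)
    print("VM names (vCenter):", hosts_in(inv, "virtual_machines"))
    print("Ubuntu hosts (DNS):", hosts_in(inv, "Ubuntu"))
    print("inline secrets:", inline_secrets(inv))
```

A play with hosts: virtual_machines and connection: local never opens SSH to those names, which is why the VM names work there; the same group under a play without connection: local would fail name resolution. The inline_secrets check is the kind of gate to run in the repo before a playbook is promoted into Tower, where credentials belong in Tower's credential store instead.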
Use Case: Copy File to VMs (continued)
$ cat power_up_vms.yml
---
- hosts: virtual_machines
  connection: local
  user: kingjoe
  sudo: false
  gather_facts: false
  vars:
    vmware_guest_facts: yes
  vars_prompt:
    - name: "vCenter_password"
      prompt: "Enter vCenter password"
      private: yes
  tasks:
    - name: Power UP my VMs
      vsphere_guest:
        vcenter_hostname:
        username: administrator@vsphere.local
        password: "{{vCenter_password}}"
        guest: "{{inventory_hostname}}"
        state: powered_on
        esxi:
          datacenter: "ACI Demo DC"
          hostname:

- hosts: Ubuntu
  user: administrator
  vars:
    MY_directory: "/tmp/ansible"
  tasks:
    - name: Create directory
      file: dest={{MY_directory}} state=directory mode=0755
    - name: Download a file to the directory
      get_url: url=http://docs.ansible.com/ansible/modules.html dest={{MY_directory}} mode=0666 validate_certs=no

$ ansible-playbook -i hosts power_up_vms.yml --ask-pass
Note: this is an example of running modules locally and on remote systems from the same playbook. Two things to tidy before reusing it: validate_certs=no turns off TLS certificate checking (it does nothing for this http:// URL and should be dropped rather than carried into an https:// task), and mode=0666 makes the downloaded file world-writable.
Demo: Modify Power On virtual machines playbook to use inventory file, Copy file to Linux hosts
Ansible Tower
Ansible Enterprise Automation
Ansible Open Source: Simple. Agentless. Powerful.
/ Uses OpenSSH
/ No extra code to manage
/ Ready for cloud-scale
/ Uses YAML for playbooks
/ No special coding skills needed
/ Fast learning curve
/ App deployment
/ Orchestration
/ Configuration management
Ansible Tower: Control. Security. Delegation.
/ Role-Based Access Control
/ Delegation of credentials/keys
/ Audit trail for automation
/ Centralized job runs
/ Job scheduling
/ Automation dashboard
/ Push-button job execution
/ Portal mode for delegation
/ REST API for integration
Ansible Tower: the best way to run Ansible in your organization.
• Push-button launch: launch automation jobs with a button
• Access control: role-based access control & LDAP integration
• Delegation of credentials: delegate credentials without giving away secrets
• Scheduling: schedule automation jobs (great for periodic remediation)
• Inventory management: graphically manage your internal & cloud resources
• API & CLI: documented RESTful API and Tower CLI to integrate Tower into your tools
• Auditing: see a full Ansible job history with drill-in details
Ansible Up & Running
Network automation going mainstream #netdevops
Application Centric Infrastructure (ACI)
Cisco Nexus Data Center Switching
• If you are looking to Cisco for a Data Center switch, it will be a Nexus 9000.
• Nexus 9000 runs in either of two modes:
• NX-OS
• Application Centric Infrastructure – ACI
• Networks need Automation & Programmability.
• NX-API enables a northbound REST interface on individual NX-OS switches
• Nexus 3000: NX-API supported from NX-OS 6.0(2)U4(1).
• NX-OS release 7.x enables NX-API on Cisco Nexus 5000 and 6000
• APIC is the Software Defined Networking controller for ACI
• Ansible | Tower can be your automation engine.
Why do I need automation with ACI?
• Using the ACI GUI is time consuming and prone to human error.
• WWT Integration Technology Center (ITC) is the hub of our global deployments and supply chain programs.
• Customers use the ITC to stage their data center infrastructure prior to deployment.
Cisco Application-Centric Infrastructure (ACI)
• A data center fabric with three components:
• Nexus 9000 Series Switches and the Cisco Application Virtual Switch (AVS)
• SDN architecture based on a policy framework for configuration, management, security
• Cisco Application Policy Infrastructure Controllers (APIC)
• Nexus switches in the fabric are plug-n-play.
• All functions of the controller are exposed via REST APIs.
• The Web GUI is designed for initial configuration; the REST API, the Cisco APIC Python SDK (“cobra”) and the CLI (admin@apic1:aci>) are the tools for automation.
Ansible and Nexus Switches
• Nexus 9K switches run either ACI mode or NX-OS mode.
• Enhancements to NX-OS including feature nx-api in Nexus 3K, 7K, 5K, etc.
• NX-API provides HTTP based APIs for configuration management – XML or JSON
• Application Policy Infrastructure Controller – APIC is an SDN controller managing Nexus 9K in ACI mode.
• Servers, applications, and network can be managed in a single playbook.
[Figure: the same topology as “Ansible and the Cisco Network” above: Ansible / Tower (agentless, on CentOS) to Nexus 3000 | 9000 over NX-API, HTTP(S) TCP/80:443 (feature nx-api, connection: local); to Nexus 9000 in ACI mode through the APIC REST API, HTTP(S) TCP/80:443; to ESX Server, Windows Systems, Linux and Docker over SSH TCP/22; GitHub HTTPS TCP/443; users and the API over SSH TCP/22; LDAP TCP/389; NTP UDP/123]
Ansible ACI Modules
• aci_gather_facts.py
• Gather Facts using Class or
Managed Object Queries
• https://youtu.be/Ec_ArXjgryo
• aci_install_config.py
• Configures the fabric via
ACI controller (APIC) northbound
REST API interface.
• https://youtu.be/PGBYIxEsqU8
• This module issues a POST of XML; the APIC will create or update the object as required.
• Deletions are implemented by including status="deleted" in the XML
Gathering Facts: Types of Queries
• Managed Objects (MO) are abstract representations of a physical / logical entity.
• They contain a set of configurations and properties.
• Organized in a tree structure called the Management Information Tree.
Object-level query: GET /api/mo/uni/tn-ACME.json returns the single managed object at that distinguished name (tn-ACME under uni).
Class-level query: GET /api/class/fvTenant.json returns every object of class fvTenant in the tree (tn-mgmt, tn-ACME, tn-infra).
Managed Object Query
• Managed Object Queries and Class Queries are handled by the same module, aci_gather_facts.py
• The difference is the URI specified as argument to the module.
• In either case, the answer set is a list of objects; typically the Class Query will have more than one element in the list.
• If the REST call is successful, but the results are null, the list is empty.
• Example playbook for Managed Object query: https://github.com/joelwking/ansible-aci/blob/master/aci_mo_example.yml
Class Query: Find MAC address given IP
fvCEp A client endpoint attaching to the network.
./bin/ansible-playbook find_macaddress.yml
---
# https://github.com/joelwking/ansible-aci/blob/master/find-macaddress.yml
- name: Ansible ACI Demo of gathering facts using a class query
  hosts: prod-01
  connection: local
  gather_facts: no
  vars:
    IPaddr:
  tasks:
    - name: Find the MAC address given an IP address
      aci_gather_facts:
        queryfilter: 'eq(fvCEp.ip, "{{IPaddr}}")'
        URI: /api/class/fvCEp.json
        host: "{{hostname}}"
        username: admin
        password: "{{password}}"
    - name: use msg format
      debug: msg=" ManagementIP {{ fvCEp[0].ip }} mac {{ fvCEp[0].mac }} encap {{ fvCEp[0].encap }} "

TASK: [use msg format] *****************************************
ok: [prod-01] => {
    "msg": " ManagementIP            mac 00:50:56:B6:1C:CC encap vlan-2142 "
}
Filter results based on ip address specified
Can anyone tell me the flaw in this logic?
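Before trusting fvCEp[0] in the debug task above, two cases from the previous slide need handling: a successful call with no matches returns an empty list, so fvCEp[0] fails, and a class query can return more than one endpoint (the same address can appear in several tenants or VRFs). A third thing to check is the filter itself: {{IPaddr}} is interpolated straight into eq(fvCEp.ip, "..."), and in Tower it is a prompted value. The following is an added example, not the presenter's aci_gather_facts module: it accepts only a literal IP address before building the filter, then reads an APIC class-query reply (constructed here in the documented {"totalCount": ..., "imdata": [...]} shape, with made-up MACs and RFC 5737 addresses) and reports none / one / ambiguous instead of indexing [0].

```python
"""Added example (not the presenter's aci_gather_facts module): validate the IP that
goes into the fvCEp class-query filter and handle 0, 1 or N endpoints in the reply."""
import ipaddress
import json

# Constructed APIC reply in the documented shape {"totalCount": "N", "imdata": [...]}.
# The MACs are made up; 192.0.2.1 deliberately appears in two tenants, as it would when
# two VRFs use overlapping address space.
SAMPLE_RESPONSE = json.dumps({
    "totalCount": "3",
    "imdata": [
        {"fvCEp": {"attributes": {
            "dn": "uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-CLIENT/cep-00:50:56:9A:79:5C",
            "ip": "192.0.2.10", "mac": "00:50:56:9A:79:5C", "encap": "vlan-2142"}}},
        {"fvCEp": {"attributes": {
            "dn": "uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-SERVER/cep-00:50:56:9A:6A:03",
            "ip": "192.0.2.1", "mac": "00:50:56:9A:6A:03", "encap": "vlan-2143"}}},
        {"fvCEp": {"attributes": {
            "dn": "uni/tn-OTHER/ap-APP/epg-WEB/cep-00:50:56:B6:1C:CC",
            "ip": "192.0.2.1", "mac": "00:50:56:B6:1C:CC", "encap": "vlan-2142"}}},
    ],
})


def build_query_url(ip_text):
    """Return the class-query URL for one address, or None if the input is not a
    literal IP. The playbook drops {{IPaddr}} straight into eq(fvCEp.ip, "...");
    refusing anything that does not parse keeps a prompted value from rewriting
    the filter (for instance closing the quote and appending a second condition)."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    return '/api/class/fvCEp.json?query-target-filter=eq(fvCEp.ip,"%s")' % addr


def parse_endpoints(body):
    """Flatten imdata into plain dicts; a successful call with no matches gives []."""
    doc = json.loads(body)
    endpoints = []
    for entry in doc.get("imdata", []):
        attrs = entry.get("fvCEp", {}).get("attributes", {})
        if attrs:
            endpoints.append({k: attrs.get(k) for k in ("dn", "ip", "mac", "encap")})
    return endpoints


def classify(body, ip_text):
    """Return ("invalid", None), ("none", None), ("ok", mac) or ("ambiguous", [macs])
    rather than trusting fvCEp[0]. The reply is filtered again locally so that an
    unfiltered class query is handled the same way as a filtered one."""
    try:
        target = str(ipaddress.ip_address(ip_text.strip()))
    except ValueError:
        return ("invalid", None)
    matches = [e for e in parse_endpoints(body) if e["ip"] == target]
    if not matches:
        return ("none", None)
    if len(matches) > 1:
        return ("ambiguous", sorted(e["mac"] for e in matches))
    return ("ok", matches[0]["mac"])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.1", "192.0.2.99", '1.2.3.4") or eq(fvCEp.mac,"x'):
        print("%-40r %s" % (ip, classify(SAMPLE_RESPONSE, ip)))
```

In the playbook the equivalent is a when: clause on fvCEp | length before the debug task, and a fail task for the ambiguous case; the MAC of the wrong tenant's endpoint is exactly what the later traceroute policy would be built on otherwise.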
Importing Playbook into Tower
• Log on to Tower
• Create directory /var/lib/awx/projects/find-macaddress
• Copy the contents of the playbook into a file in the directory, e.g. find-macaddress.yml
• I commented out the variable IPaddr; Tower will prompt.
• Create a project,
• Create a job template,
• Run job template.
Demo: Find the MAC address https://youtu.be/t03ty5Y295U
Install ACI Configuration
• Ansible module aci_install_config.py
• Configures the fabric via the ACI controller (APIC) northbound REST API interface.
• Reads the XML file specified as an argument
• Authenticates with the APIC
• Issues an HTTP POST to the URL specified.
• Key Point
• Gather Facts provided the MAC and ‘dn’ based on a Tenant and IP address
• Now we can programmatically build a troubleshooting policy and load it into the tenant.
• By automating the creation of monitoring and troubleshooting policies, we save time.
Ansible Tower – Apply ACI policy and run Docker app
• Tower initiates Python modules to apply policy to the tenant in the ACI fabric.
• Tower initiates a Python application installed in a Docker container on the client machine.
[Figure: Tower pushes the policy into the ACI fabric and the app onto x-docker-client; x-docker-client (.10) sits in bridge domain TEST-NET-1 /24 and x-docker-server-1 (.10) in bridge domain TEST-NET-2 /24, each with its gateway at .1, both reachable from Tower over the management network]
Demo: Apply ACI policy, run Docker app https://youtu.be/t03ty5Y295U?t=1m49s
Developing Configuration Libraries
Using Playbooks to Organize your Workflow
• While developing ACI configurations, I found myself using Ansible Playbooks to organize my work.
• The total configuration is broken into distinct, verified steps.
• The configuration snippets can be shared among engineers as ACI ‘best practice’ configs.
• Repository on WWT’s GitHub Enterprise server atc-ops / aci-config-templates
Workflow: configure (via the GUI) → verify | test → save XML → incorporate into playbook → automate
Configure via the GUI
Verify and Test the configuration
Save the config snippet as XML
<fvTenant>
  <traceroutepTrEp adminSt="start" descr="traceroute policy for client to server 10"
      dn="uni/tn-A10_DEMO/trEp-CLIENT_SERVER10" name="CLIENT_SERVER10" ownerKey="" ownerTag="" payloadSz="56">
    <traceroutepRsTrEpSrc tDn="uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-CLIENT/cep-00:50:56:9A:79:5C"/>
    <traceroutepRsTrEpDst tDn="uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-SERVER/cep-00:50:56:9A:6A:03"/>
  </traceroutepTrEp>
</fvTenant>
Incorporate into Playbook
---
- name: Deploy Tenant for A10 ADC
  hosts: prod-01
  connection: local
  gather_facts: no
  vars:
    local_path: /home/administrator/ansible/CFGS
    fvTenant: A10_DEMO
    L4L7: vnsLDevVip_A10.xml
  tasks:
    - name: Loop through the variables to deploy the tenant
      aci_install_config:
        xml_file: "{{ local_path }}/{{ item }}"
        URI: "/api/mo/uni/tn-{{fvTenant}}.xml"
        host: "{{hostname}}"
        username: admin
        password: "{{password}}"
      with_items:
        - fvTenant_A10_DEMO.xml                 # Create Tenant
        - vzFilter_A10_TCP_SMALL_SERVERS.xml    # Create Filter
        - vzBrCP_A10_CONTRACT_SUBJ.xml          # Create Contract and Subject
        - fvCtx_A10_DEMO.xml                    # Create Private Network (VRF)
        - fvBD_A10_BRIDGE_DOMAIN.xml            # Create Bridge Domains
        - fvAP_A10_APP.xml                      # Create Application EPGs
        - traceroutepTrEp_A10_clientserver.xml  # Create traceroute policy
        - "{{ L4L7 }}"                          # Create L4-L7 Services
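The steps under Install ACI Configuration (read the XML, authenticate, POST it) and the loop above push every file in with_items to /api/mo/uni/tn-{{fvTenant}}.xml. The snippets carry absolute dn and tDn references, and status="deleted" on an element is an instruction to remove that object, so a file taken from a shared library can reach outside the tenant named in the play or delete things. The following is an added example, not the presenter's aci_install_config module: a pre-push check that every dn/tDn stays inside the target tenant (tn-common is allowed because its objects are shared by design; other prefixes such as physical domains can be passed in) and that nothing is marked deleted unless the caller says so. The snippet is constructed for the example; it uses the standard-library XML parser because the files come from your own repository, and XML from an untrusted source should go through defusedxml instead.

```python
"""Added example, not the presenter's aci_install_config module: vet an ACI XML snippet
before it is POSTed to /api/mo/uni/tn-<tenant>.xml."""
import xml.etree.ElementTree as ET  # fine for snippets from our own repo; use defusedxml for untrusted XML

# Constructed snippet modelled on the traceroute policy above, with two things added on
# purpose: a destination relation that points into another tenant, and a bridge domain
# carrying status="deleted", which the APIC treats as an instruction to delete it.
SNIPPET = """<fvTenant>
  <traceroutepTrEp adminSt="start" dn="uni/tn-A10_DEMO/trEp-CLIENT_SERVER10" name="CLIENT_SERVER10">
    <traceroutepRsTrEpSrc tDn="uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-CLIENT/cep-00:50:56:9A:79:5C"/>
    <traceroutepRsTrEpDst tDn="uni/tn-OTHER/ap-SMALL_SERVERS/epg-SERVER/cep-00:50:56:9A:6A:03"/>
  </traceroutepTrEp>
  <fvBD name="OLD_BD" dn="uni/tn-A10_DEMO/BD-OLD_BD" status="deleted"/>
</fvTenant>"""


def check_snippet(xml_text, tenant, allow_delete=False, extra_prefixes=()):
    """Return a list of findings; an empty list means the snippet only references the
    target tenant (plus tn-common, whose objects are shared on purpose) and asks for
    no deletions. extra_prefixes lets the caller allow e.g. "uni/phys-" domains."""
    own = "uni/tn-%s" % tenant
    allowed = (own + "/", "uni/tn-common/") + tuple(extra_prefixes)
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr in ("dn", "tDn"):
            ref = elem.get(attr)
            if ref is None:
                continue
            # the tenant object itself may carry dn="uni/tn-<tenant>" with no trailing slash
            if ref != own and not ref.startswith(allowed):
                findings.append("%s %s=%s is outside tenant %s" % (elem.tag, attr, ref, tenant))
        if elem.get("status") == "deleted" and not allow_delete:
            findings.append("%s %s requests deletion" % (elem.tag, elem.get("dn") or elem.get("name")))
    return findings


def gate(files, tenant):
    """Mirror the with_items loop: {filename: xml} in, {filename: findings} out for
    every file that must not be pushed as-is."""
    failed = {}
    for name, xml in files.items():
        findings = check_snippet(xml, tenant)
        if findings:
            failed[name] = findings
    return failed


if __name__ == "__main__":
    for line in check_snippet(SNIPPET, "A10_DEMO"):
        print(line)
```

Run gate() over the CFGS directory in a pre-commit hook or as a task before the aci_install_config loop; a file that needs a deletion or a cross-tenant reference then has to say so explicitly (allow_delete, extra_prefixes) in the playbook that uses it, where a reviewer will see it.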
Configuration Libraries
• ACI needs a library of ‘best practice’ configurations.
• Network engineers create configurations using the GUI.
• Configurations are tested, verified and then saved in XML.
• The configuration snippets are organized into a library.
• Only the with_items loop needs to be changed in the playbook.
• XML files can be converted into templates.
• Playbooks, XML and Templates are stored in a Git Repo.
Key Take-away
• Networks are evolving from individual devices to the SDN paradigm
of a single fabric under a central controller.
• Cisco ACI is an SDN implementation which abstracts the network devices,
the fabric is plug-n-play, provides central management and visibility.
• The GUI on top of an SDN controller isn't sufficient and we will still need automation
• Eliminate the hands in operations -
• No keyboard errors,
• No incomplete configurations,
• Build libraries of ‘best practice’ configurations.
• Network Engineers can use Ansible to automate Nexus switches to more closely align with
APIC-EM Integration
• Ansible is an open source automation tool.
• Designed to be easy for anyone to understand and learn.
• Written module to apply configuration changes to Cisco IOS
• Requires an inventory file to identify target routers and switches to apply a baseline configuration.
• APIC-EM is an SDN controller for legacy LAN/WAN devices.
• Single source of truth.
• Provides inventory to Ansible by discovery of Cisco IOS devices in the network.
• Python module to integrate the two applications.
Understanding the Network
• You can’t automate what you don’t understand!
• Discovery based on IP address ranges
• Initiated either via the GUI or the northbound API
• Discovered Devices
“you used the northbound API, put two disparate pieces of technology together and made them work better than they can individually.”
Phil Casini, Director Product Management for Cisco’s LAN/WAN SDN controller APIC EM.
Advanced Technology Center (ATC)
Using APIC-EM as the single source of truth.
1. apic_em_gather_facts
   Query the APIC-EM controller for a list of discovered devices.
2. cisco_ios_install_config
   Updates running config of discovered devices.
---
- name: Integration of APIC-EM with Ansible
  connection: local
  gather_facts: no
  vars:
    ansible_ssh_user: administrator
    enablepw: xxxxx
    password: xxxxx
  tasks:
    - name: Use APIC-EM controller to return a list of discovered devices
      apic_em_gather_facts:
        username: bob
        password: xxxxxx
    - name: Install the configuration file
      cisco_ios_install_config:
        URI: ftp://ftpuser:xxxxx@
        host: "{{ item }}"
        username: admin
        enablepw: "{{ enablepw }}"
        password: "{{ password }}"
        debug: off
      with_items: mgmtIp
Note the credentials here: the SSH, enable and APIC-EM passwords sit in plain text in the play's vars, and the configuration file is fetched over FTP with the FTP password embedded in the URI, so they rest and travel in the clear. The vars_prompt pattern from the power-up playbook, or Tower's delegation of credentials, keeps them out of the file.
ip name-server vrf management
ip http server
ip http secure-server
ip access-list extended ACL-AGENT-REDIRECT
remark explicitly prevent DNS from being redirected to address a bug
deny udp any any eq domain
remark redirect HTTP traffic only
permit tcp any any eq www
remark all other traffic will be implicitly denied from the redirection
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
deny ip any any log
Execute the Playbook in Ansible Tower
Thanks to our sponsors
Slides are available at:
"It is no longer about writing 300,000 lines of code. It is about writing as little code as possible to get that rapid speed."
Tim Vanderham, the head of development for IBM Bluemix and IBM Cloud Marketplace.
Cultivating the API Economy
RTP NPUG: Ansible Intro and Integration with ACI

RTP NPUG: Ansible Intro and Integration with ACI

  • 1. Copyright © 2015 World Wide Technology, Inc. All rights reserved. RTP NPUG Ansible Intro and Integration with ACI 10 August 2015 Joel W. King Technical Solutions Architect Enterprise Networking Solutions Engineering and Innovations
  • 2. Agenda • Whoami, how I got started using Ansible • Introduction to Ansible • Demo – Power on VMs • Demo – Power on VMs, copy file to Linux hosts • Application Centric Infrastructure (ACI) Integration • Why we need automation for Software-Defined Networking (SDN) • Ansible Modules for ACI • Demo- Find the MAC address • Demo- Apply ACI policy, run Docker application • ACI workflow using Ansible, developing configuration libraries • APIC-EM Integration (time permitting) • Discussion – Q and A
  • 3. whoami • At World Wide Technology, Inc. – Enterprise SDN, NetDevOps, Programmable Networks • Past Experience • NetApp – Technical Solutions Architect, Digital Video Surveillance – Big Data – E-Series • Cisco – Technical Leader - Enterprise Systems Engineering (ESE) – Cisco Validated Designs (CVDs) • Network Architect – AMP Incorporated – LAN / WAN design for 150 location global network • Flash cutover of AMP’s network from OSPF to EIGRP using Perl and Telnet ~ 1996 • CCIE No. 1846 (retired) • Participated on Networking Panel at AnsibleFest NYC 2015 joel.king@wwt.com @joel_w_king www.slideshare.net/joelwking github.com/joelwking/
  • 4. How I got started with Ansible… • Cisco Nexus switches have a variety of network programmability features. • We had use cases with everything but Orchestration and NX-API. • I thought installing an agent might be a pain point! Power On Auto Provisio ning (POAP) Nexus 9K NX-API RPC / REST API Python Interpreter Bash shell Introduction to Python Programming on Nexus Switches Nexus Data Broker w/ REST API NXOS ACI Orchestration APIC REST API OpenFlow Security-Defined Routing
  • 5. … after a little research • Downloaded The Benefits of Agentless Architecture • Installed Ansible on Ubuntu in Virtual Box git clone git://github.com/ansible/ansible.git --recursive • Found in the FAQs: ansible_connection=local • Enabled NX-API NEX-9396-A-TRNG-CLASS(config)# feature nxapi NEX-9396-A-TRNG-CLASS(config)# end NEX-9396-A-TRNG-CLASS# copy run start [###########################] 100% Copy complete. • Wrote an Ansible module for NX-API ! NX-API Developer Sandbox
  • 6. Introduction to Ansible • Ansible uses SSH instead of agents. • Python modules run locally or on target systems SIMPLE AGENTLESS POWERFUL • Deploy applications • Configuration management • Network provisioning • Playbooks are both human and machine readable. • Large library of modules.
  • 7. Pushed Based • Chef and Puppet are “pull-based” • The agent on the server periodically checks with the central server for configuration information. (Chef agent by default checks with Chef server every 30 minutes) • Chef uses a “convergent” model of configuration. As changes propagate through the nodes, the network as a whole converges to the desired configuration state. • Ansible is “push-based” • You run the playbook, • Ansible modules connect to the target servers and executes the modules • Push based approach - you control when the changes are made on the server! • No need to wait for a timer to fire. Source: Ansible Up & Running & www.chef.io/solutions/configuration-management/
  • 8. Lexicon • Inventory A file grouping host names and (optionally) variables. • Playbooks A design plan of tasks to act on one or more hosts. • YAML Markup language, more human readable than XML / JSON. • Facts Variables describing the target system. • Tasks An activity to be carried out, e.g. install package, configure interface. • Modules Python code to implement tasks. • Idempotent Producing the same results if executed once or multiple times. • Jinja2 Templating language converting templates to configuration files
  • 9. Ansible and the Cisco Network SSH – TCP/22 Users, API NTP – UDP / 123 HTTP(s) TCP/80:443:22 HTTP(s) TCP/80:443 SSH – TCP/22 GitHub HTTPS TCP/443 LDAP – TCP / 389 ESX Server Windows Systems Linux DockerAmazon Web Services Agentless Ansible / Tower REST API connection: local feature nx-api Nexus 3000 | 9000 CentOS Nexus 9000 ACI github.com/joelwking/ PARAMIKO APIC-EM Cisco IOS • Provides “tool based” abstraction • Low barrier to entry • User written modules • Common framework to manage controllers and individual devices
  • 10. $ python Python 2.7.6 (default, Jun 22 2015, 17:58:13) >>> import yaml >>> playbook = yaml.load(open("add_local_user.yml", "r")) >>> print playbook[0]["tasks"][0]["name"] Add local user What is YAML? • YAML ( rhymes with camel) is a data serialization format. • Designed to be human and machine readable. • Ansible playbooks are YAML format • Syntax is designed to be mapped to data types in programming languages: lists, associative array (Python dictionaries), and scalar variables.
  • 11. Use Case: Power On • ESXi hosts on ACI Demo Fabric were power cycled. • VMs for ACI Tenant were in power-down state following reboot. • Run playbook to power-up my demo VMs, rather than use vSphere Client $ cat power_up_vms.yml --- - hosts: connection: local user: administrator sudo: false gather_facts: false vars: vmware_guest_facts: yes joelking: - X-DOCKER-CLIENT - X-DOCKER-SERVER-1 - X-DOCKER-SERVER-2 - X-A10-vThunder tasks: - name: Power UP vsphere_guest: vcenter_hostname: username: administrator@vsphere.local password: **foo** guest: "{{item}}" state: powered_on esxi: datacenter: "ACI Demo DC" hostname: with_items: joelking
  • 12. Demo: Power On virtual machines
  • 13. Use Case: Copy File to VMs • Modify playbook to list VM names and Ubuntu hosts in Inventory file • Items under group [virtual_machines[] are VM names not DNS names • Items under group [Ubuntu] • X-A10-vThunder is a virtual appliance, not a Ubuntu host • When running a play, the values are referenced by variable {{inventory_hostname}} $ cat hosts # [aci] aci-demo.sandbox.wwtatc.local ansible_connection=local ansible_ssh_user=kingjoe admin_uid=netdeploy # # [server] scp-server.sandbox.wwtatc.local ansible_ssh_user=administrator # [virtual_machines] X-DOCKER-CLIENT X-DOCKER-SERVER-1 X-DOCKER-SERVER-2 X-A10-vThunder [Ubuntu] X-DOCKER-CLIENT.sandbox.wwtatc.local X-DOCKER-SERVER-1.sandbox.wwtatc.local X-DOCKER-SERVER-2.sandbox.wwtatc.local
  • 14. Use Case: Copy File to VMs (continued) $ cat power_up_vms.yml --- - hosts: virtual_machines connection: local user: kingjoe sudo: false gather_facts: false vars: vmware_guest_facts: yes vars_prompt: - name: "vCenter_password" prompt: "Enter vCenter password" private: yes tasks: - name: Power UP my VMs vsphere_guest: vcenter_hostname: username: administrator@vsphere.local password: "{{vCenter_password}}" guest: "{{inventory_hostname}}" state: powered_on esxi: datacenter: "ACI Demo DC" hostname: - hosts: Ubuntu user: administrator vars: MY_directory: "/tmp/ansible" tasks: - name: Create directory file: dest={{MY_directory}} state=directory mode=0755 - name: Download a file to the directory get_url: url=http://docs.ansible.com/ansible/modules.html dest={{MY_directory}} mode=0666 validate_certs=no $ ansible-playbook -i hosts power_up_vms.yml --ask-pass Note: this is an example of running modules locally and on remote systems from the same playbook continued
  • 15. Demo: Modify Power On virtual machines playbook to use inventory file, Copy file to Linux hosts
  • 16. Ansible Tower Ansible Enterprise Automation Simple. Agentless. Powerful. Control. Security. Delegation. / Uses OpenSSH / No extra code to manage / Ready for cloud-scale / Uses YAML for playbooks / No special coding skills needed / Fast learning curve / App deployment / Orchestration / Configuration management / Role-Based Access Control / Delegation of credentials/keys / Audit trail for automation / Centralized job runs / Job scheduling / Automation dashboard / Push-button job execution / Portal mode for delegation / REST API for integration Ansible Open Source Ansible Tower
  • 17. PUSH-BUTTON LAUNCH Launch automation jobs with a button ACCESS CONTROL Role-based access control & LDAP integration DELEGATION OF CREDENTIALS Delegate credentials without giving away secrets SCHEDULING Schedule automation jobs (great for periodic remediation) INVENTORY MANAGEMENT Graphically manage your internal & cloud resources API & CLI Documented RESTful API and Tower CLI to integrate Tower into your tools AUDITING See a full Ansible job history with drill-in details ANSIBLE TOWER The best way to run Ansible in your organization.
  • 18. Ansible Up & Running
  • 19. Network automation going mainstream #netdevops
  • 21. Cisco Nexus Data Center Switching • If you are looking to Cisco for a Data Center switch, it will be a Nexus 9000. • Nexus 9000 runs in either of two modes: • NX-OS • Application Centric Infrastructure – ACI • Networks need Automation & Programmability. • NX-API enables a northbound REST interface on individual NX-OS switches • Nexus 3000 NX-API supported NX-OS 6.0(2)U4(1). • NX-OS release 7.x enables NX-API on Cisco Nexus 5000 and 6000 • APIC is the Software Defined Networking controller for ACI • Ansible | Tower can be your automation engine.
  • 22. Why do I need automation with ACI? • Using the ACI GUI is time consuming and prone to human error. • WWT Integration Technology Center (ITC) is the hub of our global deployments and supply chain programs. • Customers use the ITC to stage their data center infrastructure prior to deployment.
  • 23. Cisco Application-Centric Infrastructure (ACI) • A data center fabric with three components: • Nexus 9000 Series Switches and the Cisco Application Virtual Switch (AVS) • SDN architecture based on a policy framework for configuration, management, security • Cisco Application Policy Infrastructure Controllers (APIC) • Nexus switches in the fabric are plug-n-play. • All functions of the controller are exposed via REST APIs. • The Web GUI designed for initial configuration, a tool for automation. Cisco APIC Python SDK (“cobra”) CLI admin@apic1:aci>
  • 24. Ansible and Nexus Switches • Nexus 9K switches run either ACI mode or NX-OS mode. • Enhancements to NX-OS including feature nx-api in Nexus 3K, 7K, 5K, etc. • NX-API provide HTTP based APIs for configuration management – XML or JSON • Application Policy Infrastructure Controller – APIC is an SDNcontroller managing Nexus 9K in ACI mode. • Servers, applications, and network can be managed in a single playbook. SSH – TCP/22 Users, API NTP – UDP / 123 HTTP(s) TCP/80:443 HTTP(s) TCP/80:443 SSH – TCP/22 GitHub HTTPS TCP/443 LDAP – TCP / 389 ESX Server Windows Systems Linux Docker Agentless Ansible / Tower REST API connection: local feature nx-api Nexus 3000 | 9000 CentOS Nexus 9000
  • 25. Ansible ACI Modules • aci_gather_facts.py • Gather Facts using Class or Managed Object Queries • https://youtu.be/Ec_ArXjgryo • aci_install_config.py • Configures the fabric via ACI controller (APIC) northbound REST API interface. • https://youtu.be/PGBYIxEsqU8 • This module issues POST of XML, the APIC will create or update object as required. • Deletions implemented by including status="deleted“ in the XML APIC
  • 26. Gathering Facts: Types of Queries • Managed Objects (MO) are abstract representations of physical / logical entity. • Contain a set of configurations and properties. • Organized in a tree structure called the Management Information Tree. get /api/mo/uni/tn-ACME.jsonget /api/class/fvTenant.json tn-mgmt tn-ACMEtn-infra tn-mgmt tn-ACMEtn-infra Object-level queryClass-level query
  • 27. Managed Object Query • Managed Object Queries and Class Queries are handled by the same module, aci_gather_facts.py • The difference is the URI specified as argument to the module, • In either case, the answer set is a list of objects, typically the Class Query will have more than one element in the list. • If the REST call is successful, but the results are null, the list is empty. • Example playbook for Managed Object query: https://github.com/joelwking/ansible-aci/blob/master/aci_mo_example.yml
  • 28. Class Query: Find MAC address given IP fvCEp A client endpoint attaching to the network. ./bin/ansible-playbook find_macaddress.yml --- # https://github.com/joelwking/ansible-aci/blob/master/find-macaddress.yml - name: Ansible ACI Demo of gathering facts using a class query hosts: prod-01 connection: local gather_facts: no vars: IPaddr: tasks: - name: Find the MAC address given an IP address aci_gather_facts: queryfilter: 'eq(fvCEp.ip, "{{IPaddr}}")' URI: /api/class/fvCEp.json host: "{{hostname}}" username: admin password: "{{password}}" - name: use msg format debug: msg=" ManagementIP {{ fvCEp[0].ip }} mac {{ fvCEp[0].mac }} encap {{ fvCEp[0].encap }} " TASK: [use msg format] ***************************************** ok: [prod-01] => { "msg": " ManagementIP mac 00:50:56:B6:1C:CC encap vlan-2142 " } Filter results based on ip address specified Can anyone tell me the flaw in this logic?
  • 29. Importing Playbook into Tower • Logon Tower • Create directory /var/lib/awx/projects/find-macaddress • Copy the contents of the playbook into a file in the directory, e.g. find-macaddress.yml • I commented out the variable, IPaddr, Tower will prompt. • Create a project, • Create a job template, • Run job template.
  • 30. Demo: Find the MAC address https://youtu.be/t03ty5Y295U
  • 31. Install ACI Configuration • Ansible module aci_install_config.py • Configures the fabric via ACI controller (APIC) northbound REST API interface. • Reads the XML file specified as an argument • Authenticates with the APIC • Issues HTTP Post with the URL specified. • Key Point • Gather Facts provided the MAC and ‘dn’ based on a Tenant and IP address • Now we can programmatically build a troubleshooting policy and load into tenant. • By automating the creation of monitoring and troubleshooting policies, we save time.
  • 32. • Tower initiates Python modules to apply policy to tenant in ACI fabric. • Tower initiates Python application installed in Docker container on client machine. Ansible Tower – Apply ACI policy and run Docker app x-docker-client x-docker-server-1 .10 .1 .1 .10 / 24 TEST-NET-1 / 24 TEST-NET-2 Bridge Domain TEST-NET-2 Bridge Domain TEST-NET-1 management network policy app
  • 33. Demo: Apply ACI policy, run Docker app https://youtu.be/t03ty5Y295U?t=1m49s
• 35. Using Playbooks to Organize your Workflow
• While developing ACI configurations, I found myself using Ansible Playbooks to organize my work.
• The total configuration is broken into distinct, verified steps.
• The configuration snippets can be shared among engineers as ACI 'best practice' configs.
• Repository on WWT's GitHub Enterprise server: atc-ops / aci-config-templates
• 36. Configure via the GUI (workflow: configure → verify | test → save XML → incorporate into playbook → automate)
• 37. Verify and Test the configuration
• 38. Save the config snippet as XML
<fvTenant>
  <traceroutepTrEp adminSt="start" descr="traceroute policy for client to server 10" dn="uni/tn-A10_DEMO/trEp-CLIENT_SERVER10" name="CLIENT_SERVER10" ownerKey="" ownerTag="" payloadSz="56">
    <traceroutepRsTrEpSrc tDn="uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-CLIENT/cep-00:50:56:9A:79:5C"/>
    <traceroutepRsTrEpDst tDn="uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-SERVER/cep-00:50:56:9A:6A:03"/>
  </traceroutepTrEp>
</fvTenant>
• 39. Incorporate into Playbook
---
- name: Deploy Tenant for A10 ADC
  hosts: prod-01
  connection: local
  gather_facts: no
  vars:
    local_path: /home/administrator/ansible/CFGS
    fvTenant: A10_DEMO
    L4L7: vnsLDevVip_A10.xml
  tasks:
    - name: Loop through the variables to deploy the tenant
      aci_install_config:
        xml_file: "{{ local_path }}/{{ item }}"
        URI: "/api/mo/uni/tn-{{fvTenant}}.xml"
        host: "{{hostname}}"
        username: admin
        password: "{{password}}"
      with_items:
        - fvTenant_A10_DEMO.xml                  # Create Tenant
        - vzFilter_A10_TCP_SMALL_SERVERS.xml     # Create Filter
        - vzBrCP_A10_CONTRACT_SUBJ.xml           # Create Contract and Subject
        - fvCtx_A10_DEMO.xml                     # Create Private Network (VRF)
        - fvBD_A10_BRIDGE_DOMAIN.xml             # Create Bridge Domains
        - fvAP_A10_APP.xml                       # Create Application EPGs
        - traceroutepTrEp_A10_clientserver.xml   # Create traceroute policy
        - "{{ L4L7 }}"                           # Create L4-L7 Services
• Every snippet is wrapped in <fvTenant>, so all of them POST to the same tenant URI; order matters, since the filter and contract must exist before the EPGs that reference them.
• 41. Configuration Libraries
• ACI needs a library of 'best practice' configurations.
• Network engineers create configurations using the APIC GUI.
• Configurations are tested, verified and then saved as XML.
• The configuration snippets are organized into a playbook.
• Only the with_items loop needs to be changed in the playbook.
• XML files can be converted into templates.
• Playbooks, XML and templates are stored in a Git repo.
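Slide 31 makes the point that the MAC and dn returned by the class query are enough to build a troubleshooting policy programmatically, and slide 41 that the saved XML can be turned into templates. The block below is an added example of that step (not code from the speaker's repositories): it generates the traceroutepTrEp snippet shown on slide 38 from two fvCEp attribute dicts. It uses xml.etree rather than string substitution so attribute values are escaped, validates MACs and object names before they are placed in a dn, and refuses a source and destination from different tenants. The name and MAC character sets are assumptions; the tenant, EPG and MAC values in the sample are the ones on the slide.

```python
"""Added example: build the slide-38 traceroute policy XML from endpoint facts.
Not the page's own code; NAME_RE is an assumed conservative charset for ACI
object names, and the sample endpoints reuse the values on slide 38."""
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
NAME_RE = re.compile(r"^[A-Za-z0-9_.:-]+$")  # assumption: safe subset for tn/ap/epg names
DN_RE = re.compile(r"^uni/tn-(?P<tenant>[^/]+)/ap-(?P<app>[^/]+)/epg-(?P<epg>[^/]+)/cep-(?P<mac>[^/]+)$")


def check(value, pattern, what):
    """Reject values that would alter the dn path or the XML rather than fill it."""
    if not isinstance(value, str) or not pattern.match(value):
        raise ValueError("invalid %s: %r" % (what, value))
    return value


def cep_dn(tenant, app, epg, mac):
    """Distinguished name of a client endpoint, as returned by the fvCEp query."""
    return "uni/tn-%s/ap-%s/epg-%s/cep-%s" % (
        check(tenant, NAME_RE, "tenant"), check(app, NAME_RE, "application profile"),
        check(epg, NAME_RE, "EPG"), check(mac, MAC_RE, "MAC").upper())


def traceroute_policy_xml(tenant, name, src_tdn, dst_tdn, descr="", payload_sz=56):
    """Same structure as the snippet saved on slide 38, with values filled in."""
    tenant = check(tenant, NAME_RE, "tenant")
    name = check(name, NAME_RE, "policy name")
    root = ET.Element("fvTenant")
    pol = ET.SubElement(root, "traceroutepTrEp", {
        "adminSt": "start", "descr": descr,
        "dn": "uni/tn-%s/trEp-%s" % (tenant, name), "name": name,
        "ownerKey": "", "ownerTag": "", "payloadSz": str(int(payload_sz))})
    ET.SubElement(pol, "traceroutepRsTrEpSrc", {"tDn": check(src_tdn, DN_RE, "source tDn")})
    ET.SubElement(pol, "traceroutepRsTrEpDst", {"tDn": check(dst_tdn, DN_RE, "destination tDn")})
    return ET.tostring(root, encoding="unicode")  # ET escapes " < > & in attributes


def policy_from_endpoints(name, src_ep, dst_ep, descr=""):
    """Build the policy from two fvCEp attribute dicts (the 'dn' and 'mac' facts)."""
    src, dst = DN_RE.match(src_ep["dn"]), DN_RE.match(dst_ep["dn"])
    if not (src and dst):
        raise ValueError("endpoint dn is not a tenant/app/epg/cep path")
    if src["tenant"] != dst["tenant"]:
        raise ValueError("traceroute policy lives in one tenant; endpoints are in different tenants")
    for m, ep in ((src, src_ep), (dst, dst_ep)):
        if check(ep["mac"], MAC_RE, "MAC").upper() != m["mac"].upper():
            raise ValueError("mac attribute does not match the cep in dn: %r" % ep["dn"])
    return traceroute_policy_xml(src["tenant"], name, src_ep["dn"], dst_ep["dn"], descr)


def parse_policy(xml_text):
    """Read back the fields a reviewer would verify before the snippet is committed."""
    pol = ET.fromstring(xml_text).find("traceroutepTrEp")
    return {"dn": pol.get("dn"), "descr": pol.get("descr"),
            "src": pol.find("traceroutepRsTrEpSrc").get("tDn"),
            "dst": pol.find("traceroutepRsTrEpDst").get("tDn")}


# Sample endpoints: the values from slide 38, in the shape the class query returns.
SAMPLE_SRC = {"dn": "uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-CLIENT/cep-00:50:56:9A:79:5C",
              "mac": "00:50:56:9A:79:5C"}
SAMPLE_DST = {"dn": "uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-SERVER/cep-00:50:56:9A:6A:03",
              "mac": "00:50:56:9A:6A:03"}

if __name__ == "__main__":
    # Write the snippet under the file name used in the slide-39 with_items loop.
    text = policy_from_endpoints("CLIENT_SERVER10", SAMPLE_SRC, SAMPLE_DST,
                                 "traceroute policy for client to server 10")
    with open("traceroutepTrEp_A10_clientserver.xml", "w") as fh:
        fh.write(text)
    print(text)
```

The generated file drops straight into the with_items loop of the slide-39 playbook; the validation is what makes it safe to feed the function values that came from the fabric rather than from a person at the GUI.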
• 42. Key Take-away
• Networks are evolving from individual devices to the SDN paradigm of a single fabric under a central controller.
• Cisco ACI is an SDN implementation which abstracts the network devices; the fabric is plug-n-play and provides central management and visibility.
• The GUI on top of an SDN controller isn't sufficient; we will still need automation.
• Eliminate the hands in operations: no keyboard errors, no incomplete configurations.
• Build libraries of 'best practice' configurations.
• Network Engineers can use Ansible to automate Nexus switches and align more closely with DevOps.
• 44. Synergy
Ansible
• Ansible is an open source automation tool.
• Designed to be easy for anyone to understand and learn.
• A module was written to apply configuration changes to Cisco IOS devices.
• Requires an inventory file to identify the target routers and switches that receive a baseline configuration.
Cisco APIC-EM
• APIC-EM is an SDN controller for legacy LAN/WAN devices.
• Single source of truth.
• Provides the inventory to Ansible by discovering Cisco IOS devices in the network.
WWT
• Python module to integrate the two applications.
• 45. Understanding the Network
• You can't automate what you don't understand!
• Discovery is based on CDP and on IP address ranges.
• Initiated either via the GUI or the REST API.
• Discovered Devices
• 46. "You used the northbound API, put two disparate pieces of technology together and made them work better than they can individually."
Phil Casini, Director Product Management for Cisco's LAN/WAN SDN controller APIC EM.
Advanced Technology Center (ATC): Using APIC-EM as the single source of truth.
• 47. Playbook Tasks
1. apic_em_gather_facts: Query the APIC-EM controller for a list of discovered devices.
2. cisco_ios_install_config: Update the running config of the discovered devices.
---
- name: Integration of APIC-EM with Ansible
  hosts:
  connection: local
  gather_facts: no
  vars:
    ansible_ssh_user: administrator
    enablepw: xxxxx
    password: xxxxx
  tasks:
    - name: Use APIC-EM controller to return a list of discovered devices
      apic_em_gather_facts:
        host:
        username: bob
        password: xxxxxx
    - name: Install the configuration file
      cisco_ios_install_config:
        URI: ftp://ftpuser:xxxxx@
        host: "{{ item }}"
        username: admin
        enablepw: "{{ enablepw }}"
        password: "{{ password }}"
        debug: off
      with_items: mgmtIp
• The login and enable passwords, the APIC-EM credentials and the FTP credentials embedded in the URI are shown redacted (xxxxx). In practice keep them out of the playbook file: put them in a vars file encrypted with ansible-vault and supply the key at run time (--ask-vault-pass), and remember that FTP carries both the credentials and the configuration in clear text, so confine the copy to the management network.
github.com/joelwking/ansible-apic-em
github.com/joelwking/ansible-ios
• 48. Execute the Playbook in Ansible Tower
Configuration pushed to each discovered device (mgmtIp):
!
ip name-server vrf management
!
ip http server
ip http secure-server
!
ip access-list extended ACL-AGENT-REDIRECT
 remark explicitly prevent DNS from being redirected to address a bug
 deny udp any any eq domain
 remark redirect HTTP traffic only
 permit tcp any any eq www
 remark all other traffic will be implicitly denied from the redirection
ip access-list extended ACL-ALLOW
 permit ip any any
!
ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 deny ip any any log
!
end
• Note that the snippet enables the clear-text HTTP server (ip http server) alongside HTTPS, and the redirect ACL only matches port 80 (eq www); ACL-DEFAULT logs and denies everything it does not list explicitly.
• 50. Thanks to our sponsors. Slides are available at: www.slideshare.net/joelwking
• 51. Cultivating the API Economy
"It is no longer about writing 300,000 lines of code. It is about writing as little code as possible to get that rapid speed."
Tim Vanderham, the head of development for IBM Bluemix and IBM Cloud Marketplace.
searchsoa.techtarget.com/feature/Cultivating-the-API-Economy

