ACI and Full Stack Automation

Size: px

Start display at page:

Download "ACI and Full Stack Automation"

Madeline Logan
5 years ago
Views:

2 ACI and Full Stack Automation Steve Sharman and Russ Whitear BRKACI-2770

3 Abstract ACI and Full Stack Automation provides the attendee with a view on how network and application constructs can be delivered in an automated manner to an ACI network. We will take a look at the tools required to provision the full stack from network provisioning through to application delivery. Technologies discussed will include Cisco Application Policy Infrastructure Controller (APIC), UCS Director and Cisco Cloud Center (Formerly CliQr). The focus will be on providing structured methodologies that can be used to satisfy the requirements and desires of both infrastructure admins and application developers alike. BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 3

4 Session objectives Provide you with an understanding on ACI networking constructs Explain how UCS Director can be used to Automate ACI Explain how Cisco Cloud Center can interact with ACI Provide you with a clear understanding where to use the different tools available BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 4

5 Before we start, let s get to know each other

6 Agenda Why Automate? ACI Primer Infrastructure as a Service with UCS Director Controlling ACI with Cisco Cloud Center

7 Let s start with an obvious question

8 Why are customers looking to automate in the Data Center?

9 There are actually many different reasons: Cost reduction Simplicity Consistent configuration (Policy conformance, elimination of human error) Reduction in maintenance windows Structured changes during the business day Service Catalogue for IT services UCSD IaaS Cisco Cloud Center Hybrid Cloud Management BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 9

10 Automation means different things to different people!

11 Network centric, Server centric, Application centric Switch Interfaces Tenants VRFs Bridge Domains (L2) VLAN Extension Bridge Domains (L3) External L3 Application Network Profiles Endpoint Groups Contracts VMware Portgroups Firewall Configuration SLB Configuration Storage LUNs Storage zoning Server Configuration (BIOS etc) Bare Metal Deployments Operating System Virtual Machine Deployment Multi server deployment Application containers Server Configuration (BIOS etc) Virtual Machine Deployment Load balancers Database BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 11

12 ACI Primer

13 To help understand ACI, let s look at a real customer example

14 CPoC Large Financial Organisation APIC APIC APIC OSPF Area 0 L2 L3 e1/3 e1/7 e1/8 e1/1 e1/2 e1/1 e1/2 e1/5 e1/6 e1/15 e1/11 e1/12 e1/15 e1/15 c3850 OSPF Area 10 (stub) n n n7706 n n n9504 Spirent Test Center ESX-02 ESX-01 Spirent Test Center Spirent Test Center OSPF Area 20 OSPF Area 30 BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 14

15 Firstly, we needed to configure the switch interfaces

Network Provisioning Quick Start wizard Manual setup BRKACI-2770

17 Policy Defined Network APIC APIC APIC Switch Policies Leaf Profiles Leafs_101_and_102 Concrete Model Logical Model Virtual Machine Domains (vswitches) vcenter-01-dvs-01 Security Domain (optional) Leaf Profile vpc_to_ucs_fi_a Interface Policies Leaf Profiles Interface Selector 1/21 Pools VLAN/VXLAN vcenter-01-dvs-01 UCS-phys-svrs Outside-Fabric Phy/Out Domains (VLAN mgmt) UCS-phys-svrs Outside-Fabric AAEP (Allowed VLANs) vcenter-01-dvs-01 UCS-phys-svrs Outside-Fabric Interface Policies Leaf Policy Groups vpc_to_ucs_fi_a SVI_to_outside Interface Policies Policies CDP_enabled LACP_Active BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 17

18 Notes to remember: Interface Policies can be reused across any interface type Leaf Policy Groups for Access ports can be used by different Leaf Profiles Leaf Policy Groups for PC/vPC cannot be used by different Leaf Profiles Leaf Profiles can be used by different Switch Profiles BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 A consistent naming convention is critical for simple troubleshooting

Example Rack Layout Row ID A Rack ID A1 A2 A3 A4 A5 A6 A7 A8 A9 A10 ToR ID 101 103 105 107 109 111 113 115 117 119 ToR ID 102 104 106 108 110 112 114 116 118 120 B Rack ID B1 B2 B3 B4 B5 B6 B7 B8 B9

20 Example Rack Layout Row ID A Rack ID A1 A2 A3 A4 A5 A6 A7 A8 A9 A10 ToR ID ToR ID B Rack ID B1 B2 B3 B4 B5 B6 B7 B8 B9 B10 ToR ID ToR ID C Rack ID C1 C2 C3 C4 C5 C6 C7 C8 C9 C10 ToR ID ToR ID D Rack ID D1 D2 D3 D4 D5 D6 D7 D8 D9 D10 ToR ID ToR ID BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 20

21 Example Naming Approach VLAN Pool Domains (L2, L3, Phys) AAEP (allowed VLANs) Interface Polices (settings) Leaf Policy Groups (aggregated settings) Leaf Profiles (settings mapped to interfaces) Switch Profiles (interfaces mapped to switches) Tenant_Name Tenant_Name Tenant_Name Enabled/Disabled PortSpeed_PortType_Usage Rack_ID/Switch_ID_to_ConnectedDevice Rack_ID or Rack_ID_SwitchID Customer_A_01 Customer_A_L3_01 Customer_A_01 10G, CDP_enabled 10G_access_c _to_c A1_101 BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 21

22 How does this look?

23 10G_acc_c3850 Concrete Model Logical Model Leaf Profile Leafs_101_and_102 Leaf Profile li07_to_ ld04-c Rack/Switch to connected device Interface setting group Interface Selector 1/3 Leaf Policy Group 10G_acc_c3850 VLAN Pool Customer_A_01 External Routed Domain Customer_A_L3_01 AAEP Customer_A_01 Interface Policies 10G Interface Policies CDP_enabled BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 24

24 10G_acc_n7706 Concrete Model Logical Model Leaf Profile Leafs_101_and_102 Leaf Profile li07_to_ lg05-n Rack/Switch to connected device Interface setting group Interface Selector 1/7 Leaf Policy Group 10G_acc_n7706 VLAN Pool Customer_A_01 External Routed Domain Customer_A_L3_01 AAEP Customer_A_01 Interface Policies 10G Interface Policies CDP_enabled BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 25

25 10G_acc_n9504 Concrete Model Logical Model Leaf Profile Leafs_101_and_102 Leaf Profile li07_to_ lg11-n Rack/Switch to connected device Interface setting group Interface Selector 1/8 Leaf Policy Group 10G_acc_n9504 VLAN Pool Customer_A_01 External Routed Domain Customer_A_L3_01 AAEP Customer_A_01 Interface Policies 10G Interface Policies CDP_enabled BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 26

26 10G_vPC_esx_li07-c220m4-01 Concrete Model Logical Model Leaf Profile Leafs_103_and_104 Leaf Profile li08_to_ li07-c220m4-01 Rack/Switch to connected device Unique Interface setting group Interface Selector 1/11 Leaf Policy Group 10G_vPC_esx_ li07-c220m4-01 Interface Policies LACP_active VLAN Pool Customer_A_01 Physical Domain Customer_A_Phys_01 AAEP Customer_A_01 Interface Policies 10G Interface Policies LLDP_enabled BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 28

27 10G_vPC_esx_li07-c220m4-02 Concrete Model Logical Model Leaf Profile Leafs_101_and_102 Leaf Profile li07_to_ li07-c220m4-02 Rack/Switch to connected device Unique Interface setting group Interface Selector 1/12 Leaf Policy Group 10G_vPC_esx_ li07-c220m4-02 Interface Policies LACP_active VLAN Pool Customer_A_01 Physical Domain Customer_A_Phys_01 AAEP Customer_A_01 Interface Policies 10G Interface Policies LLDP_enabled BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 29

28 Couldn t we reduce the number of Leaf Policy Groups?

29 Yes provided that they are Access Policy Groups with the same Interface Policies

30 10G_acc_ c3850 n7706 n9504 Concrete Model Leaf Profile Leafs_101_and_102 Leaf Profile Leafs_101_and_102 Leaf Profile Leafs_101_and_102 Logical Model Leaf Profile li07_to_ ld04-c Leaf Profile li07_to_ lg05-n Leaf Profile li07_to_ lg11-n Interface Selector 1/3 Interface Selector 1/7 Interface Selector 1/8 All Leaf Policy Groups use the same Interface Policies (Settings and allowed VLANs) Leaf Policy Group 10G_acc_c3850 Leaf Policy Group 10G_acc_n7706 Leaf Policy Group 10G_acc_n9504 VLAN Pool Customer_A_01 External Routed Domain Customer_A_L3_01 AAEP Customer_A_01 Interface Policies 10G Interface Policies CDP_enabled BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 32

31 10G_acc_to_external_L3_switch Concrete Model Leaf Profile Leafs_101_and_102 Leaf Profile Leafs_101_and_102 Leaf Profile Leafs_101_and_102 Logical Model Leaf Profile li07_to_ ld04-c Leaf Profile li07_to_ lg05-n Leaf Profile li07_to_ lg11-n Interface Selector 1/3 Interface Selector 1/7 Interface Selector 1/8 Leaf Policy Group 10G_acc_to_external_ L3_switch Consolidated Leaf Policy Group for Interfaces which use the same Interface Policies (Settings and allowed VLANs) VLAN Pool Customer_A_01 External Routed Domain Customer_A_L3_01 AAEP Customer_A_01 Interface Policies 10G Interface Policies CDP_enabled BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 33

32 Couldn t we reduce the number of Leaf Profiles?

33 Yes provided that they use the same interfaces on the physical switch(es)

34 10G_acc_to_external_L3_switch Concrete Model Leaf Profile Leafs_101_and_102 Leaf Profile Leafs_101_and_102 Leaf Profile Leafs_101_and_102 Logical Model Leaf Profile li07_to_ ld04-c Leaf Profile li07_to_ lg05-n Leaf Profile li07_to_ lg11-n Interface Selector 1/3 Interface Selector 1/7 Leaf Policy Group 10G_acc_to_external_ L3_switch Interface Selector 1/8 Multiple Leaf Profiles / Interface Selectors consume the same Leaf Policy Group (Settings and allowed VLANs) VLAN Pool Customer_A_01 External Routed Domain Customer_A_L3_01 AAEP Customer_A_01 Interface Policies 10G Interface Policies CDP_enabled BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 36

35 10G_acc_to_external_L3_switch Concrete Model Logical Model Leaf Profile Leafs_101_and_102 Leaf Profile li07_to_external L3_switch Interface Selector 1/3, 1/7, 1/8 Leaf Policy Group 10G_acc_to_external_ L3_switch Consolidated Leaf Profiles / Interface Selectors consume the same Leaf Policy Group (Settings and allowed VLANs) VLAN Pool Customer_A_01 External Routed Domain Customer_A_L3_01 AAEP Customer_A_01 Interface Policies 10G Interface Policies CDP_enabled BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 37

37 In large organisations having an automated approach to interface configuration could allow the rack/stack team to configure the switches from a simple IT services catalogue BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 39

38 Secondly, we needed to consume the switch interfaces Tenant Configuration

Network Consumption Tenants Quick Start wizard BRKACI-2770 2017

ACI Nomenclature Refresher A Tenant is just an Administrative boundary A VRF is a VRF as you know it today A Bridge Domain is a L2 segment where flooding rules apply think VLAN but without a VLAN ID

40 ACI Nomenclature Refresher A Tenant is just an Administrative boundary A VRF is a VRF as you know it today A Bridge Domain is a L2 segment where flooding rules apply think VLAN but without a VLAN ID A Bridge Domain is the scope of one or more subnets think SVI and IP Secondary An EPG is just a logical grouping of devices think interfaces and VLANs An EPG is a Port Group in VMware An EPG can contain different VLANs, e.g. when mixing dynamic Virtual Port Groups and Physical machines think hardware VTEP Devices in an EPG are allowed to communicate (by default) Isolated EPGs block communication within the EPG think PVLAN Micro Segmentation (µseg) EPGs are used to dynamically move devices from a base EPG into a more specific EPG An Application Network Profile is a group of one or more EPGs remember an EPG can only be inside one ANP Communication between EPGs and/or from devices off the ACI fabric require Contracts (ACLs) BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 42

41 Network Interfaces must be configured first! ANP: My_App APIC EPG: Web Domain: Production_Svrs APIC APIC Path: vpc_to_ucs_fi_a VLAN_10 Path: vpc_to_ucs_fi_b VLAN_10 Concrete Model Leaf Profiles (Target Switches) Leafs_101_and_102 Logical Model Leaf Profile vpc_to_ucs_fi_a Leaf Profiles Interface Selector 1/21 Security Domain (optional) Leaf Profile vpc_to_ucs_fi_b Interface Selector 1/22 VLAN/VXLAN (Pools) UCS-phys-svrs VLAN mgmt (Phy/Out Domain) UCS-phys-svrs AAEP (Allowed VLANs) UCS-phys-svrs Leaf Policy Group vpc_to_ucs_fi_a Leaf Policy Group vpc_to_ucs_fi_b Interface Policies CDP_enabled LACP_Active BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 43

42 What about VLANs, SVIs, ACLs, etc?

Option 1: Single EPG on a Single BD with a Single Subnet standard networking APIC APIC APIC VRF: 01 (Anycast gateway) BD: 192.168.10.

43 Option 1: Single EPG on a Single BD with a Single Subnet standard networking APIC APIC APIC VRF: 01 (Anycast gateway) BD: X Hardware Proxy: No ARP Flooding: Yes Unknown Unicast Flooding: Yes IP Routing: No BD: x Hardware Proxy: No ARP Flooding: Yes Unknown Unicast Flooding: Yes IP Routing: No BD: x Hardware Proxy: No ARP Flooding: Yes Unknown Unicast Flooding: Yes IP Routing: No Endpoints in EPG identified by Switch/Interface and VLAN ID / / / / / /24 ANP: My_App EPG Tag: Web (VLAN 10) Security Zone EPG Tag: App (VLAN 11) Security Zone EPG Tag: DB (VLAN 12) Security Zone Tenant: My_Tenant Communication allowed within EPG Communication allowed within EPG Communication allowed within EPG BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 45

Option 2: Multiple EPGs on a Single BD with a Single Subnet µsegmentation in IP space APIC APIC APIC VRF: 01 (Anycast gateway) Bridge Domain: 192.168.10.

44 Option 2: Multiple EPGs on a Single BD with a Single Subnet µsegmentation in IP space APIC APIC APIC VRF: 01 (Anycast gateway) Bridge Domain: X_24 Gateway: Bridge Domain Hardware Proxy: Yes ARP Flooding: No Unknown Unicast Flooding: No IP Routing: Yes Layer 2 Segment Endpoints in EPG identified by Switch/Interface and VLAN ID / / / / / /24 ANP: My_App EPG Tag: Web (VLAN 10) Security Zone EPG Tag: App (VLAN 11) Security Zone EPG Tag: DB (VLAN 12) Security Zone Tenant: My_Tenant Communication allowed within EPG Communication allowed within EPG Communication allowed within EPG BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 46

45 Just because you can doesn't always mean you should

46 Option 3a: Multiple EPGs on a Single BD with Multiple Subnets IP secondary APIC APIC APIC VRF: 01 (Anycast gateway) Bridge Domain: multiple_subnets Gateway: Bridge Domain Hardware Proxy: Yes ARP Flooding: No Unknown Unicast Flooding: No IP Routing: Yes Endpoints in EPG identified by Switch/Interface and VLAN ID / / / / / /24 ANP: My_App EPG Tag: Web (VLAN 10) Security Zone EPG Tag: App (VLAN 11) Security Zone EPG Tag: DB (VLAN 12) Security Zone Tenant: My_Tenant Communication allowed within EPG Communication allowed within EPG Communication allowed within EPG BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 48

47 Option 3b: Multiple EPGs on a Single BD with Multiple Subnets IP secondary APIC APIC APIC VRF: 01 (Anycast gateway) Bridge Domain: multiple_subnets Gateway: Bridge Domain Hardware Proxy: Yes ARP Flooding: No Unknown Unicast Flooding: No IP Routing: Yes Endpoints in EPG identified by Switch/Interface and VLAN ID / / / / / /24 ANP: My_App EPG Tag: Web (VLAN 10) Security Zone EPG Tag: App (VLAN 11) Security Zone EPG Tag: DB (VLAN 12) Security Zone Tenant: My_Tenant Communication allowed within EPG Communication allowed within EPG Communication allowed within EPG BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 49

48 What about segmenting inside an EPG?

49 Options 1, 2, and 3 µsegmentation within an EPG/Port Group (no East/West traffic flows) APIC APIC APIC VRF: 01 (Anycast gateway) Bridge Domain: X_24 Gateway: Bridge Domain Hardware Proxy: Yes ARP Flooding: No Unknown Unicast Flooding: No IP Routing: Yes Layer 2 Segment Endpoints in EPG identified by Switch/Interface and VLAN ID / / / / / /24 ANP: My_App EPG Tag: Web (VLAN 10) Security Zone Tenant: My_Tenant Communication allowed within EPG BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 51

50 Options 1, 2, and 3 µsegmentation within an EPG/Port Group based on machine attribute APIC APIC APIC VRF: 01 (Anycast gateway) Bridge Domain: X_24 Gateway: Bridge Domain Hardware Proxy: Yes ARP Flooding: No Unknown Unicast Flooding: No IP Routing: Yes Layer 2 Segment Endpoints in EPG identified by Switch/Interface and VLAN ID Name Contains: Web_1 Name Contains: Web_2 Name Contains: Web_ / / / / / /24 ANP: My_App EPG Tag: All_Web_Servers (VLAN 10) Security Zone Tenant: My_Tenant Communication allowed within useg EPG BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 52

51 External VLANs L2 connection to legacy networks

52 Option 1: Same VLANs Outside/Inside (No Contract Required) APIC APIC vlan-10 APIC VRF: 01 (Anycast gateway) Bridge Domain: outside_vlan_10 Gateway: Bridge Domain Hardware Proxy: No ARP Flooding: Yes Unknown Unicast Flooding: Yes IP Routing: Yes vpc_to_ucs_a vlan-10 vpc_to_ucs_b vlan-10 vpc_to_n5ks vlan-10 ANP: Outside_VLANs Tenant: My_Tenant EPG: Host-Mgmt Communication allowed within EPG BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 54

53 Option 2: Different VLANs Outside/Inside (Contract Required) APIC APIC vlan-10 APIC VRF: 01 (Anycast gateway) Bridge Domain: outside_vlan_10 Gateway: Bridge Domain Hardware Proxy: No ARP Flooding: Yes Unknown Unicast Flooding: Yes IP Routing: Yes L2out vpc_to_n5ks vlan-10 vpc_to_ucs_a vlan-100 vpc_to_ucs_b vlan-100 ANP: Outside_VLANs Tenant: My_Tenant EPG: Host-Mgmt Communication allowed within EPG Communication allowed to External EPG EPG BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 55

54 External Subnets

55 External Routed Connections APIC Outside APIC APIC VRF: 01 (Anycast gateway) Bridge Domain: x_22 Gateway: Bridge Domain Hardware Proxy: Yes ARP Flooding: No Unknown Unicast Flooding: No IP Routing: Yes L3out: Area0 101/1/96: /30 102/1/96: /30 OSPF Configuration Security Import Subnet* i.e which external subnets can be accessed through this EPG / / / /24 ANP: My_App Tenant: My_Tenant EPG Tag: Web (VLAN 10) Security Zone EPG Tag: App (VLAN 11) Security Zone Communication allowed to /24 Communication allowed to all External Subnets EPG /24 Permit access to remote subnet: /24 EPG /0 Permit access to all remote subnets: /0 BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 57

56 A quick note about contracts

Contracts permit communication between EPGs 192.168.10.11/24 192.168.10.12/24 192.168.10.11/24 192.168.10.12/24 EPG: Web_1 EPG: App_1 ANP: MyApp_1 BD:192.168.30.x BD: 192.168.10.X BD: 192.168.20.

57 Contracts permit communication between EPGs / / / /24 EPG: Web_1 EPG: App_1 ANP: MyApp_1 BD: x BD: X BD: x VRF: / /24 EPG: DB_1 ANP: DB / /24 EPG: Web_1 ANP: MyApp_ / /24 EPG: App_1 Tenant: My_Tenant BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 59

58 Now that we have a better understanding of ACI, lets consider what customers typically want to automate

59 Customer Use Cases Credit Services Multi-Tier application Deployments Tenants VRFs Bridge Domains Endpoint Groups Contracts Load Balancing (Citrix) VM creation Banking VRFs Bridge Domains Endpoint Groups Contracts Switch Interfaces VM creation OS Installation Media Tenants VRFs Bridge Domains Endpoint Groups Contracts Switch Interfaces BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 61

60 What should you look to do first? A. Automate the building of networking infrastructure B. Automate the consumption of networking resources Blueprints for Tenants, L2 (EPG/VLAN/VXLAN), L3, L4-7 services IP Address Management (IPAM) Summary routes into the fabric Virtual machine creation Containers Application Provisioning Self service offering C. Automate both infrastructure and consumption D. Automate application deployment BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 62

61 Take a step back, most customers actually require a number of pre defined functional Blueprints

62 Sample Network Blueprints Clients Clients Clients External Router to WAN Gateway External Router to WAN External Router to WAN ACI Gateway (not used) ACI Gateway ACI Gateway L2 Fabric (external g/w) L3 Fabric L3 Fabric with external firewall BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 64

63 Sample Network Blueprints Clients Clients Clients External Router to WAN External Router to WAN External Router to WAN ACI External Gateway ACI External Gateway SLB SLB ACI Internal Gateway ACI Internal Gateway ACI Gateway L3 Fabric with firewall on fabric L3 Fabric with SLB on fabric L3 Fabric with firewall and SLB BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 65

65 They simply concern themselves with the IP addresses/gateway for their applications, and the security rules which allow access to those applications BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 67

67 If we now understand the why

68 We next need to understand the how

69 How Many of You... Are already scripting and automating common tasks? In my experience, most of us are not Are really good at copy and paste? That s me that is!! BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 71

71 Being Serious For A Moment We talk to a lot of partner and customer engineers all over the world It is clear that some knowledge of programming concepts is quite valuable these days The top question is always Do I need to learn programming to keep doing my job? I ve got some good news for you... In a nutshell, the answer is No... But only if you learn to consume the easy-to-use tools and processes out there BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 73

72 ACI and the API

ACI and REST API REST is fundamental to APIC interaction All other tools are built around it Understand REST, understand ACI automation The second

74 ACI and REST API REST is fundamental to APIC interaction All other tools are built around it Understand REST, understand ACI automation The second time you need to do something, think about automating it instead!! BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 76

75 Using REST HTTP(S) to the URL or Address of an object Select an Action to perform (GET, POST etc) Send the Payload (in XML or JSON format) BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 77

Common (Free) Tools For The Network Engineer Use these to automate things in ACI Postman Plugin for Google Chrome API Inspector APIC GUI COBRA SDK

76 Common (Free) Tools For The Network Engineer Use these to automate things in ACI Postman Plugin for Google Chrome API Inspector APIC GUI COBRA SDK Python IDE (Pycharm, Atom, others) Git / Github ARYA ACI Toolkit Many Others BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 78

Different Engineers, Different Tools Powerful/Complex APIC GUI REST API SDK APIC CLI

API Inspector a REST API Sniffer Record your GUI interaction as JSON Modify and replay with

Python SDK (aka Cobra ) + ARYA Full featured access to entire APIC REST API Native ACI language configure in GUI and turn into Cobra SDK Contributors include: Business Unit Engineers, Technical

py Python code {"fvtenant":{"attributes":{"dn":"uni/tn- Cisco","name":"Cisco","rn":"tn- Cisco","status":"created"},"children":[{"fvBD":{"attribut es":{"dn":"uni/tn-cisco/bd-

modified"},"children":[]}},{"fvsubnet":{"attributes":{"dn ":"uni/tn-cisco/bd-ciscobd/subnet- [10.

81 Python SDK (aka Cobra ) + ARYA Full featured access to entire APIC REST API Native ACI language configure in GUI and turn into Cobra SDK Contributors include: Business Unit Engineers, Technical Services Engineers, Advanced Services Engineers Complete user use cases all possible XML/JSON arya.py Python code {"fvtenant":{"attributes":{"dn":"uni/tn- Cisco","name":"Cisco","rn":"tn- Cisco","status":"created"},"children":[{"fvBD":{"attribut es":{"dn":"uni/tn-cisco/bd- CiscoBd","mac":"00:22:BD:F8:19:FF","name":"CiscoBd","rn": "BD- CiscoBd","status":"created"},"children":[{"fvRsCtx":{"att ributes":{"tnfvctxname":"cisconetwork","status":"created, modified"},"children":[]}},{"fvsubnet":{"attributes":{"dn ":"uni/tn-cisco/bd-ciscobd/subnet- [ /8]","ip":" /8","rn":"subnet- [ /8]","status":"created"},"children":[]}}]}},{"fv Ctx":{"attributes":{"dn":"uni/tn-Cisco/ctx- CiscoNetwork","name":"CiscoNetwork","rn":"ctx- CiscoNetwork","status":"created"},"children":[]}}]}} fvtenant = cobra.model.fv.tenant(topmo, name='cisco') fvctx = cobra.model.fv.ctx(fvtenant, name='cisconetwork') fvbd = cobra.model.fv.bd(fvtenant, mac='00:22:bd:f8:19:ff', name='ciscobd') fvrsctx = cobra.model.fv.rsctx(fvbd, tnfvctxname=fvctx.name) fvsubnet = cobra.model.fv.subnet(fvbd, ip=' /8') BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 83

Cisco on Github https://github.com/datacenter https://github.com/datacenter/aci https://github.com/datacenter/aci-examples https://github.

85 Customer demo

87 UCSD Director for IAAS ACI Network Configuration

88 Introduction

Cisco ONE Enterprise Cloud Suite Infrastructure Management Build and run a Private Cloud Cisco UCS Director (Infrastructure) Virtual Physical Hypervisor Builds and manages Private Cloud

89 Cisco ONE Enterprise Cloud Suite Infrastructure Management Build and run a Private Cloud Cisco UCS Director (Infrastructure) Virtual Physical Hypervisor Builds and manages Private Cloud Infrastructure Physical and Virtual, including ACI In pure IaaS deployments provides VM provisioning E.G. Through vcenter for ESX and SCVMM for HyperV Provides a end-user self service portal for IaaS provisioning BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 91

91 Orchestrating with UCS Director Model Based Orchestration Object, not script, based ~2,000 infrastructure tasks included Graphical Design Interface Logical processing of Conditionals and Loops Versioning Support BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 91

92 Orchestrating with UCS Director Model Based Orchestration Object, not script, based ~2,000 infrastructure tasks included Graphical Design Interface Logical processing of Conditionals and Loops Versioning Support BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 91

93 UCSD Director for IaaS ACI

Different Catalogues for Different User Types Network Admins ACI Fabric

and Bind to VLAN Pool Create AAEP and Bind to Domain & Leaf Policy Group

98 Different Catalogues for Different User Types Network Admins ACI Fabric Provisioning Network Administrator Tasks Create VLAN Pool Create Domain and Bind to VLAN Pool Create AAEP and Bind to Domain & Leaf Policy Group Create Leaf Profile and Bind to Switch Profile Create Interface selector and Bind to Leaf Profile &Leaf Policy Group Create Switch Profile BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 93

Domain (L3) & Bind to VRF Create EPG & Bind to Bridge Domain Create Contract & Filter & Bind to EPGs Create a BD/EPG with

101 Different Catalogues for Different User Types ACI Tenant Administrator Tasks Tenant Admins Create New Tenant ACI Tenant Operations Create VRF & Bind to Tenant Create L3out & Bind to VRF Create Bridge Domain (L2) & Bind to VRF Create Bridge Domain (L3) & Bind to VRF Create EPG & Bind to Bridge Domain Create Contract & Filter & Bind to EPGs Create a BD/EPG with Flooding Enabled & a Static Binding to a VLAN BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 94

Different Catalogues for Different User Types Network Operations Tasks Add additional Interface to a L3out Add Subnets to existing L3out Add Ports to an existing Filter Add Filters to an existing

104 Different Catalogues for Different User Types Network Operations Tasks Add additional Interface to a L3out Add Subnets to existing L3out Add Ports to an existing Filter Add Filters to an existing Contract Add an additional EPG to a Bridge Domain Add an additional Domain to an EPG Add a Static Binding to an EPG Add new vswitch to Virtual Center Network Operations ACI Service Expansion BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 95

Creating a New Workflow/Catalogue Entry BRKACI-2770 2017

Configure ACI Network via UCS Director BRKACI-2770 2017

Create New ACI Tenant, VRF, BD and Subnet BRKACI-2770 2017

137 Northbound API Access

$"r01_1g_acc_wibble_esx" }, { "name": "Enter Interface(s)", "value": "1/79" }$

141 UCSD Access via its Northbound API { } "param0": "Add Device to ACI Fabric", "param1": { "list": [ { "name": "Device Type", "value": "r01_1g_acc_wibble_esx" }, { "name": "Enter Interface(s)", "value": "1/79" } ] }, "param2": -1 BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 107

143 Flexible automation models

Flexible Automation Models Service Request ITSM vcenter APIC APIC APIC

152 UCSD Director for IaaS When 230 OOB ACI tasks are not enough!

APIC API Inspector BRKACI-2770 2017 Cisco and/or

161 Useful Links Cisco Communities ( >300 Examples ) APIC Inspector to UCS Director Workflow Task Convertor Convertor Script: Baseline WF Template: HowTo Video: BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 167

162 Coming soon. Updated interface

Preview: HTML5 Admin Interface BRKACI-2770 2017 Cisco

168 Multi Cloud Management Cisco Cloud Center

169 Introduction

LoB requirements A widening Cloud Gap Cloud applications Cloud Gap Between what cloud applications require Traditional applications IT capabilities People

170 LoB requirements A widening Cloud Gap Cloud applications Cloud Gap Between what cloud applications require Traditional applications IT capabilities People Processes Tools and what IT is capable of reliably and confidently supporting today. Time BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public

Integrated Platform Lifecycle Management New and Existing

171 CloudCenter Unique Value Model Once. Deploy and Manage Anywhere. Data Center DEPLOY MODEL Private Cloud MANAGE Public Cloud One Integrated Platform Lifecycle Management New and Existing Applications BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public

172 What Does Model Once Mean? Script-Based Application Profile-Based Infrastructure-Centric Application-Centric Cloud-Specific workflows and Scripts Cloud-Agnostic Labor /Services Intensive Unique Script / Workflow Unique Script / Workflow Unique Script / Workflow Low TCO BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 178

) Services are instantiated using packages and customized using artifacts.

173 CloudCenter Terminology Application Profile Repositories An application profile is comprised of services. The services define a function of the application (e.g.- web, firewall, database, etc.) Services are instantiated using packages and customized using artifacts. Artifacts can consist of scripts, code snippets, applications. Repositories contain the artifacts and can contain packages. Services bash sql Artifacts package perl 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

175 CloudCenter Integration into ACI

176 Cloud Center and ACI Seamless Integration Zero Touch automation Powerful Benefits Application Security Ops Efficiency User Agility CloudCenter Model-Based Approach Application Profile ACI Policy-Based Approach Application Network Profile BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 182

Cloud Center Automation of ACI CloudCenter Manager CloudCenter Orchestrator APIC APIC APIC VRF: 01 (Anycast gateway) Bridge Domain: 192.168.10.

168.10.12/22 192.168.10.21/22 192.168.10.22/24 ANP: My_App Tenant: My_Tenant EPG Tag: Web (VLAN 10) Security Zone Communication allowed to App EPG Tag: App (VLAN 11) Security Zone Communication allowed to 10.

177 Cloud Center Automation of ACI CloudCenter Manager CloudCenter Orchestrator APIC APIC APIC VRF: 01 (Anycast gateway) Bridge Domain: x_22 Gateway: Bridge Domain Hardware Proxy: Yes ARP Flooding: No Unknown Unicast Flooding: No IP Routing: Yes L3out: Area0 101/1/96: /30 102/1/96: / / / / /24 ANP: My_App Tenant: My_Tenant EPG Tag: Web (VLAN 10) Security Zone Communication allowed to App EPG Tag: App (VLAN 11) Security Zone Communication allowed to /24 Communication allowed to all External Subnets EPG /24 Permit access to remote subnet: /24 EPG /0 Permit access to all remote subnets: /0 BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 183

178 Additional Resources

179 Additional Resources Title CloudCenter Overview Video CloudCenter and ACI Automation Video CloudCenter with ServiceNow Video Cisco dcloud CloudCenter Installation Video Description - Learn how CloudCenter enables IT organizations to put the right workload in the right environment to take advantage of hybrid IT. - Get the full power and scale of SDN with Cisco CloudCenter and ACI together. - Leverage your ServiceNow investment to get the benefits and controls of ITSM with the power of Cisco CloudCenter. dcloud.cisco.com provides fully working environments of Cisco products, search for Cisco CloudCenter Install, Configure, and Manage Lab v1 - Once you ve purchased CloudCenter, steps to perform a basic installation of the platform. For more details, please visit: Questions? Speak with your Cisco account team BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 185

180 Summary

181 Questions?

182 Other Sessions of Interest BRKACI-2301 Practical Applications of Cisco ACI µsegmentation LTRACI ACI microsegmentation deployment techtorial lab LABACI ACI Micro Segmentation Lab LTRSEC Deep Dive Lab on ASA, FTD, and Firepower in ACI BRKACI Real World ACI L4-L7 Service Integration Design LTRSEC Integrating Cisco TrustSec and Cisco ACI Together BRKACI ACI and Container Networking BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 188

Complete Your Online Session Evaluation Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday)

183 Complete Your Online Session Evaluation Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 189

184 Thank you!!

185

Multi-Cloud and Application Centric Modeling, Deployment and Management with Cisco CloudCenter (CliQr)

Multi-Cloud and Application Centric Modeling, Deployment and Management with Cisco CloudCenter (CliQr) Jeremy Oakey Senior Director, Technical Marketing and Integrations Agenda Introduction Architecture