ACI and Full Stack Automation


ACI and Full Stack Automation Steve Sharman and Russ Whitear BRKACI-2770

Abstract ACI and Full Stack Automation provides the attendee with a view on how network and application constructs can be delivered in an automated manner to an ACI network. We will take a look at the tools required to provision the full stack from network provisioning through to application delivery. Technologies discussed will include Cisco Application Policy Infrastructure Controller (APIC), UCS Director and Cisco Cloud Center (Formerly CliQr). The focus will be on providing structured methodologies that can be used to satisfy the requirements and desires of both infrastructure admins and application developers alike. BRKACI-2770 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

Session objectives
- Provide you with an understanding of ACI networking constructs
- Explain how UCS Director can be used to automate ACI
- Explain how Cisco Cloud Center can interact with ACI
- Provide you with a clear understanding of where to use the different tools available

Before we start, let's get to know each other

Agenda
- Why Automate?
- ACI Primer
- Infrastructure as a Service with UCS Director
- Controlling ACI with Cisco Cloud Center

Let's start with an obvious question

Why are customers looking to automate in the Data Center?

There are actually many different reasons:
- Cost reduction
- Simplicity
- Consistent configuration (policy conformance, elimination of human error)
- Reduction in maintenance windows
- Structured changes during the business day
- Service Catalogue for IT services
- UCSD IaaS
- Cisco Cloud Center Hybrid Cloud Management

Automation means different things to different people!

Network centric, Server centric, Application centric: Switch Interfaces, Tenants, VRFs, Bridge Domains (L2), VLAN Extension, Bridge Domains (L3), External L3, Application Network Profiles, Endpoint Groups, Contracts, VMware Portgroups, Firewall Configuration, SLB Configuration, Storage LUNs, Storage zoning, Server Configuration (BIOS etc), Bare Metal Deployments, Operating System, Virtual Machine Deployment, Multi server deployment, Application containers, Server Configuration (BIOS etc), Virtual Machine Deployment, Load balancers, Database

ACI Primer

To help understand ACI, let's look at a real customer example

CPoC: Large Financial Organisation
[Topology diagram: three APICs; OSPF Area 0, OSPF Area 10 (stub), OSPF Area 20 and OSPF Area 30; L2 and L3 connections; devices c3850, n5672-01, n5672-02, n7706, n7706-01, n7706-02, n9504, ESX-01, ESX-02 and Spirent Test Center.]

Firstly, we needed to configure the switch interfaces

Network Provisioning: Quick Start wizard, Manual setup

Policy Defined Network (diagram: Concrete Model / Logical Model)
- Switch Policies, Leaf Profiles: Leafs_101_and_102
- Interface Policies, Leaf Profiles: Leaf Profile vpc_to_ucs_fi_a, Interface Selector 1/21
- Interface Policies, Leaf Policy Groups: vpc_to_ucs_fi_a, SVI_to_outside
- Interface Policies, Policies: CDP_enabled, LACP_Active
- AAEP (Allowed VLANs): vcenter-01-dvs-01, UCS-phys-svrs, Outside-Fabric
- Phy/Out Domains (VLAN mgmt): UCS-phys-svrs, Outside-Fabric
- Virtual Machine Domains (vswitches): vcenter-01-dvs-01
- Pools VLAN/VXLAN: vcenter-01-dvs-01, UCS-phys-svrs, Outside-Fabric
- Security Domain (optional)

Notes to remember:
- Interface Policies can be reused across any interface type
- Leaf Policy Groups for Access ports can be used by different Leaf Profiles
- Leaf Policy Groups for PC/vPC cannot be used by different Leaf Profiles
- Leaf Profiles can be used by different Switch Profiles

A consistent naming convention is critical for simple troubleshooting

Example Rack Layout

Row A
Rack ID: A1 A2 A3 A4 A5 A6 A7 A8 A9 A10
ToR ID:  101 103 105 107 109 111 113 115 117 119
ToR ID:  102 104 106 108 110 112 114 116 118 120

Row B
Rack ID: B1 B2 B3 B4 B5 B6 B7 B8 B9 B10
ToR ID:  121 123 125 127 129 131 133 135 137 139
ToR ID:  122 124 126 128 130 132 134 136 138 140

Row C
Rack ID: C1 C2 C3 C4 C5 C6 C7 C8 C9 C10
ToR ID:  141 143 145 147 149 151 153 155 157 159
ToR ID:  142 144 146 148 150 152 154 156 158 160

Row D
Rack ID: D1 D2 D3 D4 D5 D6 D7 D8 D9 D10
ToR ID:  161 163 165 167 169 171 173 175 177 179
ToR ID:  162 164 166 168 170 172 174 176 178 180

Example Naming Approach (object: naming pattern, example)
- VLAN Pool: Tenant_Name, e.g. Customer_A_01
- Domains (L2, L3, Phys): Tenant_Name, e.g. Customer_A_L3_01
- AAEP (allowed VLANs): Tenant_Name, e.g. Customer_A_01
- Interface Policies (settings): Enabled/Disabled, e.g. 10G, CDP_enabled
- Leaf Policy Groups (aggregated settings): PortSpeed_PortType_Usage, e.g. 10G_access_c3850-01
- Leaf Profiles (settings mapped to interfaces): Rack_ID/Switch_ID_to_ConnectedDevice, e.g. 101_to_c3850-01
- Switch Profiles (interfaces mapped to switches): Rack_ID or Rack_ID_SwitchID, e.g. A1_101

How does this look?

10G_acc_c3850 (diagram: Concrete Model / Logical Model): Leaf Profile Leafs_101_and_102; Leaf Profile li07_to_ld04-c3850-01; Interface Selector 1/3; Leaf Policy Group 10G_acc_c3850; VLAN Pool Customer_A_01; External Routed Domain Customer_A_L3_01; AAEP Customer_A_01; Interface Policies 10G, CDP_enabled. Annotations: Rack/Switch to connected device; Interface setting group.

10G_acc_n7706 (diagram: Concrete Model / Logical Model): Leaf Profile Leafs_101_and_102; Leaf Profile li07_to_lg05-n7706-01; Interface Selector 1/7; Leaf Policy Group 10G_acc_n7706; VLAN Pool Customer_A_01; External Routed Domain Customer_A_L3_01; AAEP Customer_A_01; Interface Policies 10G, CDP_enabled. Annotations: Rack/Switch to connected device; Interface setting group.

10G_acc_n9504 (diagram: Concrete Model / Logical Model): Leaf Profile Leafs_101_and_102; Leaf Profile li07_to_lg11-n9504-01; Interface Selector 1/8; Leaf Policy Group 10G_acc_n9504; VLAN Pool Customer_A_01; External Routed Domain Customer_A_L3_01; AAEP Customer_A_01; Interface Policies 10G, CDP_enabled. Annotations: Rack/Switch to connected device; Interface setting group.

10G_vPC_esx_li07-c220m4-01 (diagram: Concrete Model / Logical Model): Leaf Profile Leafs_103_and_104; Leaf Profile li08_to_li07-c220m4-01; Interface Selector 1/11; Leaf Policy Group 10G_vPC_esx_li07-c220m4-01; VLAN Pool Customer_A_01; Physical Domain Customer_A_Phys_01; AAEP Customer_A_01; Interface Policies LACP_active, 10G, LLDP_enabled. Annotations: Rack/Switch to connected device; Unique Interface setting group.

10G_vPC_esx_li07-c220m4-02 (diagram: Concrete Model / Logical Model): Leaf Profile Leafs_101_and_102; Leaf Profile li07_to_li07-c220m4-02; Interface Selector 1/12; Leaf Policy Group 10G_vPC_esx_li07-c220m4-02; VLAN Pool Customer_A_01; Physical Domain Customer_A_Phys_01; AAEP Customer_A_01; Interface Policies LACP_active, 10G, LLDP_enabled. Annotations: Rack/Switch to connected device; Unique Interface setting group.

Couldn't we reduce the number of Leaf Policy Groups?

Yes, provided that they are Access Policy Groups with the same Interface Policies

10G_acc_ c3850 / n7706 / n9504 (diagram: Concrete Model / Logical Model): Leaf Profile Leafs_101_and_102 (three times); Leaf Profiles li07_to_ld04-c3850-01, li07_to_lg05-n7706-01, li07_to_lg11-n9504-01; Interface Selectors 1/3, 1/7, 1/8; Leaf Policy Groups 10G_acc_c3850, 10G_acc_n7706, 10G_acc_n9504; VLAN Pool Customer_A_01; External Routed Domain Customer_A_L3_01; AAEP Customer_A_01; Interface Policies 10G, CDP_enabled. Annotation: All Leaf Policy Groups use the same Interface Policies (Settings and allowed VLANs).

10G_acc_to_external_L3_switch (diagram: Concrete Model / Logical Model): Leaf Profile Leafs_101_and_102 (three times); Leaf Profiles li07_to_ld04-c3850-01, li07_to_lg05-n7706-01, li07_to_lg11-n9504-01; Interface Selectors 1/3, 1/7, 1/8; Leaf Policy Group 10G_acc_to_external_L3_switch; VLAN Pool Customer_A_01; External Routed Domain Customer_A_L3_01; AAEP Customer_A_01; Interface Policies 10G, CDP_enabled. Annotation: Consolidated Leaf Policy Group for Interfaces which use the same Interface Policies (Settings and allowed VLANs).

Couldn't we reduce the number of Leaf Profiles?

Yes, provided that they use the same interfaces on the physical switch(es)

10G_acc_to_external_L3_switch (diagram: Concrete Model / Logical Model): Leaf Profile Leafs_101_and_102 (three times); Leaf Profiles li07_to_ld04-c3850-01, li07_to_lg05-n7706-01, li07_to_lg11-n9504-01; Interface Selectors 1/3, 1/7, 1/8; Leaf Policy Group 10G_acc_to_external_L3_switch; VLAN Pool Customer_A_01; External Routed Domain Customer_A_L3_01; AAEP Customer_A_01; Interface Policies 10G, CDP_enabled. Annotation: Multiple Leaf Profiles / Interface Selectors consume the same Leaf Policy Group (Settings and allowed VLANs).

10G_acc_to_external_L3_switch (diagram: Concrete Model / Logical Model): Leaf Profile Leafs_101_and_102; Leaf Profile li07_to_external L3_switch; Interface Selector 1/3, 1/7, 1/8; Leaf Policy Group 10G_acc_to_external_L3_switch; VLAN Pool Customer_A_01; External Routed Domain Customer_A_L3_01; AAEP Customer_A_01; Interface Policies 10G, CDP_enabled. Annotation: Consolidated Leaf Profiles / Interface Selectors consume the same Leaf Policy Group (Settings and allowed VLANs).

Automating Access Policies abstracts the naming rules away from APIC, thus ensuring configuration conformance.

In large organisations, having an automated approach to interface configuration could allow the rack/stack team to configure the switches from a simple IT services catalogue.
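An added example (not from the original slides) of automation owning the naming rules: it derives access-policy object names from the example rack layout and naming approach above, and audits a list of existing names against them. The port-type vocabulary (access, pc, vpc) and the names in SAMPLE are assumptions constructed for illustration.

```python
import re

ROWS = "ABCD"        # rows in the example rack layout
RACKS_PER_ROW = 10   # racks 1..10 per row, two ToR switches per rack
FIRST_NODE = 101     # ToR ID of the first switch in rack A1
LAST_NODE = FIRST_NODE + len(ROWS) * RACKS_PER_ROW * 2 - 1   # 180

RACK_RE = r"[A-D](?:10|[1-9])"
PATTERNS = {
    # Rack_ID_SwitchID, e.g. A1_101
    "switch_profile": re.compile(rf"(?P<rack>{RACK_RE})_(?P<node>\d{{3}})"),
    # Switch_ID_to_ConnectedDevice, e.g. 101_to_c3850-01
    "leaf_profile": re.compile(r"(?P<node>\d{3})_to_[A-Za-z0-9-]+"),
    # PortSpeed_PortType_Usage, e.g. 10G_access_c3850-01 (port types assumed)
    "leaf_policy_group": re.compile(r"\d+G_(?:access|pc|vpc)_[A-Za-z0-9-]+"),
}


def tor_ids(rack_id):
    """Return the two ToR node IDs of a rack such as 'B3', per the rack layout."""
    match = re.fullmatch(r"([A-D])(10|[1-9])", rack_id)
    if match is None:
        raise ValueError(f"unknown rack {rack_id!r}")
    row, position = ROWS.index(match.group(1)), int(match.group(2))
    first = FIRST_NODE + row * RACKS_PER_ROW * 2 + (position - 1) * 2
    return first, first + 1


def access_policy_names(rack_id, node_id, device, speed, port_type):
    """Derive conformant names so that no operator types them by hand."""
    if node_id not in tor_ids(rack_id):
        raise ValueError(f"node {node_id} is not installed in rack {rack_id}")
    return {
        "switch_profile": f"{rack_id}_{node_id}",
        "leaf_profile": f"{node_id}_to_{device}",
        "leaf_policy_group": f"{speed}_{port_type}_{device}",
    }


def audit(objects):
    """Return (kind, name, reason) for every name that breaks the convention."""
    findings = []
    for kind, name in objects:
        match = PATTERNS[kind].fullmatch(name)
        if match is None:
            findings.append((kind, name, "does not match naming pattern"))
            continue
        groups = match.groupdict()
        node = int(groups["node"]) if "node" in groups else None
        if node is not None and not FIRST_NODE <= node <= LAST_NODE:
            findings.append((kind, name, f"node {node} is not in the rack layout"))
        elif kind == "switch_profile" and node not in tor_ids(groups["rack"]):
            findings.append((kind, name, f"node {node} is not in rack {groups['rack']}"))
    return findings


# Constructed sample: names as they might be read back from a fabric.
SAMPLE = [
    ("switch_profile", "A1_101"),
    ("switch_profile", "A1_103"),            # 103 belongs to rack A2
    ("leaf_profile", "101_to_c3850-01"),
    ("leaf_profile", "vpc_to_ucs_fi_a"),     # wizard-style name, no switch ID
    ("leaf_profile", "201_to_n7706-01"),     # node ID outside the layout
    ("leaf_policy_group", "10G_access_c3850-01"),
]

if __name__ == "__main__":
    print(access_policy_names("A1", 101, "c3850-01", "10G", "access"))
    for finding in audit(SAMPLE):
        print(finding)
```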

Secondly, we needed to consume the switch interfaces: Tenant Configuration

Network Consumption: Tenants, Quick Start wizard

ACI Nomenclature Refresher
- A Tenant is just an Administrative boundary
- A VRF is a VRF as you know it today
- A Bridge Domain is a L2 segment where flooding rules apply (think VLAN but without a VLAN ID)
- A Bridge Domain is the scope of one or more subnets (think SVI and IP Secondary)
- An EPG is just a logical grouping of devices (think interfaces and VLANs)
- An EPG is a Port Group in VMware
- An EPG can contain different VLANs, e.g. when mixing dynamic Virtual Port Groups and Physical machines (think hardware VTEP)
- Devices in an EPG are allowed to communicate (by default)
- Isolated EPGs block communication within the EPG (think PVLAN)
- Micro Segmentation (µseg) EPGs are used to dynamically move devices from a base EPG into a more specific EPG
- An Application Network Profile is a group of one or more EPGs (remember an EPG can only be inside one ANP)
- Communication between EPGs and/or from devices off the ACI fabric requires Contracts (ACLs)

Network Interfaces must be configured first! (diagram: Concrete Model / Logical Model)
- ANP: My_App; EPG: Web; Domain: Production_Svrs
- Path: vpc_to_ucs_fi_a VLAN_10; Path: vpc_to_ucs_fi_b VLAN_10
- Leaf Profiles (Target Switches): Leafs_101_and_102
- Leaf Profile vpc_to_ucs_fi_a: Interface Selector 1/21; Leaf Profile vpc_to_ucs_fi_b: Interface Selector 1/22
- Leaf Policy Groups: vpc_to_ucs_fi_a, vpc_to_ucs_fi_b
- Interface Policies: CDP_enabled, LACP_Active
- AAEP (Allowed VLANs): UCS-phys-svrs
- VLAN mgmt (Phy/Out Domain): UCS-phys-svrs
- VLAN/VXLAN (Pools): UCS-phys-svrs
- Security Domain (optional)

What about VLANs, SVIs, ACLs, etc?

Option 1: Single EPG on a Single BD with a Single Subnet (standard networking)
- Tenant: My_Tenant; VRF: 01 (Anycast gateway); ANP: My_App
- BD: 192.168.10.X, BD: 192.168.20.x, BD: 192.168.30.x, each with Hardware Proxy: No, ARP Flooding: Yes, Unknown Unicast Flooding: Yes, IP Routing: No
- Endpoints in EPG identified by Switch/Interface and VLAN ID: 192.168.10.11/24, 192.168.10.12/24, 192.168.20.11/24, 192.168.20.12/24, 192.168.30.11/24, 192.168.30.12/24
- EPG Tags (Security Zones): Web (VLAN 10), App (VLAN 11), DB (VLAN 12); communication allowed within each EPG

Option 2: Multiple EPGs on a Single BD with a Single Subnet (µsegmentation in IP space)
- Tenant: My_Tenant; VRF: 01 (Anycast gateway); ANP: My_App
- Bridge Domain: 192.168.10.X_24 (Layer 2 Segment), Gateway: 192.168.10.1, Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: Yes
- Endpoints in EPG identified by Switch/Interface and VLAN ID: 192.168.10.11/24, 192.168.10.12/24, 192.168.10.13/24, 192.168.10.14/24, 192.168.10.15/24, 192.168.10.16/24
- EPG Tags (Security Zones): Web (VLAN 10), App (VLAN 11), DB (VLAN 12); communication allowed within each EPG

Just because you can doesn't always mean you should

Option 3a: Multiple EPGs on a Single BD with Multiple Subnets (IP secondary)
- Tenant: My_Tenant; VRF: 01 (Anycast gateway); ANP: My_App
- Bridge Domain: multiple_subnets, Gateway: 192.168.10.1, 192.168.20.1, 192.168.30.1, Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: Yes
- Endpoints in EPG identified by Switch/Interface and VLAN ID: 192.168.10.11/24, 192.168.10.12/24, 192.168.20.11/24, 192.168.20.12/24, 192.168.30.11/24, 192.168.30.12/24
- EPG Tags (Security Zones): Web (VLAN 10), App (VLAN 11), DB (VLAN 12); communication allowed within each EPG

Option 3b: Multiple EPGs on a Single BD with Multiple Subnets (IP secondary)
- Tenant: My_Tenant; VRF: 01 (Anycast gateway); ANP: My_App
- Bridge Domain: multiple_subnets, Gateway: 192.168.10.1, 192.168.20.1, Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: Yes
- Endpoints in EPG identified by Switch/Interface and VLAN ID: 192.168.10.11/24, 192.168.20.11/24, 192.168.10.12/24, 192.168.20.12/24, 192.168.10.15/24, 192.168.10.16/24
- EPG Tags (Security Zones): Web (VLAN 10), App (VLAN 11), DB (VLAN 12); communication allowed within each EPG

What about segmenting inside an EPG?

Options 1, 2, and 3: µsegmentation within an EPG/Port Group (no East/West traffic flows)
- Tenant: My_Tenant; VRF: 01 (Anycast gateway); ANP: My_App
- Bridge Domain: 192.168.10.X_24 (Layer 2 Segment), Gateway: 192.168.10.1, Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: Yes
- Endpoints in EPG identified by Switch/Interface and VLAN ID: 192.168.10.11/24, 192.168.10.12/24, 192.168.10.13/24, 192.168.10.14/24, 192.168.10.15/24, 192.168.10.16/24
- EPG Tag (Security Zone): Web (VLAN 10); communication allowed within EPG

Options 1, 2, and 3: µsegmentation within an EPG/Port Group based on machine attribute
- Tenant: My_Tenant; VRF: 01 (Anycast gateway); ANP: My_App
- Bridge Domain: 192.168.10.X_24 (Layer 2 Segment), Gateway: 192.168.10.1, Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: Yes
- Endpoints in EPG identified by Switch/Interface and VLAN ID: 192.168.10.11/24, 192.168.10.12/24, 192.168.10.13/24, 192.168.10.14/24, 192.168.10.15/24, 192.168.10.16/24
- Machine attributes: Name Contains: Web_1, Name Contains: Web_2, Name Contains: Web_3
- EPG Tag (Security Zone): All_Web_Servers (VLAN 10); communication allowed within useg EPG

External VLANs: L2 connection to legacy networks

Option 1: Same VLANs Outside/Inside (No Contract Required)
- Tenant: My_Tenant; VRF: 01 (Anycast gateway); ANP: Outside_VLANs
- Bridge Domain: outside_vlan_10, Gateway: 192.168.10.1, Hardware Proxy: No, ARP Flooding: Yes, Unknown Unicast Flooding: Yes, IP Routing: Yes
- Paths: vpc_to_ucs_a vlan-10, vpc_to_ucs_b vlan-10, vpc_to_n5ks vlan-10
- EPG: Host-Mgmt, endpoints 192.168.10.11 and 192.168.10.10; communication allowed within EPG

Option 2: Different VLANs Outside/Inside (Contract Required)
- Tenant: My_Tenant; VRF: 01 (Anycast gateway); ANP: Outside_VLANs
- Bridge Domain: outside_vlan_10, Gateway: 192.168.10.1, Hardware Proxy: No, ARP Flooding: Yes, Unknown Unicast Flooding: Yes, IP Routing: Yes
- L2out: vpc_to_n5ks vlan-10
- Paths: vpc_to_ucs_a vlan-100, vpc_to_ucs_b vlan-100
- EPG: Host-Mgmt, endpoints 192.168.10.10 and 192.168.10.11; communication allowed within EPG; communication allowed to External EPG

External Subnets

External Routed Connections
- Tenant: My_Tenant; VRF: 01 (Anycast gateway); ANP: My_App
- Bridge Domain: 192.168.10.x_22, Gateway: 192.168.10.1, Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: Yes
- L3out: Area0; 101/1/96: 192.168.30.1/30; 102/1/96: 192.168.30.5/30; OSPF Configuration
- Security Import Subnet*, i.e. which external subnets can be accessed through this EPG
- Endpoints: 192.168.10.11/22, 192.168.10.12/22, 192.168.10.21/22, 192.168.10.22/24
- EPG Tags (Security Zones): Web (VLAN 10), App (VLAN 11)
- External EPG 10.1.1.0/24: permit access to remote subnet 10.1.1.0/24 (communication allowed to 10.1.1.0/24)
- External EPG 0.0.0.0/0: permit access to all remote subnets 0.0.0.0/0 (communication allowed to all External Subnets)

A quick note about contracts

Contracts permit communication between EPGs
[Diagram: Tenant My_Tenant, VRF 01; BDs 192.168.10.X, 192.168.20.x and 192.168.30.x; ANPs MyApp_1, MyApp_2 and DB; EPGs Web_1, App_1 and DB_1 with endpoints in 192.168.10.x/24 and 192.168.20.x/24.]

Now that we have a better understanding of ACI, let's consider what customers typically want to automate

Customer Use Cases
- Credit Services: Multi-Tier application Deployments, Tenants, VRFs, Bridge Domains, Endpoint Groups, Contracts, Load Balancing (Citrix), VM creation
- Banking: VRFs, Bridge Domains, Endpoint Groups, Contracts, Switch Interfaces, VM creation, OS Installation
- Media: Tenants, VRFs, Bridge Domains, Endpoint Groups, Contracts, Switch Interfaces

What should you look to do first?
A. Automate the building of networking infrastructure
B. Automate the consumption of networking resources
   - Blueprints for Tenants, L2 (EPG/VLAN/VXLAN), L3, L4-7 services
   - IP Address Management (IPAM)
   - Summary routes into the fabric
   - Virtual machine creation
   - Containers
   - Application Provisioning
   - Self service offering
C. Automate both infrastructure and consumption
D. Automate application deployment

Take a step back: most customers actually require a number of predefined functional Blueprints

Sample Network Blueprints
[Diagram of three blueprints, each with Clients and an External Router to WAN: L2 Fabric (external g/w), where the gateway 192.168.10.1 is external and the ACI Gateway is not used; L3 Fabric, with an ACI Gateway; L3 Fabric with external firewall, with an ACI Gateway.]

Sample Network Blueprints
[Diagram of three blueprints, each with Clients and an External Router to WAN: L3 Fabric with firewall on fabric; L3 Fabric with SLB on fabric; L3 Fabric with firewall and SLB. Components shown: ACI External Gateway, ACI Internal Gateway, ACI Gateway, SLB.]

Let's consider the consumers of a cloud provider. The consumers don't concern themselves with server connectivity.

They simply concern themselves with the IP addresses/gateway for their applications, and the security rules which allow access to those applications.

Automating Tenant configuration allows teams other than the network team to consume network services.

If we now understand the why

We next need to understand the how

How Many of You...
- Are already scripting and automating common tasks? In my experience, most of us are not
- Are really good at copy and paste? That's me that is!!

Congratulations!

Being Serious For A Moment
- We talk to a lot of partner and customer engineers all over the world
- It is clear that some knowledge of programming concepts is quite valuable these days
- The top question is always "Do I need to learn programming to keep doing my job?"
- I've got some good news for you...
- In a nutshell, the answer is No...
- But only if you learn to consume the easy-to-use tools and processes out there

ACI and the API

What is ACI? It is all about the API and Object Model

ACI and REST API
- REST is fundamental to APIC interaction
- All other tools are built around it
- Understand REST, understand ACI automation
- The second time you need to do something, think about automating it instead!!

Using REST
- HTTP(S) to the URL or Address of an object
- Select an Action to perform (GET, POST etc)
- Send the Payload (in XML or JSON format)

Common (Free) Tools For The Network Engineer
Use these to automate things in ACI:
- Postman Plugin for Google Chrome
- API Inspector
- APIC GUI
- COBRA SDK
- Python IDE (Pycharm, Atom, others)
- Git / Github
- ARYA
- ACI Toolkit
- Many Others

Different Engineers, Different Tools
[Diagram: APIC GUI, REST API, SDK and APIC CLI placed on a scale between Powerful/Complex and Simple/Rigid.]

API Inspector: a REST API Sniffer
- Record your GUI interaction as JSON
- Modify and replay with tools like Postman


Postman Plugin for Google Chrome

Python SDK (aka "Cobra") + ARYA
- Full-featured access to the entire APIC REST API
- Native ACI language: configure in the GUI and turn into Cobra SDK code
- Contributors include: Business Unit Engineers, Technical Services Engineers, Advanced Services Engineers
- Complete user use cases all possible
- http://github.com/datacenter/cobra
- http://github.com/datacenter/arya

XML/JSON -> arya.py -> Python code

JSON input:

    {"fvTenant": {"attributes": {"dn": "uni/tn-Cisco", "name": "Cisco", "rn": "tn-Cisco", "status": "created"},
      "children": [
        {"fvBD": {"attributes": {"dn": "uni/tn-Cisco/BD-CiscoBd", "mac": "00:22:BD:F8:19:FF", "name": "CiscoBd", "rn": "BD-CiscoBd", "status": "created"},
          "children": [
            {"fvRsCtx": {"attributes": {"tnFvCtxName": "CiscoNetwork", "status": "created,modified"}, "children": []}},
            {"fvSubnet": {"attributes": {"dn": "uni/tn-Cisco/BD-CiscoBd/subnet-[10.0.0.1/8]", "ip": "10.0.0.1/8", "rn": "subnet-[10.0.0.1/8]", "status": "created"}, "children": []}}
          ]}},
        {"fvCtx": {"attributes": {"dn": "uni/tn-Cisco/ctx-CiscoNetwork", "name": "CiscoNetwork", "rn": "ctx-CiscoNetwork", "status": "created"}, "children": []}}
      ]}}

Python code:

    import cobra.model.fv
    import cobra.model.pol

    # topMo is the parent of the tenant: the policy universe ("uni")
    topMo = cobra.model.pol.Uni('')
    # Each object is created under its parent, mirroring the JSON tree above
    fvTenant = cobra.model.fv.Tenant(topMo, name='Cisco')
    fvCtx = cobra.model.fv.Ctx(fvTenant, name='CiscoNetwork')
    fvBD = cobra.model.fv.BD(fvTenant, mac='00:22:BD:F8:19:FF', name='CiscoBd')
    fvRsCtx = cobra.model.fv.RsCtx(fvBD, tnFvCtxName=fvCtx.name)
    fvSubnet = cobra.model.fv.Subnet(fvBD, ip='10.0.0.1/8')
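An added example (not from the original slides, and not Cisco code) of a pre-flight check for the "modify and replay" workflow: before a captured JSON payload is POSTed, it walks the object tree, confirms every dn sits under its parent, and lists any object the replay would delete. The host name apic.example.test and the tampered payload are constructed placeholders; the /api/mo/<dn>.json path is the standard APIC REST form for addressing a managed object.

```python
import copy
import json

ALLOWED_STATUS = {"created", "modified", "created,modified", "deleted"}


def mo(cls, children=(), **attrs):
    """Build one managed object in the APIC JSON shape."""
    return {cls: {"attributes": attrs, "children": list(children)}}


# The tenant tree shown on the slide.
SLIDE_PAYLOAD = mo(
    "fvTenant", dn="uni/tn-Cisco", name="Cisco", rn="tn-Cisco", status="created",
    children=[
        mo("fvBD", dn="uni/tn-Cisco/BD-CiscoBd", mac="00:22:BD:F8:19:FF",
           name="CiscoBd", rn="BD-CiscoBd", status="created",
           children=[
               mo("fvRsCtx", tnFvCtxName="CiscoNetwork", status="created,modified"),
               mo("fvSubnet", dn="uni/tn-Cisco/BD-CiscoBd/subnet-[10.0.0.1/8]",
                  ip="10.0.0.1/8", rn="subnet-[10.0.0.1/8]", status="created"),
           ]),
        mo("fvCtx", dn="uni/tn-Cisco/ctx-CiscoNetwork", name="CiscoNetwork",
           rn="ctx-CiscoNetwork", status="created"),
    ],
)


def tampered_payload():
    """Constructed bad edit: a subnet moved to another tenant and a VRF deletion."""
    bad = copy.deepcopy(SLIDE_PAYLOAD)
    children = bad["fvTenant"]["children"]
    subnet = children[0]["fvBD"]["children"][1]["fvSubnet"]["attributes"]
    subnet["dn"] = "uni/tn-Other/BD-CiscoBd/subnet-[10.0.0.1/8]"
    children[1]["fvCtx"]["attributes"]["status"] = "deleted"
    return bad


def walk(obj, parent_dn):
    """Yield (class, dn, status, problems) for every object in the tree."""
    (cls, body), = obj.items()
    attrs = body.get("attributes", {})
    dn, rn = attrs.get("dn"), attrs.get("rn")
    status = attrs.get("status", "").replace(" ", "")
    problems = []
    if dn and rn and dn != f"{parent_dn}/{rn}":
        problems.append(f"dn {dn} is not {parent_dn}/{rn}")
    elif dn and not dn.startswith(parent_dn + "/"):
        problems.append(f"dn {dn} is outside {parent_dn}")
    if status and status not in ALLOWED_STATUS:
        problems.append(f"unexpected status {status!r}")
    # Relation objects such as fvRsCtx may carry neither dn nor rn.
    here = dn or (f"{parent_dn}/{rn}" if rn else parent_dn)
    yield cls, here, status, problems
    for child in body.get("children", []):
        yield from walk(child, here)


def preflight(host, payload_text):
    """Return the (method, url, body) to send and a list of review findings."""
    payload = json.loads(payload_text)
    rows = list(walk(payload, "uni"))
    target_dn = rows[0][1]
    findings = [f"{cls} {dn}: {p}" for cls, dn, _, probs in rows for p in probs]
    findings += [f"{cls} {dn}: replay would delete this object"
                 for cls, dn, status, _ in rows if status == "deleted"]
    request = ("POST", f"https://{host}/api/mo/{target_dn}.json", json.dumps(payload))
    return request, findings


if __name__ == "__main__":
    for payload in (SLIDE_PAYLOAD, tampered_payload()):
        request, findings = preflight("apic.example.test", json.dumps(payload))
        print(request[0], request[1], findings or "clean")
```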

Practical example of tool usage

Cisco on Github
- https://github.com/datacenter
- https://github.com/datacenter/aci
- https://github.com/datacenter/aci-examples
- https://github.com/datacenter/sparci
- https://github.com/datacenter/acitoolkit

Customer demo


UCSD Director for IAAS ACI Network Configuration

Introduction

Cisco ONE Enterprise Cloud Suite: Infrastructure Management
Build and run a Private Cloud
Cisco UCS Director (Infrastructure)
- Builds and manages Private Cloud Infrastructure: Physical and Virtual, including ACI
- In pure IaaS deployments provides VM provisioning, e.g. through vCenter for ESX and SCVMM for Hyper-V
- Provides an end-user self-service portal for IaaS provisioning
[Figure labels: Virtual, Physical, Hypervisor]

UCS Director Topology and Optional Components
[Figure labels: UCS, Nexus, Physical & Virtual Infrastructure]

Orchestrating with UCS Director
- Model Based Orchestration
- Object, not script, based
- ~2,000 infrastructure tasks included
- Graphical Design Interface
- Logical processing of Conditionals and Loops
- Versioning Support

UCSD Director for IaaS ACI

Different Catalogues for Different User Types

Network Admins: ACI Fabric Provisioning
Network Administrator Tasks:
- Create VLAN Pool
- Create Domain and Bind to VLAN Pool
- Create AAEP and Bind to Domain & Leaf Policy Group
- Create Leaf Profile and Bind to Switch Profile
- Create Interface selector and Bind to Leaf Profile & Leaf Policy Group
- Create Switch Profile

Tenant Admins: ACI Tenant Operations
ACI Tenant Administrator Tasks:
- Create New Tenant
- Create VRF & Bind to Tenant
- Create L3out & Bind to VRF
- Create Bridge Domain (L2) & Bind to VRF
- Create Bridge Domain (L3) & Bind to VRF
- Create EPG & Bind to Bridge Domain
- Create Contract & Filter & Bind to EPGs
- Create a BD/EPG with Flooding Enabled & a Static Binding to a VLAN

Network Operations: ACI Service Expansion
Network Operations Tasks:
- Add additional Interface to a L3out
- Add Subnets to existing L3out
- Add Ports to an existing Filter
- Add Filters to an existing Contract
- Add an additional EPG to a Bridge Domain
- Add an additional Domain to an EPG
- Add a Static Binding to an EPG
- Add new vswitch to Virtual Center

Creating a New Workflow/Catalogue Entry

Configure ACI Network via UCS Director
- This creates a new ACI Interface Leaf Profile with the following Interface Selectors
- Select the ACI switch policy leaf profile to associate the Interface Leaf Profile to, and select the Interface Leaf Profile that was created in the previous request
- Select the physical switch port to connect the new host to the BMA EPG

Create New ACI Tenant, VRF, BD and Subnet

Northbound API Access

UCSD Access via its Northbound API

    {
      "param0": "Add Device to ACI Fabric",
      "param1": {
        "list": [
          { "name": "Device Type", "value": "r01_1g_acc_wibble_esx" },
          { "name": "Enter Interface(s)", "value": "1/79" }
        ]
      },
      "param2": -1
    }

[Figure labels: UCS, Nexus, Physical & Virtual Infrastructure]

Flexible automation models

Flexible Automation Models
[Figure labels: Service Request, ITSM, vCenter, APIC]

UCSD Director for IaaS: When 230 OOB ACI tasks are not enough!

APIC API Inspector

UCS Director ACI JSON Convertor

Useful Links
- Cisco Communities (>300 Examples): https://communities.cisco.com/docs/doc-56419
- APIC Inspector to UCS Director Workflow Task Convertor
  - Convertor Script: https://cisco.box.com/s/zexj4r4unkcotykq1u5a1vl0dan6e05w
  - Baseline WF Template: https://cisco.box.com/s/6phyf2rvv11qd7db3a0haynbxrr4zcni
  - HowTo Video: https://cisco.box.com/s/w1vi4fce1wo6n14svih9pn5uf1f15c6d

Coming soon. Updated interface

Preview: HTML5 Admin Interface

Multi Cloud Management Cisco Cloud Center

Introduction

A widening Cloud Gap
Between what cloud applications require and what IT is capable of reliably and confidently supporting today.
[Figure labels: LoB requirements; Cloud applications; Traditional applications; IT capabilities (People, Processes, Tools); Cloud Gap; Time]

CloudCenter Unique Value
Model Once. Deploy and Manage Anywhere.
- One Integrated Platform
- Lifecycle Management
- New and Existing Applications
[Figure labels: MODEL, DEPLOY, MANAGE; Data Center, Private Cloud, Public Cloud]

What Does Model Once Mean?
- Script-Based: Infrastructure-Centric; Cloud-Specific workflows and Scripts; Labor/Services Intensive; Unique Script / Workflow
- Application Profile-Based: Application-Centric; Cloud-Agnostic; Low TCO

CloudCenter Terminology
- An application profile is composed of services. Each service defines a function of the application (e.g. web, firewall, database).
- Services are instantiated using packages and customized using artifacts.
- Artifacts can consist of scripts, code snippets, applications.
- Repositories contain the artifacts and can contain packages.
[Figure labels: Application Profile, Repositories, Services, Artifacts (bash, sql, perl, binary), package]

Topology Modeling UI

CloudCenter Integration into ACI

Cloud Center and ACI
- Seamless Integration
- Zero Touch automation
- Powerful Benefits: Application Security, Ops Efficiency, User Agility
- CloudCenter Model-Based Approach: Application Profile
- ACI Policy-Based Approach: Application Network Profile

Cloud Center Automation of ACI
[Figure labels: CloudCenter Manager, CloudCenter Orchestrator, APIC]
- VRF: 01 (Anycast gateway)
- Bridge Domain: 192.168.10.x_22
  - Gateway: 192.168.10.1
  - Bridge Domain Hardware Proxy: Yes
  - ARP Flooding: No
  - Unknown Unicast Flooding: No
  - IP Routing: Yes
- L3out: Area0
  - 101/1/96: 192.168.30.1/30
  - 102/1/96: 192.168.30.5/30
- Endpoints: 192.168.10.11/22, 192.168.10.12/22, 192.168.10.21/22, 192.168.10.22/24
- ANP: My_App
- Tenant: My_Tenant
- EPG Tag: Web (VLAN 10), Security Zone
  - Communication allowed to App
- EPG Tag: App (VLAN 11), Security Zone
  - Communication allowed to 10.1.1.0/24
  - Communication allowed to all External Subnets
- EPG 10.1.1.0/24: Permit access to remote subnet: 10.1.1.0/24
- EPG 0.0.0.0/0: Permit access to all remote subnets: 0.0.0.0/0

Additional Resources

- CloudCenter Overview Video: https://www.youtube.com/watch?v=2ghfe5vwbk8 - Learn how CloudCenter enables IT organizations to put the right workload in the right environment to take advantage of hybrid IT.
- CloudCenter and ACI Automation Video: https://www.youtube.com/watch?v=35ssaqhf8tw - Get the full power and scale of SDN with Cisco CloudCenter and ACI together.
- CloudCenter with ServiceNow Video: https://www.youtube.com/watch?v=0u0ofdkuhns - Leverage your ServiceNow investment to get the benefits and controls of ITSM with the power of Cisco CloudCenter.
- Cisco dcloud: dcloud.cisco.com provides fully working environments of Cisco products, search for "Cisco CloudCenter 4.5 - Install, Configure, and Manage Lab v1"
- CloudCenter Installation Video: https://www.youtube.com/watch?v=km-fivlbb9a - Once you've purchased CloudCenter, steps to perform a basic installation of the platform.

For more details, please visit: http://www.cisco.com/go/cloudcenter
Questions? Speak with your Cisco account team

Summary

Questions?

Other Sessions of Interest
- BRKACI-2301 - Practical Applications of Cisco ACI µsegmentation
- LTRACI-2800 - ACI microsegmentation deployment techtorial lab
- LABACI-1234 - ACI Micro Segmentation Lab
- LTRSEC-3001 - Deep Dive Lab on ASA, FTD, and Firepower in ACI
- BRKACI-2307 - Real World ACI L4-L7 Service Integration Design
- LTRSEC-2800 - Integrating Cisco TrustSec and Cisco ACI Together
- BRKACI-3403 - ACI and Container Networking

Complete Your Online Session Evaluation
- Please complete your Online Session Evaluations after each session
- Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
- All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Thank you!!