Presentation for the vNPUG: Configuration Management Series w/Ansible 22 October 2015

1. Copyright © 2015 World Wide Technology, Inc. All rights reserved.
Programmability and Automation
in Data Center Networks
One tool, two fabrics: Nexus 9000 Configuration Management with
Ansible.
22 October 2015 Joel W. King Engineering and Innovations
Enterprise Networking Solutions

2. Introduction
Topic Brief:
Ansible is an automation and configuration management technology used to provision, deploy, and manage
compute infrastructure across cloud, virtual, and physical environments. This talk demonstrates how to use
Ansible to automate the configuration of Nexus 9000 series switches in either NX-OS using the NX-API or through
the Application Centric Infrastructure (ACI) controller (APIC).
Speaker Bio:
Joel W. King is a network architect at World Wide Technology (WWT) focused on engineering innovation in
enterprise SDN and network programmability.
Participated on Networking Panel at AnsibleFest NYC 2015
joel.king@wwt.com
@joel_w_king
www.slideshare.net/joelwking
github.com/joelwking/

3. Agenda
What is Ansible?
Using Ansible for Cisco Nexus 9000 series fabric deployments
 NX-OS using the NX-API (MP-BGP EVPN VXLAN Fabric Design)
 Application Centric Infrastructure

4. Cisco Data Center Switching
• If you are looking to Cisco for a Data Center switch, it will be a Nexus 9000.
• Nexus 9000 runs in either of two modes:
• NX-OS
• Application Centric Infrastructure – ACI
• Networks need Automation & Programmability.
• NX-API enables a northbound REST interface on individual NX-OS switches
• Nexus 3000 NX-API supported NX-OS 6.0(2)U4(1).
• NX-OS release 7.x enables NX-API on Cisco Nexus 5000 and 6000
• APIC is the Software Defined Networking controller for ACI

5. Introduction to Ansible
SIMPLE AGENTLESS POWERFUL
• Ansible uses
SSH instead of
agents.
• Python
modules run
locally or on
target systems
• Deploy
applications
• Configuration
management
• Network
provisioning
• Playbooks are
both human
and machine
readable.
• Large library of
modules.

6. Ansible and Cisco Data Center Networking
SSH – TCP/22
Users, API
NTP – UDP / 123
HTTP(s) TCP/80:443:22
HTTP(s) TCP/80:443
SSH – TCP/22
GitHub
HTTPS TCP/443
LDAP – TCP / 389
ESX
Server
Windows
Systems
Linux
DockerAmazon
Web Services
Agentless
Ansible / Tower
REST API
connection: local
feature nx-api
Nexus 3000 | 9000
Nexus 9000
ACI
github.com/joelwking/
PARAMIKO
APIC-EM
Cisco IOS

7. Push Based
• Chef and Puppet are “pull-based”
• The agent on the server periodically checks with the central server for configuration
information. (Chef agent by default checks with Chef server every 30 minutes)
• Chef uses a “convergent” model of configuration. As changes propagate through the
nodes, the network as a whole converges to the desired configuration state.
• Ansible is “push-based”
• You run the playbook,
• Ansible modules connect to the target servers and executes the modules
• Push based approach - you control when the changes are made on the server!
• No need to wait for a timer to fire.
Source: Ansible Up & Running & www.chef.io/solutions/configuration-management/

8. Lexicon
• Inventory A file grouping host names and (optionally) variables.
• Playbooks A design plan of tasks to act on one or more hosts.
• YAML Markup language, more human readable than XML / JSON.
• Facts Variables describing the target system.
• Tasks An activity to be carried out, e.g. install package, configure interface.
• Modules Python code to implement tasks.
• Idempotent Producing the same results if executed once or multiple times.
• Jinja2 Templating language converting templates to configuration files.
• Vault Encrypts sensitive data, passwords, use --ask-vault to prompt.
• Roles Directory structure to provide abstraction, think include files.

9. Why Learn Ansible?
• Simple, powerful automation tool
• Agentless
• Automation without programming
• Exposes you to Markup Languages
• Forces you to think like a programmer
• Low barrier to entry – Open Source, runs in a VM on your laptop
• Ansible Tower
• centralize and control your infrastructure
• visual dashboard,
• role-based access control,
• job scheduling,
• graphical inventory management.

10. What are Markup Languages?
• Markup Languages are implementations of
Data Serialization formats | standards | languages
• Cisco IOS configuration files are a proprietary form of
Markup Language
• Examples
• CSV Comma Separated Values
• XML Extensible Markup Language
• JSON JavaScript Object Notation
• YAML YAML ain’t Markup Language

11. Why Learn Markup Languages?
• Represent structured data to define a network configuration.
• Less emphasis on Command Line Interface (CLI) and IOS config files
Cisco ACI controller (APIC)
will generate and accept both
JSON and XML to save and upload
configurations
NETCONF protocol uses an XML
for configuration data and output messages.
Cisco IOS XR software has an XML
application programming interface (API).

12. NX-OS Programmability for MP-BGP EVPN
VXLAN Fabric Design

13. NX-OS Programmabilty
• ******* [ customer name removed ] *******************
• MP-BGP EVPN VXLAN Fabric Design
• Nexus 9500 spines (4)
• Nexus 9300 leafs (40)
• NX-OS configuration is complex
775 lines of config per leaf
WWT Integration Technology Center (ITC)
Cisco Virtual Topology System (VTS)
Cisco Prime Data Center Network Manager
(DCNM)

14. Process Flow
Group Variables
(All Leafs)
Host Variables
(Individual Switch)
Jinja Template
L2 Port Configuration
CSV
L3 Port Configuration
CSV
Switch
Configuration

15. Configuring your network from Excel
kingjoe@rocket:~/ansible/roles/excel_nxos/templates$ cat leaf_uplinks.j2
#
# Template for leaf uplinks
#
{% for row in spreadsheet %}
interface {{row.SourcePort}}
description {{row.Description}}
mtu 9216
load-interval counter 1 5
ip address {{row.SourceIP}}
no ipv6 redirects
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 {{OSPF.message_digest_key}}
ip ospf network point-to-point
ip router ospf {{OSPF.processID}} area 0.0.0.0
ip pim sparse-mode
no shutdown
!
{% endfor %}
end
#
# group_vars/leaf
#
OSPF:
message_digest_key: DEADBEEF
processID: 64800

16. group_vars/leaf
#
# group_vars/leaf
#
OSPF:
message_digest_key: DEADBEEF
processID: 64800
BGP:
as: 64800
neighbor:
- {ip_address: 10.181.63.1, password: DEADBEEF}
- {ip_address: 10.181.63.2, password: DEADBEEF}
- {ip_address: 10.181.63.3, password: DEADBEEF}
- {ip_address: 10.181.63.4, password: DEADBEEF}
vrf:
- PROD
- ACPT
- BACKUP
- MNGMT

17. host_vars/13leafzn01-rp01y
#
# host_vars/13leafzn01-rp01y
#
Vlan100:
ip_address: 10.181.0.250/31
loopback0:
ip_address: 10.181.63.11
mask: "/32"
s_ip_address: 10.181.63.100
s_mask: "/32"
#
# vPC peer information
#
peer_keepalive:
destination: 10.192.64.12
source: 10.192.64.11
channel_group_number: 10
channel_group:
- interface: "Ethernet2/11"
description: "13leafzn01-rp01z_E2/11"
- interface: "Ethernet2/12"
description: "13leafzn01-rp01z_E2/12"
13leafzn02-rp01.csv
13leafzn02-rp01_uplinks.csv
Ethernet 1/1 - 48
(layer2 port configuration)
Ethernet 2/1 – 4
(layer3 port configuration)

18. Render the Configuration
#
# Template for leaf uplinks
#
interface Ethernet2/1
description 13spine-rp01_E1/1
mtu 9216
load-interval counter 1 5
ip address 10.181.0.1/31
no ipv6 redirects
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 DEADBEEF
ip ospf network point-to-point
ip router ospf 64800 area 0.0.0.0
ip pim sparse-mode
no shutdown
!
! [ interfaces E2/2 E2/3 and E2/4 removed for brevity ]
!
end
Each column headers are variable names,
cell contents are assigned to these variables.
Variables are then used to render configuration.
Network engineer controls column header names
https://github.com/joelwking/ansible-nxapi/blob/master/csv_to_facts.py

19. Ansible Directory Structure
/home/kingjoe/ansible/roles:
DAILY_BACKUP
NTP
/playbooks:
xml
templates
hosts
ansible.cfg
*.yml
Inventory file
Configuration file
Playbooks
Static and Dynamic XML
Jinja2 Templates
kingjoe@rocket:~$ tail -3 .profile
#
export ANSIBLE_CONFIG="$HOME/ansible/playbooks/ansible.cfg"
#
inventory = $HOME/ansible/playbooks/hosts
library = /usr/share/ansible/
excel_nxos
Python modules
ACI
NX-OS

20. Playbook to install modules demonstrated
#
# Copyright (c) 2015 World Wide Technology, Inc.
# All rights reserved.
#
# Author: joel.king@wwt.com
#
# Usage: ansible-playbook download_wwt_modules.yml
#
# Assuming you are running this playbook from the 'administrator' account with sudo permissions,
# before running the first time, set the directory up with proper permissions
#
# sudo rm -rf /usr/share/ansible
# sudo mkdir /usr/share/ansible
# sudo chown administrator /usr/share/ansible
# sudo chgrp administrator /usr/share/ansible
#
# Revision history:
# 12 October 2015 | 1.0 - initial release
#
- name: Update WWT Ansible modules for automating Cisco routers and switches
hosts: localhost
connection: local
gather_facts: no
vars:
path:
target: "/usr/share/ansible/"
source: "https://raw.githubusercontent.com/joelwking/"
programs:
- {repo: "ansible-nxapi/master/", fn: nxapi_install_config.py}
- {repo: "ansible-nxapi/master/", fn: csv_to_facts.py}
- {repo: "ansible-aci/master/", fn: aci_install_config.py}
- {repo: "ansible-aci/master/", fn: AnsibleACI.py}
- {repo: "ansible-aci/master/", fn: aci_gather_facts.py}
- {repo: "ansible-ios/master/", fn: cisco_ios_install_config.py}
- {repo: "ansible-apic-em/master/", fn: apic_em_gather_facts.py}
tasks:
- name: Download the software
uri:
method: GET
url: "{{path.source}}{{item.repo}}{{item.fn}}"
dest: "{{path.target}}"
validate_certs: no
with_items: "{{programs}}"
- name: dos2unix
command: "/usr/bin/dos2unix {{path.target}}{{item.fn}}"
with_items: "{{programs}}"
- name: chmod
command: "/bin/chmod 755 {{path.target}}{{item.fn}}"
with_items: "{{programs}}"
download_wwt_modules.yml

21. NX-OS Programmability for MP-BGP EVPN
VXLAN Fabric Design
Demonstration

22. Application Centric Infrastructure

23. Why do I need automation with ACI?
• Using the ACI GUI is time consuming and prone to human error.
• WWT Integration Technology Center
(ITC) is the hub of our
global deployments and
supply chain programs.
• Customers use the ITC to
stage their data center
infrastructure prior to
deployment.

24. ACI Demonstrations
• Published demos
• Find the MAC address
https://youtu.be/t03ty5Y295U
• Apply ACI policDemo: Apply ACI policy, run Docker app
https://youtu.be/t03ty5Y295U?t=1m49s
• Today’s demo
• Use Ansible Roles to configure ACI fabric
• Specify NTP servers in CSV file
• Create XML files from templates
• Configure NTP and Daily Backups

25. Process Flow
vars
Jinja Template (s)
XML
ntp_server.csv
NTP
DAILY_BACKUP
REST API
---
- name: Example of a site.yml file running two roles
hosts: aci
gather_facts: no
roles:
- NTP
- DAILY_BACKUP

26. Application Centric Infrastructure
Demonstration

27. Configuring your ACI network from Excel
http://erjosito.tumblr.com/post/129878491127/configuring-your-network-from-excel

28. Summary
• One tool, two fabrics - ACI or NX-OS.
• Next generation networks, configurations less CLI, more Markup Languages.
• Network Engineers can ‘program’ the network without writing programs.