Ansible is one of the newer and more exciting automation toolsets for networking. Ansible (unlike Puppet and Chef) is agentless, which makes it significantly easier to automate existing devices that may not have an agent installed – such as many networking devices. Networks are evolving from hundreds or thousands of individual devices to the Software-Defined Network paradigm of a single fabric under a central controller. The GUI on top of an SDN controller isn’t sufficient and will still need automation. This presentation describes how Ansible can add value to configuration management of a Cisco Application Centric Infrastructure (ACI) infrastructure.

1. Copyright © 2015 World Wide Technology, Inc. All rights reserved.
RTP NPUG
Ansible Intro and Integration with ACI
10 August 2015
Joel W. King
Technical Solutions Architect
Enterprise Networking Solutions
Engineering and Innovations

2. Agenda
• Whoami, how I got started using Ansible
• Introduction to Ansible
• Demo – Power on VMs
• Demo – Power on VMs, copy file to Linux hosts
• Application Centric Infrastructure (ACI) Integration
• Why we need automation for Software-Defined Networking (SDN)
• Ansible Modules for ACI
• Demo- Find the MAC address
• Demo- Apply ACI policy, run Docker application
• ACI workflow using Ansible, developing configuration libraries
• APIC-EM Integration (time permitting)
• Discussion – Q and A

3. whoami
• At World Wide Technology, Inc. – Enterprise SDN, NetDevOps, Programmable Networks
• Past Experience
• NetApp – Technical Solutions Architect, Digital Video Surveillance – Big Data – E-Series
• Cisco – Technical Leader - Enterprise Systems Engineering (ESE) – Cisco Validated Designs (CVDs)
• Network Architect – AMP Incorporated – LAN / WAN design for 150 location global network
• Flash cutover of AMP’s network from OSPF to EIGRP using Perl and Telnet ~ 1996
• CCIE No. 1846 (retired)
• Participated on Networking Panel at AnsibleFest NYC 2015
joel.king@wwt.com
@joel_w_king
www.slideshare.net/joelwking
github.com/joelwking/

4. How I got started with Ansible…
• Cisco Nexus switches have a variety of network programmability features.
• We had use cases with everything but Orchestration and NX-API.
• I thought installing an agent might be a pain point!
Power
On
Auto
Provisio
ning
(POAP)
Nexus 9K
NX-API
RPC / REST API
Python
Interpreter
Bash shell
Introduction
to Python
Programming
on Nexus
Switches
Nexus Data Broker
w/ REST API
NXOS ACI
Orchestration APIC
REST API
OpenFlow
Security-Defined
Routing

5. … after a little research
• Downloaded The Benefits of Agentless Architecture
• Installed Ansible on Ubuntu in Virtual Box
git clone git://github.com/ansible/ansible.git --recursive
• Found in the FAQs: ansible_connection=local
• Enabled NX-API
NEX-9396-A-TRNG-CLASS(config)# feature nxapi
NEX-9396-A-TRNG-CLASS(config)# end
NEX-9396-A-TRNG-CLASS# copy run start
[###########################] 100%
Copy complete.
• Wrote an Ansible module for NX-API !
NX-API Developer Sandbox

6. Introduction to Ansible
• Ansible uses
SSH instead of
agents.
• Python
modules run
locally or on
target systems
SIMPLE AGENTLESS POWERFUL
• Deploy
applications
• Configuration
management
• Network
provisioning
• Playbooks are
both human
and machine
readable.
• Large library of
modules.

7. Pushed Based
• Chef and Puppet are “pull-based”
• The agent on the server periodically checks with the central server for configuration
information. (Chef agent by default checks with Chef server every 30 minutes)
• Chef uses a “convergent” model of configuration. As changes propagate through the
nodes, the network as a whole converges to the desired configuration state.
• Ansible is “push-based”
• You run the playbook,
• Ansible modules connect to the target servers and executes the modules
• Push based approach - you control when the changes are made on the server!
• No need to wait for a timer to fire.
Source: Ansible Up & Running & www.chef.io/solutions/configuration-management/

8. Lexicon
• Inventory A file grouping host names and (optionally) variables.
• Playbooks A design plan of tasks to act on one or more hosts.
• YAML Markup language, more human readable than XML / JSON.
• Facts Variables describing the target system.
• Tasks An activity to be carried out, e.g. install package, configure interface.
• Modules Python code to implement tasks.
• Idempotent Producing the same results if executed once or multiple times.
• Jinja2 Templating language converting templates to configuration files

9. Ansible and the Cisco Network
SSH – TCP/22
Users, API
NTP – UDP / 123
HTTP(s) TCP/80:443:22
HTTP(s) TCP/80:443
SSH – TCP/22
GitHub
HTTPS TCP/443
LDAP – TCP / 389
ESX
Server
Windows
Systems
Linux
DockerAmazon
Web Services
Agentless
Ansible / Tower
REST API
connection: local
feature nx-api
Nexus 3000 | 9000
CentOS
Nexus 9000
ACI
github.com/joelwking/
PARAMIKO
APIC-EM
Cisco IOS
• Provides “tool based” abstraction
• Low barrier to entry
• User written modules
• Common framework to manage
controllers and individual devices

10. $ python
Python 2.7.6 (default, Jun 22 2015, 17:58:13)
>>> import yaml
>>> playbook = yaml.load(open("add_local_user.yml", "r"))
>>> print playbook[0]["tasks"][0]["name"]
Add local user
What is YAML?
• YAML ( rhymes with camel) is a data
serialization format.
• Designed to be human and machine
readable.
• Ansible playbooks are YAML format
• Syntax is designed to be mapped to
data types in programming languages:
lists,
associative array (Python dictionaries),
and scalar variables.

11. Use Case: Power On
• ESXi hosts on ACI Demo
Fabric were power cycled.
• VMs for ACI Tenant were in
power-down state following
reboot.
• Run playbook to power-up
my demo VMs, rather than
use vSphere Client
$ cat power_up_vms.yml
---
- hosts: 127.0.0.1
connection: local
user: administrator
sudo: false
gather_facts: false
vars:
vmware_guest_facts: yes
joelking:
- X-DOCKER-CLIENT
- X-DOCKER-SERVER-1
- X-DOCKER-SERVER-2
- X-A10-vThunder
tasks:
- name: Power UP
vsphere_guest:
vcenter_hostname: 10.255.40.128
username: administrator@vsphere.local
password: **foo**
guest: "{{item}}"
state: powered_on
esxi:
datacenter: "ACI Demo DC"
hostname: 10.255.138.168
with_items: joelking

12. Demo: Power On virtual machines

13. Use Case: Copy File to VMs
• Modify playbook to list VM names
and Ubuntu hosts in Inventory file
• Items under group
[virtual_machines[] are VM names
not DNS names
• Items under group
[Ubuntu]
• X-A10-vThunder is a virtual
appliance, not a Ubuntu host
• When running a play, the values
are referenced by variable
{{inventory_hostname}}
$ cat hosts
#
[aci]
aci-demo.sandbox.wwtatc.local ansible_connection=local
ansible_ssh_user=kingjoe admin_uid=netdeploy
#
#
[server]
scp-server.sandbox.wwtatc.local ansible_ssh_user=administrator
#
[virtual_machines]
X-DOCKER-CLIENT
X-DOCKER-SERVER-1
X-DOCKER-SERVER-2
X-A10-vThunder
[Ubuntu]
X-DOCKER-CLIENT.sandbox.wwtatc.local
X-DOCKER-SERVER-1.sandbox.wwtatc.local
X-DOCKER-SERVER-2.sandbox.wwtatc.local

14. Use Case: Copy File to VMs (continued)
$ cat power_up_vms.yml
---
- hosts: virtual_machines
connection: local
user: kingjoe
sudo: false
gather_facts: false
vars:
vmware_guest_facts: yes
vars_prompt:
- name: "vCenter_password"
prompt: "Enter vCenter password"
private: yes
tasks:
- name: Power UP my VMs
vsphere_guest:
vcenter_hostname: 10.255.40.128
username: administrator@vsphere.local
password: "{{vCenter_password}}"
guest: "{{inventory_hostname}}"
state: powered_on
esxi:
datacenter: "ACI Demo DC"
hostname: 10.255.138.168
- hosts: Ubuntu
user: administrator
vars:
MY_directory: "/tmp/ansible"
tasks:
- name: Create directory
file: dest={{MY_directory}} state=directory mode=0755
- name: Download a file to the directory
get_url: url=http://docs.ansible.com/ansible/modules.html
dest={{MY_directory}} mode=0666 validate_certs=no
$ ansible-playbook -i hosts power_up_vms.yml --ask-pass
Note: this is an example of running modules locally and on remote
systems from the same playbook
continued

15. Demo:
Modify Power On virtual machines
playbook to use inventory file,
Copy file to Linux hosts

16. Ansible Tower
Ansible Enterprise Automation
Simple. Agentless. Powerful.
Control. Security. Delegation.
/ Uses OpenSSH
/ No extra code to manage
/ Ready for cloud-scale
/ Uses YAML for playbooks
/ No special coding skills needed
/ Fast learning curve
/ App deployment
/ Orchestration
/ Configuration management
/ Role-Based Access Control
/ Delegation of credentials/keys
/ Audit trail for automation
/ Centralized job runs
/ Job scheduling
/ Automation dashboard
/ Push-button job execution
/ Portal mode for delegation
/ REST API for integration
Ansible
Open Source
Ansible
Tower

17. PUSH-BUTTON LAUNCH
Launch automation jobs with a
button
ACCESS CONTROL
Role-based access
control & LDAP
integration DELEGATION OF
CREDENTIALS
Delegate credentials
without giving away
secrets
SCHEDULING
Schedule
automation jobs
(great for
periodic
remediation)
INVENTORY MANAGEMENT
Graphically manage your internal
& cloud resources
API & CLI
Documented RESTful
API and Tower CLI to
integrate Tower into your
tools
AUDITING
See a full Ansible job
history with drill-in details
ANSIBLE TOWER
The best way to run Ansible in your organization.

18. Ansible Up & Running

19. Network automation going mainstream
#netdevops

20. Application Centric Infrastructure (ACI)

21. Cisco Nexus Data Center Switching
• If you are looking to Cisco for a Data Center switch, it will be a Nexus 9000.
• Nexus 9000 runs in either of two modes:
• NX-OS
• Application Centric Infrastructure – ACI
• Networks need Automation & Programmability.
• NX-API enables a northbound REST interface on individual NX-OS switches
• Nexus 3000 NX-API supported NX-OS 6.0(2)U4(1).
• NX-OS release 7.x enables NX-API on Cisco Nexus 5000 and 6000
• APIC is the Software Defined Networking controller for ACI
• Ansible | Tower can be your automation engine.

22. Why do I need automation with ACI?
• Using the ACI GUI is time consuming and prone to human error.
• WWT Integration Technology Center
(ITC) is the hub of our
global deployments and
supply chain programs.
• Customers use the ITC to
stage their data center
infrastructure prior to
deployment.

23. Cisco Application-Centric Infrastructure (ACI)
• A data center fabric with three components:
• Nexus 9000 Series Switches and the Cisco Application Virtual Switch (AVS)
• SDN architecture based on a policy framework for configuration, management, security
• Cisco Application Policy Infrastructure Controllers (APIC)
• Nexus switches in the fabric are plug-n-play.
• All functions of the controller
are exposed via REST APIs.
• The Web GUI designed for
initial configuration, a
tool for automation. Cisco APIC Python SDK
(“cobra”)
CLI admin@apic1:aci>

24. Ansible and Nexus Switches
• Nexus 9K switches run either ACI
mode or NX-OS mode.
• Enhancements to NX-OS
including feature nx-api in
Nexus 3K, 7K, 5K, etc.
• NX-API provide HTTP based APIs
for configuration management –
XML or JSON
• Application Policy Infrastructure
Controller – APIC is an
SDNcontroller managing Nexus
9K in ACI mode.
• Servers, applications, and
network can be managed in a
single playbook.
SSH – TCP/22
Users, API
NTP – UDP / 123
HTTP(s) TCP/80:443
HTTP(s) TCP/80:443
SSH – TCP/22
GitHub
HTTPS TCP/443
LDAP – TCP / 389
ESX
Server
Windows
Systems
Linux
Docker
Agentless
Ansible / Tower
REST API
connection: local
feature nx-api
Nexus 3000 | 9000
CentOS
Nexus 9000

25. Ansible ACI Modules
• aci_gather_facts.py
• Gather Facts using Class or
Managed Object Queries
• https://youtu.be/Ec_ArXjgryo
• aci_install_config.py
• Configures the fabric via
ACI controller (APIC) northbound
REST API interface.
• https://youtu.be/PGBYIxEsqU8
• This module issues POST of XML,
the APIC will create or update object as required.
• Deletions implemented by including status="deleted“ in the XML
APIC

26. Gathering Facts: Types of Queries
• Managed Objects (MO) are abstract representations of physical / logical entity.
• Contain a set of configurations and properties.
• Organized in a tree structure called the Management Information Tree.
get /api/mo/uni/tn-ACME.jsonget /api/class/fvTenant.json
tn-mgmt tn-ACMEtn-infra tn-mgmt tn-ACMEtn-infra
Object-level queryClass-level query

27. Managed Object Query
• Managed Object Queries and Class Queries are handled by the same module,
aci_gather_facts.py
• The difference is the URI specified as argument to the module,
• In either case, the answer set is a list of objects, typically the Class Query will have
more than one element in the list.
• If the REST call is successful, but the results are null, the list is empty.
• Example playbook for Managed Object query:
https://github.com/joelwking/ansible-aci/blob/master/aci_mo_example.yml

28. Class Query: Find MAC address given IP
fvCEp A client endpoint attaching to the network.
./bin/ansible-playbook find_macaddress.yml
---
# https://github.com/joelwking/ansible-aci/blob/master/find-macaddress.yml
- name: Ansible ACI Demo of gathering facts using a class query
hosts: prod-01
connection: local
gather_facts: no
vars:
IPaddr: 198.51.100.4
tasks:
- name: Find the MAC address given an IP address
aci_gather_facts:
queryfilter: 'eq(fvCEp.ip, "{{IPaddr}}")'
URI: /api/class/fvCEp.json
host: "{{hostname}}"
username: admin
password: "{{password}}"
- name: use msg format
debug: msg=" ManagementIP {{ fvCEp[0].ip }} mac {{ fvCEp[0].mac }} encap {{ fvCEp[0].encap
}} "
TASK: [use msg format]
*****************************************
ok: [prod-01] => {
"msg": " ManagementIP 198.51.100.4
mac 00:50:56:B6:1C:CC encap vlan-2142 "
}
Filter results based on ip address specified
Can anyone tell me the flaw in this logic?

29. Importing Playbook into Tower
• Logon Tower
• Create directory /var/lib/awx/projects/find-macaddress
• Copy the contents of the playbook
into a file in the directory,
e.g. find-macaddress.yml
• I commented out the variable,
IPaddr, Tower will prompt.
• Create a project,
• Create a job template,
• Run job template.

30. Demo: Find the MAC address
https://youtu.be/t03ty5Y295U

31. Install ACI Configuration
• Ansible module aci_install_config.py
• Configures the fabric via
ACI controller (APIC) northbound
REST API interface.
• Reads the XML file specified as an argument
• Authenticates with the APIC
• Issues HTTP Post with the URL specified.
• Key Point
• Gather Facts provided the MAC and ‘dn’ based
on a Tenant and IP address
• Now we can programmatically build a
troubleshooting policy and load into tenant.
• By automating the creation of monitoring
and troubleshooting policies, we save time.

32. • Tower initiates Python modules
to apply policy to tenant in ACI
fabric.
• Tower initiates Python application
installed in Docker container
on client machine.
Ansible Tower – Apply ACI policy and run Docker app
x-docker-client
x-docker-server-1
.10
.1
.1
.10
192.0.2.0 / 24
TEST-NET-1
198.51.100.0 / 24
TEST-NET-2
Bridge Domain
TEST-NET-2
Bridge Domain
TEST-NET-1
management network
policy
app

33. Demo: Apply ACI policy, run Docker app
https://youtu.be/t03ty5Y295U?t=1m49s

34. Developing Configuration Libraries

35. Using Playbooks to Organize your Workflow
• While developing ACI configurations, I found myself
using Ansible Playbooks
to organize my work.
• The total configuration is broken into distinct,
verified steps.
• The configuration snippits can be shared among
engineers as ACI ‘best practice’ configs.
• Repository on WWT’s GitHub Enterprise server
atc-ops / aci-config-templates

36. Configure via the GUI
configure
Verify |
test
Save XML
Incorporate
into
playbook
automate

37. Verify and Test the configuration
configure
Verify |
test
Save XML
Incorporate
into
playbook
automate

38. Save the config snippet as XML
<fvTenant>
<traceroutepTrEp adminSt="start" descr="traceroute policy for client to server 10"
dn="uni/tn-A10_DEMO/trEp-CLIENT_SERVER10" name="CLIENT_SERVER10" ownerKey="" ownerTag="" payloadSz="56">
<traceroutepRsTrEpSrc tDn="uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-CLIENT/cep-00:50:56:9A:79:5C"/>
<traceroutepRsTrEpDst tDn="uni/tn-A10_DEMO/ap-SMALL_SERVERS/epg-SERVER/cep-00:50:56:9A:6A:03"/>
</traceroutepTrEp>
</fvTenant>
configure
Verify |
test
Save XML
Incorporate
into
playbook
automate

39. Incorporate into Playbook
---
- name: Deploy Tenant for A10 ADC
hosts: prod-01
connection: local
gather_facts: no
vars:
local_path: /home/administrator/ansible/CFGS
fvTenant: A10_DEMO
L4L7: vnsLDevVip_A10.xml
tasks:
- name: Loop through the variables to deploy the tenant
aci_install_config:
xml_file: "{{ local_path }}/{{ item }}"
URI: "/api/mo/uni/tn-{{fvTenant}}.xml"
host: "{{hostname}}"
username: admin
password: "{{password}}"
with_items:
- fvTenant_A10_DEMO.xml # Create Tenant
- vzFilter_A10_TCP_SMALL_SERVERS.xml # Create Filter
- vzBrCP_A10_CONTRACT_SUBJ.xml # Create Contract and Subject
- fvCtx_A10_DEMO.xml # Create Pritx_A10_DEMO.xml
- fvBD_A10_BRIDGE_DOMAIN.xml # Create Bridge Domains
- fvAP_A10_APP.xml # Create Application EPGs
- traceroutepTrEp_A10_clientserver.xml # Create traceroute policy
- "{{ L4L7 }}" # Create L4-L7 Services
configure
Verify |
test
Save XML
Incorporate
into
playbook
automate

40. Automate
configure
Verify |
test
Save XML
Incorporate
into
playbook
automate

41. Configuration Libraries
• ACI needs a library of ‘best practice’ configurations.
• Network engineers create configurations using
the APIC GUI.
• Configurations are tested, verified and then saved
in XML.
• The configuration snippets are organized into a
playbook.
• Only the with_items loop needs be changed in the
playbook.
• XML files can be converted into templates.
• Playbooks, XML and Templates stored in Git Repo.

42. Key Take-away
• Networks are evolving from individual devices to the SDN paradigm
of a single fabric under a central controller.
• Cisco ACI is an SDN implementation which abstracts the network devices,
the fabric is plug-n-play, provides central management and visibility.
• The GUI on top of an SDN controller isn't sufficient and we will still need automation
• Eliminate the hands in operations -
• No keyboard errors,
• No incomplete configurations,
• Build libraries of ‘best practice’ configurations.
• Network Engineers can use Ansible to automate Nexus switches to more closely align with
DevOps.

43. APIC - EM

44. Synergy
Ansible
• Ansible is an open source
automation tool.
• Designed to be easy for anyone to
understand and learn.
• Written module to apply
configuration changes to Cisco IOS
devices
• Requires an inventory file to
identify target routers and switches
to apply a baseline configuration.
Cisco APIC-EM
• APIC-EM is a SDN controller for
legacy LAN/WAN devices.
• Single source of truth.
• Provides inventory to Ansible by
discovery of Cisco IOS devices in
the network.
WWT
• Python module to integrate the
two applications.

45. Understanding the Network
• You can’t automate what you don’t understand!
• Discovery based on
• CDP
• IP address ranges
• Imitated either via GUI
or REST API
• Discovered Devices

46. “you used the northbound API, put two disparate pieces of technology together and made
them work better than they can individually.”
Phil Casini, Director Product Management for Cisco’s LAN/WAN SDN controller APIC EM.
Advanced Technology Center (ATC)
Using APIC-EM as the single source of truth.

47. Playbook
Tasks
1. apic_em_gather_facts
Query the APIC-EM controller
for a list of discovered
devices.
2. cisco_ios_install_config
Updates running config of
discovered devices.
---
- name: Integration of APIC-EM with Ansible
hosts: 127.0.0.1
connection: local
gather_facts: no
vars:
ansible_ssh_user: administrator
enablepw: xxxxx
password: xxxxx
tasks:
- name: Use APIC-EM controller to return a list of discovered devices
apic_em_gather_facts:
host: 10.255.40.125
username: bob
password: xxxxxx
- name: Install the configuration file
cisco_ios_install_config:
URI: ftp://ftpuser:xxxxx@10.255.40.101/sdn/lab_config_files/ios_config.cfg
host: "{{ item }}"
username: admin
enablepw: "{{ enablepw }}"
password: "{{ password }}"
debug: off
with_items: mgmtIp
github.com/joelwking/ansible-apic-em
github.com/joelwking/ansible-ios

48. !
!
ip name-server vrf management 8.8.8.8
!
ip http server
ip http secure-server
!
ip access-list extended ACL-AGENT-REDIRECT
remark explicitly prevent DNS from being redirected to address a bug
deny udp any any eq domain
remark redirect HTTP traffic only
permit tcp any any eq www
remark all other traffic will be implicitly denied from the redirection
ip access-list extended ACL-ALLOW
permit ip any any
!
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
deny ip any any log
!
end
Execute the Playbook in Ansible Tower
mgmtIp

49. Blog
https://communities.cisco.com/community/developer/blog/2015/07/20/using-apic-em-as-the-single-source-of-truth

50. Thanks to our sponsors
www.slideshare.net/joelwking
Slides are available at:

51. "It is no longer about writing 300,000 lines of code. It is about writing as little code as possible to get
that rapid speed.“
Tim Vanderham, the head of development for IBM Bluemix and IBM Cloud Marketplace.
searchsoa.techtarget.com/feature/Cultivating-the-API-Economy
Cultivating the API Economy