1-Infrastructure as Code for NXOS and NDFC with Ansible.pdf

#CiscoLive
Matt Tarkington, Technical Leader
Mike Wiebe, Technical Leader
BRKDCN-2946
Infrastructure as Code
for NXOS and NDFC
with Ansible

Cisco Webex App
Questions?
Use Cisco Webex App to chat
with the speaker after the session
Find this session in the Cisco Live Mobile App
Click “Join the Discussion”
Install the Webex App or go directly to the Webex space
Enter messages/questions in the Webex space
How
Webex spaces will be moderated
by the speaker until June 7, 2024.
1
2
3
4
https://ciscolive.ciscoevents.com/
ciscolivebot/#BRKDCN-2946
Enter your personal notes here
2
© 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public
BRKDCN-2946

Agenda
• What is Infrastructure
as Code?
• Infrastructure as Code with
NXOS and Ansible
• Infrastructure as Code with
NDFC and Ansible
• Start Your IaC Journey!
BRKDCN-2946 3

What is
Infrastructure
as Code?

#CiscoLive
Infrastructure as Code for Network Ops
• Using “code” to provision and/or manage infrastructure
• Infrastructure as Code is not specific to a particular automation
engine or specific programing language
• The intended configuration state of network devices are sourced
from source code management (git) instead of the devices
themselves
5
BRKDCN-2946

#CiscoLive
Infrastructure as Code for Network Ops
6
BRKDCN-2946
1
User commits changes to
SCM (GitLab) that defines
the IaC intent
2
SCM (GitLab) detects
change and activates
pipeline
3
SCM (GitLab) Runner(s)
configures & tests staging
based on intent
4
SCM (GitLab) Runner(s)
configures & tests prod
based on intent
automatically or via user
intervention
Staging
Prod
Deploy
Deploy
Test
Test
Continuous Integration
Continuous Delivery
Lint
Main
Branch
Feature
Update
Branch
IaC
Merge
Merge/Pull
Request

Infrastructure as
Code with
NXOS and Ansible

#CiscoLive
What is Ansible?
8
BRKDCN-2946
Automation / Configuration / Orchestration tool
Open Source
Agentless Push Model
Produces the same results no matter how many times it is executed*
No programming knowledge required
Requires only data-structure manipulation knowledge
Network CLI and REST API interaction
*idempotent

#CiscoLive
What makes up Ansible?
Playbooks
Tasks
Inventory
Roles
Intent
WSL
Control Host
BRKDCN-2946 9
Ansible
Core
Python
Collections
NXOS
DCNM
Engine
Builtin
Target
CLI
NETCONF
REST
API
NDFC
NXOS
REST
API

#CiscoLive
Python Virtual Environments
• You should use a virtual environment
• Allows for installing Ansible inside a contained area with specific
version of Python
• Makes it possible to run different Python scripts that require
different versions of Python and libraries
• Detailed steps beyond scope of this session
10
BRKDCN-2946
virtualenv
Reference Slide

#CiscoLive
• pyenv is the best mechanism
to control python virtual
environments
• Allows control of python
version to execute independent
of system version
• pyenv virtualenv also needed
pyenv
11
BRKDCN-2946
% pyenv install 3.9.11
install a version of python
1
% pyenv virtualenv 3.9.11 ansible
create virtual environment
2
% mkdir my_ansible_dir
create directory for ansible development
3
% pyenv local ansible
Set pyenv virtual environment
4
https://github.com/pyenv/pyenv/wiki
https://github.com/pyenv/pyenv-virtualenv
Install instructions:
Reference Slide

#CiscoLive
• Installs only the core components
• Collections must be installed by
you
• Smaller footprint and more control
• Assures install of latest collection
version released!
Installing Ansible
12
• “batteries included”
• Installs community-curated
selection of Ansible Collections
• Complete package but larger
footprint on filesystem
• Might not install the latest version
of a desired collection!
BRKDCN-2946
https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html
% pip install ansible-core % pip install ansible

#CiscoLive
Ansible Collections
• Introduced in Ansible 2.9
• Uses Ansible Galaxy as the delivery vehicle
• Contains modules, plugins, filters
• Collections not related to Ansible release schedules
• Allows vendor flexibility in relation to product releases
14
BRKDCN-2946
NXOS - https://galaxy.ansible.com/cisco/nxos NDFC - https://galaxy.ansible.com/cisco/dcnm
% ansible-galaxy collection install cisco.nxos cisco.dcnm

#CiscoLive
• Modules perform specific task
like set facts (variables), import
roles, tasks, vars, and more
• Includes many filters for
working with data sets
• Actively maintained by RedHat
Ansible.Builtin
15
BRKDCN-2946
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/index.html
Reference Slide

#CiscoLive
Ansible Cisco.Nxos
Collection Modules
16
BRKDCN-2946
https://docs.ansible.com/ansible/latest/collections/cisco/nxos/index.html
• Modules perform specific task like
configure vlans, interfaces, OSPF,
BGP, and more
• Documentation provides usage
details, required variables, default
variables, etc
• Actively maintained by RedHat with
Cisco support
85

#CiscoLive
- name: Configure VLAN-to-VNI Mappings
cisco.nxos.nxos_vlans:
config:
- name: Overlay-1
vlan_id: 100
mapped_vni: 10000
- name: Web Servers
vlan_id: 101
mapped_vni: 10101
- name: DB Servers
vlan_id: 102
mapped_vni: 10102
state: merged
17
• Always use the fully qualified
collection name (FQCN) for the
module
• The modules require parameters
with values assigned that define
your configuration intent
• Documentation provides details
on default values and required
values
Ansible Modules
BRKDCN-2946
Collection
Namespace
Collection
Name
Module
Name
Parameter Value

#CiscoLive
A word about YAML Syntax
• Human Readable Data Structures
• Lists, Dictionaries, etc
• Used in inventory, playbooks, & variable files
• Best practice is to use:
• Text editor (e.g. Notepad++)
• IDE (e.g. VSCode) with language assistant
support for YAML
• Indentation is very important, and the proper
editor will help you
YAML Ain’t Markup Language
18
BRKDCN-2946
Microsoft VSCode
ATOM
PyCharm
Eclipse
Notepad++
Reference Slide

#CiscoLive
VXLAN EVPN Fabric
• Configure Hostnames,
Features, etc
(Common
configuration)
IaC – Nexus as Code
20
BRKDCN-2946

#CiscoLive
VXLAN EVPN Fabric
• Configure Underlay
(Interfaces, Routing
protocols, etc)
21
BRKDCN-2946
S2 - 10.15.1.12
10.15.1.11 - S1
10.15.1.13 - L1 10.15.1.14 - L2 10.15.1.15 - L3
Routing
(OSPF/PIM/BGP)

#CiscoLive
VXLAN EVPN Fabric
• Configure Overlay
(VRFs, VLANs, SVIs, etc)
22
BRKDCN-2946

#CiscoLive
Ansible Directory Structure
ansible
inventory.yml
group_vars
host_vars
vxlan.yml
roles
Where to do it
Data to do it
How to do it
What to do
BRKDCN-2946 23

#CiscoLive
Ansible Inventory
ansible
inventory.yml
group_vars
host_vars
vxlan.yml
roles
---
# main inventory file
all:
vars:
ansible_connection: ansible.netcommon.network_cli
ansible_user: "nxos_username"
ansible_password: "nxos_password"
ansible_network_os: cisco.nxos.nxos
children:
spines:
hosts:
10.15.1.11:
10.15.1.12:
leafs:
hosts:
10.15.1.13:
10.15.1.14:
10.15.1.15:
Where to do it
Connection
information
for switches
BRKDCN-2946 24

#CiscoLive
Ansible Inventory
ansible
inventory.yml
group_vars
host_vars
vxlan.yml
roles
---
all:
vars:
ansible_connection: ansible.netcommon.network_cli
children:
spines:
hosts:
10.15.1.11:
10.15.1.12:
leafs:
hosts:
10.15.1.13:
10.15.1.14:
10.15.1.15:
This will be annotated
shorthand in subsequent
slides as network_cli
Where to do it
BRKDCN-2946 25

#CiscoLive
Ansible Playbook
ansible
inventory.yml
group_vars
host_vars
vxlan.yml
roles
---
# main playbook
- hosts: spines, leafs
gather_facts: false
roles:
- role: common
- role: underlay
- hosts: leafs
gather_facts: false
roles:
- role: overlay
What to do
BRKDCN-2946 26

#CiscoLive
Ansible Networking
• Network modules execute from control node (Ansible host)
• Collections organized by network platform/OS
• Offers multiple connection protocols
27
BRKDCN-2946
Value of ansible_connection Protocol Requires Persistent
ansible.netcommon.network_cli CLI over SSH ansible_network_os Yes
ansible.netcommon.httpapi API over HTTP/HTTPS ansible_network_os Yes
Reference Slide

#CiscoLive
---
all:
vars:
ansible_connection: network_cli
children:
spines:
hosts:
10.15.1.11:
10.15.1.12:
leafs:
hosts:
10.15.1.13:
10.15.1.14:
10.15.1.15:
Ansible Playbook Relationships
ansible
inventory.yml
group_vars
host_vars
vxlan.yml
roles
---
# main playbook
gather_facts: false
roles:
- role: common
- role: underlay
- hosts: leafs
gather_facts: false
roles:
- role: overlay
Spine
Group
Leaf
Group
BRKDCN-2946 28

#CiscoLive
Ansible Roles
ansible
inventory.yml
group_vars
host_vars
vxlan.yml
roles
common
underlay
overlay
❯ ansible-galaxy init overlay
- Role overlay was created successfully
❯ tree overlay
overlay
├── README.md
├── tasks
│ └── main.yml
├── templates
└── vars
└── main.yml
How to do it
BRKDCN-2946 29

#CiscoLive
Ansible Roles – Tasks
ansible
inventory.yml
group_vars
host_vars
vxlan.yml
roles
common
underlay
overlay
Common
Tasks
Hostname Features
Overlay
Tasks
NVE VRFs
VLANs/VNIs SVIs
Underlay
Tasks
Interfaces OSPF
PIM BGP
How to do it
BRKDCN-2946 30

#CiscoLive
ansible
inventory.yml
group_vars
host_vars
vxlan.yml
roles
common
underlay
overlay
How to do it
---
# tasks file for roles/overlay
config:
- name: Web Servers
vlan_id: 101
mapped_vni: 10101
- name: DB Servers
vlan_id: 102
mapped_vni: 10102
- name: vMotion
vlan_id: 103
mapped_vni: 10103
state: merged
<snip>
roles/overlay/tasks/main.yml
• Defines VLAN-to-VNI
mappings in config list
block
• Config block allows for
YAML list of dictionary
objects
BRKDCN-2946 31

#CiscoLive
ansible
inventory.yml
group_vars
host_vars
vxlan.yml
roles
common
underlay
overlay
How to do it
---
config:
- name: Web Servers
vlan_id: 101
mapped_vni: 10101
- name: DB Servers
vlan_id: 102
mapped_vni: 10102
- name: vMotion
vlan_id: 103
mapped_vni: 10103
state: merged
<snip>
BRKDCN-2946 32
Do not do Ansible
task parameters
this way!

#CiscoLive
Ansible Group Vars
ansible
inventory.yml
group_vars
host_vars
vxlan.yml
roles
leafs.yml
spines.yml
---
# var file for leafs group
features:
- ospf
- pim
- bgp
- nv overlay
- vn-segment-vlan-based
- interface-vlan
networks:
- vrf_name: AnsibleVRF
vlan_name: AnsibleNet1
vlan_id: 101
vni_id: 10101
ip: 10.1.101.1/24
vlan_id: 102
vni_id: 10102
ip: 10.1.102.1/24
• group_vars files are named
and referenced after
inventory groups
• match inventory group!
• contains data common to
specified group
Data to do it
BRKDCN-2946 33

#CiscoLive
---
# vars file for L1
hostname: L1
layer3_physical_interfaces:
- interface: ethernet1/11
description: To S1 Eth1/1
mode: layer3
ip_address: 10.1.1.1
mask: 31
mtu: 9216
- interface: ethernet1/12
description: To S2 Eth1/1
mode: layer3
ip_address: 10.2.2.1
mask: 31
mtu: 9216
Ansible Host Vars
ansible
inventory.yml
group_vars
host_vars
10.15.1.11.yml
10.15.1.12.yml
10.15.1.13.yml
10.15.1.14.yml
10.15.1.15.yml
Data to do it
• host_vars files are
named and referenced
after device IP address or
FQDN
• match inventory name!
• contains data specific to
that device
BRKDCN-2946 34

#CiscoLive
Putting It All Together
35
BRKDCN-2946
roles/common/tasks/main.yml
---
# tasks file for roles/common
- name: Configure Hostname
cisco.nxos.nxos_hostname:
config:
hostname: "{{ hostname }}"
state: merged
<snip>
How to do it
---
config:
- name: "{{ item.vlan_name }}"
vlan_id: "{{ item.vlan_id }}"
mapped_vni: "{{ item.vni_id }}"
loop: "{{ networks }}"
<snip>
---
all:
<snip>
children:
spines:
hosts:
10.15.1.11:
10.15.1.12:
leafs:
hosts:
10.15.1.13:
10.15.1.14:
10.15.1.15:
inventory.yml
Where to do it
---
# main playbook
gather_facts: false
roles:
- role: common
- role: underlay
- hosts: leafs
gather_facts: false
roles:
- role: overlay
vxlan.yml
What to do

#CiscoLive
36
BRKDCN-2946
---
config:
state: merged
<snip>
How to do it
---
config:
<snip>
---
all:
<snip>
children:
spines:
hosts:
10.15.1.11:
10.15.1.12:
leafs:
hosts:
10.15.1.13:
10.15.1.14:
10.15.1.15:
inventory.yml
Where to do it
---
# main playbook
gather_facts: false
roles:
- role: common
- role: underlay
- hosts: leafs
gather_facts: false
roles:
- role: overlay
vxlan.yml
What to do

#CiscoLive
37
BRKDCN-2946
---
config:
state: merged
<snip>
How to do it
---
config:
<snip>
---
# var file for 10.15.1.13
hostname: L1
<snip>
Data to do it
group_vars/leafs.yml
host_vars/10.15.1.13.yml
---
<snip>
networks:
vlan_id: 101
vni_id: 10101
ip: 10.1.101.1/24
vlan_id: 102
vni_id: 10102
ip: 10.1.102.1/24
---
all:
<snip>
children:
spines:
hosts:
10.15.1.11:
10.15.1.12:
leafs:
hosts:
10.15.1.13:
10.15.1.14:
10.15.1.15:
inventory.yml
Where to do it
---
# main playbook
gather_facts: false
roles:
- role: common
- role: underlay
- hosts: leafs
gather_facts: false
roles:
- role: overlay
vxlan.yml
What to do

#CiscoLive
38
BRKDCN-2946
---
config:
state: merged
<snip>
How to do it
---
config:
<snip>
---
hostname: L1
<snip>
Data to do it
---
<snip>
networks:
vlan_id: 101
vni_id: 10101
ip: 10.1.101.1/24
vlan_id: 102
vni_id: 10102
ip: 10.1.102.1/24
---
all:
<snip>
children:
spines:
hosts:
10.15.1.11:
10.15.1.12:
leafs:
hosts:
10.15.1.13:
10.15.1.14:
10.15.1.15:
inventory.yml
Where to do it
---
# main playbook
gather_facts: false
roles:
- role: common
- role: underlay
- hosts: leafs
gather_facts: false
roles:
- role: overlay
vxlan.yml
What to do

#CiscoLive
39
BRKDCN-2946
---
config:
state: merged
<snip>
How to do it
---
config:
<snip>
---
hostname: L1
<snip>
Data to do it
---
<snip>
networks:
vlan_id: 101
vni_id: 10101
ip: 10.1.101.1/24
vlan_id: 102
vni_id: 10102
ip: 10.1.102.1/24
---
all:
<snip>
children:
spines:
hosts:
10.15.1.11:
10.15.1.12:
leafs:
hosts:
10.15.1.13:
10.15.1.14:
10.15.1.15:
inventory.yml
Where to do it
---
# main playbook
gather_facts: false
roles:
- role: common
- role: underlay
- hosts: leafs
gather_facts: false
roles:
- role: overlay
vxlan.yml
What to do

#CiscoLive
---
- name: Generate VLAN Config Payload
ansible.builtin.set_fact:
nxos_vlans: |
"{{ lookup('template', 'vlans.j2') }}"
- name: Configure VLANs
config: "{{ nxos_vlans | from_yaml }}"
state: merged
<snip>
How to do it
roles/overlay/templates/vlans.j2
{% for network in networks %}
- vlan_name: {{ network.vlan_name }}
vlan_id: {{ network.vlan_id }}
vni_id: {{ network.vni_id }}
{% endfor %}
40
---
hostname: L1
<snip>
Data to do it
---
<snip>
networks:
vlan_id: 101
vni_id: 10101
ip: 10.1.101.1/24
vlan_id: 102
vni_id: 10102
ip: 10.1.102.1/24
---
all:
<snip>
children:
spines:
hosts:
10.15.1.11:
10.15.1.12:
leafs:
hosts:
10.15.1.13:
10.15.1.14:
10.15.1.15:
inventory.yml
Where to do it
---
# main playbook
gather_facts: false
roles:
- role: common
- role: underlay
- hosts: leafs
gather_facts: false
roles:
- role: overlay
vxlan.yml
What to do
BRKDCN-2946

#CiscoLive
---
nxos_vlans: |
state: merged
<snip>
How to do it
{% endfor %}
41
---
hostname: L1
<snip>
Data to do it
---
<snip>
networks:
vlan_id: 101
vni_id: 10101
ip: 10.1.101.1/24
vlan_id: 102
vni_id: 10102
ip: 10.1.102.1/24
---
all:
<snip>
children:
spines:
hosts:
10.15.1.11:
10.15.1.12:
leafs:
hosts:
10.15.1.13:
10.15.1.14:
10.15.1.15:
inventory.yml
Where to do it
---
# main playbook
gather_facts: false
roles:
- role: common
- role: underlay
- hosts: leafs
gather_facts: false
roles:
- role: overlay
vxlan.yml
What to do
BRKDCN-2946

#CiscoLive
---
nxos_vlans: |
state: merged
<snip>
How to do it
{% endfor %}
42
BRKDCN-2946
---
hostname: L1
<snip>
Data to do it
---
<snip>
networks:
vlan_id: 101
vni_id: 10101
ip: 10.1.101.1/24
vlan_id: 102
vni_id: 10102
ip: 10.1.102.1/24
---
all:
<snip>
children:
spines:
hosts:
10.15.1.11:
10.15.1.12:
leafs:
hosts:
10.15.1.13:
10.15.1.14:
10.15.1.15:
inventory.yml
Where to do it
---
# main playbook
gather_facts: false
roles:
- role: common
- role: underlay
- hosts: leafs
gather_facts: false
roles:
- role: overlay
vxlan.yml
What to do

#CiscoLive
A word about Ansible Variables
• Can be defined in many different places
• Most commonly in group_vars and host_vars directory
• Created dynamically during runtime
• Used in task modules, conditional logic, templates, etc
• Jinja2 syntax used to reference
• Variable precedence is used
44
BRKDCN-2946
https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#understanding-variable-precedence
Reference Slide

#CiscoLive
• Variable substitution in tasks
• Uses double curly braces wrapped in quotes: "{{ }}"
Variables with Jinja2 Syntax
45
BRKDCN-2946
config:
- name: "{{ vlan_name }}"
vlan_id: "{{ vlan_id }}"
mapped_vni: "{{ vni_id }}"
# vars defined somewhere in Ansible
vlan_name: Web Servers
vlan_id: 101
vni_id: 10101
Set of
Key/Value Pairs
Reference Slide

#CiscoLive
Ansible Variable Lists
46
BRKDCN-2946
networks:
- vlan_name: Web Servers
vlan_id: 101
vni_id: 10101
- vlan_name: DB Servers
vlan_id: 102
vni_id: 10102
- vlan_name: vMotion
vlan_id: 103
vni_id: 10103
vlan_name: Web Servers
vlan_id: 101
vni_id: 10101
Go from this… To this…
Sequential list of three
dictionary objects
containing VLAN
information that can be
referenced iteratively
Reference Slide

#CiscoLive
• Use Ansible loop to iterate data for a tasks
Ansible Loop with Jinja2 Syntax
47
BRKDCN-2946
config:
networks:
vlan_id: 101
vni_id: 10101
vlan_id: 102
vni_id: 10102
- vlan_name: vMotion
vlan_id: 103
vni_id: 10103
Reference Slide

#CiscoLive
A word about Jinja Templating
• Leverage module and filters from Ansible Builtin collection
• Create template file(s) in a role’s template directory: .j2 file extension
48
BRKDCN-2946
nxos_vlans: "{{ lookup('template', 'vlans.j2') }}"
state: merged
# roles/overlay/templates/vlans.j2
- vlan_id: {{ network.vlan_id }}
{% endfor %}
# group_vars/leafs.yml
networks:
vlan_id: 101
vni_id: 10101
vlan_id: 102
vni_id: 10102
# config data passed to task
- vlan_id: 101
- Vlan_id: 102
Reference Slide

#CiscoLive
• Inconsistent across different network
devices
• Requires task loops for more than
one configuration item
• Simple states, present or absent
Two Types of Modules for NXOS
50
• Consistent across different network
devices
• Can leverage task loops or Jinja2
templating for config blocks
• Introduces new states for Ansible to
be the source of truth
BRKDCN-2946
Legacy Modules Resource Modules

#CiscoLive
A word about Resource Module States
• Merged - Ansible merges the on-device configuration with the
provided configuration in the task.
• Replaced - Ansible replaces the on-device configuration
subsection with the provided configuration subsection in the task.
• Overridden - Ansible overrides the on-device configuration for the
resource with the provided configuration in the task. Use caution
with this state as you could remove your access to the device (for
example, by overriding the management interface configuration).
• Deleted - Ansible deletes the on-device configuration subsection
and restores any default settings.
51
BRKDCN-2946
Reference Slide

#CiscoLive
NXOS Config Fallback Module
How to configure NXOS when a module is missing
52
BRKDCN-2946
- name: Configure PIM Anycast RP
cisco.nxos.nxos_config:
lines:
- "ip pim anycast-rp {{ s1_loopback1 }} {{ s1_loopback0 }}"
- "ip pim anycast-rp {{ s2_loopback1 }} {{ s2_loopback0 }}"
save_when: modified
• Allows passing direct cli configuration
• Can take full running-config backup, e.g. before a change operation
• Perform a save operation, i.e. "copy run start"
Options:
• always – copy always
• modified – copy only if changed
since last save
• changed – copy only if the task
made a change
• never – never copy

#CiscoLive
NXOS Command Fallback Module
How to send commands to NXOS when a module is missing
53
BRKDCN-2946
- name: Get Show Commands
cisco.nxos.nxos_command:
commands:
- show version
- show ip ospf neighbor
- show ip pim neighbor
• Allows sending arbitrary commands, e.g. show commands
• Supports prompt handling
• Can handle list of commands or prompts
- name: Misc Commands
cisco.nxos.nxos_command:
commands: copy ftp://nxos.bin bootflash:
prompt:
- "Username:"
- "Password:"
answer:
- <username>
- <password>

#CiscoLive 55
Executing Ansible Playbooks
BRKDCN-2946
ansible-playbook –i inventory.yml vxlan.yml

Infrastructure as
Code with
NDFC and Ansible

#CiscoLive
Cisco Nexus Dashboard Fabric Controller (NDFC)
Formerly Called (DCNM)
57
BRKDCN-2946
Cisco Data Center
Network Manager
Cisco Nexus
Dashboard
Fabric Controller

#CiscoLive
Automation
58
BRKDCN-2946
Rapid Deployment with Fabric Builder
best practice templates for VXLAN-EVPN
Enhanced Programmability
DevOps friendly
Easy to understand approach to
auto-bootstrapping of entire fabric
Accelerate provisioning from days to minutes

#CiscoLive
NDFC DevOps “Friendliness”
59
BRKDCN-2946
NDFC
NDFC REST API
NDFC Ansible Collection Modules
Ansible Core
HTTPAPI Connection Plugin

#CiscoLive 60
NDFC Collection Modules – Toolbox
BRKDCN-2946
https://galaxy.ansible.com/cisco/dcnm
17 Modules
Module Name Purpose
cisco.dcnm.dcnm_rest General Do Anything Module
cisco.dcnm.fabric (Ver 3.5.0) Manage creation and configuration of NDFC fabrics
cisco.dcnm.dcnm_inventory Add Devices To Fabric
cisco.dcnm.dcnm_vpc_pair (Ver 3.5.0) Manage vPC switch pairs
cisco.dcnm.dcnm_interface Configure Fabric Interfaces
cisco.dcnm.dcnm_vrf Add Overlay VRFs
cisco.dcnm.dcnm_network Add Overlay Networks / VLANs
cisco.dcnm.dcnm_template Create Custom Templates
cisco.dcnm.dcnm_policy Create Policies Based On Templates
cisco.dcnm.dcnm_links Manage Fabric Links
cisco.dcnm.dcnm_resource_manager Manage Fabric Resources
cisco.dcnm.dcnm_image_upload (Ver 3.5.0) Manage Switch Images
cisco.dcnm.dcnm_image_policy (Ver 3.5.0) Manage Image Policies
cisco.dcnm.dcnm_image_upgrade (Ver 3.5.0) Manage Images for NXOS Switches
cisco.dcnm.dcnm_service_node Manage Service Nodes
cisco.dcnm.dcnm_service_policy Manage Service Policy
cisco.dcnm.dcnm_service_route_peering Manage Service Route Peering

#CiscoLive 61
Primary VXLAN EVPN Fabric Plugins
BRKDCN-2946
cisco.dcnm.dcnm_fabric
cisco.dcnm_inventory
cisco.dcnm.dcnm_vpc_pair
cisco.dcnm_interface
cisco.dcnm_vrf & cisco.dcnm_network
cisco.dcnm_rest
httpapi plugin
8
New Modules – NDFC Collection Version 3.5.0

#CiscoLive 62
Getting started
BRKDCN-2946
Ansible Collection Installation
Collection Location: https://galaxy.ansible.com/cisco/dcnm
Install Command:
* pip install ansible
* ansible-galaxy collection install cisco.dcnm
Ansible uses the Fully Qualified Collection Name (FQCN)
Namespace: cisco
Collection Name: dcnm
Reference Slide

#CiscoLive BRKDCN-2946 63
NDFC
20/20 Hindsight Tech “Specs”
NDFC - https://galaxy.ansible.com/cisco/dcnm

NDFC
Hindsight “Specs” Model
I See
Ansible
Collection
Names

#CiscoLive 65
Transparent NDFC/DCNM Controller Support
BRKDCN-2946
+ Ansible
+ Ansible Version 12
Version 11
No Ansible playbook changes required!
NDFC

#CiscoLive
Let’s Build Something With NDFC and Ansible Together!
+
BRKDCN-2946 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 66

#CiscoLive 67
Levels of Complexity – CLI
BRKDCN-2946
feature bgp
feature interface-vlan
feature vn-segment-vlan-based
feature nv overlay
nv overlay evpn
vlan 10
vn-segment 10000
vlan 11
vn-segment 10011
interface loopback0
ip address 10.10.10.21/32
ip pim sparse-mode
ip router ospf UNDERLAY area 0
interface loopback1
ip address 2.2.2.1/32
ip pim sparse-mode
vrf context Tenant-1
vni 10000
rd auto
address-family ipv4 unicast
route-target both auto evpn
router bgp 65001
router-id 10.10.10.21
neighbor 10.10.10.11
remote-as 65001
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
vrf Tenant-1
advertise l2vpn evpn
evpn
vni 10011 l2
rd auto
route-target import auto
route-target export auto
interface Vlan10
no shutdown
vrf member Tenant-1
ip forward
interface Vlan11
no shutdown
vrf member Tenant-1
ip address 10.0.11.1/24
fabric forwarding mode anycast-gateway
interface nve1
no shutdown
source-interface loopback1
host-reachability protocol bgp
member vni 10000 associate-vrf
member vni 10011
mcast-group 239.0.0.11

#CiscoLive 68
Levels of Complexity – NXOS Modules
BRKDCN-2946
feature bgp
feature interface-vlan
feature vn-segment-vlan-based
feature nv overlay
nv overlay evpn
vlan 10
vn-segment 10000
vlan 11
vn-segment 10011
interface loopback0
ip address 10.10.10.21/32
ip pim sparse-mode
interface loopback1
ip address 2.2.2.1/32
ip pim sparse-mode
vrf context Tenant-1
vni 10000
rd auto
route-target both auto evpn
router bgp 65001
router-id 10.10.10.21
neighbor 10.10.10.11
remote-as 65001
update-source loopback0
address-family l2vpn evpn
send-community
send-community extended
vrf Tenant-1
advertise l2vpn evpn
evpn
vni 10011 l2
rd auto
route-target import auto
route-target export auto
interface Vlan10
no shutdown
vrf member Tenant-1
ip forward
interface Vlan11
no shutdown
vrf member Tenant-1
ip address 10.0.11.1/24
fabric forwarding mode anycast-gateway
interface nve1
no shutdown
source-interface loopback1
host-reachability protocol bgp
member vni 10000 associate-vrf
member vni 10011
mcast-group 239.0.0.11
> nxos_feature
> nxos_interface
> nxos_l3_interface
> nxos_interface_ospf
> nxos_pim_rp_address
> nxos_pim_interface
> nxos_evpn_global
> nxos_bgp
> nxos_bgp_af
> nxos_bgp_neighbor
> nxos_bgp_neighbor_af
> nxos_vlan
> nxos_vrf
> nxos_vrf_af
> nxos_vrf_interface
> nxos_vxlan_vtep
> nxos_vxlan_vtep_vni
> nxos_evpn_vni
> nxos_config
19

#CiscoLive 69
Levels of Complexity – NDFC Controller
BRKDCN-2946
Easy Button

#CiscoLive
Ansible Inventory
---
all:
vars:
ansible_connection: ansible.netcommon.httpapi
ansible_user: ”ndfc_username"
ansible_password: !vault | (ndfc_password)
ansible_network_os: cisco.dcnm.dcnm
children:
ndfc:
hosts:
10.15.0.11:
dcnm:
hosts:
10.18.1.14:
Where to do it
Connection
information
for NDFC
BRKDCN-2946 70
ansible
inventory.yml
group_vars
build_fabric.yml
roles

#CiscoLive
Ansible Playbook
---
# main NDFC playbook
- name: Build VXLAN EVPN Fabric on NDFC
hosts: ndfc
gather_facts: false
roles:
- create_fabric
- add_inventory
- setup_vpc
- manage_interfaces
- manage_overlay
- deploy
What to do
BRKDCN-2946 71
ansible
inventory.yml
group_vars
build_fabric.yml
roles

#CiscoLive
---
all:
vars:
ansible_connection: ansible.netcommon.httpapi
ansible_user: ”ndfc_username"
ansible_password: ”ndfc_password"
ansible_network_os: cisco.dcnm.dcnm
children:
ndfc:
hosts:
10.15.0.11:
10.16.0.14:
dcnm:
hosts:
10.18.1.14:
Ansible Playbook Relationships
---
# main playbook
- hosts: ndfc, dcnm
gather_facts: false
roles:
- create_fabric
- add_inventory
- setup_vpc
- manage_interfaces
- manage_overlay
- deploy
NDFC
Group
DCNM
Group
BRKDCN-2946 72
Where to do it
ansible
inventory.yml
group_vars
roles
build_fabric.yml

#CiscoLive
ansible
inventory.yml
group_vars
build_fabric.yml
roles
add_inventory
setup_vpc
manage_overlay
Inventory
Tasks
POAP Underlay
Overlay
Tasks
Networks Attach
VRFs VRF-Lite
vPC
Tasks
vPC Pairs vPC Ints
How to do it
BRKDCN-2946 73
create_fabric
Devices Roles

#CiscoLive
Workflow Step1: Create VXLAN Fabric
BRKDCN-2946 74
Fabric Object
Manageability
Boostrap
Flow Monitor
General
Parameters
Resources
Protocols
vPC
Replication

Workflow Step1: Create VXLAN Fabric

#CiscoLive
Ansible Roles – Fabric Tasks
How to do it
---
# tasks file for roles/create_fabric
- name: Get Fabric List
cisco.dcnm.dcnm_rest:
method: GET
path: ”{{ fabric.gpath }}”
register: create_fabric_result
<snip>
- name: Create Fabric
vars:
payload:
BGP_AS: ”{{ fabric.asn }}”
cisco.dcnm.dcnm_rest:
method: POST
path: “{ fabric.cpath }}”
json_data: ”{{ payload | to_json }}”
when: create_fabric_flag
• Creates Fabric
• Uses json_data to
pass in payload
key/value pairs
BRKDCN-2946 76
ansible
inventory.yml
group_vars
roles
add_inventory
setup_vpc
manage_overlay
build_fabric.yml
roles/create_fabric/tasks/main.yml
create_fabric
/appcenter/cisco/ndfc/api/v1/lan-fabric/rest/control/fabrics/{{
fabric.name }}/Easy_Fabric
/appcenter/cisco/ndfc/api/v1/lan-fabric/rest/control/fabrics
?

#CiscoLive
How to do it
BRKDCN-2946 77
ansible
inventory.yml
group_vars
roles
<snip>
add_inventory
setup_vpc
manage_overlay
build_fabric.yml
create_fabric

#CiscoLive
How to do it
---
# tasks file for roles/create_fabric
- name: Create Fabric with Module
cisco.dcnm.dcnm_fabric:
state: merged
config:
- FABRIC_NAME: CL_STAGING
FABRIC_TYPE: VXLAN_EVPN
BGP_AS: 65000
ANYCAST_GW_MAC: 0001.aabb.ccdd
UNDERLAY_IS_V6: false
• Creates Fabric
• Handles Mutually Exclusive Properties
• Supports multiple types
(VXLAN_EVPN, MSD, LAN_CLASSIC)
BRKDCN-2946 78
ansible
inventory.yml
group_vars
roles
New Module!
(3.5.0)
add_inventory
setup_vpc
manage_overlay
build_fabric.yml
create_fabric

Fabric Object
Underlay
Overlay
VPC
Replication
OAM
Resource
Ranges
Bootstrap
Backup
Leaf1 Leaf2 Leaf3 Leaf4
Spine1 Spine2
Workflow Step2: Add Inventory
192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.4

!

1 2
3
4
5
6
7

#CiscoLive
Ansible Roles – Inventory Tasks
How to do it
---
# tasks file for roles/add_inventory
- name: Add Fabric Devices
cisco.dcnm.dcnm_inventory:
fabric: ”{{ fabric.name }}”
state: merged
config:
- seed_ip: 192.168.1.1
role: spine
< credentials >
- seed_ip: 192.168.1.2
role: leaf
< credentials >
- seed_ip: 192.168.1.4
role: border
< credentials >
poap:
- serial_number: 2A3BCDEFJKL
<snip>
roles/add_inventory/tasks/main.yml
• Adds devices to the
fabric
• Defines role in the fabric
• Deploy control
BRKDCN-2946 82
ansible
inventory.yml
group_vars
roles
add_inventory
create_fabric
setup_vpc
manage_overlay
build_fabric.yml

Fabric Object
Underlay
Overlay
VPC
Replication
OAM
Resource
Ranges
Bootstrap
Backup
Leaf3 Leaf4
Spine1 Spine2
Workflow Step3: Setup VPC
192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.4
Leaf1 Leaf2

Workflow Step3: Setup VPC
!
!

#CiscoLive
Ansible Roles – vPC Tasks
How to do it
---
# tasks file for roles/inventory
- name: Add Fabric Devices
cisco.dcnm.vpc_pair:
src_fabric: ”{{ fabric.name }}”
state: merged
config:
- peerOneId: 192.168.1.1
peerTwoId: 192.168.1.2
roles/setup_vpc/tasks/main.yml
• Puts two leaf devices into a vPC pair
• Automatically discovers compatible
devices and interfaces
BRKDCN-2946 85
ansible
inventory.yml
group_vars
roles
setup_vpc
create_fabric
manage_overlay
build_fabric.yml
add_inventory
New Module!
(3.5.0)

Fabric Object
Underlay
Overlay
VPC
Replication
OAM
Resource
Ranges
Bootstrap
Backup
Leaf3 Leaf4
Spine1 Spine2
L3 VRF VNI 470000
L2 VNI 4000
L2VNI 7000
Workflow Step4: Manage Overlay
192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.4
Leaf1 Leaf2

Workflow Step4: Add Overlay – VRFs / Networks

#CiscoLive
Ansible Roles – VRF / Net Tasks
How to do it
---
- name: Add Overlay VRFs
cisco.dcnm.dcnm_vrf:
state: replaced
config:
- vrf_name: CL-VRF1
vrf_id: 470000
vlan_id: 2055
attach:
- 192.168.1.1
- 192.168.1.2
- 192.168.1.3
- 192.168.1.4
roles/manage_overlay/tasks/main.yml
• Creates VRF and Network objects
• Attach and deploy VRF and Network config to fabric leaf devices
• Deploy Control
BRKDCN-2946 88
ansible
inventory.yml
group_vars
roles
manage_overlay
---
- name: Add Overlay Networks
cisco.dcnm.dcnm_network:
state: overridden
config:
- net_name: CL-NET7000
vrf_name: CL-VRF1
net_id: 7000
vlan_id: 88
attach:
- 192.168.1.2
- 192.168.1.4
create_fabric
add_inventory
build_fabric.yml
setup_vpc

ansible
manage_overlay
roles
tasks/main.yml
1
2
3
4
Jinja2 for VRF Data

#CiscoLive
How Does One Merge a Sandwich?
Initial State
Merge Operation
Merged State
BRKDCN-2946 90

#CiscoLive
A Word About Module States - (Merged)
BRKDCN-2946 91
CL-NET7000
vrf_name: CL24_VRF1
gw_ip_address: 192.168.12.1/24
route_tag: 12345
vrf_name: CL23_VRF1
gw_ip_address: 192.168.12.1/24
trm_enable: False
State: Merged
vrf_name: CL24_VRF1
gw_ip_address: 192.168.12.1/24
trm_enable: False
route_tag: 12345
Merge
Playbook NDFC Before Merge NDFC After Merge
CL-NET7000 CL-NET7000
Other Networks
Untouched
Other Networks
Untouched

#CiscoLive
Who Is The Source Of Truth?
NDFC
It's Me!
BRKDCN-2946 92
It's Me!

#CiscoLive
How Does One Replace a Sandwich?
Desired State Replaced State
Actual State
Replace Operation
BRKDCN-2946 93

#CiscoLive
A Word About Module States - (Replaced)
BRKDCN-2946 94
CL-NET7000
vrf_name: CL24_VRF1
gw_ip_address: 192.168.12.1/24
route_tag: 12345
vrf_name: CL23_VRF1
gw_ip_address: 192.168.12.1/24
trm_enable: False
State: Replaced
vrf_description: CL24_VRF1
gw_ip_address: 192.168.12.1/24
trm_enable: False
route_tag: 12345
Replace
Playbook NDFC Before Replace NDFC After Replace
Other Networks
Untouched
Other Networks
Untouched
Source of Truth

#CiscoLive
How Does One Override a Sandwich?
Desired State
Overridden State
Actual State
Override Operation
BRKDCN-2946 95

#CiscoLive
A Word About Module States - (Overridden)
BRKDCN-2946 96
CL-NET7000
vrf_name: CL24_VRF1
gw_ip_address: 192.168.12.1/24
route_tag: 12345
vrf_name: CL23_VRF1
gw_ip_address: 192.168.12.1/24
trm_enable: False
State: Overridden
vrf_description: CL24_VRF1
gw_ip_address: 192.168.12.1/24
trm_enable: False
route_tag: 12345
Override
Playbook NDFC Before Overridden NDFC After Overridden
NETWORK 2
NETWORK 3
Source of Truth
NETWORK 2
NETWORK 3

#CiscoLive
---
fabric:
name: fabric-stage
asn: 5588
cpath: ”/appcenter/{…}”
networks:
vrf_name: CL-VRF1
net_id: 4000
vlan_id: 55
attach:
- 192.168.1.1
- 192.168.1.3
vrf_name: CL-VRF1
net_id: 7000
vlan_id: 88
attach:
- 192.168.1.2
- 192.168.1.4
Data to do it
group_vars/ndfc.yml
---
all:
<snip>
children:
ndfc:
hosts:
10.15.1.11:
10.15.1.12:
dcnm:
hosts:
10.15.1.13:
10.15.1.14:
10.15.1.15:
inventory.yml roles/manage_overlay/tasks/main.yml
---
- name: Configure Overlay VRFs
cisco.dcnm.dcnm_vrf:
state: overridden
config:
- vrf_name: CL-VRF1
vrf_id: 470000
<snip>
- name: Configure Overlay Networks
cisco.dcnm.dcnm_network:
state: replaced
config: “{{ networks }}”
How to do it
Where to do it
---
# main playbook
- hosts: ndfc, dcnm
gather_facts: false
roles:
- create_fabric
- add_inventory
- setup_vpc
- manage_overlay
- manage_interfaces
- deploy
build_fabric.yml
What to do
BRKDCN-2946 97

#CiscoLive
IaC NDFC Pipeline Demo
99
BRKDCN-2946
1
• Add Networks
group_vars
• State: Overridden
• Commit / Push
changes to GitLab
Staging branch
group_vars

#CiscoLive
100
BRKDCN-2946
1
• Add Networks
group_vars
• Commit / Push
changes to GitLab
Staging branch 2
• Open Merge
Request
• Triggers Staging
Pipeline for
Deploy and Verify
.gitlab-ci.yml

#CiscoLive
2
• Open Merge
Request
Pipeline for
Deploy and Verify
101
BRKDCN-2946
1
• Add Networks
group_vars
• Commit / Push
changes to GitLab
Staging branch
.gitlab-ci.yml

#CiscoLive
Staging
CL-NET4000
CL-NET7000
Other Networks
Other Networks
102
BRKDCN-2946
1
• Add Networks
group_vars
• Commit / Push
changes to GitLab
Staging branch 2
• Open Merge
Request
Pipeline for
Deploy and Verify
.gitlab-ci.yml

#CiscoLive
103
BRKDCN-2946
1
• Add Networks
group_vars
• Commit / Push
changes to GitLab
Staging branch 2
• Open Merge
Request
Pipeline for
Deploy and Verify
3
• Click Merge
• Triggers Production
Pipeline for Deploy
and Verify
.gitlab-ci.yml

#CiscoLive
104
BRKDCN-2946
1
• Add Networks
group_vars
• Commit / Push
changes to GitLab
Staging branch 2
• Open Merge
Request
Pipeline for
Deploy and Verify
3
• Click Merge
Pipeline for Deploy
and Verify
.gitlab-ci.yml

#CiscoLive
Production
CL-NET4000
CL-NET7000
Other Networks
Other Networks
105
BRKDCN-2946
1
• Add Networks
group_vars
• Commit / Push
changes to GitLab
Staging branch 2
• Open Merge
Request
Pipeline for
Deploy and Verify
3
• Click Merge
Pipeline for Deploy
and Verify
.gitlab-ci.yml

References to
Start Your
Journey

#CiscoLive
Ansible for NXOS and NDFC Repos
BRKDCN-2946 107
BRKDCN-2946
Session Repo
NDFC Roles
Repo
https://github.com/allenrobel/ndfc-roles
https://github.com/mtarking/BRKDCN-2946

#CiscoLive
What is your path?
I got this! I need help?!
Many Cisco
services
Checkout
@ World of Solutions
Services as Code
To assist you in your
automation journey
Many sessions
ciscolive.com
@
with great material
DevNet
& developer.cisco.com
also
108
BRKDCN-2946

#CiscoLive
More Information
• https://www.ansible.com/resources/get-started
• https://docs.ansible.com/ansible/latest/collections_guide/index.html
• https://galaxy.ansible.com/cisco/dcnm
• https://galaxy.ansible.com/cisco/nxos
• https://developer.cisco.com/docs/nexus-as-code/#!nx-os-with-ansible
• https://developer.cisco.com/docs/nexus-as-code/#!ndfc-with-ansible
BRKDCN-2946 109

#CiscoLive
More Information – Other Sessions/Labs
• DEVWKS-3928: Build VXLAN Fabric with NDFC and Ansible
• BRKDCN-2929 (Simple VXLAN/EVPN Fabric Setup with Nexus
Dashboard)
• BRKDCN-1619 (Introduction to NDFC: Simplifying Management of
Your Data Center)
• BRKDCN-2988 (Design, Automate, and Manage Next-Gen Data
Center VXLAN BGP EVPN Fabric with NDFC)
BRKDCN-2946 110

#CiscoLive
Complete Your Session Evaluations
111
BRKDCN-2946
Complete a minimum of 4 session surveys and the Overall Event Survey to be
entered in a drawing to win 1 of 5 full conference passes to Cisco Live 2025.
Earn 100 points per survey completed and compete on the Cisco Live
Challenge leaderboard.
Level up and earn exclusive prizes!
Complete your surveys in the Cisco Live mobile app.

Continue
your education
• Visit the Cisco Showcase
for related demos
• Book your one-on-one
Meet the Engineer meeting
• Attend the interactive education
with DevNet, Capture the Flag,
and Walk-in Labs
• Visit the On-Demand Library
for more sessions at
www.CiscoLive.com/on-demand
112
BRKDCN-2946

1-Infrastructure as Code for NXOS and NDFC with Ansible.pdf

More Related Content

Similar to 1-Infrastructure as Code for NXOS and NDFC with Ansible.pdf (20)

More from AntonioIsipJr1 (9)

Recently uploaded (20)

1-Infrastructure as Code for NXOS and NDFC with Ansible.pdf