BRKDCN 2946 1

#CiscoLive
Infrastructure as Code
for NXOS and NDFC
with Ansible
Matt Tarkington – Technical Leader

Mike Wiebe – Technical Leader
BRKDCN-2946
#CiscoLive
Cisco Webex App
Questions?
Use Cisco Webex App to chat
with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space Enter your personal notes here
4 Enter messages/questions in the Webex space
Webex spaces will be moderated

by the speaker until June 9, 2023. https://ciscolive.ciscoevents.com/ciscolivebot/#BRKDCN-2946
#CiscoLive BRKDCN-2946 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• What is Infrastructure as Code?

• Infrastructure as Code with NXOS and Ansible
• Infrastructure as Code with NDFC and Ansible
• Start Your IaC Journey!
What is
Infrastructure as Code?
Infrastructure as Code (IaC)
• Using “code” to provision and/or • Leverages Software Tools
manage infrastructure • Version Control (Repositories)
• Automate provisioning/repeatable • Pipelines (CI/CD)
tasks • Automated Testing!
• Speed, Scale Infrastructure
{code}
Infrastructure as Code Tools
• Git
• Ansible
GitHub
SCM
•
Execution Software
• Terraform
• GitLab
• Chef
• Bitbucket • Puppet
• AWS CloudFormation
• Google Cloud Deployment
• Jenkins Manager
GitLab CI Vagrant
Pipeline
• •
• Saltstack
• CircleCI
• Travis CI
• GitHub Actions
Infrastructure as Code for Network Ops
• Infrastructure as Code is not specific to a particular automation
engine or specific programing language
• The intention is that your “source of truth” of how network devices
are configured is sourced from an SCM (GIT) instead of the devices
themselves
• Think intended configuration versus concrete configuration on the devices
Infrastructure as Code for Network Ops
SCM (GitLab) Runner(s)
3 configures & tests staging
based on intent
User commits changes to
1 SCM (GitLab) that defines Continuous Integration Continuous Delivery/Deployment
the IaC intent
Staging Prod
Branch
IaC
Main
Lint Deploy Test Deploy Test
Branch
SCM (GitLab) Runner(s)

4 configures & tests prod
NetDevOps!
SCM (GitLab) detects based on intent
2 change and activates automatically or via user
pipeline intervention
with NXOS and Ansible
What is Ansible?
Automation / Configuration / Orchestration tool
Open Source
Agentless Push Model
Produces the same results no matter how many times it is executed*
No programming knowledge required
Requires only data-structure manipulation knowledge
Network CLI and REST API interaction
*idempotent
What makes up Ansible?
NXOS
Builtin Roles
NETCONF
REST API
Tasks
CLI
WSL NXOS
Inventory
DCNM
Ansible Core
REST API
Collections
Python
Playbooks
NDFC
Control Host Engine Intent Target
Python Virtual Environments virtualenv
• You should use a virtual environment

• Allows for installing Ansible inside a contained area with specific
version of Python
• Makes it possible to run different Python scripts that require
different versions of Python and libraries
• Detailed steps beyond scope of this session
Reference Slide
pyenv
• pyenv is the best mechanism 1 install a version of python
to control python virtual % pyenv install 3.9.11
environments
2 create virtual environment
• Allows control of python
% pyenv virtualenv 3.9.11 ansible
version to execute independent
of system version create directory for ansible development
3
• pyenv virtualenv also needed % mkdir my_ansible_dir
4 Set pyenv virtual environment

Install instructions: % pyenv local ansible
https://github.com/pyenv/pyenv/wiki
https://github.com/pyenv/pyenv-virtualenv
Installing Ansible
% pip install ansible-core % pip install ansible
• Installs only the core components • “batteries included”

• Collections must be installed by • Installs community-curated
you selection of Ansible Collections
• Smaller footprint and more control • Complete package but larger
footprint on filesystem
• Assures install of latest collection
version released! • Might not install the latest version
of a desired collection!
https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html
Ansible Collections
Ansible Collections
• Introduced in Ansible 2.9
• Uses Ansible Galaxy as the delivery vehicle
• Contains modules, plugins, filters
• Collections not related to Ansible release schedules
• Allows vendor flexibility in relation to product releases
% ansible-galaxy collection install cisco.nxos cisco.dcnm
NXOS - https://galaxy.ansible.com/cisco/nxos NDFC - https://galaxy.ansible.com/cisco/dcnm
Reference Slide
Ansible.Builtin
• Modules perform specific task
like set facts (variables), import
roles, tasks, vars, and more
• Includes many filters for
working with data sets
• Actively maintained by RedHat
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/index.html
Ansible Cisco.Nxos
Collection Modules
77
• Modules perform specific task like
configure vlans, interfaces, OSPF,
BGP, and more
• Documentation provides usage
details, required variables, default
variables, etc
• Actively maintained by RedHat with
Cisco support
https://docs.ansible.com/ansible/latest/collections/cisco/nxos/index.html
Ansible Modules Collection
Namespace
Collection
Name
Module
Name
• Always use the fully qualified - name: Configure VLAN-to-VNI Mappings

cisco.nxos.nxos_vlans:
collection name (FQCN) for the config:
module - name: Overlay-1
vlan_id: 100
• The modules require parameters mapped_vni: 10000
with values assigned that define - name: Web Servers
your configuration intent vlan_id: 101
mapped_vni: 10101
• Documentation provides details - name: DB Servers
on default values and required vlan_id: 102
values mapped_vni: 10102
state: merged
Parameter Value
Reference Slide
A word about YAML Syntax

YAML Ain’t Markup Language Microsoft VSCode
• Human Readable Data Structures

• Lists, Dictionaries, etc ATOM
• Used in inventory, playbooks, & variable files

• Best practice is to use: PyCharm
• Text editor (e.g. Notepad++)
• IDE (e.g. VSCode) with language assistant Eclipse
support for YAML
• Indentation is very important, and the proper
editor will help you
Notepad++
Ansible Concepts
VXLAN EVPN Fabric
IaC – Nexus as Code
• Configure Hostnames,
Features, etc. (Common
configuration)
VXLAN EVPN Fabric
10.15.1.11 - S1 S2 - 10.15.1.12
• Configure Underlay
(Interfaces, Routing
protocols, etc.) Routing
(OSPF/PIM/BGP)
10.15.1.13 - L1 10.15.1.14 - L2 10.15.1.15 - L3
VXLAN EVPN Fabric
• Configure Overlay
(VRFs, VLANs, SVIs,
etc.)
Ansible Directory Structure
ansible Where to do it
inventory.yml
group_vars Data to do it
host_vars
roles How to do it
vxlan.yml
What to do
#CiscoLive © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public
What to do
Ansible Playbook
ansible ---
# main playbook
inventory.yml - hosts: spines, leafs

gather_facts: false
group_vars
roles:
host_vars - role: common
- role: underlay
roles
- hosts: leafs
vxlan.yml gather_facts: false
roles:
- role: overlay
Where to do it
Ansible Inventory
---
ansible # main inventory file
all:
vars:
inventory.yml ansible_connection: ansible.netcommon.network_cli
ansible_user: "nxos_username"
group_vars ansible_password: "nxos_password"

ansible_network_os: cisco.nxos.nxos
children:
host_vars spines:
hosts:
10.15.1.11:
Connection
roles 10.15.1.12:
leafs: information
hosts:
vxlan.yml 10.15.1.13: for switches
10.15.1.14:
10.15.1.15:
Where to do it
Ansible Inventory
---
all:
vars:
inventory.yml ansible_connection: ansible.netcommon.network_cli
ansible_user: "nxos_username"
group_vars ansible_password: "nxos_password"

children:
host_vars spines:
hosts:
10.15.1.11:
roles 10.15.1.12:
leafs:
hosts: This will be annotated
vxlan.yml 10.15.1.13:
10.15.1.14: shorthand in subsequent
10.15.1.15: slides as network_cli
Reference Slide
Ansible Networking
• Network modules execute from control node (Ansible host)
• Collections organized by network platform/OS
• Offers multiple connection protocols
Value of ansible_connection Protocol Requires Persistent
ansible.netcommon.network_cli CLI over SSH ansible_network_os Yes
ansible.netcommon.httpapi API over HTTP/HTTPS ansible_network_os Yes
Ansible Playbook Relationships
---
all:
inventory.yml ---
vars:
ansible_connection: network_cli
group_vars # main playbook ansible_user: "nxos_username"
ansible_password: "nxos_password"
- hosts: spines, leafs
host_vars gather_facts: false
children:
spines:
roles roles: hosts: Spine
- role: common 10.15.1.11: Group
vxlan.yml - role: underlay 10.15.1.12:
leafs:
- hosts: leafs hosts: Leaf
gather_facts: false 10.15.1.13:
10.15.1.14: Group
roles: 10.15.1.15:
- role: overlay
How to do it
Ansible Roles
ansible
❯ ansible-galaxy init overlay
inventory.yml - Role overlay was created successfully
❯ tree overlay
group_vars overlay
├── README.md
host_vars ├── tasks
│ └── main.yml
roles ├── templates
└── vars
common └── main.yml
underlay
overlay
vxlan.yml
How to do it
Ansible Roles – Tasks
ansible PIM BGP
Hostname Features Interfaces OSPF
inventory.yml
Tasks Tasks
group_vars
Common Underlay
host_vars
roles
common VLANs/VNIs SVIs
underlay NVE VRFs
overlay Tasks
vxlan.yml Overlay
How to do it
Ansible Roles – Tasks
ansible
roles/overlay/tasks/main.yml
inventory.yml ---
group_vars
# tasks file for roles/overlay
- name: Configure VLAN-to-VNI Mappings

host_vars cisco.nxos.nxos_vlans:
config:
roles • Defines VLAN-to-VNI

- name: Web Servers
vlan_id: 101
mapped_vni: 10101 mappings in config list
common - name: DB Servers
vlan_id: 102
block
mapped_vni: 10102
underlay - name: vMotion • Config block allows for
vlan_id: 103
YAML list of dictionary
overlay mapped_vni: 10103
state: merged objects
<snip>
vxlan.yml
Putting It All Together
Where to do it What to do How to do it
inventory.yml vxlan.yml roles/overlay/tasks/main.yml
--- --- ---
# main inventory file # main playbook # tasks file for roles/overlay
all: - hosts: spines, leafs - name: Configure VLAN-to-VNI Mappings

vars: cisco.nxos.nxos_vlans:
gather_facts: false config:
- name: Web Servers
ansible_user: "nxos_username" roles: vlan_id: 101
ansible_password: "nxos_password" - role: common mapped_vni: 10101
ansible_network_os: cisco.nxos.nxos - role: underlay - name: DB Servers
children: vlan_id: 102
spines: mapped_vni: 10102
- hosts: leafs - name: vMotion
hosts:
gather_facts: false vlan_id: 103
10.15.1.11:
10.15.1.12: mapped_vni: 10103
leafs: roles: state: merged
- role: overlay <snip>
hosts:
10.15.1.13:
10.15.1.14:
10.15.1.15:
--- --- ---

- name: Web Servers
hosts:
10.15.1.11:
10.15.1.12: mapped_vni: 10103
hosts:
10.15.1.13:
10.15.1.14: Three VLAN-to-VNI mappings
10.15.1.15:
configured on all leaf switches!
--- --- ---

- name: Web Servers
hosts:
10.15.1.11:
10.15.1.12: mapped_vni: 10103
hosts:
10.15.1.13: Do not do Ansible
10.15.1.14:
10.15.1.15: variables this way!
A word about Ansible Variables
• Can be defined in many different places
• Most commonly in group_vars and host_vars directory
• Created dynamically during runtime
• Used in task modules, conditional logic, templates, etc
• Jinja2 syntax used to reference
• Variable precedence is used
https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#understanding-variable-precedence
Data to do it
Variables with Jinja2 Syntax
• Variable substitution in tasks
• Uses double curly braces wrapped in quotes: "{{ }}"
# tasks file for roles/overlay # vars defined somewhere in Ansible
- name: Configure VLAN-to-VNI Mappings vlan_name: Web Servers

cisco.nxos.nxos_vlans: vlan_id: 101
config: vni_id: 10101
- name: "{{ vlan_name }}"
vlan_id: "{{ vlan_id }}"
mapped_vni: "{{ vni_id }}"
Set of
Key/Value Pairs
Data to do it
Ansible Variable Lists
Go from this… To this…

# vars defined somewhere in Ansible # vars defined somewhere in Ansible
vlan_name: Web Servers networks:

vlan_id: 101 - vlan_name: Web Servers
vni_id: 10101 vlan_id: 101
vni_id: 10101
- vlan_name: DB Servers
Sequential list of three vlan_id: 102
dictionary objects vni_id: 10102
containing VLAN - vlan_name: vMotion
information that can be vlan_id: 103
referenced iteratively vni_id: 10103
Data to do it
Ansible Loop with Jinja2 Syntax
• Use Ansible loop to iterate data for a tasks
# tasks file for roles/overlay # vars defined somewhere in Ansible
- name: Configure VLAN-to-VNI Mappings networks:

cisco.nxos.nxos_vlans: - vlan_name: Web Servers
config: vlan_id: 101
- name: "{{ item.vlan_name }}" vni_id: 10101
vlan_id: "{{ item.vlan_id }}" - vlan_name: DB Servers
mapped_vni: "{{ item.vni_id }}" vlan_id: 102
loop: "{{ networks }}" vni_id: 10102
- vlan_name: vMotion
vlan_id: 103
vni_id: 10103
Data to do it
Ansible Group Vars
---
ansible # var file for leafs group
inventory.yml features:
- ospf • group_vars files are named
- pim
group_vars - bgp
and referenced after
- nv overlay inventory groups
leafs.yml - vn-segment-vlan-based
- interface-vlan • match inventory group!
spines.yml networks:
- vlan_name: Web Servers • contains data common to
host_vars vlan_id: 101
vni_id: 10101
specified group
roles vlan_id: 102
vni_id: 10102
vxlan.yml - vlan_name: vMotion
vlan_id: 103
vni_id: 10103
Data to do it
Ansible Host Vars
---
ansible # vars file for L1
inventory.yml hostname: L1
• host_vars files are
layer3_physical_interfaces:
group_vars - interface: ethernet1/11
named and referenced
description: To S1 Eth1/1 after device IP address or
host_vars mode: layer3 FQDN
ip_address: 10.1.1.1
10.15.1.11.yml mask: 31
mtu: 9216
• match inventory name!
- interface: ethernet1/12
10.15.1.12.yml description: To S2 Eth1/1 • contains data specific to
mode: layer3 that device
10.15.1.13.yml ip_address: 10.2.2.1
mask: 31
mtu: 9216
10.15.1.14.yml
10.15.1.15.yml
Where to do it What to do How to do it Data to do it
inventory.yml vxlan.yml roles/common/tasks/main.yml group_vars/leafs.yml

--- --- --- ---
# main inventory file # main playbook # tasks file for roles/common # var file for leafs group
all: - hosts: spines, leafs - name: Configure Hostname features:

<snip> gather_facts: false cisco.nxos.nxos_hostname: - ospf
children: config: - pim
spines: roles: hostname: "{{ hostname }}" - bgp
hosts: - role: common state: merged - nv overlay
10.15.1.11: - role: underlay - vn-segment-vlan-based
10.15.1.12: - name: Enable Features - interface-vlan
leafs: - hosts: leafs cisco.nxos.nxos_feature: <snip>
hosts: gather_facts: false feature: "{{ item }}"
10.15.1.13: state: enabled
10.15.1.14: roles: loop: "{{ features }}" host_vars/10.15.1.13.yml
10.15.1.15: - role: overlay
---
# var file for 10.15.1.13
hostname: L1
<snip>
Executing Ansible Playbooks
ansible-playbook –i <inventory file> <playbook file>
Details for NXOS
Two Types of Modules for NXOS
Legacy Modules Resource Modules
• Inconsistent across different network • Consistent across different network

devices devices
• Requires task loops for more than • Can leverage task loops or Jinja2
one configuration item templating for config blocks
• Simple states, present or absent • Introduces consistent and clearly
defined states
Reference Slide
A word about Resource Module States

• Merged - Ansible merges the on-device configuration with the
provided configuration in the task.
• Replaced - Ansible replaces the on-device configuration
subsection with the provided configuration subsection in the task.
• Overridden - Ansible overrides the on-device configuration for the
resource with the provided configuration in the task. Use caution
with this state as you could remove your access to the device (for
example, by overriding the management interface configuration).
• Deleted - Ansible deletes the on-device configuration subsection
and restores any default settings.
Data to do it
A word about Jinja Templating
• Leverage module and filters from Ansible Builtin collection
• Create template file(s) in a role’s template directory: .j2 file extension
# tasks file for roles/overlay # group_vars/leafs.yml
networks:
- name: Generate VLAN Config Payload
- vlan_name: Web Servers
ansible.builtin.set_fact:
vlan_id: 101
nxos_vlans: "{{ lookup('template', 'vlans.j2') }}"
vni_id: 10101
- name: Configure VLANs
cisco.nxos.nxos_vlans: vlan_id: 102
config: "{{ nxos_vlans | from_yaml }}" vni_id: 10102
state: merged
# roles/overlay/templates/vlans.j2
# config data passed to task
{% for network in networks %}
- vlan_id: {{ network.vlan_id }}
- vlan_id: 101
{% endfor %}
- Vlan_id: 102
NXOS Config Fallback Module
How to configure NXOS when a module is missing
• Allows passing direct cli configuration

• Can take full running-config backup, e.g. before a change operation
• Perform a save operation, i.e. “copy run start”
- name: Configure PIM Anycast RP

cisco.nxos.nxos_config:
lines:
- "ip pim anycast-rp {{ s1_loopback1 }} {{ s1_loopback0 }}"
- "ip pim anycast-rp {{ s2_loopback1 }} {{ s2_loopback0 }}" Options:
save_when: modified • always – copy always
• modified – copy only if changed
since last save
• changed – copy only if the task
made a change
• never – never copy
NXOS Command Fallback Module
How to send commands to NXOS when a module is missing
• Allows sending arbitrary commands, e.g. show commands

• Supports prompt handling
• Can handle list of commands or prompts
- name: Get Show Commands - name: Misc Commands

cisco.nxos.nxos_command: cisco.nxos.nxos_command:
commands: commands: copy ftp://nxos.bin bootflash:
- show version prompt:
- show ip ospf neighbor - "Username:"
- show ip pim neighbor - "Password:"
answer:
- <username>
- <password>
An Example
An Example – Add VXLAN EVPN Overlay
Modules Required interface Vlan500

vlan 500 no shutdown
vn-segment 50000 ansible.builtin.set_fact vrf member AnsibleVRF
vlan 101 cisco.nxos.nxos_vlans ip forward
vn-segment 10101 cisco.nxos.nxos_overlay_global interface Vlan101
vrf context AnsibleVRF no shutdown
cisco.nxos.nxos_vxlan_vtep
vni 50000 vrf member AnsibleVRF
rd auto cisco.nxos.nxos_vxlan_vtep_vni ip address 10.0.11.1/24
address-family ipv4 unicast cisco.nxos.nxos_evpn_vni fabric forwarding mode anycast-gateway
route-target both auto evpn cisco.nxos.nxos_vrf interface nve1
evpn cisco.nxos.nxos_vrf_af no shutdown
vni 10101 l2 source-interface loopback1
cisco.nxos.nxos_vrf_interface
rd auto host-reachability protocol bgp
route-target import auto cisco.nxos.nxos_interfaces member vni 50000 associate-vrf
route-target export auto cisco.nxos.nxos_l3_interfaces member vni 10101
mcast-group 239.0.0.1
An Example – Add VXLAN EVPN Overlay
with NDFC and Ansible
Cisco Nexus Dashboard Fabric Controller (NDFC)
Formerly Called (DCNM)
Cisco Nexus
Cisco Data Center
Dashboard
Network Manager
Fabric Controller
Nexus Dashboard
Simple to Automate, Simple to Consume
Insights Fabric
Controller
Orchestrator Fabric
Discovery
Data SAN
Broker Controller
Consume all services in one place
Private cloud | Third-party apps | Public cloud
Automation
Accelerate provisioning from days to minutes
Easy to understand approach to

auto-bootstrapping of entire fabric
Rapid Deployment with Fabric Builder

best practice templates for VXLAN-EVPN
DevOps friendly
Enhanced Programmability
Scale within and across data centers

with Nexus Dashboard Orchestrator
Reference Slide
Getting started
Ansible Collection Installation
Collection Location: https://galaxy.ansible.com/cisco/dcnm
Install Command:
* pip install ansible
* ansible-galaxy collection install cisco.dcnm
Ansible uses the Fully Qualified Collection Name (FQCN)

Namespace: cisco
Collection Name: dcnm
20/20 Hindsight Tech “Specs”
NDFC
NDFC - https://galaxy.ansible.com/cisco/dcnm
Hindsight “Specs” Model
I See
NDFC
Ansible
Collection
Names
Reference Slide
NDFC Ansible Galaxy Collection Site
History Lesson
Link to repo
Collection Version
& Install Command
NDFC Version
NDFC - https://galaxy.ansible.com/cisco/dcnm
NDFC Collection Modules – Toolbox
https://galaxy.ansible.com/cisco/dcnm
12 Modules
Module Name Purpose
cisco.dcnm.dcnm_rest General Do Anything Module
cisco.dcnm.dcnm_inventory Add Devices To Fabric
cisco.dcnm.dcnm_interface Configure Fabric Interfaces
cisco.dcnm.dcnm_vrf Add Overlay VRFs
cisco.dcnm.dcnm_network Add Overlay Networks / VLANs
cisco.dcnm.dcnm_template Create Custom Templates
cisco.dcnm.dcnm_policy Create Policies Based On Templates
cisco.dcnm.dcnm_links Manage Fabric Links
cisco.dcnm.dcnm_resource_manager Manage Fabric Resources
cisco.dcnm.dcnm_service_node Manage Service Nodes
cisco.dcnm.dcnm_service_policy Manage Service Policy
cisco.dcnm.dcnm_service_route_peering Manage Service Route Peering
Primary VXLAN EVPN Fabric Modules
cisco.dcnm.dcnm_rest
cisco.dcnm.inventory
cisco.dcnm.vrf
cisco.dcnm.network
cisco.dcnm.interface
cisco.dcnm.template & cisco.dcnm.policy
HTTPAPI Plugin
Transparent NDFC/DCNM Controller Support
No Ansible playbook changes required!
NDFC + Ansible Version 12
+ Ansible Version 11
+
Let’s Build Something With NDFC and Ansible Together!

#CiscoLive BRKDCN-2946 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public
Levels of Complexity – CLI
router bgp 65001
router-id 10.10.10.21
neighbor 10.10.10.11
remote-as 65001
update-source loopback0
feature bgp address-family l2vpn evpn
feature interface-vlan send-community
feature vn-segment-vlan-based send-community extended
feature nv overlay vrf Tenant-1
nv overlay evpn address-family ipv4 unicast
vlan 10 advertise l2vpn evpn
vn-segment 10000 evpn
vlan 11 vni 10011 l2
vn-segment 10011 rd auto
interface loopback0 route-target import auto
ip address 10.10.10.21/32 route-target export auto
ip pim sparse-mode interface Vlan10
ip router ospf UNDERLAY area 0 no shutdown
interface loopback1 vrf member Tenant-1
ip address 2.2.2.1/32 ip forward
ip pim sparse-mode interface Vlan11
vrf context Tenant-1 vrf member Tenant-1
vni 10000 ip address 10.0.11.1/24
rd auto fabric forwarding mode anycast-gateway
address-family ipv4 unicast interface nve1
route-target both auto evpn no shutdown
source-interface loopback1
host-reachability protocol bgp
member vni 10000 associate-vrf
member vni 10011
Levels of Complexity – NXOS Modules
router bgp 65001
router-id 10.10.10.21
> nxos_feature neighbor 10.10.10.11
remote-as 65001
> nxos_interface update-source loopback0
feature bgp
feature interface-vlan > nxos_l3_interface address-family l2vpn evpn
send-community
feature vn-segment-vlan-based
feature nv overlay
> nxos_interface_ospf send-community extended
vrf Tenant-1
nv overlay evpn > nxos_pim_rp_address address-family ipv4 unicast
vlan 10 advertise l2vpn evpn
vn-segment 10000 > nxos_evpn_global evpn
vlan 11
vn-segment 10011 > nxos_bgp vni 10011 l2
rd auto
interface loopback0
ip address 10.10.10.21/32
> nxos_bgp_af route-target import auto
route-target export auto
ip pim sparse-mode > nxos_bgp_neighbor interface Vlan10
interface loopback1 > nxos_bgp_neighbor_af vrf member Tenant-1
ip address 2.2.2.1/32
ip pim sparse-mode > nxos_vlan ip forward
interface Vlan11
ip router ospf UNDERLAY area 0
vrf context Tenant-1
> nxos_vrf no shutdown
vrf member Tenant-1
vni 10000 > nxos_vrf_af 18 ip address 10.0.11.1/24
rd auto fabric forwarding mode anycast-gateway
address-family ipv4 unicast > nxos_vrf_interface interface nve1
route-target both auto evpn
> nxos_vxlan_vtep no shutdown
source-interface loopback1
> nxos_vxlan_vtep_vni host-reachability protocol bgp
member vni 10000 associate-vrf
> nxos_evpn_vni member vni 10011
> nxos_config
Levels of Complexity – NDFC Controller
Easy Button
Levels of Complexity – NDFC Modules
> dcnm_rest
> dcnm_inventory
> dcnm_interface
7 > dcnm_vrf
> dcnm_network
> dcnm_template
> dcnm_policy
BRKDCN-2946 70
Workflow Step1: Create VXLAN Fabric
Replication Backup
VPC Bootstrap
Fabric Object Resource

Overlay
Ranges
Underlay OAM
Workflow Step2: Add Devices
Spine1 Spine2
Replication Backup
VPC Bootstrap

Overlay
Ranges
Underlay OAM
Leaf1 Leaf2 Leaf3 Leaf4
Workflow Step3: Configure VRFs
Spine1 Spine2
Replication Backup
L3 VPC
VRF VNI 470000 Bootstrap

Overlay
Ranges
Underlay OAM
Workflow Step4: Configure Networks
Spine1 Spine2
Replication Backup
L3 VPC
Fabric Object
L2 VNI 4000
Overlay
Resource
Ranges
L2VNI 7000
Underlay OAM
Workflow Step5: Configure Host Interfaces
Spine1 Spine2
Replication Backup
L3 VPC
Fabric Object
L2 VNI 4000
Overlay
Resource
Ranges
L2VNI 7000
Underlay OAM
Host Host
Reference Slide
Workflow Step6: Extend The Fabric
Spine1 Spine2
Replication Backup
L3 VPC
Fabric Object
L2 VNI 4000
Overlay
Resource
Ranges
L2VNI 7000
Underlay OAM
External
Fabric
Host Host
Reference Slide
Workflow Step: Configure vPC
Spine1 Spine2
Replication Backup
VPC Bootstrap

Overlay
Ranges
Underlay OAM
NDFC Playbook & Inventory Relationship
Playbook Inventory File

all:
--- vars:
ansible_user: "dcnm_username"
- hosts: ndfc_controllers ansible_password: "dcnm_password"
gather_facts: false ansible_python_interpreter: python
connection: ansible.netcommon.httpapi ansible_httpapi_validate_certs: False
ansible_httpapi_use_ssl: True
vars: children:
password: !vault | ndfc_controllers:
$ANSIBLE_VAULT;1.1;AES256 hosts:
192.168.2.10:
ansible_network_os: cisco.dcnm.dcnm
tasks: dcnm_controllers:
- name: Add Switches to Fabric hosts:
cisco.dcnm.dcnm_inventory: 192.168.55.4:
fabric: vxlan-fabric ansible_network_os: cisco.dcnm.dcnm
state: overridden
Create VXLAN EVPN Fabric
• Ansible Task Description
• Fabric Variables – Overrides Default Values

- Set BGP Autonomous System
- Green Field Fabric – Impacts Device Reload
- Use CLI instead of Profiles
- name: Create Fabric {{ fabric.name }} on NDFC

vars: cisco.dcnm.dcnm_rest
payload:
BGP_AS: "{{ fabric.asn }}"
GRFIELD_DEBUG_FLAG: "Enable"
OVERLAY_MODE: "cli"
Create VXLAN EVPN Fabric
• Invoke module call to cisco.dcnm.dcnm_rest
- Stop gap module – Invoke any NDFC REST API
- Use when intent module not available
- Fabric module on the roadmap
• Important Note: Does not check error conditions
- name: Create Fabric {{ fabric.name }} on NDFC

payload:
BGP_AS: "{{ fabric.asn }}"
GRFIELD_DEBUG_FLAG: "Enable"
OVERLAY_MODE: "cli"
cisco.dcnm.dcnm_rest:
method: POST
path: "/appcenter/cisco/ndfc/api/v1/lan-fabric/rest/control/fabrics/{{ fabric.name }}/Easy_Fabric"
json_data: "{{ payload| to_json }}"
ignore_errors: true
Add Devices To Fabric
• Invoke module call to cisco.dcnm.dcnm_inventory
- Specify target Fabric Name
• Config parameters
- Credentials to access each switch device and set role
- Wipe or preserve exiting device config
- name: Add switches to fabric {{ fabric.name }}

cisco.dcnm.dcnm_inventory: cisco.dcnm.dcnm_inventory
fabric: "{{ fabric.name }}"
config:
- seed_ip: 192.168.0.1
auth_proto: MD5 # choose from [MD5, SHA, MD5_DES, MD5_AES, SHA_DES, SHA_AES]
user_name: "{{ switch_username }}"
password: "{{ switch_password }}"
max_hops: 0
role: leaf # choose from [spine, leaf]
preserve_config: False
Add Devices To Fabric – POAP
• Power On Auto Provisioning Support
- Same module with poap: config block
cisco.dcnm.dcnm_inventory
- name: Add Switch Fabric Using POAP
cisco.dcnm.dcnm_inventory:
state: merged # Only 2 options supported [merged, query] for poap config
config:
- seed_ip: 192.168.0.5
{…}
poap:
- serial_number: 2A3BCDEFJKL
model: 'N9K-C9300v'
version: '9.3(7)'
hostname: 'POAP_SWITCH'
image_policy: "poap_image_policy"
config_data:
modulesModel: [N9K-X9364v, N9K-vSUP]
gateway: 192.168.0.1/24
Reference Slide
Enable vPC Peer Link

• Payload specifying each peer serial number
- useVirtualPeerLink set to false – use physical link
• Invoke module call to cisco.dcnm.dcnm_rest

- useVirtualPeerLink set to false
- Use POST method and vpcpair path + Payload
- name: create VPC peer on leaf {{ leaf1_ip }}|{{ leaf_2.ip }}

payload:
peerOneId: "{{leaf_sws.response[0].serialNumber}}"
peerTwoId: "{{leaf_sws.response[1].serialNumber}}"
useVirtualPeerlink: false
cisco.dcnm.dcnm_rest:
method: POST
path: "/appcenter/cisco/ndfc/api/v1/lan-fabric/rest/vpcpair"
json_data: "{{ payload | to_json }}"
ignore_errors: true
Reference Slide
Configure vPC Interfaces

• Invoke module call to cisco.dcnm.dcnm_interface
- name: Configure vPC Interfaces - Supported states: merged, replaced, overridden
cisco.dcnm.dcnm_interface:
state: merged • Supports a list of different types of interfaces
config: - Ethernet, Loopback, FEX, PortChannel
- name: eth1/8
type: eth - SubInterfaces, VPC
admin_state: true
switch:
- "{{ leaf1.ip }}"
profile: • VPC Interfaces
mode: trunk - Setup using Ethernet Interfaces
- name: eth1/9
type: eth - Specify Leaf IP
admin_state: true - Use Trunk Mode Profile
switch:
- "{{ leaf2.ip }}"
profile:
mode: trunk
cisco.dcnm.dcnm_interface
Create and Deploy VRF Objects
• Invoke module call to cisco.dcnm.dcnm_vrf
- Supported states: merged, replaced, overridden
• Supports a list of VRFs
• Supports a list of Devices for Attach and Deploy

- name: Add VRFs to Fabric
cisco.dcnm.dcnm_vrf:
fabric: "{{ fabric_name }}"
cisco.dcnm.dcnm_vrf
state: merged
config:
- vrf_name: CL-VRF1
vrf_id: 470000
vlan_id: 2055
attach:
- 192.168.0.1
- 192.168.0.2
- 192.168.0.3
- 192.168.0.4
How Does One Merge A Sandwhich?
Initial State Merged State
Merge Operation
A Word About Module States - (Merged)
Playbook NDFC Before Merge NDFC After Merge
VRF1 VRF1 VRF1
Property A Property A Property A
State: Merged Merge
Property B Property B Property B
Property D Property C Property C
Other VRFs Property D

Untouched
Other VRFs
Untouched
Who Is The Source Of Truth?
It's Me! It's Me!
NDFC
How Does One Replace A Sandwhich?
Desired State Actual State Replaced State
Replace Operation
A Word About Module States - (Replaced)
Playbook NDFC Before Replace NDFC After Replace
VRF1 VRF1 VRF1
Property A Property A Property A
State: Replaced Replace
Property B Property B Property B
Property D Property C Property C
Source of Truth Other VRFs Property D

Untouched
Other VRFs
Untouched
How Does One Override A Sandwhich?
Desired State Actual State Overridden State
Override Operation
#CiscoLive BRKDCN-2946 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public
A Word About Module States - (Overridden)
NDFC Before Overridden NDFC After Overridden
Playbook VRF1 VRF1
VRF1 Property A Property A
Property A Property B Property B
Property B Property D Property D
Property D VRF2 VRF2
State: Overridden Override
Property A Property A
VRF3 Property B Property B
Property A Property C Property C
Property B
Property C VRF3 VRF3
Property A Property A
Source of Truth
Property B Property B
Property D Property C
Property D
Create Network Objects
• Invoke module call to cisco.dcnm.dcnm_network
- Supported states: merged, replaced, overridden
• Supports a list of Networks
• Supports a list of Devices for Attach and Deploy

- name: Add Networks
cisco.dcnm.dcnm_network:
cisco.dcnm.dcnm_network
state: merged
config:
- net_name: CL-NET4000 - net_name: CL-NET7000
vrf_name: CL-VRF1 vrf_name: CL-VRF1
net_id: 4000 net_id: 7000
vlan_id: 55 vlan_id: 88
attach: attach:
- 192.168.0.1 - 192.168.0.2
- 192.168.0.3 - 192.168.0.4
Configure Host Interfaces
- name: Add Networks
cisco.dcnm.dcnm_interface:
state: merged
config:
- name: "eth1/1"
type: eth
switch:
- 192.168.0.1 • Invoke module call to cisco.dcnm.dcnm_interface
deploy: true
profile:
admin_state: true
mode: access • Configure and assign access vlan for host facing
speed: 'Auto'
bpdu_guard: false
interfaces on leaf devices
port_type_fast: true
mtu: jumbo
access_vlan: 55
cmds:
- no shutdown cisco.dcnm.dcnm_interface
description: "VLAN 55 Access"
What to do
Ansible Playbook
ansible ---
# main NDFC playbook
inventory.yml - name: Build VXLAN EVPN Fabric on NDFC

hosts: ndfc
group_vars gather_facts: false
roles roles:
- create_fabric
vxlan.yml - add_inventory
- add_overlay
- manage_interfaces
Reference Slide
VRF-Lite Support
• Attach Using Specfic Device for VRF-Lite
• Specify Peer VRF and Network Parameters
- name: Add VRFs to Fabric

cisco.dcnm.dcnm_vrf: cisco.dcnm.dcnm_vrf
{ … }
config:
{ … }
attach:
- 192.168.0.1
- 192.168.0.2
vrf_lite:
- peer_vrf: CL_VRF1 # peer_vrf is mandatory
interface: Ethernet1/16 # optional
ipv4_addr: 10.33.0.2/30 # optional
neighbor_ipv4: 10.33.0.1 # optional
ipv6_addr: 2010::10:34:0:7/64 # optional
neighbor_ipv6: 2010::10:34:0:3 # optional
dot1q: 2 # dot1q can be got from dcnm/optional
Reference Slide
Custom Templates and Policies

- name: Create Telemetry Template content: |
cisco.dcnm.dcnm_template: telemetry
state: merged | deleted | query certificate /bootflash/telegraf.crt telegraf
config: destination-profile
- name: template_telemetry use-vrf management
description: ”Telemetry_Base_Template" destination-group 101
tags: "internal policy 101” ip address 10.195.225.176 port 57101 protocol gRPC…
content: | (config content follows) sensor-group 101
data-source DME
path sys/ch depth unbounded
- name: Create Telemetry Policy subscription 101
cisco.dcnm.dcnm_policy: dst-grp 101 snsr-grp 101 sample-interval 10101
fabric: "{{ ndfc_fabric_name }}"
state: merged | deleted | query
deploy: true
config:
- name: template_telemetry
create_additional_policy: false
priority: 101
- switch:
- ip: ”{{ device_leaf1}}”
CI/CD Pipeline Demo
NDFC & GitLab
Continuous Integration Continuous Delivery/Deployment
Staging Prod
Branch
IaC
Main
Lint Deploy Test Deploy Test
Branch
NetDevOps!
References to Start
Your Journey
Ansible for NXOS and NDFC
• Install Ansible and cisco.nxos and cisco.dcnm Ansible Collections
• Play with module examples
https://github.com/ansible-collections/cisco.nxos/blob/main/docs/cisco.nxos.nxos_bgp_module.rst#examples
https://github.com/CiscoDevNet/ansible-dcnm/blob/develop/docs/cisco.dcnm.dcnm_inventory_module.rst#examples
• Play with roles (https://github.com/allenrobel/ndfc-roles)

• Think big ….. Start small
• Mix cisco.nxos and cisco.dcnm modules for better coverage
More information – Other sessions/labs
• DEVWKS-3928 (Build VXLAN Fabric with NDFC and Ansible)
• DEVNET-2117 (CI/CD Pipelines for Infrastructure Automation)
• LABDCN-2574 (VLXAN EVPN Automation via NDFC Walk in Lab)
• BRKDCN-1619 (Introduction to NDFC: Simplifying Management of
Your Data Center)
• BRKDCN-2918 (Design, Automate, and Manage Next-Gen Data
Center VXLAN BGP EVPN Fabric with NDFC)
More information – Ansible
• https://www.ansible.com/resources/get-started
• https://docs.ansible.com/ansible/latest/collections_guide/index.html
• https://galaxy.ansible.com/cisco/dcnm
• https://galaxy.ansible.com/cisco/nxos
• https://developer.cisco.com/docs/nexus-as-code/#!nx-os-with-
ansible
• https://developer.cisco.com/docs/nexus-as-code/#!ndfc-with-
ansible
Fill out your session surveys!
Attendees who fill out a minimum of four session

surveys and the overall event survey will get
Cisco Live-branded socks (while supplies last)!
Attendees will also earn 100 points in the

Cisco Live Game for every survey completed.
These points help you get on the leaderboard and increase your chances of winning daily and grand prizes
• Visit the Cisco Showcase
for related demos
• Book your one-on-one

Meet the Engineer meeting
• Attend the interactive education

with DevNet, Capture the Flag,
Continue and Walk-in Labs
your education • Visit the On-Demand Library

for more sessions at
www.CiscoLive.com/on-demand
BRKDCN-2946 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 105
Visit us at “Share Your Experience”
Booth #214 in the DevNet Zone
Win prizes by participating in hands on activities about
API quality and insights while working with Crosswork
Automation, ACI & NDFC.
Find us in the
center of the
DevNet
Zone
Thank you
#CiscoLive
Gamify your Cisco Live experience!
Get points for attending this session!
How:
1 Open the Cisco Events App.
2 Click on 'Cisco Live Challenge’ in the side menu.
3 Click on View Your Badges at the top.
4 Click the + at the bottom of the screen and scan the QR code:
#CiscoLive

BRKDCN 2946 1

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BRKDCN 2946 1

Uploaded by

Copyright:

Available Formats

#CiscoLive

Matt Tarkington – Technical Leader

2 Click “Join the Discussion”

4 Enter messages/questions in the Webex space

Webex spaces will be moderated

• What is Infrastructure as Code?

tasks • Automated Testing!

• Speed, Scale Infrastructure

SCM (GitLab) Runner(s)

Agentless Push Model

Produces the same results no matter how many times it is executed*

No programming knowledge required

Requires only data-structure manipulation knowledge

Network CLI and REST API interaction

Control Host Engine Intent Target

• You should use a virtual environment

4 Set pyenv virtual environment

% pip install ansible-core % pip install ansible

• Installs only the core components • “batteries included”

% ansible-galaxy collection install cisco.nxos cisco.dcnm

NXOS - https://galaxy.ansible.com/cisco/nxos NDFC - https://galaxy.ansible.com/cisco/dcnm

• Always use the fully qualified - name: Configure VLAN-to-VNI Mappings

A word about YAML Syntax

• Human Readable Data Structures

• Used in inventory, playbooks, & variable files

10.15.1.13 - L1 10.15.1.14 - L2 10.15.1.15 - L3

inventory.yml - hosts: spines, leafs

group_vars ansible_password: "nxos_password"

group_vars ansible_password: "nxos_password"

Value of ansible_connection Protocol Requires Persistent

ansible.netcommon.network_cli CLI over SSH ansible_network_os Yes

ansible.netcommon.httpapi API over HTTP/HTTPS ansible_network_os Yes

- name: Configure VLAN-to-VNI Mappings

roles • Defines VLAN-to-VNI

all: - hosts: spines, leafs - name: Configure VLAN-to-VNI Mappings

all: - hosts: spines, leafs - name: Configure VLAN-to-VNI Mappings

all: - hosts: spines, leafs - name: Configure VLAN-to-VNI Mappings

# tasks file for roles/overlay # vars defined somewhere in Ansible

- name: Configure VLAN-to-VNI Mappings vlan_name: Web Servers

Go from this… To this…

vlan_name: Web Servers networks:

# tasks file for roles/overlay # vars defined somewhere in Ansible

- name: Configure VLAN-to-VNI Mappings networks:

inventory.yml vxlan.yml roles/common/tasks/main.yml group_vars/leafs.yml

all: - hosts: spines, leafs - name: Configure Hostname features:

Legacy Modules Resource Modules

• Inconsistent across different network • Consistent across different network

A word about Resource Module States

• Allows passing direct cli configuration

- name: Configure PIM Anycast RP

• Allows sending arbitrary commands, e.g. show commands

- name: Get Show Commands - name: Misc Commands

Modules Required interface Vlan500

Consume all services in one place

Private cloud | Third-party apps | Public cloud

Easy to understand approach to

Rapid Deployment with Fabric Builder

Scale within and across data centers

Collection Location: https://galaxy.ansible.com/cisco/dcnm

Ansible uses the Fully Qualified Collection Name (FQCN)

NDFC Ansible Galaxy Collection Site

cisco.dcnm.template & cisco.dcnm.policy