
Lab Guide

Cisco dCloud

Cisco ACI with F5 and Ansible Lab v1

Last Updated: 30-September-2019

About This Demonstration


This guide for the preconfigured demonstration includes:

About This Demonstration

Requirements

About This Solution

Topology

Get Started

Scenario 1. Ansible Tower

Scenario 2. Dynamic End point attach/detach

Appendix A. Troubleshooting the dCloud Environment

What's Next?

© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 59

Requirements
The table below outlines the requirements for this preconfigured demonstration.

• Required: Laptop

• Optional: Cisco AnyConnect®

About This Solution


This lab guide covers using Ansible to automate an F5 BIG-IP and Cisco ACI environment.

The goal is to use Ansible to automate an end-to-end workflow, which can be broken down into the following tasks:
• Perform L2-L3 stitching between the Cisco ACI fabric and F5 BIG-IP

• Configure the network on the BIG-IP

• Deploy an application on BIG-IP

• Automate elastic workload commission/decommission

We will be using Ansible Tower to execute all the tasks.

NOTE: If you are new to Tower, please watch the 10-minute overview before proceeding:
https://www.Ansible.com/products/tower


Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of
the solution. Most components are fully configurable with predefined administrative user accounts. You can see
the IP address and user account credentials to use to access a component by clicking the component icon in
the Topology menu of your active session and in the scenario steps that require their use.

dCloud Topology


Get Started

Follow the steps to schedule a session of the content and configure your presentation environment.

1. Initiate your dCloud session. [Show Me How]

NOTE: It may take up to 10 minutes for your session to become active.

2. For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the
local RDP client on your laptop [Show Me How]

• Workstation 1: 198.18.133.36, Username: dcloud\demouser, Password: C1sco12345


Scenario 1. Ansible Tower


Value Proposition: Red Hat® Ansible® Tower helps you scale IT automation, manage complex deployments
and speed productivity. Centralize and control your IT infrastructure with a visual dashboard, role-based access
control, job scheduling, integrated notifications and graphical inventory management. And Ansible Tower's REST
API and CLI make it easy to embed Ansible Tower into existing tools and processes.

As mentioned, we will be using Ansible Tower to execute all of the playbooks/workflows.


Below is an overview of the flow of the lab:

Start by going over the Tower configurations.

Steps

Pre-configured

In this section, we will go over some of the objects that are configured on Ansible Tower and their purpose.

1. On the workstation, open a Chrome browser. Open a new tab and click the Ansible AWX shortcut.

2. Log in to Ansible Tower using username admin and password C1sco12345. You will see the dashboard
view by default.


The following is the structure of tower objects:


Organization

NOTE: An Organization is a logical collection of Users, Teams, Projects, and Inventories, and is the highest level
in the Tower object hierarchy.

1. Scroll down to the Access section of the menu and click Organization on the left-hand pane.
2. There are two organizations present. We will be working with organization dCloud which currently has 1
project defined.

Projects

A Project is a logical collection of Ansible playbooks, represented in Tower. You can manage playbooks and
playbook directories by either placing them manually under the Project Base Path on your Tower server, or by
placing your playbooks into a source code management (SCM) system supported by Tower.
We are going to use Git as our SCM for this lab.

1. Click on Resources > Projects on the left-hand pane.


2. Click on the + sign on the top right-hand corner to create a new project.

3. Enter the following values:

• Name: demo_git_repo

• Organization: dCloud

• SCM type: Git

• SCM URL: https://github.com/f5devcentral/f5-aci-labs.git (All the playbooks that are placed in this Git
repo will be available in Tower for the user to execute)

• UPDATE REVISION ON LAUNCH - enabled (the Git repo will be updated every time a job using this repo
is executed)

4. Click Save.

NOTE: All playbooks are placed under the docs/pure_ansible/ansible_playbooks directory.


Inventory

Ansible playbooks can be run against multiple hosts; the inventory is used to define those hosts.

1. Click on Resources > Inventories on the left-hand pane.


2. Click on Demo Inventory.

3. Click on Groups.

4. Click on aci.

5. Click on Hosts.
6. Here the aci host to run the playbook has been defined.

NOTE: This is where we would add more hosts under the group aci.


Credentials

The credentials used to log in to the APIC are already defined here.

1. Click on Resources > Credentials on the left-hand pane.


2. Click on apic1.

3. Notice that the Credential type is Network.

Creating Job templates

A job template is a definition and set of parameters for running an Ansible job. Job templates are useful to
execute the same job many times. Job templates also encourage the reuse of Ansible playbook content and
collaboration between teams.
We are going to create two job templates, one to configure the APIC and the second to configure the BIG-IP.


Job template - APIC configuration

This job template pushes all the configuration needed to set up a service graph on the APIC. We are going to
configure a two-arm service graph to connect an F5 BIG-IP to the Cisco APIC fabric.

Information about the service graph: Cisco® Application Centric Infrastructure (Cisco ACI™) technology enables
you to insert Layer 4 through Layer 7 (L4-L7) functions using a concept called a service graph. This document
describes the service graph concept and how to design for service insertion using the service graph.

With the service graph, Cisco ACI introduces innovations at both the data-plane and management levels.

Using the service graph, Cisco ACI can redirect traffic between security zones to a firewall or a load balancer,
without the need for the firewall or the load balancer to be the default gateway for the servers. Cisco ACI can
selectively send traffic to L4-L7 devices based, for instance, on the protocol and the Layer 4 port. Service
graph redirect offers many advantages:

• It eliminates the need to make the firewall or load balancers the default gateway.

• It avoids the need for more complex types of designs such as the Virtual Routing and Forwarding (VRF)
instance–L4-L7–VRF design.

• It avoids the need to split Layer 2 domains (bridge domains) to insert, for instance, a firewall in the path.
• It allows you to redirect only a subset of the traffic based on the protocol and port.

• It allows you to filter traffic between security zones in the same Layer 2 domain (bridge domain).

• It allows you to scale the performance of the L4-L7 device by distributing traffic to multiple devices.
The service graph offers these advantages:

• The service graph can redirect traffic to L4-L7 devices, eliminating the need for more complex designs.

• The service graph automatically manages VLAN assignments.


• The service graph automatically connects virtual Network Interface Cards (vNICs).

• The configuration template can be reused multiple times.

• The service graph provides a more logical view and offers an application-related view of services.
• The service graph provides a better model for sharing a device across multiple departments.

For more information view the white paper on service graph.


A few more items that we are going to configure as part of the service graph:
• Contract: An administrator uses a contract to select the type(s) of traffic that can pass between EPGs,
including the protocols and ports allowed. If there is no contract, inter-EPG communication is disabled by
default. No contract is required for intra-EPG communication; intra-EPG communication is always implicitly
allowed.

o Present under Tenant > Contracts

• Logical device cluster: A device cluster (also known as a logical device) is one or more concrete devices
that act as a single device. A device cluster has cluster (logical) interfaces, which describe the interface
information for the device cluster.

o Present under Tenant > L4-L7 Services > L4-L7 Devices

• Service graph template: A service graph template is represented as two or more tiers of an application
with the appropriate service function inserted between the tiers.

o Present under Tenant > L4-L7 Services > Service Graph Templates

Below is an overall view of the APIC constructs:


Configure the Job Template

1. Click on Resources > Templates on the left-hand pane.

2. Click on the green + sign on the upper right corner.

3. Select Job template.

4. Enter the following:

• Name: Configure L4-L7 APIC

• Inventory: Demo Inventory

• Project: demo_git_repo

• Playbook: docs/pure_ansible/ansible_playbooks/apic_configure_l4l7.yml (Look for the playbook
name under the dropdown list)

• Credential: apic1 (From the Credential type select Network and then select apic1)


5. After all the values are filled, scroll to the bottom and click Save.

Playbook details

• There are templates defined using Jinja2 templating. For information on Jinja2 refer to:
https://jinja.palletsprojects.com/en/2.10.x/

• Take a look at one example of the Jinja2 templates we are going to be using. Click here

• There is one Jinja2 template for each object that is to be created in the APIC

• This is the payload that is going to be posted to the APIC. Anything in "{{ }}" is a variable; each variable
is replaced with its value when we run the playbook

• An Ansible module called aci_rest is used to POST the payload to the APIC REST endpoint

Playbook Code

- name: Configure ACI
  hosts: aci
  connection: local
  gather_facts: false

  tasks:

    # Jinja2 templates with variables are substituted with values and stored in the destination file
    - name: Create XML POSTS from templates
      template: src={{ item.src }} dest={{ item.dest }}
      with_items:
        - { src: ldev.j2, dest: ldev.xml }
        - { src: contract.j2, dest: contract.xml }
        - { src: service_graph_template.j2, dest: service_graph_template.xml }
        - { src: deviceSelectionPolicy.j2, dest: deviceSelectionPolicy.xml }
        - { src: apply_graph.j2, dest: apply_graph.xml }
        - { src: attach_cons_prov_contract.j2, dest: attach_cons_prov_contract.xml }

    # Each file is sent as payload to the REST API endpoint defined in the uri key below
    - name: Execute POSTS
      aci_rest:
        action: "post"
        uri: "/api/node/mo/uni/tn-{{tenant_name}}.xml"
        config_file: "{{ item }}"
        host: "{{inventory_hostname}}"
        # This username/password is taken from the Credentials defined in Ansible Tower
        # (a value that starts with a Jinja2 expression must be quoted to be valid YAML)
        username: '{{ lookup("env", "ANSIBLE_NET_USERNAME") }}'
        password: '{{ lookup("env", "ANSIBLE_NET_PASSWORD") }}'
        # Certificate validation is turned off in this lab; keep it enabled against a production APIC
        validate_certs: "false"
      with_items:
        - "ldev.xml"
        - "contract.xml"
        - "service_graph_template.xml"
        - "deviceSelectionPolicy.xml"
        - "apply_graph.xml"
        - "attach_cons_prov_contract.xml"

Job template - BIG-IP configuration

We will create two job templates.

• Push network related configuration to the BIG-IP (Self-IP/VLAN)

• Pull the VLAN information from the service graph template deployment from APIC and deploy on the BIG-IP

• Push application related configuration to the BIG-IP (Nodes/Pool members/Virtual Servers)

1. Click on Resources > Templates on the left-hand pane.

2. Click on the green + sign on the upper right corner.


3. Select Job template.

4. Enter the following:

• Name: Configure BIG-IP Network


• Inventory: Demo Inventory

• Project: demo_git_repo

• Playbook: docs/pure_ansible/ansible_playbooks/bigip_configure_network.yml
• Credential: apic1 (From the Credential type select Network and then select apic1)


5. After all the values are filled, scroll to the bottom and click Save.

NOTE: Take a look at the code. Click here before proceeding. There are comments in the playbook to help
understand the flow.

6. Click on Templates on the left-hand pane.


7. Click on the green + sign on the upper right corner.

8. Select Job template.

9. Enter the following:


• Name: Configure BIG-IP Application

• Inventory: Demo Inventory

• Project: demo_git_repo

• Playbook: docs/pure_ansible/ansible_playbooks/bigip_configure_application.yml

• Credential: apic1 (From the Credential type select Network and then select apic1)

10. After all the values are filled, scroll to the bottom and click Save.

NOTE: Take a look at the code. Click here before proceeding. There are comments in the playbook to help
understand the flow


Creating workflow

The three job templates created can be moved to a workflow that can be executed via tower.

NOTE: Refer to https://docs.Ansible.com/Ansible-tower/latest/html/userguide/workflows.html for more details


Ansible tower workflows

1. Click on Templates from the left-hand pane.


2. Click on the green + button on the top left corner.

3. Select Workflow Template.

4. Enter Name: APIC-BIGIP-Workflow.

5. Scroll to the bottom and click Save.

NOTE: As soon as Save is clicked, a new window opens for entering all the jobs that will be part of the
workflow.


6. Click on the green Start button.

7. From the right-hand pane, choose the Job template Configure L4-L7 APIC.
8. Scroll down on the right-hand pane and click Select.

9. Hover over the node Configure L4-L7 APIC until a smaller green button displays.

10. Click on the + sign.


11. From the right-hand pane, choose the job template Configure BIG-IP Network.

12. Click Select.

13. Hover over the newly added node and click the smaller green + sign.

14. From the right-hand pane, choose the job template Configure BIG-IP Application.

15. Click Select.


16. Click Save.

17. To verify the workflow, click the Workflow visualizer to view the workflow created.

18. Click on the Settings button to change the visual percentage.

NOTE: Next, we will provide input to the workflow. A few variables are defined in the playbooks; we will provide
input for those variables.


19. Click Close.

20. Back in the workflow, find the Extra Variables text box.
21. Copy the variables below and paste them into Extra Variables text box.
#Variables used in playbooks used by Job1, Job2 and Job3
tenant_name: SJC
logicalDeviceCluster_name: BIGIP-VE-Standalone

#Login credentials
bigip_ip: 198.18.128.130
bigip_username: "admin"
bigip_password: "admin"

consumer_interface: '1.1'
provider_interface: '1.2'

#External Self-IP from the consumer subnet
#Internal Self-IP from the provider subnet
selfip_information:
  - name: 'External-SelfIP'
    address: '10.10.10.50'
    netmask: '255.255.255.0'
    vlan: 'consumer'
  - name: 'Internal-SelfIP'
    address: '10.193.102.50'
    netmask: '255.255.255.0'
    vlan: 'provider'

vip_name: "http_vs"
#Virtual IP address from the consumer subnet
vip_ip: "10.10.10.100"
pool_name: "https-pool"

22. Click Save.


Executing workflow

Before executing, log in to the APIC and BIG-IP and make sure there is no preexisting configuration.

1. In Chrome, open a new browser tab. Click the APIC shortcut.


2. Log in using username admin and password C1sco12345.

3. Close the Welcome pop up window.

4. From the menu, select Tenants.

5. Double click on SJC.

6. Select Services > L4-L7 and look at all the menu options; there should be nothing configured.


7. On Chrome, open a new tab. Select the BIG-IP shortcut.

8. Log in with username admin and password admin.


9. Select the following menu options and confirm there is no current configuration.

• Network > Self-IP

• Network > VLAN

• Local Traffic > Virtual Servers

• Local Traffic > Pools

• Local Traffic > Nodes


10. Go back to Ansible and click Launch.


11. The workflow executes one job template at a time. In the left-hand pane click the double arrow icon to
view the expanded view.

NOTE: Once all the jobs are executed the workflow execution is complete.

12. Select Jobs on the left-hand pane to see the workflow and the jobs executed.


Verify execution - APIC

1. Return to the APIC tab.

2. In Tenants > SJC, select Services > L4-L7.


3. Expand L4-L7 > Service Graph Templates.

4. Expand Devices > BIGIP-VE-Standalone.

5. Expand Devices Selection Policies and Deployed Graph Instances.


6. Select Function Node – N1.

7. Scroll down to display the VLANs.

8. Take note of the VLANs.

NOTE: The values you see might be different from the screen shot.


Verify execution - BIG-IP

1. Return to the BIG-IP tab.

2. From the menu, select Network > VLANs.

NOTE: Look at the VLANs. The same VLAN that is deployed in APIC is pushed to the BIG-IP. We did NOT
provide any VLAN information in the automation scripts. The scripts pulled the VLAN information from this
deployed graph and pushed it to the BIG-IP.

3. Select Network > Self-IPs.


4. View Local Traffic > Virtual Servers.

5. Click on the Virtual Server http_vs.

6. Click on the Resources tab to see that the default pool assigned to it is https-pool.


7. Click on Local Traffic > Pools.

8. Click https-pool.

9. Select the Members tab. Notice that no members have been added to the pool.

NOTE: In the next section we will see how to use a playbook to dynamically add and remove workload to this
pool.

NOTE: At this point, in a real environment, you would be able to reach the virtual server IP address from the
consumer EPG. This is a simulator, so there is no traffic and the virtual IP address will not be reachable.

In the next section, we will focus on adding workload/node members to the BIG-IP pool.


Scenario 2. Dynamic End point attach/detach


Value Proposition: This feature offloads the burden from a network administrator in terms of how to manage
elastic workload.

In this digital age the need to increase/decrease application workload has become more frequent to be able to
handle the increase/decrease in traffic to the application.

Imagine a real-world example of a service provider who wants to run a website. At moment t0, the website is
unpopular and a single machine (most commonly a virtual machine) is enough to serve all web users. At
moment t1, the website suddenly becomes popular and a single machine is no longer sufficient to serve all
users. Based on the number of web users simultaneously accessing the website and the resource requirements
of the web server, it might be that ten machines are needed. At this point nine additional virtual
machines are brought online to serve all web users responsively. These nine additional web servers also need to
be added to the BIG-IP pool so that the traffic can be load balanced.

At time t2, the website becomes unpopular again. The ten machines that are currently allocated to the website
are mostly idle and a single machine would be enough to serve the few users who are accessing the website.
The nine machines are deprovisioned and used for some other purpose.

Now, in the ACI world, when application workload is added it is learned by the ACI fabric and becomes a part of
an Endpoint Group on the ACI fabric.

In the BIG-IP world, that workload is the members of the load-balanced pool.

To summarize:

• Endpoint group on APIC = Pool on the BIG-IP

• Endpoints in an endpoint group = Pool members on the BIG-IP (application servers handling traffic)

When workload is commissioned/decommissioned, it also needs to be added/deleted as a pool member on the
BIG-IP.

Using Ansible, let's automate the process.


In our environment we are going to be using the following:

• EPG on APIC => Provider-EPG


• Pool on BIG-IP => https-pool

NOTE: All playbooks are placed under the docs/pure_ansible/ansible_playbooks directory.

Create a job template

1. In Chrome, log in to Ansible.

2. Click on Resources > Templates on the left-hand pane.


3. Click on the green + sign on the upper right corner.

4. Select Job template.

5. Enter the following parameters:

• Name: Dynamic EP

• Inventory: Demo Inventory

• Project: demo_git_repo
• Playbook: docs/pure_ansible/ansible_playbooks/dynamic_ep.yml (Choose the correct playbook from
the dropdown list)

• Credential: apic1 (From the Credential type select Network and then select apic1)


6. Scroll to the bottom. In the Extra Variables section, add the following:
bigip_ip: '198.18.128.130'
bigip_username: 'admin'
bigip_password: 'admin'


7. Scroll to the bottom and click Save.

NOTE: Next we will create a Survey for this job template. Surveys set extra variables for the playbook, similar to
Extra Variables, but in a user-friendly question-and-answer way. Surveys also allow for validation of user input.

8. Click on Add Survey.

9. Enter the following:

• PROMPT: Tenant

• ANSWER VARIABLE NAME: tenant_name

• ANSWER TYPE: Text

• DEFAULT ANSWER: SJC (provide a default value so that we don't have to enter it every time we run the
playbook)

10. Click +Add. The Tenant variable is added to the right-hand pane now.


11. Continue this process for each extra variable that needs to be passed to the playbook:

• PROMPT: Application Profile


• ANSWER VARIABLE NAME: app_profile_name

• ANSWER TYPE: Text

• DEFAULT ANSWER: SJC-APN

12. Click +Add.

• PROMPT: EndPoint Group

• ANSWER VARIABLE NAME: epg_name

• ANSWER TYPE: Text

• DEFAULT ANSWER: Provider-EPG

13. Click +Add.


• PROMPT: BIG-IP Pool Name

• ANSWER VARIABLE NAME: pool_name

• ANSWER TYPE: Text

• DEFAULT ANSWER: https-pool

14. Click +Add.

• PROMPT: BIG-IP Pool Port

• ANSWER VARIABLE NAME: pool_port

• ANSWER TYPE: Integer

• DEFAULT ANSWER: 80

15. Click +Add.

16. All the variables display in the right-hand pane. Scroll to the bottom and click Save.


At this point:

• The job template is defined

• Variables that do not need to be changed often are being passed through the Extra Variables section

• Variables are also being passed through the survey

NOTE: Before we launch the job template, we will go back to the BIG-IP and make sure there are no pool
members defined for the pool https-pool

17. Go back to the BIG-IP tab.

18. Click on Local Traffic > Pools.

19. Click on https-pool.


20. In APIC, go to Tenants > SJC.

21. Expand Application Profiles > SJC-APN > Application EPGs.


22. Click on Provider-EPG.

23. Click the Operational tab on the right-hand side. Only one endpoint is learned at this point.

Execute the job template

1. Return to the Ansible tower and click Launch.

NOTE: The survey will pop up. Since we have given default values, the fields will be pre-filled. If no default
values were given, these fields would be empty and the user could fill in the fields.


2. Click Next. Another pop up will appear indicating all the extra variables being passed. This is non editable.

3. Click on Launch.

NOTE: Examine the execution and wait for the job to be successful. After the job is successful go back to the
BIG-IP and now view the members in pool https-pool. You will see one member added which is the member IP
learned on APIC.


4. Examine the playbook code before moving ahead, looking at the tasks ONLY.

tasks:
  # epg_members, pool_members and pool_members_ip are assumed to start as empty lists
  # in the play's vars, which are not part of this excerpt

  # Setup the login information for the BIG-IP which will be passed to subsequent tasks
  - name: Setup provider
    set_fact:
      provider:
        server: "{{bigip_ip}}"
        user: "{{bigip_username}}"
        password: "{{bigip_password}}"
        server_port: "443"
        # Certificate validation is turned off in this lab
        validate_certs: "no"

  # Get the end points learned for the Tenant/App/EPG
  # and query the REST API end point below
  - name: Get end points learned from End Point group
    aci_rest:
      action: "get"
      uri: "/api/node/mo/uni/tn-{{tenant_name}}/ap-{{app_profile_name}}/epg-{{epg_name}}.json?query-target=subtree&target-subtree-class=fvIp"
      host: "{{inventory_hostname}}"
      # Quoted so that the leading Jinja2 expression is valid YAML
      username: '{{ lookup("env", "ANSIBLE_NET_USERNAME") }}'
      password: '{{ lookup("env", "ANSIBLE_NET_PASSWORD") }}'
      validate_certs: "false"
    register: eps

  # Parse the output from the above result and store the members in an array
  - set_fact:
      epg_members: "{{epg_members + [item]}}"
    loop: "{{eps | json_query(query_string)}}"
    vars:
      query_string: "imdata[*].fvIp.attributes.addr"
    no_log: True

  # Further filter the members to support only IPv4 members
  - set_fact:
      epg_members: "{{epg_members | ipv4}}"

  # Add those members to the BIG-IP pool
  - name: Adding Pool members
    bigip_pool_member:
      provider: "{{provider}}"
      state: "present"
      name: "{{item}}"
      host: "{{item}}"
      port: "{{pool_port}}"
      pool: "{{pool_name}}"
    loop: "{{epg_members}}"

  # Query the BIG-IP pool for pool members - this is for deleting any members
  # that are not part of the list above
  - name: Query BIG-IP facts
    bigip_device_facts:
      provider: "{{provider}}"
      gather_subset:
        - ltm-pools
    register: bigip_facts

  # Next few tasks to display the current pool members on BIG-IP
  - name: "Show members belonging to pool {{pool_name}}"
    set_fact:
      pool_members: "{{pool_members + [item]}}"
    loop: "{{bigip_facts.ltm_pools | json_query(query_string)}}"
    vars:
      query_string: "[?name=='{{pool_name}}'].members[*].name[]"

  # Member names have the form address:port; keep only the address
  - set_fact:
      pool_members_ip: "{{pool_members_ip + [item.split(':')[0]]}}"
    loop: "{{pool_members}}"

  - debug: "msg={{pool_members_ip}}"

  # Compare the Pool members on the BIG-IP vs what is on the APIC and get the difference
  - set_fact:
      members_to_be_deleted: "{{ pool_members_ip | difference(epg_members) }}"

  - debug: "msg={{members_to_be_deleted}}"

  # Delete all the members that are in the difference list
  - name: Delete Pool members
    bigip_pool_member:
      provider: "{{provider}}"
      state: "absent"
      name: "{{item}}"
      port: "{{pool_port}}"
      pool: "{{pool_name}}"
      preserve_node: yes
    loop: "{{members_to_be_deleted}}"
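
The add/delete decision made by the playbook tasks above, written out as a stand-alone Python example. This is an added illustration, not code from the lab's Git repo: the function names and the sample APIC reply and pool member list are constructed, and it goes one step beyond the playbook with an allow_empty_epg guard (an assumption of this example) that refuses to delete every pool member when the EPG query returns no IPv4 endpoints.

```python
import ipaddress
import json

# Constructed sample data, not captured from the lab: an APIC reply to the
# fvIp subtree query and the member names BIG-IP reports for the pool.
SAMPLE_APIC_REPLY = json.dumps({"imdata": [
    {"fvIp": {"attributes": {"addr": "10.193.102.2"}}},
    {"fvIp": {"attributes": {"addr": "10.193.102.3"}}},
    {"fvIp": {"attributes": {"addr": "2001:db8::5"}}},   # dropped by the IPv4 filter
    {"fvIp": {"attributes": {"addr": "10.193.102.3"}}},  # duplicate entry
]})
SAMPLE_POOL_MEMBERS = ["10.193.102.2:80", "10.193.102.9:80"]


def is_ipv4(text):
    """True when text is a plain IPv4 address."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def epg_ipv4_members(apic_reply):
    """Same selection as json_query('imdata[*].fvIp.attributes.addr') | ipv4."""
    members = []
    for entry in json.loads(apic_reply).get("imdata", []):
        addr = entry.get("fvIp", {}).get("attributes", {}).get("addr")
        if addr and is_ipv4(addr) and addr not in members:
            members.append(addr)
    return members


def pool_member_ips(member_names):
    """Same split as item.split(':')[0]; names that are not IPv4:port are set aside."""
    ips, skipped = [], []
    for name in member_names:
        ip = name.split(":")[0]
        if is_ipv4(ip):
            ips.append(ip)
        else:
            skipped.append(name)
    return ips, skipped


def plan_pool_changes(apic_reply, member_names, allow_empty_epg=False):
    """Return the members to add to and delete from the pool."""
    epg = epg_ipv4_members(apic_reply)
    pool, skipped = pool_member_ips(member_names)
    # Guard added in this example: an empty EPG result would otherwise turn
    # every existing pool member into a deletion.
    if not epg and pool and not allow_empty_epg:
        raise ValueError("EPG query returned no IPv4 endpoints; refusing to empty the pool")
    return {
        "add": [ip for ip in epg if ip not in pool],
        "delete": [ip for ip in pool if ip not in epg],
        "skipped": skipped,
    }


if __name__ == "__main__":
    print(plan_pool_changes(SAMPLE_APIC_REPLY, SAMPLE_POOL_MEMBERS))
```
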


Add/Delete endpoints

1. To get APIC to learn/add more endpoints, open the POSTMAN application from the desktop.
2. Close down any pop up screens.

3. Select Collections.

4. Navigate to collection EndPoint Management.


5. Click on APIC Login request.

• The POST request is directed towards the APIC.

• The body of the POST has the login credentials.

6. Click Send.

7. Next click Add EndPoint SJC request.


8. Click Body.

9. Change the body to the following and click Send:


<fvRsPathAtt tDn="topology/pod-1/paths-102/pathep-[eth1/3]" encap="vlan-2003"/>

10. Follow the same procedures to add a few more endpoints:

• Change body to <fvRsPathAtt tDn="topology/pod-1/paths-102/pathep-[eth1/4]" encap="vlan-2003"/> and
click Send.

• Change body to <fvRsPathAtt tDn="topology/pod-1/paths-102/pathep-[eth1/5]" encap="vlan-2003"/> and
click Send.

• Change body to <fvRsPathAtt tDn="topology/pod-1/paths-102/pathep-[eth1/6]" encap="vlan-2003"/> and
click Send.

• Change body to <fvRsPathAtt tDn="topology/pod-1/paths-102/pathep-[eth1/7]" encap="vlan-2003"/> and
click Send.

• Change body to <fvRsPathAtt tDn="topology/pod-1/paths-102/pathep-[eth1/8]" encap="vlan-2003"/> and
click Send.

• Change body to <fvRsPathAtt tDn="topology/pod-1/paths-102/pathep-[eth1/9]" encap="vlan-2003"/> and
click Send.


11. Go back to APIC.

12. Select Tenant > SJC.


13. Expand Application Profiles > SJC-APN > Application EPGs > Provider-EPG.

14. Click the Operational tab on the right-hand side and verify that all the new endpoints are displayed.

15. Go to Ansible Tower.

16. Click Jobs.

17. Click the Relaunch icon to launch the playbook again. Wait until the playbook completes successfully.


18. Go to the BIG-IP.

19. Navigate to Local Traffic > Pools.


20. Click https-pool.

21. Select the Members tab to display the pool members.

22. Go back to POSTMAN.


23. Select Delete EndPoint SJC.

24. Click Body. The body of the request is designed to delete one endpoint. Click Send.


25. Go back to APIC.

26. Select Tenant > SJC.


27. Expand Application Profiles > SJC-APN > Application EPGs > Provider-EPG.

28. Click the Operational tab on the right-hand side and verify that the endpoint has been deleted.

NOTE: Make sure the endpoint is deleted from APIC before running the playbook again.

29. Go to Ansible Tower.

30. Click Jobs.

31. Click the Relaunch icon to launch the playbook again. Wait until the playbook completes successfully.


32. Go to the BIG-IP.

33. Navigate to Local Traffic > Pools.


34. Click https-pool.

35. Select the Members tab to display the pool members.

Scheduling jobs

So far, this document has described a fairly manual process: rerunning the Ansible job by hand to keep the workload on APIC and on BIG-IP in sync.
One way to ease this burden is to create a schedule in Ansible Tower that runs this playbook every minute or every hour. The schedule can be based on your application needs and operational model.

Before creating a schedule, check the current date and time on the Ansible Tower server.

1. From the desktop, open Putty.


2. Load the tools server and click Open.

3. Login with credentials: root/C1sco12345.


4. Once logged in, run the date command and note the output, for example, Tue Aug 6 20:35:35 UTC 2019.


5. Log in to Ansible Tower.

6. Click Resources > Templates.


7. Click Dynamic EP.

8. Select Schedules.

9. Click on the + button.


10. Enter the following:

• Name: Every_minute

• Start Date: Based on the date above, choose the start date

• Start time: Based on the time above, choose a start time that is a few minutes later than the current time

• Local time zone: UTC

• Repeat frequency: Minute

• End: After

• Occurrences: 5


11. Click Save.

12. To view the schedule added, click Schedules from the menu.

13. To see the schedule in action, click Jobs to see all the jobs executed and/or executing.

14. Once the time in the schedule is reached, the playbook will execute.

NOTE: Since this playbook runs every minute, any endpoint additions or deletions you make on the APIC will automatically be reflected on the BIG-IP.

OPTIONAL: The bullets below list a few things you can try while the scheduled job is running. You can change the schedule occurrences to more than 5 to try them.

• Delete a few more members from APIC using POSTMAN and see if it is reflected on BIG-IP

• Add a few nodes directly on the BIG-IP using the Local Traffic > Nodes menu and see the behaviour once the playbook is run


Delete configuration

Now we will create job templates and a workflow that delete the configuration.

1. In Ansible, click on Resources > Templates on the left-hand pane.


2. Click on the green + sign on the upper right corner.

3. Select Job template.

4. Create a job template using the following:

• Name: Delete BIG-IP Application

• Inventory: Demo Inventory

• Project: demo_git.repo

• Playbook: docs/pure_ansible/ansible_playbooks/cleanup/bigip_delete_application

• Credential: apic1 (Select Network as credential type, and then select apic1.)

5. Click Save.


6. Create a job template using the following:

• Name: Delete BIG-IP Network


• Inventory: Demo Inventory

• Project: demo_git_repo

• Playbook: docs/pure_ansible/ansible_playbooks/cleanup/bigip_delete_network

• Credential: apic1 (Select Network as credential type, and then select apic1.)

7. Click Save.

8. Create a job template using the following:

• Name: Delete L4-L7 APIC

• Inventory: Demo Inventory

• Project: demo_git.repo

• Playbook: docs/pure_ansible/ansible_playbooks/cleanup/apic_delete_l4l7

• Credential: apic1 (Select Network as credential type, and then select apic1.)

9. Click Save.


10. Create a workflow. Click on Templates from the left-hand pane.

11. Click on the green + button on the top left corner.


12. Select Workflow Template.

13. Enter Name: Delete BIG-IP Application Workflow.

14. Scroll to the bottom and click Save.

NOTE: As soon as save is clicked, a new window opens for entering all the jobs that will be part of the
workflow.

15. Click on the green Start button.

16. From the right-hand pane, choose the Job template Delete BIG-IP Application.

17. Scroll down on the right-hand pane and click Select.


18. Hover over the node Delete BIG-IP Application until a smaller green button displays.

19. Click on the + sign.

20. From the right-hand pane, choose the job template Delete BIG-IP Network.

21. Click Select.

22. Hover over the newly added node and click the smaller green + sign.

23. From the right-hand pane, choose the job template Delete L4-L7 APIC.

24. Click Select.


25. Click Save.

26. Find the Extra Variables text box.


27. Copy the variables below and paste them into Extra Variables text box.
# Variables used in playbooks used by Job1, Job2 and Job3
tenant_name: SJC
logicalDeviceCluster_name: BIGIP-VE-Standalone

#Login credentials
bigip_ip: 198.18.128.130
bigip_username: "admin"
bigip_password: "admin"

consumer_interface: '1.1'
provider_interface: '1.2'

#External Self-IP from the consumer subnet
#Internal Self-IP from the provider subnet
selfip_information:
- name: 'External-SelfIP'
  address: '10.10.10.50'
  netmask: '255.255.255.0'
  vlan: 'consumer'
- name: 'Internal-SelfIP'
  address: '10.193.102.50'
  netmask: '255.255.255.0'
  vlan: 'provider'

vip_name: "http_vs"
#Virtual IP address from the consumer subnet
vip_ip: "10.10.10.100"
pool_name: "https-pool"


28. Click Save.

29. To verify the workflow, click the Workflow visualizer to view the workflow created.

30. Click Save.

31. Click Launch.


Appendix A. Troubleshooting the dCloud Environment


Refresh token expired

While executing the lab, you may see a refresh token or invalid token error under either of the following conditions:
• Accessing the F5 ACI Service Center application

• Running the Ansible/Postman commands

If this error is encountered:

1. Click on the Fix my Demo icon on the RDP desktop.

2. Enter 7 and press Enter.

After 10-15 seconds the Fix my Demo window will disappear.

After this step, continue with the lab execution.


What's Next?
Check out the related demonstration.
Cisco ACI with F5 ServiceCenter Lab v1
