Perfect. So good morning, good afternoon or good evening everybody, and thank you for joining our webinar. Thank you, Federica, for the introduction and, as Federica said, I'm Alexandro. I'm a technical marketing engineer for the data center and provider connectivity group. Today I will be presenting to you the latest episode we have around the Nexus Dashboard Fabric Controller series. It's time now to talk a little bit about automation, and automation in the context of NDFC.

Why is it important? Well, there are many benefits that we can all get with automation, and today my goal would be to tell you a little bit what are all the possible use cases that you could implement for your data center networking architectures, for your data center fabrics controlled via NDFC. In order to do this, in order to be able to provide you some sort of guidance, in order to be able to provide you some sort of inspiration on the different use cases that you could implement, I will need first to review why automation is important. Then I will have to explain what are the possible use cases that you can implement and what are the possible interfaces that you can use in order to interact with NDFC in a programmable way. We will try to understand what are the existing tools that will allow you to do so, and we will also cover this with some demos, some demos using different technologies.

Now, like I said, this is mostly to get you inspired. We have 90 minutes ahead of us and that should be enough to cover at least the basics. Then hopefully some of the use cases I will show you are going to be relevant for you, but as well try to understand the basics, try to think what are your use cases that you would like to automate, and build them starting from the basics that we are going to cover today.

Agenda, very quick: we will start with an introduction on automation and the benefits of automation. We will talk about Nexus Dashboard APIs, which always include as well the Nexus Dashboard Fabric
Controller APIs, because that is going to be the base for all the upcoming discussions. At this point we will move to the section about the integration between NDFC and Ansible, and finally I would like to close by telling you a little bit something around the VXLAN as Code, which is a new module for the Network as Code automation framework that Cisco is delivering.

Let's start with the introduction. We constantly talk about automation, right? Why do we talk about automation? Because automation is very important. Automation can bring us many benefits; you see the most important ones here.

We talk about increased efficiency. Why? Because automation allows us to save so much time on the routine operations, on the most basic day-to-day operations and tasks that we have to do in our daily jobs. By saving the time on those phases, by automating those phases with some sort of automated workflows, we can recover precious hours, precious days that we can invest somewhere else. And this is about getting more resources. When we talk about more resources, it could be time, time that we can reinvest in other tasks that we normally leave behind. For example, let's study a new functionality, let's review our design or let's review the documentation. Those are normally the things that we leave behind because we do not have time, and thanks to automation we will be able to get some of this time back for these tasks.

We also talk about reducing risks. Why? Because using an automated workflow allows us to deliver a predictable configuration into our environments. Now, we know that when we have predictable configurations, when we have standardized configurations, everything is going to work as we expect. If we start having drifts into the configuration, that is the moment where we start, or we will have, some problems. It's also about including additional tasks together with the configuration automation workflows. Imagine you also want to introduce some sort of validation, some sort of testing after the change is
implemented. With automation, that is where you can get all the benefits around the risk reduction. That will provide you a better user quality, a better quality for your services, for your applications and so on.

And finally we talk about accelerating business, because automated workflows can span across multiple technologies and can help us provision the entire feature set we need for a new service, for a new application and so on.

One of the most common urban legends around automation, but luckily I hear this less and less, is the following one: "I can't take advantage of automation because I'm not a software developer." And this quote is coming in this case from Cod pocket, right, a fictional character, but I've heard this also coming from customers and partners, speaking with them. My answer every time I hear this kind of quote, of statement, is the following one: that is absolutely false. Whether you are a developer or not, you can still implement automated processes, and this is what I want to show you today. Because today we are going to cover three different macro areas around automation options. We will start by looking as well at a direct API interaction, which requires some sort of coding experience, and then we're going to uncover two more methods, Ansible and VXLAN as Code. Each of them is going to abstract the complexities of coding, of writing scripts, more and more. That is going to be in order to prove to you that definitely you do not need to be a developer, you do not need to know or have any coding skills, in order to implement automated processes.

Now, all this webinar is going to be around Nexus Dashboard Fabric Controller, obviously. We know that the Fabric Controller has three main core functionalities: management, which allows us to define our intent, right, intent for our fabrics, for our overlays and so on; we have some visibility, some basic visibility that provides us insights on the state of these fabrics; and we also have automation. But when we talk
about the automation core functionality, we really mean the NDFC native automation capabilities, so the ones that allow NDFC to read the intent that the administrator is setting on the controller and transform that, render that, into real configurations that can be sent to the devices and can be transformed into running configuration onto them. But today I want to talk about something else. I want to talk about the additional automation capabilities that are exposed by NDFC via the APIs and that can be used in order to implement different use cases.

Now let's try to understand what are the most common use cases, then we're going to see how we can achieve that.

First of all, standardized deployment processes. Now, we talk about avoiding the manual clicking, the web UI use, in order to configure our networks. Why is this important? Because if we use an automated process, and let's keep it at very high level as of now, let's call it just automated process, we can ensure that every time the script, the automated process, will run, it will return to us a predictable outcome, a predictable configuration, and that means having standard configurations. It could be that if we do things manually, we forget about enabling a checkbox, we forget about a specific thing that we should do every time because it was part of our testing plan, and that is going to create problems into the future. Maybe with an automated process we can avoid all this.

We can also talk about importing data from external resources. Imagine in the context of NDFC you want to push networks, you want to push subnets, you want to push VLAN IDs, but these resources are stored somewhere else, maybe an IP address management system. Like in this case, I'm talking about NetBox, which is a very powerful one. Why do we have this use case? Well, because you do not control only data center networks, you control other network domains as well, campus one, branch offices and so on, right, and you want a central database, a central tool that can keep all
this information. So in your case you will enter the information into the IPAM, and then you will have the automated process reading the information from the IPAM and rendering the configurations, the intent that is going to be pushed to NDFC automatically. And this is also something that we are going to see during the demo.

We can talk about integrating additional applications. It's not only about automating NDFC. When we create a new network, when we create a new VRF, we always know that that network definitely has to be available on our data center fabric, but it has also to be stretched outside of it so we can attach endpoints, we can attach VMs, we can attach firewalls. With automation we can integrate different applications, we can manage all of them, we can push configurations to all of them to ensure that we have an end-to-end path, let's say an end-to-end configuration, that is going to span across all of them, and it will allow us to push the networks wherever they are required.

We can talk as well about infrastructure as code, which gives us the possibility to define the entire networking infrastructure configuration in an easy to read, easy to write file. The file can be encoded in different formats; we are going to see an example with the VXLAN as Code. But the important thing is that the same file can also be processed by the automation process, right, so it can read it, it can understand it and it can transform it into the real configuration that is going to be pushed into the devices. And we're going to talk about the different benefits in the VXLAN as Code section.

And last but not least, think about the automation pipelines. Automation pipelines are sets of heterogeneous automated tasks that we can define for our automated workflows. They can include tasks that are going to push the configurations, they can include tasks that are going to perform initial validations, tasks that are going to perform post-change validations. All of them can be part of our
day-to-day workflows that we want to use when implementing new networks, new services, new applications. Like I was saying before, the ones we just covered are just the high level of the different use cases we can achieve, right, with NDFC additional automation.

How can we interact with NDFC? Now, I will provide you three general options.

The first one is the direct API interaction, and obviously I consider this probably the most difficult one. Why? Because first of all it requires API knowledge, and when I say API knowledge I mean you need to know the different API calls that you can make towards NDFC. That requires some study. Second, in order to interact with APIs you also need the proper tools, like API testing tools, or better, you need some sort of scripts, some sort of programming languages that will allow you to play around with sending data and receiving data from the APIs.

Obviously there are pros and cons for this direct API interaction. Pros: definitely you have the full functionality set available to you. All the APIs that are used by the application can also be used by your scripts, by your code, let's say. You can integrate with any other application, because most of the time, if we think about high-level languages like Python, those high-level languages offer libraries to integrate with any kind of application, with any kind of architecture. So reading data from one side, pushing the data to the other side, talking about applications, is going to be very easy. And obviously you can manipulate the data as you want, you can play with the data as you want, you can do pretty much whatever you want. The possibilities are going to be infinite.

The cons: like we were saying before, definitely you need to understand APIs, you need to know what APIs are available, you need to be able to write some sort of code, you need to understand at least the basics of coding. I'm not saying you need to be a software developer. Definitely I'm not a software
developer, but at least I'm able to understand a little bit how to handle the code that allows me to interact with the different applications, with the different systems. And last thing, it's not good, definitely, in case you are just starting with NDFC, because you will not be able to understand what are the basics of the operational model that NDFC is offering.

The next section, the next option, is going to be around automation tools. What are automation tools? Well, those are binaries or software that are written by other companies, you know, by other people, that allow us to introduce automated workflows into our networks, because they are flexible, because they can be expanded with additional modules that allow us to interact with different tools, with different applications. As of today, Ansible and Terraform are probably the two most common, but I already want to make a distinction at this point of the webinar. When we talk about Ansible, we have an Ansible collection available that contains a lot of modules that allow you to interact with pretty much all the functionalities available in NDFC, and we are going to cover that later on. When we talk about Terraform instead, there is a Terraform provider available for NDFC. That is not something that we, by we I mean Cisco, it's not something that we have created, it's not something that we are currently maintaining. We only did a couple of pull requests into this repository and, to be honest, it doesn't offer the same feature parity as Ansible. That's the reason why I have excluded it from this webinar, because the possibilities that we have compared to Ansible are quite limited.

So now, what are the pros about using an automation tool, like in this case, you see here, right, in this slide, an Ansible playbook? First of all, we are abstracting all the complexities of the code. There is no need to know anymore how to code, there is no need to know how to keep track of the variables, eventually how to define the loops and so on, even though we
still have the possibility to implement this in Ansible if we really need to. But if we don't care about that, that's fine, we can still use static playbooks and everything is going to work fine. Additional pros for Ansible: definitely the integration, because Ansible is a well-known tool and has modules to interact with all the different applications, especially in the data center world, in the data center portfolio. Now, definitely, if you want to move in this direction you still need to do some sort of upskilling, some sort of learning. You cannot expect to install Ansible and be able to use it in five minutes. I would say it takes a few hours at least to get some sort of basic understanding and start defining the playbooks, which we are going to see in a little bit, start managing the different configurations through the playbooks and so on.

If we want to abstract things even more, at this point we have to talk about VXLAN as Code, which is an additional module, part of the Cisco Network as Code. At this point we do not care about coding anymore, we do not care about loops, we do not care about variables anymore. The only thing we care about is the data model, which is a file, a text file encoded in YAML format, which, if you believe me or not, and you can see it from here, could also really look like a running configuration on the devices. It's not that different, right? And this file is going to contain the configurations for our entire networking infrastructure. The VXLAN as Code will be able to read this file and implement whatever is required in order to push this as an intent into NDFC.

Now, the pros definitely are the fact that we do not need to know anything about coding, we do not need to know anything about playbooks, we can automate everything. The con about this is that the functionality, I would say, is very new, because it was released in the past summer, so three, four months ago. It's still missing some of the capabilities that NDFC can expose, but there is an active
development going on, so I know that they're going to release the next version quite soon and that is going already to include some new Co functionalities. But we're going to talk a little bit more about this later on.

Let's understand what is the Nexus Dashboard API architecture first, because that is going to be the key for understanding all the upcoming discussions.

APIs are the automation primary interface when it comes to Nexus Dashboard and Nexus Dashboard Fabric Controller. They are enabled by default, because the web UIs of ND and NDFC, as well as NDI and NDO, are using those APIs. They are HTTP APIs, and we can use REST, the common HTTP REST framework, in order to interact with NDFC. That means that we have the normal methods, the normal HTTP methods available, GET, POST, PUT and DELETE, which will allow us to read the data from NDFC, to add new objects to NDFC, to modify these objects or to delete them when we need.

One important point to understand when we talk about Nexus Dashboard: you know that as of today Nexus Dashboard is the common underlay platform, and when we talk about APIs, Nexus Dashboard is still the first point of contact, the first gateway, let's say, that you will have to hit in order to talk in a programmable way with all the services exposed by Nexus Dashboard, like Fabric Controller, Insights or Orchestrator. It means that on top of Nexus Dashboard we have a container which is called the API gateway container, and this container is able to understand, based on the URL, what API call we are making, and based on that it will redirect the API call to the correct container, for example the fabric builder container of NDFC, or a container of NDI and so on.

Authentication is always done on Nexus Dashboard itself, and it is compliant with the role-based access control that we have defined there. You know that Nexus Dashboard Fabric Controller supports RBAC. It allows you to define different authorization profiles depending on users, depending on groups, and
based on the authorization profile, some users or some groups might or might not be able to access a specific fabric. This is true for the web UI; it is also true for all the API calls.

Where can you find documentation about APIs? Because this is the most important thing if you plan to have some sort of direct interaction with the APIs. Now, there are two places. An online page, which I'm going to paste into the chat as we speak. The online page provides you a developer guide, which is going to contain basically a getting started guide, some general information on how you have to handle authentication, how you have to make the API calls, what are the structures and so on, and it also contains an API reference, which is very important, and we're going to understand why in the next slide.

There is also another option to get additional documentation, to get additional API testing tools, and this is inside of Nexus Dashboard. If you point your browser to your Nexus Dashboard IP or host name, slash help center, that will open the page you see here on the slide, which is the help center. From this page there is a programming section with two links. REST API is an embedded API reference, which also allows you to have some sort of interaction. It also allows you to play a little bit with APIs, and I will show you how in a little bit. And then you have a link to the developer guide, which will take you to the online page I just pasted into the chat.

Now, we were talking about API references, right? Why is that? Because API references are the key part of interacting with APIs. API references are indexes that contain the information about all the different API calls that we can make into a system. They do not only contain the list of the different URLs, they also contain information on what are the parameters that we have to specify when we want to send data to the application. In our case, if we take as an example this API here, create network, which will allow us to define a new network in
Nexus Dashboard Fabric Controller, you see that this page is telling us: okay, you will have to use a parameter inside of the URL, and this parameter is the fabric name. So we can see exactly where we have to use the fabric name inside of the URL. In addition to this, because we are posting data, because we want to create a new object, we also have to pass some sort of payload using the body of the HTML request, and down here we can see an example of the payload we have to send that contains all the required information to create a new network. If you are not sure about which items, which parameters are mandatory, which ones are not, or how a parameter should look, we can click on the button close to example value, which is called the schema, and the schema contains all that information.

Remember one thing: in the API reference index we list all the APIs that are validated, that are supported, and the ones that are being tracked, meaning that if at some point we decide to deprecate an API call because we created a different one that offers multiple or better functionalities, we are going to notify you of that in the release notes of the newer Nexus Dashboard version. You might be tempted, if you are skilled with APIs, to inspect what are the API calls that are made by the web UI in case you do not find a valid API call inside of the reference. There is no problem with that technically, meaning that it will work even if the API call is made from an external tool like a script. But remember that we might decide to change all those APIs that are not part of the API reference at any time without having notice, so that means that it could break your scripts. Just remember this point, which is very important.

How do we authenticate into Nexus Dashboard? Two options. The first option: we pass to the Nexus Dashboard /login page a payload that contains the username, the password and the authentication domain. Now, the fact that we can pass also the authentication domain is also telling you that we support for
this kind of authentication both local users as well as remote authenticated users, in case you're using TACACS, RADIUS, and you have attached them to Nexus Dashboard. The token that you get, if the input you have specified is valid, is going to be valid by default for 20 minutes. After those 20 minutes are expired, you can obviously refresh the token within that time, or you can reauthenticate again. For all the subsequent API calls that you want to make, remember that that token that was received by NDFC, that was sent by NDFC, has to be attached as a cookie for all the API calls that you're going to make subsequently.

Now, this might not be the best option in case you want to use some sort of automated scripts, because you do not want every time to input the password, nor do you want to store the password somewhere close to the script, like the files to script. Due to this we have another option, and the option is the API keys. Now, every local user, not remote users but only local users, can request an API key to be generated, up to 10 API keys for every user. This API key can be used inside of the headers every time you are going to send an API request to Nexus Dashboard Fabric Controller. That is going to be enough to tell Nexus Dashboard Fabric Controller: hey, I'm receiving a request from user Alexandro, I know that user Alexandro has these authorization rules, so I know exactly what he can request and what he can access. And this is a much better option, especially in the case where you want to embed this in some sort of script.

When we talk about support of Nexus Dashboard API, what is important to know? First of all, they are an integral part of Nexus Dashboard and Nexus Dashboard Fabric Controller. That means that if something is broken, if the APIs are not responding as they should, if the APIs are not responding with the payloads that we are expecting, we might open a TAC case and ask TAC guys to verify and eventually create a bug that is going to be
sent to the BU for fixing the problem. But there is also another route that you can have, and this is the Cisco DevNet data center community. Here you can post more general questions, for example: hey, I'm trying to use this API call, I don't really understand how I should do it, or I cannot authenticate using an API, can somebody help me? That is also valid. Remember one thing though: it's community based. That means that it's best effort, there are no SLAs, and there is also no privacy, so you really need to be careful about what data you are posting. Do not post passwords, do not post sensitive data. That is very important.

Now, three different ways to interact with APIs, and then I will show you in a demo one of them.

The first one: the API test page available in Nexus Dashboard. This is what I was telling you before. You open your browser, you point to your Nexus host name or API, sorry, or IP, slash API docs. That will take you to this page here, right, which contains the list of all the supported APIs, and it will also contain a way to play with APIs. For example, I have selected the one that says "list the role of all or given switches". The information in the page is telling me: hey, you need to pass these specific parameters, the serial number of the switches. But it also allows me, on the right side of it, to input the serial number of the switches, to click on the Run button and to see what is the result that the API is going to return to me. This is filled as well with examples that we can take a look at in order to understand better how we have to pass the parameters and so on. Obviously, in case you're running multiple services on top of Nexus Dashboard, you will have to select the right one. You see in this section of this slide, in the API documentation you have as well the option to select or to switch between Nexus Dashboard, in my case NDFC, or NDI or NDO, in order to have the correct reference.

If you do not want to do this over the Nexus Dashboard web UI, there is also the possibility to play along with
the API testing tools. One of the most common ones, one of the most known ones, is Postman. Now, Postman allows you to define all the different API calls that are exposed in NDFC and to see what the integration would look like, to understand what is the payload that the API is going to return to you, what is the payload that you have to send to the APIs. Now, it might be a problem doing all this manually, right, defining all the different APIs that you see here manually, because there are hundreds of them. And in order to help you with this, I'm pasting just now into the chat: we have released a Postman collection that contains all this information, that contains all the APIs that are exposed in NDFC, that will allow you to import the collection in Postman and start playing with that.

Last but not least, we talk about programming languages. Now, programming languages are very flexible. They allow us to do everything; there are no limits when we have programming languages. Most of the time we use high-level programming languages. That's why I use the Python icon here; at least that's the one I use the most, right, I love Python. Why do I love it? Because, like I was saying, it allows me to do any kind of action, it allows me to integrate with any kind of tool, it allows me to do any sort of logics, any sort of data manipulation that I need in order to implement my own logics in an automated way. And now I want to show you a demo about this so you can understand what I'm talking about.

Let me switch to Visual Studio Code, and by the way, I will post into the chat as well a link to the GitHub repository that contains all the examples that we are going to use today: this Python script here as well as the Ansible playbooks and the VXLAN as Code data model. So you have everything here in case you want to explore it, in case you want to play a little bit with it.

Now, we were talking about the Python script. Let me start first by describing what is the goal of this Python script. You know that Nexus
Dashboard Fabric Controller keeps track of the running configuration on the devices. If the running configuration is not the expected one, meaning that it is drifting from the intent that Nexus Dashboard Fabric Controller is storing, that device is going to be reported out of sync, and it is important for you to understand why the device is out of sync and to remediate that. Now, in the case where you do not use Nexus Dashboard Fabric Controller constantly, maybe you use it once a week, once a month, who knows, it is sometimes hard to understand if the devices are out of sync, because you don't have direct impact on this. There is no automated messaging that is sent out from Nexus Dashboard Fabric Controller. So one of the things I was having in my mind was: hey, why can't we automate this? Why can't we have a script that connects to Nexus Dashboard Fabric Controller, that gets the list of fabrics, that gets the list of devices, looks at every single device, and if the device is reported out of sync, it has somehow to notify the network administrator? And this is what I'm doing with this script.

Obviously I don't want to spend time, you know, explaining all the different options. Let's just see it in action. You can, by the way, take a look at the script, because I just pasted the link. But now let's move to NDFC, right. We have a couple of fabrics, the VXLAN fabric and the core fabric, the external fabric. We open the core one and you see the device is in sync. This is what NDFC knows about the configuration. We open the VXLAN fabric and we also have all the seven devices in sync.

Let's try to change this. So we are going to open the device, and as you can see, in this case I'm using CML. I will open the core device and I'm going to change some configurations manually, right, because we still can do that. If we are using NDFC, nobody stops you from going on the device and changing the configuration manually, even though you should not do that. But with this script we can understand if someone
did it. So let's do show run interface ethernet 1/1. I think this is a configured, yeah, this is an interface configured by NDFC, it is providing connectivity between the external fabric and the VXLAN fabric. Now what I will do, I will do a quick change, so interface ethernet 1/1, better, then we're going to change the MTU, right: from 9216 we are going to set 9000.

If we go back immediately into Nexus Dashboard Fabric Controller and we open the core fabric, you see that the device is still in sync, but this is normal, because NDFC performs the configuration compliance verification by default once per day. It means that it could take up to 24 hours for NDFC to understand that there was a change. This is something that you can change though; it's something that you can change manually and reduce down to maximum or minimum 30 minutes.

Now let's see what the script would say in our case. So I'm going to expand a little bit my terminal. I need to get into the API interaction folder, and now we're going to do python3, and the script name is check and report status. We run the script and, like I said, the script is going to connect to all the devices, sorry, to NDFC, it's going to get the list of devices, it's going to check for every device what is the status. Now, we have two ways to check the status, and that is going to be dictated by this mode that we are setting here, aggressive or not. Now that we are using the aggressive way, we are simply telling NDFC: hey, I do not care about what status you know now, really, as of now, like we said before when we open the core fabric; I want you to pull the latest running configuration from the devices and compare that one with your intent.

And you see that the script is telling me device core one is not in sync, and it has also notified the administrator by sending a Webex message. So if I open the Webex window as of now and we scroll up a little bit, you see 10:38, which was a few seconds ago, we got this message: device core one in fabric ban ml
Workshop core is not in sync, and it is also telling us what is the difference in terms of configuration that should be applied to the devices. This is what NDFC is providing. At the same time, if we go back to NDFC again and we refresh this page, you see that the device is reported out of sync, because the script triggered the configuration compliance review on NDFC. And this is just one possible use case, but the real point here is that with scripts, with code, you can do pretty much whatever you want.

Now I'm going to open a new poll around this section. Actually, I have to open two polls, sorry, because there was also one about the previous section which I did not open. So I will leave this one open for five minutes and then I will open the API architecture one, and in the meantime I will switch back to my slides.

Now, demo done. The question is: is this too much for you? Is it too complex to play with Python, to play with code? But that is not a problem at all. The reason is again the same that I said before this morning, right: we are in 2024, we have so many different tools that allow us to interact in an automated way with several applications, with several architectures, with the complexity that we need, meaning maximum complexity, coding, or minimum complexity, the maximum level of abstraction that we can have. Today we are going to learn two of them. We will start with Ansible, and I will start by talking a little bit about the integration we have between NDFC and Ansible.

The first thing, the first important thing: let's try to review the Ansible architecture. I'm not intending to explain to you how Ansible works; that is going to take me probably hours, which I don't have. I will try to do this just in a couple of minutes. Now, we know that Ansible is an automation tool. That means that it is a tool written by someone else that allows us to benefit from some core functionalities, from some core binaries, to implement some sort of logics that we can define but that are going to use the inner binaries of
Ansible in order to be pushed, in order to be rendered and applied to the applications, to the devices that we want. Now, Ansible is totally written in Python, and now you might be saying: well, you just said that I do not need to know anything about coding. And that is still true, because the places where we find Python in Ansible are the core functionalities, the binaries of Ansible, and the modules. Now, the modules are add-ons that we can add to the vanilla installation of Ansible and that will allow us to interact with different applications, with different architectures. Into today's use case we can talk about the modules that are going to allow us, via Ansible, to talk with NDFC; this is what we are going to see. But the beauty of all this is that you do not need to care about the modules, nor do you need to care about the Ansible core binaries or code. That is something that is going to be totally abstracted to you: no need to know Python.

What do you need to do, then, when you start using Ansible? Well, in the context of NDFC we have three different sections that we might be aware of, that we need to be aware of. The first one is the Ansible configuration file. Why is that? Because Ansible requires a couple of changes, a couple of parameter changes around timeouts when it has to speak with NDFC, something that you do once, the first time you install the, uh, the modules for NDFC, and then you can forget about it. The next file I want to talk about is the inventory file. Even this one is something that you mostly touch once, the first time you start, uh, configuring Ansible, and then you can forget about it. The inventory file contains the information about NDFC: what is the NDFC, uh, host name or what is the NDFC IP, what's the username, the password that I have to use in order to interact with NDFC, and additional parameters that we might set or we might not set depending on our use case. Everything is documented, by the way; there are no surprises here. The last bit, and the most important one, are the playbooks. The playbooks are
the text files, even in this case they are written in YAML, that tell Ansible what are the different operations that it has to do. So the playbooks contain information on what is the automation we want to run, in our case towards NDFC. Playbooks contain a list of tasks, and each task has to be bound to a module. The modules in our case could be all coming from the, uh, collection that includes the NDFC functionalities, the NDFC modules, or can be also other modules that allow us to integrate, to interact with other applications, something that we're also going to see into the Ansible demo.

Now, where can you find the documentation on how to get started with Ansible? Well, we have the Ansible Galaxy portal that contains the information about all the collections. When I say collection, the collection is the name for a group of modules, uh, exposed, shipped by the same entity. Like in this case, we have the collection cisco.dcnm that contains all the modules that we can use to interact with NDFC. So if I'm talking about NDFC, why is it called DCNM? That's the question you might be asking. Well, if you remember, NDFC is coming from DCNM, NDFC is the evolution of, uh, DCNM, and the Ansible collection can work with both of them. It was existing also before NDFC; that's the reason why we kept the original name. Changing it at this point might be quite complicated; we will see in the future what we can do.

So now you can access the Ansible Galaxy portal, you can move to the cisco.dcnm collection, and here you have the first page that is going to tell you how to install this collection and how to start using it, what are the initial configurations. I want to tell you that this collection is developed, is maintained by Cisco. Especially in the last months there have been a lot of changes; we have introduced a lot of new modules that you can use.

So the next exercise I want to do: let's try to understand what are the most important modules around NDFC. I have divided them into two categories, not because they are working
differently, but simply because most of the times I've run this kind of NDFC webinar series we are talking about VXLAN EVPN fabrics, so I think it is important to differentiate what you can do as well into those fabrics. Now, talking about VXLAN EVPN, with Ansible we can totally manage the VXLAN EVPN fabrics: we can manage the VRFs that we want to attach to these fabrics and that we want to extend to these fabrics; we can manage the networks, we can attach the networks, we can define, modify, delete the networks. We have the full life cycle control about the overlays, basically. We can also define policies around the service nodes, the layer 4 to layer 7 service insertion devices: we can create the policies, the nodes, the interfaces, the connections and so on, everything through an Ansible module.

And then we have also the other modules, the more general ones, that are applicable to any kind of fabric configured into NDFC. We have the dcnm_fabric module that allows us to create those fabrics, to define their properties; the inventory module, another important one, which allows us to import the devices into the fabrics; we have the vPC pair, that you can imagine what it allows us to do, right; we have the policy module; we also have the dcnm module, sorry, the dcnm_rest module, the last that you see here, which is very important, and you will understand why in a little bit. All the ones which are flagged with an asterisk are the ones that we recently released: so the fabric, the vPC pair, and this dcnm_image_XX, which contains multiple modules, right; there are multiple modules that are all prefixed with dcnm_image that allow us to handle the life cycle of the image management of the devices controlled via NDFC. Let me show you just a few examples over the slides and then we're going to jump into the demo.

And by the way, I will, uh, switch the service now, Alexandro.

I combine them both. I combine them both, yeah, so they're both running.

You are a legend, thank you.

No problem. All right, so like I was saying, dcnm_fabric, right: this is
maybe the first module you want to start with in NDFC. What does it allow you to do? Well, it allows you to create fabrics. Fabrics are different, right: depending on the template we want to use, we can have the VXLAN EVPN fabrics, we can have the external fabrics, we can have the ISN, the inter-site network fabrics, that are going to put multiple VXLAN EVPN in communication over the multi-site domain. You see from the example here that the configuration is pretty easy: we create, or we provide, the name to our task; we associate to the task the module cisco.dcnm.dcnm_fabric, again this is the structure we have seen in the previous two slides; we tell about the state, which controls what is the operation we want to do into this task, and I will get back to the state in a few slides because this is very important; and then we pass additional configuration parameters to the task, so that it knows exactly what is the payload that it has to send to NDFC APIs in order to create the fabric.

Why is it not moving? Let me click. All right, the next one is the dcnm_inventory. Why do we use the dcnm_inventory? Well, we use it when we have defined the fabric and we want to start adding devices into the fabric, exactly the same you would do by the web UI. How do we add the devices? Well, we can discover the ones that have already been configured with their management IP, easy peasy, or we can also use the module with the POAP option, as you can see now into this example, and this will allow NDFC to listen for incoming DHCP requests from the devices looping into the POAP phase. If you remember, the POAP for Nexus is the zero-touch provisioning process, and once NDFC listens, or gets a request from the device, it will send its initial configuration as well as the software image that we have specified into our policy. Like in this case I'm saying 1042, right. Actually, I don't think this is the right parameter, probably there is another one that you have to use, but still you can tell through this playbook what is the image
that NDFC has to send together with the initial configuration.

We can have the dcnm network policy. Well, let's not spend too much time over this one because we are going to see it into the demo, but you can understand what it allows us to do: we create overlay networks and we also attach the network to the devices where we want to trunk them.

This is interesting: dcnm_policy. Now, you know that NDFC is fully based on policies. Policies are created when we run the NDFC workflows, for example when we create a network and we want to attach the network to a device; in that case NDFC creates all the required policies and attaches those policies to the devices. Policies are also important for the fabrics which are not VXLAN EVPN fabrics, or which are not easy fabrics, the ones that have all the inner automation workflows. Why is that? Because policies are basically templates that allow us to specify parameters, and once we have associated a template, and we have passed the required parameters, and we have made the association all together with the device, at this point NDFC knows that it has to render that specific template configuration and push it into the device.

Now think about the use case you're partially seeing here, and I will also send to you a playbook; you can also find the playbook in the file, sorry, in the GitHub repository that I sent you before. It's called Play 4 and contains the full example. But the idea here is to configure a fabric which is not an easy fabric, for example a core fabric or an ISN fabric. Now, NDFC by default doesn't know much what it has to do with these devices: it doesn't know if it has to create OSPF configurations, it doesn't know if it has to create, uh, BGP configurations, unless that is for the direct link interconnected with the VXLAN EVPN. But with the policies we can push whatever we want in a programmatical way. In this case, for example, for this device here, I EXN one one, I'm easily telling NDFC by Ansible, by this Ansible playbook: hey, I want OSPF attached to
this device, I want an OSPF process to be added to this device, and I want these parameters to be passed to the OSPF process. Now, what I'm doing here, I'm combining a variable statically defined into the playbook together with another set of variables defined outside, which are common to all the OSPF router configurations that I want to attach into the fabric. The translation of this playbook will look like this into NDFC: it's going to look like a policy which is attached to a device, a policy template using the router OSPF classic template with all the parameters that I have specified before. And the final iteration of all this is the following one: the generated configuration. Now, this is what NDFC does in terms of automation natively: it generates the configuration of the policies and it pushes them to the devices. What we have seen now is how we can trigger all this in a more programmable way.

And the last module I want to cover over the slides is the following one, the dcnm_rest. Like I was telling you before, this is very important because it allows us to trigger any kind of API call we want towards NDFC, in the case where there are some functionalities missing into the NDFC Ansible module or Ansible collection. Example you see here: what are we doing? We have defined two more tasks, one task called recalculate and one task called deploy. Why is that? Because there is no native module for the Ansible collection that can do this into the fabrics. Now, what are we doing then? Well, we are simply sending a POST, an HTTP POST, using this API URL here, and obviously you need to know the API URLs at this point, but this is going to trigger the recalculate first, with the config-save route, and the config-deploy, the deploy operation, later on.

Now, why is it very important? Let me tell you this story very briefly. You remember when I showed you all the modules into that slide, at least the most important ones: the ones that were marked as new are something that we have released into the past summer. One
of them was very important: the fabric, the dcnm_fabric module. Before we had that option available, every time I wanted to create a new fabric I had to use the dcnm_rest module, I had to use the API URL that was, uh, the current one in order to create a new fabric, and I had to pass a huge payload of data inside of that API call, all the data that was specified in the configuration of that fabric. Now instead, that we have released the module, I'm simply using that one, and that simplifies my life. But still, I always have a fail-safe in case the module cannot do something that I would like to do in NDFC.

Where can you find documentation about the modules? Where can you see if the modules' parameters are mandatory, are required or not, what are the different choices? The answer is the same as before: the Ansible Galaxy portal. Again, you look for the cisco.dcnm, then you have the documentation option I'm highlighting now, and this will take you to the page that is going to list all the different modules, and on the central column you'll get all the details about that.

Did you lose me? Because my VP, I see the VPN client flopped.

No, no, all good, Alexandro, but I'll take the opportunity to raise a question to you.

OK, yeah, go for it.

The question is: if I'm using a policy to configure an interface, do I use the dcnm_policy module to edit the configuration, or do I use the dcnm_interface module for that case?

You do the interface. I mean, if you have a more specific one, because remember, the policy, all right, is going to generate the actual policy template into the policy list of the fabric. The interface does the same at the end, because at the end it's just a matter of policies, but I think it's more, uh, how can I say, it's more logical to use that one, because it would be the same action as going into the interfaces list and changing the settings of the interface there at that point. Because remember one thing: that the interface policy, sorry, yeah, the interface policy, the
interface template might be also generating multiple policies, not a single one but multiple ones. So if you use the dcnm_interface module, it means that it will cascade, it will generate all the required sub-policies. If you do it by the policy instead, you might have to create multiple ones on your own, one by one.

Yes, understood, thank you Alexandro.

No problems, no problems. Now, the very important thing I was telling you before: the states of the module. Every time we define a task and we attach a module, most of the times, let's say, we also have to provide the state, and the state defines the condition of the object into NDFC. If we are using merge, and by the way, if you don't get this from my explanation, because it's not that immediate to be honest, if you don't get this from the slide, I will show you in the demo what I mean. But if I use merged, it means that I'm going to push any new objects or any missing objects into NDFC, or I'm going to update them in case the information I have into the playbook is different from the data I have in NDFC. If the playbook is missing some parameters, I don't care: I will not touch the ones I have in NDFC.

Replaced is quite similar, but there is a substantial difference. We still create an object if it's not available, if it's not already defined in NDFC, but in the case where the object is defined in NDFC, we take a look at all the properties we have into the playbook. If any property, if any data, is different on NDFC, we are going to replace it with the one we have into the playbook, but for all the properties that are not defined into the playbook, we are going to reset the ones in NDFC, so we are going to set the default values. And this is something very important.

The next one is the most dangerous. I mean, if I could have an entire slide with a red flag, I would probably do that. Why is that? Because with overridden we risk to delete everything we have in NDFC which is not specified into the playbook. Example: in my playbook I have only two
networks and I'm using the overridden state. That means that those two networks are going to be created or updated, but all the other ones that I have in NDFC are going to be removed. Something very dangerous. My take on this is that you should use overridden, well, then you should not use overridden; you should use it only if you're extremely sure about what you're doing, because it's very dangerous.

Deleted basically means: OK, the networks I have listed into my playbook, into my tasks, are going to be deleted. Query: I will use query when I simply want to retrieve the current status, the current configuration of that specific object, for example the network, the VRF or the switch that is contained at the moment in NDFC. But like I said, I will show you this in a demo.

Before we jump to the demo, though, let me talk a little bit about support, even for Ansible, because it is important to understand. Now, the collection, the Ansible collection for DCNM, NDFC, you can still manage both of them with the same collection, is maintained by Cisco, like I was telling you before, and is, uh, publicly available. It's open source, right, we host all the code on GitHub. How can you get support for this? But the way is the community way: so you either open an issue on GitHub if you're running into some weird problems, or also if you need some sort of information, or you can use the Cisco DevNet community, again another portal, another place where you can get all sorts of help from, uh, program, sorry, from automation experts coming from all over the world. Remember, though, that this is still community-based, so that means no SLA, that means no privacy. Remember to be extremely careful when posting data, when posting traces, when posting logs that might be containing sensitive information.

There is also a learning path available for NDFC, if you want to take a look. I'm listing the link into this slide, and this contains, uh, Ansible examples as well as Terraform examples, so at least you can see, you can understand that difference
between the two of them, like I was telling you before.

All right, let me move to the demo and show you some action with Ansible. I'm going to switch again to my Visual Studio Code. First thing I want to do: I want to open the right folder, the same that you are going to find into my, uh, repository that I posted before. So we are going to use Ansible examples and we're going to expand the playbooks folder. Let me close this file here and let's start with playbook number one. Now let's also change folder into the terminal: Ansible examples. All right.

Playbook number one is showing you a very easy example on how we can create VRFs and how we can create networks in Ansible. Obviously we have two tasks: the first task is going to create a VRF, the second task is going to create one network for now. Both of them are attached to a module, to a dcnm module, dcnm_vrf and dcnm_network, and both of them contain additional information, like where is the fabric where I want to apply this configuration, what are the additional parameters, for example, or the additional payloads that I want to send with this module. In my case I'm creating a single VRF called Ansible static VRF with some templates association and so on. If you are not sure what are the mandatory, uh, values, you can refer to the Ansible Galaxy portal, looking at the cisco.dcnm documentation.

For networks we do something very similar. We are creating, actually, you see, this is something I left from my previous test, so I will move to merge again, to the state, to show you all the possible options. But for network we're doing something very similar: we are defining a network, we call it Ansible static network one, with some parameters, net ID, VLAN ID, subnet, and where we want this network to be attached. Take a look at this option here, deploy true. What does it mean? It means that at the same time when we are going to push the configuration into NDFC, we are also going to trigger the recalculate and deploy. Now, if you have one
network, if you have two networks, that is fine to leave the deploy at this point. If you're pushing 50 networks, you might not want to do that: you might want to set the deploy option to false, and only at the end, or after the create n tasks, you want to trigger a full recalculate and deploy for all the fabric. What's the difference? If you do the deploy every time you create a new network, and this is going to be a loop on the module, you will have to wait for the recalculate and deploy to happen, which probably means one minute wait. If you multiply that for 50 networks, it means that you have to wait 15 minutes ID don't just for the recalculate and deploy to happen. But let's avoid this now, and let me show you how you can do this.

Imagine that we also want to create a second network, by the way. Imagine that we are going to take all this, right: we copy, we go to a new line and we paste it. Now, exactly the same, we can keep the same information, we can keep the same data into the playbook. The only thing we're going to do: we're going to change the network name, we are going to change the IP, very easily, we are going to change the VLAN ID, otherwise NDFC is going to get upset with us, and we're also going to change the V ID, right, just to have different things. We can reattach the same network to the same devices, to the same port channel, which is a vPC port channel in this case.

Now let's run the playbook, and while the playbook runs we can also jump into NDFC and check what was the current configuration. So in order to run the playbook, I'm going to do ansible-playbook, minus i, which is inventory, and I will tell Ansible which is my inventory file that contains information on NDFC, and then I want to run the playbooks, playbook one. The last thing I will do, but this is just in, uh, my example, in my playbook: I will also add ask vault password, because some of the secrets are encrypted. So enter, I'll pass this for password, and while this is running we jump back to NDFC and we take a look at our fabrics here.
We move to the VRFs, see, you see we do not have a static VRF yet. If I try to look for it, find it, static, there is nothing static VRF, because it is actually getting created now. Let's move back to Visual Studio Code. OK, VRF should be created, so while the networks are created let's go back here and hit on refresh, and there we go, we have the static VRF defined. You see it is also in progress. Why is it in progress? Because while we are creating the networks, actually we already created the networks in the meantime, we are also triggering the deploy, which means that the VRF is going to be deployed into some devices. So if we go back here now and we hit the refresh again, there we go, the VRF is deployed, all good. If we move to the networks and we take a look, we have static network one and static network 2 deployed. Double click, network attachments, and we see that they are deployed into port channel 10. Perfect, exactly what we wanted.

So before we move to the next playbooks, let me just show you over this example what are the differences between the states. Instead of merge, we are going to use replaced. Now we keep the configuration as they are; the only thing I will do is I will remove some options. Do I have something I can change here? Not really, not really. I should have added maybe a description before, which is not here, but let's maybe just do net, I think is description. Let me take a look from a different playbook if we have it: net ID, net extension, it's not. All right, let's take a look: Ansible Galaxy, Ansible dcnm, and we take a look at what options we have in order to set a description. So documentation, we open the network one, and we find description: interface description, for example. There we go. All right, so playbook one, interface description, and we give the same name as the network name, and we do the same down here, right. Because we are using replaced, it means that if the value is not into NDFC we are going to push it once more. So let's do this and let
2025-01-06 16:31