#CiscoLive
BRKOPS-3028: Real-World Automation in Multidomain IBN Networks
Jeremy Bowman, ibnsrevenge
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App
Questions? Use Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.
https://

Who are you?
Jeremy Bowman, Sr. Delivery Architect, Cisco CX
- 8+ years Cisco
- CCIE #51241 (R/S, Security)
- CCDE #2018:16
- Specialized in: Full Enterprise IBN with Security and A

Albert Einstein: "Everyone knew it was impossible, until a fool who didn't know came along and did it."

Agenda
- What Are Multidomain IBN Networks
- How Can Automation Help
- Automation Troubles
- Simple Use Case: Device Password Management
- More Complicated: CI/CD Template Management
- Complicated: New Client Segmentation
- Conclusion

Multidomain Networks

Multidomain IBN Networks
Characteristics
- Unique controller for each domain: vManage, APIC, DNAC, Meraki Cloud
- Different network architectures:
  - OMP route-reflector control plane, IPsec data plane
  - COOP, MP-BGP EVPN, VXLAN
  - LISP, VXLAN, Cisco TrustSec
- Different API approaches; even login/token differs

Automation

Automation and Orchestration
Automation: performing an action on a single device without human intervention.
- Would EEM qualify?
- What about the same one change on multiple devices?
Orchestration: performing various unique automation changes in a coordinated way to achieve a desired state.
- Domain One and Domain Two should work together

Enterprise Concerns When Moving to IBN
Monitoring
- Enterprise tools utilize older practices
- Streaming telemetry
- Monitoring versus observability
Management
- Enterprise tools written with CLI in mind
- Domain controllers use UI

CI/CD and IaC
Continuous Integration/Continuous Delivery
- Configurations centrally stored in a repository
- Production environment same as test environment
- Validated testing
Infrastructure as Code
- State is maintained via templates, YAML
- Is reproducible

CI/CD and IaC (diagram)

Automation Troubles

Automation Concerns: How do I get started?
- May be overwhelming at first, but not impossible.
- The UI is the API.
- Best friends: Chrome inspection, Postman, curl
Automation Concerns: What about enterprise security?
- No hardcoded passwords
- Uses TLS
- OWASP followed

Automation Concerns: Where can I find documentation and examples?
- DevNet https://
- Blogs https://
- Learning Labs https://
- https:// to try it out (lab)
- https://vManage:8443/apidocs

Automation Concerns: What about results?
- Webex has APIs too!
- Post results as a markdown message in Webex Teams
- Incoming webhooks: not a bot, cloud based, TLS

Device Password Management

Use Case
Multiple domains: SDWAN, SDA
Security requirements:
- Last-resort password (local admin user) must change every 90 days.
- Hundreds of SDWAN routers with many device templates.
- Hundreds of SDA fabric devices.
- Passwords managed via third-party tool.
- Same password or different password per device or domain?

Solution Breakdown, One Piece at a Time: Password Management Tool
- Third-party tool; limited access, SecOps only
- Manages passwords and updates on device schedule.
- Supported options: SSH to device, HTTPS to controller, Python scripting

Solution Breakdown, One Piece at a Time: SDWAN
- Passwords are variables in templates. No other variables are changing.
- High-level API workflow:
  1. vManage login and token
  2. Determine template attached to device(s)
  3. Export the template CSV (list of dictionaries)
  4. Update CSV and push to vManage

Solution Breakdown, One Piece at a Time: SDA
- Passwords are inherited from the DNAC site design hierarchy.
- Additional users can be managed via CLI templates.
- High-level API workflow:
  1. DNAC login and token
  2. Obtain password template ID
  3. Deploy template with updated password
Final Solution
Password management tool initiated:
1. Selects device for update.
2. Determines domain for the device selected (SDWAN or SDA).
3. Generates a new random password.
4. Uses API calls based on domain workflow.
5. Validates new password after modifying AAA order to prefer local over TACACS.
6. Restores AAA order of preference.

Final Solution, SDWAN: Login
Two steps: cookie and token.
- /j_security_check returns a cookie
- /dataservice/client/token returns the token in the body

Final Solution, SDWAN: Subsequent Calls
Cookie and token provided in header.

Final Solution, SDWAN: Identify Template ID Attached to Target Device
Identify chassis number of device (chasisNumber is vManage's own key spelling):
```json
{"data": [{"deviceIP": "192.168.255.21", "chasisNumber": "ISR4331/K9-FLM225008MH", "site-id": "3001", "host-name": "SOME_HOSTNAME", "availableVersions": "17.06.03a.0.3", "template": "SOME_TEMPLATE", "templateId": "6b3d9c50-6d49-4faf-ad99-aaeeb15d4e55"}]}
```

Final Solution, SDWAN: Use Information to Get Current Variable Values
```json
{"data": [{"csv-status": "complete", "csv-deviceId": "ISR4331/K9-FLM225008MH", "csv-deviceIP": "192.168.255.21", "csv-host-name": "SOME_HOSTNAME", "User_Password": "cisco.123"}]}
```

Final Solution, SDWAN: POST variables back to vManage with new password. Returns a Task ID.

Final Solution, SDWAN: Monitor task status.

Final Solution, SDA: Login returns a token to be used in the header as X-Auth-Token.

Final Solution, SDA: CLI template created that configures the user on the device.

Final Solution, SDA: Get template to deploy.
```json
{"name": "MySuperTemplate", "projectId": "0223b225-59b1-430a-95ef-4a548cf8d7aa", "templateId": "50209745-1c97-44c2-955a-1a7defb1a9f9", "versionsInfo": [{"id": "8860eed6-c039-4364-9aec-e4b00daaba01", "description": "", "author": "SYSTEM", "version": "1", "versionComment": "ImportedTemplate", "versionTime": 66}]}
```

Final Solution, SDA: Deploy template to target device.

Issues and Hiccups
- Static passwords for vManage/DNAC login: AAA service account for the tool
- What about the controllers?
  - vManage: API for vManage
  - DNAC: via SSH for the UI user and maglev
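The SDWAN workflow above as an added worked example (not code from the session): it models finding the attached template, exporting the variable rows, rotating only User_Password and building the push body as offline functions over the JSON shapes shown on the slides. The sample responses are constructed; the X-XSRF-TOKEN header name and the attach-body keys are assumed from vManage's documented API rather than taken from the slides.

```python
import copy
import secrets
import string

# Constructed sample responses shaped like the slides' device list and CSV export
# (two devices attached to the same template; only the first one is being rotated).
DEVICE_LIST = {"data": [
    {"deviceIP": "192.168.255.21", "chasisNumber": "ISR4331/K9-FLM225008MH",
     "host-name": "SOME_HOSTNAME", "template": "SOME_TEMPLATE",
     "templateId": "6b3d9c50-6d49-4faf-ad99-aaeeb15d4e55"},
    {"deviceIP": "192.168.255.22", "chasisNumber": "ISR4331/K9-CONSTRUCTED02",
     "host-name": "OTHER_HOSTNAME", "template": "SOME_TEMPLATE",
     "templateId": "6b3d9c50-6d49-4faf-ad99-aaeeb15d4e55"},
]}
TEMPLATE_VALUES = {"data": [
    {"csv-status": "complete", "csv-deviceId": "ISR4331/K9-FLM225008MH",
     "csv-deviceIP": "192.168.255.21", "csv-host-name": "SOME_HOSTNAME",
     "User_Password": "cisco.123"},
    {"csv-status": "complete", "csv-deviceId": "ISR4331/K9-CONSTRUCTED02",
     "csv-deviceIP": "192.168.255.22", "csv-host-name": "OTHER_HOSTNAME",
     "User_Password": "cisco.123"},
]}

def auth_headers(cookie: str, token: str) -> dict:
    """Headers for every call after /j_security_check (cookie) and
    /dataservice/client/token (token). X-XSRF-TOKEN is vManage's documented
    token header name (assumed); the slides only say 'cookie and token in header'."""
    return {"Cookie": cookie, "X-XSRF-TOKEN": token, "Content-Type": "application/json"}

def find_template(device_list: dict, device_ip: str) -> tuple:
    """(templateId, chasisNumber) for the device with this system IP.
    chasisNumber is vManage's own key spelling and must be used as-is."""
    for dev in device_list["data"]:
        if dev["deviceIP"] == device_ip:
            return dev["templateId"], dev["chasisNumber"]
    raise LookupError(f"{device_ip} is not attached to any device template")

def new_password(length: int = 20) -> str:
    """Random last-resort password from a CSPRNG; never hardcoded or logged."""
    alphabet = string.ascii_letters + string.digits + "!%+-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def rotate_password(values: dict, chassis: str, password: str) -> list:
    """Copy of the exported variable rows with User_Password replaced for one
    device only; every other variable and device is pushed back unchanged."""
    rows = copy.deepcopy(values["data"])
    hits = [r for r in rows if r["csv-deviceId"] == chassis]
    if len(hits) != 1:
        raise LookupError(f"expected one row for {chassis}, found {len(hits)}")
    hits[0]["User_Password"] = password
    return rows

def attach_payload(template_id: str, rows: list) -> dict:
    """Body for the push call that returns the Task ID; key names are assumed
    from vManage's attach-feature API, not shown on the slides."""
    return {"deviceTemplateList": [{"templateId": template_id, "device": rows,
                                    "isEdited": True, "isMasterEdited": False}]}
```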
CI/CD Template Management

Use Case
Client environments: SDWAN Dev, SDWAN QA, SDWAN Prod
Template requirements:
- Dev environment is for development and experimentation of new templates.
- QA environment is for testing and validation of a version. Must match the Dev version.
- QA templates are promoted to Prod. Must be an exact match.

Solution Breakdown, One Piece at a Time: Template Location
- Three vManage deployments
- Naming conventions
- Device templates are composed of feature templates
- Device templates: data structures
- Feature template IDs are unique

Solution Breakdown, One Piece at a Time: Template Management Tool
- Promotion of a device template requires the exact feature templates: same names and versions
- Remove templates from Prod if not matched in QA
- Workflow: Git repository for Dev; GitLab runner deploys to QA; approval deploys to Prod

Final Solution
Workflow initiated by developers:
1. New templates/versions are created in Dev vManage.
2. Candidate template committed to the Git repository; the data structure includes the required Dev feature templates.
3. GitLab workflow provisions versioned templates on QA vManage.
4. QA testing and validation is performed.
5. If the template is approved, GitLab continues; if the template fails, it is removed from QA and notifications are sent.
6. GitLab provisions to Prod an exact replica of the Dev and QA version.

Issues and Hiccups
- Unique feature template IDs on Dev: different from QA, different from Prod. A script is used to marry IDs to names and update.
- Who created the template? All QA and Prod templates are only created by the runner's user; all others are removed.
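An added example (not the session's script) of how the template management tool can marry feature template IDs to names during promotion and decide which target templates to remove. The inventories, names and the gitlab-runner account are constructed; templateName, templateId and createdBy are fields of vManage's feature template list, and the version is carried in the name per the naming convention.

```python
RUNNER_USER = "gitlab-runner"  # constructed name of the runner's AAA service account

# Constructed feature template inventories (feature template list) per vManage.
DEV_FEATURES = [
    {"templateId": "dev-1", "templateName": "AAA_v2", "createdBy": "alice"},
    {"templateId": "dev-2", "templateName": "VPN0_v3", "createdBy": "alice"},
    {"templateId": "dev-3", "templateName": "VPN0_GE0_v3", "createdBy": "alice"},
]
QA_FEATURES = [
    {"templateId": "qa-1", "templateName": "AAA_v2", "createdBy": RUNNER_USER},
    {"templateId": "qa-2", "templateName": "VPN0_v3", "createdBy": RUNNER_USER},
    {"templateId": "qa-3", "templateName": "VPN0_GE0_v3", "createdBy": RUNNER_USER},
    {"templateId": "qa-9", "templateName": "VPN0_v2", "createdBy": RUNNER_USER},  # stale version
    {"templateId": "qa-7", "templateName": "TEST_BY_HAND", "createdBy": "bob"},  # not the runner
]
PROD_FEATURES = [
    {"templateId": "prod-1", "templateName": "AAA_v2", "createdBy": RUNNER_USER},
    {"templateId": "prod-2", "templateName": "VPN0_v3", "createdBy": RUNNER_USER},
]
# Constructed Dev device template definition: feature templates referenced by Dev IDs.
DEV_DEVICE_TEMPLATE = {"templateName": "BRANCH_ISR_v3", "generalTemplates": [
    {"templateId": "dev-1", "templateType": "cisco_aaa"},
    {"templateId": "dev-2", "templateType": "cisco_vpn",
     "subTemplates": [{"templateId": "dev-3", "templateType": "cisco_vpn_interface"}]},
]}

def names_by_id(features: list) -> dict:
    return {f["templateId"]: f["templateName"] for f in features}

def ids_by_name(features: list) -> dict:
    return {f["templateName"]: f["templateId"] for f in features}

def remap(entries: list, src_names: dict, dst_ids: dict) -> list:
    """Rewrite generalTemplates (recursing into subTemplates) from source IDs to
    the target's IDs for the same name; a name missing on the target blocks
    promotion because the promoted template must be an exact match."""
    out = []
    for entry in entries:
        name = src_names[entry["templateId"]]
        if name not in dst_ids:
            raise LookupError(f"feature template {name!r} missing on target; promotion blocked")
        new = dict(entry, templateId=dst_ids[name])
        if "subTemplates" in entry:
            new["subTemplates"] = remap(entry["subTemplates"], src_names, dst_ids)
        out.append(new)
    return out

def promote(device_template: dict, src_features: list, dst_features: list) -> dict:
    """Copy of the device template ready to POST on the target vManage."""
    general = remap(device_template["generalTemplates"],
                    names_by_id(src_features), ids_by_name(dst_features))
    return dict(device_template, generalTemplates=general)

def stale_on_target(target_features: list, reference_features: list, runner: str) -> list:
    """IDs to delete on the target: feature templates with no same-named template in
    the reference environment (QA vs Dev, Prod vs QA), or not created by the runner's user."""
    reference = {f["templateName"] for f in reference_features}
    return sorted(f["templateId"] for f in target_features
                  if f["templateName"] not in reference or f["createdBy"] != runner)
```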
New Client Segmentation

Use Case
Multiple domains: SDWAN, ACI
Business requirements:
- Managed call center services. Each client must be segmented from all others.
- New client onboarding requires configurations on many devices in many locations.
- ACI provides segmented services. Segmentation is maintained to remote locations through SDWAN.

Solution Breakdown, One Piece at a Time: ACI
- Create new tenant, new IP pools, new bridge domains, new L3Out handoffs
- Workflow: leverage Terraform; new client plan folder from template; naming convention includes the client name for uniqueness; variable values differ per client, the rest of the plan is consistent.

Solution Breakdown, One Piece at a Time: SDWAN
- Different clients exist at different sites; different sites have different combinations and different numbers of clients.
- Workflow:
  1. vManage API login/token
  2. Create client Service VPN feature template
  3. Identify template for a site
  4. Up-rev template with additional Service VPN
  5. Provision with additional client data
Final Solution
Workflow initiated by Python script:
1. ACI client folder created from templates
2. Commit into Git repository
3. GitLab runner performs:
   - Terraform init, plan, apply for ACI updates
   - ACI client validation
   - Deploy services to VMware environment
   - Provision DC and remote cEdge updates
   - End-to-end network validation

Final Solution, ACI: Client Folder File Structure
client1/
- main.tf: complete Terraform file for one ACI tenant.
- variables.tf: variables specific to the tenant.
- sdwan.csv: CSV of the DC and remote site IP addressing required.

Final Solution, ACI (excerpt of the tenant plan):
```hcl
# Bridge Domains and Subnets
variable "bds" {
  default = {
    "192.168.100.0_24" = { ip = "192.168.100.1/24" }
    "192.168.101.0_24" = { ip = "192.168.101.1/24" }
    "192.168.102.0_24" = { ip = "192.168.102.1/24" }
  }
}

# Bridge Domains
resource "aci_bridge_domain" "bds" {
  for_each           = var.bds
  name               = each.key
  tenant_dn          = aci_tenant.tenant1.id
  relation_fv_rs_ctx = aci_vrf.vrf1.id
  relation_fv_rs_bd_to_out = [
    for key, value in var.epgs : data.aci_l3_outside.shared_l3_out.id
    if value.external_access == true && value.bd == each.key
  ]
}

# Bridge Domains Subnets
resource "aci_subnet" "subnets" {
  for_each  = { for key, value in var.epgs : key => value }
  parent_dn = aci_bridge_domain.bds[var.epgs[each.key].bd].id
  ip        = var.bds[var.epgs[each.key].bd].ip
  scope     = each.value.external_access ? ["public", "shared"] : ["private"]
}
```
Final Solution, SDWAN: Clone base Service VPN template.

Final Solution, SDWAN
Repeat these steps at each location requiring the new VPN; the information is part of the CSV file for programmatic execution:
1. Identify the current template attached at the site
2. Obtain JSON of the template definition
3. Update the JSON to add the new VPN template (and buildout)
4. POST the new device template to vManage
5. Attach device(s) to the new template

Final Solution, SDWAN: GET current device template JSON.

Final Solution, SDWAN: POST the new, updated template structure back. Returns a new ID.

Issues and Hiccups
- Additional domains: ASAv deployments and configurations; non-ACI Nexus platforms in DCs
- Client customizations: standardization is your friend; support for client-specific configurations on ASAv
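The per-site steps above as an added example, not the session's code: it reads the client's rows from a constructed sdwan.csv, adds the cloned Service VPN feature template to the device template JSON attached at each site and produces the body to POST. Template names, IDs and CSV columns are constructed; generalTemplates/subTemplates and the templateType values follow vManage's device template schema.

```python
import copy
import csv
import io

# Constructed sdwan.csv: DC and remote-site addressing for one client.
SDWAN_CSV = """site,client,vpn_id,lan_subnet
DC1,client1,101,10.101.1.0/24
3001,client1,101,10.101.30.0/24
3002,client1,101,10.101.31.0/24
"""

# Constructed device templates currently attached at each site (the GET of the definition).
ATTACHED = {
    "DC1": {"templateId": "dc-tmpl-1", "templateName": "DC_CEDGE", "deviceType": "vedge-C8000V",
            "generalTemplates": [{"templateId": "sys-1", "templateType": "cisco_system"},
                                 {"templateId": "vpn0-1", "templateType": "cisco_vpn"}]},
    "3001": {"templateId": "br-tmpl-7", "templateName": "BRANCH_ISR", "deviceType": "vedge-ISR-4331",
             "generalTemplates": [{"templateId": "sys-1", "templateType": "cisco_system"},
                                  {"templateId": "vpn0-2", "templateType": "cisco_vpn"}]},
}
# Constructed result of cloning the base Service VPN template for client1 (VPN 101).
CLIENT_VPN = {"templateId": "client1-vpn101", "templateType": "cisco_vpn",
              "subTemplates": [{"templateId": "client1-vpn101-if",
                                "templateType": "cisco_vpn_interface"}]}

def sites_for_client(csv_text: str, client: str) -> list:
    """Rows of sdwan.csv belonging to one client, in file order."""
    return [r for r in csv.DictReader(io.StringIO(csv_text)) if r["client"] == client]

def add_service_vpn(device_template: dict, client: str, vpn_entry: dict) -> dict:
    """Body for POSTing a new device template: the site's current definition plus the
    client's Service VPN feature template (with its interface sub-template).
    templateId is dropped because the POST returns a new ID; the name is up-revved
    with the client suffix so the original template stays untouched."""
    present = {g["templateId"] for g in device_template["generalTemplates"]}
    if vpn_entry["templateId"] in present:
        raise ValueError(f"{client}: VPN already in {device_template['templateName']}")
    new = copy.deepcopy(device_template)
    new.pop("templateId", None)
    new["templateName"] = f"{device_template['templateName']}_{client}"
    new["generalTemplates"].append(copy.deepcopy(vpn_entry))
    return new

def plan_rollout(csv_text: str, client: str, attached: dict, vpn_entry: dict) -> dict:
    """Map each site in the CSV to its new device template body; sites whose
    attached template is unknown are reported instead of silently skipped."""
    bodies, missing = {}, []
    for row in sites_for_client(csv_text, client):
        site = row["site"]
        if site not in attached:
            missing.append(site)
            continue
        bodies[site] = add_service_vpn(attached[site], client, vpn_entry)
    return {"post": bodies, "missing_template": missing}
```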
Albert Einstein: "Everyone knew it was impossible, until a fool who didn't know came along and did it."

vManage HA/DR

Disclaimer
Using these vManage APIs incorrectly will break your HA cluster. The vmanageID-to-deviceIP mapping MUST be maintained in all API calls.

Use Case
- HA and DR cluster passwords must be updated.
- They exist in the ISE/TACACS server and allow the full netadmin role.
- Note: documentation of the payloads of the HA/DR API calls is incomplete.

Solution Breakdown, One Piece at a Time
1. Disable Disaster Recovery
2. Pause DR replication
3. Deregister DR devices
4. Edit HA cluster configuration
5. Enable Disaster Recovery
Final Solution: Track DR Replication Status
```json
{"replicationDetails": {"lastReplicated": 57, "exportDuration": "45 secs", "exportSize": "7.189 MB", "replicationStatus": "Success"}}
```

Final Solution: Pause Disaster Recovery replication.

Final Solution: Deregister Disaster Recovery.
Response:
```json
{"id": "15fcf8fe-e3d1-4d73-8ff7-92906691b183"}
```
Track the status of the Task ID. It will take 10 or more minutes to complete.

Final Solution: Get the HA cluster list. Repeat these steps for both HA clusters.

Final Solution: Change the HA cluster password (not a list; called for each device).

Final Solution: Validate the DR cluster members with the new credentials.

Final Solution: Recreate the DR cluster with the new credentials. Body data structure on the following pages.
Final Solution: request body (the slides do not show how vbonds nests relative to disasterRecoverySettings; it is placed at the top level here):
```json
{
  "dataCenters": [
    {"name": "DC1", "nmsPersonality": "nms_user", "dcPersonality": "primary",
     "mgmtIPAddress": "10.114.3.1", "username": "dr_username", "password": "dr_password"},
    {"name": "DC2", "nmsPersonality": "nms_user", "dcPersonality": "secondary",
     "mgmtIPAddress": "10.115.3.1", "username": "dr_username", "password": "dr_password"}
  ],
  "disasterRecoverySettings": {"delayThreshold": 2, "startTime": "12:00am", "interval": 30},
  "vbonds": [
    {"name": "", "ip": "10.114.4.1", "username": "adminUsername", "password": "adminPassword"},
    {"name": "", "ip": "10.115.4.3", "username": "adminUsername", "password": "adminPassword"}
  ]
}
```

Final Solution
- The response returns the Task ID. Monitor the Task ID; completion will take 10 minutes.
- Repeat the DR Replication Status API.
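An added example (not the session's code) of the safety check the disclaimer calls for, plus the DR registration body in the slides' layout. The HA cluster list shape (members carrying vmanageID and deviceIP) and the per-device password body keys are assumptions, and all values are constructed placeholders.

```python
# Constructed HA cluster list for one data center, shaped as assumed for the cluster API.
CLUSTER_DC1 = [
    {"vmanageID": "0", "deviceIP": "10.114.3.1"},
    {"vmanageID": "1", "deviceIP": "10.114.3.2"},
    {"vmanageID": "2", "deviceIP": "10.114.3.3"},
]

def check_mapping(cluster: list, call_bodies: list) -> None:
    """Refuse to proceed unless every body carries exactly the vmanageID/deviceIP
    pair the cluster list reports; a mismatch is what breaks the HA cluster."""
    expected = {m["vmanageID"]: m["deviceIP"] for m in cluster}
    for body in call_bodies:
        if expected.get(body["vmanageID"]) != body["deviceIP"]:
            raise ValueError(f"vmanageID {body['vmanageID']} -> {body['deviceIP']} "
                             f"does not match the cluster list {expected}")

def password_bodies(cluster: list, username: str, new_password: str) -> list:
    """One body per cluster member (the password call is made per device, not with
    a list); the mapping is copied from the cluster list rather than retyped."""
    return [{"vmanageID": m["vmanageID"], "deviceIP": m["deviceIP"],
             "username": username, "password": new_password} for m in cluster]

def register_body(dc1_ip: str, dc2_ip: str, dr_user: str, dr_password: str,
                  vbonds: list, admin_user: str, admin_password: str,
                  delay_threshold: int = 2, start_time: str = "12:00am",
                  interval: int = 30) -> dict:
    """DR registration body in the slides' layout: both data centers with their
    personalities, the replication settings, and the vBonds."""
    dcs = [("DC1", "primary", dc1_ip), ("DC2", "secondary", dc2_ip)]
    return {
        "dataCenters": [{"name": name, "nmsPersonality": "nms_user", "dcPersonality": role,
                         "mgmtIPAddress": ip, "username": dr_user, "password": dr_password}
                        for name, role, ip in dcs],
        "disasterRecoverySettings": {"delayThreshold": delay_threshold,
                                     "startTime": start_time, "interval": interval},
        "vbonds": [{"name": "", "ip": ip, "username": admin_user, "password": admin_password}
                   for ip in vbonds],
    }

def replication_healthy(status: dict) -> bool:
    """True when the DR replication status call (run before and after) reports Success."""
    return status.get("replicationDetails", {}).get("replicationStatus") == "Success"
```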
Unusual APIs

DNAC API Authentication (screenshot slides)

SDA Fabric Edge Static Port Assignment
- Only configures one interface.
- Each call requires 40-60 seconds for DNAC to process (per switch).
- Interface list to be supported.

Q&A

Fill out your session surveys!
- Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!
- Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed. These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.

Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL

Gamify your Cisco Live experience! Get points for attending this session: open the Cisco Events App, click on Cisco Live Challenge in the side menu, click on View Your Badges at the top, then click the + at the bottom of the screen and scan the QR code.