Automating NDFC using Ansible

This section contains several examples automating Nexus Dashboard Fabric Controller (NDFC) with Ansible. Whilst this example is not part of the Nexus-as-Code data model, it offers more seasoned Ansible users several comprehensive examples to automate the provisioning of Ethernet Virtual Private Network (EVPN) fabrics using NDFC.

• NDFC Roles

Getting started

This repo contains Ansible Roles and example playbooks that, together, implement a basic Spine/Leaf VXLAN/EVPN fabric using Cisco's DCNM/NDFC Controller.

Two identical child fabrics and a multisite domain (MSD) fabric are defined in the role ndfc_common. The two child fabrics use non-overlapping underlay addressing to facilitate interconnection via a multi-site domain (MSD) fabric, which is also defined in ndfc_common; specifically, in ndfc_common/vars/main.yml

The main playbooks, which create the two fabrics and the MSD fabric are located in the top-level directory.

You should use either (1 and 2) OR 3 (which creates 1 and 2, but with MSD connectivity). That is, (1 and 2) are mutually exclusive to 3.

These playbooks leverage many of the included roles.

The remaining Roles are offered as examples which either provide extra functionality (e.g. create external fabrics, and service nodes) or facilitate various day2 ops, such as deleting a fabric, etc.

To clone this repo

Copygit clone https://github.com/allenrobel/ndfc-roles.git

Dependencies

Cisco Nexus Dashboard (ND) + Nexus Dashboard Fabric Controller (NDFC)

ndfc-roles has been tested with the following ND+NDFC versions

cisco.dcnm Ansible Collection Version 2.1.0

The Ansible Roles in this repo require that version 2.1.0 of the cisco.dcnm Collection be installed. A requirements.yml file is included in the top-level directory which will install this collection. Or you may do so explicitly. It's recommended to use requirements.yml as this file may be updated with other dependencies later.

NOTE: Some earlier versions of the cisco.dcnm Ansible Collection are known not to work due to NDFC API changes involving VPC interfaces.

Example using requirements.yml

Copyansible-galaxy collection install --requirements-file /path/to/this/repo/top-level/requirements.yml

Example using explicit Collection Version 2.1.0

Copyansible-galaxy collection install cisco.dcnm

jmespath

The Ansible Roles in this repo make extensive use of json_query() which requires that jmespath be installed. To install (preferably, you're running Ansible within a python virtual environment):

Copypip install jmespath

Ansible Custom Configuration

NDFC requires increasing the default timeout for persistent connections from the default of 30 seconds to >= 1000 seconds. We have provided an ansible.cfg file with the requisite changes in this repo's top-level directory. If you would rather edit your existing ansible.cfg file (where ever it is), the changes are shown below.

Copy[persistent_connection]
command_timeout=1800
connect_timeout=1800

Fabric Characteristics

The characteristics of the child/site fabrics are as follows (see also the included PDF for a topology).

1. 2 Spine acting as Route Reflectors for all Leaf and Border Gateway
2. 4 Leaf / VTEP (2 VPC pairs using fabric-peering for their virtual peer-link)
3. 2 Border Gateway / VTEP
4. 2 VRF: v1 and v2
5. L3 (ipv4 / ipv6) connectivity between VRF v1 and v2 (import/export of route-targets)
6. L2 connectivity within each VRF
7. OSPF underlay
8. VXLAN/EVPN Replication Mode: Ingress

Spines and Leafs can be added/removed by updating the Common Role Variables described below.

Common Role Variables

To use these Roles, and example playbooks, you'll need to update some common variables used across all Roles. These are maintained in inventory/groups_vars.

Inventory

Next, you'll need to edit the following to add your NDFC username and password and the username/password for the switches comprising your fabric(s)

Copy./inventory/group_vars/ndfc 

It is recommended (but not mandatory) that you encrypt these passwords. Below is one way to do this.

Modify ./inventory/group_vars/ndfc

Edit ansible_password (password for NDFC controller) and device_password (password for NX-OS switches)

Add ansible_password and device_password in encrypted format (or non-encrypted, if you don't care about security). These are the passwords you use to login to your NDFC Controller, and NX-OS switches, respectively.

To add encrypted passwords for the NDFC controller and NX-OS devices, issue the following from this repo's top-level directory.

Copyansible-vault encrypt_string 'mySuperSecretNdfcPassword' --name 'ansible_password' >> ./inventory/group_vars/ndfc
ansible-vault encrypt_string 'mySuperSecretNxosPassword' --name 'device_password' >> ./inventory/group_vars/ndfc

ansible-vault will prompt you for a vault password, which you'll use to decrypt these passwords (using ansible-playbook --ask-vault-pass) when running the example playbooks.

Example:

Copy% ansible-vault encrypt_string 'mySuperSecretNdfcPassword' --name 'ansible_password' >> ./inventory/group_vars/ndfc
New Vault password: 
Confirm New Vault password: 
% cat ./inventory/group_vars/ndfc
ansible_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          35313565343034623966323832303764633165386439663133323832383336366362663431366565
          6238373030393562363831616266336464353963393566300a316564663135323263653165393330
          33353935396462663531323437336366653937326234313866623535313431366534363938633834
          6563336634653963320a376364323430316134623430636265383561663631343763646465626365
          36666366333438373537343033393939653830663061623362613439376161626439
% 

If you don't care about security, you can add a non-encrypted password by editing the file directly. The following are example unencrypted passwords for the NDFC controller and NX-OS devices added to this file:

Copyansible_password: mySuperSecretNdfcPassword
device_password: mySuperSecretNxosPassword

Edit ansible_user

Change ansible_user in the same file to the username associated with the above password that you're using on NDFC. Change device_username in the same file to the username used to login to your NX-OS switches.

Example:

Copyansible_user: voldomort
device_username: admin

Update ./inventory/hosts/hosts with the IP address of your NDFC Controller

Copy% cat ./inventory/hosts/hosts 
---
ndfc:
  hosts:
    ndfc1:
      ansible_host: 192.168.1.1

To run a playbook if you encrypted your NDFC password

Copycd /top/level/directory/for/this/repo
ansible-playbook example_ndfc_rest_fabric_create_f1.yml --ask-vault-pass -i inventory

When prompted, enter the password you used in response to the ansible-vault command in step 1 above.

Or, to run a playbook if you didn't encrypt the NDFC password

Copycd /top/level/directory/for/this/repo
ansible-playbook example_ndfc_rest_fabric_create_f1.yml -i inventory

Roles

Role naming conventions used in this repo.

1. If a Role pushes a specific Ansible state, that state is included in the Role's name.
2. If a Role requires the user to provide the Ansible state, the Role's name does not include the state.
3. If a Role uses the NDFC REST API, its name includes _rest_ (e.g. ndfc_rest_rediscover)