we are in the process of designing our ACI fabric.
As we want to start from the beginning with automation we are discussing what tool/way would be the best.
We are no programmers but networking engineers with some scripting knowledge.
We plan to migrate the ACI fabric to Multisite in future and would like to not start with automation then again.
In the moment we are discussing terraform, ansible and python (with ACI-Toolkit).
Any suggestions on which way to go and why would be appreciated.
When you look at it on the Devnet from Cisco, you'll see 3 major options:
-> Pure jSON inside Cisco APIC with Google Postman
-> Python Scripting with the Cobra SDK
I've been through all of them in a test environment and production, my choices goes out to Ansible. The flexibility of building a playbook with variables and inventory files is really good.
Pure jSON was very fault prone and also Python scripting had these drawbacks.
Ansible was a game changer for me, because you get output from the file. You can add checks to the file for safety and it's very easy to setup.
I am still using (and adapted) the playbook you get from the training of Cisco Devnet. It works a charm.
I second that..
I checked out Cobra, native JSON and Ansible. In terms of readability and low complexity, Ansible is (currently) my choice.
The only thing that bugs me with the predefined ACI modules is the approach one HTTP post per object. So each EPG, contract, bridge domain, fabric policy etc. needs one HTTPS POST operation. When deploying a fabric from scratch, maybe this is time consuming. On the other hand, the pre built ACI modules only covers some parts of the ACI configuation.
Currently I'm writing reusable roles using the aci_rest module. They are designed in a "bulky" manner - meaning you may post multiple childrens in of one instance in one go.
The challenge with Ansible is to figure out a proper way of doing and designing it. There are so (too) many ways to dead with things in Ansilble. Took me three fresh starts until I got the (hopefully) right structure for my use case. So it makes sense to think about the whole thing and structure it from the beginning before programming a playbook.
One word to the ACI CLI (which could be used for automation as well)... don't do it ... it's a piece of crap for configuration, because it doesn't understand and populate the MO tree correctly. Very important ACI concepts like AEPs, policies etc. are not known by the CLI resulting in a config "mess".
As a curveball, you could try my PowerShell modules for ACI that I'm working on (at https://github.com/kevsterd/ACI-PoSH) ... Depends on your skillset but if you are used to VMware's PowerCLI or PowerNSX it may be handy.
Not at all finished but it may be a start for you....
Hi Kevin. I was reviewing your ACI-POSH powershell work. You mention that the auth timeout is rather short (300 secs) so you may have to re-auth often. This timeout can be changed inside APIC so you avoid that. It is found under the Admin tab > Security in APIC. Max value is 9600. Hope that helps.