Now that the staging fabric has been deployed with Ansible, we will use GitLab and a CI/CD pipeline to deploy the production fabric. From then on, every change to the production fabric is first tested against the safe staging fabric, and only pushed to production once it passes there.
First, create the same set of variable files for the production fabric that you created for the staging fabric.
Production Fabric
Like you did back in the NDFC Ansible section, create an inventory file for your production fabric. When this file is used in the pipeline, it is the inventory passed to ansible-playbook -i. Because it uses the same ndfc group name, your previously developed playbooks remain unchanged and can be reused. Note that the inventory carries only the address of the NDFC controller; the NDFC credentials belong in Ansible Vault or in protected CI/CD variables, never in a file you commit to the repository.
touch ~/workspace/ndfclab/nac/hosts.prod.yml
cat << EOF > ~/workspace/ndfclab/nac/hosts.prod.yml
---
# Inventory Information For Prod Fabric and External Fabric
ndfc:
  hosts:
    fabric-prod:
      ansible_host: 10.15.0.26
    fabric-external-prod:
      ansible_host: 10.15.0.26
EOF
Prod data model files. The host_vars directory for the production fabric does not exist yet, so create it first or the redirects below will fail:
mkdir -p ~/workspace/ndfclab/nac/host_vars/fabric-prod
touch ~/workspace/ndfclab/nac/host_vars/fabric-prod/fabric.nac.yml
cat << EOF > ~/workspace/ndfclab/nac/host_vars/fabric-prod/fabric.nac.yml
---
vxlan:
  fabric:
    name: fabric-prod
    type: VXLAN_EVPN
EOF
touch ~/workspace/ndfclab/nac/host_vars/fabric-prod/topology.nac.yml
cat << EOF > ~/workspace/ndfclab/nac/host_vars/fabric-prod/topology.nac.yml
---
vxlan:
  topology:
    switches:
      - name: prod-spine1
        serial_number: READ_TIMEOUT
        role: spine
        management:
          management_ipv4_address: 10.15.6.18
          default_gateway_v4: 10.15.6.1
      - name: prod-leaf1
        serial_number: READ_TIMEOUT
        role: leaf
        management:
          management_ipv4_address: 10.15.6.19
          default_gateway_v4: 10.15.6.1
      - name: prod-leaf2
        serial_number: READ_TIMEOUT
        role: leaf
        management:
          management_ipv4_address: 10.15.6.20
          default_gateway_v4: 10.15.6.1
      - name: prod-leaf3
        serial_number: READ_TIMEOUT
        role: border
        management:
          management_ipv4_address: 10.15.6.21
          default_gateway_v4: 10.15.6.1
EOF
To speed up creating the production fabric files, you can copy each block in this section and paste it into your terminal to create the files at once. All of these files are very similar to the staging fabric files you created earlier; they are modified only to reflect the production fabric names and IP addresses. Take care with serial_number: it must be the serial number NDFC reports for the matching production switch, since that is how the collection identifies the device, and a value carried over from a staging switch is the easiest mistake to make in this copy.
touch ~/workspace/ndfclab/nac/host_vars/fabric-prod/global.nac.yml
cat << EOF > ~/workspace/ndfclab/nac/host_vars/fabric-prod/global.nac.yml
---
vxlan:
  global:
    bgp_asn: "65001"
    route_reflectors: 2
    anycast_gateway_mac: 12:34:56:78:90:00
    dns_servers:
      - ip_address: 10.0.249.16
        vrf: management
    ntp_servers:
      - ip_address: 10.81.254.131
        vrf: management
EOF
touch ~/workspace/ndfclab/nac/host_vars/fabric-prod/underlay.nac.yml
cat << EOF > ~/workspace/ndfclab/nac/host_vars/fabric-prod/underlay.nac.yml
---
vxlan:
  underlay:
    general:
      routing_protocol: ospf
      underlay_routing_loopback_id: 0
      underlay_routing_protocol_tag: UNDERLAY
      underlay_vtep_loopback_id: 1
      replication_mode: multicast
      underlay_rp_loopback_id: 250
    ipv4:
      fabric_interface_numbering: p2p
      subnet_mask: 31
      underlay_routing_loopback_ip_range: 10.11.0.0/22
      underlay_vtep_loopback_ip_range: 10.111.100.0/22
      underlay_rp_loopback_ip_range: 10.251.251.0/24
      underlay_subnet_ip_range: 10.1.0.0/16
    ospf:
      area_id: 0.0.0.0
    multicast:
      underlay_rp_loopback_id: 250
      rp_mode: asm
EOF
touch ~/workspace/ndfclab/nac/host_vars/fabric-prod/vpc.nac.yml
cat << EOF > ~/workspace/ndfclab/nac/host_vars/fabric-prod/vpc.nac.yml
---
vxlan:
  global:
    bgp_asn: "65001"
    vpc:
      peer_link_vlan: 3600
      peer_keep_alive: management
      auto_recovery_time: 240
      delay_restore_time: 150
      peer_link_port_channel_id: 500
      advertise_pip: true
      domain_id_range: 1-100
  topology:
    vpc_peers:
      - peer1: prod-leaf1
        peer2: prod-leaf2
        fabric_peering: true
EOF
touch ~/workspace/ndfclab/nac/host_vars/fabric-prod/interfaces_access.nac.yml
cat << EOF > ~/workspace/ndfclab/nac/host_vars/fabric-prod/interfaces_access.nac.yml
---
vxlan:
  topology:
    switches:
      - name: prod-leaf1
        interfaces:
          - name: Ethernet1/1
            mode: access
            description: VLAN 2301 Access Interface
            enabled: true
            mtu: jumbo
            speed: auto
            enable_bpdu_guard: false
            access_vlan: 2301
            spanning_tree_portfast: true
      - name: prod-leaf2
        interfaces:
          - name: Ethernet1/1
            mode: access
            description: VLAN 2302 Access Interface
            enabled: true
            mtu: jumbo
            speed: auto
            enable_bpdu_guard: false
            access_vlan: 2302
            spanning_tree_portfast: true
EOF
touch ~/workspace/ndfclab/nac/host_vars/fabric-prod/interfaces_vpc.nac.yml
cat << EOF > ~/workspace/ndfclab/nac/host_vars/fabric-prod/interfaces_vpc.nac.yml
---
vxlan:
  topology:
    switches:
      - name: prod-leaf1
        interfaces:
          - name: port-channel10
            mode: trunk
            enabled: true
            pc_mode: active
            vpc_id: 10
            members:
              - eth1/5
            mtu: jumbo
            speed: auto
            trunk_allowed_vlans:
              - from: 2301
                to: 2302
            spanning_tree_portfast: true
          - name: port-channel20
            mode: trunk
            enabled: true
            pc_mode: active
            vpc_id: 20
            members:
              - eth1/6
            mtu: jumbo
            speed: auto
            spanning_tree_portfast: true
      - name: prod-leaf2
        interfaces:
          - name: port-channel10
            mode: trunk
            enabled: true
            pc_mode: active
            vpc_id: 10
            members:
              - eth1/5
            mtu: jumbo
            speed: auto
            trunk_allowed_vlans:
              - from: 2301
                to: 2302
            spanning_tree_portfast: true
          - name: port-channel20
            mode: trunk
            enabled: true
            pc_mode: active
            vpc_id: 20
            members:
              - eth1/6
            mtu: jumbo
            speed: auto
            spanning_tree_portfast: true
EOF
touch ~/workspace/ndfclab/nac/host_vars/fabric-prod/interfaces_routed.nac.yml
cat << EOF > ~/workspace/ndfclab/nac/host_vars/fabric-prod/interfaces_routed.nac.yml
---
vxlan:
  topology:
    switches:
      - name: prod-leaf3
        interfaces:
          - name: Ethernet1/1
            mode: routed
            description: Connected to prod-ext-rtr Ethernet1/1
            enabled: true
          - name: Ethernet1/1.2
            mode: routed_sub
            description: Connected to prod-ext-rtr Ethernet1/1.2
            enabled: true
            dot1q_id: 2
            vrf: NaC-VRF01
            ipv4_address: 10.31.0.1/30
EOF
touch ~/workspace/ndfclab/nac/host_vars/fabric-prod/vrfs.nac.yml
cat << EOF > ~/workspace/ndfclab/nac/host_vars/fabric-prod/vrfs.nac.yml
---
vxlan:
  overlay:
    vrfs:
      - name: NaC-VRF01
        vrf_id: 150001
        vlan_id: 2001
        vrf_attach_group: all
    vrf_attach_groups:
      - name: all
        switches:
          - hostname: prod-leaf1
          - hostname: prod-leaf2
          - hostname: prod-leaf3
EOF
touch ~/workspace/ndfclab/nac/host_vars/fabric-prod/networks.nac.yml
cat << EOF > ~/workspace/ndfclab/nac/host_vars/fabric-prod/networks.nac.yml
---
vxlan:
  overlay:
    networks:
      - name: NaC-Net01
        vrf_name: NaC-VRF01
        net_id: 130001
        vlan_id: 2301
        vlan_name: NaC-Net01_vlan2301
        gw_ip_address: 192.168.1.1/24
        network_attach_group: all
      - name: NaC-Net02
        vrf_name: NaC-VRF01
        net_id: 130002
        vlan_id: 2302
        vlan_name: NaC-Net02_vlan2302
        gw_ip_address: 192.168.2.1/24
        network_attach_group: all
    network_attach_groups:
      - name: all
        switches:
          - hostname: prod-leaf1
            ports:
              - port-channel10
          - hostname: prod-leaf2
            ports:
              - port-channel10
EOF
touch ~/workspace/ndfclab/nac/host_vars/fabric-prod/vrf_lite.nac.yml
cat << EOF > ~/workspace/ndfclab/nac/host_vars/fabric-prod/vrf_lite.nac.yml
---
vxlan:
  overlay_extensions:
    vrf_lites:
      - name: NaC-VRF-Lite01
        vrf: NaC-VRF01
        bgp:
          graceful_restart: false
        switches:
          - name: prod-leaf3
            router_id: 10.31.0.1
            bgp_peers:
              - address: 10.31.0.2
                remote_as: 65999
                description: Peer to prod-ext-rtr in fabric-external-prod
                address_family_ipv4_unicast:
                  send_community: true
                  send_ext_community: true
                  route_map_out: extcon-rmap-filter
            static_routes:
              static_ipv4:
                - prefix: 0.0.0.0/0
                  # route_tag: 12345
                  next_hops:
                    - ip: 10.31.0.2
EOF
touch ~/workspace/ndfclab/nac/host_vars/fabric-prod/policy.nac.yml
cat << EOF > ~/workspace/ndfclab/nac/host_vars/fabric-prod/policy.nac.yml
---
vxlan:
  policy:
    policies:
      - name: BGP Network Statement Policy
        template_name: bgp_vrf_network
        template_vars:
          BGP_AS: 65001
          VRF_NAME: NaC-VRF01
          IP_PREFIX: 0.0.0.0/0
    groups:
      - name: Border Leaf
        policies:
          - name: BGP Network Statement Policy
    switches:
      - name: prod-leaf3
        groups:
          - Border Leaf
EOF
External Fabric
Once all of the production files have been created, create a new host_vars/fabric-external-prod directory for the production external fabric files.
cd ~/workspace/ndfclab/nac
mkdir -p host_vars/fabric-external-prod
Just like for the staging external fabric, create the files that define the fabric name and type, the topology, the global settings, and the policy for the production external fabric.
touch ~/workspace/ndfclab/nac/host_vars/fabric-external-prod/fabric.nac.yml
cat << EOF > ~/workspace/ndfclab/nac/host_vars/fabric-external-prod/fabric.nac.yml
---
vxlan:
  fabric:
    name: fabric-external-prod
    type: External
EOF
touch ~/workspace/ndfclab/nac/host_vars/fabric-external-prod/topology.nac.yml
cat << EOF > ~/workspace/ndfclab/nac/host_vars/fabric-external-prod/topology.nac.yml
---
vxlan:
  topology:
    switches:
      - name: prod-ext-rtr
        serial_number: READ_TIMEOUT
        role: core_router
        management:
          management_ipv4_address: 10.15.6.22
          default_gateway_v4: 10.15.6.1
        interfaces:
          - name: Ethernet1/1
            mode: routed
            description: Routed Interface towards Border Leaf
            enabled: true
          - name: Ethernet1/1.2
            mode: routed_sub
            description: Routed Sub-Interface towards Border Leaf
            enabled: true
            dot1q_id: 2
            ipv4_address: 10.31.0.2/30
          - name: loopback0
            mode: loopback
            description: NaC Ping Test Loopback
            enabled: true
            ipv4_address: 172.16.1.1
EOF
touch ~/workspace/ndfclab/nac/host_vars/fabric-external-prod/global.nac.yml
cat << EOF > ~/workspace/ndfclab/nac/host_vars/fabric-external-prod/global.nac.yml
---
vxlan:
  global:
    bgp_asn: "65999"
EOF
touch ~/workspace/ndfclab/nac/host_vars/fabric-external-prod/policy.nac.yml
cat << EOF > ~/workspace/ndfclab/nac/host_vars/fabric-external-prod/policy.nac.yml
---
vxlan:
  policy:
    policies:
      - name: BGP Neighbor Policy
        template_name: External_VRF_Lite_eBGP
        template_vars:
          asn: 65999
          vrfName: default
          NEIGHBOR_IP: 10.31.0.1
          NEIGHBOR_ASN: 65001
      - name: BGP Network Statement Policy
        template_name: bgp_network
        template_vars:
          BGP_AS: 65999
          IP_MASK: 172.16.1.1/32
    groups:
      - name: External Router
        policies:
          - name: BGP Neighbor Policy
          - name: BGP Network Statement Policy
    switches:
      - name: prod-ext-rtr
        groups:
          - External Router
EOF
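Before staging the files for either fabric, it is worth catching the mistakes a staging-to-production copy typically leaves behind: a staging switch name left in vpc_peers, a serial_number placeholder that was never replaced, a management address reused between two switches, or a network or attach group that references a VRF, switch or port none of the other files defines. The script below is an added example for this section; it is not part of the lab repository or of the cisco.nac_dc_vxlan collection. It merges the split *.nac.yml files of one host_vars directory the way the lab splits them (the same structure applies to host_vars/fabric-prod and host_vars/fabric-external-prod) and then resolves the cross-references between them. The merge rule (list items that share a name are merged, everything else is appended) and the serial-number pattern are assumptions that approximate the collection's behaviour, and the embedded sample is constructed from the production files above with dummy serial numbers.

```python
import copy
import functools
import re
from pathlib import Path

# Assumption: an NX-OS serial is 11 upper-case alphanumerics; a leftover placeholder fails this.
SERIAL_RE = re.compile(r"^[A-Z0-9]{11}$")

def deep_merge(dst, src):
    """Merge src into dst: dicts recurse, list items sharing a 'name' merge, others append (assumed rule)."""
    for key, val in src.items():
        cur = dst.get(key)
        if isinstance(cur, dict) and isinstance(val, dict):
            deep_merge(cur, val)
        elif isinstance(cur, list) and isinstance(val, list):
            for item in val:
                name = item.get("name") if isinstance(item, dict) else None
                match = next((c for c in cur if isinstance(c, dict) and c.get("name") == name), None)
                if name is None or match is None:
                    cur.append(copy.deepcopy(item))
                else:
                    deep_merge(match, item)
        else:
            dst[key] = copy.deepcopy(val)
    return dst

def load_host_vars(directory):
    """Merge every *.nac.yml under one host_vars/<fabric>/ directory (needs PyYAML)."""
    import yaml  # imported here so the checks below also run without PyYAML installed
    model = {}
    for path in sorted(Path(directory).glob("*.nac.yml")):
        with open(path) as fh:
            deep_merge(model, (yaml.safe_load(fh) or {}).get("vxlan", {}))
    return model

def check_model(vxlan):
    """Return a list of findings; an empty list means every cross-reference resolves."""
    findings, seen_ip = [], {}
    topo, overlay = vxlan.get("topology", {}), vxlan.get("overlay", {})
    switches = topo.get("switches", [])
    names = {s["name"] for s in switches}
    for sw in switches:
        serial = str(sw.get("serial_number", ""))
        if not SERIAL_RE.match(serial):
            findings.append(f"{sw['name']}: serial_number {serial!r} is a placeholder or malformed")
        ip = sw.get("management", {}).get("management_ipv4_address")
        if ip in seen_ip:
            findings.append(f"{sw['name']}: management IP {ip} already used by {seen_ip[ip]}")
        seen_ip[ip] = sw["name"]
    for pair in topo.get("vpc_peers", []):
        for peer in (pair.get("peer1"), pair.get("peer2")):
            if peer not in names:
                findings.append(f"vpc_peers: {peer} is not a switch in the topology")
    for g in overlay.get("vrf_attach_groups", []) + overlay.get("network_attach_groups", []):
        for member in g.get("switches", []):
            host = member.get("hostname")
            if host not in names:
                findings.append(f"attach group {g['name']}: {host} is not a switch in the topology")
                continue
            # ports must exist on that switch somewhere in the merged interfaces_*.nac.yml data
            ports = {i["name"].lower() for s in switches if s["name"] == host for i in s.get("interfaces", [])}
            for port in member.get("ports", []):
                if port.lower() not in ports:
                    findings.append(f"attach group {g['name']}: {host} has no interface {port}")
    vrfs = {v["name"] for v in overlay.get("vrfs", [])}
    for n in overlay.get("networks", []):
        if n.get("vrf_name") not in vrfs:
            findings.append(f"network {n['name']}: vrf {n.get('vrf_name')!r} undefined")
    return findings

# Constructed sample mirroring the production files above, split the way the lab splits
# them so that deep_merge is exercised; the serial numbers are dummies.
def _switch(name, serial, role, ip):
    return {"name": name, "serial_number": serial, "role": role,
            "management": {"management_ipv4_address": ip}}
TOPOLOGY = {"topology": {"switches": [
    _switch("prod-leaf1", "9ABCDEF0002", "leaf", "10.15.6.19"),
    _switch("prod-leaf2", "9ABCDEF0003", "leaf", "10.15.6.20"),
    _switch("prod-leaf3", "9ABCDEF0004", "border", "10.15.6.21")]}}
INTERFACES = {"topology": {"switches": [
    {"name": leaf, "interfaces": [{"name": "Ethernet1/1", "mode": "access", "access_vlan": vlan},
                                  {"name": "port-channel10", "mode": "trunk", "vpc_id": 10}]}
    for leaf, vlan in (("prod-leaf1", 2301), ("prod-leaf2", 2302))]}}
VPC = {"topology": {"vpc_peers": [{"peer1": "prod-leaf1", "peer2": "prod-leaf2"}]}}
OVERLAY = {"overlay": {
    "vrfs": [{"name": "NaC-VRF01", "vrf_id": 150001, "vlan_id": 2001, "vrf_attach_group": "all"}],
    "vrf_attach_groups": [{"name": "all", "switches": [{"hostname": f"prod-leaf{i}"} for i in (1, 2, 3)]}],
    "networks": [{"name": "NaC-Net01", "vrf_name": "NaC-VRF01", "vlan_id": 2301, "network_attach_group": "all"},
                 {"name": "NaC-Net02", "vrf_name": "NaC-VRF01", "vlan_id": 2302, "network_attach_group": "all"}],
    "network_attach_groups": [{"name": "all", "switches": [
        {"hostname": h, "ports": ["port-channel10"]} for h in ("prod-leaf1", "prod-leaf2")]}]}}

def build_prod_model():
    return functools.reduce(deep_merge, (TOPOLOGY, INTERFACES, VPC, OVERLAY), {})

def build_broken_model():
    """The same model with three mistakes a copy from staging typically leaves behind."""
    model = build_prod_model()
    model["topology"]["switches"][0]["serial_number"] = "READ_TIMEOUT"  # placeholder never replaced
    model["topology"]["switches"][2]["management"]["management_ipv4_address"] = "10.15.6.19"  # clashes with leaf1
    model["topology"]["vpc_peers"][0]["peer2"] = "stg-leaf2"  # staging switch name left in
    return model
```

To run it against the real files, call check_model(load_host_vars("host_vars/fabric-prod")) and again for host_vars/fabric-external-prod from ~/workspace/ndfclab/nac; anything it prints should be fixed before git add. The check runs on the merged tree rather than file by file because the mistakes it looks for are exactly the ones that span two files, such as a port named in networks.nac.yml but only defined in interfaces_vpc.nac.yml.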
Stage your configuration intent for the prod fabric with git add.
git add .
Review what is staged to be committed to your git repo.
git status .
The following files are staged for commit. Make sure your list matches the output below! Because git add . stages everything under the directory, anything extra in the list, such as a file holding NDFC credentials or a stray editor backup, should be unstaged with git restore --staged before you commit.
On branch main
Your branch is up to date with 'origin/main'.

Changes to be committed:
  (use "git restore --staged <file>..." to unstage)
        new file:   host_vars/fabric-external-prod/fabric.nac.yml
        new file:   host_vars/fabric-external-prod/global.nac.yml
        new file:   host_vars/fabric-external-prod/policy.nac.yml
        new file:   host_vars/fabric-external-prod/topology.nac.yml
        new file:   host_vars/fabric-prod/fabric.nac.yml
        new file:   host_vars/fabric-prod/global.nac.yml
        new file:   host_vars/fabric-prod/interfaces_access.nac.yml
        new file:   host_vars/fabric-prod/interfaces_routed.nac.yml
        new file:   host_vars/fabric-prod/interfaces_vpc.nac.yml
        new file:   host_vars/fabric-prod/networks.nac.yml
        new file:   host_vars/fabric-prod/policy.nac.yml
        new file:   host_vars/fabric-prod/topology.nac.yml
        new file:   host_vars/fabric-prod/underlay.nac.yml
        new file:   host_vars/fabric-prod/vpc.nac.yml
        new file:   host_vars/fabric-prod/vrf_lite.nac.yml
        new file:   host_vars/fabric-prod/vrfs.nac.yml
        new file:   hosts.prod.yml
Commit your prod configuration intent with a meaningful message.
git commit -m "Add VXLAN as Code Production Data Model Files"
[main ebe193c] Add VXLAN as Code Production Data Model Files
 17 files changed, 346 insertions(+)
 create mode 100644 host_vars/fabric-external-prod/fabric.nac.yml
 create mode 100644 host_vars/fabric-external-prod/global.nac.yml
 create mode 100644 host_vars/fabric-external-prod/policy.nac.yml
 create mode 100644 host_vars/fabric-external-prod/topology.nac.yml
 create mode 100644 host_vars/fabric-prod/fabric.nac.yml
 create mode 100644 host_vars/fabric-prod/global.nac.yml
 create mode 100644 host_vars/fabric-prod/interfaces_access.nac.yml
 create mode 100644 host_vars/fabric-prod/interfaces_routed.nac.yml
 create mode 100644 host_vars/fabric-prod/interfaces_vpc.nac.yml
 create mode 100644 host_vars/fabric-prod/networks.nac.yml
 create mode 100644 host_vars/fabric-prod/policy.nac.yml
 create mode 100644 host_vars/fabric-prod/topology.nac.yml
 create mode 100644 host_vars/fabric-prod/underlay.nac.yml
 create mode 100644 host_vars/fabric-prod/vpc.nac.yml
 create mode 100644 host_vars/fabric-prod/vrf_lite.nac.yml
 create mode 100644 host_vars/fabric-prod/vrfs.nac.yml
 create mode 100644 hosts.prod.yml
Finally, push your commit to your remote repo in GitLab.
git push -u origin main
Enumerating objects: 24, done.
Counting objects: 100% (24/24), done.
Delta compression using up to 8 threads
Compressing objects: 100% (21/21), done.
Writing objects: 100% (22/22), 4.09 KiB | 1.02 MiB/s, done.
Total 22 (delta 3), reused 0 (delta 0), pack-reused 0
To 10.15.0.159:Pod06_2025_01/LTRDCN-3439.git
   bb2a31a..ebe193c  main -> main
Branch 'main' set up to track remote branch 'main' from 'origin'.
In GitLab, refresh the page to see your repo populated.
Continue to the next section to define your GitLab CI file for your CI/CD pipeline.