Task04
Design Policy Data Model

Design the Policy Data Model

NOTE: This task is not required to complete the lab. If you have time, this bonus task introduces the vxlan.policy section of the NaC data model.

Check Branch

Before starting this lab, make sure you are on the stage branch:


git branch --show-current


stage

Quick Tip

Before starting this section, it might be helpful to close out your file tabs at the top of your VSCode editor from the previous lab task. This is certainly not mandatory but might keep the flow more organized and uncluttered.

Step 1 - Understand NaC policies

The previous version of this bonus task created custom Ansible task files around the cisco.dcnm.dcnm_template and cisco.dcnm.dcnm_policy modules. With NaC, policy intent is stored in the same model structure as the overlay. The vxlan.policy section can define reusable policies, group them together, and attach those groups to switches.

In this bonus task, you will create policy intent for:

  • Enabling telemetry on one staging leaf using freeform CLI policy
  • Applying telemetry configuration on the same staging leaf
  • Applying per-device NTP server values using the built-in ntp_server template

Step 2 - Create the staging policy model

Create a new policy.nac.yaml file for fabric-stage. The policies are grouped so the same policy set can be attached to one or more switches.


cat << EOF > ~/workspace/CiscoLive/DEVWKS-3928/host_vars/fabric-stage/policy.nac.yaml
---
vxlan:
  policy:
    policies:
      - name: template_telemetry_feature
        template_name: switch_freeform
        template_vars:
          CONF: |
            feature telemetry
      - name: template_telemetry
        template_name: switch_freeform
        template_vars:
          CONF: |
            telemetry
              certificate /bootflash/telegraf.crt telegraf
              destination-profile
                use-vrf management
              destination-group 101
                ip address 192.168.55.55 port 57101 protocol gRPC encoding GPB
              sensor-group 101
                data-source DME
                path sys/ch depth unbounded
              subscription 101
                dst-grp 101
                snsr-grp 101 sample-interval 10101
      - name: ntp_leaf1
        template_name: ntp_server
        template_vars:
          NTP_SERVER: 10.55.0.1
          NTP_SERVER_VRF: management
      - name: ntp_leaf2
        template_name: ntp_server
        template_vars:
          NTP_SERVER: 10.66.0.2
          NTP_SERVER_VRF: management
      - name: ntp_spine1
        template_name: ntp_server
        template_vars:
          NTP_SERVER: 10.188.0.55
          NTP_SERVER_VRF: management
    groups:
      - name: telemetry_leaf
        policies:
          - name: template_telemetry_feature
            priority: 1
          - name: template_telemetry
            priority: 2
      - name: ntp_leaf1
        policies:
          - name: ntp_leaf1
            priority: 4
      - name: ntp_leaf2
        policies:
          - name: ntp_leaf2
            priority: 4
      - name: ntp_spine1
        policies:
          - name: ntp_spine1
            priority: 4
    switches:
      - name: staging-leaf1
        groups:
          - telemetry_leaf
          - ntp_leaf1
      - name: staging-leaf2
        groups:
          - ntp_leaf2
      - name: staging-spine1
        groups:
          - ntp_spine1
EOF

The telemetry examples use switch_freeform to apply freeform CLI. The NTP examples use an existing template (ntp_server) with per-device variables. This gives us the same practical outcome as the original policy bonus task, but the user-facing workflow is still NaC: update the intent in YAML and run the NaC playbook.
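Before running the playbook, it is worth checking that every group a switch references and every policy a group references actually exists in the model, since a typo in a name silently leaves a switch without its intended policy. The script below is an added example, not part of the lab or the NaC collection: it works on a trimmed copy of the policy model above (held as a parsed dict rather than read from policy.nac.yaml), flags dangling references and duplicate names, and lists each switch's policies in push order. It assumes that NDFC applies lower priority values first, as the lab's feature-before-configuration ordering implies.

```python
"""Added pre-flight check for a vxlan.policy model (not part of the lab):
flag dangling references and list each switch's policies in push order."""
from collections import Counter
# Constructed, trimmed copy of the lab's policy.nac.yaml; staging-leaf2 points at an undefined group.
MODEL = {
    "policies": [
        {"name": "template_telemetry_feature", "template_name": "switch_freeform",
         "template_vars": {"CONF": "feature telemetry\n"}},
        {"name": "template_telemetry", "template_name": "switch_freeform",
         "template_vars": {"CONF": "telemetry\n  destination-group 101\n"}},
        {"name": "ntp_leaf1", "template_name": "ntp_server",
         "template_vars": {"NTP_SERVER": "10.55.0.1", "NTP_SERVER_VRF": "management"}},
    ],
    "groups": [
        {"name": "telemetry_leaf", "policies": [
            {"name": "template_telemetry_feature", "priority": 1},
            {"name": "template_telemetry", "priority": 2}]},
        {"name": "ntp_leaf1", "policies": [{"name": "ntp_leaf1", "priority": 4}]},
    ],
    "switches": [
        {"name": "staging-leaf1", "groups": ["telemetry_leaf", "ntp_leaf1"]},
        {"name": "staging-leaf2", "groups": ["ntp_leaf2"]},
    ],
}

def validate(policy):
    """Return a list of problems; an empty list means every reference resolves."""
    problems = []
    for section in ("policies", "groups"):  # names must be unique within a section
        counts = Counter(item["name"] for item in policy.get(section, []))
        problems += [f"duplicate {section} entry: {n}" for n, c in counts.items() if c > 1]
    pnames = {p["name"] for p in policy.get("policies", [])}
    gnames = {g["name"] for g in policy.get("groups", [])}
    for g in policy.get("groups", []):  # every group member must be a defined policy
        problems += [f"group {g['name']} -> unknown policy {r['name']}"
                     for r in g["policies"] if r["name"] not in pnames]
    for sw in policy.get("switches", []):  # every attached group must be defined
        problems += [f"switch {sw['name']} -> unknown group {gn}"
                     for gn in sw.get("groups", []) if gn not in gnames]
    return problems

def resolve(policy, switch):
    """Return (priority, policy, template) tuples attached to one switch, in push order."""
    by_name = {p["name"]: p["template_name"] for p in policy["policies"]}
    groups = {g["name"]: g["policies"] for g in policy["groups"]}
    wanted = next((sw["groups"] for sw in policy["switches"] if sw["name"] == switch), [])
    refs = [r for gn in wanted if gn in groups for r in groups[gn]]  # skip undefined groups
    refs.sort(key=lambda r: r["priority"])  # assumption: lower value applied first; stable sort keeps group order on ties
    return [(r["priority"], r["name"], by_name[r["name"]]) for r in refs]
```

For the real file, parse policy.nac.yaml with a YAML loader and pass the vxlan.policy mapping to validate() and resolve() in place of MODEL.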