From a234ecda87f803b05637f3d74ba53815f20f472f Mon Sep 17 00:00:00 2001
From: Henry Gessau <gessau@cisco.com>
Date: Thu, 13 Feb 2014 11:58:47 -0500
Subject: [PATCH] Cisco APIC ML2 mechanism driver, part 1

This set of changes introduces a mechanism driver for the
Cisco APIC. Please see the blueprint for more information.

The review is submitted in two parts:
- Part 1 (this one)
    o APIC REST Client
    o APIC data model and migration script
    o APIC configurations
- Part 2 (dependent on part 1)
    o APIC mechanism driver
    o APIC manager

Partially implements: blueprint ml2-cisco-apic-mechanism-driver

Change-Id: I698b25ca975fed746107ee64f03563ef1a56e0ef
---
 etc/neutron/plugins/ml2/ml2_conf_cisco.ini    |  46 ++
 .../1b837a7125a9_cisco_apic_driver.py         |  74 ++++
 .../alembic_migrations/versions/HEAD          |   2 +-
 .../ml2/drivers/cisco/apic/__init__.py        |   0
 .../ml2/drivers/cisco/apic/apic_client.py     | 416 ++++++++++++++++++
 .../ml2/drivers/cisco/apic/apic_model.py      | 177 ++++++++
 .../plugins/ml2/drivers/cisco/apic/config.py  |  82 ++++
 .../ml2/drivers/cisco/apic/exceptions.py      |  52 +++
 .../unit/ml2/drivers/cisco/apic/__init__.py   |   0
 .../cisco/apic/test_cisco_apic_client.py      | 272 ++++++++++++
 .../cisco/apic/test_cisco_apic_common.py      | 225 ++++++++++
 11 files changed, 1345 insertions(+), 1 deletion(-)
 create mode 100644 neutron/db/migration/alembic_migrations/versions/1b837a7125a9_cisco_apic_driver.py
 create mode 100644 neutron/plugins/ml2/drivers/cisco/apic/__init__.py
 create mode 100644 neutron/plugins/ml2/drivers/cisco/apic/apic_client.py
 create mode 100644 neutron/plugins/ml2/drivers/cisco/apic/apic_model.py
 create mode 100644 neutron/plugins/ml2/drivers/cisco/apic/config.py
 create mode 100644 neutron/plugins/ml2/drivers/cisco/apic/exceptions.py
 create mode 100644 neutron/tests/unit/ml2/drivers/cisco/apic/__init__.py
 create mode 100644 neutron/tests/unit/ml2/drivers/cisco/apic/test_cisco_apic_client.py
 create mode 100644 neutron/tests/unit/ml2/drivers/cisco/apic/test_cisco_apic_common.py

diff --git a/etc/neutron/plugins/ml2/ml2_conf_cisco.ini b/etc/neutron/plugins/ml2/ml2_conf_cisco.ini
index 927c6f5bea7..95f963f8369 100644
--- a/etc/neutron/plugins/ml2/ml2_conf_cisco.ini
+++ b/etc/neutron/plugins/ml2/ml2_conf_cisco.ini
@@ -46,3 +46,49 @@
 # ssh_port=22
 # username=admin
 # password=mySecretPassword
+
+[ml2_cisco_apic]
+
+# Hostname for the APIC controller
+# apic_host=1.1.1.1
+
+# Username for the APIC controller
+# apic_username=user
+
+# Password for the APIC controller
+# apic_password=password
+
+# Port for the APIC Controller
+# apic_port=80
+
+# Names for APIC objects used by Neutron
+# Note: When deploying multiple clouds against one APIC,
+#       these names must be unique between the clouds.
+# apic_vmm_domain=openstack
+# apic_vlan_ns_name=openstack_ns
+# apic_node_profile=openstack_profile
+# apic_entity_profile=openstack_entity
+# apic_function_profile=openstack_function
+
+# The following flag will cause all the node profiles on the APIC to
+# be cleared when neutron-server starts. This is typically used only
+# for test environments that require clean-slate startup conditions.
+# apic_clear_node_profiles=False
+
+# Specify your network topology.
+# This section indicates how your compute nodes are connected to the fabric's
+# switches and ports. The format is as follows:
+#
+# [switch:<swich_id_from_the_apic>]
+# <compute_host>,<compute_host>=<switchport_the_host(s)_are_connected_to>
+#
+# You can have multiple sections, one for each switch in your fabric that is
+# participating in Openstack. e.g.
+#
+# [switch:17]
+# ubuntu,ubuntu1=1/10
+# ubuntu2,ubuntu3=1/11
+#
+# [switch:18]
+# ubuntu5,ubuntu6=1/1
+# ubuntu7,ubuntu8=1/2
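Review bot: The new `[ml2_cisco_apic]` sample documents `apic_port=80` next to `apic_password` and says nothing about TLS, so a deployment that follows it sends the APIC login over plain HTTP. In this same patch `RestClient.__init__` defaults to `port=80, ssl=False`, `login()` posts the username and password in the request body, and every later request carries the `APIC-Cookie` token. The part of config.py visible here defines no option that selects HTTPS, though that file continues past what is shown. I would add a comment such as `# Use the controller's HTTPS port in production; over port 80 the password and session token cross the network unencrypted.` and expose the client's `ssl` argument as a documented option. Separately, `<swich_id_from_the_apic>` in the topology comment should read `<switch_id_from_the_apic>`.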
diff --git a/neutron/db/migration/alembic_migrations/versions/1b837a7125a9_cisco_apic_driver.py b/neutron/db/migration/alembic_migrations/versions/1b837a7125a9_cisco_apic_driver.py
new file mode 100644
index 00000000000..92b132643c9
--- /dev/null
+++ b/neutron/db/migration/alembic_migrations/versions/1b837a7125a9_cisco_apic_driver.py
@@ -0,0 +1,74 @@
+# Copyright 2014 OpenStack Foundation
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+
+"""Cisco APIC Mechanism Driver
+
+Revision ID: 1b837a7125a9
+Revises: 6be312499f9
+Create Date: 2014-02-13 09:35:19.147619
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '1b837a7125a9'
+down_revision = '6be312499f9'
+
+migration_for_plugins = [
+    'neutron.plugins.ml2.plugin.Ml2Plugin'
+]
+
+from alembic import op
+import sqlalchemy as sa
+
+from neutron.db import migration
+
+
+def upgrade(active_plugins=None, options=None):
+    if not migration.should_run(active_plugins, migration_for_plugins):
+        return
+
+    op.create_table(
+        'cisco_ml2_apic_epgs',
+        sa.Column('network_id', sa.String(length=255), nullable=False),
+        sa.Column('epg_id', sa.String(length=64), nullable=False),
+        sa.Column('segmentation_id', sa.String(length=64), nullable=False),
+        sa.Column('provider', sa.Boolean(), default=False, nullable=False),
+        sa.PrimaryKeyConstraint('network_id'))
+
+    op.create_table(
+        'cisco_ml2_apic_port_profiles',
+        sa.Column('node_id', sa.String(length=255), nullable=False),
+        sa.Column('profile_id', sa.String(length=64), nullable=False),
+        sa.Column('hpselc_id', sa.String(length=64), nullable=False),
+        sa.Column('module', sa.String(length=10), nullable=False),
+        sa.Column('from_port', sa.Integer(), nullable=False),
+        sa.Column('to_port', sa.Integer(), nullable=False),
+        sa.PrimaryKeyConstraint('node_id'))
+
+    op.create_table(
+        'cisco_ml2_apic_contracts',
+        sa.Column('tenant_id', sa.String(length=255), nullable=False),
+        sa.Column('contract_id', sa.String(length=64), nullable=False),
+        sa.Column('filter_id', sa.String(length=64), nullable=False),
+        sa.PrimaryKeyConstraint('tenant_id'))
+
+
+def downgrade(active_plugins=None, options=None):
+    if not migration.should_run(active_plugins, migration_for_plugins):
+        return
+
+    op.drop_table('cisco_ml2_apic_contracts')
+    op.drop_table('cisco_ml2_apic_port_profiles')
+    op.drop_table('cisco_ml2_apic_epgs')
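Review bot: `cisco_ml2_apic_port_profiles` is keyed on `node_id` alone, so it can hold only one row per switch. Yet apic_model.py in this patch looks rows up by `node_id`, `profile_id`, `module`, `from_port` and `to_port` (`get_profile_for_module_and_ports`), which reads as if several port ranges per node were expected. If so, a second `add_profile_for_module_and_ports` call for the same node fails on the primary key; `sa.PrimaryKeyConstraint('node_id', 'module', 'from_port', 'to_port')` here, with matching `primary_key=True` columns on `PortProfile`, would allow it. The callers are in part 2, so please confirm which cardinality is meant. Also, `default=False` on the `provider` column is a client-side default and adds no DEFAULT clause to the created table; use `server_default` if rows can be inserted outside the ORM.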
diff --git a/neutron/db/migration/alembic_migrations/versions/HEAD b/neutron/db/migration/alembic_migrations/versions/HEAD
index cf11bc9d3b0..38f74bb5b42 100644
--- a/neutron/db/migration/alembic_migrations/versions/HEAD
+++ b/neutron/db/migration/alembic_migrations/versions/HEAD
@@ -1 +1 @@
-6be312499f9
+1b837a7125a9
diff --git a/neutron/plugins/ml2/drivers/cisco/apic/__init__.py b/neutron/plugins/ml2/drivers/cisco/apic/__init__.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/neutron/plugins/ml2/drivers/cisco/apic/apic_client.py b/neutron/plugins/ml2/drivers/cisco/apic/apic_client.py
new file mode 100644
index 00000000000..202e84c1ca9
--- /dev/null
+++ b/neutron/plugins/ml2/drivers/cisco/apic/apic_client.py
@@ -0,0 +1,416 @@
+# Copyright (c) 2014 Cisco Systems
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+# @author: Henry Gessau, Cisco Systems
+
+import collections
+import time
+
+import requests
+import requests.exceptions
+
+from neutron.openstack.common import jsonutils as json
+from neutron.openstack.common import log as logging
+from neutron.plugins.ml2.drivers.cisco.apic import exceptions as cexc
+
+
+LOG = logging.getLogger(__name__)
+
+APIC_CODE_FORBIDDEN = str(requests.codes.forbidden)
+
+
+# Info about a Managed Object's relative name (RN) and container.
+class ManagedObjectName(collections.namedtuple(
+        'MoPath', ['container', 'rn_fmt', 'can_create'])):
+    def __new__(cls, container, rn_fmt, can_create=True):
+        return super(ManagedObjectName, cls).__new__(cls, container, rn_fmt,
+                                                     can_create)
+
+
+class ManagedObjectClass(object):
+
+    """Information about a Managed Object (MO) class.
+
+    Constructs and keeps track of the distinguished name (DN) and relative
+    name (RN) of a managed object (MO) class. The DN is the RN of the MO
+    appended to the recursive RNs of its containers, i.e.:
+        DN = uni/container-RN/.../container-RN/object-RN
+
+    Also keeps track of whether the MO can be created in the APIC, as some
+    MOs are read-only or used for specifying relationships.
+    """
+
+    supported_mos = {
+        'fvTenant': ManagedObjectName(None, 'tn-%s'),
+        'fvBD': ManagedObjectName('fvTenant', 'BD-%s'),
+        'fvRsBd': ManagedObjectName('fvAEPg', 'rsbd'),
+        'fvSubnet': ManagedObjectName('fvBD', 'subnet-[%s]'),
+        'fvCtx': ManagedObjectName('fvTenant', 'ctx-%s'),
+        'fvRsCtx': ManagedObjectName('fvBD', 'rsctx'),
+        'fvAp': ManagedObjectName('fvTenant', 'ap-%s'),
+        'fvAEPg': ManagedObjectName('fvAp', 'epg-%s'),
+        'fvRsProv': ManagedObjectName('fvAEPg', 'rsprov-%s'),
+        'fvRsCons': ManagedObjectName('fvAEPg', 'rscons-%s'),
+        'fvRsConsIf': ManagedObjectName('fvAEPg', 'rsconsif-%s'),
+        'fvRsDomAtt': ManagedObjectName('fvAEPg', 'rsdomAtt-[%s]'),
+        'fvRsPathAtt': ManagedObjectName('fvAEPg', 'rspathAtt-[%s]'),
+
+        'vzBrCP': ManagedObjectName('fvTenant', 'brc-%s'),
+        'vzSubj': ManagedObjectName('vzBrCP', 'subj-%s'),
+        'vzFilter': ManagedObjectName('fvTenant', 'flt-%s'),
+        'vzRsFiltAtt': ManagedObjectName('vzSubj', 'rsfiltAtt-%s'),
+        'vzEntry': ManagedObjectName('vzFilter', 'e-%s'),
+        'vzInTerm': ManagedObjectName('vzSubj', 'intmnl'),
+        'vzRsFiltAtt__In': ManagedObjectName('vzInTerm', 'rsfiltAtt-%s'),
+        'vzOutTerm': ManagedObjectName('vzSubj', 'outtmnl'),
+        'vzRsFiltAtt__Out': ManagedObjectName('vzOutTerm', 'rsfiltAtt-%s'),
+        'vzCPIf': ManagedObjectName('fvTenant', 'cif-%s'),
+        'vzRsIf': ManagedObjectName('vzCPIf', 'rsif'),
+
+        'vmmProvP': ManagedObjectName(None, 'vmmp-%s', False),
+        'vmmDomP': ManagedObjectName('vmmProvP', 'dom-%s'),
+        'vmmEpPD': ManagedObjectName('vmmDomP', 'eppd-[%s]'),
+
+        'physDomP': ManagedObjectName(None, 'phys-%s'),
+
+        'infra': ManagedObjectName(None, 'infra'),
+        'infraNodeP': ManagedObjectName('infra', 'nprof-%s'),
+        'infraLeafS': ManagedObjectName('infraNodeP', 'leaves-%s-typ-%s'),
+        'infraNodeBlk': ManagedObjectName('infraLeafS', 'nodeblk-%s'),
+        'infraRsAccPortP': ManagedObjectName('infraNodeP', 'rsaccPortP-[%s]'),
+        'infraAccPortP': ManagedObjectName('infra', 'accportprof-%s'),
+        'infraHPortS': ManagedObjectName('infraAccPortP', 'hports-%s-typ-%s'),
+        'infraPortBlk': ManagedObjectName('infraHPortS', 'portblk-%s'),
+        'infraRsAccBaseGrp': ManagedObjectName('infraHPortS', 'rsaccBaseGrp'),
+        'infraFuncP': ManagedObjectName('infra', 'funcprof'),
+        'infraAccPortGrp': ManagedObjectName('infraFuncP', 'accportgrp-%s'),
+        'infraRsAttEntP': ManagedObjectName('infraAccPortGrp', 'rsattEntP'),
+        'infraAttEntityP': ManagedObjectName('infra', 'attentp-%s'),
+        'infraRsDomP': ManagedObjectName('infraAttEntityP', 'rsdomP-[%s]'),
+        'infraRsVlanNs__phys': ManagedObjectName('physDomP', 'rsvlanNs'),
+        'infraRsVlanNs__vmm': ManagedObjectName('vmmDomP', 'rsvlanNs'),
+
+        'fvnsVlanInstP': ManagedObjectName('infra', 'vlanns-%s-%s'),
+        'fvnsEncapBlk__vlan': ManagedObjectName('fvnsVlanInstP',
+                                                'from-%s-to-%s'),
+        'fvnsVxlanInstP': ManagedObjectName('infra', 'vxlanns-%s'),
+        'fvnsEncapBlk__vxlan': ManagedObjectName('fvnsVxlanInstP',
+                                                 'from-%s-to-%s'),
+
+        # Read-only
+        'fabricTopology': ManagedObjectName(None, 'topology', False),
+        'fabricPod': ManagedObjectName('fabricTopology', 'pod-%s', False),
+        'fabricPathEpCont': ManagedObjectName('fabricPod', 'paths-%s', False),
+        'fabricPathEp': ManagedObjectName('fabricPathEpCont', 'pathep-%s',
+                                          False),
+    }
+
+    # Note(Henry): The use of a mutable default argument _inst_cache is
+    # intentional. It persists for the life of MoClass to cache instances.
+    # noinspection PyDefaultArgument
+    def __new__(cls, mo_class, _inst_cache={}):
+        """Ensure we create only one instance per mo_class."""
+        try:
+            return _inst_cache[mo_class]
+        except KeyError:
+            new_inst = super(ManagedObjectClass, cls).__new__(cls)
+            new_inst.__init__(mo_class)
+            _inst_cache[mo_class] = new_inst
+            return new_inst
+
+    def __init__(self, mo_class):
+        self.klass = mo_class
+        self.klass_name = mo_class.split('__')[0]
+        mo = self.supported_mos[mo_class]
+        self.container = mo.container
+        self.rn_fmt = mo.rn_fmt
+        self.dn_fmt, self.args = self._dn_fmt()
+        self.arg_count = self.dn_fmt.count('%s')
+        rn_has_arg = self.rn_fmt.count('%s')
+        self.can_create = rn_has_arg and mo.can_create
+
+    def _dn_fmt(self):
+        """Build the distinguished name format using container and RN.
+
+        DN = uni/container-RN/.../container-RN/object-RN
+
+        Also make a list of the required name arguments.
+        Note: Call this method only once at init.
+        """
+        arg = [self.klass] if '%s' in self.rn_fmt else []
+        if self.container:
+            container = ManagedObjectClass(self.container)
+            dn_fmt = '%s/%s' % (container.dn_fmt, self.rn_fmt)
+            args = container.args + arg
+            return dn_fmt, args
+        return 'uni/%s' % self.rn_fmt, arg
+
+    def dn(self, *args):
+        """Return the distinguished name for a managed object."""
+        return self.dn_fmt % args
+
+
+class ApicSession(object):
+
+    """Manages a session with the APIC."""
+
+    def __init__(self, host, port, usr, pwd, ssl):
+        protocol = ssl and 'https' or 'http'
+        self.api_base = '%s://%s:%s/api' % (protocol, host, port)
+        self.session = requests.Session()
+        self.session_deadline = 0
+        self.session_timeout = 0
+        self.cookie = {}
+
+        # Log in
+        self.authentication = None
+        self.username = None
+        self.password = None
+        if usr and pwd:
+            self.login(usr, pwd)
+
+    @staticmethod
+    def _make_data(key, **attrs):
+        """Build the body for a msg out of a key and some attributes."""
+        return json.dumps({key: {'attributes': attrs}})
+
+    def _api_url(self, api):
+        """Create the URL for a generic API."""
+        return '%s/%s.json' % (self.api_base, api)
+
+    def _mo_url(self, mo, *args):
+        """Create a URL for a MO lookup by DN."""
+        dn = mo.dn(*args)
+        return '%s/mo/%s.json' % (self.api_base, dn)
+
+    def _qry_url(self, mo):
+        """Create a URL for a query lookup by MO class."""
+        return '%s/class/%s.json' % (self.api_base, mo.klass_name)
+
+    def _check_session(self):
+        """Check that we are logged in and ensure the session is active."""
+        if not self.authentication:
+            raise cexc.ApicSessionNotLoggedIn
+        if time.time() > self.session_deadline:
+            self.refresh()
+
+    def _send(self, request, url, data=None, refreshed=None):
+        """Send a request and process the response."""
+        if data is None:
+            response = request(url, cookies=self.cookie)
+        else:
+            response = request(url, data=data, cookies=self.cookie)
+        if response is None:
+            raise cexc.ApicHostNoResponse(url=url)
+        # Every request refreshes the timeout
+        self.session_deadline = time.time() + self.session_timeout
+        if data is None:
+            request_str = url
+        else:
+            request_str = '%s, data=%s' % (url, data)
+            LOG.debug(_("data = %s"), data)
+        # imdata is where the APIC returns the useful information
+        imdata = response.json().get('imdata')
+        LOG.debug(_("Response: %s"), imdata)
+        if response.status_code != requests.codes.ok:
+            try:
+                err_code = imdata[0]['error']['attributes']['code']
+                err_text = imdata[0]['error']['attributes']['text']
+            except (IndexError, KeyError):
+                err_code = '[code for APIC error not found]'
+                err_text = '[text for APIC error not found]'
+            # If invalid token then re-login and retry once
+            if (not refreshed and err_code == APIC_CODE_FORBIDDEN and
+                    err_text.lower().startswith('token was invalid')):
+                self.login()
+                return self._send(request, url, data=data, refreshed=True)
+            raise cexc.ApicResponseNotOk(request=request_str,
+                                         status=response.status_code,
+                                         reason=response.reason,
+                                         err_text=err_text, err_code=err_code)
+        return imdata
+
+    # REST requests
+
+    def get_data(self, request):
+        """Retrieve generic data from the server."""
+        self._check_session()
+        url = self._api_url(request)
+        return self._send(self.session.get, url)
+
+    def get_mo(self, mo, *args):
+        """Retrieve a managed object by its distinguished name."""
+        self._check_session()
+        url = self._mo_url(mo, *args) + '?query-target=self'
+        return self._send(self.session.get, url)
+
+    def list_mo(self, mo):
+        """Retrieve the list of managed objects for a class."""
+        self._check_session()
+        url = self._qry_url(mo)
+        return self._send(self.session.get, url)
+
+    def post_data(self, request, data):
+        """Post generic data to the server."""
+        self._check_session()
+        url = self._api_url(request)
+        return self._send(self.session.post, url, data=data)
+
+    def post_mo(self, mo, *args, **kwargs):
+        """Post data for a managed object to the server."""
+        self._check_session()
+        url = self._mo_url(mo, *args)
+        data = self._make_data(mo.klass_name, **kwargs)
+        return self._send(self.session.post, url, data=data)
+
+    # Session management
+
+    def _save_cookie(self, request, response):
+        """Save the session cookie and its expiration time."""
+        imdata = response.json().get('imdata')
+        if response.status_code == requests.codes.ok:
+            attributes = imdata[0]['aaaLogin']['attributes']
+            try:
+                self.cookie = {'APIC-Cookie': attributes['token']}
+            except KeyError:
+                raise cexc.ApicResponseNoCookie(request=request)
+            timeout = int(attributes['refreshTimeoutSeconds'])
+            LOG.debug(_("APIC session will expire in %d seconds"), timeout)
+            # Give ourselves a few seconds to refresh before timing out
+            self.session_timeout = timeout - 5
+            self.session_deadline = time.time() + self.session_timeout
+        else:
+            attributes = imdata[0]['error']['attributes']
+        return attributes
+
+    def login(self, usr=None, pwd=None):
+        """Log in to controller. Save user name and authentication."""
+        usr = usr or self.username
+        pwd = pwd or self.password
+        name_pwd = self._make_data('aaaUser', name=usr, pwd=pwd)
+        url = self._api_url('aaaLogin')
+        try:
+            response = self.session.post(url, data=name_pwd, timeout=10.0)
+        except requests.exceptions.Timeout:
+            raise cexc.ApicHostNoResponse(url=url)
+        attributes = self._save_cookie('aaaLogin', response)
+        if response.status_code == requests.codes.ok:
+            self.username = usr
+            self.password = pwd
+            self.authentication = attributes
+        else:
+            self.authentication = None
+            raise cexc.ApicResponseNotOk(request=url,
+                                         status=response.status_code,
+                                         reason=response.reason,
+                                         err_text=attributes['text'],
+                                         err_code=attributes['code'])
+
+    def refresh(self):
+        """Called when a session has timed out or almost timed out."""
+        url = self._api_url('aaaRefresh')
+        response = self.session.get(url, cookies=self.cookie)
+        attributes = self._save_cookie('aaaRefresh', response)
+        if response.status_code == requests.codes.ok:
+            # We refreshed before the session timed out.
+            self.authentication = attributes
+        else:
+            err_code = attributes['code']
+            err_text = attributes['text']
+            if (err_code == APIC_CODE_FORBIDDEN and
+                    err_text.lower().startswith('token was invalid')):
+                # This means the token timed out, so log in again.
+                LOG.debug(_("APIC session timed-out, logging in again."))
+                self.login()
+            else:
+                self.authentication = None
+                raise cexc.ApicResponseNotOk(request=url,
+                                             status=response.status_code,
+                                             reason=response.reason,
+                                             err_text=err_text,
+                                             err_code=err_code)
+
+    def logout(self):
+        """End session with controller."""
+        if not self.username:
+            self.authentication = None
+        if self.authentication:
+            data = self._make_data('aaaUser', name=self.username)
+            self.post_data('aaaLogout', data=data)
+        self.authentication = None
+
+
+class ManagedObjectAccess(object):
+
+    """CRUD operations on APIC Managed Objects."""
+
+    def __init__(self, session, mo_class):
+        self.session = session
+        self.mo = ManagedObjectClass(mo_class)
+
+    def _create_container(self, *args):
+        """Recursively create all container objects."""
+        if self.mo.container:
+            container = ManagedObjectAccess(self.session, self.mo.container)
+            if container.mo.can_create:
+                container_args = args[0: container.mo.arg_count]
+                container._create_container(*container_args)
+                container.session.post_mo(container.mo, *container_args)
+
+    def create(self, *args, **kwargs):
+        self._create_container(*args)
+        if self.mo.can_create and 'status' not in kwargs:
+            kwargs['status'] = 'created'
+        return self.session.post_mo(self.mo, *args, **kwargs)
+
+    def _mo_attributes(self, obj_data):
+        if (self.mo.klass_name in obj_data and
+                'attributes' in obj_data[self.mo.klass_name]):
+            return obj_data[self.mo.klass_name]['attributes']
+
+    def get(self, *args):
+        """Return a dict of the MO's attributes, or None."""
+        imdata = self.session.get_mo(self.mo, *args)
+        if imdata:
+            return self._mo_attributes(imdata[0])
+
+    def list_all(self):
+        imdata = self.session.list_mo(self.mo)
+        return filter(None, [self._mo_attributes(obj) for obj in imdata])
+
+    def list_names(self):
+        return [obj['name'] for obj in self.list_all()]
+
+    def update(self, *args, **kwargs):
+        return self.session.post_mo(self.mo, *args, **kwargs)
+
+    def delete(self, *args):
+        return self.session.post_mo(self.mo, *args, status='deleted')
+
+
+class RestClient(ApicSession):
+
+    """APIC REST client for OpenStack Neutron."""
+
+    def __init__(self, host, port=80, usr=None, pwd=None, ssl=False):
+        """Establish a session with the APIC."""
+        super(RestClient, self).__init__(host, port, usr, pwd, ssl)
+
+    def __getattr__(self, mo_class):
+        """Add supported MOs as properties on demand."""
+        if mo_class not in ManagedObjectClass.supported_mos:
+            raise cexc.ApicManagedObjectNotSupported(mo_class=mo_class)
+        self.__dict__[mo_class] = ManagedObjectAccess(self, mo_class)
+        return self.__dict__[mo_class]
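Review bot: `ApicSession._send` and `refresh` call the controller without a `timeout`, unlike `login`, which passes `timeout=10.0`. requests applies no default timeout, so an unresponsive APIC can block the calling thread indefinitely. requests raises on failure rather than returning `None`, so the `response is None` check does not cover this case. `_send` also parses `response.json()` before looking at the status code, so a non-JSON error body (for example from an intermediary) raises `ValueError` instead of `ApicResponseNotOk`. A missing `imdata` key likewise leads to a `TypeError` that the `except (IndexError, KeyError)` guard does not catch. The sketch below bounds the request and normalises `imdata` to a list so the existing guard handles both cases; `refresh` needs the same `timeout` argument.

```python
    def _send(self, request, url, data=None, refreshed=None):
        # ... unchanged: docstring ...
        kwargs = {'cookies': self.cookie, 'timeout': 10.0}
        if data is not None:
            kwargs['data'] = data
        try:
            response = request(url, **kwargs)
        except requests.exceptions.Timeout:
            raise cexc.ApicHostNoResponse(url=url)
        # ... unchanged: None check, deadline update, request_str ...
        try:
            imdata = response.json().get('imdata') or []
        except ValueError:
            # Body was not JSON; fall through to the status check below.
            imdata = []
        # ... unchanged: response logging, status check, retry, return ...
```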
diff --git a/neutron/plugins/ml2/drivers/cisco/apic/apic_model.py b/neutron/plugins/ml2/drivers/cisco/apic/apic_model.py
new file mode 100644
index 00000000000..a3c05d63060
--- /dev/null
+++ b/neutron/plugins/ml2/drivers/cisco/apic/apic_model.py
@@ -0,0 +1,177 @@
+# Copyright (c) 2014 Cisco Systems Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+# @author: Arvind Somya (asomya@cisco.com), Cisco Systems Inc.
+
+import sqlalchemy as sa
+
+from neutron.db import api as db_api
+from neutron.db import model_base
+from neutron.db import models_v2
+
+
+class NetworkEPG(model_base.BASEV2):
+
+    """EPG's created on the apic per network."""
+
+    __tablename__ = 'cisco_ml2_apic_epgs'
+
+    network_id = sa.Column(sa.String(255), nullable=False, primary_key=True)
+    epg_id = sa.Column(sa.String(64), nullable=False)
+    segmentation_id = sa.Column(sa.String(64), nullable=False)
+    provider = sa.Column(sa.Boolean, default=False, nullable=False)
+
+
+class PortProfile(model_base.BASEV2):
+
+    """Port profiles created on the APIC."""
+
+    __tablename__ = 'cisco_ml2_apic_port_profiles'
+
+    node_id = sa.Column(sa.String(255), nullable=False, primary_key=True)
+    profile_id = sa.Column(sa.String(64), nullable=False)
+    hpselc_id = sa.Column(sa.String(64), nullable=False)
+    module = sa.Column(sa.String(10), nullable=False)
+    from_port = sa.Column(sa.Integer(), nullable=False)
+    to_port = sa.Column(sa.Integer(), nullable=False)
+
+
+class TenantContract(model_base.BASEV2, models_v2.HasTenant):
+
+    """Contracts (and Filters) created on the APIC."""
+
+    __tablename__ = 'cisco_ml2_apic_contracts'
+
+    __table_args__ = (sa.PrimaryKeyConstraint('tenant_id'),)
+    contract_id = sa.Column(sa.String(64), nullable=False)
+    filter_id = sa.Column(sa.String(64), nullable=False)
+
+
+class ApicDbModel(object):
+
+    """DB Model to manage all APIC DB interactions."""
+
+    def __init__(self):
+        self.session = db_api.get_session()
+
+    def get_port_profile_for_node(self, node_id):
+        """Returns a port profile for a switch if found in the DB."""
+        return self.session.query(PortProfile).filter_by(
+            node_id=node_id).first()
+
+    def get_profile_for_module_and_ports(self, node_id, profile_id,
+                                         module, from_port, to_port):
+        """Returns profile for module and ports.
+
+        Grabs the profile row from the DB for the specified switch,
+        module (linecard) and from/to port combination.
+        """
+        return self.session.query(PortProfile).filter_by(
+            node_id=node_id,
+            module=module,
+            profile_id=profile_id,
+            from_port=from_port,
+            to_port=to_port).first()
+
+    def get_profile_for_module(self, node_id, profile_id, module):
+        """Returns the first profile for a switch module from the DB."""
+        return self.session.query(PortProfile).filter_by(
+            node_id=node_id,
+            profile_id=profile_id,
+            module=module).first()
+
+    def add_profile_for_module_and_ports(self, node_id, profile_id,
+                                         hpselc_id, module,
+                                         from_port, to_port):
+        """Adds a profile for switch, module and port range."""
+        row = PortProfile(node_id=node_id, profile_id=profile_id,
+                          hpselc_id=hpselc_id, module=module,
+                          from_port=from_port, to_port=to_port)
+        self.session.add(row)
+        self.session.flush()
+
+    def get_provider_contract(self):
+        """Returns  provider EPG from the DB if found."""
+        return self.session.query(NetworkEPG).filter_by(
+            provider=True).first()
+
+    def set_provider_contract(self, epg_id):
+        """Sets an EPG to be a contract provider."""
+        epg = self.session.query(NetworkEPG).filter_by(
+            epg_id=epg_id).first()
+        if epg:
+            epg.provider = True
+            self.session.merge(epg)
+            self.session.flush()
+
+    def unset_provider_contract(self, epg_id):
+        """Sets an EPG to be a contract consumer."""
+        epg = self.session.query(NetworkEPG).filter_by(
+            epg_id=epg_id).first()
+        if epg:
+            epg.provider = False
+            self.session.merge(epg)
+            self.session.flush()
+
+    def get_an_epg(self, exception):
+        """Returns an EPG from the DB that does not match the id specified."""
+        return self.session.query(NetworkEPG).filter(
+            NetworkEPG.epg_id != exception).first()
+
+    def get_epg_for_network(self, network_id):
+        """Returns an EPG for a give neutron network."""
+        return self.session.query(NetworkEPG).filter_by(
+            network_id=network_id).first()
+
+    def write_epg_for_network(self, network_id, epg_uid, segmentation_id='1'):
+        """Stores EPG details for a network.
+
+        NOTE: Segmentation_id is just a placeholder currently, it will be
+              populated with a proper segment id once segmentation mgmt is
+              moved to the APIC.
+        """
+        epg = NetworkEPG(network_id=network_id, epg_id=epg_uid,
+                         segmentation_id=segmentation_id)
+        self.session.add(epg)
+        self.session.flush()
+        return epg
+
+    def delete_epg(self, epg):
+        """Deletes an EPG from the DB."""
+        self.session.delete(epg)
+        self.session.flush()
+
+    def get_contract_for_tenant(self, tenant_id):
+        """Returns the specified tenant's contract."""
+        return self.session.query(TenantContract).filter_by(
+            tenant_id=tenant_id).first()
+
+    def write_contract_for_tenant(self, tenant_id, contract_id, filter_id):
+        """Stores a new contract for the given tenant."""
+        contract = TenantContract(tenant_id=tenant_id,
+                                  contract_id=contract_id,
+                                  filter_id=filter_id)
+        self.session.add(contract)
+        self.session.flush()
+
+        return contract
+
+    def delete_profile_for_node(self, node_id):
+        """Deletes the port profile for a node."""
+        profile = self.session.query(PortProfile).filter_by(
+            node_id=node_id).first()
+        if profile:
+            self.session.delete(profile)
+            self.session.flush()
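Review bot: `ApicDbModel` obtains one session in `__init__` and reuses it for every call, and the write methods (`add_profile_for_module_and_ports`, `set_provider_contract`, `write_epg_for_network` and the rest) call `flush()` with no enclosing transaction. If one instance is long-lived and shared between request threads, concurrent use of a single SQLAlchemy session is unsafe and the read-then-update in `set_provider_contract`/`unset_provider_contract` can interleave. This is inferred, since the manager that uses the class is in part 2. Consider taking the session per call and wrapping each write in `with session.begin(subtransactions=True):`. The `self.session.merge(epg)` calls look redundant, because `epg` was loaded from the same session. The docstring of `get_an_epg` should say that `exception` is the EPG id to exclude.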
diff --git a/neutron/plugins/ml2/drivers/cisco/apic/config.py b/neutron/plugins/ml2/drivers/cisco/apic/config.py
new file mode 100644
index 00000000000..c5c43f28ff5
--- /dev/null
+++ b/neutron/plugins/ml2/drivers/cisco/apic/config.py
@@ -0,0 +1,82 @@
+# Copyright (c) 2014 OpenStack Foundation
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+# @author: Arvind Somya (asomya@cisco.com), Cisco Systems Inc.
+
+from oslo.config import cfg
+
+
+apic_opts = [
+    cfg.StrOpt('apic_host',
+               help=_("Host name or IP Address of the APIC controller")),
+    cfg.StrOpt('apic_username',
+               help=_("Username for the APIC controller")),
+    cfg.StrOpt('apic_password',
+               help=_("Password for the APIC controller"), secret=True),
+    cfg.StrOpt('apic_port',
+               help=_("Communication port for the APIC controller")),
+    cfg.StrOpt('apic_vmm_provider', default='VMware',
+               help=_("Name for the VMM domain provider")),
+    cfg.StrOpt('apic_vmm_domain', default='openstack',
+               help=_("Name for the VMM domain to be created for Openstack")),
+    cfg.StrOpt('apic_vlan_ns_name', default='openstack_ns',
+               help=_("Name for the vlan namespace to be used for openstack")),
+    cfg.StrOpt('apic_vlan_range', default='2:4093',
+               help=_("Range of VLAN's to be used for Openstack")),
+    cfg.StrOpt('apic_node_profile', default='openstack_profile',
+               help=_("Name of the node profile to be created")),
+    cfg.StrOpt('apic_entity_profile', default='openstack_entity',
+               help=_("Name of the entity profile to be created")),
+    cfg.StrOpt('apic_function_profile', default='openstack_function',
+               help=_("Name of the function profile to be created")),
+    cfg.BoolOpt('apic_clear_node_profiles', default=False,
+                help=_("Clear the node profiles on the APIC at startup "
+                       "(mainly used for testing)")),
+]
+
+
+cfg.CONF.register_opts(apic_opts, "ml2_cisco_apic")
+
+
+def get_switch_and_port_for_host(host_id):
+    for switch, connected in _switch_dict.items():
+        for port, hosts in connected.items():
+            if host_id in hosts:
+                return switch, port
+
+
+_switch_dict = {}
+
+
+def create_switch_dictionary():
+    multi_parser = cfg.MultiConfigParser()
+    read_ok = multi_parser.read(cfg.CONF.config_file)
+
+    if len(read_ok) != len(cfg.CONF.config_file):
+        raise cfg.Error(_("Some config files were not parsed properly"))
+
+    for parsed_file in multi_parser.parsed:
+        for parsed_item in parsed_file.keys():
+            if parsed_item.startswith('apic_switch'):
+                switch, switch_id = parsed_item.split(':')
+                if switch.lower() == 'apic_switch':
+                    _switch_dict[switch_id] = {}
+                    port_cfg = parsed_file[parsed_item].items()
+                    for host_list, port in port_cfg:
+                        hosts = host_list.split(',')
+                        port = port[0]
+                        _switch_dict[switch_id][port] = hosts
+
+    return _switch_dict
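Review bot: `create_switch_dictionary` trusts the shape of the `apic_switch` section names and their keys. `switch, switch_id = parsed_item.split(':')` raises a bare ValueError for a section such as `[apic_switch]` or one with a second colon. `host_list.split(',')` keeps whitespace, so a key written `host1, host2` stores `' host2'` and `get_switch_and_port_for_host` never matches that host. Since this table maps hosts to switch ports, a malformed entry should fail with a `cfg.Error` naming the section: for example `switch, _sep, switch_id = parsed_item.partition(':')` plus a check that `switch_id` is non-empty, and `hosts = [h.strip() for h in host_list.split(',')]`. `get_switch_and_port_for_host` also returns None implicitly when nothing matches, so a docstring should state that contract for callers that unpack `switch, port`.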
diff --git a/neutron/plugins/ml2/drivers/cisco/apic/exceptions.py b/neutron/plugins/ml2/drivers/cisco/apic/exceptions.py
new file mode 100644
index 00000000000..1c478853b01
--- /dev/null
+++ b/neutron/plugins/ml2/drivers/cisco/apic/exceptions.py
@@ -0,0 +1,52 @@
+# Copyright (c) 2014 Cisco Systems
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+# @author: Henry Gessau, Cisco Systems
+
+"""Exceptions used by Cisco APIC ML2 mechanism driver."""
+
+from neutron.common import exceptions
+
+
+class ApicHostNoResponse(exceptions.NotFound):
+    """No response from the APIC via the specified URL."""
+    message = _("No response from APIC at %(url)s")
+
+
+class ApicResponseNotOk(exceptions.NeutronException):
+    """A response from the APIC was not HTTP OK."""
+    message = _("APIC responded with HTTP status %(status)s: %(reason)s, "
+                "Request: '%(request)s', "
+                "APIC error code %(err_code)s: %(err_text)s")
+
+
+class ApicResponseNoCookie(exceptions.NeutronException):
+    """A response from the APIC did not contain an expected cookie."""
+    message = _("APIC failed to provide cookie for %(request)s request")
+
+
+class ApicSessionNotLoggedIn(exceptions.NotAuthorized):
+    """Attempted APIC operation while not logged in to APIC."""
+    message = _("Authorized APIC session not established")
+
+
+class ApicHostNotConfigured(exceptions.NotAuthorized):
+    """The switch and port for the specified host are not configured."""
+    message = _("The switch and port for host '%(host)s' are not configured")
+
+
+class ApicManagedObjectNotSupported(exceptions.NeutronException):
+    """Attempted to use an unsupported Managed Object."""
+    message = _("Managed Object '%(mo_class)s' is not supported")
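Review bot: `ApicHostNotConfigured` derives from `exceptions.NotAuthorized` although its message describes a missing switch/port mapping, and `ApicHostNoResponse` derives from `exceptions.NotFound` although it describes an unreachable controller. If callers or the API layer act on the base class, a configuration gap is reported as an authorization failure and an outage as a missing resource. Deriving both from `exceptions.NeutronException`, like `ApicResponseNotOk`, would leave `ApicSessionNotLoggedIn` as the only class here that signals an authorization problem. Separately, `ApicResponseNotOk` interpolates `%(request)s` into its message. The client code is outside this hunk, so it is worth confirming that only the method and URL are passed there and never the login body, since the exception text will likely end up in logs.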
diff --git a/neutron/tests/unit/ml2/drivers/cisco/apic/__init__.py b/neutron/tests/unit/ml2/drivers/cisco/apic/__init__.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/neutron/tests/unit/ml2/drivers/cisco/apic/test_cisco_apic_client.py b/neutron/tests/unit/ml2/drivers/cisco/apic/test_cisco_apic_client.py
new file mode 100644
index 00000000000..23444033a3c
--- /dev/null
+++ b/neutron/tests/unit/ml2/drivers/cisco/apic/test_cisco_apic_client.py
@@ -0,0 +1,272 @@
+# Copyright (c) 2014 Cisco Systems
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+# @author: Henry Gessau, Cisco Systems
+
+import mock
+import requests
+import requests.exceptions
+
+from neutron.plugins.ml2.drivers.cisco.apic import apic_client as apic
+from neutron.plugins.ml2.drivers.cisco.apic import exceptions as cexc
+from neutron.tests import base
+from neutron.tests.unit.ml2.drivers.cisco.apic import (
+    test_cisco_apic_common as mocked)
+
+
+class TestCiscoApicClient(base.BaseTestCase, mocked.ControllerMixin):
+
+    def setUp(self):
+        super(TestCiscoApicClient, self).setUp()
+        self.set_up_mocks()
+        self.apic = apic.RestClient(mocked.APIC_HOST)
+        self.addCleanup(mock.patch.stopall)
+
+    def _mock_authenticate(self, timeout=300):
+        self.reset_reponses()
+        self.mock_apic_manager_login_responses(timeout=timeout)
+        self.apic.login(mocked.APIC_USR, mocked.APIC_PWD)
+
+    def test_login_by_instantiation(self):
+        self.reset_reponses()
+        self.mock_apic_manager_login_responses()
+        apic2 = apic.RestClient(mocked.APIC_HOST,
+                                usr=mocked.APIC_USR, pwd=mocked.APIC_PWD)
+        self.assertIsNotNone(apic2.authentication)
+        self.assertEqual(apic2.username, mocked.APIC_USR)
+
+    def test_client_session_login_ok(self):
+        self._mock_authenticate()
+        self.assertEqual(
+            self.apic.authentication['userName'], mocked.APIC_USR)
+        self.assertTrue(self.apic.api_base.startswith('http://'))
+        self.assertEqual(self.apic.username, mocked.APIC_USR)
+        self.assertIsNotNone(self.apic.authentication)
+        self.apic = apic.RestClient(mocked.APIC_HOST, mocked.APIC_PORT,
+                                    ssl=True)
+        self.assertTrue(self.apic.api_base.startswith('https://'))
+
+    def test_client_session_login_fail(self):
+        self.mock_error_post_response(requests.codes.unauthorized,
+                                      code='599',
+                                      text=u'Fake error')
+        self.assertRaises(cexc.ApicResponseNotOk, self.apic.login,
+                          mocked.APIC_USR, mocked.APIC_PWD)
+
+    def test_client_session_login_timeout(self):
+        self.response['post'].append(requests.exceptions.Timeout)
+        self.assertRaises(cexc.ApicHostNoResponse, self.apic.login,
+                          mocked.APIC_USR, mocked.APIC_PWD)
+
+    def test_client_session_logout_ok(self):
+        self.mock_response_for_post('aaaLogout')
+        self.apic.logout()
+        self.assertIsNone(self.apic.authentication)
+        # Multiple signouts should not cause an error
+        self.apic.logout()
+        self.assertIsNone(self.apic.authentication)
+
+    def test_client_session_logout_fail(self):
+        self._mock_authenticate()
+        self.mock_error_post_response(requests.codes.timeout,
+                                      code='123', text='failed')
+        self.assertRaises(cexc.ApicResponseNotOk, self.apic.logout)
+
+    def test_query_not_logged_in(self):
+        self.apic.authentication = None
+        self.assertRaises(cexc.ApicSessionNotLoggedIn,
+                          self.apic.fvTenant.get, mocked.APIC_TENANT)
+
+    def test_query_no_response(self):
+        self._mock_authenticate()
+        requests.Session.get = mock.Mock(return_value=None)
+        self.assertRaises(cexc.ApicHostNoResponse,
+                          self.apic.fvTenant.get, mocked.APIC_TENANT)
+
+    def test_query_error_response_no_data(self):
+        self._mock_authenticate()
+        self.mock_error_get_response(requests.codes.bad)  # No error attrs.
+        self.assertRaises(cexc.ApicResponseNotOk,
+                          self.apic.fvTenant.get, mocked.APIC_TENANT)
+
+    def test_generic_get_data(self):
+        self._mock_authenticate()
+        self.mock_response_for_get('topSystem', name='ifc1')
+        top_system = self.apic.get_data('class/topSystem')
+        self.assertIsNotNone(top_system)
+        name = top_system[0]['topSystem']['attributes']['name']
+        self.assertEqual(name, 'ifc1')
+
+    def test_session_timeout_refresh_ok(self):
+        self._mock_authenticate(timeout=-1)
+        # Client will do refresh before getting tenant
+        self.mock_response_for_get('aaaLogin', token='ok',
+                                   refreshTimeoutSeconds=300)
+        self.mock_response_for_get('fvTenant', name=mocked.APIC_TENANT)
+        tenant = self.apic.fvTenant.get(mocked.APIC_TENANT)
+        self.assertEqual(tenant['name'], mocked.APIC_TENANT)
+
+    def test_session_timeout_refresh_no_cookie(self):
+        self._mock_authenticate(timeout=-1)
+        # Client will do refresh before getting tenant
+        self.mock_response_for_get('aaaLogin', notoken='test')
+        self.assertRaises(cexc.ApicResponseNoCookie,
+                          self.apic.fvTenant.get, mocked.APIC_TENANT)
+
+    def test_session_timeout_refresh_error(self):
+        self._mock_authenticate(timeout=-1)
+        self.mock_error_get_response(requests.codes.timeout,
+                                     code='503', text=u'timed out')
+        self.assertRaises(cexc.ApicResponseNotOk,
+                          self.apic.fvTenant.get, mocked.APIC_TENANT)
+
+    def test_session_timeout_refresh_timeout_error(self):
+        self._mock_authenticate(timeout=-1)
+        # Client will try to get refresh, we fake a refresh error.
+        self.mock_error_get_response(requests.codes.bad_request,
+                                     code='403',
+                                     text=u'Token was invalid. Expired.')
+        # Client will then try to re-login.
+        self.mock_apic_manager_login_responses()
+        # Finally the client will try to get the tenant.
+        self.mock_response_for_get('fvTenant', name=mocked.APIC_TENANT)
+        tenant = self.apic.fvTenant.get(mocked.APIC_TENANT)
+        self.assertEqual(tenant['name'], mocked.APIC_TENANT)
+
+    def test_lookup_mo_bad_token_retry(self):
+        self._mock_authenticate()
+        # For the first get request we mock a bad token.
+        self.mock_error_get_response(requests.codes.bad_request,
+                                     code='403',
+                                     text=u'Token was invalid. Expired.')
+        # Client will then try to re-login.
+        self.mock_apic_manager_login_responses()
+        # Then the client will retry to get the tenant.
+        self.mock_response_for_get('fvTenant', name=mocked.APIC_TENANT)
+        tenant = self.apic.fvTenant.get(mocked.APIC_TENANT)
+        self.assertEqual(tenant['name'], mocked.APIC_TENANT)
+
+    def test_use_unsupported_managed_object(self):
+        self._mock_authenticate()
+        # unittest.assertRaises cannot catch exceptions raised in
+        # __getattr__, so we need to defer the evaluation using lambda.
+        self.assertRaises(cexc.ApicManagedObjectNotSupported,
+                          lambda: self.apic.nonexistentObject)
+
+    def test_lookup_nonexistant_mo(self):
+        self._mock_authenticate()
+        self.mock_response_for_get('fvTenant')
+        self.assertIsNone(self.apic.fvTenant.get(mocked.APIC_TENANT))
+
+    def test_lookup_existing_mo(self):
+        self._mock_authenticate()
+        self.mock_response_for_get('fvTenant', name='infra')
+        tenant = self.apic.fvTenant.get('infra')
+        self.assertEqual(tenant['name'], 'infra')
+
+    def test_list_mos_ok(self):
+        self._mock_authenticate()
+        self.mock_response_for_get('fvTenant', name='t1')
+        self.mock_append_to_response('fvTenant', name='t2')
+        tlist = self.apic.fvTenant.list_all()
+        self.assertIsNotNone(tlist)
+        self.assertEqual(len(tlist), 2)
+        self.assertIn({'name': 't1'}, tlist)
+        self.assertIn({'name': 't2'}, tlist)
+
+    def test_list_mo_names_ok(self):
+        self._mock_authenticate()
+        self.mock_response_for_get('fvTenant', name='t1')
+        self.mock_append_to_response('fvTenant', name='t2')
+        tnlist = self.apic.fvTenant.list_names()
+        self.assertIsNotNone(tnlist)
+        self.assertEqual(len(tnlist), 2)
+        self.assertIn('t1', tnlist)
+        self.assertIn('t2', tnlist)
+
+    def test_list_mos_split_class_fail(self):
+        self._mock_authenticate()
+        self.mock_response_for_get('fvnsEncapBlk', name='Blk1')
+        encap_blks = self.apic.fvnsEncapBlk__vlan.list_all()
+        self.assertEqual(len(encap_blks), 1)
+
+    def test_delete_mo_ok(self):
+        self._mock_authenticate()
+        self.mock_response_for_post('fvTenant')
+        self.assertTrue(self.apic.fvTenant.delete(mocked.APIC_TENANT))
+
+    def test_create_mo_ok(self):
+        self._mock_authenticate()
+        self.mock_response_for_post('fvTenant', name=mocked.APIC_TENANT)
+        self.mock_response_for_get('fvTenant', name=mocked.APIC_TENANT)
+        self.apic.fvTenant.create(mocked.APIC_TENANT)
+        tenant = self.apic.fvTenant.get(mocked.APIC_TENANT)
+        self.assertEqual(tenant['name'], mocked.APIC_TENANT)
+
+    def test_create_mo_already_exists(self):
+        self._mock_authenticate()
+        self.mock_error_post_response(requests.codes.bad_request,
+                                      code='103',
+                                      text=u'Fake 103 error')
+        self.assertRaises(cexc.ApicResponseNotOk,
+                          self.apic.vmmProvP.create, mocked.APIC_VMMP)
+
+    def test_create_mo_with_prereq(self):
+        self._mock_authenticate()
+        self.mock_response_for_post('fvTenant', name=mocked.APIC_TENANT)
+        self.mock_response_for_post('fvBD', name=mocked.APIC_NETWORK)
+        self.mock_response_for_get('fvBD', name=mocked.APIC_NETWORK)
+        bd_args = mocked.APIC_TENANT, mocked.APIC_NETWORK
+        self.apic.fvBD.create(*bd_args)
+        network = self.apic.fvBD.get(*bd_args)
+        self.assertEqual(network['name'], mocked.APIC_NETWORK)
+
+    def test_create_mo_prereq_exists(self):
+        self._mock_authenticate()
+        self.mock_response_for_post('vmmDomP', name=mocked.APIC_DOMAIN)
+        self.mock_response_for_get('vmmDomP', name=mocked.APIC_DOMAIN)
+        self.apic.vmmDomP.create(mocked.APIC_VMMP, mocked.APIC_DOMAIN)
+        dom = self.apic.vmmDomP.get(mocked.APIC_VMMP, mocked.APIC_DOMAIN)
+        self.assertEqual(dom['name'], mocked.APIC_DOMAIN)
+
+    def test_create_mo_fails(self):
+        self._mock_authenticate()
+        self.mock_response_for_post('fvTenant', name=mocked.APIC_TENANT)
+        self.mock_error_post_response(requests.codes.bad_request,
+                                      code='not103',
+                                      text=u'Fake not103 error')
+        bd_args = mocked.APIC_TENANT, mocked.APIC_NETWORK
+        self.assertRaises(cexc.ApicResponseNotOk,
+                          self.apic.fvBD.create, *bd_args)
+
+    def test_update_mo(self):
+        self._mock_authenticate()
+        self.mock_response_for_post('fvTenant', name=mocked.APIC_TENANT)
+        self.mock_response_for_get('fvTenant', name=mocked.APIC_TENANT,
+                                   more='extra')
+        self.apic.fvTenant.update(mocked.APIC_TENANT, more='extra')
+        tenant = self.apic.fvTenant.get(mocked.APIC_TENANT)
+        self.assertEqual(tenant['name'], mocked.APIC_TENANT)
+        self.assertEqual(tenant['more'], 'extra')
+
+    def test_attr_fail_empty_list(self):
+        self._mock_authenticate()
+        self.mock_response_for_get('fvTenant')  # No attrs for tenant.
+        self.assertIsNone(self.apic.fvTenant.get(mocked.APIC_TENANT))
+
+    def test_attr_fail_other_obj(self):
+        self._mock_authenticate()
+        self.mock_response_for_get('other', name=mocked.APIC_TENANT)
+        self.assertIsNone(self.apic.fvTenant.get(mocked.APIC_TENANT))
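Review bot: `test_client_session_login_ok` pins `http://` as the scheme for `RestClient(mocked.APIC_HOST)`, so the client that sends the username and password in `login` appears to use plaintext unless the caller passes `ssl=True`. None of the options registered in config.py in this patch selects the scheme, so unless part 2 hard-codes it, a deployment apparently cannot enable TLS from configuration. I would default the client to HTTPS, or add an option (suggested name `apic_use_ssl`, default True) and flip the two `startswith` assertions here to match. This file also has no test for the certificate-verification setting the client hands to `requests`, which should be covered once the default is decided.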
diff --git a/neutron/tests/unit/ml2/drivers/cisco/apic/test_cisco_apic_common.py b/neutron/tests/unit/ml2/drivers/cisco/apic/test_cisco_apic_common.py
new file mode 100644
index 00000000000..3c42b98aca3
--- /dev/null
+++ b/neutron/tests/unit/ml2/drivers/cisco/apic/test_cisco_apic_common.py
@@ -0,0 +1,225 @@
+# Copyright (c) 2014 Cisco Systems
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+# @author: Henry Gessau, Cisco Systems
+
+import mock
+import requests
+
+from oslo.config import cfg
+
+from neutron.common import config as neutron_config
+from neutron.plugins.ml2 import config as ml2_config
+from neutron.plugins.ml2.drivers.cisco.apic import apic_client as apic
+from neutron.tests.unit import test_api_v2
+
+
+OK = requests.codes.ok
+
+APIC_HOST = 'fake.controller.local'
+APIC_PORT = 7580
+APIC_USR = 'notadmin'
+APIC_PWD = 'topsecret'
+
+APIC_TENANT = 'citizen14'
+APIC_NETWORK = 'network99'
+APIC_NETNAME = 'net99name'
+APIC_SUBNET = '10.3.2.1/24'
+APIC_L3CTX = 'layer3context'
+APIC_AP = 'appProfile001'
+APIC_EPG = 'endPointGroup001'
+
+APIC_CONTRACT = 'signedContract'
+APIC_SUBJECT = 'testSubject'
+APIC_FILTER = 'carbonFilter'
+APIC_ENTRY = 'forcedEntry'
+
+APIC_VMMP = 'OpenStack'
+APIC_DOMAIN = 'cumuloNimbus'
+APIC_PDOM = 'rainStorm'
+
+APIC_NODE_PROF = 'red'
+APIC_LEAF = 'green'
+APIC_LEAF_TYPE = 'range'
+APIC_NODE_BLK = 'blue'
+APIC_PORT_PROF = 'yellow'
+APIC_PORT_SEL = 'front'
+APIC_PORT_TYPE = 'range'
+APIC_PORT_BLK1 = 'block01'
+APIC_PORT_BLK2 = 'block02'
+APIC_ACC_PORT_GRP = 'alpha'
+APIC_FUNC_PROF = 'beta'
+APIC_ATT_ENT_PROF = 'delta'
+APIC_VLAN_NAME = 'gamma'
+APIC_VLAN_MODE = 'dynamic'
+APIC_VLANID_FROM = 2900
+APIC_VLANID_TO = 2999
+APIC_VLAN_FROM = 'vlan-%d' % APIC_VLANID_FROM
+APIC_VLAN_TO = 'vlan-%d' % APIC_VLANID_TO
+
+
+class ControllerMixin(object):
+
+    """Mock the controller for APIC driver and service unit tests."""
+
+    def __init__(self):
+        self.response = None
+
+    def set_up_mocks(self):
+        # The mocked responses from the server are lists used by
+        # mock.side_effect, which means each call to post or get will
+        # return the next item in the list. This allows the test cases
+        # to stage a sequence of responses to method(s) under test.
+        self.response = {'post': [], 'get': []}
+        self.reset_reponses()
+
+    def reset_reponses(self, req=None):
+        # Clear all staged responses.
+        reqs = req and [req] or ['post', 'get']  # Both if none specified.
+        for req in reqs:
+            del self.response[req][:]
+            self.restart_responses(req)
+
+    def restart_responses(self, req):
+        responses = mock.MagicMock(side_effect=self.response[req])
+        if req == 'post':
+            requests.Session.post = responses
+        elif req == 'get':
+            requests.Session.get = responses
+
+    def mock_response_for_post(self, mo, **attrs):
+        attrs['debug_mo'] = mo  # useful for debugging
+        self._stage_mocked_response('post', OK, mo, **attrs)
+
+    def mock_response_for_get(self, mo, **attrs):
+        self._stage_mocked_response('get', OK, mo, **attrs)
+
+    def mock_append_to_response(self, mo, **attrs):
+        # Append a MO to the last get response.
+        mo_attrs = attrs and {mo: {'attributes': attrs}} or {}
+        self.response['get'][-1].json.return_value['imdata'].append(mo_attrs)
+
+    def mock_error_post_response(self, status, **attrs):
+        self._stage_mocked_response('post', status, 'error', **attrs)
+
+    def mock_error_get_response(self, status, **attrs):
+        self._stage_mocked_response('get', status, 'error', **attrs)
+
+    def _stage_mocked_response(self, req, mock_status, mo, **attrs):
+        response = mock.MagicMock()
+        response.status_code = mock_status
+        mo_attrs = attrs and [{mo: {'attributes': attrs}}] or []
+        response.json.return_value = {'imdata': mo_attrs}
+        self.response[req].append(response)
+
+    def mock_responses_for_create(self, obj):
+        self._mock_container_responses_for_create(
+            apic.ManagedObjectClass(obj).container)
+        name = '-'.join([obj, 'name'])  # useful for debugging
+        self._stage_mocked_response('post', OK, obj, name=name)
+
+    def _mock_container_responses_for_create(self, obj):
+        # Recursively generate responses for creating obj's containers.
+        if obj:
+            mo = apic.ManagedObjectClass(obj)
+            if mo.can_create:
+                if mo.container:
+                    self._mock_container_responses_for_create(mo.container)
+                name = '-'.join([obj, 'name'])  # useful for debugging
+                self._stage_mocked_response('post', OK, obj, debug_name=name)
+
+    def mock_apic_manager_login_responses(self, timeout=300):
+        # APIC Manager tests are based on authenticated session
+        self.mock_response_for_post('aaaLogin', userName=APIC_USR,
+                                    token='ok', refreshTimeoutSeconds=timeout)
+
+    def assert_responses_drained(self, req=None):
+        """Fail if all the expected responses have not been consumed."""
+        request = {'post': self.session.post, 'get': self.session.get}
+        reqs = req and [req] or ['post', 'get']  # Both if none specified.
+        for req in reqs:
+            try:
+                request[req]('some url')
+            except StopIteration:
+                pass
+            else:
+                # User-friendly error message
+                msg = req + ' response queue not drained'
+                self.fail(msg=msg)
+
+
+class ConfigMixin(object):
+
+    """Mock the config for APIC driver and service unit tests."""
+
+    def __init__(self):
+        self.mocked_parser = None
+
+    def set_up_mocks(self):
+        # Mock the configuration file
+        args = ['--config-file', test_api_v2.etcdir('neutron.conf.test')]
+        neutron_config.parse(args=args)
+
+        # Configure the ML2 mechanism drivers and network types
+        ml2_opts = {
+            'mechanism_drivers': ['apic'],
+            'tenant_network_types': ['vlan'],
+        }
+        for opt, val in ml2_opts.items():
+                ml2_config.cfg.CONF.set_override(opt, val, 'ml2')
+
+        # Configure the Cisco APIC mechanism driver
+        apic_test_config = {
+            'apic_host': APIC_HOST,
+            'apic_username': APIC_USR,
+            'apic_password': APIC_PWD,
+            'apic_port': APIC_PORT,
+            'apic_vmm_domain': APIC_DOMAIN,
+            'apic_vlan_ns_name': APIC_VLAN_NAME,
+            'apic_vlan_range': '%d:%d' % (APIC_VLANID_FROM, APIC_VLANID_TO),
+            'apic_node_profile': APIC_NODE_PROF,
+            'apic_entity_profile': APIC_ATT_ENT_PROF,
+            'apic_function_profile': APIC_FUNC_PROF,
+        }
+        for opt, val in apic_test_config.items():
+            cfg.CONF.set_override(opt, val, 'ml2_cisco_apic')
+
+        apic_switch_cfg = {
+            'apic_switch:east01': {'ubuntu1,ubuntu2': ['3/11']},
+            'apic_switch:east02': {'rhel01,rhel02': ['4/21'],
+                                   'rhel03': ['4/22']},
+        }
+        self.mocked_parser = mock.patch.object(cfg,
+                                               'MultiConfigParser').start()
+        self.mocked_parser.return_value.read.return_value = [apic_switch_cfg]
+        self.mocked_parser.return_value.parsed = [apic_switch_cfg]
+
+
+class DbModelMixin(object):
+
+    """Mock the DB models for the APIC driver and service unit tests."""
+
+    def __init__(self):
+        self.mocked_session = None
+
+    def set_up_mocks(self):
+        self.mocked_session = mock.Mock()
+        get_session = mock.patch('neutron.db.api.get_session').start()
+        get_session.return_value = self.mocked_session
+
+    def mock_db_query_filterby_first_return(self, value):
+        """Mock db.session.query().filterby().first() to return value."""
+        query = self.mocked_session.query.return_value
+        query.filter_by.return_value.first.return_value = value
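Review bot: `ControllerMixin.restart_responses` assigns the mocks straight onto the class (`requests.Session.post = responses`, `requests.Session.get = responses`), and nothing restores the real methods afterwards. The `self.addCleanup(mock.patch.stopall)` in `TestCiscoApicClient.setUp` only undoes patches created with `mock.patch(...).start()`, so it does not cover these assignments, nor the direct `requests.Session.get = mock.Mock(return_value=None)` in `test_query_no_response`. Any later test in the same process that uses `requests.Session` then gets an exhausted mock instead of the real method. Starting the patches once in `set_up_mocks` and only re-arming `side_effect` in `restart_responses` keeps the staging behaviour and lets `stopall` restore the originals. `assert_responses_drained` also reads `self.session`, which this mixin never sets, so it presumably depends on the class that mixes it in.

```python
    def set_up_mocks(self):
        # … unchanged: comment and self.response initialisation …
        self.mocked_request = {
            'post': mock.patch.object(requests.Session, 'post').start(),
            'get': mock.patch.object(requests.Session, 'get').start(),
        }
        self.reset_reponses()

    def restart_responses(self, req):
        # Re-arm the patched method so it yields the staged responses in order.
        self.mocked_request[req].side_effect = self.response[req]
```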