Cisco CSR1000V, VMware, and RESTful APIs
Cisco Cloud Services Router 1000V
Special Guest Topics: VMware, onePK, RESTful API
2/13/2014
Tanner
What is it?
• Router in virtual form factor
• Runs IOS-XE (Linux-based)
  – Same base OS as ASR1k, WLC 5760
• Part of Cisco's virtual portfolio
  – Nexus 1000V, ASA 1000V, CSR 1000V
• IP/Ethernet traffic only
  – No T1/PRI/DSP/WIC modules
• Supported on
  – VMware ESXi
  – Amazon AMI
  – Citrix XenServer
  – Red Hat KVM
Feature Comparison

Cisco 892                        Cisco CSR1000V
CBAC/IOS Firewall                Zone-Based Firewall
AAA Legacy & New Format          AAA New Format
Netflow Top Talkers              FNF Top N Talkers
Adv. IP Services (Included)      Feature, Throughput, Term Licensing
(2) L3 Interfaces                Unlimited* L3 Interfaces
(8) L2 Switchports               Not Supported
Max Throughput: 51 Mbps          Max Throughput: 1 Gbps*

* up to maximum supported by hypervisor
VMware ESXi 5.1

[Diagram: Virtual Machine running on the Hypervisor; add NICs, memory, etc. to the VM; virtually sit at the VM console screen. Storage: DAS, NFS, iSCSI, Fibre Channel]
ZONE-BASED FIREWALL

CBAC vs ZBFW

CBAC / IOS Firewall                                   Zone-Based Firewall
Interface-based configuration                         Zone-based configuration
Controls inbound and outbound access on an interface  Controls bidirectional access between zones
Uses inspect statements and stateful ACLs             Uses Class-Based Policy language
Not supported                                         Supports Application Inspection and Control
Support from IOS Release 11.2                         Support from IOS Release 12.4(6)T
Default "permit all" policy                           Default "deny all" policy
Configuration Example

ip access-list extended ACL-INSIDE-TO-VPN
 remark --- Allow Mgmt Ports
 permit udp any any eq snmptrap
 ...
!
class-map type inspect match-any CLASS-ZBF-INSIDE-TO-VPN
 match access-group name ACL-INSIDE-TO-VPN
!
policy-map type inspect POLICY-ZBF-INSIDE-TO-VPN
 class type inspect CLASS-ZBF-INSIDE-TO-VPN
  inspect
 class class-default
  drop log
!
! Zones must exist before an interface can be made a member of them
zone security INSIDE
zone security VPN
!
interface GigabitEthernet2
 description Customer Inside/Internal
 zone-member security INSIDE
!
interface Tunnel1
 description VPN Headend
 zone-member security VPN
!
zone-pair security ZP-INSIDE-TO-VPN source INSIDE destination VPN
 service-policy type inspect POLICY-ZBF-INSIDE-TO-VPN
• CSR1k VM hosted inside
  – Your own server
  – Your hosted server
  – Cloud service provider server (AWS)
PROGRAMMATIC ACCESS
onePK and RESTful APIs
What is an API?
• Interface implemented by an application which allows other applications to communicate with it
• Examples
  – Microsoft SharePoint (REST API)
    https://my.sharepoint.local/_api/web/lists/getByTitle('sales')/items
Representational State Transfer (REST)
• Uses HTTP/S
• Verbs / Request Methods
  – HTTP GET, POST (Create), PUT (Replace), DELETE

Request
GET https://172.30.0.123/api/v1/global/local-users

Response
HTTP/1.1 200 OK
{
  "kind": "collection#local-user",
  "users": [
    {
      "username": "cisco",
      "privilege": 15,
      "kind": "object#local-user",
      "pw-type": 0
    }
  ]
}
Cisco APIs

RESTful
• CIMC XML
• Cisco ISE
• Cisco Prime Infrastructure
• Cisco CSR1000V
• Cisco Nexus 1000V
• onePK ("Coming Soon")
• Application Centric Infrastructure (ACI)

SOAP/WSDL
• Cisco ACS
• Cisco Mobility Services
• Cisco UCM
• Cisco UCS Manager
One Platform Kit
• onePK is a device-level API for Cisco's core operating systems
Current Uses of onePK

Common Use Cases
• Custom Routing and Traffic Steering
• Custom Traffic Analytics
• Network Automation
• Health Monitoring
• Policy Control
• Security
• Threat Mitigation
• Data Center Orchestration
• NMS/OSS Integration

Specific Applications
• Configuration and verification tool
• Topology mapping and device location mapping monitor
• Path trace network monitoring
• Programming application routes based on utilization/latency/cost
• Custom encryption of selected traffic
LAB
Configure & Install CSR1000V - 30 mins
Configure & Use RESTful API - 30 mins
Lab Summary
• Configure VMware Networking
• Deploy OVA from Template
• Configure Router
• Configure Zone-Based Firewall
• Configure RESTful API
• Use REST GET/POST to add & remove a NAT

See lab guide for details
Lab Diagram

Lab Routers

Rtr #  Mgmt Zone      DMZ Zone (Shared)  Restricted Zone  API IP
1      172.18.30.16   10.228.32.16       10.66.0.1        172.18.30.116
2      172.18.30.17   10.228.32.17       10.66.0.2        172.18.30.117
3
4
5
6
7
8

vSphere Client: 172.18.31.200
APPENDIX A
Installing CSR1000V on UCS with VMware 5.1 ESXi Hypervisor
Configure VMware Networking
Deploy OVA Template
APPENDIX B
Enabling RESTful API using CLI

Enable RESTful API (3.11S)

interface GigabitEthernet1
 description Router Management
 ip address 172.28.32.xx 255.255.255.0
 negotiation auto
!
interface VirtualPortGroup0
 description RESTful API
 ip unnumbered GigabitEthernet1
!
virtual-service csr_mgmt
 vnic gateway VirtualPortGroup0
  guest ip address 172.28.32.1xx
 activate
!
ip route 172.28.32.1xx 255.255.255.255 VirtualPortGroup0 name CSR1000V-REST-API
Using RESTful Method

• Request 8-Hour Authentication Token
curl -v -X POST https://172.18.32.1xx/api/v1/auth/token-services -H "Accept:application/json" -u "cisco:cisco" -d "" --insecure -3

• Get Local User List
curl -v -H "Accept:application/json" -H "X-Auth-Token:I4i1StrkzobKpj4L0G+V1A30Ves77l5DUaPzFveSHK8=" -H "content-type: application/json" -X GET https://172.18.32.1xx/api/v1/global/local-users --insecure -3

• Get NAT Translations
curl -v -H "Accept:application/json" -H "X-Auth-Token:I4i1StrkzobKpj4L0G+V1A30Ves77l5DUaPzFveSHK8=" -H "content-type: application/json" -X GET https://172.18.32.1xx/api/v1/nat-svc/translations --insecure -3

• Add New NAT Translation
curl -v -H "Accept:application/json" -H "X-Auth-Token:I4i1StrkzobKpj4L0G+V1A30Ves77l5DUaPzFveSHK8=" -H "content-type: application/json" -X POST https://172.18.32.1xx/api/v1/nat-svc/static -d '{"nat-rule-id": "phx-router01", "mode": "inside-source", "ip-mapping": { "local-ip": "172.18.99.99", "global-ip": "10.14.1.1"} }' --insecure -3

Equivalent CLI configuration produced on the router:
ip nat name phx-router01 inside source static 172.18.99.99 10.14.1.1
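The same token-then-call flow as the curl commands above (and the GET /local-users exchange on the REST slide), written as an added Python client rather than anything from the slides or from Cisco. It keeps certificate verification on (the lab's "--insecure -3" flags disable it and force SSLv3), validates the NAT addresses before sending, and carries an offline FakeRouter stand-in that enforces the X-Auth-Token header so the whole exchange can be exercised without a CSR1000V. Assumptions: the host 172.18.32.1xx is the slides' placeholder, the token is returned in a "token-id" field (not shown on the slides), and the sample responses are constructed to match the shapes the slides show.

```python
"""Client for the CSR1000V RESTful API flow on the slides: POST for a token
with basic auth, then GET/POST endpoints with X-Auth-Token.
Added example, not Cisco code; the "token-id" response field is assumed."""
import base64
import ipaddress
import json
import ssl
import urllib.request

# Placeholder host copied from the slides; substitute the router's API IP.
API_BASE = "https://172.18.32.1xx"

# Constructed sample shaped like the GET /api/v1/global/local-users
# response on the slides (not a live capture).
SAMPLE_LOCAL_USERS = {
    "kind": "collection#local-user",
    "users": [{"username": "cisco", "privilege": 15,
               "kind": "object#local-user", "pw-type": 0}],
}


def urllib_transport(method, url, headers, body, cafile=None):
    """Send one HTTPS request; return (status, parsed JSON or {}).
    Verification stays on: pass cafile= for the router's self-signed cert
    instead of switching checks off the way 'curl --insecure -3' does."""
    ctx = ssl.create_default_context(cafile=cafile)
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read().decode()
        return resp.status, (json.loads(raw) if raw else {})


def nat_rule_body(rule_id, local_ip, global_ip):
    """Body for POST /api/v1/nat-svc/static; bad addresses fail here, not on the router."""
    ipaddress.IPv4Address(local_ip)
    ipaddress.IPv4Address(global_ip)
    return {"nat-rule-id": rule_id, "mode": "inside-source",
            "ip-mapping": {"local-ip": local_ip, "global-ip": global_ip}}


def nat_rule_to_cli(body):
    """The IOS-XE 'ip nat name ...' line the slides pair with this POST body."""
    m = body["ip-mapping"]
    mode = body["mode"].replace("-", " ")
    return f"ip nat name {body['nat-rule-id']} {mode} static {m['local-ip']} {m['global-ip']}"


class CsrRestClient:
    def __init__(self, base_url, username, password, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.basic = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.transport = transport
        self.token = None  # valid for 8 hours per the slides

    def _call(self, method, path, body=None, auth_header=None):
        headers = {"Accept": "application/json", "Content-Type": "application/json"}
        if auth_header:
            headers["Authorization"] = auth_header
        elif self.token:
            headers["X-Auth-Token"] = self.token
        status, doc = self.transport(method, self.base_url + path, headers, body)
        if status not in (200, 201):
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return status, doc

    def get_token(self):
        # Basic auth and an empty body, exactly as the curl command sends it.
        _, doc = self._call("POST", "/api/v1/auth/token-services", body="",
                            auth_header="Basic " + self.basic)
        self.token = doc["token-id"]  # assumed field name
        return self.token

    def local_users(self):
        _, doc = self._call("GET", "/api/v1/global/local-users")
        return [u["username"] for u in doc.get("users", [])]

    def add_static_nat(self, rule_id, local_ip, global_ip):
        body = nat_rule_body(rule_id, local_ip, global_ip)
        status, _ = self._call("POST", "/api/v1/nat-svc/static", body=json.dumps(body))
        return status


class FakeRouter:
    """Offline stand-in for the router: records every request, rejects calls
    without the issued token, answers with the constructed samples."""
    TOKEN = "constructed-token-value"

    def __init__(self):
        self.requests = []
        self.static_rules = []

    def __call__(self, method, url, headers, body):
        self.requests.append((method, url, headers, body))
        path = url.split("/api/v1/", 1)[1]
        if path == "auth/token-services" and method == "POST":
            ok = headers.get("Authorization", "").startswith("Basic ")
            return (200, {"kind": "object#auth-token", "token-id": self.TOKEN}) if ok else (401, {})
        if headers.get("X-Auth-Token") != self.TOKEN:
            return 401, {}  # no valid token: every other endpoint is refused
        if path == "global/local-users":
            return 200, SAMPLE_LOCAL_USERS
        if path == "nat-svc/static" and method == "POST":
            self.static_rules.append(json.loads(body))
            return 201, {}
        return 404, {}


if __name__ == "__main__":
    router = FakeRouter()
    client = CsrRestClient(API_BASE, "cisco", "cisco", transport=router)
    client.get_token()
    print("users:", client.local_users())
    client.add_static_nat("phx-router01", "172.18.99.99", "10.14.1.1")
    print("router now holds:", nat_rule_to_cli(router.static_rules[0]))
```

Against a real router, construct the client with the default urllib transport and pass the router's certificate via cafile= on a small wrapper, or add it to the system trust store; the FakeRouter is only there so the request sequence and the token check can be seen end to end without lab hardware.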
APPENDIX C
Enabling onePK on IOS
Enabling onePK