Cisco CSR1000V, VMware, and RESTful APIs


  1. Cisco Cloud Services Router 1000V. Special Guest Topics: VMware, onePK, RESTful API. 2/13/2014, Tanner
  2. What is it?
      • Router in virtual form factor
      • Runs IOS-XE (Linux-Based)
        – Same base OS as ASR1k, WLC 5760
      • Part of Cisco’s virtual portfolio
        – Nexus 1000V, ASA 1000V, CSR 1000V
      • IP/Ethernet Traffic Only
        – No T1/PRI/DSP/WIC modules
      • Supported on
        – VMware ESXi
        – Amazon AMI
        – Citrix XenServer
        – Red Hat KVM
  3. Feature Comparison

      | Cisco 892                   | Cisco CSR1000V                      |
      |-----------------------------|-------------------------------------|
      | CBAC/IOS Firewall           | Zone-Based Firewall                 |
      | AAA Legacy & New Format     | AAA New Format                      |
      | Netflow Top Talkers         | FNF Top N Talkers                   |
      | Adv. IP Services (Included) | Feature, Throughput, Term Licensing |
      | (2) L3 Interfaces           | Unlimited* L3 Interfaces            |
      | (8) L2 Switchports          | Not Supported                       |
      | Max Throughput: 51Mbps      | Max Throughput: 1Gbps*              |

      * up to maximum supported by hypervisor
  4. Virtual Machine Hypervisor Add NICs, Memory, etc. to VM VMware ESXi 5.1 Virtually sit at VM console screen
  5. • DAS
      • NFS
      • iSCSI
      • Fibre Channel
  6. ZONE-BASED FIREWALL
  7. CBAC vs ZBFW

      | CBAC / IOS Firewall                                  | Zone Based Firewall                         |
      |------------------------------------------------------|---------------------------------------------|
      | Interface Based Configuration                        | Zone Based Configuration                    |
      | Controls Inbound and Outbound access on an interface | Controls Bidirectional access between zones |
      | Uses inspect statements and stateful ACLs            | Uses Class-Based Policy language            |
      | Not Supported                                        | Support Application Inspection and Control  |
      | Support from IOS Release 11.2                        | Support from IOS Release 12.4(6)T           |
      | Default “permit all” policy                          | Default “deny all” policy                   |
  8. Configuration Example

      ip access-list extended ACL-INSIDE-TO-VPN
       remark --- Allow Mgmt Ports
       permit udp any any eq snmptrap
       ...
      class-map type inspect match-any CLASS-ZBF-INSIDE-TO-VPN
       match access-group name ACL-INSIDE-TO-VPN
      policy-map type inspect POLICY-ZBF-INSIDE-TO-VPN
       class type inspect CLASS-ZBF-INSIDE-TO-VPN
        inspect
       class class-default
        drop log
      interface GigabitEthernet2
       description Customer Inside/Internal
       zone-member security INSIDE
      interface Tunnel1
       description VPN Headend
       zone-member security VPN
      zone-pair security ZP-INSIDE-TO-VPN source INSIDE destination VPN
       service-policy type inspect POLICY-ZBF-INSIDE-TO-VPN
  9. • CSR1k VM hosted inside
        – Your own server
        – Your hosted server
        – Cloud service provider server (AWS)
  10. PROGRAMMATIC ACCESS: onePK and RESTful APIs
  11. What is an API?
      • Interface implemented by an application which allows other applications to communicate with it
      • Examples
        – Microsoft SharePoint (REST API)
          https://my.sharepoint.local/_api/web/lists/getByTitle('sales')/items
  12. Representational State Transfer (REST)
      • Uses HTTP/S
      • Verbs / Request Methods
        – HTTP GET, POST (Create), PUT (Replace), DELETE

      Request

          GET https://172.30.0.123/api/v1/global/local-users

      Response

          HTTP/1.1 200 OK
          {
            "kind": "collection#local-user",
            "users": [{
              "username": "cisco",
              "privilege": 15,
              "kind": "object#local-user",
              "pw-type": 0
            }]
          }
  13. Cisco APIs
      RESTful
      • CIMC XML
      • Cisco ISE
      • Cisco Prime Infrastructure
      • Cisco CSR1000V
      • Cisco Nexus 1000V
      • onePK (“Coming Soon”)
      • Application Centric Infrastructure (ACI)
      SOAP/WSDL
      • Cisco ACS
      • Cisco Mobility Services
      • Cisco UCM
      • Cisco UCS Manager
  14. One Platform Kit
      • onePK is a device level API for Cisco’s core operating systems
  15. Current Uses of onePK
      Common Use Cases
      • Custom Routing and Traffic Steering
      • Custom Traffic Analytics
      • Network Automation
      • Health Monitoring
      • Policy Control
      • Security
      • Threat Mitigation
      • Data Center Orchestration
      • NMS/OSS Integration
      Specific Applications
      • Configuration and verification tool
      • Topology mapping and device location mapping monitor
      • Path trace network monitoring
      • Programming application routes based on utilization/latency/cost
      • Custom encryption of selected traffic
  16. LAB
      • Configure & Install CSR1000V - 30 mins
      • Configure & Use RESTful API - 30 mins
  17. Lab Summary
      • Configure VMware Networking
      • Deploy OVA from Template
      • Configure Router
      • Configure Zone-Based Firewall
      • Configure RESTful API
      • Use REST GET/POST to add & remove a NAT
      See lab guide for details
  18. Lab Diagram
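  19. Lab Routers

      vSphere Client: 172.18.31.200

      | Rtr # | Mgmt Zone    | DMZ Zone (Shared) | Restricted Zone | API IP        |
      |-------|--------------|-------------------|-----------------|---------------|
      | 1     | 172.18.30.16 | 10.228.32.16      | 10.66.0.1       | 172.18.30.116 |
      | 2     | 172.18.30.17 | 10.228.32.17      | 10.66.0.2       | 172.18.30.117 |
      | 3     |              |                   |                 |               |
      | 4     |              |                   |                 |               |
      | 5     |              |                   |                 |               |
      | 6     |              |                   |                 |               |
      | 7     |              |                   |                 |               |
      | 8     |              |                   |                 |               |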
  20. APPENDIX A: Installing CSR1000V on UCS with VMware 5.1 ESXi Hypervisor
  21. Configure VMware Networking
  22. Deploy OVA Template
  23. APPENDIX B: Enabling RESTful API using CLI
  24. Enable RESTful API (3.11S)

      interface GigabitEthernet1
       description Router Management
       ip address 172.28.32.xx 255.255.255.0
       negotiation auto
      interface VirtualPortGroup0
       description RESTful API
       ip unnumbered GigabitEthernet1
      virtual-service csr_mgmt
       vnic gateway VirtualPortGroup0
        guest ip address 172.28.32.1xx
       activate
      ip route 172.28.32.1xx 255.255.255.255 VirtualPortGroup0 name CSR1000V-REST-API
  25. Using RESTful Method

      # In every command below, --insecure disables certificate verification and -3 forces SSLv3.

      • Request 8-Hour Authentication Token

          curl -v -X POST https://172.18.32.1xx/api/v1/auth/token-services \
            -H "Accept:application/json" -u "cisco:cisco" -d "" --insecure -3

      • Get Local User List

          curl -v -H "Accept:application/json" \
            -H "X-AuthToken:I4i1StrkzobKpj4L0G+V1A30Ves77l5DUaPzFveSHK8=" \
            -H "content-type: application/json" \
            -X GET https://172.18.32.1xx/api/v1/global/local-users --insecure -3

      • Get NAT Translations

          curl -v -H "Accept:application/json" \
            -H "X-AuthToken:I4i1StrkzobKpj4L0G+V1A30Ves77l5DUaPzFveSHK8=" \
            -H "content-type: application/json" \
            -X GET https://172.18.32.1xx/api/v1/nat-svc/translations --insecure -3

      • Add New NAT Translation

          curl -v -H "Accept:application/json" \
            -H "X-AuthToken:I4i1StrkzobKpj4L0G+V1A30Ves77l5DUaPzFveSHK8=" \
            -H "content-type: application/json" \
            -X POST https://172.18.32.1xx/api/v1/nat-svc/static \
            -d '{"nat-rule-id": "phx-router01", "mode": "inside-source", "ip-mapping": {"local-ip": "172.18.99.99", "global-ip": "10.14.1.1"}}' \
            --insecure -3

        IOS configuration line shown on the slide:

          ip nat name phx-router01 inside source static 172.18.99.99 10.14.1.1
  26. APPENDIX C: Enabling onePK on IOS
  27. Enabling onePK
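
Added example (not from the slides): the token and static-NAT calls from slide 25 as a Python client that verifies the router certificate instead of using `--insecure -3`. Assumptions: the API certificate chains to a CA you supply (or a system CA), the endpoint accepts TLS 1.2, and the token response carries the token in a `token-id` field, which the slides do not show.

```python
import base64
import json
import ssl
import urllib.request

def tls_context(ca_file=None):
    """TLS settings for the API: certificate and hostname are verified."""
    ctx = ssl.create_default_context(cafile=ca_file)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # assumption: endpoint supports TLS 1.2
    return ctx

def token_request(base, user, password):
    """POST <base>/auth/token-services with HTTP Basic credentials and an empty body."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{base}/auth/token-services", data=b"", method="POST",
        headers={"Accept": "application/json", "Authorization": f"Basic {cred}"})

def static_nat_request(base, token, rule_id, local_ip, global_ip):
    """POST <base>/nat-svc/static with the JSON body used on the slide."""
    body = {"nat-rule-id": rule_id, "mode": "inside-source",
            "ip-mapping": {"local-ip": local_ip, "global-ip": global_ip}}
    return urllib.request.Request(
        f"{base}/nat-svc/static", data=json.dumps(body).encode(), method="POST",
        headers={"Accept": "application/json", "Content-Type": "application/json",
                 "X-AuthToken": token})

def send(req, ctx):
    """Send a prepared request; a certificate failure raises instead of being ignored."""
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def add_static_nat(base, user, password, rule, ca_file=None):
    """Token request followed by the NAT POST; rule = (rule_id, local_ip, global_ip)."""
    ctx = tls_context(ca_file)
    token = send(token_request(base, user, password), ctx)["token-id"]  # assumed field name
    return send(static_nat_request(base, token, *rule), ctx)
```

`base` is the API root, for example `https://<API IP>/api/v1`; keep the credentials and the returned token out of shell history and scripts, since the token grants API access until it expires.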
