
API Deep Dive: APIC EM Rest API

The APIC Enterprise Module provides a single point of control to simplify the operation of your enterprise network. The heart of the controller is a rich policy engine that translates higher-order business intent into network configuration. The controller exposes a rich REST-based API that allows other applications to take advantage of the controller's capabilities and unlock the power of the underlying network infrastructure. This session will present the basic constructs of the controller, such as the policy engine, and the capabilities of the REST API. There will be examples of how these capabilities can be integrated into other applications to simplify operations, improve security and enhance user experience. Taught by Adam Radford.

Published in: Technology

  1. DevNet @
  2. API Deep Dive: APIC EM Rest API. DevNet-1007. Adam Radford – Distinguished Systems Engineer
  3. © 2014 Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public. Agenda • Introduction • Quick Tour • Use cases
  4. Common Policy will Drive End-to-End Solutions. Consistent Policy Across Cloud, DC, WAN and Access. Application Network Profile: SLA, Security, QoS, Load Balancing. User/Things Network Profile: QoS, Security, SLA, Device. Diagram labels: Cloud, Data Center, WAN, Access; APIC.
  5. Introducing Cisco APIC Enterprise Module: Advanced Visualization for low risk SDN adoption; Elastic Services for scalability & HA; Existing & New Installations (Catalyst, ISR, ASR); Agile Integration Model; Network Abstraction and Automation. APIC: Masking Network Complexity, Exposing Network Intelligence.
  6. Cisco APIC Enterprise Module Architecture: Abstracts Network Devices to Mask Complexity; Treat Network as a System; Exposes Network Intelligence For Business Innovation. Diagram labels: Cisco APIC Enterprise Module; Cisco and Third Party Applications; Network Devices (Catalyst, ASR, ISR); Network Info Database; Policy Infrastructure; Automation; REST API; Southbound Interface: CLI; Security; QoS; IWAN; Network PnP.
  7. APIC-EM: Services Layered View. Diagram labels: NB REST API Pxgrid Client + LDAP client Radius Proxy + LDAP client Inventory Topology Policy Analysis PnP Network Discovery Network Programmer Policy Programmer (QoS, ACL) Network Tapping Easy QoS Network Events Policy Manager Conflict Detection and Resolution (BI and NI) Business Intent to Network Intent Conversion NETWORK MODEL DEVICE MODEL DEVICE INTERFACE Application Visibility PfR APIC-EM Services APIC-EM Apps IWAN Services APIC-EM Services IWAN Services Basic Services for Controller Availability Inventory Visualizer Topology Visualizer Application Visualizer Discovery Easy QoS Visualizer Compliance Check ACL Visualizer Network PnP Network Tapping Visualizer Policy Manager
  8. Quick Tour APIC-EM API
  9. RESTful services exposed
  10. Understanding the tables. Network device: {"id": "7895a45f-47aa-42ee-9d06-c66d3b784594", "hostname": "SDN-BRANCH-3750-STACK", "managementIpAddress": "40.0.2.18", "macAddress": "1C:DF:0F:08:20:C2", "type": "SWITCH", "vendor": "Cisco", "family": "C3750X", "serialNumber": "FDO1432K0MC", "platformId": "WS-C3750X-48P", "softwareVersion": "15.2(1)E2", "imageName": "c3750e-universalk9-mz.152-1.E2.bin", "upTime": "26 weeks, 3 hours, 8 minutes", "memorySize": "262144K", "interfaceCount": "109", "role": "Access", "roleSource": "auto", "lineCardCount": "5", "lineCardId": "3220b22a-a74c-4f9e-9898-c9afc01dc5dd,9ef0da99-963c-4289-9087-7f861c969ea3,e5b911e4-2c1c-4a95-9214-dd9877dd2b92,f5996432-3c89-4045-ac8b-46a6bf873845", "lastUpdated": "2014-09-29 16:19:17.627273-07", "portRange": "FastEthernet0, Vlan1, GigabitEthernet1/0/1-48, GigabitEthernet1/1/1-4, GigabitEthernet2/0/1-48, GigabitEthernet2/1/1-4, TenGigabitEthernet1/1/1-2, TenGigabitEthernet2/1/1-2", "avgUpdateFrequency": 300, "numUpdates": 30, "reachabilityStatus": "In Progress", "reachabilityFailureReason": "Unreachable" }, Host: { "id": "8f41bef8-698c-4701-af14-471e910ed9ff", "hostMac": "00:50:56:8A:27:A3", "hostIp": "40.0.5.12", "hostType": "WIRED", "connectedNetworkDeviceId": "7895a45f-47aa-42ee-9d06-c66d3b784594", "connectedNetworkDeviceIpAddress": "40.0.2.18", "connectedInterfaceId": "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c", "connectedInterfaceName": "GigabitEthernet2/0/2", "vlanId": "1", "lastUpdated": "September 29, 2014 1:54:13 PM PDT", "numUpdates": 1, "userStatus": "Active", "source": 200 }, Command: $ python host.py | sort. Cisco Confidential
  11. Understanding topology (https://test-apic/api/v0/topology/physical-topology) • Nodes: "deviceType": "SWITCH", "label": "SDN-BRANCH-3750-STACK", "id": "7895a45f-47aa-42ee-9d06-c66d3b784594", -> /network-device "nodeType": "device"; "deviceType": "WIRED", "label": "40.0.5.12", "id": "8f41bef8-698c-4701-af14-471e910ed9ff", -> /host "nodeType": "host" • Links: "source": "7895a45f-47aa-42ee-9d06-c66d3b784594", "startPortID": "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c", "target": "8f41bef8-698c-4701-af14-471e910ed9ff", "endPortID": "", "linkStatus": "UP"
  12. REST API Structure - Policy. Diagram labels: /acl/trace /routing-path /application /qos App -> Class -> Mapping (cvd) Queuing on interfaces Bandwidth allocation to classes QoS Marking /policy /network-device/{tags} /host /user ACL QoS Marking Traffic Redirection Path verification ACL -> App mapping
  13. Policy Construct
  14. API Use cases
  15. Three Classes of Use Case: NetOps, Net Integration, Net Innovation. "HOW" to "WHAT". Cultural change: "TEST and VERIFY" -> "TRUST"
  16. Tags - Adding: https://test-apic/api/v0/network-device/tag POST {"networkDeviceId" : "7895a45f-47aa-42ee-9d06-c66d3b784594", "tag" : "branch"}
  17. Automating Tagging.. $ ./tag_device.py BRANCH +branch Adding tag: branch to device SDN-BRANCH-3750-STACK(7895a45f-47aa-42ee-9d06-c66d3b784594) 202 TAGGED {u'url': u'/api/v0/task/3e934c30-43f1-4157-b4e8-a4291ba6c198', u'taskId': u'3e934c30-43f1-4157-b4e8-a4291ba6c198'} Adding tag: branch to device SDN-BRANCH-3850-TB1(526c8fc6-f732-41a9-9faf-5876293a2e8c) 202 TAGGED {u'url': u'/api/v0/task/3714ef69-11ef-411b-945f-db52bba47db0', u'taskId': u'3714ef69-11ef-411b-945f-db52bba47db0'} Adding tag: branch to device SDN-BRANCH-ASR1002(cceaf2fe-c3d9-4d37-bf14-fba071c27d6e) 202 TAGGED {u'url': u'/api/v0/task/8c85d4cf-6bc7-40b8-8616-938af7a446b1', u'taskId': u'8c85d4cf-6bc7-40b8-8616-938af7a446b1'} Adding tag: branch to device SDN-BRANCH-C4K(a36bc35a-94ed-4b2c-a66c-e46dddd5e037) 202 TAGGED {u'url': u'/api/v0/task/dfa84ff2-d92a-4fea-9e7a-707bf3d18cb1', u'taskId': u'dfa84ff2-d92a-4fea-9e7a-707bf3d18cb1'}
  18. IPAM - All Subnets: { "id": "5bcc0bc0-c7bd-458d-9ad6-b606970017cf", "deviceId": "526c8fc6-f732-41a9-9faf-5876293a2e8c", "interfaceType": "Physical", "portName": "GigabitEthernet1/0/5", "portType": "Gigabit Ethernet", "portMode": "routed", "connectorType": "RJ-45", "macAddress": "18:9C:5D:16:FC:E4", "ipv4Address": "40.0.3.1", "ipv4Mask": "30", "serialNo": "FOC1743X0CJ", "pid": "WS-C3850-48P", "status": "down", "vendor": "Cisco", "lastUpdated": "2014-09-29 16:17:14.995619-07", "duplex": false, "avgUpdateFrequency": 180, "numUpdates": 49, "speed": 1000000 } { "id": "2fdb927f-a5a7-47b2-bbed-8499c1c12105", "deviceId": "526c8fc6-f732-41a9-9faf-5876293a2e8c", "interfaceType": "Physical", "portName": "GigabitEthernet1/0/4", "portType": "Gigabit Ethernet", "portMode": "routed", "connectorType": "RJ-45", "macAddress": "18:9C:5D:16:FC:F6", "ipv4Address": "40.0.2.5", "ipv4Mask": "30", "serialNo": "FOC1743X0CJ", "pid": "WS-C3850-48P", "status": "up", "vendor": "Cisco", "connectedNeighbor": "a632c6e8-89bf-4949-8e4d-a249105f2c7c", "lastUpdated": "2014-09-29 16:17:14.980705-07", "connectedNeighborType": "Network_Device", "ospfSupport": true, "duplex": true, "avgUpdateFrequency": 180, "numUpdates": 49, "speed": 1000000 } Request: https://test-apic/api/v0/interface GET. Command: $ python all-interfaces.py | sort
  19. Netops • Previous examples – Access to datastore – Find/filter/report etc • routing-path -> similar to topology – /routing-path/{src}/{dst} – /routing-path/40.0.0.15/40.0.5.12
  20. Path has nodes and links: "nodes": [ { "deviceType": "WIRED", "label": "40.0.0.15", "id": "51a75ce9-d5c9-4fe2-95a0-6fc01410e201", "nodeType": "host" },{ "deviceType": "SWITCH", "label": "SDN-CAMPUS-C3850", "id": "f8c3fc68-cd26-4576-bcec-51f9b578f71e", "nodeType": "device", } ... Some nodes removed ... { "deviceType": "SWITCH", "label": "SDN-BRANCH-3750-STACK", "id": "7895a45f-47aa-42ee-9d06-c66d3b784594", "nodeType": "device", }, { "deviceType": "WIRED", "label": "40.0.5.12", "id": "8f41bef8-698c-4701-af14-471e910ed9ff", "nodeType": "host" } * NOTE: Some attributes removed. "links":{ "source": "51a75ce9-d5c9-4fe2-95a0-6fc01410e201", "startPortID": "", "target": "f8c3fc68-cd26-4576-bcec-51f9b578f71e", "endPortID": "16e94527-33fd-4968-a0d7-0f7265b72904", "linkStatus": "UP" }, { "id": "459d7b7b-01c3-449a-841d-489e0250b8da", "source": "f8c3fc68-cd26-4576-bcec-51f9b578f71e", "startPortID": "0e841ab3-6192-4514-9736-d3ef63ed67f5", "target": "e5f93514-3ae5-4109-8b52-b9fa876e1eae", "endPortID": "02b1a0a6-3772-4b71-b2da-6d7cd87a5ec2", "linkStatus": "UP" }, ... Some nodes removed ... { "source": "7895a45f-47aa-42ee-9d06-c66d3b784594", "startPortID": "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c", "target": "8f41bef8-698c-4701-af14-471e910ed9ff", "endPortID": "", "linkStatus": "UP" } Command: $ python show-path.py
  21. Netops ACL – Get ACL for a Device: https://test-apic/api/v0/acl/device/cceaf2fe-c3d9-4d37-bf14-fba071c27d6e – Get ACL for Interface GigabitEthernet0/0/0: https://test-apic/api/v0/acl/interface/ad8c543b-c698-468b-bb64-e0a418d6c517 • Check for consistency of an ACL: https://test-apic/api/v0/acl/conflict/dea7a366-4cdd-4006-ad51-27f0a0b2fb40 Command: $ python check-acl.py
  22. Combine PATH with ACL: https://test-apic/api/v0/acl/trace POST, Content-Type = application/json { "destIp": "40.0.0.15", "sourceIp": "40.0.0.12", "applicationId": "46de799b-7f51-4a5e-8d08-46e2e78ff619", "interfaceIds": [ "", "16e94527-33fd-4968-a0d7-0f7265b72904", "4556c2eb-0df4-41b3-8558-05f04be02fe0", "" ] } Command: $ python show-path-acl.py
  23. Combine PATH with ACL: https://test-apic/api/v0/acl/trace POST, Content-Type = application/json { "destIp": "40.0.0.15", "sourceIp": "40.0.5.12", "applicationId": "46de799b-7f51-4a5e-8d08-46e2e78ff619", "interfaceIds": ["", "16e94527-33fd-4968-a0d7-0f7265b72904", "0e841ab3-6192-4514-9736-d3ef63ed67f5", "02b1a0a6-3772-4b71-b2da-6d7cd87a5ec2", "54683dd7-1c17-41f6-b7ac-47935d20fe3f", "a8c71f5e-dd31-457f-8160-556b91dd6320", "87bb850b-6223-4540-8729-ff4c276097ea", "82481ce8-fe7b-493f-9ca1-0390bfa71be0", "ad8c543b-c698-468b-bb64-e0a418d6c517", "c4a8fe79-fa1b-4349-ac37-90146554f0ff", "2fdb927f-a5a7-47b2-bbed-8499c1c12105", "d3054716-73ed-4a6c-89c9-095ebe7f3445", "42a5e927-1ed6-4483-bd66-555d9d6d2f89", "86ff5af0-4c5a-46e1-9edb-8aa3df5e9d95", "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c",""] } Command: $ python show-path-acl.py
  24. Result: "devices": [ { "deviceName": "SDN-CAMPUS-C3850", "deviceId": "f8c3fc68-cd26-4576-bcec-51f9b578f71e", "deviceType": "SWITCH", "deviceRole": "Access", "deviceIp": "40.0.0.3", "interfaces": [{ "interfaceName": "GigabitEthernet1/0/12", "interfaceId": "16e94527-33fd-4968-a0d7-0f7265b72904", "aclName": null, "aclId": null, "ingress": true, "blockType": "none", "relevantAces": [], "implicitDenies": [] },{ "interfaceName": "GigabitEthernet1/0/1", "interfaceId": "0e841ab3-6192-4514-9736-d3ef63ed67f5", "aclName": null, "aclId": null, "ingress": false, "blockType": "none", "relevantAces": [], "implicitDenies": [] }] }, { "interfaceName": "GigabitEthernet0/0/0", "interfaceId": "ad8c543b-c698-468b-bb64-e0a418d6c517", "aclName": "one_big_acl_for_conflict", "aclId": "dea7a366-4cdd-4006-ad51-27f0a0b2fb40", "ingress": false, "blockType": "complete", "relevantAces": [{ "aceIndex": 10, "ace": { "id": "f175c041-da1f-46cd-b9a6-0a4df6b5e15c", "aclId": "dea7a366-4cdd-4006-ad51-27f0a0b2fb40", "priority": 100, "action": "DENY", "protocol": "TCP", "srcAddr": null,"srcAddrMask": "32", "srcPort": 0, "srcPortUpper": 0, "destAddr": null, "destAddrMask": "32", "destPort": 458, "destPortUpper": 458, "dscp": 0, "attributeInfo": {} }, "sourcePortInfoList": [], "destPortInfoList": [ { "protocol": "tcp", "ports": "458" } ]},
  25. Applications: { "id": "46de799b-7f51-4a5e-8d08-46e2e78ff619", "applicationGroup": "other", "category": "voice-and-video", "subCategory": "consumer-video-streaming", "encrypted": "false", "p2pTechnology": "false", "tunnel": "false", "name": "appleqtc", "enabled": "true", "nbarId": "92", "engineId": "3", "globalId": "L4:458", "selectorId": "458", "helpString": "apple quick time", "longDescription": "Apple QuickTime is an extensible proprietary multimedia framework developed by Apple Inc., capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. QuickTime is available for Windows XP and later, as well as Mac OS X Leopard and later operating systems.", "appProtocol": "tcp/udp", "tcpPorts": "458", "udpPorts": "458", "references": "http://www.apple.com/quicktime/", "url": "", "valid": true }
  26. Reference
  27. Integration(s) • Collaboration – Phase 1 – (lower trust threshold) Marking -> voice clients E.g. UCM, Citrix • Security – Phase 2 – (higher trust threshold) Copy --- lower Deny – higher (e.g. SourceFire)
  28. Policy based QoS: https://test-apic/api/v0/policy POST { "policyOwner": "Admin", "networkUser": {"userIdentifiers":["40.0.0.15"],"applications":[{"raw": "12340;UDP"}]}, "actionProperty": {"priorityLevel": "46"}, "actions": [ "PERMIT"], "policyName": "voice:audio:40.0.0.15" } Command: $ python set-qos.py < qos-input-small.txt Response: { "response": { "taskId": "f5c07be7-ae8e-4350-80b0-1971874803c8", "url": "/api/v0/task/f5c07be7-ae8e-4350-80b0-1971874803c8" }, "version": "0.0" }
  29. Task for Policy creation - success: https://adam-gv/api/v0/task/4bd6767d-b332-4d20-b689-05473833e0c8 GET { "response": { "id": "4bd6767d-b332-4d20-b689-05473833e0c8", "rootId": "4bd6767d-b332-4d20-b689-05473833e0c8", "serviceType": "Policy Service", "progress": "767952d1-e5b5-4c9f-bcca-02e3e6515210", "startTime": 1409885977316, "endTime": 1409885985944 }, "version": "0.0" }
  30. Task for Policy creation - failure: https://test-apic/api/v0/task/f5c07be7-ae8e-4350-80b0-1971874803c8 GET "response": { "id": "f5c07be7-ae8e-4350-80b0-1971874803c8", "rootId": "f5c07be7-ae8e-4350-80b0-1971874803c8", "serviceType": "Policy Service", "progress": "Policy Creation Failed", "errorCode": "PartialSuccess", "failureReason": "04ea2f11-1e9d-435a-9db2-ded3fbcd732f: Inactive Policy - Interfaces where this policy needs to be programmed are not within the same policy scope. Hence skipping policy creation for this policy.", "isError": true, "startTime": 1412425907975, "endTime": 1412425910331 },
  31. Policy for Security: https://test-apic/api/v0/policy POST { "policyName": "deny_some", "policyOwner": "Admin", "actions": ["DENY"], "networkUser": {"userIdentifiers": ["40.0.0.15"]}, "resource": {"userIdentifiers": ["10.10.20.3"], "applications":[{"raw": "81;TCP"}]} } Sourcefire use case. <<<<<THIS CAN BE DANGEROUS IN A SHARED LAB>>>> Remove "resource" components (10.10.4.2): 1) deny tcp host 40.0.0.15 host 10.10.20.3 eq 81 2) deny tcp host 40.0.0.15 any eq 81 3) deny ip host 40.0.0.15 any
  32. For more information… • SDN BOF 1:30PM classroom • Other Sessions – DevNet-1044 – Create Hello World with APIC-EM
  33. Thank you. Join us on DevNet at developer.cisco.com. Follow DevNet on Twitter: @ciscodevnet
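
Added example, not part of the original slides or of Cisco's code: a pre-submission check for the slide 31 DENY policy body that shows how the rule widens as "resource" components are removed, plus a reading of the task bodies on slides 29 and 30, since the response to the POST only hands back a task to check. The body-to-ACL mapping is an assumption inferred from the three ACL lines on slide 31; render_ace, preflight, task_outcome and variants are hypothetical helper names.

```python
import copy

# Policy body from slide 31; task bodies abridged from slides 29 and 30.
FULL = {
    "policyName": "deny_some", "policyOwner": "Admin", "actions": ["DENY"],
    "networkUser": {"userIdentifiers": ["40.0.0.15"]},
    "resource": {"userIdentifiers": ["10.10.20.3"],
                 "applications": [{"raw": "81;TCP"}]},
}
TASK_OK = {"response": {"serviceType": "Policy Service",
                        "startTime": 1409885977316, "endTime": 1409885985944}}
TASK_FAILED = {"response": {"progress": "Policy Creation Failed", "isError": True,
                            "errorCode": "PartialSuccess", "endTime": 1412425910331}}

def render_ace(policy):
    """Assumed body-to-ACL mapping, inferred from the three lines on slide 31."""
    action = policy["actions"][0].lower()
    src = policy["networkUser"]["userIdentifiers"][0]
    resource = policy.get("resource") or {}
    dst_ids = resource.get("userIdentifiers") or []
    apps = resource.get("applications") or []
    dst = f"host {dst_ids[0]}" if dst_ids else "any"
    if not apps:
        return f"{action} ip host {src} {dst}"
    port, proto = apps[0]["raw"].split(";")  # "81;TCP" -> port 81, protocol TCP
    return f"{action} {proto.lower()} host {src} {dst} eq {port}"

def preflight(policy):
    """List the ways a DENY body is wider than host-to-host on one port."""
    resource = policy.get("resource") or {}
    problems = []
    if "DENY" in policy["actions"]:
        if not resource.get("userIdentifiers"):
            problems.append("no destination host: rule matches 'any'")
        if not resource.get("applications"):
            problems.append("no application: rule matches all IP traffic")
    return problems

def task_outcome(body):
    """Classify a task body (assumption: a running task has no endTime yet)."""
    r = body["response"]
    if r.get("isError"):
        return "failed", r.get("errorCode")
    return ("done" if "endTime" in r else "running"), None

def variants():
    no_dst, no_res = copy.deepcopy(FULL), copy.deepcopy(FULL)
    del no_dst["resource"]["userIdentifiers"]
    del no_res["resource"]
    return [FULL, no_dst, no_res]

if __name__ == "__main__":
    for p in variants():
        print(render_ace(p), "|", preflight(p) or "ok")
```

Running preflight before the POST and task_outcome on the task body afterwards catches both the over-broad deny and the silent PartialSuccess case.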
