DEVNET-1126 APIC-EM API

DevNet-1606
APIC EM Rest API
Adam Radford – Distinguished Systems Engineer

• Introduction
• Quick Tour
• Use cases
Agenda

Common Policy Approach
Consistent Policy Across Cloud, DC, WAN and Access
Cloud Data Center WAN Access
Application Network Profile
SLA, Security, QoS, Load Balancing
User/Things Network Profile
QoS, Security, SLA, Device
APIC APICAPIC APIC

The Cisco APIC Enterprise Module (APIC-EM)
Advanced Visualization
for low risk SDN adoption
Elastic Services
for scalability &
HA
Existing & New Installations
Catalyst, ISR, ASR
Agile
Integration Model
Network Abstraction and Automation
APIC
Masking Network Complexity, Exposing Network Intelligence.

Cisco APIC Enterprise Module Architecture
Abstracts Network Devices to Mask Complexity
Treat Network as a System
Exposes Network Intelligence
For Business Innovation
Cisco APIC Enterprise Module
Cisco and Third Party Applications
Network Devices
Catalyst, ASR, ISR
Network Info
Database
Policy
Infrastructure
Automation
REST API
Southbound Interface: CLI
Security QoS IWAN Network PnP

APIC-EM: Services Layered View
NB REST API
Pxgrid Client +
LDAP client
Radius Proxy +
LDAP client
Inventory
Topology
Policy Analysis
PnP
Network
Discovery
Network
Programmer
Policy
Programmer
(QoS, ACL)
Network
Tapping
Easy QoS
Network Events
Policy Manager
Conflict Detection and
Resolution
(BI and NI)
Business Intent to
Network Intent
Conversion
NETWORK
MODEL
DEVICE
MODEL
DEVICE
INTERFACE
Application
Visibility
PfR
APIC-EMServicesAPIC-EMApps
IWAN Services
APIC-EM Services
IWAN Services
Basic Services for Controller Availability
Inventory
Visualizer
Topology
Visualizer
Application
Visualizer
Discovery
Easy QoS
Visualizer
Compliance
Check
ACL
Visualizer
Network PnP
Network
Tapping
Visualizer
Policy
Manager

Understanding the tables
{"id": "7895a45f-47aa-42ee-9d06-c66d3b784594",
"hostname": "SDN-BRANCH-3750-STACK",
"managementIpAddress": "40.0.2.18",
"macAddress": "1C:DF:0F:08:20:C2",
"type": "SWITCH",
"vendor": "Cisco",
"family": "C3750X",
"serialNumber": "FDO1432K0MC",
"platformId": "WS-C3750X-48P",
"softwareVersion": "15.2(1)E2",
"imageName": "c3750e-universalk9-mz.152-1.E2.bin",
"upTime": "26 weeks, 3 hours, 8 minutes",
"memorySize": "262144K",
"interfaceCount": "109",
"role": "Access",
"roleSource": "auto",
"lineCardCount": "5",
"lineCardId": "3220b22a-a74c-4f9e-9898-
c9afc01dc5dd,9ef0da99-963c-4289-9087-7f861c969ea3,e5b911e4-
2c1c-4a95-9214-dd9877dd2b92,f5996432-3c89-4045-ac8b-
46a6bf873845",
"lastUpdated": "2014-09-29 16:19:17.627273-07",
"portRange": "FastEthernet0, Vlan1, GigabitEthernet1/0/1-48,
GigabitEthernet1/1/1-4, GigabitEthernet2/0/1-48,
GigabitEthernet2/1/1-4, TenGigabitEthernet1/1/1-2,
TenGigabitEthernet2/1/1-2",
"avgUpdateFrequency": 300,
"numUpdates": 30,
"reachabilityStatus": "In Progress",
"reachabilityFailureReason": "Unreachable"
}, Cisco Confidential
{
"id": "8f41bef8-698c-4701-af14-471e910ed9ff",
"hostMac": "00:50:56:8A:27:A3",
"hostIp": "40.0.5.12",
"hostType": "WIRED",
"connectedNetworkDeviceId": "7895a45f-47aa-42ee-9d06-
c66d3b784594",
"connectedNetworkDeviceIpAddress": "40.0.2.18",
"connectedInterfaceId": "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c",
"connectedInterfaceName": "GigabitEthernet2/0/2",
"vlanId": "1",
"lastUpdated": "September 29, 2014 1:54:13 PM PDT",
"numUpdates": 1,
"userStatus": "Active",
"source": 200
},
$python host.py | sort

Understanding topology
• Nodes
Cisco Confidential
"deviceType": "SWITCH",
"label": "SDN-BRANCH-3750-STACK",
"id": "7895a45f-47aa-42ee-9d06-c66d3b784594",  /network-device
"nodeType": "device",
"deviceType": "WIRED",
"label": "40.0.5.12",
"id": "8f41bef8-698c-4701-af14-471e910ed9ff",  /host
"nodeType": "host",
"source": "7895a45f-47aa-42ee-9d06-c66d3b784594",
"startPortID": "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c",
"target": "8f41bef8-698c-4701-af14-471e910ed9ff",
"endPortID": "",
"linkStatus": "UP"
• Links
https://test-apic/api/v0/topology/physical-topology

/acl/trace
/routing-path
/application
/policy
/network-
device/{tags}
/host
/user
ACL
QoS Marking
Traffic Redirection
Path verification
ACL -> App mapping
REST API Structure - Policy

Three Classes of Use Case
Cisco Confidential
NetOps Net Integration Net Innovation
"HOW" to "WHAT"
Cultural change: "TEST and VERIFY"  "TRUST"

Location
https://adam-ga/api/v1/location GET
https://adam-ga/api/v1/location POST
{"civicAddress": "Branch Office", "geographicalAddress" : "-34.424983/150.89312389",
"locationName": "Wollongong Head Office"}
https://adam-ga/api/v1/location PUT
{"civicAddress": "WOW Branch Office", "id": "3b28cf2a-6b08-4cd2-a30a-551de6367ce5"}
TASK "progress": "Location updated successfully #3b28cf2a-6b08-4cd2-a30a-551de6367ce5",
https://adam-ga/api/v1/network-device PUT
{"id": "7895a45f-47aa-42ee-9d06-c66d3b784594", "location": "3b28cf2a-6b08-4cd2-a30a-
551de6367ce5"}

Automating Location..
./add_location.py Branch-9 +"Bundaberg"
{u'version': u'1.0', u'response': {u'locationName': u'Bundaberg', u'geographicalAddress': u'-
24.8649629/152.348653', u'id': u'329725d9-75b8-47b3-aaa7-a337161d418c'}}
329725d9-75b8-47b3-aaa7-a337161d418c
Total 338
Matched: BBWAN-Branch-9-ap-0
Adding location: Bundaberg to device BBWAN-Branch-9-ap-0(0c0772d7-82bd-4a95-9f7e-a57471976446)
{'id': u'0c0772d7-82bd-4a95-9f7e-a57471976446', 'location': u'329725d9-75b8-47b3-aaa7-a337161d418c'}
Adding location: Bundaberg to device BBWAN-Branch-9-ap-1(e3427b80-1254-492d-826f-46804c0da584)
{'id': u'e3427b80-1254-492d-826f-46804c0da584', 'location': u'329725d9-75b8-47b3-aaa7-a337161d418c'}
Adding location: Bundaberg to device BBWAN-Branch-9-ap-2(19040872-6a6b-4656-b515-cffcbe7c73bb)
{'id': u'19040872-6a6b-4656-b515-cffcbe7c73bb', 'location': u'329725d9-75b8-47b3-aaa7-a337161d418c'}
Matched: BBWAN-Branch-9-rtr
Adding location: Bundaberg to device BBWAN-Branch-9-rtr(34b1ece8-5db3-4020-b48e-6ed437381c57)
{'id': u'34b1ece8-5db3-4020-b48e-6ed437381c57', 'location': u'329725d9-75b8-47b3-aaa7-a337161d418c'}
Matched: BBWAN-Branch-9-sw
Adding location: Bundaberg to device BBWAN-Branch-9-sw(7ddb2983-1a73-473c-967e-470ea5b91961)
{'id': u'7ddb2983-1a73-473c-967e-470ea5b91961', 'location': u'329725d9-75b8-47b3-aaa7-a337161d418c'}

IPAM - All Subnets
{
"id": "5bcc0bc0-c7bd-458d-9ad6-b606970017cf",
"deviceId": "526c8fc6-f732-41a9-9faf-5876293a2e8c",
"interfaceType": "Physical",
"portName": "GigabitEthernet1/0/5",
"portType": "Gigabit Ethernet",
"portMode": "routed",
"connectorType": "RJ-45",
"macAddress": "18:9C:5D:16:FC:E4",
"ipv4Address": "40.0.3.1",
"ipv4Mask": "30",
"serialNo": "FOC1743X0CJ",
"pid": "WS-C3850-48P",
"status": "down",
"vendor": "Cisco",
"lastUpdated": "2014-09-29 16:17:14.995619-07",
"duplex": false,
"numUpdates": 49,
"speed": 1000000
}
{
"id": "2fdb927f-a5a7-47b2-bbed-8499c1c12105",
"deviceId": "526c8fc6-f732-41a9-9faf-5876293a2e8c",
"interfaceType": "Physical",
"portName": "GigabitEthernet1/0/4",
"portType": "Gigabit Ethernet",
"portMode": "routed",
"connectorType": "RJ-45",
"macAddress": "18:9C:5D:16:FC:F6",
"ipv4Address": "40.0.2.5",
"ipv4Mask": "30",
"serialNo": "FOC1743X0CJ",
"pid": "WS-C3850-48P",
"status": "up",
"vendor": "Cisco",
"connectedNeighbor": "a632c6e8-89bf-4949-8e4d-a249105f2c7c",
"lastUpdated": "2014-09-29 16:17:14.980705-07",
"connectedNeighborType": "Network_Device",
"ospfSupport": true,
"duplex": true,
"numUpdates": 49,
"speed": 1000000
}
https://test-apic/api/v0/interface GET
$python all-interfaces.py | sort

Netops
• Previous examples
• Access to datastore
• Find/filter/report etc
• routing-path  similar to topology
• /routing-path/{src}/{dst}
• /routing-path/40.0.0.15/40.0.5.12
Cisco Confidential

Path has nodes and links
"nodes": [
{
"label": "40.0.0.15",
"id": "51a75ce9-d5c9-4fe2-95a0-6fc01410e201",
"nodeType": "host"
},{
"label": "SDN-CAMPUS-C3850",
"id": "f8c3fc68-cd26-4576-bcec-51f9b578f71e",
}
........
Some nodes removed
...........
{
"label": "SDN-BRANCH-3750-STACK",
"id": "7895a45f-47aa-42ee-9d06-c66d3b784594",
},
{
"label": "40.0.5.12",
"id": "8f41bef8-698c-4701-af14-471e910ed9ff",
"nodeType": "host"
}
* NOTE: Some attributed removed
Cisco Confidential
"links":{
"source": "51a75ce9-d5c9-4fe2-95a0-6fc01410e201",
"startPortID": "",
"target": "f8c3fc68-cd26-4576-bcec-51f9b578f71e",
"endPortID": "16e94527-33fd-4968-a0d7-0f7265b72904",
"linkStatus": "UP"
}, {
"id": "459d7b7b-01c3-449a-841d-489e0250b8da",
"source": "f8c3fc68-cd26-4576-bcec-51f9b578f71e",
"startPortID": "0e841ab3-6192-4514-9736-d3ef63ed67f5",
"target": "e5f93514-3ae5-4109-8b52-b9fa876e1eae",
"endPortID": "02b1a0a6-3772-4b71-b2da-6d7cd87a5ec2",
"linkStatus": "UP"
},
….... …………
Some nodes removed
……………………….
{
"source": "7895a45f-47aa-42ee-9d06-c66d3b784594",
"startPortID": "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c",
"target": "8f41bef8-698c-4701-af14-471e910ed9ff",
"endPortID": "",
"linkStatus": "UP"
}
$python show-path.py

Netops
ACL
• Get ACL for a Device
https://test-apic/api/v0/acl/device/cceaf2fe-c3d9-4d37-bf14-fba071c27d6e
• Get ACL for Interface GigabitEthernet0/0/0
https://test-apic/api/v0/acl/interface/ad8c543b-c698-468b-bb64-e0a418d6c517
• Check for consistency of an ACL
https://test-apic/api/v0/acl/conflict/dea7a366-4cdd-4006-ad51-27f0a0b2fb40
Cisco Confidential
$python check-acl.py

Combine PATH with ACL
https://test-apic/api/v0/acl/trace POST
{
"destIp": "40.0.0.15",
"sourceIp": "40.0.5.12",
"applicationId": "46de799b-7f51-4a5e-8d08-46e2e78ff619",
"interfaceIds": ["",
"16e94527-33fd-4968-a0d7-0f7265b72904",
"0e841ab3-6192-4514-9736-d3ef63ed67f5",
"02b1a0a6-3772-4b71-b2da-6d7cd87a5ec2",
"54683dd7-1c17-41f6-b7ac-47935d20fe3f",
"a8c71f5e-dd31-457f-8160-556b91dd6320",
"87bb850b-6223-4540-8729-ff4c276097ea",
"82481ce8-fe7b-493f-9ca1-0390bfa71be0",
"ad8c543b-c698-468b-bb64-e0a418d6c517",
"c4a8fe79-fa1b-4349-ac37-90146554f0ff",
"2fdb927f-a5a7-47b2-bbed-8499c1c12105",
"d3054716-73ed-4a6c-89c9-095ebe7f3445",
"42a5e927-1ed6-4483-bd66-555d9d6d2f89",
"86ff5af0-4c5a-46e1-9edb-8aa3df5e9d95",
"30bb14c1-8fb6-45c4-8f6d-5b845a7f448c",""]
}
Cisco Confidential
$python show-path-acl.pyContent-Type = application/json

Result:"devices": [ {
"deviceName": "SDN-CAMPUS-C3850",
"deviceId": "f8c3fc68-cd26-4576-bcec-51f9b578f71e",
"deviceRole": "Access",
"deviceIp": "40.0.0.3",
"interfaces": [{
"interfaceName": "GigabitEthernet1/0/12",
"interfaceId": "16e94527-33fd-4968-a0d7-0f7265b72904",
"aclName": null,
"aclId": null,
"ingress": true,
"blockType": "none",
"relevantAces": [],
"implicitDenies": []
},{
"interfaceName": "GigabitEthernet1/0/1",
"interfaceId": "0e841ab3-6192-4514-9736-d3ef63ed67f5",
"aclName": null,
"aclId": null,
"ingress": false,
"blockType": "none",
"relevantAces": [],
"implicitDenies": []
}]
},
{ "interfaceName": "GigabitEthernet0/0/0",
"interfaceId": "ad8c543b-c698-468b-bb64-e0a418d6c517",
"aclName": "one_big_acl_for_conflict",
"aclId": "dea7a366-4cdd-4006-ad51-27f0a0b2fb40",
"ingress": false,
"blockType": "complete",
"relevantAces": [{
"aceIndex": 10,
"ace": {
"id": "f175c041-da1f-46cd-b9a6-0a4df6b5e15c",
"aclId": "dea7a366-4cdd-4006-ad51-27f0a0b2fb40",
"priority": 100, "action": "DENY", "protocol": "TCP",
"srcAddr": null,"srcAddrMask": "32",
"srcPort": 0,
"srcPortUpper": 0,
"destAddr": null, "destAddrMask": "32",
"destPort": 458,
"destPortUpper": 458,
"dscp": 0,
"attributeInfo": {}
},
"sourcePortInfoList": [],
"destPortInfoList": [
{
"protocol": "tcp",
"ports": "458"
} ]},

Applications
{
"id": "46de799b-7f51-4a5e-8d08-46e2e78ff619",
"applicationGroup": "other",
"category": "voice-and-video",
"subCategory": "consumer-video-streaming",
"encrypted": "false",
"p2pTechnology": "false",
"tunnel": "false",
"name": "appleqtc",
"enabled": "true",
"nbarId": "92",
"engineId": "3",
"globalId": "L4:458",
"selectorId": "458",
"helpString": "apple quick time",
"longDescription": "Apple QuickTime is an extensible proprietary multimedia framework developed by Apple Inc.,
capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity.
QuickTime is available for Windows XP and later, as well as Mac OS X Leopard and later operating systems.",
"appProtocol": "tcp/udp",
"tcpPorts": "458",
"udpPorts": "458",
"references": "http://www.apple.com/quicktime/",
"url": "",
"valid": true
}

Integration(s)
• Collaboration – Phase 1 – (lower trust threshold)
Marking -> voice clients
E.g. UCM, Citrix
• Security – Phase 2 – (higher trust threshold)
Copy --- lower
Deny – higher (e.g. SourceFire)
Cisco Confidential

Policy based QoS
https://test-apic/api/v0/policy POST
{
"policyOwner": "Admin",
"networkUser": {"userIdentifiers":["40.0.0.15"],"applications":[{"raw": "12340;UDP"}]},
"actionProperty": {"priorityLevel": "46"},
"actions": [ "PERMIT"],
"policyName": "voice:audio:40.0.0.15"
}
Cisco Confidential
$python set-qos.py < qos-input-small.txt
{
"response": {
"taskId": "f5c07be7-ae8e-4350-80b0-1971874803c8",
"url": "/api/v0/task/f5c07be7-ae8e-4350-80b0-1971874803c8"
},
"version": "0.0"
}

Task for Policy creation - success
https://adam-gv/api/v0/task/4bd6767d-b332-4d20-b689-05473833e0c8 GET
{
"response": {
"id": "4bd6767d-b332-4d20-b689-05473833e0c8",
"rootId": "4bd6767d-b332-4d20-b689-05473833e0c8",
"serviceType": "Policy Service",
"progress": "767952d1-e5b5-4c9f-bcca-02e3e6515210",
"startTime": 1409885977316,
"endTime": 1409885985944
},
"version": "0.0"
}

Task for Policy creation - failure
https://test-apic/api/v0/task/f5c07be7-ae8e-4350-80b0-1971874803c8 GET
"response": {
"id": "f5c07be7-ae8e-4350-80b0-1971874803c8",
"rootId": "f5c07be7-ae8e-4350-80b0-1971874803c8",
"serviceType": "Policy Service",
"progress": "Policy Creation Failed",
"errorCode": "PartialSuccess",
"failureReason": "04ea2f11-1e9d-435a-9db2-ded3fbcd732f: Inactive Policy - Interfaces
where this policy needs to be programmed are not within the same policy scope. Hence skipping
policy creation for this policy.",
"isError": true,
"startTime": 1412425907975,
"endTime": 1412425910331
},

Policy for Security
https://test-apic/api/v0/policy POST
{
"policyName": "deny_some",
"policyOwner": "Admin",
"actions": ["DENY"],
"networkUser": {"userIdentifiers": ["40.0.0.15"]},
"resource": {"userIdentifiers": ["10.10.20.3"], "applications":[{"raw":
"81;TCP"}]}
}
Cisco Confidential
Sourcefire use case.
<<<<<THIS CAN BE DANGEROUS IN A SHARED LAB>>>>
Remove "resource" components (10.10.4.2)
1) deny tcp host 40.0.0.15 host 10.10.20.3 eq 81
2) deny tcp host 40.0.0.15 any eq 81
3) deny ip host 40.0.0.15 any

API Structure
31
/application
/qos
QoS Marking -> (policy)
App -> Class -> Mapping (cvd)
Queuing on interfaces
Bandwidth allocation to classes
/policy
/network-
device/{tags}
/host
/user
ACL
Traffic Redirection
QoS Marking
/qos API's automatically
create policies for QoS
Marking.

/qos
32
1 2
3
GET /qos/app-class-map/mapping GET,POST /network-device/tag POST /qos
GET /qos/status
4

PnP Server
Use Case: Device Deployment in Campus
DHCP Server
Switch running
PnP Agent
Device receives PnP server
specific metadata info
configured in DHCP option 43
Device validates server’s location and
establishes a communication with the server
Installer
Remote Installer
• Mount and cable
devices
• Power-on
Day 1
Network Admin remotely
monitors status of install
while in progress.
Day 1
Cisco
APIC -
Enterprise
Module

API Structure
/ztd-site/
/device
/file-service/
file/config
file/image
2
1
/ztd-device 3

File API
https://adam-iwan/api/v1/file/config POST ***multipart
"response": {
"nameSpace": "config",
"name": "config.txt",
"downloadPath": "/file/c13abe7a-9e35-4aaa-9aae-04fb6dc2b28d",
"fileSize": "14",
"fileFormat": "text/plain",
"id": "c13abe7a-9e35-4aaa-9aae-04fb6dc2b28d"
},

List all images
https://adam-iwan/api/v1/file/config/file-list GET will show config files
https://adam-iwan/api/v1/file/image/file-list GET
"response": [
{
"nameSpace": "image",
"name": "c2960x-universalk9-mz.152-2.E1.bin",
"downloadPath": "/file/571c8887-0e71-4a6f-8267-e1f25bfa46f4",
"fileSize": "21208064",
"fileFormat": "application/octet-stream",
"id": "571c8887-0e71-4a6f-8267-e1f25bfa46f4"
},{
"nameSpace": "image",
"name": "c2960x-universalk9-mz.152-3.E.bin",
"downloadPath": "/file/5bc3f28e-61b7-4438-a946-4d62396341db",
"fileSize": "23343104",
"fileFormat": "application/octet-stream",
"id": "5bc3f28e-61b7-4438-a946-4d62396341db"
}],

Create a site
https://adam-iwan/api/v1/ztd-site POST
{
"siteName": "Sydney"
}
{
"response": {
"taskId": "832e26a7-b10a-4a4a-9cd9-1dfc2a9d3da3",
"url": "/api/v1/task/832e26a7-b10a-4a4a-9cd9-1dfc2a9d3da3"
},
"version": "0.0"
}

Result of the task
{
"response": {
"rootId": "db96e8f5-cf68-4f1f-9cc2-f6c18fdeeaaf",
"serviceType": "Ztd Service",
"progress": "{"message":"Success creating new site","siteId":
"05159d12-3654-4ce1-b391-b5f4a3cdc6a9"}",
"startTime": 1420948314682,
"endTime": 1420948314714,
"id": "db96e8f5-cf68-4f1f-9cc2-f6c18fdeeaaf"
},
"version": "0.0"
}

Create a Rule
https://adam-iwan/api/v1/ztd-site/device POST
{
"hostName" : "test-switch6",
"site" : "Sydney",
"platformId" : "WS-C2960X-48FPD-L"
}
IMPORTANT: Name of "site" rather than UUID
These are only three mandatory attributes
Default "status" is PENDING
"serialNumber", "configId", "imageId", are often used

Result of the Rule task
{
"response": {
"rootId": "c8c9fec8-e564-4368-a0fe-1f3559926ce6",
"progress": "{"message":"Success creating new site
device(rule)","ruleId":"8fbc09aa-87b2-4c4a-bc91-6d1b851429d8"}",
"startTime": 1420965737439,
"endTime": 1420965737492,
"id": "c8c9fec8-e564-4368-a0fe-1f3559926ce6"
},
"version": "0.0"
}

Rules for a specific site
https://adam-iwan/api/v1/ztd-site/device?site_id=05159d12-3654-
4ce1-b391-b5f4a3cdc6a9&offset=1&limit=10 GET
{
"response": [
{
"hostName": "test-switch6",
"platformId": "WS-C2960X-48FPD-L",
"site": "Sydney",
"state": "PENDING",
"attributeInfo": {},
"id": "8fbc09aa-87b2-4c4a-bc91-6d1b851429d8"
}
],
"version": "0.0"
}

To Delete a Rule
https://adam-ztd:443/api/v1/ztd-site/device/7e329c54-5687-4aa0-9c13-9cb935d66a81 DELETE
"taskId": "2677fca5-8af9-4adf-9a8f-faa11cf53afa",
"response": {
"rootId": "2677fca5-8af9-4adf-9a8f-faa11cf53afa",
"progress": "Success Deleting Site Device(Rule): id# 7e329c54-
5687-4aa0-9c13-9cb935d66a81",
"startTime": 1421127076206,
"endTime": 1421127076255,
"id": "2677fca5-8af9-4adf-9a8f-faa11cf53afa"
},

DEVNET-1126 APIC-EM API

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (19)

Similar to DEVNET-1126 APIC-EM API

Similar to DEVNET-1126 APIC-EM API (20)

More from Cisco DevNet

More from Cisco DevNet (20)

Recently uploaded

Recently uploaded (20)

DEVNET-1126 APIC-EM API