API Deep Dive: APIC EM Rest API

Transcript of API Deep Dive: APIC EM Rest API

DevNet-1007

Adam Radford – Distinguished Systems Engineer

© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

• Introduction

• Quick Tour

• Use cases


Common Policy will Drive End-to-End Solutions

Consistent Policy Across Cloud, DC, WAN and Access

[Figure: an APIC controller in each of the four domains Cloud, Data Center, WAN and Access]

• Application Network Profile: SLA, Security, QoS, Load Balancing

• User/Things Network Profile: QoS, Security, SLA, Device

Introducing Cisco APIC Enterprise Module

• Advanced Visualization for low risk SDN adoption

• Elastic Services for scalability & HA

• Existing & New Installations: Catalyst, ISR, ASR

• Agile Integration Model

• Network Abstraction and Automation (APIC)

Masking Network Complexity, Exposing Network Intelligence.

Cisco APIC Enterprise Module Architecture

• Abstracts Network Devices to Mask Complexity: Treat Network as a System

• Exposes Network Intelligence For Business Innovation

[Figure: Cisco and Third Party Applications (Security, QoS, IWAN, Network PnP) sit on the REST API of the Cisco APIC Enterprise Module, which holds the Network Info Database, Policy Infrastructure and Automation; the Southbound Interface to the Network Devices (Catalyst, ASR, ISR) is CLI]

APIC-EM: Services Layered View

[Figure: layered view, top to bottom]

• NB REST API

• APIC-EM Apps: Inventory Visualizer, Topology Visualizer, Application Visualizer, Discovery, Easy QoS Visualizer, Compliance Check, ACL Visualizer, Network PnP, Network Tapping Visualizer, Policy Manager

• APIC-EM Services: Inventory, Topology, Policy Analysis, PnP, Network Discovery, Network Programmer, Policy Programmer (QoS, ACL), Network Tapping, Easy QoS, Network Events, Policy Manager, Conflict Detection and Resolution (BI and NI), Business Intent to Network Intent Conversion

• IWAN Services: Application Visibility, PfR

• Pxgrid Client + LDAP client, Radius Proxy + LDAP client

• Network Model, Device Model, Device Interface

• Basic Services for Controller Availability

Quick Tour APIC-EM API


RESTful services exposed


Understanding the tables

Network device record:

{
  "id": "7895a45f-47aa-42ee-9d06-c66d3b784594",
  "hostname": "SDN-BRANCH-3750-STACK",
  "managementIpAddress": "40.0.2.18",
  "macAddress": "1C:DF:0F:08:20:C2",
  "type": "SWITCH",
  "vendor": "Cisco",
  "family": "C3750X",
  "serialNumber": "FDO1432K0MC",
  "platformId": "WS-C3750X-48P",
  "softwareVersion": "15.2(1)E2",
  "imageName": "c3750e-universalk9-mz.152-1.E2.bin",
  "upTime": "26 weeks, 3 hours, 8 minutes",
  "memorySize": "262144K",
  "interfaceCount": "109",
  "role": "Access",
  "roleSource": "auto",
  "lineCardCount": "5",
  "lineCardId": "3220b22a-a74c-4f9e-9898-c9afc01dc5dd,9ef0da99-963c-4289-9087-7f861c969ea3,e5b911e4-2c1c-4a95-9214-dd9877dd2b92,f5996432-3c89-4045-ac8b-46a6bf873845",
  "lastUpdated": "2014-09-29 16:19:17.627273-07",
  "portRange": "FastEthernet0, Vlan1, GigabitEthernet1/0/1-48, GigabitEthernet1/1/1-4, GigabitEthernet2/0/1-48, GigabitEthernet2/1/1-4, TenGigabitEthernet1/1/1-2, TenGigabitEthernet2/1/1-2",
  "avgUpdateFrequency": 300,
  "numUpdates": 30,
  "reachabilityStatus": "In Progress",
  "reachabilityFailureReason": "Unreachable"
},

Host record (attached to the device above):

{
  "id": "8f41bef8-698c-4701-af14-471e910ed9ff",
  "hostMac": "00:50:56:8A:27:A3",
  "hostIp": "40.0.5.12",
  "hostType": "WIRED",
  "connectedNetworkDeviceId": "7895a45f-47aa-42ee-9d06-c66d3b784594",
  "connectedNetworkDeviceIpAddress": "40.0.2.18",
  "connectedInterfaceId": "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c",
  "connectedInterfaceName": "GigabitEthernet2/0/2",
  "vlanId": "1",
  "lastUpdated": "September 29, 2014 1:54:13 PM PDT",
  "numUpdates": 1,
  "userStatus": "Active",
  "source": 200
},

$ python host.py | sort

Understanding topology

https://test-apic/api/v0/topology/physical-topology

• Nodes

{
  "deviceType": "SWITCH",
  "label": "SDN-BRANCH-3750-STACK",
  "id": "7895a45f-47aa-42ee-9d06-c66d3b784594",   (/network-device)
  "nodeType": "device"
}

{
  "deviceType": "WIRED",
  "label": "40.0.5.12",
  "id": "8f41bef8-698c-4701-af14-471e910ed9ff",   (/host)
  "nodeType": "host"
}

• Links

{
  "source": "7895a45f-47aa-42ee-9d06-c66d3b784594",
  "startPortID": "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c",
  "target": "8f41bef8-698c-4701-af14-471e910ed9ff",
  "endPortID": "",
  "linkStatus": "UP"
}

REST API Structure - Policy

[Figure: the Policy Construct and the resources it draws on]

• /policy: ACL, QoS Marking, Traffic Redirection, Path verification, ACL -> App mapping

• /application, /qos: App -> Class -> Mapping (cvd), Queuing on interfaces, Bandwidth allocation to classes, QoS Marking

• /acl/trace

• /routing-path

• /network-device/{tags}

• /host

• /user

API Use cases

Three Classes of Use Case

• NetOps

• Net Integration

• Net Innovation

"HOW" to "WHAT"

Cultural change: "TEST and VERIFY" -> "TRUST"

Tags - Adding

https://test-apic/api/v0/network-device/tag POST

{"networkDeviceId": "7895a45f-47aa-42ee-9d06-c66d3b784594", "tag": "branch"}

Automating Tagging

$ ./tag_device.py BRANCH +branch
Adding tag: branch to device SDN-BRANCH-3750-STACK(7895a45f-47aa-42ee-9d06-c66d3b784594)
202
TAGGED {u'url': u'/api/v0/task/3e934c30-43f1-4157-b4e8-a4291ba6c198', u'taskId': u'3e934c30-43f1-4157-b4e8-a4291ba6c198'}
Adding tag: branch to device SDN-BRANCH-3850-TB1(526c8fc6-f732-41a9-9faf-5876293a2e8c)
202
TAGGED {u'url': u'/api/v0/task/3714ef69-11ef-411b-945f-db52bba47db0', u'taskId': u'3714ef69-11ef-411b-945f-db52bba47db0'}
Adding tag: branch to device SDN-BRANCH-ASR1002(cceaf2fe-c3d9-4d37-bf14-fba071c27d6e)
202
TAGGED {u'url': u'/api/v0/task/8c85d4cf-6bc7-40b8-8616-938af7a446b1', u'taskId': u'8c85d4cf-6bc7-40b8-8616-938af7a446b1'}
Adding tag: branch to device SDN-BRANCH-C4K(a36bc35a-94ed-4b2c-a66c-e46dddd5e037)
202
TAGGED {u'url': u'/api/v0/task/dfa84ff2-d92a-4fea-9e7a-707bf3d18cb1', u'taskId': u'dfa84ff2-d92a-4fea-9e7a-707bf3d18cb1'}

IPAM - All Subnets

https://test-apic/api/v0/interface GET

{
  "id": "5bcc0bc0-c7bd-458d-9ad6-b606970017cf",
  "deviceId": "526c8fc6-f732-41a9-9faf-5876293a2e8c",
  "interfaceType": "Physical",
  "portName": "GigabitEthernet1/0/5",
  "portType": "Gigabit Ethernet",
  "portMode": "routed",
  "connectorType": "RJ-45",
  "macAddress": "18:9C:5D:16:FC:E4",
  "ipv4Address": "40.0.3.1",
  "ipv4Mask": "30",
  "serialNo": "FOC1743X0CJ",
  "pid": "WS-C3850-48P",
  "status": "down",
  "vendor": "Cisco",
  "lastUpdated": "2014-09-29 16:17:14.995619-07",
  "duplex": false,
  "avgUpdateFrequency": 180,
  "numUpdates": 49,
  "speed": 1000000
}

{
  "id": "2fdb927f-a5a7-47b2-bbed-8499c1c12105",
  "deviceId": "526c8fc6-f732-41a9-9faf-5876293a2e8c",
  "interfaceType": "Physical",
  "portName": "GigabitEthernet1/0/4",
  "portType": "Gigabit Ethernet",
  "portMode": "routed",
  "connectorType": "RJ-45",
  "macAddress": "18:9C:5D:16:FC:F6",
  "ipv4Address": "40.0.2.5",
  "ipv4Mask": "30",
  "serialNo": "FOC1743X0CJ",
  "pid": "WS-C3850-48P",
  "status": "up",
  "vendor": "Cisco",
  "connectedNeighbor": "a632c6e8-89bf-4949-8e4d-a249105f2c7c",
  "lastUpdated": "2014-09-29 16:17:14.980705-07",
  "connectedNeighborType": "Network_Device",
  "ospfSupport": true,
  "duplex": true,
  "avgUpdateFrequency": 180,
  "numUpdates": 49,
  "speed": 1000000
}

$ python all-interfaces.py | sort
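The "IPAM - All Subnets" slide reduces every routed interface's ipv4Address/ipv4Mask to the network it belongs to. The following is an added example, not the presentation's all-interfaces.py: it runs offline on a constructed /interface sample (the two slide records, a constructed far-end address on the slide's connectedNeighbor device, and one unnumbered port), and groups interfaces by subnet.

```python
"""Derive the set of IPv4 subnets from APIC-EM /interface records (the "IPAM - All Subnets" slide)."""
import ipaddress
import json

# Constructed sample: a trimmed /interface response. The first two records are the ones on the
# slide; the third is the far end of GigabitEthernet1/0/4's /30 (its deviceId is the slide's
# connectedNeighbor, its address is constructed); the fourth is an unnumbered switch port.
SAMPLE_INTERFACES = json.loads("""[
  {"portName": "GigabitEthernet1/0/5", "deviceId": "526c8fc6-f732-41a9-9faf-5876293a2e8c",
   "ipv4Address": "40.0.3.1", "ipv4Mask": "30", "portMode": "routed", "status": "down"},
  {"portName": "GigabitEthernet1/0/4", "deviceId": "526c8fc6-f732-41a9-9faf-5876293a2e8c",
   "ipv4Address": "40.0.2.5", "ipv4Mask": "30", "portMode": "routed", "status": "up"},
  {"portName": "GigabitEthernet0/0/1", "deviceId": "a632c6e8-89bf-4949-8e4d-a249105f2c7c",
   "ipv4Address": "40.0.2.6", "ipv4Mask": "30", "portMode": "routed", "status": "up"},
  {"portName": "GigabitEthernet1/0/7", "deviceId": "526c8fc6-f732-41a9-9faf-5876293a2e8c",
   "portMode": "access", "status": "up"}
]""")

def interface_network(rec):
    """IPv4 network an interface record sits on, or None for an unnumbered port.
    ipv4Mask on the slides is a prefix length ("30"); strict=False turns the interface
    address into its network address."""
    addr, mask = rec.get("ipv4Address"), rec.get("ipv4Mask")
    if not addr or mask in (None, ""):
        return None
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def all_subnets(records):
    """Map each subnet to the sorted (deviceId, portName, ipv4Address) triples on it."""
    subnets = {}
    for rec in records:
        net = interface_network(rec)
        if net is None:
            continue                      # L2 ports carry no IPAM information
        subnets.setdefault(net, []).append((rec["deviceId"], rec["portName"], rec["ipv4Address"]))
    return {net: sorted(members) for net, members in subnets.items()}

def subnet_report(records):
    """One sorted line per subnet, in the spirit of `all-interfaces.py | sort` on the slide."""
    return [f"{net.with_prefixlen} {len(members)} interface(s)"
            for net, members in sorted(all_subnets(records).items())]

if __name__ == "__main__":
    for line in subnet_report(SAMPLE_INTERFACES):
        print(line)
```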

Netops

• Previous examples

– Access to datastore

– Find/filter/report etc.

• routing-path similar to topology

– /routing-path/{src}/{dst}

– /routing-path/40.0.0.15/40.0.5.12

Path has nodes and links

"nodes": [
  {
    "deviceType": "WIRED",
    "label": "40.0.0.15",
    "id": "51a75ce9-d5c9-4fe2-95a0-6fc01410e201",
    "nodeType": "host"
  },
  {
    "deviceType": "SWITCH",
    "label": "SDN-CAMPUS-C3850",
    "id": "f8c3fc68-cd26-4576-bcec-51f9b578f71e",
    "nodeType": "device"
  },
  ........ Some nodes removed ...........
  {
    "deviceType": "SWITCH",
    "label": "SDN-BRANCH-3750-STACK",
    "id": "7895a45f-47aa-42ee-9d06-c66d3b784594",
    "nodeType": "device"
  },
  {
    "deviceType": "WIRED",
    "label": "40.0.5.12",
    "id": "8f41bef8-698c-4701-af14-471e910ed9ff",
    "nodeType": "host"
  }
]

NOTE: some attributes removed.

"links": [
  {
    "source": "51a75ce9-d5c9-4fe2-95a0-6fc01410e201",
    "startPortID": "",
    "target": "f8c3fc68-cd26-4576-bcec-51f9b578f71e",
    "endPortID": "16e94527-33fd-4968-a0d7-0f7265b72904",
    "linkStatus": "UP"
  },
  {
    "id": "459d7b7b-01c3-449a-841d-489e0250b8da",
    "source": "f8c3fc68-cd26-4576-bcec-51f9b578f71e",
    "startPortID": "0e841ab3-6192-4514-9736-d3ef63ed67f5",
    "target": "e5f93514-3ae5-4109-8b52-b9fa876e1eae",
    "endPortID": "02b1a0a6-3772-4b71-b2da-6d7cd87a5ec2",
    "linkStatus": "UP"
  },
  ........ Some nodes removed ...........
  {
    "source": "7895a45f-47aa-42ee-9d06-c66d3b784594",
    "startPortID": "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c",
    "target": "8f41bef8-698c-4701-af14-471e910ed9ff",
    "endPortID": "",
    "linkStatus": "UP"
  }
]

$ python show-path.py

Netops

• ACL

– Get ACL for a Device: https://test-apic/api/v0/acl/device/cceaf2fe-c3d9-4d37-bf14-fba071c27d6e

– Get ACL for Interface GigabitEthernet0/0/0: https://test-apic/api/v0/acl/interface/ad8c543b-c698-468b-bb64-e0a418d6c517

• Check for consistency of an ACL: https://test-apic/api/v0/acl/conflict/dea7a366-4cdd-4006-ad51-27f0a0b2fb40

$ python check-acl.py

Combine PATH with ACL

https://test-apic/api/v0/acl/trace POST
Content-Type = application/json

{
  "destIp": "40.0.0.15",
  "sourceIp": "40.0.0.12",
  "applicationId": "46de799b-7f51-4a5e-8d08-46e2e78ff619",
  "interfaceIds": [
    "",
    "16e94527-33fd-4968-a0d7-0f7265b72904",
    "4556c2eb-0df4-41b3-8558-05f04be02fe0",
    ""
  ]
}

$ python show-path-acl.py

Combine PATH with ACL

https://test-apic/api/v0/acl/trace POST
Content-Type = application/json

{
  "destIp": "40.0.0.15",
  "sourceIp": "40.0.5.12",
  "applicationId": "46de799b-7f51-4a5e-8d08-46e2e78ff619",
  "interfaceIds": [
    "",
    "16e94527-33fd-4968-a0d7-0f7265b72904",
    "0e841ab3-6192-4514-9736-d3ef63ed67f5",
    "02b1a0a6-3772-4b71-b2da-6d7cd87a5ec2",
    "54683dd7-1c17-41f6-b7ac-47935d20fe3f",
    "a8c71f5e-dd31-457f-8160-556b91dd6320",
    "87bb850b-6223-4540-8729-ff4c276097ea",
    "82481ce8-fe7b-493f-9ca1-0390bfa71be0",
    "ad8c543b-c698-468b-bb64-e0a418d6c517",
    "c4a8fe79-fa1b-4349-ac37-90146554f0ff",
    "2fdb927f-a5a7-47b2-bbed-8499c1c12105",
    "d3054716-73ed-4a6c-89c9-095ebe7f3445",
    "42a5e927-1ed6-4483-bd66-555d9d6d2f89",
    "86ff5af0-4c5a-46e1-9edb-8aa3df5e9d95",
    "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c",
    ""
  ]
}

$ python show-path-acl.py

Result:

"devices": [
  {
    "deviceName": "SDN-CAMPUS-C3850",
    "deviceId": "f8c3fc68-cd26-4576-bcec-51f9b578f71e",
    "deviceType": "SWITCH",
    "deviceRole": "Access",
    "deviceIp": "40.0.0.3",
    "interfaces": [
      {
        "interfaceName": "GigabitEthernet1/0/12",
        "interfaceId": "16e94527-33fd-4968-a0d7-0f7265b72904",
        "aclName": null,
        "aclId": null,
        "ingress": true,
        "blockType": "none",
        "relevantAces": [],
        "implicitDenies": []
      },
      {
        "interfaceName": "GigabitEthernet1/0/1",
        "interfaceId": "0e841ab3-6192-4514-9736-d3ef63ed67f5",
        "aclName": null,
        "aclId": null,
        "ingress": false,
        "blockType": "none",
        "relevantAces": [],
        "implicitDenies": []
      }
    ]
  },
  {
    "interfaceName": "GigabitEthernet0/0/0",
    "interfaceId": "ad8c543b-c698-468b-bb64-e0a418d6c517",
    "aclName": "one_big_acl_for_conflict",
    "aclId": "dea7a366-4cdd-4006-ad51-27f0a0b2fb40",
    "ingress": false,
    "blockType": "complete",
    "relevantAces": [
      {
        "aceIndex": 10,
        "ace": {
          "id": "f175c041-da1f-46cd-b9a6-0a4df6b5e15c",
          "aclId": "dea7a366-4cdd-4006-ad51-27f0a0b2fb40",
          "priority": 100,
          "action": "DENY",
          "protocol": "TCP",
          "srcAddr": null,
          "srcAddrMask": "32",
          "srcPort": 0,
          "srcPortUpper": 0,
          "destAddr": null,
          "destAddrMask": "32",
          "destPort": 458,
          "destPortUpper": 458,
          "dscp": 0,
          "attributeInfo": {}
        },
        "sourcePortInfoList": [],
        "destPortInfoList": [
          {
            "protocol": "tcp",
            "ports": "458"
          }
        ]
      },

Applications

{
  "id": "46de799b-7f51-4a5e-8d08-46e2e78ff619",
  "applicationGroup": "other",
  "category": "voice-and-video",
  "subCategory": "consumer-video-streaming",
  "encrypted": "false",
  "p2pTechnology": "false",
  "tunnel": "false",
  "name": "appleqtc",
  "enabled": "true",
  "nbarId": "92",
  "engineId": "3",
  "globalId": "L4:458",
  "selectorId": "458",
  "helpString": "apple quick time",
  "longDescription": "Apple QuickTime is an extensible proprietary multimedia framework developed by Apple Inc., capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. QuickTime is available for Windows XP and later, as well as Mac OS X Leopard and later operating systems.",
  "appProtocol": "tcp/udp",
  "tcpPorts": "458",
  "udpPorts": "458",
  "references": "http://www.apple.com/quicktime/",
  "url": "",
  "valid": true
}
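The trace Result above is only useful once a script pulls out where the path is blocked and by which entry, and the Applications record shows the ports the traced application actually uses (appleqtc, tcp/udp 458). This added example, not the presentation's show-path-acl.py, does both: it lists every interface on the traced path whose blockType is not "none" and cross-checks the blocking ACE against the application's ports. The input is a trimmed, constructed copy of the two slides; the second device's name and IP, which the Result slide elides, are placeholders.

```python
"""Summarise an APIC-EM /acl/trace result and cross-check the blocking ACE against the app."""
import json

# Constructed: trimmed /application record for the traced applicationId (appleqtc slide).
APPLICATION = {"id": "46de799b-7f51-4a5e-8d08-46e2e78ff619", "name": "appleqtc",
               "appProtocol": "tcp/udp", "tcpPorts": "458", "udpPorts": "458"}

# Constructed: trimmed /acl/trace response from the Result slide; second device wrapper is a placeholder.
TRACE = json.loads("""{"devices": [
 {"deviceName": "SDN-CAMPUS-C3850", "deviceIp": "40.0.0.3", "interfaces": [
   {"interfaceName": "GigabitEthernet1/0/12", "aclName": null, "ingress": true,
    "blockType": "none", "relevantAces": []},
   {"interfaceName": "GigabitEthernet1/0/1", "aclName": null, "ingress": false,
    "blockType": "none", "relevantAces": []}]},
 {"deviceName": "PLACEHOLDER-DEVICE", "deviceIp": "0.0.0.0", "interfaces": [
   {"interfaceName": "GigabitEthernet0/0/0", "aclName": "one_big_acl_for_conflict",
    "ingress": false, "blockType": "complete", "relevantAces": [
      {"aceIndex": 10, "ace": {"action": "DENY", "protocol": "TCP", "srcAddr": null,
       "destAddr": null, "destPort": 458, "destPortUpper": 458}}]}]}
]}""")

def app_ports(app):
    """Set of (proto, port) pairs an /application record matches on."""
    ports = set()
    for proto, key in (("tcp", "tcpPorts"), ("udp", "udpPorts")):
        for p in (app.get(key) or "").split(","):
            if p.strip().isdigit():
                ports.add((proto, int(p)))
    return ports

def ace_matches_app(ace, app):
    """True if the ACE's protocol and destination port range cover one of the app's ports."""
    proto = (ace.get("protocol") or "").lower()
    if proto == "ip":                    # protocol-agnostic entry covers every app
        return True
    lo, hi = ace.get("destPort") or 0, ace.get("destPortUpper") or 0
    if lo == 0 and hi == 0:              # 0/0 (as srcPort on the slide) assumed to mean no port qualifier
        return any(p == proto for p, _ in app_ports(app))
    return any(p == proto and lo <= port <= hi for p, port in app_ports(app))

def blocking_points(trace, app):
    """Every interface on the traced path whose blockType is not 'none', with its ACE."""
    found = []
    for dev in trace.get("devices", []):
        for itf in dev.get("interfaces", []):
            if itf.get("blockType", "none") == "none":
                continue
            for entry in itf.get("relevantAces", []):
                ace = entry["ace"]
                found.append({"device": dev["deviceName"], "interface": itf["interfaceName"],
                              "direction": "in" if itf.get("ingress") else "out",
                              "acl": itf.get("aclName"), "aceIndex": entry["aceIndex"],
                              "action": ace["action"], "matchesApp": ace_matches_app(ace, app)})
    return found
```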

Reference

Integration(s)

• Collaboration – Phase 1 – (lower trust threshold)

– Marking -> voice clients

– E.g. UCM, Citrix

• Security – Phase 2 – (higher trust threshold)

– Copy: lower

– Deny: higher (e.g. SourceFire)

Policy based QoS

https://test-apic/api/v0/policy POST

{
  "policyOwner": "Admin",
  "networkUser": {"userIdentifiers": ["40.0.0.15"], "applications": [{"raw": "12340;UDP"}]},
  "actionProperty": {"priorityLevel": "46"},
  "actions": ["PERMIT"],
  "policyName": "voice:audio:40.0.0.15"
}

$ python set-qos.py < qos-input-small.txt

{
  "response": {
    "taskId": "f5c07be7-ae8e-4350-80b0-1971874803c8",
    "url": "/api/v0/task/f5c07be7-ae8e-4350-80b0-1971874803c8"
  },
  "version": "0.0"
}

Task for Policy creation - success

https://adam-gv/api/v0/task/4bd6767d-b332-4d20-b689-05473833e0c8 GET

{
  "response": {
    "id": "4bd6767d-b332-4d20-b689-05473833e0c8",
    "rootId": "4bd6767d-b332-4d20-b689-05473833e0c8",
    "serviceType": "Policy Service",
    "progress": "767952d1-e5b5-4c9f-bcca-02e3e6515210",
    "startTime": 1409885977316,
    "endTime": 1409885985944
  },
  "version": "0.0"
}

Task for Policy creation - failure

https://test-apic/api/v0/task/f5c07be7-ae8e-4350-80b0-1971874803c8 GET

  "response": {
    "id": "f5c07be7-ae8e-4350-80b0-1971874803c8",
    "rootId": "f5c07be7-ae8e-4350-80b0-1971874803c8",
    "serviceType": "Policy Service",
    "progress": "Policy Creation Failed",
    "errorCode": "PartialSuccess",
    "failureReason": "04ea2f11-1e9d-435a-9db2-ded3fbcd732f: Inactive Policy - Interfaces where this policy needs to be programmed are not within the same policy scope. Hence skipping policy creation for this policy.",
    "isError": true,
    "startTime": 1412425907975,
    "endTime": 1412425910331
  },
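Every write shown in this deck (the tagging script's POST to /network-device/tag, the QoS and security POSTs to /policy) answers 202 with only a taskId, and the two task slides above show that the real outcome, including a failed policy, only appears later in GET /api/v0/task/{id}. This added example, not the presentation's code, classifies such a response and polls through an injected fetch callable so it runs offline; the samples are constructed from the two slide responses, and the shape of a still-running task (no endTime yet) is an assumption, since the slides only show finished ones.

```python
"""Classify a GET /api/v0/task/{id} response so a script never takes the 202 as success."""
import json

# Constructed from the two task responses on the slides (success, then failure).
SUCCESS_TASK = json.loads("""{"response": {
  "id": "4bd6767d-b332-4d20-b689-05473833e0c8", "rootId": "4bd6767d-b332-4d20-b689-05473833e0c8",
  "serviceType": "Policy Service", "progress": "767952d1-e5b5-4c9f-bcca-02e3e6515210",
  "startTime": 1409885977316, "endTime": 1409885985944}, "version": "0.0"}""")
FAILED_TASK = json.loads("""{"response": {
  "id": "f5c07be7-ae8e-4350-80b0-1971874803c8", "rootId": "f5c07be7-ae8e-4350-80b0-1971874803c8",
  "serviceType": "Policy Service", "progress": "Policy Creation Failed",
  "errorCode": "PartialSuccess", "isError": true,
  "failureReason": "04ea2f11-1e9d-435a-9db2-ded3fbcd732f: Inactive Policy - Interfaces where this policy needs to be programmed are not within the same policy scope. Hence skipping policy creation for this policy.",
  "startTime": 1412425907975, "endTime": 1412425910331}, "version": "0.0"}""")
# Constructed (assumed shape): a task the controller has not finished, so no endTime yet.
PENDING_TASK = {"response": {"id": "00000000-0000-0000-0000-000000000000",
                             "serviceType": "Policy Service", "startTime": 1412425907975},
                "version": "0.0"}

def classify_task(task):
    """Return (state, detail) with state in {'pending', 'success', 'failed'}.

    Rules read off the slide responses: isError/errorCode mark a failure and failureReason
    names the policy id and cause; a finished task without error succeeded and its progress
    field holds the id of the created object. 'No endTime yet' as the pending marker is an
    assumption, since the slides only show finished tasks.
    """
    r = task.get("response", task)
    if r.get("isError") or r.get("errorCode"):
        return "failed", f'{r.get("errorCode", "Error")}: {r.get("failureReason", "")}'
    if r.get("endTime") is None:
        return "pending", r.get("progress", "")
    return "success", r.get("progress", "")

def task_id_from_202(body):
    """Extract the taskId from the 202 body of a POST (the set-qos.py output on the slide)."""
    return body["response"]["taskId"]

def wait_for_task(fetch, task_id, attempts=10):
    """Poll fetch(task_id) until the task leaves 'pending'. fetch returns the parsed
    GET /api/v0/task/{id} body; it is injected so this runs offline, and a real HTTP
    client would sleep between polls."""
    state, detail = "pending", ""
    for _ in range(attempts):
        state, detail = classify_task(fetch(task_id))
        if state != "pending":
            break
    return state, detail
```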

Policy for Security

https://test-apic/api/v0/policy POST

{
  "policyName": "deny_some",
  "policyOwner": "Admin",
  "actions": ["DENY"],
  "networkUser": {"userIdentifiers": ["40.0.0.15"]},
  "resource": {"userIdentifiers": ["10.10.20.3"], "applications": [{"raw": "81;TCP"}]}
}

Sourcefire use case.

<<<<<THIS CAN BE DANGEROUS IN A SHARED LAB>>>>

Remove "resource" components (10.10.4.2):

1) deny tcp host 40.0.0.15 host 10.10.20.3 eq 81

2) deny tcp host 40.0.0.15 any eq 81

3) deny ip host 40.0.0.15 any
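The three numbered ACL lines above show how dropping "resource" parts widens a DENY policy from one host and port to all traffic from 40.0.0.15, which is the shared-lab hazard the slide warns about. This added example, not the presentation's code, is a pre-flight for a policy body: it renders the ACL line the body maps to, following exactly those three cases, and refuses a DENY whose destination or application would become "any" unless the caller opts in. The "port;PROTOCOL" raw format is the one on the slides; the three bodies are the slide's deny_some policy with resource parts removed.

```python
"""Pre-flight a DENY policy body before it goes to POST /api/v0/policy."""

def parse_raw_app(raw):
    """'81;TCP' (port;protocol, the raw format on the slides) -> ('tcp', '81')."""
    port, proto = raw.split(";", 1)
    return proto.strip().lower(), port.strip()

def policy_parts(policy):
    """Pull (action, src, dst, proto, port) out of a policy body; dst/proto/port are None when absent."""
    action = policy["actions"][0].lower()
    src = policy["networkUser"]["userIdentifiers"][0]
    res = policy.get("resource") or {}
    dst_ids = res.get("userIdentifiers") or []
    apps = res.get("applications") or []
    dst = dst_ids[0] if dst_ids else None
    proto, port = parse_raw_app(apps[0]["raw"]) if apps else (None, None)
    return action, src, dst, proto, port

def policy_to_ace(policy):
    """Render the ACL line the slide says the policy maps to (its three numbered cases)."""
    action, src, dst, proto, port = policy_parts(policy)
    dst_txt = f"host {dst}" if dst else "any"
    if proto:
        return f"{action} {proto} host {src} {dst_txt} eq {port}"
    return f"{action} ip host {src} {dst_txt}"

def check_deny_scope(policy, allow_any=False):
    """Return (ok, ace). A DENY with no destination host or no application widens to
    'any' and is rejected unless the caller opts in with allow_any."""
    action, _, dst, proto, _ = policy_parts(policy)
    broad = action == "deny" and (dst is None or proto is None)
    return (not broad) or allow_any, policy_to_ace(policy)

# The deny_some body from the slide (case 1); cases 2 and 3 drop resource parts.
DENY_SOME = {"policyName": "deny_some", "policyOwner": "Admin", "actions": ["DENY"],
             "networkUser": {"userIdentifiers": ["40.0.0.15"]},
             "resource": {"userIdentifiers": ["10.10.20.3"],
                          "applications": [{"raw": "81;TCP"}]}}
DENY_ANY_HOST = dict(DENY_SOME, resource={"applications": [{"raw": "81;TCP"}]})
DENY_ALL = dict(DENY_SOME, resource={})

if __name__ == "__main__":
    for body in (DENY_SOME, DENY_ANY_HOST, DENY_ALL):
        ok, ace = check_deny_scope(body)
        print("OK  " if ok else "STOP", ace)
```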

For more information…

• SDN BOF 1:30PM classroom

• Other Sessions

– DevNet-1044 – Create Hello World with APIC-EM

Thank you.

Join us on DevNet at developer.cisco.com

Follow DevNet on Twitter: @ciscodevnet