Features - Internet2 › media › medialibrary › ... · 10/18/2018  · Features •Upload /...


Yang Explorer
https://github.com/CiscoDevNet/yang-explorer

Features
• Upload / Compile yang models from User Interface Or Command Line
• Build NetConf RPC
• Generate Python example code [new]
• Search yang xpaths [new]
• Execute RPC against real netconf server
• Save created RPCs to collections for later use
• Build dependency graph for models
• Browse data model tree and inspect yang properties
Restconf support is experimental


© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• When a client is authorized with any privilege level, the client is automatically mapped to an NACM group (PRIV00 – PRIV15)

Privilege Level   NACM Group
0                 PRIV00
1                 PRIV01
2                 PRIV02
3                 PRIV03
4                 PRIV04
5                 PRIV05
6                 PRIV06
7                 PRIV07
8                 PRIV08
9                 PRIV09
10                PRIV10
11                PRIV11
12                PRIV12
13                PRIV13
14                PRIV14
15                PRIV15 (admin)

Privilege Level maps to NACM group

Feb 16 13:56:20.635: %DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'admin' authenticated successfully from 5.28.30.36:50390 and was authorized for netconf over ssh. External groups: PRIV15
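Added example, not from the deck: detection logic that parses %DMI-5-AUTH_PASSED lines like the one above, reverses the PRIVnn-to-privilege-level mapping, and flags admin-level (PRIV15) NETCONF sessions from hosts outside an allowlist. The allowlist and every sample line except the slide's own are constructed.

```python
import re

# Log format as shown on the slide (one syslog line; the slide wraps it over four lines).
DMI_AUTH_RE = re.compile(
    r"%DMI-5-AUTH_PASSED: .*?User '(?P<user>[^']+)' authenticated successfully "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) and was authorized for "
    r"(?P<proto>.+?)\. External groups: (?P<group>\S+)")


def parse_dmi_auth(line):
    """Return user, source, port, protocol and NACM group of an AUTH_PASSED line, else None."""
    m = DMI_AUTH_RE.search(line)
    return m.groupdict() if m else None


def privilege_level(group):
    """Reverse the slide's mapping: NACM group PRIVnn -> IOS privilege level 0..15."""
    m = re.fullmatch(r"PRIV(\d{2})", group)
    if not m or int(m.group(1)) > 15:
        raise ValueError(f"not a privilege-level NACM group: {group}")
    return int(m.group(1))


def review_netconf_logins(lines, trusted_sources, min_level=15):
    """Flag NETCONF sessions mapped to privilege >= min_level (PRIV15 = admin)
    whose source is not in the constructed automation allowlist."""
    alerts = []
    for line in lines:
        ev = parse_dmi_auth(line)
        if ev and privilege_level(ev["group"]) >= min_level and ev["src"] not in trusted_sources:
            alerts.append((ev["user"], ev["src"], ev["group"]))
    return alerts


# Constructed sample: the first line is the one on the slide, the other two are made up.
SAMPLE_LOG = [
    "Feb 16 13:56:20.635: %DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'admin' authenticated "
    "successfully from 5.28.30.36:50390 and was authorized for netconf over ssh. External groups: PRIV15",
    "Feb 16 14:02:11.101: %DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'vpnbot' authenticated "
    "successfully from 192.0.2.10:41022 and was authorized for netconf over ssh. External groups: PRIV15",
    "Feb 16 14:05:42.777: %DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'auditor' authenticated "
    "successfully from 198.51.100.7:55001 and was authorized for netconf over ssh. External groups: PRIV01",
]
TRUSTED_AUTOMATION_HOSTS = {"192.0.2.10"}   # constructed: the host running the ncclient script

if __name__ == "__main__":
    for user, src, group in review_netconf_logins(SAMPLE_LOG, TRUSTED_AUTOMATION_HOSTS):
        print(f"admin-level NETCONF session for {user!r} from {src} ({group})")
```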


Emory AWS VPN

CSR1000v Lab

Jimmy Kincaid

[email protected]

October 18, 2018


Emory AWS Automation
• Decision made to automate connectivity to research VPCs
  – IPSEC VPN
  – Emory Elastic IP i.e. 1:1 static NAT


Key Design Decisions
• VPC CIDR size?
  – Decision – /23 (512 addresses)
  – The new add-on CIDR feature was a heavy influence
• How many VPCs?
  – Decision – 200
• How much RFC1918 IP space?
  – 2 x /16 for the planned 200 VPCs
  – 2 x /16 additional reserved for future expansion
• Platform?
  – Decision – Cisco ASR1002-HX


IP Addressing Plan

VpnConnectionProfileId | VpcCidr        | CustomerGatewayIpAddress (Tunnel 1) | VpnInsideIpCidr (Tunnel 1) | CustomerGatewayIpAddress (Tunnel 2) | VpnInsideIpCidr (Tunnel 2)
1                      | 10.65.0.0/23   | 172.16.76.1   | 169.254.248.0/30  | 172.16.77.1   | 169.254.252.0/30
2                      | 10.65.2.0/23   | 172.16.76.2   | 169.254.248.4/30  | 172.16.77.2   | 169.254.252.4/30
3                      | 10.65.4.0/23   | 172.16.76.3   | 169.254.248.8/30  | 172.16.77.3   | 169.254.252.8/30
...                    | ...            | ...           | ...               | ...           | ...
200                    | 10.66.142.0/23 | 172.16.76.200 | 169.254.251.28/30 | 172.16.77.200 | 169.254.255.28/30

• 26k addresses remaining to be used as add-on CIDR
• NAT/PAT also provisioned for these address blocks on-prem
  – Each block of /21 receives a public IP (2048:1 oversubscribed)
  – /26 public in use, /26 in reserve
• 1:1 Static NAT i.e. Emory Elastic IP Service
  – /23 allocated, or 2.56 IPs/VPC
• 2 x /24s assigned for Emory CustomerGatewayIpAddress


Automation=YES, but how to safely test/dev?
• Production environment
  – NO GOOD!
• Physical Lab
  – Used for staging changes, upgrades, regression testing, etc.
  – Not a stable environment for development
  – NO GOOD!
• CSR1000v Virtual Lab
  – Dedicated environment
  – Easy to reset
  – Good analog: same code/config as production
  – WINNER!


Virtual Test / Dev Environment
• Virtual Lab
  – Linux KVM
    • vSwitch for interconnections
  – KVM host serves as CSR management and API access
  – 4 x CSR1000vs
    • 2 emulating Emory's border/edge routers
    • 1 serving as generic IP transit i.e. Internet/Internet2
    • 1 emulating 200 x AWS VPCs
• Same code/config as production hardware
  – Cisco IOS XE Software, Version 16.06.02
  – Dedicated for use by developers
  – https://bitbucket.org/jbkinca/emory-aws-vpn-csr1000v-lab/src/master/


Emory CSR1000v Lab for Dev/Test


Lab Setup – AWS Side
• 200 x i-VRFs, each representing a VPC
  – 001, 002, …, 200
• All using the same f-VRF IP as VPN termination
  – Internet-vrf
• Each i-VRF has a pair of TunX0YYY interfaces
  – X = Tunnel Number <1 or 2>
  – YYY = VpnConnectionProfileId 000, 001, …, 200
  – Tun10001, Tun20001, Tun10002, Tun20002, ...
• And a Lo10YYY interface with a /23 for the VPC
  – Lo10001, Lo10002, …, Lo10200
• Crypto fully pre-configured with predictable PSKs
  – test001, test002, …, test200
• BGP fully configured
  – Using bgp listen ranges to emulate AWS passive connectivity

Demonstration
• VPN Operations via NETCONF
  – Python script using ncclient
    • Script overview
    • Add
    • Status
    • Delete
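Added example, not code from the deck or the lab repo: it derives every value of the IP Addressing Plan from the VpnConnectionProfileId (including the +1 BGP neighbor and +2 tunnel address used in the tunnel and BGP config) and builds the NETCONF edit-config payload that the "Add" step above would send for one tunnel. Assumptions: the Cisco-IOS-XE-native leaf names used, the constructed VpcId and remote VPN IP, and that description, address, destination and shutdown state are the dynamically configured leaves of an otherwise pre-configured tunnel.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Base values read off the IP Addressing Plan table (profile 1 row); every
# profile is a fixed stride from them: /23 per VPC, /30 per tunnel, .<id> per CGW.
VPC_BASE = int(ipaddress.ip_address("10.65.0.0"))
INSIDE_BASE = {1: int(ipaddress.ip_address("169.254.248.0")),
               2: int(ipaddress.ip_address("169.254.252.0"))}
CGW_PREFIX = {1: "172.16.76.", 2: "172.16.77."}
MAX_PROFILE = 200
NATIVE_NS = "http://cisco.com/ns/yang/Cisco-IOS-XE-native"
NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"


def plan(profile_id):
    """Derive every addressing-plan value for one VpnConnectionProfileId (1..200)."""
    if not 1 <= profile_id <= MAX_PROFILE:
        raise ValueError(f"profile id {profile_id} outside 1..{MAX_PROFILE}")
    idx = profile_id - 1
    row = {"VpcCidr": str(ipaddress.ip_network((VPC_BASE + idx * 512, 23)))}
    for t in (1, 2):
        inside = ipaddress.ip_network((INSIDE_BASE[t] + idx * 4, 30))
        row[f"CustomerGatewayIpAddress{t}"] = f"{CGW_PREFIX[t]}{profile_id}"
        row[f"VpnInsideIpCidr{t}"] = str(inside)
        # AWS end (BGP neighbor, route-source check) is +1; Emory tunnel interface is +2
        row[f"BgpNeighbor{t}"] = str(inside.network_address + 1)
        row[f"TunnelIp{t}"] = str(inside.network_address + 2)
        row[f"Interface{t}"] = f"Tunnel{t}0{profile_id:03d}"   # TunX0YYY naming
    return row


def tunnel_edit_config(profile_id, tunnel, vpc_id, remote_vpn_ip, enable=True):
    """Build the <config> payload for the dynamic leaves of one tunnel interface.
    ASSUMPTION: Cisco-IOS-XE-native leaf names below; pre-configured lines are left
    untouched, and "no shutdown" is expressed as a delete of the <shutdown> leaf."""
    row = plan(profile_id)

    def n(tag):                       # namespaced tag helper
        return f"{{{NATIVE_NS}}}{tag}"
    cfg = ET.Element(f"{{{NC_NS}}}config")
    tun = ET.SubElement(ET.SubElement(ET.SubElement(cfg, n("native")), n("interface")), n("Tunnel"))
    ET.SubElement(tun, n("name")).text = f"{tunnel}0{profile_id:03d}"
    ET.SubElement(tun, n("description")).text = vpc_id
    prim = ET.SubElement(ET.SubElement(ET.SubElement(tun, n("ip")), n("address")), n("primary"))
    ET.SubElement(prim, n("address")).text = row[f"TunnelIp{tunnel}"]
    ET.SubElement(prim, n("mask")).text = "255.255.255.252"
    ET.SubElement(ET.SubElement(tun, n("tunnel")), n("destination")).text = remote_vpn_ip
    shut = ET.SubElement(tun, n("shutdown"))
    if enable:
        shut.set(f"{{{NC_NS}}}operation", "delete")
    return ET.tostring(cfg, encoding="unicode")


if __name__ == "__main__":
    print(plan(200))
    print(tunnel_edit_config(1, 1, "vpc-0EXAMPLE", "203.0.113.10"))   # constructed VpcId / remote IP
```

With ncclient the returned string is what the script would pass to manager.edit_config(target="running", config=payload) against the lab CSR.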


References
• Emory AWS VPN CSR1000v Lab Repo
  – https://bitbucket.org/jbkinca/emory-aws-vpn-csr1000v-lab/src/master/
• Emory AWS VPN CSR1000v Lab Documentation
  – https://bitbucket.org/jbkinca/emory-aws-vpn-csr1000v-lab/wiki/Home
• AWS Managed VPN Connections
  – https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
• Yang models
  – https://github.com/YangModels/yang
• ncclient
  – https://github.com/ncclient/ncclient/wiki
• Yang Explorer
  – https://github.com/CiscoDevNet/yang-explorer
• Tail-f Java NETCONF Client (JNC)
  – https://github.com/tail-f-systems/JNC


Questions & Answer Period


Appendix


Emory AWS VPN Connectivity – Type 1 VPC


Tunnel Details


! NETCONF Config
!
! Block access from the CLI to sections controlled via NETCONF
netconf-yang cisco-ia blocking cli-blocking-enabled
netconf-yang cisco-ia blocking network-element-command "^interface Tunnel[12]0[0-9][0-9][0-9]"
netconf-yang cisco-ia blocking network-element-command "^no interface Tunnel[12]0[0-9][0-9][0-9]"
netconf-yang cisco-ia blocking network-element-command "^crypto keyring keyring-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^default interface Tunnel[12]0[0-9][0-9][0-9]"
netconf-yang cisco-ia blocking network-element-command "^no crypto keyring keyring-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^crypto ipsec profile ipsec-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^crypto isakmp profile isakmp-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^no crypto ipsec profile ipsec-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^no crypto isakmp profile isakmp-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^crypto ipsec transform-set ipsec-prop-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^no crypto ipsec transform-set ipsec-prop-vpn-research-vpc.*"
...
! Enable NETCONF via SSH port 830
! Assumes AAA/SSH/etc. are properly configured
! NOTE: SSH/vty ACLs do not get applied to port 830 as of this code version
netconf-yang


! VPN Config
! RED = Pre-configured / GREEN = configured dynamically by NETCONF
!
! Global crypto parameters
crypto isakmp keepalive 10 10
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear
!
crypto isakmp policy 10000
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
 lifetime 28800
!
! Crypto for all 200 VPNs is defined here - only 1 shown for brevity
crypto keyring keyring-vpn-research-vpc<001>-tun<1> vrf AWS
 description <VpcId>
 local-address <CustomerGatewayIpAddress> AWS
 pre-shared-key address <RemoteVpnIp> key <PresharedKey>
!
crypto isakmp profile isakmp-vpn-research-vpc<001>-tun<1>
 description <VpcId>
 vrf AWS
 keyring keyring-vpn-research-vpc<001>-tun<1>
 match identity address 169.254.0.1 255.255.255.255 AWS
 match identity address <RemoteVpnIpAddress> 255.255.255.255 AWS
 local-address <CustomerGatewayIpAddress> AWS
!


! VPN Config - Continued
! RED = Pre-configured / GREEN = configured dynamically by NETCONF
!
crypto ipsec transform-set ipsec-prop-vpn-research-vpc<001>-tun<1> esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile ipsec-vpn-research-vpc<001>-tun<1>
 description <VpcId>
 set transform-set ipsec-prop-vpn-research-vpc<001>-tun<1>
 set pfs group2
!
! All 200 tunnel interfaces are defined here - only 1 shown for brevity
interface Tunnel<1>0<001>
 description <VpcId>
 vrf forwarding AWS
 ip address <VpnInsideIpCidr + 2> 255.255.255.252
 ip tcp adjust-mss 1387
 tunnel source <CustomerGatewayIpAddress>
 tunnel mode ipsec ipv4
 tunnel destination <RemoteVpnIpAddress>
 tunnel vrf AWS
 tunnel protection ipsec profile ipsec-vpn-research-vpc<001>-tun<1>
 ip virtual-reassembly
 <no> shutdown
!


VPN Config Notes
• The "local-address" directive does not yet have full YANG model support
  – VRF is missing
  – For this reason, crypto "keyring" & "isakmp profile" are mostly pre-configured
• A bogus/unused "match identity" for address 169.254.0.1 is configured for all "isakmp profiles"
  – Required in order to assign a "keyring" as part of the pre-config
• For tunnel interfaces, "ip virtual-reassembly" is not modeled in YANG
  – For this reason, tunnel interfaces are mostly pre-configured


! Routing Config
! RED = Pre-configured / GREEN = configured dynamically by NETCONF
!
! Define VRF
vrf definition AWS
 rd 3512:853
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
! Null routes for BGP advertisement
ip route vrf AWS 10.0.0.0 255.0.0.0 Null0 254
ip route vrf AWS 163.246.0.0 255.255.0.0 Null0 254
ip route vrf AWS 170.140.0.0 255.255.0.0 Null0 254
ip route vrf AWS 172.16.0.0 255.240.0.0 Null0 254
ip route vrf AWS 192.168.0.0 255.255.0.0 Null0 254
!
! All 200 loopbacks are defined here - only 1 shown for brevity
interface Loopback<1>0<001>
 description VPC<001> Tunnel<1> VPN Endpoint
 vrf forwarding AWS
 ip address <CustomerGatewayIpAddress> 255.255.255.255
!


! Routing Config - Continued
! RED = Pre-configured / GREEN = configured dynamically by NETCONF
!
ip prefix-list EMORY_ROUTES seq 10 permit 163.246.0.0/16
ip prefix-list EMORY_ROUTES seq 20 permit 170.140.0.0/16
ip prefix-list EMORY_ROUTES seq 30 permit 10.0.0.0/8
ip prefix-list EMORY_ROUTES seq 40 permit 172.16.0.0/12
ip prefix-list EMORY_ROUTES seq 50 permit 192.168.0.0/16
ip prefix-list EMORY_ROUTES seq 60 permit 0.0.0.0/0
!
route-map TO_AWS_RESEARCH_VPCs permit 10
 match ip address prefix-list EMORY_ROUTES
 set as-path prepend 3512 3512
 set community no-export additive
!
! All 200 prefix lists are defined here - only 1 is shown for brevity
ip prefix-list AWS_RESEARCH_VPC_001 seq 5 permit 10.65.0.0/23
ip prefix-list AWS_RESEARCH_VPC_001_NEXT_HOP seq 5 permit 169.254.248.1/32
!
! All 200 policy lists are defined here - only one shown for brevity
ip policy-list AWS_RESEARCH_VPC_001_NEXT_HOP permit
 match ip route-source prefix-list AWS_RESEARCH_VPC_001_NEXT_HOP
!
! This route-map has 200 sequence numbers - only one shown for brevity
route-map FROM_AWS_RESEARCH_VPCs permit 10001
 match ip address prefix-list AWS_RESEARCH_VPC_001
 match policy-list AWS_RESEARCH_VPC_001_NEXT_HOP
!


! Routing Config – Continued
! RED = Pre-configured / GREEN = configured dynamically by NETCONF
!
router bgp 3512
 bgp router-id 10.255.0.104
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf AWS
  network 0.0.0.0
  network 10.0.0.0
  network 163.246.0.0
  network 170.140.0.0
  network 172.16.0.0 mask 255.240.0.0
  network 192.168.0.0 mask 255.255.0.0
  neighbor AWS_RESEARCH_VPCs peer-group
  neighbor AWS_RESEARCH_VPCs remote-as 65533
  neighbor AWS_RESEARCH_VPCs description AWS Research VPCs via IPSEC VPN
  neighbor AWS_RESEARCH_VPCs timers 10 30 30
  neighbor AWS_RESEARCH_VPCs soft-reconfiguration inbound
  neighbor AWS_RESEARCH_VPCs route-map FROM_AWS_RESEARCH_VPCs in
  neighbor AWS_RESEARCH_VPCs route-map TO_AWS_RESEARCH_VPCs out
  ! All 200 neighbors are defined in this section - only 1 shown for brevity
  neighbor <VpnInsideIpCidr + 1> peer-group AWS_RESEARCH_VPCs
  neighbor <VpnInsideIpCidr + 1> description <VpcId>
  neighbor <VpnInsideIpCidr + 1> activate
 exit-address-family
!


Routing Config Notes
• Default route is already present in IGP, so no null route is needed
• Type 1 receives all 6 routes, but technically only needs the default
  – The other 5 discrete routes are for Type 2
• Route-map "FROM_AWS_RESEARCH_VPCs" ties "route-source" to the correct /23 for that VPC
  – Prevents reception of incorrect routes from a VPC
  – Mostly applies to Type 2 VPCs
  – If the AWS add-on CIDR feature is used, automation must be implemented to update the allowed prefix list