API Deep Dive: APIC EM Rest API

DevNet @
API Deep Dive: APIC EM Rest API
DevNet-1007
Adam Radford – Distinguished Systems Engineer

© 2014 Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco Public DevNet @
Agenda
• Introduction
• Quick Tour
• Use cases

Common Policy will Drive End-to-End Solutions
4
Consistent Policy Across Cloud, DC, WAN and Access
Cloud Data Center WAN Access
Application Network Profile
SLA, Security, QoS, Load Balancing
User/Things Network Profile
QoS, Security, SLA, Device
APIC APICAPIC APIC

Introducing Cisco APIC Enterprise Module
Advanced Visualization
for low risk SDN adoption
Elastic Services
for scalability &
HA
Existing & New Installations
Catalyst, ISR, ASR
Agile
Integration Model
Network Abstraction and Automation
APIC
Masking Network Complexity, Exposing Network Intelligence.

Cisco APIC Enterprise Module Architecture
Abstracts Network Devices to Mask Complexity
Treat Network as a System
Exposes Network Intelligence
For Business Innovation
Cisco APIC Enterprise Module
Cisco and Third Party Applications
Network Devices
Catalyst, ASR, ISR
Network Info
Database
Policy
Infrastructure
Automation
REST API
Southbound Interface: CLI
Security QoS IWAN Network PnP

APIC-EM: Services Layered View
NB REST API
Pxgrid Client +
LDAP client
Radius Proxy +
LDAP client
Inventory
Topology
Policy Analysis
PnP
Network
Discovery
Network
Programmer
Policy
Programmer
(QoS, ACL)
Network
Tapping
Easy QoS
Network Events
Policy Manager
Conflict Detection and
Resolution
(BI and NI)
Business Intent to
Network Intent
Conversion
NETWORK
MODEL
DEVICE
MODEL
DEVICE
INTERFACE
Application
Visibility
PfR
APIC-EMServicesAPIC-EMApps
IWAN Services
APIC-EM Services
IWAN Services
Basic Services for Controller Availability
Inventory
Visualizer
Topology
Visualizer
Application
Visualizer
Discovery
Easy QoS
Visualizer
Compliance
Check
ACL
Visualizer
Network PnP
Network
Tapping
Visualizer
Policy
Manager

DevNet @
Quick Tour APIC-EM API

RESTful services exposed

Understanding the tables
{"id": "7895a45f-47aa-42ee-9d06-c66d3b784594",
"hostname": "SDN-BRANCH-3750-STACK",
"managementIpAddress": "40.0.2.18",
"macAddress": "1C:DF:0F:08:20:C2",
"type": "SWITCH",
"vendor": "Cisco",
"family": "C3750X",
"serialNumber": "FDO1432K0MC",
"platformId": "WS-C3750X-48P",
"softwareVersion": "15.2(1)E2",
"imageName": "c3750e-universalk9-mz.152-1.E2.bin",
"upTime": "26 weeks, 3 hours, 8 minutes",
"memorySize": "262144K",
"interfaceCount": "109",
"role": "Access",
"roleSource": "auto",
"lineCardCount": "5",
"lineCardId": "3220b22a-a74c-4f9e-9898-
c9afc01dc5dd,9ef0da99-963c-4289-9087-7f861c969ea3,e5b911e4-
2c1c-4a95-9214-dd9877dd2b92,f5996432-3c89-4045-ac8b-
46a6bf873845",
"lastUpdated": "2014-09-29 16:19:17.627273-07",
"portRange": "FastEthernet0, Vlan1, GigabitEthernet1/0/1-48,
GigabitEthernet1/1/1-4, GigabitEthernet2/0/1-48,
GigabitEthernet2/1/1-4, TenGigabitEthernet1/1/1-2,
TenGigabitEthernet2/1/1-2",
"avgUpdateFrequency": 300,
"numUpdates": 30,
"reachabilityStatus": "In Progress",
"reachabilityFailureReason": "Unreachable"
}, Cisco Confidential
{
"id": "8f41bef8-698c-4701-af14-471e910ed9ff",
"hostMac": "00:50:56:8A:27:A3",
"hostIp": "40.0.5.12",
"hostType": "WIRED",
"connectedNetworkDeviceId": "7895a45f-47aa-42ee-9d06-
c66d3b784594",
"connectedNetworkDeviceIpAddress": "40.0.2.18",
"connectedInterfaceId": "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c",
"connectedInterfaceName": "GigabitEthernet2/0/2",
"vlanId": "1",
"lastUpdated": "September 29, 2014 1:54:13 PM PDT",
"numUpdates": 1,
"userStatus": "Active",
"source": 200
},
$python host.py | sort

Understanding topology
• Nodes
Cisco Confidential
"deviceType": "SWITCH",
"label": "SDN-BRANCH-3750-STACK",
"id": "7895a45f-47aa-42ee-9d06-c66d3b784594",  /network-device
"nodeType": "device",
"deviceType": "WIRED",
"label": "40.0.5.12",
"id": "8f41bef8-698c-4701-af14-471e910ed9ff",  /host
"nodeType": "host",
"source": "7895a45f-47aa-42ee-9d06-c66d3b784594",
"startPortID": "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c",
"target": "8f41bef8-698c-4701-af14-471e910ed9ff",
"endPortID": "",
"linkStatus": "UP"
• Links
https://test-apic/api/v0/topology/physical-topology

/acl/trace
/routing-path
/application /qos
App -> Class -> Mapping (cvd)
Queuing on interfaces
Bandwidth allocation to classes
QoS Marking
/policy
/network-
device/{tags}
/host
/user
ACL
QoS Marking
Traffic Redirection
Path verification
ACL -> App mapping
REST API Structure - Policy
12

Policy Construct

Three Classes of Use Case
Cisco Confidential
NetOps Net Integration Net Innovation
"HOW" to "WHAT"
Cultural change: "TEST and VERIFY"  "TRUST"

Tags - Adding
https://test-apic/api/v0/network-device/tag POST
{"networkDeviceId" : "7895a45f-47aa-42ee-9d06-c66d3b784594", "tag" :
"branch"}

Automating Tagging..
$ ./tag_device.py BRANCH +branch
Adding tag: branch to device SDN-BRANCH-3750-STACK(7895a45f-47aa-42ee-9d06-c66d3b784594)
202
TAGGED {u'url': u'/api/v0/task/3e934c30-43f1-4157-b4e8-a4291ba6c198', u'taskId':
u'3e934c30-43f1-4157-b4e8-a4291ba6c198'}
Adding tag: branch to device SDN-BRANCH-3850-TB1(526c8fc6-f732-41a9-9faf-5876293a2e8c)
202
TAGGED {u'url': u'/api/v0/task/3714ef69-11ef-411b-945f-db52bba47db0', u'taskId':
u'3714ef69-11ef-411b-945f-db52bba47db0'}
Adding tag: branch to device SDN-BRANCH-ASR1002(cceaf2fe-c3d9-4d37-bf14-fba071c27d6e)
202
TAGGED {u'url': u'/api/v0/task/8c85d4cf-6bc7-40b8-8616-938af7a446b1', u'taskId':
u'8c85d4cf-6bc7-40b8-8616-938af7a446b1'}
Adding tag: branch to device SDN-BRANCH-C4K(a36bc35a-94ed-4b2c-a66c-e46dddd5e037)
202
TAGGED {u'url': u'/api/v0/task/dfa84ff2-d92a-4fea-9e7a-707bf3d18cb1', u'taskId':
u'dfa84ff2-d92a-4fea-9e7a-707bf3d18cb1'}

IPAM - All Subnets
{
"id": "5bcc0bc0-c7bd-458d-9ad6-b606970017cf",
"deviceId": "526c8fc6-f732-41a9-9faf-5876293a2e8c",
"interfaceType": "Physical",
"portName": "GigabitEthernet1/0/5",
"portType": "Gigabit Ethernet",
"portMode": "routed",
"connectorType": "RJ-45",
"macAddress": "18:9C:5D:16:FC:E4",
"ipv4Address": "40.0.3.1",
"ipv4Mask": "30",
"serialNo": "FOC1743X0CJ",
"pid": "WS-C3850-48P",
"status": "down",
"vendor": "Cisco",
"lastUpdated": "2014-09-29 16:17:14.995619-07",
"duplex": false,
"numUpdates": 49,
"speed": 1000000
}
{
"id": "2fdb927f-a5a7-47b2-bbed-8499c1c12105",
"deviceId": "526c8fc6-f732-41a9-9faf-5876293a2e8c",
"interfaceType": "Physical",
"portName": "GigabitEthernet1/0/4",
"portType": "Gigabit Ethernet",
"portMode": "routed",
"connectorType": "RJ-45",
"macAddress": "18:9C:5D:16:FC:F6",
"ipv4Address": "40.0.2.5",
"ipv4Mask": "30",
"serialNo": "FOC1743X0CJ",
"pid": "WS-C3850-48P",
"status": "up",
"vendor": "Cisco",
"connectedNeighbor": "a632c6e8-89bf-4949-8e4d-a249105f2c7c",
"lastUpdated": "2014-09-29 16:17:14.980705-07",
"connectedNeighborType": "Network_Device",
"ospfSupport": true,
"duplex": true,
"numUpdates": 49,
"speed": 1000000
}
https://test-apic/api/v0/interface GET
$python all-interfaces.py | sort

Netops
• Previous examples
– Access to datastore
– Find/filter/report etc
• routing-path  similar to topology
– /routing-path/{src}/{dst}
– /routing-path/40.0.0.15/40.0.5.12
Cisco Confidential

Path has nodes and links
"nodes": [
{
"label": "40.0.0.15",
"id": "51a75ce9-d5c9-4fe2-95a0-6fc01410e201",
"nodeType": "host"
},{
"label": "SDN-CAMPUS-C3850",
"id": "f8c3fc68-cd26-4576-bcec-51f9b578f71e",
}
........
Some nodes removed
...........
{
"label": "SDN-BRANCH-3750-STACK",
"id": "7895a45f-47aa-42ee-9d06-c66d3b784594",
},
{
"label": "40.0.5.12",
"id": "8f41bef8-698c-4701-af14-471e910ed9ff",
"nodeType": "host"
}
* NOTE: Some attributed removed
Cisco Confidential
"links":{
"source": "51a75ce9-d5c9-4fe2-95a0-6fc01410e201",
"startPortID": "",
"target": "f8c3fc68-cd26-4576-bcec-51f9b578f71e",
"endPortID": "16e94527-33fd-4968-a0d7-0f7265b72904",
"linkStatus": "UP"
}, {
"id": "459d7b7b-01c3-449a-841d-489e0250b8da",
"source": "f8c3fc68-cd26-4576-bcec-51f9b578f71e",
"startPortID": "0e841ab3-6192-4514-9736-d3ef63ed67f5",
"target": "e5f93514-3ae5-4109-8b52-b9fa876e1eae",
"endPortID": "02b1a0a6-3772-4b71-b2da-6d7cd87a5ec2",
"linkStatus": "UP"
},
….... …………
Some nodes removed
……………………….
{
"source": "7895a45f-47aa-42ee-9d06-c66d3b784594",
"startPortID": "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c",
"target": "8f41bef8-698c-4701-af14-471e910ed9ff",
"endPortID": "",
"linkStatus": "UP"
}
$python show-path.py

Netops
ACL
– Get ACL for a Device
https://test-apic/api/v0/acl/device/cceaf2fe-c3d9-4d37-bf14-fba071c27d6e
– Get ACL for Interface GigabitEthernet0/0/0
https://test-apic/api/v0/acl/interface/ad8c543b-c698-468b-bb64-e0a418d6c517
• Check for consistency of an ACL
https://test-apic/api/v0/acl/conflict/dea7a366-4cdd-4006-ad51-27f0a0b2fb40
Cisco Confidential
$python check-acl.py

Combine PATH with ACL
https://test-apic/api/v0/acl/trace POST
{
"destIp": "40.0.0.15",
"sourceIp": "40.0.0.12",
"applicationId": "46de799b-7f51-4a5e-8d08-46e2e78ff619",
"interfaceIds": [
"",
"16e94527-33fd-4968-a0d7-0f7265b72904",
"4556c2eb-0df4-41b3-8558-05f04be02fe0",
"" ]
}
Cisco Confidential
$python show-path-acl.pyContent-Type = application/json

Combine PATH with ACL
https://test-apic/api/v0/acl/trace POST
{
"destIp": "40.0.0.15",
"sourceIp": "40.0.5.12",
"applicationId": "46de799b-7f51-4a5e-8d08-46e2e78ff619",
"interfaceIds": ["",
"16e94527-33fd-4968-a0d7-0f7265b72904",
"0e841ab3-6192-4514-9736-d3ef63ed67f5",
"02b1a0a6-3772-4b71-b2da-6d7cd87a5ec2",
"54683dd7-1c17-41f6-b7ac-47935d20fe3f",
"a8c71f5e-dd31-457f-8160-556b91dd6320",
"87bb850b-6223-4540-8729-ff4c276097ea",
"82481ce8-fe7b-493f-9ca1-0390bfa71be0",
"ad8c543b-c698-468b-bb64-e0a418d6c517",
"c4a8fe79-fa1b-4349-ac37-90146554f0ff",
"2fdb927f-a5a7-47b2-bbed-8499c1c12105",
"d3054716-73ed-4a6c-89c9-095ebe7f3445",
"42a5e927-1ed6-4483-bd66-555d9d6d2f89",
"86ff5af0-4c5a-46e1-9edb-8aa3df5e9d95",
"30bb14c1-8fb6-45c4-8f6d-5b845a7f448c",""]
}
Cisco Confidential
$python show-path-acl.pyContent-Type = application/json

Result:
"devices": [ {
"deviceName": "SDN-CAMPUS-C3850",
"deviceId": "f8c3fc68-cd26-4576-bcec-51f9b578f71e",
"deviceRole": "Access",
"deviceIp": "40.0.0.3",
"interfaces": [{
"interfaceName": "GigabitEthernet1/0/12",
"interfaceId": "16e94527-33fd-4968-a0d7-0f7265b72904",
"aclName": null,
"aclId": null,
"ingress": true,
"blockType": "none",
"relevantAces": [],
"implicitDenies": []
},{
"interfaceName": "GigabitEthernet1/0/1",
"interfaceId": "0e841ab3-6192-4514-9736-d3ef63ed67f5",
"aclName": null,
"aclId": null,
"ingress": false,
"blockType": "none",
"relevantAces": [],
"implicitDenies": []
}]
},
{ "interfaceName": "GigabitEthernet0/0/0",
"interfaceId": "ad8c543b-c698-468b-bb64-e0a418d6c517",
"aclName": "one_big_acl_for_conflict",
"aclId": "dea7a366-4cdd-4006-ad51-27f0a0b2fb40",
"ingress": false,
"blockType": "complete",
"relevantAces": [{
"aceIndex": 10,
"ace": {
"id": "f175c041-da1f-46cd-b9a6-0a4df6b5e15c",
"aclId": "dea7a366-4cdd-4006-ad51-27f0a0b2fb40",
"priority": 100, "action": "DENY", "protocol": "TCP",
"srcAddr": null,"srcAddrMask": "32",
"srcPort": 0,
"srcPortUpper": 0,
"destAddr": null, "destAddrMask": "32",
"destPort": 458,
"destPortUpper": 458,
"dscp": 0,
"attributeInfo": {}
},
"sourcePortInfoList": [],
"destPortInfoList": [
{
"protocol": "tcp",
"ports": "458"
} ]},

Applications
{
"id": "46de799b-7f51-4a5e-8d08-46e2e78ff619",
"applicationGroup": "other",
"category": "voice-and-video",
"subCategory": "consumer-video-streaming",
"encrypted": "false",
"p2pTechnology": "false",
"tunnel": "false",
"name": "appleqtc",
"enabled": "true",
"nbarId": "92",
"engineId": "3",
"globalId": "L4:458",
"selectorId": "458",
"helpString": "apple quick time",
"longDescription": "Apple QuickTime is an extensible proprietary multimedia framework developed by Apple Inc.,
capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity.
QuickTime is available for Windows XP and later, as well as Mac OS X Leopard and later operating systems.",
"appProtocol": "tcp/udp",
"tcpPorts": "458",
"udpPorts": "458",
"references": "http://www.apple.com/quicktime/",
"url": "",
"valid": true
}

Reference

Integration(s)
• Collaboration – Phase 1 – (lower trust threshold)
Marking -> voice clients
E.g. UCM, Citrix
• Security – Phase 2 – (higher trust threshold)
Copy --- lower
Deny – higher (e.g. SourceFire)
Cisco Confidential

Policy based QoS
https://test-apic/api/v0/policy POST
{
"policyOwner": "Admin",
"networkUser": {"userIdentifiers":["40.0.0.15"],"applications":[{"raw": "12340;UDP"}]},
"actionProperty": {"priorityLevel": "46"},
"actions": [ "PERMIT"],
"policyName": "voice:audio:40.0.0.15"
}
Cisco Confidential
$python set-qos.py < qos-input-small.txt
{
"response": {
"taskId": "f5c07be7-ae8e-4350-80b0-1971874803c8",
"url": "/api/v0/task/f5c07be7-ae8e-4350-80b0-1971874803c8"
},
"version": "0.0"
}

Task for Policy creation - success
https://adam-gv/api/v0/task/4bd6767d-b332-4d20-b689-05473833e0c8 GET
{
"response": {
"id": "4bd6767d-b332-4d20-b689-05473833e0c8",
"rootId": "4bd6767d-b332-4d20-b689-05473833e0c8",
"serviceType": "Policy Service",
"progress": "767952d1-e5b5-4c9f-bcca-02e3e6515210",
"startTime": 1409885977316,
"endTime": 1409885985944
},
"version": "0.0"
}

Task for Policy creation - failure
https://test-apic/api/v0/task/f5c07be7-ae8e-4350-80b0-1971874803c8 GET
"response": {
"id": "f5c07be7-ae8e-4350-80b0-1971874803c8",
"rootId": "f5c07be7-ae8e-4350-80b0-1971874803c8",
"serviceType": "Policy Service",
"progress": "Policy Creation Failed",
"errorCode": "PartialSuccess",
"failureReason": "04ea2f11-1e9d-435a-9db2-ded3fbcd732f: Inactive Policy - Interfaces
where this policy needs to be programmed are not within the same policy scope. Hence skipping
policy creation for this policy.",
"isError": true,
"startTime": 1412425907975,
"endTime": 1412425910331
},

Policy for Security
https://test-apic/api/v0/policy POST
{
"policyName": "deny_some",
"policyOwner": "Admin",
"actions": ["DENY"],
"networkUser": {"userIdentifiers": ["40.0.0.15"]},
"resource": {"userIdentifiers": ["10.10.20.3"], "applications":[{"raw":
"81;TCP"}]}
}
Cisco Confidential
Sourcefire use case.
<<<<<THIS CAN BE DANGEROUS IN A SHARED LAB>>>>
Remove "resource" components (10.10.4.2)
1) deny tcp host 40.0.0.15 host 10.10.20.3 eq 81
2) deny tcp host 40.0.0.15 any eq 81
3) deny ip host 40.0.0.15 any

For more information…
• SDN BOF 1:30PM classroom
• Other Sessions
– DevNet-1044 – Create Hello World with APIC-EM

Thank you.
DevNet @
Join us on DevNet at developer.cisco.com
Follow DevNet on Twitter: @ciscodevnet

API Deep Dive: APIC EM Rest API

API Deep Dive: APIC EM Rest API

More Related Content

What's hot (20)

Viewers also liked (18)

Similar to API Deep Dive: APIC EM Rest API (20)

More from Cisco DevNet (18)

Recently uploaded (20)

API Deep Dive: APIC EM Rest API