Yang Explorer
https://github.com/CiscoDevNet/yang-explorer

Features
• Upload / Compile yang models from User Interface or Command Line
• Build NetConf RPC
• Generate Python example code [new]
• Search yang xpaths [new]
• Execute RPC against real netconf server
• Save created RPCs to collections for later use
• Build dependency graph for models
• Browse data model tree and inspect yang properties
Restconf support is experimental

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• When client is authorized with any privilege level, client is automatically mapped to NACM group (PRIV00 – PRIV15)

Privilege Level   NACM Group
0                 PRIV00
1                 PRIV01
2                 PRIV02
3                 PRIV03
4                 PRIV04
5                 PRIV05
6                 PRIV06
7                 PRIV07
8                 PRIV08
9                 PRIV09
10                PRIV10
11                PRIV11
12                PRIV12
13                PRIV13
14                PRIV14
15                PRIV15 (admin)

Privilege Level maps to NACM group

Feb 16 13:56:20.635: %DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'admin' authenticated successfully from 5.28.30.36:50390 and was authorized for netconf over ssh. External groups: PRIV15

NACM rule examples: Rule 1, Rule 2, Rule 3 (figure; rule contents not captured in the transcript)

Emory AWS VPN

CSR1000v Lab

Jimmy Kincaid

jimmy.kincaid@emory.edu

October 18, 2018

Emory AWS Automation

• Decision made to automate connectivity to research VPCs
  – IPSEC VPN
  – Emory Elastic IP i.e. 1:1 static NAT

Key Design Decisions

• VPC CIDR size?
  – Decision – /23 (512 addresses)
  – Heavily influenced by the new add-on CIDR feature
• How many VPCs?
  – Decision – 200
• How much RFC1918 IP space?
  – 2 x /16 for planned 200 VPCs
  – 2 x /16 additional reserved for future expansion
• Platform?
  – Decision – Cisco ASR1002-HX

IP Addressing Plan

VpnConnectionProfileId  VpcCidr          CustomerGatewayIpAddress (Tunnel 1)  VpnInsideIpCidr (Tunnel 1)  CustomerGatewayIpAddress (Tunnel 2)  VpnInsideIpCidr (Tunnel 2)
1                       10.65.0.0/23     172.16.76.1                          169.254.248.0/30            172.16.77.1                          169.254.252.0/30
2                       10.65.2.0/23     172.16.76.2                          169.254.248.4/30            172.16.77.2                          169.254.252.4/30
3                       10.65.4.0/23     172.16.76.3                          169.254.248.8/30            172.16.77.3                          169.254.252.8/30
...                     ...              ...                                  ...                         ...                                  ...
200                     10.66.142.0/23   172.16.76.200                        169.254.251.28/30           172.16.77.200                        169.254.255.28/30

• 26k addresses remaining to be used as add-on CIDR
• NAT/PAT also provisioned for these address blocks on-prem
  – Each block of /21 receives a public IP (2048:1 oversubscribed)
  – /26 public in use, /26 in reserve
• 1:1 Static NAT i.e. Emory Elastic IP Service
  – /23 allocated or 2.56 IP's/VPC
• 2 x /24's assigned for Emory CustomerGatewayIpAddress

Automation=YES, but how to safely test/dev?

• Production environment
  – NO GOOD!
• Physical Lab
  – Used for staging changes, upgrades, regression testing, etc.
  – Not a stable environment for development
  – NO GOOD!
• CSR1000v Virtual Lab
  – Dedicated environment
  – Easy to reset
  – Good analog - same code/config as production
  – WINNER!

Virtual Test / Dev Environment

• Virtual Lab
  – Linux KVM
    • vSwitch for interconnections
  – KVM host serves as CSR management and API access
  – 4 x CSR1000v's
    • 2 emulating Emory's border/edge routers
    • 1 serving as generic IP Transit i.e. Internet/Internet2
    • 1 emulating 200 x AWS VPCs
• Same code/config as production hardware
  – Cisco IOS XE Software, Version 16.06.02
  – Dedicated for use by developers
  – https://bitbucket.org/jbkinca/emory-aws-vpn-csr1000v-lab/src/master/

Emory CSR1000v Lab for Dev/Test

Lab Setup – AWS Side

• 200 x i-VRF's each representing a VPC
  – 001, 002, …, 200
• All using same f-VRF IP as VPN termination
  – Internet-vrf
• Each i-VRF has a pair of TunX0YYY interfaces
  – X = Tunnel Number <1 or 2>
  – YYY = VpnConnectionProfileId 000, 001, …, 200
  – Tun10001, Tun20001, Tun10002, Tun20002, ...
• And Lo10YYY interface with /23 for the VPC
  – Lo10001, Lo10002, …, Lo10200
• Crypto fully pre-configured with predictable PSK's
  – test001, test002, …, test200
• BGP fully configured
  – Using bgp listen ranges to emulate AWS passive connectivity
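The IP Addressing Plan table and the lab naming scheme above both step predictably with the VpnConnectionProfileId, which is what makes 200 VPNs automatable at all. The following Python is an added example, not the presenter's script or anything from the lab repository: it derives one profile's addressing-plan row and the object names that the appendix configuration builds from its <001> and <1> placeholders. The per-profile stride (512 addresses per VPC /23, 4 addresses per inside /30, one host per CustomerGatewayIpAddress) is inferred from rows 1 to 3 and 200 of the table, the route-map sequence number 10000 + profile ID is inferred from the single `permit 10001` entry in the appendix, and the two /16 supernets come from the design-decision slide.

```python
# Added example (not from the presentation or the lab repo): derives the
# addressing-plan row and configuration object names for a VpnConnectionProfileId.
# Base values are read from row 1 of the slides' table; the fixed stride per
# profile is an inference from the rows shown, not something the slides state.
import ipaddress

PROFILE_MIN, PROFILE_MAX = 1, 200

VPC_BASE = ipaddress.ip_network("10.65.0.0/23")                 # row 1 VpcCidr
CGW_BASE = {1: ipaddress.ip_address("172.16.76.0"),            # CGW IP = base + profile id
            2: ipaddress.ip_address("172.16.77.0")}
INSIDE_BASE = {1: ipaddress.ip_network("169.254.248.0/30"),   # row 1 VpnInsideIpCidr
               2: ipaddress.ip_network("169.254.252.0/30")}
SUPERNETS = [ipaddress.ip_network("10.65.0.0/16"),            # "2 x /16 for planned 200 VPCs"
             ipaddress.ip_network("10.66.0.0/16")]


def profile_row(profile_id: int) -> dict:
    """Return the addressing-plan row for one VpnConnectionProfileId."""
    if not PROFILE_MIN <= profile_id <= PROFILE_MAX:
        raise ValueError(f"profile id {profile_id} outside {PROFILE_MIN}..{PROFILE_MAX}")
    n = profile_id - 1
    # /23 blocks advance by 512 addresses; /30 inside blocks advance by 4.
    vpc = ipaddress.ip_network((int(VPC_BASE.network_address) + n * VPC_BASE.num_addresses, 23))
    row = {"VpnConnectionProfileId": profile_id, "VpcCidr": str(vpc)}
    for tun in (1, 2):
        inside = ipaddress.ip_network((int(INSIDE_BASE[tun].network_address) + n * 4, 30))
        row[f"CustomerGatewayIpAddress (Tunnel {tun})"] = str(CGW_BASE[tun] + profile_id)
        row[f"VpnInsideIpCidr (Tunnel {tun})"] = str(inside)
    return row


def config_names(profile_id: int, tunnel: int) -> dict:
    """Names the appendix config derives from <001>/<1>, plus the two inside
    addresses used by the tunnel interface and the BGP neighbor statement."""
    if tunnel not in (1, 2):
        raise ValueError("tunnel must be 1 or 2")
    row = profile_row(profile_id)
    yyy = f"{profile_id:03d}"
    inside = ipaddress.ip_network(row[f"VpnInsideIpCidr (Tunnel {tunnel})"])
    hosts = list(inside.hosts())  # .1 = AWS side (BGP neighbor), .2 = CSR side
    return {
        "tunnel_interface": f"Tunnel{tunnel}0{yyy}",
        "loopback_interface": f"Loopback{tunnel}0{yyy}",
        "keyring": f"keyring-vpn-research-vpc{yyy}-tun{tunnel}",
        "isakmp_profile": f"isakmp-vpn-research-vpc{yyy}-tun{tunnel}",
        "ipsec_profile": f"ipsec-vpn-research-vpc{yyy}-tun{tunnel}",
        "transform_set": f"ipsec-prop-vpn-research-vpc{yyy}-tun{tunnel}",
        "vpc_prefix_list": f"AWS_RESEARCH_VPC_{yyy}",
        "next_hop_prefix_list": f"AWS_RESEARCH_VPC_{yyy}_NEXT_HOP",
        "bgp_neighbor": str(hosts[0]),        # <VpnInsideIpCidr + 1>
        "tunnel_ip": str(hosts[1]),           # <VpnInsideIpCidr + 2>
        "route_map_seq": 10000 + profile_id,  # inferred from "permit 10001"
    }


def plan_fits_supernets() -> bool:
    """True if every planned /23 lies inside the reserved /16s and no two VPCs
    share a block; a cheap guard to run before generating 200 configs."""
    cidrs = [ipaddress.ip_network(profile_row(i)["VpcCidr"])
             for i in range(PROFILE_MIN, PROFILE_MAX + 1)]
    inside = all(any(c.subnet_of(s) for s in SUPERNETS) for c in cidrs)
    return inside and len(set(cidrs)) == len(cidrs)


if __name__ == "__main__":
    for pid in (1, 2, 3, 200):
        print(profile_row(pid))
    print(config_names(1, 1))
    print("plan fits supernets:", plan_fits_supernets())
```

Running it reproduces rows 1, 2, 3 and 200 of the table exactly, which is the check worth keeping in a generator: if a future change to the base blocks or stride breaks the derivation, the mismatch against the published plan is caught before a tunnel is built with the wrong inside address.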

Demonstration

• VPN Operations via NETCONF
  – Python script using ncclient
• Script overview
  – Add
  – Status
  – Delete
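The demo script itself is not reproduced on the slides. The block below is an added Python example of the Add / Status / Delete operations, not the presenter's code: it builds the NETCONF payloads for one tunnel and parses the status reply, with ncclient used only on an optional live path. It assumes the pre-configured tunnel is enabled or disabled by deleting or merging the `shutdown` leaf under `native/interface/Tunnel` in the Cisco-IOS-XE-native model, that operational state is read from ietf-interfaces-state, and the reply it parses offline is constructed rather than captured from a device.

```python
# Added example (not the presenter's ncclient script): NETCONF payloads for the
# Add / Status / Delete operations on one pre-configured tunnel, plus a parser
# for the status reply. The YANG paths are assumptions, see the lead-in.
import xml.etree.ElementTree as ET

NC_BASE = "urn:ietf:params:xml:ns:netconf:base:1.0"
XE_NATIVE = "http://cisco.com/ns/yang/Cisco-IOS-XE-native"   # assumed model path
IETF_IF = "urn:ietf:params:xml:ns:yang:ietf-interfaces"


def tunnel_number(profile_id: int, tunnel: int) -> str:
    """Numeric part of Tunnel<X>0<YYY>: profile 1, tunnel 1 -> "10001"."""
    if tunnel not in (1, 2) or not 1 <= profile_id <= 200:
        raise ValueError("tunnel must be 1 or 2 and profile id 1..200")
    return f"{tunnel}0{profile_id:03d}"


def tunnel_name(profile_id: int, tunnel: int) -> str:
    return "Tunnel" + tunnel_number(profile_id, tunnel)


def build_tunnel_edit(profile_id: int, tunnel: int, enable: bool) -> str:
    """edit-config body: Add deletes the shutdown leaf, Delete merges it back.
    Only the one leaf is touched; the rest of the tunnel stays pre-configured."""
    op = "delete" if enable else "merge"
    return (
        f'<config xmlns="{NC_BASE}" xmlns:nc="{NC_BASE}">'
        f'<native xmlns="{XE_NATIVE}"><interface><Tunnel>'
        f"<name>{tunnel_number(profile_id, tunnel)}</name>"
        f'<shutdown nc:operation="{op}"/>'
        "</Tunnel></interface></native></config>"
    )


def build_status_filter(profile_id: int, tunnel: int) -> str:
    """Subtree filter for a <get> of the tunnel's oper-status only."""
    return (
        f'<filter><interfaces-state xmlns="{IETF_IF}"><interface>'
        f"<name>{tunnel_name(profile_id, tunnel)}</name><oper-status/>"
        "</interface></interfaces-state></filter>"
    )


def parse_oper_status(reply_xml: str) -> dict:
    """Map interface name -> oper-status from an ietf-interfaces-state reply."""
    root = ET.fromstring(reply_xml)
    ns = {"if": IETF_IF}
    return {
        i.findtext("if:name", namespaces=ns): i.findtext("if:oper-status", namespaces=ns)
        for i in root.iter(f"{{{IETF_IF}}}interface")
    }


def tunnel_status(reply_xml: str, profile_id: int, tunnel: int) -> str:
    """'up', 'down', or 'absent' when the device returned no such interface."""
    return parse_oper_status(reply_xml).get(tunnel_name(profile_id, tunnel), "absent")


# Constructed sample reply (not captured from a device).
SAMPLE_REPLY = f"""<rpc-reply xmlns="{NC_BASE}" message-id="1"><data>
<interfaces-state xmlns="{IETF_IF}">
<interface><name>Tunnel10001</name><oper-status>up</oper-status></interface>
<interface><name>Tunnel20001</name><oper-status>down</oper-status></interface>
</interfaces-state></data></rpc-reply>"""


def run_against_device(host, user, password, profile_id, tunnel, action):
    """Optional live path over NETCONF/SSH port 830 using ncclient (assumed
    installed). Host-key verification is left enabled on purpose."""
    from ncclient import manager
    with manager.connect(host=host, port=830, username=user, password=password,
                         hostkey_verify=True, device_params={"name": "iosxe"}) as m:
        if action == "status":
            reply = m.get(build_status_filter(profile_id, tunnel))
            return tunnel_status(reply.data_xml, profile_id, tunnel)
        if action not in ("add", "delete"):
            raise ValueError("action must be add, status or delete")
        m.edit_config(target="running",
                      config=build_tunnel_edit(profile_id, tunnel, action == "add"))
        return "ok"


if __name__ == "__main__":
    print(build_tunnel_edit(1, 1, enable=True))
    print(tunnel_status(SAMPLE_REPLY, 1, 2))   # prints "down" for the sample
```

Keeping the edit-config to a single leaf matches the deployment notes later in the deck: most of the keyring, ISAKMP profile and tunnel configuration is pre-staged because the YANG model does not cover it, so the dynamic step is deliberately small and the blast radius of a bad payload is one interface. Status is read with a narrow subtree filter rather than a full `<get>`, which keeps the reply small enough to compare across all 200 tunnels.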

References
• Emory AWS VPN CSR1000v Lab Repo
  – https://bitbucket.org/jbkinca/emory-aws-vpn-csr1000v-lab/src/master/
• Emory AWS VPN CSR1000v Lab Documentation
  – https://bitbucket.org/jbkinca/emory-aws-vpn-csr1000v-lab/wiki/Home
• AWS Managed VPN Connections
  – https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
• Yang models
  – https://github.com/YangModels/yang
• ncclient
  – https://github.com/ncclient/ncclient/wiki
• Yang Explorer
  – https://github.com/CiscoDevNet/yang-explorer
• Tail-f Java NETCONF Client (JNC)
  – https://github.com/tail-f-systems/JNC

Answer Period

Questions

Appendix

Emory AWS VPN Connectivity – Type 1 VPC

Tunnel Details

! NETCONF Config
!
! Block access from the CLI to sections controlled via NETCONF
netconf-yang cisco-ia blocking cli-blocking-enabled
netconf-yang cisco-ia blocking network-element-command "^interface Tunnel[12]0[0-9][0-9][0-9]"
netconf-yang cisco-ia blocking network-element-command "^no interface Tunnel[12]0[0-9][0-9][0-9]"
netconf-yang cisco-ia blocking network-element-command "^crypto keyring keyring-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^default interface Tunnel[12]0[0-9][0-9][0-9]"
netconf-yang cisco-ia blocking network-element-command "^no crypto keyring keyring-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^crypto ipsec profile ipsec-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^crypto isakmp profile isakmp-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^no crypto ipsec profile ipsec-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^no crypto isakmp profile isakmp-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^crypto ipsec transform-set ipsec-prop-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^no crypto ipsec transform-set ipsec-prop-vpn-research-vpc.*"
...
! Enable NETCONF via SSH port 830
! Assumes AAA/SSH/etc. are properly configured
! NOTE: SSH/vty ACLs do not get applied to port 830 as of this code version
netconf-yang
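A CLI blocklist is only as good as its patterns, so before turning on cli-blocking-enabled an operator wants to see which CLI lines it actually catches. The Python below is an added example, not part of the presentation: it loads the network-element-command patterns from the config above and audits them against constructed sample commands, reporting anything the automation owns that would still be editable from the CLI and anything unrelated that would be blocked by accident. It assumes IOS XE treats each pattern string as a regular expression matched from the start of the command line, as the leading ^ in every entry suggests.

```python
# Added example (not from the presentation): audits the "netconf-yang cisco-ia
# blocking network-element-command" patterns against sample CLI lines so the
# blocklist can be reviewed before it is enabled. Regex semantics are assumed.
import re

# Patterns copied verbatim from the NETCONF Config appendix, one per blocking line.
BLOCKED_COMMAND_PATTERNS = [
    r"^interface Tunnel[12]0[0-9][0-9][0-9]",
    r"^no interface Tunnel[12]0[0-9][0-9][0-9]",
    r"^default interface Tunnel[12]0[0-9][0-9][0-9]",
    r"^crypto keyring keyring-vpn-research-vpc.*",
    r"^no crypto keyring keyring-vpn-research-vpc.*",
    r"^crypto ipsec profile ipsec-vpn-research-vpc.*",
    r"^crypto isakmp profile isakmp-vpn-research-vpc.*",
    r"^no crypto ipsec profile ipsec-vpn-research-vpc.*",
    r"^no crypto isakmp profile isakmp-vpn-research-vpc.*",
    r"^crypto ipsec transform-set ipsec-prop-vpn-research-vpc.*",
    r"^no crypto ipsec transform-set ipsec-prop-vpn-research-vpc.*",
]
COMPILED = [re.compile(p) for p in BLOCKED_COMMAND_PATTERNS]


def blocking_pattern_for(command: str):
    """Return the first pattern that blocks the CLI line, or None if it passes."""
    for pat in COMPILED:
        if pat.search(command):
            return pat.pattern
    return None


def audit_blocklist(expected_blocked, expected_allowed) -> dict:
    """Report commands whose treatment differs from the operator's intent.
    An empty report means the blocklist matches the sections NETCONF owns."""
    return {
        "unexpectedly_allowed": [c for c in expected_blocked if blocking_pattern_for(c) is None],
        "unexpectedly_blocked": [c for c in expected_allowed if blocking_pattern_for(c) is not None],
    }


# Constructed sample lines: everything the automation owns (tunnels, per-VPN
# crypto) should be blocked; unrelated interfaces and global crypto should not.
SHOULD_BLOCK = [
    "interface Tunnel10001",
    "no interface Tunnel20200",
    "default interface Tunnel10042",
    "crypto keyring keyring-vpn-research-vpc001-tun1 vrf AWS",
    "crypto isakmp profile isakmp-vpn-research-vpc001-tun1",
    "no crypto ipsec transform-set ipsec-prop-vpn-research-vpc001-tun1",
]
SHOULD_ALLOW = [
    "interface Loopback10001",
    "interface Tunnel30001",          # tunnel number 3 is outside [12]
    "crypto isakmp policy 10000",     # global policy stays CLI-manageable
    "ip route vrf AWS 10.0.0.0 255.0.0.0 Null0 254",
]


if __name__ == "__main__":
    report = audit_blocklist(SHOULD_BLOCK, SHOULD_ALLOW)
    for key, lines in report.items():
        print(key, lines or "none")
```

Because the Tunnel patterns carry no trailing anchor, a line such as `interface Tunnel100011` also matches; for a blocklist that over-matching is the safe direction, and the audit makes it visible rather than surprising. Note what the audit does not cover: it says nothing about who can reach port 830, which the appendix comment flags as outside the vty ACLs on this software version, so that exposure has to be controlled at the network edge instead.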

! VPN Config
! RED = Pre-configured / GREEN = configured dynamically by NETCONF
!
! Global crypto parameters
crypto isakmp keepalive 10 10
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear
!
crypto isakmp policy 10000
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
 lifetime 28800
!
! Crypto for all 200 VPNs are defined here - only 1 shown for brevity
crypto keyring keyring-vpn-research-vpc<001>-tun<1> vrf AWS
 description <VpcId>
 local-address <CustomerGatewayIpAddress> AWS
 pre-shared-key address <RemoteVpnIp> key <PresharedKey>
!
crypto isakmp profile isakmp-vpn-research-vpc<001>-tun<1>
 description <VpcId>
 vrf AWS
 keyring keyring-vpn-research-vpc<001>-tun<1>
 match identity address 169.254.0.1 255.255.255.255 AWS
 match identity address <RemoteVpnIpAddress> 255.255.255.255 AWS
 local-address <CustomerGatewayIpAddress> AWS
!

! VPN Config - Continued
! RED = Pre-configured / GREEN = configured dynamically by NETCONF
!
crypto ipsec transform-set ipsec-prop-vpn-research-vpc<001>-tun<1> esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile ipsec-vpn-research-vpc<001>-tun<1>
 description <VpcId>
 set transform-set ipsec-prop-vpn-research-vpc<001>-tun<1>
 set pfs group2
!
! All 200 tunnel interfaces are defined here - only 1 shown for brevity
interface Tunnel<1>0<001>
 description <VpcId>
 vrf forwarding AWS
 ip address <VpnInsideIpCidr + 2> 255.255.255.252
 ip tcp adjust-mss 1387
 tunnel source <CustomerGatewayIpAddress>
 tunnel mode ipsec ipv4
 tunnel destination <RemoteVpnIpAddress>
 tunnel vrf AWS
 tunnel protection ipsec profile ipsec-vpn-research-vpc<001>-tun<1>
 ip virtual-reassembly
 <no> shutdown
!

VPN Config Notes

• The "local-address" directive does not yet have full YANG model support
  – VRF is missing
  – For this reason crypto "keyring" & "isakmp profile" are mostly pre-configured
• A bogus/unused "match identity" for address 169.254.0.1 is configured for all "isakmp profiles"
  – Required in order to assign a "keyring" as part of pre-config
• For tunnel interfaces, "ip virtual-reassembly" is not modeled in YANG
  – For this reason, tunnel interfaces are mostly pre-configured

! Routing Config
! RED = Pre-configured / GREEN = configured dynamically by NETCONF
!
! Define VRF
vrf definition AWS
 rd 3512:853
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
! Null routes for BGP advertisement
ip route vrf AWS 10.0.0.0 255.0.0.0 Null0 254
ip route vrf AWS 163.246.0.0 255.255.0.0 Null0 254
ip route vrf AWS 170.140.0.0 255.255.0.0 Null0 254
ip route vrf AWS 172.16.0.0 255.240.0.0 Null0 254
ip route vrf AWS 192.168.0.0 255.255.0.0 Null0 254
!
! All 200 loopbacks are defined here - only 1 shown for brevity
interface Loopback<1>0<001>
 description VPC<001> Tunnel<1> VPN Endpoint
 vrf forwarding AWS
 ip address <CustomerGatewayIpAddress> 255.255.255.255
!

! Routing Config - Continued
! RED = Pre-configured / GREEN = configured dynamically by NETCONF
!
ip prefix-list EMORY_ROUTES seq 10 permit 163.246.0.0/16
ip prefix-list EMORY_ROUTES seq 20 permit 170.140.0.0/16
ip prefix-list EMORY_ROUTES seq 30 permit 10.0.0.0/8
ip prefix-list EMORY_ROUTES seq 40 permit 172.16.0.0/12
ip prefix-list EMORY_ROUTES seq 50 permit 192.168.0.0/16
ip prefix-list EMORY_ROUTES seq 60 permit 0.0.0.0/0
!
route-map TO_AWS_RESEARCH_VPCs permit 10
 match ip address prefix-list EMORY_ROUTES
 set as-path prepend 3512 3512
 set community no-export additive
!
! All 200 prefix lists are defined here - only 1 is shown for brevity
ip prefix-list AWS_RESEARCH_VPC_001 seq 5 permit 10.65.0.0/23
ip prefix-list AWS_RESEARCH_VPC_001_NEXT_HOP seq 5 permit 169.254.248.1/32
!
! All 200 policy lists are defined here - only one shown for brevity
ip policy-list AWS_RESEARCH_VPC_001_NEXT_HOP permit
 match ip route-source prefix-list AWS_RESEARCH_VPC_001_NEXT_HOP
!
! This route-map has 200 sequence numbers - only one shown for brevity
route-map FROM_AWS_RESEARCH_VPCs permit 10001
 match ip address prefix-list AWS_RESEARCH_VPC_001
 match policy-list AWS_RESEARCH_VPC_001_NEXT_HOP
!

! Routing Config – Continued
! RED = Pre-configured / GREEN = configured dynamically by NETCONF
!
router bgp 3512
 bgp router-id 10.255.0.104
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf AWS
  network 0.0.0.0
  network 10.0.0.0
  network 163.246.0.0
  network 170.140.0.0
  network 172.16.0.0 mask 255.240.0.0
  network 192.168.0.0 mask 255.255.0.0
  neighbor AWS_RESEARCH_VPCs peer-group
  neighbor AWS_RESEARCH_VPCs remote-as 65533
  neighbor AWS_RESEARCH_VPCs description AWS Research VPCs via IPSEC VPN
  neighbor AWS_RESEARCH_VPCs timers 10 30 30
  neighbor AWS_RESEARCH_VPCs soft-reconfiguration inbound
  neighbor AWS_RESEARCH_VPCs route-map FROM_AWS_RESEARCH_VPCs in
  neighbor AWS_RESEARCH_VPCs route-map TO_AWS_RESEARCH_VPCs out
  ! All 200 neighbors are defined in this section - only 1 shown for brevity
  neighbor <VpnInsideIpCidr + 1> peer-group AWS_RESEARCH_VPCs
  neighbor <VpnInsideIpCidr + 1> description <VpcId>
  neighbor <VpnInsideIpCidr + 1> activate
 exit-address-family
!

Routing Config Notes

• Default route is already present in IGP, so no null route needed
• Type 1 receives all 6 routes, but technically only needs default
  – Other 5 discrete routes are for Type 2
• Route-map "FROM_AWS_RESEARCH_VPCs" ties "route-source" to correct /23 for that VPC
  – Prevents reception of incorrect routes from VPC
  – Mostly applies to Type 2 VPC's
  – If AWS add-on CIDR feature is used, automation must be implemented to update allowed prefix list
