Internet2 media library · 10/18/2018 · Transcript
Yang Explorer
https://github.com/CiscoDevNet/yang-explorer

Features
• Upload / compile YANG models from user interface or command line
• Build NETCONF RPC
• Generate Python example code [new]
• Search YANG xpaths [new]
• Execute RPC against real NETCONF server
• Save created RPCs to collections for later use
• Build dependency graph for models
• Browse data model tree and inspect YANG properties
RESTCONF support is experimental
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
• When a client is authorized with any privilege level, the client is automatically mapped to a NACM group (PRIV00 – PRIV15)
Privilege Level maps to NACM group

Privilege Level   NACM Group
0                 PRIV00
1                 PRIV01
2                 PRIV02
3                 PRIV03
4                 PRIV04
5                 PRIV05
6                 PRIV06
7                 PRIV07
8                 PRIV08
9                 PRIV09
10                PRIV10
11                PRIV11
12                PRIV12
13                PRIV13
14                PRIV14
15                PRIV15 (admin)
Feb 16 13:56:20.635: %DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'admin' authenticated successfully from 5.28.30.36:50390 and was authorized for netconf over ssh. External groups: PRIV15
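The %DMI-5-AUTH_PASSED message above is what a defender has to work with to see who is reaching the NETCONF interface and with which NACM group. The following parser is an added example, not code from the deck: it extracts user, source address and external groups from such lines, turns the PRIVxx group back into a privilege level, and flags PRIV15 (admin) NETCONF sessions from addresses outside an allow-list. The first sample line is the one on the slide; the others, the allow-list and the rule itself are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Message layout taken from the %DMI-5-AUTH_PASSED line on the slide.
AUTH_PASSED_RE = re.compile(
    r"%DMI-5-AUTH_PASSED: .*?User '(?P<user>[^']+)' authenticated successfully "
    r"from (?P<src_ip>[\d.]+):(?P<src_port>\d+) and was authorized for "
    r"(?P<service>[\w ]+?)\. External groups: (?P<groups>.+)$"
)
# NACM group names PRIV00..PRIV15 map 1:1 to privilege levels (table above).
NACM_GROUP_RE = re.compile(r"^PRIV(\d{2})$")


@dataclass
class NetconfAuthEvent:
    user: str
    src_ip: str
    src_port: int
    service: str
    groups: List[str]

    @property
    def privilege_level(self) -> Optional[int]:
        """Highest privilege level implied by the PRIVxx groups, or None."""
        levels = []
        for g in self.groups:
            m = NACM_GROUP_RE.match(g)
            if m:
                levels.append(int(m.group(1)))
        return max(levels) if levels else None


def parse_auth_passed(line: str) -> Optional[NetconfAuthEvent]:
    """Parse one syslog line; None if it is not an AUTH_PASSED message."""
    m = AUTH_PASSED_RE.search(line)
    if not m:
        return None
    return NetconfAuthEvent(
        user=m["user"], src_ip=m["src_ip"], src_port=int(m["src_port"]),
        service=m["service"].strip(), groups=m["groups"].split(),
    )


def admin_netconf_logins(lines, allowed_sources=()) -> List[NetconfAuthEvent]:
    """Constructed detection rule: PRIV15 clients authorized for NETCONF from
    an address that is not in allowed_sources (e.g. the automation host)."""
    flagged = []
    for line in lines:
        ev = parse_auth_passed(line)
        if ev is None or ev.privilege_level != 15:
            continue
        if ev.service.startswith("netconf") and ev.src_ip not in allowed_sources:
            flagged.append(ev)
    return flagged


# Constructed sample log; only the first line is taken from the slide.
SAMPLE_LOG = [
    "Feb 16 13:56:20.635: %DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'admin' authenticated successfully from 5.28.30.36:50390 and was authorized for netconf over ssh. External groups: PRIV15",
    "Feb 16 13:58:01.120: %DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'automation' authenticated successfully from 192.0.2.10:41122 and was authorized for netconf over ssh. External groups: PRIV15",
    "Feb 16 14:01:44.009: %DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'readonly' authenticated successfully from 198.51.100.7:50001 and was authorized for netconf over ssh. External groups: PRIV01",
    "Feb 16 14:02:10.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    for ev in admin_netconf_logins(SAMPLE_LOG, allowed_sources=("192.0.2.10",)):
        print(f"admin NETCONF login: {ev.user} from {ev.src_ip}:{ev.src_port} groups={ev.groups}")
```

Because the deck notes that vty ACLs are not applied to port 830 on this code version, a log-side check like this is one of the few places the source address of a NETCONF session is visible; the allow-list should be the automation host(s) only.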
(Diagram: Rule 1, Rule 2, Rule 3)
Emory AWS Automation
• Decision made to automate connectivity to research VPCs
– IPSEC VPN
– Emory Elastic IP, i.e. 1:1 static NAT
Key Design Decisions
• VPC CIDR size?
– Decision - /23 (512 addresses)
– New add-on CIDR feature heavy influence
• How many VPCs?
– Decision – 200
• How much RFC1918 IP Space?
– 2 x /16 for planned 200 VPCs
– 2 x /16 additional reserved for future expansion
• Platform?
– Decision – Cisco ASR1002-HX
IP Addressing Plan

VpnConnectionProfileId  VpcCidr          CustomerGatewayIpAddress (Tunnel 1)  VpnInsideIpCidr (Tunnel 1)  CustomerGatewayIpAddress (Tunnel 2)  VpnInsideIpCidr (Tunnel 2)
1                       10.65.0.0/23     172.16.76.1                          169.254.248.0/30            172.16.77.1                          169.254.252.0/30
2                       10.65.2.0/23     172.16.76.2                          169.254.248.4/30            172.16.77.2                          169.254.252.4/30
3                       10.65.4.0/23     172.16.76.3                          169.254.248.8/30            172.16.77.3                          169.254.252.8/30
...                     ...              ...                                  ...                         ...                                  ...
200                     10.66.142.0/23   172.16.76.200                        169.254.251.28/30           172.16.77.200                        169.254.255.28/30
• 26k addresses remaining to be used as add-on CIDR
• NAT/PAT also provisioned for these address blocks on-prem
– Each block of /21 receives a public IP (2048:1 oversubscribed)
– /26 public in use, /26 in reserve
• 1:1 Static NAT, i.e. Emory Elastic IP Service
– /23 allocated, or 2.56 IPs/VPC
• 2 x /24s assigned for Emory CustomerGatewayIpAddress
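The addressing plan above is a pure function of the VpnConnectionProfileId: the VPC /23 blocks, the /30 tunnel inside blocks and the CustomerGateway addresses all step in lockstep. The following generator is an added example, not the deck's or the lab repo's code; it derives each row from the three base values in the table, also emits the per-tunnel addresses the appendix configs use (`<VpnInsideIpCidr + 2>` on the tunnel interface, `<VpnInsideIpCidr + 1>` as the BGP neighbor), produces the two per-VPC prefix-list lines of the routing config, and sanity-checks the whole plan for overlap. Base values are from the table; the function and key names are mine.

```python
import ipaddress

# Base values taken from the first row of the addressing plan; all else is derived.
VPC_BASE = ipaddress.ip_network("10.65.0.0/23")
SUPERNETS = [ipaddress.ip_network("10.65.0.0/16"), ipaddress.ip_network("10.66.0.0/16")]
CGW_BASE = {1: ipaddress.ip_address("172.16.76.0"), 2: ipaddress.ip_address("172.16.77.0")}
INSIDE_BASE = {1: ipaddress.ip_network("169.254.248.0/30"), 2: ipaddress.ip_network("169.254.252.0/30")}
MAX_PROFILE_ID = 200


def _nth_block(base: ipaddress.IPv4Network, n: int) -> ipaddress.IPv4Network:
    """n-th consecutive block of the same size as base (n = 0 is base itself)."""
    start = int(base.network_address) + n * base.num_addresses
    return ipaddress.IPv4Network((start, base.prefixlen))


def plan_entry(profile_id: int) -> dict:
    """One row of the plan plus the per-tunnel values the configs derive from it:
    CGW side of the /30 is inside +2, the AWS/BGP side is inside +1."""
    if not 1 <= profile_id <= MAX_PROFILE_ID:
        raise ValueError(f"profile id must be 1..{MAX_PROFILE_ID}")
    n = profile_id - 1
    entry = {"profile_id": profile_id, "vpc_cidr": str(_nth_block(VPC_BASE, n))}
    for t in (1, 2):
        inside = _nth_block(INSIDE_BASE[t], n)
        entry[f"cgw_ip_tunnel{t}"] = str(CGW_BASE[t] + profile_id)
        entry[f"inside_cidr_tunnel{t}"] = str(inside)
        entry[f"aws_bgp_peer_tunnel{t}"] = str(inside[1])   # neighbor <VpnInsideIpCidr + 1>
        entry[f"cgw_tunnel_ip_tunnel{t}"] = str(inside[2])  # ip address <VpnInsideIpCidr + 2>
    return entry


def prefix_list_lines(profile_id: int) -> list:
    """The per-VPC prefix-list pair from the routing config appendix. Only the
    tunnel 1 BGP peer appears there, so only that /32 is emitted."""
    e = plan_entry(profile_id)
    name = f"AWS_RESEARCH_VPC_{profile_id:03d}"
    return [
        f"ip prefix-list {name} seq 5 permit {e['vpc_cidr']}",
        f"ip prefix-list {name}_NEXT_HOP seq 5 permit {e['aws_bgp_peer_tunnel1']}/32",
    ]


def check_plan() -> bool:
    """All 200 VPC blocks distinct and inside the two /16s; no tunnel /30 reused
    across VPCs or between tunnel 1 and tunnel 2."""
    vpcs, insides = [], []
    for pid in range(1, MAX_PROFILE_ID + 1):
        e = plan_entry(pid)
        vpcs.append(ipaddress.ip_network(e["vpc_cidr"]))
        insides += [ipaddress.ip_network(e[f"inside_cidr_tunnel{t}"]) for t in (1, 2)]
    if len(set(vpcs)) != MAX_PROFILE_ID or len(set(insides)) != 2 * MAX_PROFILE_ID:
        return False
    return all(any(v.subnet_of(s) for s in SUPERNETS) for v in vpcs)


if __name__ == "__main__":
    for pid in (1, 2, 3, 200):
        print(plan_entry(pid))
    print("\n".join(prefix_list_lines(1)))
    print("plan consistent:", check_plan())
```

Generating both the plan and the prefix-list lines from one source of truth is what makes the route-source check in the routing config trustworthy: the /23 and the /32 that the route-map ties together for VPC 001 come from the same row.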
Automation = YES, but how to safely test/dev?
• Production environment
– NO GOOD!
• Physical Lab
– Used for staging changes, upgrades, regression testing, etc.
– Not a stable environment for development
– NO GOOD!
• CSR1000v Virtual Lab
– Dedicated environment
– Easy to reset
– Good analog: same code/config as production
– WINNER!
Virtual Test / Dev Environment
• Virtual Lab
– Linux KVM
• vSwitch for interconnections
– KVM host serves as CSR management and API access
– 4 x CSR1000v's
• 2 emulating Emory's border/edge routers
• 1 serving as generic IP Transit, i.e. Internet/Internet2
• 1 emulating 200 x AWS VPCs
• Same code/config as production hardware
– Cisco IOS XE Software, Version 16.06.02
– Dedicated for use by developers
– https://bitbucket.org/jbkinca/emory-aws-vpn-csr1000v-lab/src/master/
Emory CSR1000v Lab for Dev/Test
Lab Setup – AWS Side
• 200 x i-VRFs, each representing a VPC
– 001, 002, …, 200
• All using same f-VRF IP as VPN termination
– Internet-vrf
• Each i-VRF has a pair of TunX0YYY interfaces
– X = Tunnel Number <1 or 2>
– YYY = VpnConnectionProfileId 000, 001, …, 200
– Tun10001, Tun20001, Tun10002, Tun20002, ...
• And Lo10YYY interface with /23 for the VPC
– Lo10001, Lo10002, …, Lo10200
• Crypto fully pre-configured with predictable PSKs
– test001, test002, …, test200
• BGP fully configured
– Using bgp listen ranges to emulate AWS passive connectivity
Demonstration
• VPN Operations via NETCONF
– Python script using ncclient
• Script overview
• Add
• Status
• Delete
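The demonstration drives the three VPN operations (add, status, delete) through ncclient. The script below is an added example of that shape, not the deck's demo script: the NETCONF payloads are built by pure functions that can be inspected and tested offline, and only `run()` touches a device. The Tunnel<1|2>0<001..200> numbering, the `<VpcId>` description and the `<no> shutdown` / `ip address` leaves come from the appendix; the exact Cisco-IOS-XE-native XML layout for those leaves is an assumption on my part, while the `ietf-interfaces` oper-status filter is the standard model. The sample `<data>` reply is constructed.

```python
import xml.etree.ElementTree as ET
from typing import Optional

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
NATIVE_NS = "http://cisco.com/ns/yang/Cisco-IOS-XE-native"  # assumed layout of the Tunnel leaves
IETF_IF_NS = "urn:ietf:params:xml:ns:yang:ietf-interfaces"


def tunnel_if_number(tunnel: int, profile_id: int) -> str:
    """Tunnel<1|2>0<001..200> numbering used by the lab."""
    if tunnel not in (1, 2) or not 1 <= profile_id <= 200:
        raise ValueError("tunnel must be 1 or 2, profile id 1..200")
    return f"{tunnel}0{profile_id:03d}"


def _tunnel_config_root(tunnel: int, profile_id: int):
    """<config> skeleton down to the Tunnel list entry (assumed native-model path)."""
    config = ET.Element("config", {"xmlns": NC_NS, "xmlns:nc": NC_NS})
    native = ET.SubElement(config, "native", {"xmlns": NATIVE_NS})
    tun = ET.SubElement(ET.SubElement(native, "interface"), "Tunnel")
    ET.SubElement(tun, "name").text = tunnel_if_number(tunnel, profile_id)
    return config, tun


def build_add_config(tunnel: int, profile_id: int, vpc_id: str, inside_ip: str,
                     mask: str = "255.255.255.252") -> str:
    """'Add': description, inner /30 address and 'no shutdown' on a pre-configured
    tunnel. The shutdown leaf is removed with nc:operation="remove" rather than
    "delete", so the RPC also succeeds when the tunnel is already up."""
    config, tun = _tunnel_config_root(tunnel, profile_id)
    ET.SubElement(tun, "description").text = vpc_id
    primary = ET.SubElement(ET.SubElement(ET.SubElement(tun, "ip"), "address"), "primary")
    ET.SubElement(primary, "address").text = inside_ip
    ET.SubElement(primary, "mask").text = mask
    ET.SubElement(tun, "shutdown", {"nc:operation": "remove"})
    return ET.tostring(config, encoding="unicode")


def build_delete_config(tunnel: int, profile_id: int) -> str:
    """'Delete': shut the tunnel and drop its description. The pre-configured
    crypto and interface skeleton stays; the CLI-blocking rules protect it."""
    config, tun = _tunnel_config_root(tunnel, profile_id)
    ET.SubElement(tun, "description", {"nc:operation": "remove"})
    ET.SubElement(tun, "shutdown")
    return ET.tostring(config, encoding="unicode")


def build_status_filter(tunnel: int, profile_id: int) -> str:
    """Subtree filter for the tunnel's oper-status (ietf-interfaces)."""
    ifs = ET.Element("interfaces-state", {"xmlns": IETF_IF_NS})
    iface = ET.SubElement(ifs, "interface")
    ET.SubElement(iface, "name").text = "Tunnel" + tunnel_if_number(tunnel, profile_id)
    ET.SubElement(iface, "oper-status")
    return ET.tostring(ifs, encoding="unicode")


def parse_oper_status(reply_xml: str) -> Optional[str]:
    """oper-status text from a <get> reply, or None if the interface is absent."""
    node = ET.fromstring(reply_xml).find(f".//{{{IETF_IF_NS}}}oper-status")
    return node.text if node is not None else None


# Constructed <data> reply, as a device would answer the status filter.
SAMPLE_STATUS_REPLY = (
    f'<data xmlns="{NC_NS}"><interfaces-state xmlns="{IETF_IF_NS}">'
    "<interface><name>Tunnel10001</name><oper-status>up</oper-status></interface>"
    "</interfaces-state></data>"
)


def run(host: str, username: str, password: str, action: str, tunnel: int,
        profile_id: int, vpc_id: str = None, inside_ip: str = None):
    """Transport layer (needs a real device): ncclient over SSH port 830."""
    from ncclient import manager  # lazy import; not needed for the offline builders
    with manager.connect(host=host, port=830, username=username, password=password,
                         hostkey_verify=True, device_params={"name": "iosxe"}) as m:
        if action == "status":
            reply = m.get(filter=("subtree", build_status_filter(tunnel, profile_id)))
            return parse_oper_status(reply.data_xml)
        if action == "add":
            payload = build_add_config(tunnel, profile_id, vpc_id, inside_ip)
        elif action == "delete":
            payload = build_delete_config(tunnel, profile_id)
        else:
            raise ValueError(f"unknown action {action!r}")
        return m.edit_config(target="running", config=payload).ok


if __name__ == "__main__":
    print(build_add_config(1, 1, "vpc-constructed", "169.254.248.2"))
    print(build_status_filter(1, 1))
```

`hostkey_verify=True` keeps ncclient's known_hosts check on, which matters here because the same credentials that pass NACM as PRIV15 are being presented to the device; the builders stay independent of the transport so a change to the YANG path is a one-line fix.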
References
• Emory AWS VPN CSR1000v Lab Repo
– https://bitbucket.org/jbkinca/emory-aws-vpn-csr1000v-lab/src/master/
• Emory AWS VPN CSR1000v Lab Documentation
– https://bitbucket.org/jbkinca/emory-aws-vpn-csr1000v-lab/wiki/Home
• AWS Managed VPN Connections
– https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
• YANG models
– https://github.com/YangModels/yang
• ncclient
– https://github.com/ncclient/ncclient/wiki
• Yang Explorer
– https://github.com/CiscoDevNet/yang-explorer
• Tail-f Java NETCONF Client (JNC)
– https://github.com/tail-f-systems/JNC
Answer Period
Questions
Appendix
Emory AWS VPN Connectivity – Type 1 VPC
Tunnel Details
! NETCONF Config
!
! Block access from the CLI to sections controlled via NETCONF
netconf-yang cisco-ia blocking cli-blocking-enabled
netconf-yang cisco-ia blocking network-element-command "^interface Tunnel[12]0[0-9][0-9][0-9]"
netconf-yang cisco-ia blocking network-element-command "^no interface Tunnel[12]0[0-9][0-9][0-9]"
netconf-yang cisco-ia blocking network-element-command "^crypto keyring keyring-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^default interface Tunnel[12]0[0-9][0-9][0-9]"
netconf-yang cisco-ia blocking network-element-command "^no crypto keyring keyring-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^crypto ipsec profile ipsec-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^crypto isakmp profile isakmp-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^no crypto ipsec profile ipsec-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^no crypto isakmp profile isakmp-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^crypto ipsec transform-set ipsec-prop-vpn-research-vpc.*"
netconf-yang cisco-ia blocking network-element-command "^no crypto ipsec transform-set ipsec-prop-vpn-research-vpc.*"
...
! Enable NETCONF via SSH port 830
! Assumes AAA/SSH/etc. are properly configured
! NOTE: SSH/vty ACLs do not get applied to port 830 as of this code version
netconf-yang
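The cli-blocking patterns above are the guard rail that keeps operators from hand-editing objects the automation owns; whether they cover exactly the intended namespace is worth checking before they go live. The following audit is an added example, not part of the deck: it takes the eleven patterns as written, evaluates them against sample CLI lines with Python's `re` (assuming the device treats them as `^`-anchored regular expressions, which is how they are written), verifies that every lab tunnel interface Tunnel<1|2>0<001..200> is covered for `interface`, `no interface` and `default interface`, and shows the one edge the patterns leave open: with no `$` anchor, a name such as Tunnel100010 matches too. The sample commands are constructed.

```python
import re
from typing import Dict, List, Optional

# Patterns copied verbatim from the network-element-command lines in the config above.
BLOCKED_COMMAND_PATTERNS: List[str] = [
    r"^interface Tunnel[12]0[0-9][0-9][0-9]",
    r"^no interface Tunnel[12]0[0-9][0-9][0-9]",
    r"^crypto keyring keyring-vpn-research-vpc.*",
    r"^default interface Tunnel[12]0[0-9][0-9][0-9]",
    r"^no crypto keyring keyring-vpn-research-vpc.*",
    r"^crypto ipsec profile ipsec-vpn-research-vpc.*",
    r"^crypto isakmp profile isakmp-vpn-research-vpc.*",
    r"^no crypto ipsec profile ipsec-vpn-research-vpc.*",
    r"^no crypto isakmp profile isakmp-vpn-research-vpc.*",
    r"^crypto ipsec transform-set ipsec-prop-vpn-research-vpc.*",
    r"^no crypto ipsec transform-set ipsec-prop-vpn-research-vpc.*",
]


def blocking_pattern(command: str) -> Optional[str]:
    """First pattern that would block this CLI line, or None. Assumes the
    device matches the patterns as anchored regexes, as re.search does here."""
    for pattern in BLOCKED_COMMAND_PATTERNS:
        if re.search(pattern, command):
            return pattern
    return None


def audit_commands(commands: List[str]) -> Dict[str, bool]:
    """Map each CLI line to True (blocked) or False (still allowed from the CLI)."""
    return {cmd: blocking_pattern(cmd) is not None for cmd in commands}


def coverage_gaps(max_profile_id: int = 200) -> List[str]:
    """Lab tunnel interfaces the patterns would NOT block, for the three verbs
    the config tries to cover; an empty list means full coverage."""
    gaps = []
    for tunnel in (1, 2):
        for pid in range(1, max_profile_id + 1):
            for verb in ("", "no ", "default "):
                cmd = f"{verb}interface Tunnel{tunnel}0{pid:03d}"
                if blocking_pattern(cmd) is None:
                    gaps.append(cmd)
    return gaps


# Constructed sample of operator input. Automation-owned objects should be
# blocked; a manually managed Tunnel1 and an unrelated keyring should not.
SAMPLE_COMMANDS = [
    "interface Tunnel10001",
    "no interface Tunnel20200",
    "crypto isakmp profile isakmp-vpn-research-vpc001-tun1",
    "crypto keyring keyring-vpn-research-vpc001-tun1 vrf AWS",
    "interface Tunnel1",
    "crypto keyring keyring-partner-site",
    "interface Tunnel100010",  # outside 10001..20200 but matched: no '$' anchor
]

if __name__ == "__main__":
    for cmd, blocked in audit_commands(SAMPLE_COMMANDS).items():
        print(f"{'BLOCKED' if blocked else 'allowed'}: {cmd}")
    print("coverage gaps:", coverage_gaps() or "none")
```

The blocking list protects the configuration from the CLI side only; the NOTE in the config that vty ACLs do not apply to port 830 on this code version means reachability of the NETCONF port itself has to be constrained elsewhere (infrastructure ACLs or the management network), with the NACM mapping deciding what an authenticated client may then change.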
! VPN Config
! RED = Pre-configured / GREEN = configured dynamically by NETCONF
!
! Global crypto parameters
crypto isakmp keepalive 10 10
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear
!
crypto isakmp policy 10000
encr aes 256
hash sha256
authentication pre-share
group 2
lifetime 28800
!
! Crypto for all 200 VPNs is defined here - only 1 shown for brevity
crypto keyring keyring-vpn-research-vpc<001>-tun<1> vrf AWS
description <VpcId>
local-address <CustomerGatewayIpAddress> AWS
pre-shared-key address <RemoteVpnIp> key <PresharedKey>
!
crypto isakmp profile isakmp-vpn-research-vpc<001>-tun<1>
description <VpcId>
vrf AWS
keyring keyring-vpn-research-vpc<001>-tun<1>
match identity address 169.254.0.1 255.255.255.255 AWS
match identity address <RemoteVpnIpAddress> 255.255.255.255 AWS
local-address <CustomerGatewayIpAddress> AWS
!
! VPN Config - Continued
! RED = Pre-configured / GREEN = configured dynamically by NETCONF
!
crypto ipsec transform-set ipsec-prop-vpn-research-vpc<001>-tun<1> esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile ipsec-vpn-research-vpc<001>-tun<1>
description <VpcId>
set transform-set ipsec-prop-vpn-research-vpc<001>-tun<1>
set pfs group2
!
! All 200 tunnel interfaces are defined here - only 1 shown for brevity
interface Tunnel<1>0<001>
description <VpcId>
vrf forwarding AWS
ip address <VpnInsideIpCidr + 2> 255.255.255.252
ip tcp adjust-mss 1387
tunnel source <CustomerGatewayIpAddress>
tunnel mode ipsec ipv4
tunnel destination <RemoteVpnIpAddress>
tunnel vrf AWS
tunnel protection ipsec profile ipsec-vpn-research-vpc<001>-tun<1>
ip virtual-reassembly
<no> shutdown
!
VPN Config Notes
• The "local-address" directive does not yet have full YANG model support
– VRF is missing
– For this reason crypto "keyring" & "isakmp profile" are mostly pre-configured
• A bogus/unused "match identity" for address 169.254.0.1 is configured for all "isakmp profiles"
– Required in order to assign a "keyring" as part of pre-config
• For tunnel interfaces, "ip virtual-reassembly" is not modeled in YANG
– For this reason, tunnel interfaces are mostly pre-configured
! Routing Config
! RED = Pre-configured / GREEN = configured dynamically by NETCONF
!
! Define VRF
vrf definition AWS
rd 3512:853
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
! Null routes for BGP advertisement
ip route vrf AWS 10.0.0.0 255.0.0.0 Null0 254
ip route vrf AWS 163.246.0.0 255.255.0.0 Null0 254
ip route vrf AWS 170.140.0.0 255.255.0.0 Null0 254
ip route vrf AWS 172.16.0.0 255.240.0.0 Null0 254
ip route vrf AWS 192.168.0.0 255.255.0.0 Null0 254
!
! All 200 loopbacks are defined here - only 1 shown for brevity
interface Loopback<1>0<001>
description VPC<001> Tunnel<1> VPN Endpoint
vrf forwarding AWS
ip address <CustomerGatewayIpAddress> 255.255.255.255
!
! Routing Config - Continued
! RED = Pre-configured / GREEN = configured dynamically by NETCONF
!
ip prefix-list EMORY_ROUTES seq 10 permit 163.246.0.0/16
ip prefix-list EMORY_ROUTES seq 20 permit 170.140.0.0/16
ip prefix-list EMORY_ROUTES seq 30 permit 10.0.0.0/8
ip prefix-list EMORY_ROUTES seq 40 permit 172.16.0.0/12
ip prefix-list EMORY_ROUTES seq 50 permit 192.168.0.0/16
ip prefix-list EMORY_ROUTES seq 60 permit 0.0.0.0/0
!
route-map TO_AWS_RESEARCH_VPCs permit 10
match ip address prefix-list EMORY_ROUTES
set as-path prepend 3512 3512
set community no-export additive
!
! All 200 prefix lists are defined here - only 1 is shown for brevity
ip prefix-list AWS_RESEARCH_VPC_001 seq 5 permit 10.65.0.0/23
ip prefix-list AWS_RESEARCH_VPC_001_NEXT_HOP seq 5 permit 169.254.248.1/32
!
! All 200 policy lists are defined here - only one shown for brevity
ip policy-list AWS_RESEARCH_VPC_001_NEXT_HOP permit
match ip route-source prefix-list AWS_RESEARCH_VPC_001_NEXT_HOP
!
! This route-map has 200 sequence numbers - only one shown for brevity
route-map FROM_AWS_RESEARCH_VPCs permit 10001
match ip address prefix-list AWS_RESEARCH_VPC_001
match policy-list AWS_RESEARCH_VPC_001_NEXT_HOP
!
! Routing Config – Continued
! RED = Pre-configured / GREEN = configured dynamically by NETCONF
!
router bgp 3512
bgp router-id 10.255.0.104
bgp log-neighbor-changes
!
address-family ipv4 vrf AWS
network 0.0.0.0
network 10.0.0.0
network 163.246.0.0
network 170.140.0.0
network 172.16.0.0 mask 255.240.0.0
network 192.168.0.0 mask 255.255.0.0
neighbor AWS_RESEARCH_VPCs peer-group
neighbor AWS_RESEARCH_VPCs remote-as 65533
neighbor AWS_RESEARCH_VPCs description AWS Research VPCs via IPSEC VPN
neighbor AWS_RESEARCH_VPCs timers 10 30 30
neighbor AWS_RESEARCH_VPCs soft-reconfiguration inbound
neighbor AWS_RESEARCH_VPCs route-map FROM_AWS_RESEARCH_VPCs in
neighbor AWS_RESEARCH_VPCs route-map TO_AWS_RESEARCH_VPCs out
! All 200 neighbors are defined in this section - only 1 shown for brevity
neighbor <VpnInsideIpCidr + 1> peer-group AWS_RESEARCH_VPCs
neighbor <VpnInsideIpCidr + 1> description <VpcId>
neighbor <VpnInsideIpCidr + 1> activate
exit-address-family
!
Routing Config Notes
• Default route is already present in IGP, so no null route needed
• Type 1 receives all 6 routes, but technically only needs default
– Other 5 discrete routes are for Type 2
• Route-map "FROM_AWS_RESEARCH_VPCs" ties "route-source" to the correct /23 for that VPC
– Prevents reception of incorrect routes from VPC
– Mostly applies to Type 2 VPCs
– If AWS add-on CIDR feature is used, automation must be implemented to update the allowed prefix list
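The inbound route-map described above ANDs two conditions per sequence: the announced prefix must match the VPC's exact /23 (an IOS prefix-list entry without ge/le matches only that prefix length) and the route source must be that VPC's tunnel peer /32. The following simulation is an added example, not the deck's configuration or code, that applies those semantics to a constructed batch of BGP updates, including a VPC announcing another VPC's block, a more-specific leak, and the add-on CIDR case the last note warns about. The three policy rows follow the addressing plan; the update list and the `add_on_cidr` hook are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed policy table. Rows follow the addressing plan: the VPC /23 and the
# AWS-side tunnel 1 address (VpnInsideIpCidr + 1) that is the BGP route-source.
VPC_POLICY: Dict[str, dict] = {
    "001": {"prefixes": ["10.65.0.0/23"], "route_sources": ["169.254.248.1"]},
    "002": {"prefixes": ["10.65.2.0/23"], "route_sources": ["169.254.248.5"]},
    "003": {"prefixes": ["10.65.4.0/23"], "route_sources": ["169.254.248.9"]},
}


def _prefix_list_match(prefix: str, permitted: List[str]) -> bool:
    """prefix-list entry without ge/le: exact network and exact length only."""
    net = ipaddress.ip_network(prefix, strict=True)
    return any(net == ipaddress.ip_network(p) for p in permitted)


def from_aws_research_vpcs(prefix: str, route_source: str) -> Optional[str]:
    """Emulates route-map FROM_AWS_RESEARCH_VPCs: one sequence per VPC, each
    ANDing 'match ip address prefix-list' with the route-source policy-list.
    Returns the VPC id whose sequence permitted the update, or None (dropped)."""
    src = ipaddress.ip_address(route_source)
    for vpc_id, pol in VPC_POLICY.items():
        if _prefix_list_match(prefix, pol["prefixes"]) and \
           any(src == ipaddress.ip_address(s) for s in pol["route_sources"]):
            return vpc_id
    return None


def add_on_cidr(vpc_id: str, cidr: str) -> None:
    """Automation hook for the add-on CIDR case: extend that VPC's prefix list.
    Without this step the new block is silently dropped by the route-map."""
    VPC_POLICY[vpc_id]["prefixes"].append(str(ipaddress.ip_network(cidr)))


def filter_updates(updates: List[Tuple[str, str]]) -> List[Optional[str]]:
    """Apply the route-map to (prefix, route-source) pairs in order."""
    return [from_aws_research_vpcs(p, s) for p, s in updates]


# Constructed batch of inbound BGP updates.
SAMPLE_UPDATES: List[Tuple[str, str]] = [
    ("10.65.0.0/23", "169.254.248.1"),  # VPC 001 announcing its own /23 -> accepted
    ("10.65.2.0/23", "169.254.248.1"),  # VPC 001 announcing VPC 002's block -> dropped
    ("10.65.0.0/24", "169.254.248.1"),  # more specific than the permitted /23 -> dropped
    ("10.65.2.0/23", "169.254.248.5"),  # VPC 002, correct source -> accepted
    ("10.70.0.0/23", "169.254.248.9"),  # VPC 003 add-on CIDR, not yet permitted -> dropped
]

if __name__ == "__main__":
    for (prefix, src), verdict in zip(SAMPLE_UPDATES, filter_updates(SAMPLE_UPDATES)):
        print(f"{prefix} from {src}: {'accepted for VPC ' + verdict if verdict else 'dropped'}")
    add_on_cidr("003", "10.70.0.0/23")
    print("after add-on CIDR update:", from_aws_research_vpcs("10.70.0.0/23", "169.254.248.9"))
```

The second and third updates are the cases the note calls "incorrect routes from VPC": a peer can only inject the one /23 bound to its own tunnel address, so a misconfigured or compromised VPC cannot attract traffic for another VPC's block. The last update shows why the add-on CIDR feature needs an automation step; until the prefix list is extended, the legitimate new block is treated exactly like a leak.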