gRPC Tunnel

About gRPC Tunnel

This feature adds gRPC tunnel support to NX-OS. A gRPC tunnel is a dial-out mechanism: the switch opens a gRPC session to an external tunnel server, and the tunnel server forwards gNMI and gNOI requests back to the switch's local gRPC server over that session, so the collector does not need to initiate an inbound connection to the switch. For more information about gRPC, see gNMI-gRPC Network Management Interface.

Guidelines and Limitations

The gRPC tunnel has the following guidelines and limitations:

  • The naming convention used when assigning a target identifier to a tunnel is entirely up to the user.

  • The user is responsible for ensuring that each target identifier is unique; the tunnel server distinguishes switches by this identifier. It is recommended that an automated deployment workflow enforce target identifier uniqueness.

Configuring gRPC Tunnel

This procedure describes how to enable and configure the gRPC Tunnel.

SUMMARY STEPS

  1. configure terminal
  2. feature grpc
  3. [no] feature grpctunnel
  4. [no] grpctunnel destination

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal

Enters global configuration mode.

Step 2

feature grpc

Example:

switch(config)# feature grpc

Enables the gRPC agent, which supports the gNMI interface for dial-in.

Step 3

[no] feature grpctunnel

Example:

switch(config)# feature grpctunnel
Enables the gRPC tunnel feature. The no form of this command disables it.

Step 4

[no] grpctunnel destination

Example:

switch(config)# grpctunnel destination 1.1.1.1 port 8000 target test1 type GNMI_GNOI use-vrf management
Configures a tunnel to a tunnel server. The no form of this command removes the tunnel.
  • destination - (Type: IPv4/IPv6 address or hostname string) IP address or hostname of the tunnel server. If a hostname is given, a valid name-server configuration is required.

  • port - (Type: TCP port) Tunnel server port number.

  • target - (Type: string, 64 bytes limit) Target ID string by which the tunnel server identifies this switch. If the reserved keyword HOSTNAME is used, the switch substitutes its hostname as the target.

  • type - (Type: string, 64 bytes limit) Only GNMI_GNOI is supported in the 10.3.2F release.

  • use-vrf - (Type: string) Name of the VRF from which the switch dials out to establish the gRPC tunnel session.

  • [Optional] source-interface - (Type: interface name string) Determines the source IP address used to establish the tunnel. The switch selects the first IPv6 global unicast address on the interface; if there is none, it selects the interface's IPv4 unicast address. Only loopback and SVI interfaces are supported, and the interface must be given in short-name format, such as Lo10 or Vlan100.

  • [Optional] cert - (Type: string) Trustpoint that holds the CA certificate (chain) of the tunnel server. If not specified, the switch skips server certificate verification: whoever answers at the configured destination, or can intercept the dial-out path, is accepted as the tunnel server and can forward gNMI/gNOI requests to the switch. Configure a trustpoint for any tunnel that leaves a lab.

  • [Optional] client-cert - (Type: string) Trustpoint that holds the switch's client certificate. If specified, the switch presents this certificate and performs mutual authentication with the tunnel server.

  • [Optional] target-vrf - (Type: string) VRF used to reach the local gRPC server target. If not specified, it defaults to the use-vrf value. For example, grpctunnel ... use-vrf foo ... target-vrf bar means the switch establishes the connection to the external tunnel server in VRF foo but forwards incoming gRPC requests to the local gRPC server in VRF bar.

Configuration Examples for gRPC Tunnel

The following example configures tunnel destinations without server validation (no cert trustpoint, so the tunnel server's certificate is not verified).


switch# config t
switch(config)# grpctunnel destination 1.1.1.1 port 8000 target test1 type GNMI_GNOI use-vrf management
switch(config)# grpctunnel destination server.foo.com port 8000 target test2 type GNMI_GNOI use-vrf management

The following example configures a tunnel destination with server validation.

First, import the tunnel server's CA certificate into a trustpoint:


switch(config)# crypto ca trustpoint tunnel_server_trustpoint
switch(config-trustpoint)# crypto ca authenticate tunnel_server_trustpoint
input (cut & paste) CA certificate (chain) in PEM format;
end the input with a line containing only END OF INPUT :
-----BEGIN CERTIFICATE-----
<CA certificate body omitted>
-----END CERTIFICATE-----
END OF INPUT
Fingerprint(s): SHA1 Fingerprint=D4:9D:79:5B:8B:38:D6:50:6D:46:89:A8:C4:41:AB:C9:D9:9F:D1:66
Do you accept this certificate? [yes/no]:yes
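Before answering yes at that prompt, compare the fingerprint the switch prints with one computed independently from the CA certificate you intended to paste; if they differ, you are about to trust something other than your tunnel server's CA. The following Python is an added example, not part of this guide or of NX-OS: it computes the fingerprint in the switch's colon-separated format (SHA-1 as shown above, or SHA-256) and normalises a fingerprint copied from the terminal, which the switch may wrap across lines. The embedded PEM is a constructed placeholder whose body decodes to the bytes "abc", not a real certificate; in use, read your CA file instead.

```python
import base64
import hashlib
import re

# Constructed placeholder for demonstration only: this is NOT a real certificate.
# The base64 body "YWJj" decodes to the bytes b"abc", so the resulting digests are
# the well-known SHA-1/SHA-256 test vectors for "abc".
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first PEM certificate block in pem_text."""
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())  # drop line breaks and whitespace
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of the DER, in the switch's format."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(shown: str) -> str:
    """Normalise a fingerprint copied from a terminal: the switch may wrap it
    across lines, so strip all whitespace and upper-case the hex."""
    return "".join(shown.split()).upper()


def switch_prompt_matches(expected_pem: str, shown: str, algo: str = "sha1") -> bool:
    """True if the fingerprint the switch displayed is the fingerprint of the CA
    certificate we intended to import. Answer the trustpoint prompt on this,
    not on the prompt alone."""
    expected = fingerprint(pem_to_der(expected_pem), algo)
    return normalize_fingerprint(shown) == expected


if __name__ == "__main__":
    # In practice: SAMPLE_PEM -> open("tunnel_server_ca.pem").read(), and
    # 'shown' -> the Fingerprint(s) line copied from the switch.
    shown = "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:\nD8:9D"
    print("expected:", fingerprint(pem_to_der(SAMPLE_PEM)))
    print("accept:  ", switch_prompt_matches(SAMPLE_PEM, shown))
```

The switch prints SHA-1 only; SHA-1 is still adequate for matching a fingerprint you computed yourself from a file you control, but when the tunnel server operator hands you a fingerprint out of band, ask for SHA-256 as well and compare both.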

Then configure the tunnel destination, referencing the trustpoint, and verify the resulting object in the DME:

switch(config)# grpctunnel destination 1.1.1.1 port 8000 target test1 type GNMI_GNOI use-vrf management cert tunnel_server_trustpoint
switch(config)# show system internal dme running-config all dn sys/grpctunnel
{ 
  "grpctunnelInst": {
    "attributes": {
      "childAction": "",
      "dn": "sys/grpctunnel",
      "modTs": "2022-12-02T12:57:37.891+00:00",
      "status": ""
    },
    "children": [
      { 
        "grpctunnelTunnelMgr": {
          "attributes": {
            "childAction": "",
            "dn": "sys/grpctunnel/tunnelmgr",
            "modTs": "2022-12-02T12:57:37.891+00:00",
            "status": ""
          },
          "children": [
            { 
              "grpctunnelTunnel": {
                "attributes": {
                  "cert": "tunnel_server_trustpoint",
                  "certClient": "",
                  "childAction": "",
                  "dest": "1.1.1.1",
                  "dn": "sys/grpctunnel/tunnelmgr/tunnel-[1.1.1.1]-port-[8000]-target-[test1]-type-[GNMI_GNOI]-vrf-[management]",
                  "modTs": "2022-12-05T10:09:45.163+00:00",
                  "port": "8000",
                  "srcIf": "unspecified",
                  "status": "",
                  "targetId": "test1",
                  "targetType": "GNMI_GNOI",
                  "targetVrf": "",
                  "vrf": "management"
                }
              }
            }
          ]
        }
      }
    ]
  }
}
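The cert and certClient attributes in that output show directly whether a tunnel verifies the tunnel server and whether it presents a client certificate, so the same command is a convenient audit point. The following Python is an added example, not part of this guide or of NX-OS: it walks the DME JSON for the sys/grpctunnel subtree, collects every grpctunnelTunnel object, and flags tunnels configured without a server trustpoint (server certificate not verified) or without a client certificate (no mutual authentication). The embedded JSON is a constructed sample modelled on the output above, trimmed to the attributes the audit reads, with a second, unverified tunnel added.

```python
import json
from typing import Iterator, List, Tuple

# Constructed sample modelled on 'show system internal dme running-config all
# dn sys/grpctunnel' output, trimmed to the attributes the audit reads.
# test1 pins the server's trustpoint; test2 skips server verification.
SAMPLE_DME_JSON = """
{
  "grpctunnelInst": {
    "attributes": {"dn": "sys/grpctunnel", "status": ""},
    "children": [
      {
        "grpctunnelTunnelMgr": {
          "attributes": {"dn": "sys/grpctunnel/tunnelmgr", "status": ""},
          "children": [
            {
              "grpctunnelTunnel": {
                "attributes": {
                  "cert": "tunnel_server_trustpoint", "certClient": "",
                  "dest": "1.1.1.1", "port": "8000", "srcIf": "unspecified",
                  "targetId": "test1", "targetType": "GNMI_GNOI",
                  "targetVrf": "", "vrf": "management"
                }
              }
            },
            {
              "grpctunnelTunnel": {
                "attributes": {
                  "cert": "", "certClient": "",
                  "dest": "server.foo.com", "port": "8000", "srcIf": "unspecified",
                  "targetId": "test2", "targetType": "GNMI_GNOI",
                  "targetVrf": "", "vrf": "management"
                }
              }
            }
          ]
        }
      }
    ]
  }
}
"""

Finding = Tuple[str, str, str]  # (severity, tunnel, message)


def iter_tunnels(node) -> Iterator[dict]:
    """Walk a DME subtree (dicts of {class: {attributes, children}} and lists of
    them) and yield the attributes of every grpctunnelTunnel managed object."""
    if isinstance(node, list):
        for item in node:
            yield from iter_tunnels(item)
    elif isinstance(node, dict):
        for cls, body in node.items():
            if not isinstance(body, dict):
                continue
            if cls == "grpctunnelTunnel":
                yield body.get("attributes", {})
            yield from iter_tunnels(body.get("children", []))


def audit_tunnels(dme_json: str) -> List[Finding]:
    """Flag tunnels whose authentication settings are weaker than they should be.

    An empty 'cert' means the switch does not verify the tunnel server's
    certificate, so whoever answers at the destination (or intercepts the
    dial-out) is accepted as the collector and can forward gNMI/gNOI requests
    to the switch. An empty 'certClient' means the switch does not authenticate
    itself to the server, which then has only the target ID to go on.
    """
    findings: List[Finding] = []
    for attrs in iter_tunnels(json.loads(dme_json)):
        tunnel = "{}@{}:{}".format(
            attrs.get("targetId", "?"), attrs.get("dest", "?"), attrs.get("port", "?")
        )
        if not attrs.get("cert"):
            findings.append(("HIGH", tunnel,
                             "no 'cert' trustpoint: tunnel server certificate is not verified"))
        if not attrs.get("certClient"):
            findings.append(("MEDIUM", tunnel,
                             "no 'client-cert': switch does not authenticate to the tunnel server"))
    return findings


if __name__ == "__main__":
    # In practice, feed the JSON captured from the switch (for example over a
    # scripted SSH session) instead of SAMPLE_DME_JSON.
    for severity, tunnel, message in audit_tunnels(SAMPLE_DME_JSON):
        print(f"[{severity}] {tunnel}: {message}")
```

The recursion is deliberately generic over the DME's class/attributes/children shape so that it keeps working if the tunnel objects are nested under additional containers; only the grpctunnelTunnel class name and the two attribute names are assumed from the output above.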