About NX-API
In Cisco Nexus devices, CLIs are run only on the device. NX-API improves the accessibility of these CLIs by making them available outside the switch by using HTTP or HTTPS. You can use either of these extensions to the existing Cisco Nexus CLI system on the Cisco Nexus 7000 Series devices. NX-API supports show commands and configurations.
NX-API supports JSON-RPC, JSON, and XML formats.
NX-API generates a new certificate on each device that it communicates with. This auto-generated certificate is valid for only 24 hours. NX-API does not use a default, hard-coded, or outdated certificate for its communication.
NX-API comes up with a default self-signed certificate that, as mentioned earlier, is valid for only 24 hours. To renew the certificate automatically, you must re-enable the feature nxapi command. You need to use your own certificate rather than depending on the NX-API certificate. Some browsers might treat this certificate as invalid. In that case, add an exception for it in your browser settings and continue with your tasks.
Transport
NX-API uses HTTP or HTTPS as its transport. CLIs are encoded into the HTTP POST or HTTPS POST body.
The NX-API backend uses the Nginx HTTP server.
Message Format
NX-API is an enhancement to the Cisco Nexus 7000 Series CLI system, which supports XML output.
Security
NX-API supports HTTP and HTTPS. If you use HTTPS, all communication to the device is encrypted.
NX-API is integrated into the authentication system on the device. Users must have appropriate accounts to access the device through NX-API, which uses HTTP basic authentication. All requests must contain the username and password in the HTTP header.
Note: We recommend that you consider using HTTPS to secure your users' login credentials.
You can enable NX-API by using the feature manager command.
Prior to Cisco NX-OS Release 8.2(3), NX-API was accessible on all Layer 3 interfaces and there was no way to restrict the access to a particular VRF. The nxapi use-vrf feature is introduced in Cisco NX-OS Release 8.2(3), which helps to secure NX-API by binding the NX-API to a particular VRF.
You can use ACLs, along with the VRF, to restrict HTTP or HTTPS access to a device if you want to restrict NX-API access to a particular IP address. For information about configuring ACLs, see the Cisco Nexus 7000 Series NX-OS Security Configuration Guide.
NX-API provides a session-based cookie, nxapi_auth, when users successfully authenticate for the first time. Along with the session cookie, the username and password are included in all subsequent NX-API requests that are sent to the device. The username and password are used with the session cookie to bypass the task of performing the entire authentication process again. If the session cookie is not included with subsequent requests, another session cookie is required and is provided by the authentication process. Avoiding multiple authentications helps reduce the devices' workload.
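The request pattern described under Transport and Security, as an added Python example that is not part of Cisco's documentation: it builds the POST with the CLI in the body, refuses cleartext HTTP for the Basic credentials, and replays the nxapi_auth cookie. The `/ins` path, the JSON-RPC `cli` body, the `application/json-rpc` content type, the function names, and all sample values are assumptions not taken from this page.

```python
import base64
import json
import urllib.request
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Assumptions (not stated on this page): the /ins endpoint path and the
# JSON-RPC "cli" method body follow Cisco's NX-API JSON-RPC convention.
NXAPI_PATH = "/ins"


def build_nxapi_request(base_url, username, password, cli, session_cookie=None):
    """Build (not send) an NX-API POST carrying one CLI command."""
    parts = urlsplit(base_url)
    # Basic auth is only base64-encoded, so refuse to put it on cleartext HTTP.
    if parts.scheme != "https":
        raise ValueError("refusing to send Basic credentials over " + repr(parts.scheme))
    body = json.dumps([{"jsonrpc": "2.0", "method": "cli",
                        "params": {"cmd": cli, "version": 1}, "id": 1}]).encode()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{parts.netloc}{NXAPI_PATH}",
                                 data=body, method="POST")
    req.add_header("Content-Type", "application/json-rpc")
    # Username and password accompany every request, with or without the cookie.
    req.add_header("Authorization", "Basic " + token)
    if session_cookie:
        req.add_header("Cookie", "nxapi_auth=" + session_cookie)
    return req


def extract_session_cookie(set_cookie_header):
    """Return the nxapi_auth value from a Set-Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(set_cookie_header or "")
    morsel = jar.get("nxapi_auth")
    return morsel.value if morsel else None


if __name__ == "__main__":
    # Constructed sample values; 192.0.2.10 is a documentation address.
    first = build_nxapi_request("https://192.0.2.10", "admin", "example-pw", "show version")
    cookie = extract_session_cookie("nxapi_auth=abc123_constructed; Secure; HttpOnly")
    second = build_nxapi_request("https://192.0.2.10", "admin", "example-pw",
                                 "show version", cookie)
    print(second.get_header("Cookie"))
```

Sending the request (for example with `urllib.request.urlopen` and an `ssl` context that trusts your own certificate) is left out so the block runs offline.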