简介
本文档介绍如何设置gNMI以订用在Cisco Nexus 9000系列交换机上运行的遥测应用。
先决条件
要求
您了解以下主题的一般建议:
- gRPC(Google remote-procedure-call)
- gNMI(Google RPC — 网络管理接口)
- CA证书(证书颁发机构)
- TLS(传输层安全协议)
- Nexus 9000命令行
使用的组件
服务器(SW1) |
N9K-C-93180-FX |
9.3(9) 版 |
收集器(客户端) |
Mac/Ubuntu |
13.4.1 / 5.19.0-46 |
TLS |
在Ubuntu上运行的服务 |
3.3.6 |
gNMI |
在Ubuntu上运行的服务 |
0.5.0 |
- 本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。
什么是gRPC?
- gRPC(由Google开发)是创建分布式系统的RPC框架。
- 在gRPC协议中,在一个系统上运行的客户端可以调用远程服务器中定义的服务,就好像它是本地对象一样。
- 终端(或服务器)是能够使用gRPC协议与其他终端通信的运行进程。一个终端可以托管多个服务。
什么是gNMI(Dail-in)?
- gNMI是基于Google RPC的网络管理接口,用于配置网络设备。
支持的gNMI RPC
gNMI RPC |
受支持 |
功能 |
Yes |
GET |
Yes |
设置 |
Yes |
订阅 |
Yes |
支持的gNMI方法
服务器端身份验证(TLS)/使用密码
在Nexus 9k上配置gNMI
配置客户端计算机
安装gNMI服务:
bash -c "$(curl -sL https://get-gnmic.openconfig.net)"
验证Nexus 9k
# show run grpc
feature grpc
#show grpc gnmi transactions
=============
gRPC Endpoint
=============
Vrf : management
Server address : [::]:50051
Cert notBefore : Jul 19 13:16:53 2023 GMT <- Default switch certificates used for one day
Cert notAfter : Jul 20 13:16:53 2023 GMT
RPC DataType Session Time In Duration(ms) Status
------------ ---------- --------------- -------------------- ------------ ------
Get ALL 3538957304 07/19 14:21:14 1 0
subtype: dtx: st: path:
- - OK /System/bgp-items/inst-items/dom-items/Dom-list/rtrId
Get ALL 3536859976 07/19 14:20:30 1101 0
subtype: dtx: st: path:
- - OK /System/intf-items
验证客户端收集器
% gnmic -a 10.88.146.112:50051 -u (username) -p (password) --skip-verify get --path /System/bgp-items/inst-items/dom-items/Dom-list/rtrId
[
{
"source": "10.88.146.112:50051",
"timestamp": 1689773883108293792,
"time": "2023-07-19T19:08:03.108293792+05:30",
"updates": [
{
"Path": "System/bgp-items/inst-items/dom-items/Dom-list/rtrId",
"values": {
"System/bgp-items/inst-items/dom-items/Dom-list/rtrId": null
}
}
]
}
]
% gnmic -a 10.88.146.112:50051 -u (username) -p (password) --skip-verify capabilities
gNMI version: 0.5.0
supported models:
- Cisco-NX-OS-device, Cisco Systems, Inc., 2022-02-04
- DME, Cisco Systems, Inc.,
- Cisco-NX-OS-Syslog-oper, Cisco Systems, Inc., 2019-08-15
supported encodings:
- JSON
- PROTO
注意:使用安装了密码身份验证的交换机默认证书加密数据。
使用根CA证书和密码的服务器端身份验证(TLS)
配置客户端
成为本地根CA
以下是成为根并生成证书的步骤:
1.生成密钥:
bash-4.3# openssl genrsa -des3 -out myCA.key 2048 <<< Generate key for Root CA
Generating RSA private key, 2048 bit long modulus
..........
...............
e is 65537 (0x10001)
Enter pass phrase for myCA.key:
Verifying - Enter pass phrase for myCA.key:
2.生成根证书:
bash-4.3# openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1000 -out myCA.pem
Enter pass phrase for myCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:IN
Locality Name (eg, city) []:IN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IN
Organizational Unit Name (eg, section) []:IN
Common Name (e.g. server FQDN or YOUR name) []:IN
Email Address []:IN
bash-4.3# pwd
/bootflash/home/admin/certs
bash-4.3# ls -ll
total 8
-rw-r--r-- 1 root root 1743 Jul 19 14:24 myCA.key
-rw-r--r-- 1 root root 1302 Jul 19 14:25 myCA.pem
3.创建由根服务器签名的服务器证书:
1. openssl genrsa -out Server.test.key 2048. << create server private key
2. openssl req -new -key Server.test.key -out Server.test.csr << Create server csr
3. Need to create an X509 V3 certificate extension config file, which is used to define the Subject Alternative Name (SAN) for the certificate.
bash-4.3# cat Server.test.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 10.88.x.x. << Server IP address
4. Creating Server certificates singed by Root CA (myCA.pem)
openssl x509 -req -in Server.test.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out Server.test.crt -days 825 -sha256 -extfile Server.test.ext
5. At last, we need to create .PFX file to use on switch.
openssl pkcs12 -export -out Server.test.pfx -inkey Server.test.key -in Server.test.crt -certfile myCA.pem -password pass:cisco
6. All created files
bash-4.3# ls -l
total 32
-rw-r--r-- 1 root root 1743 Jul 19 14:24 myCA.key
-rw-r--r-- 1 root root 1302 Jul 19 14:25 myCA.pem <-- .pem will be used on client machine for server authentication
-rw-r--r-- 1 root root 17 Jul 19 14:40 myCA.srl
-rw-r--r-- 1 root root 1298 Jul 19 14:40 Server.test.crt
-rw-r--r-- 1 root root 1054 Jul 19 14:38 Server.test.csr
-rw-r--r-- 1 root root 203 Jul 19 14:40 Server.test.ext
-rw-r--r-- 1 root root 1679 Jul 19 14:36 Server.test.key
-rw-r--r-- 1 root root 3485 Jul 19 14:43 Server.test.pfx. <-- Copy file to Switch and import certificates to gRPC trust point
bash-4.3#
配置gRPC Nexus 9k
Feature grpc
crypto ca trustpoint trust_my <-- trust point created
crypto ca import trust_my pkcs12 bootflash:Server.test.pfx cisco <-- pfx file used to import certificates
grpc certificate trust_my <-- trust point added to grpc
验证交换机
show grpc gnmi service statistics
=============
gRPC Endpoint
=============
Vrf : management
Server address : [::]:50051
Cert notBefore : Jul 19 14:40:57 2023 GMT <-- Certificates installed by Admin
Cert notAfter : Oct 21 14:40:57 2025 GMT
Max concurrent calls : 8
Listen calls : 1
Active calls : 0
Number of created calls : 29
Number of bad calls : 28
Subscription stream/once/poll : 0/0/0
Max gNMI::Get concurrent : 5
Max grpc message size : 8388608
gNMI Synchronous calls : 34
gNMI Synchronous errors : 19
gNMI Adapter errors : 18
gNMI Dtx errors : 0
show crypto ca certificates trust_my
Trustpoint: trust_my
certificate:
subject= /C=IN/ST=IN/L=IN/O=IN/OU=IN/CN=IN/emailAddress=IN
issuer= /C=IN/ST=IN/L=IN/O=IN/OU=IN/CN=IN/emailAddress=IN
serial=AC6E9591F0919488
notBefore=Jul 19 14:40:57 2023 GMT
notAfter=Oct 21 14:40:57 2025 GMT
SHA1 Fingerprint=7D:F1:7E:CD:C7:32:7E:B9:68:16:D4:D8:9A:48:C0:4A:7E:72:15:33
purposes: sslserver sslclient
CA certificate 0:
subject= /C=IN/ST=IN/L=IN/O=IN/OU=IN/CN=IN/emailAddress=IN
issuer= /C=IN/ST=IN/L=IN/O=IN/OU=IN/CN=IN/emailAddress=IN
serial=EE18094A2EC65F7D
notBefore=Jul 19 14:25:49 2023 GMT
notAfter=Apr 14 14:25:49 2026 GMT
SHA1 Fingerprint=A4:06:6A:80:A0:2A:D5:E1:15:92:F4:2B:50:89:BF:23:A0:52:D5:54
purposes: sslserver sslclient
show grpc gnmi transactions
=============
gRPC Endpoint
=============
Vrf : management
Server address : [::]:50051
Cert notBefore : Jul 19 14:40:57 2023 GMT
Cert notAfter : Oct 21 14:40:57 2025 GMT
Client Root Cert notBefore : n/a
Client Root Cert notAfter : n/a
RPC DataType Session Time In Duration(ms) Status
------------ ---------- --------------- -------------------- ------------ ------
Set - 3458208880 07/26 07:46:09 98 0
subtype: dtx: st: path:
Update - OK /interfaces/interface[name=mgmt0]/config/description
show run grpc
feature grpc
grpc certificate trust_my
检验客户端
1: Get
% gnmic -a 10.88.146.112:50051 -u (username) -p (Password) --tls-ca myCA.pem get --path /System/bgp-items/inst-items/dom-items/Dom-list/rtrId
[
{
"source": "10.88.146.112:50051",
"timestamp": 1689779603147750570,
"time": "2023-07-19T20:43:23.14775057+05:30",
"updates": [
{
"Path": "System/bgp-items/inst-items/dom-items/Dom-list/rtrId",
"values": {
"System/bgp-items/inst-items/dom-items/Dom-list/rtrId": null
}
}
]
}
]
2: Capabilities
% gnmic -a 10.88.146.112:50051 -u (username) --tls-ca myCA.pem capabilities
gNMI version: 0.5.0
supported models:
- Cisco-NX-OS-device, Cisco Systems, Inc., 2022-02-04
- DME, Cisco Systems, Inc.,
- Cisco-NX-OS-Syslog-oper, Cisco Systems, Inc., 2019-08-15
supported encodings:
- JSON
- PROTO
% gnmic -a 10.88.146.112:50051 -u (username) -p (password) --tls-ca myCA.pem capabilities
gNMI version: 0.5.0
supported models:
- Cisco-NX-OS-device, Cisco Systems, Inc., 2022-02-04
- DME, Cisco Systems, Inc.,
- Cisco-NX-OS-Syslog-oper, Cisco Systems, Inc., 2019-08-15
supported encodings:
- JSON
- PROTO
3: Set
interface mgmt0 <-- No Description on interface
vrf member management
ip address x.x.x.x/x
% gnmic -a 10.88.146.112:50051 -u (username) -p (password) --tls-ca myCA.pem set --update-path "interfaces/interface[name=mgmt0]/config/description" --update-value gnmic
{
"source": "10.88.146.112:50051",
"timestamp": 1690357569933044933,
"time": "2023-07-26T13:16:09.933044933+05:30",
"results": [
{
"operation": "UPDATE",
"path": "interfaces/interface[name=mgmt0]/config/description"
}
]
}
interface mgmt0
description gnmic <-- Description added with set RPC
vrf member management
ip address x.x.x.x/x
摘要
- 有关更多详细信息和gNMI准则/限制,请查看Nexus 9000配置指南。
- 查找链接以检查Openconfig path以获取并设置RPC。
- 您需要为9.3(x)版本上的Openconfig支持的路径安装RPM,并启用从10.2.(2)开始的Openconfig功能。
相关信息