flokinet-003 - Introduction to the Arista CLI, continued
Connecting to the lab server
- Open your favourite Terminal Emulator
- SSH to the netlab server:
  $ ssh-keygen -R netlab.nanocat.net   <- delete the cached fingerprint (lab server rebuilt frequently)
  $ ssh lab@netlab.nanocat.net
  Password: (generated fresh each week)
- List the running containerlab devices:
  $ sudo containerlab inspect --all
- Connect to an Arista device:
  $ sudo docker exec -it clab-device-name Cli
- .. or connect to a Linux device:
  $ sudo docker exec -it clab-pcXX-name bash
Diagram
Enabling the RestConf API: SSL
Set up a self-signed certificate + ssl profile
r5#security pki certificate generate self-signed restconf.crt key restconf.key generate rsa 2048 parameters common-name restconf
r5#config
r5(config)#management security
r5(config-mgmt-security)#ssl profile restconf
r5(config-mgmt-sec-ssl-profile-restconf)#certificate restconf.crt key restconf.key
r5(config-mgmt-sec-ssl-profile-restconf)#end
r5#
!
Enabling the RestConf API: local user
Create a new user. configure, then:
!
username foo privilege 15 secret bar
aaa authorization exec default local
!
Enabling the RestConf API: enable restconf
Set up RestConf. configure, then:
!
management api restconf
transport https test
ssl profile restconf
!
Enabling the RestConf API: control-plane ACL
- look at the default control-plane ACL with
  show ip access-lists default-control-plane-acl
- set a new control-plane ACL. configure, then:
  !
  ip access-list my-control-plane-acl
     10 permit icmp any any
     20 permit ip any any tracked
     30 permit udp any any eq bfd ttl eq 255
     40 permit udp any any eq bfd-echo ttl eq 254
     50 permit udp any any eq multihop-bfd micro-bfd sbfd
     60 permit udp any eq sbfd any eq sbfd-initiator
     70 permit ospf any any
     80 permit tcp any any eq ssh telnet www snmp bgp https msdp ldp netconf-ssh gnmi
     90 permit udp any any eq bootps bootpc ntp snmp ptp-event ptp-general rip ldp
     100 permit tcp any any eq mlag ttl eq 255
     110 permit udp any any eq mlag ttl eq 255
     120 permit vrrp any any
     130 permit ahp any any
     140 permit pim any any
     150 permit igmp any any
     160 permit tcp any any range 5900 5910
     170 permit tcp any any range 50000 50100
     180 permit udp any any range 51000 51100
     190 permit tcp any any eq 3333
     200 permit tcp any any eq nat ttl eq 255
     210 permit tcp any eq bgp any
     220 permit rsvp any any
     230 permit tcp any any eq 6040
     240 permit tcp any any eq 5541 ttl eq 255
     250 permit tcp any any eq 5542 ttl eq 255
     260 permit tcp any any eq 9559
     270 permit udp any any eq 8503
     280 permit udp any any eq lsp-ping
     290 permit udp any eq lsp-ping any
     ! this is the new one:
     300 permit tcp any any eq 6020
  !
  system control-plane
     ip access-group my-control-plane-acl in
  !
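A quick audit of the control-plane ACL above, as an added example that is not part of the original lab notes: it lists the permit rules that leave management-plane ports reachable from any source, including the new sequence 300 for RestConf on TCP 6020. The port sets, the helper names and the shortened sample ACL are assumptions of this example.

```python
# Assumption: MGMT_PORTS and CLEARTEXT are this example's own choices, not an Arista list.
MGMT_PORTS = {"ssh", "telnet", "www", "https", "snmp", "netconf-ssh", "gnmi", "6020"}
CLEARTEXT = {"telnet", "www", "snmp"}
STOP = {"any", "host", "ttl", "tracked", "established"}
# Constructed sample: a subset of the ACL lines shown above.
SAMPLE_ACL = """\
ip access-list my-control-plane-acl
   10 permit icmp any any
   80 permit tcp any any eq ssh telnet www snmp bgp https msdp ldp netconf-ssh gnmi
   100 permit tcp any any eq mlag ttl eq 255
   210 permit tcp any eq bgp any
   300 permit tcp any any eq 6020
"""

def _addr(tok, i):
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D/len' (wildcard-mask form not handled)."""
    if i < len(tok) and tok[i] == "host":
        return tok[i + 1], i + 2
    return (tok[i] if i < len(tok) else None), i + 1

def _ports(tok, i):
    """Read an optional 'eq p1 p2 ...' or 'range lo hi' port qualifier."""
    if i < len(tok) and tok[i] == "range":
        return {f"{tok[i + 1]}-{tok[i + 2]}"}, i + 3
    ports = set()
    if i < len(tok) and tok[i] == "eq":
        i += 1
        while i < len(tok) and tok[i] not in STOP and "/" not in tok[i]:
            ports.add(tok[i])
            i += 1
    return ports, i

def audit(acl_text):
    """Return (seq, exposed_mgmt_ports, cleartext_ports) per permit rule open to any source."""
    findings = []
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) < 5 or not tok[0].isdigit() or tok[1] != "permit" or tok[2] not in ("tcp", "udp"):
            continue
        src, i = _addr(tok, 3)
        _, i = _ports(tok, i)   # source ports are not relevant to this check
        _, i = _addr(tok, i)    # destination address
        dports, _ = _ports(tok, i)
        exposed = dports & MGMT_PORTS
        if src == "any" and exposed:
            findings.append((int(tok[0]), sorted(exposed), sorted(exposed & CLEARTEXT)))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_ACL))
```

A rule whose source is narrowed to a management prefix or host instead of any produces no finding for that sequence number.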
Testing the RestConf API
r5#bash
Arista Networks EOS shell
[arista@r5 ~]$ curl -s -X GET 'https://172.16.0.x:6020/restconf/data/openconfig-interfaces:interfaces' \
--header 'Accept: application/yang-data+json' \
--insecure \
-u foo:bar
Get an interface description:
curl -s -X GET 'https://172.16.0.x:6020/restconf/data/openconfig-interfaces:interfaces/interface=Ethernet1/config/description' \
--header 'Accept: application/yang-data+json' \
--insecure \
-u foo:bar
Get info for a specific interface:
curl -s -X GET 'https://172.16.0.x:6020/restconf/data/openconfig-interfaces:interfaces/interface=Ethernet1' \
--header 'Accept: application/yang-data+json' \
--insecure \
-u foo:bar
Browse the JSON using your favourite JSON browser.