title: flokinet-003 - Introduction to the Arista CLI, continued
author: Nicholas Morrison nick@nanocat.net
draft: false
tags: [network, workshop, arista]
categories: [workshop]
noindex: true
$ ssh-keygen -R netlab.nanocat.net   # delete the cached fingerprint (the lab server is rebuilt frequently)
$ ssh lab@netlab.nanocat.net
Password: (generated fresh each week)
$ sudo containerlab inspect --all
$ sudo docker exec -it clab-device-name Cli
$ sudo docker exec -it clab-pcXX-name bash
Set up a self-signed certificate + ssl profile
r5#security pki certificate generate self-signed restconf.crt key restconf.key generate rsa 2048 parameters common-name restconf
r5#config
r5(config)#management security
r5(config-mgmt-security)#ssl profile restconf
r5(config-mgmt-sec-ssl-profile-restconf)#certificate restconf.crt key restconf.key
r5(config-mgmt-sec-ssl-profile-restconf)#end
r5#
!
Create a new user. Run configure, then:
!
username foo privilege 15 secret bar
aaa authorization exec default local
!
Set up RESTCONF. Run configure, then:
!
management api restconf
transport https test
ssl profile restconf
!
Look at the default control-plane ACL with:
show ip access-lists default-control-plane-acl
Set a new control-plane ACL. Run configure, then:
!
ip access-list my-control-plane-acl
10 permit icmp any any
20 permit ip any any tracked
30 permit udp any any eq bfd ttl eq 255
40 permit udp any any eq bfd-echo ttl eq 254
50 permit udp any any eq multihop-bfd micro-bfd sbfd
60 permit udp any eq sbfd any eq sbfd-initiator
70 permit ospf any any
80 permit tcp any any eq ssh telnet www snmp bgp https msdp ldp netconf-ssh gnmi
90 permit udp any any eq bootps bootpc ntp snmp ptp-event ptp-general rip ldp
100 permit tcp any any eq mlag ttl eq 255
110 permit udp any any eq mlag ttl eq 255
120 permit vrrp any any
130 permit ahp any any
140 permit pim any any
150 permit igmp any any
160 permit tcp any any range 5900 5910
170 permit tcp any any range 50000 50100
180 permit udp any any range 51000 51100
190 permit tcp any any eq 3333
200 permit tcp any any eq nat ttl eq 255
210 permit tcp any eq bgp any
220 permit rsvp any any
230 permit tcp any any eq 6040
240 permit tcp any any eq 5541 ttl eq 255
250 permit tcp any any eq 5542 ttl eq 255
260 permit tcp any any eq 9559
270 permit udp any any eq 8503
280 permit udp any any eq lsp-ping
290 permit udp any eq lsp-ping any
! this is the new one (RESTCONF over HTTPS on TCP 6020):
300 permit tcp any any eq 6020
!
system control-plane
ip access-group my-control-plane-acl in
!
r5#bash
Arista Networks EOS shell
[arista@r5 ~]$ curl -s -X GET 'https://172.16.0.x:6020/restconf/data/openconfig-interfaces:interfaces' \
--header 'Accept: application/yang-data+json' \
--insecure \
-u foo:bar
Get an interface description:
curl -s -X GET 'https://172.16.0.x:6020/restconf/data/openconfig-interfaces:interfaces/interface=Ethernet1/config/description' \
--header 'Accept: application/yang-data+json' \
--insecure \
-u foo:bar
Get info for a specific interface:
curl -s -X GET 'https://172.16.0.x:6020/restconf/data/openconfig-interfaces:interfaces/interface=Ethernet1' \
--header 'Accept: application/yang-data+json' \
--insecure \
-u foo:bar
Browse the JSON using your favourite JSON browser.
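Rule 300 in my-control-plane-acl above permits TCP 6020 from any source, as do several other rules for management services. This Python script is an added example, not part of the workshop material: it lists the permit rules that reach a management port from source any. The MGMT watch-list and the function names are assumptions of this example.

```python
# Added example: flag control-plane ACL rules that permit a management port from
# source "any". MGMT is this example's own watch-list (an assumption).
MGMT = {"ssh", "telnet", "www", "https", "snmp", "netconf-ssh", "gnmi", "6020"}

# A subset of the page's my-control-plane-acl, copied for the demonstration.
SAMPLE_ACL = """\
60 permit udp any eq sbfd any eq sbfd-initiator
80 permit tcp any any eq ssh telnet www snmp bgp https msdp ldp netconf-ssh gnmi
90 permit udp any any eq bootps bootpc ntp snmp ptp-event ptp-general rip ldp
210 permit tcp any eq bgp any
240 permit tcp any any eq 5541 ttl eq 255
300 permit tcp any any eq 6020
"""

def _is_addr(t):
    return t in ("any", "host") or "." in t or "/" in t

def _addr(tok, i):
    """Consume 'any', 'host A' or 'A/len'; return (address, next index)."""
    return (tok[i + 1], i + 2) if tok[i] == "host" else (tok[i], i + 1)

def _ports(tok, i, stop):
    """Consume an optional 'eq p1 p2 ...' or 'range a b'; return (ports, next index)."""
    if tok[i:i + 1] == ["range"]:
        return {f"{tok[i + 1]}-{tok[i + 2]}"}, i + 3
    ports = set()
    if tok[i:i + 1] == ["eq"]:
        i += 1
        while i < len(tok) and not stop(tok[i]):
            ports.add(tok[i])
            i += 1
    return ports, i

def exposed_mgmt_rules(acl_text):
    """Return [(seq, proto, mgmt ports)] for tcp/udp permits from 'any' to a
    management port with no 'ttl eq' match narrowing the senders."""
    findings = []
    for tok in map(str.split, acl_text.splitlines()):
        if (len(tok) < 5 or not tok[0].isdigit() or tok[1] != "permit"
                or tok[2] not in ("tcp", "udp")):
            continue
        src, i = _addr(tok, 3)
        _, i = _ports(tok, i, _is_addr)        # source port spec, if any
        _, i = _addr(tok, i)                   # destination address
        dports, i = _ports(tok, i, lambda t: t in ("ttl", "tracked", "log"))
        hits = sorted(dports & MGMT)
        if src == "any" and hits and "ttl" not in tok[i:]:
            findings.append((int(tok[0]), tok[2], hits))
    return findings
```

On the sample it reports rules 80, 90 and 300. Replacing the source any in rule 300 with the management subnet removes that rule from the output.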