Enabling Web-API Access for vNET and vNET Manager
Starting with NetVisor OS version 7.0.0, you can access and configure vNET features by using REST API commands. This web-API support enables Arista NetVisor UNUM customers to access vNET, vNET Manager, and vNET resources by using the UNUM interface.
To enable web-API access through the UNUM interface, the vNET-admin must log in using the mgmt IP address of the switch. Prior to version 7.0.0, NetVisor allowed the vNET-admin to log in by using only the interface IP address (or vNET IP address). The vNET-admin and the users created with the vNET-admin role can also access the CLI shell by logging in using the mgmt IP address of the switch.
Prior to NetVisor OS version 7.0.0, to access a vNET and its resources, you had to log in to the vNET container, which is present only on the switch where the vNET is created (even in the case of a fabric-scoped vNET). However, starting with version 7.0.0, you can access the vNET context from any of the nodes regardless of where the vNET is created.
To access vNET and vNET Manager through the UNUM interface, you must enable web API on all devices by using the admin-service-modify if mgmt web command and then use the vNET credentials in the curl request.
You can access a vNET and manage the vNET resources by using the vnet-admin user and the corresponding password, just as you would with the network-admin user. The following is an example format for logging in to the switch as the vnet-admin user:
Example of a GET request:
curl -s -u vn1-admin:vn1-admin -X GET http://switch-test1/vRest/port-configs
or
curl -s http://vn1-admin:vn1-admin@switch-test1/vRest/ports-phys | python -m json.tool
To access the vNET by using the RESTful API:
root@switch-test1:~# curl -s -u vnet-1-admin:vnet-1-admin -X GET http://192.168.22.82/vRest/vnets | python -m json.tool
{
    "data": [
        {
            "admin": 40000,
            "global": false,
            "id": "c0000bf:1",
            "managed-ports": "",
            "name": "vnet-1",
            "num-private-vlans": 0,
            "num-vlans": 1,
            "public-vlans": "",
            "scope": "fabric",
            "shared-port-vlans": "",
            "shared-ports": "",
            "vlan-type": "public",
            "vlans": "5",
            "vnet-mgr-name": "vnet-1-mgr",
            "vrg-id": "c0000bf:0",
            "vxlan-end": 0,
            "vxlans": 0
        }
    ],
    "result": {
        "result": [
            {
                "api.switch-name": "local",
                "code": 0,
                "message": "",
                "scope": "local",
                "status": "Success"
            }
        ],
        "status": "Success"
    }
}
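The following Python client is an added example, not part of the NetVisor documentation. It sends the vNET credentials in an Authorization header instead of the URL and checks the response envelope shown above before using the data. The function names, the https option, and the shape of a failed response are assumptions; the sample body is a constructed, trimmed copy of the output above.

```python
import base64
import json
import urllib.request

# Constructed sample: trimmed copy of the /vRest/vnets response shown above.
SAMPLE = """{"data": [{"id": "c0000bf:1", "name": "vnet-1", "scope": "fabric",
  "vlans": "5", "vnet-mgr-name": "vnet-1-mgr"}],
 "result": {"status": "Success", "result": [{"api.switch-name": "local",
  "code": 0, "message": "", "scope": "local", "status": "Success"}]}}"""


class VRestError(Exception):
    """The response envelope reported a failure."""


def build_request(host, path, user, password, scheme="http"):
    """GET request with credentials in an Authorization header, keeping them
    out of the URL, the shell history and the process list. The page shows
    http only; passing scheme="https" assumes the switch serves TLS."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{scheme}://{host}/vRest/{path}", method="GET")
    req.add_header("Authorization", f"Basic {token}")
    return req


def parse_vrest(body):
    """Return the "data" list; raise unless every per-switch result succeeded.
    Assumption: a failure keeps the same envelope with a non-zero "code"."""
    doc = json.loads(body)
    result = doc.get("result", {})
    failed = [r for r in result.get("result", [])
              if r.get("code") != 0 or r.get("status") != "Success"]
    if result.get("status") != "Success" or failed:
        raise VRestError(failed or result.get("status"))
    return doc.get("data", [])


def vnet_summary(body):
    """Map vNET name -> (scope, vlans, vnet-mgr-name) from /vRest/vnets."""
    return {v["name"]: (v["scope"], v["vlans"], v.get("vnet-mgr-name"))
            for v in parse_vrest(body)}


if __name__ == "__main__":
    print(vnet_summary(SAMPLE))
    # Live use, with the password supplied by the caller (e.g. getpass):
    #   req = build_request("192.168.22.82", "vnets", "vnet-1-admin", pw)
    #   body = urllib.request.urlopen(req, timeout=10).read()
```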
You can also access vNET and vNET Manager on NetVisor OS by logging in to the switch over SSH using one of the following methods:
- ssh vnet-admin@<switch-name>
- ssh vnet-admin@<switch mgmt IP address>
Below is an example of how to log in using the switch name and verify the configuration:
ssh vn1-admin@switch-test1
* Welcome to Arista Networks Inc. Netvisor(R). This is a monitored system. *
* ACCESS RESTRICTED TO AUTHORIZED USERS ONLY *
* By using the Netvisor(R) CLI,you agree to the terms of the Arista Networks *
* End User License Agreement (EULA). The EULA can be accessed via *
* http://www.arista.com/eula or by using the command "eula-show" *
vn1-admin@switch1's password:
Last login: Thu Jan 6 23:10:42 2021 from 10.140.0.48
Netvisor OS Command Line Interface 7.0
Connected to Switch switch-test1; nvOS Identifier:0xc0000bf; Ver: 7.0.0-7000018494
CLI (vn1-admin@switch-test1) > vnet-show
name scope vlan-type vlans public-vlans vxlans            managed-ports shared-ports shared-port-vlans admin
---- ----- --------- ----- ------------ ----------------- ------------- ------------ ----------------- ---------
vn1  local private   none  2000-2099    10000110-10000119 9,17          18           none              vn1-admin
CLI (vn1-admin@switch-test1) > port-phy-show
port state speed eth-mode max-frame def-vlan
---- ----- ----- -------- --------- --------
9    down  10000 xfi      1540      1
17   down  10000 xfi      1540      1
18   down  10000 xfi      1540      1
Below is an example of how to log in using the in-band IP address and verify the configuration:
root@switch-test2:~# cli
Netvisor OS Command Line Interface 7.0
Connected to Switch switch-test2; nvOS Identifier:0xc00021d; Ver: 7.0.0-7000018494
CLI (network-admin@switch-test2) > fabric-node-show
name          fab-name mgmt-ip        in-band-ip       in-band-vlan-type fab-tid out-port version          state  device-state
------------- -------- -------------- ---------------- ----------------- ------- -------- ---------------- ------ ------------
switch-test2  fab-1    10.14.22.84/23 192.168.22.84/24 public            3                7.0.0-7000018494 online ok
switch-test1  fab-1    10.14.22.82/23 192.168.22.82/24 public            3       49       7.0.0-7000018494 online ok
root@switch-test1:~# ssh vnet-1-admin@192.168.22.82
The authenticity of host '192.168.22.82 (192.168.22.82)' can't be established.
ECDSA key fingerprint is SHA256:XXosFnaL8bQ/BUFbJAXP3bTXpgpwGvhrSuYvSgjmSv0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.22.82' (ECDSA) to the list of known hosts.
* Welcome to Arista Networks Inc. Netvisor(R). This is a monitored system. *
* ACCESS RESTRICTED TO AUTHORIZED USERS ONLY *
* By using the Netvisor(R) CLI,you agree to the terms of the Arista Networks *
* End User License Agreement (EULA). The EULA can be accessed via *
* http://www.arista.com/eula or by using the command "eula-show" *
vnet-1-admin@192.168.22.82's password:
Netvisor OS Command Line Interface 7.0
Connected to Switch switch-test1; nvOS Identifier:0xc0000bf; Ver: 7.0.0-7000018494
CLI (vnet-1-admin@switch-test1) > vnet-show
switch       name   scope  vlan-type vlans public-vlans num-private-vlans vxlans managed-ports shared-ports shared-port-vlans admin
------------ ------ ------ --------- ----- ------------ ----------------- ------ ------------- ------------ ----------------- ------------
switch-test1 vnet-1 fabric public    5     none         0                 0      none          none         none              vnet-1-admin
switch-test2 vnet-1 fabric public    5     none         0                 0      none          none         none              vnet-1-admin
To view the details of users, use the user-show command. For example:
CLI (network-admin@switch-test1) > user-show
switch        name          scope  uid   type     login-fail-count lock-account minimum-pw-length
------------- ------------- ------ ----- -------- ---------------- ------------ -----------------
              network-admin fabric 39999 netvisor 0                false        0
switch-test1  vn2-admin     local  20001 netvisor 0                false        6
switch-test1  vn1-admin     local  20000 netvisor 0                false        6
switch-test1  user-1        local  20002 netvisor 0                false        6
switch-test1  user-2        local  20003 netvisor 0                false        6
To view the user roles, use the user-role-show command:
CLI (network-admin@switch-test1) > user-role-show
switch        user-name     role
------------- ------------- -------------
              network-admin network-admin
switch-test1  vn2-admin     vn2-admin
switch-test1  vn1-admin     vn1-admin
switch-test1  user-1        vn1-admin
switch-test1  user-2        vn2-admin
Limitations and Restrictions
If the vNET container is not created and you do not want access to the vNET resources, use the no-config-admin option along with the no-create-vnet-mgr parameter when creating the vNET. For example,
to create a vNET with no-create-vnet-mgr and no-config-admin:
CLI (network-admin@switch-test1) > vnet-create name vnet-test scope local no-create-vnet-mgr no-config-admin
The above command creates a vNET without an admin, and no users with the vNET admin role are listed in the user-show output, as shown below:
CLI (network-admin@switch-test1) > vnet-show name vnet-test
switch       name      scope vlan-type vlans public-vlans num-private-vlans vxlans managed-ports shared-ports shared-port-vlans
------------ --------- ----- --------- ----- ------------ ----------------- ------ ------------- ------------ -----------------
switch-test1 vnet-test local public    5     none         0                 0      none          none         none
CLI (network-admin@switch-test1) > user-show
name          scope  uid   type     login-fail-count lock-account minimum-pw-length
------------- ------ ----- -------- ---------------- ------------ -----------------
network-admin fabric 39999 netvisor 0                false        0
The above configuration restricts access to the vNET through the mgmt-ip or in-band-ip because there are no users on the vNET that is created.