Enabling Web-API Access for vNET and vNET Manager



Starting with NetVisor OS version 7.0.0, you can access and configure vNET features by using REST API commands. This web-API support enables Arista NetVisor UNUM customers to access vNET, vNET Manager, and vNET resources by using the UNUM interface.


To enable web-API access through the UNUM interface, the vNET-admin must log in using the mgmt IP address of the switch. Prior to version 7.0.0, NetVisor allowed the vNET-admin to log in by using only the interface IP address (or vNET IP address). The vNET-admin and the users created with the vNET-admin role can also access the CLI shell by logging in using the mgmt IP address of the switch.


Prior to NetVisor OS version 7.0.0, to access a vNET and its resources, you had to log in to the vNET container, which is present only on the switch where the vNET is created (even in the case of a fabric-scoped vNET). However, starting with version 7.0.0, you can access the vNET context from any of the nodes regardless of where the vNET is created.


To access vNET and vNET Manager through the UNUM interface, you must enable the web API on all devices by using the admin-service-modify if mgmt web command and then use the vNET credentials in the curl request.


You can access a vNET and manage the vNET resources by using the vnet-admin user and the corresponding password, just as you would with the network-admin user. The following is an example format for logging in to the switch as a vnet-admin user:


       Example of a GET request:

       curl -s -u vn1-admin:vn1-admin -X GET http://switch-test1/vRest/port-configs

       or

       curl -s http://vn1-admin:vn1-admin@switch-test1/vRest/ports-phys | python -m json.tool


To access the vNET by using the RESTful API:


root@switch-test1:~# curl -s -u vnet-1-admin:vnet-1-admin -X GET http://192.168.22.82/vRest/vnets | python -m json.tool

{
    "data": [
        {
            "admin": 40000,
            "global": false,
            "id": "c0000bf:1",
            "managed-ports": "",
            "name": "vnet-1",
            "num-private-vlans": 0,
            "num-vlans": 1,
            "public-vlans": "",
            "scope": "fabric",
            "shared-port-vlans": "",
            "shared-ports": "",
            "vlan-type": "public",
            "vlans": "5",
            "vnet-mgr-name": "vnet-1-mgr",
            "vrg-id": "c0000bf:0",
            "vxlan-end": 0,
            "vxlans": 0
        }
    ],
    "result": {
        "result": [
            {
                "api.switch-name": "local",
                "code": 0,
                "message": "",
                "scope": "local",
                "status": "Success"
            }
        ],
        "status": "Success"
    }
}
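
The same request can be issued from a script. The following Python code is an added example, not Arista code: it sends the vNET credentials in an Authorization header rather than in the URL or on the command line, and returns the data list only when the overall status and every per-switch result report success. The function names, the scheme parameter, and the treatment of any non-zero code or non-Success status as a failure are assumptions; the sample response is a trimmed copy of the output above.

```python
import base64
import json
import urllib.request

# Constructed sample: trimmed copy of the /vRest/vnets response shown above.
SAMPLE = '''{"data": [{"admin": 40000, "id": "c0000bf:1", "name": "vnet-1",
 "scope": "fabric", "vlans": "5", "vnet-mgr-name": "vnet-1-mgr"}],
 "result": {"result": [{"api.switch-name": "local", "code": 0, "message": "",
 "scope": "local", "status": "Success"}], "status": "Success"}}'''


class VRestError(Exception):
    """Raised when the response envelope reports a failure."""


def build_request(host, resource, user, password, scheme="http"):
    """Build a GET for /vRest/<resource> with the credentials in the
    Authorization header, not in the URL or in a process argument list."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{scheme}://{host}/vRest/{resource}", method="GET")
    req.add_header("Authorization", f"Basic {token}")
    return req


def parse_vrest(body):
    """Return the "data" list only if the overall status and every
    per-switch result report success (assumed failure shape: code != 0)."""
    doc = json.loads(body)
    result = doc.get("result", {})
    failed = [r for r in result.get("result", [])
              if r.get("code") != 0 or r.get("status") != "Success"]
    if result.get("status") != "Success" or failed:
        detail = "; ".join(f'{r.get("api.switch-name")}: {r.get("message")}' for r in failed)
        raise VRestError(detail or result.get("status") or "missing result envelope")
    return doc.get("data", [])


def fetch(host, resource, user, password):
    """Live call (not exercised by the sample run): send and parse."""
    with urllib.request.urlopen(build_request(host, resource, user, password), timeout=10) as resp:
        return parse_vrest(resp.read().decode())


if __name__ == "__main__":
    for vnet in parse_vrest(SAMPLE):
        print(vnet["name"], vnet["scope"], vnet["vnet-mgr-name"])
```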


You can also access vNET and vNET Manager on NetVisor OS by logging in to the switch over SSH using one of the following methods:


  • ssh vnet-admin@<switch-name>
  • ssh vnet-admin@<switch mgmt IP address>


Below is an example of how to log in using the switch name and verify the configuration:


ssh vn1-admin@switch-test1
* Welcome to Arista Networks Inc. Netvisor(R). This is a monitored system.   *
*                ACCESS RESTRICTED TO AUTHORIZED USERS ONLY                    *
* By using the Netvisor(R) CLI,you agree to the terms of the Arista Networks *
* End User License Agreement (EULA). The EULA can be accessed via              *
* http://www.arista.com/eula or by using the command "eula-show"     *
vn1-admin@switch1's password:
Last login: Thu Jan  6 23:10:42 2021 from 10.140.0.48
Netvisor OS Command Line Interface 7.0
Connected to Switch switch-test1; nvOS Identifier:0xc0000bf; Ver: 7.0.0-7000018494

CLI (vn1-admin@switch-test1) > vnet-show

name scope vlan-type vlans public-vlans vxlans            managed-ports shared-ports shared-port-vlans admin
---- ----- --------- ----- ------------ ----------------- ------------- ------------ ----------------- ---------
vn1  local private   none  2000-2099    10000110-10000119 9,17          18           none              vn1-admin

CLI (vn1-admin@switch-test1) > port-phy-show

port state speed eth-mode max-frame def-vlan
---- ----- ----- -------- --------- --------
9    down  10000 xfi      1540      1
17   down  10000 xfi      1540      1
18   down  10000 xfi      1540      1



Below is an example of how to log in using the in-band IP address and verify the configuration:


root@switch-test2:~# cli
Netvisor OS Command Line Interface 7.0
Connected to Switch switch-test2; nvOS Identifier:0xc00021d; Ver: 7.0.0-7000018494

CLI (network-admin@switch-test2) > fabric-node-show

name         fab-name mgmt-ip        in-band-ip       in-band-vlan-type fab-tid out-port version          state  device-state
------------ -------- -------------- ---------------- ----------------- ------- -------- ---------------- ------ ------------
switch-test2 fab-1    10.14.22.84/23 192.168.22.84/24 public            3                7.0.0-7000018494 online ok
switch-test1 fab-1    10.14.22.82/23 192.168.22.82/24 public            3       49       7.0.0-7000018494 online ok

root@switch-test1:~# ssh vnet-1-admin@192.168.22.82
The authenticity of host '192.168.22.82 (192.168.22.82)' can't be established.
ECDSA key fingerprint is SHA256:XXosFnaL8bQ/BUFbJAXP3bTXpgpwGvhrSuYvSgjmSv0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.22.82' (ECDSA) to the list of known hosts.
* Welcome to Arista Networks Inc. Netvisor(R). This is a monitored system.   *
*                ACCESS RESTRICTED TO AUTHORIZED USERS ONLY                    *
* By using the Netvisor(R) CLI,you agree to the terms of the Arista Networks *
* End User License Agreement (EULA). The EULA can be accessed via              *
* http://www.arista.com/eula or by using the command "eula-show"     *
vnet-1-admin@192.168.22.82's password:
Netvisor OS Command Line Interface 7.0
Connected to Switch switch-test1; nvOS Identifier:0xc0000bf; Ver: 7.0.0-7000018494

CLI (vnet-1-admin@switch-test1) > vnet-show

switch       name   scope  vlan-type vlans public-vlans num-private-vlans vxlans managed-ports shared-ports shared-port-vlans admin
------------ ------ ------ --------- ----- ------------ ----------------- ------ ------------- ------------ ----------------- ------------
switch-test1 vnet-1 fabric public    5     none         0                 0      none          none         none              vnet-1-admin
switch-test2 vnet-1 fabric public    5     none         0                 0      none          none         none              vnet-1-admin


To view the details of users, use the user-show command. For example:


CLI (network-admin@switch-test1) > user-show

switch        name          scope  uid   type     login-fail-count lock-account minimum-pw-length
------------- ------------- ------ ----- -------- ---------------- ------------ -----------------
              network-admin fabric 39999 netvisor 0                false        0
switch-test1  vn2-admin     local  20001 netvisor 0                false        6
switch-test1  vn1-admin     local  20000 netvisor 0                false        6
switch-test1  user-1        local  20002 netvisor 0                false        6
switch-test1  user-2        local  20003 netvisor 0                false        6


To view the user roles, use the user-role-show command:


CLI (network-admin@switch-test1) > user-role-show

switch        user-name     role
------------- ------------- -------------
              network-admin network-admin
switch-test1  vn2-admin     vn2-admin
switch-test1  vn1-admin     vn1-admin
switch-test1  user-1        vn1-admin
switch-test1  user-2        vn2-admin


Limitations and Restrictions


If the vNET container is not created and you do not want access to the vNET resources, use the no-config-admin option along with the no-create-vnet-mgr parameter while creating the vNET. For example:


To create a vNET with the no-create-vnet-mgr and no-config-admin options:


CLI (network-admin@switch-test1) > vnet-create name vnet-test scope local no-create-vnet-mgr no-config-admin


The above command creates a vNET without an admin, and no users with the vNET admin role are listed in the user-show output, as shown below:


CLI (network-admin@switch-test1) > vnet-show name vnet-test

switch       name      scope vlan-type vlans public-vlans num-private-vlans vxlans managed-ports shared-ports shared-port-vlans
------------ --------- ----- --------- ----- ------------ ----------------- ------ ------------- ------------ -----------------
switch-test1 vnet-test local public    5     none         0                 0      none          none         none

CLI (network-admin@switch-test1) > user-show

name          scope  uid   type     login-fail-count lock-account minimum-pw-length
------------- ------ ----- -------- ---------------- ------------ -----------------
network-admin fabric 39999 netvisor 0                false        0


The above configuration restricts access to the vNET through the mgmt-ip or inband-ip because there are no users on the vNET that is created.
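
To confirm which vNETs have accounts that can log in with a vNET admin role, the user-role-show output can be cross-checked against the vNET names. The following Python code is an added example, not Arista code; it assumes that admin role names follow the <vnet-name>-admin pattern seen in the outputs above, and the sample text is constructed from the user-role-show output on this page.

```python
# Constructed sample: user-role-show rows as they appear on this page.
ROLE_SHOW = """\
switch        user-name     role
------------- ------------- -------------
              network-admin network-admin
switch-test1  vn2-admin     vn2-admin
switch-test1  vn1-admin     vn1-admin
switch-test1  user-1        vn1-admin
switch-test1  user-2        vn2-admin
"""


def parse_roles(text):
    """Map role -> sorted user names. The switch column is blank for
    fabric-scoped accounts, so the fields are read from the right."""
    roles = {}
    for line in text.splitlines():
        fields = line.split()
        is_header = fields[-2:] == ["user-name", "role"]
        is_rule = bool(fields) and set(line.strip()) <= {"-", " "}
        if len(fields) < 2 or is_header or is_rule:
            continue
        user, role = fields[-2], fields[-1]
        roles.setdefault(role, set()).add(user)
    return {role: sorted(users) for role, users in roles.items()}


def vnet_admin_report(vnet_names, roles):
    """For each vNET, list the accounts holding its <vnet>-admin role
    (naming pattern assumed from the outputs above). An empty list matches
    a vNET created with no-config-admin."""
    return {name: roles.get(f"{name}-admin", []) for name in vnet_names}


if __name__ == "__main__":
    report = vnet_admin_report(["vn1", "vn2", "vnet-test"], parse_roles(ROLE_SHOW))
    for vnet, users in report.items():
        print(vnet, ", ".join(users) if users else "no admin-role accounts")
```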
