350-401 ENCOR – Cisco CCIE Enterprise – Security part 4
January 27, 2023

12. Control Plane Policy Lab

I'm going to show you how we can do the configuration for CoPP. Let me log into one of the routers. First we create the class map: we can do class-map match-any ICMP-COPP. If we have any ACL to match on, we can go and create that ACL. What I'm basically telling you here is that once you are inside the class map you can match on several things: I can match an ACL, I can nest class maps as well, and I can also match DSCP, flow, et cetera.

We even have the option to match the protocol as well. So I have created the class map; let me go and create one more class map, say for example IP-REDIRECT. Now that I have these class maps, I can go to the policy map, for example COPP-POLICY, and call the class. Let me show you the class maps we have. Here I take ICMP-COPP and give it the policy: the police rate, then the burst, for example one packet. Then the conform action is, say, transmit, and the exceed action is drop. Likewise I will go to the other class as well. What is the other class we have here? Let me scroll up.

So we have created this policy for ICMP. Then I have the other class, so let me call that class as well: class IP-REDIRECT. Once I'm inside this, I can create the policy. Say for example, 101 hundred PPS, and for the burst let me give, say, two packets; the conform action is drop and the exceed action is also drop. All right, so what policy have we created?

Let me show you that policy map. Here you can see the policy. Just to showcase, I have created only two class maps and called them inside the policy like this, but we can create as many as our requirement calls for. Once we have this policy, we go to global configuration mode, go to the control plane, and apply the service policy whose name is COPP-POLICY. Let me show you what options we have here: we use service-policy input and then the policy name. That's it. Now how can we verify? You can see the message that the control plane policing feature is enabled on the control plane aggregate path, and we can go and verify this.

So for example, show control-plane, and then we have cef-exception, counters, features, host, etc. But the policy that we have created we can verify like this: show policy-map control-plane. This is the policy that we have created, and you can see the packet hits and all. Here you have the control-plane options as well, where you can check the aggregate path and the counters, and you have the features that you can go and verify. But the main thing here is to check the control plane, and then we can check the platform and the QoS as well. If you go to the monitoring section here, you can see that you have show policy-map control-plane, and then you can check the platform QoS IP output as well.

So let me show you this show platform command. Not all hardware supports this output. Here, for example, I don't have this output supported; I can check the hardware, but it's not equivalent to show platform qos ip. But we have options to further check the control plane: the control plane aggregate path, the cef-exception path, the counters, the features, the control plane host path and the control plane transit path. So this is the way that we can create the policy, apply the policy and then verify it.
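The lab steps above written out as IOS configuration, as an added example that is not taken from the original video. The ACL names, the ACL contents and both police rates are assumptions (the transcript gives no rate for the ICMP class and an unclear one for IP-REDIRECT); the class names, bursts and actions follow the walkthrough.

```cisco
! Assumed ACLs: the transcript only says an ACL can be matched.
ip access-list extended ACL-ICMP
 permit icmp any any
ip access-list extended ACL-IP-REDIRECT
 permit icmp any any redirect
!
class-map match-any ICMP-COPP
 match access-group name ACL-ICMP
class-map match-any IP-REDIRECT
 match access-group name ACL-IP-REDIRECT
!
policy-map COPP-POLICY
 ! Classes are evaluated top down. With the assumed ACLs, ACL-ICMP would
 ! also match redirects, so the more specific class is listed first.
 class IP-REDIRECT
  ! Rate of 100 pps is assumed. Burst 2 packets, conform and exceed both drop.
  police rate 100 pps burst 2 packets conform-action drop exceed-action drop
 class ICMP-COPP
  ! Rate of 10 pps is assumed. Burst 1 packet, conform transmit, exceed drop.
  police rate 10 pps burst 1 packets conform-action transmit exceed-action drop
!
! Attach the policy to traffic punted to the route processor.
control-plane
 service-policy input COPP-POLICY
!
! Verification from exec mode: per-class hit counters first, then the
! control-plane views mentioned in the lab.
! show policy-map control-plane
! show control-plane counters
! show control-plane features
```

Traffic that matches neither class falls into class-default and is not policed by this policy, so the per-class counters in show policy-map control-plane are the place to confirm that each class is seeing the packets you expect before tightening rates.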

13. API & API Security

The next topic we have to understand is REST API security. It is good practice, before understanding REST API security, to understand what a REST API is, or what an API itself is, and then how we can use it. That's the reason that in the upcoming two videos you will find that I have taken the example of the Cisco SD-WAN Viptela API. It uses the Swagger API interface. From there I'm first going to explain what a RESTful API is and how it is used. We have the CLI, the GUI and then the API. So why is it used, and what are the things we can do with the API?

The example is specific, but you can think of it as true for the APIs of all the supported technologies. What does that mean? It means it holds, say for example, for ACI, for DNAC, for SD-WAN, or any other SDN-supported infrastructure. So we'll learn what the methods and methodology for this API are. In the coming two videos you'll find small examples of how we do the API call, and after that we'll learn about API security as well.

14. API SDWAN 01

The next topic is application programming interfaces, APIs. APIs are now gaining popularity. Why? If you look at the evolution of the networking domain, we started with the CLI, the command-line interface. Then we have the GUI, the graphical user interface. And finally we have the application programming interface as well. The CLI is also good and fast, but with the GUI and the API we can do things very fast, and with the API, if we do bulk API calls, the result is very accurate: there is less chance of human error and it is much faster. So we use the API to speed things up. Here we have the RESTful API for vManage. We can use the API for third-party integration use cases, and inside vManage we also have the Swagger API interface, from where we can do multiple tasks.

The important thing here is that we are using the RESTful API, that is, the representational state transfer API. You can see that we can do things with the help of CLI, SSH, syslog, SNMP and NETCONF, but we can also connect to vManage with the RESTful API. Once you are connected with the RESTful API, what can you do? Actually, you can do each and everything: certificate management, configuration, device inventory, monitoring, real-time monitoring and troubleshooting. Everything is possible. The important thing to see is that while using these APIs we have four different types of methods. So what are those methods? First we have the method called PUT.

To update an object, you have the PUT method. Then you have the GET method, which is very much like a show command: if you want to retrieve the information about an object, you use GET. Then you have the POST method if you want to create a new object. And finally you have DELETE if you want to delete an object. So these are the four methods that all the APIs use: GET, PUT, POST and DELETE. Now we have the resources. You can think of a resource as a group of objects, and a resource collection as a group of resources. So here we know what type of tasks we can do with the help of the API.

On top of the chart you can see the resource collections. What is a resource collection for? Take administration, for example: you can group all the objects related to administration tasks, and with the help of the API you can work with them. So administration covers groups, viewing the audit log, managing the local vManage server, et cetera. Then there are certificate management, configuration, device inventory, monitoring, real-time monitoring and troubleshooting. If you check behind the scenes, these are the objects, and you are collecting objects of the same type.

These objects should have a format, and here you can see that the vManage REST API uses the JSON data model to represent them. We'll see later on that the output we get is in JSON format. JSON has three types of data: scalar, array and object. That's very much programming related, and you can go and check it. Once you log into the Swagger interface, you'll find color coding for these operations: DELETE will be red, GET will be blue, POST will be green, PUT will be brown. Now how can I log into the Swagger interface? For that you use this URL: your vManage IP and then apidocs. So let me log in to the Swagger interface. Here I have my vManage dashboard, and we can go and open the API docs. It redirects, and on top you can see the API documentation page fetching the resources for the API doc.

Then you'll get the long list of things that we can do. Give it some time to load, and meanwhile we'll check the slides. You can log in there, and then you have the API calls: you can use dataservice and call different types of things. For example, if you want to see the OMP peering, let me quickly show you how you can build your own query, your own API call. Let me open Notepad here. For OMP peering, you can see that the API path is dataservice, then device, OMP, peers, and then you have to give the device ID, that is, the system ID. So for example, ten 40 dot one: I want to check the OMP peers for this particular device. So let me go to info.

So like that you can create the call. I think we have our API doc page open now, so let me quickly log in there. Here you can see the API doc. If you want to search for OMP, you can look under real-time monitoring, OMP. You want to check the OMP peers, and here you have the OMP peers call. As per our slide, you can see that GET is in blue, and the other methods have different colors; DELETE will be red, and so on. You want to check the OMP peers for ten 40 one, so you can query this. If you run the query, you can see the response codes: 200 means success, 400 is bad request, 403 is forbidden and 500 is internal error.

Here you can see that we got the request URL, and here you can see the output. So this output shows who the OMP peers are. My OMP peer will always be the vSmart. Here we can see that both peers, the two vSmarts, are my OMP peers. We are also building our own API call: here we have the API call for OMP peers, and the only thing needed is to add the URL and port number, and that's it. So I will copy this and paste it here. Once you paste it, you can see that you're getting the result. If you want to get the result in JSON format, let me use the other browser for the same call and show you the same output there.

I ran it inside Mozilla, and here you can see that we are getting JSON format. Inside that you have the header; if you minimize the header, you have the data value. In the data value you can see that your peer is a vSmart along with its IP, and then your other peer is the other vSmart with its IP. So you are getting the result. Likewise you can use any of these API calls. Suppose you want to check the DTLS or TLS connections; you can use this. Let me quickly build this one more time. Here we can copy and paste as well. For the DTLS and TLS connection API call, you go to device, then control, then connections. So I can copy this, and this will be one of my API calls.

15. API SDWAN 02

So now we have built our API call to check the control connections. We copy and paste it, and we are getting an error. Let me quickly fix this error. What we can do at this point is check in vManage, from where we can get this particular API. I'm logging back in to the API docs. Once I get my screen, I'll search for the DTLS connection API. Here we have the search option, so we can look for the API for DTLS. We go to real-time monitoring, control, and if you scroll down you'll find the one for the number of control connections. If you give the system ID and try it out, you get the exact API you are looking for. You can see that there is a small change in the API, and that's why we were not getting the correct result. Now I can go back and put in the correct API, and you can see we are getting the result: the control connections related to this particular device. You can see who the controllers are. One is the vManage; you can see the public IP. And this one is the vSmart. Here you can see the peer type as well.

So one vSmart, then vSmart number two, then the vSmart over the other transport; this is again the other vSmart, which means we have two vSmarts. And finally you should have vManage as well; here you can see vManage over MPLS. So this is the way that you can check all types of APIs. You can check the BGP connections. Then, if you want to check the orchestrator connections, we can see what the API call is, what the GUI equivalent is and what the CLI equivalent is, and we can even compare all three. For example, show orchestrator local-properties is the CLI.

In the GUI we can also check it, and the URL, meaning the API call, you can verify as well. In this way you can have a list of what the CLI, the GUI and the API equivalents are, and later on you can use only the GUI and the API calls. If you want to verify OSPF-related things like database, interface, neighbors, processes, etc., you can run those API calls too. We have built the calls for two; you can build the rest of them and they will work the same way. All right, so this is related to API. In the next section we'll discuss software upgrade.
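The two GET calls built in these videos, as an added Python example that is not from the original post: it builds the dataservice URL from a validated system IP, maps the status codes listed above, and flags any OMP peer that is not a vSmart. The host name, port, JSON field names and sample response are constructed assumptions; confirm the exact paths in your own vManage apidocs page.

```python
import ipaddress
import json
from urllib.parse import urlencode

# Status codes called out in the walkthrough.
STATUS_MEANING = {200: "success", 400: "bad request",
                  403: "forbidden", 500: "internal error"}

# Real-time monitoring resources used in the videos (GET only).
RESOURCES = {
    "omp_peers": "/dataservice/device/omp/peers",
    "control_connections": "/dataservice/device/control/connections",
}

# Constructed sample body: a header plus a data array, as described above.
# The field names "peer" and "type" are assumptions for illustration.
SAMPLE_BODY = json.dumps({
    "header": {"generatedOn": 0},
    "data": [
        {"peer": "192.0.2.11", "type": "vsmart"},
        {"peer": "192.0.2.12", "type": "vsmart"},
        {"peer": "192.0.2.50", "type": "vedge"},
    ],
})

def build_url(host, port, resource, device_id):
    """Return the GET URL for one device; reject anything that is not an IP."""
    system_ip = ipaddress.ip_address(device_id)  # ValueError on junk input
    path = RESOURCES[resource]                   # KeyError on unknown resource
    query = urlencode({"deviceId": str(system_ip)})
    return f"https://{host}:{port}{path}?{query}"

def summarize(status, body):
    """Map the status code and pull (peer, type) pairs out of 'data'."""
    meaning = STATUS_MEANING.get(status, "unexpected")
    if status != 200:
        return meaning, []
    rows = json.loads(body).get("data", [])
    return meaning, [(r.get("peer"), r.get("type")) for r in rows]

def unexpected_peers(pairs):
    """An edge's OMP peers should all be vSmarts; return the ones that are not."""
    return [peer for peer, kind in pairs if kind != "vsmart"]

if __name__ == "__main__":
    print(build_url("vmanage.example", 8443, "omp_peers", "10.0.0.1"))
    meaning, pairs = summarize(200, SAMPLE_BODY)
    print(meaning, pairs, unexpected_peers(pairs))
```

Validating the device ID before it reaches the query string keeps a pasted or scripted value from appending extra parameters to the request.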
