Feedback
Table Of Contents
Using Query Methods for Policies
Authentication via Management Controller
Tenant Management via Service Registry
Using the VNMC XML API
This chapter includes the following:
•
VNMC XML API Use Case Example
API method details are provided below.
Tutorial Examples
This section contains the following topics:
•
Authentication Methods
Authentication allows API interaction with VNMC. It also provides a way to set permissions and control the operations that can be performed.
Note
Login
The following example uses a Linux POST command to post authentication requests, using HTTPS to VNMC.
POST https://10.193.34.70/xmlIM/mgmt-controllerPlease enter content (application/x-www-form-urlencoded) to be POSTed:Then use aaaLogin and provide a username and password:
<aaaLogininName="admin"inPassword="cisco@123"/>
Note
Each XMLAPI document represents an operation to be performed. When the request is received as an XML API document, VNMC reads the request and performs the actions as provided in the method. VNMC responds with a message in XML document format and indicates success or failure of the request.
The following is a typical successful response:
(1) <aaaLogin(2) response="yes"(3) outCookie="<real_cookie>"(4) outRefreshPeriod="600"(5) outPriv="admin,read-only"(6) outDomains="mgmt02-dummy"(7) outChannel="fullssl"(8) outEvtChannel="fullssl">(9) </aaaLogin>(1) The method used to login.
(2) Confirms this is a response.
(3) This is the session cookie.
(4) The recommended cookie refresh period. The default login session length is two hours.
(5) The privileges assigned to the user account.
(6) The outDomains value is mgmt02-dummy.
(7) The outChannel value is fullssl (this session is using encryption over SSL).
(8) The outEvtChannel value is fullssl (any event subscriptions use encryption over SSL).
(9) Closing tag.
Note
Refreshing the Session
Sessions are refreshed with aaaRefresh method, using the 47-character cookie obtained either from the aaaLogin response or a previous refresh.
<aaaRefreshinName="admin"inPassword="mypasword"inCookie="<real_cookie>"/>Logging Out of the Session
Use the following method to log out of a session:
<aaaLogoutinCookie="<real_cookie>" />Unsuccessful Responses
The following is the response to a failed login:
(1) <aaaLogin(2) response="yes"(3) cookie=""(4) errorCode="551"(5) invocationResult="unidentified-fail"(6) errorDescr="Authentication failed">(7) </aaaLogin>(1) The method used to login. The VNMC sends a response message with the result from the method.
(2) Confirms this is a response.
(3) The VNMC does not supply a session cookie.
(4) (5) (6) Shows the error code and description.
(7) Closing tagQuery Methods
Query methods obtain information (that is, hierarchy, state, and scope)
This section contains the following topics:
Using configResolveDn
When resolving a DN, note the following:
•
•
•
•
•
See the example request/response in configResolveDn, page 3-22.
Using configResolveDns
When resolving multiple DNs, note the following:
•
•
•
•
•
•
Unknown DNs are returned as part of the outUnresolved element.
See the example request/response in configResolveDns, page 3-24.
Using configResolveClass
When resolving a class, note the following:
•
•
•
•
•
Result sets can be large. Be precise when defining result sets. For example, to obtain only a list of servers, use computeBlade as the attribute value for classId in the query. To get all instances of equipment, query the equipmentItem class. This queries for all instances of the class equipmentItem:
<configResolveClasscookie="<real_cookie>"inHierarchical="false"classId="faultPolicy"/>See the example request/response in configResolveClass, page 3-20.
Using configResolveClasses
When resolving multiple classes, note the following:
•
•
•
•
•
If an invalid class name is specified in the inId attribute, an XML parsing error is generated. The query cannot execute.
See the example request/response in configResolveClasses, page 3-21.
Using configFindDnsByClassId
When finding distinguished names of a specified class, note the following
•
•
•
•
•
See the example request/response in configFindDnsByClassId, page 3-16.
Using configResolveChildren
When resolving children of objects in the management information tree, note the following:
•
•
•
•
•
•
See the example request/response in configResolveChildren, page 3-18.
Using configResolveParent
When resolving the parent object of an object, note the following:
•
•
•
•
•
See the example request/response in configResolveParent, page 3-26.
Using configScope
Limiting the scope of a query allows for a finer grained, less resource-intensive request. The query can be anchored at a point in the management information tree other than the root. When setting the query scope, note the following:
•
•
•
•
•
•
The following example queries for the policies in the policy manager:
<configScope dn="sys/chassis-1"inClass=""cookie="<real_cookie>"inHierarchical="false"/>Also see the example request/response in configScope, page 3-28.
Using Query Methods for Policies
Policies are available on different organizations. In a large system with many policies, querying all policies at once is resource intensive. Instead, identify the type of policy and the parent org on which the policies are attached. For example, use the following query to get all the rule based policies defined under a tenant with the dn " org-root/org-tenant_d3338",
<configScopecookie="<real_cookie>"inHierarchical="false"dn="org-root/org-tenant_d3338"inClass="policyRuleBasedPolicy" />The response is as follows:
<configScopedn="org-root/org-tenant_d3338"cookie="<real_cookie>"commCookie="7/13/0/24e7"srcExtSys="10.193.34.70"destExtSys="10.193.34.70"srcSvc="sam_extXMLApi"destSvc="policy-mgr_dme"response="yes"><outConfigs><policyRuleBasedPolicydescr=""dn="org-root/org-tenant_d3338/pol-p9"intId="10274"name="p9"/><policyRuleBasedPolicydescr=""dn="org-root/org-tenant_d3338/pol-p1"intId="10301"name="p1"/></outConfigs></configScope>Although, a query by the DN is more efficient:
<configResolveDninHierarchical="false"cookie="<real_cookie>"dn="sys org-root/org-tenant_d3338/pol-p1"></configResolveDn>To get the policy object and its rule data, change inHierarchical to true:
<configResolveDninHierarchical="true"cookie="<real_cookie>"dn=" org-root/org-tenant_d3338/pol-p1"></configResolveDn>Querying Faults
The following example obtains a list of major faults:
<configResolveClasscookie="<real_cookie>"inHierarchical="false"classId="faultInst"/>The following example (which contains the filter <inFilter>eq class= "faultInst") obtains a list of all major or critical faults:
<configResolveClasscookie="<real_cookie>"inHierarchical="false"classId="faultInst"><inFilter><eq class="faultInst"property="highestSeverity"value="major" /></inFilter></configResolveClass>Using Filters
Use filters to create specific and targeted queries. This section contains the following topics:
Simple Filters
Simple filters use true and false conditions of properties to select results.
False example
<configResolveClasscookie="<real_cookie>"classId="topSystem"inHierarchical="false"><inFilter></inFilter></configResolveClass>
True example<configResolveClasscookie="<real_cookie>"classId="topSystem"inHierarchical="true"><inFilter></inFilter></configResolveClass>Property Filters
Equality Filter
The example shows a query for all associated compute firewalls. The equality filter is framed as follows:
<configResolveClasscookie="<real_cookie>"inHierarchical="false"classId="fwComputeFirewall"><inFilter><eq class="fwComputeFirewall"property="assocState"value="associated" /></inFilter></configResolveClass>Not Equal Filter
The example finds all compute firewalls that are not associated. The filter is framed as follows:
<configResolveClasscookie="<real_cookie>"inHierarchical="false"classId="fwComputeFirewall"><inFilter><ne class="fwComputeFirewall"property="assocState"value="associated" /></inFilter></configResolveClass>Greater Than Filter
The example finds the memory arrays with more than 1024 MB capacity. The filter is framed as follows:
<configResolveClasscookie="<real_cookie>"inHierarchical="false"classId="memoryArray"><inFilter><gt class="memoryArray"property="currCapacity"value="1024" /></inFilter></configResolveClass>Greater Than or Equal to Filter
The example finds core dump files with size greater than 2MB. The filter is framed as follows:
<configResolveClasscookie="<real_cookie>"inHierarchical="false"classId="sysdebugCore"><inFilter><ge class="sysdebugCore"property="size"value="2097152" /></inFilter></configResolveClass>Less Than Filter
The example finds core dumpfiles with size less than 2MB. The filter is framed as follows:
<configResolveClasscookie="<real_cookie>"inHierarchical="false"classId="sysdebugCore"><inFilter><lt class="sysdebugCore"property="size"value="2097152" /></inFilter></configResolveClass>Less Than or Equal to Filter
The example finds core dump files with size less than orequals to 2MB. The filter is framed as follows:
<configResolveClasscookie="<real_cookie>"inHierarchical="false"classId="sysdebugCore"><inFilter><le class="sysdebugCore"property="size"value="2097152" /></inFilter></configResolveClass>Wildcard Filter
The wildcard filter uses standard regular expression syntax. The example finds any virtual firewalls whose name begins with the prefix "dmz":
<configResolveClasscookie="<real_cookie>"inHierarchical="false"classId="fwInstance"><inFilter><wcard class="fwInstance"property="name"value="dmz.*" /></inFilter></configResolveClass>Any Bits Filter
The example finds all managed endpoints that have a capacity of either vm-fw or vm-vasw (the property capability is a bit mask). The filter is framed as follows:
<configResolveClasscookie="null"inHierarchical="false"classId="extpolClient"><inFilter><anybit class="extpolClient"property="capability"value="vm-fw,vm-vasw" /></inFilter></configResolveClass>All Bits Filter
The example finds all service profiles with the capability bit mask set to both vm-fw and vm-slb. The filter is framed as follows:
<configResolveClasscookie="<real_cookie>"inHierarchical="false"classId="extpolClient"><inFilter><allbits class="extpolClient"property="capability"value="vm-fw,vm-vasw" /></inFilter></configResolveClass>Composite Filters
AND Filter
To finad all computer firewalls that are associated with configuration properly applied, run the following query:
<configResolveClasscookie="<real_cookie>"inHierarchical="false"classId="fwComputeFirewall"><inFilter><and><eq class="fwComputeFirewall"property="assocState"value="associated" /><eq class="fwComputeFirewall"property="configState"value="applied" /></and></inFilter></configResolveClass>OR Filter
The example returns all managed endpoints whose operational state is either "lost-visibility" or "unregistered".
<configResolveClassinHierarchical="false"cookie="<real_cookie>"classId="extpolClient"><inFilter><or><eq class="extpolClient"property="operState"value="unregistered"/><eq class="extpolClient"property="operState"value="lost-visibility"/></or></inFilter></configResolveClass>Between Filter
The example finds the memory arrays with slots 1, 2, 3, 4, or 5 populated (note that the between range is inclusive). The filter is framed as follows:
<configResolveClasscookie="<real_cookie>"inHierarchical="false"classId="memoryarray"><inFilter><bw class="memoryArray"property="populated"firstValue="1"secondValue="5"/></inFilter></configResolveClass>AND, OR, NOT Composite Filter
The example is an AND, OR, NOT combination. It returns all objects of type computeBlade that are located in slot one or slot eight from all chassis, except chassis five.
<configResolveClassinHierarchical="false"cookie="<real_cookie>"classId="computeBlade"><inFilter><and><or><eq class="computeBlade"property="slotId"value="1"/><eq class="computeBlade"property="slotId"value="8"/></or><not><eq class="computeBlade"property="chassisId"value="5"/></not></and></inFilter></configResolveClass>Modifier Filter
NOT Filter
The NOT filter can negate a contained filter. The example below queries for managed endpoints that do not have a capability of "vm-fw" (the property capability is a bit mask):
<configResolveClasscookie="<real_cookie>"inHierarchical="false"classId="extpolClient"><inFilter><not><anybit class="extpolClient"property="capability"value="vm-fw" /></not></inFilter></configResolveClass>VNMC XML API Use Case Example
This use case is provided to enable API developers to have an example on using the VNMC XML API to configure and manage the VNMC application.
This use case example is divided into these sections with the ordering of sections representing the workflow:
•
•
Authentication via Management Controller
Login
Access to the VNMC is session-based and must first be authenticated with a login request. Default session lengths are 120 minutes. Sessions can be extended with the aaaKeepAlive and aaaRefresh methods. It is recommended that when activity is completed that the user manually log out of the session using aaaLogout.
Use service type 'mgmt-controller' to send your login request to VNMC.
Request
POST URL: https://10.193.33.221/xmlIM/mgmt-controllerXML API payload:<aaaLogininName="admin"inPassword="Nbv12345" />Response
<aaaLogincookie=""commCookie=""srcExtSys="0.0.0.0"destExtSys="0.0.0.0"srcSvc="" destSvc=""response="yes"outCookie="<real_cookie>"outRefreshPeriod="600"outPriv="admin,read-only"outDomains=""outChannel="fullssl"outEvtChannel="fullssl"outSessionId="web_13528"outVersion="1.0"></aaaLogin>Tenant Management via Service Registry
The Service Registry (service type 'service-reg') is used to create and manage tenants and the sub-organizations which are used to organize the policies and resources under a tree hierarchy for the bottom-up based policy and resource resolution. Class names used in tenant and its sub-org creation VNMC supports the following four level organization hierarchies:
•
•
•
•
To create a new or update an existing org object, provide the object's DN and attribute values and use status "created" or "modified" respectively. To delete an org object, use status="deleted" in the request. The request shows how to create a tenant named demoTenant.
Request
POST URL: https://10.193.33.221/xmlIM/service-reg<configConfMoscookie="<real_cookie>"><inConfigs><pair key="org-root/org-demoTenant"><orgTenant dn="org-root/org-demoTenant"name="demoTenant"status="created"/></pair></inConfigs></configConfMos>Response
<configConfMoscookie="<real_cookie>"commCookie="2/15/0/839"srcExtSys="10.193.33.221"destExtSys="10.193.33.221"srcSvc="sam_extXMLApi"destSvc="service-reg_dme"response="yes"><outConfigs><pair key="org-root/org-demoTenant"><orgTenantdescr=""dn="org-root/org-demoTenant"fltAggr="0"level="1"name="demoTenant"status="created"/></pair></outConfigs></configConfMos>Policy Management
The API sample payloads have been taken from their usage in the VNMC GUI application.
In each example where configConfMos API used a single XML element <pair> to specify a single configuration object, as an alternative, the configConfMo API can be used to obtain the same result.
This section includes the following topics:
•
Device Policy
These actions establish various policies that include:
•
•
Syslog
Description
The syslog policy object tracks all actions that take place within the system. It sets the logging level for a device policy. This creates mysyslog.
Request
POST URL: https://10.193.33.221/xmlIM/policy-mgrXML API payload:<configConfMoscookie="<real_cookie>"><inConfigs> <pair key="org-root/syslog-mysyslog"><commSyslog dn="org-root/syslog-mysyslog"><commSyslogConsoleadminState="enabled"severity="emergencies"/><commSyslogClientname="primary"adminState="enabled"hostname="5.6.7.8"severity="notifications"forwardingFacility="local7"/><commSyslogClientname="secondary"adminState="enabled"hostname="123.23.53.123"severity="warnings"forwardingFacility="local5"/></commSyslog></pair></inConfigs></configConfMos>Response
<configConfMoscookie="<real_cookie>"commCookie="7/15/0/1b9"srcExtSys="10.193.33.221"destExtSys="10.193.33.221"srcSvc="sam_extXMLApi"destSvc="policy-mgr_dme"response="yes"><outConfigs><pair key="org-root/syslog-mysyslog"><commSyslogadminState="enabled"descr=""dn="org-root/syslog-mysyslog"intId="25301"name="mysyslog"port="514"proto="udp"severity="warnings"status="created"/></pair></outConfigs></configConfMos>SNMP
This example creates a SNMP policy named mysnmp. Once created, this will be available by that name in the device profile listing.
Request
POST URL: https://10.193.33.221/xmlIM/policy-mgrXML API payload:<configConfMoscookie="<real_cookie>"><inConfigs><pair key="org-root/snmp-mysnmp"><commSnmp dn="org-root/snmp-mysnmp"adminState="enabled"descr="The default SNMP policy"sysContact="Andrew Jackson"sysLocation="San Jose" ><commSnmpCommunitycommunity="public"role="read-only"/><commSnmpTraphostname="nms-1.cisco.com"community="private"/><commSnmpTraphostname="nms-2.cisco.com"community="private"/></commSnmp></pair></inConfigs></configConfMos>Response
<configConfMoscookie="<real_cookie>"commCookie="7/15/0/1bc"srcExtSys="10.193.33.221"destExtSys="10.193.33.221"srcSvc="sam_extXMLApi"destSvc="policy-mgr_dme"response="yes"><outConfigs><pair key="org-root/snmp-mysnmp"><commSnmpadminState="enabled"descr="The default SNMP policy"dn="org-root/snmp-mysnmp"intId="25281"name="mysnmp"port="161"proto="all"sysContact="Andrew Jackson"sysLocation="San Jose"/></pair></outConfigs></configConfMos>LogProfile
This example sets the debug level for a LogProfile policy named debugLog. It sets the logging level.
Request
POST URL: https://10.193.33.221/xmlIM/policy-mgrXML API payload:<configConfMoscookie="<real_cookie>"><inConfigs><pair key="org-root/logprof-default"><policyLogProfiledn="org-root/logprof-debugLog"name="debugLog"level="debug1"size="10000000"backupCount="4"/></pair></inConfigs></configConfMos>Response
<configConfMoscookie="<real_cookie>"commCookie="7/15/0/33"srcExtSys="10.193.33.221"destExtSys="10.193.33.221"srcSvc="sam_extXMLApi"destSvc="policy-mgr_dme"response="yes"><outConfigs><pair key="org-root/logprof-debugLog"><policyLogProfileadminState="enabled"backupCount="4"descr="the log level for every process"dn="org-root/logprof-debugLog"intId="10068"level="debug1"name="debugLog"size="10000000"status="modified"/></pair></outConfigs></configConfMos>Device Profile
This action creates a device profile named myDeviceProfile. It enables the profile and designates the contents of the profile.
Request
POST URL: https://10.193.33.221/xmlIM/policy-mgrXML API payload:<configConfMoscookie="<real_cookie>"><inConfigs><pair key="org-root/org-Cola/fwdevprofile-myDeviceProfile"><fwpolicyFirewallDeviceProfiledn="org-root/org-Cola/fwdevprofile-myDeviceProfile"adminState="enabled"snmpPolicy="mysnmp"syslogPolicy="mysyslog"timezone="America/Los_Angeles" ><commDnsname="somedns.com"domain="somedns.com"/><!-- The order means the device should first use the DNS provider with the smallest "order" value. If that DNS server is not responsive, use the DNS provider with the next smaller number. --><commDnsProviderhostip="171.70.168.183"order="1"/><commDnsProviderhostip="171.68.226.120"order="2"/><commDnsProviderhostip="64.102.6.247"order="3"/><commNtpProvidername="somentp.com"order="1"/><commNtpProvidername="north-america.pool.ntp.org"order="2"/></fwpolicyFirewallDeviceProfile></pair></inConfigs></configConfMos>Response
<configConfMoscookie="<real_cookie>"commCookie="7/15/0/1ba"srcExtSys="10.193.33.221"destExtSys="10.193.33.221"srcSvc="sam_extXMLApi"destSvc="policy-mgr_dme"response="yes"><outConfigs><pair key="org-root/org-Cola/fwdevprofile-myDeviceProfile"><fwpolicyFirewallDeviceProfileadminState="enabled"coreFilePolicy=""descr=""dn="org-root/org-Cola/fwdevprofile-myDeviceProfile"dnsPolicy=""enablePolicyDecisionLog="no"faultPolicy=""httpPolicy=""httpsPolicy=""intId="25326"logProfilePolicy=""name="myDeviceProfile"snmpPolicy="mysnmp"status="created"syslogPolicy="mysyslog"telnetPolicy=""timezone="America/Los_Angeles"/></pair></outConfigs></configConfMos>Zone
This creates two zones named trustedClients-0 and trustedServers-0. A set of attributes with values are also assigned.
Request
POST URL: https://10.193.33.221/xmlIM/policy-mgrXML API payload:<configConfMoscookie="<real_cookie>"><inConfigs><pair key="org-root/org-Cisco/zone-trustedClients-0"><!-- Create a zone of all VMs in the 192.168.1.0/24 subnet --><policyZone dn="org-root/org-Cisco/zone-trustedClients-0"><policyZoneCondition id="1" order="1"><policyZoneExpression opr="prefix"><policyIPAddress id="1" value="192.168.1.0" /><policyIPSubnet id="1" value="255.255.255.0" /></policyZoneExpression></policyZoneCondition></policyZone></pair><pair key="org-root/org-Cisco/zone-trustedServers-0"><!-- Create a zone of all VMs attached to a VNSP where the "appType" is set to "BuildServer" --><policyZone dn="org-root/org-Cisco/zone-trustedServers-0"><policyZoneCondition id="1" order="1"><policyZoneExpression opr="eq"><policyParentAppName id="1" value="BuildServer" /></policyZoneExpression></policyZoneCondition></policyZone></pair></inConfigs></configConfMos>Response
<configConfMoscookie="<real_cookie>"commCookie="7/15/0/1a6"srcExtSys="10.193.33.221"destExtSys="10.193.33.221"srcSvc="sam_extXMLApi"destSvc="policy-mgr_dme"response="yes"><outConfigs><pair key="org-root/org-tenant0/zone-zone0"><policyZonedescr=""dn="org-root/org-tenant0/zone-zone0"intId="24295"name="zone0"status="created"/></pair><pair key="org-root/org-Cisco/zone-trustedServers-0"><policyZonedescr=""dn="org-root/org-Cisco/zone-trustedServers-0"intId="24404"name="trustedServers-0"status="created"/></pair><pair key="org-root/org-Cisco/zone-trustedClients-0"><policyZonedescr=""dn="org-root/org-Cisco/zone-trustedClients-0"intId="24408"name="trustedClients-0"status="created"/></pair></outConfigs></configConfMos>Object Group
This example creates an object group named ftpPorts0 and assigns a set of attributes.
Request
POST URL: https://10.193.33.221/xmlIM/policy-mgrXML API payload:<configConfMoscookie="<real_cookie>"><inConfigs><pair key="org-root/org-tenant0/objgrp-ftpPorts0"><policyObjectGroup dn="org-root/org-tenant0/objgrp-ftpPorts0"><policyObjectGroupExpression id="1" order="1" opr="eq"><policyNetworkPort id="1" value="20" /></policyObjectGroupExpression><policyObjectGroupExpression id="2" order="2" opr="eq"><policyNetworkPort id="1" value="21" /></policyObjectGroupExpression></policyObjectGroup></pair></inConfigs></configConfMos>Response
<configConfMoscookie="<real_cookie>"commCookie="7/15/0/1a4"srcExtSys="10.193.33.221"destExtSys="10.193.33.221"srcSvc="sam_extXMLApi"destSvc="policy-mgr_dme"response="yes"><outConfigs><pair key="org-root/org-tenant0/objgrp-ftpPorts0"><policyObjectGroupattributeName=""descr=""dn="org-root/org-tenant0/objgrp-ftpPorts0"intId="24265"name="ftpPorts0"status="created"/></pair></outConfigs></configConfMos>Attribute Dictionary
This sets the dictionary that defines the various attribute IDs and name.
Request
POST URL: https://10.193.33.221/xmlIM/policy-mgrXML API payload:<configConfMoscookie="<real_cookie>"><inConfigs><!-- Create Sample VnspCustomDictionary under org-Cisco --><pair key="org-root/attr-dict-custom-userAttrs"><policyVnspCustomDictionary dn="org-root/attr-dict-custom-userAttrs"><policyVnspCustomAttr dataType="string" id="1" name="userAttr1" /><policyVnspCustomAttr dataType="string" id="2" name="userAttr2" /><policyVnspCustomAttr dataType="string" id="3" name="dept" /><policyVnspCustomAttr dataType="string" id="4" name="production" /></policyVnspCustomDictionary></pair></inConfigs></configConfMos>Response
<configConfMoscookie="<real_cookie>"commCookie="7/15/0/1a3"srcExtSys="10.193.33.221"destExtSys="10.193.33.221"srcSvc="sam_extXMLApi"destSvc="policy-mgr_dme"response="yes"><outConfigs><pair key="org-root/attr-dict-custom-userAttrs"><policyVnspCustomDictionarydescr=""dn="org-root/attr-dict-custom-userAttrs"intId="24245"name="userAttrs"status="created"/></pair></outConfigs></configConfMos>Policy
This creates a policy named trustedHosts and sets the rules it can use.
Request
POST URL: https://10.193.33.221/xmlIM/policy-mgrXML API payload:<configConfMoscookie="<real_cookie>"><inConfigs><pair key="org-root/org-Cisco/pol-trustedHosts"><policyRuleBasedPolicy dn="org-root/org-Cisco/pol-trustedHosts"><policyRule name="allowSsh" order="1"><!-- This rule allows all VMs in zone "trustedClients" to initiate an SSH connection to VMs in zone "trustedServers" --><policyRuleCondition id="100" order="1"><policyNetworkExpression opr="eq"><policyNwAttrQualifier attrEp="source"/><policyZoneNameRef id="1" value="trustedClients-0" /></policyNetworkExpression></policyRuleCondition><policyRuleCondition id="101" order="20"><policyNetworkExpression opr="eq"><policyNwAttrQualifier attrEp="destination"/><policyZoneNameRef id="1" value="trustedServers-0" /></policyNetworkExpression></policyRuleCondition><policyRuleCondition id="103" order="30"><policyNetworkExpression opr="eq"><policyNwAttrQualifier attrEp="destination"/><policyNetworkPort id="1" placement="0" value="22" /></policyNetworkExpression></policyRuleCondition><fwpolicyAction actionType="permit"/></policyRule><policyRule name="allowTacacs" order="2"><fwpolicyAction actionType="permit"/></policyRule></policyRuleBasedPolicy></pair></inConfigs></configConfMos>Response
<configConfMoscookie="<real_cookie>"commCookie="7/15/0/1b5"srcExtSys="10.193.33.221"destExtSys="10.193.33.221"srcSvc="sam_extXMLApi"destSvc="policy-mgr_dme"response="yes"><outConfigs><pair key="org-root/org-Cisco/pol-trustedHosts"><policyRuleBasedPolicydescr=""dn="org-root/org-Cisco/pol-trustedHosts"intId="25131"name="trustedHosts"status="created"/></pair></outConfigs></configConfMos>PolicySet
This creates myPolicySet0 and sets the order that policies are applied.
Request
POST URL: https://10.193.33.221/xmlIM/policy-mgrXML API payload:<configConfMoscookie="<real_cookie>"><inConfigs><pair key="org-root/org-tenant0/pset-myPolicySet0"><policyPolicySetdn="org-root/org-tenant0/pset-myPolicySet0"<!-- Policy Set contains references to three policies. Policies are resolved by name in the org hierarchy. Ordering of policies is important, so we use the "order" property to order the policies. Note that two policy sets can refer to the same policies, and use a different order. --><policyPolicyNameRef order="1" policyName="trustedHosts"/></policyPolicySet></pair></inConfigs></configConfMos>Response
<configConfMoscookie="<real_cookied>"commCookie="7/15/0/1a8"srcExtSys="10.193.33.221"destExtSys="10.193.33.221"srcSvc="sam_extXMLApi"destSvc="policy-mgr_dme"response="yes"><outConfigs><pair key="org-root/org-tenant0/pset-myPolicySet0"><policyPolicySetadminState="enabled"descr=""dn="org-root/org-tenant0/pset-myPolicySet0"intId="24431"name="myPolicySet0"status="created"/></pair></outConfigs></configConfMos>Security Profile
This creates a security profile named vnsp-sp1, and assigns the VNSP to it.
Request
POST URL: https://10.193.33.221/xmlIM/policy-mgrXML API payload:<configConfMoscookie="<real_cookie>"><inConfigs><pair key="org-root/org-tenant0/vnsp-sp1"><policyVirtualNetworkServiceProfiledn="org-root/org-tenant0/vnsp-sp1"policySetNameRef="myPolicySet0"><policyVnspAVPair id="1"><policyAttributeDesignator attrName="dept"/><policyAttributeValue value="DEV" /></policyVnspAVPair></policyVirtualNetworkServiceProfile></pair></inConfigs></configConfMos>Response
<configConfMoscookie="<real_cookie>"commCookie="7/15/0/1ac"srcExtSys="10.193.33.221"destExtSys="10.193.33.221"srcSvc="sam_extXMLApi"destSvc="policy-mgr_dme"response="yes"><outConfigs><pair key="org-root/org-tenant0/vnsp-sp1"><policyVirtualNetworkServiceProfiledescr=""dn="org-root/org-tenant0/vnsp-sp1"intId="24512"name="sp1"policySetNameRef="myPolicySet0"status="created"vnspId="2"/></pair></outConfigs></configConfMos>Resource Management
This component performs the following functions:
•
•
•
This section includes the following topics:
Compute Firewall
This assigns computeFirewall to a device policy..
Request
POST URL: https://10.193.33.221/xmlIM/resource-mgrXML API payload:<configConfMoscookie="<real_cookie>"><inConfigs><pair key="org-root/org-Cisco/cfw-VSNaaa"><fwComputeFirewall dn="org-root/org-Cisco/cfw-VSNaaa"devicePolicy="myDeviceProfile"hostname="cfw-VSNaaa"dataIpAddress="10.10.10.100"></fwComputeFirewall></pair></inConfigs></configConfMos>Response
<configConfMoscookie="<real_cookie>"commCookie="5/15/0/19a"srcExtSys="10.193.33.221"destExtSys="10.193.33.221"srcSvc="sam_extXMLApi"destSvc="resource-mgr_dme"response="yes"><outConfigs><pair key="org-root/org-Cisco/cfw-VSNaaa"><fwComputeFirewallassocState="unassociated"configState="not-applied"dataIpAddress="10.10.10.100"dataIpSubnet="255.255.255.0"descr=""devicePolicy="myDeviceProfile"dn="org-root/org-Cisco/cfw-VSNaaa"fltAggr="0"hostname="cfw-VSNaaa"intId="12368"name="VSNaaa"status="created"/></pair></outConfigs></configConfMos>Query Firewall Instances
This queries all firewall instances and their attributes.
Request
POST URL: https://10.193.33.221/xmlIM/resource-mgrXML API payload:<configResolveClasscookie="<real_cookie>"classId="fwInstance"inHierarchical="false"><inFilter><eq class="fwInstance"property="mgmtIp"value="10.193.33.221" /></inFilter></configResolveClass>Response
configResolveClass cookie=<real_cookie>"commCookie="5/15/0/1d9"srcExtSys="10.193.33.221"destExtSys="10.193.33.221"srcSvc="sam_extXMLApi"destSvc="resource-mgr_dme"response="yes"classId="fwInstance"><outConfigs><fwInstanceassignedToDn=""assoc="none"descr=""dn="fw/inst-1005"fltAggr="0"fsmDescr=""fsmPrev="DisassociateSuccess"fsmProgr="100"fsmRmtInvErrCode="none"fsmRmtInvErrDescr=""fsmRmtInvRslt=""fsmStageDescr=""fsmStamp="2010-12-03T23:18:13.304"fsmStatus="nop"fsmTry="0"intId="10155"mgmtIp="10.193.33.221"model=""name="firewall"pooled="0"registeredClientDn="extpol/reg/clients/client-1005"revision="0"serial=""svcId="1005"vendor=""/></outConfigs></configResolveClass>Associate Firewall Instance
This associates a firewall instance to a managed object.
This example assigns firewall-0 to the inst-1005.
Request
POST URL: https://10.193.33.221/xmlIM/resource-mgrXML API payload:<configConfMoscookie="<real_cookie>"><inConfigs><pair key="org-root/org-Cola/cfw-firewall-0"><fwComputeFirewall dn="org-root/org-Cola/cfw-firewall-0"><fwResourceBinding assignedToDn="fw/inst-1005"/></fwComputeFirewall></pair></inConfigs></configConfMos>Response
<configConfMoscookie="<real_cookie>"commCookie="5/15/0/1df"srcExtSys="10.193.33.221"destExtSys="10.193.33.221"srcSvc="sam_extXMLApi"destSvc="resource-mgr_dme"response="yes"><outConfigs><pair key="org-root/org-Cola/cfw-firewall-0"><fwComputeFirewallassocState="associated"configState="not-applied"dataIpAddress="168.1.1.221"dataIpSubnet="255.255.255.0"descr=""devicePolicy="myDeviceProfile"dn="org-root/org-Cola/cfw-firewall-0"fltAggr="1"hostname="cfw-firewall-0"intId="12514"name="firewall-0"status="modified"/></pair></outConfigs></configConfMos>
