Model Driven Telemetry "grpc-tls" profile example?

barl3yb3ar
Level 1

I am configuring CAT9K switches for Model-Driven Telemetry and want to use secure gRPC with TLS as the telemetry protocol.

 

Below is the IOS-XE config for my gRPC collector ("ip receiver") which requires a profile name (i.e. "security_profile").

How do I configure a security profile for "grpc-tls" telemetry? Thanks!

 

telemetry ietf subscription 100
encoding encode-kvgpb
filter xpath /memory-ios-xe-oper:memory-statistics/memory-statistic
stream yang-push
update-policy periodic 500
receiver ip address 24.24.24.24 5000 protocol grpc-tls secure_profile

 

barl3yb3ar
Level 1

I found this Cisco "gRPC + TLS" lab which looks helpful...

https://github.com/jeremycohoe/cisco-ios-xe-programmability-lab-module-6-mdt/

 

It describes how to install the cert on the box for gRPC. I'll give it a try.

Hi Mark, thanks for the question - I've created a page on the GitHub repo at https://github.com/jeremycohoe/cisco-ios-xe-mdt/blob/master/c9300-grpc-tls-lab.md that details secure gRPC + TLS and the steps required to set it up successfully.

Create the SSL certificates like below, then load them into Telegraf and IOS XE.

 

ssl.conf:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName                 = Country Name (2 letter code)
countryName_default         = CA
stateOrProvinceName         = State or Province Name
stateOrProvinceName_default = Some-State
localityName                = Name (eg, city)
localityName_default        = Kanata
organizationName            = Organization Name
organizationName_default    = Cisco
commonName                  = Common
commonName_max              = 64
commonName_default          = grpc

[v3_req]
subjectAltName = @alt_names

[alt_names]
IP.1 = 10.85.134.66

Generate the certs:

openssl genrsa -out myca.key 2048
openssl genrsa -out server.key 2048
openssl req -x509 -new -nodes -key myca.key -sha256 -days 365 -out myca.cert
openssl req -out server.csr -key server.key -new -config ./ssl.conf
openssl x509 -req -in server.csr -CA myca.cert -CAkey myca.key -CAcreateserial -out server.cert -days 365 -extensions v3_req -extfile ./ssl.conf

Jeremy

Be sure to refer to the config guide https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/173/b_173_programmability_cg.html when needed
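
A check for the files produced by the openssl steps above, as an added example that is not part of the post or the Cisco lab: it rebuilds the CA and receiver certificate non-interactively, then confirms that the certificate chains to the CA and lists the receiver IP in its subjectAltName. The function names `make_lab_certs` and `check_receiver_cert`, the `[v3_ca]` section, `prompt = no`, the `lab-ca` subject and the address 192.0.2.10 are assumptions of this example.

```shell
# Added example; every key and cert here is throwaway lab material.
# make_lab_certs DIR IP: build a CA and a receiver cert whose SAN is IP,
# following the openssl sequence above but non-interactive. The [v3_ca]
# section, "prompt = no" and the -subj value are this example's assumptions.
make_lab_certs() {
  dir=$1; san_ip=$2
  cat > "$dir/ssl.conf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
commonName = grpc
[v3_req]
subjectAltName = @alt_names
[v3_ca]
basicConstraints = critical,CA:TRUE
[alt_names]
IP.1 = $san_ip
EOF
  openssl genrsa -out "$dir/myca.key" 2048 2>/dev/null &&
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
  openssl req -x509 -new -nodes -key "$dir/myca.key" -sha256 -days 365 \
    -config "$dir/ssl.conf" -extensions v3_ca -subj "/CN=lab-ca" \
    -out "$dir/myca.cert" &&
  openssl req -new -key "$dir/server.key" -config "$dir/ssl.conf" \
    -out "$dir/server.csr" &&
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/myca.cert" \
    -CAkey "$dir/myca.key" -CAcreateserial -out "$dir/server.cert" \
    -days 365 -extensions v3_req -extfile "$dir/ssl.conf" 2>/dev/null
}

# check_receiver_cert CA CERT IP: succeed only if CERT chains to CA and
# its subjectAltName lists IP (the address after "receiver ip address").
check_receiver_cert() {
  ca=$1; cert=$2; ip=$3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "FAIL: $cert does not chain to $ca"; return 1; }
  openssl x509 -in "$cert" -noout -checkip "$ip" 2>/dev/null |
    grep -q "does match certificate" ||
    { echo "FAIL: $ip is not in the SAN of $cert"; return 1; }
  echo "OK: $cert chains to $ca and covers $ip"
}

# Demo on constructed input: the SAN IP is the one from ssl.conf above.
lab=$(mktemp -d)
make_lab_certs "$lab" 10.85.134.66
check_receiver_cert "$lab/myca.cert" "$lab/server.cert" 10.85.134.66
check_receiver_cert "$lab/myca.cert" "$lab/server.cert" 192.0.2.10 || echo "(mismatch reported)"
```

To check real files, call `check_receiver_cert myca.cert server.cert <receiver-ip>` with the address configured in the subscription.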

 

 

barl3yb3ar
Level 1

The Cisco lab I mentioned (GitHub link) suggests that a public CA cert (not a client cert) is installed onto the Cisco device for the SSL handshake with the gRPC server.

So I manually installed the public CA cert for my endpoint (cut-and-paste; self-signed for prototyping)...

crypto pki trustpoint mark-home
enrollment terminal pem

#crypto pki authenticate mark-home

<paste CA cert>

But no telemetry traffic is sent from the Cisco device for a subscription configured with the "grpc-tls" protocol:

telemetry ietf subscription 101
encoding encode-kvgpb
filter xpath /memory-ios-xe-oper:memory-statistics/memory-statistic
stream yang-push
update-policy periodic 500
receiver ip address 24.1.2.3 5000 protocol grpc-tls profile mark-home 

However, telemetry traffic is sent fine when the same subscription is configured with the "grpc-tcp" protocol:

telemetry ietf subscription 101
encoding encode-kvgpb
filter xpath /memory-ios-xe-oper:memory-statistics/memory-statistic
stream yang-push
update-policy periodic 500
receiver ip address 24.1.2.3 5000 protocol grpc-tcp

So I don't know why the "protocol grpc-tls" config is not sending data, while the "protocol grpc-tcp" config sends data fine.