Subinterfaces on a device in subdomains

sullinsms
Level 1

I am trying to configure subinterfaces on a device located in a subdomain. I am unable to make this work. When I use the API Explorer I receive the error below. I have also tried using the Python code below.

Devices:

  • FMC virtual 6.6.1
  • FTD virtual 6.6.1

 

API-Explorer error

{
  "error": {
    "category": "FRAMEWORK",
    "messages": [
      {
        "description": "You do not have the required authorization to do this operation."
      }
    ],
    "severity": "ERROR"
  }
}

 

 

API-Explorer code

{
    "type": "SubInterface",
    "vlanId": 30,
    "subIntfId": 12345,
    "enabled": true,
    "MTU": 1500,
    "managementOnly": false,
    "enableAntiSpoofing": true,
    "enableSGTPropagate": true,
    "ifname": "Intf_name",
    "name": "GigabitEthernet0/1",
    "overrideDefaultFragmentSetting": {
        "size": 200,
        "chain": 24,
        "timeout": 5
    },
    "ipv4": {
        "static": {
            "address": "1.2.3.4",
            "netmask": "25"
        }
    }
}

 

Python Code error

 

 

Response test {"error":{"category":"FRAMEWORK","messages":[{"description":"Invalid Request"}],"severity":"ERROR"}}

Response

<Response [404]>

Python Code

 

def configure_subinterface(addr: str = None, token: str = None):

    print("*" * 80)
    print("Create subinterfaces")

    db_list0 = {}
    db_list1 = {}

    with os.scandir('./') as entries:
        for entry in entries:
            db_list0[entry.name] = entry.name

    print("*" * 80)
    ftdinterface = selectFromDict(db_list0, 'FTD interface backup to restore')

    with open(ftdinterface) as readfile:
        subinterface = json.load(readfile)

    with os.scandir('./') as entries:
        for entry in entries:
            db_list1[entry.name] = entry.name

    print("*" * 80)
    ftdrecord = selectFromDict(db_list1, 'FTD device to apply interface')
    print("*" * 80)

    with open(ftdrecord) as readfile:
        devicerecord = json.load(readfile)

    domainuuid = ("e276abec-e0f2-11e3-8169-6d9ed49b625f/ " + devicerecord['items'][0]['metadata']['domain']['id'])
    deviceuuid = devicerecord['items'][0]['id']

    payload = json.dumps([
        {
            "type": "SubInterface",
            "vlanId": 30,
            "subIntfId": 12345,
            "enabled": True,
            "MTU": 1500,
            "managementOnly": True,
            "enableAntiSpoofing": True,
            "enableSGTPropagate": True,
            "ifname": "Intf_name",
            "name": "GigabitEthernet0/1",
            "overrideDefaultFragmentSetting": {
                "size": 200,
                "chain": 24,
                "timeout": 5
            },
            "securityZone": {
                "id": "a5d02a5e-d1ce-11eb-9144-f657a2d3df95",
                "type": "SecurityZone"
            },
            "ipv4": {
                "static": {
                    "address": "1.2.3.4",
                    "netmask": "25"
                }
            }
        }
    ])

    api_uri = f"/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/ 7f180e2c-ce4a-489f-57df-000000000001/devices/devicerecords/{deviceuuid}/subinterfaces?bulk=true"
    url = "https://" + addr + api_uri
    headers = { "X-auth-access-token": token }

    response = requests.request("POST", url, headers=headers, data=json.dumps(payload), verify=False)

Accepted Solution

I believe your issue is with regard to the domain.  If you look at the URL:

 

https://fmc.cisco.com/api/fmc_config/v1/domain/bad037b7-11fa-32d5-caf6-000000000000/devices/devicerecords/421e39c2-e4b8-11eb-9b7e-efd0ba43de90/subinterfaces

Pay special attention to the domain. What I did is the following:

 

1.  Added a VFTD and put it in my new subdomain

2.  I created a new admin role user that is a member of both global and my sub-domain

 

First I went into API explorer where the domain was selected as "global".

I received the same error you did when the domain was set as "global". When I swapped it to "Global/child_domain", I did not get an error and the subinterface was successfully created.

 

I believe this is just swapping the domain uuid in the URL to the child domain.

 

My JSON document looked like the following:

 

{
    "type": "SubInterface",
    "vlanId": 10,
    "subIntfId": 1,
    "MTU": 1500,
    "enabled": true,
    "managementOnly": false,
    "mode": "NONE",
    "enableSGTPropagate": true,
    "ipv4": {
        "static": {
            "address": "192.168.6.1",
            "netmask": "255.255.255.0"
        }
    },
    "ipv6": {
        "enableRA": true,
        "enableIPV6": false,
        "enforceEUI64": false,
        "enableAutoConfig": false,
        "enableDHCPAddrConfig": false,
        "enableDHCPNonAddrConfig": false,
        "dadAttempts": 1,
        "nsInterval": 1000,
        "reachableTime": 0,
        "raLifeTime": 1800,
        "raInterval": 200
    },
    "enableAntiSpoofing": false,
    "fragmentReassembly": false,
    "ifname": "sub2",
    "name": "GigabitEthernet0/2"
}

 
 

My suggestion is to make sure you have the URL with the correct subdomain and I suspect your issue will be resolved.  The deceptive thing is that it looks like you can do a GET with the global URL but you can only do the POST with the child domain in the URL.  I suspect the same is also true for PUT.
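
The accepted answer's finding, that the POST must use the domain that owns the device rather than the global one, can be checked before a request is sent. The following is an added example, not code from the original posts: `owning_domain`, `subinterface_url` and `preflight` are hypothetical helpers, and the sample record assumes the device's `metadata.domain.id` is the second UUID from the question's URL.

```python
import re
from urllib.parse import urlsplit

UUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
PATH_RE = re.compile(
    rf"^/api/fmc_config/v1/domain/({UUID})/devices/devicerecords/({UUID})/subinterfaces$")

def owning_domain(device_item):
    """Return the UUID of the domain that owns the device (hypothetical helper)."""
    try:
        return device_item["metadata"]["domain"]["id"]
    except KeyError:
        # The device list shown in the thread has no metadata block at all.
        raise ValueError("device record carries no metadata.domain.id") from None

def subinterface_url(addr, device_item):
    """Build the URL from the device record instead of hard-coding UUIDs."""
    return (f"https://{addr}/api/fmc_config/v1/domain/{owning_domain(device_item)}"
            f"/devices/devicerecords/{device_item['id']}/subinterfaces")

def preflight(url, device_item):
    """List the problems that would send a write to the wrong place."""
    if any(c.isspace() for c in url):
        return ["URL contains whitespace"]
    m = PATH_RE.match(urlsplit(url).path)  # query string (?bulk=true) is ignored
    if not m:
        return ["path is not .../domain/<uuid>/devices/devicerecords/<uuid>/subinterfaces"]
    problems = []
    if m.group(1).lower() != owning_domain(device_item).lower():
        problems.append("domain UUID in URL is not the device's own domain")
    if m.group(2).lower() != device_item["id"].lower():
        problems.append("device UUID in URL does not match the device record")
    return problems

# Constructed sample: device id from the thread, domain id assumed to be the
# child domain (second UUID in the question's first URL).
DEVICE = {"id": "16836780-d1ab-11eb-b26b-ec8dd1d64550",
          "metadata": {"domain": {"id": "7f180e2c-ce4a-489f-57df-000000000001"}}}
GLOBAL_URL = ("https://172.16.40.2/api/fmc_config/v1/domain/"
              "e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords/"
              "16836780-d1ab-11eb-b26b-ec8dd1d64550/subinterfaces")

if __name__ == "__main__":
    print(preflight(GLOBAL_URL, DEVICE))                                # domain mismatch
    print(preflight(subinterface_url("172.16.40.2", DEVICE), DEVICE))   # []
```

A malformed device UUID or a stray space in the path is reported the same way, before the request reaches the FMC.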

 

 

4 Replies

ross
Level 1

On mobile so haven't looked at this thoroughly; however, have you created the API key in the Global Domain and are then trying to POST data to the sub-domain? I can't remember whether that should actually work or not.

Try posting the data to the global domain but with the correct Device ID.

I'll take another look when I'm at my PC tomorrow for you. I have done this without issue previously on 6.3.

Yes I have tried that method. See results below.

 

 Device record for FMC

https://172.16.40.2/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords

Response body

{
  "links": {
    "self": "https://172.16.40.2/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords?offset=0&limit=1"
  },
  "items": [
    {
      "id": "16836780-d1ab-11eb-b26b-ec8dd1d64550",
      "type": "Device",
      "links": {
        "self": "https://172.16.40.2/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords/16836780-d1ab-11eb-b26b-ec8dd1d64550"
      },
      "name": "FTDv2"
    }
  ],
  "paging": {
    "offset": 0,
    "limit": 1,
    "count": 1,
    "pages": 1
  }
}

 

 

Python code for post interface

 

 

def configure_subinterface(addr: str = None, token: str = None):

    print("*" * 80)
    print("Create subinterfaces")

    db_list0 = {}
    db_list1 = {}

    with os.scandir('./') as entries:
        for entry in entries:
            db_list0[entry.name] = entry.name

    print("*" * 80)
    ftdinterface = selectFromDict(db_list0, 'FTD interface backup to restore')

    with open(ftdinterface) as readfile:
        subinterface = json.load(readfile)

    with os.scandir('./') as entries:
        for entry in entries:
            db_list1[entry.name] = entry.name

    print("*" * 80)
    ftdrecord = selectFromDict(db_list1, 'FTD device to apply interface')
    print("*" * 80)

    with open(ftdrecord) as readfile:
        devicerecord = json.load(readfile)

    deviceuuid = devicerecord['items'][0]['id']

    payload = json.dumps(
        {
            "type": "SubInterface",
            "vlanId": 30,
            "subIntfId": 12345,
            "enabled": True,
            "MTU": 1500,
            "managementOnly": True,
            "enableAntiSpoofing": True,
            "enableSGTPropagate": True,
            "ifname": "Intf_name",
            "name": "GigabitEthernet0/1",
            "overrideDefaultFragmentSetting": {
                "size": 200,
                "chain": 24,
                "timeout": 5
            },
            "securityZone": {
                "id": "a5d02a5e-d1ce-11eb-9144-f657a2d3df95",
                "type": "SecurityZone"
            },
            "ipv4": {
                "static": {
                    "address": "1.2.3.4",
                    "netmask": "25"
                }
            }
        }
    )

    api_uri = f"/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords/16836780-d1ab-11eb-b26b-ec8dd1d645508/subinterfaces"
    url = "https://" + addr + api_uri
    headers = { "X-auth-access-token": token }

    response = requests.request("POST", url, headers=headers, data=(payload), verify=False)

    print("Device uuid " + deviceuuid)
    print("Response test " + response.text)
    print(response)
    print("*" * 80)
    print("Payload")
    print(payload)
    print("*" * 80)

 

Response

 

Device uuid 16836780-d1ab-11eb-b26b-ec8dd1d64550
Response test {"error":{"category":"OTHER","messages":[{}],"severity":"ERROR"}}
<Response [500]>
********************************************************************************
Payload
{"type": "SubInterface", "vlanId": 30, "subIntfId": 12345, "enabled": true, "MTU": 1500, "managementOnly": true, "enableAntiSpoofing": true, "enableSGTPropagate": true, "ifname": "Intf_name", "name": "GigabitEthernet0/1", "overrideDefaultFragmentSetting": {"size": 200, "chain": 24, "timeout": 5}, "securityZone": {"id": "a5d02a5e-d1ce-11eb-9144-f657a2d3df95", "type": "SecurityZone"}, "ipv4": {"static": {"address": "1.2.3.4", "netmask": "25"}}}

 

Response on FMC

 

2021-06-29 08:32:08       api2        API         POST https://172.16.40.2/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords/16836780-d1ab-11eb-b26b-ec8dd1d64550 Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fu(...)

sullinsms
Level 1

Any updates?

 
