|
| 1 | +#!/usr/bin/env python |
| 2 | + |
| 3 | +""" |
| 4 | +* ******************************************************* |
| 5 | +* Copyright (c) VMware, Inc. 2019. All Rights Reserved. |
| 6 | +* SPDX-License-Identifier: MIT |
| 7 | +* ******************************************************* |
| 8 | +* |
| 9 | +* DISCLAIMER. THIS PROGRAM IS PROVIDED TO YOU "AS IS" WITHOUT |
| 10 | +* WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER ORAL OR WRITTEN, |
| 11 | +* EXPRESS OR IMPLIED. THE AUTHOR SPECIFICALLY DISCLAIMS ANY IMPLIED |
| 12 | +* WARRANTIES OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY, |
| 13 | +* NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE. |
| 14 | +""" |
| 15 | + |
| 16 | +__author__ = 'VMware, Inc.' |
| 17 | + |
| 18 | +import argparse |
| 19 | +from com.vmware.nsx_policy_client_for_vmc import create_nsx_policy_client_for_vmc |
| 20 | +from vmware.vapi.bindings.struct import PrettyPrinter as NsxPrettyPrinter |
| 21 | +from com.vmware.nsx_policy.model_client import ApiError |
| 22 | +from com.vmware.nsx_policy.model_client import L3VpnSubnet |
| 23 | +from com.vmware.nsx_policy.model_client import RouteBasedL3VpnSession |
| 24 | +from com.vmware.nsx_policy.model_client import PolicyBasedL3VpnSession |
| 25 | +from com.vmware.nsx_policy.model_client import L3VpnSession |
| 26 | +from com.vmware.nsx_policy.model_client import L3VpnRule |
| 27 | +from com.vmware.nsx_policy.model_client import BgpNeighborConfig |
| 28 | +from com.vmware.nsx_policy.model_client import TunnelSubnet |
| 29 | +from com.vmware.nsx_policy.model_client import L3Vpn |
| 30 | + |
| 31 | +# format NSXT objects for readability |
| 32 | +nsx_pp = NsxPrettyPrinter() |
| 33 | + |
| 34 | + |
| 35 | +class NSXPolicyL3VPN(object): |
| 36 | + """ |
| 37 | + e.g. Demonstrate access to NSX Policy Manager and show |
| 38 | + L3VPN CRUD operations |
| 39 | + """ |
| 40 | + |
| 41 | + def __init__(self): |
| 42 | + parser = argparse.ArgumentParser( |
| 43 | + formatter_class=argparse.ArgumentDefaultsHelpFormatter) |
| 44 | + |
| 45 | + parser.add_argument('--refresh_token', |
| 46 | + required=True, |
| 47 | + help='Refresh token obtained from CSP') |
| 48 | + |
| 49 | + parser.add_argument('--org_id', |
| 50 | + required=True, |
| 51 | + help='Orgization ID') |
| 52 | + |
| 53 | + parser.add_argument('--sddc_id', |
| 54 | + required=True, |
| 55 | + help='Sddc ID') |
| 56 | + |
| 57 | + parser.add_argument('--remote_endpoint_public_ip', |
| 58 | + required=True, |
| 59 | + help='L3 VPN Remote end point\'s public ip') |
| 60 | + |
| 61 | + parser.add_argument('--passphrase', |
| 62 | + required=True, |
| 63 | + help='Passphrase used for VPN') |
| 64 | + |
| 65 | + self.args = parser.parse_args() |
| 66 | + |
| 67 | + self.nsx_client = create_nsx_policy_client_for_vmc( |
| 68 | + refresh_token=self.args.refresh_token, |
| 69 | + org_id=self.args.org_id, |
| 70 | + sddc_id=self.args.sddc_id) |
| 71 | + |
| 72 | + def get_l3_vpn_context(self): |
| 73 | + print(' Get L3VPN Context '.center(70, '=')) |
| 74 | + try: |
| 75 | + context = self.nsx_client.infra.tier_0s.locale_services.L3vpnContext.get("vmc", "default") |
| 76 | + nsx_pp.pprint(context) |
| 77 | + return context |
| 78 | + except Exception as ex: |
| 79 | + print(ex) |
| 80 | + self.log_error(ex) |
| 81 | + |
| 82 | + def create_policy_based_l3_vpn(self, vpn_id): |
| 83 | + print(' Create policy based L3VPN '.center(70, '=')) |
| 84 | + try: |
| 85 | + context = self.get_l3_vpn_context() |
| 86 | + local_end_point_ip = context.available_local_addresses[0].address_value |
| 87 | + print("local_end_point_ip={}".format(local_end_point_ip)) |
| 88 | + destination_subnet = [L3VpnSubnet(subnet="10.3.0.0/16")] # Value should be per the user setup config |
| 89 | + source_subnet = [L3VpnSubnet(subnet="10.2.0.0/16")] # Value should be per the user setup config |
| 90 | + |
| 91 | + self.l3vpn_rule = L3VpnRule( |
| 92 | + revision=0, |
| 93 | + description="rule 1", |
| 94 | + display_name="rule1", |
| 95 | + resource_type=L3VpnSession.RESOURCE_TYPE_POLICYBASEDL3VPNSESSION, |
| 96 | + action=L3VpnRule.ACTION_PROTECT, |
| 97 | + destinations=destination_subnet, |
| 98 | + sequence_number=0, |
| 99 | + id="rule-" + vpn_id, |
| 100 | + sources=source_subnet) |
| 101 | + l3vpn_session = PolicyBasedL3VpnSession(resource_type=L3VpnSession.RESOURCE_TYPE_POLICYBASEDL3VPNSESSION, |
| 102 | + rules=[self.l3vpn_rule]) |
| 103 | + |
| 104 | + self.l3VPN = L3Vpn( |
| 105 | + revision=0, |
| 106 | + id=vpn_id, |
| 107 | + description="Example policy based L3VPN", |
| 108 | + display_name="Example policy based L3VPN", |
| 109 | + resource_type=L3VpnSession.RESOURCE_TYPE_POLICYBASEDL3VPNSESSION, |
| 110 | + dh_groups=[L3Vpn.DH_GROUPS_GROUP14], |
| 111 | + enable_perfect_forward_secrecy=True, |
| 112 | + enabled=True, |
| 113 | + ike_digest_algorithms=[L3Vpn.IKE_DIGEST_ALGORITHMS_SHA1], # Value should be per the user setup config |
| 114 | + ike_encryption_algorithms=[L3Vpn.IKE_ENCRYPTION_ALGORITHMS_128], |
| 115 | + # Value should be per the user setup config |
| 116 | + ike_version=L3Vpn.IKE_VERSION_V1, # Value should be per the user setup config |
| 117 | + l3vpn_session=l3vpn_session, |
| 118 | + local_address=local_end_point_ip, |
| 119 | + passphrases=[self.args.passphrase], |
| 120 | + remote_public_address=self.args.remote_endpoint_public_ip, |
| 121 | + tunnel_digest_algorithms=[L3Vpn.TUNNEL_DIGEST_ALGORITHMS_SHA1], |
| 122 | + # Value should be per the user setup config |
| 123 | + tunnel_encryption_algorithms=[L3Vpn.TUNNEL_ENCRYPTION_ALGORITHMS_128] |
| 124 | + # Value should be per the user setup config |
| 125 | + ) |
| 126 | + self.nsx_client.infra.tier_0s.locale_services.L3vpns.patch("vmc", "default", |
| 127 | + l3vpn_id=vpn_id, l3_vpn=self.l3VPN) |
| 128 | + except Exception as ex: |
| 129 | + print(ex) |
| 130 | + self.log_error(ex) |
| 131 | + |
| 132 | + def create_route_based_l3_vpn(self, vpn_id): |
| 133 | + print(' Create route based L3VPN '.center(70, '=')) |
| 134 | + try: |
| 135 | + context = self.get_l3_vpn_context() |
| 136 | + local_end_point_ip = context.available_local_addresses[0].address_value |
| 137 | + print("local_end_point_ip={}".format(local_end_point_ip)) |
| 138 | + tunnel_subnet = TunnelSubnet(ip_addresses=["169.254.2.1"], # Value should be per the user setup config |
| 139 | + prefix_length=24) # Value should be per the user setup config |
| 140 | + bgpconfig1 = BgpNeighborConfig(links=None, |
| 141 | + description="bgp neighbor config", |
| 142 | + display_name="bgp_neighbor_config_1", |
| 143 | + id="bgp_neighbor_config_1", |
| 144 | + neighbor_address="169.254.2.2", # Value should be per the user setup config |
| 145 | + remote_as_num=str(65002)) # Value should be per the user setup config |
| 146 | + self.nsx_client.infra.tier_0s.locale_services.bgp.Neighbors.patch(tier0_id="vmc", |
| 147 | + locale_service_id="default", |
| 148 | + neighbor_id="rb_neighbor_1", |
| 149 | + bgp_neighbor_config=bgpconfig1) |
| 150 | + |
| 151 | + neighbor_list = self.nsx_client.infra.tier_0s.locale_services.bgp.Neighbors.list(tier0_id="vmc", |
| 152 | + locale_service_id="default" |
| 153 | + ) |
| 154 | + print("List of neighbors={}".format(neighbor_list)) |
| 155 | + get_neighbhor = self.nsx_client.infra.tier_0s.locale_services.bgp.Neighbors.get( |
| 156 | + tier0_id="vmc", locale_service_id="default", neighbor_id="rb_neighbor_1") |
| 157 | + print("get_neighbhor={}".format(get_neighbhor)) |
| 158 | + |
| 159 | + l3vpn_session = RouteBasedL3VpnSession(routing_config_path=get_neighbhor.path, |
| 160 | + tunnel_subnets=[ |
| 161 | + tunnel_subnet], |
| 162 | + resource_type=L3VpnSession.RESOURCE_TYPE_ROUTEBASEDL3VPNSESSION) |
| 163 | + self.l3VPN = L3Vpn( |
| 164 | + revision=0, |
| 165 | + id=vpn_id, |
| 166 | + description="vpn config from automation", |
| 167 | + display_name="Example route based L3VPN", |
| 168 | + resource_type=L3VpnSession.RESOURCE_TYPE_ROUTEBASEDL3VPNSESSION, |
| 169 | + dh_groups=[L3Vpn.DH_GROUPS_GROUP14], |
| 170 | + enable_perfect_forward_secrecy=True, |
| 171 | + enabled=True, # To enabel/disable the VPN |
| 172 | + ike_digest_algorithms=[L3Vpn.IKE_DIGEST_ALGORITHMS_SHA1], # Value should be per the user setup config |
| 173 | + ike_encryption_algorithms=[L3Vpn.IKE_ENCRYPTION_ALGORITHMS_128], |
| 174 | + # Value should be per the user setup config |
| 175 | + ike_version=L3Vpn.IKE_VERSION_V1, # Value should be per the user setup config |
| 176 | + l3vpn_session=l3vpn_session, |
| 177 | + local_address=local_end_point_ip, |
| 178 | + passphrases=[self.args.passphrase], |
| 179 | + remote_public_address=self.args.remote_endpoint_public_ip, |
| 180 | + tunnel_digest_algorithms=[L3Vpn.TUNNEL_DIGEST_ALGORITHMS_SHA1], |
| 181 | + # Value should be per the user setup config |
| 182 | + tunnel_encryption_algorithms=[L3Vpn.TUNNEL_ENCRYPTION_ALGORITHMS_128] |
| 183 | + # Value should be per the user setup config |
| 184 | + ) |
| 185 | + self.nsx_client.infra.tier_0s.locale_services.L3vpns.patch("vmc", "default", |
| 186 | + l3vpn_id=vpn_id, l3_vpn=self.l3VPN) |
| 187 | + except Exception as ex: |
| 188 | + print(ex) |
| 189 | + self.log_error(ex) |
| 190 | + |
| 191 | + def list_l3_vpns(self): |
| 192 | + print(' List L3VPN '.center(70, '=')) |
| 193 | + try: |
| 194 | + list_of_vpns = self.nsx_client.infra.tier_0s.locale_services.L3vpns.list("vmc", "default") |
| 195 | + for vpn_entry in list_of_vpns.results: |
| 196 | + nsx_pp.pprint(vpn_entry) |
| 197 | + except Exception as ex: |
| 198 | + print(ex) |
| 199 | + self.log_error(ex) |
| 200 | + |
| 201 | + def get_l3_vpn(self, vpn_id): |
| 202 | + print(' Get L3VPN '.center(70, '=')) |
| 203 | + try: |
| 204 | + vpn_entry = self.nsx_client.infra.tier_0s.locale_services.L3vpns.get("vmc", "default", vpn_id) |
| 205 | + nsx_pp.pprint(vpn_entry) |
| 206 | + except Exception as ex: |
| 207 | + print(ex) |
| 208 | + self.log_error(ex) |
| 209 | + |
| 210 | + def delete_l3vpn(self, vpn_id): |
| 211 | + print(' Delete L3VPN '.center(70, '=')) |
| 212 | + try: |
| 213 | + self.nsx_client.infra.tier_0s.locale_services.L3vpns.delete("vmc", "default", vpn_id) |
| 214 | + except Exception as ex: |
| 215 | + print(ex) |
| 216 | + self.log_error(ex) |
| 217 | + |
| 218 | + def delete_bgp_neighbor(self, neighbor_id): |
| 219 | + print(' Delete BGP Neighbor '.center(70, '=')) |
| 220 | + try: |
| 221 | + self.nsx_client.infra.tier_0s.locale_services.bgp.Neighbors.delete(tier0_id="vmc", |
| 222 | + locale_service_id="default", |
| 223 | + neighbor_id=neighbor_id) |
| 224 | + except Exception as ex: |
| 225 | + print(ex) |
| 226 | + self.log_error(ex) |
| 227 | + |
| 228 | + def log_error(self, ex): |
| 229 | + """ |
| 230 | + Generic error logger that will use NSXT API Error message decoders for |
| 231 | + more descriptive information on errors |
| 232 | + """ |
| 233 | + api_error = ex.data.convert_to(ApiError) |
| 234 | + print("Error configuring {}".format(api_error.error_message)) |
| 235 | + print("{}".format(api_error.__dict__)) |
| 236 | + print("{}".format(api_error.details)) |
| 237 | + |
| 238 | + def run_policy_based_vpn(self): |
| 239 | + self.create_policy_based_l3_vpn(vpn_id="example_policy_vpn_1") |
| 240 | + self.list_l3_vpns() |
| 241 | + self.get_l3_vpn(vpn_id="example_policy_vpn_1") |
| 242 | + |
| 243 | + def cleanup_policy_based_vpn(self): |
| 244 | + self.delete_l3vpn(vpn_id="example_policy_vpn_1") |
| 245 | + |
| 246 | + def run_route_based_vpn(self): |
| 247 | + self.create_route_based_l3_vpn(vpn_id="example_route_vpn_1") |
| 248 | + self.list_l3_vpns() |
| 249 | + self.get_l3_vpn(vpn_id="example_route_vpn_1") |
| 250 | + |
| 251 | + def cleanup_route_based_vpn(self): |
| 252 | + self.delete_bgp_neighbor(neighbor_id="rb_neighbor_1") |
| 253 | + self.delete_l3vpn(vpn_id="example_route_vpn_1") |
| 254 | + |
| 255 | + |
| 256 | +def main(): |
| 257 | + nsx = NSXPolicyL3VPN() |
| 258 | + nsx.run_policy_based_vpn() |
| 259 | + nsx.cleanup_policy_based_vpn() |
| 260 | + nsx.run_route_based_vpn() |
| 261 | + nsx.cleanup_route_based_vpn() |
| 262 | + |
| 263 | + |
| 264 | +if __name__ == '__main__': |
| 265 | + main() |
0 commit comments