在 NSX 上完成組態設定程序,以便可將 CVX 新增為 NSX 中的強制執行點,使 NSX 可與 CVX 互動。
必要條件
取得 Arista CVX 叢集的虛擬 IP 位址。
程序
- 以 root 使用者身分登入 NSX Manager,然後執行下列命令以擷取 CVX 的指紋:
openssl s_client -connect <virtual IP address of CVX cluster> | openssl x509 -noout -fingerprint -sha256
輸出範例:depth=0 CN = self.signed verify error:num=18:self signed certificate verify return:1 depth=0 CN = self.signed verify return:1 SHA256 Fingerprint=35:C1:42:BC:7A:2A:57:46:E8:72:F4:C8:B8:31:E3:13:5F:41:95:EF:D8:1E:E9:3D:F0:CC:3B:09:A2:FE:22:DE
- 編輯所擷取的指紋,使其僅使用小寫字元,並在指紋中排除任何冒號。
編輯後的 CVX 指紋範例:
35c142bc7a2a5746e872f4c8b831e3135f4195efd81ee93df0cc3b09a2fe22de
- 呼叫
PATCH /policy/api/v1/infra/sites/default/enforcement-points
API,然後使用 CVX 指紋來為 CVX 建立強制執行端點。例如:PATCH https://<nsx-manager>/policy/api/v1/infra/sites/default/enforcement-points/cvx-default-ep { "auto_enforce": "false", "connection_info": { "enforcement_point_address": "<IP address of CVX>", "resource_type": "CvxConnectionInfo", "username": "cvpadmin", "password": "1q2w3e4rT", "thumbprint": "65a9785e88b784f54269e908175ada662be55f156a2dc5f3a1b0c339cea5e343" } }
- 呼叫
GET /policy/api/v1/infra/sites/default/enforcement-points
API 以擷取端點資訊。例如:https://<nsx-manager>/policy/api/v1/infra/sites/default/enforcement-points/cvx-default-ep { "auto_enforce": "false", "connection_info": { "enforcement_point_address": "<IP address of CVX>", "resource_type": "CvxConnectionInfo", "username": "admin", "password": "1q2w3e4rT", "thumbprint": "35c142bc7a2a5746e872f4c8b831e3135f4195efd81ee93df0cc3b09a2fe22de" } }
輸出範例:{ "connection_info": { "thumbprint": "35c142bc7a2a5746e872f4c8b831e3135f4195efd81ee93df0cc3b09a2fe22de", "enforcement_point_address": "192.168.2.198", "resource_type": "CvxConnectionInfo" }, "auto_enforce": false, "resource_type": "EnforcementPoint", "id": "cvx-default-ep", "display_name": "cvx-default-ep", "path": "/infra/sites/default/enforcement-points/cvx-default-ep", "relative_path": "cvx-default-ep", "parent_path": "/infra/sites/default", "marked_for_delete": false, "_system_owned": false, "_create_user": "admin", "_create_time": 1564036461953, "_last_modified_user": "admin", "_last_modified_time": 1564036461953, "_protection": "NOT_PROTECTED", "_revision": 0 }
- 呼叫
POST /api/v1/notification-watchers/
API,然後使用 CVX 指紋來建立通知識別碼。例如:POST https://<nsx-manager>/api/v1/notification-watchers/ { "server": "<virtual IP address of CVX cluster>", "method": "POST", "uri": "/pcs/v1/nsgroup/notification", "use_https": true, "certificate_sha256_thumbprint": "35c142bc7a2a5746e872f4c8b831e3135f4195efd81ee93df0cc3b09a2fe22de", "authentication_scheme": { "scheme_name":"BASIC_AUTH", "username":"cvpadmin", "password":"1q2w3e4rT" } }
- 呼叫
GET /api/v1/notification-watchers/
以擷取通知識別碼。輸出範例:{ "id": "a0286cb6-de4d-41de-99a0-294465345b80", "server": "192.168.2.198", "port": 443, "use_https": true, "certificate_sha256_thumbprint": "35c142bc7a2a5746e872f4c8b831e3135f4195efd81ee93df0cc3b09a2fe22de", "method": "POST", "uri": "/pcs/v1/nsgroup/notification", "authentication_scheme": { "scheme_name": "BASIC_AUTH", "username": "cvpadmin" }, "send_timeout": 30, "max_send_uri_count": 5000, "resource_type": "NotificationWatcher", "display_name": "a0286cb6-de4d-41de-99a0-294465345b80", "_create_user": "admin", "_create_time": 1564038044780, "_last_modified_user": "admin", "_last_modified_time": 1564038044780, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 }
- 呼叫
PATCH /policy/api/v1/infra/domains/default/domain-deployment-maps/cvx-default-dmap
API 以建立 CVX 網域部署對應。例如:PATCH https://<nsx-manager>/policy/api/v1/infra/domains/default/domain-deployment-maps/cvx-default-dmap { "display_name": "cvx-deployment-map", "id": "cvx-default-dmap", "enforcement_point_path": "/infra/sites/default/enforcement-points/cvx-default-ep" }
- 呼叫
GET /policy/api/v1/infra/domains/default/domain-deployment-maps
API 以擷取部署對應資訊。