
Pipeline use case Updating edge router routing table

Benjamin Kappel edited this page Nov 19, 2020 · 3 revisions

Use case: Updating of edge router's static route table

Currently, this is the only supported use case of the pipeline system, but more are on the way. Check out the roadmap to see upcoming features.

Motivation

In this scenario, a Cisco device running NX-OS (it seems that no version or device includes the feature) is used as a layer 3 DHCPv6 relay agent. It encapsulates traffic received on its VLAN interfaces and sends it via unicast to a server running DaAPI.

The relay agent receives multicast and sends it as unicast to DaAPI

If a response is received, the inner packet is decapsulated and sent to the link-local address.

relay agent receives a unicast packet from the response and relays it to the client via unicast

A device "behind" the DHCPv6 client can send a packet into the network, but the response will be discarded because there is no route to the network. Unlike DHCPv6 relay agents running IOS or IOS-XE, which create routes based on "sniffed" prefixes, an NX-OS device doesn't create static routes in response to a received reply.

A request can be sent, but responses are dropped by the NX-OS device

The built-in pipeline system can help with this issue by offering an actor that can create a static route for NX-OS devices.

There seems to be another bug in the DHCPv6 relay agent feature. A response sent to the client uses the server address as the source address instead of its link-local address. Some LDRAs filter these packets.

Configure the NX-OS device

The NxOsStaticRouteUpdaterNotificationActor uses the NX-OS API to send the CLI command to add or remove a static route. It is recommended to create a dedicated user for this purpose whose only rights are to execute the »ipv6 route« and »no ipv6 route« commands.

The NX-OS API is not enabled by default on most devices.

!enabling the feature
feature nxapi

! set the vrf. If the API should be available for any vrf (not recommended), the next command can be skipped
nxapi use-vrf <MANAGEMENT-VRF-NAME>

! define the user role, which can only add and remove ipv6 static routes and save the configuration
role name DaAPI-DHCPv6
  rule 5 permit command copy run sta
  rule 4 permit command config t ; no ipv6 route *
  rule 3 permit command config t ; ipv6 route *
  rule 2 permit command show ipv6 route
  rule 1 deny command show *

username <username> password <Password> role  DaAPI-DHCPv6
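
The actor turns lease data into a CLI string, so nothing other than a prefix and an address should ever reach that string. The following is an added example in Python, not DaAPI's own code: it builds the two commands the role permits from validated input and wraps them in an NX-API `ins_api` request body. The function names, the sample addresses, and the choice of request format are assumptions; the page does not say which NX-API format the actor uses.

```python
import ipaddress
import json


def route_command(prefix: str, next_hop: str, remove: bool = False) -> str:
    """Build 'ipv6 route ...' or 'no ipv6 route ...' from validated input only."""
    # Python 3.9+ accepts a zone suffix ("fe80::1%eth0") whose text is not
    # restricted to address characters, so refuse '%' before parsing.
    if "%" in prefix or "%" in next_hop:
        raise ValueError("zone identifiers are not accepted")
    # strict=True rejects prefixes with host bits set (e.g. 2001:db8::1/48).
    net = ipaddress.IPv6Network(prefix, strict=True)
    hop = ipaddress.IPv6Address(next_hop)
    if hop.is_unspecified or hop.is_multicast or hop.is_loopback:
        raise ValueError(f"unusable next hop: {hop}")
    # Re-serialise from the parsed objects: the CLI string never contains raw
    # input, so ' ;' (which NX-API treats as a command separator) or a newline
    # cannot be carried to the device.
    cmd = f"ipv6 route {net.with_prefixlen} {hop.compressed}"
    return f"no {cmd}" if remove else cmd


def nxapi_body(command: str) -> str:
    """Wrap one configuration command in an NX-API 'ins_api' request body.

    Assumption: the 'cli_conf' request type is used here for illustration.
    """
    return json.dumps({"ins_api": {
        "version": "1.0", "type": "cli_conf", "chunk": "0", "sid": "1",
        "input": command, "output_format": "json"}})


if __name__ == "__main__":
    # Constructed sample values (documentation prefix 2001:db8::/32).
    print(nxapi_body(route_command("2001:db8:1::/48", "2001:db8:0:1::2")))
    for bad in ("2001:db8:1::/48 ; feature telnet", "2001:db8::1/48"):
        try:
            route_command(bad, "2001:db8:0:1::2")
        except ValueError as exc:
            print("rejected:", exc)
```
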

Creating the Pipeline

The next step is to create the Pipeline in DaAPI. In the menu, choose Pipeline and then hit the »New« button.

To create a pipeline, select »Pipelines« in the menu and choose »New«

You can choose any name. The name will be displayed in the overview and logs.

The Trigger

Choose »Edge router binding updated« as the trigger because a route update (add or remove) is the consequence of an updated lease. There are four possible reasons for this trigger.

  1. A new lease with a prefix binding is created (create)
  2. A prefix was added to an existing lease (create)
  3. A prefix was removed from an existing lease (remove)
  4. The lease has been canceled or is expired etc. (remove)

Select the trigger »Edge router binding updated«

The Condition

Depending on your network and needs, you need to decide which Scopes should trigger a route update on which NX-OS device. If you have only one NX-OS device for all your Scopes, a wise choice would be to select your main Scope and include its children as well. If you have multiple sites, creating a pipeline for each site (each with a different condition) may be the right choice.

So, choosing the condition »DHCPv6 Scopes« is overall the right decision.

The option »Include Childscopes?« means that the condition is also satisfied if the lease doesn't belong to the selected Scope itself but to a child, grandchild, or any other descendant.

Choose as the condition »DHCPv6 Scopes« and carefully select the required Scopes

The Actor

You should select »HTTPS based NX-OS static router updater« as an actor. To work correctly, this actor needs to know three properties.

  • The URL of the NX-OS device. It has to start with https:// and can include an IP address or DNS name. Note that the machine running DaAPI must be able to resolve the name and reach the IP address.
  • The username the actor should use to connect to the NX-OS device. It should be the username created in the steps before.
  • The password for the username the actor should use to connect to the NX-OS device. It should be the same password that was used in the steps before. It needs to be a plain text password.

The last step is to hit the »Create« button to create the Pipeline.

HTTPS based NX-OS static router updater has three properties: URL, username, and password