Dial-Out with TLS

Within NSO, edit the telegraf_dial_out.conf file. Uncomment the TLS lines under INPUT PLUGINS:

Follow these steps to create certificates for the server: https://xrdocs.io/telemetry/tutorials/telemetry-stack-update-grpc-tls/#telegraf-certificate

Note that I had to do this after following all of those steps:

sudo chmod +r telegraf.lab.key

Edit the docker-compose.yaml file. Add the three lines below to bind-mount the cert files read-only into the container, and set the method to dial_out.

- ./telegraf.lab.key:/etc/telegraf/key.pem:ro
- ./telegraf.lab.pem:/etc/telegraf/cert.pem:ro
- ./CA.pem:/etc/telegraf/CA.pem:ro

Stop and then relaunch the container:

sudo docker compose down
sudo docker compose up -d

Configure Dial-Out MDT on XR1 using the following parameters:

  • The collector is 10.10.40.17:57500

  • Use GPB-KV

  • Use gRPC with TLS

    • SCP the root CA cert to the router using scp CA.pem clab@10.100.100.101:/harddisk:/ from Ubuntu. The file is located in the /tig-stack-qos-interface-statistics directory.

    • Place the CA.pem file in the correct directory on the router using run cp /harddisk\:/CA.pem …

      • You will have to figure out the destination location on your own!

    • Restart the EMSD process using: process restart emsd

    • Use the tls-hostname telegraf.lab for the server

  • Use the YANG model Cisco-IOS-XR-infra-statsd-oper:infra-statistics/interfaces/interface/latest/generic-counters

  • Push the data at a 5 second interval to the collector

Log in to Grafana at http://10.200.255.4 using admin/admin123. Use the following Flux query in Grafana to confirm that MDT is working:

from(bucket: "telemetry")
  |> range(start: v.timeRangeStart, stop:v.timeRangeStop)
  |> filter(fn: (r) =>
    r._measurement == "Cisco-IOS-XR-infra-statsd-oper:infra-statistics/interfaces/interface/latest/generic-counters" and
    r._field == "bytes_sent"
  )

Answer

#XR1
run cp /harddisk\:/CA.pem /misc/config/grpc/dialout/dialout.pem


telemetry model-driven
 destination-group TIG
  address-family ipv4 10.100.100.1 port 57500
   encoding self-describing-gpb
   protocol grpc tls-hostname telegraf.lab
  !
 !
 sensor-group SENSOR1
  sensor-path Cisco-IOS-XR-infra-statsd-oper:infra-statistics/interfaces/interface/latest/generic-counters
 !
 subscription SUB1
  sensor-group-id SENSOR1 sample-interval 5000
  destination-id TIG

Explanation

When using dial-out MDT, the router is the client and the collector is the server (the router initiates the TCP connection to the collector). During the TLS handshake the collector sends its certificate to the router to authenticate itself. The router needs the public cert of the root CA to verify the collector's cert.

This means that we need to copy the root CA certificate to the router. We do this using SCP from the Ubuntu node.

scp CA.pem clab@10.100.100.101:/harddisk:/ 

Next, we need to copy the file to the correct location on the router. The router only looks for the cert at /misc/config/grpc/dialout/dialout.pem. The filename matters: it must match exactly. We use the bash cp command (via run) to copy the file to this location.

run cp /harddisk\:/CA.pem /misc/config/grpc/dialout/dialout.pem

Now that the root CA is present, we configure dial-out MDT as usual but add the TLS parameters. We only need to specify the TLS hostname, which must match the name in the certificate the collector presents, in this case telegraf.lab (the cert was generated with this hostname).

telemetry model-driven
 destination-group TIG
  address-family ipv4 10.100.100.1 port 57500
   encoding self-describing-gpb
   protocol grpc tls-hostname telegraf.lab
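The two checks the router performs at this point, chain validation against the root CA in dialout.pem and a match of tls-hostname against the collector certificate, can be rehearsed on the Ubuntu host before touching the router. The script below is an added example, not part of this lab or of the xrdocs certificate tutorial; it assumes openssl is installed, builds a throwaway CA and collector certificate in a temporary directory (so it never touches a real collector), and reuses the lab's hostname telegraf.lab and file names. The chmod +r mirrors the permission fix noted earlier in the lab.

```shell
#!/bin/sh
# Added example (not from the original lab): generate a throwaway root CA and a
# collector certificate for telegraf.lab, then run the same two checks the
# router performs when it dials out with TLS:
#   1. does the collector cert chain to the root CA copied to dialout.pem?
#   2. is the cert valid for the name given as tls-hostname?
# Assumes openssl is on PATH. Everything is written to the directory given as $1.

# make_lab_pki DIR : create CA.pem (root CA) and telegraf.lab.pem/.key in DIR.
make_lab_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Self-signed root CA. Only CA.pem (never CA.key) is copied to the router.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=lab-root-ca" \
        -keyout "$dir/CA.key" -out "$dir/CA.pem" >/dev/null 2>&1 || return 1
    # Collector key and CSR. The router matches tls-hostname against the
    # certificate's DNS SAN, so the name must be present there, not only in CN.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=telegraf.lab" \
        -keyout "$dir/telegraf.lab.key" -out "$dir/telegraf.lab.csr" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=DNS:telegraf.lab\n' > "$dir/san.cnf"
    # Sign the CSR with the root CA, attaching the SAN extension.
    openssl x509 -req -days 30 -in "$dir/telegraf.lab.csr" \
        -CA "$dir/CA.pem" -CAkey "$dir/CA.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -out "$dir/telegraf.lab.pem" >/dev/null 2>&1 || return 1
    # openssl writes the key 0600; Telegraf runs unprivileged inside the
    # container, which is why the lab needed chmod +r before bind-mounting it.
    chmod +r "$dir/telegraf.lab.key"
    # What the router ends up with: the root CA under the fixed name dialout.pem.
    cp "$dir/CA.pem" "$dir/dialout.pem"
}

# check_collector_cert DIR HOSTNAME : succeed only if telegraf.lab.pem chains to
# dialout.pem AND is valid for HOSTNAME (the effect of
# "protocol grpc tls-hostname HOSTNAME" on the router).
check_collector_cert() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/dialout.pem" -verify_hostname "$host" \
        "$dir/telegraf.lab.pem" >/dev/null 2>&1
}

# Stand-alone run: build the PKI, then show a matching and a mismatched hostname.
demo_dir="$(mktemp -d)"
if make_lab_pki "$demo_dir"; then
    check_collector_cert "$demo_dir" telegraf.lab && echo "tls-hostname telegraf.lab: OK"
    check_collector_cert "$demo_dir" wrong.lab || echo "tls-hostname wrong.lab: rejected (hostname mismatch)"
fi
rm -rf "$demo_dir"
```

A cert that passes the first check but fails the second is the common misconfiguration here: the chain is fine, but the name in tls-hostname is not in the certificate, and the router's trace will show a TLS failure even though dialout.pem is in place.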

Traffic should now be working. You should see data in Grafana using the below query.

from(bucket: "telemetry")
  |> range(start: v.timeRangeStart, stop:v.timeRangeStop)
  |> filter(fn: (r) =>
    r._measurement == "Cisco-IOS-XR-infra-statsd-oper:infra-statistics/interfaces/interface/latest/generic-counters" and
    r._field == "bytes_sent"
  )

We can see in a pcap that traffic is correctly encrypted using TLSv1.3:

We can also see on the router that the connection is using grpc with TLS:

If the session is not connecting, we can use the command show telemetry model-driven trace go-info | in TLS to help troubleshoot. Below is the message you would see when there is no cert present in /misc/config/grpc/dialout/dialout.pem

When it is working, you will see a message similar to this:

Note that gRPC is required for TLS. TCP is a valid transport for dial-out, but it cannot be used with TLS.
