Dial-Out with TLS
Last updated
Within NSO, edit the telegraf_dial_out.conf file. Uncomment the TLS lines under INPUT PLUGINS:
Follow these steps to create certificates for the server: https://xrdocs.io/telemetry/tutorials/telemetry-stack-update-grpc-tls/#telegraf-certificate
Note that I had to do this after following all of those steps:
Edit the docker-compose.yaml file. Add the three lines that copy the cert files into the container, and set the method to dial_out.
Stop and then relaunch the container.
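For reference, this is what the TLS-enabled dial-out input in a Telegraf configuration looks like once the TLS lines are uncommented. It is an added example, not the page's telegraf_dial_out.conf; the port matches the collector address given below, while the certificate paths inside the container are assumptions and must match whatever paths the docker-compose volume lines mount the files at.

```toml
[[inputs.cisco_telemetry_mdt]]
  ## Dial-out: the router opens the connection, so Telegraf listens here.
  ## TLS is only available with the grpc transport, not tcp.
  transport = "grpc"
  service_address = ":57500"

  ## Server certificate and private key presented to the router during the
  ## TLS handshake. The router verifies this cert against the root CA it holds
  ## in /misc/config/grpc/dialout/dialout.pem and checks that the configured
  ## tls-hostname (telegraf.lab) is present in the cert.
  ## Paths are assumptions for this lab, not values from the original page.
  tls_cert = "/etc/telegraf/cert.pem"
  tls_key = "/etc/telegraf/key.pem"
```

The private key should be mounted read-only and readable only by the Telegraf process; the CA certificate is what gets copied to the router, never the key.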
Configure Dial-Out MDT on XR1 using the following parameters:
- The collector is 10.10.40.17:57500
- Use GPB-KV
- Use gRPC using TLS
SCP the root CA cert to the router using scp CA.pem clab@10.100.100.101:/harddisk:/ within Ubuntu. This file is located in the /tig-stack-qos-interface-statistics directory.
Place the CA.pem file in the correct directory on the router using run cp /harddisk\:/CA.pem …
You will have to figure out the destination location on your own!
Restart the EMSD process using: process restart emsd
Use the tls-hostname telegraf.lab for the server
Use the YANG model Cisco-IOS-XR-infra-statsd-oper:infra-statistics/interfaces/interface/latest/generic-counters
Push the data at a 5 second interval to the collector
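The router-side configuration that satisfies the parameters above, written out as an added example rather than copied from the lab page. The collector address, port, encoding, tls-hostname, sensor path and 5 second interval are the values given above; the group and subscription names (DG-TELEGRAF, SG-INTF-COUNTERS, SUB-INTF-COUNTERS) are arbitrary labels chosen for this example.

```text
! IOS-XR dial-out MDT with gRPC over TLS (example configuration)
telemetry model-driven
 ! Where to push: the Telegraf collector at 10.10.40.17:57500.
 destination-group DG-TELEGRAF
  address-family ipv4 10.10.40.17 port 57500
   ! GPB-KV is called self-describing-gpb in IOS-XR.
   encoding self-describing-gpb
   ! gRPC with TLS; telegraf.lab must appear in the collector's certificate,
   ! which the router validates against /misc/config/grpc/dialout/dialout.pem.
   ! (A plaintext session would instead be "protocol grpc no-tls".)
   protocol grpc tls-hostname telegraf.lab
  !
 !
 ! What to push: generic interface counters from the statsd operational model.
 sensor-group SG-INTF-COUNTERS
  sensor-path Cisco-IOS-XR-infra-statsd-oper:infra-statistics/interfaces/interface/latest/generic-counters
 !
 ! How often: sample-interval is in milliseconds, so 5000 = 5 seconds.
 subscription SUB-INTF-COUNTERS
  sensor-group-id SG-INTF-COUNTERS sample-interval 5000
  destination-id DG-TELEGRAF
 !
!
```

After committing, show telemetry model-driven destination should report the destination as active; if it does not, the trace command described further down is the place to look, and a missing or misnamed dialout.pem is the first thing to rule out.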
Login to Grafana at http://10.200.255.4 using admin/admin123. Use the following grafana query to confirm the MDT is working:
When using dial-out MDT, the router is the client and the collector is the server (the router initiates the TCP connection to the collector). The collector sends its certificate to the router to authenticate itself, so the router needs the public cert of the root CA to verify the collector's cert.
This means that we need to copy the root CA to the router. We do this using SCP from the Ubuntu node.
Next, we need to copy the file to the correct location on the router. The router only looks for the cert in /misc/config/grpc/dialout/dialout.pem. The filename is important - it must match exactly. We use the bash cp command to copy the file to this location.
Now that the root CA is present, we just configure dial out MDT as usual, but set the TLS parameters. We just need to specify the TLS hostname that is present in the cert the server is sending, which in this case is telegraf.lab. (The cert was generated with this hostname).
Traffic should now be working. You should see data in Grafana using the below query.
We can see in a pcap that traffic is correctly encrypted using TLSv1.3:
We can also see on the router that the connection is using grpc with TLS:
If the session is not connecting, we can use the command show telemetry model-driven trace go-info | in TLS to help troubleshoot. Below is the message you would see when there is no cert present in /misc/config/grpc/dialout/dialout.pem:
When it is working, you will see a message similar to this:
Note that gRPC is required for using TLS. While TCP is a valid transport method for dial-out, it cannot be used with TLS, so a TCP dial-out session always sends telemetry in cleartext.