Contrail Insights JTI (gRPC) Monitoring

Set Up gRPC-based Streaming

For gRPC-based streaming, Junos OS Release 16.1R3 or later is required. Contrail Insights automatically configures the network device based on the JSON file you provide, and streams the gRPC metrics at a default interval of 60 seconds.

Only on platforms that run a version of Junos OS based on an upgraded FreeBSD kernel, you must install a separate package called Network Agent, which functions as a gRPC server and terminates the RPC interfaces. For all other versions of Junos OS, the Network Agent functionality is embedded in the software. You must also install the OpenConfig for Junos OS module and the YANG models. For more details, see Understanding OpenConfig and gRPC on Junos Telemetry Interface.

After completing the above steps, verify the following configuration on the network device:

While configuring gRPC devices, you can choose to enable SSL on the gRPC subscription. Select Settings in the top right of the Dashboard, then Network Devices > +Add Device. Also, see section “Secure Socket Layer (SSL) gRPC Configuration.”

Figure 1: Configure gRPC Network Device Telemetry and Enable SSL

In addition, you need to enable the gRPC plug-in in your group_vars/all file to enable gRPC monitoring in Contrail Insights:

To allow Contrail Insights to configure the network device, apply the following settings on your device and supply the device username and password:

Unsecured gRPC Configuration

The following is the configuration Contrail Insights adds on the device when you select SSLEnabled = False when configuring the device.

Secure Socket Layer (SSL) gRPC Configuration

Before enabling SSL, complete the following steps so that Contrail Insights can subscribe to devices over SSL.

  1. Certificates for all devices need to be signed by a single certificate authority (CA).

  2. The Common Name (CN) value specified in the certificate used by a particular device should be that device's Domain Name System (DNS) name.

  3. Certificates need to be preloaded on the device under the name appformix by running the following command:

  4. When configuring the devices in Contrail Insights, enter the device DNS name or IP address in the ManagementIp field. The ManagementIp should be able to resolve (translate) the device DNS name from the Contrail Insights Platform node.

    Example configuration Contrail Insights puts on the device:

Distribute gRPC Network Device CA Using Ansible

For Contrail Insights to have secure connections between collectors (Contrail Insights Agent and devices), the collector needs to have the CA that signed all of the devices' certificates in /opt/appformix/etc/cert/.
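Before distributing the CA, each device certificate can be checked against the two SSL prerequisites listed earlier (signed by the one CA, CN equal to the device's DNS name). The script below is an added example, not part of the Juniper documentation or tooling; it assumes the `openssl` CLI (1.1.0 or later) is installed, and its function names and exit codes are the example's own.

```shell
#!/bin/sh
# Added example (not Juniper code): pre-flight check of a device certificate
# against the SSL prerequisites: signed by the one CA, CN equals the DNS name.
# Function names and exit codes are this example's own.

# cert_cn CERT_PEM: print the subject Common Name of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        awk -F' = ' '$1 ~ /commonName/ { print $2; exit }'
}

# lower STRING: DNS names compare case-insensitively.
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_device_cert CA_PEM DEVICE_PEM DNS_NAME
# Returns 0 if both prerequisites hold, 1 if the certificate does not chain
# to CA_PEM (or is expired/unreadable), 2 if the CN differs from DNS_NAME.
check_device_cert() {
    ca=$1; cert=$2; dns=$3
    # -no-CApath keeps the default CA directory out of the decision, so only
    # the single CA handed to the collectors can vouch for the device.
    if ! openssl verify -no-CApath -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL $cert: does not verify against $ca" >&2
        return 1
    fi
    cn=$(cert_cn "$cert")
    if [ -z "$cn" ] || [ "$(lower "$cn")" != "$(lower "$dns")" ]; then
        echo "FAIL $cert: CN '$cn' does not match '$dns'" >&2
        return 2
    fi
    echo "OK   $cert: signed by CA, CN=$cn"
}

# Stand-alone use: sh check_cert.sh CA_PEM DEVICE_PEM DNS_NAME
if [ "$#" -eq 3 ]; then
    check_device_cert "$1" "$2" "$3"
fi
```

Exit code 1 also catches a device certificate that was self-signed or issued by a different CA, which would otherwise only surface as a failed gRPC subscription.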

Then use Ansible to distribute the CA to all Contrail Insights Agents. Add the following in your group_vars/all file and then run the playbook.