Creating an ANC Policy

An ANC policy is created with the desired action. In this example, the pxGrid client creates an ANC_QUARANTINE_EXAMPLE policy with the quarantine action. Please note the supported actions are: Quarantine, Port-Bounce and Port-Shut. For more information on the ANC Configuration topic, please see: ANC Configuration

Code Step-Through

We create a public class ANCCreatePolicy with a nested Policy class whose enum Action defines the allowed ANC actions: QUARANTINE, SHUT_DOWN, and PORT_BOUNCE.

The private static void create method takes a SampleConfiguration object and the policy name. The SampleConfiguration object holds the pxGrid connection parameters: the ISE pxGrid node hostname, the client node name, the identity keystore (.jks) filename and the truststore keystore (.jks) filename. From it we construct a new PxgridControl object, which issues the pxGrid client account activation, service lookup, and access secret requests to the ISE pxGrid node.

Under // pxGrid ServiceLookup for session service, a service lookup is performed for the ISE node publishing the com.cisco.ise.config.anc service. If there were more than one ISE node in the pxGrid deployment, a node would be picked at random from the returned list to find an available node. Think of this as load balancing that evenly distributes the load across nodes.

Under // Use first service, we take the first service returned and build the createPolicy URL from its "restBaseUrl" property plus "/createPolicy".

Under // pxGrid AccessSecret for the node, we obtain the access secret for that node from the ISE pxGrid node and build the policy object. You also need to specify the desired action, i.e. QUARANTINE.

SampleHelper.postObjectAndPrint is passed the URL, the client node name, the access secret, and the SSL socket factory (the trust information) from the configuration; it posts the policy object and prints the response.

main parses the SampleConfiguration parameters from the command line and prints the usage help on a parse error.

Under // AccountActivate, we create the PxgridControl object and call accountActivate, sleeping 60 seconds and retrying until the pxGrid client account state is ENABLED. The pxGrid controller version is then logged, the user is prompted for a policy name, and the ANC policy is created.
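The step-through above (service lookup and node selection, URL construction, access secret, policy payload and the POST) as an added Python example; this is not code from the Cisco pxGrid samples. It assumes the createPolicy call authenticates with HTTP Basic credentials of the form <client node name>:<access secret>, and the ServiceLookup response is a constructed copy of the log output on this page with a second, hypothetical ISE node added to show selection across nodes. The secrets and the get_secret callable are constructed placeholders for the AccessSecret request.

```python
import base64
import json
import random
import ssl
import urllib.request

ANC_SERVICE = "com.cisco.ise.config.anc"
# Action names accepted by createPolicy, matching the Policy.Action enum in the Java sample.
ALLOWED_ACTIONS = ("QUARANTINE", "SHUT_DOWN", "PORT_BOUNCE")

# Constructed sample ServiceLookup response: the first entry mirrors the log output on this
# page; the second node is hypothetical, added to show selection across several nodes.
SAMPLE_SERVICE_LOOKUP = {
    "services": [
        {
            "name": ANC_SERVICE,
            "nodeName": "ise-admin-ise24fc3",
            "properties": {
                "wsPubsubService": "com.cisco.ise.pubsub",
                "restBaseUrl": "https://ise24fc3.lab10.com:8910/pxgrid/ise/config/anc",
                "statusTopic": "/topic/com.cisco.ise.config.anc.status",
            },
        },
        {
            "name": ANC_SERVICE,
            "nodeName": "ise-admin-ise24fc3-b",  # hypothetical second ISE node
            "properties": {
                "wsPubsubService": "com.cisco.ise.pubsub",
                "restBaseUrl": "https://ise24fc3-b.lab10.com:8910/pxgrid/ise/config/anc",
                "statusTopic": "/topic/com.cisco.ise.config.anc.status",
            },
        },
    ]
}


def pick_service(lookup_response, rng=random):
    """Pick one node publishing the ANC service; a random pick spreads load across nodes."""
    candidates = [
        s for s in lookup_response.get("services", [])
        if s.get("name") == ANC_SERVICE and "restBaseUrl" in s.get("properties", {})
    ]
    if not candidates:  # same condition the Java sample reports as "Service unavailable"
        raise RuntimeError("Service unavailable")
    return rng.choice(candidates)


def create_policy_url(service):
    """restBaseUrl + /createPolicy, as the Java sample builds it."""
    return service["properties"]["restBaseUrl"].rstrip("/") + "/createPolicy"


def build_policy(name, actions):
    """Validate the policy before it leaves the client: non-empty name, only known actions."""
    if not name:
        raise ValueError("policy name is required")
    if not actions:
        raise ValueError("at least one action is required")
    unknown = [a for a in actions if a not in ALLOWED_ACTIONS]
    if unknown:
        raise ValueError(f"unsupported ANC action(s): {unknown}")
    return {"name": name, "actions": list(actions)}


def basic_auth_header(client_nodename, secret):
    """HTTP Basic credential <client node name>:<access secret> (assumed pxGrid REST auth)."""
    token = base64.b64encode(f"{client_nodename}:{secret}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_create_policy_request(lookup_response, client_nodename, get_secret, name, actions, rng=random):
    """Assemble the POST without sending it; get_secret(node) stands in for the AccessSecret call."""
    service = pick_service(lookup_response, rng)
    secret = get_secret(service["nodeName"])  # secret is per peer node, so fetch it after picking
    body = json.dumps(build_policy(name, actions), separators=(",", ":")).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": basic_auth_header(client_nodename, secret),
    }
    return {"peerNodeName": service["nodeName"], "url": create_policy_url(service),
            "headers": headers, "body": body}


def post_policy(request, truststore_pem):
    """Send the assembled request, trusting only the given CA bundle (PEM); needs a live ISE."""
    ctx = ssl.create_default_context(cafile=truststore_pem)
    req = urllib.request.Request(request["url"], data=request["body"],
                                 headers=request["headers"], method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    secrets = {"ise-admin-ise24fc3": "SECRET_A", "ise-admin-ise24fc3-b": "SECRET_B"}  # constructed
    req = build_create_policy_request(SAMPLE_SERVICE_LOOKUP, "mac05", secrets.__getitem__,
                                      "ANC_QUARANTINE_EXAMPLE", ["QUARANTINE"])
    print(req["peerNodeName"], req["url"], req["body"].decode())
```

The request is assembled and validated separately from sending, so the node selection, URL and body can be checked offline; post_policy pins trust to an explicit CA bundle rather than the system store, which is the role the truststore .jks plays in the Java sample.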

Java Code Example

package com.cisco.pxgrid.samples.ise;

import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import org.apache.commons.cli.ParseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.cisco.pxgrid.samples.ise.model.AccountState;
import com.cisco.pxgrid.samples.ise.model.Service;

/**
 * Demonstrates how to create an ANC Policy
 */
public class ANCCreatePolicy {
    private static Logger logger = LoggerFactory.getLogger(ANCCreatePolicy.class);
    private static class Policy {
        public enum Action {
            QUARANTINE, SHUT_DOWN, PORT_BOUNCE
        }
        private String name;
        private List<Action> actions;
        public String getName() {
            return name;
        }
        public void setName(String name) {
            this.name = name;
        }
        public List<Action> getActions() {
            return actions;
        }
        public void setActions(List<Action> actions) {
            this.actions = actions;
        }
        
    }
    
    private static void create(SampleConfiguration config, String policyName) throws IOException {
        PxgridControl pxgrid = new PxgridControl(config);
        
        // pxGrid ServiceLookup for session service
        Service[] services = pxgrid.serviceLookup("com.cisco.ise.config.anc");
        if (services == null || services.length == 0) {
            System.out.println("Service unavailable");
            return;
        }
        
        // Use first service
        Service service = services[0];
        String url = service.getProperties().get("restBaseUrl") + "/createPolicy";
        logger.info("url={}", url);
        
        // pxGrid AccessSecret for the node
        String secret = pxgrid.getAccessSecret(service.getNodeName());
        Policy policy = new Policy();
        policy.setName(policyName);
        policy.setActions(Arrays.asList(Policy.Action.QUARANTINE));
        SampleHelper.postObjectAndPrint(url, config.getNodeName(), secret, config.getSSLContext().getSocketFactory(), policy);
    }

    public static void main(String [] args) throws Exception {
        // Parse arguments
        SampleConfiguration config = new SampleConfiguration();
        try {
            config.parse(args);
        } catch (ParseException e) {
            config.printHelp("ANCCreatePolicy");
            System.exit(1);
        }

        // AccountActivate
        PxgridControl pxgrid = new PxgridControl(config);
        while (pxgrid.accountActivate() != AccountState.ENABLED)
            Thread.sleep(60000);
        logger.info("pxGrid controller version={}", pxgrid.getControllerVersion());
        String policyName = SampleHelper.prompt("Create policy name: ");
        create(config, policyName);
    }
}

Output

------ config ------
  hostname = ise24fc3.lab10.com
  nodename = mac05
  password = (not specified)
  description = (not specified)
  keystorefilename = /Applications/master_rest_samples/sw1.jks
  keystorepassword = Cisco123
  truststorefilename = /Applications/master_rest_samples/sw1root.jks
  truststorepassword = Cisco123
--------------------
20:16:21.375 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccountActivate request={}
20:16:21.557 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccountActivate response={"accountState":"ENABLED","version":"2.0.0.13"}
20:16:21.558 [main] INFO com.cisco.pxgrid.samples.ise.ANCCreatePolicy - pxGrid controller version=2.0.0.13
Create policy name: 
ANC_QUARANTINE_EXAMPLE
20:16:43.591 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - ServiceLookup request={"name":"com.cisco.ise.config.anc"}
20:16:43.610 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - ServiceLookup response={"services":[{"name":"com.cisco.ise.config.anc","nodeName":"ise-admin-ise24fc3","properties":{"wsPubsubService":"com.cisco.ise.pubsub","restBaseUrl":"https://ise24fc3.lab10.com:8910/pxgrid/ise/config/anc","statusTopic":"/topic/com.cisco.ise.config.anc.status"}}]}
20:16:43.611 [main] INFO com.cisco.pxgrid.samples.ise.ANCCreatePolicy - url=https://ise24fc3.lab10.com:8910/pxgrid/ise/config/anc/createPolicy
20:16:43.620 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccessSecret request={"peerNodeName":"ise-admin-ise24fc3"}
20:16:43.640 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccessSecret response={"secret":"RhntxITOSQNNCh9y"}
20:16:43.658 [main] INFO com.cisco.pxgrid.samples.ise.SampleHelper - postData={"name":"ANC_QUARANTINE_EXAMPLE","actions":["QUARANTINE"]}
20:16:43.792 [main] INFO com.cisco.pxgrid.samples.ise.SampleHelper - Response status=200
Content: {"name":"ANC_QUARANTINE_EXAMPLE","actions":["QUARANTINE"]}

What you see in ISE

Select Operations->Adaptive Network Control->Policy List. You should see that the ANC_QUARANTINE_EXAMPLE policy was created.