← All posts
Deep Dive

Talking to Cisco SD-WAN: Automating vManage With the REST API

The overlay has an API — use it instead of clicking through dashboards.

NAPT Team11 min read
vManage API flowPython clientrequests.SessionvManage/dataservice RESTvSmartOMP control planeWAN edgesBFD sessionstoken auth → JSESSIONID + X-XSRF-TOKEN
vManage is the API front door to the SD-WAN fabric; vSmart and the edges sit behind it.

Cisco SD-WAN is API-first whether you treat it that way or not. Every screen in vManage is backed by a /dataservice endpoint. Automating it starts with one slightly awkward authentication flow.

The auth handshake

vManage uses session-cookie auth plus a cross-site request token. You log in for a JSESSIONID, then fetch an X-XSRF-TOKEN you must attach to every write.

python
import requests

class VManage:
    def __init__(self, host, user, pw):
        self.base = f"https://{host}"
        self.s = requests.Session()
        self.s.verify = False  # lab only; pin the cert in production
        self._login(user, pw)

    def _login(self, user, pw):
        r = self.s.post(f"{self.base}/j_security_check",
                        data={"j_username": user, "j_password": pw})
        if "html" in r.text.lower():
            raise RuntimeError("vManage login failed")
        token = self.s.get(f"{self.base}/dataservice/client/token")
        self.s.headers["X-XSRF-TOKEN"] = token.text
Info: The login "succeeds" with HTTP 200 even on bad credentials — vManage returns the login page HTML. Always inspect the body, not just the status code.

List devices in the fabric

python
    def devices(self):
        r = self.s.get(f"{self.base}/dataservice/device")
        return r.json()["data"]

vm = VManage("vmanage.example.com", "automation", "••••")
for d in vm.devices():
    print(d["host-name"], d["device-type"], d["reachability"])

Collect BFD session health

In SD-WAN, tunnel health is BFD health. A down BFD session means a dead data-plane tunnel between two edges, regardless of what the routing looks like.

python
    def bfd_summary(self, system_ip):
        r = self.s.get(f"{self.base}/dataservice/device/bfd/sessions",
                       params={"deviceId": system_ip})
        return r.json()["data"]

for s in vm.bfd_summary("10.255.0.1"):
    state = s["state"]
    flag = "OK " if state == "up" else "DOWN"
    print(f"{flag} {s['src-ip']} -> {s['dst-ip']} ({s['color']}/{s['dst-color']})")

What the control plane gives you for free

Because vSmart distributes routing through OMP, the fabric's intended state lives in one place. Pulling OMP routes from vManage lets you diff intended overlay reachability against the BFD reality on the edges — the SD-WAN equivalent of config-vs-state drift.

Pro tip: Wrap the session in a context manager and always call /logout. vManage caps concurrent sessions, and leaked sessions from crashed scripts will eventually lock you out.
#sdwan#api#deep-dive

Was this helpful?

Generate scripts for the task covered in this post

Describe what you need and NAPT writes production-ready automation in Netmiko, NAPALM, or Nornir.

Open Script Generator →
New to NAPT? Start with the Setup Guide

Related posts