Cisco Nexus 1000v Series Switches, Part 2: Meet the 1000v Family: The Secret of Unity

Vishal Mehta, Technical Marketing Engineer

February 17, 2015

Cisco Support Community Deep Dive Expert Series Webcast


Page 1

Title slide: Cisco Nexus 1000v Series Switches, Part 2: Meet the 1000v Family: The Secret of Unity (Vishal Mehta, Technical Marketing Engineer; February 17, 2015; Cisco Support Community Deep Dive Expert Series Webcast)

Page 2

Upcoming Expert Series Webcasts

In-Depth on Cisco Nexus 1000V Series Switches, Part 3: Game Changer: Silver Lining in the Cloud
February 24, 2015
Vishal will continue the topic by discussing the Nexus 1000v through the deployment phases for enabling ICF (Intercloud Fabric).
http://tools.cisco.com/gems/cust/customerSite.do?METHOD=E&LANGUAGE_ID=E&SEMINAR_CODE=S22085

Demystifying Unified Computing System (UCS) Interfaces for Troubleshooting
March 17th, 2015
Ever wonder what VFC, VETH, VIF and HIF are in UCS and which path your packets are taking? UCS infrastructure has several virtual components, which makes it challenging to troubleshoot but critical to understand. Cisco Expert Niles Pyelshak will discuss UCS interfaces and how packets travel from the UCS server.
https://supportforums.cisco.com/event/12413926/expert-webcast-demystifying-unified-computing-system-ucs-interfaces-troubleshooting

Page 3

Ask the Expert Events – Active (now through February 27th)

Join the discussion for these Ask The Expert Events: https://supportforums.cisco.com/expert-corner/knowledge-sharing

Cisco Email Security Appliance (ESA), Web Security Appliance (WSA), and Content Security Management Appliance (SMA): join Cisco Expert Nasir Abbas.

Page 4

Rate Content: now your ratings on documents, videos, and blogs count and give points to the authors! So when you contribute and receive ratings, you now get the points in your profile.

Help us recognize the quality content in the community and make your searches easier. Rate content in the community: https://supportforums.cisco.com/blog/154746

Encourage and acknowledge people who generously share their time and expertise.

Page 6

Cisco Support Community Expert Series Webcast
• Today's featured expert is Cisco Technical Marketing Engineer Vishal Mehta
• Ask your questions now in the Q&A window

Cisco Nexus 1000v Series Switches, Part 2: Meet the 1000v Family: The Secret of Unity. Vishal Mehta, Technical Marketing Engineer, February 17, 2015.

Page 7

Topic: Part 2: Meet the 1000v Family: The Secret of Unity

Technical Expert – Question Manager: Gunjan Patel

Page 8

If you would like a copy of the presentation slides, click the PDF file link in the chat box on the right or go to:
https://supportforums.cisco.com/document/12427796/expert-depth-series-cisco-nexus-1000v-series-switches-part-2-slides
or https://supportforums.cisco.com/expert-corner/knowledge-sharing

Thank You For Joining Us Today!

Page 9

Ask the Expert Event following the Webcast (now through February 27th)

Join the discussion for these Ask The Expert Events: https://supportforums.cisco.com/expert-corner/knowledge-sharing

Vishal will be continuing the discussion in an Ask the Expert event. So if you have more questions, please visit the Knowledge Center on the Cisco Support Community:
https://supportforums.cisco.com/discussion/12412941/ask-expert-deepdive-cisco-nexus-1000v-series-switches

Page 10

Submit Your Questions Now! Use the Q&A panel to submit your questions and the panel of experts will respond.

Please take a moment to complete the survey at the end of the webcast.

Page 11

Polling Question 1

How do you provide security to virtual workloads?

a. We rely on physical security devices
b. We are using a mix of physical and virtual security applications
c. We are using virtual security

Page 12

Cisco Nexus 1000V Series Switches Part 2: Conquered Territory: Multi-Hypervisor

Vishal Mehta, Technical Marketing Engineer, February 17, 2015. Cisco Support Community Deep Dive Expert Series Webcast.

Page 13

Agenda
• vPath – The Secret
• Prime NSC (formerly VNMC)
• Firewalls – VSG & ASAv
• Cloud Service Router – CSRv
• NetScaler Load-Balancer
• vNAM & vWAAS
• Common Deployments
• VACS – Containers

Page 14

Conquered Territory: Multi-Hypervisor

Page 15

VXLAN Strategy (table: rows VXLAN and VXLAN Gateway; columns Nexus 1000V release 1.5.1, 2.2, 3.0 and Strategy)

VXLAN
• Release 1.5.1: VXLAN 1.0 – multicast based; flood and learn
• Release 2.2: VXLAN 1.5 – single VSM only; MAC distribution; no flood and learn
• Release 3.0: VXLAN 2.0 – BGP control plane; VTEP distribution
• Strategy: continue supporting multicast-based VXLAN for standards compliance and interoperability with Nexus hardware; BGP control plane for interoperability with the Nexus 9K and for a better physical/virtual story

VXLAN Gateway
• Release 1.5.1: N/A
• Release 2.2: Nexus 1110
• Release 3.0: GW as a VM
• Strategy: minimize investment in the software VXLAN GW, since Nexus hardware will have GW functionality at a cheaper price point; develop the GW as a VM for proofs of concept and cloud use cases
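Worked example (added here; not code from the webcast or from Cisco). The security-relevant difference between the flood-and-learn VXLAN of release 1.5.1 and the MAC-distribution / BGP control plane of releases 2.2 and 3.0 is where a VTEP's MAC table comes from. A flood-and-learn VTEP binds an inner source MAC to whichever outer IP the encapsulated frame arrived from, so anything that can send UDP/4789 to the VTEP can re-point a VM's MAC at itself; a control-plane VTEP only honours bindings pushed to it (by the VSM or BGP in the slides) and drops data-plane traffic that disagrees with them. The script parses the RFC 7348 VXLAN header and inner Ethernet header, then replays a constructed legitimate frame and a constructed spoofed frame through both modes. All frame bytes, MACs and addresses are made up for the example.

```python
"""VXLAN decapsulation and the two ways a VTEP fills its MAC table.

Added example, not code from the webcast or from Cisco.  Models a VTEP that
decapsulates RFC 7348 VXLAN UDP payloads and then learns inner-MAC to
remote-VTEP bindings either from the data plane (flood-and-learn, the
slide's VXLAN 1.0) or only from a control plane that pushes bindings (MAC
distribution / BGP, the slide's VXLAN 1.5 and 2.0).  All frames, MACs and
addresses below are constructed for the example.
"""
import struct

VXLAN_UDP_PORT = 4789
FLAG_I = 0x08  # "VNI valid" bit in the VXLAN flags byte


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_vxlan(vni: int, dst_mac: str, src_mac: str, inner: bytes = b"") -> bytes:
    """Constructed VXLAN UDP payload: 8-byte header + inner Ethernet frame (IPv4)."""
    header = struct.pack("!B3sI", FLAG_I, b"\x00\x00\x00", vni << 8)
    return header + mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + inner


def parse_vxlan(payload: bytes) -> dict:
    """Parse the VXLAN header and inner Ethernet header; raise on what a VTEP must drop."""
    if len(payload) < 8 + 14:
        raise ValueError("truncated VXLAN packet")
    flags, _reserved, vni_rsvd = struct.unpack("!B3sI", payload[:8])
    if not flags & FLAG_I:
        raise ValueError("VNI-valid flag not set")
    eth = payload[8:22]
    return {
        "vni": vni_rsvd >> 8,  # 24-bit VNI; the low byte is reserved
        "dst_mac": mac_str(eth[0:6]),
        "src_mac": mac_str(eth[6:12]),
        "ethertype": struct.unpack("!H", eth[12:14])[0],
        "inner": payload[22:],
    }


class Vtep:
    """Per-VNI MAC table keyed by (vni, mac) -> remote VTEP IP."""

    def __init__(self, mode: str):
        assert mode in ("flood-and-learn", "control-plane")
        self.mode, self.mac_table, self.alerts = mode, {}, []

    def install_binding(self, vni: int, mac: str, vtep_ip: str) -> None:
        """Binding pushed by the control plane (VSM MAC distribution or BGP)."""
        self.mac_table[(vni, mac)] = vtep_ip

    def receive(self, outer_src_ip: str, payload: bytes):
        """Decapsulate one packet; return the parsed frame, or None if it was dropped."""
        frame = parse_vxlan(payload)
        key = (frame["vni"], frame["src_mac"])
        if self.mode == "flood-and-learn":
            # Data-plane learning: whoever sourced the outer packet now "owns" the MAC.
            self.mac_table[key] = outer_src_ip
            return frame
        expected = self.mac_table.get(key)
        if expected != outer_src_ip:
            self.alerts.append(f"vni {key[0]}: {key[1]} from {outer_src_ip}, expected {expected}")
            return None
        return frame

    def lookup(self, vni: int, mac: str):
        """None means flood to the VNI's multicast group (or drop, in control-plane mode)."""
        return self.mac_table.get((vni, mac))


def demo() -> dict:
    """Replay a legitimate frame and a spoofed one through both VTEP modes."""
    vm_mac, bcast = "00:50:56:aa:bb:01", "ff:ff:ff:ff:ff:ff"
    legit = build_vxlan(5000, bcast, vm_mac, b"arp-request")
    spoof = build_vxlan(5000, bcast, vm_mac, b"arp-request")  # same inner MAC, rogue outer source

    fl = Vtep("flood-and-learn")
    fl.receive("10.0.0.2", legit)
    fl.receive("10.0.0.66", spoof)  # table silently re-pointed to the rogue VTEP

    cp = Vtep("control-plane")
    cp.install_binding(5000, vm_mac, "10.0.0.2")
    cp.receive("10.0.0.2", legit)
    cp.receive("10.0.0.66", spoof)  # dropped and logged: the binding disagrees

    return {
        "flood_and_learn_owner": fl.lookup(5000, vm_mac),
        "control_plane_owner": cp.lookup(5000, vm_mac),
        "control_plane_drops": len(cp.alerts),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the flood-and-learn table ends up pointing the VM's MAC at 10.0.0.66 while the control-plane VTEP keeps 10.0.0.2 and records one drop. The same split applies to a hardware gateway: if a VXLAN gateway still learns from the data plane, its reachable UDP/4789 surface needs to be limited to the real VTEPs.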

Page 16

1000v L2-7 Services

Page 17

Agenda (repeated section divider; see Page 13)

Page 18

(no text on slide)

Page 19

vPath Explanation (diagram)

Page 20

Agenda (repeated section divider; see Page 13)

Page 21

(no text on slide)

Page 22

PNSC

Page 23

PNSC – Look & Feel (screenshot)

Page 24

Prime NSC Functional Components

Service Registry
• A central registry of endpoints (VSM, VSG, ASA 1000V, ICS, ICX, CVSM) and providers (RM, PM, VMM, MC)
• Org repository for multi-tenancy

Policy Manager
• Centralized repository of device, firewall and InterCloud tunnel policies
• Policy authoring and administration

Resource Manager
• Management of VSG, ASA 1000V, VSM, VMware vCenter, InterCloud Link and Cloud VM
• Image management for endpoints and Cloud VM
• Configures endpoints; discovers port profiles and VM attributes from VSMs
• Creates the ICX VM on vCenter
• Assigns MAC address and port ID for cloud VM overlay interfaces

VM Manager
• Collects VM attributes from VMware vCenter

Management Controller
• VNMC system management: DNS, NTP, syslog, core files, etc.

Cloud Provider Manager
• Image manipulation: probing, conversion
• Interfaces with the cloud provider to implement the cloud VM lifecycle

Page 25

Prime NSC Functional Components (contd.)

Policy Agent on VSG/ASA 1000V
• Registration of the VSG/ASA 1000V with VNMC
• Configures the policy engine on the VSG/ASA 1000V (firewall policies and device policies)

Policy Agent on Nexus 1000V
• Registration of the VSM with VNMC
• Notifies VNMC when VMs are attached/detached
• Notifies VNMC when VM IP addresses are learned

Policy Agent on ICS/ICX
• Configures tunnel and key policy
• Cloud VM configuration is sent to ICS

GUI
• Flash-based GUI: Internet Explorer, Mozilla Firefox, Google Chrome

API
• HTTP/XML APIs, used by the GUI and by northbound API clients

PMON
• Manages NSC processes: start, stop, monitor and restart

Page 26

PNSC / VSG / VSM System Architecture (diagram; the text recovered from it follows)

Components shown: VNMC (Prime NSC), vCenter (VC), VSM, VSG, and per-hypervisor VEMs carrying the Service Data Path (SDP). Flows between them: VM management between VNMC and vCenter; VM attributes from vCenter; policy resolution, port profiles and security profiles between VNMC, VSM and VSG via their Policy Agents (VM IP learning, VM attach notifications, port profiles); packets from the VEM to the VSG via an overlay tunnel; XML over HTTPS from XML API clients and the GUI.

Virtual Network Management Center (VNMC)
• Centralized management plane, centralized policy repository, centralized policy administration
• VM attributes from vCenter
• REST XML API on a DME model-driven framework; components: Resource Manager, VM Manager, Policy Manager, Service Registry, GUI
• NOT in the data path: VNMC can be shut down and VM traffic will still flow

Virtual Security Gateway (VSG)
• Each VSG handles the traffic of one tenant
• No persistent configuration
• Centralized run-time state, flow table
• Policy engine, stateful firewall

Service Data Path (SDP)
• Distributed data plane, embedded in the VEM, one per ESX host
• Intercepts traffic using the service table
• Redirects traffic via the overlay tunnel
• Fast path using the flow table

Page 27

(no text on slide)

Pages 28–32

Family Photo (product family images; no text recovered)

Page 33

Agenda (repeated section divider; see Page 13)

Page 34

VSG Deployments (diagram)

Page 35

VSG HA Setup (diagram)

Page 36

(no text on slide)

Page 37

Virtual Security Gateway: Intelligent Traffic Steering with vPath (diagram: VMs on the Nexus 1000V Distributed Virtual Switch; vPath in the VEM; the VSG; PNSC with log/audit)

Initial packet of a flow: vPath redirects it to the VSG; the VSG performs flow access control (policy evaluation); the decision is cached by vPath.

Page 38

Virtual Security Gateway: Performance Acceleration with vPath (same diagram: Nexus 1000V Distributed Virtual Switch, vPath, VSG, PNSC with log/audit)

Remaining packets from the flow: the ACL decision is offloaded to the Nexus 1000V (policy enforcement in vPath), so they no longer pass through the VSG.

Page 39

Multi-tenant deployment (diagram): on a hypervisor running the Nexus 1000V with vPath, Tenant A and Tenant B each have their own VSGs and ASA 1000V, with vApps and VDCs nested under the tenants; the Virtual Network Management Center (VNMC) and vCenter manage the whole.

Page 40

(no text on slide)

Page 41

ASA 1000V: edge security profiles bound to Nexus 1000V port profiles (diagram and configuration)

Diagram: on the Nexus 1000V, Port Profile 1 / Port Group 1 carries the web VMs with Edge Security Profile web-server; Port Profile 2 / Port Group 2 carries the DB VMs with Edge Security Profile db-server; the ASA 1000V VM sits on Port Profile 3 / Port Group 3 with its inside and outside interfaces.

ASA 1000V configuration as shown on the slide (subnet masks are not shown, and the db profile has no security-level line on the slide):

    interface GigabitEthernet0/0
     nameif inside
     ip address 192.168.0.1
     security-level 100
     service-interface security-profile all inside
    !
    interface GigabitEthernet0/1
     nameif outside
     ip address 201.24.56.11
     security-level 0
    !
    interface security-profile 1
     security-profile web-server
     nameif web
     no ip address
     security-level 100
    !
    interface security-profile 2
     security-profile db-server
     nameif db
     no ip address

Page 42

Agenda (repeated section divider; see Page 13)

Page 43

VPC Challenges (diagram: Customer 1 Data Center, Branch A and Branch B reach the Cloud Provider over MPLS and the Internet; the provider maps each customer to a VRF and a VPC: VPC Customer 1 (10.0.1.0/24), VPC Customer 2, ..., VPC Customer 4094; the data center is labelled 192.168.1.0/16 on the slide)

• A point-to-point tunnel between the DC and the VPC adds network latency
• Terminating the WAN at the cloud provider's edge limits VPC scalability (one VLAN per customer VRF caps it at 4094 customers)
• Disjoint local networks complicate application on-boarding to the VPC
• Lack of traffic control in the VPC restricts the use of networking services: QoS, acceleration, visibility

Page 44

(no text on slide)

Page 45

Cisco CSR 1000V (diagram: a CSR 1000v at the VPC edge for Customer 1 with a LISP router for VM mobility, QoS and vWAAS; connectivity over the Internet and MPLS to the Customer 1 Data Center, Branch A and Branch B; VPC Customer 1, 2, ..., N at the Cloud Provider)

• Direct VPN connectivity to the VPC reduces network latency
• Termination of MPLS at the VPC eliminates the dependence on VLANs
• Extending the DC network to the VPC simplifies application deployment
• Traffic control at the VPC edge enables support of network services

Page 46

VPN Gateway for VPC (diagram: Data Center, Branch A and Branch B reach the CSR 1000v in the VPC over a public WAN / Internet VPN tunnel; private address space inside the VPC)

• Enterprise VPNs: S2S (IPsec) VPN, DMVPN, EZVPN, FlexVPN, SSLVPN (future)
• Routing: static, EIGRP, OSPF, BGP
• Addressing: NAT/PAT, DHCP
• Firewall & ACLs
• AAA

Page 47

MPLS Gateway for VPC (diagram: MPLS VPN 1 and MPLS VPN 2 cross the MPLS WAN through the DC edge router to the CSR 1000v in front of VPC Customer 1 and VPC Customer 2)

• Overcomes the VRF-to-VLAN mapping limitation at the DC edge router
• Extends the MPLS WAN directly to the VPC for any-to-any connectivity
• MPLS: traditional; secure (GETVPN)
• Routing: EIGRP, OSPF, BGP, static
• Traffic management: QoS, IP SLAs

Page 48

Extend DC Network to VPC (diagram: the Data Center and the Cloud Provider VPC are joined over the Internet by L2 over WAN and the LISP protocol; CSR 1000v in the VPC; enterprise LISP tunnel router for VM mobility)

• L2 connectivity and L3 address mobility between DC and VPC
• Transparent on-boarding of existing business applications to the VPC
• L2 over WAN: EoMPLS over GRE
• Addressing: NAT/PAT, VRF-Lite
• Transport services: LISP for VM mobility, multicast

Page 49

Network Services in VPC (diagram: Data Center, Branch A and Branch B with WAAS reach the VPC over the Internet or MPLS; CSR 1000v at the VPC edge with vWAAS; optimized TCP across the WAN)

• Traffic crossing the VPC edge can be redirected to network services
• Transport services: QoS
• Resiliency: HSRP
• Interception: WCCP, AppNav
• Monitoring: AVC, NetFlow, NBAR

Page 50

CSR 1000V interface options (diagram captions): each router interface has one host Ethernet interface; multiple interfaces sharing one host Ethernet interface; trunking all the way.

Page 51

On the VMware ESXi host, assign the VM network adapters to the appropriate VLANs in the vSwitch.

Page 52

(no text on slide)

Page 53

Polling Question 2

Can a 3rd-party tool use vPath with the 1000v?

a. Yes
b. No

Page 54

Agenda (repeated section divider; see Page 13)

Page 55

vPath 3.0

Page 56

Cisco & Citrix Product Break-out

Current Citrix NetScaler architecture: VPX (virtual, on an x86 platform), MPX (hardware appliance) and SDX (hardware appliance). Cisco product: NetScaler 1000V on the Nexus 1110.

NetScaler 1000V = VPX with Cisco-competing features disabled and a vPath toggle:
1. Cisco-competing features that have been disabled: Citrix Branch Repeater (now CloudBridge), NetScaler CloudConnectors, Citrix Access Gateway EE SSL VPN (now NetScaler Gateway)
2. Throughputs: 10M, 200M, 500M, 1G, 2G, 3G & 4G (with and without clustering)
3. Ability to enable/disable (toggle) vPath; disabling vPath allows you to load balance physical servers
4. 141 SKUs now orderable on Cisco's Global Price List (GPL), including all upgrade SKUs
5. Since vPath is optional, the Nexus 1000V is also optional, so the customer does NOT need vSphere Enterprise Plus to use it

Page 57

Citrix NetScaler 1000V

• Citrix NetScaler 1000V as a Virtual Service Blade (VSB) on the Nexus 1110 or 1010. A virtual appliance option is available too.
• Simplified operations: create the NetScaler instance from the Nexus 1110/1010 management console
• Ease of deployment: customers have deployment flexibility to meet their performance use case
  • 2 vCPU for low performance (500 Mbps)
  • 6–8 vCPU for high performance (2 Gbps)
• Full Cisco HA: NetScaler HA enabled on Nexus 1110/1010 pairs

Pages 58–60

(no text on slides)

Page 61

Agenda (repeated section divider; see Page 13)

Pages 62–63

(no text on slides)

Page 64

(no text on slide)

Page 65

Cisco Virtual WAAS: Cloud-ready WAN Optimization (diagram: virtual WAAS "appliances" on the ESX/ESXi hypervisor with the Nexus 1000V and vPath, running on UCS / x86 servers)

Features
• Allows agile, elastic and multi-tenant deployment
• Supports DRE cache in SAN
• Policy-based provisioning with Nexus 1000V
• Extends the WAAS solution portfolio

Business benefits
• Business agility with on-demand orchestration
• Lower operational cost and migration risk
• Fault tolerance with VM mobility awareness

Page 66

vWAAS (diagram)

Page 67

Agenda (repeated section divider; see Page 13)

Page 68

Multi-tenant (diagram)

Page 69

Within tenant (diagram)

Page 70

VSM-VSG-NetScaler topology (diagram)

Page 71

VSM-VSG-NetScaler Chaining (diagram)

Page 72

Polling Question 3

Is there an easy way to deploy all 1000v products?

a. Yes
b. No

Page 73

Agenda (repeated section divider; see Page 13)

Page 74

Current Service Delivery is Manual & Complex

Manual today: architect/design (QoS, security, compliance), identify resources, license, install, provision, secure, test.

Automated self-service provisioning: capacity on demand, policy-based provisioning, flexible and agile resource utilization; from weeks to minutes.

Page 75

DC Edge Security

Low efficiency due to uncontrolled VM sprawl (diagram labels): VMs talking to each other; lack of security; manually provisioned; lack of visibility; troubleshooting is a nightmare; weeks to onboard a customer/app.

Page 76

From VM Sprawl to On-Demand Containers

DC edge security with the enterprise apps placed in containers that are: secured; with added visibility; automatically provisioned.

Page 77

VACS Built on Proven Technology

• Virtual Fabric: Nexus 1000V platform for the distributed FW
• Zone-based FW: Virtual Security Gateway
• Edge FW: ASA 1000V
• Routing: CSR 1000V
• Automated provisioning and orchestration: UCS Director

Enterprise apps enforced by best-in-class services built on flagship Cisco NX-OS and IOS software; unified, per-server-based licensing.

Page 78

Automated Service Delivery for Applications (diagram: a container holding the WEB, APP and DB tiers)

Virtual Application Container Services
• Provision regulatory-compliant containers in minutes
• Multi-hypervisor support
• Provisioning and virtual services included in a single SKU

Page 79

Deploy Multi-Tenants as Containers (diagram: Container A and Container B on VMware vSphere and Microsoft Hyper-V, built from the virtual services portfolio with vPath and "Stingray" orchestration via UCS Director)

1. Automation and agility through UCS Director as the management plane:
   • No CLI experience required
   • Simplified install and configuration of: Virtual Fabric (Nexus 1000V); Virtual Routing (CSR 1000V); Virtual Security (Virtual Security Gateway and CSR 1000V)
2. Multi-hypervisor support: vSphere and Hyper-V
3. Easy to create and deploy virtual network containers: deploy a network container with fewer than 6 logical questions
4. Unified licensing: a single license for all virtual components

Page 80

VACS Architecture (diagram): UCS Director (UCSD) drives PNSC, vCenter and the Nexus 1000V; each container it deploys gets its own CSR and VSG pair.

Page 81

VACS hierarchy (diagram): one UCSD at the top, two vCenters under it, one PNSC per vCenter, and two Nexus 1000V VSMs per PNSC.

Page 82

VACS container types

• Three types: 3-tier internal, 3-tier external, custom
• Both three-tier container types contain a single network (VLAN or VXLAN) with three pre-defined zones and zone policies.
• The internal and external container types differ in which zones are allowed access to/from outside the container.
• Custom containers can contain multiple networks, zones and custom firewall policies.
• Application VMs may be deployed at container deployment time or afterwards. This facilitates template re-use by decoupling workloads from network topologies.

Page 83

(no text on slide)

Page 84

Deploy 3-Tier Application Container – Internal Access

• 3 pre-created zones (Web Tier, App Tier, DB Tier) on a single VLAN 1 / VXLAN 101 network, with external connectivity for the Web tier only
• Zone-based FW: VSG
• Container edge toward the upstream router: CSR 1000V providing (1) NAT (optional), (2) L3 routing via EIGRP or static, (3) edge FW, (4) monitoring features
Page 85: Nexus1000v-Series-switches Webcast Indepth Part2 17feb

Deploy 3-Tier Application Container – External Access

• 3 Pre-created Zones with External connectivity for all Tiers

Upstream Router

1. NAT (Optional)

2. L3 Routing – EIGRP 3. Edge FW

4. Monitoring Features

VACS – 3 Tier App Container

Zone based FW

Routing – EIGRP or Static

VLAN 1/ VXLAN 101

Web Tier App Tier DB Tier

VSG

CSR 1000V

Page 86

VACS Custom Container

• Provides the capability to design custom containers with N tiers (Tier 1, Tier 2, Tier 3, ...) across multiple networks, e.g. VLAN 1 / VXLAN 101 and VLAN 2 / VXLAN 202
• Zone-based FW: VSG
• Container edge toward the upstream router: CSR 1000V providing (1) NAT (optional), (2) L3 routing via EIGRP or static, (3) edge FW, (4) monitoring features

Page 87

Salient features

• Automated installation of all component services
• Integrated licensing model
• Template-based container deployment
• Public/private IP address assignment
• Static/dynamic NAT or EIGRP
• VLAN- and VXLAN-based networks
• Distributed firewalling for east-west traffic
• HA/HSRP
• ERSPAN

Page 88

3-tier Internal Container Traffic Walkthrough

Diagram labels: Management VLAN id 30; workload VM network VXLAN id 5000 carrying the Web Server VM, App VM and DB VM (192.168.1.4, 192.168.1.5, 192.168.1.6; the App VM is 192.168.1.5 per the next slide); Data/HA VXLAN id 20000; VSG with Mgmt IP 30.0.0.104; CSR1000V HA pair with VIP 192.168.1.1 on the downlink, uplinks Gig2.31 at 31.0.0.10 (1) and 31.0.0.11 (2), and management Gig1 at 30.0.0.103 (1) and 30.0.0.105 (2); Web Client VM 10.1.1.20 outside the container; 10.2.2.2 (SNAT).

Traffic initiated from inside to outside (only from the Web zone VM):
1. The first packet from the Web VM enters the VEM and is redirected to the VSG.
2. The VSG ACL rule (permit Web to Any) is hit, and vPath on the VEM is programmed with the flow.
3. The packet is sent to the gateway, which is the CSR's downlink interface.
4. The packet's source IP is changed to the NAT'ed public IP (10.2.2.2) and it is sent outside via the uplink interface.
5. Subsequent packets are sent directly to the CSR's downlink interface (skipping steps 1–2).

Page 89

3-tier External Container Traffic Walkthrough

Diagram labels: Management VLAN id 30; workload VM network VXLAN id 5000 carrying the Web Server VM, App VM and DB VM (192.168.1.4, 192.168.1.5, 192.168.1.6); Data/HA VXLAN id 20000; VSG with Mgmt IP 30.0.0.104; CSR1000V with downlink Gig3.2 at 192.168.1.1, uplink Gig2.31 at 31.0.0.10 and management Gig1 at 30.0.0.103; VM1 at 10.1.1.30 outside the container; 10.2.2.2 (SNAT) and 10.2.2.3 (SNAT, the App VM's public IP).

Traffic initiated from outside to inside (e.g. to the App VM):
1. VM1 wants to talk to the App VM's public IP (10.2.2.3).
2. The packet reaches the CSR's uplink (G2.31).
3. NAT translation is done and the packet's destination IP is changed to the App Server VM's private IP, 192.168.1.5.
4. The packet is then sent to the CSR's downlink interface (G3.2).
5. On entering the N1kv VEM, the packet is redirected to the VSG data interface.
6. The VSG ACL rule (permit Any to App) is hit.
7. vPath is programmed with the above flow and the return-flow decisions.
8. The packet is sent to the App VM.
9. Subsequent packets of that session are sent directly to the App VM (steps 5–6 are skipped).
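Worked example (added here; not code from the webcast, Cisco or VACS). It puts the mechanism of pages 37–38 (vPath redirects only the first packet of a flow to the VSG, caches the decision in the VEM flow table and enforces the rest locally), the container zone model of pages 82 and 84–85, and the two walkthroughs on pages 88–89 (CSR NAT at the container edge, VSG zone rules inside it) into one runnable model. The addresses are those on the page 88–89 diagrams; the zone membership of the Web (.4) and DB (.6) VMs and the three-tier rule sets are assumptions patterned on the slides' "permit Web to Any" and "permit Any to App" rules. The `policy_changed()` method carries the caveat a practitioner cares about: a cached permit keeps flowing after a rule change until the flow table is flushed or the entry ages out.

```python
"""vPath decision caching, VSG zone policy and CSR NAT as one runnable model.

Added example, not code from the webcast, Cisco or VACS.  Addresses come from
the page 88-89 diagrams; zone membership of the Web (.4) and DB (.6) VMs and
the rule sets are assumptions patterned on "permit Web to Any" / "permit Any to App".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


class Vsg:
    """Zone-based policy engine: zones map names to member IPs, rules are
    (src_zone, dst_zone, action); first match wins, implicit deny."""

    def __init__(self, zones: dict, rules: list):
        self.zones, self.rules = zones, rules

    def zone_of(self, ip: str) -> str:
        return next((z for z, members in self.zones.items() if ip in members), "outside")

    def evaluate(self, flow: Flow) -> str:
        sz, dz = self.zone_of(flow.src), self.zone_of(flow.dst)
        for rs, rd, action in self.rules:
            if rs in (sz, "any") and rd in (dz, "any"):
                return action
        return "deny"


class Vem:
    """vPath on the VEM: a flow table of cached VSG decisions.  Only a miss is
    redirected to the VSG; later packets and the return direction are enforced
    locally (pages 37-38)."""

    def __init__(self, vsg: Vsg):
        self.vsg, self.flow_table, self.redirects = vsg, {}, 0

    def forward(self, flow: Flow) -> str:
        action = self.flow_table.get(flow)
        if action is None:
            self.redirects += 1                        # first packet of the flow only
            action = self.vsg.evaluate(flow)
            self.flow_table[flow] = action
            self.flow_table[flow.reverse()] = action   # return-flow decision (page 89, step 7)
        return action

    def policy_changed(self) -> None:
        # Caveat: a cached permit survives a rule change until the table is flushed or ages out.
        self.flow_table.clear()


class Csr:
    """CSR 1000V at the container edge: static NAT for published VMs, SNAT for the rest."""

    def __init__(self, static: dict, snat_ip: str):
        self.static, self.snat_ip = static, snat_ip                # private -> public
        self.inverse = {pub: priv for priv, pub in static.items()}

    def outbound(self, flow: Flow) -> Flow:
        return Flow(self.static.get(flow.src, self.snat_ip), flow.dst, flow.proto, flow.sport, flow.dport)

    def inbound(self, flow: Flow):
        priv = self.inverse.get(flow.dst)                           # unknown public IP: dropped
        return None if priv is None else Flow(flow.src, priv, flow.proto, flow.sport, flow.dport)


ZONES = {"web": {"192.168.1.4"}, "app": {"192.168.1.5"}, "db": {"192.168.1.6"}}  # .4 and .6 assumed
INTERNAL_RULES = [("web", "any", "permit"), ("outside", "web", "permit"),
                  ("web", "app", "permit"), ("app", "db", "permit")]
EXTERNAL_RULES = INTERNAL_RULES + [("any", "app", "permit"), ("any", "db", "permit")]


def build_container(rules: list):
    return Vem(Vsg(ZONES, rules)), Csr({"192.168.1.5": "10.2.2.3"}, snat_ip="10.2.2.2")


def web_to_outside(vem: Vem, csr: Csr):
    """Page 88: Web VM -> outside client; returns the flow as seen past the CSR uplink."""
    f = Flow("192.168.1.4", "10.1.1.20", "tcp", 40000, 443)
    return csr.outbound(f) if vem.forward(f) == "permit" else None


def outside_to_app(vem: Vem, csr: Csr) -> str:
    """Page 89: VM1 -> App VM public IP; NAT at the CSR first, then vPath/VSG on the VEM."""
    f = Flow("10.1.1.30", "10.2.2.3", "tcp", 51000, 8080)
    translated = csr.inbound(f)
    if translated is None:
        return "dropped-at-csr"
    vem.forward(translated)
    return vem.forward(translated)                                  # second packet: flow-table hit


def demo() -> dict:
    int_vem, int_csr = build_container(INTERNAL_RULES)
    ext_vem, ext_csr = build_container(EXTERNAL_RULES)
    out = web_to_outside(int_vem, int_csr)
    web_to_outside(int_vem, int_csr)                                # served from the flow table
    result = {
        "outbound_public_src": out.src,
        "outbound_redirects": int_vem.redirects,
        "internal_outside_to_app": outside_to_app(int_vem, int_csr),
        "external_outside_to_app": outside_to_app(ext_vem, ext_csr),
        "external_redirects": ext_vem.redirects,
    }
    int_vem.policy_changed()
    web_to_outside(int_vem, int_csr)                                # a miss again after the flush
    result["redirects_after_flush"] = int_vem.redirects
    return result
```

Running `demo()` shows the internal container SNATting the Web VM's flow to 10.2.2.2 with a single VSG redirect for two packets, the external container permitting VM1 to the App VM's private address after the CSR's NAT while the internal container denies the same flow at the VSG, and the redirect counter climbing again only after the flow table is flushed.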

Page 90

Physical to Virtual to Cloud Journey (diagram labels: Virtualization, Private Cloud, Hybrid Cloud, Inter Cloud, Public Cloud)

Page 91

Submit Your Questions Now! Use the Q&A panel to submit your questions and our expert will respond.

Page 94

More IT Training Videos and Technical Seminars on the Cisco Learning Network

View the upcoming sessions schedule: https://cisco.com/go/techseminars

Page 95

Please take a moment to complete the survey.

Thank you for your time!

Page 96

(no text on slide)

Page 97

VACS Container Topology Configuration

Page 98

Install UCSD

Page 99

Install VACS Patch

• You will be prompted to back up; select "n"
• Select Option 19 to perform the patch update
• This uploads all the prerequisite binaries, OVAs, workflows, etc. required for VACS to be deployed as a value-added option for UCSD.

Page 100

Import UCSD & VACS Licenses

• Licenses: UCSD.lic and VACS.lic
• Upload the licenses
• Navigate to Licenses; you should see two PAK files
• Validate that the two licenses have been installed

Page 101

Restarting Services: License & Workflows Activation

• SSH into the UCS-D console and log in as shelladmin (the default password is "changeme"; change it before the appliance is reachable from anything but the management network)
• Select Option 3 to stop services
• Select Option 4 to restart the services
• Select Option 2 repeatedly to verify all services have restarted
• Your browser session will expire; you get to see "clouds" until the system completely comes back online
• From stopping and restarting services to the GUI coming back to a login prompt is ~10 minutes

Page 102

Configure Physical Accounts, Site & Pod

• Navigate to Administration > Physical Accounts
• Provide a Site Name and Contact
• Create a Pod, specifying a name, type and address

Page 103

Installing VACS Components

• Navigate to Policy > Application Containers
• Select the VACS/Stingray Containers tab
• Select the CSR License button, navigate to the location of the CSR token, cut-and-paste the license into the dialogue box, and upload
• Next select the Package Upload button (~4–5 minutes)
• Then navigate to the “” and select the service request to monitor the status of the package upload

Page 104

Add Virtual Account and Set Up Cloud

• Navigate to Administration > Virtual Accounts
• Select Add Cloud and populate accordingly
• Cloud added successfully, and verification
• Select the Converged tab, then double-click the Pod to see the associations

Page 105

Install PNSC

• Make sure your storage has over 250 GB free
• ~15 minutes to deploy PNSC
• You should see in vCenter that the PNSC is being deployed

Page 106

Install N1KV/VSG (Part 1)

Page 107

Install N1KV/VSG (Part 2)

Page 108

Add Host (i.e., Install VEMs on hosts)

Page 109

Create Compute & Storage Policies

Page 110

First Time Template Creation (includes resource pools)

Page 111

Deploying a Secure Container from VACS Template

Page 112

Container template

Page 113

Template types

Page 114

VACS deployment options (for internal template type)

Page 115

Container application size

Page 116

Policies

Page 117

VACS Network resource pool

Page 118

Routing protocol

Page 119

VM networks entry (vlan)

Page 120

VM networks entry (vxlan)

Page 121

VM networks entry (vxlan)

Page 122

Virtual machines

Page 123

Virtual machines entry

Page 124

VM network interfaces entry

Page 125

VACS Summary

Page 126

Custom template type

Page 127

Custom - Security zones

Page 128

Custom - ACL rules entry

Page 129

Custom - ACL rules entry

Page 130

Custom - ALG options

Page 131

Custom - VM network options

After the template is submitted successfully, the following default policies are created:

• Virtual Infrastructure Policies

• Tiered Application Gateway Policies

• PNSC firewall policies

Page 133

VIP (Virtual Infrastructure Policies)

Policies -> Application Containers -> Virtual Infrastructure Policies

Page 134

VIP

Page 135

VIP - PNSC information

Page 136

VIP - Gateway

Page 137

VIP - Summary

Page 138

Tiered Application Gateway Policies

Policies -> Application Containers -> Tiered Application Gateway Policies

Page 139

Gateway policy

Page 140

CSR configuration

Page 141

Gateway Policy - Summary

Page 142

PNSC firewall policies

Physical -> Network -> PNSC accounts -> PNSC -> PNSC Firewall Policies

Page 143

PNSC policy

Page 144

PNSC zones

Page 145

PNSC - ACL rules

Page 146

PNSC - VSG config

Page 147

Publishing catalog

Policies -> Catalogs

Page 148

Add catalog

Page 149

Catalog - Summary

Page 150

Catalog published

Page 151

VACS Workflows (Policies -> Orchestration -> Workflows)

Workflow / Description

VACS Container Setup: This workflow is executed when a VACS container deployment is requested, based on a VACS template. The workflow deploys a VACS container based on the compute, storage and network policies associated with the template, the network configuration, the firewall and routing configuration, and the workload VM specifications.

Add VMs to VACS Container: This workflow is executed when a VACS user requests addition of VMs to an existing VACS container.

VACS Delete VMs: This workflow is executed when a VACS user requests deletion of VMs from an existing VACS container.

VACS Static NAT: This workflow is executed when a VACS user requests Static NAT configuration for workload VMs in a VACS container.

VACS ERSPAN: This workflow is executed when a VACS user requests monitoring of VM traffic for one or more VMs.

Page 152