
Cisco Support Community

Deep Dive Expert Series Webcast


Cisco Nexus 1000v Series Switches,
Part 2: Meet the 1000v Family: The Secret of Unity
Vishal Mehta
Technical Marketing Engineer
February 17, 2015

Upcoming Expert Series Webcasts

In-Depth on Cisco Nexus 1000V Series Switches, Part 3
Game Changer: Silver Lining in the Cloud
March 17th, 2015
Where Vishal will continue the topic by discussing Nexus 1000v through deployment phases for enabling ICF
http://tools.cisco.com/gems/cust/customerSite.do?METHOD=E&LANGUAGE_ID=E&SEMINAR_CODE=S22085

Demystifying Unified Computing System (UCS) Interfaces for troubleshooting.
February 24, 2015
Ever wonder what VFC, VETH, VIF and HIF are in UCS and which path your packets are taking? UCS infrastructure has several virtual components, and this makes it challenging to troubleshoot, but it is critical to understand. Cisco Expert, Niles Pyelshak will discuss UCS interfaces and how packets travel from the UCS server.
https://supportforums.cisco.com/event/12413926/expert-webcast-demystifying-unifiedcomputing-system-ucs-interfacestroubleshooting

Ask the Expert Events Active


Now through February 27th
Cisco Email Security Appliance (ESA), Web
Security Appliance (WSA), and Content
Security Management Appliance (SMA).
Join Cisco Expert, Nasir Abbas

Join the discussion for these Ask The Expert Events:


https://supportforums.cisco.com/expert-corner/knowledge-sharing


Cisco Support Community Expert Series Webcast

Today's featured expert is Cisco Technical Marketing Engineer Vishal Mehta

Ask your questions now in the Q&A window

Technical Expert Question Manager: Gunjan Patel

Thank You For Joining Us Today!

If you would like a copy of the presentation slides, click the PDF file link in
the chat box on the right or go to:
https://supportforums.cisco.com/document/12427796/expert-depth-seriescisco-nexus-1000v-series-switches-part-2-slides
Or, https://supportforums.cisco.com/expert-corner/knowledge-sharing

Ask the Expert Event following the Webcast
Now through February 27th
Vishal will be continuing the discussion in an Ask the Expert event. So if you have more questions, please visit the Knowledge Center on the Cisco Support Community
https://supportforums.cisco.com/discussion/12412941/ask-expert-deepdive-cisco-nexus1000v-series-switches

Submit Your Questions Now!

Use the Q & A panel to submit your questions and the panel of experts will respond.

Please take a moment to complete the survey at the end of the webcast

Polling Question 1

How do you provide Security to Virtual Workloads?

a. We rely on Physical Security Devices
b. We are using mix of Physical and Virtual security applications
c. We are using Virtual Security

Cisco Nexus 1000V Series Switches


Part 2: Conquered Territory: Multi-Hypervisor

Agenda

vPath The Secret

Prime NSC (* VNMC)

Firewalls VSG & ASAv

Cloud Service Router CSRv

Netscaler Load-Balancer

vNAM & vWAAS

Common Deployments

VACS - Containers

Conquered Territory: Multi-Hypervisor


VXLAN Strategy

VXLAN (1.5.1, 2.2, 3.0)
VXLAN 1.0: Multicast based; Flood and Learn
VXLAN 1.5: Single VSM only; Mac-distribution
VXLAN 2.0: BGP Control Plane; VTEP distribution
No flood and learn

Strategy: Continue supporting multicast based VXLAN for standards compliance and interoperability with Nexus hardware. BGP control plane for interoperability with Nexus9K and for better physical virtual story.

VXLAN GATEWAY
1.5.1: N/A
2.2: Nexus 1110
3.0: GW as a VM

Strategy: Minimize investment in software VXLAN GW since Nexus hardware will have GW functionality at a cheaper price-point. Develop GW as a VM for Proof of Concepts and cloud use cases.

1000v L2-7 Services


vPath Explanation


PNSC


PNSC - Look & Feel

Prime NSC Functional Components

Functional Component: Description

Service Registry: A central registry of endpoints - VSM, VSG, ASA 1000v, ICS, ICX, CVSM and providers RM, PM, VMM, MC. Org Repository for multi-tenancy.

Policy Manager: Centralized repository of device, firewall and InterCloud tunnel policies. Policy authoring and administration.

Resource Manager: Management of VSG, ASA 1000v, VSM, VMware vCenter, InterCloud Link and Cloud VM. Image Management for endpoints and Cloud VM. Configures endpoints, Discovers Port Profiles and VM attributes from VSMs. Create ICX VM on vCenter. Assign mac address and port id for cloud VM overlay interfaces.

VM Manager: Collects VM Attributes from VMware vCenter.

Management Controller: VNMC system management: DNS, NTP, syslog, core files.

Cloud Provider Manager: Image manipulation - probing, conversion. Interface with Cloud Provider to implement cloud VM Lifecycle.

Prime NSC Functional Components (Contd.)

Functional Component: Description

Policy Agent on VSG/ASA 1000v: Registration of VSG/ASA 1000v with VNMC. Configures Policy Engine on VSG/ASA 1000v (firewall policies and device policies).

Policy Agent on Nexus 1000v: Registration of VSM with VNMC. Notifies VNMC when VMs are attached/detached. Notifies VNMC when VM IP addresses are learned.

Policy Agent on ICS/ICX: Configures tunnel & key policy. Cloud VM configuration is sent to ICS.

GUI: Flash-based GUI - Internet Explorer, Mozilla Firefox, Google Chrome.

API: HTTP/XML APIs - Used by GUI and northbound API clients.

PMON: Manages NSC processes - start, stop, monitor and restart.

PNSC / VSG / VSM System Architecture

[Diagram. Labels: XML API Client, GUI, REST-XML API, VNMC (VM Manager, Resource Manager, Service Registry, Policy Manager, DME model-driven framework), VC, VM Attributes, XML Over HTTPS, Policy Agent, VSM, VM IP Learning, VM Attach, Port Profiles, Port Profiles and Security Profiles, VEM, VM Management, Hypervisor, VSG, Policy Resolution, Packets Via Overlay Tunnel, SDP]

Virtual Network Manager Center (VNMC)
Centralized Management Plane
Centralized Policy Repository
Centralized Policy Administration
VM Attributes from vCenter
REST XML API
NOT in the data path - VNMC can be shut down and the VM traffic will still flow

Virtual Security Gateway (VSG)
Each VSG handles the traffic of one tenant
No Persistent Configuration
Centralized Run-Time State, Flow Table
Policy Engine, Stateful Firewall

Service Data Path (SDP)
Distributed Data Plane
Embedded in VEM, 1 Per ESX Host
Intercepts Traffic using Service Table
Redirects Traffic via Overlay Tunnel
Fast-Path using Flow Table

Family Photo


VSG Deployments

VSG HA Setup

Virtual Security Gateway
Intelligent Traffic Steering with vPath

[Diagram. Labels: VMs, Nexus 1000V Distributed Virtual Switch, vPath, VSG, PNSC]

1 Initial Packet Flow
2 Flow Access Control (policy evaluation)
3 Decision Caching
Log/Audit

Virtual Security Gateway
Performance Acceleration with vPath

[Diagram. Labels: VMs, Nexus 1000V Distributed Virtual Switch, vPath, VSG, PNSC]

ACL offloaded to Nexus 1000V (policy enforcement)
Remaining packets from flow
Log/Audit

[Diagram. Labels: vCenter, Virtual Network Management Center (VNMC), TENANT A, TENANT B, VDC, vApp, VSG, ASA 1000V, Hypervisor, Nexus 1000V, vPath]

[Diagram. Labels: VMs, Nexus 1000V, ASA 1000V, inside, outside]

Port Profile 1 (Port Group 1) - Edge Security Profile: web-server
Port Profile 2 (Port Group 2) - Edge Security Profile: db-server
Port Profile 3 (Port Group 3)

ASA 1000V configuration:

Interface security-profile 1
  security-profile web-server
  nameif web
  no ip address
  security-level 100

Interface security-profile 2
  security-profile db-server
  nameif db
  no ip address

Interface GigabitEthernet0/0
  nameif inside
  ip address 192.168.0.1
  security-level 100

service-interface security-profile all inside

Interface GigabitEthernet0/1
  nameif outside
  ip address 201.24.56.11
  security-level 0


VPC Challenges

[Diagram. Labels: Customer 1 Data Center 192.168.1.0/16, Branch A, Branch B, Internet, MPLS, Cloud Provider, VRF, VPC Customer 1 10.0.1.0/24, VPC Customer 2, VPC Customer 4094, QoS, Acceleration, Visibility]

Point-to-Point tunnel between DC and VPC adds network latency
Terminating WAN at Cloud Provider's edge limits VPC scalability
Disjoint local networks complicate application on-boarding to VPC
Lack of traffic control in VPC restricts use of networking services

Cisco CSR1000v

[Diagram. Labels: Customer 1 Data Center, Branch A, Branch B, Internet, MPLS, Cloud Provider, CSR 1000v, LISP Router, LISP for VM Mobility, vWAAS, QoS, VPC Customer 1, VPC Customer 2, VPC Customer N]

Direct VPN connectivity to VPC reduces network latency
Termination of MPLS at VPC eliminates dependence on VLANs
Extending DC network to VPC simplifies application deployment
Traffic control at VPC edge enables support of network services

VPN Gateway for VPC

[Diagram. Labels: Branch A, Branch B, Data Center, Internet, Cloud Provider, CSR 1000v, VPC, Public WAN VPN tunnel, Private address space]

Enterprise VPNs: S2S (IPSec) VPN, DMVPN, EZVPN, FlexVPN, SSLVPN (future)
Routing: Static, EIGRP, OSPF, BGP
Addressing: NAT/PAT, DHCP
Firewall & ACLs
AAA

MPLS Gateway for VPC

[Diagram. Labels: DC Edge Router, MPLS VPN 1, MPLS VPN 2, MPLS, CSR 1000v, VPC Customer 1, VPC Customer 2]

Overcomes VRF to VLAN mapping limitation at DC edge router
Extends MPLS WAN directly to VPC for any-to-any connectivity

MPLS: Traditional, Secure (GETVPN)
Routing: EIGRP, OSPF, BGP, Static
Traffic Management: QoS, IP SLAs

Extend DC Network to VPC

[Diagram. Labels: Data Center, Enterprise, Internet, Cloud Provider, CSR 1000v, VPC, LISP Tunnel Router, LISP VM Mobility, L2 over WAN, LISP protocol]

L2 connectivity and L3 address mobility between DC and VPC
Transparent on-boarding of existing business applications to VPC


Addressing
Transport Services
L2 over WAN
NAT/PAT
LISP for VM Mobility
EoMPLS over GRE
VRF-Lite

Multicast

Network Services in VPC

[Diagram. Labels: Branch A, Branch B, Data Center, WAAS, vWAAS, Internet or MPLS, Cloud Provider, CSR 1000v, VPC, Optimized TCP]

Traffic crossing VPC edge can be redirected to network services

Transport services: QoS, Resiliency HSRP
Interception: WCCP, AppNav
Monitoring: AVC, NetFlow, NBAR

Each router interface has one host Ethernet interface.

Multiple interfaces sharing one host Ethernet interface

Trunking all the way

On VMware ESXi host, assign VM Network adapters to appropriate VLANs in vSwitch

Polling Question 2

Can 3rd party tool use vPath with 1000v?

a. Yes
b. No


vPath 3.0

Cisco & Citrix Product Break-out

NetScaler 1000V = VPX Architecture w/ Cisco Competing features disabled & vPath toggle

Product: Platform
Current Citrix NetScaler VPX: x86
Current Citrix NetScaler MPX: HW Appliance
Current Citrix NetScaler SDX: HW Appliance
NetScaler 1000V: X86, N1110

1. Cisco Competing features that have been disabled: Citrix Branch Repeater (now Cloud Bridge), NetScaler CloudConnectors, Citrix Access Gateway EE SSL VPN (now NetScaler Gateway)
2. Throughputs: 10M, 200M, 500M, 1G, 2G, 3G & 4G (w/ and w/o Clustering)
3. Ability to enable/disable (toggle) vPath; disabling vPath allows you to load balance physical servers
4. 141x SKUs NOW orderable on Cisco's Global Price List (GPL); includes ALL upgrade SKUs
5. Since vPath is optional the Nexus 1000V is also now optional so customer does NOT need vSphere Enterprise Plus to utilize

Citrix NetScaler 1000V

Citrix Netscaler 1000V as a Virtual Service Blade (VSB) on Nexus 1110 or 1110. Virtual Appliance option available too.
Simplified Operations: Create Netscaler instance from Nexus 1110/1010 management console
Ease of Deployment: Customers have deployment flexibility to meet their performance use case
2 vCPU for low performance (500 Mbps)
6-8 vCPU for high performance (2 Gbps)
Full Cisco HA: Netscaler HA enabled on Nexus 1110/1010 pairs


Cisco Virtual WAAS
Cloud-ready WAN Optimization

[Diagram. Labels: Virtual WAAS Appliances, vWAAS, ESX ESXi Hypervisor w/ Nexus 1000 vPath, UCS / x86 Servers, Virtual WAAS on Nexus 1000V with vPath]

FEATURES
Allows Agile, Elastic, & Multi Tenant Deployment
Supports DRE Cache in SAN
Policy-based Provisioning w/ Nexus 1000V
Extends WAAS Solution Portfolio

BUSINESS BENEFITS
Business Agility w/on-demand orchestration
Lower operational cost & migration risk
Fault-tolerance with VM mobility awareness


Multi-tenant

Within tenant

VSM-VSG-NetScaler topology

VSM-VSG-NetScaler Chaining

Polling Question 3

Is there an easy way to deploy all 1000v products?

a. Yes
b. No


Current Service Delivery is Manual & Complex

[Diagram. Labels: Architect, Design (QoS, Security, Compliance), Identify Resources, Capacity On-Demand, License, Install, Provision, Secure, Test, Manual, Automated Self-Service Provisioning, Policy-Based Provisioning, Flexible, Agile Resource Utilization]

From Weeks to Minutes

Low efficiency due to uncontrolled VM sprawl

Lack of Security
Lack of Visibility
Manually Provisioned
VMs talking to each other
Troubleshooting is a nightmare
Weeks to onboard customer/app
DC Edge Security

From VM Sprawl to On-Demand Containers

Containers that are:
Secured
Added Visibility
Automated Provisioning

[Diagram. Labels: Enterprise Apps, DC Edge Security]

VACS Built on Proven Technology

Unified Licensing - Per Server based
Automated Provisioning and Orchestration - UCS Director
Enterprise Apps
Routing - CSR 1000V
Edge FW - ASA 1000V
Enforced by Best in Class Services
Built on flagship Cisco NXOS & IOS SW
Zone Based FW - Virtual Security Gateway
Virtual Fabric - Nexus 1000V
Platform for Distributed FW

Automated Service Delivery for Applications

[Diagram. Labels: CONTAINER with WEB, APP and DB tiers]

Virtual Application Container Services
Provision Regulatory Compliant Containers in minutes
Multi Hypervisor support
Provisioning and Virtual Services included in single SKU

Deploy Multi-Tenants as Containers

[Diagram. Labels: Stingray Orchestration (UCS Director), Container A, Container B, Virtual Services Portfolio, vPath, VMware vSphere, Microsoft HyperV]

Automation & Agility through UCS Director as the management plane:

No CLI experience
Simplified Install and Configuration of:
Virtual Fabric - Nexus 1000V
Virtual Routing - CSR 1000V
Virtual Security - Virtual Security Gateway & CSR 1000V
Multi Hypervisor support - vSphere & Hyper-V
Easy to create and deploy Virtual Network Containers
Deploy Network Container with less than 6 logical questions
Unified Licensing - Single License for all virtual components

VACS Architecture

[Diagram. Labels: UCSD, PNSC, N1000V, vCenter, and four Containers, each with a CSR and a VSG]

VACS hierarchy

[Diagram. Labels: UCSD, vCenter, PNSC, N1000V]

VACS container types

Three types

3 tier internal
3 tier external
Custom

Both three tier container types contain a single network (can be vlan or vxlan) with three pre-defined zones and zone policies.

Internal and external container types differ in which zones are allowed access to/from outside the container

Custom containers can contain multiple networks, zones and custom firewall policies

Application VMs may be deployed at container deployment time or afterwards. This facilitates template re-use by de-coupling workloads from network topologies

Deploy 3-Tier Application Container - Internal Access

[Diagram: VACS 3 Tier App Container. Labels: Upstream Router, Routing - EIGRP or Static, CSR 1000V, VLAN 1 / VXLAN 101, VSG, Zone based FW, Web Tier, App Tier, DB Tier]

CSR 1000V:
1. NAT (Optional)
2. L3 Routing - EIGRP
3. Edge FW
4. Monitoring Features

3 Pre-created Zones with External connectivity for Web Tier Only

Deploy 3-Tier Application Container - External Access

[Diagram: VACS 3 Tier App Container. Labels: Upstream Router, Routing - EIGRP or Static, CSR 1000V, VLAN 1 / VXLAN 101, VSG, Zone based FW, Web Tier, App Tier, DB Tier]

CSR 1000V:
1. NAT (Optional)
2. L3 Routing - EIGRP
3. Edge FW
4. Monitoring Features

3 Pre-created Zones with External connectivity for all Tiers

VACS Custom Container

[Diagram: VACS Custom Container. Labels: Upstream Router, Routing - EIGRP or Static, CSR 1000V, VLAN 1 / VXLAN 101, VLAN 2 / VXLAN 202, VSG, Zone based FW, Tier 1, Tier 2, Tier 3, ...]

CSR 1000V:
1. NAT (Optional)
2. L3 Routing - EIGRP
3. Edge FW
4. Monitoring Features

Providing capability to design custom containers with N Tiers

Salient features

Automated installation of all component services

Integrated licensing model

Template based container deployment

Public/Private IP address assignment

Static/Dynamic NAT or EIGRP

Vlan and vxlan based networks

Distributed firewalling for east-west traffic

HA/HSRP

ERSPAN

3-tier Internal Container Traffic walkthrough

[Diagram. Labels: Web Client VM 10.1.1.20; CSR1000V with Gig2.31(1) - 31.0.0.10, Gig2.31(2) - 31.0.0.11, Gig1(1) - 30.0.0.103, Gig1(2) - 30.0.0.105, VIP 192.168.1.1; Management VLAN id 30; Data/HA VXLAN id 20000; Workload VM network VXLAN id 5000; VSG; Mgmt IP: 30.0.0.104; WEB Server VM, APP VM, DB VM; 10.2.2.2 (SNAT); 192.168.1.4, 192.168.1.5, 192.168.1.6]

Traffic initiated from Inside to Outside (only from WebZone VM)

1. First packet from Web VM enters the VEM and is re-directed to VSG.
2. VSG ACL rule (permit Web to Any) is hit, & vPATH on the VEM is programmed with the flow
3. Packet sent to the gateway, which is CSR's downlink interface
4. Packet src IP changed to NATed Public IP and sent outside via the Uplink interface
5. Subsequent packets are sent directly to CSR's downlink interface (skipping step 1-2)

3-tier External Container Traffic walkthrough

[Diagram. Labels: VM1 10.1.1.30; CSR1000V with Gig2.31 - 31.0.0.10, Mgmt Gig1 30.0.0.103, Gig3.2 192.168.1.1; Management VLAN id 30; Data/HA VXLAN id 20000; Workload VM network VXLAN id 5000; VSG; Mgmt IP: 30.0.0.104; WEB Server VM 10.2.2.2 (SNAT); APP VM 10.2.2.3 (SNAT); DB VM; 192.168.1.4, 192.168.1.5, 192.168.1.6]

Traffic initiated from Outside to Inside (Eg: App VM)

1. VM1 wants to talk to App VM's Public IP (10.2.2.3)
2. Packet reaches CSR's uplink (G2.31)
3. NAT translation is done and packet dest. IP is changed to App Server VM's Private IP 192.168.1.5
4. Packet is then sent to CSR's downlink interface (G3.2)
5. On entering N1kv VEM, packet is re-directed to VSG data interface
6. VSG ACL Rule permit Any to App is hit
7. vPATH programmed with the above flow and return flow decisions.
8. Packet sent to App VM
9. Subsequent packets of that session are directly sent to the App VM (steps 5-6 are skipped)
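
The decision caching in the two walkthroughs above, as a small model added here (not Cisco code and not from the original slides): the VEM redirects the first packet of a flow to the VSG, caches the verdict together with the return flow, and handles later packets itself. The class names, ports, default deny and the web/db address assignments are assumptions; the "permit Any to App" rule and the App VM address 192.168.1.5 are from the slide.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zone membership. App VM 192.168.1.5 is from the slide; the web and db
# assignments are assumptions made for this example.
ZONES = {
    "web": ip_network("192.168.1.4/32"),
    "app": ip_network("192.168.1.5/32"),
    "db": ip_network("192.168.1.6/32"),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self):
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)

def zone_of(ip):
    """Map an address to a container zone; anything else is 'outside'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"

class VSG:
    """Policy engine: first-match zone rules, default deny (assumed)."""
    def __init__(self, rules):
        self.rules = rules          # list of (action, src_zone, dst_zone)
        self.evaluations = 0        # how many packets reached the VSG

    def evaluate(self, flow):
        self.evaluations += 1
        src, dst = zone_of(flow.src), zone_of(flow.dst)
        for action, rule_src, rule_dst in self.rules:
            if rule_src in ("any", src) and rule_dst in ("any", dst):
                return action
        return "deny"

class VEM:
    """Switch-side vPath: redirect unknown flows, enforce cached decisions."""
    def __init__(self, vsg):
        self.vsg = vsg
        self.flow_table = {}

    def forward(self, flow):
        if flow in self.flow_table:
            return self.flow_table[flow], "fast-path"
        action = self.vsg.evaluate(flow)
        self.flow_table[flow] = action
        if action == "permit":
            # Program the return-flow decision with the forward one (step 7).
            self.flow_table[flow.reverse()] = action
        return action, "vsg"

def run_external_container():
    """Replay constructed packets against the external-container rule."""
    vem = VEM(VSG([("permit", "any", "app")]))
    # Post-NAT view at the VEM: destination is the App VM's private IP.
    inbound = Flow("10.1.1.30", "192.168.1.5", "tcp", 40000, 443)
    results = [
        vem.forward(inbound),            # first packet: evaluated by the VSG
        vem.forward(inbound),            # rest of the session: flow table
        vem.forward(inbound.reverse()),  # App VM replies: cached return flow
        vem.forward(Flow("10.1.1.30", "192.168.1.6", "tcp", 40001, 3306)),
        vem.forward(Flow("192.168.1.5", "10.1.1.30", "tcp", 50000, 22)),
    ]
    return results, vem.vsg.evaluations

if __name__ == "__main__":
    results, evaluations = run_external_container()
    for verdict in results:
        print(verdict)
    print("VSG evaluations:", evaluations)
```

The last two packets show what the cache does not grant: traffic to the DB VM and a new session opened by the App VM are separate flows, so each is sent to the VSG and denied.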

Physical to Virtual to Cloud Journey

[Diagram. Labels: Virtualization, Private Cloud, Public Cloud, Hybrid Cloud, Inter Cloud]


VACS Container
Topology Configuration

Install UCSD

Install VACS Patch

Select Option 19 to perform patch update
You will be prompted to backup, select n
This will upload all the prerequisite binaries, ovas, workflows, etc. required for VACS to be deployed as a value-added option for UCSD.

Import UCSD & VACS Licenses

Navigate to licenses
Upload Licenses*
Validate the two licenses have been installed
You should see two PAK files

* Licenses:
UCSD.lic
VACS.lic

Restarting Services: License & Workflows Activation

Stopping and restarting services until the GUI comes back to a login prompt takes ~ 10 minutes

SSH into the UCS-D console
Access Shelladmin/changme
Select Option 3 to stop services
Select Option 4 to restart the services
Select Option 2 repeatedly to verify all services have restarted
Your browser session will expire
You get to see clouds until the system completely comes back online.

Configure Physical Accounts, Site & Pod

Navigate to Administration -> Physical Accounts
Provide a Site Name and Contact
Create a POD, specifying a name, type and address

Installing VACS Components

Navigate to Policy -> Application Containers
Select the VACS/Stingray Containers Tab
Select the CSR License Button & navigate to the location of the CSR Token. Cut-n-Paste the license into the dialogue box, and upload
Next select the Package Upload button
Then navigate to the then select the service request to monitor the status of the package upload
~4-5 minutes

Add Virtual Account and Setup Cloud

Navigate to Administration -> Virtual Accounts
Select Add Cloud and populate accordingly
Cloud added successfully and verification
Select Converged Tab, then double click the Pod to see the associations

Install PNSC

Make sure your storage has over 250Gb
You should see in VC that the PNSC is being deployed
~ 15 minutes to deploy PNSC

Install N1KV/VSG (Part 1)

Install N1KV/VSG (Part 2)

Add Host (i.e., Install VEMs on hosts)

Create Compute & Storage Policies

First Time Template Creation (includes resource pools)

Deploying a Secure Container from VACS Template

Container template

Template types

VACS deployment options (for internal


template type)

Container application size

Policies

VACS Network resource pool

Routing protocol

VM networks entry (vlan)

VM networks entry (vxlan)

VM networks entry (vxlan)

Virtual machines

Virtual machines entry

VM network interfaces entry

VACS Summary

Custom template type

Custom-Security zones

Custom-ACL rules entry

Custom-ACL rules entry

Custom-ALG options

Custom-VM network options

After the template is submitted successfully, there are default policies being created:

Virtual Infrastructure Policies

Tiered Application Gateway Policies

PNSC firewall policies

VIP

Policies -> Application Containers->Virtual Infrastructure Policies

VIP

VIP PNSC information

VIP - Gateway

VIP - Summary

Tiered Application Gateway Policies

Policies -> Application Containers ->Tiered Application Gateway Policies

Gateway policy

CSR configuration

Gateway Policy - Summary

PNSC firewall policies

Physical->Network->PNSC accounts->PNSC->PNSC Firewall Policies

PNSC policy

PNSC zones

PNSC ACL rules

PNSC-VSG config

Publishing catalog

Policies ->Catalogs

Add catalog

Catalog - Summary

Catalog published

VACS Workflows (Policies -> Orchestration -> Workflows)

Workflow: Description

VACS Container Setup: This workflow is executed when a VACS container deployment is requested, based on a VACS template. The workflow deploys a VACS container based on the compute, storage, network policies associated with the template, network configuration, firewall and routing configuration and workload VM specifications.

Add VMs to VACS Container: This workflow is executed when a VACS user requests addition of VMs to an existing VACS container.

VACS Delete VMs: This workflow is executed when a VACS user requests deletion of VMs from an existing VACS container.

VACS Static NAT: This workflow is executed when a VACS user requests Static NAT configuration for workload VMs in a VACS Container

VACS ERSPAN: This workflow is executed when a VACS user requests monitoring of VM traffic for one or more VMs
