The dynamic nature of cloud environments requires organizations to apply and enforce frequent changes to networks. These networks can consist of thousands of virtual services elements, such as firewalls, load balancers, routers, and switches. Cisco Prime Network Services Controller simplifies operations with centralized, automated multidevice and policy management for Cisco network virtual services. For the latest Prime Network Services Controller release updates and overview, see the corresponding Prime Network Services Controller data sheet.
Cisco Prime Network Services Controller (Prime Network Services Controller) is the primary management element for Cisco Nexus 1000V (Nexus 1000V) switches and services that can enable a transparent, scalable, and automation-centric network management solution for virtualized data center and hybrid cloud environments. Nexus 1000V switches and services deliver a highly secure multitenant environment by adding virtualization intelligence to the data center network. These virtual switches are built to scale for cloud networks. Support for Virtual Extensible LAN (VXLAN) helps enable a highly scalable LAN segmentation and broader virtual machine (VM) mobility.
Prime Network Services Controller enables the centralized management of Cisco virtual services to be performed by an administrator, through its GUI, or programmatically through its XML API. Prime Network Services Controller is built on an information-model architecture in which each managed device is represented by its subcomponents (or objects), which are parametrically defined. This model-centric approach enables a flexible and simple mechanism for provisioning and securing virtualized infrastructure using Cisco VSG and Cisco Adaptive Security Appliance 1000V (ASA 1000V) Cloud Firewall virtual security services.
In addition, Prime Network Services Controller supports Cisco Cloud Services Router 1000V (CSR 1000V) edge routers, and Citrix NetScaler 1000V and Citrix NetScaler VPX load balancers. This combination of virtual services brings numerous possibilities to customers, enabling them to build virtual data centers with all of the required components to provide best-in-class cloud services.
The following topics identify the primary requirements for installing and using Prime Network Services Controller. For a complete set of requirements, see the Cisco Prime Network Services Controller 3.4 Installation Guide.
Requirement | Description |
---|---|
Prime Network Services Controller Virtual Appliance | |
Four virtual CPUs | 1.8 GHz |
Memory | 4 GB RAM |
Disk space | |
Management interface | One management network interface |
Processor | x86 Intel or AMD server with 64-bit processor listed in the VMware compatibility matrix |
Prime Network Services Controller Device Adapter | |
Two virtual CPUs | 1.8 GHz |
Memory | 2 GB RAM |
Disk space | 20 GB |
Interfaces and Protocols | |
HTTP/HTTPS | — |
Lightweight Directory Access Protocol (LDAP) | — |
Intel VT | |
Intel Virtualization Technology (VT) | Enabled in the BIOS |
See the VMware Compatibility Guide to confirm that VMware supports your hardware platform.
See the Windows Server Catalog to confirm that Microsoft Hyper-V supports your hardware platform.
Requirement | Description |
---|---|
VMware | |
VMware vSphere | 5.1, 5.5, and 6.0 with VMware ESXi (English only) |
VMware vCenter | 5.1, 5.5, and 6.0 (English only) |
OpenStack KVM | |
KVM Hypervisor | Ubuntu 12.04 LTS server, 64-bit |
KVM Kernel | Version 3.2.0-52-generic |
Cisco OpenStack Installer | Havana (Standalone mode only). Prime Network Services Controller 3.4 does not support Orchestrator mode. |
Microsoft | |
Microsoft Server | Microsoft Hyper-V Server 2012 R2 (Standard or Data Center) |
Microsoft System Center Virtual Machine Manager (SCVMM) | Microsoft SCVMM 2012 R2 |
Note | Prime Network Services Controller running as a virtual machine with version 3.4.1b and later can be hosted on VMware vSphere ESXi 6.0 hosts that are managed by VMware vCenter Server 6.0. |
The following table identifies features that differ with regard to hypervisor support in Prime Network Services Controller 3.4. Features that are not listed are supported by all hypervisors.
Feature and Device Support | VMware vSphere ESXi 5.1 and 5.5 | OpenStack KVM Ubuntu 12.04 | Microsoft Hyper-V Server 2012 R2 |
---|---|---|---|
Feature Support | | | |
Automatic deployment of network services | Supported | Not supported | Not supported |
Licensing for CSR 1000V edge routers and Citrix NetScaler 1000V load balancers | Supported | Supported | Not supported |
Network Refresh button | N/A | Supported | Supported |
VM Attribute support | N/A | | |
Device Support. For detailed information about device support, see Cisco Prime Network Services Controller Supported Devices. | | | |
ASA 1000V | Supported | Not supported | Not supported |
Citrix NetScaler 1000V | Supported | Supported | Not supported |
Citrix NetScaler VPX | Supported | Supported | Not supported |
CSR 1000V | Supported | Supported | Partial support1 |
VSG | Supported | Not supported | Supported |
The following topics provide important information for using Prime Network Services Controller.
If you instantiate an ASA 1000V service using the asa871-8.ova image, the service instance will not register with Prime Network Services Controller. Contact the Cisco Technical Assistance Center (TAC) for help in addressing this issue.
Regional phone numbers are available at http://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html#numbers.
To use the Web, go to http://www.cisco.com/cisco/web/support/index.html.
If you instantiate a CSR 1000V edge router or Citrix NetScaler load balancer from Prime Network Services Controller with a data interface configured for DHCP and DHCP is enabled for networks in OpenStack, the interface is assigned correctly in OpenStack but is shown as unassigned in the device CLI. To address this situation, turn off TX for the TAP interface used for DHCP service in OpenStack as described in the following procedure.
If you bring up a Prime Network Services Controller instance from an ISO image on the OpenStack Kilo platform, the PNSC installation might loop after finishing and restart at the first step of the installation. This problem is due to an open issue in libvirt. To correct this problem, complete the following steps.
Step 1 | Locate the driver.py file in the /usr/lib/python2.7/site-packages/nova/virt/libvirt folder on the OpenStack controller and compute nodes. Replace it with the driver.py file that is available on the public repository: https://cnsg-yum-server.cisco.com/yumrepo/osp7/driver.py |
Step 2 | After replacing the driver.py file on the controller and compute nodes, restart the nova service.
The following example shows the difference between the original driver.py file and the modified one: # diff driver.py driver.py.orig 2192c2192 < write_to_disk=True, pnsc=True) --- > write_to_disk=True) 4018c4018 < instance, inst_path, image_meta, disk_info, pnsc=False): --- > instance, inst_path, image_meta, disk_info): 4027,4030c4027 < if pnsc: < guest.os_boot_dev = ["hd"] < else: < guest.os_boot_dev = blockinfo.get_boot_order(disk_info) --- > guest.os_boot_dev = blockinfo.get_boot_order(disk_info) 4114c4111 < context=None, pnsc=False): --- > context=None): 4182c4179 < instance, inst_path, image_meta, disk_info, pnsc) --- > instance, inst_path, image_meta, disk_info) 4307c4304 < block_device_info=None, write_to_disk=False, pnsc=False): --- > block_device_info=None, write_to_disk=False): 4325c4322 < context, pnsc) --- > context) |
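Review bot: At 2192 the call passes the literal pnsc=True, and nothing in the visible lines ties that flag to the instance being a Prime Network Services Controller VM, so every guest whose XML is built through that call takes the "if pnsc:" branch at 4027 and gets guest.os_boot_dev = ["hd"] instead of blockinfo.get_boot_order(disk_info). If the intent is to change the boot order only for PNSC instances installed from ISO, derive the flag from an instance or image property at the call site rather than hard-coding it, and document the new pnsc parameter where it is introduced at 4018, 4114 and 4307. The command shown is diff driver.py driver.py.orig, so the < lines are the modified file and the > lines are the original. Because the procedure replaces driver.py wholesale on controller and compute nodes, keep the existing file as driver.py.orig and rerun the same diff after copying to confirm that only these seven changes are present.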
When using Hyper-V Hypervisor, some DNS attributes are not displayed in Prime Network Services Controller. This situation occurs due to recent changes in Linux VMs running in Hyper-V Hypervisor. For more information and the Microsoft services that must be installed for Prime Network Services Controller to fetch the VM DNS attributes from SCVMM, see http://technet.microsoft.com/en-us/library/jj860438.aspx.
When Linux virtual machines are cloned, new MAC addresses are assigned. This causes a MAC address mismatch between the VM settings and the Linux Guest OS. If you encounter this situation, the following message is displayed:
The Guest OS either does not contain interface configuration for the VM NICs or the interfaces are explictly disabled.
For information on how to resolve the MAC address mismatch, see the VMware Knowledge Base.
We recommend that you do not edit the data interfaces of compute or edge firewalls. Changing the data interface via the Prime Network Services Controller GUI will stop communications between the Cisco Nexus 1000V VEM link and the firewall, and thereby stop vPath traffic.
If you change the data interfaces of compute or edge firewalls via the Prime Network Services Controller GUI, make the appropriate configuration changes on the Nexus 1000V.
Searching for organization names will not work if the organization names include special characters, such as $.
When adding a user account, the administrator can choose to expire the account password and select the date on which it expires. When the expiration date is reached, the account is disabled and the user cannot log in to Prime Network Services Controller until a user with administrator privileges extends the expiration date.
Prime Network Services Controller enables you to automatically deploy compute firewall and load balancer network services by preparing the required networks, defining organizational profiles by configuring service automation policies, and assigning the organizational profiles to the required organization in the tenant hierarchy.
The following table identifies the tasks required to configure Prime Network Services Controller for automatic network service deployment, the related documentation, and the minimum role required for each task.
Task | Related Documentation | Role Required |
---|---|---|
1. Confirm that the following prerequisites are met: | | admin |
2. Import service images. Supported service devices are VSG compute firewalls and Citrix NetScaler load balancers. | | admin |
3. Configure Management, HA, and vPath networks and subnetworks at root. | | admin |
4. Create the policies and profiles for the network services. | | admin |
5. Create organizational (Org) profiles and add service automation definitions to each profile. | | admin |
6. In Tenant Management, create the organization where the network services will be deployed and assign an Org profile. | | admin or tenant-admin |
7. Add a network to the organization to deploy the network service. | | tenant-admin |
8. Configure additional policies and profiles as needed. | Configuring Additional Policies and Profiles for Network Services | tenant-admin |
9. Removing an automatically deployed compute firewall network service. | | tenant-admin |
Prime Network Services Controller enables you to import service images that you can then use to instantiate a device or service VM.
After you import an image, Prime Network Services Controller automatically places the file in the correct location and populates the Images table.
Confirm that the service images are available for importing into Prime Network Services Controller.
To automatically deploy network services, you must configure the following networks with subnetworks at the root level:
A management network—This network provides IP addresses for the automatically deployed services.
A vPath service network—This network is required for deploying compute firewall network services.
An HA network—This network is required for deploying compute firewall network services in HA mode.
The following guidelines apply when creating networks for automated network service deployment:
A device profile is a set of custom security attributes and device policies. Adding a device profile enables you to specify the DNS and NTP servers that the service device is to use in addition to SNMP, syslog, and authentication policies.
For more information about device profiles, see the Cisco Prime Network Services Controller User Guide or the online help.
A network service automation policy specifies the profiles, image, and credentials to be used when deploying a network service. Depending on the type of service, different options are available. For each Org profile, you can create a definition for each network service type: compute firewall and load balancer.
After you configure the service automation policies for an Org profile, create the tenant or other organization on which you want to deploy the network service. Creating the organization includes assigning the Org profile that will be used to automatically deploy network services.
Determine the level in the hierarchy where the organization that will be configured to automatically deploy network services will reside.
Step 1 | Choose Tenant Management > root and navigate to the level where you want to add the organization that will deploy network services using the Org profile. For example, to assign an Org profile to a tenant, click Create Tenant at the root level. Similarly, to assign an Org profile at the Application level, navigate to the VDC and click Create Application. |
Step 2 | In the Create dialog box, enter a name for the organization and, from the Profile drop-down list, choose the Org profile to assign to the organization. |
Step 3 | Click OK. |
After you create the organization where network services will be deployed and assign an Org profile, you can deploy the network service. To deploy the network service, create a network on the organization.
The following guidelines apply when deploying a network service:
Step 1 | Choose Resource Management > Managed Resources > root > tenant or tenant > org. |
Step 2 | In the Networks tab, create the network for the service to be deployed, being sure to choose the correct role for the service. The network service is then automatically deployed. To monitor progress, choose Resource Management > Managed Resources > root > tenant or tenant > org and click the Network Services tab. |
Step 3 | For load balancer network services only, create a new virtual server profile and policies before adding a VIP to the automatically instantiated load balancer. For more information, see Creating a Virtual Server Profile. |
You can create a virtual server profile that you can then apply to virtual servers. For more information, see the Cisco Prime Network Services Controller User Guide or the online help.
Step 1 | Choose Policy Management > Service Profiles > root > tenant > Load Balancer > Virtual Server Profiles. |
Step 2 | Click Add Virtual Server Profile. |
Step 3 | In the Add Virtual Server Profile dialog box, enter a name and description for the profile, and then click Add Service. |
Step 4 | In the Add Service dialog box, enter service information in the General and Server Farm tabs. |
Step 5 | When you are done, click OK in the open dialog boxes. |
After deploying a network service, you might need to apply new policies and profiles to the network service. To apply new policies and profiles to a specific, deployed network service, create the policies and profiles at the same organizational level as the deployed service. For example, if a compute firewall network service has been deployed for a VDC, create the new policies and profiles at the VDC level.
You cannot delete an automatically deployed compute firewall by deleting the network of a specific client. However, you can delete an automatically deployed compute firewall service from the Managed Resources Network Services tab in Prime Network Services Controller.
Note | If you delete the vPath network from root, it will remove all compute firewalls from all tenants and subordinate organizations. |
The following table lists the open bugs in Prime Network Services Controller 3.4.1d.
Bug ID | Description |
---|---|
| | In OpenStack environments, CSR 1000V edge routers enter Failed to Apply state if ten or more interfaces are configured. |
| | Service automation fails without an error message for new tenants if all existing management IP addresses assigned to the Layer 2 network have been used. You can confirm this has occurred by choosing Resource Management > Managed Resources > root > Faults. |
| | Prime Network Services Controller Device Adapter fails in OpenStack. |
| | Cisco ASA 1000V instantiation hangs at the VM creation step with the error "VNMC password not configurable." |
| | IP-SPID bindings are missing from the Cisco ASA 1000V. |
The following table lists the resolved bugs in Prime Network Services Controller 3.4.1d.
Bug ID | Headline |
---|---|
| | A change in the Prime Network Services Controller shared secret does not take effect for the service virtual machine. |
| | A reboot message occurs during the Prime Network Services Controller upgrade. |
| | Internal ID rule corruption causes the error "Attribute not found." |
| | The Prime Network Services Controller CLI should check the NTP status, similar to show ntp peer-status. |
| | Need to remove the keepalived service from the Prime Network Services Controller base OS. |
| | The hypervisorIntegration setting becomes corrupted on the wrong upgrade path. |
This topic explains how to use the Bug Search Tool to search for a specific bug or to search for all bugs in a release.
Step 1 | Go to http://tools.cisco.com/bugsearch. |
Step 2 | In the Log In screen, enter your registered Cisco.com username and password, and then click Log In. The Bug Search page opens. |
Step 3 | To search for a specific bug, enter the bug ID in the Search For field and press Enter. |
Step 4 | To search for bugs in the current release: |
The Prime Network Services Controller documentation is available on Cisco.com at the following URL:
The Cisco Intercloud Fabric documentation is available on Cisco.com at the following URL:
The Cisco Adaptive Security Appliance (ASA) documentation is available on Cisco.com at the following URL:
The Cisco Cloud Services Router 1000V (CSR 1000V) documentation is available on Cisco.com at the following URL:
The Cisco Nexus 1000V Series switch documentation is available on Cisco.com at the following URL:
The Cisco Prime Data Center Network Manager (DCNM) documentation is available on Cisco.com at the following URL:
The Cisco Virtual Security Gateway (VSG) documentation is available on Cisco.com at the following URL:
All product documents are accessible except for images, graphics, and some charts. If you would like to receive the product documentation in audio format, braille, or large print, contact accessibility@cisco.com.
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation, at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation as an RSS feed and delivers content directly to your desktop using a reader application. The RSS feeds are a free service.
Copyright © 2015, Cisco Systems, Inc. All rights reserved.