Cisco Secure Agile Exchange Release Notes

About Cisco Secure Agile Exchange

Cisco® Secure Agile Exchange (SAE) is a solution that enables enterprises to quickly and securely interconnect users to applications by virtualizing the network edge (DMZ) and extending it to colocation centers, the crossroads of Internet traffic. SAE provides orchestration and automation of Cisco products like CSRv and ASAv, along with third-party VNFs using the CSP platform. CSP is an open appliance Cisco Network Function Virtualization (NFV) platform.

Components of SAE

Orchestration : The SAE orchestration solution consists of the SAE Core Function Pack (CFP) application that is placed on top of the Cisco Network Services Orchestrator (NSO) and Cisco Elastic Services Controller (ESC). This enables VNF service chain lifecycle management, fabric configuration, routing of layer 2 and 3 networks between VNFs. The SAE CFP also provides intelligent VNF placement logic that is based on the availability of compute resources and high availability (HA) requirements.

x86 Compute Platform:CSP, a x86 Kernel-based KVM platform is used to host VNFs. CSP 2100 supports high-throughput internal switching technologies such as Single Root I/O virtualization (SR-IOV) and 10 Gbps physical network cards (pNICs). It also uses a central network file system (NFS) to host the images of shared VNFs and configuration templates.

Nexus 9000 Switching Fabric: Nexus 9000 series switches form the network fabric in SAE. The switches are connected to the CSPs hosting the VNFs; as well as to external networks towards the internet, public clouds, and private clouds.

Virtual Network Functions (VNFs): SAE supports both Cisco-developed and third-party virtual network functions (VNFs).

System Specifications

Supported Hardware & Software

Cisco Secure Agile Exchange supports the following devices and their software versions.

Table 1. Devices and Software Version
Device Software Version
Compute System

CSP Devices (CSP 2100 and CSP 5000)


  • Intel X520 dual-port 10-Gbps SFP+ adapter (Niantic)

  • Intel XL710-DA4 quad-port 10-Gbps SFP+ adapter (Fortville)

N9K 93180YC-FX 9.2(1)

Supported Software

Cisco Secure Agile Exchange supports the following software.

Table 2. Software and Version
Software Software Version
NSO Version 4.7.1

NSO supports the following operation systems and versions.


  • v17.10 Artful

  • v16.04.4 LTS Xenial

  • v18.04 LTS Bionic

CentOS v7.4


ESC on CSP + patch

Supported VNFs

Cisco Secure Agile Exchange supports both–Cisco VNFs and third-party VNFs supported by Cisco.

The following tables only include the VNFs that the SAE solution has been tested with.

Table 3. Cisco VNFs Tested for SAE
VNF Version
Cisco CSR100v 16.07.02 and 16.08.01a
Cisco ASAv 9.8.2 and 9.9.2
Cisco FTDv 6.2.2–81 and 6.2.3–83
Cisco FMC 6.2.2–81 and 6.2.3–83
Table 4. Third-party VNFs Tested for SAE
VNF Version
Palo Alto Firewall (PAFW) 8.1.5 and 8.0.5
AVI Controller 18.1.3
AVI Service Engine 18.1.3
Fortinet 6.0.2

If you would like to use VNFs other than the ones listed in the tables above, see Cisco Certification Program for information on how to validate third-party VNFs.


The following features are suuported inCisco Secure Agile Exchange (SAE).

  • Networking Topologies: Spine-leaf and Standalone VPC pairing are the supported topologies.

  • Routing Mechanism: BGP is supported as the routing mechanism between service chains and the switching fabric.

  • Service Chains: Service chains can be created using both, Cisco VNFs and third-party VNFs supported by Cisco.

  • Network Resource Management: Resource management for IP addresses and VLANs is supported.

  • VNF Placement Logic: VNFs are placed on the CSP devices based on affinity rules, HA requirements, compute resources avaialble, and interface requirements.

  • VNF Lifecycle Management: VNF lifecycle management for VNF monitoring and recovery is supported through ESC.

  • Intelligent Traffic Director (ITD): ITD is supported for standalone VPC pair switching fabric.

  • Infrastructure Discovery: Automatic infrastrucure discovery is supported for onboarded devices.

Known Issues

The following are known bugs associated with SAE. The table below provides a workaround to resolve them temporarily.

Table 5. Open Bugs
Bug ID Description and Workaround


Description: Fortinet HA needs spoof check disabled on SR-IOV links

Workaround: Use custom template or NSO command line to disable spoof check on the VNIC. Follow the steps below to disable spoof check on the VNIC

  1. Do a sync from CSP1 and CSP2.

  2. Run the following commands for CSP1:

    set devices device CSP1 vsb:Services <fortinet-1> vnics vnic 3 spoof-chk off and set devices device CSP1 vsb:Services <fortinet-1> vnics vnic 4 spoof-chk off
  3. Run the following commands for CSP2:

    set devices device CSP2 vsb:Services <fortinet-2> vnics vnic 3 spoof-chk offand set devices device CSP2 vsb:Services <fortinet-2> vnics vnic 3 spoof-chk off


Description: Fortinet HA needs an extra IP address from management subnet pool, whereas NSO SAE allocation provides one management IP per VNF that is used for monitoring.

Workaround: Follow these steps to allocate an extra management IP for Fortinet HA.

  1. Exclude IP addresses from the management subnet pool.

  2. Provide the following key value pairs in the SAE site: var ExcludeIP1 val ip address and var ExcludeIP2 val ip address.

  3. Include the following variables in your day-0 file for Fortinet VNF: $ExcludeIP1 and $ExcludeIP2.