Harnessing the Power of Software Defined Branch and SD-WAN

Ramesh Kalimuthu,
Technical Marketing Engineer
BRKARC-2112

Agenda
• Introduction and Motivation
• What is SD Branch?
  • Solution Components
  • Automation, Security, Performance, High Availability, Serviceability
• SD-WAN Integration
• Deployed Use-cases
• Monitoring and Troubleshooting
• Conclusion

#CLUS BRKARC-2112 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
Webex Teams will be moderated by the speaker until June 16, 2019: cs.co/ciscolivebot#BRKARC-2112
Benefits of Software Defined Branch
Simplified Management
• Simplify day-to-day operations
• Quickly roll out new services and locations
• Consistent network policies through the entire enterprise network to the cloud
Use Cisco DNA Center or MSX/NSO to manage your branch.
Why Virtualize? Motivations for the Enterprise
CAPEX
• Deploy on standard x86 servers
• Economies of scale
• Service elasticity: deploy as needed
• High availability
• Best-of-breed
• Hardware oversubscription, fault tolerance
OPEX
• Deployment flexibility
• Reduction of the number of network elements
• Reduction of on-site visits
• Simpler architectural paradigm
  • Deployment of standard on-premise hardware
  • Simplification of the physical network architecture
  • Leveraging virtualization benefits
• Increased potential for automated network operations
• Re-alignment of organizational boundaries
Cisco DNA Virtualization
Automated, software-based network services in minutes on any platform
[Figure: Users/Things (mobile devices, laptops, IoT) connect through the Cisco Digital Network Architecture to Applications hosted in the branch/campus, colocation centers and the public cloud.]
• Secure, open, extensible
• Any virtual functions
• Flexible deployment models: anywhere in the network, DIY or managed services
• Any platform
What is Software Defined Branch Architecture?
A solution-oriented approach, layered from orchestration down to hardware:
• Centralized orchestration and management (SDN applications)
• Network services and applications: consistent, trusted network services across all the platforms
• Virtualization layer: hardware and software independence
• Hardware platform: freedom of choice
Software Defined Branch
Deploy Services on Any Platform
• Orchestration: Cisco DNA Center / Network Services Orchestrator (NSO) / MSX
• Virtual network functions: Virtual Router (ISRv, CSR, vEdge), Virtual Firewall (ASAv, NGFWv), Virtual WAN Optimization (vWAAS), vWireless LAN Controller (WLC), third-party applications/VNFs
• Network Functions Virtualization Infrastructure Software (NFVIS)
• Hardware: Enterprise Network Compute System (ENCS), Cisco 4000 Series ISR + UCS® E-Series, CSP-5000, UCS-M5 C-Series, select 3rd-party hardware
Hardware
Enterprise Network Compute System (ENCS): a platform built for Enterprise NFV in the branch/campus, colocation center and public cloud
ENCS 5000 Series for the Branch
• Best of routing and compute
• Complete virtualized services
• Open for third-party services and apps
Models: ENCS 5100 Series, ENCS 5400 Series
ENCS 5000 Series - Chassis Options
• ENCS 5104: 4-core, 3.4 GHz CPU; no LAN PoE; capacity guidance ISRv + 1 VNF
• ENCS 5406: 6-core, 1.9 GHz CPU; no LAN PoE; capacity guidance ISRv + 2 VNFs
• ENCS 5408: 8-core, 2.0 GHz CPU; 200 W LAN PoE; capacity guidance ISRv + 3 VNFs
• ENCS 5412: 12-core, 1.5 GHz CPU; 200 W LAN PoE; capacity guidance ISRv + 5 VNFs
ENCS 5400 Series – I/O Side
• Integrated power supply
• Dedicated lights-out management (CIMC)
• 16 - 64 GB DRAM
• (Optional) hardware RAID controller
• 6, 8, or 12-core Intel Xeon-D
• Internal M.2 storage, 64 – 400 GB
• 8 integrated LAN ports with optional PoE
• USB 3.0 storage
• Network Interface Module for LTE & WAN
• 2 HDD or SSD, RAID 0 & 1
• Hardware acceleration for VM traffic
• 2 onboard Gigabit Ethernet ports with SFP
ENCS 5400 Internal Networking
[Figure: VNF 1, ISRv and VNF 2 run on x86/NFVIS. NIC-aware VNFs get hardware offload for VM-to-VM traffic over the high-speed NIC backplane; other VNFs use the software-switched path. A VLAN-aware hardware switch with PoE ports connects the x86 backplane, the NIM (cellular, T1, DSL, LAN uplink) and the dual-PHY WAN GE ports. The CIMC provides lights-out management over dedicated management GE ports. Solid lines are the data path, dashed lines the control path.]
Understanding SR-IOV on the ENCS 5400
• There are multiple ways a VNF can connect to a physical NIC of the underlying server/hardware:
  • Virtual switch - introduced by the hypervisor
  • SR-IOV - connecting the VNF directly to the physical NIC
  • PCI passthrough - dedicating the entire NIC to the VNF directly
• SR-IOV (Single Root I/O Virtualization) allows multiple VNFs to connect to a physical interface on the server/hardware
• However, for a VNF to use the SR-IOV network that the NIC provides, the VNF needs to support the drivers that are required by the NIC
• On the ENCS, there are two NIC types on which SR-IOV has been enabled:
  • WAN GigE NIC – Intel i350, uses the igb drivers (igbvf in the guest)
  • LAN backplane NIC - Intel XL710, uses the i40evf driver
• As long as the VNF supports these NIC drivers, the VNF can be deployed using SR-IOV
• VNFs can be service chained using SR-IOV VFs on the ENCS
• Using SR-IOV provides the best performance: it eliminates the performance issues caused by the virtual switch
• VNFs can always be connected/service chained using the virtual switch instead
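As an added example (not Cisco or NFVIS code), the following Python script does the check a practitioner would run on a Linux/KVM host before choosing SR-IOV for a VNF: it reads the standard sysfs attributes that expose a physical function's SR-IOV state, maps the PF driver to the VF driver the guest must carry (igb to igbvf, i40e to i40evf, ixgbe to ixgbevf, the drivers named in this deck), and decides per interface whether a given VNF image can be attached to a VF or must fall back to the virtio/virtual-switch path. The sysfs tree it inspects is constructed in a temporary directory so the script runs offline; the interface names GE0-0, GE0-1 and lan-backplane and the VF counts are sample values, not read from a real ENCS.

```python
"""Check SR-IOV readiness of the NICs on a Linux/KVM host (added example, not NFVIS code).

Reads the standard sysfs attributes:
  /sys/class/net/<if>/device/driver          symlink -> /sys/bus/pci/drivers/<pf driver>
  /sys/class/net/<if>/device/sriov_totalvfs  VFs the PF can expose
  /sys/class/net/<if>/device/sriov_numvfs    VFs currently enabled
"""
import os
import tempfile
from dataclasses import dataclass

# PF kernel driver -> VF kernel driver the guest image must contain
# (igb/igbvf for the i350, i40evf for the XL710, ixgbevf for 10G ixgbe ports).
VF_DRIVER_FOR_PF = {"igb": "igbvf", "i40e": "i40evf", "ixgbe": "ixgbevf"}


@dataclass
class PfInfo:
    ifname: str
    pf_driver: str
    total_vfs: int
    num_vfs: int

    @property
    def vf_driver(self):
        return VF_DRIVER_FOR_PF.get(self.pf_driver)


def _read_int(path, default=0):
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def sriov_inventory(sysfs_net="/sys/class/net"):
    """Return a PfInfo for every interface whose device advertises sriov_totalvfs > 0."""
    pfs = []
    for ifname in sorted(os.listdir(sysfs_net)):
        dev = os.path.join(sysfs_net, ifname, "device")
        total = _read_int(os.path.join(dev, "sriov_totalvfs"))
        if total <= 0:
            continue  # not an SR-IOV capable PF (management port, VF, virtual interface)
        drv = os.path.join(dev, "driver")
        pf_driver = os.path.basename(os.readlink(drv)) if os.path.islink(drv) else "unknown"
        pfs.append(PfInfo(ifname, pf_driver, total, _read_int(os.path.join(dev, "sriov_numvfs"))))
    return pfs


def attachment_mode(pf, vnf_drivers):
    """Decide how a VNF can attach to this PF: ('sriov', why) only if the image
    carries the VF driver the PF needs and VFs are enabled, else ('virtio', why)."""
    needed = pf.vf_driver
    if needed is None:
        return "virtio", f"no known VF driver for PF driver {pf.pf_driver}"
    if needed not in vnf_drivers:
        return "virtio", f"VNF lacks {needed}"
    if pf.num_vfs == 0:
        return "virtio", "no VFs enabled on PF"
    return "sriov", f"VNF has {needed}, {pf.num_vfs}/{pf.total_vfs} VFs enabled"


def build_sample_sysfs(root):
    """Construct a fake sysfs tree (sample data, not a real host): two i350-style
    WAN ports (igb), one XL710-style backplane port (i40e), one port without SR-IOV."""
    drivers = os.path.join(root, "bus", "pci", "drivers")
    net = os.path.join(root, "class", "net")
    sample = {"GE0-0": ("igb", 7, 1), "GE0-1": ("igb", 7, 0),
              "lan-backplane": ("i40e", 64, 16), "MGMT": (None, 0, 0)}
    for ifname, (drv, total, num) in sample.items():
        dev = os.path.join(net, ifname, "device")
        os.makedirs(dev)
        if drv is None:
            continue
        os.makedirs(os.path.join(drivers, drv), exist_ok=True)
        os.symlink(os.path.join(drivers, drv), os.path.join(dev, "driver"))
        for attr, value in (("sriov_totalvfs", total), ("sriov_numvfs", num)):
            with open(os.path.join(dev, attr), "w") as f:
                f.write(f"{value}\n")
    return net


def demo(vnf_drivers=("virtio_net", "igbvf")):
    """Run the inventory on the sample tree for a VNF image that ships igbvf but
    not i40evf; returns {ifname: (mode, reason)}."""
    net = build_sample_sysfs(tempfile.mkdtemp())
    return {pf.ifname: attachment_mode(pf, set(vnf_drivers)) for pf in sriov_inventory(net)}


if __name__ == "__main__":
    for ifname, (mode, why) in demo().items():
        print(f"{ifname}: {mode} ({why})")
```

On a real host call `sriov_inventory()` with its default argument; the only assumptions are the sysfs layout above and the PF-to-VF driver table, which you extend for NICs not in the deck.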
Performance Dependencies
The individual performance of a VNF depends on:
• The underlying platform: the number of cores and the type and frequency of the processor used
• The resources available for the VNF
• How the VM connects to the physical NICs – PCI passthrough, SR-IOV, virtIO
• Finally, the VNF itself: the VNF must also be optimized to run in a virtual environment
In a multi-VNF environment, the net chained VNF performance also depends on:
• The weakest-link VNF
• The use of virtual switches to copy packets from ingress to egress vNICs
• DPDK mode for the virtual switches
NFVIS Compare Networking Options
SR-IOV (performance)
• Service chain throughput: better than DPDK/OVS
• NFVIS default cores: 1 core on a < 16-core system, 2 cores on a >= 16-core system
• Driver requirement in the VNF: SR-IOV VF driver
• Supported platforms ***: ENCS54xx (igb, igbvf, i40evf); UCSE M3 front 10G (ixgbvf); UCS5K, CSP5K (i40evf, ixgbvf)
DPDK-OVS
• Service chain throughput: near SR-IOV, better than non-DPDK OVS
• NFVIS default cores + additional CPU: 1+1 CPU on a <= 16-core system, 2+2 on a > 16-core system; memory 1+1 GB on a <= 32 GB system, 1+2 GB on a > 32 GB system
• Driver requirement in the VNF: no SR-IOV driver, virtio required
• Supported platforms: ENCS54xx from NFVIS 3.10.1 onwards; UCSE M3 and UCS5K/CSP5K from NFVIS 3.12.1 onwards
OVS (flexibility)
• Service chain throughput: lower than DPDK and SR-IOV
• NFVIS default cores: 1 core on a < 16-core system, 2 cores on a >= 16-core system
• Driver requirement in the VNF: no SR-IOV driver, virtio required
• Supported platforms: all of the above
*** Default LAN-VF count increased from 6 to 16 in NFVIS 3.12.1 onwards
*** Dynamic VF addition on CSP5K and UCS M5 in NFVIS 3.12.1 onwards
Packet flow to a VM deployed with SR-IOV
1. The packet is received by the physical NIC (TenGig port 1, the PF).
2. The NIC performs a MAC/VLAN lookup and selects a VF.
3. The packet is placed in the VF queue and an interrupt is generated.
4. The QEMU thread for the VM vCPU receives the interrupt and sends a virtual interrupt to the guest kernel.
5. The guest kernel processes the interrupt and reads the packet from the buffer.
6. The guest Linux networking stack processes the packet and delivers it to the user space process.
7. The guest user space process consumes the packet.
Packet flow to a VM deployed with OVS-DPDK
1. The packet is received by the physical NIC (bound to the VFIO driver) and placed in the ring buffer in user space, backed by huge pages.
2. The DPDK poll mode driver dequeues the packet.
3. OVS performs a MAC/VLAN lookup and identifies the specific port.
4. The packet is copied to vhost-user shared memory.
5. OVS generates the control socket notification to QEMU.
6. The guest kernel processes the notification and reads the packet from the buffer.
7. The guest Linux networking stack processes the packet and delivers it to the user space process.
8. The guest user space process consumes the packet.
Packet flow to a VM deployed with OVS
1. The packet is received by the physical NIC (pNIC driver, kernel space).
2. The packet is placed in the interface ring buffer and an interrupt is generated.
3. OVS performs a MAC/VLAN lookup and identifies the specific port (a tap device).
4. The vhost-net kernel thread is scheduled and copies the packet to shared memory.
5. QEMU generates the virtual IRQ to the guest kernel.
6. The guest kernel processes the interrupt and reads the packet from the buffer.
7. The guest Linux networking stack processes the packet and delivers it to the user space process.
8. The guest user space process consumes the packet.
ENCS-W vs ENCS
ENCS-W
• Standalone WAVE replacement
• Managed completely by WCM
• No interaction with the hypervisor (NFVIS) required
• Scales up to 6000 CC
• Positioned when the use case involves standalone WAN / application acceleration
• Perpetual license bundled with the appliance, same as WAVE
ENCS
• Part of the SD-Branch solution
• vWAAS along with other VNFs orchestrated by Cisco DNAC
• VM lifecycle management via the hypervisor (NFVIS)
• Scales up to 750 CC
• Positioned when the use case involves collapsing multiple services (routing, firewall, WAN-opt, etc.) into a single platform
• Term-based licensing per VNF
UCS E-Series
Cisco UCS E-Series DC-class Servers (in order of scalability and performance)
• Cisco UCS® E140S: Intel Ivy Bridge, single-wide service module; VMware, Hyper-V, Citrix certified; Intel E3 4-core processor; 16 GB DRAM
• Cisco UCS® E160S M3: Intel Broadwell, service module; NFVIS, VMware, Hyper-V, Citrix certified; Intel Broadwell 6-core processor; 32 GB DRAM; USB 3.0 & 10 Gb interface
• Cisco® UCS E160D: Intel Ivy Bridge, double-wide service module; NFVIS, VMware, Hyper-V, Citrix certified; Intel E5 6-core processor; 96 GB DRAM
• Cisco UCS E180D M3 / 1120D M3: Intel Broadwell, double-wide service module; NFVIS, VMware, Hyper-V, Citrix certified; Intel E5 8-core processor; 96 GB DRAM
Cloud Services Platform 5K
CSP 5000 SKUs
1RU: CSP 5216, CSP 5228
• CPU cores: 16 (2.1 GHz Xeon 4110), 28 (2.2 GHz Xeon 5120)
• PCIe NIC slots: 2
• Max NIC ports: 14 (2x4+4+2)
• Min-max bandwidth: 164 GbE - 200 GbE
• Disk slots (small form): 10 (8 usable); capacity 1.2 TB x 8 / 2 = 4.8 TB (HDD) / 3.8 TB (SSD)
• Power: 2 slots (AC), 1540 W (2x770)
2RU: CSP 5436, CSP 5444, CSP 5456
• CPU cores: 36 (3.0 GHz Xeon 6154), 44 (2.1 GHz Xeon 6152), 56 (2.1 GHz Xeon 8176)
• PCIe NIC slots: 6
• Max NIC ports: 30 (6x4+4+2)
• Min-max bandwidth: 324 GbE - 360 GbE
• Disk slots: 24; capacity 14.4 TB (HDD) / 11.5 TB (SSD)
• Power: 2 slots (AC), 2100 W (2x1050)
Common to all SKUs
• Memory: 16 GB / 32 GB DIMMs, 12x2 DIMM slots, 128 GB minimum, 384 GB - 768 GB total capacity
• On-board NICs (LOM): 2x10 GbE SFP+
• VIC: 4x10/25 GbE SFP28
• 1 GbE (i350): optional add-in, 4x1 GbE RJ45
• i520 (2x10 GbE SFP+): optional add-in
• I710 (4x10 GbE SFP+): optional add-in
NFVIS on CSP5K
• Supported with release 3.11 and higher
• CSP5K ships with CSP-OS: NFVIS needs to be installed after unpacking the box
• Replaces the older CSP2100 Series models
• More details: Installing NFVIS on CSP
Virtual Network Functions
Network Services from Cisco: consistent software across physical and virtual
• ISRv/SD-WAN: high performance, rich features
• ASAv/FTD*: full DC-class featured functionality
• vWAAS: application optimization and Akamai Connect
• vWLC: built for small and medium branches
Third-party and general-purpose workloads
• Windows Server: Active Directory, file share, DNS/DHCP
• Linux: custom applications
• 3rd-party: network services, server management & monitoring applications
Enterprise NFV Open Ecosystem
• Customers have the flexibility to run third-party VNFs of their choosing.
• Third-party vendors may choose to submit their VNF for certification.
• No admission restrictions; a third party may be complementary to Cisco, or competitive. The requirements are the same regardless.
• Irrespective of certification, customers have the flexibility to run third-party VNFs of their choosing.
• More information: http://cs.co/3nfv
  https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-functions-virtualization-nfv/nfv-open-ecosystem-qualified-vnf-vendors.pdf
Reference
Third-party VNF certification resources: http://cisco.com/go/enfv
Certification Program at DevNet: http://cs.co/3nfv
Vendor Status (December '18)
[Figure: vendor logos grouped as Certified, Currently Testing, Ready to Test, Expected and Engaged; only the Netscaler and CloudBridge entries survive as text.]
NFVIS
Purpose-built Network Hypervisor
Enterprise NFV Infrastructure Software (NFVIS)
Network Hypervisor
• Supports segmentation of virtual networks
• Abstracts CPU, memory and storage resources
Zero-Touch Deployment
• Automatic connection to the PnP server
• Highly secure connection to the orchestration system
• Easy day-0 provisioning
Security
• Secure chain of trust
• Secure overlay for management and monitoring
• VNF secure boot
• Role Based Access Control
Lifecycle Management
• Provisioning and launch of VNFs
• Stop and restart services
• Dynamically add and remove services
• Failure monitoring and recovery
• VNF backup and restore
Service Chaining
• Elastic service insertion
• PNIC tracking and VNIC update
• Multiple independent service paths based on applications or user profiles
Open API
• Programmable API for service orchestration
• REST and NETCONF API
• NETCONF notifications
• Host and VM statistics, packet capture
NFVIS Architecture
Not just KVM: power in software
• Northbound clients: PnP server, console/SSH, NSO, DNA Center, portal
• Interfaces: NFVIS CLI, NETCONF, REST
• Services: Plug-n-Play, Image Management, Confd, Web Server/Portal, VM Life Cycle Manager, Cluster Management (roadmap), Storage Management, Resource Manager, Service Chaining, Host Management, Statistics Collector, Health Monitor, AAA
• Hardware management: libvirt, Open vSwitch, QEMU, collectd, syslogd, snmpd
• Base: CentOS Linux 7.6 + KVM + kernel drivers
What is NEW in NFVIS?
• NFVIS 3.11.2FC2 posted in April 2019. NFVIS 3.12.1 in EFT, target CCO July 2019
• Validated SR-IOV for LAN/WAN SD-WAN on ENCS
• Secure overlay tunnel for the VNF management network with MSX and DNAC
• VNF storage I/O optimization via eager-zero initialization
• VNF storage backup and restore
• PNIC tracking for LAN/WAN interfaces on ENCS
• OVS-DPDK performance improvement across the supported platforms: ENCS, CSP5K, UCSC-M5, UCSE
• Dynamic SR-IOV for VNF scale
Default System Configuration on ENCS NFVIS 3.10.1+
[Figure: on the ENCS5400 hypervisor (KVM), NFVIS creates the networks wan-net, wan2-net, lan-net and int-mgmt-net on the bridges wan-br, wan2-br, lan-br and int-mgmt-br. wan-br and wan2-br sit on GE0/0 and GE0/1 (each with SR-IOV VFs), lan-br on the LAN backplane port to the integrated switch (GE1/0 to GE1/7), and the dedicated MGMT port is separate. The NIM is also shown.]
• NFVIS can be accessed by default via the front-panel GE WAN ports or via the dedicated management port.
• NFVIS 3.10+ default association: GE0-0 to wan-br, GE0-1 to wan2-br. Both wan-br and wan2-br are enabled for DHCP by default. DHCP is attempted (cycling between GE0-0 and GE0-1) until one of the ports acquires a DHCP address. PnP is then attempted over the WAN-facing network that has a path to the default gateway. Pre-NFVIS 3.10, no wan2-br was created by default and there was no DHCP by default via GE0-1.
• The management port on the ENCS is set to 192.168.1.1/24 by default to access NFVIS.
• All switch ports, GE1/0 to GE1/7, are associated with the LAN bridge.
• An internal management network (int-mgmt-net) and bridge (int-mgmt-br) are created and used internally for system monitoring.
NFVIS Security
Security: Chain of Trust
Host secure boot
• Hardware trust anchor: the microloader verifies the UEFI firmware
• UEFI uses shim.efi to verify grub.efi
• grub.efi uses shim.efi to verify the kernel
• The kernel verifies module signatures (e.g. KVM); the kernel is hardened for protection
VNF secure boot
• Trust anchor: NFVIS provides the OVMF UEFI firmware to the VM
• OVMF UEFI uses shim.efi to verify grub.efi
• grub.efi uses shim.efi to verify the VNF kernel
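As an added example (not NFVIS code, and a deliberately simplified model of the chain above rather than real UEFI signature verification), the Python below treats each boot stage as an image that embeds the digest the next stage must have, the way a hash entry in the UEFI signature database pins an image, with the first digest held by the immutable hardware anchor. Walking the chain shows why a tampered stage is always caught by its untampered predecessor, and why an attacker who rewrites every stage from some point downward still fails at the first one, because the digest above that point is not under their control. Stage names and payloads are constructed sample data.

```python
"""Verified-boot chain as a hash allowlist (added example; a simplified model of the
chain on this slide, not NFVIS code). Each stage image embeds a 'trust record'
naming the next stage and the SHA-256 it must have, like a hash entry in the UEFI
signature database; the first digest is held by the immutable hardware anchor."""
import hashlib
import hmac
import json

MARK = b"\n#TRUST "


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_stage(name, payload, next_stage=None):
    """Stage image = payload + embedded record for the stage it will hand off to."""
    record = {"next": None, "next_sha256": None}
    if next_stage is not None:
        record = {"next": next_stage["name"], "next_sha256": sha256(next_stage["image"])}
    return {"name": name, "image": payload + MARK + json.dumps(record).encode()}


def trust_record(image):
    return json.loads(image.rpartition(MARK)[2])


def verify_chain(anchor_sha256, stages):
    """Walk from the hardware anchor. A stage runs only if its digest equals the
    value recorded by the already-verified predecessor; boot halts on a mismatch."""
    expected = anchor_sha256
    results = []
    for stage in stages:
        ok = expected is not None and hmac.compare_digest(sha256(stage["image"]), expected)
        results.append((stage["name"], ok))
        if not ok:
            break
        expected = trust_record(stage["image"])["next_sha256"]
    return results


def build_demo_chain():
    """Build the chain bottom-up (each stage must know its successor's digest).
    Returns the anchor digest the microloader/TAm would hold and the boot order."""
    kernel = build_stage("kernel", b"vmlinuz: hardened kernel, verifies module signatures")
    grub = build_stage("grub.efi", b"grub: loads the kernel", kernel)
    shim = build_stage("shim.efi", b"shim: carries the vendor certificate", grub)
    uefi = build_stage("UEFI", b"uefi firmware", shim)
    return sha256(uefi["image"]), [uefi, shim, grub, kernel]


def scenario(tamper_from=None):
    """Boot an intact chain, or one where an attacker replaced `tamper_from` and every
    later stage and rewrote their records so the tampered tail is self-consistent."""
    anchor, chain = build_demo_chain()
    if tamper_from is not None:
        start = [s["name"] for s in chain].index(tamper_from)
        rebuilt = None
        for i in range(len(chain) - 1, start - 1, -1):
            payload = b"BACKDOORED " + chain[i]["image"].split(MARK)[0]
            rebuilt = build_stage(chain[i]["name"], payload, rebuilt)
            chain[i] = rebuilt
    return verify_chain(anchor, chain)


if __name__ == "__main__":
    for case in (None, "kernel", "grub.efi", "UEFI"):
        print(f"tamper={case}: {scenario(case)}")
```

Real secure boot verifies a signature over the next stage rather than an embedded digest, so a stage can be updated without rebuilding its predecessor; the property demonstrated, that trust flows only from the anchor downward and that the anchor itself is the one thing software cannot re-verify, is the same.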
Cisco SD Branch Chain of Trust
Security risks and the corresponding Cisco trusted solution (features marked * are planned roadmap items):
VNF / VM
• Risks: VM image tampering; VM-to-VM communication vulnerabilities
• Solution: VNF secure boot based on OVMF UEFI; encrypt VM disk and VNF image*; VNF secure boot*
NFVIS
• Risks: hypervisor security; components integrity; unauthorized access to the hypervisor; system file integrity; OS authenticity; OS tampering
• Solution: Integrity Measurement Architecture (IMA)*; UEFI, GRUB and kernel secure boot; basic RBAC, secure SSL, granular RBAC*; restrict NFVIS access from VNFs*; kernel hardening; storage isolation
Hardware
• Risks: hardware authenticity; storage security and vulnerabilities
• Solution: SUDI / ACT2 authentication with the orchestrator; storage encryption via CIMC
Security embedded at all layers of software
Infrastructure
• CPU, memory, network and storage isolation
• Traffic segmentation
• Password protection: passwords are stored in non-reversible form using a hashing algorithm
• Avoids issues related to overlapping names in user management
Access Layer
• Can be accessed only via secure, authenticated interfaces
• Strong encryption, hashing and key exchange algorithms for SSH and SSL
Linux/KVM
• Image tamper protection
• Firewall rules to block unauthorized ports
• Strong SSH/SSL/TLS configs
• SELinux
Trustworthy Technologies for Enterprise Networking
Built-in security features that defend against today's threats (Cisco ENCS 5000 Series)
• Image signing: creates a unique digital signature for a block of code. Signed images may be checked at runtime to verify that the software has not been modified.
• Hardware-anchored secure boot: helps ensure that code is authentic and unmodified. Anchors the microloader in immutable hardware to prevent Cisco devices from executing tainted software.
• Trust Anchor module (TAm): a tamper-resistant chip featuring non-volatile secure storage, SUDI, and crypto services including RNG, key store and crypto engine.
• Hardware authenticity check: uses an X.509 SUDI certificate to verify hardware authenticity. Runs only after the secure boot process has completed and the software has been verified to be trusted.
• HW-assisted virtualization: process and memory segmentation for data isolation and protection with better performance.
• SUDI for Cisco Plug & Play: the Secure Unique Identifier (SUDI) is an X.509 certificate that provides factory-installed device identity and enables secure remote on-boarding of devices.
• SELinux: fine-grained system-level access control to better protect against privilege escalation attacks.
• Modern cryptography: provides secure, up-to-date encryption so that encrypted data communications in transit and at rest remain confidential.
• Factory reset: one command to reset the device to factory-original settings to protect sensitive data when the device is out of direct control.
• Secure Development Lifecycle (SDL): a repeatable, measurable process designed to reduce vulnerabilities and enhance the security and resilience of Cisco solutions.
Domain isolation in NFVIS
Domain isolation between network functions and VMs
Core isolation
• Each core is dedicated to a function; NFVIS prevents sharing/oversubscribing cores
Memory isolation
• The NFVIS infrastructure isolates VM and host memory to ensure there is no threat from compromised VMs
• Leverages KVM/QEMU to add an extra level of address translation
• VMs are not allowed to access the file system and storage in the host directly
Dedicated CPUs vs. Hyperthreading vs. Pinning
On a hyper-threaded platform like the ENCS5400:
• Dedicated core, pinned: 1 vCPU = 2 logical CPUs
• Shared core, pinned: 1 vCPU = 1 logical CPU
Best practice:
• For predictable performance, dedicate cores to virtual network functions like vRouters, vFirewalls, etc.
• Lightweight compute applications based on TCP can share cores, to host more applications
Domain isolation between network functions and VMs
Storage isolation
• Network functions (VNFs) can be deployed on the internal datastore (M.2 SSD)
• Customer data / virtual machines should be stored on the external SED (self-encrypting drive)
Interface isolation
• VNFs can use SR-IOV networks to connect to the WAN and LAN backplane ports
• Applications can use lan-net/virtIO to connect to the LAN backplane
• This provides paths that are independent of each other
Security: Linux
• Image tamper protection (available today): digital signature creation and verification using asymmetric key pairs. The Cisco root credential is leveraged to authenticate Cisco services; the bootloader, ISO and upgrade package are built by Cisco.
• Attack vector reduction (available today): only the essential packages required by the NFVIS service are installed; only selected NFVIS service ports are opened through firewall rules; the Linux super-user account is disabled; periodic patching of known security vulnerabilities.
• Strong SSH/SSL/TLS configs (available today): 2048-bit key; strong encryption, hash and key exchange algorithms; support for TLS 1.2 only.
• SELinux (available today): enabled in permissive mode. Note that permissive mode logs policy violations but does not block them, so on its own it does not stop a process that escapes its intended confinement.
Security: NFVIS Management (Access)
• Secure interfaces (available today): only secure, authenticated administrative interfaces are allowed for REST/NETCONF (SSH, HTTPS); only strong encryption, hashing and key exchange algorithms are supported for SSH and SSL.
• Certificate management (available today): a self-signed SSL certificate is generated when first deployed, but it can be replaced by a CA-signed certificate.
• Restricted storage access (available today): restricted access to storage and folders protects NFVIS data; mounting a USB storage device requires authentication.
• Admin-user controlled network access (available today): the user can define the scope of allowed IP addresses/services through the "ip-receive-acl" access list.
• VM console access protection (available today): a port is opened for 60 seconds for an external server to start a session to the VM inside. If there is no activity, the port is closed. The port allows only one-time access.
Security: NFVIS Management (Access)
• Role Based Access Control (available today): sensitive information/actions are accessible only to a predefined set of users; users are assigned roles (administrators, operators, auditors); unauthorized access is prevented.
• Identity control (available today): default password change enforced at initial login; time-based lockdown after the maximum number of failed attempts; strong password rules enforced; integration with external AAA servers (TACACS+, RADIUS); user inactivity is monitored and inactive user accounts are disabled.
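As an added example (not NFVIS code), the Python below shows the password-storage pattern described under the Infrastructure layer of "Security embedded at all layers", a non-reversible salted hash, next to the unsalted fast hash it replaces, and a small time-based lockout of the kind listed under Identity Control above. The iteration count, lockout thresholds and record format are choices of this example; the `now` argument is injected so the lockout can be exercised without waiting.

```python
"""Credential storage and login throttling (added example, not NFVIS code).
Shows the weak pattern (unsalted fast hash) beside the non-reversible, salted,
slow form the slides describe, plus a time-based lockout after repeated failures."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster


def weak_store(password):
    """Anti-pattern: no salt, one fast hash. Equal passwords give equal hashes and
    the whole table can be attacked with one precomputed dictionary."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_password(password, iterations=ITERATIONS):
    """Salted, iterated, one-way: what should be written to the user database."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2-sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(stored, password):
    """Recompute with the stored salt/iterations; compare in constant time."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(dk, expected)


class LoginGuard:
    """After max_failures bad passwords an account is refused for lock_seconds,
    even if the next attempt carries the right password. `now` is injected so
    the behaviour is deterministic; a real service would pass time.monotonic()."""

    def __init__(self, max_failures=3, lock_seconds=300):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> time at which the lock expires

    def attempt(self, user, password, stored, now):
        if now < self.locked_until.get(user, 0):
            return False, "locked"
        if verify_password(stored, password):
            self.failures.pop(user, None)
            return True, "ok"
        count = self.failures.get(user, 0) + 1
        if count >= self.max_failures:
            self.failures.pop(user, None)
            self.locked_until[user] = now + self.lock_seconds
            return False, "locked"
        self.failures[user] = count
        return False, "bad password"


if __name__ == "__main__":
    rec = store_password("correct horse battery staple")
    print(rec)
    print(verify_password(rec, "correct horse battery staple"), verify_password(rec, "hunter2"))
```

The lockout deliberately answers "locked" rather than "bad password" once the threshold is hit, and keeps answering "locked" for the right password too; returning different results for right and wrong passwords during the lock window would let an attacker keep guessing.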
Security: NFVIS Management (Access)
• Idle session timeout (available today): user sessions time out automatically.
• Activity logging (available today): every login/logout attempt and system configuration change is recorded with enough information (who, when, what); VM lifecycle auditing.
• Session resource protection (available today): maximum limit on concurrent sessions; maximum log file size, log rotation, deletion of logs; a warning is generated when a threshold is reached.
• Secure Unlock Client (available today): a mechanism to ensure that privileged debug access to a device in the field is restricted to authorized employees.
• Input validation (available today): API input validation to prevent command injection attacks.
Security: NFVIS Management (System)
• Memory isolation for VMs and host (available today): the system isolates VM and host memory to prevent threats from a compromised VM; KVM/QEMU adds an extra level of address translation; a VM is not allowed to access the file system and storage in the host directly.
• Resource provisioning for VMs (available today): one VM cannot use more resources than provisioned, which avoids a denial-of-service condition from one VM consuming the resources; CPU, memory and storage are protected.
• ENCS 5400 secure boot (available today): ensures only authentic (signed) NFVIS software is executed.
Security: NFVIS Management (Traffic)
• Traffic segmentation between VMs and host (available today): supports creating VLANs and virtual bridges to help identify different sources of traffic and separate traffic between VMs. Separate bridges and VLANs isolate the virtual machine network and the management network; two machines on the same physical network cannot send packets to each other unless they are on the same VLAN.
• NIC virtualization (available today): SR-IOV support enables an Ethernet adapter to appear as multiple virtual adapters called Virtual Functions (VFs). The hypervisor can map guest interfaces to specific VFs; the guest uses direct access to its VFs. Each VM "owns" a virtual interface and its related resources.
Security: NFVIS Management (GUI / Portal)
• Session management (available today): session information is deleted after user logout; portal sessions time out automatically; the audit record starts when the portal session starts.
• Input field validation (available today): input validation to avoid command injection at runtime.
• User authentication mechanics (available today): user sessions are authenticated; token-based user authentication for session management.
VNF Onboarding
Demo
VNF format support on NFVIS
• NFVIS is based on a Linux distribution with KVM
• It can deploy any VNF with a QCOW2 extension (the standard KVM file format)
• NFVIS also supports additional file formats: .ISO, .IMG, .RAW
• It can convert a VMDK file into QCOW2 using the NFVIS CLI:

  nfvis# image-convert myimage.vmdk myimage.qcow2

• NFVIS gives users flexibility by creating a package to deploy on NFVIS, similar to creating an "OVA"
Why Package?
• Creating a VNF package is not mandatory, however it has its advantages:
  • Provides a way to scale out deployments
  • Support for Day 0 configuration for 3rd-party VNFs
• The packaging utility creates a tar.gz file which contains:
  • The raw QCOW2 file
  • The image properties file
  • Supported and default profiles
  • Day 0 configs
• The image properties file is created by using either the GUI or the packaging utility provided with every release.
VM Packaging using the Packaging Tool
• This is an enhanced packaging process that allows the VM owner to run the nfvpt.py utility as a command with a combination of parameters to package the VM.
• The VM packaging utility contains the following:
  • nfvpt.py: a Python-based packaging tool that bundles the VM raw disk image(s) along with VM-specific properties.
  • image_properties_template.xml: the template file for the VM image properties file; it has the parameters with default values. If the user provides new values for these parameters while creating the VM package, the default values get replaced with the user-defined values.
  • nfvis_vm_packaging_utility_examples.txt: examples of how to use the image packaging utility to package a VM image.
vEdge VM Packaging using the Package Utility (nfvpt.py)
Input parameters: image_properties_template.xml, cloudinit.cfg, meta_data, vendor_data, viptela-edge-genericx86-64.qcow2
Packaging utility invocation:

  ./nfvpt.py -o vedge17.3.2 -i viptela-edge-genericx86-64.qcow2 -n vedge.17.03.02 -t ROUTER -r 17.03.02 --monitored false --privileged true --bootstrap /dir/latest/user_data:cloudinit.cfg,/dir/latest/meta_data.json:meta_data,/dir/latest/vendor_data.json:vendor_data --min_vcpu 2 --max_vcpu 8 --min_mem 4096 --max_mem 8192 --min_disk 8 --max_disk 8 --vnic_max 8 --optimize true --nocloud true --profile vEdge-small,"vEdge small profile",2,4096,8192 --profile vEdge-Standard,"vEdge Standard profile",4,4096,8192 --default_profile vEdge-Standard --custom ORGNAME, --custom OTP, --custom UUID, --custom SYSTEM_IP, --custom VBOND,

Final package: vedge-17.3.2.tar.gz
• cloudinit.cfg: mounted as /openstack/latest/user_data
• meta_data: mounted as /openstack/latest/meta_data.json
• vendor_data: mounted as /openstack/latest/vendor_data
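As an added example (not nfvpt.py or Cisco code), the Python below builds a stand-in package with the member kinds listed under "Why Package?" and in the command above (disk image, image properties file, day-0 config) and then inspects it the way an operator should before registering a package that arrived from elsewhere: rejecting members whose names could escape the extraction directory, comparing the qcow2 digest against a value obtained out of band, and listing the --custom placeholders the day-0 file still expects so that values like the OTP are supplied at deployment instead of shipped in the archive. The ${NAME} placeholder syntax, the day-0 text and the fake qcow2 bytes are constructed for the example.

```python
"""Inspect a VNF package before registering it on NFVIS (added example; the
packages it builds are constructed stand-ins, not nfvpt.py output).

A package is a tar.gz holding the qcow2, the image properties file and the
day-0 files. Before registering it, check: (1) every member is a plain file
with a flat name (a crafted archive could otherwise drop files outside the
extraction directory), (2) the disk image digest matches the value obtained
out of band, (3) which --custom placeholders the day-0 files expect, so secrets
such as the OTP are supplied at deployment rather than baked into the package.
The ${NAME} placeholder syntax is an assumption of this example."""
import hashlib
import hmac
import io
import os
import re
import tarfile
import tempfile

SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")  # flat name: no '/'; cannot start with '.'
PLACEHOLDER = re.compile(r"\$\{([A-Z_]+)\}")
DAY0_SUFFIXES = (".cfg", ".json", ".txt", "meta_data", "vendor_data")

# Constructed sample day-0 text (not the real vEdge bootstrap format).
SAMPLE_DAY0 = """#cloud-config
org: ${ORGNAME}
otp: ${OTP}
uuid: ${UUID}
system-ip: ${SYSTEM_IP}
vbond: ${VBOND}
"""


def build_sample_package(path, qcow2_bytes, day0_text, extra=None):
    """Write a tar.gz with the member kinds the slides list; `extra` lets the
    demo add a hostile member."""
    members = {
        "viptela-edge-genericx86-64.qcow2": qcow2_bytes,
        "image_properties.xml": b"<image_properties><name>vedge.17.03.02</name></image_properties>",
        "cloudinit.cfg": day0_text.encode(),
    }
    members.update(extra or {})
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


def inspect_package(path, expected_qcow2_sha256):
    """Return {'ok', 'members', 'problems', 'placeholders'} for the package."""
    report = {"members": [], "problems": [], "placeholders": {}}
    with tarfile.open(path, "r:gz") as tar:
        for m in tar.getmembers():
            report["members"].append(m.name)
            if not m.isfile() or not SAFE_NAME.match(m.name):
                report["problems"].append(f"unsafe member: {m.name}")
                continue
            data = tar.extractfile(m).read()
            if m.name.endswith(".qcow2"):
                if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_qcow2_sha256):
                    report["problems"].append(f"digest mismatch: {m.name}")
            elif m.name.endswith(DAY0_SUFFIXES):
                names = sorted(set(PLACEHOLDER.findall(data.decode("utf-8", "replace"))))
                if names:
                    report["placeholders"][m.name] = names
    if not any(n.endswith(".qcow2") for n in report["members"]):
        report["problems"].append("no disk image in package")
    report["ok"] = not report["problems"]
    return report


def demo():
    """Build a clean package and a hostile one in a temp dir; return both reports
    plus the clean package checked against a wrong digest."""
    tmp = tempfile.mkdtemp()
    qcow2 = b"QFI\xfb" + bytes(60)  # fake qcow2 header bytes, constructed
    digest = hashlib.sha256(qcow2).hexdigest()
    good = build_sample_package(os.path.join(tmp, "vedge-17.3.2.tar.gz"), qcow2, SAMPLE_DAY0)
    hostile = build_sample_package(os.path.join(tmp, "evil.tar.gz"), qcow2, SAMPLE_DAY0,
                                   extra={"../../etc/cron.d/job": b"* * * * * root /tmp/x\n"})
    return (inspect_package(good, digest), inspect_package(hostile, digest),
            inspect_package(good, "0" * 64))


if __name__ == "__main__":
    for label, rep in zip(("clean", "hostile", "wrong digest"), demo()):
        print(label, rep["ok"], rep["problems"], rep["placeholders"])
```

The name check is stricter than a plain "no .." test on purpose: nfvpt.py output is flat, so any path separator, leading dot or symlink member is reason enough to refuse the package rather than reason to sanitise it.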
Creating a Package using the NFVIS GUI
Access the utility from VM Life Cycle -> Image Repository -> Image Packaging
Screenshot: Add a new VM Package for vEdge Cloud
Upload the QCOW2 binary and Day 0 config
Screenshot: upload the vEdge Cloud qcow2 binary and upload the cloud-init file
Define Flavors
• Flavors set the CPU, memory and storage requirements for a VNF
• Helps with one-click automated deployment
Default flavor: 2 vCPU and 4096 MB of RAM
Create Package, Download or Register
• Once the package is created, you can download it and reuse it on other NFVIS systems
• Register the VNF within NFVIS to deploy it
Screenshot: register the new package so that it appears under Image registration (image and profiles)
Access the VNF Console from NFVIS
NFVIS - shows list of VM names:

vbo-UCPE1# show system deployments
NAME                   ID  STATE
------------------------------------
1511257222.vEdgeCloud  7   running
vbo-UCPE1#

NFVIS - console request to a deployed VM:

vbo-UCPE1# vmConsole 1511257222.vEdgeCloud
Connected to domain 1511257222.vEdgeCloud
Escape character is ^]
viptela 17.2.0
vedge login: admin
Password:
Welcome to Viptela CLI
admin connected from 127.0.0.1 using console on vedge
vedge#

The VNF must be packaged with the “Serial” console enabled while using the VNF packaging tool.
Accessing VNF using Port Forwarding
Port Forwarding from NFVIS
• NFVIS supports port forwarding for VNFs
• The NFVIS host IP address can be used to manage multiple VNFs using port forwarding
• Example
  • NFVIS host: 172.19.169.51
  • ISRv deployed with port 22 mapped to 2224

  Lab-test01$ ssh -p 2224 admin@172.19.169.51

Note:
• In order to use port forwarding, the VNF must allow itself to be monitored via NFVIS.
• NFVIS can then use the internal management network to connect to the VNF.
• Port forwarding needs to know the source interface (either the MGMT or the WAN interface) to work.
Secure Overlay and Single WAN IP
Secure Overlay over WAN
Static/DHCP with/without NAT CPE
Figure: orchestrator (MSX, or NSO with the vBranch CFP) holding the serial-number to Day 0 mapping and the PnP service, reachable over the management network; a VPN terminator with a remote system IP and remote interface IP; the vBranch NFVIS with its WAN IP on the local bridge wan-br and a local system IP. Step 1: Day 0 config delivered via call home; steps 3 and 4 are drawn at NFVIS (labels not recoverable from the slide).
Solution – Hypervisor Management Overlay
Figure: orchestrator (MSX or NSO, serial-number to Day 0 mapping) and a Mgmt-Hub headend with PnP, a headend system IP and a headend interface IP; the vBranch NFVIS with its WAN IP, an NFVIS interface IP and an NFVIS system IP. Step 1: Day 0 config via call home; step 2 at the headend; steps 3 and 4 at NFVIS (labels not recoverable from the slide).
Solution – Overlay and Single Public IP
Figure: orchestrator (MSX or NSO) and Mgmt-Hub with PnP, headend system IP and headend interface IP; the vBranch NFVIS with a single public WAN IP, an NFVIS interface IP and an NFVIS system IP. Steps 7, 8 and 9 are drawn at NFVIS (labels not recoverable from the slide).
Solution – Single Public IP Failover
Figure: orchestrator (MSX or NSO) and Mgmt-Hub with PnP, headend system IP and headend interface IP; the vBranch NFVIS with its WAN IP, NFVIS interface IP and NFVIS system IP. The primary WAN path is marked as failed (X); steps 2 and 3 at NFVIS show the failover (labels not recoverable from the slide).
Backup and Restore
NFVIS Backup / Restore (NFVIS 3.10.1+)
Figure: a backup of the deployed vBranch topology captures the NFVIS host services (rbac, monitoring, API, pnp, snmp, mgmt), the virtual networks (OVS or SR-IOV), the VNFs (vnf1 … vnfN) and the management connectivity; on restore, either the complete topology or, optionally, individual VNFs are restored.
• Restore from a no-VNF-disk backup will result in a re-deploy of the VNF.
• VNF license is subject to change.
• VNF package required in image repository.

Backup/Restore CLIs
Screenshot: backup and restore CLI examples
Physical Port Status Tracking
NFVIS PNIC Tracking, VNIC Update (NFVIS 3.10.1+)
Figure: ENCS5400 running ISRv and NGFW on the KVM hypervisor. The NFVIS vSwitch bridges wan-br, wan2-br, service-br, lan-br and int-mgmt-br back the networks wan-net, wan2-net, service-net, lan-net and int-mgmt-net; SR-IOV VFs, the NIM, the MGMT port, the LAN backplane and the ENCS integrated switch (GE1/0 to GE1/7) sit below. The physical WAN ports GE0/0 and GE0/1 are tracked, and a state change is propagated as an UPDATE to the VNICs associated with them.
• PNIC tracking works for ports associated with OVS, on both LAN- and WAN-facing ports. Available starting with the NFVIS 3.10.1 release.
• PNIC tracking is useful in high availability designs: stateful features like HSRP and VRRP depend on interface status to switch between ACTIVE and STANDBY modes.
• PNIC state can be propagated to multiple VNICs based on association.
High Availability
ENCS High Availability
Figure: two ENCS units, each connected to MPLS and Internet, joined by a port channel, with hosts on the LAN. Path labels as drawn: preferred path for VLAN 996, 997, 998; alternate path for VLAN 100, 126, 127, 128; preferred path for VLAN 100, 126, 127, 128; alternate path for VLAN 100, 126, 127, 128.
Deploying a VNF on NFVIS using the GUI
Deploying VNFs Using NFVIS GUI
VM Life Cycle -> Deploy
Screenshot: “draw” the desired topology, enter the VNF properties and deploy
Network PnP
PnP Solution Components
1. DNA-C (PnP Server): auto-provisions devices with images and configs (Cisco DNA Center on the customer premises: policy, automation, analytics).
2. PnP Agent: Cisco switches, routers and wireless APs (SUDI-capable devices).
3. PnP Protocol: HTTPS/XML based open-schema protocol between agent and server (SSL).
4. PnP Connect: cloud-based device discovery; redirects devices to the on-prem DNA-C.
5. PnP Helper App*: delivers bootstrap status and troubleshooting checks.
* DNA-C support in roadmap
PnP Server Discovery Options
Automated
1. DHCP with options 60 and 43: PnP string 5A1D;B2;K4;I172.19.45.222;J80 added to the DHCP server (routers: ASR, ISR; switches: Catalyst; wireless access points)
2. DNS lookup: resolves to the DNA-C IP address
3. Cloud redirection: https://devicehelper.cisco.com/device-helper
Manual
4. USB-based bootstrapping: router-confg / router.cfg / ciscortr.cfg (manual discovery not supported for access points)
5. Manual, using the Cisco Installer App*
* DNA-C support in roadmap
PnP DHCP with option 43
The Cisco PnP agent automatically discovers the IP address of the Cisco Network PnP server specified in the DHCP option 43 string.

Example of a DHCP option 43 configuration on the DHCP server:

ip dhcp pool P_ENCS_18375
 host 172.19.183.75 255.255.255.0
 hardware-address 00f2.8bc3.4a54    ! MAC address of the NFVIS WAN bridge
 default-router 172.19.183.1
 domain-name cisco.com
 dns-server 172.19.183.147
 option 43 ascii "5A;B2;K4;I172.19.152.41;J80"
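The option 43 strings on these slides (5A1D;B2;K4;I172.19.45.222;J80 and 5A;B2;K4;I172.19.152.41;J80) are compact enough to get wrong on a DHCP server, so here is a parser and generator for them. This is an added example, not code from the deck or from any Cisco tool. The field letters 5A, B, K, I and J are the ones used on the slides; the meanings of the 1N/1D flag and of K5 (HTTPS) are not on the slides and are stated from the PnP option 43 format as I know it, so treat them as assumptions to confirm against your own IOS or NFVIS release. The generator goes beyond the slides by defaulting to HTTPS, and the parser raises the two warnings a reviewer would: K4 fetches the day-0 configuration over plaintext HTTP, and 1D leaves agent debug logging on.

```python
# Added example (not from the slides): parse and sanity-check the PnP
# DHCP option 43 string, e.g. "5A1D;B2;K4;I172.19.45.222;J80".
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# Field meanings (assumed from the PnP option 43 format, verify per release):
# 5A = PnP string prefix, 1N/1D = debug flag, B = address type of I
# (1 hostname, 2 IPv4), K = transport (4 HTTP, 5 HTTPS), I = server, J = port.
_PREFIX_RE = re.compile(r"^5A(1[ND])?$")
_ADDR_TYPES = {"1": "hostname", "2": "ipv4"}
_TRANSPORTS = {"4": "http", "5": "https"}


@dataclass
class PnpOption43:
    debug: bool
    addr_type: str
    transport: str
    server: str
    port: int
    warnings: List[str] = field(default_factory=list)


def parse_option43(value: str) -> PnpOption43:
    """Split the ';'-separated string, validate each field and collect
    the security warnings a reviewer would raise."""
    fields = [f for f in value.strip().split(";") if f]
    if not fields:
        raise ValueError("empty option 43 string")
    m = _PREFIX_RE.match(fields[0])
    if m is None:
        raise ValueError(f"option 43 must start with 5A, got {fields[0]!r}")
    debug = m.group(1) == "1D"

    kv = {}
    for f in fields[1:]:
        key, val = f[0], f[1:]
        if key in kv:
            raise ValueError(f"duplicate field {key}")
        kv[key] = val
    missing = [k for k in "BKIJ" if k not in kv]
    if missing:
        raise ValueError(f"missing field(s): {''.join(missing)}")

    addr_type = _ADDR_TYPES.get(kv["B"])
    transport = _TRANSPORTS.get(kv["K"])
    if addr_type is None or transport is None:
        raise ValueError(f"unknown address type B{kv['B']} or transport K{kv['K']}")
    server = kv["I"]
    if addr_type == "ipv4":
        ipaddress.IPv4Address(server)  # raises ValueError on a malformed address
    port = int(kv["J"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")

    warnings = []
    if transport == "http":
        warnings.append("K4 selects plaintext HTTP: the day-0 configuration "
                        "is fetched unencrypted; use K5 (HTTPS) where supported")
    if debug:
        warnings.append("1D enables PnP agent debug logging; use 1N in production")
    return PnpOption43(debug, addr_type, transport, server, port, warnings)


def build_option43(server: str, port: int, https: bool = True, debug: bool = False) -> str:
    """Generate the string for the DHCP server, defaulting to HTTPS."""
    try:
        ipaddress.IPv4Address(server)
        addr_type = "2"
    except ValueError:          # not an IPv4 literal: treat as a hostname
        addr_type = "1"
    flag = "1D" if debug else "1N"
    return f"5A{flag};B{addr_type};K{'5' if https else '4'};I{server};J{port}"


def ios_option43_line(value: str) -> str:
    """Render the IOS DHCP pool line shown on the slide."""
    parse_option43(value)  # refuse to emit a string that does not parse
    return f'option 43 ascii "{value}"'
```

Run parse_option43 over the string you are about to put in the pool and read the warnings list before committing the config; build_option43 with the defaults gives the HTTPS variant for the same server.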
PnP DNS Lookup
Construct a fully qualified domain name (FQDN), using the preset hostname "pnpserver", based on the network domain name configured on the DHCP server.
Example of a DNS lookup configuration on the DHCP server:

ip dhcp pool P_ENCS_18375
 host 172.19.183.75 255.255.255.0
 hardware-address 00f2.8bc3.4a54
 default-router 172.19.183.1
 domain-name cisco.com
 dns-server 172.19.183.147
ip host pnpserver.cisco.com 172.19.152.41
ip dns server
PnP Cloud Redirect
• This method uses the Cisco Cloud Device Redirect tool available in Cisco Software Central.
• The user needs to have a Cisco CCO account in advance.
Example of a Cloud Redirect configuration on the DHCP server:

ip dhcp pool P_ENCS_18375
 host 172.19.183.75 255.255.255.0
 hardware-address 00f2.8bc3.4a54
 default-router 172.19.183.1
 domain-name cisco.com
 dns-server 172.19.183.147
ip host devicehelper.cisco.com 64.101.32.10
ip dns server
PnP Cloud Redirect – Cisco Account
In order to use the Cisco Cloud Device Redirect tool, the user needs to have a Cisco account in advance.
Launch Cisco Software Central at https://software.cisco.com in a browser and click “Log In”.

PnP Cloud Redirect (cont’d)
Screenshot: Cisco Cloud Device Redirect tool
Orchestration
Deploying a VNF on NFVIS using APIs
Deploying VNFs Using APIs
Using NFVIS APIs – REST or NETCONF

curl -k -i -u admin:Cisco#123 \
  -H Accept:application/vnd.yang.data+xml -H content-type:application/vnd.yang.data+xml \
  -X POST https://201.0.0.157/api/config/vm_lifecycle/tenants/tenant/admin/deployments --data '
<deployment><name>ISRv_SW_dep</name>
 <vm_group><name>VM_GROUP_1</name><image>ISRv_IMAGE</image><flavor>ISRv-small</flavor>
  <bootup_time>600</bootup_time><recovery_wait_time>0</recovery_wait_time>
  <recovery_policy><action_on_recovery>REBOOT_ONLY</action_on_recovery></recovery_policy>
  <interfaces>
   <interface><nicid>0</nicid><network>int-mgmt-net</network>
    <port_forwarding>
     <port><type>ssh</type><protocol>tcp</protocol><vnf_port>22</vnf_port><external_port_range><start>20022</start><end>20022</end></external_port_range></port>
     <port><type>telnet</type><protocol>tcp</protocol><vnf_port>23</vnf_port><external_port_range><start>20023</start><end>20023</end></external_port_range></port>
    </port_forwarding>
   </interface>
   <interface><nicid>1</nicid><network>GE0-0-SRIOV-1</network></interface>
   <interface><nicid>2</nicid><network>GE0-1-SRIOV-1</network></interface>
  </interfaces>
  <scaling><min_active>1</min_active><max_active>1</max_active></scaling>
  <kpi_data><kpi><event_name>VM_ALIVE</event_name><metric_value>1</metric_value><metric_cond>GT</metric_cond><metric_type>UINT32</metric_type>
   <metric_collector><type>ICMPPing</type><nicid>0</nicid><poll_frequency>3</poll_frequency><polling_unit>seconds</polling_unit><continuous_alarm>false</continuous_alarm></metric_collector>
  </kpi></kpi_data>
  <rules><admin_rules><rule><event_name>VM_ALIVE</event_name>
   <action>ALWAYS log</action><action>TRUE servicebooted.sh</action><action>FALSE recover autohealing</action>
  </rule></admin_rules></rules>
  <config_data><configuration><dst>bootstrap_config</dst>
   <variable><name>TECH_PACKAGE</name><val>security</val></variable>
   <variable><name>ngio</name><val>enable</val></variable>
  </configuration></config_data>
 </vm_group>
</deployment>'
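The deployment request above and the port-forwarding slide earlier (NFVIS host 172.19.169.51, VNF port 22 mapped to 2224) describe the same mechanism from two sides, so one example serves both: build the request as structured XML instead of a one-line string, then review its port_forwarding section before sending it. This is an added example, not NFVIS's own code. The element names are the ones in the slide's request; the function names, the policy thresholds and the sample values are assumptions of this example. Two practitioner's notes it encodes: the slide's request also forwards telnet (VNF port 23) to host port 20023, which the check flags because telnet carries the VNF login in cleartext, and the curl line passes the password as -u admin:Cisco#123, which lands in shell history and process listings; curl's -u admin (password prompted) or --netrc avoids that.

```python
# Added example (not NFVIS's own code): build the deployment request from
# the REST slide as structured XML and check its port-forwarding section.
# Element names follow the request on the slide; the function names, the
# policy thresholds and the sample values are this example's own.
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Sequence, Tuple


def _child(parent: ET.Element, tag: str, text=None) -> ET.Element:
    el = ET.SubElement(parent, tag)
    if text is not None:
        el.text = str(text)
    return el


def build_deployment(name: str, image: str, flavor: str,
                     forwards: Sequence[Tuple[str, int, int]],
                     networks: Sequence[str]) -> str:
    """Return the <deployment> body for POST .../vm_lifecycle/tenants/tenant/admin/deployments.
    forwards: (type, vnf_port, external_port) entries on nicid 0 (int-mgmt-net);
    networks: data-plane networks for nicid 1..n."""
    dep = ET.Element("deployment")
    _child(dep, "name", name)
    vg = _child(dep, "vm_group")
    _child(vg, "name", "VM_GROUP_1")
    _child(vg, "image", image)
    _child(vg, "flavor", flavor)
    _child(vg, "bootup_time", 600)
    ifaces = _child(vg, "interfaces")
    mgmt = _child(ifaces, "interface")
    _child(mgmt, "nicid", 0)
    _child(mgmt, "network", "int-mgmt-net")
    pf = _child(mgmt, "port_forwarding")
    for ptype, vnf_port, ext in forwards:
        port = _child(pf, "port")
        _child(port, "type", ptype)
        _child(port, "protocol", "tcp")
        _child(port, "vnf_port", vnf_port)
        rng = _child(port, "external_port_range")
        _child(rng, "start", ext)
        _child(rng, "end", ext)
    for nicid, net in enumerate(networks, start=1):
        iface = _child(ifaces, "interface")
        _child(iface, "nicid", nicid)
        _child(iface, "network", net)
    return ET.tostring(dep, encoding="unicode")


def port_forwards(xml_text: str) -> Dict[Tuple[str, int], int]:
    """Map (type, external host port) -> VNF port for every forwarded port."""
    out = {}
    for port in ET.fromstring(xml_text).iter("port"):
        ptype = port.findtext("type")
        vnf_port = int(port.findtext("vnf_port"))
        start = int(port.findtext("external_port_range/start"))
        end = int(port.findtext("external_port_range/end"))
        for ext in range(start, end + 1):
            out[(ptype, ext)] = vnf_port
    return out


def check_forwards(xml_text: str, deny_types: Sequence[str] = ("telnet",)) -> List[str]:
    """Review the request before sending it: no two services on one host port,
    no cleartext management protocol exposed, external ports above 1024."""
    problems = []
    owner = {}
    for (ptype, ext), _vnf_port in port_forwards(xml_text).items():
        if ext in owner:
            problems.append(f"host port {ext} mapped to both {owner[ext]} and {ptype}")
        owner[ext] = ptype
        if ptype in deny_types:
            problems.append(f"{ptype} exposed on host port {ext}: cleartext management")
        if not 1024 <= ext <= 65535:
            problems.append(f"host port {ext} is outside the non-privileged range")
    return problems


def ssh_command(host: str, xml_text: str, user: str = "admin") -> Optional[str]:
    """The ssh invocation for the forwarded port (ssh takes the port via -p)."""
    for (ptype, ext) in port_forwards(xml_text):
        if ptype == "ssh":
            return f"ssh -p {ext} {user}@{host}"
    return None
```

Feed the string returned by build_deployment to the same curl/POST shown above; check_forwards returning an empty list is the gate before the request leaves the automation host.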
What is so great about REST? – Same concept, many APIs
Easy to use:
• In mobile apps
• In console apps
• In web apps
Cisco NFVIS REST APIs
• VM Image Management
• VM Deployment
• Virtual Network Configuration
• On-box Switch
• PNP
How does this work?
Client request (GET, POST, PUT, DELETE) -> API service does something -> response (JSON, XML, TEXT) -> client action
Network Service Orchestrator
Automation Transition Challenges
Network Engineering (Automation): day-to-day management of rapidly growing, complex networks. Challenges: error-prone manual tasks; growing backlog; virtualization is coming.
Ops and Provisioning (Customer Experience): provisions services and manages service quality on demand. Challenges: no service insight; lack of automation; quality issues in service delivery.
Service Developers (Time-to-Market): develop new network services in networks. Challenges: implementation time; cost of change; lack of tooling.
Stage 1, Network API: utilize a single interface to all network devices.
Stage 2, Service Abstraction: leverage one central API for all services.
Stage 3, Transformation: develop your own services.
System Overview
Figure: Orchestrator (NSO) used by Network Engineering, Ops and Provisioning, and Service Developers. NSO contains the Service Manager with the Network Services, the CDB, the Package Manager, and the Device Manager with Device Abstraction and NEDs towards multi-domain networks; ESC (VNFM) provides the VNF Lifecycle Manager and VNF Service Monitoring.
• Model-driven, end-to-end service lifecycle and customer experience focused
• Seamless integration with existing and future OSS/BSS environment
• Loosely-coupled and modular architecture leveraging open APIs and standard protocols
• Orchestration across multi-domain and multi-layer for network-wide, centralized policy and services
Network Service Orchestrator (NSO) for Service Providers
Figure: NSO used by Network Engineering, Ops and Provisioning, and Service Developers; Service Manager, Package Manager, CDB, and Device Manager with Device Abstraction and NEDs towards multi-domain networks; ESC (VNFM) with VNF Lifecycle Manager and VNF Service Monitoring.
• Model-driven end-to-end service lifecycle and customer experience in focus
• Seamless integration with existing and future OSS/BSS environment
• Loosely-coupled and modular architecture leveraging open APIs and standard protocols
• Orchestration across multi-domain and multi-layer for centralized policy and services across the entire network
Core Function Packs
• Ready-made implementations for specific features
• Productized, TAC supported
• 80/20 rule: reduce implementation cost and TTM
Currently supported: SDWAN, vBranch, NFVO
NFV Orchestration with NSO NFVO
NFV Orchestration Challenges: Lessons Learned
Cisco’s NFVO provides … to avoid …
• A flexible software platform with open and ETSI-aligned architecture and interfaces, to avoid proprietary technologies with specialized tooling driving long integration projects
• A fully multi-vendor stack to accelerate VNF onboarding to the smallest effort possible, to avoid hard-coded assumptions on VNF design and behavior requiring fundamental updates
• An integrated set of lifecycle operations on network service and VNF level, to avoid procedural operations leading to an expensive change life cycle
NFVO High Level Architecture
Figure (ETSI NFV reference architecture): OSS/BSS with RFS services on top; the NFV Orchestrator (NFVO) holds the VNFD catalogue, the NSD catalogue, NSRs and VNFRs, and the NFVI resources; the VNF Manager (VNFM) connects to the NFVO over Or-Vnfm and the Virtual Infrastructure Manager (VIM) over Or-Vi; EMs manage the VNFs, which run on the NFV Infrastructure (NFVI). Service lifecycle is handled at the NFVO, VNF lifecycle at the VNFM.
NFVO: High Level Architecture Mapping
Figure: the reference architecture mapped onto Cisco products. RFS services and RFS provisioning and activation, the VNFD/NSD catalogue, NSRs and VNFRs and the NFVI resources are provided by Cisco NSO (the NSO NFVO component); the VNF Manager (VNFM) is Cisco ESC, reached over Or-Vnfm; the VIM is reached over Or-Vi; the VNFs run on the NFVI. Service lifecycle at NSO, VNF lifecycle at ESC.
NSO vBranch Core Function Pack for ENFV Automation
ENFV Automated Operations - 1
Branch CPE fully operational in minutes
Customer or operator (via the portal) and NSO with the vBranch CFP:
1. Pre-provision the CPE: select a branch template and enter the device serial number
2. Configure PnP on the CPE: enter the PnP server IP
3. Restart the CPE
4. PnP request from the CPE to NSO
5+. NSO configures the CPE and the VNFs

ENFV Automated Operations - 2
Branch CPE fully operational in minutes
1. On-board the CPE
2. Provision the CPE: select a branch template
3. NSO configures the CPE and the VNFs
Definitions: Configuration Types
• Bootstrap configuration (day-0)
  • e.g. IP/credentials/license
  • Set once
• Base configuration (day-1)
  • Golden configuration: best practices for the device role
  • Set once
• Service configuration (day-2/n)
  • Configuration that changes over the device lifetime, e.g. ACL, firewall rules, etc.
  • Create/Modify/Delete multiple times
MSX
MSX Unlocks Multiservice, Multitenancy, Multivendor for Service Providers
• One-time OSS / BSS integration (UI / API)
• Managed Services Accelerator (MSX), one platform, many services: SD-WAN, SD-Branch, Managed SD-Access, Meraki, Security, SP custom services
• Cisco service packs (PnP, device services) reduce costs and time to market
• Cisco DNA Center: domain controller for Managed SD-Access (campus, extended campus, IoT; SD-Access fabric)
MSX Simplifies Service Creation & Delivery
• Faster time to market
• Multiple deployment options
• Reduced development costs
• Differentiated services
One Platform; Many Services
MSX is a full-stack solution that integrates into a BSS/OSS once and enables multiple service offers.

The Power of MSX vBranch…
Many vendors, many services … one branch

Drill Down to Site/Device Status
Screenshot: VNF topology view and VNF resource consumption
Cisco DNA Center
Cisco DNA Center for Enterprise Customers
Automation
• Profiles: standardized configurations for multi-PIN services
• Policy abstraction: expressing the business intent rather than a feature
• Validation: machine learning-based network-wide configuration validation prior to deployment
Assurance
• Self-optimizing / predictive: machine learning-based detection of problems prior to occurrence
• Proactive: faster troubleshooting with problem and trend correlation and dynamic thresholding
• E2E visibility: scalable data collection and reporting for reactive troubleshooting and planning
Closed loop between automation and assurance
Enterprise WAN and access networks | Wired and wireless
Deployment using Profiles
Before: Network Design
• Plan for the network deployment
• Features and capabilities to be enabled based on requirements
• Topology for network deployment
During: Deployment Standardization
• PnP based Day 0 deployment
• Profile based deployment
• Version management of the profile for Day 2 change management
After: Network Compliance
• Configuration compliance validation against the profile
• Remediation of configuration to the golden configuration
Outcomes: simplified network deployment, configuration consistency, integrated IT process flows
Use Case #1: New Device Onboarding
Manual flow: order equipment -> staging site -> manual installer -> technician -> deploy device on site
• Direct costs: pre-staging and shipping costs; travel costs
• Complexity: configuration errors; different products, IOS releases
• Security: 3rd party not secure; rogue devices
• Time/productivity: manual process; shipping, storage, travel
Cisco DNA Center Automation with Plug & Play: order equipment -> deploy device on site (~50% Day 0 OPEX savings*)
• Drop-ship devices
• Centralized device discovery (DHCP, DNS, Cloud)
• Non-technical installer at site
• Template based configurations
• Secure SUDI authentication
Device on-Boarding – Router/Switch Design
Design and provisioning workflow
DESIGN
• Network Hierarchy: create site
• Network Credentials: create/save CLI/SNMP credentials and override at site level (optional)
• Image Repository (optional): import image; assign image to product family; mark image as golden for a product family
• Template Editor: create onboarding day0 template and tag it for the given product family
• Network Profile: create network profile and select the onboarding day0 template for the given product family; assign to a site
PROVISION
• Device Unclaimed: device shows up unclaimed in Cisco DNA Center using DHCP option 43 discovery
• Device Claim: select the ‘Unclaimed’ switch, Action >> Claim; select site
• Provision Day0 Config: select image and day0 template, fill in values, preview, claim; the device is added to inventory
Cisco DNA Center components
Figure: UI layer: Cisco DNA Center dashboard with Design, Provision, Policy and Assurance. Apps layer: automation apps (routing, switching, wireless, NFV) and assurance apps (routing, switching, wireless, WAAS, NFV, PathTrace). Platform services: discovery/inventory, service manager and device manager (NP controller fusion services app); collector, data storage and analytics (NDP app). P/IAAS: Maglev.
Cisco DNA Automation – Branch Deployment
Simplified deployment of physical/virtual branches (Cisco ONE Foundation)
Figure: office site with ISR/ENCS and APs connected over the WAN to the network services DC (ISE, DHCP, Cisco DNAC).
Onboard WAN devices and services via 3 easy steps; branch deployment in minutes:
1. Configure network settings, service provider and IP pools
2. Design a router/virtual profile
3. Assign to sites and provision network devices
SD-Branch Orchestration in Cisco DNAC
ENCS based Virtual Branch Profile
1. Router WAN configuration
2. Router LAN configuration
3. Integrated switch configuration
4. Custom CLI configuration
Virtual Services using Cisco Validated Designs
Screenshot: select to add a service

Support for Third party Services
Screenshot: 3rd party services support with day 0 configs; application hosting support

Support for Third party Applications
Screenshot: custom network for untrusted traffic; CVD service chaining support for DIA
Plug and Play
Discovery
• Configure the device discovery mechanism: DHCP option 43 (DHCP server), DNS (DNS server), or Cisco Cloud Redirect (PnP cloud redirection service)
Un-claimed Devices
• Installer powers on the devices
• Devices securely connect to the Cisco DNA-C server (device authentication) and wait to be ‘claimed’
Secure Deployment
• Network admin claims devices based on device information
• Adds the device to a site for provisioning
Figure: installer with the Cisco DNA-C app, PnP agents on the devices, Cisco DNAC, admin.

Claim Device
Screenshot: claim device dialog
SDWAN Integration
Available Today
Cisco SD-WAN Support on ENCS
• vEdge can run as a VNF on ENCS starting with NFVIS 3.7.1
• Minimum vEdge Cloud version required: 17.2.1
• SR-IOV support as part of 18.4
Provision Work Flow In Cisco DNA Center 1.2
1. Select ENCS and map to site
2. vEdge input: parameters obtained from vManage
3. Provision vEdge on ENCS with Day 0 config
4. Connect vEdge to vManage
Viptela vEdgeCloud Onboarding through Cisco DNAC
vManage properties for integration
• IP address
• Username / password
• Port details
• vBond information
• Organization name
• Certificate for onboarding vEdge
Virtual vEdge On-boarding on ENCS
Provisioning Flow
Figure: vEdge attached to lan-net on ENCS
Integration via APIs to vManage
• One Time Password
• UUID
• Service chain vEdge with other services
• Day 1 registration of vEdge with vManage
SDWAN onboarding using Zero Touch Provisioning
Figure: ENCS (NFVIS) with vEdge-cloud, the PnP server, the redirect server and the Cisco SD-WAN control and policy elements. Steps as drawn (1 to 8): PnP call home to the redirect server, token and serial number, PnP server, deploy VNF, service chain, full registration and configuration with the SD-WAN control and policy elements.
Assumption:
• DHCP on transport side (ENCS mgmt)
• DNS to resolve devicehelper.cisco.com*
• DHCP or static IP (WAN transport)
• DNS to resolve the vBond FQDN
* Factory default config NFVIS
ENFV and SDWAN Zero Touch Provisioning
CPE NAT Traversal
Figure: the same flow with a NAT-enabled CPE in front of the ENCS. Steps as drawn (1 to 10): PnP call home to the redirect server, token and serial number, tunnel config via PnP and secure overlay tunnel (steps 4 and 5), REST API over the secure overlay (step 7), deploy VNF, service chain, full registration and configuration with the Cisco SD-WAN control and policy elements.
Assumption:
• DHCP on transport side (ENCS mgmt)
• DNS to resolve devicehelper.cisco.com*
• DHCP or static IP (WAN transport)
• DNS to resolve the vBond FQDN
* Factory default config NFVIS
Note: the step 7 REST API uses the secure overlay tunnel. Without steps 4 and 5, step 7 cannot traverse the NAT CPE.
Cisco DNA Center Automation Demo
Customer Use Cases
Straumann Reference
From: 1 Routers, 1 FW and 1 vWAAS
• Straumann currently deploys two Cisco 2951s, 1 Palo Alto firewall and Riverbed for WAN optimization across 70 locations.
• Converted them from a Riverbed customer to a vWAAS customer
• Preferred choice of FW vendor is PAN
• Want automation.
To: 1 Router, 1 FW and 1 vWAAS all in one platform
• Positioned Enterprise Service Automation
• ESA fell short in terms of the flexibility required to deploy the VNFs and the different custom networks required
• DNA Center addresses these limitations, where we are adding editable topology, support for generic 3rd party VNFs, adding custom networks, etc.
Investment Company in NY
• Two major use cases driving this:
  • Redesign their WAN
  • Refresh their existing ISRs (2911s)
• As part of their SD-WAN design they evaluated Cisco IWAN, Viptela and Versa.
  • Cisco IWAN: they evaluated IWAN, but overall were not happy with the management options.
  • Viptela: liked the ease of manageability, and it had the features they want
  • Versa: really liked the NFV and virtualization approach, but not so much the SD-WAN capabilities
• Needed a platform with 4G-LTE capability (for backup connectivity to the sites) that runs
  • vEdge
  • vWAAS (we displaced Riverbed in the process)
  • Palo Alto Firewall
• High availability between VNFs was necessary
Solution components: Ethernet transport: vEdge; LTE transport: ISRv; WAN Opt: vWAAS; VNF orchestration: DNA Center; SD-WAN management: vManage
Large bottling company – Managed Service (SDWAN)
• Branch consolidation and operational efficiency driving the move to virtualization
• Three main site profiles covered by this solution
Type 1 Profile
• Type 1: Corporate – 500+ users, 120 sites
  • Dual ENCS 5412
  • vEdgecloud and vFirepower
  • Dual MPLS and Internet circuits
Type 2 and 3 Profiles
• Type 2: Medium remote locations – 51 - 200 users, 120 sites
  • Single ENCS 5412
  • vEdgecloud and vFirepower
  • Single MPLS and dual Internet circuits
• Type 3: Small – 15 users, 10 sites worldwide
  • Single ENCS 5412
  • vEdgecloud and vFirepower
  • Single MPLS and single Internet circuit
Reference
Bank in EMEA
• Cisco chosen after beating out the competition for 246 branches. Initial order for 165 branches.
• Key requirements
  • Consolidation, automation, and quickly isolate and troubleshoot problems.
  • Security is paramount with the bank.
  • Analyzed every component of the solution till it met their standards
• Two key promises made by Cisco
  • Continue to invest in the solution
  • Complete Common Criteria certification
Why ENFV?
• Automation has been key
• Bank has been exploring virtualization for a year now
• Bank initially was engaged with other vendors. However, no vendor was able to provide an end to end solution that included automation.
• After running pilots at multiple branches and seeing how easy it was to automate and spin up new sites, the customer was convinced by the Cisco solution.
• They were able to eliminate multiple Windows workstations at every branch by virtualizing them
• Chose the ENCS for its compactness
Reference
Large Bank in Canada
Bank’s strategic investment is on mobile banking: load the bank in a truck and drive it from location to location to grow their customer base
Wanted a solution that fits the following requirements
• IWAN enabled WAN router.
• Run routing, security and banking applications in a virtual environment
• 4G-LTE for WAN connectivity
• Hardware that can accommodate the above requirements and fits into the space available in the mobile trucks
Why ENFV?
• Hardware consolidation
• Integrated switch with POE capabilities
• Dual 4G primary WAN access
• IWAN solution integration
• Automation
Reference
Orange Business Services
• OBS has been one of the first customers to test and provide feedback on a lot of areas of the solution
• Used the learnings from OBS to shape the product for the better
• Tested 3rd party VNFs – PAN, Steelhead, Checkpoint, Fortinet
• Started pilot with Phillip Morris International and E&Y
For OBS, ENFV opens up new revenue streams
• OBS use Blue Planet to orchestrate. They have integrated with the NFVIS NETCONF APIs
• Positioning ISRv with 3rd party VNFs
• Initially wanted to use Riverbed for WAN Opt; however, Cisco and OBS were able to convince PMI to use vWAAS instead
• OBS have projected 800 sites across 8 customers for FY18
https://www.businesswire.com/news/home/20180206005830/en/Orange-Business-Services-Cisco-Bring-SD-WAN-Network
Reference
British Telecom
• BT are launching their service in September 2017
• BT are using NSO w/ vbranch CFP for orchestration
• BT are enhancing their existing monitoring tools and are gearing up to support this launch
• They are moving away from SNMP based monitoring to API based monitoring
• According to BT, APIs are proving to be far more efficient than SNMP
• They have integrated all the monitoring APIs provided
• Very close engagement with BT. There are three meetings a week between BT and the NFVIS team
• Features have been prioritized to ensure BT's rollout is kept on schedule.

One of BT's key requirements has been to deploy a site with 1 WAN routable IP address. Enhancements were done in NFVIS to support this by implementing secondary IP addressing.

BT press release - https://www.globalservices.bt.com/btfederal/en/news/bt-and-cisco-accelerate-for-future-networks
Monitoring and Troubleshooting a Virtual Environment
Enterprise NFV Monitoring

VNF (ISRv): NetFlow, EEM Scripts, Syslog and SNMP, Show CLI, CPU Utilization, Memory Utilization, Interface Stats

Hypervisor (NFVIS):
• NFVIS supports REST and NETCONF APIs that can be used to export all Host and VNF specific information
• CLIs are also available to monitor and export data
• All data is exported via NETCONF. Need a NETCONF client to receive data
• Host and Interface SNMP MIBS support added as part of 3.6.1 release (July 2017)
• Exporting to external Syslog support added as part of 3.6.1 release (July 2017)

Hardware (ENCS):
• Monitoring via Cisco Integrated Management Controller for Platforms that support it.
• CIMC supports an exhaustive list of MIBS which can be used to monitor every aspect of the underlying hardware
• CPU, Memory, Interface and Disk Stats
CLIs for Monitoring
• Stats: content for graphical display

show system-monitoring host [cpu | disk | memory | port] stats
show system-monitoring vnf [cpu | memory] stats

• Table: summary (e.g. min / max / average)

show system-monitoring host [cpu | disk | memory | port] table

• Default collecting duration is 5min
• Query for a specific collecting duration via API / CLI.

NFVIS Notifications for Monitoring and Troubleshooting
• NFVIS sends notifications for
• vmlcEvents (VM Lifecycle)
• nfvisEvents (NFVIS)

• Use NFVIS CLI or GUI to query notifications

nfvis# show notification stream vmlcEvent


notification
eventTime 2017-02-17T22:27:20.292+00:00
vmlcEvent
status SUCCESS
status_code 200
status_message Image creation completed successfully.
image isrv-universalk9.16.03.01.tar.gz
vmlcEvent vm_source
!
vmlcEvent vm_target
!
vmlcEvent event
type CREATE_IMAGE
!

NFVIS Notification Events
• VM Life Cycle Events: CREATE_IMAGE, DELETE_IMAGE, CREATE_FLAVOR, DELETE_FLAVOR, VM_DEPLOYED, VM_ALIVE, VM_UPDATED, VM_UNDEPLOYED, VM_RECOVERY_INIT, VM_RECOVERY_COMPLETED, VM_STOPPED, VM_STARTED, VM_REBOOTED, VM_MONITOR_UNSET, VM_MONITOR_SET, VM_RECOVERY_CANCELLED, VM_RECOVERY_REBOOT
• NFVIS System Events: WAN_DHCP_RENEW, INIT_STATUS_CHANGE, NETWORK_CREATE, NETWORK_UPDATE, NETWORK_DELETE

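The notification stream on the previous slide arrives as plain text from the CLI (or as XML over a NETCONF subscription, which the monitoring slide says needs a NETCONF client). Either way an operator has to turn it into records and decide which events matter. The Python below is an added example, not NFVIS code: it parses the tree-style CLI output into records, classifies each by the two event lists above, and returns the ones that should raise an alert (a VNF stopping or entering recovery, or any status other than SUCCESS). The alert set is this example's own choice, the nfvisEvent stream is assumed to use the same key/value layout, and the second and third notifications in the sample are constructed.

```python
from dataclasses import dataclass, field

# Event names exactly as listed on the slide.
VM_LIFECYCLE_EVENTS = {
    "CREATE_IMAGE", "DELETE_IMAGE", "CREATE_FLAVOR", "DELETE_FLAVOR", "VM_DEPLOYED",
    "VM_ALIVE", "VM_UPDATED", "VM_UNDEPLOYED", "VM_RECOVERY_INIT", "VM_RECOVERY_COMPLETED",
    "VM_STOPPED", "VM_STARTED", "VM_REBOOTED", "VM_MONITOR_UNSET", "VM_MONITOR_SET",
    "VM_RECOVERY_CANCELLED", "VM_RECOVERY_REBOOT",
}
NFVIS_SYSTEM_EVENTS = {"WAN_DHCP_RENEW", "INIT_STATUS_CHANGE",
                       "NETWORK_CREATE", "NETWORK_UPDATE", "NETWORK_DELETE"}
# Which events should page someone is this example's own choice (assumption):
# a VNF going down, entering recovery, or losing its monitor.
ALERT_EVENTS = {"VM_STOPPED", "VM_RECOVERY_INIT", "VM_RECOVERY_REBOOT", "VM_MONITOR_UNSET"}
STREAMS = ("vmlcEvent", "nfvisEvent")


@dataclass
class Notification:
    event_time: str
    stream: str
    event_type: str
    status: str
    fields: dict = field(default_factory=dict)


def parse_notifications(text):
    """Split 'show notification stream' output into Notification records.

    A record starts at a bare 'notification' line. Inside it, 'vmlcEvent' names
    the stream, 'vmlcEvent <container>' opens a nested block closed by '!', and
    every other line is a 'key value' pair (the nfvisEvent layout is assumed alike).
    """
    raw_records, current = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line == "!":
            continue
        if line == "notification":
            current = {}
            raw_records.append(current)
            continue
        if current is None:
            continue                      # text before the first record
        parts = line.split(None, 1)
        if parts[0] in STREAMS:
            current["stream"] = parts[0]  # stream name or a container header
            continue
        if len(parts) == 2:
            current[parts[0]] = parts[1]
    reserved = ("eventTime", "stream", "type", "status")
    return [Notification(event_time=r.get("eventTime", ""), stream=r.get("stream", ""),
                         event_type=r.get("type", ""), status=r.get("status", ""),
                         fields={k: v for k, v in r.items() if k not in reserved})
            for r in raw_records]


def classify(note):
    """'vm-lifecycle', 'nfvis-system' or 'unknown', using the lists above."""
    if note.event_type in VM_LIFECYCLE_EVENTS:
        return "vm-lifecycle"
    if note.event_type in NFVIS_SYSTEM_EVENTS:
        return "nfvis-system"
    return "unknown"


def alerts(notes):
    """(event_time, stream, event_type, status) for every record worth an alert."""
    return [(n.event_time, n.stream, n.event_type, n.status) for n in notes
            if n.event_type in ALERT_EVENTS or n.status.upper() not in ("SUCCESS", "")]


# First record copied from the slide; the other two are constructed.
SAMPLE_STREAM = """\
notification
 eventTime 2017-02-17T22:27:20.292+00:00
 vmlcEvent
  status SUCCESS
  status_code 200
  status_message Image creation completed successfully.
  image isrv-universalk9.16.03.01.tar.gz
  vmlcEvent vm_source
  !
  vmlcEvent vm_target
  !
  vmlcEvent event
   type CREATE_IMAGE
  !
notification
 eventTime 2017-02-17T23:05:02.110+00:00
 vmlcEvent
  status SUCCESS
  status_code 200
  status_message VM stopped.
  vmlcEvent event
   type VM_STOPPED
  !
notification
 eventTime 2017-02-17T23:05:40.000+00:00
 vmlcEvent
  status FAILURE
  status_code 500
  status_message Image creation failed.
  vmlcEvent event
   type CREATE_IMAGE
  !
"""

if __name__ == "__main__":
    notes = parse_notifications(SAMPLE_STREAM)
    for n in notes:
        print(n.event_time, classify(n), n.event_type, n.status)
    print("alerts:", alerts(notes))
```

Feeding the sample through yields one informational CREATE_IMAGE record and two alerts: the VM_STOPPED lifecycle event and the failed image creation. Over NETCONF the same records arrive as XML, so only the parsing front end changes; the classification and alert rules stay the same.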
SPAN & Packet Capture
An SRIOV or OVS vnic can be spanned (port replicated) to a packet capture VM.
Tcpdump can be run via GUI or CLI on OVS vnics.

Troubleshooting Enhancements
Exposed low level Linux show commands without having to go to root
• Low level show commands under the "Support" keyword
• Provide stats from OVS, TCP data dumps and output from virsh commands

Example: How to verify if the Day 0 configuration is attached to the VNF when instantiated by NFVIS?

Step 1: Get the list of VNFs running on NFVIS

nfvis# support virsh list
Id Name State
----------------------------------------------------
19 1509553386.ROUTER running

Step 2: Next check if there is a config drive generated with the day 0 configuration you added to the package

nfvis# support show config-drive 19
-rw-r--r--. 1 qemu qemu 397312 Nov 1 16:23 /cisco/esc/esc_database/nodejs/VM/ae828bab-3e90-4a53-ba97-14aa0db258f2/ae828bab-3e90-4a53-ba97-14aa0db258f2-hdd.config

Step 3: Once you have verified that the config drive is present, look at the contents of the drive by using

nfvis# support show config-drive content 19

At the tail end you should see the configuration that you packaged with the VNF.

Troubleshooting Enhancements
Example 2: How to verify if your VM is actually enabled for serial console?

Step 1: Use support virsh dumpxml <id>

nfvis# support virsh dumpxml 19

The virsh dumpxml command lists out exactly how the VNF was deployed on NFVIS, including the properties that were enabled.

For the above example, look for the keyword Serial in the virsh dumpxml output; if you see the following, the VNF was enabled for Serial Console on NFVIS.

<serial type='pty'>
<source path='/dev/pts/0'/>
<target port='0'/>
<alias name='serial0'/>
</serial>

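Both checks on these two slides, the config drive of Step 2 and the serial console of Example 2, can be read from the same virsh output. The Python below is an added example, not NFVIS or libvirt code: it parses `support virsh list` output to find the domain id and state, then inspects the domain XML for a `<serial type='pty'>` device and for a disk whose source file ends in `.config`. That the config drive appears as a `<disk>` element in the domain XML is an assumption of this example; the slide verifies it with `support show config-drive` instead. The sample list output and XML are constructed around the values shown on the slides (the domain name, id 19, the pts path and the config-drive path).

```python
import re
import xml.etree.ElementTree as ET

# Data rows of 'virsh list' look like:  19 1509553386.ROUTER running
VIRSH_LIST_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_virsh_list(text):
    """Map domain name -> (id, state). The header and dashed separator never match."""
    domains = {}
    for line in text.splitlines():
        m = VIRSH_LIST_ROW.match(line)
        if m:
            domains[m.group(2)] = (int(m.group(1)), m.group(3))
    return domains


def inspect_domain_xml(xml_text):
    """Summarise the console and disk devices of one libvirt domain definition."""
    root = ET.fromstring(xml_text)
    devices = root.find("devices")
    serial = devices.find("serial") if devices is not None else None
    serial_src = serial.find("source") if serial is not None else None
    disks = []
    if devices is not None:
        for disk in devices.findall("disk"):
            src = disk.find("source")
            disks.append(src.get("file", "") if src is not None else "")
    # Assumption: the day-0 config drive is the disk whose file ends in '.config'.
    config_drive = next((d for d in disks if d.endswith(".config")), None)
    return {
        "name": root.findtext("name", default=""),
        "serial_console": serial is not None and serial.get("type") == "pty",
        "serial_path": serial_src.get("path") if serial_src is not None else None,
        "config_drive": config_drive,
        "disks": disks,
    }


# Constructed sample output of 'support virsh list' (values from the slide).
SAMPLE_VIRSH_LIST = """\
 Id    Name                           State
----------------------------------------------------
 19    1509553386.ROUTER              running
"""

# Constructed domain XML; the VM directory and config-drive file name are the
# ones printed by 'support show config-drive 19' on the slide, isrv.qcow2 is a placeholder.
VM_DIR = "/cisco/esc/esc_database/nodejs/VM/ae828bab-3e90-4a53-ba97-14aa0db258f2"
SAMPLE_DOMAIN_XML = f"""\
<domain type='kvm' id='19'>
  <name>1509553386.ROUTER</name>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='{VM_DIR}/isrv.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='{VM_DIR}/ae828bab-3e90-4a53-ba97-14aa0db258f2-hdd.config'/>
      <target dev='vdb' bus='virtio'/>
    </disk>
    <serial type='pty'>
      <source path='/dev/pts/0'/>
      <target port='0'/>
      <alias name='serial0'/>
    </serial>
  </devices>
</domain>
"""

# Constructed domain with neither a serial console nor a config drive.
SAMPLE_DOMAIN_XML_BARE = """\
<domain type='kvm' id='20'>
  <name>1509553386.FIREWALL</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/tmp/constructed/fw.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>
"""

if __name__ == "__main__":
    print(parse_virsh_list(SAMPLE_VIRSH_LIST))
    for xml_text in (SAMPLE_DOMAIN_XML, SAMPLE_DOMAIN_XML_BARE):
        print(inspect_domain_xml(xml_text))
```

On a live system the two text inputs would come from `support virsh list` and `support virsh dumpxml <id>`; the summary dict makes the absence of a console or config drive an explicit False/None rather than something to spot by eye in a long XML dump.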
Troubleshooting (specific to config drive)

Issue: Image registration fails
Cause: Package is not *.tar.gz (doesn't have the required files on slide#27)
Debug: Look at the error message on portal/API response code. Also look at ESCManager.log:
NFVIS#show log /var/log/esc/escmanager.log | include Image_name
Fix: Repackage using local portal or packaging tool

Issue: Image registration fails
Cause: Checksum is not correct - maybe packaging tool / local portal not used to package the VM
Debug: Look at the error message on portal/API response code. Also look at ESCManager.log:
NFVIS#show log /var/log/esc/escmanager.log | include Image_name
Fix: Repackage using local portal or packaging tool

Issue: VM deployment fails
Cause: VM is a monitored VM and is not attached to int-mgmt-net (it can be attached to any nic) when deployed using API. By default the local portal attaches nic0 of the monitored VM to int-mgmt-net.
Debug: Look at the API response code. Also look at ESCManager.log:
NFVIS#show log /var/log/esc/escmanager.log | include vm_dep_name
Fix: Undeploy VM. Re-deploy using local portal or, using API, attach int-mgmt-net to one of the nics

Troubleshooting (contd…)

Issue: VM deployment fails
Cause: VM is a monitored VM and bootup_time is not specified in the payload. bootup_time is the time required for the VM to boot, in seconds (+ve value). Some VMs need longer time to boot.
Debug: Look at the error message on portal/API response code. Also look at ESCManager.log:
NFVIS#show log /var/log/esc/escmanager.log | include vm_dep_name
Fix: Re-deploy using local portal (default bootup_time in local portal is 600 seconds). Or deploy using API and specify a reasonable, positive value for the VM to boot in seconds.

Issue: VM deployment fails
Cause: VM is a monitored VM and kpi_data is not provided in the payload
Debug: Look at the error message on portal/API response code. Also look at ESCManager.log:
NFVIS#show log /var/log/esc/escmanager.log | include vm_dep_name
Fix: Re-deploy using local portal (it attaches kpi_data). Or deploy using API and specify a kpi_data

Issue: VM deployment fails
Cause: Bootstrap config file is tokenized and the key, value pairs are passed during deployment using API. But a static ip address is used through the deployment payload for this VM for int-mgmt-net which was already assigned by the system to other VMs.
Debug: Look at the API response code. Also look at ESCManager.log:
NFVIS#show log /var/log/esc/escmanager.log | include vm_dep_name
Fix: Use a different unused ip address for the int-mgmt-net.

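The rows in the two tables above describe conditions that are only reported after a deployment has already failed and the operator has gone digging in escmanager.log. As an added example (not NFVIS code), the Python below runs the same checks on a deployment request before it is sent: package format, a monitored VM's int-mgmt-net attachment, a positive bootup_time, the presence of kpi_data, and a static int-mgmt-net address that collides with one the system already assigned. The request is modelled as a plain dict, which is an assumption: the real REST/NETCONF payload has its own schema, and the key names here (monitored, bootup_time, kpi_data, nics, network, ip_address) only echo the terms used in the tables. The set of already-assigned addresses and the sample requests are constructed.

```python
import ipaddress

DEFAULT_BOOTUP_TIME = 600      # local-portal default quoted in the table
MGMT_NET = "int-mgmt-net"


def check_deployment(req, allocated_mgmt_ips=frozenset(), image_is_targz=True):
    """Return a list of problems with a deployment request; empty means it passes.

    `req` is a plain dict (assumption, see lead-in); `allocated_mgmt_ips` is the
    set of int-mgmt-net addresses the system has already handed to other VMs.
    """
    problems = []
    if not image_is_targz:
        problems.append("image package is not a *.tar.gz built with the packaging tool or local portal")
    nics = req.get("nics", [])
    mgmt_nics = [n for n in nics if n.get("network") == MGMT_NET]
    if req.get("monitored"):
        # A monitored VM must be reachable on int-mgmt-net; the portal wires nic0 there by default.
        if not mgmt_nics:
            problems.append(f"monitored VM has no nic attached to {MGMT_NET}")
        bt = req.get("bootup_time")
        if not isinstance(bt, int) or bt <= 0:
            problems.append("monitored VM needs a positive bootup_time in seconds "
                            f"(local portal default is {DEFAULT_BOOTUP_TIME})")
        if not req.get("kpi_data"):
            problems.append("monitored VM needs kpi_data")
    # A static int-mgmt-net address in the payload must not collide with one already assigned.
    for n in mgmt_nics:
        ip = n.get("ip_address")
        if not ip:
            continue
        try:
            addr = str(ipaddress.ip_address(ip))
        except ValueError:
            problems.append(f"invalid static ip {ip!r} on {MGMT_NET}")
            continue
        if addr in allocated_mgmt_ips:
            problems.append(f"static ip {addr} on {MGMT_NET} is already assigned to another VM")
    return problems


# Constructed: addresses the system already handed out on int-mgmt-net.
ALLOCATED_MGMT_IPS = frozenset({"10.20.0.2", "10.20.0.3"})

# Constructed requests. The kpi_data content is a placeholder; only its presence is checked.
BAD_REQUEST = {
    "name": "ROUTER", "monitored": True, "kpi_data": None,
    "nics": [{"nic_id": 0, "network": "wan-net"}],
}
GOOD_REQUEST = {
    "name": "ROUTER", "monitored": True, "bootup_time": DEFAULT_BOOTUP_TIME,
    "kpi_data": {"event_name": "VM_ALIVE"},
    "nics": [{"nic_id": 0, "network": MGMT_NET, "ip_address": "10.20.0.9"},
             {"nic_id": 1, "network": "wan-net"}],
}
CONFLICT_REQUEST = dict(GOOD_REQUEST,
                        nics=[{"nic_id": 0, "network": MGMT_NET, "ip_address": "10.20.0.2"}])

if __name__ == "__main__":
    for label, req in (("bad", BAD_REQUEST), ("good", GOOD_REQUEST), ("conflict", CONFLICT_REQUEST)):
        print(label, check_deployment(req, ALLOCATED_MGMT_IPS))
```

The bad request trips three of the table's rows at once (no int-mgmt-net nic, no bootup_time, no kpi_data); the conflict request passes the monitored-VM checks but reuses an address already assigned, which is the last row of the second table.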
White box or not a White box
White Box - what could possibly go wrong?

All Cisco Stack vs White Box Stack
White Box Stack consists of…
• COTS Hardware
• Unrelated hypervisor
• Disparate VNF collection
• Orchestration?

The questions that come with it: "quality?", "reliability?", "licensing cost?", "support?", "compatibility with hardware?", "support?" (again), "cross component compatibility/duplication?", "support?" (again) (multiple touch points now!), "what's the glue?", "Can it 'see' my hardware?"

so. many. questions. A wobbling stack of uncertainty™.

All Cisco Stack vs White Box Stack

All Cisco
• Orchestration: VMS, vBranch + SDWAN. vBranch is the key to success for the Cisco stack. Pre-defined templates are fully tested and supported.
• VNF: Cisco ISRv, ASAv, vWAAS, vWLC, vEdge. Opportunity to highlight synergies between products throughout the entire solution stack. VNFs strengthen the overall offer.
• Hypervisor: NFVIS
• Hardware: ENCS. An integrated stack offers single vendor sourcing, and consistent cross-solution support.

White Box
• Orchestration: Non-Cisco (Ericsson, etc..). How well can a single orchestrator support multiple underlying components?
• VNF: Palo Alto, Riverbed, Fortinet, Juniper. VNFs are on their own. Inconsistent licensing, hypervisor support, etc. VNFs weaken the stack.
• Hypervisor: Non-Cisco (KVM, Openstack, etc.). How well does each VNF work with the chosen hypervisor?
• Hardware: Advantech, Cisco?, Juniper, Dell. No Cisco product in the white box space. ENCS and UCSE do not fit into the white box model (pricing or technology).

Example: Cisco Stack vs Dell VEP 'white box'

• Orchestration: vCenter? The SD-WAN vendor's? RedHat's? (CloudForm? OpenStack Platform Director?) Some other vendor or open source*? Good Luck! (you're going to need it)
• VNF: Versa, VeloCloud, Silver Peak. Choice?: Three (only) vendors. SD-WAN only.
• Hypervisor: VMWare or RedHat. Extra cost: VMWare ESX isn't free if you want to manage it, RedHat isn't free. Both require support.
• Hardware: Single platform only, Ethernet only, Intel Xeon D2100. 'up to'** 16 cores, 'up to' 64 RAM, max 1TB storage. Two expansion slots, but nothing for them.

Summary of ENCS advantages over Competition (Reference)

Superior Hardware Engineering
• Flexible, Expandable platform: 4, 6, 8, 12 Core Options; Up to 64MB RAM upgrades; Up to 2 TB SATA, 1.2 TB SET, 1.8 TB SAS Disk Storage; Upgradable in the Field!
• Support Multiple VNFs including those with high storage demand like vWAAS, vNAM, Windows Servers, Log Servers
• NIMs/WAN module support
  - 4G/LTE (without losing integrated WAN ports)
  - T1/E1 (Up to 8 ports, no SFP with VNF/Core usage req'd as others)
  - xDSL*
  - Voice T1/E1, FXS, FXO*

Superior Operational Platform
• Integrated switch with 8 ports with PoE
• Hardware acceleration of VM-to-VM traffic flow (~30% performance improvement over our competitors for multiple VNFs)
• Support for Hardware RAID on 12" chassis for Redundancy
• Secure boot and BMC/CIMC Lights Out Server Management
• LTE modules can support the Dying Gasp support that is available on NIMs (SMS messaging)
• Enterprise class grade components (comparable to an ISR)
• Purpose built HW with > 7 Years lifetime versus general white box with ~ 3 Years

* Roadmap
Reference
NFVIS – True Network Hypervisor
• Designed Specifically for Enterprise deployments
• Targeted for Networking teams in Enterprise organizations
• Optimized for the deployment and monitoring of Virtual Network Functions
  • Built-in VM monitoring capability allows for auto restart of VNFs when down
  • Avoids expensive truck rolls to remote sites
• Rich Open APIs
  • Industry standard API that allows integration with any Orchestration system
  • APIs available for both RESTConf and NETConf
  • APIs support includes
    • VM deployment
    • VM health monitoring
    • System resource (compute/memory/storage) management
• Zero touch deployment
  • Embedded PnP Client in NFVIS enables true Zero Touch Deployment model without any human intervention
  • Allows for quick and error free deployment of network services
• Automatic Resource Optimization for improved network performance
  • Optimized use of CPU, Memory and Storage for maximum performance of the different VNFs.
• Management GUI bundled in with NFVIS
  • Easy to use GUI eliminates complexity of dealing with the underlying hypervisor
  • Provides ability to draw network topology and instantiate a virtual branch
• Open Architecture Software stack
  • Allows for easy onboarding of any 3rd party software
• Secure and Trusted Infrastructure Software
  • Security tested and certified. Chain of trust between orchestrator, hardware, nfvis components and vnfs
  • FIPS and Common Criteria Certifications on Roadmap

Key Takeaways
• Network Function Virtualization is a standard tool in the tool-box of network engineers
• SD-Branch solution is SDWAN ready
• Cisco Virtualized Network Functions offer full feature richness and consistency with their hardware variants
• Key benefits:
  • Operational simplicity - deploy functionality within minutes
  • Leverage power of programmability
  • Potential to achieve architectural simplification
• Important to understand the system architecture, in particular with a view to performance

Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.

Continue your education
• Demos in the Cisco campus
• Walk-in labs
• Meet the engineer 1:1 meetings
• Related sessions

NDA Roadmap Sessions at Cisco Live
Customer Connection Member Exclusive
Join Cisco's online user group to …
• Connect online with 29,000 peers and Cisco experts in private community forums
• Learn from experts and stay informed about product roadmaps
  - Roadmap sessions at Cisco Live
  - Monthly NDA briefings
• Give feedback to Cisco product teams
  - Product enhancement ideas
  - Early adopter trials
  - User experience insights
Join online: www.cisco.com/go/ccp

NETWORKING ROADMAPS | SESSION ID | DAY / TIME
Roadmap: SD-WAN and Routing | CCP-1200 | Mon 8:30 – 10:00
Roadmap: Machine Learning and Artificial Intelligence | CCP-1201 | Tues 3:30 – 5:00
Roadmap: Wireless and Mobility | CCP-1202 | Thurs 10:30 – 12:00

Join at the Customer Connection Booth (in the Cisco Showcase)
Member Perks at Cisco Live
• Attend NDA Roadmap Sessions
• Customer Connection Jacket
• Member Lounge
Thank you
