Connectivity design considerations and recommendations
1. Management access connectivity
If there is a dedicated out-of-band (OOB) management path, consider connecting both the CIMC port and the MGMT port to it.
If no OOB path is available, connect the dedicated management port to the LAN switch and access NFVIS in-band.
2. Device bootstrap and automation
Plug-n-Play: at least one WAN link with DHCP enabled, connected to GE0-0, for communication with the service-chain orchestrator.
Site-by-site manual deployment can use the in-band management connectivity described under item 1.
Packaging: an ISRv VNF package with a parameterized custom configuration. One package can then be used to deploy multiple sites, each with its own resource profile and its own parameter values for the config template.
Packaging (alternative): if pre-created, site-specific custom config files are available at deployment time, they can be passed as the bootstrap config during deployment.
Recommendation: deploy critical VNFs in monitored mode.
3. WAN link redundancy
Two WAN links, terminated on GE0-0 and GE0-1 and connected to the virtual router; at least one of them DHCP enabled.
In the 3.10 release, we will have the ability to attempt DHCP on either WAN connection.
4. LAN side: a port channel provides link redundancy towards the LAN side and is recommended. Shut down the LAN ports that are NOT in use.
5. Use VLANs to segregate traffic from different VNFs, particularly on the LAN side. Note: all 8 switch ports are trunked to lan-bridge.
6. Storage: use the on-board storage for network functions. For storage-intensive applications, use the external drive.
Security and licensing considerations and recommendations
1. Enterprise certificate: install an enterprise root certificate for authenticating the NFVIS layer on the ENCS device.
2. TACACS role-based access: define Administrator vs. Operator users, separating monitoring from Day-N change management.
3. Restrict L3-level access to NFVIS using the system settings ip-receive-acl.
4. Configure primary and backup NTP sources in NFVIS and in the router/VNFs, since certificate validity checks and license authorization depend on correct time. Use a satellite license server in case connectivity to the Cisco Smart License server is not reliable.
5. Note: the hardware and NFVIS software layers have built-in security defaults to ensure robust security of the system:
Secure UDI, Secure Boot, tamper protection, hardware entropy, session resource protection, privileged access for advanced debugging, traffic segmentation between VNFs and the host, restricted storage access, input validation, etc.
Monitoring and management design considerations and recommendations
Syslog: NFVIS can send syslog messages to syslog servers. Syslog messages are generated for the NETCONF notifications emitted by NFVIS.
This feature is used to configure the remote logging servers.
Configuration can be done via the portal, the CLI or the API.
System monitoring covers: CPU, memory, storage, power/voltage, temperature, fan;
WAN port status, LAN port status, OVS-wan (roadmap).
show system-monitoring host [cpu | disk | memory | port] stats
show system-monitoring host [cpu | disk | memory | port] table
Power/voltage, temperature and fan readings are collected as well.
The default collecting duration is 5 min.
NFVIS sends notifications for:
vmlcEvents (VM lifecycle)
Use the NFVIS CLI or GUI to query notifications.
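Because NFVIS forwards its NETCONF notifications (including the vmlcEvents above) to a syslog server, a collector can watch those lines for VM lifecycle changes that an operator should see, for example a critical VNF that has stopped or a deployment that failed. The script below is an added example written for this page; it is not NFVIS code and not part of the original notes. The XML element names (notification/eventTime, vmlcEvent with status, status_message, depname and event/type), the vmlcEvent namespace and the event type strings are assumptions modelled on NFVIS notifications and must be checked against the notification schema of your NFVIS release; the syslog lines it parses are constructed sample data.

```python
"""Parse syslog lines carrying NFVIS NETCONF notifications and flag the
VM lifecycle (vmlcEvent) events that need operator attention.

Added example; element names, namespace and event type strings below are
assumptions, not verified against a specific NFVIS release."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

NETCONF_NS = "urn:ietf:params:xml:ns:netconf:notification:1.0"
VMLC_NS = "http://www.cisco.com/nfvis/vm_lifecycle"  # assumed namespace

# Event types that warrant an alert even when the status field reports SUCCESS
# (assumed names, modelled on VM lifecycle events).
ATTENTION_EVENTS = {"VM_STOPPED", "VM_DEPLOY_FAILED", "VM_RECOVERY_INIT"}

# Constructed sample: RFC 3164 style syslog header followed by the XML payload.
SAMPLE_SYSLOG = "\n".join([
    "<189>Jan 10 12:00:01 nfvis-site01 nfvis: "
    f'<notification xmlns="{NETCONF_NS}"><eventTime>2024-01-10T12:00:01Z</eventTime>'
    f'<vmlcEvent xmlns="{VMLC_NS}"><status>SUCCESS</status><status_code>200</status_code>'
    "<status_message>VM alive</status_message><depname>ISRv-site01</depname>"
    "<event><type>VM_ALIVE</type></event></vmlcEvent></notification>",
    "<189>Jan 10 12:05:17 nfvis-site01 nfvis: "
    f'<notification xmlns="{NETCONF_NS}"><eventTime>2024-01-10T12:05:17Z</eventTime>'
    f'<vmlcEvent xmlns="{VMLC_NS}"><status>SUCCESS</status><status_code>200</status_code>'
    "<status_message>VM stopped</status_message><depname>ISRv-site01</depname>"
    "<event><type>VM_STOPPED</type></event></vmlcEvent></notification>",
    "<189>Jan 10 12:06:02 nfvis-site01 nfvis: "
    f'<notification xmlns="{NETCONF_NS}"><eventTime>2024-01-10T12:06:02Z</eventTime>'
    "<netconf-config-change xmlns=\"urn:ietf:params:xml:ns:yang:ietf-netconf-notifications\">"
    "<changed-by><username>admin</username></changed-by></netconf-config-change></notification>",
    "<189>Jan 10 12:07:44 nfvis-site01 nfvis: "
    f'<notification xmlns="{NETCONF_NS}"><eventTime>2024-01-10T12:07:44Z</eventTime>'
    f'<vmlcEvent xmlns="{VMLC_NS}"><status>FAILURE</status><status_code>500</status_code>'
    "<status_message>Insufficient resources</status_message><depname>ASAv-site01</depname>"
    "<event><type>VM_DEPLOY_FAILED</type></event></vmlcEvent></notification>",
    "<189>Jan 10 12:08:10 nfvis-site01 nfvis: user admin logged in via ssh",
])


@dataclass
class VmEvent:
    event_time: str
    deployment: str
    event_type: str
    status: str
    message: str


def _text(elem: ET.Element, path: str) -> str:
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else ""


def parse_line(line: str) -> Optional[VmEvent]:
    """Return the vmlcEvent carried by one syslog line, or None if the line
    is not a notification or is a notification of another kind."""
    start = line.find("<notification")
    if start < 0:
        return None
    try:
        root = ET.fromstring(line[start:])
    except ET.ParseError:
        return None
    vmlc = root.find(f"{{{VMLC_NS}}}vmlcEvent")
    if vmlc is None:
        return None
    return VmEvent(
        event_time=_text(root, f"{{{NETCONF_NS}}}eventTime"),
        deployment=_text(vmlc, f"{{{VMLC_NS}}}depname"),
        event_type=_text(vmlc, f"{{{VMLC_NS}}}event/{{{VMLC_NS}}}type"),
        status=_text(vmlc, f"{{{VMLC_NS}}}status"),
        message=_text(vmlc, f"{{{VMLC_NS}}}status_message"),
    )


def needs_attention(ev: VmEvent) -> bool:
    """Alert on any non-SUCCESS status, and on listed event types regardless of status."""
    return ev.status.upper() != "SUCCESS" or ev.event_type in ATTENTION_EVENTS


def scan_syslog(text: str) -> List[VmEvent]:
    """Return the VM lifecycle events in `text` that should raise an alert."""
    alerts = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None and needs_attention(ev):
            alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for ev in scan_syslog(SAMPLE_SYSLOG):
        print(f"{ev.event_time} {ev.deployment}: {ev.event_type} ({ev.status}) {ev.message}")
```

On the constructed sample this reports the VM_STOPPED event for ISRv-site01 and the failed ASAv-site01 deployment, and ignores the VM_ALIVE event, the config-change notification and the plain text line. In production, parse untrusted XML with a hardened parser such as defusedxml rather than the standard library module used here, and feed the alerts into whatever the site already uses for paging.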
Performance considerations – best practice
The individual performance of a VNF depends on:
the underlying platform: the number of cores and the type and frequency of the processor used;
the resources allocated to the VNF;
how the VM connects to the physical NICs: PCI passthrough, SR-IOV or virtIO;
and finally the VNF itself, which must also be optimized to run in a virtual environment.
In a multi-VNF environment, the net performance of the chained VNFs also depends on:
the weakest-link VNF;
the use of virtual switches to copy packets from ingress to egress vNICs.
Best practice: dedicate CPU cores and use SR-IOV for optimal performance where possible.
Note: the VNF needs to support the specific SR-IOV driver. ISRv has the required drivers for optimal performance on ENCS.