cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

ENCS Design and Deployment Best Practice

465
Views
0
Helpful
0
Comments

Connectivity Design considerations and recommendation

1.Management Access connectivity

  • If there is a dedicated OOB management path, consider connecting to CIMC and MGMT port.
  • If OOB path is not available, Connect the dedicated Management port to LAN Switch and access NFVIS in-band.

2.Device Bootstrap and Automation

  • Plug-n-play : Atleast 1 wan link DHCP enabled, connect to GE0-0 for communication with service-chain orchestrator.
  • Site-by-Site manual deployment can utilize the 1.1.a in-band connectivity.
  • Packaging : ISRv VNF package with parameterized Custom Configuration. One package can be used for deploying multiple sites with resource profile and parameterized config template.
  • Packaging : Alternately, If pre-created site specific custom config files are available at the time of deployment, it can be passed as a bootstrap config during deployment.
  • Recommend that critical VNFs be deployed in Monitored mode.

3.WAN Link redundancy

  • 2 WAN Links. Terminate on GE0-0 and GE0-1 connected to virtual router. Atleast 1 DHCP enabled.
  • In 3.10 release, we will have the ability to attempt DHCP on either of the WAN connection. 

4. LAN side : port channel would provide link redundancy towards lan side. This would be recommended. Shutdown the LAN ports that are NOT in use.

5. Use of VLANs for segregating traffic from different VNFs, particularly on the LAN side. Note: All 8 switch ports are trunked to lan-bridge.

6. Storage : Utilize on-board storage network functions. For storage intensive application, utilize the external drive.

Security and Licensing considerations and recommendation

1.Enterprise Certificate : Enterprise root-cert for authenticating NFVIS layer in the ENCS device.

2.TACACS Role Based Access : Define Administrator vs Operator users for monitoring Vs Day N change management. 

3.L3 level NFVIS access restriction using system settings ip-receive-acl.

4.Configure Primary and Backup NTP source in NFVIS and Router/VNFs for certificate validity and license authorization. Utilize satellite license server incase connectivity to cisco smart license server is not reliable.

5.Note: Hardware and NFVIS software layer have inbuilt security defaults to ensure robust security of the system.

Secure UDI, Secure Boot, Tamper protection, HW Entropy, Session resource protection, privileged access for advanced debugging, traffic segmentation between VNFs and Host, Restricted storage access, input validation, etc.

Monitoring and Management Design consideration and recommendation

  • Syslog

NFVIS can send Syslog messages to Syslog servers. Syslogs are sent for NETCONF notifications from NFVIS.

This feature is used to configure the remote logging servers

Configuration can be done via Portal, CLI and API

  • SNMPv3

CPU, Memory, Storage, Power / Voltage, Temperature, Fan

WAN port status, LAN port status, OVS-wan (Roadmap)

  • Monitoring CLI

show system-monitoring host [cpu | disk | memory | port] stats

show system-monitoring host [cpu | disk | memory | port] table

Power / Voltage, Temperature, Fan

Default collecting duration is 5min

  • NETConf

NFVIS sends notifications for

vmlcEvents (VM Lifecycle)

nfvisEvents (NFVIS)

Use NFVIS CLI or GUI to query notifications

Performance consideration – Best practice

Individual performance of a VNF depends on

The underlying platform, the number of cores and the type and frequency of the processor used

The resources available for the VNF

How the VM connects to the physical NICS – PCI Passthrough, SR-IOV, virtIO

Finally The VNF itself. VNF must also be optimized to run in a virtual environment

  • In case of a Multi-VNF environment, the net chained VNF performance also depends on

The weakest-link VNF

Use of virtual switches to copy packets from ingress to egress vNICs

Best Practice : Dedicate CPU and utilize SRIOV for most optimal performance where possible.

Note : VNF needs to support the specific SR-IOV driver. ISRv has the required drivers for optimal performance in ENCS.

 

 

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards