Connectivity design considerations and recommendations
1. Management access connectivity
If a dedicated out-of-band (OOB) management path exists, consider connecting it to both the CIMC port and the MGMT port.
If no OOB path is available, connect the dedicated management port to the LAN switch and access NFVIS in-band.
2. Device bootstrap and automation
Plug-n-Play: at least one WAN link, DHCP enabled and connected to GE0-0, for communication with the service-chain orchestrator.
Site-by-site manual deployment can use the in-band management connectivity described in item 1.
Packaging: an ISRv VNF package with a parameterized custom configuration. One package can be used to deploy multiple sites by combining a resource profile with a parameterized config template.
Packaging (alternative): if pre-created, site-specific custom config files are available at deployment time, they can be passed as the bootstrap config during deployment.
Recommendation: deploy critical VNFs in monitored mode.
3. WAN link redundancy
Two WAN links, terminated on GE0-0 and GE0-1 and connected to the virtual router; at least one of them DHCP enabled.
In the 3.10 release, we will have the ability to attempt DHCP on either WAN connection.
4. LAN side: a port channel provides link redundancy towards the LAN side and is the recommended option. Shut down the LAN ports that are NOT in use.
5. Use VLANs to segregate traffic from different VNFs, particularly on the LAN side. Note: all 8 switch ports are trunked to lan-bridge.
6. Storage: use the on-board storage for network functions. For storage-intensive applications, use the external drive.
Security and licensing considerations and recommendations
1. Enterprise certificate: install an enterprise root certificate for authenticating the NFVIS layer on the ENCS device.
2. TACACS role-based access: define Administrator vs. Operator users, separating monitoring from Day-N change management.
3. Layer-3 restriction of NFVIS management access using system settings ip-receive-acl.
4. Configure primary and backup NTP sources in NFVIS and in the router/VNFs; accurate time is required for certificate validity and license authorization. Use a satellite license server in case connectivity to the Cisco Smart License server is not reliable.
5. Note: the hardware and NFVIS software layers have built-in security defaults to ensure robust security of the system:
Secure UDI, Secure Boot, tamper protection, hardware entropy, session resource protection, privileged access for advanced debugging, traffic segmentation between VNFs and the host, restricted storage access, input validation, etc.
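To make item 3 concrete, here is an added example (not from the page or from Cisco) that models a set of ip-receive-acl rules, evaluates which action a source IP gets for a management service, and audits the design so that only the OOB management subnet can reach ssh/https/netconf before the rules are pushed. It assumes first-match evaluation in ascending priority order with an implicit drop; the subnets and rules are constructed sample values.

```python
# Added example: model and audit an NFVIS ip-receive-acl management-access design.
# Assumption: rules are evaluated in ascending priority order, first match wins,
# and a source that matches no rule is dropped. Verify against your NFVIS release.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Services that expose the NFVIS management plane.
MGMT_SERVICES = frozenset({"ssh", "https", "netconf", "scpd"})


@dataclass(frozen=True)
class AclRule:
    network: str          # source prefix, e.g. "198.51.100.0/24"
    services: frozenset   # subset of {"ssh", "https", "netconf", "scpd", "icmp"}
    action: str           # "accept" | "reject" | "drop"
    priority: int


def decide(rules, src_ip, service):
    """Action applied to src_ip requesting service (assumed first-match order)."""
    src = ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r.priority):
        if src in ip_network(r.network) and service in r.services:
            return r.action
    return "drop"  # assumption: implicit deny when nothing matches


def audit(rules, mgmt_subnet, probes):
    """Return findings for probes (src_ip, service) where a source outside
    mgmt_subnet would be accepted for a management service."""
    mgmt = ip_network(mgmt_subnet)
    return [f"{ip} may reach {svc}"
            for ip, svc in probes
            if svc in MGMT_SERVICES
            and ip_address(ip) not in mgmt
            and decide(rules, ip, svc) == "accept"]


def to_cli(rules):
    """Render the rules as 'system settings ip-receive-acl ...' CLI lines."""
    return [f"system settings ip-receive-acl {r.network} service "
            f"[ {' '.join(sorted(r.services))} ] action {r.action} "
            f"priority {r.priority}"
            for r in sorted(rules, key=lambda r: r.priority)]


# Constructed sample policy: OOB subnet may manage, ICMP is open, all else dropped.
SAMPLE_RULES = [
    AclRule("198.51.100.0/24", MGMT_SERVICES, "accept", 10),
    AclRule("0.0.0.0/0", frozenset({"icmp"}), "accept", 50),
    AclRule("0.0.0.0/0", MGMT_SERVICES, "drop", 100),
]
```

Run audit() with probes for every subnet that has routed reachability to the management interface (LAN VLANs, WAN side) to catch an overly broad accept rule before it reaches the device.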
Monitoring and management design considerations and recommendations
NFVIS can send syslog messages to syslog servers. Syslog messages are generated for NETCONF notifications from NFVIS.
The remote logging feature is used to configure the remote syslog servers.
Configuration can be done via the portal, the CLI and the API.
Host resources monitored: CPU, memory, storage, power / voltage, temperature, fan.
Port status monitored: WAN port status, LAN port status, OVS-wan (roadmap).
show system-monitoring host [cpu | disk | memory | port] stats
show system-monitoring host [cpu | disk | memory | port] table
Power / voltage, temperature and fan readings are also reported.
The default collection interval is 5 minutes.
NFVIS sends notifications for:
vmlcEvents (VM lifecycle)
Use the NFVIS CLI or GUI to query notifications.
Performance considerations – best practice
The individual performance of a VNF depends on:
The underlying platform: the number of cores and the type and frequency of the processor used
The resources allocated to the VNF
How the VM connects to the physical NICs: PCI passthrough, SR-IOV or virtIO
Finally, the VNF itself; the VNF must also be optimized to run in a virtual environment
In a multi-VNF environment, the net performance of the service chain also depends on:
The weakest-link VNF
The use of virtual switches to copy packets from ingress to egress vNICs
Best practice: dedicate CPU cores and use SR-IOV for the most optimal performance where possible.
Note: the VNF needs to support the specific SR-IOV driver. ISRv has the required drivers for optimal performance on ENCS.