kramesh
Cisco Employee

Goal

To successfully provision an ENCS 5400 series, Catalyst 8200 uCPE, or Catalyst 8300 uCPE device at a remote site with an internet connection.

Catalyst 8300 uCPE is the next generation of Cisco Enterprise Network Compute System (ENCS) 5400 Series. Highlights of upcoming C8300-UCPE platform:


The Cisco Catalyst 8300 Series Edge uCPE (Universal Customer Premises Equipment) is a purpose-built x86 platform designed for network function virtualization deployments in branches, on-premises and colocation data centers. It enables device consolidation across network and security functions, improves operational flexibility and service agility, simplifies network operations, and results in shorter deployment times and fewer truck rolls for delivery of add-on services.
  • Device consolidation - run 3-6 VNFs from Cisco or other partners.
  • 4 cores for C8000V deliver:
       - 5 Gbps of SD-WAN IMIX IPsec
       - 2 Gbps of SD-WAN IMIX IQDF
  • 20 cores – Intel Xeon Ice Lake 2 GHz processor.
  • Powered by Cisco NFVIS hypervisor operating system for KVM-based virtualization.
  • 10 Gbps WAN/LAN ports.
  • Dual power supply.
  • Use as a stand-alone device or centrally manage using Cisco vManage as orchestrator with the updated UX2.0 interface.
  • Expandable further with NIM and PIM modules.
  • 5G-ready via PIM.
  • < 18” depth form factor, ideal for tight spaces in branches.
  • Supports CIMC software for device firmware management.

Highlights of UX2.0 NFV in vManage (Cisco Catalyst SDWAN Manager)

Lifecycle management of uCPE platforms using vManage
Quick Connect workflow for onboarding 8300-uCPE
Simplified design and provisioning with out-of-the-box validated NFV design
       -Ability to create NFV configuration group for Day 0
              -SDWAN Router, SDWAN Router and Firewall, Custom service chain designs
       -Modify configuration group parcels for DayN design customization.
       -Bulk deployment support
Software image management for uCPE platform and VNF services
       -Ability to source NFVIS and VNF images from external repository
Monitoring uCPE platform and VNF health
Modular and rich set of API for ease of automation using external systems

Documentation

Minimum software release requirements for onboarding ENCS5400, C8200-UCPE platforms

-ENCS 5400 series or 8200-UCPE platform with NFVIS 4.14.1 release.

-Catalyst Manager 20.14.1 release

Minimum software release requirements for onboarding 8300-UCPE platform

-8300-UCPE platform with NFVIS 4.12.1 release. 

-Catalyst Manager 20.12.1 release.

 

This document is expected to complement the SD-Branch Design and Deployment Guide

Also reference

Getting started with 8300uCPE

Getting started with ENCS 5400 Series

Define

A typical virtual branch deployment requires an authorized list of devices and image packages for the services to be deployed. Also, VNF service images must be made available in the vManage image repository.

 

Device List

Create the device list in Smart Account and make it available in Catalyst Manager


When the 8300uCPE devices are ordered with controller mode, Cisco Manufacturing will populate the devices in the smart account. Often, for demos/POC, the following manual approach is required. 

1. Access the 8300uCPE through the console and change the default password Admin123# to a secure password that meets the password policy requirement. Log in to get the device's Serial Number and SUDI Certificate, which are used in the next step. To do so, follow the example below.
login: admin
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
admin@localhost's password: 

Cisco Network Function Virtualization Infrastructure Software (NFVIS)

NFVIS Version: 4.12.1-EFT2

Copyright (c) 2015-2023 by Cisco Systems, Inc.
Cisco, Cisco Systems, and Cisco Systems logo are registered trademarks of Cisco
Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

The copyrights to certain works contained in this software are owned by other
third parties and used and distributed under third party license agreements.
Certain components of this software are licensed under the GNU GPL 2.0, GPL 3.0,
LGPL 2.1, LGPL 3.0 and AGPL 3.0.

admin connected from ::1 using ssh on nfvis

nfvis# support show chassis
Product Name             : C8300-UCPE-1N20
Chassis Serial Num       : FGL2722LF0B
Certificate Serial Num   : 6650522988207529A1B
nfvis# 


Add Device to Smart Account

1. Navigate to software.cisco.com

2. Scroll down to the Smart Licensing section. 

3. Under Network Plug and Play, click on Manage devices.


4. Click on Add Device(s).
5. Under the Identify source, select the Enter Device info manually option. Advance to the next step by clicking Next.

6. Click on Identify Device.


7. Enter Serial Number, select Base PID  (ENCS) from the drop-down menu and add Controller Profile (VIPTELA-CLOUD-HOSTED-PROFILE) from the drop-down menu. Click Save and advance to the next step by clicking Next.


8. Verify the entered information and click Next. Advance to the next step by clicking Submit.

9. If the device is added correctly, you should see a success message. Click on Done to add the device.

10. You will be redirected to the initial PnP Connect Devices page. You should be able to see the newly added device listed with the Pending (Redirection) status.

Sync Smart Account via vManage

1. Log in to vManage.

2. Navigate to the Hamburger Menu, go to Configuration > Devices.


3. Click on Sync Smart Account. When prompted, enter CEC Credentials.


4. Refresh the Smart Account Device Sync Service page to see the status of the sync. The Success message will appear in the Status box.

5. After the device has been successfully added to vManage, you should see the C8300-uCPE in the Devices list.

Note: If you still don't see the C8300-uCPE in the Devices list, try syncing the smart account one more time.

6. The device will reach out to the Plug and Play Connect portal to receive the controller information. Do not interrupt the PnP boot-up process or the redirection to controllers will fail.
7. Select your device from the Available Devices window and move it to the Selected Devices section. Click on Attach.

Link VNF Images in Remote repository

Prerequisite: Create an FTP, SCP or HTTP server and upload the VNF disk images or VNF packages.

vManage uses the remote repository to source the vnf-disk-image and bootstrap files, and auto-generates the other environment files required by NFVIS.

Alternatively, a VNF tar package containing the vnf-disk-image, bootstrap files and environment files can be used.


 

1.1 Remote server and VNF images

1.1.1 Create a pointer to Remote repository
Figure: link ftp server outside vmanage

1.1.2 Add VNF image entries
Figure: vnf image reference in remote server

 1.2 VNF packages

This chapter describes how to get the VNF packages for vBranch, modify and repackage them if needed, and then upload them into vManage.

  • Download VNF package for vBranch from CCO
  • Modify and repackage for vBranch VNF package (Optional)
  • Upload VNF package into vManage

1.2.1  Download VNF package for vBranch from CCO

Currently, the legacy VNF packages posted at the CCO links cannot be used because their format is incompatible.

 

Please find Cisco supported VNF package at https://software.cisco.com/download/home/286308649/type/286327969/release/17.03.03

 

For third party VNF, please download the scaffold packages at https://software.cisco.com/download/home/286308693/type/286327978/release/4.4.1

 

1.2.2  Modify and repackage for vBranch VNF package (Optional)

The CCO golden vBranch VNF packages for SDWAN routers such as C8000v, ISRv and vEdge have a day0 configuration with the following network mapping, which matches the 5 pre-defined vBranch topologies in Network Design.

Below is the pre-defined default network mapping for SDWAN routers.

  • vnic0 -> int-mgmt-net
  • vnic1 -> GE0-0-SRIOV-1
  • vnic2 -> mgmt-net
  • vnic3 -> lan-net

To change the day0 configuration in the cloudinit bootstrap file, follow the steps below to repackage.

  • Download the golden vBranch VNF package from CCO
  • Extract the golden vBranch VNF package
  • Modify the day0 configuration in the cloudinit bootstrap file, including adding the enterprise root CA
  • Modify the image_properties.xml file for <name> and add/delete/modify <bootstrap_file> and <custom_property> when needed
  • Modify package.mf with the new checksum for all modified files
  • Repackage

1.2.3  Upload VNF package into vManage

  • Open the vManage UI and go to “Maintenance” -> “Software Repository” -> “Virtual Images” -> “Upload Virtual Image” -> select “vManage”
  • In the pop-up window, browse and select the VNF package(s) for upload (NOTE: The upload speed depends on the package size and network quality)
  • After upload, the new entry will be shown in the table on the “Virtual Images” page

     

 





Quick Connect workflow

The Quick Connect workflow in Cisco Catalyst Manager creates a basic day-0 configuration profile, which is applicable to all Cisco IOS XE SD-WAN devices and NFV devices. This workflow establishes control plane and data plane access in your WAN.


The behavior of the Quick Connect workflow depends on how you upload devices to Cisco vManage. You can upload your devices in one of the following ways, either as part of the Quick Connect workflow or independently.

  • Using the auto sync option, where your Smart Account is synced with Cisco vManage. This option requires Cisco vManage to be able to connect with the Cisco Plug n Play (PnP) portal

  • Using the manual upload method, where you download the authorized serial number file of devices from the Cisco PnP portal and upload it to Cisco vManage

Figure: Prep for basic connectivity to device.

Design

Create an NFV multi-VNF service chain using an NFV configuration group.

A configuration group provides a simple, reusable, and structured approach for the configurations in Cisco SD-WAN and NFV. You can create a configuration group, that is, a logical grouping of features or configurations that can be applied to one or more devices in the network. You can also create profiles based on features that are required, recommended, or uniquely used, and then combine the profiles to complete a device configuration.

The configuration group workflow in Cisco vManage provides a guided method to create configuration groups and feature profiles. 

 

Figure: Create Configuration Group

Figure: nfv config group name-desc
Figure: nfv config group site and wan settings

Define : Site Type, Site settings, WAN Profile

Figure: site settings
Figure: wan profile

Define VNF Services : Resources, Bootstrap, WAN Interface connectivity, LAN Interface connectivity

Select the service chain design of interest.
For C8000v in SDWAN mode, start with "Router" or "Router-Firewall".
For C8000v in Routing mode, start with "Custom" option. 

Figure: Define Router VNF properties

ASAv bootstrap file (sample)

Note: When importing or copy-pasting bootstrap files with pre-defined variables, ensure that the following syntax is used. If the $ or { is used incorrectly, the variable/value will not be accepted at deployment time.

  • Variables are represented within “{{“ “}}”. Example: {{SAMPLE_VARIABLE}}

  • Passwords are represented within “$${“ and “}”. Example : $${SAMPLE_PASSWORD}

  • Variables to be ignored are represented within “${“ and “}”. Example: ${NICID_0}


!
username {{SSH_USERNAME}} password $${SSH_PASSWORD}
enable password $${ENABLE_PASSWORD}
!
interface management0/0
description Management Network for mgmt-net
nameif management
security-level 100
ip address {{MGMT_IP_ADDRESS}} {{MGMT_NETMASK}}
no shutdown
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address {{SERVICE_IP_ADDRESS}} {{SERVICE_NETMASK}}
no shutdown
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address {{LAN_IP_ADDRESS}} {{LAN_NETMASK}}
no shutdown
!
http server enable
http 0.0.0.0 0.0.0.0 management
aaa authentication http console LOCAL
!
ssh version 2
crypto key generate rsa modulus 2048
ssh 0.0.0.0 0.0.0.0 management
aaa authentication ssh console LOCAL
!
aaa authorization exec LOCAL auto-enable
!
route outside 0.0.0.0 0.0.0.0 {{SERVICE_GATEWAY}} 1
route management 0.0.0.0 0.0.0.0 {{MGMT_GATEWAY}} 2
!
ssh key-exchange group dh-group14-sha1
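
A pre-import check for the three placeholder forms listed above, as an added example (not Cisco code and not part of the original article). The function names, the placeholder-name pattern and the sample bootstrap text are constructed for illustration, and the check that a password or passphrase argument uses the $${...} form is a heuristic added here.

```python
import re

# Assumed name grammar; the page only shows names such as SSH_USERNAME, NICID_0, bizInt-gw.
NAME = r"[A-Za-z_][A-Za-z0-9_-]*"
FORMS = {
    "variable": re.compile(r"\{\{" + NAME + r"\}\}"),  # {{SAMPLE_VARIABLE}}
    "password": re.compile(r"\$\$\{" + NAME + r"\}"),  # $${SAMPLE_PASSWORD}
    "ignored": re.compile(r"\$\{" + NAME + r"\}"),     # ${NICID_0}
}
# Anything that looks like a placeholder attempt: optional $, one or more {, a body, optional }.
CANDIDATE = re.compile(r"\$*\{+[^{}\s]*\}*")
# Heuristic: the argument following a password/passphrase keyword.
SECRET_ARG = re.compile(r"\b(?:password|passphrase)\s+(\S+)")


def classify(token):
    """Return which of the three documented forms a token matches, else 'malformed'."""
    for kind, pattern in FORMS.items():
        if pattern.fullmatch(token):
            return kind
    return "malformed"


def lint_bootstrap(text):
    """Count placeholders by kind and list (line, problem, token) findings."""
    counts = {"variable": 0, "password": 0, "ignored": 0, "malformed": 0}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CANDIDATE.finditer(line):
            kind = classify(match.group())
            counts[kind] += 1
            if kind == "malformed":
                findings.append((lineno, "malformed placeholder", match.group()))
        for match in SECRET_ARG.finditer(line):
            # A literal or a {{...}} variable here means the secret is not a password variable.
            if classify(match.group(1)) != "password":
                findings.append((lineno, "secret not passed as $${...}", match.group(1)))
    return counts, findings


# Constructed sample input, not taken from a real device or from the article's ASAv file.
SAMPLE = """\
username {{SSH_USERNAME}} password $${SSH_PASSWORD}
enable password {{ENABLE_PASSWORD}}
ip address {MGMT_IP_ADDRESS} {{MGMT_NETMASK}}
route outside 0.0.0.0 0.0.0.0 ${{SERVICE_GATEWAY}} 1
! nic ${NICID_0}
snmp-server user ops passphrase Example-Only-1
"""

if __name__ == "__main__":
    counts, findings = lint_bootstrap(SAMPLE)
    print(counts)
    for lineno, problem, token in findings:
        print(f"line {lineno}: {problem}: {token}")
```

Run against the ASAv sample above, the check reports no findings, since every placeholder there uses one of the three documented forms.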


Figure: Define Firewall VNF properties



Review Summary of Configuration Group and Modify as required

Figure: CG Site and WAN Summary
Figure: SDWAN Router Config
Figure: Firewall Config Summary

 

Associate devices to the configuration group. This step does NOT auto-initiate the configuration provisioning process.

Figure: Associate Device step 1
Figure: Associate device step 2
Figure: Associate Device
Figure: Device associate confirmation
Figure: Associate Device

 

 

Day N Modifications to the Configuration Group

The following procedure is also used for adding configuration options not available in the workflow above.

A configuration group is platform agnostic by design. Platform-family-specific configurations are also supported in a configuration group designed for all UCPE platforms. During deployment, an appropriate warning is generated to notify the user about unsupported configurations that are removed, for example when a configuration group (with a switch parcel) is used for deploying a non-ENCS platform (i.e. C8xxx UCPE).

Figure: DayN Configuration Group Changes
Figure: Edit Configuration Group
Figure: Edit the sections in configuration group
Figure: Switch Parcel for ENCS5400
Figure: Switch port configuration for ENCS 5400

  • Copy and paste the required CLI configurations for advanced features which are not supported in Network Design UI
    system settings default-gw {{bizInt-gw}}
    system:system settings name-server {{nameserver-ip}}
    system:system routes route 10.255.254.0 24 gateway {{mgmt-gw}}
    !
    vpn 0
     interface int-mgmt-net-br
      no shutdown
      tunnel-interface
       vmanage-connection-preference 8
       color bronze
       no allow-service bgp
       allow-service dhcp
       allow-service dns
       allow-service icmp
       no allow-service sshd
       no allow-service netconf
       no allow-service ntp
       no allow-service ospf
       no allow-service stun
       allow-service https
       encapsulation ipsec
      !
     !
     single-ip-mode vm-name deployment-ROUTER.deployment-ROUTER
     !

     


    Note:
  • For vm_lifecycle VM group name and VM deployment name, please add “deployment-“ prefix. For example: when service VM name is specified as ISRv, in vm_lifecycle, VM group name and VM deployment name will be “deployment-ISRv”.
  • For SNMP configuration, please add “nfvis-snmp:” prefix in each SNMP command.
  • Click “Save” -> click “Save”

Below are the validated features for add-on CLI configuration.

 

Boot-up time

vm_lifecycle tenants tenant admin
 deployments deployment deployment-ROUTER_1
  vm_group deployment-ROUTER_1
   bootup_time 600

PNIC tracking

pnic GE0-0 track-state ROUTER_1 1

ACL

system settings ip-receive-acl 0.0.0.0/0
 service  [ scpd ]
 action   accept
 priority 0
!
system settings ip-receive-acl 10.31.40.24/32
 service  [ scpd ]
 action   accept
 priority 5
!

Static route

system routes route 102.0.0.0 24
 gateway 192.168.0.2

 

TACACS

aaa authentication tacacs
tacacs-server host 172.19.156.179
 key                     7
 encrypted-shared-secret cisco123
 admin-priv              15
 oper-priv               14
!

 

Banner

banner-motd banner "Banner for vBranch"

Message of the Day (MOTD)

banner-motd motd "MOTD for vBranch"

SNMP

nfvis-snmp:snmp enable traps linkUp
nfvis-snmp:snmp enable traps linkDown
nfvis-snmp:snmp community test
snmpcommunity-access readOnly
!
nfvis-snmp:snmp group snmpgroupv1 snmp 1 noAuthNoPriv
 read   test
 write  test
 notify test
!
nfvis-snmp:snmp group snmpgroupv2 snmp 2 noAuthNoPriv
 read   test
 write  test
 notify test
!
nfvis-snmp:snmp group snmpgroupv3 snmp 3 authPriv
 read   test
 write  test
 notify test
!
nfvis-snmp:snmp user testerv1
 user-version 1
 user-group   snmpgroupv1
!
nfvis-snmp:snmp user testerv2
 user-version 2
 user-group   snmpgroupv2
!
nfvis-snmp:snmp user testerv3
 user-version  3
 user-group    snmpgroupv3
 auth-protocol sha passphrase cisco123
 priv-protocol aes passphrase cisco123
!
nfvis-snmp:snmp host SNMP-SERVER-57
 host-port           161
 host-ip-address     172.19.149.57
 host-version        3
 host-security-level authPriv
 host-user-name      testerv3
!
nfvis-snmp:snmp host SNMP-SERVER-179
 host-port           161
 host-ip-address     172.19.156.179
 host-version        1
 host-security-level noAuthNoPriv
 host-user-name      testerv1
!
nfvis-snmp:snmp host SNMP-SERVER-229
 host-port           161
 host-ip-address     172.25.221.229
 host-version        2
 host-security-level noAuthNoPriv
 host-user-name      testerv2
!

 

Default gateway

system settings default-gw 172.25.217.1

ENCS switch configurations: port-channel, track-state, speed, duplex and QoS

switch
 interface gigabitEthernet1/0
  track-state ISRv 3
 !
 interface gigabitEthernet1/1
  speed 100
  duplex full
 !
 interface gigabitEthernet1/2
  channel-group 1 mode auto
 !
 interface gigabitEthernet1/3
  channel-group 1 mode auto
 !
 interface gigabitEthernet1/4
  qos cos 3
 !
 interface port-channel1
  spanning-tree mst 1 cost 200000000
  spanning-tree mst 2 cost 200000000
  switchport mode trunk
  no switchport trunk allowed
  switchport trunk allowed vlan vlan-range 100,126-128
 !
 qos port ports-trusted
 qos trust cos-dscp
 spanning-tree mode mst
 spanning-tree mst 2 priority 61440
 spanning-tree mst configuration
  name mst_LAN
  instance 1 vlan 996-998
  instance 2 vlan 100,126-128
 !

Single IP Address Sharing between NFVIS and the Router VM

single-ip-mode vm-name deployment-ROUTER_1. deployment-ROUTER_

 

Deploy 

Follow these steps to deploy the selected configuration to one or two devices in the selected site.

Figure: Deploy Steps Overview

The deploy workflow consists of the following 5 easy guided steps. The example below will create this C8Kv and ASAv topology.

Figure: C8000v SDWAN and ASAv Firewall

Figure: Deploy CG on uCPE Device

Operate

Manage and Monitor device

Figure: Monitoring navigation step

Figure: uCPE Health

Figure: uCPE Interface

Figure: VNF Status

Figure: VNF CPU Stats



 
