I'd like to start off some discussion about the Nexus1000v with vSphere 6.5 which has just been released.
I have successfully run up a test ESXi and VCSA server and am looking at installing the N1kv in this environment. Note: I have had success and understanding of this from running this under VCSA-6.0 and ESXi-6.0 so I have used these products before - but not yet under 6.5.
As of now the N1kv is not officially supported/validated on this release but I'd like to get as far as I can with installing it anyway. It looks like the problems may be mostly just about packaging and installation process rather than binary incompatibility.
So far the issues I have had are:
1. There is no vib to install on ESXi-6.5, and the ESXi-6.0 vib fails to install:
[root@vmware-2:~] esxcli software vib install -v /vmfs/volumes/55023178-7d2b0288-46fb-a0369f00f4aa/cross_cisco-vem-v320-188.8.131.52.2.5.0-6.0.1.vib
VIB Cisco_bootbank_cisco-vem-v320-esx_184.108.40.206.2.5.0-6.0.1 requires esx-base = 6.0.0, but the requirement cannot be satisfied within the ImageProfile.
Please refer to the log file for more details.
Is there a way to force this vem to load? I believe - but haven't tested - that this vib should be compatible with ESXi-6.5
2. With the vSphere Desktop client no longer supported or functional with VCSA 6.5, how can we import the cisco_nexus_1000v_extension.xml file with the embedded certificate into VCSA?
3. Has there been any indication from Cisco as to the timeframe or supportability and/or updates of the N1kv to allow it to work seamlessly with vSphere 6.5?
I think I've solved the first problem, here's how. You will need a Linux (or Unix) system to do this though:
1. Extract the cross_cisco-vem-v320-220.127.116.11.2.5.0-6.0.1.vib file from the zip file within Nexus1000v.5.2.1.SV3.2.5-pkg.zip
2. Extract the vib file:
ar vx ../cross_cisco-vem-v320-18.104.22.168.2.5.0-6.0.1.vib
3. Edit the descriptor.xml file using vi or pico/nano etc:
(a) Update the version number from 22.214.171.124.2.5.0-6.0.1 to 126.96.36.199.2.5.0-6.5.0. This isn't mandatory but it makes it easier to distinguish the fixed version from the Cisco partner version
(b) Update the section: name="esx-base" relation="=" version="6.0.0" to instead read: "name="esx-base" relation="=" version="6.5.0"
(c) Update the <acceptance-level>partner</acceptance-level> to instead be <acceptance-level>community</acceptance-level> . This is because we cannot resign the package.
4. Delete the contents of sig.pkcs7 but leave the file in place. It should then be a 0 byte file.
5. Wrap it all back up:
ar -r cross_cisco-vem-v320-188.8.131.52.2.5.0-6.5.0.vib descriptor.xml sig.pkcs7 cisco-vem-v320-
NB: the order of the files in this command does matter, the descriptor.xml must come first.
As I haven't modified the actual binary vib itself there is no need to change the payloads or anything else in the descriptor.
6. Copy it to your host:
scp -p cross_cisco-vem-v320-184.108.40.206.2.5.0-6.5.0.vib root@vmware-2:/
7. Accept 'Community' supported vibs on the host:
esxcli software acceptance set --level=CommunitySupported
esxcli software vib install -v /cross_cisco-vem-v320-220.127.116.11.2
The process above works but I haven't yet been able to fully put everything together so this has only been very lightly tested. But I can see the vemdpa and vemcmd-API processes running, and the vem status command runs and indicates that things are working.
I'm still working out how to get VCSA 6.5 to accept the .xml file with the certificate so that the VSM can talk to the VCSA again, but at least the installation of the VEMs on the end hosts now seems to be worked around.
I am hoping there may be a place on disk or a certificate repository where I can drop the (extracted) certificate from the xml file and add it as a trusted cert. Still looking for that though.
Here's the decoded contents of the certificate in the xml file:
thunderstorm tmp # openssl x509 -in cisco_nexus_1000v_extension.xml-2 -text -noout
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=CA, O=Cisco, OU=NexusCertificate, CN=Cisco_Nexus_1000V_938331362
Not Before: Apr 19 23:45:15 2015 GMT
Not After : Apr 16 23:45:15 2025 GMT
Subject: C=US, ST=CA, O=Cisco, OU=NexusCertificate, CN=Cisco_Nexus_1000V_938331362
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
So it looks like a very standard 1024 bit x509 cert and I'm pretty sure that it's just a matter of somehow getting it in to VCSA via some other means.
Could you maybe share the solution how to install the certificate - i assume it's not possible anymore to do it in one run with the xml extension ? i've managed to modify the xml based on original nexus.xml and invoke method through mob works - but still i'm getting "ERROR: [VMWARE-VIM] i assume this has to do to something with missing certificate ?
I never actually worked out how to import the certificate either. I was able to tweak the XML file and import that, but like you, I couldn't work out how to get the certificate to install.
The only way around this that I found to work was to do an upgrade from 6.0 (even a blank 6.0 with just the .xml file installed was OK) and go to 6.5 - then it all worked and the certificate somehow remained installed. I wasn't able to work out how to get the certificate in the system despite spending quite some time working with various certificate stores.
It would be useful if someone from Cisco was able to give us a bit more information about what they are planning and/or what timeframes are likely for this to be resolved properly rather than by some unsupported dirty tricks ;-)
vsum 2.1's out but still no 6.5 support.
We did try to deploy on vcenter vcsa 6.5 but fails with supported version.
Hopefully the guys at cisco hurry up a bit and bring up compatible versions for both vsum and nexus 1000v very soon.
As most people the beta lastet some time and i suppose also cisco is able to participate and test out things before a release. is there any cisco beta program for nexus 1000v ?
vSphere 6.5 What's New training material states that VMware has removed third party virtual switch support from vSphere 6.5 (in favor to VMware NSX business).
I have not seen this statement in anywhere else so I'd take this information with grain of salt as of now, but it may very well be that vSphere 6.0 is last release supporting Nexus 1000v at all.