Cisco ASA 1000V ASDM Configuration Guide, 6.7
Configuring Interfaces
Configuring Interfaces


This chapter describes tasks to complete the interface configuration and includes the following sections:

Information About Interfaces

Guidelines and Limitations

Default Settings

Configuring Communication with VNMC

Configuring Interfaces

Monitoring Interfaces

Feature History for Interfaces

Information About Interfaces

Ethernet Interfaces

Security Profile Interfaces

How to Apply the Security Policy to Interfaces

To-the-Box Traffic

vPath Tagging

Interface Security Levels

Ethernet Interfaces

When you initially provision the ASA 1000V, you associate the ASA 1000V Ethernet interfaces with port groups that correspond to the Nexus 1000V port profiles for these interfaces. Nexus 1000V port profiles associate the interface to a VLAN, in addition to specifying other switch parameters to the interface. Assigning the same port profile to multiple interfaces has the effect of applying the same switchport configuration to these interfaces. For more information about configuring port profiles, see the Nexus 1000V documentation.

Each ASA 1000V provides four available Ethernet interfaces for management, data, and failover traffic: one for management, two for through traffic, and one for a failover link.

Management 0/0—For management-only traffic, named management, with IP address parameters you specified when you deployed the ASA 1000V. You can change these parameters using this chapter if desired, but the name is fixed.

GigabitEthernet 0/0—Configure this interface as a data interface according to this chapter.

GigabitEthernet 0/1—Configure this interface as a data interface according to this chapter.

GigabitEthernet 0/2—For failover traffic, with IP address parameters you specified when you deployed the ASA 1000V. To change the failover link parameters, see Chapter 7 "Configuring Active/Standby Failover."

Configure the two data interfaces as the inside (higher security level) interface and as the outside (lower security level) interface. See the "Interface Security Levels" section for information about security levels.

Security Profile Interfaces

Security profile interfaces correspond to security profiles on the Nexus 1000V. On a given network, security profiles let you segregate a class of virtual machines (VMs) from other VMs; for example, web servers from application servers. Security profiles let you apply a security policy based on a class of VMs instead of based on IP addresses.

Security Profile Coordination with VNMC

Security Profiles on the Inside Interface

Interface-Based Policy

Port Profiles for Security Profile Interfaces

Security Profile Coordination with VNMC

When you create a security profile interface on the ASA 1000V, a security profile with the same name is added to Cisco VNMC automatically for use in port profiles on the Nexus 1000V.

Security Profiles on the Inside Interface

When traffic enters the ASA 1000V inside interface, the ASA 1000V can identify the security profile for the traffic based on a tag included in the packet (called vPath tagging; see the "vPath Tagging" section). The ASA 1000V can only receive traffic from security profiles on one Ethernet interface: the service interface, which must be the inside interface. The service interface is automatically made to be the inside interface. Traffic on the outside interface is untagged.

Interface-Based Policy

The ASA operating system has an interface-based security policy. Security profiles are treated as "interfaces" within the ASA to take advantage of the ASA interface-based policy. The security profile is a class of traffic that is a subset of all of the traffic sent or received on the inside interface.

Port Profiles for Security Profile Interfaces

Like Ethernet interfaces, security profile interfaces are also associated with Nexus 1000V port profiles. Because a security profile is attached to the inside Ethernet interface, the Nexus 1000V port profile for the security profile must be on the same VLAN as the inside interface port profile.

How to Apply the Security Policy to Interfaces

A security policy determines the allowed behavior of traffic: whether packets are allowed from the outside to the inside; whether to perform NAT on inside networks; whether to apply inspection on traffic from the inside when it accesses a server on the outside, and so on. Depending on the feature, you may need to identify one or more interfaces on which to apply the feature.

All features that need to refer to the outside interface must refer to the outside Ethernet interface directly. Because security profiles are only attached to the inside interface (the service interface), all features applied to the inside interface must refer to the specific security profile, and not the inside interface directly. For security policy purposes, the inside interface is divided up into separate security profiles.

For features that control the network topology, however, you must refer to the inside interface directly; for example, routing and the DHCP server.

To-the-Box Traffic

To-the-box management traffic is received by the inside Ethernet interface, not a security-profile interface. Similarly, from-the-box traffic is sent from the inside interface.

vPath Tagging

The Nexus 1000V applies vPath tagging to traffic with a destination MAC address equal to the ASA 1000V inside interface.

If the ASA 1000V receives through traffic on the inside interface that is not tagged, the ASA 1000V drops the packets (see the show asp drop command to view dropped packets).

Broadcast and multicast traffic (for example, ARP and DHCP) is not tagged. Broadcast and multicast traffic is handled by the inside Ethernet interface on the ASA 1000V, not by security profile interfaces.

Interface Security Levels

Both Ethernet and security profile interfaces use security levels:

The inside interface has a security level of 100 (highest). We recommend leaving this level as is.

The security-profile interfaces have a security level of 0. You must change this level to a higher security level, for example 100.

The outside interface has a security level of 0 (lowest). We recommend leaving this level as is.

The management interface has a security level of 0. We recommend leaving this level as is.

The level controls the following behavior:

Network access—By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You cannot communicate between interfaces at the same security level.

Inspection engines—Some application inspection engines are dependent on the security level.

NetBIOS inspection engine—Applied only for outbound connections.

SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the ASA.
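The security-level rules above, as an added Python model (not Cisco's code and not part of the guide): it classifies a flow as outbound, inbound or same-level, applies the implicit-permit default and the NetBIOS direction rule, and audits a constructed interface inventory for security-profile interfaces left at the factory level 0. The interface names web and app are made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Iface:
    """An ASA 1000V interface as the chapter describes it: name, security level,
    and whether it is an Ethernet or a security-profile interface."""
    name: str
    level: int                 # 0 (lowest) to 100 (highest)
    kind: str = "ethernet"     # "ethernet" or "security-profile"


def direction(src, dst):
    """Classify a flow from src to dst by the two security levels:
    outbound (higher to lower), inbound (lower to higher) or same-level."""
    if src.level > dst.level:
        return "outbound"
    if src.level < dst.level:
        return "inbound"
    return "same-level"


def implicit_access(src, dst):
    """Default with no ACL applied: only outbound traffic is implicitly permitted.
    Inbound is denied, and so is traffic between interfaces at the same level."""
    return direction(src, dst) == "outbound"


def netbios_inspection_applies(src, dst):
    """The NetBIOS inspection engine is applied only to outbound connections."""
    return direction(src, dst) == "outbound"


def audit(interfaces):
    """Flag security-profile interfaces whose level is not above the outside
    interface: at the factory level 0 they equal the outside level, so hosts
    behind them get no implicit access in either direction."""
    outside = next(i for i in interfaces if i.name == "outside")
    findings = []
    for iface in interfaces:
        if iface.kind == "security-profile" and not implicit_access(iface, outside):
            findings.append(
                f"{iface.name}: level {iface.level} is not above the outside level "
                f"{outside.level}; no implicit outbound access; set the level to 100")
    return findings


# Constructed inventory using the chapter's defaults: "web" has been raised to 100
# as the chapter instructs, "app" was left at the factory security-profile level 0.
INVENTORY = [
    Iface("inside", 100),
    Iface("outside", 0),
    Iface("management", 0),
    Iface("web", 100, "security-profile"),
    Iface("app", 0, "security-profile"),
]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```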

Guidelines and Limitations

Failover Guidelines

To configure the failover link, see Chapter 7 "Configuring Active/Standby Failover."

Additional Guidelines

The Management 0/0 interface can only be configured as a management-only interface.

You can create up to 256 security profile interfaces.

The ASA 1000V supports jumbo Ethernet packets; configure the MTU and TCP maximum segment size as desired.

Default Settings

Default Security Level

The inside interface has a security level of 100 (highest). We recommend leaving this level as is.

The security-profile interfaces have a security level of 0. You must change this level to a higher security level, for example 100.

The outside interface has a security level of 0 (lowest). We recommend leaving this level as is.

The management interface has a security level of 0. We recommend leaving this level as is.

Default State of Interfaces

Ethernet interfaces—Disabled.

Management interface—Enabled as part of ASA 1000V deployment.

Security profile interfaces—Disabled.

Default Speed and Duplex

By default, the speed and duplex for Ethernet interfaces are set to auto-negotiate.

Default MAC Addresses

By default, the Ethernet interfaces use a MAC address dynamically assigned when you deployed the ASA 1000V. All associated security profile interfaces use the same MAC address.

Configuring Communication with VNMC

You must enable communication with VNMC before you can set up security profile interfaces.

Detailed Steps


Step 1 Choose Configuration > Device Setup > Interfaces.

Step 2 In the Virtual Network Management Center (VNMC) area, specify the following settings:

a. In the VNMC Access Parameters area, enter the VNMC IP address, login username, and password. Confirm the password. Your account must have administrator privilege on VNMC.

b. In the Shared Secret area, enter the shared secret and confirm it.

c. In the Organization Path area, enter the organization path in the format root/tenant/datacenter/application/tier.

A maximum of four layers is allowed, and the organization path must be located under the root/ directory.

Each ASA 1000V must specify a unique organization path. There must not be another ASA 1000V assigned at this ORG path in VNMC.


Note Make sure that the VNMC policy agent has been started and registered before continuing to the next procedure.


Step 3 Click Apply to save your changes.


Tip To save room, after you have completed the VNMC setup, you can hide the VNMC Area by clicking the double arrow on the right side of the Interfaces pane.



Configuring Interfaces

This section includes the following topics:

Configuring the Inside and Outside Ethernet Interfaces

Configuring Security Profile Interfaces

Associating Security Profile Interfaces with an Ethernet Interface

Setting the vPath MTU

Configuring the Inside and Outside Ethernet Interfaces

This section describes how to set the name, IPv4 address, and other options for the inside and outside interfaces.

If you want to change parameters for the management interface, you can also use this procedure.

Guidelines and Limitations

If you are using failover, do not use this procedure to name interfaces that you are reserving for failover and Stateful Failover communications. To configure the failover and state links, see Chapter 7 "Configuring Active/Standby Failover."

Detailed Steps


Step 1 Choose the Configuration > Device Setup > Interfaces pane.

Step 2 Choose the interface row for GigabitEthernet0/0 or 0/1, and click Edit. If you use failover, GigabitEthernet0/2 is reserved for the failover link. The Management0/0 interface was configured when you deployed the ASA 1000V. You can change the Management interface parameters if desired.

The Edit Interface dialog box appears with the General tab selected.

Step 3 Enter the following parameters:

a. Interface Name—Enter a name up to 48 characters in length.

b. Security Level—Do not change the security level. When you assign the security profile interfaces to the inside interface, the security level will automatically be changed to 100. For the outside interface, 0 is the appropriate level.

c. Enable Interface—If the interface is not already enabled, check the Enable Interface check box.

d. IP Address—To set the IP address, use one of the following options:


Note For use with failover, you must set the IP address and standby address manually; DHCP is not supported. Set the standby IP addresses on the Configuration > Device Management > High Availability > Failover > Interfaces tab.


To set the IP address manually, click the Use Static IP radio button and enter the IP address and mask.

To obtain an IP address from a DHCP server, click the Obtain Address via DHCP radio button.

To force a MAC address to be stored inside a DHCP request packet for option 61, click the Use MAC Address radio button.

Some ISPs expect option 61 to be the interface MAC address. If the MAC address is not included in the DHCP request packet, then an IP address will not be assigned.

To use a generated string for option 61, click Use "Cisco-<MAC>-<interface_name>-<host>".

(Optional) To obtain the default route from the DHCP server, check Obtain Default Route Using DHCP.

(Optional) To assign an administrative distance to the learned route, enter a value between 1 and 255 in the DHCP Learned Route Metric field. If this field is left blank, the administrative distance for the learned routes is 1.

(Optional) To enable tracking for DHCP-learned routes, check Enable Tracking for DHCP Learned Routes. Set the following values:

Track ID—A unique identifier for the route tracking process. Valid values are from 1 to 500.

Track IP Address—Enter the IP address of the target being tracked. Typically, this would be the IP address of the next hop gateway for the route, but it could be any network object available off of that interface.

SLA ID—A unique identifier for the SLA monitoring process. Valid values are from 1 to 2147483647.

Monitor Options—Click this button to open the Route Monitoring Options dialog box. In the Route Monitoring Options dialog box, you can configure the parameters of the tracked object monitoring process.

(Optional) To set the broadcast flag to 1 in the DHCP packet header when the DHCP client sends a discover requesting an IP address, check Enable DHCP Broadcast flag for DHCP request and discover messages.

The DHCP server listens to this broadcast flag and broadcasts the reply packet if the flag is set to 1.

(Optional) To renew the lease, click Renew DHCP Lease.

e. (Optional) Description—In the Description field, enter a description for this interface. The description can be up to 240 characters on a single line, without carriage returns.

Step 4 (Optional) To set the media type, duplex, speed, and enable pause frames for flow control, click Configure Hardware Properties.

a. Media Type—RJ-45 is the default.

b. Duplex—Choose Full, Half, or Auto.

c. Speed—Choose 10, 100, 1000, or Auto.

d. Click OK to accept the Hardware Properties changes.

Step 5 (Optional) To set the MTU, MAC address, and flow control, click the Advanced tab.

a. MTU—Sets the maximum transmission unit (MTU) for normal or jumbo Ethernet packets, between 64 and 9216 bytes. The default is 1500 bytes. You cannot set this value to be higher than the vPath MTU that you set in the "Setting the vPath MTU" section. For optimal performance, set the interface MTU to a maximum of the vPath MTU minus 164 bytes (twice the size of the maximum vPath header, which is 82 bytes).

b. Mac Address Cloning—To manually assign a MAC address to this interface, enter a MAC address in the Active Mac Address field in H.H.H format, where H is a 16-bit hexadecimal digit. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE. The first two bytes of a manual MAC address cannot be A2 if you also want to use auto-generated MAC addresses.

If you use failover, enter the standby MAC address in the Standby Mac Address field. If the active ASA 1000V fails over and the standby ASA 1000V becomes active, the new active ASA 1000V starts using the active MAC addresses to minimize network disruption, while the old active ASA 1000V uses the standby address.

c. Pause Frame for Flow Control—If you have a traffic burst, dropped packets can occur if the burst exceeds the buffering capacity of the FIFO buffer on the NIC and the receive ring buffers. Enabling pause frames for flow control can alleviate this issue. Pause (XOFF) and XON frames are generated automatically by the NIC hardware based on the FIFO buffer usage. A pause frame is sent when the buffer usage exceeds the high-water mark. After a pause is sent, an XON frame can be sent when the buffer usage is reduced below the low-water mark. The link partner can resume traffic after receiving an XON, or after the XOFF expires, as controlled by the timer value in the pause frame. If the buffer usage is consistently above the high-water mark, pause frames are sent repeatedly, controlled by the pause refresh threshold value.

Enable Pause Frame—To enable pause (XOFF) frames for flow control on 1-Gigabit and 10-Gigabit Ethernet interfaces, check the Enable Pause Frame check box.

Use Default Values—Check the Use Default Values check box to use the default values for the low watermark, high watermark, and pause time.

Low Watermark—By default, the low_water value is 16 KB; you can set it between 0 and 47 KB.

High Watermark—The default high_water value is 24 KB; you can set it between 0 and 47 KB.

Pause Time—The default pause_time value is 26624; you can set it between 0 and 65535.


Note Only flow control frames defined in 802.3x are supported. Priority-based flow control is not supported.


Step 6 Click OK.

Step 7 Click Apply.


Configuring Security Profile Interfaces

To configure a security profile interface, perform the following steps.

Detailed Steps


Step 1 Choose Configuration > Device Setup > Interfaces.

Step 2 In the Security Profiles area, click Add.

Step 3 Configure the following parameters:

a. Interface Name—Names the interface. This name is only used within the ASA 1000V configuration. The name is a text string up to 48 characters, and is not case-sensitive.

b. Security Profile Name—Specifies the name of the security profile. The name can range from 1 to 256 characters. When you add a security profile interface, this name is used to create the security profile in VNMC. You cannot associate the same security profile name with two different security profile interfaces. An error message occurs for this type of configuration.

c. Security Level—Set the security level to 100.

d. Enable Interface—If it is not already enabled, check the Enable Interface check box.

e. (Optional) Description—In the Description field, enter a description for this interface. The description can be up to 240 characters on a single line, without carriage returns.

f. Click OK.

Step 4 Click Apply.


Associating Security Profile Interfaces with an Ethernet Interface

You must associate all security profiles with the inside interface by identifying the inside interface as the service interface.

Detailed Steps


Step 1 Choose Configuration > Device Setup > Interfaces.

Step 2 From the Security Profile Service Interface drop-down list, choose the inside Ethernet interface.

Step 3 Click Apply to save your changes.


Setting the vPath MTU

The ASA 1000V receives encapsulated packets from virtual machines (VMs) using a packet-redirection mechanism known as vPath (see the "vPath Tagging" section). Due to the size of these vPath headers (up to 82 bytes), it is possible for a payload to require fragmentation after the vPath header has been added. The ASA 1000V has the ability to transparently handle this overhead without requiring the VMs to reduce their MTU to account for these additional bytes. The ASA 1000V can split a packet exceeding the uplink MTU into two vPath fragments when adding the vPath encapsulation before sending the fragments over Ethernet. The vPath fragments are reassembled by the Virtual Ethernet Module (VEM) in the Nexus 1000V switch before the packet is delivered to the destination VM.

The vPath MTU setting configures how the vPath module in the ASA 1000V fragments a packet so that it complies with the MTU on the path from the ASA 1000V to the destination VM. The vPath module operates below the IP layer on the ASA 1000V and is therefore independent of IP fragmentation (see the "Configuring the Inside and Outside Ethernet Interfaces" section). The VEM and vPath module on the ASA 1000V work together to present a valid IP datagram (fragment or otherwise) to the VMs and to the ASA 1000V. The ASA 1000V enforces a TCP MSS setting that already accounts for the additional overhead for vPath.

There may be other encapsulations in the path between the ASA 1000V and the VM. For example, if VXLAN is used between the ASA 1000V and the VM, then 50 additional bytes are used for the packets.

To avoid vPath fragmentation when additional overhead is present, do one of the following:

Decrease the vPath MTU to accommodate the VXLAN encapsulation (50 bytes). The default value of the vPath MTU is 9000 bytes, which matches the uplink port default MTU on the Nexus 1000V. For example, set the vPath MTU to 8950.

Increase the uplink MTUs to avoid any vPath fragmentation and allow VXLAN encapsulation. To accommodate VXLAN encapsulation, you could increase the Nexus 1000V MTU to 9050.

Reduce the MTU setting on the VMs to account for the additional overhead.
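The MTU arithmetic from this section and from the interface MTU step (vPath header up to 82 bytes, a 164-byte reserve, 50 bytes of VXLAN overhead, the 9000-byte Nexus 1000V uplink default), as an added Python planner that is not Cisco's code and not part of the guide. It validates the vPath and interface MTU fields, counts vPath fragments, and works through the three VXLAN remedies listed above on a constructed starting point. The fragmentation model (the largest frame vPath emits is bounded by the vPath MTU) and the 8918-byte VM MTU are assumptions of the example, not documented values.

```python
from dataclasses import dataclass, replace

VPATH_HEADER_MAX = 82                 # bytes: maximum vPath header (chapter figure)
VPATH_RESERVE = 2 * VPATH_HEADER_MAX  # 164 bytes: what the chapter reserves for vPath
VXLAN_OVERHEAD = 50                   # bytes: VXLAN encapsulation between ASA 1000V and VM
NEXUS_UPLINK_DEFAULT_MTU = 9000       # Nexus 1000V uplink default, also the vPath MTU default
INTERFACE_MTU_RANGE = (64, 9216)      # Advanced tab limits for an Ethernet interface
VPATH_MTU_RANGE = (64, 65535)         # vPath MTU field limits


def check_vpath_mtu(vpath_mtu):
    """Reject vPath MTU values outside the field range or too small to hold
    two vPath headers. Returns a list of problem strings (empty when fine)."""
    lo, hi = VPATH_MTU_RANGE
    problems = []
    if not lo <= vpath_mtu <= hi:
        problems.append(f"error: vPath MTU {vpath_mtu} outside {lo}-{hi}")
    if vpath_mtu < VPATH_RESERVE:
        problems.append(f"error: vPath MTU must be at least {VPATH_RESERVE} bytes")
    return problems


def check_interface_mtu(interface_mtu, vpath_mtu):
    """Check an inside/outside interface MTU against the vPath MTU: it may not exceed
    the vPath MTU, and for best performance should stay at vPath MTU minus 164."""
    lo, hi = INTERFACE_MTU_RANGE
    problems = []
    if not lo <= interface_mtu <= hi:
        problems.append(f"error: interface MTU {interface_mtu} outside {lo}-{hi}")
    if interface_mtu > vpath_mtu:
        problems.append(f"error: interface MTU {interface_mtu} exceeds vPath MTU {vpath_mtu}")
    elif interface_mtu > vpath_mtu - VPATH_RESERVE:
        problems.append(f"warning: keep interface MTU <= {vpath_mtu - VPATH_RESERVE} "
                        f"(vPath MTU minus {VPATH_RESERVE}) for optimal performance")
    return problems


def vpath_fragments(vm_packet_len, vpath_mtu):
    """1 when the VM packet plus a worst-case vPath header fits the vPath MTU,
    otherwise 2, since the ASA 1000V splits an oversized packet into two vPath fragments."""
    return 1 if vm_packet_len + VPATH_HEADER_MAX <= vpath_mtu else 2


@dataclass(frozen=True)
class Plan:
    """One combination of the three MTUs involved (constructed values, not a real deployment)."""
    note: str
    vm_mtu: int          # MTU configured inside the VM
    vpath_mtu: int       # vPath MTU field on the ASA 1000V
    uplink_mtu: int      # uplink port MTU on the Nexus 1000V
    vxlan: bool = True   # VXLAN present between the ASA 1000V and the VM


def largest_wire_frame(plan):
    """Simplified model (assumption): vPath encapsulates the VM packet and fragments it
    down to the vPath MTU; VXLAN then adds its own overhead on the uplink."""
    encapsulated = min(plan.vm_mtu + VPATH_HEADER_MAX, plan.vpath_mtu)
    return encapsulated + (VXLAN_OVERHEAD if plan.vxlan else 0)


def assess(plan):
    """Does the largest encapsulated frame still fit the uplink, and how many vPath fragments?"""
    wire = largest_wire_frame(plan)
    return {
        "fragments": vpath_fragments(plan.vm_mtu, plan.vpath_mtu),
        "wire_frame": wire,
        "fits_uplink": wire <= plan.uplink_mtu,
    }


def vxlan_remedies(plan):
    """The three options the chapter lists for absorbing the VXLAN overhead.
    The VM MTU in the third option is derived from the chapter's sizes (uplink minus both overheads)."""
    return [
        replace(plan, note="decrease vPath MTU", vpath_mtu=plan.vpath_mtu - VXLAN_OVERHEAD),
        replace(plan, note="increase uplink MTU", uplink_mtu=plan.uplink_mtu + VXLAN_OVERHEAD),
        replace(plan, note="reduce VM MTU",
                vm_mtu=plan.uplink_mtu - VPATH_HEADER_MAX - VXLAN_OVERHEAD),
    ]


# Constructed starting point: a jumbo VM MTU sized to fit the 9000-byte uplink exactly
# before VXLAN was introduced; with VXLAN the encapsulated frame no longer fits.
BASELINE = Plan("defaults plus VXLAN", vm_mtu=NEXUS_UPLINK_DEFAULT_MTU - VPATH_HEADER_MAX,
                vpath_mtu=NEXUS_UPLINK_DEFAULT_MTU, uplink_mtu=NEXUS_UPLINK_DEFAULT_MTU)

if __name__ == "__main__":
    print(BASELINE.note, assess(BASELINE))
    for remedy in vxlan_remedies(BASELINE):
        print(remedy.note, remedy.vm_mtu, remedy.vpath_mtu, remedy.uplink_mtu, assess(remedy))
```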

Detailed Steps


Step 1 Choose Configuration > Device Setup > Interfaces.

In the VPath MTU field, enter the MTU threshold in bytes, which is the MTU of the physical uplink interface as configured on the Nexus 1000V switch, between 64 and 65535. The default is 1500 bytes. The MTU should be at least 164 bytes (twice the size of the maximum vPath header, which is a maximum of 82 bytes).

Step 2 Click Apply to save your changes.


Monitoring Interfaces

To monitor interfaces, choose the following pane:

Choose Monitoring > Interfaces to display statistics for interfaces.

This section includes the following topics:

ARP Table

DHCP

Dynamic ACLs

Interface Graphs

Interface Connection

ARP Table

The Monitoring > Interfaces > ARP Table pane displays the ARP table, including static and dynamic entries. The ARP table includes entries that map a MAC address to an IP address for a given interface.

Fields

Interface—Lists the interface name associated with the mapping.

IP Address—Shows the IP address.

MAC Address—Shows the MAC address.

Proxy ARP—Displays Yes if proxy ARP is enabled on the interface. Displays No if proxy ARP is not enabled on the interface.

Clear Dynamic ARP Entries—Clears the dynamic ARP table entries. Static entries are not cleared.

Refresh—Refreshes the table with current information from the ASA 1000V and updates Last Updated date and time.

Last Updated—Display only. Shows the date and time the display was updated.

DHCP

The ASA 1000V lets you monitor DHCP status.

DHCP Server Table

The Monitoring > Interfaces > DHCP > DHCP Server Table pane lists the IP addresses assigned to DHCP clients.

Fields

IP Address—Shows the IP address assigned to the client.

Client-ID—Shows the client MAC address or ID.

Lease Expiration—Shows the date that the DHCP lease expires. The lease indicates how long the client can use the assigned IP address. Remaining time is also specified in the number of seconds and is based on the timestamp in the Last Updated display-only field.

Number of Active Leases—Shows the total number of DHCP leases.

Refresh—Refreshes the information from the ASA 1000V.

Last Updated—Shows when the data in the table was last updated.

DHCP Client Lease Information

If you obtain the ASA 1000V interface IP address from a DHCP server, the Monitoring > Interfaces > DHCP > DHCP Server Table > DHCP Client Lease Information pane shows information about the DHCP lease.

Fields

Select an interface—Lists the ASA 1000V interfaces. Choose the interface for which you want to view the DHCP lease. If an interface has multiple DHCP leases, then choose the interface and IP address pair you want to view.

Attribute and Value—Lists the attributes and values of the interface DHCP lease.

Temp IP addr—Display only. The IP address assigned to the interface.

Temp subnet mask—Display only. The subnet mask assigned to the interface.

DHCP lease server—Display only. The DHCP server address.

state—Display only. The state of the DHCP lease, as follows:

Initial—The initialization state, where the ASA 1000V begins the process of acquiring a lease. This state is also shown when a lease ends or when a lease negotiation fails.

Selecting—The ASA 1000V is waiting to receive DHCPOFFER messages from one or more DHCP servers, so it can choose one.

Requesting—The ASA 1000V is waiting to hear back from the server to which it sent its request.

Purging—The ASA 1000V is removing the lease because of an error.

Bound—The ASA 1000V has a valid lease and is operating normally.

Renewing—The ASA 1000V is trying to renew the lease. It regularly sends DHCPREQUEST messages to the current DHCP server, and waits for a reply.

Rebinding—The ASA 1000V failed to renew the lease with the original server, and now sends DHCPREQUEST messages until it gets a reply from any server or the lease ends.

Holddown—The ASA 1000V started the process to remove the lease.

Releasing—The ASA 1000V sends release messages to the server indicating that the IP address is no longer needed.

Lease—Display only. The length of time, specified by the DHCP server, that the interface can use this IP address.

Renewal—Display only. The length of time until the interface automatically attempts to renew this lease.

Rebind—Display only. The length of time until the ASA 1000V attempts to rebind to a DHCP server. Rebinding occurs if the ASA 1000V cannot communicate with the original DHCP server, and 87.5 percent of the lease time has expired. The ASA 1000V then attempts to contact any available DHCP server by broadcasting DHCP requests.

Next timer fires after—Display only. The number of seconds until the internal timer triggers.

Retry count—Display only. If the ASA 1000V is attempting to establish a lease, this field shows the number of times the ASA 1000V tried sending a DHCP message. For example, if the ASA 1000V is in the Selecting state, this value shows the number of times the ASA 1000V sent discover messages. If the ASA 1000V is in the Requesting state, this value shows the number of times the ASA 1000V sent request messages.

Client-ID—Display only. The client ID used in all communication with the server.

Proxy—Display only. Specifies if this interface is a proxy DHCP client for VPN clients, True or False.

Hostname—Display only. The client hostname.

DHCP Statistics

The Monitoring > Interfaces > DHCP > DHCP Statistics pane shows statistics for the DHCP server feature.

Fields

Message Type—Lists the DHCP message types sent or received:

BOOTREQUEST

DHCPDISCOVER

DHCPREQUEST

DHCPDECLINE

DHCPRELEASE

DHCPINFORM

BOOTREPLY

DHCPOFFER

DHCPACK

DHCPNAK

Count—Shows the number of times a specific message was processed.

Direction—Shows if the message type is Sent or Received.

Total Messages Received—Shows the total number of messages received by the ASA 1000V.

Total Messages Sent—Shows the total number of messages sent by the ASA 1000V.

Counter—Shows general statistical DHCP data, including the following:

DHCP UDP Unreachable Errors

DHCP Other UDP Errors

Address Pools

Automatic Bindings

Expired Bindings

Malformed Messages

Value—Shows the number of each counter item.

Refresh—Updates the DHCP table listings.

Last Updated—Shows when the data in the tables was last updated.

Dynamic ACLs

The Monitoring > Interfaces > Dynamic ACLs pane shows a table of the Dynamic ACLs, which are functionally identical to the user-configured ACLs except that they are created, activated, and deleted automatically by the ASA 1000V. These ACLs do not appear in the configuration and are only visible in this table. They are identified by the "(dynamic)" keyword in the ACL header.

When you choose an ACL in this table, the contents of the ACL appear in the bottom text field.

Fields

ACL—Shows the name of the dynamic ACL.

Element Count—Shows the number of elements in the ACL.

Hit Count—Shows the total hit count for all of the elements in the ACL.

Interface Graphs

The Monitoring > Interfaces > Interface Graphs pane lets you view interface statistics in graph or table form.

Fields

Available Graphs for—Lists the types of statistics available for monitoring. You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.

Byte Counts—Shows the number of bytes input and output on the interface.

Packet Counts—Shows the number of packets input and output on the interface.

Packet Rates—Shows the rate of packets input and output on the interface.

Bit Rates—Shows the bit rate for the input and output of the interface.

Drop Packet Count—Shows the number of packets dropped on the interface.

These additional statistics display for physical interfaces:

Buffer Resources—Shows the following statistics:

Overruns—The number of times that the ASA 1000V was incapable of handing received data to a hardware buffer because the input rate exceeded the ASA 1000V capability to handle the data.

Underruns—The number of times that the transmitter ran faster than the ASA 1000V could handle.

No Buffer—The number of received packets discarded because there was no buffer space in the main system. Compare this with the ignored count. Broadcast storms on Ethernet networks are often responsible for no input buffer events.

Packet Errors—Shows the following statistics:

CRC—The number of Cyclical Redundancy Check errors. When a station sends a frame, it appends a CRC to the end of the frame. This CRC is generated from an algorithm based on the data in the frame. If the frame is altered between the source and destination, the ASA 1000V notes that the CRC does not match. A high number of CRCs is usually the result of collisions or a station transmitting bad data.

Frame—The number of frame errors. Bad frames include packets with an incorrect length or bad frame checksums. This error is usually the result of collisions or a malfunctioning Ethernet device.

Input Errors—The number of total input errors, including the other types listed here. Other input-related errors can also cause the input error count to increase, and some datagrams might have more than one error; therefore, this sum might exceed the number of errors listed for the other types.

Runts—The number of packets that are discarded because they are smaller than the minimum packet size, which is 64 bytes. Runts are usually caused by collisions. They might also be caused by poor wiring and electrical interference.

Giants—The number of packets that are discarded because they exceed the maximum packet size. For example, any Ethernet packet that is greater than 1518 bytes is considered a giant.

Deferred—For FastEthernet interfaces only. The number of frames that were deferred before transmission due to activity on the link.

Miscellaneous—Shows statistics for received broadcasts.

Collision Counts—For FastEthernet interfaces only. Shows the following statistics:

Output Errors—The number of frames not transmitted because the configured maximum number of collisions was exceeded. This counter should only increment during heavy network traffic.

Collisions—The number of messages retransmitted due to an Ethernet collision (single and multiple collisions). This usually occurs on an overextended LAN. A packet that collides is counted only once by the output packets.

Late Collisions—The number of frames that were not transmitted because a collision occurred outside the normal collision window. A late collision is a collision that is detected late in the transmission of the packet. Normally, these should never happen. When two Ethernet hosts try to talk at once, they should collide early in the packet and both back off, or the second host should see that the first one is talking and wait. If you get a late collision, a device is jumping in and trying to send the packet on the Ethernet while the ASA 1000V is partly finished sending the packet. The ASA 1000V does not resend the packet, because it may have freed the buffers that held the first part of the packet. This is not a real problem because networking protocols are designed to cope with collisions by resending packets. However, late collisions indicate a problem exists in your network. Common problems are large repeated networks and Ethernet networks running beyond the specification.

Input Queue—Shows the number of packets in the software input queue, the current and the maximum.

Output Queue—Shows the number of packets in the software output queue, the current and the maximum.
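The counter descriptions above double as a diagnostic rule set: late collisions should never grow, runts and giants mean frames are being discarded, and output errors are only expected under heavy load. As an added example that is not Cisco's code, the Python below applies those rules to two successive polls of an interface (constructed samples, not device output); the counter names and the Sample type are this example's own.

```python
from dataclasses import dataclass

# Why a growing counter matters, taken from the field descriptions above.
SUSPECT_COUNTERS = {
    "late_collisions": "late collisions should never happen; look for repeated "
                       "segments or cabling beyond the Ethernet specification",
    "runts": "frames under 64 bytes are being discarded; usually collisions, "
             "poor wiring or electrical interference",
    "giants": "frames over the maximum size (1518 bytes) are being discarded",
    "output_errors": "maximum collision count exceeded; expected only during "
                     "heavy traffic",
}


@dataclass(frozen=True)
class Sample:
    """One poll of an interface's counters (the real-time view polls every 10 s)."""
    seconds: int       # time of the poll, in seconds
    counters: dict     # counter name -> cumulative value


def analyze(prev: Sample, cur: Sample) -> list[tuple[str, float, str]]:
    """Return (counter, increase per second, explanation) for every suspect
    counter that grew between the two samples, fastest-growing first."""
    if cur.seconds <= prev.seconds:
        raise ValueError("samples must be in chronological order")
    interval = cur.seconds - prev.seconds
    findings = []
    for name, why in SUSPECT_COUNTERS.items():
        delta = cur.counters.get(name, 0) - prev.counters.get(name, 0)
        if delta < 0:
            # Counter wrapped or the interface was cleared; no conclusion.
            continue
        if delta > 0:
            findings.append((name, delta / interval, why))
    findings.sort(key=lambda f: f[1], reverse=True)
    return findings


# Constructed samples 10 seconds apart, not captured from a device.
# Ordinary collisions grow but are not flagged; late collisions are.
BEFORE = Sample(0, {"runts": 12, "giants": 0, "late_collisions": 0,
                    "output_errors": 3, "collisions": 40})
AFTER = Sample(10, {"runts": 12, "giants": 0, "late_collisions": 4,
                    "output_errors": 3, "collisions": 55})

if __name__ == "__main__":
    for name, rate, why in analyze(BEFORE, AFTER):
        print(f"{name}: +{rate:.1f}/s -> {why}")
```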

Add—Adds the selected statistic type to the selected graph window.

Remove—Removes the selected statistic type from the selected graph window. This button name changes to Delete if the item you are removing was added from another pane, and is not being returned to the Available Graphs pane.

Show Graphs—Shows the graph window name to which you want to add a statistic type. If you have a graph window already open, a new graph window is listed by default. If you want to add a statistic type to an already open graph, choose the open graph window name. The statistics already included on the graph are shown in the Selected Graphs pane, to which you can add additional types. Graph windows are named for ASDM followed by the interface IP address and the name "Graph". Subsequent graphs are named "Graph (2)" and so on.

Selected Graphs—Shows the statistic types you want to show in the selected graph window. You can include up to four types.

Show Graphs—Shows the graph window or updates the graph with additional statistic types if added.

Graph/Table

The Monitoring > Interfaces > Interface Graphs > Graph/Table window shows a graph for the selected statistics. The Graph window can show up to four graphs and tables at a time. By default, the graph or table displays the real-time statistics. If you enable History Metrics (see the "Enabling History Metrics" section), you can view statistics for past time periods.

Fields

View—Sets the time period for the graph or table. To view any time period other than real-time, enable History Metrics (see the "Enabling History Metrics" section). The data is updated at the interval shown for the option you choose:

Real-time, data every 10 sec

Last 10 minutes, data every 10 sec

Last 60 minutes, data every 1 min

Last 12 hours, data every 12 min

Last 5 days, data every 2 hours

Export—Exports the graph in comma-separated value format. If there is more than one graph or table on the Graph window, the Export Graph Data dialog box appears. Choose one or more of the graphs and tables listed by checking the check box next to the name.

Print—Prints the graph or table. If there is more than one graph or table on the Graph window, the Print Graph dialog box appears. Choose the graph or table you want to print from the Graph/Table Name list.

Bookmark—Opens a browser window with a single link for all graphs and tables on the Graphs window, as well as individual links for each graph or table. You can then copy these URLs as bookmarks in your browser. ASDM does not have to be running when you open the URL for a graph; the browser launches ASDM and then displays the graph.

Security Profiles

The Monitoring > Interfaces > Security Profiles pane lets you view security profile information.

Fields

Interface ID—Shows the interface ID in the form security-profileN, where N is the number of the security profile interface.

Interface Name—Shows the interface name.

Security Profile Name—Shows the security profile name that is used to create the security profile in VNMC.

Security Profile ID—Shows the internal security profile ID number.

VM IP Addresses—Shows the IP addresses of virtual machines using the security profile interface.

Columns icon—Launches the Choose Columns to Display dialog box so you can show or hide columns.

Refresh—Refreshes the information from the ASA 1000V.

Last Updated—Shows when the data in the table was last updated.

Interface Connection

The interface connection node in the Monitoring > Interfaces tree appears only if static route tracking is configured. If several routes are tracked, there is a node for each interface that contains a tracked route.

See the following for more information about the route tracking information available:

Track Status for

Monitoring Statistics for

Track Status for

The Monitoring > Interfaces > interface connection > Track Status for pane displays information about the tracked object.

Fields

Tracked Route—Display only. Displays the route associated with the tracking process.

Route Statistics—Display only. Displays the reachability of the object, when the last change in reachability occurred, the operation return code, and the process that is performing the tracking.

Monitoring Statistics for

The Monitoring > Interfaces > interface connection > Monitoring Statistics for pane displays statistics for the SLA monitoring process.

Fields

SLA Monitor ID—Display only. Displays the ID of the SLA monitoring process.

SLA statistics—Display only. Displays SLA monitoring statistics, such as the last time the process was modified, the number of operations attempted, the number of operations skipped, and so on.

Feature History for Interfaces

Table 8-1 lists the release history.

Table 8-1 Feature History for Interfaces

Feature Name: Security profile interfaces
Releases: 8.7(1)
Feature Information: We introduced security profile interfaces. Security profile interfaces correspond to security profiles on the Nexus 1000V. On a given network, security profiles let you segregate a class of virtual machines (VMs) from other VMs; for example, web servers from application servers. Security profiles let you apply a security policy based on a class of VMs instead of based on IP addresses.
We introduced or modified the following screens:
Configuration > Device Setup > Interfaces
Configuration > Device Setup > Interfaces > Add Security Profile
Monitoring > Interfaces > Security Profiles

Feature Name: Service interface
Releases: 8.7(1)
Feature Information: The service interface is the Ethernet interface associated with security profile interfaces. You can only configure one service interface, which must be the inside interface.
We modified the following screen: Configuration > Device Setup > Interfaces.

Feature Name: VNMC policy agent
Releases: 8.7(1)
Feature Information: The VNMC policy agent enables policy configuration through both the ASDM and VNMC modes. It includes a web server that receives XML-based requests from Cisco VNMC over HTTPS and converts them to the ASA 1000V configuration.
We modified the following screen: Configuration > Device Setup > Interfaces.