Today's dynamic data centers require IT organizations to apply frequent changes to networking infrastructures that consist of virtual and physical service instances, such as firewalls, load balancers, routers, traffic accelerators, and switches. Traditional methods and tools are inadequate in these environments.
Initiating and maintaining such infrastructure changes properly and consistently requires a networking management solution with advanced automation and resource-management capabilities. Ideal solutions give IT the ability to rapidly automate common infrastructure solutions from predefined or "golden" templates that can be applied through the network consistently, according to meticulous standards.
In addition, enterprises are increasingly moving to hybrid clouds to gain the benefits of both public and private clouds. Private clouds have their advantages: they allow enterprises to keep control of their data, design and customize their infrastructure, and control aspects of their security. However, private clouds are usually less agile than a public cloud and can be expensive to provision for peak demand. Enterprises face a number of challenges when extending the data center to a cloud provider:
• Network security: The connection from the enterprise data center to the cloud must be secure and encrypted. It must not compromise critical corporate data as it is transported to the cloud. In addition, after transporting the workload, the enterprise needs to control any connection made to the cloud service, maintaining the same security level provided for that workload in its private premises.
• Application dependencies: Applications should not require redesign when they move to a new cloud environment. For example, they should not require IP address changes, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and other infrastructure parameter changes.
• Management complexity: A cloud provider's network policies should be consistent with the policies and configuration used in the enterprise data center and should be controlled through the same security policy management framework.
The Cisco Prime™ Network Services Controller addresses these complex network challenges. It offers a single solution to manage network infrastructure and automate processes, as well as manage virtual and physical resources. The solution promotes standardization and consistent execution of policies, helping staff save time, so they can focus on optimizing the network environment.
Cisco Prime Network Services Controller supports current shifts in IT, leading to more standardized, automated dynamic infrastructure and networks. As part of the larger Cisco Nexus® 1000V Switch solution, this Cisco® Unified Management solution fully integrates with the Cisco ASA 1000V Cloud Firewall and the Cisco Virtual Security Gateway (VSG) for Nexus 1000V Series Switch. Cisco Prime Network Services Controller also plays a major part in Cisco hybrid cloud solutions, as the cloud manager platform of the Cisco Nexus 1000V InterCloud solution. It addresses challenges in hybrid cloud management and helps provide a secure policy management foundation that can combine the benefits of both public and private clouds. Developed for cloud environments on virtualized infrastructure, the Cisco Prime Network Services Controller is highly scalable and provides network infrastructure automation with multitenancy capabilities.
Cisco Prime Network Services Controller is the primary management element for Cisco Nexus 1000V Series virtual switches and services that help enable a transparent, scalable, and automation-centric network management solution for virtualized data center and hybrid cloud environments. Cisco Nexus 1000V switches and services deliver a highly secure multitenant environment by adding virtualization intelligence to the data center network. These virtual switches are built to scale for cloud networks. Support for Virtual Extensible LAN (VXLAN) helps enable a highly scalable LAN segmentation and broader virtual machine mobility.
With Cisco Prime Network Services Controller, centralized management of Cisco virtual services can be performed by an administrator through the GUI, or programmatically through the XML API. Cisco Prime Network Services Controller is built on an information-model architecture in which each managed device is represented by parametrically defined subcomponents (objects). This approach provides a flexible and simple mechanism for provisioning and securing virtualized infrastructure using the Cisco VSG and Cisco ASA 1000V Cloud Firewall virtual security services. (See Figure 1 for a topology example and Figure 2 for a more detailed view of the components.)
Figure 1. Cisco Virtual Data Center Topology Example
Figure 2. Detailed View of Cisco Virtual Data Center Components
Cisco Nexus 1000V InterCloud
With Cisco Nexus 1000V InterCloud, the enterprise network can be more securely extended to the cloud because enterprise network and security configurations such as VLANs and policies can be extended to the cloud. Using Cisco Prime Network Services Controller, workloads can be migrated from the enterprise data center to the public cloud, while retaining the same IP addresses and other networking parameters, which helps avoid the need to redesign the application.
Using Cisco Prime Network Services Controller, workloads in the public cloud can use the same security policies as their counterparts in the enterprise data center. System administrators get the policy consistency and network visibility that they require, while retaining control of the cloud environment as a transparent extension of the enterprise data center.
In addition, customers have a unified view of the workloads across the enterprise data center (private cloud) and public cloud. They can select and migrate workloads from the enterprise data center to the public cloud.
Figure 3. Cisco Nexus 1000V InterCloud Structure with Cisco Prime Network Services Controller
Cisco Prime Network Services Controller provides several important benefits that increase efficiency for administration teams:
• Rapid and scalable deployment through dynamic, template-based policy management based on security profiles, policy sets, and policy rules
• Transparent operation management through an XML API that can enable programmatic integration with Cisco Intelligent Automation for Cloud (CIAC), as well as third-party management and orchestration tools
• Collaboration across security and server teams while maintaining administrative separation and reducing errors through a deployment and resource-management model that is consistent and repeatable
The Cisco Prime Network Services Controller framework provides centralized device and policy management of Cisco VSG and the Cisco ASA 1000V Cloud Firewall in virtual data centers (VDCs) and multitenant private and public cloud environments.
Figure 4. Cisco Prime Network Services Controller Framework
As shown in Figure 4, Cisco VSG and Cisco ASA 1000V address different aspects of securing the virtualized data center environment. Cisco VSG offers a zone-based firewall for inter-virtual-machine traffic that travels from server to server or from client to server. Cisco ASA 1000V offers edge security services, such as gateway service, firewall, Network Address Translation (NAT), VPN, and Dynamic Host Configuration Protocol (DHCP). Both integrate tightly with Cisco Nexus 1000V, and both share a single management platform (Cisco Prime Network Services Controller). Other appliances using Cisco vPath will be available soon as optional gateways that can provide edge services for the virtual data center.
Support for Multiple Hypervisors
The Cisco Prime Network Services Controller platform can support multiple virtual machine managers through their APIs and support multiple hypervisor types through tight integration with Nexus 1000V Virtual Ethernet Modules (VEMs) and Virtual Supervisor Modules (VSMs).
Features and Benefits
Consistent, Efficient Execution of Security Policies
Cisco Prime Network Services Controller uses security profiles for template-based configuration of security policies. A security profile is a collection of security policy sets and their associated policies and rules that can be predefined and applied on demand when a virtual machine is instantiated. This profile-based approach significantly simplifies authoring, deployment, and management of security policies, particularly in dense multitenant environments, while enhancing deployment agility and scaling. Security profiles also help reduce administrative errors and simplify audits.
The XML API for Cisco Prime Network Services Controller facilitates integration with northbound network provisioning tools for programmatic network and security provisioning and management of Cisco VSG and Cisco ASA 1000V. The option to employ programmatic control of those virtual appliances can greatly simplify operating processes and reduce infrastructure management costs.
Nondisruptive Administration Model
By providing visual and programmatic controls, Cisco Prime Network Services Controller helps the security operations team author and manage security policies for virtualized infrastructure, and it can also enhance collaboration with the server and network operations teams. This nondisruptive administration model helps ensure administrative segregation of duties to reduce errors and simplify regulatory compliance and auditing. Cisco Prime Network Services Controller operates in conjunction with the Cisco Nexus 1000V Series VSM to achieve the following workflow:
• Security administrators can author and manage security profiles and manage Cisco VSG and ASA 1000V instances. Security profiles are referenced in Cisco Nexus 1000V Series port profiles.
• Network administrators can author and manage port profiles, as well as manage Cisco Nexus 1000V distributed virtual switches. Port profiles, together with the security profiles they reference, are made available in VMware vCenter through the Cisco Nexus 1000V VSM programmatic interface to vCenter.
• Server administrators can select an appropriate port profile in VMware vCenter when instantiating a virtual machine.
Figure 5 displays a possible setup to manage security policies in a multitenant data center.
Figure 5. GUI Screen Illustrating Security Policy Control in a Multitenant Data Center
Efficient Management for Easier Scalability
Cisco Prime Network Services Controller implements an information-model architecture in which each managed device, such as Cisco VSG or Cisco ASA 1000V, is represented by the object-information model of the device. This model-based architecture helps enable the use of:
• Stateless managed devices: Security policies (security templates) and object configurations are abstracted into a centralized repository and used as a template against any virtual device type.
• Dynamic device allocation: A centralized resource management function manages pools of devices that are commissioned (deployed) in service and a pool of devices available for commissioning. This approach simplifies large-scale deployments because managed devices can be pre-instantiated and then configured on demand. In addition, devices can be allocated and de-allocated dynamically across commissioned and noncommissioned pools.
• Scalable management: A distributed management-plane function is implemented using an embedded agent on each managed device to promote greater scalability.
Table 1 shows the primary features and benefits of Cisco Prime Network Services Controller.
Table 1. Features and Benefits

Feature: Central management
Description: Cisco Prime Network Services Controller provides central management of Cisco VSG and ASA 1000V for Cisco Nexus 1000V Series Switches.
Benefit: Simplifies provisioning and troubleshooting in a scale-out data center

Feature: Security profiles
Description: A security profile represents the Cisco VSG or ASA 1000V security policy configuration in a profile (template).
Benefit: Simplifies provisioning, reduces administrative errors during security policy changes, reduces audit complexities, and helps enable a highly scale-out data center environment

Feature: Stateless device provisioning
Description: The management agents in Cisco VSG and ASA 1000V are stateless, receiving their configuration from Cisco Prime Network Services Controller.
Benefits:
• Enhances scalability
• Provides robust endpoint failure recovery without loss of configuration state

Feature: Security policy management
Description: Security policies are authored, edited, and provisioned centrally.
Benefits:
• Simplifies operation and management of security policies
• Helps ensure that security intent is accurately represented in the associated security policies

Feature: Context-aware security policies
Description: Cisco Prime Network Services Controller obtains virtual machine contexts from VMware vCenter.
Benefit: Allows a security administrator to institute highly specific policy controls across the entire virtual infrastructure

Feature: Dynamic security policy and zone provisioning
Description: Cisco Prime Network Services Controller interacts with the Cisco Nexus 1000V VSM to bind the security profile to the corresponding Cisco Nexus 1000V port profile. When server administrators dynamically instantiate virtual machines and apply the appropriate port profiles, the association of those virtual machines with trust zones is established at the same time.
Benefit: Helps security profiles stay aligned with rapid changes in the virtual data center

Feature: Multitenant (scale-out) management
Description: Cisco Prime Network Services Controller is designed to manage Cisco VSG and Cisco ASA 1000V security policies in a dense multitenant environment, so that administrators can rapidly add and delete tenants and update tenant-specific configurations and security policies.
Benefits:
• Reduces administrative errors
• Helps ensure segregation of duties in administrative teams
• Simplifies audit procedures

Feature: Role-based access control (RBAC)
Description: RBAC simplifies operational tasks across different types of administrators, while allowing subject-matter experts to continue with their normal procedures.
Benefits:
• Reduces administrative errors
• Enables detailed control of user privileges
• Simplifies auditing requirements

Feature: XML API
Description: The Cisco Prime Network Services Controller XML API allows external system management and orchestration tools to programmatically provision Cisco VSGs and the Cisco ASA 1000V.
Benefits:
• Allows use of best-in-class management software
• Offers transparent and scalable operation management
Software Packaging and Installation
Table 2 describes the software packages available for Cisco Prime Network Services Controller, and Table 3 lists the component specifications.
Table 2. Packages and Descriptions

Open Virtualization Format (OVF)
• Downloadable OVF virtual appliance in the form of a single file with the .ova extension
• Deployed with OVF templates and packages

ISO
• Downloadable ISO file that can be mounted on a virtual machine
Table 3. Components and Specifications
Cisco Prime Network Services Controller Virtual Appliance
• 1 virtual CPU at 1.5 GHz
• RAM: 3 GB
• Hard disk (vdisk): 25 GB
• Network interfaces: 1 (management)
Hypervisor and hypervisor manager
• VMware vSphere 4.1.0 and 5.0 with VMware ESX or ESXi
• VMware vCenter 4.1.0 and 5.0
Web browser (client)
• Internet Explorer 9.0 or higher, Mozilla Firefox 11.0 or higher, and Chrome 18.0 or higher
• Adobe Flash Player plug-in 11.2 or higher
Interfaces and protocols
• XML API, HTTP/HTTPS, Lightweight Directory Access Protocol (LDAP), and syslog
Licensing and Ordering
Cisco Prime Network Services Controller is the management platform for Cisco VSG and Cisco ASA 1000V, and it is mandatory for those offerings. Although Cisco Prime Network Services Controller is installed like a stand-alone product, it is offered as part of a bundle that includes either Cisco VSG or Cisco ASA 1000V, and it is added automatically when ordering those products.
Please contact your Cisco representative to help you determine and place the appropriate order for your particular environment.
Service and Support
Cisco Software Application Support plus Upgrades (SASU) is a comprehensive support service that helps you maintain and enhance the availability, security, and performance of your business-critical applications. Cisco SASU includes the following resources:
• Software updates and upgrades: The Cisco SASU service provides timely, uninterrupted access to software updates and upgrades to help you keep existing systems stable and network release levels current. Updated releases, including major upgrade releases that may include significant architectural changes and new capabilities for your licensed feature set, are available by software download from Cisco.com or by CD-ROM shipment.
• Cisco Technical Assistance Center (TAC): Cisco TAC engineers provide accurate, rapid diagnosis and resolution of software application problems to help you reduce outages and performance degradation. These specialized software application experts are trained to support Cisco Prime Network Services Controller. Their expertise is available to you 24 hours a day, 365 days a year, by telephone, fax, email, or the Internet.
• Online support: Cisco SASU provides access to a wide range of online tools and communities to help you resolve problems quickly, support business continuity, and improve competitiveness.
For More Information
For additional information about Cisco Prime Network Services Controller and related products, please visit the following links: