Contents
- Getting Started with Cisco Prime Network Services Controller
- New and Changed Information
- Installation Requirements
- Requirements Overview
- System Requirements
- Hypervisor Requirements
- Web-Based GUI Client Requirements
- Firewall Ports Requiring Access
- Ports to Access Amazon AWS
- Cisco Nexus 1000V Series Switch Requirements
- Information Required for Installation and Configuration
- Shared Secret Password Criteria
- Configuring Chrome for Use with Prime Network Services Controller
- Installing Prime Network Services Controller
- Installing Overview
- Installing on Microsoft Hyper-V Hypervisor
- Task Title
- Installing from an ISO Image
- Deploying the Prime Network Services Controller OVA
- Configuring Prime Network Services Controller
- Configuring Overview
- Task 1—Configuring NTP
- Configuring NTP in VMs
- Configuring NTP in Prime Network Services Controller
- Task 2—Configuring Prime Network Services Controller Connectivity with vCenter
- Downloading the vCenter Extension File
- Registering the vCenter Extension Plug-in in vCenter
- Configuring vCenter in VM Manager
- Task 3—Registering Service VMs
- Task 4—Verifying Service VM Registration
- Task 5—Configuring a Tenant
- Task 6—Configuring Access Policies
- Configuring an IP Group
- Configuring an ACL Policy
- Add ACL Policy Rule Dialog Box
- Task 7—Configuring a Service Profile
- Task 8—Configuring a Device Profile
- Task 9—Importing Service Images
- Task 10—Adding a Compute Firewall
- Properties Screen
- Service Device Screen
- Task 11—Adding an Edge Firewall
- Properties Screen
- Task 12—Creating an Edge Security Profile
- Add NAT Policy Set Dialog Box
- Add NAT Policy Dialog Box
- Add NAT Policy Rule Dialog Box
- Add Condition Dialog Box
- Task 13—Enabling Logging
- Enabling Policy-Engine Logging in a Monitor Session
- Enabling Global Policy-Engine Logging
- Troubleshooting Installation and Configuration
- Troubleshooting Overview
- Examining Faults for Compute Firewalls
- Examining Faults for Edge Firewalls
- Upgrading and Patching Prime Network Services Controller
- Upgrading Overview
- Backing Up Data
- Upgrading to Prime Network Services Controller 3.0.2
- Patching Prime Network Services Controller
- Backing Up and Restoring Prime Network Services Controller
- Backing Up and Restoring Overview
- Backing Up Prime Network Services Controller
- Restoring the Previous Version
- Post-Restoration Tasks
- Updating VM Managers
- Reimporting InterCloud and VM Images
- Verifying InterCloud Status
- Additional Information
- Related Documentation
- Obtaining Documentation and Submitting a Service Request
Getting Started with Cisco Prime Network Services Controller
New and Changed Information
Installation Requirements
Requirements Overview
The following topics identify the requirements for installing and using Cisco Prime Network Services Controller (Prime Network Services Controller) 3.0.2:
Note
This release of Cisco Prime Network Services Controller contains many new features. For information on these features and additional changes in this release, see the Cisco Prime Network Services Controller 3.0.2 Release Notes.
- System Requirements
- Hypervisor Requirements
- Web-Based GUI Client Requirements
- Firewall Ports Requiring Access
- Ports to Access Amazon AWS
- Cisco Nexus 1000V Series Switch Requirements
- Information Required for Installation and Configuration
- Shared Secret Password Criteria
- Configuring Chrome for Use with Prime Network Services Controller
System Requirements
Requirement Description Virtual Appliance
Four Virtual CPUs
1.5 GHz
Memory
4 GB RAM
Disk Space
One of the following, depending on InterCloud functionality:Management Interface
One management network interface.
Processor
x86 Intel or AMD server with 64-bit processor listed in the VMware compatibility matrix
Interfaces and Protocols
HTTP/HTTPS
—
Lightweight Directory Access Protocol (LDAP)
—
Intel VT
Intel Virtualization Technology (VT)
Enabled in the BIOS
Hypervisor Requirements
Prime Network Services Controller is a multi-hypervisor virtual appliance that can be deployed on either VMware vSphere or Microsoft Hyper-V Server 2012 (Hyper-V Hypervisor):
- See the VMware Compatibility Guide to verify that VMware supports your hardware platform.
- See the Windows Server Catalog to verify that Microsoft Hyper-V supports your hardware platform.
Table 1 Hypervisor Requirements Requirement Description VMware
VMware vSphere
Release 5.0 or 5.1 with VMware ESXi (English Only)
VMware vCenter
Release 5.0 or 5.1 (English Only)
Microsoft
Microsoft Server
Microsoft Windows Server 2012 with Hyper-V (Standard or Data Center)
Microsoft SCVMM
Microsoft SCVMM 2012 SP1 or higher
Web-Based GUI Client Requirements
Requirement Description Operating System
Either of the following:
Browser
Any of the following:
- Internet Explorer 9.0 or higher
- Mozilla Firefox 11.0 or higher
- Google Chrome 18.0 or higher1
Flash Player
Adobe Flash Player plugin 11.2 or higher
1 Before using Chrome with Prime Network Services Controller, you must disable the Adobe Flash Players that are installed by default with Chrome. For more information, see Configuring Chrome for Use with Prime Network Services Controller.Ports to Access Amazon AWS
This table lists the port numbers you must enable to access the Amazon Web Services (AWS) public IP address ranges listed at https://forums.aws.amazon.com/ann.jspa?annID=1701.
Cisco Nexus 1000V Series Switch Requirements
Requirement Notes General
The procedures in this guide assume that the Cisco Nexus 1000V Series Switch (Nexus 1000V) is up and running and that virtual machines (VMs) are installed.
—
VLANs
Two VLANs configured on the Nexus 1000V uplink ports:
Neither VLAN needs to be the system VLAN.
Port Profiles
One port profile configured on the Nexus 1000V for the service VLAN.
—
Information Required for Installation and Configuration
Required Information Your Information For Deploying the Prime Network Services Controller OVA
Name
Location of files
Data store location
Storage location, if more than one location is available
Management port profile name for virtual machine (VM) management
Note The management port profile is the same port profile that is used for the Cisco Virtual Supervisor Module (VSM). The port profile is configured in VSM and is used for the Prime Network Services Controller management interface.
IP Address
Subnet mask
Gateway IP Address
Domain Name
DNS Server
Note Access to a DNS server is required for Prime Network Services Controller to communicate with the Amazon Cloud Provider.
Admin Password
Shared secret password for communications between Prime Network Services Controller, Cisco Virtual Security Gateway (VSG), Cisco Adaptive Security Appliance 1000V (ASA 1000V), and VSM. (See Shared Secret Password Criteria.)
For Configuring VMware vCenter in Prime Network Services Controller
vCenter name Description Hostname or IP address Shared Secret Password Criteria
A shared secret password is a password that is known only to those using a secure communication channel. Passwords are designated as strong if they cannot be easily guessed for unauthorized access. When you set a shared secret password for communications between Prime Network Services Controller, VSG, ASA 1000V, and VSM, adhere to the following criteria for setting valid, strong passwords:
- Do not include the following items in passwords:
- Make sure your password contains the characteristics of strong passwords as described in the following table:
Examples of Strong Passwords are:
Configuring Chrome for Use with Prime Network Services Controller
ProcedureTo use Chrome with Prime Network Services Controller, you must disable the Adobe Flash Players that are installed by default with Chrome.
NoteYou must perform this procedure each time your client machine reboots. Chrome automatically enables the Adobe Flash Players when the system on which it is running reboots.
Installing Prime Network Services Controller
Installing Overview
The following sections describe how to install Prime Network Services Controller:
Note
Installation time varies (10-20 minutes) depending on the host or storage area network load.Installing on Microsoft Hyper-V Hypervisor
For information on feature differences when Prime Network Services Controller is installed on Hyper-V Hypervisor, see the Cisco Prime Network Services Controller 3.0.2 User Guide.
Before You BeginProcedure
- Verify that the Hyper-V Hypervisor host on which you are going to deploy the Prime Network Services Controller VM is available in the System Center Virtual Machine Manager (SCVMM).
- Copy the Prime Network Services Controller ISO image to the SCVMM library location on the file system. To make this image available in SCVMM, choose Library > Library Servers, right-click the library location, then choose Refresh.
Step 1 Launch the SCVMM. Step 2 Choose the Hyper-V Hypervisor host on which to deploy the Prime Network Services Controller VM. Step 3 Right-click the Hyper-V Hypervisor host and choose Create Virtual Machine. Step 4 In the Create Virtual Machine wizard, in the Select Source screen, select the Create the new virtual machine with a blank virtual hard disk radio button, then click Next. Step 5 In the Specify Virtual Machine Identity screen, provide the required information, then click Next. Step 6 In the Configure Hardware screen, do the following:
Step 7 In the Select Destination screen, do the following: Step 8 In the Select Host screen, choose the destination, then click Next. Step 9 In the Configure Settings screen, review the virtual machine settings, then click Next. Step 10 In the Add Properties screen, select Red Hat Enterprise Linux 5 (64 bit) as the operating system, then click Next. Step 11 In the Summary screen, do the following: The Jobs window displays the status of the virtual machine being created. Verify that the job completes successfully.
Step 12 After the virtual machine is successfully created, right-click it and choose Connect or View > Connect Via Console. Step 13 Launch the console and install Prime Network Services Controller. For more information, see Deploying the Prime Network Services Controller OVA. Step 14 After Prime Network Services Controller is successfully deployed, click Close and power on the Prime Network Services Controller VM.
Installing from an ISO Image
Procedure
Step 1 Download a Prime Network Services Controller ISO image to your client machine. Step 2 Open the VMware vSphere Client. Step 3 Create a new virtual machine (VM) on the appropriate host as follows:
Step 4 When the new VM is created, power it on. Step 5 Mount the ISO to the VM CD ROM drive as follows: Step 6 When prompted, enter the following information, then click Next: Step 7 In the Set Up NSC screen, enter the following information, then click Next:
- Admin password, and a confirming entry
- Shared secret password, and a confirming entry, using the criteria described in Shared Secret Password Criteria.
Note If you configure a weak shared secret password, no error message will be generated at this point, but the shared secret password will not be usable later.
Step 8 Confirm that the information is correct as displayed, then click Next. Prime Network Services Controller is installed.
Step 9 When the installation is complete, reboot the VM.
Deploying the Prime Network Services Controller OVA
Before You BeginProcedure
- Set your keyboard to United States English before installing Prime Network Services Controller and using the VM console.
- Confirm that the Prime Network Services Controller OVA image is available in the VMware vSphere Client.
- Make sure that all system requirements are met as specified in System Requirements.
- Make sure that you have the information identified in Information Required for Installation and Configuration.
- Configure NTP on all ESX and ESXi servers that run Prime Network Services Controller, ASA 1000V, VSG, VSM, and InterCloud images. For more information, see "Configuring Network Time Protocol (NTP) on ESX/ESXi 4.1 and 5.0 hosts using the VMware vSphere Client" at http://kb.vmware.com/kb/0212069.
Configuring Prime Network Services Controller
Configuring Overview
The following topics describe how to initially configure Prime Network Services Controller for use:
Topic Description Ensures that service VMs can successfully register with Prime Network Services Controller and that communications with AWS can occur.
Task 2—Configuring Prime Network Services Controller Connectivity with vCenter
Establishes a connection between Prime Network Services Controller and VM management software.
Enables Prime Network Services Controller to recognize and communicate with service VMs.
Confirms that the required service VMs are registered with Prime Network Services Controller.
Establishes a tenant to which you can allocate resources, such as compute or edge firewalls.
Allows or prevents access to resources based on the criteria that you specify.
Enables you to apply a set of security-related policies (such as access and threat mitigation policies) to one or more objects.
Enables you to apply a set of custom security attributes and device policies to a port profile or compute or edge firewall.
Enables you to instantiate a service device from an image.
Enables you to place a compute firewall in service under a tenant or another level in the organizational hierarchy.
Enables you to place an edge firewall in service under a tenant or another level in the organizational hierarchy.
Creates an edge profile with policies and policy sets that you can apply to edge firewalls.
Ensures that you receive syslog messages for the severities that you specify.
Task 1—Configuring NTP
Before you perform any operations on the Prime Network Services Controller system, configure Network Time Protocol (NTP) on Prime Network Services Controller, ASA 1000V, VSG, and VSM. NTP must be configured with a working NTP server. If you do not configure these items with a working NTP server, the following will occur:
- You will need to manually configure the ASA 1000V, VSG, and VSM components for the date and time or they will not be able to register with Prime Network Services Controller.
- InterCloud functionality will not work because the AWS API requires the request time to be within a few seconds of the current time.
For information on configuring NTP, see the following topics:
Configuring NTP in VMs
Configure NTP on all VMs using the information in the following table.
For this VM: Do this: ASA 1000V Hyper-V Hypervisor
If Prime Network Services Controller is installed on Hyper-V Hypervisor, ensure that all Hyper-V hosts and SCVMM are in time synch with a common NTP server.
VMware
Before you install ASA 1000V in Prime Network Services Controller, configure NTP on all ESX and ESXi servers that run ASA 1000V. For information, see "Configuring Network Time Protocol (NTP) on ESX/ESXi 4.1 and ESXi 5.0 hosts using the vSphere Client" at kb.vmware.com/kb/2012069.
After installation, the ASA 1000V receives the Real Time Clock (RTC) value from the VMware ESX or ESXi host.
InterCloud Extender VM Configure the NTP server in the Prime Network Services Controller GUI by choosing InterCloud Management > InterCloud Policies > Device Profiles. You can add the NTP server to the existing default device profile or create a new device profile with the required NTP server.
InterCloud Switch VM When instantiating the InterCloud extender and InterCloud switch in Prime Network Services Controller using the InterCloud Link Wizard, select the correct device profile (with an NTP server configured) in the wizard to use for that instantiation.
VSG Enter the following CLI commands from the VSG console, where x.x.x.x is the NTP server IP address. If you use a host name, a DNS server must be configured.
clock timezone zone-name offset-hours offset-minutes clock summer-time zone-name start-week start-day start-month start-time end-week end-day end-month end-time offset-minutes ntp server x.x.x.x.For example, your entries might resemble the following:
clock timezone EST -5.0 ntp server 10.10.1.1
Note The NTP server command is not available in the VSG console if you have installed the Prime Network Services Controller policy agent. To configure NTP in VSG, you must uninstall the Prime Network Services Controller policy agent.
VSM Enter the following CLI command from the VSM console, where x.x.x.x is the NTP server IP address.
clock timezone zone-name offset-hours offset-minutes clock summer-time zone-name start-week start-day start-month start-time end-week end-day end-month end-time offset-minutes ntp server x.x.x.xConfiguring NTP in Prime Network Services Controller
Procedure
Step 1 In your browser, enter https://server-ip-address where server-ip-address is the Prime Network Services Controller IP address. Step 2 In the Prime Network Services Controller login window, enter the username admin and the admin user password. This is the password that you set when installing Prime Network Services Controller. Step 3 Set the time zone by doing the following: Step 4 Add an external NTP server as time source as follows:
- Choose Administration > System Profile > root > Profile > default.
- In the Policy tab, select Add NTP Server.
- Enter the NTP server hostname or IP address and click OK.
- Click Save.
Caution We recommend that you do not set the time zone after you add the NTP server.
Task 2—Configuring Prime Network Services Controller Connectivity with vCenter
Note
This feature is not supported on Hyper-V Hypervisor.
After you deploy the Prime Network Services Controller OVA, you need to establish connectivity with VMware vCenter by:
- Downloading the vCenter Extension File
- Registering the vCenter Extension Plug-in in vCenter
- Configuring vCenter in VM Manager
Note
You must reestablish connectivity with VMware vCenter by repeating these steps if you change the Prime Network Services Controller server hostname or fully qualified domain name (FQDN).Downloading the vCenter Extension File
Before You BeginProcedure
- Make sure you have the information identified in Information Required for Installation and Configuration.
Step 1 In Prime Network Services Controller, choose Resource Management > VM Managers > VM Managers. Step 2 In the VM Managers pane, click Export vCenter Extension. Step 3 Save the vCenter extension file in a directory that the vSphere Client can access, because you will need to register the vCenter extension plug-in from within the vSphere Client (see Registering the vCenter Extension Plug-in in vCenter). Step 4 Open the XML extension file to confirm that the content is available.
Registering the vCenter Extension Plug-in in vCenter
Registering the vCenter Extension plug-in enables you to create a VM Manager in Prime Network Services Controller and connect to VMs.
Before You BeginProcedureMake sure you have the information identified in Information Required for Installation and Configuration.
Step 1 From the VMware vSphere Client, log into the vCenter server that you want to manage by using Prime Network Services Controller. Step 2 In the vSphere Client, choose Plug-ins > Manage Plug-ins. Step 3 Right-click the window background and choose New Plug-in.
Tip You might need to scroll down and right-click near the bottom of the window to view the New Plug-in option. Step 4 Browse to the Prime Network Services Controller vCenter extension file that you previously downloaded and click Register Plug-in. The vCenter Register Plug-in Window appears, displaying a security warning.
Step 5 In the security warning message box, click Ignore.
Note If desired, you can install this certificate for further integration with Public Key Infrastructure (PKI) and Kerberos facilities.
A progress indicator shows the task status.
Step 6 When the success message is displayed, click OK, then click Close.
Task 3—Registering Service VMs
Before You BeginProcedure
- Configure NTP on all ESXi servers that run VMs. For more information, see "Configuring Network Time Protocol (NTP) on ESX/ESXi 4.1 and ESXi 5.0 hosts using the vSphere Client" at http://kb.vmware.com/kb/2012069.
- Deploy the VMs using the VMware vSphere Client.
- Make sure that a network path exists between each VM management IP address and the Prime Network Services Controller management IP address.
- Make sure that each VM has access to or has installed the Prime Network Services Controller policy agent image.
Step 1 In the VMware vSphere Client, choose Home > Inventory > Hosts and Clusters. Step 2 Navigate to the newly deployed (and powered on) VM. Step 3 Click the Console tab to access the CLI. Step 4 In the CLI, register each VM as follows, depending on the type of VM:
For ASA 1000V VMs, configure the Prime Network Services Controller IP address and the shared secret by entering the following commands:
vm-name> enable Password: vm-name# configure terminal vm-name(config)# vnmc policy-agent vm-name(config-vnmc-policy-agent)# registration host n.n.n.n vm-name(config-vnmc-policy-agent)# shared-secret MySharedSecretFor VSG VMs, configure the Prime Network Services Controller IP address and the shared secret by entering the following commands:
vm-name# configure terminal vm-name(config)# vnm-policy-agent vm-name(config-vnmc-policy-agent)# registration-ip n.n.n.n vm-name(config-vnmc-policy-agent)# shared-secret MySharedSecret For enterprise VSM VMs:
- Configure the Prime Network Services Controller IP address and the shared secret by entering the following commands:
vm-name# configure terminal vm-name(config)# nsc-policy-agent vm-name(config-nsc-policy-agent)# registration-ip n.n.n.n vm-name(config-nsc-policy-agent)# shared-secret MySharedSecret vm-name(config-nsc-policy-agent)# policy-agent-image bootflash:nsc-vsmpa.n.n.n.bin- Before reloading, save the configuration by entering the copy r s command.
Task 4—Verifying Service VM Registration
This procedure enables you to verify that the required VMs are registered with Prime Network Services Controller.
Before You BeginProcedureFor more information about configuring NTP, see Task 1—Configuring NTP.
- Make sure you have the information identified in Information Required for Installation and Configuration.
- Confirm the following:
For this device: Confirm that: ASA 1000V
- The ASA 1000V is installed.
- NTP is set up on the ASA 1000V.
- The Prime Network Services Controller policy agent status is correct on the ASA 1000V. For more information, see http://www.cisco.com/en/US/products/ps12233/prod_installation_guides_list.html.
- The ASA 1000V is registered to Prime Network Services Controller. For more information, see Task 3—Registering Service VMs.
VSG
- The VSG is installed.
- NTP is set up on the VSG.
- The Prime Network Services Controller policy agent status is correct on the VSG. For more information, see http://www.cisco.com/en/US/products/ps13095/prod_installation_guides_list.html.
- The VSG is registered to Prime Network Services Controller. For more information, see Task 3—Registering Service VMs.
VSM
- The VSM is registered to Prime Network Services Controller.
- NTP is set up on the VSM.
- The VSG and ASA 1000V port profiles are configured on the VSM. For more information, see http://www.cisco.com/en/US/products/ps13095/prod_installation_guides_list.html.
- The Prime Network Services Controller policy agent status is correct on the VSM.
Task 5—Configuring a Tenant
ProcedureTenants are entities (such as businesses, agencies, or institutions) whose data and processes are hosted on VMs in a virtual data center. To provide firewall security for each tenant, you must first configure the tenant in Prime Network Services Controller.
Note
For the purposes of this guide, a tenant is the lowest level of configuration required. You can configure subordinate levels as appropriate for your environment.
Step 1 Choose Tenant Management > root. Step 2 In the upper-right corner of the Tenant Management Root pane, click Create Tenant. Step 3 In the Create Tenant dialog box, enter a name and brief description for the tenant, then click OK. The tenant name can contain 1 to 32 alphanumeric characters including hyphen, underscore, dot, and colon. You cannot change this name after it is created.
The newly created tenant is listed in the navigation pane under root.
Task 6—Configuring Access Policies
The following access policies prevent unauthorized access to resources:
- IP groups identify the IP addresses that can access cloud or enterprise resources.
Caution
Failure to configure at least one IP group could permit unauthorized access to your InterCloud switch, cloud VMs, or enterprise data center.- ACL policies specify the criteria that enables or denies access to a tenant and its resources.
For information on configuring IP groups and ACL policies, see the following topics:Configuring an IP Group
ProcedureAn IP group protects cloud resources by ensuring that SSH access to the public interface of cloud VMs in a Virtual Private Cloud (VPC) is allowed ONLY from IP addresses in the IP group.
In InterCloud Management in Prime Network Services Controller, IP groups are applied on a per-VPC basis. This is, only those IP addresses in an IP group that is associated with a VPC have SSH access to the cloud VMs for that VPC.
Caution
Failure to configure at least one IP group could permit unauthorized access to your cloud VMs, InterCloud Switch, and enterprise data center.
Configuring an ACL Policy
Procedure
Step 1 Choose Policy Management > Service Policies > root > tenant > Policies > ACL> ACL Policies where tenant is the tenant that you created in Task 5—Configuring a Tenant. Step 2 In the General tab, click Add ACL Policy. Step 3 In the Add ACL Policy dialog box, enter a name and description for the policy, then click Add Rule. Step 4 In the Add Rule Policy dialog box, define a rule using the information described in Add ACL Policy Rule Dialog Box, then click OK in the open dialog boxes.
Add ACL Policy Rule Dialog Box
Field Description Name
Rule name, containing 2 to 32 characters. The name can contain alphanumeric characters, hyphen (-), underscore (_), period (.), and colon (:). You cannot change the name after it is saved.
Description
Brief rule description, containing 1 to 256 characters. The name can contain alphanumeric characters, hyphen (-), underscore (_), period (.), and colon (:).
Action to Take
Condition Match Criteria
Condition Match Options.
Src-Dest-Service Tab
A rule can have a service condition or a protocol condition, but not both.
Source Conditions
Source Rule Condition
Destination Conditions
Destination Rule Condition
Service
Service Expression
Protocol Tab
Specify the protocols to which the rule applies:Ether Type Tab
Specify the encapsulated protocols to be examined for this rule. To examine specific encapsulated protocols: Time Range Tab
To apply the rule all the time
Check the Always check box.
To apply the rule for a specific time range
To apply the rule based on membership in an object group
To apply the rule on a periodic basis, with the frequency you specify
- Uncheck the Always check box.
- Check the Pattern check box.
- From the Operator drop-down list, choose range (In range).
Note If you choose a frequency in the Begin drop-down list, choose the same frequency in the End drop-down list. For example, choose Weekdays from both the Begin and End drop-down lists.
Advanced Tab
Source port attributes that must be matched for the current policy to apply. To add a new source port:
Task 7—Configuring a Service Profile
ProcedureA profile is a collection of policies. By creating a profile and then applying that profile to one or more objects (such as a data interface for an ASA 1000V or a VSM port profile), you can ensure that those objects have consistent policies.
Step 1 Choose Policy Management > Service Profiles > root > tenant > Compute Firewall > Compute Security Profiles where tenant is the required tenant. Step 2 In the General tab, click Add Compute Security Profile. Step 3 In the Add Compute Security Profile dialog box, enter a name and description for the security profile, then click OK.
Note The Attributes tab in the Add Compute Security Profile is not available if Prime Network Services Controller is installed on Hyper-V Hypervisor.
Task 8—Configuring a Device Profile
Task 9—Importing Service Images
Task 10—Adding a Compute Firewall
You can add a compute firewall and assign it to a VSG, thereby placing the VSG in service. A wizard walks you through the configuration process, which includes assigning a VSG, assigning profiles, and configuring interfaces.
When you add a new compute firewall, the firewall data IP address can be the same as the data IP address of an existing compute firewall in Prime Network Services Controller as long as the firewalls have different organizational paths. That is, as long as the firewalls do not reside in the same organization, including parent and child organizations.
Users with infrastructure-admin and tenant-admin roles can work with service VMs as follows:
Note
We recommend that you add the compute firewall at the tenant level or below, and not at the root level.
Before You BeginProcedureTo place a VSG in service, at least one of the following must exist:
- To assign a VSG, an available VSG must be registered in Prime Network Services Controller. For more information, see Task 4—Verifying Service VM Registration.
- To assign a VSG pool, a VSG pool must have at least one available VSG.
- To instantiate a VSG service device, a VM service image must be imported and VM Manager must be configured in Prime Network Services Controller. For more information on importing service images, see Task 9—Importing Service Images.
Step 1 Choose Resource Management > Managed Resources > root > tenant > Compute Firewalls. Step 2 In the General tab, click Add Compute Firewall. The Add Compute Firewall Wizard opens.
Step 3 In the Properties screen, supply the information as described in Properties Screen, then click Next. Step 4 In the Service Device screen, select the required VSG service device as described in Service Device Screen, then click Next. Step 5 (Instantiate option only) If you instantiate a VSG service device from an image, do one or both of the following in the Placement screen, then click Next: Step 6 In the Interfaces screen, configure interfaces as follows, then click Next:
- If you assigned a VSG, enter the data IP address and subnet mask.
- If you assigned a VSG pool, enter the data IP address and subnet mask.
- If you instantiated a VSG service device without high availability, add management and data interfaces.
- If you instantiated a VSG service device with high availability, add management, data, and HA interfaces.
For field-level help when configuring the interfaces, see the online help.
Step 7 In the Summary screen, confirm that the information is correct, then click Finish.
Properties Screen
Field Description Name
Compute firewall name.
This name can contain 1 to 32 identifier characters. You can use alphanumeric characters including hyphen, underscore, dot, and colon. You cannot change this name after it is created.
Description
Compute firewall description.
Host Name
Management hostname of the firewall.
Device Configuration Profile
Service Device Screen
Field Description Assign VSG
Assign a VSG to the compute firewall.
In the VSG Device drop-down list, choose the required service device.
Assign VSG Pool
Assign a VSG pool to the compute firewall.
In the VSG Pool field, either choose the required pool from the drop-down list or click Add Pool to add a new pool.
Instantiate
Instantiate a VSG service device from an available image.Task 11—Adding an Edge Firewall
You can add an edge firewall and assign it to an ASA 1000V, thereby placing the ASA 1000V in service. A wizard walks you through the configuration process, which includes assigning configuration and service profiles, assigning an ASA 1000V, and configuring interfaces.
Before You BeginProcedureAt least one of the following must exist:
- To assign an ASA 1000V to the edge firewall, an ASA 1000V must be registered in Prime Network Services Controller and must be available for assignment. For more information about VM registration, see Task 4—Verifying Service VM Registration.
- To instantiate an ASA 1000V service device from an image, an ASA 1000V service must be imported and VM Manager must be configured in Prime Network Services Controller. For more information on importing service images, seeTask 9—Importing Service Images.
Step 1 Choose Resource Management > Managed Resources > root > tenant > Edge Firewalls. Step 2 In the General tab, click Add Edge Firewall. The Add Edge Firewall Wizard opens.
Step 3 In the Properties screen, provide the information described in Properties Screen, then click Next. Step 4 In the Service Device screen, do one of the following, then click Next: Step 5 (Instantiate option only) If you instantiate anASA 1000V service device from an image, do one or both of the following in the Placement screen, then click Next: Step 6 In the Interfaces screen, add the required interfaces as follows, then click Next:
- If you assigned an ASA 1000V without high availability, configure one inside and one outside interface.
- If you assigned an ASA 1000V with high availability, configure one inside and one outside interface, each with a secondary IP address.
- If you instantiated an ASA 1000V without high availability, configure management, inside, and outside interfaces.
- If you instantiated an ASA 1000V with high availability, configure management, inside, outside, and HA interfaces.
Step 7 In the Summary screen, confirm that the information is accurate, then click Finish. Step 8 If you instantiated the ASA 1000V from a service image, you must do the following to ensure registration with Prime Network Services Controller:
- Within 15 minutes of instantiation, manually register the ASA 1000V to Prime Network Services Controller by using the ASA 1000V vCenter console.
- If you do not register the ASA 1000V within 15 minutes of instantiation, the instantiated ASA 1000V will enter a failed state, and you must delete it manually from Prime Network Services Controller and vCenter.
Properties Screen
Field Description Name
Edge firewall name.
This name can contain 1 to 32 identifier characters. You can use alphanumeric characters including hyphen, underscore, dot, and colon. You cannot change this name after it is created.
Description
Edge firewall description.
Host Name
Management hostname of the firewall.
High Availability
Check the Enable HA check box to enable high availability.
Device Configuration Profile
Device Service Profile
Task 12—Creating an Edge Security Profile
ProcedureEdge security profiles include the policies and policy sets that you choose to ensure security for your edge firewalls.
Step 1 Choose Policy Management > Service Profiles > root > tenant > Edge Firewall > Edge Security Profiles. Step 2 In the General Tab, click Add Edge Security Profile. Step 3 In the Add Edge Security Profile dialog box, do the following:
- In the General tab, enter a name and description for the Edge Security Profile.
- In the Ingress tab, choose a policy set from the Ingress Policy Set drop-down list.
- In the Egress tab, choose a policy set from the Egress Policy Set drop-down list.
Note To add an ACL Policy set, click Add ACL Policy Set and follow the instructions in Task 13—Configuring Access Rules. Step 4 In the NAT tab, either select an existing NAT policy set or add a new policy set, as follows:
- Click Add NAT Policy Set.
- In the Add NAT Policy Set dialog box, enter the information as described in Add NAT Policy Set Dialog Box.
- To add a NAT policy, click Add NAT Policy and enter the information as described in Add NAT Policy Dialog Box.
- To add a rule to the NAT policy, click Add Rule and enter the information as described in Add NAT Policy Rule Dialog Box.
- To add a rule condition, click Add Rule Condition and enter the information as described in Add Condition Dialog Box.
For field-level information on the VPN and Advanced tabs, see the online help.
Step 5 Click OK in the open dialog boxes.
Add NAT Policy Set Dialog Box
Field Description Name
Policy set name.
Description
Brief description of the policy set.
Admin State
Whether the administrative state of the policy set is enabled or disabled.
Policies Area
Add NAT Policy
Adds a new policy.
Available
Policies that can be assigned to the policy set.
Use the arrows between the columns to move policies between columns.
Assigned
Policies assigned to the policy set.
Up and down arrows
Changes the priority of the selected policies.
Arrange the policies from highest to lowest priority, with the highest priority policy at the top of the list.
Add NAT Policy Dialog Box
Field Description Name
Policy name.
Description
Brief policy description.
Admin State
Whether the administrative status of the policy is enabled or disabled.
Rule Table
Add Rule
Adds a rule to the current policy.
Name
Rule name.
Source Condition
Source attributes that must be matched for the current policy to apply.
Destination Condition
Destination attributes that must be matched for the current policy to apply.
Protocol
Protocols to which the policy applies.
Action
Whether the NAT translation is static or dynamic.
Source IP Pool
Translated address pool for a source IP address match condition.
Source Port Pool
Translated address pool for a source port match condition.
Source IP PAT Pool
Translated address pool for a source port address translation (PAT) match condition.
Destination IP Pool
Translated address pool for a destination IP address match condition.
Destination Port Pool
Translated address pool for a destination port match condition.
Add NAT Policy Rule Dialog Box
Field Description Name
Rule name.
Description
Brief rule description.
Original Packet Match Conditions
Source Match Conditions
Source attributes that must be matched for the current policy to apply.
To add a new condition, click Add Rule Condition.
Available source attributes are IP Address and Network Port.
Destination Match Conditions
Destination attributes that must be matched for the current policy to apply.
To add a new condition, click Add Rule Condition.
Available destination attributes are IP Address and Network Port.
Protocol
NAT Action Table
NAT Action
From the drop-down list, choose the required translation option: Static or Dynamic.
Translated Address
Identify a translated address pool for each original packet match condition from the following options:For example, if you specify a source IP address match condition, you must identify a Source IP Pool object group. Similarly, a destination network port match requires a Destination Port Pool object group.
The Source IP PAT Pool option is available only if you choose dynamic translation.
Click Add Object Group to add object groups for the translation actions.
NAT Options
Check and uncheck the check boxes as required:
- Enable Bidirectional—Check the check box for connections to be initiated bidirectionally; that is, both to and from the host. Available only for static address translation.
- Enable DNS—Check the check box to enable DNS for NAT.
- Enable Round Robin IP—Check the check box to allocate IP addresses on a round-robin basis. Available only for dynamic address translation.
- Disable Proxy ARP—Check the check box to disable proxy ARP. Available only for static address translation.
Add Condition Dialog Box
Field Description Attribute Type
One of the following attribute types:
- Network—Network attributes.
Note Network attributes can be source and destination IP addresses, port and protocol, Ether Type and application.
- VM—Virtual machine attributes.
- User-Defined—User-defined attributes defined in an attribute dictionary.
Note User-defined attribute are specified in security profiles.
- vZone—Virtual zone attributes.
Expression
Attribute Name
Drop-down list that allows you to select an attribute name.
Operator
Drop-down list that allows you to select an operator.
Depending upon the value you select from this drop-down list, different values are available in the Attribute Value field.
Attribute Value
Attribute value.
The attribute value that you enter depends upon the attribute name selected.
Task 13—Enabling Logging
Configuring and enabling a syslog policy for a VSG or ASA 1000V element ensures that you receive syslog messages for the severities that you specify. For example, depending on the syslog policy, you could receive syslog messages notifying you that a firewall rule has been invoked and that a permit or deny action has been taken.
Logging enables you to monitor traffic, troubleshoot issues, and verify that devices are configured and operating properly.
You can configure and enable syslog policies for VSG or ASA 1000V elements by doing either or both of the following:
Enabling Policy-Engine Logging in a Monitor Session
ProcedureConfiguring a syslog policy enables you to specify the level of syslog messages to log and where to log the messages.
Step 1 Choose Policy Management > Device Configurations > root > Policies > Syslog. Step 2 In the Syslog table, select default, then click Edit. Step 3 In the Edit Syslog Policy dialog box, click the Servers tab. Step 4 In the Syslog Policy table, select the primary server type, then click Edit. Step 5 In the Edit Syslog Client dialog box, provide the following information, then click OK in the open dialog boxes:
Troubleshooting Installation and Configuration
Troubleshooting Overview
Prime Network Services Controller enables you to review the faults associated with compute and edge firewalls.
To examine faults for firewalls:
Examining Faults for Compute Firewalls
ProcedurePrime Network Services Controller enables you to examine faults and configuration errors for compute firewalls.
Step 1 Choose Resource Management > Managed Resources > root > tenant > Compute Firewalls. The Edit Compute Firewall dialog box is displayed. Step 2 In the Compute Firewalls table, select the required firewall, then click Edit. Step 3 In the General tab, in the Status area, check the configuration, association, and reachability status. Step 4 In the Faults tab, review the displayed faults. To view additional information about an entry, double-click the entry, or select the entry and then click Properties.
Examining Faults for Edge Firewalls
Before You BeginProcedureAssign the edge firewall to an ASA 1000V instance or instantiate an ASA 1000V service VM.
Step 1 Choose Resource Management > Managed Resources > root > tenant > Edge Firewalls. Step 2 In the Edge Firewalls table, choose the required edge firewall, then click Edit. Step 3 In the General tab, in the Status area, check the configuration, association, and reachability status. Step 4 In the Faults tab, review the displayed faults. To view additional information about an entry, double-click the entry or select the entry and then click Properties.
Upgrading and Patching Prime Network Services Controller
Upgrading Overview
Use the following procedure when you upgrade to a newer Prime Network Services Controller version. For Prime Network Services Controller 3.0.2, the supported upgrade paths are from Cisco Virtual Network Management Center (VNMC) 2.1 or Prime Network Services Controller 3.0. If you want to upgrade from VNMC 1.3 or 2.0 to Prime Network Services Controller 3.0.2, you must first upgrade to VNMC 2.1 or Prime Network Services Controller 3.0.
Note
If you are upgrading from VNMC 2.1, the VNMC 2.1 deployment must span only one disk. If the deployment spans more than a single disk, you cannot upgrade to Prime Network Services Controller 3.x.The following scenarios are not supported:To upgrade from VNMC 2.1 or Prime Network Services Controller 3.0 to Prime Network Services Controller 3.0.2, complete the following tasks:
- If you are upgrading from VNMC 1.3 or 2.0, first upgrade to VNMC 2.1 or Cisco Virtual Network Management Center 3.0—See the Cisco Virtual Network Management Center 2.1 Quick Start Guide at http://www.cisco.com/en/US/products/ps11213/prod_installation_guides_list.html or the Cisco Prime Network Services Controller 3.0 Quick Start Guide at http://www.cisco.com/en/US/products/ps13213/prod_installation_guides_list.html.
- Perform a full-state backup of VNMC 2.1 or Cisco Virtual Network Management Center 3.0 by using Secure Copy (SCP) protocol—See the section on backing up and restoring Prime Network Services Controller.
- Upgrade to Cisco Virtual Network Management Center 3.0.2 by using the CLI update bootflash command—See Upgrading to Prime Network Services Controller 3.0.2.
Note
- After you upgrade to Cisco Virtual Network Management Center 3.0.2, you might see the previous version in your browser. To view the upgraded version, clear the browser cache and browsing history in the browser, and restart the browser. This note applies to all supported browsers: Internet Explorer, Mozilla Firefox, and Google Chrome.
- After you upgrade or reboot, it will take about five minutes per node for each service node to register with Prime Network Services Controller.
Backing Up Data
ProcedureYou can use either of the following methods to back up data before upgrading Prime Network Services Controller:
- To use the CLI, continue with this topic.
- To use the GUI, see Backing Up Prime Network Services Controller .
We recommend that you do not perform a backup when any of the following tasks are running on the system:
Note
- Temporarily disable the Cisco Security Agent (CSA) on the remote file server.
- Do not use TFTP to back up data.
Step 1 Using the console, log in to Prime Network Services Controller as admin.
Note We recommend that you access the CLI via the console instead of using SSH. If the SSH session should disconnect, you will not be able to access the VM.
Step 2 Enter system mode: scope systemStep 3 Create a full-state backup file: where:create backup scp://user@host/file fullstate enabledStep 4 When prompted, enter the required password. Step 5 At the /system/backup* prompt, enter: commit-bufferStep 6 Log in to the SCP server, and make sure that /file exists and that the file size is not zero (0).
Upgrading to Prime Network Services Controller 3.0.2
ProcedureAfter you back up the date for your existing VNMC 2.1 or Prime Network Services Controller 3.0 installation, you can upgrade to Prime Network Services Controller 3.0.2.
Caution
To save a state for recovery purposes, perform a backup before beginning the upgrade. For more information, see Backing Up Data.
Step 1 Using the console, log in to Prime Network Services Controller as admin.
Note We recommend that you access the CLI via the console instead of using SSH. If the SSH session should disconnect, you will not be able to access the VM.
Step 2 Connect to local-mgmt: connect local-mgmtStep 3 (Optional) Check the current version of the Prime Network Services Controller software: show versionStep 4 Download the Prime Network Services Controller 3.0.2 image from a remote file server: copy scp://imageURLtoBinFile bootflash:/Step 5 Upgrade to Prime Network Services Controller 3.0.2: update bootflash:/nsc.3.0.2.XXXX.binwhere nsc.3.0.2.XXXX.bin is the image name.Step 6 Restart the server: service restartStep 7 (Optional) Confirm that the Prime Network Services Controller server is operating as desired: service statusStep 8 (Optional) Verify that the Prime Network Services Controller software version has been updated: show versionStep 9 To confirm that Prime Network Services Controller is fully accessible after the upgrade, log in via the GUI. If your browser displays the previous version instead of the upgraded version, clear the browser cache and browsing history, and restart the browser.
Step 10 If you have changed the server hostname or fully qualified domain name (FQDN), reconfigure Prime Network Services Controller connectivity with vCenter. For more information, see Task 2—Configuring Prime Network Services Controller Connectivity with vCenter.
Note You must perform this step before attempting any enterprise VM-related operations.
Patching Prime Network Services Controller
Procedure
Step 1 As user admin, log into the Prime Network Services Controller system to be patched: ssh admin@server-ip-addressStep 2 Connect to local-mgmt: connect local-mgmtStep 3 Update the bootflash: update bootflash:/nsc.3.0.2.XXXX.binwhere nsc.3.0.2.XXXX.bin is the name of the patch file.Step 4 Restart the Prime Network Services Controller services: service restartStep 5 Verify that all services are running: service statusStep 6 To verify that the patch was applied, check the update history: show update-history
Backing Up and Restoring Prime Network Services Controller
Backing Up and Restoring Overview
Note
We recommend that you use backup and restore as a disaster recovery mechanism. To migrate configuration data from one Prime Network Services Controller server to another, see the Cisco Prime Network Services Controller 3.0.2 User Guide.Prime Network Services Controller enables you to back up and restore data for the same Prime Network Services Controller version. That is, the following backup and restore operations are supported:Backing up one version and restoring to another version (such as backing up VNMC 2.1 and restoring to Prime Network Services Controller 3.0.2) is not supported.
Note
Do not use TFTP for backup and restore operations.The following topics describe how to back up data and restore data for Prime Network Services Controller 3.0.2:Backing Up Prime Network Services Controller
Prime Network Services Controller enables you to perform a backup using either the GUI or the CLI. You can back up and restore data for the same Prime Network Services Controller version. Backing up one version and restoring to another (such as backing up VNMC 2.1 and restoring to Prime Network Services Controller 3.0.2) is not supported.
We recommend the following:
Use backup and restore as a disaster recovery mechanism. To save a state for recovery purposes, perform a backup via the GUI or CLI, using one of the following methods:
- CLI—See Backing Up Data.
- GUI—See the Cisco Prime Network Services Controller 3.0.2 User Guide.
Restoring the Previous Version
Procedure
Step 1 Using the console, log in to Prime Network Services Controller as admin.
Note We recommend that you access the CLI via the console instead of using SSH. If the SSH session should disconnect, you will not be able to access the VM.
Step 2 Connect to local-mgmt: connect local-mgmtStep 3 (Optional) Check the current version of Prime Network Services Controller: show versionStep 4 Download the required image from a remote file server: copy scp://imageURLtoBinFile bootflash:/Step 5 Enter the update command: update bootflash:/nsc.3.2.nx.bin forceStep 6 Restore the previous version: restore scp://user@host-ip-address/tmp/backup-file.tgzwhere:Step 7 Restart the server: service restartStep 8 (Optional) Confirm that the Prime Network Services Controller server is operating as desired: service statusStep 9 (Optional) Verify that the Prime Network Services Controller software version has been restored: show versionStep 10 Allow the system to synchronize and stabilize for at least 15 minutes. Do not add or modify policies or service devices during this time. Step 11 To confirm that Prime Network Services Controller is fully accessible, log in via the GUI.
What to Do Next
Perform the post-restoration tasks described in Post-Restoration Tasks.
Post-Restoration Tasks
After you successfully restore Prime Network Services Controller, complete the following procedures to reestablish the previous environment:
- Update VM Managers—See Updating VM Managers.
- Reimport InterCloud and VM images—See Reimporting InterCloud and VM Images.
- Verify InterCloud status—See Verifying InterCloud Status.
Updating VM Managers
ProcedureYou must update any configured VM Managers after you upgrade or restore Prime Network Services Controller.
Step 1 Choose InterCloud Management > Enterprise > VM Managers. Step 2 For existing vCenters that you wish to retain, reimport the vCenter Extension plugin. For more information, see the Cisco Prime Network Services Controller 3.0.2 User Guide. Step 3 Check and delete any stale VM Manager entries.
Reimporting InterCloud and VM Images
Prime Network Services Controller does not restore InterCloud or VM images that were previously imported. After you restore Prime Network Services Controller, complete the following procedure to reimport any required InterCloud or VM images.
Before You BeginProcedureSuccessfully restore Prime Network Services Controller as described in Restoring the Previous Version.
Step 1 Log into the Prime Network Services Controller GUI. Step 2 Review the imported images in the following screens: Step 3 For each image or image bundle that you want to reimport, note the image properties, such as the image name, operating system, and version. You can delete images that you no longer use or need.
Note To find the original location of the image or bundle, right-click the item and choose Edit or Properties. The dialog box includes the location and name of the source file.
Step 4 After noting the details, delete each image from Prime Network Services Controller. Step 5 Reimport the images using the information that you collected in Step 3.
Verifying InterCloud Status
When a backup is performed, InterCloud-related tasks might be running but not completed. When the system is restored, Prime Network Services Controller starts the tasks from the point at which it was backed up. The following steps enable you to verify the status of InterCloud-related objects after you restore the system.
If a task fails for any reason, we recommend that you abort, terminate, or undeploy the task as appropriate, and then restart the task.
Before You BeginProcedureSuccessfully restore Prime Network Services Controller as described in Restoring the Previous Version.
Step 1 Choose InterCloud Management > InterCloud Link > Provider Accounts and confirm that the provider accounts are valid. Step 2 Choose InterCloud Management > InterCloud Link > VPCs > vpc > intercloud-link and review the link status:
If an InterCloud link was deployed in the backed-up system, but is no longer deployed:
- Choose Administration > Service Registry > Clients.
- If the Oper State column contains lost-visibility, wait approximately 10 minutes to see if visibility is regained. If visibility is not regained after 10 minutes, continue with the next steps.
- In VMware vCenter, verify that the InterCloud Extender exists in the VM placement detail. The path in VMware is vm-manager > datacenter > cluster/host > extender-vm > Edit > Placement.
- Log into Amazon Web Services (AWS) Elastic Compute Cloud (EC2), and verify that the InterCloud Switch VM exists and has the same name and instance ID as that shown in the Prime Network Services Controller GUI.
- If the InterCloud Extender or InterCloud Switch does not exist, undeploy and then delete the link.
If an InterCloud link was being deployed when the system was backed up and completed deployment after the backup, Prime Network Services Controller will attempt to deploy the link from the point at which the system was backed up. In this situation, do either of the following, as appropriate:Step 3 Choose InterCloud Management > Public Cloud VPCs > vpc > VMs and review cloud VM status:
If a cloud VM was deployed and existed in the backed-up system but was deleted due to VM termination after the system backup:- If a user created a cloud VM instance after the backup, the restored system will not have a record of it. There is no way to recover the cloud VM instance. You will need to create a new cloud VM.
If a cloud VM was being instantiated when the system was backed up and completed deployment after the backup, Prime Network Services Controller will start the VM instantiation task from the point at which the system was backed up. In this situation, do either of the following, as appropriate:Step 4 Reconcile the InterCloud Switch and cloud VM public IP addresses. If the InterCloud Switch and cloud VM public IP addresses are changed after the backup, you need to restore the IP addresses manually. This situation can occur if the InterCloud Switch or cloud VM is rebooted after the backup. To reconcile the IP addresses:
- If the InterCloud Switch is in lost-visibility state (Administration > Service Registry > Clients), reboot the InterCloud Switch by choosing InterCloud Management > InterCloud Link > VPCs > vpc > intercloud-link > InterCloud Switch Tab > intercloud-switch > Reboot.
- If the cloud VM tunnel is not up ( InterCloud Management > Public Cloud > VPCs > vpc > VMs), reboot the cloud VM.
Step 5 Reconcile the InterCloud link and cloud VM that were created after the backup on Prime Network Services Controller, as follows:
Additional Information
Related Documentation
Cisco Prime Network Services Controller
The following Cisco Prime Network Services Controller documents are available on Cisco.com at the following URL:
http://www.cisco.com/en/US/products/ps11213/tsd_products_support_series_home.html
- Cisco Prime Network Services Controller 3.0.2 Documentation Overview
- Cisco Prime Network Services Controller 3.0.2 Release Notes
- Cisco Prime Network Services Controller 3.0.2 Quick Start Guide
- Cisco Prime Network Services Controller 3.0.2 User Guide
- Cisco Prime Network Services Controller 3.0 CLI Configuration Guide
- Cisco Prime Network Services Controller 3.0 XML API Reference Guide
- Open Source Used in Cisco Prime Network Services Controller 3.0.2
Cisco ASA 1000V Documentation
The Cisco Adaptive Security Appliance (ASA) documentation is available on Cisco.com at the following URL:
http://www.cisco.com/en/US/products/ps12233/tsd_products_support_series_home.html
Cisco Nexus 1000V InterCloud Documentation
The Cisco Nexus 1000V InterCloud documentation is available on Cisco.com at the following URL:
http://www.cisco.com/en/US/products/ps12904/tsd_products_support_series_home.html
Cisco Nexus 1000V Series Switch Documentation
The Cisco Nexus 1000V Series switch documentation is available on Cisco.com at the following URL:
http://www.cisco.com/en/US/products/ps9902/tsd_products_support_series_home.html
Cisco Virtual Security Gateway Documentation
The Cisco Virtual Security Gateway (VSG) documentation is available on Cisco.com at the following URL:
http://www.cisco.com/en/US/products/ps11208/tsd_products_support_model_home.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
Notices
Copyright © 2012-2014, Cisco Systems, Inc. All rights reserved.