Updated: October 6, 2014
Prime Network Services Controller is the primary management element for Cisco Nexus 1000V (Nexus 1000V) Series Virtual Switches and Services. Working together, they enable a transparent, scalable, and automation-centric network management solution for virtualized data center and hybrid cloud environments. Nexus 1000V switches and services deliver a highly secure multi-tenant environment by adding virtualization intelligence to the data center network. These virtual switches are built to scale for cloud networks. Support for Virtual Extensible LAN (VXLAN) helps enable a highly scalable LAN segmentation and broader virtual machine (VM) mobility.
Prime Network Services Controller enables the centralized management of Cisco virtual services to be performed by an administrator through its GUI or programmatically through its XML API. Prime Network Services Controller is built on an information-model architecture in which each managed device is represented by its subcomponents (or objects), which are parametrically defined. This model-centric approach enables a flexible and simple mechanism for provisioning and securing virtualized infrastructure using Cisco VSG (VSG) and Cisco ASA 1000V (ASA 1000V) Cloud Firewall virtual security services.
Table 2 details the primary features and benefits of Prime Network Services Controller.
For information on new features included in this release, see New Features.
Table 2 Features and Benefits

Feature: Central management of VSG and ASA 1000V for Nexus 1000V series switches.
Benefit:
– Simplifies provisioning and troubleshooting in a scaled-out data center.

Feature: Representation of VSG and ASA 1000V security policy configuration in a profile.
Benefits:
– Reduces administrative errors during security policy changes.
– Reduces audit complexities.
– Helps enable a highly scaled-out data center environment.

Stateless Device Provisioning
Feature: The management agents in VSG and ASA 1000V are stateless, receiving information from Prime Network Services Controller.
Benefit:
– Provides robust endpoint failure recovery without loss of configuration state.

Security Policy Management
Feature: Security policies are authored, edited, and provisioned centrally.
Benefits:
– Simplifies the operation and management of security policies.
– Helps ensure that security intent is accurately represented in the associated security policies.

Context-Aware Security Policies
Feature: Prime Network Services Controller obtains virtual machine contexts from VMware vCenter.
Benefit:
– Allows a security administrator to institute highly specific policy controls across the entire virtual infrastructure.

Dynamic Security Policy and Zone Provisioning
Feature: Prime Network Services Controller interacts with the Nexus 1000V Virtual Supervisor Module (VSM) to bind the security profile to the corresponding Nexus 1000V port profile. When virtual machines are dynamically instantiated by server administrators and the appropriate port profiles applied, their association with trust zones is also established.
Benefit:
– Helps enable security profiles to stay aligned with rapid changes in the virtual data center.

Feature: Prime Network Services Controller is designed to manage VSG and ASA 1000V security policies in a dense, multi-tenant environment so that administrators can rapidly add and delete tenants and update tenant-specific configurations and security policies.
Benefits:
– Reduces administrative errors.
– Helps ensure segregation of duties in administrative terms.
– Simplifies audit procedures.

Role-Based Access Control (RBAC)
Feature: RBAC simplifies operation tasks across different types of administrators, while allowing subject-matter experts to continue with their normal procedures.
Benefits:
– Reduces administrative errors.
– Enables detailed control of user privileges.
– Simplifies auditing requirements.

Feature: The Prime Network Services Controller XML API allows external system management and orchestration tools to programmatically provision VSG and ASA 1000V devices.
Benefits:
– Allows use of best-in-class management software.
– Offers transparent and scalable operation management.
The following tables identify Prime Network Services Controller 3.0.2 requirements:
Table 6 Prime Network Services Controller Firewall Ports Requiring Access
Table 7 lists the ports that must be enabled to access the Amazon Web Services (AWS) public IP address ranges listed at https://forums.aws.amazon.com/ann.jspa?annID=1701.
Table 7 Ports to Access Amazon AWS
TCP: 22, 443, 3389, 6644, and 6646
UDP: 6644 and 6646
Configuring Chrome for Use with Prime Network Services Controller
To use Chrome with Prime Network Services Controller, you must disable the Adobe Flash Player plugins that are bundled with Chrome and install a standalone Adobe Flash Player instead.
Note You must repeat this procedure each time your client machine reboots, because Chrome re-enables its bundled Adobe Flash Player plugins after a reboot.
Step 1 In the Chrome URL field, enter chrome://plugins.
Step 2 Click Details.
Step 3 Locate the Adobe Flash Player plugins, and disable each one.
Step 4 Download and install Adobe Flash Player version 11.6.602.180.
Step 5 Close and reopen Chrome before logging in to Prime Network Services Controller.
Performance and Scalability
Table 8 lists the performance and scalability data for Prime Network Services Controller.
Table 8 Prime Network Services Controller Performance and Scalability
ASA 1000Vs and VSGs
Table 9 describes the new features available in Prime Network Services Controller 3.0.2.
Table 9 New Features in Prime Network Services Controller 3.0.2
Amazon Marketplace support
Note The Amazon Marketplace feature is not supported in Prime Network Services Controller 3.0.2.
Support for Amazon Marketplace provides the following benefits associated with creating an InterCloud link:
Access to Amazon Marketplace is provided via the Add InterCloud Link wizard.
You can view and optionally purchase the number of cloud VM licenses that you need.
You can easily install an InterCloud Switch template from Amazon Marketplace.
The time required to create an InterCloud link is significantly reduced.
Amazon Marketplace manages the purchase and automatically charges the associated Amazon provider account.
Amazon tracks the available number of cloud VMs as cloud VMs are instantiated.
Bundle import of images
To improve usability and simplify the process of creating an InterCloud link, Prime Network Services Controller enables you to import a single zipped file that contains the following images:
InterCloud Extender image
InterCloud Switch image
Cloud VM driver images
After the zipped file is imported, Prime Network Services Controller automatically places the zipped files in the correct locations and populates the InterCloud Link Wizard with the images.
This feature helps ensure that you always have the compatible images available for creating InterCloud links and instantiating cloud VMs.
The following GUI items have been removed:
– Sub-Elements tabs
– Events tabs
– VM Managers tab from Administration
The following items have been changed:
– The InterCloud Agent Images and Infrastructure Images options in InterCloud Management have been replaced by a single Images option.
– The Administration Operations Backups table has been renamed to Administration Operations, and it includes all operation types (backups, import, and export).
– The VM Managers tab has been moved under Resource Management.
The following new wizards have been added:
– Add a Compute Firewall Wizard
– Adding Edge Firewall
The following enhancements have been made:
– Options have been consolidated in a single Actions drop-down list in table toolbars.
– A Filter option has been added to tables.
– A new Service Devices category has been added under Resource Management > Resources.
Hyper-V Hypervisor support
Prime Network Services Controller can be installed on the VMware Hypervisor and the Microsoft Hyper-V Hypervisor. The following are some of the Prime Network Services Controller features that are not supported when Prime Network Services Controller is installed on Hyper-V Hypervisor:
When adding a rule to create an ACL policy:
– The option to match any one rule is disabled. The only available option is to match all the rules.
– The service condition is disabled.
– If you set source or destination conditions, the VM attribute type is not supported.
When adding an object group:
– If the attribute type is Network, the attribute name Service is not supported.
– The VM attribute type is not supported.
When working with vZones, the option to match any one rule is disabled. The vZone must match all the conditions.
Prime Network Services Controller adds a new role named tenant-admin. Users with tenant-admin role can see only those objects and resources related to the tenants with which they are associated. They cannot see the policies, resources, or logs of other tenants.
Only users with the admin role can add users with the tenant-admin role, and they must associate each tenant-admin user with a locale and an organization.
The tenant-admin role has the following privileges:
Resource configuration (except tenant addition or deletion)
Service VM instantiation and life cycle management
Resources are available from a new Service Devices category and from the Virtual Supervisor Modules (Resources Management > Resources).
A new Images option enables you to import service images to use for instantiating compute and edge firewalls.
You now have the option to import new image versions.
InterCloud VPC-based security (IP groups)
Access to cloud VMs is limited to IP addresses identified in one or more IP groups for each Virtual Private Cloud (VPC).
The following topics provide important information for using Prime Network Services Controller:
When a virtual machine is cloned, the clone is assigned new MAC addresses. This causes a mismatch between the MAC addresses in the virtual machine settings and the ones the Linux guest OS has interface configuration for. If you encounter this situation, the following message is displayed:
The Guest OS either does not contain interface configuration for the VM NICs or the interfaces are explicitly disabled.
We recommend that you create no more than three templates simultaneously. This limitation applies to creating templates using either of the following methods or a combination of these methods:
Creating a template from an Amazon Machine Image (AMI).
Creating a template by migrating a VM from the enterprise data center.
Editing Firewall Interfaces
We recommend that you do not edit the data interfaces of compute or edge firewalls. Changing the data interface via the Prime Network Services Controller GUI will stop communications between the Cisco Nexus 1000V VEM link and the firewall, and thereby stop vPath traffic.
If you do change the data interfaces of compute or edge firewalls via the Prime Network Services Controller GUI, also make the corresponding configuration changes on the Nexus 1000V.
Prerequisites for Migrating Windows VMs
This topic details the prerequisites that must be met before you perform either of the following procedures:
Migrate an existing Windows VM from VMware vCenter to the cloud.
Create an AMI image from a Windows VM and import it into Prime Network Services Controller.
Before migrating a Windows VM, do the following:
Disable automatic logon.
Ensure the following:
– Network interfaces are enabled.
– The DHCP client service is enabled and running.
– The Windows Firewall allows the following InterCloud ports: 22 (TCP), 3389 (TCP), and 6644 (TCP and UDP).
– There is no security software or firewall that can prevent network connectivity.
Disable any service or application on the VM that uses port 22.
If the Windows VM is joined to a domain, confirm the following:
– No domain policies exist that prohibit device driver installation for network interface devices.
– Trusted publisher policies do not prohibit installation of Cisco's certificate into the system.
Although it is rare for such policies to be set, check with the Windows Enterprise Domain Administrator if you are uncertain.
Shut down the Windows VM properly:
– Before using the Windows VM to create an AMI image, confirm that the Windows VM was shut down properly.
– If you are migrating a Windows VM to the cloud, Prime Network Services Controller will shut down the VM if VMware Tools is installed on the VM. If VMware Tools is not installed on the VM, power down the Windows VM before initiating the migration.
Enable Remote Desktop Protocol (RDP) on the source machine.
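The checklist above, as an added pre-migration script written for this page (it is example code, not Cisco tooling). It assumes Windows PowerShell run as Administrator on the source VM, Windows 7 / Server 2008 R2 or later, and uses netsh advfirewall and WMI rather than the newer NetSecurity cmdlets so that it also works on older guests; the firewall rule names are arbitrary labels chosen here, and the port numbers are the InterCloud ports listed above. Without -Fix the script only reports. The domain-policy items (device driver installation, trusted publishers) and the clean shutdown still have to be checked by hand.

```powershell
# Added example for this page (not Cisco code): report, and optionally fix,
# the Windows VM prerequisites listed above. Run as Administrator on the
# source VM before creating the AMI or starting the migration.
param([switch]$Fix)

$issues   = New-Object System.Collections.ArrayList
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$termSrv  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Add-Issue([string]$Text) { [void]$issues.Add($Text) }

# 1. Automatic logon must be off. AutoAdminLogon is normally paired with a
#    DefaultPassword value stored in clear text under the same key.
$auto = (Get-ItemProperty -Path $winlogon).AutoAdminLogon
if ($auto -eq '1') {
    Add-Issue 'AutoAdminLogon is enabled'
    if ($Fix) { Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0' }
}

# 2. Every physical (as seen by the guest) network adapter must be enabled.
Get-WmiObject Win32_NetworkAdapter -Filter "PhysicalAdapter=True" |
    Where-Object { -not $_.NetEnabled } |
    ForEach-Object {
        Add-Issue "network adapter disabled: $($_.Name)"
        if ($Fix) { [void]$_.Enable() }
    }

# 3. The DHCP Client service must be running and start automatically.
$dhcp = Get-WmiObject Win32_Service -Filter "Name='Dhcp'"
if ($dhcp.State -ne 'Running' -or $dhcp.StartMode -ne 'Auto') {
    Add-Issue "DHCP Client service is $($dhcp.State), start mode $($dhcp.StartMode)"
    if ($Fix) {
        Set-Service -Name Dhcp -StartupType Automatic
        Start-Service -Name Dhcp
    }
}

# 4. Inbound Windows Firewall rules for the InterCloud ports from the notes:
#    22/tcp, 3389/tcp and 6644 tcp+udp. Rule names are labels chosen here.
$ports = @(
    @{ Name = 'InterCloud-SSH-22-TCP';   Proto = 'TCP'; Port = 22   },
    @{ Name = 'InterCloud-RDP-3389-TCP'; Proto = 'TCP'; Port = 3389 },
    @{ Name = 'InterCloud-6644-TCP';     Proto = 'TCP'; Port = 6644 },
    @{ Name = 'InterCloud-6644-UDP';     Proto = 'UDP'; Port = 6644 }
)
foreach ($p in $ports) {
    # netsh exits non-zero when no rule matches the given name.
    netsh advfirewall firewall show rule name=$($p.Name) | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Add-Issue "missing inbound firewall rule: $($p.Name)"
        if ($Fix) {
            netsh advfirewall firewall add rule name=$($p.Name) dir=in action=allow `
                protocol=$($p.Proto) localport=$($p.Port) | Out-Null
        }
    }
}

# 5. Nothing else may listen on TCP 22; this cannot be fixed automatically
#    because the owning service has to be stopped or disabled by hand.
$listeners = netstat -ano -p tcp |
    Select-String '^\s*TCP\s+\S+:22\s+\S+\s+LISTENING\s+(\d+)\s*$'
foreach ($m in $listeners) {
    $ownerPid = [int]$m.Matches[0].Groups[1].Value
    $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    Add-Issue "TCP port 22 is in use by PID $ownerPid ($($proc.ProcessName)); stop or disable that service"
}

# 6. Remote Desktop must be enabled on the source machine.
$deny = (Get-ItemProperty -Path $termSrv).fDenyTSConnections
if ($deny -ne 0) {
    Add-Issue 'Remote Desktop is disabled (fDenyTSConnections=1)'
    if ($Fix) { Set-ItemProperty -Path $termSrv -Name fDenyTSConnections -Value 0 }
}

# 7. Report. Domain policy checks and a clean shutdown remain manual steps.
if ($issues.Count -eq 0) {
    Write-Host 'All automated prerequisites are met.'
    exit 0
}
$issues | ForEach-Object { Write-Host "CHECK: $_" }
if ($Fix) { Write-Host 'Fixes applied where possible; re-run without -Fix to verify.' }
else      { Write-Host 'Re-run with -Fix to apply the automatic changes.' }
exit 1
```

Run it once without -Fix to see what would change, then with -Fix, then once more to confirm a clean result before shutting the VM down for the AMI or migration.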
Searching for organization names will not work if the organization names include special characters.
Changing DNS Name Repeatedly Stops Cloud Provider Manager
If you change the DNS name four or more times, Cloud Provider Manager stops working. If this occurs, log in to the Prime Network Services Controller server via the CLI and enter the following commands:
nsc# connect local-mgmt
nsc(local-mgmt)# service restart
Warnings of Outdated OpenSSH and Potential Security Vulnerability
If you run a security scan against Prime Network Services Controller, the scan reports false-positive OpenSSH vulnerability warnings. Red Hat Enterprise Linux has verified that these issues do not pose security vulnerabilities. Warnings of this kind usually come from scanners that match only the OpenSSH version string in the SSH banner; Red Hat backports security fixes without changing that upstream version number, so the banner alone does not show whether a fix is present. For more information, see the following URLs:
When adding a user account, the administrator can choose to expire the account password and select the date on which it expires. When the expiration date is reached, the account is disabled and the user cannot log in to Prime Network Services Controller until a user with administrator privileges extends the expiration date.
Table 10 lists open bugs in Prime Network Services Controller 3.0.2.
Table 10 Open Bugs in Prime Network Services Controller 3.0.2
Upon rare occasions, after rebooting Prime Network Services Controller, you might see a UCSSH log file that indicates that the UCSSH process has stopped while waiting for user input. Prime Network Services Controller components and processes are not affected by this situation.
After an InterCloud Switch upgrade, no InterCloud Switch undeploy or deploy events are issued and the known_hosts file is not updated. This problem occurs if the attach module command is issued on a cloud VSM and the related keys in the known_hosts file are not removed when the module is detached or deleted.
No error is issued if the number of cloud VMs exceeds the number of available licenses from Amazon Marketplace. The cloud VMs that can be licensed are instantiated, but no message is issued to indicate that not all requested cloud VMs were instantiated or that the license limit has been exceeded.
When creating an InterCloud link, if you leave the Enable HA check box unchecked in the Configure InterCloud Link screen, continue to the Configure Network Properties screen, and then return to the Configure InterCloud Link screen and check Enable HA, you cannot configure high availability on the link: the Configure Network Interfaces screen does not contain the fields for the secondary InterCloud extender and the Next button is disabled.
Accessibility Features in Prime Network Services Controller 3.0.2
All product documents are accessible except for images, graphics and some charts. If you would like to receive the product documentation in audio format, braille, or large print, contact email@example.com.
Obtaining Documentation and Submitting a Service Request
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.