You have to add a variety of resources to Cisco CNAP to form the pool of devices and addresses that you can use in your clouds. This involves:
You use Cisco CNAP to specify your IP addressing scheme details so that those IP addresses, VLAN pools, subnets, etc. are available during container creation.
– The VLAN ranges and their associated VLAN pools that you will be utilizing when creating network plans. When you add a VLAN range, Cisco CNAP populates the VLAN pool.
– How IP subnets and their associated IP address pools will be utilized, such as for Infrastructure, Management, NAT, or Tier.
Note Since Cisco CNAP is also pushing configurations for the automation of work flows on devices, certain precautions need to be followed when manually configuring devices to avoid disrupting Cisco CNAP-based automation. Changing configurations pushed from Cisco CNAP will cause the automated provisioning system to malfunction, which in some cases could cause all automated provisioning to stop until the error conditions are manually remediated. In general on the data center provider edge, all configurations under the tenant VRFs pushed by Cisco CNAP should not be edited or changed, including sub-interfaces and routing. Similarly on the Cisco APIC, the Cisco APIC tenants configured by Cisco CNAP should only be changed by Cisco CNAP. Any configurations pushed by Cisco CNAP should not be manually edited. For more information, see Installing Cisco Cloud Network Automation Provisioner for the Microsoft Cloud Platform, Release 2.1.
You add network devices to form the pool of infrastructure resources available to a cloud. Network devices are associated with a specific cloud. In the current release, only one cloud is supported.
Note Enter device information carefully. In the current release, you cannot modify device information once you have added it. If you want to make changes after you have added a device, you must delete the device and add it again.
You must initially add the following three devices before you can perform network provisioning:
Note If you are manually provisioning the WAN Edge/PE, you do not have to add a Cisco ASR 9000 or ASR 1000. For more information on manual provisioning, see Understanding the Difference Between Auto-provisioning and Manually Provisioning WAN Gateways in Chapter 5, “Managing Container Plans.”
Note Before you add the Cisco APIC, you must create a directory to store the Cisco APIC configurations. As the admin user (or ensure the admin user has read and write access to the directory), create the directory:
/home/admin/cisco-apicdc
If you want to implement access control for the network, add a
You can also delete devices if necessary. Virtual network devices that are created by Cisco CNAP are displayed but cannot be deleted.
You should have performed this step as part of the Cisco CNAP installation because the Cisco NSO should be the first network device you add.
For more information, see the section Connecting Cisco Cloud Network Automation Provisioner to the Cisco Network Services Orchestrator in Installing Cisco Cloud Network Automation Provisioner for the Microsoft Cloud Platform, Release 2.1.
After you add the Cisco NSO, the next two devices you should add are:
Note When used with Cisco CNAP, the Cisco APIC cluster should be front-ended by a Server Load Balancer (SLB) and you should set up an HTTPS bridging session, which allows registration of one IP address on Cisco CNAP for the Cisco APIC cluster (basically the SLB VIP). Cisco CNAP expects a single IP address for the Cisco APIC cluster, which may have three or more nodes.
To add a Cisco ASR and Cisco APIC:
Step 1 On the Network Devices Tab screen, in the Region drop-down, click the Region to which you want to add a device, as shown in the following screen.
Figure 3-1 Network Devices Tab Screen
You see the Add Network Device screen.
Figure 3-2 Add Network Device Screen
The Type pull-down menu displays the devices you can add, as shown in the following screen.
Figure 3-3 Add Network Device Screen—Type Pull-down Menu
Step 3 Region: Region Name displays the Region to which the Network Device will be associated. Complete the following fields:
– Protocol—Protocol used to connect to the device: SSH, HTTP, or HTTPS
– Port—Port used to establish the connection to the device.
– FQDN/IP—IP address or FQDN of the network device on the provider's network: a fully qualified domain name or a valid IPv4 address in dotted-decimal format. FQDN labels may contain letters, digits, and hyphens (-); the period (.) is used only between DNS labels and, optionally, at the end of an FQDN. See https://technet.microsoft.com/en-us/library/cc959336.aspx
– Login—Service Account Logon used to establish a connection with the Network Device.
– Password—Service account password.
– Enable Password—If the device you are adding has an enable password that is different than the device password, enter it here. Otherwise the device password will be used for enable mode.
Step 4 Click Add to add the network device or Cancel to cancel the addition.
Step 5 Repeat the procedure for the other device(s) you must add, such as a Cisco ASR 9000, Cisco ASR 1000, Cisco ASR 5585, or Cisco APIC.
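The FQDN/IP field above accepts either a dotted-decimal IPv4 address or a fully qualified name built from labels of letters, digits, and hyphens. The following validator is an added example and is not Cisco CNAP code; it applies the field rules from this page plus the label-length and top-level-label rules of RFC 1123 and RFC 3696, and it catches a common pitfall, a malformed address such as 10.1.2.999 being accepted as if it were a host name. The function names and the requirement of at least two labels are assumptions of this example.

```python
"""Added example, not Cisco CNAP code: a validator for the FQDN/IP field.
Label rules (letters, digits, hyphens; periods only between labels or at the end)
follow the field description; the 63-character label limit, the 253-character
name limit and the all-numeric top-level label rule come from RFC 1123/RFC 3696.
Function names are assumptions."""
import ipaddress
import re

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_ipv4(value: str) -> bool:
    """True for a dotted-decimal IPv4 address such as 10.1.2.3."""
    try:
        ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        return False
    return True


def is_valid_fqdn(value: str) -> bool:
    """True for a fully qualified name such as apic-01.dc1.example.net (trailing dot allowed)."""
    name = value[:-1] if value.endswith(".") else value
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2:            # assumption: an FQDN has at least host.domain
        return False
    if labels[-1].isdigit():       # RFC 3696: the top-level label cannot be all numeric,
        return False               # so "10.1.2.999" is rejected instead of passing as a name
    return all(LABEL_RE.match(label) for label in labels)


def classify_device_address(value: str) -> str:
    """Return "ipv4" or "fqdn" for an acceptable FQDN/IP value; raise ValueError otherwise."""
    value = value.strip()
    if is_valid_ipv4(value):
        return "ipv4"
    if is_valid_fqdn(value):
        return "fqdn"
    raise ValueError(f"{value!r} is neither a dotted-decimal IPv4 address nor a valid FQDN")


if __name__ == "__main__":
    # Constructed sample entries, as an operator might type them into the Add Network Device screen.
    for entry in ["10.1.2.3", "apic-01.dc1.example.net.", "nso_01.example.net", "10.1.2.999"]:
        try:
            print(f"{entry:28} -> {classify_device_address(entry)}")
        except ValueError as err:
            print(f"{entry:28} -> rejected: {err}")
```

Because device information cannot be modified after it is added (see the note above), running an entry through a check like this before clicking Add saves a delete-and-re-add cycle.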
During container creation, Cisco CNAP checks if a Cisco TACACS+ or RADIUS server has been onboarded. If it has, Cisco CNAP adds the configuration for it to the Cisco CSR 1000V. Cisco TACACS+ is used by default unless you have only onboarded a RADIUS server.
To add a Cisco TACACS+ or RADIUS server:
Step 1 On the Network Devices Tab screen, in the Region drop-down, click the Region to which you want to add the server, as shown in the following screen.
Figure 3-4 Network Devices Tab Screen
You see the Add Network Device screen.
Figure 3-5 Add Network Device Screen
The Type pull-down menu displays the devices you can add, as shown in the following screen.
Figure 3-6 Add Network Device Screen—Type Pull-down Menu
Step 3 Region: Region Name displays the Region to which the server will be associated. Complete the following fields:
– Protocol—TCP is the default protocol used to connect to a Cisco TACACS+ server. UDP is the default protocol used to connect to a RADIUS server.
– Port—443 is the default port Cisco CNAP offers for a Cisco TACACS+ server; you can change this value. You must enter the port number for a RADIUS server. Check the value against your AAA server before you add it: TACACS+ servers conventionally listen on TCP port 49, and RADIUS servers on UDP 1812 for authentication and 1813 for accounting (or the legacy 1645/1646). The port you enter here is what Cisco CNAP pushes into the Cisco CSR 1000V AAA configuration during container creation.
– FQDN/IP—IP address or FQDN of the server on the provider's network: a fully qualified domain name or a valid IPv4 address in dotted-decimal format. FQDN labels may contain letters, digits, and hyphens (-); the period (.) is used only between DNS labels and, optionally, at the end of an FQDN. See https://technet.microsoft.com/en-us/library/cc959336.aspx
– Login—Service Account Logon used to establish a connection with the server.
– Password—Service account password.
– Enable Password—If the server you are adding has an enable password that is different than the server password, enter it here. Otherwise the server password will be used for enable mode.
Step 4 Click Add to add the network device or Cancel to cancel the addition.
Step 1 On the Network Devices Tab Screen, in the Region pull-down menu on the left, click the region containing the device you want to delete.
Note You can delete an existing Network Device only if the device is not being used by a network container, irrespective of whether the device is Active or Inactive.
Step 2 Click the specific device you want to delete, then click the Delete button.
You see the Delete Network Device screen.
Figure 3-7 Delete Network Device Screen
Step 3 Click Remove to remove the network device or Cancel to cancel the deletion.
You must specify the VLAN ranges and their associated VLAN pools that you will be utilizing when creating network plans. When you add a VLAN range, Cisco CNAP populates the VLAN pool.
For example, when you create a WAN Gateway, Cisco CNAP will acquire a VLAN ID from the VLAN pool and mark it as allocated.
On the Network Pool tab, you can:
You must take into consideration the following configuration requirements and recommendations:
You use the Network Pool tab to manage the VLANs that will be used during the orchestration of Network Containers. A group of VLANs make up each VLAN Range (on the Network Pool tab, the group of VLANs in a particular VLAN Range is also called the VLAN Pool). All of the VLAN Ranges collectively make up the Network Pool.
In the current release of Cisco CNAP, one VLAN Range must be created for WAN connectivity between data center PE routers and the Cisco ACI Fabric. Note that the VLAN Range entered into Cisco CNAP must be consistent with configurations on the Cisco ACI VLAN pools associated with the external interfaces to the data center PEs.
Figure 3-8 Network Pool Tab Screen
If you click on a specific entry in the VLAN Range table, you see the associated VLAN Pool, as shown in the following screen.
Figure 3-9 VLAN Pool for Selected VLAN Range Screen
The Network Pool tab contains the following:
VLAN Range table—One row per VLAN Range:
– VLAN IDs—A range of VLAN IDs in the format: “Start Vlan ID - End Vlan ID”.
– State—State of the VLAN Range, which is either Available or Unavailable. A VLAN Range is said to be Available when it still has VLANs that are not yet Allocated. The VLAN Range is marked Unavailable once all the constituent VLANs have been allocated.
– Group—The VLAN Range group, which in the current release is Infrastructure for all VLANs. Infrastructure VLANs are used to “stitch” the provider edge (PE) to the customer edge (CE). In future releases, there may be container patterns that require these VLANs to be managed through Cisco CNAP by the user.
– Created On—Date and time when the VLAN Range was created.
– Modified On—Date and time when the VLAN Range was last modified.
VLAN Pool table—For the selected VLAN Range, one row per VLAN:
– VLAN ID—Numeric value representing a VLAN.
– State—State of the VLAN, which is either Allocated or Unallocated. A VLAN will be marked “Unallocated” as long as it has not been used by any network component in the backend. Once it has been consumed by the network, the backend will mark it as “Allocated”.
– Allocated On—Date and time when the VLAN was allocated.
– Modified On—Date and time when the VLAN was last modified.
Step 1 To add a new VLAN Range, select a Region in the VLAN Range table and click the Add button.
You see the Add VLAN Range screen.
Figure 3-10 Add VLAN Range Screen
Step 2 Enter information in the following fields:
– Start—The starting VLAN ID of the range. Enter a numeric value in the range [0, 4096].
– End—The ending VLAN ID of the range. Enter a numeric value in the range (Start, 4096].
Note Although the fields accept 0 through 4096, only 1 through 4094 are valid IEEE 802.1Q VLAN IDs (0 and 4095 are reserved, and 4096 does not fit in the 12-bit VLAN field), which is all the PE routers and the Cisco ACI fabric can carry. Stay within 1 to 4094, and within the ranges those devices are configured to accept.
– Group—The VLAN Range group, which in the current release is Infrastructure for all VLANs. Infrastructure VLANs are used to “stitch” the provider edge (PE) to the customer edge (CE). In future releases, there may be container patterns that require these VLANs to be managed through Cisco CNAP by the user.
– Region—Name of the Region to which the VLAN Range will be associated.
– Split Range in Blocks—Whether the VLAN Range is divided into smaller VLAN Range blocks, which lets you add and delete VLANs in smaller blocks. If true, the VLAN Range defined by Start and End is divided into blocks of the given Size; otherwise the VLAN Range is not split.
– Size—Number of VLANs in each block. Enter a numeric value ≤ (End - Start).
Note If you split the range into blocks, the number of VLANs in the range must be an exact multiple of the block size. For example, VLAN range 101-300 (200 VLANs) with a block size of 10 yields 20 blocks.
Step 3 Click Add to add the VLAN Range or Cancel to cancel the addition.
Note New VLAN Ranges are Available by default. The Available button is active only when every VLAN in the selected range is Allocated, that is, when the range itself has become Unavailable.
Step 1 To make a VLAN Range and specific VLAN Pool available, on the Network Pool tab select a VLAN Range and a VLAN Pool, as shown in the following screen.
Figure 3-11 Select VLAN Range and Pool
You see the Make VLAN Range Available screen.
Figure 3-12 Make VLAN Range Available Screen
Step 3 Click Available to make the VLAN Range available or Cancel to cancel the operation.
If you click Available, you see the following screen.
Figure 3-13 Make VLAN Range Available—Warning Screen
Step 4 To make the VLAN Range available, click Yes, continue!
Step 1 To unallocate a specific VLAN, on the Network Pool tab select a VLAN Pool, then click Unallocate.
Note On the Network Pool tab, you cannot decouple a VLAN from the configurations of which it may be a part. Unallocating a VLAN merely resets a flag in the database and makes the VLAN available to Cisco CNAP again; it does not remove the VLAN from any network configuration in which it is used. Before you unallocate a VLAN, confirm on the PE routers and the Cisco APIC that no tenant configuration still references it; otherwise Cisco CNAP may hand the same VLAN to a new container while it is still stitched to an existing one.
You see the Unallocate VLAN screen.
Figure 3-14 Unallocate VLAN Screen
Step 2 Click Unallocate to unallocate the specified VLAN ID or Cancel to cancel the operation.
Step 1 To remove a VLAN Range, on the Network Pool tab select a VLAN Range, then click Delete.
You see the Remove VLAN Range screen.
Figure 3-15 Remove VLAN Range Screen
Step 2 Click Remove to remove the specified VLAN Range or Cancel to cancel the operation.
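The VLAN Range and VLAN Pool procedures above describe a small state machine: a range is Available until every VLAN in it is Allocated, a range split into blocks must be an exact multiple of the block size, allocation hands out a VLAN ID (for example when a WAN Gateway is created), and unallocation only resets a database flag. The following model is an added example written for this page and is not Cisco CNAP code. It enforces the 802.1Q limits, refuses to unallocate a VLAN that a configuration audit shows is still configured on a device, and checks that a Cisco CNAP range is covered by the Cisco ACI VLAN pool it must match. The class and function names, the audit dictionary, and the ACI pool representation (a list of encapsulation blocks) are assumptions of this example.

```python
"""Added example, not Cisco CNAP code: a model of VLAN Range / VLAN Pool behaviour
(Available/Unavailable ranges, Allocated/Unallocated VLANs, block splitting, and the
caveat that unallocating only resets a flag), plus a check against an ACI VLAN pool.
Class and function names and the ACI pool format are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

VLAN_MIN, VLAN_MAX = 1, 4094   # IEEE 802.1Q: 12-bit field, 0 and 4095 reserved


@dataclass
class VlanRange:
    start: int
    end: int
    group: str = "Infrastructure"
    block_size: Optional[int] = None          # None: Split Range in Blocks is false
    allocated: Set[int] = field(default_factory=set)

    def __post_init__(self) -> None:
        if not VLAN_MIN <= self.start <= VLAN_MAX:
            raise ValueError(f"start {self.start} is not a valid 802.1Q VLAN ID")
        if not self.start < self.end <= VLAN_MAX:
            raise ValueError(f"end {self.end} must lie in ({self.start}, {VLAN_MAX}]")
        if self.block_size is not None:
            if not 0 < self.block_size <= self.end - self.start:
                raise ValueError("block size must be between 1 and End - Start")
            if self.size % self.block_size:
                raise ValueError(f"{self.size} VLANs is not an exact multiple of block size {self.block_size}")

    @property
    def size(self) -> int:
        return self.end - self.start + 1

    def blocks(self) -> List[Tuple[int, int]]:
        """The smaller ranges the pool is split into (a single block when not split)."""
        if self.block_size is None:
            return [(self.start, self.end)]
        return [(s, s + self.block_size - 1)
                for s in range(self.start, self.end + 1, self.block_size)]

    @property
    def state(self) -> str:
        """Available while any VLAN is Unallocated; Unavailable once all are Allocated."""
        return "Available" if len(self.allocated) < self.size else "Unavailable"

    def allocate(self) -> int:
        """Acquire the lowest Unallocated VLAN ID and mark it Allocated."""
        for vlan in range(self.start, self.end + 1):
            if vlan not in self.allocated:
                self.allocated.add(vlan)
                return vlan
        raise RuntimeError(f"VLAN range {self.start}-{self.end} is exhausted")

    def unallocate(self, vlan: int, still_configured: Optional[Dict[int, List[str]]] = None) -> None:
        """Reset the Allocated flag only. Device configuration is untouched, so refuse
        when an audit (constructed dict: VLAN -> devices) shows the VLAN is still configured."""
        if still_configured and vlan in still_configured:
            raise RuntimeError(f"VLAN {vlan} is still configured on {', '.join(still_configured[vlan])}")
        if vlan not in self.allocated:
            raise ValueError(f"VLAN {vlan} is not Allocated")
        self.allocated.discard(vlan)


def covered_by_aci_pool(rng: VlanRange, aci_pool: List[Tuple[int, int]]) -> bool:
    """True when every VLAN in the CNAP range lies inside one of the ACI pool's
    encapsulation blocks, so the PE-facing ACI interfaces can carry it."""
    return all(any(lo <= v <= hi for lo, hi in aci_pool) for v in range(rng.start, rng.end + 1))


if __name__ == "__main__":
    infra = VlanRange(101, 300, block_size=10)      # the constructed range from the note above
    print(f"{len(infra.blocks())} blocks, first {infra.blocks()[0]}, state {infra.state}")
    wan_vlan = infra.allocate()                     # taken when, for example, a WAN Gateway is created
    print(f"allocated VLAN {wan_vlan}, state {infra.state}")
    # Constructed ACI pools: the first covers 101-300, the second stops at 250
    print(covered_by_aci_pool(infra, [(100, 199), (200, 400)]), covered_by_aci_pool(infra, [(100, 250)]))
```

The `still_configured` audit is the part the product does not do for you: the note above says unallocation is a database flag reset, so whatever fills that dictionary (a show-run scrape of the PE sub-interfaces, an APIC query for the tenant's encapsulations) is what stops a VLAN being reissued while it is still in use.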
You must specify how IP subnets and their associated IP address pools will be utilized, such as for Infrastructure, Management, NAT, or Tier.
You use the Address Pool tab to manage the IP addresses and IP subnets that are used during the orchestration of network containers. IP addresses and IP subnets are associated with a specific cloud.
You should carefully consider your IP addressing scheme and how you plan to use it when configuring address pools.
Table 3-1 shows the various IP subnet groups and how they are used by Cisco CNAP. Each subnet group is described in more detail in the following sections.
You must take into consideration the following configuration requirements and recommendations:
The Infrastructure subnet group consists of Private and Public IP subnets.
A Private subnet with a /29 network mask is used for stitching the Cisco CSR 1000V to the PE devices. The same /29 is reused in every tenant (the subnet overlaps across tenants), which works because each tenant's stitching interfaces live in that tenant's own VRF on the PE. Cisco CNAP uses the IP addressing scheme in Table 3-2 for L3VPN connectivity when a Zinc container is provisioned.
The Loopback IP address is derived from an IP address pool of type Public. Each Cisco CSR 1000V will inherit an IP address from this pool with a /32 network mask.
Each workload tier by default requires a Private IP subnet with a prefix of /26 or shorter (64 or more addresses). Cisco CNAP reserves the first 20 IP addresses of the subnet for various purposes, as shown in Table 3-3, which uses a /24 subnet as its example.
The Management subnet group is used for assigning management IP address to virtual devices, such as the Cisco CSR1000V. This is typically a Private subnet configured to access the management network of the cloud service provider. You may choose the size of the subnet depending on the number of virtual devices that are managed by Cisco CNAP.
The Internet IP subnet is a Private subnet that is shared across each tenant Cisco CSR 1000V requiring Internet access. Tenants with active and standby Cisco CSR 1000Vs would require three unique IP addresses from this pool. Table 3-4 shows a sample scheme used for the Internet subnet.
The NAT subnet is used by the Cisco CSR 1000V for dynamic NAT when Internet access is required. Each tenant will get a unique NAT address from this pool for their Cisco CSR 1000Vs. With a /24 mask, Cisco CNAP can generate NAT addresses for 254 tenants. Choose the subnet size depending on the number of tenants that the cloud service provider is planning to support.
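The subnet-group descriptions above amount to a set of sizing rules: a /29 stitching subnet, a tier subnet of /26 or shorter with the first 20 addresses reserved, three Internet-pool addresses per active/standby tenant, one NAT address per tenant, and a /32 loopback per Cisco CSR 1000V from the Public pool. The following helpers are an added example, not Cisco CNAP code, that turn those rules into checks you can run over a proposed addressing plan before entering it on the Address Pool tab. Treating the reserved block as the first 20 usable host addresses is an assumption (Table 3-3 is not reproduced on this page), as are the function names.

```python
"""Added example, not Cisco CNAP code: sizing checks for the subnet groups above,
built on Python's ipaddress module.  The /29 stitching mask, the /26-or-shorter tier
rule, the 20 reserved tier addresses, three Internet addresses per HA tenant and one
NAT address per tenant come from the text; "first 20 usable host addresses" and all
function names are assumptions."""
import ipaddress
from typing import Dict, List

STITCH_PREFIXLEN = 29            # CSR 1000V to PE stitching subnet, reused in every tenant VRF
TIER_MAX_PREFIXLEN = 26          # a workload tier subnet must be /26 or shorter
TIER_RESERVED = 20               # first addresses of each tier kept by Cisco CNAP
INTERNET_IPS_PER_HA_TENANT = 3   # active + standby CSR 1000V pair


def _usable_hosts(cidr: str) -> List[ipaddress.IPv4Address]:
    """Host addresses of a subnet, excluding the network and broadcast addresses."""
    return list(ipaddress.ip_network(cidr, strict=True).hosts())


def tier_subnet_plan(cidr: str) -> Dict[str, object]:
    """Split a workload tier subnet into the reserved block and the addresses left for VMs."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen > TIER_MAX_PREFIXLEN:
        raise ValueError(f"{cidr} is /{net.prefixlen}; a tier needs /{TIER_MAX_PREFIXLEN} or shorter")
    hosts = _usable_hosts(cidr)
    reserved, workload = hosts[:TIER_RESERVED], hosts[TIER_RESERVED:]
    return {
        "reserved": [str(a) for a in reserved],
        "workload_first": str(workload[0]),
        "workload_last": str(workload[-1]),
        "workload_count": len(workload),
    }


def stitching_subnet_ok(cidr: str) -> bool:
    """The CSR-to-PE stitching subnet must be exactly a /29."""
    return ipaddress.ip_network(cidr, strict=True).prefixlen == STITCH_PREFIXLEN


def nat_pool_tenants(cidr: str) -> int:
    """Tenants a NAT subnet can serve: one dynamic NAT address each (a /24 gives 254)."""
    return len(_usable_hosts(cidr))


def internet_subnet_tenants(cidr: str) -> int:
    """Active/standby tenants an Internet subnet can serve, at three addresses each."""
    return len(_usable_hosts(cidr)) // INTERNET_IPS_PER_HA_TENANT


def loopback_for(public_pool_cidr: str, index: int) -> str:
    """The /32 loopback the index-th CSR 1000V inherits from the Public pool."""
    return f"{_usable_hosts(public_pool_cidr)[index]}/32"


if __name__ == "__main__":
    # Constructed plan using documentation address space.
    print(tier_subnet_plan("10.1.1.0/24"))
    print("stitch ok:", stitching_subnet_ok("10.255.0.0/29"))
    print("NAT tenants:", nat_pool_tenants("192.0.2.0/24"))
    print("Internet HA tenants:", internet_subnet_tenants("198.51.100.0/24"))
    print("first loopback:", loopback_for("203.0.113.0/24", 0))
```

Because the tier reservation is fixed at 20 addresses, the smallest permitted tier (/26, 62 usable hosts) leaves only 42 addresses for workload VMs; sizing tiers at /24 as the text's example does keeps 234 free.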
On the Address Pool tab, you manage IP addresses and IP subnets:
You can view information about IP subnets on the Address Pool tab, as shown in the following screen.
Figure 3-16 Address Pool Tab Screen
The Address Pool tab contains the following fields:
Subnets Table—Displays the IP subnets available for orchestration and automation of a Network Container or Network Service. Each subnet belongs to one of the following groups:
– Infrastructure—Subnets used for stitching the core network elements of the container
– Tier—Subnets used when provisioning the network segments of a tier
– Management—Subnets used for data center management of each cloud
– Internet—Subnets used for the Internet tier (not available in the current release)
– NAT—Subnets used for dynamic and static NAT
– VIP—Subnets used for DMZ VIPs (not available in the current release)
If you click a specific subnet, you see the corresponding IP Address Pool table, as shown in the following screen.
Figure 3-17 IP Address Pool Table Screen
IP Address Pool Table—For the selected subnet, displays the IP Addresses available for orchestration and automation of a Network Container or Network Service. The fields in the table are:
Step 1 On the Address Pool tab, to add a new IP subnet, click the Add button.
You see the Add New IP Subnet screen.
Figure 3-18 Add New IP Subnet Screen
Step 2 To create a new IP subnet, complete the following fields:
Step 3 Click Add to add the subnet or Cancel to cancel the addition.
Step 1 On the Address Pool tab, to remove an IP subnet, click the subnet you want to remove and then click the Delete button.
You see the Delete IP Subnet screen.
Figure 3-19 Delete IP Subnet Screen
Step 2 Click Delete to delete the subnet or Cancel to cancel the deletion.
The DMZ tier is a perimeter network inside a tenant’s container which is securely separated from the other interior networks of the container. The DMZ tier hosts applications and is accessible from the public Internet and other external networks having connectivity to the container edge.
To enable real-time inbound communication from the public Internet to the tenant’s private cloud DMZ tier, you can allow tenant-administered servers to be addressable on the public Internet. You can create pools of unallocated (unassigned) public IP addresses. Then, as needed, you can allocate (assign) these public IP addresses to tenants. Tenants can map the allocated public IP addresses to private IP addresses within their DMZ tiers, including any DMZ Load Balancer VIP and any Workload VM addresses. Mapping directs inbound traffic from a public IP address to a private DMZ address. Figure 3-20 illustrates this concept. Tenants can also unmap addresses.
Figure 3-20 Mapping Public IP Addresses to Private DMZ IP Addresses
For example, a tenant might create a workload VM on the DMZ tier and want access to it from the Internet, in which case the tenant will request a public IP address, which you can provide from the VIP pool. The tenant can then map the workload VM address to the public IP address you allocated to the tenant.
For more information about the VIP Group of subnets used for DMZ VIPs, see Important Considerations When Configuring Address Pools.
To allocate public IP addresses to a tenant:
Step 1 On the Address Pool tab, locate the VIP public IP subnet with the unallocated IP addresses you want to allocate and click it. You see the following screen showing the Unallocated IP Addresses in the selected subnet.
Figure 3-21 Unallocated IP Addresses
Step 2 At the bottom of the screen, click Allocate. You see the following screen.
Figure 3-22 Allocate IP Subnet
Step 3 Use the pull-down menu to select the tenant to which you want to assign IP addresses and enter the number of IP addresses you want to assign. Click Allocate. You see the following screen with the IP addresses allocated.
Figure 3-23 IP Addresses Allocated
To unallocate a public IP address from a tenant:
Step 1 Select the IP address you want to unallocate, then click Unallocate at the bottom of the screen, as shown in the following screen.
Figure 3-24 Unallocate IP Address
You see the following screen asking you to confirm that you want to unallocate the IP address from the specified tenant.
Figure 3-25 Unallocate Confirmation
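The VIP workflow described in this section has two actors: the provider allocates unallocated public addresses to a tenant, and the tenant maps (and unmaps) those addresses to private addresses inside its DMZ tier. The following model is an added example written for this page, not Cisco CNAP code. It enforces the two invariants that matter for tenant isolation, that a tenant can only map public addresses allocated to it and only to addresses inside its own DMZ tier, and it refuses to unallocate a public address that is still mapped, since the mapping is what steers inbound Internet traffic. Those refusals, the class and method names, and the constructed address pool are design choices and assumptions of this example; the page does not state what the product itself checks.

```python
"""Added example, not Cisco CNAP code: the VIP pool workflow above (allocate public
addresses to a tenant, tenant maps them to DMZ addresses, unmap, unallocate) with
ownership, DMZ-membership and still-mapped checks.  All names are assumptions."""
import ipaddress
from typing import Dict, List, Optional


class VipPool:
    def __init__(self, public_cidr: str) -> None:
        # Every usable host address of the (constructed) VIP subnet starts out Unallocated.
        self._free: List[ipaddress.IPv4Address] = list(
            ipaddress.ip_network(public_cidr, strict=True).hosts())
        self._owner: Dict[str, str] = {}      # public IP -> tenant it is allocated to
        self._mapping: Dict[str, str] = {}    # public IP -> private DMZ IP it steers traffic to

    def unallocated(self) -> List[str]:
        return [str(a) for a in sorted(self._free)]

    def allocate(self, tenant: str, count: int) -> List[str]:
        """Provider step: hand `count` unallocated public addresses to a tenant."""
        if count <= 0 or count > len(self._free):
            raise ValueError(f"cannot allocate {count} addresses; {len(self._free)} unallocated")
        self._free.sort()
        given = [str(self._free.pop(0)) for _ in range(count)]
        for ip in given:
            self._owner[ip] = tenant
        return given

    def _require_owner(self, tenant: str, public_ip: str) -> None:
        if self._owner.get(public_ip) != tenant:
            raise PermissionError(f"{public_ip} is not allocated to {tenant}")

    def map(self, tenant: str, public_ip: str, private_ip: str, dmz_cidr: str) -> None:
        """Tenant step: direct inbound traffic for one of its public IPs to a DMZ address
        (a DMZ load balancer VIP or a workload VM)."""
        self._require_owner(tenant, public_ip)
        if ipaddress.ip_address(private_ip) not in ipaddress.ip_network(dmz_cidr, strict=True):
            raise ValueError(f"{private_ip} is outside the DMZ tier {dmz_cidr}")
        if public_ip in self._mapping:
            raise ValueError(f"{public_ip} is already mapped to {self._mapping[public_ip]}")
        self._mapping[public_ip] = private_ip

    def unmap(self, tenant: str, public_ip: str) -> None:
        """Tenant step: stop steering inbound traffic for a public IP."""
        self._require_owner(tenant, public_ip)
        self._mapping.pop(public_ip, None)

    def mapping_for(self, public_ip: str) -> Optional[str]:
        return self._mapping.get(public_ip)

    def unallocate(self, tenant: str, public_ip: str) -> None:
        """Provider step: return a public address to the pool; refuse while it is still mapped,
        otherwise the next tenant could inherit a live path into this tenant's DMZ."""
        self._require_owner(tenant, public_ip)
        if public_ip in self._mapping:
            raise RuntimeError(f"{public_ip} still maps to {self._mapping[public_ip]}; unmap first")
        del self._owner[public_ip]
        self._free.append(ipaddress.ip_address(public_ip))


if __name__ == "__main__":
    pool = VipPool("203.0.113.0/29")                       # constructed VIP subnet
    given = pool.allocate("tenantA", 2)                    # provider: Figure 3-22 step
    pool.map("tenantA", given[0], "10.20.30.40", "10.20.30.0/24")   # tenant: Figure 3-20 step
    print(given, pool.mapping_for(given[0]), pool.unallocated())
```

The refusal in `unallocate` is the check worth copying into any automation around this screen: Figure 3-25 confirms the unallocation, but nothing on the page says a still-mapped address is rejected, so verify the tenant has unmapped it first.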