Cisco Virtual Application Cloud Segmentation Services Configuration Guide, Release 5.4STV2.1

About Cisco VACS Application Containers

A container is a set of virtual components such as routers, firewalls, load balancers, and other network services that are systematically configured to deploy varying workloads. Cisco VACS enhances the Cisco UCS Director container abstraction, adds more controls and security features, and provides ready-to-deploy containers with built-in customization. Each Cisco VACS instance consists of the following user selectable components:

A Cisco Cloud Services Router (CSR) 1000V virtual router with multiple networks on which workloads are placed and a single uplink with a Layer 3 connection to the datacenter network.
A Cisco Virtual Security Gateway (VSG) zone-based firewall to control and monitor segmentation policies within the networks.
A server load balancer (SLB) to scale up the application capacity.

A Cisco prime Network Services Controller (PNSC) that defines and monitors the zone policies. A PNSC can span across multiple containers and the security policy configuration is done by PNSC.

Each container is provided switching by one Cisco Nexus 1000V switch. The Cisco Nexus 1000V switch instantiates the networks as port profiles. A single Cisco Nexus 1000V switch can provide switching for multiple containers.

Types of Cisco VACS Container Templates

Cisco VACS provides you with three different kinds of application container templates. Depending on the specific needs of your virtual application, you can choose one of the following templates:

Three Tier Internal Container template

For more information about this template, see About Cisco VACS 3 Tier Internal and External Container Templates.
Three Tier External Container template

For more information about this template, see About Cisco VACS 3 Tier Internal and External Container Templates.
Custom Container template

For more information about this template, see About Cisco VACS Custom Container Template.

Guidelines and Limitations

The Cisco VACS guidelines and limitations are as follows:

Cisco VACS requires installation of at least one Cisco Nexus 1000V switch and Cisco PNSC to be used in conjunction with containers. Currently, it does not automate the incorporation of Cisco Nexus 1000V switches and Cisco PNSC appliances that have been installed outside of Cisco VACS.
Cisco VACS supports Cisco UCS Director Release 5.4 and the following versions of the related components:
- Cisco Nexus 1000V, Release 5.2(1)SV3(1.4)
- Cisco PNSC, Release 3.4.1b
- Cisco Virtual Security Gateway (VSG), Release 5.2(1)VSG2(1.3)
- Cisco Cloud Services Router 1000V, Release 3.16.1a
- Server Load Balancer (SLB)
  - Open Source HA-proxy, Release 1.5.2 1.5.2-2.el6 (on x86_64)
  - Keepalived 1.2.15
You can add or edit a container template, and then instantiate containers from the template.
Cisco VACS supports VMware ESX 5.0, 5.1, and 5.5 and VMware vCenter 5.1 and later versions. We recommend that you use vCenter version 5.5 because it is compatible with all versions of VMware ESXi.
The number of virtual machines that you can add to a container template is limited only by the hardware of your setup.
SLB for the 3 tier internal/external templates must be placed in the webzone, while for the custom templates it must be based on the zone that you select.

Prerequisites for Creating a Cisco VACS Container Template

The Cisco VACS template has the following prerequisites:

Set up a VMware vCenter account on Cisco UCS Director.
Define the Computing Policy. Computing policies determine the computing resources used during provisioning that satisfy group or workload requirements.
Define the Network Pools and Policies. A network pool policy includes the VLAN pool policy, the VXLAN pool policy, Static IP pool policy, and the IP Subnet pool policy.
Define the Storage Policy. A storage policy defines resources, such as the datastore scope, type of storage to use, minimum conditions for capacity, and latency. The storage policy also provides options to configure additional disk policies for multiple disks and to provide datastore choices for use during a service request creation.
Define the Systems Policy. A system policy defines the system-specific information, such as the template to use, time zone, and operating system-specific information.

Defining Policies

Before you set up the Cisco VACS application container templates, you must define the following policies.

Defining Computing Policies
Defining Network Pools and Policies
Defining Storage Policies
Defining System Policies

After you create the template, the following policies are automatically created:

PNSC Firewall Policy—The path to this policy is Physical > Network > Multi-Domain > PNSC Accounts > PNSC Name.
Tiered Application Gateway Policy—The path to this policy is Policy > Application Container > Tiered Application Gateway Policies.
Virtual Infrastructure Policy—The path to this policy is Policy > Application Container > Virtual Infrastructure Policies.

Attention:

We recommend that you do not edit the PNSC Firewall, Tiered Application Gateway Policies, and the Virtual Infrastructure Policies.

Defining Computing Policies
Defining Network Pools and Policies
Defining Storage Policies
Defining System Policies

Defining Computing Policies

Computing policies determine the computing resources used during provisioning that satisfy group or workload requirements. You can define advanced policies by mixing and matching various conditions in the computing policy.

Step 1

From the Cisco UCS Director menu bar, choose Policies > Virtual/Hypervisor Policies > Computing. The Computing sub menu appears.

Step 2

Select the VMware Computing Policy tab.

Step 3

Click Add. The Add Computing Policy screen appears.

Step 4

In the Add Computing Policy screen, complete the following fields:

Name

Description

Policy Name field

The name of the policy.

Policy Description field

The description of the policy.

Cloud Name drop-down list

Choose the cloud where resource allocation occurs.

Host Node/Cluster Scope drop-down list

Choose the scope of deployment.

Note

You can narrow the scope of deployment by specifying whether to use all, include chosen, or exclude chosen options. Depending on the choices, a new field appears where the required hosts or clusters can be chosen.

Resource Pool drop-down list

Choose the resource pool.

ESX Type drop-down list

Choose the ESX installation type: ESX, ESXi, or both.

ESX Versiondrop-down list

Choose the version of ESX.

Minimum Conditions check boxes

Check the check boxes for one or more conditions that should match. Any hosts that do not meet these criteria are excluded from consideration. If more than one condition is chosen, all of the chosen conditions must match.

Deployment Options

Override Template check box

Check the check box to override the template properties. You are provided with options to enter custom settings for CPU and memory.

Number of vCPUs field

A custom number of vCPUs. The specified number of vCPUs for a VM should not exceed the total cores for the chosen scope of host nodes or clusters.

Note

This option appears if you choose Override Template.

CPU Reservation (MHz) field

The CPU reservation for the VM. The reservation depends upon the number of vCPUs specified.

Note

This option appears if you choose Override Template.

CPU Limit (MHz) field

The CPU limit for the VM. The CPU limit is based on the chosen scope of host nodes or clusters.

CPU Shares drop-down list

Choose the CPU shares: low, normal, or high. The CPU shares determine which VM gets CPU resources when there is competition among VMs.

Note

This option appears if you choose Override Template.

Memory field

The custom memory for the VM.

Note

This option appears if you choose Override Template.

Memory Reservation (MB) field

The memory reservation for the VM. The reservation depends upon the memory specified.

Note

This option appears if you choose Override Template.

Memory Limit (MB) field

The memory limit for the VM. The memory limit is based on the chosen scope of host nodes or clusters.

Note

This option appears if you choose Override Template.

Memory Shares drop-down list

Choose the memory shares: low, normal, or high.1 Memory shares determine which VM gets memory resources when there is competition among VMs.

Note

This option appears if you choose Override Template.

Resizing Options

Allow Resizing of VM check box

Check the check box to allow VM resizing before provisioning or to resize an existing VM.

By default, this check box is checked.

Permitted Values for vCPUs field

The range of vCPUs to use while provisioning a VM or resizing an existing VM. A range of more than 8 is visible during VM provisioning or resizing. only if the chosen cloud (vCenter) is 5 or above and has VM version 8. Only the values specified in the box are visible.

Note

This option appears if you choose Allow Resizing of VM

Permitted Values for Memory in MB field

The range of memory to use while provisioning a VM or resizing an existing VM. For example: 512, 768, 1024, 1536, 2048, 3072, 4096, and so on. Only the values specified in the box are visible.

Note

This option appears if you choose Allow Resizing of VM

Deploy to Folder

The VMs created using this policy that can be deployed into a custom folder. Cisco UCS Director allows automatic creation of folder names from group names or the available Macro provided by Cisco UCS Director. See the Cisco UCS Director Orchestration Guide for more information.

Attention:

By default, the Cisco VACS container virtual machines would be placed in the folder in the vCenter (fenced container) and not in the path provided under the Deploy to Folder option.

Step 5

Click Submit.

Defining Network Pools and Policies

Cisco VACS requires that you create resource pools before you create a container template.

Note

Cisco VACS does not use the default network policy or user-created network policy. It, instead, uses the network VLAN/VXLAN pools and IP pool policies for the Cisco VACS application containers.

Defining Global Resource Pools

Defining Global Resource Pools

Cisco VACS minimizes the interdependency between server and network administrators for information about IP addresses, subnets, networks, firewall contexts, and policies for a network, and the appropriate device configurations and available resources. To support the Cisco UCS Director self-service portal and to automate large-scale deployments, Cisco VACS uses resource pools. You can create these pools ahead of time and use them when required. The resource pools defined in advance enables easier provisioning of containers.

Cisco VACS defines the following resource pools:

VLAN/VXLAN pools—These pools contain a set of VLAN IDs or Virtual Extensible Local Area Network (VXLAN) segment IDs for instantiating networks. The pool attributes are a set of numerical values from 1 to 3967, 4048 to 4093 or a valid VXLAN range from 4096 to 16000000.

For information about how to add a VLAN/VXLAN pool, see Adding a VLAN or VXLAN Pool Policy.
IP Subnet pools—These pools are used for container workload virtual machines. The pool is specified as a supernet together with the specification of the number of subnets that can be created from it. The attributes of these pools are an IP address prefix and a mask length.

For information about how to add a IP subnet pool, see Adding an IP Subnet Pool Policy.
Static IP pools—These pools are used for management, uplink, and VM networks. Management IP pools contain management IP addresses to automate the instantiation of virtual services, such as Cisco Cloud Services Router (CSR) 1000V, Cisco VSG, and Server Load Balancer (SLB) in a network. The attributes for these pools are derived from the physical router configuration and can be used in the custom containers for the VM networks with a port group option.

For information about adding management IP pools, see Defining Static IP Pool Policies.

Uplink address pools contain IP addresses that are used to automate and configure the uplink interface of the default gateway for a container. The attributes for these pools are the same as that of the management IP pools.

For information about adding uplink address pools, see Defining Static IP Pool Policies.

Adding a VLAN or VXLAN Pool Policy
Defining Static IP Pool Policies
Adding an IP Subnet Pool Policy
About Overlapping IP

Adding a VLAN or VXLAN Pool Policy

You can add a VLAN or VXLAN pool policy when you add an entry to the list of VM networks.

Step 1

From the Cisco UCS Director menu bar, choose Policies > Virtual/Hypervisor Policies > Network. The Network sub menu appears.

Step 2

Select the VLAN Pool Policy tab.

Note

Select the VXLAN Pool Policy tab if you want to add a VXLAN pool policy.

Step 3

Click Add. The Add Policy screen appears.

Step 4

In the Add Policy screen, complete the following fields:

Name

Description

Pod drop-down list

Choose the point of delivery (POD) from the list. A POD is a logical definition that represents a converged stack placement. In most cases, a POD of the generic type is sufficient.

Policy Name field

The policy name. This name can be up to 32 characters long.

Policy Description field

The description for the pool policy. This description can be up to 256 characters.

VLAN Range or VXLAN Range field

The valid VLAN or VXLAN range.

Note

The VLAN ID range from 1 to 3967 or 4048-4093, or the valid VXLAN ID range from 4096 to 16000000.
The range from 20000 to 30000 is reserved for the VSG HA.

Step 5

Click Submit to add the policy to the list or click Close to exit.

Defining Static IP Pool Policies

Step 1

From the Cisco UCS Director menu bar, choose Policies > Virtual/Hypervisor Policies > Network. The Network sub menu appears.

Step 2

Select the Static IP Pool Policy tab.

Step 3

Click Add. The Static IP Pool Policy Information screen appears.

Step 4

In the Static IP Pool Policy Information screen, complete the following fields.

Name

Description

Policy Name field

The policy name for the IP pool. This name can be alpha-numeric with maximum 32 characters.

Policy Description field

The description for the IP pool policy. The description can contain 256 characters.

Static IP Pools table

The IP pool. You can search for an IP pool in the search bar. If you want to add an entry to the existing list of IP pools, click + and complete the following fields:

In the Add Entry to Static IP Pools dialog box, complete the following fields:

Static IP Pool field

The range of IP addresses. This can be a combination of ranges, such as 192.168.4.2-192.168.4.30, and individual addresses separated by commas. The only restriction is that all of the addresses must belong to a common subnet.

Subnet Mask

The subnet mask address. For example, 255.255.255.0.

Gateway IP Address field

The default gateway IP address for this network. If this pool policy is used for a VM network, you must not use the gateway IP address.

Note

This field is mandatory for the management and uplink networks.
This field should be blank for all port group based networks.

For information on the port group based network, see Configuring VM Networks for a Custom Container Template

VLAN ID field

The VLAN ID to use for the network. This field is mandatory.

Click Submit to add the policy to the list of IP pool policies.

Step 5

Click Submit. You can click Close to close the wizard

You can click Back to review the information entered up to this point or click Close the wizard.

Adding an IP Subnet Pool Policy

Step 1

From the Cisco UCS Director menu bar, choose Policies > Virtual/Hypervisor Policies > Network. The Network sub menu appears.

Step 2

Select the IP Subnet Pool Policy tab.

Step 3

Click Add. The IP Subnet Pool Policy screen appears.

Step 4

In the IP Subnet Pool Policy Information screen, complete the following fields.

Name

Description

Policy Name field

The policy name for the IP Subnet pool. This name can be alpha-numeric with maximum 32 characters.

Policy Description field

The description for this policy. The description can be 256 characters long.

Network Supernet Address field

The network supernet address for this policy. The address must be in the a.b.c.d format.

Network Supernet Mask field

The network supernet mask address for this policy. For example, 255.255.255.0. The supernet address and mask provide the common prefix for the IP subnet pool.

Number of Subnets Required drop-down list

Choose the number of required subnets. This number must be a power of 2. The number specifies the number of bits by which the common subnet pool prefix will be extended to create individual subnets.

Choose the number of subnets in such a manner, that each subnet will have a minimum four IP addresses, excluding the network and broadcast IP addresses.

Note

One subnet will be used per container.

You must ensure that the number of IP addresses per subnet are equal to or greater than the total sum of the service VM's (both, in HA and non-HA modes) interfaces towards the workload VMs plus the number of workload VMs per container.

Gateway Address drop-down list

Choose the gateway address. This can be one of the following:

First Address in the subnet
Last address in the subnet

The chosen address specifies how the gateway address is allocated from each subnet that is created from this pool.

Allow IP Overlap drop-down list

Choose Yes if you want to allocate the same subnet to more than one container.

By default, overlapping of the IP addresses is disabled.

Note

For information on the overlapped IPs, see the About Overlapping IP section.

Context drop-down list

Note

This field is visible only if you set the Allow IP Overlap to Yes.

Choose the appropriate context type. The default option is UCSD. The available options are:

Tenant –If the subnet is in use by some tenant, the same subnet can be allocated for another tenant.
Container – If the subnet is in use by some container, the same subnet can be allocated for another container.
UCSD – This works as per existing behavior, where different subnets will be allocated to different containers (this is equivalent to the overlapped option set to No).

Step 5

Click Submit to add the policy to the list or click Close to exit the dialog box.

About Overlapping IP

The overlapping IP is a new feature in the IP Subnet Pool Policy, where the same subnet will be allocated to more than one container depending on Context Type Container or Tenant.

The IP Subnet Pool Poilcy can either be of type overlapped or non-overlapped. By default, the overlapped option is set to No, then it works as per the existing behavior.

If the IP Subnet Pool policy is the overlapped type, where the overlapped option is set to Yes, the following context types are available:

Tenant—If the subnet is in use by some tenant, the same subnet can be allocated for another tenant.
Container—If the subnet is in use by some container, the same subnet can be allocated for another container.
UCSD—This works as per existing behavior, where different subnets will be allocated to different containers (this is equivalent to the overlapped option set to No).

Attention:

If the routing type is Public and Overlap is set to Yes and the Context Type is either tenant or container, then the containers that have the same public IPs could lead to potential problem with the IP duplication.

To view the IP Subnet Pool Policy, navigate to Policies > Virtual/Hypervisor Policies > Network > IP Subnet Pool Policy. Two new columns, Overlapped and Context Type are available.

The Overlapped column indicates whether the overlapped option is being set to Yes or No.

The Context Type column indicates the level the subnet is being overlapped. It could be either UCSD, Container, or Tenant, where the UCSD is the default value.

Defining Storage Policies

Step 1

From the Cisco UCS Director menu bar, choose Policies > Virtual/Hypervisor Policies > Storage. The Storage sub menu appears.

Step 2

Select the VMware Storage Policy tab.

Step 3

Click Add. The Add Storage Resource Allocation Policy screen appears.

Step 4

In the Add Storage Resource Allocation Policy screen, complete the following fields:

Name	Description
Policy Name field	Choose the cloud in which resource allocation occurs.
Policy Description field	If you want to narrow the scope of deployment, choose whether to use all, include selected data stores, or exclude selected data stores.
Cloud Name drop-down list	Choose the cloud in which resource allocation occurs.
System Disk Scope
Data Stores/Datastore Clusters Scope drop-down list	If you want to narrow the scope of deployment, choose whether to use all, include selected data stores, or exclude selected data stores.
Use Shared Data Store Only check box	Check the check box to use only shared datastores.
Storage Options
Use Local Storate check box	Check the check box to use local storage. By default, the field is checked.
Use NFS check box	Check the check box to use NFS storage. By default, the field is checked.
Use SAN check box	Check the check box to use SAN storage. By default, the field is checked.
Minimum Conditions check boxes	Check the check box to choose one or more conditions that should match. Any datastores that do not meet these criteria are excluded from the consideration. If more than one condition is chosen, all conditions must match.
Override Template check box	Check the check box to override the template properties. You are provided with options to enter custom settings such as using thin provisioning and custom disk size.
Resizing Options for VM Life cycle
Allow Resizing of Disk check box	Check the check box to provide the end user with an option to choose the VM disk size before provisioning.
Allow user to select datastore from scope check box	Check the check box to provide the end user with an option to choose the data store during the service request creation.

Step 5

Click Next.

Step 6

In the Storage Policy - Additional Disk Policies screen, choose a disk type to configure.

Step 7

Click Edit (pencil icon) to edit the disk type.

Note

By default, the disk policy for the disk is the same as in the System Disk Policy.

The Edit option is not supported in this release.

Step 8

Click Submit.

Note

To use the storage policy created with additional disk policies, you need to associate the policy with the VDC that is used for the VM provisioning.

When using the Additional disks policies configured in a policy, ensure that you uncheck the Provision all disks in a single database check box during the catalog creation for the multiple disk template.

Defining System Policies

Step 1

On the menu bar, choose Policies > Virtual/Hypervisor Policies > Service Delivery.

Step 2

Choose the VMware System Policy tab.

Step 3

Click Add.

Step 4

In the System Policy Information dialog box, complete the following fields:

Name

Description

Policy Name field

The name of the policy.

Cisco UCS Director allows automatic creation of VM names. VM names can be automatically created using a set of variable names. Each variable must be enclosed in ${VARIABLE_NAME}. For example: vm-${GROUP_NAME}-SR${SR_ID}.

Policy Description field

The description of the policy.

VM Name Template field

Provide the VM name template to use.

Attention:

In a Cisco VACS deployment, this field displays the VM name in the Container_Zonename_VMname format by default. The VM name is obtained from the VM Name field in the Configuring Virtual Machines screen in the template wizard.

Even though this option is visible, it is not applicable to a Cisco VACS container deployment.

End User VM Name Prefix check box

Check the check box to allow the user to add a VM name prefix during a service request creation for VM provisioning.

Note

Even though this option is visible, it is not applicable to a Cisco VACS container deployment.

Power On after deploy check box

Check the check box to automatically power on all VMs deployed using this policy. In a Cisco VACS deployment, the container VMs remain powered on even when you leave this checkbox unchecked.

Step 5

Choose from the following optional VM Name Template features:

Name

Description

Host Name Template field

You can provide a host name template option or a VM host name can be automatically created using set of variable names in Cisco UCS Director. Each variable must be enclosed in ${VARIABLE}.

Attention:

In a Cisco VACS deployment, the host name provided does not reflect in the container VM.

Step 6

Choose the Host Name Template variable names. For example: ${VMNAME}

Step 7

Complete the following fields:

Name

Description

Linux Time Zone drop-down list

Choose the time zone.

DNS Domain field

The IP domain to use for the VM.

DNS Suffix List field

The DNS suffixes to configure for the DNS lookup. If there is more than one suffix, separate each by a comma.

DNS Server List field

The list of DNS server IP addresses. Use a comma to separate more than one server.

VM Image Type drop-down list

Choose the OS of the image that is installed on the VM. Choose from the two options:

Windows and Linux
Linux Only

If you choose Windows and Linux, then you need to complete the subsequent fields pertaining to Windows.

Windows

Product ID field

The Windows product ID or license key. The product ID or license key can be provided here or at the OS license pool. The key entered in OS license pool overrides the key provided here.

License Owner Name field

The Windows license owner name.

Organization field

The organization name to configure in the VM.

License Mode drop-down list

Choose per-seat or per-server.

Number of License Users

The number of license users or connections.

WINS Server List field

The WINS server IP addresses. Multiple values are separated with a comma.

Auto Logon check box

Check the check box to enable auto log on. You must retain the default settings.

Auto Logon Count field

The number of times to perform auto log on.

Administrator Password field

The password for the administrators account.

Windows Time Zone drop-down list

Choose the time zone.

Domain/Workgroup drop-down list

Choose either Domain or Workgroup.

Workgroup field

The name for the workgroup.

This option appears if Workgroup is chosen as the value in the Domain/Workgroup drop-down list.

Domain field

The name of the Windows domain.

Note

This option appears if Domain is chosen as the value in the Domain/Workgroup drop-down list.

Domain Username field

The Windows domain administrator’s username.

Note

This option appears if Domain is chosen as the value in the Domain/Workgroup drop-down list.

Domain Password field

The Windows domain password of the administrator.

Note

This option appears if Domain is chosen as the value in the Domain/Workgroup drop-down list.

Define VM Annotation check box

Check the check box to specify annotations to the VM.

You can specify a note and custom attributes as part of the annotation. After you select this check box, complete the following fields:

VM Annotation field

Enter a description for the VM.
Custom Attributes

Click Add (+) to specify the Name, Type and Value.

Note

The information that you add as part of the VM Annotation is displayed for the VM in the VM Details page.

Step 8

Click Submit.

About End User Self-Service Policy

The End User Self-Service Policy controls the actions or tasks that a user can perform on the VMs deployed in a Cisco VACS application container. The starting point for creating this policy is to specify an Account Type, for example VMware. After you specify an account type, you can continue with creating the policy. After you create the policy, you must assign the policy to an application container template that is created with the same account type. For example, if you have created an end user policy for VMware, then you can specify this policy when you create the Cisco VACS application container template. You cannot view or assign policies that have been created for other account types.

In addition to creating an end user self-service policy, Cisco VACS allows you to perform the following tasks:

View—Displays a summary of the policy.
Edit—Opens the End User Policy dialog box from which you can modify the description or the end user self service options.
Clone—Opens the End User Policy dialog box through which you can create another policy with options specified in another policy.
Delete—Deletes the policy from the system. However, no vDC must be assigned with this policy.

Important:

Assigning a policy to a Cisco VACS application container template is the only method through which you can control the tasks that a user can perform on the VMs deployed in a Cisco VACS application container.

Adding an End User Policy
Marking Datastores for ISO
Guest OS ISO Image Mapping

Adding an End User Policy

Step 1

On the menu bar, choose Policies > Virtual/Hypervisor Policies > Service Delivery.

Step 2

Choose the End User Self-Service Policy tab.

Step 3

Click Add (+).

Step 4

In the Add End User Policy dialog box, select an account type (VMware) from the drop-down list.

Step 5

Click Submit.

Step 6

In the End User Policy screen, complete the following fields:

Name

Description

Policy Name field

The name of the policy.

Policy Description field

The description for the policy.

End User Self-Service Options field

Select the tasks that a user can perform on the VM's with to the Cisco VACS application container that is assigned with this policy.

Note

We recommend that you do not select the tasks under VM Lease Expiry and VM Clone and Template Management, because performing these tasks will lead to issues with the Cisco VACS container.
For the Mount ISO Image As CD/DVD Drive task, ensure that you mark the datastores for the ISO image and map the guest ISO image. For information, see Marking Datastores for ISO and Guest OS ISO Image Mapping.

The list of tasks vary according to the Account Type.

Note

Cisco VACS Release 5.4STV2.1 supports only the VMware cloud type.

Step 7

Click Submit.

Marking Datastores for ISO

Step 1

On the menu bar, choose Policies > Virtual/Hypervisor Policies > Service Delivery.

Step 2

Click the ISO Datastores tab.

Step 3

Click Mark Datastores for ISO.

Step 4

In the Mark Datastores for ISO screen, complete the following fields:

Name	Description
Cloud Name drop-down list	Choose the cloud name.
Select Datastores button	Choose the datastores to be marked.

Step 5

Click Submit.

Guest OS ISO Image Mapping

Step 1

On the menu bar, choose Policies > Virtual/Hypervisor Policies > Service Delivery.

Step 2

Click the Guest OS ISO Image Mapping Policy tab.

Step 3

Click Add.

Step 4

In the Guest OS ISO Image Mapping screen, complete the following fields:

Name	Description
Policy Name field	The name of the policy.
Policy Description field	The description for the policy.
Cloud Name drop-down list	Choose the cloud name.
Allow End User to Select Guest OS and ISO Image check box	Check the check box to enable the user to choose the guest OS and ISO images. If checked, you can select the guest OS and ISO image source when you create a service request. If unchecked, you can only select the guest OS when you create a service request.
ISO field	Click the + icon to add an ISO image. Complete the fields in the Add Entry to ISO dialog box and click Submit.

Step 5

Click Submit.

About Zones

Cisco VACS enables you to create application container templates in the required zones based on the application design. The Web, Application, and Database zones are available in the 3 tier internal and 3 tier external templates. Depending on your requirements and security settings, you can choose to create container templates. You can choose to create custom security zones in the custom container templates.

Zones isolate virtual machine workloads that are based on security policies or rules. Cisco VACS enables predefined security policies/rules for 3 tier internal template and 3 tier external template for the web, Application and Database tiers. However, you can modify these policies for each container after the container has been deployed successfully. For more information on modifying these policies, see the Managing Firewall Policies section.

You can also add/modify the access control lists (ACLs) rules for each template that you define. The modified ACL rules will be effective only for all newly created application containers.

The custom container template does not pre-define zones or networks and therefore security policies and ACLs must be defined by the administrator based on the zones that are defined during the creation of the container template.

In Cisco VACS, the notion of zones is also used to define application tiers, such as web tier, app tier, and so on. Tiers are relevant to the load balancing function, where members of a tier express an aspect of application architecture and form a server farm.

About Cisco VACS 3 Tier Internal and External Container Templates

The Cisco VACS 3 tier internal and external container template offers a preset collection of virtual resources that you can deploy in your datacenter. The internal template defines and enforces the overall policy in the web, application, and database tiers on a shared VLAN or VXLAN and achieves minimum required segregation and enables you to choose a private or public address on the gateway. This template enables you to have external connectivity only to the web tier and restricts the application and database tiers from exposing their services or from consuming the services exposed by other applications inside a firewall.

The 3 tier internal and external container template uses Enhanced Interior Gateway Routing Protocol (EIGRP) as the default routing protocol if you choose the Public Router IP type. However, you have an option to choose either the EIGRP protocol or set up Static Routing Protocol, and set up other static routes to forward upstream traffic to the container's internal network.

These template types allows you to expose the services of the container to external applications and consume the services exposed by other applications behind the firewall. As with the internal template type, the specific security profile requirements for the tiers are enabled by the zone and security policies.

Creating a Cisco VACS 3 Tier Internal or External Template

Creating a Cisco VACS 3 Tier Internal or External Template

Select the application container type from the Add Template wizard under the VACS Container tab in Cisco UCS Director to create a new 3 tier internal or external container template.

To create the Cisco VACS 3 tier internal or external container template, perform the following tasks:

Process Flowchart for Creating the Internal/External Templates
Specifying a Template Type
Selecting the Deployment Options
Configuring Network Resource Pools
Configuring VM Networks
Configuring Server Load Balancing
Adding Virtual Machines to a Template
Reviewing the Summary

Process Flowchart for Creating the Internal/External Templates

Use the following workflow and the procedures in this chapter as a guide to create either the internal or the external templates.

Figure 1. Process Workflow—Creating Internal/External Templates

Specifying a Template Type

Note

It is important that you select the 3 Tier (Internal) or the 3 Tier (External) options from the Container Type drop-down list.
The Help link provides you access to the corresponding online help.

Step 1

From the Cisco UCS Director menu bar, choose Solutions > VACS Container. The Cisco VACS management task icons appear.

Step 2

Click Add Template. The Add VACS wizard appears.

Figure 2. Add Template Wizard

Step 3

In the VACS Template Specification screen, complete the following fields:

Name	Description
Template name field	Enter a name for the template you want to create. This name can be an alpha-numeric value with a maximum length of 256 characters.
Template Description field	Enter a description for the template. This field can contain 2048 characters.
Container Type drop-down list	Select either the 3 Tier (Internal) or 3 Tier (external) container type from the following choices: Cisco VACS 3 Tier (Internal) Cisco VACS 3 Tier (External) Cisco VACS Custom Container

Selecting the Deployment Options

You can choose the deployment options and parameters to configure your network pools and policies.

Note

The Help link provides you access to the corresponding online help.

Step 1

In the VACS Deployment Options screen, complete the following details:

Name

Description

Container Application Size button

Click Select to select the size of the container: Small, Medium, or Large.

Cisco VACS provides the following deployment options to meet your container requirements:

Cisco VACS Deployment Option

RAM(GB)

CPU Cycle(GHz)

vCPUs

Small

VSG—2 GB

CSR 1000V—4 GB

SLB—2 GB

VSG—1 GHz

VSG—1 vCPU

CSR 1000V—1 vCPU

SLB—1

Medium

VSG—2 GB

CSR 1000V—4 GB

SLB—2 GB

VSG—1.5 GHz

VSG—1 vCPU

CSR 1000V—2 vCPU

SLB—1

Large

VSG— 2 GB

CSR 1000V—4 GB

SLB—2 GB

VSG—1.5 GHz

VSG—2 vCPU

CSR 1000V—4 vCPU

SLB—1

Virtual Account drop-down list

Select the cloud account to deploy the container.

N1K DVSwitch drop-down list

Select the N1K Distributed Virtual Switch.

Computing Policy drop-down list

Choose the computing policy for your deployment type.

If you want to customize the computing policies, click the + icon to add a policy. For information on creating a computing policy, see Defining Computing Policies.

Storage Policy drop-down list

Choose the storage policy for your deployment type.

If you want to customize the storage policies, click the + icon to add a policy. For information on creating a storage policy, see Defining Storage Policies.

Systems Policy drop-down list

Choose the systems policy for your deployment type.

If you want to customize the system policies, click the + icon to add a policy. For information on creating a system policy, see Defining System Policies.

End User Self-Service Policy drop-down list

Select the end user self-service policy.

If you want to customize the end user self-service policies, click the + icon to add a policy. For information on creating an end user self-service policy, see Adding an End User Policy.

Infrastructure Deployment Options

Enable Server Load Balancing check box

Check this check box to enable the server load balancing (SLB) option. By default, SLB is disabled

Note

CSR and VSG are enabled by default and cannot be disabled.

High Availability drop-down list

Choose the high availability mode: Yes or No.

If you choose Yes during the container deployment, the high availablity (HA) mode is enabled as follows:

The firewall (VSG) redundancy or HA is provided by one active Cisco VSG and one standby Cisco VSG. For more information about VSG high availability, see http://www.cisco.com/c/en/us/td/docs/switches/datacenter/vsg/sw/4_2_1_VSG_1_1/vsg_configuration/guide/VSG_Config_Guide/vsg_config_high_availability.html.
The router (CSR1000V) redundancy or HA is enabled through the Hot Standby Router Protocol (HSRP). For more information about HSRP, see http://www.cisco.com/c/en/us/support/docs/ip/hot-standby-router-protocol-hsrp/9234-hsrpguidetoc.html.
Note
The ALG configuration on CSR will be done only when HA mode is No.
The SLB redundancy or HA is enabled through the Virtual Router Redundancy Protocol (VRRP). For more information, see http://www.haproxy.com/doc/hapee/1.5/configuration/vrrp.html.

Step 2

Click Next.

Configuring Network Resource Pools

Note

The Help link provides you access to the corresponding online help.

Step 1

In the VACS Network Resource Pool screen, complete the following fields:

Name	Description
Management IP Pool
Management IP Pool button	Click Select to display the list of static IP pools. Select the appropriate pool and click Select. This pool is used to configure the Cisco Virtual Security Gateway (VSG), Cisco Cloud Services Router (CSR), and the Server Load Balancer (SLB) management IP. If no pools are displayed, click the + icon to add a new static IP pool. For more information on adding a new static IP pool, see the Defining Static IP Pool Policies
Router Network Configuration
Router Uplink IP Pool button	Click Select to display the list of static IP pools. Select the Static IP pool to configure the uplink interface of the CSR and click Select. If no pools are displayed, click the + icon to add a new static IP pool. For more information on adding a new static IP pool, see the Defining Static IP Pool Policies
Router IP Type drop-down list	Choose the Router IP type: Public or Private. If you choose Public, the router will be configured with public IP addresses based on the chosen routing protocol.
L3 Routing Protocol drop-down list	Choose the L3 routing protocol:Static or EIGRP. This field is visible only if you choose the Public Router IP type.
Autonomous System Number field	Enter the system number. The range is between 1 to 65535. This field is visible only if you choose EIGRP as the L3 routing protocol.
MTU field	Enter the MTU number. The range is between 1500 to 9216. The default value is 1500. This field is visible only if you choose EIGRP as the L3 routing protocol.

Step 2

Click Next.

Configuring VM Networks

Virtual machine networks provide all of the information about the configured virtual machines for the Cisco VACS templates.

Note

The Help link provides you access to the corresponding online help.

Step 1

In the VACS – VM Networks screen, select a virtual machine network from the list displayed. If no networks are displayed, click + to add an entry to the VM Networks table.

Step 2

In the Add Entry to VM Networks screen, complete the following fields:

Name

Description

Network Name field

Provide a unique network name up to 128 characters long.

Network Type drop-down list

Choose the network type to connect to the network. The available options are:

VLAN
VXLAN

VLAN Pool button

Note

Based on the network type that you select, either the VLAN Pool, the VXLAN Pool, or the Port Group buttons will appear.

Click Select to select a VLAN Pool from the list of available pools that are displayed. If no pools are displayed, click the + icon to add a new policy. For more information on adding a new policy, see Adding a VLAN or VXLAN Pool Policy.

VXLAN Pool button

Note

Based on the network type that you select, either the VLAN Pool, the VXLAN Pool, or the Port Group buttons will appear.

Click Select to select a VXLAN Pool from the list of available pools that are displayed. If no pools are displayed, click the + icon to add a new policy. For more information on adding a new policy, see Adding a VLAN or VXLAN Pool Policy.

IP Subnet Pool button

Note

The IP Subnet Pool button is visible only when you select the either VLAN or VxLAN as the network type.

Click Select to select IP Subnet Pool from the list of pools displayed. If the port group option is not selected, you must select a IP Subnet pool from the list of available pools. If no pools are displayed, click the + icon to add a new IP Subnet Pool Policy. For more information on adding a new IP subnet pool policy, see Adding an IP Subnet Pool Policy.

Click Submit.

Note

Only one network is allowed for both, 3 tier internal and external container templates.

Step 3

Click Next. You can click Back to review the information that you have provided until this point, or click Close to exit the wizard.

Configuring Server Load Balancing

Enabling the server load balancing (SLB) option is an optional task. Based on your requirements, you can enable this option. By default, the SLB option is disabled.

Note

This screen appears only if you enable SLB in the VACS Deployment Options screen. For more information, see Selecting the Deployment Options.
The Help link provides you access to the corresponding online help.

Step 1

In the Server Load Balancing screen, complete the following fields:

Note

This screen appears only if you have selected the SLB option in the Deployment Options screen.

Name

Description

Tier drop-down list

You can deploy the template only for the web, hence the WebZone is the only available value.

Handling Mode drop-down list

Choose the protocol. By default, the value is set to Passthrough. This mode indicates that the SLB will not terminate the SSL/HTTP session.

The available values are:

Passthrough
HTTP Processing

Note

In the Cisco VACS Release 5.3STV2.0, the SLB will not terminate SSL traffic. If you want to serve the SSL traffic, then it is important that you select the Passthrough mode. If you are serving only the HTTP traffic, then you can select the HTTP processing mode so as to enable the cookie based persistence.

Persistence drop-down list

Choose the persistence criteria. By default, the value is set to None. The available values are:

Source IP—Indicates that load balancing, although based on round robin, directs subsequent requests to the same backend server based on the IP address of the client.
Cookie—Indicates that the load balancing, although based on round robin, directs subsequent requests to the same backend server based on the cookie information that has been inserted by the SLB.
None—Indicates a round robin load balancing and no additional persistence criterion to stick a client to a single server.

Note

If you choose the Passthrough in the Handling mode, the persistence drop-down list displays only the Source IP and the None values.

In Passthrough mode, SLB is not handling the HTTP mode and is only managing the TCP processing. Hence, SLB will not insert/parse cookies in the HTTP header. Therefore, only the Source IP and the None values are available.

HTTP

Note

You must change the TCP port value only if the service is hosted on the custom ports. If you change this value, then you must also edit the firewall ACL rules to allow the traffic to pass through the custom ports.

Front TCP Port field

Enter the TCP port number. The default value is 80.

Back TCP Port field

Enter the TCP port number. The default value is 80.

Click Submit.

HTTPS

Note

This option is available only if you do not choose HTTP Processing as the Handling Mode.
You must change the TCP value only if the service is hosted on the custom ports. If you change this value, then you must also edit the firewall ACL rules to allow the traffic to pass through the custom ports.

Front TCP Port field

Enter the TCP port number. The default value is 443.

Back TCP Port field

Enter the TCP port number. The default value is 443.

Step 2

Click Next. You can click Back to review the information that you have provided until this point, or click Close to exit the wizard.

Adding Virtual Machines to a Template

Adding virtual machines to your Cisco VACS template at this stage is an optional task. Based on your requirements, you can add the virtual machines after you create and provision the containers.

Note

The Help link provides you access to the corresponding online help.

Step 1

In the VACS – Virtual Machines screen , click the + icon to add a virtual machine.

Step 2

In the Add Entry to Virtual Machines screen, complete the following fields:

Name

Description

Security Zone drop-down list

Choose a security zone.

VM Name field

Provide a unique name for the virtual machine, up to 32 characters long. The complete virtual machine name will include the name provided in this field, the zone name and the container name.

Description field

Provide a description for the virtual machine.

VM Image drop-down list

Choose a virtual machine image to deploy from the list. The list contains the virtual machine templates that are present on the chosen vCloud account. If the list is empty, then the chosen vCloud account does not have any templates.

Note

The drop-down list shows only the VM templates which are added to one of the hosts on the datacenter where Virtual Machines are deployed.
If the drop-down list does not show the added VM templates, you must perform inventory collection to display them :
- Choose Virtual > Compute.
- Under All Clouds, select your virtual account (for the polling option to become visible), and then choose Polling > Request Inventory Collection.

Number of Virtual CPUs drop-down list

Choose the custom number of virtual CPUs.

Memory drop-down list

Choose the custom memory size for the VM.

CPU Reservation (MHz) field

Enter a value to define the CPU reservation of the VM.

Memory Reservation (MB) field

Enter a value to define the memory reservation of the VM.

Disk Size (GB) field

Enter the disk size.

VM Password Sharing Option drop-down list

Choose the virtual machine password sharing option:

Do not share
Share after password reset
Share template credentials

Note

You must uncheck the Use Network Configuration from Image Option checkbox. If you select this option, the VM IP addresses will not be assigned from selected pool. By default, this checkbox is not checked.

Root Login for the Template field

Enter the username.

This field is visible only if you choose the Share after password rest or the Share template credentials option.

Root Password for the Template field

Enter the password.

This field is visible only if you choose the Share after password rest or the Share template credentials option.

VM Network Interfaces drop-down list

Choose the virtual machine network interface from the list of interfaces. Only one network is allowed for a VACS 3 tier internal type and VACS 3 tier external type containers.

Click + to add an interface and complete the following fields:

Name

Description

VM Network Interface Name field

Enter a unique name for the VM network interface.

Select the Network drop-down list

Choose the network to which the Network Interface Card (NIC) should be attached.

Adapter Type drop-down list

Select the appropriate adapter type.

Click Submit.

Initial Quantity field

Enter the number of virtual machine instances to provision when you create a container. The default number is one.

Step 3

Repeat for each zone and then click Next.

Reviewing the Summary

Step 1	In the Summary screen, review and verify the details displayed for the specific container template.
Step 2	Click Submit or click Back to modify the details. Click Close to exit the wizard.

Viewing and Editing the ACLs for the 3 Tier Templates

Cisco Virtual Application Cloud Segmentation (VACS) Services (Cisco VACS) defines default access control lists (ACLs) for the 3 tier templates. You can view and edit these ACLs.

Note

Use this procedure to edit the firewall access control lists (ACLs) rules for the templates. To modify existing firewall ACL rules for deployed containers, you must use the Firewall Policy menu option available at Policies > Application Containers. For more information, see Editing Firewall ACL Rules.

Step 1

On the menu bar, choose Physical > Network > Multi-Domain Manager > PNSC Accounts.

Step 2

In the navigation pane, choose an account.

Step 3

Choose the PNSC Firewall Policies tab. The Cisco UCS Director displays a table of the PNSC firewall policies. These policies include the ACLs.

Step 4

Select the accurate firewall policy to view or edit that policy's ACLs.

Note

The naming convention is Template Name_firewall policy.

Step 5

Click Edit.

Step 6

In the PNSC Firewall Specification screen, click Next to leave the information as is.

Step 7

In the PNSC-Zones Configuration screen, click Next to leave the information as is.

Step 8

In the PNSC-ACL Rules screen, you can add a new ACL, or edit, delete, or move the existing ACLs.

Step 9

After you are done adding, editing, deleting and moving the ACLS, click Next.

Step 10

In the PNSC-VSG Configuration screen, retain the default values, and then click Submit.

You can click Back to review the information entered up to this point or click Close to close the wizard and undo any changes.

About Cisco VACS Custom Container Template

The Cisco VACS Custom Container (or Advanced Container) template enables you to design a container that meets your specific requirements without any restrictions on the number of tiers, zones, networks, or network elements such as, CSR, and/or VSG, and/or SLB or a combination of these network elements and application types. The custom container type allows you to build a template that allows a n-tier application with each tier on a shared or dedicated VLAN or VXLAN segments.

Creating a Cisco VACS Custom Container Template

Creating a Cisco VACS Custom Container Template

Select the application container type from the Add Template wizard under the VACS Container tab in Cisco UCS Director to create a new custom container template.

To create the Cisco VACS custom container template, perform the following tasks:

Process Flowchart for Creating Custom Templates
Specifying a Template Type
Selecting the Deployment Options
Configuring Network Resource Pools
Configuring Security Zones
Configuring Access Control Lists
Configuring the Application Layer Gateway for a Cisco VACS Container
Configuring VM Networks for a Custom Container Template
Configuring Server Load Balancing
Adding Virtual Machines to a Template
Reviewing the Summary

Process Flowchart for Creating Custom Templates

Use the following workflow and the procedures in this chapter as a guide to create custom templates.

Figure 3. Process Flowchart—Creating Custom Templates

Specifying a Template Type

Note

It is important that you select the Custom Container option from the Container Type drop-down list.
The Help link provides you access to the corresponding online help.

Step 1

From the Cisco UCS Director menu bar, choose Solutions > VACS Container. The Cisco VACS management task icons appear.

Step 2

Click Add Template. The Add VACS wizard appears.

Figure 4. Add Template Wizard

Step 3

In the VACS Template Specification screen, complete the following fields:

Name	Description
Template name field	Enter a name for the template you want to create. This name can be an alpha-numeric value with a maximum length of 256 characters.
Template Description field	Enter a description for the template. This field can contain 2048 characters.
Container Type drop-down list	Select Custom container type from the following choices: Cisco VACS 3 Tier (Internal) Cisco VACS 3 Tier (External) Cisco VACS Custom Container

Selecting the Deployment Options

You can choose the deployment options and parameters to configure your network pools and policies.

Note

The Help link provides you access to the corresponding online help.

Step 1

In the VACS Deployment Options screen, complete the following details:

Name

Description

Container Application Size button

Click Select to select the size of the container: Small, Medium, or Large.

Cisco VACS provides the following deployment options to meet your container requirements:

Cisco VACS Deployment Option

RAM(GB)

CPU Cycle(GHz)

vCPUs

Small

VSG—2 GB

CSR 1000V—2.5 GB

SLB—2 GB

VSG—1 GHz

VSG—1 vCPU

CSR 1000V—1 vCPU

SLB—1

Medium

VSG—2 GB

CSR 1000V—4 GB

SLB—2 GB

VSG—1.5 GHz

VSG—1 vCPU

CSR 1000V—2 vCPU

SLB—1

Large

VSG— 2 GB

CSR 1000V—4 GB

SLB—2 GB

VSG—1.5 GHz

VSG—2 vCPU

CSR 1000V—4 vCPU

SLB—1

Virtual Account drop-down list

Select the cloud account to deploy the container.

N1K DVSwitch drop-down list

Select the N1K Distributed Virtual Switch.

Computing Policy drop-down list

Choose the computing policy for your deployment type.

If you want to customize the computing policies, click the + icon to add a policy. For information on creating a computing policy, see Defining Computing Policies.

Storage Policy drop-down list

Choose the storage policy for your deployment type.

If you want to customize the storage policies, click the + icon to add a policy. For information on creating a storage policy, see Defining Storage Policies.

Systems Policy drop-down list

Choose the systems policy for your deployment type.

If you want to customize the system policies, click the + icon to add a policy. For information on creating a system policy, see Defining System Policies.

End User Self-Service Policy drop-down list

Select the end user self-service policy.

If you want to customize the end user self-service policies, click the + icon to add a policy. For information on creating an end user self-service policy, see Adding an End User Policy.

Infrastructure Deployment Options

Enable Edge Gateway check box

Check the check box to deploy Cisco Services Router (CSR) 1000V as a part of the container.

By default, the edge gateway is enabled.

Enable Zone Security for Tiers check box

Check the check box to deploy Virtual Security Gateway (VSG) as a firewall of a container.

By default, the zone security for the tiers is enabled.

Enable Server Load Balancing check box

Check this check box to enable the server load balancing (SLB) option. By default, SLB is disabled

High Availability drop-down list

Choose the high availability mode: Yes or No. By default, the HA mode is set to No.

If you choose Yes during the container deployment, the high availablity (HA) mode is enabled as follows:

firewall (VSG) redundancy or HA is provided by one active Cisco VSG and one standby Cisco VSG. For more information about VSG high availability, see http://www.cisco.com/c/en/us/td/docs/switches/datacenter/vsg/sw/4_2_1_VSG_1_1/vsg_configuration/guide/VSG_Config_Guide/vsg_config_high_availability.html.
The router (CSR1000V) redundancy or HA is enabled through the Hot Standby Router Protocol (HSRP). For more information about HSRP, see http://www.cisco.com/c/en/us/support/docs/ip/hot-standby-router-protocol-hsrp/9234-hsrpguidetoc.html.

Note
The ALG configuration on CSR will be done only when HA mode is No.
The SLB redundancy or HA is enabled through the Virtual Router Redundancy Protocol (VRRP). For more information, see http://www.haproxy.com/doc/hapee/1.5/configuration/vrrp.html.

Step 2

Click Next.

Configuring Network Resource Pools

Note

This screen is displayed only when at least one of the service VMs, such as enabling edge gateway, appear when atleast one of the service VMs(enabling edge, zone security, or SLB are selected in the VACS Deployment Options screen.
The Help link provides you access to the corresponding online help.

Step 1

In the VACS Network Resource Pool screen, complete the following fields:

Name

Description

Management IP Pool

Management IP Pool button

Click Select to display the list of static IP pools. Select the appropriate pool and click Select. This pool is used to configure the Cisco Virtual Security Gateway (VSG), Cisco Cloud Services Router (CSR), and the Server Load Balancer (SLB) management IP. If no pools are displayed, click the + icon to add a new static IP pool.

For more information on adding a new static IP pool, see the Defining Static IP Pool Policies

Router Network Configuration

Note

This option is displayed only when you enable the edge gateway.

Router Uplink IP Pool button

Click Select to display the list of static IP pools. Select the Static IP pool to configure the uplink interface of the CSR and click Select. If no pools are displayed, click the + icon to add a new static IP pool.

For more information on adding a new static IP pool, see the Defining Static IP Pool Policies

Router IP Type drop-down list

Choose the Router IP type: Public or Private. If you choose Public, the router will be configured with public IP addresses based on the chosen routing protocol.

L3 Routing Protocol drop-down list

Choose the L3 routing protocol:Static or EIGRP.

This field is visible only if you choose the Public Router IP type.

Autonomous System Number field

Enter the system number. The range is between 1 to 65535.

This field is visible only if you choose EIGRP as the L3 routing protocol.

MTU field

Enter the MTU number. The range is between 1500 to 9216.

The default value is 1500.

This field is visible only if you choose EIGRP as the L3 routing protocol.

Step 2

Click Next.

Configuring Security Zones

You can configure the security zones for your custom container and define the zone conditions based on your requirements.

Note

The Help link provides you access to the corresponding online help.

Step 1

In the VACS Security Zones Configuration screen, click + to add security zones to the list.

Step 2

In the Add Entry to Security Zones screen, complete the following fields:

Name

Description

Zone Name field

Enter a unique zone name. This can be an alpha-numeric value between 2- 32 characters.

Zone description field

Enter a description for the security zone. This description can be 256 characters long.

Zone Conditions field

Note

This option is displayed only if you enable the zone security for the tiers in the VACS Deployment Options screen.

Click + to add an entry to the zone conditions table and complete the following fields:

From the Attribute Type drop-down list, choose the attribute : Network or VM.
From the Attribute Name drop-down list, choose the name.
From the Operator drop-down list, choose the operator : Range or Equals or Not Equals or Prefixed by.
In the Attribute Value field, enter an appropriate value.
Click Submit to add the entry to the list of zone conditions.

Step 3

Click Next.

Configuring Access Control Lists

Note

This screen is visible only if you enable the zone security for the tiers (VSG) in the VACS Deployment Options screen.
The Help link provides you access to the corresponding online help.

Step 1

In the VACS Access Control List Configuration screen, click + to add the ACL rules.

Step 2

In the Add Entry to Access Control List Rules screen, complete the following fields:

Name

Description

Name field

Enter a unique name for the ACL Rule. This name can be an alpha-numeric and special character set between 2-32 characters long.

Description field

Enter a description for the ACL rule in less than 256 characters.

Action drop-down list

Choose an action : Permit or Drop or Reset

Condition Match Criteria drop-down list

Choose a criteria: match-all or match-any

Protocol/Service drop-down list

Choose between Protocol or Service

Note

Check the check-box to enable protocol to set the rule. The protocol is set to Any by default.

Service field

Choose the required services. The available options are http and https.

Source Conditions table

Click + to add an entry to the source conditions table and complete the following fields:

From the Attribute Type drop-down list, choose the attribute : Network, VM, or Zone.
From the Attribute Name drop-down list, choose the name.
From the Operator drop-down list, choose the operator : Range or Equals or Not Equals or Prefixed by or Range.
In the Attribute Value field, enter the corresponding IP address.
Click Submit to add the entry to the list of zone conditions.

Destination Conditions table

Click + to add an entry to the destination conditions table and complete the following fields:

From the Attribute Type drop-down list, choose the attribute : Network, VM or Zone.
From the Attribute Name drop-down list, choose the name.
From the Operator drop-down list, choose the operator : Range or Equals or Not Equals or Prefixed by or Range.
In the Attribute Value field, enter the corresponding IP address.
Click Submit to add the entry to the list of zone conditions.

Step 3

Click Next.

Configuring the Application Layer Gateway for a Cisco VACS Container

Note

This screen is visible only when you enable the Edge Gateway (CSR) option with the non-HA mode in the in the VACS Deployment Options screen.
The Help link provides you access to the corresponding online help.

The Application Layer Gateway performs inspection on the incoming packets for the selected Application layer Protocols.

Note

By default, the first five protocols (HTTP, HTTPS, FTP, DNS, and ICMP) are enabled.

Step 1	In the Application Layer Gateway screen, check the required check-boxes to enable protocol level access control to configure the application layer gateway on the router.
Step 2	Click Next.

Configuring VM Networks for a Custom Container Template

Virtual machine networks provide all of the information about the configured virtual machines for the Cisco VACS templates.

Note

The Help link provides you access to the corresponding online help.

Step 1

In the VACS – VM Networks screen, select a virtual machine network from the list displayed. If no networks are displayed, click + to add an entry to the VM Networks table.

Step 2

In the Add Entry to VM Networks screen, complete the following steps:

Name

Description

Network Name field

Provide a unique network name up to 128 characters long.

Network Type drop-down list

Choose the network type to connect to the network. The available options are:

VLAN
VXLAN
Port Group

VLAN Pool button

Note

Based on the network type that you select, either the VLAN Pool, the VXLAN Pool, or the Port Group buttons will appear.

Click Select to select a VLAN Pool from the list of available pools that are displayed. If no pools are displayed, click the + icon to add a new policy. For more information on adding a new policy, see Adding a VLAN or VXLAN Pool Policy.

VXLAN Pool button

Note

Based on the network type that you select, either the VLAN Pool, the VXLAN Pool, or the Port Group buttons will appear.

Click Select to select a VXLAN Pool from the list of available pools that are displayed. If no pools are displayed, click the + icon to add a new policy. For more information on adding a new policy, see Adding a VLAN or VXLAN Pool Policy.

Port Group button

Note

Based on the network type that you select, either the VLAN Pool, the VXLAN Pool, or the Port Group buttons will appear.

Click Select to select Port Group from the list of available port groups that are displayed.

If you choose Port Group, you must select the required port group from the list of port-groups that are shown in the table. The port-groups displayed are the ones that are associated with the Nexus1000V DVS mapped to the template.

IP Subnet Pool button

Note

The IP Subnet Pool button is visible only when you select the either VLAN or VxLAN as the network type.

Click Select to select IP Subnet Pool from the list of pools displayed. If the port group option is not selected, you must select a IP Subnet pool from the list of available pools. If no pools are displayed, click the + icon to add a new IP Subnet Pool Policy. For more information on adding a new IP subnet pool policy, see Adding an IP Subnet Pool Policy.

Static IP Pool button

Note

The Static IP Pool field is visible only when you select the Port Group as the network type.

Click Select to select a static IP Pool from the list of pools displayed. If no pools are displayed, click the + icon to add a new static IP pool Policy. For more information on adding a new static IP pool policy, see Defining Static IP Pool Policies.

Click Submit.

Note

To define more than one VM network, repeat step 2.

Step 3

Click Next. You can click Back to review the information that you have provided until this point, or click Close to exit the wizard.

Configuring Server Load Balancing

Enabling the server load balancing (SLB) option is an optional task. Based on your requirements, you can enable this option. By default, the SLB option is not enabled.

Note

This screen appears only if you enable SLB in the VACS Deployment Options screen. For more information, see Selecting the Deployment Options.
The Help link provides you access to the corresponding online help.

Step 1

In the Server Load Balancing screen, complete the following fields:

Name

Description

Tier drop-down list

Choose the zone on which SLB should be associated with. The available options are based on the security zones that were created earlier.

Network drop-down list

Choose the network on which the load balancing needs to occur. The drop-down list displays all the networks that were created only for the VXLAN and VLAN type of network in the VM Networks screen.

Handling Mode drop-down list

Choose the protocol. By default, the value is set to Passthrough. This mode indicates that the SLB will not terminate the SSL/TCP session.

The available values are:

Passthrough
HTTP Processing

Note

In the Cisco VACS Release 5.3STV2.0, the SLB will not terminate SSL traffic. If you want to serve the SSL traffic, then it is important that you select the Passthrough mode. If you are serving only the HTTP traffic, then you can select the HTTP processing mode so as to enable the cookie based persistence.

Persistence drop-down list

Choose the persistence criteria. By default, the value is set to None. The available values are:

Source IP—Indicates that load balancing, although based on round robin, directs subsequent requests to the same backend server based on the IP address of the client.
Cookie—Indicates that the load balancing, although based on round robin, directs subsequent requests to the same backend server based on the cookie information that has been inserted by the SLB.
None—Indicates a round robin load balancing and no additional persistence criterion to stick a client to a single server.

Note

If you choose the Passthrough in the Handling mode, the persistence drop-down list displays only the Source IP and the None values.

In Passthrough mode, SLB is not handling the HTTP mode and is only managing the TCP processing. Hence, SLB will not insert/parse cookies in the HTTP header. Therefore, only the Source IP and the None values are available.

HTTP

Note

You must change the TCP port value only if the service is hosted on the custom ports. If you change this value, then you must also edit the firewall ACL rules to allow the traffic to pass through the custom ports.

Front TCP Port field

Enter the TCP port number. The default value is 80.

Back TCP Port field

Enter the TCP port number. The default value is 80.

Click Submit.

HTTPS

Note

This option is available only if you do not choose HTTP Processing as the Handling Mode.
You must change the TCP value only if the service is hosted on the custom ports. If you change this value, then you must also edit the firewall ACL rules to allow the traffic to pass through the custom ports.

Front TCP Port field

Enter the TCP port number. The default value is 443.

Back TCP Port field

Enter the TCP port number. The default value is 443.

Step 2

Click Next. You can click Back to review the information that you have provided until this point, or click Close to exit the wizard.

Adding Virtual Machines to a Template

Adding virtual machines to your Cisco VACS template at this stage is an optional task. Based on your requirements, you can add the virtual machines after you create and provision the containers.

Note

The Help link provides you access to the corresponding online help.

Step 1

In the VACS – Virtual Machines screen , click the + icon to add a virtual machine.

Step 2

In the Add Entry to Virtual Machines screen, complete the following fields:

Name

Description

Security Zone drop-down list

Choose a security zone.

VM Name field

Provide a unique name for the virtual machine, up to 32 characters long. The complete virtual machine name will include the name provided in this field, the zone name and the container name.

Description field

Provide a description for the virtual machine.

VM Image drop-down list

Choose a virtual machine image to deploy from the list. The list contains the virtual machine templates that are present on the chosen vCloud account. If the list is empty, then the chosen vCloud account does not have any templates.

Note

The drop-down list shows only the VM templates which are added to one of the hosts on the datacenter where Virtual Machines are deployed.
If the drop-down list does not show the added VM templates, you must perform inventory collection to display them:
- Choose Virtual > Compute.
- Under All Clouds, select your virtual account (for the polling option to become visible), and then choose Polling > Request Inventory Collection.

Number of Virtual CPUs drop-down list

Choose the custom number of virtual CPUs.

Memory drop-down list

Choose the custom memory size for the VM.

CPU Reservation (MHz) field

Enter a value to define the CPU reservation of the VM.

Memory Reservation (MB) field

Enter a value to define the memory reservation of the VM.

Disk Size (GB) field

Enter the disk size.

VM Password Sharing Option drop-down list

Choose the virtual machine password sharing option:

Do not share
Share after password reset
Share template credentials

Note

You must uncheck the Use Network Configuration from Image Option check box. If you select this option, the VM IP addresses will not be assigned from selected pool. By default, this check box is not checked.

Root Login for the Template field

Enter the username.

This field is visible only if you choose the Share after password rest or the Share template credentials option.

Root Password for the Template field

Enter the password.

This field is visible only if you choose the Share after password rest or the Share template credentials option.

VM Network Interfaces drop-down list

Choose the virtual machine network interface from the list of interfaces. Only one network is allowed for a VACS 3 tier internal type and VACS 3 tier external type containers.

Note

If SLB has been enabled in the template, you must choose at least one virtual machine network interface that is in the same network as that of the SLB.

Click + to add an interface and complete the following fields:

Name

Description

VM Network Interface Name field

Enter a unique name for the VM network interface.

Select the Network drop-down list

Choose the network to which the Network Interface Card (NIC) should be attached.

Adapter Type drop-down list

Select the appropriate adapter type.

Click Submit.

Attention:

You are allowed to add only one VLAN or VXLAN network to the VM for each zone. However, you can add any number of port group based networks.

Initial Quantity field

Enter the number of virtual machine instances to provision when you create a container. The default number is one.

Step 3

Repeat for each zone and then click Next.

Reviewing the Summary

Step 1	In the Summary screen, review and verify the details displayed for the specific container template.
Step 2	Click Submit or click Back to modify the details. Click Close to exit the wizard.

Publishing a Catalog

Step 1

On the menu bar, choose Policies > Catalogs.

Step 2

Choose the Catalog tab.

Step 3

Click Add (+)

Step 4

In the Catalog Add dialog box, select the type of catalog that you want to add.

Step 5

Click Submit.

Step 6

In the Add Catalog dialog box, complete the following fields:

Name

Description

Basic Information pane

Catalog Name field

Enter the catalog name.

Note

After you create a catalog, you cannot modify the name.

Catalog Description field

Enter a description of the catalog.

Catalog Type drop-down list

Select Service Container as the type of catalog. This catalog is used for publishing application containers as catalog items.

Catalog Icon drop-down list

Choose from a list of icons to associate this catalog with an image. This icon is seen when you are creating a service request using this catalog.

Applied to all groups check box

Check the check box to enable all groups to use this catalog. Uncheck the check box to deny its use to other groups.

Customer Organization check box

Click Select to open and select the list of customer organizations you want the published catalog be available to.

Publish to end users check box

Uncheck this check box if you do not want this catalog to be visible to end-users. If you do not uncheck this check box, then this catalog will be visible to the end users of the system.

Cloud Name drop-down list

Choose the cloud with the image for VM provisioning.

Service Container Template Name drop-down list

Choose the template from the list.

Note

This option appears when the chosen Catalog Type is Service Container.

Select Folder drop-down list

Choose the folder within which this catalog must be created in.

Note

The drop-down list includes names of folders that are available by default. You can either select a folder that is available, or click the + icon to create a new folder. In the Add New Folder dialog box, specify a folder name, and select an icon for the folder.

Step 7

Click Next.

Step 8

Review the catalog information in the Summary page.

Step 9

Click Submit.

Instantiating Cisco VACS Containers

After creating the Cisco VACS application container templates, you can instantiate them by ordering an extended application container from the Cisco UCS Director self-service catalog. The self-service catalog enables you to purchase, monitor, and manage the individual services of a container. When you submit a container provisioning request, a service request is created. If the container creation operation fails, you can resubmit the first four tasks of this process.

Note

You can resubmit a failed container rollback.

Step 1

In the Cisco UCS Director menu bar, choose Solutions > VACS Container.

Step 2

Right-click the appropriate template and Select Create Container. The Create Container from Template screen appears.

Step 3

In the Create Container from Template screen, complete the following fields:

Name	Description
Container Name field	Enter a name for the container.
Container Label field	Enter a label for the container.
Number of Hosts per Tier field	Enter the number of hosts per tier.
Group drop-down list	Select the end user you want to share the templates with.

Step 4

Click Submit.

Managing Container Templates

As an administrator, you can perform the following management actions on the Cisco VACS application container templates that you create:

Edit template
Clone template
Delete template

Note

The edit and delete operations should be performed only when the Cisco VACS application containers are not using these templates.

Do not edit or clone templates from 1 type to another. It is not recommended to change (add or remove) the optional services while editing an existing template

For detailed instructions about the management tasks you can perform in Cisco UCS Director, see the following guides:

Cisco UCS Director Application Container Guide
Cisco UCS Director Self -Service Portal Guide
Cisco UCS Director Administration Guide

Managing Application Containers

As an administrator, you can perform the following management actions on the Cisco VACS application containers that you create:

View details
View reports
Power on/off a container
Add virtual machines
ERSPAN
Firewall Policy
Static NAT
Delete virtual machines
Delete container
View Report

For detailed instructions about the management tasks you can perform in Cisco UCS Director, see the following guides:

Cisco UCS Director Application Container Guide
Cisco UCS Director Self -Service Portal Guide
Cisco UCS Director Administration Guide

Viewing Reports

You can generate summary reports, a detailed report with credentials, and a detailed report without credentials for each container.

Step 1

On the menu bar, choose Policies > Application Containers.

Step 2

Click the Application Container tab.

Step 3

Choose a container or right-click on the container to bring up all of the actions.

Step 4

Click View Reports.

Step 5

From the Select Report Type drop down list, choose the report you want to view.

Reports "with Credentials" show passwords in plain text. Reports "without Credentials" hide passwords in the report.

Reports for Administrators contain policy information not given in reports for Self-Service Users.

A dialog appears with a report detailing the application container.

Note

Any of the reports, in the report header, shows the ID of the Service Request used to create the container.

Types of Reports

Attention:

To view the login passwords and vnc details for the VMs, see the detailed report with credentials.
The login user for CSR/VSG is admin and for SLB is root.
The default enable password for CSR is cisco123.
The Summary Report and the Detailed Report in the Secure Container details are displayed based on the permissions granted by the administrator.
The contents of the Detailed report depends on whether it is a secure report or an unsecure report.

Cisco VACS generates different types of reports for each container that you create. The following reports can be viewed based on the user roles:

Note

In addition to these reports, Cisco VACS maintains the VACS Resource History Report, which is an audit report that is utilized to debug issues related to resource allocation. For more information, see About the Cisco VACS Resource History Report.

Secure Reports—These reports are displayed based on the permissions granted by the administrator while setting the end user options and they do not display the details of the service VMs.

Summary Report (for Self-Service Users)—displays the details of the workload VMs

Detailed Report (for Self-Service User)

Container:Name—displays the container name, container type, the group it belongs to, and the date the template was created.
Virtual Machines—displays the details of the workload VMs.
Event history—displays the deployment history.
Virtual Machine Subnet Information—displays the network and gateway IP addresses and the subnet mask.
CSR Uplink Information—information about the CSR 1000V uplink.

Static Nat Details—displays Static Nat related information.

Note

If the network administrator has granted permissions to view the secure container details, the Stats URL displays the VIP IP address instead of the SLB Management IP Address.

Detailed Report without Credentials (for Administrators)
Detailed Report with Credentials (for Administrators)

Unsecure Reports—These reports are displayed based on the permissions granted by the administrator while setting the end user options. The following reports are available:
- Summary Report (for Self-Service Users)—displays container details such the summary of all the VMs, including the details of the service VMs that are associated with the selected application container.
- Detailed Report with credentials (for Self-Service User)
- Detailed Report without credentials (for Self-Service User)
- Detailed Report without Credentials (for Administrators)
- Detailed Report with Credentials (for Administrators)

The detailed reports (with or without credentials) for both, the end user and the administrator displays the following information:

Container:Name—displays the container name, container type, the group it belongs to, and the date the template was created.
Virtual Machines—displays consolidated information about all the provisioned VMs and their status in the container, resource consumption details such as disk size, memory, and CPU, details of the network interface, hostname and status, and port mappings for the container.
Container Port Groups—displays details about the container port groups with specific admin credentials.
Event history—displays the deployment history.
Server Load Balancing—displays the server load balancing (SLB) primary and secondary virtual machine names, IP addresses, netmask, network gateway, data and management port-groups, Stats URL, Stats username and password, information about the VIP, zone, and real server.
Virtual Machine Subnet Information—displays the network and gateway IP addresses and the subnet mask.
CSR 1000V License Details—displays details about the CSR 1000V virtual appliances deployed by Cisco VACS and the corresponding license states.
CSR Uplink Information—information about the CSR 1000V uplink.
Static Nat Details—displays Static Nat related information.
ERSPAN Details—displays ERSPAN related information.
Upstream Router Configuration Required—This section is displayed when the edge gateway is disabled in a container.

Note

The detailed report with credentials (for Self-Service Users and Administrators) also displays the service VM passwords that were reset or reconfigured using the manager service VM password feature.

About the Cisco VACS Resource History Report

Cisco VACS maintains the resource history report, which is an audit report that displays details associated with the resource allocation and deallocation during the application container deployment, rollback, and all resource allocation related operations. This is used as a troubleshooting mechanism to identify the resource leakages, if any.

The Cisco VACS Services resource history report displays the following details:

Audit Id
SR Id
Container Id
Container Name
Initiating User
Resource Type
Resource Value
Action
Context Type
Context Name
Usage
Place Holder
Timestamp

Viewing the Cisco VACS Resource History Report
Deleting or Resetting the Data in the Cisco VACS Resource History Report

Viewing the Cisco VACS Resource History Report

Step 1

On the menu bar, choose Policies > Virtual/Hypervisor Policies > Network > VACS Resource History.

Step 2

In the VACS Resource History screen that appears, the following details are displayed:

Name	Description
Audit Id column	The audit ID. By default, this column is not displayed.
SR Id column	The service request ID.
Container Id column	The ID of the application container for which the resources were either reserved or released.
Container Name column	The name of the application container for which the resources were either reserved or released.
Initiating User column	The name of the user who initiated a particular workflow.
Resource Type column	The type of the resource, such as the IP Address, VLAN, VXLAN, or the port group that was used to create the application container.
Resource Value column	The resource value .
Action column	The actual action of the resource, such as whether it is reserved or released.
Context Type column	This column is applicable only if the IP Subnet pool policy is of type Overlapped. If it is an overlapped IP Subnet pool policy, the context type is UCSD, Tenant, or Container.
Context Name column	The name of the context type.
Usage column	The resource usage which indicates the purpose of the reserved resources, such as the VXLAN/VLAN, IP Subnet, and so on.
Place Holder column	The name of the class and the method which called the resource reserved or released API. These details are mainly used for debugging By default this column is not displayed.
Timestamp column	The time during which the resources were either reserved or released.

You are allowed to customize the details that can be displayed in this report using the Customize Table Columns button. You can also filter the display using the Add Advance Filter button. You can also export this report to a local machine using the Export Report button.

Deleting or Resetting the Data in the Cisco VACS Resource History Report

You can choose to delete selected records from the available data or delete all existing records from the database.

Step 1	On the menu bar, choose Policies > Virtual/Hypervisor Policies > Network > VACS Resource History. The VACS Resource History screen appears
Step 2	Select the row(s) that you want to delete and click the Delete button. In the Delete confirmation box that appears, click Delete to delete the selected record(s).
Step 3	Click the Reset button to delete all existing data from the database.

Viewing the CSR 1000V Licensing Information

After the Cisco VACS application container is deployed, you can view all consolidated information about the CSR 1000V licensing using the administrator privileges. The Self-Service users can view the CSR status about a CSR in a container in the view report page.

Note

If the Edge gateway is not enabled in the template, then the corresponding container will not have any CSRs. In this case, this section is not applicable for such containers.

Step 1

On the menu bar, choose Virtual > Network.

The VACS:CSR Licenses screen appears.

Step 2

The VACS:CSR Licenses screen that appears displays the list of CSRs that are deployed using Cisco VACS.

All the unlicensed CSR 1000V try to fetch the latest status of the CSR 1000V information every 10 minutes.

The available information is as follows:

License Type (Delegated, Smart, or Unknown)
CSR 1000V name
License status
Throughput

Step 3

Click the VACS: CSR License Balance tab. The VACS: CSR LIcense Balance screen appears.

This is a CSR license report that displays the count number for the Cisco VACS licenses and the CSR delegated license balance.

Results

Chapter: Configuring Application Containers

Configuring Application Containers

About Cisco VACS Application Containers

Types of Cisco VACS Container Templates

Guidelines and Limitations

Prerequisites for Creating a Cisco VACS Container Template

Defining Policies

Defining Computing Policies

Defining Network Pools and Policies

Defining Global Resource Pools

Adding a VLAN or VXLAN Pool Policy

Defining Static IP Pool Policies

Adding an IP Subnet Pool Policy

About Overlapping IP

Defining Storage Policies

Defining System Policies

About End User Self-Service Policy

Adding an End User Policy

Marking Datastores for ISO

Guest OS ISO Image Mapping

About Zones

About Cisco VACS 3 Tier Internal and External Container Templates

Creating a Cisco VACS 3 Tier Internal or External Template

Process Flowchart for Creating the Internal/External Templates

Specifying a Template Type

Selecting the Deployment Options

Configuring Network Resource Pools

Configuring VM Networks

Configuring Server Load Balancing

Adding Virtual Machines to a Template

Reviewing the Summary

Viewing and Editing the ACLs for the 3 Tier Templates

About Cisco VACS Custom Container Template

Creating a Cisco VACS Custom Container Template

Process Flowchart for Creating Custom Templates

Specifying a Template Type

Selecting the Deployment Options

Configuring Network Resource Pools

Configuring Security Zones

Configuring Access Control Lists

Configuring the Application Layer Gateway for a Cisco VACS Container

Configuring VM Networks for a Custom Container Template

Configuring Server Load Balancing

Adding Virtual Machines to a Template

Reviewing the Summary

Publishing a Catalog

Instantiating Cisco VACS Containers

Managing Container Templates

Managing Application Containers

Viewing Reports

Types of Reports

About the Cisco VACS Resource History Report

Viewing the Cisco VACS Resource History Report

Deleting or Resetting the Data in the Cisco VACS Resource History Report

Viewing the CSR 1000V Licensing Information

Was this Document Helpful?

Contact Cisco

Related Cisco Community Discussions