Cisco Virtual Application Cloud Segmentation Services Configuration Guide, Release 5.4STV3.0

Managing Service VM Passwords

Cisco VACS allows you to reconfigure passwords for service VMs (CSR, ASAv, VSG, and SLB) in an application container. You can either set the same password for all the service VMs or a different password for each of these services VMs. By default, the Manage Service VM Password option is enabled in all the service VMs.

Note

The password must be alphanumeric and must contain at least one uppercase letter, one lowercase letter, and one numeric digit, and must be between 8 to 64 characters long.
The password must not contain special characters.
The Help link provides you access to the corresponding online help.

Attention:

Based on the secure container report options that you select, the Manager Service VM password UI option is either visible or hidden from the Self-Service user(s). You must either refresh the browser or navigate to another tab before you navigate to Virtual Resources > Application Containers, so that the UI reflects the change.

Step 1

On the menu bar, choose Policies > Application Containers > Manage Service VM Password.

Note

If you log in with the service end user credentials, you must choose Virtual Resources > Application Containers.

The Manage Service VM Password screen appears.

Step 2

In the Select Containers screen, check the check box(es) against the container(s) for which you want to reconfigure the service VM password(s).

Note

The following list of Cisco VACS application containers are not displayed in the list of container list.

Those that have a service request in progress.
Those that do not have a service VM.

Step 3

Click Next. The Set Service VM Password screen appears.

Step 4

In the Set Service VM Password screen, complete the following fields:

Name	Description
Default Password field	Enter the password if you want to set the same password for all the service VMs. If you do not want to set the same password for all the service VMs, leave this field blank.
Confirm Default password field	Re-enter the password.
Apply this password for all services check box	Check this check box if you want the set the default password as a common password for all the service VMs. By default, this check box is unchecked.
CSR Password field	Enter a password for the CSR.
Confirm CSR Password field	Re-enter the password.
ASAv Password field	Enter a password for ASAv.
Confirm ASAv Password field	Re-enter the password.
VSG Password field	Enter a password for VSG.
Confirm VSG Password field	Re-enter the password.
SLB Password field	Enter a password for SLB.
Confirm SLB Password field	Re-enter the password.

Note

You must leave the fields blank if a specific service VM password must not be changed.

Step 5

Click Submit.

Note

After the service VM passwords are changed, the detailed report (for both, the Self-Service Users and the administrators) is updated to reflect the changed passwords.

Managing Firewall Policies

Cisco VACS allows you to modify existing firewall access control lists (ACLs) rules for each container that is already deployed. This includes adding new ACL rules and modifying or deleting existing ACL rules. In a firewall policy, you can change only the ACLs that are defined for a container. You cannot add new zones or modify existing zones.

Note

This option is not functional if the zone security for tiers (VSG) is not enabled in the template from which the container was deployed.
Use this procedure to modify existing firewall access control lists (ACLs) rules for the deployed containers. To modify firewall ACL rules for templates, you must use the PNSC Firewall Policies tab available at Physical > Network > Multi-Domain Manager > PNSC Accounts. For more information, see Viewing and Editing the ACLs for the 3 Tier Templates.
The Help link available within the wizard provides you access to the corresponding online help.

Viewing Firewall ACL Rules
Adding Firewall ACL Rules
Editing Firewall ACL Rules
Deleting Firewall ACL Rules

Viewing Firewall ACL Rules

You can view existing ACL rules associated with a firewall policy that is defined for a container.

Step 1	On the menu bar, choose Policies > Application Containers.
Step 2	Select the appropriate Application Container and click Firewall Policy. The Edit Firewall dialog box appears.
Step 3	The PNSC Firewall Specification screen displays the policy name and description. Click Next. The PNSC-ACL Rules screen appears. You can view the existing PNSC ACL rules.

Adding Firewall ACL Rules

You can add new ACL rules to a firewall policy that is defined for a container.

Note

The Help link provides you access to the corresponding online help.

Step 1

On the menu bar, choose Policies > Application Containers.

Step 2

Select the appropriate Application Container and click Firewall Policy. The Edit Firewall dialog box appears.

Step 3

The PNSC Firewall Specification screen displays the policy name and description. Click Next. The PNSC-ACL Rules screen appears.

Step 4

In the PNSC-ACL Rules screen, click the + icon to add a new PNSC ACL rule. The Add Entry to PNSC ACL Rules screen appears.

Step 5

In the Add Entry to PNSC ACL Rules screen, complete the following fields:

Name

Description

Name field

Enter a unique name for the PNSC ACL rule.

This name can be an alpha-numeric and special character set between 2-32 characters long.

Description field

Enter a description for the PNSC ACL rule. This description can be less than or equal to 256 characters long.

Action drop-down list

Choose an action to take if the rule conditions are not met. The available options are:

Drop—Drops traffic or denies access.
Permit—Forwards traffic or allows access.
Reset—Resets the connection.

Condition Match Criteria drop-down list

Choose the condition match criteria. The available options are:

Choose match-all for the ACL Policy Rule to match all the conditions (AND).
Choose match-any for the ACL Policy Rule to match any one condition (OR).

Protocol/Service drop-down list

Choose between protocol or service.

Service table

In a given protocol if you want to specify any application service related port number to be opened, then you must choose this . Currently, Cisco UCS Directors supports http and https.

Note

This option appears if you choose Service.

To add a service, click the + icon to add an entry to the service table and complete the following fields:

From the Operator drop-down list. choose the operator. The available options are: Equals and Not equals.
From the Protocol drop-down list. choose the protocol.
From the Service drop-down list, choose the service. The available options are: http and https.
In the Port field, enter the application service related port number.
Click Submit to add the entry to the list of zone conditions.

You can edit or delete an existing service.

Any Protocol check box

To apply the rule to any protocol, check the Any check box.

Note

This option appears if you choose Protocol.

Source Conditions table

Click the + icon to add an entry to the source conditions table and complete the following fields:

From the Attribute Type drop-down list, choose the attribute : Network, VM, or Zone.
From the Attribute Name drop-down list, choose the name.
From the Operator drop-down list, choose the operator : Range or Equals or Not Equals or Prefixed by or Range.
In the Attribute Value field, enter the corresponding value.
Click Submit to add the entry to the list of zone conditions.

Destination Conditions table

Click the + icon to add an entry to the destination conditions table and complete the following fields:

From the Attribute Type drop-down list, choose the attribute : Network, VM, or Zone.
From the Attribute Name drop-down list, choose the name.
From the Operator drop-down list, choose the operator : Range or Equals or Not Equals or Prefixed by or Range.
In the Attribute Value field, enter the corresponding value.
Click Submit to add the entry to the list of zone conditions. The new ACL rule is added to the list of zone conditions and is listed at the end of the existing list.

Step 6

Click the Up arrow icon to move the newly created ACL rule in an ascending order.

Step 7

Click Submit.

Editing Firewall ACL Rules

Cisco VACS allows you to modify existing firewall ACL rules.

Note

The Help link provides you access to the corresponding online help.

Step 1	On the menu bar, choose Policies > Application Containers.
Step 2	Select the appropriate application container and click Firewall Policy. The Edit Firewall dialog box appears.
Step 3	The PNSC Firewall Specification screen displays the policy name and description. Click Next. The PNSC-ACL Rules screen appears.
Step 4	In the PNSC-ACL Rules screen, select the PNSC ACL rule that you want to edit, and click the edit (pencil) icon. The Edit Entry to PNSC ACL Rules screen appears.
Step 5	In the Edit Entry to PNSC ACL Rules screen, modify the corresponding fields, and click Submit.
Step 6	Click the Up or down arrow icon to move the modified ACL rule in an ascending or descending order.
Step 7	Click Submit.

Deleting Firewall ACL Rules

Cisco VACS allows you to delete existing ACL rules.

Note

The Help link provides you access to the corresponding online help.

Step 1	On the menu bar, choose Policies > Application Containers.
Step 2	Select the appropriate Application Container and click Firewall Policy. The Edit Firewall dialog box appears.
Step 3	The PNSC Firewall Specification screen displays the policy name and description. Click Next. The PNSC-ACL Rules screen appears.
Step 4	In the PNSC-ACL Rules screen, click the delete (x) icon to delete an existing PNSC ACL rule. The Delete PNSC ACL Rules Entry confirmation box appears.
Step 5	Click Submit to delete the selected PNSC ACL rule.

Configuring Static NAT to the Virtual Machines

Static NAT mappings are required for allowing the outside public IP addresses to reach the virtual machines that are inside the container. The static NAT screen allows you to specify the outside public IP address and map it to the private IP address of the virtual machine in the Web tier of the container.

Note

The static NAT operation is blocked for containers that do not have the edge gateway enabled.
The static NAT operation is applicable only if the IP type = Private. If you try to configure this feature on a container whose IP type=public, then you will get an error message and cannot proceed with the configuration.
The Help link provides you access to the corresponding online help.

To configure Static NAT to the workload virtual machines, use the following procedure:

Step 1

On the menu bar, choose Policies > Application Container > Static NAT. In the Static NAT dialog box, check the check box for each provisioned VM that require Static NAT enablement. If none of the workload VMs are provisioned on the container, the Static NAT screen is be empty. If the workload VMs are already provisioned, this screen displays the VMs with check boxes next to each of them.

Step 2

Click the checkbox for each provisioned VM that require Static NAT enablement. These VMs can be reached from outside public IP addresses .

Step 3

Click Submit.

Note

If Private addressing was specified in the container template, Cisco VACS will provision NAT overloading to allow internal VMs with private addresses to initiate connections to the outside, during the container provisioning.

After clicking Submit, a pop-up window that appears , displays a service request number that can be used to track the progress of the workflow.

Monitoring ERSPAN

Traffic to and from individual virtual machines can be monitored using the encapsulated remote switched port analyzer (ERSPAN) feature after workload virtual machines are provisioned. ERSPAN is generally enabled on a per-virtual machine basis for troubleshooting. You must supply an ERSPAN destination for forwarding and analyzing traffic.

Note

The Help link provides you access to the corresponding online help.

Use the following procedure to enable ERSPAN for the workload VMs and the SLB VM:

Step 1

On the menu bar, choose Policies > Application Container > ERSPAN. The Cisco VACS ERSPAN Configuration screen is displayed.

Step 2

In the ERSPAN Destination IP address Specification screen specify the Destination IP Address for forwarding and analyzing traffic. If ERSPANs are already present, they are displayed in the Destination IP Address Report table in this screen. This table also lists the ERSPAN session ID and the corresponding Destination IP address.

Step 3

Click Next to proceed to the ERSPAN Configuration page.

Step 4

In theERSPAN Configuration screen, select the appropriate VM NIC configuration for ERSPAN.

Step 5

In theERSPAN Configuration screen, click the + icon to add a new VM NIC configuration for ERSPAN. and complete the following: The Add Entry to VM NIC Configuration screen.

Step 6

In the Add Entry to VM NIC Configuration screen, complete the following fields

Name	Description
VM Name drop-down list	Choose the workload VM that you want to monitor.
NIC Name drop-down list	Choose the VM NIC attached to the workload VM.
Rx Tx Both drop-down list	Choose the direction of the traffic that you want to monitor. The options are: Receive direction (Rx) Transmit direction (Tx) Both directions (Both)

Step 7

Click Submit to add the entry to the VM NIC Configuration table.

Note

You can also edit, delete, or move an entry up and down using the respective icons.

Step 8

Click Submit in the ERSPAN Configuration screen to submit the ERSPAN configuration request. The service request will be submitted to the workflow to configure the ERSPAN monitoring. Upon successful execution of the workflow, the ERSPAN session will be visible from ERSPAN screen after a few minutes.

Note

If you want to stop an existing ERSPAN session, click the checkbox corresponding to the Destination IP address and Session ID, delete the VM NIC configuration, and Submit the request.

Step 9

Click Submit.

After clicking Submit, a pop-up window that appears , displays a service request number that can be used to track the progress of the workflow.

Adding Virtual Machines to a Container

Although deploying virtual machines during the container deployment process is optional, you can use the Add VMs tab available in the Cisco VACS UI to add virtual machines after deploying a container.

Note

The Help link provides you access to the corresponding online help.
If you migrate from Cisco UCS Director Release 5.3 to Cisco UCS Director Release 5.4, you must manually edit the Add VM workflow. For information on editing the Add VM workflow, see Editing the Add VM Workflow Manually.

Step 1

On the menu bar, choose Policies > Application Containers > Add VMs.

Step 2

In the Add VMs dialog box, complete the following fields:

Name

Description

Security Zone drop-down list

Choose a security zone.

VM Name field

Enter a unique name for the virtual machine, up to 32 characters long. The complete virtual machine name will include the name provided in this field, the zone name and the container name.

Image Type drop-down list

Choose the image type. The available options are VM template or OVF. By default, the VM template is chosen.

Note

ISO images are not supported.

Image File drop-down list

Choose a virtual machine image to deploy from the list. The list contains the virtual machine templates that are present on the chosen vCenter.Cloud Account and the OVF files.

Note

The drop-down list shows only the VM templates which are added to one of the hosts on the datacenter where Virtual Machines are deployed.
If the drop-down list does not show the added VM templates, you must perform inventory collection to display them : Virtual > Compute > Polling > Request Inventory Collection.
If the available OVF file does not have VMware tools installed, the workflow fails while configuring the IP addresses on the VM.

Number of Virtual CPUs drop-down list

Choose the number of vCPUs that are required for the newly created VM.

Memory drop-down list

Choose the memory that is required for the newly created VM.

Disk Size (GB) drop-down list

Enter the appropriate value to resize the disk size. You can enter values from 0 GB to 1024 GB.

This field is visible only if you choose VM template as the image type.

VM Password Sharing Option drop-down list

Choose an option on how to share the username and the password with the end users:

Do not share
Share after password reset
Share template credentials

VM Network Interfaces table

Note

This table is visible only for the custom containers.

Choose the virtual machine network interface from the list of interfaces.

Click+ to add an interface.

Note

If SLB has been enabled in the template, you must choose at least one virtual machine network interface that is in the same network as that of the SLB.

To add an interface, do the following:

Name

Description

VM Network Interface Name field

Enter a unique name for the VM network interface.

Select the Network drop-down list

Choose the network to which the Network Interface Card (NIC) should be attached.

Adapter Type drop-down list

Select the appropriate adapter type.

Click Submit.

Number of VM instances field.

Enter the number of virtual machine instances to provision to an existing container. This number limits your choices so as to not exceed the maximum of VMs defined.

Step 3

Click Submit.

After clicking Submit, a pop-up window that appears , displays a service request number that can be used to track the progress of the workflow.

Editing the Add VM Workflow Manually

Note

This section is not applicable for all fresh installation or upgrades from 5.4STV2.1 and later releases of Cisco VACS. For releases prior to 5.4STV2.1, you must migrate to Cisco UCS Director 5.4 based patches.

If you migrate from Cisco UCS Director Release 5.3 to Cisco UCS Director Release 5.4, you must manually map the add VM workflow.

Step 1	On the menu bar, choose Policies > Orchestration.
Step 2	Expand the VACS folder and double click VACS Add VMs to Container. The Workflow Designer – VACS Add VMs to Container screen appears.
Step 3	In the Workflow Designer – VACS Add VMs to Container screen that appears, double click VACS:ProvisionContainer-VM. The Edit Task (VACS: Provision Container - VM) wizard appears.
Step 4	In the Workflow Task Basic Information screen, click Next.
Step 5	In the User Input Mapping screen that appears, complete the following: Map to User Input check box—Check the check box to map the add VM to the workflow user input. User Input drop-down list—Select the image from the list of available images.
Step 6	Click Next. The Tasks Inputs screen appears.
Step 7	Click Next. The User Output Mappings to Task Output Attributes screen appears.
Step 8	Click Submit.
Step 9	Click Validate Workflow.

About OVF Files

You can upload Open Virtualization Format (OVF) files (in both, the zip and jar formats) to a previously configured storage location, where they are deployed. These files can be used while adding VMs to the Cisco VACS application containers.

Uploading OVF Files
Deleting OVF Files

Uploading OVF Files

Cisco VACS allows you to upload OVF files (OVA, zip, and jar formats) to a predefined storage location and deploy them to a group or customer organization.

Step 1

On the menu bar, choose Administration > Integration.

Step 2

Click the User OVF Management tab.

Step 3

Click Upload File.

Step 4

In the Upload File dialog box, complete the following fields:

Name

Description

Folder Type drop-down list

The type of folder containing the OVF file. Choose one of the following:

Public—This file is available to all public users.
User—Choose this role if you are an end user. End users are not granted extensive privileges. The User role is well suited for first-level support, in which problem identification, remediation, and escalation are the primary goals.
Group—The file is only available to those in a defined group.

File Name field

The name of the OVF file to upload and display.

Upload option

Launches the File Upload dialog box in which you can browse and select an OVF file.

Note

Only OVF files in OVA, zip and jar formats can only be uploaded to the storage location.

After the file is uploaded, and a confirmation message stating that the file is ready for use is displayed, close the File Upload dialog box.

File Description field

The description of the file (if required).

Step 5

Click Submit.

Step 6

When the Submit Result - Upload Successfully dialog box appears, click OK. The uploaded file is listed in the User OVF Management table.

Note

These files are used while adding VMs to the application containers.

Deleting OVF Files

If you are an administrator, you can delete files located in the storage area.

Step 1	On the menu bar, choose Administration > Integration.
Step 2	Click the User OVF Management tab.
Step 3	Choose an OVF file from the table and click Delete File. The Delete File dialog box appears.
Step 4	Click Submit.

Managing the End User Settings

You are allowed to choose to display post container operations that can be invoked by the Self-Service user or the type of the container reports that can be displayed to a Self-Service user by using the Options tab available under Solutions > VACS Container.

The post container operations that can be invoked are as follows:

ERSPAN
Firewall Policy
StaticNat
Add VMs
Delete VMs
Power On Container
Power Off Container

The Secure Container Details option allows you to either hide or display the following reports:

Secure Reports
Unsecure Reports

The Manage Service VM Password feature is enabled for the Self-Service users only when the Secure Container Details option is unchecked.

Step 1

From the Cisco UCS Director menu bar, choose Solutions > VACS Container. The Cisco VACS management task icons appear.

Step 2

Click Options. The Options screen appears.

Step 3

In the Options Specification screen, complete the following fields:

Name	Description
Container Operations By default, these menu options are visible to an end user and these check boxes are checked.
ERSPAN check box	Uncheck this check box to hide the ERSPAN option in the Self-Service end user portal.
Firewall check box	Uncheck this check box to hide the Firewall Policy option in the Self-Service end user portal.
Static Nat check box	Uncheck this check box to hide the StaticNAT option in the Self-Service end user portal.
Add VMs check box	Uncheck this check box to hide the Add VMs option in the Self-Service end user portal.
Delete VMs check box	Uncheck this check box to hide the Delete VMs option in the Self-Service end user portal.
Power On Container check box	Uncheck this check box to hide the Power On Container option in the Self-Service end user portal.
Power Off Container check box	Uncheck this check box to hide the Power Off option in the Self-Service end user portal.
Container Reports
Secure Container Details check box	Check this check box to hide the details of the service VM, such as the CSR, VSG, and the SLB details (Management IP address and password, vnc, and the control access. By default, this check box is unchecked and hence will display all the container details to the end user.

Step 4

Click Submit to save the settings. Alternatively, click Close to exit from this screen.

Adding vNICs

You can add multiple port-group network based vNICs to a VM.

Note

The Help link provides you access to the corresponding online help.

Step 1

On the menu bar, choose Policies > Application Containers.

Step 2

Double click the appropriate application container and click the Virtual Machines tab.

Step 3

Select the appropriate VM and choose VACS Add vNICs. The Add VACS VM vNICs screen appears.

Step 4

Click+ to add a new interface. The Add Entry to VACS VM Networks 2 dialog box appears.

Step 5

In the Add Entry to VACS VM Networks 2 dialog box, complete the following fields:

Name

Description

VM Network Interface Name field

Enter a unique name for the VM network interface.

Select the Network drop-down list

Choose the port group based networks to which the Network Interface Card (NIC) should be attached.

Caution

This list displays only the port group based networks. Hence, in the absence of a port group based network in the VM networks for the template, none of the networks will be displayed.

Adapter Type drop-down list

Select the appropriate adapter type.

Click Submit.

Step 6

Click Submit.

Caution

After you add the vNICs to a VM, you must do the manual VM inventory to gather accurate information from that VM.

To do a manual inventory, select the appropriate VM and click Inventory Collection Request for VM. In the Request VM Inventory Collection dialog box that appears, click Submit.

Deleting vNICs

You can delete existing (or multiple) multiple port-group network based vNICs on a VM. This option is available only for those VMs that are a part of the Cisco VACS application container.

Note

The Help link provides you access to the corresponding online help.

Step 1

On the menu bar, choose Policies > Application Containers.

Step 2

Double click the appropriate application container and click the Virtual Machines tab.

Step 3

Select the appropriate VM and choose VACS Del vNICs. The Delete VM vNICs screen appears.

Step 4

Click Select from the VM vNICs button.

The Select Items dialog box appears.

Step 5

Check the check box of the vNIC you want to delete or click Check All to select all vNICs.

Step 6

Click Select.

Step 7

Click Delete.

Caution

After you delete the vNICs from a VM, you must do the manual VM inventory to gather accurate information from that VM. If you do not do the manual VM inventory, the IP address of the VM will not get displayed in the UI.

To do a manual inventory, select the appropriate VM and click Inventory Collection Request for VM. In the Request VM Inventory Collection dialog box that appears, click Submit.

The VM is restarted in order to complete the removal process.

Deleting Virtual Machines

Using the Cisco VACS UI, you can delete workload VMs from a selected application container that has been deployed and the VMs that have been provisioned.

Note

The Help link provides you access to the corresponding online help.

Step 1	On the menu bar, choose Policies > Application Containers > Delete VMs. The Delete VMs dialog box that appears, displays the VMs that have been provisioned.
Step 2	Check the check box against the VMs that you choose to delete. and click Submit. After clicking Submit, a pop-up window that appears, displays a service request number that can be used to track the progress of the Workflow.
Step 3	(Optional) Click Close to cancel the deletion.

Enabling VNC Console Access

Step 1	On the menu bar, choose Virtual > Compute.
Step 2	Select the appropriate Application Container and click the VMs tab.
Step 3	Select the VM for which you want to you want to enable the console access and click Configure VNC. The Configure VNC Request dialog box appears.
Step 4	Click Submit.

Accessing a VM Console

You can view the console on your VMs if you have the proper access rights.

Step 1

On the menu bar, choose Policies > Application Containers.

Step 2

Select the appropriate Application Container and click Open Console. The Access Console dialog box appears.

Step 3

From the Select VM drop-down list, choose a VM.

Step 4

Click Submit. A console of the selected VM opens in a new browser.

Note

For automatic configuration of a VNC console on a container, you must provide permission by checking the Enable VNC Based Console Access checkbox when you created the application container template.

Book Title

Chapter Title

Results

Chapter: Managing Application Container Operations

Managing Application Container Operations

Managing Service VM Passwords

Managing Firewall Policies

Viewing Firewall ACL Rules

Adding Firewall ACL Rules

Editing Firewall ACL Rules

Deleting Firewall ACL Rules

Configuring Static NAT to the Virtual Machines

Monitoring ERSPAN

Adding Virtual Machines to a Container

Editing the Add VM Workflow Manually

About OVF Files

Uploading OVF Files

Deleting OVF Files

Managing the End User Settings

Adding vNICs

Deleting vNICs

Deleting Virtual Machines

Enabling VNC Console Access

Accessing a VM Console

Was this Document Helpful?

Contact Cisco

Related Cisco Community Discussions