Updated: July 13, 2016
This document describes the features, limitations, and bugs for the Cisco Virtual Application Cloud Segmentation (VACS) Services software solution. Use this document in combination with the documents listed in Related Documentation and Cisco VACS Documentation Matrix.
Cisco Virtual Application Cloud Segmentation (VACS) Services is a software solution that automates the coordinated licensing, installation, and deployment of multiple virtual services in your data center to enable an easy and efficient setup of virtualized applications. Cisco VACS provides a fully customizable, extended application container abstraction to simplify deploying and provisioning virtual services.
Cisco VACS lets you define extended application container templates and instantiate them through automated setup and provisioning of the underlying virtual components. Cisco UCS Director provides the management interface to deploy, provision, and monitor the Cisco VACS solution.
Cisco VACS leverages the features in the following virtual components to build a secure multi-tenant cloud and create application container templates:
Cisco Nexus 1000V
Cisco Prime Network Services Controller (PNSC)
Cisco Cloud Services Router (CSR) 1000V
Cisco Adaptive Security Virtual Appliance (ASAv)
Cisco Virtual Security Gateway (VSG)
Server Load Balancer (SLB)
Cisco VACS provides you with a choice of ready-to-use application container templates that define the rules for deploying a collection of virtual machines (VMs) within a private network secured by a firewall. An application container is a set of virtual services such as virtual switches, routers, firewalls, and other network devices configured in a consistent manner to deploy different workloads. When you create and instantiate an application container template, Cisco VACS deploys VMs, and configures networks, the firewall, and virtual switches, and enables network and security provisioning at the virtual layer.
Key features and benefits of Cisco VACS include:
Single workflow automation to logically isolate virtual application workloads at the virtual layer.
VMware vSphere support for interoperability across private cloud environments.
Consistent provisioning and orchestration experience across physical and virtual assets through Cisco UCS Director.
New Features and Enhancements in Release 5.4STV3.0
This release of Cisco VACS contains the following new features and enhancements:
New Features
Provides an option to deploy Cisco ASAv instead of the Cisco CSR 1000V as the edge gateway in the Cisco VACS containers.
Provides support for VMware vSphere 6.0.
Support for scaling up to 128 containers.
Provides the following new REST APIs:
– vacs:userAPIGetContainerVmIps
– vacs:userAPIGetVacsResourceHistory
– vacs:userAPIGetGroupName
Enhancements
Enhancements to the following REST APIs:
– userAPIVACSPowerOnContainer (SLB VM Type has been changed to “Load Balancer” and also supports ASAv)
– userAPIVACSPowerOffContainer (SLB VM Type has been changed to “Load Balancer” and also supports ASAv)
– userAPIVACSCreateContainerRest (Supports Container deployment with ASAv)
Updated UI labels for the Add Template wizard.
Supports cloning of workload VMs as images.
Supports blocking of parallel post container operations on an application container.
Software Compatibility
The following table lists the compatibility information for Cisco VACS, Cisco UCS Director, and the relevant Cisco VACS components.
Table 1 Software Compatibility

Cisco VACS: Release 5.4STV3.0
Cisco UCS Director: Release 5.4 and Release 5.4-based patch releases.
Note: Cisco UCS Director Release 5.4.0.3 is the recommended version. Cisco UCS Director Release 5.5 is not supported.
Cisco VACS Components:
– VMware vSphere 5.5 or 6.0
– Cisco Nexus 1000V 5.2(1)SV3(1.4)
– Cisco PNSC 3.4.1b
– Cisco VSG 5.2(1)VSG2(1.3)
– Cisco CSR 1000V XE 3.16.1a
– Cisco ASAv 9.6.1
– Server Load Balancer (SLB): Open Source HA-proxy, Release 1.5.2 1.5.2-2.el6 (on x86_64); Keepalived 1.2.15

Cisco VACS: Release 5.4STV2.1.2
Cisco UCS Director: Release 5.4.0.2
Note: Release 5.3 and the Release 5.3-based patches are not supported.
Cisco VACS Components:
– VMware vSphere 5.1 or later
– Cisco Nexus 1000V 5.2(1)SV3(1.4)
– Cisco PNSC 3.4.1b
– Cisco VSG 5.2(1)VSG2(1.3)
– Cisco CSR 1000V XE 3.16.1a
– Server Load Balancer (SLB): Open Source HA-proxy, Release 1.5.2 1.5.2-2.el6 (on x86_64); Keepalived 1.2.15

Cisco VACS: Release 5.4STV2.1.1
Cisco UCS Director: Release 5.4.0.2
Note: Release 5.3 and the Release 5.3-based patches are not supported.
Cisco VACS Components:
– VMware vSphere 5.1 or later
– Cisco Nexus 1000V 5.2(1)SV3(1.4)
– Cisco PNSC 3.4.1b
– Cisco VSG 5.2(1)VSG2(1.3)
– Cisco CSR 1000V XE 3.16.1a
– Server Load Balancer (SLB): Open Source HA-proxy, Release 1.5.2 1.5.2-2.el6 (on x86_64); Keepalived 1.2.15

Cisco VACS: Release 5.4STV2.1
Cisco UCS Director: Release 5.4
Note: Release 5.3 and the Release 5.3-based patches are not supported.
Cisco VACS Components:
– VMware vSphere 5.1 or later
– Cisco Nexus 1000V 5.2(1)SV3(1.4)
– Cisco PNSC 3.4.1b
– Cisco VSG 5.2(1)VSG2(1.3)
– Cisco CSR 1000V XE 3.16.1a
– Server Load Balancer (SLB): Open Source HA-proxy, Release 1.5.2 1.5.2-2.el6 (on x86_64); Keepalived 1.2.15

Cisco VACS: Release 5.3STV2.0.1
Cisco UCS Director: Release 5.3 or the later releases
Note: We recommend that you use the Cisco UCS Director Release 5.3.1.2.
Cisco VACS Components:
– VMware vSphere 5.1 or later
– Cisco Nexus 1000V 5.2(1)SV3(1.4)
– Cisco PNSC 3.4.1b
– Cisco VSG 5.2(1)VSG2(1.3)
– Cisco CSR 1000V XE 3.14.0
– Server Load Balancer (SLB): Open Source HA-proxy, Release 1.5.2 1.5.2-2.el6 (on x86_64); Keepalived 1.2.15

Cisco VACS: Release 5.3STV2.0
Cisco UCS Director:
– Release 5.3 or the 5.3.1.0 patch
– Release 5.2 or Release 5.2-based patch releases
Cisco VACS Components:
– VMware vSphere 5.1 or later
– Cisco Nexus 1000V 5.2(1)SV3(1.4)
– Cisco PNSC 3.4.1b
– Cisco VSG 5.2(1)VSG2(1.3)
– Cisco CSR 1000V XE 3.14.0
– Server Load Balancer (SLB): Open Source HA-proxy, Release 1.5.2 1.5.2-2.el6 (on x86_64); Keepalived 1.2.15

Cisco VACS: Release 5.3STV1.1.2
Cisco UCS Director:
– Release 5.3
– Release 5.2
Note: Apply the Cisco UCS Director maintenance patch (patch 1, which is cucsd_patch_5_2_0_1.zip) before installing or upgrading to Cisco VACS Release 5.3STV1.1.2.
– Release 5.1
Cisco VACS Components:
– VMware vSphere 5.1 or later
– Cisco Nexus 1000V 5.2(1)SV3(1.1)
– Cisco PNSC 3.2.2.b
– Cisco VSG 5.2(1)VSG2(1.1)
– Cisco CSR 1000V XE 3.14.0

Cisco VACS: Release 5.2STV1.1.1
Cisco UCS Director:
– Release 5.2
Note: Apply the Cisco UCS Director maintenance patch (patch 1, which is cucsd_patch_5_2_0_1.zip) before installing or upgrading to Cisco VACS Release 5.3STV1.1.2.
– Release 5.1
Cisco VACS Components:
– VMware vSphere 5.1 or later
– Cisco Nexus 1000V 5.2(1)SV3(1.1)
– Cisco PNSC 3.2.2.b
– Cisco VSG 5.2(1)VSG2(1.1)
– Cisco CSR 1000V XE 3.14.0

Cisco VACS: Release 5.2STV1.1
Cisco UCS Director:
– Release 5.2
Note: Apply the Cisco UCS Director maintenance patch (patch 1, which is cucsd_patch_5_2_0_1.zip) before installing or upgrading to Cisco VACS Release 5.3STV1.1.2.
– Release 5.1
Cisco VACS Components:
– VMware vSphere 5.1 or later
– Cisco Nexus 1000V 5.2(1)SV3(1.1)
– Cisco PNSC 3.2.2.b
– Cisco VSG 5.2(1)VSG2(1.1)
– Cisco CSR 1000V XE 3.14.0

Cisco VACS: Release 5.1STV1.0
Cisco UCS Director: Release 5.1
Cisco VACS Components:
– VMware vSphere 5.1 or later
– Cisco Nexus 1000V 5.2(1)SV3(1.1)
– Cisco PNSC 3.2.2.b
– Cisco VSG 5.2(1)VSG2(1.1)
– Cisco CSR 1000V XE 3.12.0

Limitations and Restrictions
This section describes the limitations and restrictions of Cisco VACS.
General Cisco VACS Limitations
Cisco VACS supports the following:
– ESX versions 5.0 and later
– vCenter versions 5.1 and later
Only one Cisco PNSC can be deployed per vCenter, but there is no limit to the number of vCenters that can be managed as the virtual account and the number of Cisco Nexus 1000V deployed per vCenter.
All VXLAN VTEPs added per host using the add host operation should be configured to be in the same subnet.
During the add host operation, do not migrate the VSM VMs to VEM.
If you upgrade to UCS Director patches after upgrading to Cisco VACS, you must reapply the Cisco VACS patch.
Cisco VACS does not support multi-node UCS Director deployments.
UCS Director supports only hosts or clusters under DC. It does not support any folder structures under DC.
The add host operation could fail when you add a host that has a previous version of the Cisco Nexus 1000V VIB.
License Limitations
Each Cisco Nexus 1000V is licensed with 1024 licenses.
Cisco VACS does not support ELA UCS Director licenses.
When upgrading from Cisco VACS evaluation to Cisco VACS production licenses, note the following:
– After installing the UCS Director production licenses, the Cisco VACS evaluation licenses are invalid. You must use a Cisco VACS production license.
– After installing the Cisco VACS production licenses, the existing Cisco Nexus 1000V that was installed with the evaluation license does not get a permanent Cisco Nexus 1000V license. You must deploy a new Cisco Nexus 1000V so that it gets a permanent license.
– A Cisco CSR 1000V or Cisco ASAv deployed during the Cisco VACS evaluation license (or with no Cisco ASAv licenses) comes up with default licenses and a maximum throughput of 100 Kbps.
– After installing the Cisco VACS production licenses, the existing Cisco CSR 1000V or Cisco ASAv of deployed containers is not automatically licensed with permanent licenses. If required, you must manually apply the permanent licenses for the Cisco CSR 1000V or Cisco ASAv.
Configuration Limitations
IP pool limitations:
– The IP pools used for management and uplink pools should have mandatory VLAN and Gateway fields.
– The IP pools used for the port group-based VM networks in custom containers should not have the Gateway field.
– The broadcast and network IP addresses should not be used as the IP addresses in the pool.
– The IP subnet for the management and uplink networks must be different in a new Cisco VACS template, irrespective of the type of the edge gateway selected. For all existing templates, the same IP pool is supported for both these networks as long as the template is not edited.
IP subnet pool limitations:
– The subnet cannot contain fewer than 4 IP addresses, or more than 1024 IP addresses.
IP address limitations when an IP needs to be entered for install actions, IP pools, and ERSPAN:
– Do not use broadcast, network, or Experimental/Use in research IP addresses.
Cisco VACS does not configure the upstream switches and routers in the physical infrastructure. Cisco VACS only configures the virtual infrastructure for Cisco PNSC, Cisco Nexus 1000V, Cisco CSR 1000V and Cisco ASAv.
You must configure the upstream devices such that the path MTU between the VEMs has an MTU of greater than or equal to 1600.
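A pre-deployment check for the IP pool rules listed above, as an added example that is not Cisco code or part of the original release notes. The pool dictionary layout, the role labels, the reading of "Experimental" as 240.0.0.0/4, and the reading of subnet size as total addresses in the prefix are assumptions.

```python
import ipaddress

# Assumption: "Experimental/Use in research" is read as the reserved 240.0.0.0/4 block.
EXPERIMENTAL = ipaddress.ip_network("240.0.0.0/4")

def check_pool(pool):
    """Return the limitations one pool violates (dict layout is hypothetical)."""
    problems = []
    net = ipaddress.ip_network(pool["subnet"])
    # Assumption: size means total addresses in the prefix, so /30 (4) to /22 (1024).
    if not 4 <= net.num_addresses <= 1024:
        problems.append("subnet size outside 4..1024 addresses")
    if pool["role"] in ("management", "uplink"):
        if pool.get("vlan") is None or not pool.get("gateway"):
            problems.append("VLAN and Gateway are mandatory")
    elif pool.get("gateway"):  # port group-based VM network in a custom container
        problems.append("port group pool must not set Gateway")
    for text in pool["addresses"]:
        ip = ipaddress.ip_address(text)
        if ip in EXPERIMENTAL:
            problems.append(f"{ip} is experimental")
        elif ip not in net:
            problems.append(f"{ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{ip} is a network or broadcast address")
    return problems

def check_template(pools):
    """Check each pool, then the management/uplink subnet rule for new templates."""
    report = {p["name"]: check_pool(p) for p in pools}
    subnets = {p["role"]: ipaddress.ip_network(p["subnet"]) for p in pools}
    mgmt = subnets.get("management")
    if mgmt is not None and mgmt == subnets.get("uplink"):
        report["template"] = ["management and uplink share one subnet"]
    return report

# Constructed sample input (documentation and private ranges, not real pools).
SAMPLE = [
    {"name": "mgmt", "role": "management", "subnet": "192.0.2.0/24",
     "vlan": 100, "gateway": "192.0.2.1",
     "addresses": ["192.0.2.10", "192.0.2.255"]},
    {"name": "uplink", "role": "uplink", "subnet": "192.0.2.0/24",
     "vlan": 200, "gateway": None, "addresses": ["192.0.2.20"]},
    {"name": "web-tier", "role": "portgroup", "subnet": "10.20.0.0/21",
     "gateway": "10.20.0.1", "addresses": ["10.20.0.0"]},
]

if __name__ == "__main__":
    for name, problems in check_template(SAMPLE).items():
        print(name, problems or "ok")
```
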
Container Limitations
You are not allowed to execute the post container operations in parallel. You must wait for the current task to be completed before you proceed with the next task.
Parallel container operations on multiple Cisco Nexus 1000V DVS might cause failures. Hence, you must execute the container deployment sequentially when there are multiple N1kv DVS present.
Do not cancel the service request of any of the post container operations, such as add VM, delete VM, configure SNAT, configure ERSPAN, power on and power off a container.
You cannot resubmit failed service requests of container add-on operations.
Rollback of container add-on operations is not supported. To undo, you must use the UI for the add-on operation.
Currently, not all service options that are a part of PNSC are available in UCS Director. The only available service options are http and https. To access the other service options, you must enter the appropriate standard port number and ignore the type selection.
During container deployment, the storage policy occasionally selects storage that does not belong to a shortlisted host from the compute policy.
For cluster mode compute policy deployments, all hosts under the cluster must be a part of Cisco Nexus 1000V and must have the same common storage.
If the network adapter type is VMXNET3, the container deployment fails intermittently on VMware ESXi 5.1.0 build-1483097 (ESXi 5.1.0 Update 2).
When multiple application containers with SLB/CSR VMs are deployed, deployment fails for some of these application containers. You must resubmit the failed application containers after the other application containers are deployed successfully.
Parallel deployment of application containers is serialized at the SLB task, which delays container deployment.
Container deployment might take longer than expected if the containers are deployed in parallel and have SLB VMs.
SLB Limitations
When workload VMs are added to or deleted from the SLB zone, traffic is impacted for 2 to 3 seconds. This delay occurs because HA proxy must restart for the changes to take effect.
Secure Reports and VM Options Limitations
The Accounting tab in the Self-Service Portal displays the service VM details, even when the secure container details option is enabled.
The container icon (under the Options tab) available in the Self-Service Portal displays the total number of VMs (including service VMs), even though the secure container details option is enabled.
Note These limitations can mislead the end user about VM details that are displayed.
Changes that an administrator makes in the Options menu are not reflected in the Self-Service Portal until the Refresh action is performed (Virtual Resources > Application Containers > Container Icon > Refresh).
Scale Limitations
Cisco VACS has the following scale limitations:
Number of containers: 128
Number of VMs per container: 60* (20 VMs in each zone of a 3-tier container)
Number of containers per host: 15*
Number of containers that can be deployed in parallel: 5*
* These scale limits are soft limits. The number of containers can vary, depending mainly on the following parameters:
Whether VSG is present in the container (one Cisco PNSC instance can support 128 VSGs)
The Size of the containers (Small/Medium/Large)
The vCPU/memory capacity of the individual hosts
The type of Service VMs that are included in the container
The Workload VM reservations in terms of vCPU/memory
The defined VLAN/VXLAN/IP pool limits
The Compute and storage policies
Using the Bug Search Tool
Use the Bug Search Tool to search for a specific bug or to search for all bugs in a release. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Step 3 To search for a specific bug, enter the bug ID in the Search For field and press Return.
Step 4 To search for bugs in the current release:
a. In the Search For field, enter Cisco Virtual Application Cloud Segmentation (VACS) Services and press Enter. (Leave the other fields empty.)
b. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs by status, severity, modified date, and so forth.
Tip To export the results to a spreadsheet, click the Export Results to Excel link.
Bugs
The following are descriptions of the open and resolved bugs in Cisco VACS Release 5.4STV3.0. The bug ID links you to the Cisco Bug Search Tool.
When you upgrade Cisco VACS from Release 5.4STV2.1 or Release 5.4STV2.1.2 to Release 5.4STV3.0, the same SNAT IP address(es) used by the containers are being reused by a newly created container.
If the container name and the VM include special characters such as % and $, the container deployment fails because the Cisco Nexus 1000V does not create port profiles that include special characters.
When an Ubuntu version 14.04 template is used, the correct IP address and the hostname are not assigned to the IP address/host. IP addresses are not reflected in the VMs.
When you upgrade Cisco VACS from Release 5.4STV2.1 or Release 5.4STV2.1.2 to Release 5.4STV3.0, the same SNAT IP address(es) used by the containers are being reused by a newly created container.
The container icon (under the Options tab) available in the Self-Service Portal displays the total number of VMs (including service VMs), even though the secure container details option is enabled.
When you create a zone using the port profile name attribute and deploy the container, the workload VMs do not consider the port profile name attribute. Instead they are created based on the VM network.
If a container name ends with a non-alphanumeric character, the container deployment completes but the policies are not applied. This causes traffic problems.
When multiple Cisco Nexus 1000V (DVS) accounts are available and the containers are deployed on the multiple accounts in parallel, the container deployment fails during the provisioning task.
To provide technical feedback on this document or report an error or omission, please send your comments to:
nexus1k-docfeedback@cisco.com
We appreciate your feedback.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation.
This document is to be used in conjunction with the documents listed in the “Related Documentation” section.