Host System Management

System Access Configuration

Dual WAN Support

Dual WAN support is introduced to provide multiple links to NFVIS connectivity. Starting from NFVIS 3.10.1 release, a second WAN bridge configured with DHCP by default is supported on ENCS 5000 series platform.

During NFVIS system initialization, NFVIS attempts to establish connectivity through DHCP on both WAN bridges. This allows connectivity to NFVIS during initial deployment even if the network is down on one of the WAN bridges. Once DHCP assigns an IP address through one WAN bridge, the other WAN bridge can be configured with static IP address for connectivity to NFVIS.

Restrictions for Dual WAN Support

  • The DHCP toggle behavior is not supported during the upgrade flow. It is only triggered during fresh installation of NFVIS or after a factory default reset.

  • Does not support active/standby or redundant WAN bridges. NFVIS does not detect connectivity failure from one WAN bridge and switchover to another WAN bridge. In case connectivity fails on the WAN bridge with DHCP configurations, connectivity through the other WAN bridge is established only if static IP is applied to the second WAN bridge and static routing is configured for connectivity through that bridge.

  • IPv6 is not supported for dual WAN toggle.

  • If wan2-br is DHCP enabled WAN bridge, you must remove DHCP from wan2-br to apply default gateway from static IP configurations.

Dual WAN Bridge and DHCP Toggle


Note

This feature is supported only on ENCS 5000 series devices.

In zero touch deployment, NFVIS requests for IPv4 assignments through DHCP for two WAN interfaces. During system initialization a second WAN bridge is configured with GE0-1 port attached. NFVIS toggles between the two default WAN bridges sending DHCP requests on any one of the WAN bridges at a time, for 30 second intervals. The toggling stops as soon as one WAN bridge is assigned an IP address through DHCP. The bridge with the assigned IP address is configured with DHCP. The other WAN bridge has no default IP configuration and can be manually configured with static IP if required.

If neither of the bridges is assigned an IP address through DHCP, the WAN DHCP toggle can be terminated by logging in to NFVIS using the default credentials. In this case, wan-br is configured with DHCP and wan2-br has no default IP configuration.

After zero touch deployment, the toggle feature is terminated. To add additional connectivity to the NFVIS host, static IP address can be configured on the other WAN bridge and system static routing can be applied. A default gateway is not supported as the system default gateway is set through DHCP. If DHCP configuration is not required, then both WAN bridges can be configured with static IP addresses, and a default gateway can then be applied under system settings.

Accessing NFVIS

For initial login, use admin as the default user name, and Admin123# as the default password. Immediately after the initial login, the system prompts you to change the default password. You must set a strong password as per the on-screen instructions to proceed with the application. All other operations are blocked until default password is changed. API will return 401 unauthorized error if the default password is not reset.

If wan-br or wan2-br have not obtained IP addresses through DHCP, the zero touch deployment is terminated. To manually apply the IP configurations answer 'y' and the system proceeds with DHCP assignment on wan-br until the configurations are changed. For DHCP assignment to continue to request IP address for PnP flow on both WAN interfaces answer 'n'.

You must adhere to the following rules to create a strong password:

  • Must contain at least one upper case and one lower case letter.

  • Must contain at least one number and one special character (# _ - * ?).

  • Must contain seven characters or greater. Length should be between 7 and 128 characters.

You can change the default password in three ways:

  • Using the Cisco Enterprise NFVIS portal.

  • Using the CLI—When you first log into Cisco Enterprise NFVIS through SSH, the system will prompt you to change the password.

  • Using PnP (for details, see the Cisco Network Plug-n-Play Support).

  • Using console - After the initial login using the default password, you are prompted to change the default password.

    
NFVIS Version: 3.12.3

Copyright (c) 2015-2020 by Cisco Systems, Inc.
Cisco, Cisco Systems, and Cisco Systems logo are registered trademarks of Cisco
Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

The copyrights to certain works contained in this software are owned by other
third parties and used and distributed under third party license agreements.
Certain components of this software are licensed under the GNU GPL 2.0, GPL 3.0,
LGPL 2.1, LGPL 3.0 and AGPL 3.0.

login: admin
NFVIS service is OK
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
admin@localhost's password:


Cisco Network Function Virtualization Infrastructure Software (NFVIS)

NFVIS Version: 3.12.3-RC8

Copyright (c) 2015-2020 by Cisco Systems, Inc.
Cisco, Cisco Systems, and Cisco Systems logo are registered trademarks of Cisco
Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

The copyrights to certain works contained in this software are owned by other
third parties and used and distributed under third party license agreements.
Certain components of this software are licensed under the GNU GPL 2.0, GPL 3.0,
LGPL 2.1, LGPL 3.0 and AGPL 3.0.


admin connected from ::1 using ssh on nfvis
admin logged with default credentials
Setting admin password will disable zero touch deployment behaviors.
Do you wish to proceed? [y or n]y
Please provide a password which satisfies the following criteria:
        1.At least one lowercase character
        2.At least one uppercase character
        3.At least one number
        4.At least one special character from # _ - * ?
        5.Length should be between 7 and 128 characters
Please reset the password :
Please reenter the password :


 Resetting admin password


New admin password is set

nfvis#
System message at 2020-01-08 03:10:10...
Commit performed by system via system using system.
nfvis#

Note

To commit the target configuration to the active (running) configuration, use the commit command in any configuration mode. Changes made during a configuration session are inactive until the commit command is entered. By default, the commit operation is pseudo-atomic, meaning that all changes must succeed for the entire commit operation to succeed.

Connecting to the System

Using IPv4

The three interfaces that connect the user to the system are the WAN and WAN2 interfaces and the management interface. By default, the WAN interface has DHCP configuration and the management interface is configured with static IP address 192.168.1.1. If the system has a DHCP server connected to the WAN interface, the WAN interface is assigned an IP address from this server. You can use this IP address to connect to the system.

You can connect to the server locally (with an Ethernet cable) using the static management IP address; to connect to the box remotely using a static IP address, the default gateway needs to be configured.

You can connect to the system in the following three ways:

  • Using the local portal—After the initial login, you are prompted to change the default password.

  • Using the KVM console—After the initial login using the default password, you are prompted to change the default password.

  • Using PnP—After the initial provisioning through PnP, the configuration file pushed by the PNP server must include the new password for the default user (admin).

Using IPv6

IPv6 can be configured in static, DHCP stateful and Stateless Autoconfiguration (SLAAC) mode. By default, DHCP IPv6 stateful is configured on the WAN interface. If DHCP stateful is not enabled on the network, the router advertisement (RA) flag decides which state the network stays in. If the RA shows Managed (M) flag, then the network stays in DHCP mode, even if there is no DHCP server in the network. If the RA shows Other (O) flag, then the network switches from DHCP server to SLAAC mode.

SLAAC provides IPv6 address and default gateway. Stateless DHCP is enabled in the SLAAC mode. If the server has DNS and domain configured, then SLAAC also provides those values via stateless DHCP.

Performing Static Configuration without DHCP


Note

Starting from NFVIS 3.10.1 release, for ENCS 5400 and ENCS 5100, wan2-br obtains an IP address from DHCP. To configure default gateway, first use no bridges bridge wan2-br dhcp command.

If you want to disable DHCP and use static configuration, initial configuration is done by setting the WAN IP address and/or management IP address, and the default gateway. You can also configure a static IP on a created bridge.

To perform initial configuration on the system without using DHCP: 


configure terminal
system settings mgmt ip address 192.168.1.2 255.255.255.0 
bridges bridge wan-br ip address 209.165.201.22 255.255.255.0
system settings default-gw 209.165.201.1
commit

Note

When an interface is configured with a static IP address, DHCP is automatically disabled on that interface.

Now you can either use the management IP or WAN IP to access the portal.

To configure static IPv6 on the WAN interface:


configure terminal
system settings mgmt ipv6 address 2001:DB8:1:1::72/64 
bridges bridge wan-br ipv6 address 2001:DB8:1:1::75/64
system settings default-gw-ipv6 2001:DB8:1:1::76
commit

Note

When an interface is configured with a static IPv6 address, DHCP IPv6 is automatically disabled on that interface. There are three options for IPv6 - static, DHCP and SLAAC, out of which only one can be enabled at a time.

To configure DHCP on the WAN interface: 


configure terminal
no system settings default-gw
system settings wan dhcp
commit
exit
hostaction wan-dhcp-renew

Note

Starting from NFVIS 3.10.1, you can configure DHCP IPv6 on any bridge. You can only have one DHCP IPv6 bridge or management interface active at a time, and cannot have DHCP IPv6 and default IPv6 gateway or SLAAC IPv6 configured at the same time.

To configure DHCP IPv6 on the WAN interface: 


configure terminal
no system settings default-gw-ipv6
system settings wan dhcp-ipv6
commit
exit
hostaction wan-dhcp-renew

Verifying Initial Configuration

The show system settings-native command is used to verify initial configuration. Use show bridge-settings and show bridge-settings bridge_name commands to verify the configuration for any bridge on the system.

Extract from the output of the show system settings-native command when both WAN and management interfaces have a static configuration: 


system settings-native mgmt ip-info interface lan-br
system settings-native mgmt ip-info ipv4_address 192.168.1.2
system settings-native mgmt ip-info netmask 255.255.255.0
!
!
!
system settings-native mgmt dhcp disabled
system settings-native wan ip-info interface wan-br
system settings-native wan ip-info ipv4_address 209.165.201.22 
system settings-native wan ip-info netmask 255.255.255.0
!
!
!
system settings-native wan dhcp disabled
!
!
system settings-native gateway ipv4_address 209.165.201.1
system settings-native gateway interface wan-br

Extract from the output of the show system settings-native command when the management interface has a DHCP configuration and the WAN interface has a static configuration: 


system settings-native mgmt ip-info interface MGMT
system settings-native mgmt ip-info ipv4_address 192.168.1.2
system settings-native mgmt ip-info netmask 255.255.255.0
!
!
!
system settings-native mgmt dhcp enabled
system settings-native wan ip-info interface wan-br
system settings-native wan ip-info ipv4_address 209.165.201.22
system settings-native wan ip-info netmask 255.255.255.0
!
!
!
system settings-native wan dhcp disabled

Extract from the output of the show system settings-native command when the WAN interface has a DHCP configuration and the management interface has a static configuration: 


system settings-native mgmt ip-info interface lan-br
system settings-native mgmt ip-info ipv4_address 209.165.201.2 
system settings-native mgmt ip-info netmask 255.255.255.0
!
!
!
system settings-native mgmt dhcp disabled
system settings-native wan ip-info interface wan-br
system settings-native wan ip-info ipv4_address 209.165.201.22
system settings-native wan ip-info netmask 255.255.255.0
!
!
!
system settings-native wan dhcp enabled

Configuring VLAN for NFVIS Management Traffic

A VLAN is a method of creating independent logical networks within a physical network. VLAN tagging is the practice of inserting a VLAN ID into a packet header in order to identify which VLAN the packet belongs to.

You can configure a VLAN tag on the WAN bridge (wan-br) interface to isolate Cisco Enterprise NFVIS management traffic from VM traffic. You can also configure VLAN on any bridge on the system (wan2-br for ENCS5400 or ENCS 5100, and user-br for all systems)

By default, Wan bridge and LAN bridge are in trunk mode and allows all VLANs. When you configure native VLAN, you must also configure all the allowed VLANs at the same time. The native VLAN becomes the only allowed VLAN if you do not configure all the VLANs. If you want a network that allows only one VLAN, then create another network on top of wan-net and lan-net and make it access network.


Note

You cannot have the same VLAN configured for the NFVIS management and VM traffc.

For more details on the VLAN configuration, see the Understanding and Configuring VLANs module in the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.

Configuring System Routes

In addition to the default routes in the system, you can configure additional system routes. This configuration is specifically useful when certain destinations are not reachable through the default routes.

While you can create a route just by providing the destination and prefix length, a valid route requires that you specify either a device or a gateway or both.

To configure additional system routes:


configure terminal
system routes route  209.165.201.1 dev lan-br
commit
Verifying the System Routes Configuration

To verify the system routes configuration, use the show system routes command as shown below: 


nfvis# show system routes
DESTINATION 	PREFIXLEN 	STATUS
----------------------------------
209.165.201.1 	12 -
209.165.201.2 	12 -
209.165.201.3 	24 -
System Routes APIs and Commands

System Routes APIs

System Routes Commands

  • /api/config/system/routes

  • /api/config/system/routes/route/<host

    destination,netmask>

  • system routes route

  • show system routes

Configuring the IP Receive ACL

To filter out unwanted traffic, you can configure ip-receive-acl to block or allow certain traffic based on the IP address and service ports.

To configure the source network for Access Control List (ACL) access: 


configure terminal
system settings ip-receive-acl 198.0.2.0/24
action accept priority 10
commit

Verifying the Trusted IP Connection

Use the show running-config system settings ip-receive-acl command to display the configured source network for ACL access to the management interface 


nfvis# show running-config system settings ip-receive-acl 
system settings ip-receive-acl 198.51.100.11/24
service
[ ssh https scpd]
action accept
priority 100

Port 22222 and Management Interface ACL

Port 22222 is used for SCP server and is closed by default on an NFVIS system. You cannot SCP a file into NFVIS from an external server. If you need to SCP file from an external server, you must first open the port.

To open port 22222:


config terminal
system settings ip-receive-acl address/mask_len service scpd priority 2 action accept
commit

The Access Control List (ACL) is identify by address. If this ACL is removed, all ACLs sharing the same address are also removed. Ensure that you configure the ACLs that share the same address once again.


Note

From 3.8.1 release, only a user belonging to administrator role can use the SCP command on this port to upload or download only from restricted folders like /data/intdatastore/. For more information, see Host System Operations.


Caution

SCP command cannot be used to copy files from one NFVIS device to another NFVIS device.

Use the show running-config system settings ip-receive-acl command to verify the interface configuration: 


nfvis# show running-config system settings ip-receive-acl

system settings ip-receive-acl 10.156.0.0/16

 service  [ ssh https scpd ]

 action   accept

 priority 100

!

Configuring Secondary IP and Source Interface

Secondary IP

The Cisco Enterprise NFVIS supports multiple IP addresses per interface. A Secondary IP feature can be configured on the WAN interface, as an additional IP to reach the software. Set the external routes for Secondary IP to reach the NFVIS. Routers configured with secondary addresses can route between the different subnets attached to the same physical interface.

To access secondary IP through ISRv, the WAN physical port is removed from wan-br similar to single IP.

To configure Secondary IP:


Configure Secondary IP
nfvis(config)# system settings wan secondary ip address 1.1.2.3 255.255.255.0

Source Interface

This feature is used to set the source interface with an ip address. The ip address configured will be used for for packets generated by the NFVIS. The packets generated use the default route.

Prerequisites for configuring Source Interface

  • IP must be one of the configured IP addresses in system settings.

  • The source-interface IP address can be one of the following:

    • mgmt

    • WAN

    • WAN Secondary IP

    • WAN2 IP or IP configured on any bridge

  • Source-interface configuration must be applied if the WAN IP is static.

  • For DHCP, Source-interface IP is accepted but cannot be applied. The configuration takes effect once you switch from DHCP to static.

To configure Source Interface:


Configure source-interface ip
nfvis(config)# system settings source-interface 
1.1.2.3

The Secondary IP and Source Interface related errors are logged in show log nfvis_config.log file.

Secondary IP and Source Interface APIs and Commands

APIs

Commands

  • /api/config/system/settings/wan/secondary

  • system settings wan secondary

  • /api/config/system/settings/source-interface

  • system settings source-interface

CIMC Access Control

On ENCS 5400, NFVIS administrators have authoritative control of the device. This includes capability to change the IP address used to reach the CIMC and modifying the CIMC and BIOS passwords

CIMC Access using NFVIS


Note

CIMC access using NFVIS is supported only on ENCS 5400.

When CIMC access is enabled on NFVIS, ISRv can gain access to the host CIMC and internal switch management console. You must have authorization from Cisco Interactive Debug (CID) to access both consoles.

To access CIMC using NFVIS WAN or management interface IP address, use the system settings cimc-access enable command. Once you configure CIMC access on NFVIS, the stand alone CIMC access using CIMC IP address is disabled and you will be able to access CIMC using NFVIS management interface IP address. The configurations remain on the device even after the device reboot.

When the CIMC access is configured, it enables a few ports to access services like SSH, SNMP, HTTP and HTTPs into the CIMC.

The following port numbers are being used for forwarding services to CIMC:

  • 20226 for SNMP

  • 20227 for SSH

  • 20228 for HTTP

  • 20229 for HTTPS

If you are unable to access CIMC using NFVIS, check the show log nfvis_config.log file.

Use system settings cimc-access disable to disable this feature.

BIOS-CIMC Update

Starting from 3.8.1 release, for ENCS 5400 router, if existing BIOS/CIMC version is lower than the bundled image in NFVIS ISO or upgrade package, it is updated automatically during the NFVIS upgrade or installation. Also the CPU microcode is upgraded. The upgrade time takes longer than the previous releases and the upgrade will be done automatically, and you cannot stop the process once it is initiated.

For ENCS 5100 router, BIOS will be upgraded automatically to a new version but you need to boot up the server manually after the upgrade.

BIOS and CIMC Password

To change the BIOS and CIMC password for ENCS 5400 use hostaction change-bios-password newpassword or hostaction change-cimc-password newpassword commands. The change in the password will take effect immediately after the commands are executed. For both CIMC and BIOS passwords any alphanumeric character along with some special characters (_ @ # ) are allowed.

For CIMC, the password must contain a minimum of eight characters..

For BIOS, the password must contain a minimum of seven characters and the first letter cannot be #.

BIOS and CIMC Password APIs and Commands

BIOS and CIMC Password APIs

BIOS and CIMC Password Commands

  • /api/operations/hostaction/change-cimc-password

    /api/operations/hostaction/change-bios-password

  • hostaction change-cimc-password

  • hostaction change-bios-password

Overview to ENCS 5400 for UEFI Secure Boot

You can use Unified Extensible Firmware Interface (UEFI) secure boot to ensure that all the EFI drivers, EFI applications, option ROM or operating systems prior to loading and execution are signed and verified for authenticity and integrity, before you load and execute the operating system. You can enable this option using either web UI or CLI. When you enable UEFI secure boot mode, the boot mode is set to UEFI mode and you cannot modify the configured boot mode until the UEFI boot mode is disabled.


Note

If you enable UEFI secure boot on a nonsupported OS, on the next reboot, you cannot boot from that particular OS. If you try to boot from the previous OS, an error is reported and recorded the under system software event in the web UI. You must disable the UEFI secure boot option using Cisco IMC to boot from your previous OS.

Enabling UEFI Secure Boot Mode

To enable UEFI secure boot mode:


Server# scope bios
Server /bios # set secure-boot enable
Setting Value : enable
Commit Pending.
Server /bios *# commit

Reboot the server to have your configuration boot mode settings take place.

Disabling UEFI Secure Boot Mode

To disable UEFI secure boot mode:


Server# scope bios
Server /bios # set secure-boot disable
Setting Value : enable
Commit Pending.
Server /bios *# commit

Reboot the server to have your configuration boot mode settings take place.

To install NFVIS in UEFI mode, map the iso image through vmedia or kvm first, then enable secure boot and change the BIOS set-up parameters. 


encs# scope bios
encs /bios # scope advanced
encs /bios/advanced # set BootOpRom UEFI
encs /bios/advanced # set BootOrderRules Loose
encs /bios/advanced *# commit

Reboot the device to start installation.


Note

All VNFs and configurations are lost at reboot. Secure boot in UEFI mode works differently from the legacy mode. Therefore, there is no compatibility in between legacy mode and UEFI mode. The previous environment is not kept.

Enabling or Disabling the Portal Access

The Cisco Enterprise NFVIS portal access is enabled by default. You can disable the access if required.

To disable the portal access:


configure terminal
system portal access disabled 
commit

Note

You can enable the portal access using the enabled keyword with the system portal access configuration.

Verifying the Portal Access

Use the show system portal status command to verify the portal access status as shown below: 


nfvis# show system portal status
system portal status "access disabled"

Portal Access APIs and Commands

Portal Access APIs

Portal Access Commands

  • /api/config/system/portal

  • /api/operational/system/portal/status

  • system portal access

  • show system portal status

Users, Roles and Authentication

Local User Account Management

Role based access enables the administrator to manage different levels of access to the system's compute, storage, database, and application services. It uses the access control concepts such as users, groups, and rules, which you can apply to individual API calls. You can also keep a log of all user activities.

Table 1. Supported User Roles and Privileges

User Role

Privilege

Administrators

Owns everything, can perform all tasks including changing of user roles, but cannot delete basic infrastructure. Admin's role cannot be changed; it is always "administrators".

Operators

Start and stop a VM, and view all information

Auditors

Read-only permission

Rules for User Passwords

The user passwords must meet the following requirements:

  • Must have at least seven characters length or the minimum required length configured by the admin user.

  • Must not have more than 128 characters.

  • Must contain a digit.

  • Must contain one of the following special characters: hash (#), underscore (_), hyphen (-), asterisk (*), and question mark (?).

  • Must contain an uppercase character and a lowercase character.

  • Must not be same as last five passwords.

Creating Users and Assigning Roles

The administrator can create users and define user roles as required. You can assign a user to a particular user group. For example, the user "test1" can be added to the user group "administrators".


Note

All user groups are created by the system. You cannot create or modify a user group.

Starting from NFVIS 3.9.1, create-user, delete-user, change-role and change-password operations are configurable from exec mode.

To create a user:


rbac authentication users create-user name test1 password Test1_pass role administrators

To delete a user:


rbac authentication users delete-user name test1

Note

To change the password, use the rbac authentication users user test1 change-password new-password newPassword old-password oldPassword command. To change the user role to administrators, operators or auditors, use the rbac authentication users user test1 change-role new-role newRole old-role oldRole command.

User Management APIs and Commands

User Management APIs

User Management Commands

  • /api/config/rbac/authentication/users

  • /api/operations/rbac/authentication/users

    /user/<user-name>/change-password

  • /api/operations/rbac/authentication/users/user

    /<user-name>/change-role

  • /api/operations/rbac/authentication/users/create-user

  • /api/operations/rbac/authentication/users/delete-user

  • rbac authentication users

  • rbac authentication users user <user-name> change-password old-password <old_pwd> new-password <new_pwd>

  • rbac authentication users user <user-name> change-role old-role <old_role> new-role <new_role>

  • rbac authentication users create-user name <user-name> password <password> role <role>

  • rbac authentication users delete-user name <user-name>

Configuring Minimum Length for Passwords

The admin user can configure the minimum length required for passwords of all users. The minimum length must be between 7 to 128 characters. By default, the minimum length required for passwords is set to 7 characters. 


configure terminal
rbac authentication min-pwd-length 10
commit

Minimum Password Length APIs and Commands

APIs

Commands

/api/config/rbac/authentication/min-pwd-length

rbac authentication min-pwd-length

Configuring Password Lifetime

The admin user can configure minimum and maximum lifetime values for passwords of all users and enforce a rule to check these values. The default minimum lifetime value is set to 1 day and the default maximum lifetime value is set to 60 days.

When a minimum lifetime value is configured, the user cannot change the password until the specified number of days have passed. Similarly, when a maximum lifetime value is configured, a user must change the password before the specified number of days pass. If a user does not change the password and the specified number of days have passed, a notification is sent to the user.


Note

The minimum and maximum lifetime values and the rule to check for these values are not applied to the admin user. 


configure terminal
rbac authentication password-lifetime enforce true min-days 2 max-days 30
commit

Password Lifetime APIs and Commands

APIs

Commands

/api/config/rbac/authentication/password-lifetime/

rbac authentication password-lifetime

Deactivating Inactive User Accounts

The admin user can configure the number of days after which an unused user account is marked as inactive and enforce a rule to check the configured inactivity period. When marked as inactive, the user cannot login to the system. To allow the user to login to the system, the admin user can activate the user account by using the rbac authentication users user username activate command.


Note

The inactivity period and the rule to check the inactivity period are not applied to the admin user. 


configure terminal
rbac authentication account-inactivity enforce true inactivity-days 2
commit

Deactivate Inactive User Accounts APIs and Commands

APIs

Commands

/api/config/rbac/authentication/account-inactivity/

rbac authentication account-inactivity

Activating an Inactive User Account

The admin user can activate the account of an inactive user.


configure terminal
rbac authentication users user guest_user activate
commit

Activate Inactive User Account APIs and Commands

APIs

Commands

/api/operations/rbac/authentication/users/user/username/activate

rbac authentication users user activate

NFVIS Password Recovery

  1. Load the NFVIS ISO image, using the CIMC KVM console.

  2. Select Troubleshooting from the Boot Selection menu.

  3. Select Rescue a NFVIS Password.

  4. Select Continue.

  5. Press Return to get a shell.

  6. Run the chroot /mnt/sysimage command.

  7. Run the ./nfvis_password_reset command to reset the password to admin.

  8. Confirm the change in password and enter Exit twice.

    Disconnect the NFVIS ISO image in the CIMC KVM console and reboot NFVIS.

  9. Login to NFVIS with the default credentials admin/Admin123#.

    After login to NFVIS, enter a new password at prompt.

  10. Connect to NFVIS with the new password.


Note

You can update and recover NFVIS 3.8.1 and older passwords using NFVIS 3.9.1.

RADIUS Support

About RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed client-server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.

RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with any security system currently available on the market.

Cisco supports RADIUS under its AAA security paradigm. RADIUS has been implemented in a variety of network environments that require high levels of security while maintaining network access for remote users.

RADIUS Operation

When a user attempts to log in and authenticate to an access server using RADIUS, the following steps occur:

  1. The user is prompted to enter the username and password.

  2. The username and encrypted password are sent over the network to the RADIUS server.

  3. The user receives one of the following responses from the RADIUS server:

    1. ACCEPT—The user is authenticated.

    2. CHALLENGE—A challenge is issued by the RADIUS server. The challenge collects additional data from the user.

    3. CHANGE PASSWORD—A request is issued by the RADIUS server, asking the user to select a new password.

    4. REJECT—The user is not authenticated and is prompted to reenter the username and password, or access is denied.

The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network authorization. You must first complete RADIUS authentication before using RADIUS authorization. The additional data included with the ACCEPT or REJECT packets consists of the following:

  • Services that the user can access, including connections such as Telnet, rlogin, or local-area transport (LAT), and services such as PPP, Serial Line Protocol (SLIP), or EXEC services.

  • Connection parameters, including the host or client IP address, access list, and user timeouts.

Configuring RADIUS

To configure RADIUS support:


configure terminal
radius-server host 103.1.4.3
shared-secret cisco123
admin-priv 15
oper-priv  11
commit

Starting from NFVIS 3.9.2 release, RADIUS secret encryption is supported. You can only configure either secret key or encrypted secret key at a given time. Use encrypted secret if special characters are used in secret. To configure encrypted RADIUS secret: 


configure terminal
radius-server host 103.1.4.3
encrypted-shared-secret cisco123
admin-priv 15
oper-priv  11
commit
Verifying the RADIUS configuration

Use the show running-config radius-server command to verify the interface configuration for a RADIUS session: 


nfvis# show running-config radius-server 

radius-server host 103.1.4.3
 key           0
 shared-secret cisco123
 admin-priv    15
 oper-priv     11
RADIUS Support APIs and Commands

APIs

Commands

  • /api/config/security_servers/radius-server

  • radius-server host

  • key

  • admin-priv

  • oper-priv

  • encrypted-shared-secret or shared-secret

TACACS+ Support

About TACACS+

TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation. You must configure a TACACS+ server before the configured TACACS+ features on your network access server are available.

On the TACACS+ server, ensure you configure Cisco attribute-value (AV) pair privilege level (priv-lvl) for Cisco Enterprise NFVIS service for the minimum privilege level of administrators and operators.


Note

In NFVIS 3.11.1 or earlier release, users with no privilege level or users with a privilege level that is less than the operator's privilege level are considered as auditors with read-only permission.

After NFVIS 3.12.1 release, users with privilege level zero won't be able to login to NFVIS anymore.

TACACS Operation

When a user attempts a simple ASCII login by authenticating to NFVIS using TACACS+, this process occurs:

  1. When the user tries to log in, NFVIS sends user credential to TACACS+ server.

  2. NFVIS will eventually receive one of the following responses from the TACACS+ server:

    1. ACCEPT—The user is authenticated and service can begin. If NFVIS is configured to require authorization, authorization begins at this time.

    2. REJECT—The user is not authenticated. The user can be denied access or is prompted to retry the login sequence, depending on the TACACS+ server.

    3. ERROR—An error occurred at some time during authentication with the server or in the network connection between the server and NFVIS. If an ERROR response is received, NFVIS typically tries to use an alternative method for authenticating the user.

    4. CONTINUE—The user is prompted for additional authentication information.

    After authentication, NFVIS will send authorization request to TACACS+ server.

  3. Based on authorization result, NFVIS will assign user's role.

Configuring a TACACS+ Server

To configure TACACS+:


configure terminal
tacacs-server host 209.165.201.20 shared-secret 
test1

key 0 
admin-priv 
14

oper-priv 
9

commit

In this configuration, privilege level 14 is assigned to the administrator role, and privilege level 9 is assigned to the operator role. This means a user with privilge level 14 or higher will have all admin privileges when the user logs into the system, and a user with privilege level 9 or higher will have all privileges of an operator at the time of login.

Starting from NFVIS 3.9.2 release, TACACS+ secret encryption is supported. You can only configure either secret key or encrypted secret key at a given time. Encrypted secret key can contain special characters but secret key cannot. For NFVIS 3.12.1 release, the following pattern is supported for encryped-shared-key: [-_a-zA-Z0-9./\\<>%!*$€#{}()+].

To configure encrypted TACACS+ key:


configure terminal
tacacs-server host 209.165.201.20 encrypted-shared-secret test1
key 0 
admin-priv 
14

oper-priv 
9

commit
Verifying the TACAC+ configuration

Use the show running-config tacacs-server command to verify the configuration if encrypted TACACS+ key is configured: 


nfvis# show running-config tacacs-server 

tacacs-server host 209.165.201.20
 encrypted-shared-secret $8$mRTnL9TKZCFi1BUP7Mwbm3JVIo4Z7QvJ
 admin-priv              15
 oper-priv               11
!
TACACS+ APIs and Commands

TACACS+ APIs

TACACS+ Commands

  • /api/config/security_servers/tacacs-server

  • /api/config/security_servers/tacacs-server?deep

  • /api/config/security_servers/tacacs-server

    /host/<ip-address/domain-name>

  • tacacs-server host

  • key

  • admin-priv

  • oper-priv

  • encrypted-shared-secret or shared-secret

Default Authentication Order

NFVIS supports both TACACS+ and RADIUS but only one authentication method can be enabled at a time. After you have identified the TACACS+ and RADIUS server and defined an associated TACACS+ and RADIUS authentication key, you must define method lists for TACACS+ and RADIUS authentication. Because TACACS+ and RADIUS authentication is operated through AAA, you need to issue the aaa authentication command, specifying TACACS+ or RADIUS as the authentication method. 


nfvis(config)# aaa authentication ?
Possible completions:
  radius   Use RADIUS for AAA
  tacacs   Use TACACS+ for AAA
  users    List of local users

Note

  • Only when TACACS+ or RADIUS is enabled, it can be used for authentication.

  • When TACACS+ or RADIUS is not accessible, local authentication is used. It is recommended to use aaa authentication TACACS local command to authenticate using local database. Local authentication is disabled if the connection between TACACS+ or RADIUS and NFVIS is restored.

  • If same username exists on both local and TACACS+ or RADIUS, then TACACS+ or RADIUS user is chosen for authentication.

  • It is recommended to configure Syslog so that it is easier to debug if TACACS+ or RADIUS does not work as expected.

All login attempts will be logged in syslogs in the local nfvis_syslog.log, nfvis-ext-auth.log files and in remote syslog servers.

Enchancements for NFVIS 3.12.3, User Specific Authentication Order

Starting from NFVIS 3.12.3 release, the supported aaa authentication order is local authentication followed by TACACS+.

  • If the user is in local database execute authentication and permit or deny access.

  • If the user is not in local database, use TACACS+ for authentication

  • If the same user is present in both local and TACACS+, then the user can login with local password or TACACS+ password. It is not recommended to configure same user in both local and TACACS+.

In NFVIS 3.12.3 release the only supported combination for authentication order is aaa auth-order local tacacs . Any other combinations are not supported. aaa auth-order configuration is mutually exclusive to aaa authentication and if one is configured, the other is automatically replaced. 


nfvis(config)# aaa ?
Possible completions:
auth-order Configure authentication order; Mutually exclusive to authentication method configuration
authentication Configure external authentication method; Mutually exclusive to auth-order configuration
ios Specific IOS settings

nfvis(config)# aaa auth-order ?
Description: Configure authentication order; Mutually exclusive to authentication method configuration
Possible completions:local radius tacacs
nfvis(config)# aaa auth-order local ?
Possible completions:
radius tacacs <cr>
nfvis(config)# aaa auth-order local tacacs ?
Possible completions:radius <cr>
nfvis(config)# aaa auth-order local tacacs
nfvis(config)#

Networking

Bridges

The IP configuration on bridges and show bridge-settings command were added in NFVIS 3.10.1 release. NFVIS is installed with LAN and WAN bridges by default. A service bridge can also be created. A bridge can be used for NFVIS connectivity. Each bridge can be configured with IPv4 or IPv6 configurations such as Static IP, DHCP, SLAAC, or VLAN. Each bridge can have a port or port channel associated with it.

On all NFVIS systems, lan-br and wan-br are generated by default and populated with the appropriate ports for that system. On ENCS 5000 series platforms wan2-br is also generated by default for the dual WAN initialization. For more information, see Dual WAN Support. Except on ENCS 5000 Series platforms, the default LAN bridge is configured with a static IP address 192.168.1.1 and the WAN bridges uses DHCP for initial NFVIS connectivity.

On ENCS 5400 series platforms configuration changes are not allowed on the lan-br bridge. The LAN bridge cannot be modified in any way.

Using IPv4

If the system has a DHCP server connected to a bridge with DHCP configured, the bridge receives the IP address from the server. You can use this IP address to connect to the system.

You can also connect to the server locally with an ethernet cable using a static IP address. To connect to the box remotely using a static IP address, you must configure the default gateway or setup an appropriate static route.

Both DHCP and a default gateway cannot be configured on NFVIS simultaneously. NFVIS only supports one system level default gateway and if DHCP is configured, the default gateway is assigned to the system through the DHCP server. Also, only one bridge can be configured with DHCP at any time.

Using IPv6

IPv6 can be configured in static, DHCP stateful and Stateless Auto configuration (SLAAC) modes. By default,DHCP IPv6 stateful is configured on the WAN interface. If DHCP stateful is not enabled on the network, the router advertisement (RA) flag decides which state the network stays in. If the RA shows Managed (M) flag, then the network stays in DHCP mode, even if there is no DHCP server in the network. If the RA shows Other (O) flag, then the network switches from DHCP server to SLAAC mode.

SLAAC provides IPv6 address and a default gateway. Stateless DHCP is enabled in the SLAAC mode. If the server has DNS and domain configured, then SLAAC also provides those values through stateless DHCP.

Similar to IPv4, IPv6 DHCP and IPv6 default gateway cannot be configured on the system simultaneously, nor can stateful and stateless IPv6 DHCP. Also, only one bridge can be configured with either stateful or stateless IPv6 DHCP at any time.

Creating Bridges

To configure a new bridge:


configure terminal
bridges bridge my-br
commit

To verify the bridge generation, use the show bridge-settings command: 


nfvis# show bridge-settings my-br ip-info interface
ip-info interface my-br

Configuring Bridge Port

A bridge can be tied to a physical interface by applying the port configuration. A bridge can have as many ports as are available, however a port must be unique to at most one bridge. If a port channel is applied to a bridge, it must be the only port configuration on that bridge.

To configure a port on a bridge:


configure terminal
bridges bridge my-br port eth3
commit

To configure a port channel on a bridge:


configure terminal
bridges bridge my-br port pc1
commit

To verify the port settings applied to a bridge, use the support ovs vsctl command: 


nfvis# support ovs vsctl list-ports my-br
eth3

The same command can be used to verify the port channel settings applied to a bridge:


nfvis# support ovs vsctl list-ports my-br
bond-pc1

Configuring Bridge IP Connectivity

Configuring DHCP on Bridge

DHCP configuration can be applied to any bridge if no other bridge on the system has DHCP configured, and default gateway is not applied under system settings. Starting from NFVIS 3.12.1 release, DHCP configuration on a bridge automatically triggers a DHCP renew request from the bridge. For an additional DHCP renew trigger, use the hostaction bridge-dhcp-renew command.

To configure DHCP on a bridge:


configure terminal
bridges bridge my-br dhcp
commit

To verify the DHCP settings applied to a bridge, use the show bridge-settings <br_name> dhcp command. 


nfvis# show bridge-settings my-br dhcp

dhcp enabled
dhcp offer                         true
dhcp interface                     my-br
dhcp fixed_address                 10.10.10.14
dhcp subnet_mask                    255.255.255.128
dhcp gateway                        10.10.10.1
dhcp lease_time                     7200
dhcp message_type                     5
dhcp name_servers                    NA
dhcp server_identifier              10.10.10.1
dhcp renewal_time                   3600
dhcp rebinding_time                   6300
dhcp vendor_encapsulated_options     NA
dhcp domain_name                      NA
dhcp renew                      2019-12-11T13:28:29-00:00
dhcp rebind                    2019-12-11T14:17:12-00:00
dhcp expire                    2019-12-11T14:32:12-00:00
Configuring Static IP on Bridge

An IPv4 address and subnet can be configured on any bridge which does not have DHCP configured. To enable routing outside of the subnet, apply the default gateway under system settings or confirgure system routes.

To configure an IPv4 address on a bridge:


configure terminal
bridges bridge my-br ip address 172.25.220.124 255.255.255.0
commit

To verify the IPv4 settings applied to a bridge, use the show bridge-settings <br_name> ip_info command. 


nfvis# show bridge-settings my-br ip_info
ip-info interface                        my-br
ip-info ipv4_address                     172.25.220.124
ip-info netmask                          255.255.255.0
ip-info link-local ipv6 address          fe80::4e00:82ff:fead:e802
ip-info link-local ipv6 prefixlen        64
ip-info global ipv6                    address::
ip-info global ipv6 prefix              len0
ip-info mac_address                     4c:00:82:ad:e8:02
ip-info mtu                            9216
ip-info txqueuelen                     1000
Configuring IPv6 DHCP on Bridge

IPv6 DHCP configuration can be applied to any bridge if no other bridge on the system has IPv6 DHCP or IPv6 SLAAC configured, and IPv6 default gateway is not applied under system settings. Starting from NFVIS 3.12.1 release, an IPv6 DHCP configuration on a bridge automatically triggers an IPv6 DHCP renew request from the bridge. For an additional IPv6 DHCP renew trigger use the hostaction bridge-dhcp-renew command.

To configure IPv6 DHCP on a bridge:


configure terminal
bridges bridge my-br dhcp-ipv6
commit

To verify the IPv6 DHCP settings applied to a bridge, use the show bridge-settings <br_name> dhcp-ipv6 command. 


nfvis# show bridge-settings my-br dhcp-ipv6
dhcp-ipv6 offer true
dhcp-ipv6 interface my-br
dhcp-ipv6 ia-naec:d2:7d:b4
dhcp-ipv6 starts 1554792146
dhcp-ipv6 renew 43200
dhcp-ipv6 rebind 69120
dhcp-ipv6 iaaddr 2001:420:30d:201:ffff:ffff:fffa:8e48
dhcp-ipv6 preferred-life 86400
dhcp-ipv6 max-life 172800
dhcp-ipv6 client-id 0:1:0:1:24:3e:fb:50:0:62:ec:d2:7d:b4
dhcp-ipv6 server-id 0:3:0:1:0:25:45:1b:c2:2a
dhcp-ipv6 name_servers NA
dhcp-ipv6 domain_name NA
dhcp-ipv6 option [ ]
Configuring IPv6 SLAAC on Bridge

IPv6 SLAAC configuration can be applied to any bridge if no other bridge on the system has IPv6 SLAAC or IPv6 DHCP configured, and IPv6 default gateway is not applied under system settings.

To configure IPv6 SLAAC on a bridge:


configure terminal
bridges bridge my-br slaac-ipv6
commit

To verify the IPv6 SLAAC settings applied to a bridge, use the show bridge-settings <br_name> slaac-ipv6 command. 


nfvis# show bridge-settings my-br slaac-ipv6
slaac-ipv6 enabled
Configuring Static IPv6 Address on Bridge

An IPv6 address can be configured on any bridge which does not have IPv6 DHCP or SLAAC configured. To enable routing outside of the subnet, apply the default gateway under system settings or confirgure system routes.

To configure an IPv6 address on a bridge:


configure terminal
bridges bridge my-br ipv6 address 2001:db8:85a3::8a2e:370:7334/64
commit

To verify the IPv6 settings applied to a bridge, use the show bridge-settings <br_name> ip_info command. 


nfvis# show bridge-settings my-br ip_info
ip-info interface my-br 
ip-info ipv4_address 172.25.220.124
ip-info netmask 255.255.255.0
ip-info link-local ipv6 address fe80::4e00:82ff:fead:e802
ip-info link-local ipv6 prefixlen 64
ip-info global ipv6 address 2001:db8:85a3::8a2e:370:7334
ip-info global ipv6 prefixlen 64
ip-info mac_address 4c:00:82:ad:e8:02
ip-info mtu 9216
ip-info txqueuelen 1000
Configuring VLAN on Bridge

A VLAN is a method of creating independent logical networks within a physical network. VLAN tagging is the practice of inserting a VLAN ID into a packet header in order to identify which VLAN the packet belongs to.

You can configure a VLAN tag on the WAN bridge (wan-br) interface to isolate Cisco Enterprise NFVIS management traffic from VM traffic. You can also configure VLAN on any bridge on the system (wan2-br for ENCS5400 or ENCS 5100, and user-br for all systems)

By default, Wan bridge and LAN bridge are in trunk mode and allows all VLANs. When you configure native VLAN, you must also configure all the allowed VLANs at the same time. The native VLAN becomes the only allowed VLAN if you do not configure all the VLANs. If you want a network that allows only one VLAN, then create another network on top of wan-net and lan-net and make it access network.


Note

You cannot have the same VLAN configured for the NFVIS management and VM traffc.

For more details on the VLAN configuration, see the Understanding and Configuring VLANs module in the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.

To configure a VLAN:


configure terminal
bridges bridge wan-br vlan 120
commit

To verify the VLAN settings applied to a bridge, use the show bridge-settings my-br vlan command. 


nfvis# show bridge-settings my-br vlan
vlan tag 10
Configuring MAC Aging Time on Bridge

MAC aging time specifies the time at which a MAC address entry ages out of the MAC address table. The max-aging-time specifies the maximum number of seconds to retain a MAC learning entry for which no packets have been seen. The default value is 300 seconds.

To configure MAC aging time on a bridge:


configure terminal
bridges bridge my-br mac-aging-time 600
commit

To verify the MAC aging time settings applied to a bridge, use the show bridge-settings <br_name> mac-aging-time command. 


nfvis# show bridge-settings my-br mac-aging-time
mac-aging-time 600
Bridge APIs and Commands

Bridge APIs

Bridge Commands

/api/operational/bridge-settings

/api/config/bridges/bridge/

bridges bridge <br_name>

bridges bridge <br_name> port

bridges bridge <br_name> ip address

bridges bridge <br_name> dhcp

bridges bridge <br_name> ipv6 address

bridges bridge <br_name> dhcp-ipv6

bridges bridge <br_name> slaac-ipv6

bridges bridge <br_name> vlan

bridges bridge <br_name> mac-aging-time

show bridge-settings <br_name>

support ovs vsctl list-ports <br_name>

Port Channels

Information About Port Channels

Port channels combine individual links into a group to create a single logical link that provides the aggregate bandwidth of up to eight physical links. Creating port channels helps to increase bandwidth and redundancy and to load balance traffic between the member ports. If a member port within a port channel fails, the traffic from the failed port switches to the remaining member ports.

Port channels must have atleast two ports and can be configured using static mode or Link Access Control Protocol (LACP). Configuration changes that are applied to the port channel are applied to each member port of the port channel. A port channel can also be added to a bridge. When a port channel has two or more than two members and the port channel is added to a bridge, a bond is created.

A port can be a member of only one port channel and all the ports in a port channel must be compatible. Each port must use the same speed and operate in full-duplex mode.

Port Channels Bond Mode

A port channel can be configured for the following bond modes:

  • active-backup: In this mode, one of the ports in the aggregated link is active and all others ports are in the standby mode.

  • balance-slb: In this mode, load balancing of traffic is done based on the source MAC address and VLAN.

  • balance-tcp: In this mode, 5-tuple (source and destination IP, source and destination port, protocol) is used to balance traffic across the ports in an aggregated link.

Port Channels LACP Mode

A port channel can be configured for the following LACP modes:

  • off: Indicates that no mode is applicable.

  • active: Indicates that the port initiates transmission of LACP packets.

  • passive: Indicates that the port only responds to the LACP packets that it receives but does not initiate the LACP negotiation.

Configuring a Port Channel

Creating a Port Channel

To create a port channel: 


configure terminal
pnic egroup type port_channel lacp_type active bond_mode balance-tcp trunks 10,20
commit
Adding a Port to a Port Channel

You can add a port to a new port channel or a port channel that already contains ports. To add a port to a port channel:

Adding GE0-0 and GE0-1 to egroup:


configure terminal
pnic GE0-0 member_of egroup
commit


configure terminal
pnic GE0-1 member_of egroup
commit
Adding a Port Channel to a Bridge

You can add a port channel to a new bridge or an existing bridge. When a port channel is added to a bridge, a bond is added for the port channel.

To add a port channel to a bridge: 


configure terminal
bridges bridge test-br port egroup
commit
Deleting a Port Channel

Before deleting a port channel, you must remove all members assigned to the port channel. If the port channel is configured on the bridge, you must remove the port channel from the bridge.

  1. Remove ports from port channel. If GE0-0 and GE0-1 are part of port channel pc, remove them from pc first. 

    
configure terminal
no pnic pc GE0-0 member_of egroup
commit

    
configure terminal
no pnic GE0-1 member_of egroup
commit

  2. Remove port channel from the bridge.

    
configure terminal
no bridges bridge test-br port egroup
commit

  3. Delete port channel.

    
configure terminal
no pnic egroup
commit
Verifying Port Channel Configurations

To verify port channel configurations, use the show port-channel command. 


nfvis# show port-channel 

----bond-egroup----
bond_mode: balance-tcp
bond may use recirculation: yes, Recirc-ID : 1
bond-hash-basis: 0
updelay: 0 ms
downdelay: 0 ms
next rebalance: 6921 ms
lacp_status: negotiated >>>this should be negotiated to indicate port channel is active
lacp_fallback_ab: false 
active slave mac: 38:90:a5:1b:fe:0d(GE0-1)>>should indicate active slave mac address

slave GE0-0: enabled
may_enable: true

slave GE0-1: enabled
active slave >>>active slaveport should show active
may_enable: true
Port Channel APIs and Commands

APIs

Commands

/api/config/pnics

/api/config/pnics/pnic/<pnic_name>/member_of

/api/config/pnics/pnic/<pnic_name>/bond_mode

/api/config/pnics/pnic/<pnic_name>/trunks

pnic <port_channel_name> type port_channel

pnic <pnic_name> member_of <portchannel_name>

show port-channel

Physical Network Interface Cards

Configuring LLDP

Starting from NFVIS 3.7.1 release LLDP is supported on NFVIS. The Link Layer Discovery Protocol (LLDP) is used by network devices for advertising their identity, capabilities, and neighbors. You can configure LLDP on a PNIC which is not a port channel or a DPDK port. By default, LLDP is disabled for all PNICs.

LLDP information is sent by devices from each of the interface at a fixed interval, in the form of an ethernet frame. Each frame contains one LLDP Data Unit (LLDPDU). Each LLDPDU is a sequence of type-length-value (TLV) structures.

LLDP is enabled in transmit and receive mode. The LLDP agent can transmit the local system capabilities and status information and receive the remote system's capabilities and status information

If LLDP is enabled on two connected devices, they can see each other as neighbors.


Note

LLDP packets are not propagated to VMs. LLDP cannot be enabled on port channel or DPDK ports.

To enable LLDP on a PNIC:


configure terminal
pnic eth0 lldp enabled
commit

To disable LLDP on a PNIC: 


configure terminal
pnic eth0 lldp disabled
commit

Use the show lldp neighbors command to display the peer information: 


nfvis# show lldp neighbors eth0
--------------------------------------------------------------
DEVICE                                                 
NAME ID      HOLDTIME  CAPS  PLATFORM  PORTID  DESCRIPTION  

--------------------------------------------------------------
eth0 Switch1623 120 Bridge, Router Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 15.0(1)EX3, RELEASE SOFTWARE (fc2)Ifname:
Gi1/0/4GigabitEthernet1/0/4

Use the show lldp stats command to display the tx and rx information: 


nfvis# show lldp stats eth0
------------------------------------------------------------------
TX      DISCARD  ERROR  RX      DISCARDED  UNREC           
NAME   FRAMES  RX       RX     FRAMES    TLVS       TLVS   AGEOUTS  
------------------------------------------------------------------
eth0    23      0        0       19667     0         0         0
LLDP Configuration APIs and Commands

APIs

Commands

/api/config/pnics/pnic/<pnic_name>/lldp

/api/operational/lldp/neighbors

/api/operational/lldp/stats

pnic <pnic_name> lldp enabled

pnic <pnic_name> lldp disabled

show lldp neighbors <pnic_name>

show lldp stats <pnic_name>

Configuring Administrative Status of a Port

Administrator status provides a mechanism for configuring the administrative status of a port. It can be set to up or down and the default setting is on.

To configure adminstatus on a pnic for a VM:


configure terminal
pnic GE0-1 admin status down
commit

Use the show pnic command to verify the admin status configuration. Use the show pnic link_state command to verify the admin state configuration. 


nfvis# show pnic GE0-1 link_state
link_state down
Admin Status Configuration APIs and Commands

APIs

Commands

/api/config/pnics/pnic/<pnic_name>/adminstatus

pnic <pnic_name> adminstatus

Tracking Changes for a Port


Note

This feature is supported only on ENCS 5400 starting from NFVIS 3.10.1 release.

In a virtual environment when the PNIC goes down there is no indication to the interfaces inside the VNFs. It is useful to track state changes of PNICs including switch ports to one or more VNF interfaces and accordingly bring down or up the vNICs. This feature brings the appropriate interfaces inside the VNF up or down based on the PNIC state changes. Most of the VNFs support this functionality.

Track state can also be configured for LAN-SRIOV. The LAN network is not physically connected to LAN-SRIOV. Switch ports are connected to an embedded switch on the LAN side. The switch has an int-LAN interface which is a 10G interface the VMs can connect to from the LAN network using VFs (virtual functions). Therefore, the VM is not directly connected to LAN-SRIOV.

Track state configuration on WAN-SRIOV is not needed, as there is a one to one connection between WAN-SRIOV and the VM.

Track state can be configured for monitored and un-monitored VMs. If a track state configuration is deleted, the PNIC or switch port state changes will not be notified to the vNICs or VFs.

The VM has to be first deployed before you can configure PNIC track state for the VM. VNFs or vNICs do not have to be attached to a bridge connected to the PNIC.

To configure track state on a pnic for a VM use the following commands: pnic <pnic_name> track-state <vm_name> <vnic> or pnic <pnic_name> track-state <deploy_name.vm_grp_name> <vnic> 


configure terminal
pnic GE0-0 track-state ROUTER 0
end

To verify the track state configuration on the VM use the show interface or ethtool commands or the VM specific command that displays the interface link state.

In the following example, the vedge VM deployed and vNIC 0 is being tracked by GE0-1. The if-oper-status command shows the state of the vNIC being tracked by pNIC. When GE0-1 is down, if-oper-status also shows as down.

Track StateAPIs and Commands

Track StateAPIs

Track State Commands

  • api/config/pnics/pnic/<pnic_name>/track-state

  • pnic <pnic_name> track-state <vm_name> <vnic>

  • pnic <pnic_name> track-state <deploy_name.vm_grp_name> <vnic>

Speed, Duplex and Autonegotiation

NFVIS supports autonegotiation by default on all PNICs. Speed and duplex are set to auto mode to indicate autonegotiation is enabled.

Autonegotiation allows a PNIC to communicate with the device on the other end of the link to determine the optimal duplex mode and speed for the connection. Autonegotiation can be turned off by configuring speed and duplex. Supported ethernet speed is 10 Mbps, 100 Mbps, and 1G and 10G.

Duplex mode displays the data flow on the interface. Duplex mode on an interface can be full or half duplex. A half-duplex interface, can only transmit or receive data at any given time and a full-duplex interface can send and receive data simultaneously.

When autonegotiation is enabled on a port, it does not automatically determine the configuration of the port on the other side of the ethernet cable to match it. Autonegotiation only works if it is enabled on both sides of the link. If one side of a link has auto-negotiation enabled, and the other side of the link does not, then autonegotiation cannot determine the speed and duplex configurations of the other side. If autonegotiation is enabled on the other side of the link, the two devices decide together on the best speed and duplex mode. Each interface advertises the speed and duplex mode at which it can operate, and the best match is selected. Higher speed and full duplex is the preferred mode.

If one side of a link does not have autonegotiation enabled, then the speed and duplex on both sides must match so that the data can transmit without collisions. Autonegotiation fails on 10/100 links, if one side of the link has been set to 100/full, and the other side has been set to autonegotiation which is 100/half.


Note

Not all ports on ENCS 5000 series platform devices support auto-mdix feature. When autonegotiation is disabled you need to use the correct cable to configure speed and duplex correctly. The cable type depends on the remote system, based on which you can try straight through or cross over cable.

To disable autonegotiation on a PNIC, speed and duplex must be configured:


configure terminal
pnic GE0-0 speed 100 duplex full
commit

To enable autonegotiation on a PNIC:


configure terminal
pnic GE0-0 speed auto duplex auto
commit

To configure speed and duplex with non auto values:


configure terminal
pnic GE0-0 speed 100 duplex full
commit

Use the show pnic GE0-0 operational-speed , show pnic GE0-0 operational-duplex and show pnic GE0-0 autoneg to verify the configurations. 


nfvis# show pnic GE0-0 operational-speed
operational-speed 100 


nfvis# show pnic GE0-0 operational-duplex
operational-duplex full


nfvis# show pnic GE0-0 autoneg
autoneg off

To verify the PNIC speed and duplex configurations, use the show notification stream nfvis Event command. 


notification
event Time 2019-12-16T22:52:49.238604+00:00
nfvisEvent
    user_id admin
    config_change true
    transaction_id 0
    status FAILURE
    status_code 0
    status_message Pnic GE0-1 speed did not update successfully
    details NA
    event_type PNIC_SPEED_UPDATE
    severity INFO
    host_name nfvis
    !
!
notification
event Time 2019-12-16T22:53:05.01598+00:00
nfvisEvent
    user_id admin
    config_change true
    transaction_id 0
    status SUCCESS
    status_code 0
    status_message Pnic GE0-1 duplex updated successfully:full
    details NA
    event_type PNIC_DUPLEX_UPDATE
    severity INFO
    host_name nfvis
    !
!
Speed, Duplex and Autonegotiation APIs and Commands

Speed, Duplex and Autonegotiation APIs

Speed, Duplex and Autonegotiation Commands

/api/config/pnics/pnic/GE0-0/speed

/api/config/pnics/pnic/GE0-0/duplex

/api/operational/pnics/pnic/GE0-0/operational-speed

/api/operational/pnics/pnic/GE0-0/operational-duplex

/api/operational/pnics/pnic/GE0-0/autoneg

pnic GE0-0 speed auto duplex auto

pnic GE0-0 speed 100 duplex full show

show pnic GE0-0 operational-speed

show pnic GE0-0 operational-duplex

show pnic GE0-0 autoneg

Dynamic SR-IOV

Dynamic Single-root input/output virtualization (SR-IOV) allows you to enable or disable SR-IOV on a Physical Network Interface Controller (PNIC). You can disable SR-IOV on any PNIC to 0 and enable SR-IOV by setting a value between 1 to maximum virtual functions (maxvfs) supported on PNICs. You can also create and delete SR-IOV networks based on the number of virtual functions (numvfs) set on that PNIC while enabling SR-IOV. Existing fresh installation behavior has not changed. Each PNIC has default number of VFs created and default SR-IOV networks are created. User can use CLI, API or GUI to enable or disable SR-IOV on a PNIC or to create or delete SR-IOV networks

Restrictions or Limitations

  • The supported platforms are CSP-2100, CSP-5000, UCSc-C220-M5X and UCS-E-M3.

    Dynamic SR-IOV is not supported on ENCS 5000 series.

  • Dynamic SR-IOV is not supported on certain PNICs:

    • PNIC with driver i40e


      Note

      PNIC with driver i40e is supported on default SR-IOV.

    • PNIC that does not support SR-IOV

  • Only switch mode VEB is supported for NFVIS 3.12.1 release.

  • Resizing the number of virtual functions is not supported. SR-IOV should be disabled and then enabled with desired number of virtual functions.

Disable SR-IOV on a PNIC

All SR-IOV networks for a PNIC must be deleted. PNIC should not be attached to a bridge. 


configure terminal
no pnic eth0-1 sriov
commit
Enable SR-IOV on a PNIC

To enable SR-IOV on a PNIC, it has to support SR-IOV, numvfs field should be less than maximum supported VFs (maxvfs) on a PNIC and PNIC should not be attached to a bridge. 


configure terminal
pnic eth0-1 sriov numvfs 20
commit

To display SR-IOV state of all PNICs use show pnic sriov command. To display SR-IOV state of individual PNIC use show pnic eth0-1 sriov command.

Creation of SR-IOV Networks

To create SR-IOV networks, PNIC must have SR-IOV enabled and configured with numvfs. The SRIOV network name must have the following format: <pnic_name>-SRIOV-<num> with <pnic_name> as a valid PNIC name and <num> must be greater than 0 and less than numvfs.

To create SR-IOV network in trunk mode:


configure terminal
networks network eth0-1-SRIOV-1 sriov true
commit

To create SR-IOV network in access mode:


configure terminal
networks network eth0-1-SRIOV-1 sriov true trunk false vlan 30
commit
Delete SR-IOV Networks

To delete SR-IOV networks VM should not be attached to the network.


configure terminal
no networks network eth0-1-SRIOV-1 
commit

To verify the system networks use show system networks command.

System Routes

You can also configure static system routes along with the default routes in the system. Static routes are for traffic that should not go through the default gateway. When certain destinations are not reachable through the default routes, this configuration is effective. Also it updates the system routing table.

You can create a route by providing the destination and prefix length, but a valid route requires a specified device, a gateway or both. The gateway input represents the address of the nexthop router in the address family. The dev input is the name of the outbound interface for the static route.

Configuring System Routes

To configure additional system routes:


configure terminal
system routes route 172.25.222.024 gateway 172.25.221.1
system routes route 172.25.223.024 dev wan-br
commit

To verify the system routes configuration, use the show system routes command. 


nfvis# show system routes

DESTINATION    PREFIXLEN       STATUS
----------------------------------------
172.25.222.0      24           Success
172.25.223.0      24           Success
System Routes APIs and Commands

System Routes APIs

System Routes Commands

/api/config/system/routes

/api/config/system/routes/route/<host destination,netmask>

system routes route

show system routes

Troubleshooting

To troubleshoot errors in configured routes, use show system routes command to identify the failed route. The following example shows common failures with system routes: 


nfvis# show system routes

DESTINATION      PREFIXLEN       STATUS
-------------------------------------------
172.25.222.0        24          Failure(1)
172.25.223.1        24          Failure(2)

You can find the cause for each error in the nfvos-confd log. 


Failure 1) result=RTNETLINK answers: Network is unreachable

In this failure nfvos-confd log indicates the network is unreachable. To resolve this issue you can either reconfigure the route with a reachable gateway or identify network connectivity issue. 


Failure 2)result=RTNETLINK answers: Invalid argument

In this failure there is a mismatch between the subnet address and the prefix length. To resolve this issue you can reconfigure the route with the correct subnet address (in this case 172.25.223.0 for prefix length 24).

Cisco Network Plug-n-Play Support


Note

Starting from 3.10.1 release, NFVIS is integrated with PnP 1.8.

The Cisco Network Plug and Play (Cisco Network PnP) solution provides a simple, secure, unified, and integrated offering for enterprise network customers to ease new branch or campus device rollouts, or for provisioning updates to an existing network. The solution provides a unified approach to provision enterprise networks comprising Cisco routers, switches, and wireless devices with a near zero touch deployment experience. This solution uses Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) to centrally manage remote device deployments.

Currently, you can use the Cisco Network Plug and Play client to:

  • Auto discover the server

  • Provide device information to the server

  • Bulk provisioning of user credentials

Bulk Provisioning of User Credentials

You can change the default user name and password of the devices using the Cisco Network PnP client. The Cisco Network PnP server sends the configuration file to Cisco Network PnP clients residing on multiple devices in the network, and the new configuration is automatically applied to all the devices.


Note

For bulk provisioning of user credentials, ensure that you have the necessary configuration file uploaded to the Cisco APIC-EM. The following are the supported configuration formats:

Sample Format 1


<config xmlns="http://tail-f.com/ns/config/1.0">
  <rbac xmlns="http://www.cisco.com/nfv/rbac">
    <authentication>
      <users>
        <user>
          <name>admin</name>
          <password>Cisco123#</password>
          <role>administrators</role>
        </user>
        <user>
          <name>test1</name>
          <password>Test1239#</password>
          <role>administrators</role>
        </user>
        <user>
          <name>test2</name>
          <password>Test2985#</password>
          <role>operators</role>
        </user>
      </users>
    </authentication>
  </rbac>
</config>

Sample Format 2

If you use format 2, the system will internally convert this format into format 1. 


<aaa xmlns="http://tail-f.com/ns/aaa/1.1">
    <authentication>
      <users>
        <user>
          <name>admin</name>
          <password>User123#</password>
         </user>
      </users>
    </authentication>
</aaa>

PnP Discovery Methods

When a device is powered on for the first time, the Cisco Network PnP agent discovery process, which is embedded in the device, wakes up in the absence of the startup configuration file, and discovers the IP address of the Cisco Network PnP server located in the Cisco APIC-EM. The Cisco Network PnP agent uses the following discovery methods:

  • Static IP address—The IP address of the Cisco Network PnP server is specified using the set pnp static ip-address command.

  • DHCP with option 43—The Cisco PnP agent automatically discovers the IP address of the Cisco Network PnP server specified in the DHCP option 43 string. For more details on how to configure DHCP for PnP server auto-discovery, see the Solution Guide for Cisco Network Plug and Play

  • Domain Name System (DNS) lookup—If DHCP discovery fails to get the IP address of the PnP server, for example, because option 43 is not configured, the Cisco Plug and Play Agent falls back on a DNS lookup method. Based on the network domain name returned by the DHCP server, it constructs a fully qualified domain name (FQDN) for the PnP server, using the preset hostname "pnpserver". For more details on how to configure DNS for PnP server auto-discovery, see the Solution Guide for Cisco Network Plug and Play.


    Note

    DNS FQDN Only lookup method is supported since 3.10.1 release.

  • Cloud Redirection—This method uses the Cisco Cloud Device Redirect tool available in the Cisco Software Central.The Cisco Plug and Play Agent falls back on the Cloud Redirection method if DNS lookup is not successful.

Configuring PnP Discovery Methods

To enable static mode for PnP discovery using IPv4:


configure terminal
pnp automatic dhcp disable dhcp-ipv6 disable dns disable dns-ipv6 disable cco disable cco-ipv6 disable
pnp static ip-address 192.0.2.8 port 80 transport http
commit
pnp action command restart

To enable static mode for PnP discovery using IPv6:


configure terminal
pnp automatic dhcp disable dhcp-ipv6 disable dns disable dns-ipv6 disable cco disable cco-ipv6 disable
pnp static ipv6-address 0:0:0:0:0:ffff:c000:208 port 80 transport http
commit
pnp action command restart

Note

Either IPv4 or IPv6 can be enabled at a time.

To enable static mode for PnP discovery using FQDN:


configure terminal
pnp static ip-address apic-em-fqdn.cisco.com port 80 transport http
commit

Note

In FQDN support for PnP, domain names can be specified as an input. FQDN that is configured with IPv6 on a DNS server is not supported.

To enable automatic mode for PnP discovery using IPv4:


Note

By default, the automatic discovery mode for DHCP, DNS, and CCO is enabled. You can enable or disable the options as required. For example, you can enable all options or keep one enabled, and the rest disabled. 


configure terminal
pnp automatic dhcp enable
pnp automatic dns enable
pnp automatic cco enable
pnp automatic timeout 100
commit

To enable automatic mode for PnP discovery using IPv6:


configure terminal
pnp automatic dhcp-ipv6 enable
pnp automatic dns-ipv6 enable
pnp automatic cco-ipv6 enable
pnp automatic timeout 30
commit

Note

You cannot disable both static and automatic PnP discovery modes at the same time. You must restart PnP action every time you make changes to the PnP discovery configuration. You can do this using the pnp action command restart.

Verifying the PnP Status

Use the show pnp command in privileged EXEC mode to verify the configuration of PnP discovery methods. The following sample output shows that the static discovery mode is enabled, and the automatic discovery mode is disabled.

nfvis# show pnp
pnp status response "PnP Agent is running\n"
pnp status ip-address 192.0.2.8
pnp status ipv6-address ""
pnp status port 80
pnp status transport http
pnp status cafile ""
pnp status created_by user
pnp status dhcp_opt43 0
pnp status dns_discovery 0
pnp status cco_discovery 0
pnp status dhcp-ipv6 0
pnp status dns-ipv6 0
pnp status cco-ipv6 0
pnp status timeout 100
nfvis# 

FQDN
nfvis# show pnp
pnp status response "PnP Agent is running\nserver-connection\n    status: Success\n    time: 06:23:11 Jun 17\ndevice-info\n    status: Success\n    time: 06:23:06 Jun 17\nbackoff\n    status: Success\n    time: 06:23:11 Jun 17\ncertificate-install\n    status: Success\n    time: 06:21:38 Jun 17\ncli-exec\n    status: Success\n    time: 06:22:50 Jun 17\ntopology\n    status: Success\n    time: 06:23:00 Jun 17\n"
pnp status ip-address apic-em-fqdn.cisco.com
pnp status ipv6-address ""
pnp status port 443
pnp status transport https
pnp status cafile /etc/pnp/certs/trustpoint/pnplabel
pnp status created_by user
pnp status dhcp_opt43 0
pnp status dns_discovery 0
pnp status cco_discovery 0
pnp status dhcp-ipv6 0
pnp status dns-ipv6 0
pnp status cco-ipv6 0
pnp status timeout 0
nfvis#

The following sample output shows that the static discovery mode is disabled, and the automatic discovery mode is enabled for DHCP, DNS, and CCO: 


DHCP:
nfvis# show pnp
pnp status response "PnP Agent is running\nserver-connection\n    status: Success\n    time: 05:05:59 Jun 17\ninterface-info\n    status: Success\n    time: 05:05:56 Jun 17\ndevice-info\n    status: Success\n    time: 05:05:38 Jun 17\nbackoff\n    status: Success\n    time: 05:05:59 Jun 17\ncapability\n    status: Success\n    time: 05:05:44 Jun 17\ncertificate-install\n    status: Success\n    time: 05:01:19 Jun 17\ncli-exec\n    status: Success\n    time: 04:58:29 Jun 17\ntopology\n    status: Success\n    time: 05:05:49 Jun 17\n"
pnp status ip-address 192.0.2.8
pnp status ipv6-address ""
pnp status port 443
pnp status transport https
pnp status cafile /etc/pnp/certs/trustpoint/pnplabel
pnp status created_by dhcp_discovery
pnp status dhcp_opt43 1
pnp status dns_discovery 1
pnp status cco_discovery 1
pnp status dhcp-ipv6 1
pnp status dns-ipv6 1
pnp status cco-ipv6 1
pnp status timeout 60

DNS:
nfvis# show pnp
pnp status response "PnP Agent is running\nserver-connection\n    status: Success\n    time: 05:13:55 Jun 17\ndevice-info\n    status: Success\n    time: 05:13:49 Jun 17\nbackoff\n    status: Success\n    time: 05:13:55 Jun 17\ncertificate-install\n    status: Success\n    time: 05:12:26 Jun 17\ncli-exec\n    status: Success\n    time: 05:13:34 Jun 17\ntopology\n    status: Success\n    time: 05:13:45 Jun 17\n"
pnp status ip-address pnpserver.apic-em-fqdn.cisco.com
pnp status ipv6-address ""
pnp status port 443
pnp status transport https
pnp status cafile /etc/pnp/certs/trustpoint/pnplabel
pnp status created_by dns_discovery
pnp status dhcp_opt43 1
pnp status dns_discovery 1
pnp status cco_discovery 1
pnp status dhcp-ipv6 1
pnp status dns-ipv6 1
pnp status cco-ipv6 1
pnp status timeout 60

CCO:
nfvis# show pnp
pnp status response "PnP Agent is running\nserver-connection\n    status: Success\n    time: 05:24:25 Jun 17\ninterface-info\n    status: Success\n    time: 05:23:13 Jun 17\ndevice-info\n    status: Success\n    time: 05:23:01 Jun 17\nbackoff\n    status: Success\n    time: 05:24:25 Jun 17\ncapability\n    status: Success\n    time: 05:23:06 Jun 17\nredirection\n    status: Success\n    time: 05:09:43 Jun 17\ncli-exec\n    status: Success\n    time: 05:09:53 Jun 17\ncertificate-install\n    status: Success\n    time: 05:18:43 Jun 17\ntopology\n    status: Success\n    time: 05:23:10 Jun 17\n"
pnp status ip-address 192.0.2.8
pnp status ipv6-address ""
pnp status port 443
pnp status transport https
pnp status cafile /etc/pnp/certs/trustpoint/pnplabel
pnp status created_by cco_discovery
pnp status dhcp_opt43 1
pnp status dns_discovery 1
pnp status cco_discovery 1
pnp status dhcp-ipv6 1
pnp status dns-ipv6 1
pnp status cco-ipv6 1
pnp status timeout 60

PnP Server APIs and Commands

PnP Server APIs

PnP Server Commands

  • /api/config/pnp

  • /api/config/pnp?deep

  • pnp static ip-address

  • pnp automatic

  • show pnp

PnP Action

You can start, stop, and restart any PnP action using the PnP action command or API.

PnP Action API and Command

PnP Action API

PnP Action Command

  • /api/operations/pnp/action

  • pnp action command

DPDK Support on NFVIS

Data Plane Development Kit (DPDK) support on NFVIS is introduced to increase network throughput. DPDK allows applications to pull data directly from the Network Interface Card (NIC) without involving the kernel, therefore delivering high-performance user-space network I/O. DPDK support on NFVIS allows network traffic to bypass NFVIS kernel and directly reach deployed VNFs and service chains. For DPDK adption NFVIS reserves additional cores and memory to enhance system performance.

DPDK support on NFVIS was first introduced in NFVIS 3.10.1 release and enhancements were added in subsequent releases:

  • NFVIS 3.10.1 – DPDK support only for service bridges. DPDK support can be enabled only when the device is in the factory default state. DPDK support is supported only on ENCS 5400 series devices.

  • NFVIS 3.11.1 – DPDK support can be enabled at any time. All Virtual NICs connected to service bridges for all VNFs are upgraded to DPDK support. DPDK support is supported only on ENCS 5400 series devices.

  • NFVIS 3.12.1 – DPDK support is extended to all supported platforms. Physical NICs can also use DPDK.

DPDK support on NFVIS includes:

  • Upgrading existing bridges to enable DPDK

  • Upgrading virtual NICs attached to VNFs to enable DPDK

  • Upgrading physical NICs to enable DPDK


    Note

    NICs and WAN side are not upgraded as they are configured with SR-IOV.

Once DPDK support is successfully enabled, you can disable DPDK only by resetting NFVIS to factory settings.

Restrictions

  • SR-IOV interfaces and DPDK support:


    Note

    This restriction does not apply to ENCS 5000 series devices.

    To enable DPDK, every device driver must be supported by DPDK. NFVIS does not support SR-IOV interface upgrade to enable DPDK because SR-IOV device drivers are not supported by DPDK. If any SR-IOV network has been configured on an interface, that interface will not support DPDK. Also if an SR-IOV interface is attached to a bridge, the bridge does not support DPDK and if a bridge is supporting DPDK, any SR-IOV interface cannot be attached to it.

  • VNF downtime:

    When DPDK support is enabled on a system, NFVIS upgrades virtual NICs attached to the VNFs. The VNFs are powered down causing a downtime for the VNF service for a short duration of time. After the upgrade is complete, all VNFs are powered up again.

System Requirements

DPDK support optimizes the performance by utilizing additional resources such as CPU and memory. If NFVIS is not able to acquire additional processing or memory, DPDK support can not be enabled.

Enabling DPDK support requires additional core from each socket available in the system. Depending upon the number of sockets present in the system, NFVIS acquires additional core for DPDK support.

Table 2. CPU Allocation

Total Cores

Before NFVIS 3.12.x

NFVIS 3.12.x Without DPDK support

NFVIS 3.12 with DPDK support

12 or less

1

1

1 + (1 core per socket)

Between 12 and 16 (including 16)

2

1

1 + (1 core per socket)

More than 16

4

2

2 + (1 core per socket)

Note

If hyper-threading is enabled on the device, each core reflects two vCPUs in NFVIS portal under system resource allocation.

The amount of memory required for DPDK support is summarized in the table below.

Table 3. Memory Allocation

Total System Memory

Reserved for NFVIS

 Additional memory required for DPDK support

Up to 16 GB

3 GB

1 GB

Up to 32 GB

3 GB

1 GB

Up to 64 GB

4 GB

2 GB

Up to 128 GB

4 GB

4 GB

Note

The additional memory required for DPDK support is counted per NUMA node available on the system.

Configuring DPDK Support on NFVIS

Configuring DPDK support takes up to a minute and network changes can be observed during the process. NFVIS provides an operational status for DPDK support which indicates if DPDK support is enabled or not. The different values for operational status are listed in the table below.

DPDK Status

Description

disabled

The system is not using DPDK.

enabled

DPDK support is successfully enabled on the system. Additional CPU and memory resources are reserved for DPDK.

enabling

The system is in the process of enabling DPDK.

error

The system is unable to acquire the required resources to support DPDK. All of the resources that were acquired by DPDK are released again.

If DPDK status is in error state, DPDK support can be manually disabled. Before enabling DPDK again, reboot the system to defragment the system memory and increase the chance of resource allocation for a successfull configuration.

After enabling DPDK, SR-IOV configured physical NICs will not be able to interact with DPDK bridges. To add a physical NIC to a DPDK bridge, all SR-IOV networks created on the interface should be removed first. NFVIS will not allow adding an SR-IOV configured interface to a DPDK bridge. For more information, see <dynamic sriov link>

To enable DPDK support:


config terminal
system setting dpdk enable
commit

To display the operational status that indicates DPDK support, use show system native settings command. 


nfvis# show system settings-native dpdk-status
system settings-native dpdk-status enabled

If NFVIS is unable to acquire sufficient resources, it shows an error state, and DPDK configuration can be removed. After removing the configuration, DPDK can be enabled again. 


nfvis# show system settings-native dpdk-status
system settings-native dpdk-status error

config terminal
no system settings dpdk
commit

nfvis# show system setting-native dpdk-status
system settings-native dpdk-status disabled

Storage Access

Network File System Support

The Network File System (NFS) is an application where the user can view, store and update the files on a remote device. NFS allows the user to mount all or a part of a file system on a server. NFS uses Remote Procedure Calls (RPC) to route requests between the users and servers.

NFS Mount and Unmount

To mount NFS:


configure terminal
system storage nfs_storage
nfs
100
10.29.173.131
/export/vm/amol
commit

To unmount NFS use no system storage nfs_storage command.

Image Registration on NFS

Images in tar.gz, ISO and qcow2 format, remote images and images on mounted NFS can be registered on NFS.

To register tar.gz images on NFS:


configure terminal
vm_lifecycle images image myas10 src file:///data/mount/nfs_storage/repository/asav961.tar.gz
properties property placement value nfs_storage
commit

Similar configuration can be used for the various images formats.

To unregister an image from NFS use no vm_lifecycle images command.

Deploy VM on NFS

To deploy a VM on NFS, under deployment vm group use placement type zone_host host nfs_storage command.

External Storage for Cisco ENCS 5400

For details on supported storage type, number of storage devices and, RAID modes on each hardware, see the table below:

Device

Storage Details

ENCS 5400

Cisco 5400 Enterprise Network Compute System Hardware Installation Guide

Note

RAID controller is optional on ENCS 5400.

RAID configurations are performed from Cisco IMC for each hardware platform. For UCS-E devices, all RAID configurations should be performed before NFVIS installation. For ENCS 5400, RAID configurations can be done even after the NFVIS is installed, as the installation is not done on an external storage.

For each hardware platform a maximum of two external disks are supported. Starting from NFVIS 3.8.1 release, external disks are supported on ENCS 5400. For ENCS 5400, if the external disk is raided into a single virtual group, it shows up as extdatastore1. Without the RAID card, ENCS 5400 can support multiple external disks called as extdatastore1 and extdatastore2 depending upon the slot it occupies.


Note

Power off the system before you remove or insert disks in ENCS 5400.

To display the number of external disks on the system, use the show system ext-disks command. 


nfvis# show system ext-disks 

NAME           
---------------
extdatastore1

To display the disk space on an external disk, use the show system disk-space command. 


nfvis# show system disk-space 

ASSOCIATED                                   
          PHYSICAL    TOTAL  SIZE  SIZE       USE      
DISK NAME DISK        SIZE   USED  AVAILABLE  PERCENT  
------------------------------------------------------------
lv_data        sde2        99G    4.3G  94G        5%       
lv_var         sde2        3.9G   245M  3.4G       7%       
lv_root        sde2        7.8G   1.9G  5.5G       26%      
extdatastore1  sda         917G   77M   871G       1%

Host System Operations

This section describes operations that can be performed on the NFVIS host.

Power Cycle System

To power cycle NFVIS, use the following command:


nfvis# hostaction powercycle

A notification and syslog is sent to indicate that a power cycle was performed.

Reboot System

To reboot NFVIS, use the following command:


nfvis# hostaction reboot

A notification and syslog is sent to indicate the system reboot.

Shutdown System

To shutdown NFVIS, use the following command:


nfvis# hostaction shutdown

A notification and syslog will be sent to indicate that the system was shutdown.

System file-list

To view a list of files on the system, use the show system file-list command. 


nfvis# show system file-list [disk [local | nfs | usb] ]

Disk Type

Files

local

Files present in the internal datastore and external datastores

nfs

Files on NFS

usb

Files on the mounted USB drive

System file-copy

To copy a file from the USB drive to the /data/intdatastore/uploads directory, use the system file-copy command. To copy a VM image from the USB drive: 


configure terminal
system usb-mount mount active
system file-copy usb file name usb1/package/isrv-universalk9.16.03.01.tar.gz
commit

The system file-copy command can also be used to copy a file from the given source path to the given destination path. The allowed directories for source path and destination path are /data/intdatastore, /mnt/extdatastore1, /mnt/extdatastore2 and /data/mount. 


nfvis# system file-copy source <path-to-source-file> destination <path-to-destination-file>

System file-delete

The system file-delete command is used to delete a file from one of these directories: /data/intdatastore, /mnt/extdatastore1, /mnt/extdatastore2, /mnt-usb/ or /data/mount 


nfvis# system file-delete file name /data/intdatastore/uploads/isrv-universalk9.16.03.01.tar.gz

Secure Copy

The secure copy (scp) command allows only the admin user to securely copy files from NFVIS to an external system, or from an external system to NFVIS. For example, this command can be used to copy an upgrade package to NFVIS.

The syntax for this command is:

scp <source> <destination>


Note

For detailed information about how to use the scp command to copy to or from supported locations, see the scp section in Cisco Enterprise Network Function Virtualization Infrastructure Software Command Reference.

SCP between two NFVIS devices is not supported.

Examples

The following example copies the sample.txt file from intdatastore to an external system. 

nfvis# scp intdatastore:sample.txt user@203.0.113.2:/Users/user/Desktop/sample.txt

The following example copies the test.txt file from an external system to intdatastore. 

nfvis# scp user@203.0.113.2:/Users/user/Desktop/test.txt intdatastore:test_file.txt

The following example copies the test.txt file from an external system to USB. 

nfvis# scp user@203.0.113.2:/user/Desktop/my_test.txt usb:usb1/test.txt

The following example copies the sample.txt file to an NFS location. 

nfvis# scp user@203.0.113.2:/user/Desktop/sample.txt nfs:nfs_test/sample.txt

The following example copies the sample.txt file from an external system with IPv6 address. 

nfvis# scp user@[2001:DB8:0:ABCD::1]:/user/Desktop/sample.txt intdatastore:sample.txt

The following example copies the nfvis_scp.log file to an external system.

nfvis# scp logs:nfvis_scp.log user@203.0.113.2:/Users/user/Desktop/copied_nfvis_scp.log

The following example shows how to secure copy from techsupport as source:

nfvis# scp logs:nfvis_techsupport.tar.gz user@203.0.113.2:/Users/user/Desktop/copied_techsupport.tar.gz

Change BIOS Password

This command is applicable only to the ENCS platform. It allows the user to change the BIOS password. A notification and syslog are sent regarding the password change.

To change the BIOS password:


nfvis# hostaction change-bios-password <new-password>

There is a strong password check enforced for the new BIOS password. The new password should contain:

  • At least one lowercase character

  • At least one uppercase character

  • At least one number

  • At least one special character from #, @ or _

  • Password length should be between 7 and 20 characters

  • The first character cannot be a #

Change CIMC Password

This command is applicable only to the ENCS platform. It allows the user to change the CIMC password. A notification and syslog are sent regarding the password change.

To change CIMC password:


nfvis# hostaction change-cimc-password <new-password>

There is a strong password check enforced for the new CIMC password. The new password should contain:

  • At least one lowercase character

  • At least one uppercase character

  • At least one number

  • At least one special character from #, @ or _

  • Password length should be between 8 and 20 characters

Route Distribution

The Route Distribution feature works together with a remote BGP router. It allows you to announce or withdraw specified routes to the remote BGP router.

You can use this feature to announce the route of int-mgmt-net subnet to a remote BGP router. A remote user, can access the VMs attached to int-mgmt-net through the VMs’ IP address on int-mgmt-net-br through a BGP router, when the routes are successfully inserted on the remote BGP router.

To configure or update route distribution:


configure terminal
route-distribute 172.25.221.17local-bridge wan-br local-as 45.45remote-as 65000 network-subnet 12.12.12.0/24
commit
Table 4. Property Description

Property

Type

Description

Mandatory

neighbor-address

IPv4

BGP neighbor IPv4 address. It is the key of the route distribution list.

Yes

local-address

IPv4

Local IPv4 address. This address must be configured as neighbor IP address on the remote BGP router. If not configured, local-address is set to local-bridge’s IP address.

No

local-as

Local autonomous system number. It can be in following two formats: <decimal number, 1.0 .. 65535.65535><unsignedInt, 1 .. 4294967295>

Yes

local-bridge

Local bridge name for advertising routes (default wan-br).

No

remote-as

Remote autonomous system number. It can be in following two formats: <decimal number, 1.0 .. 65535.65535><unsignedInt, 1 .. 4294967295>

Yes

router-id

IPv4

Local router ID

No

network-subnet

List of network subnet to be announced.

Yes

subnet

IPv4 prefix

Network subnet to be announced H.H.H.H/N

Yes

next-hop

IPv4

IPv4 address of next hop. Default local-address or IP address of local-bridge.

No

Use the no route-distribute command to delete route distribution. To verify the route-distrubition status use the show route-distribution command.

Remote BGP Router Configuration Example

The NFVIS route distribution feature works together with the remote BGP router. The configuration on NFVIS and on remote BGP router must match.

This example shows the configuration on a remote BGP router. 


router bgp 65000
  bgp log-neighbor-changes
  neighbor 172.25.221.106 remote-as 45.45
  neighbor 172.25.221.106 update-source GigabitEthernet2

Backup and Restore NFVIS and VM Configurations

Starting from NFVIS 3.10.1 release, you can backup and restore NFVIS configurations and VMs. You can also restore a backup from one NFVIS device to another if they are running on the same version of NFVIS and have the same platform.


Note

To backup or restore a single VM, use vmImportAction and vmBackupAction APIs.

Restrictions for Backup and Restore on NFVIS

  • The backup includes all deployed VMs except the registered images and uploaded files.

  • VM backup failure results in failure of the whole system backup process.

  • VM restore (including hostaction restore and vmImportAction) requires original registered image on the system, on the same datastore. Missing registered image or image registered in a different datastore results in VM restore failure.

  • NFVIS VM backup does not support differential disk backup and every backup is a full VM backup.

  • In case of multiple deployments based on a single registered image, every VM backup includes the registered image disk.

  • The time taken to backup a VM depends on the option you choose:

    • configuration-only - within 1 min.

    • configuration-and-vms - depends on the number of VM deployments on your system, system disk write speed, and compress the VM disks into one bundle.

  • The BACKUP_SUCCESS notification implies that the backup process has started successfully and does not indicate a successful system backup.

  • Backup of a large deployment is time consuming and can result in failure due to insufficient disk space. The backup process cleans up the temporary files if the disk space is insufficient.

  • You can either backup all the VMs or none.

  • The final backup is a compressed file which requires temporary disk space to create the VM backup file. If the system has only one datastore, the maximum deployment backups in a single file is around one-third to half of the datastore disk space. If the deployments occupies more disk space, use vmExportAction to backup an individual VM instead of relying on host backup for all VM deployments.

Backup and Restore

To backup and save NFVIS and all VM configurations use configuration-only option. To backup and save VM disks, NFVIS and VM configurations use configuration-and-vms option.

You can only create a backup to datastore or uploads directory, mounted USB device, or NFS mounted datastore. Without specifying, the backup file will have .bkup extension.

The following examples shows the backup options:



nfvis# hostaction backup configuration-and-vms file-path intdatastore:sample




nfvis# hostaction backup configuration-only file-path extdatastore2:sample-dir/sample

The following example shows the backup stored on a USB:



nfvis# hostaction backup configuration-only file-path usb:usb1/sample

Use the hostaction backup force-stop command to stop the running backup.

To restore a previous backup on an existing NFVIS setup or on a new NFVIS setup use except-connectivity option which preserves connectivity of the NFVIS and restores everything else from backup.


Note

In hostaction restore process, the full file name (with .bkup extension) is required in the CLI. 



nfvis# hostaction restore file-path intdatastore:sample.bkup

The following example shows how to restore a backup on a different NFVIS device:



nfvis# hostaction restore except-connectivity file-path extdatastore2:sample-dir/sample.bkup

Backup, Restore and Factory-Default-Reset

To perform hostaction backup -> factory-default-reset -> hostaction restore on the same box without any external storage (like USB or NFS mount), check the following issues:

  • Backup file location:

    • The system backup bundle is saved under /datastore/uploads/ by default.

    • Factory-default-reset cleans up all files under /datastore/uploads/, but leave files under /datastore/ intact.

    • hostaction restore requires backup bundle saved under /datastore/uploads/. The restore process will not start if the backup bundle is saved in another location (bundle saved on USB or NFS should be copied to datastore/uploads/ folder).

  • System requirements if system backup bundle contains VM backups:

    • VM restoration requires the original image or template registered in NFVIS.

    • Factory-default-reset all clean ups all registered images and uploaded files. You need to configure minimum setup, like host connection and upload registered images to the same datastore.

To prevent backup bundle from deleting with factory-default-reset:

  • Save the backup bundle in remote locations. Then restore the connectivity and upload the backup bundle after reset.

  • Save backup bundle in local /datastore/ and not in /datastore/uploads/ or copy backup bundle from /datastore/uploads/ to /datastore/: 

    
# Backup & Restore on the same NFVIS box without NFS & USB
# [[ BACKUP ]]
# before executing factory-default-reset

nfvis# nfvis# hostaction backup configuration-only file-path extdatastore1:configBackup-01.bkup
nfvis# system file-copy source /mnt/extdatastore1/uploads/configBackup-01.bkup destination /mnt/extdatastore2/

# after factory-default-reset all-except-images or all-except-images-connnectivity, 
# file /mnt/extdatastore1/uploads/configBackup-01.bkup will be deleted
# but /mnt/extdatastore2/configBackup-01.bkup won't.

# [[RESTORE]]
# after NFVIS rebooted and login to console, copy file to uploads/ directory

nfvis# system file-copy source /mnt/extdatastore2/configBackup-01.bkup destination /mnt/extdatastore2/uploads/
nfvis# hostaction restore file-path extdatastore2:configBackup-01.bkup

For VM restoration:

  • Use factory-default-reset all-except-images or factory-default-reset all-except-images-connectivity command to keep original registered images intact.

  • If you use factory-default-reset all command, you need to upload and register images before running any hostaction restore action.

APC UPS Support and Monitoring


Note

This feature is supported only on ENCS 5400.

This feature provides support for monitoring battery status for an APC UPS connected to the ENCS box through a USB cable. NFVIS gracefully shuts down when the UPS battery reaches 5% and boots up again when the battery reaches 15%. This feature is available only through NFVIS CLI and is disabled by default.

Incase of a prolonged power outage that drains the UPS battery completely, the box is powered off. When power is restored to the UPS, CIMC boots up which in turn boots up the NFVIS.

To enable APC UPS support feature:


apcups enable

To disable APC UPS support feature:


apcups disable

To check the battery status of an APC UPS:


apcups battery-status

Resetting to Factory Default

Factory default reset is available on all NFVIS supported hardware platforms.

You can reset the host server to factory default with the following three options :

  • Reset all—Deletes VMs and volumes, files including logs, images, and certificates. Erases all configuration. Connectivity will be lost, and the admin password will be changed to factory default password..

  • Reset all-except-images—Delete VMs and volumes, files including logs, user uploaded files and certificates. Erases all configuration except registered images. Connectivity will be lost, and the admin password will be changed to factory default password..

  • Reset all-except-images-connectivity—Deletes VMs and volumes, files including logs and certificates. Erases all configuration except images, network, and connectivity.


Note

Factory default rese tmust be used only for troubleshooting purpose. We recommend you contact Cisco Technical Support before performing factory default reset. This feature will reboot the system. Do not perform any operations for at least twenty minutes until the system reboots successfully.

To execute factory default reset:


nfvis#factory-default-resetall|all-except-images|all-except-images-connectivity

Note

Enter Yes when you are prompted with the factory default warning message or no to cancel.

Factory Default APIs and Commands

Factory Default APIs

Factory Default Commands

  • /api/operations/factory-default-reset/all

  • /api/operations/factory-default-reset/all-except-images

  • /api/operations/factory-default-reset

    /all-except-images-connectivity

  • factory-default-reset

Configure Banner, Message of the day and System Time

Configuring Your Banner and Message of the Day

Cisco Enterprise NFVIS supports two types of banners: system-defined and user-defined banners. You cannot edit or delete the system-defined banner, which provides copyright information about the application. Banners are displayed on the login page of the portal.

You can post messages using the Message of the Day option. The message is displayed on the portal's home page when you log into the portal.

To configure your banner and message:


configure terminal
banner-motd banner "This is a banner" motd "This is the message of the day"
commit

Note

Currently, you can create banners and messages in English only. You can view the system-defined banner using the show banner-motd command. This command does not display the user-defined banner or message.

Banner and Message APIs and Commands

Banner and Message APIs

Banner and Message Commands

  • /api/config/banner-motd

  • /api/operational/banner-motd

  • banner-motd

  • show banner-motd

Setting the System Time Manually or With NTP

You can configure the Cisco Enterprise NFVIS system time manually or synchronise with an external time server using Network Time Protocol (NTP).

To set the system time manually:


configure terminal
system set-manual-time 2017-01-01T00:00:00
commit

Note

NTP is automatically disabled when the time clock is set manually.

To set the system time using NTP IPv4: 


configure terminal
system time  ntp preferred_server 209.165.201.20 backup_server 1.ntp.esl.cisco.com
commit

To set the system time using NTP IPv6:


configure terminal
system time  ntp-ipv6 2001:420:30d:201:ffff:ffff:fff4:35
commit

Verifying the System Time Configuration

To verify all system time configuration details, use the show system time command in privileged EXEC mode as shown below: 


nfvis# show system time

system time current-time 2017-01-01T17:35:39+00:00

system time current-timezone "UTC (UTC, +0000)"

REMOTE               REFID  	ST   	T         WHEN       POLL       REACH         DELAY         OFFSET        JITTER    

=================================================================================================================================================

*calo-timeserver     .GPS.   	1          u           4  	64           1         69.423         2749736        0.000     

* sys.peer and synced, o pps.peer, # selected, + candidate,

- outlyer, . excess, x falseticker, space reject

If the NTP server is invalid, it will not be displayed in the table. Also, when an NTP server is queried, if a response is not received before the timeout, the NTP server will also not be displayed in the table.

System Time APIs and Commands

APIs

Commands

  • /api/operations/system/set-manual-time

  • /api/config/system/time/ntp/preferred_server

  • /api/config/system/time/ntp/backup_server

  • /api/config/system/time/timezone

  • /api/operational/system/time?deep

  • system time

  • show system time

  • system set-manual-time

Configuring System Logs

NFVIS generates log files for troubleshooting issues. The configuration log and the operational log are the two main system log files. The configuration log has information related to configurations and actions performed on the system such as creation of networks. The operational log has information related to system operation such as statistics collection and monitoring.

Log entries can be one of the following types:

Log Level

Purpose

DEBUG

Information, typically of interest only when diagnosing problems.

INFO

Confirmation that things are working as expected.

WARNING

An indication that something unexpected happened, or indicative of some problem in the near future (for example, ‘disk space low’). The software application is still working as expected.

ERROR

Due to a serious problem, the software application is not able to perform some function.

CRITICAL

A serious error, indicating that the program itself may not be able to continue running.

By default, the configuration log has a log-level of INFO. All logs of type INFO, WARNING, ERROR and CRITICAL are logged.

By default, the operational log has a log-level of WARNING. All logs of type WARNING, ERROR and CRITICAL are logged.

The log-level for these log files can be changed using the system set-log command: 


system set-log level error logtype configuration

The change to the log level is not persistant across a reboot. After a reboot, the default log levels are used.

The current log files are kept in the /var/log directory in the system:

  • show log - To display the list of available log files

  • show log {filename} - To display the contents of a specific log file

Log Rotation

There is a size limit for the log files, under /var/log/ directory. When the log files reach the size limit, the location of logs is rotated to another place. The space limit for the total size of all rotated log files is 2 GB. The older log files are dropped automatically on reaching the space limit. You can also execute a command to trigger the log rotation procedure. The log files are monitored periordically and if a log file gets too big, it is rotated to another place.

There is a size limit for the log files stored in the /var/log directory. The size of the log files is monitored periodically every fifteen minutes and if a log file gets too big, it is rotated to the /data/intdatastore/logs directory. The space limit for the total size of all the rotated log files is 2 GB. The older log files are dropped automatically on reaching the space limit. You can also execute the logrotate command to trigger the log rotation procedure. 


nfvis# logrotate

Verifying the System Log Configuration

To verify the system log configuration, use the show system logging-level command as shown below: 


nfvis# show system logging-level
system logging-level configuration error
system logging-level operational warning

System Log APIs and Commands

System Log APIs

System Log Commands

  • /api/operations/system/set-log

  • /api/operational/system/logging-level

  • system set-log logtype [all/configuration/operational] level [critical/debug/error/info/warning]

  • show system logging-level