Deploy the ASAv Using KVM
You can deploy the ASAv using the Kernel-based Virtual Machine (KVM).
- About ASAv Deployment Using KVM
- Prerequisites for the ASAv and KVM
- Prepare the Day 0 Configuration File
- Prepare the Virtual Bridge XML Files
- Launch the ASAv
About ASAv Deployment Using KVM
Figure 1 shows a sample network topology with ASAv and KVM. The procedures described in this chapter are based on the sample topology. Your requirements will dictate the exact procedures you need. The ASAv acts as the firewall between the inside and outside networks. A separate management network is also configured.
Figure 1 Sample ASAv Deployment Using KVM
Prerequisites for the ASAv and KVM
Note: A Cisco.com login and Cisco service contract are required.
- For the purpose of the sample deployment in this document, we are assuming you are using Ubuntu 14.04 LTS. Install the following packages on top of the Ubuntu 14.04 LTS host:
- Performance is affected by the host and its configuration. You can maximize the throughput of the ASAv on KVM by tuning your host. For generic host-tuning concepts, see Network Function Virtualization Packet Processing Performance of Virtualized Platforms with Linux and Intel Architecture.
- Useful optimizations for Ubuntu 14.04 include the following:
–macvtap—High performance Linux bridge; you can use macvtap instead of a Linux bridge. Note that you must configure specific settings to use macvtap instead of the Linux bridge.
–Transparent Huge Pages—Increases memory page size and is on by default in Ubuntu 14.04.
–Hyperthread disabled—Reduces two vCPUs to one single core.
–txqueuelength—Increases the default txqueuelength to 4000 packets and reduces drop rate.
–pinning—Pins qemu and vhost processes to specific CPU cores; under certain conditions, pinning is a significant boost to performance.
- For information on optimizing a RHEL-based distribution, see Red Hat Enterprise Linux 6 Virtualization Tuning and Optimization Guide.
- For KVM system requirements, see Cisco ASA Compatibility.
Prepare the Day 0 Configuration File
You can prepare a Day 0 configuration file before you launch the ASAv. This file is a text file that contains the ASAv configuration that will be applied when the ASAv is launched. This initial configuration is placed into a text file named “day0-config” in a working directory you choose, and is converted into a day0.iso file that is mounted and read on first boot. At a minimum, the Day 0 configuration file must contain commands that activate the management interface and set up the SSH server for public key authentication, but it can also contain a complete ASA configuration. The day0.iso file (either your custom day0.iso or the default day0.iso) must be available during first boot.
Note: To automatically license the ASAv during initial deployment, place the Smart Licensing Identity (ID) Token that you downloaded from the Cisco Smart Software Manager in a text file named ‘idtoken’ in the same directory as the Day 0 configuration file.
Note: If you want to deploy the ASAv in transparent mode, you must use a known running ASA config file in transparent mode as the Day 0 configuration file. This does not apply to a Day 0 configuration file for a routed firewall.
Note: We are using Linux in this example, but there are similar utilities for Windows.
1. Enter the CLI configuration for the ASAv in a text file called “day0-config”. Add interface configurations for the three interfaces and any other configuration you want.
The first line should begin with the ASA version. The day0-config should be a valid ASA configuration. The best way to generate the day0-config is to copy the desired parts of a running config from an existing ASA or ASAv. The order of the lines in the day0-config is important and should match the order seen in the output of show run on an existing device.
2. (Optional) Download the Smart License identity token file issued by the Cisco Smart Software Manager to your computer.
3. (Optional) Copy the ID token from the downloaded file and put it in a text file named ‘idtoken’ that contains only the ID token.
4. (Optional) For automated licensing during initial ASAv deployment, make sure the following information is in the day0-config file:
–Management interface IP address
–(Optional) HTTP proxy to use for Smart Licensing
–A route command that enables connectivity to the HTTP proxy (if specified) or to tools.cisco.com
–A DNS server that resolves tools.cisco.com to an IP address
–Smart Licensing configuration specifying the ASAv license you are requesting
–(Optional) A unique host name to make the ASAv easier to find in CSSM
5. Generate the virtual CD-ROM by converting the text file to an ISO file:
The Identity Token automatically registers the ASAv with the Smart Licensing server.
6. Repeat Steps 1 through 5 to create separate default configuration files with the appropriate IP addresses for each ASAv you want to deploy.
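The following script is an added example, not part of the Cisco guide: it checks a day0-config against the rules in Steps 1 and 4 (first line is the ASA version, management interface present, and route, DNS and Smart Licensing lines when an idtoken is supplied) and then builds day0.iso. It assumes genisoimage is installed on the KVM host; the sample configuration, addresses and token it writes are constructed placeholders.

```shell
# Added example (not from the Cisco guide): check a day0-config against the
# rules above, then pack it with an optional idtoken into day0.iso.
# Assumes genisoimage is installed on the KVM host.

# check_day0 DIR: returns 0 if DIR/day0-config meets the minimum requirements.
check_day0() {
  cfg="$1/day0-config"
  [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
  # The first line must begin with the ASA version.
  head -n 1 "$cfg" | grep -q '^ASA Version ' || { echo "first line is not 'ASA Version'" >&2; return 1; }
  # The management interface must be configured, or SSH is unreachable.
  grep -q '^interface Management0/0' "$cfg" || { echo "no Management0/0 stanza" >&2; return 1; }
  # With an idtoken present, automated licensing also needs a route, DNS and a smart-license block.
  if [ -f "$1/idtoken" ]; then
    for pat in '^route ' 'name-server' '^license smart'; do
      grep -q "$pat" "$cfg" || { echo "idtoken present but '$pat' missing" >&2; return 1; }
    done
  fi
}

# make_day0_iso DIR: writes DIR/day0.iso from day0-config (plus idtoken if present).
make_day0_iso() {
  check_day0 "$1" || return 1
  files="$1/day0-config"
  [ -f "$1/idtoken" ] && files="$files $1/idtoken"
  genisoimage -r -o "$1/day0.iso" $files   # -r: Rock Ridge extensions
}

# Constructed sample directory; addresses, version and token are placeholders.
DEMO=$(mktemp -d)
cat > "$DEMO/day0-config" <<'EOF'
ASA Version VERSION_PLACEHOLDER
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.10 255.255.255.0
 no shutdown
route management 0.0.0.0 0.0.0.0 192.168.1.1 1
dns domain-lookup management
dns server-group DefaultDNS
 name-server 192.0.2.53
ssh 192.168.1.0 255.255.255.0 management
license smart
 feature tier standard
 throughput level 1G
EOF
printf 'IDTOKEN_PLACEHOLDER\n' > "$DEMO/idtoken"
check_day0 "$DEMO" && echo "day0-config OK"
command -v genisoimage >/dev/null 2>&1 && make_day0_iso "$DEMO"   # skipped if absent
```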
Prepare the Virtual Bridge XML Files
You need to set up virtual networks that connect the ASAv guests to the KVM host and that connect the guests to each other.
Note: This procedure does not establish connectivity to the external world outside the KVM host.
Prepare the virtual bridge XML files on the KVM host. For the sample virtual network topology described in Prepare the Day 0 Configuration File, you need the following three virtual bridge files: virbr1.xml, virbr2.xml, and virbr3.xml (you must use these three filenames; for example, virbr0 is not allowed because it already exists). Each file has the information needed to set up the virtual bridges. You must give the virtual bridge a name and a unique MAC address. Providing an IP address is optional.
1. Create three virtual network bridge XML files:
2. Create a script that contains the following (in our example, we will name the script virt_network_setup.sh):
3. Run this script to set up the virtual networks. The script brings the virtual networks up. The networks stay up as long as the KVM host is running.
Note: If you reload the Linux host, you must re-run the virt_network_setup.sh script. It does not persist over reboots.
4. Verify that the virtual networks were created:
5. Display the IP address assigned to the virbr1 bridge. This is the IP address that you assigned in the XML file.
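As an added example that is not part of the Cisco guide, the script below writes the three libvirt network definitions (virbr1.xml, virbr2.xml, virbr3.xml), checks that no MAC address is reused across them, and brings the networks up with virsh net-create, which is the transient form that does not survive a reboot. The network names, MAC addresses and the management IP are constructed values; only virbr1 is given an IP, to show that the IP block is optional.

```shell
# Added example (not from the Cisco guide): write the three libvirt network
# definitions (virbr1.xml, virbr2.xml, virbr3.xml) and bring them up with
# virsh. Names, MAC addresses and the management IP are constructed values.

# write_bridge_xml DIR BRIDGE NAME MAC [IP NETMASK]
# Emits DIR/BRIDGE.xml; the IP block is optional, as in the procedure above.
write_bridge_xml() {
  dir=$1; br=$2; name=$3; mac=$4; ip=${5:-}; mask=${6:-}
  {
    printf '<network>\n  <name>%s</name>\n' "$name"
    printf '  <bridge name="%s" stp="on" delay="0"/>\n' "$br"
    printf '  <mac address="%s"/>\n' "$mac"
    [ -n "$ip" ] && printf '  <ip address="%s" netmask="%s"/>\n' "$ip" "$mask"
    printf '</network>\n'
  } > "$dir/$br.xml"
}

# mac_addresses_unique DIR: returns 0 when no MAC appears in two files.
mac_addresses_unique() {
  total=$(grep -h 'mac address' "$1"/virbr*.xml | wc -l | tr -d ' ')
  distinct=$(grep -h 'mac address' "$1"/virbr*.xml | sort -u | wc -l | tr -d ' ')
  [ "$total" -eq "$distinct" ]
}

# bring_up_networks DIR: virsh net-create defines a transient network, which
# is why the bridges disappear on reboot and the script must be re-run.
bring_up_networks() {
  for f in "$1"/virbr*.xml; do virsh net-create "$f"; done
  virsh net-list
}

OUT=$(mktemp -d)
# virbr0 already exists on a default libvirt host, so numbering starts at 1.
write_bridge_xml "$OUT" virbr1 ASAv_Management 52:54:00:05:6e:01 192.168.1.1 255.255.255.0
write_bridge_xml "$OUT" virbr2 ASAv_Inside     52:54:00:05:6e:02
write_bridge_xml "$OUT" virbr3 ASAv_Outside    52:54:00:05:6e:03
mac_addresses_unique "$OUT" || { echo "duplicate MAC address in bridge XML" >&2; exit 1; }
# Only talk to libvirt where virsh is installed.
command -v virsh >/dev/null 2>&1 && bring_up_networks "$OUT"
```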
Launch the ASAv
Use a virt-install based deployment script to launch the ASAv.
1. Create a virt-install script called “virt_install_asav.sh”.
The name of the ASAv VM must be unique across all other virtual machines (VMs) on this KVM host. The ASAv can support up to 10 networks. This example uses three networks. The order of the network bridge clauses is important. The first one listed is always the management interface of the ASAv (Management 0/0), the second one listed is GigabitEthernet 0/0 of the ASAv, the third one listed is GigabitEthernet 0/1 of the ASAv, and so on up through GigabitEthernet 0/8. The virtual NIC must be Virtio.
2. Run the virt_install script:
A window appears displaying the console of the VM. You can see that the VM is booting. It takes a few minutes for the VM to boot. Once the VM has finished booting, you can issue CLI commands from the console screen.
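The script below is an added example and not the guide's own virt_install_asav.sh: it assembles the virt-install command for one ASAv while enforcing the rules above (a VM name that is unique on this host, 1 to 10 bridge clauses kept in interface order so that the first maps to Management 0/0, the second to GigabitEthernet 0/0 and so on, and virtio NICs). The VM name, disk and ISO paths, RAM and vCPU sizing, and the os-variant value are assumptions; take real sizing from Cisco ASA Compatibility.

```shell
# Added example (not from the Cisco guide): build and run the virt-install
# command for one ASAv, enforcing the rules above: a VM name that is unique on
# this host, 1 to 10 bridges listed in interface order (Management0/0 first,
# then GigabitEthernet0/0, 0/1, ...), and virtio NICs. Paths are placeholders.

# vm_name_is_unique NAME: checks the name against libvirt's VM list when virsh
# is available; without virsh there is nothing to compare against, so accept.
vm_name_is_unique() {
  command -v virsh >/dev/null 2>&1 || return 0
  ! virsh list --all --name 2>/dev/null | grep -qx "$1"
}

# build_virt_install NAME DISK ISO BRIDGE... : prints the virt-install command.
build_virt_install() {
  name=$1; disk=$2; iso=$3; shift 3
  n=$#
  if [ "$n" -lt 1 ] || [ "$n" -gt 10 ]; then
    echo "need 1 to 10 bridges, got $n" >&2; return 1
  fi
  vm_name_is_unique "$name" || { echo "VM name $name already exists" >&2; return 1; }
  # RAM/vCPU values are placeholders; size per Cisco ASA Compatibility.
  cmd="virt-install --connect=qemu:///system --name=$name --ram=2048 --vcpus=1"
  cmd="$cmd --disk path=$disk,format=qcow2,device=disk,bus=virtio --cdrom=$iso"
  # Bridge order is what maps each clause to an ASAv interface, so keep "$@" order.
  for br in "$@"; do cmd="$cmd --network bridge=$br,model=virtio"; done
  cmd="$cmd --import --os-variant=generic"
  printf '%s\n' "$cmd"
}

# Constructed invocation: the three bridges from the previous section.
CMD=$(build_virt_install asav-1 /var/lib/libvirt/images/asav.qcow2 \
      /var/lib/libvirt/images/day0.iso virbr1 virbr2 virbr3) || exit 1
echo "$CMD"
# Launch only where virt-install is installed; otherwise just show the command.
if command -v virt-install >/dev/null 2>&1; then eval "$CMD" || echo "virt-install failed" >&2; fi
```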