SAE Core Function Pack Release 1.0.0 Release Notes Introduction The SAE Core Function Pack (FP) is a collection of multiple re-usable NSO packages organized in layers. This FP supports on-boarding of both physical and virtual infrastructures. Services can be built on top of the FP using the strongly typed service models. The FP supports pushing Day1 configurations to the VNF via generic key-value pair paradigm. To deploy the VNFs, NSO uses VNF descriptors that are compliant with the ETSI-MANO specifications. Cisco Secure Agile Exchange Solution enables enterprises to quickly and securely interconnect users to applications by virtualizing the network edge and extending it to colocation centers. Large enterprises can benefit by deploying the solution themselves working with colocation centers like, Barclays or Colo providers like Equinix can deploy SAE in muti-tenant mode and provide SAE services to its customers. NSO SAE Core Function Pack can help orchestrate service chains on managed hardware. Cisco End User License Agreement This software is governed by the Cisco End User License Agreement available at the following URL: http://www.cisco.com/c/en/us/td/docs/general/warranty/English/EU1KEN_.html Minimum System Requirements +----------------+--------------+--------------+-----------------+-----------------+ | OS | Ubuntu | Red Hat | CentOS | MacOSX | +----------------+--------------+--------------+-----------------+-----------------+ | Minimum Server | CPU-8 Cores | CPU-8 Cores | CPU-8 Cores | CPU-8 Cores | | Configuration | RAM-8 GB | RAM-8 GB | RAM-8 GB | RAM- 8 GB | | | Disk-100GB | Disk-100GB | Disk-100GB | Disk-100GB | |----------------+--------------+--------------+-----------------+-----------------+ | Version | 16.04.4 LTS. | | | | | | 17.10 | 7.3 (Maipo) | 7.4 (Core) | 10.12.6. | | | 18.04 LTS | | | | +----------------+--------------+--------------+-----------------+-----------------+ Supported NSO Version: 4.7.1 Supported Packages: --------------------------------------------------- NAME VERSION --------------------------------------------------- cisco-extension-framework 1.0.0 cisco-nx 5.7.2 cisco-sae-asav-extension 1.0.0 cisco-sae-avi-extension 1.0.0 cisco-sae-core-fp 1.0.0 cisco-sae-core-fp-cfs 1.0.0 cisco-sae-core-fp-common 1.0.0 cisco-sae-core-fp-release 1.0.0 cisco-sae-core-fp-status 1.0.0 cisco-sae-diagnosis 1.0.0 cisco-sae-ftdv-extension 1.0.0 cisco-sae-itd-service 1.0.0 core-fp-common 1.5.0 csp 1.0.0 csp-vim 1.0.0 custom-template-utils 1.0.0 day1-templates 1.0.0 diagnosis 0.1.0 esc 4.3.0 infra-discovery 1.0.0 resource-manager 3.3.1 tailf-etsi-rel2-nfvo 3.2.0 tailf-etsi-rel2-nfvo-csp 1.0.0 --------------------------------------------------- Devices Tested +-----------------+---------------------+ | Device | Version | +-----------------+---------------------+ | ESC on CSP. | 4_3_0_128 | | ESC on Vmware | | | | | +-----------------+---------------------+ | CSP-2100 X1 | | | CSP-2100 X2 | 2.3.1.112 | | NIC Card-X710 | | | NIC Card-X520 | | +-----------------+---------------------+ | N9k | | | N9K-C9396PX | nxos.7.0.3.I7.4.bin | | N9K-C93180YC-FX | nxos.7.0.3.I7.5.bin | | N9K-C93180YC-EX | | | N9K-C93108TC-EX | | +-----------------+---------------------+ VNF's Tested +-----------------------------------------------------------------------+ | VNF | Version | +------------+----------------------------------------------------------+ | CSR1000v | csr1000v-universalk9.16.07.02.qcow2 | | csr1000v-universalk9.16.08.01a.qcow2 | +------------+----------------------------------------------------------+ | ASAv | asav982.qcow2 | | | asav992.qcow2 | +------------+----------------------------------------------------------+ | FTDv | Cisco_Firepower_Threat_Defense_Virtual-6.2.2-81.qcow2 | | | Cisco_Firepower_Threat_Defense_Virtual-6.2.3-83.qcow2 | +------------+----------------------------------------------------------+ | FMC | Cisco_Firepower_Management_Center_Virtual-6.2.2-81.qcow2 | | | Cisco_Firepower_Management_Center_Virtual-6.2.3-83.qcow2 | +------------+----------------------------------------------------------+ | Palo Alto | PA-VM-KVM-8.0.5.qcow2 | | | PA-VM-KVM-8.1.3.qcow2 | +------------+----------------------------------------------------------+ | AVI | controller_17_2_7.qcow2 | | Controller | controller_18_1_3a.qcow2 | +------------+----------------------------------------------------------+ | AVI SE | Download AVI SE qcow2 from AVI Controller | +------------+----------------------------------------------------------+ | Fortinet | 6.0.2 | +------------+----------------------------------------------------------+ Installation Instruction for the SAE 1.0.0 Release Please refer to "SAE-Core-Function-Pack-Installation-Guide-Version-1.0.0" for information on how to install SAE CoreFP. Note :- Sample SAE Bootstrap data is already been loaded as part of installation (Local/System Installation). Please add Day0-password in sae-catalog/VNFD-Deployment for CSR and ASA, and use same password in csr-authgroup and asa-authgroup respectively.Default esc-authgroup username & password: admin/admin. Modify the catalog csp-2100-2.3.1 with values for virtio, sriov and Mgmt PC based on TestBed Features Supported: *Infrastructure onboarding *Infrastructure Auto Discovery *vnf-manager onboarding *Standalone & Spine-leaf infrastructure support *VNF Resource Orchestration Bandwidth allocation [pnic] Affinity support Resource Zone support *SAE Service Instantiation Half Chain End to End Stitching service Shared / Inline gateway *Controller Based VNF Support AVI-SE FTDv *VNF HA support [ASAv, FTDv, CSR, PAFW] *Transparent mode VNF's Support [Experimental] *Routed VNF's Support *Operational features & show commands cleanup Actions site-actions custom actions SAE Allocations Service VNF variables *VNF Replacement in service *SAE Customization *VNF Image upload support *BGP configs support *ITD support as service [Experimental] *VNF licensing support [support type - IOS,ASA] *SAE PLAN status *SAE Notifications & Alarms Known Issues and Workaround +------------+----------------------------------------------------------------------------------------------+ | CSCvm72545 | Should not allow deleting Service Chain unless all VNFs in service chain fail. | +------------+----------------------------------------------------------------------------------------------+ Workaround: Wait till the service chain vnf's are deployed , before performing a delete operation. +------------+----------------------------------------------------------------------------------------------+ | CSCvm83163 | ASAv HA are stuck in recovering mode | +------------+----------------------------------------------------------------------------------------------+ Workaround: Message in plan is incorrect , service state is reached. +------------+----------------------------------------------------------------------------------------------+ | CSCvm87029 | Proper validation is needed if a deployment is made without an ESC added to the | | | infrastructure | +------------+----------------------------------------------------------------------------------------------+ Workaround: Delete AVISE and deploy new AVISE. +------------+----------------------------------------------------------------------------------------------+ | CSCvm88581 | Custom-Undeploy redeploy for AVISE doesnt request new auth token from AVI Controller | +------------+----------------------------------------------------------------------------------------------+ Workaround: Delete AVISE and deploy new AVISE. +------------+-----------------------------------------------------------------------------------------------+ | CSCvm90655 | Re-run discovery failed with new changes in CSP | +------------+-----------------------------------------------------------------------------------------------+ Workaround: For this issue, Pre-requisite is to make sure CSP does not have any VNF deployed if its present then delete it from sae-site, Once CSP is clean then go and make any change in CSP like the port-channel update, To capture the new change in infra, the next step is to delete it from sae-site infrastructure & rerun the discovery,this will detect new change like port-channel. +------------+-----------------------------------------------------------------------------------------------+ | CSCvm94293 | Run out of internal ip pool when spinning up ASAv HA service chain | +------------+-----------------------------------------------------------------------------------------------+ Workaround: No current workaround. +------------+------------------------------------------------------------------------------------------------+ | CSCvn06242 | Plan status not updated for failed AVISE deployment | +------------+------------------------------------------------------------------------------------------------+ Workaround: Check the post response for AVI is in failed state. This means we need to manually clean up AVI extension request as below. AVI-102:Failed to retrieve avi-se uuid node admin@ncs> request extension registry avi-se-post-extension actions avi-post-clean-up req-id SanDiego-AVISE-avi-profile-SAE-AVISE-SAE-AVISE-VDU owner /cisco-sae-core-fp:sae-site{SanDiego}/endpoint-gateway-vnf{AVISE} status : Done ! [ok][2018-10-26 17:16:09] After this plan will be moved to ready state. +------------+-----------------------------------------------------------------------------------------------+ | CSCvn07854 | Notifications between NSO and ESC need to be consistent for all use cases | +------------+-----------------------------------------------------------------------------------------------+ Workaround: No current workaround. +------------+-----------------------------------------------------------------------------------------------+ | CSCvn07954 | Need a better user operation to recover Failed VNF via NSO | +------------+-----------------------------------------------------------------------------------------------+ Workaround: The following sample is to recover a failed VNF which is managed by NSO: devices device SANJOSE-E2E_CSR_FTD_CSR_-CSR_PRO_1_PROFI state admin-state unlocked devices device ESC-0 rpc rpc-vmAction vmAction actionType ENABLE_MONITOR vmName SANJOSE-E2E_CSR__VNFD_C_0_8d3e0179-ee0d-4c6b-8e72-1636831ef13d +------------+-----------------------------------------------------------------------------------------------+ | CSCvn10039 | VM deployement fails for AVI controller v18.1.3 inline service chain | +------------+-----------------------------------------------------------------------------------------------+ Workaround: AVISE registration to AVI Controller takes more time like states of Initializing and then status as UP. Hence increase the Metric OCC True value for Catalog VNFD-Deployment for AVISE to wait before processing avi-post extension Set the var METRIC_OCC_TRUE { val 40; +------------+-----------------------------------------------------------------------------------------------+ | CSCvn11840 | Sae-site-action recover vnf on csp doesnt work if component in ready reached state +------------+-----------------------------------------------------------------------------------------------+ Workaround: No current workaround.