Deep Dive into Secure Agile Exchange
Design, Deploy and Debug your Secure Multicloud Access using Automation and Assurance

Dinesh Ranjit, Technical Architect SAE/CSP
Sujay Murthy, NSO Application Team/SAE

TECCLD-2107
Cisco Webex Teams

Questions? Use Cisco Webex Teams to chat with the speaker after the session.

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

TECCLD-2107 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Secure Agile Exchange (SAE) Overview
• SAE Planning
• SAE Design
• SAE Infrastructure
---- Break ----
• SAE Deployment
• End to End Service Chains
• SAE Assurance and Day2 Service Operation
• Shared Endpoint Gateway and Half Service Chains
• Stitching Service Chains and Shared End Point Gateway
• SAE Debug and Troubleshooting
• SAE Roadmap and References
• SAE Conclusion / Q & A

Secure Agile Exchange (SAE) Overview

Today’s Global Enterprise Network
(Figure: an MPLS core interconnecting enterprise sites in San Jose and Kansas City (USA), Sao Paulo (Brazil), Clichy (France), Moscow (Russia), Johannesburg (South Africa), Bangalore (India), Shanghai (China) and Tokyo (Japan).)

Challenges of multi-cloud access by disparate user groups
(Figure: user groups reaching many SaaS applications, other public clouds and private clouds.)

Business Challenges
- Efficient IaaS and SaaS access keeping app SLA intact
- Distributed internet access
- Operationally efficient

Multi-Cloud Access Changes the Network

Data Center Centric (figure: mainframe/servers behind the data center network/security perimeter; WAN, campus/branch, SaaS and public cloud are all reached through the data center):
• Security challenges for distributed cloud services
• Suboptimal routing adds latency (roundtrip)
• Multi-Cloud Network growing in complexity, no scalability

Multi-Cloud Centric with Cloud Edge (figure: Secure Agile Exchange in the Cloud Edge acts as the security edge between campus/branch, data center, Internet, SaaS, Cloud 1 and Cloud 2):
• Centralized access adds more security services, with centralized security and policy management
• Lower cloud connectivity charges
• Faster provisioning of new cloud based services
• Scale for any multicloud environment

Cloud Edge is the New Network Hub
(Figure: Cisco Secure Agile Exchange hubs form a Virtual Core between SaaS, customers, employees, partners, the private data center and the public cloud.)
• Virtualized network services can be automatically deployed on demand.
• Centralized policy management simplifies secure communication between employees, customers, partners.
• Reduced Latency improves user experience.
• Segmentation of flows brings agility to enable connectivity.
• Create New Virtual Core Network to significantly reduce Transport Costs.

Gartner Paper (Aug 2019)
• The legacy data center model is becoming obsolete due to cloud adoption.
• Defines SASE (Secure Access Service Edge) (“sassy”).
• “Tromboning” traffic is inefficient and costly; inspection engines should be located closest to where the data is stored.
• The enterprise network perimeter is no longer a location but more a set of capabilities delivered from the cloud.
[Link] and-security-conver

Secure Agile Exchange Peering Architecture
(Figure: Cisco SAE sits between Consumer Zones (WAN branches, partners, mobile employees, customers) and Provider Zones (data center, Internet, SaaS). Layers from top to bottom: Orchestration Software; Physical Network Functions on either side; Cisco and 3rd party VNFs on CSP hosts; N9K Switching Fabric; NFV Infrastructure. Nexus9k plus CSP form the Foundation Architecture.)

Secure Agile Exchange (SAE)
(Figure: the same consumer/provider zone layout with NSO as the orchestration software, Cisco and 3rd party VNFs on CSPs, Nexus 9K switching and NFV infrastructure.)

1. SD-WAN/SD-Branch Neutral
• Support Meraki
2. Design/Policy flexibility
• Route leaking
• Half chains
• Multi-cloud interconnectivity
• Endpoint Add/delete to VNF
• PNF blob (SAE 2.1)*
3. Orchestration support
• NSO license available
• Physical device mgmt
• OOB switch
• ASR, FTD
• Day2 automation via NED (separate SKU)

Scale
• N9K/NX-OS
• Leaf pair/VXLAN
• Multi-tenancy
• ACI (SAE 2.1)*

Visibility support
• Netflow/Sflow support
• 3rd party: Netrounds, LiveAction
• NAE, Stealthwatch (ACI 2.1)*

SAE HUB
(Figure: global SAE hubs in San Jose, Chicago, Washington DC, Miami, Sao Paulo, London, Frankfurt, Beijing, Tokyo and Singapore.)

Architecture Overview: Global Network Access Points (Hubs)
Utilizing global SAE hubs allows Enterprises to deploy resources in proximity to their user population, which reduces latency for digital communication, provides an internet-first consumption model, includes both hybrid and multi-cloud usage, and facilitates decreased network traffic through appropriate distribution of the Hubs.

SAE Building Blocks

VNFs
• Cisco & 3rd Party
• Virtual First Focus
• Performance Focused Hardware

Flexible Switching Fabric (VXLAN Fabric)
• VNF Ready
• Consistent Software Between Virtual and Hardware

CSP NFV Platform (Hypervisor)
• Scales From Small to Large Deployments
• CLI, GUI, and API Driven

Orchestration
• Automate and Orchestrate Cisco and 3rd Party VNFs
• Create Repeatable Service Chain Models

SAE Solution Stack
(Figure: the SAE Solution GUI and API sit on top of one NSO instance running as an HA pair. The SAE Core Function Pack inside NSO holds the Service Chain Catalog, Image Repository, VNF Templates, Infrastructure Inventory, Instance Status and Alerts/Notifications, backed by the NSO CDB. NSO drives each site through a NETCONF/YANG Nexus NED for the switching and a VNF NED, and through one ESC HA instance per site acting as VNF Life Cycle Manager. NEDs enable Day -1/2 configurations. Further sites (Site 2) are on the roadmap.)

SAE Component Stack

NFV Infrastructure (NFVI)
• Support for any KVM based VNF (QCOW2)
• Multiple networking options, including OVS, DPDK, SR-IOV and port-channels
• Hosting Cisco VNFs like CSR, ASAv and FTDv, 3rd party VNFs like Palo Alto and Fortinet as firewalls, and load balancers like AVI, F5 etc.
(Figure: VNFs on CSP-5200/5400 hosts.)

SAE Component Stack

Nexus Fabric
• Nexus Standalone or Spine/Leaf or ACI
• Support for VLAN and/or VXLAN
• Support for ITD
• Multi-Tenancy with VRFs
• Full redundancy with port-channels and vPC
(Figure: Nexus 9K beneath the VNF/CSP-5200/5400 layer.)

SAE Component Stack

Physical Network Function (PNF)
• Support Physical Device in a SAE Service
(Figure: PNF attached to the Nexus 9K alongside the VNF/CSP layer.)

SAE Component Stack

Cisco Firepower Appliance
• Support Firepower Appliances 4100/9300 for FTDc deployment in a Service Chain
(Figure: chain VNF → CSP VNF → FTDc → PFTD → FTDc across the Nexus 9K and PNF layers.)

SAE Component Stack

Elastic Services Controller: VNF Lifecycle Manager (VNFM)
• Instantiate individual and/or groups of VNFs
• Provision Day0 configurations and network objects
• Monitor VNF health and perform recovery

SAE Component Stack

Network Service Orchestrator and SAE Core Function Pack
• Model and deploy Service Chains (Day1, Day2)
• Manage Resource Pools (IP, VLAN, VXLAN, Compute, Endpoint Gateway)
• Manage Lifecycle of Service Chains (Create, Re-deploy, Update, Delete)
• Full northbound API support and extensibility (VRFs, Day 2 Policy, etc.)
(Figure: NSO with the Secure Agile Exchange Function Pack on top of ESC, the VNF/CSP/FTDc/PFTD layer, Nexus 9K and PNF.)

Cloud Services Platform

CSP 5216/5228
• 8^ SSD or HDD slots
• 2 PCIe slots
• 2x10G Ethernet, CIMC / OOB LOM

CSP 5436/5444/5456
• 24 SSD or HDD slots
• 6 PCIe slots
• 2x10G Ethernet, CIMC / OOB LOM

NICs: X520 (2x10G), X710 (4x10G), XL710 (2x40G), XXV710 (2x25G)
^ RAID 10 uses disks in multiples of 4, so only 8 of the 10 slots are used. RAID 10 reduces the available storage by half.

System Overview – NSO and ESC
(Figure: Network Ops, Service Engineering, Provisioning and Developers use the Orchestrator (NSO), whose Service Manager, Package Manager, CDB, Device Manager and Device Abstraction drive NEDs towards Multi-domain Networks; ESC (VNFM) provides the VNF Lifecycle Manager and VNF Service Monitoring.)
• Model-driven, end-to-end service lifecycle and customer experience focused
• Seamless integration with existing and future OSS/BSS environment
• Loosely-coupled and modular architecture leveraging open APIs and standard protocols
• Orchestration across multi-domain and multi-layer for network-wide, centralized policy and services

Network Element Drivers (NEDs) - Multivendor Abstraction
(Figure: the same NSO/ESC stack, highlighting the NED layer between Device Abstraction and the Multi-domain Networks.)

A NED abstracts:
• Underlying protocol and data-models
• Error-handling

The NED computes the ordered sequence of device-specific commands to go from the current configuration state to the desired configuration state.

Key benefits include:
• Removes the device adapter problem
• Removes complex device logic from the service logic

Industry’s Broadest Multivendor Support
Over 100 Supported NEDs — Customization Available

Virtualization - Scale Up, Out and Down

1 Service Engine (large): 40 cores, 40 Gbps, 100k SSL TPS
1 Service Engine (medium): 4 cores, 4 Gbps, 10k SSL TPS
1 Service Engine (small): 1 core, 1 Gbps, 2.5k SSL TPS

SCALE-UP: more cores & IO
SCALE-OUT: more CSPs & VNFs; scale to 200 Service Engines with Equal Cost Multipath Load Balancing
SCALE-DOWN
(Figure labels: NED; Centralized API, Management, Monitoring.)

SAE Assurance Journey

Monitoring
• monitoring
• SLA
• threshold
• recovery actions

Health-check
• Periodic/Scheduled health-check

Validation
• Ad-hoc action to check the packet path when invoked
• After service chain instantiation, prove the packet path is the same as the service chain path

Benefits of SAE
• Flexibility: cited as the #1 benefit of NFV (85%)
• Agile: reduces complexity & deployment time
• Cost: reduces CapEx, saves space and power

Use Case 1: Onboard a new partner

SAE Solution
• Under an Hour
• Select or Create a Service chain
• Deploy Service chain at Site

Physical Solution
• Days/weeks
• Network team creates design & configuration
• Security/firewall team instantiates firewall rules, ACLs
• Solution reviewed & approved by Change Board
• Maintenance Window scheduled for production deployment

Use Case 2: Onboard a new application

SAE Solution
• Under an Hour
• Select or Create a Service Chain
• Deploy Service chain at Site

Physical Solution
• Days/Weeks
• Network team creates design & configuration, deploys hardware for network connectivity
• Security team opens ports & protocols required
• Change Board reviews & approves
• Maintenance Window scheduled for production deployment

NFV TCO
Use case: Financial securities company doing a Firewall refresh.

Physical FW vs NFV
• CapEx Savings: $400k (~30%)
• Power Savings: $13K
• Space Savings (RU): 38

                         PNF            NFV/VNF        Savings
Total Solution Cost      $1,419,282     $1,000,000     $419,282
Power/Unit (Watts)       1,200          1,050
Total Watts for Units    21,600         6,300          15,300
Cost/kWh                 $0.10          $0.10
Power cost/unit          $1,046.40      $915.60
Total power cost         $18,835        $5,494         $13,338
RU                       3RU*18 = 54    2RU*6 = 12     38

SAE Planning
(Figure: the SAE Core with ITD between Consumer Zones and Provider Zones.
Consumer Zones: VPN Users 500Mbps via ASAv; Meraki Branch 5Gbps/6Gbps; Viptela Branch 5Gbps/6Gbps; Legacy DMVPN Sites 8Gbps; Legacy MPLS Sites 300Mbps.
Provider Zones: Internet 2.5 Gbps via ASAv DMZ; Shared Colo Services over DMVPN 2.5Gbps; SAE Interconnect (DCI) 10Gbps.)

Access to app hosted in Cloud
Effects when traffic is back-hauled to the DC to apply security policies:
• Hair pinning/tromboning of traffic
• Adds latency
• Increases BW requirements
• Increases transport costs
(Figure: branch → DMVPN → SP Router → Data Center, then out again to the cloud app.)
Traffic delivered to cloud App over internet or Hybrid Cloud Connect (Direct Connect/Express Route)

SAE: Centralized Secure Policy Application to Traffic Flows - Virtual Only
(Figure: in the Co-Location Center, DMVPN traffic enters at the SP Router, is steered through the CSP-hosted VNFs via the Nexus9k, and leaves through the SP Router towards the Data Center or the cloud.)

SAE: Centralized Secure Policy Application to Traffic Flows - Physical & Virtual
(Figure: the same co-location layout with the physical ASRc and ASRp in the chain next to the CSP.)
1. ASRc IN connected to Branch router, OUT to Nexus 9K leaf
2. ASRp IN connected to N9K and OUT to SP Router

SAE Workflow

Discover & Assess
• Identify Sites
• Identify Traffic Flow
• Identify Bandwidth
• Identify HA/Affinity
• Determine Security Policies Applied to Traffic

Design
• Onboard VNFs/Service Chains
• Design Service & Service Chains
• Create Catalog for Service & Service Chains

Infrastructure Setup
• Identify Infrastructure
• Create SAE Site
• Associate Catalog to Site
• Discover Co-Location Cluster & CSPs
• Create External End Point Handoff and EPGWs

Deploy Service
• Select Pre-Designed Service Chains from Catalog
• Resource Zones
• Provide Deployment Parameters
• Deploy SAE Service Chains and Validate

Consumer Zones Service Chain
(Figure: one chain per consumer zone into the Secure Agile Exchange; each chain is a PAN FW (Threat Intelligence, Anti-Malware, Next-Gen IPS) plus a routing VNF, with the VNF sizes listed on the slide.)
• 300Mbps MPLS: PAN FW and CSRv; 1vCPU 4GB RAM, 2vCPU 8GB RAM
• 2Gbps DMVPN Sites: PAN FW and DMVPN CSRv; 4vCPU 9GB RAM, 4vCPU 4GB RAM
• 6Gbps Core/Enh SD-WAN: PAN FW and vEdge; 8vCPU 12GB RAM x3, 8vCPU 16GB RAM
• 6Gbps Std SD-WAN Sites: PAN FW and CSRv; 8vCPU 12GB RAM x2, 8vCPU 16GB RAM
• 500Mbps VPN Users: ASAv (Threat Intelligence, Identity Services, Anti-Malware, Next-Gen IPS); 4vCPU 8GB RAM

Provider Zones Service Chain
(Figure: one chain per provider zone out of the Secure Agile Exchange; each chain is a PAN FW (Threat Intelligence, Anti-Malware, IPS) plus CSRv, with a Load Balancer where listed, sized as follows.)
• 8Gbps Internet: Load Balancer, PAN FW, CSRv; 8vCPU 16GB RAM x2, 1vCPU 4GB RAM x2
• 1Gbps Azure: PAN FW, CSRv; 2vCPU 8GB RAM, 1vCPU 4GB RAM
• 8Gbps AWS: Load Balancer, PAN FW, CSRv; 8vCPU 16GB RAM x2, 1vCPU 4GB RAM x2
• 2Gbps DCI Backbone: PAN FW, CSRv; 4vCPU 9GB RAM, 4vCPU 4GB RAM
• Colo Services: Load Balancer
Total: 47 vCPU, 105GB RAM

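To see what the sizes on this slide mean for the CSP cluster, here is an added capacity-planning example in Python; it is not Cisco SAE or NSO code. The VNF sizes are the ones listed above (47 vCPU / 105 GB RAM in total); which size belongs to which VNF inside a chain, and the free capacity per CSP host, are assumptions. The placement rules are the two the workflow asks you to identify: affinity (a chain's VNFs stay on one CSP) and HA anti-affinity (a second instance of a zone lands on a different CSP).

```python
"""Capacity planning for SAE service chains (added example, not SAE/NSO code).

The VNF sizes are the ones on the Provider Zones slide; which size belongs to
which VNF inside a chain is an assumption where the slide leaves it implicit,
and the CSP host capacities given by the caller are assumed, not datasheet values.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vnf:
    name: str
    vcpu: int
    ram_gb: int


@dataclass(frozen=True)
class Chain:
    zone: str
    bandwidth: str
    vnfs: tuple[Vnf, ...]

    @property
    def vcpu(self) -> int:
        return sum(v.vcpu for v in self.vnfs)

    @property
    def ram_gb(self) -> int:
        return sum(v.ram_gb for v in self.vnfs)


# Provider-zone chains as sized on the slide (totals to 47 vCPU / 105 GB RAM).
PROVIDER_CHAINS = (
    Chain("Internet", "8Gbps", (Vnf("Load Balancer", 8, 16), Vnf("PAN FW", 8, 16),
                                Vnf("CSRv", 1, 4), Vnf("CSRv", 1, 4))),
    Chain("Azure", "1Gbps", (Vnf("PAN FW", 2, 8), Vnf("CSRv", 1, 4))),
    Chain("AWS", "8Gbps", (Vnf("Load Balancer", 8, 16), Vnf("PAN FW", 8, 16),
                           Vnf("CSRv", 1, 4), Vnf("CSRv", 1, 4))),
    Chain("DCI Backbone", "2Gbps", (Vnf("PAN FW", 4, 9), Vnf("CSRv", 4, 4))),
)


def totals(chains) -> tuple[int, int]:
    """Total (vCPU, RAM GB) the chains consume; the number printed on the slide."""
    return sum(c.vcpu for c in chains), sum(c.ram_gb for c in chains)


@dataclass
class Host:
    """A CSP with the capacity left for service VNFs (after NSO/ESC/assurance VMs)."""
    name: str
    free_vcpu: int
    free_ram_gb: int
    placed: list[str] = field(default_factory=list)

    def fits(self, chain: Chain) -> bool:
        return chain.vcpu <= self.free_vcpu and chain.ram_gb <= self.free_ram_gb

    def take(self, chain: Chain, label: str) -> None:
        self.free_vcpu -= chain.vcpu
        self.free_ram_gb -= chain.ram_gb
        self.placed.append(label)


def place_chains(chains, hosts: list[Host], ha_zones=frozenset()) -> dict[str, list[str]]:
    """First-fit placement applying the HA/affinity rules from the SAE workflow.

    Affinity: all VNFs of a chain go on one CSP, so losing a host loses whole
    chains rather than leaving half-chains in the fabric.  Anti-affinity: a zone
    in ha_zones gets a second instance that must land on a different CSP.
    Raises ValueError if the cluster cannot satisfy the request.
    """
    for chain in chains:
        copies = 2 if chain.zone in ha_zones else 1
        used: list[int] = []                      # ids of hosts this chain already uses
        for i in range(copies):
            label = chain.zone if i == 0 else f"{chain.zone} (HA)"
            host = next((h for h in hosts if id(h) not in used and h.fits(chain)), None)
            if host is None:
                raise ValueError(f"no CSP with {chain.vcpu} vCPU / {chain.ram_gb} GB free for {label}")
            host.take(chain, label)
            used.append(id(host))
    return {h.name: list(h.placed) for h in hosts}


if __name__ == "__main__":
    cluster = [Host("csp-9-48", 40, 128), Host("csp-9-49", 40, 128)]  # assumed free capacity
    print("total", totals(PROVIDER_CHAINS))
    print(place_chains(PROVIDER_CHAINS, cluster, ha_zones={"Internet"}))
```

Run against two hosts with 40 free vCPUs each, the Internet chain and its HA copy land on different CSPs and the DCI chain is pushed to the second host because the first has only one vCPU left; a single-host cluster fails the anti-affinity rule with a clear error instead of silently co-locating both Internet instances.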
SAE Design
SAE Workflow (the same four-phase figure as in the Planning section: Discover & Assess → Design → Infrastructure Setup → Deploy Service; this section covers the Design phase.)

Intent: Branch needs connectivity to app in the cloud
Customer and Cloud Service Provider (CSP) have presence in the Co-Location.
(Figure: Branch → DMVPN → Internet → Application. Before the chain exists the branch is unable to access the application and unable to ping the server hosted in the Cloud.)

End-to-End Service Chain Traffic Flow
(Figure: DMVPN Gateway Router → CSRv → ASAv → CSRv → Internet Gateway Router.)

End-to-End Service Chain – Traffic Flow Configuration
(Figure: the consumer-side CSRv (eth1, VLAN 38) peers by eBGP with the DMVPN Gateway Router in AS 380; VLAN A connects it to the ASAv (AS Y:Y) and VLAN B connects the ASAv to the provider-side CSRv (eth4, VLAN 138), which peers by eBGP with the Internet Gateway Router in AS 1380. A Test Agent is attached on eth2/eth3 around the ASAv.)

Consumer end point
vlan-number 38
local-bgp-as-number 38
remote-bgp-as-number 380
endpoint-ipaddress [Link]
endpoint-netmask [Link]

Provider end point
vlan-number 138
local-bgp-as-number 138
remote-bgp-as-number 1380
endpoint-ipaddress [Link]
endpoint-netmask [Link]

CSR 1000v Resource Sizing
(Sizing table shown as an image on the slide.)

ASAv Sizing

ASAv Specifications
Feature                                             ASAv5                    ASAv10      ASAv30      ASAv50
Virtual CPUs                                        1                        1           4           8
Memory                                              1 GB min / 1.5 GB max    2 GB        8 GB        16 GB
Minimum disk storage                                8 GB                     8 GB        16 GB       16 GB
Stateful inspection throughput (maximum)            100 Mbps                 1 Gbps      2 Gbps      10 Gbps
Stateful inspection throughput (multiprotocol)      50 Mbps                  500 Mbps    1 Gbps      5 Gbps
AES VPN throughput                                  30 Mbps                  125 Mbps    1 Gbps      3 Gbps
Connections per second                              8,000                    20,000      60,000      120,000
Concurrent sessions                                 50,000                   100,000     500,000     2,000,000
VLANs                                               25                       50          200         1024
Bridge groups                                       12                       25          100         250
IPsec VPN peers                                     50                       250         750         10,000
Cisco AnyConnect or clientless VPN user sessions    50                       250         750         10,000
Cisco Unified Communications phone proxy            50                       250         1000        Not tested
Cisco Cloud Web Security users                      250                      1,000       5000        Not tested
High availability                                   Active/standby
Modes                                               Routed and transparent

Ordering Information: In Cisco Commerce Workspace (CCW) order the Base Selection (denoted by “K9” in the Part Number), followed by the desired License Type.
Part Number          Description
L-ASAV5S-K9=         8-pack Cisco ASAv5 (100 Mbps) selection
L-ASAV5S-STD-8       8-pack Cisco ASAv5 (100 Mbps) with all firewall features licensed
L-ASAV10S-K9=        Cisco ASAv10 (1 Gbps) selection
L-ASAV10S-STD        Cisco ASAv10 (1 Gbps) with all firewall features licensed
L-ASAV10S-STD-16     16-pack Cisco ASAv10 (1 Gbps) with all firewall features licensed
L-ASAV30S-K9=        Cisco ASAv30 (2 Gbps) selection
L-ASAV30S-STD        Cisco ASAv30 (2 Gbps) with all firewall features licensed
L-ASAV30S-STD-4      4-pack Cisco ASAv30 (2 Gbps) with all firewall features licensed
L-ASAV50S-K9=        Cisco ASAv50 (10 Gbps) selection
L-ASAV50S-STD        Cisco ASAv50 (10 Gbps) with all firewall features licensed
L-ASAV50S-STD-4      4-pack Cisco ASAv50 (10 Gbps) with all firewall features licensed

Palo Alto Sizing
(Sizing table shown as an image on the slide.)

Virtual Network Function (VNF) Catalog

VNF Catalog
vCPU   Memory (GB)   Storage (GB)   Vendor
16     56            2046           Palo Alto
8      16            2046           Palo Alto
2      8             2046           Palo Alto
8      16            10             F5
2      4             10             F5
1      4             8              Cisco
1      4             8              Cisco
2      4             8              Cisco

App Catalog
vCPU   Memory (GB)   Storage (GB)   Vendor
12     96            2.4            Cisco
7      64            1.5            Cisco
4      4             50             Cisco
4      32            250            Infoblox

ASAv VNF Profile/Template

VNF Template (the $-variables are filled in by the VNFM at deployment)
hostname $VD_ASA_HOSTNAME
nameif $MGMT_IF
ip address $VD_ASA_NICID_0_IP_ADDRESS $VD_ASA_NICID_0_IP_MASK
username $VFIREWALL_USERNAME password $VFIREWALL_PASSWORD privilege 15
ssh [Link] [Link] $MGMT_IF
router bgp $VD_ASA_ASNUMBER
bgp router-id $VD_ASA_NICID_0_IP_ADDRESS
license smart register idtoken $LICENSE_TOKEN force

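The template above carries an admin password and a Smart Licensing token in plain variables, and every value lands verbatim inside an ASA configuration, so the deployment parameters deserve a check before they reach the VNFM. Here is an added example in Python of such a pre-flight check; it is not ESC or SAE function-pack code and does not reproduce ESC's own substitution. TEMPLATE follows the slide's ASAv template, with the SSH source network (whose addresses were stripped in extraction) parameterised as two extra variables and an enclosing "interface Management0/0" line added as an assumption; all parameter values are constructed.

```python
"""Render and pre-check a Day0 VNF template (added example, not ESC or SAE code).

TEMPLATE follows the ASAv template on the slide; the SSH source network, whose
addresses were stripped in extraction, is parameterised here as two extra
variables, and the enclosing 'interface Management0/0' line is an assumption.
All variable values in the example run are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from string import Template

TEMPLATE = """\
hostname $VD_ASA_HOSTNAME
interface Management0/0
 nameif $MGMT_IF
 ip address $VD_ASA_NICID_0_IP_ADDRESS $VD_ASA_NICID_0_IP_MASK
username $VFIREWALL_USERNAME password $VFIREWALL_PASSWORD privilege 15
ssh $MGMT_ALLOWED_NET $MGMT_ALLOWED_MASK $MGMT_IF
router bgp $VD_ASA_ASNUMBER
 bgp router-id $VD_ASA_NICID_0_IP_ADDRESS
license smart register idtoken $LICENSE_TOKEN force
"""

SECRET_VARS = frozenset({"VFIREWALL_PASSWORD", "LICENSE_TOKEN"})
IP_VARS = frozenset({"VD_ASA_NICID_0_IP_ADDRESS", "MGMT_ALLOWED_NET"})
MASK_VARS = frozenset({"VD_ASA_NICID_0_IP_MASK", "MGMT_ALLOWED_MASK"})
ASN_VARS = frozenset({"VD_ASA_ASNUMBER"})
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def required_vars(template: str) -> set[str]:
    """Every $NAME / ${NAME} placeholder the template expects."""
    names = set()
    for m in Template.pattern.finditer(template):
        name = m.group("named") or m.group("braced")
        if name:
            names.add(name)
    return names


def validate(template: str, values: dict[str, str]) -> None:
    """Reject incomplete or dangerous Day0 parameters before anything is rendered."""
    missing = required_vars(template) - values.keys()
    if missing:
        raise ValueError(f"missing Day0 variables: {sorted(missing)}")
    for name, value in values.items():
        # A newline inside a value would append arbitrary CLI lines to the config.
        if not isinstance(value, str) or CONTROL_CHARS.search(value):
            raise ValueError(f"{name}: control characters are not allowed in Day0 values")
        if name in IP_VARS:
            ipaddress.IPv4Address(value)                       # raises on junk
        if name in MASK_VARS:
            ipaddress.IPv4Network(("0.0.0.0", value))          # contiguous mask only
        if name in ASN_VARS and not 1 <= int(value) <= 4294967295:
            raise ValueError(f"{name}: AS number out of range")


def render(template: str, values: dict[str, str]) -> str:
    """Validated substitution; unresolved placeholders can never reach the device."""
    validate(template, values)
    return Template(template).substitute(values)


def redacted(values: dict[str, str]) -> dict[str, str]:
    """Copy of the parameters that is safe to log or show in the GUI."""
    return {k: ("<redacted>" if k in SECRET_VARS else v) for k, v in values.items()}


EXAMPLE_VALUES = {  # constructed values, RFC 5737 documentation address ranges
    "VD_ASA_HOSTNAME": "sae-asav-1",
    "MGMT_IF": "management",
    "VD_ASA_NICID_0_IP_ADDRESS": "192.0.2.10",
    "VD_ASA_NICID_0_IP_MASK": "255.255.255.0",
    "VFIREWALL_USERNAME": "admin",
    "VFIREWALL_PASSWORD": "Example-Pass-1",
    "MGMT_ALLOWED_NET": "198.51.100.0",
    "MGMT_ALLOWED_MASK": "255.255.255.0",
    "VD_ASA_ASNUMBER": "65038",
    "LICENSE_TOKEN": "example-id-token",
}

if __name__ == "__main__":
    print(render(TEMPLATE, EXAMPLE_VALUES))
    print(redacted(EXAMPLE_VALUES))
```

The two checks that matter operationally are the control-character test, because a parameter such as a hostname is the one place where an operator (or an upstream system feeding the northbound API) could smuggle extra ASA commands into the Day0 file, and the redacted view, because the NSO/ESC logs and the GUI otherwise end up holding the firewall admin password and the license token in clear.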
Service Design → Virtual Services/VNFD
(Figure: a Virtual Service, e.g. Cisco CSR 1000v, is described by its VNF Resources (CPU, Memory, Storage), Description, Flavor, Vendor Information, Image, VNFM Day0 configuration, Interfaces (Management, Ingress, Egress) and HA; the Day0 choice shown is DUO vs IPSec.)
*VNFD – Virtual Network Function Descriptor

Virtual Services
(GUI screenshot on the slide.)

Service Catalog → Virtual Service Instance/VNFD-Deployment
• Catalog of various services
• Day0 Configuration
• Configuration parameter changes
• Day1 Configuration
(Figure: a Virtual Service Instance, e.g. DMVPN CSR 2.5 GBPS/Security Configuration/DMVPN users, is built from a Name, a Virtual Service Flavor, a Day0 File (/DMVPN), an optional Day1 configuration (e.g. Disable Web Traffic) and VNF Monitoring.)

Virtual Service Instance
(GUI screenshot on the slide.)

Service Design → Service Chain / NSD
(Figure: a Service Chain, e.g. Branch-Cloud, is described by a Description, its Virtual Services with Flavor/Profile (e.g. Flavor1/IPBASE, Flavor2/APPX) or a Physical Service, Type, Affinity-Rule and Affinity Scope, Switch, External Connection, and the connection ends Consumer-End, Provider-End, Chain-End, PRE-ITD-End and POST-ITD-END.)
*NSD = Network Service Descriptor

Service Chains
(GUI screenshot on the slide.)

Service Catalog → Service Chain Instance/NSD-Deployment
Catalog of various service-chains
• Different Services
• Configuration parameter changes
(Figure: a Service Chain Instance, e.g. DMVPN-Internet, is built from a Service Chain Catalog entry and a Name; each Virtual Service in it gets a Profile, a Flavor and a Virtual Service Instance.)

Service Chain Instance
(GUI screenshot on the slide.)

SAE Infrastructure
SAE Workflow (the same four-phase figure as in the Planning section; this section covers Infrastructure Setup.)

Example SAE Physical Buildout
(Figure: two clusters, each built from CSP5456 hosts and a CSP5216 host (24 vCPUs per host drawn), cabled through Intel XL710 and Intel X520 NICs to a Nexus 93180 pair. CIMC and MGMT ports go to the OOB network (ISR4331 + EtherSwitch). NSO-HA, ESC-HA and SIP run on the management CSPs.)

SAE Standalone - Wiring Topology
• Wire 2 N9K-C93180YC-FX to 2 CSP5K

CSP        Pnic       Pnic type   Port-channel/SRIOV   N9K        Port-Channel     Interface
csp-9-48   enp7s0f0   X710        DATA-PC              LEAF3-R4   port-channel15   Ethernet1/1
csp-9-48   enp7s0f1   X710        DATA-PC              LEAF4-R4   port-channel15   Ethernet1/1
csp-9-48   enp7s0f2   X710        HA-PC                LEAF3-R4   port-channel16   Ethernet1/2
csp-9-48   enp7s0f3   X710        HA-PC                LEAF4-R4   port-channel16   Ethernet1/2
csp-9-48   enp3s0f0   X520        SRIOV                LEAF3-R4                    Ethernet1/5
csp-9-48   enp3s0f1   X520        SRIOV                LEAF4-R4                    Ethernet1/5
csp-9-49   enp7s0f0   X710        DATA-PC              LEAF3-R4   port-channel17   Ethernet1/3
csp-9-49   enp7s0f1   X710        DATA-PC              LEAF4-R4   port-channel17   Ethernet1/3
csp-9-49   enp7s0f2   X710        HA-PC                LEAF3-R4   port-channel18   Ethernet1/4
csp-9-49   enp7s0f3   X710        HA-PC                LEAF4-R4   port-channel18   Ethernet1/4
csp-9-49   enp3s0f0   X520        SRIOV                LEAF3-R4                    Ethernet1/7
csp-9-49   enp3s0f1   X520        SRIOV                LEAF4-R4                    Ethernet1/7

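The wiring table is the input the site discovery needs to be right, and the usual mistake is a port-channel that exists on one leaf only or mixes two CSPs, which leaves a vPC that never comes up. Here is an added example in Python, not SAE or NSO output, that takes the table above as data, checks it for vPC consistency and emits the leaf-side NX-OS interface configuration. The trunk/port-channel/vPC commands are standard NX-OS; the vPC domain number, the trunk VLAN list and trunking the SR-IOV ports are assumptions.

```python
"""Turn the SAE wiring table into leaf configuration and check it for vPC
consistency (added example, not SAE/NSO output). WIRING is the table on the
slide; the NX-OS lines emitted are the usual trunk/port-channel/vPC commands,
and the vPC domain number and trunk VLAN list are assumptions.
"""
from __future__ import annotations

from collections import defaultdict

# (csp, pnic, nic type, role, leaf, port-channel or None, interface) from the slide
WIRING = [
    ("csp-9-48", "enp7s0f0", "X710", "DATA-PC", "LEAF3-R4", 15, "Ethernet1/1"),
    ("csp-9-48", "enp7s0f1", "X710", "DATA-PC", "LEAF4-R4", 15, "Ethernet1/1"),
    ("csp-9-48", "enp7s0f2", "X710", "HA-PC", "LEAF3-R4", 16, "Ethernet1/2"),
    ("csp-9-48", "enp7s0f3", "X710", "HA-PC", "LEAF4-R4", 16, "Ethernet1/2"),
    ("csp-9-48", "enp3s0f0", "X520", "SRIOV", "LEAF3-R4", None, "Ethernet1/5"),
    ("csp-9-48", "enp3s0f1", "X520", "SRIOV", "LEAF4-R4", None, "Ethernet1/5"),
    ("csp-9-49", "enp7s0f0", "X710", "DATA-PC", "LEAF3-R4", 17, "Ethernet1/3"),
    ("csp-9-49", "enp7s0f1", "X710", "DATA-PC", "LEAF4-R4", 17, "Ethernet1/3"),
    ("csp-9-49", "enp7s0f2", "X710", "HA-PC", "LEAF3-R4", 18, "Ethernet1/4"),
    ("csp-9-49", "enp7s0f3", "X710", "HA-PC", "LEAF4-R4", 18, "Ethernet1/4"),
    ("csp-9-49", "enp3s0f0", "X520", "SRIOV", "LEAF3-R4", None, "Ethernet1/7"),
    ("csp-9-49", "enp3s0f1", "X520", "SRIOV", "LEAF4-R4", None, "Ethernet1/7"),
]

LEAVES = ("LEAF3-R4", "LEAF4-R4")


def check_vpc_consistency(wiring) -> dict[int, tuple[str, str]]:
    """Every port-channel must have exactly one member on each leaf, from the
    same CSP and the same role, or the vPC will not come up consistently.
    Returns {port-channel: (csp, role)}.
    """
    members = defaultdict(dict)          # po -> {leaf: (csp, role)}
    seen_ports = set()
    for csp, pnic, _nic, role, leaf, po, intf in wiring:
        if (leaf, intf) in seen_ports:
            raise ValueError(f"{leaf} {intf} is cabled twice")
        seen_ports.add((leaf, intf))
        if po is None:
            if role != "SRIOV":
                raise ValueError(f"{csp} {pnic}: {role} link without a port-channel")
            continue
        if leaf in members[po]:
            raise ValueError(f"port-channel{po} has two members on {leaf}")
        members[po][leaf] = (csp, role)
    result = {}
    for po, by_leaf in members.items():
        if set(by_leaf) != set(LEAVES):
            raise ValueError(f"port-channel{po} is not on both leaves: {sorted(by_leaf)}")
        if len(set(by_leaf.values())) != 1:
            raise ValueError(f"port-channel{po} mixes CSPs/roles: {by_leaf}")
        result[po] = by_leaf[LEAVES[0]]
    return result


def leaf_config(wiring, leaf: str, vpc_domain: int = 1, vlans: str = "100-199") -> str:
    """NX-OS interface configuration for one leaf of the vPC pair."""
    check_vpc_consistency(wiring)
    lines = [f"vpc domain {vpc_domain}"]
    for csp, pnic, nic, role, l, po, intf in wiring:
        if l != leaf:
            continue
        if po is not None:
            lines += [f"interface port-channel{po}",
                      f"  description {csp} {role}",
                      "  switchport mode trunk",
                      f"  switchport trunk allowed vlan {vlans}",
                      f"  vpc {po}"]
        lines += [f"interface {intf}",
                  f"  description {csp} {pnic} ({nic}) {role}",
                  "  switchport mode trunk",
                  f"  switchport trunk allowed vlan {vlans}"]
        if po is not None:
            lines.append(f"  channel-group {po} mode active")
        lines.append("  no shutdown")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(leaf_config(WIRING, "LEAF3-R4"))
```

Deleting one row of the table (say the LEAF4-R4 member of port-channel15) makes the check fail before any configuration is generated, which is the behaviour you want from a discovery input: a half-wired vPC is an error, not a degraded site.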
SAE Spine Leaf - Wiring topology
• Wire 2 N9K-C93180YC-FX to 2 N9K-C9364C
• Wire 2 N9K-C93180YC-FX to 2 CSP5K
(Figure: Spine1 and Spine2 above the leaf pairs of Cluster 1 and Cluster 2.)

SAE Demo Topology - Infrastructure
(Figure: N93180-1 and N93180-2 as a vPC pair; CSP5K Primary and CSP5K Secondary attached over Data-PC port-channels plus SRIOV-1/SRIOV-2 links; NSO1/NSO2, ESC-1/ESC-2, the Netrounds Controller and the Live Action Agent run on the two CSPs.)
• Management Domain will be a separate domain from the SAE Core (Data & Service Plane) for remote management
• Dual Switches (N93180) in vPC Pair
• Dual CSP5K (minimum for Management Applications)
• NSO-HA: SAE Service Orchestration
• ESC-HA: VNF Life Cycle Management
• Netrounds Controller for Traffic Assurance: Synthetic Traffic Monitoring
• Live Action: SAE Assurance, Active Traffic Monitoring

SAE SITE Infrastructure Discovery
Inputs to SAE Site Discovery:
• START/SEED DEVICE IP: the seed N9k switch
• SWITCH AUTHGROUP: authgroup of the seed N9k switch
• CSP AUTHGROUP: authgroup of the CSP devices
• VLAN POOL: data VLAN pool for the SAE site
• SERVER PROFILE / CSP TYPE: CSPs with identical connection
• CLUSTER NAME

End-to-End Service Chain – External End Point
(Figure: DMVPN Gateway Router (eBGP) CSRv → ASAv → CSRv (eBGP) Internet Gateway Router. Consumer end point: vlan-number 38, local-bgp-as-number 38, remote-bgp-as-number 380, endpoint-ipaddress [Link], endpoint-netmask [Link]. Provider end point: vlan-number 138, local-bgp-as-number 138, remote-bgp-as-number 1380, endpoint-ipaddress [Link], endpoint-netmask [Link].)

SAE SITE – External End Point
An External End Point on a SAE Site is defined by:
• Name
• Local BGP Number
• Remote BGP Number
• External End Point Peer IP Address
• External Endpoint Peer Netmask
• VLAN
• Traffic Hand Off Method: VLAN over Port Channel or VPN Tunnel

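The external end point is the trust boundary of a chain: whatever the gateway router advertises over that eBGP session is what the chain will carry. Here is an added example in Python, not SAE function-pack or NED output, that validates the end point parameters above and builds the CSRv side of the VLAN-over-port-channel hand-off. The VLAN and AS numbers are the slide's consumer and provider values (VLAN 38 / AS 38 vs 380, VLAN 138 / AS 138 vs 1380); the peer addresses (stripped from the slide), the CSRv's own address, the interface name and the prefix limit are constructed assumptions, and the VPN tunnel hand-off method is not rendered.

```python
"""Build the CSRv side of an SAE external end point hand-off (added example,
not SAE function-pack or NED output). Parameters mirror the slide's consumer
and provider end points (VLAN 38 / AS 38 vs 380, VLAN 138 / AS 138 vs 1380);
the peer addresses, whose values were stripped from the slide, the CSRv's own
address and the prefix limit are constructed. Only the VLAN-over-port-channel
hand-off method is rendered; VPN tunnel hand-off is out of scope here.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

RESERVED_VLANS = range(1002, 1006)   # legacy Token Ring/FDDI VLANs, not usable


@dataclass(frozen=True)
class ExternalEndPoint:
    name: str
    vlan: int
    local_as: int
    remote_as: int
    peer_ip: str            # endpoint-ipaddress: the gateway router we peer with
    peer_mask: str          # endpoint-netmask
    handoff: str = "vlan-over-port-channel"

    def validate(self) -> ipaddress.IPv4Network:
        if not 1 <= self.vlan <= 4094 or self.vlan in RESERVED_VLANS:
            raise ValueError(f"{self.name}: VLAN {self.vlan} is not usable")
        for label, asn in (("local", self.local_as), ("remote", self.remote_as)):
            if not 1 <= asn <= 4294967295:
                raise ValueError(f"{self.name}: {label} AS {asn} out of range")
        if self.local_as == self.remote_as:
            raise ValueError(f"{self.name}: external end point must be eBGP (AS numbers differ)")
        if self.handoff != "vlan-over-port-channel":
            raise ValueError(f"{self.name}: hand-off method {self.handoff!r} not supported here")
        return ipaddress.IPv4Interface(f"{self.peer_ip}/{self.peer_mask}").network


def csrv_handoff_config(ep: ExternalEndPoint, csrv_ip: str, max_prefixes: int = 1000) -> str:
    """IOS-XE lines for the CSRv that faces the external end point.

    The CSRv address must be a free host in the peer's subnet. maximum-prefix
    caps what the external router may inject into the chain, so a misconfigured
    or compromised peer cannot leak a full table into the SAE fabric.
    """
    subnet = ep.validate()
    if ipaddress.IPv4Address(csrv_ip) not in subnet or csrv_ip == ep.peer_ip:
        raise ValueError(f"{ep.name}: CSRv address {csrv_ip} is not a free host in {subnet}")
    return "\n".join([
        f"interface GigabitEthernet1.{ep.vlan}",
        f" description SAE external end point {ep.name}",
        f" encapsulation dot1Q {ep.vlan}",
        f" ip address {csrv_ip} {ep.peer_mask}",
        f"router bgp {ep.local_as}",
        " bgp log-neighbor-changes",
        f" neighbor {ep.peer_ip} remote-as {ep.remote_as}",
        f" neighbor {ep.peer_ip} description {ep.name} gateway router",
        f" neighbor {ep.peer_ip} maximum-prefix {max_prefixes}",
        "",
    ])


# Constructed peers on RFC 5737 documentation /30s; numbers from the slide.
CONSUMER = ExternalEndPoint("consumer-dmvpn", 38, 38, 380, "192.0.2.1", "255.255.255.252")
PROVIDER = ExternalEndPoint("provider-internet", 138, 138, 1380, "198.51.100.1", "255.255.255.252")

if __name__ == "__main__":
    print(csrv_handoff_config(CONSUMER, "192.0.2.2"))
    print(csrv_handoff_config(PROVIDER, "198.51.100.2"))
```

The maximum-prefix line is the one addition a practitioner should insist on when the remote AS is not under their control; the rest of the checks (usable VLAN, distinct AS numbers, CSRv address inside the hand-off subnet) catch the parameter mistakes that otherwise surface only as a BGP session that never reaches Established.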
---- Break ----

SAE Deployment
End to End Service Chains
SAE Workflow (the same four-phase figure as in the Planning section; this section covers Deploy Service.)

End-to-End Service Chain Deployment
(Figure: the DMVPN-to-Internet chain from the Design section: DMVPN Gateway Router (eBGP, VLAN 38) → CSRv eth1 → VLAN A → ASAv (AS Y:Y) → VLAN B → CSRv eth4 (eBGP, VLAN 138) → Internet Gateway Router; Test Agent on eth2/eth3.)

Service Chain - End to End
A Service Chain Instance is deployed from a Service Chain Instance Flavor and an End to End definition:
• Consumer End Point: Virtual Service/NF Profile and Consumer IPs
• Provider End Point: Virtual Service/NF Profile and Provider IPs
• End to End Bandwidth
• Resource-Zones
• Device-Names
• Variables

Branch connectivity to application in the Cloud
(Figure: DMVPN Gateway Router → CSRv → ASAv → CSRv → Internet Gateway Router, now passing traffic.)

SAE Deployment
SAE Assurance and Day2 Service Operation

SAE Service - Validation/Monitoring with Netrounds VNF Test Agent
(Figure: the Test Agent has 4 network namespaces (vNICs), one per segment of the chain, on four /24 subnets whose addresses were stripped in extraction. From the Branch through Router (VNF1), IPS (VNF2) and Firewall (VNF3), the agent attaches at host .12, .11 and .10 on the segment subnets and the Service Endpoints (SD-WAN / IPSec) sit at .1.)

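The two things the test agent gives you are a path check (the Validation step of the SAE Assurance Journey: after instantiation, prove the packet path equals the chain path) and periodic measurements to hold against an SLA threshold (the Monitoring step). Here is an added example in Python of both checks over agent results; it is not Netrounds, LiveAction or SAE function-pack code. The chain is the DMVPN-to-Internet chain from the slides; the hop addresses, latency samples and thresholds are constructed.

```python
"""Assurance checks over a chain's test-agent results (added example, not
Netrounds, LiveAction or SAE function-pack code). The chain is the slide's
DMVPN-to-Internet chain; hop addresses and measurement windows are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    vnf: str
    ingress_ip: str      # the VNF address the agent should see on the way through


# Expected forwarding path, in order, for the DMVPN -> Internet chain (constructed addresses).
EXPECTED_PATH = (
    Hop("CSRv-consumer", "10.38.1.11"),
    Hop("ASAv", "10.38.2.11"),
    Hop("CSRv-provider", "10.38.3.11"),
)


@dataclass(frozen=True)
class PathResult:
    ok: bool
    detail: str


def validate_path(expected: tuple[Hop, ...], observed: list[str]) -> PathResult:
    """Prove the packet path equals the chain path (the 'Validation' step).

    observed is the hop list the test agent traced from the consumer end to the
    provider end, final destination excluded. Any VNF missing, reordered or
    bypassed is reported with the first divergent position.
    """
    for i, hop in enumerate(expected):
        if i >= len(observed):
            return PathResult(False, f"hop {i + 1}: {hop.vnf} ({hop.ingress_ip}) never seen; chain ends early")
        if observed[i] != hop.ingress_ip:
            return PathResult(False, f"hop {i + 1}: expected {hop.vnf} ({hop.ingress_ip}), saw {observed[i]}")
    if len(observed) > len(expected):
        return PathResult(False, f"extra hop {observed[len(expected)]} after {expected[-1].vnf}")
    return PathResult(True, "packet path matches service chain path")


@dataclass(frozen=True)
class Window:
    """One monitoring interval from the agent: latency samples (ms) and loss (%)."""
    latency_ms: tuple[float, ...]
    loss_pct: float


def p95(samples: tuple[float, ...]) -> float:
    ordered = sorted(samples)
    return ordered[max(0, int(round(0.95 * len(ordered))) - 1)]


def sla_breached(w: Window, max_p95_ms: float, max_loss_pct: float) -> bool:
    return p95(w.latency_ms) > max_p95_ms or w.loss_pct > max_loss_pct


def recovery_action(windows: list[Window], max_p95_ms: float, max_loss_pct: float,
                    breaches_before_recover: int = 3) -> str:
    """Map SLA threshold results to the actions in the assurance journey.

    ok       - the latest window is within SLA
    alert    - the latest window breached, but fewer than N in a row
    recover  - N consecutive breaches: hand the chain to the VNFM for recovery
    """
    streak = 0
    for w in reversed(windows):
        if not sla_breached(w, max_p95_ms, max_loss_pct):
            break
        streak += 1
    if streak == 0:
        return "ok"
    return "recover" if streak >= breaches_before_recover else "alert"


if __name__ == "__main__":
    print(validate_path(EXPECTED_PATH, ["10.38.1.11", "10.38.2.11", "10.38.3.11"]))
    print(validate_path(EXPECTED_PATH, ["10.38.1.11", "10.38.3.11"]))   # ASAv bypassed
    good = Window((4.0, 5.0, 6.0, 5.5, 4.5), 0.0)
    bad = Window((40.0, 55.0, 90.0, 120.0, 130.0), 2.5)
    print(recovery_action([good, bad, bad, bad], max_p95_ms=20.0, max_loss_pct=1.0))
```

The path check is the security-relevant half: a chain whose traffic reaches the provider CSRv without passing the ASAv is still "up" from a reachability point of view, which is exactly why the slide insists on proving the path after instantiation rather than only pinging the far end. Requiring several consecutive breaches before escalating from alert to recover keeps a single noisy interval from triggering a VNF redeploy.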
Service Chain Monitoring – DMVPN to Internet
(Figure: the DMVPN-to-Internet chain with the Netrounds Test Agent on eth1-eth4 injecting synthetic traffic around each VNF.)

Service Chain Active Traffic Monitoring – Live Action
(Figure: the same chain, with Live Action observing the live flows through the ASAv and CSRv.)

SAE Service Chain – Day 2 operation: Disable Web Access
(Figure: the DMVPN-to-Internet chain; the Day 2 policy is pushed to the ASAv and verified by the Test Agent on eth2/eth3.)

SAE Deployment
Shared Endpoint Gateway and Half Service Chains
Diagram: SAE CORE (ITD) between consumer zones and provider zones.
Consumer Zones:
• VPN Users - 500Mbps, via ASAv
• Meraki Branch - 5Gbps / 6Gbps
• Viptela Branch - 5Gbps / 6Gbps
• Legacy DMVPN Sites - 8Gbps
• Legacy MPLS Sites - 300Mbps
Provider Zones:
• Internet - 2.5 Gbps, via ASAv DMZ
• Shared Colo Services - DMVPN, 2.5Gbps
• SAE Interconnect (DCI) - 10Gbps
SAE Consumer and Provider Service Chain
Diagram: SAE CORE between consumer zones and provider zones.
Consumer Zones:
• Employees - 5Gbps
• Partners - 5Gbps
• Direct Connect Sites - 300Mbps
Provider Zones:
• Internet - 2.5 Gbps, via ASAv
Other labels: PAN, 10 Gbps.
SAE Service Chain Connectivity
Diagram: consumer sources (Internet VPN Users, Direct Connect Sites, MPLS, DMVPN Sites, cEdge SD-WAN, Internet / VPLS) enter through CSRv and ASAv front ends and are chained through PAN firewalls to providers (Internet, Management Domain, Colo Shared Services, DCI Backbone, Internet / VPLS). ISE appears alongside the VPN user path.
Inbound Service Chain Design
Diagram labels (Secure Agile Exchange, consumer side with bandwidths): MPLS 500Mbps; Direct Connect Sites 10Gbps; DMVPN Sites 2Gbps; Core/Enh SD-WAN cEdge 6Gbps; VPN Users 500Mbps (ISE, ASAv); Std Sites SD-WAN (MX450) 6Gbps. Each inbound path shows CSRv and PAN elements, with ITD in the core.
Outbound Service Chain Design
Diagram labels (Secure Agile Exchange, provider side with bandwidths): Internet 8Gbps; Colo Services 1Gbps; Azure 8Gbps; AWS 8Gbps; DCI Backbone 10Gbps; Management Domain 1Gbps. Each outbound path shows CSRv and PAN elements, with ITD in the core.
Static Chains
End to End chain Requirements - 4 chains / 24 vCPU (each VNF - 2 vCPU)
• Employee VLAN A: CSR - ASAv - CSR, eBGP between hops
• Employee VLAN B: CSR - ASAv - CSR, eBGP between hops
• Partner VLAN C: CSR - PAFW VM Series - CSR, eBGP between hops
• Partner VLAN D: CSR - PAFW VM Series - CSR, eBGP between hops
Dynamic Access using Chain Stitching
• Employee VLAN 40: CSR - ASAv - CSR, eBGP between hops
• Partner VLAN 41: CSR - PAFW - CSR, eBGP between hops
Benefit:
✓ Access to additional providers simplified
✓ Savings on compute resources
Dynamic Access enablement using Chain Stitching
Consumer Chain <------> Provider Chain Requirements - 3 chains / 10 vCPU (each VNF - 2 vCPU), versus 24 vCPU for the static end-to-end design above
• Employee VLAN 40 consumer chain: CSR - ASAv, Employee Chain VRF
• Partner VLAN 41 consumer chain: CSR - PAFW, Partner Chain VRF
• Provider chain: CSR with AWS Chain VRF and Azure Chain VRF, reached from the consumer chains over eBGP
SAE Deployment
Stitching Service Chains and Shared End Point Gateway
SAE Half Chain Use Case
Diagram: Consumer Half-Chain on one CSP: vRouter (CSR) + vFirewall (ASAv), fronted by a Campus Gateway (ASAv). Provider Half-Chain on another CSP: vFirewall (paloalto) + vRouter (CSR), behind a DC Gateway (ASA). The two halves are stitched through VRF route leaking on the switches between the CSPs.
VNF Sharing Consumer: Logical view
Diagram: within SAE scope, an Employees consumer chain reaches two providers, VPC: AWS and VPC: Azure, by route leaking on the switch (SVI on the 9K, eBGP to the VNFs). Legend: cable, packet flow, route leak.
SAE Debug and Troubleshooting
SAE - Peeking Under the Hood
Layers to inspect, top to bottom: SAE Solution GUI, VNF (e.g. PAN), CSP-5xxx, Nexus 9xxx.
System Requirements: NSO SAE CFP with GUI
• NSO + Core Function Pack + GUI can be installed on any Ubuntu/RedHat/CentOS system.

  OS                Ubuntu                  Red Hat        CentOS         MacOSX
  Minimum Server    CPU-8 Cores             CPU-8 Cores    CPU-8 Cores    CPU-8 Cores
  Configuration     RAM-24 GB               RAM-24 GB      RAM-24 GB      RAM-24 GB
                    Disk-300GB              Disk-300GB     Disk-300GB     Disk-300GB
  Version           16.04.4 LTS, 17.10,     7.3 (Maipo)    7.4 (Core)     10.12.6
                    18.04 LTS

❖ System ulimit set to 65535 (open files)

Extensive documentation for deployment, debugging and troubleshooting is available at the links below:
SAE Solution GUI:
[Link]
Platform/csp_5000/sae/release_notes/[Link]#
[Link]
Platform/csp_5000/sae/user-guide/b-sae-user-guide/[Link]#
SAE Solution GUI Troubleshooting
• SAE Solution GUI installation has prerequisite checks defined.
• For the SE-LINUX issue on Centos (login fails with "invalid credentials: null"), set the boolean below so the web server may open network connections:
sudo setsebool -P httpd_can_network_connect on
NSO/SAE CFP Troubleshooting
• NSO + Core Function Pack Installation
  • NSO is installed on Ubuntu/CentOS as a system installation; the SAE Core Function Pack is installed after the NSO installation.
• SAE Site Infra Discovery
  • Performs the infrastructure discovery for an SAE site based on the topology connected between N9k, CSP and PNF devices.
• Resource Orchestration Placement
  • Performs placement of VNFs based on the requirements defined in NFV - VNFD, NSD, Affinity/Anti-Affinity, Bandwidth etc.
Extensive documentation for deployment, debugging and troubleshooting is available at the links below:
NSO: [Link]
[Link]
NSO SAE Core Function Pack - SAE User Guide, Installation Guide and Troubleshooting Guide:
[Link]
NSO SAE CFP Installation Troubleshooting
Problem
System installation failed with the following error:
nso-4.7.1-cisco-sae-core-fp-1.0.0-9/installer/core-FP-installer$ ./[Link]

PLAY ***************************************************************************

TASK [setup] *******************************************************************

fatal: [[Link]]: UNREACHABLE! => {"changed": false, "msg": "ERROR! SSH Error: data could not be sent to the remote host. Make sure this host can be reached over ssh", "unreachable": true}

Solution
Check that the NSO host is reachable over SSH and re-run the installation.

Problem
Packages failed to come up; oper-status of some packages is down.

Solution
Check that ulimit on the NSO system is set to allow 65535 open files.
Reload the NSO system and restart NSO with a package reload (restarts the ncs process):
sudo /etc/init.d/ncs restart-with-package-reload
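As an added pre-flight check (example code, not part of the Cisco deck or the SAE CFP installer), the POSIX shell functions below compare an open-files limit against the 65535 value the slides require and emit the limits.conf lines needed to raise it. The user name ncs used for those lines is an assumption; substitute the account your NSO system install runs under.

```shell
#!/bin/sh
# Added example, not from the Cisco deck: pre-flight check for the
# open-files limit that NSO SAE CFP needs (65535 per the slides above).
# The value is passed in as an argument so the same check can be run on
# "ulimit -n" output captured from another host.

NSO_REQUIRED_NOFILE=65535

# check_nofile_limit VALUE
# Returns 0 when VALUE is "unlimited" or a number >= 65535, 1 otherwise,
# and prints a one-line verdict.
check_nofile_limit() {
    value="$1"
    case "$value" in
        unlimited)
            echo "open-files limit: unlimited (ok)"
            return 0 ;;
        ''|*[!0-9]*)
            echo "open-files limit: '$value' is not a number (cannot verify)"
            return 1 ;;
    esac
    if [ "$value" -ge "$NSO_REQUIRED_NOFILE" ]; then
        echo "open-files limit: $value (ok, >= $NSO_REQUIRED_NOFILE)"
        return 0
    fi
    echo "open-files limit: $value is below $NSO_REQUIRED_NOFILE; raise it in /etc/security/limits.conf and log in again before restarting ncs"
    return 1
}

# check_current_shell_limit: checks the soft limit of the calling shell,
# which is what a service started from this shell would inherit.
check_current_shell_limit() {
    check_nofile_limit "$(ulimit -n)"
}

# limits_conf_lines [USER]
# Prints the two lines to add to /etc/security/limits.conf for USER
# (default "ncs", an assumed account name for the NSO system install).
limits_conf_lines() {
    user="${1:-ncs}"
    printf '%s soft nofile %s\n%s hard nofile %s\n' \
        "$user" "$NSO_REQUIRED_NOFILE" "$user" "$NSO_REQUIRED_NOFILE"
}

# Run against the calling shell's soft limit when executed directly.
# "|| true" keeps a failing verdict from aborting callers that use set -e;
# drop it in a CI pre-flight step where a failure should stop the job.
check_current_shell_limit || true
```

Run it on the NSO host before `restart-with-package-reload`; a limit below 65535 in the shell that starts ncs is the usual reason packages come up with oper-status down even after a reload.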
NSO SAE CFP Logs Troubleshooting
• Enable logs - detailed logging is disabled in NSO SAE CFP by default. Enable it from the NSO CLI as below:
set devices global-settings trace raw
set java-vm java-logging logger [Link] level level-all
set python-vm logging level level-debug
• Log files are located under: /var/log/ncs
• Components and logs - SAE-Site components and their logs:

  Component             Logs
  SAE-Site Deployment   [Link]
  Placement             [Link]
  Image                 [Link]
  Discovery             [Link]
                        [Link]
  VNF Deployment        netconf-ESC-*.trace
  Day1 config           NED logs for the VNF - CSR, ASA, etc.
  N9k                   ned-cisco-nx-*.trace
  CSP                   netconf-csp-*.trace
  Commands history      [Link]
ESC - Troubleshooting
Log in to the ESC device (the VIP for an HA pair).
Logs are located under /var/log/esc (the directory needs root access, so prefix commands with sudo):

  Component              Logs
  Main ESC log           [Link]
  VNF deployment         [Link]
  VIM manager            vimmanager/[Link]
  Monitoring and Action  mona/[Link]

Extensive documentation for deployment, debugging and troubleshooting of ESC is available at the link below:
[Link]
controller-esc/[Link]
ESC - Troubleshooting Commands
ESC-5.0 and above CLI

  Task                                              Command
  ESC version                                       esc_version
  Operation/maintenance mode                        escadm op_mode show
                                                    escadm op_mode set --mode MAINTENANCE
                                                    escadm op_mode set --mode OPERATION
  Current configuration                             escadm dump (dump in yaml format)
  Verify the VIM settings are correctly populated   escadm vim show
  ESC backup DB                                     escadm backup --file /tmp/[Link].bz2
  ESC restore DB                                    escadm restore --file /tmp/[Link].bz2
  Collect logs                                      escadm log collect
  ESC service control in HA                         check status: escadm status --v
  (start/stop ESC service)                          stop: sudo escadm stop
                                                    start: sudo escadm start
                                                    restart: sudo escadm restart
Cloud Services Platform (CSP)-5xxx - Troubleshooting
• CSP-5xxx used in the SAE environment are pre-configured with connectivity to the Nexus N9k.
• VNF deployment is performed and monitored by ESC.
• The NSO SAE service performs infra discovery based on the configuration in N9k and CSP.
• The NSO SAE service initiates deployment of a VNF on CSP after performing resource request checks.
Extensive documentation for deployment, debugging and troubleshooting of CSP-5xxx is available at the link below:
[Link]
[Link]
Nexus 9xxx - Troubleshooting
• N9Ks used in the SAE environment are configured by the NSO CFP. Therefore, avoid configuring the N9K out-of-band; all N9K configuration should be done via the SAE CFP.
• If an N9K is out-of-sync with the NSO CFP, sync it from the NSO CLI with the commands below:
request devices fetch-ssh-host-keys
request devices sync-from
Extensive documentation for deployment, debugging and troubleshooting of Nexus 9xxx is available at the link below:
[Link]
[Link]
Nexus N9xxx - Troubleshooting
The main routing protocol used in SAE is BGP. Commands useful for debugging on the Nexus N9k:
show ip route
show bgp all
show bgp sessions
show ip bgp summary
show ip bgp neighbor
show ip bgp neighbor <IP-address-of-neighbor> routes

clear ip bgp *
terminal monitor
debug ip bgp events
show ip bgp regexp ^$
Note that clear ip bgp * hard-resets every BGP session on the switch, which drops the chain's eBGP legs until they re-establish; terminal monitor sends the debug output to the current session, and the regexp ^$ form lists the locally originated routes (empty AS path).
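To turn the show ip bgp summary output into an alert on down peers, here is an added example in POSIX shell; it is not from the deck, the sample output with its addresses and AS numbers is constructed for the example, and the ssh usage line assumes an admin account on the switch.

```shell
#!/bin/sh
# Added example, not from the Cisco deck: find BGP neighbors on a Nexus
# 9k that are not Established by parsing "show ip bgp summary". For a
# session that is up, the State/PfxRcd column holds the number of
# received prefixes; any non-numeric value (Idle, Active, Connect,
# OpenSent, "Idle (Admin)", ...) means the session is down and that
# eBGP leg of the service chain needs attention.

# Constructed sample output in NX-OS format; addresses (RFC 5737
# documentation ranges) and AS numbers are made up for the example.
SAMPLE_BGP_SUMMARY='BGP summary information for VRF default, address family IPv4 Unicast
BGP router identifier 192.0.2.1, local AS number 65001
BGP table version is 12, IPv4 Unicast config peers 3, capable peers 2
4 network entries and 4 paths using 800 bytes of memory
BGP attribute entries [2/328], BGP AS path entries [2/12]
BGP community entries [0/0], BGP clusterlist entries [0/0]

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
198.51.100.2    4 65002     120     118       12    0    0 01:55:02 3
198.51.100.6    4 65003       0       0        0    0    0 00:03:10 Idle
198.51.100.10   4 65004       0       0        0    0    0 00:00:41 Idle (Admin)'

# bgp_down_neighbors: reads "show ip bgp summary" text on stdin and
# prints "<neighbor> <AS> <state>" for every peer that is not Established.
bgp_down_neighbors() {
    awk '
        /^Neighbor +V/ { in_table = 1; next }
        in_table && NF >= 10 {
            # Field 10 onward is State/PfxRcd; a bare number means Established.
            state = $10
            for (i = 11; i <= NF; i++) state = state " " $i
            if (state !~ /^[0-9]+$/) print $1, $3, state
        }
    '
}

# bgp_down_count: number of peers that are not Established.
bgp_down_count() {
    bgp_down_neighbors | wc -l | tr -d ' '
}

# On a real switch (assumed admin account):
#   ssh admin@<n9k> "show ip bgp summary" | bgp_down_neighbors
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_BGP_SUMMARY" | bgp_down_neighbors
```

The parser keys on the header row rather than on line position, so the same function works for the per-VRF variant of the command; run it from the assurance host on a schedule and treat a non-zero bgp_down_count as the trigger to look at show ip bgp neighbor for the listed peer.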
VNF Troubleshooting - Scenario
Problem: the deployed VNF is not reachable and ESC keeps performing recovery.
Solution:
Check that the VNF deployment has the configuration it needs to boot up:
1. day0 destination (ASAv, FTDv - day0-config; CSR - iosxe-config; AVISE - avi_meta_se.yml; etc.)
2. The day0 file has the minimum configuration: $NICID_0_IP_ADDRESS, $NICID_0_CIDR_ADDRESS, $NICID_0_GATEWAY gateway, etc.
3. Verify that the assigned values are reachable by ESC and NSO.

Problem: after the service is deployed, VNF SSH authentication fails and the plan is failed.
Solution:
Check the authgroups provided for the VNF and correct them if needed; verify that the connection works from NSO. Delete the service and create a new service.
or
Check connectivity and correct the authgroup if incorrect. Replay the ESC notifications from after the time ESC sent VM_ALIVE, as below:
admin@ncs> request devices device ESC-vmware netconf-notifications subscription cisco-etsi-nfvo replay from-date-time
Possible completions:
<dateTime (CCYY-MM-DDTHH:MM:SS)>
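A pre-flight check for step 2 of the first scenario, added here as an example (not the deck's or NSO's code): the shell function scans a day0 file for the three NICID_0 variables the slide names, so a VNF that would boot without a reachable management address is caught before ESC deploys it. The sample day0 files it writes are constructed in a neutral key=value form, not any VNF's real day0 syntax.

```shell
#!/bin/sh
# Added example, not from the Cisco deck: verify that a VNF day0 file
# carries the minimum management-interface variables listed on the slide
# before the VNF is deployed. A VNF missing one of them may come up
# unreachable, and ESC then loops on recovery.

# Variables ESC substitutes for the first vNIC (names from the slide).
DAY0_REQUIRED_VARS='$NICID_0_IP_ADDRESS $NICID_0_CIDR_ADDRESS $NICID_0_GATEWAY'

# check_day0_vars FILE
# Prints each required variable missing from FILE. Returns 0 when all are
# present, 1 when any is missing, 2 when FILE cannot be read.
check_day0_vars() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "day0 check: cannot read '$file'" >&2
        return 2
    fi
    missing=0
    for var in $DAY0_REQUIRED_VARS; do
        # -F: literal match, so the leading $ is not read as a regex anchor
        if ! grep -qF -- "$var" "$file"; then
            echo "day0 check: $file is missing $var"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# make_sample_day0_files: writes two constructed day0 files into a temp
# directory and prints its path. The key=value layout is illustrative
# only; real day0 files use the VNF's own configuration syntax.
make_sample_day0_files() {
    dir=$(mktemp -d)
    cat > "$dir/good-day0.txt" <<'EOF'
# constructed sample: all three management variables present
mgmt_ip=$NICID_0_IP_ADDRESS
mgmt_cidr=$NICID_0_CIDR_ADDRESS
mgmt_gw=$NICID_0_GATEWAY
EOF
    cat > "$dir/bad-day0.txt" <<'EOF'
# constructed sample: default gateway variable left out
mgmt_ip=$NICID_0_IP_ADDRESS
mgmt_cidr=$NICID_0_CIDR_ADDRESS
EOF
    echo "$dir"
}

# Demonstration on the constructed samples: the good file passes, the bad
# file reports the missing $NICID_0_GATEWAY.
demo_dir=$(make_sample_day0_files)
check_day0_vars "$demo_dir/good-day0.txt" && echo "good-day0.txt: ok"
check_day0_vars "$demo_dir/bad-day0.txt" || echo "bad-day0.txt: fix before deploying"
rm -rf "$demo_dir"
```

Point check_day0_vars at the day0 file referenced by the VNF's day0 destination (day0-config, iosxe-config, avi_meta_se.yml and so on) and extend DAY0_REQUIRED_VARS with any further variables your template relies on; a non-zero exit is the signal to correct the file rather than redeploy.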
SAE Solution Recovery Mechanism
• SAE Solution offers various recovery mechanisms.
• SAE-Site Actions:

  SAE Site Actions Command                                            Description
  sae-actions recover-vnf-on-vim <sae-site> ... tab                   Initiate recovery of a VNF on the SAE service
  sae-actions recover-vnf-on-vim realloc-on-same <sae-site> ... tab   Initiate recovery of a VNF on the SAE service and reallocate on the same VIM (CSP)
  sae-actions services-on-csp                                         List services on a CSP device
  sae-actions undep-redep-services-on-csp                             Perform undeploy-redeploy of all services on a CSP device
SAE Solution Cleanup
• SAE Solution offers various cleanup operations for the case where deletion of specific SAE services fails.
• SAE cleanup actions are offered with the options below:
  • NSO CDB cleanup
  • Network-wide cleanup (with the "more" option)

  SAE Site Actions Cleanup Command            Description
  action-status-cleanup                       Clear sae-action-status records
  compute-cleanup                             Clean up leftover data for the compute day1 service
  endpoint-gateway-vnf-cleanup [with more]    Clean up leftover data for the endpoint-gateway-vnf service
  service-chain-cleanup [with more]           Clean up leftover data for the service-chain service
  stitching-service-cleanup [with more]       Clean up leftover data for the stitching service
  vnf-manager-cleanup [with more]             Clean up leftover data for the vnf-manager service
SAE Deployment Best Practice
• Set up NTP on NSO, ESC, CSP, N9k nodes and other NSO-unmanaged devices; ensure NTP is enabled and time sync performed. Preferably keep these devices in the same time zone.
• Controllers for VNFs - FMC, AVI Controller, Panorama etc. - are to be spun up as a prerequisite.
• Use individual IP address subnets for the Management Pool and Data Pool, with licensing enabled (optional). Provide proxy configuration for VNFs and NSO-unmanaged devices to reach the Internet when needed.
• Check the NSO-SAE-Site-Status plan before proceeding to the next steps during multiple create and delete operations.
• The N9k vPC peer link (day-1) must be configured to allow VLAN 1.
• Multiple SAE clusters - Spine-Leaf switch method - Infra-Discovery: each cluster needs a unique CSP type name.
• SAE Customizations: custom templates are available from NSO for users to perform any custom operation on specific devices managed by NSO.
• After every deletion operation ensure there is no stale data left behind on any device and the NSO plan status is cleared for that operation.
• Perform the cleanup operations described in SAE Solution Cleanup for any deletion failures.
SAE Roadmap and References
SAE Completed Releases: SAE 1.1 Q2'19 (Apr), SAE 1.2 July '19, SAE 2.0 Q3'19
Core capabilities (release columns flattened; items in slide order): Physical device - FTD; Physical device - ASR; Multi-tenancy; Tested chain; Assurance update; CSR-IPSec support; Assurance Enablement documentation; Sub-interface support; Dynamic endpoint add; Control Plane Dynamic Diagnostics
Hardware Platform: X710 SR-IOV; XL710 40G Breakout
UI/UX (different AC/release): Production UI; Chain health status; 1.1 Catchup release; Image management; VNF image update; Infra discovery
Focus: Rockwell requirements; Physical device orchestration; Increased Ecosystem
SAE Release and Roadmap: SAE 2.0.1 Q4'19 (Jan CY20 release), SAE 2.0.2 Q1'20 (Mar 20), SAE 2.1 Q2'20 (June 2020), SAE 2.2 Q3'20 (Sept 2020)
Core capabilities (release columns flattened; items in slide order): Bug Fixes; QCOW2 packaging with VNF licensing; VNF with Day2 recovery; SAE as a Service; Customer UX risk; vNIC bandwidth control; PNF anywhere; Control plane Network Assurance (CX EX commit dependency); Spine-Leaf config fix; ACI Integration; Checkpoint onboarding
Hardware Platform: CSP 2.6 - LLDP enhancement; TPM support on CSP in 2.6; CSP 2.7 - Storage Virtualization/NFS, Intel SmartNIC (N3000 FPGA), 100G, Mellanox (pure bandwidth); CSP 2.8 - IPSEC & TLS acceleration possible through N3000
UI/UX (different AC/release): Operational updates; UI parity with CLI for notifications; Health & status enhancements; SAE Wizard; ACI support (VXLAN details); SaaS portal enhancements
Focus: Maintenance release; Customer wins; Pre SAE as a Service; Launch SAE as a Service
Secure Agile Exchange Build Out - MVP
Base:
• 6 x CSP 5000
• 2 x N9K 9364C (NXOS) - Spine
• 4 x N9K 93180YC-FX (NXOS) - Leaf
MGT:
• 2 x CSP 5000
• 2 x ISR 4221
• 2 x N9K 93180YC-FX
• 2 x NSO
Diagram: CSP5000 compute behind N9K-C9364C spines and N9K-C93180YC-FX leaves, with an FTD4120 at the edge. Edges: Cloud Edge (CSR1000v in AZ1/AZ2 at the Cloud Providers), Data Center Edge (ASR1002HX), Internet Edge (vEdge and ASR1002HX to the Internet and SD-WAN), WAN Core Edge (ASR1002HX to the MPLS Backbone); Data Center and Regional Branch sites attach through these edges.
Secure Cloud Edge
• Intent-based policies across different functions and locations managed centrally
• SD-WAN overlay provides secure connectivity, visibility and segmentation throughout
• Secure Cloud Edge enables distributed deployment of applications & services
• Distributed data and analytics supported as well
• Secure agent in the vehicle provides SD-WAN secure 'on-ramp'
• Agent provides application-aware telemetry reporting, traffic segmentation and policy enforcement
• Flexible Endpoint management in the hands of the OEM
• SD-WAN provides secure data path from vehicle to high-value applications
Diagram: Secure Cloud Edge instances (each with Net, Comp, Apps & Services, Security & Visibility, Data & Analytics) at the OEM Infrastructure, OEM Partner, Policy Mgmt, Services Providers & Authorities, and Internet & 3rd Party Apps, joined by Managed Connectivity & Distributed Compute and by Unmanaged Connectivity (Internet). In-vehicle: Vehicle Service Compute & Storage, Mobile SD-WAN Control Point, App & Policies, Applications & Services, Virtualization, Containers, etc., Compute Platform(s), Legacy ECUs; In-Vehicle Network Policies, Security Policies, Connectivity Policies, Telemetry/Data, Legacy Network (CAN, etc.).
Secure Agile Exchange ACI Fabric
Diagram: SAE deployed on an ACI fabric.

Services for Secure Agile Exchange Portfolio
End to End Services for Secure Agile Exchange:
• Solution Design & Implement: Technology Discovery Quick Start (3 weeks); Accelerated Deployment (10 weeks); Discovery & Evaluation (Annual Subscription); Solution Test & Validation (Annual Subscription)
• Optimize Solution / Ongoing Support: Lifecycle Management (Annual Subscription); Business Critical Services (Annual Subscription); Cisco Managed Services (Annual Subscription)
Resources
SAE Solution Overview
SAE Solution Guide
Dinesh Ranjit - Solution Architect: dranjit@[Link]
Sujay Murthy - Lead Engineer: sujmurth@[Link]
Ask SAE: ask-sae-external@[Link]
Secure Agile Exchange Key Takeaways
• Secure Agile Exchange enables the multi-cloud journey for customers
• Capitalize on the transformation in consumption model
• Considerable WAN cost savings
• Cloud service provider and WAN technology agnostic
• Turn-key with a user-friendly Graphical User Interface
• Programmable, customizable and extensible to fit into the existing OSS/BSS stack
Engage with us NOW so you can put to action what you learnt today
Enabling secure access to multiple clouds is absolutely EASY!
Thank you