Data Sheet
Cisco Prime Network Services Controller
Introduction
Today’s dynamic data centers require IT departments to apply frequent changes to networking infrastructures that
consist of virtual and physical service instances, such as firewalls, load balancers, routers, traffic accelerators, and
switches. Traditional methods and tools are inadequate in these environments.
Initiating and maintaining such infrastructure changes properly and consistently requires a networking management
solution with advanced automation and resource-management capabilities. Ideal solutions give IT the ability to
rapidly automate common infrastructure solutions from predefined, or golden, templates that can be applied
through the network consistently, according to meticulous standards.
In addition, enterprises are increasingly moving to hybrid clouds to gain the benefits of both public clouds and
private clouds. Private clouds have their advantages. They allow enterprises to privately control data and design,
customize their infrastructure, and control aspects of their security. However, private clouds are usually less agile
than public clouds and can be expensive to run to meet peak demand. Enterprises face a number of challenges
when extending the data center to the cloud provider:
● Network security: The connection from the enterprise data center to the cloud must be secure and
encrypted. It must not compromise critical corporate data as it is transported to the cloud. In addition, after
transporting the workload, the enterprise needs to control any connection made to the cloud service,
maintaining the same security level provided for that workload in its private premises.
● Application dependencies: Applications should not require redesign when they move to a new cloud
environment. For example, they should not require changes to IP addresses, Domain Name System (DNS),
Dynamic Host Configuration Protocol (DHCP), or other infrastructure parameters.
● Management complexity: A cloud provider’s network policies should be consistent with the policies and
configuration used in the enterprise data center and should be controlled through the same security policy
management framework.
The Cisco Prime™ Network Services Controller addresses these complex network challenges. It offers a single
solution to manage virtual network infrastructure and automate processes. The solution promotes standardization
and consistent execution of policies, helping staff save time, so they can focus on optimizing the network
environment.
Cisco Prime Network Services Controller supports current shifts in IT, leading to more standardized, automated
dynamic infrastructure and networks. As part of the larger Cisco Nexus® 1000V Switch solution, this Cisco® Unified
Management solution fully integrates with the Cisco ASA 1000V Cloud Firewall, the Cisco Virtual Security Gateway
(VSG) for Nexus 1000V Series Switch, and Citrix NetScaler 1000V virtual load balancer. In addition, Cisco Prime
Network Services Controller supports Cisco Cloud Service Router (CSR) 1000V and Citrix NetScaler VPX virtual
load balancer. Using this combination of virtual services brings numerous possibilities for customers to build virtual
data centers with all required components to provide best-in-class cloud services.
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Cisco Prime Network Services Controller also plays a major part in Cisco hybrid cloud solutions as the cloud
manager platform of the Cisco Intercloud solution. It addresses challenges in hybrid cloud management and helps
provide a secure policy management foundation that can combine the benefits of both public and private clouds.
The virtual networking and security components of Cisco Intercloud make it possible to deploy virtual data centers
across private and public clouds, which is the foundation of any successful private cloud and hybrid cloud
deployment.
Developed for cloud environments on virtualized infrastructure, the Cisco Prime Network Services Controller is also
highly scalable and provides network infrastructure automation with multitenancy capabilities.
Product Overview
Cisco Prime Network Services Controller is the primary management element for Cisco Nexus 1000V virtual
switches and services that help enable a transparent, scalable, and automation-centric network management
solution for virtualized data center and hybrid cloud environments. Cisco Nexus 1000V Switches and services
deliver a highly secure multitenant environment by adding virtualization intelligence to the data center network.
These virtual switches are built to scale for cloud networks. Support for Virtual Extensible LAN (VXLAN) helps
enable highly scalable LAN segmentation and broader virtual machine mobility.
With Cisco Prime Network Services Controller, centralized management of Cisco virtual services can be performed
by an administrator using the GUI or programmatically through the XML API. The controller is built on an
information-model architecture in which each managed device is represented by its subcomponents (or objects),
which are parametrically defined. This approach provides a flexible and simple mechanism for provisioning and
managing virtualized infrastructure, using Cisco VSG, Cisco ASA 1000V Cloud Firewall, Cisco CSR 1000V, and
Citrix NetScaler VPX and 1000V virtual services. (See Figure 1 for a topology example and Figure 2 for a more
detailed view of the components.)
Figure 1. Cisco Virtual Data Center Topology Example
Figure 2. Logical View of a Basic Service Implemented Through Hypervisors
Cisco Intercloud
With Cisco Intercloud, the enterprise network can be more securely extended to the cloud because enterprise
network and security configurations such as VLANs and policies can be extended to the cloud. Using Cisco Prime
Network Services Controller, workloads can be migrated from the enterprise data center to the public cloud, while
retaining the same IP addresses and other networking parameters, which helps avoid the need to redesign the
application.
Using Cisco Prime Network Services Controller, workloads in the public cloud can use the same security policies
as their counterparts in the enterprise data center. System administrators get the policy consistency and network
visibility they require, while retaining control of the cloud environment as a transparent extension of the enterprise
data center.
In addition, customers gain a unified view of workloads across the enterprise data center (private cloud) and public
cloud. They can select and migrate workloads from the enterprise data center to the public cloud (Figure 3).
Figure 3. Cisco Intercloud Structure with Cisco Prime Network Services Controller
Virtual Services Management
Cisco Prime Network Services Controller provides several important benefits that increase efficiency for
administration teams:
● Rapid and scalable deployment through dynamic, template-based policy management based on security
profiles, policy sets, and policy rules
● Transparent operation management through an XML API that can enable programmatic integration with
Cisco Intelligent Automation for Cloud (IAC), as well as third-party management and orchestration tools
● Collaboration across security, network, and server teams while maintaining administrative separation and
reducing errors through a deployment and resource-management model that is consistent and repeatable
The Cisco Prime Network Services Controller framework provides centralized device and policy management of
Cisco VSG, the Cisco ASA 1000V Cloud Firewall, the Cisco CSR 1000V router, and Citrix NetScaler VPX or
NetScaler 1000V load balancers in virtual data centers (VDCs) and multitenant private and public cloud
environments.
As shown in Figure 4, Cisco VSG, Cisco ASA 1000V, Cisco CSR 1000V, and Citrix NetScaler VPX and 1000V
address different aspects of virtualized data center environments:
● Cisco VSG offers a zone-based firewall solution for inter-virtual machine traffic that travels from server to
server or from client to server.
● Cisco ASA 1000V offers edge security services, including gateway service, firewall, Network Address
Translation (NAT), VPN, Dynamic Host Configuration Protocol (DHCP), and more.
● Both Cisco VSG and Cisco ASA 1000V have tight integration with Cisco Nexus 1000V, and both are
managed by a single management platform (Cisco Prime Network Services Controller).
● The Cisco CSR 1000V is a single-tenant router in a virtual form factor that delivers routing (BGP, OSPF,
EIGRP, etc.), the Cisco IOS® Software zone-based firewall, NAT, VPN, DHCP, and ACLs.
● Citrix NetScaler VPX and 1000V provide web application load balancing, acceleration, security, and offload
feature sets in a simple, easy-to-install virtual appliance.
Figure 4. Cisco Prime Network Services Controller Framework
Support for Multiple Hypervisors
The Cisco Prime Network Services Controller platform can support multiple virtual machine managers through their
APIs and support multiple hypervisor types including Microsoft Hyper-V, VMware vSphere, and OpenStack KVM.
In a VMware vSphere environment, Cisco Prime Network Services Controller integrates with VMware vCenter and
supports Cisco VSG, Cisco ASA 1000V, Cisco CSR 1000V, and Citrix NetScaler VPX and 1000V. Cisco Prime
Network Services Controller allows users to configure Cisco Nexus 1000V vPath service chaining for Cisco VSG,
Cisco ASA 1000V, and Citrix NetScaler 1000V.
In a Microsoft Hyper-V environment, Cisco Prime Network Services Controller integrates with Microsoft SCVMM
and supports Cisco VSG.
In an OpenStack environment, Cisco Prime Network Services Controller integrates with OpenStack and supports
CSR 1000V and NetScaler VPX.
Virtual Services Integration with Cisco Dynamic Fabric Automation
As network infrastructure and fabric management become more complex, virtual and physical server deployment is
becoming difficult to configure. Cisco Dynamic Fabric Automation (DFA) is a set of innovations under Cisco Unified
Fabric that delivers fabric optimization, management, and automation capabilities. The innovations are unique in
that they simplify the network architecture and configurations, which allows for the safety of the automation. That,
in turn, allows for the single open point of integration of the fabric with the compute/storage orchestrators.
Cisco DFA brings a superior level of integration that allows IT to simplify operation and bring up new services
quickly with end-to-end fabric visibility, which results in increased agility and lower operating costs.
Cisco Prime Network Services Controller plays a critical role in the Cisco DFA solution with services integration.
The controller integrates with Cisco Prime Data Center Network Manager (DCNM) to support Cisco VSG, Cisco
ASA 1000V, Cisco CSR 1000V, and Citrix NetScaler VPX and 1000V services in a VMware vSphere environment.
In an OpenStack environment, Cisco Prime Network Services Controller supports virtual services, including CSR
1000V and Citrix NetScaler VPX. By communicating with the Cisco Prime DCNM, the controller enables
orchestration of network services dynamically using service profile templates. In addition, it supports license
automation for CSR 1000V, Citrix NetScaler VPX, and Citrix NetScaler 1000V.
Features and Benefits
Consistent, Efficient Execution of Service Policies
Cisco Prime Network Services Controller uses security profiles for template-based configuration of security
policies - a collection of security policy sets and integrated policies and rules that can be predefined and applied on
demand at virtual machine instantiation. This profile-based approach significantly simplifies authoring, deployment,
and management of security policies, such as for dense multitenant environments, while enhancing deployment
agility and scaling. Security profiles also help reduce administrative errors and simplify audits.
The XML API for Cisco Prime Network Services Controller facilitates integration with northbound network
provisioning tools for programmatic network and service instantiation, provisioning, and management of Cisco
VSG, Cisco ASA 1000V, Cisco CSR 1000V, and Citrix NetScaler VPX and NetScaler 1000V. The option to employ
programmatic control of those virtual appliances can greatly simplify operating processes and reduce infrastructure
management costs.
Nondisruptive Administration Model
By providing visual and programmatic controls, Cisco Prime Network Services Controller helps the security
operations team author and manage security policies for virtualized infrastructure, and it can also enhance
collaboration with the server and network operations teams. This nondisruptive administration model helps ensure
administrative segregation of duties to reduce errors and simplify regulatory compliance and auditing. Cisco Prime
Network Services Controller operates in conjunction with the Cisco Nexus 1000V VSM to achieve the following
workflow:
● Security administrators can author and manage security profiles and manage Cisco VSG and Cisco ASA
1000V instances. Security profiles are referenced in Cisco Nexus 1000V port profiles.
● Network administrators can author and manage port profiles, as well as manage Cisco Nexus 1000V
distributed virtual switches. Port profiles with referenced security profiles are available in VMware vCenter
through a Cisco Nexus 1000V VSM programmatic interface with VMware vCenter.
● Network administrators can further scale applications provisioned on the virtual data center using robust
routing on Cisco CSR 1000V and load balancing with Citrix NetScaler 1000V, all controlled through the same
single pane of glass on Cisco Prime Network Services Controller.
● Server administrators can select an appropriate port profile in VMware vCenter when instantiating a virtual
machine.
Figure 5 displays a possible setup to manage security policies in a multitenant data center.
Figure 5. Managing Services Policy in a Multitenant Data Center
Efficient Management for Easier Scalability
Cisco Prime Network Services Controller implements an information-model architecture in which each managed
device, such as Cisco VSG, Cisco ASA 1000V, Cisco CSR 1000V, and Citrix NetScaler VPX, as well as the Citrix
NetScaler 1000V virtual machine form factor with vPath integration, is represented by the object-information model
of the device. This model-based architecture helps enable the use of:
● Stateless managed devices: Security policies (security templates) and object configurations are abstracted
into a centralized repository and used as a template against any virtual device type.
● Dynamic device allocation: A centralized resource management function manages pools of devices that are
commissioned (deployed) in service and a pool of devices available for commissioning. This approach
simplifies large-scale deployments because managed devices can be pre-instantiated and then configured
on demand. In addition, devices can be instantiated using the Cisco Prime Network Services Controller GUI
or API.
● Device configuration templates and policy configuration templates: The templates are separated into the
different technologies (routing templates for routers, firewall templates for firewalls, and load-balancing
templates for load balancers) but are still embedded in the same multitenant model and management
control.
● Scalable management: A distributed management-plane function is implemented using an embedded or
external agent for each managed device to promote greater scalability.
Table 1 shows the primary features and benefits of Cisco Prime Network Services Controller.
Table 1. Features and Benefits

Feature: Device management through policy-based templates
Description: Cisco Prime Network Services Controller provides central management of Cisco VSG, Cisco ASA 1000V, Cisco CSR 1000V, and Citrix NetScaler VPX and 1000V.
Benefits: Simplifies provisioning and troubleshooting of multiple virtual services in a scale-out data center.

Feature: Load-balancing profiles
Description: An application networking profile represents the Citrix NetScaler VPX or NetScaler 1000V server farm and related features and attributes.
Benefits: Simplifies provisioning, reduces administrative errors during load balancing policy changes, reduces audit complexities, and helps enable a highly scale-out data center environment.

Feature: Routing profiles
Description: A networking profile represents the Cisco CSR 1000V routing policy and routing-related features and attributes.
Benefits: Simplifies provisioning, reduces administrative errors during routing policy changes, reduces audit complexities, and helps enable a highly scale-out data center environment.

Feature: Security profiles
Description: A security profile represents the Cisco VSG or Cisco ASA 1000V security policy configuration in a profile (template).
Benefits: Simplifies provisioning, reduces administrative errors during security policy changes, reduces audit complexities, and helps enable a highly scale-out data center environment.

Feature: Generic device configuration profiles
Description: A set of policy-based templates to be deployed on devices for management, logging, monitoring, authorizations, high-availability clustering, and more.
Benefits: Simplifies provisioning, reduces administrative errors during any virtual device configuration changes, reduces audit complexities, and helps enable a highly scale-out data center environment.

Feature: Stateless device provisioning
Description: The management agents in Cisco VSG, Cisco ASA 1000V, and Cisco CSR 1000V are stateless, receiving information from Cisco Prime Network Services Controller.
Benefits:
● Enhances scalability
● Provides robust endpoint failure recovery without loss of configuration state

Feature: Cisco Intercloud policies and templates
Description: Instantiate Cisco Intercloud switches in private and public cloud, create a secure tunnel, and transport workloads across with the required security.
Benefits:
● Provides ability to extend private cloud networks into public providers (Amazon Web Services [AWS] in this release)
● Introduces a framework for a virtual data center in hybrid cloud environments
● Controls workload migration and workload transformation with security enhancements

Feature: Security policy management
Description: Security policies are authored, edited, and provisioned centrally.
Benefits:
● Simplifies operation and management of security policies
● Helps ensure that security intent is accurately represented in the associated security policies

Feature: Support virtual services for DFA environments
Description: Cisco Prime Network Services Controller obtains tenant information and allows virtual services to be added to DFA virtual overlay networks.
Benefits:
● Allows a network administrator to control virtual overlay networks and their services

Feature: Context-aware security policies
Description: Cisco Prime Network Services Controller obtains virtual machine context from VMware vCenter.
Benefits: Allows a security administrator to institute highly specific policy controls across the entire virtual infrastructure

Feature: Dynamic security policy and zone provisioning
Description: Cisco Prime Network Services Controller interacts with the Cisco Nexus 1000V VSM to bind the security profile to the corresponding Cisco Nexus 1000V port profile. When virtual machines are dynamically instantiated by server administrators and appropriate port profiles applied, their association with trust zones is also established.
Benefits: Helps enable security profiles to stay aligned with rapid changes in the virtual data center

Feature: Multitenant (scale-out) management
Description: Cisco Prime Network Services Controller is designed to manage Cisco VSG, Cisco ASA 1000V, Cisco CSR 1000V, and Citrix NetScaler VPX and 1000V policies in a dense, multitenant environment so that administrators can rapidly add and delete tenants and update tenant-specific configurations and policies.
Benefits:
● Reduces administrative errors
● Helps ensure segregation of duties in administrative teams
● Simplifies audit procedures

Feature: Role-based access control (RBAC)
Description: RBAC simplifies operation tasks across different types of administrators, while allowing subject-matter experts to continue with their normal procedures.
Benefits:
● Reduces administrative errors
● Enables detailed control of user privileges

Feature: XML-based API
Description: The Cisco Prime Network Services Controller XML API allows external system management and orchestration tools to programmatically provision Cisco VSG, Cisco ASA 1000V, Cisco CSR 1000V, and Citrix NetScaler VPX and NetScaler 1000V.
Benefits:
● Allows use of best-in-class management software
● Offers transparent and scalable operation management
● Simplifies auditing requirements

Software Packaging
Table 2 lists the software packages available for Cisco Prime Network Services Controller.
Table 2. Packages and Descriptions

Package: Open virtualization format (OVF)
Description:
● Downloadable OVF virtual appliance in the form of a single file with the .ova extension
● Deployed with OVF templates and packages

Package: ISO format
Description:
● Downloadable ISO file that can be mounted on a virtual machine

System Requirements
Table 3 lists the system requirements for Cisco Prime Network Services Controller.
Table 3. Components and Specifications

Component: Cisco Prime Network Services Controller Virtual Appliance
Minimum Specifications:
● 4 virtual CPUs at 1.5 GHz
● RAM: 4 GB
● Hard disk (vdisk): 20 GB plus 200 GB on disk 2
● Network interfaces: 1 (management)

Component: Cisco Prime Network Services Controller Device Adapter
Minimum Specifications:
● 2 virtual CPUs at 1.5 GHz
● RAM: 2 GB
● Hard disk (vdisk): 20 GB
● Network interfaces: 1 (management)

Component: Hypervisor and hypervisor manager
Minimum Specifications:
● VMware vSphere with at least Release 5.0, with VMware ESX or ESXi (Releases 5.0 and later)
● VMware vCenter with at least Release 5.0
● Microsoft Hyper-V Server 2012 (Standard or Data Center) and Microsoft Hyper-V Server 2012 R2 (Standard or Data Center)
● Microsoft SCVMM 2012 SP1 (UR2) and Microsoft SCVMM 2012 R2
● OpenStack Grizzly with KVM
● Amazon EC2 virtual environment

Component: Web browsers (clients) supported
Minimum Specifications:
● Internet Explorer 9.0 or later, Mozilla Firefox 11.0 or later, and Chrome 18.0 or later
● Adobe Flash Player plug-in 11.2 or later

Component: Interfaces and protocols
Minimum Specifications:
● XML API, HTTP/HTTPS, Lightweight Directory Access Protocol (LDAP), syslog, SNMP, and SCP

Extensibility of Management API
Cisco Prime Network Services Controller integrates with management and orchestration solutions such as Cisco
Intelligent Automation for Cloud (IAC) through its northbound API, through which it can support provisioning of
virtual infrastructure. Cisco Prime Network Services Controller also supports integration with a variety of third-party
orchestration systems.
Licensing and Ordering
Cisco Prime Network Services Controller is the management platform for Cisco VSG and Cisco ASA 1000V, and it
is mandatory for those offerings. Although Cisco Prime Network Services Controller is installed like a stand-alone
product, it is offered as part of a bundle that includes either Cisco VSG or Cisco ASA 1000V, and it is added
automatically when ordering those products.
Cisco Prime Network Services Controller is included as part of the bundle for the Cisco Intelligent Automation for
Cloud Virtualized Server offering to manage Cisco CSR 1000V and Citrix NetScaler VPX, in addition to Cisco VSG
and Cisco ASA 1000V.
For managing Cisco CSR 1000V and Citrix NetScaler VPX and 1000V in environments without Cisco IAC (such as
in Cisco DFA and other deployments), customers need to order a license for each instance of Cisco CSR 1000V
and Citrix NetScaler VPX and NetScaler 1000V managed by Cisco Prime Network Services Controller.
Please contact your Cisco representative to help you determine and place the appropriate order for your particular
environment.
Service and Support
Cisco Software Application Support plus Upgrades (SASU) is a comprehensive support service that helps you
maintain and enhance the availability, security, and performance of your business-critical applications. Cisco SASU
includes the following resources:
● Software updates and upgrades: The Cisco SASU service provides timely, uninterrupted access to software
updates and upgrades to help you keep existing systems stable and network release levels current.
Updated releases, including major upgrade releases that may include significant architectural changes and
new capabilities for your licensed feature set, are available by software download from Cisco.com or by
CD-ROM shipment.
● Cisco Technical Assistance Center (TAC): Cisco TAC engineers provide accurate, rapid diagnosis and
resolution of software application problems to help you reduce outages and performance degradation.
These specialized software application experts are trained to support Cisco Prime Network Services
Controller. Their expertise is available to you 24 hours a day, 365 days a year, by telephone, fax, email, or
the Internet.
● Online support: Cisco SASU provides access to a wide range of online tools and communities to help you
resolve problems quickly, support business continuity, and improve competitiveness.
For More Information
For additional information about Cisco Prime Network Services Controller and related products, please visit the
following links:
● Cisco Prime Network Services Controller: http://www.cisco.com/go/services-controller.
● Cisco Intelligent Automation software: http://www.cisco.com/go/ia.
● Cisco Dynamic Fabric Automation: http://www.cisco.com/go/dfa.
● Cisco Nexus Intercloud: http://www.cisco.com/go/intercloud.
● Cisco Virtual Security Gateway: http://www.cisco.com/go/vsg.
● Cisco ASA 1000V Cloud Firewall: http://www.cisco.com/go/asa1000v.
● Cisco Cloud Services Router 1000V: http://www.cisco.com/go/csr1000v.
● Citrix NetScaler 1000V: http://www.cisco.com/go/ns1000v.
● Cisco Nexus 1000V Switches: http://www.cisco.com/go/nexus1000v.
● Cisco NX-OS Software: http://www.cisco.com/go/nxos.
● Microsoft Hyper-V: http://www.microsoft.com/en-us/server-cloud/hyper-v-server/default.aspx.
● VMware vSphere: http://www.vmware.com/products/vsphere/.
Printed in USA
C78-618245-09
05/14