Published On: October 24ᵗʰ, 2019 16:20

Cisco Enterprise Network Function Virtualization Infrastructure Software Configuration Guide, Release 3.12.1

Secure Overlay

An overlay is a virtualized network layer on top of the physical network with the support of its infrastructure to provide additional security to the newtork. IPSec is a framework with protocols and algorithms to provide secured data transimission over unprotected or untrusted networks. IPSec secure tunnel is created between two networks to ensure virtual private network communication.

Secure overlay in NFVIS allows IPSec tunnel establishment between NFVIS supporting the vBranch platform and a VPN device in the headend orchestrator. This feature manages traffic only between the headend orchestrator and the vBranch platform.

Starting from NFVIS 3.11.1 release, you can set the internal management bridge (int-mgmt-br) gateway IP address and subnet as NFVIS system IP address and system IP subnet. The orchestrator connects to NFVIS through the internal management bridge gateway IP address and manages NFVIS over the secure tunnel. The interface has IP address from IP address pool of internal management network (int-mgmt-net) or subnet for VMs deployed with interface on int-mgmt-net. The orchestrator can access these VMs using the IP address directly over the secure tunnel.


  • Secure overlay is supported on:

    • IPSec IKEv2

    • IPv4

    • Pre-shared-key authentication

    • IKE cipher: aes128-sha1-mopd1536

    • ESP cipher: aes128-sha1

    • Local-system-ip unique to each NFVIS device

    • Local-bridge: Wan-br and Wan2-br

  • When the guest VM is deployed and single-ip-mode is configured:

    • The configuration requests can be sent in one NETCONF commit.

    • If the configuration requests are sent separately, then commit single-ip-mode creation request first. NFVIS releases the WAN IP address only after the guest device is deployed.

    • If you commit the guest device deployement configuration first, commit the single-ip-mode configuration request before the guest device is active. The guest VM will have conflicting IP address if the commit is delayed.

  • When the guest device and single-ip-mode configurations need to be deleted:

    • The two deletion requests can be sent in one NETCONF commit.

    • If the two deletion requests are sent separately,commit the guest device deletion first.

Supported Event Notifications

The following event types are supported












Secure Overlay over WAN

NFVIS can be configured with WAN IP address, static IP address or DHCP IP address. NFVIS calls home PnP server, which pushes NFVIS Day-0 configurations including the secure overlay configurations. NFVIS establishes IPSec connection between NFVIS and the headend management hub which has IPSec VPN configured. On NFVIS side, the tunnel end point has NFVIS local system IP address. When IPSec tunnel is up Network Services Orchestrator (NSO) solution, can connect to the NFVIS system throught the system IP address and manage NFVIS throught the IPSec tunnnel.

To configure secure overlay with public the management IP address as remote system IP address:

configure terminal
secure-overlay mgmthub remote-interface-ip-addr local-bridge wan-br remote-system-ip-addr remote-id local-system-ip-addr local-psk Cisco1234Admin remote-psk Cisco1234Admin

To create secure overlay with the management IP address as local system IP address:

configure terminal
secure-overlay myconn local-system-ip-addr local-system-ip-bridge int-mgmt-net remote-interface-ip-addr remote-system-ip-addr local-psk Admin remote-psk Admin

Secure Overlay APIs and Commands

Secure Overlay APIs

Secure Overlay Commands




Single IP Address with Secure Overlay

This image 368051.jpg is not available in preview/

Single public IP address is shared seamlessly between NFVIS and the guest VM deployed on NFVIS. NFVIS initially has WAN public IP address. The guest router with day-0 configuration, takes the public IP address when it is active. Secure overlay configured over WAN, established between NFVIS and the headend orchestrator, goes through the guest router after the guest router is active.

NFVIS reclaims the WAN IP address if the guest device has:

  • Error state.

  • Stopped.

  • Undeployed.

The following image illustrates failover handling when the guest VM is in error.

This image 368052.jpg is not available in preview/

  1. 1. NFVIS takes WAN IP address.

  2. NFVIS sets up IPSec tunnel to the mgmt-hub.

  3. When IPSec tunnel is up, NSO connects to NFVIS via its system IP and manages NFVIS over the IPSec tunnel.

NFVIS releases the WAN IP address if the guest device has:

  • Deployed.

  • Started.

To create a single-ip-mode:

configure terminal
single-ip-mode vm-name ROUTER.ROUTER

To get the state of single-ip-mode use the show single-ip-mode command.

Each NFVIS has its int-mgmt-net/subnet and associated IP address pool. To setup the IP address pool before deploying VM:

configure terminal
vm_lifecycle networks network int-mgmt-net
subnet int-mgmt-net-subnet address netmask gateway dhcp false ipversion ipv4

Single IP and Secure Overlay APIs

Secure Overlay APIs

Secure Overlay Commands




Guest VM taking Public IP Address

Guest VM must be deployed as a monitored VM which has two interfaces:

  • Interface facing public with the public IP address.

  • Interface on int-mgmt-net-br for traffic flow with NFVIS.

The guest VM has routing function to route traffic between the two interfaces and Network address translation (NAT) enabled. NFVIS reaches remote through int-mgmt-net-br to the guest VM.

The int-mgmt-net-br address pool and gateway IP address must be unique on each NFVIS. If secure overlay is configured, single IP mode is setup when VM is active and int-mgmt-net-br is used as a local-bridge.

Single IP address and DHCP

NFVIS single IP mode supports the public IP address acquired through DHCP by leveraging the lease timer configuration on DHCP server. NFVIS dhclient sends release message to DHCP server and the guest VM should have a proper day-0 configuration to get the WAN IP address through DHCP.

To handle failure, NFVIS:

  • stops the VM, to ensure the VM dhclient does not send DHCP renew to DHCP server

  • switches back to WAN and its dhclient sends DHCP renew message to DHCP server

  • gets IP address from DHCP server when VM’s lease time expires.

Single IP Address Without Secure Overlay


This feature is only supported for WAN bridge in NFVIS 3.10.1 release.

To reach NFVIS when secure overlay is not configured, you must first configure the guest device and manage IP addressing. The rest of the functionality, switching IP address between NFVIS and the guest device is the same as IP address with secure overlay.