Full Release Notes for networking-cisco


Bug Fixes


New Features

  • Cisco UCSM: vNIC and Service Profile Template support for Single UCSM

    This feature allows a cloud admin to take advantage of the Service Profile Template and vNIC Template configuration options available on the UCS Manager. The UCSM driver can be provided with the Service Profile or the Service Profile Template configuration, and it will handle the configuration of the UCS Servers accordingly. The vNIC Templates can be used to configure several vNIC on different UCS Servers, all connected to the same physical network. The driver will handle configuration of the appropriate vNIC Template with the VLAN configuration associated with the corresponding neutron provider network.


Security Issues

  • Nexus: https certification now supported by RESTAPI Client

    The Nexus RESTAPI Client now sends requests using https instead of http which results in communication with the Nexus to be encrypted. Certificate verification can also be performed. A new configuration option ‘https_verify’ controls this latter capability. When set to False, the communication path is insecure making it vulnerable to man-in-the-middle attacks. Initially, the default for ‘https_verify’ is set to False but will change to True in the ‘Cisco 6.0.0’ release. If a certificate is already available and configured on the Nexus device, it is highly recommended to set this options to True in the neutron start-up configuration file.

    For testing or lab purposes, a temporary local certificate can be generated and the certificate filename can be provided in the configuration option ‘https_local_certificate’. This depends on the Nexus device being configured with the local key and certificate file.

    Both configuration options are available for every Nexus switch configured. Refer to the Nexus Configuration Reference for more details on these options as well as https://bugs.launchpad.net/networking-cisco/+bug/1735295

  • Nexus: Obfuscate password

    In log output, obfuscate Nexus Switch password provided in Neutron Start-up configuration.

  • Cisco UCSM: Add config to control SSL certificate checks

    This feature allows a cloud admin to disable SSL certificate checking when the UCSM driver connects to the UCS Managers provided in its configuration. SSL certificate checking is ON by default and setting the ucsm_https_verify configuration parameter to False turns it OFF. Turning it OFF makes the connection insecure and vulnerable to man-in-the-middle attacks.

Bug Fixes

  • Nexus: Remove ‘.’ from configuration variable names

    When testing new configuration variables with puppet and tripleo, the use of dot ‘.’ in configuration variable name fails. There is only one such variable which is intfcfg.portchannel. It is replaced with intfcfg_portchannel.

Other Notes

  • Nexus: RESTAPI Client Scaling Improvement

    To improve performance, the same cookie will be used in requests until it expires and the Nexus device returns a status_code of 403. When this is detected, an attempt to refresh the cookie occurs and upon successful receipt of a new cookie the request that originally failed will be resent. For more details, refer to https://bugs.launchpad.net/networking-cisco/+bug/1735295


New Features

  • Nexus: Improved port-channel support with baremetal events

    When there are multiple ethernet interfaces in the baremetal’s neutron port event, the Nexus driver determines whether the interfaces are already configured as members of a port-channel. If not, it creates a new port-channel interface and adds the ethernet interfaces as members. In either case, trunk vlans are applied to the port-channel. For this to be successful, a new configuration variable ‘vpc_pool’ must be defined with a pool of vpc ids for each switch. This must be defined beneath the section header [ml2_mech_cisco_nexus:<switch-ip-address>]. A vpc id common between participating switches will be selected. To get more details on defining this variable, refer to networking-cisco repo, file: etc/neutron/plugins/ml2/ml2_conf_cisco.ini For implementation details on automated port-channel creation, refer to https://bugs.launchpad.net/networking-cisco/+bug/1707286 and https://bugs.launchpad.net/networking-cisco/+bug/1691822 and https://bugs.launchpad.net/networking-cisco/+bug/1705294

  • Nexus: User customizable port-channels for baremetal interfaces

    When the Nexus driver creates port-channels for baremetal events, an additional capability was provided to allow the user to custom configure port-channels that are created. This is done by way of the config variable ‘intfcfg.portchannel’ beneath each switch’s section header [ml2_mech_cisco_nexus:<switch-ip-address>]. Nexus CLI commands are defined in this variable unique for each switch and sent while creating the port-channel. For details, refer to https://bugs.launchpad.net/networking-cisco/+bug/1706965

  • Nexus: Provider Network Limited Operations

    The Openstack administrator may want to control how the neutron port events program the Nexus switch for provider networks. Two configuration variables have been introduced to suppress vlan creation and the vlan trunk port setting on the Nexus switch for provider networks. These variables, ‘provider_vlan_auto_create’ and ‘provider_vlan_auto_trunk’, are defined under the [ml2_cisco] section header.

  • Cisco UCSM: Auto detection of Compute hosts

    This feature allows a cloud admin to expand the size of the Openstack cloud dynamically by adding more compute hosts to an existing UCS Manager. The cloud admin can now add the hostname of this new compute host to the “Name” field of its Service Profile on the UCSM. Then when a VM is scheduled on this compute host, the Cisco UCSM ML2 mechanism driver goes through all the Service Profiles of all the UCSMs known to it to figure out the UCSM and the Service Profile associated with that host. After learning the UCSM and Service Profile, the mechanism driver saves this information for future operations. Note that this method cannot be used to add more Controller nodes to the cloud.

Upgrade Notes

  • Nexus: Add host to switch/interface mapping database table

    A new database table for host to interface mapping is added for baremetal deployments. The administrator must perform a database migration to incorporate this upgrade. The new database table name is ‘cisco_ml2_nexus_host_interface_mapping’. For more details, refer to https://bugs.launchpad.net/networking-cisco/+bug/1691194

  • Nexus: Set RESTAPI driver as default replacing ncclient driver

    The Nexus 9K handles the RESTAPI events more efficiently and without session limitations. It is now the default and will be the only choice in ‘Cisco 7.0.0’ release. This may require the administrator to upgrade the Nexus operating system. If necessary, use ‘nexus_driver=ncclient’ to temporarily go back to original default driver; however, some enhancements may not be available when using this driver. For details, refer to https://bugs.launchpad.net/networking-cisco/+bug/1705036

  • Nexus: Set default for Configuration Replay to enabled

    Configuration replay is now enabled by default by setting the variable ‘switch_heartbeat_time’ to 30 seconds (defined under the [ml2_cisco] section header). If the administrator does not want this feature enabled, set this variable to 0. When enabled, the nexus driver checks each switch for connectivity and will restore the configuration known to the driver if a switch recovers from failure. For details, refer to https://bugs.launchpad.net/networking-cisco/+bug/1712090

Deprecation Notes

  • Nexus: The ncclient/ssh config driver has been deprecated for removal

    Use of ncclient/ssh_driver will be removed in the ‘Cisco 7.0.0’ release. It will be replaced by the RESTAPI Driver. Some configuration options are also deprecated for removal since they relate only to the ncclient driver. These include ‘persistent_switch_config’, ‘never_cache_ssh_connection’, ‘host_key_checks’, and ‘nexus_driver’. For details, refer to https://bugs.launchpad.net/networking-cisco/+bug/1705036

Bug Fixes

  • ASR1k: Fix greenpool.py traceback in Ocata

    The ASR1k plugin was wrapping neutron and plugin DB operations in common transactions that was generating a lot of strange tracebacks in the neutron server logs. This commit removes the transaction wrapper to make the operations more independent of each other, eliminating the tracebacks entirely.

Other Notes

  • Nexus: Remove unused configuration variables

    The configuration variables ‘svi_round_robin’, ‘provider_vlan_name_prefix’, and ‘vlan_name_prefix’ are no longer used by the nexus driver and can be removed. For further details, refer to https://bugs.launchpad.net/networking-cisco/+bug/1712118