Introduction
Cisco Virtual Security Gateway (VSG) is a virtual firewall for Cisco Nexus 1000v Switches that delivers security and compliance for virtual computing environments. Cisco VSG uses virtual network service data path (vPath) technology embedded in the Cisco Nexus 1000V Series Virtual Ethernet Module (VEM). However, when you deploy the VSG, it can be overwhelm to understand which element is meant to interact with others. Also it can be huge obstacle when you troubleshoot any type of VSG issue.
So the purpose of this document is to explain the core components of VSG deployment and how they relates to each other. What needs to be configured and where it should be applied.
Solution Components
Virtual Network Management Center (VMNC)
- Cisco VNMC is a virtual appliance that provides centralized device and security policy management of the Cisco VSG.
Virtual Security Gateway (VSG)
- VSG operates with the Cisco Nexus 1000V Series distributed virtual switch in VMware vSphere hypervisor, and it uses the vPath embedded in the Nexus 1000V Series VEM.
Nexus1000V Switches
- Nexus 1000V Series Switches are virtual machine access switches that are an intelligent software switch implementation for VMware vSphere environments running the Cisco NX-OS Software operating system.
VMware vCenter
- VMware vCenter Server manages the vSphere environment and provides unified management of all the hosts and VMs in the data center from a single console.
Understanding of Communication between the devices
VNMC-to-vCenter Communication
- VNMC registers to vCenter to have visibility into the VMware environment. This allows the security administrator to define the policies based on the VMware VM attributes. VNMC integrates via an XML plug-in. The process is similar to the way the Cisco Nexus 1000V VSM integrates with vCenter. The communication between VNMC and vCenter takes place over a Secure Sockets Layer (SSL) connection on port 443
VNMC-to-VSG Communication
- VSG registers to VNMC via the policy agent configuration done on VSG. Once registered, VNMC pushes the security and device polices to VSG. No policy configuration is done via the VSG command-line interface (CLI) once it is registered to VNMC. The CLI is available to the administrator for monitoring and troubleshooting purposes. Communication between VSG and VNMC takes place over an SSL connection on port 443
VNMC-to-VSM Communication
- VSM registers to VNMC via the policy agent configuration done on VSM. The steps to register are similar to those for VSG-to-VNMC registration. Once registered, VSM will be able to send IP-to-VM binding to VNMC. IP-to-VM mapping is required by the VSG for evaluating policies that are based on VM attributes. VSM also resolves the security-profile-id using VNMC. This security-profile-id is sent in every vPath packet to VSG and is used to identify the policy for evaluation. The communication between VSG and VNMC takes place over an SSL connection on port 443
VSG-to-VEM (vPATH) Communication
- VSG receives traffic from VEM when protection is enabled on a port profile. The redirection of the traffic occurs via vPath. vPath encapsulates the original packet with the VSG’s MAC address and sends it to VSG. VSG has a dedicated interface (Data 0). VEM uses this interface to attain the VSG’s MAC address by performing Address Resolution Protocol (ARP) to that IP address. Cisco VSG is required to be Layer 2 adjacent to vPath. The mechanism used for communication between vPath and VSG is similar to that used for communication between VEM and the Cisco Nexus 1000V Series on a packet VLAN. VSG evaluates policies on the first packet of each flow that is redirected by vPath. VSG then transmits the policy evaluation results to vPath. vPath maintains the result in the flow table, and subsequent packets of the flow are permitted or denied based on the result cached in the flow table
VSG Setup requirements
VSG uses three vNICs
- Management : VNMC talks to vCenter, VSM, VSG via management VLAN.
- HA : Its' own VLAN is recommended.
- Data : N1K vPath and VSG communicate over this VLAN.
Installation and Initial Setup
1. Install the VNMC as a virtual appliance
2. Install the VSG as a virtual appliance
3. Register VSG to VNMC
4. Register VSM to VNMC
5. Register VNMC to vCenter
At VSM
1. Login to the VSM
2. Configure "port-profile". In this example, vsg_pp_tenant-anam" is the new port-profile we will use traffic redirection to VN service. This new port-profile should be seen from vCenter when you configure "Network Connection".
3. Configure "vservice node". In this example "an-vsg" is the vservice mode name and service type is "VSG".
At vCenter
1. Login to vCenter and verify if this new port-profile is visible.
At VNMC
1. Login to VNMC
2. If your VSG is properly configured to talk to VNMC, you should be able to see the VSG under "Resource Management > Resources > Firewalls > All VSG". Confirm that the VSG shows up in this list. If it does not, resolve this issue by properly registering your VSG. In this example, VSG is shown as "an-vsg".
Once VSG is properly registered as above, you are good to configure the security policies to control VM traffic.
No comments:
Post a Comment