1. No category

PDF

Deployment Guide
Cisco Virtual Security Gateway
Deployment Guide VSG 1.4
Deployment Guide
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 1 of 33
Introduction.............................................................................................................................................................. 3
Benefits..................................................................................................................................................................... 3
Dynamic (Virtualization-Aware) Operation............................................................................................................ 3
Nondisruptive Operating Model ............................................................................................................................ 3
Multitenancy.......................................................................................................................................................... 4
Solution Architecture .............................................................................................................................................. 5
Solution Components ........................................................................................................................................... 5
Communication Between Cisco Prime Network Services Controller and VMware vCenter.................................. 5
Communication Between Cisco Prime Network Services Controller and Cisco VSG........................................... 6
Communication Between Cisco Prime Network Services Controller and the VSM .............................................. 6
Communication Between Cisco VSG and the VEM (vPath) ................................................................................. 6
Communication Between the VSM and the VEM.................................................................................................. 8
Virtual Extensible LAN ............................................................................................................................................ 9
Cisco VSG Deployment Considerations ................................................................................................................ 9
Cisco Nexus 1000V Series Infrastructure ............................................................................................................. 9
Setup Requirements ........................................................................................................................................... 10
Installation and Initial Setup................................................................................................................................ 10
Enabling the Firewall .......................................................................................................................................... 11
License Requirements ........................................................................................................................................ 12
Network Segmentation........................................................................................................................................ 12
Service VLAN Maximum Transmission Unit Size ............................................................................................... 13
High Availability .................................................................................................................................................. 13
Tenant Management........................................................................................................................................... 14
Security Policy Management .............................................................................................................................. 14
Device Policy Management ................................................................................................................................ 15
Service Chaining................................................................................................................................................. 15
Scalability............................................................................................................................................................ 15
Cisco VSG Deployment Scenarios and Configuration Tasks............................................................................ 16
Three-Tier Access Control with Virtual Machine Base Policies .......................................................................... 17
Tasks for Security Administrators .................................................................................................................. 17
Tasks for Network Administrators .................................................................................................................. 23
Tasks for Server Administrators ..................................................................................................................... 24
Three-Tier Access Control with Custom Attribute Base Policies ........................................................................ 24
Tasks for Security Administrators .................................................................................................................. 25
Tasks for Network Administrators .................................................................................................................. 28
Tasks for Server Administrators..................................................................................................................... 29
Configuring a Syslog Server ............................................................................................................................... 29
Conclusion ............................................................................................................................................................. 32
For More Information............................................................................................................................................. 32
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 2 of 33
Introduction
®
This document provides guidelines and best practices for deploying Cisco Virtual Security Gateway (VSG) 1.4 or
®
later and Cisco Prime Network Services Controller 2.0 with Cisco Nexus 1000V Series Switches 1.5.2 or later.
This document discusses the architecture design components required to build a secure virtual computing
environment; the interaction of components such as VMware vCenter, Cisco Nexus 1000V Series Virtual
Supervisor Module (VSM), Cisco VSG, and Cisco Prime Network Services Controller; and deployment
considerations and design best practices.
Cisco VSG is a virtual firewall for Cisco Nexus 1000V Series Switches that delivers security and compliance for
virtual computing environments. Cisco VSG uses the virtual network service data path (vPath) technology
embedded in the Cisco Nexus 1000V Series Virtual Ethernet Module (VEM), offering transparent insertion and
efficient deployment. The Cisco VSG solution allows IT security, network, and server teams to collaborate while
helping ensure administrative segregation to meet regulatory and audit requirements. This approach also reduces
administrator errors. Cisco VSG also introduces Cisco Prime Network Services Controller, which manages Cisco
VSG instances in a multitenant environment.
Benefits
Cisco VSG provides controls at the virtual machine level, using virtual machine attributes, so that context-based
policies can be applied. These policies are VLAN-independent and can be applied to zones of virtual machines,
thereby providing topology-invariant, policy-based security controls. Traffic from external sources to the virtual
machines and from virtual machine to virtual machine can be protected. The following sections describe some of
the main benefits of deploying Cisco VSG in a virtualized environment.
Dynamic (Virtualization-Aware) Operation
Virtualization can be highly dynamic, with virtual machines frequently added, deleted, and changed. Live migration
of virtual machines occurs through manual VMware vMotion or Distributed Resource Scheduler (DRS) events.
Cisco VSG, operating in conjunction with the Cisco Nexus 1000V Series (and vPath), supports dynamic
virtualization. Trust zones and associated security profiles for each line of business or tenant are created with
Cisco VSG and Cisco Prime Network Services Controller. Security profiles are bound to Cisco Nexus 1000V
Series port profiles (authored on the Cisco Nexus 1000V VSM and published to VMware vCenter). When a new
virtual machine is instantiated, the server administrator assigns the appropriate port profile to the virtual machine’s
virtual Ethernet port. The port and security profiles and the virtual machine’s zone membership are immediately
applied. A virtual machine can be repurposed simply by assigning different port and security profiles.
Nondisruptive Operating Model
With the introduction of the Cisco Nexus 1000V Series, Cisco VSG provides transparent integration with VMware
vCenter. The operating model is still intact, in which the system security administrators define the security rules
and policies, the network administrators manage those policies and associate them with a particular port profile,
and the server administrators select the appropriate port group (the Cisco Nexus 1000V Series equivalent of a port
profile) for the particular virtual machine. Figure 1 depicts this operating model.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 3 of 33
Figure 1.
Administrative Segregation of Server, Network, and Security Administrators
The tight integration with VMware vCenter allows transparent and dynamic provisioning of port profiles and
security policies to the virtual machines.
Multitenancy
Cisco Prime Network Services Controller is designed to manage Cisco VSG and security policies in a dense,
multitenant environment, so that administrators can rapidly add and delete tenants and update tenant-specific
configurations and security policies. Figure 2 depicts the multitenant deployment of Cisco VSG. In the architecture
shown in the figure, Tenant A has its own Cisco VSG that provides security policies for its virtual machines.
Tenant B has its own, separate Cisco VSG to manage its security policies for its virtual machines.
Figure 2.
Multitenant Deployment with Cisco VSG Solution
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 4 of 33
Independent capacity planning: Cisco VSG can be placed on a dedicated server controlled by the security
operations team so that appropriate computing capacity can be allocated to application workloads, capacity
planning can occur independently across server and security teams, and operational segregation can be
maintained across security, network, and server teams.
vPath Intelligence: Cisco VSG leverage Nexus 1000V vPath intelligence for traffic redirection, fast path offload
with all policy enforcement of flows offloaded to vPath, and insertion of Cisco VSG along with other virtual network
services in the traffic path. vPath is designed for multi-tenancy, providing traffic steering and fast path offload on a
per-tenant basis.
Solution Architecture
Figure 3 shows the overall architecture of the Cisco VSG solution and the integration of the required components
in the solution. This section discusses the communication across these components.
Figure 3.
Cisco VSG Solution Architecture
Solution Components
The following components are required to set up the Cisco VSG environment:
●
Cisco Prime Network Services Controller: Cisco Prime Network Services Controller is a virtual appliance
that provides centralized device and security policy management for Cisco VSG.
●
Cisco Virtual Security Gateway: Cisco VSG operates with the Cisco Nexus 1000V Series distributed virtual
switches in the VMware vSphere hypervisor, and it uses the vPath technology embedded in the Cisco
Nexus 1000V VEM.
●
Cisco Nexus 1000V Series Switches: Cisco Nexus 1000V Series Switches are virtual machine access
switches that are an intelligent software switch implementation for VMware vSphere environments running
Cisco NX-OS Software. To support the Cisco VSG solution, the Cisco Nexus 1000V Series must be
running Cisco NX-OS Release 1.4 or later.
●
VMware vCenter: The VMware vCenter server manages the VMware vSphere environment and provides
unified management of all the hosts and virtual machines in the data center from a single console.
Communication Between Cisco Prime Network Services Controller and VMware vCenter
Cisco Prime Network Services Controller registers with VMware vCenter for visibility into the VMware environment.
This registration allows the security administrator to define policies based on the VMware virtual machine
attributes. Cisco Prime Network Services Controller integrates through an XML plug-in. The integration process is
similar to that of the Cisco Nexus 1000V VSM with VMware vCenter. Cisco Prime Network Services Controller and
VMware vCenter communicate over an SSL connection on port 443 (Figure 4).
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 5 of 33
There is no specific network limitation for communications between Cisco Prime Network Services Controller and
VMware vCenter, other than that the appropriate ports must be open if there is a firewall between them.
Figure 4.
Communication Between Cisco Prime Network Services Controller and VMware vCenter
Communication Between Cisco Prime Network Services Controller and Cisco VSG
Cisco VSG registers with Cisco Prime Network Services Controller through the policy agent configuration
performed on Cisco VSG. After registration, Cisco Prime Network Services Controller pushes the security and
device polices to Cisco VSG. No policy configuration is performed using the Cisco VSG command-line interface
(CLI) after Cisco VSG is registered with Cisco Prime Network Services Controller. The CLI is available to the
administrator for monitoring and troubleshooting purposes. Communication between Cisco VSG and Cisco Prime
Network Services Controller takes place over an SSL connection on port 443 (Figure 5).
Figure 5.
Communication Between Cisco Prime Network Services Controller and Cisco VSG
Communication Between Cisco Prime Network Services Controller and the VSM
The VSM registers with Cisco Prime Network Services Controller through the policy agent configuration performed
on the VSM. The steps for registration are similar to those for registering Cisco VSG with Cisco Prime Network
Services Controller. After registration, the VSM can send IP-to-virtual machine bindings to Cisco Prime Network
Services Controller. IP-to-virtual machine mappings are required by Cisco VSG to evaluate policies that are based
on virtual machine attributes. The VSM also resolves the security-profile ID using Cisco Prime Network Services
Controller. This security-profile ID is sent in every vPath packet (discussed in the next section) to Cisco VSG and
is used to identify the policy for evaluation. Communication between the VSM and Cisco Prime Network Services
Controller is supported over an SSL connection on port 443 (Figure 6).
Figure 6.
Communication Between Cisco Prime Network Services Controller and the VSM
Communication Between Cisco VSG and the VEM (vPath)
Cisco VSG receives traffic from the VEM when protection is enabled on a port profile. The redirection of the traffic
occurs using vPath. vPath encapsulates the original packet and sends it to Cisco VSG. Cisco VSG has a
dedicated interface (Data 0) with an IP address for vPath communication.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 6 of 33
Cisco VSG can be Layer 2 or Layer 3 adjacent to the VEM:
Cisco VSG-L2 adjacent: When configured in Layer 2 mode, VEM obtains Cisco VSG's MAC address through the
Address Resolution Protocol (ARP) for that IP address. If Cisco VSG and the VEM are Layer 2 adjacent,
communication will be through the Data 0 interface VLAN of Cisco VSG. The following VSM configuration example
shows the addition of service node Cisco VSG as Layer 2 adjacent to the VEM. Layer 2 adjacency is
recommended having minimal latency in data path.
Nexus1000V#
vservice node vsg type vsg
ip address 192.168.1.99
adjacency l2 vlan 10
fail-mode close
Cisco VSG-L3 adjacent: Layer 3 adjacency is applicable when Cisco VSG is not in the same Layer 2 domain and
is multiple hops away from the VEM. In this configuration, Layer 3 communication will be through the Cisco VSG
Data 0 interface, and a VMkernel interface on the VEM. Each protected VEM needs to have VMkernel
communicate with VSG Data Interface. The VMkernel interface can be same as the one used for VSM and VEM
(Layer 3 control) communication. The VEM needs IP reachability only to the tenant-specific Cisco VSG to redirect
traffic from vPath to Cisco VSG for policy evaluation. VSM configuration example below shows how Cisco VSG
Layer 3 adjacency is configured on VSM.
For Layer 3 adjacency, a new port profile is defined on the VSM with capability l3-vn-service, and this port profile
will be associated with a VMkernel interface on the VEM.
Nexus1000V#
vservice node VSGL3 type vsg
ip address 10.10.10.10
adjacency l3
fail-mode open
port-profile type vethernet VSG-Data-interface
vmware port-group
switchport mode access
switchport access vlan 1001
no shutdown
capability l3-vn-service
state enabled
An alternate approach is to use the same VMkernel interface on protected host, that’s used for VSM and VEM
control traffic, for communication between Cisco VSG and VEM. This is achieved by adding capability l3-vnservice to the same port profile as the one used for VSM and VEM (Layer 3 control) communication.
Configuration example below:
port-profile type vethernet n1kv-l3
capability l3control
capability l3-vn-service
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 7 of 33
vmware port-group
switchport mode access
switchport access vlan 171
no shutdown
system vlan 171
state enabled
Cisco VSG evaluates policies on the first packet of each flow that is redirected by vPath. Cisco VSG then
transmits the policy evaluation results to vPath. vPath maintains the result in the flow table, and subsequent
packets of the flow are permitted or denied based on the result cached in the flow table (Figure 7).
Figure 7.
Communication Between Cisco VSG and the VEM
vPath maintains the state of the TCP flows. In the event of a reset (RST) event or a finish (FIN) flag in the TCP
flow, vPath purges the entry of that flow from the table. Inactivity in any flow will also cause the entry to be cleared
from the flow table.
Cisco VSG supports stateful protocols, such as FTP, Trivial File Transfer Protocol (TFTP), and Remote Shell
(RSH) Protocol.
Communication Between the VSM and the VEM
There are two ways of connecting the VSM and the VEM (Figure 8):
●
Over Layer 2: If the VSM and VEM are in the same Layer 2 domain, They can connect using L2 mode.
However Layer 3 mode for VSM-VEM is recommended best practice.
●
Over Layer 3: If the VSM and VEM are in different Layer 2 domains, the Layer 3 connectivity mode should
be used. The Layer 3 mode will encapsulate the packet of the Layer 2 mode using Generic Routing
Encapsulation (GRE). All communication between the VSM and the VEM are encrypted using a 128-bit
algorithm. Cisco VSG implementation is independent of VSM-to-VEM communication (whether in Layer 2
or Layer 3 mode).
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 8 of 33
Figure 8.
Communication Between the VSM and the VEM
Virtual Extensible LAN
Cisco Nexus 1000V Series supports Virtual Extensible LAN (VXLAN) technology with a 24-bit LAN segment
identifier to provide segmentation at cloud scale. Cisco vPath secures virtual machines configured as part of
VXLAN. Because the VXLAN header is decapsulated on a VEM, vPath does not need the VXLAN reachability
information to make decisions about either rerouting packets to Cisco VSG or permitting or denying traffic based
on the configured security policy. Cisco VSG Data interface can be on a VLAN or a VXLAN segment.
Cisco VSG Deployment Considerations
This section discusses various aspects of Cisco VSG deployment in your network.
Cisco Nexus 1000V Series Infrastructure
Before installing Cisco VSG, you are required to install Cisco Nexus 1000V Series Software Release 4.2(1)
SV1(5.2) in your environment. Cisco VSG 1.4 is supported from Cisco Nexus 1000V Release 4.2(1) SV1(4) and
performs the basic configuration of the Cisco Nexus 1000V Series Switch. This will configuration includes:
●
Installing and configuring the VSM
●
Providing access to shared storage
●
Creating the necessary port profiles, including
◦
Uplink port profiles
◦
VMkernel port profiles
◦
Virtual machine data port profiles
●
Registering the VSM with VMware vCenter
●
Installing two or more VEMs
●
Adding the VEMs to the VSM
This deployment guide does not discuss the details of installing and deploying the Cisco Nexus 1000V Series.
Please refer to the Cisco Nexus 1000V Installation Guide or a Deployment Guide for this information.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 9 of 33
Setup Requirements
Cisco VSG uses three network interfaces in the following order:
1.
Cisco VSG data interface
2.
Cisco VSG management interface
3.
Cisco VSG high-availability interface
Note:
During VSG OVA install, installer prompts for configuring VSG management interface, subnet mask,
default gateway, Cisco Prime Network Services Controller IP address and Cisco Prime Network Services
Controller Shared Secret for secure connectivity with Cisco Prime Network Services Controller. VSG Data
Interface is not be configured during initial installation. This is only done via Cisco Prime Network Services
Controller when assign VSG to a Compute Firewall, and is covered later in this document.
Create additional VLANs for the Cisco VSG data and high-availability interfaces on the VSM and allow the VLANs
to forward on the system uplinks. Create these VLANs on the upstream switch. You can have the same VLAN for
both the high-availability and data interfaces, depending on the utilization of the data interface.
The existing management VLAN in your setup can be used to manage Cisco VSG.
The recommend approach is to use VMware Open Virtual Appliance (OVA) for the Cisco VSG installation, which
allows simplified installation. Since Cisco Prime Network Services Controller is the central management center for
Cisco VSG, it will be located in your management VLAN. There are no specific network requirements for setting up
Cisco Prime Network Services Controller. Please refer to the quick start guide at for the steps for deploying Cisco
Prime Network Services Controller.
Cisco VSG (OVA or ISO) contains respective Cisco Prime Network Services Controller policy-agent image, which
is copied to bootflash on installation of VSG. In certain scenarios VSG works with multiple versions of Cisco Prime
Network Services Controller, and if need to use non-default Cisco Prime Network Services Controller Policy-Agent
image, you would need to manually copy the Cisco Prime Network Services Controller Policy Agent image to boot
flash, which is available with Cisco Prime Network Services Controller download.
Installation and Initial Setup
Please refer to Part 1 of the Cisco VSG and Cisco Prime Network Services Controller Installation Guide to do the
following (Figure 9):
1.
Install Cisco Prime Network Services Controller as a virtual appliance.
2.
Install Cisco VSG as a virtual appliance.
3.
Register Cisco VSG with Cisco Prime Network Services Controller
4.
Register the VSM with Cisco Prime Network Services Controller.
5.
Register Cisco Prime Network Services Controller with VMware vCenter
Note:
Step 3 is achieved by installing Cisco Prime Network Services Controller-VSG policy agent image on
VSG. Cisco VSG is bundled with respective Cisco Prime Network Services Controller Policy Image; It is by default
copied to VSG bootflash. If you’re deploying VSG in mixed mode deployment where Cisco Prime Network
Services Controller version is different, then you need to copy new Cisco Prime Network Services Controller policy
agent image bundled in downloaded Cisco Prime Network Services Controller zip file.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 10 of 33
Here’s an example of installing vsg-policy-agent on Cisco VSG:
VSG(config)#vnm-policy-agent
VSG(config)#registration-ip 10.29.171.102
VSG(config)# shared-secret **********
VSG(config)# policy-agent-image bootflash:/ Cisco Prime Network Services
Controller-vsgpa.2.0.1a.bin
VSG# show vnm-pa status
VNM Policy-Agent status is - Installed Successfully. Version 2.0(1a)-vsg
VSG#
Figure 9.
Initial Setup of Cisco VSG and Cisco Prime Network Services Controller
After completing these tasks, you should be ready to start defining and implementing the policies for Cisco VSG.
Figure 10 shows a typical network with all the necessary components in place for the Cisco VSG solution.
Figure 10.
Network Topology with Cisco Nexus 1000V Series, Cisco VSG, and Cisco Prime Network Services Controller
Enabling the Firewall
To insert the firewall into the network, you need to attach Firewall security profile to the port profile. All the traffic
traversing the virtual ports associated with that port profile is subjected to policy evaluation.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 11 of 33
The following commands define the Cisco VSG firewall feature on the VSM:
Nexus1000V (config)# vservice node VSG_Node-Name type vsg
Nexus1000V(config-vservice-node)# ip address VSG_DATA_IP
Nexus1000V(config-vservice-node)# adjacency {l2/l3} vlan VSG_Service_VLAN
Nexus1000V(config-vservice-node)# fail-mode {open/close}
The first command defines virtual service instance of node type Cisco VSG. The second and third commands
provide information for vPath communication with Cisco VSG, including the mode of adjacency, Cisco VSG data
interface IP address, and Cisco VSG service VLAN.
The following commands turn on the firewall feature under the port profile on the VSM:
Nexus1000V (config-port-prof)# org root/ATenant
Nexus1000V (config-port-prof)# vservice node VSG_Node-Name profile
VSG_TenantA_Security_Profile
The first command specifies the tenant in which the firewall is enabled. The second command binds a specific
Cisco VSG and security profile to the port profile. It enables vPath to redirect the traffic to the Cisco VSG in the
service VLAN.
The following example shows the port-profile configuration with Cisco VSG firewall protection enabled:
port-profile type vethernet Secure-ATenant-VM
vmware port-group
switchport access vlan 10
switchport mode access
vservice node vsg profile Secure-ATenant
no shutdown
state enabled
License Requirements
Starting with Cisco Nexus 2.1 Release, Cisco VSG and Cisco Prime Network Services Controller license is
bundled with Cisco Nexus 1000V Advanced Edition licenses.
A Cisco Nexus 1000V advanced edition license is required for each CPU socket, and VSG licensing follows the
same model as licensing for the Cisco Nexus 1000V Series. Each CPU requires one license, and there is no limit
on the number of cores per CPU. The main point to note is that the licenses need to be installed on the VSM.
Because the licenses are based on physical host sockets, you can instantiate Cisco VSGs in a scale-out model
without worrying about licenses.
You must purchase enough licensing capacity to cover all installed CPUs. Licenses are not applied to a VEM
unless the existing license has the capacity to cover all its CPUs. Please refer to the licensing guide at for the
steps you need to take to install the licenses.
The Cisco Nexus 1000V Series Release 2.1 software comes with a 60-day evaluation license of Advanced Edition.
Network Segmentation
Cisco VSG is a transparent firewall inserted at Layer 2 and acts like a “bump in the wire”; it is not seen as a Layer
3 hop to connected devices. Insertion of a Cisco VSG into the network does not require any reengineering of the
existing network.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 12 of 33
Cisco Prime Network Services Controller supports overlapping network spaces for a multitenant environment.
Therefore, if network segmentation exists that allows overlapping IP spaces (for example, virtual route forwarding
lite (VRF-lite), Cisco Prime Network Services Controller will allow you to build policies for each tenant with
overlapping networks.
Service VLAN Maximum Transmission Unit Size
Starting from Cisco VSG 1.3, Cisco VSG can be either Layer 2 or Layer 3 adjacent to the VEM. vPath intercepts
the first packet of the flow and encapsulates the original packet with an additional vPath header. When the
connectivity between Cisco VSG and the VEM is Layer 2, the frame size is increased by 74 bytes. With Layer 3
connectivity between Cisco VSG and the VEM, the increase in payload size is 94 bytes.
For Layer 2 mode, vPath performs fragmentation if the encapsulated packet exceeds the outgoing interface
maximum transmission unit (MTU) value. Typically, this overhead does not affect TCP flows. These flows will not
be subject to fragmentation because the first packet of any TCP flow is a SYN packet, which is not subject to
fragmentation after vPath encapsulation. You may see fragmentation with User Datagram Protocol (UDP) flows in
which the packet is already 1500 bytes when vPath intercepts it. To avoid fragmentation, you can increase the
MTU value by 74 bytes on the uplink port profile configured in Cisco Nexus 1000V Series Switches and on the
upstream physical switch to which other physical hosts are connected.
With Layer 3 connectivity between Cisco VSG and the VEM, the payload increase is 94 bytes. In Layer 3 mode,
vPath does not support fragmentation, so if the new packet size after the addition of 94 bytes exceeds the
outgoing interface MTU value, the packet will be dropped and an Internet Control Message Protocol (ICMP) error
message (error code = 4) will be sent back to source.
Note:
In Cisco VSG Layer 3 mode, IP fragmentation is not supported on the VEM virtual machine network
interface card (vmnic) for traffic leaving the VMware ESX or ESXi host. Hence, after vPath encapsulation, if an IP
packet is received by a VEM from a virtual machine with a packet size greater than the outgoing interface MTU
value, it will be dropped, and an ICMP error message (error code = 4) will be sent back to the source virtual
machine. To avoid packet drops in this scenario, increase the outgoing server port MTU value by 94 bytes. For
example, if the MTU values of client and server virtual machines and uplinks are all 1500 bytes, set the uplink
MTU value to 1594 bytes.
High Availability
Table 1 summarizes the high-availability behavior for various components of the solution. Like the VSM, Cisco
VSG comes with high availability. It is not recommended that you use the VMware High Availability (HA) feature or
the fault-tolerance or VMware DRS feature for Cisco VSG and the VSM. If neither the primary nor the standby
Cisco VSG is available to vPath, you can configure the failure mode as Fail Open or Fail Close. You can make
this configuration when you enable the security profile with the vn-service command in the port profile.
Table 1.
High-Availability Behavior for Cisco VSG Solution Components
High Availability
Behavior
Cisco VSG
Active standby
Standby Cisco VSG takes over in 6 to 8
seconds
Cisco Prime Network Services Controller
VMware HA
Hardware failure backup
VSM
Active standby
Standby VSM takes over in 6 to 8 seconds
Note:
A Cisco VSG pair shares a high-availability ID that should be unique to the pair, if you have more than
one Cisco VSG high-availability pair sharing the same management or high-availability VLAN.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 13 of 33
Tenant Management
One or more instances of Cisco VSG are deployed on a per-tenant basis, which allows a highly scalable
deployment across many tenants. Tenants are isolated from each other, so that no traffic can cross tenant
boundaries. A tenant can be further divided to the following levels:
●
Virtual data center
●
Virtual application
●
Virtual tier
Each instance in a tenant tree is classified as an organization (org) level. Depending on the use case, you can
deploy a Cisco VSG at the tenant level, at the virtual data center (vDC) level, or at the virtual application (vApp)
level. Figure 11 shows how a tenant tree structure can be built in Cisco Prime Network Services Controller.
Figure 11.
Cisco Prime Network Services Controller Tenant Management View
Security Policy Management
The security policy in Cisco Prime Network Services Controller uses network attributes, VMware virtual machine
attributes, and virtual machine custom attributes. You can define multiple policies for a tenant. All the policies are
published to the Cisco VSG through a security profile. These policies can be applied at any organization level
within a tenant.
A general guideline is to apply more generic policies at a higher level in the tenant hierarchy, and to apply more
specific policies closer to the organization level within a tenant, where they are more meaningful.
In Figure 12, Cisco VSG is placed at the tenant level (Tenant A), but the policies are applied at two different levels
within the tenant. Policy P1 is applied at the data center level, which means that the entire data center DC 2, and
all the sublevels within DC 2, are subjected to P1 policy evaluation. Policy P2 is specific to App 2 only and is
placed at that organization level.
The general guideline is to place more generic policies higher in the organization structure, and to place more
specific policies closer to the organization level, where they are more meaningful.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 14 of 33
Figure 12.
Cisco VSG and Policy Placement in Tenant Hierarchy
Device Policy Management
The general settings for Cisco VSG are also specified through Cisco Prime Network Services Controller. The
settings include Simple Network Management Protocol (SNMP), syslog, Network Time Protocol (NTP), and fault
logging. All these settings are part of the device policy that is published to Cisco VSG along with the security
policy. When assigning a registered firewall to a tenant Cisco VSG, if you do not define a device policy, a default
policy is pushed to Cisco VSG for these settings.
Service Chaining
With Cisco Nexus 1.5.2 Release, vPath 2.0 supports enabling multiple services for a network port with its unique
intelligent service chaining architecture. Cisco VSG for Compute Firewall, and Cisco ASA 1000V for Edge Security
Firewall, can both be enabled for a particular VM Port group. White Paper on vPath Service Chaining has more
details.
Scalability
Cisco VSG is designed to be scalable. As virtualized environments grow to accommodate business needs, you
can instantiate more Cisco VSGs and apply the same policies to protect a larger environment. Table 2 can help
you understand how you can scale from both the Cisco VSG and Cisco Prime Network Services Controller
perspectives.
Table 2.
Scaling Cisco VSG and Cisco Prime Network Services Controller
Feature Scale
Cisco VSG 1vCPU
Cisco VSG 2vCPU
Cisco Prime Network
Services Controller
Number of Cisco VSG instances
-
-
128
Concurrent Connections
256000
256000
-
New Connections Per Second
6000
10000
-
Tenants
-
-
128
Zones
64
64
8192
Security-Profiles
256
256
2048
Policies
32
32
2048
Rules
1024
1024
8192
Max Number of VSMs
-
-
16
Object Groups
64
64
4096
Number of Hosts
64
64
600
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 15 of 33
Currently, if you need to deploy an additional Cisco VSG, you use a manual process in which you bind one port
profile to one Cisco VSG and another port profile to another Cisco VSG. In future versions, Cisco VSG will offer a
clustering feature that will allow you to perform load balancing with two or more Cisco VSGs dynamically.
Cisco VSG Deployment Scenarios and Configuration Tasks
This Tables describes the flow and how segregation of duties and ownership is maintained for provisioning
Security Firewall.
Security Administrator
Cisco Prime Network Services Controller GUI: Define Security Profile, Add Rules, Assign and publish policies to
Cisco VSG
Network Administrator
VSM Interface: Define Service node, and bind Security Profile to Port-Profile (available as Port-Group in vCenter)
Server Administrator
vCenter Interface: Attach Virtual Machines to Firewall enabled port-group to instantly enable security for the VM’s
Figure 13 depicts the physical topology and network configuration that is used in this document in the sample
Cisco VSG deployment.
Figure 13.
Note:
Sample Cisco VSG Deployment Topology
Standard practice for the Cisco Nexus 1000V VSM still applies, with a separate VLAN used for
management, and dedicated VLAN used for VSM-VEM control traffic. The example here uses this scheme.
However, this configuration is not a requirement, and users can choose to have all three traffic types in the same
VLAN or to have a separate VLAN for each.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 16 of 33
Three-Tier Access Control with Virtual Machine Base Policies
Cisco VSG provides the standard 5-tuple network attributes that can be used in the security policies. Table 3
shows the supported attributes.
Table 3.
Cisco VSG Supported Network Attributes
Name
Meaning
Value Type
src.net.ip-address
Source IP address
IP address
src.net.port
Source port
Integer
dst.net.ip-address
Destination IP address
IP address
dst.net.port
Destination port
Integer
net.protocol
Protocols specified in IP header (TCP, UDP, etc.)
String
Here is a sample security policy for Tenant content hosting, which will be applied to this use case:
●
Permit only port 80 (HTTP) for virtual machines in the web zone.
●
Permit port 22 (Secure Shell [SSH]) for virtual machines that belong to the database zone.
●
Allow communication only between web servers and database servers.
●
Allow communication only between application servers and database servers.
●
Explicitly deny all traffic to all zones.
Tasks for Security Administrators
The security administrator must perform the following high-level steps on the Cisco Prime Network Services
Controller to create a policy using conditions based on VM or Network attributes.
Let’s walk through the flow of provisioning VSG security policies via Cisco Prime Network Services Controller Web
Interface.
Access Cisco Prime Network Services Controller from your browser session using URL https://pnsc-server-ip/#.
Note:
The pnsc-server-ip should be replaced with the IP address of the server where Prime Network Services
Controller is installed.
In the next few pages, following tasks are illustrated for provisioning Compute Firewall (VSG) policies through
Cisco Prime Network Services Controller:
Define Tenants, Add Zones, Define Security-Profile, Create Rules, Assign VSG to a Tenant (configure VSG Data
Interface), and Verify Security Profile is published to VSG.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 17 of 33
Define Tenants
Log into Cisco Prime Network Services Controller and select the Tenant Management tab. Right-click the root
node and create a tenant (Figure 14).
Figure 14.
Create a Tenant
Add Zones for Tenants
A zone is a logical group of virtual machines or hosts. Zones simplify policy writing by allowing users to write
policies based on zone attributes using zone names. After you have created the tenant, you can go to the Policy
Management tab to define logical Zones (vZones).
Navigate to Policy Management > Service Profiles > Tenant > Policy Helpers >vZones (Figure 15).
Add three zones:
●
WebZone
●
AppZone
●
DBZone
Figure 15.
Adding vZone
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 18 of 33
After defining the vZones; WebZone as an example, select the Edit tab to classify the zone, as shown in
Figure 16. This example will use VM attributes to classify the zones.
Figure 16.
Adding a Condition for vZone Classification
Similarly, define conditions for the other two zones based on VM or Network attributes. All three zones are now
displayed in the Summary tab, as shown in Figure 17.
Figure 17.
Three vZones Defined for the Policy
Define the Security Profile
You configure security profiles in the Cisco Prime Network Services Controller Policy Management interface. The
predefined zones can be used to define the security policy for each tenant. The security profile contains set of
policy rules defined for the tenant compute firewall.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 19 of 33
Navigate to Policy Management > Service Profiles > Tenant > Compute Firewall > Compute Security
Profiles. Select Add to add a new security profile (Figure 18).
Figure 18.
Adding a Security Profile for a Tenant
Define a Policy Set and Create Rules in the Policy
Define a policy set in the security profile and add rules to the policy set. Policy specifications outlined in the use
case will be implemented by adding rules to this policy.
In this example:
●
Allow only HTTP traffic destined to virtual machines in the web zone.
●
Allow all ICMP traffic to virtual machines.
●
Allow only traffic originating from the web server in the database zone.
●
Allow only communication between the web and database servers.
●
Deny all other traffic.
Define a new policy set in the security profile, as shown in Figure 19.
Figure 19.
Adding Policy Set to the Security Profile
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 20 of 33
Then click Add Rule to add rules to this policy set, as shown in Figure 20.
Figure 20.
Adding Rules to the Policy Set
Assign Cisco VSG to a Tenant
All the registered Cisco VSGs appear in the Resource Management interface. (This step requires that Cisco Prime
Network Services Controller policy agent image is successfully installed on Cisco VSG, details in VSG installation
tasks)
To push configured security profile to a Cisco VSG instance, you need to assign Cisco VSG to a tenant. After this
assignment, all the policies (security profiles) are published to that Cisco VSG. The recommended approach is to
add the computing firewall object directly at the tenant level.
Follow these steps:
1.
In the navigation pane, click the Cisco Prime Network Services Controller > Resource Management tab >
Managed Resources tab.
2.
Expand the root node.
3.
Select Compute Firewalls for the Tenant in which you have defined Security Profile and want to add a
computing firewall service instance.
4.
In the work pane, click the Add Compute Firewall link.
In the Add Compute Firewall dialog box, do the following:
◦
On the General tab, add a user-defined name and description.
◦
In the Firewall Settings area, enter the VSG Data IP address, as shown in Figure 21. This interface IP
address/Vlan will be used to define VSG as a service node in VSM, and for vPath-VSG communication.
◦
Then you Assign that computing firewall object to an available Cisco VSG, as shown in Figure 22.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 21 of 33
Figure 21.
Adding a Compute Firewall at the Tenant Level
Figure 22.
Selecting a Cisco VSG from the Drop-Down Menu
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 22 of 33
After you have assigned the computing firewall object to the Cisco VSG, the Cisco VSG configuration status
should be “applied ” and association status should be “associated” as shown in Figure 23.
Figure 23.
Cisco VSG Assignment Status
Verify the Security Policy Configuration Using the CLI
Log in to the Cisco VSG CLI and enter command “show run policy” to verify security policy is being pushed
successfully by the Cisco Prime Network Services Controller (Figure 24). This step is optional and only for
verification purpose.
Figure 24.
Verifying the Security Policy Using the Cisco VSG CLI
Tasks for Network Administrators
The configured security policy is made available to the network administrator through the security profile. This
feature makes the network administrator’s configuration task much easier because the administrator does not
have to deal with security-policy-related details.
The network administrator now creates a port profile and can also bind the security policy to this port profile. The
definition for the security policy does not require a separate port profile, so a single port profile can be used for all
the virtual machines. The sample configuration in Figure 25 shows how this configuration is accomplished.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 23 of 33
Figure 25.
Binding a Security Profile to the Port Profile
Tasks for Server Administrators
The server administrator only needs to go to the network settings of the virtual machine and select the port profile
that the network administrator created with the security profile (Figure 26).The network profile and security profiles
created will be instantiated dynamically when the virtual machine is associated with this network port profile.
Figure 26.
Selecting a Firewall-Enabled Port Group
Three-Tier Access Control with Custom Attribute Base Policies
This example discuss how to use custom attributes for the same three-tier server zone use case, follow the steps
in this section in addition to the steps in the previous sections using virtual machine. The goal of this use case is to
help you gain a better understanding of how you can use custom attributes to build a security policy, based on
VMware virtual machine attributes and network attributes.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 24 of 33
Tasks for Security Administrators
Define a Custom Attribute
1.
Choose Cisco Prime Network Services Controller > Policy Management > Service Policies > A-Tenant >
Security Profile Dictionary.
2.
Right-click and choose Add Security Profile Dictionary (Figures 27 through 29).
Figure 27.
Adding a Security Profile Dictionary
Figure 28.
Naming the Security Profile Dictionary
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 25 of 33
Figure 29.
Adding a Custom Attribute to the Dictionary
Define Zones Based on Custom Attributes
Add three zones - WebZone, AppZone, and DBZone - as in the previous two examples. The only difference is that
here you will use a custom attribute that was added to the security profile dictionary, “Server-Type” (Figure 30).
Figure 30.
Adding a Zone Condition Based on a Custom Attribute
Follow the same process for AppZone and DBZone.
Build the Security Policy
The policy rules are exactly the same as in previous two examples, in which zones were added based on network
and virtual machine attributes.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 26 of 33
Create Security Profiles
The process of creating security profiles using custom attributes involves an additional step. You need to create
three security profiles, such as the following:
●
Secure-Web
●
Secure-App
●
Secure-DB
For each profile, perform the following steps:
1.
Select the policy set from the drop-down menu (Figure 31).
Figure 31.
2.
Adding a Custom Attribute to the Security Profile
Give a value to the custom attribute on the Attributes tab (Figure 32).
Figure 32.
Assigning a Value to the Custom Attribute
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 27 of 33
The new profiles will appear in the list of security profiles (Figure 33).
Figure 33.
List of Newly Created Security Profiles
You have created three security profiles with different custom attribute values but the same policy set. The policy
evaluation will be different depending on which security profile is enabled for the traffic flow.
Tasks for Network Administrators
Create three port profiles in the Cisco Nexus 1000V Series Switch:
●
Secure_ATenant_WebServers
●
Secure_ATenant_DBServers
●
Secure_ATenant_AppServers
All these port profiles belong to the same tenant and share the same VLAN, but they have different security
profiles (Figure 34).
Figure 34.
Enabling Three Different Security Profiles on Three Port Profiles
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 28 of 33
Tasks for Server Administrators
The server administrator can select from three port groups depending on whether the virtual machine belongs to
the Web, App, or DB port group (Figure 35).
Figure 35.
Selecting the Port Group Based on Server Type
Configuring a Syslog Server
Device settings for Cisco VSG are also configured through Cisco Prime Network Services Controller. You can use
these settings to configure NTP, syslog, and SNMP options. Please refer to the information about how to configure
device policies in the Cisco Prime Network Services Controller GUI Configuration Guide for the options available
on the Device Policies tab.
After you have defined a device policy, you assign this policy on the Resource Management tab. The following
example shows how to add a device policy to set up a syslog server for logging Cisco VSG.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 29 of 33
Create a Device Policy
1.
Choose Policy Management > Device Configurations > A-Tenant > Policies > Syslog. Right-click (Figure 36).
Figure 36.
2.
Adding a Syslog Policy
Add a syslog policy. Keep the severity level set to Warning, so that applied security policy logging is sent to
the syslog server (Figure 37).
Figure 37.
Adding a Syslog Server
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 30 of 33
Assign the Policy to the Device Profile
After you create syslog policy, you need to assign this policy to a device profile at the tenant level.
1.
Choose Cisco Prime Network Services Controller > Policy Management > Device Configurations >
Device Profiles > A-Tenant > Device Profiles, then select - Add Device Profile [Figure 38]
2.
Add a firewall device profile.
Figure 38.
Adding a Firewall Device Profile
Assign the syslog policy to the newly created device profile (Figure 39).
Figure 39.
Syslog Policy Assigned to Device Profile
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 31 of 33
Assign the Device Profile to Cisco VSG
1.
Choose Cisco Prime Network Services Controller > Resource Management > Managed Resources >
Tenant > Compute Firewall > <VSG-Firewall>.
2.
On the right side pane, in Firewall Settings, select the device profile that you created for syslog (Figure 40).
Then save the configuration.
Figure 40.
Assigning the Device Profile to Cisco VSG
Conclusion
Cisco VSG integrates with Cisco Nexus 1000V Series Switches to enforce security policies for your virtualized
environment. Cisco Prime Network Services Controller provides policy management for a multitenant environment.
One or more Cisco VSG instances are required per tenant. Cisco VSG uses the vPath intelligence in the Cisco
Nexus 1000V VEM to provide security policy enforcement.
For More Information
Nexus 1000V Licensing Guide
Nexus 1000V Deployment Guide
Enabling Service Chaining with Nexus 1000V White Paper
Cisco VSG Installation and Upgrade Guide
Cisco vPath and vServices Reference Guide
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 32 of 33
Printed in USA
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
C07-647435-04
07/13
Page 33 of 33

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz