VSG-TDM
Virtual Security Gateway
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Presentation_ID 2 2
Agenda
Nexus 1000V Overview
Virtual Security Gateway (VSG) Overview
VSG Policy Model
VSG Packet Flow
Virtual Network Management Center (VNMC)
Deployment Scenario
Use Case Example
Summary
Nexus 1000V
Nexus 1000V Architecture (figure)
Modular switch analogy: Supervisor-1 and Supervisor-2 plus Linecard-1 … Linecard-N over a backplane correspond to VSM-1 and VSM-2 plus VEM-1 … VEM-N on the ESX hosts; the VSMs run as virtual appliances (a Nexus 1010 hosts several, shown as VSM-A1 … VSM-A4 and VSM-B1 … VSM-B4), and VSM-to-VEM communication runs in L2 mode or L3 mode.
VSM: Virtual Supervisor Module; VEM: Virtual Ethernet Module
• 200+ vEth ports per VEM • 64 VEMs per 1000V • 2K vEths per 1000V • Multiple 1000Vs can be created per vCenter
Embedding Intelligence for Virtual Services: vPath – Virtual Service Datapath (figure)
vPath runs inside every VEM (VEM-1, VEM-2, …) on the ESX hosts, in L2 or L3 mode; the virtual services (VSG, vWAAS) and the VSMs (VSM-1 … VSM-4) are hosted on the Nexus 1010 Virtual Appliance.
vPath: Virtual Service Datapath; VSG: Virtual Security Gateway for 1000V; vWAAS: Virtual WAAS
Nexus 1010 – hosting platform for services (figure)
Same topology, with NAM and VSG instances added alongside vWAAS and the VSMs.
*VSG on 1010 target: 2Q CY11
Why 1000V? Nexus 1000V Differentiators – Software Switch for VMware vSphere and vCloud Director
Feature & operational consistency: NX-OS across physical and virtual networks (Nexus 7K/5K/2K/1KV), Cisco CLI experience, standards based (IEEE 802.1Q)
Advanced NX-OS switching features: Security, QoS, Monitoring, Management, …
Non-disruptive administration: the network team manages the virtual network and creates port profiles; the server team assigns port profiles to VMs
Intelligent integration with virtual services (vPath): transparent insertion (topology agnostic), efficient deployment (no need to deploy on every host), dynamic policy-based operation, performance acceleration
Securing Virtual Desktops (VDI)
1000V Security Features for VDI • Access Control List • Port Security • Private VLAN • DHCP Snooping • Dynamic ARP Inspection • IP Source Guard
(figure: virtualized data center stack for VDI – desktop OS and desktop applications on desktop virtualization software over the hypervisor and Nexus 1000V, with Nexus switch, WAAS and ACE in the data center)
WAAS: Wide Area Application Service; ACE: Application Control Engine
Securing Virtual Desktops (Use Case)
Persistent virtual workspace for the doctor
Flexible workspace for Doctor’s assistant
Maintain compliance while supporting IT consumerization
Cisco AnyConnect
Long Distance vMotion across 2 DCs – Nexus innovations, virtual to physical (figure: two vSphere data centers interconnected through Cisco Nexus 7000 Series switches running OTV)
• Network integrity is critical to long distance vMotion: Security, Quality of Service, Network Monitoring, Troubleshooting
• Nexus 1000V provides these critical network functions across data centers
• Layer-2 extension across DCs with Nexus 7K OTV (OTV: Overlay Transport Virtualization)
QA validation: 2QCY11
Quality of Service
Provide bandwidth guarantee for up to 64 total queues on uplinks
User-defined queues
8 predefined traffic classes for VMware and 1000V protocol traffic
Queuing configured via the modular QoS CLI (MQC)
(figure: pie chart splitting uplink bandwidth among the vMotion, VM_Platinum, VM_Gold, Default, ESX_Mgmt and N1K_Control/N1K_Packet classes; shares shown: 20%, 30%, 15%, 5%, 15%, 15%)
Nexus 1000V in Cisco Validated Solutions
Cisco’s network-centric virtualized data center is best positioned to enable the journey to the networked cloud
Vblocks – Imagine: 30 racks reduced down to 3 racks; provisioning applications in hours instead of weeks
Secure Multi-tenancy – Imagine: securely sharing servers between multiple users/groups without having to add another server
Flexpod – Imagine: predesigned, validated, flexible infrastructure that can grow and scale to meet cloud computing requirements
Virtual Desktop – Imagine: over 4000 desktops in a single rack! Savings up to 60+% per PC per year; significant savings in operations
VSG Overview
VSG: What Problem is Being Solved? (figure: VM-to-VM traffic between App/OS stacks on the same host)
Control inter-VM traffic – address the new blind spot
Enable dynamic provisioning – mobility-transparent enforcement
VLAN-agnostic operation – policy based
Administrative segregation – server • network • security
Virtual Security Gateway (VSG): Virtual Firewall for Nexus 1000V, managed through the Virtual Network Management Center (VNMC)
Context-aware security: VM-context-aware rules
Zone-based controls: establish zones of trust
Dynamic, agile: policies follow vMotion
Best-in-class architecture: efficient, fast, scale-out software
Non-disruptive operations: the security team manages security
Policy-based administration: central management, scalable deployment, multi-tenancy
Designed for automation: XML API, security profiles
Defense in Depth Security Model
Internet Edge (ASA 55xx) • Filter external traffic • Extensive app protocol support • VPN access, threat mitigation
Internal Security (ASA 55xx, FWSM) • Segment internal network • Policy applied to VLANs • Application protocol inspection • Virtual contexts
Virtual Security (VSG) • Policy applied to VM zones • Dynamic, scale-out operation • VM-context-based controls
VSG Deployment Requirements
VMware vSphere 4.0+ and Virtual Center
Nexus 1000V Series switch (1.4 or later) with vPath
One (or more) active VSGs per tenant
Virtual Network Management Center (VNMC)
Note: Licensing is per protected CPU socket (same as Nexus 1000V); VSG can protect a subset of the 1000V-licensed CPUs.
Multi-tenant Deployment
• Deployment granularity depends on the use case: Tenant, VDC, vApp
• Multi-instance deployment provides horizontal scale-out
(figure: Tenant A and Tenant B on one vSphere/Nexus 1000V with vPath; Tenant B split into VDC-1 and VDC-2 containing vApps; all managed by the Virtual Network Management Center)
Example: 3-tier Server Zones – Policy: Content Hosting (Tenant A; Web-zone, Application-zone, Database-zone)
Permit only port 80 (HTTP) of web servers
Permit only port 22 (SSH) to application servers
Only permit web servers access to application servers
Only permit application servers access to database servers
Block all external access to database servers
Virtual Security Gateway – Logical deployment like physical appliances (figure: VMs on the Nexus 1000V Distributed Virtual Switch, vPath steering to the VSG, VNMC for management, Log/Audit output)
Secure segmentation (VLAN agnostic)
Efficient deployment (secure multiple hosts)
Transparent insertion (topology agnostic)
High availability
Dynamic policy-based provisioning
Mobility aware (policies follow vMotion)
Virtual Security Gateway – Intelligent Traffic Steering with vPath (figure: initial packet flow on the Nexus 1000V Distributed Virtual Switch)
Initial packet flow: vPath steers the first packet of a flow to the VSG
Flow access control (policy evaluation) in the VSG
Decision caching in vPath
Access log (syslog) to Log/Audit
Virtual Security Gateway – Performance Acceleration with vPath (figure)
Remaining packets from the flow: ACL offloaded to the Nexus 1000V (policy enforcement in vPath, without returning to the VSG)
vPath – Summary
vPath is intelligence built into the Virtual Ethernet Module (VEM) of the N1KV (1.4 and above)
vPath has two main functions:
a. Intelligent traffic steering to the VSG
b. Offloading the processing from the VSG to the VEM
Dynamic security policy provisioning (via security profile)
vPath is multi-tenant aware
Leveraging vPath enhances service performance by moving the processing into the hypervisor
VSG: Fixup Support
vPath maintains the state of each flow after caching the decision (SYN, SYN-ACK, ACK, established, etc.)
Application-level protocol fixup (e.g. FTP), which dynamically allows additional connections, is accomplished by keeping the control connection in the VSG and NOT offloading it to vPath
VSG: Application Layer Protocol Fixup (Example FTP) (figure, two slides: FTP Control and FTP Data connections between VMs on the Nexus 1000V Distributed Virtual Switch, with vPath, VSG and VNMC)
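The steering, caching and fixup behaviour described in the preceding slides, as an added Python simulation (not Cisco code). It models the slow path (first packet of a flow to the VSG), the fast path (cached verdict enforced in the VEM), the FTP control connection that stays in the VSG so its 227 replies can open pinholes for data connections, and the head-less behaviour the HA section describes (cached flows keep working while the VSG is away). The packet model, the allow-list that stands in for the policy engine, the one-shot pinhole and the fail-closed choice for new flows during an outage are assumptions of this example; TCP state tracking is left out.

```python
"""Toy model of the vPath split: the first packet of a flow goes to the VSG (slow
path), the verdict is cached in the VEM and the rest of the flow is enforced there
(fast path); a permitted FTP control connection stays in the VSG so its 227 (PASV)
replies can open pinholes for the data connections. Added example, not Cisco code.
Packet model, allow-list policy, one-shot pinhole and fail-closed handling of new
flows during a VSG outage are assumptions; TCP state tracking is omitted."""
import re
from dataclasses import dataclass

FTP_PORT = 21


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""

    @property
    def flow(self):
        """Direction-independent key so replies hit the same cache entry as the SYN."""
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


class VSG:
    """Policy evaluation: a (dst_ip, dport) allow-list plus pinholes opened by fixup."""

    def __init__(self, allowed):
        self.allowed = set(allowed)
        self.pinholes = set()   # (client_ip, server_ip, data_port)
        self.evaluations = 0
        self.syslog = []        # access log, one line per evaluated flow

    def evaluate(self, pkt):
        self.evaluations += 1
        hole = (pkt.src, pkt.dst, pkt.dport)
        if hole in self.pinholes:
            self.pinholes.discard(hole)   # one data connection per 227 reply
            verdict = "permit"
        else:
            verdict = "permit" if (pkt.dst, pkt.dport) in self.allowed else "drop"
        # A permitted FTP control connection is NOT offloaded; everything else is.
        offload = not (verdict == "permit" and pkt.dport == FTP_PORT)
        self.syslog.append(f"{verdict} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return verdict, offload

    def inspect_control(self, pkt):
        """FTP fixup: a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply from the
        server pre-authorises one data connection from the client to that address/port."""
        m = re.search(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", pkt.payload)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            self.pinholes.add((pkt.dst, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))


class VPath:
    """VEM-side datapath with a per-flow decision cache."""

    def __init__(self, vsg):
        self.vsg = vsg
        self.vsg_reachable = True
        self.cache = {}          # flow key -> (verdict, offloaded)
        self.fast_path = self.slow_path = 0

    def forward(self, pkt):
        entry = self.cache.get(pkt.flow)
        if entry is None:
            if not self.vsg_reachable:
                return "drop"    # head-less and no cached decision: fail closed (assumption)
            self.slow_path += 1
            entry = self.cache[pkt.flow] = self.vsg.evaluate(pkt)
            return entry[0]
        verdict, offloaded = entry
        if offloaded:
            self.fast_path += 1  # enforced in the VEM; survives a VSG outage
        else:
            self.slow_path += 1  # control connection: still steered through the VSG
            self.vsg.inspect_control(pkt)
        return verdict


def demo():
    """Constructed traffic: an HTTP flow, a passive FTP session, then a VSG outage."""
    vsg = VSG(allowed={("10.0.1.10", 80), ("10.0.1.20", FTP_PORT)})
    vpath = VPath(vsg)
    client, web, ftp = "10.0.2.5", "10.0.1.10", "10.0.1.20"
    vpath.forward(Packet(client, web, 50000, 80))                          # SYN -> VSG, cached
    vpath.forward(Packet(web, client, 80, 50000))                          # SYN-ACK -> fast path
    vpath.forward(Packet(client, web, 50000, 80, b"GET / HTTP/1.0\r\n"))   # data -> fast path
    vpath.forward(Packet(client, ftp, 50001, FTP_PORT))                    # control -> VSG, kept there
    vpath.forward(Packet(ftp, client, FTP_PORT, 50001, b"227 Entering Passive Mode (10,0,1,20,195,80)\r\n"))
    data_ok = vpath.forward(Packet(client, ftp, 50002, 195 * 256 + 80))    # pinhole -> permit
    data_bad = vpath.forward(Packet(client, ftp, 50003, 50100))            # no pinhole -> drop
    vpath.vsg_reachable = False
    existing = vpath.forward(Packet(client, web, 50000, 80, b"GET /2\r\n"))
    new_flow = vpath.forward(Packet(client, web, 50010, 80))
    return {"vsg_evaluations": vsg.evaluations, "fast_path": vpath.fast_path,
            "slow_path": vpath.slow_path, "ftp_data_pinhole": data_ok,
            "ftp_data_no_pinhole": data_bad, "headless_existing_flow": existing,
            "headless_new_flow": new_flow, "syslog": vsg.syslog}


if __name__ == "__main__":
    print(demo())
```

Two things a reviewer would check in any such datapath show up here: the cache key must be direction-independent, otherwise the server's reply looks like a fresh flow that the policy drops; and the pinhole is consumed on first use and bound to the client that received the 227, so a third VM cannot ride the fixup into the data port.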
VSG System Architecture
VSG System Architecture (figure)
VMware vCenter → VNMC: VM attributes
VSM ↔ VNMC: port-profile interactions; VM-to-IP binding
VNMC → VSN/VSG: security profiles
vPath (ESX servers, Nexus 1000V) ↔ VSG: packets (slow-path); VM-to-VM traffic through vPath: packets (fast-path)
VSG System Architecture – Communication (figure: the same diagram with the control channels labelled)
VMware vCenter ↔ VNMC: SOAP/HTTPS API
VSM ↔ VNMC and VSG ↔ VNMC: XML/HTTPS over an encrypted channel
Data plane as before: packets (slow-path) between vPath and the VSG, packets (fast-path) through vPath, VM-to-IP binding, security profiles, port-profile interactions, VM attributes
System Interactions: VNMC – vCenter Communication
VNMC communicates with vCenter over the VIM API (VMware Infrastructure API, the vSphere web-services API) on SSL (443) at Layer 3
VNMC gets visibility into the vCenter VM attributes to use in the security policy
(figure, repeated on the following slides: VNMC ↔ vCenter, VNMC ↔ 1000V VSM and VNMC ↔ VSG each over SSL (443) at Layer 3; 1000V VSM ↔ 1000V VEM over the L2 or L3 control network; VEM (vPath) ↔ VSG over the Layer 2 Service VLAN)
System Interactions: VNMC – VSG Communication
VSG and VNMC communicate over a secure Layer 3 channel (SSL, port 443) authenticated with a pre-shared key
VNMC publishes device and security policies to the tenant VSGs
System Interactions: VNMC – VSM Communication
VNMC and VSM communicate over a secure Layer 3 channel (SSL, port 443) authenticated with a pre-shared key
VSM provides the VM-to-IP mapping to VNMC
System Interactions: VSG – VEM Communication
The VEM communicates with the VSG over a Layer 2 Service VLAN
vPath redirects the data traffic to the VSG over the Service VLAN
The policy result is sent back to vPath (VEM) by the VSG
VSG Security Policy Model
VSG Policy Model
A security policy is built from Network Attributes, VM Attributes, Custom Attributes and Zones
The security policy is applied per Port-Profile (Port Group)
Security Policy Building Blocks
Security Profile → Policy Set → Policy 1, Policy 2 … Policy N → each Policy holds Rule 1, Rule 2 … Rule N
Rule is analogous to an ACE; Policy is analogous to an ACL
VSG Policy: Rule (ACE) Construct
Rule = Source Condition + Destination Condition + Action
Condition = attribute type (Network, VM or Custom) + attribute + operator + value
VM Attributes: Instance Name, Guest OS full name, Zone Name, Parent App Name, Port Profile Name, Cluster Name, Hypervisor Name
Network Attributes: IP Address, Network Port
Operators (two groups on the slide): eq, neq, gt, lt, range, not-in-range, prefix; member, not-member, contains
VSG – Use Case 1a: Access Policy based on Network Attributes (figure: VSG allows ping between 192.168.1.1 and 192.168.1.2)
Use Case 1a: Simple Rule – source condition, destination condition and action; the rule leverages a network attribute to allow communication between Server A and Server B
VSG – Use Case 1b: Access Policy based on VM Attributes (figure: VSG allows ping between WebServer and Database Server)
Use Case 1b: Simple Rule – the rule leverages a VM attribute to allow communication between Server A and Server B
VSG – Use Case 1c: Access Policy based on Zones (figure: VSG allows ping between the Web Server Zone and the Database Server Zone)
Use Case 1c: Defining the Zones – zones are defined by a condition leveraging the attributes, e.g. network, VM or custom attributes
Use Case 1c: Simple Rule with Zones – the rule leverages zones to allow communication between Server A and Server B
Use Case 2: Content Hosting Policy (Web-zone, Application-zone, Database-zone)
Permit only port 80 (HTTP) of web servers
Permit only port 22 (SSH) to application servers
Only permit web servers access to application servers
Only permit application servers access to database servers
Block all external access to database servers
Use Case 2: Policy Rules with Zones – leveraging zones in rule conditions (VM attribute example)
Policy: Trusted Zones (figure: Tenant A with HR Zone, Finance Zone, QA Zone, Dev Zone and VDI Zone behind one VSG)
Zoning classification is based upon network/VM attributes
Security policies can be defined on zones
Exterior security: External-to-Zone
Interior security: Zone-to-Zone and within-Zone
Virtual machine(s) can belong in multiple zones
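The rule construct, the zone definitions and the Content Hosting policy above, modelled as a small Python evaluator. This is an added example, not VNMC or VSG code: the attribute names and operators follow the slides, while the class names, the first-match/implicit-deny evaluation order, the zone definitions and the sample VMs (constructed) are this example's assumptions.

```python
"""Toy model of the VSG policy hierarchy: Security Profile -> Policy Set -> Policies
-> Rules, each Rule a source condition, a destination condition and an action, with
conditions over network/VM attributes and zones derived from attribute conditions.
Added example, not VNMC/VSG code: attribute and operator names follow the deck;
class names, evaluation order (first match wins, implicit deny) and the sample VMs
are assumptions."""
import ipaddress
from dataclasses import dataclass

PERMIT, DROP = "permit", "drop"

# The operators listed on the rule-construct slide.
OPERATORS = {
    "eq": lambda a, e: a == e,
    "neq": lambda a, e: a != e,
    "gt": lambda a, e: a > e,
    "lt": lambda a, e: a < e,
    "range": lambda a, e: e[0] <= a <= e[1],
    "not-in-range": lambda a, e: not e[0] <= a <= e[1],
    "prefix": lambda a, e: ipaddress.ip_address(a) in ipaddress.ip_network(e),
    "member": lambda a, e: a in e,
    "not-member": lambda a, e: a not in e,
    "contains": lambda a, e: e in a,
}


@dataclass(frozen=True)
class Condition:
    attr: str      # "ip", "port", "instance_name", "port_profile", "zones", ...
    op: str
    value: object


def matches(conds, endpoint):
    """All conditions must hold (AND); an empty list matches any endpoint. An endpoint
    lacking the attribute (an external host has no VM attributes) never matches it."""
    return all(c.attr in endpoint and OPERATORS[c.op](endpoint[c.attr], c.value) for c in conds)


@dataclass(frozen=True)
class Zone:
    name: str
    conds: tuple


def classify(endpoint, zones):
    """Attach zone memberships; a VM may fall into several zones at once."""
    return {**endpoint, "zones": {z.name for z in zones if matches(z.conds, endpoint)}}


@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple
    dst: tuple
    action: str


@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple


def evaluate(policy_set, src, dst, zones):
    """Evaluate like an ACL: policies in order, rules in order, first match wins,
    no match -> drop. Returns (action, matching rule) for the access log."""
    s, d = classify(src, zones), classify(dst, zones)
    for policy in policy_set:
        for rule in policy.rules:
            if matches(rule.src, s) and matches(rule.dst, d):
                return rule.action, f"{policy.name}/{rule.name}"
    return DROP, "implicit-deny"


# Zones for the 3-tier Content Hosting example, each defined by a different attribute type.
ZONES = (
    Zone("web-zone", (Condition("port_profile", "eq", "pp-web"),)),
    Zone("app-zone", (Condition("instance_name", "contains", "app-"),)),
    Zone("db-zone", (Condition("ip", "prefix", "10.0.3.0/24"),)),
)

CONTENT_HOSTING = (Policy("content-hosting", (
    Rule("web-http", (), (Condition("zones", "contains", "web-zone"), Condition("port", "eq", 80)), PERMIT),
    Rule("web-to-app-ssh", (Condition("zones", "contains", "web-zone"),),
         (Condition("zones", "contains", "app-zone"), Condition("port", "eq", 22)), PERMIT),
    Rule("app-to-db", (Condition("zones", "contains", "app-zone"),),
         (Condition("zones", "contains", "db-zone"),), PERMIT),
    # Anything else, including external access to the database zone, falls to the implicit deny.
)),)

# Constructed sample VMs (vCenter-style attributes) and an external host that has only an IP.
WEB = {"ip": "10.0.1.5", "instance_name": "web-01", "port_profile": "pp-web"}
APP = {"ip": "10.0.2.5", "instance_name": "app-01", "port_profile": "pp-app"}
DB = {"ip": "10.0.3.5", "instance_name": "db-01", "port_profile": "pp-db"}
EXTERNAL = {"ip": "203.0.113.10"}


def flow(src, dst, dport, sport=40000):
    """Source/destination attribute sets as vPath would present them for one flow."""
    return {**src, "port": sport}, {**dst, "port": dport}


if __name__ == "__main__":
    for label, f in {"ext->web:80": flow(EXTERNAL, WEB, 80), "web->app:22": flow(WEB, APP, 22),
                     "app->db:3306": flow(APP, DB, 3306), "ext->db:3306": flow(EXTERNAL, DB, 3306)}.items():
        print(label, *evaluate(CONTENT_HOSTING, *f, ZONES))
```

The point worth noticing is that the external host carries no VM attributes, so every rule whose source condition names a zone fails closed for it; the only thing it can reach is port 80 in the web zone, and the database zone is reachable solely from app-zone VMs, which satisfies "block all external access to database servers" without writing a single deny rule.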
Virtual Network Management Center (VNMC)
VNMC is available as a virtual appliance
Manages a multitenant environment
XML APIs for 3rd-party management tool integration
Provides a non-disruptive administration model
Non-Disruptive Administration
Mitigates operational errors between teams by giving each its own tool and object:
Security admin (VNMC): defines the security policies in Security Profiles
Network admin (Nexus 1KV): binds the port profile to the VSG security profile
Server admin (vCenter): assigns VMs to Nexus 1000V port profiles (Port Groups)
VNMC: Multitenant Org Structure (figure: Root → Tenant A, Tenant B; tenants → DC 1, DC 2, DC 3; a DC → App 1, App 2; an App → Tier 1, Tier 2, Tier 3)
Levels: Tenant level, vDC level, vApp level, Tier level
A single tenant can have up to 3 sub-levels of orgs; each sub-level can have multiple orgs
Overlapping network addresses across tenants are supported
VNMC: Multi-Tenant Management
VSG enforcement can be applied at any level of the tenant “tree”
Each tenant must have at least one active VSG
A VSG CANNOT manage across tenants
VNMC: Administrative Roles
1. VNMC admin roles 2. Tenant-level access: tenant-level RBAC access for the security admin
VNMC Administrative Access: integrated with LDAP to leverage AD credentials; a user is placed into a pre-defined role based on LDAP attributes
VNMC Admin Access – Tenant Level: the Locales option restricts an admin to tenant-level access
VSG Deployment Scenario
Deployment in Multitenant Environment (figure: three vSphere hosts with vPath under one 1000V VSM, a VMware vCenter Server and the Cisco Virtual Network Management Center Server on the data center network; Tenant A with Web Zone and App Zone, Tenant B with Dev Zone and QA Zone; each tenant has an active VSG and a standby VSG)
Security policies enforced on a shared compute environment
vPath is multitenant aware
Active and standby VSGs on different physical hosts
Deployment: VSGs on Dedicated Host (figure: same tenants and zones; the active VSGs for Tenant A and Tenant B on one dedicated host and the standby VSGs on another, with vPath on the workload hosts)
Dedicated servers to host the VSG appliances
Decouple the service from compute resources
Easy to scale out with dedicated hosting of the service
VSG/VNMC Deployment Steps (figure: vCenter, VSM, VNMC and VSG with the registration arrows numbered 1-5)
1) Install VNMC
2) Register VNMC to vCenter
3) Register VSM to VNMC
4) Install VSG
5) Register VSG to VNMC
Note: vCenter, vSphere and Nexus 1000V (VSM & VEMs) are assumed to be already installed; the VSM can be a VM or run on a Nexus 1010
Deployment Step 1: Install VNMC
Install VNMC as a virtual appliance in vCenter, from an OVA or ISO image
Deployment Step 2: Register VNMC
Register the VNMC to vCenter: a vCenter extension file is installed via the vCenter plug-in, similar to the VSM integration with vCenter
Deployment Step 3: Register VSM
Register the VSM to VNMC via the Policy Agent; VNMC gets the VM-to-IP mapping from the VSM (screenshots: registration steps, registration status)
Deployment Step 4: Install VSG
Install VSG as a virtual appliance in vCenter, from an OVA or ISO image
Deployment Step 5: Register VSG
Register the VSG to VNMC via the Policy Agent; security and device policies are published to the VSG once it is registered to VNMC
NOTE: Registration is done as part of installing the VSG via the OVA template (screenshots: registration steps, registration status)
VSG High Availability (HA)
VSG Solution – High Availability
Component   High Availability          Behavior
VSG         Active/Standby             Standby VSG takes over within 6-10 seconds
VNMC        VMware High Availability   Backup against hardware failures
VSM         Active/Standby             Standby VSM takes over within 6-10 seconds
VSG Solution – High Availability: Head-less operation (figure: the system architecture diagram with vCenter, VSM, VNMC, VSG and vPath on the ESX servers / Nexus 1000V, showing VM attributes, port-profile interactions, security profiles, VM-to-IP binding, slow-path and fast-path packets)
Head-less operation: vPath continues to enforce the cached security decision on existing flows during temporary failures of vCenter, VNMC, VSM and/or VSG
Performance/Scale
Feature                      VSG                         VNMC
Zones                        32                          4096
Access control rules         1024                        8192
Max attributes per rule      16                          16
Max concurrent connections   128K in vPath, 256K in VSG  N/A
Max new connections/sec      4K                          N/A
Max VSGs                     N/A                         128
Max VSMs                     N/A                         3
Max VCs (vCenters)           N/A                         2
Max tenants                  1                           128
Max VMs                      300                         800-1000 (1600 vNICs)
Host scalability             12 VEMs                     N/A
Max security profiles        256                         2048
VSG: Use Case
Example: 3-tier Server Zones – Policy: Content Hosting (Web-zone, Application-zone, Database-zone), the same five rules as in Use Case 2: permit only port 80 (HTTP) of web servers; permit only port 22 (SSH) to application servers; only permit web servers access to application servers; only permit application servers access to database servers; block all external access to database servers
VSG Policy Provisioning Logical Flow
VNMC: Define Zones → Define Policy → Policy Set → Create Security Profile → Assign Tenant VSG
VSM: Port Profile bound to the Security Profile
vCenter: PortGroup (the Port Profile) → Protection of the VMs attached to it
Security Policy Flow (steps: 1 Zones, 2 Policies, 3 Rules, 4 Conditions, 5 Policy Set, 6 Security Profile, 7 Assign VSG, 8 Profile Binding, 9 VM Port-Group Mapping)
Step 1, Define Zones: Policy Management > Firewall Policy > Tenant > Zones
Step 2, Define Policy: Policy Management > Firewall Policy > Tenant > Policies
Steps 3 and 4, Rules within Policy and Conditions within Rules: edit the Policy to create Rule(s) where source and destination conditions are specified based on
Step 5, Assign Policies to Policy Set: one or more Policies are assigned to the Policy Set
Step 6, Security Profile: create the Security Profile at the tenant level and select from the available Policy Sets in the drop-down menu
Step 7, Assign VSG to the Security Profile: assign the VSG at tenant level under Resource Management > Managed Resources > Virtual Security Gateways > Tenant (tree level) > VSG Details
Step 8, Port Profile to Security Profile Binding: go to the VSM and, under the port profile, apply the security profile and define the tenant tree
Step 9, vCenter: attach the VM to a PortGroup (Port Profile)
Summary
The Cisco N1KV switch is a required component to deploy VSG
VSG leverages vPath technology on the VEM and does NOT need to be installed on every ESX host
Non-disruptive administration model
One or more active VSGs per tenant