Note If you install VNMC with VSG, ASA 1000V, or both, memory and disk space requirements are higher than identified in Table 2. For more information, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG2(1.1) and Cisco Virtual Network Management Center, Release 2.1 Installation and Upgrade Guide.
Table 2 VNMC System Requirements
Two virtual CPUs
3 GB RAM
20 GB on a single disk
Note If VNMC is deployed in a high availability (HA) cluster, the disk may be configured on a shared disk (provisioned using SAN or NFS).
One management network interface
x86 Intel or AMD server with 64-bit processor listed in the VMware compatibility matrix
Interfaces and Protocols: Lightweight Directory Access Protocol (LDAP)
Intel Virtualization Technology (VT): Enabled in the BIOS
VNMC is a multi-hypervisor virtual appliance that can be deployed on either VMware vSphere or Microsoft Hyper-V Server 2012 (Hyper-V Hypervisor).
A shared secret password is a password that is known only to the parties using a secure communication channel. A password is designated strong if it cannot be easily guessed by someone attempting unauthorized access. When you set a shared secret password for communications between VNMC, VSG, ASA 1000V, and VSM, adhere to the following criteria for setting valid, strong passwords:
Do not include the following items in passwords:
– These characters: & ' " ` ( ) < > | \ ; $
Make sure your password has the characteristics of strong passwords described in Table 8.
Table 8 Characteristics of Strong Passwords
Strong passwords have:
– At least eight characters.
– Lowercase letters, uppercase letters, digits, and special characters.
Strong passwords do not have:
– Consecutive alphanumeric characters, such as abcd or 1234.
– Characters repeated three or more times, such as …
– A variation of the word …, such as …, or one that changes the capitalization of letters in the word.
– The username, or the username in reverse.
– A permutation of characters present in the username or …
Examples of strong passwords are: …
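The following script is an added example, not Cisco code and not part of this guide, that applies the shared-secret criteria above to a candidate password before it is entered into VNMC, VSG, ASA 1000V, and VSM. Where the page leaves a rule open the script makes an assumption, noted in the comments: "consecutive alphanumeric characters" is read as four or more characters that each step up by one (abcd, 1234); "repeated three or more times" is read as three identical characters in a row; the word whose variations are banned is missing from the page, so the script assumes "password" and takes a configurable list, normalising common leet-speak substitutions with a table of its own; and the username rule is checked by substring, which is stricter than an exact match. The candidate passwords at the bottom are constructed for the example.

```python
"""Shared-secret strength check modelled on the VNMC criteria.

Added example only: not Cisco code. The rule interpretations below are
assumptions noted in the comments.
"""
import re

# Characters the guide says must not appear in a shared secret.
FORBIDDEN_CHARS = frozenset("&'\"`()<>|\\;$")

# Leet-speak normalisation for the "variation of a word" rule. The guide's
# own examples are missing from the page, so this table is an assumption.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def _ascending_run(text, length=4):
    """True if `length` consecutive alphanumerics each step up by one code
    point, e.g. 'abcd' or '1234'. Case-insensitive; a run length of 4 is an
    assumption (the guide only gives those two examples)."""
    t = text.lower()
    for i in range(len(t) - length + 1):
        chunk = t[i:i + length]
        if chunk.isalnum() and all(ord(chunk[j + 1]) - ord(chunk[j]) == 1
                                   for j in range(length - 1)):
            return True
    return False


def _variation_of(password, word):
    """True if `word` appears once the candidate is lower-cased,
    leet-normalised and stripped to letters ('P@ssw0rd!' -> 'password')."""
    letters = "".join(c for c in password.lower().translate(_LEET)
                      if c.isalpha())
    return word.lower() in letters


def check_shared_secret(password, username="", banned_words=("password",)):
    """Return the list of rules the candidate breaks; an empty list means
    the candidate meets every criterion in the guide."""
    problems = []
    if len(password) < 8:
        problems.append("too short (fewer than 8 characters)")
    found = sorted(FORBIDDEN_CHARS.intersection(password))
    if found:
        problems.append("contains forbidden character(s): " + "".join(found))
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    if not (has_lower and has_upper and has_digit and has_special):
        problems.append("lacks one of: lowercase, uppercase, digit, special")
    if _ascending_run(password):
        problems.append("contains a consecutive run such as abcd or 1234")
    # Three identical characters in a row ('aaa'): interpretation of the
    # "repeated three or more times" rule.
    if re.search(r"(.)\1\1", password):
        problems.append("repeats a character three or more times in a row")
    if any(_variation_of(password, w) for w in banned_words):
        problems.append("is a variation of a banned word")
    if username:
        u, p = username.lower(), password.lower()
        # Substring check is stricter than the guide's wording (assumption).
        if u in p or u[::-1] in p:
            problems.append("contains the username or the username reversed")
        if sorted(u) == sorted(p):
            problems.append("is a permutation of the username")
    return problems


if __name__ == "__main__":
    # Constructed candidates, not values from the guide.
    for candidate in ("Vn!c-Tr4q#7k", "P@ssw0rd!", "abcd1234X!", "Nimda!23"):
        verdict = check_shared_secret(candidate, username="admin")
        print(candidate, "->", "strong" if not verdict else "; ".join(verdict))
```

Run the script as-is to see one passing candidate and three rejected ones, or import check_shared_secret into whatever tooling generates the shared secret and refuse any value that returns a non-empty list. The forbidden-character rule is checked independently of the class rule, so a candidate can fail both; the list reports every rule it breaks rather than stopping at the first.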
Configuring Chrome for Use with VNMC
If you are using Chrome version 18.0 or earlier with VNMC 2.x, you must disable the Adobe Flash Player plug-ins that are installed by default with Chrome.
Note You must perform this procedure each time your client machine reboots, because Chrome 18.0 or earlier automatically re-enables its bundled Adobe Flash Player plug-ins when the system on which it is running reboots.
To disable the default Adobe Flash Player plug-ins in Chrome 18.0 or earlier:
Step 1 In the Chrome URL field, enter
Step 2 Click
Step 3 Locate the Adobe Flash Player plugins, and disable each one.
Step 4 Download and install Adobe Flash Player version 11.0.
Step 5 Close and reopen Chrome before logging into VNMC 2.x.
You can install VNMC on either of the following hypervisors: VMware vSphere (by deploying the OVA or ISO image) or Microsoft Hyper-V Server 2012 (Hyper-V Hypervisor).
Note If you are installing both VNMC and VSG in your environment, refer to the Cisco Virtual Security Gateway, Rel. 4.2(1)VSG1(4.1) and Cisco Virtual Network Management Center, Rel. 2.0 Installation and Upgrade Guide for complete installation instructions.
Installing VNMC on VMware Hypervisor
VNMC can be installed by deploying the VNMC OVA image or the VNMC ISO image on the VMware Hypervisor. This section includes the procedures for both:
Step 1 Use vSphere Client to log into the vCenter Server.
Step 2 Choose the host on which to deploy the VNMC VM.
Step 3 From the File menu, choose Deploy OVF Template.
Step 4 In the Source screen (see Figure 1), choose the VNMC OVA, then click Next.
Step 5 In the OVF Template Details screen, review the details of the VNMC template, then click Next.
Step 6 In the End User License Agreement screen, click Accept, then click Next.
Step 7 In the Name and Location screen, provide the required information, then click Next.
Step 8 In the Deployment Configuration screen, choose VNMC Installer from the Configuration drop-down list, then click Next.
Step 9 In the Datastore screen (see Figure 2), select the data store for the VM, then click Next.
The storage can be local or shared remote, such as NFS or SAN.
Step 10 In the Disk Format screen, click either Thin provisioned format or Thick provisioned format to store the VM virtual disks, then click Next.
The default is thick provisioned. If you do not want to allocate the storage immediately, use thin provisioned.
Note You can safely ignore the red text in the window.
Step 11 In the Network Mapping screen, select the management network port profile for the VM, then click Next.
Step 12 In the Properties screen (see Figure 3), provide the required information, and address any errors described in the red text messages below the selection box (if needed, you can enter placeholder information as long as your entry meets the field requirements); then click Next.
Note You can safely ignore the VNMC Restore fields.
Step 13 In the Ready to Complete screen (see Figure 4), review the deployment settings, then click Finish.
Caution Any discrepancies can cause VM booting issues. Carefully review the IP address, subnet mask, and gateway information.
A progress indicator shows the task progress until VNMC is deployed.
Step 14 After VNMC is successfully deployed, click Close and power on the VNMC VM.
Example Screens Showing OVA Deployment
Figure 1 Source Screen
Figure 2 Datastore Screen
Figure 3 Properties Screen
Figure 4 Ready to Complete Screen
Deploying the ISO image on VMware Hypervisor
Before You Begin
Set your keyboard to United States English before installing VNMC and using the VM console.
Verify that the VNMC ISO image is available in the vSphere Client.
Verify that the Hyper-V Hypervisor host on which to deploy the VNMC VM is available in the System Center Virtual Machine Manager (SCVMM).
Copy the VNMC 2.1 ISO image to the SCVMM library location on the file system. To make this image available in SCVMM, choose Library > Library Servers, right-click the library location, and then refresh.
Step 14 Launch SCVMM again, right-click the virtual machine (vnmc21-hyperv in this case), and choose Properties > Hardware Configuration > Bus Configuration > Virtual DVD Drive > no media, so that VNMC does not use the ISO image at boot time.
Step 15 After VNMC is successfully deployed, click Close and power on the VNMC VM.
Example Screens Showing VNMC Installation on Microsoft Hyper-V Hypervisor
Figure 5 Select Source Screen
Figure 6 Configure Hardware Screen
Figure 7 Summary Screen
Figure 8 Jobs Screen
provides a checklist of the VNMC configuration tasks.
Task 5—Verifying VSG, VSM, and ASA 1000V Registration with VNMC
Before You Begin
Make sure you have the information identified in Table 7.
To verify the VNMC policy agent status on ASA 1000V, VSM, or VSG, enter the following command in the CLI:
vsg# show vnm-pa status
The following message is displayed if registration was successful:
VNM Policy-Agent status is - Installed Successfully. Version 2.0(1a)-vsg
To verify if VSG, VSM, and ASA 1000V are registered with VNMC:
Step 1 In VNMC, choose Administration > Service Registry > Clients.
Step 2 In the Clients table (see Figure 13), confirm that the Open State column contains registered for the ASA 1000V, VSG, and VSM entries.
Example Screen Showing the Client Window
Figure 13 Clients Window
Task 6—Configuring a Tenant
Tenants are entities (such as businesses, agencies, or institutions) whose data and processes are hosted on VMs in a virtual data center. To provide firewall security for each tenant, you must first configure the tenant in VNMC.
To configure a tenant:
Step 1 Choose Tenant Management > root.
Step 2 In the upper-right corner of the Tenant Management Root pane (see Figure 14), click Create Tenant.
Step 3 In the Create Tenant dialog box, enter a name and brief description for the tenant, then click
The newly created tenant is listed in the navigation pane under root (see Figure 15).
Example Screens Showing Tenant Configuration
Figure 14 Tenant Management Root Pane
Figure 15 VNMC Navigation Pane with Tenant
Task 7—Configuring a Service Profile in VNMC
A profile is a collection of policies. By creating a profile and then applying that profile to one or more objects (such as a data interface for an ASA 1000V or a VSM port profile), you can ensure that those objects have consistent policies.
To configure a compute security profile in VNMC:
Step 1 Choose Policy Management > Service Profiles > root > tenant > Compute Firewall > Compute Security Profiles, where tenant is the required tenant.
Step 2 In the General tab, click Add Compute Security Profile.
Step 3 In the Add Compute Security Profile dialog box, enter a name and description for the security profile, then click
Task 8—Configuring a Device Profile in VNMC
To configure a device profile in VNMC:
Step 1 Choose Policy Management > Device Configurations > root > tenant > Device Profiles, where tenant is the required tenant.
Step 2 In the General tab, click Add Device Profile.
Step 3 In the New Device Profile dialog box, enter a name and description for the device profile, then click
Task 9—Configuring a Compute Firewall
A compute firewall is a logical virtual entity in VNMC that contains the device profile that you assign to a VSG VM. Any device policies that are in the VNMC device profile are applied to the assigned VSG. After the policy has been applied to the VSG, the compute firewall is in an applied configuration state in VNMC.
Step 2 In the General tab, click Add Compute Firewall.
Step 3 In the Add Compute Firewall dialog box (see Figure 16), enter the information described in Table 10, then click
The VNMC window is refreshed and displays the newly created compute firewall.
Table 10 Add Compute Firewall Dialog Box Fields
Name: Compute firewall name, consisting of 1 to 32 characters. The name can contain alphanumeric characters, hyphen (-), underscore (_), period (.), and colon (:). You cannot change this name after it is saved.
Description: Brief description of the compute firewall.
Device Profile: To apply a device profile:
1. …
2. In the Select Device Profile dialog box, choose the device profile, then click
Data IP Address: VSG data IP address (not the management IP address).
Data IP Subnet: VSG subnet mask.
Example Screen Showing the Add Compute Firewall Dialog Box
Figure 16 Add Compute Firewall Dialog Box
Task 10—Assigning a Compute Firewall to a VSG
After you configure a compute firewall in VNMC, you can assign it to a VSG so that the device policies in the specified device profile are applied to the VSG.
Configuring and enabling a syslog policy for a VSG or ASA 1000V element ensures that you receive syslog messages for the severities that you specify. For example, depending on the syslog policy, you could receive syslog messages notifying you that a firewall rule has been invoked and that a permit or deny action has been taken.
Logging enables you to monitor traffic, troubleshoot issues, and verify that devices are configured and operating properly.
Enabling Policy-Engine Logging in a Monitor Session
To enable logging level 6 for policy-engine logging in a monitor session:
Step 3 In the Policy Engine Logging area at the lower-right of the device profiles page (see Figure 25), click Enabled, and then click Save.
Example Screens Showing Global Policy-Engine Logging
Figure 25 Device Profiles Pane
Troubleshooting VNMC Installation and Configuration
The VNMC interface provides links to browser windows that enable you to examine policy and configuration errors that prevent the successful application of a policy, or to review the faults and events associated with successfully applied policies and configurations. This same feature enables you to examine the faults associated with a compute firewall or an edge firewall.
Examining Faults and Configuration Errors for Edge Firewalls
Before You Begin
Associate the edge firewall to an ASA 1000V instance.
To examine faults and configuration errors for edge firewalls:
Step 2 In the General tab, in the States area, click View Configuration Faults.
The Fault Table is displayed in a new browser window, and includes the fault severity, affected object, cause, last transition, acknowledgement state, type, and description.
Step 3 To view additional information about an entry, double-click or select the entry, then click
Note Use the following upgrade procedure when you upgrade to a newer VNMC version. VNMC supports upgrades from VNMC 1.3 to VNMC 2.1 and from VNMC 2.0 to VNMC 2.1. Backing up from VNMC 1.3 and then restoring to VNMC 2.1 is not supported. Exporting from VNMC 1.3 and then importing to VNMC 2.1 is also not supported.
To upgrade from VNMC 1.3 or VNMC 2.0 to VNMC 2.1, complete the following procedures:
Note After you upgrade to VNMC 2.1, you might see the previous version of VNMC in your browser. To view the upgraded version, clear the browser cache and browsing history in the browser. This note applies to all supported browsers: Internet Explorer, Mozilla Firefox, and Chrome.
Backing Up VNMC Data Using the CLI
To save a state for recovery purposes, back up your existing VNMC data via SCP.
You can use one of the following methods to back up VNMC data:
To use the GUI, see the Cisco Virtual Network Management Center 2.1 GUI Configuration Guide.
Restoring the Previous VNMC Version
If the upgrade fails, use the CLI to restore the previous version.
Note If you are restoring VNMC with a large number of endpoints (such as VSG or ASA) and policies, allow VNMC to recover for at least 5 minutes, because CPU usage after a large data restoration is high.
Before You Begin
Temporarily disable the CSA on the remote file server.
Note Be sure to replace the example settings with the settings that apply to your environment.
Note Do not use TFTP to transfer the image or backup data; use SCP as shown in this procedure. TFTP provides no authentication or encryption.
To restore to the previous VNMC version:
Step 1 Log into VNMC as admin:
Step 2 Connect to local-mgmt:
Step 3 (Optional) Check the current version of the Cisco VNMC software:
Step 4 Download the 1.x image from a remote file server:
copy scp://imageURLtoBinFile bootflash:/
where the VNMC 1.x image filename is vnmc.1.x.0.XXXX.bin.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.