Installing the Cisco Virtual Security Gateway
This document describes how to install and complete the basic configuration of the Cisco Virtual Security Gateway (VSG) for Cisco Nexus 1000V Series switch software.
This chapter includes the following sections:
• Information About the Cisco VSG
• Prerequisites to Installing VSG Software
• Obtaining the VSG Software
• Installing the VSG Software
• Configuring Initial Settings
• Verifying the Cisco VSG Configuration
• Where to Go Next
Information About the Cisco VSG
This section describes the Cisco VSG and includes the following topics:
• Host and VM Requirements
• Cisco Virtual Security Gateway and Supported Cisco Nexus 1000V Series Switch Terminology
Host and VM Requirements
The Cisco VSG has the following requirements:
• ESX/ESXi platform running VMware software release 4.0.0 or 4.1.0, with a minimum of 4 GB of physical RAM to host a Cisco VSG VM.
• Virtual Machine (VM):
  – A 32-bit VM is required; "Other 32-bit Linux" is the recommended VM type.
  – 1 processor
  – 2 GB RAM
  – 3 NICs (1 of type VMXNET3 and 2 of type E1000)
  – Minimum 3 GB SCSI hard disk with LSI Logic Parallel adapter (default)
  – CPU speed of 1.5 GHz
Cisco Virtual Security Gateway and Supported Cisco Nexus 1000V Series Switch Terminology
The following terminology is used in the Cisco Virtual Security Gateway implementation.
Table 3-1 Cisco Virtual Security Gateway Terminology
Term | Description
Distributed Virtual Switch (DVS) | A logical switch that spans one or more VMware ESX 4.0 servers. It is controlled by one VSM instance.
ESX/ESXi | A virtualization platform used to create virtual machines as a set of configuration and disk files that together perform all the functions of a physical machine.
NIC | Network Interface Card.
Open Virtual Appliance or Application (OVA) file | The package that contains the following files used to describe a virtual machine, saved in a single archive using .TAR packaging: a descriptor file (.OVF), and a manifest (.MF) and certificate files (optional).
Open Virtual Machine Format (OVF) | A platform-independent method of packaging and distributing virtual machines.
vCenter Server | A service that acts as a central administrator for VMware ESX/ESXi hosts that are connected on a network. vCenter Server directs actions on the virtual machines and the virtual machine hosts (the ESX/ESXi hosts).
Virtual Ethernet Module (VEM) | The part of the Nexus 1000V Series switch that switches data traffic. It runs on a VMware ESX 4.0 host. Up to 64 VEMs are controlled by one VSM. All the VEMs that form a switch domain should be in the same virtual data center as defined by VMware vCenter Server.
Virtual Machine (VM) | A virtualized x86 PC environment in which a guest operating system and associated application software can run. Multiple virtual machines can operate on the same host system concurrently.
vMotion | The practice of migrating virtual machines live from server to server. (VSGs cannot be moved by vMotion.)
vPath | A component in the Cisco Nexus 1000V Series switch VEM that directs the appropriate traffic to the VSG for policy evaluation. It also acts as a fast path and can short-circuit part of the traffic without sending it to the VSG.
Virtual Security Gateway (VSG) | Secures virtual networks and provides firewall functions in virtual environments using the Cisco Nexus 1000V Series switch by providing network segmentation.
Virtual Supervisor Module (VSM) | The control software of the Cisco Nexus 1000V Series distributed virtual switch. It runs on a virtual machine (VM) and is based on Cisco NX-OS.
vSphere Client | The user interface that lets users connect remotely to the vCenter Server or ESX/ESXi from any Windows PC. It is the primary interface for creating, managing, and monitoring virtual machines, their resources, and their hosts. It also provides console access to virtual machines.
Prerequisites to Installing VSG Software
Before installing the VSG, the following prerequisites must be satisfied.
For a VSG to function, the following components must be installed and configured:
• On the Cisco Nexus 1000V Series switch, configure two VLANs, a service VLAN and an HA VLAN, on the switch uplink ports. (These VLANs need not be the system VLAN.)
• On the Cisco Nexus 1000V Series switch, configure two port profiles for the VSG: one for the service VLAN and the other for the HA VLAN. (You will configure the VSG IP address on the VSG so that the Cisco Nexus 1000V Series switch can communicate with it.)
Details about configuring VLANs and port profiles on the Cisco Nexus 1000V Series switch are available in the Cisco Nexus 1000V Series switch documentation.
Obtaining the VSG Software
The Cisco VSG software files can be obtained from:
http://www.cisco.com/en/US/products/ps13095/tsd_products_support_series_home.html
Note For the VSG to function in your network, you also must meet specific prerequisites. See the "Prerequisites to Installing VSG Software" section.
Installing the VSG Software
You can install the VSG software on a virtual machine (VM) using an open virtual appliance (OVA) file or an ISO image file from the CD. Depending upon the type of file you are installing, use one of the following installation methods.
This section includes the following topics:
• Installing the VSG Software from an OVA File
• Installing the VSG Software from an ISO File
Installing the VSG Software from an OVA File
To install the VSG software from an OVA file, obtain the OVA file and either install it directly from the URL, or copy the file to the local disk from where you connect to the vCenter Server.
BEFORE YOU BEGIN
Have the following information available:
• A name for the new VSG that is unique within the inventory folder and up to 80 characters long.
• The name of the host in the inventory folder where the VSG will be installed.
• The name of the datastore in which the VM files will be stored.
• The names of the network port profiles used for the VM.
• The VSG IP address.
• The mode in which you will install the VSG:
  – Standalone
  – HA Primary
  – HA Secondary
  – Manual Installation
The following steps describe installing a standalone instance of a VSG.
DETAILED STEPS
Step 1 From the vSphere Client menu, choose the data center where you want to install the OVA file for the VSG.
Step 2 Choose File > Deploy OVF Template.
The Source dialog box opens.
Step 3 Click the Deploy from file radio button to browse and choose the location of the OVA file on the local disk.
Step 4 Click Next.
The OVF Template Details dialog box opens displaying product information, including the size of the file and the size of the VM disk.
Step 5 Click Next.
The End User License Agreement dialog box opens.
Step 6 Read the End User License Agreement.
Step 7 Click Accept and then click Next.
The Name and Location dialog box opens.
Step 8 In the Name field, add a name for the VSG that is unique within the inventory folder and less than 80 characters long.
Step 9 From the Select a datastore in which to store the VM files pane, choose your datastore. Click Next.
The Deployment Configuration window opens.
Step 10 In the Configuration field, you are presented with four options:
• Standalone
• HA Primary
• HA Secondary
• Manual Installation
For this example, select Standalone and click Next.
The Disk Format dialog box opens.
Note We are using the Standalone installation as the example in this document. If you chose Manual Installation mode, you would accept the default values for the following steps.
Note In Standalone mode, be sure to fill in all the fields indicated below (they are shown in red type in the GUI).
Step 11 From the Select a format in which to store the virtual machine's virtual disks pane, click the radio button for the format you want. Click Next.
The Host or Cluster window opens.
Step 12 Choose the host where the VSG will be installed.
Step 13 Click Next.
The Datastore dialog box opens.
Step 14 From the Select a datastore in which to store the VM files pane, choose your datastore.
Step 15 Click Next.
The Network Mapping dialog box opens.
Step 16 Click the drop-down arrows for Data (Service), Management, and HA to associate port profiles.
Step 17 Click Next.
The Properties dialog box opens.
a. In the Cisco VSG HA ID field, enter a unique number between 1 and 4095. This number helps you identify your Cisco VSG HA pairs.
b. In the Nexus 1000VSG Administration User Password field, enter your password.
c. In the Management IP Address field, enter the management address value.
d. In the Management IP Subnet Mask field, enter the management subnet mask value.
e. In the Management IP Gateway field, enter the management gateway value.
The Ready to Complete dialog box opens displaying details about your settings. Click Next.
Step 18 If the settings are correct, click Finish.
The deployment task begins in a dialog box that notifies you when the installation completes successfully.
Step 19 Click Close.
You have completed installing the Cisco Virtual Security Gateway software and creating a VM for the VSG.
a. Power on the VSG you just created.
b. If you chose Standalone mode for installation in Step 10, you will now see the VSG login prompt. Log in with your VSG Administration password.
You may now proceed with configuring the Cisco Virtual Security Gateway. For details, see the Cisco Virtual Security Gateway for Nexus 1000V Series Switch Firewall Policy Guide, Release 4.2(1)VSG1(1).
c. If you chose Manual Installation in Step 10, proceed to the "Configuring Initial Settings" section to configure the initial settings on the VSG.
Note If you are installing HA VSGs, you must configure the software on the primary VSG before installing the software on the secondary VSG.
Installing the VSG Software from an ISO File
To install the Virtual Security Gateway from an ISO file, use the following procedure.
BEFORE YOU BEGIN
Have the following information available:
• A name for the new VSG that is unique within the inventory folder and up to 80 characters long.
• The name of the host in the inventory folder where the VSG will be installed.
• The name of the datastore in which the VM files will be stored.
• The names of the network port profiles used for the VM.
• The VSG IP address.
DETAILED STEPS
Step 1 Upload the Cisco Virtual Security Gateway ISO image to the vCenter datastore.
Step 2 From the data center in the vSphere Client menu, choose your ESX host where you want to install the Cisco Virtual Security Gateway and choose New Virtual Machine.
The Create New Virtual Machine dialog box opens.
For VM requirements, see the "Host and VM Requirements" section. For detailed information about how to create a VM, see the VMware documentation.
Step 3 Click the Custom radio button to create a VM, and click Next.
The Create New Virtual Machine dialog box opens.
Step 4 In the Name field, add a name for the Cisco VSG that is unique within the inventory folder and less than 80 characters long.
Step 5 In the Inventory Location field, choose your data center. Click Next.
The Datastore dialog box opens.
Step 6 From the Select a datastore in which to store the VM files pane, choose your datastore. Click Next.
The Virtual Machine Version dialog box opens.
Step 7 Click the Virtual Machine Version: 7 radio button to run on VMware ESX server version 4.0 or later and VMware Server 2.0.
The Guest Operating System dialog box opens.
Step 8 Click the Linux radio button.
Step 9 In the Version field, choose Other 2.6x Linux (32-bit) from the drop-down list. Click Next.
The CPUs dialog box opens.
Step 10 In the Number of virtual processors field, choose 1 from the drop-down list. Click Next.
The Memory dialog box opens.
Step 11 Choose a memory size of 2 GB. Click Next.
The Create Network Connectors dialog box opens.
Step 12 In the How many NICs do you want to connect? field, choose 3 from the drop-down list.
Step 13 In the Network pane, choose service, management, and HA port profiles in that sequence from the NIC 1, NIC 2, and NIC 3 drop-down lists as required. Choose VMXNET3 for the adapter type for NIC 1. Choose E1000 for the adapter type for NIC 2 and NIC 3. Click Next.
The SCSI Controller dialog box opens.
Step 14 The radio button for the default SCSI controller is chosen. Click Next.
The Select a Disk dialog box opens. The radio button for the default disk is chosen.
Step 15 Click Next.
The Create a Disk dialog box opens. The default virtual disk size and policy is chosen.
Step 16 Click Next.
The Advanced Options dialog box opens. The default options are chosen.
Step 17 Click Next.
The Ready to Complete dialog box opens.
Step 18 In the Settings for the new virtual machine pane, review your settings.
Step 19 Check the Edit the virtual machine before completion box. Click Continue.
A dialog box with device details opens.
Step 20 From the Hardware pane, choose your New CD/DVD (adding).
Step 21 Click the Datastore ISO File radio button to browse and locate your ISO file from the drop-down menu.
Step 22 In the Device Status pane, check the Connect at power on box. Click Finish.
The Summary tab window opens.
Step 23 In the Recent Tasks pane, wait for the Create virtual machine status to complete.
Step 24 From the vSphere Client menu, choose your recently installed VM and click Power on the virtual machine in the VM pane.
Step 25 Click the Console tab to view the VM console and wait for the Install Virtual Firewall and bring up the new image to boot.
Proceed to the "Configuring Initial Settings" section to configure the initial settings on the Cisco VSG.
Note To allocate additional RAM, first power off the VM by right-clicking on the VM icon and then choosing Power > Power Off from the popup menu.
After the VM is powered down, edit the configuration settings on the VM for controlling memory resources.
Configuring Initial Settings
This section describes how to configure initial settings on the Cisco VSG and includes the following topic:
• Configuring Initial Settings on a Standby Cisco VSG
When you power on the Cisco VSG for the first time, depending on which mode you used to install your Cisco VSG, you might be prompted to log into the Cisco VSG to configure initial settings at the console on your vSphere Client.
For details about installing Cisco VSG, see the "Installing the VSG Software" section.
BEFORE YOU BEGIN
See Table 3-2 to determine if you must configure initial settings as described in this section.
Table 3-2 Configure Initial Settings Based on Cisco Virtual Security Gateway Installation Method
Your Cisco Virtual Security Gateway Software Installation Method | Configure Initial Settings?
Installing an OVA file and choosing Manually Configure Nexus 1000VSG in the Configuration field during installation. | Yes. Proceed with configuring initial settings as described in this section.
Installing an OVA file and choosing any option other than the manual method in the Configuration field during installation. | No. You have already configured the initial settings during the OVA file installation.
Installing an ISO file. | Yes. Proceed with configuring initial settings as described in this section.
Use the following procedure to configure the Cisco VSG with its initial settings:
Step 1 At the Console tab on your VM after the Cisco VSG software image boots, create the admin password.
Enter the password for "admin":<password>
Note This password is required for further access by Cisco VSG administrators.
Step 2 Confirm the admin password.
Step 3 Enter the HA role of the Cisco VSG.
Enter HA role[standalone/primary/secondary]:primary
Step 4 Enter an ID number for the HA pair.
Enter the ha id(1-4095): 25
Note The HA ID uniquely identifies the two Cisco VSGs in an HA pair. If you are configuring Cisco VSGs in an HA pair, make sure that the ID number you provide is identical to the other Cisco VSG in the pair.
Step 5 Enter the basic system configuration setup dialog.
The following example shows how to configure a basic system configuration setup dialog:
Would you like to enter the basic configuration dialog (yes/no):yes
Create another login account(yes/no)[n]:n
Configure read-only SNMP community string (yes/no)[n]:n
Enter the Virtual Security Gateway (VSG) name:VSG-demo
Continue with Out-of-band (mgmt0) management configuration? (yes/no)[y]:y
Mgmt IPv4 address:10.10.10.11
Mgmt IPv4 netmask:255.255.255.0
Configure the default gateway? (yes/no)[y]:y
IPv4 address of the default gateway:10.10.10.1
Configure the DNS IPv4 address? (yes/no)[no]:no
Enable the telnet service? (yes/no)[y]:n
Configure the ntp server? (yes/no) [n]:n
The following configuration will be applied:
ip address 10.10.10.11 255.255.255.0
ip address 215.1.1.1 255.255.0
ip route 0.0.0.0/10.10.11.1
Would you like to edit the configuration? (yes/no)[n]:n
Use this configuration and save it? (yes/no)[y]:y
[##########################################################] 100%
Step 6 Enter the administrator login.
Step 7 Enter the password.
You are now at the VSG node.
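As an added pre-flight check (example code, not from the Cisco document), the following Python function takes the answers planned for the dialog above and verifies the constraints the procedure states: a valid HA role, an HA ID between 1 and 4095 that matches the peer VSG in an HA pair, a default gateway that is a host address in the mgmt0 subnet, and the telnet service left disabled (the dialog's default answer is yes). SETUP_ANSWERS and validate_setup are names chosen here; the dict mirrors the sample answers shown above.

```python
import ipaddress

HA_ROLES = ("standalone", "primary", "secondary")

# Constructed record of the answers given in the setup dialog above
# (the dialog itself is interactive; this dict only mirrors its prompts).
SETUP_ANSWERS = {
    "ha_role": "primary",
    "ha_id": 25,
    "vsg_name": "VSG-demo",
    "mgmt_ipv4": "10.10.10.11",
    "mgmt_netmask": "255.255.255.0",
    "default_gateway": "10.10.10.1",
    "telnet": "n",
}

def validate_setup(answers, peer_ha_id=None):
    """Return a list of problems with the planned answers; [] means consistent.

    peer_ha_id is the HA ID already configured on the other VSG of an HA pair,
    if any; the guide requires both members to use the same ID.
    """
    problems = []
    role = answers.get("ha_role")
    if role not in HA_ROLES:
        problems.append(f"HA role must be one of {HA_ROLES}, got {role!r}")

    ha_id = answers.get("ha_id")
    if not isinstance(ha_id, int) or not 1 <= ha_id <= 4095:
        problems.append(f"HA id must be an integer from 1 to 4095, got {ha_id!r}")
    elif role in ("primary", "secondary") and peer_ha_id is not None and peer_ha_id != ha_id:
        problems.append(f"HA id {ha_id} does not match the peer's HA id {peer_ha_id}")

    # mgmt0 address and mask must form a valid interface, and the gateway must
    # be a host address inside that subnet; otherwise the VSG is unreachable
    # out of band once the configuration is saved.
    try:
        mgmt = ipaddress.IPv4Interface(f"{answers['mgmt_ipv4']}/{answers['mgmt_netmask']}")
    except (KeyError, ValueError) as exc:
        problems.append(f"invalid management address/netmask: {exc}")
        mgmt = None
    gateway = answers.get("default_gateway")
    if mgmt is not None and gateway is not None:
        try:
            gw = ipaddress.IPv4Address(gateway)
        except ValueError:
            problems.append(f"invalid default gateway {gateway!r}")
        else:
            unusable = (mgmt.ip, mgmt.network.network_address, mgmt.network.broadcast_address)
            if gw not in mgmt.network or gw in unusable:
                problems.append(f"gateway {gateway} is not a usable host address in {mgmt.network}")

    # The dialog defaults telnet to yes; telnet carries the admin password in
    # cleartext, so the expected answer is 'n'.
    if str(answers.get("telnet", "y")).lower() in ("y", "yes"):
        problems.append("telnet service enabled; answer 'n' to the telnet prompt")
    return problems
```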
Configuring Initial Settings on a Standby Cisco VSG
To add a standby Cisco VSG, log in to the Cisco VSG you have identified as secondary and use the following procedure to configure it with its initial settings:
Step 1 At the Console tab on your VM after the Cisco VSG software image boots, enter the admin password.
Enter the password for "admin":<password>
Step 2 Confirm the admin password.
Step 3 Enter an ID number for the HA pair.
Enter the ha-pair id(1-4095): 25
Note The HA ID uniquely identifies the two VSGs in an HA pair. If you are configuring Cisco VSGs in an HA pair, make sure that the ID number you provide is identical to the other Cisco VSG in the pair.
Step 4 Enter the HA role of the Cisco VSG.
Enter HA role[standalone/primary/secondary]:secondary
Step 5 Enter the administrator login.
Step 6 Enter the password.
You are now at the Cisco VSG node.
Verifying the Cisco VSG Configuration
To display the Cisco VSG configuration, perform one of these tasks:
Table 3-3 Verifying VSG Configuration
Command | Purpose
vsg# show interface brief | Displays brief status and interface information.
vsg# show vsg | Displays the Cisco VSG and system-related information.
These examples show how to verify the Cisco VSG configuration.
vsg# show interface brief
--------------------------------------------------------------------------------
Port   VRF          Status IP Address                              Speed    MTU
--------------------------------------------------------------------------------
mgmt0  --           up     10.193.77.217                           1000     1500
--------------------------------------------------------------------------------
Port   VRF          Status IP Address                              Speed    MTU
--------------------------------------------------------------------------------
data0  --           up     172.168.1.1                             1000     1500
vsg# show vsg
VSG Software Version: 4.2(1)VSG1(1) build [4.2(1)VSG1(0.399)]
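As an added example (not Cisco's code), this Python snippet parses the show interface brief and show vsg output above and compares it with the values entered during initial setup, so the post-install check can be scripted rather than read by eye. The sample text is a constructed copy of the output shown; parse_interface_brief, parse_vsg_version and check_vsg are names chosen here.

```python
import re

# Constructed copy of the 'show interface brief' output shown in the guide.
SHOW_INTERFACE_BRIEF = """\
--------------------------------------------------------------------------------
Port   VRF          Status IP Address                              Speed    MTU
--------------------------------------------------------------------------------
mgmt0  --           up     10.193.77.217                           1000     1500
--------------------------------------------------------------------------------
Port   VRF          Status IP Address                              Speed    MTU
--------------------------------------------------------------------------------
data0  --           up     172.168.1.1                             1000     1500
"""

# Constructed copy of the 'show vsg' output shown in the guide.
SHOW_VSG = "VSG Software Version: 4.2(1)VSG1(1) build [4.2(1)VSG1(0.399)]"

COLUMNS = ("vrf", "status", "ip", "speed", "mtu")

def parse_interface_brief(text):
    """Return {port: {vrf, status, ip, speed, mtu}} from 'show interface brief'."""
    interfaces = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip the dashed separators and the repeated column header; a data
        # row has exactly six whitespace-separated fields.
        if len(fields) != 6 or fields[0] == "Port":
            continue
        port, *values = fields
        interfaces[port] = dict(zip(COLUMNS, values))
    return interfaces

def parse_vsg_version(text):
    """Return the version string from 'show vsg', or None if absent."""
    match = re.search(r"VSG Software Version:\s*(\S+)", text)
    return match.group(1) if match else None

def check_vsg(interface_text, vsg_text, expected_mgmt_ip, expected_version):
    """Compare live output with the mgmt0 address and image expected after setup."""
    problems = []
    ifaces = parse_interface_brief(interface_text)
    for port in ("mgmt0", "data0"):
        if port not in ifaces:
            problems.append(f"{port} missing from show interface brief")
        elif ifaces[port]["status"] != "up":
            problems.append(f"{port} is {ifaces[port]['status']}, expected up")
    mgmt_ip = ifaces.get("mgmt0", {}).get("ip")
    if mgmt_ip != expected_mgmt_ip:
        problems.append(f"mgmt0 address {mgmt_ip} != expected {expected_mgmt_ip}")
    version = parse_vsg_version(vsg_text)
    if version != expected_version:
        problems.append(f"software version {version} != expected {expected_version}")
    return problems
```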
Where to Go Next
After installing and completing the initial configuration of the Cisco VSG, you can configure firewall policies on the Cisco VSG through the Cisco VNMC.