Cisco Virtual Security Gateway, Release 4.2(1)VSG1(4.1) and Cisco Virtual Network Management Center, Release 2.0 Installation and Upgrade Guide
Installing the Cisco VSG
Downloads: This chapterpdf (PDF - 1.25MB) The complete bookPDF (PDF - 5.68MB) | Feedback

Installing the Cisco VSG

Installing the Cisco VSG

This chapter contains the following sections:

Information About the Cisco VSG

This section describes how to install and complete the basic configuration of the Cisco VSG for VMware vSphere software.

Host and VM Requirements

The Cisco VSG has the following requirements:
  • ESX or ESXi platform running VMware software release 4.1, 5.0, or 5.1 and requiring a minimum of 4-GB physical RAM to host a Cisco VSG VM
  • Virtual Machine (VM)
    • 32-bit VM is required and “Other 2.6.x (32-bit) Linux” is a recommended VM type.
    • 2 processors (1 processor is optional.)
    • 2-GB RAM
    • 3 NICs (1 of type VMXNET3 and 2 of type E1000)
    • Minimum 3-GB SCSI hard disk with LSI Logic Parallel adapter (default)
    • Minimum CPU speed of 1 GHz

Cisco VSG and Supported Cisco Nexus 1000V Series Device Terminology

The following table lists the terminology is used in the Cisco VSG implementation.

Term

Description

Distributed Virtual Switch (DVS)

Logical switch that spans one or more VMware ESX servers. It is controlled by one VSM instance.

ESX/ESXi

Virtualization platform used to create the virtual machines as a set of configuration and disk files. The package that contains the following files used to describe a virtual machine and saved in a single archive using .TAR packaging:that together perform all the functions of a physical machine.

NIC

Network interface card.

Open Virtual Appliance or Application (OVA) file

Package that contains the following files used to describe a virtual machine and saved in a single archive using .TAR packaging:

  • Descriptor file (.OVF)
  • Manifest (.MF) and certificate files (optional)

Open Virtual Machine Format (OVF)

Platform-independent method of packaging and distributing Virtual Machines (VMs).

vCenter Server

Service that acts as a central administrator for VMware ESX/ESXi hosts that are connected on a network. vCenter Server directs actions on the VMs and the VM hosts (the ESX/ESXi hosts).

Virtual Ethernet Module (VEM)

Part of the Cisco Nexus 1000V Series switch that switches data traffic. It runs on a VMware ESX host. Up to 64 VEMs are controlled by one VSM. All the VEMs that form a switch domain should be in the same virtual data center as defined by the VMware vCenter Server.

Virtual Machine (VM)

Virtualized x86 PC environment in which a guest operating system and associated application software can run. Multiple VMs can operate on the same host system concurrently.

VMotion

Practice of migrating virtual machines live from server to server. (The Cisco VSGs cannot be moved by VMotion.)

vPath

Component in the Cisco Nexus 1000V Series switch with a VEM that directs the appropriate traffic to the Cisco VSG for policy evaluation. It also acts as fast path and can short circuit part of the traffic without sending it to the Cisco VSG.

Virtual Security Gateway (VSG)

Cisco software that secures virtual networks and provides firewall functions in virtual environments using the Cisco Nexus 1000V Series switch by providing network segmentation.

Virtual Supervisor Module (VSM)

Control software for the Cisco Nexus 1000V Series distributed virtual device that runs on a virtual machine (VM) and is based on Cisco NX-OS.

vSphere Client

User interface that enables users to connect remotely to the vCenter Server or ESX/ESXi from any windows PC. The primary interface for creating, managing, and monitoring VMs, their resources, and their hosts. It also provides console access to VMs.

Prerequisites for Installing the Cisco VSG Software

The following components must be installed and configured:

  • On the Cisco Nexus 1000V Series switch, configure two VLANs, a service VLAN, and an HA VLAN on the switch uplink ports. (The VLAN does not need to be the system VLAN.)
  • On the Cisco Nexus 1000V Series switch, configure two port profiles for the Cisco VSG: one for the service VLAN and the other for the HA VLAN. (You will be configuring the Cisco VSG IP address on the Cisco VSG so that the Cisco Nexus 1000V Series switch can communicate with it.)

Details about configuring VLANs and port profiles on the Cisco Nexus 1000V Series switch are available in the Cisco Nexus 1000V Series switch documentation.

Obtaining the Cisco VSG Software

You can obtain the Cisco VSG software files at this URL:

http:/​/​www.cisco.com/​en/​US/​products/​ps11208/​index.html

Installing the Cisco VSG Software

You can install the Cisco VSG software on a VM by using an open virtual appliance (OVA) file or an ISO image file from the CD. Depending upon the type of file that you are installing, use one of the installation methods described in the following topics

Installing the Cisco VSG Software from an OVA File

To install the Cisco VSG software from an OVA file, obtain the OVA file and either install it directly from the URL or copy the file to the local disk from where you connect to the vCenter Server.

Before You Begin

  • Specify a name for the new Cisco VSG that is unique within the inventory folder and has up to 80 characters.
  • Know the name of the host where the Cisco VSG will be installed in the inventory folder.
  • Know the name of the datastore in which the VM files will be stored.
  • Know the names of the network port profiles used for the VM.
  • Know the Cisco VSG IP address.
  • Know the mode in which you will be installing the Cisco VSG:
    • Standalone
    • HA Primary
    • HA Secondary
    • Manual Installation
Procedure
    Step 1   Choose the host on which to deploy the Cisco VSG VM.
    Step 2   Choose File > Deploy OVF Template. The Deploy OVF Template—Source window opens.
    Step 3   In the Deploy OVF Template—Source window, do the following:
    1. Browse to the path to the Cisco VSG OVA file in the Deploy from a file or URL field.
    2. Click Next. The Deploy OVF Template—OVF Template Details window opens.
    Step 4   In the Deploy OVF Template—OVF Template Details window, review the product information including the size of the file and the VM disk.
    Step 5   Click Next.
    Step 6   In the Deploy OVF Template—End User License Agreement window, do the following:
    1. Review the end user license agreement and click Accept.
    2. Click Next . The Name and Location window.
    Step 7   In the Deploy OVF Template—Name and Location window, do the following:
    1. In the Name field, enter a name for the Cisco VSG that is unique within the inventory folder and has up to 80 characters.
    2. In the Inventory Location pane, choose the location that you would like to use for hosting the Cisco VSG.
    3. Click Next. The Deploy OVF Template—Deployment Configuration window opens.
    Step 8   In the Deploy OVF Template—Deployment Configuration window, do the following:
    1. From the Configuration drop-down list, choose Standalone.
    2. Click Next. The Disk Format dialog box opens.
    Note   

    The Standalone Installation for this document is an example in this publication. If you chose Manual Installation mode, you would choose the default values for the following steps. In Standalone mode, be sure to fill in all the fields indicated (they will be indicated on the GUI with red type).

    Step 9   In the Disk Format dialog box, choose the radio button for the selected format and click Next.The Host or Cluster window opens.
    Step 10   In the Host or Cluster window, choose the host where the Cisco VSG will be installed.
    Step 11   Click Next. The Datastore dialog box opens.
    Step 12   From the Select a datastore field in which to store the VM files pane, choose your datastore.
    Step 13   Click Next. The Network Mapping dialog box opens.
    Step 14   Click the drop-down arrows for Data (Service), Management, and HA to associate port profiles.
    Step 15   Click Next. The Deploy OVF Template—Properties window opens.
    Step 16   In the Deploy OVF Template—Properties window, do the following:
    1. In the HaId field, enter the high-availability identification number for a Cisco VSG pair (value from 1 through 4095).
    2. In the Password field, enter a password that contains at least one uppercase letter, one lowercase letter, and one number.
    3. In the ManagementIpV4 field, enter the IP address for the Cisco VSG.
    4. In the ManagementIpV4 Subnet field, enter the subnet mask.
    5. In the Gateway field, enter the gateway name.
    6. In the VnmcIpV4 field, enter the IP address of the Cisco VNMC.
    7. In the SharedSecret field, enter the shared secret password defined during the Cisco VNMC installation.
    8. In the ImageName field, enter the VSG VNM-PA image name (vnmc-vsgpa.1.0.1j.bin).
    Note   

    In the following step, make sure that red text messages do not appear before you click Next. If you do not want to enter valid information in the red-indicated fields, use null values to fill those fields. If those fields are left empty or filled with invalid null values, the application does not power on. Ignore the VNMC Restore fields.

    Step 17   Click Next. The Ready to Complete window opens.
    Step 18   In the Ready to Complete window, review the deployment settings information.
    Note   

    Review the IP/mask/gateway information carefully because any discrepancies might cause the VM to have bootup issues.

    Step 19   Click Finish. The Deploying Nexus 1000VSG dialog box opens.

    The progress bar in the Deploying Nexus 1000VSG dialog box shows how much of the deployment task is completed before the Cisco VNMC is deployed.

    Step 20   Wait and click Close after the progress indicator shows that the deployment is completed successfully.
    Step 21   Power on the Cisco VSG VM.
    Step 22   If you chose the Standalone mode for installation earlier, you now see the Cisco VSG login prompt. Log in with your Cisco VSG administration password. You may now proceed with configuring the Cisco Virtual Security Gateway. For details, see the Cisco Virtual Security Gateway for Nexus 1000V Series Switch Configuration Guide.
    Step 23   If you chose the manual installation in the Configuration field earlier, see Configuring Initial Settings to configure the initial settings on the Cisco VSG.
    Note   

    If you are installing high availability (HA), you must configure the software on the primary Cisco VSG before installing the software on the secondary Cisco VSG.


    Installing the Cisco VSG Software from an ISO File

    You can install the Cisco VSG from an ISO file.

    Before You Begin
    • Specify a name for the new Cisco VSG that is unique within the inventory folder and has up to 80 characters.
    • Know the name of the host where the Cisco VSG will be installed in the inventory folder.
    • Know the name of the datastore in which the VM files will be stored.
    • Know the names of the network port profiles used for the VM.
    • Know the Cisco VSG IP address.
    Procedure
      Step 1   Upload the Cisco Virtual Security Gateway ISO image to the vCenter datastore.
      Step 2   From the data center in the vSphere Client menu, choose your ESX host where you want to install the Cisco VSG and choose New Virtual Machine. The Create New Virtual Machine dialog box opens.

      For VM requirements, see the Host and VM Requirements.

      For detailed information about how to create a VM, see the VMware documentation.

      Step 3   In the Create New Virtual Machine dialog box, do the following:
      1. Click Custom to create a virtual machine.
      2. Click Next.
      Step 4   In the Create New Virtual Machine dialog box, do the following:
      1. In the Name field, add a name for the Cisco VSG. The Cisco VSG name must be a unique name within the inventory folder and should be up to 80 characters.
      2. In the Inventory Location field, choose your data center and click Next. The Datastore dialog box opens.
      Step 5   In the Datastore dialog box, choose your datastore from the Select a datastore. Click Next.
      Step 6   In the Virtual Machine Version dialog box, click the Virtual Machine Version. The Guest Operating System dialog box opens.
      Note   

      Keep the selected virtual machine version.

      Step 7   In the Guest Operating System dialog box, do the following:
      1. Click the Linux radio button.
      2. In the Version field, choose Other 2.6x Linux (32-bit) from the drop-down list and click Next. The CPUs dialog box opens.
      Step 8   For CPUs, choose 1 socket with 2 cores or 2 sockets each with one core. Click Next.

      By default, the Cisco VSG virtual machine deployed with OVA has only one1 vCPU. You can choose 2 vCPUs. For an older version of the ESX hosts, you can directly select the number of vCPUs. The Memory dialog box opens.

      Step 9   In the Memory dialog box, choose 2 GB memory size and click Next. The Create Network Connectors dialog box opens.
      Step 10   In the Create Network Connectors dialog box, do the following:
      1. In the How many NICs do you want to connect? field, choose 3 from the drop-down list.
      2. In the Network area, choose service, management, and HA port profiles in that sequence for the NIC 1, NIC 2, and NIC 3 from the drop-down list. Choose VMXNET3 for the adapter type for NIC 1. Choose E1000 for the adapter type for NIC 2 and NIC 3.
      Step 11   Click Next. The SCSI Controller dialog box opens.

      The radio button for the default SCSI controller is chosen.

      Step 12   Click Next. The Select a Disk dialog box opens.

      The radio button for the default disk is chosen.

      Step 13   Click Next. The Create a Disk dialog box opens.

      The default virtual disk size and policy is chosen.

      Step 14   Click Next. The Advanced Options dialog box opens.

      The default options are chosen.

      Step 15   Click Next. The Ready to Complete dialog box opens.
      Step 16   Review your settings in the Settings for the new virtual machine area.
      Step 17   Check the Edit the virtual machine before completion check box and click Continue to open a dialog box with the device details.
      Step 18   In the Work pane, choose your New CD/DVD (adding) in the Hardware area.
      Step 19   Click Datastore ISO File, and select your ISO file from the drop-down list.
      Step 20   In the work pane, check the Connect at power on check box and click Finish.The Summary tab window opens.

      The Create virtual machine status completes.

      Step 21   From the vSphere Client menu, choose your recently installed VM.
      Step 22   In the work pane, click Power on the virtual machine.
      Step 23   Click the Console tab to view the VM console. Wait for the Install Virtual Firewall and bring up the new image to boot.

      See the Configuring Initial Settings section to configure the initial settings on the Cisco VSG.

      Note   

      To allocate additional RAM, right-click the VM icon to power off the VM and then choose Power > Power Off from the dialog box. After the VM is powered down, edit the configuration settings on the VM for controlling memory resources.


      Configuring Initial Settings

      This section describes how to configure the initial settings on the Cisco VSG and configure a standby Cisco VSG with its initial settings. For configuring a standby Cisco VSG, see Configuring Initial Settings on a Standby Cisco VSG section.

      When you power on the Cisco VSG for the first time, depending on which mode you used to install your Cisco VSG, you might be prompted to log in to the Cisco VSG to configure initial settings at the console on your vSphere Client. For details about installing Cisco VSG, see Installing the Cisco VSG Software in this chapter.

      Before You Begin

      The following table determines if you must configure the initial settings as described in this section.

      Your Cisco Virtual Security Gateway Software Installation Method

      Do You Need to Proceed with “Configuring Initial Settings”?

      Installing an OVA file and choosing Manually Configure Nexus 1000 VSG in the configuration field during installation.

      Yes. Proceed with configuring initial settings described in this section.

      Installing an OVA file and choosing any of the options other than the manual method in the configuration field during installation.

      No. You have already configured the initial settings during the OVA file installation.

      Installing an ISO file.

      Yes. Proceed with configuring initial settings described in this section.

      Procedure
        Step 1   Navigate to the Console tab in the VM.

        Cisco Nexus 1000V Series switch opens the Console window and boots the Cisco VSG software.

        Step 2   At the Enter the password for "admin" prompt, enter the password for the admin account and press Enter.
        Step 3   At the prompt, confirm the admin password and press Enter.
        Step 4   At the Enter HA role[standalone/primary/secondary] prompt, enter the HA role you want to use and press Enter.

        This can be one of the following:

        • standalone
        • primary
        • secondary
        Step 5   At the Enter the ha id(1-4095) prompt, enter the HA ID for the pair and press Enter.
        Note   

        If you entered secondary in the earlier step, the HA ID for this system must be the same as the HA ID for the primary system.

        Step 6   If you want to perform basic system configuration, at the Would you like to enter the basic configuration dialog (yes/no) prompt, enter yes and press Enter, then complete the following steps.
        1. At the Create another login account (yes/no)[n] prompt, do one of the following:
          • To create a second login account, enter yes and press Enter.
          • Press Enter.
        2. Optional: At the Configure read-only SNMP community string (yes/no)[n] prompt, do one of the following:
          • To create an SNMP community string, enter yes and press Enter.
          • Press Enter.
        3. At the Enter the Virtual Security Gateway (VSG) name prompt, enter VSG-demo and press Enter.
        Step 7   At the Continue with Out-of-band (mgmt0) management configuration? (yes/no)[y]: prompt, enter yes and press Enter.
        Step 8   At the Mgmt IPv4 address: prompt, enter 10.10.10.11 and press Enter.
        Step 9   At the Mgmt IPv4 netmask prompt, enter 255.255.255.0 and press Enter.
        Step 10   At the Configure the default gateway? (yes/no)[y] prompt, enter yes and press Enter.
        Step 11   At the Enable the telnet service? (yes/no)[y]: prompt, enter noand press Enter.
        Step 12   At the Enable the telnet service? (yes/no)[y]: prompt, enter no.
        Step 13   At the Configure the ntp server? (yes/no)[n] prompt, enter noand press Enter.

        The following configuration will be applied:

        Interface mgmt0
        ip address 10.10.10.11 255.255.255.0
        no shutdown
        vrf context management
        ip route 0.0.0.0/10.10.11.1
        no telnet server enable 
        ssh key rsa 768 force
        ssh server enable
        no feature http-server
        ha-pair id 25
        Step 14   At the Would you like to edit the configuration? (yes/no)[n] prompt, enter nand press Enter.
        Step 15   At the Use this configuration and save it? (yes/no)[y]: prompt, enter yand press Enter.
        Step 16   At the VSG login prompt, enter the name of the admin account you want to use and press Enter.

        The default account name is admin.

        Step 17   At the Password prompt, enter the name of the password for the admin account and press Enter.

        You are now at the Cisco VSG node.


        Configuring Initial Settings on a Standby Cisco VSG

        You can add a standby Cisco VSG by logging in to the Cisco VSG you have identified as secondary and using the following procedure to configure a standby Cisco VSG with its initial settings.

        Procedure
          Step 1   Navigate to the Console tab in the VM.

          Cisco Nexus 1000V Series switch opens the Console window and boots the Cisco VSG software.

          Step 2   At the Enter the password for "admin" prompt, enter the password for the admin account and press Enter.
          Step 3   At the prompt, confirm the admin password and press Enter.
          Step 4   At the Enter HA role[standalone/primary/secondary] prompt, enter the secondary HA role and press Enter.
          Step 5   At the Enter the ha id(1-4095) prompt, enter 25 for the HA pair id and press Enter.
          Note   

          The HA ID uniquely identifies the two Cisco VSGs in an HA pair. If you are configuring Cisco VSGs in an HA pair, make sure that the ID number you provide is identical to the other Cisco VSG in the pair.

          Step 6   At the VSG login prompt, enter the name of the admin account you want to use and press Enter.

          The default account name is admin.

          Step 7   At the Password prompt, enter the name of the password for the admin account and press Enter.

          You are now at the Cisco VSG node.


          Verifying the Cisco VSG Configuration

          To display the Cisco VSG configuration, perform one of the tasks:

          Command

          Purpose

          show interface brief

          Displays brief status and interface information.

          show vsg

          Displays the Cisco VSG and system-related information.

          This example shows how to verify the Cisco VSG configurations:

          vsg# show interface brief
          --------------------------------------------------------------------------------
          Port     VRF          Status IP Address                            Speed    MTU
          --------------------------------------------------------------------------------
          mgmt0    --           up     10.193.77.217                         1000     1500
          
          
          vsg# show vsg
          Model: VSG
          HA ID: 3437
          VSG Software Version: 4.2(1)VSG1(1) build [4.2(1)VSG1(0.399)] 
          VNMC IP: 10.193.75.73

          Where to Go Next

          After installing and completing the initial configuration of the Cisco VSG, you can configure firewall policies on the Cisco VSG through the Cisco VNMC.