Cisco Virtual Security Gateway for Nexus 1000V Series Switch Configuration Guide, Release 4.2(1)VSG1(4.1)
Configuring the Cisco Virtual Security Gateway

Table Of Contents

Configuring the Cisco Virtual Security Gateway

Configuring the vservice Node

Configuring a Port Profile for VSM Protection by the Cisco VSG

Configuring vmknics for the Layer 3 Mode VSG Encapsulation

Configuring TCP State Checks for Cisco VSGs in the vPath

Configuring the vservice Path

Configuring the Port Profile on the VSM for vservice Path

Configuring the vPath to Bypass the Cisco VSG for Service Chain Traffic

Verifying the Cisco VSG Configuration

Show Commands

vPath Bypassing the Cisco VSG for Service Chain Traffic

vPath Ping Command for the Layer 2 Mode

vPath Ping Command for the Layer 3 Mode

Where to Go Next


Configuring the Cisco Virtual Security Gateway


This chapter describes how to configure the Cisco Virtual Security Gateway (VSG) for the Cisco Nexus 1000V Series switch and the Cisco Nexus 1010 Virtual Services Appliance.

This chapter includes the following sections:

Configuring the vservice Node

Configuring a Port Profile for VSM Protection by the Cisco VSG

Configuring TCP State Checks for Cisco VSGs in the vPath

Configuring the vservice Path

Configuring the Port Profile on the VSM for vservice Path

Configuring the vPath to Bypass the Cisco VSG for Service Chain Traffic

Verifying the Cisco VSG Configuration

Where to Go Next

For additional details about the Cisco Nexus 1000V Series switch port profiles, see the Cisco Nexus 1000V Port Profile Configuration Guide, Release 4.2(1)SV1(5.1).

Configuring the vservice Node

BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

Set up the vservice node

To set up the vservice node, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(4.1) and Cisco Virtual Network Management Center, Release 2.0 Installation and Upgrade Guide.

You have the Cisco VSG software installed and the basic installation completed. For details, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(4.1) and Cisco Virtual Network Management Center, Release 2.0 Installation and Upgrade Guide.

You must have the NEXUS_VSG_SERVICES_PKG license installed on the switch. Ensure that you have enough licenses to cover the number of Virtual Ethernet Modules (VEMs) you want to protect.

When the VEM communicates with the Cisco VSG in Layer 2 mode, an additional 62-byte header is added to the original packet. The VEM fragments the packet if it exceeds the uplink maximum transmission unit (MTU). For better performance, increase the MTU of all links between the VEM and the Cisco VSG by 62 bytes to account for the vPath encapsulation of traffic between vPath and the Cisco VSG.

When the VEM communicates with the Cisco VSG in Layer 3 mode, an additional 82-byte header is added to the original packet. The VEM does not support fragmentation in Layer 3 mode, so the ports and network elements that carry the vPath-encapsulated packets must be configured to accommodate the vPath overhead.

If jumbo frames are enabled in the network, make sure that the MTU of the client and server VMs is reduced by the vPath encapsulation size.

If the Cisco VSG is deployed on a Virtual Extensible LAN (VXLAN), an additional 50-byte header is added in front of the vPath encapsulation. Adjust the MTU by this amount as well.

SUMMARY STEPS

1. configure

2. vservice node node_name type {vsg | asa | ace}

3. {ip address ip_addr | no ip address}

4. {adjacency {l2 {vlan vlan_num | vxlan bridge-domain bd_name} | l3} | no adjacency}

5. {fail-mode {close | open} | no fail-mode}

DETAILED STEPS

 
Command
Purpose

Step 1 

configure

Example:

n1000v# configure

n1000v(config)#

Places you in global configuration mode.

Step 2 

vservice node node_name type {vsg | asa | ace}

Example:

n1000v(config)# vservice node test type vsg

n1000v(config-vservice-node)#

Configures the vservice node name for the Cisco VSG. The name is used to associate the node with a port profile or a vservice path.

A node can be deleted only if it is not bound to any virtual machines and not used in any service path.

The type keyword is needed only when you create a node. Once the node exists, type is not needed.

Step 3 

{ip address ip_addr | no ip address}

Example:

n1000v(config-vservice-node)# ip address 10.0.0.1

n1000v(config-vservice-node)#

Configures the vservice node IP address for the Cisco VSG.

Note The IP address must match the data interface (data0) IP address on the Cisco VSG.

Step 4 

{adjacency {l2 {vlan vlan_num | vxlan bridge-domain bd_name} | l3} | no adjacency}

Example:

n1000v(config-vservice-node)# adjacency l2 vlan 88

n1000v(config-vservice-node)#

or

n1000v(config-vservice-node)# adjacency l2 vxlan bridge-domain vxlan-8888

n1000v(config-vservice-node)#

or

n1000v(config-vservice-node)# adjacency l3

n1000v(config-vservice-node)#

Configures the adjacency for the Cisco VSG. If the Cisco VSG is operating in Layer 2 mode, you must configure the VLAN or VXLAN information. If the Cisco VSG is operating in Layer 3 mode, specify the l3 keyword.

Step 5 

{fail-mode {close | open} | no fail-mode}

Example:

n1000v(config-vservice-node)# fail-mode close

n1000v(config-vservice-node)#

Configures the fail mode.

Note Fail mode specifies the behavior when the VEM does not have connectivity to the service node. The default fail mode for ASA 1000V and Cisco VSG is close, which means that the packets will be dropped. The default fail mode for vWAAS is open, which means that packets will be forwarded. vPath 1.0 service nodes do not support service chaining. When using a vPath 1.0 service node in a chain, the traffic to that node goes into fail mode.

Configuring a Port Profile for VSM Protection by the Cisco VSG

BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

You have the Cisco VSG software installed and the basic installation completed. For details, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(4.1) and Cisco Virtual Network Management Center, Release 2.0 Installation and Upgrade Guide.

You must have the NEXUS_VSG_SERVICES_PKG license installed on the switch. Ensure that you have enough licenses to cover the number of Virtual Ethernet Modules (VEMs) you want to protect.

You have completed creating the Cisco VSG port profiles for the service and high-availability (HA) interface. See the "Cisco VSG Configuration Guidelines and Limitations" section.

You have defined the vservice node that will be added to the service path.

You are logged in to the switch CLI in EXEC mode.

SUMMARY STEPS

1. configure

2. port-profile port-profile-name

3. org org-name

4. vservice node node_name profile [security-profile-name]

5. (Optional) copy running-config startup-config

6. exit

DETAILED STEPS

 
Command
Purpose

Step 1 

configure

Example:

n1000v# configure

n1000v(config)#

Places you in global configuration mode.

Step 2 

port-profile port-profile-name

Example:

n1000v(config)# port-profile host-profile

n1000v(config-port-prof)#

Enters the port profile configuration mode for the named port profile. If the port profile does not exist, it is created using the following characteristics:

port-profile-name—The port profile name can be up to 80 alphanumeric characters and must be unique for each port profile on the Cisco VSG.

Step 3 

org org-name

Example:

n1000v(config-port-prof)# org root/Tenant-A

n1000v(config-port-prof)#

Designates an organization name for the Cisco VSG port profile.

Step 4 

vservice node node_name profile [security-profile-name]

Example:

n1000v(config-port-prof)# vservice node vsg1 profile profile-1

n1000v(config-port-prof)#

Associates the port profile with the previously defined vservice node and the security profile name.

Note If you do not pick a security profile name, the default name is used. The security profile name must match the security profile created on the Cisco VNMC.

Step 5 

copy running-config startup-config

Example:

n1000v(config-port-prof)# copy running-config startup-config

n1000v(config-port-prof)#

(Optional) Saves configuration changes.

Step 6 

exit

Example:

n1000v(config-port-prof)# exit

n1000v(config)#

Exits the configuration mode and returns you to the global configuration mode.


Note The Cisco VSG in Layer 2 mode can exist on a VXLAN.


Configuring vmknics for the Layer 3 Mode VSG Encapsulation

You can configure vmknics for a Cisco VSG in the Layer 3 mode encapsulation.

BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

Identify a VLAN to be used for transporting the Cisco VSG in the Layer 3 mode-encapsulated traffic. Ensure that the VLAN is configured on the uplink port profile for all VEMs on which the Cisco VSG in Layer 3 mode can be configured.

SUMMARY STEPS

1. configure

2. port-profile profilename

3. vmware port-group name

4. switchport mode access

5. switchport access vlan id

6. capability l3-vn-service

7. no shutdown

8. state enabled

9. (Optional) show port-profile name profilename

10. (Optional) copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

configure

Example:

switch# configure

switch(config)#

Enters global configuration mode.

Step 2 

port-profile profilename

Example:

switch(config)# port-profile vmknic-pp

switch(config-port-prof)#

Enters port profile configuration mode for the named port profile. If the port profile does not already exist, it is created using the following characteristics:

The port profile name can be up to 80 characters and must be unique for each port profile on the Cisco Nexus 1000V.

Note If a port profile is configured as an Ethernet type, it cannot be used to configure VMware virtual ports.

Step 3 

vmware port-group name

Example:

switch(config-port-prof)# vmware port-group

switch(config-port-prof)#

Designates the port profile as a VMware port group.

The port profile is mapped to a VMware port group of the same name unless you specify a name. When you connect the VSM to vCenter Server, the port group is distributed to the virtual switch on the vCenter Server.

Step 4 

switchport mode access

Example:

switch(config-port-prof)# switchport mode access

switch(config-port-prof)#

Designates the interfaces as switch access ports (by default).

Step 5 

switchport access vlan id

Example:

switch(config-port-prof)# switchport access vlan 100

switch(config-port-prof)#

Assigns a VLAN ID to this port profile.

Step 6 

capability l3-vn-service

Example:

switch(config-port-prof)# capability l3-vn-service

switch(config-port-prof)#

Assigns the capability l3-vn-service to the port profile to ensure that the interfaces that inherit this port profile are used as sources for the Cisco VSG in Layer 3 mode encapsulated traffic.

Step 7 

no shutdown

Example:

switch(config-port-prof)# no shutdown

switch(config-port-prof)#

Administratively enables all ports in the profile.

Step 8 

state enabled

Example:

switch(config-port-prof)# state enabled

switch(config-port-prof)#

Sets the operational state of a port profile.

Step 9 

show port-profile name profilename

Example:

switch# show port-profile name vmknic-pp

(Optional) Displays the port profile configuration.

Step 10 

copy running-config startup-config

Example:

switch# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Configuring TCP State Checks for Cisco VSGs in the vPath

The TCP (Transmission Control Protocol) state-check feature performs three checks on TCP traffic that is routed through the Cisco VSG:

invalid-ack—When the ACK (acknowledgment) number of a received TCP packet is greater than the sequence number of the TCP packet to be sent next, it is an invalid ACK.

seq-past-window—The sequence number of a received TCP packet is greater than the right edge of the TCP receive window.

window-variation—The window mechanism allows TCP to advertise a large window and subsequently advertise a much smaller one without having accepted much data. The TCP specification recommends against shrinking the window in this way.

When one of the above checks is turned on, the Cisco VSG drops data packets that meet the specified condition. However, you may need to disable a specific check when you do not want the information generated by that TCP state check to hide other information in which you are specifically interested.
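The following Python model is added here as an illustration and is not part of Cisco's documentation or software. It applies the three checks above to a constructed client/server exchange and shows how the [no] tcp state-checks commands toggle them; the connection model, the packet fields and all function names are assumptions of this example.

```python
"""Model of the three vPath TCP state checks (added example, not Cisco code).

The three conditions and their defaults (invalid-ack on, seq-past-window on,
window-variation off) are the ones described in this chapter; the connection
model, the packet fields and the function names are this example's own.
"""
from dataclasses import dataclass, field

# Defaults stated for 'tcp state-checks' in this chapter
DEFAULT_CHECKS = {"invalid-ack": True, "seq-past-window": True, "window-variation": False}


def apply_command(checks, line):
    """Apply one '[no] tcp state-checks [name]' CLI line to the check table."""
    words = line.split()
    enable = True
    if words[:1] == ["no"]:
        enable, words = False, words[1:]
    if words[:2] != ["tcp", "state-checks"]:
        raise ValueError(f"not a tcp state-checks command: {line!r}")
    for name in words[2:] or list(checks):  # bare form applies to all three checks
        if name not in checks:
            raise ValueError(f"unknown check {name!r}")
        checks[name] = enable
    return checks


@dataclass
class Packet:
    src: str       # "client" or "server"
    seq: int       # sequence number
    ack: int       # acknowledgment number
    length: int    # payload bytes
    window: int    # advertised receive window


@dataclass
class Endpoint:
    snd_nxt: int             # next sequence number this side will send
    right_edge: int = None   # ack + window from this side's last forwarded segment


@dataclass
class Connection:
    ends: dict               # {"client": Endpoint, "server": Endpoint}
    checks: dict = field(default_factory=lambda: dict(DEFAULT_CHECKS))


def inspect(conn, pkt):
    """Return the failed check's name (segment dropped) or None (forwarded)."""
    sender = conn.ends[pkt.src]
    receiver = conn.ends["server" if pkt.src == "client" else "client"]
    if conn.checks["invalid-ack"] and pkt.ack > receiver.snd_nxt:
        return "invalid-ack"          # acknowledges data the peer has not sent yet
    if (conn.checks["seq-past-window"] and receiver.right_edge is not None
            and pkt.seq > receiver.right_edge):
        return "seq-past-window"      # lands beyond the peer's receive window
    if (conn.checks["window-variation"] and sender.right_edge is not None
            and pkt.ack + pkt.window < sender.right_edge):
        return "window-variation"     # window shrank: the right edge moved left
    # Forwarded: advance the sender's state as the VSG would
    sender.snd_nxt = max(sender.snd_nxt, pkt.seq + pkt.length)
    sender.right_edge = pkt.ack + pkt.window
    return None


def run_demo():
    """Constructed exchange; returns the verdict for each segment in order."""
    conn = Connection({"client": Endpoint(snd_nxt=1000, right_edge=5000 + 8192),
                       "server": Endpoint(snd_nxt=5000, right_edge=1000 + 8192)})
    verdicts = [
        inspect(conn, Packet("client", 1000, 5000, 100, 8192)),  # in window: forwarded
        inspect(conn, Packet("server", 5000, 1200, 0, 8192)),    # ack 1200 > client snd_nxt 1100
        inspect(conn, Packet("client", 9300, 5000, 10, 8192)),   # seq 9300 > server right edge 9192
        inspect(conn, Packet("server", 5000, 1100, 50, 8192)),   # forwarded; right edge now 9292
        inspect(conn, Packet("server", 5050, 1100, 0, 100)),     # window shrinks, check off by default
    ]
    apply_command(conn.checks, "tcp state-checks window-variation")  # Step 6 of the procedure
    verdicts.append(inspect(conn, Packet("server", 5050, 1100, 0, 50)))  # shrinks again, now caught
    return verdicts


if __name__ == "__main__":
    for i, verdict in enumerate(run_demo(), 1):
        print(f"segment {i}: {'forwarded' if verdict is None else 'dropped by ' + verdict}")
```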


Note This feature is supported for Cisco Nexus 1000V, Release 4.2(1)SV2(1.1) onwards.


BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

You have the Cisco VSG software installed and the basic installation completed. For details, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(4.1) and Cisco Virtual Network Management Center, Release 2.0 Installation and Upgrade Guide.

You must have the NEXUS_VSG_SERVICES_PKG license installed on the switch. Ensure that you have enough licenses to cover the number of VEMs that you want to protect.

You have completed creating the Cisco VSG port profiles for the service and HA interface.

You are logged in to the switch CLI in EXEC mode.

SUMMARY STEPS

1. configure

2. vservice global type vsg

3. [no] tcp state-checks

4. (Optional) [no] tcp state-checks invalid-ack

5. (Optional) [no] tcp state-checks seq-past-window

6. (Optional) [no] tcp state-checks window-variation

7. exit

DETAILED STEPS

 
Command
Purpose

Step 1 

configure

Example:

n1000v# configure

n1000v(config)#

Places you in global configuration mode.

Step 2 

vservice global type vsg

Example:

n1000v(config)# vservice global type vsg

n1000v(config-vservice-global)#

Enters vservice global configuration mode.

Step 3 

[no] tcp state-checks

Example 1:

n1000v(config-vservice-global)# tcp state-checks

n1000v(config-vservice-global)#

Example 2:

n1000v(config-vservice-global)# no tcp state-checks

n1000v(config-vservice-global)#

Enables or disables all three TCP state checks for Cisco VSGs in the vPath.

The default behavior of the TCP checks is as follows:

invalid-ack—Enabled by default.

seq-past-window—Enabled by default.

window-variation—Disabled by default.

The no form of this command reverses the above respective default state.

Step 4 

[no] tcp state-checks invalid-ack

Example:

n1000v(config-vservice-global)# tcp state-checks invalid-ack

n1000v(config-vservice-global)#

Enables the invalid-ack TCP state check on the Cisco VSG. By default, when a data packet triggers an invalid ACK, the packet is dropped by the Cisco VSG. The no form of this command disables the check.

Step 5 

[no] tcp state-checks seq-past-window

Example:

n1000v(config-vservice-global)# tcp state-checks seq-past-window

n1000v(config-vservice-global)#

Enables the seq-past-window TCP state check on the Cisco VSG. By default, when a data packet's sequence number is greater than the right edge of the TCP receiving window, the packet is dropped by the Cisco VSG. The no form of this command disables the check.

Step 6 

[no] tcp state-checks window-variation

Example:

n1000v(config-vservice-global)# tcp state-checks window-variation

n1000v(config-vservice-global)#

Enables the window-variation TCP state check on the Cisco VSG. The no form of the command disables the check. By default, the Cisco VSG does not allow you to make the window size smaller.

Step 7 

exit

Example:

n1000v(config-vservice-global)# exit

n1000v(config)#

Exits vservice global configuration mode and returns you to the global configuration mode.

Configuring the vservice Path

BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

You have the Cisco VSG software installed and the basic installation completed. For details, see the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(4.1) and Cisco Virtual Network Management Center, Release 2.0 Installation and Upgrade Guide.

You must have the NEXUS_VSG_SERVICES_PKG license installed on the switch. Ensure that you have enough licenses to cover the number of Virtual Ethernet Modules (VEMs) you want to protect.

Service nodes in a vservice path can be deployed in several combinations. Based on the combination or topology used, provision the uplink MTU so that traffic can cross the whole service chain. The uplink MTU for a given combination is usually the highest of the overhead provisions that you make for each service node in that combination.

You have completed creating the Cisco VSG port profiles for the service and high-availability (HA) interface. For details, see the "Cisco VSG Configuration Guidelines and Limitations" section.

You have defined the vservice node that will be added to the service path.

You are logged in to the switch CLI in EXEC mode.
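A small calculator, added here and not part of Cisco's documentation or software, that combines the encapsulation overheads listed under Configuring the vservice Node (62 bytes for Layer 2 mode, 82 bytes for Layer 3 mode, 50 bytes more on a VXLAN) with the rule above that the uplink is provisioned for the highest per-node overhead in the chain. The node model, the function names and the 1500-byte baseline MTU are assumptions of this example.

```python
"""MTU provisioning for vPath encapsulation (added example, not Cisco code).

Overhead figures (62 bytes for Layer 2 adjacency, 82 for Layer 3, plus 50
when the VSG sits on a VXLAN) and the service-chain rule (provision the
uplink for the highest per-node overhead) are from this chapter; the node
model, function names and the 1500-byte baseline are this example's own.
"""
from dataclasses import dataclass

L2_OVERHEAD = 62       # bytes added in Layer 2 mode
L3_OVERHEAD = 82       # bytes added in Layer 3 mode
VXLAN_OVERHEAD = 50    # extra header in front of the vPath encapsulation on a VXLAN
ETHERNET_MTU = 1500    # assumed VM MTU when jumbo frames are not in use


@dataclass(frozen=True)
class ServiceNode:
    name: str
    adjacency: str       # "l2" or "l3", as in 'adjacency l2 ...' / 'adjacency l3'
    vxlan: bool = False  # True when the Layer 2 adjacency is a VXLAN bridge-domain


def node_overhead(node):
    """vPath encapsulation overhead, in bytes, for traffic steered to one node."""
    if node.adjacency == "l2":
        base = L2_OVERHEAD
    elif node.adjacency == "l3":
        base = L3_OVERHEAD
    else:
        raise ValueError(f"unknown adjacency {node.adjacency!r}")
    return base + (VXLAN_OVERHEAD if node.vxlan else 0)


def chain_overhead(nodes):
    """Overhead to provision for a service path: the highest among its nodes."""
    return max(node_overhead(n) for n in nodes)


def uplink_mtu(nodes, vm_mtu=ETHERNET_MTU):
    """Uplink MTU needed so VM-sized packets cross the VEM-VSG links unfragmented."""
    return vm_mtu + chain_overhead(nodes)


def vm_mtu_for_uplink(nodes, uplink):
    """With jumbo frames on, reduce the VM MTU by the encapsulation size instead."""
    return uplink - chain_overhead(nodes)


def check_chain(nodes, vm_mtu, uplink):
    """Per-node outcome for a vm_mtu-sized packet over an uplink of the given MTU.

    Layer 2 mode: the VEM fragments an oversize packet (a performance cost).
    Layer 3 mode: the VEM does not fragment, so an oversize packet means the
    path is misconfigured and must be fixed.
    """
    report = {}
    for n in nodes:
        encapsulated = vm_mtu + node_overhead(n)
        if encapsulated <= uplink:
            report[n.name] = "ok"
        elif n.adjacency == "l2":
            report[n.name] = "fragmented"
        else:
            report[n.name] = "oversized (no fragmentation in Layer 3 mode)"
    return report


if __name__ == "__main__":
    # Constructed deployment: a Layer 2 VSG on a VXLAN and a Layer 3 VSG
    nodes = [ServiceNode("vsg-l2-vxlan", "l2", vxlan=True), ServiceNode("vsg-l3", "l3")]
    print("uplink MTU to provision:", uplink_mtu(nodes))
    print("with a 1500-byte uplink:", check_chain(nodes, ETHERNET_MTU, ETHERNET_MTU))
    print("VM MTU on a 9000-byte jumbo uplink:", vm_mtu_for_uplink(nodes, 9000))
```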

SUMMARY STEPS

1. configure

2. vservice path svc_path_name

3. node node_name profile profile_name order order_num

4. exit

DETAILED STEPS

 
Command
Purpose

Step 1 

configure

Example:

n1000v# configure

n1000v(config)#

Enters global configuration mode.

Step 2 

vservice path svc_path_name

Example:

n1000v(config)# vservice path VSPATH-3

n1000v(config-vservice-path)#

Enters the vservice path mode.

A maximum of two node subcommands is allowed, and at most one node subcommand per vservice node type. Only Cisco VSG and ASA 1000V nodes can be used in a service chain.

The specified node_name must already be defined.

A profile is mandatory for every node type.

The ASA 1000V node must be the last node in the service path.

Step 3 

node node_name profile profile_name order order_num

Example:

n1000v(config-vservice-path)# node VSG195-1 profile sp-test order 10

n1000v(config-vservice-path)# node VASA193-1 profile ep-test order 20

n1000v(config-vservice-path)#

Binds a node to a vservice path in a specific order.

Note A profile is required for the Cisco VSG and ASA1000V node. The ASA1000V must be at the end of the service chain.

Step 4 

exit

Example:

vsm(config)# exit

vsm#

Exits the global configuration mode and returns you to EXEC mode.

Configuring the Port Profile on the VSM for vservice Path

BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

You have the Cisco VSG software installed and the basic installation completed.

You must have the NEXUS_VSG_SERVICES_PKG license installed on the switch. Ensure that you have enough licenses to cover the number of Virtual Ethernet Modules (VEMs) you want to protect.

You have completed configuring the vservice node or the vservice path. For details, see the Configuring the vservice Node section or the Configuring the vservice Path section.

You have completed creating the Cisco VSG port profiles for the service and high-availability (HA) interface. See the "Cisco VSG Configuration Guidelines and Limitations" section.

You have defined the vservice node that will be added to the service path.

You are logged in to the switch CLI in EXEC mode.

SUMMARY STEPS

1. configure

2. port-profile port-profile-name

3. org org-name

4. vservice path path_name

5. (Optional) copy running-config startup-config

6. exit

DETAILED STEPS

 
Command
Purpose

Step 1 

configure

Example:

n1000v# configure

n1000v(config)#

Places you in global configuration mode.

Step 2 

port-profile port-profile-name

Example:

n1000v(config)# port-profile host-profile

n1000v(config-port-prof)#

Enters the port profile configuration mode for the named port profile. If the port profile does not exist, it is created using the following characteristics:

port-profile-name—The port profile name can be up to 80 alphanumeric characters and must be unique for each port profile on the Cisco VSG.

Step 3 

org org-name

Example:

n1000v(config-port-prof)# org root/Tenant-A

n1000v(config-port-prof)#

Designates an organization name for the Cisco VSG port profile.

Step 4 

vservice path path_name

Example:

n1000v(config-port-prof)# vservice path VSPATH-5

n1000v(config-port-prof)#

Associates the port profile with the previously defined vservice path.

Step 5 

copy running-config startup-config

Example:

n1000v(config-port-prof)# copy running-config startup-config

n1000v(config-port-prof)#

(Optional) Saves configuration changes.

Step 6 

exit

Example:

n1000v(config-port-prof)# exit

n1000v(config)#

Exits the configuration mode and returns you to the global configuration mode.

Configuring the vPath to Bypass the Cisco VSG for Service Chain Traffic

In a service chain, the traffic between the inside and outside networks traverses the Cisco ASA and Cisco VSG service nodes. However, sometimes the data packets do not require Cisco VSG approval. In that scenario, you can configure the vPath to bypass all Cisco VSG nodes so that the policy lookup is performed only in the Cisco ASA nodes. This traffic optimization improves network performance while simplifying the policy configuration on the Cisco Virtual Network Management Center (VNMC).

Note that this feature works only in a service chaining environment, wherein all traffic between the inside and outside networks skips the Cisco VSG. Non-service-chain traffic and inside-to-inside traffic continue to be validated by the Cisco VSG.


Note This feature is supported for Cisco Nexus 1000V, Release 4.2(1)SV2(1.1) onwards.


BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

You have successfully configured a service chain on the Cisco Nexus 1000V switch.

You must bypass the Cisco VSG node in a service chain to improve network performance.

You are logged in to the switch CLI in EXEC mode.

SUMMARY STEPS

1. configure

2. vservice global type vsg

3. [no] bypass asa-traffic

4. exit


Note Because this is a global configuration command, all Cisco VSG-bound traffic bypasses that node in a service chain. Currently, you cannot configure to bypass specific Cisco VSG nodes.


DETAILED STEPS

 
Command
Purpose

Step 1 

configure

Example:

n1000v# configure

n1000v(config)#

Places you in global configuration mode.

Step 2 

vservice global type vsg

Example:

n1000v(config)# vservice global type vsg

n1000v(config-vservice-global)#

Enters vservice global configuration mode.

Step 3 

[no] bypass asa-traffic

Example 1:

n1000v(config-vservice-global)# bypass asa-traffic

Example 2:

n1000v(config-vservice-global)# no bypass asa-traffic

Configures the traffic to bypass the Cisco VSG node (Example 1). The no form of the command disables the feature so that the traffic traverses the Cisco VSG node (Example 2); this is the default.

Step 4 

exit

Example:

n1000v(config-vservice-global)# exit

n1000v(config)#

Exits global vservice configuration mode and returns you to global configuration mode.

Verifying the Cisco VSG Configuration

To display information related to a Cisco VSG, perform one of the following tasks on the switch CLI:

Command
Purpose

show license usage

Example:

vsm# show license usage

Displays a table with the Cisco VSG license usage information for the Cisco Nexus 1000V Series switch.

show license usage NEXUS_VSG_SERVICES_PKG

Example:

vsm# show license usage NEXUS_VSG_SERVICES_PKG

Displays the usage information for the license package NEXUS_VSG_SERVICES_PKG.

show vservice {statistics | brief | {detail [{vlan vlan-num [ip ip-addr]} | module module-num]}}

Example:

vsm# show vservice statistics detail vlan 1

Displays information about the configuration, MAC address, state of the associated Cisco VSG and Virtual Ethernet Module (VEM), virtual Ethernet interfaces (vEths) to which Cisco VSGs are bound, and Virtual Service Node (VSN) statistics for all VEM modules associated with Cisco VSGs.


Show Commands

For detailed information about the fields in the output from these commands, see the Cisco Nexus 1000V Command Reference, Release 4.2(1)SV2(1.1).

vPath Bypassing the Cisco VSG for Service Chain Traffic

In a service chain, when bypass asa-traffic is enabled, traffic between the inside and outside networks bypasses the Cisco VSG and is processed only by the Cisco ASA. To verify that the traffic is indeed bypassing the Cisco VSG nodes, use the show vservice connection command.

Examples

In the following example, the "n" shown for the Cisco VSG node in the output indicates that it has not processed the service chain traffic between the outside and inside networks. This example shows how to display the vservice connections:

VSM# show vservice connection
Actions(Act):
d - drop                             s - reset
p - permit                           t - passthrough
r - redirect                         e - error
n - not processed           upper case - offloaded
Flags:
A - seen ack for syn/fin from src    a - seen ack for syn/fin from dst
E - tcp conn established (SasA done)
F - seen fin from src                f - seen fin from dst
R - seen rst from src                r - seen rst from dst
S - seen syn from src                s - seen syn from dst
T - tcp conn torn down (FafA done)   x - IP-fragment connection
#Port-Profile:VSPATH-1-vlan-87                 Path:VSPATH-1
#Module 3
Proto SrcIP[:Port]          SAct  DstIP[:Port]          DAct  Flags       Bytes
 icmp 192.168.193.11        np    192.168.192.1                            2940
 tcp  192.168.193.11:52897  np    192.168.192.1:80            T            1290
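The following parser is added here as an illustration and is not part of Cisco's documentation or software. It reads the table portion of the show vservice connection output above and reports, per flow, whether the Cisco VSG node shows the "n" (not processed) action. The fixed-width column slicing, the assumption that the SAct/DAct strings carry one action letter per node in path order (the VSG before the ASA in a chain), and all function names are this example's own.

```python
"""Parse 'show vservice connection' output to confirm VSG bypass.

Added example, not Cisco code. SAMPLE is the table portion of the output
shown above; the column-slicing parser, the assumption that SAct/DAct hold
one action letter per node in path order (the VSG before the ASA in a
chain), and all function names are this example's own.
"""

# Action legend printed by the command, as listed in the output above
ACTIONS = {
    "d": "drop", "p": "permit", "r": "redirect", "n": "not processed",
    "s": "reset", "t": "passthrough", "e": "error",
}

# Constructed from the output above (table portion only)
SAMPLE = """\
#Port-Profile:VSPATH-1-vlan-87                 Path:VSPATH-1
#Module 3
Proto SrcIP[:Port]          SAct  DstIP[:Port]          DAct  Flags       Bytes
 icmp 192.168.193.11        np    192.168.192.1                            2940
 tcp  192.168.193.11:52897  np    192.168.192.1:80            T            1290
"""

COLUMNS = ["Proto", "SrcIP", "SAct", "DstIP", "DAct", "Flags", "Bytes"]
FIELDS = ["proto", "src", "sact", "dst", "dact", "flags", "bytes"]


def parse_connections(text):
    """Return one dict per connection row, tagged with port profile, path and module."""
    records, context, offsets = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Port-Profile:"):
            head, _, path = line.partition("Path:")
            context = {"port_profile": head.split(":", 1)[1].strip(), "path": path.strip()}
            continue
        if line.startswith("#Module"):
            context["module"] = int(line.split()[1])
            continue
        if line.startswith("Proto"):
            # Fixed-width table: each column starts where its header name begins
            offsets = [line.index(name) for name in COLUMNS]
            continue
        if offsets is None:
            continue  # legend lines that precede the first table header
        bounds = zip(offsets, offsets[1:] + [len(line)])
        record = dict(zip(FIELDS, (line[a:b].strip() for a, b in bounds)))
        record["bytes"] = int(record["bytes"])
        record.update(context)
        records.append(record)
    return records


def decode_actions(act):
    """Expand an action string such as 'np' into per-node actions, in path order."""
    return [ACTIONS[c.lower()] + (" (offloaded)" if c.isupper() else "") for c in act]


def vsg_bypassed(record, vsg_index=0):
    """True when the VSG's action letter is 'n' (not processed) in every direction seen."""
    for act in (record["sact"], record["dact"]):
        if act and act[vsg_index].lower() != "n":
            return False
    return True


def bypass_report(text, vsg_index=0):
    """Map (src, dst) to whether the service chain traffic skipped the VSG."""
    return {(r["src"], r["dst"]): vsg_bypassed(r, vsg_index) for r in parse_connections(text)}


if __name__ == "__main__":
    for flow, ok in bypass_report(SAMPLE).items():
        print(flow, "VSG bypassed" if ok else "VSG still processing")
```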

vPath Ping Command for the Layer 2 Mode

To verify various connections and reachable attributes of the Cisco VSG, you can use the vPath ping command.

The vPath ping command for Layer 2 mode has the following syntax:

ping vsn {all | ip ip-addr [vlan vlan-num | vxlan bridge-domain bd_name]} src-module {all | vpath-all | module-num} [timeout secs] [count {count | unlimited}]

Examples

This example shows how to see the VSN connections:

VSM-1# ping vsn all src-module all
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=0 timeout=1-sec
  module(usec)   :  3(156)  5(160)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=0 timeout=1-sec
  module(failed) :  3(VSN ARP not resolved)  5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=1 timeout=1-sec
  module(usec)   :  3(230)  5(151)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=1 timeout=1-sec
  module(failed) :  3(VSN ARP not resolved)  5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=2 timeout=1-sec
  module(usec)   :  3(239)  5(131)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=2 timeout=1-sec
  module(failed) :  3(VSN ARP not resolved)  5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=3 timeout=1-sec
  module(usec)   :  3(248)  5(153)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=3 timeout=1-sec
  module(failed) :  3(VSN ARP not resolved)  5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=4 timeout=1-sec
  module(usec)   :  3(259)  5(126)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=4 timeout=1-sec
  module(failed) :  3(VSN ARP not resolved)  5(VSN ARP not resolved)

This example shows how VSN ping options are displayed:

VSM-1# ping vsn ?
  all   All VSNs associated to VMs
  ip    IP Address
  vlan  VLAN Number
  vxlan VXLAN

This example shows how VSN ping options are displayed for all source modules:

VSM-1# ping vsn all src-module ?
  <3-66>     Module number
  all        All modules in VSM
  vpath-all  All modules having VMs associated to VSNs

This example shows how to ping a specified VSN IP address from all source modules:

VSM-1# ping vsn ip 10.1.1.60 src-module all
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=0 timeout=1-sec
  module(usec)   :  4(301)  5(236)
  module(failed) :  7(VSN ARP not resolved)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=1 timeout=1-sec
  module(usec)   :  4(241)  5(138)  7(270)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=2 timeout=1-sec
  module(usec)   :  4(230)  5(155)  7(256)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=3 timeout=1-sec
  module(usec)   :  4(250)  5(154)  7(284)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=4 timeout=1-sec
  module(usec)   :  4(231)  5(170)  7(193)

This example shows how to ping a specified VSN IP address from all vPath source modules:

VSM-1# ping vsn ip 10.1.1.60 src-module vpath-all
ping vsn 10.1.1.60 vlan 501 from module 4 5, seq=0 timeout=1-sec
  module(usec)   :  4(223)  5(247)
ping vsn 10.1.1.60 vlan 501 from module 4 5, seq=1 timeout=1-sec
  module(usec)   :  4(206)  5(167)
ping vsn 10.1.1.60 vlan 501 from module 4 5, seq=2 timeout=1-sec
  module(usec)   :  4(241)  5(169)

This example shows how to ping a specified VSN IP address from all source modules with a timeout and a count:

VSM-1# ping vsn ip 10.1.1.60 src-module all timeout 2 count 3
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=0 timeout=2-sec
  module(usec)   :  4(444)  5(238)  7(394)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=1 timeout=2-sec
  module(usec)   :  4(259)  5(154)  7(225)
ping vsn 10.1.1.60 vlan 501 from module 4 5 7, seq=2 timeout=2-sec
  module(usec)   :  4(227)  5(184)  7(216)

Note The vPath ping command for the Layer 2 and Layer 3 mode is not supported on Cisco vWAAS.


vPath Ping Command for the Layer 3 Mode

Examples

This example shows how to see the VSN connections:

vsm# ping vsn ip 10.1.1.40 src-module vpath-all
ping vsn 10.1.1.40 vlan 0 from module 9 11 12, seq=0 timeout=1-sec
  module(usec)   :  9(698) 11(701) 12(826)
ping vsn 10.1.1.40 vlan 0 from module 9 11 12, seq=1 timeout=1-sec
  module(usec)   :  9(461) 11(573) 12(714)
ping vsn 10.1.1.40 vlan 0 from module 9 11 12, seq=2 timeout=1-sec
  module(usec)   :  9(447) 11(569) 12(598)
ping vsn 10.1.1.40 vlan 0 from module 9 11 12, seq=3 timeout=1-sec
  module(usec)   :  9(334) 11(702) 12(559)
ping vsn 10.1.1.40 vlan 0 from module 9 11 12, seq=4 timeout=1-sec
  module(usec)   :  9(387) 11(558) 12(597)
vsm#

This example shows the VSN ping output for all VSNs from all source modules:

vsm# ping vsn all src-module all
ping vsn 10.1.1.44 vlan 501 from module 9 10 11 12, seq=0 timeout=1-sec
  module(usec)   :  9(508)
  module(failed) : 10(VSN ARP not resolved) 11(VSN ARP not resolved)
                   12(VSN ARP not resolved)
ping vsn 10.1.1.40 vlan 0 from module 9 10 11 12, seq=0 timeout=1-sec
  module(usec)   :  9(974) 11(987) 12(1007)
  module(failed) : 10(VSN ARP not resolved)
ping vsn 10.1.1.44 vlan 501 from module 9 10 11 12, seq=1 timeout=1-sec
  module(usec)   :  9(277) 10(436) 11(270) 12(399)
ping vsn 10.1.1.40 vlan 0 from module 9 10 11 12, seq=1 timeout=1-sec
  module(usec)   :  9(376) 10(606) 11(468) 12(622)
ping vsn 10.1.1.44 vlan 501 from module 9 10 11 12, seq=2 timeout=1-sec
  module(usec)   :  9(272) 10(389) 11(318) 12(357)
ping vsn 10.1.1.40 vlan 0 from module 9 10 11 12, seq=2 timeout=1-sec
  module(usec)   :  9(428) 10(632) 11(586) 12(594)
ping vsn 10.1.1.44 vlan 501 from module 9 10 11 12, seq=3 timeout=1-sec
  module(usec)   :  9(284) 10(426) 11(331) 12(387)
ping vsn 10.1.1.40 vlan 0 from module 9 10 11 12, seq=3 timeout=1-sec
  module(usec)   :  9(414) 10(663) 11(644) 12(698)
ping vsn 10.1.1.44 vlan 501 from module 9 10 11 12, seq=4 timeout=1-sec
  module(usec)   :  9(278) 10(479) 11(334) 12(469)
ping vsn 10.1.1.40 vlan 0 from module 9 10 11 12, seq=4 timeout=1-sec
  module(usec)   :  9(397) 10(613) 11(560) 12(593)
vsm#

Where to Go Next

After you have completed configuring the Cisco VSG port profile on the switch for protection, proceed to assign port profiles to your VMs for Cisco VSG firewall protection on the vCenter.