 Feedback
|
Table Of Contents
Dynamic (Virtualization-Aware) Operation
Setting Up Cisco VSG and VLAN Usages
Open Caveats—Cisco VSG Release 4.2(1)VSG1(4.1)
Open Caveats—Cisco VSG Release 4.2(1)VSG1(3.1)
Resolved Caveats—Cisco VSG Release 4.2(1)VSG1(4.1)
Cisco Virtual Security Gateway Documentation
Cisco Virtual Network Management Center Documentation
Cisco Nexus 1000V Series Switch Documentation
Obtaining Documentation and Submitting a Service Request
Cisco Virtual Security Gateway for Cisco Nexus 1000V Series Switch Release Notes, Release 4.2(1)VSG1(4.1)
Release Date: August 21, 2012Part Number: OL-27570-01
Current Release: Cisco VSG Release 4.2(1)VSG1(4.1)This document describes the features, limitations, and caveats for the Cisco Virtual Security Gateway and Cisco Virtual Network Management Center software. Use this document in combination with documents listed in the "Related Documentation" section. The following is the change history for this document.
Contents
This document includes the following sections:
•
Open Caveats—Cisco VSG Release 4.2(1)VSG1(4.1)
•
•
Introduction
The Cisco Virtual Security Gateway (VSG) for the Cisco Nexus 1000V Series switch is a virtual firewall appliance that provides trusted access to virtual data center and cloud environments with dynamic policy-driven operation, mobility-transparent enforcement, and scale-out deployment for dense multitenancy. The Cisco VSG enables a broad set of multitenant workloads that have varied security profiles to share a common compute infrastructure. By associating one or more Virtual Machines into distinct trust zones, the Cisco VSG ensures that access to trust zones is controlled and monitored through established security policies.
Together, the Cisco VSG and Cisco Nexus 1000V Virtual Ethernet Module provide the following benefits:
•
•
•
•
•
Software Compatibility
The servers that run the Cisco Nexus 1000V VSM and VEM must be in the VMware Hardware Compatibility list, which is a requirement for running the ESX 4.1 or 5.0 software.
For additional compatibility information, see the Cisco Nexus 1000V Compatibility Information, Release 4.2(1)SV1(5.2).
Features
This section provides the following information about this release:
•
•
Product Architecture
The Cisco VSG operates with the Cisco Nexus 1000V distributed virtual switch in the VMware vSphere hypervisor. The Cisco VSG leverages the virtual network service data path (vPath) that is embedded in the Cisco Nexus 1000V Virtual Ethernet module (VEM). vPath steers traffic, whether external-to-VM or VM-to-VM, to the Cisco VSG of a tenant. A split-processing model is applied where initial packet processing occurs in the Cisco VSG for policy evaluation and enforcement. After the policy decision is made, the Cisco VSG off-loads policy enforcement of remaining packets to vPath.
vPath supports the following features:
•
•
Trusted Multitenant Access
You can transparently insert a Cisco VSG into the VMware vSphere environment where the Cisco Nexus 1000V distributed virtual switch is deployed. Upon insertion, one or more instances of the Cisco VSG is deployed on a per-tenant basis, which allows a highly scaled-out deployment across many tenants. Because tenants are isolated from each other, no traffic can cross tenant boundaries. Depending on the use case, you can deploy Cisco VSG at the tenant level, at the virtual data center (vDC) level, or at the vApp level.
Note
As VMs are instantiated for a given tenant, association to security profiles and zone membership occurs immediately through binding with the Cisco Nexus 1000V port profile. Upon instantation, each VM is placed into a logical trust zone. Security profiles contain context-aware rule sets that specify access policies for traffic that enters and exits each zone. With the VM and network contexts, you can leverage custom attributes to define zones directly through security profiles. The profiles are applied to zone-to-zone traffic and external-to-zone/zone-to-external traffic. This enforcement occurs within a VLAN because a VLAN often identifies a tenant boundary.
The Cisco VSGs evaluate access control rules and then offloads enforcement to the Cisco Nexus 1000V VEM vPath module for performance optimization. Access is permitted or denied based on policies. The Cisco VSG provides policy-based traffic monitoring capability and generates access logs.
Dynamic (Virtualization-Aware) Operation
A virtualization environment is dynamic, where frequent additions, deletions, and changes occur across tenants and especially across VMs. Live migration of VMs can occur due to manual or programmatic VMotion events.
A Cisco VSG operates with the Cisco Nexus 1000V (and vPath), which supports a dynamic VM environment. Typically, a tenant is created with the Cisco VSG (standalone or active-standby pair) and on the Cisco Virtual Network Management Center (VNMC). Associated security profiles are defined that include trust zone definitions and access control rules.
Each security profile is bound to a Cisco Nexus 1000V port profile (authored on the Cisco Nexus 1000V Virtual Supervisor Module and published to the VMware Virtual Center). When a new VM is instantiated, you can assign appropriate port profiles to the virtual Ethernet port of the VM. Because the port profile uniquely refers to a security profile and VM zone membership, security controls are immediately applied. A VM can be repurposed by assigning a different port profile or security profile.
As VMotion events occur, VMs move across physical servers. The Cisco Nexus 1000V ensures that port profile policies and associated security profiles follow the VMs. Security enforcement and monitoring remain transparent to VMotion events.
Setting Up Cisco VSG and VLAN Usages
A Cisco VSG is set up in an overlay fashion so that VMs can reach a Cisco VSG irrespective of its location. The vPath component in the Cisco Nexus 1000V VEM intercepts the packets from the VM and sends them to the Cisco VSG for further processing.
A Cisco VSG is configured with three vNICS that are each connected to one of the VLANs. The VLAN functions are as follows:
•
•
•
You can allocate one or more VM Data VLAN(s) for VM-to-VM communications. In a multitenant environment, the Management VLAN is shared among all tenants. The Service VLAN, HA VLAN, and the VM Data VLAN are allocated on a per-tenant basis. When VLAN resources are scarce, you can use a single VLAN for Service and HA functions.
New and Changed Information
This section describes the new and changed features for the Cisco Virtual Security Gateway for Nexus 1000V Series Switch, Release 4.2(1)VSG1(4.1).
New Software Features
Cisco vPath Service Chaining
Service chaining allows multiple service nodes to be included in a service path so that the packets that belong to a particular flow can pass through this service chain. Each service node in a chain uses the security profile specified in the vservice command for that node.
Cisco VSG Release 4.2(1)VSG1(4.1) supports service chaining that allows the packets on a flow to be directed to more than one service node. Cisco vPath service chaining allows two types of service nodes:
•
•
Note
Selective TCP State Checks
Cisco VSG Release 4.2(1)VSG1(4.1) supports the selective TCP state checks that can be configured to set the invalid-ack, seq-past-window, and window-variation parameters for the data packets.
Note
Service Node on VXLANs
Starting with Cisco VSG Release 4.2(1)VSG1(4.1), the virtual service node can be configured on a Virtual Extensible Local Area Network (VXLAN).
Multiple CPU Support
Starting with Cisco VSG Release 4.2(1)VSG1(4.1), Cisco VSG performance can be scaled up to two vCPUs.
SNMVv3 Support
Starting with Cisco VSG Release 4.2(1)VSG1(4.1), Cisco VSG supports Simple Network Management Protocol Version 3 (SNMPv3). SNMPv3 provides secure access to devices by a combination of authenticating and encrypting frames over the network. The security features provided in SNMPv3 are as follows:
•
•
•
Limitations and Restrictions
The Cisco Virtual Security Gateway for Nexus 1000V Series switch has the following limitations and restrictions:
•
•
•
•
During OVA installation, the following error message might be seen:
The network card VirtualE1000 has dvPort backing, which is not supported. This could be because the host does not support vDS, or because the host is not using vDS.
Workaround: Ensure that all three network interfaces in the Cisco VSG port profile are set to VM Network (port profile from vSwitch) during OVA installation. Once the virtual machine is created, the port profile for these three interfaces should be changed according to the Cisco Virtual Security Gateway, Release 4.2(1)VSG1(2) and Cisco Virtual Network Management Center, Release 1.2 Installation and Upgrade Guide.
•
Workaround: To prevent this situation, configure the Service VLAN and the HA VLAN used by the Cisco VSG as system vlan vlan_number in the uplink port profile.
•
When the VEM communicates with the Cisco VSG in the Layer 2 mode, an additional header with 74 bytes is added to the original packet. The VEM fragments the packet if it exceeds the uplink MTU.
For better performance, increase the MTU of all links between the VEM and the Cisco VSG by 74 bytes to account for packet encapsulation which occurs for communication between vPath and the Cisco VSG. For example, if the MTU values of the client and server VMs and uplink are all 1500 bytes, set the uplink MTU to 1574 bytes.
•
–
–
–
–
•
Configuring a rule with a reset action for the non-TCP/UDP protocol will result in dropped traffic. However, the syslog generated for this traffic shows that the action performed for the traffic is reset as shown below:
2011 June 16 07:19:56 VSG-Fw %POLICY_ENGINE-6-POLICY_LOOKUP_EVENT: policy=ps-web@root/Tenant-A rule=pol-B/udp-rule@root/Tenant-A action=Reset direction=ingress src.net.ip-address=172.31.2.107 dst.net.ip-address=172.31.2.101 net.protocol=1 net.ethertype=800 src.vm.name=sg-centos-vk-7 src.vm.host-name =10.193.75.91 src.vm.os-fullname="red hat enterprise linux 5 (64-bit)" dst.vm.cluster-name ="sg1-dc1-clu1 ankaa tenth" src.vm.cluster-name="sg1-dc1-clu1 ankaa tenth" dst.vm.portprofile-name=access-3770-tenant-a src.vm.portprofile-name=access-3770-tenant-a dst.zone.name=centos-zone@root/Tenant-A src.zone.name=centos-zone@root/Tenant-A src.vm.os-hostname=(null) src.vm.res-pool=(null)•
The CLI session for the Cisco VSG version 1.3x that is newly deployed will time out after a period of five minutes of an inactivity. The CLI session time out does not work on Cisco VSG that has been upgraded from version 1.0x.
•
- gold001-vsg01# sh run | i line|timeout
- line console
- gold001-vsg01#
As a workaround, when upgrade is done from 1.0x to 1.3 version of Cisco VSG, "exec-timeout 5" can be configured under "line console" and "line vty" command modes to enable a five minutes CLI session inactivity timeout.
•
VM names for VMs on ESX 4.1 hosts that exceed 21 characters are not displayed properly on the VSM. When you use a show vservice command that displays the port profile name, for example, the show vservice port brief port-profile port-profile-name command, only VMs with names that are 21 characters or less are displayed correctly. Longer VM names may cause the VM name to be truncated, or extra characters to be appended to the VM name. Depending on the network adapter, the name length limitation may vary. For example:
–
–
Workaround: This is a display issue with ESX Release 4.1 only. Use VM names of 21 characters or less to avoid this issue.
VSG Scalability Matrix
The following table presents a feature-based comparative analysis between two VSGs having different number of virtual CPUs and VNMC:
Caveats
This section include the following topics:
•
•
•
Open Caveats—Cisco VSG Release 4.2(1)VSG1(4.1)
The following are descriptions of the caveats in Cisco Virtual Security Gateway for Nexus 1000V Series switch, Release 4.2(1)VSG1(4.1). The ID links open the Cisco Bug Toolkit.
Open Caveats—Cisco VSG Release 4.2(1)VSG1(3.1)
The following are descriptions of the caveats in Cisco Virtual Security Gateway for Nexus 1000V Series switch, Release 4.2(1)VSG1(3.1). The ID links open the Cisco Bug Toolkit.
Resolved Caveats—Cisco VSG Release 4.2(1)VSG1(4.1)
The following table describes the resolved caveats in Cisco Virtual Security Gateway for Nexus 1000V Series switch, Release 4.2(1)VSG1(4.1). The ID links open the Cisco Bug Toolkit.
Related Documentation
This section contains information about the documentation available for Cisco Virtual Security Gateway and related products.
Cisco Virtual Security Gateway Documentation
The following Cisco Virtual Security Gateway for the Nexus 1000V Series Switch documents are available on Cisco.com at the following URL:
http://www.cisco.com/en/US/products/ps11208/tsd_products_support_model_home.html
•
•
•
•
•
•
•
Cisco Virtual Network Management Center Documentation
The following Cisco Virtual Network Management Center documents are available on Cisco.com at the following URL:
http://www.cisco.com/en/US/products/ps11213/tsd_products_support_series_home.html
Cisco Nexus 1000V Series Switch Documentation
The Cisco Nexus 1000V Series Switch documents are available on Cisco.com at the following URL:
http://www.cisco.com/en/US/products/ps9902/tsd_products_support_series_home.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed above.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Internet Protocol (IP) addresses used in this document are for illustration only. Examples, command display output, and figures are for illustration only. If an actual IP address appears in this document, it is coincidental.
© 2012 Cisco Systems, Inc. All rights reserved.
