Device Policies and Profiles
enables you to create device profiles and policies at any organizational level.
Device Profiles
A device profile is a set of custom security attributes and device policies. For Nexus 1000V VSMs, the device profile is added to the port profile. The port profile is assigned to the Nexus 1000V VSM vNIC, making the device profile part of the virtual machine (VM). Adding a device profile to the VM allows the addition of custom attributes to the VM. Firewall rules can be written using custom attributes such that traffic between VMs can be allowed to pass or be dropped.
You apply device profiles by choosing Resource Management > Managed Resources and then navigating to the required device at the root or tenant level. The Firewall Settings area of the firewall pane includes the Device Profile option.
includes a default device profile at root level. The default device profile can be edited but cannot be deleted.
Policies
supports the following objects related to policies:
- Policy set—Contains policies. After a policy set is created, it can be assigned to a profile. An existing default policy set is automatically assigned at system boot up.
- Policy—Contains rules that can be ordered. An existing default policy is automatically assigned at system boot up. The default policy contains a rule with an action of drop.
- Rule—Contains conditions for regulating traffic. Conditions for a rule can be set using the network, custom, and virtual machine attributes.
- Object group—Can be created under an organization node. An object group defines a collection of condition expressions on a system-defined or user-defined attribute. An object group can be referred to in a policy rule condition when the member or not-member operator is selected. A rule condition that refers to an object group resolves to true if any of the expressions in the object group are true.
- Security profile dictionary—Logical collection of security attributes. You define dictionary attributes for use in a security profile. A security profile dictionary is created at the root or tenant node; you can create only one dictionary for a tenant and one for root, and you cannot create a dictionary below the tenant level. The dictionary defines the names of custom attributes; custom attribute values are specified on security profile objects. Custom attributes can be used to define policy rule conditions. Attributes configured in a root-level dictionary can be used by any tenant.
- Zone—Set of VMs based on conditions. The zone name is used in the authoring rules.
Security policies are created and then pushed to the Cisco VSG or ASA 1000V.
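The following is an added example, written here to illustrate how the objects above combine at evaluation time; it is not Cisco's code and does not model the product's API. It assumes a simplified attribute namespace (names such as `src.vm.custom.tier` and `net.dst.port` are constructed for the example), and it implements the semantics the text states: a policy set holds ordered policies, a policy holds ordered rules, a rule matches only when all of its conditions hold, a `member`/`not-member` condition resolves through an object group that is true if any of its expressions match, and traffic that matches no rule falls through to the default drop.

```python
"""Illustrative evaluator for a policy set -> policy -> rule -> condition
hierarchy with object groups and a default drop action.  Added example;
attribute names, operators and sample values are constructed, not Cisco's."""
from dataclasses import dataclass, field
from typing import Any


def _compare(op: str, actual: Any, expected: Any) -> bool:
    """Evaluate one primitive expression against an attribute value."""
    if op == "eq":
        return actual == expected
    if op == "neq":
        return actual != expected
    if op == "contains":
        return actual is not None and str(expected) in str(actual)
    raise ValueError(f"unknown operator {op!r}")


@dataclass
class ObjectGroup:
    """Collection of expressions on one attribute; true if ANY expression matches."""
    name: str
    attribute: str
    expressions: list  # [(operator, value), ...]

    def matches(self, value: Any) -> bool:
        return any(_compare(op, value, exp) for op, exp in self.expressions)


@dataclass
class Condition:
    attribute: str
    operator: str  # eq / neq / contains / member / not-member
    value: Any     # literal, or an object group name for member / not-member

    def evaluate(self, attrs: dict, groups: dict) -> bool:
        actual = attrs.get(self.attribute)
        if self.operator in ("member", "not-member"):
            hit = groups[self.value].matches(actual)
            return hit if self.operator == "member" else not hit
        return _compare(self.operator, actual, self.value)


@dataclass
class Rule:
    name: str
    action: str  # "permit" or "drop"
    conditions: list = field(default_factory=list)  # all must hold (AND)

    def matches(self, attrs: dict, groups: dict) -> bool:
        return all(c.evaluate(attrs, groups) for c in self.conditions)


@dataclass
class Policy:
    name: str
    rules: list  # ordered; first matching rule wins


@dataclass
class PolicySet:
    name: str
    policies: list  # ordered


DEFAULT_ACTION = "drop"  # the default policy's single rule has an action of drop


def evaluate(policy_set: PolicySet, attrs: dict, groups: dict) -> tuple:
    """Return (action, 'policy/rule') for the first matching rule, or the
    default drop when no rule in any policy matches."""
    for policy in policy_set.policies:
        for rule in policy.rules:
            if rule.matches(attrs, groups):
                return rule.action, f"{policy.name}/{rule.name}"
    return DEFAULT_ACTION, "default"


# Constructed sample objects: one object group on a custom attribute and
# one tenant policy set with two ordered rules.
GROUPS = {
    "web-tier-vms": ObjectGroup("web-tier-vms", "vm.custom.tier",
                                [("eq", "web"), ("eq", "web-dmz")]),
}

SAMPLE_POLICY_SET = PolicySet("tenant-a-set", [
    Policy("tenant-a-policy", [
        Rule("allow-web-to-db", "permit", [
            Condition("src.vm.custom.tier", "member", "web-tier-vms"),
            Condition("dst.vm.custom.tier", "eq", "db"),
            Condition("net.dst.port", "eq", 3306),
        ]),
        Rule("block-web-to-mgmt", "drop", [
            Condition("src.vm.custom.tier", "member", "web-tier-vms"),
            Condition("dst.vm.custom.tier", "eq", "mgmt"),
        ]),
    ]),
])


def classify(attrs: dict) -> tuple:
    """Evaluate a constructed flow-attribute dict against the sample policy set."""
    return evaluate(SAMPLE_POLICY_SET, attrs, GROUPS)


if __name__ == "__main__":
    flow = {"src.vm.custom.tier": "web-dmz", "dst.vm.custom.tier": "db",
            "net.dst.port": 3306}
    print(classify(flow))  # web-dmz is in the object group, so the permit rule matches
```

Rule order matters in this model just as it does in the product: a flow from a web-tier VM to a `db` VM on port 3306 hits the permit rule, a web-tier flow to `mgmt` hits the explicit drop, and anything else (an `app`-tier source, or port 22 to the database) matches nothing and falls to the default drop. Checking the fall-through case is the useful test when authoring rules, since a missing condition quietly widens a permit rather than failing loudly.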